Discordian Cybersecurity

🚨 Incident Response: Assume Breach, Plan Survival

Classification-Driven Response: When (Not If) Shit Hits the Fan

Think for yourself. Security vendors sell "prevention." Reality teaches "detection and response with measurable SLAs."

Nothing is true. Everything is permitted. Including attackers getting in. What matters is your response: <30 minutes to respond to a critical incident, <4 hours to resolve it.

At Hack23, incident response isn't hope—it's systematic execution using our Classification Framework for impact assessment. Critical incidents (€10K+ daily loss, complete outage, criminal liability) trigger immediate CEO escalation and all-stakeholder communication within 30 minutes.

Our Incident Response Plan is public with specific SLAs, detection sources, and escalation procedures—because incident response through obscurity means attackers know your weaknesses better than you do.

Illumination: Prevention is aspirational. Response is contractual. We respond to critical incidents in <30 minutes because that's what survival demands.

The Four-Level Incident Classification: Because Not All Breaches Are Equal

| Level | Impact | Response Time | Resolution Target | Escalation |
|---|---|---|---|---|
| 🔴 Critical | €10K+ daily loss, complete outage, criminal liability | <30 minutes | <4 hours | Immediate CEO + all stakeholders |
| 🟠 High | €5-10K daily loss, major degradation, significant fines | <1 hour | <24 hours | <1 hour CEO + key stakeholders |
| 🟡 Medium | €1-5K daily loss, partial impact, minor penalties | <4 hours | <72 hours | <4 hours internal only |
| 🟢 Low | <€1K daily loss, minor inconvenience | <24 hours | <1 week | Daily reporting, documentation |

Classification drives everything: response speed, resource allocation, stakeholder communication, and resolution priority. A critical incident affecting availability (complete CIA platform outage) gets a 30-minute response because that's what our Classification Framework business impact analysis demands.

META-ILLUMINATION: Classification isn't bureaucracy—it's triage. When everything is critical, nothing is. When critical means €10K+ daily loss, everyone moves fast.

Multi-Layer Detection: AWS Native + External + Human Intelligence

AWS Native Detection (Automated):

  • Security Hub: Centralized security findings aggregation across all AWS services
  • GuardDuty: Threat detection for malicious activity, crypto-mining, compromised credentials
  • Config: Configuration compliance monitoring with automated drift detection
  • CloudWatch: Performance anomaly detection and threshold-based alerting
  • Detective: Investigation and root cause analysis with visual timeline

External Detection Sources:

  • GitHub Security: Code vulnerability scanning, Dependabot alerts, secret scanning
  • SonarCloud: Quality gate failures indicating security degradation
  • Supplier Notifications: Third-party security alerts per Third Party Management policy

Manual Discovery:

  • User Reports: Employees, consultants, community members reporting anomalies
  • External Intelligence: Security researchers, CVE disclosures, industry warnings

Detection target for critical incidents: <15 minutes. Because dwell time is the enemy. The faster you detect, the less damage attackers inflict.

DETECTION ILLUMINATION: Breaches you don't detect in 15 minutes become data exfiltration campaigns. Breaches you don't detect in 24 hours become ransomware incidents.
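The classification table and the detection, response and resolution targets on this page, as an added Python triage helper (an illustration written for this post, not Hack23's own tooling). It assumes the worst impact dimension decides the level, the vocabulary for outage and regulatory impact is my own shorthand for the table's wording, and detection time (dwell time) is measured from the compromise timestamp established afterwards.

```python
from datetime import datetime, timedelta
from enum import IntEnum


class Level(IntEnum):
    LOW, MEDIUM, HIGH, CRITICAL = 1, 2, 3, 4


# Targets from the classification table; a detection target (<15 min)
# is stated on this page only for Critical, so the others carry None.
TARGETS = {
    Level.CRITICAL: dict(detect=timedelta(minutes=15), respond=timedelta(minutes=30),
                         resolve=timedelta(hours=4), escalate="Immediate CEO + all stakeholders"),
    Level.HIGH: dict(detect=None, respond=timedelta(hours=1), resolve=timedelta(hours=24),
                     escalate="<1 hour CEO + key stakeholders"),
    Level.MEDIUM: dict(detect=None, respond=timedelta(hours=4), resolve=timedelta(hours=72),
                       escalate="<4 hours internal only"),
    Level.LOW: dict(detect=None, respond=timedelta(hours=24), resolve=timedelta(weeks=1),
                    escalate="Daily reporting, documentation"),
}

# Assumed shorthand for the table's operational and regulatory impact columns.
OUTAGE = {"complete": Level.CRITICAL, "major": Level.HIGH,
          "partial": Level.MEDIUM, "minor": Level.LOW}
REGULATORY = {"criminal": Level.CRITICAL, "significant_fines": Level.HIGH,
              "minor_penalties": Level.MEDIUM, "none": Level.LOW}


def classify(daily_loss_eur: float, outage: str, regulatory: str) -> Level:
    """Worst dimension wins: a partial outage with criminal liability is still Critical."""
    if daily_loss_eur >= 10_000:
        by_loss = Level.CRITICAL
    elif daily_loss_eur >= 5_000:
        by_loss = Level.HIGH
    elif daily_loss_eur >= 1_000:
        by_loss = Level.MEDIUM
    else:
        by_loss = Level.LOW
    return max(by_loss, OUTAGE[outage], REGULATORY[regulatory])


def sla_report(level: Level, compromised: datetime, detected: datetime,
               responded: datetime, resolved: datetime) -> dict:
    """True per phase when the measured duration beat its target (None target: nothing to miss)."""
    t = TARGETS[level]
    actual = {"detect": detected - compromised,      # dwell time
              "respond": responded - detected,       # time to first response
              "resolve": resolved - detected}        # time to resolution
    report = {phase: (t[phase] is None or actual[phase] < t[phase]) for phase in actual}
    report["escalation"] = t["escalate"]
    return report
```

Feed it the timestamps from a post-incident review and the report shows exactly which SLA was missed, which is the measurement this post insists on.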

Welcome to Chapel Perilous: Incident Response Edition

Nothing is true. Everything is permitted. Including the inevitability of security incidents. What separates professionals from amateurs is response speed.

Most organizations discover breaches months after initial compromise (average dwell time: 207 days per 2023 data). We detect critical incidents in <15 minutes, respond in <30 minutes, and resolve in <4 hours. Not because we're paranoid—because we're prepared.

Our incident response framework:

  • Classification-Driven: Four-level severity tied to business impact (€ daily loss, operational impact, regulatory risk)
  • Multi-Layer Detection: AWS Security Hub + GuardDuty + Config + CloudWatch + GitHub + external intelligence
  • Automated Escalation: Critical incidents trigger CEO notification within 30 minutes automatically
  • Transparent Communication: All stakeholders informed based on classification level
  • Measured Response: SLAs for detection, response, resolution, and post-incident review

Think for yourself. Question authority—including the assumption that "it won't happen to us." It will. The only question is whether you'll detect it in 15 minutes or 207 days.

ULTIMATE ILLUMINATION: You are now in Chapel Perilous. Incident response plans untested are incident response failures guaranteed. We test quarterly. We measure response times. We learn from every incident. Because survival requires systematic preparation, not hopeful improvisation.

All hail Eris! All hail Discordia!

Read our full Incident Response Plan with complete runbooks, escalation procedures, and post-incident review templates. Public. Tested. Reality-based. With specific SLAs we actually meet.

— Hagbard Celine, Captain of the Leif Erikson

"Assume breach. Measure response. Practice survival. Repeat until excellent."

🍎 23 FNORD 5