When something goes wrong, start at 00-first-60-seconds.md.
| File | Purpose |
|---|---|
| 00-first-60-seconds.md | Universal first-touch checklist |
| 01-severity-classification.md | P1-P4 definitions + decision tree |
| 02-on-call-and-contacts.md | Who to page, how to escalate |
| 03-comms-templates.md | Status messages: investigating / mitigated / resolved |
| 04-post-mortem-template.md | Blameless post-mortem template |
| 05-alerting-integration.md | How sensors reach the pager |
| 06-tabletop-exercises.md | Quarterly rehearsal scenarios |
| PB | Trigger | Severity |
|---|---|---|
| PB-01 | R6 audit chain bad > 0 | P1 |
| PB-02 | R10 honey emission | P2 |
| PB-03 | R5 cosign verify fail | P1 |
| PB-04 | Auth burst exceeds rate limit | P2 |
| PB-05 | R12 SLO burn > 50% in 7d | P3 |
| PB-06 | > 3 restarts / 24h per service | P3 |
| PB-07 | R8 backup or restore fails | P1/P3 |
| PB-08 | External vulnerability report | P2 |
| PB-09 | Secret found in logs/repo | P1 |
| PB-10 | Clock drift > 30s | P2 |
- Threat model — what we're protecting and from whom
- Audit rounds — how controls were built
- Compliance posture — framework alignment
- Chaos experiments — resilience testing