After a breach: stop the bleeding, understand what happened, fix the root cause.
A security incident has three phases: containment (stop the attack), investigation (understand what was accessed or damaged), and remediation (fix the vulnerability that was exploited). Each phase has specific technical steps. Moving through them quickly limits the damage.
An application has been hacked or compromised (data may have been accessed, systems modified, or the application used to attack others) and you need to understand what happened and prevent recurrence.
Security incident response in order:
Phase 1: Containment
Stop the attack from continuing. If the entry point is known, block it. If not, rotate all credentials immediately.
Immediate actions:
- Rotate all API keys and service credentials (database, third-party APIs, payment processor)
- Revoke all active user sessions (invalidate session tokens)
- Rotate application secrets (JWT_SECRET, OAuth client secrets, webhook signing keys)
- Review recent deployments for unauthorized code changes
- Check for new user accounts created with admin privileges
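Revoking sessions is only real for stateless tokens if the verifier actually enforces the rotation. The verifier below is an added example (not the page's or any project's code): it rotates the HS256 signing secret and applies a global cut-off, here called sessions_invalid_before (a name assumed for this example), so every token issued before containment began is rejected even if it was signed with the old secret.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example: minimal HS256 JWT verifier with two containment
# controls. (1) Tokens signed with the leaked/old secret fail verification
# once the secret is rotated. (2) Tokens whose "iat" predates the containment
# cut-off are rejected, which kills every pre-incident session at once.


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def sign_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token; used here only to build sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes,
                 sessions_invalid_before: int, now: int) -> Optional[dict]:
    """Return the claims if the token is still acceptable, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # old secret, tampered payload, or forged token
    if claims.get("iat", 0) < sessions_invalid_before:
        return None  # issued before containment: assume it may be stolen
    if claims.get("exp", 0) <= now:
        return None
    return claims
```

Set sessions_invalid_before to the moment containment started, redeploy with the new secret, and users simply re-authenticate; the cut-off also covers tokens the attacker minted with the old secret before you noticed.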
Phase 2: Investigation
Understand the scope. What was accessed? What was modified? How did the attacker get in?
Investigate:
- Application logs for the attack period (unusual requests, error spikes)
- Database query logs for unauthorized data access
- Authentication logs for unexpected logins
- Audit logs (if they exist) for privileged actions
- Third-party service access logs (Stripe, AWS, GitHub)
Common entry points:
- Exposed environment variables in public repositories
- SQL injection via unsanitized API parameters
- Authentication bypass in a poorly-implemented route
- Compromised developer machine or leaked credentials
- Vulnerable dependencies with known CVEs
Phase 3: Remediation
Fix the root cause and harden against recurrence.
Security incident response: containment, root cause analysis, vulnerability remediation, and hardening to prevent recurrence
- Credential rotation and session invalidation
- Log analysis to determine scope and entry point
- Vulnerability fix for the identified root cause
- Security hardening to prevent recurrence
- Disclosure assessment: notification requirements if user data was accessed
One honest number to start.
Fixed-scope, fixed-price. The number below is the starting point — final scope is built from your brief.
Three steps, every time.
The same repeatable engagement on every project. No surprises, no mystery, no billable ambiguity.
Brief & discovery.
We send you questions, then get on a call. Output: a written scope with every step, feature, and integration listed.
Build & ship.
Fixed schedule, weekly reviews. No scope creep unless you change the scope — and if you do, we reprice it transparently.
Warranty & retainer.
30-day warranty on every launch. Most clients stay on a monthly retainer for ongoing features and maintenance.
Why Fixed-Price Matters Here
Incident response scope is determined by the severity. Initial engagement for assessment; fixed-price for the remediation phase once scope is clear.
Questions, answered.
Depends on jurisdiction and what was accessed. GDPR requires notification within 72 hours if personal data was breached. US states have varying breach notification laws. Get legal advice; I can help assess the technical scope of what was accessed.
A combination of: fixing the root cause, adding the security headers and protections that were missing, moving to the principle of least privilege, and implementing monitoring that alerts on anomalous activity.
Tell Ryel about your project.
Describe what you’re building and what outcome you need. You’ll have a written, fixed-price scope within the week.