Product Security Knowledge Base

Incident Commander Checklist

Use this checklist during the first minutes of a product-security incident when coordination matters more than deep technical analysis.

First moves

  • confirm severity and current customer or business impact;
  • assign an incident commander and one operations lead;
  • define the active communication channel and update cadence;
  • decide what must stop immediately: deploys, data exports, promotions, or admin actions.

Evidence and containment

  • preserve logs, timelines, screenshots, and affected identifiers;
  • record initial hypothesis, known facts, and unknowns separately;
  • contain the blast radius before chasing an elegant root cause.

Communication discipline

  • write time-stamped updates in plain language;
  • avoid mixing speculation with confirmed facts;
  • track decisions and owners explicitly.