INC01 Incident Readiness Missing
What this means
SiteShadow flagged missing or disabled incident readiness basics (alerting gaps, insufficient log retention, missing runbooks, or no way to revoke/contain compromised access).
Why it matters
Without alerts and retention, incidents can go undetected or uninvestigated.
- Longer dwell time: attackers operate for longer before discovery.
- Harder containment: without revocation/rotation paths, you can't stop the bleeding quickly.
- Bigger impact: weak readiness turns "small incident" into "major incident."
Safer examples
1) Define "must-have" alerts
- auth anomalies (spikes in failed logins, MFA failures)
- admin activity (role changes, API key creation)
- data access (large exports, unusual reads)
2) Keep enough logs to investigate
Set retention appropriate to your threat model and compliance needs.
3) Make containment fast
- One-click revoke for tokens/sessions/API keys
- Key rotation procedures tested regularly
- A lightweight incident runbook (who/what/when)
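The three steps above, worked through in code as an added example (this is not SiteShadow's code, and the event schema, thresholds and store names are assumptions made for illustration): a small detector that raises the "must-have" alert classes over constructed log events, and a revoke primitive that cuts every live session and API key for one principal in a single call.

```python
"""Incident-readiness building blocks (added example, not SiteShadow code).

Assumptions (not from the page): events are dicts with the keys
ts (epoch seconds), type, user and optional extras; thresholds, window
size and the hypothetical AccessStore are placeholders a team would tune.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

FAILED_LOGIN_THRESHOLD = 5      # failures per user within WINDOW_SECONDS (placeholder)
WINDOW_SECONDS = 300            # sliding window for the failed-login rule (placeholder)
EXPORT_ROW_THRESHOLD = 100_000  # what counts as a "large export" (placeholder)
ADMIN_EVENT_TYPES = {"role_changed", "api_key_created"}  # always alert, regardless of volume

# Constructed sample events for demonstration only.
SAMPLE_EVENTS = [
    {"ts": 1000, "type": "login_failed", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1010, "type": "login_failed", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1020, "type": "login_failed", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1025, "type": "login_failed", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1030, "type": "login_failed", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1040, "type": "mfa_failed", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": 1100, "type": "role_changed", "user": "bob", "target": "alice", "new_role": "admin"},
    {"ts": 1200, "type": "api_key_created", "user": "alice", "key_id": "key-01"},
    {"ts": 1300, "type": "data_export", "user": "alice", "rows": 250_000},
    {"ts": 1400, "type": "login_failed", "user": "carol", "src_ip": "198.51.100.9"},
]


def detect_alerts(events):
    """Return (alert_name, user) tuples for the auth, admin and data-access alert classes."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failed logins inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, user, ts = ev["type"], ev["user"], ev["ts"]
        if kind == "login_failed":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            # Fire once, at the moment the window first reaches the threshold.
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_spike", user))
        elif kind == "mfa_failed":
            alerts.append(("mfa_failure", user))
        elif kind in ADMIN_EVENT_TYPES:
            alerts.append(("admin_activity:" + kind, user))
        elif kind == "data_export" and ev.get("rows", 0) >= EXPORT_ROW_THRESHOLD:
            alerts.append(("large_export", user))
    return alerts


@dataclass
class AccessStore:
    """Hypothetical stand-in for a session/token/API-key store with a one-call revoke."""
    sessions: dict = field(default_factory=dict)  # session_id -> owning user
    api_keys: dict = field(default_factory=dict)  # key_id -> owning user
    revoked: list = field(default_factory=list)   # audit trail of what was cut, and when in order

    def revoke_all_for_user(self, user):
        """Containment primitive: remove every live credential for one principal at once.

        Returns the number of credentials revoked by this call, so a runbook step
        can confirm that something was actually cut.
        """
        count = 0
        for store_name in ("sessions", "api_keys"):
            store = getattr(self, store_name)
            for ident, owner in list(store.items()):
                if owner == user:
                    del store[ident]
                    self.revoked.append((store_name, ident))
                    count += 1
        return count


def build_sample_store():
    """Constructed store: two sessions and one API key, two of them belonging to alice."""
    return AccessStore(sessions={"s1": "alice", "s2": "bob"}, api_keys={"key-01": "alice"})


if __name__ == "__main__":
    for name, user in detect_alerts(SAMPLE_EVENTS):
        print(f"ALERT {name} user={user}")
    store = build_sample_store()
    print("revoked for alice:", store.revoke_all_for_user("alice"), store.revoked)
```

Revocation here is a separate call rather than something the alert rules trigger automatically: a failed-login spike is often an attacker probing a legitimate account, so auto-revoking on it would let the attacker lock real users out. The rules produce alerts; a responder following the runbook decides when to pull the revoke lever.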
How SiteShadow detects it (high level)
- Flags configurations that disable logging/alerting hooks or reduce retention below common baselines.
- Highlights missing "containment primitives" where detectable (no revocation/rotation patterns).
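An added illustration of the kind of configuration check described above, written for this page rather than taken from SiteShadow (whose detector is not shown here): a lint over a flat deployment-config dict that flags disabled logging or alerting hooks, retention below a baseline, and absent containment primitives. The config keys, hook names and the 90-day baseline are assumptions; a team would substitute its own.

```python
"""Readiness lint over a deployment config (added example; not SiteShadow's detector).

Assumptions (not from the page): the config is a flat dict with the keys used
below, and BASELINE_RETENTION_DAYS is a placeholder a team sets from its own
threat model and compliance needs.
"""

BASELINE_RETENTION_DAYS = 90  # placeholder baseline, not a value from the page

# Hypothetical names of the containment hooks a deployment is expected to expose.
REQUIRED_CONTAINMENT_HOOKS = ("revoke_sessions", "rotate_api_keys")


def lint_readiness(config):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    # Logging/alerting hooks: absent counts the same as explicitly disabled.
    if not config.get("audit_logging_enabled", False):
        findings.append("audit logging disabled")
    if not config.get("alerting_enabled", False):
        findings.append("alerting hook disabled")
    # Retention below the baseline means an investigation may have no data to work with.
    retention = config.get("log_retention_days", 0)
    if retention < BASELINE_RETENTION_DAYS:
        findings.append(
            f"log retention {retention}d below baseline {BASELINE_RETENTION_DAYS}d"
        )
    # Containment primitives: each missing hook is its own finding so it can be tracked.
    present = set(config.get("containment_hooks", []))
    for hook in REQUIRED_CONTAINMENT_HOOKS:
        if hook not in present:
            findings.append(f"missing containment primitive: {hook}")
    return findings


# Constructed before/after configs for demonstration.
WEAK_CONFIG = {
    "audit_logging_enabled": False,
    "log_retention_days": 7,
    "containment_hooks": [],
}

HARDENED_CONFIG = {
    "audit_logging_enabled": True,
    "alerting_enabled": True,
    "log_retention_days": 365,
    "containment_hooks": ["revoke_sessions", "rotate_api_keys"],
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_readiness(cfg) or ["no findings"])
```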
References
- OWASP Top 10: https://owasp.org/Top10/
---