playbooks / response
You Got Pwned. Now What.
A calm order of operations for the worst morning: contain, assess, patch, tell the truth.

duck@duckaudit
Okay. OKAY. We are fine. Step one exists precisely so we do not have to be smart right now.
how it burns you
Some percentage of shipped apps eventually eat an incident, and the damage mostly depends on the first hour. Panic deletes evidence, silence burns trust, and unrotated keys keep the door open while you argue with yourself. Having a list beats having feelings.
Contain first, understand later
Rotate every key and secret the app touches: database, AI APIs, payment, email, OAuth. Revoke active sessions. If data is actively leaking, put the app in maintenance mode; a short outage is cheaper than a longer breach.
-- Supabase: cut active sessions after rotating keys
-- (users sign in again; attackers holding tokens do not)
select auth.admin_delete_user_sessions(id) from auth.users; -- via admin API in practicePreserve the evidence
Before fixing anything, export logs, note timestamps, screenshot the weirdness. You will need this to know what was actually reached, and future you writing the postmortem will be grateful.
Assess what was reachable, not what was taken
Assume the attacker saw everything the hole allowed, because access logs rarely prove otherwise. Missing RLS means assume the whole table. A leaked service key means assume the whole database. Write the honest list.
Patch the actual hole
Fix the root cause, not the symptom: the missing policy, the unchecked route, the leaked secret's hiding spot. Then run the pre launch check again from the top, because holes travel in groups.
Tell your users straight
Short, honest, and fast beats polished and late: what happened, what was affected, what you did, what they should do. Depending on where your users live, disclosure may also be the law. Shame is optional; the email is not.
Write the two paragraph postmortem
What broke, why, and the one change that prevents the class of bug, not just the instance. Ship that change the same week while the fear is still useful.
Make your AI do it
Paste this into Cursor or Claude Code from your project root.
I am responding to a suspected breach of this app. 1) Build my rotation list: every secret, key, and token this codebase uses, with the provider dashboard URL where each gets rotated. 2) Show me how to revoke all user sessions for the auth system in this repo. 3) Based on the code, list what an attacker could reach through the most likely holes: missing auth checks, missing RLS, leaked keys, in order of blast radius. 4) Draft a short honest user notification and a two paragraph internal postmortem template. Work from the actual code, not generic advice.
The 10 minute check
0/5receipts · every claim has a source
next playbook
The 10 Minute Pre Launch Check →