Zhivko Todorov
CASE 99 · RESIN · 2024

SCP · INCIDENT RESPONSE · EMERGENCY LOCKDOWN · BREAK-GLASS

A lockdown SCP rehearsed before the incident.

A crypto custody firm’s incident response runbook said "in case of confirmed breach, lock down the affected accounts." Nobody had ever tested how. We built an emergency-lockdown SCP, rehearsed it in a tabletop exercise, and added it to the response playbook with a documented activation path.

INDUSTRY: Crypto custody

DOMAIN: SECURITY

DELIVERED: 2024

STACK: AWS ORGANIZATIONS · SCP · IAM IDENTITY CENTER · CLOUDTRAIL · EVENTBRIDGE · PAGERDUTY

RESULTS

What changed, by the numbers.

ACTIVATION TIME: < 90s (REHEARSED)

REVERSIBILITY: TESTED (LIFTED CLEAN IN DRILL)

BREAK-GLASS PATHS: 2 (KEPT INTENTIONALLY)

PLAYBOOK COMPLETENESS: FULL (REGULATOR-VISIBLE)

HOW IT WENT

The runbook had said "lock down" without specifying the SCP, the activation path, or the break-glass roles that would remain functional. In a real incident the team would have spent twenty minutes writing the SCP under stress. The regulator had asked, in writing, what the lockdown procedure was.

We wrote and rehearsed the SCP in a sandbox OU first. It denies everything except read-only operations and the two break-glass principal IDs that the IR lead and a designated security engineer hold. Activation goes through a documented runbook with a two-person rule and CloudTrail logging the SCP attachment event.
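
A sketch of the kind of policy described above, added here as an illustration and not the firm's actual SCP: one Deny statement that exempts read-only actions and two break-glass roles, plus a small checker for rehearsing the expected decisions before attaching it. The role IDs, the read-only allowlist and the function names are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders: unique role IDs (AROA...) of the two break-glass roles.
BREAK_GLASS_ROLE_IDS = ["AROAEXAMPLEIRLEAD0000", "AROAEXAMPLESECENG0000"]
# Assumed read-only allowlist; a real one is tuned to the services in use.
READ_ONLY_ACTIONS = [
    "cloudtrail:LookupEvents", "cloudtrail:Get*", "cloudtrail:Describe*",
    "ec2:Describe*", "iam:Get*", "iam:List*", "s3:Get*", "s3:List*",
    "logs:Get*", "logs:Describe*", "logs:FilterLogEvents",
    "sts:GetCallerIdentity",
]
SCP_MAX_CHARS = 5120  # AWS Organizations size limit for an SCP document


def build_lockdown_scp(role_ids=BREAK_GLASS_ROLE_IDS, read_only=READ_ONLY_ACTIONS):
    """Deny everything outside the allowlist unless the caller is break-glass."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EmergencyLockdown",
            "Effect": "Deny",
            "NotAction": list(read_only),
            "Resource": "*",
            # aws:userid for an assumed role is "<role-id>:<session-name>"
            "Condition": {"StringNotLike": {
                "aws:userid": [f"{rid}:*" for rid in role_ids]}},
        }],
    }


def scp_json(policy):
    """Serialize compactly and refuse a document Organizations would reject."""
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > SCP_MAX_CHARS:
        raise ValueError(f"SCP is {len(text)} chars, limit is {SCP_MAX_CHARS}")
    return text


def is_denied(policy, action, userid):
    """Simplified model of this statement only, not the full IAM evaluator.
    False means "not blocked by the lockdown"; IAM must still allow the call."""
    for st in policy["Statement"]:
        exempt_action = any(fnmatchcase(action.lower(), p.lower())
                            for p in st["NotAction"])
        exempt_caller = any(fnmatchcase(userid, p)
                            for p in st["Condition"]["StringNotLike"]["aws:userid"])
        if st["Effect"] == "Deny" and not exempt_action and not exempt_caller:
            return True
    return False


if __name__ == "__main__":
    print(scp_json(build_lockdown_scp()))
```

SCPs do not apply to the organization's management account, so the lockdown covers member accounts in the target OU only.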

Tabletop drill: activation took 87 seconds (target was under 2 minutes); lift was 38 seconds. Both break-glass paths worked during the locked state. The regulator’s next review accepted the documented procedure without follow-up. The team has rerun the drill twice more since.
