How to Build an Incident Response Plan for OpenClaw

# In config/incident/severity-levels.yaml:
severity_levels:
  critical:
    description: "Confirmed data breach or total service outage"
    examples:
      - Customer data exposed or accessed by attacker
      - OpenClaw service completely unavailable (>100 users affected)
      - Payment system compromised
      - Ransomware detected
    response_time: < 15 minutes
    who_to_notify: [CEO, CTO, Legal, Customer Success]
    communication_frequency: Every 30 minutes
    public_statement: Required within 4 hours

  high:
    description: "Security control failure or significant service degradation"
    examples:
      - Unauthorized access detected (no data confirmed stolen)
      - Service unavailable for 30-120 minutes
      - API security vulnerability discovered
      - Failed authentication bypass attempts detected
    response_time: < 1 hour
    who_to_notify: [CTO, Security Lead, On-call Engineer]
    communication_frequency: Every 2 hours
    customer_notification: Required

  medium:
    description: "Non-critical security finding or service slowdown"
    examples:
      - Configuration drift detected
      - Missing security patch (no active exploits)
      - High error rates but service degraded not down
      - Suspicious activity (investigation needed)
    response_time: < 4 hours
    who_to_notify: [On-call Engineer, Security Team]
    communication_frequency: As needed
    customer_notification: Optional (if affects them)

  low:
    description: "Audit finding or non-urgent security improvement"
    examples:
      - Documentation gap
      - Non-critical policy violation
      - Security warning from scanning tool
    response_time: < 1 week
    who_to_notify: [Security Team]
    communication_frequency: In team standup

# In config/incident/team-structure.yaml:
incident_response_team:
  # Incident Commander (coordinates response)
  incident_commander:
    primary: cto@company.com
    backup: security-lead@company.com
    responsibilities:
      - Declare incident start/end
      - Make containment/recovery decisions
      - Authorize customer notifications
      - Schedule post-incident review

  # Technical Lead (directs technical response)
  technical_lead:
    primary: on-call-engineer@company.com
    backup: senior-engineer@company.com
    responsibilities:
      - Assess impact and scope
      - Lead containment steps
      - Coordinate system recovery
      - Preserve evidence for investigation

  # Communications Lead (manages all messaging)
  communications_lead:
    primary: customer-success-manager@company.com
    backup: product-manager@company.com
    responsibilities:
      - Draft customer notification
      - Coordinate press response
      - Update status page
      - Manage internal comms

  # Security Investigator (forensics and root cause)
  security_investigator:
    primary: security-engineer@company.com
    backup: architect@company.com
    responsibilities:
      - Collect forensic evidence
      - Perform root cause analysis
      - Identify attack vectors
      - Recommend preventive measures

  # Scribe (documents incident)
  scribe:
    primary: on-call-ops@company.com
    backup: junior-engineer@company.com
    responsibilities:
      - Log incident timeline
      - Record decisions and actions
      - Capture metrics (downtime, data affected)
      - Maintain decision log for post-incident

  # On-call schedule:
  rotation:
    incident_commander: 1 week
    technical_lead: 1 week
    on-call rotation: PagerDuty (automatic escalation)

  # Access and permissions during incident:
  incident_access:
    - All team members get database read access
    - IC gets temporary admin privileges (logged)
    - Forensics team gets backup system access
    - After incident: privileges revoked and logged

# In config/incident/runbooks/:

# runbook-data-breach.yaml
data_breach_response:
  detection:
    - Alert: "Suspicious data access pattern detected"
    - Action: "Page incident commander immediately"
    - Evidence: "Preserve access logs before any cleanup"

  initial_assessment (within 15 min):
    1. What data was accessed?
       - Query: SELECT accessed_tables FROM audit_log WHERE time > incident_start
       - Document: tables, row count, column names

    2. Who accessed it?
       - Identify: user account, IP address, API key
       - Check: Is it a known service account?

    3. When and for how long?
       - Timeline: first access, last access, duration
       - Pattern: single access or ongoing?

  containment (parallel to assessment):
    1. Revoke access immediately
       - openclaw admin keys revoke --key-id [compromised_key]
       - openclaw admin users disable --user [compromised_account]
       - Document: timestamp, reason

    2. Reset MFA and passwords
       - Send MFA reset link to user
       - Require password change on next login

    3. Isolate affected systems if needed
       - If attacker still active: isolate database, disable API
       - Preserve logs before isolation

  investigation (parallel to containment):
    1. Review access logs for this user/IP in past 90 days
    2. Identify all accessed data
    3. Check other accounts from same IP (coordinated attack?)
    4. Review system logs for privilege escalation attempts
    5. Check for data exfiltration (large downloads, unusual queries)
    6. Collect evidence for forensic analysis

  notification (within 4 hours):
    1. Determine: Is this a confirmed breach of customer data?
    2. Legal review: Required notification?
    3. Customer notification:
       - Email: What data, when, what to do
       - Phone call: Direct contact within 24 hours
       - Offer: Free credit monitoring if PII exposed
    4. Public disclosure: If legally required

  recovery:
    1. Assume breach is ongoing until proven otherwise
    2. Change all credentials (API keys, database passwords)
    3. Rotate encryption keys if data at rest was exposed
    4. Deploy security patches
    5. Restore from backup if malware suspected
    6. Validate normal operation before re-enabling user access

# runbook-service-outage.yaml
service_outage_response:
  detection:
    - Alert: "Service down" from monitoring
    - Impact: Number of affected users, estimated duration
    - Frequency: Page on-call engineer immediately

  assessment (first 5 minutes):
    1. Verify: Is it really down?
       - Manual test: curl https://openclaw.company.com/health
       - Check: Multi-region test results
       - Review: Recent deployments/changes

    2. Quick classification:
       - Deployment issue? Rollback immediately
       - Database issue? Check connection pool, connections
       - Network issue? Check DNS, load balancer health
       - Disk full? Check disk usage

    3. Owner determination:
       - Is this infrastructure or application?
       - Who needs to fix it?

  immediate_containment:
    1. Stop bleeding immediately:
       - Failed deployment? Rollback to last known good version
       - Rate limit issue? Increase limits
       - Resource exhaustion? Scale up instances

    2. Activate fallback if available:
       - Switch to backup region
       - Enable read-only mode
       - Redirect traffic to degraded service

  status communication:
    - Update status page immediately: "Investigating" (within 1 min)
    - Notify major customers: "We are aware and working on it"
    - Update every 30 minutes with progress
    - Include ETA only if confident

  recovery (parallel to comms):
    1. Root cause investigation while fixing
    2. Fix root cause (not just symptoms)
    3. Validate in staging first if possible
    4. Deploy fix with monitoring
    5. Confirm service restored and healthy
    6. Bring systems back online gradually

  post-incident:
    - Update status page: "Resolved"
    - Send RCA email within 24 hours
    - Schedule post-mortem within 1 week

# In config/incident/communication-templates.yaml:

communication_plan:
  internal_escalation:
    # Level 1: Team Slack channel
    template: |
      [INCIDENT] [SEVERITY] [SERVICE]
      Time: [HH:MM UTC]
      Impact: [# users affected, what's not working]
      Status: Investigating / Containment / Recovery
      Next update: [HH:MM UTC]
      Incident ID: [INC-123]

    # Level 2: Executive notification (for High/Critical)
    template: |
      INCIDENT: [Name]
      SEVERITY: [Level] | IMPACT: [Users affected]
      What happened: [1-2 sentences in plain English]
      What we're doing: [Immediate actions]
      What you need to know: [Any actions execs should take]
      Next update: [Time]

    # Level 3: All-hands notification (for Critical)
    template: |
      We're experiencing an incident affecting [service].
      ETA for resolution: [estimate]
      We'll update you every 30 minutes.
      Thank you for your patience.

  customer_communication:
    # Immediate notice (within 30 min)
    template: |
      We've identified an issue affecting OpenClaw service.
      Impact: [specific customer impact]
      Status: We're working on a fix
      Updates: Every 30 minutes on status page
      Link: https://status.company.com

    # Update every 30-60 minutes
    template: |
      Update on [Service] Incident
      Time affected: [Start - Current]
      Current status: [Investigating/Fixing/Testing]
      ETA: [Estimate if available]
      We appreciate your patience.

    # Resolution notice (within 1 hour of fix)
    template: |
      Resolution: [Service] is back to normal
      Impact: [# users, duration, data affected if any]
      Root cause: [Brief explanation]
      What we're doing: [Preventive measures]
      Apology + compensation if applicable
      RCA link: [Will post within 24 hours]

  post-incident_retrospective:
    # Email within 24 hours
    template: |
      Incident Report: [Name]
      Duration: [Start time] - [End time] ([# minutes])
      Severity: [Level]
      Impact: [Quantified impact]

      Timeline:
      - [HH:MM] Detection
      - [HH:MM] Incident declared
      - [HH:MM] Root cause identified
      - [HH:MM] Fix deployed
      - [HH:MM] Service restored

      Root cause: [1-2 paragraphs]

      What went well:
      - [Team responded quickly]
      - [Monitoring alerted us immediately]

      What we'll improve:
      - [Prevent this type of issue]
      - [Improve response time]

      Tracking: Jira epic [JIRA-123] for follow-up

# In config/monitoring/alerts.yaml:
incident_alerts:
  # Security incidents
  alerts:
    - name: "Multiple failed login attempts"
      metric: "failed_login_attempts"
      threshold: "> 5 in 5 minutes from same IP"
      severity: "high"
      notify: incident_commander
      action: "Block IP, investigation"

    - name: "Unauthorized API access"
      metric: "unauthorized_api_calls"
      threshold: "> 10 in 1 minute"
      severity: "high"
      notify: security_team, incident_commander
      action: "Revoke key, investigate"

    - name: "Data access anomaly"
      metric: "data_access_pattern"
      threshold: "Abnormal query volume (3x baseline)"
      severity: "critical"
      notify: incident_commander, security_team
      action: "Preserve logs, investigate"

    # Availability incidents
    - name: "Service unavailable"
      metric: "http_error_rate"
      threshold: "> 50% for 2 minutes"
      severity: "critical"
      notify: incident_commander, on-call_engineer
      action: "Page on-call, declare incident"

    - name: "Database connection pool exhausted"
      metric: "db_pool_available"
      threshold: "< 10% available for 2 minutes"
      severity: "high"
      notify: database_team, incident_commander
      action: "Investigate slow queries, scale if needed"

    - name: "Memory usage critical"
      metric: "memory_usage_percent"
      threshold: "> 90% for 5 minutes"
      severity: "high"
      notify: on-call_engineer
      action: "Investigate memory leak, restart if needed"

    # Performance incidents
    - name: "Response time degradation"
      metric: "p99_latency"
      threshold: "> 10s (3x baseline)"
      severity: "medium"
      notify: on-call_engineer
      action: "Investigate bottleneck"

  # Escalation rules:
  escalation:
    - alert triggered → On-call engineer paged (5 min)
    - alert + manual confirmation → Incident commander paged (immediately)
    - critical alert + no response → Escalate to backup IC (10 min)
    - ongoing > 30 min → Executive notification

# In config/incident/testing-schedule.yaml:

testing:
  quarterly_tabletop_exercises:
    - Scenario: "Data breach discovered"
      Duration: 2 hours
      Participants: [IC, Tech Lead, Comms, Security, Scribe]
      Facilitator: Security team
      Process:
        1. Briefing: "An attacker accessed customer data for 2 hours"
        2. Q: "What do you do in the first 15 minutes?"
        3. Team discusses response (no actual systems touched)
        4. Facilitator injects new information
        5. Repeat until "resolution"

    - Scenario: "Service completely unavailable"
      Focus: Rapid diagnosis and rollback
      Pressure: Real-time simulation (compressed timeline)
      Success criteria: Service restored in < 30 minutes

    - Scenario: "Security breach during business hours"
      Focus: Communication under pressure
      Participants: Add PR/Legal/Exec for comms review
      Success criteria: Customer notification draft within 30 min

  semi-annual_disaster_recovery_drill:
    - Test: Restore entire system from backup
    - Measure: RTO (Recovery Time Objective), RPO (Recovery Point Objective)
    - Validate: All data present and intact
    - Document: Issues found, resolutions, timeline
    - Timeline: Must complete in < RTO target

  annual_full-scale_incident_simulation:
    - Scenario: Real attacker POV (hire red team if possible)
    - Duration: 24+ hours
    - Measure: Detection time, containment effectiveness
    - Debrief: Detailed findings, recommendations
    - Follow-up: Track 100% remediation

  incident_postmortem_process:
    when: Within 1 week of any incident
    who: [IC, Tech Lead, Scribe] + incident responders
    output: Written RCA document
    contents:
      - Timeline of events
      - Root cause analysis
      - Contributing factors
      - What went well (do more of)
      - What could improve (action items)
      - Preventive measures
    tracking: Jira epic for follow-up items
    closure: RCA published to team wiki