This is a work in progress and not a release. We're looking for volunteers.
See Issues and Contribution to know how to collaborate.
A lightweight, end-to-end scaffold for security teams that work without a single authority.
Use it as a menu, not a mandate.
| Principle | What it means in practice |
|---|
| Zero-trust by default | Assume every identity, device, and network path is potentially hostile. |
| Shared responsibility | Any responder can start an action if quorum rules are met. |
| Minimum viable process | Fewer steps, fewer blockers, faster containment. |
| Open tooling | Prefer transparent, auditable, community-maintained tools. |
| Identity plurality | Accept multiple forms of strong identity proof. |
| Evidence first | Collect before you change anything. |
| Continuous learning | Retrospective after every incident and drill. |
| Role | Key duties | Identity options (at least two) |
|---|
| First Reporter | Sounds the alarm and starts evidence capture. | GPG key, DID, or multisig wallet signature |
| Triage Lead | Confirms severity, forms a swarm, assigns tasks. | FIDO2 passkey, GPG, signed Matrix handle |
| Comms Lead | Handles community and regulator updates. | Company issued OIDC, Lens profile |
| Containment Lead | Executes on chain actions or host isolation. | Multisig signer, SSH CA cert |
| Recorder | Maintains the timeline in an immutable log. | GPG key, signed git commit |
Tip: Publish a public mapping of handles to real names and keep it in a tamper evident repo.
| Item | Why it matters | Suggested tools |
|---|
| Asset inventory (code, infra, keys) | You cannot protect what you do not know. | ConfigDB + IaC scans, Sheet/CSV |
| Log pipeline with reliable clock | Forensic accuracy and ordering. | Vector + Loki or OpenSearch, Elasticsearch, RunReveal |
| Secure comms channels | Quick swarm with strong auth. | Matrix + E2EE, Signal groups, Wire |
| Evidence bucket (write-once) | Keeps raw data safe. | S3 object-lock, Storj, or IPFS |
| Automated alert rules | Detect known bad patterns. | On chain monitors, Falco, OpenZeppelin Defender, Slackbot |
| Drill schedule | Muscle memory beats panic. | Calendar invites, gamedays, CTF |
- Alert fires or user reports an issue.
- First Reporter opens a ticket in the transparent issue tracker (GitHub security advisory or private GitLab issue).
- Triage Lead checks severity matrix.
- If P1, spin up a temporary incident channel with a predefined template.
- Assign Leads and set T-minus deadlines.
| Pros | Cons |
|---|
| Fast and clear ownership | Relies on people in multiple time zones being awake |
| Public log builds trust | Attackers also watch public data if over-shared |
| Method | When to use | Pros | Cons |
|---|
| Smart contract pause / circuit breaker | Critical on-chain bug | Stops further damage instantly | Requires a pre-coded pause function and multisig |
| Multisig treasury freeze | Key compromise or theft | No central keyholder | Coordination overhead |
| Host or pod quarantine | Off-chain infra breach | Isolates without full shutdown | Needs orchestration rights |
| DNS or CDN reroute | Phishing or DDoS | Quick traffic shift | May break some services |
Keep a one-liner command ready for each action and store it in the runbook.
- Patch or replace vulnerable code.
- Peer review with at least two signers.
- Deploy to staging with replay of attack scenario.
- Roll forward to production by multisig or automated pipeline.
- Verify by monitoring metrics and logs for stability.
| Automation hint | Keep it simple |
|---|
| GitHub Actions, ArgoCD, and Defender Autotasks are popular. | Always include a manual approval gate in case of false positives. |
| Step | Purpose | Tool Example |
|---|
| Retrospective within 72 h | Capture lessons before they fade. | Miro board, Markdown doc in repo |
| Update runbooks and detection rules | Prevent repeat events. | Docs-as-code PR |
| Reward community reporters | Encourage transparency. | Bug bounty payouts, incentive model |
| Public disclosure | Build long-term trust. | Blog post plus on-chain message |
| Need | Template location |
|---|
| Incident channel message | /templates/incident-kickoff.md |
| Retrospective form | /templates/retro-form.md |
| Aspect | Pros | Cons |
|---|
| No single point of failure | Resilience if one keyholder is offline. | Slower consensus for urgent actions. |
| Community trust | Transparent logs and multisig votes. | Public scrutiny can amplify panic. |
| Open tools | Low cost, auditable, extensible. | Less vendor support, more DIY. |
| Identity plurality | Flexibility for global teams. | Complex to manage revocation and role drift. |
- Run quarterly red team drills.
- Rotate secrets on a fixed cadence.
- Review identity proofs every six months.
- Measure mean time to detect and contain.
- Iterate on this framework during each retrospective.
Remember: Simplicity plus strong fundamentals beat heavy processes every time.