SFC - Incident Response
The SEAL Framework Checklist (SFC) for Incident Response provides structured guidelines to help protocol teams remain prepared for security incidents affecting blockchain protocols. It covers team structure, monitoring, alerting, and response procedures.
For more details on certifications or self-assessments, refer to the Certification Guidelines.
Section 1: Governance & Team Structure
IR Team and Role Assignments
Do you have an incident response team with clearly defined roles and responsibilities?
Baseline Requirements
- Incident commander (with designated backup) who coordinates response, assigns tasks, and makes time-sensitive decisions
- Subject matter experts identified for key domains (smart contracts, infrastructure, security) who can analyze attacks and prepare response strategies
- Scribe role defined for real-time incident documentation
- Communications personnel designated for public information sharing and record-keeping
- Legal support available with procedures for reviewing response actions, whitehat engagement, and public communications
- Decision makers defined for high-stakes decisions (system shutdown, public disclosure, fund recovery)
- Roles, authorities, and escalation measures reviewed at least annually and after protocol changes, team restructuring, or major incidents
Stakeholder Coordination and Contacts
Do you maintain current contacts and coordination procedures for all parties needed during an incident?
Baseline Requirements
- Internal coordination procedures between technical (devs, auditors) and operational teams (security council, communications)
- External protocol contacts for protocols you depend on and protocols that depend on you
- External expertise contacts including forensics firms, security consultants, SEAL 911, and auditors
- Legal counsel and communications/PR contacts
- Infrastructure vendor support contacts and escalation procedures
- Contact list reviewed at least quarterly and after team changes
- Escalation order documented for P1 incidents (e.g., SEAL 911 → decision makers → security partners → legal)
Section 2: Monitoring, Detection & Alerting
Monitoring Coverage
Do you maintain monitoring coverage for your critical systems, protocols, and external attack surfaces?
Baseline Requirements
- Monitoring covers critical smart contracts, infrastructure, and on-chain activity
- 24/7 monitoring capabilities with procedures for after-hours alert handling
- Credential and secret exposure detection including dark web monitoring, breach database scanning, and secret scanning in code repositories
- Organizational account monitoring including social media accounts and websites monitored for unauthorized access or compromise
- Monitoring coverage documented — what's covered, what's not, and known gaps
Alerting, Paging, and Escalation
Do you have alerting and paging systems that reliably route incidents to available responders?
Baseline Requirements
- Automated alerting configured for security events and operational issues
- Alerts include embedded triage guidance for distinguishing true incidents from false positives
- Triage and classification procedures documented with escalation paths based on severity
- Time-based escalation triggers if initial responder doesn't acknowledge within defined window
- Management notification requirements for high-severity incidents
- Redundant paging systems with documented failover procedures
- On-call schedules maintained with adequate coverage for operational needs
- Backup procedures when on-call personnel are unreachable
Logging Integrity and Retention
Do you maintain tamper-evident logs with adequate retention for incident investigation?
Baseline Requirements
- Log retention periods defined for security, infrastructure, and cloud provider logs
- Retention adequate for forensic analysis (consider regulatory requirements and typical investigation timelines)
- Tamper-evident logging for security-relevant events including access logs, alerting system logs, and infrastructure logs
- Alerts triggered if logs are altered, deleted, or if monitoring/logging is disabled
- Log sources documented — what's captured and where it's stored
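One way to make the tamper-evident logging and alerting-on-alteration requirements above concrete is a hash chain: every entry carries a keyed digest (HMAC) over its own content and the digest of the previous entry, so altering, reordering or deleting an entry breaks the chain at that point. The Python below is an added example written for this checklist, not SEAL code; the key, event records and the ChainedLog/verify_chain names are constructed for illustration. It also covers the edge case that a plain chain misses: silently dropping the newest entries leaves the remaining chain valid, so the verifier additionally compares the chain head against an "anchor" (the latest digest, stored somewhere the log writer cannot modify, such as a separate account, a WORM bucket, or an on-chain commitment). The verdict from verify_chain is what you would wire into an alert.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-link of the first entry


def _digest(key: bytes, seq: int, prev: str, event: dict) -> str:
    # Canonical JSON so the same record always yields the same MAC.
    payload = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log; each entry commits to the previous entry's MAC."""

    def __init__(self, key: bytes):
        self.key = key      # in practice: a secrets manager / HSM, not the log host
        self.entries = []

    def append(self, event: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"seq": seq, "prev": prev, "event": event,
                  "mac": _digest(self.key, seq, prev, event)}
        self.entries.append(record)
        return record

    def head(self) -> str:
        """Latest MAC; publish this periodically as the anchor."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(entries: list, key: bytes, anchored_head: str = None) -> tuple:
    """Return (ok, index_of_first_problem, reason)."""
    prev = GENESIS
    for i, rec in enumerate(entries):
        if rec["seq"] != i:
            return (False, i, "sequence gap (entry deleted or reordered)")
        if rec["prev"] != prev:
            return (False, i, "prev-link mismatch")
        expected = _digest(key, rec["seq"], rec["prev"], rec["event"])
        if not hmac.compare_digest(expected, rec["mac"]):
            return (False, i, "MAC mismatch (entry altered)")
        prev = rec["mac"]
    if anchored_head is not None and prev != anchored_head:
        return (False, len(entries), "head mismatch (log truncated or anchor stale)")
    return (True, None, "ok")


# Constructed sample events of the kinds the checklist names (access, alerting, logging state).
SAMPLE_EVENTS = [
    {"ts": 1700000000, "type": "access", "actor": "alice", "action": "ssh-login", "host": "rpc-1"},
    {"ts": 1700000060, "type": "alert", "rule": "multisig-threshold-change", "state": "fired"},
    {"ts": 1700000120, "type": "access", "actor": "bob", "action": "cloud-console-login"},
    {"ts": 1700000180, "type": "logging", "state": "disabled", "actor": "bob"},
]


def demo() -> dict:
    """Build a log, then show how each tampering scenario is detected."""
    key = b"constructed-demo-key"
    log = ChainedLog(key)
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    anchor = log.head()

    altered = copy.deepcopy(log.entries)
    altered[1]["event"]["state"] = "suppressed"   # rewrite history of the alert
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                 # remove the alert entry entirely
    truncated = copy.deepcopy(log.entries[:-1])    # drop the "logging disabled" event

    return {
        "intact": verify_chain(log.entries, key, anchor),
        "altered": verify_chain(altered, key, anchor),
        "deleted": verify_chain(deleted, key, anchor),
        "truncated": verify_chain(truncated, key, anchor),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

Any non-ok verdict is the condition the checklist asks you to alert on; without the anchor comparison, the truncated case would pass, so the anchor must be written somewhere outside the log writer's reach.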
Section 3: Response & Emergency Operations
Response Playbooks
Do you maintain response playbooks for common incident types?
Baseline Requirements
- Playbooks cover key scenarios including protocol exploits, infrastructure failures, access control breaches, key compromise, supply chain compromises, and frontend/DNS compromise
- Each playbook includes initial response actions covering containment, evidence preservation, and stakeholder notification
- Role-specific responsibilities defined for each scenario (who does what — technical, comms, legal)
- Escalation criteria documented for when to engage leadership, when to shut down systems, when to make public disclosure, and when to engage external assistance
- Key compromise playbook includes procedures for rotating keys and replacing compromised signers, with threshold and access reviewed after any signer replacement
Signer Reachability and Coordination
Can you reach enough signers to execute emergency on-chain actions at any time, including outside business hours?
Baseline Requirements
- Procedures for coordinating multisig operations during incidents, including cross-timezone signer availability
- Signers integrated into on-call/paging systems
- Escalation paths documented for when signers are unreachable
- Signer reachability and coordination procedures tested quarterly
Emergency Transaction Readiness
Do you have backup signing infrastructure and pre-prepared emergency transactions for critical protocol functions?
Baseline Requirements
- Pre-signed or pre-prepared emergency transactions for critical protocol functions (pause, freeze, parameter changes) where feasible
- Backup signing infrastructure available including alternate signing UI, backup RPC providers, and alternate block explorer
- Emergency execution procedures documented (what to pause/freeze/modify and the process for doing so)
Section 4: Communication & Coordination
Incident Communication Channels
Do you maintain secure, dedicated communication channels for incident response?
Baseline Requirements
- Dedicated incident communication channels with documented access controls and member lists
- Multiple communication channels (primary and backup) on different platforms, with documented failover procedures
- Procedures for rapidly creating incident-specific channels (war room) when needed
- Secure communication procedures for sensitive incident information including need-to-know access and encrypted channels
Internal Status Updates
Do you have procedures for providing regular status updates to stakeholders during incidents?
Baseline Requirements
- Status update cadence defined by severity level
- Format and distribution lists for internal stakeholders
Public Communication and Information Management
Do you have procedures for public communication and information management during incidents?
Baseline Requirements
- Pre-approved communication templates for different incident types and severity levels
- Procedures for coordinating communications with protocol users during and after incidents
- Procedures for managing public information flow and correcting misinformation during active incidents
- Designated communications approval flow before public statements are released
Section 5: Testing & Continuous Improvement
IR Drills and Testing
Do you conduct regular incident response drills and evaluate the results?
Baseline Requirements
- Drills conducted at least annually
- Drills cover different incident types across exercises (protocol exploit, infrastructure failure, key compromise, etc.)
- Drills test the full pipeline from monitoring through alerting, paging, triage, escalation, team coordination, containment, and recovery
- Production alerting pipeline validated end-to-end from event detection through to responder notification and acknowledgment
- Drill documentation includes date, scenario, participants, response times, gaps identified, and corrective actions
- Corrective actions tracked to completion with owners and deadlines
- Drill findings incorporated into playbook and procedure updates