Security Incident Response
Last Updated: 2 August 2025
Kai maintains a comprehensive incident response program to quickly identify, contain, and resolve security incidents. This document outlines our process and how to report security concerns.
Security Emergency Contact
If you have discovered a critical security vulnerability or are experiencing a security incident, contact us immediately:
1. Incident Response Overview
Our incident response process follows the NIST Cybersecurity Framework and is designed to:
- Rapidly detect and analyze security incidents
- Contain threats to prevent further damage
- Eradicate threats from our systems
- Recover normal operations quickly and safely
- Learn from incidents to improve our defenses
2. Incident Response Team
Our dedicated Incident Response Team includes:
- Incident Commander: Overall response coordination
- Security Engineers: Technical analysis and remediation
- Infrastructure Team: System and network response
- Legal Counsel: Regulatory and compliance guidance
- Communications Lead: Internal and external communications
- Executive Sponsor: Executive decision-making authority
3. Incident Classification
We classify incidents based on severity and potential impact:
Critical (P0)
Immediate threat to customer data or service availability. Response time: <15 minutes
High (P1)
Significant security risk or service degradation. Response time: <1 hour
Medium (P2)
Potential security concern requiring investigation. Response time: <4 hours
4. Incident Response Process
4.1 Detection & Analysis
- Automated Detection: 24/7 monitoring systems alert on suspicious activities
- Manual Reporting: Security team and external researchers report issues
- Initial Assessment: Rapid triage to determine severity and scope
- Team Mobilization: Appropriate response team assembled based on incident type
4.2 Containment
- Immediate Actions: Stop ongoing damage and prevent spread
- System Isolation: Isolate affected systems while preserving evidence
- Access Revocation: Disable compromised accounts or credentials
- Traffic Blocking: Block malicious IP addresses or domains
4.3 Eradication
- Root Cause Analysis: Identify how the incident occurred
- Threat Removal: Remove malware, close vulnerabilities
- System Hardening: Implement additional security controls
- Patch Deployment: Apply security updates and patches
4.4 Recovery
- System Restoration: Restore systems from clean backups
- Service Validation: Verify systems are clean and functioning
- Monitoring Enhancement: Implement additional monitoring
- Gradual Restoration: Phased return to full operations
4.5 Lessons Learned
- Post-Incident Review: Comprehensive analysis of response
- Process Improvement: Update procedures based on findings
- Training Updates: Enhanced training for response team
- Security Enhancements: Implement preventive measures
5. Communication During Incidents
5.1 Internal Communication
- Incident response team maintains continuous communication
- Executive leadership briefed at appropriate intervals
- All team members have access to real-time incident status
- Decision points clearly documented with rationale
5.2 Customer Communication
- Initial Notification: Affected customers notified within 4 hours
- Regular Updates: Status updates every 2-4 hours during active incidents
- Status Page: Public status page updated in real-time
- Final Report: Detailed post-incident report within 72 hours
6. Data Breach Response
For incidents involving personal data, we follow specific breach response procedures:
- Immediate Assessment: Determine if personal data is involved
- Risk Evaluation: Assess likelihood and severity of harm
- Regulatory Notification: Notify authorities within 72 hours (GDPR)
- Individual Notification: Notify affected individuals if high risk
- Documentation: Maintain detailed records of breach and response
7. Business Continuity
During incidents, we maintain business operations through:
- Backup Systems: Automatic failover to backup infrastructure
- Alternative Processes: Manual procedures where automated systems are affected
- Resource Allocation: Additional staff and resources as needed
- Stakeholder Communication: Regular updates to all stakeholders
8. Reporting Security Issues
8.1 What to Report
Please report any of the following:
- Suspected unauthorized access to your account
- Unusual system behavior or error messages
- Potential vulnerabilities in our systems
- Phishing or social engineering attempts
- Data that appears to be from other organizations
- Any other security concerns
8.2 How to Report
Non-Critical Issues
Response time: Within 24 hours
Critical/Emergency
Response time: Within 15 minutes
8.3 Information to Include
When reporting security issues, please include:
- Description: Clear description of the issue
- Steps to Reproduce: How to reproduce the issue (if applicable)
- Impact Assessment: Your assessment of the potential impact
- Screenshots/Evidence: Any supporting evidence
- Contact Information: How we can reach you for follow-up
- Timing: When you first noticed the issue
9. Vulnerability Disclosure
We follow responsible disclosure practices:
- Acknowledgment: We acknowledge all security reports within 24 hours
- Investigation: We investigate all reports thoroughly
- Coordination: We work with researchers on disclosure timelines
- Credit: We provide appropriate credit for valid findings
- Updates: We keep reporters informed of our progress
10. Testing & Training
We regularly test and improve our incident response capabilities:
- Tabletop Exercises: Quarterly scenario-based training
- Red Team Exercises: Annual simulated attacks
- Process Reviews: Regular review and update of procedures
- Staff Training: Ongoing training for all team members
- External Testing: Third-party security assessments