Loading...
Loading...
This Incident Response Plan (IRP) establishes Ad Legends' formal procedures for detecting, analyzing, containing, eradicating, and recovering from security incidents. It is designed to minimize impact, preserve evidence, and ensure regulatory compliance.
The purpose of this Incident Response Plan is to define a structured approach to handling security incidents that threaten the confidentiality, integrity, or availability of Ad Legends' systems, data, and services.
This plan covers:
This document is intended for internal security personnel, enterprise clients, auditors, and regulatory bodies. It is reviewed and updated at least annually or after any significant security incident.
Security Incident: Any event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system, or constitutes a violation of security policies, acceptable use policies, or standard security practices.
Data Breach: A security incident in which sensitive, protected, or confidential data is accessed, disclosed, or exfiltrated by an unauthorized party.
Incident Commander (IC): The designated individual responsible for coordinating the incident response effort and making tactical decisions during an active incident.
| Severity | Description | Examples | Response Time |
|---|---|---|---|
| P1 – Critical | Active data breach or complete service compromise | Mass data exfiltration, admin account compromise, payment system breach | Immediate (within 15 minutes) |
| P2 – High | Confirmed security compromise with limited scope | Single account takeover, brute force attack in progress, credential stuffing | Within 1 hour |
| P3 – Medium | Potential security issue requiring investigation | Unusual login patterns, failed authentication spikes, suspicious API usage | Within 4 hours |
| P4 – Low | Minor security concern or policy violation | Single failed login reports, minor policy deviations, informational alerts | Within 1 business day |
The Incident Response Team (IRT) comprises the following roles, activated based on incident severity:
| Role | Responsibilities | Activation |
|---|---|---|
| Incident Commander | Coordinates response, makes tactical decisions, manages communication flow | All incidents (P1–P4) |
| Security Engineer | Technical investigation, containment actions, forensic analysis, system restoration | All incidents (P1–P4) |
| Communications Lead | Internal and external communications, user notifications, status updates | P1 and P2 incidents |
| Legal Counsel | Regulatory compliance, breach notification requirements, legal obligations | P1 incidents and any confirmed data breach |
| Executive Sponsor | Strategic decisions, resource allocation, external stakeholder management | P1 incidents |
Ad Legends employs multiple layers of detection to identify security incidents as early as possible:
All authentication events, administrative actions, and security-relevant operations are recorded in a comprehensive audit log stored in our database. Each entry captures the user identity, IP address, user agent, endpoint, event type, severity level, and a full detail payload with timestamps.
Our system automatically detects brute force attacks by monitoring for repeated failed authentication attempts. When five or more failed login attempts are detected from the same account within a one-hour window, a high-severity alert is automatically generated and the security team is notified.
High and critical severity events trigger automated email alerts to the security team in real time. Alert categories include brute force detection, account suspensions, administrative privilege escalations, and anomalous access patterns.
Our hosting infrastructure includes a Web Application Firewall with DDoS protection, IP-based access controls, OWASP managed rulesets, and bot protection. All incoming traffic is inspected at the edge before reaching application servers.
A public health check endpoint monitors database connectivity, application availability, and system performance. This endpoint supports integration with external uptime monitoring services for 24/7 coverage.
Security events are recorded in two independent systems: our application-level audit log and our authentication provider's built-in audit log. This dual trail ensures no single point of failure for security event recording and provides independent verification of incident timelines.
Upon confirming a security incident, the following containment measures are available and can be executed immediately through our administrative security dashboard:
Compromised accounts can be immediately suspended, which blocks all API access, bans the account at the authentication provider level (preventing token refresh), invalidates all active sessions across all devices, and generates an audit log entry with the full action context.
For situations requiring session termination without full account suspension, all active sessions for a specific user can be globally revoked. The user retains their account but must re-authenticate on all devices.
Attacking IP addresses identified through audit log analysis can be blocked at the WAF level. IP blocking is applied at the edge network and takes effect immediately across all application endpoints.
In the event of infrastructure-level compromise, service credentials including database connection strings, API keys, authentication service keys, and third-party integration tokens can be rotated. Credential rotation procedures are documented in our internal runbooks.
Following containment, the security team conducts a thorough root cause analysis using audit log data, infrastructure logs, and any available forensic evidence. The analysis identifies the attack vector, scope of compromise, and any vulnerabilities exploited.
Based on root cause analysis, remediation actions are implemented. These may include patching vulnerabilities, updating access controls, strengthening authentication requirements, modifying firewall rules, or updating application code.
Affected systems are restored to a known-good state. User accounts are unsuspended after identity verification, sessions are re-established, and normal operations resume under enhanced monitoring.
Following an incident, enhanced monitoring is implemented for a minimum of 30 days. This includes increased alert sensitivity, additional logging, and more frequent security reviews of the affected systems.
Preserving evidence is critical for post-incident analysis, compliance requirements, and potential legal proceedings.
Complete audit logs can be exported in CSV format with full detail payloads including event IDs, user identities, IP addresses, user agents, endpoints, timestamps, and action-specific metadata. Exports are generated before any remediation actions are taken.
Audit logs are indexed by severity, event type, user identity, and timestamp, enabling rapid filtering and analysis during active incidents. Pagination ensures complete data access regardless of log volume.
Exported evidence files are stored with descriptive naming conventions including incident date and description. Access to evidence files is restricted to authorized security personnel and is tracked for chain of custody purposes.
Evidence from both the application audit log and the authentication provider's audit log is cross-referenced to verify incident timelines and ensure completeness. Discrepancies between the two trails are investigated as part of the evidence review process.
Security alerts are automatically distributed to the security team via email when high or critical severity events are detected. The Incident Commander coordinates all internal communications during an active incident.
Users affected by a confirmed security incident are notified within 72 hours of incident confirmation, in compliance with applicable data protection regulations. Notifications include a description of the incident, the data potentially affected, actions taken, and recommended user actions.
Enterprise clients receive dedicated incident communications through their designated security contacts. Communication timelines and formats are governed by the applicable Service Level Agreement (SLA). Enterprise clients may request detailed incident reports for their own compliance and audit requirements.
Where a data breach meets the notification threshold under applicable regulations (including GDPR, CCPA, and state breach notification laws), the relevant supervisory authorities are notified within the required timeframes. Legal counsel coordinates all regulatory notifications.
Public communications regarding security incidents are authorized only by the Executive Sponsor and coordinated through the Communications Lead. Public statements are reviewed by legal counsel before release.
A formal post-incident review is conducted within 48 hours of incident closure for P1 and P2 incidents, and within one week for P3 incidents.
Each reviewed incident produces a formal report containing: a complete timeline of events, root cause analysis, scope and impact assessment, containment and remediation actions taken, effectiveness evaluation, and recommended improvements.
Findings from post-incident reviews are incorporated into updated procedures, detection rules, and response playbooks. This Incident Response Plan is updated to reflect lessons learned and close any identified procedural gaps.
Ad Legends' security infrastructure includes the following technical controls:
Ad Legends follows Zero Data Retention (ZDR) principles for AI processing. User content and prompts sent to AI models are processed ephemerally and are never used to train, fine-tune, or improve any AI models. Creative content remains exclusively owned by the user.
Ad Legends operates on SOC 2 Type II–compliant infrastructure. Our security controls are designed to meet or exceed the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.
All user assets, brand materials, and creative content are stored in globally redundant, encrypted storage with private access controls. Direct public access to storage is prohibited; all asset access is mediated through authenticated proxy endpoints.
Enterprise customers may request a Data Processing Addendum (DPA) that provides additional contractual commitments regarding data handling, security controls, breach notification, and compliance obligations.
This Incident Response Plan is aligned with the following standards and regulations:
This Incident Response Plan is reviewed and updated at least annually by the security team and executive leadership. Reviews assess the effectiveness of current procedures, incorporate industry developments, and address any identified gaps.
Following any P1 or P2 security incident, this plan is reviewed within 30 days to incorporate lessons learned and procedural improvements identified during the post-incident review.
The Incident Response Team conducts tabletop exercises at least twice per year to validate procedures, identify gaps, and ensure team readiness. Exercise scenarios are based on current threat intelligence and lessons learned from past incidents.
For security concerns, incident reports, or questions about this plan, please contact us through the following channels:
Enterprise clients with dedicated SLAs should contact their assigned account representative or use the enterprise support channel specified in their service agreement.