SFC - Incident Response

Revision 1.1 · Updated 2026-04-17

The SEAL Framework Checklist (SFC) for Incident Response provides structured guidelines to help teams remain prepared for security incidents affecting blockchain protocols. It covers team structure, monitoring, alerting, and response procedures.

Related: Organizational account takeover monitoring and response coordinates with SFC - Identity & Accounts (ida-4.1.1). IR handles incident response flow; I&A handles account-control baselines.

For more details on certifications or self-assessments, refer to the Certification Guidelines.

Section 1: Governance & Team Structure

ir-1.1.1 · IR Team and Role Assignments
Do you have an incident response team with clearly defined roles and responsibilities?
Baseline Requirements
  • Response leadership defined with named backups: incident commander (coordination, task assignment, time-sensitive decisions) and decision makers for high-stakes choices (system shutdown, public disclosure, fund recovery)
  • Supporting roles defined: subject matter experts for key domains (smart contracts, infrastructure, security), scribe for real-time documentation, communications lead, and legal support covering response review, whitehat engagement, and disclosure
  • Roles, authorities, and escalation paths reviewed at least annually and after major protocol changes, team restructuring, or incidents
ir-1.1.2 · Stakeholder Coordination and Contacts
Do you maintain current contacts and coordination procedures for all parties needed during an incident?
Baseline Requirements
  • Internal coordination procedures between technical teams (devs, auditors) and operational teams (security council, communications)
  • External contacts maintained for protocol dependencies (both directions), external expertise (forensics, consultants, SEAL 911, auditors), legal and PR, and infrastructure vendor support
  • Contact list reviewed at least quarterly and after team changes
  • Escalation order documented for P1 incidents (e.g., SEAL 911 → decision makers → security partners → legal)

Section 2: Monitoring, Detection & Alerting

ir-2.1.1 · Threat Model for Protocol Operations
Do you maintain a threat model for protocol operations, including external dependencies?
Baseline Requirements
  • Threat model identifies adversaries, attack surfaces, and likely incident scenarios for protocol operations
  • Identifies single points of failure and highly centralized components across onchain and offchain layers (e.g., cross-chain messaging providers, oracle providers, critical infrastructure dependencies)
  • Covers external dependencies (infrastructure providers, oracles, bridges, integrations, custody partners) and how their compromise would propagate
  • Anchors what the monitoring program detects and what incident playbooks cover
  • Reviewed at least annually and after significant changes (new integrations, architecture shifts, threat landscape changes)
  • Shared with the IR team so detection and response are anchored to the same threat picture
ir-2.1.2 · Monitoring Coverage
Do you maintain monitoring coverage for your critical systems, protocols, and external attack surfaces?
Baseline Requirements
  • Monitoring covers critical smart contracts, infrastructure, and on-chain activity
  • 24/7 monitoring capabilities with procedures for after-hours alert handling
  • Credential and secret exposure detection including dark web monitoring, breach database scanning, and secret scanning in code repositories
  • Organizational account monitoring including social media accounts and websites monitored for unauthorized access or compromise
  • Monitoring coverage documented — what's covered, what's not, and known gaps
ir-2.1.3 · Alerting, Paging, and Escalation
Do you have alerting and paging systems that reliably route incidents to available responders?
Baseline Requirements
  • Automated alerting with embedded triage guidance to distinguish true incidents from false positives
  • Triage and classification procedures with severity-based escalation, including time-based escalation when unacknowledged and management notification for high-severity incidents
  • Redundant paging systems with documented failover procedures
  • On-call schedules with adequate coverage and documented backup procedures when on-call personnel are unreachable
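The routing behaviour this item asks for (severity-based escalation, time-based escalation while an alert stays unacknowledged, management notification for high-severity, failover to a second paging channel, and triage guidance embedded in the page) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the SEAL framework; the severity tiers, timings, rule names and triage text are constructed for illustration.

```python
"""Severity-based alert routing with time-based escalation and paging failover.

Added example for this checklist item; tier names, timings and rules are
constructed values, not SFC-mandated ones.
"""
from dataclasses import dataclass, field
from typing import Optional

# Escalation policy per severity: who is paged in order, how many minutes each
# tier gets to acknowledge before the next tier is paged, and whether management
# is notified when the alert opens. Constructed for illustration.
POLICY = {
    "P1": {"tiers": ["primary-oncall", "backup-oncall", "incident-commander"],
           "ack_minutes": 5, "notify_management": True},
    "P2": {"tiers": ["primary-oncall", "backup-oncall"],
           "ack_minutes": 15, "notify_management": False},
    "P3": {"tiers": ["primary-oncall"],
           "ack_minutes": 60, "notify_management": False},
}

# Detection rules carrying their own triage guidance so it travels with the page.
RULES = {
    "oracle-price-deviation": {
        "severity": "P1",
        "triage": "Compare against two independent price sources before pausing; "
                  "a single-source spike is usually a feed glitch, not an incident."},
    "rpc-latency-high": {
        "severity": "P3",
        "triage": "Check the provider status page; fail over RPC if latency persists."},
}


@dataclass
class Alert:
    alert_id: str
    rule: str
    severity: str
    triage: str
    opened_at: int                       # simulation clock in minutes (constructed)
    acked_at: Optional[int] = None
    tier_index: int = 0
    notifications: list = field(default_factory=list)


def open_alert(alert_id, rule, now):
    cfg = RULES[rule]
    return Alert(alert_id, rule, cfg["severity"], cfg["triage"], opened_at=now)


def deliver(target, pagers):
    """Try each paging channel in order; return the channel that delivered, or None."""
    for name, send in pagers:
        if send(target):
            return name
    return None


def escalate(alert, now, pagers):
    """Advance escalation for an unacknowledged alert; return notifications made this tick."""
    if alert.acked_at is not None:
        return []
    cfg = POLICY[alert.severity]
    # Tier the alert should be at given how long it has gone unacknowledged.
    target_tier = min((now - alert.opened_at) // cfg["ack_minutes"], len(cfg["tiers"]) - 1)
    new = []
    if not alert.notifications:  # first tick: page tier 0 and, for P1, notify management
        first = cfg["tiers"][0]
        new.append(("page", first, deliver(first, pagers), now))
        if cfg["notify_management"]:
            new.append(("notify", "management", deliver("management", pagers), now))
    while alert.tier_index < target_tier:
        alert.tier_index += 1
        who = cfg["tiers"][alert.tier_index]
        new.append(("page", who, deliver(who, pagers), now))
    alert.notifications.extend(new)
    return new


def simulate(rule, ack_at=None, horizon=15, step=5, primary_up=True):
    """Drive one alert through the policy on a fixed clock; return the notification timeline."""
    pagers = [("primary-pager", lambda t: primary_up),  # primary channel may be down
              ("backup-pager", lambda t: True)]          # redundant channel always reachable
    alert = open_alert("alert-001", rule, now=0)
    timeline = []
    for now in range(0, horizon + 1, step):
        if ack_at is not None and now >= ack_at and alert.acked_at is None:
            alert.acked_at = now
        timeline.extend(escalate(alert, now, pagers))
    return timeline
```

Running `simulate("oracle-price-deviation")` with nobody acknowledging pages the primary on-call and notifies management at minute 0, the backup at minute 5, and the incident commander at minute 10; with `primary_up=False` every notification shows it went out over the backup pager, which is the failover this item requires you to document and test.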
ir-2.1.4 · Logging Integrity and Retention
Do you maintain tamper-evident logs with adequate retention for incident investigation?
Baseline Requirements
  • Log retention periods defined for security, infrastructure, and cloud provider logs
  • Retention adequate for forensic analysis (consider regulatory requirements and typical investigation timelines)
  • Tamper-evident logging for security-relevant events including access logs, alerting system logs, and infrastructure logs
  • Alerts triggered if logs are altered, deleted, or if monitoring/logging is disabled
  • Log sources documented — what's captured and where it's stored
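One way to make logs tamper-evident and to raise the alerts this item calls for is to chain records with a keyed MAC and verify the chain from a host that holds the key. The following is an added example written for this page, not code from the SEAL framework; the sample events, key and 30-minute silence threshold are constructed for illustration.

```python
"""Tamper-evident log chain: every record carries an HMAC over its own content and
the previous record's MAC, so altering, reordering or deleting records breaks the chain.

Added example for this checklist item; events, key and thresholds are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-MAC value for the first record

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2026-04-17T09:00:00Z", "source": "access", "msg": "admin login from 10.0.0.5"},
    {"ts": "2026-04-17T09:05:00Z", "source": "alerting", "msg": "rule oracle-deviation fired"},
    {"ts": "2026-04-17T09:07:00Z", "source": "infra", "msg": "signer host reboot"},
    {"ts": "2026-04-17T10:40:00Z", "source": "infra", "msg": "monitoring agent restarted"},
]


def _canonical(seq, prev_hash, event):
    # Deterministic encoding so writer and verifier compute the same MAC.
    payload = {"seq": seq, "prev": prev_hash, "event": event}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, event, key):
    """Append an event, binding it to the previous record with an HMAC-SHA256."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    mac = hmac.new(key, _canonical(seq, prev_hash, event), hashlib.sha256).hexdigest()
    record = {"seq": seq, "prev": prev_hash, "event": event, "hash": mac}
    chain.append(record)
    return record


def build_chain(events, key):
    chain = []
    for ev in events:
        append_record(chain, ev, key)
    return chain


def verify_chain(chain, key, expected_length=None):
    """Return a list of findings; an empty list means the chain is intact.

    expected_length comes from a counter stored separately from the log host, which is the
    only way to notice that records were silently dropped from the end.
    """
    findings = []
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            findings.append(f"position {i}: record claims seq {rec['seq']} (record deleted?)")
        if rec["prev"] != prev_hash:
            findings.append(f"seq {rec['seq']}: prev pointer does not match previous record")
        expected = hmac.new(key, _canonical(rec["seq"], rec["prev"], rec["event"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["hash"]):
            findings.append(f"seq {rec['seq']}: MAC mismatch (record altered)")
        prev_hash = rec["hash"]
    if expected_length is not None and len(chain) < expected_length:
        findings.append(f"chain truncated: expected {expected_length} records, found {len(chain)}")
    return findings


def detect_silence(chain, max_gap=timedelta(minutes=30)):
    """Flag gaps between consecutive events longer than max_gap (logging possibly disabled)."""
    stamps = [datetime.strptime(r["event"]["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
              for r in chain]
    return [f"no log events between {a.isoformat()} and {b.isoformat()}"
            for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


def demo():
    """Build a chain, then show what an intact, an altered and a truncated copy report."""
    key = b"verifier-key-kept-off-the-log-host"  # constructed; keep it away from the writer host
    chain = build_chain(SAMPLE_EVENTS, key)
    intact = verify_chain(chain, key, expected_length=len(SAMPLE_EVENTS))
    tampered = json.loads(json.dumps(chain))          # deep copy
    tampered[0]["event"]["msg"] = "admin login from 10.0.0.99"
    altered = verify_chain(tampered, key, expected_length=len(SAMPLE_EVENTS))
    truncated = verify_chain(chain[:2], key, expected_length=len(SAMPLE_EVENTS))
    return intact, altered, truncated, detect_silence(chain)
```

The verification key must live with the verifier, not on the host that writes the logs; otherwise whoever can rewrite the log can also recompute the MACs. Deletion in the middle of the chain shows up as a broken prev pointer and a sequence gap, but deletion at the end is only visible against a record count stored elsewhere, which is why `expected_length` is a separate input. The silence check covers the "monitoring/logging disabled" case: a gap longer than the expected heartbeat interval is itself an alert condition.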

Section 3: Response & Emergency Operations

ir-3.1.1 · Response Playbooks
Do you maintain response playbooks for common incident types?
Baseline Requirements
  • Playbooks cover key scenarios including protocol exploits, infrastructure failures, access control breaches, key compromise, supply chain compromises, and frontend/DNS compromise
  • Each playbook includes initial response actions covering containment, evidence preservation, and stakeholder notification
  • Role-specific responsibilities defined for each scenario (who does what — technical, comms, legal)
  • Escalation criteria documented for when to engage leadership, when to shut down systems, when to make public disclosure, and when to engage external assistance
  • Key compromise playbook includes procedures for rotating keys and replacing compromised signers, with threshold and access reviewed after any signer replacement
ir-3.1.2 · Signer Reachability and Coordination
Can you reach enough signers to execute emergency on-chain actions at any time, including outside business hours?
Baseline Requirements
  • Procedures for coordinating multisig operations during incidents, including cross-timezone signer availability
  • Signers integrated into on-call/paging systems
  • Escalation paths documented for when signers are unreachable
  • Signer reachability and coordination procedures tested at least quarterly
ir-3.1.3 · Emergency Transaction Readiness
Do you have backup signing infrastructure and pre-prepared emergency transactions for critical protocol functions?
Baseline Requirements
  • Pre-signed or pre-prepared emergency transactions for critical protocol functions (pause, freeze, parameter changes) where feasible
  • Backup signing infrastructure available including alternate signing UI, backup RPC providers, and alternate block explorer
  • Emergency execution procedures documented (what to pause/freeze/modify and the process for doing so)

Section 4: Communication & Coordination

ir-4.1.1 · Incident Communication Channels
Do you maintain secure, dedicated communication channels for incident response?
Baseline Requirements
  • Dedicated incident communication channels with documented access controls and member lists
  • Multiple communication channels (primary and backup) on different platforms, with documented failover procedures
  • Procedures for rapidly creating incident-specific channels (war room) when needed
  • Secure communication procedures for sensitive incident information including need-to-know access and encrypted channels
ir-4.1.2 · Internal Status Updates
Do you have procedures for providing regular status updates to stakeholders during incidents?
Baseline Requirements
  • Status update cadence defined by severity level
  • Format and distribution lists for internal stakeholders
ir-4.1.3 · Public Communication and Information Management
Do you have procedures for public communication and information management during incidents?
Baseline Requirements
  • Pre-approved communication templates for different incident types and severity levels
  • Procedures for coordinating communications with protocol users during and after incidents
  • Procedures for managing public information flow and correcting misinformation during active incidents
  • Designated communications approval flow before public statements are released

Section 5: Testing & Continuous Improvement

ir-5.1.1 · IR Drills and Testing
Do you conduct regular incident response drills and evaluate the results?
Baseline Requirements
  • Drills conducted at least annually, covering different incident types across exercises (protocol exploit, infrastructure failure, key compromise)
  • Tests the full response pipeline end-to-end: monitoring, alerting, paging, triage, escalation, team coordination, containment, and recovery
  • Drill documentation includes date, scenario, participants, response times, gaps identified, and corrective actions
  • Corrective actions tracked with owners and deadlines; findings incorporated into playbook and procedure updates