Chapter 20

The Ambush

Incident Response

When an attack is active, forward motion is the fastest way to make things worse.

Rothütle and YAML don't win by fighting harder.
They survive by falling back to a position where protection still exists.

This is how real incident response works.

1. Fallback — Stop the Bleeding

  • Isolate affected systems.
  • Cut network access if needed.
  • Disable compromised credentials or workloads.
  • Accept partial downtime to prevent full compromise.

If visibility is gone, assume the attacker still has access.

2. Regroup — Re-establish Control

  • Restore logging and monitoring.
  • Verify which systems are still trustworthy.
  • Identify blast radius before touching production.
  • Communicate clearly: who owns decisions, who investigates.

Chaos kills response effectiveness faster than attackers do.

3. Restore — Rebuild from Known-Good State

  • Rebuild systems from clean images.
  • Redeploy from verified pipelines.
  • Rotate secrets after containment.
  • Bring services back gradually, validating at each step.

Never "clean" a compromised system. Replace it.
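As an added example (not part of the chapter), the three phases above written as a phase-gated runbook in Python: it refuses to rotate secrets during fallback, refuses to restore before regroup and rotation are done, and stops a staged rollout at the first failed validation. Every name here (Incident, regroup, begin_restore, rejected) is hypothetical.

```python
from dataclasses import dataclass, field

class RunbookError(Exception): "An action attempted out of order; the runbook refuses it."

@dataclass
class Incident:
    phase: str = "fallback"                          # fallback -> regroup -> restore
    isolated: set = field(default_factory=set)       # hosts cut off from the network
    blast_radius: set = field(default_factory=set)   # hosts believed compromised
    secrets_rotated: bool = False
    halted: bool = False                             # rollout stopped by a failed check

def isolate(inc: Incident, host: str) -> None:   # fallback: allowed in any phase,
    inc.isolated.add(host)                       # it only ever reduces attacker access

def regroup(inc: Incident, logging_ok: bool, blast_radius: set) -> str:
    """Leave fallback only with visibility back and every suspect host contained."""
    if inc.phase != "fallback" or not logging_ok:
        raise RunbookError("no visibility: assume the attacker still has access")
    if not blast_radius <= inc.isolated:
        raise RunbookError("compromised hosts still reachable: contain them first")
    inc.blast_radius, inc.phase = set(blast_radius), "regroup"
    return inc.phase

def rotate_secrets(inc: Incident) -> None:   # secrets issued while the attacker
    if inc.phase == "fallback":              # still has access just leak as well
        raise RunbookError("rotate secrets after containment, not during")
    inc.secrets_rotated = True

def begin_restore(inc: Incident) -> str:
    if inc.phase != "regroup" or not inc.secrets_rotated:   # rebuild only after both
        raise RunbookError("regroup and rotate secrets before rebuilding")
    inc.phase = "restore"
    return inc.phase

def restore(inc: Incident, host: str, validate) -> bool:
    """Bring one rebuilt host back; halt the whole rollout at the first failed check."""
    if inc.phase != "restore" or inc.halted:
        raise RunbookError("not in restore phase, or rollout already halted")
    if not validate(host):
        inc.halted = True
        return False
    return True

def rejected(action, *args) -> bool:   # True when the runbook refuses the action
    try:
        action(*args)
    except RunbookError:
        return True
    return False
```

The validate callable stands in for whatever check you run before a host takes traffic again (health endpoint, integrity check, clean-image attestation).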

The Core Lesson

Incidents are not won by heroics.
They are survived by discipline, retreat, and controlled recovery.

Fall back.
Regroup.
Restore stability.

Everything else is noise.