SOC2 CC7.3 · SOC2 CC7.4 · NIST SP 800-61 · Incident Response · Deep Prototype

IncidentLog — SOC2 CC7 Incident Register

18 incidents over 24 months. Per-incident severity (SEV-1 to SEV-4), MTTD, MTTR, NIST 800-61 lifecycle timeline, and post-mortem actions (shipped vs open). Includes one DSAR that missed the Art 12(3) deadline (Twilio gap), one credential-stuffing wave, and one vendor-disclosed breach with the 72-hour Art 33 notification timeline.


What it is

IncidentLog models the shape behind every incident-management register (PagerDuty post-mortems, FireHydrant, Jeli, Rootly). It is the artifact the SOC2 auditor pulls under CC7.3: every incident with title, severity, timeline, MTTR, and action items.

What’s in it

  • 18 incidents spanning 24 months across 8 categories:
    • security-breach — sub-processor compromise, credential stuffing, phishing
    • data-exfil-attempt — bare-IP outbound (drill)
    • shadow-it — Heap.io marketing tag firing without DPA
    • secret-leak — AWS access key in public commit
    • availability — region-wide RDS outage, OpenSearch CCR lag, SES throttle
    • data-integrity — Snowflake schema drift, cart-svc lag spike, silent backup corruption
    • compliance — DSAR-09167 missed Art 12(3) deadline (Twilio gap from RtbfFlow)
    • access-control — former employee OAuth token, scope-grant template typo
  • Per-incident shape:
    • SEV-1 (60-min SLA) through SEV-4 (1-week SLA), with pass/miss vs SLA
    • MTTD (mean time to detect), MTTR (mean time to resolve)
    • NIST SP 800-61 lifecycle timeline — what happened, in what order, with timestamps
    • Root cause (RCA)
    • Action items with shipped/open state and the actual action (e.g., “EgressGate review-board cadence reduced from weekly to daily”)
  • Cross-tool callbacks — incidents reference EgressGate, RtbfFlow, ChaosScore, ScopeCreep, CSPReporter, SecretRotation — showing the full prototype mesh.

Why this shape

SOC2 CC7.3 (incident-response process), CC7.4 (incident-response evaluation), and CC7.5 (recovery) all measure the same thing: whether you log, learn, and ship fixes. The action-items column is the single most important field, because open items 6 months old are the audit finding. IncidentLog prototypes that visibility directly.
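The check this section describes, as an added example that is not IncidentLog's own code: it walks a register, marks each incident pass or miss against its severity SLA, and lists incidents whose open action items have aged past six months. The field names, the SEV-2 and SEV-3 SLA values, measuring the SLA on time to resolve from detection, and reading "6 months" as 180 days are all assumptions; the sample incidents are constructed.

```javascript
// Added example: record shape and field names are hypothetical, not IncidentLog's own.
const SLA_MINUTES = {
  "SEV-1": 60,          // from the page
  "SEV-2": 4 * 60,      // assumed
  "SEV-3": 24 * 60,     // assumed
  "SEV-4": 7 * 24 * 60, // from the page (1 week)
};
const STALE_DAYS = 180; // "6 months", approximated (assumption)

// Constructed sample data.
const SAMPLE_INCIDENTS = [
  { id: "INC-0001", severity: "SEV-1", category: "secret-leak",
    occurredAt: "2024-03-01T10:00:00Z", detectedAt: "2024-03-01T10:05:00Z",
    resolvedAt: "2024-03-01T10:50:00Z",
    actions: [{ state: "open", openedAt: "2024-03-02T00:00:00Z" }] },
  { id: "INC-0002", severity: "SEV-1", category: "availability",
    occurredAt: "2024-05-02T08:00:00Z", detectedAt: "2024-05-02T08:30:00Z",
    resolvedAt: "2024-05-02T10:00:00Z",
    actions: [{ state: "shipped", openedAt: "2024-05-03T00:00:00Z" }] },
  { id: "INC-0003", severity: "SEV-4", category: "data-integrity",
    occurredAt: "2024-11-01T00:00:00Z", detectedAt: "2024-11-02T00:00:00Z",
    resolvedAt: null, // still unresolved: the clock runs to the audit date
    actions: [{ state: "open", openedAt: "2024-11-06T00:00:00Z" }] },
];

const minutes = (from, to) => (Date.parse(to) - Date.parse(from)) / 60000;

function auditIncident(inc, asOf) {
  const sla = SLA_MINUTES[inc.severity];
  if (sla === undefined) throw new Error(`unknown severity: ${inc.severity}`);
  // Time to resolve is measured from detection (assumption).
  const ttrMin = minutes(inc.detectedAt, inc.resolvedAt ?? asOf);
  const staleActions = inc.actions.filter(
    (a) => a.state === "open" && minutes(a.openedAt, asOf) >= STALE_DAYS * 1440);
  return { id: inc.id, ttdMin: minutes(inc.occurredAt, inc.detectedAt),
           ttrMin, resolved: inc.resolvedAt != null, slaMet: ttrMin <= sla, staleActions };
}

function auditRegister(incidents, asOf) {
  const rows = incidents.map((inc) => auditIncident(inc, asOf));
  return {
    rows,
    slaMisses: rows.filter((r) => !r.slaMet).map((r) => r.id),
    staleFindings: rows.filter((r) => r.staleActions.length > 0).map((r) => r.id),
  };
}
```

In the sample, INC-0001 met its SLA yet is the only stale-action finding, while INC-0002 missed its SLA but shipped its fix.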

How it ships

Single HTML file, ~27KB. Zero dependencies. 18 incidents × 8 categories × full timelines + action-item tracking in 260 lines of vanilla JavaScript.
