Process Security, Pillar 02
When an exploit hits, the clock starts immediately. Funds move in seconds. The first fifteen minutes determine whether you contain the damage or watch it compound. Teams that have a practiced incident response plan move fast and make fewer mistakes. Teams that improvise under pressure make the decisions that cost them everything.
Incident response planning for Web3 is categorically different from traditional IT security operations. A DeFi protocol under active exploit cannot simply "take the system offline": pausing a contract may itself require a multi-sig approval process that takes minutes, while an attacker drains funds in a single block. The response must be faster, more rehearsed, and more specifically adapted to on-chain constraints than any enterprise incident response framework provides for.
We build incident response plans and runbooks tailored to your specific protocol, your multi-sig configuration, your team structure, and the threat scenarios most relevant to your architecture. We then test those plans through tabletop exercises, structured simulations that expose gaps, build team muscle memory, and ensure that the first time anyone asks "who calls the pause function?" is not during an actual exploit.
Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.
Speed Saves Funds. Euler Proved It.
“When Euler Finance lost $197M to a flash loan attack in March 2023, the team activated their emergency pause mechanism within hours of detecting the exploit, freezing further withdrawals and preserving a portion of user funds. They then opened on-chain communication with the attacker and began negotiations. By April 2023, $176M, 90% of the stolen amount, had been returned. The pause mechanism existed. The team had rehearsed using it. That rehearsal was the difference between a contained incident and total loss.”
KyberSwap: When There Is No Plan
“The KyberSwap exploit in November 2023 ($48M) hit multiple chains simultaneously. By the time the team understood the full scope, funds had already been drained from Arbitrum, Optimism, Ethereum, Polygon, and Base. There was no pre-agreed cross-chain pause procedure, no documented escalation path for a multi-chain simultaneous attack, and no runbook for on-chain attacker communication. The team improvised under pressure, in public, in real time. Tabletop exercises are designed to surface exactly those gaps before an attacker does.”
Security operations for Web3 protocols require SOC-level preparation without the enterprise SOC infrastructure. We bring that capability to teams of any size, designing the detection, escalation, and response processes that let you move at the speed a blockchain incident demands.
The Framework
A complete Web3 incident response plan covers five phases, each with specific owners, decision points, and time constraints. Most DeFi teams have informal coverage of one or two. We build all five.
On-chain monitoring alerts, anomaly detection thresholds, and the immediate triage process that determines whether an event is an exploit, an operational error, or a false positive. Who receives the alert, how they assess it, and what the decision threshold is for escalating to full incident response.
Pause function activation, liquidity removal, frontend takedown, and any other containment action specific to your protocol. Who executes each action, in what order, and what the multi-sig or single-key requirements are. Pre-staged transactions for common containment actions, ready to broadcast immediately.
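The detection-and-triage and containment phases above come down to a small decision procedure: measure outflow over a short block window against thresholds set relative to TVL, classify the event as noise, an operational anomaly or a suspected exploit, and map that class to the pre-staged containment actions in the runbook. The following is an added illustration of that procedure, not code from this page or from any protocol; the thresholds, the sample outflow events, the TVL figure and the action names are all constructed for the example, and real values would be tuned per protocol.

```python
"""Added example: threshold-based triage of on-chain outflow events and
selection of pre-staged containment actions. All thresholds, events and
action names are constructed for illustration (hypothetical runbook)."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Outflow:
    """One observed transfer out of the protocol (constructed sample data)."""
    block: int
    token: str
    amount_usd: float
    recipient_known: bool  # True if the recipient is on the protocol's allowlist


# Hypothetical triage thresholds, expressed as fractions of TVL leaving
# within the last `window_blocks` blocks.
THRESHOLDS: Dict[str, float] = {
    "window_blocks": 5,
    "review_fraction": 0.02,    # above this: an on-call engineer reviews
    "incident_fraction": 0.10,  # above this: full incident response, no debate
}

# Hypothetical pre-staged containment actions per classification, in the
# order the runbook executes them. In a real runbook each entry would map
# to a prepared transaction or a named owner.
PRESTAGED_ACTIONS: Dict[str, List[str]] = {
    "noise": [],
    "operational_anomaly": ["page_oncall_engineer"],
    "suspected_exploit": [
        "broadcast_prestaged_pause_tx",
        "remove_protocol_liquidity",
        "take_down_frontend",
        "page_full_incident_team",
    ],
}


def in_window(event: Outflow, current_block: int, window_blocks: int) -> bool:
    """True if the event falls inside the trailing block window."""
    return 0 <= current_block - event.block < window_blocks


def window_totals(events: List[Outflow], current_block: int,
                  window_blocks: int) -> Tuple[float, float]:
    """Total outflow in the window, and the part going to unknown recipients."""
    total = unknown = 0.0
    for e in events:
        if in_window(e, current_block, window_blocks):
            total += e.amount_usd
            if not e.recipient_known:
                unknown += e.amount_usd
    return total, unknown


def classify(events: List[Outflow], tvl_usd: float, current_block: int,
             thresholds: Dict[str, float] = THRESHOLDS) -> str:
    """Classify the window as noise, operational_anomaly or suspected_exploit."""
    total, unknown = window_totals(events, current_block, int(thresholds["window_blocks"]))
    fraction = total / tvl_usd if tvl_usd > 0 else 0.0
    if fraction >= thresholds["incident_fraction"]:
        return "suspected_exploit"
    if fraction >= thresholds["review_fraction"]:
        # Large outflow to allowlisted recipients only is more likely a
        # migration or partner withdrawal; any unknown recipient escalates.
        return "suspected_exploit" if unknown > 0 else "operational_anomaly"
    return "noise"


def triage(events: List[Outflow], tvl_usd: float, current_block: int,
           thresholds: Dict[str, float] = THRESHOLDS) -> Dict[str, object]:
    """Return the classification and the ordered pre-staged actions for it."""
    cls = classify(events, tvl_usd, current_block, thresholds)
    total, unknown = window_totals(events, current_block, int(thresholds["window_blocks"]))
    return {
        "classification": cls,
        "window_outflow_usd": total,
        "unknown_recipient_usd": unknown,
        "actions": list(PRESTAGED_ACTIONS[cls]),
    }


# Constructed sample stream: a routine withdrawal, a known partner pull,
# then growing outflow to addresses nobody on the team recognises.
SAMPLE_TVL_USD = 1_000_000.0
SAMPLE_EVENTS = [
    Outflow(100, "USDC", 5_000.0, True),
    Outflow(101, "USDC", 30_000.0, True),
    Outflow(102, "WETH", 25_000.0, False),
    Outflow(103, "USDC", 90_000.0, False),
]

if __name__ == "__main__":
    for block in range(100, 104):
        print(block, triage(SAMPLE_EVENTS, SAMPLE_TVL_USD, block))
```

Run against the sample stream, the classification moves from noise at block 100, to an operational anomaly at block 101 (3.5% of TVL, all to known recipients), to a suspected exploit from block 102 onward, at which point the first action returned is the pre-staged pause transaction. The point of the structure is that the escalation thresholds and the action order are decided in advance, so the person holding the alert at 3 a.m. is executing a decision rather than making one.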
On-chain forensic analysis, root cause identification, and the communication process that runs in parallel: internal team alignment, community updates, whitehat outreach if applicable, and regulatory notifications where required. Communication timing is itself a security and reputational decision.
The structured process for patching, redeploying or upgrading contracts, restoring user access, and handling any user fund compensation. Defining the criteria for declaring the incident resolved and the conditions that must be met before the protocol resumes normal operation.