Runbook: Exploit wave
Symptoms
- sudden increase in security violations
- server lag spikes correlated with remote spam
- player reports of unfair kills / teleporting
Containment
- Enable kill-switches:
  - disable ranked
  - disable trading
  - disable high-risk abilities/weapons
- Increase throttling on suspected endpoints
- Quarantine suspicious players (unranked-only)
Evidence capture
- record release version + protocol version
- capture top offending endpoints + payload patterns
- snapshot suspicious player ids and match ids
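The evidence-capture step as a script, added here as an example rather than taken from the original runbook: it parses constructed violation log lines (the field layout is an assumption) and produces the release/protocol versions, top offending endpoints and payload patterns, suspect player ids and their match ids.

```python
import re
from collections import Counter

# Constructed sample lines; the field layout is an assumption, not a real game log format.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z release=1.4.2 proto=37 player=p1001 match=m77 endpoint=/move violation=speed
2024-05-01T12:00:02Z release=1.4.2 proto=37 player=p1001 match=m77 endpoint=/move violation=speed
2024-05-01T12:00:03Z release=1.4.2 proto=37 player=p1001 match=m77 endpoint=/move violation=teleport
2024-05-01T12:00:04Z release=1.4.2 proto=37 player=p2002 match=m77 endpoint=/trade violation=dup_item
2024-05-01T12:00:05Z release=1.4.2 proto=37 player=p3003 match=m78 endpoint=/move violation=speed
garbage line that should be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) release=(?P<release>\S+) proto=(?P<proto>\S+) player=(?P<player>\S+) "
    r"match=(?P<match>\S+) endpoint=(?P<endpoint>\S+) violation=(?P<violation>\S+)$"
)

def parse_violations(log_text):
    """Parse violation lines into dicts; malformed lines are skipped but counted."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return events, skipped

def evidence_snapshot(events, suspect_threshold=3):
    """Build the runbook's evidence: versions, top endpoints, payload patterns, suspects, matches."""
    versions = sorted({(e["release"], e["proto"]) for e in events})
    endpoints = Counter(e["endpoint"] for e in events)
    patterns = Counter((e["endpoint"], e["violation"]) for e in events)
    per_player = Counter(e["player"] for e in events)
    # A player is a quarantine candidate once they cross the violation threshold
    suspects = sorted(p for p, n in per_player.items() if n >= suspect_threshold)
    matches = sorted({e["match"] for e in events if e["player"] in suspects})
    return {
        "versions": versions,
        "top_endpoints": endpoints.most_common(3),
        "payload_patterns": patterns.most_common(3),
        "suspects": suspects,
        "matches": matches,
    }

if __name__ == "__main__":
    evs, skipped = parse_violations(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {skipped}")
    print(evidence_snapshot(evs))
```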
Response
- patch server validation rules first
- ship hotfix to dev → stage → prod
- consider ban wave after fixing the exploit vector
Post-incident
- add regression tests for the exploit
- add new detectors/signals
- update threat model and ADRs if architecture changes