Runbook: Exploit wave

Symptoms

  • sudden increase in security violations
  • server lag spikes correlated with remote spam
  • player reports of unfair kills / teleporting

Immediate containment

  1. Enable kill-switches:
       • disable ranked
       • disable trading
       • disable high-risk abilities/weapons
  2. Increase throttling on suspected endpoints
  3. Quarantine suspicious players (unranked-only)

Evidence capture

  • record release version + protocol version
  • capture top offending endpoints + payload patterns
  • snapshot suspicious player ids and match ids
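
One way to produce this evidence snapshot from server violation logs, as an added example that is not part of the original runbook. The JSON-lines log format, the field names, the endpoint names and the version values are all assumptions constructed for the example.

```python
import json
from collections import Counter

# Constructed sample: one JSON violation event per line. Field and endpoint names
# are assumptions for this example, not a real log schema. Last line is truncated.
SAMPLE_LOG = """\
{"release":"1.8.2","protocol":7,"endpoint":"Trade.Offer","player":101,"match":"m-1","payload":{"item":"sword","qty":-5}}
{"release":"1.8.2","protocol":7,"endpoint":"Trade.Offer","player":101,"match":"m-1","payload":{"item":"bow","qty":-900}}
{"release":"1.8.2","protocol":7,"endpoint":"Move.Teleport","player":202,"match":"m-2","payload":{"pos":[9999.0,0,9999.0]}}
{"release":"1.8.2","protocol":7,"endpoint":"Trade.Offer","player":303,"match":"m-2","payload":{"item":"gem","qty":1}}
{"release":"1.8.2","protocol":7,"endpoint":
"""

def shape(value):
    """Reduce a payload to its structure so repeated payloads group into one pattern."""
    if isinstance(value, dict):
        return "{" + ",".join(f"{k}:{shape(v)}" for k, v in sorted(value.items())) + "}"
    if isinstance(value, list):
        return "[" + ",".join(sorted({shape(v) for v in value})) + "]"
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return "bool"
    if isinstance(value, (int, float)):
        return "neg" if value < 0 else "num"  # sign kept: negative amounts stand out
    return "null" if value is None else "str"

def capture_evidence(log_text, top_n=3):
    """Build the snapshot: versions, top endpoints/patterns, player and match ids."""
    endpoints, patterns = Counter(), Counter()
    versions, players, matches = set(), set(), set()
    malformed = 0
    for line in filter(str.strip, log_text.splitlines()):
        try:
            ev = json.loads(line)
            endpoint = ev["endpoint"]
        except (ValueError, KeyError, TypeError):
            malformed += 1  # count, don't drop silently: gaps matter in evidence
            continue
        endpoints[endpoint] += 1
        patterns[(endpoint, shape(ev.get("payload")))] += 1
        versions.add((ev.get("release"), ev.get("protocol")))
        players.add(ev.get("player"))
        matches.add(ev.get("match"))
    return {"versions": sorted(versions, key=str),
            "top_endpoints": endpoints.most_common(top_n),
            "top_patterns": patterns.most_common(top_n),
            "player_ids": sorted(players, key=str),
            "match_ids": sorted(matches, key=str),
            "malformed_lines": malformed}

if __name__ == "__main__":
    print(json.dumps(capture_evidence(SAMPLE_LOG), indent=2))
```

Grouping by payload shape rather than raw payload keeps the snapshot small during a spam wave and gives the server validation patch a concrete pattern to reject.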

Response

  • patch server validation rules first
  • ship hotfix to dev → stage → prod
  • consider ban wave after fixing the exploit vector

Post-incident

  • add regression tests for the exploit
  • add new detectors/signals
  • update threat model and ADRs if architecture changes