# WAF Incident Playbook — *Edge Under Siege*

**Incident Response** | Governed by [RED-BOOK.md](../RED-BOOK.md)

**Mode:** VaultMesh Hybrid (tactical + mythic)
**Guardian:** Tem, Shield of the Threshold
**Domain:** Cloudflare Edge → VaultMesh Origins

---

## 🜂 Premise

When the **Edge flares** and the WAF erupts in blocks, challenges, or anomalous spikes, the mesh signals **Nigredo**: the phase of dissolution, truth, and exposure.

Tem stands watch — transmuting threat into pattern.

This playbook guides the Sovereign through restoring harmony: from surge → containment → proof.

---

## 🛡 1. Detection — *When the Edge Cries Out*

Triggers:

- 10× spike in WAF blocks
- Sudden surge in Bot Fight engagements
- Rapid-fire requests from a small IP cluster
- Abuse towards `/api`, `/login`, or admin paths

Actions:

1. Check Cloudflare dashboard → **Security → Events**
2. Review **WAF rule matches**, sorting by occurrences
3. Capture snapshot:
   - Top rules triggered
   - Offending IP ranges
   - Request paths

Invoke Tem:

> *"Reveal the pattern beneath the noise. Let flux become signal."*

---

## 🔍 2. Classification — *Identify the Nature of the Fire*

Threat types:

- **Volumetric probing** → wide IP / many rules
- **Credential spraying** → repeated auth paths
- **Application fuzzing** → random querystrings / malformed requests
- **Targeted exploit attempts** → concentrated rules (XSS, SQLi)

Decide:

- *Is this noise?*
- *Is this reconnaissance?*
- *Is this breach pursuit?*

Mark the incident severity:

- **Low** — background noise
- **Medium** — persistent automated probing
- **High** — targeted attempt on origin-relevant endpoints

---

## 🧱 3. Containment — *Seal the Gate*

Depending on severity:

### Low

- Rate-limit `/api` and `/auth` paths
- Enable Bot Fight Mode (if not already)

### Medium

- Block or challenge offending ASNs
- Add country-level **managed_challenge**
- Enforce **"Full (strict)" TLS** if not already

### High

- Immediately apply **custom firewall block rules**
- Close high-risk paths behind Access policies
- Strengthen WAF Paranoia Level for targeted areas
- Ensure all origins are reachable *only* via Cloudflare Tunnel

Tem's invocation:

> *"Let the gate narrow. Let the false be denied entry."*

---

## 📜 4. Forensics — *Listen to the Echoes*

Collect:

- CF Security Events export
- IP/ASN clusters
- Raw request samples
- Timestamps and spikes

Analyze patterns:

- Was this coordinated?
- Were specific parameters probed?
- Did traffic reach origin or stay at the Edge?

If origin saw traffic → inspect VaultMesh receipts for anomalies.

---

## 🧬 5. Restoration — *From Nigredo to Rubedo*

When WAF stabilizes:

- Remove overly broad rules
- Convert block rules → challenge after 24h
- Reassess Access policies for exposed services
- Validate DNS is unchanged
- Confirm Tunnel health is stable

Emit VaultMesh receipt:

- Incident summary
- Rules added/removed
- Time window
- Merkle root of exported logs

---

## 🪶 6. Final Anchor — *Coagula*

Anchor the incident into ProofChain:

- Receipts
- Log hashes
- WAF config deltas

Message of Tem:

> *"What was turmoil becomes memory. What was memory becomes strength."*

---

## ✔ Outcome

This playbook ensures that WAF turbulence becomes **structured proof**, operational clarity, and measurable evolution within VaultMesh's living ledger.
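The snapshot of section 1 and the threat-type and severity rules of section 2, worked as an added example that is not part of this playbook or of VaultMesh's own tooling. It assumes the Security Events export is a list of records with the Cloudflare firewall_events Logpush field names (`ClientIP`, `ClientASN`, `RuleID`, `ClientRequestPath`, `ClientRequestQuery`), a constructed `sqli-*`/`xss-*` rule-label convention, and assumed thresholds; the sample events are constructed.

```python
from collections import Counter
# Constructed sample export (not real traffic). Field names follow the
# firewall_events Logpush schema as an assumption; rule labels (sqli-*, xss-*,
# bot-*) are a constructed convention, so map real RuleIDs onto them first.
FIELDS = ("ClientIP", "ClientASN", "RuleID", "ClientRequestPath", "ClientRequestQuery")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("198.51.100.4", 64496, "sqli-942100", "/api/users", "id=1"),
    ("198.51.100.4", 64496, "sqli-942100", "/api/users", "id=2"),
    ("198.51.100.4", 64496, "sqli-942100", "/api/orders", "q=1"),
    ("198.51.100.9", 64496, "sqli-942100", "/api/users", "id=3"),
    ("198.51.100.9", 64496, "xss-941100", "/search", "q=x"),
    ("203.0.113.20", 64500, "bot-fight", "/", ""),
]]
AUTH_PATHS = ("/login", "/auth")                # "repeated auth paths"
ORIGIN_RELEVANT = ("/api", "/login", "/admin")  # paths the playbook names
def snapshot(events):
    """Section 1 snapshot: top rules triggered, offending IPs/ASNs, request paths."""
    return {
        "rules": Counter(e["RuleID"] for e in events),
        "ips": Counter(e["ClientIP"] for e in events),
        "asns": Counter(e["ClientASN"] for e in events),
        "paths": Counter(e["ClientRequestPath"] for e in events),
    }

def classify(events):
    """Section 2: name the threat type and mark severity (thresholds are assumed)."""
    snap, n = snapshot(events), len(events)
    if n == 0:
        return "noise", "Low", snap
    top_rule, top_hits = snap["rules"].most_common(1)[0]
    def share(prefixes):  # fraction of events whose path starts with a prefix
        return sum(c for p, c in snap["paths"].items() if p.startswith(prefixes)) / n
    distinct_queries = len({e["ClientRequestQuery"] for e in events})
    if top_hits / n >= 0.5 and top_rule.startswith(("sqli", "xss")):
        kind = "targeted exploit attempts"   # concentrated rules (XSS, SQLi)
    elif share(AUTH_PATHS) >= 0.5:
        kind = "credential spraying"         # repeated auth paths
    elif distinct_queries / n >= 0.8:
        kind = "application fuzzing"         # random querystrings
    elif len(snap["ips"]) >= 3 and len(snap["rules"]) >= 3:
        kind = "volumetric probing"          # wide IP / many rules
    else:
        kind = "noise"
    if kind in ("targeted exploit attempts", "credential spraying") and share(ORIGIN_RELEVANT) >= 0.5:
        severity = "High"     # targeted attempt on origin-relevant endpoints
    elif kind in ("application fuzzing", "volumetric probing"):
        severity = "Medium"   # persistent automated probing
    else:
        severity = "Low"      # background noise
    return kind, severity, snap
```

The returned snapshot is the section 1 capture (top rules, offending IPs/ASNs, paths) and feeds the section 3 choice of rate limits, ASN challenges or block rules.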