- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
WAF Incident Playbook — Edge Under Siege
Incident Response | Governed by RED-BOOK.md
Mode: VaultMesh Hybrid (tactical + mythic)
Guardian: Tem, Shield of the Threshold
Domain: Cloudflare Edge → VaultMesh Origins
🜂 Premise
When the Edge flares and the WAF erupts in blocks, challenges, or anomalous spikes, the mesh signals Nigredo: the phase of dissolution, truth, and exposure. Tem stands watch — transmuting threat into pattern.
This playbook guides the Sovereign through restoring harmony: from surge → containment → proof.
🛡 1. Detection — When the Edge Cries Out
Triggers:
- 10× spike in WAF blocks
- Sudden surge in Bot Fight engagements
- Rapid-fire requests from a small IP cluster
- Abuse towards /api, /login, or admin paths
Actions:
- Check Cloudflare dashboard → Security → Events
- Review WAF rule matches, sorting by occurrences
- Capture snapshot:
- Top rules triggered
- Offending IP ranges
- Request paths
Invoke Tem:
"Reveal the pattern beneath the noise. Let flux become signal."
🔍 2. Classification — Identify the Nature of the Fire
Threat types:
- Volumetric probing → wide IP / many rules
- Credential spraying → repeated auth paths
- Application fuzzing → random querystrings / malformed requests
- Targeted exploit attempts → concentrated rules (XSS, SQLi)
Decide:
- Is this noise?
- Is this reconnaissance?
- Is this breach pursuit?
Mark the incident severity:
- Low — background noise
- Medium — persistent automated probing
- High — targeted attempt on origin-relevant endpoints
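The detection snapshot and the classification heuristics of Sections 1 and 2, as an added worked example (not part of the original playbook or the VaultMesh code base). The event field names, the sample rows and the thresholds are assumptions; the Cloudflare Security Events export would need to be mapped onto the same three fields.

```python
from collections import Counter

# Constructed sample rows standing in for a Security Events export (field names assumed).
SAMPLE_TARGETED = [
    {"ip": "198.51.100.7", "path": "/api/users?id=1' OR 1=1--", "rule": "SQLi - Generic"},
    {"ip": "198.51.100.7", "path": "/api/users?id=1 UNION SELECT", "rule": "SQLi - Union"},
    {"ip": "198.51.100.9", "path": "/api/search?q=<script>", "rule": "XSS - Generic"},
    {"ip": "198.51.100.9", "path": "/api/search?q=<img onerror>", "rule": "XSS - Attribute"},
    {"ip": "198.51.100.7", "path": "/admin/config", "rule": "SQLi - Generic"},
]
SAMPLE_SPRAY = [{"ip": f"203.0.113.{i}", "path": "/login", "rule": "Login rate"} for i in range(1, 9)]

ORIGIN_RELEVANT = ("/api", "/login", "/auth", "/admin")  # paths named in Section 1
EXPLOIT_MARKERS = ("SQLi", "XSS")                          # Section 2: concentrated rules

def spike(current, baseline):
    """Section 1 trigger: a 10x rise in WAF blocks over the baseline window."""
    return baseline > 0 and current >= 10 * baseline

def snapshot(events):
    """Section 1 snapshot: top rules, offending IPs, request paths (query stripped)."""
    return {"rules": Counter(e["rule"] for e in events),
            "ips": Counter(e["ip"] for e in events),
            "paths": Counter(e["path"].split("?", 1)[0] for e in events)}

def classify(events):
    """Return (threat type, severity) using the Section 2 heuristics (thresholds assumed)."""
    snap, n = snapshot(events), len(events)
    exploit = sum(c for r, c in snap["rules"].items() if any(m in r for m in EXPLOIT_MARKERS))
    auth = sum(c for p, c in snap["paths"].items() if p in ("/login", "/auth"))
    queries = [e["path"].split("?", 1)[1] for e in events if "?" in e["path"]]
    on_origin_path = any(p.startswith(ORIGIN_RELEVANT) for p in snap["paths"])
    if exploit >= n / 2:                       # concentrated XSS/SQLi rule matches
        kind = "targeted exploit attempts"
    elif auth >= n / 2:                        # repeated auth paths
        kind = "credential spraying"
    elif queries and len(set(queries)) == len(queries) and len(queries) >= n / 2:
        kind = "application fuzzing"           # every query string different
    elif len(snap["ips"]) >= 5 and len(snap["rules"]) >= 3:
        kind = "volumetric probing"            # wide IP spread, many rules
    else:
        kind = "noise"
    if kind == "targeted exploit attempts" and on_origin_path:
        severity = "High"                      # targeted, origin-relevant endpoint
    elif kind != "noise":
        severity = "Medium"                    # persistent automated probing
    else:
        severity = "Low"                       # background noise
    return kind, severity
```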
🧱 3. Containment — Seal the Gate
Depending on severity:
Low
- Rate-limit /api and /auth paths
- Enable Bot Fight Mode (if not already)
Medium
- Block or challenge offending ASNs
- Add country-level managed_challenge
- Enforce "Full (strict)" TLS if not already
High
- Immediately apply custom firewall block rules
- Close high-risk paths behind Access policies
- Strengthen WAF Paranoia Level for targeted areas
- Ensure all origins are reachable only via Cloudflare Tunnel
Tem's invocation:
"Let the gate narrow. Let the false be denied entry."
📜 4. Forensics — Listen to the Echoes
Collect:
- CF Security Events export
- IP/ASN clusters
- Raw request samples
- Timestamps and spikes
Analyze patterns:
- Was this coordinated?
- Were specific parameters probed?
- Did traffic reach origin or stay at the Edge?
If origin saw traffic → inspect VaultMesh receipts for anomalies.
🧬 5. Restoration — From Nigredo to Rubedo
When WAF stabilizes:
- Remove overly broad rules
- Convert block rules → challenge after 24h
- Reassess Access policies for exposed services
- Validate DNS is unchanged
- Confirm Tunnel health is stable
Emit VaultMesh receipt:
- Incident summary
- Rules added/removed
- Time window
- Merkle root of exported logs
🪶 6. Final Anchor — Coagula
Anchor the incident into ProofChain:
- Receipts
- Log hashes
- WAF config deltas
Message of Tem:
"What was turmoil becomes memory. What was memory becomes strength."
✔ Outcome
This playbook ensures that WAF turbulence becomes structured proof, operational clarity, and measurable evolution within VaultMesh’s living ledger.