What a typical week looks like

Vikram: web-app:prod was throwing 503s starting 09:32, traced to Jordan's
09:14 deploy. We rolled back at 09:34 (90s to recover). User-impact
window: ~17 minutes elevated error rate.

I've asked Jordan to investigate the regression in staging before
re-shipping. Will follow up Thursday with the root cause + a write-up.

# Day-1 starting state — 2026-05-02 — acme team

**Bottom line up front:** Email security needs attention this week
— DMARC is set to report-only, allowing domain impersonation.
edge-01 disk is filling.

## Code & repos (Jordan)
- 8 active repos, primary stack TypeScript + Python
- 4 open PRs in acme/web (oldest 11 days)
- 3 stale repos last touched >180 days

## Servers (Ravi)
- 2 hosts online: edge-01, edge-02 (Ubuntu 22.04)
- edge-01 root disk 87% full — clean up within 14 days
- nginx + postgres on edge-01; nginx + redis on edge-02

## Public attack surface (Nadia)
- Posture grade C: 0 Critical | 0 High | 2 Medium
  • DMARC p=none — anyone can spoof @acme.com
  • DKIM missing at 5 common selectors — verify your ESP's
  • MTA-STS not configured (optional)
- 14 subdomains in CT logs; nothing suspicious
- KB scan: no committed secrets

## Compliance & cost (Grace)
- Pre-SOC2, treating as Stage 2
- Cloud cost: not connected yet — paste read-only IAM to enable

## Recommended next actions
1. Upgrade DMARC to p=quarantine (after monitoring 2-4 weeks)
2. Verify DKIM selector with your ESP (likely Resend/Sendgrid)
3. Clean up edge-01 disk before it crosses 90%
4. Connect cloud creds for cost tracking
5. Land or close the 4 stale PRs in acme/web

Vikram: weekly handoff — week of 2026-04-26

This week we shipped 12 deploys (1 rollback), handled 3 incidents,
and caught a Critical CVE before it was exploited. MTTR ticked up
slightly to 22 min from last week's 18 min — the long one was an RCA
on Wednesday's billing-svc memory leak that took 38 min to root-cause.

What shipped (Jordan)
- 12 deploys across acme/web (8), billing-svc (3), edge fleet (1)
- 1 rollback Tuesday — fix shipped Thursday after staging soak
- 0 deploy failures in CI; ratio of staging-to-prod stable

What broke (Theo)
- 3 incidents: Tuesday 503 (rolled), Wed billing memory leak (fixed),
  Thursday brief edge-01 ping flap (transient, no action)
- MTTR 22 min, dragged by Wed's RCA

What's dangerous (Nadia)
- 1 Critical: CVE-2026-XXXX on KEV, patched same-night
- 4 Mediums (DMARC p=none, DKIM missing on 2 brands, MTA-STS gap)
- Calibration check: of last quarter's 9 Critical flags, 7 made KEV
  within 60 days. Precision 78%. Holding the bar.

What changed (Ravi)
- Patched all 3 services for CVE-2026-XXXX
- Cleared edge-01 disk from 87% → 41%
- No drift from baseline this week

What it cost (Grace)
- Cloud spend: $4,210 this week (-3% wow). Top mover: RDS down 12%
  after we sized down the test cluster.
- One pattern: web-app:prod's Friday spike is back — was ~22%
  larger than Mon-Thu average. Worth investigating.

One concrete recommendation for next week
Land the DMARC upgrade. It's the single highest-impact unaddressed
item on the team's open-finding list. Nadia has the policy text
ready; needs your sign-off on the rollout plan.

— Vikram, IT Lead

CC6.1 — Logical & physical access controls
   sourced from kinds=[audit, config_change], filtered to
   target~"users:" or target~"ssh:" or target~"iam:"

   2026-04-15  audit          ssh:web-prod-01     "Quarterly access
                                                    review: 3 keys
                                                    rotated, 1 dormant
                                                    user disabled"
   2026-04-22  config_change  iam:cloud-readonly  "Rotated S3 read
                                                    role, prev key
                                                    revoked at AWS"
   ... (12 more events this quarter)

CC7.1 — Detect anomalies & respond
   sourced from kinds=[incident, cve_finding, remediation, decision]

   2026-04-19  incident       web-app:prod        "503 spike, rolled
                                                    back at 09:34,
                                                    user impact 17 min"
                                refs: jordan's deploy, vikram's decision
   2026-04-30  cve_finding    web-app:prod        "CVE-2026-XXXX
                                                    KEV active"
                                refs: nadia's prediction_log entry
   2026-04-30  remediation    CVE-2026-XXXX       "Patch verified on
                                                    3 services 09:42"
   ... (continues with 8 events this quarter)

Auditor questions answered:
✓ Are findings actually triaged?  (every cve_finding has a follow-up
  remediation or decision event linked via refs)
✓ Is access reviewed?              (audit events tagged "Quarterly
  access review" appear every 90 days)
✓ Is response documented?          (incident events link to decision
  events that explain the action taken)