BoreNO

A Developer's Playbook for Handling High-Severity Security Incidents

Designed for experienced backend developers and SREs in fintech startups who are primary responders during high-severity (SEV-1/SEV-2) security incidents, to spark real collaboration and high-energy learning.

A 90-minute, in-person session held in a fintech startup's war room. The group is highly technical and used to working under pressure, but has felt overwhelmed by ambiguous protocols and unclear communication paths during past SEV-1/SEV-2 incidents. There is fatigue from repetitive fire drills and frustration with misaligned expectations between devs and security leads.

Icebreaker
Activity 1

Breach in a Box Reveal

Start with a sealed envelope or box labeled 'Incident X: Confidential.' Invite the group to guess what's inside based on cryptic system log snippets projected on the screen. After a short round of guesses, reveal a real (redacted) SEV-1 incident summary from a known fintech breach.

Why this works

This leverages curiosity and primes the group for discovery learning—activating prior knowledge while lowering the barrier to discussing sensitive topics.

Icebreaker
Activity 2

Myth-Busting Speed Round

Flash a series of 'common wisdom' slides: 'Only security team leads incident calls', 'Devs must wait for instructions', etc. Participants call out 'Fact' or 'Myth' by holding up colored cards. Immediately debunk or confirm each, tying back to fintech-specific examples.

Why this works

People often act on incorrect assumptions under stress. Busting myths early removes blockers and clarifies roles.

Icebreaker
Activity 3

Low-Stakes Pager Drill

Simulate a gentle ‘incident’ ping: hand out cards with non-critical security issues (e.g., ‘Suspicious login detected on staging’). Each participant writes down their immediate containment step—no group discussion. Volunteers share their first moves, and the facilitator highlights diverse approaches.

Why this works

This builds comfort with participation, surfaces safe-to-fail first actions, and shows that the ‘perfect’ answer is rare.

Icebreaker
Activity 4

Incident Command Relay Race

Break into 2-3 teams. Each team gets a high-severity incident scenario with ‘live’ updates every 90 seconds (via facilitator handouts). Teams must decide, in real time, how to contain, communicate, and escalate. Debrief with which team minimized impact and why.

Why this works

Pumps up energy, creates urgency, and gives a visceral sense of real-time incident chaos in a safe, gamified way.

Icebreaker
Activity 5

The Escalation Dilemma

Present a thorny situation: a critical vulnerability is found, but patching will cause downtime for a major client. Ask, ‘Who do you inform first? What’s the tradeoff?’ Let participants debate and pick sides (whiteboard tally). Reveal how a real team navigated the tradeoff.

Why this works

Real dilemmas drive engagement—there are no easy answers, only better tradeoffs, mirroring true incident response pressures.

Icebreaker
Activity 6

Personal Worst-Case Postmortems

Invite each participant to jot down (privately) the worst security incident they've personally faced or feared—what happened, and what they’d do differently now. Invite 1-2 volunteers to share, if comfortable. Wrap with a group reflection: one takeaway they’ll apply in the next incident.

Why this works

Active personal reflection cements learning and connects abstract playbook steps to lived experience and growth.
