You will wake up one morning to find an anonymous GitHub account mass‑dropping 0‑days that touch your stack. Proof‑of‑concept scripts land on social before NVD even assigns IDs. Your pager goes off not because a service is down, but because exploit automation just got copy‑pasted into a thousand botnets.
This is not a once‑in‑a‑decade event. It’s the new tempo. Recent waves of disclosure and mass PoC drops prove the attacker lead time is measured in hours, not weeks. The right move is not panic; it’s a muscle‑memory response that turns chaos into a 72‑hour plan.
If you run a modern SaaS, you’re carrying a lot of surface area. A typical TypeScript/Node service pulls in thousands of transitive packages. A containerized Go microservice may be “static,” but it still sits on a base image with dozens of packages and a kernel that’s constantly moving. The delta between “there’s a bug somewhere” and “your instance is reachable and exploitable” is where you make or lose the next 72 hours.
The objective: reachability, not headlines
Your job is not to “fix everything.” Your job is to rapidly answer three questions for each alleged 0‑day:
- Is this vulnerability reachable in our environment?
- Is it internet‑exposed or gated behind auth/network controls?
- Do we have a near‑term mitigation (config, WAF, feature flag, network policy) that buys us time to patch?
Everything else—PRs, retros, vendor tweets—comes after. This post gives you a concrete 72‑hour playbook you can hand to your leads. It assumes you have at least basic building blocks: centralized logs, CI/CD that can ship within hours, and a place for a cross‑functional war room. If you don’t, your day one project after this storm is to build them.
Hour 0–2: Stabilize, instrument, and convene
1) Spin up a war room with clear roles
- Incident Lead (you or a delegate): single‑threaded owner, calls priorities and trade‑offs.
- Exploit Analyst: tracks claims, PoCs, and indicators of compromise (IoCs).
- Exposure Mapper: maps vulnerable components to assets using your SBOM and service catalog.
- Mitigation Engineer: owns WAF rules, feature flags, network policy, and quick configs.
- Patch Lead: coordinates code changes, image rebuilds, and rollouts.
- Communications: internal updates hourly; external updates at set checkpoints.
2) Create a single intake and tracking surface
- Stand up a shared tracker (a spreadsheet or issue board is fine) with columns: vuln id/name, source link, affected component, reachability, exposure (internet/internal), mitigation, patch status, owner, ETA.
- Label every work item with a severity based on exposure × reachability × exploit maturity. If a working PoC exists and your component is internet‑exposed and reachable, it’s P0.
3) Turn up visibility now
- Enable high‑value logs if they’re off: reverse proxy request logs, auth gateway decisions, 4xx/5xx spikes, container runtime alerts.
- Set ad hoc automations for anomalies: 10× spike in specific routes, atypical User‑Agents, outbound connections to suspicious hosts.
- Subscribe and pull known exploit signals from public sources like CISA KEV and community threat intel feeds.
4) Apply cheap, reversible friction
- Rate limit suspicious endpoints aggressively. If your baseline is 100 rps, drop to 20 rps per IP for the next 6 hours on vulnerable routes.
- Temporarily disable non‑essential public endpoints via config. If you can do it behind a feature flag, do that. Use maintenance pages narrowly.
- Geo or ASN shaping for clearly malicious traffic sources if the pattern is obvious.
Hour 2–8: Size exposure with SBOMs and reachability
5) Build or pull SBOMs for what actually runs
- For containers and services, generate SBOMs with Syft or similar. Store them somewhere queryable (e.g., Dependency‑Track or an internal registry).
- For serverless, collect package lockfiles and build manifests. If you don’t have SBOMs, gather lockfile commit SHAs tied to deployed versions.
- Scan against OSV/NVD and vendor advisories. Prioritize issues that match components you actually deploy.
6) Do fast reachability, not academic SAST
- Ask: is the vulnerable code path called by our application in production? Examples: a templating injection in a library only used by an admin tool that’s not internet‑exposed may be P2, not P0.
- If you have reachability tooling (e.g., call‑graph analysis or vendor features that identify “reachable vulnerabilities”), use it. If not, lean on code owners to confirm import/use sites.
- Check runtime telemetry for invocations of the suspected paths (routes, RPCs, functions). Grepping logs for routes and headers beats guessing.
7) Confirm internet exposure
- Make a quick exposure map: which services are publicly reachable, which ports are open, and where auth is enforced. Tools like Shodan can help you see what the world sees.
- Document network controls: mutual TLS, IP allowlists, API gateways. Exposure without auth is risk; exposure with robust auth and anomaly alerts may buy you patch time.
8) Pull vendor positions early
- Track upstream maintainers’ statements and patches. If a fix ETA is 24 hours, design mitigations that hold the line that long.
- For managed services, open tickets and ask for written positions on exposure and mitigations.
Hour 8–24: Mitigate first, patch fast where it counts
9) Ship mitigations you can reverse in minutes
- WAF rules: Block suspicious payload signatures and add strict content‑type and size limits on affected endpoints. Providers like Cloudflare or Fastly can deploy rules in minutes; validate with canary traffic.
- Feature flags: Kill switches for susceptible features. If you don’t have a flag, create a config‑backed guardrail at the entry point. OpenFeature‑style toggles let you roll back instantly.
- Network policy: For server‑to‑server issues, tighten egress. Outbound restrictions stop post‑exploitation call‑backs.
10) Patch by exposure tier
- Tier A: Internet‑exposed + reachable + PoC exists. Target TTR < 24 hours. Patch or hot‑patch. If patching is not available, mitigate and plan a compensating control you can live with for a week.
- Tier B: Internal or gated + reachable. TTR < 72 hours. Roll into your next release window; don’t starve Tier A work.
- Tier C: Unreachable in production. Document, monitor, and schedule. Use the storm to delete dead dependencies instead of bumping them.
11) Rebuild the world you actually run
- Containers: Rebuild base images to pick up distro fixes. Pin digests, not tags. Push to a hardened registry. Run Trivy/Grype scans as gates, not reports.
- Runtimes: If the exploit hits the runtime (e.g., JIT or interpreter), weigh a major version bump carefully. A targeted backport may be safer in the first 24 hours.
- Secrets: Assume worst‑case on any confirmed exploitation. Rotate credentials and tokens touched by affected services.
12) Communicate like an adult
- Internal updates hourly in the war room: what changed, what’s next, blockers.
- External status updates at predictable checkpoints (e.g., at 8, 24, and 48 hours). Share mitigations you’ve applied and the next ETA. Don’t speculate.
- Regulatory and contractual notifications if thresholds are met. Consult counsel early.
Hour 24–48: Validate, contain, and close the easiest gaps forever
13) Prove mitigation works
- Use safe payloads to validate WAF rules. Confirm 403s where expected and that legitimate traffic flows.
- Roll canary patches to 5–10% and watch error budgets. If stable, proceed to full rollout.
- For critical admin or auth paths, add temporary MFA prompts or re‑authentication to reduce session abuse risk.
14) Hunt for compromise
- Search logs and telemetry for IoCs published with the PoCs. Look back at least 30 days if you suspect pre‑disclosure exploitation.
- Inspect unusual processes, new cron jobs, or reverse shells with runtime tools (e.g., Falco/eBPF‑based alerts) where applicable.
- If you find credible signs of exploitation, escalate to full incident response: isolate hosts, preserve forensic images, and widen communication.
15) Close easy structural gaps
- Add or harden kill switches for high‑risk endpoints so the next storm doesn’t require code edits to disable a feature.
- Reduce blast radius: tighter network policies, namespace boundaries, and per‑service credentials.
- Automate SBOM generation on each build and store artifacts centrally. Tie deployed versions to SBOM snapshots.
Hour 48–72: Normalize and turn panic into process
16) Document the facts, not the myth
- For each vulnerability worked: final severity, reachability determination, mitigations, patch versions, and timestamps for TTI (time‑to‑intake) and TTR (time‑to‑remediate).
- Record negative findings: “not reachable in prod” is a valid, auditable outcome.
17) Update runbooks and SLOs
- Set storm SLOs: P0 internet‑exposed reachable with PoC → mitigate in 4 hours, patch within 24. P1 internal reachable → patch within 72.
- Attach a decision tree to your runbook: if PoC exists and reachability is confirmed → mitigation options A/B/C; if upstream patch ETA > 48h → hot‑patch or feature kill switch.
18) Fill staffing gaps with a follow‑the‑sun pod
- Storms don’t respect time zones. A small nearshore pod (2–4 engineers) trained on your stack, with 6–8 hours of US overlap, can keep mitigation and patch lanes moving while your core team sleeps.
- Make this a standing function, not an ad hoc rota. The cost is small compared to the hours you’re burning in every storm.
Pre‑storm investments that pay off in minutes
Everything above works without perfection. But if you want to turn 72 hours into 24, invest now:
Build SBOMs and a dependency map that answers “where does this run?”
- Emit SBOMs (CycloneDX or SPDX) during build for every service and container. Store them in a searchable system (Dependency‑Track, OSV‑Scanner output + a database).
- Link SBOMs to your service catalog so you can say: “Library X exists in services A, B; only A is internet‑facing.”
Define kill switches at the ingress
- Put high‑risk feature entry points behind flags you can flip globally. Even a YAML‑backed guard works if you can reload without redeploy.
- Adopt OpenFeature-style interfaces so flags are consistent across languages.
Harden CI/CD for rapid, safe rebuilds
- Pin base image digests and maintain a golden image pipeline that can cut a release with security patches inside 60 minutes.
- Keep rollout guardrails: staged deploys, fast rollback, and canaries.
Stand up a WAF policy you trust
- Pre‑bake a “storm profile” that tightens request size caps, blocks dangerous content‑types, and enforces strict header checks. Make it toggleable.
- Log WAF decisions centrally so you can prove mitigation hit real traffic.
Measure what you actually care about
- TTI (time‑to‑intake): from public disclosure to a ticket in the tracker. Target < 1 hour during a storm.
- Reachability determination time: from intake to “reachable/not” decision. Target < 4 hours for anything internet‑exposed.
- TTR (time‑to‑remediate): to mitigation applied and to patch deployed. Distinguish mitigation TTR and patch TTR.
Trade‑offs you’ll need to own
Mitigate vs. patch
Mitigations (WAF, flags, network policy) are fast but imperfect. Patches are durable but risk regressions. In the first 24 hours, stack mitigations and ship the minimum safe patch on Tier A. Don’t chase perfection while a working PoC circulates.
Runtime harshness vs. user experience
Cranking rate limits and blocking payload patterns will annoy real users. That’s a price worth paying for a day. Communicate it. Roll back as soon as patches stabilize.
Centralization vs. team autonomy
Storms reward centralization: one tracker, one owner, one comms cadence. The rest of the year, let teams own dependencies. Write this distinction into your operating model so you’re not debating process mid‑incident.
A note on Postgres, backups, and false confidence
Mass 0‑days often intersect with your data layer—even if the bug is elsewhere. If you deploy hotfixes under pressure, validate that your recovery path works today. Tools like WAL shipping helpers (e.g., WAL‑G and newer Rust rewrites) are great, but they are not a safety net unless you’ve done a recent successful restore. In the 48–72 hour window, schedule a test restore to a quarantined environment and verify RPO/RTO. A working backup you can’t restore in under two hours is not a backup; it’s a story you tell yourself.
Where a nearshore pod changes the math
There’s a reason big shops run follow‑the‑sun security engineering. You don’t need a 24×7 SOC to get 80% of the benefit. A small, trained nearshore pod can own the 2–8 hour window while your US team sleeps:
- 6–8 hours of overlap for handoffs, then independent triage while your core team is offline.
- Runbooks and tooling access so they can apply WAF rules, flip flags, and ship low‑risk patches behind canaries.
- Cost profile that’s 20–30% lower than adding the same headcount locally, which matters when you’re staffing for rare but critical events.
You don’t outsource risk decisions; you outsource responsiveness. The call “disable the import feature for 12 hours” still belongs to you. The work to wire that kill switch and rebuild the image should not.
What good looks like at hour 72
- Your tracker shows every alleged 0‑day, the exposure call, the mitigation, and the patch path. No orphans, no mysteries.
- Tier A issues are mitigated and patched, with post‑deploy validation. Tier B items have committed ETAs. Tier C is documented and deprioritized or slated for cleanup.
- WAF and network rules are tightened where it matters and measured for impact. Temporary UX hits are communicated and time‑boxed.
- No one is guessing in Slack. You have a written, dated summary that leadership and customers can read.
Key Takeaways
- Don’t fix “vulnerabilities” in the abstract. Decide reachability and exposure first, then act.
- In hour 0–8, centralize intake, increase visibility, and apply reversible friction. Buy time.
- In hour 8–24, mitigate fast on Tier A and patch to durability. Roll canaries and watch error budgets.
- In hour 24–48, validate mitigations, hunt for compromise, and rotate secrets where risk justifies it.
- In hour 48–72, document facts, set SLOs, and turn ad hoc heroics into a repeatable runbook.
- Pre‑storm investments—SBOMs tied to a service catalog, kill switches, WAF profiles, fast rebuild pipelines—cut response time from days to hours.
- A small nearshore pod gives you 24/5 responsiveness without burning your core team.