Detect, triage, and resolve security and operational incidents with playbooks, clear ownership, and audit-ready timelines. Tie everything back to assets, risks, and controls.
From alert to lessons learned, everything stays linked to assets, risks, and controls.
Ingest alerts from SIEM/EDR, email, or forms. Auto-dedupe & correlate by asset, user, or indicator.
Apply impact/urgency matrix, set SLAs, and route to on-call with clear ownership and responders.
Step-by-step tasks for malware, phishing, outage, data loss, access abuse, and more—customisable.
Quarantine hosts, revoke tokens, reset creds, block indicators—recorded with actor & timestamp.
Track dependencies and validate recovery steps with checklists and change approvals.
Capture RCA, lessons learned, and CAPA; link back to risks, controls, and policies for prevention.
Built for major incident management and security response.
Escalation policies with SMS/email/chat. Acknowledge to stop paging; auto-escalate on SLA breach.
Spin up Slack/Teams bridges, stakeholder updates, and customer-safe status notes from one place.
Immutable timeline of actions, artifacts, and decisions—perfect for audits and regulators.
Tie incidents to assets, users, vendors, services, risks, and policies for true blast-radius insight.
Severity matrix, playbook templates, responder roles, and per-severity SLA targets.
MTTA, MTTD, MTTR, reopen rate, SLA compliance, incidents by service/severity, and trend reporting.
Opinionated defaults; tuned to your incident categories and SLAs.
Alerts from SIEM/EDR/SOAR or manual reports become incidents with correlation and enrichment.
Impact × urgency sets severity; assign incident commander, responders, and SLA clocks.
Execute playbook tasks (isolate, revoke, patch, block), recording artifacts and evidence.
Coordinate with change management; validate business and security recovery criteria.
Run a post-incident review, document RCA, assign corrective/preventive actions, and link to risks.
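The triage and response steps above (impact × urgency setting severity, per-severity SLA clocks, auto-escalation on breach, and an actor/timestamp timeline) can be made concrete in a small model. The following is an added example, not PurpleWASP code: the matrix values, SLA targets, role names and incident data are constructed assumptions, and "immutable" here means an append-only list exposed read-only, not a tamper-evident store.

```python
"""Added example, not vendor code: severity matrix, SLA clock, append-only timeline."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed impact x urgency matrix (assumption, not the product's defaults).
SEVERITY_MATRIX = {
    ("high", "high"): "SEV1", ("high", "medium"): "SEV2", ("high", "low"): "SEV3",
    ("medium", "high"): "SEV2", ("medium", "medium"): "SEV3", ("medium", "low"): "SEV4",
    ("low", "high"): "SEV3", ("low", "medium"): "SEV4", ("low", "low"): "SEV4",
}

# Constructed per-severity SLA targets: (acknowledge within, resolve within).
SLA_TARGETS = {
    "SEV1": (timedelta(minutes=15), timedelta(hours=4)),
    "SEV2": (timedelta(minutes=30), timedelta(hours=8)),
    "SEV3": (timedelta(hours=2), timedelta(days=2)),
    "SEV4": (timedelta(hours=8), timedelta(days=5)),
}


def severity_for(impact: str, urgency: str) -> str:
    """Look up severity; unknown inputs fail loudly rather than defaulting to low."""
    try:
        return SEVERITY_MATRIX[(impact.lower(), urgency.lower())]
    except KeyError:
        raise ValueError(f"unknown impact/urgency: {impact}/{urgency}") from None


@dataclass(frozen=True)
class TimelineEntry:
    at: datetime
    actor: str
    action: str
    detail: str = ""


@dataclass
class Incident:
    incident_id: str
    opened_at: datetime
    severity: str
    commander: str
    acknowledged_at: Optional[datetime] = None
    resolved_at: Optional[datetime] = None
    _timeline: List[TimelineEntry] = field(default_factory=list)

    def record(self, at: datetime, actor: str, action: str, detail: str = "") -> TimelineEntry:
        """Every action lands on the timeline with who did it and when."""
        entry = TimelineEntry(at, actor, action, detail)
        self._timeline.append(entry)
        return entry

    @property
    def timeline(self) -> tuple:
        return tuple(self._timeline)  # read-only view; entries are frozen

    def acknowledge(self, at: datetime, actor: str) -> None:
        if self.acknowledged_at is None:  # first ack stops paging; later acks are no-ops
            self.acknowledged_at = at
            self.record(at, actor, "acknowledge")

    def resolve(self, at: datetime, actor: str, detail: str = "") -> None:
        self.resolved_at = at
        self.record(at, actor, "resolve", detail)


def open_incident(incident_id: str, opened_at: datetime, impact: str, urgency: str,
                  commander: str, actor: str = "intake") -> Incident:
    inc = Incident(incident_id, opened_at, severity_for(impact, urgency), commander)
    inc.record(opened_at, actor, "open", f"severity={inc.severity} commander={commander}")
    return inc


def sla_status(inc: Incident, now: datetime) -> dict:
    """SLA clock: breach flags plus whether the escalation policy should fire now."""
    ack_target, resolve_target = SLA_TARGETS[inc.severity]
    ack_due, resolve_due = inc.opened_at + ack_target, inc.opened_at + resolve_target
    ack_breached = (inc.acknowledged_at or now) > ack_due
    resolve_breached = (inc.resolved_at or now) > resolve_due
    return {
        "ack_due": ack_due, "ack_breached": ack_breached,
        "resolve_due": resolve_due, "resolve_breached": resolve_breached,
        # Escalate only while the breached clock is still running (unacked / unresolved).
        "escalate": (inc.acknowledged_at is None and ack_breached)
                    or (inc.resolved_at is None and resolve_breached),
    }


def demo():
    """Constructed walk-through: late ack triggers escalation, resolution lands within SLA."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    inc = open_incident("INC-0001", t0, "high", "high", "alice")
    unacked = sla_status(inc, t0 + timedelta(minutes=20))   # 15-minute ack SLA already missed
    inc.acknowledge(t0 + timedelta(minutes=25), "bob")
    inc.resolve(t0 + timedelta(hours=3), "bob", "host quarantined, credentials reset")
    return inc, unacked, sla_status(inc, t0 + timedelta(hours=5))


if __name__ == "__main__":
    incident, early, final = demo()
    print("escalate at +20m:", early["escalate"], "| final:", final)
    for e in incident.timeline:
        print(e.at.isoformat(), e.actor, e.action, e.detail)
```

The late acknowledgement stays recorded as an SLA breach in the final status even though paging stopped, which is the distinction an audit-ready timeline needs: the breach is a fact about the incident, the escalation is a decision about what to do right now.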
Bring signals in, push tasks out, keep everyone aligned.
Hardened, multi-tenant architecture with defensible evidence.
Least-privilege roles, SSO/SAML/SCIM, optional MFA, and session hardening.
TLS in transit; encryption at rest; optional field-level protection for sensitive artifacts.
Full actor/timestamp audit trail of decisions and actions; exportable for regulators.
Configurable retention, legal hold, and defensible deletion windows.
Supports ISO 27001 incident requirements; easy mapping to policies and risks.
Document regulator/customer notifications with templates and approval flow.
Reduce chaos, shorten outages, and produce defensible evidence.
Capability | Manual / Ad-hoc | PurpleWASP Incident Management |
---|---|---|
Ownership | Unclear commander/responders | Assigned roles, on-call, paging, escalation |
Process | Tribal knowledge | Standardised playbooks per category/severity |
Evidence | Scattered notes | Immutable timeline with artifacts & approvals |
Metrics | Hard to compute | MTTA/MTTD/MTTR, SLA compliance, trends |
Traceability | Decoupled from estate | Linked to assets, risks, policies, and controls |
Answers for incident commanders, SOC, and Ops.
Open an incident, pick a category, assign an incident commander, and start the playbook.
Set severity matrix, SLAs, and runbooks for common scenarios like phishing, ransomware, or outages.
All actions are time-stamped and attributed. Perfect for audits and regulators.