SUBJECT: SECURITY INCIDENT - [Type: Deepfake/Prompt Injection]
SEVERITY: [Critical/High/Medium/Low]
DISCOVERED: [Timestamp - ISO 8601]
IMPACT: [Description of affected systems/users]
ACTIONS: [What's being done immediately]
CONTACT: [Response team contact info]
---
INCIDENT DETAILS:
- Type: [Deepfake video/Audio deepfake/Prompt injection/etc]
- Platform: [Where discovered]
- Scope: [Number of users/systems affected]
- Evidence: [Links to evidence, preserved for forensics]
IMMEDIATE ACTIONS (0-2 hours):
1. Incident confirmed and documented
2. Affected systems isolated/monitored
3. Evidence preserved for forensic analysis
4. Stakeholders notified
NEXT STEPS (2-24 hours):
1. Forensic analysis underway
2. Platform takedown requests submitted
3. External communications being prepared
4. Recovery procedures initiated
CONTACT FOR QUESTIONS:
- Security Team: security@company.com
- Incident Commander: [Name/Contact]
- Legal: [Name/Contact]
---
[Organization] is aware of [incident type] affecting [scope].
WHAT HAPPENED:
[Brief, factual description of the incident]
WHAT WE'RE DOING:
- Immediate containment and investigation
- Cooperation with platform providers for removal
- Enhanced security monitoring
- Support for affected individuals
WHAT YOU SHOULD DO:
- Do not share or amplify the content
- Report suspicious content to [platform/email]
- Monitor your accounts for unauthorized activity
- Contact us with questions: security@company.com
TIMELINE:
- [Time]: Incident discovered
- [Time]: Investigation began
- [Time]: Platforms notified
- [Time]: Public statement issued
We take this seriously and are committed to protecting our community.
Contact: security@company.com
---
- Document everything (screenshots, URLs, timestamps)
- Alert security team immediately
- Preserve evidence (do not delete or modify)
- Identify affected individuals
- Assess platform (social media, email, etc.)
- Identify deepfake type (video, audio, image)
- Determine creation method if possible
- Assess damage and reach
- Identify all platforms where content appears
- Check for related incidents
- Submit takedown requests to platforms
- Contact platform trust & safety teams
- Issue internal and external statements
- Provide support to affected individuals
- Begin forensic analysis
- Notify law enforcement if applicable
---
- Isolate affected systems from network
- Review access logs and audit trails
- Identify scope of compromise
- Preserve evidence for forensics
- Alert security team
- Patch identified vulnerabilities
- Reset compromised credentials
- Notify affected users
- Review system prompts for exposure
- Implement additional monitoring
- Complete forensic analysis
- Implement preventive controls
- Conduct security training
- Update incident response procedures
- Document lessons learned
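Both checklists above require evidence to be preserved unmodified and documented with timestamps. The following is an added example, not part of this playbook: it writes a SHA-256 manifest with an ISO 8601 UTC capture time for each saved item and re-verifies it later; the field names, incident id and sample screenshot bytes are this example's own constructions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical helper: hash each preserved item so later tampering or
# deletion is detectable. Field names below are this example's own.

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(incident_id: str, items: dict[str, Path]) -> dict:
    """items maps a source note (URL, platform, description) to the saved file."""
    captured = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "incident_id": incident_id,
        "captured_at": captured,  # ISO 8601, as the alert template requires
        "items": [{"source": src, "file": str(p), "size": p.stat().st_size,
                   "sha256": sha256_file(p)} for src, p in items.items()],
    }

def verify_manifest(manifest: dict) -> list[str]:
    """Return the problems found; an empty list means all evidence is intact."""
    problems = []
    for item in manifest["items"]:
        p = Path(item["file"])
        if not p.exists():
            problems.append(f"missing: {item['file']}")
        elif sha256_file(p) != item["sha256"]:
            problems.append(f"modified: {item['file']}")
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: one saved screenshot, checked before and after an edit."""
    with tempfile.TemporaryDirectory() as tmp:
        shot = Path(tmp) / "post-screenshot.png"
        shot.write_bytes(b"constructed placeholder screenshot bytes")
        manifest = build_manifest("INC-EXAMPLE-001",
                                  {"https://example.invalid/post/123": shot})
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_manifest(manifest)
        shot.write_bytes(b"tampered")  # simulate a modification after capture
        return before, verify_manifest(manifest)
```

Store the manifest separately from the evidence itself so that a change to either can be detected.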
---
PHASE 1: INITIAL RESPONSE (First 2 hours)
- Acknowledge the incident
- Confirm investigation is underway
- Provide initial guidance to users
- Avoid speculation
PHASE 2: ONGOING UPDATES (2-24 hours)
- Share investigation progress
- Provide specific guidance
- Address public concerns
- Maintain transparency
PHASE 3: RESOLUTION (24+ hours)
- Explain what happened
- Detail preventive measures
- Provide support resources
- Commit to improvements
KEY MESSAGES:
1. We take security seriously
2. We're investigating thoroughly
3. We're protecting affected individuals
4. We're implementing improvements
5. We're committed to transparency
---
✅ All evidence collected and preserved
✅ Forensic analysis completed
✅ Root cause identified
✅ Vulnerabilities patched
✅ Systems restored to clean state
✅ Credentials reset
✅ Monitoring enhanced
✅ Staff trained on incident
✅ Procedures updated
✅ Post-incident review completed
✅ Stakeholders notified of resolution
✅ Public statement issued (if applicable)