The incident workflow
Everything inside a single incident: facts intake (including per-state individual-notice dates), roles, the playbook library, tasks, evidence, the communications log, the append-only timeline, the tabletop runner, and the exports.
Facts intake
The Incident facts panel is what drives the deadline engine. Set it carefully — every obligation and deadline is derived from these fields.
| Field | What it means | Why it matters |
|---|---|---|
| Discovered at | The date and time you discovered (or determined) the incident. | This is the legal clock anchor for most obligations. Correct it from the declare-time default to the real moment of discovery. |
| Data types involved | Checkboxes: Name, SSN, Financial/account, PHI/health, Credentials, Biometric, Payment card. | SSN / financial / payment data drive the credit-monitoring analysis; the set also informs which letters and helpers apply. |
| Regulated-data flags | Checkboxes: HIPAA/PHI, DFARS/CUI, GDPR/EU residents, PIPEDA/Canada, Québec Law 25. | Each flag turns on that framework's obligations. No flag, no framework obligation — the engine never guesses. |
| Affected individuals by state | A compact list like CA:600, FL:200, WA:150. | Per-state counts trigger each state's individual notice, and trip the AG / agency thresholds (which differ by state). The total is summed automatically. |
| Individual-notice date sent, per state | A list like CA:2026-06-10, OK:2026-06-12. | The real date you notified each state's residents — see below. |
- Fill in the fields.
- Click Update facts & recompute.
- The obligation table and the reminder cascade refresh, and a timeline event records that facts were updated and how many obligations resulted.
Format for the per-state count field: two-letter state codes, a colon or equals sign, then a number, separated by commas or new lines. Examples: CA:600, FL=200. Anything that doesn't match is ignored, so a typo simply drops that entry rather than corrupting the rest.
Per-state individual-notice dates
Most states' attorney-general clock runs from the same trigger as the individual notice (discovery). But a few run a separate clock that starts after you have notified that state's residents:
| State | AG clock | Statute |
|---|---|---|
| California (SB 446, eff. 2026-01-01) | AG sample due 15 days after individuals are notified (when 500+ CA residents). | Cal. Civ. Code §1798.82 (as amended by SB 446) |
| Oklahoma (SB 626, eff. 2026-01-01) | AG notice due 60 days after individuals are notified (when 500+ OK residents). | 24 O.S. §161 et seq. (as amended by SB 626) |
For these, Klaxon needs to know when you actually notified residents in that state. Record it in the Individual-notice date sent, per state field:
- After you mail / email the individual notices for a state, come back to the incident facts.
- Enter the date in the format CA:2026-06-10 (state code, colon, ISO date YYYY-MM-DD). Add more, comma-separated: CA:2026-06-10, OK:2026-06-12.
- Click Update facts & recompute.
What changes:
- Before you record the date: the AG row shows a fallback — record notice date pill, and the AG deadline is anchored to the individual-notice deadline (the latest lawful start). This is deliberately conservative — the real clock can end no sooner than this date, only later.
- After you record the date: the AG row shows a green from actual notice date pill, and the AG deadline equals your recorded notice date + the statutory days (CA +15, OK +60).
A single legacy global notice date is honored as a fallback for older incident records, but the per-state field is the supported, precise way to capture this. See the FAQ on AG anchoring.
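The two per-state fields above (counts, and notice dates sent) share one list format, and the AG anchoring in this section is a small date calculation on top of them. The following is an added example, not Klaxon's own code, showing how a parser with the stated drop-on-mismatch behaviour and the fallback-versus-actual anchoring fit together. The function names and the `AG_AFTER_NOTICE` table are assumptions made for this illustration; the figures in it (CA +15 days, OK +60 days, 500+ residents) are the ones this page states, and the individual-notice deadline is passed in because the engine computes it elsewhere.

```javascript
// Added example (not Klaxon's own code): parse the two per-state fields and
// anchor the AG clock for the states whose clock starts at individual notice.
// Function names and the AG_AFTER_NOTICE table are assumptions for this
// illustration; the day counts and threshold are the ones the page states.

// Days after individual notice at which the AG filing is due, and the
// resident-count threshold that triggers the AG obligation at all.
const AG_AFTER_NOTICE = {
  CA: { days: 15, threshold: 500 },
  OK: { days: 60, threshold: 500 },
};

// Generic "XX:value" list parser. Entries are separated by commas or
// newlines; the separator between state code and value is ':' or '='.
// An entry that does not match, or whose value fails `validate`, is
// dropped silently, so a typo loses that entry and nothing else.
function parsePerState(text, validate) {
  const out = {};
  for (const raw of String(text || '').split(/[,\n]/)) {
    const m = raw.trim().match(/^([A-Za-z]{2})\s*[:=]\s*(.+)$/);
    if (!m) continue;
    const value = validate(m[2].trim());
    if (value === null) continue;
    out[m[1].toUpperCase()] = value;
  }
  return out;
}

// "Affected individuals by state": non-negative integer counts.
function parseStateCounts(text) {
  return parsePerState(text, (v) => (/^\d+$/.test(v) ? Number(v) : null));
}

// "Individual-notice date sent, per state": strict ISO YYYY-MM-DD that
// round-trips through Date, so impossible dates such as 2026-13-01 are dropped.
function parseStateNoticeDates(text) {
  return parsePerState(text, (v) => {
    if (!/^\d{4}-\d{2}-\d{2}$/.test(v)) return null;
    const d = new Date(v + 'T00:00:00Z');
    if (Number.isNaN(d.getTime()) || d.toISOString().slice(0, 10) !== v) return null;
    return v;
  });
}

// The total the facts panel sums automatically.
function totalAffected(counts) {
  return Object.values(counts).reduce((sum, n) => sum + n, 0);
}

// Calendar-day arithmetic on ISO dates, done in UTC to avoid DST surprises.
function addDays(isoDate, days) {
  const d = new Date(isoDate + 'T00:00:00Z');
  d.setUTCDate(d.getUTCDate() + days);
  return d.toISOString().slice(0, 10);
}

// AG deadline for one state. `individualDeadline` is that state's
// individual-notice deadline (ISO date) as computed elsewhere by the engine.
// Returns null when the state has no notice-anchored AG clock or the resident
// threshold is not met; otherwise reports which anchor produced the date.
function agDeadline(state, counts, noticeDates, individualDeadline) {
  const rule = AG_AFTER_NOTICE[state];
  if (!rule) return null;
  if ((counts[state] || 0) < rule.threshold) return null;
  const sent = noticeDates[state];
  if (sent) {
    return { state, anchor: 'actual-notice', due: addDays(sent, rule.days) };
  }
  // No date recorded yet: fall back to the latest lawful start.
  return { state, anchor: 'fallback', due: addDays(individualDeadline, rule.days) };
}
```

With the page's own sample input, `parseStateCounts("CA:600, FL=200\nWA:150")` yields three entries totalling 950, and `agDeadline('CA', counts, { CA: '2026-06-10' }, '2026-07-01')` returns 2026-06-25 from the actual-notice anchor; remove the recorded date and the same call falls back to the individual-notice deadline plus 15 days. The date validator deliberately round-trips through `Date` because the JavaScript engine will silently roll some out-of-range days forward rather than rejecting them.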
Roles
Assign the five war-room roles so everyone knows their lane:
| Role | Typical responsibility |
|---|---|
| Incident Commander | Owns the response, makes the calls, is recorded as the incident's commander. |
| Comms / Legal | Owns notification decisions, regulator and customer messaging, counsel coordination. |
| Tech Lead | Owns containment, eradication, forensics, and recovery. |
| Scribe | Keeps the timeline current; logs events and decisions. |
| Executive | The leadership sponsor and decision escalation point. |
- Type a name into each role field.
- Click Save roles. The Incident Commander becomes the incident's commander; a timeline event records the update.
The playbook library
Klaxon ships eight curated runbooks, each mapped to the six-phase NIST incident-response lifecycle (Detect → Analyze → Contain → Eradicate → Recover → Post-Incident) with framework control maps and built-in notification-trigger checks:
| Playbook | Use when… |
|---|---|
| Ransomware | Systems are encrypted / a ransom demand is made. |
| Business Email Compromise (BEC) | An email account is taken over for fraud / wire diversion. |
| Data Breach (PII/PHI Exfiltration) | Personal or health data was accessed or exfiltrated. |
| Lost / Stolen Device | A laptop, phone, or drive with data goes missing. |
| Account Takeover / Credential Theft | User credentials are compromised. |
| Insider Threat / Data Theft | An employee or contractor exfiltrates data. |
| Denial of Service (DDoS) | Availability is under attack. |
| Third-Party / Vendor Breach | A vendor / business associate is breached. |
Browse a playbook: open the Playbooks tab and click a card to read its phases, steps, owner roles, framework map, and the highlighted notification-trigger steps.
Launch a playbook into an incident:
- Open the incident.
- In the Launch playbook panel (bottom right), pick a playbook.
- Click Launch → auto-create tasks. Every step in every phase becomes a tracked task on the incident, tagged with its owner role, and the incident's severity is set to the playbook's default. A timeline event records the launch.
Tasks
- Tasks come from launching a playbook, or you can add your own with the New task box.
- Check a task to mark it done (and uncheck to reopen). Each toggle is logged to the timeline.
- Tasks that came from a playbook show their owner role.
Evidence (chain-of-custody)
Attach evidence so its integrity is provable later — without ever uploading the file:
- In the Evidence panel, choose a file.
- Klaxon computes its SHA-256 hash in your browser and records the filename, the hash, and a timestamp. A timeline event notes the attachment with a short hash preview.
- The file content is never uploaded and stays local; only its hash is recorded. The hash is your chain-of-custody fingerprint: anyone can re-hash the original file and compare.
Klaxon stores the fingerprint, not the file. Keep the original evidence files in your own secure evidence store; the hash proves the file you produce later is the same one you hashed during the incident.
Communications log
Auditors and cyber-insurers want a record of who was told what, and when. The Communications log captures it:
- Pick an audience: Internal, Customers, Regulator, Law enforcement, Cyber-insurer, Vendor, or Media.
- Type what was communicated and click Log.
- Each entry is timestamped and also written to the append-only timeline. The log appears in the PIR and the auditor bundle.
The append-only timeline
The timeline is the forensic record of the incident. It is append-only: events are added, never edited or deleted through the UI. Events are created automatically (declaring, facts updates, role changes, task toggles, playbook launches, evidence, comms, filings, status changes) and you can add your own notes with the Log an event… box.
Every event is sealed into a SHA-256 hash chain the moment the incident is rendered, which makes any later tampering evident. A badge by the incident ID shows the chain's status. This is covered in depth on Timeline integrity.
Incident status
Use the Status dropdown to move the incident through its lifecycle: Open → Contained → Eradicated → Recovered → Closed. Setting it to Closed records a closed-at timestamp. Each change is logged to the timeline. The "what-changed" law feed only flags incidents that are not Closed.
Tabletop runner
Test your plan before a real incident. The Tabletop tab offers six scenarios:
| Scenario |
|---|
| Ransomware at a Multi-State Clinic |
| BEC Wire Fraud at a Defense Subcontractor |
| Lost Laptop on a Train |
| Departing Employee Exfiltrates Records |
| SaaS Vendor (Business Associate) Breach |
| Public Cloud Storage Misconfiguration |
- Open a scenario to read its context and objectives.
- Click Release next inject to reveal each timed inject and its decision prompt.
- For each inject, check the rubric items the team satisfied. The running score updates.
- When all injects are released, click Download AAR (Markdown) for an after-action report with the score, per-criterion results, gaps found, and recommended action items.
- Use Reset exercise to run it again from scratch.
Exports (PIR, auditor bundle)
From an open incident you can export durable copies:
| Button | Output | Contains |
|---|---|---|
| PIR | Post-Incident Report (Markdown, .md) | Header (IDs, severity, status, dates, commander), impact (totals, by-state, data types, flags), roles, the full obligation set with filed/outstanding status and citations, the append-only timeline, the comms log, the evidence hash index, and tasks. |
| Auditor bundle | Auditor / cyber-insurance pack (JSON) | A machine-readable export of the incident, the computed obligations with status, the timeline, tasks, comms, the timeline-integrity result, the evidence hash index, plus the dataset version and disclaimer. |
Two more exports live elsewhere: the deadline calendar (.ics) is exported from the Notification Engine, and notification letters (.txt / print-to-PDF) from the Letters tab.