Salesforce Architect
medium

How do you architect cyber security incident response for Salesforce?

Incidents happen. Architecture should support detection, containment, recovery.

Detection:

  • Event Monitoring (Shield) — runtime activity logs.
  • SIEM integration — Splunk / Datadog / Sumo Logic ingesting Salesforce events.
  • Behavior analytics — unusual patterns flagged.
  • Health Check — security posture monitoring.
  • Login anomalies — unusual entries surfaced in Login History.

Detection patterns:

  • Unusually large data exports.
  • Logins from unusual geographies.
  • Unexpected mass record changes.
  • Permission escalations without Architecture Review Board (ARB) approval.
  • Bursts of failed logins (brute force).
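As an added example (not from the original page), the following Python sketch shows how a SIEM rule might evaluate three of these patterns over Event Monitoring-style rows: a failed-login burst, a login from a country outside a user's baseline, and an oversized report export. The sample rows, column names and thresholds are constructed assumptions, not the real Event Log File schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample, loosely modeled on Event Monitoring Login and
# ReportExport rows. Column names are assumptions, not the real schema.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_NAME,LOGIN_STATUS,COUNTRY,ROW_COUNT
Login,2024-05-01T08:00:00Z,alice@example.com,LOGIN_NO_ERROR,US,
Login,2024-05-01T08:01:00Z,bob@example.com,LOGIN_ERROR_INVALID_ID_PASSWORD,US,
Login,2024-05-01T08:01:05Z,bob@example.com,LOGIN_ERROR_INVALID_ID_PASSWORD,US,
Login,2024-05-01T08:01:10Z,bob@example.com,LOGIN_ERROR_INVALID_ID_PASSWORD,US,
Login,2024-05-01T08:01:15Z,bob@example.com,LOGIN_ERROR_INVALID_ID_PASSWORD,US,
Login,2024-05-01T08:01:20Z,bob@example.com,LOGIN_ERROR_INVALID_ID_PASSWORD,US,
Login,2024-05-01T09:00:00Z,alice@example.com,LOGIN_NO_ERROR,RU,
ReportExport,2024-05-01T09:05:00Z,alice@example.com,,US,250000
ReportExport,2024-05-01T10:00:00Z,carol@example.com,,US,120
"""

# Constructed baseline: countries each user normally logs in from.
KNOWN_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
}

FAILED_LOGIN_THRESHOLD = 5      # failures per user within one log file (hourly window)
EXPORT_ROW_THRESHOLD = 100_000  # rows in a single report export


def detect(log_text, known_countries,
           fail_threshold=FAILED_LOGIN_THRESHOLD,
           export_threshold=EXPORT_ROW_THRESHOLD):
    """Return (pattern, user) alerts in the order the triggering rows appear."""
    alerts = []
    failures = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["USER_NAME"]
        if row["EVENT_TYPE"] == "Login":
            if row["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
                failures[user] += 1
                if failures[user] == fail_threshold:  # alert once per user
                    alerts.append(("failed_login_burst", user))
            elif row["COUNTRY"] not in known_countries.get(user, set()):
                alerts.append(("unusual_geo", user))
        elif row["EVENT_TYPE"] == "ReportExport":
            if int(row["ROW_COUNT"] or 0) > export_threshold:
                alerts.append(("large_export", user))
    return alerts
```

A production rule would key the failed-login window on timestamps rather than file boundaries and would feed each alert into the containment runbook (disable the account, revoke tokens) described below.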

Containment:

  • Disable compromised account immediately.
  • Revoke OAuth tokens for affected Connected Apps.
  • Tighten IP allowlists once the attack pattern is identified.
  • Transaction Security Policies (Shield) for real-time blocks.
  • Communication freeze if suspicious activity in customer-facing systems.

Investigation:

  • Audit logs — what happened? When? By whom?
  • Field History — what data changed?
  • Event Monitoring — runtime forensics.
  • Setup Audit Trail — metadata changes.

Recovery:

  • Restore data from backups (OwnBackup or similar).
  • Rotate credentials — passwords, OAuth secrets, API keys.
  • Re-enable affected accounts after investigation.
  • Fix vulnerabilities.
  • User communication if data exposed.

Notification:

  • GDPR breach notification within 72 hours if EU data affected.
  • Customer notification based on contract / regulatory requirements.
  • Public disclosure if material to investors / public.

Post-incident:

  • Post-mortem — blameless analysis.
  • Lessons learned — what worked, what didn't.
  • Remediation plan — prevent recurrence.
  • Update detection rules based on new attack patterns.

Architecture for response:

  • Runbook — pre-written response for common scenarios.
  • Communication plan — who tells whom what.
  • Escalation paths — when to bring in legal, PR, executives.
  • Drill cadence — practice annually.

Senior architect insight: incidents will happen. Plan for them. Architecture that supports detection + response is more valuable than architecture that pretends nothing will go wrong.

The senior framing: prepare in peacetime; execute in crisis. Without runbook + drill, real incidents become disasters.

Why this answer works

Senior. The detection / containment / recovery framework and "prepare in peacetime" framing are mature.
