App removed from an app store
A mobile app or developer account is rejected, removed, or suspended, blocking new installs, updates, billing, or discovery.
Practical playbooks for common business failures. Prepare before an incident, or open the recovery checklist when it has already happened.
Risk landscape
The library spans six operational areas. Use this map to find the parts of the business with the most recovery paths to prepare.
Incident library
50 playbooks
A mobile app or developer account is rejected, removed, or suspended, blocking new installs, updates, billing, or discovery.
Queued emails, imports, billing actions, webhooks, or other asynchronous work is delayed or frozen.
Backups exist, but they are missing, corrupt, incomplete, encrypted, incompatible, or too slow to use.
An attacker may read mail, reset other accounts, impersonate the business, or redirect payments.
Builds, tests, package publishing, or deployments cannot run through the normal automation provider.
An attacker may control cloud identities, infrastructure, data, logs, or the account's billing and recovery settings.
A provider limit prevents new requests, instances, storage, messages, builds, or other critical resources.
A cloud region or availability zone hosting critical workloads becomes unavailable or severely degraded.
A contractor becomes unreachable while retaining access, knowledge, devices, code, data, or ownership of critical services.
A provider your product or operations depend on is unavailable, degraded, or losing data.
A cron task or scheduler no longer runs backups, renewals, reports, cleanup, billing, or synchronization.
A provider announces closure, ends your product, terminates service, or gives a short migration deadline.
Automated attackers are testing stolen username and password pairs against customer accounts.
An export, report, attachment, or support response exposes one customer's information to another.
A retry, webhook, race condition, import, or operator action creates duplicate customer charges.
The application cannot obtain database connections, causing requests, jobs, and administrative access to stall.
A schema or data migration partially applies, blocks traffic, corrupts records, or leaves old and new code incompatible.
Malicious traffic exhausts bandwidth, connections, compute, or expensive application operations.
Incorrect nameservers or DNS records make the website, API, email, or verification services unreachable.
Your domain no longer resolves, has left your registrar account, or is registered to someone else.
Encrypted customer data, backups, or infrastructure cannot be decrypted because the required key is missing or inaccessible.
Someone who no longer works with the business can still reach accounts, code, data, devices, or customer systems.
The only person with critical authority, access, or knowledge cannot work or communicate.
An attacker may control an owner account, repositories, Actions, apps, or credentials connected to your GitHub organization.
A work laptop containing sessions, source code, customer data, or recovery credentials is missing.
A launch, mention, campaign, or attack sends far more legitimate traffic than the system was designed to handle.
The phone or security key used to approve critical logins is unavailable, damaged, or stolen.
Logs, metrics, traces, uptime checks, or alerts stop reporting while production continues to run.
Your newsletter account is suspended, disabled, terminated, or inaccessible before an important send.
An attacker may be able to publish malicious versions of packages your customers or systems install.
The vault containing business passwords, recovery codes, and secure notes is unavailable or cannot be unlocked.
Payment events are delayed, rejected, or ignored, leaving orders, subscriptions, and access out of sync.
Customer information, credentials, internal documents, or private source code were pushed to a public repository.
Files intended for restricted access can be listed or downloaded without proper authorization.
A credential that can read data, spend money, send messages, or control production has been exposed.
Records, files, tables, or an entire production database were deleted or overwritten.
Production records still exist but values, relationships, indexes, or internal storage are no longer trustworthy.
A release causes errors, missing pages, failed checkouts, corrupt writes, or unexpected customer behavior.
Systems or data are encrypted, stolen, deleted, or held for payment by a malicious actor.
Passwords, tokens, payment details, personal data, or private content are being recorded in application or vendor logs.
A library, container, plugin, action, SDK, or build dependency may contain malicious or unauthorized code.
Stripe is still collecting money, but payouts are delayed, paused, failed, or restricted.
Disputes rise sharply because of fraud, customer confusion, service failure, or an organized abuse campaign.
A key person departs before transferring ownership, context, credentials, work, or recurring responsibilities.
Browsers or API clients reject your site because its HTTPS certificate is expired, invalid, or issued for the wrong name.
Login links, receipts, alerts, invitations, and account messages are rejected, delayed, or sent to spam.
Cloud, AI, storage, bandwidth, or API spending rises far beyond the expected amount.
A third-party API changes behavior, authentication, fields, limits, or versions and breaks a critical workflow.
An attacker may have altered your site, stolen data, installed persistence, or gained access to connected systems.
A hidden, unfinished, risky, or destructive code path is activated for the wrong customers or environment.
No playbooks match that search.
How it works
Start with the system, provider, or person that is creating the risk.
Use the readiness checklist beforehand or follow urgent actions in order.
Finish with observable checks that prove the business is actually recovered.