
Threat Detection and Prevention

2026.1

To preserve the integrity of data that Changineers stores, processes, or transmits for Customers, Changineers implements strong intrusion detection tools and policies to proactively track and retroactively investigate unauthorized access. This includes threat detection and prevention at both the network and host level, as well as threat intelligence monitoring.

Changineers policy requires that:

(a) All critical systems, assets and environments must implement real-time threat detection or prevention.

Workforce members keep the operating system’s built-in anti-malware facility enabled on their devices (XProtect and Gatekeeper on macOS, Windows Defender on Windows) and apply operating-system security updates as they are released.

Detected malware is handled under the established incident response process.

Changineers applies firewall controls at the network, host, and application layers.

  • Network. AWS Security Groups and Network ACLs gate traffic between services and into the VPC.
  • Host. Workforce members keep the operating system’s built-in firewall enabled on their devices (Application Firewall on macOS, Windows Defender Firewall on Windows).
  • Application. AWS WAF and AWS Shield protect the platform’s public endpoints from common web application attacks, including injection, cross-site scripting, and denial-of-service.

Network Intrusion Detection in AWS Cloud Environments


Changineers uses Amazon GuardDuty for real-time threat detection in the Production AWS account. GuardDuty analyses:

Findings are reviewed by the Security team. High-severity findings are routed to on-call engineers through the Changineers incident response process.

Workforce members keep the operating system’s built-in threat detection enabled on their devices (XProtect and Gatekeeper on macOS, Windows Defender on Windows) and apply operating-system security updates as they are released.

Changineers leverages AWS services to protect web applications against common attacks such as SQL injection, cross-site scripting, and denial-of-service (DoS/DDoS) attacks. The services used include AWS Shield, AWS WAF, Amazon CloudFront, and Amazon API Gateway.

Our authentication provider, Amazon Cognito, supports additional advanced protection methods that further strengthen our security posture:

  • Advanced security features for Amazon Cognito help protect user accounts from unauthorized access with compromised credentials. When Amazon Cognito detects that a user has entered credentials that have been compromised elsewhere, it prompts them to change their password.

  • If Amazon Cognito detects unusual sign-in activity, such as sign-in attempts from new locations or devices, it assigns a risk score to the activity and, depending on configuration, either prompts the user for additional verification or blocks the sign-in request. Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator, such as Google Authenticator.

Security events are aggregated across AWS-native and vendor services:

  • AWS CloudTrail provides the authoritative audit trail of API activity across every AWS account. Logs are delivered to a centralised S3 bucket in the Security account, which is read-only to prevent tampering or log deletion by compromised workloads.
  • Amazon GuardDuty detects suspicious activity in AWS environments (see Network Intrusion Detection).
  • Amazon CloudWatch collects application logs, metrics, and alarms.
  • Sentry captures application errors and exceptions.
  • incident.io routes alerts from these sources to on-call engineers and coordinates the incident response lifecycle.

The Security team reviews findings across these sources as part of weekly security operations.

Revision history

Date        Summary                                   Approved by
2020-01     Initial revision.                         James Gregory
2026-04-24  Refreshed threat detection procedures.    James Gregory