How Changineers monitors for attacks, anomalies, and suspicious activity in production and on engineer endpoints.
This is where the platform watches for attacks and suspicious activity, and where you’d look if you suspected something was off. For what to do once a vulnerability is known, see Vulnerability management.
Authentication anomalies
User authentication runs through Amazon Cognito with its advanced security features enabled at default settings, so you don’t need to build credential-stuffing or unusual-login detection yourself:
- Cognito flags credentials known to have been compromised elsewhere and prompts the user to change their password.
- Cognito scores sign-in attempts by risk (new locations, new devices) and challenges or blocks the high-risk ones.
Audit logging
If you’re investigating something in AWS, the authoritative trail is CloudTrail. It’s on in every account in the Changineers AWS Organization, and the logs land in a centralised S3 bucket in the Security account. That bucket is read-only to other accounts, so a compromised workload can’t tamper with or delete the trail.
Admin actions are attributable to specific humans. AWS access is granted per-engineer through IAM Identity Center, federated from Google Workspace. Each CloudTrail entry records both the assumed IAM role and the SSO identity that assumed it, so any action in the trail traces back to a named engineer.
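As an added example (not Changineers' own tooling), the script below shows what "traces back to a named engineer" looks like in practice when reading CloudTrail records. It assumes the setup described above: engineers reach AWS only through IAM Identity Center, so every human session is an assumed `AWSReservedSSO_*` role whose role session name is the federated user's identity. Anything else in the trail (a workload role, an IAM user, root) has no engineer behind it and is worth a second look. The account IDs, role names, user names and records are constructed, not taken from a real trail.

```python
"""Attribute CloudTrail events to the IAM Identity Center user behind them.

Added example; assumes access is granted only via IAM Identity Center
(AWSReservedSSO_* roles). All identifiers below are constructed samples.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Identity Center permission-set roles are named AWSReservedSSO_<set>_<hex suffix>.
SSO_ROLE_RE = re.compile(r"^AWSReservedSSO_(?P<permission_set>.+)_[0-9a-f]+$")
# STS assumed-role ARN: arn:aws:sts::<account>:assumed-role/<role>/<session name>
ASSUMED_ROLE_ARN_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)


@dataclass
class Attribution:
    event_name: str
    account: str
    role: Optional[str]       # assumed IAM role, if any
    engineer: Optional[str]   # SSO identity (role session name), if any
    attributable: bool        # True only for an Identity Center role session


def attribute(record: dict) -> Attribution:
    """Map one CloudTrail record to the role and (where present) the SSO identity."""
    ident = record.get("userIdentity", {})
    account = record.get("recipientAccountId", "")
    name = record.get("eventName", "")
    if ident.get("type") == "AssumedRole":
        m = ASSUMED_ROLE_ARN_RE.match(ident.get("arn", ""))
        if m and SSO_ROLE_RE.match(m["role"]):
            # Human session via Identity Center: session name is the federated user.
            return Attribution(name, account, m["role"], m["session"], True)
        if m:
            # Some other role (workload, cross-account): no named engineer behind it.
            return Attribution(name, account, m["role"], None, False)
    # Root, IAM user, or anything else: not an Identity Center session.
    return Attribution(name, account, None, None, False)


def load_trail(text: str) -> list:
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of records."""
    return json.loads(text).get("Records", [])


def unattributed(records) -> list:
    """Records that cannot be traced to a named engineer; review these first."""
    return [a for a in map(attribute, records) if not a.attributable]


# Constructed sample log file, trimmed to the fields used above.
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # Engineer acting through an Identity Center permission set.
        "eventName": "PutBucketPolicy", "recipientAccountId": "111111111111",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEID:jane.doe@example.com",
            "arn": "arn:aws:sts::111111111111:assumed-role/"
                   "AWSReservedSSO_AdministratorAccess_0123456789abcdef/jane.doe@example.com",
        },
    },
    {   # Workload role used by a task: expected, but not a human.
        "eventName": "GetObject", "recipientAccountId": "111111111111",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/app-task-role/i-0abc123constructed",
        },
    },
    {   # IAM user: should not exist if all access goes through Identity Center.
        "eventName": "StopLogging", "recipientAccountId": "111111111111",
        "userIdentity": {"type": "IAMUser", "userName": "legacy-deploy"},
    },
    {   # Root sign-in: never attributable to an engineer, always worth reviewing.
        "eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
        "userIdentity": {"type": "Root"},
    },
]})
SAMPLE_RECORDS = load_trail(SAMPLE_TRAIL)

if __name__ == "__main__":
    for a in map(attribute, SAMPLE_RECORDS):
        who = a.engineer or "(no SSO identity)"
        print(f"{a.account} {a.event_name:<16} role={a.role} engineer={who}")
    print(f"{len(unattributed(SAMPLE_RECORDS))} of {len(SAMPLE_RECORDS)} records are not attributable")
```

Run against real output by replacing `SAMPLE_TRAIL` with the body of a log object from the Security account's bucket; the `unattributed` list is the natural starting point of an investigation, since the page's own model says every admin action should resolve to an SSO identity.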
AWS account intrusion detection
Amazon GuardDuty is enabled across the AWS Organization. It ingests CloudTrail, VPC Flow Logs, and DNS query data and raises findings on suspicious activity.
Application errors and runtime alerts
When something goes wrong in production, you’ll see it in one of these places:
- incident.io is the centralised place for alerts and alarms; it’s where you’ll land first. Sentry, CloudWatch, and other sources route through it; it pages on-call and coordinates the response. See Change management § Recovery for what happens when an alarm fires during or after a deploy.
- Sentry for application errors and exceptions. Spikes in error rates or brand-new error classes show up here first.
- Amazon CloudWatch for logs, metrics, and alarms. Alarms cover production health signals (elevated error rates, latency, capacity).
External advisories
We watch for advisories that affect what we run:
- Vendor advisories for our main software dependencies (Node.js, AWS service announcements).
- GitHub’s native security advisory feed for our repositories, surfaced in the GitHub Security overview.
When one lands, it goes through Vulnerability management.
Endpoint protection
Keep auto-update on for operating-system security updates, and leave the OS’s built-in malware protection on (XProtect and Gatekeeper on macOS, Windows Defender on Windows).
If you find malware on your machine, treat it as an incident under Incident response.