Response playbook

  • Open the Contrast console link — review the full attack payload and code path

  • Assess impact: what data or function does the exploited sink have access to?

  • If Block Mode is available for this rule: enable it for this application

  • If not: escalate to AppSec for emergency mitigation (WAF rule, input validation, or code fix)

  • Search SIEM for the same source IP across other applications

  • Search SIEM for the same attack rule across other applications — is this a targeted campaign or opportunistic scanning?

  • Notify AppSec with the specific function and payload for remediation

What to send developers when escalating

When you hand over the attack event to AppSec or Engineering for remediation, include these fields from the attack event:

  • Application name: identifies the codebase to fix

  • File and method: exact source location of the vulnerable sink (for example, app.py:test_connection() calling subprocess.run())

  • Full stack trace: call path from the request handler to the sink

  • Attack payload: the exact malicious input that triggered the exploit (needed for a regression test)

  • HTTP request details: method, endpoint, headers, body

All five are populated automatically by Contrast ADR on every attack event. Forward them verbatim from the Contrast console; no extraction or summarization needed. None of this is available from WAF, EDR, or other perimeter tools. That’s why, without ADR, dev cycles to reproduce and remediate application-layer attacks are typically slow.
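The sketch below is an added example, not code from the Contrast documentation or from any affected application. It shows how the "File and method" and "Attack payload" fields become a regression test on the developer side. The payload string, the `ping` command line and the names `hardened_test_connection`, `validate_host` and `regression_check` are assumptions standing in for the real sink and the real event data.

```python
import re
import subprocess

# Constructed stand-in for the "Attack payload" field of the attack event;
# in a real hand-over, paste the exact value from the Contrast console.
ATTACK_PAYLOAD = "127.0.0.1; id"

# Hostnames and IPv4 literals only: labels of letters, digits and inner hyphens.
# A leading "-" is refused, so the value cannot be read as a command option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST = re.compile(rf"(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*")


def validate_host(host):
    """Return host unchanged if it is a plain hostname or IPv4 literal, else raise."""
    if not isinstance(host, str) or not _HOST.fullmatch(host):
        raise ValueError("rejected host value")
    return host


def hardened_test_connection(host, runner=subprocess.run):
    """Hypothetical fixed form of the sink named in the event (test_connection())."""
    argv = ["ping", "-c", "1", validate_host(host)]
    # argv list with shell=False: the value is a single argument, never shell syntax.
    result = runner(argv, shell=False, capture_output=True, timeout=5)
    return result.returncode == 0


def regression_check(payload=ATTACK_PAYLOAD):
    """Return True only if the payload is rejected before the sink is reached."""
    calls = []

    def recording_runner(argv, **kwargs):
        # Records what would have been executed instead of running it.
        calls.append(argv)
        return subprocess.CompletedProcess(argv, 0)

    try:
        hardened_test_connection(payload, runner=recording_runner)
    except ValueError:
        return calls == []
    return False


if __name__ == "__main__":
    print("payload rejected before sink:", regression_check())
```

The injectable `runner` lets the check run in CI without executing anything, which is why the exact payload, forwarded verbatim, is enough to pin the fix.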