Skip to content

The 30 incident.io security checks Black Cat runs

Black Cat SSPM evaluates 30 security policies against your incident.io configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highExcessive Admins

Reduce the number of Incident.io organisation admins to three or fewer

mediumSingle Account Owner

Designate at least one additional Incident.io account owner to avoid single points of failure

mediumUser Without Base Role

Assign a base role to every Incident.io user that currently has none

mediumUser Has Custom Roles But No Base Role

Assign a base role to users who have custom roles but lack a base role to avoid ambiguous permission sets

lowUser With Excessive Custom Roles

Review and reduce custom role assignments for users who hold three or more custom roles to limit privilege creep

configuration

mediumWorkflow Has No Steps

Add at least one action step to workflows that currently have none or remove the workflow if it is unused

mediumUser No Slack Linked

Link a Slack account to each Incident.io user so they receive real-time incident notifications and can interact with incidents from Slack

data access

highWorkflow Accesses Private Data

Disable private incident and escalation access in Incident.io workflow settings unless strictly required

data exposure

lowPublic Status Page

Review whether public status page exposure is intended and restrict access if not required

data leakage

mediumWorkflow Unconstrained on All Incidents

Add conditions to workflows that run on all incidents without filters to limit unintended data exposure

governance

mediumAlert Source Unowned

Assign an owning team to every Incident.io alert source that currently has no owner

mediumAlert Route No Conditions

Add filtering conditions to alert routes to prevent all alerts from being handled identically

mediumEscalation Path No Team Assignment

Assign an owning team to every escalation path to establish clear accountability for on-call coverage

mediumSchedule No Team Assignment

Assign an owning team to every on-call schedule to prevent orphaned rotations with no accountable owner

lowActive Workflow Never Updated

Review and update version-1 active workflows to confirm they still reflect current operational requirements

lowSchedule Missing Timezone

Set an explicit timezone on every on-call schedule to ensure handoffs and notifications fire at the correct local time

lowSchedule No Holiday Configuration

Configure holiday awareness on on-call schedules so responders are not unknowingly scheduled during public holidays

incident response

highSingle Responder Escalation

Add additional responders to each escalation path node to remove single points of failure

mediumSingle Rotation Schedule

Add at least one additional rotation to on-call schedules that have only a single rotation

highSchedule Without Active Shift

Ensure every on-call schedule has at least one active shift to maintain continuous incident coverage

mediumWorkflow Disabled or Error

Fix or remove Incident.io workflows that are in a disabled or error state

lowWorkflow Ignores Step Errors

Disable continue-on-step-error in Incident.io workflow settings to ensure reliable workflow execution

lowAlert Source No Auto-Resolve

Enable auto-resolve on Incident.io alert sources to prevent alerts from remaining open indefinitely

highAlert Route No Escalation Path

Attach an escalation path to every alert route so that triggered alerts reach on-call responders

lowAlert Route No Grouping

Configure alert grouping on alert routes to reduce noise during alert storms

highEscalation Path No Current Responders

Ensure every escalation path has at least one active responder so that incidents are never silently dropped

mediumAlert Source Auto-Resolve Timeout Too Long

Reduce the auto-resolve timeout on alert sources that exceed 24 hours to prevent stale alerts lingering unresolved

mediumEscalation Path Shallow

Add additional escalation levels to ensure incidents are re-escalated when the first responder does not acknowledge

network security

mediumIP Allowlist Disabled

Enable the IP allowlist in Incident.io security settings to restrict access to trusted IP ranges

highIP Allowlist Enabled With No Rules

Add at least one IP allowlist rule or disable the allowlist to restore access to Incident.io

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial