Code Room
Track: On-call
Difficulty: Hard
ID: oc-g365
Subject: Suspicious access
Level: Senior–Staff
Duration: ~40 min
Common in: Reliability & on-call interviews
Industries: Software development, Technology

Question

A behavioral alert flags `svc-ci-deploy`, a service account whose normal job is to deploy to staging on weekdays 09:00–18:00. In the last 6 hours it: authenticated at 03:00 (off-hours for it), enumerated secrets in the **prod** vault path it had latent read access to, and called cloud APIs it has never called before (`s3:ListAllMyBuckets`, `kms:Describe*`) — all technically within its (over-broad) permissions, so nothing was denied. The credential is a long-lived static key stored in CI. CI shows no corresponding pipeline run. How do you triage whether this account is compromised, contain it, and remediate?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
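As an added illustration (not part of the original card), a triage scaffold that scores `svc-ci-deploy`'s recent events against the baseline the question states and decides whether containment comes before further investigation. The event fields, the UTC clock, the exact action names and the vault path prefix are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timezone

# Baseline for svc-ci-deploy as the scenario describes it; the UTC clock and the
# exact action names and vault path are assumptions made for this example.
BASELINE = {
    "weekdays": {0, 1, 2, 3, 4},            # Monday..Friday
    "hours": range(9, 18),                  # 09:00-17:59
    "allowed_paths": ("secret/staging/",),  # only staging secrets are normal
    "known_actions": {"ecs:UpdateService", "secretsmanager:GetSecretValue"},
}

# Constructed sample events for svc-ci-deploy (not real logs), matching the alert.
SUSPICIOUS = [
    {"ts": "2024-05-14T03:05:40Z", "action": "secretsmanager:ListSecrets", "resource": "secret/prod/", "pipeline_run": None},
    {"ts": "2024-05-14T03:07:02Z", "action": "s3:ListAllMyBuckets", "resource": "", "pipeline_run": None},
    {"ts": "2024-05-14T03:07:30Z", "action": "kms:DescribeKey", "resource": "", "pipeline_run": None},
]
# A normal weekday deploy for contrast: in hours, staging only, tied to a CI pipeline run.
NORMAL = [
    {"ts": "2024-05-14T10:15:00Z", "action": "secretsmanager:GetSecretValue", "resource": "secret/staging/app", "pipeline_run": "run-4711"},
]

def triage(events, baseline=BASELINE):
    """Group each event's deviations from the baseline by signal and decide whether to contain."""
    findings = {"off_hours": [], "unexpected_path": [], "novel_action": [], "no_pipeline": []}
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        if ts.weekday() not in baseline["weekdays"] or ts.hour not in baseline["hours"]:
            findings["off_hours"].append(ev["ts"])
        if ev["resource"] and not ev["resource"].startswith(baseline["allowed_paths"]):
            findings["unexpected_path"].append(ev["resource"])
        if ev["action"] not in baseline["known_actions"]:
            findings["novel_action"].append(ev["action"])
        if ev["pipeline_run"] is None:
            findings["no_pipeline"].append(ev["ts"])
    # One signal alone can be benign (a manual hotfix, a new pipeline step). Two or more
    # independent signals with no CI run behind them is where the static key gets revoked
    # before the investigation continues, per the "stop the bleeding first" rubric.
    signals = sum(1 for v in findings.values() if v)
    if signals >= 2 and findings["no_pipeline"]:
        verdict = "contain_now"
    else:
        verdict = "investigate" if signals else "baseline"
    return {"verdict": verdict, "signals": signals, "findings": findings}
```

The `findings` dict doubles as the evidence list for the incident channel: which secrets paths were enumerated tells you what to rotate, and the novel actions tell you which cloud audit logs to pull next.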
