Code Room
On-call · Medium
Question
Your auth metrics page lights up: a single source IP is hammering POST /admin/login at ~40 requests/second, all targeting the username 'admin', cycling through what look like dictionary passwords. The admin panel is internet-exposed (it was supposed to be VPN-only). Over the last hour there have been ~140,000 failed attempts and, two minutes ago, one SUCCESS for 'admin' followed by GET /admin/users. You're on call. Triage and respond — fast.
What a strong answer looks like
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
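One way to pull the signals this scenario describes out of an access log, as an added example that is not part of the original question: flag any source IP whose successful login followed a run of failures, and list what it requested afterwards. The log layout, the 401/200 status convention, the `triage` function and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

LOGIN_PATH = "/admin/login"

# Constructed sample lines. Assumed layout: time, source IP, method, path, status, user.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 POST /admin/login 401 admin
2024-05-01T10:00:00Z 203.0.113.7 POST /admin/login 401 admin
2024-05-01T10:00:01Z 203.0.113.7 POST /admin/login 401 admin
2024-05-01T10:00:01Z 198.51.100.20 POST /admin/login 401 alice
2024-05-01T10:00:02Z 198.51.100.20 POST /admin/login 200 alice
2024-05-01T10:00:03Z 203.0.113.7 POST /admin/login 200 admin
2024-05-01T10:00:04Z 203.0.113.7 GET /admin/users 200 admin
2024-05-01T10:00:09Z 198.51.100.20 GET /admin/dashboard 200 alice
"""

def parse(line):
    ts, ip, method, path, status, user = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "status": int(status), "user": user}

def triage(log_text, fail_threshold=3):
    """Return {ip: finding} for IPs whose login success followed >= fail_threshold failures."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])  # stable sort keeps same-second order
    fails = defaultdict(int)   # consecutive failed logins per source IP
    findings = {}
    for ev in events:
        ip = ev["ip"]
        is_login = ev["method"] == "POST" and ev["path"] == LOGIN_PATH
        if ip in findings:
            # Everything after the suspicious success is scope for the investigation.
            if not is_login:
                findings[ip]["post_auth"].append(f'{ev["method"]} {ev["path"]}')
        elif is_login and ev["status"] == 401:   # assumed failure status
            fails[ip] += 1
        elif is_login and ev["status"] == 200:   # assumed success status
            if fails[ip] >= fail_threshold:
                findings[ip] = {"user": ev["user"], "success_at": ev["ts"],
                                "failures_before": fails[ip], "post_auth": []}
            fails[ip] = 0
    return findings

if __name__ == "__main__":
    for ip, f in triage(SAMPLE_LOG).items():
        print(ip, f["user"], f["failures_before"], f["success_at"].isoformat(), f["post_auth"])
```

The `post_auth` list is the starting point for scoping what the session touched; the threshold should be tuned against normal mistyped-password rates.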