
BRB Protocol Overview

Owner: Anchor MSP Operations Lead
Last reviewed: 2026-05-24

Purpose

Provide an overview of the BRB (Big Red Button) Protocol, Anchor's automated incident response system for critical security threats. The BRB Protocol enables immediate system lockdown, forensic evidence collection, and staged recovery for situations where manual response is too slow.

Scope

All systems in Anchor managed production that have BRB agents deployed. BRB deployment is mandatory for systems that handle sensitive data or are classified as Critical tier in the client onboarding assessment.

What is BRB Protocol?

The BRB Protocol is an automated incident response capability with six core functions:

1. Instant Lockdown

When triggered, the BRB agent immediately isolates the target system: it blocks all network traffic except the emergency SSH path, stops all services, locks all user accounts, and terminates all active sessions. Lockdown completes in seconds rather than minutes.

2. Forensic Collection

During lockdown, the agent automatically collects a forensic package: system state, running processes, network connections, recent logs, file integrity checksums, and a memory snapshot. The process list, connections, and memory are volatile, so they are only useful if captured before services are stopped and sessions terminated; an operator reviewing a package should confirm these artefacts reflect the pre-lockdown state. The package is hashed with SHA-256 and uploaded to R2 object storage. Integrity verification compares the stored package against the digest recorded at collection time, not against a checksum sitting beside it in the bucket; that separately recorded digest is what makes later modification detectable.
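The following is an added example of how a forensic package and its integrity record fit together; it is not the BRB agent's code. It assumes a tar archive with a JSON manifest of per-file digests and an audit record holding the whole-package SHA-256 (names such as build_package, verify_package and the sample artefacts are constructed for the example). It shows the case that matters in practice: an attacker with write access to the bucket can regenerate a self-consistent package and manifest, and only the digest kept outside the bucket catches that.

```python
"""Forensic package build and verification (added example, not Anchor's agent code)."""
import hashlib
import io
import json
import tarfile

# Constructed sample artefacts standing in for what the agent collects on a host.
SAMPLE_ARTIFACTS = {
    "processes.txt": b"PID USER CMD\n1 root /sbin/init\n4242 www /usr/bin/python3 app.py\n",
    "connections.txt": b"tcp 10.0.0.5:443 -> 203.0.113.9:51324 ESTABLISHED\n",
    "auth.log": b"sshd[910]: Accepted publickey for deploy from 198.51.100.7\n",
    "memory.raw": bytes(range(256)) * 4,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_package(artifacts: dict, host: str, collected_at: int):
    """Bundle artefacts plus a manifest into an uncompressed tar archive.

    Returns (package_bytes, audit_record). The audit record carries the
    whole-package digest and is what goes to the separately stored audit
    trail; the bucket holds only the package itself.
    """
    manifest = {
        "host": host,
        "collected_at": collected_at,
        "files": {name: sha256_hex(data) for name, data in artifacts.items()},
    }
    entries = sorted(artifacts.items()) + [
        ("manifest.json", json.dumps(manifest, sort_keys=True).encode())
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = collected_at
            tar.addfile(info, io.BytesIO(data))
    package = buf.getvalue()
    audit_record = {
        "host": host,
        "collected_at": collected_at,
        "package_sha256": sha256_hex(package),
    }
    return package, audit_record


def verify_package(package: bytes, audit_record: dict):
    """Check a package pulled from the bucket against the audit-trail record.

    Returns (ok, problems). The outer digest check is the decisive one: a
    regenerated package passes every internal manifest check but cannot
    match a digest recorded somewhere the attacker could not write.
    """
    problems = []
    if sha256_hex(package) != audit_record["package_sha256"]:
        problems.append("package digest does not match audit record")
    try:
        with tarfile.open(fileobj=io.BytesIO(package), mode="r") as tar:
            members = {m.name: tar.extractfile(m).read()
                       for m in tar.getmembers() if m.isfile()}
    except tarfile.TarError as exc:
        return False, problems + [f"unreadable package: {exc}"]
    manifest = json.loads(members.pop("manifest.json", b"{}"))
    listed = manifest.get("files", {})
    for name, digest in listed.items():
        if name not in members:
            problems.append(f"{name} listed in manifest but missing")
        elif sha256_hex(members[name]) != digest:
            problems.append(f"{name} digest does not match manifest")
    for name in members:
        if name not in listed:
            problems.append(f"{name} present but not in manifest")
    return not problems, problems
```

A bit flip inside the archive fails both the outer digest and the per-file manifest check, while a package rebuilt by someone who controls the bucket fails only the outer check; that single remaining failure is the reason the digest belongs in the audit trail rather than next to the package.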

3. Staged Recovery

Recovery is not all-or-nothing. The BRB system supports staged recovery -- network first, then services, then user accounts -- so operators can verify system integrity at each stage before proceeding. See Recovery Procedures.

4. Dual-Approval Recovery

No single operator can recover a locked-down system. Full recovery requires approval from two distinct operators. This prevents an attacker who has compromised one operator's credentials from unlocking a contained system. The control only holds if each operator identity is individually authenticated; a shared account counts as one operator no matter how many people use it.
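To make the staged and dual-approval rules concrete, here is an added example of a controller-side recovery state machine; it is not the BRB Controller's code and the names (RecoveryWorkflow, RecoveryError, STAGES) are invented for it. It assumes that each stage, not just the overall recovery, needs two distinct approvers, and it enforces the page's order (network, then services, then accounts), rejects a second approval from the same identity, and keeps an audit list of every approval and release.

```python
"""Staged, dual-approval recovery state machine (added example, not BRB Controller code)."""
from dataclasses import dataclass, field

# Recovery order from the page: network first, then services, then user accounts.
STAGES = ("network", "services", "accounts")


class RecoveryError(Exception):
    """Raised when an approval would violate the recovery rules."""


@dataclass
class RecoveryWorkflow:
    host: str
    required_approvals: int = 2                     # assumed: two per stage
    approvals: dict = field(default_factory=dict)   # stage -> set of operator ids
    released: list = field(default_factory=list)    # stages re-enabled so far, in order
    audit: list = field(default_factory=list)       # (event, stage, operator) tuples

    def next_stage(self):
        """The only stage that may currently be approved, or None when done."""
        if len(self.released) < len(STAGES):
            return STAGES[len(self.released)]
        return None

    def approve(self, stage: str, operator: str) -> bool:
        """Record one operator's approval; return True once the stage is released."""
        expected = self.next_stage()
        if expected is None:
            raise RecoveryError(f"{self.host}: recovery already complete")
        if stage != expected:
            # Stages cannot be skipped: operators verify integrity at each one.
            raise RecoveryError(
                f"{self.host}: cannot approve {stage!r}; next stage is {expected!r}")
        approvers = self.approvals.setdefault(stage, set())
        if operator in approvers:
            # A second approval from the same identity is not a second approval.
            raise RecoveryError(f"{self.host}: {operator} already approved {stage!r}")
        approvers.add(operator)
        self.audit.append(("approve", stage, operator))
        if len(approvers) < self.required_approvals:
            return False
        self.released.append(stage)
        self.audit.append(("release", stage, None))
        return True

    def is_recovered(self) -> bool:
        return list(self.released) == list(STAGES)
```

The same operator may approve different stages; what the workflow refuses is one identity supplying both approvals for a single stage, or any approval for a stage whose predecessors have not been released.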

5. Real-Time Notifications

All BRB events (lockdown triggers, forensic uploads, recovery approvals) generate real-time notifications to #anchor-incidents-critical via Slack. SMS escalation is triggered for lockdown events.

6. Audit Trail

Every BRB action is logged with timestamps, operator identities, and system state. The audit trail is append-only and stored separately from the managed system, so a compromised host cannot alter or delete the record of what was done to it.

When to Deploy BRB

BRB Protocol is activated for confirmed, active security threats only. See BRB vs Standard Incident Response for the decision framework.

BRB triggers include:

  • Confirmed ransomware or destructive malware
  • Active data exfiltration
  • Compromised credentials with active exploitation
  • Unauthorized root access with an active threat actor

BRB is not used for: performance issues, partial outages, configuration errors, or suspected-but-unconfirmed security events. Those follow the standard Incident Response Procedure.

Architecture

The BRB system consists of three components:

  1. BRB Agent — Runs on each managed host. Subscribes to a Redis pub/sub channel for commands from the controller and executes lockdown and recovery actions locally. Because that channel carries lockdown and recovery commands, it must be treated as a privileged control path. See Agent Deployment.
  2. BRB Controller — Central command service. Receives lockdown requests via API or dashboard (Glance). Distributes commands to agents. Manages recovery approvals. Stores event history.
  3. Forensics Storage — Cloudflare R2 bucket (brb-forensics) stores all forensic packages with checksums for integrity verification.
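Since the agent acts on whatever arrives over the pub/sub channel, the authenticity and freshness of each command is the property to check before executing anything. The page does not describe how controller-to-agent commands are authenticated, so the following is an added example of one way to harden that path, not Anchor's design: an HMAC-SHA256 envelope over a canonical JSON command, a per-agent key, and a nonce plus timestamp for replay protection. The names (sign_command, AgentCommandVerifier, make_command), the 60-second validity window and the key value are all assumptions made for the example.

```python
"""Agent-side command authentication with replay protection (added example)."""
import hashlib
import hmac
import json
import secrets

ACTIONS = {"lockdown", "recover"}
MAX_SKEW = 60  # seconds a command stays valid after issue (assumed value)


def canonical(cmd: dict) -> bytes:
    """Deterministic encoding so controller and agent MAC the same bytes."""
    return json.dumps(cmd, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key: bytes, cmd: dict) -> str:
    """Controller side: wrap a command in a signed JSON envelope."""
    mac = hmac.new(key, canonical(cmd), hashlib.sha256).hexdigest()
    return json.dumps({"cmd": cmd, "mac": mac})


def make_command(host: str, action: str, operator: str, issued_at: int, stage=None) -> dict:
    """Controller side: build a command addressed to one host with a fresh nonce."""
    cmd = {"host": host, "action": action, "operator": operator,
           "issued_at": issued_at, "nonce": secrets.token_hex(8)}
    if stage:
        cmd["stage"] = stage
    return cmd


class AgentCommandVerifier:
    """Agent side: accept only authentic, fresh, correctly addressed, unreplayed commands."""

    def __init__(self, key: bytes, host: str):
        self.key = key
        self.host = host
        self.seen = {}  # nonce -> issued_at, pruned once outside the validity window

    def accept(self, raw: str, now: int) -> dict:
        """Return the command if every check passes; raise ValueError otherwise.

        All checks run before any action is taken, and the signature is
        checked first so that unauthenticated input never drives other logic.
        """
        envelope = json.loads(raw)
        cmd, mac = envelope.get("cmd"), envelope.get("mac", "")
        if not isinstance(cmd, dict) or not isinstance(mac, str):
            raise ValueError("malformed envelope")
        expected = hmac.new(self.key, canonical(cmd), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            raise ValueError("bad signature")
        if cmd.get("host") != self.host:
            raise ValueError("command addressed to another host")
        if cmd.get("action") not in ACTIONS:
            raise ValueError("unknown action")
        issued_at = cmd.get("issued_at", 0)
        if not (now - MAX_SKEW <= issued_at <= now + MAX_SKEW):
            raise ValueError("stale or future-dated command")
        # Nonces older than the window can no longer pass the freshness check,
        # so forgetting them keeps the replay cache bounded without losing safety.
        self.seen = {n: t for n, t in self.seen.items() if t >= now - MAX_SKEW}
        nonce = cmd.get("nonce")
        if not nonce or nonce in self.seen:
            raise ValueError("replayed command")
        self.seen[nonce] = issued_at
        return cmd
```

The host field matters as much as the signature: without it, a command signed for one host could be published to another agent's channel if the same key were shared, which is also why the example assumes a per-agent key.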


Exceptions

None. Systems designated for BRB protection must have a fully tested, operational BRB agent before they are accepted into managed production.