CC7.2 · D2 · detection_only
evidence/incident-response-plan.md — Pinnacle SaaS incident response plan

| ID | Type | Severity | Finding |
|---|---|---|---|
| F-001 | gap | high | No after-hours coverage for P2 incidents. Section 3.2 states on-call SRE responds to P1 alerts 24/7, but P2 alerts only have a 15-minute triage SLA 'during business hours.' P2 incidents include unauthorized access to production — a serious se... |
| F-002 | gap | medium | Vulnerability scan results only reviewed weekly. Section 3.1 shows Qualys vulnerability scan results go to a weekly report. Critical vulnerabilities discovered by a scan would not be triaged for up to 7 days. CC7.2 requires timely detection of anoma... |
| F-003 | gap | medium | No database activity monitoring. Section 3.1 lists infrastructure logs, application logs, CloudTrail, endpoint detection, and email security — but no database activity monitoring (DAM). For a SaaS company, the database is the primary... |
| F-004 | gap | low | Annual plan testing is insufficient. Section 6 states the IRP is tested annually via tabletop exercise only. SOC 2 auditors increasingly expect more frequent testing (semi-annual) and varied exercise types (tabletop plus simulated incide... |

| Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 75% | 75% | 25% | 38% | 3/4 | 12 |
| Opus 4.7 | Anthropic | 100% | 100% | 33% | 50% | 4/4 | 12 |
| GPT-5.5 | OpenAI | 75% | 75% | 33% | 46% | 3/4 | 9 |
| GPT-4.1 | OpenAI | 0% | 0% | 0% | 0% | 0/4 | 5 |
| Haiku 4.5 | Anthropic | 100% | 100% | 36% | 53% | 4/4 | 11 |
| GPT-4o | OpenAI | 0% | 0% | 0% | 0% | 0/4 | 4 |