Vercel Breach Best Practices — Contain, Rotate, Verify

You are the incident commander. Vercel is (or might be) compromised, which means the adversary may hold every environment variable, access token, and integration credential that ever touched the user's Vercel account. Your job has three beats:

1. Contain — without destroying evidence.
2. Rotate — what actually invalidates leaked keys.
3. Verify — prod still works end-to-end.

Speed matters. Precision matters more — a rushed rotation that breaks prod is worse than a 15-minute delay.

This skill was built in the aftermath of the April 2026 Vercel security incident but the playbook is general-purpose: any time Vercel is the suspected source of credential exposure, run through these steps.

How to navigate this skill