
Security SOPs for Outreach Teams: The Complete Set

Build Security Into the System, Not Just the Habits.

Most outreach teams have security practices — they know roughly what a safe weekly volume looks like, they understand that accounts shouldn't be shared across unrelated projects, they've heard the advice about organic activity maintenance. But knowing roughly what to do and having documented security SOPs that specify exactly what to do, in what sequence, under what conditions, with what quality standards, are completely different operational states. The gap between them shows up when new team members need to be onboarded, when something goes wrong and no one is sure what the response protocol is, when platform enforcement tightens and there's no documented baseline to update, or when a team lead is unavailable and another person has to manage accounts they didn't set up.

Security SOPs convert institutional knowledge into institutional infrastructure — practices that survive team turnover, scale across team growth, and produce consistent security quality as a system property rather than as a function of individual attention and experience.

This guide provides the complete set of security SOPs for outreach teams: the account setup SOP, the daily operational SOP, the volume governance SOP, the incident response SOP, and the quarterly review SOP. Each SOP is written in a format that can be adapted directly into your team's operational documentation.

SOP 1: Account Setup and Onboarding

The account setup SOP defines how every account that enters the outreach portfolio is configured, documented, and cleared for active operation — preventing the technical and behavioral security gaps that typically emerge when account setup is done ad hoc by whoever happens to be onboarding the account that day.

Technical Environment Setup

Every account must have the following technical environment configured before it is used for any outreach activity:

  1. Dedicated browser profile: Create a new browser profile in your anti-detect browser (Multilogin, AdsPower, or equivalent) with a unique fingerprint configuration — unique user agent, unique canvas fingerprint, unique WebGL parameters, unique screen resolution. Profile name should include the account identifier and creation date for audit trail purposes.
  2. Dedicated proxy endpoint: Assign one dedicated residential or ISP proxy to the browser profile. The proxy should be geographically consistent with the account's apparent location (a London-based account profile should not use a US residential proxy). Log the proxy endpoint, provider, and assignment date in the account registry.
  3. Session configuration: Configure automation tool session settings with variable timing (not fixed intervals), session duration within the 25–65 minute range, and time-of-day constraints that match the account's apparent professional time zone. Document the configuration settings in the account's operational file.
  4. 2FA and recovery credentials: Configure two-factor authentication using a method that is accessible to the operations team rather than tied to a personal device. Store recovery codes in the team's secure credential management system (1Password, Bitwarden, or equivalent). Never store credentials in email, Slack, or spreadsheets.

Account Documentation

Before any account enters active outreach operation, create an account record in the operations system with:

  • Account identifier (internal reference code)
  • Account type (owned vs. rental), provider name if rental
  • Account age and estimated trust history quality (new / developing / established / pre-warmed)
  • Assigned persona background (finance, technology, operations, etc.)
  • Browser profile name and location in the profile management system
  • Proxy provider, endpoint, and geographic assignment
  • Automation tool configuration profile name
  • Assigned operations owner (who is responsible for day-to-day management)
  • Current campaign assignment (which ICP segment, which sequence)
  • Weekly volume limit (documented maximum)
  • Status (warm-up / active / paused / restricted / decommissioned)

Warm-Up Protocol

All accounts entering the portfolio must complete the warm-up protocol before reaching full operating volume, regardless of account age or claimed trust history:

  • Week 1: Manual-only sessions, 3–4 per week, 20–30 minutes each. Activities: profile visits (10–15 per session), post reactions (5–8 per session), connection requests (8–12 per week). No outreach sequences.
  • Weeks 2–3: Begin low-volume automation sessions (25–30 minute sessions, 4 per week). Connection requests: 15–20 per week. Begin monitoring acceptance rate baseline.
  • Weeks 4–5: Increase to 30–35 connection requests per week. Add one automated follow-up touch to connected prospects. Continue organic activity alongside outreach.
  • Weeks 6–8: Ramp to target operating volume at +15 per week until reaching the account's documented limit. Full sequence activation at Week 7 if acceptance rate is above 30%.

Pre-warmed rental accounts skip Weeks 1–4 but complete a modified 1-week environment acclimatization period (manual activity only, organic actions, no outreach) before beginning the Week 5+ ramp.

⚡ The Setup SOP is an Onboarding SOP

The account setup SOP serves double duty as the new team member onboarding reference — a new hire who follows the account setup SOP correctly from day one cannot accidentally create the technical isolation failures, missing documentation, or warm-up bypass errors that cause early account restriction. Build the SOP so it works for the least experienced team member, and it will also work for the most experienced one.

SOP 2: Daily Operational Security

The daily operational security SOP defines the activities that must be completed each operational day to maintain account health, catch developing problems, and ensure every session runs within safe behavioral parameters. The daily SOP is the highest-frequency security practice in the outreach program — it takes 10–15 minutes per account and prevents the compounding of small problems into large ones.

Daily operational security checklist for each active account:

  1. Pre-session verification (2 minutes): Confirm the browser profile is loading the correct proxy endpoint (check IP address via whatismyip.com or equivalent within the browser profile before starting the LinkedIn session). Confirm the proxy is geographically consistent with the account's assigned location. Do not proceed if the proxy is failing or returning an unexpected geographic location.
  2. Session launch review (1 minute): Confirm the automation tool is configured to the correct session parameters for this account. Verify no configuration drift from the last session — timing settings, daily volume limits, and session duration constraints should be identical to the documented configuration.
  3. Post-session review (5 minutes): Review the session log for anomalies — unexpected authentication requests, CAPTCHA events, session terminations, or action errors. Log any anomalies in the account health log with the date, type, and context. Any CAPTCHA event triggers an immediate flag for investigation before the next session.
  4. Reply management (3–5 minutes): Review all new replies received today. Route each reply to the appropriate response protocol. Pause the sequence for any prospect who has replied — regardless of reply type — before the day's other operational tasks are completed.
  5. Connection count update (1 minute): Record today's connection request count in the weekly volume tracking log. Verify the running weekly total is within the account's documented limit. If within 10 requests of the weekly limit, do not send additional requests until the next weekly reset.

SOP 3: Volume Governance

The volume governance SOP defines the rules that determine how much outreach activity each account can run, how volume is monitored and enforced, and what the response process is when volume approaches or exceeds safe limits.

The volume governance rules that apply to every account in the portfolio:

Account Maturity | Hard Weekly Limit | Operational Target | Warning Threshold | Immediate Stop Threshold
New (0–3 months) | 40/week | 25–30/week | 35/week | 40/week
Developing (3–6 months) | 55/week | 40–45/week | 50/week | 55/week
Established (6–12 months) | 70/week | 55–60/week | 65/week | 70/week
Pre-warmed rental (12+ months) | 90/week | 70–80/week | 85/week | 90/week

Volume governance enforcement process:

  • Daily tracking: Log every connection request sent per account per day in the volume tracking log. Cumulative weekly totals are visible to all operations team members.
  • Warning threshold response: When an account reaches its warning threshold, no additional connection requests are sent for the remainder of the week. Sequences continue delivering messages to already-connected prospects. The operations owner documents why the warning threshold was reached.
  • Immediate stop response: If an account reaches its hard limit, all connection request automation pauses immediately. The account resumes at the start of the next weekly period at 80% of the operational target — not at the full operational target — for the following week as a precautionary reset.
  • Spike prevention protocol: Automation tool configuration must enforce per-day connection request limits (not just weekly limits) to prevent single-day volume spikes. Daily limits should be set at 20% of the weekly operational target — approximately 14 per day for a 70/week operational target account.

SOP 4: Organic Activity Maintenance

Organic activity maintenance is the security practice that preserves each account's trust baseline over time — the behavioral history that gives the account behavioral headroom at any given volume level and that deteriorates when outreach continues but genuine professional activity stops.

The organic activity maintenance standards for every active account:

  • Posting: Minimum 2 posts per month per account. Posts must be relevant to the account's professional background and target persona context. Use the account's persona profile to identify relevant content topics — a finance background account should post on finance, revenue, and business leadership topics; a technology background account on engineering, architecture, or product topics.
  • Commenting: Minimum 8 substantive comments per week (2–3 sentences each). Comments on content from the account's professional network, industry contacts, and relevant hashtag feeds. Generic one-word or emoji comments do not count toward the minimum — they generate lower trust signal than substantive engagement.
  • Reactions: 15–20 reactions per week, distributed across at least 4 separate sessions (not all in one session). Mix of like, celebrate, and insightful reactions — single-reaction-type patterns are detectable as non-human behavior.
  • Profile optimization review: Every 60 days, review the account's profile for currency — is the professional history current, are the connection count and endorsements consistent with expected activity levels, do the profile photo and headline still match the account's current targeting use case?

Organic activity maintenance tracking: log weekly completion for each account in the portfolio health log. Accounts that miss their organic activity maintenance standards for two consecutive weeks are flagged for operations manager review — maintenance gaps during active outreach periods are a security vulnerability that compounds with time.

SOP 5: Incident Response

The incident response SOP defines the specific steps taken when a security incident occurs — account restriction, CAPTCHA escalation, proxy failure, or automation detection — ensuring that every incident is handled consistently and that the response doesn't inadvertently create additional problems.

Account Restriction Response

  1. Immediate actions (within 1 hour of restriction detection): Pause all automation on the restricted account. Do not attempt to log in repeatedly to verify the restriction — multiple failed authentication attempts can escalate a temporary restriction to a permanent one. Pause all active sequences on the restricted account. Do not redistribute the restricted account's volume to other accounts immediately.
  2. Assessment (within 4 hours): Identify the restriction type — temporary feature limit, login restriction, or permanent suspension — by attempting a single manual login. Document the restriction type, the approximate date of last successful session, the volume level at time of restriction, and any recent behavioral changes (list changes, volume increases, new sequences). Update the account status to "Restricted" in the operations system.
  3. Gap coverage (within 24 hours): Activate the buffer account to absorb a portion of the restricted account's volume. Do not increase other active accounts above their documented limits. If no buffer account is available, accept the temporary capacity reduction rather than pushing remaining accounts above safe limits.
  4. Replacement initiation: For rental accounts, contact the provider within 24 hours of confirmed restriction to initiate the replacement process. For owned accounts, begin the replacement account onboarding process using the Account Setup SOP. Document the replacement timeline in the incident log.
  5. Post-incident review: Once the replacement account is operational, conduct a post-incident review: what behavioral pattern preceded the restriction, is there evidence the restriction was list-quality related (high spam reports) vs. volume-related vs. technical signature-related, and what SOP update (if any) would prevent recurrence?

CAPTCHA Escalation Response

  • Single CAPTCHA event: Complete the CAPTCHA in the current session. Reduce the session's remaining automation actions by 50%. Log the event. Investigate the proxy performance (was the IP flagged?) and the session timing (was the session running at an unusual time?) before the next session.
  • Two CAPTCHA events in one week: Pause automation on the affected account for 48 hours. Switch to manual-only sessions for 5 days. Reduce automation volume to 60% of the operational target for the following 2 weeks after resuming automation.
  • CAPTCHA during manual-only session: This is a stronger signal than a CAPTCHA during automation — it indicates the account is under active scrutiny rather than just automation tool detection. Extend the manual-only period to 10 days. Reduce automation volume to 50% for 4 weeks after resuming.

SOP 6: Quarterly Security Review

The quarterly security review SOP ensures that security practices evolve as the platform environment, team composition, and program scale change — preventing SOP drift and identifying security gaps before they produce restriction events.

The quarterly review agenda (60-minute structured session):

  1. Restriction event review (15 minutes): Review all restriction events in the trailing quarter — how many accounts, what types, what patterns preceded them, and whether the incident response SOP was followed correctly. Identify any pattern that suggests a systematic vulnerability in the current security architecture.
  2. Volume governance audit (10 minutes): Review the trailing quarter's volume tracking logs for each account. Were any warning thresholds triggered? Were any hard limits reached? Were volume increases applied without the documented review process? Identify accounts that are operating at higher average utilization than their maturity tier's operational target.
  3. Organic activity completion audit (10 minutes): Review the portfolio health log for organic activity completion rates. Any accounts with consistent maintenance gaps are flagged for investigation. Accounts with recent ownership changes (team member departure or role reassignment) are specifically reviewed for maintenance continuity.
  4. Technical environment audit (10 minutes): Verify that each account's browser profile and proxy assignment are current and correctly configured. Check for proxy provider changes (some providers rotate endpoints; verify the geographic consistency is maintained). Review whether any new automation tool updates have affected the session behavior configuration.
  5. SOP update review (15 minutes): Identify any security practices the team has adopted informally that aren't currently in the SOPs, any SOP steps that are consistently skipped because they're impractical, and any platform enforcement changes that require SOP updates. Make updates to the SOP documentation before the next quarter begins.

"Security SOPs aren't bureaucracy — they're the documentation that turns good security judgment into consistent security performance across every team member, every campaign, and every account. The teams with the lowest restriction rates aren't necessarily the most careful individuals; they're the teams that have converted careful individual judgment into repeatable institutional practice."

Start With Infrastructure That Supports Your Security SOPs

Outzeach provides the pre-warmed accounts with established trust histories, the technical isolation support, and the account management infrastructure that gives your security SOPs the operational foundation they need to work consistently. SOPs that run on solid infrastructure produce better security outcomes than SOPs running on fragile infrastructure — build both correctly from the start.


Frequently Asked Questions

What security SOPs should outreach teams have?
Outreach teams need six core security SOPs: an account setup and onboarding SOP (technical environment configuration, documentation, and warm-up protocol), a daily operational security SOP (pre-session verification, post-session review, reply management, volume count tracking), a volume governance SOP (per-account limits, warning thresholds, enforcement process), an organic activity maintenance SOP (posting, commenting, and reaction standards), an incident response SOP (restriction response, CAPTCHA escalation protocols), and a quarterly security review SOP (restriction pattern analysis, volume audit, technical environment verification, SOP updates).
What should be included in a LinkedIn outreach account setup SOP?
An account setup SOP should cover: dedicated browser profile creation with unique fingerprint parameters, dedicated proxy assignment with geographic consistency verification, session configuration with variable timing and time-of-day constraints, 2FA setup with credentials stored in a secure team credential management system, account documentation creation with all configuration details logged, and the warm-up protocol specifying the volume ramp schedule from first activity to full operating volume. Any account that enters the portfolio without completing these steps has unconfigured security vulnerabilities that compound over time.
How do you create a volume governance SOP for LinkedIn outreach?
A volume governance SOP needs four components: per-account weekly limits set at 70–80% of each account's sustainable maximum by maturity tier (new, developing, established, pre-warmed), daily tracking of every connection request sent per account, warning threshold responses (no additional requests for the remainder of the week when within 10% of the limit), and per-day automation limits set at approximately 20% of the weekly target to prevent single-day volume spikes. The SOP should specify exactly what happens at each threshold — not just that action should be taken, but what specific action and who is responsible.
What is the incident response process when a LinkedIn outreach account is restricted?
The restriction response SOP has five steps: immediate actions within 1 hour (pause all automation, do not attempt repeated logins, pause sequences), assessment within 4 hours (identify restriction type with a single manual login attempt, document context), gap coverage within 24 hours (activate buffer account, do not push other accounts above limits), replacement initiation (contact rental provider or begin owned account replacement process), and post-incident review (identify what behavioral pattern preceded the restriction and what SOP update would prevent recurrence).
How often should outreach teams review their security SOPs?
Outreach teams should conduct a structured quarterly security review covering restriction event patterns, volume governance compliance, organic activity completion rates, technical environment currency, and SOP updates needed based on the quarter's learnings. Beyond the quarterly review, SOPs should be updated immediately when a restriction event reveals a gap, when platform enforcement changes affect the underlying security architecture, or when team changes (new hires, role changes) expose informal practices that aren't yet documented in the SOPs.
What organic activity standards should outreach security SOPs specify?
Organic activity maintenance SOPs should specify minimum weekly standards per account: 2 posts per month with persona-relevant professional content, 8 substantive comments per week (2–3 sentences each — generic one-word comments don't count), and 15–20 reactions per week distributed across at least 4 separate sessions with a mix of reaction types. The SOP should also include tracking requirements — a weekly completion log — and escalation criteria: accounts missing maintenance standards for two consecutive weeks are flagged for operations manager review because maintenance gaps during active outreach periods are a security vulnerability.