# Incident Decision Tree Builder

> Draft scenario-specific incident response playbooks (NIST CSF RS.RP) with a clear Decision Matrix for isolate vs. monitor and logic gates for Containment, Eradication, and Recovery. Inserts or validates mandatory regulatory reporting windows (e.g. GDPR 72h, SEC 4 days) in the playbook timeline.

Tags: NIST CSF, Incident Response, Security, GRC, Playbook, Regulatory

## Example Prompts

- Draft a ransomware playbook with a decision matrix for when to isolate vs. monitor and add GDPR/SEC notification timelines
- Create a BEC incident playbook with containment logic gates and regulatory notification timer
- Build an incident response playbook for data exfiltration with isolate/monitor matrix and 72h GDPR deadline

URL: https://rakenne.app/skills/incident-decision-tree-builder/index.md

Try this skill: https://rakenne.app/a/?skill=incident-decision-tree-builder

## Overview

Draft scenario-specific incident response playbooks aligned to **NIST CSF 2.0 Respond (RS.RP)** with a defined **Decision Matrix** for when to isolate a system vs. monitor it, and logic gates through Containment, Eradication, and Recovery. The skill uses **regulatory_notification_timer** to insert or validate mandatory reporting windows (e.g. GDPR 72 hours, SEC 4 business days, NDB Australia, HIPAA 60 days) in the playbook timeline so the Communications Lead and legal stay within deadlines.

## Example Conversation

> **You:** We need a ransomware playbook with a clear decision matrix for when to isolate vs. monitor, and we're under GDPR and SEC (listed).

> **Agent:** I'll draft the playbook with a Containment-phase decision tree (isolate vs. monitor vs. contain-in-place) and a Post-Incident section. I'll run **regulatory_notification_timer** to get the mandatory reporting table for GDPR and SEC and insert it into the playbook.

> **Agent:** I've written the playbook in `ransomware-playbook.md`. Running **regulatory_notification_timer** with regulations `gdpr` and `sec`…

> **Agent:** Result of **regulatory_notification_timer**:
>
> ======== Regulatory notification timer — Playbook check ========
> File: ransomware-playbook.md
> [INFO] No explicit 'Regulatory' or 'Notification timeline' section found. Consider adding the snippet below.
> [ADD] GDPR (EU/UK): 72 hours — Notify supervisory authority without undue delay…
> [ADD] SEC (US listed): 4 business days — Form 8-K Item 1.05…
>
> INSERT THE FOLLOWING BLOCK INTO THE PLAYBOOK (e.g. Post-Incident / Regulatory section):
> [markdown table with Regulation | Deadline | Authority]
>
> I've added a "Mandatory regulatory notification timeline" section to the playbook with the table. The Decision Matrix is in the Containment section and on the Quick Reference Card.

## Output Excerpt

A typical playbook produced with this skill includes a Containment-phase decision matrix and a regulatory timeline. Excerpt:

```markdown
## Containment — Decision matrix (isolate vs. monitor)

| Condition | Action |
|-----------|--------|
| Confirmed compromise (IOC positive) | Isolate — disconnect from network, preserve evidence |
| Suspected only (unconfirmed alert) | Monitor — increase logging, short review window; do not isolate yet |
| Ransomware / destructive malware | Isolate immediately — halt encryption |
| Critical system, no failover | Contain in place — segment, block egress; escalate to Incident Commander |

## Post-Incident — Mandatory regulatory notification timeline

| Regulation | Deadline | Authority / Action |
|------------|----------|--------------------|
| GDPR (EU/UK) | 72 hours | Supervisory authority (e.g. ICO, CNIL) |
| SEC (US listed) | 4 business days | SEC (8-K filing) |
```

The agent inserts the regulatory table using the output from **regulatory_notification_timer** so deadlines (e.g. GDPR 72h, SEC 4 business days) are explicit for the Communications Lead.

## Extension Tool and Validations

The skill includes one tool that runs on the incident response playbook document (Markdown or text).

**`regulatory_notification_timer`** — Run after drafting the playbook (or its Post-Incident / Regulatory section). Pass the playbook file path and optionally a list of regulation IDs: `gdpr`, `sec`, `ndb`, `hipaa`, `pcidss`, `nyshield`, `calccpa`. Omit or use `all` to include every supported regulation.

**What it does:**

- **Validation** — Scans the playbook for an explicit "Regulatory" or "Notification timeline" section and for mentions of each selected regulation (e.g. "72 hour", "GDPR", "8-K", "SEC"). Reports [OK] or [ADD] per regulation so you know what is already documented.
- **Insert snippet** — Returns a ready-to-insert markdown table: "Mandatory regulatory notification timeline" with columns Regulation, Deadline, Authority. The agent (or you) pastes this into the Post-Incident / Regulatory section so responders see mandatory reporting windows at a glance.
- **Supported deadlines** — GDPR 72 hours (supervisory authority), SEC 4 business days (8-K Item 1.05), NDB Australia (as soon as practicable), HIPAA 60 days, PCI-DSS (per contract), NY SHIELD, California breach (without unreasonable delay).

Use the tool after drafting the playbook; add the generated table to the document so the playbook stays aligned with regulatory notification requirements.
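To make the validation and snippet steps above concrete, here is an added Python example of the same check; it is not the skill's own `regulatory_notification_timer` code. The deadlines are the ones listed on this page; the keyword regexes used to decide whether a regulation is "already documented", the function names, the placeholder authority text for regulations the page gives no authority for, and the sample playbook are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Regulation:
    label: str                 # name used in the generated table
    deadline: str              # reporting window as stated on the skill page
    authority: str             # who is notified / what is filed
    patterns: Tuple[str, ...]  # case-insensitive regexes that count as "documented"


# Deadlines come from the skill page. The match patterns are an assumption of
# this example (the real tool's matching rules are not published on the page).
# Authorities the page does not name carry an explicit placeholder.
REGULATIONS: Dict[str, Regulation] = {
    "gdpr": Regulation("GDPR (EU/UK)", "72 hours",
                       "Supervisory authority (e.g. ICO, CNIL)",
                       (r"\bgdpr\b", r"\b72\s*(?:hours?|h)\b", r"\bsupervisory authority\b")),
    "sec": Regulation("SEC (US listed)", "4 business days",
                      "SEC (Form 8-K Item 1.05)",
                      (r"\bsec\b", r"\b8-k\b", r"\b(?:4|four) business days\b")),
    "ndb": Regulation("NDB (Australia)", "As soon as practicable",
                      "PLACEHOLDER: confirm authority with counsel",
                      (r"\bndb\b", r"\bnotifiable data breach")),
    "hipaa": Regulation("HIPAA (US)", "60 days",
                        "PLACEHOLDER: confirm authority with counsel",
                        (r"\bhipaa\b", r"\b60\s*days\b")),
    "pcidss": Regulation("PCI-DSS", "Per contract",
                         "Acquirer / card brands per contract",
                         (r"\bpci[- ]?dss\b", r"\bcard brands?\b")),
    "nyshield": Regulation("NY SHIELD", "PLACEHOLDER: deadline not stated on this page",
                           "PLACEHOLDER: confirm authority with counsel",
                           (r"\bny shield\b", r"\bshield act\b")),
    "calccpa": Regulation("California breach law", "Without unreasonable delay",
                          "PLACEHOLDER: confirm authority with counsel",
                          (r"\bcalifornia\b", r"\bccpa\b", r"\bwithout unreasonable delay\b")),
}

# A Markdown heading whose text names a Regulatory or Notification-timeline section.
SECTION_RE = re.compile(r"^\s{0,3}#{1,6}\s+[^\n]*(?:regulatory|notification timeline)",
                        re.IGNORECASE | re.MULTILINE)


def has_regulatory_section(text: str) -> bool:
    """True if the playbook already has an explicit regulatory/notification section."""
    return bool(SECTION_RE.search(text))


def documented(text: str, reg: Regulation) -> bool:
    """A regulation counts as documented if any of its patterns occurs in the playbook."""
    return any(re.search(p, text, re.IGNORECASE) for p in reg.patterns)


def resolve_ids(reg_ids: Optional[List[str]]) -> List[str]:
    """Omitted list or 'all' selects every supported regulation; unknown ids fail loudly."""
    if not reg_ids or "all" in reg_ids:
        return list(REGULATIONS)
    unknown = [r for r in reg_ids if r not in REGULATIONS]
    if unknown:
        raise ValueError(f"unknown regulation id(s): {unknown}")
    return list(dict.fromkeys(reg_ids))  # de-duplicate, keep order


def check_playbook(text: str, reg_ids: Optional[List[str]] = None) -> dict:
    """Per-regulation OK/ADD status plus whether a dedicated section exists."""
    ids = resolve_ids(reg_ids)
    status = {rid: ("OK" if documented(text, REGULATIONS[rid]) else "ADD") for rid in ids}
    return {"has_section": has_regulatory_section(text), "status": status,
            "missing": [rid for rid in ids if status[rid] == "ADD"]}


def render_table(reg_ids: List[str]) -> str:
    """Markdown table in the same shape as the page's Output Excerpt."""
    rows = ["| Regulation | Deadline | Authority / Action |",
            "|------------|----------|--------------------|"]
    for rid in reg_ids:
        r = REGULATIONS[rid]
        rows.append(f"| {r.label} | {r.deadline} | {r.authority} |")
    return "\n".join(rows)


def report(text: str, reg_ids: Optional[List[str]] = None) -> str:
    """Human-readable check output; the insert block lists only the missing regulations."""
    result = check_playbook(text, reg_ids)
    lines = []
    if not result["has_section"]:
        lines.append("[INFO] No explicit 'Regulatory' or 'Notification timeline' section found.")
    for rid, st in result["status"].items():
        r = REGULATIONS[rid]
        lines.append(f"[{st}] {r.label}: {r.deadline} - {r.authority}")
    if result["missing"]:
        lines += ["", "INSERT THE FOLLOWING BLOCK INTO THE PLAYBOOK (Post-Incident / Regulatory):",
                  "## Post-Incident - Mandatory regulatory notification timeline", "",
                  render_table(result["missing"])]
    return "\n".join(lines)


# Constructed sample playbook: GDPR is mentioned in prose, SEC is not, and the
# word "Seconds" must not be mistaken for the SEC keyword.
SAMPLE_PLAYBOOK = """# Ransomware playbook (constructed sample)

## Containment - Decision matrix (isolate vs. monitor)

| Condition | Action |
|-----------|--------|
| Confirmed compromise | Isolate and preserve evidence |

## Post-Incident

Notify the supervisory authority under GDPR within 72 hours of awareness.
Seconds count once encryption starts.
"""

if __name__ == "__main__":
    print(report(SAMPLE_PLAYBOOK, ["gdpr", "sec"]))
```

Run against the sample, the check reports no dedicated section, `[OK]` for GDPR and `[ADD]` for SEC, and emits a one-row table to paste into the Post-Incident section. The word-boundary regexes matter: a loose substring match on `sec` would be satisfied by "Seconds" or "security" and mark the SEC window as documented when it is not.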

## Getting Started

Describe the scenario (e.g. Ransomware, BEC, data exfiltration), organizational context, and applicable regulations. Activate the *Incident Decision Tree Builder* skill; the agent will draft the playbook with the isolate/monitor matrix and run **regulatory_notification_timer** to inject the notification timeline into the Post-Incident section.

