Incident Response Playbook

    Overview

    Draft step-by-step security playbooks for any cyber attack type. Tailored to your organisation, tech stack, and threat landscape. Produces detection criteria, containment, eradication, recovery, post-incident review, and a quick-reference card with MITRE ATT&CK mapping and role assignments. Covers scenarios such as ransomware, phishing/BEC, insider threat, DDoS, supply chain compromise, data exfiltration, credential stuffing, and zero-day exploits.

    Example

    You: We need a ransomware incident response playbook. We’re a mid-size healthcare org, mostly Azure and Windows file servers, we use Microsoft Defender and Sentinel, and we’re under HIPAA.

    Agent: I’ll draft a playbook tailored to ransomware in your environment. (Asks for any missing details if needed, then produces the playbook.) The playbook includes: a header with MITRE ATT&CK mapping and P1–P4 severity; Detection & Identification with a triage checklist and evidence preservation before containment; Containment (first 15 minutes, first 4 hours, long-term) with steps for Defender/Sentinel; Eradication and Recovery; Post-Incident with a PIR agenda and metrics (MTTD, MTTC, MTTR); and a one-page quick-reference card with the first 5 actions and a “DO NOT” list. You can drop in your contact table and adjust tool commands to match your exact setup.

    Excerpt of a generated playbook

    The agent produces a single structured document. Below is a condensed example of the Quick Reference Card section:

    ## Quick Reference Card — Ransomware
    
    ### First 5 actions
    - [ ] 1. Confirm scope: identify the first affected host and the time of compromise (do not power off until evidence has been captured).
    - [ ] 2. Notify the Incident Commander and Technical Lead; preserve logs and a disk image per the Evidence Preservation checklist.
    - [ ] 3. Isolate affected systems from the network (EDR isolate / network segment quarantine).
    - [ ] 4. Disable affected service accounts and rotate credentials for any suspected compromise.
    - [ ] 5. Brief the Communications Lead for an internal stakeholder update; do not contact the threat actor without leadership approval.
    
    ### Severity (abbreviated)
    | Criteria     | P1                         | P2                              | P3                      |
    |--------------|----------------------------|---------------------------------|-------------------------|
    | Scope        | >1 site / critical systems | Single site / important systems | Single host / contained |
    | Data at risk | PHI/ePHI, backup impact    | Business-critical               | Limited                 |
    
    ### DO NOT
    - Do not pay or negotiate before Incident Commander and legal approval.
    - Do not restore from backup until backup integrity is verified and cause is understood.
    - Do not skip evidence preservation before containment actions.
    

    Getting Started

    Add your context (attack type, org description, security tools) to the project or describe it in chat. Activate the Incident Response Playbook skill; the agent will gather any missing details and produce a full playbook you can store in your wiki or runbooks.