# Incident Response Playbook

> Draft step-by-step security playbooks for any cyber attack type. Tailored to your organisation, tech stack, and threat landscape. Produces detection criteria, containment, eradication, recovery, post-incident review, and a quick-reference card with MITRE ATT&CK mapping and role assignments.
Tags: Security, Incident Response, Cybersecurity, Playbook, MITRE ATT&CK


## Example Prompts

- Create a ransomware incident response playbook for our file servers
- Draft a playbook for executive email compromise (BEC) for our org
- Generate an incident response playbook for DDoS against our customer-facing services
- Build a playbook for credential stuffing targeting our auth systems

URL: https://rakenne.app/skills/incident-response-playbook/index.md

Try this skill: https://rakenne.app/a/?skill=incident-response-playbook
## Overview

The skill covers scenarios such as ransomware, phishing/BEC, insider threat, DDoS, supply chain compromise, data exfiltration, credential stuffing, and zero-day exploits. For each, it produces detection criteria, containment, eradication, recovery, post-incident review, and a quick-reference card with MITRE ATT&CK mapping and role assignments, tailored to your organisation, tech stack, and threat landscape.

## Example

> **You:** We need a ransomware incident response playbook. We're a mid-size healthcare org, mostly Azure and Windows file servers, we use Microsoft Defender and Sentinel, and we're under HIPAA.
>
> **Agent:** I'll draft a playbook tailored to ransomware in your environment. *(Asks for any missing details if needed, then produces the playbook.)* The playbook includes: header with MITRE ATT&CK mapping and P1–P4 severity; Detection & Identification with triage checklist and evidence preservation before containment; Containment (first 15 minutes, first 4 hours, long-term) with steps for Defender/Sentinel; Eradication and Recovery; Post-Incident with PIR agenda and metrics (MTTD, MTTC, MTTR); and a one-page quick-reference card with the first 5 actions and a "DO NOT" list. You can drop in your contact table and adjust tool commands to match your exact setup.

## Excerpt of a generated playbook

The agent produces a single structured document. Below is a condensed example of the Quick Reference Card section:

```markdown
## Quick Reference Card — Ransomware

### First 5 actions
- [ ] 1. Confirm scope: identify first affected host and time (do not power off yet if evidence has not been captured).
- [ ] 2. Notify Incident Commander and Technical Lead; preserve logs and disk image per Evidence Preservation checklist.
- [ ] 3. Isolate affected systems from network (EDR isolate / network segment quarantine).
- [ ] 4. Disable affected service accounts and rotate credentials for any suspected compromise.
- [ ] 5. Brief Communications Lead for internal stakeholder update; do not contact threat actor without leadership approval.

### Severity (abbreviated)
| Criteria      | P1                         | P2                              | P3                      |
|---------------|----------------------------|---------------------------------|-------------------------|
| Scope         | >1 site / critical systems | Single site / important systems | Single host / contained |
| Data at risk  | PHI/ePHI, backup impact    | Business-critical               | Limited                 |

### DO NOT
- Do not pay or negotiate before Incident Commander and legal approval.
- Do not restore from backup until backup integrity is verified and cause is understood.
- Do not skip evidence preservation before containment actions.
```

## Getting Started

Add your context (attack type, org description, security tools) to the project or describe it in chat. Activate the *Incident Response Playbook* skill; the agent will gather any missing details and produce a full playbook you can store in your wiki or runbooks.

