Incident Response Playbook Builder
Build SOC-ready incident response playbooks with NIST SP 800-61 framework coverage for ransomware, data breach, DDoS, insider threat, and supply chain attacks.
Example Usage
Build an incident response playbook for:
- Incident type: Ransomware attack
- Organization size: Mid-market (500-2000 employees)
- Industry: Healthcare
- Compliance: HIPAA, HITECH
- Team structure: Dedicated SOC (8 analysts), separate IT ops team
Include: Full NIST lifecycle coverage, severity matrix, escalation paths, communication templates (internal, patient notification, HHS reporting), evidence preservation checklist, and tabletop exercise scenarios.
How to Use This Skill
Copy the skill using the button above
Paste into your AI assistant (Claude, ChatGPT, etc.)
Fill in your inputs below (optional) and copy to include with your prompt
Send and start chatting with your AI
Suggested Customization
| Description | Default | Your Value |
|---|---|---|
| Attack scenario: ransomware, data_breach, ddos, insider_threat, phishing_campaign, supply_chain, business_email_compromise | ransomware | |
| Organization scale: startup (1-50), smb (50-500), mid-market (500-2000), enterprise (2000+) | mid-market | |
| Industry vertical: technology, healthcare, finance, government, retail, manufacturing, education | technology | |
| Regulatory frameworks: SOC2, HIPAA, PCI-DSS, GDPR, CCPA, NIST-CSF, CMMC, FedRAMP, ISO-27001 | SOC2 | |
| IR team model: dedicated_soc, shared_responsibility, managed_soc, hybrid | shared_responsibility | |
Overview
The Incident Response Playbook Builder creates comprehensive, step-by-step incident response playbooks that SOC teams can execute during active security incidents. Built on the NIST SP 800-61 framework, it generates tailored procedures for seven common attack scenarios including ransomware, data breach, DDoS, insider threat, phishing campaigns, supply chain compromise, and business email compromise.
Unlike generic templates, this skill adapts playbooks to your organization’s size, industry, compliance requirements, and team structure. Each playbook includes roles and responsibilities, severity classification, escalation paths, communication templates, evidence preservation checklists, and recovery procedures.
Companion skill: Use the Incident Postmortem Generator for post-incident analysis after the crisis is resolved.
Step 1: Copy the Skill
Click the Copy Skill button above to copy the complete incident response framework to your clipboard.
Step 2: Open Your AI Assistant
Open Claude, ChatGPT, Gemini, or your preferred AI assistant.
Step 3: Paste and Customize
Paste the skill and provide your organizational context:
- {{incident_type}} - Attack scenario (ransomware, data_breach, ddos, insider_threat, phishing_campaign, supply_chain, business_email_compromise)
- {{organization_size}} - Your organization scale (startup, smb, mid-market, enterprise)
- {{industry_sector}} - Your industry (technology, healthcare, finance, government, retail, manufacturing, education)
- {{compliance_requirements}} - Applicable frameworks (SOC2, HIPAA, PCI-DSS, GDPR, CCPA, NIST-CSF, CMMC, FedRAMP, ISO-27001)
- {{team_structure}} - IR team model (dedicated_soc, shared_responsibility, managed_soc, hybrid)
Example Output
When you request a ransomware playbook for a mid-market healthcare organization, the skill generates:
- Full NIST lifecycle procedures (Preparation through Post-Incident)
- Healthcare-specific escalation paths with HIPAA notification timelines
- Ransomware-specific containment steps (isolation, backup verification, pay/no-pay framework)
- Communication templates (internal status, HHS notification, patient notification)
- Evidence preservation checklist with HIPAA-compliant chain of custody
- Recovery validation procedures for healthcare systems
- Tabletop exercise scenario tailored to healthcare ransomware
Key Features
- NIST SP 800-61 Framework - Complete lifecycle coverage for any incident type
- 7 Attack-Specific Playbooks - Ransomware, data breach, DDoS, insider threat, phishing, supply chain, BEC
- Severity Classification Matrix - P1-P4 with SLA targets and escalation triggers
- Role-Based Procedures - Incident Commander, Technical Lead, Communications Lead, Legal, Executive Sponsor
- Communication Templates - Internal updates, executive briefs, customer notifications, regulatory filings, press statements
- Evidence Preservation - Chain of custody, forensic imaging, log retention requirements
- Legal Compliance - Breach notification timelines for GDPR, HIPAA, CCPA, PCI-DSS, and more; statutory clocks such as GDPR's 72 hours and HIPAA's 60 days are outer limits, not targets, so confirm the generated deadlines against current regulatory text and your counsel before relying on them
- Tabletop Exercises - Four ready-to-use scenarios for validating playbooks
- Response Metrics - MTTD, MTTR, containment time tracking
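The severity matrix, SLA targets, response metrics and notification timelines listed above are easiest to understand as a small amount of playbook logic. The following is an added worked example for this page, not output of the playbook builder skill: it triages a constructed ransomware timeline to a P1-P4 priority, computes MTTD, time-to-acknowledge, containment time and MTTR, flags SLA breaches, and derives outer-limit notification deadlines. The severity matrix, SLA values and the incident timeline are assumptions; the two statutory clocks modelled are GDPR Art. 33 (72 hours to the supervisory authority from becoming aware) and the HIPAA Breach Notification Rule (individual and HHS notice no later than 60 calendar days after discovery, with breaches affecting fewer than 500 individuals reported to HHS within 60 days after the end of the calendar year). Both frameworks are applied to one incident purely to show both clocks.

```python
"""Severity triage, response metrics and notification clocks for one incident.

Added illustration for this page, not output of the playbook builder skill.
SEVERITY_MATRIX, SLA_MINUTES and the timeline in run_example() are constructed
assumptions; replace them with values from your own BIA and playbook.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Assumed severity matrix: (impact, scope) -> priority.
SEVERITY_MATRIX = {
    ("high", "enterprise"): "P1", ("high", "department"): "P1",
    ("high", "single_host"): "P2", ("medium", "enterprise"): "P2",
    ("medium", "department"): "P3", ("medium", "single_host"): "P3",
    ("low", "enterprise"): "P3", ("low", "department"): "P4",
    ("low", "single_host"): "P4",
}
# Assumed SLA targets per priority, in minutes: (acknowledge, contain).
SLA_MINUTES = {"P1": (15, 240), "P2": (30, 480), "P3": (240, 1440), "P4": (1440, 4320)}


@dataclass
class IncidentTimeline:
    first_malicious_activity: datetime  # earliest attacker action, from forensics
    detected: datetime                  # alert fired or report received
    acknowledged: datetime              # analyst took ownership
    contained: datetime                 # spread stopped (isolation complete)
    recovered: datetime                 # services restored and validated


def classify(impact: str, scope: str) -> str:
    """Map impact x scope onto a P1-P4 priority using the assumed matrix."""
    return SEVERITY_MATRIX[(impact, scope)]


def response_metrics(t: IncidentTimeline) -> dict:
    """MTTD, time-to-acknowledge, containment time and MTTR, all in minutes."""
    def minutes(start: datetime, end: datetime) -> float:
        return (end - start).total_seconds() / 60
    return {
        "mttd_min": minutes(t.first_malicious_activity, t.detected),
        "time_to_ack_min": minutes(t.detected, t.acknowledged),
        "containment_min": minutes(t.detected, t.contained),
        "mttr_min": minutes(t.detected, t.recovered),
    }


def sla_breaches(priority: str, metrics: dict) -> list:
    """Return the SLA stages (acknowledge, contain) missed for this priority."""
    ack_target, contain_target = SLA_MINUTES[priority]
    breached = []
    if metrics["time_to_ack_min"] > ack_target:
        breached.append("acknowledge")
    if metrics["containment_min"] > contain_target:
        breached.append("contain")
    return breached


def notification_deadlines(discovered: datetime, frameworks, affected_individuals: int) -> dict:
    """Outer-limit notification deadlines keyed by obligation, as ISO-8601 strings."""
    deadlines = {}
    if "GDPR" in frameworks:
        # Art. 33: without undue delay and where feasible within 72 hours of awareness.
        deadlines["GDPR supervisory authority (Art. 33)"] = discovered + timedelta(hours=72)
    if "HIPAA" in frameworks:
        # Breach Notification Rule: without unreasonable delay, at most 60 days after discovery.
        deadlines["HIPAA individual notice"] = discovered + timedelta(days=60)
        if affected_individuals >= 500:
            deadlines["HIPAA HHS notice (500+ individuals)"] = discovered + timedelta(days=60)
        else:
            # Under 500: log the breach and report to HHS within 60 days after year end.
            year_end = datetime(discovered.year + 1, 1, 1, tzinfo=UTC)
            deadlines["HIPAA HHS annual log (<500 individuals)"] = year_end + timedelta(days=60)
    return {k: v.isoformat() for k, v in deadlines.items()}


def run_example() -> dict:
    """Constructed ransomware timeline for a HIPAA-regulated mid-market org."""
    t = IncidentTimeline(
        first_malicious_activity=datetime(2024, 3, 1, 2, 0, tzinfo=UTC),
        detected=datetime(2024, 3, 3, 9, 0, tzinfo=UTC),
        acknowledged=datetime(2024, 3, 3, 9, 20, tzinfo=UTC),
        contained=datetime(2024, 3, 3, 14, 0, tzinfo=UTC),
        recovered=datetime(2024, 3, 5, 18, 0, tzinfo=UTC),
    )
    priority = classify("high", "department")  # assumed: one clinic lost EHR access
    metrics = response_metrics(t)
    return {
        "priority": priority,
        "metrics": metrics,
        "sla_breaches": sla_breaches(priority, metrics),
        # Both clocks shown for illustration; a US-only covered entity would pass ("HIPAA",).
        "deadlines": notification_deadlines(t.detected, ("HIPAA", "GDPR"), 1200),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

On the constructed timeline the incident is P1, dwell time before detection is 55 hours, and both the 15-minute acknowledge and 4-hour containment targets are missed; the deadline function reports the latest permissible date for each obligation, which is the figure a playbook should print next to the "notify now" instruction rather than in place of it.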
Customization Tips
- Startup/SMB teams: Use the shared_responsibility team model; the skill collapses the role set so that one person can cover several functions
- Enterprise SOC: Request comprehensive playbooks with full escalation matrices and multiple approval chains
- Regulated industries: Specify compliance requirements upfront for automatic inclusion of notification timelines and regulatory procedures
- Multi-playbook strategy: Generate all seven playbooks and use the tabletop exercises to validate each one quarterly
Best Practices
- Review and customize the generated playbook with your actual team contacts and system names
- Conduct tabletop exercises quarterly using the included scenarios
- Update playbooks after every real incident using lessons learned
- Store playbooks in accessible, offline-available locations (not only in systems that may be compromised)
- Pair with the Incident Postmortem Generator for complete incident lifecycle coverage
Research Sources
This skill was built using research from these authoritative sources:
- NIST SP 800-61 Rev. 2 - Computer Security Incident Handling Guide: the federal standard for the incident response lifecycle, team structure, and handling procedures; the four-phase lifecycle used on this page is the Rev. 2 one, and Rev. 3 (April 2025) reorganizes the material as a CSF 2.0 Community Profile
- SANS Incident Handler's Handbook - Practitioner guide covering preparation, identification, containment, eradication, recovery, and lessons learned
- MITRE ATT&CK Framework - Adversarial tactics and techniques knowledge base for understanding attack patterns and building detection-informed playbooks
- CISA Cybersecurity Incident & Vulnerability Response Playbooks - Federal government playbook templates covering incident response and vulnerability management procedures
- ISO/IEC 27035 - Information Security Incident Management: international standard for planning, detecting, assessing, responding to, and learning from information security incidents