Security Incident Playbook Generator

Prepare for security incidents with structured response plans.

Incident Response Phases

# Security Incident Response Playbook

## Phase 1: Detection & Triage (0-15 min)

### Detection Sources

- Security alerts (CloudWatch, Sentry)
- User reports
- Anomaly detection
- Penetration test findings

### Initial Assessment

- [ ] Identify incident type
- [ ] Assess severity (P0-P3)
- [ ] Determine scope
- [ ] Alert on-call security

## Phase 2: Containment (15-60 min)

### Immediate Actions

- [ ] Isolate affected systems
- [ ] Revoke compromised credentials
- [ ] Block malicious IPs
- [ ] Enable enhanced monitoring

### Evidence Preservation

- [ ] Capture logs
- [ ] Take system snapshots
- [ ] Document timeline
- [ ] Preserve artifacts

## Phase 3: Eradication (1-24 hours)

- [ ] Remove malware
- [ ] Close vulnerabilities
- [ ] Reset passwords
- [ ] Update firewall rules

## Phase 4: Recovery (24-72 hours)

- [ ] Restore from backup
- [ ] Verify system integrity
- [ ] Resume operations
- [ ] Monitor for reinfection

## Phase 5: Post-Incident (1 week)

- [ ] Document lessons learned
- [ ] Update procedures
- [ ] Security training
- [ ] Notify affected users (if required)

Output Checklist

• Response phases defined
• Containment procedures
• Communication templates
• Evidence collection rules
• Post-incident review ENDFILE