An incident response (IR) playbook is the written plan your team executes when things go wrong. Not the feature of a tool, not an idea, not a slide deck — a concrete document that says “when X happens, do Y, then Z, with owner A accountable.” This module covers playbook structure, the core playbooks every organisation should have, and how to make them actually useful.

Why written playbooks matter

At 2am during a real incident, people forget. Pressure degrades decision-making. Playbooks compensate: follow the script, don’t re-derive the workflow under stress. Also: onboarding (new staff know the process), auditing (demonstrable), and legal (defensible).

Playbook structure

Scope — what incident type this covers
Roles — who does what (Incident Commander, Scribe, Comms, Technical Lead, Executive Sponsor)
Trigger — what activates this playbook
Initial response checklist — first 30 minutes
Investigation steps — scope, impact, root cause
Containment — stop the bleeding
Eradication — remove attacker foothold
Recovery — restore to clean state
Communication — who’s notified, when, by whom, with what message
Lessons learned — post-incident review process
Evidence handling — chain of custody, storage
External contacts — law enforcement, regulator, DPA, cyber-insurance

Core playbooks to build first

Ransomware — the one most organisations face
Data breach / exfiltration — with DPDP notification obligations (if India)
Phishing / credential compromise — common, lower-severity but frequent
DDoS — operational response
Insider threat — HR-involved, legal-heavy
Third-party / supply-chain breach — cascading compromise

Sample structure — Ransomware playbook

# RANSOMWARE RESPONSE PLAYBOOK

## Trigger
User reports files can't open, ransom note visible, EDR alert on ransomware TTPs,
unusual encryption activity on file servers.

## Roles (auto-assigned based on rota)
- Incident Commander: [name] / backup: [name]
- Scribe: designated
- Technical Lead: CTO or delegated
- Communications: CEO signs off external
- Legal: [firm] / [contact]

## T+0 to T+30 min — Contain
[ ] IC acknowledges alert; opens incident channel (Slack/Teams)
[ ] Isolate affected systems from network (but DON'T power off — lose memory)
[ ] Disable VPN access for affected users
[ ] Rotate credentials of any potentially compromised accounts
[ ] Preserve encrypted files samples for analysis
[ ] Begin log collection from affected systems
[ ] Notify CEO, Legal, Insurance contact (insurance clock starts now)
[ ] Do NOT pay ransom; do NOT communicate with attackers yet

## T+30 min to T+2 hrs — Scope
[ ] Forensics team begins memory + disk acquisition
[ ] Identify initial access vector (phishing? RDP? supply chain?)
[ ] Enumerate affected systems + data
[ ] Confirm backup integrity (separate isolated copy)
[ ] Identify PII/PHI/financial data in affected scope
[ ] If Indian Data Principals affected: DPDP 72-hour clock started

## T+2 to T+24 hrs — Eradicate + Recover
[ ] Confirm attacker removed from environment
[ ] Restore from clean backups (verified-clean, not infected)
[ ] Rotate ALL credentials (assume worst case)
[ ] Patch initial access vector
[ ] Re-enable services progressively with enhanced monitoring

## T+24 to T+72 hrs — Notify + Document
[ ] DPDP notification to Board (if personal data affected)
[ ] Customer notifications as required
[ ] Public communication (if warranted)
[ ] Regulatory filings (RBI, SEBI, sector-specific)
[ ] Preserve all evidence for potential prosecution

## Communication templates
[ ] Internal all-hands message (template below)
[ ] Customer notification (template below)
[ ] Regulator notification (template below)
[ ] Press statement (legal-reviewed template below)

## External contacts
- Cyber insurance: [policy number, hotline]
- Incident response retainer: [firm, 24/7]
- Law enforcement: CERT-In (cybersecurity incidents in India)
- Data Protection Board: [process for DPDP breach notification]
- Outside counsel: [firm, contact]

## Evidence handling
- Memory dumps: SHA-256 hashed, AWS S3 with Object Lock, retained 7 years
- Logs: centralized SIEM, separate archive bucket
- Photos: timestamped, annotated

Tabletop exercises

Playbooks only work if the team has rehearsed. Tabletop exercises walk through a simulated incident — 2-3 hours, full team present, facilitator introduces new information every 15 min, team works through the playbook. Surfaces gaps in process, capability, or alignment.

Run at minimum annually; quarterly for mature orgs
Different scenarios each time (ransomware, insider, vendor breach, DDoS)
Include executives in at least one per year — builds muscle memory for crisis comms
Debrief in detail: update playbooks with findings

External relationships — build BEFORE incident

Cyber insurance — know your policy, retainer, hotline
IR retainer — Mandiant, CrowdStrike, local firms; 24/7 availability, pre-signed engagement letter
Outside counsel — especially for breach notification legal questions
CERT-In / sector CERT — report obligations
DPDP notification channel — process pre-identified
Peer CISOs — informal threat-sharing networks

Calling your insurance broker for the first time DURING an incident = delayed response. Build relationships in quiet times.

Common pitfalls

Playbook is aspirational, not practical — never tested
Individuals have private knowledge; playbook doesn’t capture it (bus factor)
Playbooks grow stale — review annually at minimum
Tabletops skipped — playbook fails first real incident
No external relationships — scramble during actual incident
No post-incident review — same mistakes repeat

Quick reference summary

Playbook = concrete written plan; name, action, owner per step
Structure: scope, roles, trigger, initial checklist, investigation, containment, eradication, recovery, communication, lessons learned
Core playbooks: ransomware, data breach, phishing, DDoS, insider, third-party breach
DPDP: 72-hour Board notification for personal data breaches
Tabletop exercises annually + quarterly for maturity
Build external relationships (insurance, IR retainer, counsel) BEFORE incidents
Post-incident review + playbook update is mandatory

🧠

Check your understanding

Module Quiz · 20 questions

Pass with 70%+ to mark this module complete. Unlimited retries. Each question shows an explanation.

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 50% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

Module 8 · Incident Response Playbook 🔒