AS-201c · Module 2
The Incident Response Playbook
4 min read
This is the part most people skip. This is the part that matters.
An incident response playbook is a pre-written, step-by-step procedure that tells your team exactly what to do when a specific type of incident occurs. You write it before the incident, when you are calm and thinking clearly. You follow it during the incident, when you are stressed and thinking reactively. The playbook is the difference between a coordinated response and a panicked improvisation.
- Phase 1: Detection and Triage (0-15 minutes). Alert received. On-call engineer validates the alert — is it real or a false positive? If real, classify severity. Assign an incident commander. Open the incident communication channel. Start the incident log. The first fifteen minutes set the tone for the entire response.
- Phase 2: Containment (15-60 minutes). Apply the containment level matching the severity. Rotate affected credentials. Preserve logs and system state for forensics. Notify stakeholders per the communication plan. The goal is to stop the active threat, not to understand it yet.
- Phase 3: Investigation (1-24 hours). Reconstruct the attack chain from logs. Determine the entry point, the exploitation method, and the extent of compromise. Identify what data was accessed, exfiltrated, or modified. Determine whether the threat is contained or still active. Document everything in the incident log.
- Phase 4: Remediation (1-7 days). Fix the vulnerability that was exploited. Update defenses — input filters, output guardrails, system prompt, access controls. Verify the fix by red-teaming the specific attack vector. Restore the system to full operation with the new defenses in place.
- Phase 5: Post-Incident Review (within 1 week). Conduct a blameless retrospective. What happened? Why did it happen? Why did the defenses not prevent it? What changes will prevent recurrence? Document the findings and update the playbook, monitoring rules, and defense layers. The review is where incidents become institutional learning.
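The five phases above as a small runnable playbook tracker, added here as an illustration and not part of the course material: it enforces phase order, keeps the incident log, flags any action logged past its phase's time budget, and derives the containment level from the recorded severity. The checklist item names, the severity-to-containment matrix, and treating each time budget as cumulative from alert receipt are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Phase order, checklist items that must be logged before a phase closes, and time budget (assumed cumulative from alert receipt).
PHASES = [
    ("detection_triage", timedelta(minutes=15), {"validate_alert", "classify_severity", "assign_commander", "open_channel"}),
    ("containment", timedelta(minutes=60), {"apply_containment", "rotate_credentials", "preserve_forensics", "notify_stakeholders"}),
    ("investigation", timedelta(hours=24), {"reconstruct_attack_chain", "scope_data_impact", "confirm_contained"}),
    ("remediation", timedelta(days=7), {"fix_vulnerability", "update_defenses", "red_team_verify", "restore_service"}),
    ("post_incident_review", timedelta(days=14), {"blameless_retro", "update_playbook"}),
]
# Assumed severity-to-containment matrix; the playbook only says the level must match the severity.
CONTAINMENT_LEVEL = {"low": "monitor", "medium": "rate_limit", "high": "disable_feature", "critical": "take_offline"}

@dataclass
class Incident:
    opened_at: datetime                      # alert receipt; every deadline counts from here
    severity: str = "unclassified"
    phase_idx: int = 0
    log: list = field(default_factory=list)  # entries: (timestamp, phase, action, note, overdue)

    def done_in_phase(self):
        return {a for (_, p, a, _, _) in self.log if p == PHASES[self.phase_idx][0]}

    def record(self, action, at, note=""):   # log one checklist action; reject actions from another phase
        name, budget, required = PHASES[self.phase_idx]
        if action not in required:
            raise ValueError(f"{action!r} is not a {name} action; still open: {sorted(required - self.done_in_phase())}")
        overdue = at > self.opened_at + budget     # flag lateness, never block: late evidence is still evidence
        if action == "classify_severity":
            self.severity = note
        if action == "apply_containment":          # containment level is derived from the recorded severity
            note = CONTAINMENT_LEVEL.get(self.severity, "unknown-severity")
        self.log.append((at, name, action, note, overdue))
        if required <= self.done_in_phase() and self.phase_idx < len(PHASES) - 1:
            self.phase_idx += 1                    # checklist complete: advance to the next phase
        return overdue

    def overdue_actions(self):
        return [a for (_, _, a, _, late) in self.log if late]

def example_run():  # constructed timeline: triage on time, credential rotation 30 minutes past the containment budget
    t0 = datetime(2024, 1, 1, 9, 0)
    inc = Incident(opened_at=t0)
    inc.record("validate_alert", t0 + timedelta(minutes=3), "true positive")
    inc.record("classify_severity", t0 + timedelta(minutes=5), "high")
    inc.record("assign_commander", t0 + timedelta(minutes=6))
    inc.record("open_channel", t0 + timedelta(minutes=8))
    inc.record("apply_containment", t0 + timedelta(minutes=20))
    inc.record("rotate_credentials", t0 + timedelta(minutes=90))
    return inc
```

In the constructed run the tracker has moved to containment, mapped the "high" severity to its containment level, and lists only the late credential rotation as overdue, which is exactly what the post-incident review should be looking at.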