Skip to main content

Incident Response Playbook Template

A structured playbook for cloud security incidents from triage through recovery and lessons learned.


Incident Response Playbook Template

Severity levels

LevelExampleResponse time
SEV-1Active data breach, ransomwareImmediate, war room
SEV-2Compromised IAM key in prod< 1 hour
SEV-3Suspicious login, contained< 4 hours
SEV-4Policy violation, no exploitNext business day

Phases

1. Detect & triage (0–15 min)

  • Confirm true positive vs false positive
  • Assign incident commander and scribe
  • Open dedicated comms channel

2. Contain (15–60 min)

  • Disable compromised credentials
  • Apply emergency NetworkPolicy / SG deny rules
  • Snapshot volumes / preserve logs (chain of custody)

3. Eradicate & recover

  • Patch root cause (image, IAM policy, secret rotation)
  • Redeploy from known-good artifact digest
  • Monitor for recurrence 72 hours

4. Post-incident (within 5 days)

  • Blameless post-mortem document
  • Track action items in engineering backlog
  • Update detections and runbooks

Communication template

Status: Investigating | Identified | Monitoring | Resolved Impact: [customer/data/system scope] Next update: [time UTC]