Comprehensive Cybersecurity Incident Response Playbook Generator
Generate detailed, actionable incident response playbooks tailored to specific threat types and organizational contexts in minutes.
You are an elite cybersecurity incident response consultant with 20+ years of experience in digital forensics, crisis management, and enterprise security architecture. Create a comprehensive, enterprise-grade Incident Response Playbook using the following parameters:

**INCIDENT TYPE:** [INCIDENT_TYPE]
**SEVERITY CLASSIFICATION:** [SEVERITY_LEVEL]
**ORGANIZATIONAL CONTEXT:** [ORGANIZATION_CONTEXT]
**REGULATORY FRAMEWORKS:** [COMPLIANCE_FRAMEWORKS]
**INCIDENT RESPONSE TEAM STRUCTURE:** [TEAM_STRUCTURE]
**TARGET AUDIENCE TECHNICAL LEVEL:** [TECHNICAL_LEVEL]

Your playbook must strictly follow the NIST SP 800-61r2 Computer Security Incident Handling Guide framework and include the following sections:

## 1. EXECUTIVE OVERVIEW
- Precise incident definition and scope boundaries
- Business impact assessment matrix (financial, reputational, operational)
- Playbook activation triggers and authority delegation
- Estimated response timelines per severity level

## 2. PREPARATION & READINESS
- Required tools, licenses, and access credentials
- Pre-staged communication templates (internal, customer, regulatory, media)
- Contact trees with primary/alternate contacts (legal, PR, executives, external IR firms)
- Evidence preservation kit requirements and chain-of-custody procedures (who handled each item, when, and the hash recorded at every hand-off)
- War room/virtual collaboration space setup instructions

## 3. DETECTION & INITIAL ANALYSIS
- Specific IOCs (Indicators of Compromise) and IOAs (Indicators of Attack) to monitor
- Critical log sources to prioritize (SIEM queries, EDR telemetry, network flows)
- Initial triage questionnaire (first 15 minutes)
- Severity escalation matrix with quantitative thresholds
- Evidence acquisition and forensic imaging procedures (hash every image at acquisition and re-verify the hash before analysis)

## 4. CONTAINMENT STRATEGIES
- **Immediate Containment (0-1 hour):** Network isolation steps, account disablement procedures, critical system protection
- **Short-term Containment (1-4 hours):** Segment-specific actions, evidence preservation while maintaining business continuity
- **Long-term Containment (4-24 hours):** System hardening, temporary fixes, monitoring enhancement
- Decision trees for: system shutdown vs. continued monitoring; cloud instance suspension vs. snapshot preservation (volatile memory is lost on shutdown or stop, so capture memory and disk snapshots before any power-state change)

## 5. ERADICATION PROCEDURES
- Step-by-step malware removal processes specific to [INCIDENT_TYPE]
- Vulnerability patching priorities and change management integration
- Credential reset protocols (scope: admin, service accounts, user base)
- Backdoor and persistence mechanism elimination verification steps
- Third-party/vendor notification requirements if supply chain related

## 6. RECOVERY PROTOCOLS
- System restoration from clean backups (verification steps included)
- Phased return-to-production schedule with rollback criteria
- Enhanced monitoring configuration post-recovery
- User access restoration procedures with MFA enforcement verification
- Business function validation testing criteria

## 7. COMMUNICATION MANAGEMENT
- Internal escalation matrix (15-minute, 1-hour, 4-hour, 24-hour notification requirements)
- External stakeholder notification templates customized for [COMPLIANCE_FRAMEWORKS]
- Regulatory breach notification timeline calculators (e.g., 72 hours from awareness under GDPR Art. 33, 60 calendar days from discovery under the HIPAA Breach Notification Rule)
- Law enforcement engagement guidelines (FBI, Secret Service, local authorities)
- Customer communication scripts (transparent but legally vetted)

## 8. POST-INCIDENT ACTIVITIES
- Forensic evidence retention schedule per legal hold requirements
- Comprehensive lessons learned template (what worked, what failed, time-to-contain metrics)
- Playbook update triggers and version control procedures
- Security control gap analysis and budget justification for improvements
- Team psychological debriefing resources (critical for severe incidents)

## 9. TECHNICAL APPENDICES
- Command reference sheets (PowerShell, Bash, AWS CLI, Azure CLI) tailored to [ORGANIZATION_CONTEXT]
- ASCII/text-based decision flowcharts for high-pressure scenarios
- Regulatory reporting form templates
- SLA definitions for external service providers

**FORMATTING REQUIREMENTS:**
- Use markdown with clear hierarchical headers
- Include checkboxes `[ ]` for all actionable items to enable printing/tracking
- Create tables for timeline comparisons and responsibility matrices (RACI)
- Use callout blocks (`> **CRITICAL:**`) for time-sensitive actions
- Include placeholder brackets [NAME] for organization-specific details that must be filled in later

**TONE AND STYLE:**
- Professional, imperative, and unambiguous
- Assume a [TECHNICAL_LEVEL] audience (adjust technical depth accordingly)
- Prioritize clarity over brevity: this is a crisis document, not a summary
- Include "GO/NO-GO" decision criteria at critical junctures

Generate the complete playbook now, ensuring all procedures are actionable without external research during a crisis.
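The prompt asks for chain-of-custody procedures (section 2) and evidence acquisition with forensic imaging (section 3) but does not show what "verifiable custody" looks like in practice. The following is an added example, not part of the prompt or of any generated playbook: it hashes an evidence item at acquisition, keeps an append-only custody log in which each entry commits to the hash of the previous entry, and shows that both tampering with the item and editing a past log entry are detected. The case identifier, file name, actor names and the sample image bytes are constructed placeholders.

```python
"""Evidence acquisition record with a hash-chained chain-of-custody log.

Added example (not from the prompt above). Field names, the case id, the
actor names and the sample "image" are constructed for illustration; adapt
them to [ORGANIZATION_CONTEXT].
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# md5 is kept only to cross-check against legacy imaging tools; sha256 is the
# value that matters for integrity.
HASH_ALGOS = ("md5", "sha256")
GENESIS = "0" * 64  # "previous hash" of the first entry


def hash_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream the file so multi-GB images do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only log; every entry commits to the previous entry's hash."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries: list[dict] = []

    def append(self, action: str, actor: str, **fields) -> dict:
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
            **fields,
        }
        entry["entry_hash"] = _entry_hash(entry)  # hash covers everything above
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash and check each 'prev' link."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev"] != prev or _entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(log: CustodyLog, source: str, actor: str) -> dict:
    """Record hashes at acquisition time; they are the baseline for all later checks."""
    digests = {a: hash_file(source, a) for a in HASH_ALGOS}
    return log.append("acquired", actor, item=os.path.basename(source),
                      size=os.path.getsize(source), **digests)


def verify_item(log: CustodyLog, path: str, actor: str) -> bool:
    """Re-hash the item, compare with the acquisition entry, and log the outcome."""
    name = os.path.basename(path)
    base = next(e for e in log.entries if e["action"] == "acquired" and e["item"] == name)
    ok = all(hash_file(path, a) == base[a] for a in HASH_ALGOS)
    log.append("verified" if ok else "INTEGRITY_FAILURE", actor, item=name)
    return ok


def demo() -> dict:
    """Constructed scenario: acquire, transfer, verify, then tamper with item and log."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "ws-042.E01")  # constructed sample, not a real image
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample image")
        log = CustodyLog("IR-2024-0001")  # placeholder case id
        acquire(log, img, actor="analyst.a")
        log.append("transferred", "analyst.a", to="evidence.locker", item="ws-042.E01")
        clean = verify_item(log, img, actor="analyst.b")
        with open(img, "ab") as f:  # simulate tampering after transfer
            f.write(b"!")
        tampered = verify_item(log, img, actor="analyst.b")
        chain_ok = log.verify_chain()
        log.entries[1]["to"] = "someone.else"  # simulate rewriting a past entry
        chain_after_edit = log.verify_chain()
    return {"clean": clean, "tampered": tampered,
            "chain_ok": chain_ok, "chain_after_edit": chain_after_edit}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the scenario, `clean` is true, `tampered` is false (the appended byte changes both digests), the chain verifies while it is untouched, and fails once an earlier entry is edited because that entry's recomputed hash no longer matches what the next entry committed to. In a real deployment the log would be written to write-once storage or countersigned, since a hash chain alone only proves consistency, not who wrote it.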
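Sections 3 and 7 of the prompt ask for a severity escalation matrix and for regulatory notification timeline calculators, and section 7 fixes the internal tiers at 15 minutes, 1 hour, 4 hours and 24 hours. The following added example (not part of the prompt or of any generated playbook) merges those internal tiers with the statutory outer limits into one ordered clock and reports what is done, overdue or due soon at a given moment. The tier recipients are placeholders. The regulatory limits are the ones the prompt cites, stated precisely: GDPR Art. 33 allows 72 hours from when the controller becomes aware; the HIPAA Breach Notification Rule (45 CFR 164.404) allows no more than 60 calendar days from discovery. Which timestamp counts as "aware" or "discovery" is a legal determination, so the value passed in must come from counsel.

```python
"""Breach-notification clock: internal escalation tiers plus regulatory
outer limits, with overdue reporting.

Added example, not from the prompt above. Tier recipients are placeholders;
the regulatory entries are statutory maximums, not targets, and the
awareness timestamp must be the one counsel has agreed on.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Internal matrix from the prompt (15 min / 1 h / 4 h / 24 h); recipients assumed.
INTERNAL_TIERS = {
    "SOC lead paged": timedelta(minutes=15),
    "IR manager and CISO briefed": timedelta(hours=1),
    "Legal, PR and executives briefed": timedelta(hours=4),
    "Board and cyber insurer notified": timedelta(hours=24),
}

# Regulatory outer limits; add state, sector or contractual clocks here.
REGULATORY_LIMITS = {
    "GDPR": ("supervisory authority (Art. 33)", timedelta(hours=72)),
    "HIPAA": ("affected individuals (45 CFR 164.404)", timedelta(days=60)),
}

DUE_SOON = timedelta(hours=4)  # warning window, an assumption


@dataclass(frozen=True)
class Deadline:
    label: str
    due: datetime
    source: str  # "internal" or the framework name


def build_timeline(aware_at: datetime, frameworks) -> list[Deadline]:
    """Return every deadline, soonest first, counted from the awareness time."""
    if aware_at.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware (use UTC)")
    items = [Deadline(lbl, aware_at + d, "internal") for lbl, d in INTERNAL_TIERS.items()]
    for fw in frameworks:
        if fw not in REGULATORY_LIMITS:
            # Fail loudly: a framework with no clock configured must not vanish silently.
            raise KeyError(f"no notification rule configured for {fw}")
        who, limit = REGULATORY_LIMITS[fw]
        items.append(Deadline(f"{fw}: notify {who}", aware_at + limit, fw))
    return sorted(items, key=lambda d: d.due)


def clock_status(timeline, now: datetime, completed=()) -> list[tuple[str, str, timedelta]]:
    """Classify each deadline as DONE, OVERDUE, DUE_SOON or OPEN relative to now."""
    rows = []
    for d in timeline:
        remaining = d.due - now
        if d.label in completed:
            state = "DONE"
        elif remaining <= timedelta(0):
            state = "OVERDUE"
        elif remaining <= DUE_SOON:
            state = "DUE_SOON"
        else:
            state = "OPEN"
        rows.append((d.label, state, remaining))
    return rows


def demo():
    """Constructed scenario: aware at 09:00 UTC, status checked 70 hours later."""
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    timeline = build_timeline(aware, ["GDPR", "HIPAA"])
    return clock_status(timeline, aware + timedelta(hours=70), completed={"SOC lead paged"})


if __name__ == "__main__":
    for label, state, remaining in demo():
        print(f"{state:9} {str(remaining):>22}  {label}")
```

At the 70-hour mark in the constructed scenario the three unticked internal tiers are overdue, the GDPR notification has two hours left and is flagged DUE_SOON, and the HIPAA clock is still open. The `ValueError` on naive datetimes is deliberate: a 72-hour clock computed from a local-time stamp without an offset is the kind of error that only surfaces in the regulator's response.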
More Like This
Advanced Multi-Platform Threat Hunting Query Generator
This prompt helps security analysts, threat hunters, and detection engineers convert vague threat scenarios and IOCs into structured, tiered query sets. It generates platform-specific syntax with performance optimization, false positive handling, and investigation playbooks to accelerate proactive threat detection.
AI ISO 27001 Internal Audit Report Generator
This prompt template enables security professionals and compliance officers to rapidly produce detailed ISO 27001 internal audit reports. It structures findings by control domains, assesses compliance maturity, identifies gaps with risk ratings, and generates prioritized remediation roadmaps aligned with Annex A controls.
AI Purple Team Scenario Creator
This prompt helps security professionals design sophisticated purple team scenarios that bridge offensive and defensive operations. It creates structured attack simulations complete with adversary tactics, defensive playbooks, and collaborative learning objectives. Use this to build tabletop exercises, live fire drills, or continuous validation programs that measurably improve security posture.