Use this when an organization needs a security incident response plan before an incident happens, or when a security incident has occurred and the response needs structure. Covers the full lifecycle: detection, containment, eradication, recovery, and lessons learned.
Related skills: Use
/crisis-comms-playbookfor communication framework during security scenarios. Use/incident-postmortemfor blameless post-incident review. Use/stakeholder-commsfor breach notification drafting. Use/compliance-mapfor regulatory notification requirements.
Process
Step 1: Gather organization context
Collect the following from the user:
- Team structure -- who is on-call, who has production access, who has authority to take systems offline
- Systems in scope -- production services, data stores, infrastructure, third-party integrations
- Existing monitoring and alerting -- SIEM, log aggregation, intrusion detection, uptime monitoring
- Regulatory requirements -- GDPR (72-hour notification), state breach notification laws, PCI-DSS, HIPAA, industry-specific mandates
- Communication channels -- incident Slack channel, phone tree, video bridge, out-of-band communication (if primary channels are compromised)
- Legal counsel contacts -- internal counsel, external breach counsel, cyber insurance carrier
- Existing incident history -- past incidents, what worked, what didn't
Step 2: Define incident severity levels
Build a classification matrix specific to security events:
| Severity | Criteria | Examples | Response Time | Escalation |
|---|---|---|---|---|
| Critical (S1) | Active data breach, ransomware, complete system compromise | Customer PII exfiltrated, ransomware encrypting production, root access compromised | Immediate -- all hands | CEO, Legal, Board (if applicable) |
| High (S2) | Unauthorized access detected, credential compromise, active exploitation | Admin credentials leaked, lateral movement detected, zero-day exploitation | < 1 hour | VP Engineering, CISO, Legal |
| Medium (S3) | Suspicious activity, policy violation, contained compromise | Anomalous access patterns, unauthorized configuration change, phishing success (contained) | < 4 hours | Security team lead, Engineering manager |
| Low (S4) | Failed attack attempt, minor policy deviation | Blocked brute force, policy exception request, low-severity vulnerability discovered | Next business day | Security team |
Step 3: Build response playbooks per incident type
For each incident type, produce a step-by-step playbook. Each playbook follows this structure:
Incident types to cover: data breach, unauthorized access, malware/ransomware, DDoS, insider threat, supply chain compromise.
Playbook template per type:
## {{incident_type}} Playbook
### Detection triggers
- {{specific_alert_or_signal_1}}
- {{specific_alert_or_signal_2}}
### Immediate containment (first 30 minutes)
1. {{containment_step_1}}
2. {{containment_step_2}}
3. {{containment_step_3}}
### Evidence preservation
- [ ] {{evidence_item_1}}
- [ ] {{evidence_item_2}}
### Communication protocol
- Notify: {{role}} via {{channel}} within {{timeframe}}
- Do NOT: {{action_to_avoid}}
### Escalation path
- If {{condition}}, escalate to {{role}}
### Eradication steps
1. {{eradication_step}}
### Recovery steps
1. {{recovery_step}}
### Regulatory notification required?
- {{framework}}: {{requirement_and_deadline}}
Playbooks must be usable under stress. Clear numbered steps, not dense paragraphs. Someone reading this at 2 AM during an active breach should be able to follow it.
Step 4: Map roles and responsibilities
Define the incident response team with clear ownership:
| Role | Responsibility | Backup | Activation Method |
|---|---|---|---|
| Incident Commander | Owns the response, makes containment decisions, controls communication cadence | {{backup_name}} | {{pager/phone/slack}} |
| Technical Lead | Leads investigation, directs containment and eradication | {{backup_name}} | {{method}} |
| Communications Lead | Manages internal and external messaging, coordinates with PR | {{backup_name}} | {{method}} |
| Legal Counsel | Advises on notification obligations, evidence preservation, liability | {{backup_name}} | {{method}} |
| Executive Sponsor | Authorizes business-impacting decisions (taking revenue systems offline) | {{backup_name}} | {{method}} |
Define who activates the plan and how: war room channel creation, bridge line, physical assembly point.
Step 5: Generate notification timeline templates
Build notification sequences aligned with regulatory deadlines:
Internal notifications:
- T+0: Incident Commander notified, activates response team
- T+15min: Technical Lead confirms severity classification
- T+1hr: Executive Sponsor briefed (S1/S2 only)
- T+4hr: Legal Counsel briefed with preliminary scope
External notifications (if required):
- T+24hr: Regulatory body preliminary notification (where required)
- T+48hr: Customer notification draft reviewed by Legal
- T+72hr: GDPR supervisory authority notification deadline
- T+varies: State breach notification deadlines (range from 30-90 days)
Public communication (if required):
- Only after Legal and Communications Lead approve
- Template: acknowledge the incident, state what's known, describe actions taken, provide contact for affected parties
Step 6: Evidence preservation procedures
Before any remediation that might destroy evidence, capture:
- System logs (application, authentication, network, firewall) -- export and hash
- Memory dumps from affected systems
- Network packet captures from the incident timeframe
- Access records (who accessed what, when, from where)
- Malware samples (if applicable) -- isolate, do not delete
- Screenshots of attacker activity (if visible)
- Chain of custody documentation -- who collected what, when, how it was stored
Store evidence in a separate, access-controlled location. Document the chain of custody. If law enforcement involvement is possible, do not modify evidence.
Step 7: Post-incident process
After the incident is resolved:
- Immediate (within 48 hours): Hand off to
/incident-postmortemfor blameless review - Within 1 week: Complete regulatory reporting if required
- Within 2 weeks: Customer follow-up with remediation details
- Within 30 days: Insurance notification and claims process (if cyber insurance exists)
- Ongoing: Track remediation items from postmortem to completion
Step 8: Review
Ask the user:
- Does the team have prior incident response experience?
- Are there legal requirements we haven't addressed?
- Who is the designated Incident Commander, and do they know?
- Does cyber insurance exist, and what are its notification requirements?
- Is there an out-of-band communication plan if primary channels (email, Slack) are compromised?
- Has the plan been tested with a tabletop exercise?
Output location
Deliver as a markdown document. Suggested filename: incident-response-plan-{{org-name}}-{{date}}.md. This document should live somewhere the on-call team can access during an incident -- not buried in a wiki nobody checks.
Example Output
Input
- Organization: Meridian Health Analytics — 280-person Series C healthtech company processing PHI for 140 hospital clients across 23 states
- Systems in scope: AWS production environment (ECS/RDS/S3), Snowflake data warehouse containing de-identified patient datasets, Salesforce CRM, Auth0 for customer SSO, PagerDuty + Datadog for monitoring, no SIEM currently deployed
- Regulatory requirements: HIPAA (BAAs in place with all 140 clients), GDPR (3 EU-based hospital clients), California CMIA, Texas Health & Safety Code breach notification
- Team structure: 4-person security team (1 CISO, 2 security engineers, 1 GRC analyst), 12-person platform engineering on-call rotation, VP Engineering, General Counsel (internal), external breach counsel on retainer at Covington & Burling, cyber insurance through Chubb (policy #CHB-449821)
- Incident history: One prior S3 misconfiguration in 2022 (no PHI exposed), response was disorganized — no designated IC, engineers modified systems before evidence was preserved
Incident Response Plan — Meridian Health Analytics
Version 1.0 | Prepared: 2025-01-15
Filename: incident-response-plan-meridian-health-analytics-2025-01-15.md
Access: Pin in #security-incidents Slack channel + PagerDuty runbook library
⚠️ If you are reading this during an active incident: Go directly to the relevant playbook in Section 3. Do not read this document linearly. Preserve evidence before remediating anything.
Section 1: Severity Classification Matrix
| Severity | Criteria | Meridian-Specific Examples | Response Time | Initial Escalation |
|---|---|---|---|---|
| Critical (S1) | Active PHI exfiltration, ransomware, complete production compromise | Snowflake data warehouse accessed by unauthorized party, ransomware in ECS cluster, RDS backup exfiltrated to external storage | Immediate — all hands | CISO, VP Engineering, General Counsel, CEO within 15 min |
| High (S2) | Unauthorized access confirmed, credential compromise, active lateral movement | Auth0 admin credentials in breach dump, engineer IAM keys exposed on GitHub, anomalous cross-account AWS API calls | < 1 hour | CISO, VP Engineering, General Counsel |
| Medium (S3) | Suspicious activity, contained policy violation, phishing success with no lateral movement | Employee clicked phishing link (machine isolated), unauthorized config change in non-PHI environment, failed privilege escalation attempt | < 4 hours | CISO, Security team lead |
| Low (S4) | Failed attacks, minor deviations, low-severity findings | Blocked SSH brute force, port scan from known scanner, low-severity CVE in non-internet-facing service | Next business day | Security team |
PHI involvement automatically escalates any incident one severity level.
Section 2: Incident Response Team
| Role | Primary | Backup | Activation |
|---|---|---|---|
| Incident Commander | CISO (Renata Osei) | VP Engineering (David Chun) | PagerDuty P1 alert + direct cell |
| Technical Lead | Senior Security Engineer (on-call rotation) | Platform Engineering on-call | PagerDuty escalation policy SEC-ONCALL |
| Communications Lead | VP Marketing (Sara Fielding) | General Counsel | Slack DM + cell (S1/S2 only) |
| Legal Counsel — Internal | General Counsel (Marcus Webb) | Outside: Covington & Burling breach line | Direct cell for S1/S2; email for S3 |
| Legal Counsel — External | Covington & Burling (breach hotline: 202-662-XXXX) | — | IC authorizes contact; S1 PHI breaches always engaged |
| Executive Sponsor | CEO (Priya Nambiar) | COO | IC calls directly; do not Slack for S1 |
| Insurance Liaison | GRC Analyst (Tom Rickard) | General Counsel | Notified within 24hr of S1/S2; Chubb hotline on file |
War room activation: IC creates #inc-YYYYMMDD-[short-description] in Slack and pastes this plan link. Bridge line: Zoom Personal Room (CISO). If Slack is compromised, use Signal group "MHA Incident Bridge" (pre-established).
Section 3: Response Playbooks
🔴 Playbook A: PHI Data Breach / Unauthorized Data Access
Detection triggers
- Datadog alert: Snowflake query volume > 3× baseline from single user/IP
- AWS GuardDuty: S3 GetObject spike on PHI buckets from non-application principals
- External report: client, researcher, or threat intelligence source reports Meridian data in the wild
- Auth0 log: bulk export or API calls inconsistent with normal application behavior
Immediate containment (first 30 minutes)
- Do not modify affected systems yet. Assign a dedicated engineer to evidence preservation (Step A-EP) before any remediation.
- Identify the access vector: compromised credential, misconfigured resource, or application vulnerability.
- Revoke the specific credential, API key, or session token involved — not all credentials system-wide (avoid service disruption without IC authorization).
- If Snowflake: suspend the offending user/role via
ALTER USER <name> SET DISABLED = TRUE. Do not drop the user. - If S3: apply a bucket policy deny for the offending principal; do not delete bucket logs.
- IC confirms severity classification with Technical Lead. If PHI confirmed or suspected → S1.
- IC notifies General Counsel immediately (PHI breach triggers HIPAA clock).
Evidence preservation — A-EP
- Export Snowflake query history for the past 30 days:
INFORMATION_SCHEMA.QUERY_HISTORY— save as CSV, SHA-256 hash the file - Export AWS CloudTrail logs for all PHI bucket activity (past 72 hours minimum) to a separate S3 bucket with object lock enabled
- Capture Auth0 logs for affected user(s) — full session and token history
- Screenshot Datadog anomaly charts before alert state changes
- Document: who collected each artifact, timestamp, storage location — use chain-of-custody log template (Appendix A)
- Do not terminate EC2/ECS instances until memory dump is captured if active session is suspected
Communication protocol
- Notify General Counsel via cell within 15 minutes of S1 confirmation
- Notify CEO via cell within 15 minutes — IC makes this call directly
- Do NOT post specifics about data accessed or affected clients in general Slack channels
- Do NOT notify hospital clients until Legal has reviewed scope and messaging — premature notification can cause compliance issues
- Internal status updates: IC posts to
#inc-channelevery 30 minutes during active response
Escalation path
- If any EU hospital client data involved → engage Covington immediately for GDPR supervisory authority guidance
- If law enforcement contact is anticipated → stop all remediation, call Covington first
Eradication steps
- Rotate all credentials with access to affected data stores (coordinate with Legal — do this after evidence is preserved).
- Patch or disable the vulnerability or misconfiguration that enabled access.
- Audit all IAM policies touching PHI resources for least-privilege violations.
- Confirm no persistence mechanisms (backdoor accounts, Lambda functions, scheduled queries) remain.
Recovery steps
- Re-enable affected services only after Technical Lead signs off on eradication.
- Enable enhanced logging (Snowflake audit trail, S3 access logging) if not already active.
- Monitor for 24 hours post-recovery with manual watch on anomaly dashboards.
- IC declares incident closed; hands off to postmortem process.
Regulatory notification requirements
| Framework | Trigger | Deadline | Owner |
|---|---|---|---|
| HIPAA Breach Notification Rule | Unsecured PHI accessed by unauthorized person | 60 days post-discovery to HHS; 60 days to affected individuals; immediate to Covered Entity clients (per BAA terms — check each BAA) | General Counsel + Covington |