AI Incident Response Playbook Generator
Generate a scenario-specific incident response playbook in seconds.
Sample Output (representative example, not a live API call)
Incident Overview & Classification
Incident Category (NIST SP 800-61 handling framework): Malicious Code, a ransomware variant with probable data exfiltration / double-extortion.
Estimated Severity: Critical (SEV-1). Confirmed encryption of production workloads in the primary AWS environment; ransom note observed referencing exfiltrated cardholder data and customer PII.
Blast Radius: Core banking workloads on AWS (us-east-1) impacted; Azure DR region currently unaffected but not yet validated as clean. Approximately 3,200 endpoints reachable from the initial compromised host; an estimated 18 production VMs encrypted.
Likely Threat Actor Profile: Financially motivated ransomware-as-a-service affiliate (TTPs consistent with BlackCat/ALPHV or a LockBit successor). Initial access likely via stolen VPN credentials or an unpatched edge appliance, lateral movement via a compromised service account, deployment via Group Policy.
Attack Vector Analysis: Probable kill chain: credential theft → VPN access → privilege escalation through an over-permissioned service account → reconnaissance → exfiltration to attacker-controlled S3-compatible storage → ransomware deployment outside business hours.
First 30 Minutes — Immediate Actions
| Minute | Action | Owner (Role) | Notes |
|---|---|---|---|
| 0–2 | Declare SEV-1; open incident bridge | SOC L1 / MSSP | Use out-of-band channel (Signal/phone) — assume email is compromised |
| 2–5 | Page CISO, CIO, General Counsel, CFO, Head of Comms | SOC Lead | Use 24/7 paging tree; do NOT email |
| 5–10 | Isolate encrypted hosts at network layer (do NOT power off) | Network Ops | Powering off destroys memory-resident evidence and decryption keys |
| 5–10 | Disable service accounts with confirmed attacker use, revoke their sessions, and rotate VPN credentials | IAM Lead | Block lateral movement; do not blanket-disable admin accounts yet, or responders lose access before the scope is known |
| 10–15 | Snapshot Azure DR region BEFORE any failover decision | Cloud Ops | Validate snapshots are immutable and untouched by attacker |
| 10–15 | Preserve ransom note, encrypted file samples, EDR telemetry | IR Lead / MSSP | Chain-of-custody log starts now |
| 15–20 | Engage external IR retainer firm and outside cyber counsel | General Counsel | Counsel-led investigation preserves privilege |
| 20–25 | Notify cyber insurance carrier | CFO / Risk | Policies set notice deadlines and often require carrier-approved IR vendors and counsel; late notice can jeopardize coverage |
| 25–30 | Establish executive war room; assign scribe and decision log | CISO | All decisions timestamped for regulatory record |
Do NOT: pay ransom or contact threat actor before counsel review; reboot infected machines; restore from backup until eradication is verified; communicate externally without GC sign-off; assume Azure DR is clean.
Escalation Matrix
| Severity | Internal Trigger | External Trigger | Decision Authority |
|---|---|---|---|
| SEV-1 (current) | CISO → CIO → CEO → Board Chair (within 1h) | Outside counsel, IR firm, cyber insurer, FBI/CISA | CEO with Board Chair concurrence |
| Regulatory threshold | CISO + GC joint assessment | SEC (materiality), GDPR supervisory authority, PCI acquiring bank, card brands | General Counsel approves filing content |
| Customer-facing comms | Head of Comms drafts; CMO + GC review | Media holding statement only until facts confirmed | CEO approves external statements |
| Law enforcement | CISO + GC | FBI Cyber Division, CISA, host-country authority | General Counsel |
Stakeholder Communication Templates
Board / CEO notification (internal): "At [time] today we confirmed a ransomware incident affecting core production workloads. We have isolated affected systems, engaged outside IR counsel and our retainer firm, and activated our crisis response protocol. We will provide a verified situation report within four hours and convene an emergency board call no later than 18:00."
All-hands (employees): "We are managing an active cybersecurity incident. As a precaution, certain systems will be unavailable. Please continue working through approved alternate channels. Do not discuss the incident externally or on social media. Direct all media inquiries to Corporate Communications."
Customer notification (post-confirmation): "We recently identified a cybersecurity incident affecting some of our systems. We are working with leading external experts and law enforcement to investigate. At this time we have no evidence that your account credentials have been used to access your funds. We will contact you directly if our investigation determines your personal information was affected."
Regulator (GDPR Article 33, draft): "Pursuant to Article 33 GDPR we are notifying the [supervisory authority] of a personal data breach of which we became aware on [date/time]. The breach involves [categories of data and approximate number of data subjects and records]. Our Data Protection Officer can be contacted at [contact details]. Containment measures are in progress; the likely consequences and further details will be provided in phases without undue further delay, as permitted by Article 33(4). If the breach is likely to result in a high risk to data subjects, we will communicate with them under Article 34."
Media holding statement: "We are aware of a cybersecurity incident affecting some of our systems. We are working with leading external experts to investigate and resolve the matter. Protecting our customers' information is our highest priority. We will provide further updates as verified information becomes available."
Vendor / partner notification: "We have detected a cybersecurity incident in our environment. Out of an abundance of caution, we are asking you to monitor any integrations or shared accounts for unusual activity over the next 14 days and to immediately rotate any credentials shared with our environment."
Regulatory Notification Timeline
| Regulation | Notification Authority | Deadline | Required Content | Penalties for Non-Compliance |
|---|---|---|---|---|
| GDPR (Art. 33/34) | Lead EU supervisory authority; affected data subjects where the breach is likely to result in a high risk to them | 72 hours from becoming aware (phased reporting permitted under Art. 33(4)); data subjects without undue delay | Nature of breach, categories and approximate number of data subjects and records, DPO contact details, likely consequences, measures taken or proposed | Up to €10M or 2% of worldwide annual turnover, whichever is higher (Art. 83(4)) |
| SEC Cybersecurity Disclosure (Form 8-K Item 1.05) | SEC via Form 8-K | 4 business days after the registrant determines the incident is material; that determination must be made without unreasonable delay (delay permitted only if the U.S. Attorney General finds disclosure would pose a substantial risk to national security or public safety) | Material aspects of nature, scope and timing; material or reasonably likely impact on financial condition and operations; updates via 8-K/A | Enforcement action, civil penalties, shareholder litigation |
| PCI DSS (contractual, via acquirer and card brands) | Acquiring bank + card brands (Visa, Mastercard, Amex, Discover) | Set by each brand's compromise program and the acquirer agreement, typically 24–72 hours from discovery; PCI DSS Req. 12.10 mandates the notification procedure but sets no deadline itself | Suspected cardholder data exposure, scope of CDE affected, containment status | Acquirer-passed fines (commonly cited at $5K–$100K per month), PFI investigation costs, increased transaction fees, loss of card-acceptance privileges |
Technical Recovery Checklist
Contain: Block C2 IPs/domains at edge firewall and DNS; disable compromised service account at IdP; segment encrypted VLANs from rest of network; suspend AWS IAM keys associated with affected workloads; revoke active SSO sessions for privileged users.
Eradicate: Run EDR sweep across all endpoints for known ransomware IoCs; rebuild domain controllers from known-clean media; rotate all privileged credentials (domain admin, service accounts, API keys, certificates); patch initial access vector (VPN appliance, edge device); validate Azure DR region is free of attacker presence before any failover.
Recover: Restore from immutable backups verified clean by both internal team and IR retainer firm; bring systems back in phased order (identity → core data → application tier → customer-facing); validate integrity via file-hash comparison; require multi-party approval (CISO + CIO) before each restore phase.
Validate: 14-day enhanced monitoring with MSSP at heightened alert thresholds; threat hunt for persistence mechanisms; review all privileged actions taken during incident; confirm no anomalous outbound data flows; only declare all-clear after IR retainer firm signs off in writing.
Recommended tooling: CrowdStrike Falcon or SentinelOne for the EDR sweep; Velociraptor for endpoint forensics; AWS GuardDuty and Microsoft Sentinel for cross-cloud telemetry; Veeam or Rubrik for immutable backup validation; Mandiant or a comparable IR firm for third-party attestation.
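The "validate integrity via file-hash comparison" step in the Recover phase, as an added example that is not part of the generated playbook or the CogNexSys tool: a Python script that builds a SHA-256 manifest from a known-good tree and checks a restored tree against it, reporting files that are missing, modified, or unexpected (the last class is where encrypted copies, ransom notes and attacker tooling surface). The manifest line format, the constructed sample trees, and the 203.0.113.7 address are assumptions for the demo.

```python
"""Verify a restored tree against a known-good SHA-256 manifest.

Added example (not part of the generated playbook): the Recover phase's
"validate integrity via file-hash comparison" step.  The manifest format
(one "<sha256>  <relative path>" line per file) and the sample trees are
assumptions for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large backup sets are never loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(manifest: dict[str, str], out_path: Path) -> None:
    out_path.write_text("".join(f"{h}  {rel}\n" for rel, h in sorted(manifest.items())))


def read_manifest(path: Path) -> dict[str, str]:
    manifest = {}
    for line in path.read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_restore(restored_root: Path, known_good: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as missing, modified or unexpected relative to the manifest.

    Unexpected files are the class to inspect first after ransomware: encrypted
    copies, dropped ransom notes and attacker tooling all land there.
    """
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(known_good) - set(actual)),
        "modified": sorted(p for p in known_good.keys() & actual.keys()
                           if known_good[p] != actual[p]),
        "unexpected": sorted(set(actual) - set(known_good)),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed golden tree, a tampered restore of it, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        golden, restored = Path(tmp, "golden"), Path(tmp, "restored")
        for root in (golden, restored):
            (root / "app").mkdir(parents=True)
            (root / "app" / "config.yml").write_text("db_host: core-db-01\n")
            (root / "app" / "ledger.db").write_bytes(b"\x00" * 4096)
            (root / "README").write_text("core banking service\n")
        manifest_path = Path(tmp, "golden.sha256")
        write_manifest(build_manifest(golden), manifest_path)

        # Constructed tampering: one edited file, one deleted, two dropped by "the attacker".
        (restored / "app" / "config.yml").write_text("db_host: 203.0.113.7\n")
        (restored / "README").unlink()
        (restored / "app" / "ledger.db.locked").write_bytes(b"\xff" * 4096)
        (restored / "RECOVER-FILES.txt").write_text("constructed sample ransom note\n")

        return verify_restore(restored, read_manifest(manifest_path))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest must be generated from the backup before the incident (or from a copy verified clean by the IR firm) and stored outside the environment being restored; a manifest produced from the restored tree itself only proves the tree agrees with itself.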
Evidence Preservation & Chain of Custody
Preserve before any system rebuild: memory captures from encrypted hosts (use FTK Imager or equivalent before powering off); full disk images of patient-zero and at least three affected systems; EDR raw telemetry for the prior 90 days; AWS CloudTrail and Azure Activity logs; VPN authentication logs; IdP sign-in logs; firewall NetFlow; email headers for any suspicious phishing precursor; the ransom note in original format with file metadata intact; samples of encrypted files for potential decryption analysis.
Maintain a chain-of-custody log (date, time, custodian, action, hash) signed by the IR Lead. All preserved evidence stored in an isolated, access-controlled location with cryptographic hashing on intake.
Do NOT: power off systems before memory capture; use compromised admin accounts to investigate; upload ransomware binaries or encrypted file samples to public sandbox services (public submissions can leak sensitive data and tip off the attacker); restore from backup before forensic imaging is complete; allow remediation work to proceed without an evidence custodian present.
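The chain-of-custody log described above (date, time, custodian, action, hash), as an added example that is not part of the generated playbook or the tool: a Python append-only JSON-lines log in which each entry stores the SHA-256 of the evidence item plus the hash of the previous entry, so that an edited entry, a broken chain, or evidence altered after intake all show up on verification. Field names, the JSON-lines layout, the custodian names, the timestamps and the sample evidence files are constructed assumptions.

```python
"""Tamper-evident chain-of-custody log (added example, not part of the playbook).

Each entry records who did what to which evidence item, the SHA-256 of the
item at that moment, and the hash of the previous entry.  verify() recomputes
every entry hash and re-hashes the evidence.  Field names, the JSON-lines
layout, custodian names, timestamps and sample evidence are assumptions.
"""
import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-GB disk and memory images are hashed safely."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    timestamp: str        # ISO 8601, UTC
    evidence_id: str      # e.g. "EV-0001" (assumed numbering scheme)
    custodian: str
    action: str           # acquired / imaged / transferred / verified
    evidence_sha256: str
    prev_hash: str
    entry_hash: str = ""  # filled in by sealed()

    def payload(self) -> str:
        """Canonical serialization of everything except the entry hash."""
        data = asdict(self)
        data.pop("entry_hash")
        return json.dumps(data, sort_keys=True, separators=(",", ":"))

    def sealed(self) -> "CustodyEntry":
        digest = hashlib.sha256(self.payload().encode()).hexdigest()
        return CustodyEntry(**{**asdict(self), "entry_hash": digest})


class CustodyLog:
    """Append-only JSON-lines file; one sealed CustodyEntry per line."""

    def __init__(self, path: Path):
        self.path = path

    def entries(self) -> list[CustodyEntry]:
        if not self.path.exists():
            return []
        lines = self.path.read_text().splitlines()
        return [CustodyEntry(**json.loads(ln)) for ln in lines if ln.strip()]

    def record(self, evidence_id: str, custodian: str, action: str,
               evidence_path: Path, when: Optional[datetime] = None) -> CustodyEntry:
        prior = self.entries()
        prev_hash = prior[-1].entry_hash if prior else GENESIS
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = CustodyEntry(stamp, evidence_id, custodian, action,
                             sha256_file(evidence_path), prev_hash).sealed()
        with self.path.open("a") as fh:
            fh.write(json.dumps(asdict(entry), sort_keys=True) + "\n")
        return entry

    def verify(self, evidence: dict[str, Path]) -> list[str]:
        """Return findings; an empty list means log and evidence check out."""
        findings, expected_prev = [], GENESIS
        for i, e in enumerate(self.entries()):
            if e.prev_hash != expected_prev:
                findings.append(f"entry {i}: broken chain (prev_hash mismatch)")
            if hashlib.sha256(e.payload().encode()).hexdigest() != e.entry_hash:
                findings.append(f"entry {i}: entry_hash mismatch (entry altered)")
            path = evidence.get(e.evidence_id)
            if path is not None and sha256_file(path) != e.evidence_sha256:
                findings.append(f"entry {i}: evidence {e.evidence_id} hash changed")
            expected_prev = e.entry_hash
        return findings


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed run: clean verification, altered evidence, then an edited log line."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        note = root / "RECOVER-FILES.txt"
        note.write_text("Your files are encrypted. (constructed sample ransom note)\n")
        image = root / "srv-db-01.mem"
        image.write_bytes(b"\x90" * 2048)
        evidence = {"EV-0001": note, "EV-0002": image}

        log = CustodyLog(root / "custody.jsonl")
        t0 = datetime(2025, 3, 14, 2, 17, tzinfo=timezone.utc)  # constructed timestamp
        log.record("EV-0001", "J. Rivera (IR Lead)", "acquired", note, t0)
        log.record("EV-0002", "J. Rivera (IR Lead)", "acquired", image, t0 + timedelta(minutes=8))
        log.record("EV-0002", "MSSP Forensics", "transferred", image, t0 + timedelta(minutes=40))
        clean = log.verify(evidence)

        image.write_bytes(b"\x90" * 2047 + b"\x00")  # evidence modified after intake
        altered_evidence = log.verify(evidence)

        lines = log.path.read_text().splitlines()     # custodian edited on entry 0
        lines[0] = lines[0].replace("J. Rivera (IR Lead)", "unknown")
        log.path.write_text("\n".join(lines) + "\n")
        edited_log = log.verify(evidence)
        return clean, altered_evidence, edited_log


if __name__ == "__main__":
    for label, findings in zip(("clean", "altered evidence", "edited log"), demo()):
        print(f"{label}: {findings or 'OK'}")
```

The chain makes tampering detectable, not impossible: anyone who can rewrite every later entry can re-seal the chain. The IR Lead's signature called for above (or recording the latest entry_hash in a ticket or e-mail outside the evidence store) is what turns detectability into accountability.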
Post-Incident Review Framework
Timeline reconstruction: Build minute-by-minute reconstruction from log correlation, EDR telemetry, and incident bridge transcript. Identify dwell time (initial access to detection) and response time (detection to containment).
Root cause analysis (5 Whys): Encrypted production → ransomware deployed → attacker had domain admin → service account over-permissioned → role review last completed 24 months ago → no quarterly access certification process.
What worked / what failed: What worked: MSSP detected encryption activity within 12 minutes; immutable backups remained untouched; IR retainer activation was smooth. What failed: VPN appliance patch was 90 days overdue; service account had standing domain admin; no out-of-band communication tree previously tested.
Lessons learned → process improvements: Quarterly privileged access certification; PAM rollout for all service accounts; 30-day max patch SLA for internet-facing infrastructure; quarterly tabletop including out-of-band comms drill.
Updated risk register entries: Elevate "ransomware impacting production" from Medium to High; add "third-party MSSP detection latency" as new risk; add "single-region cloud concentration" as accepted-but-monitored risk.
Recommended investments to prevent recurrence: Privileged Access Management platform ($400K–$800K), 24/7 internal SOC tier-2 capability ($1.2M annual), ransomware-specific tabletop with external facilitator ($75K/year), insurance policy review for cyber coverage adequacy.
30/60/90 day follow-ups: Day 30 — close all critical post-incident findings (CISO). Day 60 — complete PAM pilot for top 50 privileged accounts (IAM Lead). Day 90 — full tabletop exercise validating revised playbook with external observer (CISO + IR firm).
Executive Crisis Summary
What happened: On [date] we identified a ransomware attack that encrypted approximately 18 production systems in our primary cloud region. The attacker likely accessed our network through a known vulnerability in our remote-access platform that had not been patched.
What we did: Within 30 minutes we isolated affected systems, engaged our external incident response firm and outside cyber counsel, and notified our cyber insurance carrier. Our disaster-recovery cloud region remained unaffected. We have not paid and do not intend to pay any ransom; this position is supported by counsel and law enforcement guidance.
Impact: Customer-facing services were degraded for approximately [X] hours. No customer funds were accessed. We are still validating whether personal data was exfiltrated; current evidence is consistent with a possible data theft.
Regulatory exposure: We have notified our GDPR supervisory authority within the 72-hour window, filed an SEC Form 8-K under Item 1.05 within four business days of materiality determination, and notified our acquiring bank and the card networks under PCI DSS. We do not currently anticipate material financial penalties beyond standard PCI assessments, but this is subject to investigation findings.
Forward plan: We are accelerating our Privileged Access Management rollout, establishing a tier-2 internal SOC capability, and tightening our patch SLA for internet-facing infrastructure to 30 days. The Board will receive a 30/60/90-day progress dashboard from the CISO.
What This Demonstrates
Crisis Leadership
When a critical incident strikes, the first 30 minutes define the outcome. This tool demonstrates how CogNexSys approaches crisis response — structured, scenario-specific, and calibrated to severity. The difference between a contained incident and a catastrophe is preparation.
Regulatory Precision
Every regulation has different notification deadlines, authorities, and required content. Missing a GDPR 72-hour window or an SEC four-business-day Form 8-K deadline adds regulatory exposure on top of the incident itself. This tool demonstrates command of a regulatory landscape that most organizations scramble to understand mid-crisis.
Organizational Resilience
Incident response is not just a security function — it's an enterprise capability that spans legal, communications, operations, and the board. The playbook's post-incident review framework demonstrates how CogNexSys builds lasting resilience, not just one-time fixes.
