Incident Response Pack

We've all been there. Your SOC runs on a shared drive full of Word documents, Slack threads, and a Google Sheet that hasn't been updated since the last audit. When alert #4812 fires at 2 AM, your analysts are guessing whether to isolate the host, preserve volatile memory, or just patch the firewall. You're trying to map your response to NIST SP 800-61 ^[1], but the framework is a mountain of guidance without the scaffolding to actually execute it. Most teams treat incident response as a reactive fire drill instead of a repeatable engineering workflow. You write rules in one tool, track tickets in another, and store forensic artifacts in a cloud bucket with no access logging. When a real breach hits, that fragmentation becomes a liability.

The gap between compliance checkboxes and actual operational readiness is where incidents fester. You can check the box for "incident response plan exists," but if the plan lives in a static PDF, it's useless. Real incident response requires deterministic playbooks, automated evidence capture, and strict chain-of-custody enforcement. Without that, your team is just reacting to symptoms while the attacker owns the environment.

What Ad-Hoc Response Costs in MTTR and Audit Failures

Ignoring structured IR isn't just messy; it's expensive. Every minute spent hunting for the right containment rule or reconstructing a timeline is a minute your attacker owns the environment. The average security breach costs organizations $4.45 million, with lack of training and inadequate processes accounting for a massive chunk of that spend ^[2]. When you skip evidence preservation steps, your chain of custody breaks. Forensic data gets overwritten by routine log rotation, and your legal team has nothing to show during regulatory reviews. We've seen teams burn 40+ hours per incident just on coordination and manual log correlation instead of actual containment. That's not just lost revenue; it's eroded trust from your CISO and your customers.

The downstream effects compound quickly. Unvalidated playbooks fail silently when you try to run them against cloud environments that don't match your on-prem assumptions. Containment rules that work in iptables break when you're managing AWS Security Groups or Azure NSGs. Without schema validation, you ship broken runbooks to production, and when an incident strikes, your analysts are debugging YAML syntax instead of stopping lateral movement. You also lose the ability to measure improvement. If every incident is handled differently, you can't track mean time to detect or mean time to contain. You're flying blind, and the bill comes due during the post-incident review when leadership asks why the same vulnerability was exploited twice in six months.

A Hypothetical SOC's Three-Hour Lateral Movement

Picture a mid-sized fintech with 1,200 endpoints and a legacy monitoring stack. At 03:14, an EDR alert flags anomalous PowerShell execution on a finance workstation. The on-call analyst follows a half-complete runbook, isolates the host, but misses the fact that the attacker already pivoted to a domain controller via SMB lateral movement. Because there's no standardized evidence collection script, the analyst manually screenshots netstat and tasklist, missing critical memory artifacts that would have revealed the C2 beacon. By the time the team realizes the scope, ransomware has encrypted three file shares.

The post-incident review devolves into finger-pointing because there was no unified timeline or decision gate logging. This exact pattern plays out constantly until teams operationalize a phased lifecycle that enforces preparation, detection, containment, and post-incident review ^[3]. When you map your response to MITRE ATT&CK technique IDs from the first alert, you stop guessing and start hunting ^[4]. The NIST SP 800-61 Revision 3 update explicitly aligns these phases with modern CSF 2.0 functions, emphasizing continuous monitoring and automated response patterns ^[7].

In a properly structured workflow, the orchestrator would have triggered the evidence collector script the moment the alert fired, capturing volatile state before log rotation wiped it. The playbook validator would have caught a missing containment rule for SMB traffic before deployment. The MITRE mapping would have highlighted T1059 (Command and Scripting Interpreter) and T1486 (Data Encrypted for Impact), prompting immediate backup isolation and network segmentation. Instead of a three-hour containment window, you're looking at a 20-minute triage with full forensic preservation. You pair this with Blameless Incident Postmortem to ensure the review focuses on systemic gaps rather than individual blame, and integrate with Incident Management Pack to handle severity routing and on-call rotations without manual overhead. You also lean on Automated Crisis Management Protocols Pack to trigger cross-functional comms when the blast radius exceeds the SOC's perimeter.

What Changes Once the Framework Is Installed

Once this skill is in your repo, incident response stops being a creative writing exercise and becomes a deterministic workflow. The orchestrator maps the NIST IR lifecycle directly to agent steps, so your team knows exactly what to execute at each phase. Playbooks are validated against a strict JSON schema before they ever leave staging, catching missing MITRE mappings or broken containment rules before an incident strikes. The evidence collector script runs in under 90 seconds, grabbing processes, network sockets, open files, and journal logs into a tamper-evident bundle. Your post-incident reviews shift from blame games to structured root-cause analysis, complete with timeline reconstruction and control gap tracking.

You'll stop wrestling with inconsistent YAML structures and start shipping validated runbooks that pass CI checks. The playbook validator exits cleanly on success and returns diagnostic output on structural failures, so you never deploy a broken playbook to production. The containment rules template ships with real-world syntax for iptables, Suricata, and cloud security groups, validated for immediate deployment. You'll also want to pair this with Runbook & Playbook Pack to standardize operational runbooks across engineering and security teams, and use Disaster Recovery Playbook Pack to bridge the gap between active containment and full environment restoration. For teams pushing further into automation, Developing Autonomous Cybersecurity Agents Pack shows you how to wire these playbooks into self-healing SOC workflows without losing human oversight.

The transformation isn't about buying another tool. It's about enforcing discipline at the repository level. Every playbook must pass schema validation. Every incident must be mapped to ATT&CK techniques. Every post-incident review must track remediation actions to closure. You build a feedback loop that actually improves over time, instead of repeating the same mistakes because the documentation rotted on a shared drive.

What's in the Incident Response Pack

• skill.md — Orchestrator that maps the NIST IR lifecycle to agent workflows, explicitly referencing all templates, references, scripts, validators, and examples for phased execution.
• templates/playbook-template.yaml — Production-grade YAML playbook structure aligned with NIST SP 800-61 phases, MITRE ATT&CK technique IDs, decision trees, and evidence preservation steps.
• templates/postmortem.md — Standardized post-incident review template enforcing root-cause analysis, timeline reconstruction, control gaps, and remediation tracking.
• templates/containment-rules.yaml — Real-world network and endpoint containment rules (iptables, Suricata, cloud security groups) with syntax validated for immediate deployment.
• references/nist-sp800-61.md — Canonical extraction of NIST SP 800-61 Rev 2/3: 4-phase lifecycle, 6-step workflow, IR team roles, chain-of-custody requirements, and reporting standards.
• references/mitre-ir-mapping.md — Authoritative guidance on mapping IR actions to MITRE ATT&CK, detection engineering principles, threat hunting workflows, and response automation patterns.
• scripts/evidence-collector.sh — Executable Linux host forensics script that captures processes, network sockets, open files, journal logs, and memory pointers into a timestamped evidence bundle.
• validators/playbook-validator.sh — Schema validation script that parses the playbook YAML against the JSON schema, exits 0 on success, and exits 1 with diagnostic output on structural failures.
• validators/playbook-schema.json — JSON Schema enforcing required fields for NIST alignment, MITRE mapping, containment actions, evidence handling, and escalation contacts.
• examples/ransomware-playbook.yaml — Worked example playbook for a ransomware incident, fully populated with ATT&CK IDs (T1486, T1059), isolation steps, backup recovery procedures, and comms templates.
• examples/incident-timeline.md — Worked example demonstrating chronological reconstruction using log correlation, IOC timestamps, decision gates, and containment effectiveness analysis.

Stop Guessing, Start Containing

Your team doesn't need another dashboard. You need a validated, executable framework that enforces NIST alignment, preserves forensic evidence, and maps every action to MITRE ATT&CK. Upgrade to Pro to install the Incident Response Pack, run the schema validator against your existing playbooks, and ship your first validated runbook before the next alert fires. The attacker isn't waiting for your spreadsheet to update. Neither should you.