Incident Response Runbook Library
18 runbooks × 3 formats (54 files) — complete IR runbook library covering every major 2026 threat scenario, from ransomware multi-extortion to vishing to Magecart. ZIP delivery with Word, PDF, and Markdown versions of every runbook.
The complete IR runbook library your team can actually use during an incident — not a template to fill in someday, but 18 ready-to-execute runbooks built around 2026 threat-prioritized scenarios, each with role-specific checklists, communication templates, and regulatory notification guidance.
eSentire's 2026 Cyberthreat Landscape Report found a 389% increase year-over-year in identity-based account compromise threats. These runbooks reflect that reality — most lead with identity and access context, not just malware detection.
The 18 runbooks (2026 threat-prioritized order):
- 01 Ransomware — Multi-extortion: encryption + leak site
- 02 Business Email Compromise — Wire fraud, vendor impersonation
- 03 M365/Cloud Account Takeover — AiTM session cookie theft, MFA bypass
- 04 Credential Stuffing/Password Spray — Automated auth abuse
- 05 Malicious Insider — Data theft, sabotage, fraud
- 06 Accidental Insider — Misconfiguration, mis-sent email
- 07 Supply Chain Compromise — Third-party vendor propagation
- 08 DDoS Attack — Volumetric, L7, ransom DDoS
- 09 Data Exfiltration Response — Confirmed unauthorized data removal
- 10 Targeted Phishing — Spear-phishing against execs/finance
- 11 Vishing/Helpdesk Impersonation — Voice + Teams + email bombing combos
- 12 Infostealer Infection — Credential/cookie/wallet theft malware
- 13 Ransomware Negotiation & Payment — OFAC, insurance, law enforcement
- 14 Lost or Stolen Device — MDM wipe, breach assessment
- 15 Unauthorized Access to Sensitive Data — Discovered anomalous access
- 16 Malware (Non-Ransomware) — Trojans, RATs, cryptominers
- 17 Public-Facing Web App Compromise — Magecart, admin takeover, injection
- 18 Third-Party SaaS Breach — Your vendor breached, your data affected
Each runbook includes: 2026 threat context with specific citations, threat summary, who-it's-for section, 6 role definitions (Incident Manager / Tech Lead / Comms Lead / Legal Lead / Forensics Lead / Management), 4-tier severity matrix, 8–12 indicators of compromise, 5 NIST SP 800-61 phase checklists (50–70 action items total), 3–4 communication templates (internal, executive, external/customer), and regulatory notification checklist.
Color-coded by phase — Detection & Analysis (steel), Containment (alert red), Eradication (amber), Recovery (forest green), Post-Incident (steel) — so responders can navigate under pressure without reading every line.
ZIP contents: 18 runbooks × 3 formats (.docx, .pdf, .md) = 54 files, plus README.md catalog index with usage tiers, Word User Guide (26 pages, 14 sections), and a sample runbook (IR_01 Ransomware) in .docx and .pdf for direct preview.
Pairs directly with the Tabletop Exercise Pack — use the Tabletop Pack to practice the scenarios, use the Runbook Library to execute them.
What's included
- Complete Library (.zip) — all formats included — fully editable
- Instant download after purchase
- Free updates — re-download when we release new versions
- Practitioner License: unlimited client use (vCISO / MSP)