Incident Playbooks
Step-by-step response playbooks for every attack type. Built for SOC teams, IR leads, and security managers, ready to execute when it matters most.
When an incident hits, you don't have time to Google. These playbooks give you phase-by-phase actions, from detection through containment, eradication, recovery, and post-incident review. Every step is concrete, every role is assigned.
Free playbooks are fully accessible. Premium playbooks show the overview only; unlock all phases with SCW Premium.
Playbooks by Attack Type
Ransomware Incident Response
FREE | T1486
Step-by-step response for active ransomware attacks, from detection through containment, eradication, and recovery.
- Confirm ransomware indicators: mass file renames, ransom notes, encrypted extensions
- Identify patient zero: the first infected host, via the EDR timeline
- Determine ransomware variant using ransom note or encrypted file samples
- Check scope: how many hosts show encryption activity
- Immediately isolate infected hosts from the network (EDR network isolation or switch port disable)
- Disable compromised accounts in Active Directory
- Block C2 IPs/domains at firewall level
- Suspend automated backups to prevent encryption of backup data
- Preserve evidence: do NOT reboot infected machines
- Identify initial access vector (phishing email, RDP, VPN exploit)
- Remove persistence mechanisms (scheduled tasks, services, registry keys)
- Scan all hosts for dormant payloads using IOCs from the variant
- Reset all potentially compromised credentials (prioritize service accounts)
- Patch the vulnerability used for initial access
- Restore from clean backups (verify backup integrity before restoring)
- Rebuild compromised hosts from golden images
- Re-enable network connectivity in stages, monitoring for re-infection
- Conduct full credential rotation for affected scope
- Resume normal backup operations
- Document full timeline from initial access to containment
- Conduct lessons-learned meeting within 48 hours
- Update detection rules based on findings
- Report to relevant authorities (CISA, law enforcement, regulators)
- Communicate with affected stakeholders (customers, partners)
Phishing Response
FREE | T1566
Handle reported phishing emails, from triage through user remediation and organization-wide protection.
- Receive and triage phishing report (user report, email gateway alert, or automated detection)
- Analyze email headers: check the sender, SPF/DKIM/DMARC results, and Reply-To mismatch
- Inspect URLs without clicking (use a sandbox such as urlscan.io or ANY.RUN)
- Check attachments in sandbox environment
- Determine if email is phishing, spam, or legitimate
- Search email gateway for same message delivered to other users
- Purge/quarantine the email from all mailboxes (Exchange: Purge-Content / O365: Threat Explorer)
- Block sender domain and malicious URLs at email gateway
- If any user clicked, isolate their endpoint and force a password reset
- Check if malicious payload was downloaded or executed
- If credentials were submitted, immediately reset passwords and revoke sessions
- Revoke any OAuth tokens if consent-grant phishing
- Add malicious domains/IPs to blocklists
- Confirm all instances of the email are removed
- Verify affected users have reset credentials
- Send awareness notification to organization about the campaign
- Update email filtering rules with new indicators
- Log the incident with IOCs and timeline
- Share indicators with industry ISACs if applicable
- Consider targeted phishing training for users who clicked
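The header-analysis step of this playbook, as an added example (not part of the playbook itself): it pulls SPF/DKIM/DMARC verdicts from Authentication-Results and flags From/Reply-To/Return-Path domain mismatches. The message headers are constructed for illustration; the `example.com` domains are placeholders.

```python
# Added triage helper for the "analyze email headers" step; stdlib only.
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample of a suspicious message (not a real capture).
SAMPLE_RAW = """Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "CEO Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe@example-secure.net
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

def domain_of(addr):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from all Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts

def triage_headers(raw):
    """Return findings that argue for phishing; an empty list means no header red flags."""
    msg = message_from_string(raw)
    findings = []
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            findings.append(f"{mech}={auth.get(mech, 'missing')}")
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to mismatch: {from_dom} -> {reply_dom}")
    # Return-Path often differs for legitimate bulk mail; treat as a signal, not a verdict.
    return_dom = domain_of(msg.get("Return-Path"))
    if return_dom and return_dom != from_dom:
        findings.append(f"return-path mismatch: {from_dom} -> {return_dom}")
    return findings
```

Feed it the raw `.eml` text of a reported message; the findings list is the evidence for the phishing/spam/legitimate decision that follows.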
Business Email Compromise (BEC)
PRO (locked) | T1534
Respond to BEC attacks where an attacker compromises or impersonates an executive to redirect payments or steal data.
Unlock all 5 phases with SCW Premium
Active Lateral Movement
PRO (locked) | T1021
Respond when an attacker is actively moving between systems in your network; time-critical containment.
Unlock all 5 phases with SCW Premium
Cloud Account Compromise
PRO (locked) | T1078.004
Respond to compromised cloud accounts (AWS, Azure, GCP), from initial detection through full remediation.
Unlock all 5 phases with SCW Premium
Data Breach Response
PRO (locked) | T1048
Full response plan when sensitive data has been confirmed exfiltrated: technical, legal, and communication steps.
Unlock all 5 phases with SCW Premium
Insider Threat Investigation
PRO (locked) | T1078
Investigate and respond to suspected malicious insider activity, balancing security with legal and HR requirements.
Unlock all 5 phases with SCW Premium
DDoS Attack Response
PRO (locked) | T1498
Mitigate active DDoS attacks, from initial detection through traffic scrubbing and service restoration.
Unlock all 5 phases with SCW Premium
Respond faster. Respond smarter.
Unlock all 8 incident playbooks, with full phase-by-phase response steps your team can execute immediately.