Incident Response / Security Operations
Incident Response Runbooks & Tabletop Program
Created practical triage runbooks, severity guidance, escalation paths, and tabletop scenarios based on real operational gaps.
Problem
No standardized triage process existed for security detections. Response quality depended on who was on-call, and critical evidence was sometimes lost during initial containment.
Constraints
Small team with rotating on-call, no dedicated SOC, need for documentation that junior responders could follow under pressure.
Approach
Developed detection-specific runbooks with clear severity criteria, escalation paths, and evidence preservation steps. Introduced tabletop exercises to validate the runbooks against realistic scenarios.
Outcome
Reduced incident response time by 40%, established consistent triage quality regardless of who was on-call, and created a repeatable exercise program for continuous improvement.
Terminal
# tabletop scenario: compromised IAM credentials$ cat runbook-iam-compromise.md | head -12# IAM Credential Compromise Runbook## Severity: P1 (Critical)## First Responder Actions:1. DO NOT delete the key yet (preserve for forensics)2. Disable the access key immediately3. Export CloudTrail logs for the affected principal4. Check for unauthorized resource creation5. Page security-oncall and infra-oncall$ aws iam update-access-key --access-key-id AKIA*** --status Inactive --user-name compromised-svc# key disabled. evidence preserved. responders paged.
Tools
Key Highlights
- Detection-specific triage runbooks
- Severity matrix and escalation intake
- Monthly tabletop / fire-drill concept
- Emphasis on evidence preservation and repeatability
- Built for small-team security operations