Guide: Incident response • playbooks • tabletop drills
IR readiness in one month: a realistic plan.
Incident response becomes calm when roles, comms, and evidence are defined ahead of time. This guide gives a week-by-week plan you can run in parallel with normal engineering work.
30-day incident response readiness
A plan that produces artifacts you can use during a real incident.
Week 1: Roles, comms, and escalation
Define the people system first.
- Incident commander, communications lead, and technical leads
- Escalation contacts and decision makers
- Internal comms channels and an external comms plan (customers, vendors)
Week 2: Evidence and logging coverage
Make sure you can answer “what happened?” and “what changed?” under pressure.
- Identity logs (SSO, MFA, admin actions, user lifecycle)
- Cloud audit logs (IAM, networking, storage, key management)
- Application audit logs for sensitive workflows and admin actions
- Evidence handling: where artifacts are stored, who can access them, and how long they are retained
Week 3: Write playbooks for high-risk scenarios
Start with scenarios that are common and expensive.
- Credential compromise and session/token theft
- Cloud IAM compromise or suspicious role grants
- Ransomware and lateral movement
- Data exfiltration from storage or databases
Week 4: Tabletop drill and closure
A tabletop drill turns theory into muscle memory.
- Run one realistic scenario end-to-end (including comms and decisions).
- Capture gaps: missing logs, unclear roles, missing approval paths.
- Create a remediation backlog with owners and dates.
What a good tabletop agenda includes
- Trigger event and initial alert
- Containment decision points and tradeoffs
- Evidence to collect and where to store it
- Customer communication and legal/regulatory considerations
- Recovery steps and post-incident hardening
Want a tabletop drill facilitated?
We run realistic tabletop exercises and deliver a drill report plus a prioritized backlog. Lex supports teams in India, the USA, Europe, and Australia.