SOC & Incident Response Community Playbooks

Estimated read time 3 min read

Hey there, cybersecurity enthusiasts! We’ve got something exciting to share today. It’s called the “Incident Playbook,” and it’s being developed by the SOC/Incident Response Community. Let’s dive into what it is and why you should be interested.


What’s the Incident Playbook?

The Incident Playbook is a project aimed at creating a comprehensive catalog of Incident Response Playbooks mapped to every MITRE Attack Technique. That sounds cool, right? But there’s more.

Incident Playbook project on Github
Incident Playbook project on Github

The project plans to develop playbooks even for uncommon incidents, ensuring that we’re ready for anything the cyber world throws at us. The playbooks will be set up in JSON, making them easy to use and integrate into various systems​.

Threat hunting mindmaps
Threat hunting mindmaps

The Catalogues

Imagine having a catalog of exercise scenarios that can be used for training purposes or a catalog of tools used for incident response, complete with reviews for different tools. The Incident Playbook is promising just that. It aims to build a collection of resources that can help organizations build and improve their own incident response programs​.

Moreover, the project plans to create a Battle Card Book. It’ll be a quick-reference guide that you can turn to for immediate help during an incident. Now that’s handy!

Tying in with the MITRE ATTACK Framework

This initiative isn’t just throwing together random playbooks. They’re strategically mapping each playbook to the MITRE ATTACK tactics and techniques. This includes tactics like initial access, collection, credential access, defense evasion, persistence, exfiltration, and impact.

For each tactic, the project has already begun developing specific playbooks. For example, under ‘Initial Access,’ there are playbooks for dealing with unauthorized VPN and VDI access, drive-by compromise, and phishing. This is just the beginning, and there are many more to come​.

A Collaborative Effort

The best part about the Incident Playbook project? It’s collaborative. For every pull request submitted, an issue must also be created. You can check the list of MITRE Techniques to choose from and create a new issue or look at the list of issues that are ready to be worked on. So if you’re passionate about cybersecurity and have some ideas, you’re more than welcome to contribute​.

Future Goals

The community is always looking ahead. One of the immediate goals is to figure out how to integrate the Atomic Red Team into the project. This would bring in a whole new dimension to the playbooks, making them even more effective​.

Resources at Your Fingertips

The project is also working on creating a wiki. This will provide guidance on creating a playbook, combining techniques into one playbook, and understanding the phases of incident response. This could be a great learning resource for anyone interested in the field​.


The Incident Playbook is shaping up to be an invaluable tool for cybersecurity and threat hunting professionals. It’s leveraging the power of community collaboration and the strategic framework of MITRE ATTACK to create comprehensive incident response playbooks.

So, watch this space. Better yet, get involved:

  • Project on Github (Link)
  • Project Hunting Mindmaps on Github (Link)

Done reading? Join Cyberwarzone on Telegram.

Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author