Incident response playbook template

A practical 60-minute incident-response template for solo founders. Covers detect, contain, eradicate, recover, document.

How to use

Save it to your internal wiki and update the "Last tested" date each time you run through it. Tested IR playbooks reduce SOC 2 audit time substantially.

Template (markdown)

Copy and paste, then replace the {{PLACEHOLDERS}}.
# Incident Response Playbook

**Last tested**: {{DATE}}
**Incident commander**: {{NAME}} ({{EMAIL}}, {{PHONE}})
**Backup IC**: {{NAME}} ({{EMAIL}}, {{PHONE}})

## Severity levels

- **P0** — active exploitation + customer data at risk — 15-min response
- **P1** — credible threat of compromise — 1-hour response
- **P2** — security issue without active exploitation — 24-hour response

## Minute-by-minute response (P0)

### 0-5 min: confirm + escalate

- Confirm the incident is real (not a false alarm)
- Page incident commander
- Start a timeline document (every action + timestamp)
- Create a private Slack channel #incident-{{DATE}}

### 5-20 min: contain

- Identify the attack vector
- Rotate any credentials the attacker may have accessed
- Pull the affected service offline if exploitation is ongoing
- Block attacker IP at WAF / CDN

### 20-60 min: eradicate + investigate

- Determine scope (which data, which users, what actions)
- Document evidence (logs, API traces, DB queries)
- Prepare initial customer notification (do not send yet)

### 1-24 hr: communicate

- Consult legal counsel on notification obligations
- Send customer notification if required
- File regulator notification (GDPR: 72 hours; HIPAA: 60 days)
- Post public status-page update
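The timeline document from the 0-5 min step and the regulator deadlines from the 1-24 hr step are easy to get wrong under pressure: entries get back-filled, and nobody is sure when the 72-hour clock started. The following is an added example, not part of the original playbook: a small Python module that keeps the timeline as a hash-chained list of UTC-stamped entries (so an auditor can check nothing was edited or removed after the fact) and computes the GDPR and HIPAA deadlines from the first entry. The SHA-256 chaining, the JSON-lines persistence and the `hours_remaining` helper are assumptions about how to implement this; the notification windows are the ones the playbook states.

```python
"""Hash-chained incident timeline plus regulator-deadline tracking.

Added example for this playbook, not part of the original template. It assumes
the timeline is a list of entries (optionally persisted as JSON lines) whose
first entry is the detection event, and it uses the notification windows the
playbook states (GDPR 72 hours, HIPAA 60 days); the SHA-256 chaining is an
assumption about how to make the timeline tamper-evident for the audit.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

# Notification windows from the playbook's "1-24 hr: communicate" step.
NOTIFICATION_WINDOWS = {
    "GDPR": timedelta(hours=72),
    "HIPAA": timedelta(days=60),
}

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


def _entry_hash(prev_hash: str, ts: str, actor: str, action: str) -> str:
    """Each entry commits to the previous hash and to its own fields."""
    payload = json.dumps([prev_hash, ts, actor, action], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(entries: list, actor: str, action: str,
                 ts: Optional[datetime] = None) -> dict:
    """Record one action with a UTC timestamp, chained to the previous entry."""
    when = (ts or datetime.now(timezone.utc)).astimezone(timezone.utc)
    ts_str = when.isoformat(timespec="seconds")
    prev_hash = entries[-1]["hash"] if entries else GENESIS
    entry = {
        "ts": ts_str,
        "actor": actor,
        "action": action,
        "prev": prev_hash,
        "hash": _entry_hash(prev_hash, ts_str, actor, action),
    }
    entries.append(entry)
    return entry


def verify_timeline(entries: list) -> bool:
    """Recompute the chain; an edited, removed or reordered entry breaks it."""
    prev = GENESIS
    for e in entries:
        if e["prev"] != prev:
            return False
        if _entry_hash(prev, e["ts"], e["actor"], e["action"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def save_timeline(path: Path, entries: list) -> None:
    """Persist as JSON lines (one entry per line, append-friendly)."""
    with path.open("w", encoding="utf-8") as f:
        for e in entries:
            f.write(json.dumps(e) + "\n")


def load_timeline(path: Path) -> list:
    """Read a JSON-lines timeline back; verify it with verify_timeline()."""
    with path.open("r", encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def notification_deadlines(detected_at: datetime) -> dict:
    """Absolute deadlines for each regime, measured from the detection time."""
    base = detected_at.astimezone(timezone.utc)
    return {regime: base + window for regime, window in NOTIFICATION_WINDOWS.items()}


def hours_remaining(entries: list, now: datetime) -> dict:
    """Hours left until each deadline, taking the first entry as detection time.
    Negative values mean the window has already closed."""
    detected_at = datetime.fromisoformat(entries[0]["ts"])
    now = now.astimezone(timezone.utc)
    return {regime: (deadline - now).total_seconds() / 3600
            for regime, deadline in notification_deadlines(detected_at).items()}


if __name__ == "__main__":
    # Constructed sample entries for a P0 drill.
    tl = []
    append_entry(tl, "IC", "Confirmed alert is a real incident (P0)")
    append_entry(tl, "IC", "Paged backup IC; opened private channel")
    append_entry(tl, "IC", "Rotated API keys for the affected service")
    print("chain valid:", verify_timeline(tl))
    for regime, hrs in hours_remaining(tl, datetime.now(timezone.utc)).items():
        print(f"{regime}: {hrs:.1f} h remaining")
```

Make the very first entry the confirmation of the incident, because everything downstream (the deadline clock, the postmortem) is measured from it. Keep the saved file somewhere the incident commander cannot silently rewrite (a repository with history, or an append-only bucket) so that `verify_timeline` plus the external copy gives the auditor something to check rather than just a text document.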

### 24 hr to 7 days: recover + postmortem

- Restore affected services
- Offer credit-monitoring / affected-user remediation
- Write + publish postmortem (public)
- Close control gaps identified in the timeline

## Contacts

- Legal: {{NAME}}, {{EMAIL}}, {{PHONE}}
- PR: {{NAME}}, {{EMAIL}}, {{PHONE}}
- Auditor: {{AUDITOR FIRM}}, {{CONTACT}}
- Sub-processors (AWS, Supabase, Stripe) — vendor support hotlines

## Communication templates

### Customer notification (template)

Subject: Important security notice from {{YOUR COMPANY}}

On {{DATE}} at {{TIME}}, we discovered {{INCIDENT DESCRIPTION}}.

**What happened**: {{DETAILS}}
**What data was affected**: {{DATA TYPES}}
**What we did**: {{REMEDIATION}}
**What you should do**: {{USER ACTIONS}}
**What we're doing next**: {{GOING-FORWARD CHANGES}}

If you have questions, email {{EMAIL}}. We'll respond within {{TIME}}.

— {{FOUNDER NAME}}, {{YOUR COMPANY}}
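The notice above is prepared during the 20-60 min step but not sent until legal has weighed in, so there is a real window in which a half-filled draft can go out with `{{DATA TYPES}}` still in it. The following is an added example, not part of the original playbook: a Python renderer for this template's `{{PLACEHOLDER}}` syntax that lists the placeholders a draft needs and refuses to produce output while any is missing, blank, or re-introduced by a supplied value. `CUSTOMER_NOTICE` is a constructed copy of the customer-notification template; the function names are assumptions.

```python
"""Fill a {{PLACEHOLDER}} template and refuse to produce a notice while any
placeholder is still unfilled.

Added example, not part of the original playbook. It uses the placeholder
syntax of this template; CUSTOMER_NOTICE below is a constructed copy of the
customer-notification template.
"""
import re

# Placeholder names in this playbook are upper-case words, optionally with
# spaces or hyphens ({{YOUR COMPANY}}, {{GOING-FORWARD CHANGES}}).
PLACEHOLDER = re.compile(r"\{\{\s*([A-Z][A-Z0-9 _-]*?)\s*\}\}")

CUSTOMER_NOTICE = """Subject: Important security notice from {{YOUR COMPANY}}

On {{DATE}} at {{TIME}}, we discovered {{INCIDENT DESCRIPTION}}.

**What happened**: {{DETAILS}}
**What data was affected**: {{DATA TYPES}}
**What we did**: {{REMEDIATION}}
**What you should do**: {{USER ACTIONS}}
**What we're doing next**: {{GOING-FORWARD CHANGES}}

If you have questions, email {{EMAIL}}. We'll respond within {{TIME}}.

-- {{FOUNDER NAME}}, {{YOUR COMPANY}}
"""


def placeholders(template: str) -> list:
    """Distinct placeholder names, in order of first appearance."""
    seen = []
    for name in PLACEHOLDER.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def missing_values(template: str, values: dict) -> list:
    """Placeholders that have no value, or only a blank one."""
    return [p for p in placeholders(template)
            if p not in values or not str(values[p]).strip()]


def render(template: str, values: dict) -> str:
    """Substitute values; raise instead of returning a partly filled notice."""
    missing = missing_values(template, values)
    if missing:
        raise ValueError("unfilled placeholders: " + ", ".join(missing))
    out = PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)
    # A supplied value could itself contain {{...}}; never let that ship.
    leftover = PLACEHOLDER.findall(out)
    if leftover:
        raise ValueError("placeholder text inside a value: " + ", ".join(leftover))
    return out


if __name__ == "__main__":
    # Constructed values for a drill; a real draft would come from the IC.
    draft = {"YOUR COMPANY": "Example Co", "DATE": "2024-03-01"}
    print("still needed:", missing_values(CUSTOMER_NOTICE, draft))
```

One caveat the renderer makes visible: `{{TIME}}` appears twice in the template with two different meanings (time of discovery and promised response time), so a single value fills both. Rename one of them (for example to `{{RESPONSE TIME}}`, an assumption, not a name from the playbook) before filling the template mechanically.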