Incident playbooks from the mtcyper lab.

Curated, narrative-driven playbooks you can adapt for your own incident response programs, covering ransomware, insider threats and SaaS compromise.

Playbook formats
  • Timeline-based incident narratives
  • Role-annotated actions and decision points
  • Checklists and communication templates

Ransomware outbreak in hybrid estates

A step-by-step walkthrough of containment, investigation and recovery across on-prem and cloud workloads.

  • Actions for the first 30 minutes, for SOC and platform teams.
  • Communication windows for legal, PR and leadership.
  • Criteria for safe service restoration.

Compromised admin identity

Guidance for suspected admin account abuse in SaaS and internal systems.

  • Containment strategies that balance safety and uptime.
  • Log sources and telemetry to prioritize.
  • Follow-up hardening checklist.

Suspicious deployment pipeline activity

A playbook focused on CI/CD compromise, supply-chain risk and rollback.

  • Sequenced decisions for pausing or rolling back releases.
  • How to preserve forensic signal while containing risk.
  • Recovery actions and future guardrails.