Skip to content
A concise, directive, specific, flexible, and free incident response plan template
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


This template was developed by the team at Counteractive Security, to help all organizations get a good start on a concise, directive, specific, flexible, and free incident response plan. Build a plan you will actually use to respond effectively, minimize cost and impact, and get back to business as soon as possible.


Download or fork this template

The layout is as follows:

  • the core of the plan, actions taken during an incident response.
  • playbooks/: a folder containing playbooks with investigation, remediation, and communication suggestions for specific incidents. Create playbooks for any incidents that are highly likely or highly damaging for your organization. playbooks/ contains the playbook section header content, and each playbook should follow the convention playbooks/playbook-[THREAT].md.
  • roles/: a folder containing descriptions of each role in the plan, along with duties and training notes. contains the roles section header content, and each role should follow the convention playbooks/role-[ORDER]-[NAME].md.
  • the guide to after-action review (a.k.a., hotwash, debrief, or post-mortem)---actions taken after an incident response.
  • a footer containing information about the plan/template as a whole.

Find and replace template variables that LOOK_LIKE_THIS

These should be discernable from context, but the following is a non-comprehensive reference:

Variable Details Example
COMPANY_NAME The name of your organization Acme, Inc.
AUTHOR_NAME, AUTHOR_EMAIL Name and email of plan author Chris,
REVISION_NUMBER, RELEASE_DATE Document control metadata 1, 1 Jan 2018
REVIEW_DATE Date someone last reviewed the plan 1 Feb 2018
TEST_DATE Date you last tested the plan 15 Jan 2018
RESPONSE_CHAT URL or reference to IR chat program chat.acme.tld/codename
RESPONSE_CALL Call bridge number or URL 555-HACK, webex.acme.tld/codename
ALTERNATIVE_EMAIL Description/URL for alternate email O365 at ir.acme.tld/othermail
ORGANIZATION_DOMAIN Domain name for your organization acme.tld
INCIDENT_COMMANDER_PAGER Number or URL to page Commander(s) 555-PAGE, ir.acme.tld/ic-page
INCIDENT_COMMANDER_ROSTER URL/path to Commander roster/list ir.acme.tld/ic-roster
SECURITY_TEAM_ROSTER As above, for security team ir.acme.tld/sec-roster
TEAM_SME_ROSTER As above, for SMEs ir.acme.tld/sme-roster
EXECTIVE_ROSTER As above, for executive team ir.acme.tld/exec-roster
INCIDENT_COMMANDER_RESPONSE_SLA Time to wait for on-duty IC on call 15 minutes
UPDATE_FREQUENCY Time between scheduled updates 4 hours
INCIDENT_FILE_LOCATION URL/path to incident file ir.acme.tld/files/codename
CRITICAL_INFORMATION_LIST_LOCATION URL/path to critical information list, data you want to protect ir.acme.tld/cil
CRITICAL_ASSET_LIST_LOCATION URL/path to critical asset list, systems you want to protect ir.acme.tld/cal
ASSET_MGMT_DB_LOCATION URL/path to asset management DB ir.acme.tld/assets
NETWORK_MAP_LOCATION URL/path to network map ir.acme.tld/netmap
LOG_AGGREGATOR_CONSOLE URL to log aggregator elk.acme.tld
LIVE_RESPONSE_TOOL Name/URL of live response tool ir-rescue
MEMORY_COLLECTION_TOOL Name/URL of memory collection tool rekall
DISK_IMAGE_TOOL Name/URL of disk imaging tool ftk imager
INCIDENT_REPORT_TEMPLATE URL/path to IR report template ir.acme.tld/report/template
INCIDENT_REPORT_RECIPIENTS URL/path to report recipient list ir.acme.tld/report/recipients
COMPLIANCE_TEAM Compliance team name the legal team, legal@acme.tld
COMMUNICATIONS_TEAM Communications team name the marketing team, marketing@acme.tld
EXECUTIVE_TEAM Executive team name the front office, bosses@acme.tld
LEGAL_TEAM Legal team name the legal team, legal@acme.tld
LOCAL_LE_CONTACT Local law enforcement contact info
FBI_CONTACT FBI contact info 555-FEDS,
INCIDENT_RESPONSE_VENDOR Vendor for IR and infosec support Counteractive Security
PUBLIC_RELATIONS_VENDOR Vendor for PR support pr.firm.tld
INSURANCE_VENDOR (Cyber) insurance provider
ISAC_CONTACT Industry ISAC contact info 555-ISAC

If you don't have the things referenced in the variables, consider fixing that. Especially the critical information list (data you want to protect) and critical asset list (systems you want to protect).


  1. Review all the TODO prompts for likely areas to customize, if desired. Delete them if no changes are required.
  2. Add any roles or playbooks relevant to your organization. These can also be added over time.
  3. Customize anything else! Whatever you feel is most effective for your organization.


Run whichever portions you like through pandoc to create your format of choice, or use the markdown files with mkdocs, hugo, or countless other platforms.

Response Plan Example

cat \
    ./playbooks/ ./playbooks/playbook-*.md \
    ./roles/ ./roles/role-*.md \ \
    | pandoc --toc --toc-depth=3 --standalone -o ./public/response-plan.html

Contact Us

For professional assistance with incident response, or with customizing, implementing, or testing your plan, please contact us at or (888) 925-5765.


This template is provided under the Apache License, version 2.0. See the LICENSE and NOTICE files for additional information.

References and Additional Reading

In Progress

  • After Action, lessons learned, process improvement
  • Recovery
  • Measures and Metrics
  • Business priorities
  • Testing procedure
  • Communication and escalation tree, including executives
  • Finance and budget
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.