Cybersecurity Incident Response Runbook
Valydex SMB Template · NIST SP 800-61r3 & NIST CSF 2.0 · valydex.com

Section 1 — Incident Declaration & Severity
Version: 1.0  ·  Date: 2026-02-21
Page 1 of 6
Org: _______________________
Severity classification
Severity | Typical indicators | Response posture | SLA
---------|--------------------|------------------|----
Critical | Confirmed ransomware, regulated data exfiltration, full system compromise | Immediate all-hands; executive sponsor activated | Within 15 min
High | Confirmed account compromise, active lateral movement, customer-impacting outage | IC + technical lead activated | Within 30 min
Medium | Malware on isolated endpoint, phishing with credential submission, suspicious privilege escalation | Technical lead leads; IC on standby | Within 2 hours
Low | Policy violation, isolated spam/phishing with no click, failed brute-force | Standard ticket workflow | Next business day
Incident log — running record
Timestamp (UTC) | Action / decision taken | Owner
----------------|-------------------------|------
YYYY-MM-DD HH:MM | Description | Name
YYYY-MM-DD HH:MM | Description | Name
YYYY-MM-DD HH:MM | Description | Name
(add rows as needed)
Declaration record
Declaration timestamp: YYYY-MM-DD HH:MM UTC
Declared by: Name / role
Assigned severity: Critical / High / Medium / Low
Incident type: Ransomware / BEC / Cloud compromise / AI data exposure / Other
Incident commander: Name
Technical lead: Name
Initial affected systems: List systems / services
Regulated data involved? Yes / No / Unknown — data types: ___________________
Incident number: INC-YYYY-NNN
Declared via: Phone / Slack / Email / Alert
War room / bridge: Link or dial-in
Incident closed: YYYY-MM-DD HH:MM UTC
Total duration: ___ hours ___ minutes
valydex.com/guides/cybersecurity-incident-response-plan · NIST SP 800-61r3 · CIRCIA final rule expected May 2026 · Free to use and adapt
Section 2 — Role & Authority Map

Complete before an incident occurs. Review and test quarterly. Every role must have a named backup.

Core incident response team
Role | Assigned to | Backup | Contact (out-of-hours) | Key authority
-----|-------------|--------|------------------------|--------------
Incident Commander | Name | Name | Phone / Slack | Declare severity, authorize containment, own comms cadence
Technical Lead | Name | Name | Phone / Slack | Direct investigation and containment actions
Communications Lead | Name | Name | Phone / Slack | Approve all external/customer messaging
Legal / Compliance Lead | Name | Name | Phone / Slack | Trigger regulatory notifications, approve legal statements
Executive Sponsor | Name | Name | Phone / Slack | Authorize business continuity mode, approve major spend
Business Continuity Lead | Name | Name | Phone / Slack | Activate continuity tiers, track critical service status
External contacts & retainers
Contact type | Organization / name | 24/7 phone | Notes / account ref
-------------|---------------------|------------|--------------------
Cyber insurer (24/7 claims hotline) | Name | Number | Notes
External IR / forensics retainer | Name | Number | Notes
Legal counsel (data breach) | Name | Number | Notes
Managed security provider (MDR/SOC) | Name | Number | Notes
Critical vendor security contact | Name | Number | Notes
Law enforcement liaison (if needed) | Name | Number | Notes

Pre-incident requirement: Confirm all contacts are reachable out-of-hours before an incident occurs. Verify retainer agreements are current and their scope covers your incident types.
Section 3 — First 60 Minutes Runbook

First-phase rule: Apply pre-approved containment actions as soon as active compromise is plausible. Root-cause analysis follows containment — not the other way around.
First 15 minutes checklist
  • Confirm event meets declaration criteria and assign severity
  • Assign incident commander and technical lead; notify backups
  • Capture evidence snapshot before any disruptive containment
  • Apply pre-approved containment actions (see Section 4)
  • Open timestamped incident log — record every decision
  • Trigger stakeholder notifications per severity level
  • Regulated data involved? → activate legal/compliance immediately
First-hour decision rules
  • Privileged credentials compromised → revoke and rotate immediately
  • Ransomware behavior observed → prioritize isolation over remediation
  • Regulated data may be involved → trigger legal/compliance now
  • Customer-impacting systems affected → activate continuity mode
60-minute execution runbook
Window | Action set | Owner | Done (HH:MM)
-------|------------|-------|-------------
0–15 min | Declare, assign roles, evidence snapshot, initial containment, open incident log | Incident Commander | HH:MM
15–30 min | Confirm containment effectiveness; identify initial attack vector; notify exec sponsor (Crit/High); trigger legal/compliance if regulated data involved | IC + Technical Lead | HH:MM
30–45 min | Expand investigation scope; validate no secondary compromise paths; send first stakeholder update | Technical Lead + Comms Lead | HH:MM
45–60 min | Assess business continuity impact; activate continuity mode if critical services affected; confirm evidence preservation complete | IC + BC Lead | HH:MM
Section 4 — Incident-Type Playbook Branches
Ransomware
  • Isolate affected endpoints and network segments immediately
  • Disable compromised accounts and privileged pathways
  • Preserve forensic evidence before any broad reimaging
  • Assess backup integrity and restore viability — confirm backups are clean and offline/immutable
  • Align legal/compliance and executive decision workflow; document ransom decision rationale
Business Email Compromise (BEC)
  • Lock compromised mailbox/account and revoke all active sessions
  • Inspect forwarding rules and mailbox manipulation artifacts
  • Validate potentially affected financial transactions
  • Execute known-channel callback verification for any payment changes

    ⚠ 2026: Treat any voice memo, phone call, or video request to approve a payment as potentially deepfake-generated. Verify through a separate, pre-established channel before acting.

  • Initiate targeted stakeholder notification and enhanced monitoring
Cloud control-plane compromise
  • Revoke high-risk access tokens/keys and secure privileged roles
  • Review recent high-impact configuration changes in cloud audit logs
  • Isolate exposed workloads and data pathways
  • Preserve control-plane logs and relevant artifacts
  • Execute controlled restoration with validation checks before re-enabling access
AI data exposure / unauthorized LLM use
  • Identify the AI service(s) involved and the data categories submitted
  • Determine whether the service retains, trains on, or shares submitted data per its terms of service
  • Disable or restrict access to the unauthorized AI tool at the network or identity layer
  • Assess regulatory exposure — if PII, health, or financial records involved, trigger legal/compliance workflow immediately
  • Notify affected individuals or regulators per applicable data protection obligations
  • Update acceptable-use policy and deploy technical controls (URL filtering, DLP rules)
Section 5 — Evidence, Communications & Regulatory Reporting

Evidence rule: Avoid altering compromised systems before initial capture unless needed for immediate containment. Document every action that may change evidence state.
Evidence & chain-of-custody register
Artifact ID | Description | Source system | Collected by | Timestamp (UTC) | Storage location | Hash (SHA-256)
------------|-------------|---------------|--------------|-----------------|------------------|---------------
EVD-001 | Description | System | Name | YYYY-MM-DD HH:MM | Path / bucket | Hash
EVD-002 | Description | System | Name | YYYY-MM-DD HH:MM | Path / bucket | Hash
EVD-003 | Description | System | Name | YYYY-MM-DD HH:MM | Path / bucket | Hash
EVD-004 | Description | System | Name | YYYY-MM-DD HH:MM | Path / bucket | Hash
EVD-005 | Description | System | Name | YYYY-MM-DD HH:MM | Path / bucket | Hash
EVD-006 | Description | System | Name | YYYY-MM-DD HH:MM | Path / bucket | Hash
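As an added example (not part of the Valydex template), a small Python helper that fills this register programmatically: it hashes each artifact with SHA-256 at collection time, assigns the template's EVD-NNN identifiers, stamps the entry in UTC, and re-verifies the hash later so an altered or corrupted copy is detected before it is relied on. Field names, the CSV layout and any sample artifact bytes are assumptions made for this example.

```python
import csv
import hashlib
import io
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Column order mirrors the runbook's evidence & chain-of-custody register.
FIELDS = ["artifact_id", "description", "source_system", "collected_by",
          "timestamp_utc", "storage_location", "sha256"]

@dataclass
class EvidenceEntry:
    artifact_id: str
    description: str
    source_system: str
    collected_by: str
    timestamp_utc: str
    storage_location: str
    sha256: str

def sha256_hex(data: bytes) -> str:
    # The SHA-256 digest taken at collection time is what the register records.
    return hashlib.sha256(data).hexdigest()

def next_artifact_id(register: list) -> str:
    # EVD-001, EVD-002, ... following the template's numbering.
    return f"EVD-{len(register) + 1:03d}"

def record_artifact(register, data, description, source_system,
                    collected_by, storage_location, now=None):
    # Hash before anything else touches the copy; timestamp in UTC as the register requires.
    now = now or datetime.now(timezone.utc)
    entry = EvidenceEntry(next_artifact_id(register), description, source_system,
                          collected_by, now.strftime("%Y-%m-%d %H:%M"),
                          storage_location, sha256_hex(data))
    register.append(entry)
    return entry

def verify_artifact(entry: EvidenceEntry, data: bytes) -> bool:
    # Re-hash the stored copy; a mismatch means it was altered or corrupted since collection.
    return sha256_hex(data) == entry.sha256

def register_to_csv(register) -> str:
    # Serialize in the template's column order for the incident file.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for entry in register:
        writer.writerow(asdict(entry))
    return buf.getvalue()
```

Call `record_artifact(register, data, ...)` once per collected artifact and `verify_artifact(entry, data)` whenever a copy is handed over or pulled back out of storage; `register_to_csv` produces the register in the template's column order.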
Communications log
Timestamp (UTC) | Audience | Channel | Message summary | Approved
----------------|----------|---------|-----------------|---------
YYYY-MM-DD HH:MM | Internal / Customer / Regulator | Email / Slack | Summary | Name
YYYY-MM-DD HH:MM | Internal / Customer / Regulator | Email / Slack | Summary | Name
YYYY-MM-DD HH:MM | Internal / Customer / Regulator | Email / Slack | Summary | Name
YYYY-MM-DD HH:MM | Internal / Customer / Regulator | Email / Slack | Summary | Name
Regulatory notification checklist
  • EU personal data → GDPR: notify DPA within 72 hours of awareness
  • PHI involved → HIPAA: notify HHS; individuals within 60 days
  • Payment card data → PCI DSS: notify acquiring bank and card brands
  • CIRCIA-covered entity → notify CISA within 72 hours; ransom payments within 24 hours (final rule May 2026)
  • Criminal activity → report to FBI IC3 (ic3.gov)
  • Notify cyber insurer per policy notification requirements
Section 6 — Post-Incident Review & Closure
Incident summary
Incident type: Ransomware / BEC / Cloud / AI exposure / Other
Declaration timestamp: YYYY-MM-DD HH:MM UTC
Closure timestamp: YYYY-MM-DD HH:MM UTC
Total duration: ___ hours ___ minutes
Peak severity: Critical / High / Medium / Low
Systems affected: List
Data involved: Types and estimated volume
Business impact: Revenue / operational / reputational summary
Review structure
Section | Notes
--------|------
What worked | Controls and decisions that reduced impact
What failed | Control gaps, workflow delays, unclear ownership
Root-cause analysis | Technical and process-level causes with confidence levels
Residual risk | Unresolved risks remaining after closure
Closure criteria
  • Threat pathways contained and monitored
  • Impacted services restored with validation sign-off
  • Legal/compliance checkpoints complete or formally deferred
  • Evidence package complete for current confidence level
  • Corrective actions logged with owner and due date
  • Post-incident review scheduled (≤5 business days for Crit/High)
Closure declared by: Name / role
Closure timestamp: YYYY-MM-DD HH:MM UTC
Deferred items (if any): List items with rationale and owner
Corrective-action register
ID | Finding | Corrective action | Owner | Due date | Priority | Status
---|---------|-------------------|-------|----------|----------|-------
CA-001 | Finding | Action | Name | YYYY-MM-DD | H / M / L | Open / Closed
CA-002 | Finding | Action | Name | YYYY-MM-DD | H / M / L | Open / Closed
CA-003 | Finding | Action | Name | YYYY-MM-DD | H / M / L | Open / Closed
CA-004 | Finding | Action | Name | YYYY-MM-DD | H / M / L | Open / Closed
CA-005 | Finding | Action | Name | YYYY-MM-DD | H / M / L | Open / Closed
CA-006 | Finding | Action | Name | YYYY-MM-DD | H / M / L | Open / Closed

30-60-90 corrective-action cadence: 30 days: quick wins and policy clarifications  ·  60 days: workflow and tooling improvements  ·  90 days: governance changes and re-test of affected scenarios