Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Every threat your team identifies should produce an incident runbook: a one-pager that says 'when X is detected, do Y'. The runbook is for the 3am pager moment, not the strategy review, so it has to work for someone who is tired, under pressure and may not be the person who wrote it. A good runbook has a precise definition of the trigger, a short decision tree for when to escalate, the exact commands to run, a communications template, and a 'don't do this' list (the mistakes a well-meaning responder makes at 3am, such as destroying the evidence they are about to need).
Runbook shape: trigger (alert ID plus the signal that fired it), severity classification (three yes/no questions: is production impacted, is sensitive data involved, is the blast radius wide), the first five commands in order (collect evidence, then contain, then alert the team), escalation rules (who gets paged at which severity), and a comms template (status page text, customer email).
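To make that shape concrete, here is an added example (not from the lesson) of a runbook written as a small executable object: the trigger, the three severity questions, the first five actions, the escalation rule, the 'don't do this' list and the comms template live in one place and can be tested. It uses a hypothetical credential-leak runbook as the instance; the alert ID, the severity ladder, the escalation targets and the action wording are all assumptions for illustration, not anything the lesson prescribes.

```python
# Added example, not from the lesson: an executable runbook skeleton.
# The alert ID, severity ladder and escalation targets are assumed for
# illustration; substitute your own.
from dataclasses import dataclass
from string import Template


@dataclass(frozen=True)
class Trigger:
    alert_id: str   # hypothetical alert identifier, e.g. "CRED-LEAK-001"
    signal: str     # what the detector actually saw


# Assumed severity ladder: one rung per "yes" answer to the three questions
# (production impact, data sensitivity, blast radius).
SEVERITY_LADDER = {
    3: ("SEV1", "page the incident commander and security lead now"),
    2: ("SEV2", "page the on-call security engineer"),
    1: ("SEV3", "post in the security channel; handle within the shift"),
    0: ("SEV4", "open a ticket; review on the next working day"),
}


@dataclass
class Runbook:
    name: str
    trigger: Trigger
    first_actions: list[str]   # evidence first, then containment, then alerting
    dont: list[str]            # the "don't do this" list
    comms_template: Template

    @staticmethod
    def classify(production_impact: bool, sensitive_data: bool,
                 wide_blast_radius: bool) -> tuple[str, str]:
        """Answer the three questions; get severity and who to escalate to."""
        yes_count = sum([production_impact, sensitive_data, wide_blast_radius])
        return SEVERITY_LADDER[yes_count]

    def render_comms(self, severity: str, impact: str, next_update_minutes: int) -> str:
        """Fill the status-page template. An unfilled placeholder raises
        KeyError instead of shipping a half-written notice."""
        return self.comms_template.substitute(
            name=self.name, severity=severity, impact=impact,
            next_update=next_update_minutes)

    def checklist(self) -> list[str]:
        """The ordered lines a responder works through at 3am."""
        lines = [f"TRIGGER {self.trigger.alert_id}: {self.trigger.signal}"]
        lines += [f"{i}. {step}" for i, step in enumerate(self.first_actions, 1)]
        lines += [f"DON'T: {item}" for item in self.dont]
        return lines


# Hypothetical credential-leak runbook (constructed example data).
CREDENTIAL_LEAK = Runbook(
    name="credential-leak",
    trigger=Trigger("CRED-LEAK-001",
                    "secret-scanner match on a public repository or paste site"),
    first_actions=[
        "Record the alert, the secret's fingerprint and where it was seen (never the secret itself)",
        "Pull the audit log for any use of that credential since the earliest exposure time",
        "Revoke or rotate the credential and confirm the old value is now rejected",
        "Look for persistence created with it (new keys, tokens, users, roles)",
        "Tell the owning team and the on-call lead what was rotated and why",
    ],
    dont=[
        "Do not delete the commit or paste before the evidence is captured",
        "Do not paste the leaked value anywhere, including the ticket",
    ],
    comms_template=Template(
        "[$severity] $name: $impact. Next update in $next_update minutes."),
)


if __name__ == "__main__":
    sev, escalate = Runbook.classify(production_impact=False, sensitive_data=True,
                                     wide_blast_radius=True)
    print("\n".join(CREDENTIAL_LEAK.checklist()))
    print(sev, "->", escalate)
    print(CREDENTIAL_LEAK.render_comms(
        sev, "a leaked API key was rotated; no customer data access seen", 30))
```

The point of writing it this way is that the three questions produce a severity and an escalation target mechanically, so the 3am responder is not asked to judge; and the comms template refuses to render with a missing field, so a notice never goes out with a blank in it.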
Use these three in order. Each builds on the one before.
In one paragraph, explain runbooks.
Walk me through a runbook for a credential-leak alert.
Some incidents don't fit any runbook. Design the 'novel incident' meta-runbook.