█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Incident Response/Preparation and Planning
35 minBeginner

Preparation and Planning

After this lesson, you will be able to: Build an IR plan with defined roles, communication protocols, and tabletop exercises.

An IR plan is just a document, until it's tested. This lesson covers the components that make a plan actually work when an incident hits.

Prerequisites:What is Incident Response?

Core plan components

Roles & responsibilities (incident commander, scribe, technical lead, comms lead, legal). Severity definitions (what's a P0 vs P3?). Communication channels (who gets paged, when, on what platform). Decision authority (who can pull the website offline?). Pre-built playbooks for common incident types (ransomware, account takeover, data leak).

Internal vs external comms

Internal: keep stakeholders informed without spreading false information. External: legal/PR-approved statements only. Premature public disclosure can violate breach laws and damage trust. Many companies have predefined holding statements, used immediately on confirmation, then updated as facts emerge.

💡 Tabletops are non-negotiable

A tabletop is a simulated incident the team walks through aloud. It surfaces gaps no document review will catch, 'who has the after-hours number for our cloud provider?', 'where's the offline copy of the runbook if email is down?'. Run them at least quarterly.

Run a mini tabletop with friends

Realistic, takes 30 minutes.

  1. 1

    Pick a fictional company, give it 50 employees, an e-commerce site, AWS hosting

  2. 2

    Write a 3-line scenario: 'a customer complains they can't log in; alerts show high traffic from one IP; the support inbox has 50 similar reports'

  3. 3

    Assign roles: IC, technical lead, comms

  4. 4

    Play it out, every 5 minutes inject a new fact ('the CFO is on vacation', 'the database is at 100% CPU')

  5. 5

    Debrief: what worked, what was confusing, what's missing from the plan

Quick Check

Why use a written runbook instead of relying on the team's expertise?

Choose the right answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←What is Incident Response?
Back to Incident Response
Detection and Analysis→