DFIR Investigation Runbooks
Seven incident types. Structured response procedures. From detection to containment.
Step-by-step investigation runbooks for the incidents SOC analysts handle most often. Each runbook covers initial triage, evidence collection, scoping queries, containment actions, and handoff requirements. Designed for the responder who just received the alert and needs to know what to do next.
These runbooks provide the structured response procedure only. For the full investigation methodology — evidence interpretation, timeline reconstruction, attack chain correlation, and reporting — see Practical Incident Response (IR13–IR16 cover ransomware, BEC, insider threat, and APT investigations) and Incident Triage (TR2–TR5 cover environment-specific triage).