Guide, 2026-03-22

A modern incident response runbook

Most incident response runbooks were written when infrastructure was physical. The containment step assumed you could unplug a cable. The evidence collection step assumed a disk image that would survive a reboot. In cloud and container environments, the instance may not exist by the time you start investigating.

A modern runbook accounts for ephemeral infrastructure. Containment means adjusting a security group or revoking a role — not walking to a rack. Evidence collection means streaming logs to immutable storage before the container is recycled. Forensics means querying an endpoint agent for process memory, not shipping a hard drive.

The phases are the same — preparation, identification, containment, eradication, recovery, lessons learned — but the actions within each phase are different. Your runbook should map each phase to the specific tools and APIs your team uses. "Contain the host" becomes "apply the isolation policy in Sandworm EDR." "Preserve evidence" becomes "snapshot the EBS volume and export the Sandworm SIEM case file."

The biggest gap in most cloud IR runbooks is identity. When the compromised asset is an IAM role, not a server, your containment options are different. You need to revoke sessions, rotate credentials, and audit cross-account trusts — all within minutes, not hours. CloudGuard's identity posture module is built for this.
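The identity containment steps above (revoke sessions, rotate or disable credentials, audit cross-account trusts) can be rehearsed as code. The following is an added example, not part of the original post and not CloudGuard or Sandworm code: it uses plain AWS IAM mechanisms through a boto3-style client (the inline deny policy keyed on `aws:TokenIssueTime`, which is what revoking a role's active sessions amounts to; access-key deactivation; and a scan of trust policy documents for principals outside the account). The account ids, key ids and trust policies are constructed samples, and `DryRunIam` stands in for `boto3.client("iam")` so the runbook step can be exercised offline.

```python
"""Identity-first containment for a compromised AWS IAM role or user.

Added example: not from the original post and not CloudGuard or Sandworm code.
It uses plain IAM mechanisms: an inline deny policy conditioned on
aws:TokenIssueTime to cut off sessions already issued, access-key
deactivation, and a scan of trust policies for principals outside the
account. Account ids, key ids and trust policies are constructed samples.
"""
import json
from datetime import datetime, timezone

OWN_ACCOUNT = "111111111111"      # constructed: the account under investigation
FOREIGN_ACCOUNT = "222222222222"  # constructed: some other AWS account
CUTOFF = datetime(2026, 3, 22, 12, 0, tzinfo=timezone.utc)  # constructed incident time


def revoke_sessions_policy(cutoff: datetime) -> dict:
    """Deny every action to sessions issued before `cutoff`. Attached inline to a
    role, this invalidates credentials an attacker already holds, while sessions
    assumed after the cutoff keep working, so legitimate automation recovers as
    soon as it re-assumes the role."""
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}


def contain_role(iam, role_name: str, cutoff: datetime) -> str:
    """Attach the revocation policy through a boto3-style IAM client."""
    iam.put_role_policy(RoleName=role_name, PolicyName="IRRevokeOlderSessions",
                        PolicyDocument=json.dumps(revoke_sessions_policy(cutoff)))
    return "IRRevokeOlderSessions"


def deactivate_access_keys(iam, user_name: str) -> list[str]:
    """Flip every Active access key of a user to Inactive (reversible, unlike
    deletion) and return the key ids touched."""
    touched = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
            touched.append(key["AccessKeyId"])
    return touched


def _principals(stmt: dict) -> list[str]:
    """Flatten a statement's Principal element into a list of strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [p for v in principal.values() for p in (v if isinstance(v, list) else [v])]


def _is_external(principal: str, own_account: str) -> bool:
    if principal == "*":
        return True
    if principal.startswith("arn:"):      # arn:partition:iam::ACCOUNT:...
        return principal.split(":")[4] != own_account
    if principal.isdigit():               # bare account-id form
        return principal != own_account
    return not principal.endswith(".amazonaws.com")  # web-identity/OIDC provider


def audit_trust_policy(role_name: str, trust_policy: dict,
                       own_account: str = OWN_ACCOUNT) -> list[dict]:
    """One finding per Allow statement that lets a principal outside `own_account`
    assume the role; an external trust with no Condition (no sts:ExternalId or
    source restriction) is rated high."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            if _is_external(principal, own_account):
                findings.append({"role": role_name, "principal": principal,
                                 "severity": "medium" if stmt.get("Condition") else "high"})
    return findings


# Constructed stand-ins for iam.get_role()["Role"]["AssumeRolePolicyDocument"].
SAMPLE_TRUST_POLICIES = {
    "app-role": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                "Principal": {"Service": "ec2.amazonaws.com"}}]},
    "vendor-role": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Principal": {"AWS": f"arn:aws:iam::{FOREIGN_ACCOUNT}:root"},
                                   "Condition": {"StringEquals": {"sts:ExternalId": "constructed"}}}]},
    "legacy-role": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Principal": {"AWS": [f"arn:aws:iam::{OWN_ACCOUNT}:root",
                                                         f"arn:aws:iam::{FOREIGN_ACCOUNT}:user/ci"]}}]},
}


def audit_all(policies=SAMPLE_TRUST_POLICIES, own_account=OWN_ACCOUNT) -> list[dict]:
    return [f for name, doc in policies.items() for f in audit_trust_policy(name, doc, own_account)]


class DryRunIam:
    """Records IAM calls instead of making them, for tabletop rehearsal."""
    def __init__(self):
        self.calls = []
    def put_role_policy(self, **kw):
        self.calls.append(("put_role_policy", kw))
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": "AKIACONSTRUCTED0001", "Status": "Active"},
                                      {"AccessKeyId": "AKIACONSTRUCTED0002", "Status": "Inactive"}]}
    def update_access_key(self, **kw):
        self.calls.append(("update_access_key", kw))


def rehearse(role_name="legacy-role", user_name="ci-deployer") -> dict:
    """Dry-run the containment steps and return what would be sent to IAM."""
    iam = DryRunIam()                                 # swap for boto3.client("iam")
    policy = contain_role(iam, role_name, CUTOFF)
    keys = deactivate_access_keys(iam, user_name)
    return {"policy": policy, "keys": keys, "calls": iam.calls, "findings": audit_all()}


if __name__ == "__main__":
    print(json.dumps(rehearse(), indent=2, default=str))
```

The deny policy is preferred over deleting the role because it is reversible and scoped in time: anything that re-assumes the role after the cutoff is unaffected, so the blast radius of containment stays on the attacker's existing sessions. The trust-policy audit is the "cross-account trusts" check; in a live run, feed it the `AssumeRolePolicyDocument` of each role returned by `iam.list_roles()` instead of the constructed samples.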

A runbook that references your actual tools, your actual APIs, and your actual escalation path is more valuable than a generic framework. Start with the NIST phases, but fill them with your team's real commands. Test the runbook quarterly in a tabletop exercise. Update it every time you learn something.

Build your runbook on Sandworm.

We will walk through how CloudGuard, Sandworm SIEM, and Sandworm EDR map to each IR phase — using your environment.
