Library

Pre-built playbooks & runbooks. Open one to a live case.

Every playbook ships with a one-click handoff to the platform. Hit Open incident or Open exposure and the case is created with the right policy attached, the right RASCI assigned, and the activity log already running.

Enterprise IT: Phishing, ransomware, account compromise — the everyday IR set.

  PB-CIRP-101  Phishing and Business Email Compromise
  PB-CIRP-102  Endpoint Malware Detection
  PB-CIRP-103  Ransomware
  PB-CIRP-104  Account Compromise / MFA Bypass
  PB-CIRP-105  Data Exfiltration
  PB-CIRP-106  Insider Threat (Malicious)
  PB-CIRP-107  Privileged Account Abuse
  PB-CIRP-108  Lateral Movement Detection
  PB-CIRP-109  Destructive Malware / Wiper
  PB-CIRP-110  Unauthorised Software / Tool Deployment

Cloud & SaaS: AWS, Azure, M365, OAuth, Kubernetes, serverless.

  PB-CIRP-201  AWS Account Compromise
  PB-CIRP-202  M365 / Entra ID Compromise
  PB-CIRP-203  OAuth / SaaS Token Abuse
  PB-CIRP-204  Cloud Storage Data Leak (S3 / Azure Blob / GCS)
  PB-CIRP-205  Container / Kubernetes Compromise
  PB-CIRP-206  Serverless Function Abuse
  PB-CIRP-207  Cloud Management Plane Compromise
  PB-CIRP-208  Cloud IAM Misconfiguration Exploitation

OT / ICS: SCADA, PLC, HMI, safety systems, IT-to-OT pivot.

  PB-CIRP-301  SCADA / PLC Compromise
  PB-CIRP-302  Process Anomaly / Unexplained Behaviour
  PB-CIRP-303  OT Network Isolation
  PB-CIRP-304  Safety Instrumented System Event
  PB-CIRP-305  Engineering Workstation Compromise
  PB-CIRP-306  HMI Tampering

Showing 24 of 98 matching playbooks (98 total). The library is regenerated from the policy-architecture repo on every deploy via scripts/sync-playbooks.py.

Want to fork a playbook? Every artefact is yours from day one.

Templates ship in the box. You customise, version, and own your copy. We update the upstream library; you choose when to merge.