Library

Pre-built playbooks & runbooks. Open one to a live case.

Every playbook ships with a one-click handoff to the platform. Hit Open incident or Open exposure and the case is created with the right policy attached, the right RASCI assigned, and the activity log already running.

PB-CIRP-101
Enterprise IT

Phishing and Business Email Compromise

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-102
Enterprise IT

Endpoint Malware Detection

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-103
Enterprise IT

Ransomware

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-104
Enterprise IT

Account Compromise MFA Bypass

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-105
Enterprise IT

Data Exfiltration

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-106
Enterprise IT

Insider Threat Malicious

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-107
Enterprise IT

Privileged Account Abuse

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-108
Enterprise IT

Lateral Movement Detection

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-109
Enterprise IT

Destructive Malware Wiper

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-110
Enterprise IT

Unauthorised Software Tool Deployment

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-111
Enterprise IT

Web Shell Deployment and Server Side Persistence

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-112
Enterprise IT

C2 Beaconing and Command and Control Channel Detection

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-113
Enterprise IT

Living Off The Land LOLBin Abuse

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-114
Enterprise IT

Credential Dumping LSASS SAM DCSync NTDS.dit

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-115
Enterprise IT

Pass The Hash Pass The Ticket Token Impersonation

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-116
Enterprise IT

DNS Based Attack Tunneling Hijacking Fast Flux C2

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-117
Enterprise IT

Fileless Memory Resident Malware

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-118
Enterprise IT

Browser Compromise Malicious Extension or Session Token Theft

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-119
Enterprise IT

USB Removable Media Security Incident

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-120
Enterprise IT

Persistence Mechanism Discovery Scheduled Task Registry WMI Subscription

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-121
Enterprise IT

Active Directory Enumeration and Attack Path Exploitation

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-122
Enterprise IT

Email Delivered Malware Macro LNK ISO HTML Smuggling

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-123
Enterprise IT

Print Spooler or Windows Service Exploitation for Privilege Escalation

Phishing, ransomware, account compromise — the everyday IR set.

PB-CIRP-124
Enterprise IT

Web Application Exploitation SQLi SSTI Deserialisation SSRF

Phishing, ransomware, account compromise — the everyday IR set.

Showing 24 of 244 matching playbooks (244 total — 161 standard, 83 premium). The library is regenerated from the policy-architecture repo on every deploy via scripts/sync-playbooks.py.

Want to fork a playbook? Every artefact is yours from day one.

Templates ship in the box. You customise, version, and own your copy. We update the upstream library; you choose when to merge.