Applying Modular Design to Maintain IR Playbooks at Scale

Playbook Power-Up: Applying Modular Design to Maintain IR Playbooks at Scale

🎙️ Jessica Gorman, Sr Director of Security Operations and Incident Response, Experian, Georgetown University
📍 Presented at SANS DFIR Summit 2025

With only 23% of surveyed security professionals stating their incident response (IR) playbooks are updated frequently enough to keep up with best practices, a new approach is needed to “power up” the way organizations maintain their playbooks.

The rise of Security Orchestration, Automation, and Response (SOAR) technology offers promising potential for cybersecurity teams to modernize incident response processes, but the challenge of managing and updating IR playbooks at scale persists, especially when organizations find themselves managing dozens (or even 100+) of them.

This presentation leverages research conducted through Georgetown University’s Cybersecurity Risk Management program and inspired by years of incident response experience to walk participants through a new proposed framework for evaluating and redesigning their IR playbooks. Using concepts of “modular” design, this research has found that application of these principles can streamline playbook update processes, leading to up to 50% time savings and potentially reducing risk of human error.
Individuals responsible for managing process documentation and/or playbooks will come away with hands-on knowledge that can be applied to achieve real-world results.

View upcoming Summits: https://www.sans.org/u/DuS