Playbook · simulator · v0.1
SOC playbooks for banking, made interactive
Six canonical incident-response playbooks — malware/ransomware, phishing/BEC, account compromise, DDoS, data breach, third-party incident — rendered as click-through phase diagrams with a best-practice scoring panel. Each step cites a clause from NIST SP 800-61r3, ISO/IEC 27035-2:2023, FSB FIRE (April 2025), or the relevant MITRE ATT&CK technique.
Illustrative only. Not legal, regulatory, audit, or supervisory advice. Verify clauses, timelines, channels and authorities against the current revision of each cited instrument before issuing any document. Source markdown lives at v2/4-playbooks-soar/ in this repository.
Core six (general scenarios)
Strategic-led IR playbooks — each renders as a click-through decision flowchart with a best-practice scoring simulation.
PB-RANSOM-01
Malware / Ransomware
Counsel before DFIR, pause backup replication, identify family and tier, rotate KRBTGT twice, restore from immutable backups under a three-eyes control. Ransom payment is Board-only after OFAC, AML and supervisor pre-consult plus insurer.
PB-PHISH-02
Phishing / BEC
Mass purge, session-cookie revocation (AiTM), counterparty recall within 30 min, AML STR, OAuth-grant audit. Recall default on timeout is SEND, not HOLD.
PB-ATO-03
Account Compromise (ATO)
Credential stuffing, push-fatigue, AiTM, SIM-swap. Force-reset >10k needs CISO + Customer Service head. Customer comms must precede the reset wave. Push-fatigue mitigations stay permanent.
PB-DDOS-04
DDoS / Availability
Volumetric, app-layer, DNS, ransom-DDoS. Geo-block needs CISO + GC. Channel failover needs CIO. Customer impact tracked against IBS impact tolerance, not internal SLA.
PB-EXFIL-05
Data Breach / Exfiltration
External adversary, third-party identity, card data, SWIFT credential. Banking-secrecy gate has no timeout — blocks external sharing until compliance + GC approve. DPA clock runs from awareness, not confirmation.
PB-TPSP-06
Third-Party Incident
TPSP advisory, MSP / managed-SOC compromise, cloud-vendor event. Tier-1 suspension needs CISO + CIO. Exit / step-out plan is Board-level with no timeout. Concentration-risk reassessed in PIR.
Extended three (specialised scenarios)
Sub-scenarios that warrant their own playbook — each cross-references the relevant general scenario.
How this maps to the source repo
Each playbook above corresponds 1:1 to a markdown source in v2/4-playbooks-soar/ of this repository. The flowchart nodes are the SOAR steps; the aside text is lifted from the source action descriptions; the simulation rules cite the source clause numbers (e.g. PB-RANSOM-01 §3.7). The source is always canonical — if the diagram and the markdown disagree, trust the markdown.
See also: v2/annexes/decision-tree-first-30-minutes.md for the first-30-minute decision aid; v2/shared/common-weaknesses.md for the anti-pattern library that the simulation rules surface; v2/shared/qa-checklist.md for the pre-issue review checklist.
Stack & design
Vanilla HTML, CSS, and JavaScript — no framework, no build step, no third-party JS at runtime. Self-contained per page. Strict default-src 'self' CSP. Light/dark adaptive colours forthcoming. Visual language adapted from design-templates (warm-paper / annotated-flowchart / concept-explainer / incident-report patterns). Accessible: keyboard-only navigation across all flowchart nodes; prefers-reduced-motion respected.