Playbook · simulator · v0.3

SOC playbooks for banking, made interactive

Ten canonical incident-response playbooks rendered as click-through phase diagrams with a best-practice scoring panel. Coverage spans the full NIST IR lifecycle: the six incident-time phases (phases 2–7: Detection → Containment → Eradication → Recovery → PIR → Improvement) are inline, and a separate Preparation page covers the Phase 1 program prerequisites. Each step cites a clause from NIST SP 800-61r3, ISO/IEC 27035-2:2023, FSB FIRE (April 2025), or the relevant MITRE ATT&CK technique.

Illustrative only. Not legal, regulatory, audit, or supervisory advice. Verify clauses, timelines, channels and authorities against the current revision of each cited instrument before issuing any document. Source markdown lives at v2/4-playbooks-strategic/ and scenarios/ in this repository — each playbook page links to its source.

The ten playbooks

Strategic-led IR playbooks. Click-through decision flowcharts + best-practice scoring + pre-set scenarios.

PB-RANSOM-01 · Ransomware
Encryption-only, double-extortion, wipers. Counsel before DFIR · pause backup replication · KRBTGT twice-rotation · 3-eyes restore. Ransom payment is Board-only after OFAC + AML + supervisor + insurer.
P1 · Gates: 4 · Anchors: NIST 800-61r3 · IR 8374

PB-PHISH-02 · Phishing
Credential phishing, AiTM, OAuth-consent, brand-abuse, deepfake, BEC. Mass purge · session-cookie revoke · counterparty recall ≤30 min default-SEND · OAuth audit.
P1 · Gates: 2 · Anchors: NIST 800-177r1 · T1566 · T1539

PB-MAL-03 · Malware (non-ransomware)
RATs, banking trojans, infostealers, miners, droppers. Pre-impact phase. Sandbox · family classification · persistence sweep · cred-rotate if cred-stealer · escalates to PB-RANSOM-01 / PB-EXFIL-07 on phase change.
P2 · Gates: 2 · Anchors: NIST 800-83r1 · TA0002

PB-CRED-04 · Credential Compromise
Stuffing, push-fatigue, AiTM, SIM-swap. Force-reset >10k needs CISO + Customer Service head. Customer comms must precede the reset wave. Push-fatigue mitigations stay permanent.
P1 · Gates: 2 · Anchors: NIST 800-63B · T1110 · T1621

PB-SYS-05 · System Compromise
Host or server foothold via RCE / web shell / valid-account misuse, pre-impact. Snapshot-before-isolate · lateral hunt · close vector before rebuild. Rebuild > restore.
P1 · Gates: 2 · Anchors: NIST 800-86 · ISO 27037 · TA0001

PB-PRIV-06 · Privilege / Lateral Movement
AD / IdP / federation compromise + cloud IAM lateral + container escape. KRBTGT twice-rotation · AD CS ESC1-8 · clean-rebuild forest if Tier-0 owned. Always BRC-tabled.
P1 · Gates: 3 · Anchors: MS AD Hardening · NIST IR 8374 · NSA TA

PB-EXFIL-07 · Exfiltration Response
External adversary, third-party identity, card data, SWIFT, insider. Banking-secrecy gate has no timeout · DPA clock from awareness not confirmation · PFI engagement first-30-min for card data.
P1 · Gates: 2 + secrecy · Anchors: NIST 800-86 · ISO 27037 · PCI §12.10

PB-DDOS-08 · DDoS / Availability
Volumetric, app-layer, DNS, ransom-DDoS. Geo-block needs CISO + GC. Channel failover needs CIO. Customer impact tracked against IBS impact tolerance, not internal SLA.
P1 · Gates: 3 · Anchors: CISA DDoS · CPMI–IOSCO · POR P6

PB-WEB-09 · Web Application Attack
Active OWASP Top 10 exploitation: SQLi, RCE, SSRF, IDOR, XXE, deserialisation. WAF virtual-patch is containment, not fix · code MUST be hardened · hunt second occurrence · regression before re-deploy.
P1 · Gates: 3 · Anchors: OWASP Top 10 · NIST SP 800-218 · T1190

PB-TPSP-10 · Third-Party / Supply Chain
TPSP advisory, MSP / managed-SOC compromise + software-supply-chain (signed-binary trojan, signed-driver). SBOM-driven · contractual incident clause · exit / step-out plan is Board-level. Concentration-risk reassessed.
P1 · Gates: 4 · Anchors: NIST CSF 2.0 GV.SC · ISO 27036 · SLSA

Phase 1 — Preparation (separate page)
Preparation is a program activity, not an incident-time activity — so it doesn't belong on every flowchart. The Preparation page lists the prerequisites every playbook in this kit assumes are already in place: external counsel + DFIR retainer engaged, immutable backups + tested restore, EDR + SIEM coverage, sandbox infrastructure, drilled tabletop, communications templates, regulator contact register, etc.

Each playbook page links to the Preparation page in its header. If your bank does not yet have the Preparation prerequisites in place, the playbooks will not run as designed — fix Preparation first.

Stack & design
Vanilla HTML, CSS, and JavaScript: no framework, no build step, no third-party JS at runtime. Strict CSP (default-src 'self'; style-src 'self'). Visual language adapted from design-templates (warm-paper / annotated-flowchart / concept-explainer / incident-report patterns). Accessible: keyboard-only navigation across all flowchart nodes (Tab to enter, arrow keys to traverse, Enter / Space to activate); WCAG AA contrast; prefers-reduced-motion respected.