Recipe

Security incident runbook generator

Generate a structured, step-by-step runbook from a natural-language incident description. Outputs Markdown ready for Notion, Confluence, or your on-call handbook.

Prompt template

You are a senior incident commander. Given the
following incident description, produce a runbook
with these sections:

1. Severity & impact summary
2. Immediate containment steps
3. Investigation checklist
4. Communication timeline
5. Remediation & root-cause plan
6. Post-mortem template

Incident: {{INCIDENT_DESCRIPTION}}

Example input

“Unauthorized access detected on production Kubernetes cluster at 03:14 UTC. Suspicious pod running in default namespace. AWS GuardDuty flagged anomalous IAM role assumption from external IP.”

Example output

## 1. Severity & impact summary

CRITICAL — unauthorized cluster access with confirmed workload execution. Potential lateral movement and data exfiltration risk.

## 2. Immediate containment

  • Isolate affected node group
  • Cordon and drain the node running the suspicious pod
  • Revoke compromised IAM role
  • Rotate all cluster credentials

Tip: Paste the output directly into your incident channel. Append timestamps and owner initials as you execute each step.
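The recipe leaves two practical gaps: filling the template safely from an alert message, and checking that what comes back actually has all six sections before it goes into the incident channel. The following Python is an added example, not part of this recipe or any product API. It assumes the model returns Markdown headings of the form `## N. Title` (as the example output does) and that a shortened title such as "Immediate containment" should still count for "Immediate containment steps". The `SAMPLE_OUTPUT` is constructed here and mirrors the partial example output above; the LLM call itself is left out.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone

# Prompt template copied from the recipe; {{INCIDENT_DESCRIPTION}} is the only slot.
PROMPT_TEMPLATE = """You are a senior incident commander. Given the
following incident description, produce a runbook
with these sections:

1. Severity & impact summary
2. Immediate containment steps
3. Investigation checklist
4. Communication timeline
5. Remediation & root-cause plan
6. Post-mortem template

Incident: {{INCIDENT_DESCRIPTION}}"""

# The six sections the prompt asks for, in order.
REQUIRED_SECTIONS = [
    "Severity & impact summary",
    "Immediate containment steps",
    "Investigation checklist",
    "Communication timeline",
    "Remediation & root-cause plan",
    "Post-mortem template",
]

# Matches '## 1. Severity & impact summary' -> ('1', 'Severity & impact summary')
HEADING_RE = re.compile(r"^##\s*(\d+)\.\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample (assumption): the partial example output from the recipe,
# which only contains the first two sections.
SAMPLE_OUTPUT = """## 1. Severity & impact summary

CRITICAL: unauthorized cluster access with confirmed workload execution.

## 2. Immediate containment

  • Isolate affected node group
  • Revoke compromised IAM role
  • Rotate all cluster credentials
"""


def render_prompt(incident_description: str) -> str:
    """Fill the template. The description usually arrives straight from an
    alert or pager message, so it is treated as data: a multi-line description
    is collapsed to one line so it cannot add its own numbered items or
    headings to the prompt's structure."""
    one_line = " ".join(incident_description.split())
    return PROMPT_TEMPLATE.replace("{{INCIDENT_DESCRIPTION}}", one_line)


def found_sections(runbook_md: str) -> dict[int, str]:
    """Map section number -> heading title for every '## N. Title' heading."""
    return {int(num): title for num, title in HEADING_RE.findall(runbook_md)}


def missing_sections(runbook_md: str) -> list[str]:
    """Return the required sections the runbook lacks. A section counts as
    present when a heading with the right number exists and its title starts
    with the same first word as the required title, so the model shortening
    'Immediate containment steps' to 'Immediate containment' is accepted."""
    present = found_sections(runbook_md)
    missing = []
    for number, title in enumerate(REQUIRED_SECTIONS, start=1):
        keyword = title.split()[0].lower()
        if not present.get(number, "").lower().startswith(keyword):
            missing.append(title)
    return missing


def annotate_step(step_line: str, owner: str, stamp: str | None = None) -> str:
    """Append a UTC timestamp and owner initials to a checklist bullet, as the
    tip suggests doing while each step is executed. `stamp` is an ISO-8601
    string; when omitted the current UTC time is used."""
    if stamp is None:
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{step_line.rstrip()}  [done {stamp} by {owner}]"


if __name__ == "__main__":
    print(render_prompt("Unauthorized access detected on production Kubernetes "
                        "cluster at 03:14 UTC.\nSuspicious pod in default namespace."))
    print("Missing sections:", missing_sections(SAMPLE_OUTPUT))
    print(annotate_step("  • Revoke compromised IAM role", "AB"))
```

Run `missing_sections` on every generated runbook and refuse to post it to the channel while the list is non-empty; a runbook that stops after containment, like the sample, is exactly the case where the investigation checklist and communication timeline get forgotten.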