IR 2.0 Framework · v0.1.0
DOCUMENT 01 / 05 · THE FRAMEWORK

The Four
Pillars.

A modular operating model for resilient, defensible, security-by-default operations.

IR 1.0 was reactive — alert fatigue, 3 a.m. panic, security bolted on as an afterthought. IR 2.0 reframes incident response as an operating model built on four load-bearing pillars: Governance, Architecture, Technology, and Culture. This document defines each pillar, the Calm Loop that ties them together, and the first principles that govern the whole.

Series: IR 2.0
Document: 01 of 05
Version: 0.1.0 · 2026
License: CC BY 4.0

This framework supports resilience, evidence, and readiness. It does not certify compliance, guarantee security, or guarantee cyber-insurance eligibility. It is not a substitute for professional legal, regulatory, or insurance advice.

01 / Four Pillars
Premise

Most incident response programs are built to survive a fire. Few are built to prevent one.

IR 2.0 replaces a posture, not a standard. The frameworks most organizations already rely on, NIST SP 800-61, NIST CSF, and ISO/IEC 27035, define what good looks like. What IR 2.0 replaces is the operating model that grew up around them: runbook-and-escalate, reactive heroics, and compliance treated as a destination rather than a baseline. IR 2.0 builds on those frameworks, maps directly to their controls through the Common Controls Backbone, and gives them an operational spine that works whether an organization is adopting NIST CSF for the first time or running a mature enterprise security program. Same standards. Different operating posture.

A note on "insurable"

In IR 2.0, insurable means evidence-ready and underwriter-legible. It means the organization can produce current, testable documentation of its controls, response paths, recovery capability, decision rights, and incident history in a form that is useful to brokers, carriers, auditors, and risk committees. It does not mean guaranteed coverage or a guaranteed premium reduction.

— IR 1.0 · The way it was

Reactive firefighting

  • Alert fatigue, unclear roles
  • Security bolted on as an afterthought
  • 3 a.m. panic, improvised responses
  • Audit-driven, not outcome-driven

— IR 2.0 · The way forward

Proactive, systematic resilience

  • Security by default architecture
  • Automated, reversibility-gated response
  • Insurable, auditable, evidence-based
  • Outcome-driven, modular, testable

Resilience is not a department. It is a property of the system itself.

IR 2.0 · The Four Pillars v0.1.0 · © 2026 Deretti Cyber Labs · CC BY 4.0 02
The Framework

Four pillars. One system.

Each pillar answers a different question. Together, they form a load-bearing structure — strong enough to fail safely, simple enough to adopt incrementally.

01

Governance

The Why & The Proof
  • Risk & governance posture
  • IR plan & playbooks
  • Tabletop drills
  • KPIs & metrics
  • Insurability evidence
02

Architecture

The How — Foundation
  • Security by default
  • IAM & Zero Trust
  • Network segmentation
  • Immutable backups
  • Cloud-native ready
03

Technology

The What — Tools
  • EDR / XDR detection
  • SIEM visibility
  • SOAR automation
  • AI-assisted triage
  • The Calm Loop
04

Culture

The Sustainability Layer
  • Blameless post-mortems
  • Near-miss reporting
  • Responder rotation
  • Psychological safety
  • Post-mortem closure rate
  • After-action learning cadence
The Calm Loop

Automated response, in four moves.

The Calm Loop is the operational heartbeat of IR 2.0: a closed cycle that turns alerts into action, and action into learning. Each step has explicit inputs and outputs, and every candidate action passes through a reversibility gate before it runs.

01 ↓

Sense

Detect & enrich

Signals from EDR, SIEM, identity, and email gateways are normalized and enriched with threat context before reaching a human.

02 ↓

Decide

Apply RS gates

Each candidate action receives a reversibility score (RS). RS-1 and RS-2 actions auto-execute; RS-3 and above require human approval before they run. Every decision, automated or approved, is logged as evidence.

03 ↓

Act

Execute playbook

The matching playbook runs end-to-end: contain, revoke, notify. Every step emits a structured artifact for downstream review.

04 ↺

Learn

Improve & evolve

A blameless post-mortem feeds back into playbooks, automation, and training. The loop gets faster every time it runs.

What the Loop creates

Three properties make the Calm Loop different from traditional SOAR. First, every action carries a reversibility score, so automation is never riskier than its rollback path. Second, every step writes evidence — the artifact is the audit. Third, the learning step is a first-class node, not a checkbox; the loop is designed to improve itself.

The result is a response system that scales without scaling the team. Calm comes from the certainty that the system has already handled the easy work, leaving humans for the calls only humans can make.
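The gating logic described above, worked through in code. This is an added illustration, not Deretti Cyber Labs code or a reference implementation of IR 2.0. The page fixes only that RS-1/2 auto-execute and RS-3+ require approval; the action names, their declared scores, the rule that an action with no undo path is treated as above the ceiling, and the in-memory environment are assumptions made for the demo. The point it demonstrates is the first two properties: an action cannot be auto-executed unless it carries a rollback path, and every decision (executed, escalated, approved, rolled back) lands in a queryable evidence log.

```python
"""Decide/Act/rollback steps of a reversibility-gated automation loop.

Added illustration of the Calm Loop's gating logic; not Deretti Cyber Labs
code. The page states only that RS-1/2 auto-execute and RS-3+ need approval;
action names, scores and the in-memory environment below are demo assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Callable

AUTO_EXECUTE_CEILING = 2  # RS-2: default ceiling for unattended execution


@dataclass
class Action:
    name: str
    rs: int  # declared reversibility score; 1 = trivially reversible, higher = harder to undo
    execute: Callable[[], str]
    undo: Callable[[], str] | None = None  # rollback path; None means none exists


@dataclass
class EvidenceLog:
    """Append-only decision record; every entry is a queryable, JSON-serialisable dict."""
    records: list[dict] = field(default_factory=list)

    def write(self, **fields: object) -> dict:
        rec = {"seq": len(self.records) + 1, **fields}
        self.records.append(rec)
        return rec

    def query(self, **match: object) -> list[dict]:
        return [r for r in self.records if all(r.get(k) == v for k, v in match.items())]

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def effective_rs(action: Action, ceiling: int = AUTO_EXECUTE_CEILING) -> int:
    """Automation may move only as fast as its undo path (assumed rule): an action
    with no undo is treated as at least one step above the ceiling, whatever it declared."""
    return action.rs if action.undo is not None else max(action.rs, ceiling + 1)


def decide(alert_id: str, action: Action, log: EvidenceLog,
           ceiling: int = AUTO_EXECUTE_CEILING) -> str:
    """Decide step: returns 'executed' or 'approval_required'; writes evidence either way."""
    rs = effective_rs(action, ceiling)
    entry = dict(alert=alert_id, action=action.name, declared_rs=action.rs, effective_rs=rs)
    if rs > ceiling:
        log.write(**entry, decision="approval_required")
        return "approval_required"
    result = action.execute()  # Act: anything reaching this line has an undo path
    log.write(**entry, decision="executed", result=result)
    return "executed"


def approve_and_run(alert_id: str, action: Action, approver: str, log: EvidenceLog) -> str:
    """Approval path for RS-3+ actions; the approver's identity becomes part of the record."""
    result = action.execute()
    log.write(alert=alert_id, action=action.name, declared_rs=action.rs,
              decision="executed_after_approval", approver=approver, result=result)
    return result


def rollback(alert_id: str, action: Action, log: EvidenceLog) -> str:
    """Undo step; refuses to pretend an irreversible action can be reversed."""
    if action.undo is None:
        raise ValueError(f"{action.name} declared no undo path")
    result = action.undo()
    log.write(alert=alert_id, action=action.name, decision="rolled_back", result=result)
    return result


# Constructed environment (assumption): which hosts are isolated, which accounts disabled.
isolated_hosts: set[str] = set()
disabled_accounts: set[str] = set()


def build_candidates(host: str, user: str) -> list[Action]:
    """Three candidate actions for one alert; names and scores are demo assumptions."""
    def isolate() -> str:
        isolated_hosts.add(host)
        return f"{host} isolated"

    def release() -> str:
        isolated_hosts.discard(host)
        return f"{host} released"

    def disable() -> str:
        disabled_accounts.add(user)
        return f"{user} disabled"

    def enable() -> str:
        disabled_accounts.discard(user)
        return f"{user} re-enabled"

    return [
        Action("isolate_host", 1, isolate, release),
        Action("disable_account", 2, disable, enable),
        # Mis-declared as RS-1 but with no undo path: the gate must still escalate it.
        Action("wipe_and_reimage", 1, lambda: f"{host} reimaged"),
    ]


def run_demo(alert_id: str = "alert-0001") -> tuple[dict[str, str], list[Action], EvidenceLog]:
    """Runs the Decide step over the candidates for one constructed alert."""
    log = EvidenceLog()
    candidates = build_candidates("ws-1042", "j.doe")
    outcomes = {a.name: decide(alert_id, a, log) for a in candidates}
    return outcomes, candidates, log


if __name__ == "__main__":
    outcomes, _, log = run_demo()
    print(outcomes)
    print(log.to_jsonl())
```

Running it, the two actions with undo paths execute unattended, while the reimage escalates despite its declared RS-1 because it has no rollback; the log carries both the declared and the effective score, so a reviewer can later query for exactly those mis-classifications and fix the playbook in the Learn step.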

≤15m · Auto-contain target (Run phase)
RS-2 · Default auto-execute ceiling
100% · Actions captured as evidence
First Principles

Six rules. Every decision flows from them.

P · 01

Security by default

Built in, not bolted on. The default configuration is the safe configuration; protections are opt-out, not opt-in.

P · 02

Modular by construction

Adopt what you need, when you need it. Every component stands alone and composes without rewrites.

P · 03

One control, many checkboxes

A single control evidences against multiple frameworks. Compliance is a side effect of doing the work.

P · 04

Evidence as data

Tickets, logs, tests, and artifacts are the proof. If it isn't queryable, it didn't happen.

P · 05

Reversibility-gated automation

Automation may move only as fast as its undo path. RS classification governs every action.

P · 06

Calm Loop discipline

Operate the loop deliberately. Sensing is continuous; deciding is judged; acting is bounded; learning is captured.

Where to go next

Read 02 — Crawl, Walk, Run to map your current posture to a phased adoption path. 03 — The Insurability Cheat Code is the gap assessment that tells you what to fix first.

Get the framework
deretticyberlabs.com/ir2