Crawl, Walk, Run.
A phased adoption path from insurable to proactive.
IR 2.0 is not an all-or-nothing program. This roadmap maps current posture to a three-stage progression — Crawl gets you insurable, Walk gets you resilient, Run gets you proactive. Each stage names its deliverables, transition points, and the metrics that prove it landed.
Progress over perfection. Every step forward improves both resilience and insurability.
Start where you are. Use what you have. Do what you can. The roadmap exists so you can stop arguing about where to begin and begin somewhere that earns insurance, then resilience, then leverage.
Crawl: Get defensible.
Deliverables
- IR One-Pager. Incident definition, severity levels, named roles (Incident Commander, Communications lead, Technical lead), escalation triggers, and the contact list.
- The Big 3 controls. MFA on all critical systems · EDR on all endpoints · Tested immutable backups.
- First tabletop drill. 60–90 minutes walking a ransomware scenario with key stakeholders.
- Evidence collection. Screenshots, policy docs, restoration tests — your insurance application packet.
Quick wins
- Download a cyber insurance application — every "No" answer is your next project.
- Enable MFA on email, VPN, and admin accounts this week.
- Schedule the first tabletop drill within 30 days.
- Test one backup restoration and document the result.
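A restoration test that leaves a record behind, as an added example that is not the page's own tooling. It assumes backups are gzip tar archives with a SHA-256 manifest written beside them at backup time, builds constructed sample data, restores into a scratch directory, and reports any file that is missing or differs from the manifest. The `skip` parameter is a constructed failure mode standing in for a backup job that silently misses a file.

```python
"""Backup restoration test that produces an evidence record.
Added example, not the page's own tooling. Assumes backups are gzip tar
archives with a sidecar SHA-256 manifest written at backup time; the
sample data is constructed inline."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path, skip: tuple = ()) -> dict:
    """Archive `source` and write the manifest beside it. `skip` simulates a
    backup job that silently misses files (constructed failure mode)."""
    manifest = make_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".",
                filter=lambda ti: None if Path(ti.name).name in skip else ti)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest))
    return manifest


def safe_extract(archive: Path, dest: Path) -> None:
    """Extract, refusing any member that would land outside `dest`."""
    root = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            target = (root / m.name).resolve()
            if target != root and root not in target.parents:
                raise ValueError(f"unsafe member in archive: {m.name}")
        # Python >= 3.12 (and patched 3.8+) also applies its own 'data' filter.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)


def restore_test(archive: Path) -> dict:
    """Restore to a scratch directory, diff against the manifest, and return
    the record you would file as insurance evidence."""
    expected = json.loads(archive.with_suffix(".manifest.json").read_text())
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        safe_extract(archive, dest)
        actual = make_manifest(dest)
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "archive": archive.name,
        "tested_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files_expected": len(expected),
        "files_restored": len(actual),
        "missing": missing,
        "corrupt": corrupt,
        "restore_seconds": round(time.monotonic() - started, 3),
        "result": "PASS" if not (missing or corrupt) else "FAIL",
    }


def demo(simulate_skipped_file: bool = False) -> dict:
    """Build constructed sample data, back it up, and run the restore test."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "fileshare")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,42\n")
        (src / "README.txt").write_text("constructed sample data\n")
        archive = Path(work, "fileshare.tar.gz")
        create_backup(src, archive, skip=("ledger.csv",) if simulate_skipped_file else ())
        return restore_test(archive)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo(simulate_skipped_file=True), indent=2))
```

File the JSON it prints with the evidence packet: a PASS with a measured restore time is the artifact behind the "tested backups" question on the application. The traversal check in `safe_extract` is there because sooner or later you restore an archive you did not create.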
Success metrics
| Metric | Target |
|---|---|
| Insurance checklist completion | ≥ 70% "Yes" answers |
| Team assembly time | ≤ 4 hours |
| Tabletop drills completed | ≥ 1 per year |
| First blameless post-mortem completed | ✓ documented |
Walk: Get resilient.
Deliverables
- Documented playbooks. At minimum: Ransomware, Phishing, Stolen Credentials, Data Exfiltration — each with steps, decision trees, comms templates.
- SIEM deployment. Centralized logging, correlation rules for critical alerts, defined alert triage process.
- First Calm Loop. One automated workflow: detection → enrichment → notification.
- Quarterly drills. Rotated scenarios with documented lessons learned.
- Reversibility Score policy. Defines which automated actions require human approval.
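One Calm Loop iteration end to end, as an added example that is not the page's own code. A correlation rule (five or more failed logins followed by a success from the same source and user inside ten minutes) runs over constructed auth log lines, the resulting alert is enriched from constructed user and network lookups, and a notification is rendered that names the playbook to open. The log format, threshold, window, severity rule and lookup tables are all assumptions.

```python
"""One Calm Loop stage: correlate auth logs -> enrich -> notify.
Added example with constructed log lines and lookup tables; not the
page's own tooling. In production the lookups come from the IdP, CMDB
and threat intel, and notify() posts to chat or paging."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log lines, one auth event per line.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z auth sshd src=203.0.113.7 user=jsmith result=FAIL
2024-05-01T08:00:04Z auth sshd src=203.0.113.7 user=jsmith result=FAIL
2024-05-01T08:00:09Z auth sshd src=203.0.113.7 user=jsmith result=FAIL
2024-05-01T08:00:15Z auth sshd src=203.0.113.7 user=jsmith result=FAIL
2024-05-01T08:00:22Z auth sshd src=203.0.113.7 user=jsmith result=FAIL
2024-05-01T08:00:31Z auth sshd src=203.0.113.7 user=jsmith result=SUCCESS
2024-05-01T08:05:00Z auth sshd src=10.20.0.15 user=alee result=FAIL
2024-05-01T08:05:30Z auth sshd src=10.20.0.15 user=alee result=SUCCESS
"""

# Constructed enrichment sources.
USER_DIRECTORY = {"jsmith": {"title": "Finance Admin", "privileged": True},
                  "alee": {"title": "Analyst", "privileged": False}}
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=10)   # assumed rule parameters


def parse(line: str) -> dict:
    ts, _, _, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines) -> list:
    """Correlation rule: >= FAIL_THRESHOLD failures then a SUCCESS from the
    same (src, user) inside WINDOW raises one alert for that pair."""
    fails, alerts = defaultdict(list), []
    for ev in (parse(l) for l in lines if l.strip()):
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            fails[key].append(ev["ts"])
            continue
        recent = [t for t in fails[key] if ev["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({"rule": "brute_force_then_success", "src": ev["src"],
                           "user": ev["user"], "failures": len(recent),
                           "first_seen": recent[0].isoformat(),
                           "success_at": ev["ts"].isoformat()})
        fails[key].clear()   # a success ends the current burst either way
    return alerts


def enrich(alert: dict) -> dict:
    """Attach the context the IC needs to pick a severity."""
    ip = ipaddress.ip_address(alert["src"])
    user = USER_DIRECTORY.get(alert["user"], {})
    alert["src_internal"] = any(ip in net for net in CORPORATE_NETS)
    alert["user_privileged"] = user.get("privileged", False)
    # Assumed severity rule: privileged account from outside the corporate nets is SEV1.
    alert["severity"] = "SEV1" if alert["user_privileged"] and not alert["src_internal"] else "SEV2"
    alert["playbook"] = "Stolen Credentials"
    return alert


def notify(alert: dict) -> str:
    """Render the message the IC receives."""
    origin = "internal" if alert["src_internal"] else "external"
    return (f"[{alert['severity']}] open {alert['playbook']} playbook: {alert['failures']} failed "
            f"logins then success for {alert['user']} from {alert['src']} ({origin} source); "
            f"first seen {alert['first_seen']}, success at {alert['success_at']}")


def calm_loop(log_text: str) -> list:
    return [notify(enrich(a)) for a in detect(log_text.splitlines())]


if __name__ == "__main__":
    for msg in calm_loop(SAMPLE_LOGS):
        print(msg)
```

The second user in the sample (one failure, then success from a corporate address) produces nothing, which is the point of a correlation rule over a threshold rather than an alert on every failed login.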
Key transitions
From "we have a plan" to "we've tested the plan."
From manual log review to automated alert correlation.
From improvised response to playbook-driven response.
Success metrics
| Metric | Target |
|---|---|
| Mean Time to Detect (MTTD) | ≤ 24 hours |
| Mean Time to Respond (MTTR), measured from detection | ≤ 1 hour |
| Playbook coverage | ≥ 80% of incident types |
| Tabletop drill frequency | Quarterly |
| Post-mortem completion rate | ≥ 80% of incidents |
Run: Get proactive.
Deliverables
- Full Calm Loop automation. End-to-end response for high-confidence scenarios; human approval gates for any action scored RS-3 (Reversibility Score 3) or higher.
- AI-assisted triage. LLM-powered enrichment, initial analysis, recommended actions — human in the loop.
- Chaos engineering. Scheduled live-fire drills. Inject failures to test recovery.
- Threat intelligence integration. Proactive hunting, intel-driven playbook updates, preparation for emerging threats.
- Continuous improvement loop. Every incident feeds playbooks, automation, and training. Blameless post-mortems standard.
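A Reversibility Score gate as policy-as-code, serving both the Walk deliverable (the policy that says which automated actions need human approval) and the Run rule that RS-3 and above are human-gated. This is an added example, not the page's own tooling: the 0 to 4 RS scale attached to each action, the action catalogue, the confidence floor and the sample alert are all assumptions; the page fixes only that RS-3+ requires a human gate.

```python
"""Reversibility Score (RS) gate for automated response actions.
Added example, not the page's own tooling. The 0-4 RS scale, the action
catalogue, the confidence floor and the sample alert are assumptions;
the page fixes only that RS-3 and above require a human gate."""
from dataclasses import dataclass, field
from typing import Callable, Optional

HUMAN_GATE_THRESHOLD = 3   # RS-3+ never runs without a recorded approver
CONFIDENCE_FLOOR = 0.9     # below this nothing runs unattended (assumed)


@dataclass(frozen=True)
class Action:
    name: str
    reversibility: int          # 0 trivially undone ... 4 cannot be undone (assumed scale)
    run: Callable[[dict], str]  # stand-in for the EDR / IdP / firewall API call


# Constructed catalogue; each lambda represents the real integration.
CATALOGUE = {
    "tag_alert":       Action("tag_alert", 0, lambda a: f"tagged {a['id']}"),
    "isolate_host":    Action("isolate_host", 2, lambda a: f"EDR-isolated {a['host']} (un-isolate available)"),
    "disable_account": Action("disable_account", 3, lambda a: f"disabled {a['user']}, sessions revoked"),
    "wipe_host":       Action("wipe_host", 4, lambda a: f"reimage ticket opened for {a['host']}"),
}

# Constructed alert and playbook, steps in the order they should run.
RANSOMWARE_ALERT = {"id": "INC-0042", "host": "fin-ws-07", "user": "jsmith", "confidence": 0.97}
RANSOMWARE_PLAYBOOK = ["tag_alert", "isolate_host", "disable_account", "wipe_host"]


@dataclass
class Outcome:
    executed: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def run_playbook(alert: dict, steps: list, approvals: Optional[dict] = None) -> Outcome:
    """Run steps in order. Low-confidence alerts get no automation at all.
    A step at or above the threshold runs only with a recorded approver;
    otherwise it and every later step are queued, since later steps are
    usually more disruptive than the one being gated."""
    approvals = approvals or {}
    out = Outcome()
    if alert["confidence"] < CONFIDENCE_FLOOR:
        out.pending_approval.extend(steps)
        out.audit.append(f"{alert['id']}: confidence {alert['confidence']} < {CONFIDENCE_FLOOR}; all steps queued")
        return out
    for i, step in enumerate(steps):
        action = CATALOGUE[step]
        gated = action.reversibility >= HUMAN_GATE_THRESHOLD
        if gated and step not in approvals:
            out.pending_approval.extend(steps[i:])
            out.audit.append(f"{alert['id']}: {step} is RS-{action.reversibility}; waiting for approval")
            break
        who = f"approved by {approvals[step]}" if gated else "auto"
        out.audit.append(f"{alert['id']}: {step} (RS-{action.reversibility}, {who}) -> {action.run(alert)}")
        out.executed.append(step)
    return out


if __name__ == "__main__":
    first = run_playbook(RANSOMWARE_ALERT, RANSOMWARE_PLAYBOOK)
    print("\n".join(first.audit))
    # The IC approves one gated step; resume from the queue with that approval.
    second = run_playbook(RANSOMWARE_ALERT, first.pending_approval, {"disable_account": "ic-oncall"})
    print("\n".join(second.audit))
```

Two design choices worth keeping when you adapt this: the approver's identity goes into the audit line, so the post-mortem can see who accepted an RS-3 action and when, and an approval covers one step only, so approving `disable_account` never lets `wipe_host` ride along behind it.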
Advanced capabilities
Predictive analytics for high-risk patterns. Cross-team automation across security, IT, and DevOps. Supply-chain incident playbooks. Cloud-native IR for containers, serverless, and multi-cloud.
Success metrics
| Metric | Target |
|---|---|
| Mean Time to Contain (MTTC) | ≤ 15 minutes (automated) |
| Automation coverage | ≥ 70% of common incidents |
| False positive rate | < 10% |
| Chaos drill frequency | Monthly |
| Post-mortem closure rate | ≥ 90% within 5 business days |
This is staged operational work. Every loop iteration earns the next one.