IR 2.0 Framework · v0.1.0
DOCUMENT 04 / 05 · THE PROGRAM

30 / 60 / 90 Day Plan.

Your practical, week-by-week path to a working IR 2.0 program.

Designed to be achievable alongside the day job. Each task is small enough to finish in an afternoon and load-bearing enough to compound. Three checkpoints — at days 30, 60, and 90 — mark the work that has actually moved the program forward.

Series: IR 2.0
Document: 04 of 05
Version: 0.1.0 · 2026
License: CC BY 4.0
04 / 30·60·90
How to use this

Don't try to do everything at once. Focus on one task per day. Consistency beats intensity. Check items off as you complete them; carry incomplete items forward without renegotiating the rest of the schedule.

30

Foundation.

"Get your house in order" — assess current state, baseline documentation, quick wins.
Days 1 – 30
WEEK 01 · Assessment
  1. Download a cyber-insurance application — your free gap assessment.
  2. Complete the insurance checklist. Every "No" is a project.
  3. Inventory current security tools. What you have, what's missing.
  4. Identify IR stakeholders: IT, Legal, HR, Comms, executive sponsor.
  5. Document current backup status. Backed up? Tested? Immutable?
WEEK 02 · Quick wins
  1. Enable MFA on all admin accounts, email, and VPN.
  2. Verify EDR coverage — every endpoint has an agent and is reporting.
  3. Test one backup restoration. Document time, success, issues.
  4. Build the emergency contact list — personnel, vendors, legal, broker.
WEEK 03 · Documentation
  1. Draft the IR One-Pager — severity levels, roles, escalation triggers.
  2. Define incident severities (P1 / P2 / P3 / P4 or Critical → Low).
  3. Document IR communication channels (Slack, Teams, email DL).
  4. Draft comms templates — internal, customer, press.
WEEK 04 · Validation
  1. Review IR One-Pager with stakeholders. Get feedback and buy-in.
  2. Schedule first tabletop drill for days 45 – 60. Send invites.
  3. Open the shared evidence folder for insurance documentation.
  4. Create blameless post-mortem template. Have it ready before the first tabletop — the team should know how to run a post-mortem before they need one.
  5. Brief the executive sponsor. Frame gaps as risk items.
Checkpoint · Day 30: IR One-Pager drafted · Big 3 controls verified · insurance gaps identified · first tabletop scheduled.
IR 2.0 · 30 / 60 / 90 Day Plan v0.1.0 · © 2026 Deretti Cyber Labs · CC BY 4.0 02
60

Playbooks & Practice.

"From plan to practice" — build the first playbooks and run the first drill.
Days 31 – 60
WEEK 05 · First playbook
  1. Build Playbook #1 — Endpoint Quarantine + Identity Revoke.
  2. Document manual endpoint-isolation steps in your EDR.
  3. Document manual identity / session revocation in your IdP.
WEEK 06 · More playbooks
  1. Build Playbook #2 — Phishing Burst Response.
  2. Build Playbook #3 — SaaS Consent Kill.
  3. Review playbooks with the technical team. Steps accurate?
WEEK 07 · Tabletop prep
  1. Develop tabletop scenario (suggest: ransomware on file server). Write inject cards.
  2. Prepare materials — scenario brief, role cards, timeline.
  3. Send pre-reads. Remind participants of date and time.
  4. Dry-run with one colleague. Adjust timing and injects.
WEEK 08 · Execute & learn
  1. Run the first tabletop (60–90 min). Document observations.
  2. Conduct blameless post-mortem (not a debrief — language matters). Document: what happened, what worked, what didn't, what changes by next drill. This is a Culture artifact, not a formality.
  3. Update One-Pager and playbooks based on findings.
  4. Brief sponsor on results — gaps, remediation, momentum.
Checkpoint · Day 60: Three playbooks documented · first tabletop completed · lessons captured · IR program actively improving.
90

Automation & Improvement.

"From manual to automated" — first Calm Loop and a continuous-improvement cadence.
Days 61 – 90
WEEK 09 · Automation planning
  1. Identify first automation candidate — alert enrichment workflow.
  2. Document the manual steps it replaces. Measure current time.
  3. Define Reversibility Score for each automated action.
  4. Draft RS policy — RS 1/2 auto-execute · RS 3+ require approval.
WEEK 10 · First automation
  1. Build first automation — alert → enrich → ticket → notify.
  2. Test in non-prod or with low-severity alerts first.
  3. Document trigger, steps, expected output, rollback procedure.
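
Added example (not part of the IR 2.0 framework's own material): the Week 09 and Week 10 items combined into one alert → enrich → ticket → notify pipeline, where each step carries a Reversibility Score and a documented rollback, RS 1/2 steps auto-execute, and RS 3+ steps are held until a named approver is supplied. The step functions, the RS value assigned to each step, the alert fields, the asset inventory, and the extra `isolate_host` step are assumptions made for illustration.

```python
AUTO_MAX_RS = 2  # page policy: RS 1/2 auto-execute, RS 3+ require approval

# Constructed sample data (not real): one asset record and one low-severity alert.
ASSETS = {"ws-042": {"owner": "finance", "critical": False}}
SAMPLE_ALERT = {"id": "A-1001", "severity": "P3", "rule": "suspicious-login", "host": "ws-042"}

def enrich(ctx):
    # Unknown hosts are treated as critical so a missing inventory entry is visible.
    ctx["asset"] = ASSETS.get(ctx["alert"]["host"], {"owner": "unknown", "critical": True})

def ticket(ctx):
    a = ctx["alert"]
    ctx["ticket"] = {"title": f"[{a['severity']}] {a['rule']} on {a['host']}",
                     "owner": ctx["asset"]["owner"]}

def notify(ctx):
    ctx["notice"] = f"IR: {ctx['ticket']['title']} (owner: {ctx['ticket']['owner']})"

def isolate_host(ctx):
    ctx["isolated"] = ctx["alert"]["host"]  # stand-in for a real EDR isolation call

# (step, assumed Reversibility Score, documented rollback procedure)
STEPS = [
    (enrich, 1, "none: read-only lookup"),
    (ticket, 1, "close the ticket as created in error"),
    (notify, 2, "post a retraction in the IR channel"),
    (isolate_host, 3, "release the host from isolation in the EDR console"),
]

def run(alert, approvals=None):
    """Run steps in order; hold any RS 3+ step that has no named approver."""
    approvals = approvals or {}
    ctx = {"alert": alert, "executed": [], "held": []}
    for fn, rs, rollback in STEPS:
        approver = approvals.get(fn.__name__)
        if rs <= AUTO_MAX_RS or approver:
            fn(ctx)
            ctx["executed"].append((fn.__name__, rs, approver or "auto"))
        else:
            ctx["held"].append({"step": fn.__name__, "rs": rs, "rollback": rollback})
    return ctx

if __name__ == "__main__":
    first = run(SAMPLE_ALERT)
    print("executed:", first["executed"])
    print("held    :", first["held"])
    print("approved:", run(SAMPLE_ALERT, {"isolate_host": "oncall-lead"})["executed"][-1])
```

The `held` list is what an approver would review: it names the step, its RS, and the rollback that applies if the action is later reversed.
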
WEEK 11 · Metrics
  1. Define IR KPIs — MTTD, MTTR, incident type, false-positive rate.
  2. Set up basic metrics tracking (a spreadsheet is fine to start).
  3. Establish baseline metrics from recent incidents.
  4. Build remaining playbooks — Stolen Credential · Data Exfil.
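
Added example (not part of the IR 2.0 framework's own material): computing the Week 11 baseline for items 1 to 3 from a spreadsheet export. The column names and sample rows are constructed, and the definitions are assumptions: MTTD is occurred → detected, MTTR is detected → resolved, both over confirmed incidents only, and false-positive rate is false positives over all recorded rows.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample rows (not real incidents). An empty cell means "not yet known".
SAMPLE_CSV = """id,type,occurred,detected,resolved,false_positive
I-1,phishing,2026-01-05T09:00,2026-01-05T09:30,2026-01-05T11:30,no
I-2,malware,2026-01-12T02:00,2026-01-12T06:00,2026-01-13T06:00,no
I-3,phishing,2026-01-20T14:00,2026-01-20T14:10,2026-01-20T14:40,yes
I-4,stolen-credential,2026-02-02T08:00,2026-02-02T10:00,,no
"""

def _hours(start, end):
    """Elapsed hours between two ISO timestamps, or None if either is missing."""
    if not start or not end:
        return None
    seconds = (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds()
    if seconds < 0:
        # A negative interval is a data-entry error; surface it instead of averaging it.
        raise ValueError(f"end {end} precedes start {start}")
    return seconds / 3600

def baseline(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # False positives are counted for the rate but excluded from MTTD/MTTR.
    real = [r for r in rows if r["false_positive"].strip().lower() != "yes"]
    ttd = [h for r in real if (h := _hours(r["occurred"], r["detected"])) is not None]
    ttr = [h for r in real if (h := _hours(r["detected"], r["resolved"])) is not None]
    return {
        "mttd_hours": round(mean(ttd), 2) if ttd else None,
        "mttr_hours": round(mean(ttr), 2) if ttr else None,
        "by_type": dict(Counter(r["type"] for r in real)),
        "false_positive_rate": round((len(rows) - len(real)) / len(rows), 2) if rows else None,
        # Still-open incidents are listed, not silently dropped from the picture.
        "open_incidents": [r["id"] for r in real if not r["resolved"]],
    }

if __name__ == "__main__":
    for key, value in baseline(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```
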
WEEK 12 · Continuous improvement
  1. Schedule quarterly tabletop drills for the next 12 months.
  2. Review and iterate on the blameless post-mortem template (created Week 4). Refine based on what the first tabletop actually surfaced.
  3. Update insurance documentation with new evidence.
  4. Build 90-day summary for the executive sponsor.
  5. Celebrate. The foundation is built.
Checkpoint · Day 90: Five playbooks live · first automation in production · metrics baseline established · quarterly drill cadence on the calendar · insurance-ready documentation · first blameless post-mortem documented · near-miss reporting channel established · responder rotation defined (if team size permits).

Days 91 – 180 · Walk

  • Deploy SIEM if not already in place
  • Build more automated Calm Loops
  • Expand playbook coverage to 80%+
  • Integrate threat-intelligence feeds

Days 181 – 365 · Run

  • AI-assisted triage in production
  • Chaos engineering / live-fire drills
  • Full Calm Loop automation
  • Continuous improvement culture