Contribute.
IR 2.0 is an open framework. Pull requests, war stories, and Pack proposals welcome.
The framework gets better when more programs argue with it. Four ways to push back, share field notes, or ship a new Pack — plus the licenses that make it boring to do so.
Four directions. Pick one.
Every direction has a clear "what landed" bar. Open an issue first if you're unsure where a contribution fits.
Propose a new Pack.
Have a runbook that earned its keep — Kubernetes IR, AI guardrails, OT/ICS, vendor coordination? Submit it as a Pack with the four-section template (Trigger · Owners · Steps · Verification).
Share a field report.
Adopted Crawl in 30 days? Hit a wall at Walk? Numbers and dead-ends are equally useful. Field reports get cited in future releases with attribution (or anonymized on request).
Improve the docs.
Clarifications, broken links, awkward phrasings, better diagrams, translations. Small PRs against the HTML sources get the fastest review.
Map a control.
Today, mapping contributions land in framework/mappings/ (NIST CSF, NIST 800-61, CIS Controls). The Common Controls Backbone (CCB) — one control mapped to NIST, ISO, SOC 2, PCI, HIPAA at once — is a v1.0 target; until then, single-framework mappings build the foundation it will sit on.
Maintained by two. Steered by everyone using it.
A small core team owns the project. RFC-style proposals decide what lands in v0.2, v1.0, and beyond.
Two decades of incident response across financial services, SaaS, and critical infrastructure. Wrote the original IR 1.0 program at three orgs and decided once was enough.
Runs the publication cadence, the field-report intake, and the contributor experience. The reason PRs get reviewed inside a week instead of a quarter.
Boring on purpose. Take it. Ship it. Attribute it.
Prose under Creative Commons BY 4.0; code samples and templates under MIT. Use it commercially, fork it, embed it in your runbooks. Just credit the source. Attribution snippets for each of the lab's three streams are below.
The two licenses.
Two licenses cover everything in the repo. Pick the one that matches what you're using.
How to cite — IR 2.0 — drop into a paper, deck, or runbook footer:
Deretti, T. (2026). IR 2.0: A Modular Operating Model for Resilient, Defensible, Security-by-Default Operations (v0.1.0). Deretti Cyber Labs. https://deretticyberlabs.com/ir2/ — CC BY 4.0.
<a href="https://deretticyberlabs.com/ir2/">IR 2.0 Framework</a> by Tiago Deretti / Deretti Cyber Labs is licensed under <a href="https://creativecommons.org/licenses/by/4.0/">CC BY 4.0</a>. Code samples MIT-licensed.
How to cite — /quantum/ (Post-Quantum Cryptography)
Deretti, T. (2026). Post-Quantum Cryptography: A Practitioner's Guide for Operators Below Hyperscaler Scale (v0.2.0). Deretti Cyber Labs. https://deretticyberlabs.com/quantum/ — CC BY 4.0.
<a href="https://deretticyberlabs.com/quantum/">Post-Quantum Cryptography</a> by Tiago Deretti / Deretti Cyber Labs is licensed under <a href="https://creativecommons.org/licenses/by/4.0/">CC BY 4.0</a>. Code samples MIT-licensed.
How to cite — Threat Research — replace title and slug per entry:
Deretti, T. (year). [Entry Title], Threat Research Archive. Deretti Cyber Labs. https://deretticyberlabs.com/research/[active|archive]/[slug] — CC BY 4.0.
<a href="https://deretticyberlabs.com/research/archive/[slug]">[Entry Title]</a> by Tiago Deretti / Deretti Cyber Labs is licensed under <a href="https://creativecommons.org/licenses/by/4.0/">CC BY 4.0</a>.
For entries dated before the publication of the Threat Research Archive on this site, retain the original publication year of the research; the archive is the citable home, not the origination date.
Three doors. Pick the loudest one.
Choose the channel that fits the message. PRs and issues are public; email is for everything else.