FRAMEWORK · v0.1.0 · 2026

IR 2.0.

A modular operating model for resilient, defensible, security-by-default operations.

Most incident response programs are built to survive a fire. IR 2.0 is built to prevent one — composable, evidence-based, and adoptable from a 3-person team to a 3,000-person enterprise.

What IR 2.0 is

IR 2.0 is the incident-response component of the Deretti Cyber Labs framework. It gives teams a structured way to declare an incident, log decisions, preserve evidence, learn from what happened, and produce a defensible record. The framework operates as a Calm Loop — Sense → Decide → Act → Learn — applied continuously as an operating posture, not activated only after an alarm.

Who IR 2.0 is for

IR 2.0 scales from small teams without dedicated security staff to organizations with mature operational capacity that lack a structured IR program. The Crawl → Walk → Run progression is what makes the scaling work: a team starts where it is, not where a Fortune 100 SOC starts. The framework is built for any team that values evidence discipline, calm operational posture, and defensible decision-making in incident response.

What IR 2.0 is not

IR 2.0 is not a compliance framework, an insurance product, or a substitute for professional incident response, legal counsel, or insurance brokers. It does not replace NIST CSF, NIST SP 800-61, or CIS Controls; it maps to them. Using IR 2.0 does not certify your program or guarantee any outcome with insurers, regulators, or clients.

Where IR 2.0 fits

Deretti Cyber Labs publishes IR 2.0 as the incident-response component of a broader framework. Future Cyber Labs packs (Foundations, Assurance, Insurance Readiness, sector-specific guidance) will extend reach into broader cybersecurity program work. IR 2.0 is the first of those, not the whole.

Who This Is For

Four entry points. One framework.

IR 2.0 is a framework, not a product promise. It defines a common operating model — same structure, different implementation weight — that scales from manual evidence discipline on a lean team to automated containment at enterprise scale.

Security & infrastructure teams

Use it to reduce improvisation and make response repeatable — the same four moves, every time, regardless of the incident class.

Executives & boards

Use the Governance pillar to understand readiness in business-risk terms: decision rights, evidence currency, and response SLAs they can report on.

Insurers, brokers & auditors

Use the evidence model to evaluate whether controls are documented, tested, and current — not just claimed.

Small teams & MSPs

Use the Crawl phase to establish a minimum viable incident-response operating model without waiting for enterprise tooling or headcount.

01
Premise

The model we inherited was always temporary.

IR 1.0 treated incidents as rare exceptions requiring heroics. The world stopped cooperating. The frameworks were never the problem. NIST, ISO, SOC 2, HIPAA — they define what good looks like. What failed was the operating posture that grew up around them: runbook-and-escalate, heroics-on-call, compliance-as-checkbox. IR 2.0 is the replacement for that posture — not the standards. It sits on the shoulders of frameworks that already exist and gives them an operating model that scales to the reality of each organization, whether it is starting with NIST CSF or running a mature enterprise program.

— IR 1.0 · The way it was

Reactive firefighting.

  • Alert fatigue, unclear roles
  • Security bolted on after the fact
  • 3 a.m. panic, improvised responses
  • Audit-driven, not outcome-driven
  • Fragmented controls, duplicated effort

— IR 2.0 · The way forward

Engineered resilience.

  • Security-by-default architecture
  • Reversibility-gated automation
  • Insurable, auditable, evidence-based
  • Outcome-driven, modular, testable
  • One Common Controls Backbone (CCB)

02
The Framework

Four pillars. One operating model.

Each pillar answers a different question. Together they form a load-bearing structure — strong enough to fail safely, simple enough to adopt incrementally. Each contains swappable Packs you can deploy independently.

PILLAR 01

Governance

The Why & The Proof

Decision rights, IR plan, RACI & 3 AM call tree, KPIs, insurer baseline. The pillar that gets you board-readable and underwriter-readable.

Module · Governance & Accountability

PILLAR 02

Architecture

The Blast-Radius Reducer

Big-3 controls, asset baseline, segmentation, crown-jewel maps, cloud-native & Kubernetes IR. Recoverability as a property of the system.

Module · Architecture & Resiliency

PILLAR 03

Technology

The Repeatable Containment

Top-10 playbooks, Calm-Loop scripts, Reversibility Score gating, LLM enrichment, supply-chain & third-party breach drills.

Module · Technology & Automation

PILLAR 04

Culture

The Sustainability Layer

Report training, blameless post-mortems, chaos-day kits, burnout & rotation, psych safety, near-miss incentives. The reason the system holds.

Module · Culture & Evolution

03
The Calm Loop

Every response. Same four moves.

Sense → Decide → Act → Learn. The loop that ties the pillars together at runtime — and the only shape every playbook in this framework takes.

STEP 01

Sense

Detect & enrich

Ingest signal, normalize evidence, attach context. The loop starts when an indicator earns a ticket.

STEP 02

Decide

Decision rights · RS gates

Who owns it, what the playbook says, whether the action is reversible. The decision is the artefact.

STEP 03

Act

Execute & verify rollback

Run the playbook. Confirm rollback works before you need it. Containment without recoverability is a guess.

STEP 04

Learn

Update architecture

Blameless post-mortem feeds back into pillars 1–3. The loop closes when the next incident is shorter.

04
First Principles

Six rules that decide every trade-off.

When the framework and the calendar disagree, these are the tie-breakers.

P · 01

Security by default

Least privilege, segmentation, and immutable backups are defaults — not projects with budgets.

P · 02

Modular by construction

Each pillar contains swappable Packs. Adopt what you need, when you need it. No big-bang programs.

P · 03

One control, many checkboxes

The Common Controls Backbone (CCB) maps once to NIST, ISO, SOC 2, PCI, HIPAA, and back.

P · 04

Evidence as data

Tickets, logs, and test results are the only accepted proof. No ceremony, no PowerPoint as evidence.

P · 05

Reversibility-gated automation

Automation advances only as far as it can roll back fast. RS-1 manual through RS-5 auto-contain — see the Top 5 playbooks for how RS gating is applied per incident class.

P · 06

Calm Loop discipline

Every response is Sense → Decide → Act → Learn. If a step is missing, the response isn't a response.

How to read the numbers

The percentages and SLAs in this roadmap are target-state maturity indicators, not universal guarantees. Each metric must be calibrated to the organisation's environment, incident classes, evidence sources, and acceptable business-risk thresholds before it is used for audit, insurance, or executive reporting.

05
The Roadmap

Crawl. Walk. Run.

Three phases, named for the level of automation they support — and the level of trust the rest of the business can place in your response. Each phase ships its own deliverables and proves it landed with metrics.

PHASE 01

Crawl.

The insurable baseline.
  • Outcome: One-page IR plan, Big-3 controls, ≥70% compliance, basic training
  • Cadence: Manual response · RS-1
  • Proves: Time-to-Assemble · Compliance Score · Evidence freshness

PHASE 02

Walk.

The resilient foundation.
  • Outcome: First tabletop, MTTD/MTTR measured, drills ≥80% pass, segmentation started
  • Cadence: Semi-auto · RS-2 / RS-3
  • Proves: Drill Success Rate · Alert Fatigue Index · Handoff Latency

PHASE 03

Run.

The evolved model.
  • Outcome: Breach Survival Score ≥95%, Zero-Trust defaults, AI/SOAR integrated, ROI tracked, post-mortem closure rate ≥90%
  • Cadence: Full-auto · RS-4 / RS-5
  • Proves: Auto-triage Rate · AR Debt Trend · Premium Delta

Breach Survival Score — defined

A composite maturity indicator measuring whether critical services, evidence sources, backups, decision rights, containment paths, and rollback procedures remain usable during a defined incident scenario. It is not a guarantee that breaches will not occur. It measures whether the organisation can keep operating, contain damage, preserve evidence, and recover without improvisation.

06
Phase SLAs

The numbers each phase has to hit.

Concrete service levels for war-room assembly and containment. If you can't hit the row above, don't claim the row below.

Table 06.1 — Phase SLAs

IR 2.0 phase service-level targets: war-room assembly time, first-containment time, verification cadence, and Reversibility Score automation gate per maturity phase (Crawl, Walk, Run).

Phase | War-room assembly | First containment | Verification                                         | Automation gate
------|-------------------|--------------------|------------------------------------------------------|----------------
Crawl | ≤ 4 h             | ≤ 24 h             | 3 AM call tree current; quarterly evidence pull.     | RS-1 manual
Walk  | ≤ 1 h             | ≤ 2 h              | Quarterly tabletop · quarterly restore test.         | RS-2 / RS-3
Run   | ≤ 15 m            | ≤ 5 m auto-contain | Verified rollback per playbook · monthly chaos day.  | RS-4 / RS-5

Targets are organisation-specific; calibrate per "How to read the numbers" (above) before using them for audit, insurance, or executive reporting.

Start with the one-pager.

The Week 1 Starter Kit — IR one-pager, 3 AM call tree, Big-3 controls, first Calm-Loop script, evidence folder, insurer baseline. A small team can produce a usable pre-Crawl starter layer in five afternoons, then complete Crawl against the 30-day target.

For a small team, "ship" means producing the first usable operating layer: named owners, a current call tree, a critical asset list, Big-3 control evidence, one Calm-Loop response script, and a basic evidence folder. It does not mean full automation, complete control maturity, or Run-phase capability. That comes later — and the roadmap shows exactly how.

Four contribution paths — Pack proposals, field reports, doc improvements, standards-mapping contributions. Maintainers review within a week.

07
The Series

Five volumes. One framework.

Each volume stands alone but maps to the others through the Common Controls Backbone.