COMPANION · BY TEAM SIZE

By team size.

Three playbooks for adopting IR 2.0 — small, medium, large. Same framework, different cadence.

Team size determines order, not destination. A 5-person SaaS startup and a 5,000-person bank both end up at Run — but the path looks very different in week one.

PLAYBOOK · 01

Small.

3–10 people. One security person, sometimes none.

Start · This week
  1. Write the One-Pager IR plan. Print it. Tape it above the on-call laptop.
  2. Document the 3 AM call tree with current contacts. Test it.
  3. Deploy the Big-3 controls — MFA on admin/remote, EDR everywhere, immutable backups.
  4. Run the cyber-insurance readiness self-assessment. Capture your baseline and gap list.
  5. Stay at Reversibility Score 1–2. Don't automate what you can't safely roll back.
  6. Pick one Top-10 Playbook. Run it once on a Friday.
PILLAR OWNERS: Founder · CTO · MSP partner

PLAYBOOK · 02

Medium.

10–50 people. Dedicated SecOps, no formal IR program yet.

Crawl · 30 days
  1. Complete Crawl in 30 days — finish all six Small steps as a tracked milestone.
  2. Assign a named owner per pillar. Decision rights go on the org chart.
  3. Target 2–3 Packs per quarter. Schedule the next four.
  4. Run the first tabletop in week 6. Blameless post-mortem in week 7.
  5. Begin RS-3 experiments — semi-automated containment with human approval.
  6. Stand up the KPI dashboard. MTTD, MTTR, drill pass rate, evidence freshness.
PILLAR OWNERS: CISO · SecOps lead · IT lead · People ops

PLAYBOOK · 03

Large.

50+ people. Existing IR program, multi-region, audited.

Walk · ≤ 6 months
  1. Form a named IR 2.0 program team. Charter, RACI, weekly steering.
  2. Run divisional pilots. Two business units in parallel beats one big-bang rollout.
  3. Deploy the Common Controls Backbone (CCB) immediately — collapse audit duplication.
  4. Map the full automation roadmap RS-2 → RS-5. Gate each step on rollback proof.
  5. Integrate with insurance & legal early. Track premium movement as a Run-tier external signal.
  6. Publish quarterly Field Reports back to the framework. Govern the Pack catalog you ship internally.
PILLAR OWNERS: CISO · Resilience lead · Automation eng · L&D

CHECKLIST · WEEK 1

Starter Kit.

Seven actions a 3-person team can finish this week. Each maps to a Pack you can deepen later. None of them require new tooling.

  • Download & customize the One-Pager IR template. Names, numbers, vendor escalation paths. · STARTER PACK
  • Document your 3 AM call tree with current contacts. Send a test page. · STARTER PACK
  • Verify Big-3 controls: MFA (admin/remote), EDR (everywhere), backups (immutable, tested restore). · STARTER PACK
  • Write your first Calm-Loop script — start with endpoint quarantine + identity revoke. · PLAYBOOKS (v0.2)
  • Create the evidence folder in your ticketing system. One folder per incident class. · STARTER PACK
  • Run the cyber-insurance readiness assessment. Capture the baseline score and the gap list. · STARTER PACK
  • Schedule a recurring 30-minute review. Same time every month. Standing agenda. · STARTER PACK

Team size      | Crawl complete     | Walk complete | Run target   | Owner pattern
Small · 3–10   | 30 days            | 6 months      | 12–18 months | Founder + MSP. Lean on managed EDR + MDR.
Medium · 10–50 | 14 days            | 3–6 months    | 9–12 months  | Named pillar owners. SecOps + IT + People split.
Large · 50+    | CCB-first, 14 days | ≤ 6 months    | 9 months     | Program team, divisional pilots, weekly steering.