
Free Process Template

Free Security Runbook

Security procedures for [threat] detection and response


Security Runbook

Use this template to document security procedures for [threat] detection and response.

Template Metadata

| Field          | Details                                      |
|----------------|----------------------------------------------|
| Category       | Process                                      |
| Owner          | [Team or owner]                              |
| Version        | [Version number]                             |
| Effective Date | [Date]                                       |
| Review Cycle   | [Monthly / Quarterly / Annual / Event-based] |
| Status         | [Draft / In Review / Approved]               |

Threat Overview

Description of the threat type and potential impact.

| Item                  | Details                                               | Owner   | Status            |
|-----------------------|-------------------------------------------------------|---------|-------------------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Detection Indicators

IOCs, alerts, and log patterns that indicate this threat.

| Item                  | Details                                               | Owner   | Status            |
|-----------------------|-------------------------------------------------------|---------|-------------------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Containment

Immediate steps to limit the threat's impact.

| Item                  | Details                                               | Owner   | Status            |
|-----------------------|-------------------------------------------------------|---------|-------------------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Eradication

Steps to remove the threat from the environment.

| Item                  | Details                                               | Owner   | Status            |
|-----------------------|-------------------------------------------------------|---------|-------------------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Recovery

Steps to restore normal operations.

| Item                  | Details                                               | Owner   | Status            |
|-----------------------|-------------------------------------------------------|---------|-------------------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Evidence Collection

What to preserve for forensic analysis.

| Item                  | Details                                               | Owner   | Status            |
|-----------------------|-------------------------------------------------------|---------|-------------------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Reporting

Who to notify and required compliance reports.

| Item                  | Details                                               | Owner   | Status            |
|-----------------------|-------------------------------------------------------|---------|-------------------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Review and Signoff

Document review conclusions, approvals, unresolved items, and next review date.

| Role     | Name   | Date   | Notes   |
|----------|--------|--------|---------|
| Preparer | [Name] | [Date] | [Notes] |
| Reviewer | [Name] | [Date] | [Notes] |
| Approver | [Name] | [Date] | [Notes] |

Template Structure

What the Security Runbook Includes

Use this process template as a starting point, then customize each section to match your internal workflow, evidence, and signoff needs.

  1. Threat Overview: Description of the threat type and potential impact.
  2. Detection Indicators: IOCs, alerts, and log patterns that indicate this threat.
  3. Containment: Immediate steps to limit the threat's impact.
  4. Eradication: Steps to remove the threat from the environment.
  5. Recovery: Steps to restore normal operations.
  6. Evidence Collection: What to preserve for forensic analysis.
  7. Reporting: Who to notify and required compliance reports.

Recommended Structure

Write a Security Runbook. Structure with:

  • Threat Overview: Description of the threat type and potential impact.
  • Detection Indicators: IOCs, alerts, and log patterns that indicate this threat.
  • Containment: Immediate steps to limit the threat's impact.
  • Eradication: Steps to remove the threat from the environment.
  • Recovery: Steps to restore normal operations.
  • Evidence Collection: What to preserve for forensic analysis.
  • Reporting: Who to notify and required compliance reports.

Use Markdown with code blocks. Write for urgency.

Example Filled Template

Security Runbook: Compromised API Key Response

Threat Overview

A production API key has been exposed (e.g., committed to public repository, found in logs, reported by user). The key may allow unauthorized access to customer data and service operations.

Detection Indicators

  • GitHub Secret Scanning alert
  • Unusual API usage patterns from unknown IPs
  • Customer report of unauthorized access
  • CloudTrail showing API calls from unexpected regions

Containment (Do Immediately)

  1. Revoke the compromised key:

```bash
# Disable the key in the API gateway. KEY_ID and ADMIN_TOKEN are placeholders
# for the exposed key's identifier and an administrator token.
curl -X PATCH "https://admin.internal/api/keys/KEY_ID" \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"status": "revoked"}'
```

  2. Block source IPs making unauthorized requests:

```bash
# Add the offending address to the WAF IP set "blocked-ips" (WAFv2 syntax).
# IP_SET_ID and LOCK_TOKEN are placeholders returned by `aws wafv2 get-ip-set`.
# --addresses replaces the whole list, so include every address that should
# stay blocked, not only the new one.
aws wafv2 update-ip-set --name "blocked-ips" --scope REGIONAL \
  --id "IP_SET_ID" --lock-token "LOCK_TOKEN" \
  --addresses "1.2.3.4/32"
```

  3. Rotate any related credentials (database passwords, OAuth secrets) if the key had broad access.

Evidence Collection

  • Export CloudTrail logs for the key: last 30 days
  • Capture API gateway access logs matching the key
  • Screenshot the source of exposure (public repo, paste site)
  • Record timeline of events in incident channel
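The two log-based indicators in the Detection Indicators list (calls from unknown IPs, calls from unexpected regions) and the event timeline the Evidence Collection list asks for, worked through in Python as an added example that is not part of the Docsie template. The access key ID, IP addresses, regions and CloudTrail-style events are constructed placeholders, and the sets of expected regions and known IPs are assumptions about where the key is legitimately used.

```python
"""Added example for the compromised-API-key runbook; not part of the Docsie template.

Runs the two log-based detection indicators (API calls from unknown IPs, API
calls from unexpected regions) over CloudTrail-style events for the suspect
key, then builds the evidence timeline for the incident channel. Every event,
key ID, IP and region below is a constructed placeholder.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Hypothetical policy for the key under investigation (constructed values).
SUSPECT_KEY = "AKIAEXAMPLEKEY000001"   # placeholder access key ID, not a real key
EXPECTED_REGIONS = {"us-east-1"}       # where this key is legitimately used
KNOWN_IPS = {"203.0.113.10"}           # e.g. the CI runner (TEST-NET-3 documentation range)

# Constructed CloudTrail-like records (a subset of the real CloudTrail fields).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": SUSPECT_KEY}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": SUSPECT_KEY}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "GetObject",
     "awsRegion": "eu-west-3", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": SUSPECT_KEY}},
    {"eventTime": "2024-05-01T10:08:00Z", "eventName": "DescribeInstances",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},  # another key: out of scope
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "PutObject",
     "awsRegion": "eu-west-3", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": SUSPECT_KEY}},
]


@dataclass(frozen=True)
class Finding:
    """One API call by the suspect key that matched at least one indicator."""
    event_time: str
    source_ip: str
    region: str
    event_name: str
    reasons: tuple[str, ...]


def triage_events(events, key_id=SUSPECT_KEY, expected_regions=EXPECTED_REGIONS,
                  known_ips=KNOWN_IPS) -> list[Finding]:
    """Return the suspect key's calls that hit an indicator, oldest first."""
    findings = []
    for event in events:
        if event.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue  # only the compromised key is in scope
        reasons = []
        if event.get("sourceIPAddress") not in known_ips:
            reasons.append("unknown source IP")
        if event.get("awsRegion") not in expected_regions:
            reasons.append("unexpected region")
        if reasons:
            findings.append(Finding(event["eventTime"], event["sourceIPAddress"],
                                    event["awsRegion"], event["eventName"],
                                    tuple(reasons)))
    # CloudTrail eventTime is ISO 8601 in UTC, so lexical order is chronological.
    findings.sort(key=lambda f: f.event_time)
    return findings


def evidence_timeline(findings: list[Finding]) -> str:
    """Markdown table for the incident channel: one row per flagged call."""
    rows = ["| Time (UTC) | Source IP | Region | API call | Indicators |",
            "|---|---|---|---|---|"]
    for f in findings:
        rows.append(f"| {f.event_time} | {f.source_ip} | {f.region} | "
                    f"{f.event_name} | {', '.join(f.reasons)} |")
    return "\n".join(rows)


def block_candidates(findings: list[Finding]) -> list[str]:
    """Unknown IPs as /32 CIDRs, most active first, for analyst review before
    they go into the WAF IP set used in the Containment step."""
    counts = Counter(f.source_ip for f in findings if "unknown source IP" in f.reasons)
    return [f"{ip}/32" for ip, _ in counts.most_common()]


if __name__ == "__main__":
    flagged = triage_events(SAMPLE_EVENTS)
    print(evidence_timeline(flagged))
    print("Block candidates:", block_candidates(flagged))
```

On the constructed sample the normal call from the CI runner is not flagged, the two calls from 198.51.100.7 are (the second one also for region), and the final call from the known IP is flagged on region alone, which is the case a plain IP allow-list would miss. The block-candidate list is deliberately a review queue rather than an automatic WAF update, because the unknown-IP check is only as good as the known-IP set.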

Reporting

  • Internal: Notify Security Lead + CTO within 1 hour
  • Compliance: If customer data accessed, GDPR notification within 72 hours
  • Customers: Individual notification if their data was accessed

Skip Manual Drafting

Generate a Security Runbook from a Video

Record a walkthrough, training session, or process demonstration. Docsie AI turns it into structured documentation using this template as the starting framework.

Use the template manually, or let Docsie generate the first draft from source footage.

  • DOCX, PDF, and Markdown downloads
  • Works with process and training videos

Template FAQ

Security Runbook FAQ

Common questions about using and generating a Security Runbook.

Using This Template

Q: What is a Security Runbook?

A: A Security Runbook is a structured document that records security procedures for [threat] detection and response.

Q: Can I download this Security Runbook as Word or PDF?

A: Yes. This page includes free downloads in DOCX, PDF, and Markdown formats so you can edit, share, or import the template into your documentation system.

Q: Can Docsie generate this from a video?

A: Yes. Upload a process walkthrough, training recording, or screen capture to Docsie, then use this template structure to generate a first draft automatically.