
Free Process Template

Free Security Runbook Template

Download a free security runbook template in Word, PDF, or Markdown. Or turn any video into a security runbook template with Docsie AI, which auto-fills every required field.


Security Runbook

Use this template to document security procedures for [threat] detection and response.

Template Metadata

| Field | Details |
| --- | --- |
| Category | Process |
| Owner | [Team or owner] |
| Version | [Version number] |
| Effective Date | [Date] |
| Review Cycle | [Monthly / Quarterly / Annual / Event-based] |
| Status | [Draft / In Review / Approved] |

Threat Overview

Description of the threat type and potential impact.

| Item | Details | Owner | Status |
| --- | --- | --- | --- |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Detection Indicators

IOCs, alerts, and log patterns that indicate this threat.

| Item | Details | Owner | Status |
| --- | --- | --- | --- |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Containment

Immediate steps to limit the threat's impact.

| Item | Details | Owner | Status |
| --- | --- | --- | --- |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Eradication

Steps to remove the threat from the environment.

| Item | Details | Owner | Status |
| --- | --- | --- | --- |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Recovery

Steps to restore normal operations.

| Item | Details | Owner | Status |
| --- | --- | --- | --- |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Evidence Collection

What to preserve for forensic analysis.

| Item | Details | Owner | Status |
| --- | --- | --- | --- |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Reporting

Who to notify and required compliance reports. Use Markdown with code blocks. Write for urgency.

| Item | Details | Owner | Status |
| --- | --- | --- | --- |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

Review and Signoff

Document review conclusions, approvals, unresolved items, and next review date.

| Role | Name | Date | Notes |
| --- | --- | --- | --- |
| Preparer | [Name] | [Date] | [Notes] |
| Reviewer | [Name] | [Date] | [Notes] |
| Approver | [Name] | [Date] | [Notes] |

Template Guide

How to Use the Security Runbook Template

When to Use This Template

Deploy this security runbook template when responding to active cyber threats or building incident response protocols.

  • Active ransomware, phishing, or DDoS attack detected in network
  • Annual SOC 2 or ISO 27001 audit requires documented response procedures
  • Security team onboarding needs standardized threat containment playbooks

What This Template Covers

This template produces a structured incident response playbook with threat detection through full recovery documentation.

  • IOC patterns, SIEM alert triggers, and log signatures for detection
  • Containment commands, isolation scripts, and immediate mitigation steps with code blocks
  • Evidence preservation protocols, chain-of-custody requirements, and compliance reporting contacts

Common Pitfalls to Avoid

Security runbooks fail when teams write vague steps or skip environment-specific details during high-pressure incidents.

  • Generic containment instructions waste critical minutes without actual firewall rules or commands
  • Missing recovery time objectives (RTOs) delay executive decisions during active breaches
  • Outdated notification trees reach wrong stakeholders, violating GDPR or HIPAA reporting deadlines

Template Structure

What the Security Runbook Template Includes

Use this process template as a starting point, then customize each section to match your internal workflow, evidence, and signoff needs.

  1. Threat Overview: Description of the threat type and potential impact.
  2. Detection Indicators: IOCs, alerts, and log patterns that indicate this threat.
  3. Containment: Immediate steps to limit the threat's impact.
  4. Eradication: Steps to remove the threat from the environment.
  5. Recovery: Steps to restore normal operations.
  6. Evidence Collection: What to preserve for forensic analysis.
  7. Reporting: Who to notify and required compliance reports. Use Markdown with code blocks. Write for urgency.

Recommended Structure

Write a Security Runbook. Structure with:

Threat Overview

Description of the threat type and potential impact.

Detection Indicators

IOCs, alerts, and log patterns that indicate this threat.

Containment

Immediate steps to limit the threat's impact.

Eradication

Steps to remove the threat from the environment.

Recovery

Steps to restore normal operations.

Evidence Collection

What to preserve for forensic analysis.

Reporting

Who to notify and required compliance reports.

Use Markdown with code blocks. Write for urgency.

Example Filled Template

Security Runbook: Compromised API Key Response

Threat Overview

A production API key has been exposed (e.g., committed to public repository, found in logs, reported by user). The key may allow unauthorized access to customer data and service operations.

Detection Indicators

  • GitHub Secret Scanning alert
  • Unusual API usage patterns from unknown IPs
  • Customer report of unauthorized access
  • CloudTrail showing API calls from unexpected regions

Containment (Do Immediately)

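  1. Revoke the compromised key:

     ```bash
     # Disable in API gateway (KEY_ID is a placeholder for the exposed key's ID)
     curl -X PATCH https://admin.internal/api/keys/KEY_ID \
       -H "Authorization: Bearer $ADMIN_TOKEN" \
       -H "Content-Type: application/json" \
       -d '{"status": "revoked"}'
     ```

  2. Block source IPs making unauthorized requests:

     ```bash
     # --addresses replaces the whole list, so include existing entries; IP_SET_ID and LOCK_TOKEN are placeholders
     aws wafv2 update-ip-set --name "blocked-ips" --scope REGIONAL \
       --id "$IP_SET_ID" --lock-token "$LOCK_TOKEN" --addresses "1.2.3.4/32"
     ```

  3. Rotate any related credentials (database passwords, OAuth secrets) if the key had broad access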

Evidence Collection

  • Export CloudTrail logs for the key: last 30 days
  • Capture API gateway access logs matching the key
  • Screenshot the source of exposure (public repo, paste site)
  • Record timeline of events in incident channel
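
The detection indicators and evidence steps above can be worked through on exported logs. The following is an added example, not part of the original template: it filters CloudTrail-style records for one key, tags calls from unknown IPs or unexpected regions, and builds the incident timeline. The key IDs, known IP range, expected region and sample records are constructed assumptions.

```python
import ipaddress

KEY_ID = "EXAMPLE-KEY-ID"  # constructed placeholder, not a real key ID
# Constructed records using CloudTrail field names; all values are made up.
RECORDS = [
    {"eventTime": "2024-05-01T10:02:11Z", "eventName": "ListUsers", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"accessKeyId": KEY_ID}},
    {"eventTime": "2024-05-01T09:58:40Z", "eventName": "GetObject", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": KEY_ID}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": KEY_ID}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.99", "userIdentity": {"accessKeyId": "OTHER-KEY-ID"}},
    {"eventTime": "2024-05-01T10:03:30Z", "eventName": "Decrypt", "awsRegion": "us-east-1",
     "sourceIPAddress": "s3.amazonaws.com", "userIdentity": {"accessKeyId": KEY_ID}},
]

def triage(records, key_id, known_cidrs, expected_regions):
    """Return a time-ordered timeline of the key's calls, each tagged with why it is suspicious."""
    nets = [ipaddress.ip_network(c) for c in known_cidrs]
    timeline = []
    for rec in records:
        if rec.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue  # different credential, out of scope for this incident
        src, reasons = rec.get("sourceIPAddress", ""), []
        try:
            if not any(ipaddress.ip_address(src) in n for n in nets):
                reasons.append("unknown_ip")
        except ValueError:
            # An AWS service making the call appears as a DNS name, not an IP
            reasons.append("non_ip_source")
        if rec.get("awsRegion") not in expected_regions:
            reasons.append("unexpected_region")
        timeline.append({"time": rec["eventTime"], "event": rec["eventName"],
                         "source": src, "region": rec.get("awsRegion"), "reasons": reasons})
    # Same-format UTC ISO 8601 timestamps sort correctly as strings
    return sorted(timeline, key=lambda e: e["time"])

def block_candidates(timeline):
    """Unique host CIDRs seen from unknown IPs, in the form a WAF IP set expects."""
    return sorted({str(ipaddress.ip_network(e["source"]))
                   for e in timeline if "unknown_ip" in e["reasons"]})

if __name__ == "__main__":
    tl = triage(RECORDS, KEY_ID, ["198.51.100.0/24"], {"us-east-1"})
    print(*tl, sep="\n")
    print("block candidates:", block_candidates(tl))
```

The timeline output feeds the incident channel record, and the block candidates feed the WAF IP set used in Containment.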

Reporting

  • Internal: Notify Security Lead + CTO within 1 hour
  • Compliance: If customer data accessed, GDPR notification within 72 hours
  • Customers: Individual notification if their data was accessed
Video to Document

Turn Video Into Security Runbook

Already have a walkthrough or training video covering this process? Skip manual drafting. Upload the video and Docsie AI generates a security runbook template with every required field populated, ready for review, signoff, or export.

Use the template manually, or let Docsie generate the first draft from source footage.

DOCX, PDF, and Markdown downloads
Works with process and training videos

Template FAQ

Security Runbook Template FAQ

Common questions about downloading and generating a security runbook template.

Using This Template

Q: What is a security runbook template?

A: A security runbook template is a structured document for recording the detection and response procedures for a specific threat.

Q: Is the security runbook template really free?

A: Yes. The security runbook template is completely free to download in Word (DOCX), PDF, and Markdown formats. No signup or credit card required to download.

Q: How do I turn a video into a security runbook?

A: Upload a process walkthrough, training recording, or screen capture to Docsie. The AI analyzes the video and generates a complete security runbook using this template's structure, with every required field auto-filled from the footage.

Q: Can I edit the security runbook template after downloading?

A: Yes. The DOCX format opens in Microsoft Word or Google Docs. The Markdown format imports into Notion, Confluence, Docsie, or any markdown editor. Customize fields, add your branding, and adapt to your internal workflow.