Incident Response
Detect. Contain. Recover. Without panic.
Ops and SOC — anyone who could be woken at 03:00.
03:17. Pager. A customer reports impossible charges. Logs show an unfamiliar IP reading production data for 40 minutes. You have an hour before the CEO wants a written statement. This track is the 03:17 reflex set.
Every engineer thinks they know IR until it happens. Then it's dread, panic, and three browser tabs of outdated playbooks. This track installs the reflexes: triage without nuking evidence, contain without breaking production further, communicate without opening a regulatory can of worms.
Get on the waitlist
We ship in cohorts. Early-access members get first picks on missions, credentials, and Sentinel mentor sessions.
- Direct access to a former SOC analyst for 2 hours during the beta
- Vote on which ransomware scenario ships first
- Access to the private IR scenario library before public release
- Free tickets to the first ClawGuru Tabletop Day
Concrete outcomes. No lecture notes.
- A one-page IR playbook calibrated to your team size
- A detection setup that distinguishes real signal from ordinary noise
- A forensics-safe containment procedure (isolate without contaminating evidence)
- A root-cause methodology that survives the post-mortem
- GDPR + NIS2 notification timing and templates
- Customer and internal communication templates rated by a real comms professional
- A tabletop exercise you will actually run twice a year
- A recovery procedure tested against a simulated ransomware event
- On-call engineers in any production team
- Security team of one: no SOC, still on the hook
- CTOs of 5–50 person companies
- Anyone who has had the 'we should have an IR plan' conversation
NIS2 Article 23 mandates an early warning within 24h, an incident notification within 72h, and a final report within 1 month. GDPR Article 33 mandates notification within 72h. This track ships with notification templates that meet both deadlines, plus the evidence chain you need for both regimes.
We had a real incident two months after I finished this track. The CEO asked if we had an IR plan. I opened the doc from Mission 1. He literally said 'this is the best thing you've done this year'.
Defender III — Incident Response
10 missions + a live tabletop exercise against a simulated incident (timer enabled, multiple-stakeholder roleplay).
- W3C Verifiable Credential: Incident Response
- Template library: playbooks, runbooks, comm templates, notification letters
- Early access to the Runbook Generator (describe incident → get full runbook)
- Priority seat in the quarterly live tabletop Discord events
Questions we already got.
Does this cover ransomware specifically?
Yes. A dedicated mission covers a decision framework (pay vs. don't pay), negotiation patterns, and recovery procedures.
Do I need to be a security specialist?
No. The track assumes you're a senior engineer dropped into IR. It teaches the reflexes, not the whole discipline.
What tools does this assume?
None in particular. The playbooks are tool-agnostic and work with any log pipeline (Loki, ELK, Datadog, CloudWatch, or plain grep), with real examples shown for each.