Incident Response Runbook Template for Non-Security Staff

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Every NIST-aligned incident response template assumes you have a CISO, a SOC team, an incident response retainer, and staff who know what an event log is. Most organizations do not have any of those things.
For the organization with one IT person, or the business where the HR manager will be first to notice something is wrong, the NIST framework is too abstract to be actionable in a crisis. This runbook template is designed for that reality.
Fill in the blanks in each section before an incident occurs. The goal is that whoever picks this up during an incident: including someone who has never handled a security event before: can take the correct first actions without making the situation worse.
Before You Start: Assign the Six Roles
These roles must be assigned before an incident. During an incident, there is no time to determine who is responsible for what.
Decision Maker: The person with authority to approve system shutdowns, engage outside vendors, authorize emergency spending, and communicate with customers. Typically: CEO, COO, or Department Head. Name: _____________. Mobile: _____________.
IT Lead: The person who understands the technical environment: which systems are affected, how they connect, where backups are. Typically: IT Manager, MSP contact, or most technical staff member. Name: _____________. Mobile: _____________.
Communicator: The person responsible for all internal and external communications during the incident. Drafts employee notifications, coordinates with legal, interfaces with law enforcement if needed. Typically: HR Director or Marketing/Communications lead. Name: _____________. Mobile: _____________.
Documenter: The person who writes down everything that happens during the incident: actions taken, timestamps, who made each decision. This person should not also be performing technical tasks. Name: _____________. Mobile: _____________.
Insurance/Legal Contact: Your cyber insurance policy number and your insurer's breach response hotline. Policy #: _____________. Hotline: _____________. Attorney on retainer: _____________. Mobile: _____________.
IR Firm Contact: If you have an incident response retainer, this is the 24/7 contact number. If you do not, this is your fastest path to getting one: contact your cyber insurer's breach response hotline: they have pre-vetted IR firms on standby. Contact: _____________.
Step 1: Recognize an Incident is Occurring
Not every IT problem is a security incident. Use this checklist to determine whether to activate this runbook.
Activate this runbook if you observe any of the following:
- Files have changed to strange extensions you do not recognize (e.g.,
.locked,.encrypted,.DARKSIDE) - A ransom note appeared on screen or in folders
- Antivirus or security software is showing alerts you cannot dismiss and they reference malware, ransomware, or unauthorized access
- You are locked out of systems with a message saying your data has been encrypted
- Someone is logged into accounts from locations or at times that are impossible (for example, your account is logged in from another country while you are at the office)
- A vendor or partner calls to say they received suspicious messages appearing to come from your organization
- You receive a notification from a data breach monitoring service that your organization's credentials are for sale
- A system is behaving strangely: running very slowly, making unusual disk activity sounds, sending large amounts of network traffic
Do not activate this runbook for: A virus alert on a single workstation (treat it as a normal IT ticket), a phishing email that was not clicked, or a spam increase alone.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Step 2: Immediate Actions (First 15 Minutes)
Do not reboot. Rebooting a compromised system destroys the most valuable forensic evidence. Even if a system is running slowly or showing alarming messages, do not reboot it.
Do not run antivirus scans or system cleaners. These tools can delete files that forensic investigators need to understand how the attack occurred.
Do not delete files, even if they look suspicious.
Do not pay a ransom without first calling your cyber insurer. Payment decisions have legal, insurance, and regulatory implications.
Document what you see. Take a photograph of the screen with your phone. Write down the exact time you noticed the problem, what you were doing when you noticed it, and what the screen showed.
Disconnect affected systems from the network using this method: physically unplug the ethernet cable from the back of the computer, or disconnect from WiFi via the network icon in the system tray. Do NOT log off or shut down. Disconnecting from the network stops the spread without destroying evidence.
Do not disconnect systems from power unless they are physically on fire or present an immediate physical safety risk.
Notify the Decision Maker and IT Lead immediately by phone. Do not use email or Teams: those systems may be compromised.
Step 3: Notifications and Escalation
Within 30 minutes of discovery:
- Decision Maker and IT Lead: already notified in Step 2.
- Cyber insurer: call the breach response hotline from your policy. They activate IR resources and preserve coverage. This call does not commit you to anything: it opens the case.
- Attorney: if you have legal counsel, notify them now. Legal privilege may apply to the investigation if counsel is directing it.
Within 2 hours of discovery:
- All hands: notify all staff via phone/SMS (not email) that there is an IT security incident, that they should stop using company systems, and that they will receive updates via [designated alternate channel: SMS, personal email, etc.]
- MSP or IT vendor: if you use a managed service provider, notify them immediately. They may have visibility into your environment that can accelerate containment.
Within 24-72 hours:
- Regulatory notifications: depending on the data involved, you may have legal notification obligations. Your attorney and insurer will guide this. GDPR requires notification within 72 hours of discovery. HIPAA requires notification within 60 days. Most US state breach notification laws require notification within 30-90 days.
- Law enforcement: you are not required to report to law enforcement, but the FBI's Internet Crime Complaint Center (IC3) and CISA both accept breach reports and provide assistance without requiring prosecution. Report at ic3.gov.
What to say internally: 'We are experiencing a technology security issue. We have engaged our security team. Please stop using company systems until further notice. We will provide an update within [2 hours / by end of day]. Do not discuss this externally.'
What not to say: Do not say 'we were hacked,' 'our data was stolen,' or name the specific systems affected in any internal communication: these statements can create legal liability and may not be accurate at the time you make them.
Step 4: What the IR Firm Will Ask When They Arrive
When your IR firm or insurer's vendor engages, they will need the following information immediately. Prepare these answers during the first two hours.
- When was the incident first noticed and by whom?
- What systems are confirmed affected? (List hostnames, IP addresses if known)
- What type of incident is this: ransomware, data exfiltration, unauthorized access, business email compromise?
- Has anything been rebooted, deleted, or modified since discovery?
- What data might be involved? (Customer PII, financial data, health records, employee data)
- What is your backup status? Are backups stored separately from the affected network?
- Who has administrative access to the affected systems?
- Have you received any external communications (ransom note, threat actor contact, extortion email)? Preserve the exact text.
Preserve communications with the threat actor. If a threat actor contacts you through any channel, do not respond without guidance from your attorney or IR firm. Save all communications.
Do not share forensic findings publicly or with employees until your IR firm or attorney clears the communication.
The bottom line
An IR runbook written for a SOC analyst sits in a folder unused during the actual incident: because the person first on scene cannot read it. This template is written for the office manager, HR director, or IT generalist who will be the first responder. The critical actions are simple: do not reboot, disconnect from network (not power), document everything you see, and call the insurer before doing anything else. Assign the six roles now, fill in the contact numbers, and put this document somewhere accessible on paper: not just in a shared drive that may be encrypted during the incident.
Frequently asked questions
What should a non-technical employee do first when they suspect a security incident?
Do not reboot the computer, do not run antivirus scans, and do not delete files. Take a photograph of the screen, write down the exact time, and disconnect the computer from the network by unplugging the ethernet cable. Then call the designated Decision Maker by phone immediately.
When should I call my cyber insurance company during a ransomware attack?
Call your insurer's breach response hotline within 30 minutes of confirming an incident. This call opens the case, activates IR resources, and preserves coverage. Delaying this call is the most common mistake organizations make: most policies require timely notification, and late notification can affect coverage.
What should a non-security employee do if they accidentally click a phishing link?
Do not reboot. Do not enter any credentials on any pages that load. Disconnect from the network immediately by unplugging the ethernet cable or disabling Wi-Fi. Do not try to close the browser or 'undo' the click. Call the security or IT team by phone rather than email (your email may be compromised). Take a photo of the screen if anything displayed before disconnecting. Preserve the email by not deleting it: forward the original to your security team's designated inbox before taking any further action. The most important step is calling security immediately rather than waiting to see if anything happens.
How should a non-technical manager communicate during a ransomware incident?
Use out-of-band communication channels only: phone calls, personal mobile phones, or a secondary messaging platform that does not depend on your corporate email or collaboration tools (which may be encrypted or compromised). Do not send internal incident updates through corporate email during an active ransomware incident. Designate a single point of contact for all external communications (legal, insurer, PR) and route all external calls through that person. Do not make public statements or post on social media about the incident until your legal counsel and PR team have approved the language.
How should a non-technical employee identify if a ransomware attack is still in progress?
Indicators a non-technical employee can identify without tools: file icons changing to an unfamiliar extension on shared drives (files previously named report.docx now appear as report.docx.locked or similar), desktop wallpaper replaced with a ransom note image, a ransom note text file appearing on the desktop or in folders, files on network drives suddenly becoming inaccessible or showing read errors, and extremely high disk activity with the disk access light on continuously while no program is visibly running. If you observe any of these, do not click anything on the desktop, do not reboot, and immediately call the designated IT contact by phone. The most important action is not clicking the ransom note or any link it contains.
What information should a non-technical employee document immediately after noticing a security incident?
Documentation in the first few minutes matters because human memory degrades quickly during stressful situations and the information may be forensically relevant. A non-technical employee should record: the exact time they first noticed something wrong (not an estimate, the actual clock time), what they were doing when they noticed it (which application was open, what action triggered the observation), a description of what appeared on screen using exact language (copy the text of any message or ransom note by photographing the screen with a mobile phone rather than typing it out, to preserve exact wording), whether any unusual sounds accompanied the event (disk activity, fan noise), whether anyone else was present and might have witnessed the same event, and whether the affected machine had been used by anyone else recently or had any external devices connected to it. Write these observations down on paper if possible, since any digital notes taken on the affected system may be encrypted or destroyed. If a ransom note appeared, do not attempt to follow any instructions in it before speaking to IT or the security team. The documenter role assigned before the incident should take over formal logging once notified, but the initial observations from the first person on scene are often the most detailed account of how the incident began.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
