jan-karel.com

Incident Response Plan Generator: how it works and what it delivers

What do you do if your organisation is hit by ransomware tomorrow? Or if a data breach is discovered? Without a plan, you are improvising while every minute counts. The Incident Response Plan Generator creates a tailored IR plan based on your organisation, team and incident types — built on the NIST framework. On this page, we explain how the tool works, the methodology behind it and what you can expect.

What is the IR Plan Generator?

The Incident Response Plan Generator is a free online tool that generates a tailored incident response plan for your organisation. By entering information about your industry, critical systems, IR team and the incident types you want to address, you receive a structured plan that follows the four NIST phases.

An incident response plan is not a document you create and then put in a drawer. It is a living playbook that describes who does what, when and how — from the first signal of an incident to the post-incident evaluation. Organisations with a tested IR plan detect and contain incidents significantly faster. IBM reports a difference of 54 days in the average resolution time between organisations with and without an IR plan.

The generator is designed as a starting point. The free report delivers a basic IR plan that you can use immediately, while the premium report produces a fully implementable plan compliant with NIST SP 800-61, complete with playbooks per scenario.

Methodology: NIST SP 800-61

The Incident Response Plan Generator is based on NIST Special Publication 800-61 Revision 2 (Computer Security Incident Handling Guide), the international standard for incident response. This framework describes four phases that together cover the full lifecycle of a security incident:

  1. Preparation — The foundation of effective incident response. In this phase, you set up the IR team, define roles and responsibilities, implement detection tools and establish communication protocols. Good preparation determines how quickly and effectively you can respond when it matters.
  2. Detection & Analysis — Detecting, classifying and analysing security incidents. This phase involves recognising indicators of compromise (IoCs), determining scope and impact, and classifying the incident based on severity. The faster you detect and correctly classify an incident, the smaller the ultimate damage.
  3. Containment, Eradication & Recovery — The core phase of the actual response. Containment limits the spread of the incident. Eradication removes the cause (malware, compromised accounts, vulnerabilities). Recovery restores systems to normal operation and verifies that the threat has been fully eliminated.
  4. Post-Incident Activity — The phase most often skipped but crucial for improvement. Here you evaluate the incident, document lessons learned, update the IR plan and identify improvements in processes and tooling. Without this phase, you keep repeating the same mistakes.

The NIST framework is globally recognised as the standard for incident response and is used as a reference by NIS2, ISO 27001 and numerous industry-specific regulations. By basing your IR plan on this framework, you ensure a solid structure that is compatible with virtually any compliance requirement.

The three steps explained

The IR Plan Generator collects the information needed to generate a relevant and realistic IR plan in three steps. Each step is deliberately designed to map a specific aspect of your incident response capability.

Step 1: Organisation & Scope

In the first step, you define the context of your IR plan. You select your industry (healthcare, financial services, technology, government, manufacturing, retail or other) and the number of employees. You then indicate which critical systems your organisation has: email and communication, ERP and business software, customer portal and website, financial systems, production systems and OT, and cloud infrastructure.

Each critical system affects the impact of an incident and the priority of recovery. A ransomware attack that hits your email system has different consequences than the same attack on your production environment. The tool uses this information to include the right priorities and recovery sequence in your IR plan.

Step 2: Team & Processes

In the second step, you map out your current IR capability. You indicate which roles are filled on your IR team: IR coordinator, technical analyst, communications lead, legal advisor, management sponsor and external IR partner. Additionally, you select which procedures are already available: incident classification, escalation procedure, internal communication plan, external communication plan, stakeholder contact list and familiarity with legal reporting obligations.

An IR plan without a team is a document without action. By incorporating your current team composition and available procedures, the tool generates a plan that fits your actual capability. If a crucial role is missing, the plan flags this as a risk and provides recommendations for filling it.

Step 3: Incident Types & Priorities

In the third step, you define the threat landscape that your IR plan is designed for. You select the incident types you want to address: ransomware, phishing and social engineering, data breach and data theft, DDoS attacks, insider threats, supply chain compromises and unauthorised access. Finally, you indicate the maximum acceptable downtime: less than 4 hours, 4-24 hours, 1-7 days or more than a week.

Not every incident is the same — a DDoS attack requires a fundamentally different response than a data breach or insider threat. By determining in advance which scenarios you want to address and what your maximum downtime tolerance is, the tool generates specific response procedures and timelines per incident type. The maximum downtime directly affects the urgency of containment and the requirements for your recovery procedures.

What do you get?

After completing the three steps, the IR Plan Generator immediately generates a comprehensive analysis with four components:

  • Completeness score — A score indicating how complete your current IR capability is, based on the team entered, the available procedures and the incident types addressed. The score immediately shows where the largest gaps are.
  • NIST phases overview — A structured overview of the four NIST phases, tailored to your organisation. Per phase, the plan shows which activities, roles and tools are relevant to your specific situation.
  • Response checklist — An action checklist per NIST phase that your team can follow during an incident. From initial detection to post-incident evaluation — every step is described with concrete, actionable items.
  • Response timeline — A timeline showing which actions must take place at which moment, aligned with your maximum acceptable downtime. This helps your team set the right priorities under pressure.

Free report

What is included in the free report?
  • PDF with a basic IR plan structured according to the four NIST phases
  • Action checklist per phase with concrete steps for your team
  • Recommendations for improving your IR capability
  • Starting point for developing a formal, organisation-wide IR plan

The free report offers a solid starting point for organisations that do not yet have a formal IR plan. The PDF contains a structured overview of the four NIST phases, an action checklist and targeted recommendations. You can use it directly as a basis for internal discussions about incident response capability and as a starting document for a more comprehensive plan.

While the free report covers the essentials, it lacks the depth needed for a fully implementable plan. Scenario-specific playbooks, a RACI matrix and communication templates for regulators are included in the premium version.

Premium IR plan (€89)

What is included in the premium report?
  • Complete IR plan compliant with NIST SP 800-61, ready for immediate implementation
  • RACI matrix with role assignments tailored to your IR team composition
  • Scenario-specific playbooks for ransomware, data breach, phishing, DDoS and insider threats
  • Communication plan: reporting procedures for the Data Protection Authority, media, customers and regulators
  • Response timelines per incident type with escalation procedures and decision points
  • Implementable PDF — ready to deploy as an organisation-wide IR plan

The premium report delivers a complete incident response plan that you can implement immediately. The difference from the free version is the depth and practical applicability.

The RACI matrix translates the roles on your IR team into concrete responsibilities per activity. For every step in the response process, it is clear who executes, who is ultimately accountable, who is consulted and who must be informed. This prevents the two biggest pitfalls in incident response: tasks that are missed and tasks that are duplicated.

The scenario-specific playbooks are the core of the premium report. Each playbook describes step by step how to respond to a specific type of incident. A ransomware playbook contains different containment steps than a data breach playbook, and a DDoS response requires different escalation procedures than an insider threat. By working out the response per scenario in advance, your team can fall back on a proven playbook under pressure.

The communication plan is essential for compliance. It describes when and how to report to the Data Protection Authority (within 72 hours for a data breach), the CSIRT (within 24 hours for a NIS2 incident), media, customers and other stakeholders. It also includes notification templates and escalation procedures for involving legal and communications experts.

The response timelines per incident type show which actions must take place when, aligned with your maximum acceptable downtime. Each escalation point is clearly marked, so your team knows when management, legal advisors or external parties need to be brought in.

Free vs. premium compared

Component                                             Free   Premium (€89)
Basic IR plan (4 NIST phases)                         ✓      ✓
Action checklist per phase                            ✓      ✓
Completeness score and recommendations                ✓      ✓
RACI matrix with role assignments                     –      ✓
Scenario-specific playbooks (5 types)                 –      ✓
Communication plan (DPA/media/customers/regulators)   –      ✓
Response timelines with escalation procedures         –      ✓
Implementable PDF                                     –      ✓

Frequently Asked Questions

What is an incident response plan?

An incident response plan (IR plan) is a structured document that describes how your organisation responds to cybersecurity incidents. It contains roles and responsibilities, escalation procedures, communication protocols and technical response steps per incident type. A good IR plan shortens response time during an incident, limits damage and ensures compliance with legal reporting obligations such as GDPR and NIS2.

Why do you need an IR plan?

Without an IR plan, you must improvise during an incident — and improvisation under pressure leads to mistakes. IBM research shows that organisations with a tested IR plan detect and contain a data breach an average of 54 days faster, resulting in significantly lower costs. Additionally, NIS2 (Article 21), GDPR and industry-specific regulations require organisations to implement incident response procedures. An IR plan is not a luxury but a necessity.

What are the four NIST IR phases?

The NIST SP 800-61 framework distinguishes four phases: (1) Preparation — readying the team, tools and procedures, (2) Detection & Analysis — detecting, classifying and analysing incidents, (3) Containment, Eradication & Recovery — containing the incident, removing the cause and restoring systems, and (4) Post-Incident Activity — evaluating, documenting and improving the plan. This cyclical structure ensures that your organisation is better prepared for the next incident after each one.

How often should you test your IR plan?

At least annually via a tabletop exercise, and always after a significant incident or major change to your IT environment. Organisations in heavily regulated industries often test quarterly. NIS2 explicitly requires organisations to test and update their IR procedures regularly. Also test after a cloud migration, acquisition or reorganisation — any major change can affect your response procedures.

Who should be on the IR team?

An effective IR team consists of at least five roles: an IR coordinator who leads the process and makes decisions, a technical analyst for forensic investigation and technical containment, a communications lead for internal and external communication, a legal advisor for reporting obligations and liability, and a management sponsor for decision-making on business-critical systems and budget authorisation. Many organisations also engage an external IR partner for additional expertise and backup.

What is a RACI matrix in incident response?

A RACI matrix defines per activity who is Responsible (carries out the work), Accountable (owns the outcome and signs it off; exactly one role per activity), Consulted (provides input before the work is done) and Informed (is kept up to date on progress and outcome). In the context of incident response, a RACI matrix prevents critical tasks from being missed or multiple people performing the same action while other actions are forgotten. The premium report includes a complete RACI matrix tailored to the team roles you indicated in step 2.
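The two pitfalls named above (missed tasks and duplicated tasks) show up as structural defects in the matrix itself: an activity with no Responsible role, with no or more than one Accountable role, or with R/A assigned to a role that is not filled on the team from step 2. The following validator is an added example, not code from the generator; the six role names follow step 2 of this page, and the ransomware RACI slice is constructed for illustration.

```python
from __future__ import annotations
from collections import Counter

# The six IR team roles the generator asks about in step 2
TEAM_ROLES = ("IR coordinator", "Technical analyst", "Communications lead",
              "Legal advisor", "Management sponsor", "External IR partner")
VALID_LETTERS = {"R", "A", "C", "I"}

# Constructed sample: a slice of a ransomware RACI, activity -> {role: letter}
SAMPLE_RACI = {
    "Declare incident and activate IR team": {"IR coordinator": "A", "Management sponsor": "C"},
    "Isolate affected hosts from the network": {"IR coordinator": "A", "Technical analyst": "R",
                                                "External IR partner": "C"},
    "Notify the Data Protection Authority": {"Legal advisor": "R", "IR coordinator": "A",
                                             "Management sponsor": "A"},
    "Inform affected customers": {"Communications lead": "R", "Legal advisor": "C"},
}

def validate_raci(raci: dict, filled_roles: set) -> list[tuple[str, str]]:
    """Return (activity, finding) pairs for RACI defects that cause missed or duplicated work."""
    findings = []
    for activity, assignments in raci.items():
        counts = Counter(assignments.values())
        if counts["A"] == 0:
            findings.append((activity, "no Accountable role: nobody owns the outcome"))
        elif counts["A"] > 1:
            findings.append((activity, "more than one Accountable role: ownership is ambiguous"))
        if counts["R"] == 0:
            findings.append((activity, "no Responsible role: the task will be missed"))
        for role, letter in assignments.items():
            if letter not in VALID_LETTERS:
                findings.append((activity, f"unknown assignment '{letter}' for {role}"))
            elif letter in ("R", "A") and role not in filled_roles:
                # R or A on an unfilled role is the gap the plan should flag as a risk
                findings.append((activity, f"{letter} assigned to unfilled role '{role}'"))
    return findings

if __name__ == "__main__":
    # Constructed team from step 2: no legal advisor and no external IR partner
    filled = {"IR coordinator", "Technical analyst", "Communications lead", "Management sponsor"}
    for activity, problem in validate_raci(SAMPLE_RACI, filled):
        print(f"[{activity}] {problem}")
```

Running it against a full six-role team still reports the three structural defects in the sample; the fourth finding only appears once the legal advisor role is unfilled.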

Do you need an IR plan for NIS2?

Yes, for organisations that fall under the NIS2 directive, this is mandatory. Article 21 of NIS2 requires essential and important entities to implement measures for incident handling. Article 23 mandates that significant incidents must be reported to the competent CSIRT within 24 hours, with a full incident report within 72 hours. A formal, tested IR plan is essential to meet these obligations and avoid the associated penalties.

How quickly must you report a security incident?

The reporting deadline varies by regulation. Under NIS2, a significant incident must be reported to the CSIRT within 24 hours, with a full report within 72 hours and a final report within one month. GDPR requires notification of a data breach to the Data Protection Authority within 72 hours of discovery. In cases of high risk to data subjects, the individuals concerned must also be informed “without undue delay.” A good IR plan includes these reporting deadlines, responsibilities and templates to carry out the notification in a timely and correct manner.
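The deadlines above (and those in the communication plan and NIS2 answers earlier on this page) all run from the moment of discovery, so a response timeline can compute them once and then report what is overdue or due next. The following calculator is an added example, not code from the generator; it assumes UTC timestamps, interprets "within one month" as the same day of the next calendar month (clamped to that month's length), and models "without undue delay" as an open obligation with no fixed clock.

```python
from __future__ import annotations
import calendar
from datetime import datetime, timedelta, timezone

def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (the assumed input format)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

def add_one_month(t: datetime) -> datetime:
    """Same clock time in the next calendar month, day clamped to that month's length.
    This reading of NIS2's 'within one month' is an assumption of this example."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)

def reporting_deadlines(discovered_at: datetime, nis2_significant: bool,
                        gdpr_breach: bool, high_risk_to_data_subjects: bool = False
                        ) -> dict[str, datetime | None]:
    """Return notification deadlines keyed by obligation, measured from discovery.
    None means the obligation has no fixed clock ('without undue delay')."""
    deadlines: dict[str, datetime | None] = {}
    if nis2_significant:
        deadlines["NIS2 early warning to CSIRT"] = discovered_at + timedelta(hours=24)
        deadlines["NIS2 incident notification to CSIRT"] = discovered_at + timedelta(hours=72)
        deadlines["NIS2 final report to CSIRT"] = add_one_month(discovered_at)
    if gdpr_breach:
        deadlines["GDPR notification to Data Protection Authority"] = discovered_at + timedelta(hours=72)
        if high_risk_to_data_subjects:
            deadlines["GDPR notification to data subjects"] = None
    return deadlines

def overdue(deadlines: dict[str, datetime | None], now: datetime) -> list[str]:
    """Obligations whose deadline has already passed at `now`."""
    return sorted(k for k, v in deadlines.items() if v is not None and now > v)

def next_due(deadlines: dict[str, datetime | None], now: datetime) -> str | None:
    """The obligation that falls due soonest at or after `now`, if any remain."""
    pending = [(v, k) for k, v in deadlines.items() if v is not None and v >= now]
    return min(pending)[1] if pending else None

if __name__ == "__main__":
    # Constructed scenario: ransomware with data theft discovered 31 Jan 2024, 10:00 UTC
    found = utc(2024, 1, 31, 10)
    dl = reporting_deadlines(found, nis2_significant=True, gdpr_breach=True,
                             high_risk_to_data_subjects=True)
    for name, when in dl.items():
        print(f"{name}: {when.isoformat() if when else 'without undue delay'}")
    print("overdue on 2 Feb 00:00:", overdue(dl, utc(2024, 2, 2)))
    print("next due:", next_due(dl, utc(2024, 2, 2)))
```

The 31 January discovery date is chosen deliberately: the one-month final report lands on 29 February 2024, which a naive "add 30 days" or "same day next month" rule would get wrong.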