IR 2.0 Framework · v1.0.0-rc1
DOCUMENT 04 / 05 · THE PROGRAM

30 / 60 / 90
Day Plan.

A week-by-week path to a working IR 2.0 program.

Designed to be achievable alongside the day job. Each task is small enough to finish in an afternoon and load-bearing enough to compound. Three checkpoints — at days 30, 60, and 90 — mark the work that has actually moved the program forward.

SeriesIR 2.0
Document04 of 05
Version1.0.0-rc1 · 2026
LicenseCC BY 4.0

This framework supports resilience, evidence, and readiness. It does not certify compliance, guarantee security, or guarantee cyber-insurance eligibility. It is not a substitute for professional legal, regulatory, or insurance advice.

04 / 30·60·90
How to use this

Don't try to do everything at once. Focus on one task per day. Consistency beats intensity. Check items off as you complete them; carry incomplete items forward without renegotiating the rest of the schedule.

30

Foundation.

"Get your house in order" — assess current state, baseline documentation, quick wins.
Days 1 – 30
WEEK 01Assessment
  1. Download a cyber-insurance application — your free gap assessment.
  2. Complete the insurance checklist. Every "No" is a project.
  3. Inventory current security tools. What you have, what's missing.
  4. Identify IR stakeholders: IT, Legal, HR, Comms, executive sponsor.
  5. Document current backup status. Backed up? Tested? Immutable?
WEEK 02Quick wins
  1. Enable MFA on all admin accounts, email, and VPN.
  2. Verify EDR coverage — every endpoint has an agent and is reporting.
  3. Test one backup restoration. Document time, success, issues.
  4. Build the emergency contact list — personnel, vendors, legal, broker.
WEEK 03Documentation
  1. Draft the IR One-Pager — severity levels, roles, escalation triggers.
  2. Define incident severities (P1 / P2 / P3 / P4 or Critical → Low).
  3. Document IR communication channels (Slack, Teams, email DL).
  4. Draft comms templates — internal, customer, press.
WEEK 04Validation
  1. Review IR One-Pager with stakeholders. Get feedback and buy-in.
  2. Schedule first tabletop drill for days 45 – 60. Send invites.
  3. Open the shared evidence folder for insurance documentation.
  4. Create blameless post-mortem template. Have it ready before the first tabletop — the team should know how to run a post-mortem before they need one.
  5. Brief the executive sponsor. Frame gaps as risk items.
Checkpoint · Day 30 IR One-Pager drafted · Big 3 controls verified · insurance gaps identified · first tabletop scheduled.
IR 2.0 · 30 / 60 / 90 Day Plan v1.0.0-rc1 · © 2026 Deretti Cyber Labs · CC BY 4.0 02
04 / 30·60·90
60

Playbooks & Practice.

"From plan to practice" — build the first playbooks and run the first drill.
Days 31 – 60
WEEK 05First playbook
  1. Build Playbook #1 — Endpoint Quarantine + Identity Revoke.
  2. Document manual endpoint-isolation steps in your EDR.
  3. Document manual identity / session revocation in your IdP.
WEEK 06More playbooks
  1. Build Playbook #2 — Phishing Burst Response.
  2. Build Playbook #3 — SaaS Consent Kill.
  3. Review playbooks with the technical team. Steps accurate?
WEEK 07Tabletop prep
  1. Develop tabletop scenario (suggest: ransomware on file server). Write inject cards.
  2. Prepare materials — scenario brief, role cards, timeline.
  3. Send pre-reads. Remind participants of date and time.
  4. Dry-run with one colleague. Adjust timing and injects.
WEEK 08Execute & learn
  1. Run the first tabletop (60–90 min). Document observations.
  2. Conduct blameless post-mortem (not a debrief — language matters). Document: what happened, what worked, what didn't, what changes by next drill. This is a Culture artifact, not a formality.
  3. Update One-Pager and playbooks based on findings.
  4. Brief sponsor on results — gaps, remediation, momentum.
Checkpoint · Day 60 Three playbooks documented · first tabletop completed · lessons captured · IR program actively improving.
IR 2.0 · 30 / 60 / 90 Day Plan v1.0.0-rc1 · © 2026 Deretti Cyber Labs · CC BY 4.0 03
04 / 30·60·90
90

Automation & Improvement.

"From manual to automated" — first Calm Loop and a continuous-improvement cadence.
Days 61 – 90
WEEK 09Automation planning
  1. Identify first automation candidate — alert enrichment workflow.
  2. Document the manual steps it replaces. Measure current time.
  3. Define Reversibility Score for each automated action.
  4. Draft RS policy — RS 1/2 auto-execute · RS 3+ require approval.
WEEK 10First automation
  1. Build first automation — alert → enrich → ticket → notify.
  2. Test in non-prod or with low-severity alerts first.
  3. Document trigger, steps, expected output, rollback procedure.
WEEK 11Metrics
  1. Define IR KPIs — MTTD, MTTR, incident type, false-positive rate.
  2. Set up basic metrics tracking (a spreadsheet is fine to start).
  3. Establish baseline metrics from recent incidents.
  4. Build remaining playbooks — Stolen Credential · Data Exfil.
WEEK 12Continuous improvement
  1. Schedule quarterly tabletop drills for the next 12 months.
  2. Review and iterate on the blameless post-mortem template (created Week 4). Refine based on what the first tabletop actually surfaced.
  3. Update insurance documentation with new evidence.
  4. Build 90-day summary for the executive sponsor.
  5. Celebrate. The foundation is built.
Checkpoint · Day 90 Five playbooks live · first automation in production · metrics baseline established · quarterly drill cadence on the calendar · insurance-ready documentation · first blameless post-mortem documented · near-miss reporting channel established · responder rotation defined (if team size permits).
Beyond day 90

The foundation is built. The roadmap continues.

Day 90 closes the Crawl phase. From here, the work hands off to the Walk and Run stages defined in 02 — Crawl, Walk, Run.

Days 91 – 180 · Walk

  • Deploy SIEM if not already in place
  • Build more automated Calm Loops
  • Expand playbook coverage to 80%+
  • Integrate threat-intelligence feeds

Days 181 – 365 · Run

  • AI-assisted triage in production
  • Chaos engineering / live-fire drills
  • Full Calm Loop automation
  • Continuous improvement culture

Where to go next

Ship the playbooks in the order given in 05 — Top 5 Playbooks. Track progress against the metrics ladder in 02 — Crawl, Walk, Run.

Get the framework
deretticyberlabs.com/ir2
IR 2.0 · 30 / 60 / 90 Day Plan v1.0.0-rc1 · © 2026 Deretti Cyber Labs · CC BY 4.0 04