30 / 60 / 90
Day Plan.
A week-by-week path to a working IR 2.0 program.
Designed to be achievable alongside the day job. Each task is small enough to finish in an afternoon and load-bearing enough to compound. Three checkpoints — at days 30, 60, and 90 — mark the work that has actually moved the program forward.
This framework supports resilience, evidence, and readiness. It does not certify compliance, guarantee security, or guarantee cyber-insurance eligibility. It is not a substitute for professional legal, regulatory, or insurance advice.
Don't try to do everything at once. Focus on one task per day. Consistency beats intensity. Check items off as you complete them; carry incomplete items forward without renegotiating the rest of the schedule.
Foundation.
- Download a cyber-insurance application — your free gap assessment.
- Complete the insurance checklist. Every "No" is a project.
- Inventory current security tools. What you have, what's missing.
- Identify IR stakeholders: IT, Legal, HR, Comms, executive sponsor.
- Document current backup status. Backed up? Tested? Immutable?
- Enable MFA on all admin accounts, email, and VPN.
- Verify EDR coverage — every endpoint has an agent and is reporting.
- Test one backup restoration. Document time, success, issues.
- Build the emergency contact list — personnel, vendors, legal, broker.
- Draft the IR One-Pager — severity levels, roles, escalation triggers.
- Define incident severities (P1 / P2 / P3 / P4 or Critical → Low).
- Document IR communication channels (Slack, Teams, email DL).
- Draft comms templates — internal, customer, press.
- Review IR One-Pager with stakeholders. Get feedback and buy-in.
- Schedule first tabletop drill for days 45 – 60. Send invites.
- Open the shared evidence folder for insurance documentation.
- Create blameless post-mortem template. Have it ready before the first tabletop — the team should know how to run a post-mortem before they need one.
- Brief the executive sponsor. Frame gaps as risk items.
Playbooks & Practice.
- Build Playbook #1 — Endpoint Quarantine + Identity Revoke.
- Document manual endpoint-isolation steps in your EDR.
- Document manual identity / session revocation in your IdP.
- Build Playbook #2 — Phishing Burst Response.
- Build Playbook #3 — SaaS Consent Kill.
- Review playbooks with the technical team. Steps accurate?
- Develop tabletop scenario (suggest: ransomware on file server). Write inject cards.
- Prepare materials — scenario brief, role cards, timeline.
- Send pre-reads. Remind participants of date and time.
- Dry-run with one colleague. Adjust timing and injects.
- Run the first tabletop (60–90 min). Document observations.
- Conduct blameless post-mortem (not a debrief — language matters). Document: what happened, what worked, what didn't, what changes by next drill. This is a Culture artifact, not a formality.
- Update One-Pager and playbooks based on findings.
- Brief sponsor on results — gaps, remediation, momentum.
Automation & Improvement.
- Identify first automation candidate — alert enrichment workflow.
- Document the manual steps it replaces. Measure current time.
- Define Reversibility Score for each automated action.
- Draft RS policy — RS 1/2 auto-execute · RS 3+ require approval.
- Build first automation — alert → enrich → ticket → notify.
- Test in non-prod or with low-severity alerts first.
- Document trigger, steps, expected output, rollback procedure.
- Define IR KPIs — MTTD, MTTR, incident type, false-positive rate.
- Set up basic metrics tracking (a spreadsheet is fine to start).
- Establish baseline metrics from recent incidents.
- Build remaining playbooks — Stolen Credential · Data Exfil.
- Schedule quarterly tabletop drills for the next 12 months.
- Review and iterate on the blameless post-mortem template (created Week 4). Refine based on what the first tabletop actually surfaced.
- Update insurance documentation with new evidence.
- Build 90-day summary for the executive sponsor.
- Celebrate. The foundation is built.
The foundation is built. The roadmap continues.
Day 90 closes the Crawl phase. From here, the work hands off to the Walk and Run stages defined in 02 — Crawl, Walk, Run.
Days 91 – 180 · Walk
- Deploy SIEM if not already in place
- Build more automated Calm Loops
- Expand playbook coverage to 80%+
- Integrate threat-intelligence feeds
Days 181 – 365 · Run
- AI-assisted triage in production
- Chaos engineering / live-fire drills
- Full Calm Loop automation
- Continuous improvement culture
Where to go next
Ship the playbooks in the order given in 05 — Top 5 Playbooks. Track progress against the metrics ladder in 02 — Crawl, Walk, Run.