Your team spent two weeks writing the incident response playbook. It covers the IR lifecycle, maps to NIST 800-61, includes escalation procedures, and references the right tools. Leadership approved it. Compliance checked a box. It sits in SharePoint.
Then an alert fires at 2:14 AM on a Saturday. The on-call analyst — who joined the team three months ago and has never handled this incident type — opens the playbook and finds 14 pages of process documentation that tells them everything about incident response philosophy and almost nothing about what to do RIGHT NOW.
What fails under pressure
Narrative format. Paragraphs of explanation work in training material. At 2 AM with an active threat, the analyst needs a decision tree: IF this, THEN do that. IF not, THEN check this instead. Binary choices, not nuanced guidance.
Missing the first 15 minutes. Most playbooks start at "Identify the incident type." The analyst already knows — the alert told them. What they need is the first 15 minutes: which 3 commands to run, which 2 logs to check, and whether to contain now or collect evidence first.
No containment decision framework. The playbook says "contain the threat." The analyst needs to know: does revoking this token lock out 200 users? Does isolating this server take down the customer portal? Every containment action has a blast radius. Playbooks that do not document the blast radius produce analysts who hesitate.
Assumes the senior analyst. The playbook was written by the senior analyst for the senior analyst. The person executing it at 2 AM is the most junior person on the rotation.
What works under pressure
Binary decision trees. "Is the attacker currently active? YES — contain immediately (Step 4). NO — proceed to evidence collection (Step 5)." Every decision point has exactly two branches.
The first 15 minutes on a single page. What do I check first? Who do I notify? Do I contain or collect? If the analyst reads nothing beyond the first page, they should still take the right actions.
Blast radius documentation on every containment action. "Revoke all sessions for this user — this will terminate their active Teams meetings, disconnect Outlook, and require re-authentication on all devices. Rollback: user re-authenticates normally, no data loss."
Written for the newest team member. If the newest analyst on the rotation can follow the playbook without calling the senior analyst, the playbook works.
The test that reveals the truth
Run a tabletop exercise. Hand the playbook to the most junior analyst, give them a scenario, and watch them try to follow it without asking questions. Every question they ask is a gap in the playbook. Every pause is a missing decision point. Every time they reach for the senior analyst is a failure of the document.
Fix the playbook after every tabletop. The first iteration is always wrong. The fifth iteration is usually functional. The tenth iteration is the one that works at 2 AM.
A playbook that survives contact with a real incident has three properties: it can be executed by the least experienced analyst on the team, it produces consistent outcomes regardless of who executes it, and it has been tested under simulated pressure before it is needed under real pressure. Everything else is documentation.