Hands-On Playbooks: Workshop
RCCE students will learn incident response playbook development, maintenance, and execution including playbook structure, decision trees, automation integration, and playbook testing. RCCE students will learn to develop incident response playbooks for common attack scenarios, structure playbooks with clear triggers, decision points, escalation criteria, and resolution steps, integrate playbook actions with SOAR platforms for automated execution, test and validate playbooks through tabletop exercises and simulations, maintain playbook currency as the threat landscape evolves, measure playbook effectiveness through response time and outcome metrics, and build a comprehensive playbook library that covers the full spectrum of organizational security incidents. This practice-intensive course emphasizes applied skills through lab exercises, real-world scenarios, and production-realistic workflows. Building on core knowledge, RCCE students will learn by doing, building muscle memory and practical confidence through repeated hands-on engagement. Students complete exercises that mirror actual workplace tasks, ensuring skills transfer directly to their professional roles.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Hands-On Playbooks: Workshop
- Execute hands-on tasks for hands-on playbooks: workshop
- Build detections and response workflows for privilege escalation
- Execute hands-on tasks for learning objectives
- Execute hands-on tasks for playbook development — covering Build IR playbooks for common.
- Execute hands-on tasks for structure & flow — covering triggers, decision, Connect playbooks to.
- Integrate privilege controls with identity providers and SIEM telemetry, including Connect playbooks to.
- Execute hands-on tasks for testing & validation — covering Conduct tabletop exercises.
- Execute hands-on tasks for maintenance lifecycle — covering Keep playbooks current with.
- Measure attack surface reduction and program effectiveness — covering response time and.
- Execute hands-on tasks for what is an ir playbook?
- Execute hands-on tasks for core purpose — covering Documented, repeatable response procedure, Speed: cut MTTR by 40-60%, Playbook = strategic decision framework with branching logic.
- Execute hands-on tasks for playbook vs. runbook vs. procedure — covering Playbook = strategic decision framework with branching logic, Runbook = step-by-step operational checklist (linear).
| Module 01 | Hands-On Playbooks: Workshop |
| Module 02 | Incident Response Playbook Development, Maintenance & Execution |
| Module 03 | Learning Objectives |
| Module 04 | Playbook Development |
| Module 05 | Structure & Flow |
| Module 06 | SOAR Integration |
| Module 07 | Testing & Validation |
| Module 08 | Maintenance Lifecycle |
| Module 09 | Metrics & Effectiveness |
| Module 10 | What Is an IR Playbook? |
| Module 11 | Core Purpose |
| Module 12 | Playbook vs. Runbook vs. Procedure |
| Module 13 | Playbook Maturity Model |
| Module 14 | Ad Hoc |
All hands-on labs run on Rocheston Rose X OS. Students practice hands-on playbooks: workshop by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for hands-on playbooks: workshop
- Lab 2: Build detections and response workflows for privilege escalation
- Lab 3: Execute hands-on tasks for learning objectives
- Lab 4: Execute hands-on tasks for playbook development
- Lab 5: Execute hands-on tasks for structure & flow
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Hands-On Playbooks: Workshop, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI