Rolling for Resilience Part 4 - Boots in the Field: Manuals for Real-Time Action

Author: Giovanni Cofré

This is the fourth post in this series addressing my perspective on the current state of Cybersecurity Incident Response training and an approach to improve interest, participation, and expanded learning.
Part I can be found here.
Part II can be found here.
Part III can be found here.

Part IV: Boots in the Field
Manuals for Real-Time Action

When the horn sounds and the dice hit the table, all eyes scan for cues. Not just alerts on the dashboard, but body language across the room. Who moves first? Who speaks up? Who freezes? In those early moments, the only thing louder than the alarm might be the silence of waiting for someone else to act.

Your team is not flipping open laminated doctrine or clunky binders; they are reacting with what they practiced, what they trust, and what they understand. This is more than merely following rules and steps. They need to move with rhythm, not stumble through the incident, with a flow that emerges from clarity, not confusion. This is the moment your team’s field guides come into play. Each team should have its own runbooks, quick-reference guides, and breach-time binders, the ones they actually reach for.

From Scrolls to Strategy: The Transition from Prep to Practice

While Scrolls of Response (Part 3) is about alignment and policy, defining roles, escalation paths, and regulatory touchpoints, field guides are your real-time action tomes. They are not theoretical. They are the quick-reference battle maps that detail what to do right now, providing a level of readiness that was honed during the tabletop exercises.

Great field guides do not merely echo their source playbooks. They embody urgency. They translate planning into real-time, strategic action under pressure. Like sheathed blades hanging on your belt, they are familiar, well-practiced, and always within reach. They focus on movement: who acts, when they act, and how they act. Without hesitation.

When the incident starts, there is no time to rediscover the wheel. Every moment spent searching for authority or approval is a moment the threat actor extends their foothold and evades containment. While Part 3 discussed the higher-level coordination of playbooks, we now focus on the actions and tools used in the dungeon crawl itself: field guides.

This is where the boots hit the floor. The spell scrolls become muscle memory.

What Makes a Great Field Guide?

Field guides are born in chaos but refined through iteration. The best ones share key traits:

Modular: Tailored to multiple environments (cloud, on-prem, hybrid) with optional paths to action.

Actionable Steps: Not conceptual references. Exact sequences, command-line examples, screenshots, dropdowns, and alternative actions for when the default options fail.

Role-Specific Guidance: A field guide for the Rogue (Security Analyst) differs in tone and content from those used by a Cleric (HR) or Wizard (Legal).

Time-Awareness: Account for timelines, escalation cutoffs, and regulatory clocks. They do not say “Notify Legal”; they say “Within one (1) hour of discovery, notify the Legal contact listed in Appendix A of this document.”

Pre-Battle Familiarity: Not seen for the first time mid-incident. It is reviewed, practiced, and updated regularly.

A great field manual doesn’t simply explain a policy; it walks you through a scenario. These manuals are written in active language, rich with screenshots, IP examples, decision thresholds, and fallback paths. They should be concise enough to be used during an incident, but rich enough to provide clarity when under stress.

Think of a field manual as your dungeon map, not the campaign narrative, but the line-by-line navigation when the pressure mounts.

For example, a response playbook might say:

"Contain lateral movement by isolating compromised hosts."

A field manual says:

"From the SIEM console, select offending endpoint X. Use the Contain Host option under Actions. Confirm containment status in less than 2 minutes. If containment fails, escalate to Tier 3 and proceed with VPN ACL block at firewall Z."

A field manual does not suggest. It directs. With clarity and speed.

Runbooks in the Wild: Examples from the Field

Field guides are often distilled into runbooks, purpose-built play sequences for specific incident types.

Runbooks are the battle-tested versions of field guides. These are what teams actually use when the castle is under siege.

Drawing from real-world campaigns, some basic examples of runbook outlines found in well-prepared organizations include:

Phishing Response

  • Identify reported email via ticket or direct message
  • Retrieve headers and hash attachments
  • Search mail server logs for similar artifacts
  • Quarantine affected inboxes
  • Check for credential use within past 24 hours
  • Alert Legal if impact threshold is crossed
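
As an added example (not from the original post), the following Python sketch walks steps 2, 3 and 5 of the phishing runbook above over constructed sample data: it reads the headers and hashes the reported attachment, finds the inboxes that received the same sender or attachment hash in a hypothetical mail-gateway log, and lists successful logins by those users in the 24 hours before the report. All addresses, log formats and the attachment bytes are assumptions made up for the demonstration.

```python
import base64
import email
import hashlib
from datetime import datetime, timedelta, timezone
from email import policy
# Constructed sample data (hypothetical users, senders and log formats; not real mail).
ATTACHMENT = b"not a real macro, just constructed sample bytes"
ATTACHMENT_SHA256 = hashlib.sha256(ATTACHMENT).hexdigest()
REPORTED_EMAIL = (
    b"From: payroll@example-invalid.test\r\nTo: alice@corp.example\r\n"
    b"Subject: Updated payroll form\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\n'
    b"Content-Type: text/plain\r\n\r\nPlease review.\r\n--b1\r\n"
    b'Content-Type: application/octet-stream; name="form.xlsm"\r\n'
    b'Content-Disposition: attachment; filename="form.xlsm"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(ATTACHMENT) + b"\r\n--b1--\r\n"
)
MAIL_LOG = [  # constructed mail-gateway log, one line per delivered message
    "2025-06-03T09:13:05Z from=payroll@example-invalid.test to=alice@corp.example attach_sha256=" + ATTACHMENT_SHA256,
    "2025-06-03T09:13:09Z from=payroll@example-invalid.test to=bob@corp.example attach_sha256=" + ATTACHMENT_SHA256,
    "2025-06-03T09:20:00Z from=news@vendor.example to=carol@corp.example attach_sha256=-",
]
AUTH_LOG = [  # constructed identity-provider log
    "2025-06-03T11:40:00Z user=bob@corp.example result=success src=203.0.113.7",
    "2025-06-01T08:00:00Z user=alice@corp.example result=success src=198.51.100.4",
    "2025-06-03T10:05:00Z user=carol@corp.example result=success src=198.51.100.9",
]
REPORTED_AT = datetime(2025, 6, 3, 12, 0, tzinfo=timezone.utc)  # time of the user report

def parse_line(line):
    """Split a 'timestamp k=v k=v' log line into (datetime, dict)."""
    ts, *pairs = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), dict(p.split("=", 1) for p in pairs)

def extract_artifacts(raw):
    """Runbook step 2: read the headers and hash every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hashes = {p.get_filename(): hashlib.sha256(p.get_payload(decode=True)).hexdigest() for p in msg.iter_attachments()}
    return str(msg["From"]), hashes

def affected_inboxes(mail_log, sender, hashes):
    """Runbook step 3: recipients of any message from the sender or carrying a known hash."""
    return sorted({f["to"] for _, f in map(parse_line, mail_log)
                   if f["from"] == sender or f["attach_sha256"] in hashes.values()})

def recent_logins(auth_log, users, reported_at, window=timedelta(hours=24)):
    """Runbook step 5: successful logins by affected users in the window before the report."""
    return [f["user"] for ts, f in map(parse_line, auth_log)
            if f["user"] in users and f["result"] == "success"
            and reported_at - window <= ts <= reported_at]
```

The returned inbox list feeds the quarantine step, and the login list is what the responder checks against the "impact threshold" before deciding whether Legal is alerted.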

Malware | Ransomware Containment

  • Immediately isolate affected hosts from network
  • Pull backup restoration points from storage
  • Capture memory and disk artifacts (if safe to do so)
  • Upload to a sandbox or threat intel service
  • Notify DR lead and initiate failover protocol if SLA breached

Unauthorized Privilege Escalation

  • Validate trigger (SIEM alert, EDR log)
  • Run Get-ADUser scripts to identify source
  • Disable session/token
  • Notify IAM lead and investigate RBAC policy drift

Media Inquiry

  • Provide pre-approved holding statements
  • Refer to escalation contacts
  • Follow the decision tree for Legal clearance

These guides remove hesitation. They do not describe the compromise faced; they arm the responder to act within it while leaving space for judgement.


Learning Mid-Fight: Incorporating Lessons into Future Scrolls

Not every action will work as expected. That is not failure…it is fuel.

Lessons learned, debriefs, and post-mortems must feed the scrolls (Playbooks and Field Guides). Lessons learned become amendments, annotations, and sometimes entire new volumes.

Some base questions to ask:

  • Did the escalation timeline fit reality?
  • Did responders know where the guides lived?
  • Were any steps skipped due to ambiguity or technical limitations?
  • Did we overcomplicate the flow?
  • Were there conflicting instructions across teams?

The feedback should not live on a forgotten Confluence page. It must be codified, versioned, and retrained. This is where operational maturity lives, not in never making a mistake, but in never making the same one twice.

Your playbooks are your lore. Your field guides are your tactics. Together, they make sure your party does not just survive the dungeon…but clears it, loots it, and levels up, sharpening their blades for the next battle.


Next up in Part 5: From Scrolls to Side Quests - we build department-specific campaigns that reflect real adversary behavior, unique team stressors, and ways to build morale while measuring resilience.

About The Author:

Giovanni Cofré joins Secure Ideas with 25+ years of IT experience, specializing in network security for corporate, OT, and e-commerce environments since 2000. He's committed to mentoring security professionals and promoting security awareness. His expertise spans multiple industries in both private and public sectors, where he's implemented security frameworks based on CIS CSC, HITRUST, PCI, GDPR, and NIST standards. Giovanni is skilled in vulnerability assessment, penetration testing, and developing practical security processes. His notable work in e-commerce and energy industries includes establishing secure coding practices and maturing enterprise security strategies. Giovanni focuses on environment-specific practices that meet business needs while building resilient infrastructures.

Read More by Giovanni: Operational Technology’s use of Wireless Networks