Rolling for Resilience Part 3: Battle Prep - The Scrolls of Response

Author: Giovanni Cofré

This is the third post in this series addressing my perspective on the current state of Cybersecurity Incident Response training and an approach to improve interest, participation, and expanded learning.
Part I can be found here.
Part II can be found here.


Part III: Battle Prep - The Scrolls of Response

Before initiative is rolled and the encounter begins, wise adventurers prepare. This goes beyond sharpening swords and fletching arrows to include crystallizing knowledge and drawing battle plans. Before the first alert flashes in the SIEM or the rogue USB is inserted, there must be a call for readiness. When the encounter takes the form of incident response, this preparation is collected in scrolls: playbooks, regulatory mandates, communication requirements, and decision trees that guide every member of the party. These are the “Scrolls of Response”, and they are part of the lifeblood of battle prep.

These are not ancient prophecies or arcane incantations; they are departmental playbooks. In the same way a party would not step into a dungeon without arms and armor, lockpicks and potions, organizations should not enter the chaos of incident response (IR) without structured guidance.

And just like spell scrolls, these documents are not meant to be decorative. They are meant to be well learned and ready to be cast.



The Scrolls We Study Before the Fight

Not every table-top is about slaying dragons. Many are about slaying confusion. When an incident strikes, preparation is what separates a reactive scramble from a cohesive defense. That preparation often lives in documents (scrolls) that are either treasured or forgotten until needed most.

These scrolls do more than inform. They unify… When each team brings their own lexicon, priorities, and risk tolerance, a shared playbook becomes their Rosetta Stone. It bridges the arcane language of Legal with the candid tongues of Security and the comforting mantras of HR. It turns “who does what when” into a well-practiced spell, not a chaotic ritual mid-battle.

Playbooks outline the actions each team should take before, during, and after an incident. They differ from field manuals, which we will dive into in Part 4, by focusing more on structured processes than tactical execution.

These scrolls define:

  • Roles and responsibilities during an incident (Who leads? Who informs?)
  • Decision trees for containment vs. recovery
  • Escalation criteria and when to page the higher-level Mages
  • Regulatory touchpoints, such as timelines for notifying authorities
  • Inter-departmental dependencies, including Legal, HR, and PR actions


A well-written playbook does not just direct technical actions; it guides communication, coordination, and compliance. It aligns the party (Clerics, Rogues, Bards, and all) so they can act in harmony instead of disarray.



Knowing Your Scroll’s Origin: Regulatory Alignment

Among these scrolls lie ancient runes… regulations and obligations etched not by your party, but by distant emperors known as regulators. Whether your campaign world is governed by HIPAA, PCI-DSS, NERC-CIP, GDPR, or CMMC, your scrolls must honor the laws of the realm.

Every scroll is written for a reason. Often, that reason is law.

Security incidents rarely remain internal anymore. Each of these frameworks demands different feats:

  • HIPAA notifications within 60 days of discovery, if patient data is compromised
  • GDPR breach disclosure casts a 72-hour reporting timer
  • SEC cyber incident reporting within 4 business days (for public companies)
  • CMMC asks you to show your work, prove your security posture, even mid-incident
  • NERC-CIP is less forgiving; a misstep in critical infrastructure may lead to fines, audits, and even public shaming on the scrolls of the realm
  • State breach laws, which vary drastically by realm

Your Scroll of Response should reference these timelines and define:

  • Who determines if notification is required?
  • Who crafts the message?
  • Who delivers it?
  • Who ensures it is recorded for audit purposes?
  • And many other business specific items…
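As an added example (not part of the original post), a small Python helper that turns the timelines listed above into concrete deadlines for a given discovery time, so a playbook can state who owns each clock and when it expires. The owner role for each clock and the sample discovery date are assumptions for illustration; public holidays are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Obligation:
    framework: str
    owner: str           # role that decides whether notification is required
    hours: int = 0       # clock length in hours (0 if measured in business days)
    business_days: int = 0


# Timelines as stated in the post. Owner roles are an assumption for illustration:
# the post's Bard (Legal) decides what triggers breach notification.
OBLIGATIONS = (
    Obligation("HIPAA", "Bard (Legal)", hours=60 * 24),
    Obligation("GDPR", "Bard (Legal)", hours=72),
    Obligation("SEC", "Bard (Legal)", business_days=4),
)


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by `days` weekdays. Weekends are skipped; public holidays are not modelled."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday..Friday count, Saturday/Sunday do not
            days -= 1
    return current


def deadline_for(ob: Obligation, discovered: datetime) -> datetime:
    """Compute the notification deadline once the clock starts at `discovered`."""
    if ob.business_days:
        return add_business_days(discovered, ob.business_days)
    return discovered + timedelta(hours=ob.hours)


def notification_clock(discovered: datetime, applicable: set[str]) -> list[tuple[str, str, datetime]]:
    """Return (framework, owner, deadline) for each applicable framework, earliest deadline first."""
    rows = [(ob.framework, ob.owner, deadline_for(ob, discovered))
            for ob in OBLIGATIONS if ob.framework in applicable]
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    # Constructed sample: discovery on a Friday morning, so the SEC clock spans a weekend.
    found = datetime(2024, 5, 31, 9, 0)
    for framework, owner, due in notification_clock(found, {"HIPAA", "GDPR", "SEC"}):
        print(f"{framework:<6} {owner:<14} due {due:%Y-%m-%d %H:%M}")
```

Running it on the constructed Friday discovery shows the GDPR clock expiring on Monday morning, the SEC clock on Thursday (four weekdays later), and HIPAA sixty calendar days out.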


These obligations do not wait for you to finish your kaethea (coffee) or akackia (mocha). They are time-bound, role-specific, and riddled with conditional triggers. This means your scrolls must account for them, in plain language, with roles distributed across the party.

A Paladin (IT Support) might not know what GDPR says about consent, but they must know to call the Bard (Legal) when customer data is exposed.

This is not just compliance. It is narrative control.



Living Documents, Not Ancient Texts

Response playbooks are often mistaken for checklists. But in truth, they are storyboards. They should not just ask “what to do,” but illuminate “why to do it” and “what happens next.”

Too often, playbooks gather digital dust. They are reviewed once a year, or worse… only when required by an audit. But no party should or would rely on spells they have never cast.

Effective playbooks speak in character:

  • To the Warrior (IT Ops): "Here is how you power down a compromised server without nuking evidence."
  • To the Bard (Legal): "Here is what triggers breach notification, and who needs to approve the wording."
  • To the Cleric (HR): "Here is when employee privacy becomes a concern and when to escalate."
  • To the Rogue (Security): "Here is your sandbox for containment… and your limit before cross-team consent is needed."

This is not just knowledge sharing; it is combat choreography. A coordinated dance that allows for improvisation but remains grounded in shared purpose.

That is why table-top exercises are critical. They test the scrolls. They highlight where they are vague, outdated, or missing entirely. They ensure your communications team knows how to handle a PR fireball and that your Legal counsel is not reading from last campaign’s rulebook.

The best time to find out your scroll needs a rewrite is before you are in the dungeon.



What Scrolls Reveal

In table-top exercises, poorly written or absent scrolls reveal themselves quickly:

  • One team freezes, unsure of what they are “allowed” to say to the press
  • Another oversteps, disabling accounts without a chain of approval
  • A third scrambles to find last year’s breach notification template buried in an archived campaign folder

In these moments, you are not failing the incident; you are discovering your missing and misplaced scrolls. This is the value of table-top exercises: uncovering the gaps in the library before the siege begins.



The Tome of Lessons

So what do we log in the campaign journal after a scroll-driven exercise?

  • Which roles hesitated? Was the scroll unclear or simply unlearned?
  • Which steps caused conflict between departments? Did two scrolls contradict?
  • Which regulatory runes were misunderstood or entirely unknown?


These questions do not accuse; they illuminate. Because the goal is not flawless performance on the first run. It is discovering where your scrolls need footnotes, clarifications, or complete rewrites.




Next Scroll: Boots in the Field

The scrolls (playbooks) prepare the mind. But once the enemy breaches the gates, we shift to field manuals…tactical guides for real-time response. Where playbooks are about roles and responsibilities, field manuals are about commands and consequences… practical, concise, tactical, and forged through experience.

Up next, in Part 4: Boots in the Field - Manuals for Real-Time Action, we’ll explore:

  • What makes a great field guide
  • Examples of runbooks used during active incidents
  • How to incorporate Lessons Learned into future scrolls

This next chapter dives into how your party moves after the horns sound, when the dice hit the table and the only thing louder than the alarm is the silence of waiting for someone else to act.

Until then, gather your party. Review your scrolls. And make sure your Rogue knows not to open every chest without checking for traps.



This is the third in a series of posts to help encourage support for changes in how training can and should be approached. At Secure Ideas we specialize in table-top exercises, training, consulting and advisory services, security assessments, PCI DSS Compliance, vulnerability management and penetration testing services that help provide our clients visibility into what goes unnoticed. Whether providing in-house Cybersecurity training, securing Industrial Control Systems (ICS), or performing penetration testing, our objective is to help clients understand hidden risks, expand the Cybersecurity mind-set and culture, and ensure safe and resilient operations.

About The Author:

Giovanni Cofré joins Secure Ideas with 25+ years of IT experience, specializing in network security for corporate, OT, and e-commerce environments since 2000. He's committed to mentoring security professionals and promoting security awareness. His expertise spans multiple industries in both private and public sectors, where he's implemented security frameworks based on CIS CSC, HITRUST, PCI, GDPR, and NIST standards. Giovanni is skilled in vulnerability assessment, penetration testing, and developing practical security processes. His notable work in e-commerce and energy industries includes establishing secure coding practices and maturing enterprise security strategies. Giovanni focuses on environment-specific practices that meet business needs while building resilient infrastructures.
