What the IR plan generator includes
15-minute AI Plan Coach
Conversational interview covering industry, regulatory exposure, team size, technology stack, prior incidents, and insurance. Branches based on your answers.
Three template starting points
Expert template (built from 150+ real tabletops), NIST SP 800-61 Rev. 2, and ISO/IEC 27035-1:2023. Customization layered on top of the chosen base.
Plan as a computable entity
Structured data that drives task generation, SLA timers, and compliance flags when an incident is declared. Not a PDF the team forgets about.
Regulator and insurer mapping
NY DFS Part 500, HIPAA Security Rule, GDPR Article 32, NIS2 Article 21, DORA Article 6, PCI DSS 12.10. Plus standard cyber-insurance policy clauses.
Plan import
PDF, Word, and Markdown import on Command and Theater tiers. Existing plan is parsed and mapped to the computable entity model.
Plan exports
Board-ready PDF for binders, regulator submissions, and audit-committee meetings. Plan version history captured in the hash-chained ledger.
Why a computable IR plan matters
An IR plan that lives in a PDF is exercised once a year and forgotten the rest of the time. An IR plan that lives in the platform - as structured data, with version history, with referential links to runbooks, IRC roles, regulatory clocks, and tabletops - is exercised every time the team uses any of those surfaces. When an incident is declared, the plan generates the tasks. When a regulatory clock fires, the plan tells the team which deadline applies. When a tabletop runs, the plan is the script. When the AAR identifies a gap, the gap remediation tracker references the plan section that needs updating. The plan stops being a paper artifact and starts being the operating system the team runs on.
Common questions
How long does it take to generate an IR plan?
A 15-minute conversational interview with the AI Plan Coach produces a complete, customized IR plan. The interview covers your industry, regulatory exposure, team size, technology stack, prior incidents, and insurance requirements. The output is mapped to NIST SP 800-61 Rev. 2, ISO/IEC 27035-1:2023, your applicable regulators (GDPR, HIPAA, SEC, NY DFS, NIS2, DORA, state laws), and your cyber insurance policy clauses.
What standards does the IR plan map to?
NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide), ISO/IEC 27035-1:2023 (Information security incident management), NIST CSF 2.0, and MITRE ATT&CK. Three template starting points are included: the Expert template (built from 150+ real tabletops), NIST SP 800-61, and ISO/IEC 27035. Customization layers each organization's industry, regulatory exposure, and insurance requirements on top.
What does it mean that the plan is a computable entity?
The IR plan is not a PDF the team forgets about. It is structured data that drives task generation when an incident is declared, SLA timers for each task, compliance flags when regulatory deadlines are approaching, and AAR comparisons after the incident closes. The plan, the response, and the audit trail share the same underlying entities - so the team is always running their actual plan, not a simplified summary of it.
Can we import an existing IR plan?
Yes. PDF, Word, and Markdown imports are supported on Command and Theater tiers. The plan is parsed, mapped to the IR-OS computable entity model, and presented for the security team to confirm or adjust. Sections that do not map cleanly are surfaced for manual review. Theater tier includes white-glove import setup with a 60-minute working session.
Does the plan satisfy regulator and insurer requirements?
The generated plan is regulator-ready under NY DFS Part 500, HIPAA Security Rule, GDPR Article 32, NIS2 Article 21, DORA Article 6, PCI DSS 12.10, and state-level requirements where applicable. It is also written to satisfy standard cyber insurance policy requirements (incident response plan attestation, IRC role naming, tabletop schedule, AAR cadence). The plan is exportable as PDF for binders, regulator submissions, and audit-committee meetings.