Skip to content

Playbook Generation

After an exercise is scored, Salient generates an incident response playbook tailored to the gaps and strengths revealed during the session.

How It Works

Playbook generation uses two modes:

AI-Powered (Primary)

When an AI provider is configured, the playbook generator:

  1. Reads the exercise scenario and team responses
  2. Loads the organization's digital twin for context
  3. Analyzes identified gaps from scoring
  4. Generates a structured playbook that addresses specific weaknesses
  5. References tools and processes the team actually uses

The result is an organization-specific playbook — not a generic template, but a playbook that names your EDR tool, references your escalation chain, and addresses the exact gaps your team revealed.

Template Fallback

Without an AI provider, playbook generation uses structured templates based on:

  • The scenario type (ransomware, phishing, data breach, etc.)
  • The NIST CSF functions with lowest scores
  • Standard IR phases (preparation, detection, containment, eradication, recovery, lessons learned)

Template playbooks are useful but generic. They provide a starting framework without organizational context.

Playbook Structure

Generated playbooks follow a consistent structure:

# Incident Response Playbook: [Scenario Title]

## Executive Summary
Brief overview of the incident type and key response priorities.

## Preparation
- Required tools and access
- Team roles and responsibilities
- Communication channels

## Detection & Analysis
- Initial indicators
- Triage procedures
- Scope assessment

## Containment
- Immediate actions
- Short-term containment
- Evidence preservation

## Eradication & Recovery
- Root cause removal
- System restoration
- Validation steps

## Post-Incident
- Lessons learned
- Gap remediation plan
- Documentation updates

Generating a Playbook

Navigate to Playbooks, select a scored session, and click "Generate Playbook."

generate_playbook(session_id=1)
get_playbook(session_id=1)

/ttx playbook

Export

Playbooks are stored as markdown and can be:

  • Viewed in the browser UI with full formatting
  • Exported as markdown for integration into your documentation
  • Used as input for future exercises (test the playbook you just generated)

Iterative improvement

Generate a playbook after each exercise. Compare playbooks over time to see how your response procedures evolve. Each playbook reflects the twin's growing understanding of your organization.

Scoring · Running Exercises