Incident Response Plan Generator — NIST 800-61r3 Aligned — CoreRecon
NIST SP 800-61r3 Aligned · 7-Phase · PDF Download

Your Custom Incident Response Plan

8 inputs. A complete, regulation-aware IR plan built for your industry, size, and regulatory regime — with notification timelines, containment playbooks, and pre-populated contact trees.

HIPAA · CMMC · CJIS · GLBA · FERPA · OT/SCADA Aware · Pre-Populated Notification Timelines · Roles & Contact Tree

1 Industry · 2 Size · 3 Regs · 4 OT/SCADA · 5 IR Status · 6 Insurance · 7 Roles · 8 RTO/RPO

Step 1 of 8

What Industry Are You In?

Selects industry-specific containment playbooks, threat actor profiles, and regulatory defaults.

Healthcare (HIPAA · TX HB 300): Hospitals, clinics, health systems, dental
Defense Contractors (CMMC · DIBNet): DIB primes, subs, DoD suppliers
Municipalities / Gov (CJIS · TX DIR): Cities, counties, state agencies, public safety
Financial / Credit Unions (GLBA · NCUA · FFIEC): Banks, CUs, RIAs, insurance, mortgage
Oil & Gas / Energy (TSA Pipeline · CISA): Upstream/midstream/downstream, pipelines
Water Utilities (AWIA · EPA · TCEQ): Community water systems, wastewater
Manufacturing (NIST CSF · CISA): Industrial, process, discrete manufacturing
Law Firms / Legal (TX Eth. Op 712 · ABA): Law firms, legal services, title companies
K-12 / Education (FERPA · COPPA · CJIS): School districts, charter schools
Other / General (NIST CSF): Retail, hospitality, technology, nonprofits

Step 2 of 8

Organization Size

Sets staffing assumptions for IR roles and scales severity response times.

10–49 Endpoints: Small org — lean IR team, vendor-dependent
50–199 Endpoints: Mid-market — partial IT staff, growing complexity
200–999 Endpoints: Enterprise-SMB — dedicated IT, IR team forming
1,000+ Endpoints: Large enterprise — full IR program expected

Step 3 of 8

Regulatory Regime

Select all that apply. Notification deadlines, regulator contacts, and compliance-specific controls will be auto-inserted into your plan.

HIPAA / HITECH: 60-day breach notification · HHS OCR
TX HB 300: 60-day notification · TX AG · Patient data
CMMC Level 1: FCI protection · Self-assessment
CMMC Level 2: 72-hr DIBNet · CUI protection · C3PAO
CJIS v6.0: 24-hr notification · FBI · CJI access revocation
GLBA Safeguards: 30-day FTC notification · Financial data
NCUA 748 / IRPS 23-1: 72-hr NCUA notification · Credit unions
PCI DSS v4.0: Immediate card brand notification · CHD
FERPA: ED notification · Student education records
TSA Pipeline SD 2021-02C: 12-hr CISA notification · OT/pipeline
AWIA §2013 / EPA: EPA notification · Water sector
TX SB 820: Ransomware reporting · State entities

Step 4 of 8

OT / SCADA Exposure

Determines whether OT isolation steps, ICS air-gap procedures, and operational continuity sections are included.

None: IT-only environment, no industrial control systems
Partial: Some OT/ICS exposure, partial IT/OT convergence
Heavy: SCADA/DCS/HMI central to operations, IT/OT converged

Step 5 of 8

Current IR Retainer Status

Sets escalation paths and fill-in-the-blank SOC contact fields in your plan.

No Retainer: Self-managed — internal IT handles incidents
Generic MSP: IT MSP on retainer, not security-specialized
Dedicated IR Firm: MSSP or IR firm on active retainer
CoreRecon (Current Client): CoreRecon SOC on 24/7 retainer

Step 6 of 8 — Optional

Cyber Insurance Status

Optional but recommended. Carrier name is included in your IR plan's insurer-notification section.

Active Policy: I have cyber insurance in force
Pending / Shopping: In underwriting or renewal process
No Policy: No cyber insurance currently
Not Sure: Need to verify with broker

Step 7 of 8 — Optional

Key Response Roles

Name + email are inserted into your plan's communication tree. All fields are optional — leave blank to use role placeholders.

🎖 Incident Commander
📢 Communications Lead
⚖️ Legal Counsel
🔧 Technical Lead
👔 Executive Sponsor
Step 8 of 8

Recovery Targets & Critical Systems

Used to populate the eradication & recovery phase, backup verification steps, and the severity matrix.

List your most critical systems — these will be prioritized in the recovery section.

Your IR Plan Is Ready

Enter your work email to receive your custom NIST 800-61r3 IR plan — including the PDF and a free IR retainer scoping call offer.

Incident Response Plan
Phase 1: Govern · Phase 2: Prepare · Phase 3: Detect · Phase 4: Analyze · Phase 5: Contain · Phase 6: Eradicate & Recover · Phase 7: Post-Incident
Run This Plan in a Live Tabletop
Test your IR team against a custom ransomware scenario with injects, decision points, and comms templates.