Playbooks vs Handbooks

A Playbook can be

“A document defining one or more business process workflows aimed at ensuring a consistent response to situations commonly encountered during the operation of the business” (Wikipedia)


The Cisco security blog describes a Playbook in the following way:

“… To be clear, the Playbook is for organizing and documenting security monitoring. It isn’t an incident response handbook or a policy document or any other type of security document or handbook. The Playbook may reference things like the Incident Response Handbook or Acceptable Use Policy, but it isn’t a replacement for these….”

(see Using a “Playbook” Model to Organize Your Information Security Monitoring Strategy )

But should this distinction be made?

Isn’t it better to consolidate the actions of the SecOps Team, AppSec Team, and SOC into Playbooks (i.e. workflows on how to act/behave)?

This Working Session will discuss and clarify these issues with the aim of agreeing on a definition of Playbook.


  • Clarify concepts
  • Agree on definition of Playbook


  • Agreed definition of Playbook


The target audience for this Working Session is:

  • Security teams

Working materials

Here are the current ‘work in progress’ materials for this session

(please add as much information as possible before the sessions)


1. Introduction and purpose

2. Executive summary

3. Playbook (template table)

4. Global glossary

5. Conclusion

Back to list of all Working Sessions and Tracks

Edit this page here