Security Playbooks Diagrams


Playbooks are best described in diagrams. In May 2017, a Google image search for ‘Security Playbooks’ did not return a helpful list of diagrams of Security Playbooks that can be easily used and adopted.

This Working Session will assess, create, and publish diagrams of Security Playbooks.

Ayehu’s site has a really good example of what these diagrams could look like:

The Phantom product seems to have native Playbook support (which can be also scripted):

Threat Connect also looks interesting:


  • Create and publish multiple Security Playbooks Diagrams


  • Diagrams of Security Playbooks published

Synopsis and Takeaways

We discussed how best to visualise the information contained in a playbook, realising that without data, we are restricted to process flows.

OWASP is proactive, but we recognise that certain situations are reactive by nature – you can only start to solve a problem after it has manifested.

We agreed that Playbooks should include process diagrams, but only where necessary. It is difficult to come up with diagrams without data, and data usually comes after the playbook has been followed (e.g., pen-test, bug bounty).

We also agreed that we should create iconography for different audiences to help readers define the scope of the playbook: either

  • The buyer or end-user, or
  • The person who has to follow the process, or
  • The person who has to take the result of the process and deal with the outcome (analyse, distil, process).


  • Security teams


Working materials

Here are the current ‘work in progress’ materials for this session


1. Introduction and purpose

2. Executive summary

3. Playbook (template table)

4. Global glossary

5. Conclusion

Back to list of all Working Sessions and Tracks

Edit this page here