After running more than 150 tabletop exercises with executive teams, I kept watching the same pattern. The technical side of incident response was usually fine. The executive side was a coordination disaster. Legal, Communications, Finance, and the CEO were trying to make decisions in the first day that should have been made in the first hour. The cost of that gap was every regulator clock missed, every customer notification rewritten three times, and every board email that contradicted the last one. The 72-Hour IR Executive Playbook is the framework I built to close that gap.
What This Framework Does
The 72-Hour IR Executive Playbook is not a SOC playbook. SOC playbooks are everywhere and most of them work. The framework covers the part nobody else writes down. It is the executive layer above the SOC. It maps every hour of the first three days to the specific decision that has to land in that hour, who owns it, who needs to be in the room, and what the cost looks like if the decision drifts to the next hour. The framework has three phases: the first 6 hours, hours 6 through 24, and hours 24 through 72. Each phase has its own decision rights, its own communication rhythm, and its own measure of success.
Phase 1, The First 6 Hours
The goal of the first 6 hours is one thing. Get a single source of truth, a single executive war room, and a single regulator clock. Most of the response patterns I have seen fail in this window because three or four parallel narratives form before anyone names a single source of truth. Slack threads, executive text messages, an open Zoom that nobody is captaining, and a Legal email chain that the CEO has not seen yet. Within 6 hours all of that has to collapse into one room with a designated incident commander on the executive side, separate from the technical incident commander running containment.
The decisions that have to land inside Phase 1, in order, are these. First, declare the incident formally. Not in a chat thread. In writing. With a timestamp. That timestamp starts every regulatory clock that follows. Second, name the executive incident commander. This is rarely the CISO. The CISO is too valuable in the technical room. Pick the COO, the General Counsel, or the Chief of Staff. Third, lock the communication perimeter. Decide who is allowed to post in the war room, who has to stay quiet, and what email aliases trigger which response. Fourth, freeze press, customer, and regulator messaging until Phase 2. Many of the worst breach narratives start when somebody on the marketing team posts a holding statement they wrote alone at hour 4. Fifth, set the clock. A literal clock. Visible to everyone. Counting up from incident declaration.
Phase 2, Hours 6 Through 24
Phase 2 is where the executive team starts spending money. Outside counsel, forensics retainer activation, ransom posture decision, customer notification posture, and the first regulator notification draft. Every one of those is a financial decision and a legal decision before it is a technical one. The pattern that breaks here is when the company has not pre-decided the ransom posture. They are debating it for the first time at hour 9 with a stranger from a forensics firm on the speakerphone. By Phase 2 the answer should already be on file. Yes pay, no pay, depends on these conditions. The Cyber Insurance Readiness Score makes that explicit, which is one of the reasons it matters before you ever need it.
Phase 2 also covers the first board notification. Most boards are notified late and notified messy. The framework gives you a 200 word board update template that goes out at hour 12, hour 24, and hour 48. The template has six fields. What we know, what we do not know, what we are doing about it, what could change in the next 12 hours, what we need from the board, and what the next update will cover. Six fields. That is it. If you cannot fill in all six, send the update anyway and write unknown into the fields you cannot fill.
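The visible clock from Phase 1 and the six-field board template above are simple enough to keep in a small tool so nobody has to work out phase boundaries or update times in their head at hour 9. The Python below is an added illustration, not part of the playbook itself: it takes the formal declaration timestamp, reports elapsed hours, the current phase and the next board update, and renders the template with unknown written into any field left empty. The phase boundaries and update cadence are the ones stated on this page; the sample incident times are constructed.

```python
from datetime import datetime, timedelta, timezone

# Phase boundaries from the playbook, in hours counted up from formal declaration.
PHASES = [(0, 6, "Phase 1"), (6, 24, "Phase 2"), (24, 72, "Phase 3")]
BOARD_UPDATE_HOURS = (12, 24, 48)  # cadence of the 200 word board update
BOARD_FIELDS = (
    "what we know", "what we do not know", "what we are doing about it",
    "what could change in the next 12 hours", "what we need from the board",
    "what the next update will cover",
)

def hours_since(declared_at: datetime, now: datetime) -> float:
    """Elapsed hours on the war room clock; it counts up from declaration."""
    return (now - declared_at) / timedelta(hours=1)

def current_phase(elapsed_hours: float) -> str:
    """Map elapsed hours to the playbook phase, or flag that 72h has passed."""
    for start, end, name in PHASES:
        if start <= elapsed_hours < end:
            return name
    return "beyond 72h"

def next_board_update_hour(elapsed_hours: float):
    """Return the next scheduled board update hour, or None after hour 48."""
    return next((h for h in BOARD_UPDATE_HOURS if elapsed_hours < h), None)

def clock_status(declared_at: datetime, now: datetime) -> dict:
    """One-line status for the wall: elapsed time, phase, next board update."""
    elapsed = hours_since(declared_at, now)
    nxt = next_board_update_hour(elapsed)
    return {"elapsed_hours": round(elapsed, 2), "phase": current_phase(elapsed),
            "next_board_update_at": declared_at + timedelta(hours=nxt) if nxt else None}

def board_update(hour: int, **known: str) -> str:
    """Render the six-field template; any field not supplied reads 'unknown'."""
    lines = [f"Board update, hour {hour}"]
    for name in BOARD_FIELDS:
        lines.append(f"{name}: {known.get(name.replace(' ', '_')) or 'unknown'}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample: declared 09:00 UTC, status checked nine hours later.
    declared = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    print(clock_status(declared, declared + timedelta(hours=9)))
    print(board_update(12, what_we_know="one file server encrypted, contained at 13:40"))
```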
Phase 3, Hours 24 Through 72
Phase 3 is when the press calls. Not might call. Will call. By hour 24 some combination of a customer, a partner, a regulator, or an insider has leaked something, and a journalist will be reaching out to verify. The framework has a single rule for press in Phase 3. Never let the first journalist reach somebody who is not on the war room roster. That includes the CEO if the CEO has not been pre-briefed by Communications. The CEO is the highest risk speaker in the first 72 hours because the CEO has the most authority and the least context. The framework keeps the CEO inside an internal communications channel until the war room agrees on the external statement.
Phase 3 is also when restoration begins. Restoration means deciding which systems come back first, which stay down, and which have to be wiped before they come back. The technical team knows the answer. The executive team has to authorize the cost. A good Phase 3 has a daily 30 minute restoration review with the CFO in the room, because by hour 48 you are usually three to seven days from a recovery cost estimate that will surprise the board.
How To Use The Framework Before You Need It
The 72-Hour IR Executive Playbook is most valuable when you walk through it on a calm afternoon, not under pressure. Pick a Tuesday. Block 90 minutes. Bring the CEO, COO, General Counsel, CFO, CISO, and head of Communications into one room. Read the three phase outlines aloud. Then walk through your own organization. Who is the executive incident commander? Where does the war room run? What is the ransom posture on file? Who calls the board first? What is the press protocol when somebody from CNBC emails the CEO at 11pm on a Saturday? If you cannot answer those questions inside 90 minutes, you have already found the gap. That gap will cost you between 18 and 36 hours under live pressure.
I cover this framework as a keynote, as a workshop, and as a board briefing. The keynote runs 45 to 60 minutes and is right for executive audiences who want a frame they can apply on Monday morning. The workshop runs 3 to 6 hours with your actual leadership team in the room walking through your specific organization. The board briefing is a 30 minute version designed for directors who want to know what to ask the CISO and the CEO at the next quarterly meeting. Reach out through the contact form for a tailored quote on whichever format fits your event.
Key Takeaways
- The 72-Hour IR Executive Playbook is a Mark Lynd framework that maps each hour of the first three days of a ransomware response to the specific executive decision that has to land in that hour.
- Phase 1, the first 6 hours, is about collapsing parallel narratives into one war room with one incident commander, one source of truth, and one regulator clock.
- Phase 2, hours 6 through 24, is when the company starts spending money and notifying its first audiences. Ransom posture should already be on file.
- Phase 3, hours 24 through 72, is when the press calls and restoration begins. The CEO is the highest risk speaker until pre-briefed.
- The framework is most valuable rehearsed before you need it. A 90 minute walkthrough with the executive team usually surfaces between 18 and 36 hours of recoverable response time.