RaccoonIR

Purple Team Incident Response Playbook

Comprehensive Playbook Overview & Simulation Report

How This Playbook Works

RaccoonIR is a structured incident response playbook planner that connects system dependency models (what can go wrong) with response activities (what we do about it). The core workflow is:

Model the System — Define operational goals as Dependency Model trees, where each goal depends on sub-goals connected by AND/OR/UNCONTROLLABLE gates with probability values.
Design the Playbook — Create hierarchical response activities with roles, objectives, action types, data flows (artifacts), and MITRE ATT&CK/D3FEND mappings.
Link Activities to Goals — Connect playbook activities to dependency model paragons via ActivityImpacts, specifying how each response action changes the probability of an operational outcome.
Simulate & Analyse — Use the Impact View to run what-if simulations, stepping through activities to see how cumulative response actions shift system probabilities and the Change in Operations (CiO) metric.

Section 1: Dependency Models

The dependency model represents the system's operational goal structure as a directed acyclic graph (DAG). Each node (paragon) has a type — AND (all children must succeed), OR (any child suffices), or UNCONTROLLABLE (external factor with fixed probability). Probabilities propagate from leaves to root, giving a quantitative view of operational risk.

Section 2: Playbooks

Playbooks define the incident response process as hierarchical activity diagrams. Each activity (PlaybookProcess) specifies objectives (Detect, Contain, Eradicate, Recover), action types (Technical, Administrative, Physical), responsible roles, and data flows via artifacts. Activities can be nested into sub-processes for complex multi-stage responses.

Section 3: Impact View — Cross-Model Simulation

The Impact View is the central analysis tool. It shows playbook activities (left) and the dependency model (right) side-by-side, connected by ActivityImpact arrows. Three simulation modes are available:

Preview — Click any activity to instantly see its isolated effect on system probabilities.
Execute — Toggle activities as "executed" to see cumulative impact build up.
Step — Walk through activities in sequence, watching probabilities shift step by step.

This view answers the key question: "If we execute these response actions, how does our operational posture change?"

Section 4: Metrics

The Metrics tab presents computed values for every paragon in the dependency model:

Probability (P) — Current likelihood the paragon's condition holds (propagated through AND/OR gates).
Change in Operations (CiO) — The difference in probability before vs. after applying activity impacts. Positive CiO means the response improves the situation; negative means degradation.
Critical Threshold — A user-defined boundary below which an alert fires, highlighting paragons at risk.

[Metrics Report — see interactive view]

Section 5: SYMBIOSIS

The SYMBIOSIS module maps business objectives to security measurement goals, security metrics, and base measurements — creating a traceable chain from strategic intent to measurable security KPIs. This ensures the playbook's response activities are aligned with organisational goals.

[SYMBIOSIS Alignment — see interactive view]

Section 6: MITRE ATT&CK / D3FEND Mapping

Each playbook activity can be tagged with MITRE ATT&CK techniques (adversary actions being countered) and MITRE D3FEND countermeasures (defensive techniques being applied). The MITRE View aggregates these mappings to show full technique coverage across the playbook, identifying gaps in detection and response capability.

[MITRE ATT&CK/D3FEND Coverage — see interactive view]

Data Flow Summary

┌─────────────────────┐        ActivityImpact        ┌──────────────────────┐
│   PLAYBOOK          │─────────────────────────────▶│  DEPENDENCY MODEL    │
│   (Response Actions)│    "Activity X changes       │  (System Goals)      │
│                     │     Paragon Y's probability  │                      │
│  • Activities       │     from 40% → 85%"         │  • AND/OR/UNC gates  │
│  • Data Flows       │                              │  • Probabilities     │
│  • Roles & Actors   │                              │  • Critical Thresholds│
└─────────────────────┘                              └──────────────────────┘
         │                                                      │
         ▼                                                      ▼
┌─────────────────────┐                              ┌──────────────────────┐
│  MITRE ATT&CK/D3FEND│                              │  METRICS ENGINE      │
│  (Technique Mapping)│                              │  P, CiO, Thresholds │
└─────────────────────┘                              └──────────────────────┘
         │                                                      │
         └──────────────────────┬───────────────────────────────┘
                                ▼
                   ┌────────────────────────┐
                   │  SYMBIOSIS             │
                   │  (Business Alignment)  │
                   └────────────────────────┘