Blog post for Crogl by Eric Newcomer
How much time should you spend creating, reviewing, and maintaining playbooks for responding to security incidents? And how often do you find those playbooks inaccurate or incomplete, no matter what you do?
To me, this sounds like a great area for gen AI to provide some assistance.
Perhaps the most memorable experience I have with this challenge occurred when I was at Citi and managing a security response team defending against credential stuffing bot attacks.
During one such attack, I got an early morning call from a production support specialist. Her response playbook said when a credential stuffing bot attack is detected, “call Amy.” Amy was indeed the name of our specialist in diagnosing and blocking this type of attack.
But Amy was on vacation that week, and that’s literally all the response playbook said. Nothing about what to do if Amy was on vacation, who else to call, or what the response steps were. So they called me instead, because I was listed as her manager in the company directory.
Needless to say, this was not the optimal response, and it took longer than it should have to assemble the right team, find another specialist, and complete the response.
The right thing to do is to identify appropriate staff and roles and to clearly document all steps involved in responding to such an attack, not just to list the contact information of someone who knew how to respond.
With that information in hand, it would be easier to find someone else who could follow the steps in the incident response playbook, such as:
- Identify the IP address (or addresses) from which the attacks are being sent
- Check whether the IP address is associated with known bad actors, for example address ranges attributed to China or North Korea
- Check all the logs from the web application firewall for traffic from the IP address(es)
- Map out the exact attack signature
- Update the bot defense scripts to block traffic from that IP address with that signature
- Confirm the updated blocking script doesn’t block legitimate customer traffic
- And so on
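As an added illustration (not part of the original post, and not Crogl’s code), the playbook steps above expressed as small triage functions run over a handful of constructed WAF log lines: the log format, the known-bad list, and the failure thresholds are assumptions made for the example.

```python
"""Credential-stuffing triage helpers for the playbook steps above.
Sample data is constructed; the log format and thresholds are assumptions."""
from collections import Counter, defaultdict

# Constructed WAF log lines: client IP, method, path, HTTP status, account.
WAF_LOG = """\
203.0.113.7 POST /login 401 user=alice
203.0.113.7 POST /login 401 user=bob
203.0.113.7 POST /login 401 user=carol
203.0.113.7 POST /login 401 user=dave
198.51.100.9 POST /login 401 user=erin
198.51.100.9 POST /login 200 user=erin
192.0.2.5 POST /login 200 user=frank
192.0.2.5 GET /account 200 user=frank
""".splitlines()

KNOWN_BAD = {"203.0.113.7"}  # constructed threat-intel list (placeholder)

def parse(line):
    ip, method, path, status, user = line.split()
    return {"ip": ip, "method": method, "path": path,
            "status": int(status), "user": user.split("=", 1)[1]}

def suspect_ips(lines, min_failures=3, min_accounts=3):
    """Step 1: IPs with many failed logins spread across many distinct
    accounts (a customer mistyping a password fails on one account only)."""
    fails, accounts = Counter(), defaultdict(set)
    for e in map(parse, lines):
        if e["path"] == "/login" and e["status"] == 401:
            fails[e["ip"]] += 1
            accounts[e["ip"]].add(e["user"])
    return sorted(ip for ip in fails
                  if fails[ip] >= min_failures and len(accounts[ip]) >= min_accounts)

def enrich(ips, blocklist=KNOWN_BAD):
    """Step 2: flag which suspect IPs appear on a known-bad-actor list."""
    return {ip: ip in blocklist for ip in ips}

def attack_signature(lines, ip):
    """Steps 3-4: the (method, path) this IP hits most in its failed requests;
    the resulting block rule is 'this IP with this signature'."""
    sig = Counter((e["method"], e["path"]) for e in map(parse, lines)
                  if e["ip"] == ip and e["status"] == 401)
    return sig.most_common(1)[0][0]

def blocked_legit_requests(lines, rules):
    """Step 5: replay the log against rules {(ip, (method, path))} and return
    successful (200) requests that would be blocked, i.e. collateral damage."""
    return [e for e in map(parse, lines)
            if (e["ip"], (e["method"], e["path"])) in rules and e["status"] == 200]
```

An empty result from the last step is the check a responder wants before pushing the rule to the bot defense scripts; a non-empty one means the signature is too broad.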
There must be a better way to get a response playbook in place. And perhaps there’s even a good way to continuously surface responses and maintain a playbook.
Gen AI to the Rescue
Rather than having someone document all the steps involved in an incident response, you might consider an AI-based technology such as Crogl.
Crogl’s AI system provides a Knowledge Engine component that continuously learns about and improves its understanding of an organization’s security environment and interactions. The Knowledge Engine ingests log and incident data as well as security analyst interactions without requiring normalization, which streamlines the process and saves time.
The AI-based system uses this knowledge graph to generate, adapt, and refine incident response playbooks, identifying the response steps and actions for various types of security incidents. And Crogl’s system continuously learns as it ingests more data, allowing it to create more playbooks and update and maintain previously generated playbooks.
Furthermore, Crogl captures information that security analysts enter into the system through interactions such as adding a comment to a ticket or initiating a specific response action using an integrated security tool.
The Intellyx Take
About three years into the “generative AI revolution,” we’re still debating the best applications for generative AI.
The Crogl platform aligns well with what generative AI does best: ingesting and correlating large amounts of data, creating summaries, recommendations, analysis, and augmenting analyst judgment with institutional knowledge that would otherwise live in one person’s head.
Furthermore, I can easily understand the potential benefits of the Crogl system, which could have helped avoid the “call Amy” challenge I faced at Citi, where the detailed knowledge of the response was captured in one person’s head and wasn’t written down anywhere.
Copyright © Intellyx B.V. Crogl is an Intellyx customer. No AI was used to write this content. Image generated by Google Gemini.