Archer Knox — Intelligence-Led Security Operations

Security Playbooks

Pre-built responses so no one improvises the hardest minutes.

In an incident, people reach for whatever they remember. Playbooks make sure what they remember is aligned with legal, risk, and security—not adrenaline and guesswork.

Our playbooks are written to be executed by real people, under stress, with lawyers and leadership in mind. They’re the bridge between intelligence, operations, and documentation.

The elements below are illustrative. A real engagement would adapt them to your jurisdictions, risk profile, and internal policies.

How different roles see playbooks

Playbooks mean different things to different people. The perspectives below cover Legal, Security, and Operations.

Legal and risk perspective

Playbooks as evidence of duty and diligence.

For Legal, playbooks are proof that the organization didn’t improvise. They show that specific threats were anticipated, that responses were pre-agreed, and that documentation was built into the workflow.

  • Make it easy to reconstruct who knew what, when, and what they did.
  • Align with internal policies, insurance positions, and regulator guidance.
  • Clarify where outside counsel and investigators are brought into the loop.

Physical security perspective

Playbooks as muscle memory under stress.

For security teams, the playbook must be brutally clear: what to check, who to call, where to move people, and when to stop. It should match the real constraints of guards, cameras, doors, and radios.

  • Translate abstract risk into concrete moves at gates, lobbies, and corridors.
  • Specify when to escalate to law enforcement and how to preserve on-scene evidence.
  • Ensure post-incident debriefs turn into updates for the next version.

Operations perspective

Playbooks as a coordination tool.

For operations, a playbook is the spine of the incident: it tells them who owns the incident, who needs updates, when to change posture, and which decisions must be timestamped.

  • Clarify ownership so there is exactly one Incident Commander at a time.
  • Define when to switch from baseline to elevated to incident mode.
  • Provide a check-off trail that can be reviewed afterwards for lessons learned.

Example playbook catalog

The sample playbooks below are grouped by category and severity. All examples are generic and for illustration only.

Playbook library (sample)
Categories are executive, facility, and digital, each with a severity. A real catalog would be aligned with your threat register and risk appetite.
High — Executive “Targeted threat to executive”

Trigger: specific threat of harm to a named executive, with indicators of capability or proximity. Includes on-site and travel contexts.

Owner: Executive protection / IC
Maps to Incident mode
Medium — Executive “Harassment and stalking indicators”

Trigger: repeated harassment, stalking behavior, or unwanted contact directed at executives or high-risk staff, online or offline, without explicit threat of violence.

Owner: Threat intel + Security
Maps to Elevated mode
Medium — Facility “Planned demonstration near site”

Trigger: credible planning for protest or demonstration at or near a facility, with no current indicators of forced entry or targeted violence.

Owner: Site security / Ops
Elevated posture
High — Facility “Armed intruder / breach”

Trigger: confirmed or strongly suspected attempt to enter a site with weapons or clear intent to harm staff or visitors.

Owner: Site IC / Emergency services liaison
Full Incident mode
Low — Digital “Routine brand abuse takedown”

Trigger: accounts impersonating the organization or abusing its brand, without targeted threats of physical harm.

Owner: Security + Legal + Comms
Baseline / Elevated
Medium — Digital “Compromise with physical implications”

Trigger: digital incident that exposes routes, floor plans, or staff rosters in a way that may increase physical targeting risk.

Owner: Security + Cyber
Elevated posture

Compose a playbook stack

Use this quick composer to sketch what a bundle of playbooks would look like for your environment.

In a live deployment this becomes a register of which playbooks exist, who owns them, and how often they are rehearsed and updated.

Foundational playbook stack

Executives, Facilities, Digital

A foundational stack typically includes playbooks for executive threats and harassment, facility disruption, and digital incidents with physical implications. These provide coverage for the most common and visible risks.