Skip Navigation
Get a Demo
Resources Blog Incident response

Train hard, fight easy: How to keep your IR playbooks fresh

Principal Readiness Engineer Gerry Johansen explores tried-and-true methods for preparing your team to act fast when adversaries come knocking.

Laura Brosnan
Originally published . Last modified .

When security professionals prepare for the inevitable—perhaps a ransomware attack, compromised credentials, you name it—what they’re really trying to do is minimize the Mean Time To Resolve (MTTR) by increasing the effectiveness of their response. In military circles, this is known as “keeping left of bang.” Or, in other words, staying alert, engaged, and ready to respond before the bad stuff happens.

Red Canary’s Gerry Johansen recently took to the stage at the Threat Detection Series Live! event in New York City to explore how to do just that, tackling key practices any security team can adopt to stay ahead of the fight.

How do we know what threat actors are actually doing?

The best way to understand what threat actors are doing is to simply study their ways. It sounds trite, but the key is knowing how and what to analyze so you can align yourself to better defend your environment. Gerry breaks down what we learned from the 2023 Threat Detection Report and how these insights can be applied to adversary emulation and beyond.


How do we plan and prepare for attacks?

As threats such as Qbot and Raspberry Robin continue to evolve alongside defenders, this isn’t a-one-size-fits-all answer. However, there are definitely some best practices security practitioners should consider. Gerry takes a look at the strategic, operational, tactical, and technical pillars of incident preparedness and offers up sage wisdom on how to avoid planning failures often seen in modern SOCs.


How does my security team train to best respond to threats?

This is where the rubber meets the road. Suffice it to say a majority of security teams do not train nearly enough (often due to budgetary or time constraints). But—as Gerry argues—if you want to stay ahead in an ever-changing threat landscape, you must prioritize training. While individual training modules are great, drilling as a unit is most efficient. He outlines a comprehensive set of training intervals designed to keep your team conditioned, agile and ready to respond.



Join us in Chicago or San Francisco for more educational talks

You can find more highlights of our time in New York below. The Threat Detection Series Live! will be in Chicago on May 3, and San Francisco on May 11.

Not seeing a city you can travel to? Reach out to Red Canary on social and tell us where you’d like to attend a future event.





Halting a hospital ransomware attack


Accelerating identity threat detection and response with GenAI


What Home Alone teaches us about proactive defense


Adversaries exploit Confluence vulnerability to deploy ransomware

Subscribe to our blog

Back to Top