figma guide

Designing incident response runbooks and security playbooks UI in Figma: steps, roles, and handoff

Design incident response runbooks and security playbooks in Figma with step checklists, role assignments, break-glass links, audit hooks, and Dev Mode specs for enterprise Security admin.

Published
Updated
Jul 18, 2026
Read time
7 min
Level
Intermediate

Quick answer

Incident response runbooks give Security admins guided playbooks when something breaks—IdP outage, DLP false positive wave, suspected account takeover. Design a runbook library grouped by scenario (identity, network, data, integrations); step checklist with owner role, timer, and deep-link to the exact settings page; live incident mode that logs each step to the audit log; **break-glass shortcuts](/designing-break-glass-emergency-access-and-account-recovery-ui-in-figma/) only where policy allows; and post-incident review form tied to security posture gaps. Start from the Figma guides hub and pair with SSO, suspicious login alerts, DLP, and Dev Mode handoff.


Who this is for

  • Product designers building Security admin runbook libraries, live incident consoles, and tabletop exercise flows.
  • Design system teams aligning checklist rows with progress steppers, accordions, and badges.
  • Engineers implementing runbook state machines, audit event emission, and integration with on-call paging.

Runbook library layout

ZoneContentPriority
HeaderSearch, filter by domain, “Start tabletop”Always visible
Scenario cardsIdP outage, mass lockout, DLP spike, app compromiseAbove fold
Recent incidentsLast 5 closed with duration and ownerSidebar
TemplatesOrg-custom vs platform default runbooksTab
RunbookLibrary
├── Header: Security runbooks · [ Search ] [ Filter: Identity ▾ ] [ Start tabletop ]
├── ScenarioGrid
│   ├── IdP / SSO certificate expired
│   ├── Mass member lockout (MFA / passkey)
│   ├── DLP false positive surge
│   ├── Suspected org-wide credential leak
│   └── Third-party app OAuth scope drift
└── RecentIncidents: INC-1042 closed · 47 min · jane@acme.com

Verdict: organize by failure scenario, not by settings page name—admins think “SSO is down,” not “navigate to SSO settings.”


Runbook card anatomy

Each library card previews what happens when an admin starts the playbook:

FieldSpec
TitlePlain language: “IdP certificate expired”
Severity defaultP1 / P2 / P3 badge
Est. duration15–45 min typical
Roles requiredSecurity Admin, optional Owner approval
Linked controlsSSO, break-glass, member comms
Last runTabletop or live date
RunbookCard
├── IdP certificate expired · P1
├── ~30 min · Security Admin + Owner notify
├── Steps: 8 · Break-glass eligible: SSO bypass
├── Last tabletop: 2026-06-12 ✓
└── [ Start live incident ] [ Run tabletop ]

Step checklist (live incident mode)

When an admin starts a runbook, switch to focused incident UI—hide unrelated nav:

Step stateUIAudit event
PendingEmpty checkbox, role badge
In progressHighlight + timerrunbook.step.started
BlockedWarning + “Needs break-glass” linkrunbook.step.blocked
DoneCheckmark + completed by + timestamprunbook.step.completed
SkippedStrikethrough + required reasonrunbook.step.skipped

Example: IdP certificate expired runbook

IncidentConsole — INC-1043 · IdP certificate expired
├── Status: In progress · Started 09:14 · Owner notified ✓
├── Step 3/8 — Verify IdP metadata URL reachable
│   └── [ Mark complete ] [ Blocked — need help ] [ Open SSO settings ]
├── Step 4/8 — Enable break-glass SSO bypass (dual approval)
│   └── [ Start break-glass wizard ] ← deep-link
└── [ End incident ] [ Escalate to Owner ]

Deep-link buttons must land on the exact toggle—same rule as posture gap cards.


Role assignments and escalation

RoleRunbook permissions
Security AdminStart live incident, complete most steps
OwnerApprove break-glass, end P1 incident, override skip
Team AdminMember recovery steps only—not org policy
Auditor (read-only)View closed incidents, export timeline

Escalation path when step blocked > 10 min:

EscalationBanner
├── Step 4 blocked 12 min — SSO bypass needs Owner approval
├── Notified: owner@acme.com · Slack #security-oncall
└── [ Re-notify ] [ Assign backup approver ]

Tie notification routing to notification preferences—P1 incidents bypass digest mode.


Break-glass and runbook integration

Not every step should offer break-glass—limit to pre-approved scenarios:

RunbookBreak-glass stepGuardrails
IdP outageSSO bypassDual approval, 1 hr scope
IP allowlist misconfigTemporary rule editAudit + auto-revert timer
DLP mass blockMonitor mode toggleOwner approval, 4 hr max
App compromiseRevoke app tokensNo break-glass—use app allowlist

Copy on break-glass steps: “This step uses emergency access—session is logged and time-limited.”


Tabletop exercise mode

Dry-run without changing production settings:

ModeUI differenceAudit
Live incidentReal settings links activeFull incident timeline
TabletopSimulated outcomes, disabled destructive actionsrunbook.tabletop.completed
TabletopCompleteModal
├── Tabletop: IdP certificate expired — 22 min
├── All 8 steps walked through · 2 discussion notes added
├── Findings: "Backup approver unreachable" → create posture gap
└── [ Save to compliance evidence ] [ Schedule next quarter ]

Link tabletop completion to compliance exports as optional SOC2 evidence.


Post-incident review

Closing an incident requires structured debrief—not just “End”:

FieldRequired
Root cause categoryConfig / IdP / User error / Attack
DurationAuto-calculated
Controls that failedMulti-select from posture domains
Follow-up tasksCreates posture gap or ticket
Customer comms sent?Yes / No / N/A
PostIncidentReview
├── Root cause: IdP cert rotation missed
├── Create posture gap: "SSO cert expiry monitoring"
├── Follow-up owner: security-lead@acme.com · Due 7 days
└── [ Close incident ] [ Export timeline PDF ]

Closed incidents appear in audit log as immutable timeline—filter incident.* events.


Comparison: runbook vs audit log vs posture dashboard

SurfacePurposeWhen admins use it
RunbooksGuided response during active incidentIdP down, leak suspected
Audit logHistorical event streamForensics after close
Posture dashboardProactive gap listBetween incidents

Cross-link all three from incident console header—teams confuse reactive vs proactive surfaces during stress.


Common mistakes

MistakeWhy it hurtsFix
Runbooks named after settings pagesAdmins can’t find scenarioScenario-first titles
No live vs tabletop distinctionAccidental prod changesMode toggle + banner
Steps without deep-linksRunbook abandoned mid-incidentFix button per step
Break-glass on every stepOver-privileged responsePre-approved matrix only
Skip without reasonAudit gapsRequired skip justification
No Owner notify on P1Leadership blind during outageAuto-notify on start
Runbook duplicates suspicious login flowTwo paths for same problemLink member vs org runbooks
Closed incident without debriefRepeat failuresRequired post-incident form
Tabletop not loggedSOC2 evidence gaptabletop.completed audit row
Timer without timezoneDistributed team confusionShow org timezone + UTC

  1. Design runbook library with scenario cards grouped by identity, network, data, integrations.
  2. Build live incident console with step checklist, timers, and deep-link actions.
  3. Add tabletop mode with simulated outcomes and completion certificate.
  4. Wire break-glass steps to emergency access wizard with dual approval.
  5. Create escalation banner for blocked steps and Owner notification.
  6. Design post-incident review form that feeds posture gap creation.
  7. Annotate audit events and state transitions in Dev Mode.

FAQ

How is a runbook different from break-glass?

Runbooks are guided multi-step workflows; break-glass is one emergency capability (temporary elevated access). Runbooks may include a break-glass step—not replace it.

Should runbooks auto-start on alerts?

Optional in v2—v1 manual start avoids false-positive incident noise. Link from suspicious login alerts as suggested runbook, not auto-start.

Can Team Admins run org-wide runbooks?

No—org policy runbooks require Security Admin; member recovery runbooks are a separate, shorter library.

Tabletop frequency for SOC2?

Quarterly minimum for top 3 scenarios—surface “overdue tabletop” on posture dashboard.

Export incident timeline for auditors?

Yes—PDF with step timestamps, actors, break-glass usage, and debrief fields; include in compliance export bundle.


Next steps

Share on X

§ Keep reading

Related guides.