Incident Recovery Plan Execution

Build me a recovery execution workflow in Tracecat. When recovery initiates, convert the recovery plan into case tasks with owners and order of operations: restore priorities, verification steps, and sign-offs. Mirror infrastructure tasks to ServiceNow for the platform team, track progress on the case, and post a rolling status to the incident channel. First help me understand how this maps to RC.RP-01 and RC.RP-02, and why recovery order should follow mission criticality instead of convenience. Ask me which services must come back first. Talk me through handling tasks that stall or fail mid-recovery.

Build me a backup verification workflow in Tracecat. Before any restore, check that the chosen backup predates the compromise window from the case timeline, verify checksums against the backup catalog in AWS, restore a sample into an isolated environment, and scan it with CrowdStrike before approving it for production restoration. First help me understand how this maps to RC.RP-03 and how restoring a poisoned backup replays the incident. Ask me what our backup tooling is and how far back retention goes. Talk me through how much verification is proportionate at each incident severity.

Build me a post-restore verification workflow in Tracecat. For each restored system, run an EDR scan through CrowdStrike, compare the configuration against our hardening baseline, confirm service health in Datadog, and check that none of the incident's indicators reappear. Write a per-system verification record to the case and require sign-off before it returns to normal operations. First help me understand how this maps to RC.RP-05 and what confirming normal operating status should actually include. Ask me where our hardening baselines live. Talk me through how long restored systems deserve heightened monitoring.

Build me a recovery closure workflow in Tracecat. Encode our end-of-recovery criteria as a checklist: all systems verified, monitoring back to baseline, stakeholders informed, and evidence archived. When the checklist passes, declare recovery complete on the case, have an agent assemble the incident documentation in Notion from the case record, and open the retro with its findings feeding our improvement backlog in Linear. First help me understand how this maps to RC.RP-06 and why a declared end with criteria beats incidents that just fade out. Ask me who signs the declaration. Talk me through what the closing documentation must contain for auditors and insurers.