Your IR playbooks are in the wrong format

Published on
February 13, 2023
February 23, 2026
Dr. Vaughan Shanks
Co-founder & CEO

Ask any incident responder where their playbooks live and you'll usually get one of three answers: SharePoint, Confluence, or "I think Dave has them."

This is a quiet crisis. Playbooks are supposed to drive structured, repeatable incident response. But if they're sitting in a Word document that nobody's updated since the last tabletop exercise, they aren't doing that job. They become compliance theatre - something to point at during an audit rather than something responders actually follow when an incident is live.

OASIS CACAO is an open standard that addresses this directly. Here's what it is, why it matters, and how Cydarm uses it.

What is CACAO?

CACAO stands for Collaborative Automated Course of Action Operations. It's an open standard for cybersecurity playbooks published by OASIS - the same standards body behind STIX and TAXII for cyber threat intelligence sharing.

At its core, CACAO defines two things:

  • Actions: individual security operations, such as detecting, investigating, preventing, mitigating, or remediating a specific threat.
  • Playbooks: structured workflows that group actions into a logical sequence, triggered by a security event, observation, or scheduled task.

A CACAO playbook is machine-readable JSON. It has a defined schema, a versioning system, and the ability to run steps sequentially, in parallel, or through conditional logic: if/then branching, while loops, switch conditions. It's structured like code, not like a checklist.

The eight types of CACAO playbook

One of the more useful things the specification formalised is a clear taxonomy of what a playbook is actually for. There are eight types:

  • Attack: for red team exercises and adversary emulation
  • Detection: for identifying known security events or threat hunting
  • Engagement: for adversary engagement, such as denial, deception, and disrupting attacker operations
  • Investigation: for understanding the scope and impact of an incident
  • Mitigation: for containing a threat when full remediation isn't yet possible
  • Notification: for alerting and disseminating information across stakeholders
  • Prevention: for proactively blocking known or expected threats
  • Remediation: for returning affected systems to a known good state

In practice, incident response draws on several of these in sequence. A ransomware response might touch investigation, mitigation, notification, and remediation playbooks - each handling a distinct phase, each runnable independently or as a composed workflow.

Why the format matters

The fundamental problem CACAO solves is proprietary lock-in and institutional isolation.

Before CACAO, every organisation built playbooks in whatever format worked for them internally - which meant those playbooks couldn't travel. You couldn't share a meaningful playbook with a partner organisation, an ISAC, a government agency, or an MSSP without someone on the other end manually reinterpreting it for their environment.

CACAO changes this by creating a common language. A playbook written in CACAO can be imported by any tool that supports the standard. It can be validated against the schema. It can be digitally signed, so a recipient can verify who published it and that it hasn't been altered since. And it can be adapted - the spec explicitly acknowledges that most shared playbooks will need some modification for the recipient's environment, and the structure supports that.

This is what genuine collective defence looks like. Government agencies, sector ISACs, and sharing communities can publish CACAO playbooks for specific threat types, and member organisations can import, adapt, and operationalise them - rather than each building the same response procedure in isolation.

How Cydarm implements CACAO

Cydarm stores and executes playbooks natively in the CACAO format. In practice, this means:

Playbooks run inside the case, not next to it. When a case is opened, the relevant playbook is available within the same interface. Analysts execute steps directly in their workflow - no tab-switching, no printed checklists.

Every action is tracked. Each step - who completed it and when, and any notes they recorded - is logged automatically against the case record. This is essential for chain of custody, regulatory reporting, and post-incident review.

Your playbooks aren't proprietary. Because Cydarm uses an open standard, your response tradecraft isn't locked to our platform. You can import CACAO playbooks from external sources and export your own for sharing with partners, regulators, or peer organisations.

Manual steps, automated steps, and everything in between

Not every step in a playbook should be automated, and not every step needs a human. CACAO supports both, and Cydarm lets you mix them within a single workflow.

When a playbook action is ready to execute, Cydarm fires a Playbook Action Ready event. For manual steps, an analyst assigns the action to themselves or another team member, then updates the status as they work through it. For automated steps, a connector picks up the event and executes the operation directly against the relevant system - pulling threat intel, querying an EDR, updating firewall rules, or triggering a containment action - and updates the action status on completion.

Inputs and outputs are passed between steps as the playbook progresses. An automated step that queries an endpoint for running processes can feed its output directly into the next step - whether that's another automated action or a manual step where an analyst assigns it, works through it, and updates its status before the workflow continues.

This hybrid model is where CACAO's structure genuinely pays off in practice. The playbook defines the logic. The platform decides, based on your configuration, whether a given action runs automatically or waits for human input. You can start with a fully manual playbook and automate steps incrementally as you build confidence in the connectors and the workflow - without rewriting the playbook itself.
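To make the two points above concrete - that a CACAO playbook is JSON with a defined workflow structure, and that a platform can route each action either to a connector or to a human while logging every step - here is an added example in Python. It is not Cydarm's code and not part of the original post. The playbook is constructed for the example: its IDs are invented, and the field names follow the CACAO 2.0 specification as I read it (type, spec_version, playbook_variables, workflow_start, workflow, action / if-condition / start / end steps, manual and http-api commands), so validate real playbooks against the official JSON schema rather than this walker. The condition evaluator handles only the `__var__:value = 'literal'` (or `!=`) form, the `connectors` mapping and `manual_handler` callback are this example's own conventions, and `analyst:jsmith` and the `http-api` stand-in are placeholders.

```python
"""Added example (not Cydarm's code): parse a CACAO 2.0 playbook, check its workflow
graph, then walk it, handing manual commands to an analyst and automated commands
to connectors keyed by CACAO command type, writing every step to an audit trail."""
import json
import re
from datetime import datetime, timezone

# Constructed sample playbook: IDs are invented. Field names follow the CACAO 2.0
# spec as I read it; validate real playbooks against the official JSON schema.
PLAYBOOK_JSON = r"""{
  "type": "playbook", "spec_version": "cacao-2.0",
  "id": "playbook--5c1d2a6e-9f3b-4c7d-8e2a-1b3c4d5e6f70",
  "name": "Suspicious process on endpoint", "playbook_types": ["investigation", "mitigation"],
  "playbook_variables": {
    "__host__": {"type": "string", "value": "ws-042", "constant": true},
    "__verdict__": {"type": "string", "value": ""}
  },
  "workflow_start": "start--11111111-1111-4111-8111-111111111111",
  "workflow": {
    "start--11111111-1111-4111-8111-111111111111": {"type": "start",
      "on_completion": "action--22222222-2222-4222-8222-222222222222"},
    "action--22222222-2222-4222-8222-222222222222": {"type": "action",
      "name": "List running processes", "out_args": ["__verdict__"],
      "commands": [{"type": "http-api", "command": "GET /hosts/__host__:value/processes"}],
      "on_completion": "if-condition--33333333-3333-4333-8333-333333333333"},
    "if-condition--33333333-3333-4333-8333-333333333333": {"type": "if-condition",
      "condition": "__verdict__:value = 'malicious'",
      "on_true": "action--44444444-4444-4444-8444-444444444444",
      "on_false": "end--55555555-5555-4555-8555-555555555555"},
    "action--44444444-4444-4444-8444-444444444444": {"type": "action", "name": "Isolate host",
      "commands": [{"type": "manual",
        "command": "Confirm with the asset owner, then isolate __host__:value in the EDR console"}],
      "on_completion": "end--55555555-5555-4555-8555-555555555555"},
    "end--55555555-5555-4555-8555-555555555555": {"type": "end"}
  }
}"""

# Only the "__var__:value = 'literal'" (or !=) subset of the CACAO condition syntax.
COND_RE = re.compile(r"^(__\w+__):value\s*(=|!=)\s*'([^']*)'$")

def load_playbook(text=PLAYBOOK_JSON):
    return json.loads(text)

def check_workflow(playbook):
    """Consistency checks to run before executing anything; returns the problems found."""
    problems, workflow = [], playbook.get("workflow", {})
    if playbook.get("spec_version") != "cacao-2.0":
        problems.append("unexpected spec_version")
    if playbook.get("workflow_start") not in workflow:
        problems.append("workflow_start does not name a workflow step")
    for step_id, step in workflow.items():
        if not step_id.startswith(step.get("type", "") + "--"):
            problems.append(f"{step_id}: id prefix does not match step type")
        for key in ("on_completion", "on_success", "on_failure", "on_true", "on_false"):
            if key in step and step[key] not in workflow:
                problems.append(f"{step_id}: {key} points at unknown step {step[key]}")
    return problems

def evaluate(condition, variables):
    m = COND_RE.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    name, op, literal = m.groups()
    return (variables[name]["value"] == literal) == (op == "=")

def substitute(text, variables):  # resolve __var__:value references in a command
    for name, var in variables.items():
        text = text.replace(f"{name}:value", str(var["value"]))
    return text

def run_playbook(playbook, connectors, manual_handler):
    """connectors: command type -> callable(command) returning {variable: value};
    manual_handler(step_id, command) -> identifier of the analyst who completed it."""
    variables = {k: dict(v) for k, v in playbook.get("playbook_variables", {}).items()}
    audit, step_id = [], playbook["workflow_start"]
    while step_id is not None:
        step = playbook["workflow"][step_id]
        kind, actor, next_id = step["type"], "engine", step.get("on_completion")
        if kind == "action":
            for cmd in step["commands"]:
                command = substitute(cmd["command"], variables)
                if cmd["type"] == "manual":        # blocks until a human completes it
                    actor = manual_handler(step_id, command)
                else:                              # dispatched to the matching connector
                    actor = f"connector:{cmd['type']}"
                    result = connectors[cmd["type"]](command)
                    for name in step.get("out_args", []):
                        variables[name]["value"] = result[name]
        elif kind == "if-condition":
            taken = evaluate(step["condition"], variables)
            next_id = step["on_true"] if taken else step.get("on_false", next_id)
        elif kind not in ("start", "end"):
            raise NotImplementedError(f"step type {kind!r} is not handled in this example")
        audit.append({"step": step_id, "type": kind, "by": actor,
                      "at": datetime.now(timezone.utc).isoformat()})
        step_id = next_id
    return audit, variables

if __name__ == "__main__":
    pb = load_playbook()
    assert check_workflow(pb) == [], check_workflow(pb)
    edr = {"http-api": lambda cmd: {"__verdict__": "malicious"}}  # stand-in for a real connector
    for entry in run_playbook(pb, edr, lambda step, cmd: "analyst:jsmith")[0]:
        print(entry["type"], entry["by"], entry["step"])
```

The design choice worth noting is that the playbook never says which steps are automated: the `manual` command type is the only thing that routes a step to a person, and swapping a manual command for an `http-api` one (plus a registered connector) automates that step without touching the rest of the workflow. The pre-execution `check_workflow` catches dangling `on_true` / `on_false` / `on_completion` references, which is the kind of error that only surfaces mid-incident if you skip it. Parallel, while-condition and switch-condition steps are deliberately left unhandled here; a real engine needs all of them.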

The state of playbooks most teams are still in

There's a version of this where every organisation rebuilds the same response procedures from scratch, stores them in a format nobody else can use, and updates them infrequently because the process is painful. Playbooks drift from reality. Responders improvise. Lessons from one incident don't make it into the next response.

CACAO doesn't fix your incident response programme by itself. But it removes the structural reasons why good playbooks don't get written, maintained, and shared. The format is open. Playbooks can be validated against the schema. The playbooks can travel. And when they're running inside a case - with hybrid automation, tracked execution, and a complete audit trail - they're actually doing the job they were supposed to do.

Interested in seeing CACAO playbooks in action inside a live case? Start a free 30-day trial or get in touch with the team.

Category
Automation & Orchestration
