DEV Community

Cover image for EIOC Guard™ Runbook: SOC‑Style Emotional Incident Response
Narnaiezzsshaa Truong
Narnaiezzsshaa Truong

Posted on

EIOC Guard™ Runbook: SOC‑Style Emotional Incident Response

#cybersecurity #career #management #mentalhealth

Part 3 of the EIOC Series

If Part 1 showed you the pattern

and Part 2 gave you the detection system,

Part 3 gives you the playbook.

This is the operational layer—a SOC‑style runbook adapted for the human emotional system.

It’s structured, repeatable, and designed for real‑world use.

1. Trigger Conditions (When to Activate This Runbook)

Activate this runbook when any of the following are observed:

  • Sudden cognitive fog or confusion
  • Pressured agreement or boundary collapse
  • Guilt spikes, hypervigilance, or emotional shrinking
  • Tight chest, shallow breathing, or autonomic stress
  • Feeling “unlike yourself” or emotionally flattened

These are EIOC alerts.

2. Severity Classification

SEV‑1 (Critical)

  • Four or more EIOC categories firing
  • Loss of agency or clarity
  • Persistent relational pressure

SEV‑2 (High)

  • Three categories firing
  • Noticeable energy drain
  • Boundary erosion + cognitive drift

SEV‑3 (Moderate)

  • Two categories firing
  • Recoverable with short intervention

SEV‑4 (Low)

  • One category firing
  • Early warning signal

3. Initial Detection Workflow (SIEM‑Style)

Step 1—Validate the Signal

Confirm the EIOC is not a false positive.

Step 2—Identify the Source

Interpersonal, environmental, internal load, or accumulated stress.

Step 3—Classify Severity

Use the SEV scale above.

Step 4 Escalate if Needed

SEV‑1 or SEV‑2 → immediate containment.

SEV‑3 or SEV‑4 → monitor + reinforce boundaries.

4. Emotional Kill Chain Mapping (Forensic Analysis)

Map the event to the emotional kill chain:

  1. Recon—Was vulnerability probed?
  2. Access—What bypassed emotional boundaries?
  3. Execution—What pressure or overload occurred?
  4. Persistence—Is the pattern repeating?
  5. Exfiltration—What emotional clarity or energy was lost?

5. Containment Procedures (Immediate Response)

5.1 Cognitive Containment

  • Pause the interaction
  • Slow breathing
  • Re‑anchor internal reference points
  • Use a grounding phrase: “I need a moment to think this through.”

5.2 Boundary Containment

  • Create space
  • Delay commitment
  • Reassert agency: “I’ll follow up once I’ve reviewed this.”

5.3 Relational Containment

  • Reduce exposure
  • Avoid further emotional load
  • Document the interaction

6. Eradication Procedures (Removing the Compromise Vector)

6.1 Identify TTPs Used

Examples: rapid‑fire questioning, shifting expectations, implied consequences.

6.2 Neutralize the TTP

  • Slow the pace
  • Request clarity
  • Reframe expectations
  • Reassert boundaries

6.3 Remove Access Pathways

  • Avoid 1:1 pressure contexts
  • Use written communication
  • Set explicit limits

7. Recovery Procedures (Restoring Emotional Integrity)

7.1 Rebuild Cognitive Clarity

  • Write a debrief
  • Reconstruct the timeline
  • Identify distortions

7.2 Rebuild Boundary Integrity

  • Define what is acceptable
  • Define what is not
  • Create a boundary statement

7.3 Rebuild Relational Integrity

  • Adjust communication channels
  • Reduce exposure
  • Seek neutral third‑party support if needed

8. Post‑Incident Review (PIR)

Conduct a PIR within 24–48 hours.

8.1 What happened?

Timeline + EIOC categories triggered.

8.2 What TTPs were used?

List tactics and techniques.

8.3 What vulnerabilities were exploited?

Examples: conflict avoidance, urgency pressure.

8.4 What worked in containment?

Document effective responses.

8.5 What needs to change?

Update boundaries, workflows, or communication patterns.

9. Long‑Term Hardening (Emotional Security Posture)

9.1 Boundary Hardening

  • Pre‑defined scripts
  • Clear expectations
  • Reduced ambiguity

9.2 Cognitive Hardening

  • Pattern recognition training
  • Emotional journaling
  • Scenario rehearsal

9.3 Relational Hardening

  • Avoid high‑risk dynamics
  • Build supportive networks
  • Establish escalation paths

10. Runbook Closure Criteria

Close the incident when:

  • No EIOCs have fired for 72 hours
  • Boundaries are restored
  • Cognitive clarity is stable
  • No persistence patterns remain
  • A PIR has been completed

Series Conclusion

With this runbook, the EIOC framework becomes fully operational:

  • Part 1 showed the pattern
  • Part 2 gave you the detection system
  • Part 3 gives you the response protocol

The human layer is now observable, detectable, and defensible.

Top comments (0)