2026-04-26, Track 2
The Human Centered Investigation Playbook (HCIP) standard is a YAML-based syntax for writing investigation playbooks that correspond to a particular alert, artifact, or attack. The goal is to have an investigation methodology that both guides the analyst and also integrates into defensive tooling to make necessary data easily available during the investigation.
In this presentation, I will discuss the standard, explore its purpose and use cases, and demonstrate its functionality in a free and open monitoring platform.
In 2025, Chris Sanders released the Human-Centered Investigation Playbook (HCIP) standard -- an open standard for writing playbooks that are both readable for analysts and also can be integrated into analysis tools to make the data surrounding an alert or investigation more accessible.
Standard available at: https://chrissanders.org/hcip/Human-Centered%20Playbook%20Standard%20v1.0.pdf
In this talk, I will walk through the standard, exploring its purpose and use cases, and then demonstrate it in action in a free and open enterprise security monitoring platform.
Matthew Gracie is a defensive security specialist with fifteen years of Blue Team experience in higher education, manufacturing, financial services, and healthcare. He is currently a Senior Engineer at Security Onion Solutions, as well as the interim director of the Cybersecurity graduate program at Canisius University. Matt is also the lead organizer of Infosec 716, a monthly meetup for security enthusiasts in Western New York, and the BSides Buffalo technology conference. He enjoys good beer, mountain bikes, open source security tools, and college hockey, and can be found on Bluesky as @InfosecGoon.