🛡️ NIST SP 800-61 Compliant Incident Response Plan Generator
ResponseForge is a web application that generates customized, NIST-compliant Incident Response (IR) templates tailored to an organization's structure and operational needs.
- ✅ NIST SP 800-61 Compliance - Follows the ARTEMIS framework structure
- ✅ 16-Question Questionnaire - Captures organization-specific inputs
- ✅ Secure Backend - Template rendering with input validation and sanitization
- ✅ Modern UI - Dark theme with glassmorphism effects
- ✅ Multiple Output Formats - Markdown (.md) and Text (.txt)
- ✅ Security-First Design - Rate limiting, XSS prevention, template injection protection
- Python 3.8+
- Node.js 18+
- npm
```bash
cd backend
pip install -r requirements.txt
python app.py
```
The API will be available at http://127.0.0.1:5000
```bash
cd frontend
npm install
npm run dev
```
The UI will be available at http://localhost:5173
```text
responseforge/
├── backend/
│   ├── app.py                      # Flask application entry point
│   ├── requirements.txt            # Python dependencies
│   ├── routes/
│   │   └── ir_routes.py            # API endpoints
│   ├── templates/
│   │   └── nist_ir_template.j2     # NIST IR Jinja2 template
│   ├── validators/
│   │   └── input_validator.py      # Input validation & sanitization
│   └── utils/
│       └── template_renderer.py    # Secure template rendering
├── frontend/
│   ├── src/
│   │   ├── App.jsx                 # Main application component
│   │   ├── App.css                 # Global styles
│   │   ├── components/             # Form section components
│   │   │   ├── OrganizationInfo.jsx
│   │   │   ├── SecurityTeamStructure.jsx
│   │   │   ├── SeverityClassification.jsx
│   │   │   ├── EscalationCommunication.jsx
│   │   │   ├── IncidentResponseExecution.jsx
│   │   │   ├── OutputPreferences.jsx
│   │   │   ├── DocumentPreview.jsx
│   │   │   └── FormNavigation.jsx
│   │   └── services/
│   │       └── apiService.js       # API integration
│   └── package.json
└── README.md
```
The questionnaire captures the following 16 inputs:
- Organization name
- Industry
- Primary infrastructure environment (AWS/Azure/GCP/On-Premises)
- Incident Commander
- SOC Analysts
- Cloud/Infrastructure Remediation Owner
- Legal/Compliance Owner
- Severity levels (Low/Medium/High/Critical)
- Severity determination criteria
- Escalation matrix
- Communication channels
- Critical incident notification list
- Forensic evidence maintenance (Yes/No)
- Forensic evidence location (conditional)
- Post-incident reviews (Yes/No)
- Output format (Markdown/Text)
The generated IR plan follows the section structure of NIST SP 800-61:
- Introduction - Context, Purpose, Audience
- Organizing a CSIRT - Team structure, models, personnel
- Handling an Incident
  - 3.1 Preparation
  - 3.2 Detection and Analysis
  - 3.3 Containment, Eradication, and Recovery
  - 3.4 Post-Incident Activity
- Coordination and Information Sharing
- Appendices
  - A: Situation Update Template
  - B: Resolution Action Plan Template
  - C: Evidence Register Template
  - D: Assets and Key Contacts
  - E: Glossary
| Threat | Mitigation |
|---|---|
| Template Injection (SSTI) | Fixed Jinja2 template loaded from disk; user input is passed only as render context, never as template source; autoescape enabled |
| XSS | Content sanitization with Bleach |
| Input Tampering | Server-side validation, exact type enforcement, allowed-value lists |
| Missing Fields | Required field validation (including the conditional forensic evidence location) |
| Large Payloads | Request body limit (16 KB), per-field length limits |
| Rate Abuse | 10 requests/minute per client IP |

Two deployment caveats: behind a reverse proxy the per-IP limit only works if the backend derives the client address from the proxy's forwarded header, and if it reads that header without a trusted proxy in front, a client can spoof it and reset its own limit; and Bleach has been deprecated by its maintainers since release 6.0, so the sanitizer dependency should be tracked for replacement.
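As an added example (not ResponseForge's own template_renderer.py), the first row of the table in code: a fixed Jinja2 template rendered with user input as context only, beside the anti-pattern of splicing user text into the template source. It assumes the jinja2 package is installed; the inline template stands in for templates/nist_ir_template.j2, and the hostile payload is constructed for the example.

```python
"""Added example, not ResponseForge's own template_renderer.py: shows why the
real template-injection control is "user input is context, never template
source", and what Jinja2's sandbox does and does not add on top. Assumes the
jinja2 package is installed; the inline template stands in for
templates/nist_ir_template.j2 and the payloads are constructed."""
from typing import Tuple

from jinja2 import DictLoader, StrictUndefined, UndefinedError
from jinja2.sandbox import SandboxedEnvironment

# Trusted template text. Only the *values* substituted into it come from users.
TEMPLATES = {
    "plan.j2": (
        "# Incident Response Plan: {{ organizationName }}\n"
        "Incident Commander: {{ incidentCommander }}\n"
        "Severity levels: {{ severityLevels | join(', ') }}\n"
    )
}

# The output is Markdown/text, not HTML, so HTML autoescaping is the wrong tool
# here (it would render an apostrophe as &#39;); tag stripping belongs in the
# input validator instead. StrictUndefined makes a missing field fail loudly
# rather than silently rendering as an empty string. The sandbox refuses
# underscore-prefixed attribute access such as __class__ but still evaluates
# ordinary expressions, so it is defence in depth, not a substitute for the
# fixed-template rule.
ENV = SandboxedEnvironment(
    loader=DictLoader(TEMPLATES),
    autoescape=False,
    undefined=StrictUndefined,
)


def render_plan(payload: dict) -> str:
    """Safe pattern: user data enters only as render() context."""
    return ENV.get_template("plan.j2").render(**payload)


def render_plan_checked(payload: dict) -> Tuple[str, str]:
    """Safe pattern with the StrictUndefined failure surfaced as ('error', msg)."""
    try:
        return "ok", render_plan(payload)
    except UndefinedError as exc:
        return "error", str(exc)


def render_plan_unsafe(payload: dict) -> str:
    """Anti-pattern: a user value is spliced into the template *source* before
    compilation, so Jinja2 parses and evaluates whatever it contains."""
    source = TEMPLATES["plan.j2"].replace(
        "{{ organizationName }}", payload["organizationName"]
    )
    return ENV.from_string(source).render(**payload)


# Constructed hostile payload: the organization name is a template expression.
HOSTILE = {
    "organizationName": "{{ 7 * 7 }}",
    "incidentCommander": "Alice Example",
    "severityLevels": ["Low", "Medium", "High", "Critical"],
}

if __name__ == "__main__":
    print(render_plan(HOSTILE))         # title line keeps the literal {{ 7 * 7 }}
    print(render_plan_unsafe(HOSTILE))  # title line reads 49: the expression ran
    print(render_plan_checked({}))      # ('error', "'organizationName' is undefined")
```

The same payload goes through both functions: the safe path prints the braces as ordinary text, the unsafe path evaluates them even inside the sandbox, which is the point of keeping template source and user data on opposite sides of render().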
```http
POST /api/generate-ir-template
Content-Type: application/json

{
  "organizationName": "string",
  "industry": "string",
  "infrastructureEnvironment": "AWS|Azure|GCP|On-Premises",
  "incidentCommander": "string",
  "socAnalysts": "string",
  "cloudRemediationOwner": "string",
  "legalComplianceOwner": "string",
  "severityLevels": ["Low", "Medium", "High", "Critical"],
  "severityDetermination": "string",
  "escalationMatrix": "string",
  "communicationChannels": ["Email", "Phone", "Slack", "Microsoft Teams", "Other"],
  "criticalIncidentNotifications": "string",
  "maintainsForensicEvidence": true|false,
  "forensicEvidenceLocation": "string",
  "conductPostIncidentReviews": true|false,
  "outputFormat": "md|txt"
}
```
`GET /api/template-options`

Based on NIST SP 800-61 Rev. 2: Computer Security Incident Handling Guide. NIST published Rev. 3 in April 2025, which reorganizes incident response around the CSF 2.0 functions rather than the Rev. 2 section structure above; plans generated from this template follow Rev. 2.
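An added example of the server-side checks the threat table promises for this payload (not ResponseForge's own validators/input_validator.py): exact type enforcement, allowed-value sets, length limits, control-character rejection, the conditional forensicEvidenceLocation rule, and rejection of unexpected keys. Field names come from the schema above; the length limits and the two sample payloads are constructed assumptions.

```python
"""Added example, not ResponseForge's own validators/input_validator.py: a
server-side validator for the /api/generate-ir-template payload. Field names
follow the API schema; MAX_SHORT, MAX_LONG and both sample payloads are assumed."""
from typing import Any, Dict, List, Tuple

MAX_SHORT = 200   # assumed limit for names and single-line fields
MAX_LONG = 4000   # assumed limit for free-text fields
ENVIRONMENTS = {"AWS", "Azure", "GCP", "On-Premises"}
SEVERITIES = {"Low", "Medium", "High", "Critical"}
CHANNELS = {"Email", "Phone", "Slack", "Microsoft Teams", "Other"}
FORMATS = {"md", "txt"}

# field -> (exact Python type, max length for text or allowed set for enums)
SCHEMA: Dict[str, Tuple[type, Any]] = {
    "organizationName": (str, MAX_SHORT),
    "industry": (str, MAX_SHORT),
    "infrastructureEnvironment": (str, ENVIRONMENTS),
    "incidentCommander": (str, MAX_SHORT),
    "socAnalysts": (str, MAX_LONG),
    "cloudRemediationOwner": (str, MAX_SHORT),
    "legalComplianceOwner": (str, MAX_SHORT),
    "severityLevels": (list, SEVERITIES),
    "severityDetermination": (str, MAX_LONG),
    "escalationMatrix": (str, MAX_LONG),
    "communicationChannels": (list, CHANNELS),
    "criticalIncidentNotifications": (str, MAX_LONG),
    "maintainsForensicEvidence": (bool, None),
    "conductPostIncidentReviews": (bool, None),
    "outputFormat": (str, FORMATS),
}
OPTIONAL = {"forensicEvidenceLocation"}  # required only when evidence is kept


def validate_payload(payload: Any) -> List[str]:
    """Return every problem found; an empty list means the payload is acceptable."""
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    errors: List[str] = []
    for field, (ftype, constraint) in SCHEMA.items():
        if field not in payload:
            errors.append(f"{field}: required")
            continue
        value = payload[field]
        if type(value) is not ftype:  # exact match: "true" is not a bool, 1 is not True
            errors.append(f"{field}: expected {ftype.__name__}")
            continue
        if isinstance(constraint, int):  # length-limited text
            if not value.strip():
                errors.append(f"{field}: must not be blank")
            elif len(value) > constraint:
                errors.append(f"{field}: longer than {constraint} characters")
            elif any(ord(c) < 32 and c not in "\t\n\r" for c in value):
                errors.append(f"{field}: control characters not allowed")
        elif isinstance(constraint, set):  # one value, or a list of values, from a fixed set
            values = value if ftype is list else [value]
            bad = [v for v in values if not isinstance(v, str) or v not in constraint]
            if not values:
                errors.append(f"{field}: at least one value required")
            elif bad:
                errors.append(f"{field}: not in allowed set: {bad}")
    if payload.get("maintainsForensicEvidence") is True:
        location = payload.get("forensicEvidenceLocation")
        if type(location) is not str or not location.strip():
            errors.append("forensicEvidenceLocation: required when maintainsForensicEvidence is true")
        elif len(location) > MAX_SHORT:
            errors.append(f"forensicEvidenceLocation: longer than {MAX_SHORT} characters")
    unknown = sorted(set(payload) - set(SCHEMA) - OPTIONAL)
    if unknown:
        errors.append(f"unexpected fields: {unknown}")
    return errors


# Constructed sample payloads: one well-formed, one tampered with in four places.
GOOD_PAYLOAD = {
    "organizationName": "Example Corp",
    "industry": "Healthcare",
    "infrastructureEnvironment": "AWS",
    "incidentCommander": "Alice Example (CISO)",
    "socAnalysts": "SOC tier 1 and tier 2, 24x7 rotation",
    "cloudRemediationOwner": "Bob Example (Cloud Platform Lead)",
    "legalComplianceOwner": "Carol Example (General Counsel)",
    "severityLevels": ["Low", "Medium", "High", "Critical"],
    "severityDetermination": "Data sensitivity, scope and business impact.",
    "escalationMatrix": "High/Critical: page the Incident Commander within 15 minutes.",
    "communicationChannels": ["Email", "Slack"],
    "criticalIncidentNotifications": "CISO, General Counsel, CEO",
    "maintainsForensicEvidence": True,
    "forensicEvidenceLocation": "Dedicated S3 bucket with Object Lock",
    "conductPostIncidentReviews": True,
    "outputFormat": "md",
}
TAMPERED = dict(GOOD_PAYLOAD, infrastructureEnvironment="Mainframe",
                conductPostIncidentReviews="yes", outputFormat="html", evil="x")
del TAMPERED["forensicEvidenceLocation"]  # still required: evidence flag is True

if __name__ == "__main__":
    print(validate_payload(GOOD_PAYLOAD))  # []
    print(*validate_payload(TAMPERED), sep="\n")
```

The 16 KB body cap from the threat table is not in the block because in Flask it is a configuration setting, `MAX_CONTENT_LENGTH`, which makes Flask reject an oversized body with a 413 before the route runs; the checks above are what the route then does with a body that fits.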