· Palaniappan P
· 7 min read
AWS Incident Response Runbooks (2026): What Changes Now That Security Incident Response Is Metered and GuardDuty Correlates Attack Sequences
Two 2025 shifts rewrite the IR playbook: GuardDuty Extended Threat Detection now emits a single critical attack-sequence finding instead of a pile of high findings, and AWS Security Incident Response moved to metered pricing (free first 10,000 findings/month, then $0.000676 each) on November 21, 2025. The lesson is to page humans on the <1% of correlated criticals, isolate instead of terminate, and let auto-triage absorb the rest. Here are the runbooks.