Building Malware Incident Communication Template
Overview
Effective communication during malware incidents is critical for coordinated response, stakeholder management, and regulatory compliance. A structured communication framework ensures the right people receive appropriate information at the right time, preventing panic while maintaining transparency. Communication templates should cover internal escalation, executive briefings, technical advisories for IT teams, customer notifications, regulatory disclosures, and media statements. The framework must account for different malware types (ransomware, wiper, trojan, worm) and severity levels that drive escalation speed and audience.
When to Use
- When deploying or configuring malware incident communication templates in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Familiarity with incident response concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Communication Framework
Severity Classification
| Severity | Description | Notification Timeline | Audience |
|---|---|---|---|
| P1 - Critical | Ransomware, wiper, or widespread infection affecting business operations | Within 15 minutes | CISO, CEO, Legal, Board (if applicable) |
| P2 - High | Targeted malware on critical systems, data exfiltration suspected | Within 1 hour | CISO, IT Director, Legal |
| P3 - Medium | Contained malware infection, limited spread | Within 4 hours | Security Manager, IT Director |
| P4 - Low | Single endpoint infection, quickly contained | Within 24 hours | Security Team Lead |
Communication Channels
| Channel | Use Case | Security Level |
|---|---|---|
| Out-of-band phone calls | Initial critical notifications | Highest |
| Encrypted messaging (Signal) | Real-time IR team coordination | High |
| Secure email (encrypted) | Formal notifications, documentation | High |
| War room (physical/virtual) | Ongoing incident coordination | Medium |
| Incident ticketing system | Status tracking and documentation | Medium |
| Company intranet | Broad employee communication | Standard |
Template 1: Initial Incident Notification (Internal)
SUBJECT: [SEVERITY] Malware Incident - Initial Notification - [DATE/TIME UTC]
CLASSIFICATION: CONFIDENTIAL - IR TEAM ONLY
INCIDENT ID: IR-[YEAR]-[NUMBER]
DETECTION TIME: [YYYY-MM-DD HH:MM UTC]
NOTIFICATION TIME: [YYYY-MM-DD HH:MM UTC]
SEVERITY: [P1/P2/P3/P4]
SUMMARY:
A malware incident has been detected affecting [NUMBER] systems in
[DEPARTMENT/LOCATION]. The malware has been identified as [TYPE] with
[KNOWN/UNKNOWN] characteristics.
CURRENT IMPACT:
- Systems affected: [COUNT and DESCRIPTION]
- Business functions impacted: [LIST]
- Data at risk: [DESCRIPTION]
- Current spread status: [CONTAINED/SPREADING/UNKNOWN]
IMMEDIATE ACTIONS TAKEN:
1. [ACTION - e.g., Affected endpoints isolated from network]
2. [ACTION - e.g., EDR containment policies activated]
3. [ACTION - e.g., Security team mobilized]
NEXT STEPS:
1. [PLANNED ACTION with TIMELINE]
2. [PLANNED ACTION with TIMELINE]
INCIDENT COMMANDER: [NAME]
CONTACT: [PHONE/ENCRYPTED CHANNEL]
NEXT UPDATE: [TIME] or sooner if situation changes
---
Do not forward this notification outside the IR team.
Template 2: Executive Briefing
SUBJECT: Executive Briefing - Malware Incident IR-[YEAR]-[NUMBER]
FOR: [CEO / CISO / CIO / Board]
FROM: [Incident Commander]
DATE: [DATE]
UPDATE: [#]
SITUATION SUMMARY:
[2-3 sentences describing the incident in business terms]
BUSINESS IMPACT:
- Revenue impact: [ESTIMATED/NONE/UNDER ASSESSMENT]
- Operational impact: [DESCRIPTION]
- Customer impact: [DESCRIPTION]
- Regulatory implications: [DESCRIPTION]
CURRENT STATUS: [DETECTED / CONTAINED / ERADICATING / RECOVERING]
KEY DECISIONS NEEDED:
1. [DECISION with context and recommendation]
2. [DECISION with context and recommendation]
TIMELINE:
- [TIME]: Incident detected
- [TIME]: Containment initiated
- [TIME]: [MILESTONE]
- [TIME]: Estimated recovery (if known)
EXTERNAL COMMUNICATION STATUS:
- Regulatory notification: [REQUIRED/SUBMITTED/NOT REQUIRED]
- Customer notification: [REQUIRED/PLANNED/NOT REQUIRED]
- Law enforcement: [ENGAGED/PLANNED/NOT APPLICABLE]
RESOURCE REQUIREMENTS:
- [RESOURCE NEED - e.g., External IR firm engagement]
- [RESOURCE NEED - e.g., Additional hardware for rebuild]
NEXT UPDATE: [TIME]
Template 3: Technical Advisory for IT Teams
SUBJECT: TECHNICAL ADVISORY - [MALWARE NAME] - Immediate Action Required
SEVERITY: [CRITICAL/HIGH/MEDIUM]
DATE: [DATE/TIME UTC]
ADVISORY ID: TA-[YEAR]-[NUMBER]
THREAT DESCRIPTION:
[Technical description of the malware, behavior, and indicators]
AFFECTED SYSTEMS:
- Operating Systems: [LIST]
- Applications: [LIST]
- Network segments: [LIST]
INDICATORS OF COMPROMISE (IOCs):
File Hashes:
MD5: [HASH]
SHA256: [HASH]
File Names:
[FILENAME]
Network Indicators:
C2 Domains: [DOMAIN]
C2 IPs: [IP ADDRESS]
User-Agent: [STRING]
Registry Keys:
[REGISTRY PATH]
DETECTION METHODS:
- EDR: [DETECTION RULE/SIGNATURE]
- SIEM: [CORRELATION RULE]
- Network: [IDS/IPS SIGNATURE]
REQUIRED ACTIONS:
Priority 1 (Immediate):
[ ] Block IOCs at firewall/proxy
[ ] Push EDR containment rules
[ ] Scan all endpoints for IOCs
Priority 2 (Within 4 hours):
[ ] Apply patches [KB/CVE NUMBER]
[ ] Update antivirus signatures
[ ] Review logs for historical indicators
Priority 3 (Within 24 hours):
[ ] Conduct enterprise-wide hunt
[ ] Validate backup integrity
[ ] Update detection rules
CONTACT: SOC - [PHONE] | Security Engineering - [PHONE]
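The Priority 1 actions in the advisory above ("Block IOCs at firewall/proxy", "Scan all endpoints for IOCs") only work if the IOC block is complete and well-formed before it is pushed out. The following is an added example, not part of the original page, that reads the INDICATORS OF COMPROMISE section of a filled-in Template 3, refangs defanged values, validates hash, IP and domain syntax, and reports any `[PLACEHOLDER]` the author forgot to fill so the advisory is held back rather than distributed with broken blocklist entries. The sample advisory, its indicator values (hashes of the empty string, RFC 5737 and RFC 2606 test ranges) and all function names are constructed for this example.

```python
"""Parse and validate the IOC section of a filled-in Template 3 advisory.

Added example, not part of the original page. Section and field labels follow
the template above; the sample advisory, its hash/IP/domain values (hashes of
the empty string, RFC 5737 / RFC 2606 test ranges) and the function names are
constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

PLACEHOLDER = re.compile(r"^\[[A-Z][A-Z0-9 /-]*\]$")
HEX_LEN = {"md5": 32, "sha256": 64}
DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)
LABELS = {"MD5": "md5", "SHA256": "sha256", "C2 Domains": "domain",
          "C2 IPs": "ip", "User-Agent": "user_agent"}
BARE_GROUPS = {"File Names:": "filename", "Registry Keys:": "registry"}
SINGLE_VALUE = {"user_agent", "filename", "registry"}   # never split on commas


def refang(value: str) -> str:
    """Undo common defanging so the value can be matched or blocked literally."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def validate(kind: str, value: str) -> Tuple[bool, str]:
    """Return (is_well_formed, normalised_value) for one indicator."""
    value = refang(value.strip())
    if kind in HEX_LEN:
        v = value.lower()
        return bool(re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[kind], v)), v
    if kind == "ip":
        try:
            return True, str(ipaddress.ip_address(value))
        except ValueError:
            return False, value
    if kind == "domain":
        v = value.lower().rstrip(".")
        return bool(DOMAIN.match(v)), v
    return True, value          # filenames, UA strings and registry paths pass through


def _ioc_lines(advisory: str) -> List[str]:
    """Lines between the IOC header and the DETECTION METHODS header."""
    lines = [ln.strip() for ln in advisory.splitlines()]
    if "INDICATORS OF COMPROMISE (IOCs):" not in lines:
        return []
    start = lines.index("INDICATORS OF COMPROMISE (IOCs):") + 1
    out: List[str] = []
    for ln in lines[start:]:
        if ln == "DETECTION METHODS:":
            break
        out.append(ln)
    return out


def parse_iocs(advisory: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({kind: [values]}, problems); any problem means the advisory is not ready."""
    kinds = ["md5", "sha256", "filename", "domain", "ip", "user_agent", "registry"]
    iocs: Dict[str, List[str]] = {k: [] for k in kinds}
    problems: List[str] = []
    bare = None                     # set while inside File Names: / Registry Keys:
    for line in _ioc_lines(advisory):
        if not line:
            continue
        if line in ("File Hashes:", "Network Indicators:"):
            bare = None
            continue
        if line in BARE_GROUPS:
            bare = BARE_GROUPS[line]
            continue
        if bare:
            kind, value = bare, line
        else:
            label, _, value = line.partition(":")
            kind = LABELS.get(label.strip())
            if kind is None:
                problems.append(f"unrecognised IOC line: {line!r}")
                continue
        items = [value] if kind in SINGLE_VALUE else value.split(",")
        for item in (i.strip() for i in items):
            if PLACEHOLDER.match(item):
                problems.append(f"{kind}: placeholder {item} left unfilled")
                continue
            ok, norm = validate(kind, item)
            if ok:
                iocs[kind].append(norm)
            else:
                problems.append(f"{kind}: malformed value {item!r}")
    return iocs, problems


def blocklist(iocs: Dict[str, List[str]]) -> List[str]:
    """Flat entries for the Priority 1 action 'Block IOCs at firewall/proxy'."""
    return [f"domain:{d}" for d in iocs["domain"]] + [f"ip:{i}" for i in iocs["ip"]]


# Constructed sample advisory: one malformed hash, one bad IP, one unfilled placeholder.
SAMPLE_ADVISORY = """SUBJECT: TECHNICAL ADVISORY - ExampleLoader - Immediate Action Required
INDICATORS OF COMPROMISE (IOCs):
File Hashes:
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA256: deadbeef
File Names:
update_helper.exe
Network Indicators:
C2 Domains: c2[.]example[.]net, updates.example.org
C2 IPs: 192.0.2.10, 999.1.1.1
User-Agent: Mozilla/5.0 (compatible; ExampleLoader/1.0)
Registry Keys:
[REGISTRY PATH]
DETECTION METHODS:
- EDR: [DETECTION RULE/SIGNATURE]
"""

if __name__ == "__main__":
    found, issues = parse_iocs(SAMPLE_ADVISORY)
    print(blocklist(found))
    for issue in issues:
        print("NOT READY:", issue)
```

Run against the sample, the parser keeps the valid MD5, the refanged domains and the test-range IP, and returns three problems (the short SHA256, the impossible IP and the unfilled registry placeholder); a wrapper that pushes the blocklist should treat a non-empty problem list as a hard stop rather than a warning.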
Template 4: Regulatory Notification
[ORGANIZATION LETTERHEAD]
[REGULATORY BODY]
[ADDRESS]
Date: [DATE]
RE: Data Security Incident Notification - [REFERENCE NUMBER]
Dear [TITLE/NAME],
Pursuant to [REGULATION - e.g., GDPR Article 33, State Breach Notification Law],
[ORGANIZATION] is providing notification of a data security incident.
INCIDENT SUMMARY:
On [DATE], [ORGANIZATION] detected a malware incident affecting systems containing
[TYPE OF DATA]. The incident was detected through [DETECTION METHOD].
DATA POTENTIALLY AFFECTED:
- Types of data: [PERSONAL DATA, FINANCIAL, HEALTH, etc.]
- Number of individuals: [COUNT or ESTIMATE]
- Categories of individuals: [CUSTOMERS, EMPLOYEES, etc.]
TIMELINE:
- [DATE]: Incident occurred (estimated)
- [DATE]: Incident detected
- [DATE]: Containment achieved
- [DATE]: This notification
MEASURES TAKEN:
1. [CONTAINMENT ACTION]
2. [INVESTIGATION ACTION]
3. [REMEDIATION ACTION]
MEASURES TO MITIGATE ADVERSE EFFECTS:
1. [MITIGATION - e.g., Credit monitoring offered]
2. [MITIGATION - e.g., Password resets enforced]
CONTACT INFORMATION:
[DPO/PRIVACY OFFICER NAME]
[TITLE]
[EMAIL]
[PHONE]
Respectfully,
[SIGNATORY]
[TITLE]
Template 5: Customer/Public Notification
SUBJECT: Important Security Notice from [ORGANIZATION]
Dear [CUSTOMER/USER],
We are writing to inform you of a security incident that may have affected
your information.
WHAT HAPPENED:
On [DATE], we detected unauthorized activity on our systems involving
malicious software. We immediately activated our incident response procedures
and engaged leading cybersecurity experts to investigate.
WHAT INFORMATION WAS INVOLVED:
Based on our investigation, the following types of information may have
been affected: [LIST - e.g., names, email addresses, etc.]
WHAT WE ARE DOING:
- We have contained the incident and removed the malicious software
- We have engaged [FORENSIC FIRM] to conduct a thorough investigation
- We have enhanced our security controls to prevent similar incidents
- We have notified relevant regulatory authorities
WHAT YOU CAN DO:
- Change your password for your [ORGANIZATION] account
- Enable multi-factor authentication if not already active
- Monitor your accounts for unusual activity
- [Additional specific recommendations]
ADDITIONAL RESOURCES:
- [DEDICATED SUPPORT LINE]
- [FAQ PAGE URL]
- [CREDIT MONITORING ENROLLMENT - if applicable]
We sincerely apologize for any concern this may cause and remain committed
to protecting your information.
[SIGNATORY]
[TITLE]
Communication Workflow
Escalation Matrix
Malware Detected
|
v
[Classify Severity: P1/P2/P3/P4]
|
|-- P1: Notify within 15 min
| |-- Incident Commander
| |-- CISO (phone call)
| |-- CEO (phone call)
| |-- Legal Counsel
| |-- External IR firm
| |-- Law enforcement (if applicable)
|
|-- P2: Notify within 1 hour
| |-- CISO
| |-- IT Director
| |-- Legal Counsel
|
|-- P3: Notify within 4 hours
| |-- Security Manager
| |-- IT Director
|
|-- P4: Notify within 24 hours
|-- Security Team Lead
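Putting the severity classification table and the escalation matrix above into code, the following added example (not part of the original page) classifies an incident onto P1-P4, computes its notification deadline and audience, flags a lapsed window, and fills an abridged Template 1 while refusing to treat a draft as ready if any `[PLACEHOLDER]` is still unfilled. The notification windows and audience lists are the page's own; the classification thresholds (for instance the 10-host "widespread" cut-off), the function names and the sample incident are assumptions constructed for this example.

```python
"""Escalation helper built from the severity table and escalation matrix above.

Added example, not part of the original page. The P1-P4 notification windows
and audiences are copied from the page's tables; the classification thresholds,
function names and the sample incident below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Notification windows and audiences from the severity table / escalation matrix.
SEVERITY_POLICY: Dict[str, dict] = {
    "P1": {"window": timedelta(minutes=15),
           "audience": ["Incident Commander", "CISO (phone call)", "CEO (phone call)",
                        "Legal Counsel", "External IR firm",
                        "Law enforcement (if applicable)"]},
    "P2": {"window": timedelta(hours=1), "audience": ["CISO", "IT Director", "Legal Counsel"]},
    "P3": {"window": timedelta(hours=4), "audience": ["Security Manager", "IT Director"]},
    "P4": {"window": timedelta(hours=24), "audience": ["Security Team Lead"]},
}
WIDESPREAD_THRESHOLD = 10          # assumption: what "widespread" means, in hosts
DESTRUCTIVE_TYPES = {"ransomware", "wiper"}


@dataclass
class Incident:
    malware_type: str
    systems_affected: int
    critical_systems: bool
    exfil_suspected: bool
    contained: bool
    detected_at: datetime


def classify_severity(inc: Incident) -> str:
    """Map incident facts onto P1-P4 following the table's row descriptions."""
    widespread = inc.systems_affected > WIDESPREAD_THRESHOLD and not inc.contained
    if inc.malware_type.lower() in DESTRUCTIVE_TYPES or widespread:
        return "P1"
    if inc.critical_systems or inc.exfil_suspected:
        return "P2"
    if inc.contained and inc.systems_affected == 1:
        return "P4"
    return "P3"


def escalation_plan(inc: Incident, now: datetime) -> dict:
    """Who must be notified, by when, and whether that window has already lapsed."""
    sev = classify_severity(inc)
    deadline = inc.detected_at + SEVERITY_POLICY[sev]["window"]
    return {"severity": sev, "deadline": deadline,
            "audience": list(SEVERITY_POLICY[sev]["audience"]),
            "overdue": now > deadline,
            "minutes_left": int((deadline - now).total_seconds() // 60)}


# Abridged Template 1; placeholders keep the page's [UPPER CASE] convention.
TEMPLATE_1 = """SUBJECT: [SEVERITY] Malware Incident - Initial Notification - [DATE/TIME UTC]
CLASSIFICATION: CONFIDENTIAL - IR TEAM ONLY
INCIDENT ID: [INCIDENT ID]
DETECTION TIME: [DETECTION TIME]
SEVERITY: [SEVERITY]
SUMMARY:
A malware incident has been detected affecting [NUMBER] systems in
[DEPARTMENT/LOCATION]. The malware has been identified as [TYPE] with
[KNOWN/UNKNOWN] characteristics.
CURRENT IMPACT:
- Current spread status: [CONTAINED/SPREADING/UNKNOWN]
INCIDENT COMMANDER: [NAME]
NEXT UPDATE: [TIME] or sooner if situation changes
"""
PLACEHOLDER = re.compile(r"\[[A-Z][A-Z0-9 /-]*\]")


def render(template: str, values: Dict[str, str]) -> str:
    """Substitute every [KEY] in the template with values[KEY]."""
    for key, val in values.items():
        template = template.replace(f"[{key}]", val)
    return template


def unfilled_placeholders(text: str) -> List[str]:
    """Placeholders still present; a non-empty list means the draft must not go out."""
    return PLACEHOLDER.findall(text)


def build_notification(inc: Incident, now: datetime, values: Dict[str, str]) -> str:
    """Fill Template 1 from the escalation plan plus operator-supplied fields."""
    plan = escalation_plan(inc, now)
    fmt = "%Y-%m-%d %H:%M UTC"
    auto = {"SEVERITY": plan["severity"], "DATE/TIME UTC": now.strftime(fmt),
            "DETECTION TIME": inc.detected_at.strftime(fmt),
            "NUMBER": str(inc.systems_affected), "TYPE": inc.malware_type,
            "CONTAINED/SPREADING/UNKNOWN": "CONTAINED" if inc.contained else "SPREADING",
            "TIME": (now + timedelta(hours=1)).strftime("%H:%M UTC")}
    return render(TEMPLATE_1, {**auto, **values})


# Constructed sample incident (not a real case): ransomware on 40 hosts, seen at 10:00 UTC.
SAMPLE_DETECTED = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_NOW = SAMPLE_DETECTED + timedelta(minutes=20)
SAMPLE_INCIDENT = Incident("Ransomware", 40, True, False, False, SAMPLE_DETECTED)

if __name__ == "__main__":
    plan = escalation_plan(SAMPLE_INCIDENT, SAMPLE_NOW)
    print(plan["severity"], "deadline", plan["deadline"].isoformat(), "overdue:", plan["overdue"])
    draft = build_notification(SAMPLE_INCIDENT, SAMPLE_NOW,
                               {"INCIDENT ID": "IR-2024-0042",
                                "DEPARTMENT/LOCATION": "Finance, Building B",
                                "KNOWN/UNKNOWN": "KNOWN"})
    print("unfilled:", unfilled_placeholders(draft))
```

For the sample incident the plan comes back as P1 with a 10:15 UTC deadline that is already five minutes past, which is exactly the case the 15-minute row is meant to catch: the helper still produces the plan and the draft, but a responder sees the overdue flag and the missing `[NAME]` before anything is sent.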
References
- NIST SP 800-61 Rev 2: Incident Communication Guidelines
- GDPR Article 33: Data Breach Notification Requirements
- SANS Incident Handler's Handbook: Communication Best Practices
- CISA Incident Reporting Guidelines