Incident Response Playbooks for Compromised Credentials: Source-Aware, Data-Driven Guidance

Credential compromise is an unrelenting reality for security teams worldwide. In 2025, with over 3.2 billion credentials exposed in breaches and infostealer malware logs, the question isn’t if your organization’s credentials will be leaked, but when and where they’ll surface (Tech Radar).

What’s often overlooked is that not all compromised credentials are created equal. The source of exposure, whether an infostealer infection, a third-party data breach, a combo list, or a paste site dump, directly shapes both the urgency and the tactics of your response. Treating every incident the same way can mean wasted time, missed threats, or even repeated compromise.

The good news? With a source-aware approach and the right automation, organizations can slash their median response time from days to hours, and reduce attacker dwell time by more than 60%. 

Below, you’ll find practical playbooks tailored to the most common sources of credential exposure, starting with a section defining the sources of compromised credentials. Each definition includes a clear explanation of why the source matters.



What are the most common sources of compromised credentials? 

Source 1: Infostealer malware logs

Infostealer malware is malicious software that silently harvests credentials, cookies, tokens, and other sensitive data from infected endpoints. Because a stealer log bundles all of this per victim, threat actors can use it directly for targeted follow-on activity. Flashpoint tracked 23 million infected hosts globally, with the majority of infections on corporate devices and systems.

Critical first steps for mitigation

  1. Remove the malware.
  2. Reset credentials to prevent immediate re-compromise.

Why it matters:

  • Active endpoint compromise: Infostealer presence means the device is still at risk. Resetting credentials before malware removal can result in immediate re-compromise, because the stealer captures the new password as soon as it is entered.
  • Depth of exposure: Infostealers also harvest browser autofill data, cookies, and session tokens, exposing access to dozens of business applications per infection.
  • Attack enablement: Infostealer logs are a top enabler for ransomware, supply chain attacks, and further malware deployment.

Source 2: Data breaches

Data breaches occur when attackers exfiltrate large volumes of credentials from vulnerable organizations. 

Critical first steps for mitigation

  1. Reset exposed passwords immediately. 
  2. Monitor your system for unauthorized access.

Why it matters:

  • External exposure: Threat actors are quick to weaponize breached credentials for account takeover, credential stuffing, and lateral movement.
  • Attack chaining: Stolen credentials from breaches can be used to fuel ransomware and supply chain attacks. Infostealers often act as the initial access vector for attack chains.
  • Delayed detection: Many organizations only learn of exposure after credentials appear in underground marketplaces.

Source 3: Combo lists

Combo lists are aggregated files of username/password pairs compiled from multiple breaches and infostealer logs. These lists are widely circulated on dark web forums and used in automated credential stuffing attacks.

Critical first steps for mitigation

  1. Reset exposed passwords immediately. 
  2. Monitor your system for unauthorized access.

Why it matters:

  • Automation: Attackers use combo lists with bots to test thousands of credentials per minute, exploiting password reuse and weak policies.
  • Persistent threat: Even old credentials in combo lists can be dangerous if users haven’t updated their passwords across services.

Source 4: Paste sites

Paste sites (e.g., Pastebin) are public platforms where users share text anonymously, including credential dumps or stolen data. These sites are often used to leak or advertise fresh credentials.

Critical first step for mitigation

  1. Investigate the dark web immediately.

Why it matters:

  • Early indicator: Paste sites are often where credentials show up first, sometimes before they appear in dark web markets.
  • Rapid proliferation: Credentials posted here can be scraped quickly and added to combo lists or sold on underground forums.

Source 5: Dark web marketplaces and forums

Dark web marketplaces and forums are anonymous venues where cybercriminals buy, sell, and trade stolen credentials, often bundled with company names, access levels, and other metadata. As of 2025, 24 billion credential pairs are circulating on these platforms (Flashpoint, via CyberScoop).

Critical first step for mitigation

  1. Investigate the dark web immediately.

Why it matters:

  • Scale: The large volume of credentials available increases the risk for every organization.
  • Low cost, high risk: Corporate credentials can be bought for as little as $10, enabling even low-skilled attackers to launch sophisticated attacks.
  • No notification: Organizations rarely know their credentials are for sale until after an attack occurs.

Automated incident response playbooks for compromised credentials

Below are automated, time-measured incident response playbooks for each major source of compromised credentials, following NIST and industry best practices. Each playbook is structured for automation, measurable response, and source-specific risk mitigation.

Automated playbook for infostealer malware logs

Infostealer infections mean an endpoint is actively compromised. Resetting credentials before malware eradication risks immediate re-compromise.

  • Detection & identification
    • Trigger: Automated alert from credential monitoring or EDR indicating infostealer-related credential exposure.
    • Time to trigger: Immediate (within 5 minutes of alert).
  • Containment
    • Automatically isolate the affected endpoint from the network.
    • Time to isolation: Within 10 minutes of detection.
  • Eradication
    • Initiate automated malware scan. 
    • Clean up the malware using pre-approved tools.
    • Run a secondary verification scan.
    • Time to complete: Within 2 hours of isolation.
  • Credential reset & session invalidation
    • After malware is confirmed eradicated, trigger automated password resets and session revocation for all accounts accessed from the device.
    • Time to reset: Within 15 minutes of eradication confirmation
  • Notification & documentation
    • Automated notification to user and SOC team; log all actions in SIEM.
    • Time to notify: Immediately after remediation steps
  • Post-incident monitoring
    • Monitor for reinfection or suspicious activity for 7 days.
    • Watch for signs of delayed re-engagement.
    • Automated alerts for any anomalous behavior.

Key metrics:

  • Mean Time to Isolate (MTTI): <10 minutes
  • Mean Time to Remediate (MTTR): <2.5 hours
  • Automated dwell time reduction: up to 64%

Automated playbook for data breaches

Breached credentials are rapidly weaponized for account takeover and lateral movement, but do not necessarily indicate endpoint compromise.

  • Detection & identification
    • Trigger: Automated ingestion of breach data from threat intelligence feeds.
    • Time to trigger: Immediate (within 5 minutes of data availability)
  • Triage & prioritization
    • Automated cross-reference against active directory/IdP for matches.
    • Prioritize privileged and high-risk accounts.
    • Time to triage: Within 10 minutes
  • Remediation
    • Trigger automated password resets for affected accounts.
    • Invalidate all active sessions immediately upon password reset.
    • Time to reset: Within 30 minutes of triage
  • Monitoring & notification
    • Heightened monitoring of affected accounts for 7 days, focusing on unusual login patterns (indicative of credential stuffing attacks).
    • Educate users about securing accounts and recognizing phishing attempts. 
    • Automated notification to users and SOC team.
  • Post-incident review
    • Identify root causes and update response strategies. 

Key metrics:

  • Mean Time to Detect (MTTD): <10 minutes
  • Mean Time to Remediate (MTTR): <40 minutes
  • Automated containment time: <1 hour

Automated playbook for combo lists

Combo lists enable automated credential stuffing at scale, exploiting password reuse and weak policies.

  • Detection
    • Trigger: Automated detection of combo list exposure relevant to organization.
    • Time to trigger: Immediate
  • Triage
    • Automated matching against current user base; flag reused or weak passwords.
    • Time to triage: Within 10 minutes
  • Remediation
    • Automated forced password resets for all matched accounts.
    • Automated session revocation.
    • Time to reset: Within 30 minutes
  • Monitoring
    • Monitor for credential stuffing attempts
    • Lock accounts after repeated failed logins.
    • Automated alerts for high-risk login patterns.
  • Post-incident review
    • Identify root causes and update response strategies. 

Key metrics:

  • MTTD: <10 minutes
  • MTTR: <40 minutes
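The monitoring step above asks for two signals: one source cycling through many accounts (credential stuffing from a combo list) and one account failing repeatedly (lockout). This added example, not code from the original post or from Lunar, runs both checks over a constructed authentication log in an assumed `timestamp auth OK|FAIL user=... src=...` line format; thresholds and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format; not from any real product).
# 203.0.113.7 sprays one failure across many accounts; 198.51.100.9 hammers one account.
SAMPLE_LOG = """\
2025-06-01T10:00:01+00:00 auth FAIL user=alice@example.com src=203.0.113.7
2025-06-01T10:00:02+00:00 auth FAIL user=bob@example.com src=203.0.113.7
2025-06-01T10:00:03+00:00 auth FAIL user=carol@example.com src=203.0.113.7
2025-06-01T10:00:04+00:00 auth FAIL user=dave@example.com src=203.0.113.7
2025-06-01T10:00:05+00:00 auth OK user=erin@example.com src=203.0.113.7
2025-06-01T10:00:06+00:00 auth FAIL user=frank@example.com src=203.0.113.7
2025-06-01T10:01:00+00:00 auth FAIL user=bob@example.com src=198.51.100.9
2025-06-01T10:01:10+00:00 auth FAIL user=bob@example.com src=198.51.100.9
2025-06-01T10:01:20+00:00 auth FAIL user=bob@example.com src=198.51.100.9
2025-06-01T10:01:30+00:00 auth FAIL user=bob@example.com src=198.51.100.9
2025-06-01T10:01:40+00:00 auth FAIL user=bob@example.com src=198.51.100.9
2025-06-01T10:30:00+00:00 auth OK user=alice@example.com src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")

def parse_events(log):
    """Yield (timestamp, outcome, user, source_ip) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5, max_fails=5):
    """Flag sources that fail against >= min_users distinct accounts inside `window`
    (combo-list stuffing) and accounts with >= max_fails failures inside `window`
    (lockout candidates). Reported counts are the peak seen within any window."""
    source_fails = defaultdict(list)   # ip   -> [(ts, user)] recent failures
    account_fails = defaultdict(list)  # user -> [ts] recent failures
    stuffing, lockout = {}, {}
    for ts, outcome, user, ip in sorted(parse_events(log)):
        if outcome != "FAIL":
            continue  # only failures feed these two signals
        source_fails[ip] = [(t, u) for t, u in source_fails[ip] if ts - t <= window] + [(ts, user)]
        users = {u for _, u in source_fails[ip]}
        if len(users) >= min_users:
            stuffing[ip] = max(stuffing.get(ip, 0), len(users))
        account_fails[user] = [t for t in account_fails[user] if ts - t <= window] + [ts]
        if len(account_fails[user]) >= max_fails:
            lockout[user] = max(lockout.get(user, 0), len(account_fails[user]))
    return {"stuffing_sources": stuffing, "lock_accounts": lockout}
```

The spraying source is reported even though every account it hit failed only once, which a per-account lockout rule alone would never catch.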

Automated playbook for paste sites

Paste sites are often the first public sign of credential exposure and can be scraped quickly by attackers.

  • Detection
    • Trigger: Automated monitoring of paste sites for organization-related credentials.
    • Time to trigger: Immediate
  • Triage
    • Automated validation of credential freshness and privilege level.
    • Time to triage: Within 10 minutes
  • Remediation
    • Automated password resets for affected accounts.
    • Invalidate all active sessions immediately upon password reset.
    • Time to reset: Within 30 minutes
  • Threat intelligence feedback
    • Feed incident data into your threat intelligence platform for ongoing monitoring.
  • Post-incident review
    • Identify root causes and update response strategies.

Key metrics:

  • MTTD: <10 minutes
  • MTTR: <40 minutes

Automated playbook for dark web marketplaces and forums

Credentials for sale on dark web markets indicate targeted risk and potential for broad exploitation.

  • Detection
    • Automated dark web monitoring for organization-specific credentials.
    • Time to trigger: Immediate
  • Triage
    • Automated cross-reference with active users and privilege levels.
    • Time to triage: Within 10 minutes
  • Remediation
    • Automated forced password resets and session invalidation.
    • Time to reset: Within 30 minutes
  • Monitoring & notification
    • Heightened monitoring for related attack patterns (e.g., phishing, BEC).
    • Educate users about recognizing phishing attempts and securing their accounts.
  • Post-incident review
    • Identify root causes and update response strategies.

Key metrics:

  • MTTD: <10 minutes
  • MTTR: <40 minutes
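The playbooks above differ mainly in step order and deadlines, and the one hard rule is that an infostealer exposure must not trigger a reset until the endpoint is clean. This added example, which is not code from the original post or from Lunar, turns the five playbooks into a dispatch table, cross-references exposed accounts against a constructed directory snapshot, and picks the governing playbook when one account shows up in several sources; the urgency ranking beyond "infostealer first" and the directory contents are assumptions.

```python
from datetime import datetime, timedelta

# Source-to-playbook table built from the deadlines stated in this post (minutes after the
# trigger). Infostealer deadlines chain: isolate within 10 min, eradicate within 2 h of
# isolation, reset within 15 min of confirmed eradication. Others: triage 10 min, reset +30.
PLAYBOOK = {
    "infostealer": [("isolate_endpoint", 10), ("eradicate_malware", 130), ("reset_and_revoke", 145)],
    "dark_web":    [("triage", 10), ("reset_and_revoke", 40)],
    "paste_site":  [("triage", 10), ("reset_and_revoke", 40)],
    "breach":      [("triage", 10), ("reset_and_revoke", 40)],
    "combo_list":  [("triage", 10), ("reset_and_revoke", 40)],
}

# Urgency ranking used when one account appears in several sources. The post only fixes
# the first entry (an infected endpoint must be cleaned before any reset); the rest of the
# order is an assumption made for this example.
SOURCE_RANK = ["infostealer", "dark_web", "paste_site", "breach", "combo_list"]

# Constructed directory snapshot standing in for the AD/IdP cross-reference (hypothetical).
DIRECTORY = {
    "alice@example.com": {"active": True, "privileged": True},
    "bob@example.com":   {"active": True, "privileged": False},
    "carol@example.com": {"active": False, "privileged": False},
}

def governing_source(sources):
    """The playbook that governs an account exposed through several sources."""
    return min(sources, key=SOURCE_RANK.index)

def plan_response(exposures, detected_at):
    """exposures: iterable of (account, source); detected_at: ISO 8601 string.
    Returns {account: plan} for active accounts, privileged accounts first; each plan
    carries the governing source and ordered (step, deadline) pairs."""
    t0 = datetime.fromisoformat(detected_at)
    sources_by_account = {}
    for account, source in exposures:
        entry = DIRECTORY.get(account)
        if entry and entry["active"]:  # unknown or disabled accounts need no reset
            sources_by_account.setdefault(account, set()).add(source)
    plans = {}
    for account in sorted(sources_by_account, key=lambda a: not DIRECTORY[a]["privileged"]):
        src = governing_source(sources_by_account[account])
        plans[account] = {
            "source": src,
            "steps": [(step, (t0 + timedelta(minutes=m)).isoformat(timespec="minutes"))
                      for step, m in PLAYBOOK[src]],
            # A reset only goes out after eradication is confirmed when the host is infected.
            "reset_gated_on_eradication": src == "infostealer",
        }
    return plans
```

An account seen in both a combo list and a stealer log gets the infostealer plan, so the reset is pushed behind isolation and eradication instead of firing at the 40-minute mark.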

Best practices for automation and metrics

How to integrate playbooks with SOAR platforms for real-time orchestration and documentation

Modern Security Orchestration, Automation, and Response (SOAR) platforms are the central hub connecting your SIEM, EDR, threat intelligence, vulnerability management, and ITSM tools into a unified ecosystem. By integrating your incident response playbooks with SOAR, you enable:

  • Automated data ingestion: SOAR continuously collects alerts and telemetry from disparate sources, ensuring no threat goes unnoticed.
  • Workflow automation: Repetitive tasks—such as log analysis, threat classification, and patch deployment—are automated, reducing manual workload and accelerating containment.
  • Real-time response: SOAR executes predefined playbooks instantly when a threat is detected, such as isolating endpoints, blocking malicious IPs, and resetting credentials.
  • Centralized documentation: Every action is logged automatically, streamlining compliance and audit reporting for regulations and frameworks like GDPR, HIPAA, and NIST.

This orchestration not only reduces human error and alert fatigue but also ensures your response is consistent and measurable, even during high-volume attack periods.

MTTD, MTTR, and Dwell Time

To measure and optimize your incident response, focus on three essential metrics:

  • Mean Time to Detect (MTTD): The average time it takes to identify a threat after it enters your environment. Faster detection means less time for attackers to operate undetected.
  • Mean Time to Remediate (MTTR): The average time to contain and eliminate a threat once detected. A lower MTTR reflects streamlined playbooks and efficient tooling, reducing the risk of prolonged exposure.
  • Dwell Time: The total duration an attacker remains in your environment, from initial compromise to complete removal. A reduction of dwell time is a strategic indicator of security maturity and directly correlates to lower breach costs and impact.
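The three metrics are simple differences between the compromise, detection and remediation timestamps of each incident, averaged per source. This added example, not code from the original post or from Lunar, computes MTTD, MTTR and mean dwell time from constructed incident records and flags individual incidents that miss the targets stated in the playbooks above; the record format is an assumption.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed incident records (hypothetical); every timestamp is ISO 8601.
INCIDENTS = [
    {"id": "INC-1", "source": "infostealer", "compromised": "2025-03-01T08:00",
     "detected": "2025-03-01T08:04", "remediated": "2025-03-01T10:20"},
    {"id": "INC-2", "source": "infostealer", "compromised": "2025-03-02T13:00",
     "detected": "2025-03-02T13:12", "remediated": "2025-03-02T16:00"},
    {"id": "INC-3", "source": "breach", "compromised": "2025-03-03T09:00",
     "detected": "2025-03-03T09:06", "remediated": "2025-03-03T09:40"},
]

# Targets in minutes, taken from the key metrics in this post (the infostealer detection
# target is the 5-minute trigger time; its MTTR target is the stated 2.5 hours).
TARGETS = {
    "infostealer": {"mttd": 5, "mttr": 150},
    "breach": {"mttd": 10, "mttr": 40},
}

def minutes_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def incident_times(inc):
    """Detection delay, remediation time and dwell time of one incident, in minutes."""
    return {
        "ttd": minutes_between(inc["compromised"], inc["detected"]),
        "ttr": minutes_between(inc["detected"], inc["remediated"]),
        "dwell": minutes_between(inc["compromised"], inc["remediated"]),
    }

def source_metrics(incidents):
    """Mean TTD / TTR / dwell per source, i.e. MTTD, MTTR and mean dwell time."""
    grouped = defaultdict(list)
    for inc in incidents:
        grouped[inc["source"]].append(incident_times(inc))
    return {src: {"mttd": mean(t["ttd"] for t in ts), "mttr": mean(t["ttr"] for t in ts),
                  "dwell": mean(t["dwell"] for t in ts)} for src, ts in grouped.items()}

def sla_breaches(incidents):
    """(id, metric, actual, target) for every incident time that exceeds its source's target."""
    out = []
    for inc in incidents:
        t, target = incident_times(inc), TARGETS.get(inc["source"], {})
        for k in ("ttd", "ttr"):
            if "m" + k in target and t[k] > target["m" + k]:
                out.append((inc["id"], k, t[k], target["m" + k]))
    return out
```

Averages alone can hide a missed target, which is why the per-incident breach list sits beside the per-source means.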

Best practices for reducing MTTD, MTTR and Dwell Time

  1. Align MTTD and MTTR goals to drive down dwell time holistically.
  2. Use SOAR analytics to monitor these metrics in real time, enabling continuous improvement.
  3. Benchmark your performance against industry standards—mature organizations now aim for detection and containment within 24–72 hours, with leading teams achieving median dwell times as low as 10 days (Mandiant M-Trends 2024).

Review and update playbooks regularly

Incident response is not static. To stay effective, your playbooks must evolve with the threat landscape:

  • Update technical procedures, detection rules, and automation workflows every quarter to address new threats and lessons learned from recent incidents.
  • Conduct post-incident reviews to identify what worked, where bottlenecks occurred, and what needs improvement. Update the playbook accordingly.
  • Ensure all roles, contact information, and escalation procedures remain current and compliant with regulatory requirements.
  • Any significant change in systems, team structure, or regulatory landscape should trigger an immediate review and update.

Regular maintenance ensures your playbooks remain actionable, your team is prepared, and your response remains both fast and effective.

The right tool makes the process easier

Lunar continuously scans the deep and dark web, including 36B+ compromised credentials. Lunar gives your cybersecurity team vital information from the deep and dark web so you can respond to incidents with precision and urgency. 

Talk to a cyber expert to learn how your organization can significantly reduce attacker dwell time and the overall impact of credential-based attacks with Lunar, our credential monitoring platform.

Steve Burg

VP Strategy
