Claude Cowork Incident Response Playbook

When a Cowork incident hits, you have minutes to contain it — and because Cowork is excluded from Audit Logs, the Compliance API, and Data Exports, your forensic trail lives on the user's local device where it degrades fast. This 18-page playbook compresses the first thirty minutes of an incident into a deterministic sequence: contain, preserve, classify, escalate. Five scenario playbooks (Agent Runaway, Dispatch Compromise, Unintended Screen Capture, Prompt Injection, Scheduled Task spam), forensic collection procedures, color-coded communication templates, and a regulator engagement matrix spanning GDPR, HIPAA, GLBA, and seven other frameworks. Designed to be printed and posted near the SOC desk.