Most incident response plans are written once, filed, and never rehearsed. The first real test is the incident itself, which is the worst possible moment to discover the contact list is stale and no one agreed who can take systems offline. We pressure-test the plan against how your organisation actually runs, exercise it with the people who would run it, and confirm you can recover.
Scope agreed in writing before any work. No obligation.
The method
We review the IR plan and playbooks against your real environment, escalation paths, and decision rights, not an idealised version. The questions that matter are practical: who declares an incident, who can isolate a system, who speaks to customers, and what happens at 2am on a public holiday.
We run a scenario exercise with your leadership and technical teams in the room, walking a realistic incident from detection to recovery. The value is in the disagreements it surfaces while the stakes are still hypothetical.
Backups, continuity, and the path back to normal operations are tested, not taken on trust, against the recovery times the business assumes it has. Where the real recovery time exceeds the assumed one, you find out now.
We make the reportable-incident obligations and insurer expectations explicit, including the notification clocks that apply to you, so the plan is built around the timeframes you are actually held to.
You have an IR plan, possibly a good one, but it has never left the document. You need to know whether it survives contact with a real scenario and your real people, before an attacker provides the test.
Backups run, in theory. Failover exists, on paper. Nobody has actually restored the crown-jewel system end to end and timed it. The readiness review turns those assumptions into evidence.
A cyber-insurance renewal, a customer contract, or a reporting regime expects a tested IR capability with defined timeframes, and you need to show it is real, not aspirational.
What you are commissioning
One named engagement from the Assess track backs this page. Scope, the scenario, and the people involved are agreed in writing before the exercise.
Assess track · Typically 2–3 weeks
Know the plan holds before you ever need it.
Best for teams whose IR plan has never been rehearsed.
Includes
Deliverables
Beyond the exercise
A tabletop that ends with a slide deck is theatre. The findings should change the program.
Questions
A facilitated scenario, chosen to be realistic for your sector and estate, walked through with your leadership and technical responders. We inject decisions and complications and record where roles, authority, or information are unclear. It typically runs for half a day to a full day and is written up afterwards.
We validate the recovery path to the depth you agree, from reviewing the restore process and evidence through to observing a real restore of an agreed system. The point is to replace 'the backups run' with 'we restored it, and it took this long'.
This readiness review covers the plan, the people, and the recovery, not 24/7 monitoring. Where you need around-the-clock detection, we scope a managed-detection provider into the operating model under Operate and hold them to the architecture; we deliberately do not resell eyes-on-glass.
Yes. Whether it is APRA, the SOCI Act's mandatory timeframes, GDPR, or a contractual obligation, we map the notification clocks and content requirements into the plan so the obligation is built in rather than rediscovered mid-incident.
An IR readiness report, the tabletop findings, and a recovery gap register, so the exercise produces a prioritised list of fixes rather than just a sense of how it went.
One conversation, then the scope and the price in writing.