Rehearse Your Incident Response Before a Real Attack

A credible tabletop must force executives and responders through the hardest decisions before a real crisis does. This domain pressures containment, restoration, and payment governance under realistic uncertainty.

• ▸ Scenario injects for domain controller compromise, backup encryption, and spread into virtualization or hypervisor management planes
• ▸ Decision points around negotiator engagement, insurer notification, outside counsel involvement, and sanctions screening before any payment discussion
• ▸ Validation of how the team distinguishes genuine exfiltration evidence from bluff-based extortion claims
• ▸ Recovery prioritization under degraded identity services where production systems may be available but authentication is not
• ▸ Time-boxed escalation choices that test whether business leaders understand the operational impact of delayed containment

Many severe incidents now begin in the identity or SaaS layer rather than on a workstation. This domain exercises response to tenant-wide trust and access failures.

• ▸ Entra ID or Okta administrator compromise scenarios involving mass session revocation, app disablement, and break-glass account activation
• ▸ Malicious enterprise application consent and OAuth abuse affecting mailbox, file, and directory access across the tenant
• ▸ Microsoft 365 mailbox takeover scenarios with legal hold, message trace, and executive communication integrity decisions
• ▸ Cloud control-plane compromise injects involving access key exposure, role chaining, and emergency account isolation
• ▸ SaaS outage versus intrusion differentiation where the team must act despite incomplete vendor visibility and delayed updates

The technical response often fails because crisis communications and legal obligations are improvised. This domain validates whether the organization can communicate with discipline under pressure.

• ▸ Notification threshold exercises for GDPR, NIS2, sector-specific rules, contractual obligations, and board escalation triggers
• ▸ Board briefing rehearsals using decision logs, confirmed facts, working assumptions, and unresolved investigative questions
• ▸ Customer, partner, media, and employee statement sequencing that prevents over-disclosure while preserving trust
• ▸ Law-enforcement and CERT engagement criteria tied to jurisdiction, threat actor profile, and operational need
• ▸ Privilege preservation workflows with outside counsel, breach coach coordination, and documentation segregation

Strong tabletop programs validate the mechanics of command and control, not just the narrative. This domain checks role clarity, forensics discipline, and war-room execution.

• ▸ Incident commander, deputy, communications lead, legal lead, and technical SME RACI validation against the current IR plan
• ▸ Chain-of-custody steps for memory capture, log export, endpoint triage, cloud snapshots, and volatile evidence preservation
• ▸ Secure war-room tooling and backup communications plans when corporate chat, email, or SSO are unavailable
• ▸ Scenario injects mapped to ATT&CK progression so the team must correlate attacker phases to concrete response actions
• ▸ After-action conversion of findings into playbook changes, control owners, due dates, and evidence of closure