The firm had an incident-response plan. It was sixty pages long, had been written by a consultancy three years prior, and nobody on the current leadership team had read it end-to-end. The CISO had inherited the document and a vague unease that it would not survive contact with a real incident. A board member with cybersecurity background had asked the CISO whether the firm could execute the plan unaided. The honest answer was that nobody knew.
An incident response plan tested before it was needed
A four-week incident-readiness engagement for a mid-market financial services firm: detection coverage analysis, three scenario-driven tabletops, and a communications playbook rewritten by people who would have to use it.
- Client
- Mid-market financial services firm, ~800 employees, three offices, US.
- Duration
- Four weeks
- Practice
- Cybersecurity
- Read-through of the existing incident-response plan against the firm's actual operating reality — who is on call, who has authority, what tools are deployed where
- Detection coverage gap analysis — what events would actually trigger the plan, and what would slip through
- Three scenario-driven tabletops, each two to three hours, with the leadership team in the room: ransomware on the production file servers, business-email compromise of the CFO's account, and a data exfiltration discovered by a third party
- Communications playbook review — internal escalation, customer notification, regulator notification, and the contradictions between them
- A rewritten incident-response plan, sixteen pages, that the leadership team helped write rather than receiving
Week 1 was the read-through and the gap analysis. The existing plan had three specific failure modes that became evident within the first hour of review: it relied on a vendor that was no longer engaged, it routed all decisions through a single executive who was on the firm's road for thirty percent of the year, and its notification timelines were calibrated to the wrong jurisdiction. Weeks 2–3 were the tabletops. The CFO BEC scenario in particular surfaced two assumptions about wire-transfer authority that were wrong and a notification obligation the legal team had not previously documented. Week 4 was the rewrite — a sixteen-page plan the firm's leadership team contributed to in writing.
The firm has a plan that fits on a printout and that the people responsible for executing it actually understand, because they helped write it. Detection coverage gaps from the analysis have been escalated to the SIEM owner with a scoped remediation plan. The firm's outside counsel has reviewed the communications playbook and made two notification-timeline corrections. Six weeks after handoff, the firm executed against the plan during a near-miss event — a phishing campaign targeting the finance team — and the CISO reported the response was the first time the firm had moved with confidence rather than uncertainty.
An incident response plan that has never been tested is a plan that probably does not work. The deliverable is not the document — the deliverable is the leadership team learning, in a quiet room, what they would actually do when the call comes at 2 a.m.
Short excerpts representative of the actual documents shipped in this engagement. Anonymised to preserve client confidentiality; faithful to the structure and substance of what we delivered.
The existing plan names "the vendor" as the first call for forensic acquisition. The vendor's contract terminated eighteen months ago. The plan was reviewed quarterly during that period without anyone noticing.
Two assumptions about wire-transfer authority were tested and found incorrect. The CFO believed her sign-off was sufficient up to one million dollars; the firm's actual policy required a co-signer above one hundred thousand. Neither the policy nor the assumption had been documented in the IR plan. The exercise was the first time the leadership team aligned on the actual policy.
First decision in any incident: name the incident commander. Default is the on-call security lead. If the on-call lead is the affected party (account compromise, role compromise), default escalates to the CISO. If both are unavailable, the General Counsel takes the role. This is the first decision because every other decision routes through it.
We respond within two business days. Scoping calls are obligation-free and run thirty minutes.

