From tabletop exercises to real incidents: why preparation determines outcomes
When 43% of UK businesses report experiencing a cyber breach or attack in just the past year, the question isn’t whether your organization will face a cyber incident—it’s how well you’ll respond when it happens.
This stark reality was at the center of a recent webinar hosted by Resilience, featuring insights from Scott Tenenbaum, Head of North American Claims, and Graeme Manzi, Security Risk Services Lead for UK & Europe. Their combined experience—Scott with “hundreds of incidents” and Graeme’s background spanning Royal Marines Commando communications systems to cybersecurity consulting before, during and after an incident—offers a roadmap for organizations seeking to build true cyber resilience.
Why traditional models are breaking down
The cybersecurity landscape has fundamentally shifted, and the numbers tell a sobering story. According to Manzi, “the average breakout time, which is the time from initial access to lateral movement just continues to drop.” The data is striking: CrowdStrike’s 2024 report showed this critical window dropped from an average of an hour and a half to just an hour between 2022 and 2023, while the fastest time they recorded for that breakout was just two minutes.
This acceleration has led to an evolution beyond traditional incident response frameworks. The venerable PICERL model, developed over 20 years ago, “brought order to chaos and created that initial structure” when “attacks evolved much more slowly,” Manzi explains. Similarly, while NIST 800-61 Rev. 2 “became the default in particular, because it scaled better” and “aligned with regulatory expectations,” it too was designed for a different era.
Recognizing these limitations, NIST 800-61 Rev. 3 represents the latest evolution in incident response models, designed to address the increasing speed and complexity of modern cyberattacks. Released in April 2025, Rev. 3 aligns with the NIST Cybersecurity Framework (CSF) version 2.0, which is organized around six core functions: govern, identify, protect, detect, respond, and recover.
A significant change in Rev. 3 is its repositioning of incident response as a continuous, organization-wide function spanning all six functions. As Manzi notes, “if you are still using Rev. 2 in isolation, your response plans may well be well structured, but it may not be fully aligned with how incident response operates today in an integrated, risk-driven environment.”
Enter the DAIR model (Detect, Analyze, Investigate, Respond), which “reflects how today’s incidents actually unfold. They’re fast, they’re messy and ideally intelligence driven. It’s nonlinear by design. It’s the modern model for modern attacks.” NIST 800-61 Rev. 3 is well aligned with this approach, acknowledging that modern incidents require extensive feedback loops for continuous re-scoping as new information emerges.
Both frameworks reinforce the need for a coordinated, cross-functional response during an incident. As Manzi emphasizes, incident response is a “team sport, particularly in a severe incident. It’s going to require a cross-functional response. It’s not just the security or IT team. It’s going to involve legal, communications, cloud infrastructure, executives, lots of different people.” The crucial point is that everyone needs to know their roles and responsibilities before the pressure hits.
The four pillars of effective response
When a cyber incident unfolds at breakneck speed, organizations need more than just detection—they need the ability to rapidly contain and respond, effectively “pulling up the digital drawbridge” to limit the severity and scope of the attack. This containment capability, honed through practice and preparation, can mean the difference between a minor security event and a business-threatening crisis.
The goal isn’t just to identify what’s happening, but to systematically tighten security controls across your environment, limiting an attacker’s ability to move laterally and cause further damage. As Manzi explains, effective response requires a coordinated approach that protects multiple digital assets in a proportional and premeditated manner while “limiting the adversary without simultaneously disrupting business operations and trying to preserve forensic value.”
When seconds count, response teams need a clear framework for action. Manzi identifies four critical elements that effective response actions must address.
1. Endpoints and devices
The first line of defense is quarantining compromised endpoints fast, using automation and EDR (endpoint detection and response) tools. As Manzi notes, “that two minute breakout time is only possible with automation. So we need to counteract that as well with automated response.”
2. Networks
Network containment uses firewall rules and network access policies to block malicious traffic and isolate affected segments, limiting the blast radius of an incident.
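The endpoint pillar above depends on being able to isolate many hosts at once without a human clicking through a console for each one. The following PowerShell function is an added example, not code from the webinar or from Resilience, that drives the Microsoft Defender for Endpoint machine-isolation API in bulk. It assumes an app registration that already holds the Machine.Isolate application permission and a bearer token for api.securitycenter.microsoft.com obtained separately (token acquisition is not shown); the incident ID, log path and parameter names are the example's own choices.

```powershell
# Added example: bulk endpoint isolation through the Microsoft Defender for Endpoint API.
# Assumptions (not from the original article): an Entra app with the Machine.Isolate
# permission, and $AccessToken already issued for https://api.securitycenter.microsoft.com.
function Invoke-EndpointIsolation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $MachineIds,   # MDE device IDs from the alert or incident
        [Parameter(Mandatory)] [string]   $AccessToken,  # bearer token for the MDE API
        [Parameter(Mandatory)] [string]   $IncidentId,   # ticket reference stamped on every action
        [ValidateSet('Full', 'Selective')] [string] $IsolationType = 'Full',
        [string] $LogPath = ".\isolation-$IncidentId.log"
    )

    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    # The comment is recorded on the machine action in the portal, which preserves the
    # "who isolated what, when and why" trail the investigation will later need.
    $body = @{ Comment = "IR $IncidentId: containment isolation"; IsolationType = $IsolationType } |
            ConvertTo-Json

    foreach ($id in $MachineIds) {
        $uri = "https://api.securitycenter.microsoft.com/api/machines/$id/isolate"
        # ShouldProcess gates the call, so -WhatIf lists every device that would be cut off
        # without touching anything: the dry run you want during a tabletop exercise.
        if ($PSCmdlet.ShouldProcess($id, "Isolate ($IsolationType)")) {
            try {
                $action = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body
                $line = "{0} ISOLATE {1} action={2} status={3}" -f (Get-Date -Format o), $id, $action.id, $action.status
            } catch {
                $line = "{0} ISOLATE {1} FAILED {2}" -f (Get-Date -Format o), $id, $_.Exception.Message
            }
            Add-Content -Path $LogPath -Value $line
            Write-Host $line
        }
    }
}

# Usage (dry run first, then for real):
#   Invoke-EndpointIsolation -MachineIds $ids -AccessToken $tok -IncidentId 'IR-0001' -WhatIf
#   Invoke-EndpointIsolation -MachineIds $ids -AccessToken $tok -IncidentId 'IR-0001'
```

Two practical points. Full isolation leaves the device's connection to the Defender service intact, so forensic collection from the host is still possible after containment, which is exactly the "preserve forensic value" requirement in the text. And the list of device IDs should be reviewed before the real run: isolating a domain controller, the responders' own jump host, or a hypervisor is how containment becomes self-inflicted outage.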
3. Identities
Perhaps most critically, teams must disable or reset high-risk accounts immediately. Manzi poses a crucial question every organization should be able to answer: “How easily could your organization do a global password reset?” Recent high-profile incidents have shown that this capability can decide whether a response succeeds.
4. Permissions
The final pillar involves rapidly stripping excess permissions, especially from administrator, privileged and service accounts. The goal is implementing true least privilege, not just paying lip service to the concept.
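The identity and permissions pillars above come down to a handful of directory operations that are easy to describe and surprisingly hard to execute at scale under pressure. The script below is an added example, not code from the webinar or from Resilience, showing what a rehearsable "global password reset plus privilege strip" looks like for an on-prem Active Directory domain with Entra ID sessions. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are installed and that Connect-MgGraph has already been run with the User.RevokeSessions.All scope; the parameter names, group list and log format are the example's own choices.

```powershell
# Added example: emergency identity containment for AD + Entra ID.
# Assumptions (not from the original article): ActiveDirectory and Microsoft.Graph modules
# present, Connect-MgGraph already done with User.RevokeSessions.All, run as a Tier-0 admin.
function New-RandomPassword {
    # 32 random bytes, base64-encoded. Nobody ever learns this value; affected users get a
    # new password through the helpdesk or self-service reset after identity verification.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-IdentityContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]] $HighRiskUsers = @(),      # sAMAccountNames tied to the intrusion: disabled outright
        [string[]] $BreakGlass = @(),         # approved emergency admins: never disabled, never reset
        [string[]] $SkipReset = @(),          # e.g. service accounts with SPNs you will rotate by hand
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [switch]   $GlobalReset,              # invalidate every enabled user's password
        [switch]   $ResetKrbtgt,              # first of the two krbtgt resets (see step 4)
        [string]   $LogPath = '.\identity-containment.log'
    )
    function Log([string] $msg) {
        $line = '{0} {1}' -f (Get-Date -Format o), $msg
        Add-Content -Path $LogPath -Value $line
        Write-Host $line
    }

    # 1. Disable the accounts the investigation has tied to the adversary and kill their
    #    cloud sessions; a disabled AD account does not invalidate an existing refresh token.
    foreach ($u in $HighRiskUsers | Where-Object { $_ -notin $BreakGlass }) {
        if ($PSCmdlet.ShouldProcess($u, 'Disable account and revoke cloud sessions')) {
            Disable-ADAccount -Identity $u
            $upn = (Get-ADUser -Identity $u -Properties UserPrincipalName).UserPrincipalName
            if ($upn) { Revoke-MgUserSignInSession -UserId $upn | Out-Null }
            Log "DISABLED $u ($upn)"
        }
    }

    # 2. Global reset: random password plus change-at-next-logon for every enabled user
    #    except break-glass accounts and anything explicitly deferred.
    if ($GlobalReset) {
        $skip = $BreakGlass + $SkipReset + 'krbtgt'
        $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
                 Where-Object { $_.SamAccountName -notin $skip }
        foreach ($user in $users) {
            if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Reset password and revoke sessions')) {
                Set-ADAccountPassword -Identity $user -Reset -NewPassword (New-RandomPassword)
                Set-ADUser -Identity $user -PasswordNeverExpires $false
                Set-ADUser -Identity $user -ChangePasswordAtLogon $true
                if ($user.UserPrincipalName) { Revoke-MgUserSignInSession -UserId $user.UserPrincipalName | Out-Null }
                Log "RESET $($user.SamAccountName)"
            }
        }
    }

    # 3. Strip excess privilege: any direct member of a Tier-0 group not on the break-glass list.
    foreach ($g in $PrivilegedGroups) {
        $extra = Get-ADGroupMember -Identity $g | Where-Object { $_.SamAccountName -notin $BreakGlass }
        foreach ($m in $extra) {
            if ($PSCmdlet.ShouldProcess("$g\$($m.SamAccountName)", 'Remove from group')) {
                Remove-ADGroupMember -Identity $g -Members $m -Confirm:$false
                Log "REMOVED $($m.SamAccountName) from $g"
            }
        }
    }

    # 4. krbtgt: a stolen krbtgt hash (golden ticket) survives every user reset above. Reset it
    #    once now and a second time only after replication has completed and the maximum
    #    ticket lifetime (10 hours by default) has elapsed; resetting twice back-to-back
    #    invalidates every outstanding Kerberos ticket and breaks the estate.
    if ($ResetKrbtgt -and $PSCmdlet.ShouldProcess('krbtgt', 'Reset password (first of two)')) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)
        Log 'RESET krbtgt (first of two; schedule the second after the ticket lifetime)'
    }
}

# Tabletop rehearsal: lists every action without changing anything.
#   Invoke-IdentityContainment -HighRiskUsers 'jdoe' -BreakGlass 'bg-admin01' -GlobalReset -WhatIf
```

Every change is gated by ShouldProcess, so running the script with -WhatIf during an exercise produces the full list of accounts that would be disabled, reset or stripped, which is a concrete way to answer Manzi's question before an incident forces the answer. The exclusion lists are the part that needs the most thought in advance: break-glass accounts must keep working, and service accounts with Kerberos SPNs cannot be blind-reset without taking down whatever depends on them, which is the "without simultaneously disrupting business operations" constraint from earlier in the article.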
Practice makes perfect (or at least prepared)
The webinar emphasized a fundamental truth about crisis response: “You don’t rise to the occasion. You fall to the level or the standards of your preparation,” says Manzi, drawing from performance psychology principles. Yet many organizations resist comprehensive testing.
“Something that can be hard to overcome is that it’s an exercise, not a test,” Manzi explains. “It’s not about passing or failing. It’s about building capability.”
And the stakes for getting this right have never been higher, as regulators are increasingly requiring regular incident response testing, as seen in DORA and NIS 2.
The good news? Organizations don’t need to start with complex scenarios. Manzi recommends a few different exercises:
- Tactical walkthroughs that test procedures, task ownership and escalation logic, and that produce specific playbooks.
- Blue team exercises that provide a safe, controlled environment for developing technical skills.
- Purple teaming, for more mature organizations, which pairs defenders with a live adversary team to approximate the dynamics of a real attack.
- Strategic exercises that test how leadership decisions will be made.
Leading during the critical first 30 minutes
Perhaps nowhere is preparation more crucial than in leadership response. As Manzi puts it: “The first 30 minutes of a crisis can define or decide the next 30 days.”
One of the most practical insights from the webinar involves separating leadership roles during an incident. Based on real-world experience, the recommendation is clear: separate the leader from the manager of the incident. The leader should focus on strategic priorities, briefing executives, managing the impact, while the manager coordinates the technical actions, containment, forensics, and timelines.
“Combining both roles creates bottlenecks, burnout, and confusion,” Manzi says. “And it’s just too much, really, for one person to do really well.”
The importance of building relationships before crisis hits
While technical controls are essential, Scott Tenenbaum’s experience reveals that preparation extends beyond security tools. He emphasizes the importance of ongoing engagement with customers throughout the policy lifecycle, not just when breaches occur. Here’s what he recommends.
Know your policy reality
Many organizations don’t realize that extortion coverage operates as a reimbursement policy, meaning companies must front potentially significant funds—from $25,000 to over $1 million—before insurance kicks in. There’s also an often-unused proof of loss sublimit providing $50,000-$100,000 for hiring forensic accountants to prepare business interruption claims.
Build your response team early
Establish relationships with specialized professionals before crisis strikes. These specialist providers offer reduced rates and crucial expertise in what Tenenbaum describes as “very specific type of work, and you want the people with the experience in that work.”
The alternative is costly. Tenenbaum frequently encounters organizations that want to default to familiar but non-specialist counsel, and, as he explains below, those engagements have produced some of his worst claim experiences.
Equally important: don’t use your managed service provider for post-incident forensics. As Tenenbaum puts it with a stark analogy, you wouldn’t have a suspect investigate their own crime and report back to you.
Regular tabletop exercises conducted when there’s no pressure help clarify roles and answer the critical question of who gets the first call during an actual incident. This preparation ultimately determines whether organizations achieve coordinated responses or descend into chaos.
The importance of including your insurance company during an incident
Scott Tenenbaum’s experience handling hundreds of cyber claims provides valuable perspective on what separates successful responses from disasters. The numbers speak volumes: 78% of Resilience clients recovered without paying a ransom in a ransomware situation and, in cases where payment was necessary, they worked with Resilience professionals so that the team and the insured were able to reduce payments by about 70%.
But these outcomes don’t happen by accident. They require working with specialists who understand the unique demands of cyber incidents. Tenenbaum frequently encounters organizations that want to use familiar counsel, like “my son is friends with a partner at a big law firm, and I think they do cyber,” or companies that “play golf with some lawyers who, I think, could handle this.”
The reality? “This is very specific type of work, and you want the people with the experience in that work,” Tenenbaum emphasizes. “Some of the worst claim experiences I have had have started with some of those comments.”
Where to start building resilience
For organizations looking to improve their cyber resilience, the experts offer clear guidance:
- Start with tabletop exercises: You wouldn’t try to run your first marathon without training. You don’t want to wait for a real incident to put your team and the wider organization under pressure.
- Establish clear roles before any crisis: Everyone needs to know their roles and responsibilities before the pressure hits.
- Build relationships with specialists: Engage with cyber-focused legal counsel and forensics firms before you need them.
- Practice the fundamentals: Can your organization execute a global password reset? Do you know who your critical vendors are and what happens if they’re compromised?
As Manzi concludes: “Resilience through readiness is what limits damage, protects reputation, and keeps you compliant when it really counts.”
In an era where cyber threats move faster than ever, preparation isn’t just good practice—it’s the difference between a manageable incident and a business-threatening crisis. Remember: The question isn’t whether your organization will face a cyber incident, but whether you’ll be ready when it arrives.