Karakor
All case studies
CYBERSECURITY · INCIDENT READINESS

An incident response plan tested before it was needed

A four-week incident-readiness engagement for a mid-market financial services firm: detection coverage analysis, three scenario-driven tabletops, and a communications playbook rewritten by people who would have to use it.

Client
Mid-market financial services firm, ~800 employees, three offices, US.
Duration
Four weeks
Practice
Cybersecurity
Results
60 → 16 ppPlan length, after the rewrite — readable instead of comprehensive
3Tabletop scenarios run with the full leadership team in the room
2Wire-transfer authority assumptions surfaced as incorrect during the BEC scenario
1 near-missReal event the firm executed against six weeks after handoff
01 — Challenge

The firm had an incident-response plan. It was sixty pages long, had been written by a consultancy three years prior, and nobody on the current leadership team had read it end-to-end. The CISO had inherited the document and a vague unease that it would not survive contact with a real incident. A board member with cybersecurity background had asked the CISO whether the firm could execute the plan unaided. The honest answer was that nobody knew.

02 — Scope
  • Read-through of the existing incident-response plan against the firm's actual operating reality — who is on call, who has authority, what tools are deployed where
  • Detection coverage gap analysis — what events would actually trigger the plan, and what would slip through
  • Three scenario-driven tabletops, each two to three hours, with the leadership team in the room: ransomware on the production file servers, business-email compromise of the CFO's account, and a data exfiltration discovered by a third party
  • Communications playbook review — internal escalation, customer notification, regulator notification, and the contradictions between them
  • A rewritten incident-response plan, sixteen pages, that the leadership team helped write rather than receiving
03 — Work

Week 1 was the read-through and the gap analysis. The existing plan had three specific failure modes that became evident within the first hour of review: it relied on a vendor that was no longer engaged, it routed all decisions through a single executive who was on the firm's road for thirty percent of the year, and its notification timelines were calibrated to the wrong jurisdiction. Weeks 2–3 were the tabletops. The CFO BEC scenario in particular surfaced two assumptions about wire-transfer authority that were wrong and a notification obligation the legal team had not previously documented. Week 4 was the rewrite — a sixteen-page plan the firm's leadership team contributed to in writing.

04 — Outcome

The firm has a plan that fits on a printout and that the people responsible for executing it actually understand, because they helped write it. Detection coverage gaps from the analysis have been escalated to the SIEM owner with a scoped remediation plan. The firm's outside counsel has reviewed the communications playbook and made two notification-timeline corrections. Six weeks after handoff, the firm executed against the plan during a near-miss event — a phishing campaign targeting the finance team — and the CISO reported the response was the first time the firm had moved with confidence rather than uncertainty.

An incident response plan that has never been tested is a plan that probably does not work. The deliverable is not the document — the deliverable is the leadership team learning, in a quiet room, what they would actually do when the call comes at 2 a.m.

From the deliverable

Short excerpts representative of the actual documents shipped in this engagement. Anonymised to preserve client confidentiality; faithful to the structure and substance of what we delivered.

From the gap analysis
The existing plan names "the vendor" as the first call for forensic acquisition. The vendor's contract terminated eighteen months ago. The plan was reviewed quarterly during that period without anyone noticing.
From the BEC tabletop after-action
Two assumptions about wire-transfer authority were tested and found incorrect. The CFO believed her sign-off was sufficient up to one million dollars; the firm's actual policy required a co-signer above one hundred thousand. Neither the policy nor the assumption had been documented in the IR plan. The exercise was the first time the leadership team aligned on the actual policy.
From the rewritten plan
First decision in any incident: name the incident commander. Default is the on-call security lead. If the on-call lead is the affected party (account compromise, role compromise), default escalates to the CISO. If both are unavailable, the General Counsel takes the role. This is the first decision because every other decision routes through it.
Engage

We respond within two business days. Scoping calls are obligation-free and run thirty minutes.