#NSBCS.113 - Prepared, Not Panicked: The Importance of Incident Readiness and Tabletop Exercises

 

Most organisations struggle during incidents not because they lack tools or technology, but because their response isn't clear. In the first few hours, uncertainty about ownership, decision-making, and obligations slows progress and amplifies impact. Preparation is what separates a measured response from a reactive scramble. When teams have the right resources and know how to use them, they act with purpose rather than hesitation. This clarity minimises disruption and helps organisations maintain control when it matters most.

Incident Readiness Material

Incident readiness materials form the foundation of an effective response. They include documented incident response plans, playbooks, escalation pathways, regulatory notification guidance, and clearly defined roles and responsibilities. Good documentation does more than sit on a shelf; it provides clarity under pressure. When an incident occurs, teams shouldn’t be debating who leads, who approves communications, or whether a regulator must be notified within a specific timeframe. Well-prepared organisations can act immediately because expectations are already set and stakeholders understand their responsibilities, the sequence of actions, and the deadlines they must meet. As a result, confusion is minimised, response times are quicker and more efficient, and financial impact is limited because business operations continue.

Tabletop Exercises

Plans alone aren’t enough; they need to be tested.

Tabletop exercises provide a safe, low-risk environment to run through realistic scenarios and confirm whether the documented process actually works in practice. The exercise helps to uncover gaps that seldom appear on paper, such as outdated contact lists, unclear handovers, approval delays, or conflicting interpretations of reporting obligations.

More importantly, exercises build muscle memory. People become familiar with their roles and grow confident making decisions under simulated pressure. When a real incident occurs, the process feels familiar rather than overwhelming. Regular tabletop exercise (TTX) sessions also strengthen cross-functional collaboration: security, IT, legal, HR, communications, and leadership teams learn to work together, so that duties are coordinated effectively during real events.

Incident Scenario

Imagine a ransomware attack detected on a Monday morning. Systems are unavailable, staff cannot access email, and customers are already noticing disruptions. Without preparation, the first hours are spent figuring out essentials: Who declares the incident? Who contacts legal counsel? Is regulatory notification required within 72 hours? Who communicates with customers?

With readiness materials and prior tabletop exercises, the team responds differently. The incident lead is activated immediately, containment measures are initiated, legal reviews are completed and reporting thresholds are assessed, communications prepare pre-approved messaging, executives receive structured updates, timelines are tracked, and regulatory obligations are met without last-minute scrambling. The difference isn’t luck; it’s preparation.

What Can You Do To Improve Incident Readiness?

Here at NSB Cyber, we support organisations in strengthening their incident preparedness through tailored tabletop exercises and comprehensive risk assessments. By working closely with your team, we help validate existing response capabilities, identify gaps, and uplift processes in line with real-world threat scenarios and industry best practice.

Together, these practices form a strong and sustainable foundation for incident readiness, ensuring your business can respond effectively and take #NoStepsBackward when faced with a cyber incident:

  • Maintain a clear, current incident response plan and practical playbooks;

  • Define roles, responsibilities, and escalation procedures in advance;

  • Keep contact lists and reporting obligations up to date;

  • Run regular tabletop exercises to test and refine your approach; and

  • Continuously review and enhance readiness material as your organisation evolves.

To find out about NSB Cyber's Incident Tabletop Exercises services, head here.


What we read this week

  • Five Eyes Allies Warn Hackers are Actively Exploiting Cisco SD-WAN Flaws - Five Eyes cybersecurity agencies have issued an urgent warning that advanced threat actors are actively exploiting new vulnerabilities in Cisco Software-Defined Wide Area Network (SD‑WAN) products, with the Cybersecurity and Infrastructure Security Agency (CISA) declaring the activity a significant risk to United States federal networks. The flaws allow attackers to create rogue SD‑WAN components, gain root-level access, and evade monitoring, with evidence suggesting compromises dating back to 2023. The United Kingdom and Australian agencies echoed the alert, urging organisations to investigate exposure and hunt for signs of intrusion.

  • 600+ FortiGate Devices Hacked by AI-Armed Amateur - A financially motivated Russian‑speaking actor used generative artificial intelligence (AI) to compromise more than 600 FortiGate firewalls across 55+ countries, despite having limited technical expertise. Instead of exploiting product vulnerabilities, the campaign relied on AI‑assisted automation to identify exposed management ports and abuse weak, single‑factor credentials at scale. Once inside, the attacker used AI‑generated tooling to parse configurations, access Active Directory, and target backup infrastructure like Veeam. AWS says the incident highlights how GenAI is lowering the barrier for attackers, making basic security controls, secured interfaces, strong credentials, and multi-factor authentication (MFA) more important than ever.

  • Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration - Researchers uncovered several serious flaws in Anthropic’s Claude Code that allow remote code execution and theft of API keys when developers open malicious or untrusted repositories. The vulnerabilities stem from unsafe handling of Hooks, Model Context Protocol (MCP) server configurations, and environment variables, enabling attackers to run arbitrary shell commands or exfiltrate API credentials before any trust prompt appears. Anthropic has patched the issues across recent releases, warning that AI‑driven development environments now expand the supply chain threat surface.

  • SANDWORM_MODE: Shai-Hulud with an AI twist - Researchers uncovered SANDWORM_MODE, a Shai‑Hulud–style node package manager (npm) supply chain attack that spreads through 19 typosquatted packages and steals a wide range of secrets in two stages, including npm/GitHub tokens, crypto keys, and LLM API keys. The worm self‑propagates by abusing stolen credentials to publish malicious packages or inject itself into victims’ GitHub repositories. A unique second stage deploys a malicious MCP server designed to manipulate AI coding assistants into exfiltrating sensitive files and environment variables. Cloudflare, npm, and GitHub have since removed the malicious infrastructure, and developers are urged to rotate credentials and purge infected packages.

