CSIRT Exercise
Stress-test your CSIRT with scenario-driven exercises built from real attack data. Expose gaps in your playbooks, tooling, and coordination, before an incident does.
What is a CSIRT Exercise?
Test your response. Before an attacker does.
A CSIRT exercise is a structured simulation that puts your Computer Security Incident Response Team through a realistic attack scenario. Participants detect, triage, contain, and escalate, just as they would in a real incident, but in a safe, facilitated environment.
Your CSIRT’s first real incident should not be the first time they’ve worked through a scenario like this.
What it reveals
Procedural gaps
Missing steps in your playbooks under real pressure
Tooling blind spots
Detection and logging gaps you didn't know existed
Coordination failures
Escalation and communication breakdowns between teams
The Master Event List (MEL)
We build a tailored scenario for your organisation, from real offensive engagements and incident response experience. The MEL reflects how attackers actually behave: their timing, pivots, social engineering, and persistence.
1. Discovery Meeting
We start with a structured conversation about your environment, your critical assets, and your "doomsday scenarios", being the incidents that would genuinely hurt your organisation. We also discuss your team's current capabilities, tooling, and any previous exercises or incidents.
2. Documentation review
We review your existing incident response playbooks, escalation procedures, and governance documentation. This tells us where your team thinks they're covered, and where the real gaps are likely to be. The review is confidential and informs the scenario design.
3. MEL tailoring & validation
We build the Master Event List: a structured sequence of injects that simulates a realistic attacker campaign targeting your environment. Each inject is grounded in current threat actor behaviour (TTPs from MITRE ATT&CK) and calibrated to your team's maturity level. The MEL is shared with you for validation before the exercise date.
4. Facilitated exercise & debrief
Our facilitators run the exercise in real time, delivering injects, observing behaviour, and capturing findings as they happen. Directly after, we run a hot debrief and follow up with a written report: every gap ranked by risk, with specific recommendations.
What you'll get
- Validated playbooks under realistic conditions
- Insight into gaps and strenghts
- Prioritized actionable recommendations
Ready to stress-test your CSIRT?
We’ll tailor a scenario to your organisation and facilitate from start to debrief.
Give your security a boost
Schedule a call with our digital security experts. We check your security so you can protect your company.
Because you deserve to feel confident and safe in a digital world.