Every organization believes it has an incident-response plan. Most have a document. The difference shows up in the first thirty minutes of a real event, and it is almost never technical: it is the time it takes for someone with authority to say yes. Yes, shut the line down. Yes, spend the money. Yes, call the regulator. We run exercises for a living, and the finding is never the plan. It is who was allowed to decide.
The finding is never the plan. It is who was allowed to say yes, and how long that took.
Design it to converge
The exercises that change organizations put the physical and digital event in the same afternoon, because that is how it arrives in the real world: a chiller alarm that turns out to be an access event, a ransomware note that lands while the loading dock is receiving eight figures of hardware. Single-domain tabletops rehearse coordination that already works. Convergence scenarios expose the seam where two teams each assume the other has it.
Score it like an engineer
- Measure decision latency: the clock time from inject to authorized action, per decision. One number, trended across exercises.
- Rehearse the regulatory clock: if you are in NIS2 scope, run the twenty-four-hour early warning end to end, including who drafts it at two in the morning.
- Name the spend authority: who can commit money at 03:00 on a Sunday, to what limit, reachable how.
- Keep it no-fault and repeat it: the score belongs to the process, never to a person, and the second run is where the improvement shows.
Two hours, a conference room, and a facilitator who has seen real incidents. Against the cost of learning the same lessons live, it is the best-priced control in the building.
We facilitate exercises where decisions get measurably faster. The first score is a baseline, never a judgment.