Use Case — Incident Response
When a cyberattack hits, every hour counts — and so does every decision made before it
Incident response isn't just about what you do when something goes wrong. It's about whether your organisation is ready to respond — clearly, quickly, and without making things worse. At Cybervalue, we work with organisations both before and during incidents. Because the two are inseparable.
Tabletop exercises
Preparation that makes a real difference
Guided tabletop exercises
We walk your team through a realistic incident scenario — asking targeted questions about how they'd respond, who they'd notify, what decisions they'd make, and when. The scenario is always tailored to your organisation and the specific risks you face.
Unguided tabletop exercises
We observe. Your team responds to a live incident scenario without prompting from us. Afterwards, we report on what worked, what didn't, and where the gaps are — based on what we actually saw, not what people thought they'd do.
Team-level mini tabletops
Before running a full executive exercise, we work with individual teams — networking, HR, PR, legal — to explore what an incident would mean for their specific part of the organisation.
We share our firsthand experience handling real incidents — ransomware attacks, business email compromise, and more. And we inject scenario twists mid-exercise: the organisation that says it won't pay a ransom often changes its mind when sensitive data is threatened.
Incident response planning
Building your incident response plan
Following the tabletop, we help you translate insights into a structured incident response plan — roles, responsibilities, escalation paths, communication protocols, and the crisis team composition.
Backup communication and offline readiness
In a ransomware attack, your incident response plan may be the first thing you lose access to. We help you make sure critical documents, backup procedures, and communication channels are stored and accessible outside your primary environment.
When an incident is live
Where the real complexity lies
We've been part of several high-profile incidents — ransomware attempts, activations, and their aftermath. We don't replace forensic IR teams. What we do is guide organisations through the decisions that matter most when everything is moving fast.
What do you say — and to whom?
Messaging during a live incident is one of the hardest things to get right. What do you tell customers? Which customers — current ones, former ones whose data may be involved?
Communicating with authorities
Notifying regulators and law enforcement while managing internal chaos requires clarity of process and message. We help you navigate this without making things worse.
Containing the damage
We conduct our own investigations to understand the scope and prevent further spread — working alongside technical teams, not instead of them.
What not to do
In high-pressure situations, well-intentioned decisions can worsen an incident. We've seen it. We help leadership avoid the most damaging mistakes in real time.
The organisations that navigate incidents best are the ones who practised. The ones who struggle most are those facing decisions for the first time — under pressure, without a plan, with key information locked inside an encrypted system.
Our experience includes
Don't wait for an incident to find out if your organisation is ready.
Let's run a tabletop and find out together.