
Playbook Simulations




Simulations Test Security Plans and Ensure Readiness for Live Incidents


 

Brian Boyd

Head of Technical Delivery at i-confidential



 

The Problem


One of our large financial services clients, with an already mature approach to security, wanted to further optimise its performance.


The organisation had insourced a security function, and although it was well run, the Security Operations team asked us to help test and critique the security playbooks the function was using to respond to incidents.


The team wanted to confirm whether the playbooks themselves were up to date and accurately reflected how a security alert should be triaged and responded to. There was also a requirement to follow this with simulation testing to assess the playbooks’ effectiveness.



Our Approach


Our strong relationship with the client led to it approaching us to conduct this activity, and our mutual understanding ensured getting started was straightforward. We decided at the outset to bring in one of our technical partners, who specialises in incident response, to work with us. Our combined expertise positioned us to deliver exactly what the client was looking for out of this exercise.


Working with the client, we identified the specific playbooks to focus on. To test them, we created scenarios that incorporated the latest Tactics, Techniques and Procedures (TTPs) of potential threat actors. Understanding these TTPs enables organisations to discover, assess, and respond proactively to security threats. Dummy data was produced to make the simulation as realistic as possible.


The simulations took place on site with all of the required staff present to work through them and test the playbooks. Lasting two to three hours, the group talked through their actions in detail and even created dummy incidents in their system to capture all the activity.



The Outcome


In conjunction with our partner, we produced several cyber threat simulations and ran through them to test the effectiveness of the client’s security playbooks. Working through the simulations was a practical method for reviewing specific steps. This approach also gave the staff members involved some valuable experience of using them under full incident conditions.


In addition, testing the playbooks allowed us to provide additional security education. This meant the team was being upskilled while working through some popular tactics that threat actors use today. It also provided the staff with an opportunity for team building – working together under pressure and demonstrating they could perform successfully.


The overall success of these playbook simulations has led to more of them being carried out over time. We continue to perform this activity for the client and are expanding our coverage to other incident response areas.



“This approach also gave the staff members involved some valuable experience of using (the playbooks) under full incident conditions.”