NIST 800-61 · MITRE ATT&CK · CISA Aligned

Cyber Resilience
Exercise & Advisory

We don't run exercises — we build cyber resilience programs. Every engagement pressure-tests your organization's ability to detect, decide, escalate, and coordinate under realistic threat conditions.

Delivering measurable capability improvement aligned to NIST, MITRE ATT&CK, and CISA frameworks — not just a compliance checkbox.

8

Capability dimensions scored per exercise

NIST 800-61 aligned

5

Core deliverables auto-generated from one exercise

IR playbook · triage · comms · RCA · gap remediation

~72h

Typical exercise-to-shipped AAR cycle

most engagements, every tier

100%

Rule-based engine — works without LLM access

no Anthropic key required to run

Foundation

Cyber Readiness Assessment

$7,500
per engagement

Threat-informed tabletop exercise with structured capability assessment. Your organization learns exactly how it responds to a real incident — where decisions stall, coordination breaks, and gaps create operational risk.

Strategic Deliverables
  • Threat scenario exercise design (sector-specific, MITRE ATT&CK-mapped)
  • Facilitated incident response tabletop (half-day)
  • Operational Response Capability Assessment (NIST 800-61 aligned)
  • Coordination gap analysis with escalation mapping
  • Interactive After-Action Review
  • Incident decision playbook template
  • Facilitator & participant guides
  • Written summary report with prioritized findings
NIST 800-61MITRE ATT&CKNIST SP 800-84

Outcome

Your organization understands how it actually responds to a cyber incident — and has documented evidence for your board, insurer, and regulators.

Ideal For

Organizations conducting their first structured exercise, annual compliance requirements, or teams building a repeatable exercise program.

For the CISO

A defensible, evidence-based view of your incident response posture — something you can take to the board, your insurer, and your regulators.

Schedule Scoping Call
Most Popular
Operational

Operational Cyber Resilience Program

$15,000
per engagement

Full capability-building engagement that moves your organization from ad-hoc response to documented, tested operational readiness — with maturity scoring, executive accountability, and a remediation roadmap.

Strategic Deliverables
  • Everything in Cyber Readiness Assessment
  • Custom adversary scenario development (active threat landscape)
  • Threat actor scenario mapping (tested vs. untested TTPs)
  • Incident escalation decision tree (technical → executive)
  • Executive Response Scorecard (decision speed, quality, coordination)
  • Response Maturity Assessment (5-level model, NIST CSF aligned)
  • Crisis communication templates (ransomware, breach, disruption)
  • Response playbook recommendations with implementation priorities
  • Threat actor landscape briefing as part of the engagement
  • Priority advisory support (48h response)
NIST 800-61NIST SP 800-84NIST CSFMITRE ATT&CKCISA IR

Outcome

Your organization moves from ad-hoc incident response to documented, tested operational readiness — with measurable maturity and decision frameworks that work under pressure.

Ideal For

Mid-market and regulated organizations, infrastructure operators, and teams with board-level cyber risk accountability.

For the CISO

Tested escalation paths, scored executive readiness, and a maturity baseline you can improve against quarter over quarter. This turns a one-time exercise into a measurable capability program.

Schedule Scoping Call
Enterprise

Enterprise Cyber Crisis Simulation

$35,000
per engagement

Executive-level crisis simulation testing strategic decision-making, cross-department coordination, and board governance under realistic threat conditions. The engagement your board, regulators, and insurers need to see.

Strategic Deliverables
  • Everything in Operational Cyber Resilience Program
  • Full-day on-site crisis simulation (multi-phase, escalating injects)
  • Executive crisis leadership simulation (C-suite / board track)
  • Cross-department coordination testing (IT, legal, comms, ops, executive)
  • Ransomware business impact scenario (operational + financial + regulatory)
  • Board-level response briefing (presentation-ready)
  • Executive After-Action Report (timeline, decisions, framework scoring)
  • 60-day remediation roadmap with milestones and resource requirements
  • Regulatory framework alignment documentation
  • 30-day post-exercise advisory support
NIST 800-61NIST SP 800-84NIST CSFMITRE ATT&CKCISA IRNIST 800-53

Outcome

Your organization gains executive-level cyber crisis readiness — tested leadership, validated coordination, and a funded remediation plan that satisfies governance, regulatory, and insurance requirements.

Ideal For

Enterprises, critical infrastructure operators, regulated industries, and organizations with board-level cyber risk governance obligations.

For the CISO

This is the engagement you bring to the board. It demonstrates that leadership has been tested, gaps are documented, and a funded remediation plan exists. The difference between "we have a plan" and "we've proven our plan works."

Schedule Scoping Call
Annual Programs

Year-round readiness

Per-engagement work above. Annual programs give your team scheduled exercise cadence, continuous readiness scoring, and an advisor who knows your environment.

Foundation

Readiness Baseline

$48,000/ year
$4,000/mo equivalent · 4 exercises/yr

Quarterly exercises that build muscle memory. Your team practices four times a year, tracks readiness scores, and closes gaps between exercises.

See full details on /pricing
Most Popular

Cyber Resilience Program

$96,000/ year
$8,000/mo equivalent · 8 exercises/yr

The program that justifies your security budget. 8 exercises, executive scorecards, compliance evidence, and an advisor who knows your environment.

See full details on /pricing
Maximum Readiness

Strategic Command

$156,000/ year
$13,000/mo equivalent · 12 exercises/yr

Monthly exercises, a dedicated facilitator, and board-ready briefings. Your executive team practices crisis leadership until it becomes instinct.

See full details on /pricing

All annual program details, deliverables, and Stripe checkout live on the pricing page.

Not another tabletop vendor

What consulting firms sell vs. what After Action delivers.

Typical Vendor

After Action

A tabletop exercise

A cyber resilience exercise program

A checklist of findings

An operational capability assessment

A generic report

An executive-ready board briefing with maturity scoring

One engagement

Quarterly exercises, retainer advisory, and maturity tracking

Framework buzzwords

Mapped, scored alignment to NIST 800-61, CSF, and MITRE ATT&CK

Project-based billing

A resilience program with predictable advisory partnership

How an engagement works

From scoping call to remediation roadmap in 3–5 weeks.

01

Scope & Threat Alignment

We identify your sector threats, regulatory obligations, team structure, and exercise objectives. No generic questionnaires.

02

Scenario Design

Custom scenario development mapped to MITRE ATT&CK techniques and your operational environment — ransomware, supply chain, insider, or cloud compromise.

03

Exercise Execution

Facilitated tabletop or crisis simulation with structured decision injection, real-time gap capture, and escalation pressure testing.

04

After-Action Analysis

Findings scored against a response maturity model and mapped to NIST, CISA, and sector-specific regulatory frameworks.

05

Remediation Roadmap

Prioritized capability investments with clear implementation milestones, resource requirements, and recommended next engagements.

Advisory Add-Ons

Extend any engagement with targeted capability-building services.

Custom Ransomware Response Simulation

$8,000

Multi-phase ransomware scenario with business impact modeling, payment decision simulation, and recovery coordination.

Incident Response Playbook Development

$12,000

Complete IR playbook suite covering detection, containment, eradication, and recovery for your top threat scenarios.

Critical Infrastructure Threat Modeling

$10,000

Sector-specific threat model mapping OT/IT convergence risks, supply chain dependencies, and adversary targeting patterns.

Executive Crisis Leadership Training

$15,000

Half-day intensive for C-suite on cyber crisis decision-making, media response, and regulatory communication under pressure.

Red Team Scenario Development

$20,000

Adversary emulation scenario library (3–5 scenarios) based on active threat actors targeting your sector.

Crisis Communications Strategy

$8,000

Complete communications playbook for cyber incidents — internal, external, media, regulatory, and customer notification.

Response Maturity Re-Assessment

$5,000

Follow-up assessment measuring capability improvement against your initial baseline. Recommended at 6 months.

Add-ons can be bundled with any tier engagement or retainer. Custom scoping available.

Critical Infrastructure

Purpose-built for operational resilience

Designed for organizations where cyber incidents create real-world operational consequences — not just data loss, but service disruption, safety risk, and community impact.

Threat-Informed

Scenarios built from actual adversary TTPs targeting your sector

Operational Focus

We test real decisions: isolate the network? Notify the regulator? Talk to the media?

Framework Aligned

Every engagement maps to NIST, CISA, and sector-specific regulatory requirements

Program Continuity

Retainer partnerships and quarterly exercises ensure readiness grows over time

Executive Accountability

Scorecards and board briefings create documented evidence of leadership preparedness

How organizations engage with us

The recommended path: start with an assessment, then build a program.

01
Land

Cyber Readiness Assessment

$7.5K

First exercise. Document gaps. Build the case.

02
Expand

Operational Resilience

$15K

Maturity scoring. Playbook recommendations. Executive accountability.

03
Elevate

Enterprise Simulation

$35K

Board-level simulation. Cross-department. Remediation roadmap.

04
Retain

Advisory Retainer

$4–13K/mo

Quarterly exercises. Continuous advisory. Maturity tracking.

Common questions

What CISOs and IR leads ask before their first engagement.

How long does an engagement take from kickoff to final deliverables?

Most engagements complete in 3–5 weeks. Week 1 is scoping and scenario design. Weeks 2–3 are exercise preparation and facilitation. Weeks 3–5 are analysis, reporting, and the After-Action Review. Larger enterprise simulations may extend to 6–8 weeks depending on cross-department coordination requirements.

We've never done a tabletop exercise before. Where should we start?

The Cyber Readiness Assessment ($7,500) is specifically designed as a first engagement. It gives you a structured, facilitated exercise with a full capability assessment — not a pass/fail test. The exercise is designed to reveal exactly what to build next — expect it to scope your next six months of readiness work.

Do you work with our existing incident response plan, or replace it?

We work with what you have. The exercise tests your current plans, procedures, and team coordination under realistic conditions. Our deliverables identify specific gaps and provide actionable recommendations — not a wholesale replacement. If you don't have a formal IR plan, the exercise itself becomes the foundation for building one.

What makes this different from compliance-driven exercises our auditors run?

Compliance exercises check a box. Our exercises build capability. We use active threat intelligence and MITRE ATT&CK-mapped scenarios from real adversaries targeting your sector. Every finding is scored against a maturity model with a remediation roadmap — so your board sees measurable improvement, not just "exercise completed."

Can we start with one department or does it need to be organization-wide?

Absolutely start with one team. The recommended pattern is to begin with your IT/security team for the first exercise, then expand to legal, communications, and executive leadership in subsequent engagements — prove value first, then scale.

How do you handle sensitive findings and exercise data?

All engagement materials, findings, and exercise data are confidential. We sign NDAs before scoping begins. Deliverables are shared only with designated stakeholders. We never reference client names, findings, or scenarios in marketing materials without explicit written consent.

What's the difference between a one-time engagement and a retainer?

A single engagement gives you a snapshot — here's where you stand today. A retainer gives you a program — quarterly exercises, continuous advisory, maturity tracking, and a dedicated partner who knows your environment. The retainer is how you show your board and insurers that readiness is improving over time, not just assessed once.

Do you support regulatory and insurance requirements?

Yes. Every engagement produces documentation aligned to NIST 800-61, NIST CSF, CISA, and sector-specific frameworks (NERC CIP, HIPAA, TSA directives). Our After-Action Reports and maturity assessments are specifically designed to satisfy board governance requirements, regulatory examinations, and cyber insurance renewal evidence.

Free Resource

The CISO's 30/60/90 Day Post-Exercise Roadmap

The framework we use with clients to turn exercise findings into measurable capability improvements. Includes prioritization matrix, board reporting templates, and milestone tracking.

  • 30-day quick wins with immediate risk reduction
  • 60-day capability building milestones
  • 90-day maturity scoring and board reporting
  • Budget justification templates for remediation spend

Get the roadmap template

Delivered instantly to your inbox. No sales pitch.

No spam. Unsubscribe anytime.

Ready to pressure-test your response capability?

A 30-minute scoping call is all it takes to design an engagement that builds real operational readiness.

Every After-Action Report is your roadmap for the next engagement. Each gap we identify becomes a capability you can build — with us or independently. We're building your program, not your dependency.