Incident Response · 8 min read

The incident response plan test no one runs

Most incident response plans are binders on a shelf that have never been exercised. Here is a 2-hour test any security team can run this week, and what to do with what it finds.

Your incident response plan is probably wrong. Not because it is badly written. Because it has never been tested, so you have no idea where the friction actually lives.

The friction is always somewhere different than you think. The playbook says call the CISO. The CISO is on a flight. The playbook says escalate to engineering. Engineering is in a different Slack workspace and half the responders do not have access. The playbook says contact legal. Legal is in-house counsel who is on parental leave and the outside counsel relationship has never been activated.

None of these show up in a policy review. They only show up in a real incident, or a realistic tabletop.

Here is the 2-hour test I run with most new retainer clients. Pick a Tuesday afternoon. Pick a scenario: AWS access key compromise, credential stuffing attack, ransomware on a laptop with production access. Walk the team through it hour by hour. Force them to use only the tools they actually have, and only the people they can actually reach.

The results are always worse than people expect. Tooling gaps. Communication gaps. Authority gaps. One company I did this with had a great IR plan that assumed the security team had admin on every cloud account. They did not. The plan was useless.

Write down every friction point. Rank them. Fix the top 3 before the next tabletop. Run the tabletop again in 90 days. Repeat until the tabletop is boring because the plan actually works.
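To make the loop above concrete (walk the injects, record every prerequisite the team cannot meet, rank the gaps, fix the top 3), here is an added example of a minimal tabletop runner. It is not the post's own material or any client's plan; the scenario injects, the roster of tools, reachable people and permissions, and the tooling/communication/authority labels are all constructed here for illustration, modelled on the AWS access key compromise scenario and the gaps the post describes.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Gap(str, Enum):
    # The three kinds of friction the post says a tabletop surfaces.
    TOOLING = "tooling"
    COMMUNICATION = "communication"
    AUTHORITY = "authority"


@dataclass(frozen=True)
class Inject:
    minute: int                          # when in the 2-hour exercise this step is handed over
    description: str
    tools: frozenset = frozenset()       # systems the responders must be able to use
    people: frozenset = frozenset()      # roles that must actually be reachable
    authority: frozenset = frozenset()   # permissions needed to take the action


@dataclass(frozen=True)
class Team:
    tools: frozenset       # what the responders really have, not what the plan assumes
    reachable: frozenset   # who picks up the phone this Tuesday afternoon
    authority: frozenset   # what they are actually allowed to do


@dataclass(frozen=True)
class Friction:
    minute: int
    gap: Gap
    missing: str
    inject: str


def run_tabletop(scenario, team):
    """Walk every inject in time order and record each prerequisite the team cannot meet."""
    found = []
    for inj in sorted(scenario, key=lambda i: i.minute):
        for missing in sorted(inj.tools - team.tools):
            found.append(Friction(inj.minute, Gap.TOOLING, missing, inj.description))
        for missing in sorted(inj.people - team.reachable):
            found.append(Friction(inj.minute, Gap.COMMUNICATION, missing, inj.description))
        for missing in sorted(inj.authority - team.authority):
            found.append(Friction(inj.minute, Gap.AUTHORITY, missing, inj.description))
    return found


def rank_friction(frictions):
    """Rank distinct gaps: the one blocking the most injects first, then the one hit earliest."""
    blocked = Counter((f.gap, f.missing) for f in frictions)
    first_seen = {}
    for f in frictions:
        key = (f.gap, f.missing)
        first_seen[key] = min(first_seen.get(key, f.minute), f.minute)
    ranked = sorted(blocked, key=lambda k: (-blocked[k], first_seen[k], k[1]))
    return [(gap.value, missing, blocked[(gap, missing)], first_seen[(gap, missing)])
            for gap, missing in ranked]


def top_fixes(frictions, n=3):
    """The post's rule: fix the top 3 before the next tabletop."""
    return rank_friction(frictions)[:n]


# Constructed scenario: a production IAM access key compromise, as hour-by-hour injects.
SCENARIO = [
    Inject(0, "Alert: a production IAM access key used from an unfamiliar IP",
           tools=frozenset({"cloudtrail"}), people=frozenset({"security-oncall"})),
    Inject(15, "Identify the key owner and the workloads that depend on it",
           tools=frozenset({"iam-console"}), authority=frozenset({"prod-account-admin"})),
    Inject(30, "Disable the key and issue a replacement",
           authority=frozenset({"prod-account-admin"})),
    Inject(45, "Tell the service's engineering owner what is about to break",
           tools=frozenset({"eng-slack-workspace"}), people=frozenset({"engineering-oncall"})),
    Inject(60, "Decide whether every key in the account gets rotated",
           people=frozenset({"ciso"})),
    Inject(90, "Assess customer or regulator notification obligations",
           people=frozenset({"legal"})),
    Inject(105, "Write the initial incident summary",
           tools=frozenset({"ticketing"})),
]

# Constructed roster reflecting the gaps the post describes: no prod admin,
# no access to the engineering Slack, CISO on a flight, counsel on leave.
TEAM = Team(
    tools=frozenset({"cloudtrail", "iam-console", "ticketing"}),
    reachable=frozenset({"security-oncall", "engineering-oncall"}),
    authority=frozenset({"dev-account-admin"}),
)

if __name__ == "__main__":
    for gap, missing, count, minute in rank_friction(run_tabletop(SCENARIO, TEAM)):
        print(f"{gap:<14} {missing:<22} blocks {count} inject(s), first at minute {minute}")
```

Run against the constructed roster, the ranking puts the missing production admin permission first because it blocks two injects starting at minute 15, then the engineering Slack workspace, then the unreachable CISO; legal falls outside the top 3 and becomes the first item for the 90-day rerun. The point of encoding the exercise this way is that the roster has to be filled in with what people can actually log into and actually reach today, which is exactly the check a policy review never performs.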
