Ransomware hits on a Friday afternoon. You have 72 hours to report. What do you do?
Most businesses don't have an answer. The Incident Response Planning sprint gives you a tested plan – not just a document – in four weeks. Tested means a tabletop exercise is included: the plan is run with your key staff before it's delivered.
"Ransomware hit a business in our industry last week. We realised we have no idea what we would do if it happened to us."
Industry incidents are the most common trigger. The question is whether you want to work out what to do before or during the event.
"Our insurer asked whether we have a documented incident response plan as part of a cyber insurance application. We don't have one."
Cyber insurers are moving toward requiring documented IR plans, not just assuming they exist. A completed plan is the evidence they're asking for.
"A client's security questionnaire asked about our incident response capability. We said yes. We need to make that accurate."
Most businesses that claim to have an IR plan don't have one that would actually work under pressure. The tabletop exercise is how you find out.
"We had a phishing email land in a staff member's inbox and they forwarded it to finance. We had no process for what to do next."
Near-misses are the second most common trigger. The next incident may not be a near-miss.
Why "tested" matters. Any consultant can write an IR plan. CyberCraft runs a tabletop exercise with your key staff before delivering the plan. The tabletop finds the gaps – the contact who's on leave, the system that's not in scope, the step that assumes a tool you don't have. These are fixed before the plan is delivered, not discovered during an actual incident.
Incident Response Plan
Full documented IR procedures: detection, containment, eradication, recovery, and post-incident review. Calibrated to your most likely incident type and environment.
72-hour reporting workflow
Step-by-step process mapped to the Privacy Act eligible data breach notification requirements – including internal escalation steps, OAIC notification template, and client notification guidance.
IR quick-reference card
One-page laminated card: the first 24 hours, condensed. Designed to be reached for at 2am on a Saturday – not the 40-page plan. Mounted on the server room door or in the CEO's desk drawer.
Tabletop exercise (included)
One-hour facilitated walkthrough with your key staff against a realistic scenario for your industry and environment. The plan is tested before it's final – not after it's needed.
Stakeholder contact list
Pre-populated with internal contacts, CyberCraft (as external response resource), your legal advisor, insurer, and OAIC. No searching during an incident.
Intake interview – one hour
Current environment, key stakeholders, most likely threat scenarios, and any existing documentation reviewed.
Plan drafting – no client time required
CyberCraft drafts the IR plan and 72-hour workflow. Draft delivered for your review before the tabletop.
Tabletop exercise – one hour
Facilitated scenario walkthrough with key staff. We run a realistic incident. Gaps are found and noted. This is where the plan gets tested.
Amendments and final delivery
Tabletop findings applied. Quick-reference card produced. All documents delivered in editable and PDF formats. One hour review call included.
Incident Response Planning – Pricing Configurator
Fixed fee. The tabletop is included – it is not an optional extra.