TOP Mission TID-B01: Incident Response Readiness
Ensuring incident response capabilities are tested, documented, and ready for activation when security events occur.
Incident Response Readiness is the organizational capability to detect, contain, analyze, and recover from security events in a structured, repeatable way. Mission TID-B01 exists because incident response is not a tool you purchase or a policy you file. It is a perishable skill set that degrades without deliberate maintenance. The problem this mission solves is straightforward: organizations that do not actively test and maintain their response capabilities discover their gaps during an actual breach, when the cost of failure is measured in downtime, regulatory penalties, and reputational damage. TID-B01 provides the structure, cadence, and accountability needed to ensure that when a security event occurs, the response is coordinated and effective rather than improvised and chaotic.
---
Incident Response Readiness refers to the verified, documented state of an organization's ability to execute its incident response plan (IRP) across people, processes, and technology. It encompasses the preparation phase of the incident response lifecycle as defined by NIST SP 800-61r2, but extends beyond documentation to include active validation through exercises, simulations, and tabletop scenarios.
This concept is distinct from incident response planning, which is the activity of writing the plan. Readiness is the confirmed state that the plan works. A plan that has never been tested is not readiness; it is aspiration. Readiness is also distinct from detection capability. An organization can have excellent logging and alerting infrastructure while still failing to respond effectively if the people responsible for response do not know their roles, cannot access the tools they need, or have never practiced the escalation process.
Readiness does not mean perfection. It means the organization has identified its current capabilities, measured them against a defined standard, and has active improvement efforts underway for identified gaps.
Variants and subtypes within this scope include: technical readiness (tooling, playbooks, access permissions), personnel readiness (trained responders, defined roles, backup coverage), process readiness (documented procedures, escalation paths, communication templates), and regulatory readiness (evidence packages, chain-of-custody procedures, breach notification timelines). TID-B01 addresses all four dimensions.
What TID-B01 is not: it is not a one-time audit activity, it is not synonymous with business continuity planning (though the two intersect), and it is not the same as threat hunting or proactive detection work. Those functions feed into readiness but are addressed in separate missions within the Theater of Operations Playbook.
---
TID-B01 executes across five structured phases. Each phase produces a tangible output that feeds the next.
Phase 1: Inventory and Documentation Review
The mission begins with a complete inventory of existing incident response documentation. This includes the master incident response plan, subsidiary playbooks for specific event types (ransomware, credential compromise, data exfiltration, insider threat), escalation trees, contact lists, and any regulatory-specific procedures such as HIPAA breach notification workflows or PCI DSS incident response requirements.
Each document is reviewed against three criteria: currency (updated within the past 12 months or after any significant infrastructure change), completeness (covers all phases of the response lifecycle), and accessibility (stored in a location responders can reach during an active incident, including scenarios where primary systems are unavailable). A common failure mode discovered in this phase is that the incident response plan lives inside the SIEM or ticketing system, making it inaccessible during a ransomware event that encrypts those systems. TID-B01 mandates offline or out-of-band storage for all critical response documentation.
Phase 2: Roles and Responsibilities Validation
The mission assigns and validates every role in the incident response process. This is not simply confirming that an org chart exists. It means confirming that every named individual knows they are assigned, understands their specific responsibilities, has the access permissions required to perform those responsibilities, and has a designated backup who meets the same criteria.
A practical example: during a Phase 2 validation exercise at a mid-size financial services firm, the security team discovered that the primary incident commander had left the company four months earlier. The IRP still listed that individual's contact information. The backup responder had never been formally notified of their role. This is a readiness failure that tabletop exercises routinely surface and that purely documentation-based audits miss entirely.
Phase 3: Technical Validation
Technical validation confirms that the tooling required to execute response is operational and accessible. This includes: EDR consoles and agent coverage across endpoints, network packet capture capability, log aggregation with verified retention periods, out-of-band communication channels (response teams need to communicate if email or Slack is compromised), forensic image acquisition tools, and isolation or quarantine capabilities at the endpoint and network segment level.
TID-B01 requires documented evidence of each tool's operational status. Screenshots, automated health check reports, and configuration exports all serve as acceptable evidence artifacts. The mission also validates that response personnel have tested access to these tools from locations they would realistically use during an incident, including remote access scenarios.
Phase 4: Tabletop or Simulation Exercise
The centerpiece of TID-B01 execution is a structured exercise. For most organizations, this begins with a tabletop scenario: a facilitated discussion in which participants walk through a realistic incident scenario step by step, making decisions and identifying gaps without touching production systems. More mature organizations supplement tabletops with functional exercises that involve actually executing response procedures in a controlled environment.
A concrete scenario example: the facilitator presents a scenario in which an employee receives a phishing email, clicks a link, and a C2 beacon is established on their workstation. The exercise walks participants through: initial detection (who gets the alert, when, and through what channel), triage and scoping (how does the team determine what else may be affected), containment decisions (isolate the workstation immediately or monitor to understand the full scope), forensic preservation (what evidence is collected and how is custody documented), executive communication (when does the CISO get notified, what information is included), and external notification (does this trigger any regulatory reporting obligations).
Each decision point surfaces assumptions, gaps, and disagreements that would otherwise emerge during an actual incident under far less forgiving conditions.
Phase 5: Gap Analysis and Remediation Tracking
Every exercise produces a gap register. Each identified gap is assigned an owner, a severity rating, and a target remediation date. TID-B01 does not close until remediation plans exist for every high and critical severity gap. Medium and low gaps are documented and tracked in the organization's security program backlog. The gap register becomes the input for the next execution cycle of TID-B01, creating a continuous improvement loop rather than a point-in-time compliance exercise.
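The review criteria from Phases 1, 2 and 5 can be encoded as automated checks that run against the readiness inventory, so that stale documents, unfilled roles and unplanned high-severity gaps are surfaced before the exercise rather than during it. The following is an added example in Python, not CDA's own tooling; the document, responder, role and gap structures, the 365-day currency window and all sample data are assumptions constructed for illustration.

```python
"""Readiness checks for one TID-B01 cycle.

Added example, not CDA's own tooling. Encodes the page's Phase 1, 2 and 5
criteria as data checks; every sample value below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CURRENCY_WINDOW = timedelta(days=365)       # "updated within the past 12 months"
BLOCKING_SEVERITIES = {"critical", "high"}  # mission cannot close with these unplanned


@dataclass
class Document:
    name: str
    last_updated: date
    covers_all_phases: bool   # completeness criterion
    out_of_band_copy: bool    # accessibility: readable when SIEM/ticketing is encrypted


@dataclass
class Responder:
    name: str
    active_employee: bool
    acknowledged_role: bool
    has_required_access: bool

    def is_ready(self) -> bool:
        return self.active_employee and self.acknowledged_role and self.has_required_access


@dataclass
class Role:
    title: str
    primary: Responder
    backup: Optional[Responder]


@dataclass
class Gap:
    gap_id: str
    severity: str             # critical / high / medium / low
    owner: Optional[str] = None
    target_date: Optional[date] = None

    def has_remediation_plan(self) -> bool:
        return self.owner is not None and self.target_date is not None


def document_findings(docs, as_of, last_infra_change):
    """Phase 1: currency, completeness, accessibility. Returns (name, reason) pairs.
    Currency is read here as: not older than 12 months AND refreshed after the
    most recent significant infrastructure change (assumed interpretation)."""
    findings = []
    for d in docs:
        if as_of - d.last_updated > CURRENCY_WINDOW or d.last_updated < last_infra_change:
            findings.append((d.name, "stale"))
        if not d.covers_all_phases:
            findings.append((d.name, "incomplete"))
        if not d.out_of_band_copy:
            findings.append((d.name, "no out-of-band copy"))
    return findings


def role_findings(roles):
    """Phase 2: each role needs a ready primary and a ready, separately assigned backup."""
    findings = []
    for r in roles:
        if not r.primary.is_ready():
            findings.append((r.title, f"primary {r.primary.name} not ready"))
        if r.backup is None:
            findings.append((r.title, "no backup assigned"))
        elif not r.backup.is_ready():
            findings.append((r.title, f"backup {r.backup.name} not ready"))
    return findings


def blocking_gaps(gaps):
    """Phase 5: critical/high gaps without an owner and target date block closure."""
    return [g.gap_id for g in gaps
            if g.severity in BLOCKING_SEVERITIES and not g.has_remediation_plan()]


def can_close_mission(gaps) -> bool:
    return not blocking_gaps(gaps)


# Constructed sample data; the Incident Commander entry mirrors the Phase 2 anecdote.
AS_OF = date(2024, 6, 1)
LAST_INFRA_CHANGE = date(2024, 3, 15)    # e.g. an identity provider migration

DOCS = [
    Document("Master IRP", date(2023, 2, 1), True, False),   # stale, lives only in ticketing
    Document("Ransomware playbook", date(2024, 4, 2), True, True),
    Document("Credential compromise playbook", date(2024, 4, 2), False, True),
]
ROLES = [
    Role("Incident Commander",
         Responder("A. Former", active_employee=False, acknowledged_role=True, has_required_access=False),
         Responder("B. Backup", active_employee=True, acknowledged_role=False, has_required_access=True)),
    Role("Forensics Lead", Responder("C. Lead", True, True, True), None),
]
GAPS = [
    Gap("G-1", "critical", owner="CISO", target_date=date(2024, 7, 15)),
    Gap("G-2", "high"),    # no plan yet: blocks mission closure
    Gap("G-3", "low"),     # tracked in the backlog, not blocking
]

if __name__ == "__main__":
    for f in document_findings(DOCS, AS_OF, LAST_INFRA_CHANGE) + role_findings(ROLES):
        print("finding:", *f)
    print("blocking gaps:", blocking_gaps(GAPS), "| can close:", can_close_mission(GAPS))
```

Run as a script it lists each finding and reports that G-2 blocks closure; the same functions can be pointed at a real inventory exported from the documentation store and HR/IAM systems. The currency rule deliberately treats a document as stale when the last infrastructure change postdates its last revision, which is the case the page's Phase 1 criterion singles out.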
---
The business case for incident response readiness is not theoretical. IBM's Cost of a Data Breach Report consistently shows that organizations with a tested incident response plan and a dedicated IR team contain breaches significantly faster and at lower cost than those without. The 2023 edition reported a mean cost difference of over $1.5 million between organizations with high IR readiness and those with low readiness. That figure includes direct costs such as forensic investigation, legal fees, and customer notification, as well as indirect costs like regulatory fines and customer attrition.
The consequences of poor readiness are visible in documented incidents. The 2020 SolarWinds supply chain compromise demonstrated that many organizations with nominal incident response plans had no effective procedure for responding to a threat that had established persistent access across identity infrastructure. Response teams were forced to make real-time decisions about procedures that did not exist, in some cases making containment errors that extended the attacker's dwell time.
A persistent misconception is that incident response readiness is primarily a large-enterprise concern. In practice, smaller organizations face disproportionate impact from response failures because they have fewer resources to absorb the cost of extended downtime and are less likely to have cyber insurance coverage that offsets recovery expenses. TID-B01 is designed to scale: the mission framework adjusts scope and exercise complexity to match the organization's size and risk profile.
A second misconception is that purchasing an incident response retainer from a managed security service provider eliminates the need for internal readiness. Retainer relationships require the client organization to perform effective initial triage, preserve evidence correctly, and make timely containment decisions. If internal staff cannot execute those steps, the retainer engagement starts from a degraded position, often extending the timeline and increasing costs.
---
CDA addresses TID-B01 through the Threat Intelligence Domain (TID) of the Planetary Defense Model (PDM), applying the Predictive Defense Intelligence (PDI) methodology: "See the threat before it sees you."
The PDI approach reframes incident response readiness from a reactive posture into a forward-looking capability. Rather than preparing generically for any possible incident, CDA grounds readiness preparation in current threat intelligence. Before designing tabletop scenarios, CDA analysts review threat actor profiles relevant to the client's industry, recent tactics, techniques, and procedures (TTPs) documented in MITRE ATT&CK, and active campaigns identified through open-source and commercial intelligence feeds. The result is that TID-B01 exercises test response to threats the organization is actually likely to face, not theoretical scenarios that bear no relationship to the real threat environment.
In practice, this means a healthcare organization running TID-B01 under CDA guidance will exercise ransomware scenarios that reflect the specific initial access brokers and affiliate groups actively targeting healthcare in the current quarter. A financial services client will exercise scenarios built around credential stuffing and account takeover patterns consistent with active threat actor behavior documented in recent intelligence reporting.
CDA also applies PDI to readiness gap prioritization. When the Phase 5 gap register is produced, CDA analysts cross-reference identified gaps against the threat actor profiles most relevant to the client. A gap in network segmentation capability is prioritized differently for a client whose industry is actively targeted by threat actors known to move laterally through flat networks than for a client whose primary threat profile is opportunistic ransomware delivered via phishing. This intelligence-driven prioritization ensures that remediation resources address the gaps that matter most given the actual threat environment, not simply the gaps that score highest on a generic risk matrix.
CDA's execution of TID-B01 produces three standing deliverables: a readiness assessment report documenting current state against defined criteria, an exercise after-action report with the gap register, and an intelligence-anchored remediation roadmap that sequences gap closure against threat relevance.
---
Written by CDA Wiki Team