Breach readiness & cyber strategy
When it happens, you already know what you’ll do.
Readiness means the board has decided the hard things in daylight: who leads, what gets shut down, whether you’d pay, who calls the regulator. We design plans, playbooks and exercises from what we watch fail in real incidents, tested against the attackers who actually target your sector. When the day comes, your organisation executes instead of improvising, and afterwards, scrutiny finds an organisation that was demonstrably prepared.
Readiness designed by responders.
Most readiness documents are written by consultants who have never used one at 2am. Ours are written by the people who get called when plans fail, and we keep meeting the same failures: the plan that names a provider two years off-contract, the call tree nobody tested on a weekend, the board that was never asked to rehearse a decision. Our work exists to remove exactly those causes. That is the difference between a document and a capability.
What we build and test
- Crisis management and IR plans
- IR playbooks for your likely scenarios
- Executive decision exercises and tabletop exercises → how ours differ
- Live fire exercises and adversary emulation
- Breach readiness maturity assessment
- Threat landscape assessment
- Business continuity and DR alignment
- Industrial breach readiness
Tabletop exercises that answer back.
Most consultancies walk participants through a fixed, printed scenario, slide by slide. Ours don’t have a script to read. The scenario evolves in real time from the decisions your people make: right calls stabilise the situation, wrong ones escalate it, exactly as a real crisis would. The chaos, the ambiguity and the pressure are the point, and no two of our exercises have ended the same way.
Crisis Management Exercise
For boards and executive teams. Disclosure, notification, communications, legal exposure, customers and continuity: the decisions leadership owns when it’s real. The seat we occupy in a live incident →
Incident Response Exercise
For technical and IT teams. Detection, classification, containment, evidence preservation and escalation, run against your actual plans and playbooks rather than an idealised network.
Built from your reality, not a template.
Scenarios are constructed from your own risk register and threat landscape, your IR plans, playbooks and continuity arrangements, real incidents that have struck organisations like yours, and the emerging threats relevant to your sector, including the slow ones: personal data stolen today, weaponised years later.
Immersive enough to raise pulses.
Participants don’t discuss hypotheticals; they react to artefacts designed for the exercise: breaking-news reports, emails from the threat actor and the regulator, security dashboards, dark-web listings, bank records showing fraudulent transfers, social media reaction, vendor compromise notices. Decisions get made the way they will on the day: under pressure, on incomplete information.
Findings that drive improvement.
Every finding carries facilitator commentary, and the engagement closes with a two-dimension maturity score: technical weaknesses (policies, governance, data management, access controls, third-party oversight) and team readiness (critical thinking, incident classification, documentation adherence, exercise cadence), with a prioritised recommendations report. Leadership leaves with the evidence and the language for targeted uplift, and for board and regulatory obligations.
What your people take away.
Decision practice under pressure in a safe environment. Gaps found in plans, communications and coordination before an attacker finds them. Habits reinforced, cross-functional dependencies understood, and confidence for the real thing.
The standing promise holds here: if an exercise doesn’t change at least one decision your leadership had already made, the exercise fee is waived.
Readiness is now a directors’ duty.
Directors approve risk programmes under the SOCI Act, the Cyber Incident Review Board examines significant incidents after the fact, and duty-of-care expectations under the Corporations Act are sharpening. We advise boards and executives directly: risk appetite, crisis roles, the decisions that must be made before an incident because they cannot be made well during one. Business language, evidence from real responses, tailored to your sector’s actual threat environment.
The threat that already has a login.
Malicious insider incidents have overtaken accidental employee error in Australia for the first time. Managing that risk is not a product you buy; it’s a programme spanning HR, legal and security, with executive sponsorship. We design it with you: risk indicators, governance that respects employment law, and response paths for the day someone leaves with more than their farewell card.
Suspect something already underway? Insider investigations →
Regulatory relevance
- SOCI Act: CIRMP obligations, including personnel hazards
- Cyber Security Act 2024: incident and ransomware payment reporting
- APRA CPS 234: response planning for regulated entities
- OAIC: notifiable data breach preparedness
Before you ask.
We have an IR plan. Isn’t that enough?
If it hasn’t been exercised against a realistic scenario in the last year, nobody knows. Testing a plan is cheaper than discovering its gaps live.
How tailored is tailored?
Built from your environment, your people, your sector’s adversaries. We don’t maintain a template library, deliberately.
Where do we start?
The Breach Readiness Baseline: fixed scope, fixed fee, two to three weeks.