Incident Response Readiness
Know exactly what to do when — not if — something goes wrong.
The problem
Most SMEs discover their incident response plan during an actual incident — when it is too late to write one. Without tested procedures, a ransomware attack or business email compromise can result in days of downtime, permanent data loss, and reputational damage that takes years to recover from. The organisations that recover quickly from incidents are the ones that planned before the incident, not during it.
Our methodology
- Incident response plan development aligned to NIST SP 800-61 framework
- Role-specific playbook development for executive, IT, communications, and legal/compliance stakeholders
- Scenario selection and design for tabletop exercise (business email compromise, mobile money fraud, or ransomware — your choice)
- Facilitated tabletop exercise — 2–3 hours, remote or in-person
- Post-exercise gap analysis: what the exercise revealed about your readiness
- Improvement roadmap: what to fix and in what order
What you will receive
- Incident response plan (NIST-aligned)
- Role-specific playbooks — executive, IT, communications, legal/compliance (4 documents)
- Tabletop exercise report including scenario summary and participant findings
- Gap analysis and improvement roadmap
Estimated timeline
4–5 weeks from engagement start
Overview
An incident response plan is not a document — it is a practised capability. The difference between an organisation that recovers from a cyberincident in hours and one that takes weeks is almost always whether they had a tested plan in place before the incident happened.
This engagement gives you a complete, tested incident response capability: plan, playbooks, and a facilitated exercise to validate it.
Why Testing Matters
A plan that has never been tested is a plan that will fail under pressure. Tabletop exercises surface the gaps — the decision-maker who does not know their role, the escalation path that dead-ends, the communication template that has the wrong contact number — in a low-stakes environment where you can fix them.
The exercise is where the real value is.
Tanzania-Specific Scenarios
We do not run generic scenarios. Our tabletop exercises are designed around the threats most likely to affect your organisation in Tanzania:
Business Email Compromise (BEC) — the most common and costly attack against SMEs globally. A supplier’s email is compromised, or your own domain is spoofed. A payment instruction arrives that looks completely legitimate.
Mobile Money Fraud — Tanzania-specific. M-Pesa, Tigo Pesa, and Airtel Money integrations create unique fraud vectors. Insider threats, SIM swaps, and API vulnerabilities are all in scope.
Ransomware — encrypting attacks are increasing across East Africa. What do you do in the first hour? Who decides whether to pay? How do you communicate to customers and regulators?
Your Team, Prepared
After this engagement, every person who has a role in incident response — executive, finance, IT, communications, legal — knows exactly what they are expected to do, who makes decisions, who to call, and what gets documented. The plan is tested. The gaps are closed. You are ready.
Frequently asked questions
What is a tabletop exercise?
A tabletop exercise is a structured discussion where your team walks through a simulated security incident scenario step by step — without any real systems being touched. The facilitator introduces the scenario and injects new information as it evolves (a ransom demand appears, a staff member's account is confirmed compromised, the press calls), and participants discuss what they would do at each stage. The goal is to surface gaps in your plan, identify who needs to make decisions, and practise coordination before a real incident happens.
What scenarios do you simulate?
We offer three Tanzania-relevant scenarios tailored to the SME threat landscape: (1) Business Email Compromise — an executive email is spoofed, a fraudulent payment instruction is issued, and funds are transferred. (2) Mobile Money Fraud — a staff member's credentials are used to authorise fraudulent mobile money transfers. (3) Ransomware — your systems are encrypted, a ransom demand appears, and you need to decide how to respond. You choose the scenario that best fits your risk profile.
Do we need an IT team to participate?
No. The tabletop exercise is designed to involve all key decision-makers — executive leadership, finance, communications, and legal, not just IT. Some of the most valuable insights come from non-technical participants discovering that they did not know their role in an incident, or that escalation paths were unclear. The exercise is as much about organisational coordination as it is about technical response.
What happens after the tabletop exercise?
You receive a full exercise report documenting the scenario, what decisions were made, what gaps were identified, and recommendations for addressing them. The improvement roadmap prioritises the gaps by impact and effort. Many clients choose to re-run a tabletop exercise annually, and some upgrade to a vCISO retainer to maintain the programme on an ongoing basis.
Can we test against a real scenario we have already experienced?
Yes, and this is often the most valuable exercise. Walking your team through a replay of an actual incident — making different decisions this time — is highly effective for reinforcing lessons and building muscle memory. We can design a bespoke scenario based on something your organisation has actually faced.
Ready to get started?
All engagements begin with a free 30-minute discovery call. No commitment, no jargon — just an honest conversation about your situation.