Handrails
Proof in under 60 minutes

The fastest way to run tabletops

Holly, our AI agent, builds the scenario, runs the live session and generates the report, without the usual prep, coordination or follow-up work.

  • Fraction of the cost
  • Done in under 60 minutes
  • Audit, regulator, board ready
1. Custom scenarios
We use your company context to generate a tailored scenario for you.
Industry: SaaS · B2B
Stage: Series B
Size: 120 employees
Region: US + EU
Customers: Enterprise buyers
Framework: SOC 2 Type II
Policy: Incident response plan
Team: CEO · Ops · Comms
Data: Customer records
Systems: CRM · Finance
Objective: Practice crisis decisions
Cadence: Quarterly
Old way vs new way

Once a year was always a compromise. Run as often as you need.

Regulators, boards and auditors are asking for proof. Handrails answers in hours, not weeks.
  • Old way: Once a year, if that
    Too infrequent to catch drift when controls, people or systems change.
    New way: Run on demand
    Pick a time that works, invite the team over a link. No lead time.
  • Old way: Painful to schedule
    Block a full day, fly everyone in, rearrange the calendar around a single workshop.
    New way: Virtual, under 60 minutes
    Holly facilitates over video. Your team joins from wherever they are.
  • Old way: Generic scenarios
    Off-the-shelf templates lightly re-skinned for your industry.
    New way: Tuned to your company
    Holly drafts a scenario from your industry, stack, customers, contracts and risk exposure — in seconds.
  • Old way: Weeks to write the report
    Days or weeks of drafting, reviewing and formatting. By the time it lands, details have drifted.
    New way: Report in minutes
    Findings, decisions and follow-ups — written for whoever needs to read it.
  • Old way: One scenario, one framework
    Designed for the cyber tabletop and nothing else.
    New way: Every category of readiness
    Incident response, business continuity, crisis management, recall and safety — plus your own policies, SOPs and training.
What you can test

Four categories of readiness. One platform.

Every organization faces different kinds of crisis. Handrails runs tabletop exercises across all four — built from your actual plans, policies and contracts.
01 Incident response

Can your team respond in the first 60 minutes?

Data breaches, cyber attacks, privacy incidents, regulator notification scenarios.

Seen in: SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, CMMC, GDPR, NIS2, APRA CPS 234, SEC cyber rule
02 Business continuity

Can your business keep running under pressure?

System outages, supplier failures, infrastructure downtime, critical service disruption.

Seen in: SOC 2, ISO 22301, DORA, APRA CPS 230, PRA SS1/21, FFIEC BCM
03 Crisis management

Do your leaders make the right calls when it matters?

Executive decision-making, media and PR scenarios, legal escalation, board engagement.

Seen in: SEC 4-day disclosure, NYSE/Nasdaq disclosure, Board duties, Cyber insurance, ASX 3.1
04 Recall & safety

Can you act fast enough to protect customers and your brand?

Product recalls, food safety incidents, pharmaceutical and consumer product risk, brand protection.

Seen in: FSMA, SQF, BRCGS, FSANZ, TGA PRAC, 21 CFR Part 211, CPSC 15(b), EU GPSR
Also
Policies, SOPs & training

The things you've written down. Do they actually work?

Policies, SOPs and training are only real if your team follows them under pressure. Handrails runs low-stakes simulations to find the gap between what's on paper and what happens in practice.

  • Test your policies
    Every policy you rely on, e.g. AI use, data handling, vendor review. See whether your team actually follows it under pressure.
  • Test your SOPs
    Every process you've documented, e.g. onboarding, change management, incident triage. Find the gaps on paper before they show up in production.
  • Test your training
    Any training your team has taken, e.g. security awareness, incident response, AI literacy. See who applies it, who forgot and what the training missed.
  • Test your HR playbooks
    The sensitive ones you hope you never need, e.g. harassment complaints, whistleblower disclosures, exec transitions. Rehearsed before a real situation forces the call.
Three steps, end-to-end

From zero to audit-ready in three steps.

Under 60 minutes, virtual, with your team on a link. Holly handles the scenario, the session and the write-up.
1. Context
Industry: SaaS · B2B
Stage: Series B
Size: 120 employees
Region: US + EU
Customers: Enterprise buyers
Framework: SOC 2 Type II
Policy: Incident response plan
Team: CEO · Ops · Comms
Data: Customer records
Systems: CRM · Finance
Objective: Practice crisis decisions
Cadence: Quarterly

A scenario tuned to your business

Holly detects your context from your domain, your documents and the signals you share, then automatically designs a custom scenario centered on your business.

2. Session

Holly runs the session live

Holly narrates, escalates the situation in real time, and asks each participant directly. Your team joins from wherever they are.

3. Report
Report · Q2 2026 · Ready
Detection: Alert to action in 4 min
Containment: Account locked, password reset
Decision owner: No clear decision maker named
Customer notice: Sent at 52h (target ≤48h)
Audit trail: Complete

The report is done the moment you are

Decisions made, gaps found, follow-ups assigned. Structured against the exact clause, artifact or standard being tested. Ready to hand to whoever needs to read it.

What you get

One report. Written for whoever's asking.

Scenario, findings, follow-ups. Structured to the framework, tied to named participants, ready for your auditor, regulator or board.
Handrails · Incident Response · SOC 2 TSC
Incident Response · SOC 2 TSC · CC7.3

External data exfiltration · Q2 2026

Scenario

Privileged AWS access token exfiltrated from a CI runner overnight. At 08:42 the SIEM flags anomalous egress; twelve minutes later a customer reports missing records. 72-hour disclosure clock running.

Exercise date: May 14, 2026
Duration: 52 minutes
Participants: 8 (IR, SRE, Legal, Comms, Exec)
Facilitator: Handrails AI agent
Findings
  • Detection
    SIEM alert acknowledged within 4m (SLA: 15m).
    Low
  • Containment
    Privileged session revoked within 11m of escalation.
    Low
  • Materiality decision
    Deferred to legal without documented rationale or DRI.
    High
  • Customer comms
    Draft exceeded 48h target; template not pre-approved.
    Medium
Follow-up actions
  • Amina (Legal) · Publish materiality decision matrix with named DRIs.
    Jun 7
  • Marco (Comms) · Pre-approve three customer statement templates.
    Jun 14
  • Priya (Security) · Schedule re-test with injected supply-chain twist.
    Q3
Pricing

Three ways to improve readiness.

Tabletops for the moments that matter. Operational Simulations for the muscle memory in between.

Simple pricing. No subscriptions required.

Tabletop Exercises

$400 per exercise

Multi-participant · 45-120 min

High-consequence response exercises with audit-ready reporting.

  • Holly facilitates live across your team, with role-specific questions that adapt to answers
  • Scenario tailored to your business, frameworks and regulatory context
  • Structured report: timeline, decisions, gaps, evidence and recommended actions
  • Built for auditors, insurers, boards and regulators who read the output

Operational Simulations

$20 per simulation

Single participant · 5-20 min

Continuous testing of your training, policies or standard operating procedures.

  • On-demand in minutes: short sessions between full tabletops
  • Scenario tied to the SOP, policy or training material you are testing
  • Strengths, gaps and recommendations without transcript cleanup
  • Fast rollout; rerun anytime to keep teams sharp

Readiness Programs

Volume pricing · ongoing cadence · scaled rollout

For organizations running exercises continuously or pushing readiness to vendors, partners and distributed teams.

When you’re ready

Run your first exercise this week.

Sign up, answer a few questions, invite your team. Run a session in under 60 minutes and the audit-ready report comes back written for you.

Not sure where to start? Check your domain first.

FAQs

Questions we get asked

Who actually runs the session?
Holly, our AI agent facilitator. She generates the scenario, narrates the session live, injects twists and asks each named participant specific questions, auto-transcribing everything into the final report. Think of her as a senior tabletop facilitator that scales to every exercise you need, with your team showing up over a link.
How is this different from a consultant?
Consultants definitely have a place for very large and complex exercises. Handrails is on-demand. When your auditor, retailer or insurance broker wants proof of an exercise this week, you don't wait six weeks for a Tuesday slot. Many of our customers use Handrails alongside consultants, not instead of them.
What frameworks do you cover?
SOC 2, ISO 27001, ISO 22301, NIST SP 800-171 (CMMC), NIST CSF, PCI DSS, HIPAA, DORA, APRA CPS 230, PRA SS1/21, the SEC cyber rule, NYDFS Part 500, FSMA, FSANZ, SQF, BRCGS, FSSC, 21 CFR Part 211, FDA QMSR, EU MDR, EU GMP, TGA PRAC, NSQHS, CMS Conditions of Participation, IEC 62443 and more. If your clause isn't listed, tell us. We've probably got a scenario mapped to it.
Can we run this for our vendors (TPRM)?
Yes. Readiness Programs include vendor tabletops and Operational Simulations pushed out to your critical third parties, with a consolidated view of where the risk concentrates.
What's the difference between a tabletop and a policy test?
A tabletop tests how your team responds to a hypothetical incident. A policy test checks whether your written policy actually works when the team has to follow it under pressure. Handrails runs both. Most regulators ask for tabletops. Most failures come from policy gaps. Cover both and you're ready.
Do we need to write the scenario ourselves?
No. Holly drafts the scenario from your business context, the framework you're testing against and the policies you upload. You can also tweak the scenario: it's very customizable, with lots under the hood. The whole point is that you don't spend two weeks scoping the exercise.