Handrails

Find the gaps in your IR plan, or a customer, audit, or crisis will.

That IR tabletop has been on the list since last quarter. You know you need to run it.

What if the entire tabletop, from scenario to audit-ready report, took less than 60 minutes? You could run it this week.

Mapped to SOC 2 · ISO 27001 · PCI DSS · and more

Scenario · audit-scoped

Context
  • Model: B2B SaaS · US + EU
  • Frameworks: SOC 2 · ISO · PCI
  • Buyers: Enterprise security review
  • Stack: AWS · K8s · Postgres
  • Review cadence: Annual + per-incident
  • IR plan: Owner: CISO
  • Threat model: Supply-chain · ransomware · insider
  • Detection: EDR · SIEM · threat intel
  • MTTR target: < 4 hours
  • Partners: MSSP · broker · auditor
  • Output: CC7.3 + A.5.24 evidence
  • Cadence: Quarterly + on-demand
What's changed

Why now

01 · The cost of getting it wrong

Ransomware at 2am. Encryption spreading. No clear decision owner. Nobody called legal. Fines, litigation, lost contracts. The incident was containable. The botched response made it expensive.

02 · The ask has changed

Auditors used to ask whether a plan existed. Prospects took your word for it. QSAs accepted documentation. That's changed. The question now, from all of them, is whether it was tested.

03 · Annual testing is the floor, not the ceiling

The frameworks require annual testing, but eleven months of change goes untested. Continuous testing builds muscle memory and is best practice, but cost and logistics have always made that out of reach for most teams. Until now.

Says who

The frameworks behind every audit, deal and renewal conversation

Every exercise is built around the specific requirements of your certification, regulation or framework, mapping directly to the evidence your auditors, customers and insurers are asking for.
SOC 2 · Incident Response · AICPA · At least annually

CC7.3 is what your SOC 2 auditor is testing when they ask for evidence of incident response. They need to see that you evaluated a security event, made decisions and documented the outcome. An annual tabletop with a named after-action report is what "In Place" looks like.

Also relevant: Availability criteria (A1.3) for teams with DR obligations in scope.

If skipped: Qualified SOC 2 opinion. Enterprise deals delayed or lost. Failed vendor security reviews.
ISO 27001 · Incident Response · ISO / Certification body · At least annually

A.5.24 is the clause your surveillance auditor checks when they ask how you manage security incidents. They expect evidence the process has been tested. Named participants, a real scenario, documented decisions. Missing it creates a non-conformity that threatens the certificate.

If skipped: Non-conformity at surveillance audit. Remediation plan required. Certificate at risk.
PCI DSS · Incident Response · PCI SSC / Acquirers · Annually

Req 12.10.2 is what your QSA verifies when they check whether your incident response plan has been tested. The requirement is explicit: at least once every 12 months, tested and documented. The after-action report from your tabletop is the evidence they need to mark it "In Place" on the RoC.

If skipped: QSA finding on RoC. Fines passed through acquiring bank. In a breach, card brand penalties applied retroactively.
Also available

Don't see your framework?

Handrails covers more than SOC 2, ISO 27001 and PCI DSS. If your framework is listed here, or you don't see it at all, let us know.

  • NIST CSF 2.0
    The language your cyber insurer and enterprise buyers are already using to ask about your IR readiness.
  • SEC cyber disclosure rule
    Public companies need evidence the response machinery works before a material incident forces the question.
  • NIS2
    In scope across the EU from October 2024. Most organizations are still figuring out what evidence looks like.
How it works

From scenario to audit-ready report, in under 60 minutes.

Weeks of planning. Hours of facilitation. Days more for the report. Handrails compresses the whole thing into under 60 minutes.
1 · Context in

Built around your context

Answer a few questions about your setup, including your industry, your frameworks, your tech stack. The scenario is custom generated from your context, not pulled from a generic library.

2 · Virtual session

Live · virtual · 47:32. Holly, the Handrails AI agent, facilitating a session with Amir (IR lead) and Ines (Legal) as participants.

Run it live, virtually

Your team joins a video call. A realistic incident unfolds. Each person makes the decisions they would actually make. The session is recorded. That recording is your evidence trail.

3 · Report out

Report · SOC 2 CC7.3 · ISO A.5.24 · Ready
  • Image-scan triage: 37 services scanned in 22 min
  • Customer communication: Holding note inside MSA SLA
  • Patch-owner rotation: Sev-2 services have no named DRI
  • Decision log: Mapped to CC7.3 & A.5.24
  • SBOM propagation: No downstream notification path

The report is ready before you close the call

An auditor-ready after-action report is generated from the session. Dated. Named. Mapped to your frameworks. Hand it to your SOC 2 auditor, your enterprise prospect, or your broker. Done.

Example scenarios

Tailored, not templated

Every scenario is generated from your context, not chosen from a library. Based on your frameworks, tech stack, vulnerability areas, even the plans and policies you upload. Three lightweight examples below.
Scenario 01 · Ransomware in production

Encryption at the storage layer at 2am. Who decides to shut down? When do you page legal and insurance?

Scenario 02 · Credentials leaked in a third-party breach

Your OAuth provider is breached. Which customers to notify, on what SLA, with what content?

Scenario 03 · Insider exfiltration

A departing engineer pulls customer data. Evidence preservation, legal escalation, external comms.

Cyber insurance

Cyber insurers are asking the same question your auditor is.

Underwriters at renewal increasingly ask for evidence of a tested incident response plan, not just a policy document. A Handrails session produces the documented exercise record most carriers now expect to see. Plus, some insurers are beginning to offer premium consideration for organizations that can demonstrate a regular testing cadence.

Partner with Handrails

Tabletops don't have to be the hard part.

For most consultants, auditors and vCISOs, tabletops are the most resource-intensive exercise in the toolkit. Days of prep, hours in the room, more hours writing it up. Handrails can now carry that load for you. Stay in the expert role your clients need you in, run more engagements, and earn on every session.
  • Revenue share, every cycle
    Get paid on every session your clients run.
  • Client visibility
    See which clients have run exercises, when they last tested and where the gaps are, without chasing status updates.
  • Evidence requests, handled
    Your clients arrive with mapped, dated after-action reports. Less back and forth. Faster cycles.

Already working with: vCISOs and security consultants · SOC 2 auditors and ISO certification bodies · QSAs · Cyber insurance brokers

Run your next tabletop this week.

Sign up, pick a scenario, invite the team. The report is ready before the session ends.