Handrails
Test your SOPs

Stress-test your SOPs before they fail in real life.

Standard Operating Procedures (SOPs) don't fail in a conference room. They fail at 2am when the on-call engineer is tired, the runbook is two versions old, and the DBA it tells you to page left in April.

Upload your SOP, run a live test, walk away with actionable gaps and fixes.

Why SOPs break

Where your SOPs quietly fall apart.

01

SOPs drift silently

The SOP says ping the DBA in #infra. The DBA left in April. The script in step 5 was retired in Q1. Only an exercise catches it before an incident does.

02

Nobody reads them until 2am

An annual read-through in a meeting is not a test. A live session forces the team to follow the document, in sequence, on a clock, under pressure.

03

Decisions without DRIs

Who calls the CEO? Who talks to customers? Who approves the rollback? SOPs that don't name the Directly Responsible Individual (DRI) fall apart in the first fifteen minutes of a real event.

What you get back

Well-tested SOPs reduce chaos when incidents happen.

When the runbook holds, the situation that would have been a crisis becomes an event. That difference shows up in three places.

Smaller blast radius, faster recovery

A rehearsed on-call contains the situation in hours, not days. Less data exposed, fewer customers affected, fewer regulator clocks running in parallel.

Lower cost when something goes wrong

Insurance claims, legal fees, regulatory penalties and company interruption all scale with how long the situation runs unchecked. A working SOP keeps all four lines smaller.

Confidence under pressure

When teams have practiced the process beforehand, they act faster, communicate better and reduce operational chaos during incidents.

Review vs test

Read it once, or rehearse it under fire.

Annual sign-off proves the SOP exists. A live walk-through proves it works. Both have a place. Only one produces evidence the document survives contact with reality.

The old way

The standard practice · Annual SOP review

  • Read-through in a meeting, signed off as complete
  • Steps walked discursively, not in sequence under pressure
  • Stale owners, retired commands and dead links can sit unnoticed
  • Updates often land months after the review

With Handrails

With Handrails · Live SOP test

  • Scenario built around the decisions inside your SOP
  • On-call team walks each step on the clock
  • Every stale owner, broken link and dead phone number surfaces
  • A prioritized SOP remediation list delivered before the session ends

What we'll test

Your SOPs, under real conditions.

Upload the SOP or share a link. Holly builds a scenario around the decisions inside it and runs your team through live.

On-call & incident runbooks

The 2am SOP. We test whether it actually names owners, escalation paths and decision points under pressure.

Data-breach response SOPs

Regulator clocks, customer comms, legal triggers, evidence preservation. The SOP either holds the sequence or it doesn't.

Recall & supply-chain SOPs

Product recall, supplier failure, logistics disruption. The order of calls matters.

Payment, fraud & ops SOPs

Outages, fraud pattern detected, disputed transaction spikes. Run the SOP and see what's missing.

Clauses covered

The clauses behind operational SOPs.

Every exercise maps to a real process, policy or response your company depends on.

Board Governance
Governance & controls · Board oversight expectations
Continuous oversight
Board oversight · Operational controls · Reasonable assurance

Boards and business leaders are expected to oversee whether operational controls are tested, maintained and functioning under pressure.

If skipped: Directors and leaders forced to explain why critical controls were never properly tested.

ISO 27001
Operational Procedures · ISO 27001:2022
Continuous; reviewed on change

Operating procedures for information processing facilities must be documented and made available to personnel who need them. Procedures must be reviewed and updated when operations or systems change.

If skipped: ISO nonconformity at surveillance audit; remediation plan required to maintain certification.

SOC 2 / AICPA
Change & Operations
At least annually

The entity authorises, designs, develops, configures, documents, tests, approves and implements changes to infrastructure, data, software and procedures to meet its objectives.

If skipped: Qualified SOC 2 report; delayed enterprise deals; failed vendor reviews.

NIST CSF 2.0
Incident Response
Continuous; exercised annually

Incident response plans and procedures must be established, communicated and tested. Lessons learned must feed back into the procedures themselves.

If skipped: Cybersecurity maturity gap flagged by insurers, customers and assessors.

How an SOP test runs

Your SOP. Live fire. Under 60 minutes.

Upload the SOP. Holly builds a scenario around the decisions inside it and runs your on-call through the real thing.

1. Context in

Context
SOP: IR-OPS-003 · v2.1
Owners: DBA · SRE · Sec
Last review: 8 months ago
Revision: Pending
Trigger: Prod data corruption
Pages: 8 pages · 22 decisions
System: Postgres primary + replica
Blast radius: Checkout · fraud · ledger
Escalation: Slack · PagerDuty
Evidence: Logs · diffs · decisions
Output: SOP edit list
On-call: Rotating

Holly reads your SOP

Upload or paste your SOP. Holly parses the owners, steps and decision points, then writes a scenario that forces your team to walk them in order, on a clock.

2. Virtual session

[Session view: Live · virtual, 47:32. Holly, the Handrails AI agent, facilitating a session (speaking); participants Kai · SRE and Elena · DBA; transcript panel.]

On-call and leads, step-by-step

Holly runs the incident live over video. At every decision point, she names a participant and asks what they'd do, surfacing the gaps between the document and reality.

3. Report out

SOP test · IR-OPS-003: Needs revision
Step 3 owner: Marcus left; no successor named
Step 5 command: References retired script
Step 8 rollback: Executed cleanly
Step 12 comms DRI: Ambiguous under load
Decision audit trail: Transcript + tool captured

A list of SOP edits, ready to merge

Each gap becomes a specific change. Owner is stale. Step is out of order. Decision has no DRI. Paste them straight into the next revision.

What you walk away with

A redline, not a pep talk.

Edits ready to drop into the next version

Each gap from the session becomes a specific change to the SOP. Section, current wording, suggested edit, named owner.

Decision audit trail

Timestamped transcript of what your on-call actually did at each step. A record future reviewers can trust.

Gap register by section

Each gap mapped to the section of the SOP where it surfaced, with severity and suggested owner.

Tested-SOP evidence

Audit-ready proof the SOP has been walked end-to-end. Filed straight into your ISO, SOC 2 or internal audit folder.

When it helps most

Good fit if you...

  • Maintain SOPs that have never been rehearsed end-to-end
  • Re-wrote the SOP after an incident and want to pressure-test it
  • Want evidence the SOP actually works, not just that it exists
  • Need auditable improvement cycles on operational documents

Ship an SOP that actually survives 2am.

Upload the SOP. Book a sixty-minute session. Merge the fixes the same week.