Financial Services Financial Services & Banking Cybersecurity & Operational Resilience

Incident Response

Regulated environments where trust, compliance, and operational resilience are non-negotiable.

Mandiant (Google) Palo Alto Networks IBM Kroll
Inside this journey
  1. Pre-Discovery

    Align the room on outcomes, decision process, and constraints before deeper discovery.

    1. Stakeholder Alignment

      Confirm decision roles (CISO, GC, CRO, board), escalation paths, and what a successful retainer activation must achieve for each stakeholder.

      Alignment Questions

      Quick Check-In: Who We’re Talking To

      • Who should we consider the primary contact for incident readiness conversations? Options: CISO, General Counsel, CRO, Head of IT/Infrastructure, Head of Security Operations, Other
      • Which type of financial institution best describes you? Options: Regional bank, National bank, Broker-dealer, Insurance carrier, Credit union, Other
      • Can you briefly describe a recent incident or near-miss that shaped leadership’s urgency on breach preparedness?
      • How confident are you that your current retainers and vendors can mobilize and start forensics within two hours? Options: Very confident, Somewhat confident, Not confident, Unsure
      • Who typically attends tabletop exercises at your organization? Options: CISO, GC/Deputy GC, CRO, Head of Operations, Head of Communications/PR, Board representative, Other

      When Midnight Calls, Who’s on First?

      • If a breach landed at 2 AM this Saturday, who makes the initial 'activate the retainer' call and why?
      • How do you define the trigger that moves an event from 'monitor' to 'activate' in your organization? Options: Confirmed compromise, Suspected data exfiltration, Ransomware detected, Regulator-contact threshold, Other
      • Do you have written escalation paths for activation, and where are they stored? Options: Yes—central runbook accessible to all, Yes—documented but limited access, No formal path, In progress
      • If the person authorized to activate is unavailable, what is the fallback decision process? Options: Pre-designated deputy, Cross-team consensus call, Activate after time-based threshold, No clear fallback
      • How would your board expect to be notified in an active incident (timing and channel)? Options: Immediate phone call to chair, Email update within 1 hour, Secure portal update, Depends on severity

      Who Really Needs to Sign Off?

      • Which stakeholders must explicitly approve a retainer or activation for you to feel protected? Options: General Counsel, CISO, CRO, CEO, Board/Audit Committee, Head of Compliance, Head of Operations, Other
      • For each approver you listed, what does 'signed off' practically mean (e.g., legal wording, budget sign-off, verbal authorization)?
      • How long does it typically take to secure each approver’s sign-off during a crisis? Options: Under 15 minutes, 15–60 minutes, 1–4 hours, More than 4 hours, Varies widely/Unsure
      • Which stakeholders prioritize preserving privilege over immediate technical transparency? Options: GC—privilege focus, CISO—technical containment focus, CRO—business continuity, Board—reputation management, Compliance—regulatory alignment, Other
      • Who normally fields regulator outreach in the first 72 hours (internal or external counsel)? Options: Internal GC, External counsel, CISO with legal support, Head of Compliance, CEO/Executive

      What Keeps Your Board Up at 2AM?

      • When you imagine the board seeing conflicting public statements after a breach, what outcome would be worst for your institution?
      • How would a poorly coordinated first 24–72 hours affect your regulatory standing or license risk? Options: Severe risk to license, Material regulatory penalties, Reputational impact only, Minimal regulatory consequence, Unsure
      • When prior incidents hit headlines, what internal criticism surfaced most—slow notification, inaccurate facts, or legal exposure? Options: Slow notification, Inaccurate public statements, Inadequate legal protection, Operational disruption, Other
      • Describe a situation where communications, forensics, and legal gave different advice—what broke down and how did it feel internally?
      • How much does fear of litigation influence decisions on forensic transparency or evidence handling? Options: Heavily influences, Moderately influences, Little influence, No influence/Unsure

      If This Went Perfectly, What Would Everyone Say?

      • Imagine the GC, CISO, and CRO each said the retainer activation was a success—what would each of them highlight first (publicly and privately)?
      • What three measurable success signals would your GC need to confirm that privilege and legal posture were preserved? Options: Privileged-retainer structure documented, Forensic work done under counsel direction, Chain-of-custody fully intact, No unintended disclosure of privileged materials, Privilege opinion documented
      • Which technical KPIs would your CISO use to judge success in the first 24 hours? Options: Containment within 2 hours, Forensic imaging of affected endpoints, Root cause identified, No lateral movement, Critical systems restored
      • What board-level deliverables would the CRO expect for an audit-committee briefing after activation? Options: Concise timeline of events, Regulatory notification status, Customer impact estimate, Remediation and mitigation plan, Estimated costs and exposures
      • How soon would each stakeholder expect a short executive brief after activation? Options: Within 1 hour, 1–4 hours, By end of day, Next business day

      Where Does Privilege Live—and Where Does It Break?

      • From your experience, what single mistake most reliably destroys attorney-client privilege during an incident?
      • Do you use a privilege-retainer structure today where forensics are directed by counsel? Options: Yes—standard across incidents, Yes—used selectively, No, but evaluating, No
      • When forensic findings are shared internally, what controls (labels, access restrictions, policies) prevent privileged material from spreading?
      • Who is responsible for applying and enforcing privilege markings—internal GC, external counsel, IT, or a joint process? Options: Internal GC, External counsel, IT/SecOps, Joint process
      • If a regulator requests evidence, what is your typical posture: produce promptly, negotiate scope, or refuse until a court order? Options: Produce promptly, Negotiate scope with counsel, Refuse until court order, Case-by-case with counsel

      Escalation Paths: From Pager to Board

      • If your escalation chain were a pipeline, where are the biggest leaks right now and why?
      • Which technical or business triggers currently auto-notify executives? Options: Ransomware detection, Confirmed data exfiltration, Major system outage, External disclosure, Regulator outreach, Other
      • Do you have contractual SLAs or internal RTOs for retainer activation and start of forensics? Options: Yes—contractual SLA (e.g., 2 hours), Yes—internal target only, No formal SLA/RTO, Currently negotiating
      • What percentage of past incidents reached the board within 24 hours at your firm? Options: 0–10%, 10–30%, 30–60%, 60–100%, Unsure
      • When multiple incidents arise concurrently (internal or vendor-loaded), how do you prioritize which gets immediate retainer support?

      Where Things Tend to Fail

      • Tell me about a time a retainer or vendor engagement failed you—what concrete consequences followed?
      • Which failure modes worry you most? (select up to three) Options: Slow mobilization, Chain-of-custody errors, Privileged information leaked, Vendor overwhelmed by concurrent incidents, Poor regulator coordination, Inadequate forensic depth
      • How often do you exercise or audit retainer readiness and vendor handoffs? Options: Quarterly, Biannually, Annually, Rarely, Never
      • What routine handoff or administrative tasks most often break down under pressure (e.g., credential access, legal direction, contact lists)?
      • Who owns capturing lessons learned and updating the shared playbook after an incident—GC, CISO, CRO, or a shared committee? Options: GC, CISO, CRO, Shared committee, Other

      Small Steps That Change Everything

      • If you could implement one operational change this quarter to reduce board anxiety after a breach, what would it be and why?
      • How receptive would leadership be to embedding a privilege-retainer into the annual budget cycle? Options: Highly receptive, Somewhat receptive, Resistant, Unsure
      • What would you need from a retainer partner to feel comfortable moving to a signed agreement? Options: Contract language preserving privilege, Guaranteed 2‑hour activation SLA, Experienced former-FBI responders, Clear escalation matrix and runbooks, Regular tabletop exercises, Cost certainty/overrun protections
      • Which metrics or evidence would help you justify a retainer to the audit committee (e.g., SLA attestations, exercise reports, regulatory references)?
      • Realistically, what is your timeline for deciding on a new retainer or updating existing terms? Options: Immediate (days), Weeks, 1–3 months, 3–6 months, No plans
      • Would you be open to a short tabletop exercise with our team to validate activation and board reporting within two hours? Options: Yes—schedule, Maybe—need more information, No
    2. Current State Mapping

      Document existing incident playbooks, legal privilege processes, vendor relationships, and past failure modes that drive risk.

      Current State

      Setting the Scene: How This Feels Right Now

      • In one sentence, how confident are you that your team could activate a retained IR partner within two hours? Options: Very confident, Somewhat confident, Not confident, Unsure
      • Walk me through the last time you declared a security event—what happened, who declared it, and who led the activation?
      • Which incident playbooks do you maintain today? Options: Ransomware response, Data exfiltration / breach, Payment system compromise (ACH/SWIFT), Insider threat, Cloud account compromise, Third-party/vendor outage, Other
      • How accessible and current are those playbooks for someone on-call at 2 AM? Options: Regularly updated (within 6 months) and accessible, Updated annually, Outdated (>1 year), No formal playbooks, Accessible but missing details
      • Who is assigned ownership for updating playbooks and ensuring they reflect current vendor and legal arrangements? Options: CISO office, Security operations lead (SOC), General Counsel, Risk/CRO, Third-party vendor, Shared responsibility, Other
      • When you read your existing playbooks, what section most often gives you pause or uncertainty?

      Are you waiting for regulators or for the fire to start?

      • If a regulator requested forensic evidence from your most recent incident tomorrow, what gap would embarrass you most?
      • Do you have a documented process for invoking attorney-client privilege and protecting privilege during collection? Options: Yes — documented and tested, Documented but untested, Informal / verbal process only, No documented process
      • Who is authorized to declare 'privileged response' and how is that authorization recorded? Options: General Counsel signs off, CISO + GC jointly approve, Board or audit committee delegate, No formal authorization process, Other
      • How do you ensure forensic collection tooling and workflows do not inadvertently waive privilege (examples: shared cloud buckets, non-encrypted transfers)?
      • Have you run a live test or tabletop specifically to validate the privilege invocation process? If so, when and what changed afterward? Options: Yes — within 6 months, Yes — within 12 months, Yes — but >12 months ago, No

      Where privilege usually breaks — tell us the worst-case

      • Imagine an investigator accidentally published raw forensic artifacts to a non-secure channel—how likely is that scenario in your current controls? Options: Very likely, Somewhat likely, Unlikely, Impossible / controls prevent it
      • What technical or procedural controls prevent sensitive artifacts from being shared outside privileged or approved channels?
      • Do your engagement contracts with external counsel and forensic vendors include explicit privilege protections and chain-of-custody obligations? Options: Yes — explicit contractual language, In contract but vague on privilege, No explicit terms, We don't use external counsel/vendors
      • Describe an incident where privilege was challenged or compromised—what happened and how was it resolved?
      • Who documents the decision to treat investigative output as privileged (role/title) and where is that documentation stored? Options: GC (stored in legal repository), CISO (security repository), Shared legal-security repository, No single owner/documentation

      Which tooling and vendors actually move the needle?

      • Which of your current vendors would you trust to own a complex, multi-jurisdiction financial investigation at 2 AM? Options: Primary retained IR vendor, Multiple vendors depending on scope, Internal team only, No vendor I fully trust
      • List the external vendors and key tools you rely on for endpoint, network, and cloud forensics (name + primary role).
      • What activation and response SLAs do you have (or expect) from each vendor—activation time, on-scene availability, deliverable timelines? Options: Contracted SLAs (hours/days), Informal expectations only, No SLAs defined, Varies by vendor
      • Have you experienced vendor capacity or prioritization issues during a concurrent large-scale incident in the industry? Options: Yes — caused significant delay, Yes — minor impact, No, Unknown / not tracked
      • Are vendor access requirements (SIEM, EDR, cloud admin roles) pre-authorized and provisioned for out-of-hours activations? Options: Pre-authorized & provisioned, Requires emergency approvals, Not provisioned, Partial / some vendors only

      How do your lines of communication die when it gets worse?

      • When things go sideways, who typically fails to show up or respond—legal, ops, execs, or outsourced partners? Options: Legal, Security Ops (SOC/IR), Executive leadership, Vendors / third parties, All of the above
      • Who is on your primary incident contact roster for nights and holiday weekends, and how frequently is that roster updated?
      • Describe your escalation path from SOC alert to board notification—what decision gates and owners exist today?
      • What channels do you rely on for incident communication (select all that apply)? Options: Secure chat (e.g., encrypted workspace), Email, Phone tree / on-call numbers, Physical war room, Ticketing system, Regulatory portal
      • Have you tested out-of-hours escalation (nights/holidays) and what failures surfaced during those exercises? Options: Regularly tested — few failures, Occasionally tested — some issues, Tested once — many issues, Never tested
      • How comfortable is your CRO and audit committee chair with the current cadence and content of incident briefings under time pressure? Options: Very comfortable, Somewhat comfortable, Not comfortable, Unclear / varies

      If everything went perfectly — what would you still keep from today?

      • Which parts of your current response process do you believe are actually working and should never be replaced?
      • Are there internal teams, specific vendor relationships, or practices you consider 'must keep' because they produce regulator-trusted results? Options: Internal digital forensics team, Primary external IR vendor, Established outside counsel, Strong SOC playbooks, Other
      • Which types of forensic artifacts have been most valuable in regulator inquiries or legal proceedings in the past? Options: Chain-of-custody logs, Raw disk images, Network packet captures, Timeline and action logs, Executive-level briefings
      • What aspects of evidence handling (encryption, custody logs, storage location) would you never compromise, even to speed response?
      • Which stakeholders must sign off on preservation / collection decisions in urgent scenarios? Options: General Counsel (GC), CISO, CRO / Risk lead, Board chair or designee, Other

      What would you be most ashamed to tell the board?

      • What single incident-related failure would you dread having to explain to the audit committee?
      • Have previous incidents at your institution led to regulatory fines, litigation, or public reputational harm? Please summarize the outcome and impact.
      • What root causes have recurred across past incidents—people, process, technology, or third-party failures? Options: People (staffing/training/on-call gaps), Process (outdated/incomplete playbooks), Technology gaps (visibility/tooling), Third-party/vendor failures, Combination of the above
      • How do you track, prioritize, and enforce remediation of recurring failure modes identified after incidents? Options: Formal remediation program with owner tracking, Ad-hoc fixes per incident, Lessons learned documented but not enforced, No consistent remediation process
      • What are the board’s minimum expectations for incident response timelines, notification thresholds, or incident severity that would trigger escalation?

      Quick inventory — evidence, access, and handoffs

      • If an incident began right now, do you have a maintained list of systems or data sets where forensic imaging is legally restricted or sensitive? Options: Yes — list exists and accessible, Yes — exists but not accessible off-hours, No such list, Unsure
      • Which cloud providers, identity systems, and critical applications require special legal or regulator coordination before forensic access?
      • Do you maintain pre-authorized credentials or jumpboxes for third-party responders to use during activation? Options: Yes — pre-authorized and tested, Yes — exists but requires emergency approval, No pre-authorized access, Partial coverage (some systems)
      • Where are your secure evidence repositories and how are they protected? Options: On-prem secure evidence vault, Cloud encrypted storage (S3/GCS/Azure), Vendor-managed evidence custodian, No formal repository
      • Who is responsible for handing custody of evidence to an external responder and how is that transfer logged today?
      • Which regulator-specific reporting rules or compliance frameworks must your forensics and chain-of-custody satisfy (select all that apply)? Options: OCC, SEC, State regulators, FFIEC guidance, PCI DSS, FINRA / broker-dealer rules, Other
  2. Outcome Discovery

    Define the institution’s success signals (e.g., rapid regulated notification, preserved privilege, board-ready briefings) and constraints like holiday/on-call staffing.

    Discovery Questions

    Opening: What Brought You In Tonight?

    • Briefly, what prompted you to start exploring a rapid-activation retainer right now?
    • How recently did a peer breach or internal event trigger renewed board or audit committee attention? Options: Within the last week, Within the last month, 3–6 months ago, 6–12 months, More than a year, No recent trigger
    • Who in your organization is pushing hardest for this capability? Options: CISO, General Counsel, CRO, Board/Audit Committee Chair, CEO, Other
    • What would a successful outcome from this conversation look like to you in 30 days?
    • Have you ever activated an external retainer during an incident? If yes, what went well and what didn’t?

    If Your Board Asked 'Are We Ready?' — What Would You Say?

    • If the board asked you to demonstrate you could fully respond during the first 48 hours after a breach, which part would make you hesitate? Options: Regulatory notification timing, Preserving attorney-client privilege, Forensic depth across cloud/endpoints, Coordination between legal and IR, Board-ready briefings, Other
    • On a scale from 'very confident' to 'terrified', how would you rate your ability to deliver a coordinated, board-ready briefing within 48 hours? Options: Very confident, Somewhat confident, Neutral, Somewhat concerned, Terrified
    • Which evidence types make you most nervous when you picture legal or regulatory scrutiny? Options: Endpoint images, Network logs/PCAP, Cloud provider logs, Email archives, Authentication logs, Other
    • Tell us about a time a briefing to executives or the board did not go as planned—what specifically failed and why?
    • Which metrics matter most to your board when judging incident response performance? Options: Time to activation, Time to containment, Regulator notification timeliness, Preserved privilege, Customer communication accuracy, Cost control, Legal exposure

    When the Alarm Goes Off at 2 AM, Who Owns the Room?

    • If a major compromise were declared at 2 AM on a holiday, who in your org would be empowered to activate external responders and speak to regulators? Options: CISO, General Counsel, Head of Ops/IT, CEO/COO, Board designee, Other
    • Do you have documented escalation paths and decision thresholds that combine legal and technical sign-off for retainer activation? Options: Yes, fully documented, Partially documented, Informal verbal process, No
    • How are on-call rotations and holiday staffing covered for the CISO, GC, and incident response leads? Options: 24/7 rotation, Senior execs on-call, External on-call backup, No formal coverage
    • Who is typically responsible for regulator notifications and what sign-off do they need? Options: GC, CISO, Compliance officer, CEO/COO, Other
    • Describe any past situation where escalation ambiguity delayed an investigation—what was the downstream impact (hours lost, regulator contact, public disclosure)?

    What Keeps You Up at Night About Privilege, Regulators, and Evidence?

    • What's the single biggest fear you have about losing privilege or chain-of-custody during a fast-moving response? Options: Forensic data disclosure in discovery, Regulator seizing evidence, Employee communications being unprivileged, Third-party vendor missteps, Insufficient documentation
    • How is your legal team currently structuring retainers and privilege protections with forensic vendors? Options: Privilege-retainer through outside counsel, Vendor provides forensic reports only, Hybrid approach, No formal structure
    • Have you faced regulator pushback on the scope or speed of your disclosures? If yes, indicate which regulators. Options: State regulator, OCC/FDIC, SEC, FINRA, No pushback, Prefer not to say
    • Which internal behaviors, tools, or processes increase your risk of unintentionally waiving privilege? Options: Employee chat tools, Inadequate legal guidelines, Uncontrolled evidence sharing, Using vendor reports without counsel review, Other
    • What evidence-handling protocols (chain-of-custody steps, logging, custody receipts) would make you feel confident in a legal proceeding?

    Imagine a Perfect Two-Hour Activation — What Would We See?

    • If the retainer activated and your team reached full operational response in under two hours, what single outcome would prove it worked? Options: Regulator notified on time, Privileged forensic images secured, Board-ready incident brief produced, Containment achieved, Customers notified appropriately
    • Which stakeholders must receive a status update within the first two hours, and what delivery formats do they prefer? Options: Board/Audit Chair, CEO, CISO, GC, Regulator liaison, Other
    • What does your board expect for a 'board-ready' briefing format (select all that apply)? Options: Slides, One-page executive summary, Incident timeline, Legal analysis memo, Combined packet
    • Which forensic actions are non-negotiable in that two-hour window (e.g., memory capture, disk image, cloud snapshot)? Options: Endpoint disk images, Memory dumps, Network packet capture (PCAP), Cloud snapshots via provider APIs, Authentication and SIEM logs
    • Tell us what success looks like to your risk team 72 hours after activation—describe measurable signals and stakeholder sentiment.

    Constraints That Break Even the Best Plans

    • Which real-world constraint do you believe is most likely to derail a perfect response plan? Options: Limited holiday/on-call staffing, Concurrent major incidents, Vendor capacity limits, Regulatory complexity, Budgetary approval delays
    • How many concurrent incidents can your organization and existing vendors realistically support before response quality degrades? Options: One, Two, Three or more, Depends on severity, Unknown
    • What blackout periods (holidays, quarter-end, trading windows) significantly limit your internal response capacity? Options: Weekends/holidays, Quarter-end/close, Trading hours, Regulatory reporting windows, None
    • Describe any contractual or technical constraints with third parties (MDR, cloud providers, MSPs) that limit rapid evidence collection.
    • What minimum SLA do you require from a retainer partner during peak times? Options: <1 hour, 1–2 hours, 2–4 hours, 4–8 hours, >8 hours
    • If vendor concurrency is a real risk, which mitigation do you prefer: exclusivity, guaranteed priority, or tiered surge capacity? Options: Exclusivity, Guaranteed priority, Tiered surge capacity, No preference

    What's a Realistic Next Step You Can Commit To?

    • If we could design an activation and privilege structure that addressed your top three concerns, what would you be willing to commit to in the next 30 days? Options: Sign a scoping agreement, Schedule a tabletop exercise, Share current playbooks for review, Initiate legal privilege review, Other
    • Which artifacts would you be willing to share for a readiness review? Options: Incident playbooks, On-call rosters, Legal retainer templates, Network architecture diagrams, Cloud provider contacts
    • Who on your team should be involved in a one-hour design session to map activation and privilege flows? Options: CISO, GC, Head of IR, Compliance Officer, IT Ops Lead, Other
    • What criteria will senior leadership use to approve a retainer (select all that will matter)? Options: Cost, SLA/response time, Privilege-retainer structure, Track record/references, Forensic depth
    • What timeline do you realistically expect for full deployment (playbook alignment, technical access, tabletop exercises)? Options: <1 month, 1–2 months, 3–6 months, 6–12 months, Unsure
    • Anything else you want us to know before we propose a tailored retainer and activation plan?
  3. Solution Experience

    Run a scenario-based walkthrough showing how the retainer activates within two hours, preserves chain-of-custody and privilege, and coordinates regulator and board communications.

    Experience Meetings

    • Scenario Pre-Work & Current State Confirmation
    • Rapid Activation Walkthrough (0–2 Hours)
    • Forensics Preservation & Legal Privilege Drill
    • Regulatory & Board Communications Simulation
    • Validation, After-Action & Acceptance
    • Customer to approve the regulator notification templates and identify primary regulator contacts.
    • Confirm that chain-of-custody templates and controls meet regulatory and legal evidentiary expectations.
    • Prove the privilege segregation workflow prevents inadvertent waiver during forensic work.
    • Validate retention, transfer, and encryption mechanisms for evidentiary artifacts.
    • Agree and sign the evidence-handling SOP and COC forms for inclusion in the shared playbook.
    • Legal to provide the privileged mailbox/secure channel and confirm access controls.
    • Forensics team to provide a checklist of tools and hashing procedures used during imaging.
    • Regulatory Notification Decision Tree
    • Validate that notification timing and content meet regulator expectations while preserving privilege.
    • Prove the board briefing is concise, factual, and uses artifact-backed claims the GC can defend.
    • Align spokespersons and communication gating rules to avoid conflicting public statements.
    • Introductions & Objectives
    • Prepare a board slide-deck template that evidences forensics findings without waiving privilege.
    • Designate and pre-approve public spokespersons and escalation approvals for press statements.
    • AAR vs Success Signals
    • Force validation that the scenario achieved (or failed) the defined future state and document evidence.
    • Produce a prioritized remediation plan with named owners and deadlines.
    • Obtain agreement on acceptance criteria and schedule the next validation exercises.
    • Owner to publish the AAR with timestamps, evidence links, and a checklist of what passed vs failed.
    • Assign remediation owners with target completion dates and publish to the shared playbook.
    • Schedule the first full tabletop drill within 30 days and a follow-up live drill within 90 days.
    • If acceptance criteria are met, prepare the retainer amendment for mutual-commit review.
    • Produce a single-sentence current state that all participants agree is accurate.
    • Quantify the concrete consequences (time, cost, regulatory risk) if the current state remains unchanged.
    • Agree a single-sentence future state that the scenario must prove.
    • Create a pre-scenario checklist of artifacts and roles to enable the walkthrough.
    • Customer to deliver the incident playbook, GC privilege memo, and primary contact roster 48 hours prior to the scenario.
    • Seller to prepare the scripted incident trigger, activation call template, and forensic templates tailored to the customer's environment.
    • Legal (Customer GC) to confirm privileged-retainer language and the invocation procedure for privilege within the first hour of activation.
    • Customer IT to provide temporary access credentials or a sandbox image for the scenario.
    • Incident Trigger & Call to Action
    • Prove the team can reach retainer activation and first-forensic-actions within two hours.
    • Validate the activation call script and role responsibilities in the customer's context.
    • Confirm the invocation process for privilege is practical and enforceable in the first hour.
    • Agree contingency actions if provider resources are constrained.
    • Finalize and distribute the activation call script with named alternates and time expectations.
    • Customer to pre-authorize primary responder access scope for first 120 minutes under agreed legal guardrails.
    • Seller to document the 0–2 hour timeline as a visual runbook for the customer.
    • Forensic Imaging Demonstration
    • Single-Sentence Current State
    • Gap Analysis & Root Cause Review
    • Regulator-Facing Scripts & Filing Mockups
    • Chain-of-Custody Process & Forms
    • 0–60 Minute Tasks
    • Consequence Quantification
    • Privilege Invocation & Segregation Workflow
    • Board Briefing Role-Play
    • Acceptance Criteria & Sign-off Conditions
    • 60–120 Minute Tasks
    • Remediation Prioritization & Owners
    • Activation Script & Roles Validation
    • One-Sentence Future State
    • Press & Customer Communication Alignment
    • Contested Evidence Scenario
    • Validation Criteria Mapping
    • Next Steps: Tabletop/Live Drill Cadence
    • Concurrency & SLA Contingency
    • Post-Notification Evidence and Reporting Package
    • Scope & Constraints Confirmation
    • Logistics & Pre-scenario Data Checklist
  4. Retainer & Response Scope

    Define retainer coverage, guaranteed SLAs, forensic depth (endpoint, network, cloud), notification responsibilities, and measurable deliverables.

    Scope Configuration

    • Emergency Retainer Activation (2-hour response)
    • Onsite Endpoint Forensic Imaging
    • Remote Forensic Artifact Collection
    • Network Traffic Capture and PCAP Analysis
    • Cloud Snapshot and Log Preservation
    • Malware Triage and Reverse Engineering
    • IOC Hunting and Enterprise Sweep
    • Host Isolation and Access Containment
    • Credential Rotation and Session Termination
    • Chain-of-Custody Evidence Packaging
    • Attorney-Privileged Forensic Briefing Package
    • Regulatory and SAR Filing Support
    • Expert Witness Affidavit and Exhibit Preparation

    Scope Questions

    Emergency Retainer Activation (2-hour response)

    • Do you require a guaranteed 2-hour on-call activation SLA for all declared incidents? Options: Yes - 2 hours guaranteed, Yes - 4 hours acceptable, No - activation SLA negotiable
    • Who is authorized to trigger the retainer activation? Options: General Counsel (GC), CISO/Security Lead, Both GC and CISO, Board-designated escalation lead, Other
    • What activation channels should be supported (select all that apply)? Options: 24/7 phone hotline, Secure portal incident declaration, Email to designated address, Pager/SMS, Escalation via vendor management contact
    • Are there blackout periods or geographic constraints that affect response (e.g., data center access, holiday staffing)? Options: No constraints, Limited access during holidays/weekends, Regulatory/geographic constraints apply, Other - please describe
    • What initial deliverable do you require within the first 2 hours of activation? Options: Initial responder on-scene/remote confirmation, Preliminary triage summary, Containment recommendation, No immediate deliverable required, Other - free response
    • If providers are engaged on other matters, what concurrency rules apply (e.g., priority for financial-sector clients)? Options: Preempt for this client, First-come-first-served, Defined prioritization list, Discuss on a case-by-case basis

    Onsite Endpoint Forensic Imaging

    • Do you anticipate requiring onsite imaging capability as part of the retainer? Options: Yes - routinely required, Yes - occasionally, No - remote-only preferred
    • How many endpoints should the provider be prepared to image on initial activation? Options: 1-5, 6-20, 21-100, 100+
    • Which operating systems and device types are in scope for onsite imaging? Options: Windows, Linux, macOS, Mobile (iOS/Android), Network appliances/OT
    • What depth of collection do you require for onsite imaging? Options: Full disk image (forensic) + RAM capture, Full disk only, File-level collection only, Volatile memory only, Other
    • Are there physical access or badge requirements the responder should be aware of?
    • Do you require an attorney or GC presence during onsite imaging to preserve privilege? Options: Yes - attorney present required, Attorney on-call but not required onsite, No

    Remote Forensic Artifact Collection

    • Should remote collection cover endpoints, servers, cloud instances, or all of the above? Options: Endpoints only, Servers only, Cloud instances only, All of the above
    • Which artifact types are mandatory to collect remotely? Options: EDR telemetry/logs, System and application logs, Registry and system metadata, User browser/history artifacts, Memory/RAM captures
    • Do you have an EDR/agent platform already deployed that the provider can use for remote collection? Options: Yes - vendor (please specify)
    • What transfer mechanism is preferred for remote artifacts? Options: Encrypted SFTP/SCP, Secure cloud upload (S3/Azure Blob), Physical courier on encrypted media, Other - free response
    • Are there bandwidth or throttling restrictions that would limit large artifact uploads? Options: No, Yes - limited to small uploads, Yes - requires scheduled windows
    • Do you require signed attestations or timestamped logs for remote collection events? Options: Yes - required, Optional, No

    Network Traffic Capture and PCAP Analysis

    • Do you require full packet capture (PCAP) or selective/session capture? Options: Full PCAP, Selective/session capture, Metadata/flow-only (NetFlow/VPC Flow), Unsure - advise
    • Where should captures be taken (select all that apply)? Options: Perimeter firewall, East-west inside datacenter, VPN concentrators, Cloud VPC/subnet taps, Remote office edge
    • What retention window do you need for captured traffic for retrospective analysis? Options: 24-72 hours, One week, 30 days, Custom - specify
    • Is decrypting encrypted traffic (TLS interception or session key capture) authorized? Options: Yes - authorized, No - not authorized, Only with GC approval per-incident
    • What throughput or volume constraints should the capture plan consider (Gbps or TB/day)?
    • Do you require a written PCAP analysis report with timelines and extracted artifacts? Options: Yes - formal report, Summary findings only, No - raw PCAP delivered

    Cloud Snapshot and Log Preservation

    • Which cloud providers and regions are in scope? Options: AWS, Azure, GCP, OCI, Other - free response
    • Which artifacts are critical to preserve in-cloud? Options: VM/instance snapshots, Cloud storage objects (S3/Blobs), CloudTrail/Activity logs, VPC flow logs, IAM configuration
    • Do you require point-in-time snapshots or continuous preservation (e.g., immutable backups)? Options: Point-in-time snapshots, Continuous retention, Both options available
    • Can the provider be granted the necessary cloud IAM roles to create snapshots/log exports, or must actions be executed by your staff? Options: Provider granted roles, Actions executed by customer staff, Hybrid - temporary elevation
    • Are there regulatory or data residency constraints that affect snapshot export or transfer? Options: No constraints, Yes - residency restrictions, Yes - regulated data handling required
    • What timeline do you expect for preserved cloud artifacts to be available for analysis? Options: Within 2 hours, Within 4-8 hours, Within 24 hours, Custom - free response

    Malware Triage and Reverse Engineering

    • Do you expect initial malware triage only, or full reverse engineering and reporting? Options: Triage only (behavioral indicators), Full reverse engineering (code analysis), Both depending on severity
    • What turnaround time do you require for a triage summary and for a full RE report? Options: Triage within 4 hours, RE within 7 days, Triage within 24 hours, RE within 14 days, Custom - free response
    • Are sandbox detonation and external telemetry sharing permitted for samples? Options: Yes - permitted, No - samples must remain internal, Only with GC approval
    • Do you require YARA rules, signatures, or detection content as deliverables? Options: YARA rules, EDR signatures, IOCs only, None
    • Will potential malware findings require escalation to law enforcement or regulator notification? Options: Yes - law enforcement likely, Yes - regulator notification likely, No
    • Are sample handling and storage subject to privileged/attorney-only controls? Options: Yes - attorney-privileged handling required, Optional, No

    IOC Hunting and Enterprise Sweep

    • Scope for IOC hunting on initial engagement should include which asset types? Options: Endpoints (workstations/laptops), Servers (databases, app servers), Cloud workloads, Network devices, All of the above
    • What retrospective window should sweeps cover (e.g., last 24 hours, 30 days)? Options: 24-72 hours, 7 days, 30 days, Custom - specify
    • Do you permit automated containment when IOCs are confirmed, or should detection only be reported for manual approval? Options: Automated containment allowed, Manual approval required, Hybrid - depends on severity
    • Which telemetry sources can the provider access for hunting? Options: EDR/agent telemetry, SIEM logs, Proxy/web logs, Cloud provider logs, Other - specify
    • What format and cadence do you expect for sweep reporting (real-time alerts, end-of-day, final report)? Options: Real-time alerts + final report, Daily summary, Final consolidated report only, Other - free response
    • Are there tolerance thresholds for false positives that the provider should use when surfacing findings? Options: Low tolerance - surface only high-confidence IOCs, Moderate tolerance - include medium confidence, High tolerance - include all possible IOCs

    Host Isolation and Access Containment

    • What isolation methods are acceptable (select all that apply)? Options: Network quarantine via NAC/firewall, Disable user accounts in AD/IdP, Shut down/power off host, VLAN segmentation, Physical disconnect
    • Who must authorize host isolation actions during an incident? Options: CISO or delegated security lead, GC approval required, Pre-authorized security responders, Board/exec approval
    • What is the acceptable business-impact level for isolation actions (i.e., can critical systems be taken offline)? Options: No critical systems offline, Allowed with GC/CRO approval, Allowed if immediate risk, Discuss per-incident
    • Do you require documented rollback/runbook steps to restore hosts post-isolation? Options: Yes - detailed runbook required, High-level restoration steps, No
    • Should isolation actions be logged in a custody/incident journal and shared with GC for privilege purposes? Options: Yes - mandatory, Optional, No
    • Are there remote access constraints (e.g., RDP/SSH) that affect how responders can perform containment?

    Credential Rotation and Session Termination

    • Which credential types must be covered by rotation capability? Options: Human user passwords, Service accounts, API keys/service principals, Privileged admin accounts, Federated SSO tokens
    • Do rotations need to be staged to avoid service outages (e.g., sequence plan required)? Options: Yes - staged rotation required, No - immediate rotation OK, Depends on system
    • Should active sessions be forcibly terminated as part of the initial response? Options: Yes - terminate sessions immediately, No - require approval, Terminate only for high-risk accounts
    • Do you require the provider to perform the rotations or only provide scripts/playbooks for in-house execution? Options: Provider performs rotations, Provider provides scripts/runbooks, Hybrid - provider assists
    • Is there a logging/audit requirement for all credential changes (e.g., immutable audit trail)? Options: Yes - immutable audit trail, Yes - standard logs sufficient, No
    • Are service windows or maintenance windows that limit credential changes? Options: No constraints, Yes - scheduled windows only, Case-by-case with approval

    Chain-of-Custody Evidence Packaging

    • Do you require forensic evidence packaged to courtroom standards (e.g., sealed, tamper-evident media)? Options: Yes - courtroom standard, Yes - regulator submission standard, No - internal analysis only
    • Which hashing algorithms and integrity controls do you require for evidence (select all that apply)? Options: SHA-256, SHA-1, MD5, Timestamped signatures, Other - specify
    • Where should evidence be stored post-collection? Options: Provider-controlled secure facility, Customer evidence locker, Third-party escrow, Hybrid - specify
    • What documentation format do you require for chain-of-custody logs? Options: Signed PDF with timestamps, Electronic custody log with signatures, Paper chain-of-custody forms, Other - free response
    • Do you require physical transfer via courier for certain artifacts, or is encrypted remote transfer acceptable? Options: Encrypted remote transfer acceptable, Physical courier required for some artifacts, Both as needed
    • Are there legal hold or e-discovery requirements that affect packaging and retention? Options: Yes - legal hold applies, No, Unsure - need guidance
  5. Mutual Commit

    Finalize engagement terms including privilege-retainer structure, fees, activation thresholds, concurrent-incident handling, and acceptance criteria.

    Agreement Modules

    • Statement of Work (SOW)
    • Master Services Agreement (MSA)
    • Privileged Retainer & Attorney-Client Privilege Agreement
    • Service Level Agreement (SLA) & Response Commitments
    • Activation Criteria & Thresholds
    • Concurrent-Incident & Capacity Policy
    • Fees, Pricing Schedule & Billing Terms
    • Evidence Handling & Chain-of-Custody Protocol
    • Regulatory Notification & Cooperation Clause
    • Acceptance Criteria & Deliverable Signoff
    • Termination, Suspension & Exit Plan
    • Data Processing, Privacy & Confidentiality Addendum (DPA)
    • Insurance, Liability & Indemnity Addendum
    • Change Order & Scope Adjustment Process
    • Subcontractor, Conflict of Interest & Background Disclosure
  6. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Pre-Deployment Readiness

      Confirm playbooks, access rights, evidence handling protocols, legal coordination, and contact rosters are in place for rapid activation.

      Readiness Questions

      Before the Alarm: How Ready Do You Really Feel?

      • When you imagine activating a breach retainer at 2 a.m. on a holiday, what's the first thing that comes to mind?
      • Do you have a single, documented incident playbook for retainer activation that is expected to be used first-line? Options: Yes, one canonical playbook, Multiple playbooks by team/asset, Playbooks exist but fragmented, No formal playbook
      • How recently was your primary retainer activation playbook reviewed or updated? Options: Within 3 months, 3–6 months, 6–12 months, Over a year, Don't know
      • Who is listed as the formal owner of the activation playbook and who is the nominated deputy? Options: CISO, General Counsel, Head of IR, Head of Ops/Site Reliability, Other (specify in next answer)
      • If you selected 'Other' or want to add detail, please name the owner(s) and how ownership is enforced (e.g., SLA to update, annual sign-off).

      If Everything Falls Apart at 2 a.m., Who Will Break the News?

      • Who is empowered to declare 'activate retainer' after hours, and is that escalation authority written and distributed? Options: CISO only, GC only, CISO or GC, CISO/Head of IR with GC concurrence, Other — decision matrix exists
      • How quickly can your decision-maker(s) be reached outside business hours and what redundancy exists if they are unavailable? Options: Reachable <30 mins with 2 contacts, Reachable 30–60 mins, Often >60 mins, Contacting chase process unreliable
      • Who are the 3 people that must be notified immediately on activation (name and role)?
      • Tell us about one past incident or near-miss where escalation failed or was delayed — what happened and why did it stick with you?
      • How comfortable would your board expect you to justify a two‑hour activation timeline if asked the next business day? Options: Very comfortable, Comfortable with evidence, Uncomfortable, No expectation set

      Where Paperwork and Privilege Collide

      • Do you currently have a pre-negotiated privilege-retainer structure that explicitly preserves attorney-client work product during forensics? Options: Yes — written retainer with privilege terms, Yes — verbal/legacy agreement only, No retainer privilege structure, Unsure
      • Which of the following rules guide how forensic data is shared with internal/external counsel? Options: All forensics routed through GC, Pre-defined redaction workflow, Technical artifacts segregated from counsel analysis, No formal rule — ad hoc sharing
      • Describe a concrete control in your process that prevents privileged forensic notes from being used in regulatory disclosure without counsel approval.
      • Who signs off on the privilege designation during activation and how is that documented? Options: GC signs + email log, GC + CISO jointly, Incident commander signs, No formal sign-off
      • Have you had a dispute or close call where privilege status of evidence was contested by a regulator, plaintiff counsel, or internal team? If yes, briefly summarize the outcome. Options: Yes — regulator contested, Yes — plaintiff counsel contested, Yes — internal dispute, No

      What Could Break the Chain of Evidence?

      • Where are you most exposed to chain-of-custody failures — endpoint collection, cloud snapshots, network logs, or vendor handoffs? Options: Endpoint imaging, Cloud forensic exports, Network packet captures/SIEM logs, Third-party vendor handoffs, All of the above, Other
      • What forensic tooling and imaging standards do you expect the retainer provider to use (e.g., EnCase, FTK, EDR export formats)? Options: EnCase/FTK, Vendor EDR native exports (CrowdStrike, SentinelOne, etc.), Cloud native snapshots (AWS, Azure, GCP), Custom scripts & live response, Not specified — provider choice
      • How are evidence custody logs created and stored today (paper, signed chain forms, secure ticketing, forensic lab LIMS)? Options: Paper + signatures, Secure ticketing system, Forensic lab LIMS, Email trail only, Unsure
      • How often do you validate that collected forensic images are cryptographically verifiable and reproducible in an independent environment? Options: After every incident, Quarterly, Annually, Never tested, Unsure
      • Give an example of a time evidence integrity was questioned — what corrective actions did you take and how long did resolution take?

      People, Badges, and Tool Access — Who Actually Gets Through the Door?

      • Do external retainer responders receive pre-approved, documented access (VPN/jumpbox, IAM roles, service accounts) before an incident occurs? Options: Yes — full pre-approved access, Partial — some roles pre-approved, No — ad hoc approvals required, Unsure
      • Which access models do you currently use for third-party investigators? Options: Time-limited just-in-time roles, Long-lived vendor accounts, Proxy jumpbox with vendor creds, On-site physical access only, Other
      • How quickly can the teams provision elevated access required for forensic collection in cloud and privileged endpoints? Options: <30 minutes, 30–90 minutes, 90–240 minutes, >4 hours, Often days
      • What controls prevent retained responders from accessing non-incident systems or data (scoped roles, monitoring, NDA clauses)? Options: Scoped IAM roles, Session recording & monitoring, Strict NDAs + attestations, No technical controls — rely on contracts
      • Are emergency access approvals automated and auditable (e.g., ticket with approval chain) or manual and verbal? Options: Automated + auditable, Semi-automated, Manual + documented, Verbal only

      Practice Doesn’t Hurt — It Reveals

      • When was the last time you ran a full retainer activation tabletop that simulated a 2-hour activation, chain-of-custody, and GC handoff? Options: Within 3 months, 3–6 months, 6–12 months, Over a year, Never
      • If you ran an exercise recently, which elements were included: live collections, regulator script, board briefing, media response, or forensic validation? Options: Live collections, Regulator notification script, Board briefing preparation, Media/PR response, Evidence validation drills, None of the above
      • Who typically participates in your tabletop exercises (names/titles — GC, CISO, IR lead, SOC manager, board representative)?
      • How do you measure success from an exercise — time-to-activation, custody accuracy, regulator readiness, board-ready briefing quality, or something else? Options: Time-to-activation, Chain-of-custody accuracy, Regulatory notification readiness, Board-ready briefing quality, SLA adherence, Other
      • Describe one improvement you implemented after your last exercise and whether it stuck (process, tech, ownership, training).

      When Regulators and Boards Are Watching

      • How confident are you that regulator notification timelines (OCC, SEC, FFIEC/state examiners) are documented and testable under the retainer model? Options: Very confident — documented & tested, Somewhat confident — documented only, Not confident — ad hoc, Unsure
      • Does your retainer define who drafts regulator notifications, who approves them, and the escalation path if immediate legal authority is unavailable? Options: Yes — fully defined, Partially defined, No, Unsure
      • Have you practiced the GC → CISO handoff for briefing the board/audit committee within a tight timeframe? If so, what typically breaks during the handoff? Options: Yes — content gaps, Yes — timing issues, Yes — conflicting statements, No practice done
      • Which external regulators or examiners should the retainer provider be prepared to engage directly on your behalf? Options: OCC, FDIC, Federal Reserve, SEC, State regulator, FinCEN, Other
      • Give an example of a prior regulator interaction that influenced how you'd want a retainer provider to communicate (tone, documentation, timeliness).

      Small Things That Slow You Down

      • How current are your contact rosters and escalation matrices for critical roles (phone, backup phone, email, PGP/secure channels)? Options: Updated within 30 days, Updated within 90 days, Updated within 6–12 months, Not regularly updated, No central roster
      • Do you maintain machine-readable contact lists (CSV/SSO-integrated) that the retainer provider can import, or are they manually shared? Options: Machine-readable + auto-sync, CSV/manual import, Manual lists only, Not available
      • Which small administrative delays have actually caused missed SLAs in the past (e.g., missing phone numbers, expired VPN certs, outdated vendor NDAs)?
      • How do you verify the provider's access and tooling are provisioned in a non-production test before an incident? Options: Regular provisioning tests, Ad hoc test before incidents, Never tested, Unsure
      • What single administrative fix (contact list, cert refresh, NDA, automated approval) would give you the largest practical improvement in activation speed?

      If This Worked Perfectly, What Would You See?

      • Imagine a perfect retainer activation: what are the top three measurable success signals you would present to the board within 72 hours? Options: Activation within 2 hours, Chain-of-custody documented and verified, GC-approved regulator notice drafted, Board-ready incident brief delivered, No customer-impacting downtime, Root cause preliminary identified
      • How would you score a 2-hour activation success on a scale of 1–5 and what would justify a 5? Options: 1, 2, 3, 4, 5
      • What artifacts must exist after activation to satisfy both regulators and potential litigation (e.g., encrypted images, signed custody logs, privilege logs, forensic report)? Options: Encrypted forensic images, Signed chain-of-custody, Privilege/redaction log, Executive timeline & board memo, SLA fulfillment report
      • How will you know — operationally and culturally — that the retainer has been successfully integrated into your emergency response cadence?
      • Which KPIs or dashboards would you want the retainer provider to report on monthly after onboarding? Options: Time-to-activation, Evidence integrity checks passed, Exercise frequency & outcomes, Open action remediation rate, Regulatory engagements completed

      Ready to Commit: What Decisions We Need Today

      • What are the non-negotiable items you need in a pre-deployment checklist before signing off (e.g., playbook owned, contact roster validated, access tested, privilege clause signed)?
      • Which internal stakeholders must approve final pre-deployment readiness (roles: GC, CISO, CRO, Head of Ops, Compliance) and who will be the signatory? Options: GC, CISO, CRO, Head of Ops, Chief Compliance Officer, Other
      • Are there budgetary or legal constraints that would prevent provisioning emergency access or running full exercises within the next 90 days? Options: No constraints, Minor constraints — need approvals, Significant constraints — budget/legal blockers, Unsure
      • What timeline feels realistic for completing the remaining readiness items (contact list, playbook sign-off, provisioning test, first tabletop)? Options: <30 days, 30–60 days, 60–90 days, >90 days, Unsure
      • Who should we list as the single point of contact to coordinate the pre-deployment checklist and when are they available to begin?
    2. Deployment Enablement

      Schedule and run tabletop exercises, establish the incident command chain, distribute runbooks, and provision forensic tooling and contact lists.

    3. Validation Checklist

      Verify evidence-collection drills, SLA tests, regulator notification rehearsals, and the GC/CISO handoff operate as expected.

      Validation Questions

      Quick Introductions — who you are in this story

      • Please identify your primary role and responsibility for incident response and legal escalation (pick the closest fit). Options: CISO / Head of Security, General Counsel / Chief Legal Officer, CRO / Head of Operational Risk, Head of Incident Response / SOC Leader, Head of Compliance, Other (please specify)
      • Which of these best describes your team’s IR coverage model today? Options: Fully in‑house (end‑to‑end), Hybrid (in‑house + retainer partners), Retainer partner primary, Ad‑hoc vendors when needed, We don’t have a formal model
      • Who is the day‑to‑day owner of the IR playbook and the person we’d work with most closely?
      • How many verified incident activations has your organization experienced in the last 24 months? Options: 0, 1, 2–3, 4–6, 7+
      • When it comes to a retainer relationship, what’s most important to you on day one? Options: Speed of activation, Legal privilege protection, Forensic depth across endpoint/network/cloud, Regulatory experience with banking regulators, Predictable costs, Other (please specify)

      The Wake‑Up Call — what keeps you up when the headline hits

      • If the board demanded proof tonight that you can execute a coordinated response at 2am on a holiday, what would be the first thing that makes you doubt the plan? Options: Activation delays, Privilege/attorney‑client protection gaps, Conflicting internal authority, Vendor bandwidth or experience, Incomplete evidence handling
      • Tell us about a recent breach or close call (internal or peer) that changed how your board thinks about cyber readiness. What specifically alarmed them?
      • How would you rate your board’s tolerance for uncertainty in the first 72 hours of an incident? Options: Very low — they expect clear answers, Moderate — they accept some ambiguity, High — they’re comfortable with phased updates, Unsure / varies by committee
      • If negative headlines occurred, which downstream impact worries your leadership most? Options: Regulatory enforcement, Customer attrition or class action, Market reputation / stock impact, Operational disruption to clearing/settlement, Other (please specify)
      • When you imagine that worst‑case board conversation, what feeling describes it best? Options: Panic, Anger, Numb resignation, Urgency to fix, Determined to learn

      Where It Breaks at 2AM — the single point you fear most

      • Which single operational failure would cause the most damage during a night/weekend activation: delayed forensic imaging, lawyer unavailability, regulator miscommunication, or vendor overload? Options: Delayed forensic imaging, Lawyer / privilege gaps, Regulator miscommunication, Vendor overload / concurrent incidents, Other (please describe)
      • How quickly can your current responders (internal + retained) be on‑task and coordinated after a trigger is declared? Options: Under 1 hour, 1–2 hours, 2–4 hours, Over 4 hours, Unknown / untested
      • When activation has been required historically, what coordination step most frequently caused delay? Options: Authorization sign‑off, Contacting external counsel, Preserving live evidence, Communicating with regulators, Other (please specify)
      • Describe a time an after‑hours event didn’t go as planned — what broke and what did it cost (time, trust, regulatory hassle)?
      • What do responders say feels missing when they arrive on‑scene at night or on a holiday? Options: Access credentials, Runbooks / playbooks, Clear legal instructions, Board contact info, Other (please specify)

      Who Decides and Who Moves — the real decision chain

      • If we asked: who has unilateral authority to activate the retainer right now, who would you name—and what happens if they can’t be reached? Options: CISO, GC, CRO, Head of IR, Board Chair / Audit Chair, No single authority / committee decision
      • List the primary and secondary contacts we should expect to call during an activation (names/titles and preferred contact methods).
      • What activation thresholds are in use today (e.g., confirmed data exfiltration, material financial impact, regulator notice requirement)? Options: Confirmed data exfiltration, Ransomware encrypting critical systems, Potential regulatory reporting obligation, Material customer impact, Legal demand / subpoena, Other (please describe)
      • Have you defined escalation paths when primary contacts are unreachable? If yes, how often are those paths validated? Options: Yes — validated quarterly, Yes — validated annually, Yes — ad‑hoc / never validated, No escalation path defined
      • How comfortable is your GC with a pre‑negotiated privilege‑retainer that permits immediate forensic collection under attorney direction? Options: Very comfortable, Somewhat comfortable, Hesitant — needs changes, Not comfortable / opposes

      Privilege, Evidence & Legal Handcuffs — what would break the case

      • What would be more damaging to you: a broken chain‑of‑custody that invalidates evidence, or a retainer arrangement that fails to preserve privilege? Why?
      • Do you currently use an attorney‑directed retainer model where the GC signs and controls forensic scope? Options: Yes — standard model, Partially — only for some incidents, No — forensic vendor engages under IR team, We’re evaluating
      • How are sensitive forensic artifacts stored and who has access (select all that apply)? Options: Encrypted central evidence locker, Vendor‑controlled repository, Local analyst machines, Legal holds managed by GC, Other (please specify)
      • Have you had privileged materials inadvertently disclosed to regulators, plaintiffs, or in discovery? If yes, briefly describe. Options: No, Yes — limited scope, Yes — significant exposure, Prefer not to say
      • What specific controls would your GC require from a retainer partner to sign off on privilege protection?

      Are Your Playbooks Real or Decorative? — testing durability under pressure

      • Which single playbook item do you suspect would fail under a simultaneous technical and legal stress test? Options: Evidence collection sequencing, Internal comms approval flow, Regulator notification timing, Third‑party vendor coordination, Board briefing preparation
      • When was the last time your playbooks were exercised end‑to‑end with legal, forensics, communications, and the board present? Options: Within 3 months, 3–6 months, 6–12 months, Over a year, Never
      • Who owns each playbook (title), and how often are owners required to certify the playbook’s accuracy?
      • During exercises, what gap most often surfaces: people, tools, approvals, or documentation? Options: People / roles unclear, Tools unavailable or misconfigured, Approval bottlenecks, Outdated documentation, Other (please specify)
      • Upload or paste the top three runbook excerpts you’d want the retainer partner to review first (e.g., chain‑of‑custody steps, GC contact matrix).

      Regulators, Press & Customers — who speaks and when

      • If a regulator calls before containment is complete, who is authorized to respond on behalf of the institution and with what constraints? Options: GC only, GC + CISO, Designated PR + GC approval, Head of Compliance, No single pre‑authorized responder
      • Which regulators are you most likely to notify for incidents impacting clearing or customer data (select all that apply)? Options: OCC, FDIC, SEC, FinCEN, State banking regulators, Other (please specify)
      • Do you have templated regulator and customer notification language pre‑approved by counsel? If not, how long does drafting/approval typically take? Options: Yes — templates ready, Partial templates exist, No — 24–72 hours, No — longer than 72 hours
      • Describe the coordination process between legal, PR, and the incident commander when preparing board‑ready briefings.
      • How do you want a retainer partner to support regulator engagements (select top priorities)? Options: Pre‑docketed regulator briefings, Technical appendices for filings, Regulatory liaison during investigations, Expert testimony preparation, SAR/SORN filing support

      What Success Actually Looks Like — measurable signals that calm the board

      • If the board asked for a single measurable outcome to show the response worked, what would you choose (activation time, preserved privilege, regulator engagement within X hours, or another)? Options: Activation within 2 hours, Privilege preserved for all forensic artifacts, Regulator notified within SLA, Board‑ready brief delivered in X hours, Containment achieved within 24 hours, Other (please specify)
      • For each success signal you selected, what metric would count as success (e.g., 'activation within 2 hours' = 90% of incidents)?
      • How would you like success to be evidenced in post‑incident reporting (select all that apply)? Options: Time‑stamped activation logs, Chain‑of‑custody records, Privileged containment memo from GC, Technical root‑cause summary, Regulator engagement timeline, After‑action recommendations
      • What would be unacceptable to the board even if technical containment was successful? Options: Publicly contradictory statements, Privilege waiver, Delayed regulator notification, Major customer data loss, Significant legal exposure
      • Who signs off internally that the success criteria were met and that the incident can move to after‑action? Options: GC, CISO, CRO / Risk Committee, Incident Commander, Board Audit Chair

      Realities & Constraints — holidays, concurrent incidents, and human limits

      • If a material incident hit on a major holiday and your primary vendor was already handling another engagement, what single constraint would most likely force compromise? Options: Limited vendor bandwidth, Internal on‑call fatigue, Legal counsel unavailable, Regulatory timing conflicts, Budget/hours exhaustion
      • How many concurrent incidents is your organization (or your preferred vendor) contractually prepared to handle without service degradation? Options: 1, 2, 3–5, More than 5, Unknown / not defined
      • What are your hard constraints that cannot be negotiated in a retainer (e.g., guaranteed SLA, privilege structure, max billable hours)?
      • On nights/weekends, what percent of your IR decision‑makers are reliably reachable? Options: 100%, 75–99%, 50–74%, Less than 50%, Unknown
      • What budget or contracting hurdles have historically slowed down getting a retainer in place? Options: Procurement timelines, Legal terms (privilege/liability), Budget cycles, Vendor onboarding checks, Other (please specify)

      Commitment, Proof & Next Steps — what it would take to start

      • If we proposed a tabletop and evidence‑collection drill within 30 days, what is the single biggest reason you would decline? Options: Scheduling conflicts, Budget not approved, Concerns about privilege, Perception we’re not ready, Other (please explain)
      • Which stakeholders must be engaged to greenlight a retainer and tabletop (select all that apply)? Options: GC / Legal, CISO / Security, CRO / Risk, CFO / Procurement, Board Audit Chair, Other (please specify)
      • What documents or artifacts would you share pre‑exercise to make the session high‑value (e.g., runbooks, contact lists, recent incident summaries)? Options: Runbooks / playbooks, Contact roster, Recent incident AARs, Network / architecture diagrams, Legal memos on privilege strategy, Other (please list)
      • Realistically, what timeline do you need to review and approve a proposed retainer SOW and privilege appendix? Options: Under 2 weeks, 2–4 weeks, 1–2 months, Longer than 2 months
      • What would make you feel confident enough to run a validation checklist (drills, SLA tests, GC/CISO handoff) with our team?
  7. Success

    Conduct after-action reviews following exercises or incidents, confirm success signals were met, and capture improvements for the shared playbook.

    Success Reviews

    • Cross-Functional After-Action Review (AAR)
    • Technical Forensics & Evidence Validation Deep Dive
    • Legal, Privilege & Regulatory Retrospective
    • Executive & Board-Prep Success Validation
    • Playbook Update & Prioritized Remediation Workshop

    Issues & Enhancements

    • Attain executive agreement on prioritized risk acceptances and remediation timelines.
    • Define technical playbook and tooling updates to address observed gaps and capacity constraints.
    • Produce a chain-of-custody exception log for any artifacts with incomplete metadata and remediate where possible.
    • Update forensic runbooks with specific tooling parameters, imaging checklists, and naming conventions.
    • Schedule a post-mortem evidence re-verification session if any findings remain disputed.
    • Document capacity thresholds and escalation triggers when concurrent incidents exceed resource limits.
    • Opening & Legal Scope
    • Confirm whether privileged channels and document controls were applied correctly and identify any breaches.
    • Validate regulator notification timing and content against contractual and regulatory obligations.
    • Define legal playbook changes and communication guardrails to prevent privilege erosion.
    • Produce a privilege audit: list documents, access logs, and any non-privileged disclosures requiring remediation.
    • Revise regulator notification templates and clarify who is authorized to send/approve notifications.
    • Establish a privileged-document handling training for responders and legal stakeholders.
    • Coordinate with external counsel to finalize privileged reporting format for future incidents.
    • Executive Summary of Findings
    • Produce an approved executive summary and board slide deck reflecting confirmed success signals.
    • Ensure GC/CISO/CRO alignment on regulator posture and public messaging before distribution.
    • Welcome & Objectives
    • Finalize and distribute the board-ready executive summary and Q&A memo.
    • Obtain executive sign-off on regulator communications and press posture if required.
    • Schedule a brief rehearsal for the CRO/GC presenting to the audit committee.
    • Review AAR Remediation Register
    • Produce a version-controlled set of playbook updates with owners and deadlines for each change.
    • Define verification methods and acceptance criteria for each remediation to confirm closure.
    • Establish a recurring improvement cadence and metrics to measure playbook effectiveness.
    • Publish Playbook vNext with tracked changes and notify stakeholders of the update and review window.
    • Assign owners to run a verification tabletop or drill for each high-risk playbook change within 60 days.
    • Integrate AAR metrics into the quarterly risk dashboard and report to the audit committee.
    • Create a lessons-learned annex (privileged where required) and store per legal retention policies.
    • Confirm whether each documented success signal was met and collect evidence to support the assessment.
    • Identify and prioritize the top 3–5 remediation items with owners and deadlines.
    • Surface systemic root causes that require playbook or process changes.
    • Agree on immediate mitigations to prevent recurrence within 30 days.
    • Produce a verified incident/exercise timeline (time-stamped) and publish to the shared playbook repository.
    • Create a prioritized remediation register (top 5) with owners and 30/60/90-day milestones.
    • Schedule focused follow-up sessions for any unresolved high-risk topics (forensics, legal privilege, regulator outreach).
    • Collect and attach supporting artifacts (logs, call records, notifications) to the AAR record.
    • Scope & Objectives
    • Confirm integrity of evidence and a defensible chain-of-custody for critical artifacts.
    • Validate the forensic root-cause findings and identify any outstanding technical questions.
    • Incident/Exercise Timeline Recap
    • Board-Ready Deliverables
    • Privilege Chain & Privileged Reports
    • Forensic Timeline & Actions
    • Playbook Change Mapping
    • Chain-of-Custody Evidence
    • Regulatory & Public Messaging Posture
    • Regulatory Notification Timeline
    • Owner & Timeline Assignment
    • Success Signals Review
    • Tooling & Process Performance
    • Residual Risk & Acceptance
    • Testing & Verification Plan
    • External Communications & Statements
    • What Went Well (WWT)
    • Gaps & Failure Modes
    • Documentation & Publishing Workflow
    • Forensic Findings Validation
    • Approval of Communication Materials
    • Privilege Risk Scenarios
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.