Incident Response Team Training

Make Sure Your Team Understands the IR Plan

Incident Response Basics and IR Plan Training

While HALOCK customizes incident training to match your organization’s plan, the general format is the same for all clients:

Review of the Basics. In this phase of the training, attendees become familiar with the key responsibilities of the incident response team (IRT) when handling a security event or incident. We go over incident response basics, terms, roles and responsibilities of the team members, plan phases (alerting, triage, investigation, containment, eradication, recovery, learning and planning), communications management, managing priorities and notification obligations.

Tabletop Exercises. We create two types of scenarios that are relevant to your organization. These scenarios are customized to meet the concerns of the organization, and will include the actual names of client systems, departments, etc., in order to increase the validity of the scenario. In the first set of scenarios (usually 4-6 can be covered in a typical training session) we present a hypothetical breach along with a mix of technical and nontechnical information, including the impact of the data compromise or integrity issue, and the availability of key systems. The facilitator asks participants the following questions regarding the scenario, which are discussed with the team:

  • What are their concerns?
  • What is their role?
  • How should this incident be classified?
  • To whom should they communicate?
  • What message should they communicate?
  • What questions would they like to ask?

The second scenario is one in which the entire plan is examined from the very beginning. This scenario illustrates to the nontechnical team members what would have happened before the entire team is called together.


Sample Topics Presented During Training

The following or similar topics are covered during training to ensure that the team understands the plan and has a good grasp of how to respond in the event of a cyber security incident.

  • Operating the IR Plan
  • Response by Incident Type (e.g., an operations incident vs. a security breach)
  • Communications Management
  • Managing Priorities
  • Key activities per phase
  • Escalation Procedures
  • Notification Obligations
  • Lessons Learned

This cyber security training fulfills your requirements for an annual test of your IR plan and provides training for new staff. The custom tabletop exercises, tailored to your industry and based on your run books, also fulfill the incident response training requirement set by cyber insurance carriers.

“Your staff is incredible. They are excellent to work with.”

-Manufacturing company


HALOCK’s overall strategic approach, Purpose Driven Security®, helps define reasonable security: the right amount of security to protect critical assets. It brings together a full perspective of an organization to establish what is reasonable and appropriate to manage risk.

  • Security controls implemented should encompass the necessary balance of compliance, business objectives, and obligations on how they affect all parties. Not all security controls should be implemented, and those that are should be implemented only to a certain degree depending on the calculated risk being treated.
  • Organizations have an obligation to perform proactive due care to reduce liability for shareholders, clients, partners, employees and the greater good, as appropriate. Thus, businesses need to take into consideration cyber threats that are foreseeable; HALOCK can help identify them and establish reasonable safeguards.


The HALOCK Security Briefing is a review of significant events, trends, and movements that will influence how you manage cybersecurity, risk, and compliance. Our clients receive periodic overviews with an extensive report file on the topics discussed. This insightful document also includes reference links throughout the report for easy navigation and deeper research. 


HALOCK recognized in 2024 Verizon Data Breach Investigations Report (DBIR) on how to estimate risk.

Estimate risk based on real threat data. Read Appendix D in the 2024 Verizon Data Breach Investigations Report (DBIR) to augment your risk analysis.
