It Is 8 AM On A Monday. Your Company Is Breached. What Do You Do?
It is 7:58 on a Monday. You walk into the office, coffee in hand. The phone rings. It is your IT director, and his voice is shaking a little.
"We have a problem. The servers are encrypted. There is a ransom note. Nobody can log in."
In thirty minutes, 200 employees arrive. In two hours, your clients start calling. In six hours, a journalist might call. And right now? The only question that matters is the one nobody ever trained for. What do you do?
I have watched this scene play out more times than I can count, in companies of every size. And here is what people don't expect. The team almost always has the talent. They have the tools. They have the budget and the will. What they don't have is practice, or the time to do it.
Nobody ever tested their response as a team, before it counted. That's the whole problem. And it's why I keep coming back to the tabletop exercise.
The first hour is where it falls apart
Let me keep walking through that Monday, because the timeline is the lesson.
At T+15 minutes, IT is still trying to understand the scope. The director calls the CEO. The CEO is in the car. Nobody knows whether to cut the network or leave it up. The cloud provider's support line rings into the void. The first half hour gets burned just figuring out what is happening.
Who decides what? Who calls whom? Nobody has the reflexes.
This is not a regional problem, and it is not a small-company problem. It hits everyone, from the corner-store SMB to the Fortune 100.
In August 2025, attackers abused OAuth tokens tied to the Salesloft Drift integration and quietly walked into the Salesforce data of more than 700 organizations. Not small shops. Cloudflare, Zscaler, Palo Alto Networks, Tenable, Proofpoint, CyberArk. Cloudflare alone had to find and rotate 104 leaked API tokens. The campaign ran ten days, from August 8 to 18, before anyone shut it down, and notifications only started going out on August 26. These are teams with world-class security, and the breach still moved faster than the response.
And the lesson was not technical. The incident response plans existed. They defined who to notify. But they stopped short of saying who actually decides, until the thing had already crossed a material risk threshold. So leadership waited for confirmation. Legal, communications, and the business each looked at the risk from their own corner, each one reasonably cautious, and all that caution created friction at exactly the wrong moment. You cannot align for the first time during a crisis. If it happens to Palo Alto Networks, the question for the rest of us is not whether the tools held. It is whether the team knew who decides, what to do, and how.
At T+1 hour, the employees arrive. 200 people, no file access. Customer service takes its first calls. Someone drops a message in Slack: "is this ransomware? Our systems were never secure anyway." Nobody has a clear instruction to give. And there it is, the first real artifact of the day. Your own people become the leak. Whatever gets said internally is on LinkedIn within two hours.
By the way, saying "our systems were never secure" in your own chat can blow up your attorney-client privilege. But that's another subject!
The decisions get worse as the day goes on
At T+3 hours, the ransom demand is real. Say 850,000 dollars in bitcoin, 72 hours to pay. Now the CEO, the VP of finance, a breach coach, and a lawyer are all on the call. Nobody knows if the cyber insurance even covers a payment. Nobody knows if paying is legal, or even a good idea. The real decisions land when adrenaline is highest and information is lowest. Worst possible combination. And no, this is not hypothetical.
When DaVita, a major US dialysis provider, got hit in April 2025, the post-incident analysis was blunt: the attack exposed deficiencies in incident response planning that went far beyond the usual IT security frameworks. Same lesson I bring to every tabletop. If you scope your plan to servers and networks, it falls apart the moment a real crisis touches everything else. When Nevada's state systems went down in August 2025, recovery was put at a million and a half dollars, and the takeaway was that public sector ransomware is not just a cyber incident, it's a service continuity crisis. And let's not forget, you don't even need an attacker. The 2024 CrowdStrike outage was a masterclass, not in cybersecurity, but in how fast the modern world tips over when one update goes sideways.
By T+5 hours, the public shows up. A client calls the newspaper, and the questions start. Under Quebec's Law 25 you may have 72 hours to notify the regulator. Someone has to write a statement. Nobody volunteered. The company LinkedIn is silent, and your competitors are having fun with it. The blind spots, legal, communications, HR, partners, everything that isn't IT, were never in the plan.
By T+6 hours, here is what the post-mortem says. Four hours of delay before the first real decision. Zero defined leadership roles. The Law 25 clock already blown. At least one leak to LinkedIn or the media, from an employee nobody bothered to brief. Not for lack of talent. For lack of practice and knowledge.
So what is a tabletop exercise, really
A TTX is a discussion-based simulation of a cyber crisis, run in a room, without attacking your systems; what you do verify is whether your processes hold when you walk through them. It tests your decisions under pressure, your communication channels, your roles and responsibilities, the coherence of your incident response plan, and all your non-technical blind spots.
It is not a penetration test. Nor a PowerPoint you read together!
But yes, it does poke at your systems and logs, and it validates your process maturity. Most important of all, it is absolutely not an exercise to scare people, assign blame, or point fingers.
The most common mistake? Inviting only IT. The crisis touches legal, communications, HR, and your outside partners. Your insurer, your MSP, your cloud provider. If one of those voices is missing from the table during the exercise, it will be missing during the real thing too.
The other mistakes I see on repeat: reading the plan instead of testing it, because if you have time to turn the pages, it's not a simulation. Picking a fantasy scenario, because a Chinese APT is sexy but an employee clicking a phishing email is what actually happens. Skipping the debrief, which turns the whole thing into theater. And never doing it again. A TTX once every three years is an alibi, not a program.
The data is not subtle
If you still think this is a soft, nice-to-have exercise, look at the numbers. IBM's 2024 Cost of a Data Breach report found that organizations with an incident response team that regularly tested its plan averaged 3.26 million dollars per breach. The ones with no team and no testing? 5.29 million. That's a gap of roughly 2 million dollars, a breach cost about 38 percent lower, just for the ones who practiced. Same report, the global average breach hit 4.88 million in 2024, the highest ever. Practice is not a line item you cut. It is the cheapest control you own.
And yet almost nobody does it. Depending on the survey, only about 30 percent of organizations regularly test their incident response plans, and 70 percent rarely or never test them at all. Roughly one in five has no plan at all. You don't have to rewrite your plan. You don't have to buy a new tool. You just have to practice. That gap, between knowing it matters and actually doing it, is where most failures start.
Five questions you can ask Monday morning, for free
You don't need a budget to start. Ask your team these five, and watch where it hesitates.
- Who decides to shut down a production service at 3 AM on a Saturday?
- Do you have your lawyer's personal cell number saved in your phone?
- If your email is down, how does the team communicate?
- Who talks to the media, and what do you say in the first 60 minutes?
- Your cyber insurance: who do you call, and how long to activate it?
Hesitate on two or more, and you need a TTX.
A 30-day plan, starting this week
Not in six months. Not after the next budget.
Days 1 to 7: make a list of who gets called first in an incident, with personal numbers, not just emails. Print it. Put it in a drawer.
Days 8 to 14: ask your leadership team the five questions above. Note where it hesitates. Note where it turns into an argument. Those are your blind spots.
Days 15 to 30: book a TTX. Half a day, every actor at the table, a realistic scenario built on your actual context, and an action plan on the way out. Not an 80-page PDF.
The next crisis is not going to wait for your next budget cycle.
If you want to go further, there are three ways forward. A TTX to test your readiness without touching the systems. A targeted penetration test to confirm the blind spots the TTX surfaced. And a fractional CISO to build the program over time. Boutique, delivered directly by me.
One more thing. I am building a TTX and OSINT SaaS platform to make this kind of practice continuous instead of once a year, and I am looking for beta testers. If running real, regular crisis rehearsals sounds like something your organization needs, reach out. I would like you in the beta.
You can find me at hexius.com
Simulate.
Assess.
Strengthen.
Sources
Opening scenario and the broader IR-failure argument
- What 2025's Major Cyber Incidents Taught Executives About Incident Response Readiness - Sygnia
- Why Most Incident Response Plans Fail and What to Do Instead - NCX Group
Salesforce / Salesloft Drift breach wave
- Salesloft-Drift Attack: One Compromised Integration Shakes 700+ Cos - Cyber Management Alliance
- Lessons from Salesforce/Salesloft Drift Data Breaches - Cyber Security News
- What the Salesloft Drift Breach Reveals - Abnormal AI
- Salesloft Drift Breach: Everything You Need to Know - SOCRadar
DaVita ransomware attack
Nevada state systems attack
Breach cost and IR testing data