Fast decision practice for security teams

15-minute incident response drill

A 15-minute drill is not a full tabletop exercise. It is a focused rehearsal of the first few decisions a team must make when an alert becomes an incident candidate. Use it when you need a fast readiness check, a meeting opener, or a practical bridge between annual tabletop exercises.

When to use this format

Use this drill when the goal is rhythm, not completeness. It fits a weekly security meeting, a new-team onboarding session, a post-policy-change check, or a quick practice run before a longer exercise. Keep the scenario defensive, generic, and narrow enough that participants can make useful decisions without needing sensitive system details.

Facilitator structure

  1. 0-2 minutes: State the incident type, time box, ground rule, and scribe. Tell the group that the goal is to make reasonable early decisions with incomplete information.
  2. 2-5 minutes: Read the starting condition. Give one alert, one affected service or process, one business pressure, and one unknown.
  3. 5-11 minutes: Ask three decision questions. Capture the answer, owner, assumption, and any fact the team needs next.
  4. 11-14 minutes: Ask what slowed the decision. Look for unclear authority, missing contact paths, evidence risk, communication confusion, or tooling assumptions.
  5. 14-15 minutes: Assign one follow-up. A short drill should end with one concrete improvement, not a wishlist.

Three decision points

  • Declare or monitor: Is this an incident, a suspicious event, or an alert that needs more facts before escalation?
  • Contain or preserve: What action reduces immediate risk without destroying evidence, breaking business operations, or hiding the real scope?
  • Notify or wait: Who needs to know now, what can be said safely, and what must wait until the team has verified facts?

Example starting prompts

  • Credential phishing: A user reports approving an unexpected MFA prompt after clicking a payroll-themed link.
  • Ransomware concern: A shared folder shows renamed files and several users report access errors.
  • Vendor outage: A critical SaaS vendor dashboard is unavailable and support has not posted a clear incident notice.
  • Business email compromise: Finance receives an urgent payment-change request that appears to come from a senior leader.

Common mistakes

  • Trying to solve the whole incident: The drill is about the first decisions, not complete recovery.
  • Letting one person lecture: Ask each role what decision they own or what fact they need.
  • Skipping assumptions: Many bad incident decisions come from unstated assumptions that no one validates.
  • Ending without an owner: One assigned improvement is better than ten vague observations.

After-action notes

Capture five things only: the decision made, the owner, the strongest assumption, the unanswered question, and one follow-up action. This keeps the drill fast while still creating evidence that the team is practicing real response judgment.

Useful follow-ups sound like: "Confirm who can approve account disablement after hours," "Add vendor status-page checks to the outage checklist," or "Create a one-paragraph holding statement for suspected payment fraud."

FAQ

Can a 15-minute drill replace a tabletop?

No. It complements a tabletop by keeping incident decision practice fresh between larger exercises.

How many people should attend?

Keep it small enough for decisions to move. A facilitator, a scribe, a technical owner, a business owner, and a communications or leadership representative are often enough.

Should we use real incident details?

Use plausible, sanitized details. Do not put secrets, regulated data, confidential incident history, or sensitive architecture details into the drill notes.
