Cybersecurity. Redefined.

Incident Response Readiness
Tabletop walk-throughs through full-spectrum live-fire simulations. Designed around the threats actually targeting your industry, run by the engineers who would respond to your real incident, and closing with detection rules deployed into your Sentinel or Defender XDR.
Tabletop
Facilitator narrates a scenario; your IR team, leadership, legal, and comms walk through the decisions they'd make. Catches gaps in the playbook before they cost you in a real incident.
Functional
Bounded, hands-on exercise that stress-tests specific capabilities — your Sentinel triage workflow, your EDR isolation flow, your DFIR collection process. Real tools, sandboxed data, no production risk.
Live-Fire
End-to-end attack scenario against an isolated replica of your environment. Simulated attacker activity plays in real time; your IR team responds with the same tooling, runbooks, and pressure they'd have in a real incident.
30-minute scoping call. We map the engagement to your IR maturity, recent incidents, and the specific outcomes you want to validate. You leave with a draft scope and a fixed price.
We design custom scenarios using current threat-hunting telemetry, your industry's active threat actors, and any control you specifically want stress-tested. MITRE ATT&CK techniques are mapped before kickoff.
Environment stand-up (range or replica of your stack), participant briefing, and a dry-run with the facilitation team to lock timing. Your responders go in fresh, the team behind the scenes goes in tested.
Tabletop, functional, or live-fire — facilitator-driven, time-boxed, recorded. We inject events, observe responses, and capture telemetry. Your team focuses on the work; we capture the data.
Live debrief within 60 minutes of the exercise ending, formal after-action report within 10 business days. Detection rules and runbook diffs are deployed into your tenant as part of the engagement, not just suggested.
Every engagement is custom; these are the most-requested launching points. Scenarios are derived from current Apsispoint threat-hunting telemetry and your industry's active threat actors.
Initial access through phishing, lateral movement to file servers, mass encryption, and an exfiltration leak-site threat. Tests detection at every stage of the kill chain plus the executive-decision pressure of a double-extortion negotiation.
Compromised executive mailbox, mail-rule manipulation, vendor-impersonation invoice, attempted wire transfer. Tests email-security telemetry, the finance team's verification process, and the SOC's ability to correlate identity and email signals.
Trojanized dependency or SaaS-vendor breach pushes malicious code into your build pipeline. Tests your software-bill-of-materials visibility, build-system monitoring, and downstream blast-radius assessment.
Stolen OAuth token, privilege escalation through misconfigured roles, persistence via federated identity. Tests your cloud-control-plane logging, identity-anomaly detection, and ability to revoke access without breaking production.
Departing employee uses legitimate access to stage and exfiltrate sensitive data over sanctioned channels. Tests DLP, UEBA, and the policy / legal process of handling a credible insider concern.
Living-off-the-land traversal through PowerShell, WMI, and signed binaries. MITRE ATT&CK-mapped from initial access through domain dominance. Tests your threat hunters' ability to see what AV and EDR miss.
Exercise taxonomy (tabletop / functional / full-scale) and program structure
Computer Security Incident Handling Guide — the IR lifecycle that exercises validate
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Adversary tradecraft coverage map referenced in the after-action report
A tabletop exercise is a facilitated discussion — the IR team talks through how they'd respond to a narrated scenario. A live-fire exercise is hands-on — your responders work in a sandboxed environment with simulated attacker activity in real time. Tabletops typically run half a day; live-fire spans one to three days plus prep. We recommend running both in sequence: tabletop to validate the plan, live-fire to validate the team.
Four to six weeks for a complete engagement. Intake and custom scenario design take about two weeks, pre-exercise environment prep takes one week, the exercise execution itself runs one to three days depending on modality, and the formal after-action report plus runbook updates land within one to two weeks of the exercise wrapping.
Both options are supported. For live-fire we typically run inside an isolated replica of your environment — snapshots of your Microsoft Defender, Sentinel, or other SIEM/EDR configuration so the experience matches your real tooling. If a replica isn't feasible, we run in our own range with content tuned to your tech stack. Tabletop exercises are environment-agnostic and can run remotely.
Three inputs drive scenario selection: (1) your industry's most active threat actors based on Apsispoint's current threat-hunting telemetry, (2) recent incidents in your environment if you're already an MDR customer, and (3) any specific control we're stress-testing on request — your DFIR plan, your insider-threat playbook, your cloud-incident runbook. The catalog of starter scenarios on this page is just a launching point; every engagement is custom.
Depends on the modality. Tabletop exercises typically include CISO, Legal, Communications, and Operations leadership for plan validation across business functions. Live-fire is generally just IR responders and team leads. We can also run purple-team variants where leadership observes the live-fire via a war-room feed without participating directly.
A formal after-action report (roughly 30 pages), a MITRE ATT&CK coverage map showing detection gaps, suggested runbook diffs, working Sentinel or Defender detection rules deployed into your tenant during the engagement, a recorded debrief, and a separate executive summary suitable for the board. Deliverables are scoped during intake so you know exactly what to expect.
A phishing simulation tests one technique against your end users. A red team tests your environment's defenses covertly without your IR team knowing. A cyber range exercise tests the IR team's response capability with full awareness — it's a training and validation exercise for the responders, not a covert attack assessment. All three are useful; they answer different questions.
30-minute scoping call. You leave with a draft scope, a fixed price, and a recommendation on whether to start with tabletop, functional, or live-fire.