performing-ransomware-tabletop-exercise

Featured

Plans and facilitates tabletop exercises simulating ransomware incidents to test organizational readiness, decision-making, and communication procedures. Designs realistic scenarios based on current ransomware threat actors (LockBit, ALPHV/BlackCat, Cl0p), injects covering double extortion, backup destruction, and regulatory notification requirements. Evaluates participant responses against NIST CSF and CISA guidelines. Activates for requests involving ransomware tabletop, incident response exercise, or ransomware readiness drill.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Performing Ransomware Tabletop Exercise

## When to Use

- Testing organizational ransomware response procedures annually or after major infrastructure changes
- Validating decision-making processes for ransom payment, regulatory notification, and public disclosure
- Training executives, IT, legal, PR, and operations teams on their roles during a ransomware incident
- Meeting cyber insurance policy requirements for documented incident response testing
- Identifying gaps in recovery playbooks, communication plans, and backup procedures

**Do not use** as a substitute for technical controls testing. Tabletop exercises validate procedures and decision-making, not technical detection or prevention capabilities.

## Prerequisites

- Documented incident response plan (IRP) that participants should have read before the exercise
- Identified exercise participants from: executive leadership, IT/security, legal, communications/PR, HR, operations, and external counsel
- Facilitator who is independent from the IR team (to provide objective evaluation)
- Ransomware scenario designed with injects that escalate over multiple rounds
- Evaluation criteria aligned to NIST CSF Respond/Recover functions
- Conference room or virtual meeting for 2-4 hours with no interruptions

## Workflow

### Step 1: Design the Exercise Scenario

Build a realistic scenario based on current threat actor TTPs:

**Scenario Structure:**

```
Phase 1: Initial Detection (30 min)
- SOC receives alert for suspicious ...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-ransomware-response

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

12,642 Updated today
mukul975
AI & Automation Featured

performing-soc-tabletop-exercise

Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to test incident response procedures, communication workflows, and decision-making under pressure without impacting production systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident response testing.

12,642 Updated today
mukul975
AI & Automation Featured

building-soc-playbook-for-ransomware

Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.

12,642 Updated today
mukul975
AI & Automation Featured

building-ransomware-playbook-with-cisa-framework

Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response playbook creation, or ransomware preparedness assessment.

12,642 Updated today
mukul975
Testing & QA Featured

testing-ransomware-recovery-procedures

Test and validate ransomware recovery procedures including backup restore operations, RTO/RPO target verification, recovery sequencing, and clean restore validation to ensure organizational resilience against destructive ransomware attacks.

12,642 Updated today
mukul975