Operational guide · 8-minute read

How to run an IR tabletop drill in your tenant.

A step-by-step walkthrough for the compliance officer or IT lead running their first AI-generated IR tabletop. Covers picking a category, scoping the bundle, running the live drill, locking the session as auditor evidence, and using the artifact under HIPAA §164.308(a)(8), SOC 2 CC7.4, ISO 27001 A.5.24, and the equivalent sections of NIST CSF v2.0.

The full cycle, end-to-end, takes about two hours of clock time — most of which is the drill itself. Bundle generation runs in the background while you brief the team.

Step 0 · Decide what you’re drilling

Four drill categories. Pick the one that matches your last scan.

The four categories cover the NIST CSF response surface end-to-end: identity attack, device compromise, HIPAA breach notification, and DR / restore. Each pulls findings from a different scan path, and each generates a category-specific scenario, facilitator guide, injects, and rubric.

Veri-Guard · NIST CSF Protect / Detect

Identity-attack drill

When to run it

Run when your last identity scan surfaced legacy-auth gaps, OAuth grant exposure, MFA bypass risk, or BEC-shaped findings. The drill exercises whether your team can detect, contain, and eradicate a credential-based attack against your Microsoft 365 tenant.

What it draws from

A recent Veri-Guard tenant assessment with at least one failed identity control.

Veri-Tune · NIST CSF Protect

Device-compromise drill

When to run it

Run when your last Intune scan surfaced gaps in App Protection Policy posture, device compliance state, or BYOD coverage. The drill exercises whether your team can revoke access on a lost or stolen endpoint before the data on it is exposed.

What it draws from

A recent Veri-Tune Intune-baseline assessment with at least one failed device control.

HIPAA Pack · NIST CSF Respond

HIPAA breach-notification drill

When to run it

Run when your HIPAA scan surfaced gaps in the §164.308 administrative safeguards or §164.402 breach-determination process. The drill exercises whether your team can correctly walk the four-factor analysis under the 60-day notification clock.

What it draws from

A recent HIPAA Pack assessment with at least one failed safeguard.

Veri-Vault · NIST CSF Recover

DR / restore drill

When to run it

Run quarterly regardless of recent scan posture. The drill exercises the pay-vs-restore decision under simulated ransomware pressure, including a Vault delete-attack survivability check and a per-application RTO validation pass.

What it draws from

Aggregate Veri-Vault posture (no source scan needed). Backup count, age, immutability window, and last successful restore-test date drive the scenario.

The walkthrough

Six steps from scan results to locked auditor evidence.

Each step lists what you actually do in the portal, plus the operational nuance that makes the difference between a drill that passes audit and one that gets flagged for being too generic.

Before you start — one-time setup

Configure your Org Shape so generated drills name your roles.

By default, AI-generated drills assume an enterprise IR structure: dedicated CISO, Privacy Officer, 24/7 SOC analyst. Most teams don’t look like that. Tell the AI what your team actually looks like once, and every drill generated afterward maps the IR functional roles onto the labels you use (“IT Director” instead of “CISO”, “M365 Admin” instead of “SOC analyst”).

  • Pick a size bucket: SMB (up to 10 IT/security staff), Mid-market (11 to 100), or Enterprise (more than 100). Or leave it unset and we’ll infer it from your role headcount.
  • Add the role labels you actually use with headcounts — e.g. IT Director × 1, M365 Admin × 1, Service Desk Lead × 2, Cyber Analyst × 1.
  • Role labels only, never names. Settings are persisted to your tenant + embedded in locked drill records (6-year audit retention). We never store names, emails, or reporting lines.
  • Takes about a minute. The AI Coaching pass + Team Debrief PDF + Executive Brief PDF all use the same shape so the audit chain stays consistent end-to-end.
Step 1 · ~6 minutes

Generate the drill bundle

Open the scan results page for the category you chose, click Generate IR Tabletop on the hero card, and optionally pick up to three failed controls to anchor the scenario. The AI composes a scenario tailored to your actual findings, plus a facilitator guide, timed injects, and a scoring rubric.

  • Enterprise tier required. Pro and Starter see an upsell teaser instead of the live generator.
  • Rate-limited to five generations per hour per tenant. Built-in defense against accidental fan-out.
  • The bundle output is four markdown files plus a JSON manifest, retained for six years in Veri-Vault as auditor evidence under HIPAA §164.308(a)(8) and SOC 2 CC7.4.
  • Each bundle carries a SHA-256 manifest checksum and a back-pointer to the source scan job, so the audit chain (scan → drill → locked session) is provable end-to-end.
Step 2 · ~30 minutes (one-time)

Prepare for the drill

Block 60 to 90 minutes on the calendar with five to eight named participants. The facilitator (typically the CISO or designate) reads the bundle first; participants do not see it pre-drill so the scenario lands authentically.

  • Open the bundle in /vault/tabletops/{drillId}. Read the scenario summary, threat actor, attack chain, and facilitator opening + closing scripts.
  • Assign roles ahead of time: Incident Commander, Privacy Officer (if HIPAA-relevant), Communications lead, Legal counsel, IT operations lead, SOC analyst on call. Add domain experts (DBA, application owner, vendor liaison) as the scenario warrants.
  • In-person works best for the first drill. Virtual is fine once the team has run the format once.
  • Print the scoring rubric for each participant so the closing scoring round is fast.
Step 3 · 60 to 90 minutes

Run the drill live

Click Run drill on the bundle viewer. The facilitator reads the opening script, clicks Start to begin the drill clock, then drops injects at the scheduled times (or earlier or later as the simulation pace dictates). Capture each team response in the inline textarea and score each rubric criterion at the close.

  • The drill clock is the audit primitive: the scheduled vs actual delivery time of each inject is what an auditor uses to verify the drill ran live, not as a walkthrough.
  • Drop inject is a deliberate, attestation-grade action. It captures the timestamp into the locked record on save. Undo is available while drafting; locked sessions cannot be edited.
  • When the final inject is delivered, the clock auto-pauses. Scoring is not on the clock — take the time you need.
  • Auto-save runs every 1.5 seconds; a refresh mid-drill resumes the same session at the same elapsed time.
Step 4 · ~2 minutes

Lock the session

Once every rubric criterion is scored, click Lock session. The system writes the session.json blob to Veri-Vault with a SHA-256 checksum, fires a ComplianceArtifactGenerated audit event, and the record becomes immutable. The locked view is what an auditor opens.

  • The lock action is one-way. Future edits are blocked; the record is WORM-protected for six years per BAA §3(b)(iv).
  • The locked view renders the scenario, threat actor, attack chain, all team responses, all rubric scores, and a Drill pacing audit table showing scheduled vs actual delivery time + drift per inject.
  • Provenance fields visible in the locked view: drill ID, source scan job ID, source bundle SHA-256, session SHA-256, locked-by UPN, locked-at timestamp.
  • The audit event flows into the same six-year retained event log as scan and remediation activity, with full ID chain back to the source scan.
Step 5 · Ongoing

Use the artifact

The locked session record is what proves the drill happened. Cite it in your next periodic-evaluation evidence package, compare scores quarter-over-quarter as your team matures, and feed any gaps surfaced during the drill into the remediation backlog.

  • For HIPAA §164.308(a)(8) periodic evaluation: the locked record (with date, score, participants, rubric) is the evidence that you tested your safeguards against a real attack pattern, not just reviewed policy.
  • For SOC 2 CC7.4 response based on identified events: the locked record demonstrates documented response activities mapped to specific incidents.
  • For ISO 27001 A.5.24 IR planning: the dated drill artifact is exactly the evidence auditors expect.
  • For your own program: the rubric scores are a baseline. Drift trending across quarters is what proves the program is improving.
Step 6 · Recurring

Run it again next quarter

Annual is the regulatory floor; quarterly is the practical recommendation. Generate a fresh bundle each time so the scenario reflects current scan posture, then watch the rubric scores improve as your team internalizes the tradecraft.

  • Frequency by category: identity quarterly, device twice a year, breach annually, DR quarterly.
  • Same category with different focus controls produces a new scenario — the AI grounds the narrative in whatever failed controls you anchor on.
  • A six-quarter trend chart of rubric scores per category is what most boards and CISOs want as the program-maturity readout.

What the auditor opens.

When an auditor asks for evidence of periodic evaluation under HIPAA §164.308(a)(8), or response activities under SOC 2 CC7.4, or IR planning under ISO 27001 A.5.24, the locked session URL is what you hand over. They open it and see the scenario your team actually drilled, the timed injects with scheduled vs actual delivery times, every team response captured during the live drill, the rubric scores, and the SHA-256 chain back to the source scan.

The pacing-audit table is the artifact most experienced auditors zero in on. It is unambiguous evidence the drill was run in real time under simulated decision pressure, rather than walked through as a policy review. Drift values cluster around plus or minus two minutes for a healthy live drill; all-zero drifts (every inject delivered exactly on schedule) read as suspicious.

Six-year retention is enforced at the storage layer by a WORM immutability policy, not by application logic, so a compromised portal admin credential cannot delete or alter a locked record within the retention window.
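As a worked example of the provenance chain described in the lock step and in the auditor view above, here is a small Python check that an auditor, or you before handing over the URL, could run against an exported bundle, manifest and session.json. It is an added example, not Veri-Tech’s code: the JSON field names (drillId, sourceScanJobId, files, injects, scheduledMin, actualMin, sourceBundleSha256, sessionSha256), the canonical-JSON digest rule, and the sample drill data are assumptions, since the page does not publish the export format.

```python
"""Offline verification of a locked tabletop record (added example, not Veri-Tech code).

Field names, the canonical-JSON digest rule and the sample artifacts below are
assumptions about the export format; the bundle, manifest and session are constructed.
"""
import hashlib
import json

SCAN_JOB_ID = "scan-0001"   # assumed source scan job id
DRILL_ID = "drill-0001"     # assumed drill id

# Constructed stand-ins for the four markdown files of a generated bundle.
BUNDLE_FILES = {
    "scenario.md": b"# Scenario\nCredential phishing against the M365 tenant.\n",
    "facilitator-guide.md": b"# Facilitator guide\nOpening and closing scripts.\n",
    "injects.md": b"# Injects\nT+5 helpdesk ticket, T+20 OAuth grant, T+45 mailbox rule.\n",
    "rubric.md": b"# Rubric\nDetect, contain, eradicate, communicate.\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so digests are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, scan_job_id, drill_id) -> dict:
    """Per-file digests plus the back-pointer to the scan the bundle came from."""
    return {
        "drillId": drill_id,
        "sourceScanJobId": scan_job_id,
        "files": {name: sha256_hex(body) for name, body in files.items()},
    }


def build_session(manifest, injects, locked_by, locked_at) -> bytes:
    """The session.json blob: ids, the bundle it was run from, and the inject log."""
    return canonical({
        "drillId": manifest["drillId"],
        "sourceScanJobId": manifest["sourceScanJobId"],
        "sourceBundleSha256": sha256_hex(canonical(manifest)),
        "injects": injects,
        "lockedBy": locked_by,
        "lockedAt": locked_at,
    })


def verify_chain(files, manifest, session_bytes, locked_view) -> list:
    """Return the chain failures; an empty list means scan -> bundle -> session holds."""
    problems = []
    # 1. Each bundle file still hashes to the digest recorded in the manifest,
    #    and nothing has been slipped into the bundle that the manifest omits.
    for name, digest in manifest["files"].items():
        if name not in files or sha256_hex(files[name]) != digest:
            problems.append(f"bundle file {name} missing or altered")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"bundle file {name} not covered by manifest")
    # 2. The session and the locked view both point at this manifest.
    bundle_sha = sha256_hex(canonical(manifest))
    session = json.loads(session_bytes)
    if session["sourceBundleSha256"] != bundle_sha or locked_view["sourceBundleSha256"] != bundle_sha:
        problems.append("source bundle digest does not match the manifest")
    # 3. The session blob hashes to the digest shown in the locked view.
    if sha256_hex(session_bytes) != locked_view["sessionSha256"]:
        problems.append("session blob altered after lock")
    # 4. Drill and scan ids agree across manifest, session and locked view.
    for key in ("drillId", "sourceScanJobId"):
        if not (manifest[key] == session[key] == locked_view[key]):
            problems.append(f"{key} differs across the chain")
    return problems


def pacing_audit(session_bytes: bytes) -> dict:
    """Scheduled vs actual delivery per inject, plus the all-zero-drift flag auditors look for."""
    injects = json.loads(session_bytes)["injects"]
    rows = [
        {"id": i["id"], "scheduled": i["scheduledMin"], "actual": i["actualMin"],
         "drift": i["actualMin"] - i["scheduledMin"]}
        for i in injects
    ]
    return {"rows": rows, "all_zero_drift": all(r["drift"] == 0 for r in rows)}


# Constructed sample run: three injects delivered 1 min late, 2 min early, on time.
INJECTS = [
    {"id": "inj-1", "scheduledMin": 5, "actualMin": 6},
    {"id": "inj-2", "scheduledMin": 20, "actualMin": 18},
    {"id": "inj-3", "scheduledMin": 45, "actualMin": 45},
]
MANIFEST = build_manifest(BUNDLE_FILES, SCAN_JOB_ID, DRILL_ID)
SESSION = build_session(MANIFEST, INJECTS, "it.director@example.com", "2024-01-15T15:02:00Z")
LOCKED_VIEW = {  # provenance fields as the locked view would display them (assumed names)
    "drillId": DRILL_ID,
    "sourceScanJobId": SCAN_JOB_ID,
    "sourceBundleSha256": sha256_hex(canonical(MANIFEST)),
    "sessionSha256": sha256_hex(SESSION),
    "lockedBy": "it.director@example.com",
    "lockedAt": "2024-01-15T15:02:00Z",
}

if __name__ == "__main__":
    print("intact:", verify_chain(BUNDLE_FILES, MANIFEST, SESSION, LOCKED_VIEW))
    edited = {**BUNDLE_FILES, "scenario.md": b"# Scenario\nrewritten after the drill\n"}
    print("edited bundle:", verify_chain(edited, MANIFEST, SESSION, LOCKED_VIEW))
    print("pacing:", pacing_audit(SESSION))
```

Run it as a script to see the intact chain pass, an edited scenario file fail, and the pacing table with its per-inject drift; the all_zero_drift flag is the signal described above, since a real-time drill almost never lands every inject exactly on schedule.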

What this guide is not.

This guide describes the operational workflow for running an AI-generated IR tabletop using Veri-Tech’s drill engine. It does not replace the formal incident response plan your organization should have on file, nor the risk analysis your covered entity counsel signed off on, nor the Business Associate Agreement that scopes Veri-Tech’s role as a service provider to your covered-entity work.

The locked drill artifact is one of several pieces of evidence that together demonstrate IR readiness. The others include the IR plan itself, the post-incident reports for real incidents, the workforce training records under §164.530(b), and the documented sanction policy. The drill proves the plan can be executed; the plan still has to exist and be current.

For organizations on the HIPAA Pack tier, the IR Tabletop Generator is included in the existing tier scope. For organizations on Veri-Guard or Veri-Tune Enterprise, the identity, device, and DR drills are included; the breach category is HIPAA-Pack-only.