Know how you'd actually respond to a breach before one happens.
Independent assessment of breach response readiness across the incident response plan, playbooks, roles and decision authority, communications, forensic preparedness, and third-party coordination. Framework-agnostic methodology structured to satisfy cyber insurance underwriter expectations.
An IR plan on paper, or a capability that actually works.
Most organizations have an incident response plan. Few have validated that it would hold up under real conditions. The plan was written by someone who has since left, the playbooks reference contact details that have changed, the communications templates have not been reviewed since they were drafted, and the people named as decision-makers may not be the people who would actually be in the room. When the next incident arrives, response teams discover the gap between what the plan describes and what the organization can execute.
Armour Cybersecurity's Breach Readiness Assessment closes that gap before an event tests it. The engagement evaluates the organization's actual response capability across eight domains: IR plan maturity, playbooks and runbooks, roles and decision authority, communications readiness, forensic preparedness, third-party coordination, recovery capability, and post-incident lessons-learned discipline. The methodology is framework-agnostic and mapped to whichever standard the auditor, regulator, or carrier expects. The output is a prioritized remediation roadmap that internal teams can execute, with evidence the board, auditors, and cyber insurance carriers can rely on.
The methodology is informed by leading incident response standards (NIST SP 800-61, the NIST CSF Respond and Recover functions, ISO 27035, CIS Controls v8) and the control expectations published by major cyber insurance carriers. The assessment is independent: not tied to any technology vendor, not an upsell for a product, and structured to produce honest findings the leadership team can act on.
A plan on paper vs. a capability that holds.
The difference between organizations that recover well from incidents and those that compound the crisis usually comes down to whether the response capability was assessed and remediated before it had to be exercised under pressure.
An IR plan that exists, but has never been pressure-tested against reality.
The plan was drafted years ago. Contacts in the playbook have left the organization. Decision authority is documented at one level but actually exercised at another. The communications team has no pre-approved templates. The breach counsel relationship was discussed but never formalized. The cyber insurance carrier's first-call number is in someone's email. Forensic readiness depends on log retention that nobody has validated. When the next incident lands, the response team improvises every step, and the first hour disappears before containment begins.
Documented capability, validated against reality, ready to satisfy auditors and carriers.
The assessment evaluates the actual capability across eight domains and against established frameworks. Gaps are surfaced with specific evidence. The remediation roadmap sequences fixes by impact and effort, with quick wins (updating contact details, formalizing breach counsel and carrier relationships, drafting communications templates) alongside longer-term initiatives (IR plan rebuild, playbook expansion, forensic logging programs). The board sees an objective view of readiness. Cyber insurance underwriters see evidence the organization knows how it would respond.
What the assessment evaluates.
Nine capability domains across the breach response lifecycle. Each is evaluated against documented standards, validated against past incident or exercise evidence, and benchmarked against the expectations cyber insurance carriers and regulators apply.
Incident Response Plan Maturity
Review of the current IR plan for completeness, currency, alignment with leading IR lifecycle standards, and integration with broader business continuity and crisis management plans.
Playbooks & Runbooks
Inventory of playbooks and runbooks against the most likely incident types: ransomware, BEC, data exposure, insider threat, third-party breach, denial of service, and cloud account compromise.
Roles & Decision Authority
Validation that decision authority is documented and matches the real organization across incident command, legal and privacy escalation, communications approval, insurer engagement, and board notification.
Communications Readiness
Review of internal communications discipline, customer and partner notification templates, regulator notification procedures, media holding statements, and the approval paths for external messaging under pressure.
Forensic Preparedness
Assessment of log retention, evidence preservation procedures, chain-of-custody discipline, forensic acquisition capability, and the integration between SOC operations and forensic readiness.
Third-Party Coordination
Review of pre-established relationships with breach counsel, cyber insurance carrier, external forensic responders, PR support, and law enforcement, including contract readiness and first-call procedures.
Recovery Capability
Assessment of backup integrity, restoration procedures, business continuity activation paths, decision frameworks for ransom negotiation, and operational fallback capability during extended outages.
Governance & Board Escalation
Review of board notification thresholds, executive update cadence, governance documentation, and the briefing materials executives would actually use during a fast-moving event.
Post-Incident Improvement
Review of post-incident review discipline, lessons-learned capture from past events and exercises, and the feedback loop between incident experience and IR plan, playbook, and detection updates.
Who this engagement serves.
Built for organizations that have invested in incident response capability and now need an independent view of whether it would actually work under real conditions.
Boards & Executive Teams
Boards and C-suite leaders accountable for cyber risk oversight who need independent evidence of breach response capability rather than internal self-assessment.
Cyber Insurance Applicants & Renewals
Organizations preparing for cyber insurance underwriting or renewal where carriers expect documented evidence of IR plan testing, defined roles, and forensic readiness.
Regulated Industries
Finance, healthcare, legal, government, and other organizations with documented incident response obligations where auditors expect evidence of exercised capability.
Post-Incident & Lessons-Learned Programs
Organizations that have experienced a real incident and need an independent view of how the updated capability holds up against current best practice before the next event arrives.
A disciplined methodology across six phases.
The engagement runs three to four weeks across six structured phases. Each phase has defined inputs, outputs, and acceptance criteria. The executive readout in phase six is structured for direct board distribution.
Kickoff & Document Review
Engagement kickoff with leadership. Collection and review of the current IR plan, playbooks, runbooks, communications templates, past incident reports, exercise reports, and any documented procedures.
Stakeholder Workshops
Structured workshops with executive, IT, legal and privacy, communications, and operations teams to validate documented procedures against actual practice and surface gaps that documentation alone cannot reveal.
Capability Domain Analysis
Analysis of each of the nine capability domains against the leading incident response standards (NIST SP 800-61, NIST CSF, ISO 27035, CIS Controls v8) and the control expectations of major cyber insurance carriers.
Gap Identification & Risk Rating
Documentation of gaps with severity ratings based on likelihood of exposure during a real incident and business impact. Quick wins separated from longer-term remediation initiatives.
Remediation Roadmap
Prioritized remediation roadmap with recommended owners, target timelines, dependencies, and effort estimates. Roadmap sequenced so the most insurance-relevant and audit-relevant items are addressed first.
Reporting & Executive Readout
Final Breach Readiness Assessment Report, executive summary suitable for board distribution, and a debrief session with leadership covering findings, business impact, and recommended next steps.
What the organization walks away with.
Nine integrated deliverables that together establish an objective baseline of breach response capability and a roadmap for improvement.
Breach Readiness Assessment Report
Comprehensive report covering current-state capability across the nine domains, with maturity scoring, evidence from workshops and document review, and prioritized recommendations.
Incident Response Plan Gap Analysis
Detailed gap analysis of the current IR plan against the framework the auditor and carrier expect (NIST SP 800-61, NIST CSF, ISO 27035, or carrier-specific control sets), with specific revision recommendations and rebuild guidance where needed.
Playbook & Runbook Inventory
Documented inventory of existing playbooks and runbooks mapped against the most likely incident types, with coverage gaps identified and recommended development priorities.
Role & Decision Authority Map
Validated map of decision ownership across incident command, legal escalation, communications approval, insurer engagement, business continuity decisions, and board notification authority.
Communications Readiness Review
Review of communications discipline with recommended pre-approved templates for internal staff, customers, partners, board notifications, media holding statements, website notices, and call center scripts.
Forensic Preparedness Assessment
Assessment of log retention, evidence preservation procedures, chain-of-custody discipline, and forensic acquisition capability, with specific recommendations for closing forensic readiness gaps.
Third-Party Coordination Review
Review of pre-established relationships with breach counsel, cyber insurance carrier, external forensic responders, and PR support, with recommended contract and first-call procedure improvements.
Prioritized Remediation Roadmap
Sequenced remediation plan with recommended owners, timelines, effort estimates, and quick-win versus longer-term designations, structured for direct execution by internal teams.
Executive Summary Briefing
Board-ready executive summary translating assessment findings into governance language, with strategic implications, risk exposure, and the high-priority actions executives are being asked to sponsor.
The numbers behind the work.
Founded by military intelligence veterans with senior advisors from PwC, KPMG, Deloitte, EY, and Mandiant. The track record reflects the discipline.
Clients Served
Organizations across finance, healthcare, technology, energy, legal, and government trust Armour Cybersecurity to protect what matters.
Client Retention Rate
Long-term engagements built on consistent quality, predictable delivery, and consulting relationships that compound in value over time.
Industries · Worldwide Reach
Cross-sector experience spanning every major regulated industry, with operations supporting clients across North America, Latin America, and beyond.
Cybersecurity Technology Solutions
A vetted catalogue of technology partnerships and proprietary methods deployed in support of incident response capability development and breach readiness validation.
Validate the response capability before the breach forces you to discover it.
Schedule a fifteen-minute discovery call to scope the assessment. Protecting What Matters starts with knowing the response would actually work.
Book Discovery CallFrequently asked questions.
Common questions from CISOs, General Counsel, risk leaders, and board members evaluating a Breach Readiness Assessment.
How is a Breach Readiness Assessment different from a tabletop exercise?
What gets assessed?
How long does the assessment take?
Which frameworks inform the methodology?
Do you need access to our incident response plan?
Will the assessment satisfy our cyber insurance carrier?
What happens after the assessment?
Know how you'd actually respond.
Reach out to scope a Breach Readiness Assessment. Discovery calls are scheduled within two business days.
Talk to Armour Cybersecurity.
Toronto, ON, Canada
Request a discovery call.
Tell us about your current IR capability and what's driving the assessment. A senior advisor will respond within two business days.