Breach Readiness Assessment

Know how you'd actually respond to a breach before one happens.

Independent assessment of breach response readiness across the incident response plan, playbooks, roles and decision authority, communications, forensic preparedness, and third-party coordination. Framework-agnostic methodology structured to satisfy cyber insurance underwriter expectations.

An IR plan on paper, or a capability that actually works.

Most organizations have an incident response plan. Few have validated that it would hold up under real conditions. The plan was written by someone who has since left, the playbooks reference contact details that have changed, the communications templates have not been reviewed since they were drafted, and the people named as decision-makers may not be the people who would actually be in the room. When the next incident arrives, response teams discover the gap between what the plan describes and what the organization can execute.

Armour Cybersecurity's Breach Readiness Assessment closes that gap before an event tests it. The engagement evaluates the organization's actual response capability across eight domains: IR plan maturity, playbooks and runbooks, roles and decision authority, communications readiness, forensic preparedness, third-party coordination, recovery capability, and post-incident lessons-learned discipline. The methodology is framework-agnostic and mapped to whichever standard the auditor, regulator, or carrier expects. The output is a prioritized remediation roadmap that internal teams can execute, with evidence the board, auditors, and cyber insurance carriers can rely on.

The methodology is informed by leading incident response standards (NIST SP 800-61, the NIST CSF Respond and Recover functions, ISO 27035, CIS Controls v8) and the control expectations published by major cyber insurance carriers. The assessment is independent: not tied to any technology vendor, not an upsell for a product, and structured to produce honest findings the leadership team can act on.

Multi-Framework
Methodology mapped to NIST SP 800-61, NIST CSF, ISO 27035, CIS Controls v8, and the control expectations of major cyber insurance carriers
3-4 wk
Standard engagement timeline from kickoff through executive readout, with stakeholder workshops scheduled in weeks two and three

A plan on paper vs. a capability that holds.

The difference between organizations that recover well from incidents and those that compound the crisis usually comes down to whether the response capability was assessed and remediated before it had to be exercised under pressure.

The Problem

An IR plan that exists, but has never been pressure-tested against reality.

The plan was drafted years ago. Contacts in the playbook have left the organization. Decision authority is documented at one level but actually exercised at another. The communications team has no pre-approved templates. The breach counsel relationship was discussed but never formalized. The cyber insurance carrier's first-call number is in someone's email. Forensic readiness depends on log retention that nobody has validated. When the next incident lands, the response team improvises every step, and the first hour disappears before containment begins.

The Solution

Documented capability, validated against reality, ready to satisfy auditors and carriers.

The assessment evaluates the actual capability across eight domains and against established frameworks. Gaps are surfaced with specific evidence. The remediation roadmap sequences fixes by impact and effort, with quick wins (updating contact details, formalizing breach counsel and carrier relationships, drafting communications templates) alongside longer-term initiatives (IR plan rebuild, playbook expansion, forensic logging programs). The board sees an objective view of readiness. Cyber insurance underwriters see evidence the organization knows how it would respond.

What the assessment evaluates.

Nine capability domains across the breach response lifecycle. Each is evaluated against documented standards, validated against past incident or exercise evidence, and benchmarked against the expectations cyber insurance carriers and regulators apply.

01 / IR PLAN

Incident Response Plan Maturity

Review of the current IR plan for completeness, currency, alignment with leading IR lifecycle standards, and integration with broader business continuity and crisis management plans.

02 / PLAYBOOKS

Playbooks & Runbooks

Inventory of playbooks and runbooks against the most likely incident types: ransomware, BEC, data exposure, insider threat, third-party breach, denial of service, and cloud account compromise.

03 / ROLES

Roles & Decision Authority

Validation that decision authority is documented and matches the real organization across incident command, legal and privacy escalation, communications approval, insurer engagement, and board notification.

04 / COMMUNICATIONS

Communications Readiness

Review of internal communications discipline, customer and partner notification templates, regulator notification procedures, media holding statements, and the approval paths for external messaging under pressure.

05 / FORENSICS

Forensic Preparedness

Assessment of log retention, evidence preservation procedures, chain-of-custody discipline, forensic acquisition capability, and the integration between SOC operations and forensic readiness.

06 / THIRD-PARTY

Third-Party Coordination

Review of pre-established relationships with breach counsel, cyber insurance carrier, external forensic responders, PR support, and law enforcement, including contract readiness and first-call procedures.

07 / RECOVERY

Recovery Capability

Assessment of backup integrity, restoration procedures, business continuity activation paths, decision frameworks for ransom negotiation, and operational fallback capability during extended outages.

08 / GOVERNANCE

Governance & Board Escalation

Review of board notification thresholds, executive update cadence, governance documentation, and the briefing materials executives would actually use during a fast-moving event.

09 / LESSONS LEARNED

Post-Incident Improvement

Review of post-incident review discipline, lessons-learned capture from past events and exercises, and the feedback loop between incident experience and IR plan, playbook, and detection updates.

Who this engagement serves.

Built for organizations that have invested in incident response capability and now need an independent view of whether it would actually work under real conditions.

Boards & Executive Teams

Boards and C-suite leaders accountable for cyber risk oversight who need independent evidence of breach response capability rather than internal self-assessment.

Cyber Insurance Applicants & Renewals

Organizations preparing for cyber insurance underwriting or renewal where carriers expect documented evidence of IR plan testing, defined roles, and forensic readiness.

Regulated Industries

Finance, healthcare, legal, government, and other organizations with documented incident response obligations where auditors expect evidence of exercised capability.

Post-Incident & Lessons-Learned Programs

Organizations that have experienced a real incident and need an independent view of how the updated capability holds up against current best practice before the next event arrives.

A disciplined methodology across six phases.

The engagement runs three to four weeks across six structured phases. Each phase has defined inputs, outputs, and acceptance criteria. The executive readout in phase six is structured for direct board distribution.

1

Kickoff & Document Review

Engagement kickoff with leadership. Collection and review of the current IR plan, playbooks, runbooks, communications templates, past incident reports, exercise reports, and any documented procedures.

2

Stakeholder Workshops

Structured workshops with executive, IT, legal and privacy, communications, and operations teams to validate documented procedures against actual practice and surface gaps that documentation alone cannot reveal.

3

Capability Domain Analysis

Analysis of each of the nine capability domains against the leading incident response standards (NIST SP 800-61, NIST CSF, ISO 27035, CIS Controls v8) and the control expectations of major cyber insurance carriers.

4

Gap Identification & Risk Rating

Documentation of gaps with severity ratings based on likelihood of exposure during a real incident and business impact. Quick wins separated from longer-term remediation initiatives.

5

Remediation Roadmap

Prioritized remediation roadmap with recommended owners, target timelines, dependencies, and effort estimates. Roadmap sequenced so the most insurance-relevant and audit-relevant items are addressed first.

6

Reporting & Executive Readout

Final Breach Readiness Assessment Report, executive summary suitable for board distribution, and a debrief session with leadership covering findings, business impact, and recommended next steps.

What the organization walks away with.

Nine integrated deliverables that together establish an objective baseline of breach response capability and a roadmap for improvement.

DELIVERABLE 01

Breach Readiness Assessment Report

Comprehensive report covering current-state capability across the nine domains, with maturity scoring, evidence from workshops and document review, and prioritized recommendations.

DELIVERABLE 02

Incident Response Plan Gap Analysis

Detailed gap analysis of the current IR plan against the framework the auditor and carrier expect (NIST SP 800-61, NIST CSF, ISO 27035, or carrier-specific control sets), with specific revision recommendations and rebuild guidance where needed.

DELIVERABLE 03

Playbook & Runbook Inventory

Documented inventory of existing playbooks and runbooks mapped against the most likely incident types, with coverage gaps identified and recommended development priorities.

DELIVERABLE 04

Role & Decision Authority Map

Validated map of decision ownership across incident command, legal escalation, communications approval, insurer engagement, business continuity decisions, and board notification authority.

DELIVERABLE 05

Communications Readiness Review

Review of communications discipline with recommended pre-approved templates for internal staff, customers, partners, board notifications, media holding statements, website notices, and call center scripts.

DELIVERABLE 06

Forensic Preparedness Assessment

Assessment of log retention, evidence preservation procedures, chain-of-custody discipline, and forensic acquisition capability, with specific recommendations for closing forensic readiness gaps.

DELIVERABLE 07

Third-Party Coordination Review

Review of pre-established relationships with breach counsel, cyber insurance carrier, external forensic responders, and PR support, with recommended contract and first-call procedure improvements.

DELIVERABLE 08

Prioritized Remediation Roadmap

Sequenced remediation plan with recommended owners, timelines, effort estimates, and quick-win versus longer-term designations, structured for direct execution by internal teams.

DELIVERABLE 09

Executive Summary Briefing

Board-ready executive summary translating assessment findings into governance language, with strategic implications, risk exposure, and the high-priority actions executives are being asked to sponsor.

The numbers behind the work.

Founded by military intelligence veterans with senior advisors from PwC, KPMG, Deloitte, EY, and Mandiant. The track record reflects the discipline.

260+

Clients Served

Organizations across finance, healthcare, technology, energy, legal, and government trust Armour Cybersecurity to protect what matters.

97%

Client Retention Rate

Long-term engagements built on consistent quality, predictable delivery, and consulting relationships that compound in value over time.

52+

Industries · Worldwide Reach

Cross-sector experience spanning every major regulated industry, with operations supporting clients across North America, Latin America, and beyond.

80+

Cybersecurity Technology Solutions

A vetted catalogue of technology partnerships and proprietary methods deployed in support of incident response capability development and breach readiness validation.

Validate the response capability before the breach forces you to discover it.

Schedule a fifteen-minute discovery call to scope the assessment. Protecting What Matters starts with knowing the response would actually work.

Book Discovery Call

Frequently asked questions.

Common questions from CISOs, General Counsel, risk leaders, and board members evaluating a Breach Readiness Assessment.

How is a Breach Readiness Assessment different from a tabletop exercise?
A tabletop exercise puts the response team through a scenario to test how they perform. A Breach Readiness Assessment evaluates whether the underlying capability is actually there in the first place: is the IR plan current, are playbooks documented, do roles and decision authority match the real organization, is forensic preparedness in place, are the right third-party relationships established? Tabletops validate; readiness assessments diagnose. Many organizations engage both, with the readiness assessment first to identify gaps and the tabletop later to test the remediated capability.
What gets assessed?
Incident response plan maturity, playbook and runbook coverage for the most likely incident types (ransomware, BEC, data exposure, insider threat, third-party breach), roles and decision authority across executive leadership and operational teams, communications readiness (internal, external, regulator, customer), forensic preparedness and evidence handling capability, third-party coordination (breach counsel, cyber insurance carrier, forensic responders, communications support), recovery capability, and post-incident lessons-learned discipline.
How long does the assessment take?
Three to four weeks from kickoff to final report. Week one for scoping and document review. Weeks two through three for workshops with executive, IT, legal/privacy, communications, and operations teams. Week four for analysis, report drafting, and executive readout. Larger or multi-entity organizations scale proportionally.
Which frameworks inform the methodology?
NIST SP 800-61 (Computer Security Incident Handling Guide) is the primary reference. The methodology also draws from NIST Cybersecurity Framework (Respond and Recover functions), ISO 27035 (incident management), CIS Controls v8 (incident response), and the control expectations published by major cyber insurance carriers. Reports can be tailored to whichever framework the organization, auditor, or carrier expects.
Do you need access to our incident response plan?
Yes. The assessment reviews the existing IR plan, playbooks, runbooks, communications templates, and any documented procedures. Where these do not exist, the assessment documents the gap and the remediation roadmap includes development of the missing artifacts. The assessment also reviews real evidence from any past incidents, exercises, or near-misses to validate that documented procedures match actual practice.
Will the assessment satisfy our cyber insurance carrier?
The assessment is structured to produce evidence that satisfies underwriter expectations on incident response capability. Carriers increasingly require documented evidence of IR plan testing, defined roles and escalation paths, third-party coordination arrangements, and forensic readiness. The Breach Readiness Assessment Report is suitable for direct submission alongside underwriting questionnaires and renewal documentation.
What happens after the assessment?
The deliverable is a prioritized remediation roadmap with recommended owners and timelines. Many organizations execute the roadmap with internal teams. Others engage Armour Cybersecurity for follow-on work: incident response plan development, playbook creation, tabletop exercises to validate the remediated capability, or an Incident Response retainer so the team that helped build the capability is also the team that responds when an event occurs.

Know how you'd actually respond.

Reach out to scope a Breach Readiness Assessment. Discovery calls are scheduled within two business days.

Talk to Armour Cybersecurity.

📞
✉️
📍
Headquarters
77 Bloor St West, Suite 600
Toronto, ON, Canada

Request a discovery call.

Tell us about your current IR capability and what's driving the assessment. A senior advisor will respond within two business days.