Session Summary

In this presentation, Bishop Fox offensive security consultant Shanni Prutchi explains why testing incident response capabilities requires more than just technical evaluations. Drawing from her unique background in both offensive security and incident response, she examines how traditional approaches often leave critical gaps: red team exercises test technical controls but not processes, while tabletop exercises evaluate procedures but not actual detection capabilities.

Prutchi outlines two complementary approaches to combine these methodologies. The first involves conducting tabletop and red team exercises simultaneously, forcing response teams to follow established processes during an active simulated attack. The second uses a completed red team exercise as the foundation for a subsequent tabletop discussion, allowing teams to extend scenarios beyond technical limitations and involve executive decision-makers more efficiently. Throughout the presentation, she shares real-world examples of common gaps discovered during these exercises—from organizations lacking accessible offline copies of incident response policies to communication breakdowns where CISOs wouldn't recognize responders' phone numbers during a crisis. By integrating both technical and procedural evaluations, organizations can develop truly resilient incident response capabilities that address the complete lifecycle of security incidents.

Who Should Watch

This session is valuable for security leaders responsible for incident response planning, SOC managers evaluating program effectiveness, red team practitioners looking to deliver more business value, and executives who participate in crisis decision-making. Organizations preparing for compliance requirements around incident response testing will also benefit from Prutchi's practical guidance on comprehensive evaluation approaches.