Subscribe to the Non-Human & AI Identity Journal

What breaks when incident response plans are not rehearsed?

When plans are not rehearsed, teams lose time deciding who can act, what to isolate, and how to communicate. That delay can let attackers keep access, expand scope, or destroy evidence. A plan that cannot be executed under pressure is not a control, only a document.

Why This Matters for Security Teams

incident response plans fail most visibly when an organisation needs them most: during fast-moving compromise, ransomware, credential theft, or a cloud service disruption. The written plan may name roles and channels, but unless those elements are practiced, responders waste precious minutes confirming authority, finding evidence sources, and deciding whether containment should be broad or surgical. Current guidance from ENISA Threat Landscape reinforces that modern attacks are rarely single-step events, which means delay compounds quickly across systems, identities, and third-party dependencies.

Practitioners also underestimate how often communications fail before technical containment does. Legal, executive, SOC, IT operations, and external response partners may each assume someone else has declared a major incident. If roles are not rehearsed, escalation paths become ambiguous, evidence handling becomes inconsistent, and business decisions arrive too late to matter. In practice, many security teams encounter gaps in authority and coordination only after containment has already become a recovery problem, rather than through intentional rehearsal.

How It Works in Practice

Rehearsed incident response is less about memorising a runbook and more about proving that the organisation can execute under pressure. A useful exercise tests decision rights, communications, tooling access, evidence preservation, and recovery sequencing together. That includes who can isolate hosts, disable accounts, revoke tokens, rotate secrets, contact cloud providers, and trigger external notification workflows. It also checks whether monitoring data, ticketing records, and access to logs are available when normal systems are degraded.

Strong rehearsal programs usually include a mix of tabletop exercises, technical simulations, and full process walks. A tabletop reveals gaps in ownership and escalation. A technical exercise exposes whether responders can actually use the tooling, such as EDR, SIEM, SOAR, backup restoration, and identity controls, without hunting for approvals. When identity is part of the incident, the response should explicitly cover privileged access, service accounts, API keys, and other incident response dependencies because those are often the first things attackers abuse.

  • Test decision-making, not just documentation.
  • Validate that contact paths work outside normal business hours.
  • Confirm that responders can obtain logs, snapshots, and chain-of-custody records quickly.
  • Include cloud, identity, legal, communications, and vendor stakeholders.
  • Practice containment choices that balance speed against business impact.

For teams facing automated or AI-assisted attacks, rehearsal should also reflect how quickly adversaries can change tactics. The Anthropic — first AI-orchestrated cyber espionage campaign report is a useful reminder that escalation speed, scale, and operator workload can all be altered by automation. These controls tend to break down when incident response is handled as a compliance checkpoint for a single enterprise network because hybrid identity, cloud logging, and outsourced operations make the real response path much more distributed.

Common Variations and Edge Cases

Tighter incident response practice often increases operational overhead, requiring organisations to balance speed of containment against business continuity and governance review. That tradeoff becomes sharper in regulated environments, during major outages, or when third parties host critical logs or services. Best practice is evolving here, and there is no universal standard for how often every scenario should be exercised; the right cadence depends on threat exposure, change velocity, and maturity.

Edge cases usually appear where the plan assumes stable systems and clear ownership. Cloud-native environments may require responders to act through ephemeral workloads, multiple accounts, or delegated administration. Mergers, managed service providers, and cross-border operations introduce additional friction because evidence, authority, and communications may sit with different entities. Identity-heavy incidents are especially sensitive: if privileged accounts, secrets, or federation trust are involved, containment may require coordination across IAM, PAM, and application owners before isolation can be safely completed.

Rehearsal also needs to account for partial failures. A playbook that works when a SOC is fully staffed can collapse during holiday coverage, after-hours escalation, or simultaneous incidents. The practical test is not whether the document exists, but whether the organisation can still preserve evidence, maintain command structure, and communicate clearly when normal assumptions no longer hold.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 RS.RP-1 Response plans must be rehearsed so the organisation can execute them consistently.
MITRE ATT&CK T1078 Rehearsal should cover valid account abuse and containment after credential compromise.

Run and improve incident exercises so response actions are repeatable under stress.