AS-301h · Module 3
The Incident Rehearsal Program
Good news, everyone! We have covered playbook design, containment automation, incident command, evidence preservation, forensics, and improvement tracking. The final lesson is the one that makes all of it work when it matters: rehearsal. A playbook that nobody has practiced is a document. A playbook that has been rehearsed quarterly is a capability. The difference between document and capability is muscle memory — and muscle memory comes only from repetition.
- Monthly Tabletop Exercises: Simulate an AI incident scenario in a conference room. Walk through the playbook step by step. Who gets notified? What containment action fires? What logs do you pull? Time the exercise. Find the bottlenecks. Monthly exercises build familiarity with the process so that the real incident response is recognition, not learning.
- Quarterly Live Exercises: Inject a simulated incident into the production environment — a controlled prompt injection attempt, a synthetic anomaly in the SIEM, a triggered canary token. The response team follows the playbook against a realistic stimulus. Live exercises test not just the process but the tooling — SIEM alerts, containment automation, communication channels.
- Annual Full Simulation: Once a year, run a full incident simulation involving all stakeholders — engineering, security, legal, communications, and executive leadership. The simulation tests the complete response chain from detection through external notification. Measure the total response time. Compare against your targets. The annual simulation is the final exam for your incident response program.
Fundamentals aren't boring. Fundamentals are load-bearing.
— DRILL, Ryan Consulting Academy