Lab · You are the IR commander

Ransomware Tabletop

It's 4:17 AM. Your on-call phone rings. The CFO's laptop has a ransom note. Every choice you make from here changes the cost. Walk the team through NIST SP 800-61's four phases — Detection & Analysis, Containment, Eradication, Recovery, Lessons Learned. Some choices are right. Some are very expensive.

Situation report

You are the on-call incident commander for Acme Manufacturing Corp — 1,400 employees, 800 servers, 1,400 workstations. You have EDR on most endpoints, immutable backups in object-lock S3 (you think), MFA on most accounts, and a cyber insurance policy with a $1M retention. The phone just rang.

NIST SP 800-61 Phase Tracker
1. Detect
2. Contain
3. Eradicate
4. Recover
5. Lessons

Scorecard

Cumulative cost (estimate): $0
Downtime: 0h
Decisions made: 0

Incident timeline

T+00:00