1. Executive Summary
Most organizations believe they are prepared for a cyber incident. Fewer are. This report documents the gap between documented incident response plans and the reality of executive decision-making during simulated incidents, based on 150+ tabletop exercises facilitated across industries between 2018 and 2026.
The findings are not about technical detection or containment — those capabilities have improved meaningfully in the last five years. The findings are about coordination, judgment, and regulatory awareness under pressure. These are human failures, and they are the reason even well-resourced organizations with mature security programs still struggle during real incidents.
The good news: these failures are fixable. Every pattern documented here has a corresponding intervention that organizations have successfully implemented. The bad news: most organizations do not know these patterns exist in their own programs until a real incident reveals them — often at enormous cost.
2. Methodology
Between 2018 and 2026, 150+ C-suite cyber tabletop exercises were facilitated across 32 industries, ranging from critical infrastructure and healthcare to commercial services and public sector organizations. Each exercise was 90 to 180 minutes, involved 6 to 20 executive participants, and simulated one of eight incident categories: ransomware, data breach, business email compromise, insider threat, supply chain compromise, phishing campaign, DDoS attack, and hybrid scenarios combining multiple vectors.
Observations were captured in real time across four dimensions: role clarity, decision velocity, communication accuracy, and regulatory awareness. Patterns that appeared in at least 40% of exercises are included in this report as findings. Patterns that appeared in more than 80% are flagged as critical.
All organizational names, industries, and specific scenario details have been anonymized. The findings are directional observations, not peer-reviewed statistical claims, and should be interpreted as patterns consistent across a large but non-random sample.
3. Ten Key Findings
Role clarity collapses in the first 30 minutes
Most organizations have documented incident response plans that name roles: Incident Commander, Legal Liaison, Communications Lead, Technical Lead. In practice, when a simulated incident starts, teams cannot answer a basic question within the first 30 minutes: who makes the containment decision right now? The documented plan lists a role; the room does not know who fills it today, who their backup is, or what authority they have without escalating.
Regulatory clocks are not tracked during incidents
Most IR plans list applicable regulations (GDPR Article 33, HIPAA 60-day, SEC Item 1.05, state breach laws, cyber insurance reporting). Few teams track these clocks simultaneously during an incident. In exercises where participants were asked which deadline was closest to expiring at minute 120, fewer than 20% could answer correctly without consulting reference material. In real incidents, a missed deadline compounds into regulatory fines and loss of attorney-client privilege.
Teams call the wrong stakeholder first
When asked "who do you contact first?" after a ransomware simulation, the most common first calls were the CEO, law enforcement, or external legal counsel. The correct first call — per most cyber insurance policies — is the carrier's reporting hotline, which triggers the panel vendor relationship and preserves coverage. Calling law enforcement before the carrier can void specific policy terms; calling legal counsel before the carrier can compromise panel-attorney coverage.
Evidence is contaminated before forensics arrives
In ransomware exercises, well-intentioned IT staff consistently took actions that contaminated forensic evidence: rebooting affected systems, deleting suspicious files, restoring from backup before imaging. These actions eliminated the ability to identify the initial access vector, which is material for both regulatory notification ("was sensitive data accessed?") and cyber insurance claims ("what was the attack method?"). Forensic readiness requires explicit "do not touch" decisions at the outset.
The first executive update is usually wrong
When the Incident Commander first briefed the executive participants in the exercise, the briefing contained one or more material inaccuracies in 70%+ of cases: overstated scope, understated scope, incorrect attack vector, or incorrect timeline. Executives then made decisions based on the inaccurate brief. A structured briefing template with explicit "known / unknown / assumed" sections resolved this in nearly every exercise where it was introduced.
Board communication is not planned in advance
Public-company exercises revealed that executives had no pre-drafted board notification language, no defined threshold for "material incident" reporting, and no clarity on SEC Item 1.05 timing. The same question — "when do we tell the board?" — consumed 15 to 40 minutes of exercise time in most sessions. Pre-drafted board communication templates, tied to incident severity, resolved this immediately.
Tabletops without AARs produce no lasting change
The single strongest predictor of whether a tabletop exercise produced lasting organizational change was whether it was followed by a formal After-Action Report within 14 days, with assigned owners and deadlines for each finding. Exercises without AARs produced enthusiasm in the room and almost no measurable change three months later. Exercises with AARs and tracked remediation produced sustained improvement.
Communications leads are underpowered
The Communications Lead role was the most frequently understaffed and undertrained in exercises. Participants assigned to it often had no pre-drafted holding statements, no working relationship with crisis PR firms, and no clear authority to approve external communications without C-suite sign-off — which created material delays during exercises. Organizations that had crisis communications counsel on retainer resolved this cleanly.
"Hybrid incidents" break single-scenario plans
Most IR plans are organized by incident type: "here is the ransomware playbook, here is the data breach playbook." Real incidents rarely fit one playbook. Ransomware events often involve data exfiltration (making them both a ransomware and breach notification event). DDoS attacks are increasingly used as cover for other intrusions. Teams that had only practiced single-scenario playbooks struggled with hybrids; teams that had practiced hybrid scenarios adapted quickly.
Annual tabletops are insufficient
Organizations that ran tabletops annually showed almost no year-over-year improvement in coordination metrics. Organizations that ran them quarterly — or more — showed substantial improvement. Annual is the compliance minimum; quarterly is the performance target. The improvements were not about repeating the same scenario, but about building muscle memory for the coordination patterns that all incidents share.
4. The Coordination Problem
Technical detection and containment have improved dramatically since 2018. EDR, SIEM, and SOAR platforms are more capable, and security teams are more sophisticated in using them. This report's findings do not dispute that progress.
What has not improved at the same rate is the human coordination layer — the decisions, communications, and role assignments that connect technical work to executive accountability, legal process, regulatory obligation, and stakeholder trust. This is where incidents actually fail today, and it is what the tabletop exercises most consistently revealed.
The coordination problem has four components:
- Role clarity — who does what, and who is their backup
- Decision velocity — how fast the right decision is made with incomplete information
- Communication accuracy — whether the stakeholder message matches the technical reality
- Regulatory awareness — whether the team is tracking the clocks as they handle the technical work
Organizations that performed well in exercises treated these four components as a dedicated discipline, not a byproduct of technical response. They built tools, templates, and runbooks specifically for coordination — not as an afterthought to the technical playbook.
5. Regulatory Clock Failures
Every modern incident triggers multiple regulatory clocks simultaneously. A single ransomware event affecting a mid-market healthcare organization in California with EU customers can trigger: HIPAA 60-day notification, California Civil Code §1798.82, GDPR Article 33 72-hour notification, SEC Item 1.05 four-business-day disclosure (if public), cyber insurance first-notice reporting (often 48 or 72 hours), and potentially state Attorney General notification in multiple jurisdictions.
In exercises, teams routinely focused on one clock — usually the most visible one — and missed others. The pattern was consistent:
- Public companies tracked the SEC clock and missed the state breach laws
- Healthcare organizations tracked HIPAA and missed the insurance clock
- Organizations with EU customers tracked GDPR and missed state-level requirements
- Nearly all organizations forgot the insurance clock until it was too late to preserve coverage
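The multi-clock problem described in this section, and the "regulatory clock dashboard" the recommendations section asks for, can be sketched as a small tracker. This is an added example, not IR-OS code or anything produced by the report's author. The durations are the ones the report cites (GDPR Article 33 at 72 hours, HIPAA at 60 days, SEC Item 1.05 at four business days); the 48-hour insurance value is a constructed policy term, the anchor-event names, the weekend-only business-day calendar and the end-of-day treatment of the SEC deadline are assumptions, and the awareness timestamp is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from typing import Optional


@dataclass(frozen=True)
class Clock:
    """One regulatory or contractual deadline, counted from a named anchor event."""
    name: str
    anchor: str                          # event the clock starts from (assumed event names)
    hours: Optional[int] = None          # fixed-duration clocks
    business_days: Optional[int] = None  # business-day clocks (SEC Item 1.05)


# Durations as cited in the report; anchor events are assumptions. The insurance
# value is a constructed policy term (the report says 48 or 72 hours, policy-dependent).
CLOCKS = [
    Clock("GDPR Art. 33 supervisory authority notification", "awareness", hours=72),
    Clock("Cyber insurance first notice (constructed policy term)", "awareness", hours=48),
    Clock("HIPAA breach notification (60 days)", "awareness", hours=60 * 24),
    Clock("SEC Form 8-K Item 1.05", "materiality_determination", business_days=4),
]


def add_business_days(start: datetime, n: int, holidays=frozenset()) -> datetime:
    """Count n business days after start. Weekends are skipped; holidays only if a set
    is supplied. Assumption: the deadline is the end of the nth business day."""
    d = start.date()
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return datetime.combine(d, time(23, 59))


def deadline(clock: Clock, anchors: dict, holidays=frozenset()) -> Optional[datetime]:
    """Absolute deadline, or None if the clock's anchor event has not been recorded yet."""
    start = anchors.get(clock.anchor)
    if start is None:
        return None
    if clock.hours is not None:
        return start + timedelta(hours=clock.hours)
    return add_business_days(start, clock.business_days, holidays)


def dashboard(clocks, anchors, now, holidays=frozenset()):
    """Rows of (name, deadline, remaining, state), soonest first; unstarted clocks last."""
    rows = []
    for c in clocks:
        d = deadline(c, anchors, holidays)
        if d is None:
            rows.append((c.name, None, None, "NOT STARTED (no %s timestamp)" % c.anchor))
            continue
        remaining = d - now
        rows.append((c.name, d, remaining, "EXPIRED" if remaining <= timedelta(0) else "OPEN"))
    rows.sort(key=lambda r: (r[1] is None, r[1] or datetime.max))
    return rows


def closest_open(rows):
    """The exercise question: which still-open clock expires next?"""
    open_rows = [r for r in rows if r[3] == "OPEN"]
    return open_rows[0] if open_rows else None


def render(rows, now) -> str:
    lines = ["Clock status at %s" % now.isoformat(sep=" ")]
    for name, d, remaining, state in rows:
        when = d.isoformat(sep=" ") if d else "-"
        if remaining is None:
            left = ""
        elif remaining <= timedelta(0):
            left = "%.1f h overdue" % (-remaining.total_seconds() / 3600)
        else:
            left = "%.1f h left" % (remaining.total_seconds() / 3600)
        lines.append("  [%s] %-55s due %s %s" % (state, name, when, left))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario: awareness on Monday 2026-03-09 09:00. No materiality
    # determination has been recorded yet, so the SEC clock shows as not started.
    anchors = {"awareness": datetime(2026, 3, 9, 9, 0)}
    minute_120 = anchors["awareness"] + timedelta(minutes=120)
    rows = dashboard(CLOCKS, anchors, minute_120)
    print(render(rows, minute_120))
    print("Next to expire:", closest_open(rows)[0])
```

The design point is that the SEC clock is keyed to a different anchor than the others: it does not start at awareness, so a dashboard that shows it as "not started" is also a prompt that the materiality determination has not been made or not been recorded. The clock-watcher's job is to keep the anchor timestamps current; everything else is arithmetic.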
6. The Board Communication Gap
Board-level communication failures fell into three categories in the exercises:
Timing: Executives disagreed about when to brief the board, and most had not pre-defined a threshold. The common default — "when we know more" — turned out to be the wrong threshold, because by the time a board is briefed reactively, the SEC, regulators, or media have often already learned of the incident.
Language: First board briefings routinely used technical language that obscured rather than clarified. Boards do not need to know the CVE exploited; they need to know whether material information was accessed, whether regulatory notification is required, what the remediation cost will be, and whether the insurance carrier has been engaged.
Commitment discipline: Executives often committed to specific remediation outcomes before technical reality supported the commitment. "We will have this contained by end of day" is rarely accurate at hour 4. Boards need honest uncertainty ranges, not false precision.
7. Cyber Insurance Missteps
Organizations with cyber insurance often performed worse than organizations without, because they believed coverage meant preparedness. It does not. Coverage means a claim is possible if the policy terms are followed precisely. Most policies require:
- Carrier notification within 48 or 72 hours of incident awareness
- Use of panel-approved vendors (breach counsel, forensics, notification) for coverage
- Specific documentation preserved before remediation
- No public statements without carrier or panel counsel coordination
In exercises, executives routinely violated one or more of these terms within the first two hours — calling general counsel instead of panel counsel, engaging their usual forensics vendor instead of the panel vendor, or authorizing public statements that panel counsel would not have approved.
8. What Works
The patterns that distinguished high-performing teams were consistent:
- Quarterly tabletops, not annual. Teams that practiced four times a year outperformed teams that practiced once.
- Formal AARs within 14 days. Every finding had an owner, a deadline, and a tracking mechanism.
- Two IRC teams, not one. A primary team and a backup team with overlapping training meant vacations and illness did not compromise response.
- A dedicated clock-watcher role. One person tracks regulatory deadlines; they do not also manage technical response.
- Pre-drafted templates for everything. Board notifications, press holding statements, customer communications, regulator notifications — all pre-drafted, all reviewed by counsel in advance.
- Carrier-first reporting as the trained reflex. Insurance carrier hotline memorized, tested, practiced.
- Hash-chained defensible record. Organizations that kept tamper-evident records of their decision-making had meaningfully better regulatory and litigation outcomes.
- Hybrid scenario practice. Ransomware + breach, DDoS + intrusion, BEC + data exfiltration — all practiced in combination, not just isolation.
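The "hash-chained defensible record" in the list above is a concrete technique, so here is a minimal version of it as an added example; it is not IR-OS code or the author's implementation. Each decision entry is hashed together with the hash of the entry before it, so editing, deleting or reordering any entry after the fact breaks every later link. The entry fields, the SHA-256 over canonical JSON, and the sample decisions are all constructed for the example.

```python
import hashlib
import json
from copy import deepcopy
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # previous-hash value used for the first entry


def _entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry body plus the previous hash."""
    payload = json.dumps({"prev": prev_hash, **body}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class DecisionLog:
    """Append-only record of incident decisions; every entry commits to its predecessor."""

    def __init__(self):
        self.entries: List[dict] = []

    def append(self, actor: str, decision: str, rationale: str,
               at: Optional[datetime] = None) -> str:
        at = at or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "at": at.isoformat(),
            "actor": actor,
            "decision": decision,
            "rationale": rationale,
        }
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Hash of the latest entry; record it out-of-band (e.g. in counsel's notes)
        so the chain is anchored to something the log's own custodian cannot rewrite."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: List[dict]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first entry that
    fails: edited content, a removed or reordered entry, or a link that does not match."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("seq") != i or _entry_hash(prev, body) != e.get("hash"):
            return i
        prev = e["hash"]
    return None


def sample_log() -> DecisionLog:
    """Constructed entries for a ransomware tabletop (not from any real incident)."""
    log = DecisionLog()
    t0 = datetime(2026, 3, 9, 9, 0, tzinfo=timezone.utc)
    log.append("Incident Commander", "Isolate file server FS-01 from the network; do not reboot or restore",
               "Preserve disk and memory state for forensic imaging", t0)
    log.append("Legal Liaison", "Notify cyber insurance carrier hotline",
               "Policy first-notice term; engages panel counsel and panel forensics", t0.replace(minute=25))
    log.append("Communications Lead", "Issue pre-approved holding statement",
               "Counsel-reviewed template; no scope claims until forensics reports", t0.replace(hour=11))
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", verify(log.entries) is None, "head:", log.head()[:16])
    tampered = deepcopy(log.entries)
    tampered[0]["decision"] = "Reboot FS-01"  # the kind of after-the-fact rewrite the chain exposes
    print("first bad entry after edit:", verify(tampered))
```

A chain like this only proves integrity relative to its head hash, so the head has to be written somewhere the log keeper does not control (a timestamped email to counsel, a printed sign-off at each briefing). Without that external anchor, someone with write access could rewrite the whole log and recompute every hash.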
9. Recommendations
Based on patterns across 150+ exercises, organizations that want to materially improve their IR readiness should consider the following sequence:
- In the next 30 days: Run an exercise focused exclusively on role clarity and regulatory clock tracking. Do not test technical containment. Test the coordination layer.
- In the next 60 days: Pre-draft five executive templates: board notification, press holding statement, customer breach letter, regulator notification (top three applicable), insurance first-notice. Have counsel review.
- In the next 90 days: Build a regulatory clock dashboard that tracks every applicable deadline in real time during an incident. Assign a named owner.
- In the next 6 months: Establish a quarterly tabletop cadence with formal AAR process. Each AAR must have tracked remediation.
- Ongoing: Build coordination as a discipline equal to technical response. Allocate budget, training, and tooling accordingly.
10. About This Research
This report is independent research, not commissioned by any vendor or sponsored by any third party. Findings are based on first-person observation across 150+ tabletop exercises facilitated by the author between 2018 and 2026.
The research is ongoing. Future editions will include observations from continued facilitation, anonymized pattern data from the IR-OS platform (with customer consent), and updated analysis of emerging incident categories.
Citations to this report are welcome. Suggested citation:
Lynd, M. (2026). State of Incident Response Readiness 2026: Patterns from 150+ Tabletops. IR-OS Research. https://ir-os.com/reports/state-of-ir-readiness-2026
For questions, media inquiries, or to contribute observations from your own exercises, contact [email protected].
Run Your Next Tabletop on IR-OS
Every pattern in this report is addressed directly in the IR-OS platform — role clarity, regulatory clocks, pre-drafted templates, hash-chained record, and quarterly cadence. 10-day free trial, no credit card.