Site Search Site Search

Menu

Featured

Business transformation services

Artificial Intelligence

Sustainability and ESG

Menu

Loading Results

Cyber crisis exercises

Cyber Crisis Exercises

Is your cyber incident response plan truly good, or just good on paper?

In an era where cyber threats are constantly evolving, it is crucial to prepare and strengthen your organisation's response capabilities. Our approach leverages years of experience and industry best practices to create realistic, engaging, and impactful crisis scenarios. These exercises will not only test your current preparedness but also provide valuable insights and recommendations to enhance your overall cyber resilience.

We help build muscle memory and shared understanding across your crisis management team, ensuring alignment of priorities and capabilities during a crisis.

  • Are you confident that your crisis management team can handle a cyber incident involving double or triple extortion?

  • How prepared is your organisation to manage a cyber crisis that escalates globally and involves multiple stakeholders?

  • Can your current response plan withstand the pressures of a real-world cyber attack?

  • What would be the impact on your business if a critical third-party vendor experienced a cyber incident? 

  • Will the actions you take during a crisis be viewed as optimal later, from a customer, legal, and regulator perspective?
     


Overview of cyber crisis simulation

As threat actors increasingly target various sectors and the criminal cyber ecosystem expands at an alarming rate, it is not a matter of "if" your organisation will experience a cyber crisis, but rather "when". Whether identified early or after significant impact, it is crucial to promptly initiate a response and engage all areas of the organisation without delay.

Traditional business continuity and disaster recovery plans are often cumbersome, static documents that are infrequently tested. Given that time is always of the essence and that accuracy at speed is a product of practice, it logically follows that your organisation's plans should be solidified in muscle memory.

Our simulations are designed to build a shared understanding across your Crisis Management Team, helping stakeholders align on priorities and capabilities during a cyber event. 
These exercises are based on industry-leading best practices and tailored to reflect your most significant threats, fulfilling both operational needs and regulatory requirements. 
 
These simulations are not just training—they are strategic tools to rehearse decision-making, expose gaps, and build confidence across your organisation’s response layers.

Types of exercises offered

Given that no cyber crisis is ever the same, we believe that crisis exercises should reflect both your current capabilities and overall maturity.

The most initial level of exercises are facilitated walkthroughs, which guide participants through a structured discussion centered on a scenario. These are most suitable for organisations seeking to embed understanding of their existing plans.

On the next layer of complexity are tabletop exercises. These involve participants working through a mock Crisis Management Team meeting based on a scenario structured around multiple injects.

One level higher are simulation exercises, which engage multiple teams in parallel and in simulated real-time for several hours. These are intense and require significant effort from all parties. They are most suitable for organisations with a deeply entrenched and robust Crisis Management Team.

At the top of the pyramid are war games, which refine an organisation’s mature crisis response capability by exploring decision-making models in high-impact simulated scenarios. These exercises often include both strategic and technical participants, enabling cross-functional teams to test coordination, escalation, and decision-making under pressure.

Each exercise tier is aligned with industry-standard simulation practices, allowing us to support independently scoped engagements rather than proprietary formats. 

Each tier is designed with a specific audience in mind:

  • Initial (Facilitated Walkthroughs) are ideal for teams new to crisis response or those who have recently updated their plans — including IT, SOC, and business continuity leads.

  • Tabletop Exercises engage mid- to senior-level stakeholders across business, legal, comms, and technical functions to validate coordination and decision-making.

  • Simulation Exercises involve the full Crisis Management Team and test real-time response across multiple functions under pressure. 

  • War Games are designed for high-impact scenarios and include a mix of Crisis Management Team, senior leaders, technical responders, and domain experts to simulate realistic, cross-functional crisis conditions.

Crisis simulation

Methodology and approach

We approach delivering a cyber crisis exercise with a structured and comprehensive methodology, tailored to your organisation’s specific needs, maturity level, threat landscape, and business priorities. Our standardised framework ensures that each exercise is realistic, plausible, immersive, and engaging. This methodology is grounded in the experience of PwC’s leading Cyber Incident Response and Managed Cyber Defence experts, who have supported our clients in responding to and recovering from hundreds of cyber incidents. While ransomware is a common scenario, we also simulate a wide range of cyber-attack types, rehearsing against several of your most significant threats at once: to test your response capabilities across multiple dimensions.

Our methodology is divided into four stages:

  • Investigate: We work with subject matter experts to define the objectives of the exercise. This includes a kick-off meeting with your team to align on goals, followed by a comprehensive capability review.
  • Design: We create a realistic scenario, including a walkthrough with your team to validate the scenario and injects.
  • Deliver: We facilitate and observe the exercise, typically through a half-day session with the relevant participants.
  • Report: We capture lessons learned and provide actionable recommendations. This includes drafting the report, delivering it, and presenting a debrief. We can go further, and update your Crisis Management Plans based on the recommendations, if you wish. 

Additionally, the exercise is structured as an escalating global effort, divided into four phases: Crisis Discovery, Crisis Response Escalation, Complexity Escalation, and Debrief. Each phase includes targeted activities to manage a cyber-attack, rehearse decision-making, escalate crises, and address complexities.

This structured approach helps your Crisis Management Team build muscle memory, understand the benefits and limitations of your current response and recovery capabilities, and fulfil regulatory requirements.

Realistic scenarios and immersive experiences

Scenarios are most effective when participants are thoroughly immersed in them. We meticulously develop narratives based on real incidents encountered across our network to ensure they accurately reflect the techniques used by threat actors in the real world.

These narratives are enriched with the aid of injects—such as news stories, social media posts, phone calls, or voicemails—that provide participants with evolving updates. Given the intrinsic link between crises and stress, we tailor these injects to heighten realism and engagement.

Our scenarios are structured around distinct types of cyber-attacks, including but not limited to ransomware, third-party incidents, and insider threats.

Recognising the constant presence of uncertainty during crises and the need for decisive action despite it, we design each scenario to encompass multiple attack types, thereby preparing you for a range of possible situations in a single exercise. 

Post-exercise reporting and recommendations

Cyber crisis exercises are primarily focused on training and building muscle memory across your Crisis Management team. Each exercise includes a hot debrief, conducted immediately after the session, allowing participants to share their thoughts and realisations while the experience is fresh. A cold debrief follows later, after notes have been consolidated and recommendations reviewed.

Prioritised recommendations are compiled into a structured report, tailored to your organisation’s threat landscape and response maturity and encompassing best practices and peer insights to optimise your response. This report provides targeted improvements, aiding in resource allocation and prioritisation for the immediate term as well as strategic planning. We can go further, and directly update your Crisis Management Plans based on the recommendations, if you wish.

The report also helps stakeholders understand what benefits your current response and recovery capabilities do and do not support during a cyber event, fulfilling both operational and regulatory requirements.

Crisis good an practice

Contact our experts

Johannes Dohren

Partner, Cybersecurity and Privacy, PwC Switzerland

+41 58 792 22 20

Email

Rocky Lonigro

Manager Cybersecurity & Privacy, PwC Switzerland

+41 58 792 50 78

Email

© 2018 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.