// Incident Response + Tabletop

A plan you've never run is a document, not a defense.

When something hits at 2am, nobody reads a 40-page binder. RiskDown auto-builds your incident response plan from your real footprint, then walks your team through it as a 30-minute drill — so the first time you respond isn't the real time.

Build my IR plan See a drill
tabletop · ransomware · 02:14
INJECT →A staff laptop is encrypted. A note demands payment in 48 hours. Two more machines just went dark.
DECISION →Do you isolate the network now (and halt the office), or keep systems up while you investigate?
Strong contain CIS 17 Incident Response · your choices file action items back to the plan

No 30-field forms. We start from what's already public.

Most IR templates ask you to fill in everything yourself, so they never get finished. RiskDown scrapes your public footprint — domains, mail setup, exposed services — and drafts the plan around your actual business, so you're editing a real document instead of staring at a blank one.

01
Ransomware

Files encrypted, ransom demanded. Who isolates, who calls counsel, who decides on payment, who talks to staff.

02
Business email compromise

A fake invoice, a spoofed exec, a wire request. The runbook for catching it and clawing it back.

03
Lost or stolen device

A laptop walks. What's on it, what it can reach, how fast you can cut its access.

04
Credential leak

Staff logins show up in a breach dump. Reset, rotate, and check what was reused where.

The plan that works at 2am is the one your team has already run once.

A guided tabletop walks your team through a realistic incident in about 30 minutes — decision by decision. It shows where you're strong and exactly where the gaps are, and every gap becomes an action item filed back into your plan, so it doesn't vanish when you close the page.

30 minutes

Not a day-long workshop. A focused drill your team will actually do.

Rehearsed quarterly

Run it every quarter so the plan stays current and the muscle memory stays fresh.

Evidence for your carrier

A completed, dated drill is proof of a tested IR program — exactly what an insurer asks for.

Plan, rehearse, repeat.

1

Auto-build the plan

Enter your domain. We draft an IR plan from your real footprint — contacts, systems, and the incidents that actually hit small businesses.

2

Run a 30-minute drill

Pick a scenario and walk your team through it. Each decision is recorded, with a read on what worked and what didn't.

3

Close the gaps

Action items file straight back into your plan, so the weak spots you found turn into fixes, not forgotten notes.

4

Rehearse quarterly

A reminder brings your team back every quarter, so the plan is alive instead of a file nobody's opened since onboarding.

Don't write the plan during the incident.

Build it from your real footprint, run it once with your team, and have the proof ready before your carrier — or an attacker — asks.

Get protected