Video: Operationalizing Incident Response: Compliance-Ready Tabletop Exercises with an AEV Platform | Duration: 3544s | Summary: Operationalizing Incident Response: Compliance-Ready Tabletop Exercises with an AEV Platform | Chapters: Welcome and Introduction (5.04s), Welcome and Introduction (150.69s), Proactive Cybersecurity Trends (307.18s), Rise of Resilience (552.145s), Incident Response Capabilities (1109.085s), Regulatory Resilience Requirements (1562.635s), DORA and CORIE Regulations (1700.225s), Vendor Cybersecurity Compliance (2119.445s), Tabletop Exercise Frequency (2401.11s), Efficient Tabletop Exercises (2814.835s), Frequent Resilience Testing (2979.995s), Continuous Exposure Management (3183.675s), Conclusion and Takeaways (3326.395s)
Transcript for "Operationalizing Incident Response: Compliance-Ready Tabletop Exercises with an AEV Platform":
Alright. Hello. Hello, and welcome, everyone. If you can hear me, please put a note into the chat. We are going to give it a few moments for everyone to join before we get started. So you still have time if you want to get up, grab a cup of coffee or tea, and we will start in something like two minutes. Again, if you hear me, please put a note into the chat.

Hello, everyone. Welcome to those who joined. I see we are a big crowd now, but we are actually waiting for even more people. So we are going to wait for another minute, and then we will start in about one minute. Thank you.

Okay. I think we could start now. So let's go ahead. Welcome, everyone, to today's session. We are going to talk about operationalizing incident response, and more specifically, we'll talk about compliance-ready tabletop exercises with an AEV platform. My name is Marie. I will be your moderator. If you have questions, I will bring them on. I have a few housekeeping items for you before we start. First, the session is being recorded. Anyone who registered for the event will receive the on-demand version afterwards by email. Second, if you have any questions for our speakers today, you can ask them by clicking on the Q&A on your right-hand side. You will see the Q&A tab. You can also post them into the chat. You will see this session is divided into three parts. At the end of each part, we'll have a poll, and during the poll, we will also take questions. We will also leave some time at the end to address as many questions as we can. If we don't have enough time to go through all the questions, we will come back to you personally through email to get your question answered. About the poll: when it becomes active, you will see it as well. Next to the chat, docs, and Q&A tabs, there will be another tab called Poll with a red dot, and I will tell you. So you will just have to click on it to be able to vote.
And I think I forgot something. Yeah. The docs. You also have a tab with the docs where you have all the relevant resources for today, basically. So that's enough for the housekeeping items. I think we are going to get into the session. I will now let our speakers introduce themselves. We have Nina Sharma, our product marketing manager, and Damien Skillz, our solution engineer, leading APJ, actually based in Australia. I leave the floor to you first, Nina.

Thank you, Marie, and a very warm welcome to everyone. My name is Nina. I am the head of the product and customer marketing team here at Filigran. I've been a strategic marketeer all my professional life, and I've been in the cybersecurity space for about twelve, thirteen years now, which means I have learned a lot of buzzwords and acronyms, used them too, and you can now add AI to pretty much everything. But jokes apart, I've had a front-row seat to a lot of change. I've seen some new security categories appearing, like EDR, XDR, adversarial exposure management, AEV, which we will talk about today. Some categories have quietly disappeared also, like standalone vulnerability scanners. A big part of my job as a product marketeer, and something that I really enjoy, is tracking market trends and understanding customer pain points and how they reshape, or rather how they should reshape, cybersecurity solutions. What's the hype? What's real? What are these security teams genuinely struggling with? This is the insight that we today, you know, bring into the business also. Part of it is talking to our customers and prospects directly, and this is why we are here today. One of the most exciting shifts I'm seeing this year is this shift towards proactive cybersecurity and improving cyber resilience. Traditionally, incident response plans have often been, you know, treated like a compliance checkbox exercise or something you write, file away, and hope you never need.
But should that really be their primary purpose, or can we actually turn them into a real advantage and a lever to actually improve our security posture? So that's really the topic of the webinar today. And we have decided to keep it very light on slides, heavy on honest conversation, sharing the market and customer insights with you, and also to hear from your side what you are seeing and what you are expecting from vendors like us. So please keep your questions coming. Challenge us, disagree with us if you like, but, hopefully, together, we'll make a genuinely useful session for you. Over to you, Julian.

That's me. Okay. I've cleared my throat. So hi everyone. I'm Damien Skillz. I am the solution engineering manager for APJ. I'm based, I think as Marie said, in Sydney. So I have been at Filigran about eighteen months now, and before that I have a long and chequered history in threat intelligence platforms, threat intelligence solutions and feeds, SIEM, SOC solutions. So my career goes back to the point where SIEM was cool and trendy and new, so that's a fair way back. I currently head up the technical solutions in APJ, although I have also worked in EMEA a fair bit of my career. And yeah, I really love working with large complex customers with complex requirements. I tend to work with MSSPs, with large banks, financial organizations, telcos, government agencies, government organizations. And I like working with solutions that can fulfill these needs, which is why I'm currently at Filigran. So, I think that's everything about me, and I'm very pleased to be talking to you today.

Thank you both. Before we start, I am going to give a bit of context. So first, cyber threats aren't slowing down. They're faster, they're more disruptive, and they hit where it hurts the most, which is usually our ability to keep the business running.
So the question isn't anymore, can we stop every attack, but more, how do we respond when it happens, and how quickly can we recover? So one of the answers is tabletop exercises, but the challenge is to scale them across teams and geographies. It's often manual, inconsistent, and hard to measure. So today, we're going to discuss how a modern adversarial exposure validation platform like OpenAEV enables teams like yours to combine technical breach and attack simulation with realistic tabletop exercises, so you would be able to both validate your defenses and your decision-making process. So, yeah. And last, we will also discuss how this integrated approach transforms compliance from a checkbox into a real capability and makes resilience a measurable and continuous practice. If you're okay, we'll dive into the questions now. So I will go with my first question for Nina and Damien, where I need to actually show. No. I don't show the question. That's fine. So, first question: it seems that there has been a growing focus on resilience in the last few years. What is driving this trend? Nina, if you can, go first.

I'm actually going to hand it over to Damien to get started, and then, yes, I'll add.

Alright. Okay. So, yeah, this is very, very definitely a trend, and I think you saw this at the shows like Black Hat, etc., the last couple of years. You know, especially in, say, governments and banks, it's been large for a while. You know, you have resilience teams and so on, but certainly I think it's becoming more mainstream.
I mean, I've been in the industry from when we used to talk about blocking all threats, and as a vendor you'd say, okay, we can block every threat that you see. And then we moved on from being able to block everything at the firewall to it's not if you're going to be attacked but when, or rather, it's not if you're going to be breached but when, and that evolved into the assume breach mindset, which again I think we've accepted now for a few years. I listen to the SANS StormCast, which is a daily podcast which just gives an update on things like vulnerabilities. And on the podcast, they basically highlight the latest certain perimeter device vendor, whether it be VPN or firewall or next-gen firewall, where they say if you haven't patched, then assume breach. So we are in this world now where you, you know, you can easily, maybe multiple times a year, assume breach. And with resilience we're moving on to almost this concept of assume impact. So yeah, I think it was about maybe seven or eight years ago now we used to track the number of days that an APT, an advanced persistent threat, would be present in your network before they were detected or evicted. And I remember there's this golden figure which has been in my mind from a while ago, which was: two hundred and five days was the average dwell time. This is going back a few years, and that number's been shrinking. You know, as adversaries have been becoming more capable, as they're getting faster, more professional, those figures have shrunk to a hundred days, fifty, thirty. And there was a recent Google Threat Intelligence report where I think for certain vulnerabilities, they're actually seeing exploitation of those vulnerabilities at day minus one. So at the same time, pretty much as soon as the vulnerability is announced and has existed maybe for a little while, then organizations are being breached using that vulnerability.
So, yes, certainly it's a more hostile environment by far than it used to be, but also the impact is much larger. You're seeing faster time to impact with these breaches. With Ukraine, for example, there have been several events of wiper malware. They're destroying entire networks, entire organizations, and this is becoming more commonplace. So, if you look at impact, then you're assuming breach, you're assuming impact, and you're really preparing yourselves as an organization as to how you respond to that impact. So it's gone from simply DFIR, the incident response, to assuming that your devices are being encrypted, the data is going out the door, and you're looking at how to contain the situation, how to manage the crisis, and it moves on to communicating with stakeholders, understanding and handling the legal and the regulatory obligations, and getting, of course, back to restoring operations as quickly as possible. And there have been very, very public instances recently. They're really main headline news, without mentioning any companies. There have been published losses in the billions of dollars very, very recently of organizations who have struggled to recover from the impact of such a breach. So certainly resilience is very, very definitely top of mind. And, you know, these news stories only help to bring it to the front of mind. And then, of course, there's Ukraine. And I think with the early wiper attacks in Ukraine, I think there were some wiper attacks against their energy infrastructure. One of the telcos, their largest telco, I think it was Kyivstar, had a few thousand servers wiped out by a nation state threat. All of these enforce and reiterate the need to be able to recover from the impact of such a breach. So what you're seeing is this is, of course, very, very front of mind in Europe, which is much closer to the conflict in Ukraine.
And what we're seeing is that organizations, particularly there, are looking at how... I was actually watching Rocky for the first time, but they've seen Rocky before. So Rocky the movie, the boxing movie. I was watching that on the plane this week. And when you're a boxer, you train to get punched in the face, because you will be punched in the face repeatedly over tens of minutes. So really, organizations are looking to build their resilience and training themselves to handle being punched in the face, that there will be, and they have to know how to handle that. So, organizations are looking to handle that themselves, and regulators are also asking, if you went by ransomware, if certain critical business processes were disrupted by a ransomware attack, a wiper attack. The regulators in certain industries as well want to know what you actually do. Can you assure us that you can respond to those kinds of incidents in the critical hours? How do you communicate? How do you know who makes decisions? Have you been through these processes? Do you require alternative sites? Do you require alternative systems? So these questions have been and are being raised in various different organizations, and particularly in Europe. So going back to the boxer metaphor, in order to train, in order to go in the ring for the actual fight, you do need to, if not punch yourself in the face, then have someone punch you in the face and go through those training exercises. So go through tabletop exercises, go through breach simulations, iterate your processes, run realistic scenarios, and keep going and going until everyone feels comfortable with how they would react if, or rather when, that real attack and real impact takes place.
And you do hear stories. I think I spoke to someone a couple of weeks ago who was talking about simulating their crisis communications in the event of such a crisis, and it turned out that they'd lost their Slack credentials. So they had a password manager where the Slack credentials were stored for the emergency Slack, and something had happened to that password manager, and no one could actually log in to Slack to communicate in the event of a crisis. So testing these backup solutions, backup systems, backup communications to make sure that they work and everyone knows how to use them, these are all parts of resilience.

Yep. Thanks, Damien. That was actually great. And you covered all grounds so beautifully. I totally agree with what you said. I mean, cyber resiliency is not new. Right? That's the whole basis or premise of cybersecurity in a way, but definitely there has been an increased focus on it in recent years, mainly because, like you were saying, of the impact, the business and financial impact that we see, that some of these, you know, almost all of the high-profile cyber attacks that we have seen this year have been able to do. You took Ukraine's example. Here in the UK also, we have seen some very high-profile attacks this year, whether it was Marks and Spencer, Co-op from the retail ecommerce sector, or auto manufacturing with, you know, the Jaguar Land Rover case, which even resulted in slowing down, you know, the UK's economic growth. So because every organization now is running on interconnected digital services and global supply chains, then, of course, digital dependency now means that downtime is not just a security risk. It's a business risk. And one big part of it is also how it hits customer trust. So not only the financial damage to the company in the short term, but the actual ramifications of it on customer trust and reputation in the long run.
So that's why I would say that resiliency is becoming a competitive differentiator, even. Can you keep delivering under attack? Can you recover faster than your peers? What does your communication plan look like? You know? How does it work in action? How are you going to keep your internal teams updated so they can communicate that with the customers? And, like what Damien mentioned, using the analogy of the boxing ring, I guess what we are coming down to is to be able to do that in practice so you don't have to do that in real life. Right? So be ready, be prepared. And this is what regulations and governance frameworks are also pushing for. It's just not enough to say that you have controls; you have to actually demonstrate that operational cyber resilience. This is what regulators are asking for. This is what boards have started to ask for, and this is what is going to trickle down to the security teams also. So, again, it is kind of becoming an important topic. That's it from my side, Marie.

Yes. I was looking at how to get unmuted. Yes. Thank you, both. So, I just launched the poll. You can see it on the right-hand side, next to the chat and the docs and Q&A. The question is: when you hear the term cyber resilience in your organization, what do you feel is the biggest gap right now? You might need better security tools; a clearer strategy and better leadership support; or you need to invest in employee awareness and training; you need incident response and recovery capabilities; or you think you're fairly resilient and your main need is continuous improvement. So you can go to the poll tab and start to vote. And meanwhile, we will take the first questions. So the first question is from Vishak. How is OpenAEV executed? Show it technically rather than in grammatic. So I take that one already.

Yeah. I would love to show it technically. I don't actually have a demo right now.
I think we have some demos coming up later in the month. So I can talk to it in principle, and I apologize. That's not exactly what you're looking for right now. But just summarised quickly, OpenAEV can play scenarios of combinations of technical attacks alongside tabletop exercises. I don't wanna spoil it. I think we can probably cover a bit more of this later. So I'll answer that briefly for now, and then we can get into more detail. If we don't cover it as part of the questions, I can cover it at the end.

Alright. Thank you. And we start to see answers. So, I think most of... sorry? Sorry. I was gonna say, if you want to submit an answer to the poll, on the right-hand side you'll see the poll option with the red dot. Yeah. I was actually on the main screen, but it's not there. It's on the red dot on the right, as it is. Yes. It's on your, yeah, right-hand side, next to the chat. You see Poll with the red dot, and you can click. I think most of the people have actually clicked incident response and recovery capability, if I see well. And then, we need a clear strategy and better leadership support, which is also, yeah. Definitely.

Yeah. And I would just comment on it. This is kind of, again, really good input and response from the audience side. So thank you, first of all, for it. And it kind of ties very nicely with why we are doing this session today. Right? Connecting the cyber resilience, security strategy, incident response plans, and then how, you know, tools can help you actually execute on it. But the starting point is to have that clear strategy, and you don't have very clearly laid out plans that you can then put in practice with the use of the tool. So it aligns with your responses. So thank you for that.

Yep. And we also have a few people who are saying they are fairly resilient and they need continuous improvement, which is good. Yep.
Alright. So I'm gonna close this poll and stop sharing, and we will go to our second question. Let me go here, for Nina and Damien. What requirements do newer regulations like DORA in the European Union and CORIE in Australia place on organizations in terms of resilience? Damien. Yep. Take that first if you like.

So, I think DORA is probably the biggest one in terms of scale and impact, in terms of number of organizations affected, because we have CORIE here in Australia. Australia is a smaller market than Europe, so I think DORA is gonna have more of an impact generally in the market. So, with DORA, it's funny, again, I've been in the industry for a while, and I didn't see PCI DSS come out, but I saw PCI DSS, which is the regulations around security of credit card handling and information. And it was unfortunately very true that the one way to get your security program funded was to have a PCI compliance requirement, because regulatory compliance introduces budget to be compliant with those regulations. So likely we'll see this with DORA and CORIE as well, where having a regulation which is presenting these requirements which your organizations have to comply with will hopefully fund organizations and the teams within those organizations to build resilience within those organizations and to build those programs. So DORA specifically, I think it came into effect January 2025. It's the Digital Operational Resilience Act, and it's basically a framework covering IT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. So, specifically, articles 25 to 26. I'll get this, let's get these the wrong way around. So article 25 is that all the financial entities, so major financial organizations, structural financial organizations within the EU, must conduct regular testing, but scenario-based testing, of the critical IT systems and processes.
And this does explicitly include tabletop exercises. So this is a legal requirement that these exercises must take place. Now typically you're engaging senior stakeholders, you're simulating the decisions, the pressure, the environment in which these decisions have to be made, and they must simulate really relevant, realistic threats. So they must be relevant to, say, a ransomware campaign which is currently or recently active. It must be something which you're likely to encounter in practice in business operations. So it covers testing of incident classification, regulated reporting chains, the communication protocols, and the decision making under pressure. So really, that being punched in the face, you know, as a large financial organization, punching yourself in the face in order to make sure that when you do get into a fight, a real fight, then you're able to handle yourself. So that's article 25, and then article 26 goes deeper into the TLPT, which is the threat-led penetration testing. So this is, well, as it sounds, it's live red team testing. Again, you need current threat intelligence. So you would look at recent campaigns by recent threat actors who are likely to target your organization, say targeting EU banks, for example, and you're running live red team testing against your organization to test your defenses, to test your blue team, their efficiency, their efficacy, and how, again, you react to the red team exercise and detect that. So, this is the red team testing, and it needs to be followed by governance-level validation. So this is again through executive tabletop exercises, reviewing the decision making that takes place in this scenario. So that's DORA. And DORA is based on TIBER-EU, which is a framework of this threat-led penetration testing framework. CORIE is also based on TIBER-EU, and that's really an Australian flavor similar to DORA.
So it covers the planning, threat intelligence, planning where you're building up your scenario that you're going to simulate for the exercise. It then covers phase two, which is the actual execution of the campaign. And then phase three is assessment and debrief, which again is something which is, I wouldn't say it's often overlooked in these scenarios. It's generally overlooked in red teaming, or at least not practiced as much as it should be. And this is your lessons learned. This is reviewing the response, reviewing the exercise, and understanding what you can do better, taking actions away from that, and then implementing those actions to improve your resilience. So CORIE is the red teaming followed by the tabletop components and the assessment and review after that. So, across these, I mean, the emphasis is that they're threat-led. They're using real threat intelligence. They're seeking to simulate a real threat. I haven't done that anecdote about my surf life saving club, but I'll skip that for the moment. We'll stick with the punches in the face. If you're training as a boxer, then you don't simulate being hit in the face. You, you know, take punches under some level of pressure. So these threat-led scenarios are intended to really try and simulate the threat which you would be facing in a real scenario. They must be realistic, they must be relevant. You must engage the organization, again, as you would in reality. So you want cross-functional participation. It's not just an IT exercise; it's involving the senior business leaders, risk team, legal, and, you know, any other groups which are involved, maybe the leaders of each business unit. And this goal is to test the decision making and the escalation chains. It's not just purely a technical exercise. So I think I've covered most of DORA and CORIE here. Certainly, you need to be able to document this as well.
You need to be able to demonstrate this evidence when you're audited for this. This involves things like participants, the teams, the players as we call them. So who's involved, what roles they played, the timelines as the scenario unfolds, the responses taken to each trigger or each event, what remediation was taken, and following that through all the way to the eventual remediation of the incident. So this is something which is required, and I believe is audited, well, it is audited as part of the regulation, and that again should lead to continuous improvement. So in running these exercises, the most important part, of course, is to improve from that. And to do that, ideally, as an organization, especially a large mature organization, you want to be able to set goals and improve your response and therefore improve your resilience in a consistent and measurable way. So I think I've covered all of that. Yeah. I think that covers DORA and CORIE pretty substantially. Maybe I can hand over to you, Nina. Nina, you're on mute.

Okay. I'm sorry. Thanks, Damien. I was saying you explained the regulatory side of things again so nicely. And what does it mean for customers more from, you know, your cybersecurity stack perspective? So in practice, these regulations are pushing you to look beyond your point controls, right, and ask, do my existing security technologies and tools help me to be genuinely threat informed? Or, the newer investments that we are going towards, are they going to help us to be more, you know, threat informed? Understand the adversary-driven exposure, respond in a way that we can prove and improve over time. So from my side, this is what I say: look beyond the point solutions, because they create more silos.
I think one of the positive sides of these regulations is that it almost forces security teams to work together from an incident response planning perspective, from a tabletop exercises perspective. So, like, teams won't be able to do this in isolation end to end. Right? And that's the whole purpose, and this is something that the vendors should also be enabling by providing solutions that help information flow through your security stack, provide you the visibility in terms of what's priority, what's high risk, what's relevant for you. So, really, you know, challenge your vendors to make sure that they're supporting your incident response plans in a comprehensive way. My suggestion for this session is this set of four questions for you, and for you to ask your vendors. First is, like, are we threat informed enough to satisfy these regulations? So that's really kind of the starting point. And then, for the vendor, it's how easily, you know, they allow you to bring your threat intelligence and exposure data into the platform so you can, you know, drive decisions from it. Second is, do you have the visibility to manage resilience, not just individual alerts? Are your vendors helping you to understand that blast radius in business impact, not just, you know, IOCs or technical indicators? So there is this real, you know, push to understand the cyber risk holistically and being able to prioritize what's really relevant for you. Because regulators are looking for the ability to prioritize response based on business impact, not just, you know, how you respond to tickets, for example. Third question is, you know, are your playbooks real or just documents? And are your vendors, again, helping you to simulate these or rehearse these as per DORA or CORIE specifications? You know, a compromise of a key service provider, data exploitation by a known actor.
So are you able to kind of bring all that intel together and then build your simulation programs? As Damien said, both of these regulations emphasize testing and exercising on a continuous basis. And finally, again, Damien mentioned that too. Right? Can you prove it to management and regulators? So are you asking your vendors in terms of, you know, the ROIs or the resilience metrics that help you, you know, support or do these reports, in terms of whether it's mean time to detection, time to respond, time to contain? But are your security tools allowing you to kind of extract these metrics and report on these? These are a few of the questions I would suggest, you know, you should really start to put together.

Alright. Thank you. And we actually do have a question. Does OpenAEV provide recommendations tied to NIST or other IR frameworks after each tabletop session?

Okay. So actually, at the moment, it doesn't. What we have at the moment in OpenAEV is scenarios. So there's a mix of, say, purely technical scenarios, tabletop scenarios, or blended scenarios. Blended scenarios, I don't think they are mandated by DORA or CORIE, but it's certainly something which adds to the reality of a simulation. So, yeah, we have canned scenarios for different resilience exercises, and the tool itself doesn't provide recommendations. What it does do is it allows you to track the findings. So to provide metrics as to the time to remediate, time to close, the progression of the attack and how the team responded to each stage of the attack, we can track those metrics. And then what OpenAEV can do as well after that is also send questionnaires to the players to ask them to self-assess on how they responded to each of the injects, as we call them. So, it doesn't do that automatically as, say, part of the package at the moment. I know that that is on the road map.
What it does do is it provides the framework. It provides the metrics, the frameworks, and the tools to allow an organization to use it as the collection point of all these inputs to then perform their own analysis and their own assessments and outputs from the exercise.

Yeah. It's part of the road map for, latest, Q2 2026. At the latest.

Alright, great. I hope it does answer the question. I don't see more questions for now. The poll is on, so let me share the question. How would you rate your organization's current understanding and mapping of tabletop exercises with regulatory requirements? So: we don't really map tabletop exercises to regulatory requirements yet. We do some, but it's informal and inconsistent. We have a defined mapping, but it's not fully up to date. We have a well documented, regularly updated mapping. Or you're not sure and you don't have visibility into this. So please go ahead and vote. I'm gonna look at the votes. It's ongoing already. Yeah. Alright. So I'm gonna share the result. So again, it's on your right side. Just next to the chat tab, you see Poll with a red dot, and if you click on it, you can vote. Let me share. It's not a great way to share, so that's why we have those slides, but then you can see the results here. Most of us said, oh, well, that's not the right one I'm sharing. Hold on. I am not sharing the right one. I'm back here. So what do we have? Most of the people said we have a well documented and regularly updated mapping, which is good. Almost all of the people who voted. And then, we do some mapping, but it's informal and inconsistent. And one person said, oh, well, two people said they're not sure. Three, okay. The votes are still ongoing. Yes. Yeah. So some people say they don't have visibility into this. Alright. Alright. I think it's enough. I'm gonna close this one.
And we are going back to, now, the last question, question number three for our two speakers. How often should organizations run tabletop exercises, and who should be involved? Okay. Who goes can? check this. Damien, you go first. Okay. First again. Okay. Thanks. Thanks, Marie. I know how long I think they should be run, and I do also know how long the regulations say they should be run, and, for some customers I've spoken to, how often they run them. So, I see it typically in large financial organizations, not necessarily because of the regulations, as in they were doing this beforehand in many cases. But, typically, annually is something I see most commonly. I think just as a regular cadence, and it fits, you know, with various other processes and reporting and so on. The regs, you know, they go back as infrequently as every three years, but you do see best practices suggesting one year or sometimes even more often. So I think it's the UK, their FCA, yeah, so the FCA's operational resilience framework either recommends or requires testing annually. The MAS, the Monetary Authority of Singapore, MAS, who I was talking about this week, I believe they also require scenarios to be run annually. So, annually seems to be where most of the regulations are and also where the large organizations tend to land in terms of frequency. Having said that, you know, we have a reference customer ourselves who run them, I believe, monthly. So, and this is something which the tooling assists with. So typically when you talk about tabletop exercises, we talk about red teaming. Red teaming exercises themselves can last, depending on the nature of the exercise, that can last many months at the longer run one red team exercises. And that's for the ongoing, careful, cautious red teaming itself, the compromise of the organization, to achieve the planned goal.
For tabletop exercises, as I say, they typically run annually. And they, you know, they run usually with PowerPoints and Excel. So, in forming the planning, you know, if you Google tabletop exercises, tabletop planning, you'll find many consultancies that offer these services, and they offer a service which can run over weeks, where they interview stakeholders, understand business processes, build out detailed playbooks for the scenario, build out Excel sheets of the stages of the scenario, and so on and so forth. So, with all that work, it can take many weeks or even months to plan out a scenario. And to answer the question earlier from, I think it was Vishaac, you can use OpenAEV to streamline the rest of this. So, certainly, OpenAEV is designed to be able to build out these scenarios as a package within the tool and then be able to replay those. And not just to be able to replay it, well, you can replay it, say, if you're working as a consultant, you can use this as a way to automate the structure of much of the content and the processes around the tabletop exercise. But also if you're a single organization and you're running these exercises, it gives you a framework, the automation, the tooling, to be able to run them much more efficiently. And this is the reference case that we have. So if you're using a tool to drive these simulations, you can certainly improve your efficiency by threefold, if not more. I think what we quote is 99 times more efficient. So yep. So the tools help with that, and because of the fact that the tools make this much more streamlined, it can then allow you to run the resilience exercises much more frequently than, say, a minimum of one year or three years. So there is that. I think, otherwise, the thing is, at the end of the day, you're trying to achieve this outcome. You're trying to build resilience.
So if you're only running it, say, once a year and you're losing the muscle memory, and there's certain other aspects, you know, your password manager expires and you lose access to your emergency Slack, or the SIM cards and the phones expire, which is another thing. All these things happen. So certainly if you are able to use tools such as OpenAEV to run these exercises more frequently, then it certainly pays to do so, because then with a shorter gap between the exercises, assuming you're not placing too much more load on the stakeholders and the players, then it allows you to test your controls, test your processes, refine them, get data with improvement, as well as catch all those gaps which will pop up between, no, especially if you're running every one year or three years, catch all the gaps in your processes and the changes which you otherwise wouldn't have detected. So yeah. And then the other thing is, if you are able to run your tabletop exercises much more efficiently, so you know you're not having to spend weeks gathering your PowerPoints and your Excels and so on, if you are able to run them in a much more automated fashion, then why not run them concurrently with your breach attack simulation and your red team exercises? Because, again, if you're able to use a tool like OpenAEV where you can blend the human response and the scenario and the media pressure and the legal discussions, and you can trigger those off the actual red team events. So rather than having, say, red team on day one or in advance and then the tabletop exercises as an almost separate exercise afterwards. If you can run them concurrently so that you can actually leave real artifacts for forensic investigation in your logs, you can, you know, trigger an actual technical response on an endpoint.
You can trigger an alert in your SIEM, and then that flows through to the tabletop exercise and the questions from the stakeholders and the incident response team trying to find the answers to those questions. Again, that's much more real. That's a much more real scenario. It may be more fun. And it allows you to have more confidence in your resilience, which at the end of the day is what you really want to be able to report to the board, that you are confident that, you know, one, that you're compliant with your DORA, Corey, etcetera requirements, but also that you're confident that if one of these newsworthy breaches happens to your organization, you feel comfortable that you would be able to handle it. That you have the muscle memory, the team are skilled and trained, and you are ready to take that punch in the face, effectively. So, yeah, I think that's a long way of saying at least annually, I think, but certainly if you can do it more frequently, if you have the tooling to support it, then yes, you should do that too. Yeah. And what you were describing, Damien, is also this whole evolution of breach and attack simulation tools or pen testing tools towards adversary exposure validation tools like OpenAEV. And this is what it is now allowing you to do, to move from static, technical, disparate exercises and validations towards continuous exposure management and validation. This is how you can now actually realistically reduce the cyber risks by continuously improving your security posture. You know, why would you, you know, need to do that as isolated exercises where now you can actually be able to, in time, you know, use your threat intel, your prioritized threat intel, and be able to build scenarios which allow you to do that continuous validation. And a lot of it is actually automated as well. So that's what it means. It's cost effective, as Damien was describing.
And the broader benefit of bringing these different teams together: look at, again, the, you know, cyber risks holistically, use your intel, and be able to do continuous validation resulting in continuous improvement. And this is how it then benefits tabletop exercises or crisis simulation exercises. Any kind of good AEV tool should allow you to assess all angles, and not just your security controls, but your security processes and people as well. And this is this whole shift towards what Gartner also describes as continuous threat exposure management, CTEM, a really kind of useful framework to move towards that proactive cybersecurity. Yep. That's it from my side, Marie. Thank you. Thank you both. That concludes the session. We have the last poll. It's already on. Let me share the slides so you can see the question. It's a little bit better. So based on the discussion today, do you foresee better standardization and scaling of tabletop exercises with AEV tools like OpenAEV? And a few people already responded. And so while we let people vote, again, it's on your right side, you know, by the chat. I also wanted to highlight the doc tab, where you can find a lot of useful resources. And for those who really want to see it in action instead of discussing it, there is also a link to book a demo for an OpenAEV demo. Alright. So now I'm going to share the results of the last poll. So, yeah, two people said yes, I expect a significant improvement. Most of you said somewhat, I expect moderate improvement, while it's still moving. And we have one person that is still skeptical. It doesn't matter really what you answered. I think, if you are unsure, we can still talk, because we can show you the tool. And once you've seen the tool, then you can make your decision. That's all. Actually, I'm gonna close the poll and stop sharing. I'd like to thank our panelists for joining us today.
I'd like to thank you all for joining us today. If there is one thing to take away, it is that cyber threats are not slowing down. Resilience isn't really an option. It's your ability to respond when disruption happens and to prove that capability with confidence. Compliance isn't just about passing an audit. It's about demonstrating that your organization can keep the business running under pressure. And that requires more than technology. It takes people, processes, and practice. So the organizations that are succeeding are the ones that are continuously testing and improving. They're combining those technical breach and attack simulations with realistic tabletop exercises to validate both their defenses and their decision making process. And yes. So OpenAEV makes this possible. If you want to see it in action, of course, come to us, book an email, have a look at the website. We also have a lot of documentation if you prefer to have a look on your own first. And that's all. Thank you for being part of this conversation, and we will see you next time. Thank you, Marie. Thank you, everyone. And thank you, Marie. Thank you very much. Bye. Thank you. Bye bye.