Ransomware Is a Business Risk, Not an IT Problem

Change Healthcare. Colonial Pipeline. MGM Resorts. CDK Global. The pattern is identical — and predictable.

What Modern Ransomware Looks Like

Today's ransomware operators are not encrypting laptops. They are criminal enterprises running human-operated intrusions, and they spend 4–14 days inside your environment before encryption — exfiltrating data, disabling backups, destroying logs, and identifying which systems hurt the most when locked. The encryption event is the end of the attack, not the beginning. Readiness is the gap between "we're being scanned" and "we just paid $40M and still aren't fully recovered."

CISA Ransomware Readiness Assessment (RRA) methodology
Aligned to NIST 800-184, NIST CSF, and the Ransomware Task Force playbook
Executive and technical tabletop exercises with measurable scoring
Backup viability testing — not just verification that backups exist
Network segmentation and Active Directory tier-zero review
Pre-negotiated IR retainer activation if you do get hit

What We Assess

The eight readiness dimensions that determine whether you recover in 3 days or 90

Backup Architecture

3-2-1-1-0 review: are backups immutable, air-gapped or offline, tested for restore, and isolated from production AD? We trace every backup credential and rebuild-time SLA.

Network Segmentation

East-west blast-radius analysis. Could ransomware in your call center reach the ERP? Could it reach OT? We map current segmentation against your recovery dependencies.

Identity & Tier Zero

Active Directory tier-zero hardening, Kerberoasting exposure, golden-ticket resilience, privileged-access workstations, and recovery-mode credential isolation.

Initial-Access Vectors

External-attack-surface review of the entry points actual ransomware crews exploit: exposed RDP, VPN with no MFA, unpatched ESXi, public file shares, and OAuth-app footholds.

Detection Coverage

Are you generating logs for credential theft, command-and-control, Volume Shadow Copy deletion, and AD enumeration? We test specific TTPs from LockBit, Akira, BlackCat, and Royal against your SOC.

Incident Response Plan

Plan review against the realistic ransomware lifecycle. Decision rights, communications, vendor activation, regulator notification, and crown-jewel recovery prioritization.

Insurance & Counsel Alignment

Coordination check with your cyber-insurance carrier and breach counsel. Pre-approved vendor list, claim-trigger conditions, and ransom-payment authorization chain.

Business Continuity

Maximum tolerable downtime per business unit, manual workarounds, customer-communication readiness, and revenue-impact modeling for 1-day, 7-day, and 30-day outage scenarios.

Human Factors

Phishing-simulation results, MFA-fatigue resilience, help-desk verification, and security-awareness program effectiveness — the actual initial-access vector for most ransomware crews.

How We Engage

From a 1-day executive tabletop to a full readiness program

Executive Tabletop (1–2 days)

A facilitated tabletop exercise putting your leadership team through a realistic ransomware scenario: detection alert, escalation, ransom note, regulator call. Scored against decision-rights, communication, and recovery-prioritization criteria. Delivered with a board-ready readout.

Best for: Boards, audit committees, leadership teams who have never rehearsed.

Readiness Assessment (3–5 weeks)

Full eight-dimension assessment with technical validation: backup-restore testing, segmentation enumeration, AD tier-zero review, TTP-replay against your SOC. Output is a scored readiness report, a prioritized remediation roadmap, and an executive narrative.

Best for: Organizations preparing for a board ask, insurance renewal, or post-near-miss review.

Annual Readiness Program

Year-round program: initial assessment, quarterly tabletops, semi-annual purple-team validation of detection coverage, and an embedded IR retainer. Cyber-insurance carriers frequently discount premiums for organizations with this in place.

Best for: Mature organizations who want this off the board's worry list permanently.

We Know the Threat Actors

Active intelligence on the crews most likely to hit your sector

Our threat research practice tracks the active ransomware ecosystem in real time. We can tell you which affiliate groups are targeting your industry this quarter, which initial-access brokers they buy from, what TTPs they're using right now, and how those TTPs map to your current detection coverage. Every readiness engagement begins with a sector-specific threat brief — not a generic checklist.

LockBit / Bassterlord

ESXi targeting, double-extortion, MFA-fatigue

BlackCat / ALPHV

Cloud-targeted, SEO-poisoned drive-bys

Akira

Cisco VPN exploitation, Linux variant

Scattered Spider

Help-desk vishing, identity-provider abuse

Closed-Loop With Real IR Cases

Our readiness work is informed directly by what we see in active incident response engagements. The TTPs we found inside a hospital's network last month are the techniques we test against in next month's readiness assessment.

Executive Communicators

Our facilitators are senior operators who can explain a Volume Shadow Copy deletion to a CIO and a quarterly EBITDA impact to a CFO — in the same meeting. Tabletops only work if the room takes them seriously.

Insurance & Board-Ready Output

Reports formatted for cyber-insurance underwriter renewal packets and for board audit committees. We've watched our reports drop premium quotes 15–30% on renewal.

One-Call Activation If You Get Hit

Readiness clients have an embedded IR retainer with a 1-hour SLA. The team that ran your tabletop is the team that picks up the phone at 2am.

Ransomware Readiness FAQ

Three things: a scored readiness report across eight dimensions (backups, segmentation, identity, detection, IR plan, insurance alignment, business continuity, human factors), a prioritized remediation roadmap with effort and impact estimates, and an executive narrative your board can read without translation. Optional add-on: a validated tabletop exercise and TTP-replay against your SOC.

A penetration test finds exploitable vulnerabilities. A readiness assessment asks: if a ransomware crew gets in (and they will, eventually), will you survive it? We measure recovery capability, not just attack surface. Most clients run both — pentest reduces the probability of an incident; readiness reduces the cost when one happens.

Yes. Our reports are formatted for the underwriting packets used by major carriers (Beazley, Chubb, AIG, Coalition, At-Bay, Travelers). Carriers increasingly require evidence of ransomware-readiness work at renewal — particularly in healthcare, manufacturing, and municipal verticals. We've seen our reports drop premium quotes 15–30%.

Yes. We restore backup samples to isolated environments and validate (1) the restore succeeds, (2) the data is uncorrupted, (3) the restore meets your stated RTO, and (4) backup credentials cannot be reached from a production-compromised account. This is the test that turns up the most uncomfortable findings — "we have backups" and "we can restore from them" are not the same thing.

3–5 weeks for the standard assessment. A 1–2 day executive tabletop alone can be scheduled within 2 weeks of engagement. Annual readiness programs are 12-month rolling commitments with quarterly checkpoints.

You activate our IR retainer — instantly. Readiness clients have a 1-hour SLA built into the engagement. The team that knows your environment already has it on file and is on call.

Find Out Today What You'd Find Out the Hard Way

Ransomware readiness assessments, executive tabletops, and annual programs from senior responders who handle real cases every week.