Multi-vector attack

For mature SIRT and SOC teams. Full day, 6-8 hours. Requires a facilitator team.

The scenario exposes what all the other playbooks in this section approach only partially: the assumption that incident response proceeds sequentially. Real incidents often do not. Multiple vectors arriving in parallel force prioritisation decisions that reveal how the organisation actually allocates authority under pressure, how teams communicate when every channel is saturated, and whether the playbooks that work for isolated incidents remain functional when two or three are running simultaneously. This is an advanced exercise. It produces the most learning in teams that have already worked through the individual scenario playbooks and believe they have a solid incident response capability.

The scenario

Five vectors activate within the first 30 minutes: a phishing campaign with credential compromise, a DDoS attack degrading customer-facing services, suspicious internal account activity suggesting insider threat or credential abuse, automated exploitation attempts on a known vulnerability, and an anonymous report of company data appearing on the dark web. No single vector is extraordinary. The combination is.

The exercise runs in four phases over six to eight hours. The initial chaos phase forces triage decisions before the full picture is clear. The sustained pressure phase introduces complications: some vectors appear to resolve, others escalate, and fatigue begins to affect decision quality. The crisis peak phase requires the team’s largest decisions under the most external pressure. The recovery phase tests whether the team can shift from response to communication and documentation while some threats remain unresolved.

Preparing the exercise

This exercise requires a facilitator team: a coordinator managing the overall arc, actors for business stakeholder roles, actors for media and external contacts, an observer, and a technical inject coordinator. Brief each on their role and on the pacing intent. The facilitators are not trying to overwhelm the team; they are maintaining pressure at the level that produces real decisions without crossing into paralysis. Distinguishing those two states in real time is itself a facilitation skill.

Prepare five inject tracks, one per vector, each with pre-written complication escalations. Each track needs to be able to run independently for the first 90 minutes. The facilitator team coordinates to prevent the team from resolving all vectors simultaneously and to ensure that at least two are always active through the sustained pressure phase.
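A facilitator team can check an inject plan against the pacing rules above before the day: every vector activates within 30 minutes, every track has material to run alone for the first 90 minutes, and at least two vectors stay active throughout the sustained pressure phase. The following is an added example, not part of the original playbook; the phase boundaries, the 30-minute maximum gap between injects and the sample inject times are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical phase boundaries in minutes from exercise start (constructed).
PHASES = {"initial_chaos": (0, 90), "sustained_pressure": (90, 240),
          "crisis_peak": (240, 330), "recovery": (330, 420)}


@dataclass
class Track:
    vector: str
    injects: list                      # sorted minutes at which injects land
    resolved_at: Optional[int] = None  # minute facilitators let it resolve, if ever

    def active(self, minute):
        """A vector counts as active from its first inject until it resolves."""
        return self.injects[0] <= minute and (
            self.resolved_at is None or minute < self.resolved_at)


def validate(tracks, phases=PHASES, activation_window=30,
             independent_until=90, max_gap=30, minimum_active=2):
    """Return a list of pacing problems; an empty list means the plan holds."""
    findings = []
    for t in tracks:
        first = t.injects[0]
        if first > activation_window:
            findings.append(f"{t.vector}: first inject at minute {first}, "
                            f"after the {activation_window}-minute activation window")
        # Independence: no silent stretch longer than max_gap before the horizon.
        prev = 0
        for m in [m for m in t.injects if m <= independent_until] + [independent_until]:
            if m - prev > max_gap:
                findings.append(f"{t.vector}: {m - prev}-minute gap before minute {m}; "
                                f"track cannot run alone to minute {independent_until}")
                break
            prev = m
    # Sustained pressure: report the first minute with too few active vectors.
    start, end = phases["sustained_pressure"]
    for minute in range(start, end):
        n = sum(t.active(minute) for t in tracks)
        if n < minimum_active:
            findings.append(f"minute {minute}: only {n} vector(s) active "
                            f"in sustained pressure phase")
            break
    return findings


# Constructed sample plan: ddos and exploitation resolve; the other three persist.
PLAN = [
    Track("phishing", [5, 25, 50, 75, 120, 200]),
    Track("ddos", [10, 35, 60, 85, 150], resolved_at=180),
    Track("insider", [15, 40, 70, 110, 170, 260]),
    Track("exploitation", [20, 45, 65, 90, 130], resolved_at=160),
    Track("dark_web", [28, 55, 80, 140, 230]),
]
```

Running `validate(PLAN)` on the sample returns no findings; letting three tracks resolve before the crisis peak, or starting a track late, produces a finding naming the track or minute at fault.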

Running the exercise

The most important thing to observe in the first phase is prioritisation. How does the team decide which vector gets the most attention? Is there an explicit command decision, or does attention drift toward the most vocal stakeholder? Does an incident command structure emerge, or does coordination become informal as pressure rises?

In the sustained pressure phase, watch for decision fatigue. The team will have been responding for two to three hours. The quality of decisions at hour three compared to hour one is itself a finding. The exercise produces this deliberately, not to punish the team for it, but to make it visible. Satir’s communication stances become more pronounced as fatigue sets in: computing behaviours increase, placating responses to stakeholders become more common, and the team’s internal communication tends to contract.

Do not prevent the team from making mistakes. An advanced team that sails through this exercise without consequence is telling you something: either the exercise was not calibrated correctly for their capability, or their capability is genuinely strong. Both are worth knowing. A facilitator who steps in to help the team avoid a bad decision removes the learning that decision would have produced.

The two-hour debrief is not optional. The exercise generates raw material; the debrief is where it becomes learning.

Debrief

Begin with the immediate hot wash: how do people feel, and what was hardest? This is not a courtesy; it names the experience and creates the conditions for honest reflection. After six to eight hours of sustained high-pressure exercise, people will be carrying something. Making space for that before moving to analysis is the difference between a debrief that surfaces real observations and one that produces polished, composed retrospectives that hide what actually happened.

Then the structured retrospective: reconstruct the timeline, examine the prioritisation decisions, review communication, assess coordination. The question to hold through all of it: what did the team’s choices reveal about how the organisation actually works under sustained pressure, as distinct from how it is designed to work?

Then the structural questions:

What had to be true about the organisation for all five vectors to be simultaneously plausible? Are those conditions present in the actual environment?

At hour three, how did decision quality compare to hour one? What does that reveal about staffing levels, decision authority, and what the response plan assumes about the people executing it?

Where did communication break down, and what was the structural cause? Channel saturation, unclear escalation paths and authority gaps each call for a different fix.

If the team had to run this exercise again in six months, what single structural change would make the most difference?

The multi-vector exercise does not teach teams to prevent simultaneous incidents. It teaches them to observe how they actually behave under conditions they have not been designed to handle, and to use that observation to design toward those conditions rather than away from them.

Outputs

A detailed timeline of decisions across all five vectors. An honest prioritisation analysis: what did the team protect first, and does that match what the organisation says it would protect? Communication failure points and their structural causes. A small number of structural improvements, not procedural fixes, but changes to decision authority, escalation paths, or staffing design, with owners and dates.