The 5-Minute Cyber Drill: How to Practice Incident Response Solo

Guides · February 20, 2026 · 4 min read

Small teams and one-person security functions still need muscle memory for escalation and scoping. You will not get a full cross-functional tabletop every month—but you can still run short, written drills that keep your first-hour instincts sharp.

Audience: solo practitioners, small IT/security shops, or anyone warming up before a larger exercise.

The Solo Drill Format

Here's the concept: give yourself a scenario, set a 5-minute timer, and write down your response. That's it. No facilitator, no team, no conference room. Just you, a scenario, and a clock.

The time constraint is the point. Real incidents demand fast decisions. If you can articulate your first three moves in 5 minutes, you'll be faster when it matters.

How to Run a Solo Drill

Step 1: Pick a Scenario (30 seconds)

Choose one of these, or pull from our scenario library:

  • Ransomware alert: Your EDR just flagged ransomware on a finance workstation at 11 PM on Friday. What do you do?
  • Suspicious login: An admin account just logged in from a country where you have no employees. MFA was bypassed.
  • Data exfiltration: Your DLP tool flagged 2 GB of data uploaded to a personal cloud storage account by a departing employee.
  • Phishing compromise: Three employees clicked a phishing link. One of them is a domain admin.
  • Website defacement: Your public website is showing a hacker's message. Customers are tweeting about it.

Step 2: Start the Timer (5 minutes)

Write down your response to these four questions:

  1. What's my first action? (The literal first thing you do — not "investigate," but the specific action)
  2. Who do I notify, and in what order?
  3. What am I trying to determine in the first 15 minutes?
  4. What's my containment strategy?

Don't overthink it. Write fast. This is about building instinct, not perfection.

Step 3: Review (2 minutes)

After the timer goes off, review what you wrote. Ask yourself:

  • Did I forget to notify anyone critical? (Legal? Management? The IR retainer?)
  • Did I jump to containment before understanding the scope?
  • Did I preserve evidence, or did my first action potentially destroy it?
  • Would I know how to actually perform each step I wrote down?

Step 4: Identify One Gap

Every drill should produce one takeaway. Maybe it's "I don't actually know our evidence preservation procedure." Maybe it's "I need to find out if we have a cyber insurance carrier to notify." Write it down. Fix it before the next drill.

A Sample Solo Drill (Worked Example)

Scenario: It's 3 AM. Your pager fires: "Critical — Cobalt Strike beacon detected on DC01 (Domain Controller)."

My 5-minute response:

  1. First action: Verify the alert is real — check the EDR console for the detection details, hash, and process tree. Don't touch the server yet.
  2. Notify: Call the IR team lead. If this is confirmed, this is an all-hands incident — we're looking at potential domain compromise.
  3. First 15 minutes: Determine if the beacon is active or historical. Check for lateral movement indicators. Query AD for recent account creations or privilege changes. Check if backups are accessible and isolated.
  4. Containment: If active, isolate DC01 at the network level (not shutdown — we need the memory). Block the C2 IP at the firewall. Disable any newly created accounts. Begin monitoring other DCs for similar activity.

Gap identified: I don't have the IR team lead's phone number memorized or saved somewhere accessible at 3 AM. Fix: add all IR contacts to my phone today.
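The review question in Step 3, "Would I know how to actually perform each step I wrote down?", bites hardest on items 3 and 4 of this response. The PowerShell below is an added example for this guide, not code from the original post or from any vendor's tooling. It performs the AD-side checks of the first 15 minutes read-only (it queries the domain and the Security logs over the network from a management host with RSAT, and never logs on to or reboots DC01, so its memory is preserved), writes everything to a timestamped evidence folder, and carries out the "disable newly created accounts" containment step only when run with -Contain; otherwise it dry-runs with -WhatIf. The DC name DC01, the 24-hour look-back window, the Tier-0 group list and the event IDs chosen are assumptions. Network isolation of DC01 and the perimeter firewall block are console actions in your EDR and firewall and are not scripted here.

```powershell
# Added example for this guide (not code from the original post).
# Assumptions: RSAT ActiveDirectory module installed on the host running this;
# the operator can read the Security log on every DC; DC01 and the 24 h window
# are placeholders from the drill scenario.
#Requires -Modules ActiveDirectory
param(
    [string]$SuspectDc     = 'DC01',   # name from the drill scenario (assumed)
    [int]   $LookBackHours = 24,       # triage window (assumed)
    [string]$EvidenceDir   = "$env:USERPROFILE\ir-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
    [switch]$Contain                   # disable new accounts only when explicitly requested
)

$Since = (Get-Date).AddHours(-$LookBackHours)
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
"Triage started $(Get-Date -Format o); suspect DC $SuspectDc; window since $Since" |
    Out-File -FilePath "$EvidenceDir\README.txt"

# --- Step 3: what happened in the window? (read-only; nothing is changed) ---

# 3a. Accounts created since $Since. whenCreated is a replicated attribute, so
#     any healthy DC answers; we do not have to touch the suspect box.
$newAccounts = Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, MemberOf |
    Select-Object SamAccountName, whenCreated, Enabled,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
$newAccounts | Export-Csv -NoTypeInformation -Path "$EvidenceDir\new-accounts.csv"

# 3b. Snapshot of Tier-0 group membership so a later diff has a baseline.
$tier0 = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$tier0 | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, objectClass
} | Export-Csv -NoTypeInformation -Path "$EvidenceDir\tier0-members.csv"

# 3c. Security events for account creation (4720) and additions to
#     security-enabled groups (4728 global, 4732 local, 4756 universal).
#     They are logged on whichever DC processed the change, so every DC is
#     queried, which also starts the "monitor the other DCs" step from item 4.
$ids = 4720, 4728, 4732, 4756
$dcs = (Get-ADDomainController -Filter *).HostName
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } -ErrorAction Stop |
            Select-Object @{ n = 'DC'; e = { $dc } },
                @{ n = 'OnSuspectDc'; e = { $dc -like "$SuspectDc*" } },
                TimeCreated, Id,
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    } catch {
        # Get-WinEvent reports an empty result as an error; only real failures
        # (RPC blocked, access denied) deserve a warning.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}
$events | Export-Csv -NoTypeInformation -Path "$EvidenceDir\priv-events.csv"

# --- Step 4 (account part): disable accounts created in the window -----------
# Dry run (-WhatIf) unless -Contain is given. Every account actually disabled
# is recorded next to the evidence so the containment action is documented.
foreach ($acct in $newAccounts) {
    if ($Contain) {
        Disable-ADAccount -Identity $acct.SamAccountName -Confirm:$false
        "$(Get-Date -Format o) disabled $($acct.SamAccountName)" |
            Out-File -Append -FilePath "$EvidenceDir\actions.log"
    } else {
        Disable-ADAccount -Identity $acct.SamAccountName -WhatIf
    }
}

Write-Host "Evidence and results written to $EvidenceDir"
Write-Host ("New accounts: {0}; privileged-change events: {1} across {2} DC(s)" -f
    @($newAccounts).Count, @($events).Count, @($dcs).Count)
```

Run it once without -Contain to see what would be disabled, review new-accounts.csv and priv-events.csv, then rerun with -Contain if the findings hold up. The evidence folder is what you hand to the IR lead when they pick up the phone.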

Making It a Habit

Daily: Too much. You'll burn out.

Weekly: Ideal. Pick one scenario every Monday morning. Five minutes with coffee.

Monthly: Minimum. Better than nothing, but you won't build real instinct at this pace.

Pro tip: vary the scenario types. Don't just practice ransomware. Rotate through phishing, insider threats, cloud compromises, and physical security incidents.

Level Up: Interactive Solo Drills

If you want more structure than a blank page, try our interactive scenario player. It presents injects one at a time and lets you make decisions at each stage — like a choose-your-own-adventure for incident response. Great for solo practice with more depth than a 5-minute drill.

For the full team version of tabletop exercises, check out our guide to running your first exercise. And for a quick primer on what tabletop exercises are, see our 2-minute explainer.

If you want to build your own scenarios to practice with, our scenario builder lets you create custom exercises with branching decision points.


Habit > tooling: five minutes weekly beats zero minutes quarterly. When you need structure beyond a notepad, use the interactive player or build your own flows.

Tags: solo practice, incident response, cyber drill, training, beginner, quick exercise

Ready to Put This Into Practice?

Use our free scenario builder to create custom cyber tabletop exercises based on these strategies.