
10 Cyber Crisis Scenarios Every CISO Should Practice in 2026

January 12, 2026 · 6 min read

If your program only rehearses classic ransomware, you are still building muscle—but you are not covering the full decision surface most enterprises face today. Supply chain, identity, cloud control planes, and third-party breaches all produce different coordination failures than "encrypt and demand."

Below are ten scenarios to keep in rotation, and what each one is designed to expose in process, tooling, and leadership alignment.

1. Ransomware With Data Exfiltration

Yes, I just said don't only practice ransomware. But you need at least one. The twist: modern ransomware isn't just encryption anymore. The attacker has already exfiltrated your data before deploying the ransomware. Now you're dealing with a breach notification AND a business continuity crisis simultaneously.

What it tests: Payment decision framework, legal notification timelines, backup recovery processes.

2. Supply Chain Compromise (SolarWinds-Style)

Your trusted software vendor pushes a compromised update. You've been running it for weeks before anyone notices. How do you figure out what the attacker accessed when you don't even control the entry point?

What it tests: Third-party risk response, forensic scoping, vendor communication.

Want to walk through this one interactively? Try the SolarWinds scenario demo — it includes the actual decision points a SOC team would face.

3. Business Email Compromise (BEC)

The CFO's email account is compromised and the attacker has been reading executive communications for two weeks. They've already initiated a fraudulent wire transfer. This one gets really uncomfortable when the CEO realizes the attacker read their emails too.

What it tests: Financial fraud response, executive communication security, legal privilege concerns.

4. Cloud Infrastructure Takeover

Attacker gains access to your AWS/Azure root account. They've spun up crypto miners, accessed S3 buckets with customer data, and created new admin accounts. Your cloud team isn't sure what's legitimate and what's the attacker.

What it tests: Cloud IR capabilities, identity management, distinguishing attacker activity from normal operations.

5. Insider Threat — The Trusted Admin

A systems administrator with privileged access is exfiltrating data. They know your security tools and how to avoid them. The tip comes from an anonymous employee complaint, not from your SIEM.

What it tests: HR/legal coordination, evidence preservation, how to investigate someone who knows your playbook.

6. Zero-Day Exploitation

A critical zero-day drops on a Friday evening. It affects your edge firewall. There's no patch yet — only a workaround that breaks a critical business application. The CEO is asking why you can't just "turn it off."

What it tests: Risk-based decision making, business impact assessment, communicating technical risk to leadership.

7. Third-Party Data Breach

Your SaaS HR platform gets breached. The vendor tells you employee PII was exposed — names, SSNs, salary data. But the breach happened at the vendor, not your systems. Who owns the response? Who notifies employees?

What it tests: Vendor breach response coordination, notification obligations, legal liability questions.

8. Destructive Wiper Attack

Not ransomware — a wiper. The attacker doesn't want money; they want to destroy. Systems are being wiped faster than you can contain them. There's no negotiation possible.

What it tests: Recovery prioritization, crisis communication, business continuity activation.

9. AI-Generated Deepfake Social Engineering

The CFO receives a video call from the "CEO" instructing an urgent wire transfer. The deepfake is convincing. This scenario is becoming real — it already happened to a multinational company in 2024.

What it tests: Verification procedures, social engineering awareness at the executive level.

10. Coordinated Physical + Cyber Attack

A DDoS attack hits your public-facing services while someone attempts physical access to your data center. The cyber incident is the distraction. This is the scenario nobody thinks about until it happens.

What it tests: Physical/cyber coordination, security operations center prioritization under simultaneous attacks.

How to Actually Use This List

Don't try to practice all 10 at once. Pick two per quarter. Start with the ones closest to your actual threat profile — a hospital should prioritize ransomware and insider threats, while a financial firm should focus on BEC and supply chain compromise.

For each scenario, you can either build a detailed exercise using our scenario builder or browse pre-built exercises in our library. Most of these scenarios have ready-to-run versions you can customize for your organization.

For more on how to structure these as actual exercises, check our complete tabletop exercise guide or the step-by-step guide for first-timers.


Takeaway: Rotate a small subset each quarter; match emphasis to sector and threat model. When you are ready to turn a scenario into a structured exercise, start in the builder or use the library.

Tags: ransomware, data breach, scenarios, CISO, threat intel

Ready to Put This Into Practice?

Use our free scenario builder to create custom cyber tabletop exercises based on these strategies.