Compliance & Audit Evidence

Tabletop exercises that double as audit evidence.

Stop running a tabletop and then running a separate documentation project afterwards. Every Breachday exercise produces a structured, audit-grade report that maps directly to the controls auditors care about: SOC 2, PCI DSS 4.0, SEC Form 8-K Item 1.05, and ISO 22301.

SOC 2 CC7.x PCI DSS 12.10.1 SEC Item 1.05 ISO 22301

One exercise. Four audit trails.

A single Breachday exercise can satisfy testing requirements across multiple frameworks at once. Here's how the report maps to the controls.

Most common

SOC 2

Trust Services Criteria — Security and Availability

Auditors testing the Common Criteria need evidence that you've identified, evaluated, and responded to security incidents. Breachday reports show participant-attributed decisions, escalation paths, and observed gaps.

Maps to

  • CC7.3 — Evaluating security events to determine whether they are incidents
  • CC7.4 — Responding to security incidents
  • CC7.5 — Recovering from identified incidents
  • A1.2/A1.3 — Recovery infrastructure and tested recovery procedures (Availability)

Annual requirement

PCI DSS 4.0

Payment Card Industry Data Security Standard

PCI DSS 4.0 explicitly requires you to review, update, and test the incident response plan at least once every 12 months and to keep documented results. Breachday is built for that requirement.

Maps to

  • Req 12.10.1 — An IR plan exists and is ready to be activated on a suspected or confirmed incident
  • Req 12.10.2 — Plan reviewed, updated, and tested at least once every 12 months, with results documented
  • Req 12.10.4 — IR personnel are appropriately and periodically trained
  • Req 12.10.5 — IR plan covers monitoring and responding to alerts from security monitoring systems

Public companies

SEC Cyber Disclosure

17 CFR § 229.106 (Reg S-K Item 106) and Form 8-K Item 1.05

Public registrants must file a Form 8-K within four business days of determining that a cybersecurity incident is material (and that determination must be made without unreasonable delay), and must describe their cyber risk management, strategy, and governance annually on Form 10-K. You can't do that under pressure if you've never rehearsed.

Maps to

  • Item 1.05 — Readiness to file within four business days of a materiality determination
  • Item 106(b) — Cybersecurity risk management and strategy disclosure
  • Item 106(c) — Governance: board oversight and management's role
  • Materiality drills — Practice the legal/finance/comms call

BCM standard

ISO 22301

Business Continuity Management Systems

ISO 22301 requires a documented BIA, prioritized recovery objectives, and exercise programs that validate the BCMS. Breachday connects all three in a single workspace.

Maps to

  • Clause 8.2 — Business impact analysis & risk assessment
  • Clause 8.5 — Exercise programme
  • Clause 9.1 — Monitoring, measurement, analysis & evaluation
  • Clause 10 — Improvement: nonconformity, corrective action & lessons learned

How it works

From scenario to audit artifact in one session

The audit-ready report isn't a separate writing project — it's a byproduct of the exercise itself.

01

Pick a scenario

Choose from default real-world breach scenarios, CTEP-based templates, or build your own. Tag the IT assets and BIA processes the exercise will touch.

02

Run the exercise

Stakeholders join via room code, claim their roles, and respond to live injects. Every action, vote, and observation is captured automatically with timestamps.

03

Generate the report

Branded PDF with timeline, participant roster, decisions, vote tallies, observations, facilitator notes, and the assets and BIA processes exercised — ready to hand to your auditor.

04

Close the loop

Capture lessons learned with owners and status. Auditors see not just that you exercised, but that you actually fixed the gaps you found.

The Audit Packet

What's in every Breachday report

Auditors don't want vibes. They want timestamps, participants, decisions, and traceability between what you exercised and what's actually critical to your business.

  • Exercise metadata — date, duration, facilitator, scenario, organization
  • Participant roster — display name, role seat, join/leave timestamps
  • Inject-by-inject timeline — every situation update, escalation, decision, and curveball
  • Per-inject responses — vote tallies, freeform text, attributed by role
  • Observations — captured live by facilitators on each inject
  • Affected systems & processes — IT assets and BIA processes linked to the scenario
  • Lessons learned — action items, owners, status, due dates
  • Branded PDF + structured JSON — your logo, exportable to any GRC tool
Sample report excerpt (soc2_ir_test_q3_2026.pdf)

After-Action Report
Scenario: BEC + Wire Fraud · CISA CTEP-aligned

Date: Mar 14, 2026
Duration: 1h 22m
Facilitator: j.lopez@acme
Participants: 7 (5 roles)

Inject 03 · Decision Required
Freeze outbound wires & escalate to legal?
Vote: Yes (5) · No (1) · IDK (1)

Affected Assets: Stripe Billing · Treasury Workstation · Okta IdP

Lessons Learned

Built for the people who own the audit

GRC & Compliance leads

Hit your annual IR test requirement, satisfy auditors with traceable evidence, and stop manually compiling exercise notes the day before fieldwork.

Security & IR teams

Run realistic incidents — BEC, ransomware, IdP lockout, cloud outage — without spending 20 hours building decks. Use CISA-aligned scenarios out of the box.

vCISOs & consultants

Deliver white-labeled tabletops across multiple clients with the MSP partner program. Branded PDFs, isolated client orgs, and seed scenarios in every account.

Show your auditor a Breachday report.

Book a 30-minute compliance demo and we'll walk through how a Breachday after-action report maps to your specific framework — SOC 2, PCI DSS, SEC, or ISO 22301.

Breachday is not a substitute for legal or audit advice. Control mappings are guidance for compliance teams; your auditor has the final say.