SOC 2 Tabletop Exercises for Incident Response Compliance
Run incident response tabletop exercises that produce audit-ready evidence mapped to Trust Services Criteria CC7.3–CC7.5. Breachday captures every decision, escalation, and recovery action, so your SOC 2 auditor reviews what your team actually did instead of a slide deck summary.
The compliance challenge
SOC 2 auditors testing the Security and Availability criteria need evidence that your organization identifies security events, responds to incidents, and recovers from them. CC7.3 through CC7.5 are among the most commonly cited controls during Type II fieldwork — and among the hardest to demonstrate with anything other than a well-documented exercise.
Most teams run an annual tabletop in a conference room, capture notes in a shared doc, and spend days afterward reconstructing what happened for the auditor. The exercise itself may be solid; the evidence trail usually is not.
Breachday turns the live exercise into the audit artifact. Every inject, vote, and attributed response is timestamped and exported in a branded after-action report your assessor can map directly to CC7.x controls.
What teams struggle with today
- →Slide decks and facilitator scripts that leave no attributable record of who decided what
- →Manual after-action write-ups compiled days or weeks after the exercise
- →No link between the scenario exercised and the critical systems in your availability scope
- →Lessons learned tracked in a spreadsheet with no connection to the exercise timeline
- →Auditors asking for CC7 evidence and receiving meeting notes instead of structured test results
Trust Services Criteria
How Breachday maps to SOC 2
Specific control requirements and how each Breachday exercise produces evidence your assessor can review.
| Control | Requirement | How Breachday satisfies it |
|---|---|---|
| CC7.3 | Evaluating security events | Breachday captures how your team identifies and evaluates injects in real time, with attributed responses from each role seat showing who recognized the event, what information they had, and how they prioritized it. |
| CC7.4 | Responding to security incidents | Voting, decision points, and escalation paths are captured per inject with timestamps. The report shows consensus (or disagreement) across Incident Commander, Legal, Comms, and Engineering seats. |
| CC7.5 | Recovery from identified events | Recovery-phase injects and post-exercise lessons learned with owners and status demonstrate that your team moves from containment to restoration — and that gaps identified during the exercise are tracked to closure. |
| A1.2 / A1.3 | Availability and environmental BCM | BIA-linked exercises show which critical systems and business processes were tested. Reports list affected IT assets and BIA processes so availability auditors can verify scope coverage. |
See which plan covers SOC 2 reporting· Learn about building scenarios
The audit packet
What your auditor receives
Every completed exercise generates a structured after-action report, produced as you run the session rather than written up after the fact.
- ✓Branded PDF after-action report with your organization logo
- ✓Inject-by-inject timeline with timestamps for every situation update, decision, and escalation
- ✓Vote tallies and freeform responses attributed by role seat
- ✓Findings grouped by severity with facilitator observations on each inject
- ✓SHA256 hash on exported reports for integrity verification
- ✓Participant roster with display names, role seats, and join/leave timestamps
- ✓Linked IT assets and BIA processes showing what was exercised
- ✓Lessons learned with owners, status, and due dates
- ✓Structured JSON export for GRC tools and audit repositories
04 — Workflow
How it works
A streamlined sequence from preparation to after-action report.
Design the scenario
Define the narrative, injects, and roles. Use our templates or build from scratch.
Start the exercise
Launch the room with one click and activate your scenario timeline for participants.
Join the room
Participants join from any device using a short room code, then pick their role seat.
Run your scenario
Deliver injects, capture votes and responses, and guide decisions in real time.
Review the report
Generate an after-action report with timeline events, decisions, and improvement takeaways.
Frequently asked questions
SOC 2-specific questions from compliance and security teams.
Which SOC 2 criteria does a Breachday report address?
Reports map most directly to CC7.3 (evaluating security events), CC7.4 (responding to incidents), and CC7.5 (recovery). For organizations with Availability in scope, A1.2 and A1.3 evidence comes from BIA-linked scenarios on Plus and Pro plans that show which critical processes were exercised.
How often should we run SOC 2 tabletop exercises?
Most organizations run at least one IR tabletop annually, often aligned with their Type II audit period. Breachday stores exercises on Plus and Pro so you can demonstrate a recurring test program with multiple dated reports across the audit window.
Can we use Breachday reports as our only CC7 evidence?
Tabletop exercises are one form of testing evidence. Auditors may also request IR plan documentation, ticketing records, and actual incident logs. Breachday reports demonstrate that your team has rehearsed response procedures — a requirement auditors routinely ask about during CC7 testing.
Do participants need Breachday accounts for a SOC 2 exercise?
No. Participants join via a 4-character room code and claim role seats (Incident Commander, Legal, Comms, etc.). The report captures their display names, roles, and responses — sufficient for demonstrating cross-functional participation.
Which Breachday plan includes SOC 2-ready branded PDF exports?
Starter generates audit-ready PDF summaries at exercise time. Plus and Pro persist reports to your workspace with branded PDF and JSON export. Pro supports up to 10 facilitator seats and 60 participants per exercise for mature programs running production exercises across the full audit period. See pricing for plan details.
Can one exercise satisfy both SOC 2 and PCI DSS requirements?
Yes. A single Breachday exercise produces a report that maps to CC7.x controls and PCI DSS Requirement 12.10.x. Many customers run one annual exercise and provide the same after-action report to both assessors.
Related framework resources
One exercise can satisfy multiple frameworks. Explore how Breachday maps to other standards.
Ready to run your first SOC 2 tabletop?
Plus and Pro plans include saved reports, branded PDF export, and BIA-linked scenarios for Availability scope. Book a demo and we will walk through how a Breachday report maps to your auditor's CC7 testing procedures.
Breachday is not a substitute for legal or audit advice. Control mappings are guidance for compliance teams; your auditor has the final say.