Real-World Cyber Incident Response Beyond the Tabletop
This show was created with Jellypod, the AI Podcast Studio.
Chapter 1
The Evolution of Cyber Incident Response Training
Eric Marquette
Hello everyone and welcome back to CMMC Unlocked. I'm Eric Marquette, and I’m joined by Ruby Sturt and Paul Netopski. We’re diving into something that’s really changing the way organizations handle cyber incidents: moving beyond the classic tabletop exercise. Paul, you and I both started out with those, right? You know—everyone in the boardroom, someone passes around a crisis scenario on paper, and everyone sort of guesses, “Well, I’d call IT…”
Paul Netopski
Exactly, Eric. I mean, tabletop exercises have definitely played a huge part for years. They’re great for talking through plans and finding obvious gaps—especially for compliance. But, to be blunt, they’re just not the real thing. I remember running a CMMC-focused tabletop where, on paper, the team seemed ready. When we looked closer, though? They completely skipped steps they’d need in a real incident. Nobody practiced communications between IT, legal, and management, so no one actually knew who would make decisions—what would happen after hours, things like that. It was kind of eye-opening, honestly.
Ruby Sturt
Yeah, and isn’t it wild to think how little you actually “feel” the impact when you’re just talking through it? Like, you can say, “I’d respond to ransomware this way,” but until you’ve got logs flying, systems actually going down, the pressure is just not the same. That’s probably why scenario-based, or simulation-driven training is really starting to take off. Feels less like reading a script and more like... well, flying the actual plane, right?
Eric Marquette
Spot on, Ruby. Simulation-driven stuff brings a level of realism that a whiteboard can’t. It’s like the old analogy—would you want your pilot to only read the manual or practice landings in a simulator?
Chapter 2
Inside the Bridgewater State University Cyber Range
Ruby Sturt
And speaking of simulators—Bridgewater State’s Cyber Range is seriously impressive, hey? For anyone who hasn’t seen it: it’s a 1,900-square-foot facility packed with 24 workstations, each with dual screens, big multi-window LED video walls, and a legit command center vibe. It’s got immersive lighting and sound—so it really feels like a nerve center during an attack.
Paul Netopski
That’s right. The control room setup is a game-changer. The sound and lighting aren’t just for show—they’re designed to ramp up the urgency. You’re not just quietly typing away—you’re hearing alarms, you’re seeing system statuses update in real time. It’s a full sensory immersion into what a real ransomware or malware event might feel like. That intensity develops muscle memory under stress.
Eric Marquette
And there’s something about stepping into a space like that—away from the usual office or conference table—that really flips a switch mentally. Ruby, I’m curious—when you see folks in there, how’s the energy compared to your usual tabletop in a boring boardroom?
Ruby Sturt
Oh, it’s another world! You can just see people’s posture change. And the adrenaline—people are genuinely on edge, even though it’s “just” a simulation. And the feedback’s nearly instant, right? If someone misses a detection or doesn’t follow the comms chain—the video wall catches it, everyone notices. It’s way more dynamic and collaborative, which is exactly what you need for this kind of training.
Paul Netopski
Absolutely. The environment pushes teams out of their comfort zones—forces real-world thinking. The closest thing I could compare it to is a security operations center under live attack—stress, comms, the whole lot. No paper exercise can create that level of absorption.
Chapter 3
Why Simulations Beat Tabletop Exercises
Eric Marquette
You know, Paul, you could argue a lot of disciplines have already made this leap. Think about pilots—they don’t just talk about landing a plane, they practice in a full-motion simulator over and over until it’s second nature. I suppose cybersecurity’s finally catching up. But are there any legal or policy wrinkles when you, say, simulate real attacks that impact even just the training environment?
Paul Netopski
Good question, Eric. As long as the simulations stay isolated—air-gapped from the real production world—legal and compliance concerns are manageable. It gets trickier if there’s sensitive data or you’re using actual company workflows, but Cyber Range environments are built for separation. In terms of value, the difference is night and day. Simulations actually reveal gaps tabletops never would—like, you find out immediately if your comms plan’s missing escalation points, or if two departments have totally different playbooks for the same attack.
Ruby Sturt
Yeah, and you can see how teams behave under pressure. Like, do they take shortcuts? Do they freeze up, or do they rally? The real-time chaos lets you test technical responses but also the “human” factor—coordination, decision making, all the stuff that totally falls apart when it’s just on paper. That messiness actually helps highlight what needs to change.
Eric Marquette
And honestly, I love that in the range you can stop, rewind, or rerun a scenario. If someone bungles initial containment, there’s space to analyze without the “blame game” you sometimes get after the fact. It’s so much more growth-oriented than the old “well, here’s what we wrote down” tabletop summary.
Chapter 4
Mapped to NIST and CMMC: Framework Alignment
Paul Netopski
Right, and let’s talk frameworks for a second. At the BSU Cyber Range, their scenarios aren’t just random—they’re mapped to NIST SP 800-61’s phases: preparation, detection and analysis, containment, eradication and recovery, and post-incident lessons. Same goes for a lot of NIST SP 800-171 requirements and CMMC Level 2+ domains. You can actually embed the standards right into the simulation scripts and observer checklists. For example, last time I observed, teams faced a simulated malware outbreak originating from a phishing email. The “blue team” had to detect the initial compromise, analyze scope, contain the spread by segmenting affected VMs, and then recover clean images—all within a set timeframe.
Ruby Sturt
That’s so cool. So, it’s not just “did we fix it?” but “did we follow each step we’re supposed to for compliance?” Makes sense for CMMC—because, well, it’s not enough to just survive the attack, you’ve got to document your process and map those actions to policy requirements, right?
Paul Netopski
Exactly, Ruby. So, the observers score based not only on technical success—like stopping a ransomware spread—but also how well the team aligns with required steps: who detected what and how, was the analysis thorough, did they follow notification plans, how quickly did they get to recovery. It’s a real-time demonstration of compliance, not just a tick-the-box exercise.
Eric Marquette
And for organizations prepping for a real CMMC assessment, that hands-on validation is gold. If you can demonstrate that teams reacted live in accordance with NIST and CMMC phases, you’ve got strong evidence for assessors—not just policy statements. That’s a big step up from “we hope everyone remembers the process.”
Chapter 5
The Role of After-Action Reviews and Continuous Improvement
Ruby Sturt
Alright, let's talk about the wrap-up—after-action reviews. CISA’s got these improvement plan templates, and everyone’s got stories about the “legendary” range debrief, right? Paul, what have you seen make the biggest difference after a simulation?
Paul Netopski
Honestly, the most valuable sessions are the ones where folks lean into brutal honesty. The template from CISA walks you through what went well, what didn’t, and—this is key—what you’ll actually change. Real feedback loops: teams come away with updated playbooks, sometimes brand new policies. One group realized during the range that their escalation plan was basically non-existent. Within a week, they’d rewritten it and practiced twice more. That's actionable progress.
Eric Marquette
And you know, sometimes those debriefs have a touch of comic relief. Like, “Who unplugged the wrong server?” Or, “Did we really lock ourselves out of our own recovery system?” But honestly, that atmosphere makes it safe to talk about failure and improvement, rather than point fingers. Organizations that embrace the review culture—especially when it comes to regulatory lessons—are usually the ones who see the fastest real-world progress.
Ruby Sturt
I’ve heard it’s not uncommon for folks to actually look forward to debrief day. I mean, it’s an upgrade from a death-by-PowerPoint session, that’s for sure. Plus, integrating those lessons straight into policy or training updates makes it all stick.
Paul Netopski
Exactly. The cycle of simulate, review, improve is what elevates organizations—not just preparing for the next incident, but tightening up every facet for compliance and readiness.
Chapter 6
Expanding Access: The Massachusetts Cybersecurity Ecosystem
Eric Marquette
All this wouldn’t be possible without the bigger ecosystem here in Massachusetts. So, you’ve got BSU, MassBay, Salem State, and Springfield Technical, all plugged in through CyberTrust Massachusetts. It’s honestly impressive—state and federal support’s brought in millions in funding from senators like Ed Markey and Elizabeth Warren, which means students, small businesses, even law enforcement can get advanced training without breaking the bank.
Paul Netopski
Absolutely right. That kind of collaborative approach—public and private sectors working together—makes these resources available to everyone across the Commonwealth. Community partners can leverage tailored scenarios that fit their risks, and regional SOCs at BSU and Springfield Tech offer 24/7 monitoring and response, not just training. It truly is about raising the cybersecurity bar for all—municipalities, nonprofits, defense contractors, you name it. That kind of access removes a big barrier for organizations that would never afford this kind of capability alone.
Ruby Sturt
It’s such a good model, honestly. Like, each institution’s got its own flavor—BSU has this huge Command Center vibe, the others focus on their communities, but with centralized tech through Immersive Labs and all that. And, they’re not just in it for the students—even small towns can use the range to get ready for the next big attack, which, unfortunately, feels inevitable these days.
Eric Marquette
And let’s not forget, it strengthens the pipeline of cyber professionals, too. Those BSU grads might end up running incident response for your defense contractor or local municipality in a few years’ time.
Chapter 7
Preparing for CMMC Assessments Through Realistic Testing
Paul Netopski
Alright, let’s close with what this means for CMMC readiness. A lot of organizations still see assessment prep as a paperwork drill. But the Cyber Range flips that on its head—you actually rehearse detection, containment, and recovery in line with NIST SP 800-61 and -171, then document all of it for your CMMC evidence pack. That real-world proof is exactly what assessors are looking for. Plus, the range exercises highlight areas where your incident response documentation, roles, or even technologies don’t quite match up with requirements—better to find that in a drill than during the real assessment.
Ruby Sturt
And you can see how this all ties together with what we’ve covered in past episodes. Like, it’s great to have your access control matrix or your escalation chart, but when you run through a simulation and catch things breaking down—that’s the best evidence you’ve got. Eric, didn’t you have a story about a local defense contractor who used the BSU range before their assessment?
Eric Marquette
Yeah, a small shop just west of Boston. They’d been knee-deep in policy docs and were actually pretty confident until they ran a range drill. Suddenly, little things jumped out—like the remote support vendor didn’t get updates in real time, and someone realized their offboarding checklist was missing two steps for privileged accounts. They tweaked their procedures and walked into the CMMC assessment with evidence from the simulation, so when the assessor asked about detection and response, they had screenshots, logs, and observer feedback to show exactly how their process aligned with NIST—and where it hadn’t until they fixed it.
Paul Netopski
That’s how you bridge theory and practice—not just for compliance, but for real resilience. If you want to impress your CMMC assessor, walk in with proof you can survive an attack, not just recite your manual.
Eric Marquette
Thanks, Paul, and thanks Ruby. That’s all for this episode of CMMC Unlocked. We’ll be back soon, digging into more ways you can turn compliance from a paperwork exercise into genuine security muscle. Cheers, Ruby, Paul—see you next time!
Ruby Sturt
Thanks, Eric, thanks Paul! Always a blast. See you all next episode—don’t forget to subscribe!
Paul Netopski
Take care everyone. Stay secure, and keep practicing—real cyber resilience is all about doing, not just planning. Goodbye, Ruby, Eric.
