Jonathan Meehan, Technical Director of Cyber Guarded, brings 20 years of experience in cyber incident exercising. Here, he shares insights and lessons learned from working with healthcare trusts, government departments and the private sector.
Cyber Guarded is a Belfast-based cyber security company specialising in testing, auditing, and cyber incident exercising. As an Assured Service Provider for the Cyber Incident Exercising (CIE) scheme, Cyber Guarded meets the rigorous quality and security standards set by the National Cyber Security Centre and has the skills and experience to design and deliver both table-top and live-play incident response exercises.
What is Cyber Incident Exercising?
Organisations that have good incident response plans that are regularly rehearsed and reviewed are best placed to respond to cyber attacks and can get back up and running again quicker than those without. The process of practising a response plan is known as ‘exercising’. It is particularly critical to exercise responses to cyber incidents that could have a significant operational, financial, regulatory or reputational impact on your organisation.
Cyber incident scenarios can range from involving just your IT team to requiring a coordinated response across the entire organisation. This could include notifying regulators, communicating with customers and partners, and managing media communications. Cyber Incident Exercising provides a structured way to practise this by simulating real world cyber incidents in a controlled environment. These exercises allow organisations to test their response strategies, identify gaps in their plans, and evaluate communication protocols, all while equipping teams with the skills and confidence needed to handle the real thing.
Jonathan Meehan’s expertise lies in delivering tailored simulations that reflect an organisation’s unique operational environment and threat landscape. He combines technical rigour, real world scenarios, and a focus on collaboration to help organisations build resilience.
Many tailored solutions focus on critical assets, systems or services: that is, the organisation’s crown jewels, or third-party systems that are integral, in whole or in part, to the delivery of an essential service or function.
“Cyber Incident Exercising gives organisations a chance to see how they’d actually respond in a real world scenario. The exercises shouldn’t just follow the plan; they need to throw curveballs with time limited constraints. The time constraints force sharper decision making, quicker prioritisation, and force a mental agility that static plans just don’t touch. That’s where the real value comes in.”
Jonathan Meehan
Case study 1: Northern Ireland health trusts
One of Jonathan’s most impactful projects involved running a cyber incident exercise for all the health trusts in Northern Ireland. The exercise simulated a National Cyber Security Centre (NCSC) Category 3: Significant incident, defined as a cyber attack which has a serious impact on a large organisation or on wider/local government, or which poses a considerable risk to central government or UK essential services.
The tailored exercise was designed to evaluate the response capabilities and communication protocols of participant organisations in the context of a suspected supply chain cyber incident targeting a healthcare essential function imaging system, resulting in disruption to this essential service. The scenario was developed so that the nature of the cyber attack would not be immediately obvious, requiring participants to investigate, analyse, and escalate based on limited or ambiguous information. It was further structured to emulate current trends and adversary tactics observed in the wild, as reported by NCSC and CISA, and broadly aligned to the MITRE ATT&CK Framework for Enterprise.
Key insights:
Assumptions and gaps: Exercises often reveal hidden assumptions that can undermine an organisation’s ability to respond effectively, and this exercise was no exception. For example, some participants believed that critical actions such as incident escalation, communication with external partners, or the coordination of recovery steps were the responsibility of other departments or external bodies. These assumptions created ambiguity over ownership and accountability, exposing potential delays and vulnerabilities in the response process.
This highlights the need for clearer delineation of responsibilities and escalation pathways within an organisation, ensuring that ownership of critical actions is unambiguous and that no essential tasks are left unaddressed during a cyber incident.
Preparedness through practice: The exercise demonstrated that regular participation in cyber exercises builds resilience, confidence, and capability. Trusts with established exercising routines were able to draw on that experience to navigate challenges more effectively, demonstrating the value of sustained practice and the importance of embedding exercising into routine cyber resilience planning.
Collaboration and communication: Exercises are most effective when they bring together diverse perspectives, enabling organisations to see challenges from multiple viewpoints and strengthen their collective response. Jonathan emphasised that collaboration is essential, both within and between Trusts, for identifying potential gaps and building resilience. By fostering open communication and joint problem solving during exercises, Trusts can improve coordination, reduce duplication of effort, and ensure that critical decisions are informed by the widest possible expertise.
Outcome: The exercise not only highlighted key areas for improvement but also encouraged greater collaboration and shared learning among the Trusts, demonstrating the value of joint exercising as a driver of collective resilience. It further revealed that some participants were not fully prepared for the subtleties of how a cyber attack might present in practice, providing valuable insights into the realities of cyber incidents and underscoring the importance of preparedness.
“The organisations that have embraced these exercises, like those in Northern Ireland, have seen the difference it makes. It’s not just about compliance or getting a certificate—it’s about truly understanding your vulnerabilities and being ready to act when a cyber incident happens.”
Michael Kane, Belfast Health & Social Care Trust
Case study 2: Government departments
Jonathan recently facilitated two exercises with the Department of Finance (DoF). Both were National Cyber Security Centre (NCSC) Category 3: Significant incident.
One of the tailored exercises centred around a cyber attack on the PSSN Service, an integral backbone network across the Northern Ireland Civil Service. This time-compressed scenario began on a Sunday morning and escalated over subsequent days, resulting in major disruption to essential services.
The second was a comprehensive, multi-part exercise delivered in three stages. Part 1 began with network performance issues that developed into widespread connectivity problems and eventual loss of access to Office365 and office applications. Part 2 introduced multiple supply chain issues culminating in the receipt of a ransom demand. Finally, Part 3 focused on recovery and restoration activities, challenging participants to make critical decisions under pressure.
Key insights:
Challenging assumptions: During the exercise, a system was brought back online without verifying whether it remained compromised. This prompted a critical discussion about the risk of re-compromising the entire network. As Jonathan noted, “Exercising brings everything into the light. It gets to the crux of whether your playbooks and policies have been thought through.”
Technical expertise is essential: Jonathan emphasised the value of involving senior technical staff, such as penetration testers, in the delivery of exercises to ensure realism and to challenge assumptions in real time. “There are definite benefits if a company is running a TTX, they should have one of the pen testers or senior technical managers in the room during the exercise. It’s about spotting gaps or assumptions, for example when you’ve brought a system back up without having assurance of its status beforehand.”
Real-world mapping: Drawing on detailed reports from real incidents, including the HSE breach, allowed the scenario to mirror actual attack techniques. This approach ensured that participants were tested in a realistic and relevant environment, strengthening both the credibility of the exercise and the value of the lessons learned.
Stress testing: The exercises were designed to test far more than just technical systems. They placed participants under pressure to make time-sensitive, high-stakes decisions in an environment that reflected the ambiguity and uncertainty of a real cyber attack. By replicating the confusion, incomplete information, and escalating consequences that often characterise real-world incidents, the exercises challenged both technical teams and leadership to think critically, coordinate effectively, and prioritise actions under stress.
As Jonathan explained, “We try to hit them with realistic scenarios based on real events. It’s not about scaring them, it’s about showing them what it’s actually going to look like.”
Outcome: Both exercises prompted senior leaders to rethink their response strategies and highlighted the importance of technical expertise in decision making during a crisis.
“Exercises like these aren’t just about following a script—they’re about preparing for the unexpected. When you’ve got the right people in the room, you can identify gaps, challenge assumptions, and make sure the organisation is ready to respond effectively when it really matters.”
Hugh Tohill, Chief Cyber Security Officer, Cyber Resilience & Assurance, Digital Security & Engagement, Northern Ireland Department of Finance
Exercise your incident response plan
For organisations interested in improving their cyber resilience, Jonathan recommends starting with a tabletop exercise tailored to your specific needs. Tabletop exercises provide an opportunity for participants to discuss their roles and responsibilities, review procedures, and identify gaps in their response plans through facilitated discussions.
For more mature organisations looking for in-depth validation of plans, live-play exercises will provide a more immersive and realistic testing environment. These exercises will allow participants to actively respond to a simulated cyber incident with real-time engagement that allows them to experience the pressure and urgency associated with a genuine cyber incident. By involving technical experts and using real-world scenarios, live-play exercises can provide invaluable insights and prepare teams for the unexpected.
Organisations that want to plan and practise their response to a cyber incident in a safe environment can contact an Assured Service Provider in Cyber Incident Exercising.
You can find a list of NCSC Assured Cyber Incident Exercising providers here.
