The BreachBack Method
Resilience isn’t a product you buy. It’s a capability you build and then prove on a schedule. Here’s the whole method: no mystery, no black box.
01 · MAP (Weeks 1–2)
WHAT HAPPENS
We inventory everything that matters: systems, data, dependencies, and the order your business actually needs them back in. Most owners have never ranked their own systems by criticality. We do it together in one working session.
YOU GET
A one-page Critical Systems Map with recovery priorities and target restore times (RTOs) for each tier: 6, 12, 24, or 72 hours.
02 · HARDEN (Weeks 2–6)
WHAT HAPPENS
We build the recovery infrastructure: immutable, object-locked backups that ransomware can’t encrypt and a rogue admin can’t delete; offsite copies; and executive-gated access. Your CEO, CFO, and security officer each hold a key, and it takes a quorum to touch the vault.
YOU GET
Documented backup architecture, the three-key recovery protocol, and your written incident response plan: who calls whom, in what order, with what authority, starting at minute zero.
03 · REHEARSE (Weeks 6–10)
WHAT HAPPENS
Two rehearsals. First, a tabletop: we walk your leadership through a realistic breach scenario (Friday 4:45 PM, payroll is encrypted, the attacker is emailing your customers) and pressure-test every decision. Second, a technical dry run of the restore process in an isolated environment.
YOU GET
A revised IR plan (the tabletop always finds holes; that’s the point), trained executives who have made these decisions once before they make them for real, and a drill-ready restore runbook.
04 · PROVE (Quarterly, forever)
WHAT HAPPENS
The live drill. On a scheduled morning, we restore your Tier 1 systems from immutable backup into an isolated environment, against the clock, witnessed and signed by your fractional CSO.
YOU GET
The Evidence Package: measured RTO vs. target, screenshots and logs, attestation signature, and a plain-English summary. This is the artifact you hand your insurer at renewal, your auditor at assessment, and your enterprise customer at vendor review.
- BACKUP SOURCE: immutable object-lock repo (S3, compliance mode)
- SYSTEMS RESTORED: EHR db · billing · file shares · phones
- CLOCK START: 06:00:00 EDT
- CLOCK STOP: 11:42:17 EDT
- MEASURED RTO: 5h 42m 17s
- TARGET: ≤ 12h
- WITNESSED BY: J. ████, vCISO
- EVIDENCE PKG: BB-EV-2026-014.pdf
What if the real thing happens?
Then the retainer activates. You call one number, day or night. Within the first hour you have an incident commander, a decision tree your team has already rehearsed, and a recovery process you’ve already timed. Most breach chaos isn’t technical. It’s fifty decisions nobody prepared to make. You’ll have made them already.