BreachBack

The BreachBack Method

Resilience isn’t a product you buy. It’s a capability you build and then prove on a schedule. Here’s the whole method — no mystery, no black box.

01 MAP (Weeks 1–2)

WHAT HAPPENS

We inventory everything that matters: systems, data, dependencies, and the order your business actually needs them back in. Most owners have never ranked their own systems by criticality. We do it together in one working session.

YOU GET

A one-page Critical Systems Map with recovery priorities and target restore times (RTOs) for each tier — 6, 12, 24, or 72 hours.

TIER 1 ≤ 6h: payments · scheduling
TIER 2 ≤ 24h: email · files
TIER 3 ≤ 72h: archives

02 HARDEN (Weeks 2–6)

WHAT HAPPENS

We build the recovery infrastructure: immutable, object-locked backups that ransomware can’t encrypt and a rogue admin can’t delete; offsite copies; and executive-gated access — your CEO, CFO, and security officer each hold a key, and it takes a quorum to touch the vault.

YOU GET

Documented backup architecture, the three-key recovery protocol, and your written incident response plan — who calls whom, in what order, with what authority, starting at minute zero.

03 REHEARSE (Weeks 6–10)

WHAT HAPPENS

Two rehearsals. First, a tabletop: we walk your leadership through a realistic breach scenario — Friday 4:45 PM, payroll is encrypted, the attacker is emailing your customers — and pressure-test every decision. Second, a technical dry run of the restore process in an isolated environment.

YOU GET

A revised IR plan (the tabletop always finds holes — that’s the point), trained executives who have made these decisions once before they make them for real, and a drill-ready restore runbook.

04 PROVE (Quarterly, forever)

WHAT HAPPENS

The live drill. On a scheduled morning, we restore your Tier 1 systems from immutable backup into an isolated environment, against the clock, witnessed and signed by your fractional CSO.

YOU GET

The Evidence Package: measured RTO vs. target, screenshots and logs, attestation signature, and a plain-English summary. This is the artifact you hand your insurer at renewal, your auditor at assessment, and your enterprise customer at vendor review.

DRILL #2026-014 · RESTORE TEST · CLIENT: [REDACTED] MEDICAL, GRAND RAPIDS MI · ✓ PASSED
BACKUP SOURCE: immutable object-lock repo (S3, compliance mode)
SYSTEMS RESTORED: EHR db · billing · file shares · phones
CLOCK START: 06:00:00 EDT
CLOCK STOP: 11:42:17 EDT
MEASURED RTO: 5h 42m 17s
TARGET: ≤ 12h
WITNESSED BY: J. ████, vCISO
EVIDENCE PKG: BB-EV-2026-014.pdf

What if the real thing happens?

Then the retainer activates. You call one number, day or night. Within the first hour you have an incident commander, a decision tree your team has already rehearsed, and a recovery process you’ve already timed. Most breach chaos isn’t technical — it’s fifty decisions nobody prepared to make. You’ll have made them already.