Ransomware Readiness Assessment
End-to-end assessment of your ability to prevent, detect, contain, and recover from a ransomware attack — covering initial access controls, lateral movement prevention, backup integrity, and business continuity validation against modern double-extortion attack models.
Prevention · Detection · Recovery
Three assessment pillars covering the complete ransomware attack lifecycle — from preventing initial access through detecting pre-encryption activity to validating your recovery capability.
Prevention & Initial Access Controls
Assessing the controls that prevent ransomware from gaining a foothold — email gateway effectiveness against weaponised documents, endpoint protection coverage, exposed RDP and remote access services, VPN and MFA configuration, and the patch posture of the internet-facing systems most exploited by ransomware initial access brokers.
- Email gateway weaponised document and macro blocking test
- Exposed RDP and remote desktop service identification
- VPN and MFA configuration review
- Internet-facing CVE assessment (ransomware IAB favourites)
- Endpoint EPP/EDR coverage gap identification
- Phishing simulation for ransomware-specific lure types
Detection & Lateral Movement Containment
Simulating post-access ransomware behaviour — credential theft, lateral movement via SMB and WMI, Active Directory enumeration and domain controller targeting, and shadow copy deletion attempts — validating whether your detection and containment controls would identify and stop a ransomware operator before payload deployment.
- Credential theft simulation (Mimikatz, LSASS access)
- Lateral movement techniques (SMB, WMI, PsExec, Pass-the-Hash)
- Active Directory enumeration and DC targeting simulation
- Network segmentation validation across VLANs
- Shadow copy deletion attempt detection test
- EDR and SIEM alert coverage for pre-detonation behaviour
Backup Integrity & Business Continuity
Validating that your backup and recovery infrastructure is genuinely ransomware-resilient — testing backup immutability, offline copy availability, recovery time objectives, backup access controls, and your business continuity plan's capacity to sustain critical operations during a recovery period.
- Backup immutability verification (can ransomware delete your backups?)
- Offsite and offline backup copy validation
- Backup restoration test — actual RTO measurement vs. stated objective
- Backup access control review (admin credential separation)
- Business continuity plan review against ransomware scenario
- Cyber insurance evidence documentation support
Ransomware Has Evolved. Most Defences Have Not.
Modern ransomware attacks are operated by organised criminal groups with dedicated initial access brokers, affiliate networks, and double-extortion models — exfiltrating data before encryption to maximise leverage. The dwell time between initial access and payload deployment averages 16 days, meaning a ransomware operator typically spends over two weeks inside your environment before you know they are there.
A ransomware readiness assessment answers the critical questions: if a ransomware operator had 16 days inside our environment right now — could we detect them? Could we contain them? Could we recover without paying? Most organisations have never validated their answers to those questions with evidence.
16-Day Dwell Simulation
Simulating the pre-detonation period ransomware operators use before payload deployment
Backup Immutability
Testing whether ransomware with admin credentials can delete or encrypt your backups
Actual RTO Testing
Measuring real recovery time against your stated business continuity objectives
Insurance Evidence Pack
Control documentation in formats aligned with cyber insurance underwriting requirements
5-Phase Ransomware Readiness Methodology
From initial access surface review through ransomware behaviour simulation, backup testing, and a 90-day hardening roadmap with cyber insurance evidence.
Attack Surface & Initial Access Review
Mapping your external attack surface from a ransomware initial access broker perspective — identifying exposed remote access services (RDP, VPN, Citrix), unpatched internet-facing systems matching known ransomware IAB exploit lists, and email security control effectiveness against weaponised documents used in ransomware campaigns.
Endpoint & Network Control Assessment
Reviewing endpoint protection coverage, EDR deployment gaps, network segmentation effectiveness, and east-west traffic visibility — assessing whether a ransomware operator who gains access to one endpoint can enumerate the network, steal credentials, and reach critical systems including domain controllers and backup infrastructure.
Ransomware Behaviour Simulation
Safely simulating post-access ransomware operator behaviour — credential theft, lateral movement, AD enumeration, shadow copy deletion attempts, and data staging — validating whether detection controls alert and containment controls prevent progression toward payload deployment within your 16-day dwell window.
Backup & Recovery Validation
Physically testing the resilience of your backup infrastructure — validating immutability, testing whether backup deletion is possible with compromised admin credentials, performing an actual restoration test to measure RTO against your business continuity plan's stated objective, and documenting controls for cyber insurance evidence.
Ransomware Readiness Report & Roadmap
A comprehensive readiness report mapping your prevention, detection, and recovery posture, risk-ranked remediation guidance, a cyber insurance evidence pack, and a 90-day hardening roadmap designed to close your highest-risk gaps before the next assessment.
End-to-End Ransomware Resilience Coverage
From initial access surface through credential theft, lateral movement, backup immutability, and cyber insurance evidence — every layer of ransomware resilience assessed and validated.
Initial Access Hardening
External attack surface assessment focused on ransomware IAB entry points — exposed RDP, unpatched VPN appliances, exploitable internet-facing services, and email security control effectiveness against ransomware lure themes.
Credential Theft Prevention
Assessment of controls preventing credential theft — LSASS protection, Credential Guard, privileged account exposure, and detection coverage for Pass-the-Hash, Kerberoasting, and LSASS dumping techniques favoured by ransomware operators.
Lateral Movement Containment
Network segmentation validation, east-west traffic monitoring, and simulated lateral movement to confirm whether ransomware can reach critical systems — domain controllers, backup servers, and file shares — from a compromised endpoint.
Ransomware Detection Coverage
EDR and SIEM detection coverage for ransomware pre-detonation behaviour — shadow copy enumeration, VSS deletion, mass file enumeration, and encryption activity — measuring your time-to-detect against the 16-day average dwell time.
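As an added example, not part of this page or the assessment provider's own tooling, the detection logic a SIEM rule for the VSS deletion and shadow copy enumeration behaviour listed above would implement, run over constructed Sysmon-style process-creation records. Hostnames, users and command lines are made up, and the rule names and the per-host escalation threshold are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
# Constructed sample process-creation records in Sysmon Event ID 1 shape; all values are made up.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "CORP\\jsmith", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS-014", "user": "CORP\\jsmith", "cmdline": "wmic shadowcopy delete"},
    {"host": "FS-02", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "vssadmin list shadows"},
    {"host": "WS-014", "user": "CORP\\jsmith", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS-031", "user": "CORP\\backupsvc", "cmdline": "agent.exe --verify-catalog"},
]
# (severity, rule name, pattern): first match wins, so high-severity rules come first.
RULES = [
    ("high", "vss-delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("high", "wmic-shadowcopy-delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("high", "wbadmin-catalog-delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("high", "recovery-disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("medium", "vss-enumeration", re.compile(r"\bvssadmin(\.exe)?\b.*\blist\b.*\bshadows\b", re.I)),
]

@dataclass
class Finding:
    host: str
    user: str
    severity: str
    rule: str
    cmdline: str

def classify(cmdline):
    """Return (severity, rule name) for the first matching rule, or None if benign."""
    for severity, name, pattern in RULES:
        if pattern.search(cmdline):
            return severity, name
    return None

def scan_events(events):
    """Run each process-creation record through the rules; matches keep input order."""
    findings = []
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit:
            findings.append(Finding(ev["host"], ev["user"], hit[0], hit[1], ev["cmdline"]))
    return findings

def hosts_at_risk(findings, threshold=2):
    """Hosts with >= threshold high-severity hits: one command may be routine admin work,
    but a cluster on a single host reads as pre-detonation preparation worth containing."""
    highs = Counter(f.host for f in findings if f.severity == "high")
    return {host: n for host, n in highs.items() if n >= threshold}
```

In a real deployment the patterns would also be matched against the parent process and the ProcessCommandLine field of EDR telemetry, since benign backup agents legitimately enumerate shadow copies.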
Backup Immutability Verification
Testing whether your backups can be encrypted or deleted by a ransomware operator with compromised admin credentials — validating immutable storage configuration, offline copy availability, and backup access control separation.
Cyber Insurance Evidence
Documenting ransomware prevention and recovery controls in formats required by cyber insurers — validating MFA deployment, backup integrity, EDR coverage, and incident response capability to support underwriting and reduce premium.
Validate Your Defences Before the Ransom Note
Most organisations discover their ransomware readiness gaps during an incident. We help you find them first — with evidence-based testing of every layer of your ransomware resilience.
Three-Pillar Assessment
Most assessments focus on prevention. We assess all three pillars: prevention (stop initial access), detection and containment (limit dwell time and lateral movement), and recovery (validate backup integrity and RTO).
Actual Backup Testing
We test whether your backups are actually ransomware-resilient — not just whether a backup policy exists. If a ransomware operator with your admin credentials can delete your backups, your recovery plan has a critical gap.
16-Day Dwell Simulation
Our methodology simulates the 16-day pre-detonation dwell period ransomware operators use — validating whether detection controls would identify them before payload deployment, not just whether your EDR blocks the encryption binary.
Cyber Insurance Support
We document all findings in formats aligned with cyber insurance underwriting requirements — providing evidence to support your insurance application, renewals, and premium reduction discussions.
Ready to Validate Your Ransomware Defences?
Find out if your prevention, detection, and recovery controls would survive a real ransomware attack — before an attacker does. Schedule a scoping call to build your assessment.