The Analog Incident Story Compass Theater: Rehearsing Outages Before They Go Live
How low‑tech tabletop “analog incidents” help teams rehearse outages and security events like stage plays—building technical skill, empathy, and resilience before real crises hit.
When a real outage or security breach hits, it feels less like a calm troubleshooting session and more like live theater:
- People scramble for information.
- Leaders demand answers they don’t yet have.
- Emotions spike, tempers flare, and communication breaks down.
Most organizations still learn how to handle those moments only when they’re already burning. But there’s a better approach: rehearsing incidents as low‑tech, story‑driven tabletop exercises—what we can call “analog incidents”.
Think of it as Story Compass Theater for your incident response: a structured, low‑risk way to practice outages and crises like stage rehearsals before the show goes live.
What Is an “Analog Incident”?
An analog incident is a facilitated tabletop exercise where teams walk through a realistic outage or security event using paper, prompts, and role‑play instead of live systems.
There’s no live fire, no risky config changes, no production logs at stake. Instead, you:
- Sit around a table (or virtual equivalent)
- Are presented with a scenario that unfolds in stages
- Make decisions, ask questions, and respond as you would in real life
- Experience the technical, social, and emotional dynamics of a real incident—without real-world damage
It’s “analog” because it’s deliberately low‑tech: you don’t need a full cyber range, a simulation platform, or a cloned environment to get value. You need a scenario, a facilitator, and participants willing to play.
Why Use Real Threat Intelligence and Adversary TTPs?
The difference between a forgettable exercise and a transformative one is relevance.
Analog incidents are most powerful when they’re built on up‑to‑date threat intelligence and real adversary tactics, techniques, and procedures (TTPs). That means:
- Scenarios reflect attacks that are actually happening now in your industry.
- The “villains” in your story behave like real attackers: phishing chains, lateral movement, business email compromise, supply chain pivoting, and so on.
- You aren’t just rehearsing generic “the system is down” moments—you’re practicing for the exact kinds of events you’re likely to face.
By mirroring real threats, these analog rehearsals serve as a preview of coming attractions. When something similar surfaces in production, your team doesn’t start from zero. The story feels familiar, and people know the moves.
Stage Rehearsals for Incident Response
If a real incident is opening night, then analog incidents are dress rehearsals.
They give teams a safe space to practice:
- Identification
  - How do we first notice something is wrong?
  - Who is on the hook for initial triage?
  - What constitutes “this is bad enough to page people”?
- Information Gathering
  - What logs, dashboards, or tools do we check?
  - How do we share early findings without overpromising or panicking?
  - How do we handle uncertainty and conflicting data?
- Coordinated Response
  - Who leads? Who communicates? Who executes changes?
  - How are decisions made under time pressure?
  - How do we coordinate across teams—SRE, security, product, customer support, legal, PR?
Because nothing is actually on fire, teams can experiment with approaches and see where their process breaks:
- Does the on‑call policy actually match real staffing patterns?
- Do people know how to escalate to legal or communications?
- Are roles and responsibilities clear, or does everyone default to “shout into Slack”?
You’re doing real incident response work—but in a room where the only thing at risk is your pride.
Why Low‑Tech Beats Shiny Simulation (At First)
High‑fidelity simulations and technical labs have their place. But starting with low‑tech tabletop scenes has advantages:
- Low barrier to entry: A facilitator, printed prompts, and an hour on everyone’s calendar is often enough.
- Focus on thinking, not tooling: Without dashboards to hide behind, participants must articulate what they’d look for and why.
- Safe to get messy: You can pause, rewind, or branch the story mid‑scene to explore alternatives.
- Covers socio‑technical reality: Real incidents are never just bits and bytes; they’re people, politics, and pressure. Analog incidents make space for all of that.
You’re building a mental playbook, not just proving a runbook executes.
Adding the Human Drama: Role‑Playing the Difficult Moments
Real crises bring out more than technical problems. They surface:
- Friction between teams
- Misaligned priorities
- Personal stress and burnout
Analog incidents can safely include hard interpersonal scenes that commonly arise in or around emergencies, such as:
- A senior leader demanding an ETA and a root cause that don’t exist yet
- A product owner pushing to roll back a change that may actually be a red herring
- A report of harassment or bullying in the war room chat
- News of pending layoffs that lands mid‑incident and shatters trust
By integrating role‑play elements, leaders and responders practice not just what to do, but how to be:
- How to say “We don’t know yet” without sounding evasive
- How to push back on unrealistic demands respectfully
- How to create psychological safety while under pressure
- How to keep communication clear and calm when emotions spike
These are skills that are rarely written into incident runbooks but heavily determine how an incident feels—and how well it’s handled.
Practicing Mistakes Safely
One of the greatest benefits of analog incidents is the freedom to fail.
When the stakes are low, people are more willing to:
- Try a new communication pattern
- Step into a leadership role for the first time
- Admit confusion or knowledge gaps
- Question a sacred process or tool
By making the practice space safe, you reduce the risk of making first‑time mistakes during a real outage, where:
- Reputations can be damaged
- Customers can churn
- Regulators may get involved
- Legal and financial consequences are on the line
You still want to explore failure—but on paper first, not in production.
Building Empathy: Roles on Both Practitioner and Client Sides
Analog incidents become especially powerful when they include structured roles on both sides of the table:
- Practitioner side: SREs, security engineers, developers, support, comms, legal
- Client/stakeholder side: A frustrated enterprise customer, an anxious board member, a non‑technical executive, a journalist, a regulator
As participants rotate through these roles across multiple sessions, something important happens: empathy grows.
- Engineers feel what it’s like to be a customer who gets vague updates and long silences.
- Leaders experience what it’s like to have pressure from above but limited technical clarity.
- Security teams better understand product and ops tradeoffs and time constraints.
This doesn’t just improve technical coordination. It builds communication muscles:
- Less blame, more curiosity
- Clearer status updates tailored to the audience
- Smarter tradeoffs between speed, safety, and transparency
The result is a more cohesive, crisis‑capable organization, not just a sharper incident response team.
Maturing Over Time: From Simple Scenes to Deep Theater
You don’t have to start with a Hollywood‑grade storyline. Analog incidents can mature with your team.
Early‑stage exercises might focus on:
- A simple single‑service outage
- A straightforward phishing email
- A customer‑visible performance degradation
As your team gains confidence, you can introduce more complex, high‑stakes scenarios and even experienced role‑players (internal or external) to raise the bar:
- Multi‑vector security events with partial detection
- Cross‑region outages where multiple teams must coordinate
- Incidents that span days or weeks, with fatigue and shifting priorities
- Scenarios where PR, legal, and regulators play a central role
You can also vary the format:
- Time‑boxed scenes: 30–60 minutes focusing on one phase (detection, communication, post‑incident)
- Branching narratives: Different team decisions lead to different “future states” of the incident
- Rotating leads: Different people take the incident commander role each session
Each iteration becomes both training and discovery—exposing gaps in:
- Runbooks and playbooks
- Access and permissions
- Communication channels
- Escalation paths
- Cultural norms and expectations
And because these are analog, adjustments between runs are cheap and fast.
Getting Started: Practical Steps
You can launch your own analog incident “theater” with minimal overhead:
- Pick a realistic scenario: Use recent threat intel, near‑misses, or past incidents; update it with current adversary TTPs.
- Define a cast of roles: Include technical responders, leadership, customers, and external stakeholders.
- Script the beats, not the dialogue: Outline key events and information drops. Let participants improvise the actual responses.
- Set ground rules for safety: No blaming, no performance reviews based on this, and a bias toward learning and curiosity.
- Run, pause, reflect: Build in short pauses to ask: “What are we assuming? What’s missing? How else could we handle this?”
- Debrief and capture learnings: Note process gaps, unclear ownership, tooling needs, communication issues—and convert them into concrete improvements.
Repeat regularly. Frequency beats complexity.
Conclusion: Make Practice the Place You Learn the Hard Lessons
Real outages and security incidents will always carry stress and risk. But they don’t have to be the first and only time your team experiences crisis.
By treating incident response like theater—using analog, story‑driven tabletop rehearsals informed by real threat intelligence—you:
- Build technical and social skills in a safe environment
- Let leaders and responders make mistakes without collateral damage
- Strengthen empathy and communication across roles
- Mature your organization’s resilience one scene at a time
You can’t script reality. But you can rehearse how you show up when it hits. Analog incidents give your teams that stage—before the curtain rises on the real thing.