Annual Tabletop

For Regulated SMB

The tabletop your SOC 2, HIPAA, PCI, or CMMC auditor is going to ask about.

Built for security and compliance leads at SOC 2, HIPAA, PCI DSS, and CMMC-bound SMBs. Annual cadence. Audit-ready AAR. The control evidence your auditor wants — without dragging in a consultant.

The problem

You have one annual exercise on the audit calendar, and a stack of frameworks that all expect their own evidence packet.

SOC 2 CC7.4 / CC7.5 wants tested IR. HIPAA §164.308(a)(7) wants a tested contingency plan. PCI 12.10 wants an annual test. CMMC IR.L2-3.6.3 wants a documented exercise. Your insurance renewal needs proof. You can run one exercise — but the auditors will each want their own evidence. Annual Tabletop runs the one exercise and produces every framework crosswalk in the AAR, so the same session satisfies every checkbox. (FFIEC-bound institutions: see /for/financial-institutions.)

Why Annual Tabletop fits

Built for regulated SMBs — not retrofitted from an enterprise SOC tool.

  • Capability 01

    Every regulated-SMB framework, crosswalked.

    SOC 2 CC7.4 / CC7.5, HIPAA §164.308(a)(7), PCI DSS 12.10, CMMC IR.L2-3.6.3, NIST CSF 2.0. Pick your scenario, get the framework crosswalks built into the AAR.

  • Capability 02

    Annual cadence aligned to your audit calendar.

    Annual contracts. Reminder built in 60 days before your audit window. AARs timestamped and signed for evidence purposes — exactly what your QSA, SOC 2 auditor, OCR auditor, or C3PAO is asking for.

  • Capability 03

    Real injects, not awareness training.

    Atlas runs constrained-decision injects that exercise your IR plan, your call tree, your decision authority. The AAR captures the gaps. Your auditor sees a tested plan, not a slide deck.

Scenarios for Regulated

3 scenarios tuned to your environment.

Framework crosswalks: SOC 2 CC7.4/CC7.5, HIPAA §164.308, PCI 12.10, CMMC IR.L2-3.6.3

Browse the full library
  • Data Exfiltration / Insider-Adjacent · Advanced

    CUI Exfiltration on the Eve of CMMC L2 Assessment — DIB Scenario

    A defense-industrial-base subcontractor finds CUI staged for exfil 11 days before its CMMC Level 2 C3PAO assessment. Walk DFARS 7012 72-hour reporting, NIST SP 800-171 R2 incident response, and the assessment-impact decision under live regulatory pressure.

    • CMMC IR.L2-3.6.3
    • NIST SP 800-171 R2 §3.6
    • DFARS 252.204-7012
    • DoD CIO 72-hour reporting
  • Your EHR vendor takes a regional outage during a Friday-night ED surge. Walk the HIPAA §164.308 contingency plan and document the test for your next OCR audit.

    • HIPAA §164.308
    • NIST CSF 2.0
    • NIST 800-84
  • A finance lead authorizes a $187K wire to a 'new vendor' after a CEO email thread that turns out to be a BEC. Run the response your SOC 2 / cyber-insurance underwriter wants documented.

    • SOC 2 CC7.4/CC7.5
    • HIPAA §164.308
    • FFIEC
    • PCI 12.10

Sample AAR

Sample regulated-SMB AAR. SOC 2 / HIPAA / PCI / CMMC crosswalks side by side. The artifact your auditor checks the box on.

The AAR is the artifact. It's what your SOC 2 / HIPAA / PCI auditor actually reads. Every Annual Tabletop exercise produces one.

After-Action Report

Regulated SMB — Sample Exercise

Conducted via Annual Tabletop · 60 minutes · SOC 2 CC7.4/CC7.5, HIPAA §164.308, PCI 12.10, CMMC IR.L2-3.6.3

Scenario: Constrained-decision injects tuned to a Regulated environment.

Decisions captured: Three time-boxed decisions, scored against your plan. Each maps to a framework control in the AAR.

Framework crosswalk: SOC 2 CC7.4/CC7.5 · HIPAA §164.308 · PCI 12.10 · CMMC IR.L2-3.6.3

Pricing

Regulated SMB pricing — annual, predictable, audit-aligned.

Regulated SMB tier pricing is published on the Pricing page. Annual contract, SSO, framework-specific AAR templates, and the full scenario library.

FAQ

Regulated SMB — questions we get

  • Will my SOC 2 auditor accept the AAR as evidence?
    Yes — the AAR includes the CC7.4 and CC7.5 crosswalk with timestamps, participants, scenario, and decisions captured. We've designed it to match what Type II auditors look for in IR test evidence.
  • Will my HIPAA / OCR auditor accept it?
    Yes. The AAR includes the §164.308(a)(7)(ii)(D) crosswalk — testing and revision procedures for contingency plans. The signed, timestamped AAR is the artifact OCR investigators ask for.
  • Does this work for PCI DSS 12.10 and CMMC IR.L2-3.6.3?
    Yes. PCI 12.10.2 (annual IR test) and CMMC IR.L2-3.6.3 (test the IR capability) both want documented exercise evidence. The AAR includes both crosswalks where the scenario applies.
  • Can my cyber-insurance carrier use this for renewal?
    Yes. Carriers increasingly ask for proof of an annual tested IR plan. The AAR is the proof. We've designed the cover sheet specifically so it can be forwarded to a carrier.
  • How long does an annual exercise take?
    60–90 minutes. The premise is one hour, once a year, that actually counts.
  • What if I'm a bank or credit union?
    You want the Financial Institutions tier — see /for/financial-institutions. The framework set there (FFIEC, NCUA, NYDFS, GLBA) is different and the pricing reflects the additional inject library and AAR template.

Run your annual exercise — and get the AAR your auditor wants.