Annual Tabletop

For small & midsize businesses

The tabletop your carrier, your customer, or your board has started asking for.

Built for small and midsize businesses without a compliance gun to their head — but with an underwriter, a vendor questionnaire, or a leadership ask that wants documented IR readiness. No CISO required.

The problem

Nobody's auditing you. But your insurance carrier wants proof, your biggest customer's vendor questionnaire wants proof, and your board wants to know what would happen on the day.

You don't have a compliance regime forcing you into a tabletop. You also don't have a $40K consultant budget to run one. What you have is a cyber-insurance renewal asking for documented IR testing, a vendor questionnaire from your largest customer asking the same question, and a quietly nervous leadership team. Annual Tabletop is the entry-level tier built for exactly this: one hour, once a year, the AI runs the exercise, you walk away with an AAR that answers every one of those questions.

Why Annual Tabletop fits

Built for small & midsize businesses — not retrofitted from an enterprise SOC tool.

  • Capability 01

    Built for the buyer who isn't compliance-driven.

    No SOC 2 timeline. No HIPAA auditor. No FFIEC examiner. Just a clear, defensible record of a tested IR plan that satisfies underwriters, customer questionnaires, and board reviews.

  • Capability 02

    Aligned to NIST CSF 2.0 and CIS Controls — but not weaponized.

    Scenarios map to NIST CSF 2.0's RS (Respond) function and CIS Controls v8 IG1/IG2. You get framework alignment without becoming a framework expert.

  • Capability 03

    Priced like a SaaS line item, not a consultant invoice.

    The General SMB tier on the Pricing page is the lowest paid tier we offer. Annual contract. No per-seat charges. No procurement gymnastics. The number is the number.

Scenarios for SMB

2 scenarios tuned to your environment.

Framework crosswalks: NIST CSF 2.0 subset, CIS Controls v8 IG1/IG2, cyber-insurance evidence


Sample AAR

Sample general-SMB AAR. NIST CSF 2.0 and CIS Controls v8 crosswalks. Cover page designed to drop straight into a carrier renewal packet or a vendor-questionnaire response.

The AAR is the artifact. It's what your insurance underwriter or customer questionnaire actually reads. Every Annual Tabletop exercise produces one.

After-Action Report

Small & midsize businesses — Sample Exercise

Conducted via Annual Tabletop · 60 minutes · NIST CSF 2.0 subset, CIS Controls v8 IG1/IG2, cyber-insurance evidence

Scenario
Constrained-decision injects tuned to an SMB environment.
Decisions captured
Three time-boxed decisions, scored against your plan. Each maps to a framework control in the AAR.
Framework crosswalk
NIST CSF 2.0 subset · CIS Controls v8 IG1/IG2 · cyber-insurance evidence

Pricing

Entry-tier pricing — built for non-regulated SMBs.

The General SMB tier is the most affordable paid tier we offer. Annual contract, full library access, NIST CSF / CIS Controls AAR template, and email support.

FAQ

Small & midsize businesses — questions we get

  • We're not regulated — do we even need this?
    If your cyber-insurance carrier, your largest customer, or your board has asked about IR readiness, you need it. The exercise produces the documented evidence those three audiences are asking for.
  • Will my insurance carrier accept the AAR?
    In our experience, yes. Carriers want to see (1) an exercise occurred, (2) it was scenario-based, (3) decisions and gaps were captured, (4) it's signed and dated. The AAR is built around exactly those four things.
  • What's the difference between this and the Regulated SMB tier?
    The Regulated SMB tier adds SOC 2 / HIPAA / PCI / CMMC framework crosswalks, audit-grade AAR templates, and SSO. If you're not bound by those frameworks, the General SMB tier is the right fit and the right price.
  • Do I need a CISO or security lead to run this?
    No. Atlas runs the session. Your IT lead, ops lead, and an executive participate. The exercise is designed for teams without a dedicated security function.
  • How long does it take?
    60 minutes for the exercise itself. AAR is generated in-session.

Run an exercise — and answer your carrier, your customer, and your board.