This post teaches small-business IT/security teams how to design IR tests, collect audit-grade evidence, and assemble an auditor-friendly package that maps directly to NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control IR.L2-3.6.3—so you can show that your incident response process is tested, effective, and tracked end-to-end.
What auditors will look for (and how to think about evidence)
Auditors want proof that you: (1) planned and executed incident response tests, (2) captured measurable results during those tests, (3) documented decisions and actions, and (4) verified remediation. Evidence should make it easy to answer: what was tested, who participated, what was observed (with logs and timestamps), what actions were taken, and how issues were closed. For NIST SP 800-171 / CMMC implementations, that means linking each artifact back to the specific control language and showing traceability from policy → test plan → test run → after-action report (AAR) → remediation verification.
Core artifacts to collect during IR tests
Make these items the backbone of your evidence package: a signed test plan (objectives, scope, success criteria), participant roster and roles, scenario script (threat narrative), pre-test permissions/authorizations, timeline (UTC), raw telemetry (EDR/AV alerts, SIEM events, firewall and proxy logs, Windows Event logs, syslog), packet captures (pcap), screenshots or video of console actions, change tickets and remediation records, the AAR with lessons learned, and verification evidence showing fixes were applied. For each artifact include metadata: file hash (sha256sum), creation timestamp, owner, and a short description mapping it to the control clause.
Practical implementation details for NIST SP 800-171 / CMMC practitioners
Set up an "IR Test Evidence Repository" (can be a hardened file share or a SaaS evidence vault with WORM/immutable options). Use a simple CSV/JSON evidence index that maps artifact filenames to control elements (example fields: artifact_id, control_reference, test_id, timestamp_utc, hash_sha256, description, storage_path, verifier). Standardize naming, e.g., IR-YYYYMMDD-TESTTYPE-ARTIFACTTYPE.ext (IR-20260405-PHISH-RESULTS.json). Ensure all systems involved are time-synchronized (NTP) and record the NTP sources. Store raw logs and processed extracts; include the SIEM saved search used to produce the extract (e.g., Splunk savedsearch name or Elastic search DSL). Sign or checksum critical files and retain chain-of-custody notes if artifacts may be needed for legal action.
Small-business example: phishing-to-ransomware tabletop + technical drill
Scenario: a simulated phishing email leads to an EDR-detected lateral movement and a mocked ransomware encryption. Evidence collected: the phishing campaign plan (objectives: measure time-to-detect and time-to-contain), phishing email sample and headers, EDR alert (Alert ID EDR-2026-0001), Splunk query used to find related anomalies (index=winevent host=web01 sourcetype=wineventlog EventCode=4688 user=* | stats count by New_Process_Name), packet capture of SMB traffic (tcpdump -w ir-20260405-smb.pcap host 10.0.2.15 and port 445), containment action ticket in ITSM (TKT-4532) showing network isolation, backup restore ticket (TKT-4540) with backup timestamp, and an AAR signed by the CISO. Also include verification artifacts: a successful restore log, EDR rule tuning change record, and a follow-up scan showing no persistence artifacts (sha256 hashes matched to known-good binaries).
Specific technical collection tips
Collect raw logs in native formats and document the extraction queries. Example useful fields: timestamp (UTC), host, user, process hash (sha256), event_id (Windows) or syslog program, source/destination IP and port, and alert_id (EDR/SIEM). Useful commands/snippets: tcpdump -w incident.pcap 'host 10.0.2.15 and (port 445 or port 3389)'; tshark -r incident.pcap -Y 'http.request' -T fields -e frame.time_epoch -e ip.src -e http.request.uri > http-requests.csv; sha256sum ir-20260405-smb.pcap > ir-20260405-smb.pcap.sha256. Export SIEM queries as saved searches and include their timestamps and outputs (CSV/JSON). Where possible, use read-only API pulls to avoid altering evidence.
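As an added example (not code from the post), the following Python script implements the evidence index and IR-YYYYMMDD-TESTTYPE-ARTIFACTTYPE.ext naming convention from the repository section together with the sha256sum-style sidecar from the collection tips, and adds a verify step that re-hashes every catalogued artifact to catch missing or altered files. The control reference, storage paths and file contents are assumptions supplied by the caller.

```python
import hashlib, json, re
from datetime import datetime, timezone
from pathlib import Path
# Naming convention from the post: IR-YYYYMMDD-TESTTYPE-ARTIFACTTYPE.ext
NAME_RE = re.compile(r"^IR-(\d{8})-([A-Z0-9]+)-([A-Z0-9]+)\.[A-Za-z0-9]+$")

def sha256_file(path: Path) -> str:
    """Stream the file so a multi-GB pcap need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def index_entry(path: Path, control_reference: str, description: str, verifier: str) -> dict:
    """One evidence-index row; rejects files that break the naming convention."""
    m = NAME_RE.match(path.name)
    if not m:
        raise ValueError(f"{path.name} is not IR-YYYYMMDD-TESTTYPE-ARTIFACTTYPE.ext")
    date, test_type, artifact_type = m.groups()
    datetime.strptime(date, "%Y%m%d")  # reject impossible dates such as 20261340
    digest = sha256_file(path)
    # sha256sum-compatible sidecar so `sha256sum -c` can re-check the file later
    path.with_name(path.name + ".sha256").write_text(f"{digest}  {path.name}\n")
    return {
        "artifact_id": path.stem,
        "control_reference": control_reference,
        "test_id": f"IR-{date}-{test_type}",
        "artifact_type": artifact_type,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hash_sha256": digest,
        "description": description,
        "storage_path": str(path.resolve()),
        "verifier": verifier,
    }

def build_index(artifacts: list, out: Path) -> list:
    # artifacts: (path, control_reference, description, verifier) tuples -> JSON index file
    rows = [index_entry(*a) for a in artifacts]
    out.write_text(json.dumps(rows, indent=2))
    return rows

def verify_index(index_path: Path) -> list:
    """Re-hash every catalogued artifact; return ids that are missing or altered."""
    bad = []
    for entry in json.loads(index_path.read_text()):
        p = Path(entry["storage_path"])
        if not p.exists() or sha256_file(p) != entry["hash_sha256"]:
            bad.append(entry["artifact_id"])
    return bad
```

Run verify_index on a schedule (or before handing the packet to an assessor) so a silently changed pcap or log extract is caught before it undermines the whole package.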
Compliance tips and best practices
Run a mix of tabletop exercises (quarterly) and technical exercises (semiannually or annually) and keep the scope proportional to your environment. Never use production sensitive data in tests unless you mask it; maintain a separate test environment for technical drills if possible. Keep executive-level TL;DR summaries for auditors plus a technical appendix with raw evidence. Map each evidence item back to the control using the evidence index and include a short auditor checklist that answers “who, what, when, where, and why.” Engage external testers for independence at least once every 12–24 months and verify remediation with signed closure records. Recommended retention: retain IR test artifacts for at least 12 months, and for contractual/audit reasons retain critical artifacts for 3 years or per contract—store high-value artifacts in immutable storage.
Risk of not implementing this requirement
Failing to run IR tests and retain audit-quality evidence increases the risk of undetected gaps in detection/containment, failed compliance assessments, loss of DoD contracts, regulatory penalties, and reputational damage. In practice, organizations that cannot demonstrate tested IR capability are less likely to detect real intrusions quickly, increasing dwell time and the impact of a breach—higher recovery costs, possible data exfiltration, and extended operational disruption.
In summary, build a repeatable evidence pipeline: define test objectives, capture raw telemetry and contextual artifacts, hash and catalog everything into an evidence index, map artifacts back to IR.L2-3.6.3, and produce an auditor-friendly packet that includes an executive summary and technical appendix. Automate collection where possible, keep tests proportional to business size, and validate remediation—this combination will make your IR test evidence audit-ready and defensible for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 assessments.