An incident response plan that has never been exercised is largely theoretical. The paper version of a plan and the executed version of a plan are frequently quite different — people have changed roles, processes don't work as designed, dependencies weren't mapped correctly, and the communications plan assumes phone numbers nobody has.
Tabletop exercises are the most accessible way to close the gap between the plan you have and the plan you'd actually execute.
What a Tabletop Exercise Is
A tabletop exercise is a facilitated, discussion-based session where participants walk through a simulated security incident, discussing what they would do at each stage. Unlike functional exercises that actually execute procedures, tabletops are discussion-only — lower cost, lower risk, and accessible to leadership.
The value is in the conversation and the gaps it surfaces, not in the technical execution.
Who Should Be in the Room
This is the most common mistake in tabletop design: only inviting the security team. A real incident involves much more than security:
- Executive leadership — Decision authority for significant actions, communications, and resource deployment
- Legal counsel — Privilege considerations, regulatory notification decisions, liability management
- Communications/PR — Customer and media communications strategy
- HR — Employee notification, insider threat scenarios
- Finance — Insurance claims, ransom payment decisions, financial controls in BEC scenarios
- Key IT leads — Systems owners who understand infrastructure
- Operations/Business leads — Those who understand business impact and continuity requirements
A tabletop that only involves the security team tests security team procedures, not organizational incident response.
Designing the Scenario
Effective tabletop scenarios are:
Realistic for your organization. A scenario involving regulatory notifications is more useful if you have regulatory obligations. A supply chain compromise scenario is more useful if you have significant vendor dependencies.
Appropriately complex. Simple scenarios ("we got a phishing email") generate short conversations. Scenarios with decision points, competing priorities, and escalating complications are more valuable.
Built around inject events. As the scenario progresses, inject new information that changes the situation: "Media has now reported on the breach." "The attacker has contacted us directly." "A regulator has called asking about the incident." These injects test adaptability.
Common scenario types:
- Ransomware attack with operational impact
- Business email compromise with wire fraud
- Third-party vendor breach affecting your data
- Insider threat
- Nation-state intrusion discovered months after initial access
Facilitation
A well-facilitated tabletop guides discussion without solving the problems. Good facilitation:
- Prompts quiet participants to engage
- Surfaces assumptions ("you said you'd notify the insurance company — what's the process for that?")
- Slows down rushed decisions ("the team jumped past the containment decision — let's work through what containment actually means here")
- Tracks decisions and gaps for the after-action report
External facilitation (from a consultant or IR firm) provides objectivity and a perspective that internal facilitation cannot. For high-stakes exercises, it's worth the investment.
After-Action Review
The exercise itself is only half the value. The after-action review — held within a few days while the exercise is fresh — documents:
- What decisions were made and what drove them
- Where gaps were identified (missing processes, unclear accountability, missing information)
- What changes need to be made to the IR plan, communications plan, or playbooks
- Who is responsible for each change and by when
Without the after-action follow-through, exercises reveal gaps but don't close them. Track completion of post-exercise action items like any other security program task.
Frequency
Annual tabletops are the minimum bar. Organizations that have experienced significant incidents, undergone significant organizational change, or completed major infrastructure changes should exercise more frequently.
Running exercises on different scenarios each time builds broad capability and ensures you're not just practicing the same muscle memory repeatedly.