Most tabletop exercises fail for one boring reason. They are not exercises. They are meetings with a scary slide deck: everyone talks, nobody is tested.

ENISA recently published a cybersecurity exercise methodology for planners. It treats an exercise like a product launch. You plan, scope, build, run, measure, then improve.

Three things I now push in fintech, and planning time is first. It is not a vibe, it is math. ENISA suggests a minimum of six months. They even give a rough formula for preparation time. More complexity and more stakeholder groups mean more months, fast.

Second, scope kills more exercises than attackers. If your scope is "test everything", results dilute fast. If it is "test the email server", reality disappears. Pick two or three critical processes. Map the dependencies, including vendors, handoffs, and comms. Be explicit on who plays, who observes, and who decides.

Third, evaluation is the point. Without it, you ran training, not readiness. Set SMART objectives with a clear measure of success. Define indicators, then metrics, then data sources. Decide what success looks like before day one. Build injects that force real decisions, at a realistic pace. Use a master scenario event list as your conductor's score. Your after-action report becomes evidence, not opinion. Your action plan becomes prioritised, not hand-waving.

If your tabletop felt pointless, this is why: make it measurable or do not run it. #ENISA
Tips for Conducting Tabletop Exercises
Summary
Tabletop exercises are discussion-based sessions where teams walk through simulated crisis scenarios to test their response plans and decision-making. These exercises help organizations uncover gaps in their processes, roles, and communication before a real-world incident occurs.
- Set clear objectives: Define what you want to achieve and determine how success will be measured before you start the session.
- Make scenarios realistic: Tailor the exercise to match your organization’s actual environment, risks, and team structure, using scenarios grounded in real-world threats.
- Engage the right participants: Ensure the session includes those responsible for key decisions and clarify each person’s role to keep the exercise meaningful and focused.
How I Build "Engaging" ICS/OT (& IT) Incident Response Tabletop Exercises in 6 Steps (here's how)

I have participated in and led more than a few tabletop exercises over the years. I have been fortunate to learn from some really great ones. And some REALLY bad ones. Here's my six-step process for creating a tabletop that participants will be engaged in:

1. Do the Research
Do the research on the client and their environment.
-> What is important to the client's industry?
-> How does the client's industry make money?
-> How do "general" cyber-attacks impact the industry?
-> What are the most impactful cyber-attacks in their industry?

2. Understand the Environment
EVERY environment is different. No matter if it is ICS/OT, IT or both.
-> What critical systems exist?
-> What does the IT network look like?
-> What does the OT environment look like?
-> Why is the business conducting the exercise?
-> What happens if a critical system is compromised?
-> What are the unique physics of their ICS/OT environment?

3. Create Realistic Scenarios
Using the information gathered so far, it is time to design the scenario(s).
-> Think like an attacker
-> Ensure that the scenarios are realistic
-> If you are not sure how an attack might work, do not use it
-> Create scenarios based on known attacks against their industry

4. Build Engaging Injects
Injects are new pieces of information given to participants as the scenario unfolds. Like getting a new clue when solving a murder mystery. A few of the engaging ones I have used include:
-> Realistic phishing emails designed to look exactly like one they would receive in their specific email client
-> Fake Twitter and other social media feeds reporting a cyber-attack against the company
-> Phone calls received (on speaker phone) by a participant
- A security researcher calls in to report intel on hacker chatter about a breach of the company. How do the team members respond?
- Someone calls in as a local reporter asking about a potential cyber-attack against the company. Will an employee share sensitive information openly with an outside party?

5. End with the Worst-Case Scenario
Like in a risk assessment, the worst-case scenario for the company must be examined. This could include people being killed or injured, harm to the environment, and a site or the company becoming inoperable. Even worse is when it shows up on the news. Use a photo generator to create an image of their environment on the news that shows their worst-case scenario.

6. Finalize the Design WITH the Client
It is your client's tabletop exercise, not yours. Make sure to meet their known needs and help them understand needs they might not be aware of.

P.S. What do you think makes a good tabletop?
-
I am excited to share that we’ve officially relaunched our Complete Guide to Running a Tabletop Exercise!

Tabletop exercises are still one of the most under‑used and misunderstood tools in cyber resilience. Too many organisations treat them like a tick‑box exercise, or worse, run them once and assume they are “covered”. In reality, a well-run tabletop will reveal more about your real‑world readiness than any piece of technology. It exposes assumptions. It forces decision makers to think under pressure. It uncovers the messy, human parts of a crisis that no playbook truly prepares you for.

That is exactly why we created this guide: to help organisations run sessions that genuinely challenge them, spark uncomfortable but essential conversations, and ultimately improve their response capabilities.

The updated edition includes:
• Practical steps for planning, structuring, and facilitating a session
• Common pitfalls and how to avoid them
• Scenario building guidance grounded in real incident patterns
• Advice on engaging executives and keeping the discussion meaningful
• Tips for turning outcomes into lasting improvements

If you want to elevate your exercises beyond surface‑level discussions and build real organisational resilience, this new version will help you do it. You can download the updated guide now. And if you run an exercise using it, I’d love to hear how you got on — the insights we gather from the real world are what keep our work sharp, relevant, and impactful.

Link in Comments
-
57% of major cyber incidents involve attack types teams never rehearsed. Too many tabletop exercises rely on familiar, dramatic attack scenarios... the kind people already expect. But the real danger is in what nobody saw coming: subtle lateral movement, quiet exfiltration, or chained compromises that don’t start with a big flash. To make exercises meaningful, they have to reflect your environment, your risks, your tech, your people. Teams should test contacting people, fallback comms, expired phone lists, even burner phone logistics. Those “mundane” failures often become the real showstoppers in a crisis. Real preparation is less about scripting a perfect drill and more about building adaptability, muscle memory for surprises, and resilience when chaos hits. #IncidentResponse #CyberReadiness #TabletopExercises
-
5 questions I always ask before designing a cyber tabletop exercise.

The wrong questions can turn your TTX into a cookie-cutter session that feels like a waste of time. Here are the 5 I ask every client:

1. What is the purpose of this exercise?
- Is it to stress-test the incident response plan?
- Train new leaders in decision-making?
- Or maybe to educate the board on cyber risk?
The purpose shapes everything, from the scenario to how you facilitate.

2. What outcome do you want to achieve?
Some clients want clear lessons to improve their playbooks. Others want to measure how mature their teams really are. If you do not pin this down, the exercise risks becoming another “discussion meeting” instead of a tool for growth.

3. What is the current state of your plans?
- Is the incident response plan complete or still sitting in draft?
- Do people actually know the playbooks?
- Has the communication plan been tested with a real call-tree?
If you do not ask, you may end up spending two hours only to discover the plan was never updated.

4. Who is participating and why?
Not everyone needs to be in the room. A board-level TTX looks very different from a SOC-level one. If you mix both, you will end up with executives debating reputational risk while analysts want to walk through log analysis. Neither group leaves satisfied.

5. Are there sensitive topics to avoid?
Sometimes clients want to steer clear of scenarios that hit too close to home, like a recent breach or a vendor issue that is still ongoing. Knowing this early keeps the session on track and participants engaged.

These 5 questions sound simple, but they make the difference between a downloaded template and a tailored exercise that surfaces the tough truths your organization needs.

What is one question you never skip before designing a cyber exercise?
-
Have you done your tabletop this quarter?

I've been conducting more and more tabletops for clients as we get closer to the end of the year. And I wanted to talk about the difference between a Decision-Based and a Scenario-Based tabletop exercise. Both are great tools, but they serve different purposes.

If you’ve used the tabletop exercises from CISA or similar agencies, those are generally Scenario-Based. The full storyline is presented, and stakeholders discuss their processes and responses at each stage. It’s a good way to validate procedures, policies, and communication plans.

When I am working with a client, I like to use Decision-Based Tabletops, where the team receives only fragments of information as an “incident” unfolds. Stakeholders must decide what to do next: declare an incident, escalate, engage law enforcement, or contain the threat. At the end, the full technical summary is presented, and we see whether the choices made were effective in protecting people and the organization. This is more realistic to how incidents happen, and the closer you train to the real thing, the better your response when an IR happens. Decision-based exercises allow decision-making under pressure. They add additional stress to better simulate a real incident and keep participants engaged throughout the process.

Both styles can be valuable, but I feel “Scenario-Based” builds awareness and “Decision-Based” builds instincts.

Regardless of which style you use — decision-based or scenario-based — I encourage every organization to run 4–5 tabletop exercises each year. At least one should be a formal tabletop with an outside facilitator or cybersecurity firm, bringing together your full Incident Command Team (IT, HR, Legal, Insurance, Communications, and Leadership). These larger exercises help validate coordination at the executive level. Then, run 3–4 smaller tabletops internally — maybe during a staff meeting or within a specific department. These lighter sessions are great for walking through your policies, procedures, and playbooks in a low-pressure setting. The more your teams practice across different scenarios, the more confident, coordinated, and fast they’ll be when a real incident hits.

My instructor always said: "Practice doesn't make perfect... perfect practice makes perfect... If you don't train (or if you train incorrectly), then you are not building skills..."
-
Are you confident your SOC can handle a ransomware outbreak?

Tabletop exercises are a low-risk way to find and fix weaknesses before attackers exploit them. By walking through a realistic ransomware scenario—from the initial intrusion to full-blown file encryption—you’ll see exactly how your detection and response processes hold up when it matters most.

Here’s how to make your next tabletop ransomware-focused and highly technical:

1. Define the Attack Vector & Scope
- Start with a plausible infection method: phishing email, RDP brute force, or malicious software update.
- Decide which critical systems or segments of the network get compromised, forcing analysts to evaluate lateral movement paths.

2. Map Out Logging & Detection
- Outline the key data sources (SIEM, EDR, file integrity monitoring) and how they’d surface potential ransomware-related indicators.
- Have pre-built queries or correlation rules ready—simulate triage in Splunk, Elastic, or your chosen SIEM tool.

3. Simulate Ransomware Behavior
- Provide mock evidence of file encryption events, suspicious process behaviors (e.g., PowerShell scripts disabling security tools), or domain controller modifications.
- Make sure your team attempts to identify encryption keys, kill malicious processes, and isolate compromised endpoints.

4. Practice Containment & Recovery
- Force real decision-making around network segmentation, account lockouts, or system shutdowns.
- Discuss backup retrieval: Where are they stored, how quickly can they be restored, and are they truly offline?

5. Inject Twists & Extra Stress
- Announce new worm-like behavior or an unexpected second payload that threatens to exfiltrate sensitive data.
- See if your IR team can adjust blocking rules on firewalls, EDR policies, or generate custom detection signatures on the fly.

6. Debrief for Immediate Wins
- Identify which detections triggered quickly and which ones lagged or never fired.
- Assign action items: e.g., refine correlation rules, enable Sysmon event logging, or update offline backup policies.

Ransomware’s “smash-and-grab” style can cripple organizations within hours. By using a structured tabletop, your SOC and IR teams gain hands-on practice in a safe environment, learning to spot weaknesses and refine procedures. You’ll leave with a prioritized to-do list—before a real attacker finds those blind spots first.

Also, you can make it fun by gamifying the process. Tools like Backdoors & Breaches from Black Hills InfoSec are great for creating an engaging, hands-on learning environment that your team won’t dread. Check this link for more info about Backdoors & Breaches: https://lnkd.in/d-6giueK
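As an added example (not part of the post above, and not a Black Hills InfoSec tool), here is a small Python harness a facilitator can use for steps 2, 3 and 6: it feeds constructed mock SIEM/EDR events for the inject through two "pre-built" rules and reports which fired, so the debrief can compare what should have triggered against what the team actually noticed. The event schema, host names, paths and the tampering patterns are assumptions chosen for the exercise.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mock SIEM/EDR telemetry for the inject; hosts and paths are placeholders.
def ev(ts, host, kind, **fields):
    return {"ts": ts, "host": host, "type": kind, **fields}

MOCK_EVENTS = [
    ev("2024-05-01T08:58:30", "ws-017", "process",
       cmdline="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ev("2024-05-01T09:00:01", "ws-017", "file_rename", path=r"C:\Docs\q1.xlsx.locked"),
    ev("2024-05-01T09:00:02", "ws-017", "file_rename", path=r"C:\Docs\q2.xlsx.locked"),
    ev("2024-05-01T09:00:04", "ws-017", "file_rename", path=r"C:\Docs\plan.docx.locked"),
    ev("2024-05-01T09:00:09", "ws-017", "file_rename", path=r"C:\Docs\notes.txt.locked"),
    ev("2024-05-01T09:03:00", "ws-022", "file_rename", path=r"C:\Docs\report.docx.bak"),
]

# Command-line fragments that defence-tampering detections commonly key on (assumed list).
TAMPER_PATTERNS = ("DisableRealtimeMonitoring", "vssadmin delete shadows")

def detect_encryption_burst(events, threshold=4, window_s=60):
    """Flag (host, ext, count) when at least `threshold` renames to one new
    extension land on a host inside a sliding window of `window_s` seconds."""
    per_key = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            ext = e["path"].rsplit(".", 1)[-1].lower()
            per_key[(e["host"], ext)].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for (host, ext), times in per_key.items():
        times.sort()
        for i in range(len(times)):  # window anchored at each rename in turn
            j = i
            while j < len(times) and times[j] - times[i] <= timedelta(seconds=window_s):
                j += 1
            if j - i >= threshold:
                hits.append((host, ext, j - i))
                break
    return hits

def detect_defense_tampering(events):
    """Flag process events whose command line contains a known tampering fragment."""
    return [(e["host"], p) for e in events if e["type"] == "process"
            for p in TAMPER_PATTERNS if p.lower() in e["cmdline"].lower()]

def run_triage(events):
    """Report which pre-built rules fired; the debrief compares this with the SOC's notes."""
    return {"encryption_burst": detect_encryption_burst(events),
            "defense_tampering": detect_defense_tampering(events)}
```

Calling `run_triage(MOCK_EVENTS)` on the constructed inject shows both rules firing on ws-017 while the single benign rename on ws-022 stays silent; lowering `threshold` or widening `window_s` is how you tune the false-positive trade-off the debrief should discuss.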
-
A tabletop exercise isn’t just a checkbox. It’s your best chance to fail safely—and learn fast.

We help clients run TTXs that actually improve readiness, not just fill out compliance reports. Here are a few tips we always share:

1️⃣ Make It Real
Use scenarios based on actual threats to your industry and environment. Generic ransomware stories don’t cut it anymore.

2️⃣ Include Business Stakeholders
Security isn’t just an IT problem. Bring in legal, comms, ops, and leadership. If they’re not in the room, they won’t be ready when it counts.

3️⃣ Don’t Script the Outcome
Let the team make decisions in real time. The goal isn’t perfection—it’s pressure-testing your plan and surfacing gaps.

4️⃣ Capture Lessons, Not Just Actions
The best output isn’t a checklist—it’s insight. What broke? What surprised you? What needs to change?

5️⃣ Run It Regularly
Threats evolve. So should your response muscle. Quarterly is ideal. Annual is the bare minimum.

A good TTX builds confidence. A great one builds resilience.

📚 #MSPs, If you want some guidance facilitating #TTX for your #clients, check out the Guidebook I may or may not have authored for GTIA - Global Technology Industry Association. It is free to download on their website (it isn't even gated!).

#TabletopExercises #IncidentResponse #CyberResilience #SecurityLeadership #CISOInsights #ProactiveSecurity #MSPStrategy Erik Kyri
-
The output of a tabletop isn't a report. It's a short list of specific things to fix: a contact number to update, a protocol step that no one understood, a vendor relationship to establish before you need it, a shutoff location to map and label. The best property teams treat tabletops as a laboratory. The goal isn't to pass - it's to fail in a controlled environment where the cost is just a conversation, not a water loss claim. If you want to fully commit to the exercise, print out your floor plans and spread them on the table. Think of it as Dungeons & Dragons for property teams - your characters have experience levels and authority limits, and the challenges come from the building itself, the equipment, and the people inside it. Run one this week. Pick a scenario your team hasn't practiced. See what the exercise reveals to you. #CRE #EmergencyPreparedness #Tabletop