Facilitator's Guide: How to Run This
1. Set the Room
Block 90 minutes. No phones. Bring printed copies of your current Incident Response Plan.
2. Read the Start
Read the "Initial State" aloud. Ask: "Who is in charge? What is the first thing we do?"
3. Throw Injects
Every 15 minutes, introduce a complication ("Inject"). This forces the team to adapt.
Scenario 1: The Double Extortion
Focus: Decision making, payment, legal, communications.
🏁 Initial State (Minute 0)
"It is 9:00 AM on a Tuesday. The Help Desk reports that users cannot open files on the shared drive. They see a text file named 'README_DECRYPT.txt' in every folder. A few minutes later, the CFO calls: the accounting server is down."
Discussion: Who declares the incident? Do we shut down the internet? Who calls Legal?
💉 Inject 1 (Minute 20)
"The attacker sends an email to the CEO. They claim to have stolen 500GB of data, including employee SSNs and customer contracts. They demand $2M in Bitcoin within 48 hours or they will publish the data."
Discussion: Do we engage? Do we notify the FBI? Do we notify employees?
💉 Inject 2 (Minute 45)
"Brian Krebs (security journalist) calls the PR Director. He says he saw a sample of your data on the dark web and is publishing a story in 1 hour. He wants a comment."
Discussion: What is our public statement? Who approves it?
Scenario 2: The Disgruntled Admin
Focus: HR, technical controls, access revocation.
🏁 Initial State (Minute 0)
"HR notifies IT that a Senior System Administrator is being terminated for performance issues at 4:00 PM today. It is currently 2:00 PM."
Discussion: How do we time the access revocation? What accounts does he have?
💉 Inject 1 (Minute 20)
"At 3:30 PM, the admin calls in sick. He says he won't be in tomorrow either. He is currently logged into the VPN."
Discussion: Do we fire him over the phone? Do we kill his VPN session now?
💉 Inject 2 (Minute 45)
"Logs show he is currently downloading the entire 'Customer Database' backup to his personal Dropbox."
Discussion: This is now a data breach. How do we stop it? Legal implications?
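One way the Scenario 2 injects can be turned into a concrete detection, as an added example that is not part of the original guide: a small correlation that flags accounts on an HR offboarding watchlist which still hold an active VPN session or are pushing bulk data to personal cloud storage. The watchlist, the VPN and egress records, the storage domain list and the 1 GiB threshold are all constructed assumptions for illustration.

```python
"""Offboarding watchlist correlation (constructed example).

Flags accounts HR has scheduled for termination that still hold an active
VPN session or are moving bulk data to personal cloud storage. Every record
below is a constructed sample, not real log data.
"""
from collections import defaultdict

# Assumed: users HR has flagged for termination today.
OFFBOARDING_WATCHLIST = {"jdoe"}

# Assumed: personal cloud-storage destinations treated as exfil channels.
PERSONAL_STORAGE_DOMAINS = {"dropbox.com", "drive.google.com", "onedrive.live.com"}
BULK_THRESHOLD_BYTES = 1 * 1024**3  # 1 GiB aggregated per user (assumed)

# Constructed VPN concentrator records.
VPN_SESSIONS = [
    {"user": "jdoe", "state": "active", "src_ip": "198.51.100.23"},
    {"user": "asmith", "state": "closed", "src_ip": "203.0.113.9"},
]

# Constructed proxy/egress records: bytes uploaded per destination host.
EGRESS_LOGS = [
    {"user": "jdoe", "dest": "content.dropbox.com", "bytes_out": 900_000_000},
    {"user": "jdoe", "dest": "content.dropbox.com", "bytes_out": 400_000_000},
    {"user": "asmith", "dest": "drive.google.com", "bytes_out": 5_000_000},
    {"user": "jdoe", "dest": "intranet.corp.example", "bytes_out": 2_000_000_000},
]


def is_personal_storage(host):
    """True if host is a listed personal-storage domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in PERSONAL_STORAGE_DOMAINS)


def correlate(watchlist, vpn_sessions, egress_logs):
    """Return (finding_type, user, detail) tuples for watchlisted accounts."""
    findings = []
    # Finding 1: a watchlisted account still has a live remote session.
    for s in vpn_sessions:
        if s["user"] in watchlist and s["state"] == "active":
            findings.append(("active_vpn_session", s["user"], s["src_ip"]))
    # Finding 2: aggregate uploads to personal storage exceed the bulk threshold.
    uploads = defaultdict(int)
    for rec in egress_logs:
        if rec["user"] in watchlist and is_personal_storage(rec["dest"]):
            uploads[rec["user"]] += rec["bytes_out"]
    for user, total in uploads.items():
        if total >= BULK_THRESHOLD_BYTES:
            findings.append(("bulk_upload_personal_storage", user, total))
    return findings


if __name__ == "__main__":
    for finding in correlate(OFFBOARDING_WATCHLIST, VPN_SESSIONS, EGRESS_LOGS):
        print(finding)
```

Each finding maps to a containment action the team should already have rehearsed in the discussion: terminate the session at the concentrator and disable the account, then block the destination at the egress proxy.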
Want a Pro to Facilitate?
Self-run exercises are great, but an external facilitator brings unbiased scrutiny and industry benchmarks. Find firms that specialize in TTX facilitation.