A tabletop exercise is one of the highest-return preparedness investments an organisation can make. It costs a half day of senior leadership time. It reveals gaps in your incident response plan, communication protocols, and decision-making processes that might otherwise only become visible during a real incident — at enormous cost.
Done well, a tabletop exercise surfaces actionable findings that improve your response capability. Done poorly, it is a box-ticking exercise that produces a report nobody reads. This guide covers how to run one that matters.
What a Tabletop Exercise Is — and Is Not
A tabletop exercise is a facilitated discussion of how your organisation would respond to a hypothetical cyber incident. Participants talk through their actions, decisions, and communications in response to an evolving scenario. No systems are actually attacked; no real actions are taken.
It is not a penetration test. It is not a technical drill. It is a leadership and process exercise designed to test your incident response plan, identify gaps in decision-making authority, and expose assumptions that have never been validated.
The distinction matters because the participants are not primarily technical staff. They should include legal, communications, finance, and executive leadership, because those are the people who make the consequential decisions during a real incident: whether to take systems offline, whether to pay, whom to notify and when.
Who Needs to Be in the Room
This is where most tabletop exercises fail. Security teams run them within the IT function, with no business representation, and produce findings that have no visibility above CISO level. The exercise tests technical response but does not test the decisions that actually determine outcomes.
A useful tabletop requires:
- Executive sponsor / CEO or COO: Decision authority for ransom payment, regulatory notification, public communications
- Legal counsel: In-house or external; regulatory notification obligations, legal hold requirements, litigation risk
- Head of Communications / PR: Customer notification strategy, media response, social media management
- CFO or Finance Director: Ransom payment authorisation, business interruption assessment, insurance liaison
- CISO or Head of IT Security: Technical decision-making, containment strategy
- IT Operations Lead: Practical execution of containment and recovery actions
- HR: Employee communication, insider threat scenarios
- Insurance broker or cyber insurer representative: Optional but valuable — surfaces policy-relevant decision points
If key stakeholders cannot attend, the exercise produces gaps you will hit during a real incident. Push for attendance, or reschedule.
Scenario Selection: What to Test
Scenario 1: Ransomware with Data Exfiltration
The most common scenario and the most useful starting point. Key decision points:
- How is the incident detected and by whom?
- What is the escalation path and how long does it take?
- Who authorises containment actions that affect business operations?
- When and how is the cyber insurer notified?
- When is legal counsel engaged?
- What is the decision process for ransom payment?
- When are customers and regulators notified?
- Who communicates publicly and with what message?
Scenario 2: Business Email Compromise
An executive's email account is compromised. Finance receives a request, apparently from the CEO, to transfer funds to a new supplier account. The transfer is processed. Days later, IT discovers that an attacker has had access to the mailbox for six weeks. Tests: internal fraud detection, payment authorisation controls (out-of-band verification of bank detail changes, dual approval of new payees), incident classification (is this a cyber incident, a fraud, or both?), scoping of what else the attacker read, sent or forwarded during those six weeks and therefore what may need to be disclosed, and insurance coverage assessment.
Scenario 3: Supply Chain Compromise
A trusted software vendor notifies you that their platform has been compromised and a malicious update was distributed to customers. You need to determine: which systems have the software installed (in practice, a test of whether your asset inventory is accurate and current), whether attacker activity has been detected on those systems, how to isolate affected systems without stopping business operations, and how to manage vendor communications and your own disclosure obligations.
Scenario 4: Insider Threat
A departing senior employee is suspected of exfiltrating customer data before leaving. Tests: HR and legal coordination, digital forensics evidence preservation, employee investigation protocols, employment law constraints, customer notification assessment, and the organisation's ability to conduct an internal investigation without contaminating evidence.
Scenario 5: OT/ICS Incident (Manufacturing or Utilities)
For organisations with operational technology — manufacturing equipment, building management systems, SCADA — a scenario where OT systems are affected by a cyber incident. Tests: OT/IT coordination, physical safety decision-making, regulatory notification to sector regulators, and recovery prioritisation where restoring IT may conflict with restoring production.
How to Structure the Exercise
Pre-Exercise Preparation
Circulate a scenario brief in advance — not the full scenario, but context about the type of incident being simulated and the format. Ask participants to review your incident response plan beforehand. Have a facilitator who is not a participant.
The Exercise (3–4 Hours)
The facilitator presents the scenario in phases, with each phase revealing new information. Participants discuss what they would do, who would do it, and when. The facilitator probes decisions: "Who has authority to approve this?" "What does your insurance policy say about this?" "How would you communicate this to customers?" "What does GDPR require at this point?"
Good facilitation surfaces disagreement. Participants often have different assumptions about who is responsible for what. Surface those disagreements during the exercise, not during a real incident.
Hot Wash (30–60 Minutes)
Immediately after the scenario, discuss key findings while they are fresh. What surprised participants? Where were the gaps? What decisions took longest? What information was missing?
Turning Findings into Action
The value of a tabletop is not in the exercise itself — it is in what changes as a result. Common findings and their remediation:
- Escalation path unclear: Document who is notified when, with contact details, and test the notification process separately. Include out-of-band contact methods, because corporate email and chat may be unavailable or untrusted during the incident.
- Decision authority ambiguous: Pre-agree who can authorise containment actions, ransom payment, public disclosure, and name deputies for each, because the primary decision-maker may be unreachable. Document it before you need it.
- Insurance process unknown: Obtain the insurer's emergency contact details and notification requirements and incorporate them into the IR plan. Policies often require notification before external responders are engaged or a ransom is paid, and may restrict which firms can be used, so these conditions need to be known in advance.
- Communication templates absent: Draft customer notification templates, board update templates, and regulator notification templates in advance
- Legal hold process unclear: Agree with legal counsel what evidence preservation obligations arise and how they are actioned
- Regulatory obligations misunderstood: Clarify GDPR notification timelines (notifiable personal data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware), sector regulator requirements, and who is responsible for each
Assign owners and deadlines to each finding. Review progress at the next board or senior leadership meeting. If findings are not actioned, the exercise delivered no value.
How Often to Run Tabletops
Annually as a minimum for the full senior leadership group. Additional exercises at a technical level (IR team, IT operations) can be run more frequently and with less overhead. After any significant incident — your own or a high-profile industry incident — a focused exercise to test your response to that scenario is worthwhile.
Binary Response facilitates tabletop exercises for organisations across multiple sectors, drawing on active incident response experience to make scenarios realistic and findings actionable. Contact us at enquiries@binary-response.com to discuss an exercise tailored to your organisation's risk profile.