// Tabletop Exercises

Cyber Tabletop Exercises

Realistic crisis simulations designed by practitioners who've managed real incidents. Test your plan before you need it.

Written by Simon Lynge, Director DFIR — ChCSP, CREST IR | Last updated: March 2026

< 1 Hour Response Global DFIR Specialists 24/7 Support
Book a TabletopAll Services

All Services

IR Retainer Incident Response Digital Forensics Malware Analysis Ransomware Negotiations Dark Web Monitoring Dark Web Data Recovery Tabletop Exercises Security Assessments Threat Intelligence Cyber Insurance Support M&A Cyber Due Diligence Professional Speaking Expert Witness Services Breach Notification Support

The Plan That's Never Been Tested Is Not a Plan

Most organisations have an incident response plan. Few have tested it with the people who would execute it, under realistic pressure, against a scenario that reflects how threat actors operate today.

Our exercises are designed by practitioners who manage real incidents. The scenarios are drawn from the attacks we see in our casework, adapted to your sector, size, and risk profile.

Exercise Formats

Executive

Crisis Leadership

2–3 hours. C-suite and board focus. Decision-making under uncertainty, communications, and regulatory obligations. No technical deep-dives.

Technical

IR Team Exercise

Half-day. IT security and IR team focus. Technical containment decisions, forensic priorities, and recovery sequencing.

Full-Scale

Cross-Functional

Full day. All functions engaged: IT, legal, comms, HR, finance, operations. Tests end-to-end coordination across the organisation.

Scenario Library

  • Ransomware deployment with active negotiation pressure
  • Business email compromise with confirmed financial transfer
  • Supply chain compromise via third-party software update
  • Insider data exfiltration by a leaving employee
  • Dark web disclosure of sensitive data before internal detection
  • Cloud tenant compromise and M365 account takeover
  • Sector-specific scenarios (healthcare, financial services, legal, manufacturing)

What You Get

  • Pre-exercise briefing and scenario customisation
  • Facilitated exercise (remote or on-site)
  • Inject pack for internal reuse
  • Post-exercise hot debrief
  • Written findings report with prioritised gap analysis
  • Recommendations for IR plan improvements

Frequently Asked Questions

How long does a tabletop exercise take?

Executive exercises run 2–3 hours. Technical exercises typically half a day. Full cross-functional exercises are a full day. We scope this with you based on your objectives and the time your teams can commit.

Do you run exercises remotely?

Yes — video-facilitated exercises work well, especially for executive and technical formats. Full-scale cross-functional exercises benefit from being in-person but can be delivered remotely where needed.

Can you customise the scenario for our sector?

Yes — and we do this as standard. A healthcare exercise looks nothing like a financial services one. We build against your actual IR plan, your technologies, and sector-specific regulatory requirements.

What should we do to prepare?

Share your current IR plan, key contact lists, and any past incident experience. We do the rest. You don't need to prepare your team beyond confirming attendance — the exercise works better when participants haven't seen the scenario in advance.

Is this included in the IR retainer?

Annual tabletop exercises are included in Watchful and Vigilant retainer tiers. Guardian includes semi-annual exercises and a more customised scenario.

Ready to Test Your Incident Plan?

Exercises can be scheduled within 2–4 weeks. Contact us to scope yours.

Contact Us

Frequently Asked Questions

What scenarios do you offer for tabletop exercises?

We design custom scenarios based on your sector and risk profile. Common scenarios include: ransomware attack on critical systems, business email compromise targeting finance, data breach involving personal data, supply chain compromise, insider threat, and cloud infrastructure incident.

Who should participate in a tabletop exercise?

We recommend cross-functional participation: IT/security team, C-suite, legal, communications/PR, HR, operations and any other function with a role in incident response. Board-level exercises are also available and increasingly requested.

How long does a typical exercise take?

Standard tabletop exercises run 2-3 hours including debrief. Executive board exercises typically run 90 minutes. We can also deliver half-day or full-day exercises incorporating multiple inject scenarios for mature teams.

What do we get afterwards?

Every exercise includes a detailed written debrief covering: identified gaps in plans and procedures, communication breakdowns, decision-making bottlenecks, specific recommendations for improvement, and an updated action plan with owners and timelines.

Related Insights

🚨 Active Incident? Contact Us Now