Your Complete Guide to a Successful Cyber Attack Tabletop Exercise


If you read our monthly cyber attack updates, you’ll know that cyber crime is everywhere. Cyber attacks and ransomware attacks are becoming increasingly sophisticated, and nobody knows how to stop them altogether. What we can do is fortify our defences with the greatest agility and precision. One of the most important tools in cybersecurity preparedness is the Cyber Security Tabletop Exercise.

Tabletop exercises are simulated, discussion-based sessions that test your organization’s readiness to respond to cyber threats. They’re essential for identifying gaps in your incident response plan before a real attack occurs.

This guide walks you through every step to plan, run, and evaluate a cyber attack tabletop exercise.


🧩 1. What Is a Cyber Attack Tabletop Exercise?

A tabletop exercise is a non-technical, scenario-based simulation designed to:

  • Practice how teams respond to a cyber incident
  • Test communication channels and escalation protocols
  • Identify weaknesses in current policies and incident response plans
  • Strengthen coordination between IT, legal, PR, HR, and leadership teams

🧠 2. Define Your Objectives

Start with clear goals:

  • Test the incident response playbook
  • Evaluate communication effectiveness
  • Review decision-making under pressure
  • Improve cross-department collaboration

Example Objectives:

  • How quickly can the team detect and contain a ransomware attack?
  • How will legal and PR teams manage regulatory disclosures and media?
  • What’s the chain of command for breach notification?

🔑 3. Choose a Realistic Scenario

Pick a scenario that reflects your industry’s risks:

| Scenario Type | Description |
|---|---|
| Ransomware Attack | Hackers encrypt critical systems and demand ransom |
| Phishing Breach | Employee clicks a malicious email link |
| Insider Threat | Disgruntled employee leaks sensitive data |
| DDoS Attack | Website goes offline from a massive traffic surge |
| Supply Chain Attack | A vendor’s compromise affects your environment |

Customize the scenario based on your environment, tech stack, and threat intelligence.


🏗️ 4. Plan the Exercise Structure

Participants:

  • IT Security
  • Legal & Compliance
  • HR
  • PR/Comms
  • Executive Leadership
  • Third-party vendors (optional)

Roles:

  • Facilitator: Guides the session and presents the scenario
  • Observer(s): Notes decisions, actions, and pain points
  • Players: Respond as they would in a real incident

📅 5. Build the Timeline and Injects

Create a playbook that rolls out the scenario in real time or accelerated time, using injects (new details or events) to push decision-making.

Example Injects:

  • “You receive a report that multiple users are locked out of email.”
  • “A known ransomware note appears on all desktops.”
  • “A journalist emails asking for comment on a data breach.”

This keeps the exercise dynamic and tests adaptability.


📢 6. Test Communication and Escalation

Evaluate:

  • How and when is the incident escalated?
  • Is legal looped in for compliance?
  • Who approves external communications?
  • Are backups and response tools accessible?

Consider simulating communication failures (e.g., email is down) to test backup channels like Slack or phones.


📋 7. Conduct the Exercise

During the session:

  • Walk participants through the scenario
  • Encourage open discussion, decision-making, and debate
  • Pause after key decisions to ask: “What would you do next?”
  • Keep time realistic, but flexible

Record everything. Take notes on what went well and what didn’t.


8. Debrief and Evaluate

Right after the exercise:

  • Conduct a hotwash (a quick feedback session)
  • Document lessons learned
  • Review what was missed, misunderstood, or delayed

Questions to ask:

  • Were roles and responsibilities clear?
  • Did escalation and notification happen fast enough?
  • Were legal and compliance teams involved appropriately?
  • Did tech and comms teams coordinate well?

🧭 9. Update Your Incident Response Plan

This is the most important step. Take the findings and:

  • Update roles, contact lists, and procedures
  • Close gaps in your tech stack or tooling
  • Schedule training for teams that need it
  • Plan follow-up exercises (e.g., a red team engagement)

🔄 10. Repeat Regularly

Cyber threats evolve constantly. Make tabletop exercises a regular practice:

  • Run them quarterly or biannually
  • Include new employees, departments, or vendors
  • Add scenario complexity over time (e.g., multi-vector attacks)

Author: Mrityunjay Singh
