
How Do I Run a Cyber Security Tabletop Exercise?

Quick Answer

A tabletop exercise walks your team through a simulated cyber incident in a discussion-based format. No technical testing—just people, scenarios, and decisions. It reveals gaps in plans, communication, and decision-making before a real incident does.


Why Tabletop Exercises Matter

Plans look great until tested.

Your incident response plan exists. But:

  • Does everyone know their role?
  • Do communication channels work?
  • Are decision-making authorities clear?
  • Can you actually execute under pressure?

Tabletop exercises answer these questions safely.

What a Tabletop Exercise Is

Format:

  • Key stakeholders in a room (or virtual)
  • Facilitator presents a scenario
  • Scenario unfolds in stages (injects)
  • Team discusses response at each stage
  • No technical systems involved

Duration: 2-4 hours typically

Participants: IT, security, leadership, legal, HR, comms, business units

Output: Identified gaps, action items, improved preparedness

Planning Your Exercise

1. Define objectives

What do you want to test?
  • Incident response plan
  • Communication procedures
  • Decision-making authority
  • Specific scenario type (ransomware, breach, etc.)
  • Cross-team coordination

2. Select the scenario

Common scenarios:
  • Ransomware attack
  • Data breach (customer data exposed)
  • Business email compromise
  • Insider threat
  • Supply chain compromise
  • Cloud service outage

Choose something realistic for your organisation.

3. Identify participants

Essential: Consider:
  • Business unit leaders
  • Finance
  • Customer service
  • External parties (if appropriate)

4. Design the scenario

Structure:
  • Initial detection (what triggered awareness)
  • Inject 1: More information emerges
  • Inject 2: Situation escalates
  • Inject 3: External pressure (media, regulators, customers)
  • Inject 4: Resolution decision point

Include realistic details:
  • Timing (Friday evening, holiday weekend)
  • Pressure points (big customer affected)
  • Ambiguity (incomplete information)
  • Complications (key person unavailable)

5. Prepare materials

  • Scenario document
  • Inject cards
  • Discussion questions
  • Reference materials (IR plan, contact lists)
  • Note-taking template

Running the Exercise

Ground rules

  • No blame—this is learning
  • Stay in role
  • Discuss what you would do, not what you should do
  • All questions are valid
  • Facilitator controls pace

Facilitation

Present scenario, then ask:
  • Who needs to be informed?
  • What's the first action?
  • Who makes that decision?
  • What information do we need?
  • What are we communicating externally?

Introduce injects:
  • "It's now 3 hours later. You've discovered..."
  • "A journalist just called asking about..."
  • "The attacker has made contact demanding..."

Observe and note:
  • Confusion about roles
  • Missing information
  • Communication gaps
  • Decision paralysis
  • Process failures

Keep it moving

Don't get stuck on technical details. The goal is process and decision-making, not technical accuracy.

After the Exercise

Debrief immediately

  • What worked well?
  • What surprised us?
  • Where did we struggle?
  • What would we do differently?

Document findings

  • Gaps identified
  • Process improvements needed
  • Training requirements
  • Plan updates required

Create action plan

  • Specific improvements
  • Assigned owners
  • Target dates
  • Follow-up review

Update plans

Actually improve your incident response plan based on what you learned.

Sample Ransomware Scenario

Initial situation: *Monday 7am. IT arrives to find helpdesk flooded with calls. Users can't access files. Desktop backgrounds have been replaced with ransom notes demanding 50 Bitcoin.*

Discussion: How do we confirm this is ransomware? Who do we tell? Do we isolate the network?

Inject 1: *Investigation reveals ransomware entered via phishing email last Thursday. Attackers have been in the network for 4 days. Backup server appears affected.*

Discussion: What's our recovery position? Do we engage with attackers? Who leads the response?

Inject 2: *Local news picks up the story. Customers are calling asking if their data is safe. Your insurance company needs to be notified within 24 hours.*

Discussion: What do we tell customers? Who handles media? Have we met notification obligations?

Inject 3: *Attackers threaten to publish stolen data in 48 hours if ransom not paid. Evidence suggests customer financial data was exfiltrated.*

Discussion: Do we pay? Who makes that call? What are our ICO obligations? How do we communicate with affected customers?

What We Offer

We design and facilitate tabletop exercises:

  • Customised scenarios for your industry
  • Experienced facilitation
  • Objective observation
  • Comprehensive findings report
  • Improvement recommendations

We also provide follow-up support to implement improvements.
