Secure 0118 359 2220 Get Started

Press ESC to close or Enter to search

Popular Pages
Managed IT Cyber Security Case Studies Pricing Contact
Home
About Us
Services
Managed IT Services Cyber Security & Compliance Microsoft 365 Cloud & Hosting Backup & Disaster Recovery Connectivity & Telephony Incident Response & 24/7 IT Support Reading
Pricing
Tools
Domain Health Check About You Password Generator
Resources
Case Studies Threat Intelligence Blog & Insights Guides FAQs Customer Portal Remote Support
Contact
Get Started
Live Security Feed
Your IPDetecting...
NCSCUK organisations urged to strengthen cyber defences ALERTPhishing attacks targeting Microsoft 365 users on the rise CISACritical vulnerabilities identified in popular software NEWSRansomware groups increasingly targeting SME businesses NCSCNew guidance released for securing remote workers ALERTBusiness email compromise attacks cost UK firms millions CISAZero-day exploits require immediate patching attention NEWSAI-powered threats becoming more sophisticated in 2025 NCSCUK organisations urged to strengthen cyber defences ALERTPhishing attacks targeting Microsoft 365 users on the rise CISACritical vulnerabilities identified in popular software NEWSRansomware groups increasingly targeting SME businesses NCSCNew guidance released for securing remote workers ALERTBusiness email compromise attacks cost UK firms millions CISAZero-day exploits require immediate patching attention NEWSAI-powered threats becoming more sophisticated in 2025
View Dashboard
Incident Response

What Is a Cyber Security Tabletop Exercise?

Quick Answer

A tabletop exercise is a discussion-based simulation where your team walks through a cyber incident scenario. No actual systems are affected—you're testing your people, processes, and plans, not your technology. It reveals gaps in preparedness before a real incident exploits them.

Quick answer: A tabletop exercise is a discussion-based simulation where your team walks through a cyber incident scenario. No actual systems are affected—you're testing your people, processes, and plans, not your technology. It reveals gaps in preparedness before a real incident exploits them.

How It Works

Format: Meeting-style discussion (90 minutes to half day)

Participants: Key stakeholders—IT, security, leadership, legal, communications, HR, business units

Scenario: Realistic incident presented in stages (e.g., ransomware, data breach, insider threat)

Facilitation: Guide discussions, inject new developments, challenge assumptions

Output: Identified gaps, action items, improved plans

Why Tabletops Matter

Plans look good on paper: Your incident response plan exists. But does anyone know what's in it? Will it work under pressure?

Real incidents are stressful: Decision-making degrades under stress. Tabletops build muscle memory before you need it.

Gaps hide in theory: "We'll contact legal" sounds simple. Who's the contact? What's the number? What if they're unavailable? Tabletops surface these gaps.

Teams don't know each other: Incident response involves people who rarely work together. Tabletops build relationships and understanding.

Leadership needs involvement: Executives often don't engage with security details until crisis hits. Tabletops get them engaged safely.

Sample Scenario Flow

Phase 1: Initial Detection

*"Monday 9am. IT receives alerts that several employees can't access files. Antivirus detects ransomware on one machine. The helpdesk is getting calls."*

Discussion:

  • How did we detect this?
  • Who's responsible for initial triage?
  • What's our immediate containment process?
  • Who needs to be notified internally?

Phase 2: Escalation

*"By 10am, it's clear this is widespread. Encrypted files appearing on servers. Ransom note demanding £500,000 in Bitcoin."*

Discussion:

  • Do we have an incident commander?
  • What's our communication protocol?
  • When do we contact legal and insurance?
  • Are we isolating affected systems?
  • What about customers expecting deliveries today?

Phase 3: External Dimensions

*"A journalist calls asking about 'the attack on your company.' Customers are posting on social media that your portal is down."*

Discussion:

  • Who handles media enquiries?
  • What's our external communication strategy?
  • Do we have holding statements ready?
  • Are we required to notify regulators?

Phase 4: Decision Point

*"Forensics suggest attackers had access for weeks. Customer data may be affected. The attacker offers the decryption key for £500,000."*

Discussion:

  • Do we pay? Who decides?
  • What's our backup status?
  • What's the regulatory notification timeline?
  • How do we notify affected customers?
  • What's our recovery plan?

What Tabletops Reveal

Common findings:

  • "We don't have current contact details for key people"
  • "Nobody knew who was responsible for that decision"
  • "Our backup restoration was never tested"
  • "Legal's involvement wasn't clear"
  • "We hadn't considered communication with customers"
  • "The plan was outdated and didn't match current systems"
Better to find these in an exercise than an incident.

Running Effective Exercises

Preparation

  • Define objectives (what are you testing?)
  • Choose realistic scenario
  • Identify participants
  • Brief facilitators
  • Prepare scenario materials

During

  • Set safe environment (no blame)
  • Present scenario in phases
  • Probe with questions, don't lecture
  • Let discussion flow naturally
  • Note gaps and disagreements
  • Keep to time

After

  • Debrief findings immediately
  • Document gaps and actions
  • Assign remediation owners
  • Set timelines
  • Schedule follow-up exercise

Types of Exercises

Orientation exercise: Introduction for teams new to incident response. Walkthrough of plan and roles.

Tabletop exercise: Discussion-based, scenario-driven. Tests decision-making and coordination.

Functional exercise: More active. People perform actual tasks (without live systems).

Full-scale exercise: Live simulation with actual systems (test environment). Maximum realism.

Start with tabletops. Progress to more complex exercises as maturity increases.

What We Provide

  • Scenario development tailored to your industry and risks
  • Facilitation by experienced incident responders
  • After-action reports documenting findings
  • Remediation support to close identified gaps
  • Ongoing exercises as part of vCISO or managed services
Your incident response plan isn't ready until it's been tested. Tabletops are how you test it safely.

---

about tabletop exercises.

---

Related Questions