Cybersecurity Tabletop Exercise: Complete Guide, Scenarios & Templates

For an uncomfortable number of organizations, it’s only when a crisis hits that leaders learn whether their incident response plan works. By then, it’s too late to, for example, plug the security gaps that led to a successful breach. In fact, more than 90% of breaches tracked by Palo Alto Networks in 2025 resulted from gaps that could have been filled, if only teams had known about them.

That’s where a cybersecurity tabletop exercise comes in. Cybersecurity tabletop exercises represent a low-cost, low-impact way to rehearse a company’s response to realistic threats, before those threats materialize.

This guide covers everything you need to run an effective cybersecurity tabletop exercise, including step-by-step instructions, sample scenarios, a template you can adapt to your own purposes, and a quick guide to additional resources.

What is a Tabletop Exercise in Cyber Security?

A tabletop exercise in cybersecurity is a discussion-based simulation in which participants respond to a hypothetical but realistic security scenario. Some practitioners have likened it to running a D&D campaign.

Participants don’t touch live systems. Instead, they gather in a facilitated session to walk through how they would respond if the scenario were real.

Tabletop exercises test human decision-making, communication, and, most of all, how well your documented plans hold up under pressure. They identify ownership gaps, where no one knows who should handle what during a crisis, and build teams’ familiarity with incident response to shorten response times and reduce confusion under stress.

Effective exercises include more than the IT and security teams. They also bring in executive leadership, communications staff, in-house legal counsel, and anyone else who has a role to play in a real incident.

Why Cybersecurity Tabletop Exercises Matter

The average cost of a data breach is $4.4 million, according to IBM’s latest estimate. For a smaller company with fewer resources to absorb the damage, the impact could represent an existential threat.

Tabletop cybersecurity exercises help organizations head off cyberattacks before they happen and cut down on panicked decision-making under pressure. Other benefits include faster incident response, thanks to rehearsed teams acting more efficiently and with greater confidence; stronger cross-departmental coordination; and up-to-date documentation, as exercises reveal which policies and contact lists are obsolete or incomplete.

From a cybersecurity compliance standpoint, regular tabletop exercises also help organizations align with government regulations. For companies in regulated industries, including financial services firms, healthcare companies, law firms, and life sciences companies, exercises may also satisfy regulatory compliance requirements for incident response planning and testing.

How to Conduct a Cybersecurity Tabletop Exercise (Step-by-Step)

Follow these steps to run a tabletop exercise in cybersecurity, whether it’s a focused 90-minute session or a full-day, multi-module exercise.

Step 1: Define Objectives and Scope

Before choosing a scenario to run an exercise against, get clear on what you hope to learn from cybersecurity tabletop exercises. Do you want to test your incident response plan as a whole? Evaluate how the communications team handles media inquiries about a breach? Get clear on whether your backup and recovery procedures really work?

Well-defined objectives keep the exercise from drifting into unfocused conversation. The scope of the exercise should also take into account which systems, teams, and business processes to put in play (and keep out of a given session).

Step 2: Choose a Scenario

The most effective scenarios remain grounded in threats that are realistic for your organization, given your industry, size, and the kinds of data you handle. For example, a ransomware scenario is highly relevant for almost any organization. But a healthcare organization might run a scenario involving patient data compromise, and a financial services firm might focus on fraudulent wire transfers.

Draw from your most recent cybersecurity assessment to align scenarios with your actual risk profile. Scenarios can be simple or layered with “injects,” i.e., new developments introduced mid-exercise to escalate the situation and test how participants adapt.

Step 3: Assign Roles

CISA defines four standard roles for tabletop exercises:

  • Players discuss their actual company responsibilities as they relate to the exercise scenario
  • Observers contribute to the discussion without leading it; they may include subject experts or business leaders
  • Facilitators narrate scenarios, guide discussion, and keep the exercise on track
  • Note-takers document what participants say, the decisions they make, and any security gaps revealed in the exercise

Step 4: Run the Exercise

The facilitator opens with the scenario overview and begins presenting injects in the form of timed updates that move the scenario forward and introduce complications. A well-paced exercise includes time for structured discussion after each inject, with the facilitator asking targeted questions that reference the organization’s actual incident response plan (IRP).

CISA recommends that participants think aloud during the exercise to surface hidden assumptions and keep the conversation moving. If key personnel are unavailable for a session, their absence can itself become a scenario element, testing how well a team responds when, for example, the CFO is unreachable.

You can use a shared electronic document to let everyone contribute observations as the exercise unfolds.

Step 5: Capture Insights and Gaps

During and immediately after the exercise, document what went well and what needs improvement. Did communication breakdowns occur between departments? Was the ownership of any decisions unclear at any point? Were contact lists out of date? Were any previously documented procedures left unpracticed?

Step 6: Improve and Update Plans

Update your incident response plan after each exercise as needed. Review relevant policies for any updates that should be escalated to management, and make sure all contact lists are still accurate. If training gaps emerged, for example, employees unable to recognize a phishing attempt or a communications team unfamiliar with breach notification policies, schedule new training before the next exercise.

In short, create a cycle of steady improvement over time instead of treating each exercise as a standalone event.

Cybersecurity Tabletop Exercise Scenarios and Examples

Use the following cybersecurity tabletop exercise scenarios as starting points, adapting them to your needs and taking into account your organization’s size, industry, and unique risk profile.

Ransomware Attack Scenario

Staffers get to their desks to find computers displaying a ransom message, with a clock ticking down. Employees can’t access critical files, and company operations have ground to a halt. Points for discussion should include how the incident is declared, who has the authority to make ransom payment decisions, backup procedures, and how responders communicate with employees, customers, and regulators during the outage.

Phishing and Business Email Compromise

The company’s bank calls to confirm a $50,000 wire transfer to an offshore vendor account. The problem is that no one in the accounting department authorized the transfer. Thankfully, another transfer, for $150,000, failed due to insufficient funds. It seems the company is the victim of a phishing attack that succeeded in compromising credentials. This scenario, drawn from CISA’s published exercise guidance, tests financial controls, fraud detection procedures, and internal (legal counsel) and external (law enforcement) escalation paths.

Malware Infection Scenario

In a scenario drawn from CIS, an employee uses a company device to process a file from a personal storage card. But the card carries an infection picked up from a personal computer infected with malware. Soon, the organization’s network begins exhibiting unusual behavior. Explore how the infection vector is identified, how to contain the spread, which devices and data are affected, and any policy or training gaps that contributed to the infection.

Insider Threat Scenario

An engineer with privileged access to cloud infrastructure is suspected of leaking company access credentials to an external party. And now, unusual activity has been detected on critical servers. This scenario tests detection of anomalous behavior by privileged users, off-boarding and access revocation processes, and procedures for investigating internal actors without tipping them off or creating legal exposure.

Cloud Security Breach

Security team members receive an alert of unauthorized access to cloud storage, likely due to misconfigured permissions. Sensitive customer data appears to have been exfiltrated. Discussion should include how your team determines the scope of access, coordination during incidents with cloud service providers, notification obligations, and incident communication with affected parties.

Combined Crisis Scenario

A flood triggers a state of emergency at your company’s location. Emergency operations are underway when a ransomware attack hits, knocking out IT systems. And staffers have to juggle two crises at once, with public communication channels maxed out. This scenario, modeled on CIS scenario guidance, tests integration of incident response and continuity of operations plans, whether teams can execute both sets of plans under compounded stress, the effectiveness of manual backup procedures for critical functions, and redundant channels for crisis communications.

Ready-to-Use Cybersecurity Tabletop Exercise Template

Use this cybersecurity tabletop exercise template to organize tabletop exercises.

| Section | Example (Ransomware Scenario) |
| --- | --- |
| Exercise Title | Ransomware Response Tabletop Exercise – Q4 2026 |
| Objective | Test the organization’s ability to declare an incident, activate the IRP, coordinate communications, and make ransom payment decisions |
| Scenario Overview | Ransomware has encrypted files across multiple departments. A ransom demand appears on screens across the company. Operations are halted. A 48-hour countdown has begun. |
| Roles and Participants | Players in the room: IT lead, CFO, legal counsel, communications director, HR manager. Facilitator: External security consultant. Note-taker: IT manager. |
| Timeline / Injects | T+0: Ransomware message appears. T+15 min: IT determines backups may be affected. T+5 hours: A reporter calls for comment. T+6 hours: Law enforcement requests additional information. |
| Key Discussion Questions | Who declares the incident? Does your IRP include ransomware-specific procedures? Who approves or denies a ransom payment? How do you communicate with customers? Is your backup process documented and tested? |
| Success Criteria | Participants correctly identify the incident manager, reference the IRP, outline a communication plan, and identify at least two gaps to address in follow-up |
| Post-Exercise Actions | Document gaps, update IRP and contact lists, assign owners for remediation tasks, and schedule a follow-up exercise within 90 days |

Common Mistakes to Avoid in Tabletop Exercises

Beware of common pitfalls that can reduce the effectiveness of cybersecurity tabletop exercises.

Not referring to the company’s incident response plan during exercises greatly increases the likelihood of missteps as participants improvise where they should be on script. Keep hard copies handy or give everyone access to an electronic version.

Outdated contact lists can derail even the most detailed response plans; if you can’t reach responsible parties, you can’t effectively respond to a crisis. Review lists regularly and update them after personnel changes.

Not designating an incident manager (IM) can also throw off exercises as participants look to someone else for overall coordination or try to juggle technical response obligations with management chores. A dedicated IM keeps the big picture in mind and everyone on the same page.

Leaving out key stakeholders renders the exercise incomplete, as only some functions get put to the test. Don’t forget to include business leaders, the communications team, the legal department, and anyone else who might be affected by a crisis, in addition to IT and security personnel.

Speaking of leaving people out, don’t forget about the role of outside parties in a crisis, including law enforcement and the media. Even though they won’t typically participate in exercises, you should know how and when they will get involved during and after an incident.

Finally, not implementing lessons learned defeats the purpose of tabletop exercises, which represent the ideal opportunity to catch and correct mistakes before they have real-world consequences.

Best Practices for Effective Tabletop Exercises

Here’s how to keep a cybersecurity tabletop exercise on track.

First, keep it realistic and relevant to actual threats your company might face. Select scenarios to run that reflect your past experiences or incidents common to your industry.

Encourage participation from everyone in the room. Some participants may not feel comfortable speaking up but may nevertheless have valuable insights to contribute. Don’t leave them out by forgetting to ask for their input.

Use progressive complexity, introducing injects that escalate the scenario realistically, to increase pressure and reveal any gaps in your incident response plan. Document everything that happens, with a view toward filling those gaps in your planning. To that end, foster a low-pressure, learning-focused setting that encourages everyone to contribute to improvements.

To close the loop on lessons learned and fixes applied, as well as to keep up with the changing threat environment and company and personnel changes, run exercises regularly.

Cybersecurity Tabletop Exercise Services and Tools

Considering whether to run tabletop exercises internally or bring in outside expertise to facilitate them?

Consider a qualified external provider to run a cyber incident tabletop exercise when compliance requirements call for independent facilitation or third-party assessment, internal teams lack the expertise to design and facilitate an effective exercise, or leadership asks for an objective assessment rather than a self-evaluated one.

Also consider bringing in outside experts if your company is new to cybersecurity tabletop exercises and could benefit from a model to build on.

Services provided by outside experts typically include:

  • Facilitation, to foster objectivity and effective discussion management
  • Red team and tabletop hybrids, combining live attack simulations with tabletop exercises to provide technical as well as procedural insights
  • Compliance-driven exercises geared to regulatory requirements, with documentation tailored to auditor expectations

Xantrion works with organizations as a trusted MSSP and IT consulting partner to design and facilitate tabletop exercises that reflect real-world threat scenarios and align with the compliance requirements of accounting firms, healthcare companies, financial services firms, and other companies.

Free Cybersecurity Tabletop Exercise Resources

CISA Tabletop Exercise Packages cover a range of scenarios and sectors, including financial services, healthcare, information technology, and ransomware-specific scenarios. Each package includes scenario injects, discussion questions, appendices with case studies, and guidance for facilitators.

CIS tabletop exercises take just 15 minutes to walk through, making them practical for time-constrained teams.

Don’t forget your own documentation as a resource. Internal documentation templates can help your organization grow a library of adapted scenarios and completed templates from previous exercises to build institutional knowledge over time. The most effective exercises reference your actual systems, real vendor relationships, and the specific compliance frameworks that govern your industry.

FAQs About Cybersecurity Tabletop Exercises

How often should you run tabletop exercises?

For best results, conduct at least one comprehensive cybersecurity tabletop exercise a year. Organizations in regulated industries, for example, healthcare and financial services, may benefit from running exercises quarterly to keep up with evolving regulations. Any organization can benefit from tabletop exercises after a significant security incident, system upgrades, or leadership transitions.

Who should participate?

Participants should represent every function involved in a real incident response, not just IT and cybersecurity teams. That includes executive leadership, legal counsel, communications staff, HR representatives, and operations leads.

How long should a tabletop exercise last?

Exercises can run as short as 15 to 30 minutes, making them practical even for a regular staff meeting. A comprehensive exercise covering multiple injects and departments typically takes two to four hours. Multi-module exercises drawn from CISA’s framework allocate roughly three hours of discussion time, including an opening briefing and a closing review session.

Are tabletop exercises required for compliance?

In many regulated industries, yes. HIPAA requires covered entities to test and revise their incident response plans regularly. PCI DSS also includes requirements for incident response exercises. Even when not strictly mandated, tabletop exercises are increasingly expected by regulators, auditors, and cyber insurance underwriters. A cybersecurity audit can assess whether your organization has an effective exercise program.

What is the difference between a tabletop exercise and a simulation?

A tabletop exercise is discussion-based. Participants talk through how they would respond to a scenario without triggering actual systems or actions. On the other hand, a live simulation involves some form of real action, for example, activating backup systems, testing communication trees, or conducting a technical response drill. Red team exercises go further still, involving actual attack attempts.

Turning Exercises Into Real-World Readiness

Organizations that run exercises regularly, take findings seriously, and close the loop on lessons learned build something more valuable than any single security tool: teams that know how to respond appropriately when it matters.

Every exercise produces insights. Every gap identified in an exercise is one you do not have to discover during a real incident. Every updated contact list, refined escalation path, and clarified ownership decision is an investment in resilience that compounds over time.

If your organization has not run a tabletop exercise recently (or has never run one), now is the time to start. Xantrion is here to help with expert guidance in designing an exercise that reflects your specific environment and compliance obligations. Contact us to assess your readiness and plan your first exercise.
