If a major ransomware attack hit your organization tomorrow, would your team know what to do? Not just the IT group, but your legal counsel, HR, executive leadership, and communications team? A tabletop exercise is your dress rehearsal. Done right, it surfaces cracks in your defenses before a real incident does. Done wrong, it turns into a disjointed meeting with little takeaway and no clear next steps.
At Breach Point, we’ve helped dozens of companies run tabletop exercises that go beyond the PowerPoint and deliver real readiness. Here are a few simple steps to make your next tabletop exercise a success.
What Is a Tabletop Exercise?
A tabletop exercise (TTX) is a simulated cyber incident that brings key stakeholders together to walk through their response. It’s discussion-based; there is no actual attack happening. Instead, participants talk through their decisions and actions as if the scenario were real.
The goal isn’t to “win” or test people. It’s to understand how your plan holds up, how your people work together, and what needs to improve. Think of it as structured role-play designed to expose friction, confusion, and gaps in your incident response.
Step 1: Set Clear Objectives
Start by defining what you want to get out of the exercise. This helps guide the scenario and ensures you get value from everyone’s time. A great
Some example objectives:
- Validate roles and responsibilities during a ransomware event
- Practice internal communications under pressure
- Test decision-making speed when sensitive data is leaked
- Uncover gaps in legal or regulatory response workflows
Try to pick no more than three objectives. Trying to do too much often results in poor outcomes.

Step 2: Choose the Right Scenario
The scenario is the heartbeat of your exercise. It should feel realistic, relevant, and just stressful enough to prompt real discussion.
Here are three example templates to get you started:
Scenario 1: Phishing Attack on Executives
A targeted phishing email successfully compromises a salesperson’s inbox. Sensitive financial files are accessed. A fraudulent wire transfer is initiated. Attackers pivot to target the CFO and VP of Sales.
This scenario tests:
- Email detection and response workflows
- Sales team awareness and training
- Escalation paths and approval processes for wire transfers
Scenario 2: Ransomware Outbreak in the Cloud
An employee unknowingly syncs an infected file to your shared cloud drive. Ransomware encrypts hundreds of shared documents. A ransom demand appears. Cloud access is frozen.
This scenario tests:
- Data backup strategy and restoration time
- Coordination between IT and cloud vendors
- Legal review of ransom payment and communications
Scenario 3: Insider Leak of Customer Data
A disgruntled employee downloads customer records before quitting. Two weeks later, a journalist contacts your PR team about a leak. The data is authentic. The story is going live in 12 hours.
This scenario tests:
- Insider threat detection and prevention
- Legal and PR crisis coordination
- Customer breach notification procedures
You don’t need to write a movie script. Two to three paragraphs of setup and a timeline of events are enough. Make sure the scenario evolves. A static situation gets stale fast.

Step 3: Pick Your Players
Include participants from across departments, not just IT. Cybersecurity is a team sport. A strong tabletop involves:
- Security and IT leads
- Legal and compliance
- Communications and PR
- HR (for insider or employee issues)
- Executive leadership
- Facilitator
- Note Taker
Assign a facilitator to guide the exercise and keep discussion on track. Someone from outside the response team is ideal. Breach Point often facilitates for clients to keep the process impartial and moving. Perhaps the most important participant of all is a dedicated note taker. Note taking is crucial to ensure responses are captured and can be leveraged for the after-action report.
Step 4: Build the Timeline and Injects
The timeline simulates how the incident unfolds over time. You can deliver it in real time or in chunks, depending on your time limit. Include key injects, which are new pieces of information that shift the scenario or introduce tension. For example:
- “An employee posts about the attack on LinkedIn”
- “The ransom deadline is moved up by 12 hours”
- “An executive requests a call in 30 minutes”
Injects create decision points and force players to adapt. They are where most of the learning happens.
Step 5: Keep the Conversation Real
During the exercise, let the team talk it out. Don’t focus on theoretical best practices. Instead, stick to what your organization would actually do, not what it should do.
Use simple prompts to keep discussion flowing:
- Who owns this action?
- What happens next?
- Who needs to be informed?
- What tools or data do you need?
Make space for disagreement. It often reveals hidden assumptions or conflicting priorities that need to be resolved.
Step 6: Capture Lessons and Follow Through
The tabletop is only as valuable as what happens after. Take notes throughout. Immediately after the session, debrief with participants. Ask open-ended questions like what worked well, what surprised you, and what is one thing that you would change next time. From there, build an after-action report. Prioritize the gaps and assign clear owners. Treat this like any other critical project. No follow-up means no improvement.
Common Mistakes to Avoid
- Trying to “stump” participants. This isn’t a game of gotcha.
- Using a scenario that’s too far-fetched or irrelevant.
- Letting one person dominate the discussion.
- Skipping the debrief and action plan.
Final Thoughts
A well-run tabletop exercise is one of the most cost-effective ways to harden your defenses. It turns policies into muscle memory and people into a cohesive response team. Whether you’re preparing for a phishing campaign, a ransomware hit, or an insider breach, the key is realism, focus, and follow-through.
If you need help planning or facilitating your next tabletop, Breach Point is ready. We bring the expertise, structure, and perspective to make your exercise count.





