# Tabletop Exercises
A tabletop exercise (TTX) is a discussion-based exercise where participants walk through a simulated cybersecurity scenario, verbally describing their response actions, decisions, and communications at each stage of the incident. No systems are touched. No recovery is executed. No emails are sent. The exercise occurs entirely in conversation, guided by a facilitator who presents the scenario in stages (called "injects") and asks participants to describe what they would do.
Tabletop exercises are the most accessible, lowest-cost, and highest-return security exercise available. A 3-hour TTX consistently reveals gaps in incident response plans, communication procedures, decision authority, and organizational coordination that no document review can identify. The gaps are revealed because the exercise forces participants to think through their response in sequence, under the pressure of a realistic scenario, with their peers observing.
The military has used tabletop exercises (called "war games" or "sand table exercises") for centuries to test operational plans before committing forces. The cybersecurity application is identical: test the plan before the incident forces you to execute it under real pressure. A plan that fails during a TTX can be fixed. A plan that fails during a real ransomware event cannot.
A tabletop exercise follows a standard structure:
Pre-exercise preparation. The facilitator designs the scenario based on the organization's threat profile, selects participants based on the exercise objectives, prepares injects (scenario developments presented at intervals), and develops discussion questions for each inject. Participants receive a briefing on the exercise format, ground rules, and objectives. They do not receive the scenario details in advance (the exercise should test their response to the unexpected, not their preparation for a known scenario).
Scenario introduction. The facilitator presents the initial scenario: "At 7:42 AM on a Tuesday, the SOC receives an alert indicating ransomware encryption activity on three file servers in the finance department. Initial investigation confirms that the encryption is active and spreading. The SOC escalates to the incident commander." The scenario is specific enough to be realistic (named systems, specific timing, believable details) and relevant to the organization's actual environment.
Inject progression. The facilitator introduces new scenario developments at intervals (typically every 15 to 30 minutes), escalating the situation and introducing complications:
Inject 1: "The ransomware has encrypted 40% of the finance file server data. The SOC identifies lateral movement to two additional servers in the HR department. The attacker has been in the environment for at least 72 hours based on log analysis." Discussion: what containment actions do you take? Who do you notify internally?
Inject 2: "Forensic analysis reveals that the attacker exfiltrated 15 GB of data before encrypting. The data includes employee PII and customer financial records. The ransom note demands $2 million in Bitcoin." Discussion: does the exfiltration change your response? Who makes the ransom decision? What notification obligations are triggered?
Inject 3: "A journalist from a national publication contacts your communications team asking about a 'data breach at [your organization].' An employee posted about the incident on social media." Discussion: how do you respond to media inquiries? How do you manage internal communication? Who authorizes public statements?
Inject 4: "Day 3. Systems are restored from backup, but the forensic team identifies that the backup from 48 hours ago may also contain the attacker's persistence mechanism. Your cyber insurance carrier's IR firm recommends rebuilding from clean images, adding 5 days to the recovery timeline." Discussion: do you accept the extended timeline? How do you communicate the delay to customers and partners? What is the business impact?
Each inject introduces a decision point that tests a different aspect of the response plan: technical response, executive decision-making, communication, legal/regulatory, insurance activation, and recovery.
Discussion and debrief. After the final inject, the facilitator leads a structured debrief: what went well? What did not go well? Where did we have confusion about roles or authority? Where did the plan not match what we actually did? What needs to change?
The debrief is the most valuable part of the exercise. It converts the experience into actionable improvement. A debrief that produces five specific action items (update the communication plan to include social media, clarify who authorizes ransom decisions, add the insurance carrier to the initial notification list, test backup integrity for the finance servers, and conduct DMARC verification for the email domain) is a debrief that improved the organization's readiness.
Tabletop exercises are scoped to the plan they are meant to test, and several types are in common use. Incident response TTX. Tests the IR plan: detection, containment, eradication, recovery, and lessons learned. Participants include the SOC team, IR team, IT operations, CISO, and executive leadership. This is the most common TTX type.
Business continuity TTX. Tests the BC/DR plan: disaster declaration, alternate processing activation, communication with stakeholders, recovery execution, and return to normal operations. Participants include IT operations, facilities, business unit leaders, communications, and executive leadership.
Communication TTX. Tests the incident communication plan specifically: who is notified, through what channels, with what content, on what timeline. Participants include communications/PR, legal, CISO, executive leadership, and customer-facing team leads.
Executive TTX. Tests executive decision-making during a cyber crisis: ransom payment decisions, public statement authorization, regulatory notification approval, insurance claim initiation, and board communication. Participants are exclusively C-suite and board members. The scenario is presented at the business impact level (financial, reputational, regulatory), not at the technical level.
Cross-functional TTX. Combines elements from multiple exercise types to test the full organizational response. It is the most comprehensive and the most logistically complex type, since it requires participants from every function.
The facilitator drives the exercise and directly determines its value. An effective facilitator:
Maintains pace: keeps the discussion moving through injects without allowing the group to stall on a single topic. Each inject has a time allocation. The facilitator moves to the next inject when the key discussion points are covered.
Probes assumptions: asks "why?" when participants describe their response. "We would isolate the affected servers." "How? Who has the authority to disconnect production servers? How long does the isolation take? What business processes are affected by the isolation?" Probing reveals assumptions that the plan has not addressed.
Introduces complications: adds realistic complications that the plan may not have considered. "The backup administrator is on vacation in a location with no cell service." "The CEO is traveling internationally and is unreachable for 6 hours." "Your primary forensic firm has a conflict of interest and cannot take the engagement." Complications test whether the organization has contingency depth or single points of failure.
Captures findings: documents every gap, confusion, disagreement, and assumption revealed during the exercise. The findings become the after-action report and the improvement plan.
Remains neutral: does not evaluate participants' decisions as right or wrong during the exercise. The TTX is a learning exercise, not a performance evaluation. Participants who fear judgment will not reveal their genuine response, which defeats the purpose.
TTX findings are remarkably consistent across organizations:
Unclear decision authority. Nobody knows who authorizes the ransom decision, the public statement, the system shutdown, or the regulatory notification. The plan says "senior leadership" without naming a specific individual or establishing a succession if that individual is unavailable.
Communication gaps. The IR team does not know how to reach the insurance carrier after hours. The communication plan does not include social media. The employee communication template does not exist. The board notification procedure is "call the chair" with no documented backup.
Assumption of availability. The plan assumes that key personnel are available, that backup systems work, that the VPN is accessible, and that the conference bridge can handle 40 simultaneous participants. The exercise reveals that the backup administrator's phone number is wrong, the conference bridge has a 25-person limit, and the VPN concentrator is one of the encrypted systems.
Technical-business disconnect. The technical team speaks in technical language. The executive team speaks in business language. Neither understands the other's decisions. The technical team says "we need to isolate the domain controller." The executive team hears "we are shutting down the business for an unknown duration."
No documented playbooks. The team knows what to do conceptually but has no documented, step-by-step playbook for the specific scenario. The response depends on institutional knowledge held by individuals rather than documented procedures accessible to anyone.
A 3-hour TTX requires facilitator preparation (4 to 8 hours), participant time (3 to 4 hours), and a conference room. Total investment: 20 to 40 person-hours. The findings consistently reveal gaps that would cost orders of magnitude more to discover during an actual incident: unclear authority that delays containment by hours, communication failures that extend the incident's reputational impact, and procedural gaps that slow recovery by days.
Tabletop exercises satisfy testing requirements across multiple compliance frameworks. NIST CSF 2.0 includes testing and exercise as part of the Recover function. ISO 27001 A.5.29 (Information Security During Disruption) references testing contingency plans. PCI DSS Requirement 12.10 requires testing the incident response plan annually. HIPAA requires testing contingency plans. SOC 2 CC9.1 includes demonstrated recovery testing. CMMC includes incident response testing practices.
Auditors ask: "When was the last exercise? Who participated? What were the findings? Were the findings remediated?" An organization that produces TTX documentation with findings and a tracked remediation plan demonstrates governance maturity that auditors recognize.
TTX is the only exercise type that brings technical teams, executive leadership, legal, communications, and business units together to work through a crisis scenario. This cross-functional participation builds relationships, shared understanding, and communication patterns before the crisis forces people who have never worked together to coordinate under pressure.
Tabletop exercises sit in the RGA (Risk Governance and Assurance) domain of the Planetary Defense Model, with direct connections to TID (incident response testing) and SPH (social engineering response testing).
CDA's Perpetual Compliance Assurance (PCA) methodology includes TTX as a recurring exercise. "Compliance is not an event. It is a state." A single annual TTX satisfies the minimum compliance requirement. CDA recommends quarterly TTX with rotating scenarios: Q1 ransomware, Q2 data breach with regulatory notification, Q3 business continuity/disaster recovery, Q4 insider threat or supply chain compromise. Each quarter tests a different plan against a different threat.
Three TOP missions incorporate TTX:
CDA facilitates TTX with one non-negotiable practice: every exercise produces a written after-action report (AAR) with specific, assigned, deadline-tracked findings. A TTX without an AAR is a conversation that produced no improvement. The AAR is the deliverable. The discussion is the method. The improvement is the outcome.
Written by Evan Morgan