How Do I Run a Tabletop Exercise?
Run a tabletop exercise by selecting one realistic scenario, setting two to four objectives, inviting the right decision-makers, and walking through the incident step by step. Use timed injects to force decisions, capture gaps as they appear, and end with assigned follow-up actions.
If you want to know how to run a tabletop exercise, start by choosing one realistic incident scenario, defining a few clear objectives, and bringing in the people who would actually make decisions during a real event. A good tabletop exercise focuses on roles, escalation, communications, and response choices, not theater or technical trivia.
What a Tabletop Exercise Is
A tabletop exercise is a structured discussion used to test how your organization would respond to a cyber incident or business disruption. It is not a live-fire technical drill, and it is not useful if it becomes a passive presentation.
The goal is simple: find confusion before a real incident does.
A well-run exercise helps you validate: - who makes key decisions - how incidents are escalated - whether communication paths are clear - where playbooks are incomplete - which dependencies could slow response
Step 1: Set a Clear Scope
Do not try to simulate every possible crisis at once. Pick one scenario and keep the exercise focused.
Common choices include: - ransomware affecting shared systems - business email compromise targeting finance - cloud admin account takeover - customer data exposure - third-party compromise - insider misuse of sensitive data
A narrow scenario produces better discussion than a broad one. If people spend half the session debating what kind of incident it is, the scenario is too vague.
Step 2: Define Objectives Before the Scenario
A tabletop exercise should answer a few practical questions. Good objectives include: - Can we identify who declares an incident? - Do leaders know their decision points? - Are legal, HR, PR, and IT aligned on escalation? - Do we know when to notify customers, regulators, or insurers? - Can the business keep operating if a key system is unavailable?
Limit the exercise to two to four objectives. More than that usually makes the session unfocused.
Step 3: Invite the Right Participants
A tabletop fails when only technical staff attend. Real incidents involve more than IT.
Participants often include: - security or IT operations - incident response leads - infrastructure, cloud, or application owners - legal and privacy teams - communications or PR - HR - finance - executive leadership - business unit owners
Include the people who would actually make decisions during an incident. If nobody in the room can authorize containment, communications, or outside help, you are not really testing the response.
Step 4: Build a Realistic Scenario
Start with a short scenario summary, then reveal more information over time. These updates are usually called injects.
A sample flow might look like this: 1. suspicious activity is reported 2. a key account appears compromised 3. attackers reach internal systems 4. sensitive data may be involved 5. customers or media start asking questions 6. a regulator, insurer, or major client wants answers
Each inject should force a decision, such as: - Who owns the response now? - Do we isolate systems? - Do we shut down remote access? - Who approves external statements? - What evidence must be preserved? - When do we escalate to executives?
The best tabletop exercise scenarios create decision pressure, not just discussion.
Step 5: Assign Roles for the Session
At minimum, assign these roles:
Facilitator
The facilitator keeps the session moving, presents injects, and asks probing questions. They should not let participants stay vague.
Useful prompts include: - Who makes that call? - What if that person is unavailable? - How would you know this in the first hour? - What process supports that step? - Where is that documented today?
Scribe
The scribe records: - decisions made during the session - gaps that were identified - unclear ownership - outdated contacts - missing playbooks - follow-up actions
Participants
Participants should respond in role, based on current reality, not ideal future-state assumptions.
Step 6: Keep the Discussion Grounded in Reality
A tabletop exercise only works if people answer using: - current staffing - real tools - actual vendors - existing contracts - documented playbooks - known escalation paths
Do not accept statements like “we would probably just call the vendor” unless you confirm: - who owns that relationship - whether contact details are current - whether after-hours support exists - whether the contract actually covers that response
This is where many tabletop exercises reveal hidden weaknesses.
Step 7: Ask the Questions That Matter
The most useful tabletop exercise questions are practical. Focus on things like:
- How is the incident detected and confirmed?
- Who determines severity?
- What is the first containment action?
- What logs or evidence need to be preserved?
- Who notifies leadership?
- What triggers legal review?
- When do customers need an update?
- What is the continuity plan if a system stays offline?
- When do we involve outside counsel, cyber insurance, or DFIR support?
If the scenario includes identity risk, password resets, or account takeover, it may help to review: - What Should Be in an Incident Response Plan? - Who Should Be on a Cyber Incident Response Team?
Step 8: End With Findings and Action Items
A tabletop exercise without follow-up is just a meeting.
At the end, document: - what worked well - what was unclear - where decisions stalled - which contacts were outdated - what approvals were missing - which dependencies surprised the team
Then turn those findings into action items with: - a named owner - a due date - a clear deliverable
Examples: - update the ransomware playbook by June 15 - verify after-hours executive contact details - document regulator notification workflow - test emergency privileged access procedures
Step 9: Review Supporting Preparedness Gaps
During follow-up, you may uncover smaller readiness gaps that still matter in a real incident. For example: - key contacts do not use MFA - recovery credentials are scattered or outdated - privileged passwords are shared informally
For organizations that need to tighten credential hygiene after a tabletop, a password manager such as 1Password can help centralize and secure administrative credentials more reliably than spreadsheets or shared documents.
If the scenario involves malware, suspicious attachments, or compromised endpoints, endpoint cleanup planning may also matter. In that case, Malwarebytes can be a reasonable option to evaluate for post-incident scanning on affected systems.
Step 10: Repeat on a Practical Cadence
You do not need one giant annual exercise and nothing else.
A better rhythm is often: - one broader executive tabletop each year - smaller functional exercises quarterly - targeted exercises after major technology or staffing changes
Over time, rotate scenarios so you test different parts of the organization.
Common Mistakes to Avoid
Making the scenario too broad
If the exercise tries to cover ransomware, insider risk, regulatory reporting, vendor compromise, and public relations all at once, it usually loses focus.
Inviting only technical teams
Incident response is rarely just a security problem. Legal, leadership, finance, HR, and communications often shape the outcome.
Letting assumptions go unchallenged
A good facilitator asks for evidence, ownership, and process, not just opinions.
Failing to track remediation
The corrective actions after the session are where the real value appears.
Common Misconceptions
“A tabletop exercise is only for large enterprises.”
False. SMBs often benefit even more because fewer people means unclear roles can slow response quickly.
“It should be highly technical.”
Not usually. The biggest value is testing decisions, authority, communications, and escalation.
“If the exercise feels smooth, we must be ready.”
Not necessarily. Some exercises feel smooth because nobody challenged assumptions.
“The exercise itself is the deliverable.”
Wrong. The deliverable is improved readiness: updated playbooks, clarified authority, fixed contacts, and better coordination.
Final Takeaway
A strong tabletop exercise is realistic, narrow, and decision-focused. If you want to know how to run a tabletop exercise well, keep the scenario believable, involve real decision-makers, challenge assumptions, and treat follow-up actions as mandatory. The session matters, but the changes you make afterward matter more.
Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.