Ransomware Guide

Cybersecurity Tabletop Exercises: How to Run Them Well (With Downloadable Scenarios)

A guide to running cybersecurity tabletop exercises that actually produce useful output: scenario selection, facilitator framing, participant structure, and post-exercise action.

Cybersecurity Tabletop Exercises: How to Run Them Well (With Downloadable Scenarios)

Most tabletop exercises are terrible. Not because the facilitators don’t care, and not because the participants are unprepared — but because the exercise is run as a compliance checkbox rather than a stress test. Two hours get spent with a facilitator reading a PowerPoint scenario, participants taking polite turns to describe what they’d “coordinate with the team on”, and a one-page after-action report landing in a SharePoint folder that nobody will open again until next year’s renewal.

That is not a tabletop exercise. That is a meeting dressed up as one.

A good tabletop exercise produces three things: a list of decisions your organisation cannot currently make under pressure, a list of assumptions that turned out to be wrong, and a prioritised list of fixes with owners and deadlines. If an exercise ends without those three outputs, it didn’t work. This guide is about how to run one that does.

Why the bar has risen

Until recently, tabletop exercises sat in the “nice to have” column. That changed over the last 18 months as cyber insurance underwriting tightened and regulatory regimes like NIS2 and DORA came into force. Insurers now explicitly ask whether you’ve conducted a tabletop exercise within the past 12 months, and whether you can evidence remediation tracking afterwards. Aon has been on record describing missing controls — MFA, EDR, and backup posture among them — as refusal criteria. Incident response testing sits in the same category: it’s no longer something you can promise to do next quarter.

For UK and EU organisations, NIS2 Article 21 mandates business continuity and crisis management measures, and DORA Article 25 requires financial entities to run Threat-Led Penetration Testing alongside operational resilience testing. Tabletop exercises are the cheapest form of operational resilience testing on the menu, and regulators have noticed.

The point is that tabletops have moved from “good practice” to “attested control”. And attested controls get verified after an incident. Forensics firms hired by insurers routinely check whether the tabletop claimed on the application actually happened, who participated, and what the outcomes were. If your last exercise was a one-hour walkthrough with three IT people, that won’t survive scrutiny.

What a tabletop exercise actually is

A cybersecurity tabletop exercise is a facilitated, discussion-based session in which a group of people with defined incident response roles work through a hypothetical scenario in real time. The scenario unfolds in phases (“injects”) that introduce new information or complications. Participants describe what they would do, who they would contact, what decisions they would escalate, and what information they would need. A facilitator controls the pace, an evaluator takes notes, and the session ends with a hot-wash debrief followed by a written after-action report.

The word “tabletop” matters. This is not a simulation, a drill, or a red-team exercise. Nobody is typing commands into a live system. Nothing is actually being contained, forensically imaged, or restored. The value is entirely in the conversation — specifically, in the moments where the conversation breaks down because nobody in the room knows who owns the next decision.

Those moments are the product. Everything else is production overhead.

Who should be in the room

The biggest failure mode in tabletop exercises is the wrong participant list. Running a ransomware tabletop with only the security team produces a security team’s view of a ransomware incident, which is a small and misleading slice of what actually happens. Running it with everyone in the company produces theatre.

The right participant list is defined by the scenario. For a ransomware scenario affecting production systems, you need:

  • Incident commander (usually the CISO or head of security operations)
  • IT operations lead (the person who actually owns the systems being attacked)
  • Legal counsel or a delegate (for regulatory notification decisions, contract obligations, privacy implications)
  • Communications lead (internal and external messaging)
  • A business owner of the affected systems (the person who has to decide whether partial recovery is acceptable)
  • Finance or procurement (for decisions involving outside counsel, forensic firms, or negotiators)
  • An executive decision-maker with authority to approve spending, downtime, or external disclosure

That’s seven to nine people. Add one observer per function if desired, but keep the active roster tight. Large tabletops degrade into roundtables where everyone performs competence rather than expose gaps.

Two participants deserve special attention. The first is the executive decision-maker. Many organisations run tabletops without a real decision-maker in the room and assume someone will just make the call “in real life”. This is exactly backwards — the point of the tabletop is to discover that your actual decision-maker has never been briefed on what decisions they’ll be asked to make, and doesn’t know the criteria. The second is legal counsel. If you run a tabletop without legal in the room, you will not discover the regulatory and contractual traps until you’re standing in them.

Choosing a scenario worth running

A good scenario has three qualities: it’s realistic for your organisation, it forces cross-functional decisions, and it contains at least one genuinely hard dilemma.

“Realistic” means drawn from the threat landscape your sector actually faces. Financial services organisations should be running scenarios based on third-party service provider compromise (DORA-relevant), wire fraud via deepfake voice, and ransomware with data exfiltration. Healthcare should focus on ransomware affecting clinical systems, ePHI breach notification timing, and supply-chain medical device compromise. Manufacturers should be testing OT/IT convergence, ransomware in industrial control environments, and intellectual property theft. Don’t run generic “malware outbreak” scenarios unless you’re starting from zero.

“Cross-functional” means the scenario cannot be resolved by a single team acting alone. A scenario that only stresses the SOC is a SOC drill, which is valuable but isn’t a tabletop. A good scenario forces IT to talk to legal, legal to talk to communications, communications to talk to the executive, and the executive to make a decision with incomplete information.

“Contains a hard dilemma” is the one most organisations skip. If every inject has a correct answer, the exercise is a quiz, not a test. The hardest and most useful dilemmas are:

  • Whether to disclose to customers before you’ve completed forensic analysis (regulatory clocks vs. message accuracy)
  • Whether to take systems offline (operational cost vs. containment)
  • Whether to engage a negotiator (legal, ethical, and insurance implications)
  • How to handle conflicting advice from legal counsel, forensic firm, and cyber insurer
  • How to respond publicly when the attacker begins leaking data

If your scenario doesn’t put at least one of those on the table, raise the stakes.

Five scenario stubs to start from

These are deliberately stripped-down starting points. A full scenario package for each runs to a facilitator’s guide, a participant briefing, an inject schedule, and an evaluation framework. These stubs are the premise.

Scenario 1 — Ransomware with double extortion. A monitoring alert at 04:47 on a Tuesday indicates anomalous encryption activity across a file server cluster. By 07:00 it’s clear that approximately 40% of production file shares are affected and a ransom note has appeared on three systems. By 09:00, the attacker’s leak site lists your organisation with a 72-hour countdown. Inject points: the CEO asks whether to pay; a journalist calls communications before any public statement; your cyber insurer’s hotline asks for forensic engagement approval; a major customer asks whether their data is affected.

Scenario 2 — Business email compromise with deepfake escalation. Your CFO receives a phone call from the CEO approving an urgent wire transfer for an acquisition. The voice is convincing. The payment is processed. Forty-eight hours later, the real CEO learns of it. Inject points: law enforcement notification decisions; bank recall window closing; internal communications to prevent copycat attempts; board-level disclosure obligations; insurance coverage questions for social engineering losses.

Scenario 3 — Third-party SaaS provider compromise. Your marketing automation platform sends an emergency notification that their OAuth infrastructure was compromised three weeks ago. Tokens issued to integrations — including yours — may have been used to access connected systems. You don’t yet know what, if anything, was accessed via your integration. Inject points: evidence gathering within 24h reporting windows under NIS2 or DORA; customer notification timing; vendor risk reassessment; contractual liability review; coordination with other affected customers.

Scenario 4 — Insider data exfiltration. A DLP alert identifies unusually large outbound transfers from a senior engineer’s endpoint to a personal cloud storage account. Review of the last 90 days of activity shows a consistent pattern of IP-related document downloads. The engineer has submitted their resignation, with a two-week notice period ending next Friday. Inject points: when to confront; employment law constraints; evidence preservation; whether to involve law enforcement; communications to the rest of engineering; board notification.

Scenario 5 — Regulatory deadline failure. A compliance audit reveals that your organisation has been out of scope for a mandatory control required under NIS2 Article 21 for approximately eight months. Your regulatory deadline is in six weeks. Inject points: disclosure to regulators; remediation prioritisation; management personal liability exposure; insurer notification; third-party contractual impact; executive accountability.

These are premises, not scripts. Converting a premise into a runnable exercise takes a facilitator’s pack, an inject timeline with realistic time pressure, and an evaluator’s framework built around specific questions you want answered.

Running the exercise well

Facilitation is the whole job. A good facilitator does three things: controls pace, interrupts complacency, and refuses to let participants solve the scenario in the abstract. When a participant says “we would coordinate with legal to determine the appropriate course of action”, the facilitator says: “Legal is here. Specifically, what would you ask them?” When someone says “we’d make sure we have a backup”, the facilitator says: “Let’s talk about that specific backup. Where is it? Who has access to restore from it? When was it last tested?”

Pace matters. An inject should land roughly every 15 to 25 minutes for a two-hour exercise. Each inject should escalate — new information, tightening timeline, new stakeholder in the picture. If the exercise feels comfortable, it isn’t working.

Time pressure is artificial but essential. Announce a hypothetical 72-hour regulatory clock. Announce that the media deadline for the evening news is in 45 minutes. Announce that the ransomware leak site’s timer drops to 24 hours. Real incidents feel time-pressured; a tabletop that doesn’t replicate that feeling doesn’t replicate the decision quality either.

Take notes ruthlessly. The evaluator captures: every question that couldn’t be answered in the room, every assumption that was made without evidence, every handoff that was unclear, every decision that was deferred because the right person wasn’t present. These notes become the after-action report.

End with a hot-wash debrief. Immediately after the exercise, spend 20 to 30 minutes with participants asking three questions: what worked, what broke, and what would you want to change before we do this again. This is more honest than anything that shows up in a written report a week later.

Turning the exercise into action

This is the part most organisations fail. The after-action report gets written, circulated, filed, and forgotten. The gaps it surfaced are still there 12 months later when the next exercise uncovers the same gaps.

The discipline that prevents this is simple: every gap identified in the exercise becomes a tracked action item with an owner and a deadline. Not “we should improve our communications plan” — that’s not an action item, it’s a sentiment. An action item is: “Communications lead to draft a pre-approved external holding statement template for ransomware incidents, reviewed by legal, finalised by end of next quarter, stored in [specific location].” That’s trackable. A sentiment is not.

Insurance carriers specifically ask about remediation tracking after tabletop exercises. If you can produce the action log and show closure rates, you’re in good shape. If you can only produce the after-action report, you’re not.

What NIS2, DORA, and cyber insurers expect

The formal requirements are converging. NIS2 Article 21 requires business continuity and crisis management measures proportional to organisational size and risk. DORA Article 24 requires operational resilience testing, with more intensive Threat-Led Penetration Testing mandated for significant financial entities. ISO 27001:2022 control A.5.29 requires information security during disruption. SOC 2 Common Criteria CC7.3 requires incident evaluation and response capability.

Cyber insurance carriers in 2026 almost universally require evidence of an incident response plan tested within the past 12 months — the tabletop is the standard evidence of testing. Some carriers now request the after-action report itself and evaluate whether remediation tracking is documented. A tabletop with no documented outcomes is worse than none — it suggests you went through the motion without internalising the point.

The overlap between regulatory and insurance requirements is significant enough that a single well-run annual exercise, supplemented by targeted scenario exercises through the year, satisfies most obligations simultaneously. The practical minimum for a moderately regulated organisation is one full exercise annually plus two to three targeted scenario exercises.

Common mistakes to avoid

Running the same scenario every year. Organisations that run the same ransomware walkthrough annually stop surfacing new gaps after the first two cycles. Rotate scenarios so that different parts of the organisation get stressed.

Letting the scenario resolve too cleanly. If every inject is answered neatly and the exercise wraps on time with everyone in agreement, something is wrong. Either the scenario was too easy, the facilitator was too permissive, or — more commonly — participants were performing competence rather than engaging honestly.

Excluding the board or executive team. Executive decision-making under incident pressure is the weakest link in most organisations because it has never been practised. A tabletop without the actual decision-makers is a tabletop without the hardest dilemmas.

Over-structuring the exercise. Some consulting firms sell tabletop packages with 40-inject schedules and scripted facilitator responses. These run more smoothly but reveal less. The messy, half-planned exercise where the facilitator is forced to improvise usually uncovers more real gaps.

Failing to track remediation. Already covered above, but it bears repeating. The after-action report is not the output. The closed action items are the output.

Frequently asked questions

How long should a tabletop exercise be? Two hours is the sensible minimum for a meaningful cross-functional exercise. Three to four hours is better for high-stakes scenarios. Anything over five hours starts to degrade as participants tire and engagement drops.

How often should we run them? At least once a year for the full cross-functional exercise, plus two to three targeted scenario exercises for specific teams (SOC-only, legal-only, communications-only) through the year. Insurance carriers and most regulatory frameworks treat 12 months as the expected cadence.

Do we need an external facilitator? Not necessarily, but external facilitation is better for two reasons: an outsider can challenge assumptions that internal staff treat as settled, and the exercise itself becomes more credible to auditors, insurers, and regulators when facilitated by a third party. For the first one or two cycles in particular, external facilitation is worth the cost.

How do we handle sensitive scenarios involving real vendors or customers? Anonymise. “Major SaaS provider” rather than the actual name. “Tier-1 customer” rather than a specific account. Real names create political friction that distracts from the exercise objectives.

What’s the difference between a tabletop and a simulation? A tabletop is discussion-based — nobody touches systems. A simulation involves live technical response actions in an isolated environment. Tabletops test decision-making and coordination; simulations test technical response capability. Both are useful; they test different things.

Are CISA’s Tabletop Exercise Packages worth using? CISA’s CTEPs are free, structured, and widely recognised by insurers and auditors. They are a reasonable starting point and save significant preparation time. The caveat is that they’re generic by design — an off-the-shelf CTEP should be customised to reflect your specific environment, systems, vendors, and regulatory context before use. For organisations running their first serious tabletop, CTEPs are a good foundation. For mature programs, they work as scenario stubs that facilitators adapt heavily.

Should the exercise be confidential? The scenario briefing should not be shared in advance with participants — surprise is part of the test. The existence of the exercise, the participant list, and the date should be widely known. The after-action report’s distribution depends on its sensitivity: sanitised versions go to the board and insurer; full versions stay with the incident response leadership.

One more thing

If you take nothing else from this: the goal of a tabletop exercise is not to confirm that your incident response plan works. It is to discover the specific ways in which it doesn’t. An exercise that ends with everyone feeling good about the organisation’s readiness is an exercise that failed to stress the right things. An exercise that ends with a long list of uncomfortable questions and genuinely unresolved issues is the exercise you needed. That list is the product. Everything else is packaging.

Organisations that treat tabletops as a compliance box to tick produce compliance. Organisations that treat them as honest stress tests produce readiness. The controls that eventually save you when a real incident hits were almost always surfaced during an exercise where somebody in the room said “wait — we don’t actually know what we’d do here.”

Go and find those moments. The rest is practice.