Safety and Security Apr 29, 2025

How to Design and Run a Cybersecurity Tabletop Exercise

No jargon, just readiness: Tabletop exercises give your team a safe space to practice defeating cyberthreats before they strike.


When Memorial Health Systems, a not-for-profit healthcare network, experienced a ransomware cyberattack, almost all its systems were impacted, from its MRI machines to its cafeteria cash registers. Its digital records quickly became useless as it transitioned to ready-made paper backup forms. Yet Memorial was able to keep business going and ultimately recover from the cyberattack quickly. How?

Lori Price, an emergency management coordinator with Memorial, explained in an episode of The Employee Safety Podcast that, despite the attack, Memorial was prepared for this eventuality because of its tabletop exercise training.

Just a few months before this incident, “All department directors had walked through the process of thinking about what they would do in their department if we had a cyberattack and had those types of problems. So, I think that we were able to circumvent that initial shock,” said Lori. They performed a cybersecurity tabletop exercise, also known as a cybersecurity incident response tabletop exercise, which familiarized employees and stakeholders with the challenges a cyberattack could present and methods to remedy the situation.

Despite the success of organizations like Memorial in defending against cyber threats, about one-third of organizations don’t offer cybersecurity training, even though one-half of the employees at those organizations have access to critical data. Today, we’ll explain the purpose of cybersecurity tabletop exercises and how to perform them.

What Is a Cybersecurity Tabletop Exercise?

A cybersecurity tabletop exercise is a session where a group of employees is prompted to consider a hypothetical cyber threat situation, such as a phishing attack, and discuss how they could respond to and fix the problem. You can think of a tabletop exercise (TTX) as a drill that takes place entirely in the minds and conversation of the participants, from the safety and security of a conference room, which is why they’re called “tabletop” exercises.

These tabletop exercises allow everyone to examine their organization’s cybersecurity preparedness measures and raise questions or concerns. Then, those concerns are rolled up into a report used to make material and procedural changes to existing cyber incident response plans used by your incident response team.

Tabletop exercises are easy, cost-efficient, and informative, and they should be part of every company’s cybersecurity planning effort.

Aligning cybersecurity TTX with NIST guidelines

Cybersecurity tabletop exercises directly support the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) by enhancing your organization’s response capabilities and preparedness. These exercises are a practical way to test and validate your incident response guidelines, particularly within the “Respond” and “Recover” functions of the CSF.

Aligned with the NIST Incident Response Lifecycle, tabletop exercises fall under both the preparation and testing phase and the improvement phase. They help teams assess plans, uncover gaps, and strengthen coordination.

In short, tabletop exercises bring NIST’s principles to life, reinforcing strong security and risk management practices through hands-on scenario planning.

How to Run a Cybersecurity Tabletop Exercise

Any organization can easily run a tabletop exercise with thoughtful planning. Here are the steps you need to follow to create one of your own from scratch:

1. Assemble your team

Tabletop exercises are group activities, and people within that group will take on various roles to help keep the exercise moving.

Participant

Participants will be the largest cohort within your group. Exercise participants are meant to engage with the scenario presented to them and critically examine its consequences from their point of view. That is, how would such a hypothetical scenario impact their job? How would they recognize the threat? What would mitigation look like? Participants are encouraged to discuss, ask questions, and actively contribute to the session—drawing on their on-the-job experiences.

Participants should not be solely from your IT team but should represent a cross-section of your company.

Facilitator

You can think of your facilitator as a moderator in a debate. They ultimately hold the reins, guiding the session as a whole, but ideally, they won’t have to talk too much other than to kick things off. They begin sessions by presenting the hypothetical situation to the group, occasionally chiming in to ensure the discussion moves forward to meet the exercise objectives.

Evaluator

This role is not actively involved as the exercise unfolds. The evaluator’s purpose is to watch, noting what goes well and what could be improved for next time. They keep this to themselves during the session to allow for unfettered conversation. Then, they document their observations and reflections, which leaders can use to improve the session for next time. Most organizations opt for at least two evaluators to give them a better chance to capture all the details.

Observer

Finally, there’s the observer. Like the evaluator, they take a backseat during the session, but unlike the evaluator, they’re allowed to pipe up with recommendations or answer questions from the group. Because of this responsibility, observers should be experts in the particular scenario in play. In the case of a cybersecurity tabletop exercise, that person would likely be a senior IT leader at the company or someone with similar expertise, such as your Chief Information Security Officer (CISO).

2. Design the scenario

If you’ve performed a business threat assessment, specifically a cyber threat assessment, you’ll have pre-identified a set of digital threats to which your organization might be vulnerable. Compile a diverse list of these that might make good foundations for a tabletop exercise scenario.

Choose a couple of these scenarios, but remember that most tabletop exercises are only 60–90 minutes, and quality matters more than quantity in the conversation. You’ll also want to imagine one or two curveball details you can throw at your participants to keep them on their toes.

Not sure what scenarios to use? We have a few ready-made ones below to help get you started.

3. Run the experiment

Here’s where the fun begins! (You think safety exercises are fun, right?) Gather your team members in a quiet room, separate from the rest of your workplace, so that you can focus. The facilitator will then describe the selected scenario to the participants and ask them to discuss how they would respond to and remedy the incident. Remind participants that they’re welcome to ask questions and maintain a relaxed, open environment so everyone is as comfortable as possible when talking about potentially disconcerting topics.

4. Reflect

After the session, your evaluators will convene on their own to conduct a hot wash and prepare an after-action report describing what the session did well, ways it fell short, and suggestions to improve for next time. Share this report with all key stakeholders so everyone is on the same page.

Then, apply the takeaways to your cybersecurity and recovery plans. After that, return to step 1, and the cycle begins again.


Documenting outcomes and evaluations

A successful exercise doesn’t end when the discussion wraps—it ends when you’ve captured insights, implemented improvements, and confirmed that your organization is measurably more prepared for a real-world cyber event.

After every exercise, your team should produce a formal after-action report outlining key takeaways and documented lessons learned. This report is a cornerstone for strengthening your incident response strategies and improving overall cyber incident preparedness.

You can distribute a brief feedback form to all participants immediately after the session. Encourage candid feedback about the exercise structure, scenario realism, and any gaps in current processes. Review the responses alongside your evaluator’s notes to identify specific action items that need follow-up.

Common deliverables post-exercise include:

  • A slide deck summarizing the scenario, discussion points, and key outcomes
  • A list of implementation improvements to update protocols, tools, or training
  • Updates to your cyber response playbooks or continuity plans based on insights gained

Ensure the participant invitation sets expectations beforehand: this exercise isn’t just about conversation—it’s about operational enhancement. When outcomes are documented and acted upon, tabletop exercises evolve from a theoretical drill to a transformative step in your cyber resilience program.

Cybersecurity Tabletop Exercise Scenarios

Cyber threats come in many shapes and sizes, and depending on your organization’s size, industry, and digital footprint, some of these scenarios will be more applicable to you than others. You must always exercise judgment about the best fit for your people and your organization. Here are some that you can run yourself, either with modifications or out-of-the-box, including twists to mix things up, sort of like discussion questions.

If you’re looking for even more scenarios, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers several on its site for free.


Malware/ransomware attack

The most headline-grabbing type of cyber threat is malicious software (malware) intrusion. This threat involves an unauthorized actor injecting foreign code into your system, often rendering software unusable and encrypting your data. Some of these attacks demand that the target pay a ransom to the hacker in return for unlocking this data, in which case the attack is called “ransomware.” Here’s a scenario you can present to your people:

Scenario:

You open your work computer one Monday morning, and when you try to log in, you are greeted by an unfamiliar message demanding that you send a sum of money in cryptocurrency to an unknown party, who will unlock your devices and data in exchange.

Twist:

After finishing your first run of this ransomware tabletop exercise, try adding in the following complication: You receive the same ransom message, but you and your team are currently attending a conference in another state, and your email service is compromised, so you can’t use it. How does this change your plan?


Converged security breach

Converged security refers to the intersection of information security and physical security. Often, attackers exploit digital vulnerabilities using physical means, or vice versa. Test your team’s readiness for a converged threat with this prompt:

Scenario:

Joe, a new employee, saw a USB drive in the parking lot on his way to work. It was labeled “LEAKED TAYLOR SWIFT SONG,” so naturally, he picked it up. Unbeknownst to him, he had just fallen for one of the oldest cyber tricks in the book, and the USB drive actually contained vicious malware (Taylor’s Version). How would your people respond? What if Joe had already plugged in the infected drive?

Twist:

What if the USB was somehow already in Joe’s computer, which he keeps at work, when he arrived at the office one day? What implications would that have for your organization’s physical security as well?


Customer data breach

Most companies keep digital business records of their clients and customers, some of which are very sensitive, such as payment information and personal details like addresses. This data is often attractive to cyber threat actors because they can sell it for profit, use it for identity theft, or use it for any number of other nefarious purposes, which is why it’s essential that you practice for such an attack.

Scenario:

Your IT security team notices a device—in a country where you do not have employees—that has been surreptitiously connecting to your servers periodically for the past two weeks. They discover that the device has been scraping your customer records for anything it could find. How do you prevent further damage? How do you communicate the attack to your customers who might have been seriously impacted?

Twist:

Your data was not only accessed but also deleted. Does your backup process account for a situation like this?


Supply chain attack

Most organizations rely on a wide range of software to keep their business running. Whether it’s for record-keeping, communication, or even security systems, that software is susceptible to a hack, which means that you, as a user, are also vulnerable to that attack. This is known as a “supply chain” or “downstream” attack, where one hack can cascade and impact thousands or millions using that software.

Scenario:

You receive news that your CRM software provider has experienced an attack that has compromised some users’ data. Your entire sales team uses this CRM software and might not be aware of the situation yet. How do you prevent further damage without interrupting business continuity?

Twist:

Half of your sales team is offsite at an industry product conference and is busy demoing and selling your company’s product in another country.

Finding the Common Thread

No matter what situation you encounter during these tabletop exercises, you should be confident that your team can come up with a solution. (You can jumpstart your cyber preparedness efforts during Cybersecurity Awareness Month.) However, during these exercises, you might have noticed that your team’s across-the-table communication was a particular advantage in the incident management process. Without real-time communication, your hopes for overcoming a cybersecurity attack are slim. That’s why you need a multichannel emergency communication system.

During a cyberattack, some critical communication avenues, like email or instant messaging, might also be affected, so having redundant ways to relay the situation to your people is a vital safeguard for any cyber threat your organization encounters.
