How to Run an Effective Cybersecurity Tabletop Exercise

Co-written with Lewis Pope

Cyber threats are evolving faster than most organizations can adapt. From sophisticated ransomware campaigns to insider data leaks, the frequency and complexity of attacks continue to rise. Yet many organizations still struggle with the basics of incident response – not due to lack of tools, but due to lack of practice.

Tabletop exercises offer a powerful way to close that gap. These discussion-based simulations help IT teams and cross-functional stakeholders rehearse their response to realistic cyber incidents, uncovering vulnerabilities in a controlled environment. By learning how to run a tabletop exercise effectively, IT professionals can uncover blind spots and build organizational resilience before a real crisis hits.

What Is a Tabletop Exercise?

A tabletop exercise (TTX) is a discussion-based simulation that walks teams through a hypothetical cyber incident. Unlike technical penetration tests or red team engagements, tabletop exercises focus on decision-making, communication, and coordination. They’re low-cost, easy to organize, and highly effective at revealing blind spots in your response strategy.

Tabletop exercises are more than just a best practice – they’re a strategic necessity for modern IT teams. These simulations help organizations:

• Validate incident response plans under realistic conditions
• Clarify roles and responsibilities across departments
• Improve cross-functional collaboration between IT, legal, communications, and leadership
• Identify process and communication gaps before they become liabilities
• Build muscle memory for high-pressure decision-making

But beyond operational readiness, tabletop exercises also play a critical role in regulatory compliance.

Supporting Compliance and Audit Readiness

In 2025, many cybersecurity frameworks and data protection laws either recommend or mandate regular incident response testing. Tabletop exercises help demonstrate due diligence and preparedness in line with:

• NIST SP 800-84: Recommends test, training, and exercise (TT&E) programs to evaluate IT response capabilities and improve preparedness.
• ISO/IEC 27001: Requires organizations to establish and maintain an information security management system, including testing and evaluating incident response procedures.
• HIPAA Security Rule: Mandates that covered entities implement and periodically test security incident procedures to detect and mitigate cyber threats. 
• GDPR (Article 33): Requires organizations to notify supervisory authorities of personal data breaches within 72 hours and maintain preparedness for breach response. 
• PCI-DSS Requirement 12.10: Requires entities to implement and test an incident response plan at least annually to ensure readiness for cardholder data breaches. 

By conducting tabletop exercises, IT teams can:

• Document compliance efforts for audits and assessments
• Identify and remediate policy gaps before they result in violations
• Train stakeholders on breach notification timelines and legal obligations
• Reduce the risk of fines, reputational damage, and operational disruption

These exercises not only improve technical response but also ensure that legal, regulatory, and reputational risks are managed effectively.

Designing a Realistic Scenario

The success of a tabletop exercise depends on how believable and relevant the scenario feels to your organization. A well-crafted scenario doesn’t just test technical response – it immerses participants in a situation that mirrors the pressures and uncertainties of a real cyber incident.

Imagine this: It’s 8:45 AM on a Monday. Your team is just settling in when a helpdesk ticket comes in: Someone can’t access their files. Within minutes, similar reports flood in. A ransomware note appears on multiple machines, demanding payment in cryptocurrency. Backups seem compromised. The clock is ticking, and leadership wants answers.

This kind of scenario forces teams to think fast, communicate clearly, and make tough decisions under pressure. It’s not just about containment – it’s about coordination, escalation, and business continuity.

Here are a few common and impactful themes to consider:

• Ransomware Attack: Encrypts critical systems, halts operations, and demands payment. Test your backup strategy, containment protocols, and communication plans.
• Insider Threat: A disgruntled employee with privileged access exfiltrates sensitive data. Explore detection capabilities, HR/legal coordination, and breach notification procedures.
• Cloud Outage: A major third-party service goes down, affecting customer-facing applications. Assess your failover plans, vendor communication, and SLA awareness.
• Phishing Campaign: A convincing email tricks an employee into sharing credentials, leading to unauthorized access. Examine MFA enforcement, detection speed, and internal alerting.

The most effective tabletop scenarios do more than simulate technical failures – they reflect the real-world pressures your organization would face during a cyber crisis. They should challenge assumptions, spark meaningful discussion, and expose where plans, processes, or communication may falter under stress.

To maximize impact, align each scenario with your organization’s industry context, risk profile, and business priorities. For instance, a healthcare provider might simulate a ransomware attack that compromises patient records, triggering HIPAA breach notification protocols. A financial institution, on the other hand, may focus on wire fraud or unauthorized access to trading systems, testing its regulatory reporting and fraud response workflows.

Ultimately, the goal is to create a scenario that feels real enough to engage participants, but structured enough to generate actionable insights. When teams can see themselves in the story – and feel the urgency of the decisions they’re making – you’ve created a scenario that builds true cyber resilience.

Roles and Responsibilities

Cyber incidents rarely stay confined to the server room. They ripple across departments, affect customers, and demand swift, coordinated action. That’s why a successful exercise must include a diverse set of participants, each playing a critical role.

IT and Security: The First Responders. When the simulated breach hits, IT and security teams are on the front lines. They’re responsible for identifying the threat, containing it, and restoring systems. But it’s not just about technical fixes – they must also communicate clearly with other teams, document actions, and escalate appropriately.

Legal: The Risk Navigators. Legal teams help interpret the regulatory implications of the incident. They advise on breach notification requirements, potential liabilities, and how to preserve evidence for future investigations.

Communications: The Voice of the Organization. Internal and external messaging during a cyber crisis can make or break public trust. Communications teams craft statements, manage media inquiries, and ensure consistent messaging across channels.

Executives: The Decision Makers. Executives provide strategic oversight. They authorize major decisions – such as paying a ransom, engaging external counsel, or activating business continuity plans. Their presence ensures alignment with business priorities and risk tolerance.

Before the exercise begins, make sure every participant knows:

• Their role and scope of authority
• Who they report to during the incident
• What decisions they’re expected to make
• How they should communicate with other teams

Step-by-Step: How to Run a Tabletop Exercise

Here are some key steps to take when conducting a tabletop exercise, from setting clear objectives to translating lessons learned into stronger response capabilities:

1. Define Clear Objectives. What, specifically, do you want to test? “Assess containment of a ransomware attack” or “Ensure leadership can make breach disclosure decisions inside 48 hours.” Make objectives measurable and outcome-focused.

2. Gather Key Documentation. Prepare relevant response plans, escalation charts, contact lists, playbooks, tabletop scenario documents, and recent infrastructure diagrams. Updated resources make the exercise grounded in reality.

3. Assign Roles and Set Expectations. Clarify each participant’s function and encourage openness. Remind all: this is a no-blame, learning-first exercise.

4. Run the Scenario

• Use time-based injects: “20 minutes later, the threat actor releases files on the dark web.”
• Introduce ambiguity: “The CISO is unreachable; who steps in?” or “The ransomware note is posted on social media before internal teams are alerted.” These twists force teams to think on their feet and reveal how well your plan holds up when the punch lands.
• Challenge assumptions and encourage creative thinking.
• Keep language jargon-free for non-IT stakeholders.

5. Post-Exercise Debrief

The real value of a tabletop exercise comes after the simulation ends. Here’s how to turn insights into action:

• Hold a structured discussion: What went well? What failed? What surprised people?
• Document actionable insights and assign follow-ups.
• Update plans, playbooks, training, and escalation paths.
• Share summary findings with the broader organization.
• Schedule the next exercise – resilience is a process, not a checkbox.

6. Planning for the unplanned

Tabletop exercises aren’t just about technical containment or legal escalation. They’re about human coordination under pressure. Who’s authorized to speak to the press? Who updates the status page? Who picks up lunch for the team working 12-hour shifts? These seemingly minor details can become major stress points mid-incident.

A well-run TTx should include these roles to simulate the full scope of operational response. If your incident response plan doesn’t include who’s grabbing sandwiches, you’re not ready.

From Tabletop to Transformation: Improving the Plan

An effective improvement plan transforms insights from a Security Tabletop Exercise into actionable steps. Organizing actions by priority – high, medium, and low – ensures critical vulnerabilities are addressed first. A phased timeline (immediate, near-term, long-term) helps teams allocate resources and track progress. Grouping items by functional area (e.g., incident response, platform security) streamlines ownership and execution.

To maintain momentum, establish clear metrics, regular status reviews, and documentation standards. This structure not only supports accountability but also enables leadership visibility and strategic alignment – turning lessons learned into measurable resilience.

Closing Thoughts: Building a Culture of Cyber Resilience

In 2025, cyber resilience is every bit as much about people and processes as it is about technology. Tabletop exercises help organizations move from theory to practice, from isolated IT efforts to true business-wide readiness. They break down silos, clarify roles, and build the “muscle memory” needed to act quickly and decisively when – not if – a cyber incident occurs.

Learning how to run effective tabletop exercises helps you do more than satisfy compliance obligations or check off an audit item. You nurture a culture of preparedness, agility, and shared responsibility, turning the chaos of a cyber crisis into a moment for your organization to shine.

Join industry leaders and security experts at the Cyber Resilience Summit 2025 hosted by N‑able. Discover best practices, hands-on workshops, and real-world insights to strengthen your organization’s defenses. Register now.

For ore on Table Tops Exercises join our webinar: From Plan to Practice: Strengthen Incident Response with Tabletop Exercises. Register now.

Emma Nistor is Senior Product Marketing Manager at N‑able

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd LinkedIn: thesecuritypope Twitch: cybersec_nerd