As businesses continue to invest in cyber security, it’s important to make sure that your team is prepared to handle a real-world attack.

Tabletop exercises are a great way to test your team’s response and identify any weaknesses in your systems, processes and capabilities. In this post, we’ll share some tips on how to run a successful cyber security tabletop exercise.

Why are tabletop exercises important?

A tabletop exercise is an assessment and preparedness tool used to test how well a team responds to potentially hazardous situations. By simulating possible events, tabletop exercises allow organizations to train staff in foreseeable scenarios without the risks posed by actual incident responses. They are also incredibly valuable for fostering improved cooperation and collaboration as teams work together towards solutions. Beyond providing team building opportunities, tabletop exercises can be used to develop, refine, or strengthen important strategies for responding quickly and effectively in the event of an incident.

There are 5 steps involved in designing and conducting a cyber security tabletop exercise

A tabletop exercise is a practical way to ensure that an organization is prepared and has plans in place to respond to a critical incident. It generally involves gathering key incident response team members from the organization, such as the executive team, security, legal, HR, PR, and other functional leaders, in one room and placing them in hypothetical scenarios. Each team member can express their different perspectives and best practices can be discussed. Additionally, issues that need attention or further development can be identified before they ever become an issue in a real-world setting. Once the team has agreed on a plan of action for each scenario, it’s important to follow up with testing exercises in order to evaluate if practice led to improvements and create any adaptations necessary to deal with unexpected situations. Here are the five steps when creating, delivering, and evaluating cyber security exercises:

  • Step 1 – Pre-Exercise Planning
  • Step 2 – Exercise and Scenario Design
  • Step 3 – Final Preparations
  • Step 4 – Exercise Delivery
  • Step 5 – Post Exercise Activities

Step 1 – Pre-Exercise Planning

The first step in organizing a cyber security tabletop exercise is to define key objectives, strategies and goals for the exercise. It’s important to determine who should be involved in order to get the most from the experience and ensure that everyone has an understanding of their roles and responsibilities. You’ll also need to decide on how long you want the exercise to last and what type of scenarios you’ll be discussing.

Step 2 – Exercise & Scenario Design

For the exercise to be effective, it’s important to create detailed scenarios that will challenge your team and help them identify areas for improvement. When designing a scenario, consider all potential outcomes such as internal breaches or external threats. Make sure to include the necessary elements such as legal and compliance considerations, IT system vulnerabilities, and other potential risks.

Step 3 – Final Preparations

Once you’ve designed your scenarios, it’s time to put the final touches in place. Make sure to send out invitations with clear instructions to all stakeholders that will be participating in the exercise. This is also a good time to create any additional materials such as handouts, presentation slides or cheat sheets that can help the team better understand and respond to their designated scenarios.

Resource: Free eBook: 12 Essential Steps for Crisis Communicators to Take During a Cyber Breach Crisis

Step 4 – Exercise Delivery

On the day of the exercise, make sure that all materials are ready and that each participant is familiar with their roles. As the facilitator, it’s important to keep the exercise on track by regularly checking in with each team and making sure that everyone is comfortable with their roles. During this time, you should also be taking notes of key decisions that are being made so they can be discussed later.

Step 5 – Post Exercise Activities

Once the exercise has concluded, it’s important to take the time to review any key decisions that were made and discuss areas where improvements need to be made. This is also a good opportunity to recognize team members for their efforts, as well as provide feedback on how the exercise went. After this evaluation has been completed, make sure to document any changes or updates that need to be implemented before the next exercise.

By following these steps, you can ensure that your cyber security tabletop exercises are effective and successful. With the right preparation, your team will be able to identify potential risks and create an actionable plan for responding accordingly. Good luck!

Benefits of conducting a cyber security tabletop exercise

Cyber security tabletop exercises offer a beneficial opportunity for organizations to test their preparedness in the event of a cyber attack. By running through simulated scenarios and thinking through potential complications, organizations can gain insight into the strength of their current protocols and become better prepared to identify risks, respond appropriately, and protect vulnerable data. Tabletop exercises also provide an invaluable platform for employers to build awareness among employees about cyber security issues, increasing employee understanding of the organization’s protocols and encouraging sound judgement as they use technology on a daily basis. Finally, participating in these exercises helps companies comply with laws or standards governing personally identifiable information (PII) by building trust that rigorous procedures are in place and tested regularly to prevent data breach.

Resource: 10 Benefits of Running Cybersecurity Exercises

Tips for making the most out of a cyber security tabletop exercise

Preparing for a cyber security tabletop exercise can be daunting. With preparation, it can become more than just an academic exercise and help bolster real-time resilience of your organization’s network. Here are some tips on making the most out of a cyber security tabletop exercise: Firstly, make sure that all relevant stakeholders are involved in order to gain a fuller understanding of how different teams both interact with each other and process potential threats. Secondly, ensure that all potential scenarios are taken into account – as far-fetched as they may seem – so as to prepare your team better for any eventuality. Thirdly, practice good after-action review tactics such as assessing the strengths and weaknesses of everyone’s responses in order to learn from mistakes and identify processes that went well. And lastly, plan to conduct the exercise on an ongoing basis in order to stay prepared both proactively and reactively; even if new threats arise or goals have shifted since the last time you ran the drill. A cyber security tabletop exercise is an invaluable tool if done right – taking these steps into account can make all the difference.

We deliver cyber training and exercises at ICMC 2023.

Examples of different types of cyber security threats that could be covered in a tabletop exercise

A tabletop exercise is an effective way to test the security of a system by simulating a cyber attack. Tabletop exercises can also be used to generate discussions on how organizations should respond and plan for potential threats. Some of the different types of cyber security threats that could be addressed in a tabletop exercise include Distributed Denial-of-Service (DDoS) attacks, malware spread from malicious emails and links, phishing schemes, SQL injection tactics, and unauthorized access. Other topics may include the need for having backup systems in place, insider threats from disgruntled employees or contractors, ransomware, data breaches, or physical authentication measures like two factor authentication or biometrics. A tabletop exercise provides an opportunity for all relevant stakeholders involved in cybersecurity to have a thoughtful and meaningful conversation about a wide range of topics related to cyber security risks.

Why third party vendors that are critical to your ability to operate should also be running tabletop exercises

In order to remain resilient in the face of cyber threats, organizations need to ensure that their vendors and partners are also taking measures to protect your data. Third-party vendors who provide critical services or products impact a company’s ability to operate and should be held to the same standards as the organization itself when it comes to cybersecurity. That’s why running tabletop exercises with third-party vendors is essential for companies who want to remain secure from cyber attacks. By familiarizing yourself with your vendor’s processes, you can gain insight into how they would handle different types of scenarios. This will help you understand where potential vulnerabilities lie and address any weaknesses before attackers can exploit them. Additionally, working together on a tabletop exercise can foster collaboration between vendors and their customers and create a stronger, more secure relationship. The end result is an increased level of cyber security for the entire organization.

Why the leadership team should stay out of the technical side of a cyber security exercise

Leadership teams should not become too involved in the technical details of a cyber security exercise. It is important for leaders to stay focused on setting goals, guiding the discussion, and ensuring that all stakeholders have a chance to voice their opinions. When leadership gets too involved in the nitty-gritty elements of an exercise, it can lead to confusion or miscommunication between the different participants. Additionally, if leadership becomes too entrenched in the technical aspects of a drill, they may miss out on opportunities to learn from mistakes or identify processes that went well. This limits their ability to effectively direct the organization’s response and prevent threats before they happen. The best approach is for leaders to remain at a higher level while providing general direction and allowing subject matter experts to guide the technical elements of a drill. By doing this, they will be able to stay focused on the overall objective and ensure that everyone is prepared for a cyber attack if it ever occurs.

Validate your cyber security tabletop exercises by having an evaluation criteria

Tabletop exercises are only effective if they provide meaningful and actionable insights. That’s why it’s important to have an evaluation criteria in place that ensures that participants understand the objectives of the drill and can identify areas for improvement. Evaluation criteria should be based on objective standards such as time spent on each element, accuracy of responses, ability to collaborate effectively, or using a scoring system based on severity of potential threats discussed. This allows teams to better measure their performance against established benchmarks and quickly identify any weaknesses or gaps in their cyber security posture. Additionally, having an evaluation criteria helps ensure that all parties involved in the tabletop exercise are taking it seriously and striving to make improvements. Evaluations also serve as a useful tool for validating any changes or updates that have been made to cyber security protocols.

Resource: Tabletop Exercise Group

Create an After Action Report based on your tabletop exercise results

Once the tabletop exercise has been completed and evaluated, it’s important to create an After Action Report (AAR). This document serves as a summary of the drill that includes key insights and lessons learned. An AAR should include a detailed analysis of the objectives met, any adjustments made during the drill, and any areas for improvement identified. It can also provide valuable feedback from participants and help guide decision-making for future drills. By creating an AAR, organizations can ensure that all stakeholders are on the same page about what happened during the exercise and how best to address future cyber security threats. Additionally, having an AAR allows teams to track their progress over time and provides them with a resource they can refer back to when responding to future threats.

Creating and executing on your tabletop exercise remediation plan

After the AAR is finalized, a remediation plan should be developed to ensure gaps are closed. This plan should be based on the findings from the drill, as well as any weaknesses identified in the evaluation criteria. The remediation plan should include specific steps for addressing any issues, such as developing new policies or procedures, enforcing security protocols more strictly, and investing in additional training for staff. It’s important to ensure that any changes made are realistic and can be implemented within the organization’s budget and timeline. Additionally, teams should regularly review their remediation plans to make sure they’re up-to-date with any industry best practices or changes in technology. By following these steps, organizations can create a comprehensive tabletop exercise program that will help them stay ahead of cyber security threats.

By implementing these key elements into your cyber security tabletop exercises, you can ensure that your organization is better prepared for any potential cyber attack. Tabletop exercises are an effective way to keep teams informed and build collaboration among various stakeholders. By having a well-defined evaluation criteria, creating an After Action Report, and developing a remediation plan, organizations can make sure that their drills are as productive as possible and provide meaningful insights into the effectiveness of their cyber security posture.


Tabletop exercises are an effective way for organizations to test their cyber security posture and prepare for potential threats. To maximize the benefit of these drills, teams should develop a clear evaluation criteria, create an After Action Report based on results, and create a remediation plan to address any identified weaknesses. By following these steps, organizations can ensure that their tabletop exercises are as thorough and productive as possible and help them stay ahead of cyber security threats.

Rob Burton
Rob Burton

Rob is a Principal at PreparedEx where he manages a team of crisis preparedness professionals and has over 20 years of experience preparing for and responding to crises. Part of his leadership role includes assisting PreparedEx clients in designing, implementing and evaluating crisis, emergency, security and business continuity management programs. During his career Rob has worked for the US State Department’s Anti-Terrorism Assistance Program, as a crisis management consultant in Pakistan and Afghanistan where he negotiated with the UN and Pashtun tribal warlords and he served with the United Kingdom Special Forces where he operated internationally under hazardous covert and confidential conditions. Rob was also part of a disciplined and prestigious unit The Grenadier Guards where he served Her Majesty Queen Elizabeth II at the Royal Palaces in London. Rob was a highly trained and experienced infantryman serving in Desert Storm and commanded covert operational teams and was a sniper. Rob has keynoted disaster recovery conferences and participated in live debates on FOX News regarding complex security requirements and terrorism. Rob has a Queen’s Commendation for Bravery.