Practical guides, honest takes, and real-world analysis from our security team. We write about what works (and what doesn't) in incident response training.
Most security teams have an incident response plan. Almost none of them have tested it under pressure. Here's how tabletop exercises change that — and why a checklist in a binder isn't enough.
PowerPoint slides. Pre-scripted answers. Once-a-year checkbox compliance. If that sounds like your last tabletop exercise, you're not alone — and you're not getting value from it.
Annual exercises feel responsible until ransomware hits 11 months after your last one. Here's the case for quarterly — and an honest look at when it might be too much for smaller teams.
HSEEP, FEMA's Homeland Security Exercise and Evaluation Program (the methodology CISA's tabletop exercise packages follow), is the gold standard for exercise design in critical infrastructure — but it can feel bureaucratic if you're not in government. We break down the parts that matter.
It's 6am. Your SIEM is lighting up. File shares are encrypting. What you do in the next 60 minutes determines whether this is a contained incident or a front-page story.
NIST SP 800-61 describes 4 phases. SANS describes 6, remembered by the acronym PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Which framework actually works when your pager goes off at 2am? A practitioner's take on what matters.
You've been asked to run a tabletop exercise. You've never done one before. Here's a step-by-step walkthrough — from getting buy-in to writing the after-action report.
SP 800-61r2 was published in 2012, and NIST has since issued Revision 3 to replace it. Here's what the framework gets right, what feels dated, and how to apply it without treating it as gospel.
A 90-minute exercise template built around a realistic ransomware scenario. Includes the "to pay or not to pay" discussion — the hardest 15 minutes your IR team will face.
Bad scenarios are either too easy ("what would you do?") or too hard ("everything is on fire"). The Goldilocks Principle helps you find the sweet spot that actually trains your team.
A plan that hasn't been tested is a plan that won't work. Five methods for testing — from a quick doc review to a full-scale exercise — and how to pick the right one for your team size.
Under GDPR you have 72 hours from becoming aware of a personal data breach to notify the supervisory authority (DPA). Penalties go up to €20M or 4% of global annual turnover, whichever is higher. Here's the timeline, the paperwork, and the parts most teams forget.
Annex A.5.24 through A.5.28 in ISO 27001:2022 — what auditors actually look for, what you can get away with, and what will fail your cert if you skip it.
One costs under $5K. The other starts at $50K. They test completely different skills. Here's an honest breakdown of when you need each — and when a TTX is genuinely enough.