Why This Matters

Organizations that conduct regular tabletop exercises detect and contain incidents 30% faster than those that don't. This guide will help you run exercises that actually build muscle memory—not just check compliance boxes.

What is a Tabletop Exercise?

A tabletop exercise (TTX) is a discussion-based training session where your team walks through a simulated incident scenario. Unlike live drills or penetration tests, tabletop exercises focus on decision-making, communication, and coordination—the human elements that often break down during real incidents.

Low Cost

No infrastructure needed

Low Risk

No production impact

High Value

Tests procedures and people

The 4-Phase Tabletop Exercise Process

Follow this proven methodology for effective exercises:

Planning & Preparation

2-3 weeks before

Define exercise objectives

What specific capabilities are you testing? Detection, containment, communication?

Select scenario type

Choose based on your threat landscape: ransomware, data breach, DDoS, etc.

Identify participants

Include all teams involved in real incident response: SOC, IT, legal, comms, leadership

Develop scenario narrative

Create realistic injects that progress through the attack lifecycle

Prepare logistics

Book room, send calendar invites, prepare materials, brief observers

Exercise Kickoff

15-20 minutes

Set ground rules

This is a learning environment. There are no wrong answers. Speak up.

Explain format

How injects will be delivered, how to ask questions, what decisions are needed

Review roles

Clarify who is playing what role (yourself vs. your position)

Establish baselines

Describe current infrastructure, tools, and procedures available

Scenario Execution

90-120 minutes

Deliver initial inject

Present the opening scenario (e.g., "EDR has detected suspicious activity...")

Facilitate discussion

Ask: "What would you do next? Who would you notify? What tools would you use?"

Introduce complications

Add pivots based on team decisions (e.g., "Your backup system is also encrypted")

Track decisions

Document key decisions, gaps identified, and areas of confusion

Manage time

Keep discussion moving. Avoid rabbit holes. Stay focused on objectives.

Hot Debrief & Analysis

30-45 minutes

Review timeline

Walk through what the team did, in what order, and why

Identify successes

What went well? What procedures worked as intended?

Surface gaps

What was unclear? Where did communication break down? What tools were missing?

Assign action items

Concrete next steps to address gaps: update playbooks, train teams, procure tools

Schedule follow-up

When will you re-test? How will you track improvement?

Facilitation Tips for Success

Ask Open-Ended Questions

Instead of "Would you call the CISO?", ask "Who needs to be notified and when?"

Embrace Awkward Silence

Give people time to think. Don't fill every pause. Silence drives deeper thinking.

Challenge Assumptions

If someone says "We'd restore from backup," ask "How long would that take? Who approves it?"

Stay Scenario-Focused

When discussions drift to "we should buy tool X," note it but return to the scenario.

Document Live

Have a scribe capturing decisions, gaps, and action items in real-time.

No Blame Game

Focus on process and procedure gaps, not individual performance.

Common Pitfalls to Avoid

Making it too easy

Why it's bad: Team doesn't encounter real decision points or stress

Fix: Add complications and time pressure

Making it too hard

Why it's bad: Team gets overwhelmed and shuts down

Fix: Start simple, build complexity gradually

Turning it into training

Why it's bad: Becomes lecture instead of exercise

Fix: Test, don't teach. Note gaps for later training

Skipping the debrief

Why it's bad: Lessons aren't captured or acted upon

Fix: Debrief is mandatory. No early escapes.

No follow-through

Why it's bad: Identified gaps never get fixed

Fix: Assign owners and deadlines for action items

Ready to Run Your First Tabletop Exercise?

Breakpoint provides pre-built scenarios, AI-powered injects, and automated scoring so you can focus on facilitation—not preparation.

Start Free Trial Browse Scenarios

How to Run a Ransomware Tabletop Exercise

Specific guidance for ransomware scenarios

Incident Response Best Practices 2025

Latest IR best practices and frameworks

What is a Tabletop Exercise?

Low Cost

No infrastructure needed

Low Risk

No production impact

High Value

Tests procedures and people

The 4-Phase Tabletop Exercise Process

Follow this proven methodology for effective exercises:

Planning & Preparation

2-3 weeks before

Define exercise objectives

What specific capabilities are you testing? Detection, containment, communication?

Select scenario type

Choose based on your threat landscape: ransomware, data breach, DDoS, etc.

Identify participants

Include all teams involved in real incident response: SOC, IT, legal, comms, leadership

Develop scenario narrative

Create realistic injects that progress through the attack lifecycle

Prepare logistics

Book room, send calendar invites, prepare materials, brief observers

Exercise Kickoff

15-20 minutes

Set ground rules

This is a learning environment. There are no wrong answers. Speak up.

Explain format

How injects will be delivered, how to ask questions, what decisions are needed

Review roles

Clarify who is playing what role (yourself vs. your position)

Establish baselines

Describe current infrastructure, tools, and procedures available

Scenario Execution

90-120 minutes

Deliver initial inject

Present the opening scenario (e.g., "EDR has detected suspicious activity...")

Facilitate discussion

Ask: "What would you do next? Who would you notify? What tools would you use?"

Introduce complications

Add pivots based on team decisions (e.g., "Your backup system is also encrypted")

Track decisions

Document key decisions, gaps identified, and areas of confusion

Manage time

Keep discussion moving. Avoid rabbit holes. Stay focused on objectives.

Hot Debrief & Analysis

30-45 minutes

Review timeline

Walk through what the team did, in what order, and why

Identify successes

What went well? What procedures worked as intended?

Surface gaps

What was unclear? Where did communication break down? What tools were missing?

Assign action items

Concrete next steps to address gaps: update playbooks, train teams, procure tools

Schedule follow-up

When will you re-test? How will you track improvement?

Facilitation Tips for Success

Ask Open-Ended Questions

Instead of "Would you call the CISO?", ask "Who needs to be notified and when?"

Embrace Awkward Silence

Give people time to think. Don't fill every pause. Silence drives deeper thinking.

Challenge Assumptions

If someone says "We'd restore from backup," ask "How long would that take? Who approves it?"

Stay Scenario-Focused

When discussions drift to "we should buy tool X," note it but return to the scenario.

Document Live

Have a scribe capturing decisions, gaps, and action items in real-time.

No Blame Game

Focus on process and procedure gaps, not individual performance.

Common Pitfalls to Avoid

Making it too easy

Why it's bad: Team doesn't encounter real decision points or stress

Fix: Add complications and time pressure

Making it too hard

Why it's bad: Team gets overwhelmed and shuts down

Fix: Start simple, build complexity gradually

Turning it into training

Why it's bad: Becomes lecture instead of exercise

Fix: Test, don't teach. Note gaps for later training

Skipping the debrief

Why it's bad: Lessons aren't captured or acted upon

Fix: Debrief is mandatory. No early escapes.

No follow-through

Why it's bad: Identified gaps never get fixed

Fix: Assign owners and deadlines for action items

Ready to Run Your First Tabletop Exercise?

Breakpoint provides pre-built scenarios, AI-powered injects, and automated scoring so you can focus on facilitation—not preparation.

Start Free Trial Browse Scenarios

How to Conduct an Incident Response Tabletop Exercise

Why This Matters

What is a Tabletop Exercise?

The 4-Phase Tabletop Exercise Process

Planning & Preparation

Exercise Kickoff

Scenario Execution

Hot Debrief & Analysis

Facilitation Tips for Success

Ask Open-Ended Questions

Embrace Awkward Silence

Challenge Assumptions

Stay Scenario-Focused

Document Live

No Blame Game

Common Pitfalls to Avoid

Ready to Run Your First Tabletop Exercise?

Related Articles

How to Run a Ransomware Tabletop Exercise

Incident Response Best Practices 2025

How to Conduct an Incident Response Tabletop Exercise

Why This Matters

What is a Tabletop Exercise?

The 4-Phase Tabletop Exercise Process

Planning & Preparation

Exercise Kickoff

Scenario Execution

Hot Debrief & Analysis

Facilitation Tips for Success

Ask Open-Ended Questions

Embrace Awkward Silence

Challenge Assumptions

Stay Scenario-Focused

Document Live

No Blame Game

Common Pitfalls to Avoid

Ready to Run Your First Tabletop Exercise?

Related Articles

How to Run a Ransomware Tabletop Exercise

Incident Response Best Practices 2025