
Mastering Cybersecurity Tabletop Exercises: Building a Strong Cyber Response Team for Success 

A tabletop exercise (TTX) is a simulated cyber event designed to assess how teams would respond to a cyber incident in real time, without causing any actual damage.

The goal is to get team members in the same room (or on the same call) to see how decision-making would be handled under pressure and during complex situations. The exercise is also a chance to test the participants’ knowledge of incident response documentation.

If your organization is planning to develop a tabletop exercise, it is recommended that you determine the “who, what, where, when, and why” as well as the threat vector, in order to properly align objectives and resources.  

Tabletop Exercise Best Practices: Define “Who”

Selecting the correct participants for your exercise is a crucial first step in the planning process. Ensure you understand the participants’ experience level so the approach can be tailored to the attendees. 

Participation may include resources from the following groups: 

  • Management 
  • Technical 
  • Executive 
  • Hybrid 

Most clients we work with rotate through teams to test each level thoroughly. If the organization decides to take a hybrid approach, we encourage you to label each slide with the team that is expected to be involved during that step of the incident response process.

Tabletop Exercise Best Practices: Define “What” 

A TTX revolves around injection points or “injects.” These are small pieces of information that push the participant through the scenario, providing additional information with the intention of learning how the organization would respond. The injects should challenge participants, encourage collaboration amongst teams who typically do not interact, and test incident response capabilities and processes.

It is important not to target injects explicitly at one specific team or person, but instead to open the forum to all participants. This approach tests whether the personnel who should be involved know their role in the response process. Facilitators can typically explain injects to everyone as pieces of a puzzle, and it is important to react and respond to each piece until the full picture is revealed.

Sometimes it is useful to create an attack path, which the participants can review after the exercise, designed to guide the audience from the initial entry through remediation.

Tabletop Exercise Best Practices: Define “Where” 

It’s important to think carefully about where to host the exercise.

Tabletop exercises can be conducted in person, virtually, or in a hybrid format, depending on the organization’s preferences and logistics. 

It is typical for executive/C-suite tabletops to be performed in person to push for collaboration and relationship building. Scheduling with this group is often the most challenging, as it requires strong buy-in from leadership and the coordination of schedules and commitments.

For obvious reasons, virtual and hybrid exercises have become more popular since COVID-19 altered the way people work. If an organization schedules the TTX to be virtual/hybrid, we recommend that all participants be on camera and present during the meeting. We advise that participants comment in the chat if they need to step away, to ensure a section that has been specifically created for their role is not left unanswered.

Regardless of the venue, capturing the attendees' attention must be a prime area of focus. This can be done by prompting the audience with questions as you proceed through the injects, or by asking everyone to minimize any work that is not related to the TTX before it gets started.

Tabletop Exercise Best Practices: Define “When”  

The timing of the exercise should take business objectives and resourcing into account. For example, a technical TTX is typically 2-2.5 hours, while an executive TTX is optimally 90 minutes.  

An often-overlooked step is to ensure that the team members who have key decision points in the exercise are available for the simulation. Scheduling should be coordinated as soon as possible to allow the maximum amount of participation. Time zones should be a priority when determining the exercise's date and time.

Tabletop Exercise Best Practices: Define “Why” 

The primary goal of a TTX is to give participants the chance to discuss and practice their responses to an active incident in a low-stakes environment. It is imperative to provide context to the tabletop prior to the facilitation in order to receive buy-in from all participants. It is recommended to include a thorough calendar invitation that details logistics, predicted outcomes, and what to expect.  

It is often said that “you fight how you train.” Tabletop exercises allow teams to flex their incident response muscles, evaluate communication strategies, and practice decision-making—all of which become critical when a potential cyber-attack occurs.

By going through the motions in advance, organizations can build a more cohesive, responsive team that is ready for when the stakes are high. 

Tabletop Exercise Best Practices: Define the Threat Vector 

Choosing the right cyber threat for the scenario is a great way to keep the exercise relevant and impactful. Start by identifying any specific objectives for the exercise: perhaps you're testing a new tool, addressing a policy gap, or re-testing a previous incident to see how improvements have held up. The scenario should also match your environment. If your organization lacks a cloud presence, for instance, avoid scenarios involving cloud assets.

Common scenarios include ransomware attacks, insider threats, denial-of-service attacks, and business email compromises. To keep the exercise challenging, we recommend adding unexpected complexities, such as compromised communication tools, which could force the team to adapt and collaborate in new ways. 

The Bottom Line on Mastering Tabletop Exercises 

A well-orchestrated tabletop exercise provides invaluable lessons for organizations and allows teams to improve on process and procedure, prior to a possible event.  

By carefully planning the participants, material, setting, timing, and scenario, organizations can ensure that their teams are prepared to handle a cyber crisis when it occurs.  

We highly recommend that organizations rotate threat vectors and participants in order to keep the exercise relevant and useful. Tabletop exercises should be a regular component of an organization’s defense and preparation against cyber-attacks.  
