In depth
The right tabletop has a tight, plausible scenario (ransomware encrypting the production database in the middle of quarter-end close; a critical zero-day in your reverse proxy with an active in-the-wild exploit; a data-exfiltration extortion email demanding payment in 72 hours), well-chosen participants (security, IT, engineering, legal, communications, finance, the executive on call, the board chair, the external IR firm, outside counsel), and a facilitator who is willing to introduce inconvenient injects mid-flow ("the on-call legal counsel is on a flight, you cannot reach her for four hours — what do you do"). A typical exercise runs two to four hours and produces a written hotwash with prioritised action items.
Tabletops should be routine, not theatrical. NIST SP 800-84 (Guide to Test, Training, and Exercise Programs) and ISO 22301 (business continuity) both recommend regular exercises. Most cyber-insurance underwriters now ask whether tabletops are conducted at least annually. PCI DSS v4.0 Requirement 12.10.2 requires testing of the incident-response plan at least once every twelve months. SOC 2 CC7.3 expects evidence of incident-response testing. Boards increasingly ask to sit in on a tabletop themselves to understand the response process firsthand.
The most common failure mode is a tabletop that is too easy — everyone agrees the playbook works, no gaps are surfaced, and the exercise becomes a check-box item. A good facilitator deliberately breaks the easy assumptions: the EDR is also compromised, the backup admin is on holiday, the executive who can authorise the ransom payment is uncontactable, the cyber-insurance broker only takes calls during business hours. See adversary simulation services.