
Most organizations run one tabletop exercise a year. Some run fewer. At that frequency the exercise is box-checking rather than preparation, and the difference shows when the real call comes in at 2 a.m.

Exercises are expensive, logistically painful, and rarely simulate the conditions that matter most: when your primary systems are compromised and the tools your team relies on every day can't be trusted. You end up running exercises on the very infrastructure that would be unavailable during an actual incident. You practice communication over email, collaboration in Teams, and decision-making through corporate channels, and none of that tests what actually breaks under attack.

This guide covers how to design realistic cybersecurity exercise scenarios for the three attack types your organization is most likely to face: ransomware, phishing, and insider threats. The goal is to surface the real gaps before an attacker does, so you can respond from a position of strength rather than scrambling through chaos.

 

Why Most Exercises Don't Do What You Think They Do

A team can walk through a technically accurate ransomware scenario and still leave the room no better prepared than when they arrived, because the exercise never stressed the things that actually fail during incidents. The failures are structural, not scenario-based.

The most common failure modes share a pattern. The scenario is too abstract, with no operational pressure and no time constraints, so participants reason through decisions rather than make them under stress. The wrong people are in the room: IT and security only, with no legal counsel, no communications lead, and no executive sponsor. The exercise runs entirely on corporate infrastructure, which means nobody tests what incident preparedness actually requires when that infrastructure is offline or compromised. The debrief gets rushed or skipped. The gaps identified in the after-action never make it back into the playbooks.

There is also a frequency problem. One exercise per year finds one round of gaps. It doesn't build the muscle memory that lets teams move quickly and decisively when the scenario is real. ShadowHQ users run tabletop exercises at more than twice the industry rate, 85% versus a 40% industry average, because frequency is where preparation compounds.

Assess where your program stands today before designing your next exercise. Knowing your actual gaps determines which scenario type you need and which gaps to stress.

 

What a Well-Designed Exercise Scenario Requires

Every exercise needs a clear starting condition: an initial alert, an anomaly report, or a specific user action that triggers the scenario. From there, injections (escalating events that force decisions) drive the exercise forward and prevent participants from stalling at the theoretical level.

Role assignments matter. An IR lead, CISO, legal representative, communications lead, and executive sponsor should all have defined functions in the exercise, not because you need everyone in the room, but because the exercise should stress the coordination between those functions.

Time pressure is non-negotiable. Exercises without deadlines don't test real behavior. They test what participants think the right answer is, not how fast they can get to it under pressure. The industry average for IR team activation is five hours. If your exercise doesn't surface why that number is that high for your organization, it hasn't done its job.

The most frequently overlooked component is the communications layer. Every exercise should run out-of-band from your primary systems. That means practicing coordination through a crisis response management framework that exists independently of your email, your corporate messaging tools, and any system that touches your SSO environment. If your exercise infrastructure is the same infrastructure that would be compromised in a real attack, you haven't tested the thing that will actually fail.

Advanced exercises can layer in red team participation, external stakeholder simulation (insurance representatives, regulators, or a simulated media inquiry), and compliance documentation requirements. The core principle stays the same regardless of complexity: stress the decision points, not just the technical details. Who calls what, when, and on what platform, especially when primary systems are down.

See the incident response plan templates and cost breakdown for a structured starting point if your current playbooks need rebuilding before an exercise will generate useful findings.

 

Ransomware: The Scenario That Tests Everything at Once

Setting the Stage

Your starting condition: encrypted file shares detected across three business units, ransom notes on three workstations, and the IT helpdesk fielding calls it can't answer because nobody has authority to act. The containment-versus-continuity decision is what makes ransomware exercises the hardest to run well, because nobody has practiced making that call under pressure.

The critical decision points are: Who has authority to isolate critical systems, and is that authorization documented anywhere? Do you pay the ransom, and if so, who decides? What legal exposure does that decision create? How do you communicate to employees when email is down? Can your IR team activate using tools that don't touch your corporate environment?

Understanding why SSO dependency compounds ransomware exposure matters here. In environments where SSO credentials are the key to every system, a ransomware event and a credential compromise often arrive together, and the communications tools you'd use to coordinate your response may already be inaccessible.

 

Injects That Create Useful Pressure

Inject 1: Backup systems are also encrypted. Your recovery timeline is unknown.
Inject 2: The attacker makes contact with a ransom demand and a 48-hour deadline.
Inject 3: A business unit head, frustrated by the pace of the official response, bypasses IT to restore operations from a local copy, creating a new attack surface in the process.
Inject 4: Your cyber insurer requires incident documentation within 24 hours to preserve coverage.
Inject 5: A local news outlet contacts your communications team for comment.

Each injection is designed to break whatever assumption the team was operating under and force a new decision without the luxury of preparation time.

 

What This Exercise Should Surface

IR team activation time is the first metric. If it takes your team four hours to get the right people in a coordinated channel, you know the first thing to fix. Communication plan gaps come next, particularly whether your organization has an out-of-band backup when corporate email is encrypted. Decision authority gaps reveal themselves quickly when injections keep arriving and nobody can move: who actually has the power to authorize system isolation at 11 p.m.? Backup and recovery assumptions that have never been tested under pressure will surface within the first thirty minutes. Regulatory notification obligations and their timelines are frequently underprepared, particularly when insurance requirements are added to the mix.

See how a US bank reinforced its incident response, and how to move from ad hoc response to incident-ready, for organizations that have already worked through these gaps.

 

Phishing: Where Detection Speed Determines Blast Radius

 

Setting the Stage

Your starting condition: one user reports a suspicious email. IT discovers that 40 other users clicked the same link over the previous six hours before anyone flagged it. The exercise shifts from containment to scope: how far did the credential harvest spread before you knew it was happening?

The decision points your team needs to work through: How quickly can you identify every affected account? Do you lock accounts broadly, accepting significant operational disruption, or surgically, accepting a slower process with more residual risk? What is the communication protocol for affected employees, and what channel do you use if their corporate email may be compromised? Is your detection tool alerting on behavioral anomalies or waiting for known indicators of compromise?

How phishing attacks exploit SSO configurations should be surfaced explicitly in this scenario, because SSO is the force multiplier that converts a single clicked link into enterprise-wide credential exposure.

 

Escalation Injects

Inject 1: An attacker used harvested credentials to access a shared finance drive four hours before the initial report.
Inject 2: The compromised account belongs to an executive, and the attacker has been sending internal emails posing as that person for the past two hours.
Inject 3: A third-party vendor reports anomalous access from your IP range.
Inject 4: Legal flags that the compromised data includes PII, triggering GDPR or state privacy law obligations.
Inject 5: IT discovers the phishing kit was active for 72 hours before anyone detected it.

 

What This Exercise Should Surface

Detection lag is the primary gap this scenario is designed to find. Six hours between first click and first report is a number your team needs to know, because it determines how wide the blast radius gets before anyone acts. Credential hygiene gaps (MFA coverage, shared passwords, stale accounts that should have been deprovisioned) become visible when the injection forces you to enumerate affected accounts quickly. Escalation chain clarity matters most when an executive account is involved, because the political dynamics shift and teams that haven't pre-defined who owns that situation will stall. Third-party exposure is frequently underprepared: do your vendor agreements require you to notify, and within what timeframe? Employee communication protocols need to be tested end-to-end, including which channel you use when corporate communications can't be trusted.

Where SIEM, SOAR, and incident management each fit is useful alongside this scenario, particularly if detection lag is a gap the exercise surfaces. Understanding what each tool class covers, and what it doesn't, clarifies where to invest next.

 

Insider Threats and the Jurisdictional Problem

 

Setting the Stage

Your starting condition: a DLP alert flags a large data export by a departing employee. HR notified the CISO two days after the employee's last day. Legal constraints on what you can investigate before involving counsel, combined with operational urgency to contain exposure, put your cross-functional coordination under direct stress.

The decision points: What actions can you take before legal and HR are formally involved? How do you contain access without tipping off the individual if they still have working credentials? What evidentiary standard applies if you're considering escalation to law enforcement? If this is a privileged user, an IT administrator or a DevOps engineer with production access, how does that change both the scope of exposure and the response authority structure?

 

Injects That Force Hard Calls

Inject 1: The exported data includes customer PII and proprietary source code.
Inject 2: The individual shared credentials with a third party, so the exposure is no longer internal.
Inject 3: Legal advises that immediate account lockout may destroy forensic evidence and counsels against it.
Inject 4: The individual contacts their former manager directly, creating social pressure on the team and a potential evidence chain.
Inject 5: A media inquiry arrives. There are rumors on LinkedIn of "data theft" from your organization.

 

What This Exercise Should Surface

Off-boarding process gaps are almost always the first finding. Access revocation timelines for standard users are typically documented; timelines for privileged accounts, particularly IT administrators with access to production systems, are often not. DLP coverage and alert routing need to be examined: who receives the alert, how quickly, and what authority do they have to act on it? Cross-functional coordination gaps between HR, legal, IT, and the CISO's office surface clearly in this scenario because each function has different incentives and constraints. Forensic preservation protocols (do you have documented procedures for preserving evidence before taking containment action?) are frequently absent. Communication discipline during an active investigation is its own risk: internal leaks during insider threat investigations are a second incident layered onto the first.
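The off-boarding finding above is one you can check for directly rather than wait for an exercise to surface. The following is an added example, not ShadowHQ code or part of the original article: it compares a list of HR departures against identity-directory account state and flags accounts that were still enabled past the revocation deadline, using a shorter deadline for privileged accounts than for standard users. The SLA values, the group names that mark an account as privileged, and all the departure and account records are constructed for the example.

```python
"""Off-boarding gap check (added example): find departed users whose accounts
were disabled late, or not at all, with a stricter deadline for privileged
accounts.  All policy values and records below are constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

# Assumed policy (hypothetical, not from the page): standard accounts disabled
# within 24 hours of the last working day, privileged accounts within 1 hour.
REVOCATION_SLA = {"standard": timedelta(hours=24), "privileged": timedelta(hours=1)}
# Assumed directory groups that mark an account as privileged.
PRIVILEGED_GROUPS = frozenset({"domain-admins", "prod-deploy", "dba"})


@dataclass
class Departure:
    user: str
    last_day: datetime  # end of the last working day, from the HR record


@dataclass
class Account:
    user: str
    groups: FrozenSet[str]
    disabled_at: Optional[datetime]  # None means the account is still enabled


@dataclass
class Finding:
    user: str
    tier: str            # "standard" or "privileged"
    status: str          # "still enabled" or "disabled late"
    overdue: timedelta   # time past the revocation deadline


def tier_of(account: Account) -> str:
    """Any membership in a privileged group makes the whole account privileged."""
    return "privileged" if account.groups & PRIVILEGED_GROUPS else "standard"


def check_offboarding(departures: List[Departure], accounts: List[Account],
                      now: datetime) -> List[Finding]:
    """Return one finding per departed user whose access outlived its deadline."""
    by_user = {a.user: a for a in accounts}
    findings = []
    for d in departures:
        acct = by_user.get(d.user)
        if acct is None:
            continue  # no directory account on record; nothing to revoke here
        tier = tier_of(acct)
        deadline = d.last_day + REVOCATION_SLA[tier]
        if acct.disabled_at is None:
            if now > deadline:
                findings.append(Finding(d.user, tier, "still enabled", now - deadline))
        elif acct.disabled_at > deadline:
            findings.append(Finding(d.user, tier, "disabled late", acct.disabled_at - deadline))
    # Privileged findings first, then the most overdue within each tier.
    findings.sort(key=lambda f: (f.tier != "privileged", -f.overdue.total_seconds()))
    return findings


# Constructed sample data: four departures, one still-enabled privileged account.
NOW = datetime(2024, 6, 3, 9, 0)
DEPARTURES = [
    Departure("alice", datetime(2024, 5, 31, 17, 0)),
    Departure("bob", datetime(2024, 5, 31, 17, 0)),
    Departure("carol", datetime(2024, 5, 30, 17, 0)),
    Departure("dave", datetime(2024, 5, 31, 17, 0)),
]
ACCOUNTS = [
    Account("alice", frozenset({"staff"}), datetime(2024, 6, 1, 10, 0)),      # on time
    Account("bob", frozenset({"staff", "prod-deploy"}), None),                  # privileged, still enabled
    Account("carol", frozenset({"staff"}), datetime(2024, 6, 2, 8, 0)),       # 39 hours late
    Account("dave", frozenset({"domain-admins"}), datetime(2024, 5, 31, 17, 30)),  # on time
]

if __name__ == "__main__":
    for f in check_offboarding(DEPARTURES, ACCOUNTS, NOW):
        hours = f.overdue.total_seconds() / 3600
        print(f"{f.user:6} {f.tier:10} {f.status:14} {hours:.0f}h past deadline")
```

Run against real exports (an HR departures report and an IdP or AD account dump), the same loop gives you the privileged-account revocation timeline the text says is usually undocumented, and the sort order puts the accounts that matter most at the top of the debrief.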

Compliance documentation requirements for insider threat incidents and how H.I.G. Capital strengthened incident governance are useful references after this scenario surfaces its findings.

 

Running Exercises Without a $30,000 to $50,000 Consultant

External engagements cost $30,000 to $50,000 each, which forces organizations into an annual cadence at best. Scenarios are often generic, not calibrated to your specific environment, technology stack, or organizational dynamics. Findings live in a static report rather than feeding back into your working playbooks. And the out-of-band communications component, the part that matters most, is frequently absent because the exercise runs on the same corporate infrastructure that would be unavailable during an actual attack.

One exercise per year finds one round of gaps. Quarterly exercises build muscle memory and let teams internalize response procedures rather than look them up.

ShadowHQ platform capabilities are designed specifically for this: unlimited exercises, unlimited participants, scenario libraries with real-world injects that you can customize to your environment, and an out-of-band environment that means the exercise itself runs the way a real incident would. Reporting and audit logs are built in, which matters when your insurer or auditor asks not just whether you ran exercises, but what you found and what you did about it. How the virtual bunker works explains the out-of-band architecture that makes this possible.

What crisis management software actually does and building an effective crisis management strategy provide additional context on how purpose-built platforms differ from adapting general-purpose tools for incident scenarios.

 

The Debrief: Where Exercises Either Pay Off or Don't

The debrief has two distinct phases, and conflating them is a common mistake. The hot wash happens immediately after the exercise ends, running 30 to 60 minutes, focused on immediate impressions while everything is fresh. The formal after-action report follows within five business days, with a documented timeline, specific findings, and named owners for every action item. These serve different purposes and shouldn't be treated as interchangeable.

Both phases follow the same sequence. Start with timeline reconstruction (no blame). Document what worked explicitly, because repeatable good behavior needs to be reinforced, not just assumed. Identify specific gaps with operational detail, not vague impressions. Close with action items that have named owners and deadlines. A parking lot without owners and deadlines is not an action list.
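Timeline reconstruction is easier when the facilitator timestamps every inject and every recorded decision during the exercise. The following is an added example, not ShadowHQ code or part of the original article: it parses a small exercise event log and computes the metrics the ransomware and phishing sections call out, IR activation time and detection lag, plus the time from each inject to the team's recorded decision, and turns the misses into debrief findings. The event log, the event names and the target thresholds are constructed for the example; the page itself only cites the five-hour industry average for activation.

```python
"""Exercise timeline metrics (added example): reconstruct the timeline from a
facilitator log and compute activation time, detection lag and per-inject
decision latency.  The log and the targets below are constructed."""

from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed facilitator log: "<ISO timestamp> <event> <free-text detail>".
# "inject:N" marks an inject being issued, "decision:N" the team's recorded
# decision for it.  first_click is scenario backstory, not something the team saw.
SAMPLE_LOG = """\
2024-05-14T09:00:00 first_click user clicked the phishing link (scenario backstory)
2024-05-14T15:00:00 first_report user reports the suspicious email to IT
2024-05-14T15:05:00 scenario_start facilitator opens the exercise
2024-05-14T16:20:00 ir_activated IR lead, legal, comms and exec sponsor in the out-of-band channel
2024-05-14T16:30:00 inject:1 attacker reached the shared finance drive four hours before the report
2024-05-14T16:48:00 decision:1 reset credentials for every account with access to that drive
2024-05-14T17:00:00 inject:2 compromised executive mailbox has been sending internal email
2024-05-14T17:45:00 decision:2 mailbox disabled, staff warned over the out-of-band channel
2024-05-14T18:00:00 inject:3 vendor reports anomalous access from our IP range
"""

# Assumed targets for this example (hypothetical); the text only gives the
# five-hour industry average for activation.
ACTIVATION_TARGET_MINUTES = 60
DETECTION_LAG_TARGET_MINUTES = 60
DECISION_TARGET_MINUTES = 30


@dataclass
class Event:
    at: datetime
    name: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse one event per line, skipping blank or malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) < 2:
            continue
        detail = parts[2] if len(parts) == 3 else ""
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], detail))
    return sorted(events, key=lambda e: e.at)


def first(events: List[Event], name: str) -> Optional[datetime]:
    """Timestamp of the first event with this name, or None if it never happened."""
    return next((e.at for e in events if e.name == name), None)


def minutes_between(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
    if start is None or end is None:
        return None
    return (end - start).total_seconds() / 60


def activation_minutes(events: List[Event]) -> Optional[float]:
    """Scenario start to the IR team being together in a coordinated channel."""
    return minutes_between(first(events, "scenario_start"), first(events, "ir_activated"))


def detection_lag_minutes(events: List[Event]) -> Optional[float]:
    """First malicious click to first user report."""
    return minutes_between(first(events, "first_click"), first(events, "first_report"))


def inject_decision_latency(events: List[Event]) -> Dict[str, Optional[float]]:
    """Minutes from each inject to its recorded decision; None if no decision was logged."""
    latency: Dict[str, Optional[float]] = {}
    for e in events:
        if e.name.startswith("inject:"):
            inject_id = e.name.split(":", 1)[1]
            latency[inject_id] = minutes_between(e.at, first(events, f"decision:{inject_id}"))
    return latency


def debrief_findings(events: List[Event]) -> List[str]:
    """Misses against the targets, in the order they would be raised in the hot wash."""
    findings = []
    act = activation_minutes(events)
    if act is None:
        findings.append("activation: IR team never reached a coordinated channel")
    elif act > ACTIVATION_TARGET_MINUTES:
        findings.append(f"activation: {act:.0f} min to coordinated channel (target {ACTIVATION_TARGET_MINUTES})")
    lag = detection_lag_minutes(events)
    if lag is not None and lag > DETECTION_LAG_TARGET_MINUTES:
        findings.append(f"detection: {lag:.0f} min from first click to first report (target {DETECTION_LAG_TARGET_MINUTES})")
    for inject_id, mins in inject_decision_latency(events).items():
        if mins is None:
            findings.append(f"inject {inject_id}: no decision recorded")
        elif mins > DECISION_TARGET_MINUTES:
            findings.append(f"inject {inject_id}: {mins:.0f} min to decide (target {DECISION_TARGET_MINUTES})")
    return findings


if __name__ == "__main__":
    for finding in debrief_findings(parse_log(SAMPLE_LOG)):
        print(finding)
```

An inject with no recorded decision is reported as a finding in its own right, because a team that stalls on an inject is exactly the decision-authority gap the scenarios above are designed to expose; the numbers feed the after-action report directly, with no reconstruction from memory.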

Documentation serves multiple purposes beyond internal improvement. Insurers and auditors ask to see exercise records, not just confirmation that an exercise occurred, but evidence of what gaps were identified and what remediation steps followed. Using exercise documentation for compliance and audit purposes covers the specific requirements you should build toward. Turning exercise findings into a stronger incident preparedness plan addresses how findings feed back into the preparation framework so each exercise makes the next one more productive.

Feeding findings back into your playbooks is where most programs leave value on the table. An exercise that surfaces a gap in your ransomware containment playbook should produce a revised playbook before the next exercise runs. If the gap stays in a report and never makes it back into the working document your team will use under attack, the exercise accomplished less than it should have.

 

Choosing the Right Exercise Type for Where You Are

A full-scale tabletop exercise is the right choice if you haven't run an exercise in twelve or more months, if your organization has gone through a significant infrastructure change such as a cloud migration or acquisition, if your IR plan is new or substantially revised, or if you have cross-functional coordination gaps to close between legal, communications, and executive leadership. These scenarios benefit from the broadest possible participant set and the most realistic inject sequence you can build.

A functional drill, focused on a single team or process, makes more sense if you run exercises regularly and want to stress-test a specific playbook or workflow. These typically run two to three hours rather than a full day, and are well suited to testing a specific response procedure like ransomware containment rather than the full cross-functional response.

A red team or adversarial simulation belongs in mature IR programs that want to validate their detection capabilities, not just their response procedures. This requires both budget and the internal capability to act on findings quickly. It tests whether your tools find what they should find, not just whether your team knows what to do after an alert.

If you're unsure which type fits your current state, start with the readiness assessment before designing the exercise. It identifies your biggest gaps, which determines the scenario type that will generate the most useful findings. How to prepare based on where you are today addresses what comes before and after the exercise itself.

 

Taking the Next Step

Running exercises is harder than it should be, and the cost of doing it properly has kept most organizations stuck at once a year. That gap between what good preparation requires and what organizations can practically execute is exactly the problem ShadowHQ is built to close.

Our platform gives IR teams a virtual bunker to operate from: out-of-band, always available, already loaded with exercise scenarios, playbooks, and the communications tools your team needs when primary systems are offline or compromised. When the worst phone call of your career comes in, the question is whether your team has practiced enough times, in conditions close enough to reality, to respond from a position of strength.

If you want to see how it works against a scenario that matches your environment, book a 30-minute demo. We walk through the platform against a live scenario, no slide deck. If you'd rather start with a self-assessment first, take the readiness assessment to see where your program stands before the next exercise.
