Incident Response 101: How to Run a Tabletop Exercise

Incident response plans prepare organizations for a wide range of possible scenarios that threaten the business. Creating these plans beforehand gives teams a playbook to look to when a threat becomes a reality.

According to IBM, the cost of a data breach in 2023 was an average US$4.45 million — a 15% increase over three years. Developing and practicing incident response plans helps minimize the impact of a successful breach.

However, crafting incident response plans alone isn’t enough — teams need to practice them to prepare for a real incident. There are several ways to practice incident response plans, and all of them are worth exploring.

So, what’s wrong with the way tabletop exercises are handled today? Common challenges include looping in external partners, infrequency of training, lack of organizational context and customization, and not considering your organization’s unique cyber risk profile. 

This exercise is invaluable for identifying gaps in response plans and improving coordination among various stakeholders, including IT, security, legal, and communications teams.

So, let’s examine exactly what a tabletop exercise is, how it benefits your teams, and the steps necessary to conduct successful ones on your own.


The Industry Standard Approach to Tabletop Exercises?

A tabletop exercise is a discussion-based practice session where team members meet to discuss key aspects of various scenarios in a low-stress environment. 

This type of exercise aims to run through response plans, policies, and procedures without involving any actual IT resources. While other exercises involve virtual environments or working in war rooms, this type focuses on verbal discussions about reacting to the given scenario without “boots on the ground.”

A tabletop exercise simulates IT and cybersecurity incidents in incident response plans, such as data breaches, ransomware attacks, or system outages. It allows response teams to practice their roles and refine their actions away from IT resources. 

But the current approach to tabletop exercises has its own flaws. These include:

  • Fragmented tools: These exercises often combine disparate tools, creating a lot of friction and confusion into how these exercises should be carried out.
  • Login credential fatigue: Juggling multiple logins, emails, passwords, and authentication requirements only further complicates these exercises.
  • Vendor dependency: Many companies fear trying to carry out tabletop exercises on their own, leading to vendor dependency.
  • Risk and stakeholder mapping: Tabletop exercises may practice a specific scenario, but they often don’t consider the specific department-level stakeholders required to execute a response during a crisis. For example, looping in supply chain leaders for a supply chain-focused crisis. It’s important to map out risk when deciding which stakeholders to include.
How to Run An Incident Response Tabletop Exercise

Running a tabletop exercise as part of incident response training is critical to preparing an organization for potential crises. These exercises simulate a realistic incident to test the organization’s response procedures, communication, and decision-making in a controlled environment. 

So, let’s break down how you can run a modern tabletop exercise to practice and refine incident response plans.

1. Define Objectives

The first step is deciding the focus and specific objectives of the tabletop exercise. Defining objectives starts by identifying key vulnerabilities and potential threats that could significantly impact your organization.

Here are a few key questions you should be able to answer:

  • What level of readiness and preparedness does the drill show?
  • Do you need a detailed report to support compliance requirements?
  • Do you need to demonstrate preparedness for insurance or other regulatory requirements?
  • How often are you running tabletop exercises?
  • How thorough are these exercises?
  • How long do they last on average?

What specific aspects of those threats require new or refined incident response plans? For example, you may need to practice new communication protocols following a cyber attack.

You may use SMART, a project management approach to defining objectives. Objectives should be Specific, Measurable, Achievable, Relevant, and Time-bound (SMART). Are your defined objectives hitting these marks?

Lastly, you should be prepared to articulate and convey these objectives to participants ahead of tabletop exercise to inform the session.

2. Develop the Scenario

The traditional approach to tabletop exercises is more a means to an end. It’s about demonstrating you’ve done the exercise. A modern approach goes far beyond that — working to highlight that you are ready to address very specific threats to the business, individual departments, or other areas.

Building a compelling and realistic scenario requires thoroughly understanding the organization’s risks. Your chosen scenario should reflect the most probable and dangerous threats specific to the organization, such as a cyber attack, natural disaster, or supply chain disruption.

Work with stakeholders across various departments to gather input and ensure the scenario covers all critical aspects of the organization’s operations. What keeps them up at night? What threats and vulnerabilities face their departments?

The scenario should be complex enough to challenge participants but not so convoluted that it derails the exercise. Remember, these exercises take place away from work machines and should be designed without requiring granular technical details.

An ideal scenario will include triggers, a timeline of events, and unexpected events added during the exercise. A well-crafted scenario forces participants to make difficult decisions and tests the organization’s policies and procedures.

3. Select Participants

It’s important to select the right participants for your tabletop exercise. Sure, an incident may impact the IT landscape and critical business systems. But in most cases, it also affects operations too.

Participants should include a cross-departmental blend of decision-makers, technical experts, and risk management team staff. Including a group with different focus areas ensures that all departments involved with an active incident response are represented and that solutions are viable across the organization. 

Consider each participant’s roles during a real incident and mirror these roles in the exercise. Including them helps test the overall effectiveness of communications throughout each department.

Think about what stakeholders a specific incident may impact. This could include IT teams, crisis management teams, supply chain leaders, or another department entirely. Regardless, take the time to map out the incident, who it impacts, and who’s needed to address it to ensure the right people are ready to respond when needed.

4. Prepare Materials

Since the exercise will take place away from IT resources, you must prepare everything participants need throughout the scenario. Your exact materials will vary, but common choices include:

  • Detailed scripts
  • Background information on the scenario
  • Role cards
  • Situational updates
  • Printed incident response plans and protocol documentation

These materials should have all the necessary information for participants and detail what IT resources are available for the scenario. The modern approach to tabletop exercises ensures everything you need is up to date and accessible in one place using an out-of-band solution to ensure reliability and availability during a crisis.

5. Facilitate the Exercise

The traditional approach to tabletop exercises is often vendor-led. Teams are often intimidated by the thought of hosting their own internal tabletop exercises. Overcoming this fear is more than possible with the right tools to make these exercises more cohesive and streamlined. You need to make it easy to access the various business continuity documents and playbooks needed to carry out a response.

So, how can you make the transition to independent, internally-led tabletop exercises? We recommend trying a balanced approach as you start to transition. For example, for every vendor-led drill, try and do two on your own.

For many companies, this starts with choosing a skilled facilitator. A skilled facilitator should be assigned to guide the discussion, moderate actions, and ensure that the objectives are met. The facilitator will have several important responsibilities, including:

  • Set the stage by briefing participants on the scenario and explaining the rules of the exercise.
  • Manage the flow of information, introduce new events to simulate changing conditions, and keep participants engaged and on the current task.
  • Challenge assumptions and encourage participants to consider alternative strategies and outcomes
  • Ensure all participants contribute to the discussion, promoting a comprehensive exploration of the team’s response capabilities.
  • Monitoring and documenting the exercise is crucial for capturing how the team responds to the scenario.

Additionally, the exercise should have team members focused on observing the exercise and taking detailed notes on the decision-making process, the interactions between participants, and any issues that arise.

This observer’s documentation should pay close attention to detail, noting what is done well and what could be improved. These observations are invaluable for the post-exercise analysis and crafting a follow-up report that accurately reflects the exercise’s dynamics and outcomes. 

6. Debrief and Follow-Up

The last step of an individual exercise is debriefing. This critical step is where participants reflect on the exercise, discuss what they learned, and identify improvements for the future. This session should be structured to allow participants to speak openly about their experiences, thoughts, and feelings regarding the exercise. 

Discuss each defined objective and evaluate whether it was met and why. Don’t only focus on issues; the debrief should also cover what went well, what challenges emerged, how effectively the team communicated, and whether additional resources or training might be needed. This candid feedback helps refine incident response plans and improve overall preparedness.

Lastly, compile a detailed report that includes an overview of the exercise, the defined objectives, the actions taken by participants, and the outcomes. Even in an exercise, reports can reflect real world requirements like regulatory, legal or authority reporting. Producing reports this way helps participants understand outcomes, and better help them set objectives through the process bearing those outcomes in mind.

How ShadowHQ Can Help You Run Effective Tabletop Exercises

Running effective tabletop exercises requires the right software, training, and familiarity with how to handle crisis situations.

There are several methods of practicing incident plans, from simulations to red team/blue team drills, and each of them has pros and cons. Tabletop incidents are a valuable way to step away from the terminal and put the focus on the challenges, processes, and problem-solving.

ShadowHQ lets you run successful tabletop exercises that give your teams the confidence needed to handle any crisis. With ShadowHQ, you get an out-of-band virtual bunker that helps keep your teams organized, collaborative, and ready to respond. It streamlines processes and ensures your tabletop exercises are dynamic — versus static — events.

Start running effective tabletop exercises on your own with ShadowHQ. Book a demo today to see how easy tabletop exercises can be.


Experience the ShadowHQ platform

Walk through a cyber breach scenario in a 15 minute demo.


Disaster Readiness Checklist

When an emergency happens, every minute counts.