Cyber Horizon
Incident Response · Tabletop · Resilience

How to Run a Cyber Tabletop Exercise: A Step-by-Step Guide

29 May 2026·8 min read·Cyber Horizon Team

The worst time to discover that nobody knows who declares an incident — or that your “24/7” vendor only answers email — is at 2am during a live breach. A tabletop exercise surfaces those gaps in a conference room instead, for the price of an afternoon.

Here is a practical, repeatable way to run one that produces real findings rather than a tick-box record.

What a tabletop exercise actually is

A tabletop is a discussion-based walkthrough of a simulated incident. There is no real system access and nothing is broken — participants talk through what they would do, step by step, as a facilitator injects new information. The goal is to test decisions and communication, not technical containment.

Step 1 — Set a clear objective

Pick one thing to test. “Validate our ransomware decision-making and internal comms” is a good objective; “test incident response” is too vague to measure. A tight scope keeps a 90-minute session focused and makes the findings actionable.

Step 2 — Get the right people in the room

Facilitator: Runs the session, delivers injects, keeps time, stays neutral.
Incident lead: The person who would actually run the response.
Technical responders: Security, IT, and engineering who would investigate and contain.
Communications & legal: Internal comms, PR, legal, and data-protection / privacy.
An executive sponsor: Someone who can speak to business decisions and risk appetite.

Step 3 — Build the scenario and the injects

Start with a realistic trigger, then prepare three or four injects — new pieces of information you reveal over time to escalate the situation and force fresh decisions. Good injects create dilemmas: a journalist calls before you have confirmed anything; the backup restore is slower than expected; a regulator’s reporting clock starts ticking.

Three ready-to-use scenarios

1. Ransomware in the finance team

An accountant’s workstation is encrypted and a note demands payment. Injects: lateral spread to a file server; the offline backup is 11 days old; press enquiry; the board asks whether to pay.

2. Compromised SaaS vendor

A core supplier discloses a breach affecting your data. Injects: it is unclear what data was exposed; customers begin asking; your data-processing agreement (DPA) requires notification within a fixed window; the vendor goes quiet.

3. Stolen credentials and data exfiltration

An MFA-fatigue (push-bombing) attack leads to an account takeover. Injects: evidence of data being copied out of the environment; the attacker emails an executive directly; you must decide on disclosure and law-enforcement involvement.

Step 4 — Facilitate, do not lecture

Deliver the trigger, then ask open questions: “What happens next? Who makes that call? How long does that take?” Resist the urge to supply answers. The silences are the findings. Capture every “we’d have to check” and “I assumed someone else owned that” — those are your gaps.

Step 5 — Write it down and assign owners

Within a day, turn observations into a short after-action report: what went well, what did not, and a numbered list of remediation actions with named owners and due dates. An exercise that does not produce assigned actions was entertainment, not assurance.

Common pitfalls to avoid

Letting it become a technical deep-dive — keep it at the decision level.
No executive in the room, so business trade-offs never get tested.
Treating it as a pass/fail exam rather than a safe space to find gaps.
Never closing the loop on the actions before the next exercise.

Run one at least twice a year, and rotate the scenario each time. Maturity shows up as shorter silences and faster, more confident decisions. For where these exercises sit in a wider programme, see our guide to third-party vendor risk management.

Run AI-generated tabletop exercises in Cyber Horizon

Generate realistic scenarios and injects, track participant responses, and produce the after-action report automatically — tied to your incident-response evidence trail.
