Tabletop Exercise: A cybersecurity incident response exercise that takes participants through a simulated breach scenario, providing expert facilitation to help uncover incident response planning gaps.
The concept isn't unique to cybersecurity. Military war games have used this format for decades: a group of people working through a hypothetical scenario to test plans before a real event makes testing impossible. What happens if the adversary does X? Who does what? What does the plan actually require? Cybersecurity tabletop exercises apply the same logic. Your team won't simulate a live ransomware infection, but you can walk through exactly what you'd do if one hit.
The exercise begins with your Incident Response Plan (IRP) and gauges team performance against core questions: What happens when you encounter a breach? Who does what, when, how, and why? Who has decision-making authority? And what resources are available when you need them?
A tabletop exercise isn't a pass/fail test. It's a structured discovery process that reveals where your plan works, where it breaks down, and where improvements are needed before an attacker forces the answer.
Most organizations believe their incident response plans are solid. The reality is different. According to IBM's 2025 research, only 49% of organizations plan to invest in security after a breach, down from 63% the year prior. Even among those planning to act, fewer than half focus on areas like threat detection (43%), data protection (37%), or incident response testing (35%). Without testing, most incident response plans break down during the first real crisis.
What incident response tabletop testing reveals is almost always procedural, not technical. RedLegg's analysis of hundreds of client engagements found that the most common gaps involve communication protocols, decision-making authority, and financial tracking during incidents, more so than technology and tooling issues.
The business stakes are significant. A single cyberattack can shut down a company. Nearly 1 in 5 small and mid-sized businesses close after a successful attack, and about 1 in 3 would fold even if losses stay under $10,000. Regulatory exposure compounds the risk: the SEC's cybersecurity disclosure rules require publicly traded companies to report a cybersecurity incident on Form 8-K within four business days of determining that it is material, and to describe their processes for assessing, identifying, and managing cybersecurity risk in their annual filings. A response process that has never been exercised is hard to describe credibly under either requirement.
A well-executed cyber incident simulation exercise reduces that risk. It doesn't eliminate the possibility of a breach, but it dramatically changes your ability to respond to one.
Cybersecurity tabletop exercise scenarios are developed in close collaboration with your team, based on your specific environment, industry, and current security posture. RedLegg doesn't use generic scripts. Each scenario is tailored to mirror plausible threats your organization faces.
Common scenario types include:
Ransomware with data exfiltration: Your systems are encrypted, and sensitive data has been staged for release. Who decides whether to pay? How do you notify customers and regulators?
When a ransomware attack unfolds in real time, the questions that go unanswered are rarely technical. They're organizational. Who has the authority to shut down a system? Who notifies legal? Who approves communication with customers? Who tracks insurance recovery costs?
Think about how the approval chain actually works in your organization. Many teams will say, "We're small enough. I just need to get approval from one person." That works fine until that person is unavailable. High-stress environments are exactly when those gaps surface, because humans under pressure forget steps, misremember procedures, and skip escalations they'd normally follow automatically.
There's also the difference between what's in the plan and what people actually know. Technology runs 24/7, and teams build muscle memory around tools through daily use. Procedures don't work that way. Nobody practices the communication workflow or the cost-tracking process until they need it. That's why the gaps are procedural, not technical.
RedLegg's data from years of conducting incident response tabletop exercises across industries reveals a consistent pattern: while technical defenses are generally strong, procedural gaps persist. The top finding, recommended to 85% of clients, is the absence of a Business Impact Analysis. The second most common gap, identified in 70% of engagements, is the lack of pre-approved communication templates for stakeholder notification.
These aren't technology failures. They're governance failures, and they're exactly what a cybersecurity tabletop simulation is designed to expose.

Participants typically include:
CEO/Executive Leadership
CISO/CIO
IT & Security Teams
Legal & Compliance
HR
PR/Communications
Board Representatives
A security tabletop exercise is most effective when it reflects your organization's actual decision-making structure. RedLegg typically offers two tracks: one for technical staff and one that brings technical and executive leadership together. We see the best results when organizations test both tracks.
Participant quality matters as much as participant title. In regulated industries, external stakeholders (including legal counsel, regulators, and law enforcement liaisons) may also be built into the scenario. The value of legal representation, for example, isn't just having counsel in the room. It's working through the disclosure timeline in advance: once an incident is declared, the clock starts. Who gets notified, what gets communicated, and in what order are decisions that shouldn't be made under pressure for the first time.
RedLegg provides a dedicated observer and data collector throughout the exercise.
To keep existing staff awareness refreshed and to give new staff comprehensive training on your IR processes, performing a cybersecurity tabletop exercise at least once a year is the baseline. Annual exercises meet many regulatory requirements, while quarterly cadences are common in high-risk industries such as healthcare, financial services, and critical infrastructure.
It's worth noting that running them too frequently can create fatigue. Exercises lose effectiveness when participants feel like they're going through the motions, so each additional exercise should use a fresh scenario rather than a rerun. An annual exercise is a sound minimum for most organizations; twice annually or quarterly is appropriate for higher-risk environments.
Specific triggers that should prompt an unscheduled exercise include a significant change to your technology environment, a breach or near miss at a peer organization, a material change in leadership, or a new regulatory requirement.
There's also a regulatory enforcement dimension worth understanding. If your organization experiences a data breach that results in punitive action from the SEC (for publicly traded companies) or the FTC, those agencies may prescribe a specific exercise frequency (sometimes twice annually) as a condition of remediation. A breach doesn't just create response obligations; it can also create ongoing testing obligations.
FOCUS ON PEOPLE
RedLegg frames our services around Continuous Threat Exposure Management (CTEM), a five-phase approach covering Scoping, Discovery, Prioritization, Validation, and Mobilization. Tabletop exercises live in the Validation phase, not as a tool for finding vulnerabilities but for confirming that people, processes, and communication channels actually work when it counts. Our cybersecurity tabletop exercise process tests whether an organization can detect, respond to, and recover from a real scenario.
For organizations that need a deeper baseline before the exercise, our vCISO Services can provide a comprehensive assessment of your security posture ahead of the simulation.
Every engagement delivers the following:
Exercise agenda and schedule, created in collaboration with your project owner during the kickoff call.
Custom scenario documentation, including roles, participants, and all scenario materials.
Observer notes, capturing communication gaps, team dynamics, and decision-making patterns.
Participant handouts, distributed on the day of the exercise to maintain scenario integrity.
Executive-ready after-action report, summarizing findings, positive observations, and areas for improvement.
Prioritized improvement roadmap, aligned to your IR plan and applicable compliance frameworks.
These deliverables enable you to document process improvement recommendations, update internal reporting requirements, and define external reporting obligations, providing a clear, actionable path from exercise to resilience. Organizations that discover technical gaps during the cybersecurity tabletop exercise often follow up with Penetration Testing or enroll in MDR Services to close the monitoring and detection gaps the exercise surfaces.
Organizations in regulated industries face direct compliance obligations around incident response preparedness. A structured cybersecurity tabletop exercise supports alignment with:
NIST CSF: The exercise directly addresses the Govern, Identify, Respond, and Recover functions and is a recognized practice for demonstrating cybersecurity maturity.
ISO 27001: Tabletop exercises support Annex A controls related to incident management and business continuity.
HIPAA: For covered entities and business associates, exercises validate breach notification procedures and security incident response requirements. Pair with a HIPAA Risk Assessment to validate both your technical controls and your response readiness under a single engagement.
CMMC: Incident response exercises are a specific practice area requirement for organizations in the defense industrial base.
Many organizations pair a cybersecurity tabletop exercise with a NIST CSF Assessment or GRC Gap Assessment to contextualize findings within a broader security program review.
Internal tabletop exercises have value, but they carry inherent limitations. When your team facilitates the exercise, it is difficult to maintain objectivity, surface uncomfortable truths, or challenge assumptions that have become organizational blind spots.
A third-party facilitator brings independence, experience, and structured methodology. RedLegg's facilitators have conducted hundreds of exercises across industries, giving us a data-driven perspective on the most common, consequential, and fixable gaps. Our after-action reports reflect that context: not just what happened in your exercise but how it compares to what we see across the organizations we work with.
An external incident response tabletop exercise also carries more weight with boards, regulators, and auditors. It demonstrates that your testing process is independent and rigorous, not self-graded.

Organizations that integrate these exercises into their security programs achieve faster recovery, stronger compliance, and greater stakeholder confidence. The question isn't whether to test your plan. The question is whether to conduct the test before or after a real incident forces the issue.
A cybersecurity tabletop exercise is a facilitated, discussion-based simulation where your leadership and technical teams walk through a realistic cyberattack scenario to test your incident response procedures, decision-making processes, and crisis communications. It's designed to identify gaps and strengthen preparedness without disrupting live operations.
A standard RedLegg tabletop exercise runs approximately four hours. This includes the scenario presentation, facilitated discussion, and an initial Hot Wash debrief. The follow-up Lessons Learned session is typically scheduled separately within a few weeks of the exercise.
At a minimum, once per year. For organizations in high-risk industries or those subject to specific regulatory requirements, quarterly exercises are common. Any significant change to your environment, leadership, or threat situation is a trigger for an unscheduled exercise. Organizations that have experienced a data breach resulting in SEC or FTC action may also be required to conduct exercises at a prescribed frequency as part of remediation.
Both, ideally together. RedLegg offers two exercise tracks: one focused on technical staff and the other on integrating technical and executive leadership. Organizations see the strongest results when they run both. Executive participation is especially important for scenarios involving public disclosure, legal counsel, and board reporting.
A cybersecurity tabletop exercise is discussion-based. No systems are touched, and no actual traffic is generated. It tests your people, processes, and plan. A live simulation (for example, a red team engagement or a full-scale functional drill) involves active technical components against real or staged systems. Tabletop exercises are lower-cost, lower-disruption, and typically the right starting point for validating your IR plan.
Yes, and RedLegg offers resources to help, including sample scenarios and a Tabletop Exercise eBook. However, internal exercises are subject to the limitations of self-assessment. A third-party facilitator provides independence, objectivity, and a broader benchmark for evaluating your findings.
Every engagement includes a custom scenario, observer notes, participant handouts, an executive-ready after-action report, and a prioritized improvement roadmap. See the full list in the "What You Receive After the Exercise" section above.
Start with your Incident Response Plan. A tabletop exercise is designed to validate a plan, not substitute for one. If your organization doesn't have a documented IRP yet, that's the first step. Once the plan exists, identify your crown jewels: the systems, data, or processes whose loss would hurt the business most. Those priorities should anchor your first scenario. RedLegg Advisory Services can help you develop an IRP if you don't have one in place.
RedLegg begins every engagement with a kickoff call to gather information about your organization, your existing IR plan, your technology environment, and your participants. You do not need a mature security program to benefit from a tabletop exercise, though you do need a documented IR plan to validate. If you don't have one yet, RedLegg Advisory Services can help you develop it.