Enhancing your overall cyber response posture and the collective team decision-making process when an incident occurs. 

You’ve heard it before: for most organizations, it’s not a matter of if they will be a target of a cyber attack—it’s a matter of when.

In the U.S. alone, there were more than 1,200 reported breaches in 2018.  More than 446 million records were exposed.  And these are just the breaches reported through the Statista portal.   Business is at the heart of the problem: in 2017, 91% of the total number of files breached were controlled by business enterprises, according to TechRepublic.

Analysts estimate the global cost of cyber crime has now reached as much as $600 billion annually.  That’s approaching 1% of the world’s GDP (Gross Domestic Product).  CNBC labels the problem “a pandemic.”

To protect your business’s reputation and finances, developing an Incident Response Plan is the first step to combatting a future incident. Then, you can train as you fight and mature your organization's cyber response posture along the way, especially when coupled with pen testing and SIEM.

Incident Response (IR) Planning

The Incident Response Plan serves as the blueprint that enables staff to detect, respond to, and recover from security incidents.  If your organization has an IR plan in place, the tabletop exercise can validate that plan, or it can highlight lapses that need to be addressed.  If your organization does not have an IR plan in place, you need to develop one before a meaningful exercise can be done.

Your organization’s security posture requires resilience.  In a 2018 study, IBM reported that “77% of business leaders admitted that they don't have a formal cybersecurity incident response plan that's applied consistently in their organization.”

Developing your IR plan can be a complex and painstaking task.  RedLegg Advisory Services can assist based on our real-life experience with handling information security incidents.

But if you have an IR plan in place, the tabletop exercise is a practical way to make sure everyone on your team knows their roles and knows how certain attacks should be handled. The tabletop exercise gets everyone on the same page through hands-on experience.

Incident Response Tabletop Exercises are an important form of organizational training that can help mitigate cyber attacks.

Read more about the importance of this IR activity in relation to your overall security strategy and how tabletops can help to activate and direct your information security strategy.

What is a Tabletop Exercise?

Tabletop Exercise (TTX): A security incident preparedness activity, taking participants through the process of dealing with a simulated incident scenario and providing hands-on training for participants that can then highlight flaws in incident response planning.

The exercise begins with the Incident Response Plan and gauges team performance against the following questions:


What happens when you encounter a breach?
Who does what, when, how, and why?
What roles will legal, IT, law enforcement, marketing, and company officers play?
Who is spearheading the effort and what authority do they have?
What resources are available when you need them?


Since most companies are unprepared when a cyber attack occurs, every company needs a well-executed Incident Response Plan. You do not want to wait until a cyber attack occurs to figure out what you need to do.
Read more about how often you should validate your Incident Response Plan with a tabletop exercise.

Tabletop Exercise Benefits and Outcomes

A tabletop exercise simulates an actual crisis.  The National Cyber Security Alliance reports that 60% of small and mid-sized businesses that are attacked never recover.  On average, they go out of business within just 6 months.  FEMA, the Federal Emergency Management Agency, studied responses to natural disasters and cyber attacks.  They report that among the businesses that do recover after a disaster, only 29% were still in business two years later.

But we don’t want statistics to scare you. Tabletop exercises give you greater peace of mind that a crisis will be handled in a clear, efficient way and that you’ve exercised a recovery plan.

If you’re wondering whether you and your team can handle an incident, the tabletop exercise will confirm your confidence and give you clear areas for improvement.

Increase awareness and understanding of threats

There’s no shortage of cyber criminal activity.  Investor Warren Buffett says cyber attacks are a bigger threat to humanity than nuclear weapons.  He calls it “the number one problem with mankind.”  IBM Chairman, President, and CEO Ginni Rometty phrased it this way:  “Cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”

Cyber crime is also becoming increasingly sophisticated. Long ago, it stopped being about lone hackers sitting in dark basements. With so much money at stake, it’s become big business for organized crime. Because of the growing threat, the FBI’s Internet Crime Complaint Center issued an advisory warning about Business Email Compromise after seeing an increase of 1,300 percent since 2015.  The FBI calls it the $12 billion-dollar scam. “Organized crimes groups have targeted large and small companies and organizations in every U.S. state and more than 150 countries around the world,” the FBI reports. “Non-profits and well-known corporations to churches and school systems.  Losses are in the billions of dollars and climbing.”

There’s simply too much at risk not to take a proactive approach to your cyber security planning, training, and execution. To stay abreast of the current threat landscape and arm your team to deal with it, performing a TTX at least once a year – preferably four times – will ensure that existing staff awareness is always refreshed, and that new staff receives comprehensive training on your IR processes.

Evaluate your overall incident preparedness

A TTX brings your team together and increases your effectiveness – and efficiency – in case an incident occurs.  

The exercise will put your planning into practice and give you a clear understanding of your current IR plan.  It will make sure your team is educated on the process and knows their roles.

Identify deficiencies in your IR plan, including technical, planning, and procedural

A tabletop exercise will find the holes in your plan so that you can patch them. The purpose of the TTX is to validate your existing Information Security Incident Response Plan and identify its strengths and weaknesses. Conducting these exercises promotes changes in attitudes and perceptions, and enhances the overall cyber response posture and collective decision-making process of participating teams and stakeholders to:

  • Understand roles and responsibilities during an incident.
  • Maximize utilization of available tools and resources to support the incident management processes.
  • Exercise your current decision-making process invoked when incidents occur.

Clarify roles and responsibilities during an incident

When a breach does occur, time is of the essence.  The sooner the breach can be contained and eradicated, the better it is. Like an NFL play strategy, the more times you practice it, the better your response will be.  A TTX will speed up the response time because your team will gain experience assessing and handling problems. The TTX will also determine how well your organization meets incident performance objectives, such as:

  • The organization has instituted a solid approach to its Information Security program.
  • The security team is highly qualified and uses a proactive approach to system protection and monitoring.
  • The network is well engineered, with the proper high-value system segmentation and protection in place (an aspect not frequently observed in the industry).
  • The team is well prepared for an incident, and actively participates with a strong understanding of individual roles and necessary communications.

Validate IR Plan and Trainings

What good is a plan if nobody really knows what to do when it really matters?  Tabletop exercises are a great way to validate training and make sure your team is prepared. 

The purpose of the tabletop exercise is to validate your existing Incident Response Plan and identify its strengths and weaknesses before an actual incident occurs:  

  • Conducting these exercises promotes changes in attitudes and perceptions.  
  • A well-executed tabletop exercise enhances the overall cyber response posture and collective decision-making process of participating teams and stakeholders.
  • Using real-life scenarios, your team will learn how to react and the steps they need to take to mitigate any potential damage.

In the theater, for example, months of planning for a performance culminates in a full-scale dress rehearsal.  The actors perform every detail of the performance in real time, as if it were in front of a live audience.  The performance is evaluated on its technical merits, such as lighting and stage direction, and on team and individual performances.

Think of a tabletop exercise as your cyber threat dress rehearsal.  It takes the plan on paper and brings it to life.  You want to make sure everyone knows their part backwards and forwards in case the real thing ever happens.  Your team’s performance can show deficiencies in protection mechanisms and processes.

Assess the capabilities of existing resources

A major goal of the TTX is to assess whether your organization utilizes its IR tools and resources effectively, whether improvements can be made, and whether new resources and procedures need to be identified and implemented. Organizational resources to assess during a TTX include:

  • Membership of the Computer Incident Response Team (CIRT)
  • IR training resource availability and defined requirements
  • Alert monitoring systems for incident detection and continuous monitoring
  • Systems architecture, databases, gatekeepers, scanning and forensics tools and availability, secure backups
  • Document repositories for information security policies, incident investigation, recording, reporting, and archiving
  • Security and availability of communications systems between Operations, the CISO, the CIRT, and the outside world

Solicit feedback for program improvement

The primary result of the TTX is not really a ‘pass/fail’ determination, but rather a summary of the exercise with participants’ feedback, positive observations, and suggested areas for improvement relating to the organization’s readiness to handle Information Security incidents. Typically, feedback forms are distributed immediately after the exercise, to all participants, to identify issues or concerns and seek input on any areas for improvement, such as:

  • Was the incident scenario presented in the TTX realistic for your company business model, processes, and current security posture?
  • Did all participants understand who needed to take part in the exercise?
  • Is everyone sufficiently familiar with the Incident Response Plan established by your organization?
  • Can IR team members handle crisis situations well, being able to adjust to the evolving scenario, perform analysis, and use available tools/technology proficiently?
  • Can everyone involved in IR communicate well within their own teams and with other teams involved?
  • Are escalations to company management handled appropriately, with the correct level of information and in a timely manner?

Exercise the decision-making process when incidents occur

Performing incident response exercises provides attitude and perception review and adjustments, particularly among the CIRT team and upper management, and elucidates your organization’s cyber response posture and collective decision-making processes of participating teams and stakeholders. Since responding to incidents can be complex and time consuming, organizations typically develop in Incident Response Decision Tree as a reference for data capture, forensics, auditing, policies, and communications activities. Conducting TTXs regularly using differing scenarios can help you determine whether you have effective decision-making processes in place or need improvements.



Tabletop-Exercise-Complete-Guide TTX-Sample-Scenarios TTX-Sales-Sheet-3D-NEW-1 LinkedIn-TTX-Webinar-7-24
Tabletop Exercise eBook Tabletop Exercise Scenario Samples Tabletop Exercise Service Sheet DIY Tabletop Exercises Webinar On Demand


Tabletop Exercise Approach

There are a number of ways to approach tabletop exercises depending on how deep you want to go within your organization. There are a number of parties that can be involved, and there are a number of scenarios to be simulated.


You may want to include a specific IR team within your company. You may want a specific IT team, your entire IT team, or just your IT leadership.Top management, department managers, and key employees may be part of the TTX. In some cases, you may want to involve the entire company in your incident response.In any response, there are internal stakeholders that will be involved. There might also be outside agencies that need to be informed or brought into the situation if an incident really did occur. This is especially important in regulated industries that may have strict regulations for compliance.

Player and Participants

Players and Participants will respond to the situations presented based on their knowledge of the current Incident Response plan.  They will draw on existing policies, procedures, and technology.  Network administrators, help desk, IT support, managers, directors, officers, and executives should all be part of your IR team. 

Outside Agencies

Outside agencies, such as law enforcement, legal counsel, or regulators, may play a role in your scenario or be part of compliance.  Someone within your organization will be drafted to play these parts.


Facilitators are experienced cybersecurity experts.  They will facilitate discussion of the exercise scenario and results.  They will be responsible for making sure all key issues are explored (time permitting). The facilitator will also be responsible for keeping the discussion focused on exercise objectives. 

Read more about the benefits of a facilitator.


Observers will take notes and document the efforts.  They will record areas where training or improvement is needed.  They will pay particular attention to how the proceedings highlight communication gaps.  It’s important these observers act independently and are not active participants.  Although they can respond to minor questions, it’s important for the scenario to unfold as naturally as possible.

Data Collectors

Data Collectors will record all of the participant responses for further review.


Scenarios will be developed in conjunction with your team, based on your security needs. You may want to simulate one of the following cyber tabletop exercise scenarios: Malware tabletop exercise, Phishing tabletop exercise, Physical Security tabletop exercise, Data Breach tabletop exercise, Distributed Denial-of-Service (DDoS) tabletop exercise, Other cybersecurity Incident Response tabletop exercise. Physical Security tabletop exercise scenarios, Data Breach tabletop exercise templates, and other cybersecurity Incident Response tabletop exercise scenarios will be developed to mimic real-life operations as closely as possible. You may also want to consider using a SANS tabletop exercise as the template for your scenario.


A typical event might be one that has happened in the past or one that is likely to occur in the future.  The exercise might start with a fairly common or simple event, such as:

  • An email
  • A phone call
  • System crash
  • Request for virus scans to be performed on a file or attachment
  • Employee termination
  • Other customized scenarios
Simulated Incident

From there, a simulated incident will unfold that has an adverse impact on your systems.  These will include incidents that likely fall under US-CERT Federal Incident Notification Guidelines, such as:

  • Violation of security procedures (implied or explicit)
  • Attempts to gain access to systems without authorization
  • Unwanted denial of service or resources
  • Unauthorized access or escalation of rights
  • Changes without the owner’s knowledge


Prior to the TTX, the facilitator develops the input to meet the pre-determined goal of the TTX, based on the client’s pre-test specifications about their environment. These steps depend on the client, the industry, regulations, and their current security posture.

The facilitator develops the test input to meet a specific level of management, as well as the appropriate technical personnel and all others who should make the appropriate decisions. Typically, a project kickoff call occurs between the client and the facilitator to gather information about the organization, including its IR plan, and the participants needed. Read more about strategic ways to test your Incident Response Plan.

A typical exercise flow will consist of three essential elements:

  1. Inputs
  2. Process
  3. Outputs

These items are consistent with the U.S. Department of Homeland Security’s Cyber Tabletop Exercise for the Healthcare Industry, which can be translated across industries. It recommends the following flow-through process:


A tabletop exercise is based on an input ® action ® output paradigm. An input presents a simulated, realistic cybersecurity situation that prompts participant discussion about the actions to be taken. The following input types may be considered when planning or executing a TTX, depending on the types of incidents that might affect your organization:

  • Scenarios – Situation custom developed to support the exercise objectives, and to provide generic and qualitative descriptions of situations relevant to the overall exercise goal(s). The opening situation may be used as the context or starting point for Participants to identify major concerns and formulate their responses.
  • Internal Reports – Contain pieces of information or conflicting information that indicates a cybersecurity issue or breach, or vulnerabilities and deficiencies at the attendant control points.
  • Media Reports – Articles or other media from well-known news organizations or security and investigation sites suggesting a cybersecurity or data exfiltration issue at the company.
  • Network Data – Anomalies, performance issues, unauthorized access, or traffic/data intercepts either detected and alerted automatically, or evident in another context.
  • Scripted Injects – An integral part of the inputs representing a new piece of information delivered at key times by the facilitator to expand the discussion. Just as an attacker may inject malicious code in an attempt to corrupt a system, a facilitator may inject different tactics or scenarios into a simulation to take the discussion in a different direction or unveil new simulated threats.
  • Contingency Plans – A risk management document, or set of documents, that describes roles, processes, procedures, and considerations for recovering IT services and data in the event of a security breach, natural or other disaster, or system disruption.


Once the scenario is presented, the facilitator monitors and directs the discussion among the TTX participants. For each inject, the discussion follows the steps in the process below, with individual participants adding the actions they take, and identifying any holes in the process. The TTX facilitator’s job is to direct the conversation focus and move the discussion through these steps:

  1. Assess the situation.
  2. Revalidate assumptions.
  3. Identify security and organizational implications.
  4. Develop a course of action.
  5. Review resources.
  6. Develop recommendations.
  7. Take action to implement changes.

It is acceptable – and possibly expected – for one or more participants to not have an answer, or to point out that a hole exists in the process where organizational development, more information, or process improvements are needed. This type of discussion is the point of the exercise, which is dependent on the client’s industry, including regulatory aspects, as well as the organization’s current security posture or maturity.


As part of the TTX, you will receive deliverables that document in detail the nature of the scenarios presented and the discussion that ensued:

  • The exercise schedule and agenda created in collaboration with your project owner (typically the Information Security Director) during the kickoff call.
  • The scenario(s) created based on the information gathered during the kickoff call and your existing Incident Response Plan, including the roles and participants required for the exercise.
  • Handouts created for distribution to participants during the exercise, based on the scenarios.
  • Notes created by the TTX observer during the discussions, paying particular attention to how the proceedings highlight communication gaps within participant areas or other departments with which they most frequently interact.
  • A summary of the conducted exercise with participants’ feedback, positive observations, and potential areas for improvement as they relate to your organization’s readiness to handle Information Security incidents.

The TTX deliverables will enable you to...

  1. Document process or improvement recommendations directly related to security incidents.
  2. Update or improve internal reporting, potentially including automated alert adjustments, knowledge sharing, and incident documentation requirements.
  3. Define or clarify external reporting for incidents that affect your organization.

The RedLegg Tabletop Exercise Process

At RedLegg, we believe it takes a holistic approach to effectively manage risk, especially when it comes to cybersecurity.  We call our unique approach to cybersecurity the ARMEE method.

We provide tabletop exercises tailored to your organization type, architecture and systems, and business processes after discussing your Incident Response Plan. We can also provide a detailed analysis of the current state of your business and comprehensive analysis of your security posture with a gap analysis or vCISO service.  




Validate Your
Incident Response

RedLegg's TTX Service

The RedLegg team will begin the TTX process by interviewing your established internal SMEs to understand your organization, security posture, and system architecture. Unknown to the rest of the organization, your facilitator will work with the SMEs to develop the scenarios that will be played out.

Your facilitator will also conduct interviews with the IT team to fully understand the security architecture.  Once this has been done, and the scenarios finalized, the exercise will be scheduled.

Your RedLegg facilitator will meet with your staff and explain how the day will play out.  They will then explain expectations for the participants and provide handouts on the day of the exercise so that participants have no prior knowledge of the scenarios presented.

RedLegg will also provide one observer to participate in the tabletop exercise, either on-site or remotely, in addition to observers designated by you.

The TTX inject will be treated as if it were a real incident happening in real time.  While the exercise will use an accelerated timeline, it will cover hypothetical scenarios from start to post-recovery.  This detailed scenario will be explained to the participants and they can break into teams to attack the problem.

After the exercise is concluded, there will be a group discussion, or Hot Wash, around the event and the response.

Feedback received during the Hot Wash and through participant feedback will be reviewed by the RedLegg facilitator and discussed during the follow-up Lessons Learned session with all tabletop exercise participants and designated department/corporate management.

IR tabletop exercises validate your Incident Response Plan, identify strengths and weaknesses, promote changes in attitude and perceptions, and enhance your overall cyber response posture and collective decision-making process of participating teams and stakeholders.

This controlled environment allows exercise players to safely explore real-world scenarios, and it promotes an improved response with a detailed plan. Conducting a tabletop exercise will get you one step closer to tackling security threats.  Tabletop exercises are an extremely cost-effective way to validate plans and capabilities, and it can help identify vulnerabilities and threats before they become a reality.

Like in theater, exercising your IR plan can help make sure that opening night, in case you ever have one—and chances are that you will—goes as smoothly as possible. Like in sports, having regular TTX engagements ensures that you’ve practiced the key things you need to do to before you face your opponent.


Reach out to our expert staff to learn how a facilitated tabletop exercise can prepare your organization for an incident today.