Tabletop Exercise Guide

Tags: SOC 2, Risk Assessment, Incident Response, Business Continuity

Tabletop exercises are structured, discussion-based sessions in which team members walk through their roles during a simulated incident. Nothing is actually attacked, restored, or taken offline; the team talks through what it would do, step by step. They are a low-cost, high-value way to test your company's readiness without touching production systems. Use this guide to plan and run regular tabletop drills aligned with your SOC 2, ISO 27001, or general risk management practices.

1. Planning the Exercise

  • Assign a Facilitator: Choose someone to lead the discussion and present the scenario. This can be an internal person or a trusted advisor; ideally it is not someone who would be a key responder in the scenario, so they can observe and keep time rather than play a role.
  • Set Objectives: Decide what you want to test (e.g., incident response, disaster recovery, internal and external communication, access controls). Two or three specific objectives keep the session focused.
  • Pick a Scenario: Examples: ransomware attack, cloud service outage, employee data breach, lost laptop, vendor compromise. Pick one that maps to a risk already identified in your risk assessment.
  • Invite the Right Participants: Include stakeholders from engineering, security, customer success, and the executive team, plus legal or HR when the scenario involves personal data or employees.
  • Schedule in Advance: Set aside 60–90 minutes, ideally quarterly or at least twice a year.

2. Preparing Materials

  • Write a Scenario Brief: Describe what has "happened," including how and when the team is first notified (an alert, a customer report, a ransom note).
  • Create Timeline Prompts: Prepare "injects," new information introduced at set points during the session (e.g., media coverage, customer complaints, attacker demands), with a rough time for each so the facilitator can keep pace.
  • Review Your Policies: Have your Incident Response Plan, Disaster Recovery Plan, and current contact and escalation lists available for reference.
  • Print or Share Roles: Remind team members of their responsibilities during an incident, including who covers each role if the primary person is unavailable.

3. Running the Exercise

  • Open with Ground Rules: Emphasize no-fault learning. Encourage candid input and exploration; the goal is to find gaps in the process, not to grade individuals.
  • Present the Scenario: Describe the initial event. Let the team react as they would in real life, and resist the urge to correct them mid-scenario; note the misstep for the debrief instead.
  • Prompt with Questions: Examples:
      • Who is alerted first, and how?
      • What systems and data are affected?
      • Do we notify customers, and who decides?
      • Who approves public statements?
  • Escalate the Situation: Introduce complications (e.g., vendor unresponsive, customer escalations, missing logs).
  • Keep it Realistic: Use the tools or chat systems you'd use during a real incident. If the scenario takes one of those tools away (for example, the chat platform or identity provider is part of the outage), make the team use its out-of-band fallback rather than assuming the tool still works.

4. Debriefing the Exercise

  • Summarize Actions Taken: What decisions were made, by whom, and when? What worked and what didn't?
  • Identify Gaps or Delays: Where were people unsure or unprepared? What slowed down resolution (missing access, unclear ownership, outdated contact details)?
  • Capture Lessons Learned: List clear takeaways, each with an owner and a due date.
  • Update Documentation: Revise your playbooks, contact lists, or IR plan based on the session, and record the revision date.
  • Distribute a Summary Report: Share findings with stakeholders, or with your auditor if the exercise is part of a compliance program. Include the date, scenario, participants, findings, and remediation items with owners; this is the evidence an auditor will typically ask for.

Tips for Success

  • Rotate scenarios each session to cover different risk areas.
  • Include new hires or cross-functional teammates to improve company-wide awareness.
  • Record the session or keep detailed notes for future audits, including an attendance list.
  • Use it as a team-building opportunity, not just a security drill.