You have an incident response plan. Maybe it lives in a shared drive somewhere, maybe someone printed it out last year. But here's the uncomfortable question: has anyone on your team actually practiced using it?
If the answer is no, you're not alone. Most small and mid-size organizations write an IR plan, file it away, and never test it until a real incident forces everyone to figure things out on the fly. That's not a plan. That's a hope.
Tabletop exercises are the cheapest, most effective way to test your incident response plan without waiting for a real crisis to expose the holes. No servers go down. No data gets lost. You just sit around a table (or a video call) and walk through a scenario together. And you can do it in 60 minutes.
This post is a complete tabletop exercise kit. Everything you need to run one this month, including a facilitator guide, three ready-to-use scenarios, discussion prompts for each phase, a scoring concept, and a post-exercise report template. It's designed for teams of 4 to 10 people, and you don't need an external facilitator. Anyone on your team can run it.
Why Tabletop Exercises Matter
A tabletop exercise is a discussion-based simulation. You present a realistic security scenario to your team and walk through how you'd respond, step by step. Nobody touches a keyboard. Nobody pulls a network cable. You're testing your decision-making, your communication, and your plan, not your technical tools.
The value is hard to overstate. In 60 minutes, a tabletop exercise will reveal gaps that months of planning on paper will miss. Things like:
- Who actually makes the call to shut down systems? Is it documented? Does that person know?
- Can your team reach the right people at 2 AM on a Saturday?
- Does everyone know where the IR plan is and how to use it?
- Are there handoff gaps between IT, leadership, legal, and communications?
With Cybersecurity Awareness Month coming up in October, now is the perfect time to schedule a session. Walk into October with real data on where your IR plan stands instead of assumptions.
The Facilitator Guide
You don't need a consultant or a hired facilitator. You need one person willing to lead the conversation. Here's what that person should do.
Before the Exercise
- Pick a scenario from the three below (or adapt one to your environment)
- Block 60 minutes on the calendar with at least a week's notice
- Invite 4 to 10 participants: mix of IT, leadership, and anyone with a role in your IR plan
- Print or share the scenario details, but don't distribute them ahead of time. You want genuine reactions, not rehearsed answers
- Have a copy of your current IR plan available for reference during the exercise
- Prepare a simple note-taking template to capture decisions, gaps, and action items
The 60-Minute Agenda
- Introduction (5 minutes): Set the ground rules. This is a learning exercise, not a test. There are no wrong answers. The goal is to find gaps before a real incident finds them for you.
- Scenario Presentation (5 minutes): Read the scenario aloud. Let it sink in. Answer clarifying questions about the setup, but don't give away how it should be handled.
- Phase 1 - Detection and Initial Response (15 minutes): Walk through the first moments of the incident. Who notices it? Who gets called? What's the first action?
- Phase 2 - Containment and Investigation (15 minutes): The incident is confirmed. Now what? How do you stop the bleeding? Who leads the investigation? What gets communicated and to whom?
- Phase 3 - Recovery and Lessons Learned (10 minutes): The incident is contained. How do you get back to normal operations? What needs to change to prevent this from happening again?
- Debrief and Action Items (10 minutes): Capture the top gaps identified. Assign owners and deadlines. Schedule follow-up.
Facilitator Tips
- Keep the discussion moving. If the group gets stuck on one point for more than 3 minutes, note it as a gap and move on.
- Ask "what happens next?" frequently. It forces the team to think sequentially instead of jumping to the end.
- If someone says "I think we have a process for that," stop and ask if anyone can describe it. If nobody can, that's a finding.
- Inject curveballs during the scenario. "The backup admin is on vacation." "Legal can't be reached." This keeps it realistic.
Scenario 1: Ransomware Attack
Setup: It's Tuesday morning at 8:15 AM. Your helpdesk starts receiving calls from multiple employees who can't access their files. Desktop wallpapers have been changed to a ransom note demanding $250,000 in cryptocurrency within 48 hours. Your file server, two department shares, and the accounting application are all encrypted. The attackers claim they've also exfiltrated customer data and will publish it if payment isn't made.
Phase 1 Discussion Prompts
- Who is the first person to realize this is ransomware and not just an IT glitch?
- What's the process for escalating from "users can't access files" to "we have a security incident"?
- Who has the authority to disconnect systems from the network?
- How quickly can you determine which systems are affected and which are still clean?
Phase 2 Discussion Prompts
- Do you have immutable backups? When were they last tested?
- Who contacts your cyber insurance carrier? Do you have the policy number and claims phone number accessible?
- How do you determine whether data was actually exfiltrated or if the attacker is bluffing?
- Who briefs leadership, and what do they need to know in the first hour?
- Do you have a framework for the pay or don't pay decision?
Phase 3 Discussion Prompts
- How long does a full restore from backup actually take? Has anyone timed it?
- What credentials need to be reset before bringing systems back online?
- How do you communicate with customers whose data may have been exposed?
- What regulatory notifications are required, and what are the deadlines?
Scenario 2: Insider Data Theft
Setup: Your HR department notifies IT that a senior engineer submitted their two-week notice on Friday. On Monday, your DLP tool (or a coworker's tip) flags that this employee downloaded 2.4 GB of files from your product development share to a personal USB drive over the weekend. The files include customer lists, proprietary designs, and a pricing database. The employee is still coming into the office and has full system access.
Phase 1 Discussion Prompts
- Who receives the DLP alert or the coworker tip? What's the escalation path?
- Does IT coordinate with HR and legal before taking action, or does IT act independently?
- How do you confirm what was actually downloaded without tipping off the employee?
- Is there a documented offboarding process that addresses access revocation timing?
Phase 2 Discussion Prompts
- At what point do you revoke the employee's access? Immediately, or after gathering more evidence?
- Who conducts the conversation with the employee? IT? HR? Legal?
- Do you involve law enforcement? At what threshold?
- Can you determine if the data has already been shared with a competitor or uploaded to a personal cloud account?
Phase 3 Discussion Prompts
- How do you prevent this from happening with the next departing employee?
- Are your access controls scoped tightly enough, or did this person have access to data they didn't need?
- Does your employee handbook or employment agreement address data handling and IP ownership?
- What changes to your offboarding checklist would have caught this sooner?
Scenario 3: Third-Party Vendor Breach
Setup: You receive an email from your payroll processing vendor informing you that they experienced a data breach. The vendor confirms that employee Social Security numbers, bank account details for direct deposit, salary information, and home addresses for your entire workforce were exposed. The breach happened three weeks ago, but the vendor is just now notifying customers. Media coverage is starting.
Phase 1 Discussion Prompts
- Who receives the vendor notification? Is there a process for triaging third-party breach notifications?
- How do you verify the notification is legitimate and not a phishing attempt itself?
- What's your contractual relationship with this vendor? Do you have an SLA for breach notification timing?
- Who needs to know internally, and in what order?
Phase 2 Discussion Prompts
- What questions do you ask the vendor about scope, root cause, and their remediation steps?
- How and when do you notify your employees that their personal data was exposed?
- Are you obligated to offer credit monitoring? Who pays for it, you or the vendor?
- Do you have other vendors with similar access to sensitive data? Should you be assessing them right now?
Phase 3 Discussion Prompts
- Do you continue using this vendor, or start looking for alternatives?
- How do you update your vendor risk assessment process based on this experience?
- What contractual protections (breach notification timelines, liability caps, audit rights) do you add to future vendor agreements?
- How do you handle employee concerns and questions in the days and weeks after notification?
Scoring Rubric: How Did You Do?
After the exercise, rate your team's performance in each area on a simple 1 to 5 scale. This isn't about grades. It's about identifying where you're strong and where you need work.
- Detection Speed: How quickly did the team recognize the incident and begin the response process? (1 = no clear process, 5 = clear triggers and immediate escalation)
- Role Clarity: Did everyone know their role, or was there confusion about who does what? (1 = nobody knew, 5 = every role was clear and practiced)
- Communication: Was the notification chain clear? Did the right people get informed in the right order? (1 = ad hoc and chaotic, 5 = documented chain followed smoothly)
- Decision-Making: Were key decisions made confidently, or did the team stall waiting for someone else to decide? (1 = paralysis, 5 = clear authority and timely decisions)
- Plan Awareness: Could participants reference and use the IR plan during the exercise? (1 = nobody knew where it was, 5 = actively used as a reference throughout)
- Recovery Planning: Did the team have a realistic understanding of recovery timelines and requirements? (1 = no idea, 5 = tested and documented recovery procedures)
A total score of 24 or above means your IR plan is in decent shape. Below 18, you have some real work to do before an actual incident puts your plan to the test.
Post-Exercise Report Template
Within 48 hours of the exercise, the facilitator should distribute a short report. Keep it to one page. Here's the format:
- Exercise Date and Scenario: Which scenario was used, who participated, and how long it ran
- Top 3 Gaps Identified: The most significant weaknesses revealed during the exercise. Be specific. "Communication was unclear" is not helpful. "No documented process for notifying the CEO after hours" is.
- What Worked Well: Give credit where it's due. Highlight the areas where your team responded confidently.
- Action Items: Each gap gets an owner and a deadline. No gap should leave the report without someone's name next to it.
- Next Exercise Date: Schedule the next one before everyone leaves the room. Quarterly is ideal. Twice a year is the minimum.
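To make the scoring rubric and the report template concrete, here is a small Python helper, added as an example and not part of the original post: it sums the six rubric scores, applies the 24 and 18 thresholds above, ranks the weakest areas as candidates for the top-three gaps, and refuses to render the one-page report while any gap lacks an owner or a deadline, or while the next exercise is not on the calendar. The sample scores, names and dates are constructed; the label used for totals from 18 to 23 and the 183-day cap on the next exercise date are this example's assumptions, not the post's.

```python
"""Tabletop scoring and one-page report helper (added example, not from the original post)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The six areas of the post's scoring rubric, each rated 1 to 5.
RUBRIC_AREAS = (
    "Detection Speed",
    "Role Clarity",
    "Communication",
    "Decision-Making",
    "Plan Awareness",
    "Recovery Planning",
)


@dataclass
class ActionItem:
    """One gap from the report; the post's rule is that no gap leaves without an owner and a deadline."""
    gap: str
    owner: str = ""
    deadline: Optional[date] = None


def total_score(scores: dict) -> int:
    """Sum the six rubric scores after checking every area is present and on the 1-5 scale."""
    missing = set(RUBRIC_AREAS) - set(scores)
    if missing:
        raise ValueError(f"missing rubric areas: {sorted(missing)}")
    for area, value in scores.items():
        if area not in RUBRIC_AREAS:
            raise ValueError(f"unknown rubric area: {area}")
        if not 1 <= value <= 5:
            raise ValueError(f"{area}: score {value} is outside the 1-5 scale")
    return sum(scores.values())


def readiness_band(total: int) -> str:
    """24 and above, and below 18, are the post's thresholds; the middle label is an assumption."""
    if total >= 24:
        return "decent shape"
    if total < 18:
        return "real work to do"
    return "needs attention"


def weakest_areas(scores: dict, n: int = 3) -> list:
    """Lowest-scoring areas first (ties in rubric order): candidates for the Top 3 Gaps section."""
    total_score(scores)  # validates areas and scale before ranking
    order = {area: i for i, area in enumerate(RUBRIC_AREAS)}
    return sorted(scores, key=lambda area: (scores[area], order[area]))[:n]


def report_problems(exercise_date: date, items: list, next_exercise: date) -> list:
    """Return everything that would block the report; an empty list means it can go out."""
    problems = []
    if len(items) != 3:
        problems.append(f"expected 3 gaps, got {len(items)}")
    for item in items:
        if not item.owner.strip():
            problems.append(f"no owner: {item.gap!r}")
        if item.deadline is None:
            problems.append(f"no deadline: {item.gap!r}")
        elif item.deadline <= exercise_date:
            problems.append(f"deadline is not after the exercise: {item.gap!r}")
    # Twice a year is the post's minimum cadence; 183 days is this example's approximation of six months.
    if next_exercise <= exercise_date:
        problems.append("next exercise must be after this one")
    elif next_exercise - exercise_date > timedelta(days=183):
        problems.append("next exercise is more than six months out")
    return problems


def render_report(scenario, exercise_date, participants, scores, items, worked_well, next_exercise) -> str:
    """Render the post's one-page report; raises instead of shipping a report with unowned gaps."""
    problems = report_problems(exercise_date, items, next_exercise)
    if problems:
        raise ValueError("; ".join(problems))
    total = total_score(scores)
    lines = [
        f"Exercise Date and Scenario: {exercise_date.isoformat()}, {scenario}, "
        f"{len(participants)} participants ({', '.join(participants)})",
        f"Score: {total}/30 ({readiness_band(total)}); weakest areas: {', '.join(weakest_areas(scores))}",
        "Top 3 Gaps Identified:",
    ]
    lines += [f"  - {item.gap}" for item in items]
    lines.append("What Worked Well: " + "; ".join(worked_well))
    lines.append("Action Items:")
    lines += [f"  - {item.gap}: {item.owner}, due {item.deadline.isoformat()}" for item in items]
    lines.append(f"Next Exercise Date: {next_exercise.isoformat()}")
    return "\n".join(lines)


# Constructed sample data for one run of Scenario 1 (not a real exercise or real people).
SAMPLE_DATE = date(2025, 9, 16)
SAMPLE_SCORES = {
    "Detection Speed": 3, "Role Clarity": 2, "Communication": 4,
    "Decision-Making": 3, "Plan Awareness": 2, "Recovery Planning": 3,
}
SAMPLE_ITEMS = [
    ActionItem("No documented process for notifying the CEO after hours", "J. Lee", date(2025, 10, 3)),
    ActionItem("Full restore from backup has never been timed", "R. Patel", date(2025, 10, 17)),
    ActionItem("Cyber insurance claims number is not in the IR plan", "M. Chen", date(2025, 9, 26)),
]


def example_report() -> str:
    """Render the report for the constructed sample run."""
    return render_report("Scenario 1: Ransomware Attack", SAMPLE_DATE, ["IT lead", "CFO", "HR", "Helpdesk"],
                         SAMPLE_SCORES, SAMPLE_ITEMS, ["Network isolation decision was made within minutes"],
                         date(2025, 12, 9))


if __name__ == "__main__":
    print(example_report())
```

The sample run scores 17, which lands in the "real work to do" band, and the ranking surfaces Role Clarity and Plan Awareness as the first two gaps to write up. If the facilitator tries to render with a gap that has no owner, `render_report` raises rather than producing a report that violates the template's rule.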
Making This a Habit
One tabletop exercise is better than zero. But the real value comes from making it a regular practice. Here's a simple cadence that works.
- September: Run your first exercise using one of the scenarios above. Use October (Cybersecurity Awareness Month) to present the findings and action plan to leadership.
- December: Run scenario two with a focus on any gaps that were supposed to be fixed from the first exercise.
- March: Run scenario three. By now, your team should be noticeably faster and more confident in their responses.
- June: Create a custom scenario based on a real threat relevant to your industry. You've graduated from the starter kit.
"The best incident response plan is the one your team has actually practiced. Everything else is just documentation."
Get Started This Month
Here's your homework. Block 60 minutes on the calendar before the end of September. Pick a scenario. Send the invite. Run the exercise. It doesn't need to be perfect. The first one never is. What matters is that you did it.
After the exercise, identify your top three IR plan gaps and assign an owner to each one. That's it. Three gaps, three owners, three deadlines. You'll walk into Cybersecurity Awareness Month in October with a concrete improvement plan instead of another awareness poster on the break room wall.
Your IR plan deserves better than collecting dust. Give it 60 minutes.