Cyber Exercise Resources
Expert guides, real-world scenarios, and best practices for running effective cyber tabletop exercises and incident response drills
Featured Articles
Introducing Facilitator Mode: Run Instructor-Led Cyber Tabletop Exercises
Run synchronized, instructor-led tabletop exercises with a shared presentation view and a private control panel. No installs, just links.
Incident Response Tabletop Exercise: Complete Guide for 2026
How to run incident response tabletop exercises that sharpen real response capability—not just satisfy auditors. Prep, scenario design, facilitation, and debrief in one place.
How to Run Your First Cyber Tabletop Exercise: Complete Guide
A practical path from zero to a first cyber tabletop this month: scenario, attendees, room setup, facilitation prompts, debrief, and a repeat cadence—without boiling the ocean.
10 Cyber Crisis Scenarios Every CISO Should Practice in 2026
Ten crisis scenarios worth rotating into your exercise program in 2026—from ransomware with exfiltration to deepfakes and combined physical-cyber events—and what each one stress-tests.
Ransomware Tabletop Exercise Scenario: Complete Walkthrough for IR Teams
A full ransomware tabletop walkthrough: injects, decision points, and facilitation notes—built to surface payment authority, backup trust, HIPAA-style timelines, media pressure, and recovery tradeoffs.
10 Best Cyber Crisis Tabletop Exercise Platforms (2026 Review)
How to choose tooling for cyber exercises in 2026: ranges vs BAS vs crisis simulation, ten representative vendors by category, and how to match platform type to SOC skills, leadership drills, or control validation.
All Articles
Introducing Facilitator Mode: Run Instructor-Led Cyber Tabletop Exercises
Run synchronized, instructor-led tabletop exercises with a shared presentation view and a private control panel. No installs, just links.
Read ArticleIncident Response Tabletop Exercise: Complete Guide for 2026
How to run incident response tabletop exercises that sharpen real response capability—not just satisfy auditors. Prep, scenario design, facilitation, and debrief in one place.
Read ArticleHow to Run Your First Cyber Tabletop Exercise: Complete Guide
A practical path from zero to a first cyber tabletop this month: scenario, attendees, room setup, facilitation prompts, debrief, and a repeat cadence—without boiling the ocean.
Read Article10 Cyber Crisis Scenarios Every CISO Should Practice in 2026
Ten crisis scenarios worth rotating into your exercise program in 2026—from ransomware with exfiltration to deepfakes and combined physical-cyber events—and what each one stress-tests.
Read ArticleExecutive Cyber Drill vs. Technical Incident Response: Key Differences
Technical IR exercises and executive crisis drills test different skills. Combining them into one session usually wastes one of the audiences—here is how to split them and when a joint run makes sense.
Read ArticleRansomware Tabletop Exercise Scenario: Complete Walkthrough for IR Teams
A full ransomware tabletop walkthrough: injects, decision points, and facilitation notes—built to surface payment authority, backup trust, HIPAA-style timelines, media pressure, and recovery tradeoffs.
Read ArticleMSSP Guide: Delivering Tabletop Exercises to Clients at Scale
How MSSPs and vCISOs can package tabletop exercises as a repeatable service: template libraries, light customization per client, facilitation rhythm, and pricing tiers—without a custom doc for every engagement.
Read ArticleExecutive Cyber Crisis Drill: Board-Ready Simulation Guide for IT Leaders
Design and run executive cyber crisis drills: length, scenario choice, decision-focused injects, facilitation tips, and what usually breaks first—without turning the room into a technical deep dive.
Read ArticleWhat Is a Tabletop Exercise? (Explained in 2 Minutes)
A short, plain-language explainer: what a tabletop exercise is, how injects work, who should participate, and why it beats only reading the IR plan.
Read ArticleGolden SAML Attacks: Why Your ADFS Is the Real Target
What Golden SAML is, why stolen token-signing keys bypass MFA, how the attack chain typically runs (including post-SolarWinds lessons), and what to monitor and rehearse in tabletop form.
Read ArticleThe 5-Minute Cyber Drill: How to Practice Incident Response Solo
A repeatable solo format: one scenario, five minutes, four prompts (first action, notification order, early scoping, containment)—plus a quick self-review to turn each drill into one concrete fix.
Read ArticleCrisis Management Team (CMT) Roles: Who Does What in a Tabletop Exercise?
Who sits on a typical cyber Crisis Management Team (CMT), what each role owns in a drill versus live incident, and the one question each role should be ready to answer when injects land.
Read ArticleScenario Library Spotlights
Explore interactive cyber crisis scenarios from our library.
Voice Phishing Campaign Targeting Bank Customers
A sophisticated voice phishing (vishing) campaign has compromised customer credentials through fake promotional calls, resulting in $2M+ in unauthorized IVR transactions. With 500M ILS processed daily through the IVR channel and the attack scope still unknown, executive leadership must make critical decisions about incident response, customer protection, regulatory compliance, and business continuity under intense time pressure.
Fraud campaign
A sophisticated phishing campaign targets your financial institution's high-value clients, resulting in unauthorized wire transfers. Navigate regulatory notifications, client communications, and operational response while managing reputational damage and potential regulatory sanctions.
CEO Deepfake
A sophisticated business email compromise (BEC) attack using AI voice cloning technology to impersonate executives and authorize fraudulent wire transfers. Players must navigate detection, response, and recovery decisions while managing regulatory, reputational, and financial impacts in a high-pressure environment.
Trusted Vendor, Untrusted Update
A sophisticated supply chain attack targeting a major bank through a compromised third-party banking software update. Exercise participants must navigate critical decisions about vendor isolation, regulatory compliance, customer communications, and business continuity while managing an advanced persistent threat that has infiltrated core banking systems.
The "Bank of the South" (March 2025)
A sophisticated multi-month APT campaign targeting a major financial institution. The Codebreakers collective uses phishing to establish persistence, exfiltrate 1M customer records, deploy ransomware, and leak high-net-worth client data when ransom demands are refused. This expert-level scenario challenges C-suite executives with complex decisions around crisis communications, regulatory compliance, business continuity, and stakeholder management during a catastrophic cyber incident.
The Twitter (X) "Celebrity Hijack" (July 2020)
A major social engineering attack compromises high-profile Twitter accounts through phone-based credential theft. As C-level executives, participants must navigate crisis communications, incident response, and stakeholder management while attackers use compromised accounts to run Bitcoin scams affecting world leaders and celebrities.
Ready to Build Your First Exercise?
Use our free scenario builder to create custom cyber tabletop exercises in minutes