
How to Run Your First Cyber Tabletop Exercise: Complete Guide

January 10, 2026 · 5 min read

How to Run Your First Cyber Tabletop Exercise (Without Overthinking It)

Many teams stay in "we should run a tabletop" mode for quarters—or years—waiting for the perfect scenario, roster, and window.

Ship the first version. The first run will be imperfect; the fifth will be strong. You do not get to five by endlessly polishing one.

Who this is for: IR leads, IT security, and anyone who can pull legal and comms into the room (even once).

Step 1: Pick a Scenario (15 Minutes)

Don't write one from scratch for your first exercise. Use something that already exists.

Best starting points:

  • CISA's free Tabletop Exercise Packages (CTEPs) — over 100 ready-to-run scenarios covering ransomware, insider threats, and sector-specific attacks
  • Real-world incidents — pick a breach from the news and ask "what would we do?"
  • Our scenario library — pre-built exercises you can customize and run immediately

For your first time, I'd recommend a ransomware scenario. Everyone understands ransomware, and it forces the decisions that matter: containment, internal and external communication, legal obligations such as breach notification, and whether to pay. Check out our ransomware exercise walkthrough for a detailed example.

Step 2: Invite 6-10 People (5 Minutes)

Don't overthink the invite list. You need:

  • Someone from security/IT (your SOC lead, IR manager, or whoever would actually respond)
  • Someone from leadership (CISO, CTO, or a director) who can actually authorize decisions such as taking systems offline
  • Someone from legal or compliance
  • Someone from communications (whoever would draft the public statement)

That's it for your first exercise. You can expand later. If you can't get legal or comms, do it anyway with just your security team — some practice beats no practice.

Step 3: Set Up the Room (10 Minutes)

Book a conference room for 90 minutes. That's it. No special equipment needed.

Prepare:

  • A printed or shared copy of the scenario
  • A whiteboard or shared doc for notes
  • Someone designated to take notes (not the facilitator) — capture decisions, who made them, and the questions nobody could answer

Do NOT prepare: slide decks, formal agendas with 20 agenda items, pre-written response scripts. This isn't a presentation. It's a conversation.

Step 4: Facilitate the Exercise (60 Minutes)

Opening (5 min): "We're going to walk through a cyber incident scenario. There are no right answers. The goal is to find out where our plan has gaps."

Present the first inject. Read the situation, then ask: "What's our first move?"

Then shut up and let them talk. This is the hardest part for most facilitators. Resist the urge to guide them toward the "right" answer. Let them struggle. Let them disagree. That's where the learning happens.

Good facilitator questions:

  • "Who makes that call? Is everyone clear on that?"
  • "How would we actually communicate that? What channel?"
  • "What if the backup is also compromised?"
  • "What does legal need from us at this point?"

Move through your injects, spending about 10-15 minutes on each. That leaves time for four or five injects in the 60 minutes; if a discussion is surfacing real gaps, let it run and drop an inject rather than cut it off.

Want to see how inject-based pacing works in practice? Try the interactive demo — it walks you through a real scenario with branching decisions.

Step 5: Debrief (20 Minutes)

Go around the room and ask two questions:

  1. "What surprised you?" — This surfaces the gaps nobody saw coming
  2. "What's one thing we should fix before the next exercise?" — This creates action items

Write down every gap and every action item, and put an owner's name next to each one. This is the actual deliverable of the exercise — not a compliance report, but a list of things to fix and who is fixing them.

Step 6: Do It Again in 90 Days

The biggest mistake teams make with their first exercise is treating it as a one-time event. Schedule the next one before you leave the room. Put it on the calendar. Make it a quarterly habit.

Each exercise gets better. Your team gets faster. Your plans get tighter. That's the whole point — not perfection, but continuous improvement.

What If You're a Team of One?

Solo security practitioners can still practice incident response. Check out our guide on running a 5-minute cyber drill solo — it's designed for exactly this situation.

Your First Exercise Checklist

  • [ ] Pick a scenario (use our library or CISA's resources)
  • [ ] Invite 6-10 people, book 90 minutes
  • [ ] Prepare 4-5 scenario injects
  • [ ] Facilitate — ask questions, don't lecture
  • [ ] Debrief — capture gaps and assign owners
  • [ ] Schedule the next one in 90 days

That's it. No perfect scenario required. No months of planning. Just get people in a room, present a crisis, and see what happens. You'll learn more in 60 minutes than in a year of reading playbooks.


Tags: tabletop exercise, incident response, cyber drill, CISO, how-to
