MSSP Guide: Delivering Tabletop Exercises to Clients at Scale

February 6, 2026 · 6 min read

Tabletops are an easy add-on in proposals—clients expect them, frameworks reference testing—but fully bespoke scenarios every quarter do not scale. The fix is repeatable structure: core attack flows, client-specific context layered on top, and a consistent delivery and reporting template.

Below is a practical model we see working for consultancies standardizing on scenario libraries and light customization.

Why Tabletop Exercises Are the Perfect MSSP Service

High perceived value, low delivery cost (once you have a system). Clients can't easily do this themselves — they lack the expertise, the objectivity, and the scenarios. You have all three.

Recurring revenue. Compliance frameworks require regular testing. That's quarterly exercises for most clients, locked in.

Land and expand. A tabletop exercise reveals gaps. Gaps create projects. Projects create revenue. The exercise isn't just a service — it's a sales tool for your other offerings.

The Scalability Problem

Here's where most MSSPs get stuck: every client is a custom engagement. Different industry, different size, different threats, different compliance requirements. You can't just run the same ransomware scenario for a hospital, a law firm, and a manufacturing company.

Or can you?

The Template + Customize Model

The secret to scaling tabletop exercises is templatized scenarios with client-specific customization. You don't build from scratch every time. You maintain a library of base scenarios and adapt them.

Step 1: Build a scenario library. Start with 5-8 base scenarios that cover the most common threats:

  • Ransomware with data exfiltration
  • Business email compromise
  • Insider threat
  • Supply chain compromise
  • Cloud infrastructure breach

You can build these using our scenario builder and maintain them as reusable templates. The builder lets you create branching scenarios with decision points — much more engaging than a static Word doc.

Step 2: Customize the context, not the scenario. For each client, change:

  • Company name and industry
  • Specific systems and data at risk
  • Regulatory requirements (HIPAA, PCI-DSS, GDPR, etc.)
  • Key personnel and roles

The attack flow stays the same. The context changes. This takes 30 minutes instead of 15 hours.

Step 3: Deliver consistently. Use the same facilitation framework every time:

  • 15-minute brief
  • 60-minute exercise (4-5 injects)
  • 15-minute debrief
  • Written report within one week

Pricing and Packaging

Per-exercise pricing works for one-offs, but the real money is in packages:

  • Starter: 2 exercises per year + reports — basic compliance coverage
  • Standard: 4 exercises per year + reports + gap remediation recommendations
  • Premium: 4 exercises per year + post-exercise remediation projects + annual maturity assessment

Anecdotally, per-exercise fees for mid-market clients often land roughly in the low thousands to mid-to-high thousands; annual packages with quarterly runs scale up from there. Use your local market and the scope of the engagement (prep hours, travel, reporting depth) to set your own ranges.

Facilitation Tips for Client Exercises

Be the outside expert, not the critic. You're there to help, not to make them look bad. Frame gaps as opportunities, not failures.

Let the client's team lead the discussion. Your job is to facilitate, not to show off your knowledge. Ask questions, don't give answers.

Always tie findings back to actionable improvements. "Your team was unsure about breach notification timelines" → "We recommend documenting a state-by-state notification matrix and training the legal team on it."

Document everything. The written report is what the client shows their board and auditors. Make it professional, concise, and actionable.

Scaling Beyond Manual Delivery

Once you're delivering 10+ exercises per quarter, consider:

  • Self-service exercises for smaller clients using our interactive scenario player — they run the exercise, you review the results
  • Train-the-trainer programs where you teach the client's security lead to facilitate, while you provide the scenarios and oversight
  • Browse our scenario library for pre-built exercises you can white-label and customize for each client

The Bottom Line

Margin comes from repeatability: scenario templates, a fixed facilitation script, and reports clients can take to the board or auditor. Build that system once, then tune per client.

If you standardize delivery, a scenario builder plus library content can replace one-off Word docs: create a base flow, then fork it for each tenant. For design principles, see the IR tabletop guide; for scenario seeds, see the 10 CISO scenarios. Related pages: MSSP and consultancy, and Pricing.

Tags: MSSP, vCISO, consulting, tabletop exercise, service delivery, security consulting

Ready to Put This Into Practice?

Use our free scenario builder to create custom cyber tabletop exercises based on these strategies.