
MSSP Guide: Delivering Tabletop Exercises to Clients at Scale

February 6, 2026 · 6 min read

MSSP Guide: How to Deliver Tabletop Exercises Without Losing Your Mind

Tabletops are an easy add-on in a proposal. Clients expect them. Compliance frameworks reference testing. Sales loves them because they open doors. But fully bespoke scenarios for every client every quarter do not scale, and the consultancies that try to deliver that way quietly burn out their senior people or let margin leak until the service is unprofitable.

The fix isn't working harder. It's repeatable structure: a small number of core attack flows, client-specific context layered on top, and a consistent delivery and reporting template that looks the same whether the client is a 200-person law firm or a 2,000-person hospital network.

Below is a practical model we see working for consultancies, vCISOs, and MSSPs that have standardized on scenario libraries plus light per-client customization. It's not theory — it's the pattern that the better-run firms we talk to have already converged on.

Why tabletop exercises are the perfect MSSP service

High perceived value, low delivery cost — once you have a system. Clients can't easily run these themselves. They lack three things: the expertise to design a realistic scenario, the objectivity to challenge their own people, and the facilitator muscle to keep a room productive for 90 minutes. You have all three, and a client will happily pay you to rent them.

Recurring revenue. Most compliance frameworks — SOC 2, ISO 27001, HIPAA, PCI DSS, NIS2 — expect the incident response plan to be tested at planned intervals (PCI DSS, for example, requires testing at least once every 12 months). None of them mandates quarterly, but quarterly is the cadence most mid-market clients and their auditors are comfortable with, so that is what gets locked in for the length of the engagement. That's a predictable annuity built on top of work you're already doing.

Land and expand, baked in. Every tabletop reveals gaps. Gaps become remediation projects. Remediation projects become retainers. The exercise isn't just a service — it's the highest-signal sales tool you have for your other offerings, because the client sees the gap themselves in real time, rather than being told about it in a slide deck.

A stickier relationship. A client who watches you facilitate their exec team through a ransomware scenario doesn't think of you as a vendor anymore. They think of you as the firm they call when something real happens. That's a different kind of account.

The scalability problem

Here's where most MSSPs get stuck: every client feels like a custom engagement. Different industry, different size, different threats, different compliance regime, different risk appetite, different personalities in the room. You can't just run the same ransomware scenario for a hospital, a law firm, and a manufacturing company.

Or can you?

You can — if you separate the two layers that most consultancies blur together: the attack flow, which is what happens technically, and the context, which is who it happens to. Attack flows are reusable. Context is not. If you build your delivery model around that distinction, everything gets easier.

The template + customize model

The secret to scaling tabletop exercises is templatized scenarios with client-specific context. You don't build from scratch every time. You maintain a small library of base scenarios and adapt the wrapper for each client.

Step 1: Build a scenario library

Start with 5–8 base scenarios that cover the threats your client base actually faces:

  • Ransomware with data exfiltration (the scenario nearly every client asks for first)
  • Business email compromise leading to wire fraud
  • Malicious or negligent insider
  • Supply chain / third-party compromise
  • Cloud infrastructure breach (AWS/Azure key exposure)
  • Credential stuffing and MFA fatigue
  • DDoS plus extortion
  • A regulated-industry variant (HIPAA breach, PCI incident, GDPR mass notification)

That covers the vast majority of what mid-market clients will ever ask to practice. Build each one once. Review them every six months to keep them current with what's actually happening in the wild.

You can build these using our scenario builder and maintain them as reusable templates. The builder lets you create branching scenarios with decision points — more engaging than a static Word doc, and critically, the branches mean the exercise responds to the client's choices rather than reading the same script out loud regardless of what the room decides.

Step 2: Customize the context, not the scenario

For each client, change the wrapper:

  • Company name, industry, and geography
  • Specific systems, applications, and data at risk (their CRM, their payroll, their EMR)
  • Regulatory requirements (HIPAA, PCI-DSS, GDPR, state notification laws, sector regulators)
  • Key personnel and roles — real names, real titles, real reporting lines
  • A couple of industry-plausible details in the injects (the ransom note references their vertical, the journalist is from a trade publication they'd recognize)

The attack flow stays the same. The wrapper changes. The first time you do this it takes a couple of hours. By the tenth time, a practiced analyst is doing it in 30–45 minutes instead of the 15 hours a bespoke build would have eaten.

Step 3: Deliver consistently

Use the same facilitation framework every time:

  • 15-minute brief: ground rules, objective, who's in the room
  • 60-minute exercise: 4–5 injects, each forcing a decision
  • 15-minute hot debrief: what surprised you, where did you hesitate
  • Written report within one week: top 5 gaps, owners, recommendations

The rhythm isn't glamorous, but it is what does the heavy lifting: the brief, the timing, the inject format, and the report template are identical from one engagement to the next. Your delivery team doesn't have to invent anything under pressure. Junior people can run the middle sections with an experienced lead supervising. That's how you get from one engagement a month to one a week without hiring.

For the underlying design principles behind these scenarios — picking objectives, writing injects that force decisions, running a debrief that actually sticks — our incident response tabletop exercise guide goes deep on the mechanics.
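As an added illustration of the three steps above (this is not code from the page or from any product it mentions), the following Python sketch keeps the attack flow and the client wrapper as separate data: branching injects are written once with {placeholders}, a per-client dictionary fills them, rendering fails closed if any placeholder is left unfilled so a half-customised scenario cannot reach a client, and each library entry is tagged by attack type, industry, and framework so a consultant can pull the right base flow. The scenario text, tags, the hospital context, and every name in it are constructed sample data.

```python
"""Scenario library sketch: reusable attack flow + per-client context wrapper.
Added illustration; scenario text, tags and client context are constructed samples."""
from dataclasses import dataclass
from string import Formatter


@dataclass(frozen=True)
class Inject:
    """One inject in the attack flow. `choices` maps the room's decision label
    to the next inject id; an empty dict means the exercise ends here."""
    id: str
    text: str      # may contain {placeholders} that the client context fills
    choices: dict


@dataclass(frozen=True)
class Scenario:
    """A base scenario: the attack flow with no client specifics baked in."""
    name: str
    tags: frozenset
    start: str
    injects: dict  # inject id -> Inject


def placeholders(scenario):
    """Every {field} the flow expects the client context wrapper to supply."""
    names = set()
    for inj in scenario.injects.values():
        names.update(f for _, f, _, _ in Formatter().parse(inj.text) if f)
    return names


def render(scenario, context):
    """Fill the wrapper into every inject. Fails closed on a missing field so a
    half-customised scenario (a stray '{company}') never reaches a client."""
    missing = placeholders(scenario) - set(context)
    if missing:
        raise KeyError(f"context is missing fields: {sorted(missing)}")
    return {i: inj.text.format(**context) for i, inj in scenario.injects.items()}


def walk(scenario, context, decisions):
    """Follow the branch the room actually chose and return the injects in the
    order the facilitator read them. Raises ValueError on a choice the current
    inject does not offer (including any decision after the flow has ended)."""
    rendered = render(scenario, context)
    cur, path = scenario.start, []
    for choice in decisions:
        path.append(rendered[cur])
        offered = scenario.injects[cur].choices
        if choice not in offered:
            raise ValueError(f"inject {cur} offers {sorted(offered)}, not {choice!r}")
        cur = offered[choice]
    path.append(rendered[cur])
    return path


def find(library, required_tags):
    """Library lookup by tag, e.g. {'attack:ransomware', 'framework:HIPAA'}."""
    return [s for s in library if set(required_tags) <= s.tags]


# --- constructed sample library (hypothetical content) ---------------------
RANSOMWARE = Scenario(
    name="Ransomware with data exfiltration",
    tags=frozenset({"attack:ransomware", "attack:exfiltration", "industry:any",
                    "framework:HIPAA", "framework:PCI-DSS"}),
    start="i1",
    injects={
        "i1": Inject("i1", "{it_lead} reports that {critical_system} is encrypted; "
                     "the ransom note names {industry} organisations as targets.",
                     {"isolate": "i2", "wait": "i3"}),
        "i2": Inject("i2", "Isolation holds, but the crew claims to have exfiltrated "
                     "{data_type}. {legal_lead} asks whether the {regulator} "
                     "notification clock has already started.",
                     {"notify_now": "i4", "verify_first": "i4"}),
        "i3": Inject("i3", "The encryption reaches the backups of {critical_system} "
                     "before anyone acts.", {"isolate": "i2"}),
        "i4": Inject("i4", "A reporter from {trade_publication} emails {company} "
                     "asking for comment.", {}),
    },
)
BEC = Scenario(
    name="Business email compromise leading to wire fraud",
    tags=frozenset({"attack:bec", "industry:any"}),
    start="b1",
    injects={"b1": Inject("b1", "{finance_lead} receives an urgent wire request that "
                          "appears to come from the CEO of {company}.", {})},
)
LIBRARY = [RANSOMWARE, BEC]

# constructed client wrapper for a regional hospital (hypothetical names)
HOSPITAL = {
    "company": "Example Regional Health", "industry": "healthcare",
    "critical_system": "the EMR", "data_type": "patient records",
    "it_lead": "The infrastructure manager", "legal_lead": "General counsel",
    "regulator": "HHS OCR", "trade_publication": "a healthcare trade weekly",
}

if __name__ == "__main__":
    for line in walk(RANSOMWARE, HOSPITAL, ["isolate", "notify_now"]):
        print("-", line)
```

The two checks are the point: `render` refuses to produce a deliverable with an unfilled field, and `walk` refuses a decision the flow never offered, so the exercise record always matches a real branch of the library scenario. Rolling a bespoke build back into the library is then a matter of replacing its client specifics with placeholders and adding tags.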

Pricing and packaging

Per-exercise pricing works fine for one-offs and pilots, but the real business is in annual packages:

  • Starter: 2 exercises per year + written reports. Basic compliance coverage, fits clients with small security teams and a board that just wants a tick-box.
  • Standard: 4 exercises per year + reports + gap remediation recommendations. The sweet spot for most mid-market clients.
  • Premium: 4 exercises per year + post-exercise remediation support + an annual maturity assessment. Sold to larger clients or those in heavily regulated sectors.
  • Executive-only tier: one or two exercises a year targeted at the C-suite and board, usually priced as a premium add-on. See the executive cyber crisis drill guide for the format.

Anecdotally, per-exercise fees for mid-market clients often land somewhere from the low thousands into the high thousands; annual packages with quarterly runs scale from there. Use your local market, scope (prep hours, travel, reporting depth), and the client's size and sector to set ranges. A regional hospital system with a sensitive regulator expects to pay more than a 150-person SaaS startup, and rightly so.

A few pricing lessons from MSSPs who've been at this a while:

  • Don't discount the report. The report is what the client puts in front of their board and their auditors. It's also the artifact that justifies your fee six months from now when someone reviews the spend. Undercharge for the report and you train the client to see it as filler.
  • Price the executive exercise separately. An exec-level tabletop is a different product from a technical IR drill. Different audience, different prep, different stakes. Don't bundle it as "same service, different room."
  • Build in travel as its own line. On-site exercises are worth more than remote ones, but only if the economics work for you. Be explicit.

Facilitation tips for client exercises

Be the outside expert, not the critic. You're there to help the client find gaps, not to make their team look bad. The moment it feels like a performance review, everyone in the room goes quiet and the exercise stops producing useful data. Frame every finding as an opportunity, not a failure.

Let the client's team lead the discussion. Your job is to facilitate, not to demonstrate how much you know. Ask questions. Let silence happen. When someone senior on the client side tries to hand the decision back to you — "well, what would you do?" — bounce it back: "What does your team think is the right call here?" The exercise is about their muscle, not yours.

Always tie findings back to concrete actions. "Your team was unsure about breach notification timelines" is a gap. "We recommend documenting a state-by-state notification matrix, assigning it to the legal team, and training the IR lead on it by end of Q3" is a recommendation. The first one they read and nod at. The second one they can actually do.

Document everything, but keep the report tight. The written report is what the client shows their board and their auditors — and what they use to justify next year's budget for your services. Make it professional, concise, and actionable. Two or three pages of sharp findings beat a 30-page deliverable every time.

Calibrate the difficulty. A scenario that's too easy produces a happy room and a useless report. A scenario that's too hard demoralizes the team and makes them defensive. Aim for the middle: the team succeeds on the obvious calls, stumbles on two or three meaningful ones, and leaves the room with things to fix but not things to hide.

Protect the junior voices. Some of the best findings come from the analyst or the junior counsel who notices a process gap the senior people have normalized. A facilitator who actively invites those voices — "Nadia, from the SOC side, what are you seeing?" — surfaces issues the exec team would otherwise paper over.

Scaling beyond manual delivery

Once you're delivering 10+ exercises per quarter, manual delivery stops scaling and you need to productize further. A few moves that work:

  • Self-service exercises for smaller clients. Set them up with our interactive scenario player so they can run the exercise themselves with their own team. You review the results, write the report, and spend an hour in a debrief call. That model lets you serve tier-3 clients profitably without burning a senior facilitator on a small account.
  • Train-the-trainer programs. Teach the client's security lead to facilitate, while you supply the scenarios, the framework, and the oversight. This works especially well for larger clients who want to run internal exercises between your quarterly engagements. You don't lose the account — you become the source of their exercise program.
  • A white-label library. Maintain a shared catalog of scenarios your delivery team can pull from. Tag each one by industry, by attack type, and by compliance framework. New consultant joins? They're productive on day two because the scenarios already exist.
  • Quarterly content refresh. Assign one senior person a day per quarter to update the library with what's actually happening in the wild. New ransomware crew targeting hospitals? New scenario. Big supply chain incident in the news? Adapt it into a template. Fresh content is the single clearest signal to clients that they're getting expertise, not a canned service.
  • A standard debrief template. Fields for top five gaps, owners, deadlines, recommended remediation, next-exercise suggestion. Same template every time. The client starts to recognize the structure, which builds trust — they know what's coming.

Browse our scenario library for pre-built exercises you can white-label and customize for each client. Some of them will fit your practice; others you'll adapt. Either way, the cost of starting from scratch drops to near zero.

Common MSSP-specific traps

Custom-building for a big client and never rolling it back into the library. You spent 30 hours on a beautiful bespoke scenario for one insurance company. Great. Now extract the attack flow, strip the context, and add it to the library. Next time it's a 45-minute job.

Treating the tabletop as a standalone product. It isn't. It's the top of a funnel. The exercise finds gaps, the gaps become projects, the projects become the real revenue. If your tabletop practice isn't feeding your other service lines, you're leaving most of the value on the table.

Under-investing in the facilitator bench. The quality of the facilitator is the single biggest variable in how a client experiences the service. A great facilitator makes a mediocre scenario feel valuable; a weak facilitator makes a great scenario fall flat. Invest in developing that bench deliberately — shadowing, debriefs after every engagement, written rubrics.

Letting the report become a formality. If your delivery team is copy-pasting recommendations between engagements without looking at the notes, clients will notice within two reports. The report is the product. Treat it that way.

The bottom line

Margin in this service comes from repeatability. Scenario templates that get reused. A facilitation script that looks the same on every engagement. Reports built on a fixed template that clients can take straight to the board or the auditor without edits. Build that system once, tune it per client, and the same team that was drowning at five engagements a quarter can comfortably run twenty.

If you standardize delivery, a scenario builder plus library content can replace the one-off Word docs that eat your senior people's time — create a base flow, fork it per tenant, layer in the context, run the exercise, deliver a report that looks like every other report you've ever delivered. Boring is the goal. Boring scales.

Further reading: the IR tabletop guide (design principles), 10 CISO scenarios (scenario seeds), and the MSSP and consultancy and pricing pages.
