What Is a Tabletop Exercise? (Explained in 2 Minutes)
What Is a Tabletop Exercise? (Explained in 2 Minutes)
A tabletop exercise is a structured conversation about a crisis—usually cyber—where the team walks through what they would do as facts unfold. No production changes; the goal is to rehearse decisions, handoffs, and gaps in the plan.
It is closer to a fire drill for judgment than to a penetration test: you are not proving a server is vulnerable; you are proving people know who decides what, and in what order.
How It Works
- A facilitator presents a scenario. "It's Monday morning. Your SOC just flagged suspicious outbound traffic from three servers."
- The team discusses what they'd do. Not what the playbook says — what they'd actually do.
- The facilitator introduces new information (called "injects") that changes the situation. "The attacker just deployed ransomware. Your file servers are encrypted."
- The team adapts and responds. New decisions, new priorities, new problems.
- Everyone debriefs. What went well? Where did you get stuck? What needs to change?
That's it. The whole thing takes 60-90 minutes.
Who Should Run Them?
Everyone with an incident response plan. If you have a plan, you need to practice it. Plans that sit in a SharePoint folder don't work when the building is on fire.
Specifically:
- Security teams — to test detection and containment procedures
- Leadership teams — to practice crisis decision-making (see our executive drill guide)
- Cross-functional groups — to test coordination between security, legal, comms, and leadership
Why Bother?
Because reading a playbook isn't the same as using one. Tabletop exercises reveal the gaps you can't see on paper:
- The moment two people realize they both think they're in charge
- The communication channel nobody tested
- The backup recovery process that takes 72 hours, not 4
These are things you want to discover on a Tuesday afternoon, not during an actual breach at 3 AM.
How Do I Start?
The fastest way: pick a scenario and schedule 90 minutes. That's it.
- Browse our scenario library for ready-to-run exercises
- Read our step-by-step guide for running your first exercise
- Try an interactive exercise to see what it feels like
If you're a solo practitioner, you can even practice incident response on your own.
For a deep dive into IR-focused exercises, check our incident response tabletop exercise guide. For scenario ideas, see 10 scenarios every CISO should practice.
In short: Low tooling overhead; high honesty requirement. Pick a scenario, run 60–90 minutes, capture gaps, assign owners. Library · IR teams · IT leaders · Consultancies.
Ready to Put This Into Practice?
Use our free scenario builder to create custom cyber tabletop exercises based on these strategies.