Master the art of creating realistic, engaging cyber crisis scenarios that prepare teams for real incidents
Creating an effective cyber tabletop exercise scenario is both an art and a science. A great scenario challenges participants, reveals gaps in procedures, and generates actionable improvements - all while keeping people engaged.
This guide will teach you how to craft scenarios that your team will remember long after the exercise ends.
Base scenarios on real-world incidents that could actually happen to your organization. Use threat intelligence, industry reports, and recent news. Participants dismiss "aliens hacking your database" but take "ransomware via phishing" seriously.
Every scenario should force participants to make difficult decisions with imperfect information. "Do we shut down the website?" "Do we notify customers now or investigate first?" Great scenarios have no perfect answer - just trade-offs.
Start slow, then ratchet up complexity. Initial inject: "Suspicious activity detected." Later inject: "Data is being exfiltrated AND the CEO's laptop is compromised AND a reporter just called." This mirrors real incident stress.
Add realistic time pressure: "Ransom deadline in 24 hours." "Regulators require notification in 72 hours." Time constraints force prioritization and reveal how teams handle stress. But don't make it impossible - balance challenge with achievability.
Every scenario should have clear learning objectives. What do you want participants to practice? Communication with legal? Business continuity decisions? Regulatory compliance? Design each inject to test specific skills or procedures.
Set the stage. Describe the organization, current business state, and relevant background.
Example:
"You are ACME Corp, a mid-sized healthcare provider with 5 hospitals and 50 clinics. It's Monday morning, peak flu season. Your IT team just deployed a major EHR system upgrade over the weekend. The CFO is traveling in Europe. Your cyber insurance policy has a $500K deductible..."
Introduce the trigger event. Keep it simple at first.
Example:
"At 6:47 AM, your SOC analyst notices unusual network traffic. Multiple workstations are communicating with an unknown external IP address. Initial investigation shows encrypted files appearing on shared drives with .locked extensions..."
Discussion Questions:
Introduce new information that complicates the situation. Three to five injects are typical.
Inject 2 (30 min later):
"Ransomware has now encrypted 40% of your hospital systems, including patient records. A ransom note appears demanding $2M in Bitcoin within 48 hours. Your backup server is also encrypted..."
Inject 3 (1 hour later):
"A local news reporter calls your PR team asking about 'system outages affecting patient care.' Social media posts from frustrated patients are going viral. Your stock price just dropped 8%..."
Inject 4 (2 hours later):
"The attackers have exfiltrated 500GB of patient data before encrypting systems. Your legal counsel advises you may need to notify 100,000 patients under HIPAA breach rules..."
Force final decisions and wrap up the scenario.
Final Decision Point:
"It's now 24 hours into the incident. Your IT team estimates 2 weeks for full recovery without paying ransom. Your largest hospital contract is at risk if systems aren't restored in 72 hours. The FBI advises against payment but can't guarantee catching the attackers. What do you do?"
Options:
Example: "Do we take systems offline for forensics (lose revenue) or keep operating (risk spreading infection)?"
Bad Example: "What TCP port does the malware use?" (Too technical for executives)
Asking executives to analyze packet captures or configure firewalls. Focus on business decisions, not technical implementation.
"Nation-state actors breach your small business." While technically possible, it's not the most relevant threat for most organizations.
"Malware detected, antivirus removes it, done." No challenge = no learning. Good scenarios create pressure and reveal gaps.
Real incidents have deadlines: ransom timers, notification requirements, business operations at stake. Add realistic time constraints.
Designing a data breach scenario without involving legal counsel, or ransomware without finance (who approves payments). Include all relevant roles.
Describe the scenario you want: "Ransomware attack on healthcare provider during flu season." Our AI generates a complete exercise in minutes including injects, decision points, and facilitator notes.
Use our visual scenario editor to create custom exercises from scratch. Full control over every inject, decision point, and branching path. Perfect for unique or highly customized scenarios.
Browse our library of pre-built scenarios covering ransomware, data breaches, supply chain attacks, and more. Customize any template to match your organization.
When running internal exercises, use your actual company name, real systems, and actual executives. This increases realism and engagement. For external/training scenarios, use fictional but realistic names.
Include 1-2 unexpected twists: "Your backup administrator was the insider threat" or "The attackers planted ransomware 3 months ago and it just activated." These reveal how teams handle curveballs.
Add roles for journalists, regulators, customers, or law enforcement. This forces participants to practice external communication, not just internal coordination.
Each scenario should have 1-2 primary learning objectives. Don't try to test everything at once. "This exercise tests breach notification procedures and media communication" is focused. "This tests detection, response, recovery, legal, PR, and business continuity" is too broad.
Run new scenarios with a small group first. Get feedback on realism, difficulty, and timing before running with executives. Adjust based on what worked and what didn't.
Use everything you've learned to build a realistic, engaging tabletop exercise that prepares your team for real cyber crises.