The real value of tabletop exercises (and how to pick the right one)


A cybersecurity incident response tabletop exercise (TTX) is an activity conducted as a discussion. There can be multiple goals of a TTX, but a common goal is to review processes and procedures to identify gaps and dependencies in organizational response to an incident. This is done by involving the responders in your organization, including the members of leadership that are also responders. However, not every TTX is suited for the larger response group. It is common to decompose specific aspects of response and design scenarios, focusing on those aspects. Overall, tabletop exercises increase readiness in organizations, and it is expected that some TTXs will be geared towards separate groups, processes, or technologies in the organization.

Why do tabletop exercises?

A tabletop exercise is a discussion where a trusted partner (external vendor or internal well-experienced responder) leads the participants through an attack scenario that is relevant to you in a short meeting, usually one and a half to three hours in length. The goal is to review process and procedures, not conduct hands-on activities. The scenario themes change with time, and topics for a TTX today include:

·     Ransomware response

·     Attacker infiltration and detection

·     Data exfiltration/intellectual property loss

·     Business Continuity Planning/Disaster Recovery

·     Executive awareness and planning

·     Insider threat detection and response

·     Legal and corporate crisis communications

It is common for a TTX to be concluded with a recap, key lessons, and a documented report. For those organizations in which sharing such a report with auditors is normal practice, consider asking your vendor to write an auditor-friendly report that includes priority levels to the recommendations. Overall, our exercise types are strongly influenced by the Homeland Security Exercise and Evaluation Program (HSEEP).

What’s the goal of doing a TTX?

The TTX goal is to help an organization evaluate common challenges. If your organization is trained and well-practiced at running through these challenges, it will help you get back to business as usual more rapidly. You may have some unique questions, but we frequently see these seven familiar challenges from our customers that need to be answered to increase incident readiness and resilience.

1.   Is our IR planning complete and fit for purpose?

2.   Are we prepared for emerging threats?

3.   Do our process flows for IR work without gaps?

4.   Are our policies, standards, and playbooks sufficient?

5.   Do staff understand roles and responsibilities(including executive involvement)?

6.   Is staffing adequate for IR activities?

7.   Are critical services covered in planning?

Where to start

If you have nothing in place yet, go online and look for a default template and some process guides (high-level checklists that focus on what, not how), or find a consultant who can help you get started so you can move on to more structured procedures. The focus is on understanding your processes and procedures, to understand what you would do, not going through the details of how you would do it. You will go through the specifics of how to do things when you create a standard operating procedures(SOP) playbook or activities specific checklists.

Here is a very simple example of road signs that may influence your starting level of exercise.

Tabletop Decision Tree - What best fits you?

The various levels of tabletop exercises

Responding to a cyber incident is not the same at every level of the organization, so there are distinct levels based on the roles and staff involved. Similarly, if your organization is not familiar with TTXs, you will want to start with a workshop. Workshops are also beneficial for organizations that want to start their process by validating their current plans and capabilities.


Consider a workshop as your starting point. It is not an exercise; it’s how you prepare for future exercises. During a workshop you will discuss the structure of the exercises, so you and your team know what to expect. You will also determine what to examine in your first exercise, such as specific capabilities and preparedness for a specific exercise. Finally, you will create or verify a sample playbook that describes at least one action that will be executed based on data input and triggered by one or more events.

Bronze TTX: A cybersecurity incident preparedness exercise

The next level of TTX is the Bronze. This tabletop exercise is aimed at technical and senior security staff, and it’s designed as the starting point for organizations that are not currently in a regular TTX cycle. Think of a Bronze exercise as the section leader for a firehouse. The firehouse has different companies all working in the same house in rotation. These teams are very tactical in organizing and leading the response.

During aBronze TTX, expect to walk through your existing incident response plans. These exercises are designed to identify deficiencies in your IR plans, including technical, planning, and procedural issues. During the exercise, expect to:

·     Uncover potential gaps in your planning and capabilities

·     Ensure that team members are comfortable with their roles and responsibilities during an incident

·     Walk through technical scenarios specific to a single incident

Following the completion of your Bronze TTX, you will normally receive a detailed report that summarizes the session, including observations and recommendations from the team that led your exercise. You will also get an executive summary that you can use to follow up on gaps, roles, and responsibilities. It will help you plan your next exercise, so you can iterate and practice for diverse types of incidents, as well as ensure that your team is ready and well exercised.

Silver TTX: Geared to senior security leadership

Silver tabletop exercises expand the exercise to involve focused leadership towers, including the legal team, corporate communications, privacy, compliance, and backup and data recovery. The Silver TTX exercises the leaders of all the companies in the firehouse, to continue the earlier metaphor. All these leaders are at the execution level, making the command-and-control decisions that lead the team through the Bronze exercises.

A SilverTTX expands the roles and responsibilities involved in the exercise upward and outward from the security and incident response (IR) teams who were involved in the Bronze TTX. This TTX allows teams to exercise their roles in the IR decision-making process. These critical efforts emphasize the importance of participating and supporting IR planning for teams outside of the security function. During a Silver TTX, you will also plan annual efforts in incident response and work together to set goals for senior leadership teams.

Gold TTX: Designed for senior corporate leadership

Gold tabletop exercises are designed specifically for senior corporate leadership.During a Gold TTX, you will typically go through scenarios that involve breach management, public relations, critical exposures (such as mergers and acquisitions), board-level risk, and communicating status during these scenarios. A key focus normally includes understanding the type and pace of information available during an incident and the types of decisions that will need to be considered. In a fire department, this exercise is the one focused on the fire chief and those she reports to, for example, the mayor, board of elected officials, and the fire commissioner. In your organization, the C-level executives – the chief financial officer, chief operating officer, chief executive officer, chief technology officer, general counsel, and so on, are also accountable to the board of directors.

These Gold exercises assist with your incident response program development, long-term planning and funding decisions, assessing the maturity of your IR function, and helping your senior corporate leadership review their crisis management skills and capabilities.

Who needs to do which tabletop exercise and when?

Your overall goal is to have an organization that is well practiced and trained, so that if you do experience a critical incident, you can get back to business as usual quickly. Tabletop exercises are part of this, and different types of exercises are right at various times. Small companies may not do a lot of TTX, but big companies frequently do more of them because they have more divisions, functions, and legal and compliance requirements.

A great way to advance is by working through the different exercises in progressing order.Start with a Workshop or Bronze, move up to Silver, and then Gold. Depending on the size of the organization, a smaller org for example, may do a splitBronze/Gold, where the exercise starts with Bronze and then a few weeks later is picked up by Gold. This method gives smaller companies time to learn from the TTX, make suggestions, and have a better Gold TTX experience.

To make a long-term impact, there should be a standardized process in place — you cannot start with a Gold TTX and expect to be successful if you don’t have underlaying processes, an IR Plan, or experience at the Bronze and Silver level — you are training at each level so that you can be successful at the next one. Running tabletop exercises at your organization increases your readiness and resilience in case of a critical incident because your team spent the time and energy necessary to identify key issues and gaps before a problem occurs.

Learn how incident response is different in the cloud

Don't miss these stories:

Want to see the future of IR for cloud and SaaS? Request a demo of IR2