Who should participate in a cyber tabletop?

The full response chain: technical responders, CISO, CEO or designee, General Counsel and outside counsel, CFO, communications, HR, and any sector-specific stakeholders. Technical-only tabletops miss the coordination gaps that dominate real incidents.

How long does a tabletop exercise take?

Most cyber tabletops run 90 minutes to 4 hours, with 2 to 3 hours being typical for a meaningful executive exercise. The hot wash and AAR follow-through add additional time but should not be skipped.

How often should we run tabletops?

At minimum annually. Mature programs run quarterly tabletops on rotating scenarios (ransomware, BEC, third-party breach, public disclosure) and additional executive tabletops semi-annually. Critical infrastructure entities often run tabletops more frequently.

What is the difference between a tabletop and a red team exercise?

A tabletop is a discussion-based simulation; participants talk through decisions and actions. A red team exercise involves actual adversary activity against real systems, simulating an attacker. Both have value; tabletops surface coordination gaps, red teams surface technical detection gaps.

Tabletop Exercise - Cyber Incident Simulation

A tabletop exercise (TTX) is a facilitated, discussion-based simulation of a cyber incident in which participants work through their roles, decisions, and communications without operating real systems. Tabletops are the most cost-effective way to validate an incident response plan, surface coordination gaps, and prepare executives and counsel for high-stakes decisions before a real incident forces them to make those decisions for the first time.

Source: derived from standard incident response practice; codified in NIST SP 800-84 (Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities), CISA tabletop exercise packages, and FFIEC Business Continuity Management.

Tabletop Exercise Format

Facilitator: leads the exercise, presents injects, manages timing
Players: the response team, executives, counsel, and any third parties whose role is being exercised
Observers: capture decisions, gaps, and lessons learned
Scenario: a realistic incident with sufficient detail to drive meaningful discussion
Injects: scheduled developments that introduce new information or decision points
Hot wash: an immediate post-exercise debrief while observations are fresh
After action report: the documented findings and recommendations

Scope of a Useful Tabletop

The most useful tabletops involve the full response chain: technical responders, the CISO, the CEO or designee, the General Counsel and outside counsel, the CFO, communications, HR, and any sector-specific stakeholders. Technical-only tabletops miss the coordination gaps that dominate real incidents. C-suite-only tabletops miss the operational realities the technical team must navigate.

Common Tabletop Mistakes

Scenarios that are too unrealistic to drive serious discussion
Scenarios that are too realistic and reveal sensitive details inappropriately
No facilitator or an unskilled facilitator
No structured documentation of decisions, gaps, and lessons
No follow-through on recommendations after the exercise
Treating the tabletop as a checkbox rather than as preparation

Run tabletops your team will remember

IR-OS supports tabletop exercise facilitation, structured documentation, and the AAR follow-through that turns tabletops into real preparation.

Start free

Tabletop Exercise - Cyber Incident Simulation

Tabletop Exercise Format

Scope of a Useful Tabletop

Common Tabletop Mistakes

Related Terms

Run tabletops your team will remember