Cyber Tabletop Exercise Scenarios
A tabletop exercise (TTX) is a discussion-based session where key stakeholders walk through their response to a simulated cybersecurity incident. Tabletop exercises are the single most effective method for testing an incident response plan because they expose decision-making gaps, communication failures, and role confusion in a low-stakes environment. This guide provides ten ready-to-run scenarios covering the threat types most likely to affect organizations in 2026, with objectives, injects, and discussion prompts for each. These scenarios are drawn from 150+ real C-Suite exercises and are designed to surface the decisions that matter most under pressure.
The Cybersecurity and Infrastructure Security Agency (CISA) publishes tabletop exercise packages for critical infrastructure sectors, and NIST SP 800-84 provides the federal guidance on exercise program design. Both frameworks recommend scenario-based tabletop exercises as a core component of incident response readiness. The scenarios below build on these foundations with the operational specificity that comes from running exercises with real executive teams.
For a complete guide to planning, facilitating, and documenting tabletop exercises, see our How to Run a C-Suite Tabletop Exercise article.
What Makes a Tabletop Exercise Scenario Effective?
Not all scenarios produce equal learning. The most effective tabletop exercise scenarios share five characteristics that distinguish them from generic templates:
- Plausible and specific. The scenario must feel real to the participants. Generic scenarios produce generic discussions. Effective scenarios name specific systems, reference actual business processes, and reflect the organization's real threat landscape.
- Progressive escalation. The scenario should start with ambiguous signals and escalate through multiple injects that force increasingly difficult decisions. Each inject should introduce new information, new stakeholders, or new time pressure.
- Cross-functional decision points. The best scenarios force decisions that require coordination between technical, legal, communications, and executive functions. Single-function scenarios miss the coordination failures that cause real incidents to spiral.
- Time pressure. Regulatory clocks, media attention, and operational impact should create urgency that mirrors real incidents. Without time pressure, participants optimize endlessly instead of making imperfect decisions under constraints.
- No single correct answer. The scenario should present genuine trade-offs (speed vs. thoroughness, transparency vs. legal risk, containment vs. forensic preservation) that generate productive debate.
What Are the Most Common Tabletop Exercise Scenario Types?
The following ten scenario types cover the threat landscape most organizations face. Each entry describes the scenario premise, primary objectives, and the key decisions the exercise should surface.
| # | Scenario Type | Primary Objective | Key Decision Tested |
|---|---|---|---|
| 1 | Enterprise Ransomware | Test containment speed and pay/no-pay decision | Whether to disconnect systems, when to engage the insurer, pay or not pay |
| 2 | Data Exfiltration and Breach | Test notification obligations and evidence preservation | When to notify regulators, how to communicate with affected individuals |
| 3 | Supply Chain Compromise | Test third-party coordination and blast radius assessment | Whether to disconnect vendor access, customer notification scope |
| 4 | Business Email Compromise | Test financial controls and fraud response | Whether to reverse transactions, law enforcement engagement timing |
| 5 | Insider Threat | Test HR/legal/security coordination | Whether to confront vs. surveil, evidence handling for potential prosecution |
| 6 | Cloud Infrastructure Breach | Test shared responsibility model understanding | Cloud provider engagement, credential rotation scope, workload isolation |
| 7 | Distributed Denial of Service | Test business continuity and communications | Whether to engage DDoS mitigation service, customer communication timing |
| 8 | Zero-Day Exploitation | Test response to unknown vulnerabilities | Whether to take vulnerable systems offline before a patch exists |
| 9 | AI-Enabled Social Engineering | Test response to deepfake and AI-augmented attacks | How to verify identity during an incident, authentication fallback procedures |
| 10 | Destructive Wiper Attack | Test recovery capability and backup integrity | Recovery sequencing, whether backups are clean, business triage prioritization |
How Do You Structure an Enterprise Ransomware Scenario?
The enterprise ransomware scenario is the most frequently requested and consistently produces the most valuable learning. It tests containment speed, executive decision-making, regulatory notification, and the pay/no-pay decision that every organization must confront.
Scenario premise
At 2:47 AM on a Saturday, the SOC receives alerts from the EDR platform indicating rapid file encryption across multiple servers. By 3:15 AM, a ransom note appears on the desktop of the CFO's laptop. The demand is $2.5 million in cryptocurrency, with a 72-hour deadline before the attackers threaten to publish stolen data on a leak site. The IT team confirms that the ERP system, email servers, and file shares are affected. Backup status is unknown.
Injects
- Hour 1: The attackers email a sample of stolen data to the CEO's personal email address, proving exfiltration occurred before encryption.
- Hour 4: A journalist calls the communications team asking to confirm reports of a ransomware attack. The source is unknown.
- Hour 8: The DFIR team confirms that backups are partially compromised. The most recent clean backup for the ERP system is 72 hours old.
- Hour 24: The cyber insurance carrier asks whether you intend to pay and reminds you that OFAC compliance must be verified before any payment.
In 73% of the ransomware tabletop exercises we have facilitated, the first 90 minutes were consumed by a single question: who has the authority to take the ERP system offline? Pre-authorize this decision before the exercise, or the exercise will teach you why you must.
How Do You Design a Supply Chain Compromise Scenario?
Supply chain scenarios test a dimension that most internal-only scenarios miss: your ability to coordinate a response when the attack vector is outside your control and the blast radius extends to your customers.
Scenario premise
Your organization receives notification from a critical SaaS vendor that their platform was compromised and that customer data may have been accessed. The vendor provides limited details and a timeline that suggests the compromise has been active for 45 days. Your security team confirms that the vendor has API-level access to your customer database. The vendor's incident response is being managed by their own legal team, and information sharing is limited.
Key decisions to surface
- Do you disconnect the vendor's API access immediately, knowing it will break production workflows?
- What is your independent notification obligation if the vendor's breach exposed your customers' data?
- How do you assess blast radius when the vendor is controlling the forensic investigation?
- Do you notify your customers before the vendor notifies theirs?
- What contractual rights do you have to demand forensic evidence from the vendor?
What Should an Insider Threat Scenario Test?
Insider threat scenarios are uniquely valuable because they test the coordination between security, HR, legal, and management that external-attack scenarios often miss. The tension between investigation and employee rights creates decision points that are difficult to rehearse outside of a tabletop exercise.
Scenario premise
The DLP system flags a senior engineer who has been transferring large volumes of proprietary source code to a personal cloud storage account over the past two weeks. HR confirms the employee recently gave notice and accepted a position with a direct competitor. The employee has administrative access to production systems and has not yet been informed of the investigation.
Key decisions to surface
- Do you confront the employee immediately or continue monitoring to understand the full scope?
- When does the investigation move from HR-led to security-led to law-enforcement-led?
- How do you preserve evidence for potential civil or criminal proceedings while maintaining the employment relationship?
- When do you revoke the employee's access, and how do you do so without alerting them?
- What are your obligations regarding the competitor who may be receiving your intellectual property?
How Do You Measure the Effectiveness of a Tabletop Exercise?
Running the exercise is only half the value. The other half comes from structured measurement and follow-through. Effective measurement focuses on three dimensions:
Decision quality. Did the team make informed, timely decisions at each critical juncture? Were decisions consistent with the IR plan? Where decisions diverged from the plan, was the divergence justified by scenario circumstances or did it reveal a plan gap?
Coordination effectiveness. Did information flow between functions (technical, legal, communications, executive) without critical delays? Were all required stakeholders engaged at the right time? Did any function operate in isolation when coordination was needed?
Time to key milestones. Measure the time from initial detection to: IR plan activation, first containment action, legal counsel engagement, regulator notification decision, executive briefing, and external communication. Compare these to your target SLAs and regulatory deadlines.
| Metric | Target | What It Reveals |
|---|---|---|
| Time to activate IR plan | < 30 minutes | Severity classification speed and on-call effectiveness |
| Time to first containment action | < 1 hour | Pre-authorized decision clarity and technical readiness |
| Time to engage legal counsel | < 2 hours | Retainer status and escalation path clarity |
| Time to regulator notification decision | < 4 hours | Regulatory awareness and legal coordination |
| Number of decision bottlenecks | 0 | Authority gaps and approval chain problems |
| Gaps identified in IR plan | Tracked to remediation | Plan maturity and exercise effectiveness |
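The milestone metrics above are easiest to keep honest if the facilitator records a timestamped log during the session and scores it mechanically afterwards. The following is an added example, not part of the original article or the IR-OS product: a small Python scorer that takes a constructed exercise log for the ransomware scenario, computes elapsed time from initial detection to each milestone, compares it against the targets in the table, counts decision bottlenecks, and reports milestones that were never reached as misses. The milestone names, the log entries and the `Event` structure are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Targets from the metrics table, measured from initial detection.
# The milestone keys are a naming convention assumed for this example.
TARGETS = {
    "ir_plan_activated": timedelta(minutes=30),
    "first_containment_action": timedelta(hours=1),
    "legal_counsel_engaged": timedelta(hours=2),
    "regulator_notification_decided": timedelta(hours=4),
}


@dataclass(frozen=True)
class Event:
    when: datetime          # wall-clock time recorded by the facilitator
    milestone: str          # milestone key, or "decision_bottleneck"
    note: str = ""          # free-text context for the after-action review


# Constructed exercise log (not real data) following the ransomware premise:
# EDR alerts at 02:47, plan activated at 03:15, containment delayed by an
# authority question over taking the ERP system offline.
SAMPLE_LOG = [
    Event(datetime(2026, 3, 7, 2, 47), "initial_detection", "EDR alerts on rapid encryption"),
    Event(datetime(2026, 3, 7, 3, 15), "ir_plan_activated", "incident commander declares Sev-1"),
    Event(datetime(2026, 3, 7, 3, 40), "decision_bottleneck", "no pre-authorized owner for ERP shutdown"),
    Event(datetime(2026, 3, 7, 4, 20), "first_containment_action", "ERP isolated after CIO approval"),
    Event(datetime(2026, 3, 7, 4, 30), "legal_counsel_engaged", "outside counsel joins the bridge"),
    Event(datetime(2026, 3, 7, 8, 10), "regulator_notification_decided", "72-hour clock started"),
]


def _minutes(delta):
    """Whole minutes in a timedelta, for readable reports."""
    return int(delta.total_seconds() // 60)


def milestone_times(events):
    """Elapsed time from initial detection to the first occurrence of each milestone."""
    start = min(e.when for e in events if e.milestone == "initial_detection")
    elapsed = {}
    for e in sorted(events, key=lambda x: x.when):
        if e.milestone in ("initial_detection", "decision_bottleneck"):
            continue
        elapsed.setdefault(e.milestone, e.when - start)  # first occurrence wins
    return elapsed


def score_exercise(events, targets=TARGETS):
    """Compare each target milestone against the log.

    A milestone never reached during the exercise is scored as not met
    with elapsed_min=None, so it shows up as a gap rather than vanishing.
    """
    elapsed = milestone_times(events)
    results = {}
    for name, target in targets.items():
        actual = elapsed.get(name)
        results[name] = {
            "elapsed_min": None if actual is None else _minutes(actual),
            "target_min": _minutes(target),
            "met": actual is not None and actual <= target,
        }
    return results


def missed_milestones(results):
    """Sorted milestone names that exceeded their target or were never reached."""
    return sorted(name for name, r in results.items() if not r["met"])


def count_bottlenecks(events):
    """Decision bottlenecks logged by the facilitator (table target: 0)."""
    return sum(1 for e in events if e.milestone == "decision_bottleneck")


def report(events, targets=TARGETS):
    """Plain-text summary suitable for pasting into an after-action review."""
    results = score_exercise(events, targets)
    lines = []
    for name, r in results.items():
        shown = "not reached" if r["elapsed_min"] is None else f"{r['elapsed_min']} min"
        status = "MET" if r["met"] else "MISSED"
        lines.append(f"{status:6} {name}: {shown} (target {r['target_min']} min)")
    lines.append(f"decision bottlenecks: {count_bottlenecks(events)} (target 0)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Running the block against the constructed log shows plan activation and legal engagement within target, containment and the regulator decision missed, and one bottleneck, which is exactly the pattern the ransomware section warns about: the time lost was the ERP shutdown authority question, so the remediation item is a pre-authorized decision, not faster technicians.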
Every gap identified during an exercise should be logged with an owner, a severity rating, and a remediation deadline. Organizations that run exercises without structured follow-through are investing time without capturing the return. See our After-Action Review template for the documentation structure.
When Should You Use an AI-Facilitated Tabletop Exercise?
Traditional tabletop exercises require significant preparation time: developing scenarios, writing injects, coordinating schedules, and training a facilitator. This preparation burden is the primary reason organizations run exercises less frequently than they should.
AI-facilitated tabletop exercises reduce this burden by generating scenario injects dynamically based on participant responses, adapting the difficulty level in real time, and producing structured after-action documentation automatically. The IR-OS AI Tabletop Facilitator enables organizations to run exercises more frequently with less preparation overhead.
AI facilitation is particularly effective for:
- Increased exercise frequency. Organizations that can only justify quarterly exercises with traditional facilitation can run monthly exercises with AI facilitation.
- Scenario variation. AI-generated injects ensure that repeat exercises with the same scenario type produce different decision points, preventing participants from rehearsing memorized responses.
- Consistent documentation. Every decision, discussion point, and gap is captured automatically, ensuring that the after-action review is comprehensive regardless of facilitator skill.
- On-demand availability. New team members, organizational changes, or emerging threats can trigger an exercise without waiting for the next scheduled session.
AI facilitation does not replace human-led exercises for executive-level tabletops where relationship dynamics and organizational politics are part of the learning. It augments the exercise program by making frequent, focused sessions practical.
Run your next tabletop exercise with AI facilitation
The IR-OS AI Tabletop Facilitator generates dynamic scenarios, adapts injects in real time, and produces structured after-action reports, so you can exercise more frequently with less preparation.