What Makes an Incident Response Tabletop Exercise Successful?

We’ve talked previously about why an incident response tabletop exercise can be a useful tool for your security program. But taking a step back, let’s take a closer look at what makes an incident response tabletop exercise successful. While a tabletop exercise can be a great way to step through your incident response process on a regular basis to ensure everyone is trained and it stays up-to-date, it’s usually best to customize it to your team’s needs to make sure it’s a meaningful experience. This can mean making it more/less interactive, more/less technical, or over a shorter/longer period of time. Further, maybe you are required to be PCI DSS compliant, and you’re using an SAQ that requires you to exercise your incident response process annually (Requirement 12). Tabletops can be a great way to accomplish that compliance need while maturing your IR program.

At the most basic level, a tabletop exercise is a simulation. You get your entire incident response team (or as many as you can) into a room and you respond to a simulated or fake incident scenario as you would if it actually happened. The purpose is twofold:

  1. You get a chance to exercise your documented Incident Response Plan and ensure it has a sufficient level of detail, stays updated, and addresses the nuances of different situations.
  2. Your IR team gets a chance to work through the response process in a controlled environment, learning and training how things should go without the pressures of a real incident.

Some of the elements that make up a successful tabletop exercise include:


Exercises should be based on real, possible incident’s that your team is likely to encounter. It’s always a good idea to start with the most critical or most likely incident’s you’ll face. Most of the time, each exercise will focus on a single incident or incident category. If you’re in charge of planning the exercise, you’ll want a pretty detailed scenario that is specific enough to feel real. Try and answer some of the likely questions that will come up ahead of time, so the process doesn’t feel as ad hoc.

Additionally, make sure the processes that being run through are as real as possible. Take notes and document like you would a real incident to uncover any shortcomings in that process. Document any difficult discussions you have and the decisions that are made for future use. Call the numbers and contact the individuals that will need to be involved (without raising any unnecessary alarms of course) to make sure their contact information is valid and up-to-date. Spin-up any testing or response tools and make sure the people in-charge of using them know how they work and can utilize them in a timely manner.

Element of Time

One of the hardest things to capture during an incident response tabletop exercise is an element of time. How much time do you have to find the root cause? How long will it actually take you? How much time will it take to bring in a 3rd-party forensics firm? When does the business want to report to the public?

Trying to track time during your exercise will give everyone an extra sense of reality and hammer home some of the panic associated with a real incident. You don’t want to go over the top with this, but if everyone has a good idea of realistic response times for each phase of an incident, it improves the decision-making process as a whole.


One of the most overlooked elements of incident response is the communications tree that occurs. An incident response tabletop exercise is the perfect time to understand the levels of communication expected and gain control of who you tell about an incident and when. During an incident, if you tell too many people you risk the incident either leaking or spiraling out of control before you have a handle on it from the technical perspective. And if you tell too few, the leadership may not have the visibility they need about what’s going on, causing them to make poor decisions or disclose information publicly that is inappropriate for the circumstances.

Whatever the case may be, you want to have templates and a specific list of personnel to tell at each stage and each point of escalation. You want to understand as a team who’s on point to make each critical decision from a leadership perspective to avoid miscommunication and arguments when the time comes. Walking through this and ensuring all players understand the role they play is just as important as the technical response.


You want as many members of the core Incident Response team that you will be expecting to perform IR duties to be present as possible. This gives them all the chance to work together and interact. Everyone can get more comfortable with the personalities at play and it helps everyone get comfortable in the role they’ll be asked to play. A real incident is all about teamwork, and the way everyone interacts with leadership and handles their duties.


incident response tabletop exercise
As silly as it may sound, using a die or a D20 is a great to introduce random chance into a tabletop exercise and can help emulate uncertainty.

This works better for some teams than others, really depending on your comfort level and the type of people you are dealing with. But if you can make a tabletop exercise truly interactive, with elements of randomization (e.g. rolling a die), real decision trees (e.g. choose path A or path B), and timely decision making (e.g. if you can contain this incident within 2 hours, you get a gift card), we’ve found it makes the process more enjoyable and more successful. Retention is better then the IR team is engaged and they are more likely to remember particularly difficult decisions, outcomes, or risk factors.