Simulating attacks: how to use tabletop exercises in incident response

What types of tabletop exercises are available and how can you use them in your business?


With AI-fuelled cyber-incidents on the rise and ransomware used in 44% of attacks, incident response is on everyone’s radar. As part of this, it is widely agreed that simulating attacks is the best way to prepare for a real breach, with tabletop exercises a method recommended by the UK’s National Cyber Security Centre (NCSC).

Among the benefits, tabletop exercises simulate a real-life attack so firms can put incident response plans to the test, including decision-making processes, communications and technical measures.

When done well, tabletop exercises can expose blind spots and help response teams “build the muscle memory needed to act fast when the real thing hits”, says Adam Harrison, managing director in the cyber security practice at FTI Consulting.

So what types of tabletop exercises are available and how can you use them in your business?

Realistic attack scenarios

Tabletop exercises generally fall into two main styles. The first are “structured, discussion-based sessions that walk participants through the scenario” with guidance from incident response experts, according to Chris Taylor, principal incident response analyst at NormCyber. “They give staff the chance to explore decision-making, communication, teamwork and escalation in a safe and controlled environment,” he explains.

The second style is simulations – also known as “live-play exercises” – which are more immersive, says Taylor. “Much like triggering a fire alarm without prior warning, they test how well teams react with no notice, script or guidance, making them ideal for mature teams who want to stress-test their processes.”

Scenarios can vary widely. Some focus on specific entry points, such as a phishing email or a compromised device, says Taylor. “Others zoom out to broader impacts – ransomware, for example, where the real challenge is figuring out how attackers gained access, what’s been affected, and how to contain the threat before it spirals. Or, in the event of an insider threat, what happens when someone with legitimate access has gone rogue?”

Common scenarios include ransomware attacks, accidental data loss, or broader crisis events such as supply chain attacks or sector-wide outages, says Dave Harvey, KPMG UK’s cyber response lead. “The best ones are informed by threat intelligence, real-world incidents or vulnerabilities within your own environment.”

Christopher Crummey, director for executive and board cyber services at Sygnia, says most of the firm’s customers are asking for simulations including multi-extortion ransomware scenarios. “These exercises typically begin with the operational disruption caused by encrypted ‘crown jewels’, then layer in the exfiltration of sensitive data – which brings privacy, legal and regulatory concerns to the forefront.”

Exercises such as these force executives to wrestle with “critical questions”, he says: “How transparent will the company be in external communications? What are the legal and disclosure obligations across jurisdictions? And ultimately, what factors should drive the high-stakes decision of whether to pay or not pay the ransom?”

Challenges in performing tabletop exercises

Although there are clear benefits to tabletop exercises, firms also need to be aware of the challenges when integrating them into their strategy.

For example, companies should ensure exercises are tailored to business and employee needs. Poorly designed exercises include ones that are too generic, easy, or “divorced from an organization’s actual risks”, says Harrison. These will provide “little benefit” and “you will quickly lose the interest of the audience”, he warns.

Taking this into account, it’s key to develop a scenario pitched at the right level for the audience and the cyber security maturity of the organization, he says.

Attitudes are important. Firms should be aware that tabletop exercises can expose challenging truths. “These exercises can be uncomfortable, surfacing weaknesses in process, resourcing or leadership,” Harrison says. “The culture of the organization and the willingness of participants to engage in the exercise in a constructive manner will have significant impact on the success.”

Companies also need to ensure they are prioritizing tabletop exercises so all relevant stakeholders can be involved. Finding time to coordinate schedules to perform the exercises can be an issue, says Travis Deforge, director of cyber security at Abacus Group. “With busy calendars, finding the time and commitment for approximately two separate one-hour sessions can be difficult. Ensuring the scenarios are well-developed and that sessions are regularly booked in advance can help to overcome this.”

How to include tabletop exercises in your strategy

When implementing tabletop exercises into your incident response strategy, they must be bespoke to your organization and threat intelligence-led, says Stephanie Albertina-Wright, principal consultant at Unit 42, Palo Alto Networks. “They should be based on scenarios and threats your organization is most likely to face, and consider your company's unique environment, risks and priorities,” she advises.

Start with having the right documentation in place. You need a clear, usable incident response plan that outlines key processes, roles and responsibilities, says Albertina-Wright. “The exercise's purpose is to test and validate your existing plan, instead of building one from scratch.”

The formula is simple, she adds: “Pick a realistic scenario, gather the right people, and walk through your incident response plan together, discussing actions and decisions as the situation unfolds.”

Tabletop exercises should be “embedded in the organization’s incident response lifecycle”, says Harrison. As part of this, they should be performed regularly – at least once a year, he advises.

For proactive businesses, an annual run is “a solid baseline”, agrees Albertina-Wright. “But if you’ve got an inexperienced team or have made major changes, you can run them every three to six months to keep everyone updated.”

Yet at the same time, it’s important to note that implementing the lessons learned is a key part of using tabletop exercises. They are only useful if you follow up, warns Harvey. “You need to evaluate what happened, identify gaps and feed those lessons back into your plans and procedures. Otherwise, it’s just a one-off event with no improvement.”

To keep them current, link tabletop exercises to current intelligence or geopolitical events, regulatory updates or recent incidents, Harvey advises. “Don’t forget to reassess your scenarios and objectives each time against your key risks. Just repeating the same exercise every year won’t cut it.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.