A cyber tabletop exercise is an excellent way to test an organization's incident response readiness. Tabletop exercises are good for talking through the who, what, when, where, and how of a situation.

Industry professionals tend to argue how frequent to perform it and the going consensus is annually. But i agree with REDLEGG's article requesting it to be done more frequently if not quarterly. Other than maintaining good cyber hygiene and adhering to a system development lifecycle process, tabletop exercises also comply with NIST SP800:84.

TTX should go through these processes:

  1. Introduction and defining the GOAL of the exericise
  2. Assess the situation (Predefined scenarios)
  3. Re-validate assumptions
  4. Identify security and organizational implications
  5. Develop a course of action
  6. Develop recommendations

Guestlist should include these teams:

  1. Executive management
  2. Information Security
  3. Information Technology
  4. Audit
  5. Physical security
  6. Risk management
  7. Legal
  8. Finance
  9. Vendors
  10. Public Relations

The TTX Facilitator leads the:

  1. Incident response tabletop exercise
  2. Hot wash session
  3. Lessons learned session

Hot wash session happens immediately after the tabletop exercise so that we can collect initial feedback and have the opportunity to ask for clarification if need be.

Sample cybersecurity tabletop exercises:

  1. SANS data breach scenarios
  2. Treasury department template for small/midsize financial institutions


  1. https://www.cisecurity.org/white-papers/six-tabletop-exercises-prepare-cybersecurity-team/
  2. https://www.redlegg.com/advisory-services/tabletop-exercise-pretty-much-everything-you-need-to-know
  3. https://blog.rapid7.com/2017/07/05/running-an-effective-tabletop-exercise/
  4. https://www.dhs.gov/cisa/national-cyber-exercise-and-planning-program
  5. https://www.umassp.edu/procurement/bids/umass-system-wide-cyber-security-tabletop-exercise