Incident Response Tabletop Exercises
A plan you have never tested is a hypothesis. A tabletop exercise is how you test it. The team gathers, someone reads out a realistic incident scenario, and everyone talks through what they would actually do, step by step, while nothing is on fire. It is the cheapest way to find the gaps in your incident response plan before a real attacker does.
The point is not to pass. The point is to fail in the room, where failure costs nothing and teaches everything.
The kinds of drill
Not all exercises are the same. They range from a quiet conversation around a table to a live simulated attack on your real environment. Each tests something different.
| Exercise type | What it does |
|---|---|
| Tabletop | A discussion-based walkthrough of a scenario. The team talks through decisions and the plan, with no live systems touched. Lowest cost, fastest to run. |
| Purple team | Red teamers mimic attacker actions, such as data exfiltration and ransomware deployment, while defenders respond. Tests detection and response together. |
| Red team / mock attack | A simulated attack, planned or unplanned, that pressure-tests whether the organization is caught flat-footed. Tests the real environment end to end. |
How to run a tabletop
A good tabletop is structured, not a free-for-all. You walk the incident in order and stop at every point where the plan is supposed to give an answer, to see whether it actually does.
The most valuable moments are the uncomfortable ones. Practice the hard calls out loud: whether to pay a ransom, when to notify customers, who signs off on a public statement. It is far better to fumble that wording in a drill than under real duress.
[[INSIGHT: The gaps a tabletop finds are almost never technical. They are a missing phone number, an unclear reporting threshold, or a decision that turns out to have no owner. Those are exactly the things that cost hours during a real incident.]]
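As an added illustration of that walkthrough (example code, not from the original article), the Python below steps through a constructed set of scenario injects and records every point where a hypothetical plan fails to answer: no owner for the decision, no contact for the owner, or no threshold for a notification. The plan structure, inject list and sample values are all assumptions made for the example.

```python
"""Walk a tabletop scenario against an IR plan and record the gaps it exposes.

Added example, not from the original article. The plan layout, the injects
and the gap categories are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Plan:
    owners: dict      # decision -> role that owns it
    contacts: dict    # role -> out-of-band contact detail
    thresholds: dict  # notification -> condition that triggers it


# Constructed scenario: each inject names the decision the plan must answer
# and, where a notification is involved, which notification it triggers.
INJECTS = [
    {"step": "Ransom note found on file server", "decision": "declare incident"},
    {"step": "Attacker demands payment", "decision": "pay ransom"},
    {"step": "Customer PII confirmed in exfil", "decision": "notify customers",
     "notification": "customer"},
    {"step": "Press enquiry received", "decision": "public statement"},
]

# Constructed sample plan with deliberate holes for the walkthrough to find.
SAMPLE_PLAN = Plan(
    owners={"declare incident": "IR lead", "pay ransom": "CEO",
            "notify customers": "legal"},
    contacts={"IR lead": "+1-555-0100 (constructed)",
              "legal": "legal-oncall@example.com (constructed)"},
    thresholds={"regulator": "confirmed PII exposure"},
)


def walk_scenario(plan: Plan, injects=INJECTS) -> list[str]:
    """Stop at every inject and check whether the plan gives an answer."""
    gaps = []
    for inject in injects:
        decision = inject["decision"]
        owner = plan.owners.get(decision)
        if owner is None:
            gaps.append(f"{decision}: no owner")  # nobody can make the call
            continue
        if owner not in plan.contacts:
            gaps.append(f"{decision}: owner '{owner}' has no contact")
        notification = inject.get("notification")
        if notification and notification not in plan.thresholds:
            gaps.append(f"{decision}: no threshold for '{notification}' notification")
    return gaps


if __name__ == "__main__":
    for gap in walk_scenario(SAMPLE_PLAN):
        print("GAP:", gap)
```

Each returned line is one item to feed back into the plan before the next drill.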
- A tabletop exercise pressure-tests your plan by walking a realistic scenario, with no live systems touched.
- Drills range from discussion-based tabletops to purple team and full mock attacks.
- Include legal, communications, and an executive decision-maker, not just IT.
- Practice the hard calls, like ransom decisions and customer notification, out loud.
- Capture every gap and feed it back into the plan, then schedule the next drill.
Frequently asked questions
What is an incident response tabletop exercise?
A discussion-based drill where the response team walks through a realistic incident scenario and talks through their decisions and the plan, without touching live systems.
How often should you run one?
Regularly. CIS Control 17.7 calls for conducting exercises, and practitioners recommend running them on a recurring schedule, such as quarterly, so the plan stays current with people and infrastructure.
Who should take part?
Not just IT. Include legal, communications, and an executive who can make decisions, because real incidents involve the whole organization, not only the security team.
What is the difference between a tabletop and a purple team exercise?
A tabletop is a discussion of a scenario with no live systems. A purple team exercise has red teamers carry out real attacker actions while defenders respond, testing detection and response together.