tabletop exercises

Boost readiness with tabletop exercises

Print Friendly, PDF & Email

The oft-quoted aphorism “no plan survives first contact with the enemy” is a modern paraphrase of a quotation from an 1871 essay about military strategy by Prussian Field Marshal Helmuth von Moltke the Elder. His point was not that planning for battle is a waste of time, but rather that plans should be flexible and include multiple options for responding to how the battle unfolds.

What was true then is still true today, and you’d be wise to develop a flexible plan for how your organization will respond to cyberattacks. A successful ransomware attack, data breach, DDoS attack, or other cybersecurity incident can unfold along many different paths, and you should be ready for all of them.

But no matter how thorough or flexible your plans are, they won’t be very useful unless you practice them regularly using tabletop exercises (TTEs).

TTEs have long been a part of crisis planning in preparation for a variety of crisis situations — natural disasters, active-shooter events, terrorist attacks, pandemic outbreaks, and so on. But they have only recently been widely implemented as part of cybersecurity planning, except among critical-infrastructure providers. If you haven’t been using them to test your readiness to act quickly and effectively in response to a cyberattack, you should definitely begin doing so now.

Benefits of tabletop exercises

There are many benefits to conducting TTEs on a regular cadence. Here are a few of the most important:

  1. Uncover plan weaknesses in a safe environment.
    In the middle of a crisis is the worst possible time to discover important shortcomings in your response plan. By gaming out your plan in a simulated crisis, you’ll find out what’s lacking and be able to amend your plans accordingly. And then repeat the whole process next time.
  2. Improve communication and coordination among internal and external teams.
    A well-designed TTE brings together key players from a wide variety of teams that may very rarely interact otherwise. These will include outside organizations such as your cyber-insurance provider, MSP, or MSSP, regulatory agencies, law enforcement, and others. Building relationships among all these players will significantly improve and accelerate your response when a real cyber incident occurs.
  3. Reduce recovery costs.
    Recovering from a major ransomware attack or data breach can be extremely costly. But if you take the time to conduct TTEs that result in a better plan that is executed quickly and correctly, you can end up taking a much smaller hit to the bottom line.

Keys to an effective tabletop exercise

It should go without saying that there are better and worse ways to conduct an effective TTE. Here are a few critical elements that go into a TTE that will optimize your organization’s response to a major cybersecurity incident.

  1. Clear communication and preparation.
    A large-scale TTE can be a daunting prospect for many employees. It’s important to clearly communicate in advance to everyone involved, so they understand the objectives and scope of the exercise and are fully bought in to the project.
  2. Make sure all the right players are involved.
    In addition to coordinating with external teams as described earlier, it’s important not to overlook anyone with a role to play. For instance, HR will need to communicate with employees, your comms team will need to execute on external communications and social media, sales and customer service teams will need to be ready to field customer inquiries, and other teams will need to communicate with ecosystem partners. For each of these teams, you’ll need to consider carefully which members can most reliably represent them in the TTE.
  3. Find the right balance between time and pressure.
    On one hand, an effective TTE should simulate the kind of time pressure that exists in a real crisis. On the other hand, a TTE is not a real crisis, and participants should have plenty of time to discuss alternative scenarios and to fully identify and develop a variety of responses. Finding the right balance is largely a matter of judgment on the part of the organizers.
  4. Follow up, revise, and iterate.
    A TTE is only as good as your follow-through on the findings of the exercise. Were there parts of the plan that need to be amended? Do certain teams need their roles more accurately documented? Do chains of command need to be clarified or changed? Following up on all these findings, making the changes needed, and then scheduling the next TTE with the revised plan is the key to ongoing, incremental improvement to your plans and to your organization’s ability to execute them effectively and efficiently.

Once you’ve established a regular cadence of TTEs, and once they are normalized as a basic element of your cybersecurity strategy, you’ll achieve improved peace of mind knowing that you’re as ready as you can be for an eventual crisis — and that just maybe your plans will indeed survive contact with the enemy.


The Cybersecurity & Infrastructure Security Agency (CISA) is part of the U.S. Department of Homeland Security, and it provides a wealth of handbooks and other resources to assist in developing plans and TTEs:


This white paper prepared by the Center for Internet Security provides a number of useful, specific exercises in a clearly presented format and increasing levels of complexity:

Scroll to top