
Tabletop Exercises: The 90-Minute Investment That Determines How Your Next Breach Ends

Cybool Security Team

March 25, 2026
6 min read

The hardest moment of an incident is not the breach itself. It is the first hour, when senior leaders are making decisions they have never rehearsed, in a vocabulary they do not fully command, while operations is asking whether to take systems down and PR is asking what to tell the press.

A tabletop exercise simulates that hour. It is not a technical drill, it is not a penetration test, and it does not require an emergency. It is a 60–90 minute facilitated discussion in which the leadership team works through a realistic scenario, articulates decisions, and exposes gaps in roles, authority, and communication. Done well, it is the single highest-leverage activity in a security program.

Most organizations do not run them. The ones that do, almost universally, wish they had started years earlier.

What a Tabletop Actually Looks Like

The basic structure of a tabletop is straightforward:

  • A facilitator presents an opening scenario — "It is Tuesday at 14:00. Your SOC reports a confirmed ransomware encryption event affecting your ERP and shared file servers. Approximately 60% of your file shares are inaccessible."
  • The participants — typically CEO, CFO, COO, CISO, IT director, legal counsel, head of communications — talk through what they would do, in what order, and who would make which decisions.
  • The facilitator periodically injects new information ("Update: the ransom note demands USD 800,000 in Bitcoin within 72 hours" / "Update: a journalist has called the press line for comment").
  • The exercise lasts 60–120 minutes and ends with a structured debrief.

No systems are touched. No technical work happens. The cost is meeting time and the facilitator’s fee.

What Tabletops Reliably Expose

Across the tabletops Cybool has facilitated for mid-market customers in 2025–2026, the same six gaps appear repeatedly:

1. Decision authority is ambiguous. The written incident-response plan names a "Crisis Manager" but does not define what decisions that person can make unilaterally versus what requires CEO sign-off. In the exercise, this surfaces within the first 15 minutes when someone asks "can we authorize ransom negotiation engagement?" and four people give different answers.

2. The communications plan does not survive contact with reality. Most organizations have a template press statement but no answer to "what do we say to our top three customers within the first 4 hours?" or "who calls our regulator?" or "what does the all-hands look like on day two when employees are asking if their personal data is exposed?"

3. Backup recovery time has been overestimated. When asked how long full recovery from backups would take, the IT director typically quotes a number. When asked when that number was last validated by an actual restore, the answer is usually "I think we tested last year." Often the realistic answer is 5–10× the assumed timeline.

4. Cyber insurance notification timing is unclear. When the policy actually requires notification within 24–72 hours, the room typically does not know who calls the broker, who has the policy number, or what counts as "becoming aware" of a covered event. Coverage gets voided here more often than from any other failure mode.

5. The board is missing from the playbook. Most plans describe escalation to the executive team but not to the board. When the scenario reaches "the New York Times has called," the room usually has no answer to whether the board has been informed, in what cadence, or by whom.

6. The sequence for engaging counsel and DFIR is wrong. Best practice is to engage outside counsel first, who then engages the DFIR firm, so the investigation falls under attorney-client privilege. Most organizations call the DFIR firm directly, creating discoverable communications that can later be subpoenaed. This is one of the most cleanly fixable gaps a tabletop exposes.

Choosing the Scenario

The scenario matters less than the discipline of running the exercise, but some scenarios produce more learning than others. Three that consistently surface useful gaps:

Ransomware with ransom demand and data leak threat. This stress-tests every part of the plan: technical containment, business continuity, ransom decisioning, regulatory notification, customer communication, and board engagement.

Insider data theft. A departing employee has exfiltrated customer data to a personal cloud account. This tests legal and HR coordination, the relationship with law enforcement, and the customer-notification process — all areas that pure-ransomware drills do not exercise.

Supply-chain compromise. A vendor your customers depend on has been breached, and you are receiving incoming questions about exposure. This tests how you respond when you are not the breach victim but are affected by one, which is increasingly the most common 2026 scenario.

After the Tabletop

The debrief is where the value compounds. A useful debrief produces:

  • A short list of decisions the team got right under pressure
  • A specific list of gaps in the IR plan, with named owners and 30 / 60 / 90-day remediation timelines
  • One or two playbooks that need to be written (e.g., "ransom decisioning matrix" or "first-4-hour customer-communication template")
  • A date for the next tabletop, with a different scenario

The single biggest predictor of value is whether the gap list gets converted into a remediation tracker. Tabletops without follow-through become security theater. Tabletops with disciplined follow-through measurably improve incident outcomes — both Cybool’s direct observation and broader industry data support a 30–60% reduction in mean time to recover for organizations that run quarterly tabletops with closed-loop remediation.

The 90-Minute Math

A typical tabletop costs roughly:

  • 90 minutes of meeting time for 8 people (12 person-hours)
  • 1–2 days of facilitator time, depending on whether it is internal or external
  • Half a day of follow-up remediation planning

Against the average mid-market incident cost — which in LATAM and Europe runs USD 800,000 to USD 4.5 million depending on industry and scope — the return on that investment is impossible to argue with. The companies that have not yet run one are not pricing the risk correctly.

The single most useful security project most mid-market organizations can run in the next 30 days is a tabletop. It does not require new tools, new vendors, or new budget. It requires 90 minutes on calendars that already exist.


Cybool facilitates tabletop exercises for customers as part of standard incident-response readiness engagements. Half-day workshops include scenario design, facilitation, and a written gap-remediation tracker.
