What is a tabletop exercise?
A tabletop exercise is a discussion-based simulation in which a defined team walks through their response to a hypothetical security incident.
Key takeaways
- A tabletop exercise tests decision-making and coordination, not technical response. The team works through "who decides what, when, with whose input" against a realistic scenario.
- For mid-market manufacturers, tabletops are the cheapest, fastest way to discover that the incident response plan does not actually work.
- Tabletop exercises come in three formats: discussion-based (the standard tabletop), functional (with some operational involvement), and full-scale (with real systems and time pressure).
- Annual tabletops satisfy compliance; quarterly tabletops change behavior.
- ARG runs tabletops tied to actual findings from the continuous adversarial simulation, so the scenarios reflect real exposures the workforce has already encountered.
What does a tabletop exercise actually look like?
A tabletop is structured but not theatrical. A typical three-hour discussion-based tabletop runs through five phases:
1. Setup (15 minutes). Facilitator opens the room, sets ground rules (no judgment, the point is learning, what is said stays in the room), introduces participants, distributes the scenario brief.
2. Initial scenario (30 minutes). The facilitator describes the initial event. "It is Friday afternoon at 2 p.m. Your CFO has just received an email from the CEO requesting an urgent $400,000 wire to close an acquisition. The CEO is on a plane. The CFO is uncertain." The team responds: who calls whom, what verification runs, what decision gets made.
3. Injects (90 to 120 minutes). The facilitator introduces complications. The wire request escalates. A second message arrives from a "different sender". The IT team reports unusual login activity on the CEO's mailbox. A vendor calls about an unrelated payment that has not been processed. Each inject extends the scenario; the team works through their response.
4. Debrief (30 minutes). The facilitator stops the scenario and asks the team what worked, what did not, what gaps surfaced. The conversation is structured, not freeform: specific decisions are revisited, specific gaps are documented.
5. Documentation (later, 30 to 60 minutes). Facilitator writes a brief findings document: what was exercised, what was discovered, what corrective actions are required, who owns each.
The exercise is talk-based; no systems are touched. The point is to expose what the team would do under pressure when the decisions are real and the time is short.
The three formats: discussion-based, functional, full-scale
There are three formats, with progressively more realism and cost.
Discussion-based (tabletop). Talk-only. Participants discuss what they would do. Standard format for compliance, the most common for mid-market organizations. Cost: a half-day of participant time plus facilitator. Duration: two to four hours.
Functional. Adds limited operational involvement. Participants make real decisions, send real emails, contact real partners (with prior notification). Some systems are touched but no live production impact. More realistic; surfaces gaps in actual communication channels and authority. Duration: half-day to full-day.
Full-scale. Operational exercise with real systems and time pressure. The team responds to a realistic-looking scenario as if it were happening. Highest realism; highest cost; rarely appropriate for mid-market manufacturers because the operational risk of the exercise itself is meaningful.
For a 50 to 500 person manufacturer, discussion-based tabletops on a quarterly cadence, with an occasional functional exercise for high-priority scenarios, produce the right balance of effort to insight. Full-scale exercises are uncommon outside critical infrastructure and large enterprises.
Why most tabletop exercises fail to change behavior
Tabletops can be theater or they can be operational improvement. The failure modes that produce theater:
- Generic scenarios. "What if there is a ransomware attack" produces generic answers. "What if ransomware encrypts your ERP on the Monday morning of month-end close, and your IT lead is on vacation" produces specific findings.
- Wrong room. The IT team alone is not the incident response team. Without executives, operations, finance, and (where applicable) legal in the room, the exercise misses the decisions that actually matter.
- No injects. A static scenario does not exercise adaptation. Injects (new information, complications, time pressure) force the team to make decisions under uncertainty, which is how real incidents play out.
- No documentation. The conversation happens, gaps are surfaced, the room empties, and nothing changes. Without written findings and assigned corrective actions, the exercise is reabsorbed into background.
- Annual cadence. Once a year is too rare to build muscle memory. Quarterly is roughly the minimum for the learning to compound.
- No retest. Findings from one tabletop are supposed to drive changes that get retested. Without retest, the same gaps surface every exercise.
- Facilitator does not push. A facilitator who lets the team self-validate produces theater. A facilitator who probes ("what if the CEO cannot be reached for two hours?", "what if your IR retainer is unavailable?") produces findings.
The fix in each case is structural. Tabletops that work share specific properties; tabletops that fail share other specific properties.
Examples of scenarios that produce real improvement
The best tabletop scenarios are specific, plausible, and uncomfortable. From ARG engagements:
- Wire fraud during executive travel. CFO receives a wire request matching a real visible business situation; CEO is on a flight; the deadline is end of day. Surfaces: callback verification habits, dual-approval workflow, social cost of refusing executive requests. See What is business email compromise (BEC)?.
- Ransomware reaching the engineering file server on Friday afternoon. EDR alerts; engineering files are encrypting; production stops Monday morning if not contained. Surfaces: containment decision authority, communication with prime contractors, backup restoration time, ransom decision framework. See What is a ransomware playbook?.
- OT vendor remote-access compromise. A vendor used to maintain SCADA systems is publicly disclosed as breached. Vendor's tools are running on multiple manufacturer servers. Surfaces: vendor incident response coordination, segmentation effectiveness, production decision authority. See What is the IT/OT convergence problem?.
- Deepfake CEO call during M&A discussion. During a known acquisition negotiation, finance receives a CEO call requesting an urgent wire. The voice matches; the context matches; the pressure is real. Surfaces: voice-verification protocols, executive impersonation defenses. See What is a deepfake CEO scam?.
- Physical breach on a weekend, observed after hours. A Saturday night security camera feed shows an unfamiliar person near the network closet. The operator sees it but does not respond immediately. Surfaces: after-hours alert response, escalation to law enforcement, evidence preservation.
- CUI exfiltration discovered during routine audit log review. Audit logs show large data transfer from engineering file share to an external endpoint over the prior weekend. Surfaces: DC3 reporting timeline for defense contracts, customer (prime) notification, regulatory disclosure requirements.
Each scenario maps to a specific business reality at a mid-market manufacturer. Each one surfaces specific workflow gaps that turn into corrective actions.
How to scope a tabletop for a mid-market manufacturer
Scoping decisions determine whether the exercise produces useful findings or compliance theater.
- Pick one scenario. A two-to-four-hour tabletop covers one scenario well or three scenarios poorly. Discipline matters.
- Make it real. Use names, departments, actual workflow, current threats. "Your AP clerk Sarah" surfaces specific findings; "the AP team" surfaces generic responses.
- Invite the decision-makers. Executive sponsor, IT lead, operations lead, finance lead, legal where applicable. The exercise is wasted if the people in the room cannot make the decisions the scenario requires.
- Inject realistic complications. Three to five injects spread across the exercise. Each one raises stakes or introduces uncertainty.
- Constrain the time. A scenario with no time pressure feels academic. Compress decisions: "you have 30 minutes to decide" or "the wire executes at 4 p.m.".
- Plan the debrief in advance. Specific questions ready for the discussion: did the IR plan match what we actually did, where did communication break down, what would have changed the outcome.
- Capture corrective actions on the spot. Action items, owners, target dates documented in the room before the meeting ends.
- Schedule the retest. Six to twelve weeks later, retest the gaps. The retest is what closes the loop.
Best practices for facilitating and debriefing tabletops
The facilitator's job is to surface findings, not to entertain.
- Set ground rules first. No-judgment frame; what is discussed stays in the room; the point is learning. The rules let people surface real gaps.
- Prepare injects in advance. Pre-written, sequenced, calibrated to the scenario. Improvised injects produce uneven exercises.
- Push, do not lead. Ask "what do you do next?" rather than "you should do X". The team's actual response is the data.
- Watch for theater. "We would call the IR provider" is the response that needs probing: which provider, what number, who calls, how long does response take, what authority does the provider have to act.
- Track time. A two-hour tabletop drifts into three hours without time discipline. The discipline is part of the exercise.
- Document silence. Moments when the team does not know what to do are findings. The silence is the data.
- Debrief structurally. Specific questions: What did we do well? What did we do poorly? What would have happened in production? What changes by next quarter? The structure is the difference between debrief and conversation.
- Write the findings within 48 hours. While memory is fresh. Distribute to participants for confirmation. Add to the corrective action backlog.
Tabletop exercise FAQs
How long should a tabletop exercise last?
Two to four hours for a discussion-based tabletop. Half-day to full-day for a functional exercise with more participants. Multi-day for full-scale exercises with operational involvement. For most mid-market manufacturers, three-hour discussion-based tabletops on a quarterly cadence produce the best return on time invested.
Who should be in the room for a tabletop?
The executive sponsor (CEO or COO), the IT lead, the operations lead, the finance lead (for incidents involving wire fraud or insurance claims), and legal counsel where applicable. For OT-specific scenarios, the engineering lead. The defining criterion: anyone who would make a real decision during a real incident.
How often should tabletops run?
Annually as a minimum. Quarterly as a healthy cadence. Several frameworks (NIST CSF 2.0, ISO 27001, CMMC) expect at least annual exercise. The cadence that actually changes behavior is quarterly, with each exercise covering a different scenario.
Does a tabletop satisfy any compliance requirement?
Yes. NIST CSF (RS.MA-04), NIST SP 800-171 (IR-3 testing), CMMC, ISO 27001 (Annex A.5.30), and most cyber insurance underwriting questionnaires reference tabletop or equivalent testing of incident response plans. The documented exercise (date, participants, scenario, findings, corrective actions) is the evidence.
How ARG runs tabletops tied to actual simulation findings
ARG runs tabletops as part of the integrated engagement, with scenarios drawn from findings the continuous adversarial simulation has surfaced for the specific client. The exercise is not generic; it reflects exposures the workforce has actually encountered.
Tabletops are facilitated by David Ashby, with technical injects from James Wall. The structure follows the discussion-based format described above, with scenario selection driven by recent engagement findings.
A typical engagement cadence:
- Year 1, Quarter 1 (during on-site engagement weeks). Initial tabletop with the executive team and IT lead. Scenario is broad (a major incident covering several scenario types) to surface foundational gaps in the incident response plan.
- Year 1, Quarter 2. Tabletop focused on findings from the continuous simulation: typically a BEC or vishing scenario reflecting attacks ARG has actually run against the workforce.
- Year 1, Quarter 3. Tabletop focused on an OT or production-affecting scenario: ransomware reaching engineering systems, vendor compromise, or supply chain incident.
- Year 1, Quarter 4. Tabletop reviewing the year's incidents and findings, with an annual-cycle scenario (CMMC reporting, insurance renewal, board review).
Findings from each tabletop feed into the same monthly operational packet as the rest of the engagement. Corrective actions land in the risk register. Retests in subsequent quarters confirm whether the corrective actions held.
For founding clients, four tabletops per year are included in the monthly retainer. The output supports NIST CSF, NIST SP 800-171, CMMC, and cyber insurance evidence requirements.
Apply as a founding client or see how the engagement works for the full delivery cycle.
Find what gets through.
ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.