Tabletop exercises that actually rehearse the hard parts

Most tabletops rehearse the technical investigation. The communications and decision flow — the hard parts — usually go unpracticed.

Tabletop exercises are one of the highest-leverage preparation activities we recommend to clients. They are also one of the most consistently underused: when they happen at all, they tend to rehearse the wrong parts of an incident, and the parts that are hardest in a real incident go unpracticed.

The typical tabletop scenario walks the technical-investigation pathway: an incident is detected, the SOC investigates, indicators are extracted, the technical team coordinates triage and containment. This work is necessary, but it is also the work the SOC team already practices every time a real alert fires, so a tabletop spent on it adds the least.

The hard parts of incident response — the parts that actually go wrong in real incidents — are almost never the technical investigation. They are the communication and decision flow: who has authority to declare an incident, who notifies executive leadership and when, who decides on customer or regulator communications, who approves spending money on emergency engagement of external responders, who briefs the board, who handles the press.

These are the questions real incidents fail on. The technical investigation is usually competent; the communications and decision flow is usually improvised. Improvisation in a high-pressure communications scenario is what produces the wording in the press release that the regulator quotes back at you eighteen months later.

A tabletop that actually rehearses the hard parts has a different shape from a tabletop that rehearses technical investigation. The participants include legal, communications, executive sponsors, and ideally external counsel — not just the SOC and IT teams. The scenario escalates beyond the technical layer into the regulatory clock and the public-affairs dimension. The facilitator presses on the decision points rather than letting the conversation revert to comfortable technical territory.

The output of a good tabletop is not a list of technical detection gaps. It is a list of decision-flow ambiguities, communications-playbook holes, and authority-escalation questions that need formal answers before the next live incident. Resolving those produces materially better real-incident outcomes.

We design and facilitate roughly a dozen of these exercises a year for clients across our sectors. The most common finding across all of them is the same: there is no pre-approved external-communication template for the first regulatory notification, and there is no clear decision authority for who can approve such a template under time pressure. Fixing that single finding, a pre-approved template plus a named approver, closes more risk than any technical-detection finding from the same exercise.

If you are scoping a tabletop, scope it around the decision-flow dimension rather than the technical investigation. If you do not have an external facilitator, find one — the questions an external facilitator can ask under controlled conditions are not the questions an internal lead can comfortably ask of their own executive team.

About the author. Jian Wei Lim is Founder & Principal Researcher at Vintrip Labs. Background in offensive security and awareness programme design.