Incident Response Tabletop Generator
Generate cybersecurity tabletop exercise scenarios for IR planning.
Worked Examples
Example 1: Healthcare Ransomware Exercise
Problem: Hospital with 2,000 employees, Epic EHR system, conducts tabletop for ransomware affecting clinical systems.
Solution: Scenario covers: patient safety during outage, HIPAA breach determination, downtime procedures, vendor (Epic) coordination, and patient notification. Injects include media attention and patient diversion needs.
Result: Identified gaps: paper-based downtime procedures outdated, vendor contact info missing, unclear patient communication ownership.
Example 2: Financial Services Data Breach
Problem: Regional bank tests response to customer account data exfiltration scenario.
Solution: Scenario includes: regulatory notification timeline (72 hours), customer communication, fraud monitoring activation, and SEC/FINRA considerations. Injects escalate with dark web sale discovery.
Result: Identified gaps: legal counsel weekend contact unclear, customer notification templates need update, fraud team capacity questions.
Example 3: Manufacturing OT Incident
Problem: Manufacturer tests response to operational technology compromise affecting production.
Solution: Scenario bridges IT/OT divide, includes production safety considerations, supply chain impacts, and customer notification about delays. Injects include safety system concerns.
Result: Identified gaps: IT/OT communication protocols, safety shutdown authority, customer contract review needed.
Frequently Asked Questions
What is a tabletop exercise?
A tabletop exercise is a discussion-based session where team members walk through a simulated incident scenario. No actual systems are affected; participants discuss how they would respond to each development (inject). It tests plans, identifies gaps, and builds team coordination.
Who should participate in tabletop exercises?
Core: IT, Security, Legal, Communications/PR. Extended: Executive leadership, HR, Operations, Customer Service, key business units. External: Consider including legal counsel, insurance, PR agency, and key vendors for comprehensive exercises.
How often should we conduct tabletop exercises?
At a minimum annually, ideally quarterly with a different scenario each time. Also run one after major incidents, organizational changes, or new threats. Vary scenarios to cover different threat types, and include both technical and business-focused exercises.
What makes a good tabletop scenario?
Realistic and relevant to your industry, appropriate complexity for participants, clear injects that prompt decisions, ambiguity to encourage discussion, and adaptable based on participant responses.
How do I measure tabletop exercise success?
Metrics: participation, decision quality, time to key decisions, identified gaps, action items generated. Success is finding weaknesses safely; a 'perfect' exercise probably wasn't challenging enough.
What are injects in tabletop exercises?
Injects are new information or developments introduced during the exercise to simulate how incidents evolve. They test decision-making, communication, and adaptability. Good injects create tension and force difficult choices.