By Karen Sprenger   /   Dec 6th, 2022

Our Top 3 Incident Response Tabletop Exercise Scenarios & Why These Should Be Part of Your Cybersecurity Plan

incident response tabletop exercise scenario imageAs a consultant, one of my favorite assignments is leading incident response tabletop exercise scenarios that help organizations discover their strengths and weaknesses. If you are not familiar with the term, the purpose of a tabletop exercise is to gather the incident response team including IT, management, public relations, legal counsel, etc. around a table (or a virtual table), preferably with pizza or cinnamon rolls in front of them (depends on the time of day), and talk through the team’s response to a given scenario using their incident response plan as a guide.

Why is it important to test your organization with incident response tabletop exercise scenarios? The purpose of these activities is to review the plan, identify weaknesses or gaps, and ensure that all members of the team are aware of and familiar with roles and responsibilities. There is broad agreement about the need for running these tabletop exercises: cybersecurity leaders, from NIST to industry associations and government agencies, agree that these are important for your organization’s incident response preparation. In fact, a recent study by IBM found that if a data breach victim has a trained IR team they have an average reduction of $250,000 in their breach costs. But, it’s about more than just having a team, it’s also hinges on the IR team’s preparation and training. You can learn more about what tabletop exercises are and the ROI they deliver in this 4-minute tabletop exercises video.

Clients often bring us in to facilitate the tabletop exercises to help the group remain on track, provide third-party perspective, and provide experience and examples from real-world response, as well as design scenarios for the exercise and introduce surprises along the way. (“Ok, Jenny, the only person who has access to that information is on vacation at a resort with no cell service and no email, now what are you going to do?”)

Clients also bring us in to facilitate when they want to be surprised by the scenario and approach the activity on equal footing with the rest of their team. It’s the best way to simulate a real cyberattack.

Let’s look at a few incident response tabletop exercise scenarios and discover some of the questions you should ask during these exercises. After you are done reading these scenarios, I suggest reading my colleague’s blog on the common questions and gaps that are discovered during incident response tabletop exercise scenarios. It can really help you think through potential process or security gaps.

Our 3 Favorite Incident Response Tabletop Exercise Scenarios

If you’re ready to run a tabletop exercise, here are brief outlines of a few of our team’s favorite scenarios to get you started. Note that in most cases, only the facilitator knows all of the details ahead of time. Their job is to then release those details throughout the exercise to guide the group’s discussion, as well as throw unexpected curveballs to help your group think about and plan how they will react to the unexpected.

Tabletop Exercise Scenario Example 1: Ransomware

This is by far our most requested scenario and leaves room for good discussion and planning. With the rise in ransomware, it’s crucial that your team reacts quickly and efficiently to stop the spread, preserve data, evaluate back-ups, evaluate ransom payments and much more. Ransomware can be financially disastrous. Being prepared and closing any process and security gaps can minimize the damage.


After a long holiday weekend, the office early birds arrive at work and frantically contact IT to report ransom messages on their computer screens. The IT team members rush to the office and find that the files on the server and workstation are all encrypted. It’s later determined that a user clicked a link in a phishing email which allowed attackers to install ransomware, not only on the local workstation but on shared server files as well, and it’s still spreading.

Sample Questions for Discussion:

How do you contain and stop the spread?

Do you have viable backups and system images?

Would you ever consider paying the ransom, and who makes that decision?

Is this covered by cyber insurance? (Do you have cyber insurance?)


You have backups, but only on tape and it will take 10 days to restore everything. Does that change your course of action? Can the organization survive a 10-day outage, or are there alternative plans in place?


Tabletop Exercise Scenario Example 2: Cyber Extortion

Cyber extortion is an increasingly common scenario that can have many negative impacts for your organization, both operationally and from a public relations perspective. This can be a stand-alone scenario or used as a curveball during ransomware, since this type of incident can happen alone, during a ransomware attack, or even after a ransom is paid.


The CEO arrives Friday morning to a voicemail in which a digitally altered voice claims that they have stolen all the organization’s files and will release them publicly if a ransom is not paid.

Sample Questions for Discussion:

How can your organization be certain that your data has been stolen?

What is your organization’s policy regarding ransom payments?

Who should be notified?

What is the role of IT at this time?

Is this a data breach? Who decides?


An internationally known cybersecurity journalist calls for a quote after hearing rumors on the dark web about the theft of your data. Do you comment? Who decides? Who issues the statement?


Tabletop Exercise Scenario Example 3: Information Stealing Trojans

Information stealing trojans can have wide-reaching impacts and can also facilitate other types of cyberattacks, like business email compromise and ransomware. Once again, this scenario also works well as a curveball during other types of exercises.


The head of accounting alerts your executive team that four customers have contacted them with questions about the new payment directions and routing information you emailed. The bad news, you never sent that email. The executive team immediately contacts your IT team who finds information stealing trojans (malicious software designed to steal usernames, passwords, banking credentials, and files) are found in your organization’s environment.

Sample Questions for Discussion:

How do we stop the theft of our information?

How long have they been there and how do we find out?

Who needs to be notified?

What has been stolen so far?


You discover that the attackers not only stole your information, but they are also monitoring your emails. You discover this when the hackers inject themselves into an email thread. What do you need to do now? How will you communicate if the attacker can read your emails?


General Considerations

When running these scenarios, focus on your organization and don’t forget to discuss:

  • How internal communications should be handled and by whom
  • Where documentation is stored
  • The downtime tolerance for your critical systems

Remember to focus on processes, not individual performance. Most importantly, before the exercise ends, identify the person who will oversee and coordinate updates to your incident response plan based on the findings during the exercise. Set a deadline so that the changes are made in a timely manner, before they are forgotten in the hustle and bustle of daily workloads.

While I’ve only provided three scenarios, our team suggested many more, including Ben Kast’s excellent suggestion of insider threats, and Dan Featherman’s great reminder not to forget preparation for recovery and business continuity in the midst of natural disasters. Maybe they can help me write a Part 2 to this post!

We hope you find this information helpful! Contact us if you would like help running incident response tabletop exercise scenarios for your organization.

About the Author

Karen Sprenger

Karen Sprenger is the COO and chief ransomware negotiator at LMG Security. She has more than 25 years of experience in cybersecurity and information technology, and she is a noted cybersecurity industry expert, speaker, and trainer. Karen is also the co-author of a new book, Ransomware and Cyber Extortion: Response and PreventionShe speaks at many events, including those held by Wall Street Journal Cyber Pro, Fortinet, the Internal Legal Tech Association, and the Volunteer Leadership Council. Karen is a GIAC Certified Forensics Examiner (GCFE) and Certified Information Systems Security Professional (CISSP) and holds her bachelor’s degree in music performance (yes, really). In her spare time, Karen considers “digital forensics” a perfectly acceptable answer to the question, “But what do you do for fun?” A lifelong Montanan, she lives in Missoula with oodles of poodles.