By Karen Sprenger   /   Mar 2nd, 2024

Our Top 3 Evergreen Incident Response Tabletop Exercise Scenarios & Why These Should Be Part of Your Cybersecurity Plan

incident response tabletop exercise scenario imageAs a consultant, one of my favorite assignments is leading incident response tabletop exercise scenarios that help organizations discover their strengths and weaknesses. If you are not familiar with the term, the purpose of a tabletop exercise is to gather the incident response team including IT, management, public relations, legal counsel, etc. around a table (or a virtual table), preferably with pizza or cinnamon rolls in front of them (depends on the time of day), and talk through the team’s response to a given scenario using their incident response plan as a guide.

Why is it important to test your organization with incident response tabletop exercise scenarios? Everyone is talking about cyber resilience, which is your organization’s ability to effectively identify, respond to, and recover from a breach. It’s built around the concept that your organization likely will be breached and proactive preparation will help minimize the damage. Running incident response tabletop exercise scenarios is one of the best ways to test your organization’s cyber resilience. A well-run exercise has your team simulating an incident, executing the plan in a live practice scenario, identifying weaknesses or gaps, and ensuring that all members of the team are aware of and familiar with roles and responsibilities. There is broad agreement about the need for running these tabletop exercises: cybersecurity leaders, from NIST to industry associations and government agencies, agree that these are important for your organization’s incident response preparation. In fact, organizations with robust incident response planning AND testing programs (so tabletops!) as a routine part of their cybersecurity program decrease their risk and save an average of $1.49M when faced with a data breach, according to IBM’s Cost of a Data Breach Report 2023.

How to Implement Tabletop Exercises

In good news, you can run a tabletop exercise yourself using the scenarios we share below. In this blog, we cover my three favorite evergreen scenarios, but don’t forget to check out the top two tabletops we recommend for 2024 to stay ahead of current attack trends! This gives you five scenarios for your organization to practice and strengthen your cyber resilience!

However, many clients prefer to outsource this service and often bring us in to facilitate the tabletop exercises to help the group remain on track, provide third-party perspective, and provide experience and examples from real-world responses, as well as design scenarios for the exercise and introduce surprises along the way. For example, “Ok, Jenny, the only person who has access to that information is on vacation at a resort with no cell service and no email, now what are you going to do?” Clients also bring us in to facilitate when they want to be surprised by the scenario and approach the activity on equal footing with the rest of their team. It’s the best way to simulate a real cyberattack. Whether you run your tabletop exercise internally or outsource it to us, testing these scenarios is a crucial component of building your organization’s cyber resilience. If you’re a visual person, you can also watch this 4-minute tabletop exercises video.

Let’s look at a few incident response tabletop exercise scenarios and discover some of the questions you should ask during these exercises. After you are done reading these scenarios, I suggest reading my colleague’s blog on the common questions and gaps that are discovered during incident response tabletop exercise scenarios. It can really help you think through potential processes or security gaps.

Our 3 Favorite Incident Response Tabletop Exercise Scenarios

If you’re ready to run a tabletop exercise, here are brief outlines of a few of our team’s favorite scenarios to get you started. Note that in most cases, only the facilitator knows all of the details ahead of time. Their job is to then release those details throughout the exercise to guide the group’s discussion, as well as throw unexpected curveballs to help your group think about and plan how they will react to the unexpected.

Tabletop Exercise Scenario Example 1: Ransomware

This is by far our most requested scenario and leaves room for good discussion and planning. With the rise in ransomware, it’s crucial that your team reacts quickly and efficiently to stop the spread, preserve data, evaluate back-ups, evaluate ransom payments, and much more. Ransomware can be financially disastrous. Being prepared and closing any process and security gaps can minimize the damage.


After a long holiday weekend, the office early birds arrive at work and frantically contacts IT to report ransom messages on their computer screens. The IT team members rush to the office and find that the files on the server and workstation are all encrypted. It’s later determined that a user clicked a link in a phishing email which allowed attackers to install ransomware, not only on the local workstation but on shared server files as well, and it’s still spreading.

Sample Questions for Discussion:

How do you contain and stop the spread?

Do you have viable backups and system images?

Would you ever consider paying the ransom, and who makes that decision?

Is this covered by cyber insurance? (Do you have cyber insurance?)


You have backups, but only on tape and it will take 10 days to restore everything. Does that change your course of action? Can the organization survive a 10-day outage, or are there alternative plans in place?


Tabletop Exercise Scenario Example 2: Cyber Extortion

Cyber extortion is an increasingly common scenario that can have many negative impacts for your organization, both operationally and from a public relations perspective. This can be a stand-alone scenario or used as a curveball during ransomware, since this type of incident can happen alone, during a ransomware attack, or even after a ransom is paid.


The CEO arrives Friday morning to a voicemail in which a digitally altered voice claims that they have stolen all the organization’s files and will release them publicly if a ransom is not paid.

Sample Questions for Discussion:

How can your organization be certain that your data has been stolen?

What is your organization’s policy regarding ransom payments?

Who should be notified?

What is the role of IT at this time?

Is this a data breach? Who decides?


An internationally known cybersecurity journalist calls for a quote after hearing rumors on the dark web about the theft of your data. Do you comment? Who decides? Who issues the statement?


Tabletop Exercise Scenario Example 3: Information Stealing Trojans

Information stealing trojans can have wide-reaching impacts and can also facilitate other types of cyberattacks, like business email compromise and ransomware. Once again, this scenario also works well as a curveball during other types of exercises.


The head of accounting alerts your executive team that four customers have contacted them with questions about the new payment directions and routing information you emailed. The bad news: you never sent that email. The executive team immediately contacts your IT team who finds information stealing trojans (malicious software designed to steal usernames, passwords, banking credentials, and files) are found in your organization’s environment.

Sample Questions for Discussion:

How do we stop the theft of our information?

How long have they been there and how do we find out?

Who needs to be notified?

What has been stolen so far?


You discover that the attackers not only stole your information, but they are also monitoring your emails. You discover this when the hackers inject themselves into an email thread. What do you need to do now? How will you communicate if the attacker can read your emails?


General Considerations

When running these scenarios, focus on your organization and don’t forget to discuss:

  • How internal communications should be handled and by whom
  • Where documentation is stored
  • The downtime tolerance for your critical systems

Remember to focus on processes, not individual performance. Most importantly, before the exercise ends, identify the person who will oversee and coordinate updates to your incident response plan based on the findings during the exercise. Set a deadline so that the changes are made in a timely manner, before they are forgotten in the hustle and bustle of daily workloads.

While I’ve only provided three scenarios, our team suggested many more, including Ben Kast’s excellent suggestion of insider threats, and Dan Featherman’s great reminder not to forget preparation for recovery and business continuity in the midst of natural disasters. Maybe they can help me write a Part 2 to this post!

We hope you find this information helpful! Contact us if you would like help running incident response tabletop exercise scenarios for your organization.

About the Author

Karen Sprenger

Karen Sprenger is the COO and chief ransomware negotiator at LMG Security. She has more than 25 years of experience in cybersecurity and information technology, and she is a noted cybersecurity industry expert, speaker, and trainer. Karen is also the co-author of a new book, Ransomware and Cyber Extortion: Response and PreventionShe speaks at many events, including those held by Wall Street Journal Cyber Pro, Fortinet, the Internal Legal Tech Association, and the Volunteer Leadership Council. Karen is a GIAC Certified Forensics Examiner (GCFE) and Certified Information Systems Security Professional (CISSP) and holds her bachelor’s degree in music performance (yes, really). In her spare time, Karen considers “digital forensics” a perfectly acceptable answer to the question, “But what do you do for fun?” A lifelong Montanan, she lives in Missoula with oodles of poodles.