N2CON TECHNOLOGY

Incident Response Tabletop Exercises (TTX): A Practical Guide

A tabletop exercise is a low-stress way to pressure-test your incident response plan. It surfaces the real blockers: unclear roles, missing access, weak communications, and gaps in backups/logging.

Note: This is general information and not legal advice.

Last reviewed: January 2026

Executive Summary

What it is

A facilitated scenario discussion that tests decisions, roles, and procedures without touching production systems.

Why it matters

  • Most failures during incidents are operational (coordination, access, comms), not technical.
  • Exercises convert “we should do X” into an owned improvement plan.
  • Frameworks and questionnaires often ask whether incident response is tested.

What good looks like

  • Clear roles: incident commander, IT, security, leadership, legal, communications.
  • Known escalation paths (including after-hours).
  • A written After Action Report / Improvement Plan with owners and timelines.

Common failure modes

  • No decisions recorded: the meeting happens, but nothing turns into an improvement plan.
  • Too technical: the exercise ignores leadership/comms decisions (often the hardest part).
  • Missing access: nobody has the right admin roles, Multi-Factor Authentication (MFA) recovery, or vendor contacts when it matters.
  • Backups not included: recovery timelines are guessed, not tested.
  • Unclear notification thresholds: "when do we tell customers/insurers?" becomes chaos under pressure.

How to run a practical TTX

  1. Pick a scenario: ransomware, account takeover, vendor compromise, lost laptop with sensitive data.
  2. Define objectives: decision-making, communications, containment authority, recovery readiness.
  3. Assign roles: clarify who leads, who approves containment actions, and who talks externally.
  4. Run timed injects: introduce new facts (press inquiry, insurance request, evidence of lateral movement, etc.).
  5. Capture gaps: missing tooling/access, unclear procedures, and policy gaps.
  6. Write the AAR/IP: every action gets an owner, a due date, and a place in a prioritized sequence.
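The six steps above, carried through as an added worked example (not N2CON's tooling): a small decision log that models the scenario, roles, timed injects, recorded decisions and captured gaps, and then builds the AAR/IP. It enforces the two things that most often go missing, that decisions were actually recorded and that every gap has an owner and a due date, by refusing to produce a report otherwise. The lost-laptop data and the people's names are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Lower rank sorts first in the improvement plan.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Inject:
    minute: int   # minutes into the exercise when the facilitator introduces the fact
    text: str


@dataclass
class Gap:
    description: str
    severity: str           # "high", "medium" or "low"
    owner: str | None = None
    due: date | None = None


@dataclass
class Exercise:
    scenario: str
    objectives: list[str]
    roles: dict[str, str]                                   # role -> named person
    injects: list[Inject] = field(default_factory=list)
    decisions: list[tuple[int, str, str]] = field(default_factory=list)  # (minute, role, decision)
    gaps: list[Gap] = field(default_factory=list)

    def record_decision(self, minute: int, role: str, decision: str) -> None:
        # Decisions are attributed to an assigned role so the AAR shows who held the authority.
        if role not in self.roles:
            raise ValueError(f"decision by unassigned role: {role}")
        self.decisions.append((minute, role, decision))

    def capture_gap(self, description: str, severity: str,
                    owner: str | None = None, due: date | None = None) -> None:
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {severity}")
        self.gaps.append(Gap(description, severity, owner, due))


def unowned_gaps(ex: Exercise) -> list[Gap]:
    """Gaps that would silently drop out of the plan: no owner or no due date."""
    return [g for g in ex.gaps if g.owner is None or g.due is None]


def build_aar(ex: Exercise, exercise_day: str) -> dict:
    """Build the AAR/IP (exercise_day is ISO-8601). Refuses to report when no
    decisions were recorded or a gap is unowned: the 'meeting happened, nothing
    changed' failure mode."""
    if not ex.decisions:
        raise ValueError("no decisions recorded during the exercise")
    missing = unowned_gaps(ex)
    if missing:
        raise ValueError("gaps without owner/due date: "
                         + "; ".join(g.description for g in missing))
    ordered = sorted(ex.gaps, key=lambda g: (SEVERITY_RANK[g.severity], g.due))
    return {
        "scenario": ex.scenario,
        "date": date.fromisoformat(exercise_day).isoformat(),
        "attendees": sorted(set(ex.roles.values())),
        "injects": [(i.minute, i.text) for i in sorted(ex.injects, key=lambda i: i.minute)],
        "decisions": sorted(ex.decisions),
        "improvement_plan": [
            {"priority": n, "action": g.description, "severity": g.severity,
             "owner": g.owner, "due": g.due.isoformat()}
            for n, g in enumerate(ordered, start=1)
        ],
    }


def render_aar(report: dict) -> str:
    """Plain-text AAR/IP suitable for keeping as exercise evidence."""
    lines = [f"AAR/IP: {report['scenario']} ({report['date']})",
             "Attendees: " + ", ".join(report["attendees"]), "", "Decisions:"]
    lines += [f"  T+{m:02d} {role}: {d}" for m, role, d in report["decisions"]]
    lines += ["", "Improvement plan:"]
    lines += [f"  {a['priority']}. [{a['severity']}] {a['action']} ({a['owner']}, due {a['due']})"
              for a in report["improvement_plan"]]
    return "\n".join(lines)


def build_demo_exercise(day: str) -> Exercise:
    """Constructed lost-laptop exercise data; all names are hypothetical."""
    today = date.fromisoformat(day)
    ex = Exercise(
        scenario="Lost laptop",
        objectives=["after-hours escalation", "containment authority", "notification decision"],
        roles={"Incident commander": "A. Rivera", "IT": "J. Chen",
               "Legal": "M. Okafor", "Communications": "S. Patel"},
    )
    ex.injects = [Inject(0, "Tommy calls IT at 9pm: laptop left at airport security."),
                  Inject(15, "MDM console shows the device last checked in 6 hours ago."),
                  Inject(30, "Tommy recalls a client spreadsheet saved to the desktop.")]
    ex.record_decision(10, "Incident commander", "Issue remote wipe and disable Tommy's account")
    ex.record_decision(35, "Legal", "Hold notification decision until encryption status is confirmed")
    ex.capture_gap("No after-hours on-call number published to staff", "high",
                   "J. Chen", today + timedelta(days=14))
    ex.capture_gap("Disk-encryption status not recorded in the asset inventory", "high",
                   "J. Chen", today + timedelta(days=30))
    ex.capture_gap("Notification thresholds not written into the IR plan", "medium",
                   "M. Okafor", today + timedelta(days=45))
    return ex


if __name__ == "__main__":
    today = date.today().isoformat()
    print(render_aar(build_aar(build_demo_exercise(today), today)))
```

Running the script prints the AAR/IP for the constructed exercise. Sorting the plan by severity and then due date gives the "prioritized sequence" of step 6 directly; the deliberate `ValueError` on unowned gaps is what turns "we should fix that" into a tracked action, because the facilitator cannot close the exercise until someone's name is on every item.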

Sample scenario: Lost laptop

Tommy is traveling for work. He leaves his laptop at the airport security checkpoint and doesn't realize it until he lands. It's 9pm. He calls IT.

Now the questions start:

  • Who takes this call? Is there an after-hours number, or does Tommy just hope someone sees his email?
  • What's the first containment action? Remote wipe? Disable account? Both? Who has the authority and access to do it right now?
  • What data was on that laptop? Local files? Synced cloud folders? Cached credentials? How do you even find out?
  • Was the disk encrypted? Can you prove it? Where's that record?
  • Was the laptop locked or unlocked when lost? Tommy thinks it was locked. How confident are you?
  • Who needs to be notified? Just IT? Leadership? Legal? Your cyber insurance carrier? Clients whose data might have been on the device?
  • Does this trigger breach notification? Depends on the data, the encryption status, and your regulatory obligations. Who makes that call?

This single scenario, a lost laptop, exposes gaps in after-hours escalation, MDM (mobile device management) access, encryption verification, data classification, and notification policy. That's why it's a great tabletop exercise.

Other scenarios to consider

Phishing / business email compromise

Bob clicks a link in an email that looks like it's from Microsoft. He enters his password. Twenty minutes later, someone is sending emails from his account asking the finance team to wire money.

  • How do you know Bob's account is compromised? Do you have alerts for impossible travel or suspicious sign-ins?
  • What does Bob have access to? Email, SharePoint, sensitive file shares, financial systems?
  • How do you contain it? Reset password? Revoke sessions? Disable the account entirely?
  • Did the attacker set up mail forwarding rules or grant themselves access to Bob's mailbox?
  • Who else got that phishing email? How do you find out?
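Two of the questions above ("do you have alerts for impossible travel or suspicious sign-ins?" and "did the attacker set up mail forwarding rules?") are things a detection can answer. The following added example, not code from N2CON or any vendor, runs both checks over a constructed JSON-lines log: impossible travel flags two sign-ins by the same user whose implied speed exceeds what a flight could cover, and the forwarding check flags new mailbox rules that send mail outside the company domain. The event shape, the `example.com` domain, the coordinates and the IP addresses are all assumptions built for the example; real identity-provider and mailbox-audit logs use their own schemas and IP geolocation is approximate.

```python
import json
import math
from datetime import datetime

# Constructed sample events (not real logs). Timestamps are UTC, ISO-8601.
SAMPLE_LOG = """
{"ts": "2026-01-12T09:02:00", "type": "signin", "user": "bob", "ip": "203.0.113.10", "lat": 47.61, "lon": -122.33}
{"ts": "2026-01-12T09:25:00", "type": "signin", "user": "bob", "ip": "198.51.100.7", "lat": 52.52, "lon": 13.40}
{"ts": "2026-01-12T09:31:00", "type": "mailbox_rule", "user": "bob", "action": "ForwardTo", "target": "bob.backup@example.net"}
{"ts": "2026-01-12T10:05:00", "type": "signin", "user": "alice", "ip": "203.0.113.11", "lat": 47.61, "lon": -122.33}
{"ts": "2026-01-12T14:40:00", "type": "signin", "user": "alice", "ip": "203.0.113.44", "lat": 45.52, "lon": -122.68}
{"ts": "2026-01-12T15:00:00", "type": "mailbox_rule", "user": "alice", "action": "ForwardTo", "target": "alice@example.com"}
"""

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own mail domain
MAX_KMH = 900.0                   # roughly airliner speed; faster than this is "impossible"
FORWARDING_ACTIONS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON lines into events sorted by timestamp (detections assume order)."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins per user whose implied ground speed exceeds max_kmh."""
    last_signin = {}
    alerts = []
    for e in events:
        if e["type"] != "signin":
            continue
        prev = last_signin.get(e["user"])
        if prev is not None:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            # Same-minute sign-ins from one place are not travel; guard the division.
            if hours > 0 and km / hours > max_kmh:
                alerts.append({"user": e["user"], "km": round(km), "hours": round(hours, 2),
                               "from_ip": prev["ip"], "to_ip": e["ip"], "ts": e["ts"]})
        last_signin[e["user"]] = e
    return alerts


def external_forwarding(events, internal_domain=INTERNAL_DOMAIN):
    """Flag mailbox rules that forward or redirect mail to an address outside the domain."""
    alerts = []
    for e in events:
        if e["type"] != "mailbox_rule" or e["action"] not in FORWARDING_ACTIONS:
            continue
        domain = e["target"].rsplit("@", 1)[-1].lower()
        if domain != internal_domain.lower():
            alerts.append({"user": e["user"], "action": e["action"],
                           "target": e["target"], "ts": e["ts"]})
    return alerts


def triage(text):
    """Group both detections by user so the responder sees the whole picture for Bob."""
    events = parse_events(text)
    findings = {}
    for a in impossible_travel(events):
        findings.setdefault(a["user"], []).append(("impossible_travel", a))
    for a in external_forwarding(events):
        findings.setdefault(a["user"], []).append(("external_forwarding", a))
    return findings


if __name__ == "__main__":
    for user, items in triage(SAMPLE_LOG).items():
        for kind, detail in items:
            print(f"{user}: {kind} {detail}")
```

Only `bob` appears in the output: two sign-ins 23 minutes apart from points thousands of kilometres apart, followed by a rule forwarding his mail to an outside address. Alice's two sign-ins are a plausible drive and her rule stays internal, so she is not flagged. The grouping in `triage` matters for the containment question on this list: a forwarding rule on an account that also shows impossible travel is a strong signal that a password reset alone is not enough and that sessions and rules both need revoking.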

Ransomware

Monday morning, employees start reporting they can't open files. The file server shows everything renamed with a .locked extension. There's a ransom note demanding Bitcoin.

  • Who decides whether to pay? (This should be a leadership decision, with IT providing technical input.)
  • How long can the business operate without those files? Hours? Days?
  • When were your last backups? Are they also encrypted? Have you ever tested a restore?
  • Who talks to the press if this leaks? What about customers?
  • Does your cyber insurance require you to call them before taking certain actions?

Vendor breach

Your payroll provider sends a notice: they experienced a security incident and your employee data may have been accessed.

  • What data did they have? Full SSNs? Bank account numbers? Home addresses?
  • Are you obligated to notify employees? Regulators? Within what timeframe?
  • Do you have a record of what you shared with this vendor?
  • Who in your organization owns the vendor relationship and the response?

Operations & evidence

  • At least annually: a tabletop exercise for your highest-risk scenarios.
  • After major changes: new identity provider, new backup platform, major vendor change, merger/migration.
  • Evidence: keep the agenda, attendee list, scenario, and an AAR/IP summary.

Common Questions

What is a tabletop exercise (TTX)?

A tabletop exercise is a facilitated scenario discussion that tests decisions, roles, and procedures without touching production systems. It surfaces real blockers like unclear roles, missing access, weak communications, and gaps in backups or logging in a low-stress environment.

How often should we run tabletop exercises?

At least annually for your highest-risk scenarios. Also run exercises after major changes: new identity provider, new backup platform, major vendor change, or merger/migration. The goal is continuous improvement, not one-time compliance.

What scenarios should we practice?

Common high-value scenarios include: lost/stolen laptop with company data, phishing/business email compromise, ransomware attack, and vendor breach notification. Each scenario exposes different gaps in after-hours escalation, access controls, data classification, and communication processes.

What makes a tabletop exercise effective?

Clear roles (incident commander, IT, security, leadership, legal, communications), timed injects that introduce new facts, capturing gaps and decisions, and—most importantly—a written After Action Report with owners and timelines for improvement actions.

What evidence should we keep from tabletop exercises?

Keep the agenda, attendee list, scenario description, and an AAR/IP (After Action Report / Improvement Plan) summary. Frameworks and questionnaires often ask whether incident response is tested—this documentation proves it.

Want a tabletop exercise that improves readiness?

We can facilitate a realistic TTX and turn it into a prioritized improvement plan your team can execute.

Contact N2CON