🎯 Free Facilitator Pack · 12 Pages · 6 Scenarios

Run Your Own Tabletop Exercise in 30 Minutes

Six fully facilitated scenarios. Scoring rubric. After-action template. Regulator notification cheat-sheet. Everything you need to run a meaningful incident response tabletop — without hiring a consultant.

✅ Ransomware during quarter-close ✅ CEO wire-fraud BEC ($340K) ✅ Insider threat exfil ✅ Vishing MFA reset attack
Tabletop Exercise Facilitator Pack 2026
What's inside
📋 Executive intro — why tabletops, ROI, regulator expectations
🎯 Facilitator quick-start — roles, 30-min vs 60-min format
🔴 Scenario 1: Ransomware during quarter-close
💰 Scenario 2: CEO wire-fraud BEC ($340K)
🕵️ Scenario 3: Insider threat data exfil
🔗 Scenario 4: Vendor/MSP compromise
📞 Scenario 5: Vishing MFA reset attack
📰 Scenario 6: Public breach on leak site
📊 Scoring rubric + after-action template
⏰ Regulator notification cheat-sheet
2.5× — More likely to contain a breach in 24 hrs after running at least one tabletop (IBM, 2025)
$4.88M — Average cost of a data breach (IBM Cost of a Data Breach Report 2025)
4+ — Regulators that explicitly reference tabletop exercises (SEC, NYDFS, HIPAA, FFIEC)
30 min — Minimum exercise format; enough to expose critical gaps in any team

What's Inside

Six Facilitated Scenarios — Ready to Run

Each scenario includes a situation brief, three escalating injects to read aloud, discussion questions, common mistakes, and expected outcomes. Runs in 30 or 60 minutes.

Facilitator Quick-Start

Roles (facilitator, scribe, observer), blameless ground rules, 30-min and 60-min timing formats. No cybersecurity expertise required to run these.

Scoring Rubric

1–5 scoring across five dimensions: detect, contain, communicate, recover, and learn. Track improvement across exercises over time.

After-Action Template

Fill-in-the-blank template for capturing decisions, gaps, action items with owners, scores, and next exercise date. Complete within 24 hours.

Regulator Notification Cheat-Sheet

SEC 4-day, HIPAA 60-day, GDPR 72-hour, NYDFS 72-hour, state AG 30–90 day timelines. Know the clocks before they start running.

The 6 Scenarios

Realistic Incidents. Real Decision Points.

These aren't theoretical exercises. Every scenario is based on actual breach patterns from FBI IC3, HHS OCR, SEC enforcement, and published incident reports. Your team will hit the same decision points real organizations face.

Scenario 1 · Ransomware

File Server Encrypted During Quarter-Close

Q1 close day. FS01 encrypting. 72-hour ransom demand. Backups untested for 4 months. Data leak threat. Your team decides: who calls insurance, who owns the ransom decision, and when does the HIPAA clock start?

Scenario 2 · BEC Wire Fraud

CEO Wire Fraud — $340K Invoice Change

Lookalike domain. CFO traveling. AP coordinator ready to wire. Banking details changed. What is your exact out-of-band (OOB) verification step — and what happens if the wire already went?

Scenario 3 · Insider Threat

Departing Engineer Exfil to Personal Drive

Last day on the job. DLP alert: source code + customer data uploaded to personal Google Drive. Still in exit interview. Personal AWS token still active. Do you confront him or preserve evidence first?

Scenario 4 · Vendor Compromise

MSP Credentials Abused for Lateral Movement

Your MSP was phished. Their account accessed your AD for 4 hours overnight. Threat intel: this group plants Cobalt Strike beacons 48–72 hrs before deploying ransomware. Are you already compromised?

Scenario 5 · Vishing

IT Helpdesk Called by "CFO" for MFA Reset

Caller knows the CFO's employee ID, manager's name, and board meeting details. Requests MFA reset while "traveling." Your helpdesk policy either stops this or doesn't. Find out which before it matters.

Scenario 6 · Data Breach

Attacker Posts to Leak Site Before You Know

A security researcher emails you at 7 AM: a ransomware group has posted 50K customer records. Reporters are calling. Legal wants a denial. IT sees no alerts. A third-party vendor's breach notification from 3 weeks ago sits unread.

Regulator Expectations

These Regulators Want Evidence of Tabletop Exercises

Tabletop documentation isn't just good practice — it's increasingly a regulatory expectation. The pack includes a notification deadline cheat-sheet so you know exactly which clocks start running when an incident occurs.

SEC Cyber Disclosure

4-business-day incident disclosure. Evidence of IR plan testing supports "reasonable" materiality determinations.

NYDFS Part 500 (2023)

Class A companies must conduct tabletop exercises as part of their incident response testing. Documented results required.

HIPAA / HHS OCR

OCR guidance explicitly references tabletop exercises for contingency plan testing under § 164.308(a)(7). Breach investigations ask for evidence.

FFIEC CAT

"Innovative" maturity tier requires regular tabletop exercises testing incident response capabilities. Results must drive program improvements.

Free Download

Get the Facilitator Pack — Free

Enter your work email and we'll send you the 12-page PDF immediately. No credit card. No sales call required.

No spam. Unsubscribe anytime. We may send a short follow-up email sequence about cybersecurity training.

Want us to facilitate a session for your team?

Our Executive and Business sessions include a fully facilitated tabletop with your actual leadership team, a structured debrief, and a written after-action report for compliance documentation.

Book a Facilitated Session →