📋 Free Download

Run your next cybersecurity tabletop in 30 minutes — with a real facilitator guide

6 facilitated scenarios, a scoring rubric, an after-action template, and a regulator notification cheat-sheet — in one playbook you can use today.

12-page playbook — download instantly
6 real-world scenarios, fully facilitated
Scoring rubric + after-action template
Playbook — 12 pages · 2026
What's inside the Tabletop Exercise Playbook
1. Ransomware during quarter close — encryptor hits during peak billing cycle
2. CEO BEC — $340K wire fraud — spoofed email, urgent tone, fake attorney
3. Insider data exfiltration — departing employee copies customer database
4. Vendor / MSP compromise — RMM tool used as pivot point
5. Vishing MFA reset attack — attacker calls helpdesk impersonating an employee
6. Leak-site data breach — ransomware group publishes stolen data
Scoring rubric 1–5 — Detect, Contain, Communicate, Recover, Learn
After-action template — makes sure something actually changes
Regulator notification cheat-sheet — SEC, HIPAA, GDPR, NYDFS, FFIEC timelines
2.5×: organizations that run tabletop exercises reduce breach costs by 2.5× (IBM, 2026)
$4.88M: average cost of a data breach — tested IR capabilities reduce this
30 min: to run your first scenario with this playbook

Why tabletop exercises matter

The difference between a tested IR plan and a PDF nobody has read

Most incident response plans sit in a shared folder. Nobody has read them. When a real incident hits, the team makes it up as they go. The Tabletop Exercise Playbook changes that — by making exercises fast, structured, and actually productive.

30-minute setup, not a week of prep

Every scenario includes a facilitator script, inject cards, and discussion prompts. You don't need to build anything from scratch. Pick a scenario, read the facilitator notes, and start the exercise.

Scoring rubric that keeps discussions on track

Each scenario is scored 1–5 across five dimensions: Detect, Contain, Communicate, Recover, Learn. The rubric prevents the exercise from drifting into vague hypotheticals — every gap gets a score and a documented action.

After-action template that forces real change

The after-action template has three mandatory fields: what went wrong, what changes, and who owns each change. Without this, exercises produce good feelings but no improvements.

Regulator notification cheat-sheet included

SEC (4 business days for material incidents), HIPAA (60 days for breaches affecting 500+), GDPR (72 hours), NYDFS Part 500 (72 hours), FFIEC guidelines — the cheat-sheet gives you the clock and the contact for each regulator.

The scenarios

6 real-world incidents, fully facilitated

Each scenario includes a scenario brief, facilitator inject cards (3–4 injections per scenario), discussion prompts, and a scoring rubric entry. Built around real incidents with enough fictional scaffolding to be run without prior preparation.

1. Ransomware During Quarter Close

Encryptor hits at 5:00 PM on the last Friday of Q4. The billing team is working late. Production systems are offline. The team has to make the containment call — and it's not straightforward.

Ransomware · 45 min · IT + Finance

2. CEO BEC — $340K Wire Fraud

The CFO receives an urgent email from the CEO — wire transfer needed tonight for an acquisition. The email looks right, the timing is believable. Finance is about to execute. One person is suspicious.

BEC / Wire Fraud · 30 min · Finance + Legal

3. Insider Data Exfiltration

HR flags that a senior engineer gave two weeks' notice. IT monitoring shows elevated database downloads in the past 72 hours. The data could be customer records. What do you do now?

Insider Threat · 30 min · HR + IT + Legal

4. Vendor / MSP Compromise

Your MSP's RMM tool was breached. The attacker used it to access your network and exfiltrated 90 days of email. You get the call at 8 AM. The MSP doesn't know yet.

Supply Chain · 45 min · IT + Legal + Leadership

5. Vishing MFA Reset Attack

An attacker calls your helpdesk, impersonating an engineer who lost his phone. They know enough to pass the verification questions. Before you know it, a new device is enrolled and MFA is bypassed.

Social Engineering · 30 min · IT + Helpdesk + HR

6. Leak-Site Data Breach

A ransomware group publishes a sample of your customer data on their leak site. The press is starting to ask questions. Social media is picking it up. You have 48 hours before regulators start calling.

Data Breach + Extortion · 45 min · Legal + Comms + Leadership

Free download

Get the Tabletop Exercise Playbook

Enter your work email and we'll send the 12-page PDF instantly — 6 scenarios, scoring rubric, after-action template, and regulator notification cheat-sheet.

No spam. Unsubscribe anytime.

Want a SecurEveryone facilitator to run the exercise?

We run tabletop exercises for IT teams, executive leadership, and cross-functional IR teams — with a written summary for your cyber insurer or auditor afterward.

Book a Session →