🧪 Tabletop Exercises That Actually Work
By James K. Bishop, vCISO | Founder, Stage Four Security
Most organizations conduct tabletop exercises. Few do them well. When poorly designed, they feel like scripted compliance drills—detached from reality and offering little value. But when done right, tabletop exercises become one of the most powerful tools to test continuity plans, align decision-makers, and identify blind spots before they’re exploited during a real crisis.
This post will guide you through how to build tabletops that simulate pressure, prioritize realism, and provoke learning.
🎯 What a Tabletop Is—and Is Not
- It’s not a penetration test: No command-line exploits or red team payloads
- It’s not a disaster film: It’s not about chaos—it’s about decision-making under stress
- It’s not just IT’s problem: Legal, PR, HR, and executive teams must be involved
- It is: A scenario-based rehearsal of roles, communication, recovery procedures, and escalation decisions
🧩 Designing the Right Scenario
- Scenario realism: Base the scenario on threats the organization actually faces today—ransomware, supply chain compromise, SaaS outage, cloud credential leak
- Cross-functional relevance: Ensure the scenario affects multiple business units and requires coordinated decisions
- Pressure escalation: Introduce variables mid-scenario (e.g., media leak, regulator call, second system failure)
- Uncertainty: Withhold perfect information—simulate unclear logs, bad intel, or missing communication
The best tabletops replicate the tempo and ambiguity of real incidents.
👥 Who Needs to Be at the Table?
- Incident commander or executive lead – Drives strategy and prioritization
- IT/Cloud operations – Handles system and infrastructure response
- Security (SOC/IR) – Provides threat context and risk analysis
- Legal & compliance – Guides regulatory timelines, breach notification
- HR & communications – Coordinates internal comms, employee impacts
- Third-party stakeholders (optional) – Simulate vendor dependencies or managed service providers
BC/DR plans fail at the seams—get everyone who owns a seam in the room.
📋 Key Artifacts to Prepare
- Scenario deck: Step-by-step reveal of scenario elements with timestamps
- Injects: Timed disruptions, alerts, or news drops to steer the simulation
- Participant roles: Clear expectations of who is playing their real-world role vs. observing
- Rules of engagement: Explain “game rules”—how time, communication, and decisions will be handled
🧠 How to Facilitate for Impact
- Ask probing questions: “How would you communicate this?” “Where is the playbook?” “Who makes the call?”
- Stay neutral: The facilitator is not the adversary—you’re guiding discovery, not trapping teams
- Adapt in real time: If a team goes off-script or finds a creative solution—follow the rabbit trail
The best tabletops feel like a tense but structured conversation—not a performance.
🧾 Debrief Like You Mean It
- Capture observations live: Use a notetaker or recorder to avoid memory bias
- Rate responses: What worked? What stalled? What required executive clarity?
- Follow with action items: Don’t file the report and forget—assign owners and deadlines
- Celebrate participation: Publicly thank contributors and encourage a learning culture
📣 Final Thought
The value of a tabletop isn’t measured in perfect answers—it’s measured in the gaps you find and close before a real incident forces your hand. Real resilience is built when your teams rehearse not what to do when everything works—but what to do when nothing does.
Want help designing a scenario, facilitating a simulation, or building your tabletop library? Let’s talk.
