Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.

Today we are diving into the topic of tabletop exercises. We will define for you what they are, why they are performed, when they should be performed, and who should be performing them. Ok, let’s jump in!


What is a tabletop exercise? While there are many different types of tabletop exercises, this discussion is limited to exercises surrounding the topic of cybersecurity. So, having said that, a cybersecurity tabletop exercise is typically an activity that helps prepare the organization for a security incident.

It is a training mechanism that enhances security breach and incident preparedness by conducting security incident simulations using scenarios tailored towards the particular organization that needs to be trained. These exercises highlight any gaps in an organizational incident response plan; these gaps or flaws can then be addressed, which can enhance the target organization’s security posture and readiness.

Various questions are answered during a tabletop exercise that help this type of readiness enhancement. For example, a few of those questions might be:

“When a breach occurs, what happens?”

“Who is responsible for what, when, how, or why?”

“What roles do the various departments play within the organization during an incident?”

“During the response, who is the main point of contact and what level of authority does that point of contact have?”

“What other resources are available or not available?”

“Do you have compliance requirements your organization must adhere to?”

“What communications need to go out, i.e., who needs to be notified in case of a security incident?”

These are just a sampling of the questions that will be answered during the exercise.


Ok, so, great, we know what a tabletop exercise is and why they should be conducted, but when should an organization conduct them? When depends on the type of organization and the readiness of the organization or the level of preparedness.

If an organization has never experienced an incident and/or has never conducted a tabletop exercise, the more often the better. Some organizations conduct these exercises monthly, some quarterly, some annually. The target organization needs to determine their cadence, but this is an area to definitely err on the side of caution and of being more prepared, i.e., conducting them more frequently versus less frequently.


Some organizations lack the expertise to conduct a tabletop exercise, as not all organizations out there are security-based or security-focused. Organizations like these can, however, reach out to external managed security services providers (MSSPs) that perform these types of activities. Externally conducted exercises can help all types of organizations since the external set of “eyes” can see process or procedure flaws that the internal sets might not.

Small to medium-sized businesses can find immediate value through performing tabletop exercises. Even organizations that are enterprise level/global will see the immediate return on investment from them. Why? Remember the old saying regarding cybersecurity? The more complex your solution, the less secure you actually are? Well, global organizations are vastly complex, and tabletop exercises help these organizations identify areas that require the most attention to defend against cyber threats.

Tabletop exercises can be performed at any time, but they are often paired with some type of assessment of the target organization. A vulnerability or penetration assessment, or a general cybersecurity posture-type of assessment can benefit greatly from holding one of these at the same time. These could potentially help the target organization with their overall cybersecurity threat detection capabilities.


Ok, awesome! We now know what tabletop exercises are, who should be performing them, and when they should be conducted. What types of exercise examples are there? Here are a few scenarios that a team might present to conduct a TTX (the acronym for tabletop exercise):

“One of your employees received an email that appeared to be legitimate from their financial institution requesting account and login information in order to update their system. The employee clicked the link and a large red window appeared with a malicious message indicating organizational data would be broadcasted across the web if a ransom wasn’t paid by a specific date.”

“One of the network administrators in the organization recently found what appeared to be an old USB thumb drive on the bench just outside the facility entrance. They plugged it into their system while being logged in with administrative permissions, and now it appears that users are having issues accessing network shares and data.”

“Your organization has recently migrated to the cloud and all of the legal department’s sensitive documents have been converted to electronic format and stored in the cloud. You see a headline that your cloud service provider has experienced a breach and that several of their customers have been affected.”

“Someone showed up at the organization’s facility this morning posing as the local electrician, but the regular electrician that normally shows up was just here last week. This person requested access to a number of rooms within the facility that the normal person never really needed to access.”

These examples are real-world examples of incidents that have occurred in various locations worldwide, which is why they are used to help better prepare businesses to combat these incidents. When conducting tabletop exercises, think of scenarios that could possibly happen to your organization. Make them as real as possible so your organizational security posture can benefit as much as possible from the exercise. These are not site evaluations; they are not regulatory checks that could adversely impact your business. Be as honest and up-front as you are able; the outcomes will maximize your security readiness.

We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!