Tabletop Exercise Templates
An IRP that has never been practiced fails under pressure. Tabletop exercises rehearse the response without touching production systems. Run one per quarter for each severity tier.
30-minute tabletop structure:
1. Scenario briefing (5 min)
. Facilitator reads the scenario. No solutions yet.
2. Initial response round (10 min)
. Each role states what they would do in the first 15 minutes
. Who declares the incident? Who is notified?
3. Escalation decision (5 min)
. Does this escalate to P1? Who makes that call?
. Is legal/compliance notification required?
4. Containment discussion (5 min)
. What gets isolated? Can the business continue during containment?
. Who authorizes taking down a production system?
5. Debrief (5 min)
. What gaps did the scenario reveal?
. What needs to be added to the IRP?
Example scenarios to practice:
| Scenario | Key Questions |
|---|---|
| Attacker has valid admin credentials | How do you invalidate all sessions without locking out everyone? |
| Ransomware on 3 of 10 servers | Isolate vs. restore from backup vs. pay? What is the decision authority? |
| Developer accidentally commits AWS root keys to public GitHub | How fast can you rotate? Who owns that? |
| DDoS taking down public API | Do you rate-limit aggressively or scale horizontally? At what cost threshold? |
| Insider threat. employee exfiltrating customer data | How do you preserve evidence without tipping off the subject? |
After each tabletop, update the IRP with any gaps discovered. The exercise is only useful if it changes the plan.
Related Articles
- How To Set Up Incident Response Plan For Data Breach
- Secure Communication Plan Template for Organizations
- Cloud Storage Security Breach History: Compromised
- Best Hardware Security Key Comparison: A Developer’s Guide
- Air Gapped Computer Setup For Maximum Security Practical
- AI Coding Assistant Session Data Lifecycle Built by theluckystrike. More at zovo.one