
Tabletop Exercises


What Is a Tabletop Exercise?

Mike Tyson famously said, “Everybody has a plan until they get punched in the mouth.” Keep this quote in mind throughout this page. The truth is most organizations are not prepared for a ransomware attack. This statement seems counterintuitive; after all, there’s a lot of information available about ransomware attacks. It seems like every week there appear dozens of articles and countless webinars focused on helping organizations defend themselves against ransomware. How can anyone be unprepared at this point? Unfortunately, most victims still are unprepared, as demonstrated by the fact that ransomware attacks are not only not slowing down, but increasing year after year.

One of the big areas of disconnect is between the knowledge about ransomware among security teams and what the rest of the company knows. One way to close that gap in knowledge is by engaging in tabletop exercises. In addition to helping to isolate weaknesses in security, ransomware tabletop exercises serve as a platform for security teams to educate the rest of the organization.

Raising awareness is only one goal of a ransomware tabletop exercise. In addition, organizations should plan to:
• Test the assumptions and effectiveness of incident response (IR) and disaster recovery (DR) plans
• Test the organization’s interaction with the cybersecurity DR plan
• Test the cybersecurity team’s escalation and response procedures
• Identify gaps in cybersecurity processes

Of course, to realize these goals, the right people need to be invited to participate in the exercise.

Getting the Right People Involved

One of the hardest parts of conducting a tabletop exercise is getting the right people involved. Everyone is busy and, like it or not, ransomware defense (and cybersecurity in general) is not top of mind for most people. This can make it difficult to get the necessary people involved in a tabletop exercise. But when a ransomware attack happens, you’ll need “all hands on deck.” Thus, getting the right people to attend a tabletop exercise is critical so that when an actual attack happens, all the respondents will have at least a passing familiarity with their roles and responsibilities.
Start Small
Most organizations want to conduct regular tabletop exercises, but if they’re seen as a waste of time by those outside of security and IT, it will be harder to get different departments to attend future sessions. If an organization has never conducted a tabletop exercise, it’s recommended that the initial planning and goal setting be conducted by a core group and that this group attempt a trial run.
Typically, a trial run consists of a meeting where representatives from various IT and security teams outline an attack scenario and walk through how the response is expected to proceed. This preliminary run-through allows the core teams to test some basic assumptions about who has what role in a ransomware response. The run-through contributes to a smooth experience during the actual exercise. This doesn’t mean that no mistakes will be found during the larger tabletop exercise—in fact, uncovering problems is a sign of a successful ransomware tabletop exercise. But a limited run-through allows the core teams to iron out the basic assumptions.
Who Are the Core Team Members for a Ransomware Tabletop Exercise?
It depends on the size of the organization and how labor is divided up between teams. Usually, the core team consists of some combination of teams responsible for:
• Incident Response/Cybersecurity
• IT
• Backups
This relatively small collection of expert staff will be responsible for planning the exercise, developing the scenario, and setting the goals for the exercise. The planning phase of the tabletop exercise can take as long as a month to put together. Someone from this team should be the facilitator of the exercise: the person who leads everyone through the scenario and drops little “surprises” along the way. Someone else from this group should be designated to be note-taker. Most likely, each attendee will take their own notes, and should be encouraged to, but there needs to be a single repository for reliable information as well.
Keep the Length of the Exercise in Mind
Most of the people involved in the exercise have busy schedules and will have trouble devoting an entire day to an exercise like this (though they’re more likely to attend if they know senior leadership is in attendance). For most organizations, half a day will be enough to run through a realistic attack scenario step by step, confirm dependencies, and find flaws in the plan. Larger organizations may need a full day.

Even spending half a day in one of these exercises may be difficult for some people, but it’s important to emphasize that if a real ransomware attack happens, they’ll be spending days, if not weeks, focusing on nothing but that. So, devoting half to a full day to this exercise seems like a worthwhile trade-off.


The actual exercise should involve people from all the necessary departments and at least one person from the organization’s leadership team. Leadership support and participation are important because they show that the tabletop exercise is serious and has the attention of the entire organization.
A Smaller Trial Run Is Particularly Important
Because you’re asking top leadership to participate in the main exercise, the smaller trial run is particularly important to let the core team work out any kinks before conducting the exercise with the broader team. That doesn’t mean that flaws in your responses should be hidden from leadership. The exercise should run as smoothly as possible, even while revealing weaknesses in the organization’s current procedures.
At a minimum, attendees to the tabletop exercise should include representatives from:
Each of these departments may have a critical role to play in responding to a ransomware incident. From actually dealing with the cleanup, to communication with employees, partners, press, attackers, and customers, everyone needs to know what to expect.

Having the legal team present (or outside legal counsel if there’s no in-house legal team) during the tabletop exercise is helpful, because there’s a good chance that your legal team will be leading your IR. At the very least, your IR team will be running everything through your legal team. If your organization is hit by a ransomware attack, there’s a very good chance it will become public, and if it becomes public, lawsuits will follow. Assume that IR, reporting, and communications will all flow through the legal team in a ransomware attack and conduct tabletop exercises accordingly.

Have an Incident Response Retainer? You Might Have a Tabletop Exercise

With ransomware attacks as pervasive as they are right now, most IR companies don’t have any time to spare for non-clients. To ensure they can get help if needed, many organizations put down a retainer with an IR company. The organization fills out the necessary paperwork and gives a down payment against a future incident.

What happens if you go through the year and wind up not needing outside IR? Usually, the retainer goes away and the organization starts again the next year. But many IR companies allow their clients to apply the retainer to a tabletop exercise.

This is especially useful for smaller organizations that don’t have experience running their own tabletop exercises. Bringing experts in to conduct the tabletop exercise allows the team to learn from the IR company and helps to ensure that money isn’t wasted.

Running Tabletop Exercises on a Regular Basis

During a ransomware tabletop exercise, responses should be based on what’s documented in an organization’s IR and DR plans. As discussed on the “Creating Disaster Recovery and Incident Response Plans” page, IR and DR plans should be dynamic, evolving as the organization and the threats change.
As IR and DR plans change, they need to be tested to ensure that the assumptions in those plans work out as expected. A tabletop exercise is a great way to carry out the tests. Not every change to IR and DR plans requires a full-fledged tabletop exercise, but every change should be tested to ensure it doesn’t break any dependencies.
When an organization makes big changes to IR and DR plans or as ransomware attacks continue to evolve, new tabletop exercises should be conducted. This allows everyone in the organization to be familiar with the changing plans and the evolution of ransomware attacks.
Not every organization can conduct tabletop exercises when changes are made to IR and DR plans; some organizations have to schedule regular tabletop exercises instead. How often should an organization run ransomware tabletop exercises? Ideally, it should be done annually, but that may not be realistic. Getting the necessary personnel, possibly from around the country or the world, for a half day or longer is hard enough. To add to the time requirements, there may be other tabletop scenarios independent of ransomware that also need to be run, so an annual tabletop exercise devoted exclusively to ransomware may be difficult. If annual tabletop exercises aren’t realistic, they should occur no more than 18 months apart. Ransomware tactics change drastically over an 18-month period; IT and security teams have to rely on intelligence to keep up to date with those changes. Delaying the exercise any longer than that will likely mean that the IR and DR plans that most of the participants are familiar with are severely outdated.

Creating Plausible Scenarios

A successful tabletop exercise both educates staff and achieves the other goals laid out at the start of the exercise. The key to having a successful ransomware tabletop exercise is to create a ransomware scenario that’s realistic—that mimics actual ransomware attacks happening today—and seriously tests the ability of the security team to respond to such an attack.
Data to mimic a ransomware attack is freely available from many places. For example, The DFIR Report provides step-by-step information about how a ransomware actor got into their honeypot, moved laterally through the network, exfiltrated potentially sensitive data, and installed the ransomware. Taking a scenario laid out by a site like that can help the facilitator walk through a ransomware attack and see how the different teams respond to the attack.

Dungeon Master

If you’ve ever played Dungeons & Dragons, you’re familiar with the concept of the Dungeon Master. The Dungeon Master is responsible for game play as the players move through the world created by the Dungeon Master. Being a facilitator in a ransomware tabletop exercise is a lot like being a Dungeon Master. Following these five rules will make you a good facilitator or Dungeon Master.
Step 1 – The exercise is about the participants, not you. Make the exercise enjoyable for the participants while accomplishing the goals laid out by the core team.

Step 2 – Be adaptable. You might not get the response you’re expecting to some of the scenarios. When that happens, work through why the participant responded that way and be prepared to adapt.

Step 3 – Read the room. If everyone is staring at their phones or rapidly losing interest, don’t be afraid to take an unscheduled break and try to get everyone back on track. This is especially true if one or two people are involved in the minutiae of a specific task. Their discussion might be important, but if it goes on too long, have them take it offline. Ask them to come up with a resolution and report back to the larger team in the follow-up report.

Step 4 – Change the “Dice Rolls.” The goal of the tabletop exercise is not to embarrass or “call out” any of the teams; it’s to make the response to a ransomware attack more successful. If, during the course of the exercise, you uncover serious deficits on one of the teams, don’t dwell on the problem, but note it down and work with the team to improve their processes. In this way you make everyone more secure overall without humiliating any team.
Step 5 – Steal. Just like everyone else participating in the exercise, you are very busy. You might have been given time to facilitate this exercise, but facilitation takes a lot of work, so don’t be afraid to steal ideas from others who have conducted these same exercises. Doing so saves time and you can adapt the scenarios specifically for your organization. Use your time wisely.



An organization that isn't prepared to run its own ransomware tabletop exercise can often outsource the capability to a third party. Companies such as KnowBe4 offer services that can help facilitate a tabletop exercise, while other companies such as TrustPeers and GroupSense offer fully outsourced ransomware tabletop exercises.


If an organization doesn't want to fully outsource this task, there are often sector-specific ransomware tabletop exercise templates available, usually at no cost. Organizations that are members of their sector’s Information Sharing and Analysis Center (ISAC) should reach out to see what resources are available. There are ISACs for State, Local, and Tribal Governments (MS-ISAC), the Financial Sector (FS-ISAC), Healthcare (H-ISAC), Retail and Hospitality (RS-ISAC), Water (WaterISAC), Automotive (Auto-ISAC), and many others. In addition, there are plenty of freely available general templates for conducting exercises. There are a lot of resources to help organizations launch and continue to run ransomware tabletop exercises—don’t hesitate to take advantage of them.


Really Test Assumptions

As stated earlier, one of the goals of a ransomware tabletop exercise is to not “call out” other teams for failures, but to understand where the gaps are in your cybersecurity and incident response plans. Your ransomware tabletop exercise should test the assumptions made by the different teams to make sure your IR and DR processes actually work in the ways they’re assumed to work.
Sample flowchart of the start of a typical ransomware attack
An example of testing assumptions is shown in the flowchart above. This chart represents just the initial access phase of a ransomware attack, where an attacker gains access to the organization through a credential reuse attack.
Start with understanding how a credential reuse attack would be detected (assuming it would be recognized at all) and follow up by asking what actions would be taken. Is this type of attack considered a high priority or a low priority, and what are the response time differences between high-priority attacks and low-priority attacks?
The idea is to thoroughly understand your detection capabilities and how the Security Operations Center (SOC) views these types of events. Are they going to be largely ignored until it’s too late, or will the SOC be able to detect the activity during the ransomware attacker’s reconnaissance phase? If these events are considered low priority, why is that? Are IR teams inundated with these types of alerts to the point that responding to them all would take up more time than they’re worth? How can detection be improved so that potentially riskier alerts, even if they look like typical low-priority alerts, get more attention? This risk classification works not only with cybersecurity events, but with all processes in the IR plan.
The process for notifying employees of a ransomware attack
The process starts out simply enough with a decision to alert employees, as shown in the above flowchart. The process is owned by human resources, with input from the legal team, and email as the delivery method. But what happens when email is down because the Exchange Server itself is encrypted (an increasingly common tactic)? Is there a backup communications plan? There might not be a backup plan: The IR plan may have been put together before encrypting mail servers became a common tactic. But it’s important to identify that hole and determine how or if to fix it. The team may decide that notifying employees is a low priority and that notification can wait until the mail server is restored from backup.
It’s important to use these decision points to determine, as a group, what needs to be done.
Is each step an acceptable risk that doesn’t require any adjustment, or do adjustments need to be made to internal processes or the IR and DR plans?
The note taker should be documenting all of these decisions, as well as who owns them, so that each team can follow up on the areas for which they’re responsible.

Note to Reader: Pay Attention

One of the biggest mistakes that organizations make the first time they organize a ransomware tabletop exercise is to skimp on the food. Don’t just supply pizza: Have nice food catered for the morning and afternoon. This may sound silly, but good food will help keep people relaxed, help them realize this is a serious exercise, and, most importantly, encourage them to participate in future exercises.

Following Up and Making Improvements

Honestly, the ransomware tabletop exercise is the most enjoyable part of preparing for a ransomware attack. If it’s set up correctly, the exercise is carried out in a comfortable, relaxed atmosphere with good food, and everyone feels empowered by getting to understand what’s working well and what needs improvement in the organization’s ransomware prevention, detection, and IR and DR plans.
The tabletop exercise is just the beginning.
If you adhere to the guidelines laid out here, there will be a good deal of follow-up work to do across a number of teams. Some of these tasks will be simple process changes, whereas other tasks will require time, personnel, and budget.
Remember, the purpose is to help prevent or mitigate the effects of a successful ransomware attack.
The tasks agreed to during the exercise help meet that goal, so follow-up is important to ensure they’re completed in a timely manner (when possible). If they can’t be completed in a timely manner (especially the high-priority tasks), other compensating controls may need to be put into place.
Designate someone to collate and assign tasks, then agree on a timeline for completion.
In addition, each of the tasks should be ranked according to priority. Because these tasks will fall across many different departments, it’s probably not a good idea to rank them using a numbering system (i.e., from 1 to n). Instead, consider ranking them High, Medium, or Low. That allows the team to assign items a similar priority across multiple departments. Then set a deadline for the different levels: for instance, high-priority items have to be completed within six months, medium-priority within nine months, and low-priority within the next year (these timelines are simply examples; each organization has to assess their own risk).
In the end, a successful ransomware tabletop exercise will help educate everyone involved about what’s involved in a ransomware attack and in the ransomware recovery process. The exercise will also help everyone understand more about the organization’s processes and how they can be improved.
