Security Incident Tabletop Exercise
Practice the security incident response before a real incident forces it: the scenarios to rehearse, the people who must take part, and the output the exercise has to produce.
Scenarios
Security incidents are rare, high-stakes, and uniquely confusing because they cross technical, legal, and communications boundaries simultaneously. The tabletop exercise is the only practical way to rehearse the response without an actual breach. The team walks through a hypothetical scenario, role-plays the response, and finds the gaps that would otherwise only surface during a real event.
The scenarios that produce the most learning:
- Ransomware on a production system: The most common high-impact scenario in 2026. An attacker has encrypted production databases and demands payment. The exercise covers how to detect, contain, decide on payment, restore from backups, communicate with customers, and engage law enforcement. Each of these is a distinct workstream with its own owners.
- Data breach with customer data exposure: A misconfigured S3 bucket, a stolen API key, a SQL injection that exfiltrated user records. The exercise covers the legal notification timeline (which varies by jurisdiction and data type), the customer communications strategy, the regulatory disclosures, and the technical containment.
- Insider threat: An employee or contractor with privileged access misuses it. The exercise covers detection (what audit signals would catch this?), containment (how do you remove access without alerting the actor?), legal coordination (what evidence handling do HR and legal require?), and aftermath (what changes to access control prevent recurrence?).
- Supply-chain compromise: A third-party library, vendor, or build tool was compromised, and the malicious code shipped to production. The exercise covers how you discovered it, how you assess the blast radius, how you communicate with customers who may be affected downstream, and how you change your dependency-management practices.
- Tested annually, minimum: Each scenario gets a half-day exercise once a year. Larger organizations rotate through scenarios so different incidents get rehearsed in different quarters. The cadence prevents the runbook from going stale and keeps the team's skills warm.
The point of the scenario is not to predict the actual incident; it is to rehearse the response patterns that any real incident will require. Whichever specific incident eventually happens, the team has practiced the muscles.
Participants
Security incidents are cross-functional by nature. The exercise must include all the functions that would be involved in a real one. Skipping any of them produces a rehearsal that does not match the real-incident shape.
- Security team: The detection, containment, and forensics functions. Their role is to identify the scope of the compromise, block ongoing access, and preserve evidence for later investigation.
- Engineering: The remediation function. Their role is to deploy the fixes, restore from backups, rotate compromised credentials, and bring the system back to a known-good state. The exercise tests their ability to do this under pressure with security oversight.
- Legal: The compliance and regulatory function. Their role is to determine notification requirements, manage external counsel, coordinate with law enforcement if appropriate, and protect the company's legal position throughout the incident.
- Communications: The customer and external-communications function. Their role is to draft customer notifications, prepare PR responses, manage social media reaction, and coordinate with the legal team on what can and cannot be said publicly.
- Executive leadership: The decision-making function. Some choices (whether to pay ransom, whether to disclose to customers before regulators require it, whether to engage law enforcement) require executive sign-off. Their participation in the exercise is what tests whether the escalation paths actually work.
- Cross-functional by design: The exercise is the only time these groups practice working together at incident pace. Each of them does its own work the rest of the year; the tabletop is when they rehearse the coordination.
The participation list is the single biggest driver of the exercise's value. A tabletop with only the security team is a security drill; a tabletop with all of these functions is an incident response rehearsal.
Output
The exercise is not the deliverable. The deliverable is the action items the exercise produced. A tabletop that ends with everyone saying "that was useful" but no concrete follow-up has wasted everyone's time.
- Gaps identified: Each scenario surfaces specific gaps: a runbook step that does not work, a decision that nobody had authority to make, a communication channel that was not staffed, a third-party contact whose number is wrong. The exercise scribe captures every gap as it surfaces.
- Action items with owners and deadlines: Each gap becomes an action item assigned to a specific person with a specific deadline. "Update the customer notification template by Q2 end. Owner: Comms lead." Generic action items go nowhere; specific ones close.
- Updated runbook: The runbook is revised based on what the exercise revealed. Steps that did not work get rewritten. Decisions that surfaced during the exercise get added to the decision tree. The runbook is a living document, kept current by these exercises.
- Drives security investment: The gaps the exercise surfaces feed directly into the security team's roadmap. Detection blind spots get instrumentation. Communication gaps get tooling. Coordination friction gets process changes. The exercise is the highest-quality input the security team has into where to invest.
- Tracked across exercises: Action items from the previous exercise are reviewed at the next one. Gaps that were supposed to be closed but were not get re-flagged. Patterns across exercises (the same kind of gap surfaces every quarter) point to deeper structural issues.
Tabletop exercises are the cheapest insurance against the worst class of incident. They cost a half-day per quarter and they catch the gaps that would otherwise surface only during a real breach. Nova AI Ops integrates with the security team's incident management system, surfaces the action items from each tabletop into a tracked backlog, and connects the gaps to actual operational telemetry so the next exercise builds on the last one instead of starting from scratch.