The cybersecurity tabletop exercise that produces decisions, not a filed PDF
How to run a cybersecurity tabletop exercise that surfaces real gaps and ends with named owners and dates, instead of a 3-hour meeting that produces a PDF for the auditor and nothing else.
· Jake Schaaf, Founder of Atticus Rowan
A firm we spoke with had run a tabletop the prior year. The description sounded thorough. A vendor came in with a slide deck, a facilitator read a scenario off the screen, the room worked through it for the better part of 3 hours, everyone nodded and a polished PDF landed in the compliance folder a few weeks later. It checked the box the cyber insurance application asked about. Then nobody looked at it again.
We asked one question. During the exercise, who did you decide would declare the incident and authorize the first spend. Nobody in the room could answer. The tabletop had run for 3 hours and produced no decision anyone remembered. It produced a document, not readiness.
That is the failure pattern for most tabletops. This post is about the other version, the 90-minute exercise that ends with a short list of named owners and dates and actually changes how the organization would respond. If you want a ready-made scenario and inject set to run, our first ransomware tabletop script gives you the literal script. This post is the companion, how to run any tabletop so it produces decisions instead of a filed PDF.
Why the 3-hour version fails
The theatrical tabletop fails for reasons that are easy to name once you see them.
- It is a presentation, not an exercise. A facilitator reading a scenario while the room listens is a lecture. Nobody is forced to decide anything, so nobody surfaces what they do not know.
- The wrong people are in the room. A tabletop staffed entirely with IT cannot answer whether the firm pays a ransom, who calls the insurer or who talks to customers. Those are business decisions. If no decision-maker is present, the exercise cannot reach the decisions that matter.
- It rewards nodding. When the scenario is generic and no one is pressed for a specific answer, the group agrees with the facilitator and moves on. Agreement feels like progress. It is not.
- It ends without artifacts. No named owners, no dates, no one-page summary that lands the same week. The value evaporates. Six months later the same gaps are still there.
The tell is simple. Ask anyone who attended what they personally committed to do afterward. If they cannot answer, the tabletop was theater.
The value is the gaps, not the exercise
Here is the reframe that changes everything. The tabletop itself is worthless. The gaps it surfaces are the entire point.
A good tabletop is a controlled way to discover the questions your plan cannot answer before a real incident forces you to answer them at 6 AM under pressure. Every we do not know is a finding. Every decision the group makes slowly, or argues about, or defers to someone who is not in the room, is a gap in the plan.
This changes how you run the exercise. You are not there to demonstrate that the plan works. You are there to find where it breaks. A tabletop where everything goes smoothly and every question has a clean answer is either a firm with an unusually mature program, or a tabletop that was not pushed hard enough. In our experience the second is far more common.
The most useful moment in any tabletop is silence. The facilitator asks who has authority to declare a Severity 1 incident, and the room goes quiet. That silence is worth more than the entire slide deck.
The decisions a real tabletop forces
A tabletop that works pushes the room to make specific calls, not to recite policy. The decisions that consistently surface the most are the ones that cross the line between IT and the business.
- Who declares the incident. Someone has to say this is now a Severity 1 event, and that declaration triggers the rest of the response. Most firms discover during the tabletop that no one is formally named. Their IR plan, if they have one, has no incident commander.
- Who calls the insurer. Cyber policies carry notification requirements and often mandate the carrier’s own incident response panel. Calling the wrong firm first can void coverage. The tabletop surfaces whether anyone has read the claim instructions.
- Do we pay. The ransom decision is rarely pre-thought. Who has authority, what OFAC sanctions exposure exists, what the insurer’s role is. The room usually argues, which is exactly the point. Arguing about it in a tabletop is far cheaper than arguing about it live.
- Who talks to customers. And to employees, and to a reporter if one calls. Without a named communications owner and a holding statement, the vacuum fills with rumor.
Each of these is a decision, not a document. The tabletop that works ends each inject by writing down who decided and what they decided, or by writing down that no one could.
Named owners and dates, or it did not happen
The output of a working tabletop is short and specific. Not a 40-page report. A one-page after-action with three sections.
- What the plan handled well. A few items. This is honest, not filler.
- What the plan did not handle. The gaps, stated plainly.
- Follow-up actions. 5 to 10 items, each with one named owner and one target date.
A gap with no owner is a gap that reappears at the next tabletop unchanged. A follow-up list of 30 items is a wish list nobody completes. The discipline is to convert the most important gaps into a handful of actions someone actually owns, then track them to done. Distribute the one-page summary within 5 business days while the exercise is still fresh. A report that lands 3 weeks later lands on a desk nobody is looking at.
90 minutes, not 3 hours
The good tabletop is shorter than the bad one. Ninety minutes is enough to run one scenario, work through 2 to 3 injects, force the key decisions and hold a structured after-action. Longer than that and energy drains, executives start checking their phones and the exercise turns back into a spectator event.
The trade is deliberate. You cover less ground and go deeper. One scenario worked hard beats three scenarios skimmed. The narrower the scenario, the sharper the decisions it forces, and the sharper the decisions, the clearer the gaps.
Where Atticus Rowan fits
Atticus Rowan runs incident response tabletops for managed-services clients as a standard part of the engagement, not as an annual box to check. Facilitating from the MSP side works because we know the client environment well enough to build a realistic scenario, and we have enough outside perspective to push back when the room reaches for an optimistic answer that would not survive a real incident.
We also work with firms that have no in-house security team at all, where the tabletop doubles as the first honest look at what would actually happen during an incident. Our post on incident response with no in-house team covers that model. Our solutions page outlines the broader engagement.
If your last tabletop produced a PDF nobody remembers, or you have never run one, schedule a discovery call. We can scope a 90-minute exercise calibrated to your environment and the specific decisions that would stress-test your current plan.
Related insights
More on Incident response →April 20, 2026
Post-incident review, what to document, what to change
A practical format for the post-incident review that produces operational improvements instead of blame, scar-tissue over-correction or a forgotten document nobody reads again.
April 20, 2026
Incident response when you don't have an in-house team
How small and mid-market firms actually respond to cybersecurity incidents without a dedicated security team, from MDR coverage to IR-firm retainers to executive decision-making during the first 4 hours.
April 20, 2026
Your first ransomware tabletop, a sample script
A working sample script for a mid-market firm's first ransomware tabletop exercise, including agenda, scenario, injects, decision points and the artifacts it should produce.