
Your first ransomware tabletop, a sample script

A working sample script for a mid-market firm's first ransomware tabletop exercise, including agenda, scenario, injects, decision points and the artifacts it should produce.

Atticus Rowan

Most firms’ first ransomware tabletop is either a theatrical 3-hour meeting where nobody learns anything, or a productive 90-minute exercise that produces real operational improvements. The difference is the script.

A well-designed tabletop tests the plan, surfaces gaps, engages the right decision-makers and produces written output that changes how the organization operates afterward. A poorly-designed tabletop runs through a generic scenario, produces a generic discussion and ends without artifacts anyone remembers a week later.

Here is a working sample script for a first ransomware tabletop at a mid-market firm. The script is designed to be used literally. Pick the scenario closest to your environment, run the timing, produce the artifacts.

Before the exercise

Three things have to exist before the tabletop is worth running.

  • A written incident response plan. Even a rough one. The tabletop is testing something; there has to be something to test.
  • A documented scope. Who is participating, what systems are covered, what is out of scope.
  • Confidentiality expectations set. Tabletop content often surfaces real weaknesses. Participants need to know that honest answers are the point.

Participants for a useful first tabletop:

  • CEO or COO (or equivalent executive who would actually make decisions during a real incident)
  • CFO
  • General counsel or outside counsel
  • Head of IT or CIO
  • MSP lead engineer
  • MDR provider lead analyst (optional but useful)
  • Head of Communications or PR lead
  • Operations lead
  • Cyber insurance broker (useful to invite; often declines for scheduling but worth asking)

Target total: 6 to 10 people. More than 10 turns the exercise into a spectator event.

Time: 90 minutes. Longer loses energy; shorter misses depth.

Format: in-person preferred. Video acceptable. Hybrid works if the facilitation is disciplined.

Suggested scenario

A ransomware scenario that tests the most commonly-weak parts of a first-time program:

At 6:47 AM on a Wednesday, the overnight operations supervisor calls the IT on-call line. Multiple production systems are displaying ransom notes. The overnight shift cannot access email, the ERP system or the file shares. The note demands $2.4 million in Bitcoin and shows a 72-hour countdown, after which the stolen data will be “published to the dark web.”

This scenario tests the early-morning decision moment (decisions made in the first hour frame the rest of the response) and includes the data-exfiltration threat that modern ransomware operators use to increase pressure. The exfiltration element matters: even a clean restore from backup does not remove the publication threat, so the group has to reason about it separately from recovery.

Adapt the scenario to the firm’s actual environment. A manufacturer replaces “ERP system” with the specific system that runs production. A services firm replaces “overnight operations supervisor” with the first-alert person in that organization’s structure.

The 90-minute script

0 to 5 minutes, facilitator framing

The facilitator (usually the MSP security lead or an outside advisor) opens:

  • This is a tabletop. Nobody is being graded.
  • The goal is to test the plan and surface gaps, not to execute perfectly.
  • Honest answers produce the most value. “I don’t know” is a valid answer.
  • We will use the existing incident response plan as the reference point. If the plan is silent on a decision, we will note it.
  • At the end we will produce an after-action review that names specific follow-ups.

Keep this short. Framing that runs long eats into the exercise time.

5 to 15 minutes, initial notification and triage

Read the scenario above.

Questions for the group:

  • Who gets the initial call from the overnight supervisor
  • What does that person do in the next 10 minutes
  • Who gets notified in the next 30 minutes, and by what mechanism
  • Who has authority to call a Severity 1 incident
  • Does the incident response plan define what Severity 1 triggers (notification of executive team, MSP, MDR, legal, broker, etc.)

Common gaps surfaced at this stage:

  • Unclear who has authority to declare a Severity 1 incident
  • Out-of-date phone tree or notification list
  • Executive team members with old phone numbers
  • MSP emergency line that routes to business-hours voicemail

15 to 30 minutes, containment and preservation

Inject 1: The IT lead reports that encryption is actively spreading. Three more systems have gone down since the first call 30 minutes ago.

Questions:

  • Who has authority to disconnect systems from the network
  • Are there systems that should not be disconnected under any circumstances (safety-critical, life-safety, regulated)
  • Who is engaging the MDR provider for active-response work
  • Who is engaging the incident response firm (if the plan specifies one)
  • Is forensic evidence being preserved, or is the team focused only on stopping the spread

Common gaps:

  • No decision rights on network-level containment
  • Safety-critical systems not identified, leading to paralysis
  • No incident response firm on retainer, so the team is selecting and contracting one mid-incident
  • Forensic evidence not being preserved, limiting post-incident investigation

30 to 45 minutes, notifications

Inject 2: The general counsel asks what notifications are required and on what timeline.

Questions:

  • What regulatory and legal notifications apply (state attorneys general under breach-notification statutes, sector regulators, HHS if HIPAA applies) and whether federal law enforcement is being notified
  • What customer notification obligations apply (contractual or regulatory)
  • What is the cyber insurance carrier’s required notification timeline
  • What is the broker’s role
  • Who is handling public communications
  • What holding statement exists for employees

Common gaps:

  • Regulatory notification obligations not pre-mapped
  • Cyber insurance policy sitting in a drawer without anyone having read the claim instructions
  • No communications plan, resulting in rumor-driven internal and external messaging

45 to 60 minutes, recovery and operational continuity

Inject 3: The CFO asks when systems will be restored and what operational decisions need to be made in the meantime.

Questions:

  • What is the documented RTO for each critical system
  • What is the actual expected time to recovery, based on the last tested restore (often longer than the RTO, which surfaces here)
  • Are there immutable backups that were not reached by the attacker
  • Is there a tested restore runbook
  • What manual or workaround processes can keep operations running during the recovery window
  • What financial impact is being estimated

Common gaps:

  • RTOs documented but never tested
  • Backups whose integrity is unknown until a restore is actually attempted
  • No manual-mode procedures for operational continuity
  • No clear owner of the financial impact estimate
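A pre-read that makes the recovery inject concrete, as an added example that is not part of the original post: given each critical system's documented RTO and its most recent full restore test, it flags the gaps this section expects to surface (RTOs never tested, stale tests, measured restores that exceed the RTO, and backups with no copy outside the attacker's reach) and produces the evidence-based recovery estimate the CFO is really asking for. The system names, RTOs, test dates and restore times are constructed sample data, and the 180-day staleness threshold is an assumption.

```python
# Added example (not from the original post): pre-read for the recovery inject.
# Compares documented RTOs against the most recent restore test per system and
# returns the gaps for the after-action review. All inventory data is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CriticalSystem:
    name: str
    rto_hours: float                          # recovery time objective as written in the plan
    last_restore_test: Optional[date]         # None = a full restore has never been exercised
    measured_restore_hours: Optional[float]   # wall-clock duration of that test, if any
    immutable_copy: bool                      # offline or object-locked copy the attacker cannot alter


def restore_gaps(systems: List[CriticalSystem], today: date,
                 max_test_age_days: int = 180) -> List[Tuple[str, str]]:
    """Return (system, gap) pairs. max_test_age_days is an assumed policy value."""
    gaps: List[Tuple[str, str]] = []
    for s in systems:
        if s.last_restore_test is None:
            gaps.append((s.name, "RTO documented but never tested"))
        else:
            age = (today - s.last_restore_test).days
            if age > max_test_age_days:
                gaps.append((s.name, f"last restore test is {age} days old"))
            if s.measured_restore_hours is not None and s.measured_restore_hours > s.rto_hours:
                gaps.append((s.name, f"measured restore {s.measured_restore_hours:g}h "
                                     f"exceeds documented RTO {s.rto_hours:g}h"))
        if not s.immutable_copy:
            gaps.append((s.name, "no immutable or offline copy; backups may be "
                                 "inside the attacker's blast radius"))
    return gaps


def expected_recovery_hours(systems: List[CriticalSystem]) -> Dict[str, Optional[float]]:
    """Evidence-based recovery estimate: the measured restore time where a test
    exists, otherwise None. 'Unknown' is the honest answer for an untested RTO."""
    return {s.name: (s.measured_restore_hours if s.last_restore_test else None)
            for s in systems}


# Constructed sample inventory for a mid-market firm (not real data).
SAMPLE_SYSTEMS = [
    CriticalSystem("ERP", rto_hours=8, last_restore_test=date(2023, 3, 14),
                   measured_restore_hours=19, immutable_copy=False),
    CriticalSystem("File shares", rto_hours=24, last_restore_test=date(2025, 1, 20),
                   measured_restore_hours=6, immutable_copy=True),
    CriticalSystem("Payroll", rto_hours=4, last_restore_test=None,
                   measured_restore_hours=None, immutable_copy=True),
]
TODAY = date(2025, 3, 1)  # assumed exercise date


if __name__ == "__main__":
    for name, gap in restore_gaps(SAMPLE_SYSTEMS, TODAY):
        print(f"{name}: {gap}")
    for name, hours in expected_recovery_hours(SAMPLE_SYSTEMS).items():
        estimate = "unknown" if hours is None else f"{hours:g}h"
        print(f"{name}: expected recovery {estimate}")
```

Run it before the exercise and hand the output to the facilitator; the ERP row (stale test, measured restore more than double the RTO, no immutable copy) is the kind of finding that turns the CFO's "when will systems be back" into a specific follow-up with an owner.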

60 to 75 minutes, the ransom decision

Inject 4: The incident response firm reports that decryption without the ransomware operator’s key is unlikely. Backups are available for most systems but some data from the last 48 hours is unrecoverable. The ransomware operator has dropped their demand to $1.4 million.

Questions:

  • Who has authority to decide whether to pay
  • What factors inform the decision (whether the operator is a sanctioned entity, OFAC compliance, whether the decryptor actually works at scale, whether payment would stop publication of the exfiltrated data, which it cannot guarantee, reputational considerations)
  • What role does the cyber insurance carrier play in the decision
  • What role does law enforcement play
  • If the decision is not to pay, what is the plan for the unrecoverable 48 hours of data

This is often the most illuminating part of the tabletop because the ransom decision is rarely thought through in advance, and it surfaces ambiguity at several levels of the organization at once.

75 to 90 minutes, after-action review

The facilitator leads a structured review:

  • Three things the plan handled well
  • Three things the plan did not handle well
  • Five specific follow-up actions with named owners and target dates

This list is the most valuable artifact of the exercise. It should be distributed in writing within 5 business days and tracked to completion.

Common output from a first tabletop

A representative list of follow-up actions from first-time tabletops:

  • Update the phone tree with current contact numbers
  • Document Severity 1 declaration authority
  • Add cyber insurance carrier to the notification tree with the actual claim-filing instructions
  • Engage an incident response firm on retainer before the next incident
  • Document safety-critical systems that require manual approval before network-level containment
  • Test the immutable backup restore capability with a documented full restore
  • Build a holding statement for employees and a media holding statement
  • Pre-brief the executive team on OFAC compliance for ransom decisions
  • Add the MDR provider’s emergency contact to the plan
  • Schedule the second tabletop in 6 months

Not every action will be in every firm’s list. Most firms produce 5 to 10 meaningful follow-ups from a well-run first tabletop.

After the tabletop

Within 5 business days:

  • Distribute the written after-action review to all participants and the executive team
  • Assign each follow-up to a named owner with a target date
  • Schedule a 30-day check-in to review progress

Within 90 days:

  • Complete the tractable follow-ups
  • Update the incident response plan to reflect what was learned
  • Communicate the revised plan to all affected stakeholders

Within 12 months:

  • Run the second tabletop with a different scenario
  • Use the prior after-action review to compare progress

Where we fit

Atticus Rowan runs incident response tabletops for managed-services clients as a standard element of the engagement. The facilitator role works well from the MSP side because the MSP knows the client environment well enough to design realistic scenarios, but has enough outside perspective to push back on optimistic assumptions.

If your firm has not run a ransomware tabletop in the last 12 months, or has run them nominally without surfacing real operational gaps, schedule a discovery call. We can scope a first-tabletop engagement calibrated to your environment and the specific scenarios that would stress-test your current plan.