Adversarial Exposure Validation
Breach & Attack Simulation

How to run a successful cybersecurity tabletop exercise?

Oct 22, 2025 6 min read

Chun-Han Lee

Digital Marketing Manager

Neena Sharma

Head of Product and Customer Marketing

TL;DR

  • A tabletop exercise is a guided, scenario-based simulation that allows an organization to discuss, evaluate, and improve its cyber incident response and recovery readiness.
  • Its especially beneficial for non-technical staff and senior stakeholders as it clarifies their role and expected response in a cyberseucirty crisis.
  • Keeping tabletop exercises straightforward and running them regularly are the keys to success.
  • Always remember to implement follow-up plans to close the security gaps identified during the exercise.

What Is a Tabletop Exercise?

A tabletop exercise is a guided, scenario-based simulation that allows an organization to discuss, evaluate, and improve its cyber incident response and recovery readiness. It helps teams identify gaps in their plans and strengthen overall resilience against evolving threats.

You can see tabletop exercises as fire drills, it happens regularly each quarter or each month in some cases. It’s necessary and helps build muscle memories by making people aware of their role and responsibilities when a cyberattack hits the business. Various regulations like HIPAA, NIST, NIS2, DORA and PCI DSS demand tabletop exercises to test incident response plans.

It is often discussion-based with minimum technical involvement, done in a low-pressure environment and focused on team collaboration. Many tabletop exercises today rely on manual work or excel sheets. And all these lead to a major drawback of traditional tabletop exercises: hard to scale due to high cost of time and resources. But, there are now tool available like OpenAEV that are helping organizations to standardize, automate and scale tabletop exercises.

How Do Tabletop Exercises Work?

In a standard tabletop exercise, there are three things the most important: plan, engage and learn.

Planning phase

  • Identify the objective, the participants and their role
  • Design the scenario or exercise plan. It could incorporate various cyber threat vectors including ransomware, insider threats, phishing or be specific to a sector. Each organization has its own unique current state of exposure and this planning stage is crucial to ensure that the most exploitable attack paths or processes are validated.

Engaging phase

  • Simulate the planned scenario and have all participants actively engaging in the discussion and contributing solutions. Interactivity is the key, just like how everyone should be involved during a real attack.
  • Take decisions. The IT team controls the damage, legal team preserve evidence and assess regulatory consequences, PR team prepare public statement, marketing team prepares customer communications and so on.
  • Capture issues and document timelines as the scenario goes.

Learning phase

  • Debrief and feedback. Review the results of the exercise with metrics. With OpenAEV, we help organizations assess their readiness from three aspects: prevention, detection and vulnerability on a 100% scale. Tangible metrics allow teams to better answer the question: what did we do well and where can we improve?
  • Recommendations and follow-up plans. Base on the drill result, form a near-term follow up plan to make sure different teams are aware of their security gaps and take actual actions before the next exercise to mitigate the gap.

Our open-source AEV (adversarial exposure management) platform, OpenAEV is designed to include these kind of needs. You can easily set up a tabletop exercise from scratch on OpenAEV (here is our step-to-step guide). If you’re looking for more common scenarios, we also have a scenario library on our XTM Hub where we regularly update new scenarios for our community to implement.

Click here to learn about how one of our customers scaled their tabletop exercises globally and reduced the preparation time by 80%.

Why Are Tabletop Exercises Important?

Standard tabletop exercises bring organizations various benefits.

  • From the business perspective, it is cost-effective, it improves team communication and most importantly, it identifies security gaps before real incidents.
  • In terms of compliance and risk management, it breaks down team silos, meets regulatory requirements, empowers non-technical staff in cybersecurity and brings up security awareness as a whole.

But it doesn’t stop here. Modern tabletop exercises can prepare organizations even better with continuous and targeted drills.

Real incidents don’t announce themselves with a calendar invite. Neither should your readiness tests.” Samuel Hassine, CEO of Filigran

These cyber drills become most valuable to different teams when they are done often with scenarios just like what we face in real-life. Through each simulation, everyone in the team can learn to make decisions under pressure, communicate calmly and identify security gaps to improve overall security postures continuously.

For organizations to benefit from these regular exercises, the key lies in reasonable cost and easiness of deployment. You can explore community edition of our AEV platform on your own and build your program from there.

Best practice: keep it precise and regular

Gartner states that one of the key use cases for adversarial exposure management is improve exposure awareness. And this is exactly what organizations need to achieve with regular, effective tabletop exercises.

Automate your tabletop exercises so you can continuously test your team in various scenarios. Keep these drills in micro-dose size so your team can continuously get their memory renewed with most relevant and up-to-date best practices on current attack scenarios. Identify and respond to today’s problem with the latest process that has been tested and practiced instead of what’s written on the incident response plan last quarter.

It’s also good to keep in mind that perfection is not the goal but communication is in these tabletop exercises. These cyber crisis scenarios help your team to identify areas of improvements, security gaps and prepare them better when facing pressure. In the long run, these will increase exposure validation capabilities as a whole for your organization.

Common pitfalls: don’t forget the human readiness

“Security is as much about people as it is about technology.” Samuel, Hassine, CEO of Filigran

Tabletop exercises should not been seen just as a test. They are learning opportunities for both technical and non-technical teams. Define a clear and simple objective for each practice makes sure all involved teams have an aligned focus. The post-incident feedback ensures the pros and cons of this drill are addressed in detail and follow-up actions are taken to mitigate security gaps.

People is the key. Tabletop exercises are the means to ensure everyone can mobilize calmly when real incident happens. Your organization’s cyber resilience comes with practice.

Conclusion

Train your team with tabletop exercises allows regular validation of your cybersecurity posture while building awareness and good practices across your IT team, PR team, Legal team and executive team.

Start your first exercise today with OpenAEV on our free live demo environment!

Try OpenAEV today

Read more

Explore related topics and insights

Stay up to date with everything at Filigran

Sign up for our newsletter and get bi-monthly updates of Filigran major events: product updates, upcoming events, latest content and more.

It appears your browser has strict tracking prevention enabled, which may be blocking HubSpot forms and other features. To ensure full functionality, please turn off tracking prevention and refresh the page or contact us at