Nearly three out of every five (57%) significant cyber incidents involve attacks the cybersecurity team had not prepared for, suggesting CISOs need to re-evaluate — and in some cases recommit to — their tabletop strategies.
According to the Cytactic 2025 State of Cyber Incident Response Management (CIRM) Report, which surveyed “480 senior US cybersecurity leaders, including 165 CISOs,” that 57% figure “reveals a major vulnerability. Organizations often train for known threats like ransomware, but these incidents prove that the real chaos comes from the unexpected.”
As a result, security teams may be ill-equipped to handle novel threats if they don’t continuously refresh their tabletops, the report concluded. “The true benefit comes from the ability to make these exercises relevant and realistic,” according to the report. “By building simulations that are tailor-made to the organization, industry, sector, risk, and threat profile, these exercises become more than just a security drill. They transform into a critical tool for alignment across the entire business.”
Analysts and cybersecurity consultants see multiple problems with how enterprises conduct tabletops and other preparation exercises, ranging from exercises that are not realistic enough to ones that test grand but unlikely attack scenarios.
One consultant, who asked that his name not be used, gave an example of a recent tabletop where the enterprise had purchased burner phones for all relevant personnel so that they could communicate securely in case the attacker was monitoring communications.
In the attack exercise, management insisted on participants actually using their burners in the run-through, only to find that many employees took a long time to find the burner phones because they didn’t remember where they were hidden.
In another instance, SOC staffers found the lists of people that need to be contacted during a major breach. But when the CISO insisted the team actually call, message, or email those contacts, they discovered that many of the phone numbers or messaging addresses were disabled.
“It really is impossible to prepare specifically for an attack,” says Will Townsend, a VP and principal analyst at Moor Insights & Strategy. “You can have the best plan, but bouncing emails and not being able to find the backup phones, that’s a problem.”
Focus on roleplaying smaller attacks
Vincent Stoffer, CTO for security vendor Corelight, suggests CISOs focus more on smaller breaches rather than massive attacks.
“Many tabletop exercises specifically focus on the technical elements from the bottom up [and] over-index on dramatic breaches rather than realistic adversary tactics,” Stoffer says, adding that, regardless of the size of the attack, most cybercriminals prefer subtle tactics that are often not anticipated.
“Attackers more often succeed through subtle behaviors like lateral movement or quiet data exfiltration that don’t get simulated enough,” Stoffer says. Attackers are “going to use whatever methods will get them access to the objective, usually the crown jewels, complete compromise of an Active Directory, identity server, PII, etc. They may start very slowly and methodically to avoid detection, or they may use well-worn but generally less alarm raising techniques for initial access like phishing or credential harvesting. Once they have established a foothold in the organization, they can move quickly and quietly using the knowledge they’ve gained in the environment, the observed tools, etc., to avoid triggering alarms.”
What he sees most enterprise cybersecurity teams testing, however, is quite different.
“Contrast this with a simulated exercise that relies more on a hypothesis or specific trigger like an alert that a host has been infected with malware. While it’s still testing the system and process for IR [incident response], it’s going to generally require less critical thinking, exploration, and discovery to play out the scenario,” Stoffer points out. “This leads to further trotting the well-worn path that the SOC team knows and understands, which while still helpful as an exercise, I would argue that more is gained by approaching the exercise using more subtle and realistic attack methods.”
Jeff Pollard, VP and principal analyst at Forrester, stresses that working through the details of contacting people is often overlooked.
“The problem with tabletops is that we try to do too much at once,” Pollard says, suggesting a focus on things such as “the CISO is on a plane and can’t talk right now. Do we have to talk with customers? How many calls does the CEO need to be on? Can we use the COO for some of those? What about partners?”
Pollard also echoes concerns about burner phone problems. “We bought everyone burner phones, but do we know where they are? Are they charged? Do [staffers] know the number of their burner phone? In case of a full system outage, did someone think to store paper?”
Erik Avakian, technical counselor at Info-Tech Research Group, sees a lot of enterprises practicing tabletops for the wrong reasons.
“A lot of these folk are only doing it once a year and sometimes they are just doing it for their compliance and insurance, just as a checkbox,” Avakian observes. He encourages CISOs to “really play it out” and to match the tension, stress, and timing of an actual attack. “Everyone has their breaking point. We need to learn those things.”
Future-proof attack scenarios
As for the central problem of not knowing what kind of attacks to plan for, Avakian suggests using internal teams or partners to roleplay the most likely attack vectors. To save money, he encourages enterprises to partner with universities for imaginative threat planning and to work with vertical-specific ISACs.
Ivan Shefrin, executive director for managed services at Comcast Business, offers specific suggestions on the kinds of attacks where he would encourage exercises to focus.
“Traditional training exercises tend to focus on familiar threats or perimeter attacks, but we’re seeing attackers constantly find new ways to breach corporate networks. Take low-effort, drive-by compromises. They require no user interaction beyond visiting a malicious site, bypassing awareness training entirely, which is why technical controls remain mission-critical,” Shefrin says.
“Then there are high-speed, short-burst DDoS attacks, which probe and test defenses without setting off alarms. We observed increased use of these attacks, with many lasting fewer than 10 seconds,” he adds. “We also noted a surge in carpet-bombing DDoS, where attackers spread traffic across multiple IP addresses or subnets simultaneously to complicate mitigation. Such attacks can evade defenses that focus on a single IP while overwhelming networks in aggregate.”
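The two DDoS patterns Shefrin describes defeat two common detector assumptions: that a 60-second average is a fine enough lens, and that a per-destination-IP threshold is the right unit of aggregation. The following Python is an added example, not code from Comcast Business or anyone quoted on this page. The flow records, the /24 aggregation choice, and both thresholds (10,000 pps per IP, 100,000 pps per prefix) are constructed assumptions; the point is to run one synthetic traffic mix through four detector configurations and see which ones flag the short burst and which ones flag the carpet bomb.

```python
"""Detection logic for the two DDoS patterns described above: short bursts that
long averaging windows smooth away, and carpet-bombing that stays under a
per-IP threshold while overwhelming a prefix in aggregate.
Added example; flow records and thresholds are constructed (assumptions)."""
from collections import defaultdict
import ipaddress

# Assumed thresholds (not from the page): a per-destination-IP alarm and an
# aggregate alarm per /24 prefix, both in packets per second.
PER_IP_PPS = 10_000
PREFIX_PPS = 100_000


def make_flows():
    """Constructed flow records as (start_second, dst_ip, packets); not real traffic."""
    flows = []
    # Baseline: 20 hosts in 198.51.100.0/24 each receive 100 pps for 120 s.
    for sec in range(120):
        for host in range(1, 21):
            flows.append((sec, f"198.51.100.{host}", 100))
    # Short burst: 5 s at 40,000 pps against a single host, 203.0.113.10.
    for sec in range(40, 45):
        flows.append((sec, "203.0.113.10", 40_000))
    # Carpet bomb: 60 s at 2,000 pps to each of 200 hosts in 198.51.100.0/24.
    for sec in range(60, 120):
        for host in range(1, 201):
            flows.append((sec, f"198.51.100.{host}", 2_000))
    return flows


def prefix24(ip):
    """Map a destination IP to its /24 so traffic can be aggregated per subnet."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def detect(flows, threshold_pps, window, key_fn=lambda ip: ip):
    """Return the keys (IPs, or prefixes via key_fn) whose average packet rate
    in any `window`-second bucket exceeds threshold_pps."""
    totals = defaultdict(int)
    for sec, dst, pkts in flows:
        totals[(key_fn(dst), sec // window)] += pkts
    return sorted({key for (key, _), total in totals.items()
                   if total / window > threshold_pps})


def target_spread(flows, window=1):
    """Per /24 prefix, the largest number of distinct destination IPs hit within
    one bucket: a high value is the carpet-bombing signature, 1 is a
    single-target flood."""
    seen = defaultdict(set)
    for sec, dst, _ in flows:
        seen[(prefix24(dst), sec // window)].add(dst)
    spread = defaultdict(int)
    for (prefix, _), ips in seen.items():
        spread[prefix] = max(spread[prefix], len(ips))
    return dict(spread)


def run_comparison(flows=None):
    """Run the same traffic through four detector configurations."""
    flows = make_flows() if flows is None else flows
    return {
        "per_ip_60s": detect(flows, PER_IP_PPS, 60),
        "per_ip_1s": detect(flows, PER_IP_PPS, 1),
        "per_prefix_60s": detect(flows, PREFIX_PPS, 60, prefix24),
        "per_prefix_1s": detect(flows, PREFIX_PPS, 1, prefix24),
    }


if __name__ == "__main__":
    for name, hits in run_comparison().items():
        print(f"{name:>15}: {hits or 'nothing flagged'}")
    print("target spread:", target_spread(make_flows()))
```

With this traffic, the per-IP detector on 60-second buckets flags nothing: the 5-second burst averages out to roughly 3,300 pps, and every carpet-bombed host sits at about 2,100 pps. Shrinking the bucket to one second catches the burst, and only the per-prefix aggregate catches the carpet bomb. For a tabletop, the useful question is which of these four configurations your mitigation provider actually runs, and whether anyone would have noticed the sub-10-second probes that preceded the real attack.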
Brian Levine, a former federal prosecutor who today serves as the executive director of a directory of former government and military specialists called FormerGov, says CISOs need to get comfortable with the fact that these tabletops “are going to be more reactive than proactive because we can speculate what the next thing is going to be, but we might be wrong.”
Some specific advice from Levine is to not assume that the enterprise is always going to be the target. Roleplay scenarios where different global partners are attacked, he says. “Your options [with a partner being attacked] may be more limited, but you still have options.”
Levine also encourages CISOs to relax and not panic that they can’t test everything. “You’re not going to be able to test every scenario through a tabletop,” he says. “But by testing some, you will build muscle memory.”
See also:
Tabletop exercises explained: Definition, examples, and objectives
How to conduct a tabletop exercise
4 tabletop exercises every security team should run
Tabletop exercise scenarios: 3 real-world examples