{"id":7735,"date":"2026-04-08T09:00:00","date_gmt":"2026-04-08T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7735"},"modified":"2026-04-08T09:00:00","modified_gmt":"2026-04-08T09:00:00","slug":"the-tabletop-exercise-grows-up","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7735","title":{"rendered":"The tabletop exercise grows up"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In the early 1800s, Prussian officers began rehearsing battles around sand tables. They called it Kriegsspiel, and it worked because it forced them to make high-stakes decisions under pressure. Fast forward to today, and that same concept has become cybersecurity\u2019s go-to tool for crisis preparedness: the tabletop exercise. For good reason: it still works.<\/p>\n<p>Full disclosure: we are actively building in this space. That\u2019s partly why we\u2019ve spent so much time dissecting where these exercises fall short. The observations below come directly from the trenches. Lee and I have spent years facilitating these scenarios for everyone from growth-stage technology startups to massive global enterprises in highly regulated industries. What we\u2019ve observed consistently is that tabletops deliver genuine value. But at the same time, we both noticed that tabletop exercises also have a ceiling most experienced practitioners quietly acknowledge and rarely discuss openly.<\/p>\n<h2 class=\"wp-block-heading\">What tabletops built and where they stop<\/h2>\n<p>Here is what we like about tabletops: they put people in a room and force them to talk through a crisis before one arrives. It builds shared understanding of roles and escalation paths. 
It surfaces gaps between the documented plan and operational reality: the outdated contact list, the ambiguous chain of authority, the runbook written for infrastructure the organization no longer runs. It develops cross-functional trust between security, legal, communications and the executive team. And it satisfies compliance frameworks, including SOC 2, ISO 27001 and NIST, that require documented evidence of incident response testing.<\/p>\n<p>Getting the extended team (e.g., legal, privacy, comms, support, engineering, infra) together results in genuine benefits to the shared understanding of roles, responsibilities and how an incident impacts all areas of a company. But traditional exercises carry a fundamental limitation of the medium. Most tabletops test knowledge of the plan. They do not test the ability to execute it.<\/p>\n<p>Scenarios are scripted. Injects arrive on a fixed schedule regardless of what the team decides. The crisis communications plan sits in a shared drive, but nobody has tested whether the holding statement holds up when a reporter calls. The incident response plan defines roles, but nobody has observed whether those roles function when three things go wrong at once. Participants discuss theory and knowledge of a plan. It\u2019s about what they <em>would<\/em> do. They do not do it.<\/p>\n<p>Every experienced facilitator knows the moment: someone in the room challenges the premise and the facilitator asks participants to \u201csuspend disbelief.\u201d That phrase should give us pause. If the scenario requires suspension of disbelief, it is not building preparedness. It is building familiarity with a document.<\/p>\n<p>The gap between documentation and execution is well-documented. 
<a href=\"https:\/\/www.cisa.gov\/resources-tools\/services\/cisa-tabletop-exercise-packages\">CISA\u2019s cyber exercise guidance<\/a> notes that discussion-based exercises alone are insufficient for validating operational readiness, yet that is what most organizations rely on. The Ponemon Institute reports that just over half of security teams believe their incident response plans are effective. Most face real incidents having never practiced under conditions that resemble one.<\/p>\n<h2 class=\"wp-block-heading\">Bring tabletops to life with AI<\/h2>\n<p>Advances in agentic AI capabilities make it possible to address the traditional tabletop\u2019s primary limitation: the inability to respond dynamically to what the team actually does. For every action, there should be a reaction instead of a series of predefined injects that completely ignore the actions a team would take.<\/p>\n<p>Imagine if the roles that were previously absent (e.g., the threat actor, the journalist, the regulator, the customer) could respond to the team\u2019s decisions in real time rather than following a fixed sequence. Until recently, approximating this required hiring a crew of trained actors, which nobody does. AI allows us to have an adversary that adapts to defensive decisions rather than following a script. Now it\u2019s possible to have simulated stakeholders (e.g., press, regulators, customers) that react to the timing and substance of the team\u2019s communications. The possibility is that every decision could produce consequences that cascade forward, a fidelity of simulation that simply wasn\u2019t achievable at scale before.<\/p>\n<p>Using AI, we can change the nature of the exercise from discussion to practice. Organizations could observe whether their crisis processes hold up under realistic pressure. Is the incident response plan followed, or merely referenced? Does the incident commander maintain situational awareness while the team works parallel problems? 
Instead of self-reported intentions and assumptions carried forward into the next exercise, observed behaviors could be logged, timestamped and mapped to frameworks like <a href=\"https:\/\/attack.mitre.org\/\">MITRE ATT&amp;CK<\/a> and NIST CSF.<\/p>\n<p>The frequency problem could also shift. When a traditionally facilitated exercise costs tens of thousands of dollars and requires weeks of preparation, most organizations run one annually at best. Skills atrophy between cycles. New team members never participate. The <a href=\"https:\/\/www.ibm.com\/reports\/data-breach\">IBM and Ponemon Institute 2025 Cost of a Data Breach Report<\/a>, which surveyed more than 600 organizations across 17 industries, found that organizations testing incident response at least twice a year reduced breach costs by $1.49 million on average. If AI compresses preparation time and cost significantly, more frequent exercises become viable.<\/p>\n<p>Beyond frequency, there are possibilities traditional exercises structurally cannot offer. A well-configured AI-augmented exercise could be built around an organization\u2019s actual environment rather than a generic scenario. Generic scenarios produce generic learning. The gap between a simulated crisis and the real one is where preparedness quietly erodes.<\/p>\n<p>Perhaps most importantly, the nature of the scenario itself could change. Traditional exercises tend toward resolution: the team works the problem; the facilitator guides them through it and the exercise ends on a manageable note. An AI-driven approach could introduce compounding failures, unexpected escalations and realistic time pressure without a facilitator needing to manage the room\u2019s morale. 
The goal would be to find where the plan actually breaks instead of confirming it exists.<\/p>\n<p>And unlike a single annual exercise that produces a snapshot, repeated cycles could generate longitudinal data: whether response times improve, whether the same gaps recur, whether the program is measurably stronger than it was six months ago. That kind of trend data has been difficult to produce. It\u2019s also easy to over-index on. Metrics that show improving response times don\u2019t necessarily mean an organization is better prepared. They may mean the team is getting better at the simulation.<\/p>\n<h2 class=\"wp-block-heading\">The next step<\/h2>\n<p>The tabletop exercise has served our profession well. It brought structure to crisis preparedness, created a common language between security teams and business leadership and gave us a way to prepare before the real thing arrived.<\/p>\n<p>AI-augmented approaches offer the next step in that tradition: the ability to move from discussing a crisis to experiencing one. To test the communication materials that have never been tested. To observe whether the incident response plan is followed or merely referenced. To surface the gaps that scripted scenarios never reach.<\/p>\n<p>We do not think this replaces the skilled facilitator (the company CISO or consultant). The judgment-intensive post-<em>mortem<\/em> debrief that follows a well-run exercise is absolutely essential. Think of it like basketball: a coach can only give you meaningful feedback if they\u2019ve seen you play. The AI-augmented exercise is the game; the post-mortem debrief is the coaching. What AI does is raise the floor so that the work of a good facilitator starts from a richer baseline of observed behavior rather than participant recall and self-assessment.<\/p>\n<p>The tabletop is ready to grow up. 
Whether your program is ready to grow with it depends less on the technology than on your organization\u2019s willingness to test its processes against something that actually pushes back.<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In the early 1800s, Prussian officers began rehearsing battles around sand tables. They called it Kriegsspiel, and it worked because it forced them to make high-stakes decisions under pressure. Fast forward to today, and that same concept has become cybersecurity\u2019s go-to tool for crisis preparedness: the tabletop exercise. For good reason: it still works. Full [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7736,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7735","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7735"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7735"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7735\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7736"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2
%2Fmedia&parent=7735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}