Key takeaways
- Most tabletops have drifted into compliance theatre. They generate audit evidence without testing genuine readiness.
- Common failure modes include scripted scenarios, clean data, calm participants, and facilitators who steer teams toward the answers in the plan.
- Real incidents look nothing like these drills. Dwell time, external discovery, and incomplete telemetry are the norm.
- Exercises that build readiness create friction, surface political dynamics, and force decisions with partial information.
- Operational readiness depends on technical readiness. The decisions made in a tabletop assume backups, telemetry, forensic tools, identity recovery, and in-house skills are actually there when needed.
- Boards, auditors, and insurers are starting to ask for evidence of capability, not just evidence of participation.
Intro
Most CISOs have been through a tabletop exercise that felt too neat. The team was calm. The scenario progressed cleanly. The injects arrived on a predictable schedule. Everyone left the room feeling prepared.
That feeling is the problem.
Tabletops have quietly become one of the most overrated assurance activities in cybersecurity. They still appear in incident response plans, audit workpapers, and cyber insurance questionnaires. But in many organisations, they have drifted from serious readiness testing into something closer to theatre. The exercise is done. The box is ticked. The capability remains unproven.
How tabletops became compliance theatre
The incentives pushed in one direction. NIS2, DORA, ISO 27001, PCI DSS, and most cyber insurance policies expect organisations to test their incident response plans regularly. Auditors want documented evidence. Insurers want confirmation that the last drill happened within the renewal window.
None of this is wrong. Tested plans are better than untested ones.
The issue is that the evidence of testing has become more important than what the test revealed. A report titled “Tabletop Exercise Completed, 14 November 2025” satisfies the auditor whether the exercise stressed the team or sedated them. Over time, the incentive becomes predictability, not pressure. Scenarios get reused. Participants get rehearsed. Facilitators avoid challenging the room because a difficult exercise produces findings that are awkward to close before the next audit.
The result is a strange kind of confidence. Leadership believes the organisation has tested its response. The response has not been tested. It has been performed.
The comfortable lies tabletops tell you
A well-run exercise should surface uncomfortable truths. A compliance-driven one hides them. These are the most common lies baked into a weak tabletop.
“We have the data we need to make decisions.” In real incidents, logs are incomplete, endpoint telemetry is missing in specific segments, and the SIEM shows a partial picture. Tabletops usually hand teams clean indicators and complete timelines.
“The key people will be available.” Exercises happen during business hours with leadership in the room. Real incidents strike at 03:40 on a Sunday, when the incident commander is on holiday and the comms lead is on parental leave.
“Decisions will be made cleanly.” In real incidents, decisions happen under legal pressure, commercial pressure, regulatory deadlines, and executive panic. Most tabletops do not model any of this.
“The plan will work.” Plans are optimistic by nature. Under test they miss obvious things. What happens when your MDR provider is also breached? When the comms lead is the person whose mailbox was compromised? When your cyber insurance notification window collides with a bank holiday?
“Everyone agrees on what happened.” Real incidents are political. Product teams resist containment. Legal resists early disclosure. Business units push to resume operations before forensics is complete. Tabletops rarely reproduce these fault lines.

What real incidents actually look like
The data from frontline IR work is clear. Mandiant’s M-Trends 2025 report found that organisations in EMEA had a median dwell time of 22 days, compared with 9 days in JAPAC and an 11-day global median. Only 43% of intrusions were detected internally. The majority came to light through external notification, often from law enforcement, a third party, or the attacker themselves delivering a ransom demand.
IBM’s 2025 Cost of a Data Breach Report put the global average breach lifecycle at 241 days, split between identification and containment. Those numbers describe the reality our IR teams see across engagements in the UK, Europe, and the maritime sector.
A typical exercise compresses this kind of chaos into two hours, with a facilitator steering the group toward the desired conclusions. The outcome is a team that has rehearsed a story, not a team that has been tested.
This matters because the gap between rehearsed behaviour and real behaviour widens under pressure. Teams that have only practised in clean conditions make avoidable mistakes in dirty ones. In our incident response work, the pattern is consistent. Organisations with mature-looking IR documentation often lose the first 24 to 48 hours to decisions they had never actually made before, only written down.

Principles for exercises that actually test readiness
The tabletop format is not the problem. The execution is. The exercises that improve readiness share a small number of principles.
Test decisions, not knowledge. A good exercise forces choices under pressure with incomplete information. Who authorises paying a ransom? Who decides when to take a production system offline at peak trading? Who signs off the regulator notification if legal is still debating the wording? Knowledge questions like “what is our RTO?” can be answered from documentation. Decisions cannot.
Introduce the mess. Effective scenarios model time pressure, missing people, conflicting priorities, and missing data. Injects should escalate in ways the team cannot anticipate. A media enquiry arriving 40 minutes before a regulator deadline is worth more than an hour of technical discussion about malware.
Include the full chain. Technical response is only part of an incident. Legal, communications, HR, finance, procurement, and at least one business unit leader all have a role. If they are not in the room, the exercise is not testing real readiness.
Use facilitators willing to push back. A skilled facilitator asks the question the team is avoiding, challenges assumptions, and escalates pressure when decisions are being deferred. The role is not to keep the room comfortable.
Design scenarios around real risk. A generic ransomware scenario is less useful than one built from credible intelligence on the sector, supply chain, or attack surface. For maritime operators, that means scenarios involving OT, satellite communications, or port systems. For financial services, it means scenarios aligned to DORA threat-led penetration testing. For public sector bodies, it means supply chain compromise through a known critical vendor.
Measure outcomes, not participation. The after-action report should name specific decisions made, specific decisions deferred, and specific capability gaps. Findings like “communication could be improved” signal that the exercise did not probe deeply enough.
Operational readiness assumes technical readiness
Most tabletops focus on people and decisions. That is the right instinct, but it is only half of being ready.
Every operational decision in an exercise rests on a technical capability. The decision to isolate a host assumes you can isolate it remotely. The decision to restore from backup assumes the backup is intact, accessible, and recent. The decision to revoke privileged access assumes someone in the room actually knows how to do that across every identity provider in the estate. If those foundations are weak, the tabletop is testing decisions the team will not be able to act on.

A few areas matter most.
Backups and recovery. Knowing backups exist is not enough. Confirm when they were last tested under restore conditions, how long a full restore actually takes for the systems that matter, whether immutability has been verified rather than assumed, and whether the backup infrastructure is segregated from the production identity plane. Ransomware groups target backup systems first for a reason.
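The restore check above is the one most often asserted and least often performed. The following added example (not ThreatScene's tooling, and not code from the original page) shows the shape of a minimal restore drill: a manifest of file hashes captured at backup time, a restore into a clean location, and a verification pass that reports missing files, corrupted files, and elapsed time against an assumed recovery time objective. The "backup" and "restore" here are a constructed directory tree and a local copy standing in for the real backup job; the RTO value and the tampering step are assumptions used to show what a failed drill looks like.

```python
"""Restore drill harness: verify a restored tree against a manifest and time it against an RTO."""
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass, field


@dataclass
class RestoreResult:
    verified: int = 0
    missing: list = field(default_factory=list)
    corrupt: list = field(default_factory=list)
    elapsed_s: float = 0.0
    rto_s: float = 0.0

    @property
    def ok(self) -> bool:
        # A restore only passes if every file is present, intact, and the clock beat the RTO.
        return not self.missing and not self.corrupt and self.elapsed_s <= self.rto_s


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> sha256, recorded from the source at backup time and kept off the backup host."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(restored_root: str, manifest: dict, elapsed_s: float, rto_s: float) -> RestoreResult:
    """Compare the restored tree to the manifest; never trust the backup job's own success code."""
    res = RestoreResult(elapsed_s=elapsed_s, rto_s=rto_s)
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            res.missing.append(rel)
        elif sha256_file(path) != expected:
            res.corrupt.append(rel)
        else:
            res.verified += 1
    return res


def run_drill(rto_s: float = 5.0, tamper: bool = False) -> RestoreResult:
    """Constructed drill: build a 'production' tree, take a manifest, 'restore' it by copying, verify.

    rto_s is an assumed recovery time objective in seconds; tamper=True simulates a backup that
    silently corrupted one file and never captured another.
    """
    with tempfile.TemporaryDirectory() as work:
        prod = os.path.join(work, "prod")
        os.makedirs(os.path.join(prod, "db"))
        with open(os.path.join(prod, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'constructed sample');\n")
        with open(os.path.join(prod, "config.yaml"), "w") as f:
            f.write("service: billing\n")
        manifest = build_manifest(prod)

        restored = os.path.join(work, "restored")
        start = time.monotonic()
        shutil.copytree(prod, restored)  # stands in for the real restore job
        if tamper:
            with open(os.path.join(restored, "config.yaml"), "a") as f:
                f.write("tampered: true\n")          # corrupted in the backup set
            os.remove(os.path.join(restored, "db", "orders.sql"))  # never backed up
        elapsed = time.monotonic() - start
        return verify_restore(restored, manifest, elapsed, rto_s)


if __name__ == "__main__":
    for tamper in (False, True):
        r = run_drill(tamper=tamper)
        print(f"tamper={tamper} ok={r.ok} verified={r.verified} "
              f"missing={r.missing} corrupt={r.corrupt} elapsed={r.elapsed_s:.3f}s")
```

The point of the harness is the manifest: it is produced from the source at backup time and stored away from both production and the backup platform, so that a restore is checked against something the attacker could not have rewritten. In a real drill, replace the copy with the actual restore procedure for the systems that matter, record the elapsed time as the measured restore time rather than the figure in the plan, and treat any `missing` or `corrupt` entry as a finding with an owner.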
Forensic tooling and acquisition. Evidence collection runs alongside containment. Confirm in advance that you have the tooling and authority to collect memory, disk, and cloud logs from any system in scope, sufficient storage for the volumes involved, and a named person who knows how to use it under pressure. If acquisition starts with a procurement conversation, the timeline is already lost.
EDR and SIEM coverage. Coverage gaps are the silent killer of incident response. Confirm what is genuinely covered, where the blind spots are (legacy systems, OT, third-party SaaS, contractor endpoints), and how long logs are retained. Many investigations stall because retention ended before the dwell time did.
Identity recovery. Modern incidents are identity incidents. Tabletops rarely test what happens when Active Directory, the cloud IdP, or privileged access management is the thing that has been compromised. Recovery procedures for tier-zero systems should be documented, tested, and held outside the systems they protect, including break-glass credentials that do not depend on the compromised identity provider for authentication.
Internal skillset. Decisions in a tabletop assume someone can execute them. Map the technical skills your IR plan relies on, then check honestly who holds those skills, whether they are available out of hours, and what happens when the named person is unavailable or is the subject of the investigation.
A tabletop that exposes operational gaps is useful. One that also exposes technical readiness gaps is more useful. Run both, and run them together.
How to fix your next tabletop
These are the practical adjustments that separate a useful exercise from a performative one.
Before the exercise, pick a scenario grounded in the last 12 months of incidents in your sector, not a generic template. Write injects that require real decisions, not information recall. Invite participants from legal, comms, HR, and at least one operational business unit. Deliberately withhold some of the data the team would ideally have. Brief the facilitator to escalate pressure rather than relieve it. Sanity-check the technical assumptions the scenario rests on (backups, telemetry, tooling, identity recovery) before the exercise, so findings about decisions are not muddled by findings about capability.
During the exercise, introduce an out-of-hours element at some point, where key people are unavailable or responses are delayed. Place one participant in an observer-only role with notes on who actually made decisions and who deferred. Force at least one decision with a 30-minute deadline. Introduce a media, customer, or regulator inject that requires a statement within the exercise window.
After the exercise, deliver an after-action report with specific, named capability gaps, owners, and deadlines. Test the same scenario variant six months later to check whether the gaps have closed. Share sanitised findings with the board, framed against business impact, not technical detail.
Organisations that take this seriously stop running one tabletop a year as a compliance artefact. They run shorter, sharper exercises more often, with different scenarios, different participants, and different pressure points. Over time this builds muscle memory rather than performative readiness.
What CISOs should walk away with
If the goal is audit evidence, almost any exercise will do.
If the goal is readiness, the test is simple. Did the last tabletop leave anyone uncomfortable? Did it expose a specific decision the team could not make cleanly? Did it generate findings that led to real changes in the plan?
If the answer is no, the exercise was theatre.
The organisations that weather real incidents are not the ones with the best-looking IR plans. They are the ones whose teams have been tested under conditions close enough to a real attack that the response is reflexive.
ThreatScene designs and facilitates incident response exercises that test capability rather than document it, across ransomware simulation, crisis exercises, and IR readiness engagements. If your last tabletop felt too comfortable, that is worth a conversation. Get in touch to scope a realistic exercise for your environment.
Stay ready. Stay resilient. Stay operational.
Curated with purpose, delivered with precision | ThreatScene Team

REFERENCES
- Mandiant M-Trends 2025 Report: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025
- Mandiant M-Trends 2025 (via SC Media coverage): https://www.scworld.com/brief/exploits-still-top-entry-point-says-mandiant-report
- IBM Cost of a Data Breach Report 2025: https://www.ibm.com/reports/data-breach
- NIS2 Directive (Directive (EU) 2022/2555): https://eur-lex.europa.eu/eli/dir/2022/2555/oj
- DORA Regulation (Regulation (EU) 2022/2554): https://eur-lex.europa.eu/eli/reg/2022/2554/oj