Cyber Tabletop Exercise Kit
10 ready-to-run cyber incident tabletop exercises for security teams, executives, and boards. Each scenario includes facilitator script, discussion prompts, common failure modes, and after-action templates.
What's in the kit
| File | Scenario | Audience | Duration |
|---|---|---|---|
| 01-ransomware-vendor.md | Ransomware on a critical SaaS vendor | Exec/Board | 45–60 min |
| 02-insider-exfiltration.md | Insider data exfiltration discovered post-departure | Exec | 45 min |
| 03-deepfake-wire-fraud.md | AI deepfake wire fraud against finance | Finance + Exec | 30–45 min |
| 04-nation-state-vendor.md | Slow-burn nation-state compromise via vendor | CISO + Board | 60 min |
| 05-sec-disclosure-clock.md | SEC 4-day materiality decision under pressure | Exec + Legal | 45 min |
| 06-bec-cfo-impersonation.md | CFO impersonation BEC during M&A | Finance team | 30 min |
| 07-ransomware-pay-decision.md | Active ransomware: pay-or-not decision | CISO + Board + Legal | 60 min |
| 08-public-cloud-breach.md | Cloud bucket exposure + customer data | Eng + Comms + CISO | 45 min |
| 09-ai-prompt-injection.md | AI assistant exploited by prompt injection | CISO + Eng | 45 min |
| 10-supply-chain-dependency.md | Malicious dependency in production code | Engineering + CISO | 45 min |
Plus:
- 00-Facilitator-Guide.md — How to run any tabletop well
- 99-After-Action-Template.md — Documentation template for every scenario
How to use this kit
Quarterly cadence (recommended)
Pick one scenario per quarter. Rotate through 4 different scenarios per year. Track decisions made, gaps found, and follow-up actions.
Annual minimum
If you can only do one tabletop per year, pick scenario #1 (Ransomware on Vendor) — most universal, most recognizable, most useful for boards. SEC Item 106 increasingly cites tabletop participation as evidence of board oversight.
Pre-incident readiness
Each scenario surfaces decisions you would otherwise have to make under pressure. Practicing them produces better decisions in a real incident.
What every tabletop should produce
After each exercise:
- Decisions captured — what the team decided, what they deferred
- Gaps surfaced — what wasn't ready, what was unclear
- Action items — with owners and dates
- Updated IR plan — incorporating lessons
The 99-After-Action-Template.md provides this structure.
Licensing
Single-organization license. Modify scenarios freely with your company specifics. Tokenize with {{company}}, {{team}}, etc. for consistency. Don't redistribute externally.