# Cyber Tabletop Exercise Kit

10 ready-to-run cyber incident tabletop exercises for security teams, executives, and boards. Each scenario includes facilitator script, discussion prompts, common failure modes, and after-action templates.

---

## What's in the kit

| File | Scenario | Audience | Duration |
|---|---|---|---|
| `01-ransomware-vendor.md` | Ransomware on a critical SaaS vendor | Exec/Board | 45–60 min |
| `02-insider-exfiltration.md` | Insider data exfiltration discovered post-departure | Exec | 45 min |
| `03-deepfake-wire-fraud.md` | AI deepfake wire fraud against finance | Finance + Exec | 30–45 min |
| `04-nation-state-vendor.md` | Slow-burn nation-state compromise via vendor | CISO + Board | 60 min |
| `05-sec-disclosure-clock.md` | SEC Form 8-K Item 1.05: materiality determination and the four-business-day filing clock | Exec + Legal | 45 min |
| `06-bec-cfo-impersonation.md` | CFO impersonation BEC during M&A | Finance team | 30 min |
| `07-ransomware-pay-decision.md` | Active ransomware: pay-or-not decision | CISO + Board + Legal | 60 min |
| `08-public-cloud-breach.md` | Cloud bucket exposure + customer data | Eng + Comms + CISO | 45 min |
| `09-ai-prompt-injection.md` | AI assistant exploited by prompt injection | CISO + Eng | 45 min |
| `10-supply-chain-dependency.md` | Malicious dependency in production code | Engineering + CISO | 45 min |

Plus:

- `00-Facilitator-Guide.md` — How to run any tabletop well
- `99-After-Action-Template.md` — Documentation template for every scenario

---

## How to use this kit

### Quarterly cadence (recommended)

Pick one scenario per quarter, so you cover four different scenarios each year. For every exercise, record the decisions made, the gaps found, and the follow-up actions with owners and due dates, so the next quarter's session can start by checking whether the last set of actions closed.

### Annual minimum

If you can only do one tabletop per year, pick **scenario #1 (Ransomware on Vendor)**: it is the most universal, the most recognizable, and the most useful for boards. Regulation S-K Item 106 requires registrants to describe the board's oversight of cybersecurity risk, and a documented tabletop with board participation is concrete evidence to cite in that disclosure.

### Pre-incident readiness

Each scenario surfaces decisions you would otherwise be making for the first time under pressure: who can authorize a payment, who calls the regulator, who talks to the press, when to shut a system down. Making those decisions in the exercise, and writing down who owns them, produces better decisions during a real incident.

---

## What every tabletop should produce

After each exercise:

1. **Decisions captured** — what the team decided, what they deferred
2. **Gaps surfaced** — what wasn't ready, what was unclear
3. **Action items** — with owners and dates
4. **Updated IR plan** — incorporating lessons

The `99-After-Action-Template.md` provides this structure.

---

## Licensing

Single-organization license. Modify scenarios freely with your company specifics. Tokenize with `{{company}}`, `{{team}}`, etc. for consistency. Don't redistribute externally.
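Substituting the `{{company}}`-style tokens by hand across ten scenario files is where a stray `{{ir_lead}}` ends up in a board deck. The following script is an added example and is not part of the kit: it renders a scenario template from a dictionary of values and reports any tokens that were left unfilled, so you can refuse to distribute a scenario that still contains placeholders. The token names and the sample scenario excerpt below are constructed for illustration; the kit itself defines only `{{company}}` and `{{team}}` as examples.

```python
import re

# Matches {{name}} with optional inner whitespace; names are identifier-like.
TOKEN_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed scenario excerpt for illustration (not text from the kit).
SAMPLE_SCENARIO = (
    "Facilitator: It is 07:40 on a Tuesday. {{company}}'s payroll SaaS vendor "
    "has posted a status-page notice about 'a security event'. The {{team}} "
    "on-call has paged {{ir_lead}}. Who in {{company}} decides whether to "
    "suspend the vendor integration?"
)


def find_tokens(text):
    """Return the sorted set of distinct token names present in text."""
    return sorted(set(TOKEN_RE.findall(text)))


def render(text, values, strict=False):
    """Fill tokens from `values`.

    Returns (rendered_text, missing_token_names). Tokens without a value are
    left in place so they remain visible in the output. With strict=True an
    unfilled token raises KeyError instead, which is the mode to use before
    handing a scenario to participants.
    """
    missing = set()

    def substitute(match):
        name = match.group(1)
        if name in values:
            return str(values[name])
        missing.add(name)
        return match.group(0)  # leave the placeholder visible

    rendered = TOKEN_RE.sub(substitute, text)
    if strict and missing:
        raise KeyError(f"unfilled tokens: {sorted(missing)}")
    return rendered, sorted(missing)


def render_kit(files, values, strict=False):
    """Render a {filename: template_text} mapping.

    Returns (rendered_files, {filename: missing_tokens}) so a release step can
    list exactly which scenario still needs which value.
    """
    rendered = {}
    report = {}
    for name, text in files.items():
        out, missing = render(text, values, strict=strict)
        rendered[name] = out
        if missing:
            report[name] = missing
    return rendered, report


if __name__ == "__main__":
    values = {"company": "Acme Corp", "team": "SecOps"}
    out, missing = render(SAMPLE_SCENARIO, values)
    print(out)
    print("unfilled:", missing)
```

Run it in non-strict mode first to get the list of every token the kit uses (`find_tokens` over each file), build the values dictionary from that list, then switch to `strict=True` in whatever step produces the copies that go to participants.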
