# Incident Response Tabletop Exercise SOP
Sub-procedure of incident-response-sop.md
## Overview
Detailed procedures for designing, facilitating, and reporting on incident response tabletop exercises. This sub-procedure covers scenario development, exercise execution, gap identification, and improvement recommendations.
## Scope
- Parent SOP: Incident Response
- Pillar: Protect (Security & Compliance)
- Service Area: Incident Response Tabletop Exercises
## Prerequisites
- Parent SOP requirements met
- IR plan exists (current or being developed)
- Executive sponsor committed
- Key stakeholders available for exercise (2-4 hours)
- Exercise objectives defined
- Scenario relevance confirmed with client
## Procedure
### Step 1: Exercise Planning and Scoping
Objective: Define exercise objectives and scope
Exercise Planning Meeting Agenda:
| Topic | Duration | Purpose |
|---|---|---|
| Exercise objectives | 15 min | Define what success looks like |
| Participant identification | 15 min | Who needs to participate |
| Scenario selection | 30 min | Choose relevant scenario(s) |
| Logistics planning | 15 min | Date, time, location, format |
| Ground rules | 10 min | Establish exercise norms |
Exercise Objectives Examples:
| Objective Type | Example Objectives |
|---|---|
| Validation | Validate IR plan procedures and escalation paths |
| Training | Familiarize new team members with IR roles |
| Communication | Test communication channels and messaging |
| Decision-Making | Practice executive decision-making under pressure |
| Coordination | Improve coordination between departments |
| Compliance | Meet regulatory requirements for IR testing |
Participant Selection:
| Role | Why Critical | Minimum Participation |
|---|---|---|
| Executive Sponsor | Final decision authority | Required |
| IT/Security Leadership | Technical response coordination | Required |
| Legal Counsel | Regulatory and legal guidance | Required |
| Communications/PR | External messaging | Highly Recommended |
| HR | Employee-related aspects | Recommended |
| Business Unit Leaders | Business impact decisions | Recommended |
| Finance | Financial impact, insurance | As relevant |
| Facilities | Physical security aspects | As relevant |
### Step 2: Scenario Development
Objective: Create realistic, relevant exercise scenario
Scenario Components:
| Component | Description | Development Approach |
|---|---|---|
| Background | Organization context, normal operations | Based on client environment |
| Initial Trigger | How incident is discovered | Realistic detection scenario |
| Injects | Evolving situation updates | Escalating complexity |
| Decision Points | Require participant choices | Key IR decisions |
| Complications | Realistic challenges | Time pressure, resource constraints |
| Resolution Path | Possible outcomes | Multiple valid approaches |
Standard Scenario Library:
| Scenario | Target Audience | Duration | Key Focus |
|---|---|---|---|
| Ransomware Attack | All organizations | 2-3 hours | Containment, payment decision, recovery |
| Data Breach/Exfiltration | Data-handling organizations | 2-3 hours | Detection, notification decisions |
| Business Email Compromise | Finance teams | 1.5-2 hours | Fraud detection, wire recall |
| Insider Threat | Larger organizations | 2-3 hours | HR coordination, evidence preservation |
| Third-Party Compromise | Organizations with vendors | 2-3 hours | Vendor coordination, scope determination |
| Phishing Campaign | All organizations | 1.5-2 hours | Detection, containment, user communication |
Scenario Development Template:
```markdown
# [Scenario Name] Tabletop Exercise
## Background
[Organization context, current state, normal operations]
## Scenario Overview
[Brief description of the incident type and general situation]
## Exercise Timeline
### Hour 1: Initial Discovery (T+0 to T+30 min)
**Inject 1.1**: [Initial detection - what is observed]
**Discussion Questions**:
- Who needs to be notified?
- What is the initial severity assessment?
- What immediate actions should be taken?
**Inject 1.2**: [Additional information uncovered]
**Discussion Questions**:
- Does this change the severity assessment?
- What additional resources are needed?
- What containment actions are appropriate?
### Hour 2: Escalation (T+30 min to T+2 hours)
**Inject 2.1**: [Situation escalates - new information]
**Discussion Questions**:
- Who else needs to be involved?
- What are the business impact considerations?
- What are the legal/regulatory implications?
**Inject 2.2**: [External pressure - media, regulator, customer]
**Discussion Questions**:
- How do we respond to external inquiries?
- What is our communication strategy?
- What decisions need executive approval?
### Hour 3: Resolution (T+2 hours to T+24 hours simulated)
**Inject 3.1**: [Path to resolution]
**Discussion Questions**:
- What are the recovery priorities?
- How do we validate the threat is eliminated?
- What notifications are required?
**Inject 3.2**: [Post-incident considerations]
**Discussion Questions**:
- What lessons have we learned?
- What improvements should we make?
- How do we prevent recurrence?
```
### Step 3: Exercise Facilitation
Objective: Conduct effective tabletop exercise
Exercise Agenda:
| Phase | Duration | Activities |
|---|---|---|
| Introduction | 15 min | Welcome, objectives, ground rules, scenario overview |
| Exercise | 90-120 min | Scenario injects, discussions, decisions |
| Break (optional) | 10 min | Mid-exercise break for longer exercises |
| Conclusion | 15 min | Scenario resolution, key takeaways |
| Hot Wash | 30 min | Immediate feedback, initial observations |
Facilitation Ground Rules:
| Rule | Explanation |
|---|---|
| No wrong answers | Exercise is for learning, not evaluation |
| Stay in role | Respond as you would in a real incident |
| Think out loud | Share reasoning, not just decisions |
| Build on others | Collaborative problem-solving |
| Capture gaps | Note issues for post-exercise discussion |
| No technology | Focus on process, not looking up answers |
Facilitator Techniques:
| Technique | When to Use | Example |
|---|---|---|
| Probing Questions | Dig deeper into decisions | "Walk me through your reasoning..." |
| Devil's Advocate | Challenge assumptions | "What if legal counsel is unavailable?" |
| Time Pressure | Add realism | "The CEO is asking for an update in 10 minutes..." |
| Role Assignment | Ensure participation | "Sarah, as IT lead, what's your recommendation?" |
| Redirect | Get back on track | "Let's focus on the immediate decision..." |
| Summarize | Confirm understanding | "So we're agreed that the first step is..." |
Observer/Note-Taker Responsibilities:
| Responsibility | Documentation |
|---|---|
| Decisions Made | What was decided, by whom |
| Gaps Identified | Unclear procedures, missing information |
| Process Issues | Where the plan didn't work |
| Communication Issues | Unclear escalation, missing contacts |
| Positive Observations | What worked well |
| Quotes | Notable statements for report |
### Step 4: Exercise Documentation
Objective: Capture exercise conduct and observations
Documentation During Exercise:
| Element | Capture Method | Owner |
|---|---|---|
| Decisions | Written notes by observer | SBK Observer |
| Timeline | Timestamps for key events | SBK Observer |
| Gaps Identified | Note cards or shared doc | All participants |
| Process Issues | Note cards or shared doc | All participants |
| Action Items | Tracked list | SBK Facilitator |
Hot Wash Questions:
| Question | Purpose |
|---|---|
| What worked well? | Identify strengths |
| What didn't work as expected? | Surface issues |
| Where did we get stuck? | Identify gaps |
| What would you do differently? | Capture improvements |
| What surprised you? | Identify blind spots |
| What do we need to practice more? | Training needs |
### Step 5: After-Action Report Development
Objective: Document findings and recommendations
After-Action Report Structure:
| Section | Content |
|---|---|
| Executive Summary | Key findings, priority recommendations |
| Exercise Overview | Objectives, participants, scenario summary |
| Exercise Conduct | Timeline, decisions made, key discussions |
| Observations | What worked, what didn't, gaps identified |
| Findings | Categorized issues with severity |
| Recommendations | Prioritized improvement actions |
| Action Items | Specific tasks, owners, timelines |
| Appendices | Scenario materials, participant list |
Finding Categories:
| Category | Examples |
|---|---|
| Plan/Documentation | Missing procedures, unclear roles |
| Communication | Notification gaps, unclear escalation |
| Technical | Tool gaps, capability limitations |
| Training | Knowledge gaps, unfamiliarity with procedures |
| Coordination | Department coordination issues |
| Decision-Making | Unclear authority, slow decisions |
Finding Severity Levels:
| Severity | Definition | Recommendation Timeline |
|---|---|---|
| Critical | Would significantly impair incident response | Immediate (30 days) |
| High | Would delay or complicate response | Short-term (60 days) |
| Medium | Would reduce response efficiency | Medium-term (90 days) |
| Low | Improvement opportunity | As resources allow |
Recommendation Template:
| Field | Content |
|---|---|
| Finding ID | Unique identifier |
| Finding | Description of the issue |
| Impact | Effect on incident response |
| Recommendation | Specific improvement action |
| Priority | Critical/High/Medium/Low |
| Owner | Responsible party |
| Target Date | Completion timeline |
| Resources | What's needed to implement |
### Step 6: Follow-Up and Plan Updates
Objective: Ensure findings lead to improvements
Follow-Up Process:
| Timeframe | Activity | Owner |
|---|---|---|
| T+1 week | Deliver after-action report | SBK |
| T+2 weeks | Review and discuss findings | Client + SBK |
| T+4 weeks | Begin implementing recommendations | Client |
| T+8 weeks | Check-in on implementation progress | SBK |
| T+12 weeks | Verify high-priority items completed | SBK |
IR Plan Updates:
| Update Type | When to Update |
|---|---|
| Procedure Changes | When gap in procedure identified |
| Contact Updates | When contact information issues found |
| Role Clarification | When role confusion identified |
| Communication Templates | When messaging issues found |
| Playbook Additions | When new scenario insights gained |
## Deliverables
| Deliverable | Format | Owner |
|---|---|---|
| Exercise Scenario | Word/PDF | SBK Consultant |
| Facilitator Guide | Word/PDF | SBK Consultant |
| Observer Notes | Notes document | SBK Observer |
| After-Action Report | | SBK Consultant |
| Recommendations Matrix | Excel | SBK Consultant |
| Updated IR Plan | Word/PDF | SBK (if contracted) |
| Follow-Up Check-In Summary | Email/Document | SBK Consultant |
## Quality Gates
- Exercise objectives clearly defined
- Scenario relevant to organization
- All key stakeholders participated
- Exercise completed within planned timeframe
- Hot wash conducted immediately after
- All observations documented
- Findings categorized and prioritized
- Recommendations are actionable
- After-action report delivered within 1 week
- Action items assigned with owners and dates
## Related Documents
- Parent SOP: Incident Response
- IR Planning SOP
- IR Execution SOP
- Cross-Pillar SOPs
- Tabletop Scenario Library
Last Updated: February 2026
Parent SOP: incident-response-sop.md