  • 63% of organizations that ran tabletop exercises identified critical IR plan gaps they were previously unaware of (SANS IR Survey 2024)
  • 3 ready-to-run scenarios: ransomware, cloud credential compromise, insider threat / data exfiltration
  • 90 min target duration for a single-scenario tabletop exercise -- long enough to be meaningful, short enough to sustain focus

Most tabletop exercises fail because the facilitator isn't sure what their job is. The job is not to teach -- it's to create conditions where the team discovers their own gaps. This guide gives you a literal script for the opening, three complete scenarios with timed injects, a list of probing questions for when discussion stalls, and an after-action report template. Read it once before your first exercise; use it as a reference card during.

Pre-Exercise Setup: What to Prepare

One week before:

  • Confirm participant list (6-10 people; include legal, comms, and an executive)
  • Send scenario theme to participants (e.g., 'ransomware scenario') -- do NOT send injects in advance
  • Book 90-120 minutes with no hard stop; participants should not leave mid-scenario
  • Assign a scribe (separate from facilitator) to capture discussion and decisions
  • Print or share: facilitator script, inject packets (one per participant), after-action report template

Day of:

  • Set up a shared document for the scribe
  • Arrange seating so all participants can see each other (roundtable preferred)
  • Have your inject timeline printed with timestamps
  • Brief the scribe: 'Capture decisions made, gaps identified, assumptions surfaced -- not a transcript'
  • Set timer on your phone for each inject

Ground rules to read aloud at the start:

1. This is a no-fault environment. The goal is to find gaps, not assign blame.
2. Decisions made in this room are not binding -- this is hypothetical.
3. When I present an inject, respond as you would in a real incident.
4. If you're unsure what your organization would do, say so -- that's the most
   valuable answer you can give.
5. Phones on silent; one conversation at a time; all voices are equal in this room.

Facilitator Opening Script (Read Verbatim)

Welcome, everyone. Today we're running a tabletop exercise. My role is to present 
scenario information and ask questions. Your role is to discuss how your organization 
would respond.

A few important things about how this works:
- I will not tell you what the 'right' answer is. There usually isn't one.
- When I ask a question, I'm looking for your actual process, not the process 
  you wish you had.
- If someone says 'I don't know' or 'we don't have that,' write it down -- 
  that's exactly what this exercise is designed to surface.
- We have a scribe today: [NAME]. They're capturing decisions and gaps, 
  not a word-for-word transcript.
- We have [TIME AVAILABLE]. I'll keep us on track.

Any questions before we begin?

[Pause for questions. Address briefly.]

Okay. Let's start the scenario.

Scenario 1: Ransomware (90-Minute Version)

Scenario theme: A ransomware attack that begins with a phishing email and progresses to domain controller encryption.

Participants for this scenario: CISO/security lead, IT director, legal, communications/PR, CFO or executive sponsor


INJECT 1 (Minute 0) -- Read aloud:

It is a Tuesday morning. Your IT helpdesk receives three calls in 15 minutes from users 
reporting that files on their desktop have strange extensions they don't recognize. 
One user says their shared drive is also showing unfamiliar file names. 
At 9:14 AM, your SOC analyst opens a ticket and begins investigation.

Discussion: What are your immediate actions? Who is notified? Who makes the call 
to escalate this beyond the helpdesk?

Facilitator: Allow 10-12 minutes of discussion. Key gaps to listen for: Do they have an on-call escalation tree? Who has authority to isolate systems? Is there an IR plan they're referencing or improvising?


INJECT 2 (Minute 15) -- Read aloud:

Your analyst confirms: this is ransomware. Fourteen workstations are encrypted. 
The ransom note demands $450,000 in Bitcoin within 72 hours. 
The note also claims that 200GB of data was exfiltrated before encryption.

You have confirmed that three file servers are still online and appear unaffected.

Discussion: Do you isolate the affected workstations? What about the file servers? 
Who authorizes that decision? What is your communication to employees?

Facilitator: Push on the file server question. Isolating too quickly may destroy forensic evidence; waiting risks spread. There is no right answer -- the goal is to surface whether they have a decision framework.

Probing questions if discussion stalls:

  • 'Who in this room has the authority to take a system offline?'
  • 'What does your IR plan say about this situation?'
  • 'If the affected user's manager calls and asks what happened, what do you tell them?'

INJECT 3 (Minute 30) -- Read aloud:

IT has confirmed the initial vector: a phishing email opened by a user in accounting 
3 days ago. The malware propagated via a service account with domain administrator 
privileges. Your domain controller is now showing signs of encryption.

Your backup vendor confirms your last clean backup was taken 6 hours before 
the infection began.

Discussion: Do you pay the ransom? Who makes that decision? 
What is your recovery timeline if you restore from backup? 
What are your regulatory notification obligations?

Facilitator: Do not weigh in on paying the ransom. Let the team debate. Key question: is legal in the room? Do they know their notification obligations (GDPR 72 hours, SEC 4 business days, state breach laws)? Does anyone know the backup recovery time?


INJECT 4 (Minute 50) -- Read aloud:

A reporter from a tech publication contacts your communications team asking for 
comment on a ransomware attack affecting your organization. A screenshot of your 
ransom note has appeared on a ransomware group's leak site.

Discussion: What is your external communication strategy? 
Do you confirm the attack publicly? Who is authorized to speak to media?

Facilitator: This is where comms and legal earn their seat at the table. Does the organization have a breach communication template? Does anyone know who the authorized spokesperson is?


INJECT 5 (Minute 65) -- Read aloud:

It is now 72 hours after initial detection. You have:
- Restored 60% of affected systems from backup
- Notified your cyber insurer
- Received a law enforcement (FBI) contact
- Not paid the ransom

The attackers have published a sample of the exfiltrated data online, 
claiming it includes employee PII.

Discussion: What are your obligations to affected employees? 
Who is conducting the forensic investigation -- internal team or external firm? 
What metrics are you reporting to your board?

Scenario 2: Cloud Credential Compromise (60-Minute Version)

Scenario theme: A developer's AWS access key is exposed publicly and used by a threat actor.

Participants: Security lead, cloud/DevOps lead, legal, engineering manager


INJECT 1 (Minute 0):

Your monitoring system fires an alert at 2:17 AM: an AWS GuardDuty finding of type 
'UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom' for a developer's access key.
The API calls are originating from an IP in Eastern Europe.

The developer is on vacation and not reachable by their personal phone.

Discussion: What are your immediate actions? 
Do you deactivate the key without confirming with the developer? 
Who has the authority to make that call at 2 AM?

INJECT 2 (Minute 18):

You've deactivated the key. A post-mortem on the API calls shows: 
- 47 S3 buckets were listed
- The contents of 3 buckets were copied to an external endpoint
- A new IAM user was created with Administrator access
- 14 EC2 instances were launched (now terminated)

The developer's key was found in a public GitHub repository -- 
committed 9 days ago in a configuration file.

Discussion: What data was in those S3 buckets? Do you know immediately? 
What do you do about the new IAM user? 
What are your GDPR/breach notification obligations if customer PII was in those buckets?

INJECT 3 (Minute 35):

Your cloud team confirms one of the three accessed S3 buckets contained 
customer records including names, email addresses, and hashed passwords. 
Approximately 14,000 customer records were in the bucket.

Discussion: When and how do you notify affected customers? 
What is your messaging? Do you know which customers were affected? 
What changes do you make to prevent this from happening again?

Debrief questions for this scenario:

  • Do we have a process for rotating all credentials for an account when one is compromised?
  • How quickly can we determine what data is in an S3 bucket?
  • Who has authority to deactivate a developer's credentials without their consent?
  • Do we scan our GitHub repositories for exposed secrets on a schedule?
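The post-mortem on the API calls in Inject 2, and the debrief question about how quickly you can tell what was touched, come down to scoping one access key's activity in CloudTrail. The script below is an added example, not code from the original guide; it assumes the CloudTrail records have already been exported as a list of dicts (the Records array of a CloudTrail log file), and the events, key IDs, bucket and user names are constructed placeholders.

```python
# Added example for the cloud credential compromise scenario above; not code
# from the original guide. Assumes CloudTrail records already exported as a
# list of dicts (the Records array of a CloudTrail log file); the records
# below are constructed, with placeholder key IDs, bucket and user names.
from collections import Counter, defaultdict

LEAKED_KEY = "AKIAEXAMPLE0000LEAKED"   # placeholder, constructed

# Constructed sample records; field names follow the CloudTrail schema.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-14T02:12:30Z", "eventName": "ListObjectsV2",
     "userIdentity": {"accessKeyId": LEAKED_KEY}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "acme-customer-exports"}},
    {"eventTime": "2024-05-14T02:13:02Z", "eventName": "GetObject",
     "userIdentity": {"accessKeyId": LEAKED_KEY}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "acme-customer-exports", "key": "users.csv"}},
    {"eventTime": "2024-05-14T02:15:49Z", "eventName": "CreateUser",
     "userIdentity": {"accessKeyId": LEAKED_KEY}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2024-05-14T02:16:10Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"accessKeyId": LEAKED_KEY}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-backup2",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-14T02:17:00Z", "eventName": "RunInstances",
     "userIdentity": {"accessKeyId": LEAKED_KEY}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"instancesSet": {"items": [{"minCount": 14, "maxCount": 14}]}}},
    {"eventTime": "2024-05-14T08:00:00Z", "eventName": "GetObject",  # developer's other, legitimate key
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000OTHER0"}, "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"bucketName": "acme-build-artifacts", "key": "app.zip"}},
]

IAM_PERSISTENCE = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                   "PutUserPolicy", "CreateLoginProfile"}
DATA_ACCESS = {"GetObject", "ListObjects", "ListObjectsV2", "CopyObject"}


def scope_key(events, access_key_id):
    """Summarise one key's activity: buckets read (scopes the data-exposure
    question), IAM calls that created persistence (the new admin user), and
    EC2 instances requested. Events from other keys are ignored."""
    s = {"calls": Counter(), "source_ips": set(), "buckets_read": defaultdict(int),
         "iam_persistence": [], "instances_requested": 0, "times": []}
    for ev in events:
        if ev.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        name, params = ev["eventName"], ev.get("requestParameters") or {}
        s["calls"][name] += 1
        s["source_ips"].add(ev["sourceIPAddress"])
        s["times"].append(ev["eventTime"])  # ISO-8601 strings sort chronologically
        if name in DATA_ACCESS and params.get("bucketName"):
            s["buckets_read"][params["bucketName"]] += 1
        if name in IAM_PERSISTENCE:
            s["iam_persistence"].append((name, params.get("userName")))
        if name == "RunInstances":
            for item in (params.get("instancesSet") or {}).get("items", []):
                s["instances_requested"] += int(item.get("maxCount", 1))
    s["first_seen"], s["last_seen"] = min(s["times"], default=None), max(s["times"], default=None)
    s["buckets_read"] = dict(s["buckets_read"])
    return s


def persistence_cleanup_targets(summary):
    """IAM users the attacker created or escalated; deactivating the leaked key alone leaves these in place."""
    return sorted({user for _, user in summary["iam_persistence"] if user})
```

Run scope_key(SAMPLE_EVENTS, LEAKED_KEY) to get the bucket list for the "what data was in those buckets" question and persistence_cleanup_targets() for the IAM principals that must be removed alongside the key.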

Scenario 3: Insider Threat / Data Exfiltration (60-Minute Version)

Scenario theme: A departing employee exfiltrates customer data before their last day.

Participants: Security lead, HR director, legal, IT director, business unit manager


INJECT 1 (Minute 0):

Your DLP system alerts that a user has uploaded 3.4GB of data to a personal 
Google Drive account over the past 48 hours. The user submitted their resignation 
5 days ago and their last day is in 3 days.

The data appears to include files from the company's CRM and shared drives.

Discussion: What do you do? Do you confront the employee? 
Do you revoke their access immediately? 
Who needs to be in this conversation -- HR, legal, their manager?

Facilitator: This scenario has significant HR and legal complexity. Push on: do they have a policy? Can IT revoke access before the last day? Who makes that call?


INJECT 2 (Minute 20):

Legal advises that you should preserve evidence before taking any action 
that might alert the employee. IT has made a forensic image of the user's laptop.

The employee's manager calls you directly asking why security is involved with their employee.

Discussion: What do you tell the manager? 
Is the manager a need-to-know party at this point? 
What is the risk of the manager tipping off the employee?

INJECT 3 (Minute 38):

After confronting the employee on their last day with HR and legal present, 
they deny any wrongdoing and claim the files were work they planned to use 
as portfolio examples (not customer data specifically).

The forensic review confirms customer PII was in the exfiltrated files. 
The employee has now left the building.

Discussion: Do you involve law enforcement? 
What are your obligations to notify affected customers? 
What process change would have prevented this?

Debrief questions:

  • Do we have a formal offboarding security checklist?
  • When does IT receive notice that an employee has resigned?
  • Do we have DLP policies tuned for high-volume exfiltration to personal cloud storage?
  • Who has authority to initiate a forensic investigation on an employee's device?

Facilitator Toolkit: Probing Questions for Any Scenario

Use these when discussion stalls, circles back to the same point, or becomes overly technical:

To surface decision authority:

  • 'Who in this room has the authority to make that call right now?'
  • 'If that person is unavailable, who's the backup?'
  • 'Is that documented somewhere, or is it assumed?'

To surface plan gaps:

  • 'Does your incident response plan address this specific situation?'
  • 'How would you know which customers were affected?'
  • 'What's your recovery time objective for this system -- do you know it offhand?'

To surface communication gaps:

  • 'What do you tell employees while this is happening?'
  • 'What if a customer calls your support line asking if their data was affected?'
  • 'When does the board find out, and who tells them?'

To surface assumptions:

  • 'You said you'd call the IR firm -- do you have a retainer in place? Do you have their number saved?'
  • 'You mentioned backups -- do you know when the last clean backup was taken?'
  • 'You said you'd notify legal -- who specifically, and in what timeframe?'

To manage overconfident responses:

  • 'Help me understand what that process looks like step by step.'
  • 'Who executes that, and have they practiced it recently?'
  • 'What could go wrong with that approach?'

Debrief Structure (Last 20 Minutes)

Run the debrief immediately after the scenario while details are fresh.

Debrief facilitator script:

Great work today. Before we wrap up, I want to capture what we learned together.
I'll ask a few structured questions, and I want honest answers -- remember, 
no-fault environment.

1. What worked well? What decisions or processes felt strong?
   [Allow 3-4 responses. Capture them.]

2. Where did we hesitate or disagree? Those were our gaps.
   [This is the most important question. Spend 5-7 minutes here.]

3. What assumptions did we make that we should verify?
   Examples: 'We assumed we had a backup from 6 hours ago.'
   [Capture each assumption as a follow-up action.]

4. What three things would we do differently if this were real?
   [Capture as action items with owners and dates.]

5. What do we need to add or change in our IR plan as a result of today?
   [Capture as action items.]

After-Action Report Template

Complete this within 48 hours of the exercise while memories are fresh.


Tabletop Exercise After-Action Report

Date: [DATE]
Scenario: [SCENARIO NAME]
Participants: [NAMES AND ROLES]
Facilitator: [NAME]
Scribe: [NAME]

Scenario summary: [2-3 sentences describing the scenario tested]

What worked well:

  • [Item 1]
  • [Item 2]

Gaps identified:

Gap | Category | Severity | Owner | Target Date
No documented authority for isolating systems outside business hours | Process | High | [NAME] | [DATE]
IR plan does not address cloud-specific incidents | Documentation | High | [NAME] | [DATE]
No pre-negotiated IR retainer in place | Resource | Medium | [NAME] | [DATE]
Communication templates for customer notification do not exist | Communications | Medium | [NAME] | [DATE]

Assumptions that require verification:

  • Backup recovery time objective: verify actual RTO from last restore test
  • Legal notification timelines: confirm current GDPR/state law requirements with legal
  • IR firm contract: confirm retainer is active and 24/7 response is included

Action items:

Action | Owner | Due Date | Status
Update IR plan with system isolation authority matrix | [NAME] | [DATE] | Open
Draft customer breach notification template | [NAME] | [DATE] | Open
Schedule next tabletop exercise | [NAME] | [DATE] | Open

Next exercise recommendation: [Scenario theme for next exercise based on gaps found today]


Common First-Timer Facilitator Mistakes

Mistake 1: Solving problems for the team

When the team gets stuck, the instinct is to help. Don't. Say: 'This is exactly the kind of situation we want to surface. Let's note that as a gap and keep moving.' The gap is the output.

Mistake 2: Moving too fast through injects

If a discussion is rich and on-topic, let it run. The inject timeline is a guide, not a strict schedule. Skip an inject if needed -- it's better to go deep on two scenarios than shallow on five.

Mistake 3: Letting the technical person dominate

Tabletops surface communication and authority gaps, not just technical ones. If the conversation becomes a detailed technical discussion, redirect: 'While IT is working the technical problem, what is legal doing? What is communications preparing?'

Mistake 4: No scribe

Facilitating and taking notes simultaneously is impossible. The facilitator who tries to do both will either manage the room badly or lose the insights. Assign a dedicated scribe every time.

Mistake 5: Skipping the after-action report

A tabletop without follow-through is a useful conversation that generates no change. Block 2 hours within 48 hours of the exercise to write and distribute the AAR. If action items have no owners and dates, they will not happen.

The bottom line

Tabletop exercises work because they create a safe space to fail before you fail for real. Your first exercise will be imperfect -- the scenario may run over time, discussion may wander, someone will argue with the premises. That's fine. The gaps you find in a 90-minute tabletop cost nothing to fix. The same gaps found during an actual ransomware incident cost everything. Run one this quarter.

Frequently asked questions

What is the facilitator's role in a tabletop exercise?

The facilitator presents scenario injects, manages the clock, asks probing questions when discussion stalls, and ensures the exercise covers the key decision points. The facilitator does NOT solve problems for the team, does NOT reveal 'correct answers,' and should not be an active participant in the response discussion. Think of it as running a structured meeting, not teaching a class. Your goal is to surface gaps and assumptions the team didn't know they had.

Who should participate in a tabletop exercise?

The decision-makers who would be involved in a real incident: CISO or security lead, IT director, legal counsel, communications/PR, HR (for insider threat), executive sponsor (CEO or COO for senior scenarios), and at least one technical SME (sysadmin or SOC analyst). Avoid having only technical staff -- tabletops expose gaps in communication, authority, and decision-making, not just technical response. Aim for 6-10 participants per session.

Do you need a dedicated tool to run a tabletop exercise?

No. A printed scenario packet, a whiteboard, and a timer are sufficient. Document discussion and decisions in a shared Google Doc or Confluence page. More important than tooling is preparation: a written scenario with timed injects, a facilitator script, and a structured debrief. Commercial platforms (Axio, Cyber Range, CISA's resources) add value at scale but are not required for a first exercise.

How do you handle participants who derail the scenario with 'but that would never happen here'?

Acknowledge the concern briefly and redirect: 'That's a fair point, and we can discuss our specific environment's controls after the exercise. For now, let's assume the scenario as described and see how we'd respond.' If it continues, note it in your facilitator notes as a gap to address in the after-action report. Some of the most valuable tabletop moments come from discovering why the team believes something 'can't happen here' -- those assumptions are worth documenting.

How often should a tabletop exercise be run?

NIST SP 800-84 recommends at least annually for most organizations, with quarterly exercises for high-risk sectors (healthcare, finance, critical infrastructure). A practical schedule: one full-team exercise per year covering your highest-likelihood threat scenario, plus lighter-touch quarterly exercises (30-45 minutes, smaller team, single scenario) to keep IR reflexes current and validate previous after-action report remediation items.

What makes a tabletop exercise fail?

The four most common failures: (1) Participants spend the session debating technical details instead of decisions -- redirect to 'what would you do next, and who decides?' (2) No documentation -- insights evaporate without a scribe taking notes. (3) No after-action report -- the exercise produces no follow-through. (4) Facilitator reveals correct answers mid-exercise -- let the team discover gaps organically, then debrief. Never say 'you should have done X' during the scenario.

Sources & references

  1. NIST SP 800-84 (Guide to Test, Training, and Exercise Programs)
  2. CISA Tabletop Exercise Packages
  3. SANS Incident Response Survey
  4. MITRE ATT&CK
  5. Atomic Red Team
  6. FEMA Exercise and Evaluation Program

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
