Tabletop Exercise Design: Running a Real IR Drill at a Texas SMB
A real tabletop exercise costs 3-4 hours of leadership time and prevents 6-12 months of post-incident regret. Most Texas SMB tabletops are theater. Here is how to run one that actually works.
Introduction
An incident response tabletop exercise is now required annually by most cyber insurance carriers (see our 2026 cyber insurance renewal playbook) and is implicit in HIPAA, FTC Safeguards, and CMMC. The problem is that most tabletop exercises run at Texas SMBs are theater — a tick-box compliance exercise that produces a report nobody reads and changes nothing about how the organization actually responds to incidents.
This guide covers how to design and run a tabletop exercise that actually validates your IR capability, surfaces real gaps, and produces an after-action report that drives change. It costs about 3-4 hours of leadership time per year and prevents an enormous amount of post-incident regret.
What a Tabletop Is and Isn't
A tabletop exercise is a discussion-based simulation of an incident. The participants — typically the executive team, IT/security leadership, legal counsel, and key operational managers — work through a hypothetical incident scenario, making the decisions they would make in a real event, with a facilitator injecting events and observing.
It is NOT a technical drill (that's a "functional exercise" or "red team engagement"). It is NOT a fire drill. It is NOT a presentation about IR.
The output is a list of things that surprised participants — moments where someone said "wait, who actually has authority to do that?" or "I assumed our cyber insurance broker would handle that." Those moments are what you fix.
The Five-Phase Tabletop Structure
Phase 1: Pre-Brief (15 minutes)
- Facilitator describes the format: this is a discussion exercise, not a test
- Participants introduce roles
- Ground rules: no judgment, the goal is to find gaps, what's said in the room stays in the room
- Brief on the scenario: industry, organization size, time of day, what the organization does
Phase 2: Scenario Setup (10 minutes)
Facilitator describes the inciting event. Examples that work for Texas SMBs:
- Help desk receives multiple tickets about file share access errors at 7:45 AM Monday
- Outside contractor reports they received a payment redirect email purportedly from your AP department
- Your CEO's executive assistant reports approving an MFA push she didn't initiate
- An employee's laptop displays a ransom note demanding $400,000
- Your bank calls to verify an unusual $1.8M wire transfer to an unfamiliar account
- A vendor's SOC notifies you of credential dumps from their environment that include your domain
Phase 3: Decision Rounds (90-120 minutes)
The facilitator advances time and injects new information at each round. Participants discuss what they would do, who would do it, what authority they would need, what tools they would use, and whom they would notify.
Good injects to use:
- "It's now 9:15 AM. The CEO wants an update. What do you tell them?"
- "Your forensics provider is asking for $50,000 to start. Who approves that decision and how fast?"
- "A reporter from Houston Business Journal is on the phone. Who talks to them?"
- "The attacker is demanding $500,000 in bitcoin within 48 hours or they publish 12TB of data including patient records. What's your position?"
- "Your largest client just emailed asking if their data is involved. What do you tell them?"
- "OCR has opened a HIPAA breach inquiry. Do you have outside counsel ready?"
Phase 4: Hot Wash (30 minutes)
Immediate after-action discussion while it's fresh. What worked? What didn't? Where did people get stuck? What questions came up that nobody could answer? What assumptions turned out to be wrong?
Phase 5: Written After-Action Report (drafted within 7 days)
Documents the scenario, the participants, the discoveries, the action items, and an owner and due date for each action item. Distributed to the executive sponsor and all participants. Reviewed at the next quarterly leadership meeting.
Common Discoveries That Drive Real Change
- Nobody actually knows the IR retainer phone number — and the contract has expired
- Outside counsel is "the firm we use for general business" — and they have no breach response experience
- The cyber insurance policy has a $10,000 deductible that requires the CFO's approval — and the CFO is on vacation
- The backup is technically immutable but nobody has tested whether they can actually recover it (see our backup validation guide)
- The CISO and CIO disagree on who has authority to take production systems offline
- Notification timing is unclear — HIPAA says 60 days; FTC Safeguards says ASAP; Texas H.B. 300 says 60 days; the contracts with key clients say 24 hours
- The press response template doesn't exist and the marketing director is on PTO
Each of these is a fixable gap that, discovered in a tabletop, becomes a 30-day action item. Discovered in a real incident, each becomes a multi-million-dollar problem.
How Often to Run Them
- Annually at minimum — required by most cyber insurance carriers in 2026
- After any material change in IT environment, leadership team, or regulatory scope
- After any actual incident as part of the after-action process
Who Should Facilitate
The facilitator should be someone who has run tabletop exercises before and is independent enough to push back on weak answers. Internal facilitation rarely works (people are too polite to colleagues). Options:
- Your incident response retainer firm (most include one tabletop per year in the retainer)
- Your cybersecurity insurance broker (some offer this as a value-add)
- A vCISO engagement — see our vCISO service
- An MSSP or MSP+ provider with mature IR practice
Where to Start
For Texas SMBs that have never run a tabletop, or whose last tabletop was a 30-minute presentation in 2023: schedule a 3-hour session for next quarter, use the BEC + ransomware scenario, invite executive team + IT/security leadership + outside counsel, and produce a real after-action report. The discoveries will surprise you.