Cybersecurity Tabletop Exercise

Cybersecurity Tabletop Exercise Services Rehearse the Breach Before It Grades You

A cybersecurity tabletop exercise is a facilitated, discussion-based simulation in which your leadership and technical teams walk through a realistic attack scenario - ransomware detonating on a Friday night, a compromised executive mailbox, a vendor breach that touches your data - and practice every decision the real event would demand, without any real systems at risk. Petronella Technology Group designs and facilitates tabletop exercises built on 24 years of securing regulated businesses, real forensic casework, and the compliance frameworks your auditors and insurers actually check.

Facilitated by Real Incident Responders | CyberAB RPO #1449 | Securing Regulated Businesses Since 2002
What It Is

What Is a Cybersecurity Tabletop Exercise?

A cybersecurity tabletop exercise is a structured rehearsal of your incident response plan. A facilitator presents an evolving attack scenario in stages, and your team - executives, IT, legal, communications, operations - talks through what they would actually do at each stage: who declares an incident, who calls the insurer, who can authorize shutting down a production system, what you tell customers, and when the regulatory reporting clock starts. Nothing is touched technically. The exercise tests the plan, the people, and the decision-making, and it ends with a written after-action report that turns every stumble into a specific fix.

Key Takeaways

  • A tabletop exercise finds the gaps in your incident response plan while they are cheap to fix - in a conference room, not during a breach with revenue and evidence on the line.
  • Frameworks your business answers to already expect this: NIST SP 800-171 control 3.6.3 requires you to test your incident response capability, CMMC Level 2 assesses it, and cyber insurance applications increasingly ask when you last exercised your plan.
  • Petronella Technology Group exercises are written around your real environment and facilitated by practitioners who respond to actual incidents, including digital forensics work led by an NC-licensed examiner.
  • The deliverable is not a certificate of attendance: it is an after-action report with scored objectives, identified gaps, and a prioritized remediation roadmap you can hand to an assessor, an underwriter, or your board.

Why It Matters

A Plan That Has Never Been Rehearsed Is a Theory

Most businesses that have an incident response plan have never once run it. The first rehearsal happens during a real breach, which is the most expensive possible place to discover the plan has holes.

The failures a tabletop exposes are rarely technical. They are organizational, and they are remarkably consistent from company to company. The plan names an incident commander who left the company a year ago. Nobody in the room knows whether the business actually has cyber insurance, what it covers, or that the carrier requires notification before an outside firm is engaged. The after-hours contact list has never been tested at 2 AM on a Saturday. Leadership assumes IT can restore from backups, and IT assumes someone has verified those backups recently, and both assumptions are wrong at the same time. The communications lead drafts a customer notice on the spot and discovers no one can say what legal review it needs. Every one of those discoveries costs a few uncomfortable minutes in a tabletop exercise. In a live incident, each one costs hours or days, and the hours at the front of a breach are the ones that decide the outcome.

There is also a hard compliance dimension, and it is the reason many of our clients schedule their first exercise. NIST SP 800-171, the framework behind CMMC Level 2, contains control 3.6.3: test the organizational incident response capability. A defense contractor cannot honestly score that control without evidence of an actual test, and a facilitated tabletop with a written after-action report is exactly the artifact an assessor wants to see. NIST SP 800-61, the federal incident handling guide our NIST 800-61 incident response work is built around, recommends exercises as the core method for validating a response capability. HIPAA's Security Rule expects contingency plans to be tested and revised rather than filed away. And cyber insurance underwriters have joined the auditors: renewal questionnaires now regularly ask whether the incident response plan exists, when it was last exercised, and who facilitated. A dated after-action report answers all three questions before the premium conversation starts.

The evidence angle is the one businesses discover last, and it is where our forensics background changes the exercise. As Craig Petronella, MIT-certified cybersecurity professional, NC Licensed Digital Forensics Examiner (License #604180-DFE), and author of How Hackers Can Crush Your Business, has seen across real investigations and expert witness engagements, the instinctive first moves in a breach - wiping the infected machine, restoring over the top of it, deleting the suspicious account - routinely destroy the forensic record that insurers, lawyers, and regulators later demand. A good tabletop scenario forces that exact moment: the facilitator asks who preserves evidence before remediation begins, and the room goes quiet. Teams that have rehearsed that question once under no pressure answer it correctly under real pressure. Teams that have not, learn it from opposing counsel.

Could Your Team Answer the 2 AM Questions Today?

Who declares the incident? Who calls the carrier? Who can take production down? If any answer is "we would figure it out," a half-day exercise will fix that this month.

What We Deliver

What a Petronella Tabletop Exercise Includes

A tabletop is only as good as its scenario and its debrief. We invest in both ends: design that reflects your real environment going in, and documentation you can act on coming out.

Exercise Design & Facilitation

  • A custom scenario written around your actual systems, industry, and compliance obligations, not a generic slide deck reused across every client.
  • Staged injects that escalate realistically: the first alert, the discovery that backups are affected, the reporter calling the front desk, the ransom note with a deadline.
  • Facilitation by practitioners who handle real incidents and forensic investigations, so hard questions get asked the way a real breach would ask them.
  • Executive and technical tracks that can run together or separately, so board-level decisions and hands-on containment both get exercised.

After-Action & Improvement

  • A written after-action report scoring performance against the exercise objectives, with every gap tied to a specific, owned remediation item.
  • Compliance-ready evidence: documentation formatted to support NIST SP 800-171 control 3.6.3, CMMC assessment, HIPAA contingency testing, and insurance renewal questions.
  • Incident response plan updates, so the lessons change the actual document instead of living in meeting notes.
  • A prioritized roadmap connecting exercise findings to concrete fixes, from backup verification to escalation procedures to monitoring coverage.

Many clients pair an annual exercise with an incident response retainer, so the team that rehearses the breach with you is the same team that responds to a real one, or run it alongside our incident response services when a plan needs to be built first.


Before vs After

The Same Team, Before and After One Exercise

One facilitated afternoon changes how a business experiences its next incident. The difference is rehearsal.

Before the First Tabletop

The plan is a document

An incident response plan exists somewhere, names people who may have left, and has never been read by half the people it assigns roles to.

Decisions have no owner

Nobody can say who declares an incident, who can take production offline, or whether the insurer must approve the response firm before work starts.

Assumptions go untested

Backups are assumed good, contact lists are assumed current, and evidence handling is assumed to be someone's job. None of it has been checked.

After a Petronella Tabletop

The plan has been driven

Every named role has practiced its decisions once, the plan is updated with what the exercise exposed, and the next rehearsal has a date.

Authority is settled

Declaration, escalation, spending, and shutdown authority are written down and known, so the first hour of a real incident starts with action.

Gaps became a roadmap

The after-action report converts every stumble into an owned remediation item, and the documentation satisfies assessors and underwriters.


Comparison

Template Download vs DIY Session vs Facilitated Exercise

There are free tabletop templates on the internet, and running one internally beats doing nothing. Here is what changes when a practitioner designs and facilitates it.

FactorTemplate DownloadDIY Internal SessionPetronella Facilitated
Scenario realismGeneric, ignores your environmentLimited to threats your team already imaginesBuilt on your systems, industry, and real casework
Hard questions askedNoneColleagues rarely pressure colleaguesIndependent facilitator with forensic experience
Executive engagementLowOften skippedDedicated leadership track and decision injects
After-action reportNoneMeeting notes, if anyone writes themScored objectives, gaps, owned remediation roadmap
Compliance evidenceNoWeak, self-attestedFormatted for CMMC 3.6.3, HIPAA, and insurers
Plan actually improvesNoSometimesPlan updates included in the engagement

CISA publishes free tabletop exercise packages, and they are a genuinely useful starting point. What they cannot do is know your environment, press your specific weak points, or produce evidence an assessor will weigh. That is the facilitation gap this service closes.

How It Works

How We Design and Run Your Exercise

Six steps from scoping call to remediation roadmap, typically delivered inside three to four weeks.

1

Scope Objectives & Compliance Drivers

2

Build the Scenario Around Your Environment

3

Brief Participants & Set Ground Rules

4

Facilitate the Exercise & Escalate Injects

5

Debrief & Score Against Objectives

6

Deliver After-Action Report & Roadmap

We start by agreeing on what the exercise must prove: a defense contractor preparing for a CMMC assessment needs documented evidence against control 3.6.3, a medical practice needs its HIPAA contingency procedures pressure-tested, and a company burned by a near miss usually wants its escalation and communication paths examined hardest. Scenario design comes next, and it is where the value concentrates: we interview a small planning group confidentially, learn your architecture, your critical business processes, and your compliance posture, and write injects that will feel uncomfortably plausible to the people in the room. On exercise day a facilitator runs the scenario in stages over two to four hours, escalating pressure the way a real incident does, while an observer captures every decision, delay, and open question. The debrief happens while memory is fresh, and within days you receive the after-action report: objectives scored, gaps identified, and a remediation roadmap with owners and priorities. Clients who run exercises annually treat the previous report as the baseline, which is how a response capability measurably matures instead of resetting every year. Teams that discover their detection coverage was the weak link often pair the follow-up work with our managed cybersecurity services, so the next exercise starts from better telemetry.

Book the Rehearsal Before the Performance

A scoping call takes twenty minutes. We will identify your most realistic scenario, the compliance evidence you need, and the participants who should be in the room.

Why Petronella

Facilitators Who Respond to Real Incidents

Anyone can read injects off a slide. The quality of a tabletop comes from the experience behind the questions.

Petronella Technology Group has secured regulated businesses and DoD contractors since 2002, and our tabletop practice is an extension of real response work rather than a training product. We operate a 24/7 Security Operations Center and a Managed XDR Suite, we investigate actual breaches, and Craig Petronella serves as a cybersecurity expert witness, which means our facilitators have watched the exact failure patterns your exercise is designed to expose: the cleanup that destroyed the evidence, the notification deadline missed because scoping took too long, the wire that left because nobody rehearsed the fraud playbook. Those investigations are where our scenario injects come from. Craig has also written about these failure modes at length in How Hackers Can Crush Your Business and, for defense contractors, in the CMMC 2.0 Certification Guide, and the same themes run through his Encrypted Ambition podcast conversations with founders and security leaders.

The compliance fluency matters just as much. As a CyberAB Registered Provider Organization (RPO #1449) with a team of CMMC Registered Practitioners, BBB A+ rated since 2003, we know exactly what a CMMC assessor accepts as evidence for a tested incident response capability, what HIPAA expects of contingency plan testing, and what underwriters look for on a renewal application, and we format the after-action report so it serves all three without rework. For businesses across Raleigh, Durham, and the Research Triangle, and regulated clients nationwide, that means one engagement produces both a sharper response team and the paperwork the outside world demands. When an exercise reveals technical gaps, the same team can close them, from penetration testing that validates the fixes to threat intelligence that keeps the next scenario current.

"Craig and his team treat your business like it's their own. That level of care and dedication is rare, and it's why we keep coming back."

Milo Rivera, verified TrustIndex review

Use Cases

When Businesses Schedule Their First Tabletop

Almost nobody wakes up wanting a tabletop exercise. These are the four moments that actually put one on the calendar.

The CMMC assessment is booked. A defense contractor preparing for CMMC Level 2 reaches control 3.6.3 in the self-assessment and realizes there is no evidence the incident response capability has ever been tested. A facilitated exercise with a dated after-action report closes that gap in one engagement, and because the scenario involves CUI on the network, the same session pressure-tests the DFARS 72-hour reporting path the assessor will ask about.

The insurance renewal asks the question. The cyber policy application now wants to know whether the incident response plan has been exercised in the last twelve months and who facilitated. Answering no invites premium increases or exclusions; answering yes with an independent facilitator and a written report strengthens the submission. Several clients schedule their tabletop annually, sixty days before renewal, for exactly this reason.

The close call. A phishing email got clicked and nothing bad happened, this time, but the response was improvised chaos: nobody knew who to tell, the machine was reimaged before anyone thought about evidence, and leadership found out from a hallway conversation. The near miss becomes the mandate. We turn the real event into the opening inject, which makes the exercise land with unusual force because everyone in the room remembers the confusion. Pairing the exercise with our free phishing security test shows whether the click itself is still likely.

The program is maturing. A business that has built real defenses - monitoring, backups, response plan, maybe a retainer - wants to know whether the pieces work together under pressure. For these clients the tabletop is a graduation exam, and the scenario gets harder: simultaneous injects, an unavailable key person, a backup restore that fails mid-exercise. The after-action report becomes the security roadmap for the following year, and the exercise repeats annually against last year's baseline.

Who It Is For

Who Should Run a Tabletop Exercise

Defense contractors facing CMMC Level 2 Healthcare practices under HIPAA Law firms holding privileged data Financial services and CPA firms Manufacturers with downtime exposure Businesses renewing cyber insurance Teams with a plan that has never been tested Anyone who just had a close call

If your business has an incident response plan that has never been rehearsed, or a compliance framework that requires testing it, a tabletop exercise is the highest-leverage half day on your security calendar. Businesses across Raleigh, Durham, the Research Triangle, and nationwide run theirs with Petronella Technology Group because the facilitators have lived the scenarios they write.

Related Solutions

Explore Related Services

FAQ

Cybersecurity Tabletop Exercise Questions

What is a cybersecurity tabletop exercise?
A cybersecurity tabletop exercise is a facilitated, discussion-based simulation of a cyberattack. A facilitator presents an evolving scenario, such as ransomware or a compromised email account, and your leadership and technical teams talk through the decisions the real event would require: declaring the incident, containing it, preserving evidence, notifying insurers and regulators, and communicating with customers. No live systems are touched. The output is a written after-action report identifying what worked, what failed, and what to fix.
How long does a tabletop exercise take?
The exercise session itself typically runs two to four hours, and most clients schedule it as a half day so the debrief happens while memory is fresh. The full engagement, from scoping call through scenario design to delivered after-action report, usually spans three to four weeks. Participants spend meaningful time only on exercise day; the design burden is ours.
Who should participate in a tabletop exercise?
More than just IT. A breach is a business event, so the room should include an executive with real authority, the people who run your systems, and whoever owns legal, finance, communications, and operations decisions. One of the most common exercise findings is that a critical decision, like taking production offline or approving an emergency spend, belongs to someone who was never told they owned it. We often run an executive track and a technical track so both levels get exercised properly.
What does a cybersecurity tabletop exercise cost?
Cost depends on scope: a single-scenario half-day exercise for one team costs less than a multi-track engagement with custom executive and technical sessions and plan-update work. We scope each exercise to your size, objectives, and compliance drivers after a short discovery conversation rather than quoting a generic figure. Clients with an incident response retainer can often apply retainer hours toward the exercise. Call 919-348-4912 to discuss options.
Does CMMC require tabletop exercises?
CMMC Level 2 assesses NIST SP 800-171 control 3.6.3, which requires organizations to test their incident response capability. The framework does not mandate the tabletop format specifically, but a facilitated exercise with a dated after-action report is the most practical evidence most contractors can produce for that control. Our exercises for defense contractors are designed around CUI scenarios and DFARS reporting obligations so the documentation maps directly to what an assessor asks for.
Do tabletop exercises help with HIPAA or cyber insurance?
Yes on both counts. HIPAA's Security Rule expects contingency plans to be tested and revised, and an exercised incident response capability is strong evidence of that. Cyber insurance applications increasingly ask whether the response plan has been exercised recently and by whom; a facilitated exercise with independent documentation strengthens the renewal submission. We format the after-action report so it can serve your assessor, your underwriter, and your board without rework.
How often should we run a tabletop exercise?
Annually at minimum, which matches what most compliance frameworks and insurers expect, and additionally after any major change: new leadership, a merger or acquisition, a significant system migration, or a real incident. Mature programs vary the scenario each year and score against the previous after-action report, which turns the exercise from a checkbox into a measurable maturity curve.
What deliverables do we receive after the exercise?
A written after-action report containing the scenario and injects as run, performance scored against the agreed objectives, every identified gap with a specific owned remediation item, and a prioritized roadmap. Where the engagement includes plan work, you also receive the updated incident response plan itself. The report is formatted as compliance evidence for NIST SP 800-171 control 3.6.3, CMMC assessment, HIPAA contingency testing, and insurance renewal questionnaires.

Last Updated: July 2026

The Breach Will Test Your Team Either Way

Petronella Technology Group, Inc. - 5540 Centerview Dr., Suite 200, Raleigh, NC 27606. Securing the Triangle and businesses nationwide since 2002.