Cybersecurity Tabletop Exercise Services Rehearse the Breach Before It Grades You
A cybersecurity tabletop exercise is a facilitated, discussion-based simulation in which your leadership and technical teams walk through a realistic attack scenario - ransomware detonating on a Friday night, a compromised executive mailbox, a vendor breach that touches your data - and practice every decision the real event would demand, without any real systems at risk. Petronella Technology Group designs and facilitates tabletop exercises built on 24 years of securing regulated businesses, real forensic casework, and the compliance frameworks your auditors and insurers actually check.
What Is a Cybersecurity Tabletop Exercise?
A cybersecurity tabletop exercise is a structured rehearsal of your incident response plan. A facilitator presents an evolving attack scenario in stages, and your team - executives, IT, legal, communications, operations - talks through what they would actually do at each stage: who declares an incident, who calls the insurer, who can authorize shutting down a production system, what you tell customers, and when the regulatory reporting clock starts. Nothing is touched technically. The exercise tests the plan, the people, and the decision-making, and it ends with a written after-action report that turns every stumble into a specific fix.
Key Takeaways
- A tabletop exercise finds the gaps in your incident response plan while they are cheap to fix - in a conference room, not during a breach with revenue and evidence on the line.
- Frameworks your business answers to already expect this: NIST SP 800-171 control 3.6.3 requires you to test your incident response capability, CMMC Level 2 assesses it, and cyber insurance applications increasingly ask when you last exercised your plan.
- Petronella Technology Group exercises are written around your real environment and facilitated by practitioners who respond to actual incidents, including digital forensics work led by an NC-licensed examiner.
- The deliverable is not a certificate of attendance: it is an after-action report with scored objectives, identified gaps, and a prioritized remediation roadmap you can hand to an assessor, an underwriter, or your board.
A Plan That Has Never Been Rehearsed Is a Theory
Most businesses that have an incident response plan have never once run it. The first rehearsal happens during a real breach, which is the most expensive possible place to discover the plan has holes.
The failures a tabletop exposes are rarely technical. They are organizational, and they are remarkably consistent from company to company. The plan names an incident commander who left the company a year ago. Nobody in the room knows whether the business actually has cyber insurance, what it covers, or that the carrier requires notification before an outside firm is engaged. The after-hours contact list has never been tested at 2 AM on a Saturday. Leadership assumes IT can restore from backups, and IT assumes someone has verified those backups recently, and both assumptions are wrong at the same time. The communications lead drafts a customer notice on the spot and discovers no one can say what legal review it needs. Every one of those discoveries costs a few uncomfortable minutes in a tabletop exercise. In a live incident, each one costs hours or days, and the hours at the front of a breach are the ones that decide the outcome.
There is also a hard compliance dimension, and it is the reason many of our clients schedule their first exercise. NIST SP 800-171, the framework behind CMMC Level 2, contains control 3.6.3: test the organizational incident response capability. A defense contractor cannot honestly score that control without evidence of an actual test, and a facilitated tabletop with a written after-action report is exactly the artifact an assessor wants to see. NIST SP 800-61, the federal incident handling guide our NIST 800-61 incident response work is built around, recommends exercises as the core method for validating a response capability. HIPAA's Security Rule expects contingency plans to be tested and revised rather than filed away. And cyber insurance underwriters have joined the auditors: renewal questionnaires now regularly ask whether the incident response plan exists, when it was last exercised, and who facilitated. A dated after-action report answers all three questions before the premium conversation starts.
The evidence angle is the one businesses discover last, and it is where our forensics background changes the exercise. As Craig Petronella, MIT-certified cybersecurity professional, NC Licensed Digital Forensics Examiner (License #604180-DFE), and author of How Hackers Can Crush Your Business, has seen across real investigations and expert witness engagements, the instinctive first moves in a breach - wiping the infected machine, restoring over the top of it, deleting the suspicious account - routinely destroy the forensic record that insurers, lawyers, and regulators later demand. A good tabletop scenario forces that exact moment: the facilitator asks who preserves evidence before remediation begins, and the room goes quiet. Teams that have rehearsed that question once under no pressure answer it correctly under real pressure. Teams that have not, learn it from opposing counsel.
Could Your Team Answer the 2 AM Questions Today?
Who declares the incident? Who calls the carrier? Who can take production down? If any answer is "we would figure it out," a half-day exercise will fix that this month.
What a Petronella Tabletop Exercise Includes
A tabletop is only as good as its scenario and its debrief. We invest in both ends: design that reflects your real environment going in, and documentation you can act on coming out.
Exercise Design & Facilitation
- A custom scenario written around your actual systems, industry, and compliance obligations, not a generic slide deck reused across every client.
- Staged injects that escalate realistically: the first alert, the discovery that backups are affected, the reporter calling the front desk, the ransom note with a deadline.
- Facilitation by practitioners who handle real incidents and forensic investigations, so hard questions get asked the way a real breach would ask them.
- Executive and technical tracks that can run together or separately, so board-level decisions and hands-on containment both get exercised.
After-Action & Improvement
- A written after-action report scoring performance against the exercise objectives, with every gap tied to a specific, owned remediation item.
- Compliance-ready evidence: documentation formatted to support NIST SP 800-171 control 3.6.3, CMMC assessment, HIPAA contingency testing, and insurance renewal questions.
- Incident response plan updates, so the lessons change the actual document instead of living in meeting notes.
- A prioritized roadmap connecting exercise findings to concrete fixes, from backup verification to escalation procedures to monitoring coverage.
Many clients pair an annual exercise with an incident response retainer, so the team that rehearses the breach with you is the same team that responds to a real one, or run it alongside our incident response services when a plan needs to be built first.
Scenarios We Run Most Often
Every scenario is customized to your environment, but most engagements start from one of these four families, chosen to match your most realistic threat.
Ransomware Detonation
Encryption spreads across file servers on a Friday night, backups may be affected, and a ransom note sets a deadline. Tests containment authority, backup reality, the pay-or-rebuild decision, and who calls the insurer and when.
Business Email Compromise
A finance-team mailbox has been quietly controlled for weeks and a six-figure wire has gone to the wrong account. Tests fraud response, bank and carrier notification, forensic scoping, and how you determine what else was read.
Data Breach & Exfiltration
Customer or patient data has left the network and a journalist knows before you do. Tests evidence preservation, breach notification obligations, communications discipline, and legal engagement under a running clock.
Compliance-Clock Incident
Suspicious activity touches a system holding CUI or PHI, and DFARS 72-hour reporting or HIPAA notification deadlines start running. Tests scoping speed, reporting accuracy, and whether your plan matches NIST SP 800-61.
The Same Team, Before and After One Exercise
One facilitated afternoon changes how a business experiences its next incident. The difference is rehearsal.
The plan is a document
An incident response plan exists somewhere, names people who may have left, and has never been read by half the people it assigns roles to.
Decisions have no owner
Nobody can say who declares an incident, who can take production offline, or whether the insurer must approve the response firm before work starts.
Assumptions go untested
Backups are assumed good, contact lists are assumed current, and evidence handling is assumed to be someone's job. None of it has been checked.
The plan has been driven
Every named role has practiced its decisions once, the plan is updated with what the exercise exposed, and the next rehearsal has a date.
Authority is settled
Declaration, escalation, spending, and shutdown authority are written down and known, so the first hour of a real incident starts with action.
Gaps became a roadmap
The after-action report converts every stumble into an owned remediation item, and the documentation satisfies assessors and underwriters.
Template Download vs DIY Session vs Facilitated Exercise
There are free tabletop templates on the internet, and running one internally beats doing nothing. Here is what changes when a practitioner designs and facilitates it.
| Factor | Template Download | DIY Internal Session | Petronella Facilitated |
|---|---|---|---|
| Scenario realism | Generic, ignores your environment | Limited to threats your team already imagines | Built on your systems, industry, and real casework |
| Hard questions asked | None | Colleagues rarely pressure colleagues | Independent facilitator with forensic experience |
| Executive engagement | Low | Often skipped | Dedicated leadership track and decision injects |
| After-action report | None | Meeting notes, if anyone writes them | Scored objectives, gaps, owned remediation roadmap |
| Compliance evidence | No | Weak, self-attested | Formatted for CMMC 3.6.3, HIPAA, and insurers |
| Plan actually improves | No | Sometimes | Plan updates included in the engagement |
CISA publishes free tabletop exercise packages, and they are a genuinely useful starting point. What they cannot do is know your environment, press your specific weak points, or produce evidence an assessor will weigh. That is the facilitation gap this service closes.
How We Design and Run Your Exercise
Six steps from scoping call to remediation roadmap, typically delivered inside three to four weeks.
Scope Objectives & Compliance Drivers
Build the Scenario Around Your Environment
Brief Participants & Set Ground Rules
Facilitate the Exercise & Escalate Injects
Debrief & Score Against Objectives
Deliver After-Action Report & Roadmap
We start by agreeing on what the exercise must prove: a defense contractor preparing for a CMMC assessment needs documented evidence against control 3.6.3, a medical practice needs its HIPAA contingency procedures pressure-tested, and a company burned by a near miss usually wants its escalation and communication paths examined hardest. Scenario design comes next, and it is where the value concentrates: we interview a small planning group confidentially, learn your architecture, your critical business processes, and your compliance posture, and write injects that will feel uncomfortably plausible to the people in the room. On exercise day a facilitator runs the scenario in stages over two to four hours, escalating pressure the way a real incident does, while an observer captures every decision, delay, and open question. The debrief happens while memory is fresh, and within days you receive the after-action report: objectives scored, gaps identified, and a remediation roadmap with owners and priorities. Clients who run exercises annually treat the previous report as the baseline, which is how a response capability measurably matures instead of resetting every year. Teams that discover their detection coverage was the weak link often pair the follow-up work with our managed cybersecurity services, so the next exercise starts from better telemetry.
Book the Rehearsal Before the Performance
A scoping call takes twenty minutes. We will identify your most realistic scenario, the compliance evidence you need, and the participants who should be in the room.
Facilitators Who Respond to Real Incidents
Anyone can read injects off a slide. The quality of a tabletop comes from the experience behind the questions.
Petronella Technology Group has secured regulated businesses and DoD contractors since 2002, and our tabletop practice is an extension of real response work rather than a training product. We operate a 24/7 Security Operations Center and a Managed XDR Suite, we investigate actual breaches, and Craig Petronella serves as a cybersecurity expert witness, which means our facilitators have watched the exact failure patterns your exercise is designed to expose: the cleanup that destroyed the evidence, the notification deadline missed because scoping took too long, the wire that left because nobody rehearsed the fraud playbook. Those investigations are where our scenario injects come from. Craig has also written about these failure modes at length in How Hackers Can Crush Your Business and, for defense contractors, in the CMMC 2.0 Certification Guide, and the same themes run through his Encrypted Ambition podcast conversations with founders and security leaders.
The compliance fluency matters just as much. As a CyberAB Registered Provider Organization (RPO #1449) with a team of CMMC Registered Practitioners, BBB A+ rated since 2003, we know exactly what a CMMC assessor accepts as evidence for a tested incident response capability, what HIPAA expects of contingency plan testing, and what underwriters look for on a renewal application, and we format the after-action report so it serves all three without rework. For businesses across Raleigh, Durham, and the Research Triangle, and regulated clients nationwide, that means one engagement produces both a sharper response team and the paperwork the outside world demands. When an exercise reveals technical gaps, the same team can close them, from penetration testing that validates the fixes to threat intelligence that keeps the next scenario current.
"Craig and his team treat your business like it's their own. That level of care and dedication is rare, and it's why we keep coming back."
Milo Rivera, verified TrustIndex reviewWhen Businesses Schedule Their First Tabletop
Almost nobody wakes up wanting a tabletop exercise. These are the four moments that actually put one on the calendar.
The CMMC assessment is booked. A defense contractor preparing for CMMC Level 2 reaches control 3.6.3 in the self-assessment and realizes there is no evidence the incident response capability has ever been tested. A facilitated exercise with a dated after-action report closes that gap in one engagement, and because the scenario involves CUI on the network, the same session pressure-tests the DFARS 72-hour reporting path the assessor will ask about.
The insurance renewal asks the question. The cyber policy application now wants to know whether the incident response plan has been exercised in the last twelve months and who facilitated. Answering no invites premium increases or exclusions; answering yes with an independent facilitator and a written report strengthens the submission. Several clients schedule their tabletop annually, sixty days before renewal, for exactly this reason.
The close call. A phishing email got clicked and nothing bad happened, this time, but the response was improvised chaos: nobody knew who to tell, the machine was reimaged before anyone thought about evidence, and leadership found out from a hallway conversation. The near miss becomes the mandate. We turn the real event into the opening inject, which makes the exercise land with unusual force because everyone in the room remembers the confusion. Pairing the exercise with our free phishing security test shows whether the click itself is still likely.
The program is maturing. A business that has built real defenses - monitoring, backups, response plan, maybe a retainer - wants to know whether the pieces work together under pressure. For these clients the tabletop is a graduation exam, and the scenario gets harder: simultaneous injects, an unavailable key person, a backup restore that fails mid-exercise. The after-action report becomes the security roadmap for the following year, and the exercise repeats annually against last year's baseline.
Who Should Run a Tabletop Exercise
If your business has an incident response plan that has never been rehearsed, or a compliance framework that requires testing it, a tabletop exercise is the highest-leverage half day on your security calendar. Businesses across Raleigh, Durham, the Research Triangle, and nationwide run theirs with Petronella Technology Group because the facilitators have lived the scenarios they write.
Explore Related Services
Cybersecurity Tabletop Exercise Questions
What is a cybersecurity tabletop exercise?
How long does a tabletop exercise take?
Who should participate in a tabletop exercise?
What does a cybersecurity tabletop exercise cost?
Does CMMC require tabletop exercises?
Do tabletop exercises help with HIPAA or cyber insurance?
How often should we run a tabletop exercise?
What deliverables do we receive after the exercise?
Last Updated: July 2026
The Breach Will Test Your Team Either Way
Petronella Technology Group, Inc. - 5540 Centerview Dr., Suite 200, Raleigh, NC 27606. Securing the Triangle and businesses nationwide since 2002.