Loading...
Expert Guidance
Best Practices
Learn from incident response experts how to run tabletop exercises that actually improve your security posture.
Core Principles
Focus on Learning, Not Testing
Create a safe environment where participants can learn without fear of judgment or repercussions.
Make It Realistic
Use scenarios based on actual threats your organization faces, not generic templates.
Document Everything
Capture decisions, gaps, and insights in real-time. The debrief is only as good as your notes.
Follow Through
Identify action items during the exercise, assign owners, and track completion. Don't let insights go to waste.
Planning Best Practices
Set your exercise up for success before you even start
DO This
- Define clear, measurable objectives for the exercise
- Include all relevant stakeholders (SOC, IT, legal, comms, leadership)
- Select a scenario that matches your current threat landscape
- Prepare injects in advance with realistic details
- Brief participants on format and expectations
- Schedule enough time (2-3 hours minimum)
- Assign a dedicated facilitator and scribe
AVOID This
- Don't make the scenario too easy (no learning happens)
- Don't make it too hard (team gets overwhelmed)
- Don't turn it into a training session or lecture
- Don't skip stakeholders who would be involved in real incidents
- Don't run exercises without clear objectives
- Don't forget to test your equipment (screens, tools, etc.)
- Don't schedule it during busy periods
Facilitation Best Practices
How to run the exercise effectively
Ask Open-Ended Questions
Instead of "Would you call the CISO?", ask "Who needs to be notified and when?"
Tip: Forces deeper thinking and reveals assumptions
Embrace Awkward Silence
Give people time to think. Don't fill every pause. Silence drives better discussions.
Tip: Count to 10 before moving on from a question
Challenge Assumptions Respectfully
If someone says "We'd restore from backup," ask "How long would that take? Who has access?"
Tip: Helps identify gaps in procedures and tools
Stay Scenario-Focused
When discussions drift to "we should buy tool X," note it but return to the scenario.
Tip: Use a parking lot for off-topic items
Document Live
Have a dedicated scribe capturing decisions, gaps, and action items in real-time.
Tip: Use Breakpoint's built-in documentation features
No Blame Culture
Focus on process and procedure gaps, not individual performance.
Tip: Remind participants this is a learning environment
Post-Exercise Best Practices
Capture learnings and drive improvement
1
Hot Debrief
Immediately after the exercise, discuss what happened while it's fresh
2
Identify Gaps
What was unclear? What procedures broke down? What tools were missing?
3
Assign Actions
Create specific action items with owners and deadlines
4
Track Progress
Follow up on action items. Re-test areas where gaps were found.
The #1 Mistake
Running an exercise, identifying gaps, and then... doing nothing about them. The exercise only has value if you act on the findings.
Fix:
Before ending the debrief, assign every gap or improvement area to a specific owner with a deadline. Schedule a follow-up meeting to review progress.
In-Depth Guides
Read our comprehensive blog posts for more detailed best practices
How to Conduct an Incident Response Tabletop Exercise
Complete step-by-step guide to planning, executing, and analyzing tabletop exercises
Read more
Creating Effective Tabletop Exercise Scenarios
Learn how to design realistic, engaging scenarios that test the right capabilities
Read more
Incident Response Best Practices 2025
Latest best practices for incident response planning and execution
Read more
How to Run a Ransomware Tabletop Exercise
Specific guidance for ransomware scenarios with decision frameworks
Read more
How to Test Your Incident Response Plan
Different testing methodologies and when to use each approach
Read more
NIST Incident Response Framework Guide
Understanding and implementing the NIST IR framework
Read more
Put Best Practices Into Action
Breakpoint makes it easy to implement these best practices with built-in templates, AI-powered recommendations, and automated documentation.