Having an incident response plan and knowing it works well are two very different things. If the plan has never been tested, then nobody really knows what happens when ransomware locks your file servers on a Friday afternoon. The plan may say to call someone and even list specific contact details, but what if half the team has never actually read it? It may say “isolate affected systems,” but what if no one has ever walked through the steps to see whether they make sense in practice?
A tabletop exercise answers these questions before a real incident does. Most organizations that run one for the first time are surprised by how many gaps they uncover, and relieved they found them in a conference room instead of during an actual breach.
What a Tabletop Exercise Actually Looks Like
A tabletop exercise is, at its core, a structured conversation. Your team gathers in a conference room (or on a video call), a facilitator presents a scenario, and everyone talks through what they would actually do.
NIST defines it as a discussion-based exercise where personnel meet to validate plan content “by discussing their roles during an emergency and their responses to a particular emergency situation.” CISA adds that players usually sit in their own role (CEO, IT lead, communications rep), and the goal isn’t for everyone to perform perfectly. The goal is to work as a team and find the problem areas before an attacker does.
A typical exercise for an SMB runs somewhere between 90 minutes and 3 hours, and it looks something like this:
- The facilitator opens with a brief overview of the scenario and ground rules.
- The scenario unfolds in stages, each driven by an “inject”: a new piece of information that changes what participants need to decide.
- The group talks through their responses at each stage (who does what, who calls whom, what gets documented).
- The session ends with a short debrief (often called a hotwash) where the most important gaps get named right away.
The inject format is what keeps it feeling realistic without feeling overwhelming. An inject might start with “your IT manager gets an alert about unusual behavior on three workstations.” A later inject may add something like “the behavior has spread and two file servers are unreachable” or “an employee reports a ransom note on their screen.” Each step forces a new decision, and those decisions reveal where the plan holds up and where it doesn’t.
One thing that surprises a lot of organizations doing this for the first time is that the gaps that surface are rarely technical. They’re things like not knowing who has authority to shut systems down, not having an up-to-date contact list for outside counsel, or realizing that nobody has actually read the incident response plan in two years.
At the same time, no one is expected to have all the answers. The no-blame environment is part of the design. CISA’s own guidance notes that “the ones who rarely deal with security concerns are the ones who may need more practice,” and the exercise is structured around that reality. People come in playing themselves, they respond as best they can, and the gaps they expose become the to-do list. That’s the whole point.
Cybersecurity Scenarios Every SMB Should Practice
A tabletop doesn’t require sophisticated tools or a big security budget to run. The Center for Internet Security offers exercises designed to be completed in 15 minutes, specifically with smaller teams in mind. CISA provides over 100 free, ready-to-use tabletop packages covering ransomware, insider threats, phishing, and other scenarios, each with a facilitator guide, slides, and templates already built.
The question is which scenario to start with. Three scenarios come up again and again as the most useful for SMBs to practice, because they’re the most likely threats you’ll actually face, and because each one exposes a different category of gap.
Ransomware
Verizon’s 2025 Data Breach Investigations Report found that ransomware was present in 88% of breaches at small and midsize businesses, compared with 39% of breaches at large organizations. Ransomware operations today, like the Qilin group, actively target SMBs and simply adjust their ransom demands to match the size of the victim. These numbers make a ransomware tabletop the one exercise no SMB should skip.
Fortunately, a ransomware-focused tabletop exercise is straightforward to set up. Here is one example of how the injects might build:
- An alert comes in about unusual behavior on a few workstations.
- Then file servers go offline.
- Then a ransom note appears.
At each stage your team has to make real decisions, and those decisions can reveal a lot of useful insights:
- Does anyone know the exact steps to isolate affected systems without taking down something critical in the process?
- Who has authority to make that call at 11pm on a Sunday?
- Is the CEO aware they may need to decide within hours whether to contact law enforcement?
- And are your backups actually clean, or are they on systems that were also encrypted?
That last question is especially important because ransomware can encrypt or delete backups too, especially when they sit on network shares or on servers reachable with the same credentials the attacker already holds. A lot of organizations learn during a tabletop that their backup strategy wouldn’t actually survive the scenario they’re rehearsing, and that only an offline or immutable copy would.
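The first and third injects above (unusual file activity on workstations, then a ransom note) are also what a detection rule looks for. The Python script below is an added example, not code from the original article or from any product: it reads constructed file-activity events in an assumed “timestamp host user action path” format and flags a host when it renames many files to an unfamiliar extension within a short window, or when a file with a ransom-note-style name is created. The host-name prefix used to tell servers from workstations, the extension list, the window and the threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example. Event format, extension list, thresholds and host naming are assumptions.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "zip", "bak", "tmp"}
RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|restore|recover|how_to|help)", re.I)
WINDOW = timedelta(seconds=60)
THRESHOLD = 20  # renames to an unfamiliar extension within WINDOW


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path):
    name = basename(path)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse_events(text):
    """Parse constructed lines 'timestamp host user action path'.
    For RENAME events the path field is 'old->new'."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, action, path = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "action": action, "path": path})
    return sorted(events, key=lambda e: e["ts"])


def rename_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count per host of renames to an extension outside
    KNOWN_EXTENSIONS; returns {host: peak count} for hosts over threshold."""
    recent, peaks = defaultdict(deque), {}
    for ev in events:
        if ev["action"] != "RENAME":
            continue
        new_name = ev["path"].split("->", 1)[-1]
        if extension(new_name) in KNOWN_EXTENSIONS:
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ev["host"]] = max(peaks.get(ev["host"], 0), len(q))
    return peaks


def ransom_notes(events):
    """{host: path} for newly created files whose name looks like a ransom note."""
    return {ev["host"]: ev["path"] for ev in events
            if ev["action"] == "CREATE"
            and RANSOM_NOTE_RE.search(basename(ev["path"]))
            and extension(ev["path"]) in {"txt", "html", "hta"}}


def assess(events, server_prefix="FS-"):
    """Map each host to the inject stages its activity matches:
    1 = mass renames on a workstation, 2 = the same on a file server, 3 = ransom note dropped."""
    findings = defaultdict(list)
    for host, n in rename_bursts(events).items():
        stage = 2 if host.startswith(server_prefix) else 1
        findings[host].append((stage, f"{n} renames to an unfamiliar extension within {WINDOW.seconds}s"))
    for host, path in ransom_notes(events).items():
        findings[host].append((3, f"ransom note created: {basename(path)}"))
    return {host: sorted(f) for host, f in findings.items()}


def build_sample():
    """Constructed events for the three injects; not real telemetry."""
    base = datetime(2025, 6, 13, 16, 2, 0)
    lines = []
    # Stage 1: one account on WS-014 renames 30 documents to .lockd in 45 seconds.
    for i in range(30):
        t = (base + timedelta(seconds=i * 1.5)).isoformat(timespec="seconds")
        lines.append(f"{t} WS-014 jdoe RENAME C:\\Users\\jdoe\\Documents\\report{i}.docx->C:\\Users\\jdoe\\Documents\\report{i}.docx.lockd")
    # Benign housekeeping on WS-022: three files renamed to a known extension.
    for i in range(3):
        t = (base + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{t} WS-022 asmith RENAME C:\\Users\\asmith\\old{i}.csv->C:\\Users\\asmith\\old{i}.bak")
    # Stages 2 and 3: the same account reaches a share on FS-01, encrypts it and drops a note.
    for i in range(25):
        t = (base + timedelta(minutes=4, seconds=i * 1.5)).isoformat(timespec="seconds")
        lines.append(f"{t} FS-01 jdoe RENAME D:\\Shares\\Finance\\inv{i}.xlsx->D:\\Shares\\Finance\\inv{i}.xlsx.lockd")
    t = (base + timedelta(minutes=5)).isoformat(timespec="seconds")
    lines.append(f"{t} FS-01 jdoe CREATE D:\\Shares\\Finance\\HOW_TO_RESTORE_FILES.txt")
    return "\n".join(lines)


if __name__ == "__main__":
    for host, stages in assess(parse_events(build_sample())).items():
        print(host, stages)
```

Running it lists WS-014 at stage 1 and FS-01 at stages 2 and 3, while the three housekeeping renames on WS-022 never reach the threshold. The point for the tabletop is the gap between stage 1 and stage 2: the same account that was renaming files on one workstation reached the finance share four minutes later, which is the window in which “isolate affected systems” has to have been decided and done.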
Business Email Compromise (BEC)
BEC doesn’t get the same headlines as ransomware, but the financial damage is significant. The FBI’s Internet Crime Complaint Center reported $2.77 billion in BEC losses in 2024 across more than 21,000 complaints. The average loss per incident works out to around $129,000, which is the kind of number that causes serious problems for an organization with under 100 employees.
The scenario typically boils down to this:
- Someone in finance gets an email that appears to be from the CEO asking for an urgent wire transfer to a new vendor. Or a vendor emails to say their banking details have changed.
- The email looks legitimate.
- There’s time pressure.
- The request comes from apparent authority.
A BEC tabletop tends to surface two things. First, organizations often don’t have a documented process for verifying payment changes or large wire transfers out-of-band (meaning a separate phone call to a known number, not a reply to the same email thread). Second, when fraud does occur, speed matters more than most people realize.
The FBI’s guidance for BEC victims is to contact your financial institution immediately, request that the recipient bank freeze or recall the transfer, and file a complaint with IC3, because the window for recovering the funds closes fast. Practicing who makes that call, and what information they need to have ready, is worth a tabletop exercise that can take less than two hours.
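Two of the questions above (does the email really come from where it appears to, and does it ask for a payment or a bank-detail change) can be scripted as a first triage step before the out-of-band phone call. The Python script below is an added example, not code from the original article or from OSIbeyond: it parses constructed email messages with the standard library, flags Reply-To mismatches, display-name impersonation of a known executive, look-alike sender domains and failed sender authentication, and marks any payment or bank-detail request for out-of-band verification regardless of what the headers say. The trusted domains, executive list, cue words and the four sample messages are all assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Added example. Domains, names, cue words and the sample messages are all constructed.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}   # our own domain and a known vendor
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}     # display name -> real mailbox
PAYMENT_CUES = ("wire", "bank details", "banking details", "new account",
                "routing number", "change of account", "remit to")


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Undo common look-alike substitutions (rn->m, vv->w, 0->o, 1->l, 3->e)."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(str.maketrans("013", "ole"))


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Header and content checks a finance team could run before acting on a payment email."""
    msg = message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not the From domain {from_dom}")
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append(f"display name '{from_name}' belongs to {real}, not {from_addr}")
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"sender domain {from_dom} imitates {target}")
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        findings.append("sender authentication failed")
    payment = any(cue in text for cue in PAYMENT_CUES)
    # Every payment or bank-detail request gets out-of-band verification whatever the headers say;
    # header findings on top of that escalate it to probable fraud.
    verdict = "likely_fraud" if payment and findings else "verify_out_of_band" if payment else "normal"
    return {"from": from_addr, "payment_request": payment, "findings": findings, "verdict": verdict}


# Constructed samples: an executive impersonated from free webmail, a look-alike vendor domain
# (which authenticates fine, since the attacker owns it), a routine invoice, and a genuinely
# compromised vendor mailbox that passes every header check.
CEO_IMPERSONATION = """\
From: "Dana Reyes" <dana.reyes.ceo@outlook.com>
To: accounts@example.com
Subject: Urgent wire needed today

I need you to wire $48,500 to a new vendor before 3pm. I am in meetings, email only.
"""
VENDOR_LOOKALIKE = """\
From: Acme Supplies Billing <billing@acrne-supplies.com>
Reply-To: accounts@acrne-supplies.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acrne-supplies.com; dmarc=pass header.from=acrne-supplies.com
Subject: Updated banking details for invoice 4471

Our banking details have changed. Please remit to the new account below for all future payments.
"""
VENDOR_INVOICE = """\
From: Pat Lee <billing@acme-supplies.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supplies.com; dmarc=pass header.from=acme-supplies.com
Subject: Invoice 4471 for May

Please find invoice 4471 attached. Terms are net 30 as usual.
"""
VENDOR_COMPROMISED = """\
From: Pat Lee <billing@acme-supplies.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supplies.com; dmarc=pass header.from=acme-supplies.com
Subject: Change of account for future payments

We have moved banks. Please use the new account on the attached letter for invoice 4471 and all future payments.
"""
SAMPLES = {"ceo_impersonation": CEO_IMPERSONATION, "vendor_lookalike": VENDOR_LOOKALIKE,
           "vendor_invoice": VENDOR_INVOICE, "vendor_compromised": VENDOR_COMPROMISED}


def triage_all():
    return {name: analyze(raw)["verdict"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze(raw))
```

The fourth sample is the reason the phone call is not optional: a vendor mailbox that has genuinely been taken over passes SPF and DMARC, comes from the real domain and has no Reply-To trick, so no header check will ever catch it. The script still returns “verify_out_of_band” for it, which is exactly the documented process the tabletop should confirm exists.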
Insider Threat
Many organizations skip this scenario because it feels awkward to rehearse a situation where the problem is one of your own people. That is exactly why it is worth your time and attention.
There are two main types of insider threats you should practice:
- Intentional: a departing employee downloads customer lists or sensitive project files before their last day, or a current employee deliberately exfiltrates data for a competitor.
- Unintentional: an employee uploads a sensitive file to a personal cloud account to work from home, or forwards a contract to the wrong email address.
Both of these scenarios happen, and both require your team to respond in ways that go well beyond what IT can handle alone. To do that, you need to know who is allowed to investigate employee activity, how HR and legal get involved, and what decisions IT can make independently versus what requires sign-off from leadership. Information like this is almost never written down clearly in an incident response plan, and you’re unlikely to figure it out until you’re sitting in a room walking through the scenario together.
Turning Exercise Insights Into Improvements
Running the exercise is only half the work. What happens in the days after determines whether it was useful or just a meeting.
The immediate output is typically a document called an after-action report (AAR), which captures what the exercise revealed: gaps, confused decision points, outdated contact information, and so on. Each finding gets a corrective action, an owner, and a deadline. When those actions are followed through, the exercise produces a security posture that is measurably better than it was before the room met.
Examples of improvements that commonly come out of a first tabletop exercise include:
- Updating the incident response plan to reflect how the organization actually works, not how it was supposed to work when the plan was written.
- Clarifying who has authority to make specific decisions during an incident (system shutdowns, ransom decisions, notifying regulators, engaging outside counsel).
- Building out-of-band verification procedures for wire transfers and payment changes.
- Reviewing backup configurations to confirm they would actually survive a ransomware attack.
- Establishing or updating contact lists for law enforcement, cyber insurance, legal counsel, and your IT or security provider.
- Scheduling targeted training for staff who struggled with specific parts of the scenario.
Some of these fixes are quick, while others require actual changes to systems, policies, or vendor relationships.
Another major benefit of the AAR and its completed improvement plan is that they serve as documented evidence for compliance purposes. Most frameworks that require incident response testing (PCI DSS, CMMC, HIPAA) want proof that you did something with the results, and a completed AAR gives you both: a better-prepared organization and a paper trail that satisfies your auditor.
Conclusion
A tabletop exercise is a low-cost, low-disruption way to find out where your plan breaks down before an attacker does, and you don’t need a big security team to run one. You need a few hours, the right people in the room, and a willingness to sit with some uncomfortable answers.
If you’re not sure where to start, or you want a facilitator who can run the exercise, document the findings, and help you act on them, that’s something OSIbeyond does for organizations across the DC, Maryland, and Virginia area. Schedule a call with our team and we can talk through what a first exercise would look like for your organization.