Tabletop Exercises
Security threats should not be taken lightly: complacency can cause serious breaches resulting in costly financial and even legal consequences. Regularly reviewing and refreshing security protocols is integral to ensuring that systems and processes remain effective and ready to defend against modern security threats. Tabletop exercises play an important role in reviewing systems, as they enable businesses to explore their potential responses to security breaches and identify any gaps before an incident occurs. In this article we outline what tabletop exercises are and how you can use them within your organisation to prepare for and protect against security threats.
What is a Tabletop Exercise?
A tabletop exercise is a simple, discussion-based activity during which a team talks through how it would respond to a fictional security threat. Tabletop exercises are group activities that help organisations prepare for a variety of different crises. They enable participants to understand their own roles and responsibilities, as well as those of others in their team, during a security incident.

Tabletop exercises are used to prepare for a variety of different threats and are commonly used in cybersecurity. However, they can be applied in a wide range of environments. For example, the Terrorism (Protection of Premises) Act 2025, also known as Martyn’s Law, places a responsibility on certain premises to consider the risks posed by terrorism and how they would respond to a terrorist attack. Tabletop exercises can be an incredibly effective way to help an organisation comply with Martyn’s Law, as they examine whether the procedures already in place are appropriate and effective at keeping people safe.
Purpose of Tabletop Exercises
Tabletop exercises are a cost-effective way to put participants in the mindset of a real-world emergency in a safe and controlled setting. This allows teams to discuss their roles and the actions they would take as if the incident were real. Teams can therefore use tabletop exercises to ensure that everyone understands their role and can work well together in a crisis. They can also be used to test the robustness of systems that are already in place and to identify any potential lapses.
It’s important to note that these exercises are not intended to apportion blame or to ‘catch people out’. They are an opportunity to test the efficacy of security awareness and security protocols before a real-world incident occurs.
Looking for More?
Our wide range of Business Essentials Courses, such as Cyber Security Awareness and Martyn’s Law, can provide you with in-depth knowledge on how to effectively manage potential security threats.
How to Conduct a Tabletop Exercise
As mentioned, tabletop exercises are used in many different fields to test security protocols. Regardless of the industry, following certain steps can ensure that tabletop exercises are effective and comprehensive. Jack Eisenhauer of the Nexight Group approaches tabletop exercises with three core steps that shape the exercise before, during and after the discussion.
These stages are:
Design
- Clarify objectives and outcomes, with a clear understanding of what you hope to achieve during the exercise.
- Choose the right team and participants, such as the key decision-makers who would be involved in a real-world scenario.
- Design a realistic and interactive scenario that will prompt active participation.
Engage
- Create an interactive, no-fault space that builds trust and encourages discussion. Begin the exercise by making it clear that this is a learning opportunity, and encourage people to ask questions and make mistakes.
- Ask probing questions to facilitate valuable insights. You can prepare a script in advance, but be flexible and responsive to what is actually being discussed.
- Capture lessons learnt and any issues you come across as you go, rather than relying solely on notetakers. Visual tools and timelines can help you see how decisions unfold as an event escalates.
Learn
- Prepare a comprehensive after-action report once the exercise has finished, including documentation of the exercise itself as well as potential areas for improvement.
- Use the report to create a specific plan with simple, concrete goals. It can be helpful to ensure these goals are SMART (Specific, Measurable, Achievable, Relevant and Time-bound), which keeps them practical and attainable.
- Provide tools and guidance to reinforce learning and to support the improvements highlighted by the exercise.
It’s important to remember when conducting a tabletop exercise that it is a team discussion and should involve a number of different people. Whilst the individual who organises the exercise and creates the scenario may be a senior member of the team, everyone who takes part in the exercise is important and should be treated as such.
Avoid having just one person lead the exercise and dictate the outcomes, especially if this does not reflect the position that person would hold in a real-world situation. To support a collaborative environment, allow the team to act as they would in reality, including autonomously where appropriate, so that everyone can exercise the responsibilities they would have in a real situation.

It can be helpful to have a facilitator, who may be someone external to the department or organisation, to guide the exercise, as they will know when to take a step back so that the team can act of their own volition.
Tabletop Exercises Examples
Below you will find five brief examples of tabletop exercise scenarios. The efficacy of a tabletop exercise often lies in its believability and similarity to a real-world event. As such, it’s important when preparing a tabletop exercise that the scenario you create is relevant to you. The scenarios provided below are intentionally broad so that you can tailor them to your specific environment.
- Ransomware attack via phishing email – A member of the finance team has received an email from a customer stating that they are unable to make a payment. The email has an attached file claiming to be a screenshot of the error message the customer is seeing. The sender address differs from the customer’s usual address and there are several spelling mistakes in the email.
- Fire evacuation – A visitor informs the receptionist that they noticed smoke coming from a large refuse bin at the back of the building. They chose not to get any closer to investigate, but they suspect there may be a small fire.
- Malware infection – Whilst working remotely, a member of HR inserts a USB stick that has been infected with malware into their company laptop.
- Physical security breach – A member of staff mentions seeing a courier trying to enter the back of the premises. After checking CCTV, you see that an unauthorised individual has successfully gained entry to a restricted area of the building.
- Third-party provider breach – The provider you use for cloud storage across your organisation informs you of a breach that has impacted their infrastructure. Though they provide only limited details, they can confirm that your customer data has been accessed.
As mentioned above, a tabletop exercise should be designed to be realistic for your setting and to have clear objectives and outcomes. As such, it can be helpful to identify key discussion points for each scenario to guide the exercise. For example, discussion points for Scenario 5 (the third-party provider breach) may include:
- How can the scope of the breach be assessed with limited information from the provider?
- When should backup systems be activated?
- When should customers be informed?
As with the scenarios themselves, these discussion points should be tailored to your environment and the people working on the tabletop exercise.
How Often Should Tabletop Exercises be Conducted?
There is no set timeframe for how often tabletop exercises should be conducted. The regularity of these exercises depends greatly on your environment, team and resources. Tabletop exercises enable organisations to check that everyone is aware of their roles and responsibilities during a security threat and that there are no gaps in protocol. As such, if a tabletop exercise shows that a team fully understands its responsibilities, can act in a timely and autonomous manner, and that there are no or only minimal security risks, it should not need to be repeated several times over. In this instance, focus can shift to maintaining the protocols and processes that are working effectively.
However, if a tabletop exercise highlights a lack of awareness of responsibilities and significant security risks, then it can be helpful to repeat the exercise once improvements have been made.
Tabletop exercises should be conducted regularly to ensure that systems reflect changes both external, such as the discovery of a new type of threat, and internal, such as leadership changes. Whilst different industries and sectors have different needs, a good general rule of thumb is to conduct tabletop exercises at least twice a year. However, the regularity must reflect the needs of your specific organisation, as some organisations will require more frequent exercises than others.

Tabletop exercises are a cost-effective and timely way to ensure that security standards are maintained and that teams know what to do in the event of a security breach. Taking the time to make these exercises realistic and specific to your setting enables you to prepare accurately and collaboratively for a wide variety of crises. Tabletop exercises should be conducted with a ‘no fault’ approach so that employees feel confident to make mistakes they can learn from and to improve their understanding of how to respond to a potential threat.