After attending conferences, I like to take notes and share the talks that stood out to me. This one was from the WiCyS 2026 (Women in Cybersecurity) Annual Conference, held in Washington DC.

Most organisations have an incident response plan sitting in a folder somewhere. A DR plan. A business continuity plan. What this session challenged was whether any of those plans have actually been stress tested before the moment they're needed most. That's exactly what a Tabletop Exercise, or TTX, is for.

A TTX is a structured, discussion-based scenario designed to test your existing plans before a real incident forces the test on you. Your IR plan covers the technical side and runbooks. Your DR plan deals with the severe impact of an incident. Your BC plan looks at how the organisation keeps essential operations running: finance, payroll, and everything else that can't just stop. All three need to be tested together, and that's where most organisations fall short.

Because when an incident happens, it doesn't just affect IT. It hits the entire organisation. So the first question any TTX should answer is: who is actually in the room? Legal, finance, HR, communications and PR all need a seat at the table. If the only people running through the scenario are technical teams, the gaps you find will only be technical gaps.

The key objectives of a well-run TTX are simulating an incident response, identifying gaps, building cyber awareness across the organisation, and ultimately improving response times. But the speaker was clear that a TTX should never feel comfortable. It should look different every time, and it should be designed for you to lose.

That means embracing complexity. The worst thing that can happen in your organisation is different from every other organisation, so start by talking to all your teams and finding out what that actually is. Generic scenarios produce generic outcomes. If people in the room are sitting there thinking "this would never happen to us," the exercise has already failed. Scenarios need to be custom, specific, and honestly a little uncomfortable.

At the same time, there's a careful balance to strike with the people involved. The goal is not to catch employees out or prove they don't know anything. It's to uncover gaps in processes, not in people. Facilitation matters enormously here. Blame has no place in a TTX. Every gap uncovered should be treated as a valuable discovery, framed positively, and turned into action.

That action lives in the post-TTX lessons learned session, and critically, it should involve all departments, not just IT. Gaps, improvements, timelines, and measurable checkpoints should all come out of it. And then it should happen again. A TTX is not a one-time event. Every new threat, every change to your IR plan, is a reason to run another one.

The Q&A at the end of the session filled in some useful practical detail. For customising scenarios, Backdoors and Breaches is a free resource worth starting with, though the speaker encouraged tailoring it rather than using it off the shelf. AI can help build scenarios too; just avoid putting proprietary information into it. On length, three to four hours is a reasonable target depending on the size of the organisation. On frequency, annually at minimum, but revisit whenever the IR plan changes significantly.

A few things that stuck with me from the room: keep the group to no more than 30 people, one representative from each department; anything larger gets chaotic and unwieldy. The CISO should be the one driving the invitations and decisions about who is involved. And executives should show up, even briefly. They don't need to stay the whole time, but they need to understand their role when it counts.

The speaker described the ideal TTX format as a choose-your-own-adventure. Decisions made early shape what happens later, just like in a real incident. That means the best time to make your worst mistakes is in that room, not at 2am when the alerts are firing.

These are my notes from the session, not a transcript. If you were there and see it differently, or have thoughts, drop a comment below :)