Incident Response Training

Practice the breach before it's the real thing.

Realistic, facilitated crisis simulations that test your people, processes, and playbooks under pressure — revealing gaps in your response before an attacker does.

Tabletop Exercise — Live Session  ·  In Progress
Active Scenario
Ransomware deployment detected across production infrastructure
T+01:47  ·  8 participants
Scenario injects
T+0:00  ·  Inject  ·  SOC alerts to unusual outbound traffic from 3 servers. EDR flagging encrypted file activity.
T+0:32  ·  Escalate  ·  Finance reports they cannot access shared drives. IT confirms spread to 40% of endpoints.
T+1:15  ·  Inject  ·  Ransom note found on CEO's workstation. $2.4M demand, 72-hour deadline.
T+1:47  ·  Escalate  ·  Journalist calls PR asking to comment on claims of stolen customer data posted online.
Overview

Your response is only as good as your last practice

A tabletop exercise is a facilitated, discussion-based simulation where your team works through a realistic cyber incident scenario in real time. No systems are touched — but the pressure, the decisions, and the gaps are completely real.

Most organizations have incident response plans. Far fewer have ever actually tested them. When a real breach hits, it's not the plan that fails — it's the people, communication, and coordination around it. A tabletop exercise reveals those gaps before an attacker does.

Our facilitators bring the mindset of an adversary and the experience of dozens of real incident responses. We design scenarios specifically for your industry, infrastructure, and likely threat actors — then guide your team through escalating crisis conditions that expose exactly where your response breaks down.

277d
Average time to identify a breach without a practiced response
3x
Faster containment for organizations with tested IR plans
100%
Of our exercises uncover previously unknown response gaps
What every exercise includes
Built to stress-test your real response
Custom scenario design
Scenarios built around your industry, threat model, and real infrastructure
Expert facilitation
Led by practitioners with real-world incident response experience
Escalating injects
Realistic updates that force decisions under mounting pressure
Multi-team coordination testing
Cross-functional stress test: Security, IT, Legal, Comms, and Executive
Hot wash debrief
Immediate post-exercise discussion capturing real-time observations
After-action report
Detailed findings, gaps identified, and a prioritized improvement roadmap
Playbook recommendations
Specific updates to your IR plan and runbooks based on exercise findings
Scenario Types

Realistic scenarios for your real threat landscape

Most Common
Ransomware Attack
Encryption spreading across your infrastructure, ransom demand, data exfiltration claims, and mounting media pressure — all happening simultaneously.
Containment  ·  Comms  ·  Recovery  ·  Negotiation
High Impact
Data Breach & Exfiltration
Customer PII or sensitive business data discovered in attacker hands. Tests breach notification obligations, regulatory reporting timelines, and customer communication.
GDPR  ·  Notification  ·  Legal  ·  PR
Insider Threat
Malicious Insider
A trusted employee abusing access to steal data or sabotage systems. Tests detection, access revocation, HR coordination, and evidence preservation.
HR Coordination  ·  Forensics  ·  Access Control
Supply Chain
Third-Party Compromise
A critical vendor is breached and the attacker pivots into your environment. Tests vendor risk response, supply chain isolation, and third-party communication.
Vendor Isolation  ·  Supply Chain  ·  Trust Decisions
Cloud
Cloud Infrastructure Takeover
Compromised cloud credentials leading to unauthorized resource provisioning, data access, and privilege escalation across your AWS, Azure, or GCP environment.
IAM Response  ·  Cloud Forensics  ·  Cost Impact
Social Engineering
Business Email Compromise
Executive impersonation leading to fraudulent wire transfer, credential theft, or unauthorized access. Tests financial controls, verification procedures, and executive comms.
Financial Controls  ·  Exec Comms  ·  Fraud Response
How It Works

From scoping to after-action report

Every exercise is carefully designed around your organization before the session begins — and the learning continues long after it ends. Our facilitators manage every detail so your team can focus entirely on the scenario.

Phase 01
Pre-exercise scoping
We meet with your team to understand your infrastructure, existing IR plan, regulatory obligations, and the specific gaps you want to test. Participants, format, and scenario themes are agreed before any design begins.
Kickoff call  ·  IR plan review  ·  Participant mapping  ·  Threat profiling
Phase 02
Scenario design & inject planning
Our team builds a custom scenario narrative, designs escalating injects calibrated to your environment, and prepares facilitator materials. Every detail is tailored — your industry, your technology stack, your regulatory exposure.
Custom narrative  ·  Escalating injects  ·  Decision triggers
Phase 03
Live exercise facilitation
A half-day or full-day session led by our facilitators. Your team works through the crisis in real time — making decisions, delegating actions, communicating across functions — while we observe and inject new developments.
Half-day or full-day  ·  In-person or remote  ·  Multi-team
Phase 04
Hot wash debrief & after-action report
Immediately after the exercise, we run a structured debrief capturing what worked, what didn't, and why. Within two weeks you receive a full after-action report with prioritized recommendations and playbook updates.
Hot wash debrief  ·  After-action report  ·  Playbook updates
Participants

The right people in the room

A tabletop exercise is only as valuable as the people participating. We help you identify the right cross-functional participants to surface every decision point your response plan depends on.

CISO / Security Lead
Owns the response — tests strategy, escalation, and decision authority
CTO / Engineering
Technical containment, system isolation, and recovery decisions
IR / SOC Team
Detection, analysis, evidence preservation, and containment actions
Legal / Compliance
Regulatory notification obligations, evidence handling, and liability
Communications / PR
Customer, media, and stakeholder messaging under crisis conditions
Executive Leadership
High-stakes decisions, board communication, and business continuity
IT Operations
Infrastructure management, backup recovery, and vendor coordination
HR / People Ops
Critical for insider threat scenarios — access revocation and investigation
What your team walks away with
Clear visibility into response gaps
Specific breakdowns in communication, decision-making, or process that would cost you time in a real incident
A more cohesive response team
Shared mental model of roles, escalation paths, and decision authority across all functions
Updated IR plan and playbooks
Targeted revisions to your existing documentation based on what actually broke during the exercise
Audit-ready documentation
Exercise evidence satisfying HIPAA, PCI-DSS, SOC 2, and cyber insurance requirements
Reduced time to contain
Teams that have practiced respond faster, make fewer errors, and contain incidents at lower cost
Why It Matters

You can't learn to fight a fire during the fire

Surface gaps before attackers find them
Discover the holes in your response plan, communication chains, and escalation paths in a safe environment — not when a real incident is unfolding at 2am.
Dramatically reduce breach costs
Organizations with tested IR plans contain incidents 3x faster. Faster containment means less data exposed, less downtime, and substantially lower total incident cost.
Meet compliance requirements
HIPAA, PCI-DSS, SOC 2, and most cyber insurance policies require or incentivize documented IR testing. Our after-action reports satisfy those requirements directly.
Align your entire organization
Security, Legal, Comms, and Executive teams often have conflicting assumptions about who decides what during a breach. A tabletop aligns everyone before those conflicts matter.
Build leadership confidence
Executives and board members gain confidence that the organization knows how to respond. Demonstrated preparedness is increasingly important to investors, insurers, and partners.
Improve with every exercise
Annual tabletops track measurable improvement in response time, decision quality, and cross-team coordination — giving you a clear picture of how your program is maturing.
Compliance & Insurance

Satisfying regulators and insurers

Incident response testing isn't just best practice — it's increasingly mandated by regulators and required or incentivized by cyber insurers. Our after-action documentation is designed to satisfy all of them.

HIPAA
HIPAA Security Rule
Requires documented IR procedures and periodic testing of contingency plans under 45 CFR § 164.308(a)(6).
PCI-DSS
PCI-DSS v4.0 Requirement 12.10
Requires an IR plan to be implemented and tested at least annually, with documented roles and communication procedures.
SOC 2
SOC 2 CC7.3 & CC7.4
Requires procedures for responding to and recovering from security incidents, including testing of response procedures.
NIST CSF
NIST CSF Respond & Recover Functions
Tabletop exercises directly address the Respond and Recover functions of the NIST Cybersecurity Framework at every maturity tier.
Cyber Ins.
Cyber Insurance Requirements
Most carriers now require documented IR testing. Demonstrated preparedness can reduce premiums and improve coverage terms.
Frameworks & standards covered
HIPAA  ·  PCI-DSS v4  ·  SOC 2 Type II  ·  NIST CSF 2.0  ·  ISO 27001  ·  GLBA  ·  CMMC  ·  NY DFS  ·  Cyber Insurance
After-action report includes
Exercise scope, objectives, and participant list
Full scenario narrative and inject timeline
Documented observations per phase and team
Gap analysis with root cause and business impact
Prioritized remediation recommendations
IR plan and playbook update recommendations
Compliance attestation language for auditors and insurers
Why Radical Security

Facilitators who've lived real incidents

Our facilitators aren't trainers reading from a script — they're practitioners who have managed real ransomware responses, real data breaches, and real crisis communications. That experience makes the difference between a checkbox exercise and one that genuinely prepares your team.

Built Around You
No off-the-shelf scenarios. Every exercise is designed around your specific infrastructure, your industry's threat landscape, and the gaps you most need to test.
Real Practitioner Insight
Our facilitators bring firsthand experience from actual incident responses — adding context and credibility that makes every inject feel genuinely realistic.
Cross-Functional by Design
We deliberately involve Legal, Comms, and Executive teams — not just security. The most costly IR failures happen at the seams between teams, and that's where we focus.
Actionable Every Time
Every exercise ends with a specific, prioritized improvement plan — not a generic set of best practices. We measure progress year-over-year so you can see your program maturing.

Ready to stress-test your incident response?

Let's talk about your team, your threat model, and what a tabletop exercise designed specifically for your organization looks like.

Custom scoping at no charge. No commitment required.