In today's threat landscape, cybersecurity incidents are not just possible. They are highly probable, and for most organizations, eventually inevitable. As organizations rely more heavily on digital infrastructure, the stakes climb in step. For CIOs and CISOs, the challenge isn't only implementing the right controls. It's making sure your team is prepared to respond effectively when something does happen.
One of the most effective ways to build that preparedness is the tabletop exercise. Tabletop exercises create a structured, low-stakes environment where teams simulate a real incident and practice their response without the cost of an actual crisis. Done well, they don't just sharpen readiness. They expose the gaps your runbooks haven't found yet, and they build a culture of security awareness that propagates beyond the security team.
Why tabletops matter
The most expensive part of an incident is rarely the breach itself. It's the time spent figuring out who's supposed to do what, escalating through the wrong channels, and reconstructing decisions in the middle of the response. Industry research has consistently shown that organizations with regularly tested incident response plans contain breaches faster and at lower cost than those without. The reason is simple: a team that has rehearsed the plan moves faster than a team reading it for the first time.
Tabletops are how you rehearse without lighting the building on fire. A facilitator walks the team through an incident scenario, pausing at decision points to ask: What do you do now? Who do you call? What systems do you isolate? How do you communicate to customers and the board? The answers reveal exactly where your plan is real and where it's aspirational.
What a good tabletop actually looks like
The shape of a useful tabletop varies, but the strongest exercises share a few characteristics:
- The scenario is plausible for your business. A generic ransomware playbook won't surface the specific weaknesses in your environment. Build the scenario around your actual systems, your actual vendors, your actual regulatory exposure.
- The right people are in the room. Security alone isn't enough. Legal, communications, executive leadership, IT operations, and key business owners all need to be present. The first time someone meets shouldn't be in the middle of a crisis.
- Decisions get made and timed. A good facilitator pushes for actual answers, not "we would call someone." If a decision takes 20 minutes in a tabletop, it will take longer under real pressure.
- The output is a punch list. The exercise is only valuable if it generates concrete action items: missing contact information, ambiguous escalation paths, untested backups, contracts with response time gaps. Those items get owners and dates.
Common gaps tabletops surface
Across the engagements we've run, a handful of issues come up over and over:
- Out-of-date contact lists. The IR plan references a vendor contact who left the company two years ago, or an after-hours number that rolls to voicemail.
- Decision authority is unclear. Nobody knows who has the authority to take a system offline, pay a ransom demand, or notify regulators. That ambiguity costs hours.
- Communications pull in different directions. Internal comms says one thing, the legal-approved external statement says another, and the CEO posts something different on LinkedIn.
- Backups aren't actually tested. The team is confident in the recovery plan until someone asks when it was last fully exercised.
- Third parties have keys you forgot they had. An MSP or platform vendor has standing privileged access that becomes a critical question mid-incident.
How often should you run them?
For most mid-market organizations, an annual full-scope tabletop with quarterly focused exercises strikes the right balance. The annual exercise pulls in the full executive cross-functional team. The quarterly ones can be smaller and more tactical: an EDR alert escalation walk-through, a vendor-compromise scenario for the procurement team, a phishing-to-domain-admin path for security and IT operations. The cadence keeps muscle memory current without consuming the calendar.
The bottom line
The phrase that gives this post its title comes from a CISO we worked with after a real incident. He told us, plainly: "When the attacker actually showed up, my team kept saying the same thing, almost on a loop. We were ready for that." That readiness didn't come from the plan document. It came from having walked the steps before, in a room, with the people who'd have to walk them again for real.
Tabletops aren't glamorous, and they're easy to defer. But the gap between an organization that has rehearsed and one that hasn't shows up in the first 30 minutes of an incident, and it doesn't close on its own.