The rollercoaster of emotions that comes with responding to a critical security incident is real, and nothing I say will fully capture that feeling.
Because of that, it’s nearly impossible to ever prepare perfectly. But what you can do is practice in a safe, low-stress environment so the team isn’t figuring things out for the first time during a real outage.
Enter the Table Top Exercise (TTX) - an informal discussion-based simulation where the team plays through different roles and decisions against a hypothetical incident scenario.
The main goal isn’t to break systems - it’s to practice processes, collaboration, and decision-making so that when something actually goes wrong, you’ve already worked through the hard parts together.
TTXs are often a compliance checkbox once a year, but I’d argue that you should run them as often as your team finds them useful.
And putting a TTX together is easier than you think. Let’s run through the essentials.
The Roles
In order to run a successful TTX, there are various positions you’ll need to fill:
TTX Master - Facilitator and scenario driver. Usually a senior person who keeps the discussion moving, drops prompts when things stall, and ensures the exercise stays on track.
Incident Commander - Leads the simulated response from open to close. Owns investigation, mitigation, and the overall course of action.
Incident Deputy - Supports the Commander and owns documentation during the exercise (notes, timeline, decisions).
SME (Subject-Matter Expert) - Brought in as needed (network, app, infra, legal, comms). SMEs provide technical depth and business context.
Cross-Functional Roles - (Optional) Invite representatives from IT, product, legal, PR, customer success - whoever you’d need for a real incident.
Ground Rules
Set expectations up front so the exercise is productive:
Focus on the Exercise, not the Incident - The scenario is artificial. Don’t get hung up on perfect realism. Prioritize process, communication, and decision-making.
Work on Collaboration - Lean into your role. Ask questions. Play the worst-case assumptions and test your team’s response paths.
No “Right” Answers - Encourage discussion and divergent thinking. That’s where the learning happens.
Practice Like You Play - Capture timeline entries, decisions, artifacts, and open questions. The incident documentation plays a key part in your response and Post Mortem.
What You Need
Incident Response Processes
A TTX is only as good as the processes it tests. The objective isn’t just to talk through a made-up incident - it’s to walk your team through your actual IR process from end to end and make sure everyone knows how to execute when the clock is ticking.
At a minimum, your team should have:
An Incident Response documentation process (how you track timelines, artifacts, action items, meeting notes, etc.)
A Post-Mortem Process (how you capture root cause, lessons learned, improvement items, etc.)
If you don’t have either in place, I’ve got you covered. Check out my articles How to Create Incident Response Documentation and How to Improve Your Security Posture After a Security Incident.
TTX Scenario
The scenario is the backbone of your exercise. Write it up in advance so the session flows smoothly.
A good scenario provides just enough detail to keep the conversation moving, but leaves plenty of space for the team to problem solve.
A few tips:
Use real services and systems that exist in your environment.
Include specific assets like service accounts, container names, or endpoints to keep it grounded.
Keep it open-ended so the team has room to ask questions, pivot, and collaborate.
Want a free set of Google Slides for your next TTX? Subscribers get it free on Cybersec OS!
Running Through the Incident Scenario
When I run a TTX, I like to structure it around a simple, repeatable flow:
Event → Outcome → Artifact
Event: A short 1–2 sentence description of something that happens.
Outcome: A summary of the results or findings that come out of that event.
Artifact: A deliverable that supports the outcome (for example, logs, screenshots, or emails).
This flow keeps the incident moving, with each step feeding the next.
I’ll typically repeat this 3-5 times throughout the exercise to create a natural rhythm and progression.
The Beginning
Start with an alert.
It could be a SIEM alert, a ticket from another team, or a low-level monitoring event that doesn’t seem like a big deal at first glance. The key is to make it realistic enough to start a conversation about risk, triage, and initial response steps.
Again, keep it open-ended. Your goal is to give the team just enough context to start discussing what they’d do next.
The Middle
This is the core of your exercise.
Plan for 3-5 events that progressively build the story and test different aspects of your IR process. Each event and outcome should be plausible and prompt critical thinking or decision making.
The idea is to surface findings the team could reasonably uncover while working to resolve the incident.
Each event and outcome should be something the team could arrive at on its own through discussion.
A few tips:
Assign fictional timestamps to events to simulate a real timeline.
Include clear details on actors, systems, and actions involved.
Where possible, provide artifacts like JSON logs, screenshots, or mock files to give the scenario more realism.
The middle of the TTX is where you’ll see collaboration, decision making, and process testing come to life.
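As an added example (not from the article), here is one way to write the middle of a scenario down as Event → Outcome → Artifact steps, check it against the tips above (3-5 events, fictional timestamps that advance, an artifact behind every outcome), and render the timeline entries the Incident Deputy would capture. All hosts, accounts and log lines are constructed for illustration.

```python
# Added example (not from the article): a minimal structure for a TTX scenario
# built on the Event -> Outcome -> Artifact flow, with a validator that enforces
# the article's tips (3-5 events, fictional timestamps in order, an artifact per
# event) and a renderer for the timeline the Incident Deputy would capture.
# All names, hosts and log lines below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime
import json


@dataclass
class Step:
    timestamp: datetime          # fictional time the event "happens"
    event: str                   # 1-2 sentence description of what happens
    outcome: str                 # findings that result from the event
    artifacts: list = field(default_factory=list)  # mock logs, emails, screenshots


def validate_scenario(steps):
    """Return a list of problems; an empty list means the scenario is ready to run."""
    problems = []
    if not 3 <= len(steps) <= 5:
        problems.append(f"expected 3-5 events, got {len(steps)}")
    for i, s in enumerate(steps):
        if i and s.timestamp <= steps[i - 1].timestamp:
            problems.append(f"step {i}: timestamp does not advance the timeline")
        if not s.outcome.strip():
            problems.append(f"step {i}: missing outcome")
        if not s.artifacts:
            problems.append(f"step {i}: no artifact supports the outcome")
    return problems


def render_timeline(steps):
    """Deputy-style timeline entries, one line per step, in scenario order."""
    return [f"{s.timestamp:%Y-%m-%d %H:%M} | {s.event} -> {s.outcome}" for s in steps]


# Constructed scenario: a fictional SIEM alert that builds over three events.
MOCK_LOG = json.dumps({"ts": "2025-01-14T09:02:11Z", "user": "svc-backup",
                       "src_ip": "203.0.113.7", "action": "login", "result": "success"})
SCENARIO = [
    Step(datetime(2025, 1, 14, 9, 5), "SIEM flags svc-backup logging in from an unfamiliar IP.",
         "Login succeeded outside the normal maintenance window.", [MOCK_LOG]),
    Step(datetime(2025, 1, 14, 9, 40), "Deputy pulls auth logs for svc-backup over the last 24h.",
         "Three more logins from the same IP to the build host.", ["auth-log-excerpt.json"]),
    Step(datetime(2025, 1, 14, 10, 30), "Infra SME checks the build host for new scheduled tasks.",
         "A cron entry not tracked in config management was added at 09:10.", ["crontab-screenshot.png"]),
]
```

Running `validate_scenario(SCENARIO)` before the session catches a step you forgot to back with an artifact; `render_timeline(SCENARIO)` gives the Deputy a starting timeline to extend during the exercise.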
The End
Close the scenario in a logical way for your exercise - whether it ends in a true positive or false positive is up to you.
This phase is also about reflection. Ask questions that help the team assess how well they worked together and what could be improved, such as:
Was there an appropriate time along the way to communicate with stakeholders?
Were there any temporary actions that could have been taken along the way?
Were any response actions taken too early?
Was there a better way to contain the threat?
As TTX Master, make sure to call out key learning objectives and check in with each participant. How confident do they feel with the tools, the processes, and their role in the response?
The goal is simple: identify opportunities for training and process improvement before a real incident forces you to.
Running Through the Post Mortem
The Post Mortem is just as important as the incident itself. It’s the time for all stakeholders to come together, reflect, and identify new areas for improvement.
The purpose here isn’t just to review what happened; it’s to practice running an effective Post Mortem so that when a real incident occurs, everyone already knows the process, their roles, and what’s expected of them.
This stage also gives the team experience in formally identifying root causes and spotting opportunities for improvement. Even in a simulated TTX scenario, there’s almost always something you can take away - whether it’s a process gap, documentation gap, or miscommunication that could slow you down in a real event.
The goal: make continuous improvement second nature, whether it’s a real incident or a practice run.
If you haven’t established your Post Mortem process yet, check out my article How to Improve Your Security Posture After a Security Incident. It walks through exactly how to build one.
Measuring Success
As TTX Master, your role is to observe how the team performs and identify where things can improve. Here are a few key areas to watch during the exercise:
Understanding of IR Processes - Make sure there’s no friction when it comes to spinning up resources, following playbooks, or referencing documentation. This is your chance to test how well your written processes actually hold up in practice.
Communication and Collaboration - Watch how the team interacts under simulated pressure. Are they collaborating effectively? Are leaders guiding the conversation and fostering clear, open communication?
Technical Familiarity - Pay attention to how comfortable the team is with the technologies involved. Misunderstandings here can reveal gaps in knowledge or training that could slow response time in a real incident.
Role Execution - Each role should feel natural and defined. The Incident Commander should take clear ownership and direction, while the Incident Deputy maintains strong documentation and support. SMEs should demonstrate confidence within their areas of expertise.
While there’s no single metric for success in a TTX, your job as facilitator is to take notes on any friction points, process gaps, or miscommunications that arise.
After the exercise, talk to your team. Gather their feedback, ask how comfortable they felt, and capture their perspectives on what worked and what didn’t.
Just like a SaaS company talks to its customers to understand pain points, you should talk to your team to understand yours.
That’s how you improve your IR processes, your confidence, and ultimately - your security posture.
And finally, run TTXs often. Don’t limit them to a once-a-year compliance checkbox. Rotate roles, mix up scenarios, and give everyone the opportunity to build the experience and composure needed to thrive when the real thing hits.
Securely Yours,
Ryan G. Cox
P.S. The Cybersec Cafe follows a weekly cadence.
Each week, I deliver a Deep Dive on a cybersecurity topic designed to sharpen your perspective, strengthen your technical edge, and support your growth as a professional - straight to your inbox.
. . .
For more insights and updates between issues, you can always find me on Twitter/X or my Website. Let’s keep learning, sharing, and leveling up together.