Performs tabletop exercises for SOC teams, simulating security incidents through discussion-based scenarios to test incident response procedures, communication workflows, and decision-making under pressure without impacting production systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident response testing.
Use this skill when:
Do not use as a replacement for technical purple team exercises — tabletop exercises test processes and decision-making, not technical detection capabilities.
Create a realistic multi-phase scenario with escalating complexity:
tabletop_exercise:
  title: "Operation Dark Harvest — Ransomware Attack Scenario"
  exercise_id: TTX-2024-Q1
  date: 2024-03-22
  duration: 3 hours (09:00-12:00)
  classification: TLP:AMBER (internal use only)
  objectives:
    1: "Test SOC team's ability to detect and triage ransomware indicators"
    2: "Validate escalation procedures from Tier 1 to incident commander"
    3: "Assess cross-functional communication with Legal, PR, and Executive leadership"
    4: "Evaluate containment decision-making under time pressure"
    5: "Test backup recovery procedures and business continuity activation"
  participants:
    - role: SOC Tier 1 Analyst (2 participants)
    - role: SOC Tier 2 Analyst (2 participants)
    - role: SOC Manager / Incident Commander
    - role: IT Operations Lead
    - role: CISO (or delegate)
    - role: Legal Counsel
    - role: Communications / PR
    - role: Business Unit Leader (Finance)
  scenario_background: >
    Your organization is a mid-size financial services company with 2,500 employees.
    The SOC operates 24/7 with 6 analysts per shift using Splunk ES and CrowdStrike Falcon.
    It is Friday afternoon at 3:45 PM. The weekend IT skeleton crew starts at 5 PM.
Design scenario injects released at scheduled intervals: