Incident Response Tabletop

Phase 2: Scenario Design

1. Create a realistic incident scenario
   • Initial detection signal (alert, customer report, security tool)
   • Escalating injects at timed intervals
   • Ambiguous information requiring investigation
   • Decisions points requiring trade-offs
   • External stakeholder communication triggers
   • Resolution path (but do not share with participants)
2. Prepare injects (new information introduced during exercise)

Scenario Timeline

Phase 3: Participant Preparation

1. Prepare participants
   • Send pre-exercise briefing (objectives, not scenario details)
   • Remind participants to bring laptops, access to tools
   • Share ground rules (no real system changes, time compression)
   • Assign exercise roles (IC, communications, technical leads)
   • Provide reference materials (runbooks, escalation paths, contact lists)
2. Brief observers on evaluation criteria
3. Set up exercise communication channels (separate from production)

Role Assignments

Phase 4: Exercise Facilitation

1. Run the tabletop exercise
   • Set the scene and deliver initial inject
   • Allow participants to discuss and respond naturally
   • Introduce injects at planned intervals
   • Ask probing questions to test depth of response
   • Observe but do not lead (let gaps surface naturally)
   • Track decisions made and rationale
   • Note areas of confusion or disagreement
   • Time-compress as needed to cover full scenario
2. Capture observations in real-time

Facilitator Probing Questions

• "Who needs to be notified at this point?"
• "What would you communicate to customers?"
• "Where would you find the runbook for this?"
• "What is your rollback plan?"
• "How do you confirm the incident is fully resolved?"
• "What regulatory notifications are required?"

Phase 5: After-Action Review

1. Conduct debrief immediately after exercise
   • What went well?
   • What surprised participants?
   • Where did confusion or delays occur?
   • Were runbooks and documentation adequate?
   • Were the right people in the room?
   • Were communication templates effective?
   • What would participants do differently?
2. Document all findings

Gap Analysis

Phase 6: Improvement Plan

1. Prioritize identified gaps
2. Assign remediation actions with owners and deadlines
3. Update runbooks and procedures based on findings
4. Schedule follow-up exercises to validate improvements
5. Share lessons learned with broader organization

Improvement Actions

Counter-Rationalizations

Output Format

• Exercise Summary: Scenario, participants, and timeline
• Response Evaluation: How well teams performed at each phase
• Gap Analysis: Identified weaknesses with severity
• Improvement Plan: Remediation actions with owners and deadlines
• Lessons Learned: Key takeaways for the organization

Action Items

• Design realistic scenario with timed injects
• Prepare participants and assign roles
• Facilitate exercise and capture observations
• Conduct after-action review
• Document gaps and assign remediation actions
• Update runbooks and procedures based on findings
• Schedule next tabletop exercise (quarterly recommended)