Incident response tabletop exercise checklist
A tabletop exercise is a facilitator-led, role-based discussion in which your team works through a realistic scenario, such as a data breach or cyberattack, making decisions as if the incident were live.
The goal is to reveal whether your incident response plan, decision-making, and coordination actually work under pressure, and to produce specific improvements you can implement.
If you want your own tabletop exercise to produce changes you can execute, treat it like an operational rehearsal. That starts with a checklist.
Why exercises matter
Cyber threats keep changing, and your organisation must keep pace with best practice and UK government guidance to prevent cyber attacks and costly data breaches.
Regular tabletop exercises move you beyond theoretical readiness into proactive, rehearsed emergency management.
What you should have in place before you run a tabletop
Have a current incident response plan that exercise participants can access and reference during the session. If the plan needs formalising or refreshing before you exercise it, start with Zensec’s guide to creating a cyber incident response plan.
Confirm you have a working contact and escalation path that reflects reality, including out-of-hours coverage and third-party contacts. Decide how you will capture the session, including who will take notes and how you will turn the outcomes into an improvement plan with owners and deadlines.
Roles to assign for the session
When creating an exercise planning team, assign a neutral facilitator who controls pacing and introduces scenario updates. Ensure participants act in their real roles and make the decisions they would make in production. If you include observers, they should assess process quality without steering decisions. Assign a note-taker who consistently captures decisions, rationale, and gaps.
Scenario selection: choose the pressure you want to test
Pick an exercise scenario that reflects your highest risk pathways and your most fragile dependencies. Make it specific enough to feel real and broad enough to test cross-functional behaviours and business operations.
The best scenarios force decisions under uncertainty and bring in external pressure, such as senior leadership demands, customer impact, and third-party dependencies.
While many scenarios focus on digital threats, it’s important to also consider physical security breaches and natural disasters to test your emergency plan and disaster recovery capabilities.
Incident response tabletop exercise checklist
This is the operational checklist. Use it as a run sheet.
A. Define purpose and scope
- Write a one-paragraph purpose statement that describes what the exercise is validating.
- Define scope boundaries: systems, teams, locations, and third parties included.
- Define what is out of scope to keep the discussion from drifting.
- Set success criteria based on decisions and timing, not general impressions.
- Decide on the format and duration, and document them in the exercise brief.
- Confirm the exercise will be discussion-based to test decisions, not a technical hands-on response.
- Establish a strategic approach for how the findings will influence long-term crisis management.
B. Build the planning team and logistics
- Assign the facilitator, note-taker, and evaluator.
- Confirm participants include decision-makers beyond IT, including leadership, human resources, legal or compliance, and communications.
- Confirm that the business owner of the affected service will be represented.
- Confirm everyone understands their specific roles and responsibilities during the exercise.
- Prepare a shared note space and ensure all key stakeholders can access it.
- Set ground rules: no blame, speak plainly, make decisions, capture gaps.
- Plan at least one realistic friction point, such as an unavailable approver.
C. Prepare the materials
- Distribute the incident response plan and any relevant playbooks in advance.
- Validate the contact list and escalation path before the session.
- Prepare the scenario brief and the initial incident description.
- Prepare injects and discussion questions that gradually reveal information and force trade-offs.
- Prepare prompts for external pressure, such as customer queries or media interest.
- Prepare the note template to capture time, decision, owner, rationale, and follow-up.
- Prepare a short list of assumptions that participants must confirm or challenge.
D. Run the exercise
- Open by restating objectives, scope, and ground rules.
- Read the scenario set-up and confirm shared understanding.
- Assign an incident manager early and record who takes the role.
- Confirm the incident classification process and who can declare an incident.
- Confirm the first emergency response action and what business impact is acceptable.
- Confirm evidence handling steps and who owns evidence preservation decisions.
- Confirm the internal notification process and who receives the first update.
- Confirm the decision points for engaging external support, such as IR retainers or vendors.
- Confirm communications ownership for internal updates, customers, and public statements.
- Introduce injects at planned times and require decisions rather than discussion loops.
- Force a trade-off decision that impacts operations and capture the approval path.
- Confirm recovery approach, including restore priorities, disaster recovery protocols, and dependency constraints.
- Close the scenario with a final situation update and a summary of decisions made.
E. Capture outcomes in a way you can act on
- Record decisions with rationale, not just the final answer.
- Record what information was missing and how it would be obtained in real life.
- Capture plan gaps such as unclear roles, unclear thresholds, or missing playbooks.
- Identify capability gaps, such as insufficient logging, weak access controls, or backup uncertainty.
- Convert each gap into a concrete action with an owner and due date.
- Identify any approvals that were ambiguous or delayed and define fixes.
- Identify any third-party dependencies that are not contractually or operationally clear.
F. Debrief and produce the after-action report
- Run an immediate debrief focused on what worked, what failed, and what was unclear.
- Draft the after-action report and circulate it within an agreed timeframe.
- Publish the improvement plan with owners and deadlines.
- Update the incident response plan, playbooks, and contact lists based on findings.
- Communicate changes to relevant teams and confirm they are understood.
- Schedule the next tabletop and decide what to test next time.
Common tabletop mistakes to actively prevent
The most common failure is treating the session as a discussion rather than a rehearsal.
Another is failing to reference the plan, which means you are not testing it. Outdated contact lists and unclear escalation paths show up repeatedly and should be treated as high-priority fixes for business continuity.
Delaying incident manager assignment is a strong indicator that coordination will be slow in a real cybersecurity incident. Weak communications ownership and unclear approval paths become obvious once external pressure is introduced.
How to use this checklist inside your organisation
If you are starting from zero, run a short tabletop first and aim for a small number of high-quality decisions, along with a short improvement plan you can complete quickly. If you already have an established incident response plan, use the checklist to validate that it is usable under pressure and that cross-functional coordination works without confusion.