What is a Tabletop Exercise?
A tabletop exercise is a simulated crisis discussion that tests incident response plans and identifies gaps before a real attack. Learn how they work and why they consistently reveal critical blind spots.
What a Tabletop Exercise Involves
A tabletop exercise is typically a 2-4 hour facilitated discussion where a scenario is introduced and key stakeholders work through their responses. The facilitator presents the scenario in stages — initial discovery, escalation, additional information reveals, decision points — and asks participants how they would respond at each stage. Participants include representatives from the functions that would be involved in a real incident: IT and security, legal counsel, communications, finance, executive leadership, and sometimes board members.
The scenario is designed to stress-test specific aspects of the incident response program. A ransomware tabletop might reveal that there is no clear decision authority for paying a ransom, that the legal team does not know the organization's notification obligations, that the communications team has no pre-approved messaging for different incident types, or that the backup recovery process has never been tested and the recovery time objective is unrealistic. These gaps are identified in a low-pressure discussion rather than discovered during an actual crisis.
Why Tabletop Exercises Work
Crisis response degrades under pressure. Decisions that seem straightforward in calm conditions become difficult when time pressure, incomplete information, conflicting priorities, and stakeholder stress are all present simultaneously. Tabletop exercises build the mental models and communication patterns that enable teams to perform under pressure — not because the exercise replicates the stress of a real incident, but because participants have thought through the scenarios, encountered the decision points, and established the relationships that effective crisis response requires.
The most consistent finding in tabletop exercises is communication gap identification. Who calls the CEO? What does the CEO tell the board? Who speaks to regulators? Who speaks to the media? What do employees get told, and when? These questions have answers in the incident response plan. Tabletop exercises reveal whether anyone knows those answers under pressure and whether the answers are actually workable when applied to a realistic scenario.
Tabletop Exercises in the PE Context
PE sponsors are increasingly including tabletop exercises in portfolio company security programs for two reasons: cyber insurance underwriters now commonly require evidence of tabletop exercise completion, and M&A due diligence increasingly evaluates incident response preparedness as a component of operational risk assessment.
Portfolio-level tabletop exercises — where the PE sponsor's operating partners and portfolio company CEOs or CFOs participate together — serve an additional function: they align the escalation path from portfolio company to sponsor level, ensuring that when an incident occurs, the sponsor receives timely, accurate information and can mobilize resources appropriately. A tabletop exercise that surfaces the finding that a portfolio company CEO would not notify the sponsor until after engaging external counsel is a valuable discovery made in a conference room rather than during an active incident.
Real-World Example: The Tabletop That Revealed a $50M Decision Nobody Owned
In a Cloudskope tabletop exercise for a PE portfolio company in the healthcare sector, the ransomware scenario reached a decision point: the attacker has demanded $4M in ransom, backups are partially encrypted, and estimated recovery time without payment is 6 weeks. The board asked: who makes the payment decision? After discussion, it emerged that no one in the room had the authority to approve a payment of that size without board approval, the board approval process would take a minimum of 5 days, and the cyber insurance policy required insurer notification and approval before any ransom payment. None of these requirements were reflected in the incident response plan. The 30-minute tabletop discussion of this decision point drove a governance change that defined clear authority levels and pre-approved decision frameworks for ransom scenarios before a real event tested the process.
Of organizations that conduct regular tabletop exercises identify critical incident response gaps they were not aware of before the exercise. Gaps found in a conference room cost nothing. Gaps found during a live ransomware event cost millions.