Tabletop Incident Response Exercise
A 1-day simulated cyber-incident drill with your IR team — ransomware, BEC, data breach, supply-chain compromise. Test the plan. Find the gaps. Walk away with a ranked improvement list. No tooling required; maximum preparedness value per dollar.
What it is
A discussion-based exercise in which your incident response team walks through a realistic cyber incident — injects, decisions, escalations, external notifications — in a controlled facilitated setting. No technical systems are touched; nothing is at risk.
The purpose is simple: find the decisions your team can't make fast enough, the gaps in your playbook, the escalation paths that don't actually work, and the roles and responsibilities that no-one has practised. Incidents are not the time to discover this. Tabletop is.
Frequently chosen as a first engagement because it's low-cost, low-risk, high-value. Also one of the easiest to sell to boards because the output (a gap list) is directly actionable.
Who this is for
What you get
- Tailored scenario design — calibrated to your sector, threat profile, and existing IR maturity.
- 1-day facilitated exercise — typically 6 hours with breaks, covering detection through recovery + regulatory notification.
- Observer-notes transcript — decisions made, decisions struggled-with, gaps surfaced.
- Improvement report — prioritised recommendations across IR plan, playbooks, roles, escalations, comms, regulatory-notification process.
- Attendance record — for ISO 27001 / NESA audit evidence.
How we deliver
Pricing
Published range
Per exercise. Price driven by scenario complexity, attendee count, and whether it's in-person or virtual.
- Deposit: 50% at signing
- Net terms: Net-30
- Annual recurring: 20% discount on agreement
- ISO 27001 bundle: 10% discount when paired with ISO 27001 Implementation
Your cert-backed lead
Lead Facilitator
Manoj Prabhakaran
CPTS · CDSA · ISO 27001 Lead Auditor · GRC Mastery
Focus: Scenario design, facilitation, observation, improvement recommendations. Angle: offensive-security background means the injects are realistic — not "a hacker did something bad" but specific, credible attacker actions.
Frequently asked questions
What scenario do you run?
We pick a scenario calibrated to your sector, threat profile, and existing IR plan — typical choices: ransomware detection + containment, business-email-compromise fraud attempt, phishing-led credential compromise, data exfiltration, supply-chain compromise, or ransomware incident with regulatory-notification obligations. Scenario selected during scoping, tailored to your environment.
Who should attend?
Incident response team members (typically IT, security, legal, comms / PR, HR, executive sponsor). 6 – 12 people is ideal — small enough for everyone to participate, large enough to cover all decision roles. We also run executive-only versions for board and C-suite.
Do I need an IR plan for this to be useful?
No. If you don't have one, the exercise reveals exactly what's missing. You leave with a list of the decisions you couldn't make fast enough — that's the real output. If you do have a plan, the exercise stress-tests it.
Is this the same as a Red Team exercise?
No. Red Team is a live adversary simulation against real systems (launching in 2028). Tabletop is a discussion-based scenario walk-through — zero technical risk, zero tooling, high preparedness value. Much faster and cheaper.
You might also need
If ransomware hit tomorrow, would your team know exactly what to do in the first hour?
From AED 8k. 1 day of work. Changes everything. Written quote in 48 hours.
