How to Run a Successful Ransomware Tabletop Exercise


Ransomware continues to dominate the threat landscape. Organisations pour money into detection tooling, endpoint protection, and backup infrastructure, yet when an incident actually hits, the response is often chaotic. People don’t know who to call. Decisions get made by the wrong people. Communication breaks down. The technology works fine; the humans don’t.

That’s exactly what a tabletop exercise is designed to fix. A well-run ransomware tabletop stress-tests your incident response plan, surfaces gaps in your decision-making process, and builds the kind of muscle memory that only comes from rehearsal. This post walks through how to design and deliver one that actually achieves that.

What Makes a Tabletop Exercise Valuable

A tabletop is a discussion-based simulation. No systems get touched, no malware gets deployed. Participants gather, a scenario unfolds in phases, and the facilitator injects information that forces decisions. The value isn’t in finding technical gaps (a penetration test does that); it’s in finding procedural, communication, and decision-making gaps. You want to know: does your IR plan reflect reality? Do your people understand their roles? Can your leadership team make high-stakes decisions under pressure?

Done well, a tabletop produces a prioritised list of concrete actions your organisation can take to improve its resilience. Done poorly, it’s a box-ticking exercise that tells you nothing.

Scoping and Objectives

Before you write a single inject, you need to define what you’re testing. Common objectives for a ransomware tabletop include validating the escalation process from initial detection through to executive notification, testing backup and recovery decision-making, exploring ransom negotiation decision trees, and examining external communication processes including legal, PR, regulatory, and law enforcement.

The scope should match your audience. A technical tabletop with your SOC team looks very different from a strategic exercise with the executive leadership team. Many organisations benefit from running both, separately, and then a combined exercise once each group has some familiarity with the process. Trying to mix deeply technical discussion with executive-level decision-making in the same room often means you get neither done properly.

Also establish what’s out of scope. Participants need to know whether they’re expected to make real decisions (like actually calling your legal team) or simulated ones. Clarity here prevents confusion mid-exercise.

Building the Scenario

Your scenario needs to be believable. Generic ransomware scenarios produce generic responses. The more your scenario resembles your organisation’s actual environment, threat profile, and operating context, the more valuable the discussion will be.

A solid ransomware tabletop scenario typically progresses through several phases. Start with an initial indicator: something that could be real but ambiguous. A spike in failed authentications, an EDR alert that got triaged and closed, an employee reporting their desktop is behaving strangely. This phase tests your detection and triage processes.

From there, escalate. The next inject might confirm encryption is underway on a file server. Now you’re in containment mode. Who decides to isolate systems? What’s the blast radius of that decision? Do you have documented procedures or are people improvising?

Build in complexity as the exercise progresses. A few good inject categories to consider:

  • Backup failure: Your primary backups are encrypted too. Your offsite copies are 72 hours old. How does that change the decision-making calculus?
  • Data exfiltration confirmation: The attacker posts a sample of your data to their leak site. Now you have a regulatory disclosure obligation and a PR problem in addition to an operational one.
  • Ransom demand: $4.2 million in Bitcoin, 72-hour deadline. Who has authority to make that call? What’s your process for evaluating whether to engage?
  • Third-party pressure: A major customer calls your CEO directly. A journalist emails your PR team. Your cyber insurer wants a status update. How do you handle external stakeholders while managing the response?
  • Employee involvement: Forensic analysis suggests the initial access came via a phishing email opened by a named employee. How does that get handled internally?

Sequence your injects so the scenario builds naturally, but don’t be afraid to adjust on the fly. A good facilitator reads the room and holds injects back or accelerates them depending on where the discussion is going.

Participants and Roles

Get the right people in the room. A ransomware incident touches almost every function in a business, and your tabletop should reflect that. At a minimum, consider including representatives from IT and security, legal, communications and PR, senior leadership or the board, finance (particularly if ransom payment is on the table), HR (for the employee notification angle), and your cyber insurer if you have one.

Assign a facilitator whose job is to drive the scenario, inject information, and keep discussion moving without letting it stall. The facilitator should not be a participant. They need the mental bandwidth to observe what’s happening, track what’s being said, and note where the gaps are. A skilled facilitator also knows when to push back: “You said you’d escalate to the CEO. How? They’re on a transatlantic flight. What’s your fallback?”

Assign a dedicated note-taker. You will not remember everything that gets said, and the gaps you identify in the moment are the most valuable output of the exercise. Capture them in real time.

Brief participants in advance so nobody is walking in cold. They should know the format, the scenario context up to the starting point, and their notional role. You’re not testing whether people can read a room; you’re testing whether your IR process holds up under scrutiny.

Running the Exercise

Open with a brief framing session. Restate the objectives, confirm ground rules (this is a simulation, there are no wrong answers, the goal is to learn), and give everyone a chance to settle. A 10- to 15-minute warm-up discussion around the current threat landscape can help get people into the right headspace.

Then kick off the scenario. Present the first inject and let the discussion flow. Your job as facilitator is to ask probing questions rather than steer toward particular answers. If a team says they’d contain by taking down the network segment, ask them to walk through exactly how that happens: who authorises it, who executes it, how long it takes, what the business impact is. The depth of that discussion is where the value lives.

Keep the exercise moving. A full ransomware tabletop with a mixed audience typically runs three to four hours. If you go longer than that, people lose focus. If you finish in under two hours, you probably haven’t gone deep enough. Build in a short break after the first major decision point.

Time-box discussions when they go circular. It’s common for groups to get stuck debating whether a particular technical decision is the right one. That’s a useful signal, but you don’t need to resolve it in the room. Note it as a gap and move on.

The Hot Wash

Reserve the last 30 to 45 minutes for a structured debrief, often called a hot wash. This is where participants reflect on what went well, what didn’t, and what needs to change. Go around the room and ask each person what their key takeaway is. You’ll often get insights here that didn’t surface during the scenario itself.

Frame the debrief positively. The goal is improvement, not blame. If your backup process turned out to be completely untested and nobody knew the recovery procedure, that’s a gap you’ve now identified in a safe environment rather than during a real incident. That’s a win.

The Report and Follow-Through

A tabletop with no follow-through is a waste of everyone’s time. Within a week of the exercise, produce a concise report that captures the scenario and objectives, a summary of key discussion points, identified gaps with a risk rating, and recommended actions with owners and target dates.

Keep the action list realistic. Five to ten concrete, prioritised actions that will actually get done are worth infinitely more than a 40-item list that gets filed and forgotten. Get sign-off from leadership on the action plan and schedule a follow-up to track progress.

Consider scheduling a re-run in six to twelve months. Organisational resilience isn’t a one-time project. Threats evolve, your environment changes, new people join. Regular exercises are how you build and maintain genuine preparedness rather than a false sense of it.

Common Mistakes to Avoid

The most common failure mode is running a tabletop that confirms your existing IR plan works rather than genuinely challenging it. Build injects that break assumptions. Don’t let the exercise validate a rosy version of reality.

A close second is running an exercise without executive attendance and then being surprised when the report recommendations don’t get actioned. Leadership buy-in isn’t optional. If the CISO is the only senior person in the room, you’re going to struggle to get organisational change out the other end.

Finally, avoid the temptation to make the scenario too technical too quickly. The most important discussions in a ransomware tabletop are usually about communication, authority, and decision-making. Those conversations happen when the scenario is realistic but not so technically dense that half the room disengages.

Closing Thoughts

Ransomware tabletop exercises are one of the highest-value investments an organisation can make in its incident response capability. The mechanics are straightforward, but the execution requires careful planning, a realistic scenario, and a facilitator who can drive meaningful discussion without leading witnesses.

If you’re running these internally, invest time in building scenarios that reflect your actual environment and threat profile. If you’re bringing in external help, look for a team that understands both the technical realities of ransomware operations and the organisational dynamics of incident response. The exercise is only as good as the quality of the conversation it generates.

Silverback Cyber delivers bespoke tabletop exercises and incident response advisory services to organisations across the UK. Get in touch to discuss how we can help you test and strengthen your ransomware preparedness.
