How would you plan and facilitate an incident-response tabletop exercise?
Expected Points
- Set clear objectives and scope up front (what capability are we testing — detection, decision-making, comms, legal/PR coordination?) and pick a realistic, relevant scenario.
- Invite the right cross-functional participants: engineering/AppSec, IR/SOC, an incident commander, plus legal, comms/PR, and leadership — not just the security team.
- Facilitate by presenting the scenario in stages with escalating "injects," asking participants what they would do, whom they would notify, and what authority they have to decide — surfacing gaps in runbooks and decision rights.
- Keep it blameless and time-boxed; the goal is to find process gaps, not to grade individuals.
- Probe key decision points: containment vs. uptime trade-offs, when/whether to notify customers and regulators (breach-notification timelines), and evidence preservation.
- Capture findings and produce a prioritized action plan with owners and due dates (update runbooks, fix tooling/access gaps, clarify roles); schedule a follow-up to verify closure.
A good tabletop is a no-blame, scenario-driven walkthrough that tests the IR process and decision-making — roles, comms, escalation, and decision authority — and produces concrete action items, not a pass/fail grade.