Process

How a Cybersecurity Tabletop Exercise Actually Works

Since 2006. CISSP, ISSAP and ISSMP certified. Custom scenarios. Three escalating injects. After-Action Report within 48 hours.

A cybersecurity tabletop exercise follows three phases: pre-exercise scoping (1-2 weeks), the exercise itself (2 hours with 3 escalating scenario injects) and post-exercise delivery (After-Action Report within 48 hours). Sherlock Forensics designs custom scenarios based on your industry and threat profile. No checklists. No generic templates. Pressure-tested decision-making with real consequences mapped.

Phase 0

Pre-Exercise (1-2 Weeks Before)

The exercise starts long before anyone sits down at the table. We run a scoping call with your point of contact to understand the landscape. Industry. Technology stack. Team structure. Reporting lines. Who makes decisions when the CISO is on a plane and unreachable.

We review your existing incident response plan. Most organizations have one. Most have never tested it under pressure. We read it not to judge it but to understand what your team believes the plan says versus what the plan actually requires. That gap between belief and documentation is where tabletop exercises deliver their highest value.

From the scoping call we design a custom scenario based on your actual threat profile. A manufacturing firm with OT/IT convergence gets a different scenario than a healthcare network managing patient records. A financial services company dealing with wire fraud and regulatory reporting deadlines faces different pressures than a SaaS platform managing customer data across jurisdictions. We do not use generic templates. The scenario reflects threats that are plausible for your organization specifically.

We then select participants. The right room includes IT, legal, HR, executive leadership and communications. The wrong room is just the security team talking to themselves. Incident response is a business function. The exercise must reflect that reality.

Finally we confirm logistics. Room booking or video conference link. Duration (2 hours standard). Ground rules. No phones. No email. Full attention. This is a simulation and it demands the same focus as the real thing.

Day Of

Day of Exercise (2 Hours)

Two hours. Three injects. Each inject escalates the scenario and forces the team to make harder decisions with less certainty. We facilitate. We observe. We take notes. We do not lecture during the exercise. The learning happens through the experience itself.

Inject 1 / 30 Minutes

First Alert

We present the initial indicator of compromise. An anomalous login. A phishing report. An EDR alert. Something your SOC would realistically see on a Tuesday morning. The team discusses: Who do we notify? What do we contain? Do we escalate? We observe how decisions are made and who makes them. We take detailed notes on assumptions, hesitations and disagreements.

Inject 2 / 30 Minutes

Escalation

The situation gets worse. Lateral movement confirmed. Data exfiltration suspected. A second system is compromised. The initial containment plan is no longer sufficient. The team must adjust their response while managing the uncertainty of incomplete information. This is where we begin probing vague answers. When someone says "we would just restore from backup," we ask the follow-up questions that the real incident would force them to answer.

Inject 3 / 30 Minutes

Full Crisis

Maximum pressure. The media has the story. A regulatory notification deadline is approaching. Customers are asking questions on social media. The board wants a briefing in one hour. Legal needs to know if notification obligations are triggered. HR is fielding internal questions. The team must manage simultaneous priorities with competing urgencies. This inject separates organizations that have rehearsed crisis response from those that have only documented it.

Wrap-Up / 30 Minutes

Initial Observations

We share high-level observations with the group. Patterns we noticed. Moments where the team performed well. Moments where the team stalled. No formal recommendations yet. Those come in the After-Action Report. The wrap-up is a debrief, not a grading session. We want the team to leave feeling like they learned something, not like they were evaluated.

Technique

The Probing Technique

This is where a Sherlock Forensics tabletop separates itself from a compliance checkbox exercise. When a team gives a comfortable answer, we push past it.

Team: "We would just restore from backup."

Sherlock: "Who has the encryption key for the backup? Is that person in the room right now?"

Team: "Our IT director manages that."

Sherlock: "Your IT director is on vacation in a different time zone. It is 2 AM where they are. What do we do now?"

Every team has a plan until the plan depends on a single person who is unavailable. Every team has a backup strategy until the backup requires credentials that three people share and nobody has documented. Every team knows who to call until the person they need to call is the one whose account was compromised.

The probing technique forces teams past their comfortable assumptions and into the reality of execution under pressure. We are not trying to embarrass anyone. We are simulating what a real incident does naturally: it finds the weakest link in your response chain and breaks it at the worst possible moment.

This is the difference between reading questions from a checklist and running a tabletop that produces actionable intelligence. The checklist confirms that a plan exists. The probing technique tests whether the plan actually works when the people responsible for executing it are stressed, tired or unavailable. NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, describes tabletop exercises as facilitated, discussion-based sessions and sets out how to design, conduct and evaluate them; a scripted walkthrough that only confirms the document exists does not meet that bar.

Deliverable

Post-Exercise (Within 48 Hours)

Within 48 hours of the exercise we deliver a written After-Action Report. This is not a summary email. It is a structured document designed for executive review and operational follow-through.

The After-Action Report includes:

Gap and Risk Matrix
Every gap identified during the exercise mapped to its associated risk. If the team could not identify who authorizes external communications, that gap is documented with the risk of uncoordinated messaging during a real incident.
Prioritized Remediation Recommendations
Fixes ranked by impact and effort. Quick wins that can be implemented in days alongside longer-term process improvements that require planning and budget.
Participant Performance Observations
Anonymized observations about team dynamics, decision-making patterns and communication effectiveness. These are framed constructively. The goal is improvement, not blame.
Follow-Up Exercise Recommendation
Optional follow-up exercise in 6 months to test whether the identified gaps have been addressed. Many clients run Sherlock-facilitated exercises annually and internal exercises quarterly using the AAR as a foundation.

The After-Action Report is the permanent artifact of the exercise. It justifies the investment to leadership. It provides the roadmap for improvement. It documents due diligence for regulatory and compliance purposes. Organizations subject to frameworks like FISMA, SOC 2, PCI DSS or HIPAA can use the AAR as evidence that the incident response plan has been tested, which those frameworks expect (NIST SP 800-53 control IR-3 and PCI DSS Requirement 12.10, for example, both call for periodic incident response testing). Retain the AAR alongside the attendance list and the exercise date so an auditor can tie the test to the version of the plan that was in force at the time.

Quality

Good vs Bad Tabletop Exercises

Not all tabletop exercises are created equal. The difference between a useful exercise and a wasted afternoon comes down to facilitation quality, scenario design and the willingness to create real discomfort in the room.

Bad: Reading questions from a compliance checklist and recording yes/no answers.
Good: Live scenario with escalating pressure that forces real decisions under uncertainty.
Bad: Telling participants they are wrong during the exercise and correcting them in real time.
Good: Letting the team struggle through the problem. That is where learning happens. Formal advice comes in the After-Action Report.
Bad: Generic off-the-shelf scenarios that could apply to any organization in any industry.
Good: Custom scenarios based on the organization's actual technology stack, threat profile and regulatory environment.
Bad: Only inviting the security team. The CISO and SOC already know how to respond.
Good: Including legal, HR, communications and executive leadership. Incident response is a business function.
Bad: No written deliverable after the exercise. Observations stay in the facilitator's head.
Good: Structured After-Action Report delivered within 48 hours with gap analysis and prioritized remediation.

For scenario ideas tailored to specific industries, see our tabletop exercise scenarios page. For a broader view of our incident response methodology, visit incident response services.

Questions

Tabletop Exercise Process FAQ

Can we run a tabletop exercise remotely?
Yes. Sherlock Forensics runs tabletop exercises over video conference with the same inject model and probing technique used in person. Remote exercises work well for distributed teams and multi-site organizations. The only requirement is that all participants can see shared screen content and communicate in real time. We have facilitated remote exercises for teams spread across four time zones with no loss in exercise quality.
What happens if our team completely fails the exercise?
That is the point. A tabletop exercise is designed to surface gaps before a real incident forces you to discover them under pressure. Failing in a controlled environment with no real consequences is far better than failing during an actual breach with regulators, customers and media watching. Every gap identified during the exercise is a gap your team can fix before it matters. The organizations that get the most value from tabletop exercises are the ones willing to be honest about their weaknesses.
Do you provide a template we can reuse for future exercises?
The After-Action Report includes enough detail for your team to run internal exercises between Sherlock-facilitated sessions. It documents the scenario structure, inject progression and identified gaps. Many clients use the AAR as the foundation for quarterly internal tabletops and then bring Sherlock Forensics back annually for a full facilitated exercise with a new custom scenario. This cadence keeps your team sharp without requiring external facilitation every time.
How is a tabletop exercise different from a penetration test?
A penetration test evaluates your technology by attempting to exploit vulnerabilities in your networks, applications and infrastructure. A tabletop exercise evaluates your people and processes by simulating an incident scenario and observing how your team responds. Pentests answer the question of whether an attacker can get in. Tabletops answer the question of what happens after they do. Most organizations need both. We recommend running a tabletop exercise after a penetration test so the scenario can incorporate real findings from your environment.
Can we customize the scenario for our specific industry?
Every scenario Sherlock Forensics runs is custom. We base it on your industry, technology stack and regulatory environment. A healthcare organization gets a scenario involving patient data exfiltration and HIPAA notification timelines. A financial services firm gets a scenario involving wire fraud and regulatory reporting. A manufacturing company gets a scenario involving OT/IT compromise and production shutdown. Generic off-the-shelf scenarios do not produce useful results because they do not test the specific decisions your team would face.

Get Started

Run a Tabletop Exercise That Actually Tests Your Team

Contact Sherlock Forensics to schedule a scoping call. We will assess your organization's threat profile and design a custom scenario that tests the decisions your team would face during a real incident. See our tabletop exercise services, explore scenario examples or review our incident response checklist before we talk.

Contact Sherlock Forensics: call 604.229.1994.

Schedule Your Tabletop Exercise

Call or email to start the scoping process. We will have a custom scenario designed within two weeks and your team pressure-tested within three.

Call 604.229.1994