Starting at $3,500 CAD

Cybersecurity Tabletop Exercises — Find the Gaps Before an Attacker Does

Since 2006. CISSP, ISSAP and ISSMP certified. Interactive 3-phase inject methodology with After-Action Report in 48 hours.

Sherlock Forensics runs interactive cybersecurity tabletop exercises using a 3-phase inject methodology. We act as Game Master: facilitator, antagonist, observer and advisor. Your team faces a realistic cyber crisis scenario with escalating pressure. We document every gap and deliver an After-Action Report within 48 hours. Starting at $3,500 CAD.

Our Method

The Sherlock Forensics Approach

We don't hand your team a 50-question checklist. We run a live interactive scenario where your team makes real decisions under pressure. No scripts. No PowerPoints. Just your people, a crisis and 2 hours to find out if your plan actually works.

Most organizations have an incident response plan sitting in a shared drive somewhere. Maybe it was written three years ago by someone who has since left the company. Maybe it references a phone tree with numbers that no longer work. Maybe it assigns responsibilities to roles that have been restructured twice since the document was last updated. A tabletop exercise will expose every one of these problems in under two hours.

We play four distinct roles during every exercise. This is not a presentation. It is a controlled stress test of your people, your processes and your decision-making under duress.

Facilitator

We present the scenario, set the pace and keep the discussion moving. When conversations stall or drift into hypotheticals, we redirect to the decisions that matter right now. The clock is running. The attacker is not waiting for your team to reach consensus.

Antagonist

We throw wrenches into plans. "The phones are down too. Now what?" "Your backup admin is on vacation in a different time zone." "The CEO just forwarded a ransom email to all staff." Every inject is designed to test a specific assumption your team has never questioned.

Observer

While your team debates, we document every hesitation, disagreement and gap. Who deferred to whom. Which questions went unanswered. Where the plan broke down. Where someone improvised because no procedure existed. These observations form the backbone of your After-Action Report.

Advisor

Within 48 hours we deliver an actionable After-Action Report. Not a generic template filled with boilerplate. A specific document referencing the exact moments where your team struggled and providing concrete fixes. Read more about our incident response services.

The Process

The 3-Phase Inject Model

Every Sherlock Forensics tabletop exercise follows a structured escalation model. Each phase introduces new information and increasing pressure. The scenario starts ambiguous and ends with full-blown organizational crisis. This mirrors how real incidents unfold: slowly at first, then all at once.

  1. First Sign of Trouble

    A suspicious alert fires. An unusual login from an unfamiliar geography. A vendor reports something odd about their connection to your network. At this stage, the information is incomplete and ambiguous. Your team must decide: investigate quietly, escalate immediately, or wait for more data? We pose 3-5 core questions about initial triage, notification chains and early containment decisions.

    30 minutes | 3-5 core questions | Detection and initial response

  2. Escalation

    The situation has gotten worse. Your website is down. Data exfiltration is confirmed. Systems are encrypted. The ambiguity from Phase 1 is gone and the reality is ugly. Now the decisions get harder: who authorizes a full network shutdown? How do you communicate with employees? Is your incident response checklist actually being followed, or has everyone abandoned it? We test communication breakdowns and authority gaps with 3-5 targeted questions.

    30 minutes | 3-5 core questions | Containment and coordination

  3. Crisis Point

    Media is calling. Your regulatory notification deadline is approaching. Customer data has been confirmed exposed on a leak site. The board wants answers. Your cyber insurance carrier needs to be contacted within their SLA window. This phase tests everything outside the technical response: legal obligations, communications strategy, regulatory compliance, executive decision-making and crisis leadership. Explore sample scenarios on our tabletop exercise scenarios page.

    30 minutes | 3-5 core questions | Crisis management and external communications

  4. Wrap-Up and Initial Observations

    The scenario is over. We debrief immediately while the experience is fresh. We share preliminary observations about what went well and what needs work. This is not the full After-Action Report. It is a verbal summary designed to give your team an immediate sense of their performance and the major gaps we observed. The detailed written report follows within 48 hours.

    30 minutes | Debrief and preliminary findings

Pressure Points

What We Probe For

Every organization has blind spots. Most are invisible until an incident forces them into the open. These are the questions that make experienced professionals pause. If your team cannot answer them confidently in a simulation, they will not answer them under the pressure of an active breach.

  • Who has authority to shut down production systems? If the answer is "the CISO" and the CISO is unavailable, you have a single point of failure protecting your entire infrastructure.
  • Where is the IR plan stored? Can anyone find it right now? If it lives on a network share and the network is encrypted by ransomware, your plan is locked inside the problem it was supposed to solve.
  • Who speaks to media? Is there a backup? One wrong statement to a reporter during an active breach can cause more damage than the breach itself. The person speaking needs to be designated in advance, not decided in the moment.
  • "Shut down" vs "Isolate" — does your team know the difference? Shutting down a compromised server destroys volatile memory evidence. Isolating it preserves everything. If your team defaults to pulling the power cable, your incident response is starting from behind.
  • Who contacts your cyber insurance carrier? What is the SLA? Most cyber insurance policies have notification windows measured in hours, not days. Missing that window can void coverage entirely. See our cyber insurance approved vendor page for more on this.
  • Can your backup person actually perform the recovery? Have they ever done it? Having a documented backup procedure and having a person who has successfully executed that procedure are two different things.
  • If your CISO is on a flight, who takes charge? Succession of command during a cyber incident is not a nice-to-have. It is the difference between a coordinated response and a room full of people waiting for permission to act.

The Deliverable

The After-Action Report

Within 48 hours of your exercise, we deliver a formal After-Action Report. This is not a pass/fail scorecard. It is a structured gap analysis that documents what we observed, quantifies the risk and provides specific remediation steps. Every finding is framed constructively: "The exercise revealed an opportunity to..." not "You're doing this wrong."

The report is formatted for multiple audiences. Your technical team gets actionable fixes. Your executives get a risk summary. Your auditors and insurers get documented evidence that you conducted the exercise and are actively remediating findings. The following table shows the format of each finding:

| What Happened (The Gap) | The Risk | Our Suggestion (The Fix) |
|---|---|---|
| No one could locate the incident response plan during the first inject phase. | During a real incident, the team operates from memory and improvisation. Critical steps are missed. Containment is delayed. | The exercise revealed an opportunity to store the IR plan in an offline location accessible during a network outage. Print copies for key personnel. Host a secondary digital copy outside your primary infrastructure. |
| Three different people claimed authority to authorize a network shutdown. No one deferred. | Conflicting authority during an incident causes delays and internal friction. Attackers benefit from every minute of indecision. | The exercise revealed an opportunity to formalize shutdown authority in the IR plan with a clear chain of command and documented succession order. |
| The team did not know the cyber insurance notification SLA. | Late notification to the insurer can void coverage or reduce the payout. A $2M policy becomes worthless if the SLA is missed. | The exercise revealed an opportunity to document the carrier's notification requirements and assign a specific person to handle insurer communication within the first hour of an incident. |
| No one on the team had ever performed a full backup restoration. | Backup procedures exist on paper but have never been validated. Recovery time during a real incident is unknown and untested. | The exercise revealed an opportunity to schedule quarterly backup restoration drills. Assign a primary and secondary person for recovery and document expected recovery time objectives. |

The report concludes with a prioritized remediation roadmap. Items are ranked by risk severity and implementation effort, so your team knows exactly what to fix first. The roadmap aligns with NIST Cybersecurity Framework categories and can be mapped directly to your existing risk register.

For teams building their incident response capability from scratch, the After-Action Report pairs directly with our incident response retainer service. Fix the gaps we find, then test again.

Use Cases

Who Needs This

Companies with Cyber Insurance

Many cyber insurance policies now require annual tabletop exercises as a condition of coverage or renewal. Failing to conduct them can result in denied claims when you need coverage most. Our After-Action Report provides the documented evidence your insurer expects to see. Learn more about our role as a cyber insurance approved vendor.

SOC 2 / ISO 27001 / CMMC

Compliance frameworks require documented evidence of incident response testing. A tabletop exercise satisfies this requirement and produces audit-ready documentation. SOC 2 Type II auditors specifically look for evidence that IR plans have been tested and that findings were remediated. Our report is structured to meet these requirements directly. See our compliance penetration testing services.

Boards of Directors

Board members have a fiduciary duty to oversee cybersecurity risk. Participating in or reviewing the results of a tabletop exercise demonstrates due diligence. Our executive-level tabletop is designed for non-technical participants and focuses on governance decisions, regulatory obligations and organizational impact rather than technical minutiae.

Untested IR Plans

If your organization has an incident response plan that has never been exercised, you do not have an incident response plan. You have a document. The only way to know if it works is to test it. We have run exercises where the team discovered within the first ten minutes that their plan referenced a vendor relationship that ended two years ago.

Investment

Pricing

Standard

$3,500 CAD

2-hour interactive tabletop exercise

  • Custom scenario based on your industry and threat profile
  • 3-phase inject methodology
  • Up to 15 participants
  • Full facilitation, observation and documentation
  • After-Action Report within 48 hours
  • Prioritized remediation roadmap
  • Virtual or on-site delivery

Executive / Board

$5,000 CAD

Board-level tabletop exercise

  • Scenario focused on governance and fiduciary decisions
  • Regulatory notification and media response injects
  • Non-technical language throughout
  • Board-ready After-Action Report
  • Cyber insurance compliance documentation
  • Prioritized remediation roadmap
  • Virtual or on-site delivery

Custom Full-Day

Quote

Multi-scenario full-day engagement

  • Multiple scenarios run sequentially
  • Combined technical and executive participants
  • Extended inject phases with deeper complexity
  • Real-time scenario branching based on team decisions
  • Extended After-Action Report with cross-scenario analysis
  • On-site preferred
  • Contact us for a consultation

All prices in Canadian dollars. Travel expenses for on-site delivery outside Metro Vancouver quoted separately. For organizations requiring quarterly exercises, ask about our annual retainer pricing.

Questions

Tabletop Exercise FAQ

What is a cybersecurity tabletop exercise?
An interactive discussion-based simulation where your team walks through a realistic cyber incident scenario. There is no live technical testing. Instead, participants talk through their roles, decisions and escalation procedures while a facilitator introduces escalating pressure through scenario injects. The goal is to identify gaps in your incident response plan, communication chains and decision-making authority before a real incident exposes them. For a deeper look at the process, visit our how tabletop exercises work page.
How long does a tabletop exercise take?
Standard exercises run 2 hours. This includes three 30-minute inject phases plus a 30-minute wrap-up with initial observations. Executive and board-level sessions follow the same 2-hour format but focus on governance decisions, regulatory notification and media response rather than technical response procedures. Full-day custom engagements with multiple scenarios are available by consultation.
Who should participate?
IT leadership, security operations, legal counsel, HR, executive leadership, communications and any team responsible for business continuity. The most valuable exercises include people outside IT because real incidents require coordination across the entire organization. If your CFO has never been in the same room as your security team during a simulated crisis, that is a gap worth closing.
Do we need an existing incident response plan?
No. If you don't have one, the exercise will demonstrate exactly why you need one. Teams without a formal IR plan often discover during the exercise that critical decisions have no owner, communication chains don't exist and escalation procedures are assumed rather than documented. The After-Action Report will include recommendations for building your plan from the ground up. See our incident response checklist for a starting point.
How often should we run tabletop exercises?
Annually at minimum. Cyber insurance policies increasingly require them as a condition of coverage. Organizations pursuing SOC 2, ISO 27001 or CMMC certification need documented evidence of regular incident response testing. After significant organizational changes such as mergers, leadership turnover or major infrastructure changes, run an additional exercise to validate updated procedures. The CISA Tabletop Exercise Packages provide additional guidance on exercise frequency.
What is the After-Action Report?
A formal gap analysis delivered within 48 hours of the exercise. It documents every gap, hesitation and disagreement observed during the simulation. Each finding includes what happened, the associated risk and a specific remediation suggestion. The report concludes with a prioritized roadmap so your team knows exactly what to fix first. It is formatted for submission to auditors, insurers and board governance committees.

Get Started

Your IR Plan Has Never Been Tested. Fix That.

Book a tabletop exercise and find out in 2 hours what would otherwise take a real breach to discover. Built by the same team that delivers incident response and incident response retainer services across Canada. Browse our scenario library to see what your team will face.

Since 2006 | CISSP, ISSAP, ISSMP certified | 604.229.1994

Ready to Test Your Incident Response Plan?

Call us or send a message. We will scope your exercise, confirm your participant list and schedule the session. Most exercises are booked within two weeks of initial contact.

Call 604.229.1994