Why This Matters
Most incident response plans look fine on paper. The gaps show up when something happens: Who calls whom? Who owns decisions? Where does evidence go? What do we tell customers, regulators, and leadership?
A short tabletop exercise is one of the fastest ways to find those gaps before they matter.
Minimal Prep (15 Minutes)
- Invite 4–8 people who would actually be involved (IT, operations, compliance, leadership, and your MSP if applicable).
- Bring your contact list, escalation path, and any vendor incident hotlines.
- Have a simple notes doc open to capture decisions and action items.
The 60-Minute Agenda
- 0–10 minutes: Scenario brief + roles (who is incident commander, comms lead, evidence lead).
- 10–25 minutes: Triage (what do we know, what do we do first, what systems are in scope).
- 25–40 minutes: Containment + evidence (what gets isolated, how logs are preserved, who talks to vendors).
- 40–55 minutes: Communications (internal message, customer-facing holding statement, regulator/examiner notification triggers).
- 55–60 minutes: Action items (owners + due dates) and next tabletop date.
What to Capture as Evidence
For regulated organizations, keep a lightweight record of the tabletop: attendees, date, scenario, key decisions, and assigned remediation. That single page often satisfies “show me governance and testing” questions.
Want a Scenario Pack?
If you want a ready-to-run tabletop scenario and a short evidence template, reach out and we can share a simple set you can reuse quarterly.