Tabletop Exercise

Texture Side Right Grey 01

Test your organization’s cyber incident response plan with scenario gameplay

The Tabletop Exercise evaluates your organization’s cyber crisis processes, tools and proficiency in responding to cyber attacks from both a strategic and technical response perspective. Mandiant consultants introduce multiple scenario injects based on real world experience in a roundtable environment. The organization’s response actions and decisions are observed through two exercise tracks: technical incident response and executive crisis management.


What you get

  • Executive briefing on lessons learned from the exercises that includes a summary of how participants worked with their incident response plan, communications plan and escalation procedure
  • Post-action report with a timeline of events, detailed analysis of participant activities and strategic recommendations for improving detection, response, containment and remediation


  • Conduct quick, efficient, non-invasive evaluations
  • Identify gaps between documented and expected responses and actual behavior
  • Get recommendations for improvement informed by real-world incident response best practices


M-Trends is an annual publication from FireEye Mandiant that contains insights based on frontline investigations of the most interesting and impactful cyber attacks of the year.

Download report

Comparing the two services

Service Track Technical Executive
Objective Assess and analyze an organization’s technical response capability to detect, respond to and contain an advanced threat. Assess and analyze an organization’s crisis management capabilities in the event of an advanced threat through the lens of the executive team.
Engagement Timing

Planning: 1 week offsite

Scenario gameplay: 1-2 days onsite

Final report: 1 week

Planning: 1 week offsite

Scenario gameplay: 1-2 days onsite

Final report: 1 week

Target Participants

Cyber security incident response team (CSIRT)

Security manager

Technical staff (such as those who work with network, server, email)

Chief Information Security Officer (CISO)

General C-suite executives

Public relations and corporate communications

General counsel

Focus Areas

When to isolate hosts on a network

When to re-image a system

How analysts should follow the defined IRP, communication plan, and escalation matrix

When and how to engage third party vendors

When to pay extortion or ransom threats

Decision-making around the impact of containment tactics

Breach disclosure requirements to regulators and key stakeholders

Customer notification best practices

Media communication best practices

Delivery Method On-site scenario role play On-site scenario role play

Our approach

Before beginning a tabletop exercise, Mandiant experts first develop an understanding the client organization’s threat profile, operational environment and specific areas of concern. We conduct an on-site workshop with key individuals and introduce evolving scenario injects based on attacker behavior, techniques and tactics observed during our incident response work.

During the exercise, we observe gameplay to determine how simulated actions and decisions run concurrent to or diverge from the organization’s documented plans and processes and the incident response best practices identified by Mandiant experts.

We offer two Tabletop Exercise tracks: Technical Incident Response and Executive Crisis Management. Best practice calls for each track to be conducted annually — separately or as part of a coordinated exercise. The Technical Incident Response track is ideal for security team management and staff looking to test their response process capabilities.

The Executive Crisis Management track is ideal for C-suite executives who want to test the effectiveness of their crisis response strategies.

After the workshop, we brief the organization in person and submit an After-Action Report that includes a step-by-step summary of scenario inputs and responses.

Ready to get started?

Our security experts are standing by to help you with an incident or answer questions about our
consulting and managed detection and response services.

+1 888-227-2721 +61 281034308 +32 28962867 +1 877-347-3393 +971 45501444 +358 942451151 +33 170612726 +49 35185034500 +852 3975-1882 +91 80 6671 1566 +353 (0)216019160 +39 0294750535 +81 3 4577 4401 +03 77248276 +52 5585268207 +31 207941289 +64 32880234 +48 223072296 +7 4954658084 +65 31585101 +27 105008408 +82 7076860238 +34 932203202 +94 788155851 +46 853520870 +886 2-5551-1268 +27873392 +44 2036087538 +842444581914