Tabletop Exercise
Test your organization’s cyber incident response plan with scenario gameplay
The Tabletop Exercise evaluates your organization’s cyber crisis processes, tools and proficiency in responding to cyber attacks from both a strategic and technical response perspective. Mandiant consultants introduce multiple scenario injects based on real world experience in a roundtable environment. The organization’s response actions and decisions are observed through two exercise tracks: technical incident response and executive crisis management.
What you get
- Executive briefing on lessons learned from the exercises that includes a summary of how participants worked with their incident response plan, communications plan and escalation procedure
- Post-action report with a timeline of events, detailed analysis of participant activities and strategic recommendations for improving detection, response, containment and remediation
Benefits
- Conduct quick, efficient, non-invasive evaluations
- Identify gaps between documented and expected responses and actual behavior
- Get recommendations for improvement informed by real-world incident response best practices
M-Trends
M-Trends is an annual publication from FireEye Mandiant that contains insights based on frontline investigations of the most interesting and impactful cyber attacks of the year.
Comparing the two services
| Service Track | Technical | Executive |
| Objective | Assess and analyze an organization’s technical response capability to detect, respond to and contain an advanced threat. | Assess and analyze an organization’s crisis management capabilities in the event of an advanced threat through the lens of the executive team. |
| Engagement Timing | Planning: 1 week offsite Scenario gameplay: 1-2 days onsite Final report: 1 week |
Planning: 1 week offsite Scenario gameplay: 1-2 days onsite Final report: 1 week |
| Target Participants | Cyber security incident response team (CSIRT) Security manager Technical staff (such as those who work with network, server, email) |
Chief Information Security Officer (CISO) General C-suite executives Public relations and corporate communications General counsel |
| Focus Areas | When to isolate hosts on a network When to re-image a system How analysts should follow the defined IRP, communication plan, and escalation matrix When and how to engage third party vendors |
When to pay extortion or ransom threats Decision-making around the impact of containment tactics Breach disclosure requirements to regulators and key stakeholders Customer notification best practices Media communication best practices |
| Delivery Method | On-site scenario role play. | On-site scenario role play. |
Our approach
Before beginning a tabletop exercise, Mandiant experts first develop an understanding the client organization’s threat profile, operational environment and specific areas of concern. We conduct an on-site workshop with key individuals, and introduce evolving scenario injects based on attacker behavior, techniques and tactics observed during our incident response work.
During the exercise, we observe gameplay to determine how simulated actions and decisions run concurrent to or diverge from the organization’s documented plans and processes and the incident response best practices identified by Mandiant experts.
We offer two Tabletop Exercise tracks: technical incident response and executive crisis management. Best practice calls for each track to be conducted annually — separately or as part of a coordinated exercise. The Technical Incident Response track is ideal for security team management and staff looking to test their response process capabilities.
The Executive Crisis Management track is ideal for C-suite executives who want to test the effectiveness of their crisis response strategies.
After the workshop, we brief the organization in person and submit a written After-Action Report that includes a step-by-step summary of scenario inputs and responses.
Ready to get started?
Our security experts are
standing by to help you with an incident or
answer questions
about our consulting and managed detection and response services.