In 2025, cyber attacks occur every 39 seconds on average, according to some estimates. A projected 160 reports of attacks emerge daily in the US alone. The frequency and sophistication of these attacks continue to rise, driven by factors like the increased use of Artificial Intelligence (AI), remote work, and the growing attack surface of expanding digital infrastructures globally.
Given these numbers, one resounding question must be answered by every business: Will your people know what to do when the worst happens to you?
If you’re unsure what your answer to the above question is, cyber security drills may just be what your business needs. Cyber tabletop exercises don’t just test technology; they build muscle memory in your teams, ensuring that every role—technical and non-technical—can respond swiftly and effectively when an incident occurs.
These simulated cyber attack drills are crucial for identifying weaknesses in your incident response plans and processes before a real attack strikes. By regularly engaging in these exercises, you can significantly reduce the potential impact of a cybersecurity breach.
Ultimately, cyber security drills transform theoretical knowledge into practical readiness.
In this blog, we’ll walk you through practical examples of cyber security drills and realistic tabletop exercise scenarios that you can implement to strengthen your organisation’s cyber resilience in 2025.
A cyber security drill is a practice-based exercise designed to simulate a real-world cyber incident. Its primary purpose is to rigorously test your organisation’s preparedness and resilience in the face of digital threats.
It tests the effectiveness of your IT infrastructure and security tools. But more importantly, it’s a litmus test for the awareness, training, and response capabilities of employees across all relevant departments. A cyber security drill is also the perfect way to validate the efficiency and clarity of your incident response plans.
Are your communication protocols well established? Does your team know the escalation procedures? What are the decision-making frameworks, and do the primary decision-makers know their roles and responsibilities well?
You can get clear answers to all these questions with effective cyber tabletop exercises.
But to be truly effective, cyber security drills should be meticulously designed to mirror the actual real-world risks and threat landscape that your specific business faces. The cyber drill scenario should be highly relevant and challenging, providing a realistic test of your organisation's resilience.
In the next section, we look at some of the most relevant cyber tabletop exercise scenarios in the threat landscape of 2025.
Here are some practical cyber security drill examples you can adapt to your organisation in 2025:
Scenario: A simulated, highly targeted phishing campaign is launched to assess employee vigilance and adherence to cybersecurity protocols.
Execution: Develop realistic phishing email templates, potentially mimicking internal communications, popular services, or urgent requests. These emails should contain malicious links or attachments designed to log user interaction, not to cause actual harm. Send the phishing emails to a select group or the entire organisation, carefully scheduling the campaign to avoid disruption and maximise impact.
Track key metrics to evaluate the effectiveness of the test. These include the number of employees who clicked on the malicious link and the percentage of employees who correctly identified and reported the phishing email through established channels. Also observe whether employees followed security policies, such as verifying suspicious emails or refraining from entering credentials on untrusted sites.
Objective: The primary goal of a phishing email test is to measure employee awareness and compliance with security policies. This cyber tabletop exercise example will let you identify areas for improvement in security training. Ultimately, it will reduce the organisation's vulnerability to real-world phishing attacks. It serves as a practical, hands-on learning experience that highlights the importance of individual vigilance in maintaining organisational security.
Scenario: A simulated ransomware attack has successfully encrypted critical file servers, rendering essential data inaccessible. The objective of this exercise is to evaluate the coordinated response of the IT, Legal, and Public Relations (PR) teams.
Execution: In this scenario, you need to test IT response and recovery, and how the Legal and PR teams handle the attack. Assess the initial detection and containment of the ransomware. Evaluate how quickly data recovery is activated and how smoothly services and systems are restored to operational status.
This cyber tabletop exercise scenario also tests the company’s understanding of legal obligations related to data breaches. It assesses how well prepared your legal team is for potential litigation or investigations.
This cyber security drill example will also help in testing how concise the communication strategies for internal and external stakeholders are. You can see how well the PR and Communications team handles public perception and reputation during and after the incident. You should evaluate your holding statements and press releases as well as the handling of media inquiries during this drill.
Objective: This exercise will highlight any gaps in current incident response plans. It will help you identify areas for improvement in inter-departmental communication, and ensure all teams are prepared to effectively manage a real-world ransomware event.
[Figure: Cyber Security Drill Examples: A Visual Guide for Objectives and Key Takeaways]
Scenario: A trusted vendor's systems are compromised. The malware is now spreading into your own systems. Initial alerts indicate unusual activity in your environment tied directly to the vendor’s access channels. Critical systems may now be exposed, sensitive data is at risk, and business operations could soon be disrupted.
Execution: In this cyber tabletop exercise scenario, you will be able to see how watertight your third-party security is. Participants are walked through the unfolding crisis in phases, simulating the real-world escalation of a supply chain breach.
In the discovery phase, the SOC identifies anomalous activity linked to the vendor’s account. Suspicious outbound connections and privilege escalations are observed. Leadership is briefed on the situation.
In the next phase, teams must decide whether to cut off all vendor access immediately—risking operational disruption—or keep access live for investigation. Incident response teams must coordinate with the vendor to validate the compromise and exchange intelligence.
You will be able to evaluate how equipped your team is to handle a supply chain breach. What are your incident containment strategies? Is your team able to quickly implement immediate actions to isolate affected systems and prevent further malware proliferation? Core discussions should include communication protocols with the vendor and internal stakeholders.
It will also test how potentially affected customers are handled. You can also assess the steps for data recovery and system restoration, and whether they are effective enough.
Objective: The core purpose of this exercise is to test and strengthen your organisation’s ability to respond to a vendor-originated attack. The focus, of course, is on third-party risk management. Through this cyber drill scenario, you'll be able to evaluate how effectively your teams can work with compromised vendors and assess contractual obligations.
This drill will test executive and technical leadership’s ability to balance business continuity with security containment. Stress-testing existing incident response playbooks for supply chain breaches is a highlight of this tabletop exercise example. After this cyber drill, you should walk away with solid insights into how effectively your business can isolate threats, protect core assets, and restore operations quickly while maintaining stakeholder trust.
Scenario: A disgruntled employee with privileged access decides to sabotage critical systems before leaving the organisation. They have corrupted sensitive data, disabled security controls and planted backdoors. The malicious actions bypass many external security measures because the insider already has legitimate access. Suddenly, critical business operations grind to a halt.
Execution: Security teams notice unusual activity, such as mass file deletions. HR informs leadership that the employee recently resigned or was put on notice.
Technical teams must decide whether to immediately terminate the insider’s access—risking data loss if systems are already compromised—or monitor activity further to understand the full scope. Leadership must decide how to prioritise restoration of services while handling potential fallout from customers and regulators. Legal and HR teams must coordinate on disciplinary actions, law enforcement engagement, and employee communications.
Objective: The primary purpose of this exercise is to test the organisation’s preparedness for malicious insider threats. The first and foremost aspect of cybersecurity this cyber drill example will highlight is how effectively insider access is monitored, restricted, and revoked. You’ll also be able to test how quickly unusual activity is identified and escalated. This exercise should help you validate coordination between security, IT, HR, legal, and executive leadership during a sensitive internal crisis.
Running a cyber security drill example once in a while is not enough. True organisational resilience against sophisticated cyber threats isn't built on sporadic, isolated efforts. Instead, it stems from a continuous commitment to realistic cyber security drills. Executive-level engagement is equally important. This holistic approach ensures that both leadership and technical teams are poised to respond effectively when faced with the chaos of a real-world cyber attack.
At Cyber Management Alliance, we understand the critical importance of proactive defence. We specialise in empowering organisations to design and execute impactful drills and tabletop exercises that go beyond theoretical knowledge. Our expert-led exercises simulate real-world cyber attack scenarios, allowing your teams to practice their response in a controlled yet challenging environment. This hands-on experience, guided by global leaders in cyber preparedness, is invaluable for identifying weaknesses and refining processes.
From NCSC Assured Cyber Incident Planning and Response training to custom playbooks and expert-led exercises, we are the global leaders in preparing businesses to withstand the chaos of modern cyber attacks.
Our expertise ensures that your organisation is not just reacting to threats, but proactively testing and fortifying its resilience before attackers exploit vulnerabilities. The time to test your defences is now, not when you're already under siege.