Top Cyber Tabletop Exercise Scenarios Businesses Rehearsed in 2023

Date: 16 January 2024

Featured Image

Cyber Crisis Tabletop Exercises took unprecedented priority for businesses worldwide in 2023. As cyber crime escalated to new heights, both in number and complexity, rehearsing relevant cyber tabletop exercise scenarios became critical for security-focussed organisations. 

In this blog, we explore the most popular incident response tabletop exercise scenarios that our clients worldwide practised for during their cyber simulation drills. These include:

1. Ransomware Attacks
2. Data Theft
3. Insider Threat
4. Supply Chain Attack
5. Zero-Day Exploit

A major part of building cyber resilience is creating effective cybersecurity plans and policies. These include your cyber incident response plan, cybersecurity policy, ransomware response checklist and incident response playbooks.

However, the most critical component of cyber resilience is rehearsing what’s in these documents and practising decision-making for a real cyber crisis. All of this can be achieved through regular cyber attack tabletop exercises. 

During a cyber crisis tabletop exercise, a carefully selected list of participants from your organisation responds to a simulated attack scenario as if it were real. It puts your team under pressure to think, act and take decisions like they would in an actual cybersecurity incident.

For this simulated cyber attack drill to be really effective and yield the desired outcomes, it is critical that you choose the right cyber attack tabletop exercise scenario to rehearse. 

New call-to-action

The experts at Cyber Management Alliance created a comprehensive list of the top cyber tabletop exercise scenarios to rehearse. You can refer to this list when designing your own cyber tabletop exercise. You can also take inspiration from the top scenarios our clients practised for globally in the year gone by.

The below list is indicative of the most common, yet threatening scenarios that every organisation must be prepared for. While our clients significantly bolstered their cyber resilience by rehearsing these scenarios in 2023, they continue to be relevant and important in 2024. (Back to the Top)


5 Most Popular Cyber Exercise Scenarios in 2023

Ransomware Attacks 

The most common yet the most menacing cybercrime example of 2023, ransomware attacks brought many large organisations to their knees. No wonder almost every business wanted to prepare for this worst-case event. 

During a ransomware attack, the cyber criminal either locks you out of your systems, encrypts your data or threatens to leak it. In many cases, they do both until you agree to pay up a ransom - something that’s never, ever recommended. 

A popular ransomware tabletop exercise scenario focuses on employees being unable to access any data on a Monday Morning. They are greeted with a ransom message demanding a huge payment in cryptocurrency to unlock the business-critical data. 

This scenario checks how well-trained your staff is in the initial ransomware response steps. It evaluates the agility and effectiveness of communication amongst various departments such as HR, legal, finance, Public Relations and the technical teams. It helps your team practise decision-making under pressure and helps them really zero in on what they would do in case they’re really greeted with this ransom message on their computers one day.      (Back to the Top)

Data Theft

Again, one highly prevalent and seriously damaging cyber crisis scenario. This tabletop scenario rests on highly sensitive customer data being leaked on the dark web, indicating a substantial breach affecting thousands of customers. This situation not only risks significant regulatory fines but can also potentially lead to financial losses and severe damage to the company's reputation. 

This cyber tabletop exercise scenario tests the incident response plan specifically tailored for data breaches. It focuses on the process of notifying the individuals impacted by the breach as well as notifying regulators. 

By rehearsing this scenario, our clients evaluated the existing capabilities of their current technology stacks in detecting and preventing the exfiltration of sensitive data. They were able to identify gaps that needed immediate plugging. It also assessed the effectiveness of communication strategies and gauged the organisation's capacity to handle and mitigate the public relations fallout resulting from the data breach. (Back to the Top)

Insider Threat

This scenario typically focuses on a disgruntled employee leveraging privileged credentials to compromise sensitive or critical business data. Unusual system access patterns and data transfers begin to become apparent. 

We often layer the scenarios with injects to make them all the more absorbing for the participants in the cyber simulation drill. In this scenario, we usually add an inject like the suspected insider’s immediate resignation.  

This scenario immediately tests your organisation’s technological detection measures for data exfiltration and data exposure. It also helps the tabletop exercise participants to rehearse how they would respond to a suspected insider threat. It evokes enthusiastic participation from HR, PR and legal teams. 

The effectiveness of internal investigations and communication protocols is gauged as is the team’s conversancy with the Data Breach Incident Response Plans and protocols.  (Back to the Top)

Back To Top

New call-to-action

Supply Chain Attack

In a globalised world where most businesses rely heavily on third-party vendors and complex supply chains, we encouraged our clients to seriously practise for this scenario in 2023. The backdrop of vicious supply chain attacks like MOVEit, Okta and 3CX made this all the more critical.

In a Supply Chain Attack scenario, you rehearse for a major supplier's systems having been compromised. You then get a notification from the supplier that the infection has most likely spread to your organisation as well. This cyber drill scenario tests your organisation’s capability to detect supplier-based attacks and contain lateral movement. 

You also test your team’s ability to communicate and coordinate with affected suppliers. How well you’re able to implement a contingency plan becomes apparent. Of course, the effectiveness of your incident response plan in relation to supply chain based attacks also becomes clear. (Back to the Top)

Zero-Day Exploit 

A zero-day exploit will usually be the work of an advanced criminal. This scenario was particularly rehearsed by clients who have robust technology infrastructure in place. With this scenario, they are forced to deal with the reality of a newly discovered zero-day exploit in one of their foundational software packages. It threatens to compromise their systems and put their mature cybersecurity processes under intense pressure.

A cyber tabletop exercise based on this critical scenario evaluates the possible ramifications of the exploit on your organisation's systems and data. It catalyses a critical review of your existing incident response plan and incident response playbook for addressing urgent exploits. It will assess how capable your team is of formulating an immediate strategy to mitigate risks until an appropriate patch becomes available.

Back To Top

New call-to-action

You can choose any of the above scenarios for your cyber tabletop exercise in 2024. Practising for scenarios such as these or those that are more specific to your business can significantly boost your organisational cyber resilience posture. 

If you’re now inspired to plan, produce and host a cybersecurity drill in your organisation, you can check out our Masterclass on Conducting a Cyber Tabletop Exercise. It has been created by the world’s top cyber tabletop facilitator and contains invaluable insights from years of experience in conducting these exercises for our global clients. 

You might also want to use our Cyber Attack Tabletop Exercise PPT and Cyber Attack Tabletop Exercise PDF Template for more help.  (Back to the Top)

Get Email Updates on our Latest News

Simply enter you details in the form below to subscribe:

  • Or call us on:
  • +44 (0) 203 189 1422