
LYKOS DEFENCE

Readiness. Response. Resilience.

How to Test and Exercise Your Incident Response Plan


Why Testing Matters

Even the best incident response plan is only theory until you test it. In the middle of a real security incident, stress levels rise, time pressure mounts, and communication channels quickly become strained. The organisations that respond effectively are those that have already rehearsed what to do and who to call, not for the first time, but as part of a deliberate cycle of preparation and improvement.

This article explains how to validate and strengthen your IR capability through structured exercises. It follows the first two parts of this series: developing an Incident Response Plan (IRP) and creating Incident Response Playbooks. With your plan and playbooks in place, the next step is to test them.

Need a clearer picture of your organisation’s incident response capability?

If you’re unsure whether your plans and playbooks would hold up during a real incident, explore our Incident Capability Validation. It’s a fixed-scope engagement designed to baseline and stress-test your response capability before the next serious event.

“Everyone has a plan until they get punched in the mouth.”
— Mike Tyson

No plan or playbook survives first contact with a real incident. Testing allows your team to identify what works, what doesn’t, and where gaps exist before the next crisis occurs. It turns theoretical readiness into operational confidence.

Incident response testing isn’t just for large enterprises. Smaller or resource-constrained organisations often believe they lack the time or staff to run meaningful exercises. In reality, a well-facilitated tabletop exercise (TTX) with the right people can reveal more about your true state of preparedness than a dozen new security tools.

Why Testing Matters for Regulated and High-Consequence Organisations

For regulated and high-consequence organisations, incident response testing isn’t just a training activity; it’s an assurance activity. Leadership teams increasingly need confidence that escalation paths, decision authorities, communications, and regulatory obligations will hold up during a real incident.

The difference between organisations that manage incidents calmly and those that struggle is rarely the written plan. It’s whether that plan has been tested under realistic conditions.

Before diving into how, it’s worth defining what kind of testing we mean.

What a Tabletop Exercise Is and Isn’t

A TTX is a structured, discussion-based activity where participants walk through a simulated incident scenario in a safe, low-pressure environment. It’s designed to test decision-making, communication, and coordination rather than technology.

Unlike a penetration test or red team engagement, a TTX doesn’t involve real systems or live attacks. Instead, it focuses on people, processes, and planning. The goal is to validate whether your IRP and playbooks are practical and clearly understood by everyone involved.

Tabletops can be as simple as a one-hour meeting around a whiteboard or as sophisticated as a multi-department, multi-day workshop with simulated media pressure and regulator notifications. The key is to make the exercise realistic and relevant to your organisation.

Why Testing and Exercises Are Essential

If you don’t test your IRP, your teams will likely discover weaknesses at the worst possible time: during an actual breach. Common pitfalls include unclear decision authority, delays in escalation, confusion over communication responsibilities, and missed regulatory deadlines.

Case Study

Consider the case of a mid-sized financial services firm in Singapore that suffered cloud data exposure; a developer had accidentally made a storage bucket public, exposing sensitive customer data. The company had an IRP on paper, but it had never been tested. When the leak was discovered by an external researcher, chaos followed.

IT staff began investigating without notifying the security lead. Legal wasn’t informed until journalists reached out for comment. The firm’s regulator wasn’t notified within the required 72-hour window. As a result, what could have been a minor, well-managed disclosure became a reputational crisis.

Testing would have surfaced these gaps early: who decides when to escalate, who contacts the regulator, and how to communicate with customers. These are precisely the kinds of coordination failures that structured exercises are designed to uncover before they occur in the real world.

Testing is the bridge between theory and readiness. It validates assumptions, strengthens coordination, and builds confidence across both technical and non-technical teams.

Types of Incident Response Exercises

IR exercises come in different forms, each suited to different levels of maturity.

Tabletop Exercises (TTX) are discussion-based and focus on coordination and decision-making. They’re ideal for introducing IR concepts to leadership teams or validating newly developed playbooks.

Functional Exercises (Rehearsals of Concept) involve limited simulations of specific actions, such as testing containment procedures, backup restoration, or communication channels. These exercises often use real tools and systems, but only for a defined scope.

Full Simulations or Red / Purple Team Exercises are comprehensive, live-fire tests that combine technical attack simulation with the full IR process. They’re suitable for mature organisations with well-established detection, response, and recovery capabilities.

For most mid-sized organisations, starting with TTXs is the most practical and valuable step. They’re low-cost, low-risk, and provide immediate insight into how well your people and processes will perform under pressure.

Not sure whether your current plans and playbooks are ready to be exercised?

Start with our Incident Response Plan & Playbooks: 10-Minute Quality Check. It’s a quick way to identify common gaps before running your first tabletop exercise.

How to Plan and Run an Effective Tabletop Exercise

Running an effective TTX doesn’t require a dedicated training facility or a large budget. What matters is clarity of purpose, realistic scenarios, and strong facilitation.

Step 1: Define Your Objectives

Before anything else, decide what you want to test. Are you focusing on communication between IT and legal? Do you want to test escalation paths or decision authority? Are you validating a new playbook? Clear objectives keep the session focused and measurable.

Step 2: Choose a Realistic Scenario

Pick a scenario that aligns with your environment and risk profile. Common options include:

  • A phishing email leading to account compromise
  • Insider data exfiltration from a shared drive
  • Cloud storage misconfiguration resulting in data exposure
  • A vendor system breach affecting your supply chain

Scenarios should be believable and relevant. Avoid over-complicating early exercises with nation-state adversaries or highly technical attacks.

Step 3: Identify Participants

Include the people who would be involved in a real incident: IT operations, security analysts, legal counsel, communications, HR, and leadership. Having decision-makers present ensures that discussions reflect realistic escalation and approval flows. It also helps secure buy-in for security investments that address the gaps the exercise identifies.

Step 4: Develop Injects and the Master Scenario Events List

An “inject” is a piece of information introduced during the exercise to move the discussion forward. Examples include:

  • “You receive an alert from your cloud provider about unusual data access.”
  • “A journalist emails the press office requesting comment.”
  • “Your regulator calls asking if you’ve been affected by a similar breach.”

Injects prompt participants to react, communicate, and make decisions as they would in real life. In addition to the inject itself, your facilitator(s) should have a master events list in front of them during the exercise. This list can be as simple as a spreadsheet, but should include details like:

  • The date and time an inject takes place
  • Any additional information related to the adversary activity that caused the inject or observed behaviour
    • This context may or may not be provided to participants depending on the flow of the conversation and decisions during the exercise
  • Mapping for TTPs back to frameworks like MITRE ATT&CK
  • Tools or software the adversary or defenders might use during a particular inject
  • Potential mitigations or data sources to use pre- and post-infection
  • Expected outcomes, or what the defenders should do based on existing IR documentation like plans and playbooks

This additional information ensures the organisation and exercise participants are evaluated against a baseline and that any gaps or challenges can be directly tied back to existing plans or frameworks for future improvements.

Step 5: Facilitate Neutrally

A good facilitator keeps the discussion flowing and ensures everyone contributes. The session shouldn’t feel like an exam. The focus is learning, not pointing fingers or assigning blame. Encourage open discussion and challenge assumptions respectfully. Be prepared for difficult moments: if someone says ‘that would never happen,’ provide examples of when it has happened before (either at the participating organisation or elsewhere).

Step 6: Capture Lessons Learned

Appoint a scribe or note-taker to capture key observations: what worked, what caused confusion, and what decisions were delayed. Part of the exercise should be testing existing documentation procedures:

  • Do the participants keep a timeline of response activity?
  • Is there a timeline of adversary or incident activity?
  • Are communication paths opened at appropriate times or scheduled at reasonable intervals?
  • If multi-day or multi-geography, do handovers take place? And do those meetings include all the relevant information?

Step 7: Assign Follow-Up Actions

Translate lessons into specific actions, such as updating contact lists, refining playbooks, or scheduling additional training.

Every exercise should feed back into your IRP and playbooks. Testing is part of an ongoing cycle, not a one-off event. Over time, this continuous improvement process matures your capability and builds institutional memory.
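Steps 4, 6 and 7 describe a loop: a master scenario events list that states what each inject should trigger, a scribe’s timeline of what the team actually did, and follow-up actions derived from the difference. The following is an added example (not Lykos Defence’s tooling or template) of that loop as code: a small MSEL model, an evaluation that classifies each expected outcome as met, late or missed against the scribe timeline, and a generator for follow-up items. The scenario, times, action labels and participants are constructed for illustration; the ATT&CK ID T1530 (Data from Cloud Storage) is a real technique ID used here as an illustrative mapping.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Inject:
    """One row of the master scenario events list (MSEL) from Step 4."""
    at: datetime                     # exercise-clock time the facilitator delivers it
    text: str                        # what participants are told
    ttps: list[str]                  # ATT&CK technique IDs, facilitator context only
    expected: list[str]              # actions the IRP/playbooks say should follow
    within: timedelta | None = None  # time limit for those actions, if the plan sets one
    notes: str = ""                  # background the facilitator may release at their discretion


@dataclass
class Observed:
    """One line of the scribe's response timeline (Step 6)."""
    at: datetime
    action: str                      # same label as an expected action in the MSEL
    by: str


def build_msel(injects: list[Inject]) -> list[Inject]:
    """Order the MSEL by exercise time; reject rows with no baseline to evaluate against."""
    if len({i.at for i in injects}) != len(injects):
        raise ValueError("two injects share the same delivery time")
    for inj in injects:
        if not inj.expected:
            raise ValueError(f"inject at {inj.at:%H:%M} has no expected outcome")
    return sorted(injects, key=lambda i: i.at)


def evaluate(msel: list[Inject], timeline: list[Observed]) -> list[dict]:
    """Classify every expected action of every inject as met, late or missed.

    An action counts only if the scribe recorded it at or after the inject was
    delivered; anything recorded earlier was not a response to that inject.
    """
    findings = []
    for n, inj in enumerate(msel, start=1):
        result = {"inject": n, "met": [], "late": [], "missed": []}
        for exp in inj.expected:
            hits = [o for o in timeline if o.action == exp and o.at >= inj.at]
            if not hits:
                result["missed"].append(exp)
                continue
            delay = min(o.at for o in hits) - inj.at   # time from inject to first matching action
            bucket = "late" if inj.within is not None and delay > inj.within else "met"
            result[bucket].append((exp, delay))
        findings.append(result)
    return findings


def follow_up_actions(msel: list[Inject], findings: list[dict]) -> list[str]:
    """Turn gaps into Step 7 follow-up items that point back at the plan or playbook."""
    actions = []
    for f in findings:
        inj = msel[f["inject"] - 1]
        for exp in f["missed"]:
            actions.append(f"Inject {f['inject']}: '{exp}' never happened; "
                           "confirm the playbook names an owner for this step")
        for exp, delay in f["late"]:
            actions.append(f"Inject {f['inject']}: '{exp}' took {delay} against a limit of "
                           f"{inj.within}; review the escalation path")
    return actions


def run_example() -> tuple[list[dict], list[str]]:
    """Constructed sample exercise: a cloud storage misconfiguration scenario."""
    t0 = datetime(2025, 1, 1, 9, 0)   # nominal exercise start (constructed)
    msel = build_msel([
        Inject(t0, "An external researcher emails support: a storage bucket with "
                   "customer records is publicly readable.",
               ttps=["T1530"], expected=["notify_security_lead", "open_incident_ticket"],
               within=timedelta(minutes=30),
               notes="Bucket ACL was changed by a developer two days earlier."),
        Inject(t0 + timedelta(minutes=45), "A journalist emails the press office requesting comment.",
               ttps=[], expected=["brief_legal", "brief_comms"], within=timedelta(hours=1)),
        Inject(t0 + timedelta(hours=2), "Security confirms roughly 40,000 customer records were exposed.",
               ttps=["T1530"], expected=["notify_regulator", "decide_customer_notification"],
               within=timedelta(hours=72)),
    ])
    # Scribe timeline as it might be recorded during the session (constructed).
    timeline = [
        Observed(t0 + timedelta(minutes=10), "open_incident_ticket", "IT operations"),
        Observed(t0 + timedelta(minutes=50), "notify_security_lead", "IT operations"),
        Observed(t0 + timedelta(minutes=60), "brief_comms", "Security lead"),
        Observed(t0 + timedelta(hours=3), "notify_regulator", "Legal counsel"),
    ]
    findings = evaluate(msel, timeline)
    return findings, follow_up_actions(msel, findings)


if __name__ == "__main__":
    findings, actions = run_example()
    for f in findings:
        print(f)
    for a in actions:
        print("-", a)
```

In the constructed run, the security lead is told 50 minutes after the first inject against a 30-minute expectation, legal is never briefed after the journalist inject, and no customer-notification decision is recorded, so three follow-up items come out, each tied to the inject and the plan step it came from. The design choice that matters is that expected outcomes are written into the MSEL before the session starts; without that baseline, an after-action report is only a list of impressions.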

Best Practices for Effective Exercises

Start small. Your first tabletop doesn’t need to test the entire organisation. A focused, well-run 90-minute session can be more valuable than a sprawling, all-day event.

Make it realistic. Base scenarios on recent threat trends or incidents within your industry. Authenticity keeps participants engaged and ensures lessons are relevant.

Include leadership. Senior managers often make the most critical decisions during an incident: authorising containment, approving notifications, or communicating with the board. Their participation is vital.

Document everything. The outputs of an exercise (decisions, observations, and follow-ups) are what drive measurable improvement. Treat them as living records.

Close the loop. Testing isn’t about passing or failing; it’s about learning. Feed every lesson back into your plans, update your playbooks, and track progress over time.

Repeat regularly. Aim to conduct at least one exercise annually, or whenever there are major changes to personnel, infrastructure, or regulatory obligations.

Maintain evidence of exercises. Document scenarios, decisions, lessons learned, and remediation actions. This record helps demonstrate readiness to leadership, regulators, and insurers.

Continuous Improvement and Readiness

Exercises aren’t just about testing; they’re about building muscle memory. Each round of practice helps your team respond faster, coordinate better, and make decisions with greater confidence. Over time, regular testing transforms IR from a reactive scramble into a structured, coordinated capability.

By embedding testing into your IR lifecycle, you align with the continuous improvement principles found in frameworks like NIST CSF and ISO/IEC 27035. This approach ensures your organisation’s response evolves alongside changing threats, technologies, and business priorities.

Turning Plans into Practice

IR capability isn’t proven by having documents in a folder; it’s demonstrated through action: people coming together to solve realistic problems in a controlled environment before they have to do it for real.

Start simple. Schedule your first tabletop exercise within the next 90 days. Keep it focused, relevant, and short enough to encourage participation. Capture what you learn, update your plans and playbooks, and build from there.

If you’re unsure where to begin, start with our Incident Response Plan & Playbooks: 10-Minute Quality Check.

If you want to rehearse decision-making under pressure, explore our Cybersecurity Tabletop Exercises.

And if you need a structured baseline of your current capability, see our Incident Capability Validation.

The goal isn’t perfection; it’s building the coordination, confidence, and capability that allow your organisation to respond effectively when incidents occur.




Disclaimer: This content may have been edited or refined with assistance from AI tools. All final content, views, and recommendations are our own.