After this lesson, you will be able to: Lead a tabletop exercise from start to finish, making decisions at each stage of the incident as if you were the IR lead.
Tabletop exercises are how real security teams stress-test their plans without setting anything on fire. This lesson gives you a complete scenario and walks you through the decisions that get made at each phase.
A tabletop is a written-and-spoken simulation of a security incident. No tools, no logs, just decisions. Participants assume real roles (IR lead, comms, legal, exec sponsor, on-call engineer) and walk through what they would do given the information available at each step. The artefact is a list of decision points where the plan was unclear, the comms didn't work, or the runbooks didn't fit reality, those become the post-tabletop action items.
What was in place that helps you right now?
Is there an IR playbook for credential compromise? Where is it stored? Can you find it in 30 seconds?
Is there a known on-call schedule? Who is on shift?
Is there a pre-approved escalation path to legal and comms? Or do you need an exec sign-off?
Is MFA enforced? On admin accounts specifically?
Is there a SIEM that lets you query sign-in events across all users? Do you have query access right now?
Confirm scope before sounding the alarm.
Query the SIEM: how many accounts have signed in from the suspicious IP in the last 30 days?
Query for any privileged accounts in that set
Query for MFA prompts that were denied (push fatigue evidence?)
Identify the BUSINESS IMPACT: which apps does each compromised account have access to?
Decide if this is a Sev-1 (immediate, board-level), Sev-2 (significant), or Sev-3 (contained); document your reasoning
Buy time by limiting attacker's options.
Force a password reset on all confirmed-compromised accounts
Force a session revocation across SSO (Entra: 'Revoke all sessions'; Okta: similar)
For users that show MFA fatigue evidence, also reset MFA factors
If there's CFOO/CTO/CEO involvement (privileged accounts), notify Legal and Comms immediately
Draft a one-paragraph internal Slack update for the wider engineering channel; have your manager sign off before posting
Remove the threat and restore trust.
Check sign-in logs for anything the compromised accounts did since the first suspicious login. Were emails sent? Files downloaded?
If data was accessed, document what and notify the data owners + Legal
Verify all reset accounts can sign back in cleanly
Review firewall and IAM rules for changes the attacker might have made (new app passwords, new MFA methods, OAuth grant additions)
Decide on the comms posture: do affected users get a personalised email? An all-hands announcement? Both?
Turn this into improvement.
Write the IR report (1-2 pages, see the cs-vuln-cve template, adapt for IR)
Identify root cause: was MFA on those accounts? Was the SIEM query you needed available? Was the playbook usable?
List 3-5 concrete action items: 'Enable phishing-resistant MFA on all admin accounts by <date>'; 'Add CISA KEV-style monitoring for credential-stuffing IPs.'
Schedule a 30-minute team-wide review of the incident within 2 weeks
File each action item as a Jira ticket with owner and deadline
Treating containment as eradication. Resetting passwords doesn't remove a backdoor. Forgetting comms. Engineers blast updates internally; legal and comms find out from a board member, not great. No timeline. Every IR report needs a timeline (when did detection occur, when did containment occur, etc.). Reconstruct it from logs as you go. Skipping the post-incident review. The action items are the actual deliverable; everything before was just getting to the table. Treating tabletops as performance. The whole point is to find gaps; if you 'pass' a tabletop, you ran it wrong.
Pick the cleanest answer.
Sign in and purchase access to unlock this lesson.