When a Galway-based manufacturing firm ran its first tabletop exercise in 2025, the result was uncomfortable — and invaluable. The scenario was a ransomware attack discovered on a Monday morning. Within twenty minutes of the simulated incident, three critical gaps appeared: nobody was certain who had authority to take systems offline, the contact number for their IT support provider was in an email system that was also "encrypted" in the scenario, and the GDPR breach notification clock had been ticking for two hours before anyone mentioned the Data Protection Commission. No data was lost, no systems were actually affected, and the firm had two weeks to fix all three problems before a real incident could exploit them. That is exactly what a tabletop exercise is designed to do.
What a Tabletop Exercise Is
A tabletop exercise is a structured discussion in which key people across your business walk through a simulated cyber incident scenario in a meeting room environment. Nobody touches any systems. Nobody is under real pressure. The scenario is guided by a facilitator who introduces events and complications as the discussion progresses, and participants work through how they would respond, who would make which decisions, and what the communication chain looks like.
The exercise is not a test to pass or fail. It is a diagnostic — a safe way to surface the assumptions, gaps, and misunderstandings that live in every incident response plan and that will matter enormously when the plan has to be executed for real under time pressure. The NCSC Ireland recommends that organisations conduct regular exercises as part of a mature incident response programme, and it is increasingly an expectation under NIS2 for businesses in scope of that directive.[^1]
Does your leadership team know who makes the call to take systems offline during a ransomware attack — and who they call first? Book a free 20-minute strategy call — we facilitate tabletop exercises for Irish SMEs and can show you what your current plan would look like under pressure.
How to Design a Useful Exercise
The most important design decision is the scenario. It needs to be credible and relevant to your business. For an Irish accountancy firm in Sligo, a Business Email Compromise scenario involving a fraudulent payment instruction is more relevant than a nation-state attack on industrial control systems. For a healthcare provider in Donegal, a ransomware scenario that locks clinical records and forces a question about patient safety is closer to home.
Once you have a scenario, build it out with a timeline of injected events — new pieces of information the facilitator introduces to move the discussion forward. A ransomware exercise might begin with "Your IT manager has just called to say several computers won't boot and are showing an unusual screen." Then thirty minutes later: "A journalist has emailed asking whether you can confirm reports of a cyberattack." Then later: "Your backup solution provider has just advised that the backup server was also encrypted." Each inject forces a new decision and reveals new gaps.
The right people to include in a tabletop exercise are not just IT staff. The most valuable participants are leadership and management, because many of the hardest decisions in a real incident are not technical — they are commercial, legal, and reputational. Your legal advisor, finance director, communications lead, and any relevant department heads should be in the room. The more cross-functional the group, the more gaps the exercise will expose.
What Good Facilitation Looks Like
A skilled facilitator does not let participants skip past difficult decisions. When someone says "we would contact our IT provider," the facilitator asks: who specifically, using what number, and what if they are unavailable? When someone says "we would notify the DPC," the facilitator asks: who drafts the notification, within what timeframe, and has anyone confirmed the 72-hour window under GDPR? These follow-up questions are where the real learning happens.
The facilitator should also introduce pressure. In a real incident, decisions have to be made with incomplete information, under time constraints, with phone calls coming in simultaneously. Injecting that pressure into the discussion — "the CEO is being called by a journalist right now, what do you tell them?" — tests whether your team can hold their process together when it is not comfortable.
An Garda Síochána's National Cyber Crime Bureau (NCCB) emphasises that preparation and planning are the most effective defences against the impact of cyber attacks. Businesses that have rehearsed their response consistently perform better in real incidents — the decisions are faster, the communication is clearer, and the recovery is quicker.[^2]
After the Exercise
The debrief is where the exercise pays off. Within 48 hours of completing the session, document what was discussed, what gaps were identified, and what actions were agreed. Assign an owner and a deadline to each action. Common outputs from a first tabletop exercise include an updated contact list with out-of-band phone numbers, a clearer decision-making authority matrix, a revised communication template for notifying customers and regulators, and specific technical controls that need to be in place before the next exercise.
The Data Protection Commission expects organisations to demonstrate that they have procedures in place to handle a data breach effectively, including the 72-hour notification requirement.[^3] A documented tabletop exercise — with evidence of the follow-on actions taken — is exactly the kind of record that shows regulators you take your obligations seriously.
The businesses that recover fastest from cyber incidents are not the ones that were never attacked — they are the ones that practised their response before it happened.
What to Do Next
Three actions will help you start building this capability into your business:
Schedule a tabletop exercise this quarter. It does not need to be elaborate. A two-hour session with your leadership team, a simple ransomware scenario, and a written debrief is enough to surface the most critical gaps. Do it before the end of the financial quarter — not after a breach.
Build an offline contact list. One of the most consistent findings in tabletop exercises is that critical contact information lives in email systems that may be inaccessible during an incident. Print and store a one-page contact sheet — IT provider emergency line, legal counsel, insurance broker, NCSC Ireland (1800 CYBER1), and your DPC notification contact.
Run it again in six months. A single exercise is a start. Twice-yearly exercises with progressively more complex scenarios build genuine organisational resilience. Each exercise should test whether the actions from the previous debrief have been completed.
Related Reading
- Building an Incident Response Plan: A Template for Irish SMEs
- What Happens to a Small Business After a Cyber Attack
- Business Continuity Planning for Cyber Incidents
[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission — Breach Notification: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.