Performing SOC Tabletop Exercise
When to Use
Use this skill when:
- Annual or semi-annual incident response testing is required (NIST, ISO 27001, PCI DSS compliance)
- New SOC analysts need exposure to major incident scenarios in a controlled environment
- Updated playbooks need validation before next real incident
- Cross-functional coordination (SOC, IT, Legal, PR, Executive) needs rehearsal
- Post-incident reviews reveal gaps requiring scenario-based training
Do not use as a replacement for technical purple team exercises — tabletop exercises test processes and decision-making, not technical detection capabilities.
Prerequisites
- Exercise facilitator with incident response experience
- Participant list: SOC analysts (Tier 1-3), SOC manager, IT operations, Legal, HR, Communications
- Conference room or video call with screen sharing capability
- Printed or digital scenario injects with timed release schedule
- Evaluation scorecard for assessing participant responses
- Existing incident response plan and playbooks for reference during exercise
Workflow
Step 1: Design Exercise Scenario
Create a realistic multi-phase scenario with escalating complexity:
tabletop_exercise:
title: "Operation Dark Harvest — Ransomware Attack Scenario"
exercise_id: TTX-2024-Q1
date: 2024-03-22
duration: 3 hours (09:00-12:00)
classification: TLP:AMBER (internal use only)
objectives:
1: "Test SOC team's ability to detect and triage ransomware indicators"
2: "Validate escalation procedures from Tier 1 to incident commander"
3: "Assess cross-functional communication with Legal, PR, and Executive leadership"
4: "Evaluate containment decision-making under time pressure"
5: "Test backup recovery procedures and business continuity activation"
participants:
- role: SOC Tier 1 Analyst (2 participants)
- role: SOC Tier 2 Analyst (2 participants)
- role: SOC Manager / Incident Commander
- role: IT Operations Lead
- role: CISO (or delegate)
- role: Legal Counsel
- role: Communications / PR
- role: Business Unit Leader (Finance)
scenario_background: >
Your organization is a mid-size financial services company with 2,500 employees.
The SOC operates 24/7 with 6 analysts per shift using Splunk ES and CrowdStrike Falcon.
It is Friday afternoon at 3:45 PM. The weekend IT skeleton crew starts at 5 PM.
Step 2: Create Timed Injects
Design scenario injects released at scheduled intervals:
injects:
inject_1:
time: "T+0 (3:45 PM)"
title: "Initial Alert"
content: >
Splunk ES generates a notable event: "Shadow Copy Deletion Detected"
on FILESERVER-03 (10.0.10.50, Finance Department file server).
The alert shows: vssadmin.exe delete shadows /all /quiet
Source user: svc_backup (service account)
This is the first alert from this host today.
questions:
- "What is your initial assessment of this alert?"
- "What additional data would you query in Splunk?"
- "Is this a Tier 1 triage item or immediate escalation?"
inject_2:
time: "T+10 minutes"
title: "Escalating Indicators"
content: >
While investigating the first alert, two more alerts fire:
1. "Mass File Modification Detected" — 2,847 files renamed with .locked extension
on FILESERVER-03 within 5 minutes
2. "Suspicious PowerShell Encoded Command" on WORKSTATION-118 (10.0.5.118)
— same svc_backup account used
CrowdStrike shows process tree: explorer.exe > cmd.exe > powershell.exe -enc [base64]
questions:
- "What is your updated assessment? What incident severity would you assign?"
- "What immediate containment actions would you take?"
- "Who needs to be notified at this point?"
- "How do you determine if this is confined to these two hosts?"
inject_3:
time: "T+25 minutes"
title: "Scope Expansion"
content: >
Enterprise-wide Splunk search reveals:
- 7 additional hosts showing .locked file extensions
- All affected hosts are in the Finance VLAN (10.0.10.0/24)
- svc_backup account was used to RDP to all affected hosts starting at 3:30 PM
- A ransom note "README_UNLOCK.txt" found on all affected hosts
- Ransom note demands 50 BTC, includes Tor payment portal link
- IT reports the svc_backup password was changed 2 days ago (not by IT team)
questions:
- "This is now a confirmed ransomware incident. What is your incident classification?"
- "Walk through your containment strategy — what do you isolate and in what order?"
- "Should you shut down the Finance VLAN entirely? What are the trade-offs?"
- "When and how do you notify executive leadership?"
inject_4:
time: "T+45 minutes"
title: "Business Impact and External Pressure"
content: >
The CFO calls the SOC Manager directly:
"We are closing the quarter-end books this weekend. Finance absolutely needs
access to FILESERVER-03 by Monday morning or we miss SEC filing deadlines."
Additionally:
- Legal asks if customer PII was on any affected servers
- PR reports a journalist called asking about "cybersecurity issues at [company]"
- The ransom note deadline is 48 hours
- IT reports last verified backup of FILESERVER-03 is from Wednesday (3 days old)
questions:
- "How do you balance containment security with business pressure from the CFO?"
- "What is your recommendation on ransom payment? Who makes this decision?"
- "What information does Legal need to assess breach notification obligations?"
- "How do you handle the media inquiry?"
- "Can you recover from the 3-day-old backup? What data is lost?"
inject_5:
time: "T+70 minutes"
title: "Forensic Discovery"
content: >
Tier 3 forensic analysis reveals:
- Initial access was via compromised VPN credentials (svc_backup)
- Credentials were found in a dark web dump from a third-party vendor breach
- Attacker had access for 5 days before deploying ransomware
- Evidence of data exfiltration: 15GB uploaded to Mega.nz over 3 days
- Exfiltrated data includes customer PII (SSN, account numbers) for 12,000 clients
- The ransomware variant is identified as LockBit 3.0
questions:
- "How does confirmed data exfiltration change your response?"
- "What are the regulatory notification requirements? (SEC, state breach laws)"
- "What is the timeline for customer notification?"
- "Should you engage external IR firm? Law enforcement?"
- "How do you handle the vendor who was the source of the credential compromise?"
inject_6:
time: "T+90 minutes"
title: "Recovery Decision Point"
content: >
You are now 6 hours into the incident. Status:
- All 9 affected hosts isolated
- Finance VLAN segmented from corporate network
- LockBit C2 domain blocked at firewall and DNS
- No decryptor available for LockBit 3.0
- Wednesday backup verified clean but 3 days of data missing
- CEO asks for a full situation briefing in 30 minutes
questions:
- "Prepare a 5-minute executive briefing. What do you include?"
- "What is your recovery plan and estimated timeline?"
- "What monitoring will you put in place during and after recovery?"
- "What immediate security improvements would you recommend?"
Step 3: Facilitate the Exercise
Facilitator Guide:
EXERCISE FACILITATION PROTOCOL
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. OPENING (10 min)
- State exercise objectives and ground rules
- Emphasize: "No wrong answers — this is about testing process, not individuals"
- Remind participants this is a simulation — no actual systems are affected
- Identify the exercise observer/scribe
2. INJECT DELIVERY (110 min)
- Present each inject on screen, allow 2 min reading time
- Ask guided questions to each role group
- Allow discussion but keep on timeline
- Inject additional pressure/complications as needed
- Record decisions, rationale, and gaps identified
3. DISCUSSION RULES
- Participants respond in-character (their actual role)
- Reference actual playbooks and procedures when available
- If participants are unsure, that IS the finding
- Facilitator may add "hot injects" if discussion stalls
4. CLOSING (40 min)
- Hot wash: Each participant shares one thing that went well, one gap
- Facilitator summarizes key findings
- Identify top 5 action items with owners and due dates
Step 4: Evaluate Participant Responses
Score responses against expected outcomes:
evaluation_criteria:
detection_and_triage:
expected: "Immediately recognize shadow copy deletion as ransomware precursor"
scoring:
excellent: "Correctly identified within 2 minutes, initiated proper escalation"
adequate: "Identified after discussion, correct escalation path"
needs_improvement: "Did not recognize significance, delayed escalation"
containment_decision:
expected: "Isolate affected hosts via EDR, segment Finance VLAN, preserve evidence"
scoring:
excellent: "Immediate isolation, correct priority order, evidence preservation"
adequate: "Isolation performed but delayed or incomplete prioritization"
needs_improvement: "Considered powering off hosts (destroys evidence) or delayed isolation"
communication:
expected: "Timely notification chain: SOC Manager -> CISO -> Legal -> Executive"
scoring:
excellent: "Proper notification within defined SLAs, clear and concise briefings"
adequate: "Notifications made but slightly delayed or incomplete"
needs_improvement: "Key stakeholders not notified, unclear communication"
business_continuity:
expected: "Balance security containment with business recovery needs"
scoring:
excellent: "Realistic recovery timeline communicated, alternative workarounds proposed"
adequate: "Recovery discussed but timeline unclear"
needs_improvement: "Overcommitted on timeline or ignored business impact"
Step 5: Generate After-Action Report
after_action_report:
exercise: TTX-2024-Q1 "Operation Dark Harvest"
date: 2024-03-22
participants: 10
duration: 3 hours
executive_summary: >
The tabletop exercise tested the organization's ransomware response capabilities
across detection, containment, communication, and recovery phases. The SOC team
demonstrated strong technical triage skills but gaps were identified in cross-
functional communication and backup recovery procedures.
strengths:
- SOC analysts correctly identified ransomware indicators within first inject
- Containment decision-making was swift and technically sound
- Legal team was well-prepared on breach notification requirements
- IT operations had clear understanding of backup recovery procedures
gaps_identified:
- gap_1:
finding: "No documented procedure for notifying CISO after-hours"
risk: High
action: "Update escalation contacts with personal phone numbers and backup contacts"
owner: SOC Manager
due_date: 2024-04-05
- gap_2:
finding: "Backup recovery testing has not been performed in 6 months"
risk: Critical
action: "Schedule quarterly backup restoration drill"
owner: IT Operations Lead
due_date: 2024-04-15
- gap_3:
finding: "No pre-approved media holding statement for cyber incidents"
risk: Medium
action: "Draft and approve 3 holding statement templates with Legal"
owner: Communications Lead
due_date: 2024-04-10
- gap_4:
finding: "Service account (svc_backup) had Domain Admin privileges unnecessarily"
risk: Critical
action: "Audit all service accounts, implement least privilege"
owner: IT Security
due_date: 2024-04-01
- gap_5:
finding: "Unclear decision authority for ransom payment"
risk: High
action: "Document ransom payment decision tree with CEO/Board approval requirement"
owner: CISO
due_date: 2024-04-15
metrics:
overall_score: "72/100 (Adequate)"
detection: "85/100 (Excellent)"
containment: "80/100 (Good)"
communication: "60/100 (Needs Improvement)"
recovery: "65/100 (Needs Improvement)"
next_exercise: "TTX-2024-Q2 — Data Breach / Insider Threat Scenario (June 2024)"
Step 6: Track Remediation and Follow-Up
--- Track action items from tabletop exercise
| inputlookup ttx_action_items.csv
| eval days_remaining = round((strptime(due_date, "%Y-%m-%d") - now()) / 86400)
| eval status_flag = case(
status="Completed", "GREEN",
days_remaining < 0, "RED — OVERDUE",
days_remaining < 7, "YELLOW — DUE SOON",
1=1, "GREEN"
)
| sort - status_flag, days_remaining
| table gap_id, finding, owner, due_date, days_remaining, status, status_flag
Key Concepts
| Term | Definition | |------|-----------| | Tabletop Exercise | Discussion-based simulation where participants walk through incident scenarios without executing technical actions | | Inject | Scenario update introducing new information, complications, or decisions for participants to address | | Hot Wash | Immediate post-exercise debrief where participants share observations and initial lessons learned | | After-Action Report (AAR) | Formal document capturing exercise findings, gaps, strengths, and remediation action items | | Facilitator | Exercise leader who presents injects, guides discussion, and ensures objectives are met | | Decision Point | Moment in the scenario requiring participants to choose between options with trade-offs |
Tools & Systems
- FEMA HSEEP: Homeland Security Exercise and Evaluation Program providing exercise planning methodology
- Tabletop Exercise Framework (NIST SP 800-84): NIST guide for planning and conducting IT security exercises
- Immersive Labs: Platform for cybersecurity crisis simulation and tabletop exercise management
- Infection Monkey: Open-source breach simulation for technical validation of tabletop findings
- Archer: GRC platform for tracking exercise findings and remediation action items
Common Scenarios
- Ransomware Attack: Multi-phase scenario testing detection, containment, ransom decision, and recovery
- Data Breach: Customer PII exposure testing notification requirements, legal obligations, and PR response
- Supply Chain Compromise: Third-party vendor breach impacting organizational systems and data
- Insider Threat: Employee data theft scenario testing HR, Legal, and security team coordination
- Business Email Compromise: CEO fraud wire transfer attempt testing financial controls and verification procedures
Output Format
TABLETOP EXERCISE SUMMARY — TTX-2024-Q1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Scenario: Operation Dark Harvest (Ransomware)
Date: 2024-03-22 (09:00-12:00 UTC)
Participants: 10 (SOC: 5, IT: 1, Legal: 1, Comms: 1, Exec: 2)
Duration: 3 hours (6 injects delivered)
SCORES:
Detection & Triage: 85/100 Excellent
Containment: 80/100 Good
Communication: 60/100 Needs Improvement
Recovery Planning: 65/100 Needs Improvement
Overall: 72/100 Adequate
KEY FINDINGS:
[+] Strong: Ransomware indicators correctly identified immediately
[+] Strong: EDR isolation procedure well understood
[-] Gap: No after-hours CISO notification procedure
[-] Gap: Backup recovery untested for 6 months
[-] Gap: No pre-approved media statement templates
[-] Gap: Service account over-privileged (Domain Admin)
[-] Gap: Ransom payment decision authority undefined
ACTION ITEMS: 5 (Critical: 2, High: 2, Medium: 1)
NEXT EXERCISE: TTX-2024-Q2 (June 2024) — Insider Threat Scenario