Cyber Crisis Management

A plan that hasn't been practised is a paper tiger.

An Incident Response Tabletop is a structured exercise in which your crisis team works through a realistic cyber incident. Decision-making, communication and escalation under real pressure.

What is an Incident Response Tabletop?

An Incident Response Tabletop is a facilitated exercise in which your crisis team works through a realistic cyber incident scenario. The focus is on decision-making, communication and escalation, not technical execution. DEFION designs a custom scenario based on the most relevant threats to your organisation, facilitates the session and delivers a written improvement report.

The Service

Make mistakes in safety, not during the real thing

The team designs a custom scenario based on the most probable and impactful threats for your organisation. Ransomware, data breaches, supply chain compromise or insider threat: the scenario is realistic and tailored to your sector and risk profile.

During the exercise, participants are confronted with a developing incident. New information becomes available, the situation escalates, media ask questions, the regulator wants a notification. The team observes, facilitates and challenges participants to make decisions.

After the exercise comes a debriefing with observations, strengths and improvement points. The tabletop is a safe environment to make mistakes, so you do not have to make them during a real incident.

Why it matters

Crisis response is a team skill that requires practice

  • People freeze under pressure they have never experienced

    Crisis response involves decision-making under extreme uncertainty and time pressure. Without prior practice, even well-prepared individuals can become paralysed. Tabletop exercises build the muscle memory for crisis decision-making.

  • Communication breaks down across silos during incidents

    Technical teams, management, legal and communications rarely work together under pressure. Tabletops reveal communication gaps between departments before they cause real damage during an actual incident.

  • NIS2 and ISO 27001 require periodic exercises

    Both frameworks require organisations to regularly test their incident response capability. A facilitated tabletop with documented outcomes provides the evidence regulators and auditors require.

Scope

What the exercise covers

  • Custom scenario design
  • Crisis team exercise (management, IT, communications, legal)
  • Decision-making under pressure
  • Communication exercise (internal, external, regulators, media)
  • Reporting obligation scenarios (GDPR, NIS2)
  • Escalation procedures
  • Business continuity considerations
  • Written improvement report

Methodology

How we run a tabletop

01 Preparation

Intake, custom scenario design based on your sector and risk profile, participant selection and logistics.

02 Briefing

Introduction to the scenario and ground rules. Setting the stage: the crisis team gathers, the incident begins.

03 Exercise

Phased scenario with injects: new information, escalations, media questions, regulatory notifications. Real pressure, safe environment.

04 Debriefing

Immediate observations from the facilitator, discussion of strengths and improvement points with the full team.

05 Report

Written report with detailed observations, identified gaps and concrete recommendations for improving IR procedures.

What You Receive

Deliverables

  • Custom scenario design
  • Facilitated tabletop exercise (half or full day)
  • Immediate debriefing with the team
  • Written report with observations and recommendations
  • Improvement plan for IR procedures
  • Documentation for NIS2 and ISO 27001 audit evidence

For Whom

For crisis teams that want to be ready

Crisis teams wanting to practise collaboration and decision-making

The exercise reveals how your team functions under pressure: where communication breaks down, where decisions stall and what needs to be prepared better.

Boards wanting to understand what a cyber incident means

Senior leaders gain first-hand experience of the decisions and trade-offs involved. This creates urgency for investment and preparation.

Organisations needing to demonstrate NIS2 or ISO 27001 exercise requirements

The facilitated session and written report provide the documentation regulators and auditors require.

Organisations that recently had an incident

After an incident, a tabletop helps process lessons learned and validate that the improved procedures actually work.

Tech stack

Vendor-agnostic by design

DEFION works with the tooling you already have, or brings ours. No vendor lock-in.

  • Microsoft Defender
  • CrowdStrike Falcon
  • No More Ransom

Frequently Asked Questions

FAQ

Who should participate?

The crisis team: board or senior management, IT management, security, communications, legal and possibly HR and operations. The exercise is most valuable when participants match the real crisis team.

How realistic is the scenario?

The scenario is based on real threats to your sector and organisation. It feels real: new information comes in gradually, the situation escalates, media ask questions, there is time pressure. Participants regularly describe it as "surprisingly stressful".

How long does a tabletop take?

Half a day (3 to 4 hours) for a basic exercise. A full day for a comprehensive exercise with multiple scenarios or deeper analysis. Preparation typically takes 1 to 2 weeks.

Do we need an existing IR plan?

A tabletop is most valuable when there is already a base IR plan. But even without a plan the exercise is useful: it makes painfully clear what is missing and creates urgency to build it.

How often should we exercise?

At minimum annually. Ideally twice a year with different scenarios. NIS2 and ISO 27001 require periodic exercises.

Practice before the real crisis.

Plan your tabletop exercise. A half-day investment that can mean the difference between controlled response and chaos.