Recipe: Incident tabletop exercise

A 90-minute facilitator-led drill that pressure-tests your detection pipeline, escalation path, and comms cadence without touching production.

Ingredients

  • 1 facilitator (neutral, runs the clock)
  • 1 scribe (captures timeline, gaps, decisions)
  • 3–6 players spanning SOC, IR, engineering, legal/comms
  • 1 pre-written scenario inject deck (4–6 injects)
  • Shared chat channel + video bridge
  • 60 min play + 30 min hotwash

Scenario skeleton

Inject 1 (T+0)

On-call receives a PagerDuty alert: anomalous outbound connection from a build server to a never-before-seen IPv6 address on port 443. The binary initiating the connection is signed with a valid but recently issued code-signing certificate.

Inject 2 (T+15)

Threat-intel feed returns a hit: the destination IP overlaps with a known C2 cluster. The SOC declares a Sev-2 and pages the IR lead.

Inject 3 (T+30)

EDR telemetry shows the same binary beaconing from two additional hosts in the CI/CD subnet. Legal asks whether customer data was accessed.

Inject 4 (T+45)

A journalist tweets a screenshot of an internal dashboard. Comms drafts a holding statement. Executive sponsor joins the bridge.
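As an added example (not part of the original recipe), the triage logic the first three injects assume, run over constructed connection records so players can see what the detection pipeline should have produced at T+0, T+15 and T+30. The CI subnet, the baseline destination set, the threat-intel C2 range, the cert-age threshold and the drill date are all assumed values chosen for this drill.

```python
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed environment assumptions for the drill (not real infrastructure)
CI_SUBNET = ipaddress.ip_network("10.20.0.0/24")          # assumed CI/CD subnet
BASELINE_DESTS = {"2001:db8::10", "2001:db8::11"}          # peers seen in the last 30 days
C2_CLUSTER = [ipaddress.ip_network("2001:db8:bad::/48")]   # constructed threat-intel C2 range
CERT_AGE_DAYS = 30                                         # "recently issued" threshold
DRILL_DATE = date(2024, 5, 1)                              # constructed exercise date

# Constructed connection records: ts|host|src_ip|dst_ip|dst_port|binary_id|signer_cert_not_before
LOG_LINES = [
    "2024-05-01T09:00Z|build-01|10.20.0.5|2001:db8::10|443|BIN_A|2022-01-01",
    "2024-05-01T09:05Z|build-01|10.20.0.5|2001:db8:bad::77|443|BIN_B|2024-04-25",
    "2024-05-01T09:20Z|ci-runner-02|10.20.0.9|2001:db8:bad::77|443|BIN_B|2024-04-25",
    "2024-05-01T09:21Z|ci-runner-03|10.20.0.12|2001:db8:bad::77|443|BIN_B|2024-04-25",
    "2024-05-01T09:30Z|laptop-77|10.50.1.4|2001:db8:bad::77|443|BIN_C|2021-06-01",
]

def parse(line):
    ts, host, src, dst, port, binary, not_before = line.strip().split("|")
    return {"ts": ts, "host": host, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port), "binary": binary,
            "not_before": date.fromisoformat(not_before)}

def triage(lines, today=DRILL_DATE):
    """Return per-record alerts plus the set of hosts per (binary, destination) pair."""
    alerts, beacons = [], defaultdict(set)
    for rec in map(parse, lines):
        if rec["src"] not in CI_SUBNET or rec["port"] != 443:
            continue                                 # only build/CI egress on 443 is in scope
        beacons[(rec["binary"], str(rec["dst"]))].add(rec["host"])
        reasons = []
        if str(rec["dst"]) not in BASELINE_DESTS:
            reasons.append("new-destination")        # Inject 1: never-before-seen peer
        if (today - rec["not_before"]).days < CERT_AGE_DAYS:
            reasons.append("young-signer-cert")      # Inject 1: valid but recently issued cert
        if any(rec["dst"] in net for net in C2_CLUSTER):
            reasons.append("ti-c2-overlap")          # Inject 2: threat-intel hit -> Sev-2
        if reasons:
            alerts.append({"host": rec["host"], "dst": str(rec["dst"]), "binary": rec["binary"],
                           "reasons": reasons, "severity": 2 if "ti-c2-overlap" in reasons else 3})
    return alerts, beacons

def spreading_beacons(beacons, min_hosts=2):
    """Inject 3: the same binary reaching the same peer from several CI hosts."""
    return {k: sorted(v) for k, v in beacons.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    found, seen = triage(LOG_LINES)
    print(found, spreading_beacons(seen))
```

The laptop record is deliberately outside the CI subnet so players can discuss whether scoping the rule to build hosts is the right trade-off for Inject 3.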

Facilitator prompts

  • Who owns the decision to isolate the build subnet?
  • What artifact would you collect first for forensics?
  • At what point do you invoke the external breach coach?
  • How do you validate the code-signing certificate revocation?

Hotwash template

What worked: capture specific tooling, playbooks, or comms paths that held up.

What broke: identify single points of failure, missing runbooks, or decision-paralysis moments.

Action items: assign owner + due date for every gap. Rehearse the updated playbook within 30 days.