Run a practical 60-minute tabletop exercise with this ready-to-use template: scenarios, roles, timeline, scoring metrics, and a debrief playbook.
A tabletop drill is a short, guided simulation of an incident run in a conference room (or video call) - no live systems, no actual outages. The purpose is simple: practice decisions, validate the playbook, surface unclear ownership, and make recovery steps repeatable. Doing a short, well-scoped drill quarterly means your team reacts faster and more calmly when a real incident hits.
This article gives you a ready-to-use 60-minute tabletop drill (can be shortened to 30 minutes or expanded to 90), a printable facilitator template, scripts for injects, scoring metrics, a debrief template, and product tips that speed drills and real incidents. Before drilling, make sure you have a documented incident response playbook to validate - the drill is only as useful as the plan it tests.
Drill outcomes & objectives (pick 2–3)
Keep the drill focused by selecting 2–3 clear outcomes before you begin:
- Containment speed - can the team isolate an affected asset in the first 10 minutes?
- Credential rotation - does the team rotate and restore critical vault secrets for a priority account?
- Communication - is there a clear internal and customer communications path and an approved message?
- Evidence & triage - are logs, screenshots, and timelines preserved and accessible?
- Restore - can the team restore a priority service from the documented playbook?
Who should run this & roles
Keep the group small: 5–8 participants for a tight, effective drill.
Essential roles (assign in advance)
- Facilitator (1) - runs the drill, reads the scenario, times segments, and injects prompts.
- Recovery Lead (1) - makes triage decisions and calls the actions.
- Technical Lead (1) - owns containment and restore steps.
- Communications Lead (1) - drafts internal and external messages and coordinates stakeholder updates.
- Evidence & Forensics (1) - documents evidence, timestamps, and custody.
- Observer(s) / Scorer(s) (1–2) - watch behavior, log decisions, and capture lessons without participating in decisions.
Optional: legal/counsel, HR, or insurance rep for high-impact drills.
Drill timing & script (60-minute tabletop)
Prework (to assign before day)
Distribute the current incident playbook, recovery roster, and one-page shared vault access list. Ask attendees to review for 15–20 minutes pre-drill.
Minutes 0–5 (kickoff) - Facilitator: welcome, objectives (2–3), and ground rules - no live remediation, speak aloud, assume access per the shared vault snapshot. Confirm roles and where notes are captured (shared doc or the facilitator log).
Minutes 5–10 (scenario) - Facilitator reads the scenario (see templates below). Clarify scope and initial assumptions - for example: the attacker has an admin session on the mail server, or ransomware has encrypted a dev server.
Minutes 10–20 (first 10 minutes of response) - Recovery Lead declares containment steps. Technical Lead states immediate isolation and evidence steps. Communications Lead drafts a one-line internal alert. Evidence Lead begins documenting. Scoring focus: did the team (a) isolate quickly, (b) preserve evidence, (c) call the correct recovery lead?
Minutes 20–35 (triage) - Decision Round:
- Q1 - Which accounts to rotate immediately? (Recovery Lead)
- Q2 - Which backup do we restore first and why? (Technical Lead)
- Q3 - Who engages the bank / vendor / law enforcement? (Communications/Legal)
Facilitator injects an update at minute 30 - for example: exfiltration logs found pointing to vendor X. The team revises its decisions.
Minutes 35–50 (restore) - Team refines the restore plan and drafts a public/customer update. Technical Lead describes restore steps and estimated times. Evidence Lead confirms evidence chain readiness. Scoring focus: practicality of restore order, clarity of stakeholder comms, and whether the shared vault access process is clear.
Minutes 50–58 (debrief) - Observers present 3 strengths and 3 improvement areas (facts only). Team captures immediate action items.
Minutes 58–60 (close) - Facilitator: agree on 3 follow-ups, owners and due dates. Schedule a remediation check in 7 days.
Two ready scenarios (pick one or adapt)
Scenario A - Suspicious Login → Privilege Escalation
Good for: password/credential drills
Setup: At 09:12, an alert shows an admin console login from an unfamiliar IP. At 09:20, the admin account changed a vendor billing email and rotated a virtual card used for vendor payments. At 09:30, staff report outgoing phishing emails from the same account.
Key learning goals: fast containment of admin sessions, recovery of vendor billing and virtual card flows, vault policies and audit trails, communications to customers, and forensic evidence capture. This scenario mirrors the real-world signals described in our Suspicious Login playbook.
Injects:
- 09:25: New session appears from a different geo.
- 09:35: Customer reports unauthorized invoice sent.
Scoring checklist:
- Did team stop outgoing emails?
- Did they rotate vault secrets?
- Did they cancel the affected virtual card and notify bank?
Scenario B - Ransomware on a Dev Server
Good for: backups/restore drills
Setup: At 08:40, monitoring shows multiple file modifications and an encrypted file extension on a development server. The server holds build artifacts and a nightly DB snapshot modified yesterday. Backups exist in cloud and local NAS; the vault holds the encryption passphrase and backup credentials.
Key learning goals: isolate infected host, choose correct backup for restore, validate backup integrity, ensure rotated credentials and vault access, and coordinate business continuity. Pair this scenario with your Backup & Recovery plan to validate restore procedures under pressure.
Injects:
- 08:50: Ransom note appears claiming exfiltration (escalates to legal).
- 09:10: Offsite backup shows a failed job 7 days ago.
Scoring checklist:
- Did team select a clean backup and test restore?
- Was encryption key management clear?
- Did two-person approvals occur for destructive actions?
What to capture & evidence rules
- Who - person who made a call, contact info, timestamps.
- What - decision, rationale, and evidence referenced.
- Where - pointer to vault entry / shared doc / log file.
- How - steps performed and the result.
Keep raw artifacts (screenshots, logs) in an evidence folder in the shared vault as read-only.
Scoring & success metrics
Use simple, non-punitive scoring to track improvement over time:
- Green - ≥ 75%
- Yellow - 50–74%
- Red - < 50%
Printable facilitator template
Copy this checklist as your double-sided A4 facilitator sheet:
- Header - drill title, date, time, facilitator name.
- Objectives - list 2–3 outcomes for this drill.
- Roles - table with names & contact info.
- Scenario - paste your chosen scenario (A or B).
- Timeline & timeboxes - 0–5 kickoff · 5–10 scenario · 10–20 first 10 min · 20–35 triage · 35–50 restore · 50–58 debrief · 58–60 close.
- Inject schedule - simple table with minute & message.
- Scoring grid - five scoring items with a 0–2 point scale and total.
- Evidence log - artifact type · pointer · who collected · timestamp.
- Post-drill remediation tracker - action | owner | due date | status.
- Facilitator notes - do not solve, guide; keep time; keep injects simple.
Post-drill debrief: structure & questions
Use a 15–30 minute debrief after the drill or capture notes asynchronously. Five questions to answer:
Publish the debrief summary and remediation tracker in the shared vault and follow up at the agreed cadence.
Running remote drills (video call tips)
- Use one shared doc for notes and a separate evidence folder in the shared vault.
- Keep cameras optional; insist on clear audio and that each person names themselves before speaking.
- Facilitator posts injects in chat (timestamped) and reads them aloud.
- Observers maintain the scoring sheet and share scores at the end.
Product tie-ins (how Ivy speeds drills & real incidents)
- Risk Checkup - run during the drill to simulate priority fixes and test how remediation flows would work in real time. It also models triage ordering.
- Shared Vaults - use a drill snapshot of the shared vault so teams practice access and rotation without exposing live secrets. This tests both access flows and audit logs.
- Site Scanner - use to vet suspicious domains presented in injects; it provides a fast vendor risk summary during triage. Pairs well with the Scan Before You Click habit.
- Masked Emails & Virtual Cards - include scenarios where attackers used social engineering; practice canceling virtual cards and disabling aliases. Feature availability varies by plan.
Feature availability and integrations may vary by plan and region; see getivy.ai. Masked emails forward messages to your inbox; forwarded messages are temporarily cached and handled per our Privacy Policy.
Sample calendar: run frequency & scale
- Individual / Household - tabletop every 6 months; mini 30-minute drill every quarter.
- Small Teams (20 or fewer) - quarterly tabletop + annual 90-minute full exercise.
- Larger Orgs - monthly tabletop for core teams, quarterly cross-team exercises, and annual full incident simulation with external responders.
Embed drills into the security habits routine you have already built - quarterly is the right cadence for most individuals and small teams.
KPIs & measurement for tabletop programs
- Time to containment (avg) for drill - goal: reduce over time.
- Percentage of reality-based action items closed within 7 days.
- Scoring result trends - average drill score over time.
- Number of playbook edits post-drill (fewer edits implies greater maturity).
- Confidence rating by participants (pre/post survey).
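As an added example (not code from the article or from Ivy), a small Python helper that scores a drill on the template's five-item 0–2 grid with the Green/Yellow/Red bands above, and derives the time-to-containment and 7-day closure-rate KPIs from a constructed facilitator log for Scenario A; the log entries, item names and dates are sample values:

```python
from datetime import date, datetime

# Constructed facilitator log for Scenario A (sample data, not from the article).
# The scenario clock starts at the 09:12 alert; entries are (clock, role, decision).
SCENARIO_START = "09:12"
DECISION_LOG = [
    ("09:14", "Technical Lead", "Isolate admin session and revoke active tokens"),
    ("09:16", "Evidence Lead", "Screenshot console audit log -> vault/evidence/a1"),
    ("09:21", "Recovery Lead", "Rotate vault secrets for admin and billing accounts"),
    ("09:24", "Communications Lead", "Internal one-line alert posted"),
    ("09:33", "Recovery Lead", "Cancel affected virtual card and notify bank"),
]

# Scoring grid from the facilitator template: five items, 0-2 points each (10 max).
SCORE_ITEMS = ("isolate", "preserve evidence", "correct lead", "rotate secrets", "comms")

def _minutes_since_start(clock: str) -> int:
    fmt = "%H:%M"
    delta = datetime.strptime(clock, fmt) - datetime.strptime(SCENARIO_START, fmt)
    return int(delta.total_seconds() // 60)

def time_to_containment(log, keyword="isolate"):
    """Minutes from scenario start to the first logged containment decision, or None."""
    for clock, _role, decision in log:
        if keyword in decision.lower():
            return _minutes_since_start(clock)
    return None

def score_drill(points: dict):
    """points maps each SCORE_ITEMS entry to 0, 1 or 2; returns (total, percent, band)."""
    for item in SCORE_ITEMS:
        if points.get(item) not in (0, 1, 2):
            raise ValueError(f"{item!r} must be scored 0, 1 or 2")
    total = sum(points[item] for item in SCORE_ITEMS)
    percent = 100 * total / (2 * len(SCORE_ITEMS))
    band = "Green" if percent >= 75 else "Yellow" if percent >= 50 else "Red"
    return total, percent, band

def closure_rate(action_items, window_days=7) -> float:
    """KPI: percent of action items closed within window_days of being assigned.
    action_items: list of (assigned ISO date, closed ISO date or None)."""
    closed_in_time = 0
    for assigned, closed in action_items:
        if closed is None:
            continue
        elapsed = date.fromisoformat(closed) - date.fromisoformat(assigned)
        if elapsed.days <= window_days:
            closed_in_time += 1
    return 100 * closed_in_time / len(action_items) if action_items else 0.0
```

A containment time above 10 minutes means the "containment speed" objective was missed; compare the band and KPIs across quarterly drills rather than judging a single run.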
Variations to try
- Drill duration - 30 min vs 60 min vs 90 min - which gives the best debrief ROI?
- Role mixing - rotating Recovery Lead vs fixed Recovery Lead to test resilience.
- Inject delivery - live chat vs scheduled email inject - measure timing and decision quality.
- Scoring emphasis - technical vs communications weighting - test which improves post-drill remediation.
Ready to run your first drill?
Before you drill, make sure your incident response playbook is documented and your backup & recovery plan is tested. The drill validates both - and makes your team faster, calmer, and more coordinated when a real incident hits.