Codigo Alpha – Alpha code

Entenda a lei com clareza – Understand the Law with Clarity

Digital & Privacy Law

Incident Response Tabletop: Scripts, Injects, and a Two-Hour Pack That Works

Purpose. This hands-on guide gives you everything needed to run a professional, defensible incident-response tabletop exercise (TTX): scripts, schedules, injects, scorecards, and capture forms. It is designed for a first run in two hours (remote or in-person), but the materials scale to half-day and full-day formats. Use it to test decision-making, documentation, cross-team coordination, and legal/compliance readiness—not just technical fixes.

Quick Guide

Goal in two hours: rehearse who says what, to whom, by when, and with which evidence—then leave with a prioritized improvement plan and named owners.

Cast & roles

  • Facilitator (moderator/timekeeper) — runs the script, enforces rules, calls breaks, records decisions.
  • Incident Commander (IC) — assigns owners, manages the bridge, resolves conflicts, and publishes the single timeline.
  • Technical Lead — containment/forensics/recovery posture; proposes gates for restoration.
  • Legal/Privacy Lead — privilege, notifications, law-enforcement, sanctions (if ransomware), contracts.
  • Communications Lead — internal memo, customer/regulator drafts, media holding line.
  • Business Owner(s) — impact, risk tolerances, customer promises, go/no-go on tradeoffs.
  • Scribe — fills incident timeline, decision log, and action register.

Two-hour run-of-show (baseline)

Minute   | Segment                                                                 | Outputs
0–10     | Setup & rules (no laptops needed; speak from current policy/reality)    | Roles confirmed; timeline doc opened
10–20    | Scenario brief                                                          | Initial facts; assumptions logged
20–65    | Injects 1–4 (detection, containment, scoping, exfil signal)             | Decisions with owners & times
65–75    | Break (scribe cleans notes)                                             | Timeline/decisions consolidated
75–105   | Injects 5–7 (comms/legal/board, restoration gates)                      | Draft comms, notification matrix, recovery plan
105–115  | Hot wash (what worked/failed)                                           | Top 5 gaps
115–120  | Action register & owners                                                | 30-day plan, due dates, metrics

Materials to prep (print or digital)

  • Scenario brief (1 page), MSEL/inject cards, roster, rules of engagement (RoE).
  • Current IR policy, phone tree, on-call schedule, network/data maps, data inventory snapshot.
  • Incident timeline template, decision log, notification matrix, and after-action report (AAR) shell.

Ground rules. No blame; speak from actual capabilities (“as we are today”); time-box debates; decisions beat hypotheticals; one source of truth (timeline).

Scenario library (pick one)

Ransomware + exfil

  • EDR alarms, file servers encrypting, note left; later, actor posts sample PHI/PII.
  • Inject ideas: sanctions screen, insurer notice, sample decrypt test, credit monitoring decision.

Business Email Compromise (BEC)

  • Finance wire changes, OAuth-granted inbox rules, vendor invoices altered.
  • Injects: clawback timing, law-enforcement report, customer notifications, SPF/DKIM/DMARC checks.

Cloud key leak

  • Public Git commit exposes access key; unusual S3 reads follow.
  • Injects: key rotation, object-level logs, vendor logs, data-at-risk estimation.

Vendor breach

  • SaaS processor is compromised; your data was possibly accessed.
  • Injects: DPA clauses, subprocessor list, service-provider notice SLO, AG thresholds by state.

Facilitator script (runnable)

Opening (read-aloud, 90 seconds). “Thanks for joining. This is a talk-through exercise; we test processes, not heroics. Speak from real capability. I will time-box segments and call for decisions. Our scribe will capture the timeline and decision log. Let’s confirm roles… [assign]. Any questions before we begin?”

Scenario brief (read-aloud, 2–3 minutes). Provide only the facts below; allow questions but avoid revealing answers meant for later injects.

Scenario brief — “Cloud key leak with potential exfiltration” (sample)

  • At 08:02 UTC, security receives an alert from a public Git scanning bot about a leaked AWS access key apparently belonging to a build system user.
  • At 08:17, CloudTrail shows ListObjects and GetObject requests from an unrecognized IP range against a bucket storing invoices and some employee files.
  • At 08:29, egress monitoring flags a 7.4 GB download to the same IP range.
  • At 08:35, your customer support channel receives two unusual emails asking about account deletions.

MSEL / Injects (Master Scenario Events List)

#  | Time   | Inject                                                                    | Expected actions                                                                        | Artifacts provided
1  | +10′   | IdP shows build user without MFA; key last rotated 240 days ago.          | Containment (disable key); decide emergency rotation plan; open legal channel.          | CloudTrail snippet; IAM policy JSON
2  | +20′   | Storage logs: 12k objects listed, 1.1k read within 90 minutes.            | Prelim data-at-risk estimate; log preservation; notify insurer if policy requires.      | Object access CSV (sample)
3  | +35′   | Vendor says its API token may also be exposed.                            | Vendor SLOs invoked; request logs; evaluate your duty to notify customers.              | DPA excerpt; vendor email
4  | +50′   | Two employees report password-reset links were sent to personal emails.  | Comms: internal bulletin; force resets for affected group; phishing warning.            | Draft internal memo template
5  | +70′   | Attorney General threshold exceeded in three states (by estimate).        | Notification matrix started; draft consumer letters; LE hold requested?                 | AG threshold sheet; letter template
6  | +90′   | Executive asks: “Are we safe to restore builds by end of day?”            | Define recovery gates (keys rotated, logs verified, persistence checks).                | Gate checklist
7  | +105′  | Media inquiry arrives; journalist references leaked repo.                 | Holding statement; decide spokesperson; sync with regulator timeline.                   | Press Q&A outline
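For inject 2 of the cloud-key-leak scenario (the preliminary data-at-risk estimate), here is an added Python scoping script that is not part of the original pack: it takes CloudTrail-style S3 data events, keeps only the lists and reads made with the leaked key from the unrecognized IP range inside the incident window, counts denied attempts separately, and returns the per-bucket figures the decision log needs. The key id, IP ranges, bucket and object names, and the event records are constructed for this example; only the record field names follow CloudTrail's S3 data-event shape.

```python
"""Preliminary data-at-risk estimate from CloudTrail-style S3 data events."""
import ipaddress
from collections import defaultdict

LEAKED_KEY = "AKIAEXAMPLELEAKED0"  # constructed sample key id, not a real key

def _ev(t, name, ip, bucket, key=None, nbytes=0, err=None):
    """Minimal record shaped like a CloudTrail S3 data event (constructed sample)."""
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip, "errorCode": err,
            "userIdentity": {"accessKeyId": LEAKED_KEY},
            "requestParameters": {"bucketName": bucket, "key": key},
            "additionalEventData": {"bytesTransferredOut": nbytes}}

# Constructed sample: lists and reads from the unrecognized range, one repeated read,
# one denied read, and one read from the build network that must be excluded.
SAMPLE_EVENTS = [
    _ev("2025-03-01T08:17:02Z", "ListObjectsV2", "203.0.113.10", "corp-finance"),
    _ev("2025-03-01T08:18:40Z", "GetObject", "203.0.113.10", "corp-finance", "invoices/2024/inv-1001.pdf", 524288),
    _ev("2025-03-01T08:19:05Z", "GetObject", "203.0.113.44", "corp-finance", "invoices/2024/inv-1001.pdf", 524288),
    _ev("2025-03-01T08:20:11Z", "GetObject", "203.0.113.44", "corp-hr", "employees/roster.xlsx", 2097152),
    _ev("2025-03-01T08:21:30Z", "GetObject", "203.0.113.44", "corp-hr", "employees/payroll.csv", err="AccessDenied"),
    _ev("2025-03-01T08:22:00Z", "GetObject", "10.20.0.5", "corp-finance", "invoices/2024/inv-1002.pdf", 4096),
]

def data_at_risk(events, leaked_key, untrusted_cidrs, start, end):
    """Per-bucket list count, distinct objects read, bytes out and denied attempts for
    the leaked key from untrusted ranges within [start, end] (ISO-8601 UTC strings
    compare correctly as text). A repeated read of one object counts as one object."""
    nets = [ipaddress.ip_network(c) for c in untrusted_cidrs]
    out = defaultdict(lambda: {"lists": 0, "objects_read": set(), "bytes_out": 0, "denied": 0})
    for ev in events:
        if ev["userIdentity"].get("accessKeyId") != leaked_key or not start <= ev["eventTime"] <= end:
            continue
        if not any(ipaddress.ip_address(ev["sourceIPAddress"]) in n for n in nets):
            continue
        entry = out[ev["requestParameters"]["bucketName"]]
        if ev.get("errorCode"):                      # attempted, but no data exposed
            entry["denied"] += 1
        elif ev["eventName"].startswith("ListObjects"):
            entry["lists"] += 1
        elif ev["eventName"] == "GetObject":
            entry["objects_read"].add(ev["requestParameters"]["key"])
            entry["bytes_out"] += ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)
    return dict(out)

def totals(summary):
    """Headline numbers for the decision log: distinct objects read and bytes out."""
    return (sum(len(v["objects_read"]) for v in summary.values()),
            sum(v["bytes_out"] for v in summary.values()))
```

Run it over the exported object-access records for the real incident window and record the per-bucket output, plus the export itself, as the evidence behind the D-0x estimate entry.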

Participant handouts (print-ready)

1) Timeline (UTC) — single source of truth

[Time]  [Owner]  [Decision/Action]                [Evidence/Link]             [Next review]
08:10   IC       Opened incident bridge            /bridges/2025-IR01          09:00
08:14   Tech     Key disabled; rotation plan       playbooks/kms-rotate.md     08:40
08:22   Legal    Privilege memo opened             /legal/IR01-priv-memo.docx  Continuous
    

2) Decision log (privileged)

ID    | Question                         | Decision                       | Why (evidence)                                | Approver            | Time
D-01  | Disable leaked key immediately?  | Yes; isolate; snapshot first   | CloudTrail anomalies; risk of further reads   | IC + Tech + Legal   | 08:16
D-02  | Notify insurer now?              | Yes                            | Policy requires “immediate notice”            | Legal               | 08:24

3) Notification matrix (who/when)

Audience                 | Trigger                     | Deadline/Clock                              | Owner          | Status
Consumers (multi-state)  | Access/acquisition of PI    | Most expedient / 30–45 day ceilings         | Legal/Privacy  | Drafting
Regulators/AG            | State thresholds met        | Same as/earlier than consumer notice        | Legal          | Pending
Board/Investors          | Materiality (public co.)    | 8-K: 4 business days post-determination     | Legal/IR       | N/A

“Simple graphics”: capacity bar & swimlanes (visual aids)

Team load (illustrative):

Legal     [##########------] 60%
Technical [##############--] 80%
Comms     [####------------] 20%
IC/Scribe [########--------] 50%
      

Swimlane timeline (abbrev.):

08:10  IC   |--Open bridge--|------Decisions cadence------|
08:12  Tech |--Isolate keys-|--Logs export--Scope calc----|
08:14  Legal|--Privilege memo-|--Insurer notice--AG matrix|
08:25  Comms|--Internal memo draft-|----Holding line------|
      

Scoring & evidence: how to grade the exercise

Score outcomes to make improvement budgets defensible. Use objective timings and artifacts, not opinions.

Measure                         | Target         | Observed   | Evidence            | Pass?
Bridge stood up                 | < 10 minutes   |            | Timeline 08:10      |
Legal engaged                   | < 15 minutes   |            | Memo created 08:14  |
Prelim data-at-risk estimate    | < 60 minutes   |            | Access CSV          |
Draft consumer notice           | < 90 minutes   |            | Letter v0.1         |

Pass criteria examples. 80% of targets met; all critical decisions captured with approver/time; improvement plan with owners and dates published within 72 hours.

Facilitator tips for remote tabletop

  • Use a single video room + a locked chat channel; disable side-DMs for decisions.
  • Pin the timeline document; make the scribe share screen; capture decisions in real time.
  • Time-box answers; use parking lot for deep dives; call “decide/commit” at the limit.
  • Record the session for note accuracy (check local policy/consent); keep artifacts under privilege.

Templates you can copy-paste

1) Holding statement (external)

We are investigating a security incident that affected certain systems. We have contained the activity,
engaged leading security experts, and notified law enforcement. If our investigation determines that
information was accessed or acquired, we will notify affected individuals and regulators as required.
  

2) Internal bulletin (need-to-know)

Please do not contact external parties or post on social media about today’s investigation.
If you receive unusual emails or calls, forward to the incident channel. Follow reset prompts.
All updates will come from the Incident Commander.
  

FAQ

1) How often should we run table-tops?

At least quarterly for the enterprise and after any material incident. Run focused “micro-TTX” drills monthly for high-risk workflows (identity, backups, vendor breach).

2) Do we need technical labs, or is discussion enough?

For first-timers, a discussion-based tabletop is best; add functional elements (log pulls, ticket creation, comms drafts) in later rounds to validate muscle memory.

3) Who must attend?

IC, Legal/Privacy, Security Ops/Forensics, Comms/PR, affected Business Owners, and IT Ops. Optional: HR (if employee data), Compliance, Data Protection Officer, and Insurance liaison.

4) What makes a scenario “good”?

It stresses decisions you actually face (e.g., ransomware with exfil), fits your tech stack, and forces cross-team trade-offs (contain vs. preserve; disclose vs. hold).

5) How do we avoid hindsight bias?

Reveal facts only through injects, forbid “I would have” speculation, and require evidence for claims. The scribe captures decisions with times and approvers.

6) How do we measure success?

Use objective timers, count of decisions captured, completeness of comms drafts, notification matrix readiness, and a 30-day improvement plan with measurable owners.

7) Can we use a vendor’s real name as the attacker path?

Yes, but keep details neutral and avoid defamatory statements. Use “Processor A” if legal prefers. Map obligations from the DPA regardless.

8) Do we simulate law enforcement requests?

Include an inject offering an LE hold; require a written request and a review cadence. Document when the hold lifts and how clocks resume.

9) What artifacts must we keep?

Timeline, decision log, scenario pack, comms drafts, notification matrix, and the AAR/Improvement Plan. Store under legal privilege when appropriate.

10) How do we keep senior leaders engaged?

Assign the CEO/GM a role (e.g., approve statement, decide on restoration risk). Keep a visible scoreboard and end with a short, budget-tied improvement plan.

Technical Basis & Legal Sources (U.S.-centric, adaptable)

  • NIST SP 800-61 (Computer Security Incident Handling Guide) — lifecycle, roles, evidence handling; ideal backbone for tabletop objectives.
  • NIST Cybersecurity Framework 2.0 — map exercise outcomes to Respond and Recover functions and to Govern (accountability, metrics, reporting).
  • ISO/IEC 27035-1/-2 — international incident-management process; useful for global subsidiaries and certification alignment.
  • FEMA HSEEP doctrine — exercise design/evaluation methodology (objectives → MSEL → AAR/IP) adaptable to cyber table-tops.
  • CISA tabletop packages / #StopRansomware — public inject ideas, ransomware response checklists, readiness guidance.
  • HIPAA Security Rule (45 CFR §164.308(a)(6)) and Breach Notification Rule — require security incident procedures and, when applicable, patient/regulator notices; table-tops demonstrate readiness.
  • GLBA Safeguards Rule (16 CFR Part 314) — mandates an incident-response program for non-bank financial institutions; exercises support “reasonable” security claims.
  • SEC Cybersecurity Disclosure Rule (Form 8-K Item 1.05) — public companies need processes to determine materiality “without unreasonable delay”; table-tops prove governance capacity.
  • 50-state breach laws (U.S.) — “most expedient time” or explicit deadlines; exercises strengthen documentation and timeliness defenses.

Disclaimer

This information is for general educational purposes only and does not constitute legal advice. It does not replace an attorney, does not create an attorney–client relationship, and may not reflect the most current legal developments. Consult qualified counsel licensed in your jurisdiction for advice about your specific facts and deadlines.

Conclusion

A strong tabletop is a rehearsal for the first 72 hours: it pressures teams to coordinate, document, and communicate under uncertainty. Use this pack to run a realistic two-hour drill, keep a privileged record of decisions, and leave with a budget-defensible improvement plan. Repeat quarterly, rotate scenarios, and track metrics like time-to-bridge, time-to-legal, notification readiness, and restoration gates. The muscle you build here pays off when the real call comes in.
