What are Executive Tabletop Exercises?
The Armorstack Executive Tabletop Exercise is a facilitated scenario-driven simulation that tests executive and board decision-making under a realistic cyber incident scenario. Most organizations have incident response plans on paper but have never rehearsed them at the executive level — the people who will make the decisions that matter when ransomware shuts down operations at 2 AM or a regulatory examiner demands an explanation in 4 business days. The tabletop exercise brings that rehearsal to the executive team before the real event. Armorstack facilitators design and run 3–4 hour scenario exercises using timed injects that force participants to make real decisions: when to notify regulators, whether to pay a ransom, how to communicate with customers, when to invoke the business continuity plan, how to manage the media. Scenario options include ransomware with operational shutdown, business email compromise with wire fraud, insider data exfiltration, third-party breach with notification obligations, and regulatory incident with examiner engagement. The after-action report identifies gaps in roles, playbooks, communication, and decision authority — and provides specific remediation recommendations.
Deliverables
What You Get
- Custom scenario design: 1–2 scenarios tailored to industry and risk profile
- Pre-exercise participant briefing materials
- Facilitated 3–4 hour tabletop with timed inject sequence
- Real-time gap documentation by Armorstack observer
- After-action report: gaps in roles, playbooks, communication, and decision authority
- Remediation recommendations with ownership and timeline
- Executive summary for board reporting or audit evidence
Audience
Who This Is For
- Executive teams needing to rehearse incident decisions before a real event forces improvised responses under pressure
- Boards wanting to experience an incident scenario firsthand and demonstrate active oversight of cyber risk management
- Compliance owners needing incident response exercise documentation for SOC 2, CMMC 2.0, HIPAA, NYDFS, or cyber insurance audit evidence
Process
How It Works
Scenario Design
Discovery call to understand industry, regulatory environment, participant roster, and specific risk areas to test. Custom scenario pack designed with 2–3 inject sequences.
Pre-Exercise Distribution
Participant roles and scenario background distributed 5–7 business days before exercise. Full scenario not disclosed in advance.
Facilitated Exercise
3–4 hour facilitated exercise with timed injects. Armorstack facilitator drives scenario, Armorstack observer documents decisions and gaps.
After-Action Report
Detailed after-action report with gap findings, remediation recommendations, and executive summary. Delivered within 5 business days.
Pricing
Investment
Timeline: Scenario design 2–3 weeks; exercise day; report within 5 business days
Every engagement begins with a scoping call and written proposal. Work begins only after the engagement agreement is executed.
Differentiators
Why Armorstack
Scenarios and debrief in business language — regulatory exposure, operational impact, reputational risk — not technical security language. Executives engage, not glaze over.
After-action report structured for SOC 2 CC9, HIPAA contingency planning, CMMC 2.0 IR domain, NYDFS 500.16, and cyber insurance evidence requirements.
Scenarios built on actual incident patterns — current ransomware group tactics, active BEC techniques, real regulatory response timelines. Not generic fictional scenarios from 2018.
The exercise tests decisions, not technical knowledge. Who authorizes ransom payment? Who notifies the regulator? Who manages the press call? These are the gaps that matter.
FAQ
Frequently Asked Questions
What scenarios are available?
Standard scenario library: ransomware with operational shutdown and ransom demand, business email compromise with completed wire transfer, insider data exfiltration by a departing employee, third-party breach at a payroll or EHR vendor triggering notification obligations, regulatory incident with OCR or state AG inquiry, and supply-chain compromise. AI-specific scenarios (deepfake fraud, LLM prompt injection) are available as a VERITY AI tabletop exercise.
Who should participate?
Core participants: CEO or COO, CFO, GC, CISO (or vCISO), CIO, and Head of HR. Optional: CPO, CMIO (for healthcare), CCO (for financial services), communications director, and board observer. Board-only tabletops are available for audit committee exercises.
How does this satisfy compliance requirements?
SOC 2 CC9.9 (incident response testing), HIPAA §164.308(a)(7) Contingency Plan Testing, CMMC 2.0 Practice IR.2.092 (perform incident response), NYDFS 500.16 (incident response plan test), and cyber insurance renewal documentation all recognize tabletop exercises as evidence of incident response program maturity. Armorstack provides a compliance-mapped after-action report.
Can we do this remotely?
Yes. Remote tabletop exercises via video conference are fully supported and effective. In-person exercises provide more realistic pressure and side-conversation capture, but remote exercises are appropriate for distributed executive teams and board members in multiple locations.
Ready to Engage Armorstack for an Executive Tabletop Exercise?
Every VERITY RISK engagement begins with a scoping call and a written proposal. No commitments until scope, deliverables, and pricing are agreed upon.