Cyber Risk Advisory

The Reality Gap in Incident Response Tabletops

James Bird

Principal, Coalfire (CISSP)

Gwen Takagawa

Senior Consultant, Coalfire (CIPP/US, CIPP/E, CIPM, PMP)

December 2, 2025
Coalfire Incident Response

Incident response (IR) planning is often approached as a documentation exercise. Organizations spend months drafting comprehensive playbooks, defining severity levels, and outlining escalation paths. Ideally, these documents serve as the organization's "muscle memory" during a crisis. However, as professionals who build and test IR programs, we frequently observe a critical distinction: what is documented in a playbook rarely matches the complex, human reality of a live incident.

This is where the Tabletop Exercise (TTX) proves its value. While often viewed by clients as a compliance requirement or a test of their technical defenses, a well-executed TTX is actually a stress test of organizational alignment. After all, truly creating “muscle memory” requires practicing the plan. The TTX reveals technical gaps and exposes the divergence between the Core IR team’s assumptions and the organization's actual decision-making appetite.

Through conducting these simulations across various industries, we have identified consistent patterns of failure that only emerge under the pressure of an incident.

The Divergence of Expectations

The most profound realization during a TTX is often that expectations are not shared universally. IR planning activities are typically conducted by a small cohort, including the Core IR team leader and technical subject matter experts. They document requirements based on their understanding of the business. But as with a real incident, the TTX involves broader business stakeholders as well, including executive leadership and operational teams that rely on the systems involved. Each group has a different understanding of the business. 

As a result, during a simulation, we frequently see a breakdown in consensus between that technical core, other operational teams, and executive leadership. 

In most cases, expectations diverge because of how the different groups perceive the risk of the incident. This disconnect becomes obvious during key decision points:

  • Escalation Thresholds: The technical team may classify an event as "Severity 1" based on data volume, while leadership views it as "Severity 3" based on business impact (or vice versa).
  • Regulatory Triggers: Stakeholders often hold conflicting views on what constitutes a reportable breach to a specific regulator.
  • Ransomware Logistics: There is frequently confusion regarding who holds the ultimate authority to authorize a ransom payment, or at what point in the incident legal counsel or insurance carriers must be contacted.

The value of the TTX is that it forces these diverse stakeholders to provide input on a crisis simultaneously. It moves IR from a theoretical document to a shared executive mental model. This value is realized when decision points are debated within the scenario, exposing hidden discrepancies in how different teams interpret the IR playbook and forcing alignment before a real crisis occurs.

The "Rolodex" Failure and Third-Party Isolation

Another common finding in our TTX exercises involves the reliance on Third-Party Service Providers (TPSPs). Most organizations are acutely aware of the external vendors required to support an incident: Managed SOCs, forensic retainers, or legal counsel. The reliance is documented; the operational reality is not.

We often find that organizations know who to call, but not how to reach them, especially outside business hours.

In a recent exercise, a client realized that while they had a retainer in place for incident support, the only contact information available to the incident commander was a general support line. During a critical point in the simulated incident (hypothetically 2:00 AM on a Saturday), the team was unable to activate their external support. In a real-world scenario, this would turn a manageable incident into a catastrophe due to a simple administrative gap.

The Executive Ransomware Shock

Executive-focused TTXs often reveal a startling lack of preparedness regarding the nuances of ransomware. Leadership teams are frequently shocked by the complexity of the decision-making process.

Many executives enter a TTX assuming the decision to pay or not pay is binary. Through the simulation, they confront the actual calculus: attempting to recover internally versus the cost of downtime, determining the value of the compromised data, and weighing the cost of potential regulatory fines if the data is leaked.

This is often compounded by regulatory blindsides. We frequently see clients realize during a scenario that they are subject to strict notification windows (e.g., 24 to 72 hours) for specific data types—requirements they were completely unaware of prior to the exercise.

Tooling: Alerting vs. Investigation

From a technical perspective, TTXs expose the difference between monitoring an incident and investigating one.

Organizations often invest heavily in tooling to identify incidents. However, during the 'fog of war' of a TTX, it often becomes unclear what tooling is in place to assist with the identification of live Indicators of Compromise (IOCs) and root cause analysis. The team can see the alert, but they lack the ad-hoc querying capability to determine the scope. As a result, executive decision-making is paralyzed; leaders are forced to wait for answers while the threat spreads, unable to determine if the alert is a minor glitch or a catastrophic data breach.

The Danger of the "Unknown" Exploit

Organizations often rely heavily on standard patching protocols, trusting that eliminating known vulnerabilities equates to a secure environment. However, TTXs highlight the risk of assuming that standard patching prevents all compromises.

While planning a TTX for a recent client, we performed a deep dive into the technical manuals of their proprietary software stack. Our team discovered an obscure API that could theoretically be abused to escalate a user's privileges. We built the tabletop scenario around this specific abuse case.

As the exercise unfolded, we came to understand that we had hit on an unpublished vulnerability that the client had not yet patched. It was a perfect storm: a scenario based on a real, unknown exploit that bypassed their standard defenses.

Conclusion

A tabletop exercise should not be designed to be "won." If a client walks away from a TTX feeling that their plan was perfect, the exercise has likely failed.

The goal is to stress the system until cracks appear. By identifying these points of failure and the differing expectations in a conference room, organizations can close the gaps before they face the financial and reputational damage of a live adversary.

Don't wait for a crisis to test your readiness. Reach out to Coalfire to start building and refining your company's incident response playbooks now. 

Contributors: We’d like to thank our team members who contributed to this article: Connor Guerrieri, Jon Hutton, and Jonathan Knohl.