Tabletop Exercises
A simulated cyber incident, played out in one afternoon. Your team makes the decisions - the gaps surface now, not during a breach.
2-4 h session · 4-12 per team · CZ / EN · from €2,000
This exercise is available on its own - the better path is the Retained Security Partner retainer, where you get it automatically once your security maturity is ready.
The Problem
An incident plan nobody has rehearsed
- Nobody is sure who declares the incident, who calls the lawyer, who tells customers.
- Escalation lives in one person's head. Decisions that need minutes take hours.
- "Do we pay?" gets debated for the first time under real pressure.
ISO 27001 (the international standard for an information security management system; it expects incident response arrangements to be exercised and improved, not just written down) and the CIS Controls (a prioritised set of practical safeguards; Control 17 covers incident response management and expects regular response exercises) both expect incident response to be exercised, not just documented. Where NIS2 applies (an EU directive that raises security duties for many medium and large companies; management approves and oversees incident handling and can be held personally accountable), management is accountable for it.
The Exercises
Choose your exercise
Executive Tabletop
For boards and leadership teams
- The ransom decision
- Disclosure to customers & regulator
- Statement to the press
Operational Tabletop
For IT and security teams
- Escalation & triage choices
- Handover between IT and management
- Evidence vs. fast recovery
Tailored Tabletop
For any team, any seniority
- Mixed groups, cross-department
- 4-12 per team, parallel teams
- Objectives set at scoping
Non-profits: pro-bono or discounted exercises possible for selected organisations. Ask.
Scenarios
Known attack paths, played on your organisation
Most incidents follow well-known paths. The exercise follows them too - tailored to your size, your teams, and your pain points.
Ransomware
Systems encrypted, deadline running. Who decides - and what do customers hear on day one?
Supply chain compromise
Your key vendor is breached. What do your contracts give you - and what is plan B?
Data breach
Personal data gone, the 72-hour GDPR clock running (under the EU data protection law, a breach of personal data may have to be reported to the supervisory authority within 72 hours, and affected people may have to be informed). Legal, comms, and investigation compete for the same people.
Departing insider
An admin leaves on bad terms. What can they still reach, what did they take - and who notices?
Deepfake & AI abuse
A fake video of your CEO is spreading - and a cloned voice is asking finance to pay. Reputation first, fraud close behind.
Your scenario
The incident that worries you most - built from your environment at scoping.
Delivery
Structured, not chaotic
The exercise runs on a purpose-built exercise platform: the scenario keeps moving, and the debrief works from evidence, not memory.
Timed injects
An inject (a scripted development delivered during the exercise: an email, a call, a media report) arrives on a managed timeline. Injects move the scenario forward and force the team to react, just as a real incident would. Pressure stays realistic.
Every decision logged
Responses, decisions, and timing captured as the exercise runs.
Parallel teams
Teams of 4-12 play the same scenario, compared side by side.
Objective debrief
Where time was lost, which decisions stalled, what nobody noticed.
Preferred for executive groups. Travel is billed separately - most economical when combined with other on-site work.
Suits smaller exercises and remote-first teams - practise where the incident would hit you.
Method: Aligned with NUKIB (the Czech national cyber and information security agency) and ENISA (European Network and Information Security Agency) exercise guidance.
Requirements
Inputs I need from you
- A sponsor and objectives. One scoping call settles what the exercise tests.
- The right people in the room. Those who would own the incident, 4-12 per team.
- Honest input on how things work. Key systems, suppliers, decision-makers.
- Book at least one month ahead. Scenario and inject design take time.
No incident response plan? Not a blocker.
A first exercise is the fastest way to find out what your plan must contain. If you have one, the exercise shows exactly where to revise it.
Pricing
Indicative pricing (excl. travel)
What affects the final price
Group Size & Parallel Teams
One team of 4-12 is the baseline; each extra team adds facilitation and debrief work.
On-site Travel
Flights, hotel, and travel time are not included in the exercise price and are billed separately - most economical combined with other on-site work.
Scenario Depth (1 month lead time)
A single-thread scenario costs less than a deep simulation of your suppliers and media pressure.
Process
How We Collaborate
- Objectives, audience, format, language. 30 minutes, free.
- Scenario written from your systems, suppliers, and decision chain. This is the month of lead time.
- 2-4 hours, facilitated. Injects on a timeline, decisions logged, hot debrief at the end.
- After-action report with prioritised fixes, plus a follow-up call a few weeks later.
Book at least one month ahead - the scenario is written from your inputs, not pulled off a shelf.
After the Exercise
The findings need an owner
The exercise will almost certainly surface gaps in your incident response. The after-action report turns them into a prioritised fix list - what you do with it is up to you.
If you want help, the Retained Security Partner retainer works through the findings with you - steadily, at your tempo.
Scope an exercise
A free 30-minute call settles objectives, audience, and format - before you commit to anything.
Hands-on labs or workshops instead? See Trainings & Workshops.
Whole-workforce behaviour change? See the Human Risk Programme.