InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Frankfurter Straße 233
63263 Neu-Isenburg
Germany
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
InfoGuard Deutschland GmbH
Am Gierath 20A
40885 Ratingen
Germany
InfoGuard GmbH
Kohlmarkt 8-10
1010 Vienna
Austria
In 2025, the InfoGuard CSIRT handled over 350 cyber incidents, representing a substantial increase of approximately 20 percent compared to the previous year. This trend was already evident in the first half of the year: complex attacks increased by a remarkable 115 percent compared to the same period the previous year. In practice, the InfoGuard CSIRT identified recurring gaps in incident readiness at many organizations. What is particularly noteworthy here is not so much the absence of strategies, but rather their unavailability and the lack of feasibility in an emergency.
Companies must regularly train their incident response capabilities using TTX to identify technical and organizational vulnerabilities, derive targeted measures to strengthen cyber resilience, and ensure their ability to act in the event of a crisis. After all, cyber resilience does not arise from an ever-increasing number of tools or the mere existence of emergency plans, but rather from consistent visibility of the attack surface, context-based attack analyses, and the ability to act effectively at the decisive moment—and this ability must be practiced.
TTXs are not knowledge quizzes or tests. They simulate cyber crisis situations based on concrete scenarios and enable existing cybersecurity and recovery processes to be tested under realistic conditions. In doing so, technical and organizational vulnerabilities are revealed.
Regularly running through realistic crisis scenarios with a focus on decision-making, communication, and recovery strengthens the ability to act in an emergency.
From the perspective of our Computer Security Incident Response Team (CSIRT), TTXs can be compared to a three-act model in which the situation gradually escalates.
From the perspective of the Computer Security Incident Response Team (CSIRT), Tabletop Exercises (TTX) can be understood as a dynamic decision-making process in which a crisis situation develops step by step, escalates, and is subsequently evaluated in a structured manner.
A crisis does not begin in a vacuum, but within a specific operational context. Participants are placed in a realistic initial scenario, assume their roles in crisis management, and receive an initial situation report. Based on this, they decide on initial escalations, communication channels, and priorities.
Typically, the setup includes key framework conditions such as the timing, the current organizational situation, the availability of key personnel, and ongoing business or regulatory events.
This creates a realistic starting point where crises often coincide with operational or strategic pressures. The initial scenario can be triggered, for example, by a security incident such as a successful phishing attack, a tip from a supplier, or an external media inquiry.
From this moment on, operational decision-making begins: What happens first, who is informed, and which areas take priority?
In this phase, the initial situation is gradually expanded. The exercise leaders introduce additional information into the simulation that alters the situation, increases the pressure to make decisions, and creates new priorities.
These so-called injects represent defined events that add dynamism to the course of the crisis and force participants to make new decisions.
Typical examples include:
With each inject, the assessment of the situation shifts. Decisions must be made amid uncertainty and under increasing pressure, revealing where processes, roles, or communication channels reach their limits.
The learning effect arises not only during the simulation but also in the structured evaluation that follows.
After the tabletop exercise concludes, a joint debriefing takes place in which the course of events is systematically reviewed:
The evaluation focuses primarily on decision-making processes, communication, understanding of roles, escalation logic, and technical competencies and skills—not on detailed technical analyses of individual systems. This is where it becomes clear whether the exercise has yielded genuine insights into crisis management capabilities.
Attack scenarios that are too general or theoretical make it difficult to make realistic decisions and reduce the value of the insights gained. Without a concrete organizational and crisis context, participants lack a tangible basis for action.
If TTXs are conducted primarily to meet regulatory requirements, decision-making processes and practical operational capabilities quickly take a back seat.
Without clearly defined objectives, the exercise veers off course, rewards improvisation over structured process quality, and leaves leaders in the dark about the effectiveness of the incident response plan.
Tabletop exercises should test not only technical response measures but also alternative communication channels and manual procedures. These are often neglected in practice.
Crisis management is not just an IT issue. Management, communications, legal, data protection, and relevant departments must be involved early on.
Without structured evaluation and concrete measures, the learning effect remains limited and identified weaknesses are not addressed in a sustainable manner.
Effective tabletop exercises follow a methodological framework that ensures exercises are not only conducted but also systematically evaluated and translated into concrete improvements. The focus is on realism, decision-making quality, and sustainable learning outcomes.
Effective tabletop exercises are based on organization-specific, realistic scenarios. These take into account the industry, maturity level, and business model and are based on actual incidents or plausible threat scenarios. The goal is to focus on real-world decision-making rather than abstract theory.
For tabletop exercises to be successful, they deliberately create uncertainty, pressure to prioritize, and information asymmetry, as this is the only way to make the quality of decisions visible and assessable under realistic conditions.
The entire exercise process is documented and evaluated in a structured manner. This creates a traceable history of decisions and communications that serves as the basis for concrete improvement measures, process adjustments, and targeted retests.
From the CSIRT’s perspective, it is repeatedly evident in practice that organizations fail not only in the technical management of an incident but also in decision-making, communication, and coordination under pressure.
Tabletop exercises (TTX) address precisely this core issue. They create a protected yet realistic framework in which crisis situations are simulated, decisions are made under pressure, and cross-organizational dependencies become apparent. What matters most is not the individual exercise itself, but the quality of its design: realistic scenarios, targeted decision-making dynamics, and structured debriefing together form the foundation for lasting learning outcomes.
When designed correctly, TTXs are more than just a training format—they are a key tool for systematically strengthening an organization’s crisis management and decision-making capabilities.
Drawing on our experience in handling real-world cyber incidents, we guide and support companies in the design, facilitation, execution, and evaluation of tabletop exercises, leveraging our in-depth knowledge from daily incident response and CSIRT operations. The goal is not a perfect exercise, but rather the identification of potential vulnerabilities and actionable insights for real-world scenarios.
Caption: AI-generated image