InfoGuard Cyber Security and Cyber Defence Blog

Tabletop Exercises (TTX): Simulate Cyber Crises & Ensure Compliance

Written by Michael Jeitziner | 23 Mar 2026

At a time when digital threats such as cyberattacks, data leaks and technical disruptions are becoming increasingly complex and organisations of all sizes and industries are equally affected, tabletop exercises (TTX) are not only a tool for minimising risk, but also a key building block for compliance with national and international standards. They uncover weaknesses, shorten response times, strengthen cross-departmental collaboration and serve as reliable evidence for auditors, authorities, customers and partners.

Regular security tabletop exercises (TTX) in the context of ISO 27001, NIS2, BSI KRITIS or IEC 62443 prepare companies specifically for ransomware, supply chain and insider attacks. They help to test the ability to respond, optimise processes and document compliance requirements in a traceable manner. TTXs are therefore particularly relevant for:

  • Companies with critical infrastructures (e.g. energy, healthcare, transport, financial sector) that need to strengthen their cyber resilience and fulfil compliance requirements
  • Industrial companies in automation, production and logistics that rely on stable IT and OT systems
  • Service providers and suppliers in global supply chains with increased information security and incident response requirements
  • Organisations that process sensitive data or are heavily dependent on digital business processes

Tabletop Exercises (TTX) for compliance: crisis simulations according to ISO 27001, NIS2 & Co.

Modern security standards and laws require companies to have not only theoretical concepts, but also demonstrable effectiveness in an emergency. Regular security tabletop exercises (TTX) are therefore not just best practice, but often a mandatory measure to fulfil compliance requirements and reduce liability and reputational risks.

Numerous national and international regulations require organisations to regularly test and document their ability to respond to security incidents. These include:

  • FINMA RS 23/1 (Switzerland), BaFin requirements (Germany) and DORA (EU): Financial institutions must regularly test their ICT business continuity and incident response plans. Tabletop simulations are an accepted way of demonstrating that emergency plans work in practice, not just on paper.
  • ISO 27001: Requires that the effectiveness of controls is evaluated (clause 9) and that information security continuity is verified and reviewed (A.17.1.3 in the 2013 Annex A; A.5.30 "ICT readiness for business continuity" in the 2022 edition). Tabletop simulations are a key tool here to demonstrate the practicability of emergency plans.
  • NIS2 Directive (EU): Applies to essential and important entities in the sectors listed in the directive, i.e. to more organisations than classic critical-infrastructure operators. Article 21 requires incident handling, business continuity and crisis management measures as well as procedures to assess their effectiveness; exercises are the usual way of evidencing this. Article 23 adds reporting deadlines (early warning to the authority within 24 hours of becoming aware of a significant incident) that a TTX should rehearse.
  • IEC 62443 (OT security): Specific to industrial automation and control systems. Incident response and its regular testing are part of the Cyber Security Management System (CSMS) described in IEC 62443-2-1 and are used to secure production environments.
  • BSI KRITIS: In Germany, operators of critical infrastructures must implement state-of-the-art security measures under the BSI Act (§ 8a BSIG) and demonstrate this to the BSI every two years. Exercises are a recognised way of evidencing resilience and incident response capability.
  • PCI DSS (payment card data): For companies that store, process or transmit cardholder data. An incident response plan is mandatory and must be reviewed and tested at least once every 12 months (Requirement 12.10).
  • Industry standards: Depending on the sector, additional requirements apply (e.g. HIPAA in US healthcare, whose Security Rule calls for contingency plans to be tested and revised).

Across these regulations, the recurring requirements are:

  • Regularity: at least annually, and additionally after significant changes to the IT landscape
  • Documentation of the results as evidence for audits and compliance
  • Interdisciplinary participation of all relevant areas, from IT and management to legal and communications
  • Realistic scenarios that reflect current threats such as ransomware, supply chain or insider attacks

To fulfil these requirements, companies should consider the following practical steps:

  • Carry out a risk analysis as a basis for selecting scenarios.

  • Clearly define roles and responsibilities in order to be able to act in a structured manner during the exercise.

  • Involve external moderators to obtain a neutral assessment and constructive feedback.

  • Carry out a follow-up with an action plan to eliminate identified weaknesses.

TTX walkthroughs: Step by step through the cyber crisis scenario

Before complex tabletop exercises (TTX) are carried out, walkthroughs provide a structured introduction and overview. As step-by-step reviews of a security incident, they help teams to familiarise themselves with processes and identify initial weaknesses without going straight into a full-scale simulation. Walkthroughs are particularly suitable for:

  • Gradually introducing new employees or departments to security processes.

  • Identifying basic gaps in incident response before they surface in a larger exercise.

  • Reducing the effort required for later, more complex tabletop exercises by correcting known problems first.

Walkthrough in Tabletop Exercises (TTX): an example

A typical scenario could be: "An employee opens an infected email attachment - what happens next?"

TTX walkthrough in 4 steps:

        1. Incident detection: The IT department identifies the malicious attachment (e.g. via an email gateway alert, endpoint detection or a user report) and declares a security incident.

        2. Escalation to management: The incident is escalated to management so that decisions at management level (e.g. taking systems offline, involving external forensics) are practised, not just assumed.

        3. Containment of the incident: Technical and organisational measures are introduced to limit the impact, such as isolating the affected workstation, blocking the sender and indicators of compromise, and resetting credentials the user may have entered. In practice, containment starts in parallel with escalation rather than waiting for it.

        4. Communication with affected parties: Customers, partners or authorities are informed to ensure transparency and trust. The walkthrough should check who decides what is communicated, and which reporting deadlines apply (e.g. the 72-hour notification to the supervisory authority under the GDPR if personal data is affected, or the NIS2 early warning within 24 hours).

An evaluation is carried out at the end (lessons learnt):
Which processes worked well - and where were there delays or gaps?

3 clear advantages of walkthroughs in TTX:

  • Less time and resources required compared to full Tabletop Exercises (TTX).

  • Ideal for introducing new teams or departments to security processes.

  • Basis for further development into more complex TTX, as central processes are already practised.

Successfully carry out tabletop exercises (TTX): A guide from preparation to follow-up

A well-prepared security tabletop simulation follows a clear and structured process to maximise learning success. The process can be divided into three main phases: Preparation - Execution - Follow-up.

Plan and prepare the simulation: Defining scenarios, teams and roles for TTX

The planning and preparation of a tabletop exercise (TTX) is crucial to ensure that the simulation is purposeful and realistic. The following steps are part of good preparation:

  • Goal definition: what is to be tested? (e.g. reaction to ransomware, data leak or system failure)

  • Team composition and involvement of all relevant departments: IT, management, communication, legal and external experts.

  • Realistic simulation scenario that matches the size of the company and industry.

  • Allocation of roles and clear assignment of tasks (e.g. crisis team, press spokesperson, IT forensics).

Carry out a crisis simulation: Step-by-step through TTX with interactive crisis exercises

Interactive discussion takes centre stage during the simulation. A neutral moderator ensures that the exercise is structured and that all aspects are taken into account.

  • A neutral moderator leads the exercise, asks questions and documents the reactions.
  • The team goes through the scenario step by step and makes decisions in real time as part of a moderated, interactive discussion.
  • Documentation: All decisions, reactions and problems encountered are recorded so that they can be analysed later.

Evaluating the simulation: Securing the results of the TTX, deriving measures, demonstrating compliance

Follow-up is crucial in order to derive concrete improvements from the simulation.

  • Evaluation: What went well? Where were there problems or delays?
  • Derive concrete measures and steps for improvement.
  • Reporting for internal verification and external audits.

Success factors for TTX: Sustainable crisis simulations in practice

Not every tabletop exercise automatically leads to the desired results. A TTX will only have a lasting effect if key success factors are taken into account:

  • Realistic, current scenarios (e.g. phishing, supply chain or insider attacks)

  • Interdisciplinary collaboration between IT, management, communication and legal departments

  • Regular implementation, at least annually or in the event of significant changes
  • Constructive error culture instead of apportioning blame

  • Consistent follow-up by incorporating results into risk management, processes and training

  • A professional, practical design that encourages commitment and participation

Conclusion: TTX as a central component of the security culture

Security Tabletop Exercises (TTX) are more than just compulsory tasks: They bring security processes to life, uncover gaps and strengthen teams' ability to respond to ransomware, supply chain attacks or insider threats. Simulations and incident response exercises help to test processes and ensure structured proof of compliance with standards such as ISO 27001, NIS2, KRITIS or IEC 62443.
Through realistic scenarios, companies learn to scrutinise processes, make decisions under pressure and systematically improve their resilience.

TTXs are not a one-off project - they only work if they are regularly reflected upon and further developed. Those who prepare themselves in this way not only gain security, but also a deeper understanding of their own structures, risks and options for action.


Caption: Image generated with AI