What Is A Tabletop Exercise?

A standard tabletop exercise is something used by organizations to test their disaster recovery (DR) or business continuity plan (BCP). The idea is that you already have a plan for dealing with a problem, say a ransomware outbreak on your network, and you run a simulation to ensure that the plan is complete and understood by everyone who needs to be involved.

Why Is A Tabletop Exercise Important?

This is a very good thing, and there are usually some rules around how these are run. For example, you normally have a scribe or someone to take notes, a person who is running the exercise and keeps people on track, as well as participants from all affected departments. Sometimes you have a gallery of people who are there to observe, but not participate.
When these are run well, they can be invaluable. Unfortunately, more often than not, these end with a long list of takeaway items that nobody ever gets around to completing, or worse, they are declared a success because no issues were found. The dirty secret about that is that no issues were found because the participants took what I like to call “the happy path”.

What Is “The Happy Path”?

“The happy path” is what I like to call a perfect scenario:
    1) Ransomware hits, but it gets thwarted by our anti-virus.
    2) We have separate VLANs in our environment, so the attacker isn’t going to be able to get to any main system.
    3) The problem with our connection to the Internet was just caused by a loose network cable in the networking closet, so plugging it in fixed everything.

How realistic are these?

Not completely out of the question, and some of these are great approaches, but they do nothing to actually test the rest of the plan. The worst thing about these types of outcomes is that the teams feel that tabletop exercises are a waste of time and are thus not done. When we went to school we had fire drills to ensure everyone knew how to exit the school safely. Pro athletes train and practice regularly to ensure they operate at peak levels during their games. Why wouldn’t we want to practice ensuring any damage done by some type of disaster is minimized by having a solid DR/BCP that can be executed against?
Disasters happen, and how you react to them when they do can have a serious impact on your business - for better or worse.

Enter Gamified Tabletop Exercises

A gamified tabletop exercise (TTX) is a standard tabletop but with some game elements added to it. In our definition, this includes adding the game element of chance. The concept is that whenever someone makes a choice, a die is rolled. The gamified TTXs that EliteSec runs use a six-sided and a twenty-sided die for decision making. Depending on the decision made by a player and the choices available, the person running the exercise chooses one of those two dice and uses it to determine whether the choice was successful, unsuccessful, or something in between. The point is that not all choices are guaranteed to work, and sometimes there is a consequence of making a decision.
In making the outcomes random, you get a much more dynamic simulation - something much closer to reality. This is a great way to ensure aspects you may not have considered before are now brought to the forefront, allowing you to fill in any gaps. It also allows for “replay-ability” of your tabletops since you will likely get different results each time you go through it. I’ve also found that the players are a lot more engaged as they have to think on their feet.

Running Your Own Gamified Tabletop Exercise

A successful gamified tabletop exercise is a lot more than just rolling dice and having a good time - it takes experience, planning, and the ability to think on your feet when you are running one of these. Whoever is running the exercise plays a role similar to the “Dungeon Master” in a classic game of Dungeons & Dragons, meaning you have to be firm but fair. Planning ahead for potential choices people may make is a must. If you already have a DR/BCP to go off of, this is a bit easier since you will know the choices that people will make.
However if the choice doesn’t go as planned…


John Svazic

Information Security Professional with both offensive and defensive experience. CISSP, CISM, CEH, and OSCP certifications. Seeking to share my experiences and secure organizations to the best of my ability, regardless of the environment.

Specialties: Information/Cyber Security, Cloud Security, penetration testing, SIEMs (ELK, Graylog), DevOps, DevSecOps, policy creation/design, BC/DR, leadership, management, architecture, and process improvement.

Gamified Tabletop Workshop

Agenda August 20 (All times are Central Time USA)

8.00 AM - 9.00 AM

What is a tabletop?
How are tabletops run?
What is a gamified tabletop?
Why change things?

9.00 AM - 10.00 AM

Live Demo

Run a tabletop with the group

10.00 AM - 10.30 AM

10.30 AM - 11.00 AM

How well did we do as a company?
Anything that could have been better?
What did we do well?
What else should we have considered?

11.00 AM - 12.00 PM

Examples of Disasters

Online sources to get started
Examples from the group
Examples from the news
Other sources for materials for disaster

Gamified Tabletop Workshop

Agenda August 21 (All times are Central Time USA)

8.00 AM - 9.00 AM

Questions to ask yourself
What die to use?
Realistic scenarios
Pointers when you get stuck

9.00 AM - 10.00 AM

Building a gamified tabletop

Getting started
Individual work on the tabletop

10.00 AM - 10.30 AM

10.30 AM - 11.30 AM

Test run of a tabletop

Get a volunteer to run through their tabletop

11.30 AM - 12.00 PM

Key takeaways
Resources, feedback, etc.


Tactical Edge Virtual Summit 2020