Stress-test Your Plans and Playbooks Before the Real Crisis Hits
The time to test your incident response plan is not in the heat of the moment. A cybersecurity tabletop exercise (TTX) is a structured, discussion-based simulation that helps teams rehearse roles, validate decision-making, and surface gaps in plans, playbooks, and escalation paths before a real incident occurs.
At Lykos Defence, we design and facilitate bespoke cyber tabletop exercises tailored to your environment, sector, and threat landscape. Whether you’re preparing for ransomware, insider threats, supply chain compromise, or data breaches, our exercises are designed to pressure-test your people, plans, and procedures in a low-stakes, no-fault environment. We focus on preparedness and resilience: clarity, coordination, and repeatable execution when it matters.
If you’re looking for an incident response tabletop exercise, an executive cyber crisis exercise, or a cross-functional cyber crisis drill, a well-designed TTX is the most practical way to prove whether your organisation can execute its plan under pressure.
What We Deliver
Every engagement is designed to produce a practical outcome, not just a workshop. That typically includes a tailored scenario pack, a facilitated session, and a written report with clear, prioritised recommendations. Where helpful, we also provide playbook-focused observations so your team can tighten decision points, escalation criteria, and handoffs between technical and business stakeholders.
Standard TTXs
A structured, discussion-based walkthrough of a realistic incident tailored to your environment. These exercises focus on coordination, roles and responsibilities, escalation paths, and playbook execution. Ideal for organisations developing or validating their response plan.
Executive Cyber Crisis Drills
Designed for senior leadership, these scenarios focus on crisis coordination, public communication, regulatory obligations, and decision-making under pressure. This type of exercise is ideal for boards, risk committees, or executive teams seeking clarity on their roles during a major breach.
Hybrid Exercises
Often, the most realistic test involves everyone. We design cross-functional exercises that blend technical injects with executive decision points. Hybrid exercises simulate full-scale incidents like multi-site ransomware outbreaks or vendor compromise with legal and PR implications.
Gamified TTXs
Our most popular offering blends traditional tabletop scenarios with elements of chance, strategy, and scoring, transforming a typical run-through into an engaging simulation. Teams make decisions based on unfolding injects, with dice rolls and modifiers reflecting your existing controls like EDR, SIEM, segmentation, and monitoring. The result is a highly memorable exercise that surfaces gaps in both process and tooling, and makes preparedness practice genuinely engaging.
Practical Incident Response Exercises
Built for technical teams, these inject-driven exercises simulate realistic threats like credential compromise, lateral movement, ransomware, or cloud misuse, often combining aspects of each. Participants examine forensic artefacts, interpret logs or alerts, and make tactical decisions on containment, communication, and recovery. A hands-on test of detection, investigation, and collaboration.
Why Run a Cybersecurity Tabletop Exercise?
- Reveal weak spots in your existing incident response plans and playbooks
- Clarify roles and responsibilities across business and technical teams, as well as partners and other third parties
- Improve cross-department communication when every second counts
- Fulfil compliance and audit requirements (ISO 27001, NIST, ASD Essential Eight, etc.)
- Gain executive buy-in by demonstrating real-world risk and readiness
- Build familiarity with your processes, plans, and procedures so teams can act decisively when a real incident occurs

How It Works
Discovery and Scoping
We work with you to understand your existing incident response structure, key assets, and risk profile. This shapes the exercise scenario and objectives. We’ll request details from you about your existing plans and procedures via a Request for Information (RFI) to ensure relevance and plausibility.
Scenario Design
We craft a tailored narrative, complete with injects, adversary behaviour, and business impact. Scenarios are realistic, relevant, and thought-provoking.
Facilitated Session
A Lykos Defence facilitator runs the session, guiding participants through each phase of the incident and prompting discussion, decision-making, and escalation.
Debrief and Recommendations
After the exercise, we deliver a detailed report outlining strengths, challenges, and clear, actionable recommendations to improve your cyber resilience.
A TTX engagement might look like this:
| Date | Milestone |
|---|---|
| Jan 29 | Kickoff Meeting: Discovery and scoping |
| Feb 05 | RFI Return Deadline: Provide any relevant documentation to Lykos Defence for review |
| Feb 12 | Midpoint Planning Meeting: Discuss the draft scenario and validate suitability, identify any required modifications |
| Feb 19 | Control Package Delivery: Final scenario and plan delivered ahead of the exercise |
| Feb 26 | Facilitated Tabletop Session: We run the exercise, whether on-site or remote |
| Mar 12 | Report Delivery |
| Mar 19 | Optional Debrief Meeting: Covers the observations and recommendations, any remaining queries, and identifies next steps |

NB: Use this indicative timeline as a general guide; projects can take more or less time depending on factors such as your teams’ availability, turnaround of RFI materials, and the complexity of the environment.
Who Should Attend?
Our exercises are cross-functional by design. Typical participants include:
- Executive Leadership (CIO, CISO, CEO, Board Members)
- IT and Security Teams
- Legal and Compliance
- Communications and PR
- Business Continuity and Crisis Management Teams

Ready to Put Your Plan to the Test?
Don’t wait until your worst day to find out your response plan doesn’t work. A well-run cybersecurity tabletop exercise is one of the most cost-effective ways to build readiness and resilience.
Book a free discovery call to see how we can help prepare your team for what’s next.
Frequently Asked Questions
A cybersecurity tabletop exercise (often abbreviated as a TTX) is a facilitated, discussion-based simulation of a realistic cyber incident. It allows organisations to rehearse decision-making, validate incident response plans and playbooks, and clarify roles and responsibilities without the pressure of a live incident.
Unlike purely technical tests, a cyber tabletop exercise focuses on how people, processes, and governance work together under stress, making it a core preparedness activity for organisations of all sizes.
Yes. The terms cybersecurity tabletop exercise and incident response tabletop exercise are often used interchangeably. Both describe a structured exercise designed to test how an organisation would respond to a cyber incident.
Our approach is deliberately preparedness-focused. We use tabletop exercises to validate plans, playbooks, and decision-making before an incident occurs, rather than providing live incident response services.
Most sessions run between two and six hours, depending on complexity, scenario depth, and number of participants. Expect to spend some time with our team before the exercise to ensure it suits your needs. More bespoke exercises taking place across geographies or multiple days are also possible.
After the exercise, we'll deliver an after-action report with both executive-level and technical recommendations within one to two weeks.
It can be. We tailor each exercise to your organisation’s maturity and preparedness goals. Some tabletop exercises focus primarily on executive decision-making, business impact, and communications, while others include detailed technical injects for security and IT teams.
We’ll agree on the scope during an initial kickoff call to ensure the exercise is appropriately balanced and delivers useful outcomes for all participants.
Yes. Every engagement includes an after-action report outlining key observations, strengths, gaps, and prioritised recommendations. These findings are designed to be practical and actionable, helping teams improve plans, playbooks, and coordination.
A facilitated debrief session to walk through the findings and discuss next steps is also available.
Pricing depends on the scope, complexity, and level of tailoring required. Our engagements are generally fixed-fee and reflect the effort involved in scenario design, facilitation, and reporting, as well as our experience with real-world and simulated incidents.
Smaller, less complex tabletop exercises based on common adversary tactics typically start around AUD $20,000. More tailored or multi-team exercises, including executive crisis simulations or gamified scenarios, usually start around AUD $35,000.
