Tabletop Exercises: The Easiest Way to Level Up Your Cyber Readiness

A tabletop exercise (TTE or TTX) is a structured role-playing scenario that walks your firm through a simulated cybersecurity incident: think ransomware attack, stolen credentials, or an accidental client data exposure. Most firms believe they're ready for an incident. The truth? Many aren't even close. A TTE is not just a hypothetical drill. It is a way to pressure-test how your firm would actually respond, using your existing tools, policies, and communication channels, and it tests your defenses, policies, and planning in a close-to-real-world situation. Thanks to the wealth of real-world incident data available today, these exercises are usually based on actual cases. They even include twists introduced mid-scenario (known as "injects") to simulate the chaos and surprises that happen during real attacks. For those skeptical of TTEs, there is ample evidence that they reduce the damage from incidents, helping a firm recover faster and at lower cost. Cyber insurers have become big proponents of TTEs, often offering discounts to firms that conduct them or providing services to help firms run them.

TIP: Looking for a free option to get your firm started with TTEs? The US government provides free packages for various scenarios through CISA's Tabletop Exercise Packages (CTEPs).

Do TTEs really make a difference?

At a recent cybersecurity event, Bob Miller (founder of IRGame.ai) and CGP's managing partner sat next to each other on the flight home. Using industry data, especially from cyber insurance, they arrived at what they jokingly call the Miller-Bolander theorem: the biggest impact of TTEs comes from the first two or three that a firm conducts. Imagine a scale of one to ten for how prepared a firm is to react to an incident, where one is zero preparation or experience and ten is the equivalent of a professional cybersecurity incident response company. Every law firm starts at one. The first TTE moves the firm from a one to a three. The second TTE moves the firm from a three to a five. To get to a six, a firm will have to conduct several TTEs. After that, it takes more effort to keep moving the needle, but that early jump is where the most value lies. The real risk isn't doing them imperfectly; it's not doing them at all. The lesson is that doing nothing has an exponential negative impact compared with conducting even one TTE per year.

Interested in running a TTE without having to build everything from scratch? Clear Guidance Partners (CGP) offers facilitated tabletop exercises powered by IRGame.ai. We handle the planning, scripting, and facilitation—so your team can focus on the experience. Whether it’s your first exercise or your fifth, we tailor the scenario to your firm’s size, practice areas, and existing policies. Our goal is to deliver real-world value, not generic check-the-box training.
