Tabletop Exercise Scenarios Pack

Eight ready-to-run scenarios for security, IT, legal, privacy, and executive teams. Each scenario includes scene-setting, timed injects, and the decisions that usually expose gaps in a global incident response program.

Facilitation guide

  • Run each scenario in 60–90 minutes with a named facilitator and scribe.
  • Reveal injects on a clock, not all at once. Pressure surfaces the real gaps.
  • Capture decisions, decision owners, and information gaps in the timeline.
  • Close with three written outcomes: what worked, what didn't, who owns the fix and by when.

1 · Ransomware in the European Subsidiary

Audience · Exec, IT, Legal, Comms, Privacy, Finance

At 04:12 local time, EDR fires mass-encryption alerts across the EU manufacturing subsidiary. Production halts; ERP is unreachable. Initial scope appears to include domain controllers and a backup server.

Timed injects

  • 30 min: Threat actor posts on leak site naming the company.
  • 2 hr: Works council representative asks for written impact statement.
  • 6 hr: Cyber insurer requires panel-counsel engagement before any negotiation.
  • 24 hr: GDPR 72-hour clock runs; CSIRT requests NIS2 early-warning notification.

Decisions to surface

  • Who authorizes plant shutdown and customer notification?
  • Pay-or-not policy, and how it's documented for board and insurer.
  • Notification sequencing: regulator, customers, employees, public.

2 · Business Email Compromise & Wire Fraud

Audience · Finance, Treasury, IT, Legal, Exec

Accounts Payable processed three wires totaling US$2.4M to an updated supplier account. The supplier denies receiving funds. M365 logs show a long-running inbox rule hiding replies from the controller.

Timed injects

  • 1 hr: Bank confirms the funds from the first wire have already been withdrawn from the beneficiary account.
  • 3 hr: A second AP analyst reports an in-progress wire request.
  • Day 2: Customer asks whether their data was accessed.

Decisions to surface

  • Wire-recall workflow and who triggers it.
  • Whether to invoke fidelity / crime insurance coverage.
  • Disclosure path if customer data was exposed in compromised mailboxes.

3 · Insider Data Exfiltration

Audience · HR, Legal, Security, IT, Exec

DLP and DSPM flag a departing sales director uploading 14 GB of CRM data to personal cloud storage during their notice period. Their NDA is on file but the destination service is outside corporate sanction.

Timed injects

  • 2 hr: Employee's manager reports they are joining a direct competitor.
  • Day 1: Counsel asks for a forensic preservation hold.
  • Day 3: Two key customers report being approached with insider information.

Decisions to surface

  • Access revocation timing vs. evidence preservation.
  • Litigation hold scope and communication.
  • How to handle the competitor and the affected customers.

4 · Critical SaaS / Third-Party Compromise

Audience · IT, Security, Procurement, Legal, Exec

A tier-1 SaaS provider hosting customer support data discloses a breach affecting all tenants. Their notice is sparse, blames a 'sophisticated attacker', and provides no IOCs.

Timed injects

  • 4 hr: Customers begin asking whether their tickets and attachments were exposed.
  • Day 1: Regulator in two jurisdictions asks for written impact assessment.
  • Day 2: Vendor announces a security update with required customer action.

Decisions to surface

  • How to verify scope without the vendor's cooperation.
  • Contractual remedies and alternative provider strategy.
  • Multi-jurisdiction notification timing alignment.

5 · Cloud Admin Account Takeover

Audience · Cloud Eng, IT, Security, Exec

An MFA-fatigue attack succeeds against a cloud platform engineer. The attacker creates new IAM identities, exfiltrates a snapshot, and deletes CloudTrail / Activity Log destinations in the primary region.

Timed injects

  • 1 hr: Cost alert: thousands of GPU instances spun up in an unused region.
  • 3 hr: Backup retention policy on the exfiltrated database is altered.
  • Day 1: Customer reports unusual API traffic from your cloud range.

Decisions to surface

  • Containment vs. forensic preservation in a live cloud environment.
  • Customer-impact communications under ambiguous evidence.
  • Long-term changes: PIM, JIT, log immutability, region pinning.

6 · OT / Industrial Control Incident

Audience · OT, IT, Safety, Plant Mgmt, Exec, Legal

A safety-instrumented system at a chemical plant enters a fail-safe mode after anomalous commands originate from an engineering workstation. The vendor's remote-support VPN was active at the time.

Timed injects

  • 30 min: Plant manager wants permission to override the safe state.
  • 2 hr: Local regulator becomes aware via news report.
  • Day 1: Vendor declines to share remote-session logs without contract amendment.

Decisions to surface

  • Authority to keep plant offline; safety vs. revenue tradeoff.
  • Independent forensic engagement and chain-of-custody.
  • Long-term remote-access architecture (jump host, MFA, session recording).

7 · AI / LLM Misuse and Data Leakage

Audience · Security, Privacy, Product, Legal, Exec

An internal LLM-powered support assistant is found returning fragments of another customer's personal data in responses. A researcher posts a reproducible prompt on social media.

Timed injects

  • 2 hr: Privacy regulator asks for written explanation.
  • Day 1: Three enterprise customers invoke contractual audit rights.
  • Day 2: Engineering proposes a model rollback that breaks two paying features.

Decisions to surface

  • Take-down vs. mitigate-in-place posture.
  • Notification scope across jurisdictions.
  • Permanent guardrails: data segmentation, prompt isolation, RAG access control.

8 · Regulator Inquiry After a Public Incident

Audience · Legal, Privacy, Security, Comms, Exec

Six weeks after a previously disclosed incident, a regulator opens a formal inquiry citing potential under-reporting. They request evidence of governance, board oversight, and control effectiveness over the prior 18 months.

Timed injects

  • Day 3: Board chair asks for an independent assessment.
  • Day 7: Plaintiff law firm files a class action; discovery requests follow.
  • Day 14: Second regulator in another region opens a coordinated inquiry.

Decisions to surface

  • Privilege strategy around forensic reports and internal communications.
  • Single source of truth for board reporting and control evidence.
  • External communications cadence with customers, employees, and the market.

Want one of these facilitated for your team?

Dephiant runs facilitated cyber tabletop exercises with global executive, legal, and operational teams — in person or distributed, in your time zones.