From Heralds to Heroes: Turn Security Champions Into AppSec Multipliers With TTX

Cyber Trends, Threats, Guides, and News
CLICK HERE TO DOWNLOAD THIS IMAGE & COLOR IT IN!

Modern AppSec teams have been charged with defending the kingdom from cyber threats across an ever-expanding battlefield. More specifically, they are asked to steward hundreds of developers moving at full gallop, track how AI reshapes the land, and stay ahead of software supply chain threats that grow more cunning by the hour.

A noble quest indeed, but not one that can be completed alone. That is where the Security Champion enters the tale. Embedded within engineering teams, these Champions carry AppSec knowledge to the places where code is forged. By building a Security Champions program, AppSec teams empower trusted allies to help their peers spot danger from afar, and teach them how to respond when the gates are breached.

Cybersecurity tabletop exercises are the proving grounds where these Security Champion heralds become incident response heroes. In this guide, you’ll learn how to craft and level up a Security Champion program, take a journey through a one-year roadmap for weaving in tabletop exercises, and peruse three AppSec TTX scenarios built to strengthen incident response.

How Security Champions Support AppSec Teams on an Expanding Battlefield

The cyber battlefield has widened beyond the view of what most application security sentinels can oversee on their own. As threats continue to multiply, AppSec teams need trusted Security Champions embedded across engineering chapters to extend influence and strengthen the kingdom from within.

The Reality of Modern Application Security

In many strongholds, a lone AppSec paladin may be charged with shielding the work of hundreds of engineers, sometimes at ratios nearing 1:500. Across a sprawling array of repositories, applications, and release pipelines, new code is oft forged at a blistering pace.

AI-enabled development and coding copilots hasten output, while also introducing potential  weak points that must be surveyed. Third-party dependencies and software supply chain security threats open new roads that bandits can use to sneak into the kingdom. These compounding factors cause the attack surface to grow faster than application security teams can recruit, train, and station new guards.

As shadowy new threats enter the realm, traditional AppSec strategies have to be reconsidered. Mandatory annual training, dust-covered security policy scrolls, ticket-driven review queues, and one-off awareness campaigns are not enough to safeguard applications.

To successfully defend their kingdoms, AppSec teams must complement these traditional defenses with strategies that scale influence across every engineering guild in the realm. Simply put, modern AppSec teams cannot inspect every blade, patrol every road, or command every security decision made across engineering. To endure, they must trade control for influence, spreading secure coding judgment throughout the realm and empowering others to enact their will.

Cue Our Hero: The Security Champion

Since the central AppSec council cannot be there to guard every road, it must raise trusted allies within local engineering chapters. Security Champions are developers, architects, and technical leaders who carry application security knowledge into the code smithy. The goal is not to turn every developer into a full-fledged AppSec paladin, but to knight local advocates who can identify risk early, ensure secure coding practices, and help their teams respond with confidence when goblins strike.

As you may have guessed, potential Champions often ask “what’s in it for me?” before taking the position. It should be communicated that the role offers more than a fancy title etched onto a shield. Being a Security Champion creates opportunities for professional growth and influence over decisions that other devs may not have, such as reviewing security designs, threat models, and release readiness. Recognition, worthy rewards, and direct incident exposure at the war table help Champions sharpen their IR instincts and carry themselves with greater confidence.

On the flip side of the coin, executives often ask “what’s in it for the kingdom?” A strong Security Champion program extends AppSec influence across DevSecOps teams without needing to build (or purchase) new castle fortifications. By stationing trusted advocates within code forges, organizations can snuff out risks sooner, advance secure-by-design development, clear obstacles from the road to release, and strengthen resilience as AI becomes woven into software development spells.

How Security Champions Extend AppSec Influence Across Engineering

A Security Champion carries the AppSec torch by translating central guidance into local context. By gathering peers around meaningful cybersecurity activities and creating opportunities to practice under pressure, these Champions transform security culture from distant doctrine into a living discipline.

Why Security Champion Programs Work

Security Champions know the terrain their teams travel every day. Because they stand side-by-side with other developers, they understand the local architecture, release cadence, business priorities, and daily frustrations that may be invisible to a central AppSec council. This proximity allows Security Champions to translate broad application security guidance into practical decisions their peers can apply, without slowing the march.

As Champions settle into the role, their influence fortifies the kingdom in several ways:

  • Vulnerabilities are discovered before they cross the bridge into production
  • Secure coding discipline spreads across engineering chapters
  • Communications travel faster when crisis descends
  • AppSec tools earn stronger adoption because Champions can explain their value in local context
  • Teams rely less on the central AppSec council to manually guide every decision

AppSec councils seeking a wider view of the Security Champion landscape can consult Katilyst’s 2025 State of Security Champions Report, a field guide drawn from real-world benchmarks that charts how successful programs set priorities, mark victories, and grow into battle-tested orders. Those findings point toward a deeper truth explored in BBC’s The Human Side of Cybersecurity, which reveals how security culture takes root when trusted peers make security practical, visible, and shared.

Side Quests That Successful Security Champions Use to Engage Teams

A worthy Security Champion does not merely carry decrees from the AppSec council and nail them to the door of the engineering guild hall. They gather devs around the fire for engaging, collaborative experiences. During these side quests, questions can be asked, warnings can be shared, and hard-won application security knowledge can pass from one craftsperson to the next.

Common activities Champions can use to keep engineers engaged include:

  • Lunch and learns where teams imbibe lessons on emerging threats, secure coding, and recent incidents
  • Guest speakers who arrive from distant corners of the cybersecurity realm, bearing tales of epic feats and specialized wisdom
  • Office hours where developers can raise questions before imp-sized concerns become production-sized monsters
  • Capture the Flag events that turn security problem-solving into a tourney of skill, cunning, and fellowship
  • Secure coding workshops that help teams practice defending the applications they craft
  • Threat landscape briefings that reveal which forces pose the greatest threat to the kingdom

These types of side quests give Champions many ways to build trust, curiosity, and camaraderie within their local guild hall.

The Next Step: Experiential Learning

Stagnation is the bane of Security Champion programs. While knowledge-sharing side quests like the ones described above are tremendously valuable, they alone will not maintain engagement forever. That’s where experiential learning comes into play.

This is where developers a given safe arena to test how they would communicate, investigate, escalate, and act during an incident. Instead of memorizing guidance, they learn how secure coding principles, AppSec tools, and the incident response plan hold up when the castle is under siege.

The question for every Security Champion becomes clear: how can the guild rehearse the battle before the enemy reaches the gates? The answer is the tried-and-true tabletop exercise.

How Cybersecurity Tabletop Exercises Turn Security Champions Into Heroes

Tabletop exercises give Security Champions a proving ground where they can rally their engineering teams and run through scenarios based around local risks. Upon conclusion, these teams can carry lessons learned back to the code forge.

Why Tabletop Exercises Outperform Passive Security Training

Cybersecurity is a discipline best mastered through hands-on practice. By pitting engineering teams up against relevant threats that pose an actual threat to their application, they’re forced to use their knowledge and collaborate in a way that levels up security skills.

Security Champions serve as scouts for the Facilitator, revealing which threats are gathering nearest to their team’s gates. A Champion’s knowledge helps shape a tabletop exercise around real architectures, workflows, and weaknesses.

Throughout a TTX quest, Champions:

  • Identify threats that will feel immediate and relevant to their engineering chapter
  • Help the Facilitator temper injects based on these threats
  • Advocate for the tabletop exercise as a worthy investment of engineering time
  • Promote attendance and rally the party to the table
  • Carry findings from the exercise back to the code forge as team-level action items
  • Reinforce lessons after the tabletop’s conclusion

Three Security Champion Program Engagement Challenges Solved by Tabletop Exercises

Most Security Champion programs begin like a bright beacon kindled on a high watchtower, illuminated with promise and visible across the realm. Over time, that beacon tends to fade as program engagement diminishes. Cybersecurity tabletop exercises help keep the flame alive by casting away these three common Security Champion program challenges.

Challenge 1: Keeping the Security Champions Engaged

Much of this scroll has covered engineering team engagement, but what of the Security Champions themselves? A Champion will not remain inspired if their only duty is to serve as a messenger, carrying decrees back and forth from the AppSec council to their local guild hall. They need a seat at the table, where their knowledge of local systems, workflows, and weaknesses can visibly shape how the kingdom prepares for danger.

By helping the tabletop exercise Facilitator forge realistic scenarios, Champions bring engineering context into incident response discussions and earn greater trust from their peers. The more influence Champions have over TTX quests and the program at large, the more willing they’ll be to continue carrying the AppSec banner.

Challenge 2: Breaking the Curse of Security Awareness Fatigue

Even the finest side quests can lose their luster when played too often. Lunch and learns, workshops, and threat briefings remain valuable, but developers may start to tune out after many seasons of similar activities.

A tabletop exercise breaks that spell. It summons the engineering party into a living skirmish, where they must investigate clues, debate choices, and actively work together while the sands of time apply pressure. Because the scenario is grounded in the applications and systems they protect, every decision feels linked to reality.

Challenge 3: Turning Security Culture Into a Chronicle of Progress

From the outside looking in, security culture can feel like an invisible enchantment. Leaders may sense it strengthening across the realm, but typically struggle to show how or where it has taken hold.

Tabletop exercises leave evidence behind. Through them, Security Champions and AppSec leaders can track:

  • Who was present at the table
  • Risks discovered during the scenario
  • Action items conjured from exercise findings
  • Preparedness gaps sealed over time
  • Repeat participation from Champions and developers
  • Results compared across engineering guild halls

These measures turn culture into a chronicle, giving the AppSec council something it can study, share, and use to guide future efforts.

Level Up Program Engagement Through Gamification of TTX

Adventurers are more likely to answer cybersecurity summons when their deeds are properly recognized. By awarding experience points for meaningful tabletop exercise contributions, Security Champions can turn participation into an unfolding campaign that rewards curiosity, courage, and follow-through.

A tabletop exercise XP scorecard might include:

  • Ask a courageous question at the table: 10 XP
  • Attend a tabletop exercise: 20 XP
  • Recruit another guild member to the party: 25 XP
  • Identify a security risk: 50 XP
  • Close an action item forged during a TTX: 100 XP

At key milestones, the AppSec council can reward its most active adventurers with:

  • Gift cards for the first, second, and third-place finishers
  • Lunch with the CISO or another leadership council member
  • An extra day of PTO (with HR approval!)
  • Recognition during an engineering all-hands assembly, or in the company newsletter

The goal is to encourage behaviors that strengthen cyber resilience by making them visible and celebrated. Pupose-built platforms like Katilyst help you complete that quest at scale by automating Security Champion workflows, infusing gamification elements like achievements and rewards, and transforming activity from tools like Jira and GitHub into real-time insight on participation and program impact.

A One-Year Roadmap for Integrating Tabletop Exercises Into a Security Champions Program

Throughout a Security Champion program’s first year, AppSec leaders should recruit their party of heroes, forge alliances around preparedness, embark upon the first TTX quest, and measure how each subsequent quest strengthens incident response. Below is a campaign map which charts how to reach these milestones.

Q1: Gather the Party and Define the Quest

The onset of your journey is all about assembling your fellowship. Recruit developers, architects, and technical leaders who are respected within their respective engineering chapters, then define responsibilities that are worthy of the Champion title. Rather than setting forth with a blank campaign map, you can turn to the open source Security Champion Program Success Guide for assistance.

Your chosen heroes should be positioned as preparedness knights who have taken up the noble quest of helping AppSec extend its influence. Scribe specific duties into the Security Champion charter, including support for recurring cybersecurity tabletop exercises.

Finally, establish the rewards that will keep the party inspired. Recognition from leadership, professional development opportunities, decision-making authority, and an XP-based gamification system can all give Champions and their teams a reason to continue supporting application security.

Q2: Forge Alliances Around Preparedness

With the party assembled, Security Champions should join forces with AppSec leaders, incident response teams, and tabletop exercise Facilitators to scout out the threats gathering closest to the kingdom. Convening these houses will help reveal which applications, dependencies, AI initiatives, and workflows deserve a place in the first TTX quest.

Champions should then unfurl local maps detailing team architecture, release processes, communication paths, and known weak points. This context helps the Facilitator shape a scenario that feels rooted in the systems developers actually defend.

As plans are set, begin presenting tabletop participation as an exciting new way to sharpen security skills. When teams see the activity as both intriguing and relevant to their own work, they are far more likely to answer the summons.

Q3: Begin the Tabletop Campaign and Establish a Cadence

About half a year after the Security Champion program’s inception, the party should be ready to take its place at the war table. Launch the first tabletop exercise, then establish a repeatable cadence of quarterly or semiannual quests so preparedness becomes etched into the kingdom’s culture.

Align each exercise with realm-wide changes, such as major product launches, AI initiatives, cloud migrations, or other engineering milestones. When a TTX arrives beside a real business priority, teams can practice incident response against the most relevant dangers.

Q4: Chronicle Progress and Keep the Flame Alive

As year’s end approaches, the AppSec council should begin reviewing what each quest has revealed (even if you’ve only run a single quest by this point). The goal is to show how the Security Champions program is strengthening incident response and closing gaps across the realm.

Use a tool like Katilyst to track measures such as:

  • Participation rates across engineering chapters
  • Risks uncovered during each quest
  • Action items completed after each quest
  • Time required to remediate identified gaps
  • Known gaps that continually rear their heads in exercises
  • Participant sentiment gathered through surveys and dialogue

Armed with this knowledge, AppSec teams can easily discover where tabletop exercises and the greater Security Champion program are showing value, as well as what needs improvement.

AppSec Tabletop Exercises: Three Scenarios Security Champions Can Bring to Their Teams

Every engineering chapter is responsible for a different corner of the realm, so no single tabletop scenario will challenge them all in the same way. The three AppSec tabletop exercise scenarios below square off against AI security, software supply chain security, and exposed-secret risks.

Scenario 1: An AI Assistant Shapes Vulnerable Code

A trusted coding companion accidentally slips a hidden weakness into an application, forcing the engineering party to uncover and patch the flaw before it’s used to blow down the castle walls.

Why This Scenario Matters

AI coding assistants have taken up code-smithing roles faster than many organizations can establish governance, review standards, and deliver acceptable-use decrees. This danger extends beyond simply outputting inaccurate code. In June 2026, researchers disclosed an Agentjacking attack that could feed evil spells to AI coding agents through malicious error reports, potentially causing an agent to execute attacker-controlled code on developer machines. AI is a powerful weapon, but can become a cursed blade in the wrong hands.

The Security Champion’s Role

Security Champions stand closest to the code forge and often see how developers actually use copilots and coding agents. They can help the Facilitator understand which tools are permitted, where AI-generated code enters the development lifecycle, and which gaps may remain hidden from the central AppSec council.

Questions for the War Table

  • What guardrails protect the kingdom from insecure AI-generated code?
  • Must developers review and validate AI output before it crosses the bridge to production?
  • What business tomes and data scrolls may be shared with AI systems?
  • Who holds dominion over AI security and governance decisions?
  • Could SAST or other AppSec controls identify vulnerabilities introduced by an AI assistant?
  • How would the team unearth AI-generated weaknesses after deployment?

Scenario 2: A Trusted Open Source Dependency Is Tainted

A corrupted package slips into the software supply chain, forcing the engineering party to discover which applications drank from the tainted well, and purge the threat before it spreads.

Why This Scenario Matters

Modern applications are built with open source components, meaning a single corrupted dependency could endanger an entire village of systems. In June 2026, attackers compromised a Mastra npm maintainer account and poisoned more than 140 packages, potentially exposing developer workstations, CI/CD pipelines, credentials, and downstream software. This highlights how one rotten ingredient can spoil every potion brewed from it.

The Security Champion’s Role

Security Champions can tell the Facilitator which open source libraries the guild depends upon, how each package enters the build, and where a corrupted component might be capable of spreading. When a trusted package turns traitor, Champions help trace the breach across applications, rally the right engineers, and guide the party toward a safe rollback before the damage reaches the depths of the castle.

Questions for the War Table

  • How quickly could the party identify every application using a tainted dependency?
  • Who holds the authority to cast the compromised package out of the build?
  • Which rollback path returns the the guild back to safety?
  • How would engineering chapters be warned of the danger?
  • Which credentials, developer machines, or CI/CD systems may have been poisoned?
  • What new wards could keep another corrupted component from entering the castle?

Scenario 3: A Public Repository Reveals the Kingdom’s Secrets

A developer accidentally commits powerful credentials to a public repository, leaving the kingdom’s sensitive texts written upon an open scroll for enemies to discover.

Why This Scenario Matters

Exposed secrets are a familiar AppSec danger with an immediate path to action. In May 2026, a CISA contractor was found to have maintained a public GitHub repository containing highly privileged AWS GovCloud keys, tokens, plaintext passwords, and credentials for internal systems. Some of the exposed cloud keys reportedly remained valid for 48 hours after the repository was eradicated.

The Security Champion’s Role

Security Champions know where their guild keeps its keys, how those keys pass from hand to hand, and which habits tend to leave the treasury door ajar. They can help the Facilitator trace the paths that critical information takes through repositories, code reviews, and credential stores, then reveal where the kingdom’s defenses are weakest. When an exposed key is discovered, Champions can sound the alarm, summon the right engineers, and help seal the breach before marauders reach the crown jewels.

Questions for the War Table

  • How quickly would sentries detect secrets exposed in a public repository?
  • Which keys, tokens, and credentials must be revoked first?
  • Who determines whether an enemy used the exposed secrets?
  • Which engineering chapters, leaders, customers, or authorities must receive warning?
  • How far could an adversary travel using the revealed credentials?
  • What new seals (such as secret scanning and stronger code review practices) could prevent this in the future?

Takeaway

Modern application security teams cannot achieve victory on an expanding battlefield via central command alone. Through the might of their Security Champions, AppSec councils extend their influence into engineering chapters. By wielding AppSec support in one hand and the power of TTX in the other, these heralds become heroes who bolster preparedness across the kingdom.

Frequently Asked Questions

What is a Security Champion in application security?

A Security Champion is a developer, architect, or technical leader who promotes application security within an engineering team. Security Champions help identify risks early, encourage secure coding, improve adoption of AppSec tools, and support stronger security decisions throughout the DevSecOps lifecycle.

How do cybersecurity tabletop exercises improve a Security Champions program?

Cybersecurity tabletop exercises improve a Security Champions program by giving Champions and engineering teams hands-on incident response practice. Champions help identify relevant threats, provide context about local architecture and workflows, encourage participation, and turn exercise findings into practical security improvements.

What is the Security Champion’s role in a tabletop exercise?

The Security Champion’s role in a tabletop exercise is to support the Facilitator and connect the scenario to the engineering team’s work. Champions can recommend relevant risks, explain local systems and processes, promote attendance, participate in discussions, and reinforce action items after the exercise. The Facilitator remains responsible for designing and leading the tabletop exercise.

What are effective AppSec tabletop exercise scenarios?

Effective AppSec tabletop exercise scenarios reflect threats that engineering teams could realistically encounter. Examples include an AI coding assistant introducing vulnerable code, a compromised open source dependency affecting the software supply chain, and credentials exposed in a public repository. These scenarios can test SAST coverage, secure coding practices, communication procedures, and the incident response plan.

The Next Step on Your Journey

Security Champions bring their teams to the table. Ally helps the Facilitator make that gathering count.

Our Build tool shrinks the hours-long scenario creation process into a trial that takes just a few moments. Once you’ve drafted your quest, ditch PowerPoint and use the Run tool to help with delivery. Featuring anonymous Party Voting and a dynamic impact score based on customizable Impact Metrics, this tool puts the power in the hands of the Facilitator in both online and in-person sessions. Once the dust settles, an After-Action Report is conjured for executives within minutes.

Ready to turn your next tabletop into a valuable proving ground for AppSec heroes? Book a demo, and let’s chat about how we can empower your next campaign.

Stanley Harris
Stanley Harris
Stanley Harris is the CEO and Co-founder of Katilyst, where he helps organizations build and scale Security Champion programs. He is passionate about using behavioral science and gamification to make security engagement more motivating, measurable, and long-lasting.
Read more

About Ally Security

Ally is here to support facilitators, which in turn creates a virtuous cycle where exercises take less time, provide more value, are run more frequently, and can make every organization can be better prepared.

Book a demo!
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Have a great IR story? Tell Asa!

The unexpected wins. The client curveballs. The chaos you couldn’t have scripted if you tried. Dear Asa is your space to share the stories that don’t make it into the official post-incident report. Script, submit, and enjoy a chance to be featured or quoted in an upcoming post.

Share my story