FAQs

Overview

What’s included in Beta?

Ally’s Beta release includes our Asa Scribe functionality and our instant TTX reporting. Invite Asa to your next exercise for free and see how it improves the value you deliver to clients.

How can I optimize the incident management process?

Running tabletop exercises is the best way to optimize the incident management process. The key? Running them often. (Read: more than annually for compliance, please!)

First, you need an incident response plan (IRP) to test. Once you’ve established your IRP, you need to make sure people understand the plan and their role in it. Ideally, you’ll want to move people from “know there’s a document that exists somewhere” to having a deep understanding of the roles, incident classifications, escalation procedures, and IR playbooks associated with it. 

That way, when a real incident happens, people start to react the right way based on what they’ve been taught or familiarized with.

TTX are a great way to do this: they bring together the various stakeholders who have a role, test your response to different situations, and let you adjust your plan to account for any findings.

It’s been shown that there’s a direct correlation between response times and the cost of a data breach (thanks IBM), so it’s incredibly important to consistently improve and optimize your processes. You can do this by building a program around tabletops.

How do I design a TTX?

Start with the audience and objectives. Who is this for, and what are your goals for the group? For example: Is this a technical group, or is it mainly executives? You can use a template to help you design a TTX (hi CISA!) or ask ChatGPT—either way works as long as it’s customized based on your organization and environment. (Or, if you need a good prompt, just ask us!)

As you design your TTX, find a relevant and engaging attack path. You can use MITRE ATT&CK to find an incident that is plausible for your org, or you can use a recent pentest or internal incident findings to inform your scenario.

After you plan the setting for your TTX, it’s time to set the timeline. For a 90-minute exercise, for example, you may only need 3-4 good injects.

Every good exercise starts with some “hype.” Get people excited for your tabletop exercise by making a teaser video or sharing a relevant breach with the participants so they can read ahead of your main event.

Don’t forget to invite Asa!

Last but not least, make sure you reserve time at the end of the scenario for a quick after-action summary ahead of your formal report. We recommend giving everyone a 15-minute snack break before coming back to review Asa’s findings and recommendations.

How can I implement a TTX program with Ally?

Ally saves you time, enabling you to move beyond the dreaded once-a-year-compliance-exercise. With the time savings our platform brings, you can run exercises more often, provide value faster, and use TTX to mature your incident response program. 

The value of the exercise is partially what happens during the event, but importantly, it’s also what you do after to improve! When you run an exercise with Asa, you get immediate feedback. IR experts like you use the findings to refine their TTX programs, helping participants review the findings and get buy-in for what needs to be done next. 

Ally also helps consultants running a TTX program track their action items over time to show the value their program is delivering. (We’ll have more capabilities to help with that soon!)

How is my client data secured in Ally?

Each client receives a dedicated account, with account-level permissions so you can easily protect access to each client’s data. We then employ end-to-end encryption of all data in transit and at rest. We also apply role-based user authentication to every request in the platform and all events are logged and traceable.

We strive to provide enterprise-grade security across our platform. If you’d like more detailed information about how client data is used, stored, or handled, visit our Security page or inquire directly with security@ally.security.

Product

How much does Ally cost?

While Ally is in its Beta release, it’s free for your first three client accounts and exercises.

Who is Asa?

Asa is your helpful Ally security assistant and scribe extraordinaire. She accompanies you on your quest to give your clients risk resilience and is there whenever you need a helping…arm. 

Does Ally provide tabletop exercise content?

Ally currently has a handful of available template exercises, and more are coming soon. Our security experts are currently working to build out a comprehensive TTX scenario library that will be available for customization and use by our customers. Email support@ally.security for more information or if you’d like help with scenario development.

TTX Program

Why should I run tabletop exercises with my clients?

You should run tabletop exercises with your clients for three main reasons: It builds your relationship with your clients, shows the value of what you offer, and secures buy-in—ultimately resulting in your clients improving their incident response protocols. 

How can I use tabletop exercises to grow my business?

Tabletop exercises offer opportunities to show your clients the value of your services, using the gaps identified from the exercise to advance their security programs. They also allow IR consultants to build trust and become go-to advisors for their clients’ security needs.

When done right, TTX should also be a business driver. To do that, you need to create a program and make it efficient for your clients. You also need tools that let your offering scale as a facilitator, and this is where Asa comes in. Asa gives you the metrics and standardized reporting to stay efficient, while also showing your clients their progress over time.

Our tip? If you want to use TTX to grow your business, or if you’re adding it as part of your retainer, specify what is included and go beyond the traditional 1x/year exercise cadence. Start with a technical exercise with the client’s IT and/or security team. Then move to an executive exercise with the broader team with incident response responsibilities (legal, exec, PR/communications, and HR all should be included). If your client is onboarding a new key hire or implementing a major procedural change (hey, let’s test that new AI policy), these are all good times to engage.

How can I improve the tabletop exercise experience for clients?

The number one issue with TTX is that they just aren’t engaging—at least, not the old ones. This problem stems from a handful of other underlying problems, like scenario relevance, facilitator quality, and the time commitment involved.

A good facilitator guides the exercise, monitors engagement, and ultimately “makes” the tabletop exercise experience for participants. Tools like Asa help you focus on the exercise at hand without worrying about taking comprehensive exercise notes—freeing you up to run the best TTX possible. Asa also helps you wow your clients by delivering almost immediate, actionable insights for their security program.

What other components go into a competitive incident response tabletop program?

A strong incident response tabletop program shouldn’t be a once-a-year checkbox, but an ongoing effort. Start by setting clear goals—like involving all key stakeholders, improving cross-team coordination, and making regular updates to the IRP. Build the program into a rhythm: monthly lunch-and-learn sessions led by rotating team members, quarterly exercises with core incident response roles, and executive-level sessions twice a year. Use real-world inputs like recent security incidents or pentest findings to shape each scenario, and be sure to share what you learn and adjust your plan as needed along the way.

Tabletop

Is a facilitator required for a TTX?

Yes—a good facilitator is the lifeblood of the tabletop exercise. They make or break the experience for the participants, and ultimately are the ones that secure stakeholder buy-in, resources, and support for an ongoing TTX schedule.

If you’re new to TTX and want to improve and practice your facilitation, we recommend that you participate in some online exercises to start. There are many groups that run free Backdoors and Breaches events online. Alternatively, if you come from a Dungeon Master background or have mastered the art of storytelling, you may be well suited to being an exercise facilitator—you may just need to refine your craft.

What types of TTX scenarios are there?

The best starting point to build an exciting tabletop scenario is the news. Pick a topic that’s relevant to your business, whether it’s ransomware, BEC, or an insider threat, and find the real-world incidents that have impacted organizations like yours. From there, focus on making it relevant to your audience – that’s what will keep them engaged throughout.

What are the main considerations for an executive tabletop?

When running an executive tabletop exercise, start by securing buy-in—make sure participants understand the business impact of the scenario, such as potential revenue loss or reputational damage, and why their time matters. Build engagement beforehand with a teaser like a short video or scenario backstory. During the session, focus on strategic decision-making tied to executive priorities like revenue, customer trust, or employee retention. Present tough trade-offs to highlight the risks and their role in responding, and keep the session focused and under 90 minutes. Finally, deliver the after-action report quickly and use the momentum to drive needed changes.

Who should participate in a tabletop exercise?

In a traditional exercise, you should include all key stakeholders in your incident response plan. This often includes a subset of your executive and infosec teams, as well as representatives from IT, HR, legal, communications, and finance. 

If you’re going beyond the once-a-year compliance exercise, consider including additional groups. What scenarios could impact teams who are integral to customer trust, corporate reputation, or employee relations? Decide what’s important to the organization you’re serving and focus on the stakeholders in those areas.

How long should a TTX be?

While people often think of traditional exercises being 3-4 hours, you can get a lot of value from exercises that can be completed in 1-2 hours. Our recommendation is to break things down and do them more often as opposed to the “big bang” mega-exercise. 

No matter how long your exercise takes, make sure to save dedicated time at the end, about 15-30 minutes, for a retrospective. And make sure Asa attends your exercise so you can quickly go from running your exercise to discussing action items in a meaningful way.

How often should tabletop exercises be run?

Running tabletops once a year is like going to the gym once a year. It’s not enough. In order to build muscle memory, enact change, and improve response times, you need to set up an exercise cadence and actively manage the program. We generally recommend quarterly exercises at a minimum, and for active programs they can be done more frequently.

What should stakeholders expect from TTX?

After a TTX, stakeholders should expect to understand where they are performing well, where their areas of risk are, and the next steps to secure those risks. A quality after-action report and personalized explanation from the facilitator will be key in establishing this level of understanding with the client(s). 

Have a great IR story? Tell Asa!

The unexpected wins. The client curveballs. The chaos you couldn’t have scripted if you tried. Dear Asa is your space to share the stories that don’t make it into the official post-incident report. Script, submit, and enjoy a chance to be featured or quoted in an upcoming post.
