Practice incident decisions before the real day
How to run a 30-minute incident response tabletop
A short tabletop works best when it is not trying to prove everything. Use 30 minutes to rehearse the first decisions your team would make during one realistic incident: who takes the lead, what facts matter, who gets notified, and what actions must happen next.
When this format fits
Use a 30-minute tabletop when the team needs a lightweight readiness check, a meeting-friendly exercise, or a first pass before a larger drill. It works well for ransomware triage, business email compromise, vendor outage, credential phishing, or a public service disruption.
Keep the scenario generic unless your organization has already approved what can be discussed. Avoid real credentials, sensitive incident details, regulated data, or infrastructure information that would create risk if copied into notes.
Recommended agenda
- 0-5 minutes: Set the rules. Name the scenario, the time box, the facilitator, and the scribe. Remind participants that the goal is useful decisions, not perfect answers.
- 5-10 minutes: Present the starting facts. Give the team the initial alert, affected system or process, known impact, and the first open question.
- 10-20 minutes: Walk through three injects. Each inject should force a decision: escalation, containment, communication, evidence handling, customer impact, vendor coordination, or leadership notification.
- 20-27 minutes: Capture the after-action discussion. Ask what worked, what was unclear, what slowed the team down, and what should change before the next exercise.
- 27-30 minutes: Assign owners. Pick no more than three follow-up actions, name one owner for each, and set a target date.
Three decision points to include
- Ownership: Who is the incident lead, and who has authority to make the next decision?
- Communication: Who needs to know now, who can wait, and what should not be said until facts are confirmed?
- Containment: What action reduces risk without destroying evidence or making business impact worse?
Facilitator checklist
- Choose one incident type and one business impact before the meeting.
- Prepare three injects, each with one decision the group must make.
- Assign a scribe before the exercise starts.
- Keep discussion moving when participants drift into tool details or blame.
- Close with actions, owners, and dates instead of a long lessons-learned debate.
What to record
The most useful notes are short and concrete: facts known at the time, assumptions the team made, decisions taken, questions that stayed open, and follow-up work. If your notes only say "improve communication" or "review process," the next meeting will start from the same foggy place.
Better action items sound like: "Update the ransomware escalation contact list," "Confirm who can approve external customer messaging," or "Create a vendor outage notification template."
Common mistakes
- Too much scenario: Long backstories eat the clock. Start with enough context to make the first decision.
- Too many participants: A short exercise works best with people who own real decisions or support them directly.
- No scribe: If no one captures decisions and follow-ups, the exercise becomes an interesting conversation instead of readiness work.
- No owner: Every follow-up action needs one accountable person, even if several teams help.
FAQ
Can this replace a full tabletop exercise?
No. A 30-minute tabletop is a focused rehearsal, not a complete program review. Use it to find obvious gaps, build rhythm, and prepare for deeper exercises.
How many injects should I use?
Three is usually enough for 30 minutes. More injects can work only if they are very short and the facilitator keeps the group moving.
Should the scenario be realistic?
Yes, but not sensitive. Use plausible details that match your business context without including confidential system details, credentials, customer data, or real incident history.