Ransomware Tabletop Exercise

A self-contained 90-minute exercise you can run with your leadership team this quarter. Scenario, injects, decision points, debrief — everything you need to find the gaps before an attacker does.

Designed for SMBs · Industry-agnostic · 90 minutes

Setup (15 minutes before the meeting)

  • Room: a single conference room or video call. No phones on the table — they're a real distraction in real incidents too.
  • Attendees: owner / CEO · senior IT lead · finance lead · legal · communications lead · operations lead. 5-8 people is ideal.
  • Roles: one facilitator (reads injects, keeps time, doesn't participate in decisions), one notetaker, one timekeeper.
  • Ground rules: no blame. The goal is to surface gaps, not to find who to fire. Anything said in the room stays in the room until the formal debrief.

The scenario

It is 6:47 AM on a Tuesday. The on-call IT engineer wakes up to a phone call from the warehouse manager: "None of the computers will boot. Every screen has a red message about Bitcoin." Initial check shows: 80% of endpoints are encrypted. The shared file server is encrypted. The backup server is also encrypted. The phone system is up. Email (cloud-hosted) is up. The accounting system is hosted by a third party — status unknown.

Start the clock. The team has 90 minutes (compressed time) to work through the first six hours of the incident.

The injects (facilitator reads aloud)

Inject 1 — 6:50 AM (5 minutes in)

"The ransom note on every screen demands 8 BTC (~$640,000 at today's rate). The payment portal gives you 72 hours before the price doubles. The note claims they've also exfiltrated 240 GB of data and will publish it if you don't pay."

Decision points:

  • Who calls whom right now? Who is the incident commander?
  • Do you contact law enforcement? Cyber insurance? Legal counsel? In what order?
  • What do you tell employees arriving for the morning shift?

Inject 2 — 7:30 AM (40 minutes in)

"Your cyber insurance carrier returns your call. They will only honor the policy if you use their pre-approved incident response firm. The IR firm is available — they can have a remote team online in 90 minutes. Their fee is $50,000 retainer plus $400/hour."

Decision points:

  • Does the policy actually cover ransomware payment? Business interruption? Forensics?
  • What's the answer if the IR firm tells you to pay the ransom? What if they tell you not to?
  • Who has signing authority for the retainer? Do they have it right now if the systems are down?

Inject 3 — 8:45 AM (75 minutes in)

"The backup vendor says: yes, the on-site backups are encrypted, but they have a 48-hour-old offsite snapshot. Recovery time to restore everything is estimated at 36 hours. There is also a 3-week-old monthly snapshot available immediately."

Decision points:

  • What systems do you restore first? What's the recovery priority list and where is it written down?
  • Do you have laptops or other hardware to run on while production environments are restored?
  • What do you do with the 48 hours of transaction data you'll lose? Can it be reconstructed from email, paper, or partners?

Debrief (last 15 minutes)

The facilitator runs three rounds:

  1. What worked? Each attendee names one decision the team made well.
  2. What's missing? Each attendee names one gap — a missing document, missing authority, missing capability, missing relationship.
  3. What's our 30/60/90? The team picks the top three gaps and assigns owners and dates.

The notetaker turns the debrief into a one-page memo with three columns: Gap · Owner · Due date. Circulate within 48 hours.
