Tabletop Exercises For Appsec Teams

Published: 19 Sep 2025

Tabletop exercises are the secret weapon for building resilient AppSec teams. They're not just training; they're relationship builders, blind spot finders, and perfect activities for slow Friday afternoons. Plus, they make excellent interview questions to see how candidates think under pressure.

The best part? You can start running them today with zero budget and minimal preparation.

Why Tabletop Exercises Matter

Real incidents don't come with instruction manuals. They're messy, ambiguous, and happen at the worst possible times. Tabletop exercises let you practice the chaos in a safe environment where mistakes are learning opportunities, not career-limiting events.

They reveal gaps in your processes that you didn't know existed. They build muscle memory for crisis response. Most importantly, they strengthen relationships between teams who need to work together when things go wrong.

The Art of Good Scenarios

Good scenarios feel real because they could be real. They're specific enough to be actionable but flexible enough to allow for creative problem-solving. They have complications that mirror real-world messiness.

Start with scenarios close to home. Use your actual tech stack, your real team structure, your current processes. The closer to reality, the more valuable the exercise.

Scenario 1: "Going Live?"

You've just had your morning coffee when you're pulled into an emergency meeting. An application is scheduled to go live tomorrow, but your team just found a remote code execution vulnerability. The business team is adamant about the launch date - it's been advertised, customers are expecting it, and delays will cost millions.

What questions do you ask? Can you propose alternatives? How do you quantify risk? Who makes the final decision? What if the CEO overrules security concerns?

Twist: The developer who wrote the vulnerable code is on vacation in Bali with no phone service.

Scenario 2: "The Log4j Morning"

A vulnerability like Log4j or Heartbleed just dropped. It affects everything. Twitter is on fire. Your CEO just forwarded you a news article asking, "Are we affected?"

How do you identify affected applications? You have hundreds of services - who owns what? How do you prioritize fixes? What about third-party vendors? How do you communicate status when you don't know the full scope yet?

Twist: Your software inventory system hasn't been updated in six months.

Scenario 3: "No Bounty for You"

A security researcher emails claiming they've found a critical vulnerability in your main application. They refuse to go through your bug bounty program to avoid disclosure restrictions. They want to publish after 45 days, fixed or not, and they're fine forfeiting any bounty.

How do you verify they're legitimate? What if they demand unreasonable terms? How do you handle communication? What's your legal position? What if they go public before you're ready?

Twist: The researcher is 16 years old and located in a country with different disclosure laws.

Scenario 4: "The Leak"

A developer accidentally commits AWS credentials to a public GitHub repository. By the time you're notified, the commit has been public for four hours. It's been forked twice and indexed by credential scanning bots.

How quickly can you rotate credentials? What might have been accessed? How do you audit four hours of potential activity? Who needs to be notified? What about compliance requirements?

Twist: The credentials had admin access to production databases containing customer PII.
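One way to make the "How do you audit four hours of potential activity?" question concrete when the exercise is run with laptops. This is an added example, not PentesterLab's code: it filters CloudTrail-shaped records for the leaked access key inside the exposure window (commit time until rotation) and flags the API calls a responder would want to look at first. The access key id, IP addresses and records are constructed sample values, and the list of sensitive actions is an assumption to tune for your own environment; pulling real events out of CloudTrail is left out.

```python
"""Scope what a leaked AWS access key did between commit and rotation.

Added example for the "The Leak" tabletop scenario; not PentesterLab's code.
It assumes records in CloudTrail's JSON shape (eventTime, eventName,
eventSource, sourceIPAddress, userIdentity.accessKeyId) and works offline on
the constructed sample below.
"""
from datetime import datetime, timedelta, timezone
import json

# Constructed sample records (placeholder key ids and documentation IPs).
SAMPLE_RECORDS = json.dumps({"Records": [
    # Developer's own use, before the commit went public: out of scope.
    {"eventTime": "2025-09-19T07:50:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED00"}},
    {"eventTime": "2025-09-19T08:05:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED00"}},
    {"eventTime": "2025-09-19T08:07:00Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED00"}},
    # Persistence attempt: a new key created with the leaked one.
    {"eventTime": "2025-09-19T08:30:00Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED00"}},
    {"eventTime": "2025-09-19T09:15:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED00"}},
    # A different, unaffected key: out of scope.
    {"eventTime": "2025-09-19T10:00:00Z", "eventName": "GetSecretValue",
     "eventSource": "secretsmanager.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEOTHER0000"}},
    # After rotation; should not appear in the exposure window.
    {"eventTime": "2025-09-19T12:30:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED00"}},
]})

LEAKED_KEY = "AKIAEXAMPLELEAKED00"  # constructed placeholder
COMMIT_TIME = datetime(2025, 9, 19, 8, 0, tzinfo=timezone.utc)

# Assumed list of calls worth reviewing first: data reads, secret reads,
# and anything that grants or persists access.
SENSITIVE_ACTIONS = {
    "GetObject", "GetSecretValue", "CreateAccessKey", "CreateUser",
    "AttachUserPolicy", "PutUserPolicy", "AssumeRole", "CreateLoginProfile",
}


def parse_time(stamp):
    """CloudTrail timestamps are UTC in the form 2025-09-19T08:05:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_records(raw_json):
    """Return the record list from a CloudTrail-style {"Records": [...]} document."""
    return json.loads(raw_json)["Records"]


def exposure_window_events(records, key_id, start, end):
    """Events made with key_id between start and end (rotation), oldest first."""
    hits = []
    for rec in records:
        if rec.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue
        if start <= parse_time(rec["eventTime"]) <= end:
            hits.append(rec)
    hits.sort(key=lambda r: r["eventTime"])
    return hits


def summarize(events):
    """Condense the window into the facts a responder needs for the debrief."""
    return {
        "event_count": len(events),
        "sensitive": [(e["eventTime"], e["eventName"]) for e in events
                      if e["eventName"] in SENSITIVE_ACTIONS],
        "source_ips": sorted({e["sourceIPAddress"] for e in events}),
        "services": sorted({e["eventSource"].split(".")[0] for e in events}),
    }


def audit_leak(raw_json=SAMPLE_RECORDS, key_id=LEAKED_KEY,
               commit_time=COMMIT_TIME, hours_exposed=4):
    """Summarize everything the leaked key did during the exposure window."""
    end = commit_time + timedelta(hours=hours_exposed)
    return summarize(exposure_window_events(parse_records(raw_json), key_id,
                                            commit_time, end))


if __name__ == "__main__":
    print(json.dumps(audit_leak(), indent=2))
```

Run against the sample, the summary shows four calls with the leaked key inside the window, two of them sensitive (an S3 object read and a new access key, which means the cleanup has to cover keys the attacker created, not just the leaked one), from two source addresses. The developer's pre-commit usage, the unrelated key and the post-rotation call are excluded, which is the kind of scoping question the debrief should check the team asked.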

Scenario 5: "Dependency Confusion"

Your application was targeted via a dependency confusion attack. It was only detected because a service failed during deployment. The malicious package has been in your build pipeline for three days.

How do you determine what was compromised? Which builds are affected? What data might have been exfiltrated? How do you clean infected systems? How do you prevent recurrence?

Twist: The attack happened on a Friday afternoon before a three-day weekend.

Running Effective Exercises

Keep exercises short - 30 to 60 minutes. Long enough to dig deep, short enough to maintain energy. Include people from different teams. The security perspective is just one of many you need.

Designate a facilitator who introduces complications and keeps discussions moving. They're not participating; they're orchestrating. Their job is to make it realistic, not easy.

No laptops unless you're simulating actual response. This is about thinking and discussing, not googling solutions. The conversation is more valuable than the answer.

The Debrief Is Everything

After each scenario, identify what went well and what didn't. What processes were missing? What tools would have helped? Who should have been involved but wasn't?

Turn findings into action items. Missing runbook? Write it. Communication gap? Fix it. Tool needed? Build or buy it. Each exercise should make you better prepared for the next real incident.

Using Exercises in Interviews

Tabletop scenarios make excellent interview questions. They reveal how candidates think under pressure, how they prioritize, how they communicate. Do they panic or stay calm? Do they consider business impact or just technical issues?

Give candidates a scenario and watch how they work through it. The approach matters more than the answer. You want someone who asks good questions, considers stakeholders, and thinks about long-term implications.

Making It Regular

Schedule exercises regularly. Monthly is ideal, quarterly is minimum. Make them part of your team's rhythm. Rotate who creates scenarios - fresh perspectives keep exercises valuable.

Track improvements over time. Are you handling scenarios faster? With less confusion? With better outcomes? These metrics show the value of practice.

Start Simple, Build Complexity

Your first exercises don't need to be complex. Start with single-issue scenarios. As your team gets comfortable, add complications. Multiple simultaneous incidents. Conflicting priorities. Resource constraints.

The goal isn't to overwhelm but to prepare. Each exercise should stretch your capabilities just enough to promote growth without causing frustration.

Tabletop exercises are low-cost, high-value activities that make your team better at handling real incidents. They build relationships, reveal blind spots, and create muscle memory for crisis response. Start with one scenario next Friday afternoon. Your future incident-responding self will thank you.


Prefer video? I cover these scenarios and tips in this talk:

Written by Louis Nyffenegger
Founder and CEO @PentesterLab