
How To Maximize Returns on Tabletop Exercises & Crisis Simulations
Tabletop exercises and crisis simulations are both valuable tools in resilience planning, but each has its own strengths and drawbacks. For maximum effectiveness, they must reinforce one another.
In a recent Rubrik survey of more than 1,600 IT and security leaders, 90% of respondents said their organizations experienced a cyberattack within the last year. Given the near inevitability of a cyber incident, regular testing of incident response procedures should play a significant part in any organization’s business continuity planning.
Both tabletop exercises (TTXs) and crisis simulations are valuable tools for preparing organizations for real-world emergencies, but they differ significantly in their approach. Rather than opting for one over the other, they work best when the findings from one inform the other.
Neither technique is unique to cybersecurity programs. These exercises are used by militaries, where “war gaming” can help determine the best course of action, by relief agencies to improve disaster response procedures, and by public relations firms to limit the fallout from an adverse event, to name a few.
Tabletop Exercises vs. Crisis Simulations
So what are the differences between these two approaches? Here’s a quick comparison:
Tabletop exercises:
Are discussion-based: TTX participants gather in informal, low-stress environments (often around a table) to talk through a hypothetical crisis scenario.
Focus on plans and procedures: The main goal is to review and discuss existing emergency plans, policies, and procedures. Participating helps groups clarify roles, solidify responsibilities, and understand decision-making processes.
Provide low realism, but high flexibility: TTXs are less realistic than simulations because they don't involve actual execution of tasks. This makes them cost-effective, easy to organize, and highly flexible for exploring various "what-if" scenarios, including identifying gaps in planning.
Excel in certain scenarios: TTXs are excellent for initial planning, familiarizing teams with protocols, identifying planning weaknesses, promoting collaborative problem-solving, and increasing risk awareness.
Crisis simulations:
Are action-oriented and immersive: Crisis simulations are designed to replicate real-world crisis scenarios as closely as possible. Participants actively engage in responding to simulated events.
Focus on execution and decision-making under pressure: These exercises aim to build "muscle memory" by requiring participants to make quick decisions, communicate effectively, and execute their roles under pressure. They often involve real-time input (e.g., mock news feeds, social media updates, phone calls, and role-players acting as journalists or authorities).
Provide high realism, but are more resource-intensive: Crisis simulations can be more complex, requiring more preparation, resources, and often specialized software or facilitators to create the immersive environment.
Take TTX findings a step further: Crisis simulations provide hands-on experience, test incident response capabilities in dynamic settings, promote team coordination, help uncover vulnerabilities in real-time responses, and allow for the practical application of skills.
In essence, tabletop exercises are like a "walk-through" or a "rehearsal" for a theater production, where cast members allocate time to discuss the play at a high level. Crisis simulations, on the other hand, are more akin to a "dress rehearsal," where the company actually runs through the play, including all of the unexpected twists and real-time consequences of learning a new, complex, and coordinated activity.
TTXs and Crisis Simulations: Better Together
In some senses, the differences between these two approaches are their strength. TTXs can be set up quickly, require less time and money, and can realistically be performed more frequently than simulations. This helps to keep teams’ minds on common pitfalls that could affect incident response activities of all types.
Crisis simulations, on the other hand, typically offer a higher level of detail, realism, and real-world “pressure” that is difficult to match with a TTX. This ensures teams are fully prepared not only for different types of incidents, but also to handle the most common roadblocks likely to arise when solving them.
Both are crucial for comprehensive crisis preparedness, with tabletop exercises often serving as a foundation for more complex simulations. For example, an analyst may calculate the risk a certain threat presents to a business. If the threat is sufficiently high, select personnel may want to determine its plausibility with a tabletop walkthrough. If the threat is both a significant risk and plausible, it may be deserving of a crisis simulation.

This process is repeated as an organization builds its understanding of how its defensive capabilities stack up against a range of threats, and where gaps in its response capabilities may exist. In well-rounded resilience planning, these response capabilities are mapped against the minimum level of resources the business needs to continue functioning, also known as the “minimum viable business.” Security teams can then focus on closing these gaps for the most critical business systems.
Smart, efficient incident response planning should focus on identifying the highest-risk, highest-probability threats and then developing the capabilities to recover should an incident occur. One way to accomplish this involves a virtuous cycle of testing the feasibility of a cyber threat through a TTX, and then drilling down into the specifics of a response through a carefully considered, realistic crisis simulation.
This approach naturally focuses resilience planning activities on the incidents most likely to impact business continuity. By using a blend of TTX activities and crisis simulations, organizations preserve flexibility without sacrificing depth. Given the importance of backup and recovery capabilities under the frenetic and high-stakes conditions of active incident response, along with the statistical likelihood of an incident, regular and well-designed planning exercises are an essential investment with strong ROI potential.