Ransomware Tabletop Exercises: Planning and Execution
Ransomware tabletop exercises are structured simulation sessions in which organizational stakeholders walk through a predefined ransomware attack scenario to test decision-making, communication protocols, and response procedures, without touching production systems or generating real alerts. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) both identify tabletop exercises as a foundational preparedness activity for organizations across critical infrastructure sectors. This page covers the formal definition and regulatory context of these exercises, their structural mechanics, the scenario types most commonly deployed, and the decision criteria that determine exercise scope, frequency, and format.
Definition and scope
A ransomware tabletop exercise is a discussion-based exercise in the taxonomy of FEMA's Homeland Security Exercise and Evaluation Program (HSEEP): participants talk through simulated conditions rather than physically deploying tools or activating response infrastructure (FEMA HSEEP Doctrine, 2020). HSEEP groups seminars, workshops, tabletops, and games as discussion-based exercises, and drills, functional exercises, and full-scale exercises as operations-based. A tabletop is the most demanding of the discussion-based types and sits just before the operations-based tier, which makes it the standard entry point for organizations building ransomware response capability before committing to live drills.
CISA's StopRansomware guidance recommends exercising the incident response plan and points organizations to its free tabletop exercise packages. NIST Special Publication 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, establishes the technical baseline for exercise design, including facilitation structure, scenario injects, and after-action reporting (NIST SP 800-84).
The scope of a ransomware tabletop typically spans 3 to 6 hours for a single-session format and may extend across multiple days for enterprise-scale organizations with distributed response teams. Participants commonly include representatives from IT security, legal, communications, executive leadership, and — in regulated sectors — compliance personnel who must navigate obligations under frameworks such as HIPAA (45 CFR Part 164), the NIST Cybersecurity Framework, and sector-specific requirements from regulators including the HHS Office for Civil Rights and the SEC.
How it works
A ransomware tabletop exercise follows a phased structure grounded in the HSEEP model. Each phase produces specific outputs that feed into subsequent stages.
- Planning and design — A designated exercise planning team defines objectives, selects the scenario, identifies participants, and develops a Master Scenario Events List (MSEL). The MSEL is the sequenced list of injects, the simulated events delivered during the exercise, that drives participant decision-making. For ransomware scenarios, attacker injects typically map to phases of the MITRE ATT&CK framework, from Initial Access (TA0001) through Exfiltration (TA0010) to Impact (TA0040), where encryption is the technique Data Encrypted for Impact (T1486). Non-attack injects (a media inquiry, a regulator's call) carry no ATT&CK mapping but still need a timing, an owner, and an expected player action.
- Pre-exercise documentation review — Participants review relevant plans before the session: Incident Response Plans (IRPs), Business Continuity Plans (BCPs), and any sector-specific notification procedures. NIST SP 800-61, Computer Security Incident Handling Guide, provides the reference framework most organizations align their IRPs against (NIST SP 800-61 Rev. 2; Rev. 3, published in April 2025, aligns the guidance with the NIST Cybersecurity Framework 2.0).
- Facilitated exercise session — A trained facilitator presents injects at defined intervals. Participants verbally walk through their responses: who makes decisions, what communications go out, which vendors are contacted, when legal counsel engages, and what triggers a ransom payment consideration. The facilitator tracks gaps, hesitations, and unresolved decision points in real time.
- Hotwash — An immediate debrief conducted at the session's close, capturing first-order observations before memory degrades. Hotwash outputs feed the formal after-action process.
- After-Action Report (AAR) and Improvement Plan (IP) — The AAR documents findings against stated objectives; the IP converts findings into discrete corrective actions with assigned owners and deadlines. HSEEP requires this output structure for exercises funded through federal preparedness grants, and the format has become the de facto standard for private-sector programs as well.
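To make the MSEL concrete, here is an added example (not from this page, from HSEEP, or from any CISA package) that models injects as records, validates the list before the session, prints the facilitator run sheet, and computes the notification clocks that a double-extortion scenario puts in play. The sample MSEL, the role names, and the HIPAA and SEC assumptions are constructed for illustration; the ATT&CK tactic and technique IDs are real, and the kill-chain ordering rule is this example's own sanity check on the scenario narrative, not an HSEEP requirement.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# MITRE ATT&CK Enterprise tactic IDs in matrix (kill-chain) order. The IDs are real;
# the ordering check below is this example's own sanity rule for a scenario narrative.
TACTIC_ORDER = [
    "TA0043", "TA0042", "TA0001", "TA0002", "TA0003", "TA0004", "TA0005",
    "TA0006", "TA0007", "TA0008", "TA0009", "TA0011", "TA0010", "TA0040",
]
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")


@dataclass(frozen=True)
class Inject:
    t_plus_min: int          # minutes after exercise start when the facilitator delivers it
    tactic: Optional[str]    # ATT&CK tactic ID, or None for a non-attack inject
    technique: str           # ATT&CK technique ID (empty for non-attack injects)
    event: str               # what the facilitator reads out
    owner: str               # role expected to own the decision
    prompt: str              # the question that role must answer aloud


def validate_msel(injects):
    """Return a list of problems; an empty list means the MSEL is ready to run."""
    if not injects:
        return ["MSEL has no injects"]
    problems, last_t, last_rank = [], -1, -1
    for i, inj in enumerate(injects, 1):
        if inj.t_plus_min <= last_t:
            problems.append(f"inject {i}: T+{inj.t_plus_min} is not later than the previous inject")
        last_t = max(last_t, inj.t_plus_min)
        if inj.tactic is not None:
            if inj.tactic not in TACTIC_ORDER:
                problems.append(f"inject {i}: unknown tactic {inj.tactic}")
            else:
                rank = TACTIC_ORDER.index(inj.tactic)
                if rank < last_rank:
                    problems.append(f"inject {i}: {inj.tactic} regresses in kill-chain order")
                last_rank = max(last_rank, rank)
            if not TECHNIQUE_RE.match(inj.technique):
                problems.append(f"inject {i}: malformed technique ID {inj.technique!r}")
        if not inj.owner.strip() or not inj.prompt.strip():
            problems.append(f"inject {i}: missing owner or decision prompt")
    if not any(inj.tactic == "TA0040" for inj in injects):
        problems.append("no Impact (TA0040) inject: the scenario never reaches encryption")
    return problems


def build_schedule(injects, start_iso):
    """Facilitator run sheet: wall-clock time, T+ offset, ATT&CK tag, owner, event."""
    start = datetime.fromisoformat(start_iso)
    lines = []
    for inj in injects:
        when = start + timedelta(minutes=inj.t_plus_min)
        tag = f"{inj.tactic}/{inj.technique}" if inj.tactic else "non-attack"
        lines.append(f"{when:%H:%M} T+{inj.t_plus_min:03d} [{tag}] {inj.owner}: {inj.event}")
    return lines


def _add_business_days(d, n):
    # Assumption: weekends only; this example ignores federal holidays.
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def notification_clocks(discovery_iso, materiality_iso=None):
    """Deadlines the facilitator holds participants to once the exfiltration inject lands.
    Assumption: the organization is a HIPAA covered entity and, if a materiality
    determination time is supplied, an SEC registrant."""
    discovery = datetime.fromisoformat(discovery_iso)
    clocks = {"HIPAA breach notification (45 CFR 164.404, 60 days from discovery)":
              (discovery + timedelta(days=60)).date().isoformat()}
    if materiality_iso:
        mat = datetime.fromisoformat(materiality_iso)
        clocks["SEC Form 8-K Item 1.05 (4 business days from materiality determination)"] = \
            _add_business_days(mat, 4).date().isoformat()
    return clocks


# Constructed sample MSEL for a double-extortion scenario (not from any published package).
SAMPLE_MSEL = [
    Inject(0, "TA0001", "T1566.001", "Finance user reports an invoice attachment that 'did nothing'",
           "SOC lead", "Ticket or incident? Who gets paged?"),
    Inject(20, "TA0008", "T1021.001", "RDP logons from that workstation to two file servers",
           "SOC lead", "Isolate the hosts now or keep observing?"),
    Inject(40, "TA0010", "T1567.002", "800 GB left overnight for a cloud storage provider",
           "CISO", "Does this change the incident classification and who is notified?"),
    Inject(60, "TA0040", "T1486", "File shares encrypted; the ransom note names the stolen data",
           "Incident commander", "Declare a major incident? Activate the BCP?"),
    Inject(75, None, "", "Ransom note demands payment within 72 hours",
           "General counsel", "Is an OFAC sanctions check required before any payment discussion?"),
    Inject(90, None, "", "A reporter emails asking about the outage",
           "Communications lead", "Holding statement, or no comment?"),
]

if __name__ == "__main__":
    for p in validate_msel(SAMPLE_MSEL) or ["MSEL OK"]:
        print(p)
    print(*build_schedule(SAMPLE_MSEL, "2024-03-04T09:00"), sep="\n")
    for k, v in notification_clocks("2024-03-04T09:40", "2024-03-08T17:00").items():
        print(f"{k}: {v}")
```

The validator is deliberately strict about two things a hotwash tends to surface: injects delivered out of order (participants cannot reason about a detection that precedes its cause), and injects with no named owner, which is how an exercise ends with "someone should have called legal" and no corrective action in the IP.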
The distinction between a tabletop exercise and a functional exercise is operational activation: a tabletop produces no live alerts, no actual system changes, and no real notifications to external parties. A functional exercise tests whether systems and personnel can execute — tabletops test whether personnel know what to execute.
Common scenarios
Ransomware tabletop scenarios cluster into four recognized types, differentiated by attack vector, impact profile, and the decision pressures they generate.
Single-site encryption event — A threat actor compromises one facility or business unit through a phishing email, deploys ransomware, and encrypts local file shares. This is the baseline scenario used in initial-maturity exercises. It tests IRP activation, IT isolation procedures, and internal escalation chains.
Double-extortion scenario — Encryption is combined with pre-exfiltration of sensitive data. The threat actor threatens public release or sale of the data if payment is not made. This scenario forces legal, privacy, and communications teams into the exercise and tests notification obligations under statutes such as HIPAA's Breach Notification Rule (45 CFR §164.400–414) and state breach notification laws.
Operational technology (OT) / industrial control system (ICS) impact — Ransomware propagates from IT networks into OT environments, threatening operational continuity in manufacturing, energy, or healthcare delivery. This scenario type is discussed in CISA's joint advisory AA22-040A (2021 Trends Show Increased Globalized Threat of Ransomware), which reports ransomware actors targeting industrial processes alongside other critical infrastructure.
Supply chain or managed service provider (MSP) vector — A third-party vendor or MSP is compromised first, and ransomware propagates to client organizations through trusted network connections. This scenario tests vendor risk management protocols and the contractual and notification obligations that govern third-party relationships.
For organizations seeking structured scenario libraries, CISA publishes free Cybersecurity Tabletop Exercise Packages (CTEPs), reachable from the StopRansomware portal, including ransomware scenarios aligned to sector-specific threat profiles.
Decision boundaries
Several structural factors determine the appropriate format, scope, and frequency of ransomware tabletop exercises. These boundaries are not advisory preferences — they reflect regulatory expectations, organizational risk profiles, and documented program maturity standards.
Regulatory obligations: Organizations subject to HIPAA, the NIST Cybersecurity Framework (CSF), or NERC CIP standards face explicit or implied exercise requirements. HIPAA's Security Rule (45 CFR §164.308(a)(8)) requires covered entities to conduct periodic technical and non-technical evaluations of security controls, which regulators have interpreted to encompass structured exercises. NERC CIP-008-6 mandates that bulk electric system entities test incident response plans at least once every 15 months, with tabletop exercises qualifying as an accepted testing method (NERC CIP-008-6).
Maturity-based format selection: Organizations conducting their first ransomware exercise typically begin with a single-scenario tabletop focused on IRP activation. Organizations with established programs progress to multi-inject exercises, cross-functional participation spanning 12 or more roles, and scenarios that incorporate regulatory notification timelines. Full-scale functional exercises represent a separate program tier and require operational activation of response infrastructure.
Frequency benchmarks: CISA's exercise guidance recommends at minimum 1 tabletop exercise per year for organizations in critical infrastructure sectors. Organizations that have experienced a ransomware incident within the prior 24 months, or that have undergone significant technology or personnel changes, typically require more frequent sessions to validate updated plans.
Ransom payment decision protocols: Exercises that include a payment decision inject surface a distinct compliance boundary. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory in 2020, updated in September 2021, clarifying that ransomware payments to sanctioned entities or individuals may violate the International Emergency Economic Powers Act (IEEPA) on a strict-liability basis, regardless of whether the payer knew of the sanctions nexus (OFAC Ransomware Advisory, 2020, updated 2021). Tabletop exercises that walk decision-makers through payment scenarios must incorporate this legal boundary as a structured inject, with a sanctions screening step placed before any payment discussion.
Exercise documentation: After-action reports from tabletop exercises may be subject to discovery in litigation following an actual incident. Legal counsel involvement in exercise design — particularly regarding privilege assertions over AAR documents — represents a recognized risk management consideration within the exercise planning phase.