Designing an engaging and realistic TTX for an organisation

We met Matias Sliafertas and Federico Pacheco at the 2025 TF-CSIRT Meeting & FIRST Regional Symposium Europe, where they led an interactive workshop on cybersecurity tabletop exercises (TTXs) that guided participants through the design and execution of TTXs tailored for both executive (C-level) and technical teams. We invited them to share their tips and tricks on designing an interactive and realistic TTX for an organisation.

Matías Sliafertas is an Information & Cyber Security professional with over 20 years of experience leading governance, risk management, business continuity, and regulatory compliance programs across multinational and governmental environments. He has authored multiple cybersecurity publications and teaches information security at various universities. He currently serves as Information Security Manager at TUI within the GRC area and previously held senior leadership roles, including CISO at BASE4 Security and Executive Director at JPMorgan Chase, overseeing regional cybersecurity and technology controls in Latin America and Canada.

Federico Pacheco is a cybersecurity professional with 25+ years of experience and a background in electronic engineering. Author of five books and over 20 academic papers on cybersecurity and education. Speaker at major conferences such as RSA, BlackHat, FIRST, and Defcon. With more than two decades of teaching experience, he currently serves as Director of Cybersecurity Services at BASE4 Security, leading multidisciplinary teams.

1. From your experience, what is the recipe for designing a good tabletop exercise?

A good tabletop exercise (TTX) should be built on a clear structure, realistic context, and measurable objectives. Based on our published methodologies and practical experience, the “recipe” begins with a well-defined goal and scope, because every design decision must derive from what the organization needs to validate, improve or learn.

A solid TTX combines:

  1. Explicit objectives and scope.
  2. Realistic scenarios, aligned with the organization’s risks, assets, and industry threats; all together, they need to make a realistic story.
  3. A coherent and technically consistent storyline, enriched with MITRE ATT&CK-based TTPs when appropriate. Of course, you can argue that a new zero-day can always appear, but try not to use that wildcard for everything.
  4. Clear roles and responsibilities for players, coordinators and observers.
  5. A structure that enables measurable outcomes, such as through the ENISA–NIST parameter-mapping model we developed for quantifying improvements.

2. What are your tips and tricks for making it work?

1. Keep scenarios understandable: complexity should arise from decision-making, not from the situation. You can use as many resources as are available, from images and sound to customized evidence for the more technical exercises.
2. Design injects with purpose: every event must test a process or communication path, or act as an igniter to drive a conversation during the exercise; prepare something to test, or to communicate a decision circuit.
3. Create a Welcome Package to set clear expectations, rules, interaction dynamics, and behavioral expectations.
4. Prepare logistics meticulously: room, schedule, channels, breaks, communications, food! If it will be virtual or a mix of virtual and on-premise, having good audio and video is crucial, so the focus remains on the exercise, not on operational friction.
5. Encourage discussion, not winning: a TTX is a learning activity, not a test or competition. We are not playing to “win”; we are playing to create culture, to enable teamwork, and to understand improvement opportunities.
6. Capture decisions without influencing outcomes, and close with a structured Hot Wash to gather insights, perceptions, and gaps while they are still fresh; much of this will be an important part of the report.

3. Do you use different methods for designing practice sessions for management team and/or operational team?

Yes, absolutely, and the distinction is essential. Management teams and operational/technical teams face different cognitive and procedural challenges, so the exercises must reflect that. Management should be focused on a more crisis-oriented exercise, emphasizing the strategic view, decision-making, internal and external communications, legal aspects, and of course business impact and possible strategies. When we design the injects for this audience, we always try to include ambiguity, incomplete information, and external pressure, in order to exercise how to ask the right questions, how to reach the right team, and of course to practice decision-making while showing potential impacts. We generally focus on reputation, regulatory exposure, and collateral effects (e.g., media, customers, shareholders).
On the other hand, more operational or technical exercises should emphasize detection, analysis, containment, forensics, and of course remediation. We use technically grounded injects (logs, alerts, third-party notifications) and follow an attack chain supported by MITRE ATT&CK-based TTPs.
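The following is an added example, not code from the interview or from the authors' methodology. It turns three of the points above into a check a TTX designer can run over an inject plan before the exercise: the storyline follows a MITRE ATT&CK-style attack chain in a plausible order (the "technically consistent storyline" from the recipe), every inject names the process or capability it tests ("design injects with purpose"), and the zero-day wildcard is used at most once. The inject schema, the capability labels, the sample scenario and all evidence strings are constructed for illustration; only the ATT&CK tactic names and technique IDs are real.

```python
"""Checker for a technical TTX inject plan (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass

# MITRE ATT&CK Enterprise tactics in kill-chain order. A storyline whose injects
# jump backwards in this list (e.g. Exfiltration before Initial Access) is not a
# coherent attack chain.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]


@dataclass
class Inject:
    time: str          # exercise clock, e.g. "T+00:20" (constructed convention)
    tactic: str        # ATT&CK tactic the inject belongs to
    technique: str     # ATT&CK technique ID
    evidence: str      # artifact handed to players: log line, alert, notification
    tests: list[str]   # process/capability/decision path this inject exercises
    zero_day: bool = False  # does the inject rely on the "zero-day wildcard"?


def check_plan(injects: list[Inject]) -> list[str]:
    """Return a list of findings; an empty list means the plan passes."""
    findings: list[str] = []
    last_idx = -1
    for n, inj in enumerate(injects, 1):
        if inj.tactic not in TACTIC_ORDER:
            findings.append(f"inject {n}: unknown tactic {inj.tactic!r}")
        else:
            idx = TACTIC_ORDER.index(inj.tactic)
            if idx < last_idx:
                findings.append(
                    f"inject {n}: {inj.tactic} comes after {TACTIC_ORDER[last_idx]}; "
                    "storyline jumps backwards in the attack chain")
            last_idx = max(last_idx, idx)
        if not inj.tests:
            findings.append(f"inject {n}: no stated purpose (what process or decision does it test?)")
        if not inj.evidence.strip():
            findings.append(f"inject {n}: no evidence artifact for the players")
    zero_days = sum(1 for inj in injects if inj.zero_day)
    if zero_days > 1:
        findings.append(f"{zero_days} injects rely on a zero-day; use that wildcard at most once")
    return findings


def coverage(injects: list[Inject]) -> Counter:
    """How many injects exercise each capability; gaps show up as missing keys."""
    return Counter(cap for inj in injects for cap in inj.tests)


# Constructed sample scenario: phishing leading to ransomware on a file server.
SAMPLE_PLAN = [
    Inject("T+00:00", "Initial Access", "T1566",
           "Mail gateway alert: attachment 'invoice_Q3.docm' delivered to 12 users",
           ["detection", "triage"]),
    Inject("T+00:20", "Execution", "T1059",
           "EDR alert: powershell.exe spawned by WINWORD.EXE on WS-0142",
           ["analysis", "containment"]),
    Inject("T+00:45", "Lateral Movement", "T1021",
           "Security log: RDP logon from WS-0142 to FS-01 with a service account",
           ["containment", "communication to IT"]),
    Inject("T+01:15", "Command and Control", "T1071",
           "Proxy log: periodic HTTPS beacons from FS-01 to an unknown domain",
           ["analysis"]),
    Inject("T+01:40", "Impact", "T1486",
           "Third-party notice: a partner reports shared files renamed to *.locked",
           ["remediation", "external communication"]),
]

# Constructed counter-example: backwards chain, purposeless inject, two zero-days.
BAD_PLAN = [
    Inject("T+00:00", "Exfiltration", "T1048",
           "NetFlow: 4 GB outbound to an unknown host", ["detection"], zero_day=True),
    Inject("T+00:30", "Initial Access", "T1566",
           "User reports a suspicious email", [], zero_day=True),
]

if __name__ == "__main__":
    for name, plan in (("sample", SAMPLE_PLAN), ("bad", BAD_PLAN)):
        print(f"{name}: {check_plan(plan) or 'OK'}")
    print(dict(coverage(SAMPLE_PLAN)))
```

The checker is deliberately strict about tactic order; if a scenario intentionally loops (a second wave after containment), split it into two plans and check each wave on its own. The coverage counter is the piece worth reading during design: if "communication" or "remediation" never appears, the exercise will not produce observations about those capabilities for the Hot Wash.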

4. From your experience, who can be/should be/usually is the person or role initiating the practice session within the organisation?

Initiation varies depending on the maturity, structure, and regulatory context of each company, but it almost always comes from a function responsible for risk, business continuity, cybersecurity or information security, or compliance. However, we have had occasions when we were contacted by HR or by top management directly.

5. What about frequency of doing them? Any tips?

Frequency should reflect the organisation’s maturity, risk profile, and operational needs. Based on our experience, we recommend at least one major TTX per year; it is a healthy baseline for most organisations. But it is really tied to the maturity of the organisation, and to how fast they solved the issues or the actions they took after the first TTX. In some cases TTXs are used to drive awareness, improve senior management’s understanding/view, and get support/resources to continue aligning information security/cybersecurity with business objectives. On the other hand, you don’t always need to think about big exercises – in a more agile way, you can plan micro TTXs for teams during their weekly or monthly team meetings and combine elements of both team building and TTX.
