Rolling for Resilience Part 5 - Side Quests: Not Every Member of the Party Swings a Sword!

Author: Giovanni Cofré

This is the fifth post in this series addressing my perspective on the current state of Cybersecurity Incident Response training and an approach to improve interest, participation, and expanded learning.

Part I can be found here.
Part II can be found here.
Part III can be found here.
Part IV can be found here.


 

Part V: Side Quests

Not Every Member of the Party Swings a Sword!

The main campaign may be shared, but no two paths through it are the same. While the battle unfolds at the center, each member of the party is pulled into their own fight. Some are deciphering signals. Others are managing fallout. Some are making decisions with incomplete information and no time to wait.


When the campaign begins, the party may gather at the same table, but they do not experience the same story. Some speak immediately, while others wait. Some look for confirmation before acting, others move on instinct.

The alarm sounds. The signals begin to surface. What appears to be a single unfolding incident quickly fractures into multiple realities, each shaped by role, visibility, and responsibility. While one team is tracing indicators through logs and alerts, another is weighing regulatory thresholds. Somewhere else, messaging is already forming, even as facts remain uncertain. Leadership, removed from the technical noise, is asked to make decisions that carry consequence without the benefit of complete clarity.

This is where many tabletop exercises fall short…

They present a single narrative and expect uniform engagement. A shared storyline becomes a shared experience, and in doing so, it flattens the complexity that defines real incidents. The result is participation without immersion, discussion without tension, and outcomes that feel more rehearsed than revealed.

A well-designed exercise does not treat the organization as a single player. It treats it as a party.

Myth

There is comfort in simplicity. A single scenario is easier to design, easier to facilitate, and easier to control. Everyone receives the same injects, hears the same updates, and responds within the same frame of reference.

But that is not how incidents unfold…

A single storyline does not require a single experience.

Security teams operate in a world of signals, ambiguity, and constant validation. Legal and compliance teams operate in a world of thresholds, obligations, and consequence. Communications must act before certainty arrives, shaping narratives while they are still forming. Leadership must decide, often quickly, with incomplete and sometimes conflicting information.

When all participants are placed into the same version of the story, the exercise becomes diluted. It may be understood, but it does not translate into action. And without that tension, without that friction, the most important lessons remain just out of reach.


Side Quests (Role-Based Paths)

The strength of the tabletop is not solely in the main narrative. It is also in how that narrative branches.

Each role should be pulled into its own thread of the story, receiving information that reflects what they would realistically see, when they would see it, and in the form they would expect. These are the side quests. Not distractions from the main event, but essential components of it.

The Security Operations team may begin with scattered alerts. Some appear unrelated. Others hint at coordination. The challenge is not simply detection, but interpretation. What matters? What can be ignored? When does something become escalation-worthy?

Legal and Compliance are not watching alerts. That information is all ancient magical runes they cannot read and do not want to learn. They are watching implications. At what point does this become a reportable event? What thresholds have been crossed? What obligations begin to activate, even as the technical picture remains incomplete?

Communications is already moving, whether invited to or not. Internal stakeholders are asking questions. External pressure may begin to surface. The narrative is forming, and if it is not shaped intentionally, it will be shaped elsewhere.

Leadership is pulled into the space where all of these threads converge. Not to understand every detail, but to make decisions that carry weight. Shut down systems or maintain availability. Disclose early or wait for clarity. Accept risk or attempt control.

You start to see that each of these paths is connected, but none of them are identical. This is where the exercise starts to reflect how incidents actually unfold.

Controlled Information Asymmetry

In a real incident, no one has the full picture. One team is working from SIEM alerts, another is working from a help desk ticket. Neither realizes they are looking at the same incident. Unfortunately, information arrives in fragments, shaped by tools, roles, and timing. Some teams know more, some know less, and no one knows everything.

This asymmetry is not a flaw. It is the environment. 


When tabletop exercises distribute the same information to all participants at the same time, they remove one of the most critical elements of incident response: the need to communicate, to question, and to reconcile differing perspectives.

By controlling the flow of information, by allowing some teams to see early indicators while others remain unaware, the exercise begins to mirror reality. Gaps emerge. Teams begin operating on different assumptions, and the gaps show up quickly. And within that space, something important happens. Teams begin to reach for each other, not because they are told to, but because they need to.

The fog of war is not something to be designed out of the exercise. It is something to be designed into it.

Branching Paths and Consequence

Not every decision should lead to the same outcome.

If signals are recognized early and acted upon decisively, the scenario may move toward containment. If they are dismissed or misunderstood, the incident may expand. If communication falters, delays compound and risk increases. If alignment is strong, response becomes more fluid, even under pressure.

These branches do not need to be complex to be effective. They need to be meaningful. Participants should feel that their decisions influence the direction of the exercise. Not in a gamified sense of winning or losing, but in a way that reflects consequence. Actions shape outcomes. Inaction does as well.

This is where replayability begins to emerge. The same scenario, approached differently, reveals different lessons. Over time, the exercise evolves from a single event into a living campaign.
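One way a facilitator could encode role-scoped injects and a single decision branch, covering both the controlled asymmetry and the branching described above. This is an added example, not part of the original post: the roles follow the post, while the inject texts, minute offsets, and the `escalated_early` flag are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Inject:
    minute: int            # offset from exercise start
    roles: frozenset       # roles that receive it; all others stay unaware
    text: str
    branch: str = "any"    # "any", or the only branch on which it fires

# Constructed sample scenario: one incident, seen through different role feeds.
SCENARIO = [
    Inject(0, frozenset({"soc"}), "SIEM: burst of failed logins on a file server"),
    Inject(5, frozenset({"helpdesk"}), "Ticket: user cannot open shared documents"),
    Inject(15, frozenset({"soc"}), "SIEM: large outbound transfer from that server"),
    Inject(20, frozenset({"legal"}), "Asset register: the file server stores customer records"),
    Inject(25, frozenset({"comms"}), "Staff are asking why file shares are slow"),
    Inject(30, frozenset({"leadership"}), "Isolate the server or keep it available?", "contained"),
    Inject(30, frozenset({"leadership", "comms"}), "A reporter asks about a breach", "expanded"),
]

def delivered(now, escalated_early):
    """Injects that have fired by minute `now` on the branch the party chose."""
    branch = "contained" if escalated_early else "expanded"
    return [i for i in sorted(SCENARIO, key=lambda i: i.minute)
            if i.minute <= now and i.branch in ("any", branch)]

def feed(role, now, escalated_early):
    """What one role has been handed so far."""
    return [i.text for i in delivered(now, escalated_early) if role in i.roles]

def blind_spots(role, now, escalated_early):
    """Facts in play that this role can only learn by talking to another team."""
    return [i.text for i in delivered(now, escalated_early) if role not in i.roles]

if __name__ == "__main__":
    for role in ("soc", "helpdesk", "legal", "comms", "leadership"):
        print(role, "sees", feed(role, 30, False))
        print(role, "is missing", len(blind_spots(role, 30, False)), "injects")
```

The `blind_spots` output doubles as an observation checklist: each entry is a fact the role can only obtain through cross-team communication, which is what the exercise is meant to provoke.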

The Dungeon Master

In this structure, the facilitator is no longer simply presenting a scenario. They are guiding it.


Pacing becomes critical. Introduce information too quickly, and teams become overwhelmed. Too slowly, and momentum fades. Injects must be timed to maintain pressure while allowing space for decision making.

Adjustment is equally important. If a team moves quickly and effectively, the scenario can respond in kind. If confusion takes hold, the facilitator can choose whether to let that confusion play out or provide subtle guidance to keep the exercise productive.


The facilitator becomes the thread that holds the campaign together, ensuring that each role remains engaged, that each path remains relevant, and that the overall narrative continues to move forward.

Measuring What Matters

As these role-based paths unfold, both strong and weak patterns begin to surface.

Where did communication break down? Where did it excel? Which decisions were delayed, and why? Where did uncertainty create hesitation, and where did clarity enable action?

These are the moments that matter.


Not whether every step of a playbook was followed, but whether the organization moved with cohesion, with awareness, and with intent. Whether teams operated in isolation or as a coordinated unit. Whether decisions aligned with risk, or avoided it.

These observations do not conclude the exercise. They prepare it for what comes next. Because once the campaign ends, the question is no longer what happened. It is what was learned.

Do you want to learn more about how Secure Ideas can team up with you on your next tabletop campaign? Feel free to email me at Giovanni.Cofre@SecureIdeas.com.

About The Author:

Giovanni Cofré has joined Secure Ideas with 25+ years of IT experience, specializing in network security for corporate, OT, and e-commerce environments since 2000. He is committed to mentoring security professionals and promoting security awareness. His experience spans multiple industries in both private and public sectors, where he has implemented security frameworks based on CIS CSC, HITRUST, PCI, GDPR, and NIST standards. Giovanni is skilled in vulnerability assessment, penetration testing, and developing practical security processes. His notable work in e-commerce and energy industries includes establishing secure coding practices and maturing enterprise security strategies. Giovanni focuses on environment-specific practices that meet business needs while building resilient infrastructures.
