Incident Response tabletop exerciseincident responseIR scenariosTTX

Tabletop Exercise Pack

Name: Tabletop Exercise Pack
Brand: ciso.diy
Price: 149.00 USD
Availability: InStock

10 research-calibrated IR scenarios, a 13-tab program management system, and a 687-paragraph facilitator guide — plus an ecosystem map that turns every buyer into a full IR practice.

Most tabletop products sell you scenarios. This product sells you a tabletop exercise PROGRAM — and it's the first product in the ciso.diy catalog explicitly engineered as a traffic funnel for the broader breach-response ecosystem.

The Ecosystem Map tab (Tab 2) is the strategic differentiator. It's not a resource list — it's a six-stage customer journey that positions this workbook as the middle layer of a complete IR practice: Assess Maturity (ir.breached.company), Understand Cost (ircost.breached.company), Learn From History (breached.company), Equip Your Room (tabletopsec.com), Run Exercises (this workbook), Reference Tooling (incidentresponse.tools). Every buyer who follows the embedded workflow visits 4–5 properties in the process of getting value from one purchase.

10 Scenarios — each researched and calibrated for realistic escalation:

S1 Ransomware w/ Exfiltration (Intermediate, 90min) — $4.2M→$6.8M ransom escalation, backup corruption discovered at hour 24, journalist tip-off. The industry workhorse scenario.

S2 BEC + Wire Fraud (Intermediate, 60min) — $847K unauthorized wire, attacker had IMAP access for 3 weeks, 2 more fraudulent wires in queue.

S3 Insider Threat (Advanced, 90min) — 4.2GB exfiltrated before departure, competitor announces hire, IP assignment agreement gap surfaces.

S4 Supply Chain (Advanced, 90min) — HR/payroll SaaS vendor breach, 40% of their customers affected, $100K liability cap in MSA.

S5 Cloud ATO (Intermediate, 75min) — SIM-swap MFA bypass, $40K crypto mining spun up, insurance attestation gap (claimed 100% MFA, actual 94%).

S6 Third-Party Breach (Advanced, 90min) — Someone ELSE has your customer list and is weaponizing it, viral LinkedIn post, state AG inquiry.

S7 Deepfake CEO Fraud (Executive, 60min) — $2.3M wire from Teams call with AI-generated CEO video + voice, cloned from YouTube content.

S8 Breach During Audit (Advanced, 90min) — The SEC 4-day rule test. Auditors find 7-month dwell time, board meeting in 48 hours, 10-Q due in 10 days.

S9 Wiper / Destructive (Advanced, 90min) — No ransom, just destruction. 400 endpoints hit, domain controllers destroyed, war exclusion clause in cyber insurance triggered.

S10 Physical-Cyber (Advanced, 90min) — Terminated contractor's badge still active, USB drive accessed domain controller rack, rootkit installed, logs deleted.

Hybrid architecture — Tab 6 (Scenario Library) is the menu with quick-reference cards and full detail (Brief, Injects, Decision Points, Regulatory mapping) for all 10 scenarios. Tab 7 (Run Exercise) is the working engine — copied fresh for each session. Contains Exercise Context, Ground Rules (read aloud), Pre-Exercise Check-In, 5 Inject capture slots, Live Observations, Parking Lot, and Hotwash structure. Rich per-scenario depth without 10 redundant tabs.

Program-level layer — what no competitor ships:

Exercise Calendar — 12-month program pre-populated with recommended quarterly rhythm (Q1 high-probability, Q2 executive, Q3 advanced, Q4 regulatory).

Participant Roster — 30-row roster with IR role dropdown, attendance tracking, mandatory markers.

Decision Log — 30-row evidence layer for every decision made, with quality ratings.

After-Action Report — 10-section structured template (Executive Summary, Scenario Overview, Detailed Findings, Decisions Analyzed, Recommendations, Comparative Analysis, Next Exercise Recommendations, Distribution).

Gap Tracker — THE critical tab. 28 rows capturing findings across ALL exercises with a Re-Emerged? column that catches when closed gaps return — the most important program maturity signal.

Maturity Scorecard — 10 dimensions scored across 4 exercises with auto-calculated averages and color-scale gradients.

Executive Dashboard — Auto-calculates from other tabs using 16 formulas: Exercises Run, Total Gaps, Critical Open, Gaps Closed, Re-Emerged Gaps, Latest Maturity. Auto-generates a program status recommendation and 6 pre-written board talking points. Zero manual board report writing.

Resources & Links tab (Tab 13) — clickable hyperlinks to every ecosystem property: breached.company, ir.breached.company, ircost.breached.company, incidentresponse.tools, tabletopsec.com, tabletopsec.com/scenarios, cisomarketplace.com, cisomarketplace.services, compliancehub.wiki — plus CISA, NIST, and industry ISACs.

Facilitator Guide — 23 sections, 687 paragraphs. Strongest sections: Section 9 (facilitating technical teams vs executives), Section 10 (exact 90-minute timing grid + pace cues), Section 11 (the 3 deadliest facilitation mistakes), Section 14 (writing an AAR that actually drives change), Section 19 (TabletopSec physical-digital integration), Section 20 (annual program cadence), Section 21 (FAQ: convincing leadership, no IR plan yet, external facilitator, CEO participation).