Part 2: For the Price of Coffee, You Can Avoid Buying a Hacker a Yacht

Last time we looked at why tabletop exercises matter and how they can reveal the cracks MSPs don't notice until it's too late. The reality is simple: you don't rise to the occasion when an incident hits, you fall back on whatever you've practiced. In Part Two, we'll focus on the dollars and cents -- and why a couple of pots of coffee is a far better investment than buying your attacker their next yacht.

Here's the thing: a tabletop is fake, but the lessons are real and a whole lot cheaper. An internal tabletop run by you costs time and maybe some coffee. A real breach? That costs you a new boat... for the hacker.

Incident responders alone can run north of $300 an hour per person -- in fact, that is what I used to charge when I ran my MSSP. The cost is likely higher now. Then stack on breach coaches, forensics teams, lawyers, and PR damage control, and that's only if you even have cyber liability insurance to soften the blow.

Let’s be honest: insurance isn’t your get-out-of-jail-free card. Most policies come with more fine print than a bad mortgage. Didn’t follow your own policies to the letter? Claim denied. Didn’t run regular exercises? Claim denied. Forgot to sacrifice a goat under a full moon? You guessed it: claim denied. Insurance adjusters are professional “gotcha” hunters, and they’ll happily remind you of the clause you skimmed right past when the policy was signed.

Meanwhile, the ransom isn’t getting any friendlier. Hackers aren’t stupid. They’re combing through bank records before they lock you up, so when they drop the ransom note, it’s for exactly the amount they know you can pay. No guesswork. No mercy.

A tabletop? Two hours in a conference room, maybe some donuts, and a facilitator to keep things moving. That’s it. You get the same gut-check moments without the million-dollar invoice attached. And for bonus points: many cyber liability insurance policies now require evidence of tabletop exercises. So not only are you preparing your team for the inevitable, but you’re also keeping your insurance viable. That’s as close as you’re going to get to a “win-win” in this industry.

A tabletop exercise only works if people can see themselves in it. If your scenario sounds like it was ripped out of some generic playbook -- "Company A uses System B, then Hacker C attacks System D" -- your team will tune out faster than a Teams meeting late on a Friday afternoon. The good ones are tailored to your environment. Drop in the actual system names your people touch every day. Use the applications they know, the vendors they work with, the communication tools they rely on. Nothing wakes up a room faster than hearing, "Your ConnectWise instance was just compromised," or, "Every Salesforce record is being exfiltrated in real time." Suddenly, it's not hypothetical. It's personal.

The point is to make the exercise feel close enough to home that people get pulled into the story. That’s when the conversations get real, and that’s when you uncover the gaps that matter.

One of the biggest pitfalls with tabletop exercises is turning them into a nerd-only show. If all you do is debate firewall rules or which log file to grep, you’ve missed the point. The technical bits are important, but they’re not the whole game.

The real value comes when you connect the dots to business risk. How does downtime affect client deliverables? Who calls the customers when their data is exposed? Does legal get looped in before or after the ransom note shows up? When does payroll run next? These are the questions that leadership, HR, finance, and even marketing need to wrestle with.

Because here’s the hard truth: a breach isn’t just a technical problem. It’s a business crisis. A terrifying one at that. And if your tabletop doesn’t bring the whole organization into the room, you’re not running an exercise, you’re running a LAN party with extra paperwork.

Running a tabletop might sound intimidating, like you need a Hollywood script, a cast of hackers, and a crystal ball to predict every curveball. In reality, it’s a lot simpler than people think. You don’t need to know every answer to every question your players throw at you. In fact, you shouldn’t.

Your job as facilitator isn’t to be the all-knowing guru. It’s to keep the story moving, to steer the conversation back to business risk, and to make sure the exercise doesn’t get stuck in the weeds of technical wizardry. If leadership is debating client impact, reputational damage, or whether insurance will actually pay out, congratulations, you’re winning.

And remember: perfection is the enemy of progress. If you wait until you’ve built the “perfect” scenario, you’ll never run one. A tabletop doesn’t have to be flawless to be effective. The point is to get people thinking, talking, and making mistakes before the stakes are real.

And much in the same way, real incidents don’t wait until you’re “ready.” Hackers don’t care if your playbook is perfectly polished. Tabletop exercises give you a chance to trip, stumble, and learn in a safe space without a seven-figure invoice attached.

If you’re wondering where to start, we’ve already built several scenarios we give away to our partners. You can run them internally or with your clients. It’s an easy way to protect yourself, help your clients, and yes, even make a little money along the way. The only thing standing in the way is carving out the time to actually do it.

Hackers don't wait for you to feel ready. You can either roleplay disaster on your terms, or live through one on theirs and then explain to your CEO why some guy in Russia just named his yacht after your company.