AI-driven vs consultant-led tabletop exercises: an honest comparison
For twenty years, the tabletop exercise market has had one model: hire a consultancy, spend weeks on intake and scenario design, gather everyone in a room for an afternoon, and receive a PDF three weeks later. The model produces good exercises. It also produces, in most organizations, exactly one exercise per year — because that's what the budget and calendar survive.
AI changes the economics, and with them, the format. Here's an honest comparison — including where the traditional model still wins.
How the consultant-led model works today
A typical engagement: an intake workshop, two to four weeks of scenario preparation, a facilitated session (often half a day, on-site), and a findings report. The consultant brings real value at specific points — incident experience, the authority to challenge senior executives, and pattern knowledge from other clients' incidents.
The structural problems aren't the consultant's fault; they're the model's:
- Cost concentrates practice. At €10k+ per session, exercising becomes an annual event rather than a routine.
- Preparation doesn't compound. Next year's exercise restarts the intake; the scenario knowledge leaves with the consultant.
- Scheduling is the silent killer. Getting eight calendars and one consultant aligned pushes exercises back months — and a postponed exercise is usually a cancelled one.
- Documentation is manual. The transcript is whatever someone typed in the corner.
What AI-driven exercises change
An AI-native platform inverts the cost structure. Scenario design — the expensive part — is generated: from your organization profile (industry, size, revenue, systems, regulatory frameworks) and from your actual policy documents, which become the exercise's ground truth. Roles you can't staff are played by AI agents in character. Inject delivery, timing, and logging are automatic. The debrief report generates itself from the transcript.
The consequences compound:
- Frequency becomes the default. When an exercise costs minutes of preparation, quarterly or monthly practice is just a calendar entry. Response capability is built by cadence, not by one excellent afternoon.
- One defender can train. The traditional model needs a quorum; AI agents remove it. A solo security manager can run a full team exercise on a Tuesday morning.
- Evidence is a byproduct. Transcripts, response times, compliance scores, and follow-up actions exist automatically — which is precisely the Article 21 evidence trail NIS2 auditors ask for.
- Exercises test documents. Because scenarios are generated against your IR plan and policies, the exercise systematically exposes where those documents are silent or wrong.
Cost: a realistic comparison
| Consultant-led | AI-driven | |
|---|---|---|
| Per exercise | €5,000–€25,000 | Included in subscription (≈ €99–500/month) |
| Preparation time | 2–4 weeks | Minutes |
| Realistic frequency | 1×/year | Weekly to quarterly |
| Cost per practiced person per exercise | High and fixed | Falls with every session |
The honest framing: a year of an AI platform typically costs less than one consultant-led exercise, and produces ten times the practice hours.
Where consultants still win
Three scenarios where we'd recommend bringing in a human expert — yes, really:
- Board-level crisis exercises with political stakes. When the exercise's real purpose is getting a divided executive team aligned, an experienced moderator reading the room beats software.
- Inter-organizational simulations. Sector-wide or supply-chain exercises with multiple companies need a neutral orchestrator with convening power.
- The first-ever exercise in a low-maturity organization — where the consultant's job is partly organizational therapy: explaining why this matters, to people who don't yet believe it.
The hybrid approach
These models aren't exclusive. The pattern we see working: routine practice on the platform (monthly drills, quarterly team exercises, every new joiner runs one in onboarding) plus an annual consultant-led capstone for the board, informed by a year of platform debriefs showing exactly where the organization struggles. The consultant arrives with better data; the platform exercises get validated by an outside expert. Both get better.
How to choose
Ask one question: what's limiting your response capability today — expertise or repetition?
If your team has never exercised and your leadership needs convincing, start with one consultant-led session to build buy-in. If you know what good looks like and the problem is that practice happens once a year, the bottleneck is the model itself — and that's the problem AI-driven exercises remove.
Frequently asked questions
How much does a consultant-led tabletop exercise cost?
Typically €5,000 to €25,000 per exercise depending on scope, preparation depth, and firm — covering intake, scenario design, facilitation, and reporting. Multi-team or board-level exercises at larger firms run higher.
Are AI-run exercises realistic enough?
When grounded in your own policy documents and organization profile, AI-generated scenarios reference your actual systems, regulators, and procedures — often more specifically than a consultant's reusable template. The realism risk flips: the question to ask any platform is what the AI knows about *your* organization.
Do auditors accept AI-facilitated exercises as NIS2 evidence?
Auditors assess evidence, not facilitation method: scenario and objectives, participants, what happened, findings, and follow-up. A platform that produces transcripts and structured debrief reports generates stronger evidence than most manually-run exercises, where documentation is an afterthought.
How much preparation does an AI-driven exercise need?
Minutes, in practice: the scenario, roles, inject timeline, and incident ground truth are generated from your organization profile and selected policy documents. Your remaining preparation is deciding the objective and inviting the right people.
Can AI replace the human facilitator entirely?
For routine team exercises, yes — inject delivery, role-play, hints, and scoring can run automatically. For politically sensitive board exercises or inter-organizational crisis simulations, an experienced human moderator still adds judgment that software doesn't replicate.
Ready to practice it for real?
Generate a tabletop exercise tailored to your organization in minutes.
Sign upKeep reading
What NIS2 Article 21 actually requires for cybersecurity exercises
NIS2 doesn't just ask for technical controls. Article 21 expects you to test how well your organization responds — and to prove it. Here is what that means in practice.
How to run a tabletop exercise: a step-by-step guide
From objectives to debrief: the seven steps of a tabletop exercise that actually changes how your team responds — and the mistakes that flatten most of them.
Ransomware tabletop scenario: what a good exercise looks like
A strong ransomware tabletop is not 'your files are encrypted, discuss'. Here is the anatomy of a scenario that forces real decisions — with a sample inject timeline.