
Ransomware tabletop scenario: what a good exercise looks like

Floris Hol, June 1, 2026 (4 min read)

Every security team eventually runs a ransomware tabletop. Most of them run a weak one: "your files are encrypted, what do you do?" — followed by forty-five minutes of people describing, in general terms, things they would probably do. No clock, no escalation, no decision anyone can get wrong.

A good ransomware scenario is built differently. Here's the anatomy.

Why ransomware is the right first scenario

Ransomware is the rare scenario that stresses every layer of the organization at once: the SOC (detection, containment), IT (recovery, backups), legal (notification duties, the payment's legality), communications (customers, press), and the board (pay or not — a decision nobody else can take). It's also universally understood: nobody at the table needs the threat explained.

That breadth is exactly why a lazy version fails. If the scenario doesn't force the non-technical roles to act, they spend the hour as audience.

Anatomy of a strong scenario: the ground truth

Before any inject is written, the scenario needs an internally consistent set of facts — what we call the ground truth: what actually happened, when, to which systems, and what is true at each moment regardless of whether the team has discovered it yet.

A solid ransomware ground truth specifies:

  • The entry point — a phished contractor account, three weeks ago, with the dwell time spent on reconnaissance and credential harvesting.
  • The blast radius — which of your business systems are encrypted (name them: the ERP, the file servers, the e-commerce backend), and which are untouched.
  • The backup state — backups exist, but the last verified restore is older than anyone remembers, and verification will take hours.
  • The exfiltration question — data was staged and moved before encryption; evidence exists in the logs, but only if someone looks.
  • The adversary's behavior — ransom amount (calibrated to your revenue — a real demand is a low single-digit percentage of annual revenue, not a movie number), deadline, and a leak-site threat.

The ground truth is what keeps the exercise honest: facilitator answers and AI role-players stay consistent because the facts are fixed, and the debrief can score against what was actually true.

A sample inject timeline (60 minutes)

Time   Inject                                                                     Lands with
T+0    EDR alert: mass file modification on two finance file servers              SOC
T+5    Helpdesk tickets: users can't open files; odd extension                    IT
T+12   Ransom note found on a server desktop — deadline 72h, leak threat          SOC → all
T+20   CFO reports the ERP is down; month-end close is tomorrow                   Board/IT
T+28   Log fragment shows large outbound transfer 3 days ago                      SOC
T+35   Journalist emails: "We hear you've been hit by ransomware. Comment?"       Comms
T+42   Backup admin: last verified restore is 3 weeks old; verification ETA 12h   IT
T+50   Insurer asks whether negotiation has started; legal flags notification clocks   Legal/Board

Notice the pattern: each inject targets a specific role, severity rises, and the second half is dominated by decisions, not detection.

The decision points that matter

A ransomware exercise earns its time on five decisions:

  1. Isolate or observe? Pulling systems offline kills the attacker's access — and month-end close. Someone must own that trade-off explicitly.
  2. When does notification start? Exfiltration evidence turns "an IT incident" into a notifiable breach. The team must call the moment the NIS2 24-hour early warning and the GDPR 72-hour clock start — not discover afterwards that they started yesterday.
  3. Pay, negotiate, or refuse? The board decision. The exercise must force a position with a deadline, not allow "we'd consult our insurer" as the final answer.
  4. What do we tell customers, and when? Silence has a price; premature statements do too. Comms needs to draft something real, during the exercise.
  5. When are we 'recovered'? Restoring from possibly-compromised backups is a decision, not a task.

Roles beyond IT

The minimum cast for a ransomware tabletop that tests the organization rather than the SOC: incident lead, SOC/security analyst, IT/infrastructure, legal counsel, communications, and one executive with payment authority. Can't staff six people? This is precisely where AI role-players keep the exercise whole — the human players still face the CFO's impatience and the journalist's deadline, even if those roles are played by agents.

What good looks like in the debrief

Strong outcomes to look for: the isolation decision was taken inside fifteen minutes with stated rationale; the exfiltration evidence triggered the notification discussion without prompting; comms produced a holding statement before the journalist's deadline; the payment position was decided and documented; and — most valuable — a list of places where the IR plan was silent (who owns the leak-site threat? does the plan know the backup verification time?).

Variations to keep repeat exercises sharp

Once the team handles the standard scenario, rotate the pressure: the backups are encrypted too; the attacker contacts an employee directly; the incident lands on a Friday night with half the team unreachable; a second ransom note arrives claiming a different group — is it real? Each variant invalidates last time's muscle memory in exactly one place, which is what keeps the practice honest.

A ransomware tabletop is the cheapest rehearsal you'll ever get of the most expensive day your organization might face. Build it on a real ground truth, force the five decisions, and write down what the plan failed to tell you — that list is the exercise's real product.

Frequently asked questions

Should the scenario include a ransom payment decision?

Yes — it's the single most valuable decision to rehearse, because it cannot be delegated and most organizations have never discussed their position. The exercise should force it with a deadline and an uncomfortable price calibrated to your revenue.

How technical should a ransomware tabletop be?

Technical enough that the SOC role has real work (alerts, log fragments, IOCs), but the heart of the exercise is decisions: isolate or observe, pay or refuse, disclose when. If only technical people speak, the scenario is under-using the format.

Should backups fail in the scenario?

Partially, yes. Fully intact backups remove the central dilemma; fully destroyed backups remove hope and flatten engagement. The strongest variant: backups exist, but verification takes 12 hours and the last cycle may be compromised too.

When do we have to notify regulators in a ransomware incident?

Under NIS2, a significant incident requires an early warning within 24 hours and an incident notification within 72 hours; if personal data is breached, GDPR's 72-hour notification to the privacy regulator runs in parallel. The exercise should make the team decide when those clocks start.

How do you score performance in a ransomware exercise?

Against your own incident response plan: were the prescribed steps taken, in order, by the right role, in time? Add response times per inject and competency dimensions like decision-making and communication. Score against the plan, not against perfection — deviations often reveal plan defects, which is a finding, not a failure.
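A small scorer for this method, added here as an illustration and not code from the original article or from any product it describes. The plan steps, their owning roles and time limits, and the action log are constructed sample data (only the 15-minute isolation target comes from the debrief section above); it checks each prescribed step for role, order and time against the inject that triggered it, and separately lists steps the team improvised that the plan never mentions.

```python
# Constructed plan: first-hour steps in plan order, each with its owning role
# and the minutes allowed after the triggering inject (hypothetical limits,
# except the 15-minute isolation target named in the debrief section).
PLAN = [
    ("isolate_or_observe", "incident_lead", 15),
    ("preserve_logs", "soc", 20),
    ("start_notification_clocks", "legal", 15),
    ("holding_statement", "comms", 20),
    ("payment_position", "executive", 30),
]
# Minute of the inject that triggers each step, from the 60-minute timeline.
TRIGGER = {"isolate_or_observe": 0, "preserve_logs": 0, "start_notification_clocks": 28,
           "holding_statement": 35, "payment_position": 50}

def score(actions):
    """Score a facilitator log of (minute, role, step) tuples against PLAN and
    return (step, verdict, detail) findings; 'plan_silent' = plan says nothing."""
    first = {}  # earliest time each step was taken, and by whom
    for minute, role, step in actions:
        first.setdefault(step, (minute, role))
    findings, prev_minute = [], -1
    for step, owner, limit in PLAN:
        if step not in first:
            findings.append((step, "missed", "no action recorded"))
            continue
        minute, role = first[step]
        latency = minute - TRIGGER[step]
        if role != owner:
            findings.append((step, "wrong_role", f"{role} acted; plan names {owner}"))
        elif minute < prev_minute:
            findings.append((step, "out_of_order", f"taken at T+{minute}, after a later plan step at T+{prev_minute}"))
        elif latency > limit:
            findings.append((step, "late", f"{latency} min after inject, limit {limit}"))
        else:
            findings.append((step, "ok", f"{latency} min after inject"))
        prev_minute = max(prev_minute, minute)
    for step, (minute, role) in first.items():
        if step not in {s for s, _, _ in PLAN}:
            findings.append((step, "plan_silent", f"{role} improvised at T+{minute}"))
    return findings

# Constructed action log from one run of the timeline above.
SAMPLE_LOG = [
    (9, "incident_lead", "isolate_or_observe"),
    (14, "soc", "preserve_logs"),
    (40, "comms", "holding_statement"),
    (47, "incident_lead", "start_notification_clocks"),
    (52, "soc", "leak_site_response"),
]
```

`score(SAMPLE_LOG)` yields one finding per plan step plus a `plan_silent` entry for the improvised leak-site response, which is the debrief's list of places the plan said nothing.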
