When a cyberattack hits an environment, there is no time to figure out who calls whom, where the playbooks are, or whether your response team has ever practiced together.

Tabletop exercises are not a nice‑to‑have. They are the closest thing to incident rehearsal that most organizations will ever do, and they determine how you perform when the pressure is real.

This issue centers on Episode 93: OT Cybersecurity That Works: Tabletop Exercises, Critical Controls and Building Trust.

Why this episode matters right now: Episode 93 breaks down what makes tabletop exercises actually useful instead of security theater. The conversation covers scenario design, who needs to be in the room, and how to turn findings into real program improvements that show up in incident response, not just in reports.

3 Key Takeaways

  • Include operations, not just IT and security. OT incidents affect physical processes, so plant operations staff need to be in the room for tabletops, not just security and IT teams.

  • Scenarios need to reflect real threat actors. Generic “hacker breaks in” stories miss OT realities like living off the land in control systems, manipulating process values, or abusing remote access workflows.

  • After‑action findings must drive changes. A tabletop that produces a report nobody reads is worse than not running one, because it creates false confidence. Findings should feed directly into updates for playbooks, controls, and training.

From Annual Ceremony to Continuous Practice

Most organizations still treat tabletop exercises as an annual event. Once a year, executives and senior leaders gather in a conference room, walk through a scenario, and receive a polished report that quietly goes into a folder.

For OT, that model is not enough. The people who need practice are the ones who sit in control rooms, run plants, and coordinate with vendors and field teams during an incident. They need repetitions, not a single performance review.

A healthier pattern looks more like this:

  • Smaller, focused tabletops that happen monthly or quarterly.

  • Scenarios that rotate across plants, systems, and threats.

  • Different groups in the hot seat each time: operators one month, leadership the next, then a joint exercise.

  • Clear, tracked actions from each exercise that are revisited and tested again.

In other words, tabletops should feel more like fire drills than annual ceremonies. You run them often, you change variables, and you want muscle memory to kick in when something breaks.

AutoTableTop: Turning Tabletops into a System

This is where AutoTableTop (ATT) from ThreatGEN comes in and why Arcova is partnering with ThreatGEN and Clint Bodungen to bring it to clients.

Traditional tabletop exercises are manual. They require a facilitator, a written script, and a lot of human effort to set up, run, and document. AutoTableTop is built to make tabletop exercises:

  • Dynamic. It supports AI‑driven scenario generation and injects, so every run can be slightly different and tailored to your environment.

  • Frequent. Because setup and facilitation are partially automated, teams can run tabletops much more often without burning out staff.

  • Multi‑role. Multiple teams and roles can participate at the same time, including OT operations, IT, security, leadership, and vendors.

  • Grounded in your reality. You can bring IR and DR plans, network designs, and asset inventories into the platform so scenarios are built around your actual environment and processes, not generic templates.

  • Action oriented. The platform can help capture after‑action findings and recommendations in a structured way, making it easier to track and retest fixes.

Arcova’s role is to integrate AutoTableTop into client programs, aligning it with existing response plans, OT architectures, and business priorities. The goal is not to “gamify” tabletop exercises for the sake of it, but to create a continuous exercise system that builds real incident muscle memory over time.

Think of this as moving from “one big tabletop a year” to “a regular cadence of realistic drills, with the right people in the room, guided by a platform that keeps scenarios fresh and findings actionable.”

Tabletop Exercises as Fire Drills for OT

Fire drills work because they are:

  • Short, repeatable, and frequent.

  • Run with the actual people who will be in the building.

  • Based on the real layout, exits, and constraints of that environment.

OT tabletop exercises should follow the same pattern.

With tools like AutoTableTop, you can:

  • Run targeted drills that test a specific playbook or plant once a month.

  • Rotate scenarios: ransomware on an engineering workstation, misuse of remote access, loss of a critical historian, manipulation of safety instrumented systems.

  • Use your real diagrams, asset lists, and vendor contact structures so teams are not guessing in the moment.

  • Treat each exercise as both training and validation: does the plan work, and do the people know how to execute it?

The outcome is not “we completed a tabletop.” The outcome is “we know where our plans and our org chart fall apart, and we are fixing those gaps before a real attacker finds them.”

If you want to go deeper on tabletops and incident response in OT, these episodes line up well with this issue:

  • Episode 93: OT Cybersecurity That Works: Tabletop Exercises, Critical Controls and Building Trust. How to design tabletops that build trust and uncover real gaps, not just check boxes.

  • Episode 83: Inside Cyber Incident Response: Military Lessons, OT Challenges and the Power of Blameless Culture. Why blameless post‑incident reviews and debriefs matter as much as the exercise itself.

  • Episode 30: Navigating Cybersecurity Challenges: AI, Tabletop Exercises, and Operational Technology. An earlier conversation on building OT‑specific tabletop scenarios in environments where you cannot just shut systems down to test them.

  • Episode 98: The Striker Attack: What It Reveals About OT Cybersecurity and Why Tabletop Exercises Matter. A real‑world attack story used as a blueprint for what tabletop exercises in OT should be testing.

Quick Intel Brief

Regulators and public sector bodies increasingly recognize that exercises are a core part of resilience, not a side activity.

  • CISA and FEMA publish tabletop exercise guidance and packages that include critical‑infrastructure and OT‑relevant scenarios.

  • NERC’s GridEx, a large‑scale exercise for the electric sector, has consistently shown that the organizations that perform best are often the ones that practice the most, not just the ones with the largest security budgets.

  • Research and case studies on cyber exercises emphasize the value of repetition, cross‑functional participation, and realistic injects over one‑off events.

The lesson is consistent: organizations that rehearse together under semi‑realistic pressure respond better when it is not a drill.

Aaron’s Take

The best tabletop ever run did not reveal a zero‑day or a missing tool. It revealed that the person who owned the decision to take a critical system offline was unavailable during the scenario, and nobody knew who had backup authority.

That single finding was worth more than any technical control that could have been added. Exercises reveal organizational and decision‑making gaps that no scanner or SIEM dashboard will ever show.

Tabletops should be uncomfortable in a productive way. They should surface questions like:

  • Who really owns this decision if the primary contact is not available?

  • How do OT and IT talk to each other under pressure?

  • Who calls the regulator, the media, or the board, and based on what information?

You want to discover those gaps on a Tuesday morning tabletop, not at 2 a.m. during a real incident.

What To Do Next

  • Take inventory of your current tabletop practice. How often do you run them, who participates, and what actually changes afterward?

  • Identify one OT‑relevant scenario and schedule a smaller, focused tabletop in the next 30 days with OT operations, IT, and security all present.

  • Consider how a dynamic platform like AutoTableTop could fit into your program to increase frequency and realism without overwhelming your teams.

  • Review Episodes 93, 83, 30, and 98 with your incident response and OT teams. Use them as discussion starters to redesign your tabletop strategy.

What is your experience running tabletop exercises in OT environments? What has surprised you most, and what did you only learn when you simulated an incident?

Hit reply and share what you are seeing on the ground.
