Episode 13 — Run Cyber Exercises That Improve Response: Tabletop, Functional, Full-Scale

In this episode, we’re going to talk about cyber exercises in a way that makes them feel like a practical tool for improvement rather than a performance or a stressful event people try to survive. New learners often imagine exercises as either boring meetings where everyone pretends, or extreme simulations that only big organizations can run. The truth is that exercises are one of the fastest ways to turn incident response from a written plan into a working capability, because they reveal gaps in roles, decisions, communication, and readiness long before a real attacker forces those gaps into the open. A good exercise is not judged by how dramatic it feels, but by whether it produces better response behavior the next time something happens. We’ll cover three common types of exercises, tabletop, functional, and full-scale, and we’ll focus on what each one is meant to test. The goal is to help you recognize what makes an exercise useful, how to avoid common failures, and how to translate exercise outcomes into real improvements.

Tabletop exercises are the simplest to understand and often the easiest to run, because they are discussion-based rather than action-based. In a tabletop, a scenario is presented, and participants talk through what they would do, who would do it, and what decisions would be made at key moments. The value is that you can test roles, authority, communication, and escalation without needing any systems to be touched. Tabletop exercises are great for beginners because they teach the logic of incident response and expose whether people understand the plan and their responsibilities. They also reveal whether the organization has clear decision paths, such as who can approve containment actions or who is allowed to communicate externally. A common weakness of tabletops is that people can drift into storytelling, where they assume everything works perfectly, but a well-run tabletop keeps asking practical questions about evidence, timelines, and dependencies. In plain terms, a tabletop is like walking through a fire drill on paper, where the goal is to spot where the exits are unclear before smoke fills the hallway.

Functional exercises take the next step by testing parts of the response process in a more realistic, operational way, without necessarily involving the entire organization. In a functional exercise, teams might practice activating the incident response process, using the real communication channels, updating the real tracking system, building a timeline, or coordinating a handoff, but they are still not necessarily making full technical changes to production systems. The key difference from tabletop is that functional exercises test whether the process actually works when people have to do it, not just talk about it. For example, it’s one thing to say we will notify the right people, and another thing to actually find the correct contacts quickly and deliver a clear message. Functional exercises reveal friction points like missing contact lists, unclear escalation triggers, or confusion about where the source of truth lives. They also expose how long coordination steps take in real time, which matters during an actual incident. For beginners, you can think of a functional exercise like rehearsing a play on the actual stage, where you discover that some moves are awkward only when you try them.

Full-scale exercises are the most intense and the most realistic because they aim to simulate an incident as if it were truly happening, with multiple teams acting in real time and often with technical actions included. In a full-scale exercise, responders may investigate simulated evidence, make containment decisions, coordinate with operations, communicate with leadership, and practice recovery steps, all while the scenario evolves. Full-scale exercises can be incredibly valuable, but they require careful planning because they can disrupt normal work and create confusion if the boundaries are unclear. The point is not to scare people or to prove who is smartest, but to test whether the organization can sustain disciplined response when the situation is messy. Full-scale exercises are also where teamwork and fatigue become visible, because long-running scenarios expose how well handoffs and communication discipline hold up over time. For beginners, a full-scale exercise is like a realistic scrimmage in sports, where the goal is to discover weaknesses in coordination and execution before a real competition. When run well, it produces concrete lessons about readiness that a tabletop cannot fully reveal.

To understand what makes exercises improve response, it helps to focus on what you are measuring, because without measurement, an exercise becomes theater. Good exercises measure whether roles were clear, whether escalation happened at the right times, whether the source of truth remained accurate, whether communications were consistent, and whether decisions balanced containment, recovery, and business impact. They also measure whether documentation was maintained, because documentation is what allows learning and accountability later. The exam often tests these themes indirectly, because strong incident leadership relies on the same fundamentals. If an exercise does not produce clear observations about these fundamentals, it is unlikely to improve response. Improvement comes from discovering the specific moments where confusion occurred and then changing the system so that confusion is less likely next time. That is why exercises are a form of controlled failure, where you intentionally allow weaknesses to surface in a safe environment. For beginners, it’s important to see exercises as diagnostics, not as certifications of excellence.

A major reason exercises fail is that participants treat them like a test of personal intelligence rather than a test of the response system. When people feel judged, they hide uncertainty, avoid escalation, and pretend they know more than they do, which produces false confidence. A strong exercise leader creates psychological safety, meaning it is acceptable to say I don’t know, and it is acceptable to ask for clarification, because the purpose is to discover gaps. This does not mean the exercise is casual or sloppy; it means honesty is valued over performance. Exercises also fail when the scenario is too unrealistic, because people disengage and treat it like a game. A scenario should be realistic enough to trigger the real decisions the organization would face, such as whether to isolate a system or how to communicate to leadership. Exercises also fail when goals are too broad, because participants cannot focus and observers cannot measure anything. A useful exercise has a clear purpose, such as testing escalation paths or testing the handoff between investigation and recovery coordination.

Another important exercise concept is injects, which are pieces of new information introduced during the scenario to drive decision-making. An inject might be a report of suspicious activity, an update that a critical system is down, a message from an external partner, or evidence that data might have been exposed. Injects are powerful because they force the team to adapt, and adaptation is what incidents require. In tabletops, injects keep the discussion grounded by preventing people from assuming the best-case path. In functional and full-scale exercises, injects help test communication and tracking because they arrive like real incident updates and must be recorded and acted upon. For beginners, injects are like plot twists that simulate the uncertainty of real incidents, where new facts appear and old assumptions must be revised. A well-run exercise uses injects to test whether the team updates its situational awareness and adjusts priorities rather than clinging to the first theory. That behavior is a strong signal of incident leadership maturity.

Exercises also provide a safe way to practice decision tradeoffs, which are central to incident leadership and central to many exam questions. A typical tradeoff is containment versus business continuity, where a fast isolation action might stop harm but disrupt operations. Another tradeoff is speed versus evidence integrity, where changing systems quickly might destroy evidence needed for understanding and accountability. Another tradeoff is transparency versus certainty, where stakeholders want answers but the team must avoid communicating unconfirmed claims. A good exercise forces these tradeoffs to appear, because that is where leadership decisions matter most. The purpose is not to find a perfect answer, because real incidents rarely offer perfect options, but to practice making defensible decisions with clear reasoning and proper escalation. When teams practice these tradeoffs, they become less reactive and more disciplined. For beginners, the important lesson is that exercises build judgment, not just familiarity with procedures.

A common challenge is turning exercise observations into real improvements, because organizations often run an exercise, write notes, and then return to normal life without changing anything. This is where after-action follow-through becomes critical, because improvement only happens when lessons become changes in policies, playbooks, training, or operational capabilities. If an exercise reveals that escalation triggers were unclear, the improvement might be clarifying those triggers and training people on them. If it reveals that contact information was outdated, the improvement might be establishing ownership and maintenance of contact lists. If it reveals that the timeline became inconsistent, the improvement might be clarifying who owns the source of truth and practicing handoffs. The point is that exercise outcomes should become specific actions with owners and deadlines, otherwise the exercise becomes wasted effort and can even reduce morale. This also ties to team wellbeing, because repeating the same failure patterns is exhausting and discouraging. For beginners, it helps to remember that the exercise is only the discovery step, and the follow-through is what creates real readiness.

Different exercise types also fit different learning goals, and part of incident leadership is choosing the right exercise type for what you want to improve. If your organization is new to incident response or roles are unclear, a tabletop may be the best starting point because it builds shared understanding and reveals basic governance gaps. If roles are understood but process execution is weak, a functional exercise can test activation, tracking, and communication in a realistic way without the complexity of full simulation. If the organization is mature and wants to test coordination across many teams, a full-scale exercise can reveal deeper issues like fatigue, handoff failures, and multi-team prioritization conflicts. Choosing the wrong exercise type can create frustration, like running a full-scale exercise before basic roles are clear, which will mostly produce confusion rather than useful insight. The exam may not ask you to choose exercise types explicitly, but it often tests whether you understand that practice should match goals. Being able to connect the exercise type to the capability you want to build shows leadership thinking.

Another practical point is that exercises should include the people who make decisions, not just the people who do technical work. Incidents are shaped by authority and stakeholder involvement, so exercises that exclude decision-makers can create a false sense of readiness. For example, if an exercise includes isolating a critical system, the people who would approve that action should be involved, because the approval process itself is part of response. Exercises can also test communication and notification paths, which often involve legal, compliance, and executives, especially when data exposure is possible. This does not mean decision-makers need to attend every exercise, but it means key decision points should be exercised with the right participants at least sometimes. For beginners, the lesson is that incident response is organizational, not just technical, and exercises should reflect that reality. When the right stakeholders practice together, future incidents move faster because trust and expectations have been established.

To close, cyber exercises improve response when they are designed as learning tools that reveal specific gaps and drive real change. Tabletop exercises build shared understanding and test roles and decision logic through discussion, functional exercises test whether processes work in real time, and full-scale exercises simulate the complexity and stress of real incidents across many teams. Exercises become valuable when they measure the fundamentals of incident leadership, like clarity of ownership, accurate tracking, disciplined communication, timely escalation, and defensible decision-making under uncertainty. They fail when they become theater, when participants feel judged, or when lessons are not converted into follow-through actions. When exercises are run with clear goals and honest evaluation, they build the calm confidence that comes from having practiced the hard parts before they become real. That is exactly the kind of readiness an incident leader needs, and it is exactly the kind of thinking this certification expects you to demonstrate.
