The emergency plan that nobody practiced.
Many companies have an incident response plan. Few have ever tested it under pressure. That difference is decisive in an emergency: organizations that regularly test their plan and have a well-rehearsed team incur significantly lower damage costs, according to IBM, than those whose plan sits untouched in a folder. The plan is the theory; tabletop exercises are the dress rehearsal.
Key Takeaways
- An untested plan is just an assumption. A document that’s never been put through its paces under time pressure describes a best-case scenario. Without practice, the first gap only appears during a real incident.
- Tabletop exercises expose costly gaps. Unclear decision-making authority, missing escalation paths, and uncertainty over who speaks to authorities or the press can waste hours in a crisis. In a drill, they take minutes to resolve.
- Practice reduces damage costs. IBM reports that organizations with a tested plan and a well-coordinated team face significantly lower breach costs. The exercise is one of the most cost-effective security investments available.
What is a tabletop exercise?
A tabletop exercise is a moderated dry run in which the crisis team walks through a realistic attack scenario without touching live systems. Participants make decisions under time pressure, uncover gaps in the incident response plan, and practice collaboration before a real crisis forces their hand.
The Plan in the Folder Meets 3:40 AM
An incident response plan looks flawless on paper. Roles are assigned, steps are numbered, contact lists are up to date. Then the phone rings at 3:40 AM: half the contact list is on vacation, and no one knows whether the on-call staffer or the CISO has the authority to shut down production. That’s when you find out if the plan is a tool or just a security blanket.
The gap rarely lies in the document itself, but in the assumptions about how people act under stress. A plan assumes clear heads, available contacts, and unambiguous responsibilities. A real crisis delivers the opposite. An exercise bridges that gap by creating the friction the document ignores.
What the Exercise Really Reveals
The most valuable insights from a tabletop exercise aren’t found in any plan. Who can halt production without waiting through three escalation levels? Who speaks to the regulator, who addresses the press, and who keeps the two apart? At what point does an IT incident become a board-level issue? These questions are resolved in minutes during a drill, but in a real incident they cost hours, hours during which the damage continues to spread.
A well-run exercise also brings together people who would otherwise never meet: IT security, legal, communications, HR, and senior management. In a real crisis, these functions must collaborate within minutes. If they coordinate for the first time during the exercise, that’s a major win, long before an attacker ever breaches the network.
The Gaps That Keep Appearing
Across countless exercises, the same weaknesses resurface. First, decision-making authority: no one dares to make the costly call alone, so it gets passed up the chain, wasting time. Second, external communications, which under NIS2 are bound by strict deadlines yet often remain unresolved. Third, reliance on key individuals whose knowledge no one else possesses.
Then there’s the recovery interface. A crisis team can communicate flawlessly and still fail if the backup was never tested for an actual restore. That’s why tabletop exercises and restore tests go hand in hand: one tests decisions, the other tests whether the technology can even support them. Internal reporting channels should also be part of the same playbook.
The DACH Factor: NIS2 Tightens the Clock
In Germany, crisis communication is governed by a hard deadline. NIS2 requires affected organizations to submit an initial report to the BSI within 24 hours of becoming aware of a significant incident, followed by a detailed report within 72 hours. Those who spend this window figuring out who’s authorized to report, and what information to include, usually miss the deadline. A tabletop exercise with a built-in reporting clock makes these 24 hours tangible.
Then there’s the crisis team as a formal body. In many DACH organizations, it exists on paper but has never actually convened. Works councils come into play as soon as personal data or employment law implications arise. Bringing these stakeholders together for the first time during a real incident wastes time the reporting deadline won’t allow.
How to Run Your First Exercise Within the Next 90 Days
Getting started doesn’t require an expensive simulation environment. A realistic scenario (for example, a ransomware infection with encrypted production systems), a facilitator, and two hours with the right functions in the room are enough: IT security, legal, communications, HR, and a member of senior management. The scenario is escalated step by step, and every decision is made aloud and documented. The outcome isn’t a grade but a list of gaps the plan didn’t cover. That list is the real result. Address it, refine it in two to three exercises per year, and the plan in the binder becomes a capability that holds up in a real crisis.
Frequently Asked Questions
How Often Should an Incident Response Plan Be Tested?
A good rule of thumb is two to three times per year, with additional sessions after major changes to systems, organization, or regulations. More important than frequency is ensuring each exercise ends with a list of gaps, and that this list is addressed before the next one. That turns testing into a cycle of improvement rather than a box-ticking exercise.
How Does a Tabletop Exercise Differ from a Real Penetration Test?
A tabletop exercise tests decisions, roles, and communication at the table, without touching any systems. A penetration test, on the other hand, examines the technical vulnerabilities of the systems themselves. The two complement each other: the pentest reveals how an attacker gains access, while the tabletop exercise shows whether the organization can manage the incident afterward.
Who Should Participate in a Tabletop Exercise?
More than just IT. Alongside IT security, legal, corporate communications, HR, and a member of senior management should be at the table. These are precisely the interfaces where costly delays occur in an emergency, and this collaboration can only be practiced together.
What Role Does NIS2 Play in Incident Response Exercises?
NIS2 requires affected organizations to report a significant incident to the BSI within 24 hours of becoming aware of it. An exercise with a built-in reporting clock ensures that, in a real crisis, it’s clear who reports, what is reported, and when the clock starts ticking.
What Is the Most Important Outcome of an Exercise?
The list of uncovered gaps. A good feeling isn’t preparation. An exercise that finds no weaknesses was likely too easy. The real value emerges only when those gaps are closed afterward, and the next exercise tackles a tougher scenario.
Cover image: AI-generated (June 2026)
Image source: AI-generated (June 2026), C2PA certificate embedded in image