TRAINING — Crisis Simulation
Tabletop Exercises
A facilitator-led incident response simulation that tests your organization's people, processes, and communication under realistic breach conditions — without touching your live environment. Identifies the gaps in your IR plan before a real incident forces the question.
Why tabletop exercises
Most organizations discover their IR gaps during a real incident
A tabletop exercise simulates a breach scenario in a structured discussion format — no systems, no technical access, no live threat. Just your team, a realistic scenario, and a facilitator who knows what a real incident looks like.
Exposes gaps before attackers do
Unclear escalation paths, missing playbooks, and communication breakdowns are discovered in a safe environment — not during a live ransomware event at 2am.
SC-200
SC-300
AZ-500
Aligns technical and executive teams
Tabletop exercises are one of the only training formats where your CISO and your CFO sit in the same room and work through a breach together — building shared understanding of roles and responsibilities.
SC-300
SC-400
AZ-104
Validates your IR plan on paper
Most IR plans have never been tested. A tabletop exercise puts your documented procedures under real pressure — identifying where the plan works, where it breaks down, and what's missing entirely.
AZ-104
AZ-500
SC-100
HOW IT RUNS
From scoping to post-exercise report
A structured exercise with a clear beginning, middle, and end — and a documented output your security team can act on.
OUR APPROACH
How an engagement runs
A structured, methodical process — from first contact through final report. No improvisation, no scope creep.
Scoping call
We discuss your organization's size, industry, existing IR plan maturity, and which audience track you want to run — executive, technical, or a combined exercise. We agree the scenario type and confirm participant list and logistics.
Scenario design
The scenario is built around your specific threat profile — attack vector, industry context, system types, and regulatory environment. Injects (new developments introduced mid-exercise) are planned to test decision-making under evolving conditions.
Facilitated exercise
The facilitator walks participants through the scenario — introducing injects, asking probing questions, and ensuring all key decisions and communications are discussed. The facilitator does not provide answers — the exercise surfaces what your team would actually do.
Live debrief
Immediately following the exercise, a structured debrief covers what went well, where the gaps were, and what decisions were made differently than your IR plan documents. Participants reflect on the exercise while the scenario is still fresh.
Post-exercise gap analysis report
A written report delivered within 5 business days — documenting observed gaps, decisions that deviated from the IR plan, missing procedures, and a prioritized list of remediation recommendations. The deliverable your security leadership can act on and present upward.


What you receive
Three deliverables from every exercise
Every tabletop engagement produces concrete outputs — not just a discussion that disappears when the room empties.
01
Facilitated exercise session
A structured, realistic scenario run by an experienced IR practitioner — covering your chosen attack type, your team composition, and your industry context. Half-day or full-day format.
02
Live debrief session
An immediate post-exercise debrief covering key observations, decision points, and communication gaps identified during the scenario — while the experience is still clear in participants' minds.
03
Gap analysis report
A written report with documented gaps, observations, and a prioritized remediation roadmap — suitable for presentation to security leadership or the board as evidence of proactive security program management.
Why Hashmu
Taught by a practitioner, not just an instructor

Most Microsoft authorized training is delivered by instructors who hold the MCT credential but have never operated the tools in a real enterprise environment. At Hashmu, every course is taught by someone who spent years running the same tools — at Microsoft's own global CIRT.
Authorized Microsoft Training Services Partner — official status to deliver Microsoft curriculum and issue recognized training completions
Microsoft Certified Trainer (MCT) — the vendor credential required to deliver official Microsoft courseware
98% five-star post-session student rating — consistently recognized for clarity, hands-on delivery, and real-world context
Get in touch
Find out how your team responds
before an attacker does.
Start with a scoping call. We'll discuss your scenario options, your audience, and your timeline — and put together a proposal from there.
Book an exercise
Schedule a scoping call
30 minutes to define your scenario, audience, and format. No commitment required.
Contact us →
Response within 24 hours