Practice the Bad Day—Safely, Quickly, with Proof
Tabletop Exercises (TTX) are facilitated, no-impact rehearsals of incidents, outages, and crises.
SolveForce runs TTX as an engineering system—clear objectives, realistic injects, time-boxed facilitation, measurable SLOs, and exportable evidence—so your teams learn fast, fix gaps, and auditors see the receipts.
Connective tissue:
🚨 IR → /incident-response • 📊 Evidence → /siem-soar
💾 Continuity → /cloud-backup • /backup-immutability • /draas
🔒 Security → /mdr-xdr • /ndr • /waf • /ddos • /dlp
☁️ Cloud → /cloud • 🔀 Network → /sd-wan • 🔐 Access → /ztna • /nac
🎯 Outcomes (Why run TTX with SolveForce)
- Confidence — teams know who does what under pressure.
- Speed — measurable improvements to MTTD/MTTC/RTO and comms timelines.
- Clarity — roles, authorities, and escalation paths exercised & fixed.
- Compliance — auditor-ready artifacts (agenda, injects, decisions, action items).
- Continuity — backups/DR playbooks validated and gaps closed.
🧭 Scope (What we exercise)
- Cyber — ransomware, data exfil, BEC, identity compromise, supply-chain / vendor breach, zero-day WAF patch.
- Availability — region outage, network brownout, DNS/PKI failure, CI/CD compromise.
- Business — fraud spikes, carding on checkout, insider misuse, critical vendor loss.
- Vertical-specific — OT/ICS faults (energy/utilities), PACS/EHR (healthcare), trading venue dislocation (finance), POS outage (retail), airport/terminal ops (aviation/maritime).
We tailor injects to your stack (EDR/XDR, SIEM/SOAR, ZTNA/SASE, SD-WAN, WAF/DLP, KMS/HSM, cloud providers).
🧱 TTX Building Blocks
- Objectives — e.g., contain ransomware in ≤ 30 minutes, publish exec comms in ≤ 2 hours, restore Tier-1 app in ≤ 60 minutes.
- Roles — Incident Commander, Comms Lead, IR Lead, Forensics, IT Ops, App Owner, Legal/Privacy, HR, Executive Sponsor, Third-Party/Vendor.
- Artifacts — run-of-show, inject deck, decision log, SLO board screenshots, evidence export, After-Action Report (AAR).
- Injects — timed prompts (screenshots, tickets, “customer” emails, regulator calls) that force decisions and show gaps.
- Rules of Engagement — no production changes; “assume data” only where realistic; facilitator keeps time & pressure.
🧭 Session Formats
Rapid 60-minute (quarterly):
- 0–5 min: scope & roles • 5–10: scenario brief • 10–45: injects • 45–55: scoring • 55–60: next steps.
Deep-dive 120-minute (biannual):
- Phase 1: detection/triage • Phase 2: containment/eradication • Phase 3: recovery/communications • Phase 4: legal/regulatory.
- Optional parallel track for exec comms & customer care.
🧩 Scenario Packs (examples)
- Ransomware + exfil (double extortion) → EDR isolate, NAC quarantine, SOAR blocklists, clean-point restore, press & regulator comms.
- Cloud key leak → revoke roles/keys (KMS), SCP lockdown, rotate secrets, forensics on IaC pipeline.
- BEC / invoice fraud → identity step-up, mail tenant purge, finance controls, vendor notification.
- DDoS + bot surge → WAF rules, rate/quotas, Anycast withdraw, SD-WAN reroute, status page comms.
- Data egress from SaaS → DLP quarantine, session control (SASE), legal notification matrix.
- OT/ICS → PRP/HSR failover, PTP timing alarms, vendor access via ZTNA + PAM, config restore from immutable backups.
📐 SLO Guardrails (TTX success metrics)
| Metric / SLO | Target (Recommended) |
|---|---|
| MTTD (Sev-1 simulated) | ≤ 5–10 min (SIEM correlation) |
| MTTC (containment start) | ≤ 15–30 min (EDR/NAC/SOAR actions) |
| Exec comms (initial brief) | ≤ 60–120 min |
| Legal/regulatory assessment ready | ≤ 2–4 h |
| DR decision & launch (Tier-1) | ≤ 30–60 min |
| Evidence pack completeness | = 100% (agenda, injects, decisions, logs) |
| Action item closure (critical items) | ≤ 30 days |
We publish before/after deltas per team and per control (WAF, ZTNA, EDR, DLP, DR).
🧪 Scoring Rubric (maturity snapshot)
- Detection (0–5) — alert quality, signal routing, SIEM rules.
- Containment (0–5) — speed, approvals, SOAR efficacy, blast-radius control.
- Eradication (0–5) — playbooks, forensics handoff, key/secret rotation.
- Recovery (0–5) — clean-point identification, backup immutability, DR runbooks.
- Comms (0–5) — internal & external cadence, regulator mapping, customer care.
- Governance (0–5) — roles clarity, decision logs, evidence export, follow-through.
📄 After-Action Report (AAR) template
1) Scenario & objectives
2) Timeline & decisions (who/what/when/why)
3) SLO results (hit/miss, deltas)
4) Gaps & root causes (people/process/tech)
5) Action items (owner, due date, priority)
6) Control updates (playbooks, SOAR, policies, IaC)
7) Evidence bundle (links to SIEM exports, screenshots, artifacts)
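The SLO guardrail table above and item 3 of the AAR template (hit/miss, deltas) can be produced mechanically from the decision log kept during the session. The script below is an added illustration, not SolveForce tooling: it assumes a simple `ISO time | event | actor | note` log format, treats the upper bound of each recommended range as the pass threshold, and scores a constructed ransomware-scenario log.

```python
"""Score a TTX decision log against the SLO guardrail table. Added example, not
SolveForce tooling; log format and 'upper bound = pass threshold' are assumed."""
from datetime import datetime

# Pass thresholds: upper bound of each recommended range (assumption), in minutes.
SLO_TARGET_MIN = {"MTTD": 10, "MTTC": 30, "Exec comms": 120,
                  "Legal assessment": 240, "DR launch": 60}
# Decision-log event that stops each clock; every clock starts at "inject".
SLO_EVENTS = {"MTTD": "detected", "MTTC": "containment_started",
              "Exec comms": "exec_brief_sent",
              "Legal assessment": "legal_assessment_ready", "DR launch": "dr_launched"}

def parse_log(text):
    """Map each event name to the time it was first logged ('ISO time | event | actor | note')."""
    events = {}
    for line in text.strip().splitlines():
        ts, event, *_ = [p.strip() for p in line.split("|")]
        events.setdefault(event, datetime.fromisoformat(ts))
    return events

def score(events):
    """Per-metric elapsed/target/delta (minutes) and hit flag, for the AAR SLO section."""
    t0, results = events["inject"], {}
    for metric, target_min in SLO_TARGET_MIN.items():
        ts = events.get(SLO_EVENTS[metric])
        # A clock that never stopped means the action was not reached in the timebox: a miss.
        elapsed_min = (ts - t0).total_seconds() / 60 if ts else None
        results[metric] = {
            "elapsed_min": elapsed_min, "target_min": target_min,
            "delta_min": None if ts is None else elapsed_min - target_min,
            "hit": ts is not None and elapsed_min <= target_min,
        }
    return results

# Constructed sample decision log from a ransomware-scenario TTX.
SAMPLE_LOG = """
2024-05-14T09:00:00 | inject | facilitator | EDR alert screenshot: encryption on a file server
2024-05-14T09:07:00 | detected | SOC | Sev-1 declared, Incident Commander assigned
2024-05-14T09:41:00 | containment_started | IR Lead | EDR isolate + NAC quarantine approved
2024-05-14T09:55:00 | dr_launched | IT Ops | clean-point restore of Tier-1 app launched
2024-05-14T10:30:00 | exec_brief_sent | Comms Lead | initial executive brief published
"""

if __name__ == "__main__":
    for metric, r in score(parse_log(SAMPLE_LOG)).items():
        shown = "not reached" if r["elapsed_min"] is None else f"{r['elapsed_min']:.0f} min"
        print(f"{metric:18} {shown:>12}  target {r['target_min']} min  {'HIT' if r['hit'] else 'MISS'}")
```

In the sample, containment starts 11 minutes past the 30-minute guardrail and the legal assessment never happens, which is exactly the kind of gap that becomes an action item with an owner and due date.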
🧰 What We Exercise (controls & runbooks)
- IR playbooks — ransomware, BEC, exfil, key leak, DDoS, insider, OT. → /incident-response
- SOAR automations — isolate/kill/block, revoke/rotate, WAF patch, DR launch. → /siem-soar
- Backup/DR — Object-Lock verification, clean-point catalog, warm/hot DR tiers. → /cloud-backup • /backup-immutability • /draas
- Access — ZTNA/SASE attach times, NAC quarantine, PAM elevation/recording. → /ztna • /sase • /nac • /pam
- Boundary — WAF/Bot rules, DDoS posture, API quotas. → /waf • /ddos
🛠️ Implementation Blueprint (No-Surprise Rollout)
1) Set objectives & scope (Sev level, systems, teams, regulators).
2) Collect inputs (org chart, runbooks, contact map, SLAs/SLOs).
3) Draft scenario & injects (aligned to your stack; include red-team or vendor calls).
4) Schedule & logistics (hybrid participants, war-room chat, timer, recorder).
5) Run TTX (facilitator cadence; decision & time logging; SLO scoring).
6) AAR & evidence pack (export to SIEM; executive summary).
7) Remediate & re-test (30/60/90-day closure; follow-up micro-TTX).
✅ Pre-Exercise Checklist
- 🎯 Objectives, success criteria, SLOs.
- 👥 Participants & backups; authority to decide.
- 🧭 Systems in scope (apps, cloud, network, identity, data).
- 🧰 Current playbooks & approver matrix (isolation, WAF patch, DR, comms).
- 🔐 Keys/secrets posture (KMS/HSM), break-glass accounts, vault access.
- ☁️ Backup/DR readiness (immutable sets, recent test-restore).
- 📊 SIEM/SOAR dashboards; logging completeness; evidence destinations.
- 🗓️ Timebox, facilitator, scribe, observers; recording policy.
🧩 Industry Packs (add-ons)
- Healthcare (HIPAA/42 CFR Part 2), Finance (PCI/SOX/SWIFT), Public sector (NIST/CJIS/FedRAMP), OT/ICS (NERC CIP/62443), Retail (CDE), Media (pre-release content), Logistics (yard/port), Aviation/Maritime (ICAO/IMO/TSA).
🔄 Where TTX Fits (Recursive View)
1) Grammar — simulated decisions traverse your /connectivity & /networks-and-data-centers.
2) Syntax — executed across /cloud and security stack via /siem-soar.
3) Semantics — /cybersecurity playbooks preserve truth; backups/DR prove recoverability.
4) Pragmatics — /solveforce-ai analyzes outcomes and proposes safe improvements.
5) Foundation — consistent terms via /primacy-of-language.