Practice the Bad Day: Safely, Quickly, with Proof
Tabletop Exercises (TTX) are facilitated, no-impact rehearsals of incidents, outages, and crises.
SolveForce runs TTX as an engineering system (clear objectives, realistic injects, time-boxed facilitation, measurable SLOs, and exportable evidence) so your teams learn fast, fix gaps, and auditors see the receipts.
- Phone: (888) 765-8301
- Email: contact@solveforce.com
Connective tissue:
IR: /incident-response • Evidence: /siem-soar
Continuity: /cloud-backup • /backup-immutability • /draas
Security: /mdr-xdr • /ndr • /waf • /ddos • /dlp
Cloud: /cloud • Network: /sd-wan • Access: /ztna • /nac
Outcomes (Why run TTX with SolveForce)
- Confidence: teams know who does what under pressure.
- Speed: measurable improvements to MTTD/MTTC/RTO and comms timelines.
- Clarity: roles, authorities, and escalation paths exercised and fixed.
- Compliance: auditor-ready artifacts (agenda, injects, decisions, action items).
- Continuity: backup/DR playbooks validated and gaps closed.
Scope (What we exercise)
- Cyber: ransomware, data exfiltration, BEC, identity compromise, supply-chain / vendor breach, emergency WAF virtual patch for a zero-day.
- Availability: region outage, network brownout, DNS/PKI failure, CI/CD compromise.
- Business: fraud spikes, carding on checkout, insider misuse, critical vendor loss.
- Vertical-specific: OT/ICS faults (energy/utilities), PACS/EHR (healthcare), trading venue dislocation (finance), POS outage (retail), airport/terminal ops (aviation/maritime).
We tailor injects to your stack (EDR/XDR, SIEM/SOAR, ZTNA/SASE, SD-WAN, WAF/DLP, KMS/HSM, cloud providers).
TTX Building Blocks
- Objectives: e.g., contain ransomware in ≤ 30 minutes, publish exec comms in ≤ 2 hours, restore a Tier-1 app in ≤ 60 minutes.
- Roles: Incident Commander, Comms Lead, IR Lead, Forensics, IT Ops, App Owner, Legal/Privacy, HR, Executive Sponsor, Third-Party/Vendor.
- Artifacts: run-of-show, inject deck, decision log, SLO board screenshots, evidence export, After-Action Report (AAR).
- Injects: timed prompts (screenshots, tickets, "customer" emails, regulator calls) that force decisions and expose gaps.
- Rules of Engagement: no production changes; "assume data" (the facilitator states what a tool would show instead of querying it) only where realistic; the facilitator keeps time and pressure.
Session Formats
Rapid 60-minute (quarterly):
1) 0-5 min: scope and roles • 5-10: scenario brief • 10-45: injects • 45-55: scoring • 55-60: next steps.
Deep-dive 120-minute (biannual):
- Phase 1: detection/triage • Phase 2: containment/eradication • Phase 3: recovery/communications • Phase 4: legal/regulatory.
- Optional parallel track for exec comms and customer care.
Scenario Packs (examples)
- Ransomware + exfil (double extortion): EDR isolate, NAC quarantine, SOAR blocklists, clean-point restore, press and regulator comms.
- Cloud key leak: revoke roles/keys (KMS), SCP lockdown, rotate secrets, forensics on the IaC pipeline.
- BEC / invoice fraud: identity step-up, mail tenant purge, finance controls, vendor notification.
- DDoS + bot surge: WAF rules, rate limits/quotas, Anycast prefix withdrawal, SD-WAN reroute, status page comms.
- Data egress from SaaS: DLP quarantine, session control (SASE), legal notification matrix.
- OT/ICS: PRP/HSR failover, PTP timing alarms, vendor access via ZTNA + PAM, config restore from immutable backups.
SLO Guardrails (TTX success metrics)
Metric / SLO | Target (Recommended)
---|---
MTTD (Sev-1 simulated) | ≤ 5-10 min (SIEM correlation)
MTTC (containment start) | ≤ 15-30 min (EDR/NAC/SOAR actions)
Exec comms (initial brief) | ≤ 60-120 min
Legal/regulatory assessment ready | ≤ 2-4 h
DR decision & launch (Tier-1) | ≤ 30-60 min
Evidence pack completeness | 100% (agenda, injects, decisions, logs)
Action item closure (critical items) | ≤ 30 days
We publish before/after deltas per team and per control (WAF, ZTNA, EDR, DLP, DR).
Scoring Rubric (maturity snapshot)
- Detection (0-5): alert quality, signal routing, SIEM rules.
- Containment (0-5): speed, approvals, SOAR efficacy, blast-radius control.
- Eradication (0-5): playbooks, forensics handoff, key/secret rotation.
- Recovery (0-5): clean-point identification, backup immutability, DR runbooks.
- Comms (0-5): internal and external cadence, regulator mapping, customer care.
- Governance (0-5): role clarity, decision logs, evidence export, follow-through.
After-Action Report (AAR) template
1) Scenario & objectives
2) Timeline & decisions (who/what/when/why)
3) SLO results (hit/miss, deltas)
4) Gaps & root causes (people/process/tech)
5) Action items (owner, due date, priority)
6) Control updates (playbooks, SOAR, policies, IaC)
7) Evidence bundle (links to SIEM exports, screenshots, artifacts)
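The SLO table above and AAR item 3 both depend on one input: the scribe's time-stamped decision log. The following Python scorer is an added example (not SolveForce's tooling and not code from this page) that turns such a log into hit/miss rows against the guardrail targets, attaches the log entry that proves each time, and publishes deltas against a prior run. It assumes a pipe-delimited log format, the event kinds inject/detect/contain/dr_launch/exec_comms/legal_ready, that every clock starts at the scenario's opening inject, and a baseline from an earlier run; the log entries, hosts, and baseline minutes are constructed and fictional.

```python
"""Score a TTX decision log against SLO targets and emit an AAR-style table.

Added example, not SolveForce tooling.  Log format, event kinds, T0 rule
and baseline numbers are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed (fictional) decision log for a ransomware + exfil scenario.
# Format: ISO-8601 timestamp | event kind | actor | note.  The "inject" entry
# that opens the scenario is T0 for every clock scored below.
SAMPLE_LOG = """\
2024-05-14T09:00:00Z|inject|Facilitator|T0: EDR alert on FIN-FS01, ransom note observed
2024-05-14T09:07:30Z|detect|SOC Analyst|SIEM correlation rule fires Sev-1; IC paged
2024-05-14T09:26:00Z|contain|IR Lead|EDR isolate FIN-FS01; NAC quarantine of VLAN 40
2024-05-14T09:41:00Z|decision|Incident Commander|Sev-1 declared; war-room bridge opened
2024-05-14T10:05:00Z|dr_launch|IT Ops|Tier-1 app failover to DR approved and started
2024-05-14T11:20:00Z|exec_comms|Comms Lead|Initial executive brief sent
2024-05-14T13:30:00Z|legal_ready|Legal/Privacy|Regulatory notification assessment complete
"""

# Targets: upper bound of each range in the SLO guardrail table, keyed by the
# event kind whose FIRST occurrence stops that clock.
SLO_TARGETS: Dict[str, tuple] = {
    "detect":      ("MTTD (Sev-1 simulated)",            timedelta(minutes=10)),
    "contain":     ("MTTC (containment start)",          timedelta(minutes=30)),
    "dr_launch":   ("DR decision & launch (Tier-1)",     timedelta(minutes=60)),
    "exec_comms":  ("Exec comms (initial brief)",        timedelta(minutes=120)),
    "legal_ready": ("Legal/regulatory assessment ready", timedelta(hours=4)),
}

# Constructed result (minutes) of a previous run of the same scenario, used to
# publish before/after deltas.  legal_ready was not exercised last time.
BASELINE_MIN: Dict[str, float] = {
    "detect": 22.0, "contain": 48.0, "dr_launch": 95.0, "exec_comms": 150.0,
}


@dataclass
class Entry:
    ts: datetime
    kind: str
    actor: str
    note: str


def parse_log(text: str) -> List[Entry]:
    """Parse pipe-delimited log lines into tz-aware entries sorted by time."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, actor, note = line.split("|", 3)
        # Map a trailing "Z" to "+00:00" so fromisoformat accepts it on older Pythons.
        when = datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))
        entries.append(Entry(when, kind.strip(), actor.strip(), note.strip()))
    return sorted(entries, key=lambda e: e.ts)


def score(entries: List[Entry], baseline: Optional[Dict[str, float]] = None) -> Dict[str, dict]:
    """Return per-kind elapsed minutes, target, hit/miss, delta vs. baseline, evidence."""
    start = next(e.ts for e in entries if e.kind == "inject")
    first: Dict[str, Entry] = {}
    for e in entries:
        first.setdefault(e.kind, e)  # only the first occurrence stops a clock
    results: Dict[str, dict] = {}
    for kind, (label, target) in SLO_TARGETS.items():
        e = first.get(kind)
        elapsed = (e.ts - start).total_seconds() / 60 if e else None
        target_min = target.total_seconds() / 60
        prev = (baseline or {}).get(kind)
        results[kind] = {
            "label": label,
            "elapsed_min": elapsed,
            "target_min": target_min,
            "hit": elapsed is not None and elapsed <= target_min,
            "delta_min": (elapsed - prev) if (elapsed is not None and prev is not None) else None,
            "evidence": f"{e.ts.isoformat()} {e.actor}: {e.note}" if e else "no log entry (not exercised)",
        }
    return results


def render_aar(results: Dict[str, dict]) -> str:
    """Render the AAR 'SLO results (hit/miss, deltas)' table as pipe-delimited text."""
    lines = ["Metric / SLO | Elapsed | Target | Result | Delta vs. prior run",
             "---|---|---|---|---"]
    for r in results.values():
        elapsed = "n/a" if r["elapsed_min"] is None else f"{r['elapsed_min']:.1f} min"
        delta = "n/a" if r["delta_min"] is None else f"{r['delta_min']:+.1f} min"
        lines.append(f"{r['label']} | {elapsed} | <= {r['target_min']:.0f} min | "
                     f"{'HIT' if r['hit'] else 'MISS'} | {delta}")
    return "\n".join(lines)


if __name__ == "__main__":
    res = score(parse_log(SAMPLE_LOG), BASELINE_MIN)
    print(render_aar(res))
    for r in res.values():
        print(f"  evidence [{r['label']}]: {r['evidence']}")
```

With the constructed log, detection (7.5 min) and containment (26 min) hit their targets while DR launch (65 min), the exec brief (140 min) and the legal assessment (270 min) miss; every row carries the log entry that proves the time, which is the "receipt" the evidence pack needs. A metric with no log entry is reported as a miss rather than silently skipped, so an unexercised clock shows up as a gap in the AAR.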
What We Exercise (controls & runbooks)
- IR playbooks: ransomware, BEC, exfil, key leak, DDoS, insider, OT. See /incident-response
- SOAR automations: isolate/kill/block, revoke/rotate, WAF patch, DR launch. See /siem-soar
- Backup/DR: Object Lock verification, clean-point catalog, warm/hot DR tiers. See /cloud-backup • /backup-immutability • /draas
- Access: ZTNA/SASE attach times, NAC quarantine, PAM elevation/recording. See /ztna • /sase • /nac • /pam
- Boundary: WAF/bot rules, DDoS posture, API quotas. See /waf • /ddos
Implementation Blueprint (No-Surprise Rollout)
1) Set objectives & scope (Sev level, systems, teams, regulators).
2) Collect inputs (org chart, runbooks, contact map, SLAs/SLOs).
3) Draft scenario & injects (aligned to your stack; include red-team or vendor calls).
4) Schedule & logistics (hybrid participants, war-room chat, timer, recorder).
5) Run TTX (facilitator cadence; decision & time logging; SLO scoring).
6) AAR & evidence pack (export to SIEM; executive summary).
7) Remediate & re-test (30/60/90-day closure; follow-up micro-TTX).
Pre-Exercise Checklist
- Objectives, success criteria, SLOs.
- Participants and backups; authority to decide.
- Systems in scope (apps, cloud, network, identity, data).
- Current playbooks and approver matrix (isolation, WAF patch, DR, comms).
- Keys/secrets posture (KMS/HSM), break-glass accounts, vault access.
- Backup/DR readiness (immutable sets, recent test restore).
- SIEM/SOAR dashboards; logging completeness; evidence destinations.
- Timebox, facilitator, scribe, observers; recording policy.
Industry Packs (add-ons)
- Healthcare (HIPAA/42 CFR Part 2), Finance (PCI/SOX/SWIFT), Public sector (NIST/CJIS/FedRAMP), OT/ICS (NERC CIP/IEC 62443), Retail (CDE), Media (pre-release content), Logistics (yard/port), Aviation/Maritime (ICAO/IMO/TSA).
Where TTX Fits (Recursive View)
1) Grammar: simulated decisions traverse your /connectivity and /networks-and-data-centers.
2) Syntax: executed across /cloud and the security stack via /siem-soar.
3) Semantics: /cybersecurity playbooks preserve truth; backups/DR prove recoverability.
4) Pragmatics: /solveforce-ai analyzes outcomes and proposes safe improvements.
5) Foundation: consistent terms via /primacy-of-language.
Schedule a High-Impact Tabletop (and get evidence you can hand to auditors)
- Phone: (888) 765-8301
- Email: contact@solveforce.com