Tabletop Exercise Framework
Overview
A tabletop exercise framework is the structure a SOC uses to rehearse incident response on paper: a facilitator presents a scenario in stages and the participants (analysts, incident commander, IT, Legal, PR, executives) talk through what they would do at each stage without touching production systems. In this knowledge base it appears inside broader SOC operations work, such as playbook validation, analyst training, and post-incident follow-up, rather than as an end in itself.
What It Is
A tabletop exercise is a discussion-based exercise, as opposed to a functional or full-scale exercise in which systems are actually operated. Its value is in surfacing gaps in playbooks, escalation paths, decision authority, and cross-team communication before a real incident does. NIST SP 800-84 (Guide to Test, Training, and Exercise Programs) describes this exercise type and how it fits into a recurring test, training, and exercise program; FEMA HSEEP provides a comparable design and evaluation methodology.
How It Works
A facilitator prepares a scenario with a title, an exercise identifier, a time box, a handling classification (for example TLP:AMBER), and a short list of measurable objectives, then scripts a sequence of injects: new pieces of information revealed at set times, each tied to one or more objectives. Participants respond to each inject according to their playbooks; evaluators note where the documented procedure was followed, where it was missing, and where a decision stalled or was made by the wrong person. The output is an after-action report that maps every objective to findings, remediation items, and owners.
Core Concepts
- SOC
- tabletop
- exercise
- incident response
- training
- NIST
- playbook validation
- SOC operations
Typical Workflow
- Scenario: "Operation Dark Harvest — Ransomware Attack Scenario"
- Exercise ID: TTX-2024-Q1
- Duration: 3 hours (09:00-12:00)
- Classification: TLP:AMBER (need-to-know within the organization)
- Objectives:
  - 1. Test the SOC team's ability to detect and triage ransomware indicators
  - 2. Validate escalation procedures from Tier 1 to the incident commander
  - 3. Assess cross-functional communication with Legal, PR, and Executive leadership
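The scenario header above is only useful if the injects actually exercise every objective and fit the time box, and if the after-action scoring is tied back to those objectives. The following Python script is an added example written for this page (it is not tooling from the knowledge base): it encodes the Operation Dark Harvest header, checks a scenario for consistency before the session, produces the facilitator's wall-clock schedule, and scores objectives from per-inject outcomes. The injects, the start date, the expected actions, and the outcome values are constructed for the example.

```python
# Added example for this page: a small scenario checker and after-action
# scorer for a SOC tabletop exercise. It is not tooling from the knowledge
# base; the injects, timings, start date and outcomes are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# TLP 2.0 labels plus the older TLP:WHITE.
TLP_LABELS = {"TLP:CLEAR", "TLP:WHITE", "TLP:GREEN", "TLP:AMBER",
              "TLP:AMBER+STRICT", "TLP:RED"}


@dataclass
class Inject:
    offset_min: int       # minutes after exercise start when it is revealed
    description: str      # what participants are told
    objectives: list      # objective numbers this inject is meant to test
    expected_action: str  # what the playbook says should happen next


@dataclass
class Exercise:
    exercise_id: str
    title: str
    classification: str
    start: datetime
    duration_min: int
    objectives: dict      # objective number -> statement
    injects: list = field(default_factory=list)


def validate(ex):
    """Return a list of scenario problems; an empty list means it is consistent."""
    problems = []
    if ex.classification not in TLP_LABELS:
        problems.append(f"unknown classification {ex.classification!r}")
    last = -1
    for n, inj in enumerate(ex.injects, start=1):
        if not 0 <= inj.offset_min < ex.duration_min:
            problems.append(f"inject {n} at +{inj.offset_min} min is outside "
                            f"the {ex.duration_min} min window")
        if inj.offset_min < last:
            problems.append(f"inject {n} is out of chronological order")
        last = inj.offset_min
        for o in inj.objectives:
            if o not in ex.objectives:
                problems.append(f"inject {n} references unknown objective {o}")
    covered = {o for inj in ex.injects for o in inj.objectives}
    for o in ex.objectives:
        if o not in covered:
            problems.append(f"objective {o} is never exercised by an inject")
    return problems


def schedule(ex):
    """Facilitator wall-clock schedule as (HH:MM, description) pairs."""
    return [((ex.start + timedelta(minutes=inj.offset_min)).strftime("%H:%M"),
             inj.description) for inj in ex.injects]


def after_action(ex, outcomes):
    """Map each objective to met (True) or not met (False).
    outcomes maps 1-based inject number -> True if the team took the expected
    action. An objective is met only if every inject testing it was passed."""
    report = {}
    for o in ex.objectives:
        tested = [n for n, inj in enumerate(ex.injects, start=1)
                  if o in inj.objectives]
        report[o] = bool(tested) and all(outcomes.get(n, False) for n in tested)
    return report


def build_dark_harvest():
    """The scenario outlined above; the injects and date are constructed."""
    ex = Exercise(
        exercise_id="TTX-2024-Q1", title="Operation Dark Harvest",
        classification="TLP:AMBER", start=datetime(2024, 3, 12, 9, 0),
        duration_min=180,
        objectives={1: "Detect and triage ransomware indicators",
                    2: "Escalate from Tier 1 to the incident commander",
                    3: "Coordinate with Legal, PR and Executive leadership"})
    ex.injects = [
        Inject(10, "EDR alert: mass file renames to .locked on FS01", [1],
               "Tier 1 opens a ticket and checks the ransomware playbook"),
        Inject(40, "Second host affected; users report unreadable files", [1, 2],
               "Tier 1 declares a major incident and pages the IC"),
        Inject(90, "Ransom note claims customer data was exfiltrated", [3],
               "IC engages Legal and PR; executives notified per playbook"),
        Inject(150, "Journalist emails PR about an outage", [3],
               "PR issues the pre-approved holding statement only"),
    ]
    return ex


if __name__ == "__main__":
    ex = build_dark_harvest()
    assert validate(ex) == [], validate(ex)
    for when, what in schedule(ex):
        print(when, what)
    # Constructed outcome: escalation worked, the press inquiry was mishandled.
    print(after_action(ex, {1: True, 2: True, 3: True, 4: False}))
```

The scoring rule is deliberately strict: an objective counts as met only if every inject that tests it was handled per playbook, so a single mishandled press inquiry marks objective 3 as a gap for the after-action report rather than being averaged away. Running validate() before the session catches the common design mistakes (an objective nobody wrote an inject for, an inject scheduled past the end of the time box, an unrecognised handling label) while there is still time to fix the script.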
Use Cases
- Annual or semi-annual incident response testing is required (NIST, ISO 27001, PCI DSS compliance)
- New SOC analysts need exposure to major incident scenarios in a controlled environment
- Updated playbooks need validation before next real incident
- Cross-functional coordination (SOC, IT, Legal, PR, Executive) needs rehearsal
- Post-incident reviews reveal gaps requiring scenario-based training
Common Scenarios
- Ransomware Attack: multi-phase scenario testing detection, containment, the ransom decision, and recovery
- Data Breach: customer PII exposure testing notification requirements, legal obligations, and PR response
- Supply Chain Compromise: third-party vendor breach impacting organizational systems and data
- Insider Threat: employee data theft scenario testing HR, Legal, and security team coordination
- Business Email Compromise: CEO-fraud wire transfer attempt testing financial controls and verification procedures
Limitations
- A tabletop exercise tests decision-making and communication, not tooling: it does not prove that a detection fires, that a backup restores, or that containment works on real systems. Those need functional exercises or purple-team testing.
- Results depend on scenario realism and facilitator skill. An exercise that only confirms what the playbook already says, or that lets participants skip ahead to the known ending, yields little.
- Findings are only useful if the after-action report assigns owners and deadlines and the identified gaps are retested in a later exercise.
Related Tools
- Archer (GRC platform for tracking findings and remediation), FEMA HSEEP (exercise design and evaluation methodology rather than a tool), Immersive Labs (hands-on training platform), Infection Monkey (breach-and-attack simulation; a functional test rather than a tabletop)
Sources
- performing-soc-tabletop-exercise