
Moving Beyond Tabletop Exercises: How MSSPs Can Strengthen Client Readiness


COMMENTARY: This article highlights a simple but important problem: many teams talk about incident response, but they rarely practice it in a realistic way. Traditional tabletop exercises often turn into discussions instead of real decision-making under pressure. But simulation-based exercises show how people actually behave during an incident, not just what they say they would do. Incident response is not just a technical issue. It depends on how security, legal, communications, and leadership work together when something goes wrong. Tools can make exercises more realistic, but the real value comes from watching how teams communicate, make decisions, and coordinate when the pressure is real.


Teams often struggle during incidents, not because they lack technology, but because they have not practiced working through one together. Many tabletop exercises still rely more on discussion than simulation. Participants talk through what they would do, but they do not make decisions under realistic pressure. That gap becomes clear when an actual breach forces teams to coordinate in real time.

Traditional tabletops often use scripted injects, generic threat scenarios, and a turn-taking format that bears little resemblance to how incidents unfold. Communication plans may remain largely untested because no meaningful communication takes place. Tradeoffs such as disclose versus protect the brand, or shut systems down versus keep operations running, may never fully materialize because the scenario does not force a choice. Participants leave with a useful conversation, but not always with evidence of how the team performs under pressure.

This is the gap the industry should address. The value of tabletop exercises is well established, but the format can be strengthened.

The Missing Half of Incident Preparedness

Breach and Attack Simulation (BAS) tools and red team exercises test technical controls and the ability to contain an attack. But incidents are not only technical events. From my experience responding to incidents across Fortune 500 companies, high-growth SaaS environments, and consulting engagements at Aon/Stroz Friedberg, the breakdowns often occur at the human layer: decisions about containment, customer communication, notification order, and how Legal and Communications align under deadline pressure.

A real incident affects far more than the security team. Support may field customer calls, legal may evaluate disclosure obligations under HIPAA or state breach notification laws, communications may draft external messaging while executives demand answers, and HR may manage internal fallout. Palo Alto Networks' Unit 42 Incident Response Report notes that the median time from initial compromise to ransom demand has dropped to under three days, leaving little time to establish a coordination model once an incident begins.

What often determines whether a company emerges from a breach with its reputation intact is how the team reacts and coordinates as a unit. As Harvard Business Review noted in a recent piece on collective resilience, cybersecurity preparedness is increasingly understood as an organizational capability, not just a technical one. Those capabilities are built through repeated practice under realistic conditions, not discussion alone. Customers ultimately judge a company by how it responds, not only by which tools it has deployed.

From Discussion to Simulation: The Evolution of the Tabletop

The traditional tabletop format was developed before it was possible to simulate the reactions of the many actors involved in a real incident. Law enforcement, cyber insurers, customers, reporters, executives, regulators, and board members all respond differently depending on what information they have and when they receive it. For years, facilitators compensated with scripted injects and curated prompts. That constraint is changing. Newer tabletop platforms use AI-driven role play to preserve the cross-functional conversation and strategic thinking that make tabletop exercises useful while adding a more dynamic sense of consequence.

Participant decisions can change the scenario in real time. Notify customers early and the exercise moves in one direction. Delay disclosure and the media response may look different. Send external communications before legal review and the exercise can escalate accordingly.

For managed security service providers (MSSPs), the post-exercise debrief is one of the most valuable steps. When the simulation ends, the MSSP can review decisions made, the timing of those decisions, where escalation broke down, and what followed from each choice. The discussion is grounded in observed behavior rather than hypothetical intentions, which makes recommendations more specific and actionable.

Every Action Produces a Reaction

In a simulation-based exercise, participants join a video call, face a realistic threat, and make decisions in real time. The platform models the reactions of relevant actors: customers calling in, a reporter seeking comment, an executive demanding a status update, or a cyber insurer asking for documentation. The focus shifts to group dynamics and human interaction: who takes charge, who freezes, whether Sales gets briefed before a key account calls, and whether Legal and Communications align on notification timing.

See the Team Play to Coach the Team

A basketball coach who has never watched the team play together cannot offer much useful guidance. The same is true in incident response. A more adaptive simulation can help an MSSP observe the team working through containment, eradication, and recovery as a unit, under pressure, with each choice producing consequences. Because the scenario responds to decisions rather than following a script, it can surface real behaviors instead of rehearsed answers.

The after-action report that follows can document breakdowns in coordination, gaps in escalation procedures, and evidence of what worked. A discussion-based tabletop may produce a summary of what participants said they would do. A simulation-based exercise can provide a more concrete view of what they actually did.

That distinction matters for MSSPs. A well-designed, realistic simulation can reveal gaps that a generic theoretical conversation may miss. The more specific the gaps identified, the more specific the remediation recommendations can be. That specificity can build trust by showing the client that the MSSP understands the client’s environment, team dynamics, and risk posture. It can also create more informed conversations about controls, services, and priorities.

A Scalable Service Line Built on Faster, Better Preparation

Traditional tabletop exercises often required substantial preparation: researching the client environment, building a scenario, scripting injects, coordinating stakeholders, and writing a post-exercise report from facilitator notes. That workload made frequent exercises impractical for many organizations and difficult for MSSPs to deliver at scale. It also contributed to the use of generic, lightly customized exercises that did not always feel credible to participants.

More adaptive platforms can compress that preparation cycle by helping generate scenarios against the client's environment and threat profile, support the live exercise, and produce a more detailed after-action report grounded in documented participant behavior. The result can be a service delivered more frequently, with greater customization and more consistent output. Preparedness begins to shift from a one-time project to an ongoing practice.

When evaluating platforms to deliver this service, MSSPs should look for three things: scenario customization tied to the client's industry and technology environment; role-playing that responds credibly to participant decisions rather than following rigid branches; and reporting detailed enough to support internal review and, where needed, compliance discussions. Cyber insurers increasingly require documented and tested incident response plans, and frameworks from HIPAA to CMMC are raising expectations around demonstrated readiness, not just documented policy. MSSPs that can deliver evidence-based preparedness may be better positioned to act as trusted advisors rather than commodity vendors.

Putting It into Practice

Start with a client whose leadership already sees cyber readiness as a business issue. Run a focused 60- to 90-minute simulation built around a threat relevant to that organization: a vendor compromise, a ransomware event, or credential theft that escalates to data exfiltration. Include technical staff, communications, legal, support, sales, and HR. Let the scenario run. Observe how the team coordinates, or where it does not. Deliver the report with specific findings. Then discuss what ongoing preparedness should look like and what the identified gaps suggest about current controls and service needs.

Breaches are no longer a question of if, but when. The difference between an organization that recovers and one that struggles often comes down to preparation. Organizations that weather the next incident will be the ones that practiced together under pressure, with decisions that carried visible consequences. AI-enabled tabletop exercises may represent an important step in how that preparation is delivered, and MSSPs that adopt more realistic readiness models early may help shape expectations for the market.


MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to suparna.bhasin@cyberriskalliance.com.

Cassio Goldschmidt

Cassio Goldschmidt is the CTO at Reflex Security. Cassio is a three-time Top 100 CISO (2021, 2023, 2025), ISC2 ISLA award winner, and 25-year practitioner who has held security leadership roles at Symantec, Intuit, NCR, Aon/Stroz Friedberg, and ServiceTitan, where he built the security program from scratch through an $11B valuation and IPO. He has authored more than 20 articles and papers for Forbes, OWASP, and SAFECode, and is the founder of OWASP Los Angeles. His work building and stress-testing incident response programs across Fortune 500 and high-growth SaaS companies informs the ideas in this article.
