
Tabletop Exercises

Tabletop exercises are facilitated walkthroughs of simulated incidents. They test your team's response procedures without a real incident, identifying gaps in communication, decision-making, and resource availability. ConcertoGRC supports both Incident Response and BC/DR exercise types with AI-generated scenarios, role-based participants, live facilitation with phase transitions, structured response collection, and AI-generated after-action reports.

Overview

Access from Security Operations → Tabletop Exercises in the sidebar.

[Screenshot: Tabletop Exercises page with the New Exercise button, six stat cards (Total, Planning, Scheduled, In Progress, Completed, Cancelled), a search bar with status and type filters, and the exercise table listing one Ransomware Incident Response exercise]

Summary Statistics

The top bar shows live counts by lifecycle status:

  • Total — All exercises
  • Planning — Being prepared
  • Scheduled — Date set, not yet started
  • In Progress — Currently running
  • Completed — Finished, results available
  • Cancelled — Exercise cancelled

Click any stat card to filter the table.

Exercise Table

  • Title — Exercise name (click to open the detail page)
  • Type — Incident Response or BC/DR (color-coded label)
  • Status — Lifecycle status
  • Owner — Exercise facilitator/owner
  • Scheduled — Scheduled date
  • Scenarios — Count of scenario injects
  • Participants — Count of participants

Use the search bar and dropdown filters to find exercises by title, status, or type.

Exercise Types

  • Incident Response — Security incident scenarios: breach, ransomware, unauthorized access, insider threat
  • BC/DR — Business continuity and disaster recovery: system outage, vendor failure, natural disaster

Creating an Exercise

Click + New Exercise to open the planning wizard.

Step 1: Exercise Type

Choose between Incident Response and BC/DR with visual cards describing each type.

Step 2: Scope & Objectives

  • Sub-type — More specific scenario category (e.g., Ransomware, Data Breach, Insider Threat for IR; System Outage, Vendor Failure, Natural Disaster for BC/DR)
  • Title — Auto-suggested or manual exercise name
  • Description — Scope and objectives
  • Learning Objectives — Add multiple objectives that define what the exercise should test

Step 3: Organizational Context

Select which organizational data to include as context for AI scenario generation:

  • Vendors & Third Parties
  • Applications & Systems
  • Open Vulnerabilities
  • Recent Incidents
  • Policies & Procedures
  • Risk Register
  • Key Personnel

Step 4: Schedule & Participants

  • Estimated Duration — 30 minutes, 1 hour, 1.5 hours, 2 hours, or 3 hours
  • Scheduled Date — When to run the exercise (optional)
  • Participants — Add platform users (optional, can add later)

Step 5: Review

Summary of all settings before creation.

Exercise Detail Page

[Screenshot: exercise detail page for "Ransomware Incident Response Q2 2026" showing the breadcrumb (Exercises / Planning / Incident Response), header fields (Status, Owner, Scheduled Date, Duration), the Preview as Participant, Preview as Facilitator and Start Exercise buttons, the six tabs (Details, Scenarios, Participants, Observations, Responses, Report), and the Details tab with Description, Learning Objectives and Timeline]

The detail page is a full-page workspace for planning and running an exercise.

  • Breadcrumb — Navigation showing status and type badges
  • Title — Inline editable exercise name
  • Status — Dropdown (Planning, Scheduled, In Progress, Completed, Cancelled)
  • Owner — Dropdown to assign a facilitator
  • Scheduled Date — Date/time picker
  • Duration (min) — Estimated duration in minutes
  • Preview as Participant — Preview the exercise from a participant's perspective
  • Preview as Facilitator — Preview the facilitator's live control view
  • Start Exercise — Begin the live exercise (visible when scenarios exist)

Details Tab

  • Description — Exercise scope and objectives
  • Learning Objectives — Numbered list of what the exercise should test
  • Timeline — Created, started, and completed timestamps

Scenarios Tab

[Screenshot: Scenarios tab with three inject cards (1 Initial Scenario: Anomalous Encryption Activity Detected, 5m; 2 Escalation: Ransom Note Discovered, 5m; 3 External Pressure: Media Inquiry Received, 4m), the drag-to-reorder hint, the Regenerate with AI button and the Add Inject button]

Scenarios are the inject cards presented to participants during the exercise. Each scenario includes:

  • Title — Scenario headline
  • Inject Type — How the information arrives (see types below)
  • Narrative Text — Detailed scenario description
  • Avatar Mood — Tone of the scenario presentation (Calm, Concerned, Urgent, Encouraging)
  • Time Allowed — How long participants have to respond
  • Scenario Clock — Display time shown to participants (e.g., "02:14 AM")
  • Expected Actions — What a good response looks like
  • Facilitator Notes — Private notes for the facilitator
  • Response Options — Per-role structured choices for participants

Scenarios can be reordered by drag and drop. Click + Add Inject to create a scenario manually, or Regenerate with AI to have AI generate scenarios from the exercise context and learning objectives.

Inject Types

  • Initial Scenario — Opening scenario setting the stage
  • Inject — Standard scenario or challenge
  • Decision Point — Critical decision moment requiring participant action
  • Escalation — Situation escalates in severity
  • Curveball — Unexpected twist or complication
  • External Pressure — External event affecting the response (media, regulator, customer)
  • Resolution — Final resolution scenario

Response Options

Each scenario can define structured response choices per participant role. Each choice has a label and a tag:

  • Commit (Green) — Positive, approved decision
  • Caution (Amber) — Risk-aware, measured decision
  • Escalate (Blue) — Requests higher authority or expertise
  • Risky (Red) — High-risk or discouraged decision

Participants Tab

Manage exercise participants with role assignments:

  • Facilitator — Exercise moderator, controls the flow
  • Incident Commander — Leads the response, makes final decisions
  • Team Lead — Department or function-specific lead
  • Communications — Communications and PR lead
  • Legal — Legal and compliance lead
  • Technical — Technical and engineering lead
  • Executive — Executive-level decision maker
  • Observer — Watch-only, no active participation
  • Participant — General participant

Add participants from platform users or as external participants (name and email). External participants receive a magic link invitation to join the exercise.

Observations Tab

Record observations during and after the exercise:

  • Type — Strength, Gap, Improvement, or Note
  • Severity — Critical, High, Medium, Low, or Info
  • Description — What was observed
  • Policy Reference — Link to a relevant policy (optional)
  • Scenario — Which scenario the observation relates to (optional)

Responses Tab

View all participant responses to scenario injects. Each response shows the participant name, related scenario, response text or selected choices, response time, and choice tags.

Report Tab

After the exercise completes, generate an AI-powered After-Action Report containing:

  • Executive Summary — Overall assessment of exercise performance
  • Strengths — Capabilities demonstrated effectively
  • Gaps — Weaknesses and capability gaps with severity ratings
  • Recommendations — Improvement items with priority, owner, and timeline
  • Compliance Mappings — How exercise outcomes map to framework requirements
  • Participant Metrics — Individual performance observations

The report can be downloaded as a PDF and linked to an Evidence Request for compliance documentation.

Exercise Lifecycle

PLANNING → SCHEDULED → IN_PROGRESS → COMPLETED
(CANCELLED can be reached from any state)

  • Planning — Exercise being prepared: adding scenarios, participants, and context
  • Scheduled — Date set, invitations sent, not yet started
  • In Progress — Live exercise running with active phase transitions
  • Completed — Finished: results, observations, and report available
  • Cancelled — Exercise cancelled (can cancel from any state)

Live Exercise Facilitation

When the facilitator clicks Start Exercise, the system enters live mode with a phase-based flow:

Brief → Incoming → Collect → Reveal → Debrief

  • Brief — Facilitator sets the scene, reviews ground rules and role assignments
  • Incoming — Scenario inject is presented to participants with narrative and context
  • Collect — Participants submit their responses (text or structured choices) with a countdown timer
  • Reveal — Facilitator reveals expected actions, discusses actual responses
  • Debrief — Final discussion: capture lessons learned and recommendations

The facilitator advances through phases using controls in the live view. A timer can be started for each phase to keep the exercise on schedule. Phases cycle through Incoming → Collect → Reveal for each scenario inject, then move to the final Debrief.
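The lifecycle and phase rules above, as a small Python model added here for illustration (not ConcertoGRC code). Class and function names, and starting an unscheduled exercise directly from Planning, are assumptions:

```python
# Added example, not ConcertoGRC's own code: a model of the exercise lifecycle
# and live phase flow documented above. Names are assumptions.
from dataclasses import dataclass, field

# Documented forward path, plus Cancelled reachable from any state.
NEXT_STATUS = {
    "Planning": {"Scheduled", "Cancelled"},
    "Scheduled": {"In Progress", "Cancelled"},
    "In Progress": {"Completed", "Cancelled"},
    "Completed": {"Cancelled"},
    "Cancelled": set(),
}

@dataclass
class Inject:
    title: str
    inject_type: str        # Initial Scenario, Escalation, External Pressure, ...
    time_allowed_min: int   # how long participants have to respond (Collect phase)

@dataclass
class Exercise:
    title: str
    duration_min: int
    injects: list = field(default_factory=list)
    status: str = "Planning"

    def set_status(self, new):
        if new not in NEXT_STATUS[self.status]:
            raise ValueError(f"{self.status} -> {new} is not a documented transition")
        self.status = new

    def start(self):
        # Start Exercise is only offered once at least one scenario exists.
        if not self.injects:
            raise ValueError("cannot start an exercise with no scenario injects")
        if self.status == "Planning":   # unscheduled exercise; assumption
            self.set_status("Scheduled")
        self.set_status("In Progress")

    def phase_plan(self):
        """Brief, then Incoming/Collect/Reveal per inject, then Debrief.
        Only Collect carries the inject's countdown (seconds)."""
        plan = [("Brief", None, None)]
        for inj in self.injects:
            plan += [("Incoming", inj.title, None),
                     ("Collect", inj.title, inj.time_allowed_min * 60),
                     ("Reveal", inj.title, None)]
        plan.append(("Debrief", None, None))
        return plan
    def collect_minutes(self):  # response time budget vs. estimated duration
        return sum(i.time_allowed_min for i in self.injects)
```

Comparing collect_minutes() with duration_min is a quick planning check that the injects' response windows leave room for Brief, Reveal discussions and the Debrief.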

Live Views

Facilitator View — Full control panel with phase advancement, timer controls, scenario management, and response monitoring.

[Screenshot: facilitator view with the current inject card (Anomalous Encryption Activity Detected), phase controls (Brief, Incoming, Collect, Reveal, Debrief), countdown timer, participant roster with roles and response status, expected actions panel, and facilitator notes]

Participant View — Scenario presentation with role-specific guidance prompts and response submission.

[Screenshot: participant view with the scenario inject, the role-based prompt for Incident Commander, discussion questions, a response text area, and structured response options tagged Commit, Caution, Escalate, and Risky]

External Participants — Access via magic link, same participant view without platform login.

AI Features

Scenario Generation

AI generates realistic scenario injects based on:

  • Exercise type and sub-type
  • Organization context (vendors, systems, vulnerabilities, incidents, policies)
  • Learning objectives
  • Industry and compliance framework context

Generated scenarios include inject types, narratives, avatar moods, time allocations, and role-specific response options.

After-Action Report

AI analyzes participant responses, observations, and exercise outcomes to generate a structured report with findings, recommendations, and compliance mappings.