Drillber Blog

How to Build a Cyber Exercise

Drillber Team·June 8, 2026

Quick Answer

To build a cyber exercise: (1) define one specific objective, (2) pick a format (tabletop is easiest), (3) design a scenario mapped to MITRE ATT&CK, (4) assign roles in advance, (5) facilitate without solving, (6) run an After-Action Review within 48 hours, and (7) report findings in business language to leadership. Follow NIST 800-61 as your structural guide.

Most security teams know they should run cyber exercises. Few know how to build one that actually surfaces real gaps.

Here's the short version.

📘 The standard behind this guide: NIST SP 800-61. NIST Special Publication 800-61 is the U.S. government's guide to computer security incident handling. Think of it as the agreed-upon playbook for how professional IR teams should operate. Revision 2 describes four phases: Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity. Revision 3 (2025) reorganizes the same guidance around the NIST CSF 2.0 functions, but the four-phase lifecycle is still the vocabulary most IR teams use, and it is the one this guide follows. The steps below track that lifecycle, so your exercise tests what actually matters when a real incident hits.


What objective should your cyber exercise test?

Don't start with a scenario. Start with a question you need answered, for example: "Can we identify and contain a ransomware infection on a file server before it spreads to a second host?" or "Who has the authority to take the payment system offline, and how quickly can they be reached?"

One objective per exercise. Vague objectives produce vague results, and an exercise that tries to test everything tests nothing in enough depth to act on.


Which exercise format is right for your team?

Tabletop — Participants talk through the scenario. No systems touched. Best for testing decisions and communication. Easiest to run.

Functional — Teams execute actual playbook steps in a simulated environment. Higher fidelity, more preparation.

Full-Scale — End-to-end drill with live systems and real stakeholders. For mature programs or compliance requirements.

Start with a tabletop. You'll find enough gaps to keep you busy.


How do you design a realistic cyber exercise scenario?

Generic ransomware scenarios waste everyone's time. Use your threat intelligence: what attack vectors are hitting your industry right now?

Then map each stage of the scenario to MITRE ATT&CK: the tactic (Initial Access, Lateral Movement, Impact) and the specific technique the attacker would use at that stage. This gives the exercise technical precision and makes the debrief actionable: a gap shows up as "we had no detection for this technique," not "the team was slow."

Plan 5–8 injects: the pieces of information you feed participants to advance the scenario, such as a SIEM alert, a help desk ticket, or a legal question about notification obligations. For each inject, write down when it arrives, which role receives it, and the decision it is meant to force. An inject that forces no decision is just narration.
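A pre-flight check for the inject plan, written as an added example for this guide (it is not Drillber's code or product). It checks the things the scenario section asks for: 5–8 injects, each with a recipient role, technique IDs in ATT&CK format, coverage of the Initial Access, Lateral Movement and Impact tactics, and at least one inject that forces a non-SOC role to decide. It also flags any silence longer than a chosen threshold, which is where tabletops stall. The ATT&CK technique IDs are real identifiers chosen to illustrate a ransomware chain; the inject texts, roles, timings and the 20-minute gap threshold are constructed assumptions for the example.

```python
"""Pre-flight check for a tabletop inject plan.

Added example for this guide; not Drillber's code. The ATT&CK technique
IDs are real identifiers chosen to illustrate a ransomware chain, and the
inject texts, roles and timings are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ATT&CK technique IDs look like T1566 or T1566.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"T\d{4}(\.\d{3})?")

# Tactics the scenario must exercise (assumption: the three the guide names).
REQUIRED_TACTICS = ("initial-access", "lateral-movement", "impact")

# Roles outside the SOC; at least one inject must force one of them to decide.
NON_SOC_ROLES = {"CISO", "Legal", "Communications", "Executive"}


@dataclass(frozen=True)
class Inject:
    minute: int                      # exercise clock, minutes from start
    channel: str                     # how it arrives: siem, helpdesk, legal, press
    text: str                        # what the facilitator reads out
    directed_to: Tuple[str, ...]     # roles expected to react
    tactic: Optional[str] = None     # ATT&CK tactic; None for non-technical injects
    technique: Optional[str] = None  # ATT&CK technique ID


def validate_plan(injects: List[Inject], duration_minutes: int,
                  max_gap_minutes: int = 20) -> List[str]:
    """Return the problems found; an empty list means the plan is ready to run."""
    problems = []
    if not 5 <= len(injects) <= 8:
        problems.append(f"{len(injects)} injects planned; aim for 5-8")

    ordered = sorted(injects, key=lambda i: i.minute)
    if [i.minute for i in injects] != [i.minute for i in ordered]:
        problems.append("injects are not listed in delivery order")

    previous = 0
    for inj in ordered:
        if not 0 <= inj.minute <= duration_minutes:
            problems.append(f"minute {inj.minute} is outside the {duration_minutes}-minute window")
        # Keep momentum: a long silence is where tabletops stall.
        if inj.minute - previous > max_gap_minutes:
            problems.append(f"{inj.minute - previous}-minute silence before the minute-{inj.minute} inject")
        previous = inj.minute
        if inj.technique and not TECHNIQUE_ID.fullmatch(inj.technique):
            problems.append(f"{inj.technique!r} is not an ATT&CK technique ID")
        if inj.technique and not inj.tactic:
            problems.append(f"{inj.technique} has no tactic; the debrief needs the phase, not just the ID")
        if not inj.directed_to:
            problems.append(f"minute-{inj.minute} inject names no role to react to it")

    covered = {inj.tactic for inj in ordered if inj.tactic}
    for tactic in REQUIRED_TACTICS:
        if tactic not in covered:
            problems.append(f"no inject exercises the {tactic} tactic")

    if not any(NON_SOC_ROLES & set(inj.directed_to) for inj in ordered):
        problems.append("every inject lands on the SOC; add a legal, comms or executive decision")
    return problems


def runsheet(injects: List[Inject]) -> List[str]:
    """Facilitator's timeline: one line per inject, in delivery order."""
    return [f"T+{i.minute:02d}  [{i.channel}] -> {', '.join(i.directed_to)}: {i.text}"
            for i in sorted(injects, key=lambda i: i.minute)]


# Constructed sample: phishing -> RDP lateral movement -> exfil -> encryption,
# with help-desk, legal and press injects that pull non-SOC roles in.
SAMPLE_PLAN = [
    Inject(0, "siem", "EDR: invoice.docm spawned powershell.exe on FIN-WS-04",
           ("IR Lead",), "initial-access", "T1566.001"),
    Inject(10, "helpdesk", "Finance user: 'the invoice file was corrupt, I opened it twice'",
           ("IR Lead", "IT/Infrastructure")),
    Inject(20, "siem", "svc-backup interactive RDP logons to three file servers",
           ("IR Lead", "IT/Infrastructure"), "lateral-movement", "T1021.001"),
    Inject(35, "siem", "4 GB outbound from FS-01 to an unknown host over TLS",
           ("IR Lead", "CISO"), "exfiltration", "T1041"),
    Inject(45, "legal", "Counsel asks whether the outbound transfer triggers notification duties",
           ("Legal", "CISO")),
    Inject(55, "siem", "FS-01 shares renamed *.locked; ransom note dropped",
           ("IR Lead", "Executive"), "impact", "T1486"),
    Inject(70, "press", "Reporter asks the press office about 'an outage'",
           ("Communications", "Executive")),
]

if __name__ == "__main__":
    for line in runsheet(SAMPLE_PLAN):
        print(line)
    print(validate_plan(SAMPLE_PLAN, duration_minutes=90) or "plan ready")
```

Run it before the dry run with the real plan swapped in for SAMPLE_PLAN. Dropping the lateral-movement inject from the sample produces two findings: the missing tactic, and a 25-minute silence between the help desk ticket and the exfiltration alert, which is exactly the stall a facilitator would otherwise have to improvise around.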


Who should participate in a cyber exercise?

A cyber incident doesn't stay inside the SOC. Get the right people in the room:

IR Lead: runs the technical response and owns the containment decisions.
CISO: escalation point and the link to the executive team.
Legal: notification obligations and regulatory exposure.
Communications: internal and external messaging.
IT/Infrastructure: executes the containment and recovery steps.
Executive: business continuity decisions, such as taking a revenue system offline.

Brief participants on their roles before the drill. The exercise tests decision-making, not job knowledge.


How do you facilitate a tabletop exercise effectively?

Your job as facilitator is to surface decisions, not make them. Keep momentum: if the team stalls, inject new information. Set time limits on each phase. Document every decision and every gap in real time — that's your raw material for the debrief.

📘 NIST 800-61 calls these the "Detection & Analysis" and "Containment, Eradication & Recovery" phases, the two most time-critical parts of any incident. Your exercise should create real pressure on both: can the team identify what's happening and decide how to contain it before the window closes?


What happens after the exercise — the After-Action Review

This is where the value is.

Hold the AAR within 48 hours, while the decisions are still fresh. Walk the timeline you documented during the exercise, then rank findings by impact. Assign every gap an owner and a deadline. Unassigned findings don't get fixed.

📘 In NIST 800-61 language, this is "Post-Incident Activity": the lessons-learned step that turns the exercise into changes to the plan, the playbooks and the detections.

Frequently Asked Questions

What is a cyber tabletop exercise?
A cyber tabletop exercise is a discussion-based simulation where security teams talk through a realistic attack scenario to test decision-making, communication, and incident response procedures — without touching live systems. It follows the NIST 800-61 incident response lifecycle.
How long does it take to build a cyber exercise?
A basic tabletop can be built in 1–2 days. Functional exercises require 2–6 weeks. Platforms like Drillber reduce planning to under an hour by automating scenario delivery, role assignment, and reporting.
What frameworks should a cyber exercise follow?
NIST 800-61 defines the four IR phases every exercise should test: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. MITRE ATT&CK provides technique-level detail for realistic scenario design.
Who should participate in a cyber exercise?
At minimum: IR Lead, CISO, Legal, and Communications. Full exercises should include IT/Infrastructure and an Executive for business continuity decisions. Brief all participants on their roles before the drill starts.
How often should organizations run cyber exercises?
Best practice is one major tabletop per quarter, with monthly mini-drills for specific playbooks. Regulations such as DORA and NIS2 expect documented, regular testing of incident response, and NIST CSF treats tests and exercises as a source of improvements, so keep the run sheet, attendance and AAR as evidence.

Drillber Security Team

Practitioners who have planned, facilitated, and analyzed hundreds of cyber exercises across enterprise, government, and MSSP environments. Drillber is built on NIST 800-61 and MITRE ATT&CK frameworks.