Ransomware tabletop exercise — real injects, real decisions, real AAR.
Ransomware is the scenario every buyer asks for first, and the one most off-the-shelf tabletops do worst. Annual Tabletop's ransomware scenarios are built around the constrained decisions that actually matter: when to pay, when to isolate, when to call CISA, who talks to the press.
What this page covers
A practitioner-level guide, not a keyword page.
- Why most ransomware tabletops fail (and how ours are different).
- The constrained decisions the exercise forces your team to make.
- The framework crosswalks your AAR will carry.
- Which segment in our library matches your environment.
Most ransomware tabletops are awareness theater — a slide deck where the facilitator reads a story and the room agrees to call the CISO. That's not an exercise. That's a meeting.
Annual Tabletop's ransomware scenarios are built around what IR actually is: a sequence of time-boxed, constrained decisions made under incomplete information. Atlas runs injects that force the team to pick a lane — confirm, acknowledge, or defer — and then makes you live with the consequence in the next inject.
The AAR captures every decision, scores them against your plan, and carries the framework crosswalks your specific environment needs. A county gets an HSEEP / CTEPs AAR. A hospital gets a HIPAA AAR. A regional bank gets an FFIEC AAR. Same exercise engine; segment-tuned artifact.
Recommended scenarios
Start with these.
- Ransomware (Advanced)
County Election Systems — Ransomware 14 Days Before the General
Your county BoE's ePollbook vendor reports a confirmed ransomware encryption event 14 days before the November general election. Walk the room through containment, COOP activation, and public communication under HSEEP.
- NIST 800-84
- FEMA HSEEP
- CISA CTEPs
- NIST CSF 2.0
- Ransomware (Intermediate)
MSP Client Ransomware — Multi-Tenant Blast Radius
A ransomware event at one of your managed clients turns out to share a tenant boundary with three others. Walk the partner playbook for containment, customer comms, and cross-tenant notification.
- NIST CSF 2.0
- NIST 800-84
- SOC 2 CC7.4/CC7.5
- Business Email Compromise (Intro)
Wire Fraud via BEC — The Auditor's Favorite SMB Scenario
A finance lead authorizes a $187K wire to a 'new vendor' after a CEO email thread that turns out to be a BEC. Run the response your SOC 2 / cyber-insurance underwriter wants documented.
- SOC 2 CC7.4/CC7.5
- HIPAA §164.308
- FFIEC
- PCI 12.10
FAQ
Questions practitioners ask
Do you cover 'to pay or not to pay'?
Yes. That's one of the most instructive injects. We don't give you a right answer — we force the team to articulate theirs, with counsel and leadership in the room.
What about double-extortion scenarios?
Covered. The scenario escalates if the team chooses containment paths that assume data-only encryption.
Is this realistic enough for my IR team?
The scenarios are built with practitioners. The injects are grounded in documented incidents. Feedback from our design partners says the constrained-decision format is what separates us from vendors doing slideware.
Can you customize to my environment?
Custom scenarios are available as an add-on on Enterprise tiers. Most buyers find the stock library covers 80%+ of what they need.