Tabletop Exercise Facilitator
Mark Lynd has facilitated over 150 incident response tabletop exercises across SLED, Commercial, and Enterprise organizations. As a 5x CIO/CISO, he designs scenarios based on real threat intelligence and delivers documented after-action reports your insurer will accept.
A Skilled Facilitator Reveals the Gaps in Your Plan Before an Attacker Does.
Every organization has an incident response plan. Most of them have never been tested. The first time your team practices the plan shouldn't be during an actual attack.
Mark Lynd has facilitated over 150 tabletop exercises. He knows the five failure patterns that appear in almost every exercise: the incident commander nobody can name, the escalation chain with disconnected numbers, the authority gaps that cost critical time, the backup systems that share compromised credentials, and the legal and communications teams that have never been in the room before.
His exercises are designed to find those gaps — in a controlled environment, with documented findings, and with a prioritized remediation plan your team can act on immediately.
Tabletop Exercise Formats
Executive Tabletop Exercise
A 2–3 hour exercise designed for C-Suite and senior leadership. Focuses on decision-making authority, external communication, business continuity, and board notification. Scenario is customized to your industry and threat profile.
Participants: CEO, CFO, CISO, CIO, General Counsel, Communications, Board Members
Duration: 2–3 hours
Technical IR Tabletop
A 3–4 hour exercise for security operations, IT, and incident response teams. Focuses on detection, containment, eradication, and recovery procedures. Tests technical runbooks and tool effectiveness.
Participants: CISO, SOC team, IT operations, network security, forensics
Duration: 3–4 hours
Full-Organization Exercise
A half-day exercise that runs parallel tracks for executive decision-making and technical response. The most comprehensive format — reveals the communication gaps between leadership and technical teams that are invisible in single-track exercises.
Participants: All stakeholders — executive, technical, legal, communications, HR
Duration: 4–6 hours
Scenario Types
Ransomware and double extortion
Data breach and regulatory notification
Business continuity and disaster recovery
Supply chain compromise
Insider threat
Cloud service outage
Operational technology (OT) attack
Combined physical-cyber incident
How It Works
Scoping Call
30-minute call to understand your threat profile, IR plan maturity, and exercise objectives.
Scenario Design
Custom scenario based on your industry, recent threat intelligence, and organizational gaps.
Exercise Delivery
2–4 hour facilitated exercise with your leadership team, including injects and decision points.
After-Action Report
Documented findings, gap analysis, and prioritized remediation recommendations within 5 business days.
Frequently Asked Questions
What is a tabletop exercise facilitator?
A facilitator guides your leadership team through a simulated cyberattack scenario, presents complications, asks probing questions, and documents gaps in your response — before an attacker reveals them.
How many tabletop exercises has Mark facilitated?
Over 150 across SLED, Commercial, and Enterprise organizations, covering ransomware, data breach, BCP, supply chain, insider threat, and OT scenarios.
What scenarios does Mark facilitate?
Ransomware, double extortion, data breach, business continuity, supply chain compromise, insider threat, cloud outage, OT attack, and combined physical-cyber incidents. All customized to your industry and threat profile.
Why are tabletop exercises required for cyber insurance?
Many insurers require evidence of exercises within the last 12 months as a condition of coverage. Organizations with documented results see 50–60% premium reductions. Mark provides a documented after-action report your insurer will accept.
Schedule a Tabletop Exercise
150+ exercises. Custom scenarios. Documented findings your insurer will accept.