惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Cisco Blogs
Schneier on Security
Schneier on Security
T
Tor Project blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tenable Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Threat Research - Cisco Blogs
C
CERT Recently Published Vulnerability Notes
Security Latest
Security Latest
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
NISL@THU
NISL@THU
L
Lohrmann on Cybersecurity
Scott Helme
Scott Helme
Webroot Blog
Webroot Blog
Project Zero
Project Zero
Google Online Security Blog
Google Online Security Blog
The Last Watchdog
The Last Watchdog
Spread Privacy
Spread Privacy
Hacker News: Ask HN
Hacker News: Ask HN
PCI Perspectives
PCI Perspectives
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
W
WeLiveSecurity
Attack and Defense Labs
Attack and Defense Labs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
N
News | PayPal Newsroom
Help Net Security
Help Net Security
The Hacker News
The Hacker News
H
Heimdal Security Blog
O
OpenAI News
S
Security @ Cisco Blogs
N
News and Events Feed by Topic
Cyberwarzone
Cyberwarzone
Simon Willison's Weblog
Simon Willison's Weblog
G
GRAHAM CLULEY
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园 - 叶小钗
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tailwind CSS Blog
大猫的无限游戏
大猫的无限游戏
A
Arctic Wolf
I
Intezer
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
Security Affairs
P
Proofpoint News Feed
S
Secure Thoughts
腾讯CDC
Google DeepMind News
Google DeepMind News
量子位
罗磊的独立博客

Black Hills Information Security, Inc.

Bad Habits: An ANTISOC Operation Same Problem, Different Angles: When Red Team and Blue Team Actually Talk to Each Other How to Identify and Exploit New Vulnerabilities Swapper – A Pure Regex Match/Replace Burp Extension A Practical Guide to BloodHound Data Collection Network Engineering Basics Signed, Trusted, and Abused: Proxy Execution via WebView2 Getting Started In Pentesting – Advice From The BHIS Pentest Lead Cloud Security: Tips and Resources for Securing the Cloud Lessons From A Chatbot Incident Understanding GRC: How to Navigate Risks and Compliance Standards The “P” in PAM is for Persistence: Linux Persistence Technique Malware Analysis: How to Analyze and Understand Malware OSINT: How to Find, Use, and Control Open-Source Intelligence What to Do with Your First Home Lab When the SOC Goes to Deadwood: A Night to Remember Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions Common Cyber Threats Finding the Right Penetration Testing Company Deceptive-Auditing: An Active Directory Honeypots Tool The Curious Case of the Comburglar How to Set Smart Goals (That Actually Work For You) Inside the BHIS SOC: A Conversation with Hayden Covington Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation Why You Got Hacked – 2025 Super Edition Abusing Delegation with Impacket (Part 2): Constrained Delegation Abusing Delegation with Impacket (Part 1): Unconstrained Delegation GoSpoof – Turning Attacks into Intel Model Context Protocol (MCP) Bypassing WAFs Using Oversized Requests Getting Started with AI Hacking Part 2: Prompt Injection Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) DomCat: A Domain Categorization Tool Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1) Microsoft Store and WinGet: Security Risks for Corporate Environments Default Web Content MailFail Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security Stop Spoofing Yourself! Disabling M365 Direct Send Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource DNS Triage Cheatsheet GraphRunner Cheatsheet Burp Suite Cheatsheet Impacket Cheatsheet Wireshark Cheatsheet Hashcat Cheatsheet EyeWitness Cheatsheet Nmap Cheatsheet Netcat (nc) Cheatsheet Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite Detecting ADCS Privilege Escalation Vulnerability Scanning with Nmap Getting Started with NetExec: Streamlining Network Discovery and Access How to Use Dirsearch Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot How to Design and Execute Effective Social Engineering Attacks by Phone Abusing S4U2Self for Active Directory Pivoting Why Use a Macro Pad? Espanso: Text Replacement, the Easy Way Caging Copilot: Lessons Learned in LLM Security Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 2: Copilot Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 1: Burpference Intercepting Traffic for Mobile Applications that Bypass the System Proxy How to Root Android Phones Communicating Security to the C-Suite: A Strategic Approach Offline Memory Forensics With Volatility Getting Started with AI Hacking: Part 1 Go-Spoof: A Tool for Cyber Deception How to Test Adversary-in-the-Middle Without Hacking Tools Canary in the Code: Alert()-ing on XSS Exploits How to Hack Wi-Fi with No Wi-Fi Why Your Org Needs a Penetration Test Program Burp Suite Extension: Copy For Light at the End of the Dark Web Wi-Fi Forge: Practice Wi-Fi Security Without Hardware Avoiding Dirty RAGs: Retrieval-Augmented Generation with Ollama and LangChain Gone Phishing: Installing GoPhish and Creating a Campaign 5 Things We Are Going to Continue to Ignore in 2025 John Strand’s 5 Phase Plan For Starting in Computer Security Questions From a Beginner Threat Hunter GRC for Security Managers: From Checklists to Influence AI Large Language Models and Supervised Fine Tuning Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan One Active Directory Account Can Be Your Best Early Warning Introduction to Zeek Log Analysis Indecent Exposure: Your Secrets are Showing Creating Burp Extensions: A Beginner’s Guide Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) The Top Ten List of Why You Got Hacked This Year (2023/2024) ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches Intro to Data Analytics Using SQL Finding Access Control Vulnerabilities with Autorize The Detection Engineering Process Cyber Risk Lessons We Can Learn From Hurricane Preparedness Intro to Desktop Application Testing Methodology What Is Penetration Testing? Adversary in the Middle (AitM): Post-Exploitation Pentesting, Threat Hunting, and SOC: An Overview QEMU, MSYS2, and Emacs: Open-Source Solutions to Run Virtual Machines on Windows
How to Lead Effective Tabletops
BHIS · 2026-03-18 · via Black Hills Information Security, Inc.

written by Glen Sorenson || Guest Author

How To Lead Effective Cybersecurity Tabletops

This article was originally published in the InfoSec Survival Guide: Green Book. Find it free online HERE or order your $1 physical copy on the Spearphish General Store.

Learn More by Having Fun

Imagine herding your team of proverbial cats for what they expect to be another eye-rolling “preparedness exercise.” But instead of the standard fare, you introduce a tabletop exercise (TTX) that’s less about enduring another meeting and more about engaging in a collaborative challenge. It’s like suddenly finding yourselves as the key players in a thrilling plot to outsmart security incidents, bad actors, and other subglobal disasters.

Tabletop exercises have long been a staple of security and BCDR activities, designed to simulate real-world scenarios for team training and preparedness. These exercises typically unfold boringly — in a meeting-style setting where participants discuss sterile scenarios. With some will and some skill, these monotonous exercises can be made much more engaging and even… gasp fun.

People do learn effectively (and arguably better) when they’re having a good time.

Make It a Game

You can build engaging TTXs by adding elements of gamification. This doesn’t have to be an all-or-nothing prospect. The benefits of a fun tabletop exercise are manyfold: identifying gaps in plans, improving team cohesion, and enhancing decision-making skills, all while making the dreaded drill a source of laughter and inspiration. It becomes the perfect blend of necessity and engagement, turning a chore into an intriguing, strategy-driven quest.

But How?

How do we craft and run a fun and effective TTX experience?

Know Your Audience

Is your TTX for a group of highly technical IT and security folks or do you have a mix of IT and non-technical business leaders?

Understand Your Objective

Are you training your technical IR team or are you raising awareness with business leaders?

Play with Assumptions

Don’t be afraid to make assumptions about the scenario and challenge assumptions made by the team. Yes, your EDR can’t be bypassed. No, your web app is not invulnerable behind a WAF. Yes, people will click links and cough up credentials and MFA codes.

Keep It Believable

Don’t feel bound by reality. You can invent a fictitious company and environment. It should be grounded in reality, but it doesn’t have to be real.

When there’s more fiction involvedegos and attachments to outcomes often become less involved.
This is a good thing.

Give players a character with a role that may be different than their normal daily self. Have someone play the company CFO bent on numbers, a Communications Manager more focused on their book deal, or the crazy Linux guy that has to use Microsoft technology against his will. Seriously, exaggerate roles and have fun with it. In doing so, you can greatly broaden worldviews.

Don’t Lose Sight of Reality

Bring in some realistic elements. Do a little homework.

A good source of inspiration is MITRE ATT&CK Framework and MITRE’s Cyber Threat Intelligence, which has a great deal of information about real-world campaigns, threat actors, and tooling. You should know the chain of events behind the scenes, but you don’t have to reveal every technical action.

Adapt and Be Flexible

You can shoot yourself in the foot if you plan too rigidly and the participants/players take it a direction you didn’t think of. Always do.

Randomize

Roll dice. When someone wants to take an action, determine how difficult the task is (a simple high, medium, or low will suffice) and make them roll dice to determine success or failure based on that difficulty. How many times in a real investigation have you wanted to examine logs for something specific, only to find you weren’t logging what you thought you were? Or the flip side, by some sheer miracle, an employee recognized unusual behavior, shut down their computer, and called the help desk?

Different IR roles (and characters if you’re using them) may have different strengths and weaknesses. Your legal counsel is probably not going to sift through logs and your crazy Linux guy may not be the best person to craft messages to customers. Modify dice rolls appropriately.

Bring pizza. Have fun. Learn. Grow!

For help structuring a gamified incident response, check out:

HackBack Gaming: hackbackgaming.com

Backdoors & Breaches: backdoorsandbreaches.com



Explore the Infosec Survival Guide and more… for FREE!

Get instant access to all issues of the Infosec Survival Guide, as well as content like our self-published infosec zine, PROMPT#, and exclusive Darknet Diaries comics—all available at no cost.

You can check out all current and upcoming issues here: https://www.blackhillsinfosec.com/prompt-zine/