Ransomware Tabletop Exercise: 60-Min Agenda + Decision Gates

Run a 60-minute ransomware tabletop exercise that forces real calls, decision gates, owners, and next steps. Copy-paste agenda and template.

SageSims

5/6/2025, 6 min read

A leadership guide to running a ransomware tabletop exercise

Ransomware Tabletop Exercise (60-Minute Agenda and Decision Gates Template)

Leaders align quickly under time pressure in a focused tabletop setting, created with AI.

Ransomware tabletop exercises, essential for cybersecurity preparedness, fail for a simple reason: they turn into open-ended talk. People debate tools, trade stories, and wait for perfect facts. In a real ransomware attack, you don’t get perfect facts. You get a clock, partial signals, and a team that needs to make calls that will upset someone.

A tight 60-minute ransomware tabletop exercise fixes that. It forces decisions under time pressure to test your incident response plan, then captures what you’ll change on Monday. The key is using decision gates, planned pause points where leaders must choose a path, assign an owner, and define what they need next.

This post gives you a copy-paste agenda, a decision gates template, and facilitator tips built for boards and exec teams tackling cybersecurity threats.

Key takeaways: 60-minute ransomware tabletop exercise agenda and decision gates

  • A decision gate is a pre-set pause where leaders must choose, document, and move.

  • The 60-minute flow is: rules, kickoff, timed injects, debrief, owned actions.

  • Have the incident response team and key stakeholders in the room: exec sponsor, IT/security, legal, comms, ops, HR, finance (board can observe).

  • The decisions that matter most: isolate systems, notify and escalate, shut down or keep running, restore or negotiate, handle communication (go public or targeted outreach).

  • Capture every call with: Decision, Owner, Time, Rationale, Next signal.

  • Measure success in decision-making by time to decide and role clarity, not by having a “perfect” answer.

The 60-minute ransomware tabletop exercise agenda (minute-by-minute template)

An executive team works through timed injects and fast decisions, created with AI.

Use a visible timer. Put it on a screen. Don’t hide it. Pressure is the point.

If you want extra scenario ideas to rotate in later, see AlertMedia’s examples of ransomware scenarios.

Minute-by-minute agenda (copy and run)

Time | Facilitator prompt (read it out loud) | Output you must capture

0 to 5 | “No blame. Speak from your role. State assumptions. Decide with imperfect info.” Assign roles. Pick one goal. | Roles list, single goal, out-of-scope list

5 to 10 | “Here’s what we know, and what we don’t.” Set the opening scene. | Initial assumptions and first decision needed

10 to 20 | Inject 1: encrypted file shares reported, help desk spike. “What’s our containment call?” | Gate decision + owner + next signal

20 to 27 | Inject 2: backup integrity is unclear. “Do we shut down anything?” | Backup recovery call and business disruption rationale

27 to 35 | Inject 3: attacker claims data theft, posts a sample claim. | Notification stance, truth discipline message

35 to 42 | Inject 4: a key vendor says they see suspicious traffic too. | Vendor and insurer escalation actions

42 to 50 | Inject 5: reporter asks for comment; employees are posting screenshots internally. | Comms owner for out-of-band communication, message pillars, update cadence

50 to 60 | “What are the fixes, with owners and dates?” Schedule next exercise. | Action plan with 30/60/90-day dates

0 to 5 minutes: Set rules, roles, and the single goal

The facilitator sets ground rules to keep executives out of the weeds. No blame. No “we’d never let that happen.” Say what you’re assuming. Decide anyway.

Roles to assign (real names, not job titles): incident commander, IT/security lead, legal, comms, HR, finance, operations, executive sponsor (CEO or COO). If a board member is present, define “observer” vs “participant” up front.

Pick one goal, like “test containment and customer communication.” Out of scope for this hour: root cause forensics, detailed rebuild steps, tool configuration.

5 to 10 minutes: Scenario kickoff (what we know, what we do not know)

Opening scene: it’s a normal workday. A department reports they can’t open shared files. A security alert shows unusual admin logins. A server is behaving oddly. Orders are still flowing, but call volume is rising.

Unknowns you must work with: whether backups are clean, and whether data left the network.

Trend context for leaders: many 2025 attacks are human-led, start with phishing, and combine extortion with disruption, not just encryption. That’s why speed and message control matter.

10 to 35 minutes: Run the scenario with timed injects and fast decisions

Run three fast rounds. After each inject, force one documented call:

  • “What is our decision?”

  • “Who owns it?”

  • “What’s the next update we need, and by when?”

Use one line of notes each time: Decision | Owner | Time | Rationale | Next signal. Stop debate once people repeat themselves. Make the call. Move.

35 to 50 minutes: Debrief that turns talk into fixes

Ask six questions, then capture gaps as backlog items:

  1. What went well?

  2. What slowed us down?

  3. Where did decision rights break?

  4. What info did we wish we had?

  5. Where did comms get messy?

  6. What would we do in the first 30 minutes next time?

Keep the output concrete: “Draft holding statement,” not “improve communications.”

50 to 60 minutes: Action items, owners, dates, and the next exercise

Write actions in this format: Item, Owner, Due date (30/60/90), Definition of done, Dependency. Schedule the next 60-minute run now (aim for 60 days) and change one variable: vendor breach, regulator call, peak-season outage.

Decision gates template: the calls that must be made, fast

Leaders document options and owners at a decision gate, created with AI.

Decision gates are planned pause points in the incident response plan. They reduce confusion, speed alignment, and create an audit trail of who decided what, when, and why, all of which builds cyber resilience. RedLegg’s guidance on running ransomware tabletop exercises that prepare teams aligns with this idea: push toward decisions, not discussion.

Use this reusable template:

Gate | Trigger | Options | Decision owner | Next info needed

1. Containment | Encryption signals, lateral movement, EDR alerts | Isolate, shut down, limited ops | CISO + COO, CEO aware | Scope, crown jewels, safety impact

2. Notify | Material impact risk, extortion claim, legal clock | Escalate internal, call insurer/counsel, law enforcement | GC + CEO | What we can say now, next update time

3. Recover | Downtime pain, backup questions, negotiation contact | Restore, rebuild, negotiate, pay or don’t | CEO with GC/CFO/CISO, board oversight | Backup integrity, sanctions risk, harm

4. Communicate | Customer impact, reporter inquiry, employee confusion | Go public, targeted outreach, hold statement | Comms lead + GC | Message pillars, channels, cadence

Gate 1: Containment and business disruption (isolate now, or keep running)

Stop rule example: if encryption is confirmed on 3 systems, initiate containment by isolating affected network segments within 15 minutes. The tradeoff is simple: risk of spread versus uptime. The owner is usually the CISO with the COO, with CEO awareness.

Gate 2: Notification and escalation (who must know, by when)

Decide who gets called now: CEO, GC, comms, board chair, insurer, outside counsel, forensics. When a regulatory data breach notification threshold is in play, apply “truth discipline”: share what’s known, what’s not known, and when the next update will land.

Gate 3: Recovery approach (restore, rebuild, or negotiate)

Rehearse this recovery strategy because stress breaks plans. Inputs you must demand: verified backup integrity, downtime tolerance, legal limits, sanctions risk, customer harm, safety impact. Threshold example: if backups are verified clean and RTO is acceptable, don’t negotiate.

Gate 4: External communications (go public, stay quiet, or targeted outreach)

Pick one spokesperson. Set message pillars. Align internal and external updates so employees don’t learn “the truth” from rumors. Consistency builds trust faster than detail.

Facilitator setup, scoring, and common failure points (so the hour is not wasted)

Invite 8 to 12 stakeholders across security/IT, ops, legal, comms, HR, finance, plus an exec sponsor. Prep three things: a one-page threat assessment snapshot of critical systems, your escalation chart, and a draft holding statement. Keep constraints real (remote leaders, after-hours, limited data) to practice in a risk-free environment before a real crisis. For broader tabletop exercise best practices beyond ransomware (such as a supply chain attack), Cypfer’s overview of cybersecurity tabletop exercises is a helpful reference.

Score in real time (1 to 5):

  • Time to first containment decision

  • Clarity of decision owner

  • Quality of assumptions

  • Consistency of communications

  • Ability to prioritize critical systems

  • Quality of action list with owners

Common failure points: waiting for perfect info, unclear authority, and “tool talk” that avoids leadership calls.

FAQs: 60-minute ransomware tabletop exercises and decision gates

How often should we run a ransomware tabletop exercise?

At least twice a year, plus after major changes (new ERP, cloud migration, M&A, new critical vendor). Rotate scenarios and participants.

Should the board participate, or just observe?

Either works. Observing supports oversight. Participating tests cybersecurity governance calls. Define what decisions are management-owned vs board oversight before you start.

Do we need to include a ransom payment decision in the exercise?

Yes. Even if the policy is “never pay,” the pressure shows up. Practice thresholds and required inputs so the discussion doesn’t take over the hour.

What if our team gets the wrong answer during the tabletop?

That’s useful. Document the lessons learned and the assumptions, then turn gaps into owned fixes. Speed and role clarity matter as much as the choice.

How do we keep it non-technical for executives?

Anchor everything on business continuity impact and decision gates. Push deep technical steps into a separate operational drill.

What’s the best way to prove improvement over time?

Track time to decide, repeat role clarity scoring, and close action items within 30 to 90 days.

Conclusion

A 60-minute ransomware tabletop exercise works when it forces decisions, uses decision gates, and ends with owners, dates, and an after-action report. It should feel like a live bridge call, not a workshop. Run it once and you’ll see where authority blurs, where facts get stuck, and where your story fractures.

How SageSims can help: SageSims runs board and executive leadership simulations that pressure-test these exact tradeoffs with timed injects and disciplined debriefs, so your team leaves with a decision system that holds your information security together. If you want to rehearse this with real tension and clean outputs, start with SageSims high-stakes decision rehearsal services and schedule a 60-minute session in the next 30 days.

Challenge: Would your decision system hold up during a ransomware attack when the timer starts?
