performing-soc-tabletop-exercise

# Performing SOC Tabletop Exercise ## When to Use Use this skill when: - Annual or semi-annual incident response testing is required (NIST, ISO 27001, PCI DSS compliance) - New SOC analysts need exposure to major incident scenarios in a controlled environment - Updated playbooks need validation before next real incident - Cross-functional coordination (SOC, IT, Legal, PR, Executive) needs rehearsal - Post-incident reviews reveal gaps requiring scenario-based training **Do not use** as a replacement for technical purple team exercises — tabletop exercises test processes and decision-making, not technical detection capabilities. ## Prerequisites - Exercise facilitator with incident response experience - Participant list: SOC analysts (Tier 1-3), SOC manager, IT operations, Legal, HR, Communications - Conference room or video call with screen sharing capability - Printed or digital scenario injects with timed release schedule - Evaluation scorecard for assessing participant responses - Existing incident response plan and playbooks for reference during exercise ## Workflow ### Step 1: Design Exercise Scenario Create a realistic multi-phase scenario with escalating complexity: ```yaml tabletop_exercise: title: "Operation Dark Harvest — Ransomware Attack Scenario" exercise_id: TTX-2024-Q1 date: 2024-03-22 duration: 3 hours (09:00-12:00) classification: TLP:AMBER (internal use only) objectives: 1: "Test SOC team's ability to detect and triage ransomware ind...