
For years, the tabletop exercise was the thing you had to talk people into.
You knew it mattered. Everybody nodded. Then it slid to next quarter, because nothing was on fire and the calendar was full.
That argument is over. Now the board wants one scheduled. Your insurer asked about your last one before they'd quote the renewal. Legal has opinions. The exercise you used to defend is suddenly something other people are putting on your calendar.
So what changed?
Not one thing. Five of them, and none is new on its own. They just all showed up at once.
Start with the regulators. "Test your incident response plan" lived in the recommendations column of every framework you have ever mapped against, and recommended is easy to ignore. Recommended waits. Then it picked up a deadline and a number. The SEC's disclosure rule wants an 8-K on a material cyber incident within four business days of the moment you decide it is material, and it has been on the books since December 2023.
Here is the part most coverage gets backwards. Enforcement cooled off this past year. The SEC walked away from its SolarWinds case in November 2025, and there is a live petition to kill the rule outright. Do not mistake that for relief. The rule still stands. The clock still runs. And the pressure that came off the SEC did not evaporate. It moved. It moved to shareholder suits. It moved to state regulators. It moved into the breach-notification clauses buried in your customer contracts, the ones Legal signed and nobody reads until it is too late.
The hard part never had much to do with the SEC anyway. The hard part is the materiality call itself. That is not a clean technical judgment. That is legal, finance, comms, and security landing on one decision while a clock runs, and you are the one expected to get them in a room. The only way to know whether your organization can do that in four business days is to have done it once when the stakes were fake.
Europe did not cool off at all. DORA has applied to financial entities since January 2025, and it asks for scenario-based resilience testing out loud. NIS2 is pushing the same expectation across more sectors as member states transpose it.
And then there is the thing CISOs do not say out loud at conferences but absolutely think about on the drive home. When the SEC named the SolarWinds CISO personally, that was the first time it had ever put a security professional's own name on the complaint. The case is over now. It did not un-ring the bell. For two years, every CISO watching understood that "what did you know, and what did you do about it" could show up someday with their name on it. A documented exercise, with findings and fixes that got closed, is one of the cleaner answers to that question.
The insurers are less philosophical about it. Your cyber renewal questionnaire gets longer and nosier every year. Underwriters now grade incident response maturity directly. They grade it when they price the policy. They grade it harder when they adjudicate a claim. A tested plan and an untested one are not the same risk, and insurers have stopped pretending otherwise. That quietly rewires the politics of the whole thing. You used to have to sell a tabletop to your own leadership. Now it sits on a checklist the CFO already cares about, because it has a line to premium cost and a line to whether a claim pays out clean. It moved off your wish list and onto somebody else's.
Then there is the shape of the incident itself, which has outgrown the security team. The threat side did its part. Ransomware victim counts climbed hard in 2025. By one widely cited tracker, the number of organizations posted to leak sites rose roughly 58% year over year. You already know the tactical shift: more crews skip encryption entirely and go straight to stealing the data and threatening to publish it. But the tactics are not the part that should keep you up. The coordination is. When a brewing giant suspends operations across Japan after an attack, or two banks get hit through one vendor they happened to share, the response stops being something the security org runs. It becomes something the security org has to conduct. Legal, comms, the executive team, regulators, suppliers, customers, all of them, often inside the same day.
The tabletop is where the seams show. It is where you learn that nobody agrees on who has the authority to pull a revenue-generating system offline. It is where you watch legal and comms discover they have completely different instincts about the materiality call. You want to find that out in a conference room with bad coffee. Not at 2 a.m. on day three, with a reporter already holding the story. Run the exercise once and the real thing becomes a faster, quieter version of a conversation you have already had. Skip it and you are doing introductions during the worst week of the year.
AI broke the playbook you already wrote. It changed the attack and your maintenance burden at the same time. On offense, AI-generated phishing and deepfake voice and video went from party trick to commodity. Deepfake-as-a-service kits were sitting there for sale in 2025. The scenario where someone in finance takes a very convincing video call from "the CFO" approving a transfer is not a thought experiment anymore. And you wrote most of the playbooks in that binder before any of that was a realistic way in. On defense, the gap is one your own people opened, quietly, with good intentions. IBM's 2025 Cost of a Data Breach report tied "shadow AI," meaning ungoverned AI tools nobody approved, to measurably higher breach costs. Most breached organizations in that report had no AI governance policy at all. New ways in. New exposure already inside. Both mean new scenarios. And a scenario you have never walked through is a scenario your plan does not actually cover. It just looks like it does.
The last push comes from above your seat. The SEC rule still makes the company describe how its board oversees cyber risk, which means your directors must be able to say something true about it, and they get there by asking you. Shareholder suits keep framing breach losses as a governance failure, which raises the temperature on every board conversation you walk into. Boards have stopped wanting assurance. They want evidence. Not "we have an incident response plan." They want "we tested it, here is what broke, here is what we have closed since." A tabletop is one of the few things in your whole program that hands you that on demand: a scenario, a list of gaps, a record of fixes. That is most of why the request now comes down the org chart instead of up from your team.
Line the five up and they are all asking you the same question from different chairs. Regulators, insurers, attackers, AI, your own board. Not "do you have a plan." They want to know whether you have ever actually run it.
A binder answers the first question. Only a rehearsal answers the second. And the second is the one everyone is asking now.
This is the shift we watch up close at Reflex Security. The teams that handle incidents well are almost never the ones with the thickest documentation. They are the ones who have already sat in the room together, made the ugly calls under fake pressure, and found where the plan tears before a real adversary found it for them.
The exercise is not the deliverable. The muscle memory is.
You do not rise to the occasion. You fall to the level of your preparation. So go run the thing. Go break your response plan in a room where breaking it is free.
Because everybody is about to find out whether you did.
