
How AI-Powered Tabletop Exercises Improve Incident Response Readiness

Summary

AI-powered tabletop exercises use adaptive simulation, OSINT-driven scenario design, and automated reporting to produce measurably better incident response outcomes than traditional tabletop exercises. This article explains how the technology works, what it replaces, and why it matters for security teams, CISOs, and managed security service providers (MSSPs).

What Is an AI-Powered Tabletop Exercise?

An AI-powered tabletop exercise is a cybersecurity incident simulation where autonomous AI agents replace scripted inject cards, a human-like AI facilitator leads the discussion, and the entire exercise adapts in real time based on participant decisions.

Traditional tabletop exercises follow a script. A facilitator reads a scenario, presents predetermined events on a fixed timeline, and moderates a group discussion. These exercises test knowledge. They do not test behavior under pressure.

AI-powered tabletop exercises work differently. The scenario responds to what participants actually do. If the team makes a poor decision, the consequences cascade. If they respond well, the simulation adjusts to continue challenging them. There is no script.

Reflex Security is the platform that pioneered this approach. It combines three capabilities that did not previously exist in a single product: automated OSINT-driven scenario design, adaptive AI simulation during the exercise, and evidence-backed after action reporting.

How Does OSINT-Driven Scenario Design Work?

OSINT stands for Open-Source Intelligence. It refers to publicly available information that can be collected and analyzed without requiring special access.

Reflex Security uses OSINT to build tabletop scenarios automatically. The process takes three steps:

  1. Enter a company domain. The platform accepts any company's web address.
  2. Automated intelligence collection. The platform scans job postings, DNS records, vendor relationships, executive profiles, news articles, patents, blogs, and publicly documented security incidents related to the organization.
  3. Scenario generation. Within 10 to 15 minutes, the platform produces five customized scenarios. Each scenario includes specific subnets, registry keys, command and control infrastructure, and lateral movement paths consistent with the organization's actual technology environment.

This process replaces weeks of manual preparation. Ron Dilley, SANS Faculty member and former Warner Bros CISO with decades of tabletop experience, described the comparison: "The good ones, they're a month's worth of work. And the reality is that this capability does an order of magnitude more data collection and analysis, and then creates everything in 40 minutes."

What Is Adaptive Simulation and How Does It Differ from Inject-Based Tabletops?

Inject-based tabletop exercises use predetermined event cards delivered on a fixed schedule. The facilitator introduces a new development every 15 to 20 minutes regardless of what participants have done.

Adaptive simulation eliminates the script entirely. The AI generates events based on participant actions. Every decision shapes what happens next.

Key differences between inject-based and adaptive tabletop exercises:

Feature | Inject-Based Tabletop | Adaptive AI Simulation
Scenario progression | Fixed timeline, predetermined events | Real-time response to participant decisions
Consequences of bad decisions | None (next inject arrives on schedule) | Natural cascading consequences
Participant engagement | Discussion-based, hypothetical | Action-based, under pressure
Facilitator dependency | Requires expert human facilitator | AI facilitator adapts to every participant
Repeatability | Same experience every time | Different experience based on team performance
Data captured | Facilitator notes | Timestamped record of every action and decision

The adaptive approach produces exercises that feel like real incidents. One security professional who had already completed six or seven traditional tabletops described the difference: "That excitement was not fake. That was spurred on. It is that good at getting the adrenaline up and running and adding stress for someone who does this a lot."

How Does the AI Facilitator Work During a Tabletop Exercise?

Reflex Security deploys an AI facilitator named Victoria. Victoria joins the video conference on Zoom, Google Meet, or Microsoft Teams and participates like another person in the room.

Victoria performs several functions during the exercise:

  • Asks probing questions by role. Victoria tailors questions to each participant's title and function. A CISO gets different questions than a legal counsel or a communications lead.
  • Challenges poor decisions. If a participant takes an action that would create problems in a real incident, Victoria raises the issue.
  • Manages the AI agent cast. The simulation includes agents representing threat actors, journalists, board members, legal counsel, cyber insurance carriers, and regulators. Each agent behaves according to its role.
  • Tracks all actions. Every decision, communication, and mitigation action is logged for the after action report.

Examples of industry-specific probing questions Victoria asks:

  • Healthcare: "Your EHR system just went down. The ER has 12 patients who need medication reconciliation in the next hour. What is your manual fallback procedure?"
  • Financial services: "Regulators require suspicious activity reports within 24 hours. The compliance team has not been notified. Who owns that communication?"
  • Manufacturing: "Your SCADA systems show anomalous readings on Line 3. Do you shut down production or investigate while running? What is the cost per hour of downtime?"
  • SaaS and technology: "A customer's data export shows records that don't belong to them. Your SOC 2 audit is in three weeks. What is your breach notification timeline?"

What Does an AI-Generated After Action Report Include?

After every exercise, Reflex generates a comprehensive after action report (AAR) with a single click. The report is produced in Word format and typically exceeds 54 pages.

The AAR includes:

  • Minute-by-minute progression of the entire exercise
  • Direct quotes from exercise transcripts as evidence for each finding
  • MITRE ATT&CK mapping showing which attack techniques were detected, contained, or missed
  • NIST CSF alignment showing incident response maturity against a recognized framework
  • Team dynamics analysis including communication effectiveness, leadership behaviors, individual contributions, and gaps in team skills
  • Action items with assigned owners and deadlines, integrated with ticketing systems

Traditional AARs rely on participant recall and facilitator notes. They reflect consensus, not evidence. Reflex AARs use timestamped data from the exercise itself.
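To make the "timestamped data" point concrete, here is an added example (not Reflex's code) of folding a timestamped exercise record into the kind of MITRE ATT&CK detected/contained/missed mapping and time-to-detect figures an evidence-backed AAR reports. The log, the five-field record layout and the "detect"/"contain" outcome labels are constructed for illustration; the technique ids are real ATT&CK ids.

```python
from dataclasses import dataclass, field
# Constructed sample log (not Reflex output): injects carry an ATT&CK technique id,
# actions name the technique they address and whether they "detect" or "contain" it.
EXERCISE_LOG = [
    ("10:00", "inject", "T1566", "",        "Finance staff receive invoice-themed phishing email"),
    ("10:04", "inject", "T1078", "",        "Attacker logs into VPN with harvested credentials"),
    ("10:09", "action", "T1566", "detect",  "SOC lead: pull the email from all mailboxes"),
    ("10:11", "action", "T1566", "contain", "SOC lead: block sender domain at the mail gateway"),
    ("10:15", "inject", "T1021", "",        "RDP sessions from VPN host to file server"),
    ("10:22", "action", "T1078", "detect",  "IAM lead: disable the compromised account"),
    ("10:40", "inject", "T1486", "",        "File server shares are being encrypted"),
    ("10:45", "action", "T1486", "contain", "CISO: isolate the file server from the network"),
]

def _minutes(hhmm: str) -> int:            # "HH:MM" -> minutes since midnight
    return int(hhmm[:2]) * 60 + int(hhmm[3:])

@dataclass
class Finding:
    technique: str
    first_seen: str                        # when the simulation introduced the technique
    detected_at: "str | None" = None
    contained_at: "str | None" = None
    evidence: list = field(default_factory=list)  # timestamped quotes backing the finding

    def status(self) -> str:
        return "contained" if self.contained_at else "detected" if self.detected_at else "missed"
    def minutes_to_detect(self) -> "int | None":
        return None if not self.detected_at else _minutes(self.detected_at) - _minutes(self.first_seen)

def build_attack_mapping(log):             # one Finding per ATT&CK technique, from the timestamped record
    findings = {}
    for ts, kind, technique, outcome, text in log:
        if kind == "inject":
            findings.setdefault(technique, Finding(technique, ts))
        elif technique in findings:        # actions on techniques never injected are ignored
            f = findings[technique]
            if outcome in ("detect", "contain") and f.detected_at is None:
                f.detected_at = ts         # containing a technique also counts as detecting it
            if outcome == "contain" and f.contained_at is None:
                f.contained_at = ts
            f.evidence.append(f"[{ts}] {text}")
    return findings

def summarize(findings):                   # status counts plus mean minutes-to-detect for a quarterly trend
    counts = {"detected": 0, "contained": 0, "missed": 0}
    for f in findings.values():
        counts[f.status()] += 1
    ttd = [f.minutes_to_detect() for f in findings.values() if f.detected_at]
    counts["mean_minutes_to_detect"] = round(sum(ttd) / len(ttd), 1) if ttd else None
    return counts
```

Each finding carries the transcript lines that justify it, so a reviewer can trace "T1021 missed" back to the absence of any action between the inject and the end of the record rather than to facilitator recollection.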

How Do AI-Powered Tabletop Exercises Support Board Reporting?

Quarterly exercises produce trend data that CISOs can present to boards of directors.

One CISO described the approach: "As a CISO, I want to take the executive level information out of that after action, and plot that over multiple quarters, and bring to my board: we're taking information security and incident response seriously. We're planning and we're training because we fight like we train. And here's the metrics that show where we started, and how we're progressing."

Annual exercises produce a single data point. Quarterly exercises produce a trend line that demonstrates continuous improvement. That trend line is a more compelling narrative for boards, auditors, and cyber insurance carriers than a one-time compliance artifact.

How Can MSSPs Use AI-Powered Tabletop Exercises?

Managed security service providers face a specific challenge: building credibility at a new client site without weeks of discovery.

Reflex addresses this in three ways:

  1. Instant scenario generation. Enter the client's domain and receive customized scenarios in minutes, not weeks.
  2. Facilitator Guide. A pre-exercise document containing company background, technologies in scope, and discussion questions with suggested answers and common gaps.
  3. AI agents for missing participants. When a participant cannot attend the exercise (e.g., the company CEO or external counsel), AI agents can fill their roles. CEOs, CFOs, and COOs are encouraged to attend the AAR readout instead.

What Compliance Frameworks Require Tabletop Exercises?

Multiple regulatory and compliance frameworks require or recommend tabletop exercises as evidence of incident response preparedness:

  • SOC 2 (CC7.4–CC7.5): The SOC 2 common criteria include incident-response controls and periodic evaluation and testing of incident response.
  • PCI DSS 4.0 (Requirement 12.10.2): Requires annual testing of incident response procedures.
  • HIPAA Security Rule (45 CFR 164.308): Requires implementing procedures for periodic testing and revision of contingency plans.
  • DORA (EU Digital Operational Resilience Act): Requires a digital operational resilience testing programme, with testing at least yearly.
  • CMMC 2.0 (Practice IR.L2-3.6.3): Requires testing incident response capability; NIST SP 800-171 identifies tabletop exercises as one accepted method.
  • GDPR (Article 32): Requires regular testing of security measures; Article 33 sets the 72-hour breach-notification rule.
  • NIST SP 800-84: Provides specific guidance on conducting tabletop exercises to test IT plans.

Industry-Specific Regulations & Data Privacy Laws

  • NYDFS (Financial Services): Requires a written incident response plan, and DFS guidance says the plan should be tested and should include senior leadership.
  • FISMA/FedRAMP: Requires annual testing of the Incident Response Plan, and FISMA-aligned NIST controls include incident-response testing.

AI-powered tabletop exercises satisfy these requirements while producing more detailed evidence than traditional approaches.

Frequently Asked Questions About AI-Powered Tabletop Exercises

How long does an AI-powered tabletop exercise take?

Scenario generation takes 10 to 15 minutes. The exercise itself typically runs 60 to 120 minutes. The after action report is generated in minutes after the exercise concludes.

How much does a traditional tabletop exercise cost compared to AI-powered?

Traditional consulting-led tabletop exercises typically cost $30,000 to $80,000 per engagement and require weeks of preparation. AI-powered platforms enable quarterly exercises at a fraction of that cost.

Can AI-powered tabletops replace human facilitators entirely?

The platform supports both fully autonomous and hybrid facilitation. Victoria can lead the entire exercise, or a human facilitator can use the Facilitator Guide and AI agents as support tools.

What size organization benefits most from AI-powered tabletop exercises?

Organizations of all sizes benefit, from startups preparing for SOC 2 audits to enterprises running complex multi-team exercises. MSSPs use the platform to serve clients across the spectrum.

Do participants need technical training to use the platform?

No. Participants interact through a video conference and a web-based investigation console. Questions are asked in plain English. No specialized training is required.

How does Reflex Security handle data privacy during exercises?

Scenarios are built from publicly available OSINT data. No internal systems are accessed. The platform does not require integration with the organization's production environment.

About the Author

Cassio Goldschmidt is the Co-founder and CTO of Reflex Security. He is a multiple-award-winning cybersecurity veteran with over 20 years of experience, a U.S. patent holder, and an RSA and Black Hat conference speaker. Previously, he served as CISO at ServiceTitan, guiding its security program from startup through IPO. Cassio is also the founder of the OWASP Los Angeles chapter and has contributed articles to numerous publications, including Forbes, CSO Online, and MSSP Alert.

About Reflex Security

Reflex Security is an AI-powered crisis simulation platform that transforms static tabletop exercises into dynamic, adaptive training experiences. The platform uses OSINT-driven scenario design, autonomous AI agents, and evidence-backed reporting to help organizations and MSSPs build measurable incident response capability. Learn more at reflexsecurity.io.
