Most tabletop exercises are structured conversations. A facilitator presents a scenario, poses a question, and the group discusses. Then comes the next inject card. And the next.
This format has a fundamental flaw: the exercise moves on a predetermined schedule regardless of what participants actually do.
The Problem with Injects
Inject-based tabletops are scripted. The facilitator has a list of events to introduce, a timeline to follow, and a set of expected responses to guide toward. If the team makes a poor decision at step three, the exercise still moves to step four on schedule.
This breaks realism in a specific way. In a real incident, bad decisions have consequences that cascade. If the security team notifies the wrong stakeholders, communication breaks down. If they fail to isolate a compromised segment, the attacker moves laterally. If they don't contact outside counsel before starting an investigation, privilege is lost.
In a scripted tabletop, none of that happens. The inject card arrives regardless. Participants learn, consciously or not, that their decisions don't actually matter to the outcome of the exercise. They can wait for the next card. They can give technically correct answers without committing to anything. The exercise becomes a discussion about what the team would do, not a test of what the team actually does under pressure.
Adaptive Simulation
Reflex Security takes a different approach. The platform has no script.
The simulation adapts in real time to participant decisions. Every action the team takes, every decision made or deferred, every stakeholder notified or overlooked, shapes what happens next. If the team makes a bad call, consequences follow naturally. If they respond well, the scenario adjusts to continue challenging them.
As one participant put it: "What's the best part about Reflex Security is that it's unscripted, right? There's no script behind. It's all based on your actions and reactions and what the attackers and defenders actually decide to do."
Participants cannot game an adaptive simulation by waiting for the next inject. There are no inject cards. The exercise responds to them.
Victoria and the Agent Cast
Reflex Security deploys an AI facilitator named Victoria. Victoria joins the video conference, asks probing questions tailored to each participant's role, and challenges decisions that would create problems in a real incident.
Victoria also manages a full cast of AI agents representing threat actors, journalists, board members, legal counsel, insurance carriers, and regulators. These agents behave according to their roles. A reporter will call for comment. An insurance carrier will ask about the organization's controls before covering the loss. A board member will want to know about regulatory exposure.
The questions Victoria asks are calibrated to the industry and the scenario. In healthcare: "Your EHR system just went down. The ER has 12 patients who need medication reconciliation in the next hour. What is your manual fallback procedure?" In financial services: "Regulators require suspicious activity reports within 24 hours. The compliance team has not been notified. Who owns that communication?" In manufacturing: "Your SCADA systems show anomalous readings on Line 3. Do you shut down production or investigate while running? What is the cost per hour of downtime?" In SaaS: "A customer's data export shows records that don't belong to them. Your SOC 2 audit is in three weeks. What is your breach notification timeline?"
These questions target the specific decisions that teams get wrong, and they surface those gaps in a controlled environment rather than during an actual incident.
The Investigation Console
Participants interact with the simulated environment through an investigation console. They can query it in plain English: search log files, pull endpoint telemetry, check network traffic. The console returns realistic data consistent with the scenario. Teams take mitigation actions, and those actions are tracked and evaluated.
This is a meaningful shift from discussion-based exercises. Participants are not just talking about what they would do. They are doing it, in a simulated environment, under time pressure, with consequences attached to their decisions.
The Facilitator Guide
Before each exercise, Reflex generates a Facilitator Guide. It contains the company background, a description of the scenario, key discussion questions, and guidance on what good answers look like and what gaps to listen for.
This document matters because it prepares facilitators with meaningful questions related to a multitude of topics that are impacted during an incident: communication, containment, regulatory compliance, company specifics. Having those questions ready ahead of time makes facilitator comments more insightful and saves preparation time.
What Stress Reveals
One participant who had completed six or seven tabletops before described the experience:
"That excitement, that all that I had not fake. That was spurred on... I'd already done six or seven of these... That's how engaging this is. It is that good at getting the adrenaline up and running and adding stress for someone who does this a lot."
That stress is the point. Incident response is a high-pressure activity. The skills that matter, decision-making under uncertainty, communication across organizations, prioritization when everything is on fire, only develop through practice that actually replicates pressure.
An exercise that feels like a board meeting produces board-meeting behavior. An exercise that feels like a real incident produces real incident behavior.
From Behavior to Results
The quality of facilitation determines what data the exercise produces. An adaptive simulation with a skilled AI facilitator generates a detailed record of every decision, every communication, every escalation, and every gap.
That data is only valuable if it is analyzed and acted on. The After Action Report is where exercises translate into organizational change, and that report is more honest and more useful than anything a traditional tabletop can produce.
The next article examines how to build an AAR that drives real improvement, and why the standard "what went well / what didn't" conversation is not sufficient.
The exercise is finished. Now what? In the next article, we look at how to turn tabletop data into evidence-backed reports that drive organizational change, including how to bring that data to a board of directors.
