If your executive team has not sat in a room, with the phones off, and argued for an hour about whether to pay a ransom, you will make that decision badly when it counts. And when it counts, you will have between forty-five and ninety minutes to make it.
This is the exact tabletop exercise our consulting team runs with CEO / CFO / CISO / General Counsel / Head of Engineering leadership groups at mid-market companies. Three hours, ten injects, one written after-action. Use it. Modify it. Run it once a year, minimum.
Before the exercise
- Room: In-person, or a single shared video room. No side channels. Phones face-down.
- Roles: CEO, CFO, CISO / Head of Security, General Counsel, Head of Engineering, Head of People, Head of Communications, Incident Commander (facilitator — this is you or your partner).
- Scenario handout: One page. No spoilers. Background only: “You are an $80M-ARR SaaS company with 280 employees, approximately 4,000 customers, and a multi-tenant architecture on AWS. Today is Friday.”
- Ground rules: No mutual punishment for wrong answers. Every decision is logged. The facilitator can skip, accelerate, or repeat any inject.
Hour 1: Initial detection and containment (Injects 1–4)
Inject 1 (T+0 minutes): The alert
“Your EDR has fired 112 high-severity alerts in the last eight minutes, all against production Windows hosts. The on-call engineer messages the CISO: ‘I think we’re being encrypted. I’m seeing lsass.exe dumps and new local admin accounts on four domain controllers.’”
Decision required within 10 minutes: Who has authority to isolate production hosts from the network? Has that authority been pre-delegated? Can it be exercised at 7 PM on a Friday?
Inject 2 (T+15 minutes): The scope escalates
“Three customers have opened support tickets in the last ninety seconds reporting that their dashboards are returning HTTP 500 errors. Your status page has started auto-updating to ‘investigating.’ Your head of customer success is asking what to tell enterprise customers.”
Decision required within 20 minutes: What is the customer communications threshold? Who decides to publish a public incident notice? Have you drafted the ‘we are investigating a security incident’ template in advance, or are you writing it now under duress?
Inject 3 (T+35 minutes): The ransom note
“A README.TXT file appears on every reachable endpoint. It demands $4.2M in Bitcoin within 72 hours or 400GB of exfiltrated data will be published. The note names a known ransomware group and provides a Tor site address. Proof of exfiltration: screenshots of your engineering Slack, a sample of customer records, and an internal financial spreadsheet.”
Decision required within 30 minutes: Who has authority to negotiate? Do you engage a professional ransomware negotiator? Have you pre-selected one? Have you validated that paying would not violate sanctions (this group has OFAC implications)?
Inject 4 (T+50 minutes): The board finds out
“A board member saw the status page update and is calling the CEO directly. What is your answer when they ask, on speakerphone, ‘Are we paying?’”
Decision required: What governance does the CEO have to escalate this decision versus act unilaterally? Is there an emergency board procedure?
Hour 2: Operations and stakeholders (Injects 5–7)
Inject 5 (T+75 minutes): Restoration reality
“Your head of engineering reports: ‘We have immutable S3 backups of application data, but our Active Directory domain controllers, build pipelines, and CI/CD secrets are all encrypted or have been destroyed. Our best-case estimate for a clean rebuild is 96 hours. Our last tested restore of this scope was six months ago and took 41 hours, and that was without attackers still in the environment.’”
Decision required: Do you pay for the decryption key to avoid the 96-hour rebuild? How does the answer change if the rebuild is 240 hours?
Inject 6 (T+100 minutes): The legal and regulatory clock
“Your General Counsel advises: ‘We have data subjects in 11 US states, the EU, and two Canadian provinces. Our contractual notification obligations to enterprise customers range from 24 hours to 72 hours. GDPR’s 72-hour clock starts now. Our cyber insurance carrier requires notification within 24 hours or coverage is at risk.’”
Decision required: Who owns the regulatory notification matrix? Has it been pre-built? Is your cyber insurance broker’s emergency number in every senior leader’s phone?
Inject 7 (T+120 minutes): The media
“Your VP of Communications receives an email from a TechCrunch reporter: ‘We have confirmed with two sources that you are under ransomware attack and that customer data has been exfiltrated. We are publishing in four hours. Do you have a statement?’”
Decision required: Who speaks publicly? Is there a pre-approved holding statement? Has your CEO been media-trained on crisis response?
Hour 3: Decisions and aftermath (Injects 8–10)
Inject 8 (T+150 minutes): The ransom deadline
“It is now hour 71 of the 72-hour countdown. The attacker has reduced the demand to $2.6M. Your negotiator, if you engaged one, recommends a counter-offer of $1.8M. Your insurance carrier has indicated they will reimburse a ransom payment up to $2.5M. Three hours until the leak site publishes. Do you pay?”
Decision required: This is the hardest question of the exercise. Every answer is defensible, and every answer is wrong in some way. Let the room argue. Log who says what and why.
Inject 9 (T+180 minutes): The customer retention reality
“One week later. Eleven of your top fifty enterprise customers have paused new deployments pending an independent post-incident assessment. Two have triggered contract exit clauses. Annual recurring revenue impact estimate: $4.1M. Board is asking for a post-incident plan in ten days.”
Decision required: Who owns the customer re-trust plan? What evidence do customers want to see — SOC 2 attestation update, pentest, audit? How fast can you produce it?
Inject 10 (T+195 minutes): The lessons
“Thirty days later. The facilitator opens the floor: what are the three controls you wish had been in place thirty-one days ago? Who is accountable for putting them in place in the next ninety days? What does the board scorecard look like at the next meeting?”
After-action deliverables
Every tabletop should produce, within five business days:
- A timeline of decisions made, by whom, and within what elapsed time.
- A list of gaps discovered, categorized as process, technology, governance, or people.
- Three-to-five prioritized remediation items with owner, due date, and budget estimate.
- An updated ransomware playbook with any revisions informed by the exercise.
- A one-page summary for the board, written in business language.
The single most important output
The most valuable thing a tabletop produces is not the after-action document. It is the fact that the first time your CEO says “are we paying a ransom” out loud is in a rehearsal, not a crisis. That sentence, spoken for the first time under real pressure, at 3 AM, with a reporter on the phone, is where companies make the decision that defines the next five years of their existence.
Run the rehearsal. If you want a facilitator who has done it forty times and can bring injects calibrated to your sector, our incident readiness team runs these engagements monthly. Start here.
