Improving incident preparedness with TryHackMe’s new tabletop exercises (TTX) product

We’ve launched a free TTX product that allows SOC and IR teams to create custom tabletop exercises within minutes. Organisations can use AI to tailor tabletop scenarios to their environment by providing details on their industry, common attack types, architecture and more.

Improving incident preparedness with TryHackMe’s new tabletop exercises (TTX) product

In today’s rapidly evolving threat landscape, attackers are getting better and faster than SOC and IR teams can keep up with. We’ve seen examples of this not only with recent breaches at companies like M&S and Cartier, but with threat actors like Famous Chollima rapidly changing their tradecraft to advance their goals.

While organisations focus on preventative measures to protect against these threats, it’s equally important to answer the question of “what happens when we get breached” not just “if we get breached”

The best way for organisations to prepare for an incident is to have an actual incident. The second-best way is with a simulated incident, like a tabletop exercises. Running these exercises will not only allow them to understand how their processes and procedures work in practice but also build muscle memory for a team on how to effectively identify, contain, and remediate these threats. More specifically, tabletop exercises allow organisations to:

  • Simulate realistic incidents in a safe environment to test detection, decision-making, and escalation
  • Reveal gaps in tooling, processes, and communication chains before they become liabilities
  • Improve team maturity, reduce panic in real-world events, and shorten incident timelines
  • Ensure that response plans work not just on paper, but in practice

Why organisations aren’t running more and frequent tabletop exercises

Many organisations struggle to run frequent, high-impact tabletop exercises (TTXs) due to resource, time, and expertise constraints. Designing and facilitating realistic scenarios is often a manual, time-consuming process - one that requires deep knowledge of the team’s environment and threat landscape. As a result, exercises are often too generic, disconnected from actual risks, and run too infrequently to drive meaningful improvements.

Even when teams want to invest in readiness, they face barriers: uncertainty around facilitation, limited bandwidth to tailor scenarios to their actual organisation, and challenges in demonstrating preparedness before real incidents occur. The overhead - both in effort and cost - prevents many teams from building a regular rhythm of exercises that could boost maturity and help benchmark incident response capabilities over time.

When exercises do happen, they’re often forgettable. Teams get stuck running the same tired scenarios that feel boring through use of power-point slides and unrealistic, failing to reflect the complexity of real attacks. Customised TTXs break that pattern by delivering immersive, relevant simulations that test and challenge your team.

How TryHackMe can help

We’ve launched a free TTX product that allows SOC and IR teams to create custom tabletop exercises within minutes. Organisations can use AI to tailor tabletop scenarios to their environment by providing details on their industry, common attack types, architecture and more. Each generation of a scenario with the same options will provide teams with unique exercises that add elements of realism and replayability:

The TTX exercise is structured with three different injects that mimic an attacker's life cycle and is aligned to the NIST incident handling lifecycle to provide teams with structure and standardisation on how they perform incident response:

Each inject contains a narrative update and an artefact to provide realistic incident scenarios to organisations. A facilitator within the organisation is provided discussion prompts (this could typically be a SOC manager, SOC lead or anyone that is comfortable facilitating discussions) to engage the team, after which, the teams votes on the right decision for their scenario:

After each decision, organisations are given feedback on their selected action. We’ve also added a response score as part of the exercise to show organisations how their decisions change over time:

Once organisations complete an exercise - we provide an evaluation report to holistically show how the team performed across various stages of the attacker lifecycle, and whether they took the most effective action aligned to each stage of the NIST incident handling lifecycle.

Closing thoughts and our end goal

TryHackMe wants to enable teams to make the most effective decisions for their organisations during a cyber incident. This comes with time and practice. Our product takes the pain out of planning and running a TTX to allow organisations to run these more frequently and build their muscle memory on how to respond to cyber incidents before they actually occur.

This version of our product is currently in beta and we’d love feedback to make it work for SOC and IR teams. We also have a lot of great improvements planned to product that include:

  • Enhanced gamification mechanics to simulate the pressures of real incidents
  • Customisation options to make TTXes more bespoke to organisations
  • Exercises that allow organisations to practice that technical side of incident response