Cyber Simulations and Tabletop Exercises
Cyber simulation exercises, in particular tabletop and gold team exercises, involving executives and senior decision-makers, are one of the most effective ways for New Zealand organisations to improve cyber resilience.
The New Zealand National Cyber Security Centre (NCSC) has repeatedly highlighted the importance of exercising incident response plans, noting that regular testing helps ensure organisations know “what to do in the event of a cyber incident.” Increasingly, regulators, insurers, auditors and boards are also expecting organisations to demonstrate not just that plans exist, but that they have been tested in realistic conditions.
A well-run tabletop exercise places organisational teams into a simulated cyber crisis. Participants are forced to make decisions with incomplete information, conflicting priorities and escalating operational impacts. In many cases, the technical compromise itself becomes secondary to the broader organisational challenges that emerge such as media scrutiny, legal obligations, customer communications, operational continuity, third-party dependencies and reputational risk.
For organisations undertaking these exercises for the first time, the findings can be enlightening. Teams often discover that escalation pathways are unclear, roles overlap, or key decisions have never been discussed in advance. It is common to identify uncertainty around who manages and authorises customer notifications, who engages regulators, whether extortion demands or ransom payments would ever be considered, or how business continuity processes will operate if core systems are unavailable. A cyber simulation creates a controlled environment where organisations can safely expose weaknesses before a real incident does. Even relatively short tabletop exercises frequently reveal significant gaps in communication, governance and operational readiness.
However, after working with some of our clients for several years, we have found that the most significant benefits are seen in organisations that repeat these exercises year after year. We have seen how ongoing simulation programmes fundamentally improve organisational maturity and help normalise cyber incidents as executive-level business risks rather than purely IT problems.
When a real incident occurs, we see that teams who have repeatedly practised incident response scenarios are noticeably calmer and more structured in their response. They understand escalation thresholds. They know who needs to be involved. They understand how information flows during a crisis. Most importantly, they are less likely to lose valuable time debating basic process questions during the early stages of an incident. Mature organisations also treat simulation findings as formal improvement actions, tracking remediation activities over time and measuring whether identified weaknesses are being reduced between exercises.
Many organisations begin with highly facilitated tabletop workshops where participants sit together in a single room and work collaboratively through a scenario with guidance from facilitators. These exercises are intentionally supportive and educational in nature, helping participants understand incident response processes, clarify responsibilities and become familiar with the pressures associated with a cyber event. For organisations undertaking their first simulation or who have new team members, this approach is often the most effective way to build confidence and establish baseline capability.
However, as organisations repeat exercises and their maturity develops, we have seen a noticeable recent shift toward a demand for far more realistic and operationally demanding simulations. Increasingly, our more experienced clients are requesting complex scenarios designed to deliberately stress test decision-making, communication pathways and escalation processes under pressure.
These advanced simulations involve multiple concurrent response streams operating in separate “war rooms”, including technical response teams, executive management groups and board-level participants, each receiving different pieces of information at different times throughout the exercise. This design better replicates the fragmented, high-pressure and fast-moving operating environment commonly experienced during real cyber incidents, where technical responders may have incomplete forensic visibility, executives are dealing with operational and reputational consequences, and boards are receiving strategic risk updates independently.
The result is a far more immersive and realistic exercise environment that tests not only technical response capability, but also organisational coordination, leadership communication, decision authority and crisis governance maturity.
Our more experienced simulation clients demonstrate how cyber resilience is built through repetition, refinement and realistic practice. With repeated exercises we see a shift from reactive behaviour toward coordinated decision-making. Discussions become faster, terminology becomes standardised, and teams develop greater confidence operating under pressure and ambiguity.
Over the last year we have seen a positive shift in the cyber simulation exercise landscape with more organisations willing to learn, grow and stress test their processes in a safe space. We continue to believe that consistently undertaking simulation exercises year after year and growing this capacity through increasingly realistic scenarios will ensure organisations respond more effectively when a real crisis eventually occurs.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
Incident Response Solutions 