TL;DR
Security teams are revising end-of-year tabletop exercises to reflect attackers' growing use of AI and the need to protect internal AI systems. Experts recommend mixing AI-driven scenario generation with analog controls, involving the right stakeholders, and rehearsing faster decision-making.
What happened
As organizations run traditional tabletop exercises simulating cyber incidents, incident responders and security leaders say the scenarios and objectives have shifted to reflect AI-driven threats. Experts cited rapid exploitation of newly published vulnerabilities — with some teams observing exploitation attempts within minutes — and the volume of telemetry modern SOCs must triage. Exercises now commonly include simulated AI-enabled phishing, accelerated reconnaissance, prompt injection and AI-driven data exfiltration, alongside scenarios aimed at compromised internal models or leaking LLMs. Practitioners advise using AI tools to craft realistic fakes and measure exercise outcomes, while simultaneously rehearsing low‑tech responses: mandatory out‑of‑band verification, reverting to minimal viable operations, and relying on offline golden copies of data. Security leaders also recommend tailoring participant groups by scenario (technical responders for SOC drills; legal, PR, HR and executives for high‑impact incidents) and engaging outside partners such as FBI field offices or CISA for larger, cross‑functional exercises.
Why it matters
- AI speeds attackers’ reconnaissance and exploitation, shortening the window defenders have to respond.
- Organizations’ growing use of AI increases potential attack surfaces, including model leakage and agent misuse.
- Tabletops that combine AI-generated realism with analog friction help test both technical detection and human decision processes.
- Involving executives and external agencies in tailored exercises improves organizational readiness for high‑impact incidents.
Key facts
- Experts report that exploitation attempts can begin within minutes of a vulnerability's disclosure.
- A referenced SOC handled about 90 billion attack events per day, which were synthesized into roughly 26,000 correlated events and one incident requiring tier‑three human intervention per day.
- Tabletop scenarios now often include AI‑assisted phishing, prompt injection, misconfiguration, and AI‑driven data exfiltration.
- Google Cloud advisors recommend using AI to generate realistic test artifacts (for example, fakes) and to help measure exercise outcomes.
- Some consultants urge introducing analog controls—such as mandatory out‑of‑band verification—to slow adversaries that exploit AI speed.
- Experts suggest tailoring participant lists by scenario: technical teams for SOC drills; legal, PR, HR and senior leaders for reputational or insider incidents.
- Engaging local FBI field offices via a Cyber ASAC and involving CISA are recommended options for larger, full‑scale exercises.
- Financial services clients are specifically advised to include deepfake audio and video in their drills.
What to watch next
- Whether more organizations adopt AI to both craft and evaluate tabletop scenarios, and how they balance AI use with analog safeguards.
- Whether more tabletops include deepfakes and related verification drills, especially in financial services.
- Uptake of semiannual C‑suite participation and more frequent, targeted technical drills for operational leaders.
Quick glossary
- Tabletop exercise: A discussion‑based simulation where participants walk through roles, decisions and processes in response to a hypothetical incident.
- CVE (Common Vulnerabilities and Exposures): A standardized identifier for a publicly known cybersecurity vulnerability.
- Deepfake: Synthetic audio or video created using AI that can impersonate a real person's likeness or voice.
- SOC (Security Operations Center): A team or facility responsible for monitoring, detecting and responding to security incidents.
- Prompt injection: An attack that attempts to manipulate an AI model’s behavior by feeding it crafted inputs.
Reader FAQ
How often should organizations run tabletop exercises?
Experts recommend at least one or two exercises a year, with many suggesting twice yearly and semiannual participation for executives.
Should AI be used to create and evaluate exercises?
Yes: several advisors encourage using AI to generate realistic scenarios and to measure outcomes, while also cautioning against relying solely on AI.
Who should be included in tabletop exercises?
Participants should be tailored to the scenario—SOC and incident teams for technical drills; legal, PR, HR and senior leaders for high‑impact or reputational incidents.
Are external agencies useful to involve?
Reaching out to a local FBI Cyber ASAC or including CISA in full‑scale exercises is suggested to establish contacts and support.

SECURITY: "From AI to analog, cybersecurity tabletop exercises look a little different this year" (Practice makes perfect), by Jessica Lyons, Fri 26 Dec 2025 // 17:01 UTC. It's the most wonderful time of the year…
Sources
- From AI to analog, cybersecurity tabletop exercises look a little different this year
- Tabletop exercises look a little different this year
- Partnerships & Collaboration: JCDC AI Cyber Exercise Series
- Tabletop Exercises: From Military Roots to Modern Cyber …