---
name: tabletop-scenario-generator
description: Generate a fresh tabletop exercise scenario on demand — narrative, injects with timing, facilitator notes, decision points, and after-action review prompts. Covers cyber, network outage, data loss, supplier failure, and physical incident themes.
version: 1.0.0
author: VantagePoint Networks
audience: BCP / DR Coordinators, CISOs, IT Managers, Incident Response Leads
output_format: Markdown — scenario pack, injects timeline, facilitator script, participant briefing, AAR prompts.
license: MIT
---

# Tabletop Scenario Generator

A Claude Code skill that builds a fresh tabletop exercise from a short brief. Output is ready to facilitate — no prep beyond printing.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/tabletop-scenario-generator`. Pick a theme, a duration, and an audience.

## When to use this

- Annual / quarterly BCP / IR exercise is due and you want fresh material, not last year's scenario.
- Internal audit is coming and you need a dated tabletop to demonstrate exercise cadence.
- Cross-functional practice — first time running one with business stakeholders in the room.
- Regulatory requirement (NIS 2, ISO 27001, SOC 2, PCI, DORA).
- Onboarding — new senior engineers / managers walk through realistic scenarios.

## What you'll get

A Markdown scenario pack with:

1. **Cover sheet** — name, duration, audience, objectives.
2. **Scenario narrative** — the starting incident.
3. **Injects** — timed events that escalate or redirect the scenario.
4. **Facilitator script** — what to say at each inject, what questions to prompt.
5. **Decision points** — moments where participants must make a call.
6. **Expected responses** — what "good" looks like per decision point.
7. **Participant briefing** — handout for attendees with roles + ground rules.
8. **After-action review (AAR) prompts** — for the debrief.
9. **Metrics** — suggestions for what to measure (MTTD, MTTR, quality of comms, decision quality).

## Clarifying questions I will ask you

1. **Theme** — cyber (ransomware, BEC, phishing, insider, supply chain), network outage, data loss, cloud provider failure, physical (fire, flood), supplier failure, dependency failure (payment processor, IdP), mixed.
2. **Duration** — 60 / 90 / 120 minutes.
3. **Audience** — technical only (SOC/IR) / cross-functional (IT + Legal + Comms + Exec) / exec-only.
4. **Difficulty** — green (first-timers), amber (repeat), red (seasoned).
5. **Realism anchor** — your sector + rough size + key tech stack (so the scenario feels native).
6. **Constraints to include** — specific risk the sponsor wants tested (e.g., "our ability to invoke cyber insurance on a Friday night").
7. **Not-to-include** — anything off-limits (e.g., avoid PII leak scenarios if last week was a real PII leak).

## How I build scenarios

- **Realism over drama.** Base on plausible threats given your stack and sector.
- **One-liner intro.** The "something is wrong" moment.
- **Escalation path.** 4–8 injects that crank complexity without turning the exercise into a movie.
- **Decision points every 15 min** on average.
- **Curveball.** One mid-exercise twist (regulator calls, media picks up, second incident, key person unavailable).
- **Clean closure.** Don't leave participants hanging — there's a pathway to resolution.
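The rules above are easy to state and easy to drift from once a pack is generated. The following checker, added here as an illustration and not part of the skill or VantagePoint's code, parses the `### Inject N — T+MM min — Title` headings and `**Decision point:**` bullets in a pack written in the format this README shows, then reports where it breaks the stated rules: 4–8 injects, a decision point roughly every 15 minutes, exactly one mid-exercise curveball, and time left for a clean closure. The 10-minute closure window and the 1.5× cadence tolerance are this example's assumptions; the sample pack is a constructed excerpt mirroring the "Crimson Tide" timeline.

```python
"""Check a generated scenario pack against the build rules (added example).

Assumed conventions: inject headings look like "### Inject N — T+MM min — Title",
each decision point is a bullet starting with "**Decision point:**", and the
curveball inject carries "Curveball" in its title, as in the README's sample pack.
"""
import re
from dataclasses import dataclass

INJECT_RE = re.compile(r"^###\s+Inject\s+(\d+)\s+[—–-]+\s+T\+(\d+)\s*min\s+[—–-]+\s+(.+?)\s*$")
DECISION_RE = re.compile(r"^-\s+\*\*Decision point:\*\*")


@dataclass
class Inject:
    number: int
    t_plus_min: int
    title: str
    decision_points: int = 0


def parse_injects(pack_md: str) -> list[Inject]:
    """Collect injects and count the decision-point bullets under each one."""
    injects: list[Inject] = []
    for raw in pack_md.splitlines():
        line = raw.strip()
        m = INJECT_RE.match(line)
        if m:
            injects.append(Inject(int(m.group(1)), int(m.group(2)), m.group(3)))
        elif injects and DECISION_RE.match(line):
            injects[-1].decision_points += 1
    return injects


def check_timeline(injects: list[Inject], duration_min: int,
                   cadence_min: int = 15, closure_min: int = 10) -> list[str]:
    """Return human-readable findings; an empty list means the pack passes.

    cadence_min follows the README; closure_min (minutes reserved after the last
    inject) and the 1.5x cadence tolerance are this example's assumptions.
    """
    findings: list[str] = []
    n = len(injects)
    if not 4 <= n <= 8:
        findings.append(f"inject count {n} is outside the 4-8 range")
    times = [i.t_plus_min for i in injects]
    if times != sorted(times):
        findings.append("injects are not in time order")
    if injects and injects[-1].t_plus_min > duration_min - closure_min:
        findings.append("last inject leaves no closure window before the end of the exercise")
    for i in injects:
        if i.decision_points == 0:
            findings.append(f"inject {i.number} has no decision point")
    total_dp = sum(i.decision_points for i in injects)
    if total_dp and duration_min / total_dp > cadence_min * 1.5:
        findings.append(f"only {total_dp} decision points in {duration_min} min; "
                        f"target cadence is about one every {cadence_min} min")
    curveballs = [i for i in injects if "curveball" in i.title.lower()]
    if len(curveballs) != 1:
        findings.append(f"expected exactly one curveball inject, found {len(curveballs)}")
    elif not duration_min / 3 < curveballs[0].t_plus_min <= duration_min - closure_min:
        findings.append(f"curveball at T+{curveballs[0].t_plus_min} is not mid-exercise")
    return findings


# Constructed excerpt mirroring the README's "Crimson Tide" inject timeline.
SAMPLE_PACK = """\
### Inject 1 — T+15 min — Escalation
- **Decision point:** who chairs the bridge if COO is slow to join?
### Inject 2 — T+25 min — Customer impact confirmed
- **Decision point:** statement now, or wait for more signal?
### Inject 3 — T+35 min — Cyber insurance
- **Decision point:** activate insurance now or after more forensics?
### Inject 4 — T+50 min — Regulator awareness
- **Decision point:** pre-emptive ICO notification?
### Inject 5 — T+65 min — Curveball
- **Decision point:** this is now a data incident. Customer notification required?
### Inject 6 — T+80 min — Recovery path + comms
- **Decision point:** announce specific recovery ETA publicly?
"""

if __name__ == "__main__":
    for finding in check_timeline(parse_injects(SAMPLE_PACK), duration_min=90) or ["pack passes"]:
        print(finding)
```

Run it over a freshly generated pack before the session; a curveball landing in the opening 20 minutes or an inject with no decision point is exactly the kind of drift that turns the exercise into a briefing rather than a drill.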

## Example output (excerpt)

Input: *"90 min, cross-functional (IT, Legal, Comms, COO), amber difficulty, retail bank SaaS provider, test cyber insurance activation and customer-notification decision making."*

```markdown
# Tabletop: "Crimson Tide" — ransomware impacting tokenisation service
**Duration:** 90 minutes · **Audience:** IT + Legal + Comms + COO · **Difficulty:** Amber
**Date run:** _(fill in)_  · **Facilitator:** _(fill in)_

## Objectives
1. Test the decision to activate the cyber insurance retainer within 4 hours.
2. Validate customer-notification decision tree under time pressure.
3. Exercise the regulator-notification clock (UK ICO + FCA where applicable).
4. Stress-test the escalation path to the CEO on a non-business day.

## Scenario intro (T+0)
It's Saturday 06:40 UTC. SOC on-call receives an alert that the tokenisation service API is returning 500 errors and internal monitoring shows several customer banks failing card-present transactions. At 06:52 the on-call sees ransom note files being written on the tokenisation fleet's shared filesystem. Service is paused. Initial forensics indicates a ransomware family consistent with a known affiliate of LockBit variants.

## Injects

### Inject 1 — T+15 min — Escalation
- Head of SecOps on-call joins. Requests full bridge.
- COO is at a family event, responds to text 10 minutes later.
- **Decision point:** who chairs the bridge if COO is slow to join?
- **Good answer:** pre-defined IC role holds the bridge; COO briefed asynchronously.

### Inject 2 — T+25 min — Customer impact confirmed
- Three customer banks have opened P1 tickets on the support portal.
- One is threatening escalation to the regulator.
- **Decision point:** do we issue a statement now, or wait for more signal?
- **Good answer:** brief holding statement within 60 minutes, full statement in 4 hours.

### Inject 3 — T+35 min — Cyber insurance
- The insurance broker's out-of-hours desk confirms the retainer is available but requires a formal notification via their online form.
- **Decision point:** activate insurance now or after we have more forensics?
- **Good answer:** activate immediately; retainer does not commit to claim.

### Inject 4 — T+50 min — Regulator awareness
- A tier-2 tech journalist has posted on X: "Hearing scheme-level card outage at BigSaaS. Anyone else?"
- Legal raises ICO 72-hour clock.
- **Decision point:** pre-emptive ICO notification? Customer notification?
- **Good answer:** start ICO drafting now; customer mass notification held pending confirmed data exfiltration (separate from availability outage).

### Inject 5 — T+65 min — Curveball
- Forensics finds evidence of staged data exfiltration on one cluster 72 hours ago.
- 1.2 GB of payload, unclear contents.
- **Decision point:** this is now a data incident, not just availability. Customer notification required?
- **Good answer:** data-subject notification path engaged; legal confirms GDPR Art 33 + FCA reporting clocks.

### Inject 6 — T+80 min — Recovery path + comms
- SecOps reports the immutable backup restore is viable; ETA to service resume: 3 hours.
- **Decision point:** announce specific recovery ETA publicly?
- **Good answer:** internal + customer comms with "restoration in hours, not days" framing; no specific time promise.

## Facilitator notes
- Open by setting the ground rule: no blame, no gotchas; this tests the process, not the people.
- After each inject, 5 min discussion then 2 min action capture.
- Curveball inject (5) is the critical one — watch for whether the group pivots from "availability incident" to "data incident".
- Keep time; interrupt if an inject runs long — you have 90 min total.

## Participant briefing (hand out in advance)
[... attendee handout ...]

## After-action review (AAR) prompts
1. What went well? (3 things)
2. What didn't? (3 things)
3. Was the IC role clear within the first 15 min?
4. Did the decision points feel coached, or did you actually have to decide?
5. Were legal + comms + engineering aligned at each customer-comms decision?
6. What would we do differently in the first 60 min?
7. What's missing from our runbook that today exposed?
8. Actions with owners and due dates.

## Metrics captured during the exercise
- Time to formal IC declaration: _____ min
- Time to customer holding statement drafted: _____ min
- Time to insurance retainer activation: _____ min
- Time to ICO/FCA awareness recorded: _____ min
- Number of decision points reached: _____ / 6
- Number of decision points with explicit good answer achieved: _____ / 6

## Evidence pack (for audit)
- Attendance list
- Timeline of discussion
- Completed action items with owners + dates
- AAR outcomes document
- Retention: 3 years for ISO 27001 evidence; 7 years for regulated financial services
```
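The Metrics section of the pack is only useful if someone fills it in from a time-stamped record rather than from memory. The script below, added here as an illustration and not part of the skill or VantagePoint's code, computes those six metrics from a facilitator's action-capture log. The log format (`HH:MM TAG free text`, with `START` marking T+0 and `DECISION <n> reached|good` lines) and the tag names are this example's own convention, and the sample log is constructed for a run of the "Crimson Tide" pack.

```python
"""Fill in "Metrics captured during the exercise" from the action-capture log.

Added example. Assumed log convention: one event per line, "HH:MM TAG text";
START marks T+0, metric tags below mark the first time each milestone is hit,
and "DECISION <n> reached" / "DECISION <n> good" record decision-point outcomes.
"""
from datetime import datetime, timedelta

METRIC_EVENTS = {
    "IC_DECLARED": "Time to formal IC declaration",
    "HOLDING_STATEMENT_DRAFTED": "Time to customer holding statement drafted",
    "INSURANCE_ACTIVATED": "Time to insurance retainer activation",
    "REGULATOR_AWARENESS": "Time to ICO/FCA awareness recorded",
}

# Constructed log: decision points 4 and 5 were reached but not resolved well.
SAMPLE_LOG = """\
06:40 START exercise opened, ground rules read
06:52 DECISION 1 reached
06:58 IC_DECLARED pre-defined IC holds the bridge
06:59 DECISION 1 good
07:05 DECISION 2 reached
07:20 HOLDING_STATEMENT_DRAFTED comms circulates three-line holding statement
07:21 DECISION 2 good
07:25 DECISION 3 reached
07:31 INSURANCE_ACTIVATED broker online form submitted
07:32 DECISION 3 good
07:42 DECISION 4 reached
07:45 REGULATOR_AWARENESS legal logs start of ICO 72-hour clock
07:55 DECISION 5 reached
08:00 DECISION 6 reached
08:05 DECISION 6 good
"""


def _parse(log: str):
    """Yield (time, tag, rest) for each non-blank log line."""
    for raw in log.splitlines():
        parts = raw.strip().split(maxsplit=2)
        if len(parts) < 2:
            continue
        yield datetime.strptime(parts[0], "%H:%M"), parts[1], (parts[2] if len(parts) > 2 else "")


def score_exercise(log: str, total_decision_points: int) -> dict:
    """Compute the pack's metrics; None means the milestone was never reached."""
    events = list(_parse(log))
    start = next((t for t, tag, _ in events if tag == "START"), None)
    if start is None:
        raise ValueError("log has no START line")

    def minutes_since_start(t: datetime) -> int:
        if t < start:  # exercise ran past midnight
            t += timedelta(days=1)
        return int((t - start).total_seconds() // 60)

    metrics = {label: None for label in METRIC_EVENTS.values()}
    reached, good = set(), set()
    for t, tag, rest in events:
        if tag in METRIC_EVENTS and metrics[METRIC_EVENTS[tag]] is None:
            metrics[METRIC_EVENTS[tag]] = minutes_since_start(t)  # first occurrence wins
        elif tag == "DECISION":
            number, _, outcome = rest.partition(" ")
            (reached if outcome.strip() == "reached" else good).add(int(number))
    metrics["Number of decision points reached"] = len(reached)
    # a "good" outcome only counts for a decision point the group actually reached
    metrics["Number of decision points with explicit good answer achieved"] = len(good & reached)
    metrics["total_decision_points"] = total_decision_points
    return metrics


def render_metrics(metrics: dict) -> list[str]:
    """Produce the filled-in bullet lines of the Metrics section."""
    total = metrics["total_decision_points"]
    lines = []
    for label in METRIC_EVENTS.values():
        value = metrics[label]
        shown = "not reached" if value is None else f"{value} min"
        lines.append(f"- {label}: {shown}")
    lines.append(f"- Number of decision points reached: "
                 f"{metrics['Number of decision points reached']} / {total}")
    lines.append(f"- Number of decision points with explicit good answer achieved: "
                 f"{metrics['Number of decision points with explicit good answer achieved']} / {total}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_metrics(score_exercise(SAMPLE_LOG, total_decision_points=6))))
```

The rendered lines drop straight into the evidence pack, and because they derive from the log, the log itself becomes the "timeline of discussion" artifact the audit section asks for.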

## What I won't do

- I won't re-use the same scenario text each run — injects vary based on inputs.
- I won't include personally identifying real incident details from other orgs.
- I won't make the scenario so abstract it's useless for practice.
- I won't omit decision points — a tabletop without decisions is theatre.

## Reference

- CISA Tabletop Exercise Packages (CTEPs)
- NIST SP 800-84 Guide to Test, Training, and Exercise Programs
- BCI Good Practice Guidelines
- FIRST.org BTLO / DFIR exercise principles

## Attribution

Built by **Hak** at **VantagePoint Networks**. MIT licensed.
