By Dan Mayple - Senior Product Manager, TryHackMe
It’s very rare to hear anyone in the cyber security space question the underlying value of tabletop exercises. Getting teams together to thoroughly discuss and interrogate their incident response is unavoidably important. According to security leaders in our community, it can also be a source of dread: disruptive, expensive and difficult to justify.
With high price tags comes significant scrutiny, and for ‘classic’ tabletops, the math doesn’t add up.
"We paid 10K for a glorified dungeons and dragons game"
A conventional tabletop takes more time than what’s officially allotted to the exercise. The scoping calls, the project planning and the validation take precious time from managers for largely avoidable admin.
With this time commitment, the impact on readiness should be demonstrable. But here again, tabletops fall short. SOC teams we work with tell us that clinical tabletop scenarios are often stuck in theory, and far removed from their actual tactics and working styles. Content is stale, and with planning locked in so far in advance, teams struggle to justify adding more tabletops to the calendar. Even if they did, an increase in volume alone wouldn’t make them more relevant to improving team readiness.
Cyber security teams need tabletop autonomy
It’s not that SOC teams want to eliminate tabletop exercises. They just want the freedom and flexibility to run fresh, relevant exercises that actually improve their playbooks, clarify decision ownership, and expose response gaps. They want tabletops that don’t take up five figures of budget and months to deploy, and that maintain the psychological safety of intra-team collaboration, without consultants and facilitators.
Tabletops shouldn’t be luxury items
We built TryHackMe tabletops around these priorities, focused on making tabletops a regular part of how SOC teams work and gauge opportunities for improvement.
We know SOC and IR teams are time-poor, and always hungry for insights. AI makes our tabletops genuinely self-serve, launching exercises that reflect each team’s unique stack, tooling, architecture and threat landscape in minutes. This way, tabletops can really be a monthly or quarterly standard, evolving with your team environment. And crucially, teams can run them without external facilitation: AI provides clear questions and injects keep the sessions moving while maintaining the safe-space thinking needed for teams to do their best work.
When the barriers lower, opportunities for engagement and experiment increase. When run the way our clients run them, tabletops can become an embedded part of capability building, offering genuine reference points that reveal weaknesses in process, tooling and ownership.
Maturing with tabletops
When tabletops with actual impact are run regularly, teams start to see the immediate strategic value of the exercises. Expectations of the exercises evolve: they start to want more than conversation alone.
They want to retain organizational context, saving profiles for their environment instead of re-explaining it every session.
They want to bring real artefacts into the exercise, using their own playbooks, logs, and documentation to ground discussions in reality.
And they want clear, audit-ready outputs that show what’s improving, what isn’t, and where attention should go next.
That’s why TryHackMe tabletops are designed to mature with the team. You can start with lightweight, self-serve exercises, and adopt deeper capabilities as tabletops shift from occasional practice to a core part of readiness and assurance.
For teams running tabletops regularly, these capabilities turn individual sessions into a connected body of work that compounds learning, strengthens runbooks, and builds confidence over time.
These tabletops are the antithesis of the ‘classic, pricey and drawn out TTX’, and they’re built to empower teams to own their capability building.
Curious what a self-serve, AI-driven tabletop looks like in practice? Take a closer look.
Ghost