
TTX Introduction

1.     Table Top Exercise Introduction

A table top exercise (TTX) is a discussion, intended as a thought exercise, to walk through a problem. The ACD-Moderated scenarios will focus on roles, responsibilities, and process, combined with a review of actual resources and capabilities, to examine the situation. The objective of each table top exercise is to facilitate discussion, identify additional gaps, and promote understanding of Incident Response techniques.

Each TTX consists of:

  • TTX Delivery Guide

The Delivery Guide contains the scenario-specific instructions for the ACD team. These instructions include:

  • Hidden Incident Details

These details are not immediately presented to Participants. An example could be that “there are 5 compromised systems”. The ACD delivery team can deviate from the details during the Workshop to deliver the most effective Workshop possible.

  • Incident Objectives

These are considerations of the incident response effort that the customer should discover on their own. Ideally the customer will think of these things – like discovering the scope of the breach, and if not the Moderator must lead the

  • TTX Participant Brief

An outline of the scenario: this is the starting point of the response exercise.

There are two distinct roles for the ACD Team delivering a workshop:

  • Moderator:
    The primary discussion leader, responsible for ensuring the Workshop is productive.
  • Note-Taker:
    The second ACD team member assists the Moderator in guiding discussion and takes notes on the TTX. The notes will be sent to the Customer after the Workshop: this is not a formal report and should summarize the major elements of the TTX response. If, for example, the customer determines that they should be able to perform a function but cannot perform that function, this should be included in the notes.


The delivery of a TTX is very dependent upon the moderator to:

  • Keep the Participants focused
  • Facilitate relevant ad-hoc discussions while steering the Participants away from non-beneficial tangents
  • Adapt the scenario as it unfolds to stay relevant
  • Steer the Participants to the Hidden Incident Details
  • Explore topics covered within the Incident Objectives

2.     Delivery Instructions

3.1.    Pre-Arrival

  1. Determine the Workshop Participant Class Size
  2. Customize the scenario to fit the client environment
    1. If a web proxy with category-based blocking is not present, adjust the scenario
    1. Make the change to a local copy of BOTH the TTX Participant Brief (PPT) and the TTX Guide for this workshop
  3. Print Three (3) copies of the TTX Delivery Guide
    1. One copy is for each ACD moderator, one to be left with the main customer point of contact.
    1. Do not email the TTX Delivery Guide to the customer
  4. Print One (1) copy of the TTX Participant Brief for each Workshop Participant, plus (1) spare OR email this to the
    1. Do not email the TTX Participant Brief to the customer prior to the workshop delivery
  5. The ACD Delivery team shall decide which is the primary moderator and which is the note-taker
  6. The ACD moderator shall confirm the Customer Point of Contact has arranged a suitable discussion space for the TTX. A large round-table is better than a classroom-like environment.
    1. Recommend that the Customer have a large whiteboard available to facilitate discussion.
    1. Encourage the participation of any supporting teams that may be relevant to the selected TTX.

3.2.    On-Site

  • The ACD Team will introduce themselves, and their roles, to the Workshop participants
  • Review the flow and intent of a TTX
  • Distribute the TTX Participant Brief to each participant and/or show the brief on a display within the discussion area
  • Begin the TTX, with the note-taker taking notes

3.3.    Off-Site

The notes will be cleaned up (typos removed and made legible) and sent to the customer. No more than an hour should be taken for this task.