BNM RMiT · NACSA · ISO 22301-Aligned

Cybersecurity Tabletop Exercise Facilitation

Test your people, your plans and your decisions — before an attacker does. Facilitated tabletops for Malaysian boards, executives and SOC teams.

Schedule a Tabletop Talk to an Expert

Why tabletops

In every real Malaysian incident we've responded to, the technical containment was rarely the slow part. The slow part was decision-making — who approves the ransom conversation, when to notify BNM, what the Bursa announcement should say, whether to engage law enforcement, and which customers to call first. Tabletops are how you compress that decision time from days to hours, before the clock is actually running.

They are also the highest-leverage cyber investment for board-level engagement. One serious 3-hour tabletop will do more for executive cyber literacy than a year of slide-deck briefings.

Our facilitation methodology

Scoping

Joint workshop with the CISO + executive sponsor. Objectives, audience, scenario, success criteria, observers.

Scenario design

Custom scenario rooted in real Malaysian-sector threats. Injects timed across the session. Inject pack QA'd against your actual environment.

Pre-brief

30-minute pre-brief with the executive sponsor and observers. Ground rules, safe-space framing, observation criteria.

Facilitated exercise

Half-day or full-day. Facilitator runs the timeline; co-facilitator captures observations; senior advisor injects expert challenges.

Hot wash & AAR

30-minute hot wash immediately after, followed by formal After-Action Review with structured observations and gap register.

Report & playbook update

Exercise report, prioritised remediation register, refreshed IR playbook sections, executive readout for the board.

Sample scenarios we've facilitated

Ransomware double-extortion

Threat actor encrypts SAP + Active Directory, threatens to leak customer PII. Tests: ransom decision, comms, PDPA notification, restore strategy, board engagement.

Malicious insider

Departing senior engineer exfiltrates source code and customer data. Tests: detection, HR-Legal-IT handoff, evidence preservation, regulator and law-enforcement engagement.

Vendor / supply-chain compromise

Managed service provider breach exposes your environment. Tests: third-party contracts, RMiT 10.51 outsourcing obligations, joint incident response, customer comms.

BNM RMiT incident-reporting drill

Material technology incident requiring 1-hour BNM notification. Tests: detection-to-decision time, who signs the notification, factual accuracy under pressure.

Ministry-level / NCII breach

NCII operator scenario under Cyber Security Act 2024 — incident-notification timeline, NACSA coordination, sector-regulator engagement, ministerial briefing.

Cloud admin credential theft

Privileged Azure / AWS account compromise. Tests: blast-radius assessment, IAM kill-switch, customer impact triage, post-incident hardening.

Deliverables

• Custom scenario pack and inject timeline
• Facilitator observation log
• After-Action Review report
• Risk-rated gap register with owners and due dates
• Marked-up updates to your IR playbook / call tree
• Executive readout deck for the board / risk committee
• Maturity benchmark vs Malaysian sector peers

Frequently asked questions

What is a cybersecurity tabletop exercise?

A tabletop is a facilitator-led, discussion-based simulation of a cyber incident. Participants — typically executives, IT, security, legal, comms and HR — work through an unfolding scenario in real time, making the same decisions they would in a real breach. No production systems are touched. The goal is to test plans, decision-making and inter-team handoffs in a safe environment.

How is a tabletop different from a red team or pentest?

Pentests and red teams test technical controls. Tabletops test people, plans and decisions. The two are complementary: a red team might prove your EDR misses a specific TTP; a tabletop will reveal that even when EDR alerts, the Head of Comms has no pre-approved language for a Bursa announcement, and the legal team disagrees on PDPA notification timing.

Who should attend?

Crisis Management Team (CMT) including the CEO or COO, CIO, CISO, Head of Legal, Head of Comms / IR, Head of HR, Head of Operations, and the on-call SOC / IR leads. We strongly recommend keeping the same attendees for board-level exercises and a separate, more technical version for SOC and IR teams.

What do we leave with?

A formal exercise report with a gap register, prioritised remediation actions, updates to your IR playbook, a refreshed call tree and an executive readout for the board. We also benchmark your maturity against peers in the same Malaysian sector so leadership has context for the gaps.

Does this satisfy BNM RMiT exercise expectations?

Yes. BNM's RMiT Policy Document expects financial institutions to conduct regular cyber incident-response exercises, including engagement with senior management. Our tabletop deliverables — exercise plan, observation log, after-action review, remediation register — are structured to drop directly into BNM examiner evidence packs.

Schedule your first tabletop

Typical lead time 3-4 weeks from scoping to exercise day. Board-ready report inside 10 working days.

Schedule a Tabletop