Read this before clicking Generate. The whole lifecycle takes about an hour of facilitator time end-to-end, and the artifact you produce is auditor-grade. This page covers how it works, what you’ll need, and what to do if something goes sideways during the drill.
You’ll need: an Enterprise tenant. The facilitator signs in to drive the drill; participants don’t need accounts.
Time budget: ~5 minutes to generate, ~15 minutes to prep, 60–90 minutes to run, ~5 minutes to lock.
Outcome: a locked, auditor-traceable drill artifact in Veri-Vault, retained per your policy.
The lifecycle
Four stages, end-to-end.
Generate → Prepare → Run → Archive. The first stage is on you to click; the rest are mostly the system doing what it’s supposed to do.
Stage 1 of 4
Generate the tabletop.
Open the scan results page of any product — Veri-Guard, Veri-Tune, HIPAA, or Veri-Vault. The Generate IR Tabletop card sits on the page. Click it.
Optional: pick a specific failing control to focus the drill on. By default the AI picks the most-impactful realistic chain from your scan; selecting a control narrows the scenario to that gap as the entry vector.
Wait ~3–5 minutes. The bundle lands in Veri-Vault as an unlocked Template artifact, ready to share with participants or run immediately.
Re-generate freely. Enterprise has no per-month cap. If the first scenario isn’t the right shape for your team this quarter, generate another. Each generation is a separate Vault artifact with its own manifest hash.
Stage 2 of 4
Prepare the participants.
Export the Template copy (interactive HTML or PDF) and share it with everyone attending the drill. This gives them the scenario, the glossary, and the facilitator guide to read in advance — so when the drill starts, no one’s reading while the timer is running.
What’s in the Template copy: scenario, definitions, facilitator guide (opening script + discussion points + closing script), injects with timing visible, scoring rubric template (no scores yet), and the manifest header.
What’s NOT in the Template copy: any scoring fields, facilitator notes, or lock timestamp. Those don’t exist until the drill is run and locked.
Schedule the drill. 60–90 minutes is the right time budget. War room (in person) or video bridge both work. Add the Template copy as an attachment to the calendar invite.
Pick the facilitator. Usually the IC, CISO, or designated security leader. For HIPAA breach drills, the Privacy Officer typically chairs.
Stage 3 of 4
Run the drill.
At meeting time, the facilitator opens the drill in the portal and clicks Start drill. The timer begins.
Read the opening script from the facilitator guide. It frames the scenario as a test of your IR plan against your real posture — not a test of any individual’s response.
Walk the team through the scenario. The attack chain shows the realistic sequence; the team discusses how they’d respond at each step.
Injects auto-reveal on the timer. At T+5, T+10, T+25, etc. the next inject pops in. Facilitator can pause or skip ahead if the discussion runs long.
For each inject: facilitator types the team’s actual response into the notes field for that inject. The expected action is shown for facilitator reference (not visible in the participant Template copy).
At the end of the drill: the team self-scores the rubric by consensus — one number per criterion, 1 (poor) to 5 (excellent). Facilitator records the consensus scores.
Read the closing script from the facilitator guide.
Tip: if you’re running the drill with 6+ people, designate a separate “scribe” (often the security analyst) to type into the same portal session. The facilitator chairs the discussion; the scribe captures. Two people, one keyboard, still single-portal-user.
Stage 4 of 4
Lock and archive.
When the drill is done and every rubric criterion has been scored, the facilitator clicks Lock drill & save to Vault. This is the action that turns a draft into an artifact.
What locking does: stamps the artifact with the lock timestamp, the facilitator’s name, the source job ID, and a manifest hash. Generates a frozen PDF copy. Saves both formats to Veri-Vault.
After locking, the artifact is immutable. Scores and notes can’t be edited. That immutability is what makes the artifact auditor-acceptable.
A confirmation email goes to the facilitator with the Vault link and download links for both formats.
The artifact stays in Vault under your retention policy — six years for HIPAA covered entities, longer for SOC 2 evidence trails. WORM-equivalent immutability prevents tampering.
Roles & access
One facilitator drives. Everyone else attends.
Real IR tabletops are facilitator-driven. One person chairs the room, the team talks, the facilitator captures notes. The portal mirrors that exactly — only the facilitator needs to be signed in.
Facilitator
Drives the drill from the portal.
Signs in to the portal as a member of an Enterprise tenant. Opens the drill, advances injects, types the team’s responses, records consensus rubric scores, and clicks Lock at the end. The drill artifact is stamped with their name as the lock authority.
Usually the IC, CISO, or designated security leader. For HIPAA breach drills, the Privacy Officer often chairs. For DR drills, the infrastructure or DR lead.
Participants
Attend. No portal access required.
Don’t need portal access. Don’t need any Veri-Tech account at all. Receive the Template copy by email before the drill, attend in person or via Teams/Zoom, and reference the exported HTML or PDF during the discussion.
Typical participant list: IT lead, identity admin, application owner, legal counsel, communications lead, CFO (if a pay-vs-restore decision could be invoked).
Why one driver is the right shape.
Trying to coordinate eight people typing into a shared portal during a 90-minute drill is worse than meeting minutes — voices get talked over, attribution gets messy, and the artifact turns into a transcript instead of a decision record. One facilitator capturing the team’s consensus responses in flight is how regulated tabletops have been documented for decades. Auditors recognize the pattern.
Because participants don’t need portal access, you can also include anyone you want in the drill — internal team, external IR retainer, board observer, outside counsel — without provisioning a single new account.
Resilience
What if something goes wrong during the drill?
Drills run live with humans in a room. Things happen. The system is built to survive most of them without losing your work.
If this happens, this is what the system does:
Facilitator’s laptop crashes mid-drill: Browser local autosave runs every 30 seconds; portal-side autosave runs every 60 seconds. Open the drill on another machine, sign in, see “Drill in progress — Resume?” Pick up where you left off.
Internet drops during the drill: Local autosave keeps state; the drill continues offline. When the connection returns, state syncs to the portal. No data lost.
A real incident happens during the drill: Pause and lock as a partial drill. The artifact records “Drill terminated at T+25 due to real incident; only 3 of 7 criteria scored.” Auditor sees the truth, including the partial-completion annotation.
Drill runs over time: Skip remaining injects (the artifact records them as “not exercised”) and lock with what you have. Run a second drill later with the unscored injects, or generate a new tabletop focused on the gaps you didn’t cover.
Facilitator forgets to lock: State persists in the portal for 24 hours after last activity. The system sends an email reminder if a drill remains unlocked past that window. After 72 hours of inactivity the draft is discarded; you’ll need to regenerate.
Participant disagrees with a rubric score: Capture the dissent in the notes field for that criterion. The rubric still gets a number for the consensus, but the artifact preserves the disagreement in the team’s own words. Auditors prefer this to a fake consensus.
Wrong scenario was generated: Generate another. Enterprise has no per-month cap. The wrong-scope draft can be discarded or locked with annotation. If discarded, the audit log records the deletion and reason.
The artifact
Two copies. One canonical record. Multiple delivery paths.
The artifact has a clear lifecycle: pre-drill Template, post-drill Record, both with two formats (interactive HTML + frozen PDF). Vault is the canonical home; off-portal sharing is encouraged for the use cases that need it.
Template copy
Pre-drill orientation material.
Read-only copy generated immediately after the AI run completes. Shared with participants before the drill so they arrive prepared.
Off-portal sharing: encouraged. Email to participants and auditors who don’t have portal access. Manifest provenance follows the file.
Auditor delivery paths.
Most external auditors don’t have portal access to your tenant, so the standard delivery is off-portal — the Record artifact is self-contained and auditor-readable without a Veri-Tech account.
Email the Record PDF. Frozen, self-contained, includes the manifest hash and the Vault path back to the canonical entry.
Email the interactive HTML (single self-contained file). Same content as the PDF, plus the live scoring rubric and inline notes the team filled in.
Print the Record PDF for paper-only audit binders. The footer on every page identifies the artifact by drill ID, source job ID, and lock timestamp.
FAQ
Questions facilitators actually ask.
What if I'm new to running tabletops? What do I do?
Read the facilitator guide before the drill. The opening script is written to be read out loud. The discussion points give you anchors when the team goes quiet. The closing script lets you wrap cleanly without trailing off. If you get stuck mid-drill, the worst-case fallback is 'skip to the next inject' — and even that produces an honest artifact.
Can I edit the AI-generated scenario before running?
Yes — but you do it in the portal, not by hand-editing markdown. Open the unlocked drill in Vault and click Edit Template in the top right of the drill detail page. The scenario sections become editable inline: scenario summary, threat actor, attack chain (add / remove / reorder steps), definitions, facilitator opening and closing scripts, discussion points, injects (add / remove / retime), and rubric criteria with weights and thresholds. Save creates a new revision. Vault retains both — the AI-generated baseline (locked under its own manifest from the moment of generation) and your edited revision (a separate manifest that references the baseline as its parent). When you run the drill, the locked Record artifact records which revision was actually run, with the baseline preserved alongside it. If your edit volume is high — you're rewriting most of the scenario — regenerating with a different control selection is usually faster than editing.
How often should we run these?
Quarterly is the most-cited regulatory expectation. Annual at minimum to satisfy HIPAA §164.308(a)(8) periodic evaluation. If you have multiple NIST CSF pillars to cover (Protect, Detect, Respond, Recover), drill one per quarter — Identity-attack in Q1, Device-compromise in Q2, Breach-notification in Q3, DR in Q4. Different team, different scenario, real coverage.
Can I run the same scenario twice?
Yes. Open the locked drill in Vault and click Re-run this scenario in the top right of the detail page. A fresh drill instance opens with the same Template content — same scenario, same injects, same rubric — but a new manifest hash, new lock timestamp, and whoever runs it this time recorded as the new facilitator. Useful for: same scenario / different team (drill IT in March, drill Finance in June with the same scenario to compare responses); pre- and post-remediation (drill the legacy-auth scenario in Q1 as baseline, apply remediation, drill it again in Q3 as the improvement check); MSPs running the same scenario across multiple client tenants. Both artifacts coexist in Vault. The new manifest records derivedFromTemplateOf pointing at the original manifest hash, so the Vault detail page surfaces 'Re-run of Drill X; locked YYYY-MM-DD' — auditors see the lineage automatically.
What if our IR plan doesn't exist or is incomplete?
Run the drill anyway. The drill exposes gaps in your IR plan — that's a feature. The scoring rubric will surface low scores in the relevant criteria (decision authority, communication cascade, etc.), and those become Phase-2 remediation items mapped back to the source scan finding. A drill against a weak IR plan is more useful than no drill.
What if my team won't engage / treats it as a joke?
Two leverage points. First, share the Template copy in advance — people who've read the scenario tend to take the drill more seriously. Second, frame the post-drill scoring rubric as the team's self-assessment, not an individual performance review. The rubric scores the team, not the people. Engagement usually follows when participants realize the drill is finding gaps in the system, not gaps in them.
Can someone else view the locked artifact in the portal later?
Yes — within the portal, anyone who has access to your tenant's Vault can open the locked artifact via the Vault detail page (/vault/tabletops/{drillId}). External auditors usually don't have portal access, though, so the standard pattern is off-portal sharing: email the Record PDF, email the interactive HTML, or print the PDF for paper audit binders. All three formats are self-contained, identify themselves uniquely via drill ID + source job ID + lock timestamp in the footer, and include the manifest hash. The auditor doesn't need a Veri-Tech account to verify any of it.
What if I find a real bug in the AI-generated scenario after locking?
The locked artifact stays as-is — that's the immutability guarantee. To follow up, generate a new tabletop. The portal does the linking automatically — you don't paste manifest hashes by hand. The Generate dialog includes a 'Reason for regenerating' prompt with preset options (Found error in scenario after running / Update for new scan findings / Different team running same scenario / Other free-text) plus a picker for the original drill it follows up on. The reason and the original manifest hash get written into the new artifact's manifest under a relationships block. After locking the new drill, the Vault detail page surfaces both ends of the link — viewing the original drill you see 'Followed up by Drill Y (locked YYYY-MM-DD; reason: ...)'; viewing the new one you see 'Follow-up to Drill X (locked YYYY-MM-DD; reason: ...)'. Auditors clicking either artifact get the full chain. Because the chain is system-enforced, no one can quietly fork a drill without leaving the audit trail behind. That's why this pattern is auditor-preferred over silent edits.
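The lock step in Stage 4 (lock timestamp, facilitator, source job ID, manifest hash, then immutability) and the lineage links described in the re-run and follow-up answers above both come down to the same mechanism: hash a canonical copy of the record, and have child records carry the parent's hash. The Python below is an added example, not Veri-Tech's code and not a description of its actual file format. It models a drill Record as JSON, locks it the way Stage 4 describes (including the partial-drill and "not exercised" annotations from the Resilience section), lets an auditor holding only the exported file recompute the manifest hash offline, and walks the relationships chain back to the baseline. The JSON layout, SHA-256 over sorted-key JSON, the followUpTo key and the sample drill are assumptions made for the example; relationships, derivedFromTemplateOf and reason are the names the page itself uses.

```python
# Added example, not Veri-Tech's code: a toy model of locking a drill Record,
# verifying it offline, and walking its lineage in Vault. Field layout, the
# canonicalisation rule, SHA-256 and the followUpTo key are assumptions;
# relationships / derivedFromTemplateOf / reason are names the page uses.
import copy
import hashlib
import json
from datetime import datetime, timezone


def canonical_hash(record):
    """SHA-256 over canonical JSON (sorted keys, no whitespace) of everything
    except the manifest_hash field itself, so the hash can be recomputed."""
    body = {k: v for k, v in record.items() if k != "manifest_hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def lock_drill(draft, facilitator, source_job_id, now=None, terminated_at=None):
    """Freeze a draft into a Record: annotate gaps, stamp the lock, hash it.

    terminated_at is the T+minutes at which the drill was cut short (for
    example by a real incident); None means the drill ran to its end.
    """
    record = copy.deepcopy(draft)  # the draft is never mutated in place
    now = now or datetime.now(timezone.utc)
    total = len(record["rubric"])
    scored = 0
    for criterion in record["rubric"]:
        if criterion.get("score") is None:
            criterion["status"] = "not scored"
        else:
            scored += 1
    for inject in record["injects"]:
        if not inject.get("revealed"):
            inject["status"] = "not exercised"
    annotation = None
    if terminated_at is not None:
        annotation = (f"Drill terminated at T+{terminated_at} due to real incident; "
                      f"only {scored} of {total} criteria scored.")
    record["lock"] = {
        "lock_timestamp": now.isoformat(),
        "facilitator": facilitator,
        "source_job_id": source_job_id,
        "partial": scored < total,
        "annotation": annotation,
    }
    record["manifest_hash"] = canonical_hash(record)
    return record


def verify_record(record):
    """What an auditor with only the exported file can do: recompute the hash.
    Any post-lock edit to scores or notes makes this return False."""
    return "lock" in record and record.get("manifest_hash") == canonical_hash(record)


def lineage(record, vault):
    """Follow relationships back to the root; returns the chain of manifest hashes.

    vault maps manifest_hash -> locked record. Every link must verify, so a
    parent that was silently altered fails here instead of passing unnoticed.
    """
    chain = [record["manifest_hash"]]
    current = record
    while True:
        rel = current.get("relationships", {})
        parent = rel.get("derivedFromTemplateOf") or rel.get("followUpTo")  # followUpTo is assumed
        if parent is None:
            return chain
        if parent in chain:
            raise ValueError("relationship cycle at " + parent)
        current = vault.get(parent)
        if current is None or not verify_record(current):
            raise ValueError("parent missing or fails verification: " + parent)
        chain.append(parent)


# Constructed sample drill (not real output): injects at T+5..T+55, a 7-criterion
# rubric with only the first 3 scored, and a fixed clock for reproducible hashes.
DRAFT = {
    "drill_id": "DRILL-EXAMPLE-1",
    "injects": [{"t": t, "revealed": t <= 25} for t in (5, 10, 25, 40, 55)],
    "rubric": [{"criterion": f"C{i}", "score": 4 if i <= 3 else None} for i in range(1, 8)],
}
T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)


def demo():
    """Lock a partial drill, lock a re-run derived from it, then check both."""
    baseline = lock_drill(DRAFT, "facilitator@example.test", "JOB-EXAMPLE", now=T0, terminated_at=25)
    rerun_draft = copy.deepcopy(DRAFT)
    rerun_draft["relationships"] = {
        "derivedFromTemplateOf": baseline["manifest_hash"],
        "reason": "Different team running same scenario",
    }
    rerun = lock_drill(rerun_draft, "other.facilitator@example.test", "JOB-EXAMPLE", now=T0)
    vault = {r["manifest_hash"]: r for r in (baseline, rerun)}
    tampered = copy.deepcopy(baseline)
    tampered["rubric"][0]["score"] = 5  # a post-lock edit: the hash no longer matches
    return {
        "baseline_ok": verify_record(baseline),
        "tampered_ok": verify_record(tampered),
        "annotation": baseline["lock"]["annotation"],
        "not_exercised": [i["t"] for i in baseline["injects"] if i.get("status") == "not exercised"],
        "chain": lineage(rerun, vault),
        "chain_ends_at_baseline": lineage(rerun, vault)[-1] == baseline["manifest_hash"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that verification needs nothing but the file: the hash covers the scores, notes, lock block and relationships, so an auditor can confirm both that the Record is untouched since locking and that its lineage points at a parent that itself still verifies.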
Ready to run one
You’re prepped. Click Generate from any scan.
The Generate IR Tabletop card lives on every Veri-Guard, Veri-Tune, HIPAA, and Veri-Vault scan results page. About 90 minutes from now, your team will have run their first auditor-grade drill.