
Preparing for the Future: The Role of AI in Cybersecurity Tabletop Exercises

January 5, 2026

It's the most wonderful time of the year for corporate security teams to conduct tabletop exercises—simulating hypothetical cyberattacks or emergencies to test incident response processes and bolster preparedness for real incidents. As Wendi Whitmore, Chief Security Intelligence Officer at Palo Alto Networks, notes, “We're ultimately testing how resilient the organization is. It’s not if we get attacked, but how quickly we respond and contain these attacks.”

The Increasing Pace of AI-Driven Threats

This year, organizations must consider the rapid evolution of AI technology—both as a tool used by attackers to find vulnerabilities and as a weapon for defenders. Google Cloud’s Enrique Alvarez highlights, “Threat actors are exploiting CVEs at an increased rate with AI.” He emphasizes incorporating scenarios in which a recently published CVE is exploited instantly after release; according to Whitmore, this sometimes happens within five minutes.

Whitmore adds, “On the defender side, our SOC handles about 90 billion attack events daily. We synthesize these into around 26,000 correlated threats, with roughly one requiring human intervention each day.” The proliferation of AI accelerates this process, expanding the attack surface for enterprises.

The Dual Challenge: Attackers and Defenders Using AI

Criminals and nation-state actors are integrating AI into their arsenals, enabling more targeted, convincing phishing attacks, faster reconnaissance, and rapid exploitation of stolen data. Conversely, defenders need to ensure their AI systems—such as large language models (LLMs)—are secure, guarding against leaks and unauthorized data access.

Adapting Tabletop Exercises to AI Realities

Incident responders recommend updating tabletop exercises to confront two key realities:

  • Attackers leveraging AI to operate at unprecedented speed, stealth, and scale.
  • Attackers targeting the AI systems deployed by organizations.

Tanmay Ganacharya of Microsoft suggests, “Simulating adaptive, AI-powered phishing campaigns and attack chains, as well as scenarios involving prompt injection, misconfiguration, and data exfiltration, prepares teams for emerging threats.”

The ultimate purpose of these exercises is educational: to familiarize both senior leadership and technical teams with potential threats, improve response procedures, and identify areas needing enhancement.

Using AI to Fight AI

Organizations can use AI proactively within their simulation strategies. Bill Reid from Google Cloud recommends, “Create AI-generated fake scenarios to test your defenses.” Taylor Lehman emphasizes that AI can also help craft detailed, realistic scenarios by analyzing an organization’s environment, including threats, vulnerabilities, assets, and stakeholders.

Deepfakes—especially in financial services—are a specific and growing threat, prompting organizations to incorporate AI-generated fake videos and audio into their training drills. David Wong from Mandiant points out that AI accelerates all phases of cyberattacks, not only through deepfakes but across the entire attack lifecycle.

Practical Measures During Exercises

When simulating a deepfake CEO demanding a transfer, the focus should shift from detection software to procedural checks—like out-of-band verification via phone. Alvarez advises engaging local FBI Cyber Agents or CISA to participate in full-scale exercises, which fosters external partnerships and information sharing.

Anton Chuvakin of Google recommends caution: “Instead of relying solely on AI to fight AI, introduce analog friction—such as offline verification methods—to slow down adversaries and reinforce manual, process-driven controls.” He advocates practicing reverting to minimum viable operations and trusting processes over technology.

Who Should Participate?

Experts agree on the importance of regular, tailored tabletop exercises—ideally at least twice a year. These should involve different groups depending on the scenario:

  • C-suite and Board Members: For high-impact, executive decision scenarios, such as AI-powered breaches or reputational risks, semiannual involvement is recommended.
  • Security Operations and Incident Response Teams: For more technical drills, including ransomware simulations and insider threat scenarios, more frequent exercises are advised.
  • Operational Leadership: Deputy, director, and SOC leaders should engage regularly to ensure readiness for day-to-day threats.

Ganacharya emphasizes, “Include alternate responders in every exercise—real incidents rarely align perfectly with planned responses.”

Final Thoughts: Embracing Preparedness in an AI-Driven Landscape

As AI continues to shape cybersecurity threats and defenses, organizations must evolve their preparation strategies accordingly. Conducting regular, scenario-specific tabletop exercises—leveraging AI to simulate threats and test responses—will be crucial in building resilience against tomorrow's attacks.