Introduction
Cyber threats are no longer isolated technical events. They pose operational, economic, and national security risks that can disrupt hospitals, financial systems, transport networks, energy infrastructure, and public trust within hours.
According to IBM’s X-Force Threat Intel Report, in 2025 alone, 70% of cyberattacks globally targeted critical infrastructure environments. Healthcare providers experienced operational paralysis from ransomware campaigns. Manufacturing suffered due to vulnerabilities in connected operational technology. Energy, Utilities & Transport were heavily targeted by nation-states and hacktivists for espionage and geopolitical disruption, all of which cost millions in recovery efforts.
Cyberattacks on critical infrastructure in Africa are surging, with ransomware and targeted breaches increasingly disrupting vital sectors. Criminal syndicates and state-aligned actors exploit the rapid digital transformation of the continent. One example is the state-owned logistics operator Transnet, which was hit by a major ransomware attack that crippled operations at major ports such as Durban (South Africa) and forced the declaration of force majeure. Across sectors and regions, organisations learned the same difficult lesson: resilience cannot be improvised during an incident.
Institutions that respond effectively during a crisis are rarely the ones with the most impressive policies on paper. They are the ones that have tested their people, validated their decision-making structures, and exercised their response processes before the pressure arrives.
The Problem of "Preparedness on Paper"
Many organisations possess incident response plans, business continuity frameworks, escalation matrices, and governance documents. Yet during real-world incidents, confusion often emerges immediately:
- Who owns the response?
- What triggers national-level escalation?
- Which systems are prioritised first?
- Who speaks publicly?
- How are regulators informed?
- What happens when suppliers are compromised?
- Can leadership make decisions under uncertainty?
A ransomware attack against a national utility provider may begin as a technical compromise but quickly evolve into a communications crisis, regulatory issue, operational outage, misinformation campaign, and geopolitical concern simultaneously. Without exercising these realities, organisations discover gaps only when disruption is already unfolding.
The Benefit of Tabletop Exercises (TTXs)
Tabletop Exercises (TTXs) are structured, scenario-driven engagements designed to test how organisations think, coordinate, communicate, and make decisions during crises. Unlike purely technical simulations, TTXs focus on human coordination under pressure.
A well-designed exercise does not merely ask “Can your systems recover?” It questions the real determinants of resilience:
- Can leadership coordinate effectively under ambiguity?
- Can technical and non-technical teams operate together?
- Can regulators, CERTs, legal teams, and communications units align rapidly?
- Can decisions be made with incomplete information?
- Can cascading impacts across sectors be managed?
Why Critical Infrastructure Requires a Different Approach
Critical National Infrastructure (CNI) environments face a distinct reality: an incident affecting energy, healthcare, telecoms, finance, or transport rarely remains isolated. Dependencies between sectors mean disruption spreads quickly. A compromise within one organisation may affect payment systems, logistics chains, emergency services, or public confidence nationally. This is why modern exercises must evolve beyond basic ransomware scenarios.
At SudoForce, we design exercises that reflect contemporary threat realities, including supply chain compromise, insider-enabled attacks, operational technology disruption, AI-enhanced social engineering, coordinated misinformation campaigns, cross-border cyber incidents, national-level coordination breakdowns, data integrity attacks, and simultaneous physical and cyber disruption.
The Most Valuable Outcome Is Not Technical
As with technical testing controls, the objective of TTXs is to reveal assumptions before adversaries do. One of the greatest misconceptions about tabletop exercises is that their primary value lies in identifying technical weaknesses. The most significant outcomes are usually operational and human. TTXs reveal unclear governance structures, duplicated responsibilities, poor escalation pathways, communication bottlenecks, dependency risks, and decision-making paralysis. More importantly, they build the relationships that are needed when a crisis occurs. A real crisis at 3 AM is not the moment for executives, regulators, sector leads, and responders to meet for the first time. Effective incident response depends heavily on familiarity, trust, and coordination established before an incident occurs.
What to Consider When Running a TTX
- TTXs should be based on attack patterns and not generic threats.
- Simulate unexpected developments that occur during real incidents.
- Don’t just dwell on technical mechanics; explore critical decision points.
- Get the right mix of participants.
- Each discussion should have a clear recommendation and outcome.
Exercising Is Becoming a Regulatory Expectation
Globally, resilience regulations are becoming stricter. Frameworks aligned with NIS2, as well as country-specific policies such as the UK Cyber Resilience Bill and broader national cyber resilience initiatives, increasingly expect organisations to demonstrate incident preparedness, which includes TTXs. Preparedness is no longer a “nice-to-have” capability. It is rapidly becoming a governance requirement.
From Exercising to Capability Development
At SudoForce, we approach exercises as part of a broader resilience lifecycle.
We DETECT emerging risks and threat patterns.
We DEFEND what matters through operational security and incident readiness.
We DELIVER governance and regulatory assurance.
And we DEVELOP sustainable cyber capability that lasts.
Our exercises are designed not just to evaluate organisations, but to strengthen them. Using our SudoSIM platform, we create immersive crisis environments that allow governments, regulators, enterprises, and critical infrastructure operators to experience realistic decision-making under pressure while improving collaboration across technical, operational, legal, and executive functions.
At SudoForce, we believe resilience isn’t built by avoiding crises but through preparation before they arrive.