Leveled Up TTX: Table Settings
Incident response teams know the drill: a vendor breach, an attacker with unclear motives, and the rush to contain the chaos. While tabletop exercises (TTXs) are designed to prepare teams for these scenarios, the absence of realistic interpersonal dynamics often leaves participants unprepared for real-world challenges. A poorly simulated scenario with flat, predictable interactions can hinder learning and fail to stress-test critical decision-making processes.
Through this series of articles, I will introduce a novel approach to TTX design using AI personas to mimic realistic actors in your scenarios. This first article, "Table Settings," focuses on laying the groundwork for crafting personas that not only enhance the realism of your exercises but also free facilitators from the burden of managing complex role-playing. The scenario we’ll explore—a politically motivated breach through a vendor network—sets the stage for showcasing how AI personas can transform your team’s preparation for the unpredictable.
If you need help learning the basics of prompt writing before we dive in, see my previous articles (here and here). In those we go from very basic prompts up to fairly complex prompts. This article will build on all of that and start to tie everything into one big functioning program.
To start us off, let's tell ChatGPT about the scenario we are about to run:
"I'm writing up a tabletop exercise for incident response. The scenario will be an activist hacked into one of your vendors via an RCE bug. They are protesting this company's involvement in some war and want to punish their customers as well. This vendor has some level of network access to your infrastructure. Do not respond to this message, just take note of the information."
This will give us a starting point for future prompts in this article. It is always good to give ChatGPT the context right from the start. I encourage you to expand this prompt to include whatever details you can think of to flesh out the scenario.
Remember that each of the prompts in this article can and should be modified to suit your needs. I recommend you think about the biggest risks to your organization and tailor your scenarios around that. Need help doing that? You can of course give ChatGPT some broad details about your company and have it come up with some potential ideas.
Cast of Characters
In any tabletop exercise, the characters involved can make or break the experience. Realistic personas inject life into the scenario, challenge participants, and create opportunities for meaningful learning. In this section, we will outline the core personas for our scenario—a politically motivated attack via a vendor—and show how to create them using structured prompts. By defining their characteristics and interactions, you’ll be able to create personalities that push your team to think critically and act decisively.
Key Persona Characteristics
To ensure consistency and realism, each persona will be defined using the following characteristics:
These characteristics allow you to create personas that behave consistently and believably, providing participants with realistic challenges. In future articles, we will explore more characteristics to fully flesh out the personalities and introduce realistic and non-deterministic answers.
Vendor Characters
Vendors often play critical roles in real-world incidents, making them essential to your TTX. Use the following generator prompt to create potential vendor characters based on their likelihood of interacting with the scenario:
"Give me a list of 8 potential vendor characters that the TTX would interact with. Include a brief description of each and how they would interact with the exercise. Order them from most likely to interact to least likely."
Here’s an example output for the scenario:
For a manageable exercise, select up to four personas. Let’s say you choose characters 1 through 4. Here’s the next step:
"Let's use characters 1 through 4. Write up a ChatGPT prompt for each with instructions on how they are to interact with the TTX. Include in these prompts Motivations, Expertise, Goals, Skill Set, Tools, Communication Style, and Primary Targets for each if applicable."
The output of that prompt will give you enough to feed back into ChatGPT to create interactive characters for your audience. If you'd like to try out the characters, ask ChatGPT to "give me four example questions each personality would get during the TTX." I will go more into these interactions in the next section.
Attacker Personas
No incident scenario is complete without a well-defined adversary. For this exercise, the attackers are peace activists targeting a vendor for their involvement in a controversial war. Their goal is to punish the vendor and its customers by exposing vulnerabilities and leaving behind messages calling for an end to all wars. Given that we laid out the scenario in the first prompt, we don't need to feed it much more data to get a prompt for creating an attacker personality.
To create the attacker persona, use the following prompt:
"Now give me the same style prompt for an attacker persona fitting this scenario."
This attacker persona will challenge your IR team by introducing unexpected tactics, emotional messaging, and strategic goals that require careful handling. By defining the attacker’s motivations, expertise, and tools, you ensure their role in the exercise drives meaningful engagement. You can also expand that prompt to include specific requests of the personality like how verbose its answers are or if it is deceitful in its answers.
The Dialogue
In any tabletop exercise, ensuring that personas respond consistently and believably is critical to maintaining the realism and effectiveness of the scenario. This section explores common pitfalls, provides examples of out-of-character responses, and offers techniques for crafting dialogue that stays true to the personas and scenario.
Out-of-Character Responses
Out-of-character responses occur when a persona provides information or acts in ways inconsistent with their defined role. For example:
Example: The Vendor Product Developer gives a legal opinion:
“Our liability in this situation is limited under Section 14 of our contract, so you don’t need to worry about any financial impact.”
Why that response doesn't work: A Product Developer lacks legal expertise and would not be involved in liability discussions. Such a response undermines the exercise by misrepresenting the persona’s boundaries and reducing credibility.
Scenario Misalignment
Another issue arises when responses do not align with the given scenario, such as referencing unrelated incidents or ignoring the established facts. For instance:
Example: The Vendor IT Support Lead says:
“The attackers seem to have stolen large amounts of customer data, and we’re preparing breach notifications.”
Why It’s a Problem: In the defined scenario, the attackers gained limited access to database servers, but there’s no evidence of data theft. This creates unnecessary confusion and disrupts the narrative.
Personas must stay within their defined knowledge boundaries. A persona stepping outside their expertise, such as a Product Developer discussing legal liabilities, can break immersion. Use a prompt like this to reinforce boundaries:
“Stay within the knowledge limits of your persona. If you are not expected to have expertise in a certain area, acknowledge this and defer to the appropriate role. For instance, the IT Support Lead should not provide detailed technical findings—refer those questions to the Security Operations Manager. Maintain realistic boundaries to avoid breaking character.”
This keeps the exercise grounded and ensures personas respond in ways that align with their defined roles.
Techniques for Consistent and Believable Responses
To maintain consistency and realism in persona responses, start by ensuring all personas share a common understanding of the scenario. This avoids conflicting answers and confusion during the exercise. Use the following prompt to establish this shared narrative:
“All vendor personas should share the same understanding of the incident: (1) The attack exploited an RCE vulnerability, (2) the attacker gained limited access to database servers, (3) mitigation efforts are underway, (4) the fix is expected to be rolled out tonight. Ensure your responses reflect this shared narrative.”
By grounding every response in the same set of facts, you can prevent misaligned answers that could derail the exercise. Feel free to change and expand that set of facts to fit your particular scenario. You should also revisit it if any of the personas start to hallucinate.
Establishing a consistent tone is equally important. To ensure responses are professional, cautious, and cooperative, set tone parameters for the personas. For instance:
“All vendor personas must adopt a professional, cautious, and cooperative tone during the tabletop exercise. Prioritize customer reassurance while avoiding blame. Ensure responses reflect a commitment to transparency without overpromising.”
This helps create a unified communication style that builds trust among participants and reflects realistic behavior in high-pressure situations. ChatGPT can be very creative in the tone it uses, so it is best to set rules in place to ensure it stays professional.
Finally, anchoring each response to the persona’s motivations ensures their behavior remains consistent and believable. For example:
“Anchor your responses to your persona’s motivations. If your character is motivated by protecting the vendor’s reputation, ensure every interaction reflects this priority. If your role focuses on mitigating technical risk, avoid veering into legal or reputational concerns. Stay motivated by your role’s defined priorities.”
By aligning answers with motivations, you add depth and realism to every interaction, creating a richer and more immersive exercise.
Through these techniques, your personas will deliver consistent, authentic, and engaging responses that drive the success of your tabletop exercise.
Split Personalities
Managing multiple personas in a tabletop exercise can be challenging, especially when working with AI-driven characters. A key element of success is ensuring that ChatGPT understands which persona is speaking and maintains their distinct characteristics throughout the exercise. This section provides techniques to manage multiple personas seamlessly, encouraging clarity, collaboration, and consistency.
Addressing Personas by Name or Role
One of the simplest ways to ensure clarity is to start your questions by addressing the specific persona you wish to engage. In a real-world incident, team members often rely on clear, direct communication to avoid confusion, especially during high-pressure situations. Replicating this in your tabletop exercise is essential to maintaining realism. For example:
“Vendor Security Operations Manager, can you clarify the containment measures?”
Explicitly naming or referencing a persona ensures that ChatGPT aligns its response with the persona’s defined expertise, preventing generic or misplaced answers. This technique mirrors how organizations rely on clarity of roles to streamline incident response efforts.
Encouraging Escalation
In complex scenarios, tasks or questions often require escalation to someone with greater expertise or authority. Including escalation in your prompts ensures that the exercise mimics real-world workflows. For example, an IT Support Lead might identify the root cause of an issue but require the Security Operations Manager to assess its broader impact. Use prompts like:
“IT Support Lead, could you escalate this to the Security Operations Manager and share their findings?”
This creates a dynamic interaction, encouraging personas to simulate collaborative workflows. By reflecting how responsibilities are delegated in real incidents, this technique trains participants to rely on appropriate escalation paths, reinforcing realistic decision-making under pressure.
Engaging Multiple Personas
In many incident response scenarios, challenges require input from multiple perspectives to address overlapping concerns or conflicting priorities. For instance, decisions about public communication may involve technical, legal, and strategic considerations. To replicate this complexity in your TTX, structure questions to engage all relevant personas simultaneously. For example:
“CISO and Legal Counsel, how do you suggest we communicate this to stakeholders while balancing technical and legal considerations?”
This approach mirrors real-world decision-making processes, where collaboration is essential for addressing multifaceted issues. It ensures that ChatGPT generates responses that reflect the interplay of expertise between different roles, creating a more immersive and realistic exercise.
Prompting Collaboration
Collaboration is critical in real-world incidents, where effective communication and teamwork often determine the success of response efforts. Your TTX personas should reflect this dynamic, ensuring realistic interactions. Use this prompt to encourage teamwork:
“All personas must collaborate closely. When responding, reference input from another persona if their area of expertise overlaps with your own. Acknowledge prior contributions and build on them to maintain consistency.”
For instance, if the IT Support Lead identifies a vulnerability, the Security Operations Manager might build on this input by outlining containment measures, while the CISO ties these actions into the broader strategy. This collaborative approach reinforces shared understanding and highlights the importance of cross-functional coordination. By fostering teamwork among personas, you create a more immersive and impactful exercise that mirrors real-world dynamics.
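The addressing and shared-narrative techniques above can be enforced in a small facilitator script. The sketch below is an added example, not code from this series: the role names and prompt wording come from the article, while the motivation text and the function names are assumptions. It only builds the text to send and calls no chat API.

```python
import re

# Facts quoted from the article's shared-narrative prompt.
SHARED_FACTS = (
    "The attack exploited an RCE vulnerability",
    "the attacker gained limited access to database servers",
    "mitigation efforts are underway",
    "the fix is expected to be rolled out tonight",
)
# Roles named in the article; the motivation text is constructed for this example.
ROSTER = {
    "Security Operations Manager": "containing the intrusion and reporting technical findings",
    "IT Support Lead": "restoring service and escalating what you cannot assess",
    "CISO": "tying response actions into the broader strategy",
    "Legal Counsel": "limiting legal exposure in communications",
}
# Longest names first so a short role can never shadow a longer one.
_ROLE = re.compile(r"(?:vendor\s+)?(" + "|".join(
    re.escape(r) for r in sorted(ROSTER, key=len, reverse=True)) + r")\b", re.I)
_SEP = re.compile(r"\s*(?:,\s*and\s+|,\s*|\s+and\s+)", re.I)


def addressed_roles(message):
    """Return the roster roles named at the very start of a facilitator message."""
    roles, rest = [], message.lstrip()
    while (m := _ROLE.match(rest)):
        # Normalise to the roster's spelling regardless of the case typed.
        roles.append(next(r for r in ROSTER if r.lower() == m.group(1).lower()))
        rest = rest[m.end():]
        sep = _SEP.match(rest)
        rest = rest[sep.end():] if sep else rest
    return roles


def persona_prompt(role):
    """Assemble one persona's standing instructions from the shared pieces."""
    facts = " ".join(f"({i}) {f}," for i, f in enumerate(SHARED_FACTS, 1)).rstrip(",")
    others = ", ".join(r for r in ROSTER if r != role)
    return (
        f"You are the {role}. You are motivated by {ROSTER[role]}.\n"
        f"Shared understanding of the incident: {facts}.\n"
        "Adopt a professional, cautious, and cooperative tone.\n"
        f"Stay within the knowledge limits of your persona; defer other topics to: {others}."
    )


def route(message):
    """Map a message to {role: prompt}; an empty dict means nobody was addressed."""
    return {role: persona_prompt(role) for role in addressed_roles(message)}
```

An empty result from route() is the cue to re-ask the question with a persona named at the start, rather than letting the model pick a voice on its own.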
Conclusion
Designing effective tabletop exercises is both an art and a science. With the right tools and techniques, such as the use of AI personas, you can create scenarios that push your team to think critically, adapt quickly, and collaborate effectively. The methods I covered in this article provide a foundation for crafting immersive and realistic exercises.
As you put these ideas into practice, remember that every exercise is an opportunity to learn and improve for both your audience and yourself. Embrace the challenges and use them to refine your approach. In the next article, you and I will take these concepts further, showing you how to ensure consistency and scalability as your TTX scenarios grow more complex.