
security-operations-tabletop-exercise-facilitator
by LocoLoboZ
Design, facilitate, and document professional security incident response tabletop exercises and after-action reports.
- Design realistic incident scenarios with timed technical and business injects
- Validate internal IR playbooks and cross-functional escalation workflows
- Produce audit-ready After Action Reports and remediation action trackers
Included in download
- Design realistic incident scenarios with timed technical and business injects
- Validate internal IR playbooks and cross-functional escalation workflows
- Ready for agents, including Claude Code
- Includes example output and usage patterns
See it in action
A real example of what this skill takes in and produces.
Sample input
Design a three-hour ransomware security operations tabletop exercise for Tier 1 analysts, Tier 2 analysts, the SOC manager, IT operations, legal, communications, and executive stakeholders. Keep tooling generic and produce a facilitator guide, timed inject schedule, evaluation scorecard, and after-action report template.
Sample output
The skill produces:
- An exercise planning brief confirming objectives, participants, and duration
- A timed inject schedule with six escalating injects covering detection, triage, containment, executive briefing, communications, and recovery decisions
- A facilitator guide with role-based discussion prompts and observer notes for each inject
- An evaluation scorecard assessing process quality, decision making, escalation, communication, and documentation
- An after-action report structure separating strengths, gaps, risks, root causes, actions, owners, and validation points
All tooling references are marked as generic placeholders.
About This Skill
High-Fidelity Security Tabletop Facilitation
This skill automates the complex process of designing, running, and documenting professional security operations tabletop exercises (TTX). Instead of spending days drafting scenarios and injects, developers and security leads can generate comprehensive exercise packages tailored to their specific stack and playbooks.
What it does
- Architects realistic multi-stage incident scenarios (Ransomware, BEC, Supply Chain, etc.).
- Generates timed "injects" with specific evidence artifacts (log snippets, alerts, tickets).
- Validates existing IR playbooks and cross-functional escalation workflows.
- Produces professional After Action Reports (AAR) with strength/gap analysis and remediation trackers.
Why use this skill
Prompting a generic AI often results in shallow, linear stories. This skill follows a rigorous evaluation framework, forcing participants to make hard decisions at each stage. It integrates context from your SIEM, EDR, and SOAR tools to create realistic technical hurdles while managing the non-technical aspects like legal, PR, and executive briefings. It ensures your IR drills are audit-ready and demonstrate measurable resilience improvement.
Supported Deliverables
- Exercise Plan: Strategy, scope, and objectives.
- Facilitator Guide: Detailed prompts, expected answers, and observer notes.
- Inject Schedule: A timeline of technical and business developments.
- Scorecard & AAR: Structured evaluation of team performance and gap identification.
Use Cases
- Design realistic incident scenarios with timed technical and business injects
- Validate internal IR playbooks and cross-functional escalation workflows
- Produce audit-ready After Action Reports and remediation action trackers
- Test communication lines between technical teams and executive leadership
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/security-operations-tabletop-exercise-facilitator | tar xz -C ~/.claude/skills/
Free skills install directly. Paid skills require purchase - use the download button above after buying.
Security Scanned
Passed automated security review
Permissions
No special permissions declared or detected
Works with any agent that supports the Universal SKILL.md standard, including Claude Code, Codex CLI, Cursor, VS Code Copilot, and Gemini CLI. Requires user-supplied exercise objectives and organisational context.
Creator
I design and publish skills built from real professional practice across three areas: cyber security consulting, business operations, and AI workflow engineering. My cyber security skills draw on active advisory work spanning governance, risk, compliance, assurance, and executive reporting. They are built for practitioners who need structured, defensible outputs - not generic templates. My business operations skills cover the day-to-day work of running a consulting practice: bookkeeping, financial tracking, expense reconciliation, and marketing content - designed to reduce repetitive overhead and keep outputs consistent. My AI platform and workflow skills are built for people who want to get more out of Claude and similar platforms - covering prompt engineering, skill architecture, automation pipelines, and agent enhancement. Every skill I publish has been tested in production use before it reaches the marketplace. If it is here, it works.