TL;DR

Australian SMBs are directly in the crosshairs — the ACSC is actively tracking ClickFix campaigns distributing Vidar Stealer through compromised WordPress sites targeting Australian infrastructure, critical cPanel/WHM vulnerabilities being exploited in the wild, and state-sponsored actors compromising Western logistics and technology companies. A two-hour tabletop exercise with your leadership team is the single most effective way to find the cracks in your incident response plan before a real attacker does. This post gives you the complete playbook: five realistic 2026 scenarios, role assignments, a scoring rubric, and an after-action report template you can use today.

Why Tabletop Exercises Matter for SMBs — Not Just Enterprises

Most Australian SMBs carry cyber insurance, have a backup strategy, and maybe even a written incident response plan sitting in a drawer. The gap between having a plan and being able to execute it under pressure is where businesses succeed or fail. Tabletop exercises expose that gap cheaply and safely.

The ACSC's latest advisories confirm that threat actors are not just targeting big corporates. The ClickFix campaign uses fake WordPress captcha prompts to trick staff into running malicious PowerShell commands — a technique that works just as well on a 20-person accounting firm in Melbourne as it does on a government agency. Russian GRU actors are targeting logistics companies — that includes the small freight forwarders and warehouse operators across Australia's supply chain.

Three things a tabletop exercise reveals that a written plan cannot:

  1. Decision-making bottlenecks. Who approves the decision to shut down email? Who authorises payment or refuses it? Who talks to the ACSC? If the answer is "the owner" and the owner is overseas, you have a problem.
  2. Communication failures. If your primary communication channel is email and email is compromised, how does the incident team coordinate? Most teams discover this gap mid-exercise.
  3. Tool and access gaps. Do you have offline copies of your incident response plan, contact lists, and critical credentials? Can your IT provider access systems if the office network is encrypted?

Recommendation: Schedule your first exercise within 30 days. Block two hours. Order lunch. Make it low-stakes — the goal is learning, not performance review.

Running Your Exercise: The 2-Hour Format with Roles and Scenarios

Roles to Assign (5-10 participants)

| Role | Who | Responsibility |
|---|---|---|
| Facilitator | External consultant or IT lead | Reads scenario injects, tracks time, keeps discussion moving |
| Incident Commander | Operations manager or GM | Makes go/no-go decisions, coordinates the team |
| IT Lead | Internal IT or MSP contact | Provides technical reality checks (what can we actually do?) |
| Communications Lead | Marketing or office manager | Manages internal messaging, customer notification, media |
| Legal/Compliance | External lawyer (dial-in is fine) | Advises on breach notification obligations under the Privacy Act |
| Business Owner/CEO | Managing director | Budget authority, strategic decisions (pay ransom? shut down?) |
| Note-taker | Admin or EA | Documents decisions, timeline, gaps — critical for the after-action report |

The NIST IR Framework Structure for Your Exercise

Run each scenario through these six phases. The facilitator introduces the scenario (Preparation/Detection), then the team works through Containment, Eradication, Recovery, and Lessons Learned in real-time discussion:

  1. Preparation — What alerts or indicators would we see? Who notices first?
  2. Detection & Analysis — How do we confirm it's real? How do we scope it?
  3. Containment — What do we isolate first? What's the blast radius?
  4. Eradication — How do we remove the threat actor and close the entry point?
  5. Recovery — In what order do we restore systems? How do we verify they're clean?
  6. Lessons Learned — What failed? What needs to change in the next 30 days?

Five Scenario Cards for 2026

Scenario 1: Ransomware on the File Server
Monday 9:42 AM. Staff report files on the shared drive have odd extensions. A ransom note appears on desktops demanding 2.3 BTC. The backup server is on the same network and shows unusual CPU activity.

Scenario 2: Business Email Compromise with Invoice Fraud
Your accounts team forwards an email thread from the CEO requesting an urgent payment of $47,000 to a new supplier. The email looks legitimate — headers show it came from a lookalike domain (yourcompany.com.au vs yourcompnay.com.au). Payment was authorised 20 minutes ago.
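The lookalike-domain indicator in this scenario can be checked mechanically rather than by eye. The following is an added example (not code from the original post) that assumes the company's legitimate domain is yourcompany.com.au and flags sender domains within a small edit distance of it, treating the single transposition in "yourcompnay" as one edit:

```python
"""Lookalike sender-domain check for the invoice-fraud scenario.

Added example, not from the original post. LEGITIMATE_DOMAIN and the
sample From: headers in the usage below are assumptions.
"""
import re

LEGITIMATE_DOMAIN = "yourcompany.com.au"  # assumption: the company's real domain


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1, so 'compnay' vs 'company' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'CEO <ceo@x.com.au>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(from_header: str, legit: str = LEGITIMATE_DOMAIN,
                    max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header.

    'lookalike' means the domain is not ours but is within max_distance edits
    of it, which is the pattern behind the $47,000 invoice in the scenario."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if domain == legit:
        return "internal"
    if osa_distance(domain, legit) <= max_distance:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    for hdr in ["CEO <ceo@yourcompany.com.au>", "CEO <ceo@yourcompnay.com.au>"]:
        print(hdr, "->", classify_sender(hdr))
```

A mail filter or accounts-payable checklist can route anything classified as "lookalike" to a phone call-back before payment is approved.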

Scenario 3: Cloud Misconfiguration Data Leak
A researcher notifies you that your AWS S3 bucket containing customer PII (names, emails, Medicare numbers) has been publicly accessible for six weeks. You have 4,200 customers across Australia.

Scenario 4: Insider Threat via Departing Employee
Your senior developer gave notice on Friday. Monday morning, USB activity logs show 3.4 GB of data copied. Their access is still active across GitHub, AWS, and your production database.

Scenario 5: Supply Chain Compromise
Your managed IT provider notifies you they've been breached. They have administrative access to your Microsoft 365 tenant, all endpoints, and your firewall. You don't know if your environment has been accessed.

Measuring Decision-Making: Scoring Rubric

Score each phase of the exercise on three dimensions using a 1-5 scale:

| Dimension | 1 (Weak) | 3 (Adequate) | 5 (Strong) |
|---|---|---|---|
| Speed of decision | No clear decision-maker identified; circular discussion | Decision made after reasonable debate | Clear owner makes a timely call with the available information |
| Accuracy of action | Wrong containment action, or none proposed | Mostly right but misses second-order effects | Correct priority actions with escalation paths |
| Communication | No notification plan; ad-hoc updates to stakeholders | Internal comms planned but external gaps | Clear internal, customer, regulator, and media plan |

Target score: 36/45 across all six NIST phases. Below 24 means your plan needs significant work before the next exercise in 90 days.

Downloadable Tabletop Exercise Template

Scenario Card Template

SCENARIO: [Title]
DATE/TIME OF DETECTION: [e.g., Tuesday 2:15 PM]
INITIAL INDICATOR: [What triggered awareness]
INJECT 1 (T+0 min): [First situation description]
INJECT 2 (T+15 min): [Complication — e.g., "CEO is unreachable"]
INJECT 3 (T+30 min): [Escalation — e.g., "Media has contacted reception"]
INJECT 4 (T+45 min): [Resolution path — e.g., "Backup integrity confirmed"]
KEY DECISION POINTS:
  - [ ] Do we isolate the network?
  - [ ] Do we notify the ACSC?
  - [ ] Do we engage external IR support?
  - [ ] Do we notify affected customers?
  - [ ] Do we pay the ransom?
EXPECTED OUTCOME: [What good looks like]

After Action Report Template

EXERCISE: [Name]           DATE: [Date]
PARTICIPANTS: [Names and roles]
SCENARIO(S) RUN: [Which scenarios]

SECTION 1: TIMELINE OF EVENTS AND DECISIONS
| Time | Event/Inject | Decision Made | By Whom | Time Taken |
|---|---|---|---|---|

SECTION 2: STRENGTHS IDENTIFIED
1. [What worked well]
2. [What worked well]
3. [What worked well]

SECTION 3: GAPS AND WEAKNESSES
1. [Gap] — Severity: [H/M/L] — Remediation: [Action + Owner + Date]
2. [Gap] — Severity: [H/M/L] — Remediation: [Action + Owner + Date]
3. [Gap] — Severity: [H/M/L] — Remediation: [Action + Owner + Date]

SECTION 4: SCORING SUMMARY
| NIST Phase | Speed | Accuracy | Comms | Total |
|---|---|---|---|---|
| Preparation | /5 | /5 | /5 | /15 |
| Detection | /5 | /5 | /5 | /15 |
| Containment | /5 | /5 | /5 | /15 |
| Eradication | /5 | /5 | /5 | /15 |
| Recovery | /5 | /5 | /5 | /15 |
| Lessons Learned | /5 | /5 | /5 | /15 |
| TOTAL | | | | /90 |

SECTION 5: ACTION ITEMS
| # | Action | Owner | Due Date | Status |
|---|---|---|---|---|

SECTION 6: NEXT EXERCISE
Scheduled date: [90 days out]
Focus area: [Address top gap from this exercise]

FAQ

How often should we run tabletop exercises?
At minimum, twice per year. If you're in a regulated industry (healthcare, financial services, government supply chain), quarterly. After any significant change — new IT provider, cloud migration, major software rollout — run a targeted 60-minute exercise.

We don't have a formal incident response plan. Should we write one first?
No — run the exercise first. A tabletop will tell you exactly what your plan needs to cover. Writing a plan in a vacuum produces a document that looks good but doesn't work. Exercise first, document what you learn, then formalise.

What if we use an external IT provider or managed security service?
They should participate, ideally in the IT Lead role. If your MSP has incident response obligations in their contract, the exercise tests whether they can actually deliver under pressure. Many SMBs discover their MSP's "24/7 support" means a helpdesk ticket queue, not a live incident commander.

Do we need to report exercise results to the ACSC or our insurer?
No — exercise results are internal. However, running regular exercises and documenting them strengthens your position with cyber insurers during policy renewal and demonstrates reasonable steps if you ever face a regulatory inquiry after a real breach.

Conclusion

The threats targeting Australian businesses in 2026 are not theoretical. The ACSC is actively advising on WordPress-based malware campaigns hitting local infrastructure, critical vulnerabilities in cPanel being exploited with a CVSS score of 9.3, and state-sponsored actors breaching Western logistics and technology companies. Your incident response plan is only as good as your team's ability to execute it at 9:42 AM on a Monday when the phone starts ringing.

Start with one two-hour exercise. Use the templates above. Assign roles from your actual team. Run one scenario — the ransomware scenario is the best starting point for most SMBs. Document what you learn. Fix the gaps. Run it again in 90 days. That cycle is how small teams build resilience without enterprise budgets.

Ready to find the gaps in your incident response before an attacker does? Visit consult.lil.business for a free cybersecurity assessment tailored to Australian SMBs — we'll help you design and facilitate your first tabletop exercise.

References

  1. ASD ACSC Advisory — ClickFix Distributing Vidar Stealer via WordPress Targeting Australian Infrastructure
  2. ASD ACSC Alert — Active Exploitation of cPanel/WHM Critical Vulnerability (CVE-2026-4194)
  3. NIST Special Publication 800-61 Rev. 2 — Computer Security Incident Handling Guide
  4. ASD ACSC Advisory — Defending Against China-Nexus Covert Networks of Compromised Devices
