Module 6 - Incident Response Tabletop Exercise
Lesson at a glance
| Field | Value |
| --- | --- |
| Grade band | 9–12 |
| Total time | 60 minutes |
| Difficulty | Intermediate |
| Required materials | Role cards (5), inject sheets (3 turns), scribe sheet, projector |
| Lab access | None - purely a discussion-and-decision exercise |
| Standards alignment | NICE Framework K0026, K0042; CSTA 3A-IC-30 |
Safety: This is a simulation. No real systems are touched. The exercise is intentionally stressful - small teams, time pressure, imperfect information - because that is the muscle we are training.
Learning objectives
By the end of this lesson students will be able to:
- Identify the six phases of incident response: prepare, identify, contain, eradicate, recover, lessons learned.
- Make and defend containment decisions under time pressure with incomplete information.
- Write a clear, calm status update suitable for a non-technical leader (the principal, in this exercise).
- Distinguish between an operational decision (do we isolate this network segment?) and a communication decision (do we tell parents now or later?).
Vocabulary
- Incident response (IR) - the structured process for handling a cybersecurity incident.
- Indicator of compromise (IOC) - observable evidence of malicious activity.
- Containment - actions that stop the incident from getting worse.
- Eradication - removing the attacker’s access.
- Recovery - restoring normal operations.
- Tabletop exercise - a discussion-based rehearsal of an incident; no systems are actually touched.
- Comms hold - a deliberate decision to delay public communication while facts are still uncertain.
Why this module is the capstone (teacher background)
Modules 1–5 built the components: ethics, identity, the human layer, the network, and prioritization. This module assembles them. The students spend three 12-minute turns (36 minutes of play inside the 60-minute lesson) acting as the school’s incident response team during a real-feeling ransomware event. There is no “right answer” - there are defensible answers and indefensible ones.
The most valuable thing this module trains is what defenders sound like under pressure: calm, structured, willing to say I don’t know yet, focused on the next decision rather than the blame.
Materials checklist
- [ ] 5 printed Role Cards (below): Incident Commander, Technical Lead, Communications Lead, Records Lead, Liaison to Leadership.
- [ ] 3 printed Inject Sheets (Turns 1, 2, 3).
- [ ] Scribe Sheet for the Records Lead.
- [ ] Timer (12-minute turns, per the pacing table below).
- [ ] Optional: a stand-in for the principal (the teacher) who receives the status updates.
Pacing - minute-by-minute
| Time (min) | Block | What happens |
| --- | --- | --- |
| 0–5 | Briefing | Phases of IR; the rules of the tabletop |
| 5–10 | Roles | Assign role cards; teams of 5 |
| 10–22 | Turn 1 | Initial discovery; first decisions; status update #1 |
| 22–34 | Turn 2 | Escalation; new information; status update #2 |
| 34–46 | Turn 3 | Decision point; status update #3 |
| 46–55 | Hot wash | Whole-class debrief |
| 55–60 | Lessons learned | Write one thing your team would do differently |
0–5 min · Briefing
Project the six phases of IR:
Prepare → Identify → Contain → Eradicate → Recover → Lessons Learned
Teacher script:
“In a real incident, you don’t walk these phases in a clean line. You loop. You go from Identify to Contain back to Identify when new information arrives. Today you will play three turns of an incident, and at the end of each turn you’ll write a 3-line status update for the principal - me. Calm, structured, factual. ‘I don’t know yet’ is a complete answer when it’s true. Guessing is not.”
State the rules:
- Decisions are made by the team, not by individuals.
- The Incident Commander breaks ties.
- The Records Lead writes everything down.
- Status updates go to the principal at the end of each turn - no exceptions.
5–10 min · Role cards
Form teams of 5. Hand each member one of these:
Incident Commander (IC)
You run the meeting. You make the final call when the team disagrees. You are not the smartest person in the room - you are the one keeping the room moving. You watch the clock.
Technical Lead
You translate the technical inject into options. You answer: what can we do, and what does it cost (downtime, money, lost data)? You don’t make the decision; you give the IC three options when one is needed.
Communications Lead
You decide what gets said, to whom, and when. You write the status update at the end of each turn with the Records Lead. You also draft the one-line message to staff if it goes out.
Records Lead
You write everything down: decisions, who made them, time, and the reason. You are the team’s memory and the basis of the post-incident report. Use the Scribe Sheet.
Liaison to Leadership
You are the only voice that talks to the principal (the teacher). You deliver the status update and bring the principal’s questions back to the team. You do not improvise - you say what the team agreed to say.
10–22 min · Turn 1 - Inject
Tuesday, 8:42 a.m. - Three teachers report to the front office that their classroom laptops are showing a red full-screen message: “Your files have been encrypted. Pay 0.5 BTC to the address below within 72 hours or the key will be destroyed. Do not power off the machine.” IT confirms 14 endpoints across two classrooms now show the same message. The school WiFi appears to be working. The student information system is up. Backup status from last night’s job: unknown - it’s still queued waiting for tape rotation.
Team must decide in this turn:
- Containment: do we isolate the affected classroom’s network segment from the rest of the school? (Yes / No / Need more info - defend it.)
- Power policy: the ransom note says do not power off. What do we tell teachers? (Power off / Leave on and disconnect from network / Need IT to look first.)
- Communications: who hears about this in the first hour? (Staff? Parents? Students? Nobody yet?)
- Status update #1 to the principal - 3 lines.
The Records Lead captures every decision with time and reasoning.
Discussion-leader notes (for the teacher):
- Most teams will want to power machines off. Push back: powering off discards whatever is in memory (running processes, live network connections, and for some ransomware families the key material a decryptor can recover), and the “do not power off” line in the note is the attacker’s instruction, not a reason by itself - the team should decide on its own grounds. The defensible answer is to disconnect from the network (pull the cable, switch off WiFi) without powering off, then wait for IT.
- Teams that go straight to telling parents are skipping a step. The first hour is for facts, not announcements. A comms hold with a decision-by time is acceptable. No comms ever is not.
22–34 min · Turn 2 - Inject
Tuesday, 9:55 a.m. - IT has now isolated the two classrooms. They report that the malware appears to have come in via a malicious document attachment opened by a substitute teacher Monday afternoon. Of the 14 affected endpoints, 11 are confirmed encrypted and 3 are partially encrypted and may be recoverable. The substitute teacher’s account also accessed three shared drives Monday afternoon. Two of those drives now show signs of encryption. One of those drives holds the school nurse’s daily log of student health-office visits, stored in plain text. Backups: last night’s job did not complete; the most recent good backup is from Sunday night.
Team must decide in this turn:
- Scope: do we isolate the file server hosting the affected drives? (Cost: every teacher loses access to shared drives for the rest of the day.)
- Account containment: do we disable the substitute teacher’s account? (Almost certainly yes - but who calls the substitute?)
- Data protection: the nurse’s log is potentially health information. Does that change our communications timeline?
- Status update #2 to the principal - 3 lines.
Discussion-leader notes:
- The health information detail is the curveball. Some cohorts realize within seconds that this changes the comms timeline, because possible exposure of student health records can carry legal notification obligations, not just reputational risk; others miss it. Don’t hint - let the team find it. If they don’t, the hot wash will surface it.
- A team that disables the substitute’s account immediately is fine. A team that disables it and schedules a phone call from leadership to the substitute is better.
34–46 min · Turn 3 - Inject
Tuesday, 11:30 a.m. - IT has confirmed the malware family. A free decryption tool for that family was published last week by a security research firm, and IT has confirmed it works on a sample of the encrypted files; restoration is technically possible. Estimated time to restore: 8 hours of staff effort. The district’s cyber insurance carrier is on the phone and asking whether the school is planning to pay the ransom. The principal has been asked by a parent at the front desk what is going on; staff have noticed the IT activity. The local newspaper has not contacted the school but is monitoring district social media.
Team must decide in this turn:
- Pay or not pay: with a free decryptor available and confirmed working, the team’s recommendation to leadership is…?
- Resumption: when does normal classroom activity resume - today, tomorrow, or after full restoration?
- External communications: a one-paragraph message to parents - when does it go out, and what does it say?
- Status update #3 to the principal - 3 lines, plus the draft parent message.
Discussion-leader notes:
- With a free decryptor, “do not pay” is the obvious recommendation. The team’s job is to say it clearly to leadership and the insurer. Strong teams also notice that decrypting files is recovery, not eradication: the affected endpoints still have to be cleaned or rebuilt and the substitute’s credentials reset before anything is reconnected, or the same access is still there.
- The parent message is the lesson. Calm, factual, names the next update time. Not “everything is fine” (that’s a guess); not “a major cyberattack” (that’s a panic). Something like: “This morning, a small number of classroom computers were affected by a ransomware incident. We isolated the affected systems quickly. Student data is being assessed; no evidence at this time of broad data exposure. We will share an update at 4 p.m. today.”
46–55 min · Hot wash (whole-class debrief)
Bring the room together. Use these prompts in order:
- What did your team get right in Turn 1? (Capture wins on the board.)
- What did your team change between Turn 1 and Turn 2? This is the loop - Identify → Contain → back to Identify when new information arrives.
- Who first noticed the health-information detail? (Highlight the person who caught it; teach the room to read every inject for the buried datum.)
- What was the hardest decision? (Most cohorts say the parent communication or the don’t-power-off-but-disconnect.)
- What did your team’s status updates have in common? Calm voice, named the time, said I don’t know yet when true.
55–60 min · Lessons learned
Each team writes one thing they would do differently next time, on a sticky note or the board. The IC reads them out. Collect for the next class - these become the seeds of the team’s real playbook.
Differentiation and supports
- Below grade level / EL: Pair them with a strong Records Lead role; the Scribe Sheet provides scaffolding for participation.
- Above grade level: After the exercise, ask them to draft the post-incident report structure: timeline, decisions, what went well, what to fix, action items with owners.
- IEP/504 - anxiety around speaking under pressure: Roles are pre-assigned to remove ambiguity; the Liaison role is structured and predictable. The Records Lead is also a low-speaking-pressure role.
Common student misconceptions
- “Pay the ransom because we don’t want to lose the data.” With a free decryptor, paying funds the next attack, and paying can violate sanctions law if the recipient is a sanctioned entity. Even without a free decryptor, paying is a leadership decision with legal and insurance implications, not the technical team’s call.
- “Power everything off immediately.” Memory may contain forensic evidence. Disconnect first; power off only on IT’s direction.
- “Don’t tell parents until it’s fully resolved.” You can’t maintain a comms hold for days. Schedule the next update window. “By 4 p.m.” is calm; “we’ll let you know” is not.
Career connection
- Incident response analyst / consultant - $80K–$160K. Runs versions of this exercise as a real engagement.
- CISO / Director of IT Security - $150K–$300K. Owns the decision the Liaison delivers to leadership.
- Cyber insurance underwriter - $90K–$140K. The voice on the phone in Turn 3.
- Crisis communications lead - $90K–$150K. Writes the parent message you drafted.
Assessment
- Formative: Status updates at the end of each turn - calm, structured, name the next decision time.
- Summative: The lessons-learned note + the parent message draft. Rubric in the Answer Key.
Scribe Sheet (Records Lead - print on the back of the role cards)
| Time (scenario clock) | Decision | Who decided | Why (one line) |
| --- | --- | --- | --- |
| 8:50 | | | |
| 9:05 | | | |
| 9:20 | | | |
| 10:00 | | | |
| 10:20 | | | |
| 10:40 | | | |
| 11:35 | | | |
| 11:50 | | | |
The Scribe Sheet is the artifact. A team that has a Scribe Sheet has a post-incident report. A team that doesn’t, doesn’t.
