
Introduction
Running a tabletop exercise is the easy part. The harder challenge — the one most organizations fail at — is turning what happened in the room into something that actually changes how the organization responds to a real incident.
A tabletop exercise after-action report (AAR) is the structured document that captures what happened during a TTX, what the findings revealed, and what actions the organization must take before the next incident.
This guide is for security leaders, CISOs, board advisors, and risk committee members who run tabletop exercises but struggle to convert the discussion into inspectable, governance-ready outputs. If you've walked out of a TTX with a room full of observations and a blank page, here's where to start.
It covers:
- What an AAR must include to be governance-ready
- How to structure findings, gaps, and remediation owners
- A section-by-section template you can adapt immediately
- How to present AAR outputs to boards and risk committees
The core problem: most organizations treat the AAR as an administrative formality. Gaps identified in the exercise get written down, distributed once, and then deprioritized. The same weaknesses surface again — this time in a real incident, under real pressure, with real consequences.
TL;DR
- An AAR documents what was observed, what worked, what failed, and what must change as a result of the exercise.
- Complete AARs cover an executive summary, scenario overview, phase-by-phase findings, prioritized gaps, and corrective actions with named owners and deadlines.
- Complete the report within five to ten business days while observations are still accurate.
- Without a formal AAR, exercises generate discussion but rarely produce measurable improvement.
- Boards, audit committees, and regulators expect proof that TTX findings are tracked to closure — the AAR provides it.
What Is a Tabletop Exercise After-Action Report and Why It Matters
An AAR is not a meeting summary. It is a governance document — one that creates accountability by linking observed gaps directly to assigned corrective actions with named owners and deadlines.
That distinction matters. A meeting recap tells you what was discussed. An AAR tells you what broke, why it broke, who is responsible for fixing it, and when the fix is due.
How It Differs from the Hot Wash
The hot wash is the verbal debrief held immediately after the exercise closes. It captures initial reactions while the room is still engaged. NIST SP 800-84 distinguishes between the two clearly: the hot wash is informal and immediate; the AAR is the formal written product that makes findings durable, assignable, and auditable.
The hot wash feeds the AAR. The AAR is what survives the meeting.
What a Good AAR Actually Accomplishes
A well-constructed AAR surfaces:
- Decision-making breakdowns: who hesitated, who lacked authority, who contradicted each other
- Communication failures: where notifications stalled and the wrong people were looped in too late
- Plan-reality gaps: where documented procedures didn't match how people actually responded
- Capability gaps: what the team needed and didn't have
A real incident won't give you time to redesign your escalation tree. The exercise is the window.
Regulatory and Governance Expectations
That window also has a compliance dimension. Regulated industries face increasing pressure to document — not just conduct — exercises. Several frameworks directly reference testing, lessons learned, and improvement tracking:
| Framework | Relevant Requirement |
|---|---|
| NIST CSF 2.0 (ID.IM-02) | Improvements identified from security tests and exercises, including third parties |
| NIST CSF 1.1 (RS.IM-1/2) | Response plans incorporate lessons learned; response strategies are updated |
| HIPAA (45 CFR 164.308(a)(7)(ii)(D)) | Periodic testing and revision of contingency plans |
| NYDFS 23 NYCRR 500.16 | Annual testing of incident response and BCDR plans with critical staff |
| FTC Safeguards Rule (16 CFR 314.4(h)) | Written incident response plan with post-event evaluation and revision |
| SEC Regulation S-K Item 106 | Board oversight of cyber risk management disclosed publicly |

None of these frameworks mandates a TTX AAR by name, but all of them expect documented testing, improvement tracking, board-level reporting, and evidence of remediation.
What Goes Into a TTX After-Action Report: A Practical Template
Every AAR should contain six core components, regardless of exercise scenario or organization size.
Cover Page and Exercise Overview
Capture the basics upfront:
- Exercise name, date, and location (or virtual platform)
- Scenario summary in two to three sentences
- Participating teams, roles, and named facilitator
- Document classification (internal, confidential, board-restricted)
This section creates the paper trail that regulators and auditors look for when validating that an exercise occurred.
Executive Summary and Key Takeaways
Write this section for a board member, not a security analyst. It should:
- Fit on one page
- Contain 3–5 plain-language takeaways
- Offer a brief assessment of overall readiness posture
- List the top corrective priorities
No technical jargon. No acronym soup. If your general counsel can't read it in three minutes and understand what needs to happen, rewrite it.
Exercise Design and Objectives
Document the stated objectives, scenario phases, and methodology. This section serves two purposes: it provides context for interpreting the findings, and it creates a baseline for measuring improvement in future exercises. Capture at minimum:
- Stated objectives for each phase
- Scenario design and inject sequence
- Methodology (discussion-based, functional, hybrid)
- Baseline metrics or maturity markers you're testing against
Phase-by-Phase Observations and Findings
This is the analytical core of the document — the section that separates a useful AAR from a compliance checkbox. Structure findings by exercise phase and organize them thematically. For each phase, capture:
- What decision points were reached
- How participants actually responded (not how the plan says they should)
- Where escalation broke down or stalled
- Where communication failed or was delayed
- Where plans and reality diverged
The Institute for Security and Technology's Counter Ransomware Initiative AAR provides a useful thematic pattern, organizing findings around information sharing gaps, coordination and operational friction, and victim-centric response failures. That structure translates well to most enterprise exercises.
Gaps, Strengths, and Recommendations
Use a three-column structure:
| What Worked | Gap or Failure | Corrective Action |
|---|---|---|
| Reinforce and document | Risk that must be addressed | Specific task, named owner, deadline |
One rule: vague recommendations are not actionable. "Improve communication" cannot be assigned or measured. "Update the incident response plan to assign communication authority to the CISO by Day 2 of a declared incident, owned by [Name] and due by [Date]" can be.

Appendices
Include supporting materials that substantiate the findings:
- Participant list with roles
- Scenario injects used during the exercise
- Exercise timeline
- Relevant policies or plans that were tested
- Decision logs captured in real time during the exercise
How to Write a Tabletop Exercise After-Action Report Step-by-Step
Step 1: Capture Observations During the Exercise
Assign a dedicated observer role — someone who is not a participant and whose only job is documentation. They should log decision points, hesitations, notable exchanges, and gaps in real time using a structured template. Free-form notes miss the details that matter most.
Step 2: Conduct the Hot Wash Immediately After
Hold a structured 30-to-60-minute debrief the moment the exercise closes. Prompt participants with three questions:
- What went well?
- What broke down or created friction?
- What did you wish you had known or had available?
Capture responses verbatim. This raw input becomes the source material for the AAR.
Step 3: Analyze and Categorize Findings by Theme
Move from raw observations to structured findings. Group issues by category:
- Decision rights — who had authority, who didn't, where it was ambiguous
- Escalation paths — where notifications stalled or went to the wrong person
- Communication — internal and external messaging gaps
- Technical capability — tools, access, or data that were unavailable
- Third-party dependencies — vendor or partner response gaps
Assign a severity or priority level to each, and identify whether the root cause is a people, process, or technology issue. That categorization drives the corrective action plan.
Step 4: Draft the AAR and Validate with Participants
Draft the AAR within five business days. Circulate it to exercise participants for factual accuracy before finalizing. The CISO or exercise lead should sign off before distribution.
The AAR is not a blame document. Keep the tone diagnostic and improvement-focused throughout. If participants believe the report assigns fault, future exercises produce sanitized, risk-averse responses — which defeats the purpose entirely.
Step 5: Present Findings to Leadership and Assign Action Owners
Present AAR findings to the board or executive leadership within ten business days. Follow this structure:
- Lead with the executive summary
- Present the top 3–5 gaps framed as business risks, not technical issues
- Propose corrective actions with named owners
- Attach 30/60/90-day milestones to each item
- Schedule a follow-up checkpoint before the next board cycle

Findings without owners and deadlines are observations. To become commitments, each item needs a name, a date, and a defined standard for what "done" means. Tyson Martin's advisory work emphasizes this directly: "Vendor committed to fix" is not done. "Evidence received and validated" is done.
Common Mistakes That Make AARs Ineffective
Even well-written AARs fail. Here are the patterns that kill them.
Filing it and moving on. Findings get documented, distributed, and then deprioritized when the next operational priority lands. Every corrective action needs a named owner, a deadline, and a scheduled check-in back to leadership — not a one-time distribution.
Vague findings that can't be assigned. "Communication needs improvement" and "roles were unclear" are observations, not corrective actions. Every finding must translate into a specific, testable task. If you can't assign it to a person with a deadline, rewrite it.
Writing for a technical audience only. If the board member, general counsel, or CFO can't read the executive summary and understand what it means for the business, the AAR won't drive governance-level decisions. Technical detail belongs in the appendices. The executive summary belongs to the decision-makers.
Skipping the hot wash. Without an immediate structured debrief, observations fade fast. The nuance of who hesitated, what was said, and where the room went quiet disappears within 48 hours. Skip it and you're writing the AAR from memory, not evidence.
Turning AAR Findings Into Actionable Governance Improvements
Completing the AAR moves nothing forward on its own. The real measure is closed corrective actions and updated governance artifacts.
Building the Corrective Action Plan
Prioritize gaps by two factors: risk severity and feasibility. High-severity, high-feasibility items go in the 30-day window. Longer-lead structural changes go in the 60- or 90-day window. Each item needs:
- A named owner (not a team — a person)
- A specific deadline
- A defined evidence standard for closure
- Integration into the organization's existing risk register or governance reporting
Without that integration, AAR findings disappear after the initial debrief.
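The rules above (a named person rather than a team, a deadline derived from severity and feasibility, and a stated evidence standard for closure) can be enforced mechanically before findings enter the risk register. The Python below is an added example, not code from the article or from any advisory practice it mentions; the severity and feasibility labels, the team-word heuristic, and the sample findings and AAR date are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Assumption: an owner whose last word is one of these names a group, not a person.
TEAM_WORDS = {"team", "group", "department", "committee", "it", "security", "vendor", "soc"}

@dataclass
class CorrectiveAction:
    finding: str
    owner: str              # a named person
    severity: str           # "high" | "medium" | "low"
    feasibility: str        # "high" | "medium" | "low"
    evidence_standard: str  # what "done" must look like (validated evidence, not a promise)

def validate(action):
    """Return the reasons this item is still an observation rather than a commitment."""
    problems = []
    words = action.owner.strip().lower().split()
    if len(words) < 2 or words[-1] in TEAM_WORDS:
        problems.append("owner must be a named person, not a team")
    if len(action.evidence_standard.split()) < 3:
        problems.append("closure evidence standard is missing or vague")
    return problems

def window_for(action):
    """High severity + high feasibility -> 30 days; longer-lead items -> 60 or 90."""
    if action.severity == "high" and action.feasibility == "high":
        return "30"
    if action.severity == "high" or action.feasibility == "high":
        return "60"
    return "90"

def build_plan(actions, aar_date):
    """Reject unassignable items, then give every remaining one a concrete due date."""
    plan = []
    for a in actions:
        if problems := validate(a):
            raise ValueError(f"{a.finding}: {'; '.join(problems)}")
        w = window_for(a)
        plan.append({"finding": a.finding, "owner": a.owner, "window": w,
                     "due": aar_date + timedelta(days=int(w))})
    return sorted(plan, key=lambda p: p["due"])

# Constructed sample findings and AAR date (not taken from the article).
AAR_DATE = date(2024, 1, 15)
ACTIONS = [
    CorrectiveAction("Communication authority ambiguous after declaration", "Jane Doe",
                     "high", "high", "Revised IR plan section approved and distributed"),
    CorrectiveAction("No pre-engaged outside counsel", "Rahul Mehta",
                     "high", "low", "Signed retainer on file and contact tree updated"),
]
```

An item owned by "Security Team" or lacking an evidence standard raises before it can be scheduled, which is the point: it is not yet a commitment.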
Which Governance Artifacts to Update
TTX findings should drive changes to specific documents — the ones that either hold or fail in a real incident:
- Incident response plan — decision rights, notification sequences, who calls the board and when
- Escalation thresholds — at what dollar value, downtime duration, or data sensitivity level does the response tier change
- Decision authority matrices — who approves exceptions, who can shut systems down, who owns vendor go/no-go decisions
- Communication trees — contact lists, pre-approved vendors, outside counsel engagement protocols
- Vendor notification procedures — which third parties must be notified, in what order, and within what timeframe

FEMA's HSEEP guidance treats the improvement plan as a dynamic document, continually updated as corrective actions close and new exercises surface new gaps. In practice, this means scheduling the next exercise before the current AAR cycle fully closes — so momentum doesn't stall between reviews.
When to Bring in Outside Help
For boards and executive teams who want to move from documentation to execution, working with a board-level cyber advisor can help translate AAR outputs into governance improvements that hold.
This matters most when exercises surface systemic gaps: breakdowns in decision rights, escalation authority, or board-level communication protocols that require governance redesign, not just policy edits.
Tyson Martin's advisory work with boards and risk committees specifically addresses this gap: converting tabletop outcomes into board-ready governance improvements, clear decision rights, and inspectable 90-day remediation plans that give leadership a concrete framework to review and hold management accountable against.
Frequently Asked Questions
What is the difference between a hot wash and an after-action report?
The hot wash is an immediate verbal debrief held right after the exercise to capture initial reactions while the room is still fresh. The AAR is the formal written document produced afterward that structures those observations into findings, gap analysis, and a corrective action plan with named owners.
Who should be responsible for writing the tabletop exercise after-action report?
The AAR is typically written by the exercise facilitator or a designated scribe working closely with the CISO or security lead. It should be reviewed by exercise participants for factual accuracy before the CISO signs off and distributes it to leadership.
How long after a tabletop exercise should the AAR be completed?
Draft the AAR within five business days while observations are still accurate. Finalize and distribute within ten business days to maintain momentum on corrective actions and keep ownership assignments from going cold.
What sections should every tabletop exercise after-action report include?
Every AAR should cover the exercise overview, an executive summary, phase-by-phase findings, identified gaps and strengths, and a corrective action plan with named owners and deadlines. The full structure — including required appendices — is detailed in the template above.
How do you present tabletop exercise AAR findings to a board of directors?
Lead with the executive summary in plain language, frame gaps as business risks rather than technical issues, and present a prioritized corrective action plan with named owners and 30/60/90-day milestones. The goal is a governance decision — not a technical briefing.
Can a tabletop exercise after-action report satisfy regulatory or compliance requirements?
Yes — a well-documented AAR with a corrective action plan serves as evidence of due diligence under frameworks including NIST CSF, HIPAA, and the SEC's cybersecurity disclosure rules. Documentation and retention requirements vary by industry, so confirm the specifics with your legal or compliance team before submission.