Most organizations still run tabletop exercises and detection tests in isolation. It looks structured; it looks mature; it gives leaders something to show. It isn’t readiness.
Readiness does not come from polished scenarios executed in separate silos. Real readiness comes when you pair a tabletop exercise (TTX) with a tactics-techniques-procedures (TTP) replay so one exposes the cracks and the other verifies the fixes.
Anything less is guesswork.
Tabletop Exercises: They Expose the Human and Process Gaps
A tabletop is not a performance. It’s not about reciting the incident response plan. It’s about surfacing the breakdowns that only appear under pressure:
- Who freezes when decisions get messy
- Who over-communicates or under-communicates
- Which escalation paths fail
- Where regulatory or contractual reporting gets missed
- Which decisions drag or never get made
Tabletops strip away the illusion of coordination. They reveal organizational muscle memory — or the lack of it. That includes political friction, processes that look clean on paper but fall apart in motion, and assumptions about tools, data, or ownership that collapse under real threat pressure.
Tabletops test people and playbooks. They answer the question:
If this attack lands, can we coordinate a response at all?
What they don’t answer:
Did your security stack ever detect the attack in the first place?
TTP Replay: It Shows What Your Controls Actually Do
While TTX asks “Can we respond?”, TTP replay asks “Can we detect and stop what matters?”
Replay real adversarial behaviors — not canned demos:
- Ransomware staging
- Living-off-the-land pivots
- Credential theft and reuse
- Cloud privilege escalation
- Data exfiltration through approved channels
Then ask the questions that actually matter:
- Did the controls fire?
- Did the SOC see it?
- Did logging exist where you assumed it did?
- Did detection rules find the signal or drown in noise?
- Did your product stack behave the way the vendor promised?
TTP replay turns “we think we would catch that” into “here is what the telemetry shows.”
It’s the difference between believing you’re secure and proving it.
Why You Need Both
Run only a TTX and you improve plans.
Run only a TTP replay and you improve detections.
Run them together and you uncover the truth.
When you pair the two:
- Leadership sees where decisions bottleneck
- Engineers see exactly where detections fail
- Both groups see the same attack from different angles
- Controls are validated, not assumed
- Readiness becomes evidence-backed
One exercise works the brain of the organization.
The other works the nervous system.
TTX exposes the cracks.
TTP replay verifies the fixes.
Together, they create a defensible, data-backed security posture.
A Practical Way To Combine TTX and TTP Replay
You don’t need a large program. You need one real scenario and discipline.
- Pick a real threat scenario
  - Ransomware in a specific business unit.
  - Compromise of a critical SaaS provider.
  - Cloud identity misuse.
- Run the tabletop
  - Capture assumptions, decisions, owners, and escalation paths.
- Convert the scenario into a TTP playbook
  - Define the exact attacker behaviors relevant to your environment.
- Replay the TTPs against your environment
  - Collect alert data, logging visibility, detection gaps, and response times.
- Map the telemetry back to the tabletop
  - Show what was assumed versus what the stack actually did.
- Fix and re-test
  - Tune detections.
  - Update playbooks.
  - Clarify ownership.
  - Re-run targeted portions to confirm improvement.
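One way to do the "map the telemetry back to the tabletop" and "fix and re-test" steps, as an added example that is not Lares tooling. The technique IDs are MITRE ATT&CK; the field names, status labels, owners, and time limits are hypothetical, and the sample data is constructed.

```python
# Constructed sample data; technique IDs are MITRE ATT&CK, field names are hypothetical.
# Tabletop output: what the room assumed for each behavior in the TTP playbook.
TTX_ASSUMPTIONS = [
    {"ttp": "T1490", "name": "Inhibit system recovery", "owner": "SOC", "sla_min": 15},
    {"ttp": "T1003", "name": "OS credential dumping", "owner": "SOC", "sla_min": 15},
    {"ttp": "T1078", "name": "Valid accounts (cloud)", "owner": "Cloud team", "sla_min": 30},
    {"ttp": "T1567", "name": "Exfiltration over web service", "owner": "SOC", "sla_min": 30},
    {"ttp": "T1486", "name": "Data encrypted for impact", "owner": "SOC", "sla_min": 10},
]
# Replay output: what the stack and the responders actually did.
REPLAY_RESULTS = {
    "T1490": {"logged": True, "alerted": True, "triaged_by": "SOC", "triage_min": 9},
    "T1003": {"logged": True, "alerted": False, "triaged_by": None, "triage_min": None},
    "T1078": {"logged": False, "alerted": False, "triaged_by": None, "triage_min": None},
    "T1567": {"logged": True, "alerted": True, "triaged_by": "IT helpdesk", "triage_min": 140},
}

def classify(assumed, observed):
    """Return the first point at which reality diverged from the tabletop assumption."""
    if observed is None:
        return "not replayed"
    if not observed["logged"]:
        return "logging gap"
    if not observed["alerted"]:
        return "detection gap"
    if observed["triaged_by"] != assumed["owner"]:
        return "ownership gap"
    if observed["triage_min"] is None or observed["triage_min"] > assumed["sla_min"]:
        return "response-time gap"
    return "confirmed"

def map_replay_to_tabletop(assumptions, results):
    """Map telemetry back to the tabletop: one finding per assumed behavior."""
    return [{"ttp": a["ttp"], "name": a["name"], "assumed_owner": a["owner"],
             "status": classify(a, results.get(a["ttp"]))} for a in assumptions]

def retest_queue(findings):
    """Fix and re-test: everything not confirmed by telemetry gets replayed again."""
    return [f["ttp"] for f in findings if f["status"] != "confirmed"]

if __name__ == "__main__":
    findings = map_replay_to_tabletop(TTX_ASSUMPTIONS, REPLAY_RESULTS)
    for f in findings:
        print(f'{f["ttp"]:6} {f["name"]:32} {f["status"]}')
    print("re-test:", ", ".join(retest_queue(findings)))
```

The checks run in pipeline order, so each behavior is reported at the earliest stage where it failed: a logging gap hides any detection or ownership problem behind it until the logging is fixed and the behavior is replayed again.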
This loop produces:
- Sharper decision playbooks
- Cleaner telemetry
- Evidence leadership can defend to boards, auditors, and regulators
- Teams that collaborate more and learn from each other
The gap is real. Organizations self-assess their readiness at 94 percent but achieve only about 22 percent accuracy in realistic decision drills — and take a median 29 hours to contain simulated attacks (Immersive, 2025).
Where Lares Fits
This is the work Lares teams focus on every day.
We design the tabletop.
We design the TTP replay.
We tie both together into one narrative of proof.
You see how an attack behaves in your world — from leadership decisions down to raw telemetry. You see what fails, what works, and what must change.
Our goal is simple:
Expose the cracks.
Verify the fixes.
Demonstrate real readiness.
That’s what a defensible security posture looks like.
References
Immersive. (2025, November 17). Overconfidence is the new cyber risk: Immersive’s 2025 Cyber Workforce Benchmark Report exposes a global readiness illusion. Business Wire. https://www.businesswire.com/news/home/20251117812771/en/
Contributors: Mark Arnold (VP Advisory Services); Michael Crouch (Adversarial Collaboration, Purple Team Engineer); Andrew Heller (Marketing Manager)