Plans and facilitates tabletop exercises simulating ransomware incidents to test organizational readiness, decision-making, and communication procedures. Designs realistic scenarios based on current ransomware threat actors (LockBit, ALPHV/BlackCat, Cl0p), injects covering double extortion, backup destruction, and regulatory notification requirements. Evaluates participant responses against NIST CSF and CISA guidelines. Activates for requests involving ransomware tabletop, incident response exercise, or ransomware readiness drill.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-ransomware-tabletop-exerciseExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-ransomware-tabletop-exercise from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-ransomware-tabletop-exercise. Access via /performing-ransomware-tabletop-exercise in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-ransomware-tabletop-exercise |
| description | 'Plans and facilitates tabletop exercises simulating ransomware incidents to test organizational readiness, decision-making, and communication procedures. Designs realistic scenarios based on current ransomware threat actors (LockBit, ALPHV/BlackCat, Cl0p), injects covering double extortion, backup destruction, and regulatory notification requirements. Evaluates participant responses against NIST CSF and CISA guidelines. Activates for requests involving ransomware tabletop, incident response exercise, or ransomware readiness drill. ' |
| domain | cybersecurity |
| subdomain | ransomware-defense |
| tags | - ransomware - incident-response - tabletop-exercise - defense - preparedness |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.DS-11 - RS.MA-01 - RC.RP-01 - PR.IR-01 |
Do not use as a substitute for technical controls testing. Tabletop exercises validate procedures and decision-making, not technical detection or prevention capabilities.
Build a realistic scenario based on current threat actor TTPs:
Scenario Structure:
Phase 1: Initial Detection (30 min)
- SOC receives alert for suspicious process execution on file server
- EDR detects Cobalt Strike beacon on 3 workstations
- Inject: External threat intel report links C2 IP to LockBit affiliate
Phase 2: Escalation (30 min)
- Ransomware executes on 40% of servers during overnight hours
- Ransom note demands $2M in Bitcoin with 72-hour deadline
- Inject: Attackers contact media claiming data theft of customer PII
Phase 3: Decision Points (45 min)
- Backup assessment reveals immutable copies are intact but primary backups encrypted
- Legal advises on breach notification timeline (72 hours GDPR, varies by US state)
- Inject: Threat actor publishes sample of stolen data on leak site
Phase 4: Recovery and Communication (45 min)
- Recovery time estimate: 5-7 days from immutable backups
- Insurance carrier engages negotiation firm
- Inject: Major customer threatens contract termination without update within 24 hours
Scenario Variables to Customize:
Create the following documents for participants:
Key Decision Points to Include:
Facilitator Responsibilities:
Probing Questions by Phase:
Phase 1 - Detection:
Phase 2 - Escalation:
Phase 3 - Decision:
Phase 4 - Recovery:
Score each functional area against defined criteria:
| Evaluation Area | Score (1-5) | Criteria |
|---|---|---|
| Detection & Escalation | Timely incident declaration, proper chain of command | |
| Containment | Network isolation, credential reset, scope assessment | |
| Communication - Internal | Employee notification, executive briefing, documented decisions | |
| Communication - External | Regulatory notification, customer communication, media response | |
| Recovery Planning | Backup verification, recovery priority, RTO tracking | |
| Legal & Compliance | Breach notification timelines, evidence preservation, law enforcement engagement | |
| Business Continuity | Manual operations, customer impact mitigation, revenue loss estimation | |
| Payment Decision | Structured framework, legal review, OFAC sanctions check |
Produce an after-action report (AAR) within 5 business days:
AAR Contents:
| Term | Definition |
|---|---|
| Tabletop Exercise (TTX) | Discussion-based exercise where participants walk through a simulated incident scenario to test plans and procedures |
| Inject | New information introduced during the exercise to change the scenario and force additional decision-making |
| SITREP | Situation Report providing current status of the simulated incident at each exercise phase |
| After-Action Report (AAR) | Post-exercise document capturing findings, gaps, strengths, and remediation actions |
| Double Extortion | Ransomware tactic where attackers both encrypt data and threaten to publish stolen data unless ransom is paid |
| OFAC Check | Verification that ransom payment recipient is not on the US Treasury OFAC sanctions list, which would make payment illegal |
Context: A 5-hospital healthcare system conducts an annual ransomware tabletop. Previous exercise revealed gaps in HIPAA breach notification and clinical system recovery priority. This year's scenario simulates a double extortion attack targeting the EMR system.
Approach:
Pitfalls:
## Ransomware Tabletop Exercise - After Action Report
**Exercise Date**: [Date]
**Facilitator**: [Name]
**Scenario**: [Brief description]
**Duration**: [Hours]
**Participants**: [Count by department]
### Exercise Objectives
1. [Objective] - Met / Partially Met / Not Met
2. [Objective] - Met / Partially Met / Not Met
### Key Decisions Log
| Time | Decision Point | Decision Made | Rationale | Assessment |
|------|---------------|--------------|-----------|------------|
### Strengths Observed
1. [Strength]
### Gaps Identified
| Gap | Severity | Affected Area | Current State | Desired State |
|-----|----------|--------------|---------------|---------------|
### Remediation Actions
| Action | Owner | Deadline | Priority | Status |
|--------|-------|----------|----------|--------|
### Comparison to Previous Exercise
| Area | Previous Score | Current Score | Trend |
|------|---------------|--------------|-------|
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Registry listing for performing-ransomware-tabletop-exercise matched our evaluation — installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: performing-ransomware-tabletop-exercise is focused, and the summary matches what you get after install.
performing-ransomware-tabletop-exercise has been reliable in day-to-day use. Documentation quality is above average for community skills.
performing-ransomware-tabletop-exercise reduced setup friction for our internal harness; good balance of opinion and flexibility.
We added performing-ransomware-tabletop-exercise from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
performing-ransomware-tabletop-exercise fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Solid pick for teams standardizing on skills: performing-ransomware-tabletop-exercise is focused, and the summary matches what you get after install.
We added performing-ransomware-tabletop-exercise from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
performing-ransomware-tabletop-exercise fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Solid pick for teams standardizing on skills: performing-ransomware-tabletop-exercise is focused, and the summary matches what you get after install.
showing 1-10 of 67