Free Whitepaper · Instant Download

You Played the Game.
Now Build the Program.

You've seen what a well-run tabletop exercise pulls out of a room. This guide shows you how to turn that into a service your clients pay for every year and thank you for every time an incident doesn't spiral.

Download the Free Guide
100% free. No form. No email required.
5M+: SMBs with cyber insurance who have never practiced their response plan
90 min: Average exercise runtime. No systems touched. No live environment at risk.
5–15%: Cyber insurance premium credits available for documented exercise history
4: Major regulatory frameworks now requiring documented IR testing

Inside the Guide

Everything You Need to Get Started

Written for MSP teams who want to add tabletop exercises as a recurring, billable service. Straight to the point, with nothing you have to filter out.

🎯
The Business Case
Five million-plus small businesses carry cyber insurance they have never tested. The guide explains why that gap exists, what it costs them when an incident hits, and how to frame that conversation with your clients.
⚙️
What a Program Looks Like
The guide walks through the 90-minute exercise format, who belongs in the room, and what you produce at the end: a findings report, compliance documentation, and a clear record of your role in helping the client fix what the exercise exposed.
📋
The Onboarding Advantage
MSPs who run a tabletop during onboarding close more project deals and lose fewer clients to competitors. The exercise shows the client what their gaps actually are, and it shows them who found those gaps.
⚖️
Regulatory Requirements
PCI-DSS 4.0, HIPAA, GLBA Safeguards, and CMMC now explicitly require documented IR testing. The guide breaks down exactly what each framework mandates so you can have an informed risk conversation with every client.
🛡️
The Insurance Dimension
Carriers now ask, at application and at renewal, when the organization last tested its response plan. Clients who cannot answer that question are seeing premium increases of 15 to 25 percent. Clients who can are qualifying for credits. That is a concrete number to put in front of any decision-maker.
📈
Pricing & Packaging
How to scope, price, and package tabletop exercises for your market. Covers standalone onboarding use, quarterly recurring delivery, and bundling with broader security services so you can match the model to the client.
Why Now

The Rules Changed.
Annual Exercises Are No Longer Optional.

For years, tabletop exercises were a best practice. Organizations ran them because preparedness matters. That is still true. But it is no longer the primary reason clients need to do this every year.

Multiple regulatory frameworks and the cyber insurance market now require documented evidence that organizations have tested their incident response plans. The question has moved from whether to do it to how to prove they did.

Your clients are going to get asked that question at their next renewal. The guide prepares you to answer it with them.

PCI-DSS 4.0
Annual testing, explicitly required as of March 2025
Req. 12.10.4 mandates documented IR testing. Organizations that cannot demonstrate this cannot pass a QSA assessment.
HIPAA
IR plan testing required in enforcement settlements
OCR has cited failure to test IR plans as an aggravating factor in penalty calculations and now routinely requires annual exercises as a condition of resolution agreements.
GLBA
IR program testing required for covered financial institutions
Applies beyond traditional banks. Mortgage brokers, auto dealers, tax preparers, and financial advisors all fall under the rule.
CMMC 2+
IR capabilities must be demonstrated, not just written down
Defense contractors seeking certification at Level 2 and above need to show they have actually tested their capabilities.
Heard It Firsthand

What the Community Is Saying

People who have run the game with their teams and seen what it surfaces.

★★★★★

"If y'all haven't seen what Bob Miller is doing, you really should. It's a long-form deep dive into a gamified incident response tabletop."

Wes Spencer
Co-Founder, Empath
★★★★★

"I've played the game several times and it amazes me how every single time there has been something new to learn!"

Degly Mendez
CEO, Avanzar IT Systems
★★★★★

"Beltex Insurance has been leveraging IRGame for our MSP partners and policyholders for a year now. The data does not lie — the more prepared a business is, the faster the incident gets contained, the sooner they're back to 100%, and it minimizes the cost of claims!"

Dustin Bolander
Founder, Beltex Insurance
Free Download

Ready to Build Something
Your Clients Actually Need?

Download the guide and share it with your team. The first chapter takes about 90 seconds to read and gives you everything you need to start the conversation with your next client.