Cyber tabletop exercise tool - Research & design
TryHackMe is a leading online, cloud-based cybersecurity training platform, used by individuals and academic institutions. It has over 4 million users and clients from top Fortune 400 companies, some of whom I had the chance to speak with about the project I was working on.
Tabletop Exercise (TTX) is a simulated threat exercise where participants discuss incident scenarios in a safe environment, offering an opportunity for practice.
❗Problem
Running cyber exercises is costly and time-consuming, they often miss the chance to test and improve their team’s response. As a result many companies aren’t ready for cyber attacks and end up taking bigger hits than necessary.
😫 "We would run more exercises if we had the resources. Without them, we stay underprepared…".
👑 My Role
I was hired as a contractor after TryHackMe’s co-founder, Ashu, heard this challenge from clients and wanted to explore it further. I conducted discovery research to define the problem and worked with teams across customer success, content, SMEs, and LLM experts. I shared insights, designed solutions, and iterated based on feedback.
⚙️ Methods used
🔎
Research
Desk study
Surveys
Competitors' solutions review
Interviews (users, clients & SMEs)
Contextual inquiry
🎯
Define
Affinity diagram
Personas
⚙️
Ideate
Task flows
Sketch
HMW workshop
🎨
Design
MVP
Concept testing & iteration
Low & high-fi designs
🎯 Research Goals
We kicked things off with desk and internal research, reading studies, blogs, watching videos, checking out conference talks, and spending a lot of time on Reddit (soon Reddit became my best buddy).
We were lucky to have some of our cybersecurity experts who helped us make sense of TTX: what it actually is, who’s involved, what challenges they face, and the language they use. That helped us figure out where to focus our research.
Companies: Understand why companies often neglect tabletop exercises.
Research Methods: Survey, Client interviews, Contextual enquiries
Competitors: Understand available solutions and their pros and cons.
Research Methods: Competitive analysis, Client interviews
Participants: Understand the pain points of participants and facilitators in tabletop exercises.
Research Methods: User interview, Survey, Contextual enquiries
🤔 Hypothesis
The desk and internal research gave us a solid starting point, helped identify what we still needed to learn, and allowed us to form our initial assumptions about the problem. We then created a hypothesis tree to guide our research and prioritized the key areas to focus on.
Hypothesis creation process
Screenshot from the hypothesis creation process.
TTXs are seen as expensive because they take a lot of time and people, so companies don’t run them as often as recommended.
Hypothesis 1
TTXs depend heavily on the moderator’s skill, which makes them stressful and hard to manage.
Hypothesis 2
It’s hard to measure how well people do in TTXs, so companies struggle to show clear results and thus see value.
Hypothesis 3
Some companies don’t think they’ll be attacked, so they don’t see TTXs as worth the time or cost.
Hypothesis 4
❓Survey
Even though we knew upfront that we wouldn’t have enough participants for super statistically significant data, given how niche our market was, we still ran the surveys to get ideas and figure out where to focus next. They also helped us collect contact info for follow-up interviews. We ran two surveys:
One for our clients about their challenges and opinions on TTX (thanks to our Customer Success team for helping share it).
One for TTX participants, shared through our Discord channel.
Some screenshots from the survey results
🔍 Research & Contextual Inquiry
Since presentation-style TTX exercises are the most common, we decided to go through one ourselves, from start to finish, to understand how they work and where things break down.
We brought in the MWR team to plan and run it. The full process had seven steps: initial call, onboarding doc, slide creation, artifacts, CSIRT TTX, CMT TTX, and the evaluation debrief. This wasn’t an easy decision, since it was quite expensive to hire the team and dedicate our tech team and executives for two full days, four-hour sessions each.
We sat in on all seven calls (4–7 hours each), asking questions and watching them build the materials live. It gave us a real feel for the work facilitators do.
It was a big effort, but the hands-on experience was worth it. Afterward, I mapped out all the steps and challenges we faced along the way.
User flow based on all our research
💬 User & Client interview Affinity diagram
We started with broad questions about the purpose and goals of TTX, then moved into specific challenges and pain points. We didn’t stop interviewing, even while sketching ideas, each round helped us test or adjust what we were thinking.
Recruiting TTX users or facilitators was tough, there just aren’t that many companies running TTXs, which is part of the problem we’re trying to solve. Luckily, our customer success team was amazing. They helped us bring in participants, including some tech giants.
In total, we had 10 interviews. These were remote, semi-structured interviews, each lasting 40 minutes to an hour. Some patterns started to emerge as early as the second interview.
⚖️ Competitive review
This was one of those steps in our process that we never fully started or finished—it was ongoing while we were coming up with the idea, researching, defining, and designing the solution.
Our competitors kept their products pretty hidden. We had to dig through Vimeo and YouTube to find anything, and some videos had fewer than 10 views (mostly from our team, I bet). We also read Reddit threads, joined Discord discussions, and tested the most commonly mentioned formats ourselves—like the Dungeons & Dragons-style TTX.
Ironically, our biggest competition is PowerPoint. But if everyone agrees slide decks are boring, why are they still the default? It’s not clear why others haven’t nailed it.
After identifying the key needs and pain points, we took another look at competitor products. This time, instead of doing my usual SWOT or feature comparison, I focused on how each product actually solves the problems we uncovered.
👽 Personas
When we began our research, we started with persona hypotheses and assumptions. After the interviews, we updated the personas based on what we learned, and this is what we created.
CSIRT TTX participant: Handles the technical side of the cyber crisis, like SOC simulations, forensics, and IT systems.
Crisis Management TTX participant: Focuses on fast decision-making and managing the response during the crisis.
Facilitator: Plans the TTX, builds the storyline, runs the session, keeps the team on track, and evaluates how it went.
TTX Customer: Decides whether to buy or approve the use of the TTX product.
CSIRT TTX PARTICIPANT
Responsabilities
Uses technical tools and simulations to detect, contain, and eradicate an attack
Refers to playbooks to ensure actions are aligned with procedures
Communicates with teammates to find solutions
Reports findings to higher management
Escalates to Crisis Management team
Keeps track of time to ensure tasks are completed within the deadline.
"If the scenario is not relevant to the organization, it's very easy to loose focus."
Goals and needs
Hands-on experience with simulations and relevant context.
Identify potential gaps in the organization’s incident response plans.
Improve coordination and communication with team members during incidents.
Test and improve the effectiveness of existing incident response plans and tools/
Problems
Shy and uncomfortable speaking in front of large teams.
Finds sessions that are too theoretical or slide-based to be unengaging and less useful.
Frustrated when TTX tools and simulations don’t accurately reflect real-world environments or when they malfunction.
🧠 "How Might We" workshop
Based on the pain points from our research, we ran a "How Might We" (HMW) workshop to list possible solutions for problems participants and facilitators face during TTX. Since there were many challenges, we focused on the ones that matched our main hypotheses. Later, these HMWs...
🔀 Task Flows
All the research and brainstorming led to the next step: creating simple task flows for our key processes to help me start sketching solutions. Ashu (our co-founder and key stakeholder in this product), Marta (our head of content engineering), our product manager Dan, and I spent a full day together to align on what the product could be. We had a lot of important discussions, especially around the CSIRT and CMT exercise flows.
Key decisions made:
We’re building a product to test the full TTX lifecycle, including CSIRT and CMT, with two connected exercises and escalation.
For the MVP, we’ll start with the CSIRT exercise.
Exercises will be generated by AI.
The exercise will be based on the NIST framework.
The facilitator role will be replaced by AI.
We are aiming for open-ended AI-driven discussion.
Ai will give instant evaluation and lessons learned after the exercise.
✍🏻 Skething
Sketching is my favorite part. It doesn’t even feel like work. I sketch ideas everywhere: on the bus, train, plane, even while waiting at the doctor’s office. The tricky part is I end up with so many sketches that it’s hard to decide what to share with the team and what to keep in the vault.
Here are some examples I sketched for the CSIRT TTX exercises:
💨 MVP with Bolt.new
We used the Bolt.new prompt-to-code tool to build a simple MVP version of our idea, showing real-time AI interaction with participants and generating scenarios.
While it sounded great, we ran into a lot of bugs, like the AI accepting any answer as correct, and it took some time to figure things out.
I got a lot of help from our prompt engineer and content engineers to make sure the AI generated adequate scenarios for testing.
An MVP created with using bolt.new.
🧪 Concept testing
With help from our CE team, we brought in another round of clients to test our quick MVP and value prop. We ran 10 interviews with cyber teams from major companies across different maturity levels.
The big win: clients were excited, asking, “When can we use this?” and “We’d start as soon as it’s ready.”
The main concern: AI behavior, accuracy, and trust.
Positive feedback
They love the idea. Client #2 summed it up well: “It’s not something you couldn’t do on your own, it’s something you don’t have time to do on your own.”
Running the TTX through a chat with AI got positive feedback. Some were cautious about accuracy, but as client #5 put it: “If you get the accuracy right and AI doesn’t hallucinate, I’m down for it and ready to use tomorrow.”
The flow for creating scenarios, the questions, and the time-steps all got
great feedback.
The tools / network diagram gets a lot of ”wow”s :D ! even though a few suggested extra tools.
The evaluation also gets a lot of positive feedback. Client #3 said “It would take us a long time to create this numbers at this level, this is very useful. “ and comments like this we heard from other clients as well.
Surprisingly, some clients said they’d be open to uploading their playbooks (after removing sensitive info) to create more custom scenarios.
Negative feedback
If every exercise ends in escalation, it might feel like the technical team always fails, which could be discouraging.
The product is very different from what's commonly used (like PowerPoint), which could make adoption and trust harder.
AI hallucinations and lack of trust in AI are real concerns. Client #8 said “At some point I am going to be nervous about what is this Ai going to spit out to my team members, employees, I am nervous how is AI going to engage them, what is going to demand of them”
Using AI in cybersecurity training might worry customers due to security risks. 2 clients said they can’t use AI tools for security reasons, but one said, “We don’t use anything that doesn’t have AI.”
The rational behind the company health metrics, and evaluation criteria how transparent it will be.
Writing might be too much for some participants, one suggested voice-to-text-to-voice.
🎨 Final screens
Based on the feedback from the concept testing, I did a ton of tweaking when designing Release 1. The main two edits are below:
For the first release, we’re starting with multiple-choice questions from AI instead of open-ended ones, easier to manage and reduces the risk of hallucinations.
We’ll offer up to five scenarios, created by our content engineers, so the TTX initiator can choose one before using AI to generate new ones.
Some flows needed low-fidelity designs first, but for parts like TTX generation, I went straight to high-fidelity. It’s early, so there’ll be plenty of tweaks and feedback. Having a component library helped speed things up.
Scenario Selection: Users can either choose from pre-made scenarios or generate a new one.
Scenario Generation: To generate a custom scenario, the TTX initiator answers a few questions, which the AI uses to create it.
Lobby Page: Participants can review the scenario, roles, and structure of the exercise. They can also invite others and assign roles.
Participant Invitation: When inviting participants, the initiator can assign roles to each person.
Exercise Page: Users track their progress, pick answers, view participants, and check who has voted. The left side shows the evolving narrative with artifacts.
Vote results & instant feedback: Once everyone votes, they see how their choices affected the exercise in real time.
Evaluation Generation Page: Shows the evaluation process as it's being built.
Evaluation Page: Offers both team and individual assessments, with a summary and a detailed section-by-section breakdown. The “lessons learned” section is one of the most important parts.
Live Product
📝 Lessons learned
This project was complex, with multiple personas, each having different pain points, and quite a few risks. Still, we had great collaboration with content engineers, SMEs, clients, top management, and customer success. That said, there were a few things we could have prevented, like these:
Interviewing users with strong client bias limited the diversity of insights. Having Ashu on some calls might have introduced bias, as users may have felt less comfortable sharing honest feedback.
Having Ashu, our co-founder on some calls might have introduced bias, as users may have felt less comfortable sharing honest feedback.
We didn’t assess Ai and technical feasibility early enough, which led to avoidable iterations.
Aligning product design with content engineering, dev and LLM teams sooner would have streamlined the process.
💬 Feedback From My Supervisor
I had the pleasure of working with Tsov on a particularly complex and ambitious project at TryHackMe. She led the end-to-end discovery, user research, and prototyping for a major new product initiative, taking on a scope that spanned well beyond core design work.
Tsov conducted user interviews, researched adjacent products, and gathered insights to shape our strategy. She wore multiple hats — not just as a designer building wireframes, mockups, and clickable prototypes, but also stepping into a product management role to scope features, manage stakeholders, and drive the project forward. She even used AI tools like Bolt to build functional MVPs we could test with real users.
Throughout the project, Tsov was highly self-organized, adaptable, and proactive. She worked independently where needed but was also a strong collaborator across our team. Despite the complexity and steep cybersecurity learning curve, she handled challenges with creativity, initiative, and a positive attitude.
I’d happily recommend Tsov to any team looking for a talented, flexible designer who can take ownership, communicate clearly, and deliver high-quality work from concept through to launch.