The tabletop exercise has a complacency problem. Organizations run through their incident response plans, everyone nods along, and the debrief confirms what the team already knew. That’s partly by design. Traditional tabletops are organizational alignment tools, not real simulations. And because running separate sessions for technical staff, legal, executives, and operations isn’t realistic, most teams end up with a lowest-common-denominator exercise that goes just deep enough to check the compliance box.
In this episode, Cassio Goldschmidt, co-founder and CTO at Reflex Security, explains how Reflex replaces static, script-driven tabletops with adaptive AI-driven simulations that fight back, measure real human behavior under pressure, and surface the gaps that scripted exercises never reach. Joining him are Nick Espinosa, host of the nationally syndicated Deep Dive Radio Show, and Jay Wilson, CISO and CIO at Insurity.
Want to know:
- Why do traditional tabletops train teams to know the plan rather than execute under pressure?
- What’s the difference between a team that panics and a team that chokes, and why does it matter?
- How does Reflex use AI agents to adapt the simulation based on what the team actually does?
- Can you run separate tabletops for technical, legal, and executive audiences without multiplying the workload?
- Is there a risk that security leaders optimize for the AI’s score rather than genuine preparedness?
- How does an AI agent joining a video conference change the way a tabletop runs?
- How hard should training be relative to the real thing?
Check out the episode for the answers you need.
Huge thanks to our sponsor, Reflex Security

Full Transcript
[Rich Stroffolino] Welcome to Security You Should Know. I’m your host, Rich Stroffolino. Today, we’re talking with Reflex Security about what they’re doing in adversarial crisis simulations. Very exciting category here. And the problem that they’re addressing here is that traditional tabletops don’t really give great simulations of adversarial behavior. They’re more perhaps organizational tools here.
Helping us get some answers to why this is a problem here are Nick Espinosa, host of the nationally syndicated Deep Dive Radio Show, and Jay Wilson, CISO and CIO at Insurity. Nick, I’m gonna start with you. Why aren’t tabletops getting the job done when it comes to giving that kind of realistic simulation here?
[Nick Espinosa] So I think the point of a tabletop, just in general, the name of the game here is resiliency, right? To really understand that resiliency. And aside from half the leadership not showing up at the time of these exercises, I think one of the real big issues that we have is complacency, in the sense that if you’re looking at the incident response plans that an organization would put together, tabletops tend to go straight off of the incident response plans, which you know really well.
But what if something’s on a tangent that pulls part of those incident response plans together that you just really haven’t prepared for? And so having that flexibility, having that resiliency, I think is really lacking in traditional tabletops if you’re doing it incorrectly, and Lord knows a lot of them are.
[Rich Stroffolino] Jay, I’m gonna come to you next. From your perspective, do you agree with Nick here? I mean, why are we seeing tabletops maybe not quite giving us that full picture?
[Jay Wilson] Definitely agree with Nick on everything he said. The thing I would add also with tabletops is that there’s a lot of different audiences to a tabletop, right? I might have a group of technical folks that wanna go deep on a technical problem on a tabletop. I might have my legal team. I might have my operations team. I might have my executives, and I don’t have the time in the day to run 10 different tabletops.
And so what ends up happening is you end up with a lowest common denominator tabletop, where you’re maybe touching on a little bit of each of those things that I just talked about, but you’re not really going deep. And so as a result, you get less interest and engagement from each of the parties.
[Rich Stroffolino] I never really thought about that, casting the widest net possible for those, and yeah, not really getting meaningfully deep there. Fantastic. I think we understand the core of the problem here. And today we’re gonna be talking with Cassio Goldschmidt, the co-founder and CTO at Reflex Security, helping us figure out what they’re doing to improve this situation, give us that more realistic simulation here.
So to start out, Cassio, I need the answers to three essential questions. How do I explain the value of your solution to my CEO? What does your solution do and what does it not do? And give us an idea of the pricing model. Can you help us out here?
[Cassio Goldschmidt] Of course. So every practitioner knows that the biggest amplifier of a breach is not how the company was breached, but really how it responds to that breach, and that’s exactly where Reflex Security tries to help people respond better to breaches. At the end of the day, it’s a human-centric thing: we have to actually work as a team to respond to the breaches.
As for what we do, we’re the first tabletop that fights back. Tabletops started in the 800s, and basically at that time it was a game where a general played against a general. Today, we actually do executives against PowerPoints, and a lot of things are missed when you do something against a static inject-based PowerPoint, and that’s one of the main problems that we actually solve.
The other question is about the pricing model, and that’s actually the best thing in my opinion because we solve three assets: time, personnel, and budget. For budget, for the price of one tabletop, you can do as many as you want. For personnel, you can do tabletops with smaller teams because agents can take the spot of people who are not there. And for the time, it just takes a few minutes to generate the tabletop scenarios and also the reports.
[Rich Stroffolino] All right, well, we’ve gotten a taste, we’ve gotten that overview there, those preliminaries. That’s fantastic, but I’m sure there are still a lot of questions from our panelists. So Jay, I’m gonna start with you. What other questions do you have for Cassio about Reflex Security?
[Jay Wilson] What problems are you trying to solve at its core? We talked about a few different issues that Nick and I face, but when you set out to build this company, what was the “Okay, I can solve this business problem” moment? And I like to elevate it from a security problem to a business problem because security is part of the business, right?
[Cassio Goldschmidt] Yes. So from my experience as a former CISO, what happens with a tabletop is that you just discuss the incident response plan, and you really don’t simulate things, so you’re actually missing quite a lot. So for example, when you simulate things, you’re going to see things such as responsibility overload. You’re going to see failure to escalate, failure in communication. And all those things that you mentioned, Jay, about the tabletop being important to actually simulate things for legal, for support, and to get everyone involved, that is another thing that you solve with an agentic solution.
[Jay Wilson] Is there a KPI that would reflect those things? If I were able to move from one place to another, what would that KPI be? What needle am I pushing with your product?
[Cassio Goldschmidt] So for example, you have things such as using the right terminology in order to actually determine what’s going on during an incident. A lot of times people like us have to deal with a third-party incident, and then when a customer asks, we throw the third party under the bus saying the third party was hacked, and that was not the right thing to say while they’re investigating an incident. When you actually simulate an incident, you have things such as responsibility overload that when you do a tabletop you don’t see, or when there is a real incident happening, somebody takes over, has this dominant type of persona that is actually very counterproductive for the rest of the team. So while the KPIs that traditionally we try to get during an incident are things such as time to contain, time to detect, you get all the other things related to the group dynamics that you cannot get with the traditional tabletop.
[Rich Stroffolino] What else do you want to hear more about from Cassio?
[Nick Espinosa] Yeah. So I think one of the most interesting things thus far, as I was just going through all your literature, everything, your site, et cetera, is that you’re really heavily leveraging artificial intelligence, and we all know we do love ourselves some artificial intelligence until they turn Terminator.
But I wanna know, if an AI can now essentially just generate insanely realistic scenarios from public OSINT, are we then just entering an era where every single company’s attack surface is also going to be its training curriculum? When we have an absolute multitude of scenarios that AI can throw out, what really is making that relevant then to the clients to keep it focused?
[Cassio Goldschmidt] Yeah, I think what we see right now is with Claude Mythos and so on, a lot more attacks are going to happen, and those attacks are going to be very different, and sometimes we’re going to be dealing with multiple attacks, not only against us but against our sub-processors. And that’s where I think there’s value in preparing for this kind of attack using AI, because AI can find things that are blind spots that are out there, and that’s exactly the type of information that attackers are going to be leveraging in order to attack companies.
[Nick Espinosa] Right. And on the flip side of the AI side is the human side of this, right? And as far as I understand from your organization, you’re measuring human crisis behavior, everything from escalation, communication, leadership, decision-making, all this kind of stuff. So what have you as a company learned about the difference between teams that actually know the plan and teams that actually are able to execute under pressure when it comes to all of these various scenarios?
[Cassio Goldschmidt] We actually found two things. One is some teams panic and some other teams actually choke. And people use these interchangeably, but they are not.
Panic happens when people know too little. They’re not prepared, and they just freeze, or they actually go back to their primal instincts of what to do because of that. So for example, going and shutting down a system prematurely is one of the examples that we’ve seen. The other one is choking, right? It’s when teams actually know what they need to do, but then they start discussing and they never do anything. The analysis paralysis. And we actually can see those things when we simulate a realistic and engaging tabletop.
[Jay Wilson] Cassio, have you considered where this could lead, especially on the AI front? When I think about your product, what it makes me think about is why couldn’t a company help me build an AI agent response approach to the problems that you’re witnessing with the human behavior that Nick just outlined, right? Could I plug in a set of AI agents? Could you help me design a set of AI agents that would respond better than a human team?
[Cassio Goldschmidt] Yes. I think AI can be an excellent co-pilot to respond to things, but there’s always the human touch, right? At the end of the day, AI is going to displace a lot of the products that we have, and unfortunately a lot of the people that we have, but the high-stakes decisions still remain with people. And when you have different types of customers, even your response to them is going to be different depending on what those customers mean to your business, what they mean to society, right? And all the other things that you have to consider that, unless AI has an incredibly large context, will never be responded to properly. And that’s where humans need to be trained in order to do the best job.
[Nick Espinosa] But I think that also speaks to something else that traditionally tabletop exercises have been, and they’re there to produce comfort, right? Everybody agrees they did the exercise, everybody agrees on the outcome and all of that, but your product kind of seems like it’s designed to produce discomfort, right?
[Cassio Goldschmidt] Yes.
[Nick Espinosa] So how much psychological stress is actually useful before it becomes counterproductive? You mentioned when we panic because we don’t have enough information, we might go into shutdown mode and all of that. But where’s the balance between creating that discomfort, that sense of urgency, versus something that’s actually effective?
[Cassio Goldschmidt] Yes. I think we should make the training harder than the reality, right? And people who use the product have actually reported saying, “Hey, this really feels real. This made my heart beat faster.” And when I see, for example, a simulated social media post from a customer or from somebody on the internet, it really makes me more nervous about it, and that is exactly what happens when you have an incident, and that’s how you should train in order to get the best results.
[Jay Wilson] I like that mantra. We should make training harder than reality. I’m sure my staff would have something to say about that given my phishing simulation tests that I run on them. But the other question I had for you was wrapped around how we’re seeing AI transform attack surface management and automate pen testing on the other side of the business, and how that could potentially interface with what you’re doing on the tabletop front.
In other words, we’re moving from an era where I hire a company and a human to go do pen testing to hiring a piece of software to continuously test my surface area, and it’s actually as good or better in many cases from what I’ve seen. And I don’t know about your experience, Nick, but that’s what I’m starting to see in the space.
[Nick Espinosa] Yeah.
[Jay Wilson] And I’m curious how that can interface and potentially provide more value in the context of tabletop, because I think of tabletop today as, well, I’m doing this, it’s an annual tabletop, we’re getting people familiar with the process. But the reality is we have a lot of different surface areas. I have a lot of different teams, and maybe it’s more about taking tabletop and elevating it across the business as opposed to going back to the compliance need of doing a tabletop.
[Cassio Goldschmidt] You’re absolutely right, and that’s what a system or a platform like Reflex Security can help you with. You can run different tabletops for different audiences, and you don’t need the entire set of employees in order to run one. For example, if you want to run a technical tabletop for your incident responders, you might have an external counsel, for example, that is an agent that people have to consult, make sure that whatever they are doing is according to the legal procedures that a company has to follow. Or you can have a tabletop for your privacy team where an agent will be the incident responder and will respond to things in plain English. So if you want, you can separate the teams, you can make people actually work together or not, and you can run as many times as you want. So at the end of the day, you end up getting better results because you can actually mix and match or train the people in specific areas that you want.
[Rich Stroffolino] We’ve got time for one more question from the panel.
[Nick Espinosa] Well, I just actually have a tangent to that that I think is actually important, just to riff here, because one of the things that you’re offering essentially is automated after-action reports, right? And that has to be a rather objective thing for the AI to put out based on whatever its analysis is. But the question that has already been asked: is there a danger here that security leaders can start optimizing for the score that the AI would give them rather than the wisdom that should come in learning the actual objective response to it?
[Cassio Goldschmidt] Yes. And I think anybody who did traditional tabletops actually kind of knows what the next question’s going to be. Just instinctively, we’ve been there, we know what happens in a ransomware attack and so on. Reflex Security is adaptive, so it really depends on what the team does, what they discuss, and things like that, that the AI agents will adapt and will come up with a different curveball for people to actually deal with, right? Think of it like a chess game. The first movement might be very similar, but after that, it just goes in very different ways, even if you play the same scenario.
[Rich Stroffolino] All right, Cassio, what’s one thing we didn’t ask about that we need to know?
[Cassio Goldschmidt] There are so many things I wish we had time to talk about, but one of them is that the platform is human-centric. Besides the web platform where you actually send emails, you see social media posts and so on, we also have a component that is based on a video conference. So an agent actually joins the video conference and will help to co-pilot this tabletop, and she will listen to everything that people are saying and doing in the platform, all the research, mitigation, response to emails, and will actually move things forward. So that’s one of the things that I wish we had more time to talk about.
[Rich Stroffolino] Well, we would love to have you back, Cassio, and very excited by what I’m hearing today. I think this is a really exciting space, and some really fantastic opportunities here to shake things up with what we think a tabletop is capable of and really what we can expect out of it. That’s just about it for this episode of Security You Should Know.
To learn more, head on over to reflexsecurity.io. If you have any feedback for this show, send it to us at feedback@ciso-dev.davidspark.dcgws.com. A huge thank you to Nick and Jay for helping us learn more about what Reflex Security is all about. And thank you, Cassio, for your time and being game to answer all of these questions.
And thank you for listening to Security You Should Know.