Which of the following activities would involve members of the incident response team and other stakeholders simulating an event?

Lessons learned sessions focus on analyzing past incidents to identify what worked and what didn’t. While these sessions may involve team discussions and stakeholder input, they do not simulate an event; instead, they review and reflect on real occurrences to improve future responses.

Digital forensics involves the investigation and analysis of digital evidence after an incident has occurred. This activity is generally conducted in a technical setting to gather and study data, rather than simulating an event with team participation. Thus, it lacks the interactive and scenario-based nature of a tabletop exercise.

Root cause analysis seeks to identify the underlying reasons for incidents after they happen. This process is analytical and retrospective, focusing on understanding failures rather than simulating responses to hypothetical scenarios. It does not engage the team in a simulation, differentiating it from a tabletop exercise.