Why Run Tabletop Exercises?
Tabletop exercises are discussion-based sessions where team members walk through simulated security incidents. They help you:- Test incident response procedures without real-world consequences
- Identify gaps in processes and communication
- Train staff on roles and responsibilities during incidents
- Meet compliance requirements for security awareness
- Build muscle memory for high-pressure situations
CISA recommends organizations conduct tabletop exercises at least annually, with more frequent exercises for critical infrastructure sectors.
Key Features
Scenario Authoring
Create custom exercises with modules, timed injections, and discussion questions.
Exercise Runner
Real-time facilitation with pause, advance, and timing controls.
Participant Portal
Asynchronous participation support with response collection.
Scenario Library
8 pre-built scenarios covering common attack types.
Pre-Built Scenarios
The framework includes ready-to-use scenarios across different attack types and difficulty levels:| Scenario | Attack Type | Difficulty |
|---|---|---|
| Ransomware Response | Ransomware | Beginner |
| Phishing Campaign | Phishing | Beginner |
| Supply Chain Compromise | Supply Chain | Intermediate |
| Social Engineering Attack | Social Engineering | Intermediate |
| Data Breach Investigation | Data Breach | Advanced |
| Insider Threat | Insider Threat | Advanced |
| Business Email Compromise | BEC | Intermediate |
| Cloud Infrastructure Attack | Cloud Security | Advanced |
Installation
Prerequisites
- Node.js 18 or later
- npm package manager
Quick Start
Production Build
To create a distributable application:dist folder.
Creating an Exercise
1
Start a New Scenario
Open the application and select “Create New Scenario” from the dashboard. Enter a title, description, and learning objectives.
2
Add Modules
Break your exercise into modules representing incident phases (e.g., Detection, Containment, Eradication, Recovery). Each module can have its own timing and objectives.
3
Create Injections
Add timed injection events that introduce new information during the exercise. These prompt decision-making and simulate real incident evolution.
4
Add Discussion Questions
For each module, create discussion questions with facilitator guidance notes. These drive the conversation during the exercise.
5
Set Difficulty and Time
Configure the overall difficulty level and estimated duration. This helps participants prepare appropriately.
Running an Exercise
As a Facilitator
- Load your scenario file (
.ctep.json) - Brief participants on the scenario background
- Use the runner controls to start the exercise
- Advance through modules and trigger injections as needed
- Guide discussions using the facilitator notes
- Track elapsed time and participant engagement
As a Participant
For asynchronous participation:- Receive the participant package (
.ctep-participant.json) from your facilitator - Open the file in the Participant Portal
- Review the scenario and answer discussion questions
- Export your responses (
.ctep-response.json) - Send the response file back to the facilitator
File Formats
The framework uses three file types with checksum verification:| Extension | Purpose | Contains |
|---|---|---|
.ctep.json | Complete scenario | All content including facilitator notes |
.ctep-participant.json | Participant version | Sanitized content without facilitator answers |
.ctep-response.json | Participant responses | Submitted answers for facilitator review |
Technical Stack
- Framework: Electron for cross-platform desktop support
- Frontend: React 19 with TypeScript
- State Management: Zustand with persistence
- Build Tool: Vite with electron-vite configuration
Next Steps
After setting up the framework:- Run a pilot exercise with a small group to test your setup
- Customize pre-built scenarios for your organization’s context
- Document lessons learned and update procedures based on findings
- Schedule regular exercises on your security calendar