CISA’s Cybersecurity Tabletop Exercise Packages (CTEP) are structured, scenario-based exercise kits designed to help organisations test and improve their cyber incident preparedness through facilitated tabletop simulations.
CISA Tabletop Exercise Packages - CTEP Cyber Scenarios
General Information
ISIG
The solution provides ready-to-use, scenario-based materials that help organisations simulate cyber incidents and strengthen their response coordination and decision-making capacity. The packages include facilitator guides, scenario narratives, injects, and evaluation tools that enable organisations to conduct structured discussion-based exercises without requiring technical simulation infrastructure.
The solution aims to improve organisational readiness by simulating cyber incidents in a controlled, discussion-based environment to identify gaps in response plans, clarify roles, and strengthen interdepartmental coordination.
Cybersecurity threats such as ransomware, phishing, supply chain compromise, insider threats, and operational technology (OT) disruption increasingly affect public institutions, critical infrastructure operators, and private enterprises. While many organisations possess cybersecurity policies and incident response plans, these are often untested under realistic decision-making conditions.
CISA developed the CTEP cybersecurity scenarios to bridge the gap between planning and operational readiness by offering standardised yet adaptable tabletop exercise materials that institutions can independently deploy.
Needs Addressed
While institutions have cyber response frameworks, they lack testing mechanisms, operate in departmental silos, have unclear crisis communication chains, or have limited executive-level incident rehearsal. This leads to coordination delays, inconsistent messaging, and decision paralysis during real incidents.
The solution addresses the gap between policy existence and operational readiness. The primary purpose is to improve institutional cyber resilience by simulating crisis conditions and strengthening cross-functional response systems.
Unlike community-focused preparedness initiatives, this solution targets institutional vulnerability rather than demographic vulnerability.
However, indirectly, the solution addresses risks affecting:
- Citizens dependent on critical digital infrastructure
- Vulnerable populations reliant on essential services (healthcare, utilities, financial systems)
- Small and medium enterprises exposed to cyber threats
- Public service users
By strengthening institutional cyber response capacity, the solution reduces systemic risk that disproportionately affects digitally dependent populations during disruptions.
Although originally developed by a federal cybersecurity authority, the governance model during implementation becomes multistakeholder and often multilevel.
Cyber incidents require coordination between executive leadership, IT departments, legal teams, communications units, regulators, and in some cases law enforcement. Therefore, the governance purpose of the solution is to test and improve cross-functional decision-making structures rather than operate within a single administrative layer.
In practice, implementation fosters shared responsibility across departments and improves horizontal coordination mechanisms within organisations.
The CTEP cybersecurity scenarios represent advanced institutional preparedness tools. They do not focus on awareness-raising, but rather on stress-testing decision-making, escalation pathways, and crisis communication protocols under simulated incident conditions.
The exercises strengthen operational readiness by allowing institutions to rehearse cyber incidents in a controlled environment, identify weaknesses in response coordination, and revise internal procedures before a real incident occurs.
The solution requires only minimal physical infrastructure, typically a meeting space and documentation tools. However, it assumes that the implementing organisation has:
- A defined incident response structure
- Cybersecurity governance mechanisms
- Clearly assigned roles and responsibilities
- Some degree of digital system dependence
The solution is therefore adaptable across infrastructure levels, from moderately developed IT environments to highly complex critical infrastructure systems. Its low technical requirements increase accessibility while still enabling high-level strategic preparedness testing.
The purpose of engagement is to:
- Reveal gaps in response systems
- Improve coordination
- Clarify roles
- Strengthen institutional accountability
Engagement is structured around facilitated, scenario-based discussion.
Methods include:
- Moderated crisis simulation
- Role-based participation
- Cross-functional decision testing
- Structured debrief and evaluation
High — the exercise outcomes inform internal policy adjustments, protocol revisions, and structural reforms.
The solution builds:
- Organisational crisis literacy
- Executive cyber awareness
- Cross-department trust
- Repeatable preparedness culture
It institutionalises exercise-based learning.
Vulnerable Groups
Governance
Emergency Preparedness
Engagement Level
Empowerment Level
Implementation
- Pre-developed cybersecurity scenarios
- Structured inject-based discussion flow
- Facilitator guidance for quality control
- Evaluation and improvement tools
- Modular adaptability across sectors
Innovation lies in lowering the barrier to high-quality cyber crisis simulation without requiring costly technical environments.
The official packages are available in English.
However, as a structured methodological framework rather than a fixed curriculum, the materials can be translated and localised into other languages without technical modification.
The solution was originally developed by the Cybersecurity and Infrastructure Security Agency (CISA), USA. However, it can be implemented by:
- National cybersecurity agencies
- Ministries of digital affairs
- Critical infrastructure operators
- Private corporations
- Regional cybersecurity networks
- Public-private partnerships
CISA has extensive experience in:
- National cyber risk governance
- Critical infrastructure protection
- Public-private security coordination
- National preparedness frameworks
Other implementing bodies should ideally possess:
- Incident response governance experience
- Organisational risk management capacity
- Crisis facilitation expertise
Target audience:
- Cybersecurity teams
- Executive leadership
- Legal departments
- Communications units
- IT departments
- External security advisors
- Regulatory bodies
Implementation steps:
- Select appropriate cybersecurity scenario
- Identify cross-functional participants
- Assign facilitator
- Conduct tabletop session
- Document findings
- Develop corrective action plan
- Integrate improvements
- Repeat periodically
Resources required:
- Staff time
- Facilitation capacity
- Documentation effort
No specialised hardware or simulation software is required.
Phases include:
- Planning phase
- Exercise execution
- Evaluation and reporting
- Policy adjustment
Exercises typically last from a half day to a full day.
Experience of the Implementing Organisation in DRM
Target Audience
Resources Required
Timeframe & Phases
Participation Results
- Leadership engagement significantly improves overall organisational preparedness.
- Cyber crises are governance crises, not only technical incidents.
- Interdepartmental communication gaps often become visible only during simulation.
- Structured debriefs are critical for turning discussion into measurable improvement.
- Preparedness improves most when exercises are repeated periodically rather than conducted as one-off events.
The exercises demonstrate that institutional resilience grows through practice, reflection, and iterative refinement.
One of the main challenges in implementing cybersecurity tabletop exercises is securing meaningful participation from senior leadership. To address this, the exercise packages are designed to emphasise governance, legal, reputational, and operational implications, ensuring leadership recognises its decision-making role.
Another challenge is cross-department coordination. Cyber incidents require collaboration between IT teams, communications units, legal departments, and operational management, yet these actors may not regularly train together. The tabletop format deliberately places participants in shared scenario discussions, strengthening horizontal coordination and clarifying role boundaries.
A further challenge relates to realism. If scenarios feel too abstract or generic, participants may disengage. The cybersecurity packages mitigate this by providing structured injects and adaptable scenario frameworks that organisations can localise to their own risk landscape, making the exercise context-specific and credible.
A key implementation risk is low institutional commitment, where exercises are conducted as compliance exercises rather than learning opportunities. Mitigation involves strong facilitation, clear learning objectives, and post-exercise debriefs that prioritise improvement over blame.
Another risk is overconfidence bias. Participants may believe existing plans are sufficient without critically testing them. The structured scenario injects and guided discussion questions are specifically designed to challenge assumptions, expose decision bottlenecks, and highlight cascading impacts, thereby countering complacency.
There is also a risk that lessons identified during the exercise are not translated into concrete improvements. To mitigate this, the packages include after-action reporting templates and improvement planning tools. These help organisations formally document findings, assign responsibilities, and integrate updates into existing cybersecurity and continuity plans.
Risk & Mitigation Plan
Scalability and Sustainability
The solution follows a self-sustaining institutional model. Once an organisation integrates tabletop exercises into its regular risk governance cycle, the process becomes embedded in organisational culture.
Sustainability is strengthened when exercises are incorporated into:
- Annual risk management reviews
- Cybersecurity strategy updates
- Business continuity planning cycles
- Leadership training programmes
Long-term impact depends on institutionalising repetition rather than treating exercises as one-off events.
The CISA Cybersecurity Tabletop Exercise Packages are highly scalable because they are modular and scenario-based. They can be implemented:
- At local, regional, national, or organisational level
- In single institutions or multi-stakeholder environments
- Within small agencies or complex critical infrastructure systems
The scenario framework allows adaptation to different sectors, including healthcare, finance, energy, transportation, and government administration. While originally developed in a U.S. context, the structure is transferable internationally.
Because the materials are template-based rather than prescriptive, they can be localised to reflect jurisdiction-specific regulations, threat landscapes, and governance structures.
The solution is innovative in governance and preparedness methodology rather than digital complexity. It leverages:
- Scenario engineering
- Structured crisis simulation methodology
- Organisational systems thinking
- Standardised exercise design frameworks
The technological component is intentionally minimal to maximise scalability and accessibility.
The core materials are publicly available and free to use, which significantly reduces direct costs. However, implementation requires internal staff time, coordination effort, and potentially facilitator expertise.
Direct costs may include:
- Staff time allocated to preparation and participation
- External facilitator support (if not conducted internally)
- Venue or logistical arrangements
Operational costs include:
- Periodic exercise repetition
- Updating scenarios to reflect evolving cyber threats
- Follow-up improvement planning and policy revisions
Because the exercises are discussion-based and do not require specialised technical equipment, financial barriers are relatively low compared to full-scale operational simulations.
- Sustainability requires formal integration into governance cycles. When exercises are embedded into annual risk management, business continuity planning, or cybersecurity strategy reviews, they become part of routine institutional practice rather than isolated events.
- Leadership ownership is critical. When executive leadership recognises cyber risk as a governance issue and participates directly, exercises are more likely to be repeated and institutionalised.
- Without structured after-action reporting and accountability mechanisms, identified gaps may remain unaddressed. Sustainable impact requires assigning responsibility for improvements and revisiting those actions in subsequent exercises.
- Cyber threats evolve rapidly, so scenario materials must be periodically updated to remain relevant. Institutions that treat exercises as static compliance tools risk diminishing learning value.
- Organisations that train internal facilitators reduce dependency on external expertise and lower long-term operational costs, strengthening institutional resilience over time.