CISA's Cyber Tabletop Exercise Program (CTEP) gives critical infrastructure owners and operators ready-made, HSEEP-aligned exercise packages — a Situation Manual, scenario, discussion questions, and an After-Action Report — to validate cyber incident response without buying a thing. CyberICS extends that model: 300+ ready-to-run, CTEP/HSEEP-aligned tabletop exercises with AI facilitation, live MSEL injects, an automated hotwash, and audit-ready AARs — so any SLTT, federal, or private team can exercise on demand, in six languages.
CISA CTEP is built for any organization that wants to validate its cyber incident response through discussion-based exercises — across all 16 critical infrastructure sectors. CyberICS makes that program continuous: ready-to-run exercises for the owners and operators who must respond, and for the planners and facilitators who design and lead the conduct.
Any owner or operator that needs to rehearse cyber incident response — from a single utility to a multi-site operator — can run a CTEP/HSEEP-aligned tabletop, validate plans against a realistic scenario, and produce an AAR that proves the exercise happened and what it found.
CTEP is designed so exercise planners can self-serve. CyberICS gives planners and facilitators a complete HSEEP-aligned conduct kit — objectives, SitMan, MSEL injects, discussion questions, and an AI-generated AAR — without building each package from scratch.
CISA encourages critical infrastructure partners to exercise their cyber incident response plans regularly, and CISA CPG 4.D calls for validating response through exercises. A standing CyberICS program turns the CTEP model into a repeatable cadence — recurring conduct, MSEL injects, hotwash notes, and AARs retained as evidence — in your team's working language.
CTEP packages are built on the HSEEP exercise lifecycle. Because CyberICS literally runs discussion-based exercises end-to-end, it maps directly onto each CTEP/HSEEP element — from exercise objectives through the Improvement Plan and CPG 4.D evidence.
| Element | CTEP / HSEEP Component | What It Requires | CyberICS Capability | Coverage |
|---|---|---|---|---|
| HSEEP · Design | Exercise objectives & design | Define clear, measurable exercise objectives and scope aligned to capabilities being validated | Each CyberICS exercise ships with defined objectives, scope, and capability focus — ready to adopt or tailor to your CTEP design intent | Core |
| SitMan | Situation Manual (SitMan) | A participant document with scenario narrative, modules, and discussion questions that drives the tabletop | Every scenario provides the SitMan equivalent — narrative, staged modules, and discussion prompts — presented to participants in-platform | Core |
| MSEL | Master Scenario Events List (injects) | A sequenced list of injects/events that drive the scenario and prompt participant decisions | Live injects advance the scenario on a timeline, escalating pressure exactly as an MSEL does — manually or AI-paced | Core |
| HSEEP · Conduct | Facilitated discussion-based conduct | A facilitated, discussion-based exercise where participants talk through roles, decisions, and plans | Live Session mode runs real-time, multi-participant conduct with an AI facilitator prompting discussion at each step | Core |
| Hotwash | Hotwash | An immediate post-exercise debrief capturing participant feedback, strengths, and areas for improvement | The platform captures post-exercise feedback and decisions, structuring the hotwash inputs that feed the AAR | Core |
| AAR | After-Action Report (AAR) | A report documenting what happened, observations, strengths, and findings against the objectives | CyberICS auto-generates a structured AAR immediately after each exercise — observations, gaps, and framework references included | Core |
| IP | Improvement Plan (IP) | Corrective actions with owners and timelines that turn AAR findings into tracked improvements | The AAR's corrective-action recommendations form the Improvement Plan; gaps and remediation can be tracked over time | Supporting |
| CPG 4.D | Validate IR via exercises (CPG 4.D) | CISA CPG 4.D: validate the cyber incident response plan through regular exercising | Recurring exercises plus retained AARs provide the demonstrable evidence that the IR plan is exercised and validated | Supporting |
| 16 Sectors | Multi-sector scenario coverage | CTEP packages span the breadth of critical infrastructure; exercises should reflect sector-specific risk | 300+ scenarios across OT/ICS, healthcare, transportation, communications, and enterprise IT cover all 16 CI sectors' risk domains | Partial |
Three core capabilities work together to run, evaluate, and document a CTEP/HSEEP-aligned cyber tabletop exercise from objectives through Improvement Plan.
Live Session mode runs real-time, multi-participant conduct. The scenario plays out module by module, MSEL injects escalate on a timeline, and every step, decision, and host action is timestamped — the conduct record an evaluator needs.
Immediately after conduct, CyberICS generates a structured AAR — observations, strengths, gaps, and framework references — the artifact a planner files as proof the exercise happened and what it surfaced, ready to convert into an Improvement Plan.
The Compliance Dashboard assembles an exercise evidence package — conduct records, hotwash inputs, AARs, and an Improvement Plan summary — so a planner can demonstrate CPG 4.D exercising and a mature, recurring tabletop program.
Six high-fidelity cyber tabletop scenarios spanning critical infrastructure sectors — each ready to run as a CTEP/HSEEP-aligned exercise with SitMan narrative, MSEL injects, and an AI facilitator briefing included.
Ransomware on the business network threatens to cross into SCADA at an electric utility. The team works the scenario modules — containment, OT isolation, and external reporting — under escalating MSEL injects.
A remote operator HMI at a water treatment facility is accessed by an unauthorized actor attempting to alter chemical setpoints. The exercise drives detection, safety-system response, and public-health escalation decisions.
A ransomware event disrupts clinical systems and medical devices, forcing patient diversion. The tabletop exercises clinical continuity, IR coordination, and crisis communications across the health system.
An intrusion targets transportation control and logistics systems, threatening service and safety. The team coordinates OT incident response, operational fallback, and inter-agency reporting.
A cyber-induced outage at a communications provider cascades into dependent critical services. The exercise tests dependency mapping, restoration prioritization, and stakeholder coordination.
A coordinated campaign hits several interdependent CI sectors at once. A leadership-level CTEP-style exercise testing cross-sector coordination, SLTT/federal engagement, and unified incident command.
Plus 300+ additional ICS/OT and enterprise scenarios spanning all 16 critical infrastructure sectors. Browse the full library →
Every CyberICS exercise generates four categories of evidence supporting a CTEP/HSEEP-aligned program — from the After-Action Report through CPG 4.D exercise validation.
Structured AAR per exercise — observations, strengths, and findings against the objectives — the core HSEEP evaluation artifact.
Corrective actions seeded from AAR findings — owners, gaps, and remediation timeline ready to track to closure.
The SitMan-style scenario plus a timestamped conduct log and attendance roster documenting the exercise as run.
Consolidated package showing recurring exercises and AARs — the demonstrable evidence that the IR plan is exercised and validated.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with a free 14-day trial — no credit card required. Or speak with our team about a standing, CTEP/HSEEP-aligned tabletop program with AI facilitation and AARs across all 16 critical infrastructure sectors.
Also explore: NIST SP 800-82 Toolkit · CISA CPG Toolkit · NERC CIP Toolkit