🏛️ CISA CTEP Toolkit

Run CISA CTEP-Aligned Cyber Tabletop Exercises
across all 16 critical infrastructure sectors

CISA's Cyber Tabletop Exercise Program (CTEP) gives critical infrastructure owners and operators ready-made, HSEEP-aligned exercise packages — a Situation Manual, scenario, discussion questions, and an After-Action Report — to validate cyber incident response without buying a thing. CyberICS extends that model: 300+ ready-to-run, CTEP/HSEEP-aligned tabletop exercises with AI facilitation, live MSEL injects, an automated hotwash, and audit-ready AARs — so any SLTT, federal, or private team can exercise on demand, in six languages.

HSEEP-aligned exercise design
Situation Manual (SitMan) + MSEL injects
Hotwash & After-Action Report (AAR)
CISA CPG 4.D tabletop alignment
All 16 critical infrastructure sectors
Start Free — 14-Day Trial 🏭 See the NIST SP 800-82 Toolkit → Talk to Our Team
Independence Note: CyberICS is an independent platform that supports CTEP/HSEEP-style cyber tabletop exercising. It is not affiliated with, sponsored by, or endorsed by CISA, and it does not replace the official CISA CTEP exercise packages, Situation Manuals, or any CISA program. Use CyberICS to design, run, and document HSEEP-aligned exercises alongside — not in place of — CISA's free CTEP resources, which remain available directly from CISA.
Who It's For

Critical Infrastructure Teams & the People Who Run Exercises

CISA CTEP is built for any organization that wants to validate its cyber incident response through discussion-based exercises — across all 16 critical infrastructure sectors. CyberICS makes that program continuous: ready-to-run exercises for the owners and operators who must respond, and for the planners and facilitators who design and lead the conduct.

Critical Infrastructure Owners & Operators

Across All 16 CI Sectors

Any owner or operator that needs to rehearse cyber incident response — from a single utility to a multi-site operator — can run a CTEP/HSEEP-aligned tabletop, validate plans against a realistic scenario, and produce an AAR that proves the exercise happened and what it found.

  • Energy, Water & Wastewater, and Chemical operators (IT + OT/ICS/SCADA)
  • Healthcare & Public Health and Emergency Services
  • Transportation Systems, Communications, and IT
  • Financial Services, Food & Agriculture, Manufacturing
  • Dams, Government Facilities, Defense Industrial Base, Nuclear
A CTEP/HSEEP-aligned tabletop directly exercises detection, escalation, and response decisions, and produces the SitMan, hotwash, and AAR an operator can file as evidence of an exercise.
Exercise Planners & Facilitators

SLTT, Federal & Private Sector

CTEP is designed so exercise planners can self-serve. CyberICS gives planners and facilitators a complete HSEEP-aligned conduct kit — objectives, SitMan, MSEL injects, discussion questions, and an AI-generated AAR — without building each package from scratch.

  • SLTT emergency managers & CISO offices running CTEP-style exercises
  • Federal agencies and field teams supporting CI partners
  • Private-sector exercise leads, BCP/DR and IR planners
  • MSSPs & consultancies facilitating exercises for multiple clients
  • Facilitators & data collectors capturing the hotwash and AAR inputs
HSEEP defines the exercise lifecycle — design & development, conduct, evaluation, and improvement planning. CyberICS supplies a reusable engine for every phase, so a planner can stand up a credible exercise in minutes.
🔄

An Exercise Cadence — Not a Once-a-Year Event

CISA encourages critical infrastructure partners to exercise their cyber incident response plans regularly, and CISA CPG 4.D calls for validating response through exercises. A standing CyberICS program turns the CTEP model into a repeatable cadence — recurring conduct, MSEL injects, hotwash notes, and AARs retained as evidence — in your team's working language.

🇺🇸 English 🇫🇷 Français 🇵🇹 Português 🇪🇸 Español 🇩🇪 Deutsch 🇮🇹 Italiano
CTEP / HSEEP Exercise Lifecycle Mapping

CTEP / HSEEP Elements → CyberICS Capability

CTEP packages are built on the HSEEP exercise lifecycle. Because CyberICS literally runs discussion-based exercises end-to-end, it maps directly onto each CTEP/HSEEP element — from exercise objectives through the Improvement Plan and CPG 4.D evidence.

CTEP / HSEEP Element Reference

Coverage: Core = platform directly delivers the element  |  Supporting = platform validates / documents it  |  Partial = scenario content covers the area

Element CTEP / HSEEP Component What It Requires CyberICS Capability Coverage
HSEEP · Design Exercise objectives & design Define clear, measurable exercise objectives and scope aligned to capabilities being validated Each CyberICS exercise ships with defined objectives, scope, and capability focus — ready to adopt or tailor to your CTEP design intent Core
SitMan Situation Manual (SitMan) A participant document with scenario narrative, modules, and discussion questions that drives the tabletop Every scenario provides the SitMan equivalent — narrative, staged modules, and discussion prompts — presented to participants in-platform Core
MSEL Master Scenario Events List (injects) A sequenced list of injects/events that drive the scenario and prompt participant decisions Live injects advance the scenario on a timeline, escalating pressure exactly as an MSEL does — manually or AI-paced Core
HSEEP · Conduct Facilitated discussion-based conduct A facilitated, discussion-based exercise where participants talk through roles, decisions, and plans Live Session mode runs real-time, multi-participant conduct with an AI facilitator prompting discussion at each step Core
Hotwash Hotwash An immediate post-exercise debrief capturing participant feedback, strengths, and areas for improvement The platform captures post-exercise feedback and decisions, structuring the hotwash inputs that feed the AAR Core
AAR After-Action Report (AAR) A report documenting what happened, observations, strengths, and findings against the objectives CyberICS auto-generates a structured AAR immediately after each exercise — observations, gaps, and framework references included Core
IP Improvement Plan (IP) Corrective actions with owners and timelines that turn AAR findings into tracked improvements The AAR's corrective-action recommendations form the Improvement Plan; gaps and remediation can be tracked over time Supporting
CPG 4.D Validate IR via exercises (CPG 4.D) CISA CPG 4.D: validate the cyber incident response plan through regular exercising Recurring exercises plus retained AARs provide the demonstrable evidence that the IR plan is exercised and validated Supporting
16 Sectors Multi-sector scenario coverage CTEP packages span the breadth of critical infrastructure; exercises should reflect sector-specific risk 300+ scenarios across OT/ICS, healthcare, transportation, communications, and enterprise IT cover all 16 CI sectors' risk domains Partial
Platform Capabilities

How CyberICS Powers a CTEP-Aligned Exercise

Three core capabilities work together to run, evaluate, and document a CTEP/HSEEP-aligned cyber tabletop exercise from objectives through Improvement Plan.

🎲
SitMan · MSEL · Conduct

Structured Exercise Execution

Live Session mode runs real-time, multi-participant conduct. The scenario plays out module by module, MSEL injects escalate on a timeline, and every step, decision, and host action is timestamped — the conduct record an evaluator needs.

  • SitMan-style narrative, modules & discussion prompts
  • Timeline-driven MSEL injects
  • Per-participant attendance & decision log
  • Session date, scope, and duration metadata
📋
Hotwash · AAR

AI-Generated After-Action Report

Immediately after conduct, CyberICS generates a structured AAR — observations, strengths, gaps, and framework references — the artifact a planner files as proof the exercise happened and what it surfaced, ready to convert into an Improvement Plan.

  • Observations mapped to exercise objectives
  • Strengths and areas for improvement
  • Corrective-action recommendations (Improvement Plan seed)
  • Multilingual output (EN/FR/PT/ES/DE/IT)
📄
CPG 4.D Evidence

Exercise Evidence Package

The Compliance Dashboard assembles an exercise evidence package — conduct records, hotwash inputs, AARs, and an Improvement Plan summary — so a planner can demonstrate CPG 4.D exercising and a mature, recurring tabletop program.

  • Exercise attendance & completion roster
  • AAR archive across exercise cycles
  • Gap & remediation (Improvement Plan) timeline
  • CPG 4.D exercise-validation summary
Scenario Library

CTEP-Aligned Scenarios Across the 16 CI Sectors

Six high-fidelity cyber tabletop scenarios spanning critical infrastructure sectors — each ready to run as a CTEP/HSEEP-aligned exercise with SitMan narrative, MSEL injects, and an AI facilitator briefing included.

Energy · Electric
SitMan + MSEL
Ransomware Spreads from IT to Grid OT

Ransomware on the business network threatens to cross into SCADA at an electric utility. The team works the scenario modules — containment, OT isolation, and external reporting — under escalating MSEL injects.

Energy SCADA CPG 4.D
Water · Wastewater
SitMan + MSEL
Unauthorized HMI Access at a Treatment Plant

A remote operator HMI at a water treatment facility is accessed by an unauthorized actor attempting to alter chemical setpoints. The exercise drives detection, safety-system response, and public-health escalation decisions.

Water ICS HSEEP
Healthcare & Public Health
SitMan + MSEL
Hospital Ransomware & Patient Diversion

A ransomware event disrupts clinical systems and medical devices, forcing patient diversion. The tabletop exercises clinical continuity, IR coordination, and crisis communications across the health system.

Healthcare IoMT AAR
Transportation Systems
SitMan + MSEL
Signaling & Logistics OT Disruption

An intrusion targets transportation control and logistics systems, threatening service and safety. The team coordinates OT incident response, operational fallback, and inter-agency reporting.

Transportation OT SLTT
Communications
SitMan + MSEL
Telecom Provider Outage & Cascading Impact

A cyber-induced outage at a communications provider cascades into dependent critical services. The exercise tests dependency mapping, restoration prioritization, and stakeholder coordination.

Communications Resilience CPG 4.D
Multi-Sector / Regional
SitMan + MSEL
Regional Multi-Sector Cyber Crisis

A coordinated campaign hits several interdependent CI sectors at once. A leadership-level CTEP-style exercise testing cross-sector coordination, SLTT/federal engagement, and unified incident command.

Multi-Sector HSEEP Governance

Plus 300+ additional ICS/OT and enterprise scenarios spanning all 16 critical infrastructure sectors. Browse the full library →

Evidence Artifacts

Audit-Ready Documentation for Every Exercise

Every CyberICS exercise generates four categories of evidence supporting a CTEP/HSEEP-aligned program — from the After-Action Report through CPG 4.D exercise validation.

📝
After-Action Report (AAR)

Structured AAR per exercise — observations, strengths, and findings against the objectives — the core HSEEP evaluation artifact.

AAR
🧾
Improvement Plan (IP)

Corrective actions seeded from AAR findings — owners, gaps, and remediation timeline ready to track to closure.

IP
📋
SitMan & Conduct Record

The SitMan-style scenario plus a timestamped conduct log and attendance roster documenting the exercise as run.

SitMan
📁
CPG 4.D Exercise Evidence

Consolidated package showing recurring exercises and AARs — the demonstrable evidence that the IR plan is exercised and validated.

CPG 4.D

Explore the Full Regulatory Toolkit Library

CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Ready to Run Your Next Cyber Tabletop on Demand?

Start with a free 14-day trial — no credit card required. Or speak with our team about a standing, CTEP/HSEEP-aligned tabletop program with AI facilitation and AARs across all 16 critical infrastructure sectors.

Also explore: NIST SP 800-82 Toolkit  ·  CISA CPG Toolkit  ·  NERC CIP Toolkit