The NIST Cybersecurity Framework 2.0 (February 2024) introduced a sixth core Function — GOVERN — alongside the familiar IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER. CyberICS provides 335 ready-to-run ICS/OT tabletop exercises mapped to all six CSF Functions, with AI-generated After Action Reports and audit-ready evidence for NIST CSF Profiles and Implementation Tiers.
NIST CSF 2.0 defines four Implementation Tiers describing the rigour of cybersecurity risk management practices. CyberICS exercises build evidence for Tier advancement.
Cybersecurity risk management is not formalised. Risk is managed reactively with limited organisational awareness. Exercise evidence from CyberICS establishes baseline incident documentation and identifies foundational gaps — the first step toward Tier advancement.
Risk management practices are approved by management but not yet established as organisation-wide policy. CyberICS exercises surface the gap between documented policy and actual practice — enabling targeted improvement programmes at the process level.
Cybersecurity practices are formally approved, expressed as policy, and applied consistently. CyberICS exercises validate documented procedures against live team performance and generate evidence of policy adherence — supporting Tier 3 self-assessment claims.
Cybersecurity practices are continuously improved based on lessons learned and predictive indicators. CyberICS exercises test advanced scenarios, validate institutional knowledge under pressure, and feed the After Action Report cycle into ongoing improvement evidence.
Each tabletop exercise generates evidence mapped to specific CSF subcategories. The CyberICS compliance dashboard automatically tracks your coverage across all six Functions.
| Function | Category Code | Subcategory Description | How CyberICS Covers It | Metric |
|---|---|---|---|---|
| GOVERN | GV.OC-01 | Organisational mission and risk tolerance defined and communicated | AAR governance gap tracking surfaces misalignment between stated mission and exercise outcomes | Policy gap count |
| GOVERN | GV.RM-01 | Risk management objectives established, communicated, and monitored | Per-framework evidence packages document exercise findings against defined risk objectives | Risk register alignment |
| IDENTIFY | ID.AM-01 | Asset inventory: hardware assets within the organisation are catalogued | Scenario scope definition requires asset identification; exercises surface undocumented OT assets | Assets in scope |
| IDENTIFY | ID.RA-01 | Asset vulnerabilities are identified and documented | Post-exercise gap mapping identifies and records asset-level vulnerabilities uncovered in scenario play | Vuln count per exercise |
| PROTECT | PR.AT-01 | Users and privileged users are provided with awareness and training on cybersecurity risks (PR.AT) | Exercise participation records demonstrate active staff engagement; AI coaching reinforces role-based awareness | Staff trained % |
| PROTECT | PR.PS-01 | Configuration management policies, processes, and procedures are established and followed | Evidence package review documents policy maintenance activities and configuration gap findings | Policy review cycle |
| DETECT | DE.CM-01 | Networks and systems are monitored to find potentially adverse events | Scenario inject timing measures team detection latency against the simulated threat event clock | Detection latency |
| DETECT | DE.AE-02 | Potentially adverse events are analysed to better characterise the threat | Hotwash findings and AI AAR document team analysis quality and alert-to-action decision time | Alert-to-action time, MTTD |
| RESPOND | RS.MA-01 | Response activities are coordinated with internal and external stakeholders (RS.MA) | AAR action items document stakeholder coordination quality; Multi-Channel Inject Delivery tests comms paths | MTTR benchmarks |
| RECOVER | RC.RP-01 | The recovery plan is executed during or after a cybersecurity incident | Exercise recovery steps are timestamped and documented; AI AAR records RTO achievement vs. planned target | RTO vs actual |
MTTD (Mean Time To Detect) and MTTR (Mean Time To Respond) are automatically tracked per exercise step in the CyberICS analytics dashboard and exported on PDF Page 5.
Every CyberICS exercise generates four categories of compliance evidence supporting NIST CSF 2.0 Function outcome demonstration, Profile gap analysis, and Tier advancement.
AI-generated PDF mapping exercise findings to CSF Functions and subcategory outcomes. Available in EN, FR, PT, ES, DE, IT within minutes of exercise completion.
Documents current and target Profile outcomes with exercise log backing. Links exercise performance data to specific subcategory outcomes defined in your organisational Profile.
Evidences Tier advancement with timestamped exercise logs, participation records, and gap-to-remediation tracking demonstrating continuous improvement practices over time.
Links IDENTIFY Function findings directly to PROTECT and DETECT improvement actions. Gaps are automatically pushed to ServiceNow or Jira as remediation tickets with CSF subcategory tags.
Six high-fidelity scenarios mapped to NIST CSF 2.0 Functions — ready to run without customisation, with AI facilitator briefing and post-exercise evidence generation included.
Threat actor encrypts EMS workstations, demanding $4.2M ransom. Teams must invoke IR procedures, coordinate with regulators, and execute recovery plans — exercising GOVERN, RESPOND, and RECOVER Functions under time pressure.
Unusual lateral movement detected in SCADA network. Teams validate detection playbooks and analyst decision-making under time pressure — directly exercising DE.CM and DE.AE subcategory outcomes alongside RESPOND Function coordination.
Malicious update deployed to 14 PLCs via compromised vendor update mechanism. Teams execute vendor risk procedures and supply chain containment — exercising IDENTIFY asset enumeration and PROTECT supply chain controls.
Terminated engineer uses retained credentials to access historian and remotely alter setpoints. Tests PAM procedures and governance controls — directly evidencing GV.OC, ID.AM, and PR.AA (access management) subcategory outcomes.
Coordinated DDoS on corporate network masks simultaneous OT manipulation. Teams distinguish IT from OT events, invoke correct response playbooks, and recover services — exercising all three operational CSF Functions.
Simultaneous cyber incidents at three hospital sites overwhelm the IR team. Tests escalation paths, mutual aid agreements, and executive communication — exercising GOVERN oversight and RESPOND coordination subcategories under crisis conditions.
Plus 329 additional NIST CSF 2.0-mapped scenarios across Pharma, Chemical, Water, Rail, Defence Industrial Base, and more.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with 3 free exercises — no credit card required. Generate CSF Function-mapped After Action Reports from day one.