Running a Tabletop Exercise¶

Salient's TTX engine simulates realistic cybersecurity incidents, guiding your team through inject-by-inject decision-making and scoring responses against industry frameworks.

Exercise Flow¶

A typical exercise follows this path:

Select Scenario ──► Set Depth Level ──► Inject 1
                                           │
                                    Questions + Artifacts
                                           │
                                    Team Answers ──► Inject 2 ──► ... ──► Final Inject
                                                                              │
                                                                    Score ──► Mine Facts ──► Playbook

Scenario selection — choose from stock scenarios or generate one from threat intel
Depth level — Foundational, Intermediate, or Advanced
Inject presentation — narrative, questions, and supporting artifacts
Team response — open-ended or multiple-choice answers
Scoring — automated against NIST CSF, MITRE ATT&CK, CIS Controls v8
Fact mining — AI extracts organizational intelligence from answers
Playbook generation — incident response playbook from identified gaps

Depth Levels¶

Exercises adapt to your team's maturity:

Level	Audience	Focus
Foundational	New teams, awareness training	Basic IR concepts, roles, communication
Intermediate	Established teams	Technical response, tool usage, coordination
Advanced	Mature teams, red/blue	Complex scenarios, multi-vector attacks, decision trade-offs

Each level filters which questions and artifacts appear. The same scenario can be run at different depths for different audiences.

Artifact Rendering¶

Exercises include realistic artifacts that bring scenarios to life:

Email messages — phishing emails, executive communications, vendor notifications
Security alerts — EDR detections, SIEM correlations, IDS alerts
Log output — system logs, authentication logs, network captures
Ransom notes — attacker communications and demands

Artifacts render directly in the exercise UI with appropriate visual treatment (email formatting, terminal-style log output, etc.).

Adaptive Branching¶

Team decisions change the exercise path. If your team chooses to contain immediately rather than investigate first, subsequent injects reflect that choice — different questions, different pressures, different scoring implications.

Not just a quiz

Adaptive branching means two teams running the same scenario can have meaningfully different experiences based on their decisions. This is closer to real incident dynamics than a linear questionnaire.

AI Facilitation¶

When running exercises through the /ttx skill or MCP tools, Claude acts as the exercise facilitator:

Reads the organization's digital twin for context
Presents injects with appropriate framing
Asks follow-up questions based on team responses
Evaluates answers against the scoring rubric with organizational context
Mines facts from answers in real-time

Running via MCP¶

/ttx                    # Guided exercise flow
list_scenarios()        # Browse available scenarios
get_scenario("file")    # Load a specific scenario
save_session(...)       # Save answers after exercise
save_evaluation(...)    # Write AI scoring results

Scenarios · Scoring · Playbooks