
Scenarios

Scenarios are the blueprints for tabletop exercises. Each scenario defines a cybersecurity incident with injects, questions, scoring rubrics, and control mappings.

Stock Scenarios

Salient ships with pre-built scenarios covering common incident types:

  • Ransomware — encryption event, negotiation decisions, recovery planning
  • Phishing / BEC — credential compromise, lateral movement, executive impersonation
  • Data breach — exfiltration discovery, regulatory notification, forensics
  • Insider threat — suspicious employee activity, investigation, HR coordination
  • Supply chain — third-party compromise, blast radius assessment, vendor communication

Stock scenarios include all three depth levels and full control mappings.

Custom Scenarios from Org Profile

When the twin has enough context, the AI generates scenarios tailored to your organization:

/ttx
> Generate a scenario based on our org profile

The generator considers:

  • Your tech stack (targets tools you actually use)
  • Your team structure (involves roles that exist)
  • Known gaps (exercises weaknesses identified in past sessions)
  • Industry (uses attack patterns relevant to your sector)

Threat-Intel-Driven Scenarios

Ingest a real threat article and generate an exercise from it:

# Step 1: Ingest the threat intel
ingest_threat_intel(url="https://example.com/apt-report")

# Step 2: Generate a scenario tailored to your org
generate_scenario_from_intel(threat_intel_id=1)

The generator cross-references the threat's TTPs against your twin to produce a scenario that is both realistic (based on real threats) and relevant (targeted at your environment).

Scenario JSON Schema

Scenarios follow a structured JSON format:

{
  "scenario_title": "Ransomware Incident Response",
  "description": "A ransomware attack targets production systems...",
  "injects": [
    {
      "step": 1,
      "title": "Initial Detection",
      "details": "At 6:47 AM, your EDR solution alerts...",
      "analysis": ["Key considerations for this phase..."],
      "questions": [
        {
          "prompt": "What is your first action upon receiving this alert?",
          "type": "open",
          "guidance": ["Verify the alert", "Assess scope", "Notify IR lead"],
          "scoring_rubric": {
            "keywords": ["verify", "scope", "notify"],
            "max_score": 10
          },
          "control_mappings": {
            "nist_csf": ["DE.AE-2", "RS.CO-2"],
            "mitre_attack": ["T1486"],
            "cis_controls_v8": ["CIS.17.1"]
          }
        }
      ],
      "references": ["https://attack.mitre.org/techniques/T1486/"]
    }
  ],
  "reference_links": ["https://www.cisa.gov/ransomware"]
}

Key Fields

| Field | Required | Description |
|---|---|---|
| scenario_title | Yes | Display title |
| description | Yes | Brief incident summary |
| injects | Yes | Array of exercise phases |
| injects[].questions[].type | Yes | open (free text) or multi (multiple choice) |
| injects[].questions[].scoring_rubric | No | Keywords and max score for automated scoring |
| injects[].questions[].control_mappings | No | NIST CSF, MITRE ATT&CK, CIS v8 references |

Importing Scenarios

Upload custom scenarios via the Scenario Import page (drag-and-drop JSON) or the create_scenario MCP tool.
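
A pre-import lint for a custom scenario file, as an added example that is not Salient's own code: it checks only the required fields and question types listed in the Key Fields table, and the importer itself may enforce more. The name lint_scenario is hypothetical, and the scoring_rubric shape check is an assumption based on the sample document above.

```python
import json

# Required fields and allowed question types, from the Key Fields table.
REQUIRED_TOP = ("scenario_title", "description", "injects")
QUESTION_TYPES = {"open", "multi"}

def lint_scenario(raw: str) -> list[str]:
    """Return the problems found in a scenario JSON document (empty list = clean)."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = [f"missing required field: {k}" for k in REQUIRED_TOP if k not in doc]
    injects = doc.get("injects", [])
    if not isinstance(injects, list):
        return problems + ["injects must be an array"]
    for i, inject in enumerate(injects):
        questions = inject.get("questions", []) if isinstance(inject, dict) else None
        if not isinstance(questions, list):
            problems.append(f"injects[{i}]: must be an object with a questions array")
            continue
        for j, q in enumerate(questions):
            where = f"injects[{i}].questions[{j}]"
            if not isinstance(q, dict):
                problems.append(f"{where}: must be an object")
                continue
            if q.get("type") not in QUESTION_TYPES:
                problems.append(f"{where}: type must be 'open' or 'multi'")
            rubric = q.get("scoring_rubric")
            # Assumption: rubric shape follows the sample document on this page.
            if rubric is not None and not (
                isinstance(rubric, dict)
                and isinstance(rubric.get("keywords"), list)
                and isinstance(rubric.get("max_score"), (int, float))
            ):
                problems.append(f"{where}: scoring_rubric needs keywords[] and max_score")
    return problems

# Constructed sample: description is missing and the second question type is unsupported.
SAMPLE = json.dumps({"scenario_title": "Demo", "injects": [{"questions": [
    {"prompt": "First action?", "type": "open",
     "scoring_rubric": {"keywords": ["verify"], "max_score": 10}},
    {"prompt": "Pick one", "type": "checkbox"}]}]})

if __name__ == "__main__":
    print("\n".join(lint_scenario(SAMPLE)) or "no problems found")
```
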
