soc operations

Performing SOC Tabletop Exercise

Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to test incident response procedures, communication workflows, and decision-making under pressure without impacting production systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident response testing.

exerciseincident-responsenistplaybook-validationsoctabletoptraining
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • Annual or semi-annual incident response testing is required (NIST, ISO 27001, PCI DSS compliance)
  • New SOC analysts need exposure to major incident scenarios in a controlled environment
  • Updated playbooks need validation before next real incident
  • Cross-functional coordination (SOC, IT, Legal, PR, Executive) needs rehearsal
  • Post-incident reviews reveal gaps requiring scenario-based training

Do not use as a replacement for technical purple team exercises — tabletop exercises test processes and decision-making, not technical detection capabilities.

Prerequisites

  • Exercise facilitator with incident response experience
  • Participant list: SOC analysts (Tier 1-3), SOC manager, IT operations, Legal, HR, Communications
  • Conference room or video call with screen sharing capability
  • Printed or digital scenario injects with timed release schedule
  • Evaluation scorecard for assessing participant responses
  • Existing incident response plan and playbooks for reference during exercise

Workflow

Step 1: Design Exercise Scenario

Create a realistic multi-phase scenario with escalating complexity:

tabletop_exercise:
  title: "Operation Dark Harvest — Ransomware Attack Scenario"
  exercise_id: TTX-2024-Q1
  date: 2024-03-22
  duration: 3 hours (09:00-12:00)
  classification: TLP:AMBER (internal use only)
 
  objectives:
    1: "Test SOC team's ability to detect and triage ransomware indicators"
    2: "Validate escalation procedures from Tier 1 to incident commander"
    3: "Assess cross-functional communication with Legal, PR, and Executive leadership"
    4: "Evaluate containment decision-making under time pressure"
    5: "Test backup recovery procedures and business continuity activation"
 
  participants:
    - role: SOC Tier 1 Analyst (2 participants)
    - role: SOC Tier 2 Analyst (2 participants)
    - role: SOC Manager / Incident Commander
    - role: IT Operations Lead
    - role: CISO (or delegate)
    - role: Legal Counsel
    - role: Communications / PR
    - role: Business Unit Leader (Finance)
 
  scenario_background: >
    Your organization is a mid-size financial services company with 2,500 employees.
    The SOC operates 24/7 with 6 analysts per shift using Splunk ES and CrowdStrike Falcon.
    It is Friday afternoon at 3:45 PM. The weekend IT skeleton crew starts at 5 PM.

Step 2: Create Timed Injects

Design scenario injects released at scheduled intervals:

injects:
 
  inject_1:
    time: "T+0 (3:45 PM)"
    title: "Initial Alert"
    content: >
      Splunk ES generates a notable event: "Shadow Copy Deletion Detected"
      on FILESERVER-03 (10.0.10.50, Finance Department file server).
      The alert shows: vssadmin.exe delete shadows /all /quiet
      Source user: svc_backup (service account)
      This is the first alert from this host today.
    questions:
      - "What is your initial assessment of this alert?"
      - "What additional data would you query in Splunk?"
      - "Is this a Tier 1 triage item or immediate escalation?"
 
  inject_2:
    time: "T+10 minutes"
    title: "Escalating Indicators"
    content: >
      While investigating the first alert, two more alerts fire:
      1. "Mass File Modification Detected" — 2,847 files renamed with .locked extension
         on FILESERVER-03 within 5 minutes
      2. "Suspicious PowerShell Encoded Command" on WORKSTATION-118 (10.0.5.118)
         — same svc_backup account used
      CrowdStrike shows process tree: explorer.exe > cmd.exe > powershell.exe -enc [base64]
    questions:
      - "What is your updated assessment? What incident severity would you assign?"
      - "What immediate containment actions would you take?"
      - "Who needs to be notified at this point?"
      - "How do you determine if this is confined to these two hosts?"
 
  inject_3:
    time: "T+25 minutes"
    title: "Scope Expansion"
    content: >
      Enterprise-wide Splunk search reveals:
      - 7 additional hosts showing .locked file extensions
      - All affected hosts are in the Finance VLAN (10.0.10.0/24)
      - svc_backup account was used to RDP to all affected hosts starting at 3:30 PM
      - A ransom note "README_UNLOCK.txt" found on all affected hosts
      - Ransom note demands 50 BTC, includes Tor payment portal link
      - IT reports the svc_backup password was changed 2 days ago (not by IT team)
    questions:
      - "This is now a confirmed ransomware incident. What is your incident classification?"
      - "Walk through your containment strategy — what do you isolate and in what order?"
      - "Should you shut down the Finance VLAN entirely? What are the trade-offs?"
      - "When and how do you notify executive leadership?"
 
  inject_4:
    time: "T+45 minutes"
    title: "Business Impact and External Pressure"
    content: >
      The CFO calls the SOC Manager directly:
      "We are closing the quarter-end books this weekend. Finance absolutely needs
      access to FILESERVER-03 by Monday morning or we miss SEC filing deadlines."
      Additionally:
      - Legal asks if customer PII was on any affected servers
      - PR reports a journalist called asking about "cybersecurity issues at [company]"
      - The ransom note deadline is 48 hours
      - IT reports last verified backup of FILESERVER-03 is from Wednesday (3 days old)
    questions:
      - "How do you balance containment security with business pressure from the CFO?"
      - "What is your recommendation on ransom payment? Who makes this decision?"
      - "What information does Legal need to assess breach notification obligations?"
      - "How do you handle the media inquiry?"
      - "Can you recover from the 3-day-old backup? What data is lost?"
 
  inject_5:
    time: "T+70 minutes"
    title: "Forensic Discovery"
    content: >
      Tier 3 forensic analysis reveals:
      - Initial access was via compromised VPN credentials (svc_backup)
      - Credentials were found in a dark web dump from a third-party vendor breach
      - Attacker had access for 5 days before deploying ransomware
      - Evidence of data exfiltration: 15GB uploaded to Mega.nz over 3 days
      - Exfiltrated data includes customer PII (SSN, account numbers) for 12,000 clients
      - The ransomware variant is identified as LockBit 3.0
    questions:
      - "How does confirmed data exfiltration change your response?"
      - "What are the regulatory notification requirements? (SEC, state breach laws)"
      - "What is the timeline for customer notification?"
      - "Should you engage external IR firm? Law enforcement?"
      - "How do you handle the vendor who was the source of the credential compromise?"
 
  inject_6:
    time: "T+90 minutes"
    title: "Recovery Decision Point"
    content: >
      You are now 6 hours into the incident. Status:
      - All 9 affected hosts isolated
      - Finance VLAN segmented from corporate network
      - LockBit C2 domain blocked at firewall and DNS
      - No decryptor available for LockBit 3.0
      - Wednesday backup verified clean but 3 days of data missing
      - CEO asks for a full situation briefing in 30 minutes
    questions:
      - "Prepare a 5-minute executive briefing. What do you include?"
      - "What is your recovery plan and estimated timeline?"
      - "What monitoring will you put in place during and after recovery?"
      - "What immediate security improvements would you recommend?"

Step 3: Facilitate the Exercise

Facilitator Guide:

EXERCISE FACILITATION PROTOCOL
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. OPENING (10 min)
   - State exercise objectives and ground rules
   - Emphasize: "No wrong answers — this is about testing process, not individuals"
   - Remind participants this is a simulation — no actual systems are affected
   - Identify the exercise observer/scribe
 
2. INJECT DELIVERY (110 min)
   - Present each inject on screen, allow 2 min reading time
   - Ask guided questions to each role group
   - Allow discussion but keep on timeline
   - Inject additional pressure/complications as needed
   - Record decisions, rationale, and gaps identified
 
3. DISCUSSION RULES
   - Participants respond in-character (their actual role)
   - Reference actual playbooks and procedures when available
   - If participants are unsure, that IS the finding
   - Facilitator may add "hot injects" if discussion stalls
 
4. CLOSING (40 min)
   - Hot wash: Each participant shares one thing that went well, one gap
   - Facilitator summarizes key findings
   - Identify top 5 action items with owners and due dates

Step 4: Evaluate Participant Responses

Score responses against expected outcomes:

evaluation_criteria:
 
  detection_and_triage:
    expected: "Immediately recognize shadow copy deletion as ransomware precursor"
    scoring:
      excellent: "Correctly identified within 2 minutes, initiated proper escalation"
      adequate: "Identified after discussion, correct escalation path"
      needs_improvement: "Did not recognize significance, delayed escalation"
 
  containment_decision:
    expected: "Isolate affected hosts via EDR, segment Finance VLAN, preserve evidence"
    scoring:
      excellent: "Immediate isolation, correct priority order, evidence preservation"
      adequate: "Isolation performed but delayed or incomplete prioritization"
      needs_improvement: "Considered powering off hosts (destroys evidence) or delayed isolation"
 
  communication:
    expected: "Timely notification chain: SOC Manager -> CISO -> Legal -> Executive"
    scoring:
      excellent: "Proper notification within defined SLAs, clear and concise briefings"
      adequate: "Notifications made but slightly delayed or incomplete"
      needs_improvement: "Key stakeholders not notified, unclear communication"
 
  business_continuity:
    expected: "Balance security containment with business recovery needs"
    scoring:
      excellent: "Realistic recovery timeline communicated, alternative workarounds proposed"
      adequate: "Recovery discussed but timeline unclear"
      needs_improvement: "Overcommitted on timeline or ignored business impact"

Step 5: Generate After-Action Report

after_action_report:
  exercise: TTX-2024-Q1 "Operation Dark Harvest"
  date: 2024-03-22
  participants: 10
  duration: 3 hours
 
  executive_summary: >
    The tabletop exercise tested the organization's ransomware response capabilities
    across detection, containment, communication, and recovery phases. The SOC team
    demonstrated strong technical triage skills but gaps were identified in cross-
    functional communication and backup recovery procedures.
 
  strengths:
    - SOC analysts correctly identified ransomware indicators within first inject
    - Containment decision-making was swift and technically sound
    - Legal team was well-prepared on breach notification requirements
    - IT operations had clear understanding of backup recovery procedures
 
  gaps_identified:
    - gap_1:
        finding: "No documented procedure for notifying CISO after-hours"
        risk: High
        action: "Update escalation contacts with personal phone numbers and backup contacts"
        owner: SOC Manager
        due_date: 2024-04-05
 
    - gap_2:
        finding: "Backup recovery testing has not been performed in 6 months"
        risk: Critical
        action: "Schedule quarterly backup restoration drill"
        owner: IT Operations Lead
        due_date: 2024-04-15
 
    - gap_3:
        finding: "No pre-approved media holding statement for cyber incidents"
        risk: Medium
        action: "Draft and approve 3 holding statement templates with Legal"
        owner: Communications Lead
        due_date: 2024-04-10
 
    - gap_4:
        finding: "Service account (svc_backup) had Domain Admin privileges unnecessarily"
        risk: Critical
        action: "Audit all service accounts, implement least privilege"
        owner: IT Security
        due_date: 2024-04-01
 
    - gap_5:
        finding: "Unclear decision authority for ransom payment"
        risk: High
        action: "Document ransom payment decision tree with CEO/Board approval requirement"
        owner: CISO
        due_date: 2024-04-15
 
  metrics:
    overall_score: "72/100 (Adequate)"
    detection: "85/100 (Excellent)"
    containment: "80/100 (Good)"
    communication: "60/100 (Needs Improvement)"
    recovery: "65/100 (Needs Improvement)"
 
  next_exercise: "TTX-2024-Q2 — Data Breach / Insider Threat Scenario (June 2024)"

Step 6: Track Remediation and Follow-Up

--- Track action items from tabletop exercise
| inputlookup ttx_action_items.csv
| eval days_remaining = round((strptime(due_date, "%Y-%m-%d") - now()) / 86400)
| eval status_flag = case(
    status="Completed", "GREEN",
    days_remaining < 0, "RED — OVERDUE",
    days_remaining < 7, "YELLOW — DUE SOON",
    1=1, "GREEN"
  )
| sort - status_flag, days_remaining
| table gap_id, finding, owner, due_date, days_remaining, status, status_flag

Key Concepts

Term Definition
Tabletop Exercise Discussion-based simulation where participants walk through incident scenarios without executing technical actions
Inject Scenario update introducing new information, complications, or decisions for participants to address
Hot Wash Immediate post-exercise debrief where participants share observations and initial lessons learned
After-Action Report (AAR) Formal document capturing exercise findings, gaps, strengths, and remediation action items
Facilitator Exercise leader who presents injects, guides discussion, and ensures objectives are met
Decision Point Moment in the scenario requiring participants to choose between options with trade-offs

Tools & Systems

  • FEMA HSEEP: Homeland Security Exercise and Evaluation Program providing exercise planning methodology
  • Tabletop Exercise Framework (NIST SP 800-84): NIST guide for planning and conducting IT security exercises
  • Immersive Labs: Platform for cybersecurity crisis simulation and tabletop exercise management
  • Infection Monkey: Open-source breach simulation for technical validation of tabletop findings
  • Archer: GRC platform for tracking exercise findings and remediation action items

Common Scenarios

  • Ransomware Attack: Multi-phase scenario testing detection, containment, ransom decision, and recovery
  • Data Breach: Customer PII exposure testing notification requirements, legal obligations, and PR response
  • Supply Chain Compromise: Third-party vendor breach impacting organizational systems and data
  • Insider Threat: Employee data theft scenario testing HR, Legal, and security team coordination
  • Business Email Compromise: CEO fraud wire transfer attempt testing financial controls and verification procedures

Output Format

TABLETOP EXERCISE SUMMARY — TTX-2024-Q1
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Scenario:     Operation Dark Harvest (Ransomware)
Date:         2024-03-22 (09:00-12:00 UTC)
Participants: 10 (SOC: 5, IT: 1, Legal: 1, Comms: 1, Exec: 2)
Duration:     3 hours (6 injects delivered)
 
SCORES:
  Detection & Triage:    85/100  Excellent
  Containment:           80/100  Good
  Communication:         60/100  Needs Improvement
  Recovery Planning:     65/100  Needs Improvement
  Overall:               72/100  Adequate
 
KEY FINDINGS:
  [+] Strong: Ransomware indicators correctly identified immediately
  [+] Strong: EDR isolation procedure well understood
  [-] Gap: No after-hours CISO notification procedure
  [-] Gap: Backup recovery untested for 6 months
  [-] Gap: No pre-approved media statement templates
  [-] Gap: Service account over-privileged (Domain Admin)
  [-] Gap: Ransom payment decision authority undefined
 
ACTION ITEMS: 5 (Critical: 2, High: 2, Medium: 1)
NEXT EXERCISE: TTX-2024-Q2 (June 2024) — Insider Threat Scenario
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.5 KB

API Reference: SOC Tabletop Exercise Agent

Overview

Manages SOC tabletop exercise lifecycle: scenario generation from templates, participant tracking, inject delivery, response scoring, and after-action report generation.

Dependencies

Package Version Purpose
json stdlib Report serialization
datetime stdlib Exercise scheduling and IDs

Core Functions

create_exercise(scenario_type, participants, duration_hours=3)

Creates a structured tabletop exercise from a scenario template.

  • Parameters: scenario_type (str) - one of ransomware, data_breach, supply_chain; participants (list[dict]) - role/count pairs
  • Returns: dict - full exercise object with phases and objectives

score_response(category, score)

Scores participant response in a specific evaluation category.

  • Parameters: category (str) - one of detection_and_triage, containment_decision, communication, business_continuity; score (int) - 0-100
  • Returns: dict - category, score, rating, weight

calculate_overall_score(scores)

Computes weighted average across all scored categories.

  • Parameters: scores (list[dict]) - output from score_response
  • Returns: float - overall score

generate_after_action_report(exercise, scores, gaps, strengths)

Produces the formal after-action report document.

  • Parameters: exercise (dict), scores (list), gaps (list[dict]), strengths (list[str])
  • Returns: dict - AAR with scores, findings, and next exercise date

Scenario Templates

Template Phases Focus Areas
ransomware 6 injects Detection, containment, ransom decision, recovery
data_breach 4 injects DLP, insider threat, PII notification
supply_chain 4 injects Vendor compromise, lateral movement, credential reset

Scoring Criteria

Category Weight Rating Thresholds
detection_and_triage 25% >=85 Excellent, >=70 Good, >=55 Adequate
containment_decision 25% >=85 Excellent, >=70 Good, >=55 Adequate
communication 25% >=85 Excellent, >=70 Good, >=55 Adequate
business_continuity 25% >=85 Excellent, >=70 Good, >=55 Adequate

Output Schema

{
  "exercise_id": "TTX-2026-Q1",
  "overall_score": "72/100 (Adequate)",
  "scores": {"detection_and_triage": "85/100 (Excellent)"},
  "gaps": [{"finding": "...", "risk": "High", "owner": "SOC Manager"}],
  "strengths": ["Ransomware indicators correctly identified"]
}

Scripts 1

agent.py8.2 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""SOC tabletop exercise management agent with scenario generation and scoring."""

import datetime


SCENARIO_TEMPLATES = {
    "ransomware": {
        "title": "Ransomware Attack Scenario",
        "phases": [
            {"time": "T+0", "inject": "Shadow copy deletion detected on file server",
             "questions": ["Initial assessment?", "What data sources to query?"]},
            {"time": "T+10", "inject": "Mass file encryption with .locked extension across 7 hosts",
             "questions": ["Severity assignment?", "Containment actions?", "Notification chain?"]},
            {"time": "T+25", "inject": "Ransom note found, data exfiltration confirmed",
             "questions": ["Containment strategy order?", "Executive notification plan?"]},
            {"time": "T+45", "inject": "CFO demands access for SEC filing, media inquiry received",
             "questions": ["Business vs security balance?", "Ransom payment recommendation?"]},
            {"time": "T+70", "inject": "Forensics reveal 5-day dwell time, 15GB exfiltrated PII",
             "questions": ["Regulatory notifications?", "Law enforcement engagement?"]},
            {"time": "T+90", "inject": "Recovery decision point, CEO briefing in 30 minutes",
             "questions": ["Executive briefing content?", "Recovery timeline?"]},
        ],
    },
    "data_breach": {
        "title": "Data Breach / Insider Threat Scenario",
        "phases": [
            {"time": "T+0", "inject": "DLP alert: large data transfer to personal cloud storage",
             "questions": ["Initial triage steps?", "Who to involve?"]},
            {"time": "T+15", "inject": "Employee identified is in notice period, accessing HR data",
             "questions": ["Containment approach?", "Legal considerations?"]},
            {"time": "T+30", "inject": "Evidence of systematic data collection over 2 weeks",
             "questions": ["Forensic preservation?", "HR and Legal coordination?"]},
            {"time": "T+50", "inject": "Customer PII confirmed in exfiltrated data",
             "questions": ["Breach notification timeline?", "Regulatory requirements?"]},
        ],
    },
    "supply_chain": {
        "title": "Supply Chain Compromise Scenario",
        "phases": [
            {"time": "T+0", "inject": "Vendor software update contains backdoor, CISA advisory published",
             "questions": ["Impact assessment scope?", "Vendor communication?"]},
            {"time": "T+15", "inject": "Affected software deployed on 40% of endpoints",
             "questions": ["Isolation strategy?", "Business continuity?"]},
            {"time": "T+35", "inject": "C2 beaconing detected from 12 hosts",
             "questions": ["Containment priority order?", "Evidence preservation?"]},
            {"time": "T+55", "inject": "Attacker accessed domain controller via compromised agent",
             "questions": ["Credential reset plan?", "Recovery sequence?"]},
        ],
    },
}

EVALUATION_CRITERIA = {
    "detection_and_triage": {"weight": 25, "max_score": 100},
    "containment_decision": {"weight": 25, "max_score": 100},
    "communication": {"weight": 25, "max_score": 100},
    "business_continuity": {"weight": 25, "max_score": 100},
}


def generate_exercise_id():
    now = datetime.datetime.now()
    quarter = (now.month - 1) // 3 + 1
    return f"TTX-{now.year}-Q{quarter}"


def create_exercise(scenario_type, participants, duration_hours=3):
    if scenario_type not in SCENARIO_TEMPLATES:
        raise ValueError(f"Unknown scenario: {scenario_type}. Choose from: {list(SCENARIO_TEMPLATES)}")
    template = SCENARIO_TEMPLATES[scenario_type]
    exercise = {
        "exercise_id": generate_exercise_id(),
        "title": template["title"],
        "date": datetime.datetime.now().isoformat(),
        "duration_hours": duration_hours,
        "classification": "TLP:AMBER",
        "participants": participants,
        "phases": template["phases"],
        "objectives": [
            "Test detection and triage capabilities",
            "Validate escalation procedures",
            "Assess cross-functional communication",
            "Evaluate containment decision-making",
            "Test recovery procedures",
        ],
    }
    return exercise


def score_response(category, score):
    if category not in EVALUATION_CRITERIA:
        raise ValueError(f"Unknown category: {category}")
    criteria = EVALUATION_CRITERIA[category]
    clamped = max(0, min(score, criteria["max_score"]))
    if clamped >= 85:
        rating = "Excellent"
    elif clamped >= 70:
        rating = "Good"
    elif clamped >= 55:
        rating = "Adequate"
    else:
        rating = "Needs Improvement"
    return {"category": category, "score": clamped, "rating": rating, "weight": criteria["weight"]}


def calculate_overall_score(scores):
    total_weighted = sum(s["score"] * s["weight"] for s in scores)
    total_weight = sum(s["weight"] for s in scores)
    return round(total_weighted / total_weight, 1) if total_weight > 0 else 0


def generate_after_action_report(exercise, scores, gaps, strengths):
    overall = calculate_overall_score(scores)
    if overall >= 85:
        overall_rating = "Excellent"
    elif overall >= 70:
        overall_rating = "Good"
    elif overall >= 55:
        overall_rating = "Adequate"
    else:
        overall_rating = "Needs Improvement"
    report = {
        "exercise_id": exercise["exercise_id"],
        "title": exercise["title"],
        "date": exercise["date"],
        "participants": len(exercise["participants"]),
        "duration_hours": exercise["duration_hours"],
        "scores": {s["category"]: f"{s['score']}/100 ({s['rating']})" for s in scores},
        "overall_score": f"{overall}/100 ({overall_rating})",
        "strengths": strengths,
        "gaps": gaps,
        "next_exercise": f"TTX-{datetime.datetime.now().year}-Q{((datetime.datetime.now().month - 1) // 3 + 2) % 4 + 1}",
    }
    return report


def print_exercise_summary(exercise):
    print(f"TABLETOP EXERCISE: {exercise['title']}")
    print("=" * 50)
    print(f"ID:            {exercise['exercise_id']}")
    print(f"Date:          {exercise['date']}")
    print(f"Duration:      {exercise['duration_hours']} hours")
    print(f"Participants:  {len(exercise['participants'])}")
    print(f"Classification:{exercise['classification']}")
    print(f"\nPHASES ({len(exercise['phases'])} injects):")
    for i, phase in enumerate(exercise["phases"], 1):
        print(f"  Inject {i} [{phase['time']}]: {phase['inject']}")
        for q in phase["questions"]:
            print(f"    - {q}")


def print_report(report):
    print(f"\nAFTER-ACTION REPORT - {report['exercise_id']}")
    print("=" * 50)
    print(f"Overall Score: {report['overall_score']}")
    for cat, score in report["scores"].items():
        print(f"  {cat}: {score}")
    print(f"\nStrengths: {len(report['strengths'])}")
    for s in report["strengths"]:
        print(f"  [+] {s}")
    print(f"\nGaps: {len(report['gaps'])}")
    for g in report["gaps"]:
        print(f"  [-] {g['finding']} (Risk: {g['risk']}, Owner: {g['owner']})")


if __name__ == "__main__":
    participants = [
        {"role": "SOC Tier 1 Analyst", "count": 2},
        {"role": "SOC Tier 2 Analyst", "count": 2},
        {"role": "SOC Manager", "count": 1},
        {"role": "IT Operations Lead", "count": 1},
        {"role": "CISO", "count": 1},
        {"role": "Legal Counsel", "count": 1},
        {"role": "Communications Lead", "count": 1},
    ]
    exercise = create_exercise("ransomware", participants)
    print_exercise_summary(exercise)
    scores = [
        score_response("detection_and_triage", 85),
        score_response("containment_decision", 80),
        score_response("communication", 60),
        score_response("business_continuity", 65),
    ]
    gaps = [
        {"finding": "No after-hours CISO notification procedure", "risk": "High", "owner": "SOC Manager"},
        {"finding": "Backup recovery untested for 6 months", "risk": "Critical", "owner": "IT Ops Lead"},
    ]
    strengths = [
        "Ransomware indicators correctly identified immediately",
        "EDR isolation procedure well understood",
    ]
    report = generate_after_action_report(exercise, scores, gaps, strengths)
    print_report(report)
Keep exploring