How To Use TTX Gym

Running a cyber security exercise is an immersive and effective way for you to evaluate and practise the skills and decision-making mechanisms you need to respond to cyber incidents. However, designing and facilitating an exercise can be a complex and difficult task. TTX Gym helps by providing a custom-designed tool specifically to help produce consistent, effective, and insightful exercising experiences.

Exercising is one of the most cost-effective ways an organisation can test its ability to respond to cyber incidents. By running an exercise using TTX Gym, you can establish how effective your current defence and response mechanisms are, improve your colleagues' internal relationships and skills (specifically their ability to deal with an actual cyber attack), and identify areas for further improvement.

Planning your exercise

TTX Gym is best suited for use in interactive, facilitator-led training. The tool itself can be used in a standalone manner, but it is designed to present a 'participant view' to those interacting with the scenario, as well as a separate 'facilitator view' for the organiser to control the exercise progression and ensure that appropriate notes and outcomes are recorded.

The ideal set-up for TTX Gym in 'in-person' sessions is for the facilitator to use a laptop or device running TTX Gym, with an additional monitor or TV connected to display the participant view, which will appear as a separate tab or browser window. For 'online' or 'hybrid' exercises, the participant view can be presented via screen (or window) sharing from the facilitator's device.

Using the Exercise Library

Choosing an existing exercise from the Exercise Library is the easiest way for beginners to get started with TTX Gym. The Library is populated with a wide range of scenarios that cover a variety of themes and situations, and the exercises themselves can be searched and filtered using the controls in the sidebar.

To find out more about an exercise, simply click on the thumbnail and a description will appear. From here, you can choose to either 'launch' the exercise, which will take you to TTX Gym with the selected scenario loaded and ready to go, or 'download' the scenario file for modification and customisation (see below for more on this).

Using the TTX Gym tool

TTX Gym has two views, the primary 'facilitator' window and the 'participant' window. The facilitator window shows the scenario, laid out in stages. Each stage can be expanded to see the content, facilitator prompts, and questions.

To begin the exercise, use the controls at the bottom to navigate through each stage. The active stage will be coloured blue, and once all stage questions are answered the stage will turn green to indicate completion. Stages can be freely navigated, in any order, and the completion of stages or the answering of questions is at the discretion of the facilitator. Note that responses and notes cannot be altered unless the stage is 'active'.

At the completion of the exercise, or when desired by the facilitator, an output report can be generated to record progress.

The Participant Window

The participant window is a key element of TTX Gym. It allows people attending the exercise to experience a specific, tailored view that relays content stage by stage. The participant view can be spawned by the facilitator as a separate tab, and presented on a second screen or over video conferencing. This will automatically update as the facilitator moves through the stages. At the completion of the exercise, or when desired by the facilitator, an exercise summary can be shown via the participant window.

Creating and Modifying Scenarios

TTX Gym uses scenario files formatted in a specific way. These TTXF files use 'Markdown'-style syntax and so are easy to read, change, or create from scratch, to offer unlimited customisation of exercises.

A guide to the file format is below. Scenario files can simply be loaded directly into TTX Gym or shared with others.

The TTXF file structure and syntax

This guide explains how to create configuration files that define stages, questions, variables, and facilitator prompts with markdown-enhanced content. Follow this structure and syntax to build properly formatted and feature-rich files.

File Structure

The configuration file is structured into stages, which contain information content along with optional questions, facilitator prompts, and discussion points. Each 'content' type has specific indicators to denote its purpose (see 'Key-Value Variables' below for more info).

Each scenario file should begin with a 'title' and 'summary' variable:

! title: Example Scenario Title
! summary
Example scenario summary.
This can spread across multiple lines or paragraphs.

1. Stages

Stages define major sections in your file. Use @ followed by the stage name.

Example:

@ Initial Incident

Everything after this line belongs to this stage until the next stage declaration.

Each stage can have any of the elements described below, but should always have a 'content' variable that defines the content to be displayed to participants on the presenter view.

2. Key-Value Variables

Define variables using ! followed by a key and value separated by a colon (:). For multi-line values, omit the colon and put the value on the lines that follow.

Examples:

! author: Jane Doe
! content
This is a multi-line description.
It continues on multiple lines.

3. Questions

Use ? to define an assessment question for the stage. Answers are listed under it, each starting with +. There can be multiple questions per stage, and each will contribute towards the indicative 'score' for the stage. This scoring assumes the answers are listed in order of preference, increasing from first (0%) to last (100%).

Example:

? What core systems are included in vulnerability assessments?
+ None
+ Some centrally managed systems
+ Most centrally managed systems
+ All centrally managed systems

4. Facilitator Prompts

Use # prompts to declare facilitator prompts. These prompts will not appear on the 'participant view', but will be shown below the stage content in the 'facilitator view'. Each prompt starts with +.

Example:

# prompts
+ Ask the team about their incident response plan.
+ Discuss the potential risks of delaying action.
+ Encourage brainstorming on containment strategies.

5. Discussion Points

Use # discussion to declare discussion points. These prompts will appear on the 'participant view', to encourage discussion among participants and enable fuller answers to the stage questions. Each prompt starts with +.

Example:

# discussion
+ Do you regularly update and test your incident response plan?
+ Discuss the potential risks of delaying action
+ Do you have a designated board member with responsibility for security incidents?

Markdown Syntax

Enhance your stage 'content' using Markdown. Below are supported features:

1. Bold Text

Wrap text in ** for bold.

**Important:** Take immediate action.

Output: Important: Take immediate action.

2. Italic Text

Wrap text in * for italics.

This is *italicized* text.

Output: This is italicized text.

3. Lists

Use - for bullet points and numbers followed by . for numbered lists.

- Item 1
- Item 2

1. Step one
2. Step two

Output:

  • Item 1
  • Item 2
  1. Step one
  2. Step two

4. Blockquotes

Use ~ for blockquotes.

~ This is a quoted statement.

Output:

This is a quoted statement.

5. Embedded Images

Use % to embed an image. Format: %[alt text](url)

%[Sample Image](https://example.com/image.jpg)

Output: An image appears with the given URL.

Full Example

Here’s a complete configuration file:

! title: Security Breach Response Plan
! author: Jane Doe
! summary
This scenario depicts an unusual login to a critical system.

@ Stage 1: Identification
! content
An unusual login attempt was detected.
%[Incident Diagram](https://example.com/diagram.png)
The incident response process should be invoked.

# prompts
+ Ask the team to identify possible attack vectors.
+ Discuss recent security training and preparedness.
+ Explore options for immediate response.

? What action should be taken first?
+ Notify the security team
+ Investigate the login origin 
+ Block the IP address

@ Stage 2: Containment
! content
Contain the breach by isolating affected systems.

# prompts
+ Review logs for additional suspicious activity.
+ Coordinate with IT to isolate compromised systems.
+ Plan a communication strategy for stakeholders.

? How confident are you in your response procedures?
+ Not at all
+ Somewhat
+ Mostly
+ Completely
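
As an added example (not part of TTX Gym or the original guide), the following Python sketch parses the TTXF syntax described under 'File Structure' and checks a scenario file before it is shared or loaded: it reports a missing 'title', 'summary', or stage 'content' variable and computes the indicative answer score described under 'Questions'. The function names, the dictionary layout, and the even spacing of scores between the first (0%) and last (100%) answer are assumptions; Markdown inside content is kept as raw text.

```python
SAMPLE = """! title: Security Breach Response Plan
! summary
This scenario depicts an unusual login to a critical system.
@ Stage 1: Identification
! content
An unusual login attempt was detected.
? How confident are you in your response procedures?
+ Not at all
+ Somewhat
+ Mostly
+ Completely
@ Stage 2: Containment
# discussion
+ Do you regularly update and test your incident response plan?
"""  # constructed sample; Stage 2 deliberately has no 'content' variable

def parse_ttxf(text):
    """Return {'vars': {...}, 'stages': [...]} (hypothetical layout, not TTX Gym's own)."""
    doc = {"vars": {}, "stages": []}
    scope, multi, items = doc, None, None  # current section, open multi-line key, open '+' list
    for line in map(str.rstrip, text.splitlines()):
        body, in_stage = line[2:].strip(), scope is not doc
        if line.startswith("@ "):  # a new stage closes whatever was open
            scope = {"name": body, "vars": {}, "questions": [], "prompts": [], "discussion": []}
            doc["stages"].append(scope)
            multi = items = None
        elif line.startswith("! "):  # "! key: value", or "! key" for a multi-line value
            key, colon, value = body.partition(":")
            scope["vars"][key.strip()] = value.strip()
            multi, items = (None if colon else key.strip()), None
        elif line.startswith("? ") and in_stage:  # question; '+' lines become its answers
            multi, items = None, []
            scope["questions"].append({"text": body, "answers": items})
        elif line.startswith("# ") and in_stage and body in ("prompts", "discussion"):
            multi, items = None, scope[body]
        elif line.startswith("+ ") and items is not None:
            items.append(body)
        elif multi is not None:  # continuation of a multi-line value (blank lines collapse)
            scope["vars"][multi] = (scope["vars"][multi] + "\n" + line).strip("\n")
    return doc

def lint(doc):
    # The guide asks for 'title' and 'summary' per file and 'content' per stage.
    problems = [f"missing '{k}' variable" for k in ("title", "summary") if not doc["vars"].get(k)]
    return problems + [f"stage '{s['name']}': no 'content' variable"
                       for s in doc["stages"] if not s["vars"].get("content")]

def answer_score(question, chosen):
    # First answer 0%, last 100%; even spacing in between is an assumption.
    return 100.0 * chosen / max(len(question["answers"]) - 1, 1)
```

Running lint(parse_ttxf(SAMPLE)) flags only the second stage, which has discussion points but nothing to show on the participant view.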

Use this guide to create structured, readable, and actionable configuration files.