How To Use TTX Gym

Running a cyber security exercise is an immersive and effective way to evaluate and practise the skills and decision-making mechanisms you need to respond to cyber incidents. TTX Gym helps by providing a custom-designed tool to produce consistent, effective, and insightful exercising experiences.

Planning Your Exercise

TTX Gym is best suited for use in interactive, facilitator-led training. The tool can be used in a standalone manner, but it is designed to present a participant view to those interacting with the scenario, as well as a separate facilitator view for the organiser to control exercise progression and ensure appropriate notes and outcomes are recorded.

Ideal setup: For in-person sessions, the facilitator uses a laptop running TTX Gym with an additional monitor or TV for the participant view. For online or hybrid exercises, the participant view can be shared via screen sharing.

Exercising is one of the most cost-effective ways an organisation can test its ability to respond to cyber incidents. By running an exercise using TTX Gym, you can establish how effective your current defence and response mechanisms are, improve colleagues' internal relationships and skills, and identify areas for further improvement.

Using the Exercise Library

Choosing an existing exercise from the Exercise Library is the easiest way for beginners to get started. The Library is populated with a wide range of scenarios covering a variety of themes and situations, and can be searched and filtered using the controls in the sidebar.

To find out more about an exercise, click on the thumbnail and a description will appear. From here, you can choose to either launch the exercise — which will take you to TTX Gym with the selected scenario loaded and ready to go — or choose to download the scenario file for modification and customisation (see Creating and Modifying Scenarios below).

Using the TTX Gym Tool

TTX Gym has two views: the primary facilitator window and the participant window. The facilitator window shows the scenario laid out in stages — each stage can be expanded to see the content, facilitator prompts, and questions.

To begin the exercise, use the controls at the bottom to navigate through each stage. The active stage will be coloured blue, and once all stage questions are answered the stage will turn green to indicate completion. Stages can be freely navigated in any order; the completion of stages or the answering of questions is at the discretion of the facilitator. Note that responses and notes cannot be altered unless the stage is active.

At the completion of the exercise, or when desired by the facilitator, an output report can be generated to record progress.

The Participant Window

The participant window allows people attending the exercise to experience a specific, tailored view that relays content stage by stage. It can be spawned by the facilitator as a separate tab and presented on a second screen or over video conferencing. This will automatically update as the facilitator moves through the stages. At the completion of the exercise, an exercise summary can be shown via the participant window.

Creating and Modifying Scenarios

TTX Gym uses scenario files formatted in a specific way. These TTXF files use Markdown-style syntax and so are easy to read, change, or create from scratch, offering unlimited customisation of exercises.

A guide to the file format is below. Scenario files can be loaded directly into TTX Gym or shared with others.

Tip: For convenience, a scenario builder tool for easily creating TTXF files in the correct format is available here.

The TTXF File Structure and Syntax

This guide explains how to create configuration files that define stages, questions, variables, and facilitator prompts with markdown-enhanced content. Follow this structure and syntax to build properly formatted and feature-rich files.

The configuration file is structured into stages, which contain information content along with optional questions, facilitator prompts, and discussion points. Each 'content' type has specific indicators to denote its purpose.

Each scenario file should begin with a title and summary variable. An optional image variable can also be provided — if present, it will appear as a thumbnail in the facilitator sidebar and as a blurred background on the participant screen:

! title: Example Scenario Title
! image: https://example.com/cover.jpg
! summary
Example scenario summary.
This can spread across multiple lines or paragraphs.

Sigil

Purpose

Example

Metadata / key-value variable

! title: My Scenario

Stage declaration

@ Initial Incident

Array block (prompts / discussion)

# prompts

Array item

+ Ask about incident response

Assessment question (shown on participant screen)

? What action is taken first?

Assessment question (hidden from participant screen)

?- Internal facilitator question

Correct answer (quiz mode)

++ Notify the security team

! image

Scenario cover image URL — shown as thumbnail in facilitator sidebar and blurred background on participant screen

! image: https://example.com/img.jpg

1. Stages @ sigil

Stages define major sections in your file. Use @ followed by the stage name. Everything after this line belongs to this stage until the next stage declaration. Each stage should always have a content variable that defines the content displayed to participants on the presenter view.

@ Initial Incident

2. Key-Value Variables ! sigil

Define variables using ! followed by a key and value separated by a colon. For multi-line values, omit the colon — everything on subsequent lines until the next directive becomes the value. Blank lines within a multi-line value are preserved and rendered as paragraph breaks.

! author: Jane Doe
! content
This is the first paragraph of a description.

A blank line above creates a new paragraph.
This line continues the same paragraph.

The following global variables are recognised at the top of the file (before any @ stage declarations):

Variable

Purpose

! title

Scenario name — shown in the facilitator title bar

! author

Scenario author name (optional)

! summary

Introductory content shown on the first screen before stages begin

! conclusion

Custom debrief text shown on the finish screen (optional)

! image

URL of a cover image — displayed as a 16:9 thumbnail in the facilitator sidebar and as a blurred background on the participant screen (optional)

3. Questions ? sigil

Use ? to define an assessment question for the stage. Answers are listed under it, each starting with +. There can be multiple questions per stage — each will contribute towards the indicative score for the stage. Scoring assumes an order of preference increasing from first (0%) to last (100%).

? What core systems are included in vulnerability assessments?
+ None
+ Some centrally managed systems
+ Most centrally managed systems
+ All centrally managed systems

By default all questions are shown on both the facilitator view and the participant screen. To define a question that is only visible to the facilitator — for example an internal scoring note or a question you don't want to prompt participants with — use ?- instead of ?. The question will still be answered and scored normally, but will not appear on the participant screen.

?- How would you rate the team's overall response readiness?
+ Poor
+ Developing
+ Proficient
+ Exemplary

'Quiz' style questions are also supported, where only one option is correct and the rest are false. For these question types, answers are scored as 100% for a correct answer and 0% for an incorrect one. To use this type, define a question as normal but denote the correct answer using ++ instead of +.

4. Facilitator Prompts # prompts

Use # prompts to declare facilitator prompts. These will not appear on the participant view, but will be shown below the stage content in the facilitator view. Each prompt starts with +.

# prompts
+ Ask the team about their incident response plan.
+ Discuss the potential risks of delaying action.
+ Encourage brainstorming on containment strategies.

5. Discussion Points # discussion

Use # discussion to declare discussion points. These will appear on the participant view, to encourage discussion and enable fuller answers to stage questions. Each prompt starts with +.

# discussion
+ Do you regularly update and test your incident response plan?
+ Discuss the potential risks of delaying action.
+ Do you have a designated board member with responsibility for security incidents?

Markdown Syntax

Enhance your stage content using Markdown. The following features are supported within multi-line content fields:

Syntax

Description

Output

**text**

Bold text

Important text

*text*

Italic text

Italicized text

- item

Bullet list

• Item

1. item

Numbered list

1. Item

~ text

Blockquote

Quoted statement

%(url)

Embed image at full width

Image rendered from URL

%(url | 50%)

Embed image scaled to a percentage of its natural size, or at an absolute size (e.g. 200px). Uses a pipe | as delimiter to avoid conflicts with URLs containing commas

Image at specified scale

(blank line)

A blank line between paragraphs of content creates a visible paragraph break when rendered. Lines without a blank line between them are joined into one paragraph

Paragraph spacing

Tip: The pipe character (|) was chosen as the image scale delimiter because it is not a valid unencoded character in URLs — so even URLs containing commas will be parsed correctly. For example: %(https://cdn.example.com/img?a=1,b=2 | 60%)

Full Example

Here is a complete configuration file demonstrating all features:

! title: Security Breach Response Plan
! author: Jane Doe
! image: https://example.com/cover-photo.jpg
! summary
This scenario depicts an unusual login to a critical system.
Participants will be asked to consider their organisation's response procedures.

@ Stage 1: Identification
! content
An unusual login attempt was detected on a critical system at 02:14.

A blank line above creates a new paragraph when rendered.
%(https://example.com/diagram.png | 80%)

The incident response process should be invoked immediately.

# prompts
+ Ask the team to identify possible attack vectors.
+ Discuss recent security training and preparedness.
+ Explore options for immediate response.

# discussion
+ What does your incident response plan say about out-of-hours alerts?
+ Who holds the authority to invoke the response process?

? What action should be taken first?
+ Notify the security team
+ Investigate the login origin
+ Block the IP address

?- How would you rate the team's initial response readiness?
+ Poor
+ Developing
+ Proficient
+ Exemplary

@ Stage 2: Containment
! content
Contain the breach by isolating affected systems.

# prompts
+ Review logs for additional suspicious activity.
+ Coordinate with IT to isolate compromised systems.
+ Plan a communication strategy for stakeholders.

? How confident are you in your response procedures?
+ Not at all
+ Somewhat
+ Mostly
+ Completely

? Which system was used to detect the initial alert?
+ No detection system in place
+ Manual log review
++ SIEM / automated monitoring
+ Third-party managed detection

Use this guide to create structured, readable, and actionable scenario files.