Cyber Range Exercises

Cyber Range Exercises: From Technical Drills to Full-Spectrum Crisis Simulations

Most cyber range providers stop at the SOC. We go further -- testing legal counsel, communications teams, executive decision-making, and regulator notification workflows under realistic pressure.

Last updated: March 2026

What Is a Cyber Range?

A cyber range is a controlled, realistic environment where organisations can simulate cyberattacks and practise their response without risking production systems. Think of it as a flight simulator for cybersecurity -- a space where teams can make mistakes, learn from them, and build the muscle memory that matters when a real incident strikes at 2 AM on a Friday.

85% of organisations that run exercises discover critical gaps in their incident response plans (Ponemon Institute, 2025)

The concept originated in military and intelligence communities, where classified networks were replicated to train operators against adversarial scenarios. By the early 2010s, the approach had migrated to the private sector as organisations recognised that theoretical knowledge and paper-based plans were insufficient preparation for the speed, chaos, and ambiguity of a real cyberattack. Today, cyber ranges have evolved from purely technical environments into sophisticated platforms that can simulate entire organisational crises -- not just the technical artefacts, but the human dynamics, regulatory pressures, and communication challenges that define real-world incidents.

Modern cyber ranges typically include virtualised network infrastructure that mirrors the client's actual environment, inject management systems that drive the scenario forward with timed events and surprises, participant tracking that captures actions and decisions for post-exercise analysis, and reporting engines that translate raw exercise data into actionable improvement recommendations. The best exercises feel real -- participants forget they are in a simulation because the pressure, ambiguity, and time constraints mirror what they would face in an actual incident.

ObsidianCorps operates its cyber range exercises through Scenarium, a purpose-built platform at scenarium.obsidiancorps.com that handles inject management, real-time coordination across multiple crisis cells, participant action tracking, and automated post-exercise reporting. Scenarium can power a simple two-hour tabletop or a multi-day full-spectrum operation involving dozens of participants across technical, legal, communications, and executive roles.

Why Cyber Range Exercises Matter

Cyber range exercises matter because they are the only reliable way to validate whether an organisation can actually respond to a cyber incident -- not in theory, but under pressure. Written policies and documented procedures are necessary but insufficient. Until people have been tested under realistic conditions, you cannot know whether your incident response plan will survive contact with reality.

Regulatory frameworks increasingly mandate this testing. The NIS2 Directive requires essential and important entities to conduct regular security testing, including exercises that validate incident response capabilities. DORA (Digital Operational Resilience Act) goes further, mandating threat-led penetration testing (TLPT) for significant financial entities and requiring that ICT risk management frameworks be validated through regular testing. ISO 27001, the international standard for information security management, expects organisations to test their incident response and business continuity plans at planned intervals.

24 hours: NIS2 early warning deadline -- organisations must notify the competent authority within 24 hours of a significant incident

Beyond compliance, exercises reveal the gaps that audits miss. An audit can verify that an incident response plan exists and contains the right sections. An exercise reveals that nobody knows who has the authority to shut down a production system, that the communications team has never drafted a breach notification under time pressure, or that the legal team does not know the CNPD notification deadline is 72 hours under GDPR and 24 hours for early warning under NIS2. These are the gaps that cost organisations millions when a real incident occurs.

Exercises also build cross-functional relationships that prove critical during real incidents. When a ransomware attack hits, the CISO needs to coordinate simultaneously with IT operations, legal counsel, communications, HR, executive leadership, and potentially regulators and law enforcement. If these people have never worked together under pressure, the real incident is the worst possible time to start building those relationships. Regular exercises create the trust, shared vocabulary, and established communication channels that enable effective crisis response.

Types of Cyber Range Exercises

Cyber range exercises come in many formats, each designed to test different capabilities and involve different participant groups. The right format depends on your objectives, the maturity of your team, your regulatory requirements, and the time and resources available. ObsidianCorps delivers all of the following exercise types, and frequently combines multiple formats within a single engagement.

1. Tabletop Exercises

Discussion-based exercises where participants walk through a cyber incident scenario verbally, making decisions and discussing responses without touching live systems. Tabletop exercises are low-cost, low-risk, and highly effective for testing decision-making processes, communication flows, and escalation procedures. They typically run two to four hours and can involve participants from technical teams through to executive leadership. Ideal as a starting point for organisations that have never run exercises before, or for testing newly developed incident response plans.

2. Red Team / Blue Team Exercises

Adversarial exercises where a red team (attackers) attempts to compromise the organisation's defences while a blue team (defenders) detects, investigates, and responds. These exercises test technical security controls, detection capabilities, and the operational effectiveness of SOC analysts and incident responders. Red/blue exercises can range from a focused four-hour engagement targeting specific attack vectors to multi-week campaigns simulating advanced persistent threats. ObsidianCorps provides experienced red team operators and structured exercise frameworks.

3. Capture the Flag (CTF)

Competitive cybersecurity challenges where participants solve technical puzzles covering areas such as cryptography, reverse engineering, web exploitation, forensics, and network analysis. CTFs are excellent for skill assessment, team building, and identifying talent within security teams. ObsidianCorps designs custom CTF events tailored to the client's technology stack and skill development priorities, with difficulty levels from beginner to advanced. CTFs can be run as standalone events or integrated into larger training programmes.

4. Technical Drills

Focused, hands-on exercises where participants work in realistic environments to practise specific technical skills -- SIEM analysis, malware triage, forensic investigation, firewall rule management, or vulnerability remediation. Technical drills typically involve SOC analysts, incident responders, and system administrators working through scenarios in a virtualised environment that mirrors the client's actual infrastructure. These drills build the procedural muscle memory that enables rapid response during real incidents.

5. Full-Spectrum Crisis Simulations

The most comprehensive exercise format, involving multiple crisis cells operating simultaneously: technical teams hunting threats and containing the attack, legal counsel assessing regulatory obligations and liability, communications teams handling media inquiries and stakeholder notifications, and executive leadership making strategic decisions under pressure. Non-technical participants receive their own realistic injects -- journalist phone calls, GDPR deadline warnings, board member pressure, regulator inquiries. Full-spectrum exercises are the closest simulation to a real organisational crisis.

6. Skill Testing & Assessment

Structured assessment programmes that measure individual and team competencies against defined skill frameworks. Skill testing goes beyond traditional certifications by evaluating how people perform under realistic conditions, not just what they know in theory. ObsidianCorps uses practical scenarios to assess technical proficiency, analytical thinking, communication skills, and decision-making quality. Results inform targeted training plans and team composition decisions.

7. E-Learning Modules

Self-paced online training content that complements live exercises by building foundational knowledge, reinforcing exercise lessons, and maintaining security awareness between exercise cycles. ObsidianCorps e-learning modules cover topics from phishing awareness and password hygiene for general staff through to advanced incident response procedures for technical teams. E-learning ensures continuous skill development without the scheduling overhead of live exercises.

Beyond Technical: The Full-Spectrum Approach

Most cyber range providers focus exclusively on the technical dimension of incident response: SOC analysts hunting indicators of compromise in a SIEM, incident responders executing containment procedures, forensic analysts imaging drives. These technical skills are essential, but they represent only one layer of what happens during a real cyber crisis. When a ransomware attack encrypts your production environment, the technical response is running in parallel with a dozen other critical workstreams that most exercises never touch.

Consider what actually happens in the first hours of a major cyber incident. The CISO briefs the CEO and board, who must decide whether to pay a ransom, how much operational disruption to accept, and what to communicate to shareholders. Legal counsel is calculating GDPR notification deadlines (72 hours to the CNPD), assessing contractual obligations to clients, and evaluating potential personal liability for directors under NIS2. The communications team is drafting press statements while fielding calls from journalists who have already heard rumours. HR is managing employee anxiety and access revocation for compromised accounts. The procurement team is engaging emergency vendors. Regulator notification workflows are being activated. Insurance claims are being prepared. And all of this is happening simultaneously, under extreme time pressure, with incomplete information.

72 hours: GDPR breach notification deadline to the CNPD -- most organisations discover during exercises that they cannot meet this timeline

The full-spectrum approach replicates this reality. In an ObsidianCorps full-spectrum exercise, different crisis cells run in parallel, each receiving their own scenario-appropriate injects. Technical teams see alerts in their SIEM and malware samples on compromised endpoints. Legal counsel receives simulated regulatory correspondence and must calculate notification deadlines. The communications team gets phone calls from simulated journalists and must draft statements in real time. Executives receive pressure from simulated board members and must make decisions with incomplete information. The exercise coordination team manages inject timing to create realistic cascading pressure across all cells.

This is where most organisations discover their real vulnerabilities. Not in their firewall rules or EDR configuration, but in the human layers: the CISO who cannot clearly brief a non-technical board, the legal team that does not know whether DORA or NIS2 notification deadlines apply first, the communications team that has never drafted a breach notification under time pressure, the executive who makes decisions based on incomplete information without acknowledging uncertainty. These soft-skill gaps are invisible to traditional technical exercises but determine the outcome of real crises.

ObsidianCorps designs exercises with injects specifically crafted to surface these gaps. A journalist calls the communications team and asks whether customer data was compromised -- before the forensic team has finished its analysis. The CNPD sends a simulated inquiry requesting details within 48 hours. A major client's CISO calls to ask about supply chain impact. A board member calls the CEO demanding to know why they learned about the incident from the press. These injects create the realistic pressure that separates an exercise from a workshop.

How We Design Exercises

Every ObsidianCorps exercise follows a structured lifecycle designed to maximise learning value and ensure that findings translate into measurable security improvements. The process is tailored to each client's context -- their actual infrastructure, regulatory environment, industry sector, and organisational maturity.

Phase 1: Scoping & Objectives

We begin with a thorough scoping session to understand the client's goals, participants, constraints, and regulatory requirements. What are you trying to test? Which teams need to be involved? What regulatory frameworks apply? How much time is available? The scoping phase produces clear exercise objectives, a participant list with role assignments, and agreement on exercise format, duration, and ground rules.

Phase 2: Scenario Design & Inject Timeline

Our exercise designers create a realistic scenario tailored to the client's industry, technology stack, and threat landscape. The scenario includes a detailed inject timeline -- the sequence of events, information releases, and surprise developments that drive the exercise forward. Every inject is mapped to specific learning objectives and designed to test particular capabilities. For full-spectrum exercises, separate inject tracks are created for each crisis cell.

Phase 3: Platform Setup & Rehearsal

The scenario is loaded into Scenarium, our exercise management platform. Technical environments are configured, inject delivery mechanisms are tested, and observer roles are assigned. For complex exercises, we conduct a dry run with the client's exercise coordinators to ensure smooth execution. Scenarium handles real-time inject delivery, participant action tracking, and inter-cell communication management.

Phase 4: Live Execution

The exercise runs with ObsidianCorps facilitators managing inject delivery, observing participant responses, and adjusting scenario difficulty in real time based on participant performance. Observers are embedded in each crisis cell to capture detailed notes on decision-making quality, communication effectiveness, and process adherence. The exercise can be paused for teaching moments or accelerated if participants are handling the scenario well.

Phase 5: Hot Debrief

Immediately after exercise completion, we conduct a structured hot debrief with all participants. This is the most valuable learning moment -- emotions are still fresh, mistakes are vivid, and participants are most receptive to feedback. The hot debrief covers what went well, what could be improved, and what surprised participants. Key findings are captured for the formal report.

Phase 6: Reporting & Recommendations

Within two weeks of the exercise, ObsidianCorps delivers a comprehensive exercise report including: executive summary, detailed timeline of events and decisions, assessment of technical and non-technical performance, gap analysis against exercise objectives, and prioritised recommendations for improvement. The report provides the evidence base for updating incident response plans, investing in training, and demonstrating compliance to regulators.

"The most valuable exercises are the ones where people forget they are in a simulation. When the communications manager is visibly stressed about a journalist call, when the legal team is arguing about notification deadlines, when the CEO is making difficult trade-off decisions with incomplete data -- that is when you know the exercise is working. Those are the moments that build the resilience organisations need when a real crisis hits."

Omar Ramadan
Security Lead, ObsidianCorps

Scenario Examples

ObsidianCorps designs exercises around realistic scenarios that reflect the actual threat landscape facing organisations in Luxembourg and the Greater Region. Each scenario is customised to the client's industry sector, regulatory obligations, infrastructure, and organisational structure. Below are representative examples of the scenarios we deliver.

12+ scenario types available, each customised to the client's industry, regulatory environment, and organisational structure

1. Ransomware Attack with Regulatory Notification

A sophisticated ransomware attack encrypts critical business systems while attackers exfiltrate sensitive data. Technical teams must contain the attack, determine the scope of data compromise, and support recovery operations. Legal counsel must assess GDPR and NIS2 notification obligations and prepare regulatory filings. Communications must manage media inquiries and customer notifications. Executives must decide on ransom payment, business continuity priorities, and stakeholder communication strategy.

Roles involved: SOC analysts, incident responders, legal counsel, communications/PR, CISO, CEO, DPO

2. Supply Chain Compromise

A trusted software vendor's update mechanism has been compromised, delivering malware to all customers using the product. The client discovers they are one of hundreds of affected organisations. Technical teams must identify affected systems and contain lateral movement. Legal must assess third-party liability and contractual obligations. Communications must coordinate with the vendor's public statements and manage client inquiries. This scenario tests inter-organisational coordination and supply chain risk management.

Roles involved: IT operations, security analysts, procurement, legal, vendor management, communications

3. Data Breach with GDPR Implications

A database containing personal data of EU citizens is discovered on a dark web forum. The source is traced to an unpatched web application. Technical teams must determine what data was exposed, patch the vulnerability, and conduct forensic analysis. The DPO must lead the CNPD notification process within the 72-hour deadline. Legal must assess individual notification requirements and potential liability. Communications must prepare data subject notifications. This scenario specifically tests GDPR response maturity.

Roles involved: Security analysts, DPO, legal counsel, communications, HR (if employee data), customer relations

4. Insider Threat

Anomalous data exfiltration is detected from a privileged user account. Investigation reveals a departing employee may be stealing intellectual property and client data before joining a competitor. This scenario uniquely tests the intersection of cybersecurity, HR, and legal -- technical containment must be balanced against employment law, evidence preservation requirements, and the possibility that the activity has an innocent explanation. It challenges assumptions about trust and tests whether security teams can investigate discreetly.

Roles involved: SOC analysts, HR, legal counsel, management, forensic investigators

5. DDoS with Business Continuity Activation

A sustained distributed denial-of-service attack takes down customer-facing services during a critical business period. Technical teams must implement mitigation measures while maintaining core services. Business continuity plans are activated. Customer service teams handle the surge in complaints. Communications must manage public messaging about service disruption. Executives must make decisions about service priorities and resource allocation. This scenario tests business continuity planning and crisis communication under sustained pressure.

Roles involved: Network engineers, SOC, business continuity team, customer service, communications, executives

Measuring What Matters

Traditional exercise assessment focuses almost entirely on technical metrics: Did the SOC analyst find the indicator of compromise? How quickly was the malware sample identified? Was the firewall rule correctly configured? These metrics are necessary but radically incomplete. They measure whether the security team can do their job, but they say nothing about whether the organisation as a whole can survive a crisis.

3x more gaps identified when measuring soft skills alongside technical competencies compared to technical-only assessment

ObsidianCorps measures both technical competencies and the soft skills that determine crisis outcomes. On the technical side, we assess detection time (how quickly teams identify the threat), containment time (how quickly the attack is isolated), accuracy of forensic analysis, correctness of technical remediation steps, and adherence to documented procedures. These are the traditional metrics, and they matter.

But we go further. We assess communication quality: Was the CISO's brief to the board clear, accurate, and appropriately scoped for a non-technical audience? Was uncertainty acknowledged rather than hidden? Did information flow effectively between crisis cells, or did silos form? We assess decision-making quality: Were decisions made at the appropriate authority level? Were trade-offs explicitly acknowledged? Were decisions documented for post-incident review? We assess coordination effectiveness: Did teams request help when needed? Did handoffs between teams work smoothly? Were external stakeholders (regulators, clients, vendors) engaged at the right time?

This holistic assessment produces a far richer picture of organisational resilience than technical metrics alone. It identifies the specific areas where investment in training, process improvement, or organisational change will have the greatest impact on real-world crisis outcomes. Our post-exercise reports provide evidence-based recommendations that address both technical and human factors, giving CISOs the data they need to justify investments and demonstrate improvement to boards and regulators.

Who Should Run These Exercises

Cyber range exercises are not exclusively for large enterprises with dedicated SOC teams. Any organisation that handles sensitive data, operates critical services, or is subject to cybersecurity regulations benefits from structured exercises. The format and complexity scale to match the organisation.

1. CISOs & Security Managers

Exercises validate your incident response plans, identify gaps before real incidents expose them, and provide evidence of security programme effectiveness for board reporting and regulatory compliance. Regular exercises also build the cross-functional relationships you need during a real crisis. If you are presenting cybersecurity risk to the board, exercise results provide concrete, evidence-based metrics that resonate with non-technical stakeholders.

2. Technical Security Teams

SOC analysts, incident responders, and forensic investigators need regular practice under realistic conditions to maintain and develop their skills. Just as surgeons practise procedures and pilots use flight simulators, security professionals need hands-on experience with attack scenarios they have not seen before. Exercises expose knowledge gaps, test tool proficiency, and build the procedural muscle memory that enables rapid response.

3. Compliance Officers

NIS2, DORA, and ISO 27001 all require regular testing of security and incident response capabilities. Exercises provide the documented evidence of testing that auditors and regulators expect. Beyond compliance, exercises reveal whether your organisation can actually meet the notification deadlines and reporting requirements these frameworks mandate. A DORA-regulated entity that has never practised its ICT incident notification process is taking a significant compliance risk.

4. HR & Learning Development

Cyber exercises are a powerful training tool that goes beyond traditional classroom learning. They develop critical thinking, communication under pressure, cross-functional teamwork, and decision-making skills that are valuable far beyond cybersecurity. Exercises also provide objective skill assessment data that informs training investment decisions and career development planning.

5. Executives & Board Members

Executives who have participated in a crisis simulation make better decisions during real incidents. They understand the trade-offs, the time pressures, and the information gaps that characterise cyber crises. Executive participation also sends a powerful signal to the organisation that cybersecurity is a leadership priority, not just a technical function. The ROI of executive exercise participation is measured in faster, better-informed decisions when a real crisis occurs.

Frameworks & Standards We Exercise Against

NIS2 Directive, DORA, ISO 27001, GDPR / CNPD, CSSF Circulars, TIBER-LU, NIST CSF, MITRE ATT&CK

Frequently Asked Questions

Common questions about cyber range exercises and crisis simulations

What is a cyber range?

A cyber range is a controlled, realistic environment where organisations simulate cyberattacks and practise their response without risking production systems. Modern cyber ranges go beyond purely technical exercises to include decision-making, communication, regulatory notification, and crisis management components. ObsidianCorps operates its exercises through the Scenarium platform, which manages inject delivery, participant tracking, and automated reporting.

How long does a cyber range exercise take?

Exercise duration depends on format and objectives. A focused tabletop exercise can run in two to three hours. A technical red/blue team exercise typically takes four to eight hours. A full-spectrum crisis simulation involving multiple crisis cells runs six to twelve hours, sometimes spread across two days. Planning and preparation typically require two to four weeks before the exercise, and the post-exercise report is delivered within two weeks after.

Do we need technical staff to participate?

Not necessarily. Tabletop exercises and crisis simulations are specifically designed to include non-technical participants -- legal counsel, communications teams, HR, and executive leadership. These participants receive scenario-appropriate injects that test their specific responsibilities during a cyber incident. Some of the most valuable exercise outcomes come from testing the interfaces between technical and non-technical teams.

What is the difference between a tabletop exercise and a cyber range?

A tabletop exercise is discussion-based: participants talk through a scenario and make decisions verbally without touching live systems. A cyber range exercise includes hands-on technical components where participants interact with simulated or real systems. In practice, the most effective exercises combine both: technical teams work in the cyber range environment while management and support functions participate in a tabletop format, with both groups receiving coordinated injects that create realistic cross-functional pressure.

How often should we run exercises?

ObsidianCorps recommends at least one comprehensive exercise per year, with smaller focused exercises quarterly. NIS2 and DORA both require regular testing of incident response capabilities, and ISO 27001 expects testing at planned intervals. Organisations in highly regulated sectors such as finance (CSSF-supervised) should consider more frequent exercises. The cadence should also increase after significant organisational changes, infrastructure migrations, or following a real incident.

Can exercises be customised to our industry?

Absolutely. Every ObsidianCorps exercise is tailored to the client's industry sector, regulatory environment, technology stack, and organisational structure. We design scenarios around threats that are realistic for your specific context -- a financial services firm faces different threat scenarios than a healthcare provider or a logistics company. Scenarios also incorporate the specific regulatory frameworks that apply to your organisation, whether that is CSSF circulars, DORA, NIS2, or sector-specific regulations.

What is a full-spectrum crisis simulation?

A full-spectrum crisis simulation is the most comprehensive exercise format, involving all organisational functions that would be activated during a real cyber crisis. Multiple crisis cells operate simultaneously: technical teams handle the cyber response, legal assesses regulatory obligations, communications manages media and stakeholder messaging, and executives make strategic decisions. Each cell receives its own realistic injects. This format tests not just technical capabilities but communication, coordination, and decision-making across the entire organisation.

How do you measure exercise effectiveness?

We measure both technical competencies (detection time, containment time, forensic accuracy, procedural adherence) and soft skills (communication quality, decision-making under pressure, cross-functional coordination, stakeholder management). This dual assessment produces a comprehensive picture of organisational resilience and identifies specific areas where investment in training or process improvement will have the greatest impact. Results are benchmarked against exercise objectives agreed during the scoping phase.

Do you provide a report after the exercise?

Yes. Within two weeks of the exercise, ObsidianCorps delivers a comprehensive report including an executive summary, detailed event timeline, performance assessment against objectives, gap analysis, and prioritised recommendations. The report is designed to be actionable -- each finding includes specific remediation steps and suggested timelines. Reports also serve as compliance evidence for NIS2, DORA, and ISO 27001 audit requirements.

What platform do you use?

ObsidianCorps uses Scenarium (scenarium.obsidiancorps.com), our purpose-built exercise management platform. Scenarium handles inject management, real-time coordination across multiple crisis cells, participant action tracking, inter-cell communication, and automated post-exercise reporting. The platform can be used standalone or integrated into larger exercise frameworks. It supports everything from a simple two-hour tabletop to a multi-day full-spectrum operation.

Ready to Test Your Cyber Resilience?

ObsidianCorps delivers cyber range exercises that go beyond technical drills to test your entire organisation's crisis response capability. From tabletop exercises to full-spectrum simulations, we design exercises that reveal the gaps that matter -- before a real incident does.

No obligation. Free initial consultation to scope your exercise.

CONTACT

Contact Us

At Obsidiancorps, we combine innovative technology with proven security practices to create tailored solutions that protect your business and move it forward. Contact us and let us shape a more secure future together.

Phone number

+352 691 165 856

Email address

info [at] obsidiancorps.com

Location

Differdange, Luxembourg

We usually reply within 24 hours
