Cyber incident live-play exercises

Jun 18, 2024 | Cyber Incident Exercising

Practise your cyber incident response plan with live-play exercises to simulate a cyber attack in real time.

The Cyber Incident Exercising (CIE) scheme was developed by the National Cyber Security Centre (NCSC) to help a wide range of UK businesses find a high-quality provider to help them rehearse, evaluate and improve their cyber incident response plan.

This blog will particularly focus on understanding live-play exercises

The frequency and sophistication of cyber attacks have increased to the point that, for most organisations, it is not a case of if, but when an incident will occur. In order to be prepared, your organisation not only needs to plan for the worst, but practise that response plan, a bit like you would schedule a fire drill.

It is particularly important to exercise cyber incidents which will have a significant impact on your organisation. Typically, these incidents will have the potential for a serious operational, financial, or regulatory impact on your business and can be classified as Category 3, 4 and 5 incidents on the UK’s Cyber Attack categorisation system. Such a cyber incident could be a security risk originating from within your organisation that leads to a data breach or a ransomware attack delivered by phishing email. It could involve just your IT team, or the whole company and may stray into the realms of informing regulators, customers and partners and managing the press. Your incident response plan should cover all of these eventualities, and it is important that you practice who would deal with what and how.

Organisations that have good incident response plans that are regularly rehearsed and reviewed are best placed to respond to cyber attacks and can get back up and running again quicker than those without.

The Cyber Incident Exercising (CIE) scheme assures that providers of Cyber Incident Exercising services have met the NCSC’s rigorous quality and security standards and have the skills and experience to run table-top and live-play cyber exercises. Organisations that already have cyber incident response plans in place can find an assured provider to help them test and make improvements before a cyber attack occurs. An Assured Service Provider will identify the scope of a cyber incident exercise so that it can be tailored to the unique characteristics and requirements of your organisation. This customisation ensures that the exercise aligns with your specific threats, infrastructure, and regulatory environment and is accessible to all participants.

What is the difference between table-top and live-play exercising?

Table-top exercises

Participants gather in a room or in a virtual meeting to discuss and simulate a hypothetical cyber incident scenario. Tabletop exercises provide an opportunity for participants to discuss their roles and responsibilities, review procedures, and identify gaps in their response plans through facilitated discussions. These exercises are suitable for organisations that are in the early stages of developing their incident response plan or have limited resources.

Live-play exercises

Participants actively respond to a simulated cyber incident with real-time engagement that allows them to experience the pressure and urgency associated with a genuine cyber incident. The pace and timeline of a given cyber incident scenario is governed by an experienced exercise controller and team members execute their roles and responsibilities in response to controlled injects. If appropriate, exercising can involve real systems and tools and the cyber incident exercising professionals may emulate the behaviour of real threat actors. Live play exercises are best suited to mature organisations looking for in-depth validation of plans.

What are the key elements of live-play cyber incident exercising?

Realistic Scenario: A live-play exercise starts with the development of a realistic and relevant cyber incident scenario. This scenario could be a ransomware attack, data breach, or a sophisticated malware intrusion. The goal is to create a situation that mirrors potential real-world threats that the organisation may face.

Active Participation: Participants in a live-play exercise are actively engaged in responding to the simulated incident. This often includes members of the organisation’s incident response team, IT staff, security personnel, and sometimes external stakeholders like law enforcement or incident response partners.

Response to Injects: Exercise injects are like carefully planned surprises or challenges that are added to the scenario. They’re meant to make the exercise more realistic by mimicking the unpredictable unfolding of a real-life situation. Different participants will receive credible written or verbal ‘injects’ during the exercise which will provide information and updates for their assessment and response.

Dynamic Environment: Unlike tabletop exercises that are more discussion-based, live-play exercises create a dynamic environment where events unfold in real-time. This dynamic nature allows participants to experience the pressure and urgency associated with a genuine cyber incident.

Technical Challenges: Depending upon the client organisation and the type of threats they face, the exercise might include technical challenges that require participants to apply their skills in real-time. This could involve tasks such as identifying the source of an attack, analysing malicious code, containing the incident, and restoring affected systems. In the same way, it may be appropriate for participants to use the actual tools and technologies that they would use in a real incident response situation such as security monitoring tools or forensics tools.

Communication and Collaboration: The exercise often emphasises communication and collaboration among team members. Effective communication is crucial during a cyber incident, and the exercise may evaluate how well team members coordinate their efforts and share information.

Post-Exercise Analysis: After the live-play exercise concludes, there is a debriefing session where participants and facilitators analyse the response, identify strengths, and highlight lessons learned and areas for improvement. This analysis will be captured in a report and is crucial for refining incident response plans, updating procedures, and enhancing overall cybersecurity preparedness.


A live-play cyber incident exercise provides an immersive and realistic testing environment, particularly for an organisation’s technical team, allowing them to practice and refine their incident response capabilities in a hands-on manner. It helps identify weaknesses in all aspects of incident response and ensures that the organisation is better prepared to handle real cyber threats.

Cyber Incident Exercise Providers will have conducted thorough research on recent cyber threats, attack trends, and emerging vulnerabilities. They will leverage threat intelligence sources to help you understand the tools, tactics, and procedures employed by real threat actors. All of this information is used to craft realistic attack scenarios that is appropriate for your organisation’s size, sector and technologies. NCSC Assured Service Providers for cyber incident exercising will bring years of industry experience and expertise to help you develop your response abilities and increase your cyber resilience.

How do I find an Assured Service Provider for CIE to work with my organisation?

For organisations that want to plan and practise their response to a cyber incident in a safe environment, you can contact an Assured Service Provider in Cyber Incident Exercising.

You can find a list of NCSC Assured Cyber Incident Exercising providers here.