MODULES
UTC
01
MODULE 10 SIMULATION EXERCISE
Module Ten · Capstone Simulation
INCIDENT RESPONSE
EXERCISE.

Kinetic + Cyber + Electronic Warfare.

“The capstone is not about a single domain. It is about the moment all three converge and the operator must choose which to address first.”

Execute a complete incident-response lifecycle across kinetic, cyber, and electronic-warfare domains in a coordinated multi-vector engagement.

90 MINUTES · 15 min instruction · 60 min simulation · 15 min review

FUNCTION FIVE · MOD 10
01/10
MODULES
UTC
02
Learn, Apply, Build, Simulate

LABS Learning Objectives.

LABS ComponentTypeStatement
(L)EARNKnowledgeKnowledge of the full incident response lifecycle: detection, triage, containment, eradication, recovery, and documentation.
(L)EARNKnowledgeKnowledge of compensating controls and adaptive playbooks for concurrent Kinetic, Cyber, and Electronic Warfare threats.
(A)PPLYSkillSkill in triaging ambiguous, concurrent multi-domain indicators to prioritize response actions.
(A)PPLYSkillSkill in activating compensating controls and following adaptive playbooks while managing an active incident.
(B)UILDAbilityAbility to synthesize concurrent threat indicators across multiple domains into a coherent incident timeline.
(S)IMULATETaskExecute a complete incident response lifecycle including detection, triage, compensating control activation, mission continuity, and incident documentation across concurrent Kinetic, Cyber, and EW threats within the 40-minute capstone window.
FUNCTION FIVE · MOD 10
02/10
MODULES
UTC
03

Exercise Scenario Briefing.

This is the capstone exercise. Students face three concurrent domain threats and must execute the full incident response lifecycle: detection, triage, containment, eradication, recovery, and documentation. Unlike previous exercises, there is no baseline phase, the scenario begins with active threat indicators requiring immediate triage and prioritization.

▷ CONCURRENT THREATS
  • Kinetic: ASAT test generates debris field requiring conjunction assessment
  • Cyber: Ground station intrusion alert triggered
  • EW: Jamming on primary command uplink during response
▷ EXERCISE STRUCTURE
  • Phase 1: Multi-domain detection and triage
  • Phase 2: Response, continuity, and documentation
  • Full incident response lifecycle required
  • Instructor guidance for prioritization decisions
FUNCTION FIVE · MOD 10
03/10
MODULES
UTC
04
Prioritizing Under Pressure

Phase 1: Multi-Domain Incident Detection and Triage.

A suspected ASAT test generates a debris field requiring conjunction assessment. Simultaneously, a ground station intrusion alert is triggered. Students must prioritize triage: conjunction avoidance maneuver first (time-critical orbital safety), then isolate the compromised ground terminal and switch command authority to the backup station.

  • Debris field conjunction data indicates potential collision within orbital period
  • Conjunction avoidance maneuver is time-critical and takes priority
  • Ground station intrusion alert: unauthorized access to command terminal
  • Isolate compromised terminal and switch command authority to backup
  • Instructors guide students through the prioritization logic
TRIAGE PRINCIPLE
When everything is on fire, triage by reversibility: orbital collision is permanent, ground station compromise is recoverable. Prioritize accordingly.
FUNCTION FIVE · MOD 10
04/10
MODULES
UTC
05
Completing the Incident Response Lifecycle

Phase 2: Response Execution, Continuity, and Documentation.

EW jamming activates on the primary command uplink during the response window. Students switch to the backup frequency, confirm mission continuity across all three satellites, and begin documenting the incident using the course taxonomy while the response is still active. Documentation is structured as a guided template.

▷ RESPONSE ACTIONS
  • Switch to backup uplink frequency to restore command authority
  • Confirm conjunction avoidance maneuver executed successfully
  • Verify all three satellites maintain mission continuity
  • Confirm compromised ground terminal remains isolated
▷ INCIDENT DOCUMENTATION
  • Timeline of events across all three domains
  • Classification of each threat by exposure domain
  • Response actions taken and their outcomes
  • Coordinated vs independent event assessment
DOCUMENTATION
If you cannot document the incident while it is happening, critical details will be lost. Documentation is part of the response, not an afterthought.
FUNCTION FIVE · MOD 10
05/10
MODULES
UTC
06
Capstone Exercise

Instructor Guidance Notes.

This is the most complex exercise in the course. Instructors should:

  • Allow students to struggle with prioritization before providing guidance
  • Reinforce the triage-by-reversibility principle for concurrent threats
  • Ensure students document while responding, not after
  • Guide students to assess whether the three events are coordinated
  • Validate that students confirm mission continuity across all satellites
  • Debrief the full incident response lifecycle after exercise completion
FUNCTION FIVE · MOD 10
06/10
MODULES
UTC
07

Feedback Requested from Zendir.

The following questions will help finalize this capstone exercise design. We welcome any additional recommendations.

  • Can your platform present real-time consequences of response decisions (e.g., delayed maneuver results in collision)?
  • Is incident documentation achievable within the platform during active simulation?
  • How do you recommend calibrating capstone complexity for students who have completed Modules 6–9?
  • What capstone exercise formats have worked best on your platform in prior engagements?
  • Can three concurrent domain events be injected and managed within a single simulation instance?
COLLABORATION
Scenario design is open for Zendir’s input. We want exercises that work well on your platform.
FUNCTION FIVE · MOD 10
07/10
MODULES
UTC
08
Kinetic + Cyber + Electronic Warfare

Exposure Domain References.

▷ KINETIC
NOTEPhysical destruction through direct force. ASAT weapons, kinetic kill vehicles, orbital debris. Assets cannot be physically protected or repaired once deployed.
▷ CYBER
NOTEExploitation through software, firmware, and network access. Command injection, malicious firmware, data exfiltration. Persistent, stealthy, difficult to attribute.
▷ ELECTRONIC WARFARE
NOTEDenial of the electromagnetic spectrum. Jamming, spoofing, interference. Controls what operators can and cannot communicate. Timing reveals adversary intent.
CAPSTONE PRINCIPLE
Adversaries do not confine themselves to a single domain. Your analysis must not either.
FUNCTION FIVE · MOD 10
08/10
MODULES
UTC
09

Exercise Summary.

PhaseFocusDomains
Phase 1Multi-domain detection, triage, and prioritizationKinetic + Cyber
Phase 2Response execution, mission continuity, and documentationKinetic + Cyber + EW
Full Spectrum Space Cybersecurity Professional, All 10 Modules Complete.
Students have progressed from single-domain baseline operations through multi-domain correlation to a full incident response lifecycle capstone. The progressive complexity model ensures each skill builds on the foundation established in previous modules.
FUNCTION FIVE · MOD 10
09/10
MODULES
UTC
10
MODULE 10

Course Complete.

Full Spectrum Space Cybersecurity Professional

SCORP² Practitioner | eHs® | TLP-GREEN

FUNCTION FIVE · MOD 10
10/10