01
A mission lead pointing at a wall situational display while two operators in headsets execute commands at adjacent consoles during an active incident response
MISSION FIVE · CAPSTONE RESPOND
Mission Five · Capstone
RESPOND.
“Containment first. Recovery second. Adaptation third. In that order.”

A confirmed incident is active and the clock is on. You execute the response in order, contain, recover, adapt, drawing on the focus and the resilience measures you built across the missions. Then you close the loop and capture the lesson.

MISSION FIVE · MOD 10
00/00
UTC
02
Learn / Apply / Build / Simulate · the LABS framework, mapped to KSAT

OBJECTIVES

Mission Five of five. Six objectives, in the order you build them. Each marker below also tags the work that builds toward it.

Marker LABS KSAT Statement
L1(L)EARNKnowledgeKnow the response order and why it holds: contain stops the bleed, recover returns the platform to nominal, adapt stops the next one.
L2(L)EARNKnowledgeKnow the coordination pattern under pressure: the lead names the action, ops repeats it back, executes, and reports complete.
A1(A)PPLYSkillExecute containment and recovery for your role using the resilience measures you already have.
A2(A)PPLYSkillSequence a response so recovery never starts before containment is complete.
B1(B)UILDAbilityClose the loop on a live incident: contain, recover, and name one adaptation that would have prevented it.
S1(S)IMULATETaskRun a contain-recover-adapt response under time pressure on the platform, and work the scored in-platform objective.
MISSION FIVE · MOD 10
00/00
UTC
00
Mission Roadmap · your path through this mission, start to finish

MISSION ROADMAP

Start here01Mission brief
02Contain, recover, adapt
03Run the response
04Front-line transfer
Finish05Debrief & exam
follow the path left to right · each step builds on the one before
MISSION FIVE · MOD 10
00/00
UTC
02
Build on Mission Four · what each role does to respond

HOW YOU RESPOND

A confirmed incident is active and the clock is on. You respond in order: contain, then recover, then adapt. Here is what each role does, drawing on the playbooks and resilience measures you already have.

▷ MISSION LEAD

Focus: sequence and authorize.

  • · Hold the contain, recover, adapt order
  • · Authorize every action
  • · Report to the mission leader at each stage
  • · Name the one change to adapt
A mission lead standing at a supervisory console directing the team, with overview screens behind
▷ SATELLITE OPERATIONS

Focus: execute on the bus.

  • · Contain: drop the compromised ground station, cut the path
  • · Recover: restore on a clean credential
  • · Confirm telemetry is nominal
  • · Report each step complete
A satellite operator at a console watching cyan spacecraft-orbit and bus-health displays
▷ PAYLOAD OPERATIONS

Focus: execute on the payload.

  • · Contain: pause the affected tasking
  • · Recover: restore capture and downlink
  • · Confirm product is nominal
  • · Report each step complete
A payload operator at a console watching green earth-observation imagery and downlink displays
ORDER IS THE DISCIPLINE · Contain stops the incident getting worse, recover returns the platform to nominal, adapt stops the next one. Under pressure: the lead names the action, ops repeats it back, executes, and reports complete.
MISSION FIVE · MOD 10
00/00
UTC
03
In the platform · scored · operational skill validation

YOUR MISSION OBJECTIVE & QUESTIONS

You execute the response, then close the loop. Inside the Zendir operator platform you work a mission objective and answer ten fixed questions. The platform scores your answers, so this is operational skill validation, not a quiz. The final objective and questions are confirmed with Zendir.

▷ MISSION OBJECTIVE · IN-PLATFORM

Contain and recover from the confirmed incident with real operator actions, then close with an after-action.

SCENARIO · ZENDIR
Orbit: MEO · ~2,222 km · 70° inclination
Ground stations: Tokyo, Anchorage, Houston, Lima, Santiago
Tasking: Respond and recover under confirmed adversary activity
▷ TEN FIXED QUESTIONS · SCORED IN-PLATFORM
MISSION LEAD
Q1. Which data and interfaces are in scope of the confirmed cyber incident?
Q2. Which three numbers go at the top of every report?
Q3. What is the one-line lesson to hand to a peer who has not done the course?
SATELLITE OPERATIONS
Q4. How do you clear the cyber telemetry overlay on the Power Source (APID 201) packets?
Q5. Which ground station should be dropped from the commanding rotation, and why?
Q6. Which reaction wheel is jammed for the duration of the exercise?
Q7. What hidden text appears in the Power Source telemetry message?
PAYLOAD OPERATIONS
Q8. Which captured products must be quarantined as suspect?
Q9. What is the authoritative known-good source?
Q10. Which criteria must be met before releasing the hold on suspect products?

NOTE · Fixed questions, answered and scored in the Zendir platform as operational skill validation.

CLOSE THE LOOP · After the response, you close the loop: what happened, what worked, what didn’t, and the one change you carry forward.
MISSION FIVE · MOD 10
00/00
UTC
04
From the floor to the front lines · take it back to your organization

FROM THE FLOOR TO THE FRONT LINES

This work is not meant to stay on the operations floor. Take your after-action record back to your organization and start the work there. It is how you bring Security Operations, Satellite Operations, and Satellite Design and Engineering onto the same page.

▷ TAKE IT BACK

Walk your after-action record off the operations floor and into your own operations. Start this work with your team when you get back.

DOWNLOAD · Fill the after-action with your team, then download it as a PDF or a DOC to take to your work center.
MISSION FIVE · MOD 10
00/00
END
COURSE COMPLETE FULL SPECTRUM · SPACE CYBER PROFESSIONAL
Mission Five complete · the course is yours

COURSE COMPLETE.

You began without a shared vocabulary. You now hold an incident-response plan, three role playbooks, two briefing sheets, every detection report, and a live after-action, each a PDF you take into the real world where what you practiced here becomes real impact.

More than that, you trained against a Malware Information Sharing Platform (MISP) taxonomy and the information-sharing posture of the Space Information Sharing and Analysis Center. Space collective defense is not waiting on more training, it is waiting on more participating teams, and you are one. Remember the role: you do not have to be the expert in every console or signature. Security Operations, Satellite Operations, and Satellite Design & Engineering may come from different organizations, and the Full Spectrum professional is the one who builds the cross-functional team across them and gives it one shared language.

WHAT TO DO NEXT
Take the after-action’s adaptation back to the team that runs your real platform and make the one change it names. Then share whatever finding your team is permitted to share, through Space-ISAC.
⌂ COURSE HOME
END
MISSION FIVE · MOD 10
00/00
'; var blob=new Blob(['',html],{type:'application/msword'}); var url=URL.createObjectURL(blob); var a=document.createElement('a'); a.href=url; a.download=name+'.doc'; document.body.appendChild(a); a.click(); document.body.removeChild(a); setTimeout(function(){URL.revokeObjectURL(url);},1000); }); }); })();
REFERENCE LIBRARY

Standards, Policies & Sources

The instruments this course aligns to. Each element links to its primary source.

U.S. National Security Space Policy

CNSS Policy No. 12 (CNSSP-12)Information-assurance policy for national security space systems. CNSS Instruction 1200 (CNSSI 1200), Aug 2025Implementing requirements: on-board intrusion detection, hardware root-of-trust, patch management. DoDI 8581.01Information-assurance policy for space systems used by the DoD. Space Policy Directive 5 (SPD-5), 2020First comprehensive U.S. cybersecurity principles for space systems.

Executive Orders

EO 14144 (Jan 16, 2025)Strengthening and Promoting Innovation in the Nation’s Cybersecurity. EO 14306 (Jun 6, 2025)Sustaining select efforts, amending EO 13694 and EO 14144.

NIST Standards & FISMA

NIST SP 800-53 Rev. 5Security and privacy controls; IR-3 incident-response testing. NIST SP 800-37 Rev. 2Risk Management Framework; continuous monitoring and annual control assessment. NIST IR 8270Introduction to Cybersecurity for Commercial Satellite Operations. NIST IR 8401Satellite Ground Segment cybersecurity framework profile. NIST IR 8441Cybersecurity Framework Profile for Hybrid Satellite Networks. NIST SP 800-160 Vol. 2 Rev. 1Cyber resiliency goals: Anticipate, Withstand, Recover, Adapt. FISMAFederal Information Security Modernization Act; annual program review obligation.

Threat Frameworks (analytic layer)

MITRE ATT&CKAdversary tactics and techniques knowledge base. MITRE CAPECCommon Attack Pattern Enumeration and Classification; dictionary of attack patterns that exploit known weaknesses. MITRE D3FENDKnowledge graph of defensive countermeasures and techniques, mapped to ATT&CK (NSA-funded, maintained by MITRE). SPARTASpace Attack Research and Tactic Analysis (The Aerospace Corporation). ESA Space ShieldEuropean Space Agency space-system threat framework.

EU & Global

NIS2 Directive (EU 2022/2555)Risk management and 24h/72h incident reporting; space sector in scope. EU Space Act (proposal, 25 Jun 2025)Space-specific resilience and cybersecurity obligations; extraterritorial scope. ENISA Space Threat LandscapeEuropean threat landscape and recommendations for space operators. Cyber Resilience Act (CRA)Connected hardware/software requirements; applies from December 2027.

Open-Source Vocabulary & Tooling

METEORSTORM MISP taxonomyThe course vocabulary, live and open source in the MISP taxonomy repository. MISP / CIRCLComputer Incident Response Center Luxembourg, maintainers of MISP. RootAPublic-domain open detection language (YAML) used in Module 04 to write portable signatures. (github.com/UncoderIO/Roota) Uncoder.IOOpen-source IDE and translation engine that ports RootA rules across SIEM, EDR, and XDR formats. SpaceCOP & Indicators of BehaviorDHS S&T + Aerospace Corp. on-board intrusion-detection prototype. CROO (Cyber Resilience On-Orbit)Proof Labs on-board IDS for the Space Force.

Community & Reporting

Space ISACSpace Information Sharing and Analysis Center. Air & Space Forces MagazineWaterman, “New Cybersecurity Rules for Pentagon’s Commercial Satellite Vendors,” Nov 19, 2025. Via Satellite“DHS Wants Satellite Volunteers to Test New Cyber Tools,” Nov 17, 2025. Defense Daily“New National Space Cybersecurity Policy Emphasizes Intrusion Detection,” Nov 18, 2025. Mayer Brown legal analysis“Securing the Final Frontier,” Dec 11, 2025 (US and EU regulatory map).