eHs FULL SPECTRUM SPACE CYBERSECURITY PROFESSIONAL
OUTLINE
  • M1: Concept of Operations
  • M2: Contextualized Threat Modeling
  • M3: Converged Detection Engineering
  • M4: Incident Response Preparedness
  • M5: Adversary Management
  • M6: Space Operations Exercise
  • M7: Guidance Modes Exercise
  • M8: Payload Operations Exercise
  • M9: Contested Space Operations
  • M10: Incident Response Exercise
INCIDENT RESPONSE EXERCISE
Capstone: Kinetic + Cyber + Electronic Warfare
Execute a complete incident response lifecycle across three domains
60 Minutes | 10 min instruction + 40 min simulation + 10 min break
MODULE 10 — INCIDENT RESPONSE EXERCISE | SCORP²
LABS Learning Objectives
Learn, Apply, Build, Simulate
LABS Component | Type | Statement
(L)EARN | Knowledge | Knowledge of the full incident response lifecycle: detection, triage, containment, eradication, recovery, and documentation.
(L)EARN | Knowledge | Knowledge of compensating controls and adaptive playbooks for concurrent Kinetic, Cyber, and Electronic Warfare threats.
(A)PPLY | Skill | Skill in triaging ambiguous, concurrent multi-domain indicators to prioritize response actions.
(A)PPLY | Skill | Skill in activating compensating controls and following adaptive playbooks while managing an active incident.
(B)UILD | Ability | Ability to synthesize concurrent threat indicators across multiple domains into a coherent incident timeline.
(S)IMULATE | Task | Execute a complete incident response lifecycle including detection, triage, compensating control activation, mission continuity, and incident documentation across concurrent Kinetic, Cyber, and EW threats within the 40-minute capstone window.
SCORP² Practitioner | eHs® | TLP-GREEN
Exercise Scenario Briefing
This is the capstone exercise. Students face three concurrent domain threats and must execute the full incident response lifecycle: detection, triage, containment, eradication, recovery, and documentation. Unlike previous exercises, there is no baseline phase — the scenario begins with active threat indicators requiring immediate triage and prioritization.
  • Kinetic: ASAT test generates debris field requiring conjunction assessment
  • Cyber: Ground station intrusion alert triggered
  • EW: Jamming on primary command uplink during response
  • Phase 1: Multi-domain detection and triage
  • Phase 2: Response, continuity, and documentation
  • Full incident response lifecycle required
  • Instructor guidance for prioritization decisions
The capstone tests everything: baseline knowledge, domain recognition, cross-domain correlation, response execution, and documentation — all under time pressure.
Phase 1: Multi-Domain Incident Detection and Triage
Prioritizing Under Pressure
A suspected ASAT test generates a debris field requiring conjunction assessment. Simultaneously, a ground station intrusion alert is triggered. Students must prioritize triage: conjunction avoidance maneuver first (time-critical orbital safety), then isolate the compromised ground terminal and switch command authority to the backup station.
  • Debris field conjunction data indicates potential collision within orbital period
  • Conjunction avoidance maneuver is time-critical and takes priority
  • Ground station intrusion alert: unauthorized access to command terminal
  • Isolate compromised terminal and switch command authority to backup
  • Instructors guide students through the prioritization logic
TRIAGE PRINCIPLE
When everything is on fire, triage by reversibility: orbital collision is permanent, ground station compromise is recoverable. Prioritize accordingly.
Phase 2: Response Execution, Continuity, and Documentation
Completing the Incident Response Lifecycle
EW jamming activates on the primary command uplink during the response window. Students switch to the backup frequency, confirm mission continuity across all three satellites, and begin documenting the incident using the course taxonomy while the response is still active. Documentation is structured as a guided template.
  • Switch to backup uplink frequency to restore command authority
  • Confirm conjunction avoidance maneuver executed successfully
  • Verify all three satellites maintain mission continuity
  • Confirm compromised ground terminal remains isolated
  • Timeline of events across all three domains
  • Classification of each threat by exposure domain
  • Response actions taken and their outcomes
  • Coordinated vs independent event assessment
DOCUMENTATION
If you cannot document the incident while it is happening, critical details will be lost. Documentation is part of the response, not an afterthought.
Instructor Guidance Notes
Capstone Exercise
This is the most complex exercise in the course. Instructors should:
  • Allow students to struggle with prioritization before providing guidance
  • Reinforce the triage-by-reversibility principle for concurrent threats
  • Ensure students document while responding, not after
  • Guide students to assess whether the three events are coordinated
  • Validate that students confirm mission continuity across all satellites
  • Debrief the full incident response lifecycle after exercise completion
The capstone should feel challenging but achievable. Students have practiced every individual skill in Modules 6–9. This exercise connects them into a complete workflow.
Feedback Requested from Zendir
The following questions will help finalize this capstone exercise design. We welcome any additional recommendations.
  • Can your platform present real-time consequences of response decisions (e.g., delayed maneuver results in collision)?
  • Is incident documentation achievable within the platform during active simulation?
  • How do you recommend calibrating capstone complexity for students who have completed Modules 6–9?
  • What capstone exercise formats have worked best on your platform in prior engagements?
  • Can three concurrent domain events be injected and managed within a single simulation instance?
COLLABORATION
Scenario design is open for Zendir’s input. We want exercises that work well on your platform.
Exposure Domain References
Kinetic + Cyber + Electronic Warfare
  • Kinetic: Physical destruction through direct force. ASAT weapons, kinetic kill vehicles, orbital debris. Assets cannot be physically protected or repaired once deployed.
  • Cyber: Exploitation through software, firmware, and network access. Command injection, malicious firmware, data exfiltration. Persistent, stealthy, difficult to attribute.
  • Electronic Warfare (EW): Denial of the electromagnetic spectrum. Jamming, spoofing, interference. Controls what operators can and cannot communicate. Timing reveals adversary intent.
CAPSTONE PRINCIPLE
Adversaries do not confine themselves to a single domain. Your analysis must not either.
Exercise Summary
Phase | Focus | Domains
Phase 1 | Multi-domain detection, triage, and prioritization | Kinetic + Cyber
Phase 2 | Response execution, mission continuity, and documentation | Kinetic + Cyber + EW
Full Spectrum Space Cybersecurity Professional — All 10 Modules Complete.
Students have progressed from single-domain baseline operations through multi-domain correlation to a full incident response lifecycle capstone. The progressive complexity model ensures each skill builds on the foundation established in previous modules.
Course Complete
Full Spectrum Space Cybersecurity Professional
  • Modules 1–5: Concept of operations, threat modeling, detection engineering, incident response, adversary management
  • Module 6: Kinetic domain — baseline operations and DA-ASAT response
  • Module 7: Non-Kinetic Physical domain — ADCS modes and horizon sensor dazzling
  • Module 8: Cyber domain — payload operations and malicious firmware
  • Module 9: Cross-domain — Kinetic + EW correlation
  • Module 10: Capstone — full incident response lifecycle across three domains
The Methodology Is Yours. Defend the Domain.