Cybersecurity Meets Water Operations
ThreatGEN® partnered with the Water Environment Association of Texas (WEAT) to power the McKim and Creed Cybersecurity Exhibition Event at the 2026 Texas Water Operations Challenge in San Antonio on April 29, 2026. AutoTableTop™ version 2.0 served as the platform for a ransomware crisis management exercise in which 16 competition teams, composed of working water and wastewater plant operators, maintenance technicians, laboratory staff, and collection systems professionals — responded to a simulated ransomware attack on a water treatment facility’s SCADA/HMI systems.
What made this deployment unique was not just the exercise itself, but the depth of analysis it enabled. We ran 20 exercises from the same scenario configuration before the competition to establish a baseline, then compared those results against the 16 live competition teams — producing what we believe is the first published study comparing tool-expert performance against domain-expert performance on the same AI-driven tabletop exercise. Every exercise — all 36 of them — generated a complete After-Action Report (ARR) automatically and within seconds of the end of the exercise, demonstrating how AutoTableTop™ version 2.0‘s built-in analysis replaces the manual post-exercise work that makes traditional tabletop programs so resource-intensive.
| 16 Competition Teams | 20 Pre-Study Trials | 8.0 Highest Avg (Operators) | 0 Casualties Across All Trials |
ThreatGEN provides a complete exercise package for AutoTableTop™ version 2.0 facilitators to run tabletop exercises based on this scenario, along with our full analysis. The package includes a Settings File, a Baseline Study Report (20-trial transcript and AAR analysis with optimized demo script), a Case Study (comparative analysis of tool experts vs. domain experts with competition AAR findings), and a Case Study Presentation.
Why this Scenario is important?
Water and wastewater utilities are classified as one of the 16 critical infrastructure sectors by CISA. Ransomware attacks on water systems — including the 2021 Oldsmar, Florida incident and the 2023 Aliquippa (see our MWAA AutoTable™ scenario), Pennsylvania attack — have demonstrated that these facilities are active targets. Yet the operators who run these plants daily are rarely included in cybersecurity tabletop exercises because traditional exercises require technical cybersecurity knowledge to participate. AutoTableTop™ 2.0 changes that equation: this scenario proves that water operators can engage meaningfully in crisis management exercises at the beginner level, producing outcomes that match or exceed those of cybersecurity-aware participants.
Best Practice — Create, Store, Exercise, Improve
Most tabletop exercise platforms treat each exercise as a standalone event — you run it, you debrief it, you move on. At ThreatGEN, we believe that approach leaves enormous value on the table. The real power of AutoTableTop™ version 2.0 is that it makes tabletop exercises repeatable, measurable, and continuously improving — without requiring the manual analysis work that traditional exercises demand.
The Best Practice: Run the Same Scenario Multiple Times
The ThreatGEN best practice for AutoTableTop™ version 2.0 is straightforward:
- Create a scenario tailored to your organization, industry, and threat landscape. Configure the settings once — company profile, participants, difficulty level, exercise objectives. Critically, this is not a static, pre-scripted scenario. AutoTableTop™ version 2.0’s agentic AI engine generates a unique exercise every time it is executed — different narrative paths, different adversary escalations, different injects — even when launched from the same configuration. The settings define the parameters of the crisis; the AI creates the experience on the fly. This means teams can never “memorize” the exercise, and every run produces genuinely new decision points.
- Store it. AutoTableTop™ version 2.1 introduces organization-level scenario storage, so your team can save, share, and reuse scenario configurations across the organization without rebuilding them each time.
- Exercise it — repeatedly. Run the same scenario with different teams, at different intervals, or with the same team over time to measure improvement. Because the agentic AI generates a unique exercise every run, teams face fresh challenges each time — there is no answer key to study, no script to memorize. The scenario configuration is the starting point; the AI creates a different crisis experience from it every time.
- Let the platform do the analysis. AutoTableTop™ version 2.0 automatically generates a comprehensive After-Action Report (ARR) at the conclusion of every exercise — complete with crisis response metrics, successful action identification, improvement areas, operational learnings, safety recommendations, and per-turn scoring. No manual analysis required.
This is the methodology we used for the Texas Water scenario. We ran 20 exercises from a single scenario configuration before the competition, and 16 more during the live event. Despite sharing the same settings, no two exercises played out identically — the agentic AI generated different narratives, different adversary actions, and different pressure points each time. Yet every run produced a complete AAR automatically. The comparative analysis in this case study was built entirely from those platform-generated reports — we didn’t need external analysts, manual scoring rubrics, or post-exercise interviews. The platform captured everything.
Why Repetition Matters
Running a scenario once tells you how a team responds to a crisis. Running it multiple times tells you something far more valuable:
- Consistency: Does the team make the same mistakes repeatedly, or do they improve? Our 20-trial pre-study showed that passive responses (“OK,” “wait for instructions“) scored 0 every single time — a pattern that only becomes visible through repetition.
- Pattern recognition: Across multiple runs, the AAR’s reveal systemic strengths and weaknesses. In our study, public communication was flagged as an improvement area in over half of all AAR’s — a finding that wouldn’t surface from a single exercise.
- Scoring trends: The automated scoring provides a measurable baseline. When the same team runs the same scenario quarterly, score trends tell you whether your training program is working. Our data showed that compound-action inputs (combining multiple related actions in a single response) consistently scored 7–8, while single-action inputs scored 5–6 — a coaching insight that directly improves future performance.
- Cross-team benchmarking: When different teams run the same scenario, their AAR’s become directly comparable. At the Texas Water competition, Team 3 received “Excellent” containment while Team 12 received “Fair” — from the same scenario. The platform’s consistent scoring made that comparison meaningful and defensible.
How This Study Validates the Approach
For this case study, we went further than most organizations would need to. We had our technical support team — people who know AutoTableTop™ inside and out but have no water industry experience — run the scenario 20 times to establish a baseline. We then compared those results against 16 teams of actual water operators at the Texas Water Operations Challenge. The comparison revealed that:
- The platform’s automatic AAR’s correctly distinguished between high-quality and low-quality crisis management responses regardless of who was participating.
- Operators who had never seen the platform produced the highest single-exercise score of either group (8.0 average), validating that the scoring engine evaluates crisis management quality — not tool familiarity.
- The AARs from both groups generated actionable, differentiated recommendations — not generic boilerplate.
Organizations using AutoTableTop™ version 2.0 don’t need to replicate this level of analysis. The platform does the heavy lifting. Create your scenario, store it, run it with your teams, and let the automatically generated AARs guide your improvement. Run it again next quarter and compare. That’s the best practice.
Best Practice Summary
Create once. Store it. Exercise repeatedly. Let the platform analyze. Each AutoTableTop™ version 2.0 exercise automatically generates a complete After-Action Report (ARR) with scoring, metrics, improvement areas, and recommendations. Run the same scenario with different teams for cross-team benchmarking, or with the same team over time to measure improvement.
Version 2.1’s organization-level scenario storage makes this workflow seamless — save your scenario configuration once and deploy it across your organization whenever you’re ready.
Key Findings — Tool Expertise vs. Domain Expertise
The central finding of this case study is that tool familiarity raises the floor, but domain expertise raises the ceiling. The pre-study team (Group A) achieved a higher mean average score (6.5 vs. 6.1) through optimized phrasing and turn-count management. But the competition’s top team produced the single highest-performing trial of either group — an 8.0 average from a team of water operators who had never seen AutoTableTop™ before.
| Metric | Group A (Tool Experts) | Group B (Operators) |
|---|---|---|
| Trials / Teams | 20 | 16 |
| Mean Average Score | 6.5 | 6.1 |
| Highest Individual Average | 7.5 | 8.0 |
| Average Turns Per Trial | 6.7 | 5.4 |
| % Scoring 8 At Least Once | 85% | 63% |
Competition Awards (Top 3 by Total Score)
| 🥇 | WSSC Water Diffusers — 94 points, 14 turns |
| 🥈 | Sacramento SacSewer Warriors — 67 points, 10 turns |
| 🥉 | Fort Worth Funky Town Legends — 38 points, 6 turns |
Highest Average Score: Fort Worth Funky Town Lady Legends — 8.0 average (4 turns, all scored 8/10). The highest average of any trial in either group.
What Operators Said That Tool Experts Never Did
The most striking differences between the two groups were qualitative. Water operators brought responses grounded in daily plant operations that no amount of tool familiarity could replicate:
| Operator Response | What It Means | Team |
|---|---|---|
| “Run in-hand” | Industry jargon for manual/local equipment operation | 7 |
| “Grab samples” | Lab procedure for water quality verification | 11 |
| “Disconnect PLC network” | Precise OT isolation language | 9 |
| “Paper logs for permit compliance” | Regulatory fallback when digital systems fail | 10 |
| “Test water post-incident” | Verify attacker didn’t alter treatment parameters | 8 |
| “Contact cyber insurance” | Risk management and policy compliance awareness | 9 |
| “Alert other facilities on network” | Cross-utility breach notification | 9 |
| “Verify PII compromise” | Data privacy consideration | 6 |
None of these responses appeared in any of the 20 pre-study trials. The scoring engine correctly recognized and rewarded this operational specificity, confirming that AutoTableTop™ version 2.0 evaluates crisis management quality — not cybersecurity vocabulary.
Exercise Themes — What Participants Faced
- Ransomware discovery on SCADA/HMI systems during a routine shift change
- Transition from automated to manual plant operations under crisis conditions
- DFIR engagement and cybersecurity resource mobilization without in-house cyber staff
- Regulatory compliance maintenance (permit requirements, water quality standards) during degraded operations
- Public communication strategy including social media misinformation management
- Cross-facility and multi-agency coordination (law enforcement, regulatory bodies, neighboring utilities)
- Post-incident process verification — ensuring the attacker didn’t alter treatment parameters
- Cyber insurance and legal stakeholder coordination
- Lessons learned documentation and prevention strategy development
- Incident command structure activation for non-traditional (cyber) emergencies
Exercise Files — Scenario Package for AutoTableTop™ version 2.0
Download these files to study prior to running the Texas Water 2026 ransomware crisis management exercise in AutoTableTop™ version 2.0, along with the complete baseline study, case study, and presentation materials. To run the exercise, none of the
| Description | File | Download |
|---|---|---|
| Comprehensive baseline report analyzing 20 controlled trials with integrated ARR findings, MITRE ATT&CK TTP analysis, scoring pattern analysis, five-phase decision framework, optimized 6-input demo script with quick reference card, expert review by Randy Petersen (SJRA), and recommended competition settings. | Pre-Study Report |  Download |
| Post-study case study comparing 20 pre-study trials (tool experts) against 16 live competition teams (domain experts) with consolidated competition AAR analysis, scoring pattern comparison, operator-specific response catalog, revised demo script with operator-authentic alternative phrasings, and seven key conclusions. | Case Study | Download |
| 10-slide presentation covering study design, competition results, operator vs. tool expert response patterns, AAR findings, scoring patterns, conclusions, and implications for AutoTableTop™ 2.0. Uses ThreatGEN® branding. | Presentation | Download |
Water & Wastewater Cybersecurity Resources
The following resources informed the scenario development and provide additional context for water/wastewater cybersecurity preparedness:
- CISA — Water and Wastewater Systems Sector: cisa.gov/water-and-wastewater-systems-sector
- EPA — Cybersecurity for Water Utilities: epa.gov/waterriskassessment/epa-cybersecurity-water-sector
- WaterISAC — Water Information Sharing and Analysis Center: waterisac.org
- AWWA — Cybersecurity Guidance (ANSI/AWWA J100): awwa.org/cybersecurity-guidance
- WEAT — Water Environment Association of Texas: weat.org
- NACWA — “10 Practical Steps to Reduce SCADA Cybersecurity Risk” by Randy Petersen (SJRA) — referenced in the expert review section of the pre-study report
- SCADA User Group: scadausergroup.org — co-founded by Randy Petersen; ThreatGEN® is a Tier 1 Sponsor
- MITRE ATT&CK for ICS: attack.mitre.org/techniques/ics/
Getting Started — How to Run This Exercise
Option 1 — Quick Start: Download the Settings File above and upload it into the AutoTableTop™ 2.0 settings screen. The AI engine will generate a complete ransomware crisis management exercise calibrated for water/wastewater operators. Use the Baseline Study Report’s Quick Reference Card (final page) as a facilitator guide.
Option 2 — Full Deployment with Repeated Exercises: Follow the best practice methodology described above. Upload the Settings File, run the scenario with an initial team to establish a baseline, then deploy it to additional teams or run it with the same team at regular intervals. Compare AARs across runs to measure improvement and identify persistent gaps — no manual analysis required.
Option 3 — Competition Format: Use the concise verbosity setting and the revised Quick Reference Card (from the Case Study) which includes operator-authentic alternative phrasings. The 6-input demo script fits within a 30-minute competition time slot.
Available in AutoTableTop™ 2.0
This scenario is available as a built-in scenario template within the AutoTableTop™ 2.0 simulation platform. Navigate to the scenario selection screen, select “Texas Water Treatment Facility — Ransomware Crisis”, and customize it for your organization’s specific environment, staff, and network architecture before running your tabletop exercise.
This is an AutoTableTop™ version 2.0 scenario. It will be updated for version 2.1 when that release becomes available. All downloadable files above are compatible with the current 2.0 platform.
Copyright 2026 by Derezzed Inc. D/B/A ThreatGEN, all rights reserved.