We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Corporate report

Scottish Cyber Activity Report 2026

Published
25 March 2026
Directorate
Digital Directorate
Topic
Public sector
ISBN
9781807750565

The Scottish Cyber Activity Report (SCAR) 2026 is the first of an annual publication from the Scottish Cyber Coordination Centre (SC3) giving a comprehensive, data-driven assessment of cyber activity across Scotland's public sector.

View supporting documents Supporting documents

3. Exercising

The cyber exercising workstream is one of the core pillars of the SC3. This workstream’s primary objective is to enhance the cyber resilience of Scotland’s public sector by ensuring organisations develop, maintain, and routinely test practical incident response capabilities.

Through simulated high‑pressure cyber scenarios across technical, operational, and strategic levels, the workstream enables organisations to:

  • Identify vulnerabilities and gaps within existing incident response processes.
  • Test the effectiveness of their response plans in a safe, controlled environment.
  • Strengthen operational coordination and decision‑making.
  • Improve technical incident handling and strategic crisis management.

The cyber exercising workstream aims to support public sector bodies toward a state of practically tested cyber resilience, ensuring they are able to effectively identify, respond to, and recover from cyber incidents through the following:

  • Strengthening preparedness by:
    • Encouraging public sector organisations to prepare for the most common cyber attack scenarios.
    • Facilitating testing and improvement of Cyber Incident Response Plans (CIRPs) and playbooks.
    • Building sector‑wide capability by developing a cadre of trained cyber exercising practitioners across the Scottish public sector to enhance resilience and increase exercising activity.
  • Ensuring robust response processes such that:
    • All organisations have current, well‑tested response plans.
    • National‑level incident response processes are coordinated, robust, and effective.

3.1. Exercising in Numbers

In the past 12 months, 64% of Scottish public sector organisations have reported they have carried out cyber exercising to test their cyber resilience arrangements. Whilst it is encouraging to see the uptake in exercising, there is still a significant number of public sector organisations that are not currently realising the benefits of cyber exercising. 58% of organisations have reported undertaken tabletop exercising in the last year and 23% of organisations reported having undertaken live play exercises.

A variety of tools and approaches have been utilised to deliver exercises across the sector including SC3 facilitated sessions, third party and Cyber Incident Response specialist facilitated exercises, as well as internal exercises using NCSC’s Exercise in a Box resources and the TTX Gym online cyber exercising tool among others. The following table shows the most common cyber exercising scenarios used across the Scottish public sector in the last year broken down by type of exercise:

Scenario explored in exercise Tabletop exercises Live play exercises
Ransomware attack 79 21
Data leak 38 10
Third party compromise 27 9
Supply chain 29 5
Managing a vulnerability disclosure 14 6
Other 35 14

Over the past few years, the SC3 Exercising Workstream has directly supported or facilitated 19 cyber exercises across the Scottish public sector. The figures in the table below illustrate the uptake of the cyber exercising support offer from SC3. Most of these exercises tested both the strategic and operational readiness of the organisations taking part in the exercise.

Sector 2025 2024
Central Government 7 0
Health 0 1
Local authority 3 7
Multi sector 1 0
Total 11 8

3.2. Exercising Themes

Common themes continue to emerge across the public sector and feedback gathered from organisations engaging in cyber exercising activities highlights strong support for continued and expanded exercising.

1. Exercises Build Engagement and Confidence

  • Initial scepticism is common, but attitudes shift positively once exercises conclude and lessons are shared.
  • Participants value the confidence, competence, and decision‑making insights gained from TTXs.
  • Exercises also function as effective team‑building activities.

2. Localised Scenarios Are More Effective

  • Staff respond better to bespoke, locally relevant scenarios than generic materials.
  • Highlights the need for configurable scenario templates tailored to organisational contexts.

3. Resource Constraints Limit Follow‑Through

  • Exercises routinely surface long lists of lessons, but many organisations lack capacity to implement them.
  • Some organisations have not yet exercised due to staffing/resource shortages.
  • Indicates value in shared SC3 support, templates, and potentially facilitation services.

Contact

Email: SC3@gov.scot

Back to top