Operation Tobacco Road

Welcome to Operation Tobacco Road!

Operation Tobacco Road is a full-scale technical cybersecurity exercise designed to train network defenders and information security personnel how to identify and respond to cyber threat actors in an enterprise environment. The exercise is designed based on lessons learned from real-world cybersecurity incidents.

The exercise consists of 5 teams of defensive cyber operations (Blue Teams). They will work for an assigned network owner (CIO) to identify and respond to the cyber threat actor (Red Team).

The exercise will take place over five days in Raleigh at North Carolina's State Emergency Operations Center.

Operation Tobacco Road 2024 Key Information

Welcome to the second annual Operation Tobacco Road! For those of you who participated last year, we're glad to have you back. For those of you participating for the first time; we're glad you joined us!

Here are some important updates to this year's event:

  • This event is now occurring twice! Once in July and once in September.
  • The exercise has been expanded to include two additional teams for each iteration.

Exercise Design:

  • Range is built on the USCYBERCOM Persistent Cyber Training Environment (PCTE).
  • Exercise will progress in difficulty each day, with a culminating event on the last day.
  • Capture the Flag built into the exercise.
  • Day 1 is range familiarization, tool validation, and risk assessment.
  • Days 2-5 progress along a centralized theme with various injects simulating real adversary tactics and techniques.
  • Each day has a “Purple Hour” built in - Red Team reviews their attacks with Blue Team at the end of the exercise period.
OTR 24

Across the board, these exercises serve two major purposes. First, they help to validate existing plans, policies, procedures, and capabilities. Testing how different organizations and agencies at all levels of government and in critical infrastructure sectors will collaborate in response to an emergency verifies that their plans will be effective when a real-world cybersecurity incident arises. Second, these exercises help participants identify resource requirements, capacity constraints, and potential areas for improvement.

The Operation Tobacco Road Exercise currently uses the Persistent Cyber Training Environment (PCTE), a US Cyber Command training environment. The live training environment allows participants to work together in an environment that mirrors the same infrastructure that they see in networks they are responsible for defending on a day-to-day basis.

Operating against teams emulating the tactics and techniques of real-world cyber threat actors, participants test their capability to recognize, identify, and respond to malicious cyber activity.

The scenario runs in a low-stress, no-fault environment where participants are encouraged to collaborate and challenge assumptions.

Operation Tobacco Road is unique in that it moves beyond the theoretical and into the world of the practical, where real-time results and consequences of incident response choices become clear. It isn’t discussion-based like a typical tabletop exercise and instead puts participants on the spot just like they would be in a real cybersecurity scenario. The exercise also fosters relationship building between IT staff, cyber experts, and peer organizations.

Provides exercise support to the Blue Teams during the exercise to include technical and non-technical guidance


  • Lead Controller (LC): Provides timely and efficient management of the exercise. Provides troubleshooting assistance.
  • Observer Controller (OC): Embedded with Red Team. Subject matter experts on Blue Team training objectives. Works directly with TO to control the flow of scenario events to the Blue Teams.
  • Technical Observer (TO): Embedded with Blue Team. Observation and documentation. Responsible for evaluating and documenting Blue Team actions.

Blue Team Organization

  • What is a Blue Team?: Defensive security professionals responsible for maintaining internal network defenses against cyber-attacks and threats.

Who is eligible to participate? IT professionals of all skill levels from North Carolina State, Tribal, Local Government, including K-12 Schools, Critical Infrastructure, UNC System, or the NC Community College System.

If you are interested in participating, please contact us at info.operationtobaccoroad@army.mil for any inquiries.

What tools will be used by the Blue Teams?.

  • NSM (Zeek)
  • Suricata (IDS)
  • Elastic
  • Kali Linux
  • Windows Sysinternals
  • PowerShell
  • NMAP
  • Putty
  • BurpSuite - Free Edition
  • Flare VM

Feel free to contact us at info.operationtobaccoroad@army.mil for any inquiries.

Operation Tobacco Road 2024:

  • Day 1: Range Familiarization, Network Validation, and Tool Validation
  • Day 2: Live Red | Blue Team event
  • Day 3: Live Red | Blue Team event
  • Day 4: Live Red | Blue Team event
  • Day 5: Culminating Event and After Action Review

OTR 2023 Photo Gallery

Column Paragraph