Cyber rehearsal platform that lets cleared defense teams simulate adversary campaigns in hours and train human-approved responses.

1. A $100 million round at unicorn valuation levels shows cyber-warfare infrastructure is maturing into a real procurement layer, which creates room for specialized workflow software around it.
2. Defense customers are signaling that AI adoption must keep human judgment central, which favors products built around operator approval and audit trails rather than full autonomy.
3. If cyber tasks that once took weeks can now be automated, readiness teams will feel immediate pressure to increase exercise tempo and refresh playbooks faster.
4. The same offensive tradecraft can be sold through red-team and incident-response simulation workflows first, giving a startup a practical wedge before buyers authorize broader operational use.

Catalyst. Twenty's funding, its human-in-the-loop positioning, and its claim that weeks-long cyber tasks can now be automated make rehearsal and operator readiness the newly urgent software control point for defense buyers.

The product ingests threat-intelligence notes, previous exercise artifacts, customer mission constraints, and approved playbooks to generate a draft adversary campaign and response tree for each rehearsal. A human controller reviews every step, edits injects, and approves what the system can simulate, preserving the manual evaluation posture that defense buyers require. During the exercise, the platform adapts inject timing, tracks operator decisions, and records which branches teams handled well or poorly. Afterward it creates a cited after-action package that links each recommendation back to the underlying scenario, operator actions, and approved doctrine. The first sell is not generic cyber AI; it is faster, repeatable mission rehearsal for one cleared program where readiness cycles already have budget and urgency.

What's different. Existing cyber ranges are usually content-poor infrastructure, while red-team services are labor-heavy and hard to repeat. This company would own the layer in between: the approved scenario graph, response tree, and operator-decision dataset for cleared mission rehearsals. That creates defensibility through proprietary rehearsal data, doctrine-linked approvals, and integrations into the workflows that decide readiness, not just raw cyber telemetry.

Jobs to be done

flowchart LR
  Buyer[Cyber exercise director] --> Pain[Weeks of manual scenario prep]
  Pain --> Product[Cyber rehearsal control plane]
  Product --> Outcome[More realistic drills with human-approved responses]

Executive takeaways

• The strongest signal is not autonomous offense but a workflow layer around it: Twenty’s funding and today’s validation vendors point to budget formation, while federal standards still force human review, documentation, and repeatable exercises [1][2][3][6][7][10][26][28].
• Beachhead demand is likeliest inside large federal primes and cleared integrators that already run recurring drills and need to compress manual prep under workforce strain [5][13][17][18][24][25][37].
• The market is crowded with cyber-range, BAS, and crisis-simulation vendors, but few products own doctrine ingestion, approval workflow, and cited after-action evidence for one cleared program [19][20][21][24][25][26][27][28][29][30][31].
• The immediate niche is probably tens of millions, not billions; venture scale depends on expanding from rehearsal design into the system of record for readiness, debrief, and mission knowledge [5][38][39][40].

Market definition

This startup sits between cyber ranges, breach-and-attack simulation, and incident-response exercises: software that turns threat reports and prior playbooks into repeatable mission-rehearsal scenarios, keeps humans in the approval loop, and produces after-action evidence. Adjacent cyber-range and BAS categories are already measurable and growing, but most current tools optimize environments or control validation rather than program-specific rehearsal control [6][7][19][24][26][28][30][32][38][39][40].

Customer and buyer

Primary users are cyber exercise directors, red/purple-team leads, and incident-response leaders inside large federal primes or cleared integrators; economic buyers are cyber program executives who own readiness outcomes, labor utilization, and contract performance. The most attractive first accounts are among the Washington Technology Top 100 contractor set, where recurring cyber programs and federal procurement muscle already exist [5][3][17][19][27].

Buying triggers

• An upcoming readiness drill or tabletop requires fresh scenarios, injects, and after-action evidence on a short clock. [6][7][35][36]
• A new contract award or compliance milestone tied to CMMC/DFARS forces the contractor to prove disciplined cybersecurity implementation and reporting. [3][4]
• Cyber workforce strain makes manual scenario authoring and review too dependent on scarce senior operators. [13][37]
• A recent incident or coverage gap pushes teams to refresh playbooks and validate response paths against current attacker behaviors. [14][15][16][27][32]

Willingness to pay

Budget willingness exists when the product is sold as a program-readiness or validation layer, not as generic training content: adjacent vendors sell through enterprise or federal motions, GSA channels, or custom plans rather than commodity per-seat pricing, and SCYTHE explicitly frames pricing around operating models rather than seat counts [5][19][28][30][31]. [5][19][28][30][31]

Category dynamics

Growth signal ~11%-23% CAGR across adjacent cyber-range and BAS categories

Validation signals

• Twenty’s $100M Series B and unicorn valuation show investors believe AI-enabled defense cyber operations can support standalone software layers.
• SimSpace’s federal and Florida public-sector proof points show cyber ranges are already procured outside elite military units.
• AttackIQ’s GSA-channel announcement suggests federal buyers will procure validation tooling when it fits existing vehicles.
• Immersive and RangeForce materials show buyers want repeated drills, measurable readiness, and non-lecture training.
• SCYTHE’s public pricing language and AttackIQ’s CTEM motion show buyers are shifting from one-off assessments to ongoing validation programs.

Regulatory & technical constraints

• Contractors handling FCI or CUI must align cyber processes with CMMC and related DFARS flowdown and assessment mechanics.
• Deployment architecture will need to map to FedRAMP baselines, impact levels, and authorization expectations if sold into government-connected environments.
• Exercise content must remain human-reviewed and auditable to satisfy incident-handling and AI-risk expectations.
• ATT&CK and open-source emulation lower technical barriers for buyers to self-build partial substitutes.

Competition comes from four adjacent camps: (1) cyber-range platforms such as SimSpace, RangeForce, and Immersive that help teams drill in realistic environments [19][20][21][24][25]; (2) BAS and adversary-validation vendors such as AttackIQ and SCYTHE that validate controls against ATT&CK-mapped behaviors [26][27][28][29][30][31]; (3) open-source emulation frameworks such as MITRE ATT&CK, Caldera, and Atomic Red Team that lower tooling barriers for internal teams [32][33][34]; and (4) manual services and tabletop workflows that still dominate approval-heavy exercises [6][7][35][36]. The gap is a cleared-program control plane that turns threat reports and prior drills into reusable scenario graphs, approval chains, and evidence-backed debriefs.

Why incumbents do not win by default

• Cloud platforms. Cloud and CTEM stacks help validate exposures, but they do not encode doctrine, buyer approvals, or multi-team rehearsal logic for a named federal program.
• Cyber range vendors. Range vendors own environment realism and drill delivery, but after-action content, doctrine mapping, and cross-exercise learning still sit outside the environment layer.
• BAS and validation vendors. BAS products prove control effectiveness in production-like environments, but they are optimized for validation rather than human-approved mission rehearsal and cited debrief packages.
• Services firms and primes. Trusted integrators can run exercises manually, but labor-heavy delivery does not compound into reusable scenario graphs or operator-decision datasets.

Cyber Rehearsal Control Plane sells into cleared federal contractors that already run recurring cyber drills but still author scenarios, injects, and after-action reports by hand. The beachhead is one quarterly adversary-emulation or incident-response rehearsal for a top-25 federal prime supporting a Combatant Command or Intelligence Community program, where the buyer is a cyber program executive and the user is the exercise director. The wedge is software that ingests threat reports, prior playbooks, and mission constraints to generate draft scenario graphs and response trees, while requiring human approval on every inject to fit NIST-style exercise practice and AI oversight expectations. This entry point is narrower than a cyber range or BAS platform, but it reaches budget faster because it attaches to an imminent exercise, new mission award, or post-incident retraining cycle rather than to a broad platform replacement. The modeled market is modest at the beachhead, with a $15M SAM and $3M year-3 SOM, so the company is only venture-interesting if it expands from rehearsal design into the system of record for readiness evidence, debriefs, and cross-program mission knowledge. The main missing facts are named customer deployments, observed procurement cycle length, and real pricing benchmarks for this exact workflow, so pricing and conversion assumptions remain testable operating assumptions rather than evidence-backed facts. Because the wedge is clear but proof is absent and incumbents are adjacent, the investor stance is Watch until one contractor pilot shows scenario build-time compression, operator trust, and pilot-to- program conversion.

Problem

• Cleared cyber programs still rely on bespoke scripting, spreadsheets, and senior operators to turn threat reports into exercise scenarios, which stretches rehearsal preparation from days or weeks into a scarce labor bottleneck.
• Buyers need more frequent and better-documented readiness drills, but they cannot adopt a black-box offensive system that bypasses human review, approval, and auditability.

Solution

• The product ingests threat reports, prior playbooks, and mission constraints to generate draft adversary campaigns, response trees, and exercise injects for one named rehearsal.
• Controllers approve, edit, or reject every inject before use, creating a human-governed workflow that matches defense expectations for oversight and evidence.
• The platform records operator decisions and outputs a cited after-action package, so each rehearsal compounds into reusable scenario graphs and measurable learning.

Why we win

• We sell the approval and evidence workflow that sits between labor-heavy exercise design and infrastructure-heavy cyber ranges, instead of competing head-on as another range or BAS product.
• Human-approved scenario graphs, doctrine-linked provenance, and cross-exercise after-action data create stickiness that manual services and generic validation tools do not naturally capture.
• The first proof point is operationally simple and budget-linked: compress one exercise cycle from weeks to hours without lowering realism.

Milestones

flowchart LR
  Wedge[One named contractor rehearsal] --> MVP[Scenario draft and approval workflow]
  MVP --> Proof[Prep-time savings and trusted after-action evidence]
  Proof --> Expansion[Multi-program subscriptions and partner-led distribution]

Founding team

Experiment roadmap

Risk assessment

What must be true

• Exercise directors must accept AI-generated scenario drafts when every inject remains human-approved.
• One rehearsal cycle must reduce scenario-authoring time by at least 50% without lowering realism scores.
• Contractors must buy through an existing budget or channel path instead of forcing a multi-year platform procurement.
• Range and BAS incumbents must remain partners or partial substitutes rather than bundling the full workflow fast enough to collapse the wedge.
• The company must expand from one pilot into multiple programs so the business is not capped at low single-program ARR.

Open diligence questions

• Which budget owner signs the first check for a rehearsal-control product inside a federal prime?
• How much rehearsal data can be used on contractor-side or unclassified systems before a higher-assurance deployment is required?
• What realism and provenance evidence would senior controllers require before trusting AI-generated inject drafts?
• How long is the shortest credible pilot-to-production path through a reseller, subcontract, or approved vehicle?
• Which incumbent partner is most likely to open distribution without owning the approval and evidence workflow?

Model sanity

• Revenue engine. Base-case revenue is driven by active paid programs rising from 2 at Y1 exit to 10 at Y3 exit at roughly $300K annualized value per program.
• Must go right. The first two paid rehearsals must convert and the first partner route must help the company reach 6 active programs before it adds a second seller.
• Model breaks if. If procurement slips a quarter and realized ACV falls toward $280K, downside cash turns slightly negative before Y3 ends.
• Next-round proof. The next round is best justified once 6 active programs, 2-3 contractor accounts, and one repeatable channel path prove the workflow is becoming a system of record.

Scenarios

Sensitivity

flowchart LR
  TargetAccounts --> PaidPilots
  PaidPilots --> ActivePrograms
  ActivePrograms --> Revenue
  Revenue --> GrossProfit
  GrossProfit --> Cash

Flags: The model treats pilots and recurring programs at the same $25K monthly rate; if pilots price lower or require unpaid setup work, Y1-Y2 revenue will be overstated. · Cash collections are modeled in-period even though federal contractors can pay 60-120 days after invoice and procurement paperwork could extend that further. · Base case still ends Y3 slightly EBITDA negative, so the next round depends on channel proof and multi-program expansion more than on profitability. · The beachhead SAM is only $15M, so venture-scale upside still requires expansion into adjacent public-sector or critical-infrastructure readiness programs after Y3.

• Procurement cycles drag. Cleared defense buyers may take too long to approve new software even if the workflow pain is real. Mitigation: Land first through contractors that already own exercise delivery budgets and start with one advisory rehearsal workflow rather than a broad platform replacement.
• Incumbent cyber-range vendors bundle the wedge. Range providers or services firms could add basic AI scenario generation and slow adoption of an independent product. Mitigation: Own the harder layer of cited scenario graphs, human-approval logging, and cross-exercise learning that infrastructure vendors rarely capture well.
• Trust breaks if generated scenarios are unrealistic. One poorly grounded exercise could make operators view the system as synthetic noise instead of usable tradecraft support. Mitigation: Require human approval on every inject, start with constrained playbook libraries, and show citation trails from source doctrine to generated scenarios.