TTXLab gives security, resilience, and governance teams guided simulations, role-based prompts, and audit-ready reports without waiting weeks for a facilitator.
No account or credit card required for the live demo.
Veteran-owned and operated.
IR Exercise — Ransomware Scenario
Acme Corp · Started 2:47 PM
How It Works
Create the workspace, add participants, and give each role a clear place in the run.
Select the exercise type, tune the scenario, and confirm who owns decisions, communications, and recovery.
The AI facilitator delivers injects, prompts the right roles, and captures the transcript as the team responds.
Export scores, findings, transcript detail, and remediation direction leadership and audit teams can use.
Audit-Ready Reports
Every completed run ends with scores, transcript context, findings, and action items in one artifact instead of scattered notes and screenshots.
Communication
85%
Decision Making
72%
Escalation
68%
Procedures
88%
Legal was notified 12 minutes after containment. Target notification within 5 minutes of confirmed data exposure.
Communications team did not have pre-approved templates available. Pre-draft statements for top 3 scenario types.
No explicit evidence preservation step was triggered. Add forensic hold checklist to incident playbook.
Timestamped record of facilitator prompts, participant responses, and decision points from the full run.
Track all five scoring dimensions — communication, decision quality, role adherence, escalation, and procedural compliance — in one summary view.
Each recommendation is tied to recognized frameworks instead of unsourced generic AI guidance.
Export a structured artifact that leadership, compliance, and audit stakeholders can review quickly.
Exercise Library
Run different tabletop scenarios through the same facilitation, scoring, and reporting workflow so teams can compare performance over time.
Coordinate detection, containment, eradication, and recovery actions.
Default Roles
What Gets Tested
Example Scenario
A SOC analyst flags anomalous outbound traffic from a payment processing server at 2 AM. The team must coordinate containment while preserving forensic evidence.Explore Incident Response→
Practice executive crisis coordination for workplace violence and active assailant scenarios.
Default Roles
What Gets Tested
Example Scenario
Conflicting employee reports suggest a possible active assailant near headquarters. Leaders must activate crisis coordination, communicate with employees, coordinate with law enforcement, account for personnel, and plan continuity.Explore Executive Workplace Violence→
Maintain critical business operations through disruptive events.
Default Roles
What Gets Tested
Example Scenario
A regional data center loses power during peak hours. Teams must activate continuity plans and reroute critical services within the defined RTO.Explore Business Continuity Planning→
Restore IT systems, applications, and data after outages.
Default Roles
What Gets Tested
Example Scenario
A corrupted storage array takes the primary database offline. The team must restore from backups and verify data integrity before resuming operations.Explore Disaster Recovery→
Align internal and external communications during incidents.
Default Roles
What Gets Tested
Example Scenario
News outlets begin reporting on a suspected data breach before the company has confirmed details. The comms team must align internal and external statements under time pressure.Explore Crisis Communication→
Drive executive and technical response to ransomware events.
Default Roles
What Gets Tested
Example Scenario
Encrypted file extensions appear across shared drives and a ransom note demands payment in 48 hours. Leadership must decide on negotiation posture while technical teams isolate affected systems.Explore Ransomware→
Respond to disruptive events originating from critical vendors.
Default Roles
What Gets Tested
Example Scenario
A critical SaaS provider notifies your team of a breach affecting shared credentials. The team must assess downstream exposure and activate contingency agreements.Explore Third-Party / Vendor Risk→
Handle confirmed exposure of sensitive customer and employee data.
Default Roles
What Gets Tested
Example Scenario
An engineer discovers a misconfigured S3 bucket has been publicly accessible for 72 hours containing employee PII. The team must scope the exposure and initiate breach notification procedures.Explore Data Breach Response→
Coordinate cross-functional response to malicious or negligent insiders.
Default Roles
What Gets Tested
Example Scenario
A departing employee's badge access logs show after-hours entry to a restricted area. IT flags large file transfers to personal cloud storage over the past week.Explore Insider Threat→
How the AI Works
A fast facilitator keeps the exercise moving. A deliberate adjudicator scores the run and builds the report. Two specialized models work together so practice feels live and the final artifact holds up in review.
Drives the live run by introducing injects, adapting scenario progression, and prompting the right role.
Scores responses, applies guardrails, and generates reporting your governance stakeholders can rely on.
CISA Template Library
Pricing
Buy one run, schedule quarterly practice, or build a monthly program. Every paid tier includes facilitated exercises, report exports, and the full exercise library.
Pay Per Exercise
$299
one-time purchase
$299/exercise
Best when you need one documented run for a pilot, audit cycle, or board update.
Starter Annual
$999
per year · 4 exercises/year
$250/exercise — save $49 each
For smaller teams that want a repeatable quarterly cadence without monthly billing.
Professional
$199
per month · 12 exercises/year
~$199/exercise — save $100 each
For teams running monthly exercises and tracking readiness improvements over time.
Enterprise
Custom
contract pricing
For multi-team organizations that need procurement support, governance, and rollout control.
Typically responds within 1 business day
FAQ
One exercise credit lets you run a single tabletop exercise session from start to finish, including AI facilitation, live injects, and a full post-exercise report. Credits do not expire within your billing period.
Yes. You can upgrade from Pay Per Exercise to Starter or Professional at any time. Your remaining credits carry forward, and the price difference is prorated.
All plans support up to 15 concurrent participants per exercise. Enterprise plans can accommodate larger groups and custom role configurations.
After an exercise completes, the report, transcript, and scoring artifacts remain accessible in your workspace for at least 90 days. Starter and Professional plans extend access for the duration of your subscription.
TTXLab uses a dual-AI architecture: a low-latency model drives the live facilitation, and a high-accuracy model handles scoring, gap analysis, and report generation. Both are hosted in SOC 2-aligned infrastructure.
Every exercise gives your team a transcript, scores, findings, and follow-up actions your leadership, auditors, and regulators can review. Try the live demo, or browse the starter kit, review the Trust Center, or check recent changes in the changelog.
