One operating model across scenario types
Keep the same run structure, participant workflow, and post-exercise scoring whether you are validating IR, resilience, or communications playbooks.
Exercise Library
Run the right tabletop exercise without reinventing the format each time.
TTXLab gives security, resilience, and governance teams one repeatable operating model across incident response, ransomware, continuity, communications, and third-party risk scenarios.
Built for recurring readiness work, not one-off workshops
Choose the scenario type that matches the capability you want to validate, then run it through the same facilitation, scoring, and reporting workflow your team can reuse every quarter.
Role-based facilitation instead of slide decks
Guide commanders, technical leads, legal, and communications through the same decision sequence they would follow during a live incident.
Evidence that compounds over time
Turn each run into a consistent transcript, score snapshot, and corrective-action trail that teams can compare quarter over quarter.
Scenario Coverage
Eight exercise tracks.
One shared readiness baseline.
Compare exercise types, role mixes, tested capabilities, and scenario patterns before you launch the next run.
IR Incident Response
Coordinate detection, containment, eradication, and recovery actions.
Default Roles
Incident CommanderSOC AnalystIT LeadLegal CounselCommunications LeadHR Lead
What Gets Tested
- Detection and triage speed
- Cross-team escalation
- Containment decision-making
- Evidence preservation
- Post-incident review
Example Scenario
A SOC analyst flags anomalous outbound traffic from a payment processing server at 2 AM. The team must coordinate containment while preserving forensic evidence.
BCP Business Continuity Planning
Maintain critical business operations through disruptive events.
Default Roles
BCP CoordinatorOperations LeadIT LeadFacilities LeadHR LeadExecutive Sponsor
What Gets Tested
- Business impact assessment
- Alternate operations activation
- Stakeholder communication
- Recovery prioritization
Example Scenario
A regional data center loses power during peak hours. Teams must activate continuity plans and reroute critical services within the defined RTO.
DR Disaster Recovery
Restore IT systems, applications, and data after outages.
Default Roles
DR LeadIT LeadApplication OwnerSystem OwnerVendor LiaisonCommunications Lead
What Gets Tested
- System restoration sequencing
- Backup validation
- RTO/RPO adherence
- Failover coordination
Example Scenario
A corrupted storage array takes the primary database offline. The team must restore from backups and verify data integrity before resuming operations.
CC Crisis Communication
Align internal and external communications during incidents.
Default Roles
Communications LeadExecutive SponsorLegal CounselHR LeadSocial Media LeadCustomer Support Lead
What Gets Tested
- Message consistency
- Stakeholder mapping
- Media response timing
- Internal alignment
Example Scenario
News outlets begin reporting on a suspected data breach before the company has confirmed details. The comms team must align internal and external statements under time pressure.
RW Ransomware
Drive executive and technical response to ransomware events.
Default Roles
Incident CommanderSecurity LeadIT LeadLegal CounselFinance LeadLaw Enforcement Liaison
What Gets Tested
- Ransom decision framework
- Lateral movement containment
- Legal and regulatory notification
- Decryption assessment
- Business impact quantification
Example Scenario
Encrypted file extensions appear across shared drives and a ransom note demands payment in 48 hours. Leadership must decide on negotiation posture while technical teams isolate affected systems.
VR Third-Party / Vendor Risk
Respond to disruptive events originating from critical vendors.
Default Roles
Vendor LiaisonProcurement LeadLegal CounselSecurity LeadBusiness Unit LeadCommunications Lead
What Gets Tested
- Vendor communication protocols
- Contractual obligation review
- Supply chain impact assessment
- Alternate vendor activation
Example Scenario
A critical SaaS provider notifies your team of a breach affecting shared credentials. The team must assess downstream exposure and activate contingency agreements.
DB Data Breach Response
Handle confirmed exposure of sensitive customer and employee data.
Default Roles
Privacy OfficerLegal CounselSecurity LeadCommunications LeadCustomer Support LeadExecutive Sponsor
What Gets Tested
- PII exposure scoping
- Regulatory notification timelines
- Affected party communication
- Forensic chain of custody
Example Scenario
An engineer discovers a misconfigured S3 bucket has been publicly accessible for 72 hours containing employee PII. The team must scope the exposure and initiate breach notification procedures.
IT Insider Threat
Coordinate cross-functional response to malicious or negligent insiders.
Default Roles
Insider Risk ManagerHR LeadLegal CounselSecurity LeadManagement RepresentativePhysical Security Lead
What Gets Tested
- Behavioral indicator recognition
- Cross-functional coordination
- Legal and HR engagement
- Access revocation procedures
Example Scenario
A departing employee's badge access logs show after-hours entry to a restricted area. IT flags large file transfers to personal cloud storage over the past week.
Start with a guided entry point
Use our dedicated landing pages when you want a scenario-specific overview for incident response or ransomware planning.
Incident Response
Adaptive facilitation for containment, escalation, legal coordination, and recovery planning.
Explore Incident Response →Ransomware
Pressure-test ransom decisions, recovery sequencing, and executive communications under time pressure.
Explore Ransomware →