One operating model across scenario types
Keep the same run structure, participant workflow, and post-exercise scoring whether you are validating IR, resilience, or communications playbooks.
Exercise Library
Run the right tabletop without rebuilding the exercise from scratch.
TTXLab gives security, resilience, and governance teams one repeatable workflow across incident response, ransomware, continuity, communications, third-party risk, and executive crisis scenarios.
Featured executive tabletop
Executive Workplace Violence Crisis Tabletop
Practice first-hour leadership decisions for active assailant ambiguity, employee accountability, law coordination, family and media inquiries, continuity, and recovery.
Built for recurring readiness work, not one-off workshops
Choose the scenario type that matches the capability you want to validate, then run it through the same facilitation, scoring, and reporting workflow your team can reuse every quarter.
Role-based facilitation instead of slide decks
Prompt commanders, technical leads, legal, communications, and executives through the decisions they would own during a live incident.
Evidence that compounds over time
Turn each run into a transcript, score snapshot, and corrective-action trail that teams can compare quarter over quarter.
Scenario Coverage
Nine tabletop tracks.
One shared readiness baseline.
Compare exercise types, role mixes, tested capabilities, and scenario patterns before you launch the next run.
IR Incident Response
Coordinate detection, containment, eradication, and recovery actions.
Default Roles
Incident CommanderSOC AnalystIT LeadLegal CounselCommunications LeadHR Lead
What Gets Tested
- Detection and triage speed
- Cross-team escalation
- Containment decision-making
- Evidence preservation
- Post-incident review
Example Scenario
A SOC analyst flags anomalous outbound traffic from a payment processing server at 2 AM. The team must coordinate containment while preserving forensic evidence.Explore Incident Response→
WV Executive Workplace Violence
Practice executive crisis coordination for workplace violence and active assailant scenarios.
Default Roles
Crisis ManagerExecutive SponsorHR LeadLegal CounselCommunications LeadPhysical Security LeadFacilities LeadEmployee Accountability Lead
What Gets Tested
- Crisis activation
- Employee protective action communications
- Law enforcement and medical coordination
- Employee accountability and family support
- Business continuity and recovery planning
Example Scenario
Conflicting employee reports suggest a possible active assailant near headquarters. Leaders must activate crisis coordination, communicate with employees, coordinate with law enforcement, account for personnel, and plan continuity.Explore Executive Workplace Violence→
BCP Business Continuity Planning
Maintain critical business operations through disruptive events.
Default Roles
BCP CoordinatorOperations LeadIT LeadFacilities LeadHR LeadExecutive Sponsor
What Gets Tested
- Business impact assessment
- Alternate operations activation
- Stakeholder communication
- Recovery prioritization
Example Scenario
A regional data center loses power during peak hours. Teams must activate continuity plans and reroute critical services within the defined RTO.Explore Business Continuity Planning→
DR Disaster Recovery
Restore IT systems, applications, and data after outages.
Default Roles
DR LeadIT LeadApplication OwnerSystem OwnerVendor LiaisonCommunications Lead
What Gets Tested
- System restoration sequencing
- Backup validation
- RTO/RPO adherence
- Failover coordination
Example Scenario
A corrupted storage array takes the primary database offline. The team must restore from backups and verify data integrity before resuming operations.Explore Disaster Recovery→
CC Crisis Communication
Align internal and external communications during incidents.
Default Roles
Communications LeadExecutive SponsorLegal CounselHR LeadSocial Media LeadCustomer Support Lead
What Gets Tested
- Message consistency
- Stakeholder mapping
- Media response timing
- Internal alignment
Example Scenario
News outlets begin reporting on a suspected data breach before the company has confirmed details. The comms team must align internal and external statements under time pressure.Explore Crisis Communication→
RW Ransomware
Drive executive and technical response to ransomware events.
Default Roles
Incident CommanderSecurity LeadIT LeadLegal CounselFinance LeadLaw Enforcement Liaison
What Gets Tested
- Ransom decision framework
- Lateral movement containment
- Legal and regulatory notification
- Decryption assessment
- Business impact quantification
Example Scenario
Encrypted file extensions appear across shared drives and a ransom note demands payment in 48 hours. Leadership must decide on negotiation posture while technical teams isolate affected systems.Explore Ransomware→
VR Third-Party / Vendor Risk
Respond to disruptive events originating from critical vendors.
Default Roles
Vendor LiaisonProcurement LeadLegal CounselSecurity LeadBusiness Unit LeadCommunications Lead
What Gets Tested
- Vendor communication protocols
- Contractual obligation review
- Supply chain impact assessment
- Alternate vendor activation
Example Scenario
A critical SaaS provider notifies your team of a breach affecting shared credentials. The team must assess downstream exposure and activate contingency agreements.Explore Third-Party / Vendor Risk→
DB Data Breach Response
Handle confirmed exposure of sensitive customer and employee data.
Default Roles
Privacy OfficerLegal CounselSecurity LeadCommunications LeadCustomer Support LeadExecutive Sponsor
What Gets Tested
- PII exposure scoping
- Regulatory notification timelines
- Affected party communication
- Forensic chain of custody
Example Scenario
An engineer discovers a misconfigured S3 bucket has been publicly accessible for 72 hours containing employee PII. The team must scope the exposure and initiate breach notification procedures.Explore Data Breach Response→
IT Insider Threat
Coordinate cross-functional response to malicious or negligent insiders.
Default Roles
Insider Risk ManagerHR LeadLegal CounselSecurity LeadManagement RepresentativePhysical Security Lead
What Gets Tested
- Behavioral indicator recognition
- Cross-functional coordination
- Legal and HR engagement
- Access revocation procedures
Example Scenario
A departing employee's badge access logs show after-hours entry to a restricted area. IT flags large file transfers to personal cloud storage over the past week.Explore Insider Threat→
Dedicated pages for each exercise type
Each exercise type has its own scenario overview, default roles, tested capabilities, and example inject so buyers and operators can evaluate fit without guessing.
Incident Response
Practice detection, triage, escalation, containment, and recovery decisions in guided sessions with framework-mapped reports.
Explore Incident Response→Executive Workplace Violence
Practice crisis activation, protective-action communications, law enforcement coordination, employee accountability, continuity, and recovery without tactical instruction.
Explore Executive Workplace Violence→Ransomware
Rehearse ransom posture, recovery sequencing, law enforcement coordination, and stakeholder communications under realistic time pressure.
Explore Ransomware→Business Continuity
Practice alternate operations, recovery prioritization, and stakeholder communications during disruptive outages.
Explore Business Continuity→Disaster Recovery
Rehearse restore sequencing, backup validation, failover coordination, and stakeholder updates before a real outage.
Explore Disaster Recovery→Crisis Communications
Rehearse internal updates, external statements, media response, legal review, and executive alignment when minutes matter.
Explore Crisis Communications→Third-Party / Vendor Risk
Rehearse contractual response, downstream impact scoping, alternate vendor activation, and customer communications.
Explore Third-Party / Vendor Risk→Data Breach Response
Rehearse exposure scoping, regulatory notification timelines, affected-party communications, and evidence handling.
Explore Data Breach Response→Insider Threat
Practice how HR, legal, IT, and security coordinate when the threat may be coming from inside the organization.
Explore Insider Threat→Executive Workplace Violence
Practice first-hour leadership decisions for workplace violence, employee accountability, law enforcement coordination, continuity, and recovery.
Explore Executive Workplace Violence→