Built for serious incident response training

Every feature exists because a real incident response team needed it. No padding, no feature-for-feature's-sake — just a complete training platform that mirrors how real incidents actually work.

Scenario Execution

Every scenario plays out differently based on your decisions. No timelines, no passive slides — just injects, choices, and consequences.

Branching injects

Scenarios branch based on the decisions your team makes. Choose the wrong action and the situation escalates; choose well and you contain it faster. No two exercises play the same.

Four consequence levels

Every decision option is labelled: Optimal, Suboptimal, Poor, or Catastrophic. Participants see the consequences unfold, not just told they were wrong.

Inject types

Structured inject types give context at a glance: 🚨 Alert, ⚡ Escalation, 📋 Consequence, ✅ Resolution. Suggested actions include priority level and suggested assignee role.

Mandatory decision gates

The scenario pauses until the Incident Commander commits to a decision. No skipping, no hand-waving — the exercise only progresses when the team decides.

Exercise pause/resume

Facilitators can pause the exercise at any time for discussion, Q&A, or a teaching moment — then resume exactly where you left off.

Decision time tracking

How long did it take to decide? Every decision records the time taken. Slow decisions under pressure are a signal. Your debrief will surface it.

👥

Real-Time Multiplayer

Host live exercises for your whole team in seconds. No installs, no accounts required for participants — just share a 6-character code.

6-character session codes

Host a session and share a code like XK9P2R. Anyone with the code joins instantly — no invite links, no email sign-up, no friction.

Incident Commander and Viewer roles

The Incident Commander makes binding decisions. Viewers observe and can suggest actions in real time. Mirrors the dynamics of a real response — one decision-maker, team input.

WebSocket real-time sync

All exercise state — injects, decisions, actions, participant list — syncs instantly across every connected participant via WebSocket. No polling, no refresh.

Action suggestions from viewers

Viewers aren't just watching. They can suggest actions that the IC can accept, delegate, or dismiss. Captures the chaos of a real incident response call.

Shared action tracker

Track actions with priority, owner, due date, and status (Open / In Progress / Done). The whole team sees the same board in real time.

🤖

AI-Powered Features

AI that actually understands your organization — generating scenarios tailored to your infrastructure and providing insight-driven debrief feedback.

AI scenario generation

Describe your organization structure once. The AI generates scenarios tailored to your specific technology stack, roles, and dependencies — not generic templates.

AI Mode (free-form actions)

Instead of picking from predefined options, participants describe what they want to do in their own words. AI generates realistic consequences based on their actual actions.

Dynamic scenario adaptation

In AI Mode, the scenario evolves based on team decisions. The AI maintains context: elapsed time, stakeholder sentiment, active constraints — for a realistic simulation.

AI debrief feedback

After the exercise, AI analyses your decision path and generates specific, actionable feedback. Not generic — it knows which decisions you made and why they mattered.

AI executive summary (TL;DR)

One-click AI-generated TL;DR for leadership. Captures what happened, what decisions were made, and what gaps were identified — ready to paste into a report.

🗺️

Organisation Profiling

Map your real infrastructure before you run a scenario. Understand your dependencies, identify single points of failure, and generate tailored scenarios.

Systems mapping

Catalogue your digital systems, physical infrastructure, human elements, and security tools. Assign criticality ratings: Critical, High, Medium, Low.

Dependency relationships

Define how systems depend on each other. Mark upstream and downstream dependencies. Understand cascading failures before they happen.

Blast Radius Explorer

Select any system, simulate its failure, and see exactly which downstream systems are impacted. Discover the blast radius of any outage without downtime.

Role and org structure

Define your teams, roles, and reporting hierarchy. Visualised as an org pyramid. Scenarios and suggested actions reference your actual roles.

Setyl integration

Already using Setyl for IT asset management? Connect your account and import your real asset inventory, apps, departments, and locations automatically.

Scenario Fidelity score

The platform scores your organisation profile completeness. Higher fidelity → more realistic, targeted scenarios. The score is a useful nudge to keep your profile current.

📊

Debrief & Analytics

Turn exercises into evidence. Multi-dimensional scoring, gap analysis, and exportable reports that stand up to compliance and board scrutiny.

Multi-dimensional performance scoring

Scoring across five dimensions: Decision Quality (consequence-based), Response Speed (time analysis), Confidence Level, Action Management (completion rate), and Thoroughness.

Decision path visualisation

See exactly which branches you took through the scenario. Understand the path not taken — what would have happened if you'd decided differently.

Consequence summary

At-a-glance breakdown of optimal, suboptimal, poor, and catastrophic decisions made during the exercise. Spot patterns across exercises over time.

Gap capture framework

Structured reflection in four categories: People, Process, Technology, and Vendors. The same four pillars used in post-incident reviews — practice using them.

Exercise history & statistics

Full searchable history of all past exercises — scenario, difficulty, participants, date, score, duration. Track your team's readiness over time.

Export: Markdown, JSON, PDF

Export full debrief data as Markdown for documentation, JSON for integration with your SIEM/ticketing system, or a professional PDF for leadership reports.

🔒

Auth, Security & Storage

Enterprise-grade security and flexibility. Bring your own identity provider, bring your own storage. We don't need your data.

SAML SSO

Authenticate with any SAML 2.0 identity provider. Okta, Azure AD, Google Workspace, PingFederate — if it speaks SAML 2.0, it works. Setup takes minutes via the built-in wizard.

Auth-optional mode

No auth? No problem. The platform works fully without authentication for individual users or teams managing their own access. Enable auth when you need it.

Per-user credential encryption

Credentials are encrypted using keys derived per-user: HKDF-SHA256(master key, userId) → AES-256-GCM encryption. Even with database access, credentials are opaque.

Pluggable storage backends

Browser (IndexedDB, works offline), SQLite (self-hosted), AWS DynamoDB, Azure Cosmos DB, Google Firestore. Connect your own storage — your data stays in your infrastructure.

Secure session cookies

JWT session tokens via httpOnly cookies with 8-hour expiry. Tokens are never accessible to JavaScript — no XSS risk for session theft.

Local-first / offline capable

Browser storage mode requires no server. Run exercises with zero network connectivity. Ideal for air-gapped environments or offline-first security.

See it in action

The best way to understand Incident Tabletop is to run a drill. The free tier gives you full access to solo exercises — no account required.