Built for serious incident response training
Every feature exists because a real incident response team needed it. No padding, no feature-for-feature's-sake — just a complete training platform that mirrors how real incidents actually work.
Scenario Execution
Every scenario plays out differently based on your decisions. No timelines, no passive slides — just injects, choices, and consequences.
Branching injects
Scenarios branch based on the decisions your team makes. Choose the wrong action and the situation escalates; choose well and you contain it faster. No two exercises play the same.
Four consequence levels
Every decision option is labelled: Optimal, Suboptimal, Poor, or Catastrophic. Participants see the consequences unfold, not just told they were wrong.
Inject types
Structured inject types give context at a glance: 🚨 Alert, ⚡ Escalation, 📋 Consequence, ✅ Resolution. Suggested actions include priority level and suggested assignee role.
Mandatory decision gates
The scenario pauses until the Incident Commander commits to a decision. No skipping, no hand-waving — the exercise only progresses when the team decides.
Exercise pause/resume
Facilitators can pause the exercise at any time for discussion, Q&A, or a teaching moment — then resume exactly where you left off.
Decision time tracking
How long did it take to decide? Every decision records the time taken. Slow decisions under pressure are a signal. Your debrief will surface it.
Real-Time Multiplayer
Host live exercises for your whole team in seconds. No installs, no accounts required for participants — just share a 6-character code.
6-character session codes
Host a session and share a code like XK9P2R. Anyone with the code joins instantly — no invite links, no email sign-up, no friction.
Incident Commander and Viewer roles
The Incident Commander makes binding decisions. Viewers observe and can suggest actions in real time. Mirrors the dynamics of a real response — one decision-maker, team input.
WebSocket real-time sync
All exercise state — injects, decisions, actions, participant list — syncs instantly across every connected participant via WebSocket. No polling, no refresh.
Action suggestions from viewers
Viewers aren't just watching. They can suggest actions that the IC can accept, delegate, or dismiss. Captures the chaos of a real incident response call.
Shared action tracker
Track actions with priority, owner, due date, and status (Open / In Progress / Done). The whole team sees the same board in real time.
AI-Powered Features
AI that actually understands your organization — generating scenarios tailored to your infrastructure and providing insight-driven debrief feedback.
AI scenario generation
Describe your organization structure once. The AI generates scenarios tailored to your specific technology stack, roles, and dependencies — not generic templates.
AI Mode (free-form actions)
Instead of picking from predefined options, participants describe what they want to do in their own words. AI generates realistic consequences based on their actual actions.
Dynamic scenario adaptation
In AI Mode, the scenario evolves based on team decisions. The AI maintains context: elapsed time, stakeholder sentiment, active constraints — for a realistic simulation.
AI debrief feedback
After the exercise, AI analyses your decision path and generates specific, actionable feedback. Not generic — it knows which decisions you made and why they mattered.
AI executive summary (TL;DR)
One-click AI-generated TL;DR for leadership. Captures what happened, what decisions were made, and what gaps were identified — ready to paste into a report.
Organisation Profiling
Map your real infrastructure before you run a scenario. Understand your dependencies, identify single points of failure, and generate tailored scenarios.
Systems mapping
Catalogue your digital systems, physical infrastructure, human elements, and security tools. Assign criticality ratings: Critical, High, Medium, Low.
Dependency relationships
Define how systems depend on each other. Mark upstream and downstream dependencies. Understand cascading failures before they happen.
Blast Radius Explorer
Select any system, simulate its failure, and see exactly which downstream systems are impacted. Discover the blast radius of any outage without downtime.
Role and org structure
Define your teams, roles, and reporting hierarchy. Visualised as an org pyramid. Scenarios and suggested actions reference your actual roles.
Setyl integration
Already using Setyl for IT asset management? Connect your account and import your real asset inventory, apps, departments, and locations automatically.
Scenario Fidelity score
The platform scores your organisation profile completeness. Higher fidelity → more realistic, targeted scenarios. The score is a useful nudge to keep your profile current.
Debrief & Analytics
Turn exercises into evidence. Multi-dimensional scoring, gap analysis, and exportable reports that stand up to compliance and board scrutiny.
Multi-dimensional performance scoring
Scoring across five dimensions: Decision Quality (consequence-based), Response Speed (time analysis), Confidence Level, Action Management (completion rate), and Thoroughness.
Decision path visualisation
See exactly which branches you took through the scenario. Understand the path not taken — what would have happened if you'd decided differently.
Consequence summary
At-a-glance breakdown of optimal, suboptimal, poor, and catastrophic decisions made during the exercise. Spot patterns across exercises over time.
Gap capture framework
Structured reflection in four categories: People, Process, Technology, and Vendors. The same four pillars used in post-incident reviews — practice using them.
Exercise history & statistics
Full searchable history of all past exercises — scenario, difficulty, participants, date, score, duration. Track your team's readiness over time.
Export: Markdown, JSON, PDF
Export full debrief data as Markdown for documentation, JSON for integration with your SIEM/ticketing system, or a professional PDF for leadership reports.
Auth, Security & Storage
Enterprise-grade security and flexibility. Bring your own identity provider, bring your own storage. We don't need your data.
SAML SSO
Authenticate with any SAML 2.0 identity provider. Okta, Azure AD, Google Workspace, PingFederate — if it speaks SAML 2.0, it works. Setup takes minutes via the built-in wizard.
Auth-optional mode
No auth? No problem. The platform works fully without authentication for individual users or teams managing their own access. Enable auth when you need it.
Per-user credential encryption
Credentials are encrypted using keys derived per-user: HKDF-SHA256(master key, userId) → AES-256-GCM encryption. Even with database access, credentials are opaque.
Pluggable storage backends
Browser (IndexedDB, works offline), SQLite (self-hosted), AWS DynamoDB, Azure Cosmos DB, Google Firestore. Connect your own storage — your data stays in your infrastructure.
Secure session cookies
JWT session tokens via httpOnly cookies with 8-hour expiry. Tokens are never accessible to JavaScript — no XSS risk for session theft.
Local-first / offline capable
Browser storage mode requires no server. Run exercises with zero network connectivity. Ideal for air-gapped environments or offline-first security.
See it in action
The best way to understand Incident Tabletop is to run a drill. The free tier gives you full access to solo exercises — no account required.