Your data stays where you put it
Incident Tabletop is designed for security teams who expect security tooling to be held to the same standard. No shared cloud database, no hidden telemetry, no black-box infrastructure.
Privacy by default
Your exercise data stays on your device by default. The browser storage mode uses your browser's own IndexedDB — no data leaves your machine unless you explicitly connect a cloud backend. You choose your data residency.
Bring your own infrastructure
We do not operate shared cloud storage for exercise data. When you need persistence beyond your browser, you connect your own: SQLite (self-hosted), AWS DynamoDB, Azure Cosmos DB, or Google Firestore. Your keys, your data, your control.
Enterprise identity — your rules
SAML 2.0 SSO means authentication happens through your own identity provider. We never see your passwords. Session tokens are short-lived (8-hour JWT), stored in httpOnly cookies, and inaccessible to JavaScript.
Encrypted credentials
Any credentials you store (API keys, storage credentials) are encrypted with AES-256-GCM under a per-user key derived with HKDF-SHA256 from a server-side master key. Without the master key, stored credential values are opaque — even with database access.
Where does your data go?
Browser mode (default)
Exercise data is written to your browser's IndexedDB. It is never transmitted over the network and works fully offline.
No server needed
Self-hosted (SQLite)
Data stored in a SQLite database on a server you control. You own the file, the backups, and the access.
Your infrastructure
Cloud backends
AWS DynamoDB, Azure Cosmos DB, or Google Firestore — using credentials you provide. Data lives in your cloud account.
Your cloud account
Technical security details
For security engineers and auditors who want specifics.
Session Security
- JWT session tokens via JOSE library
- Stored in httpOnly, Secure, SameSite=Lax cookies
- Not accessible to JavaScript — mitigates XSS session theft
- 8-hour session expiry with no silent renewal
- SAML Service Provider certificates auto-generated (RSA 2048, self-signed)
Credential Encryption
- Per-user key derivation: HKDF-SHA256(master_key, userId, info)
- Encryption: AES-256-GCM with random IV per value
- Keys never stored — derived at runtime from master key + user ID
- Master key stored in server environment variables, never in the database
Storage Security
- Browser mode: IndexedDB — browser sandbox, no network transmission
- SQLite: file system access — you manage permissions
- Cloud storage: uses your own cloud account credentials
- No shared Incident Tabletop cloud database for exercise data
- Storage backend is independently configurable from authentication
Network & Transport
- WebSocket connections for multiplayer — authenticated via session cookie on upgrade
- All HTTP traffic should be served over TLS; the application expects TLS termination at your reverse proxy / CloudFront, and the Secure cookie flag is only honoured over HTTPS
- No third-party analytics by default — analytics are opt-in via environment variable
- No tracking pixels, no ad networks, no data sharing
Authentication
- SAML 2.0 SP implementation via samlify
- Works with any SAML 2.0-compliant IdP: Okta, Azure AD, Google Workspace, PingFederate, etc.
- Auth-optional mode: platform runs without any authentication if not needed
- Middleware validates session on every request — no stale token bypass
- User ID injected as a request header by middleware after session validation; a client-supplied header of the same name is never trusted
Open Source & Auditability
- Source code is available for review — no security through obscurity
- Dependencies auditable via package-lock.json
- No compiled or obfuscated server-side code
- Self-hostable — your security team can review the entire codebase before deployment
Found a security issue?
We take security reports seriously. If you believe you've found a vulnerability, please contact us privately before public disclosure. We aim to acknowledge reports within 48 hours and resolve critical issues within 14 days.
Please encrypt sensitive reports with our PGP key. [PGP key — placeholder, add before launch]
See also: Privacy Policy and Terms of Service. Questions? Email us.