TTXLab gives security, resilience, and governance teams structured simulations with adaptive facilitation and audit-ready reports — no live facilitator required.
No demo call required. See a real exercise report in seconds.
IR Exercise — Ransomware Scenario
Acme Corp · Started 2:47 PM
How It Works
Sign in, name your workspace, and invite your team. You are ready to run exercises in minutes.
Choose an exercise type, set your scenario parameters, and align participant roles before launch.
Run a guided AI-facilitated session with adaptive injects, role-aware prompts, and transcript capture.
Export structured findings, scores, and remediation direction your leadership and audit teams can review.
Audit-Ready Reports
Every completed run ends in one structured artifact instead of scattered notes, screenshots, and ad hoc follow-up.
Communication
85%
Decision Making
72%
Escalation
68%
Procedures
88%
Legal was notified 12 minutes after containment. Target notification within 5 minutes of confirmed data exposure.
Communications team did not have pre-approved templates available. Pre-draft statements for top 3 scenario types.
No explicit evidence preservation step was triggered. Add forensic hold checklist to incident playbook.
Timestamped record of facilitator prompts, participant responses, and decision points from the full run.
Track all five scoring dimensions — communication, decision quality, role adherence, escalation, and procedural compliance — in one summary view.
Each recommendation is tied to recognized frameworks instead of unsourced generic AI guidance.
Export a structured artifact that leadership, compliance, and audit stakeholders can review quickly.
Exercise Library
Cover incident response, resilience, and communications drills with structure that lets teams compare runs over time instead of improvising a different process for each exercise.
Coordinate detection, containment, eradication, and recovery actions.
Default Roles
What Gets Tested
Example Scenario
A SOC analyst flags anomalous outbound traffic from a payment processing server at 2 AM. The team must coordinate containment while preserving forensic evidence.
Maintain critical business operations through disruptive events.
Default Roles
What Gets Tested
Example Scenario
A regional data center loses power during peak hours. Teams must activate continuity plans and reroute critical services within the defined RTO.
Restore IT systems, applications, and data after outages.
Default Roles
What Gets Tested
Example Scenario
A corrupted storage array takes the primary database offline. The team must restore from backups and verify data integrity before resuming operations.
Align internal and external communications during incidents.
Default Roles
What Gets Tested
Example Scenario
News outlets begin reporting on a suspected data breach before the company has confirmed details. The comms team must align internal and external statements under time pressure.
Drive executive and technical response to ransomware events.
Default Roles
What Gets Tested
Example Scenario
Encrypted file extensions appear across shared drives and a ransom note demands payment in 48 hours. Leadership must decide on negotiation posture while technical teams isolate affected systems.
Respond to disruptive events originating from critical vendors.
Default Roles
What Gets Tested
Example Scenario
A critical SaaS provider notifies your team of a breach affecting shared credentials. The team must assess downstream exposure and activate contingency agreements.
Handle confirmed exposure of sensitive customer and employee data.
Default Roles
What Gets Tested
Example Scenario
An engineer discovers a misconfigured S3 bucket has been publicly accessible for 72 hours containing employee PII. The team must scope the exposure and initiate breach notification procedures.
Coordinate cross-functional response to malicious or negligent insiders.
Default Roles
What Gets Tested
Example Scenario
A departing employee's badge access logs show after-hours entry to a restricted area. IT flags large file transfers to personal cloud storage over the past week.
Explore by exercise type
How the AI Works
A fast facilitator keeps the exercise moving. A deliberate adjudicator keeps the final report defensible. Two specialized models working together so your team gets practice that feels real and documentation that holds up.
Drives the live run by introducing injects, adapting scenario progression, and prompting the right role.
Scores responses, applies guardrails, and generates reporting your governance stakeholders can rely on.
CISA Template Library
Pricing
Start with a single exercise or lock in a recurring plan. Every tier includes full reporting and the complete exercise library.
Pay Per Exercise
$299
one-time purchase
$299/exercise
Best for one-off validation drills and first-time pilots.
Starter Annual
$999
per year · 4 exercises/year
$250/exercise — save $49 each
For smaller teams building baseline readiness without monthly overhead.
Professional
$199
per month · 12 exercises/year
~$199/exercise — save $100 each
For teams building recurring muscle memory through monthly exercises.
Enterprise
Custom
contract pricing
For multi-team organizations with centralized readiness governance.
Typically responds within 1 business day
FAQ
One exercise credit lets you run a single tabletop exercise session from start to finish, including AI facilitation, live injects, and a full post-exercise report. Credits do not expire within your billing period.
Yes. You can upgrade from Pay Per Exercise to Starter or Professional at any time. Your remaining credits carry forward, and the price difference is prorated.
All plans support up to 15 concurrent participants per exercise. Enterprise plans can accommodate larger groups and custom role configurations.
After an exercise completes, the report, transcript, and scoring artifacts remain accessible in your workspace for at least 90 days. Starter and Professional plans extend access for the duration of your subscription.
TTXLab uses a dual-AI architecture: a low-latency model drives the live facilitation, and a high-accuracy model handles scoring, gap analysis, and report generation. Both are hosted in SOC 2-aligned infrastructure.
Every exercise builds evidence your auditors, board, and regulators can review. Set up your workspace in minutes and run your first exercise today. Or browse the starter kit, review the Trust Center, or check recent changes in the changelog.
