Drillber lets security teams plan, execute, and debrief incident response exercises — with MITRE ATT&CK mapping, NIST CSF tracking, and an AI facilitator that keeps the pressure on.
Most teams run their TTX drills in PowerPoint and email. Results live in someone's notebook — if they exist at all.
Scenarios are written in Word, distributed via email, and manually tracked in spreadsheets that are out of date before the exercise even starts.
Without a system, there's no way to compare how fast your team actually responded versus how fast they should have — so gaps stay invisible.
CISOs need to prove coverage to auditors. Without MITRE and NIST mapping built in, you're guessing which TTX scenarios actually hit your gaps.
Participants need accounts, VPN access, or a meeting invite. Real exercises require zero friction so everyone can focus on the scenario.
From scenario design to post-exercise report in a single, purpose-built platform.
Build realistic threat scenarios with actor profiles, event chains, and drag-to-reorder sequencing. Every event maps to the MITRE ATT&CK technique it exercises.
Facilitators drive the exercise from a live dashboard. Inject events on demand or auto-schedule them. Start → Pause → Resume → Complete with a single click.
Participants get a unique link by email — no account, no VPN, no app to install. Works on mobile. Each player sees only their assigned events.
Instant post-exercise reports show SLA compliance per event, NIST CSF coverage breakdown, MITRE technique coverage, and gap analysis — ready for the CISO and auditors.
An AI co-facilitator evaluates participant responses in real time, injects follow-on pressure, and generates a hotwash debrief — so your human facilitator can focus on the room.
Assign accountable owners, contributing responders, and informed stakeholders to every event. Group membership is resolved automatically so no one falls through the cracks.
Register PCs, VMs, servers, cloud services, databases, IoT, SCADA, and vendor systems. Tag business impact and data sensitivity, then link assets directly to scenario events.
Multi-tenant data isolation, AES-256-GCM encryption for PII, bcrypt passwords, JWT auth, and a global rate limiter — security platform secured by design.
Participants receive dramatic mission-briefing emails with their unique exercise link. In dev mode, all comms are written to a local file — no accidental spam.
Create a threat scenario with actor profiles and an event chain. Map each event to MITRE techniques and NIST stages. Assign RACI and link assets.
Select a scenario, name the exercise, and hit Start. The platform emails participants their unique links automatically.
Inject events from the facilitator dashboard — manually or on a timer. Participants respond on their devices in real time. The AI co-facilitator adds pressure and follow-ups.
Mark the exercise complete and generate the post-exercise report. SLA compliance, NIST coverage %, MITRE technique map, and gap analysis — ready to share.
Every scenario event is tagged to industry frameworks automatically — so reporting is never an afterthought.
50+ searchable ATT&CK techniques available for each event. Post-exercise reports show which techniques were exercised and which are still uncovered — giving you a defensible proof of coverage.
Events are tagged to Identify, Protect, Detect, Respond, and Recover. The sidebar shows live coverage % as you build. The report breaks it down for your compliance team.
The AI facilitator evaluates participant responses against your IR playbook — detect, investigate, respond, contain, recover — and scores adherence automatically.
Drillber supports every role in a TTX — from the CISO approving the scenario to the SOC analyst responding to events on their phone.
Roles supported out of the box:
Join the early access program and get a guided onboarding session, your first scenario built with you, and 3 months free.
No credit card. No sales pressure. Reply within 24 hours.