Cyber Tabletop Exercise Platform

Run realistic IR drills your team won't forget

Drillber lets security teams plan, execute, and debrief incident response exercises — with MITRE ATT&CK mapping, NIST 800-61 tracking, and an AI facilitator that keeps the pressure on.

Get Started Free See How It Works
No login required for participants
PII encrypted at rest
AI Facilitator included
MITRE ATT&CK + NIST 800-61
AES-256-GCM Encrypted
Multi-Tenant Isolation
GDPR-Ready
NIST 800-61 r2 Benchmarks
The Problem

Tabletop exercises are broken.
Here's why.

Most teams run their TTX drills in PowerPoint and email. Results live in someone's notebook — if they exist at all.

Spreadsheet chaos

Scenarios are written in Word, distributed via email, and manually tracked in spreadsheets that are out of date before the exercise even starts.

No SLA measurement

Without a system, there's no way to compare how fast your team actually responded versus how fast they should have — so gaps stay invisible.

Framework coverage gaps

CISOs need to prove coverage to auditors. Without MITRE and NIST mapping built in, you're guessing which TTX scenarios actually hit your gaps.

Participation friction

Participants need accounts, VPN access, or a meeting invite. Real exercises require zero friction so everyone can focus on the scenario.

Features

Everything you need to run a professional TTX

From scenario design to post-exercise report in a single, purpose-built platform.

Scenario Builder

Build realistic threat scenarios with actor profiles, event chains, and drag-to-reorder sequencing. Every event maps to the MITRE ATT&CK technique it exercises.

MITRE ATT&CK Event chains Actor profiles

Live Exercise Control

Facilitators drive the exercise from a live dashboard. Inject events on demand or auto-schedule them. Start → Pause → Resume → Complete with a single click.

Real-time 5s refresh Pause tracking

Zero-Friction Participation

Participants get a unique link by email — no account, no VPN, no app to install. Works on mobile. Each player sees only their assigned events.

No login required Mobile-ready Unique tokens

Post-Exercise Reports

Instant post-exercise reports show SLA compliance per event, NIST 800-61 coverage breakdown, MITRE technique coverage, and gap analysis — ready for the CISO and auditors.

SLA compliance Gap analysis NIST 800-61 %

AI Facilitator Agent

An AI co-facilitator evaluates participant responses in real time, injects follow-on pressure, and generates a hotwash debrief — so your human facilitator can focus on the room.

Claude-powered Auto-inject Hotwash debrief

RACI per Event

Assign accountable owners, contributing responders, and informed stakeholders to every event. Group membership is resolved automatically so no one falls through the cracks.

Accountable Responsible Informed

Asset Registry

Register PCs, VMs, servers, cloud services, databases, IoT, SCADA, and vendor systems. Tag business impact and data sensitivity, then link assets directly to scenario events.

SCADA / ICS Cloud Business impact

Enterprise Security Built In

Multi-tenant data isolation, AES-256-GCM encryption for PII, bcrypt passwords, JWT auth, and a global rate limiter — security platform secured by design.

AES-256-GCM Multi-tenant JWT

Mission-Briefing Notifications

Participants receive dramatic mission-briefing emails with their unique exercise link. In dev mode, all comms are written to a local file — no accidental spam.

Email delivery Dev safe mode
How It Works

From scenario to debrief in four steps

1

Build Your Scenario

Create a threat scenario with actor profiles and an event chain. Map each event to MITRE techniques and NIST stages. Assign RACI and link assets.

2

Launch the Exercise

Select a scenario, name the exercise, and hit Start. The platform emails participants their unique links automatically.

3

Inject & Respond

Inject events from the facilitator dashboard — manually or on a timer. Participants respond on their devices in real time. The AI co-facilitator adds pressure and follow-ups.

4

Review the Report

Mark the exercise complete and generate the post-exercise report. SLA compliance, NIST coverage %, MITRE technique map, and gap analysis — ready to share.

Framework Coverage

Built on the standards your auditors expect

Every scenario event is tagged to industry frameworks automatically — so reporting is never an afterthought.

MITRE ATT&CK

Attack Technique Mapping

50+ searchable ATT&CK techniques available for each event. Post-exercise reports show which techniques were exercised and which are still uncovered — giving you a defensible proof of coverage.

NIST 800-61

NIST 800-61 Phase Coverage

Events are tagged to Detect, Contain, Eradicate, Recover, and Post-Incident. The sidebar shows live coverage % as you build. The report breaks it down for your compliance team.

AI Playbook Assessment

IR Playbook Evaluation

The AI facilitator evaluates participant responses against your IR playbook — detect, investigate, respond, contain, recover — and scores adherence automatically.

By the Numbers

Designed for real security teams

50+
MITRE ATT&CK techniques mapped
5
NIST 800-61 phases tracked
7
Role types (CISO → SOC Analyst)
0
Accounts needed to participate
Who It's For

One platform, every stakeholder

Drillber supports every role in a TTX — from the CISO approving the scenario to the SOC analyst responding to events on their phone.

Roles supported out of the box:

CISO
SOC Analyst
IR Lead
CTO / CIO
Legal / Compliance
PR / Communications
Facilitator
Observer
Auditor
Org Admin
+ Custom roles
Ready to Start?

Run your first exercise today

Sign up for free and get instant access. No credit card required. Includes onboarding and a guided walkthrough.

Create Account →

14-day free trial. 30-minute first-time setup. No payment required to get started.