Practice the breach before it happens

Interactive tabletop exercises your team can run on demand. Scored, benchmarked, and audit-ready.

No signup required. Try a demo scenario in 5 minutes.

Phase 1 of 3: Initial Detection

Your phone woke you 6 minutes ago. You're now staring at Splunk from your laptop at the kitchen table. Three radiology file servers are under active encryption. Every minute you wait, it finds more targets.

Evidence Board (2 previous, 1 new)

Voicemail (urgent), T+2
Sarah Chen, CISO, MedSupply Corp (0:42)
Transcript:
"I need the IR team on a bridge call now. We've got active encryption on radiology file servers and it's spreading. Do NOT reboot anything — we need to preserve forensic evidence. I'm invoking our cyber insurance policy."
SIEM Alert (critical, new), T+0

CRITICAL: Mass File Encryption Detected — Radiology

Encryption Rate: ~200 files/min (accelerating)
Process Chain: medsupply_connect.exe → cmd.exe → powershell.exe → cipher_svc.exe
C2 Beacon: 185.220.101.34:443 (TOR exit node)
Affected Hosts: RAD-FS-01, RAD-FS-02, IMG-PROC-01
Perimeter Firewall, T+1

02:14:31 WARN  Outbound 185.220.101.34:443 — TLS to known TOR exit — RAD-FS-01
02:14:33 ERROR DNS exfil pattern detected: 847 queries to c2.darkleaks.onion in 60s
02:14:35 ERROR IDS signature match: LockBit 3.0 beacon handshake — RAD-FS-02
02:14:38 INFO  Auto-block rule applied: 185.220.101.34 added to deny list
02:14:41 ERROR New C2 channel: encrypted HTTPS to 91.132.45.67 — IMG-PROC-01
02:14:44 WARN  SMB lateral spread: \\RAD-FS-01\\PACS-SRV-03 port 445
02:14:47 ERROR Volume shadow copy deletion on RAD-FS-02 — ransomware indicator

Key Questions

Discuss with your team:

1. What is the blast radius if you wait 15 more minutes to gather data?
2. Could isolating systems disrupt any active patient care at 3 AM?
3. Is the vendor portal compromise confirmed enough to justify the disruption?
Decision

How should the team respond to this active encryption event?

A. Isolate affected systems immediately

Trigger CrowdStrike network containment on all three affected servers and the vendor portal host.

B. Gather more data before acting

Give the team 15 minutes to map the full scope before pulling the trigger on containment.

C. Monitor and wait for the day shift

Document everything and prepare a handoff for the 7 AM team. Night shift lacks CISO approval.

Your Decision: A, Isolate affected systems immediately (Optimal)
Immediate Consequence

Priya triggers CrowdStrike network containment at 02:54 AM. The encryption stops within 90 seconds. Final count: 18,247 encrypted files — all backed up within the last 4 hours.

Breach Cost: $10.22M average cost per U.S. breach
IR Testing Saves: $1.49M saved with IR plan testing
Detection Time: 241 days to detect & contain

Sources: IBM Cost of a Data Breach 2025, Ponemon Institute

Built for SOC teams, IR leads, and CISOs

Scenarios mapped to MITRE ATT&CK®: a real threat intelligence framework
Built by IR professionals: from the incident response trenches
Audit-ready exports: one-click PDF documentation
Frameworks covered: SOC 2, HIPAA, PCI DSS, CMMC, ISO 27001

PCI DSS 4.0, SOC 2, and ISO 27001 require annual IR testing. Breachdeck makes it count.

HOW IT WORKS

1. GATHER

Your team joins a call or room. Share your screen with the command center.

2. BRIEF

The scenario unfolds. Evidence accumulates. Alerts fire. Emails arrive.

3. DECIDE

Discuss as a team. Debate the options. Make the call.

4. DEBRIEF

See your score and competency breakdown. Compare your performance to peer teams. Identify training gaps for your next session.

SEE IT IN ACTION

THE SCENARIO UNFOLDS

Every scenario is grounded in real-world threat intelligence. The tactics, techniques, and procedures mirror what adversaries actually use—so your team trains against the threats they'll face.

PHASE 1: INITIAL DETECTION

09:47 AM

Your Monday morning coffee is interrupted by a cascade of alerts. The security operations center has flagged unusual outbound traffic from a workstation in the finance department. At the same time, an employee has forwarded a suspicious email to the security team.

The clock is ticking. Every minute counts.

EVIDENCE ARRIVES

Realistic alerts from your SIEM. Phishing emails in your inbox. Slack messages from concerned employees. Evidence arrives through the same channels you use every day.

ALERT: Unusual outbound traffic detected

Source: WORKSTATION-0147
Destination: 185.220.101.42
Protocol: HTTPS (443)
Data volume: 2.3 GB over 4 hours
Rule: Exfiltration - Large Upload
Severity: Critical

EMAIL: Weird email from "IT"

YOUR TEAM DEBATES

This is where tabletop exercises shine. Guided prompts help your team discuss how to leverage your incident response plan, which workflows to trigger, and who needs to be in the room.

Discussion Points

Consider these questions with your team:

1. What does our IR plan say about suspected data exfiltration?
2. At what point do we trigger the legal/privacy escalation workflow?
3. Who from leadership needs to be in the room for containment decisions?

MAKE THE CALL

In a real incident, every decision has consequences. Here, your choices drive the scenario forward—isolate too late and the attacker pivots. Escalate too early and you've disrupted the business.

Decision

How should we respond to the suspected data exfiltration?

A. Isolate the workstation immediately

Cut network access to prevent further exfiltration, accepting some forensic data loss.

B. Investigate further before acting

Gather more evidence to understand the full scope before taking disruptive action.

C. Alert management and legal

Escalate to leadership and begin breach notification assessment.

D. Contact the employee directly

Reach out to the user to understand what they were doing.

SEE THE CONSEQUENCES

Every decision has tradeoffs. See the immediate consequences of your choice and understand how it affects the rest of the exercise.

Your team chose: A, Isolate the workstation immediately (Optimal Decision)

+ Attacker connection severed
+ Lateral movement prevented
~ Some forensic data may be lost

KNOW WHERE YOU STAND

Track your team's performance over time. See how you stack up against peers in your industry. Know exactly where to focus your next training investment.

Competency Assessment

Containment: 82
Business Impact: 64
Communication: 94
Compliance: 52

You scored better than 72% of teams.

PRACTICE REAL THREATS. NOT POWERPOINT.

A growing library of hyper-realistic scenarios mapped to MITRE ATT&CK® techniques. New scenarios added monthly.

FREE DEMO | RANSOMWARE

OPERATION MIDNIGHT CIPHER

A ransomware attack strikes a healthcare provider at 2:47 AM. You're the incident commander.

Try the Demo
ADVANCED | APT / ESPIONAGE

SILENT EXTRACTION

APT41 has exfiltrated six months of clinical trial data from a pharma company. Discovered when a competitor publishes eerily similar results.

ADVANCED | ZERO-DAY / APT

OPERATION CHARTPHANTOM

A compromised open-source charting library has turned 340 financial institutions into beachheads. Notify the industry during a $6.8B merger — or stay silent?

ADVANCED | SUPPLY CHAIN / OT

GRID SHADOW

Compromised firmware on smart grid relays deployed during a record heat wave. Roll back and risk grid safety, or keep running compromised systems?

INTERMEDIATE | DATA BREACH

CLONED PORTAL

A cloned government citizen services portal is harvesting SSNs. Discovered by a journalist, not your SOC. Disclose and risk trust — or stay quiet?

INTERMEDIATE | INSIDER THREAT

DEAD MAN'S SWITCH

A departing admin planted time-delayed destructive scripts. 48 hours until they fire — two days before finals for 30,000 students.

WHY BREACHDECK

TRADITIONAL APPROACH

$25K+ consultant engagement
Once a year (if you're lucky)
No measurement or scoring
PowerPoint scenarios
Facilitator required

BREACHDECK

Starting at $4K/year
As often as you want
Scored + benchmarked
Evidence that feels real
Run it yourselves

Better exercises. A fraction of the cost. On your schedule.

A traditional tabletop exercise: $25,000+

Or train your team all year:

STARTER

$4,000 per year

One scenario per year with unlimited runs — ideal for annual compliance exercises

  • 1 scenario per year, unlimited runs
  • Choose from 5 core scenarios
  • SSO authentication
  • Full debrief & scoring
  • PDF report export
  • Email support

ENTERPRISE

Let's talk

Tailored to your environment and threat landscape

  • Everything in Team
  • SCIM provisioning
  • Custom-built scenarios
  • Dedicated account manager
  • SLA & uptime guarantee

FREQUENTLY ASKED QUESTIONS

PRODUCT

How long does an exercise take?

Most exercises run 30–60 minutes depending on scenario complexity and team discussion depth. Beginner scenarios start at 30 minutes; advanced scenarios with multiple decision branches take closer to 60.

How many people can participate?

Exercises work best with 4–12 participants. One person shares their screen with the command center while the full team discusses and debates decisions together.

Do I need a facilitator?

No. Breachdeck guides the exercise automatically—presenting evidence, prompting decisions, and managing the scenario timeline. Your team focuses on response, not logistics.

What do I get at the end of an exercise?

A scored debrief with competency breakdowns across containment, communication, compliance, and business impact. You also get a one-click PDF export for audit documentation and team review.

COMPLIANCE & AUDIT

Which frameworks require tabletop exercises?

PCI DSS 4.0 (Req 12.10.2), SOC 2 (CC7.1/CC7.2), ISO 27001 (A.16.1.5), and GDPR (Article 32) all require periodic testing of incident response plans. HIPAA and CMMC have similar requirements.

What documentation does Breachdeck produce?

Each exercise generates a timestamped PDF report with scenario details, team decisions, outcome analysis, and competency scores. Reports are designed to satisfy auditor expectations for IR plan testing evidence.

Can I use exercise reports for SOC 2 / HIPAA / PCI DSS audits?

Yes. Reports include the exercise date, participants, scenario scope, decisions made, and scored outcomes—the key evidence auditors look for when reviewing IR testing controls.

SCENARIOS & REALISM

How realistic are the scenarios?

Every scenario is mapped to the MITRE ATT&CK framework and modeled on real-world attack patterns. Evidence artifacts include SIEM alerts, email threads, system logs, and executive communications.

Are scenarios based on real incidents?

Scenarios are inspired by real-world attack patterns and publicly documented incidents, adapted into interactive exercises with branching decision trees and multiple outcome paths.

How often are new scenarios added?

New scenarios are added monthly to cover emerging threats and evolving attack techniques. The scenario library spans ransomware, data breaches, insider threats, supply chain attacks, BEC, and more.

Can I request custom scenarios?

Enterprise plans include custom scenario development tailored to your industry, threat landscape, and compliance requirements. Contact us to discuss your needs.