AI IR Tabletops · Enterprise feature

First the scan. Then the IR drill. Composed from your real findings.

Other AI tabletop tools generate generic scenarios. Veri-Tech generates yours — composed from the gaps your most recent Veri-Guard, Veri-Tune, HIPAA, or Veri-Vault scan actually found. Not a template. Not a stock attack chain. Your environment, your gaps, your drill — auditor-grade, generated in about five minutes, with a live multi-attendee runner, AI Coaching, three audience-tailored exports, and an immutable audit chain that ties everything back to that source scan by SHA-256.

Available on Enterprise. Every plan can preview a live, interactive demo per product card below — no commitment, no tokens consumed.

  • ~5 min: Generation time (click → bundle in Vault)
  • 4 / 4: NIST CSF Functions (Protect · Detect · Respond · Recover)
  • 3: Evidence exports (auditor · team · executive)
  • 6 yr: WORM retention (immutable audit chain)

“Scan. Drill. Lock. Repeat.”

Pick your drill

Four products. Four NIST CSF Functions. One coherent IR program.

Each Veri-Tech product feeds a different category of tabletop. Click any card to try the live interactive demo — full runner, AI Coaching, downloadable evidence artifacts, no tokens consumed.

Veri-Guard
NIST CSF · PR.AC · DE.CM
Identity

Identity-attack drills

Conditional Access gaps. MFA bypass paths. Legacy auth. When Veri-Guard flags these, the tabletop walks through what happens when an attacker actually exploits them — detection time, containment quality, eradication completeness.

Sample scenario

“Legacy-auth bypass leads to mass mailbox exfiltration” — the attacker exploits 14 finance accounts your scan flagged as still authenticating via IMAP.

Try the Guard live demo
Veri-Tune
NIST CSF · PR.PT
Device

Device-compromise drills

Personal-device theft. Missing App Protection Policies. Weak compliance posture. Tune surfaces the gaps; the tabletop walks through what happens when one device gets lost or stolen unlocked — session-revoke speed, breach-determination process, user-comms quality.

Sample scenario

“Personal phone with no MAM policy leaks corporate Outlook cache” — an engineer’s stolen phone is unlocked, Outlook is open, refresh tokens valid 90 days.

Try the Tune live demo
HIPAA
NIST CSF · RS.CO · RS.AN
Breach

Breach-notification drills

HIPAA scans surface administrative, physical, and technical safeguard gaps. The tabletop walks the §164.402 4-factor analysis and the §164.404 notification cascade — decision-authority clarity, notification-timeline knowledge, sanction-policy invocation.

Sample scenario

“Misdirected fax exposes 312 patient records to competitor’s office” — the no-attacker, internal-process-failure shape that drives most real HIPAA breaches.

Try the HIPAA live demo
Veri-Vault
NIST CSF · RC.RP · RC.IM
DR

DR / restore-drill scenarios

Vault posture — backup count, age, immutability window, restore-test recency — feeds a tabletop that exercises your pay-vs-restore decision tree under time pressure. Tests restore-time reality, Vault delete-attack survivability, comms-cascade discipline.

Sample scenario

“Ransomware encrypts production AND attempts to encrypt backup vault” — your WORM window holds, but you’ve never validated restore time and the SLA clock is running.

Try the Vault live demo

Compliance as code. Audits as outputs. Run all four over a year and you’ve documented a tested IR program across Protect, Detect, Respond, and Recover — without four different vendors, four different consultants, or four different write-from-scratch projects.

The frame

You don’t need another tabletop PDF. You need to prove your IR plan works.

Generic tabletops test your IR plan’s structure. They read correctly out loud and tell you nothing about whether your real environment would have stopped the attacker. We do the opposite. The drill is a pentest for your IR plan, generated from the gaps your most recent scan actually found.

Pentest gap

Tests structure, not posture

“Ransomware hits the file server” exercises your IR plan’s words. It does not exercise the 14 finance accounts your scan flagged as still using IMAP. A pentest tests posture; we generate from posture.

Cost gap

Engineers shouldn’t be the audit team

Composing a realistic tabletop from scratch — credible attack chain, timed injects, scoring rubric, and the documentation an auditor will accept — is a multi-day exercise for someone who already has a day job. So most teams skip it.

Audit gap

“We ran a generic tabletop” doesn’t pass anymore

HIPAA §164.308(a)(8) wants periodic evaluation. SOC 2 CC7.4 wants response based on evaluation. ISO 27001 A.5.24 wants planning that reflects your threat environment. The auditor walk-through wants a drill that exercised your real gaps.

The full drill

Configure once. Generate per drill. Run live. Lock & ship the evidence.

This is the part that’s changed since most people last looked at “AI tabletop” tooling. We don’t generate a PDF and call it done. We generate an entire drill workflow — pre-freeze edits, live multi-attendee execution, AI Coaching post-lock, three audience-tailored exports, an immutable audit chain.

  1. Set org shape

    Type your real role labels — "M365 Admin", "VP IT", "External IR Retainer". Used in scenario participants + IR-plan owners + AI Coaching attribution.

  2. Generate

    One click on any scan results page. ~3–5 min later the drill bundle lands in Vault — scenario, facilitator guide, injects, rubric, IR plan with RTO/RPO.

  3. Edit pre-freeze

    Tighten scenario, sharpen injects, adjust rubric. Each save appends a versioned blob with its own SHA-256 — auditors see the full edit chain.

  4. Run live

    Spectator URL for observers + Participant URL for attendees (role-tagged input per inject). Click Drop on each inject — pacing audit recorded.

  5. Lock & ship

    Session locks WORM. Claude writes AI Coaching, exec brief, team debrief in ~30–60s. Three exports + audit chain ready to send to auditor / board / team.

AI Coaching · post-lock

Claude reviews your drill the way a senior IR consultant would.

The second you click Lock, Claude reviews every team response, every score, every inject-timing drift, and the org-shape roster you ran against. ~30–60 seconds later you have a structured coaching artifact that names what went well, what fell short, and the three IR-plan changes that would have moved the needle.

  • Performance tier. Exemplary / Strong / Adequate / Needs work / Poor — with a rationale you can read out loud at the debrief.
  • Per-inject feedback. For each inject: what the team did well, what fell short, and a specific coaching note.
  • Per-criterion calibration. Each rubric score gets a calibration note — "your 3 is generous, threshold for 3 is X". Auditor-grade scoring rigor.
  • Top-3 IR plan recommendations. Concrete recommendations with owner role, effort size (S/M/L), and linked framework citations.
  • Pacing observation. Drill duration vs scheduled, average inject drift, whether you ran live or walked through it.

Performance tier: Strong

Sample narrative

“The team executed competent containment-first response under pressure, recognizing the legacy-auth gap as root cause in the first 10 minutes and pushing a Conditional Access block before the attacker could pivot beyond the initial five mailboxes. Detection time was strong; the §164.402 4-factor analysis was invoked deliberately when Legal joined. Where points were lost: eradication completeness (inbox-rule sweep was scoped to known-affected mailboxes only) and AP queue audit discipline (reactive, not systematic).”

Top recommendation

Build pre-baked AP queue audit checklist for incident response. Catches second-wire attempts that follow the same modified-banking-instructions pattern. Owner: Finance + IR retainer. Effort: S. Linked: NIST CSF RS.AN-3, SOC 2 CC7.4.

Same data drives the Team Debrief PDF and Executive Brief PDF (see next section).

Three exports

One drill. Three audiences. Three artifacts.

Auditors want raw evidence with checksums. Your team wants a polished training tool with the coaching narrative. The board wants a one-pager with risk and cost. The same drill produces all three, automatically.

For HIPAA / SOC 2 / ISO auditors

Auditor package (.zip)

Raw structured evidence with per-file SHA-256 cross-references back to the source scan job. Session.json + feedback.json + exec-brief.json + drill bundle (v0 AI baseline plus every facilitator edit) + manifest with the full audit chain.

  • Source-scan SHA-256 → drill-bundle SHA-256
  • Versioned-bundle chain (v0 → v1 → vN)
  • Frozen-at-session-create event
  • Locked-session checksum
  • AI-provenance footer (model ID + template version)

For your IR team

Team Debrief (.pdf)

Multi-page polished training tool. Per-inject AI coaching with what-went-well + what-fell-short callouts, per-criterion calibration tables, top-3 IR plan recommendations, pacing audit, glossary. Use it for the next new hire’s IR onboarding.

  • Cover with final score + performance tier
  • Scenario summary + threat actor + attack chain
  • Per-inject feedback (delivered + drift + coaching)
  • Per-criterion calibration table
  • Glossary for new team members

For the board / leadership

Executive Brief (.pdf)

One page. Board-memo voice. Performance assessment in business-impact framing, top gaps with risk + cost numbers, top recommendations with resource asks and estimated ROI, readiness summary suitable for the cover line of a board memo.

  • Performance assessment (business-impact voice)
  • Top gaps with risk statement + cost framing
  • Top recommendations with resource ask + ROI
  • Readiness summary (1–2 sentences)
  • Same SHA-256 chain as the auditor ZIP

Spectator URL

Read-only timer + current inject + delivery progress. Refreshes every 3 seconds. Hand to security leadership, observers, anyone watching but not participating. Works on a conference-room TV.

Participant URL

Each attendee picks their role from your org-shape roster (M365 Admin, VP IT, External IR Retainer, etc.), then submits a written answer per inject. Submissions stream to the facilitator screen in real time, role-tagged. On Drop they’re locked into the evidence record with full attribution — which role said what at which T+N drill-clock minute.

Live multi-attendee

No screen-sharing. Every attendee participates from their own device.

At drill kickoff the facilitator hands out two URLs. Spectator for observers, Participant for the IR team. Per-role written submissions stream onto the facilitator’s screen in real time and get locked into the evidence record on Drop — with attribution. The auditor can see which role said what at which T+N minute, six years from now.

Hold the drill in-person, fully remote, or split. The pacing audit and per-role attribution don’t change.

Org-shape personalization

Your role labels — not ours.

Set your team’s actual role labels once in Settings — M365 Admin, Service Manager, External IR Retainer, whatever your lexicon is. The AI uses those exact labels in scenario participants, IR plan owners, AI Coaching recommendations, the auditor manifest’s orgShape field, and the participant role-picker.

Drills generated for your tenant read like they were written by someone who works there. Auditors notice; participants engage.

Need a one-drill exception — mock training, MSP-managed client, third-party audit dress-rehearsal? Override the size bucket per drill without touching tenant-wide settings.

Sample org-shape roster (yours)

CISO · IT Director · M365 Admin · Security Operations Lead · Compliance Officer · Finance Controller · External IR Retainer

Result in the scenario: “The IT Director pages the M365 Admin at 06:52 UTC. Compliance Officer joins by T+25. External IR Retainer is added on Bridge B at T+40.” Not “CISO does X” in an org without a CISO.

The audit chain

SHA-256 from your scan to the locked record. Auditors can verify byte-by-byte.

Every artifact carries the checksum of its source. An auditor walking the chain can prove the drill was generated from a scan you actually ran, that the version the team ran was the version that got locked, that the coaching feedback came from the locked session — without trusting Veri-Tech’s word for any of it.

  • Source scan: gap-report.json
  • Drill manifest: _manifest.json
  • Bundle versions: v0 → v1 → vN
  • Freeze event: frozenAt + byUpn
  • Locked session: session.json
  • AI Coaching: feedback.json
  • Exec brief: exec-brief.json

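The chain walk an auditor would perform, as an added example that is not Veri-Tech's code. The manifest field names (`sourceScan`, `bundleVersions`, `prevSha256`, `bundleSha256`, `sessionSha256`) and the `bundle-vN.json` file names are assumptions, since the page names only the artifacts and the `frozenAt` / `byUpn` freeze fields; the sample contents are constructed.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_chain(manifest: dict, files: dict) -> list:
    """Recompute every hash and check every back-link; return failure strings."""
    failures = []

    def check_file(entry, label):
        # Hash the bytes in hand; never trust the recorded value on its own.
        actual = sha256_hex(files[entry["file"]])
        if actual != entry["sha256"]:
            failures.append(f"{label}: content hash mismatch")
        return actual

    prev = check_file(manifest["sourceScan"], "source scan")
    for v in manifest["bundleVersions"]:  # v0 -> v1 -> vN
        if v["prevSha256"] != prev:
            failures.append(f"bundle v{v['version']}: broken link to predecessor")
        prev = check_file(v, f"bundle v{v['version']}")
    if manifest["freeze"]["bundleSha256"] != prev:
        failures.append("freeze: does not point at the last bundle version")
    session = manifest["lockedSession"]
    if session["bundleSha256"] != prev:
        failures.append("session: ran against a bundle other than the frozen one")
    session_hash = check_file(session, "locked session")
    if manifest["feedback"]["sessionSha256"] != session_hash:
        failures.append("feedback: not derived from the locked session")
    check_file(manifest["feedback"], "AI Coaching feedback")
    return failures

def build_sample():
    """Constructed sample: file names follow the page, contents are invented."""
    files = {
        "gap-report.json": b'{"finding": "legacy-auth"}',
        "bundle-v0.json": b'{"scenario": "AI baseline"}',
        "bundle-v1.json": b'{"scenario": "facilitator edit"}',
        "session.json": b'{"score": 4.2}',
        "feedback.json": b'{"tier": "Strong"}',
    }
    h = {name: sha256_hex(data) for name, data in files.items()}
    def ref(name, **links):  # hypothetical manifest entry shape
        return {"file": name, "sha256": h[name], **links}
    manifest = {
        "sourceScan": ref("gap-report.json"),
        "bundleVersions": [
            ref("bundle-v0.json", version=0, prevSha256=h["gap-report.json"]),
            ref("bundle-v1.json", version=1, prevSha256=h["bundle-v0.json"]),
        ],
        "freeze": {"frozenAt": "2026-01-01T00:00:00Z", "byUpn": "facilitator@example.com",
                   "bundleSha256": h["bundle-v1.json"]},
        "lockedSession": ref("session.json", bundleSha256=h["bundle-v1.json"]),
        "feedback": ref("feedback.json", sessionSha256=h["session.json"]),
    }
    return manifest, files

if __name__ == "__main__":
    manifest, files = build_sample()
    print(verify_chain(manifest, files))  # empty list: chain verifies
```

Changing a single byte of any artifact after the fact makes its own entry fail and also breaks every link downstream of it, which is what lets the check run without trusting the party that produced the manifest.
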
Immutable after lock

WORM-equivalent immutability. Scores, notes, timestamps, manifest hash — all frozen at the moment of Lock. Edits to a locked artifact are not possible.

6-yr retention enforced

During retention the artifact cannot be deleted by any single user action. Hard system-level constraint. Survives even a frustrated admin clicking every button.

Deletion = 4-eyes + reason

Legitimate deletion during retention (GDPR right-to-be-forgotten, etc.) requires a second admin’s approval and a recorded reason. Audit log captures both.

Audit-grade evidence

Maps cleanly to the clauses your auditor will quote.

The auditor doesn’t want a checklist or a vendor’s template. They want a drill that exercised your real gaps, with provenance that ties to evidence they can independently verify.

HIPAA Security Rule

§164.308(a)(8) Periodic evaluation

Covered entities must perform periodic technical and nontechnical evaluation. A drill generated from a real scan, run by your team, retained for six years in Vault, is exactly what the clause was written to require.

SOC 2 Trust Services

CC7.4 Response based on evaluation

Expects incident-response procedures to be informed by an evaluation of detected events. Tabletop output that names the specific scan findings driving each scenario gives the auditor a clean line from evaluation to procedure to drill.

ISO 27001 Annex A

A.5.24 IR planning

Calls for incident-response planning that reflects the organization’s threat environment. Drills generated from your scan findings are, by definition, aligned to your threat environment. Auditor-readable provenance in the manifest closes the loop.

Program-maturity readout

Quarter-over-quarter trend lines the board actually wants.

Every locked drill becomes a data point on the trends dashboard. Quarterly averages per category, latest vs best, trend arrows, click-through to the locked record. The page your CISO presents at the quarterly board meeting and your auditor walks first at audit kickoff.

Annual is the regulatory floor. Quarterly is the recommendation. Run all four categories over a year and the dashboard is the program-maturity narrative.

Try the trends demo
Veri-Guard

Identity-attack drill

↑ improving · Latest: 4.20 / 5 · Best: 4.20 / 5 · Sessions: 8

Quarterly score (scale 1–5): Q3 '24 2.80 · Q4 '24 3.00 · Q1 '25 3.20 · Q2 '25 3.40 · Q3 '25 3.70 · Q4 '25 3.85 · Q1 '26 4.00 · Q2 '26 4.20

Veri-Tune

Device-compromise drill

↑ improving · Latest: 3.90 / 5 · Best: 3.90 / 5 · Sessions: 4

Quarterly score (scale 1–5): Q3 '25 2.50 · Q4 '25 2.90 · Q1 '26 3.40 · Q2 '26 3.90

HIPAA

Breach-notification drill

↑ improving · Latest: 4.10 / 5 · Best: 4.10 / 5 · Sessions: 6

Quarterly score (scale 1–5): Q1 '25 3.00 · Q2 '25 3.30 · Q3 '25 3.55 · Q4 '25 3.80 · Q1 '26 3.95 · Q2 '26 4.10

Veri-Vault

DR / restore drill

↑ improving · Latest: 3.85 / 5 · Best: 3.85 / 5 · Sessions: 2

Quarterly score (scale 1–5): Q1 '26 3.20 · Q2 '26 3.85

Sample data — real customers see their own quarterly trend across every locked drill.

Questions

Honest answers to the questions buyers actually ask.

Will the AI hallucinate something my auditor will catch?

The tabletop is facilitator material; auditor evidence is the scan + the manifest proving the drill was generated from that scan. Every bundle ships with an opening facilitator script that frames the drill as a test, not a transcript, and a footer telling the facilitator to verify scenario specifics against their tenant. You review the AI output the way you’d review any external playbook before facilitating. The pre-freeze edit chain (with SHA-256 per version) is itself the auditor evidence that you reviewed.

Can I edit the AI output?

Yes — that’s the whole point of the pre-freeze edit flow. Every section is editable until the first session is created against the bundle. Each save appends a versioned blob with its own SHA-256; the freeze event is captured with timestamp + UPN. Auditors see both the AI baseline and your edits, with the full chain.

How does the AI Coaching work? Do I have to trust it?

Claude reviews the locked session: every team response, every score, every inject-timing drift, the org-shape roster. It produces a performance tier with rationale, per-inject feedback, per-criterion calibration notes (“your 3 is generous because the threshold for 3 is X”), top-3 IR plan recommendations with owner/effort/framework links, and a pacing observation. You don’t have to trust it — it’s a structured second opinion, not the auditor evidence. The auditor evidence is the locked session itself.

Does this replace our IR plan?

No. Your IR plan defines roles, escalation paths, contact trees, decision authority — the durable structure. The tabletop tests that plan against the specific gaps your scan found. Plan stays as written; drill exercises whether it works in practice. AI Coaching’s top-3 recommendations feed back into your IR-plan update cycle.

How do attendees participate without a Teams call?

The facilitator hands out two URLs at drill kickoff. Spectator URL is read-only — timer + current inject + delivery progress, refreshes every 3s. Participant URL: each attendee picks their role from your org-shape roster and submits written answers per inject. Submissions stream onto the facilitator’s screen role-tagged, locked into the evidence record on Drop. Works in-person, remote, or split.

What frameworks beyond HIPAA, SOC 2, ISO 27001?

NIST CSF is baked into every category by design (Protect / Detect / Respond / Recover — one per product). FedRAMP IR-3, PCI-DSS 12.10.2, NYDFS 500.16, state breach laws — all reference periodic incident-response exercises that this feature satisfies in spirit. The manifest gives you the documentary anchor. If you’re aligning to a framework not listed, book a call.

What if I generate one against the wrong scope?

Generate another. Enterprise has no per-month cap; you can run drills against every scan that matters. The wrong-scope artifact stays in Vault under its manifest unless you delete it — which is recorded in the audit log, so an auditor reviewing the activity trail sees a coherent story rather than missing artifacts.

Why isn’t this a free guide?

Because a free guide is the static-template approach this whole feature is designed to replace. Drills only work as auditor-grade evidence when they’re tied to your scan findings. A generic PDF is exactly the artifact auditors are starting to reject. The free preview on every product’s scan-results page lets you see the shape of what you’d get without committing to a plan.

Ready when you are

A pentest for your IR plan. Generated from your real posture.

Auditor-grade evidence, live multi-attendee runner, AI Coaching, three audience-tailored exports, immutable audit chain. On Enterprise, every scan can produce one.

“Engineers shouldn’t also be the audit team.”