CyberTabletop

CyberTabletop is an agentic AI cybersecurity tabletop platform for running live, scored incident response exercises.

It helps security teams move beyond static slide decks by combining AI-generated scenarios, adaptive injects, role-based player decisions, facilitator controls, real-time scoring, and structured debriefs.

Use it to rehearse ransomware, business email compromise, data breach, insider threat, DDoS, supply-chain, cloud, and custom cyber crisis scenarios with participants joining from their own devices.

Agentic AI Exercise Engine

CyberTabletop can act as an AI exercise designer, adaptive inject generator, and simulation partner while keeping a facilitator in control.

• AI Generated mode creates a complete scripted tabletop exercise before launch. Pick the incident type, difficulty, number of rounds, and organization context; CyberTabletop generates a reusable scenario for facilitator review.
• AI-Driven mode runs a fully adaptive exercise. The app generates injects during the live session based on the scenario configuration, facilitator context, and team decisions.
• Organization-aware prompts let admins provide business context so generated exercises feel closer to the environment being trained.
• Provider flexibility supports Anthropic Claude, Ollama, and deterministic scripted content. Ollama can support private/local model workflows.
• Facilitator-in-the-loop controls keep humans responsible for pacing, review, scoring, and debrief.

Why It Is Different

Traditional tabletop exercises are often slide decks and discussion notes. CyberTabletop turns the exercise into an interactive cyber simulation workspace:

• facilitators launch live sessions with join codes and role assignments,
• players make decisions from their own devices,
• injects advance the incident over time,
• scoring and response distribution show how the team reacted,
• debriefs connect decisions to lessons learned and NIST CSF-oriented gaps,
• AI can help create, adapt, and pressure-test the exercise instead of starting from a blank page.

Features

AI Exercise Design

• AI Generated and AI-Driven session modes
• Anthropic Claude and Ollama provider support
• Admin-editable AI prompts and provider configuration
• Organization context for more realistic scenario generation
• Deterministic scripted mode for built-in content and offline fallback

Live Tabletop Operations

• Facilitated sessions with lobby, join codes, and role assignment
• Role-based player decisions for incident response teams
• Built-in ransomware, BEC, DDoS, data breach, insider threat, APT, and supply-chain scenarios
• Scenario builder for custom phases, injects, and decision options
• Real-time facilitator controls for presenting injects and revealing outcomes

Scoring and Debrief

• Real-time scoring, leaderboard, response distribution, and scripted feedback
• NIST CSF-oriented debrief and gap-analysis outputs
• Decision history for after-action discussion
• Structured debrief workflow for turning exercise observations into improvements

Security and Operations

• Local authentication plus optional OIDC/SSO
• Enforced TOTP MFA for privileged roles, with optional MFA for players
• Role-based authorization and SOC-style audit logging
• Admin security dashboard for operational posture checks
• Docker Compose deployment with PostgreSQL, Redis, frontend, backend, and Nginx
• SBOMs, Docker Scout review notes, and release-hardening documentation

Security Posture

CyberTabletop is designed to be suitable for self-hosted internet-facing deployment when configured correctly, but operators remain responsible for their hosting environment, identity provider, TLS certificates, backups, monitoring, and incident response.

Current hardening includes:

• bcrypt password hashing
• short-lived JWT access tokens
• server-side hashed refresh tokens with rotation
• invite-gated registration support
• enforced TOTP MFA for SUPER_ADMIN, ORG_ADMIN, and FACILITATOR
• AES-256-GCM encryption for stored TOTP secrets
• bcrypt-hashed MFA recovery codes
• role-based authorization
• route-level input validation
• rate limiting
• audit logging
• Nginx security headers and CSP, including clickjacking protection, cross-origin isolation headers, and HSTS on HTTPS responses.
• loopback-only Docker port bindings by default
• no direct host exposure for PostgreSQL or Redis
• SSRF protections for organization website fetches

Known residual risks and deployment requirements are documented in SECURITY.md.

SBOM artifacts are published in sbom/ in CycloneDX JSON and SPDX JSON formats. The latest release-hardening notes are in docs/RELEASE_SECURITY_REVIEW.md.

The documents in docs/ are NIST SP 800-53 Rev. 5 alignment and assessment-support materials. They are not a certification, authorization to operate, or independent compliance attestation.

Use Cases

• SOC and incident response readiness drills
• Executive cyber crisis simulations
• Ransomware and business continuity exercises
• Business email compromise response training
• Insider threat and data breach workshops
• Supply-chain and cloud incident exercises
• University, cyber range, and security classroom labs
• Internal security awareness and decision-making practice

Internal organizational use is permitted by the source-available license. Hosted service, paid commercial training delivery, resale, white-labeling, and bundling into another commercial tool require separate permission.

AI Safety Notes

• Facilitators should review AI-generated exercise content before use.
• Do not submit secrets, credentials, regulated data, or live incident details to external AI providers unless your organization has approved that workflow.
• Use Ollama or another private model endpoint when exercises require local/private AI processing.
• The deterministic scripted provider does not require an external AI service.

License

CyberTabletop is source-available under the Business Source License 1.1.

The public license allows internal use by organizations, including commercial organizations, for their own tabletop exercises, security readiness, evaluation, development, testing, education, and research.

You may not offer CyberTabletop as a hosted service, managed service, SaaS product, paid commercial offering, white-labeled product, material feature of another commercial tool, or paid consulting/training/service delivery platform unless you have separate written permission from the maintainer.

See LICENSE and COMMERCIAL.md.

Because the license restricts some production/commercial uses before the Change Date, this project is not "open source" under the OSI Open Source Definition. Each specific version changes to the MIT License four years after that version is first publicly distributed.

Quick Start

For complete setup options, see docs/INSTALLATION.md.

For a full product walkthrough, see docs/USER_GUIDE.md.

Prerequisites

• Docker Desktop on Windows/macOS, or Docker Engine on Linux
• Node.js 20+ only if developing outside Docker

CyberTabletop is not Windows-only. The production stack runs Linux containers and is intended to work on Windows, macOS, and Linux hosts with Docker. The repository includes install.ps1 for Windows and install.sh for Linux/macOS.

1. Configure environment

Copy the example environment file and replace all CHANGE_ME values:

cp .env.example .env

Important production values:

• JWT_SECRET
• JWT_REFRESH_SECRET
• SESSION_SECRET
• MFA_ENCRYPTION_KEY
• POSTGRES_PASSWORD
• REDIS_PASSWORD
• INVITE_CODE

For local testing, the install scripts can generate local secrets and self-signed certificates.

2. Start the stack

Use the prebuilt images from GitHub Container Registry:

docker compose -p cybertabletop -f docker-compose.pull.yml pull
docker compose -p cybertabletop -f docker-compose.pull.yml up -d

Or build locally from source:

docker compose -p cybertabletop up -d --build

By default, Nginx binds only to localhost:

• https://localhost
• http://localhost

To expose the app behind a trusted reverse proxy or edge load balancer, configure HTTP_BIND, HTTPS_BIND, FRONTEND_URL, CORS_ORIGINS, and TLS settings deliberately.

3. Built-in scenarios

The backend container runs Prisma migrations and refreshes the built-in scripted scenario library automatically before starting. No separate seed command is required for a normal Docker install.

4. Open the app

Open https://localhost and accept the local self-signed certificate warning if you are using development certificates.

Registration is invite-gated by default when REQUIRE_INVITE=true. Use your configured INVITE_CODE to create accounts.

The first non-system account becomes SUPER_ADMIN. SUPER_ADMIN, ORG_ADMIN, and FACILITATOR users are required to enroll TOTP MFA before using protected application features.

User Roles

Role	Capabilities
SUPER_ADMIN	Full platform administration
ORG_ADMIN	Organization-level user and session administration
FACILITATOR	Create scenarios and run sessions
PLAYER	Join sessions and make decisions

Running an Exercise

For the detailed facilitator/player workflow, see docs/USER_GUIDE.md.

Facilitators:

1. Sign in with a facilitator or admin account.
2. Open Scenarios and select a built-in or custom scenario.
3. Create a session and configure exercise options.
4. Share the join code with participants.
5. Assign roles in the lobby.
6. Start the session, advance injects, and run the debrief.

Players:

1. Open /join.
2. Enter the join code.
3. Select or confirm the assigned role.
4. Make decisions during each inject.
5. Review feedback and debrief output.

Development

Backend:

cd backend
npm install
npx prisma generate
npm run build
npm run dev

Frontend:

cd frontend
npm install
npm run build
npm run dev

Useful checks:

cd backend && npm audit
cd frontend && npm audit

Project Structure

cybertabletop/
  backend/              Node.js, Express, Socket.io, Prisma
  frontend/             React, Vite, Tailwind
  nginx/                Reverse proxy and TLS configuration
  docs/                 Security and assessment-support documentation
  deployment/           Cloud deployment notes
  scenarios/            Scenario-related assets
  docker-compose.yml    Self-hosted Docker stack
  docker-compose.pull.yml
                         Self-hosted stack using prebuilt GHCR images
  SECURITY.md           Vulnerability reporting and hardening notes
  LICENSE               Business Source License 1.1

Container Images

Prebuilt images are published to GitHub Container Registry:

• ghcr.io/drdeathlabs/cybertabletop-backend:latest
• ghcr.io/drdeathlabs/cybertabletop-frontend:latest
• ghcr.io/drdeathlabs/cybertabletop-nginx:latest

The latest tag is published from the main branch. Commit-specific images are also published with sha- tags.

If docker pull reports an authorization error, open the repository's Packages page in GitHub and make the packages public.

Documentation

• Installation Guide
• User Guide
• Production Readiness
• Security Policy
• Commercial Use Terms
• Contributing
• Support

GitHub Safety Notes

Do not commit:

• .env
• TLS private keys or generated certificates
• Docker volumes
• logs
• node_modules
• frontend/backend dist folders

The included .gitignore is configured for these defaults, but always inspect git status before pushing.

Secret Handling

The Docker Compose stack reads secrets from .env and passes them into containers as environment variables. This is common for self-hosted Docker Compose deployments, but it is not the same thing as an encrypted secret store.

The DATABASE_URL value in docker-compose.yml is a template expanded from POSTGRES_USER, POSTGRES_PASSWORD, and POSTGRES_DB at runtime. It is not a hardcoded database password in the repository. Keep .env private, use long random values, and restrict host access to Docker and the deployment directory.

For production environments with stricter requirements, use your platform's secret manager or Docker secrets and inject the resulting values at deployment time.