Simulation War Room Drills
Learn how to create and run realistic war room drills to test your incident response readiness
Simulations allow you to conduct realistic war room drills without affecting production systems. Test your incident response procedures, train your team, and validate your playbooks in a safe, controlled environment.
What are Simulations?
Simulations are synthetic war room drills that create realistic incident scenarios using AI. Think of them as "fire drills" for your incident response team - complete with simulated meetings, workflow executions, and incident reports.
Why Use Simulations?
- Team Training - Onboard new team members with realistic incident scenarios
- Playbook Testing - Validate playbooks before using them in production
- Compliance Drills - Demonstrate incident preparedness for audits (GDPR, SOC 2, ISO 27001)
- Process Improvement - Identify gaps in your incident response procedures
- Risk Assessment - Test your response to specific risks from your risk register
Simulations vs. Real Incidents
Understanding the difference:
| Aspect | Real Incidents | Simulations |
|---|---|---|
| Impact | Affects production systems | No real actions performed |
| Data | Creates real records | Creates isolated simulated data |
| Workflows | Executes real actions (Jira, Slack) | Generates placeholder logs only |
| Purpose | Resolve actual issues | Training and testing |
| Visibility | Visible in dashboards | Hidden by default (can be shown) |
Creating a Simulation Scenario
Step 1: Choose Your Source
Navigate to Simulations in the sidebar and click + New Scenario.
You have three options for creating simulation scenarios:
Option A: Upload Risk Register
Upload a spreadsheet containing your organization's risks:
- Click Upload Risk Register
- Select an Excel or CSV file
- Tectra will parse the risks and let you select which ones to simulate
Risk Register Format: Should contain columns for risk name, description, likelihood, and impact.
Option B: Upload Context Document
Upload a document describing the scenario (SOP, runbook, incident report):
- Click Upload Context Document
- Select a PDF or document file
- Tectra will extract scenario details from the document
Supported Formats: PDF, DOCX, TXT
Option C: Create from Scratch
Manually define your scenario:
- Click Create from Scratch
- Enter scenario name and description
- Define the incident type and severity
Step 2: Select Risks (if using Risk Register)
If you uploaded a risk register:
- Review the parsed risks
- Select one or more risks to simulate
- Click Continue
The AI will use these risks to generate a realistic incident scenario.
Step 3: Configure Simulation Settings
Configure how the simulation will run:
Basic Settings
- Scenario Name: Descriptive name for this simulation
- Description: Optional details about what you're testing
- Framework: Choose ICS (Incident Command System) or JESIP framework
- Duration: How long the simulated incident should last (in minutes)
Advanced Settings
- Time Compression Factor: Speed up the simulation (e.g., 2x = 60 minutes compressed to 30)
- Participant Count: Number of simulated participants in meetings
- Inject Failures: Enable to simulate workflow failures and complications
Approval Node Settings
If your workflows include Approval Nodes, you can configure how they behave during simulations:
| Setting | Options | Description |
|---|---|---|
| Approval Outcome | Approved (default), Rejected, Random | What happens when a workflow hits an approval node |
| Approval Delay | 0-60 minutes | Simulated delay before the approval resolves |
How it works:
- Approved: All approval nodes automatically approve, allowing workflows to continue
- Rejected: All approval nodes automatically reject, testing rejection handling
- Random: Each approval node randomly approves or rejects (50/50 chance)
Important: In simulation mode, no real approval requests are created. The approval is resolved immediately (or after the configured delay) by the simulation system.
Use Case: Set approval outcome to "Rejected" to test how your workflows handle rejection scenarios, such as when legal counsel denies a communication plan.
Tip: Start with simple scenarios (no failures, shorter duration) before running complex drills.
Step 4: Add Context Documents
Upload supporting documents to make the AI-generated content more realistic:
- Runbooks - Standard operating procedures
- Incident Reports - Previous incident documentation
- Technical Specs - System architecture diagrams
- Contact Lists - Team rosters and escalation paths
The AI uses these documents to generate realistic meeting transcripts and incident details.
Step 5: Link Playbooks
Select playbooks to test during the simulation:
- Browse available playbooks
- Select specific playbook scenarios you want to execute
- The simulation will track completion of playbook tasks
Use Case: Validate that your "Database Outage Response" playbook works correctly before a real incident.
Important: For compliance coverage tracking, ensure your playbook tasks have compliance tags assigned. See Compliance Framework Integration below.
Step 5b: Select Compliance Frameworks
Choose which compliance frameworks to evaluate during the simulation:
- Browse available compliance frameworks (GDPR, SOC 2, ISO 27001, etc.)
- Select frameworks relevant to this simulation scenario
- The simulation will track coverage of selected framework requirements
Requirement: Compliance frameworks must be created in the Compliance section before they appear here.
Step 6: Link Workflows
Select workflows to execute during the simulation:
- Choose workflows from your workflow library
- Workflows will execute in simulated mode (no real actions)
- Execution logs will show "Simulated: ..." messages
Important: Workflows will NOT perform real actions (no Jira tickets, Slack messages, or API calls during simulation).
Step 7: Generate Execution Plan
Click Generate Plan to have AI create the simulation schedule:
- Incident Details - AI-generated incident name, description, and severity
- Meeting Schedule - When simulated war room meetings will occur
- Workflow Triggers - When workflows will be automatically executed
- Participant Assignments - Who is involved in each activity
Review the plan and click Edit Plan if you want to make adjustments.
Step 8: Save Scenario
Click Save Scenario to save for future use.
You can now:
- Run the simulation immediately
- Edit the scenario configuration
- Clone to create variations
- Archive when no longer needed
Running a Simulation
Starting a Simulation
From the Scenarios tab:
- Find your scenario
- Click the Run button
- The simulation will execute automatically
What Happens During Execution
The simulation orchestrator will:
- Create a Synthetic Incident - Generate realistic incident details
- Generate Meeting Transcripts - AI creates simulated war room conversations
- Execute Workflows - Run workflows in simulation mode (no real actions)
- Track Playbook Completion - Monitor which playbook tasks are completed
- Close Incident - Mark the incident as resolved
- Generate Reports - Create incident report and simulation analysis
Duration: Most simulations complete in 5-10 minutes, regardless of simulated incident duration (thanks to time compression).
Monitoring Progress
While the simulation runs:
- Status Updates - Watch real-time progress in the UI
- Logs - View detailed execution logs
- Cancellation - You can cancel mid-execution if needed
Interpreting Simulation Results
Overview Tab
Shows high-level simulation metrics:
- Scenario Configuration - Framework, duration, settings used
- Execution Summary - Start/end times, status
- Key Metrics - Meetings created, workflows executed, playbook completion
Incident Report Tab
View the AI-generated incident report, including:
- Incident Timeline - Chronological list of events
- Actions Taken - What the team did during the incident
- Root Cause Analysis - AI-generated analysis of what went wrong
- Lessons Learned - Recommendations for improvement
Use Case: Share this report with auditors to demonstrate incident response preparedness.
Simulation Analysis Tab
Detailed analysis of how well your team performed:
Playbook Adherence
- Which playbook tasks were completed
- Which tasks were skipped or delayed
- Overall adherence percentage
SLA Performance
- Meeting response times
- Workflow execution times
- Breach analysis for any missed SLAs
Recommendations
AI-generated suggestions for improving your incident response:
- Process gaps identified
- Training opportunities
- Playbook improvements
Workflows Tab
View all simulated workflow executions:
- Execution Status - Completed, failed, or in-progress
- Node Logs - See what each workflow node would have done
- Simulated Actions - "Simulated: Created Jira ticket PROJECT-123" (no real ticket created)
Remember: These workflows did NOT perform real actions. Logs show what would have happened.
Meetings Tab
View all simulated meetings:
- Meeting Details - Name, duration, participants
- AI-Generated Transcripts - Realistic conversation between team members
- Meeting Summaries - Key discussion points and decisions
Note: These are AI-generated transcripts, not real conversations.
Common Use Cases
Compliance Drills
Scenario: Quarterly GDPR data breach response drill
- Create scenario: "Customer PII Exposure via API Vulnerability"
- Link playbook: "GDPR Breach Response Procedures"
- Set framework: ICS
- Run simulation and generate report
- Share report with compliance team as evidence of preparedness
Result: Audit-ready documentation showing your team can respond to GDPR breaches.
Team Training
Scenario: Onboarding new incident commander
- Create scenario: "Production Database Outage"
- Enable failure injection to make it challenging
- Run simulation with new team member observing
- Review simulation analysis together
- Discuss what went well and what to improve
Result: New team member learns incident response procedures without production risk.
Playbook Validation
Scenario: Testing new "API Gateway Failure" playbook
- Create scenario matching the playbook's scope
- Link the new playbook
- Run simulation
- Review playbook adherence metrics
- Update playbook based on gaps identified
Result: Validated playbook ready for production use.
Risk Assessment
Scenario: Testing response to top 5 risks from risk register
- Upload risk register
- Select top 5 high-impact risks
- Create scenarios for each
- Run simulations monthly
- Track improvement in response times over time
Result: Demonstrated risk mitigation through regular testing.
Compliance Framework Integration
Simulations can track compliance with regulatory frameworks, providing evidence of your organization's incident response preparedness.
How Compliance Tracking Works
- Create Compliance Frameworks - Define frameworks and requirements in the Compliance section
- Tag Playbook Tasks - Add compliance tags to tasks that satisfy specific requirements
- Run Simulation - Execute simulation with linked playbooks
- View Coverage Report - Simulation report shows which requirements were met
Setting Up Compliance Tracking
Step 1: Create Compliance Frameworks
Navigate to Compliance in the sidebar:
- Click + New Framework
- Enter framework details:
  - Name: e.g., "GDPR", "SOC 2 Type II", "ISO 27001"
  - Description: Optional summary
- Add requirements:
  - Requirement ID: e.g., "Art. 33", "CC7.4", "A.16.1.5"
  - Requirement Name: e.g., "Breach Notification", "Incident Response"
  - Description: What the requirement covers
- Save the framework
Step 2: Tag Playbook Tasks
Navigate to Playbooks and edit your playbook:
- Open a scenario
- Edit a task
- Click Add Compliance Requirement
- Select framework and requirement
- Save the playbook
Example: Tag the task "Notify supervisory authority within 72 hours" with [GDPR] - Breach Notification - Art. 33
Step 3: Link Playbooks to Simulation
When creating or editing a simulation scenario:
- In the Playbooks step, select playbooks with tagged tasks
- In the Compliance Frameworks step, select relevant frameworks
- Generate and run the simulation
Understanding Compliance Coverage Reports
After simulation completion, the report shows:
Compliance Coverage Section
- Overall Coverage: Percentage of framework requirements met
- Per-Framework Breakdown: Coverage for each selected framework
- Evidence: Which tasks satisfied which requirements
- Gaps: Requirements not covered by completed tasks
Interpreting Results
| Coverage | Meaning | Action |
|---|---|---|
| 100% | All selected requirements were met | Document for audit |
| 50-99% | Partial coverage | Review gaps and improve playbooks |
| 0% | No requirements met | Add compliance tags to playbook tasks |
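An added example, not Tectra's code: a minimal model of the coverage calculation described above, showing why a linked playbook whose tasks are untagged or not completed reports 0% or gaps. The data model, the `coverage_report` function, and the sample tasks are assumptions constructed for illustration; the requirement IDs are the ones this page uses as examples.

```python
from dataclasses import dataclass, field


@dataclass
class Task:
    name: str
    completed: bool
    # (framework name, requirement ID) pairs tagged on this playbook task
    tags: set = field(default_factory=set)


def coverage_report(frameworks, selected, tasks):
    """frameworks: {name: [requirement IDs]}; selected: frameworks chosen
    for the scenario; tasks: linked playbook tasks after the run."""
    report = {"frameworks": {}, "overall": 0.0}
    total = met = 0
    for fw in selected:
        evidence, gaps = {}, []
        for req in frameworks[fw]:
            # A requirement is met only by a completed task carrying its tag.
            proof = [t.name for t in tasks if t.completed and (fw, req) in t.tags]
            if proof:
                evidence[req] = proof
            else:
                gaps.append(req)
        count = len(frameworks[fw])
        report["frameworks"][fw] = {
            "coverage": 100.0 * len(evidence) / count if count else 0.0,
            "evidence": evidence,
            "gaps": gaps,
        }
        total += count
        met += len(evidence)
    # Assumption: overall coverage is weighted by requirement count.
    report["overall"] = 100.0 * met / total if total else 0.0
    return report


# Constructed sample data; requirement IDs are the page's own examples.
FRAMEWORKS = {"GDPR": ["Art. 33", "Art. 34"], "SOC 2 Type II": ["CC7.4"]}

UNTAGGED = [
    Task("Assess breach severity", True),
    Task("Notify supervisory authority within 72 hours", True),
]

TAGGED = [
    Task("Assess breach severity", True),
    Task("Notify supervisory authority within 72 hours", True, {("GDPR", "Art. 33")}),
    Task("Notify affected individuals", False, {("GDPR", "Art. 34")}),  # not completed
    Task("Run incident response procedure", True, {("SOC 2 Type II", "CC7.4")}),
]

if __name__ == "__main__":
    for label, tasks in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        result = coverage_report(FRAMEWORKS, ["GDPR", "SOC 2 Type II"], tasks)
        print(label, f"overall={result['overall']:.1f}%")
        for fw, detail in result["frameworks"].items():
            print(f"  {fw}: {detail['coverage']:.0f}% gaps={detail['gaps']}")
```

In this model the untagged playbook scores 0% even though every task completed, and the tagged playbook leaves Art. 34 as a gap because its task was tagged but never completed.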
Common Compliance Use Cases
GDPR Breach Notification Drill
- Create framework: "GDPR" with breach notification requirements
- Create playbook: "Data Breach Response" with tasks for:
  - Assessing breach severity
  - Documenting affected data subjects
  - Notifying supervisory authority (tag: Art. 33)
  - Notifying affected individuals (tag: Art. 34)
- Run simulation to verify coverage
SOC 2 Incident Response Audit
- Create framework: "SOC 2 Type II" with CC7.x requirements
- Tag existing playbook tasks with relevant controls
- Run quarterly simulations
- Share reports with auditors as evidence
ISO 27001 Certification Prep
- Create framework: "ISO 27001" with Annex A.16 requirements
- Map playbook tasks to information security incident controls
- Run simulations before certification audit
- Identify and remediate gaps
Troubleshooting Compliance Coverage
If you're seeing 0% compliance coverage:
- Check Playbook Tasks Have Tags: Edit your playbook and ensure tasks have compliance requirement tags
- Verify Framework Selection: Confirm the correct frameworks are selected in the simulation scenario
- Re-link Playbooks After Adding Tags: If you added tags after creating the scenario, re-select the playbook scenarios to refresh
- Confirm Tasks Are Being "Completed": The AI simulation must recognize task completion for coverage to register
See Playbooks Guide for detailed instructions on adding compliance tags.
Tips & Best Practices
Creating Realistic Scenarios
- Use Real Documents - Upload actual runbooks, SOPs, and incident reports for realistic AI outputs
- Be Specific - Detailed risk descriptions produce better simulation content
- Match Production - Configure settings to match your real incident response (framework, team size)
Running Effective Drills
- Start Simple - Run your first simulation without failures, then gradually increase complexity
- Regular Cadence - Run simulations monthly or quarterly (like fire drills)
- Vary Scenarios - Test different incident types (security, infrastructure, data)
- Track Trends - Compare simulation results over time to measure improvement
Analyzing Results
- Focus on Gaps - Use simulation analysis to identify process weaknesses
- Update Playbooks - Revise playbooks based on what didn't work
- Team Retrospectives - Discuss simulation results with your team
- Document Improvements - Track changes made based on simulation findings
Saving Scenarios
- Reusable Templates - Create scenarios for common incident types
- Clone & Modify - Start with a working scenario and adjust for variations
- Archive Old Scenarios - Keep your scenario list clean and relevant
Data Isolation
Viewing Simulated Data
By default, simulated data is hidden from production views:
- Incident Lists - Simulated incidents don't appear
- Dashboard Metrics - Counts exclude simulated data
- Search Results - AI assistant ignores simulated incidents
Enabling Simulated Data View
To view simulated data:
- Look for the "Show simulated data" checkbox
- Enable it to see both real and simulated records
- Simulated records are clearly marked with a badge
Available On: Incident lists, meeting lists, workflow execution lists
Why Data Isolation Matters
- Accurate Metrics - Your dashboards show real production data only
- Clean Queries - AI assistant provides relevant answers (not simulation noise)
- No Confusion - Team members won't accidentally reference simulated incidents
Troubleshooting
Simulation Execution Failed
Problem: Simulation status shows "failed" or "error"
Solutions:
- Check scenario configuration for errors
- Ensure linked playbooks and workflows exist and are not archived
- Verify context documents uploaded successfully
- Try running a simpler scenario to isolate the issue
- Contact support if the problem persists
AI-Generated Content Seems Unrealistic
Problem: Meeting transcripts or incident reports don't match your organization
Solutions:
- Upload more context documents (runbooks, previous incident reports)
- Provide more detailed risk descriptions
- Ensure framework selection matches your actual incident response
- Add specific terminology and acronyms in context documents
Cannot Find Simulated Data
Problem: Can't see meetings or incidents created during simulation
Solution: Enable the "Show simulated data" checkbox in the list view. Simulated data is hidden by default to keep production views clean.
Workflows Not Executing as Expected
Problem: Workflow didn't run during simulation or shows unexpected results
Solutions:
- Remember: Workflows execute in simulated mode (no real actions)
- Check workflow execution logs for "Simulated: ..." messages
- Verify workflow triggers are configured correctly
- Ensure workflow is not in draft status
Playbook Tasks Not Tracked
Problem: Simulation analysis shows 0% playbook adherence
Solutions:
- Ensure playbooks are properly linked in scenario configuration
- Verify playbook scenarios are selected (not just the playbook)
- Check that workflows create the required entities (incidents, tickets, etc.)
- Review playbook task completion criteria
Compliance Coverage Shows 0%
Problem: Simulation report shows 0% compliance coverage even though playbooks are linked
Solutions:
- Add Compliance Tags to Playbook Tasks: This is the most common cause. Navigate to Playbooks, edit your playbook, and add compliance requirement tags to individual tasks
- Create Compliance Frameworks First: Ensure you've created compliance frameworks in the Compliance section with requirements defined
- Select Frameworks in Scenario: Verify you've selected the relevant compliance frameworks when configuring the simulation scenario
- Re-link Playbooks After Adding Tags: If you added compliance tags after the simulation scenario was created, you need to re-select the playbook scenarios to refresh the reference
Key Point: Compliance coverage requires explicit task-to-requirement mappings. Simply linking a playbook is not enough - the tasks within that playbook must have compliance tags.
FAQ
Q: Will simulations affect my real incidents or data?
A: No. Simulations are completely isolated and perform no real actions. All data is marked as simulated and hidden from production views.
Q: How long does a simulation take to run?
A: Typically 5-10 minutes, regardless of the simulated incident duration. Time compression allows a "4-hour incident" to execute in minutes.
Q: Can I use simulations for compliance audits?
A: Yes! Simulation reports provide audit-ready evidence of incident response preparedness. Many organizations use them for GDPR, SOC 2, and ISO 27001 compliance.
Q: Why isn't my simulation showing any compliance requirements being met?
A: Compliance coverage requires two things: (1) Compliance frameworks with requirements defined in the Compliance section, and (2) Playbook tasks tagged with those requirements. If you're seeing 0% coverage, go to Playbooks, edit your playbook, and add compliance requirement tags to individual tasks. Then re-select the playbook scenarios in your simulation scenario.
Q: Do simulated workflows create real Jira tickets or Slack messages?
A: No. Workflows execute in simulated mode and do NOT perform real external actions. Logs show "Simulated: ..." messages indicating what would have happened.
Q: How do Approval Nodes work in simulations?
A: Approval nodes are automatically resolved based on your scenario configuration. By default, they auto-approve so workflows continue. You can set the Approval Outcome to "Rejected" to test rejection handling, or "Random" for unpredictable outcomes. No real approval requests are created during simulations - the resolution is handled by the simulation system.
Q: Can I edit a simulation after it's run?
A: You can edit the scenario configuration and re-run it. Each run creates a new simulation instance with fresh AI-generated content.
Q: How do I share simulation results with my team?
A: Navigate to the simulation run detail page and share the URL. All tabs (overview, incident report, analysis) are viewable by anyone with access to the simulation.
Q: Can I run multiple simulations simultaneously?
A: Yes. Each simulation runs independently and won't interfere with others.
Q: What's the difference between "Clone" and "Re-run"?
A:
- Re-run: Execute the same scenario again (generates new AI content)
- Clone: Create a copy of the scenario to modify and save as a new scenario
Q: How are simulated meetings different from real meetings?
A: Simulated meetings have AI-generated transcripts showing what a realistic war room conversation might look like. They're not real recordings, but they provide training value and context for the simulation.
Q: Can I customize the AI-generated content?
A: Indirectly, yes. Upload context documents (runbooks, past incidents) and provide detailed risk descriptions to influence the AI's output. The more context you provide, the more realistic the content.
Q: Are simulations included in my plan?
A: Simulation availability depends on your Tectra subscription plan. Contact your account manager for details on simulation limits and pricing.
Next Steps
- Create Your First Scenario - Start with a simple scenario to learn the system
- Test a Playbook - Validate one of your existing playbooks
- Schedule Regular Drills - Set up monthly or quarterly simulation cadence
- Train Your Team - Use simulations for onboarding and continuous training
Need help? Contact support@tectra.ai or visit our support page.