Features

Everything the workspace does — in one place

Cyber Toolbox unifies governance, response, remediation and simulation around a single case engine. Each feature builds on the last — and stays out of the way until it's needed.

Workspace

Community · Standard · Professional · Enterprise

Unified case workspace

Incidents and exposures share the same workspace shell — sticky header, tabs, sidebar, real-time channel. No more "two products in one product".

  • Sticky header with severity, phase, commander and OT scope.
  • Tabs adapt to case type — Procedures for incidents, Assessment for exposures.
  • Real-time channel updates the team the moment something changes.

Standard · Professional · Enterprise

Operator command centre

A dashboard that answers "what needs me?" — not just "how many open cases do we have?". The first thing you see at 09:00 is the queue you need to work today.

  • "Needs me now" surfaces cases where you're commander or have unfinished checklist items.
  • RFIs awaiting your reply, sorted by priority.
  • Timers in the red zone across every case you touch.
  • Recent escalations at org level for situational awareness.

Governance

Community · Standard · Professional · Enterprise

Standard incident playbooks

Pre-built playbooks for the scenarios that actually happen — ransomware, BEC, insider, OT/ICS — versioned, ownable, mapped to NIST and ISO.

  • Every playbook is a sequence of structured steps with owners, expected duration, evidence and gate criteria.
  • Snapshot-locked at attachment time so a mid-incident playbook update never disrupts an open case.
  • Mermaid phase-flow diagrams render in both authoring and live-case modes.

Professional · Enterprise

GRC content library

Pre-built incident response policies, standards and procedures aligned to the frameworks your auditors recognise — yours to fork and own.

  • Six-layer hierarchy — policy → standard → procedure → playbook → runbook → automation.
  • Cross-reference tokens (PB-, PROC-, STD-, POL-) auto-link in any markdown surface.
  • Versioned by design — every artefact has an owner, version and parent.

Response

Professional · Enterprise

Simulations / Exercise mode

Run tabletop and dry-run exercises against the same playbooks, checklists and activity log you use for live response. Practised muscle memory, not slide-deck theatre.

  • Exercise cases tagged separately and excluded from "needs me" surfaces.
  • Replay a previous tabletop to seed a new scenario quickly.
  • After-action report uses the same PIR template — so lessons translate to live.

Exposure

Standard · Professional · Enterprise

Exposure management playbooks

Playbooks for Gartner's CTEM stages — Scope, Discover, Prioritise, Validate, Mobilise, Verify — applied to vulnerabilities, control gaps, audit findings.

  • Per-asset register replaces flat "affected_assets" lists.
  • Severity bands derive interim and full remediation SLAs automatically.
  • Verification gate before close — no marking your own homework.

Intelligence

Professional · Enterprise

CTI workbench

Threat intelligence as a first-class citizen. Personas, Diamond Model, RFIs and indicators threaded through every case.

  • Per-actor personas with linked TTPs.
  • Diamond Model entry per case to connect adversary, capability, infrastructure, victim.
  • RFI inbox routes intelligence requests to the right analyst.

Reporting

Professional · Enterprise

Post-incident reporting

A guided PIR walkthrough that pulls TTD, TTC and TTR from the immutable activity log — five-whys prompts, timeline pre-population, action items materialised as tasks.

  • Time-to-Detect, Time-to-Contain and Time-to-Resolve computed from phase transitions.
  • 5-whys captured as structured root-cause factors, not free text.
  • Action items become assignable tasks so improvements actually land.

Operator experience

Professional · Enterprise

Integrations

Connect the platform to the systems your response already touches — identity, ticketing, SIEM, paging, comms.

  • Webhooks on every case event for downstream automation.
  • Outbound to Slack, Teams, PagerDuty and email.
  • Inbound from SIEM and ticketing for case auto-declaration.

Enterprise

Standard · Professional · Enterprise

Single sign-on

Authenticate against the identity provider you already trust. OAuth on Standard; SAML on Professional; SAML + SCIM provisioning on Enterprise.

  • OAuth via Microsoft 365 or Google.
  • SAML 2.0 with attribute-based role mapping.
  • SCIM provisioning for joiner-mover-leaver automation.

Enterprise

Incident governance

For organisations with a regulated reporting line — committees, attestations, audit trails and board reporting that meet a regulator's bar.

  • Committee structure with named roles and attestation flows.
  • Audit log of governance actions separate from case content.
  • Board reporting templates pre-populated from case data.

Which plan unlocks what?

Compare features against Community · Standard · Professional · Enterprise

Pricing maps the features above to four plans — Community is free, Professional is the recommended fit for most teams, and Enterprise unlocks dedicated tenancy plus incident governance.

See pricing

Want a tour driven by your scenario?

Bring a recent (anonymised) incident or exposure and we'll walk it through the workspace live.