New release · IR.L2-3.6.1 / 3.6.2 / 3.6.3

IR Tabletop & AAR Evidence Kit

A productized incident response tabletop and After-Action Review system for CMMC 2.0 Level 2. AI-drafted custom scenarios, MITRE ATT&CK overlay, and an immutable evidence bundle the assessor can verify in minutes.

CMMC 2.0 Level 2–Aligned · MITRE ATT&CK Mapped · Single-Tenant SaaS · 6-Year Retention

Why most IR tabletops don’t survive a C3PAO

Calendar invites, a slide deck, and a Word doc capturing the meeting notes. That’s how the typical defense-industrial-base small business runs IR rehearsals — and it’s exactly what fails an assessor reviewing IR.L2-3.6.1 / 3.6.2 / 3.6.3. The Kit replaces that with a structured workflow: every decision is timestamped, every finding is linked to a control and a corrective action, the drafter and approver are different humans, and the whole thing exports as a hash-verifiable evidence bundle.

Three controls, one defensible record

The Kit is purpose-built for the three Incident Response practices an assessor will actually press you on.

IR.L2-3.6.1

Establish IR capability

Documented plan, roles, training, and exercise cadence captured per-tenant and re-provable on demand.

IR.L2-3.6.2

Track, document, report

Every inject decision, response, finding, and corrective action is timestamped and signed — not narrative recall.

IR.L2-3.6.3

Test the IR capability

Tabletop, walkthrough, or functional. Methodology + justification baked into the AAR for the C3PAO.

Two control families. One MacTech Training platform.

The IR Tabletop & AAR Evidence Kit ships inside the same MacTech Training app that delivers your CMMC Awareness & Training (AT) coursework. One login, one tenant, one audit trail — six CMMC practices covered out of the box.

Awareness & Training

CUI Enclave User Training

Role-based courseware with quiz attestations, completion records, and per-user evidence — the same workflow your team already uses for annual security awareness, now mapped directly to CMMC AT requirements.

  • AT.L2-3.2.1: Security risks & awareness — role-tailored modules
  • AT.L2-3.2.2: Role-based training for security duties
  • AT.L2-3.2.3: Insider threat awareness & reporting

Incident Response

IR Tabletop & AAR Evidence Kit

AI-drafted scenarios, MITRE ATT&CK overlay, live facilitator console, and an immutable evidence bundle — covering the three IR practices the assessor will press hardest on.

  • IR.L2-3.6.1: Establish IR capability — plan, roles, training, exercises
  • IR.L2-3.6.2: Track, document, and report incidents
  • IR.L2-3.6.3: Test the IR capability — tabletop, walkthrough, functional

What You Get

An end-to-end workflow from scenario authoring to assessor handoff. No additional tooling required.

Single-tenant SaaS workflow

Wizard-driven planning, live facilitator console, AAR drafting, approver signoff, and offline evidence bundle — one URL, one tenant, no shared infrastructure.

AI custom scenario generator

Describe an incident specific to your environment — supply-chain compromise, insider exfiltration, vendor MSP breach. Claude drafts a CMMC-aligned tabletop with 6–8 injects, MITRE TTPs, and objective pass criteria. You review and refine before saving.

Seeded scenario library + difficulty levels

Four production-ready scenarios out of the box (ransomware, account compromise, lost device, insider). Each runs as Management, Mixed, or Technical — same scenario, audience-appropriate framing.

MITRE ATT&CK overlay

Every attacker inject is mapped to MITRE techniques (e.g. T1078.003, T1486). Reporting and recovery decisions are correctly tagged as non-attacker. Visible in the live console and in the final AAR.

AI-assisted AAR drafting

Sub-second drafts of executive summary, timeline narrative, strengths, gaps, and evidence-reviewed sections — built from the actual inject responses captured during execution. A reviewer always edits before saving.

Immutable evidence bundle

SHA-256 hashed manifest, append-only audit log, optional RFC 3161 timestamp, separation-of-duties enforced (drafter ≠ approver), 6-year retention with legal-hold support — packaged as a single ZIP for the assessor.

Compose a custom scenario in a single prompt

Stop adapting generic ransomware decks. Describe the incident your team actually needs to rehearse — the language, the systems, the people, the pressure — and get a draft that’s already control-mapped and assessor-ready.

  • AI drafts 6–8 injects with realistic IT/security signals

  • Pass criteria are objective (time bounds, specific actions, named artifacts)

  • Control allow-list constrained — no hallucinated NIST IDs

  • Refine with follow-up prompts — no need to start over

Scenario Composer

Prompt: “A vendor MSP’s RMM tool is compromised and pushes a malicious update to our Windows Server 2025 hosts. The team must detect, contain, and brief the contracting officer.”

→ Drafting…
  • Title + summary + narrative
  • 7 injects · T+0 → T+90
  • 4 MITRE TTPs mapped
  • 9 NIST controls validated

Review · Refine · Save to library

  • Scenario draft: claude-sonnet-4-5
  • AAR drafting: claude-haiku-4-5
  • Two-layer validation: Zod + DB
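The second validation layer described above (allow-listed control IDs, 6–8 injects, objective pass criteria, ATT&CK tags only on attacker injects) is the kind of check that keeps an AI-drafted scenario from reaching the library with a hallucinated control ID. The following is an added example, not the Kit's own code: it is plain TypeScript standing in for the Zod schema the page mentions, and the draft shape, the allow-list contents, the time-bound heuristic for pass criteria, and both sample drafts (one built from the 75-minute timeline on this page, one deliberately broken) are assumptions.

```typescript
// Added example, not the Kit's own code: second-layer validation of an
// AI-drafted scenario before it may be saved. The draft shape, the allow-list,
// the pass-criteria heuristic and both sample drafts are assumptions; the
// Kit's real Zod schema is not reproduced here.

interface InjectDraft {
  offsetMin: number;     // exercise clock, T+ minutes
  title: string;
  controls: string[];    // CMMC practice IDs the inject exercises
  attacker: boolean;     // attacker activity (gets ATT&CK tags) vs. response/recovery step
  mitre: string[];       // ATT&CK technique IDs; must be empty for non-attacker injects
  passCriteria: string;  // what "pass" means for this inject
}

interface ScenarioDraft { title: string; injects: InjectDraft[]; }

// Allow-list of control IDs the generator may cite: a constructed subset for this example.
const CONTROL_ALLOW_LIST = new Set([
  "IR.L2-3.6.1", "IR.L2-3.6.2", "IR.L2-3.6.3", "AT.L2-3.2.1", "AT.L2-3.2.2", "AT.L2-3.2.3",
]);
const MITRE_ID = /^T\d{4}(\.\d{3})?$/;                              // T1486 or T1078.003
const TIME_BOUND = /\bT\+\d+\b|\bwithin \d+ (minutes?|hours?)\b/i;  // heuristic for an objective criterion

// Returns every problem found; an empty array means the draft may be saved.
function validateScenarioDraft(d: ScenarioDraft, allow: Set<string> = CONTROL_ALLOW_LIST): string[] {
  const errors: string[] = [];
  if (d.injects.length < 6 || d.injects.length > 8) {
    errors.push(`expected 6-8 injects, got ${d.injects.length}`);
  }
  let lastOffset = -1;
  d.injects.forEach((item, i) => {
    const where = `inject ${i} (T+${item.offsetMin})`;
    if (i > 0 && item.offsetMin <= lastOffset) errors.push(`${where}: offsets must increase`);
    lastOffset = item.offsetMin;
    if (item.controls.length === 0) errors.push(`${where}: no control mapped`);
    for (const c of item.controls) {
      if (!allow.has(c)) errors.push(`${where}: control ${c} is not in the allow-list`);
    }
    if (item.attacker) {
      if (item.mitre.length === 0) errors.push(`${where}: attacker inject has no ATT&CK technique`);
      for (const t of item.mitre) if (!MITRE_ID.test(t)) errors.push(`${where}: malformed technique id ${t}`);
    } else if (item.mitre.length > 0) {
      errors.push(`${where}: non-attacker inject must not carry ATT&CK techniques`);
    }
    if (!TIME_BOUND.test(item.passCriteria)) errors.push(`${where}: pass criteria lack a time bound`);
  });
  return errors;
}

function inj(offsetMin: number, title: string, controls: string[], attacker: boolean,
             mitre: string[], passCriteria: string): InjectDraft {
  return { offsetMin, title, controls, attacker, mitre, passCriteria };
}

// Constructed draft following the 75-minute timeline on this page.
function goodDraft(): ScenarioDraft {
  return {
    title: "Compromised MSP RMM pushes a malicious update",
    injects: [
      inj(0, "Initial detection (SIEM alert / user report)", ["IR.L2-3.6.2"], true, ["T1078.003"], "Incident declared within 10 minutes"),
      inj(15, "Containment decision", ["IR.L2-3.6.1", "IR.L2-3.6.2"], true, ["T1059.001"], "Affected hosts isolated by T+25"),
      inj(30, "Scope analysis", ["IR.L2-3.6.2"], true, ["T1486"], "CUI impact statement recorded by T+40"),
      inj(45, "External reporting decision", ["IR.L2-3.6.1"], false, [], "Contracting officer notified within 72 hours"),
      inj(60, "Recovery validation", ["IR.L2-3.6.2"], false, [], "Backup restore test logged by T+70"),
      inj(75, "Lessons-learned capture", ["IR.L2-3.6.3"], false, [], "Corrective actions assigned owners by T+85"),
    ],
  };
}

// Constructed bad draft: too few injects, an invented control ID, and a technique on a non-attacker step.
function badDraft(): ScenarioDraft {
  const d = goodDraft();
  d.injects = d.injects.slice(0, 5);
  d.injects[0].controls = ["IR.L2-9.9.9"]; // obviously invented placeholder, not in the allow-list
  d.injects[3].mitre = ["T1486"];          // reporting decision is a non-attacker inject
  return d;
}
```

The allow-list is the part that matters for the "no hallucinated NIST IDs" claim: the model can propose any string, but only IDs the tenant has loaded can be saved, so a fabricated control is rejected before it ever reaches an assessor.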

A typical 75-minute exercise

Every inject is timestamped, control-mapped, and (for attacker injects) MITRE-tagged. The facilitator sees the full timeline live; the assessor sees it in the final AAR.

Offset | Inject | Controls | MITRE
T+0  | Initial detection inject (SIEM alert / user report) | IR.L2-3.6.2 | T1078.003
T+15 | Containment decision — isolate, monitor, or escalate | IR.L2-3.6.1, IR.L2-3.6.2 | T1059.001
T+30 | Scope analysis — what data was reached | IR.L2-3.6.2 | T1486
T+45 | External reporting decision — DC3, contracting officer, MSP | IR.L2-3.6.1 | — non-attacker
T+60 | Recovery validation — backups, account state, baseline integrity | IR.L2-3.6.2 | — non-attacker
T+75 | Lessons-learned capture — findings + corrective actions | IR.L2-3.6.3 | — non-attacker

What the assessor receives

  • Exercise plan + scope + methodology justification
  • Timestamped roster of participants by role
  • Per-inject decision log with status, notes, response time
  • Approved AAR with executive summary + timeline narrative
  • Findings keyed to NIST control IDs
  • Corrective Action Register (CAR) with milestones + owners
  • SHA-256 manifest of every artifact + audit log
  • Optional RFC 3161 trusted timestamp token

Defensibility built-in

  • HMAC-signed service-to-service bridge to compliance plane
  • Immutable audit table — append-only, hash-chained
  • Drafter ≠ approver enforced at API + DB CHECK constraint
  • Clerk SSO with org-scoped role enforcement
  • 6-year retention with legal-hold override
  • Single-tenant Postgres on Microsoft Azure
  • FedRAMP-aligned hosting posture
  • Deterministic, reproducible bundle export
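The "Immutable evidence bundle" and "Defensibility built-in" items above rest on three mechanisms an assessor can check without trusting the vendor: a hash-chained append-only audit log, a SHA-256 manifest over every artifact, and drafter/approver separation. The block below is an added example, not the Kit's own code, written in TypeScript to match the product's stack; the event fields, the bundle file names, the hash serialisation and all sample identities and timestamps are assumptions. It appends events, refuses a self-approval, builds the manifest, and then shows that a post-export edit to the log is caught by both the chain walk and the manifest check.

```typescript
// Added example, not the Kit's own code: a hash-chained append-only audit log,
// a SHA-256 artifact manifest, a drafter/approver separation check, and the
// verification an assessor would run over the exported bundle.
// Field names, bundle layout and all sample data below are assumptions.
import { createHash } from "crypto";

const sha256 = (data: string): string =>
  createHash("sha256").update(data, "utf8").digest("hex");

const GENESIS = "0".repeat(64); // prevHash of the first event

interface AuditEvent {
  seq: number;      // position in the log; gaps or reordering break the chain
  ts: string;       // ISO-8601 timestamp assigned by the server
  actor: string;    // SSO identity of whoever acted
  action: string;   // e.g. "aar.drafted:AAR-001"
  prevHash: string; // hash of the preceding event
  hash: string;     // sha256 over (seq, ts, actor, action, prevHash)
}

// Canonical serialisation of the fields covered by the hash.
function eventDigest(e: Omit<AuditEvent, "hash">): string {
  return sha256(JSON.stringify([e.seq, e.ts, e.actor, e.action, e.prevHash]));
}

class AuditLog {
  private events: AuditEvent[] = [];

  // The only write path: append, never update or delete.
  append(actor: string, action: string, ts: string): AuditEvent {
    const prev = this.events[this.events.length - 1];
    const body = { seq: this.events.length, ts, actor, action, prevHash: prev ? prev.hash : GENESIS };
    const e: AuditEvent = { ...body, hash: eventDigest(body) };
    this.events.push(e);
    return e;
  }

  // Hand out copies so readers cannot mutate the log in place.
  entries(): AuditEvent[] {
    return this.events.map((e) => ({ ...e }));
  }
}

// Re-walk the chain: each event must hash correctly and point at its predecessor.
function verifyChain(events: AuditEvent[]): boolean {
  let expectedPrev = GENESIS;
  for (let i = 0; i < events.length; i++) {
    const { hash, ...body } = events[i];
    if (body.seq !== i || body.prevHash !== expectedPrev || eventDigest(body) !== hash) return false;
    expectedPrev = hash;
  }
  return true;
}

interface AarRecord { id: string; draftedBy: string; approvedBy: string | null; }

// Separation of duties at the API layer; the page says the DB repeats this as a CHECK constraint.
function approveAar(aar: AarRecord, approver: string, log: AuditLog, ts: string): AarRecord {
  if (approver === aar.draftedBy) {
    throw new Error(`separation of duties: ${approver} drafted ${aar.id} and cannot approve it`);
  }
  log.append(approver, `aar.approved:${aar.id}`, ts);
  return { ...aar, approvedBy: approver };
}

// Manifest: SHA-256 of every artifact, keyed by file name in sorted order so the
// same artifacts always produce the same manifest bytes.
function buildManifest(artifacts: Record<string, string>): Record<string, string> {
  const manifest: Record<string, string> = {};
  for (const name of Object.keys(artifacts).sort()) manifest[name] = sha256(artifacts[name]);
  return manifest;
}

// Names of manifest entries that are missing or whose content no longer matches.
function verifyManifest(manifest: Record<string, string>, artifacts: Record<string, string>): string[] {
  return Object.keys(manifest).filter((n) => artifacts[n] === undefined || sha256(artifacts[n]) !== manifest[n]);
}

// Constructed walk-through: draft, blocked self-approval, approval, export, then a post-export edit.
function demoBundle() {
  const log = new AuditLog();
  log.append("facilitator@example.test", "exercise.started", "2025-01-15T14:00:00Z");
  log.append("drafter@example.test", "aar.drafted:AAR-001", "2025-01-15T15:20:00Z");
  const aar: AarRecord = { id: "AAR-001", draftedBy: "drafter@example.test", approvedBy: null };

  let selfApprovalBlocked = false;
  try {
    approveAar(aar, "drafter@example.test", log, "2025-01-15T15:25:00Z");
  } catch {
    selfApprovalBlocked = true;
  }
  const approved = approveAar(aar, "ciso@example.test", log, "2025-01-15T16:00:00Z");

  const events = log.entries();
  const artifacts = { "aar.json": JSON.stringify(approved), "audit-log.json": JSON.stringify(events) };
  const manifest = buildManifest(artifacts);

  // Someone edits the exported log: both the chain and the manifest now fail.
  const tampered = log.entries();
  tampered[1].actor = "someone-else@example.test";
  const tamperedArtifacts = { ...artifacts, "audit-log.json": JSON.stringify(tampered) };

  return {
    selfApprovalBlocked,
    approvedBy: approved.approvedBy,
    eventCount: events.length,
    chainValid: verifyChain(events),
    tamperedChainValid: verifyChain(tampered),
    manifestClean: verifyManifest(manifest, artifacts),
    manifestAfterTamper: verifyManifest(manifest, tamperedArtifacts),
  };
}
```

Two design points worth noting. The chain alone catches in-place edits but not a wholesale re-generation of the log by whoever holds the server; that is what the optional RFC 3161 timestamp over the manifest adds, since a trusted third party attests that these exact hashes existed at a given time. And the manifest is built over sorted names so that re-exporting the same bundle yields byte-identical output, which is the property behind "deterministic, reproducible bundle export".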

From scenario draft to signed AAR — one workflow, one tenant, one bundle.

AI-assisted authoring. Immutable evidence. Drafter / approver separation. Built for the C3PAO, not the calendar invite.

Run a Defensible IR Tabletop in One Sitting

Start with a discovery call. We’ll walk through a sample scenario live, show the evidence bundle the C3PAO sees, and scope deployment to your tenant.