Fresh DFIR scenarios every night, calibrated to each analyst’s skill vector, with session replay and MITRE-mapped telemetry your auditors can read. One platform for security leadership buying skills uplift and training managers buying content.
LevelUp for enterprise isn’t a single SKU. Pick the product that fits your buyer — or combine two. Every product runs on REACTOR, so the content is always AI-generated, fresh, and non-leakable.
DFIR scenario training for your SOC. Multi-stage campaigns with per-user variants, platform-side grading against MITRE ATT&CK, and a REACTOR-generated challenge stream that stays fresh.
Run a branded competition on LevelUp. AI-generated, fresh per event — no writeup leakage, no shared answers between attendees.
REST API for evaluating autonomous security agents against REACTOR-generated challenges. Real-world sandboxes, not stale benchmarks.
National cyber talent programmes and university CTF curricula. Split-infra — LevelUp generates, you deploy on your own cloud.
Train your OT defenders on calibrated Modbus, DNP3, S7, OPC-UA, and EtherNet/IP scenarios. Anomaly hunts, IR triage, safety-violation detection — fresh every week, no writeups.
Not isolated challenges — narrative campaigns. Seven-plus stages flowing from ticket triage through evidence analysis, MITRE mapping, onchain tracing, and executive write-up. Platform-side grading throughout.
Per-user variants via ScenarioInstance mean two analysts see the same campaign with different IOCs, actors, and timestamps. No shared answers, no writeup cribbing.
Mixed grading modes — ticket triage (verdict + IOCs + MITRE ATT&CK techniques, F1-scored) and question bank (one-answer-at-a-time, hash-compared). The analyst work that SOC teams actually do.
Our first flagship reconstructs a 2025 crypto-exchange compromise — supply-chain JS tamper, multisig delegatecall takeover, cross-chain laundering. Fictional brand, real technique fidelity.
Hand-curated campaigns built to your brief today. URL-to-scenario ingestion on the roadmap.
Every capability tied to a real buyer requirement — not a bullet on a slide.
Narrative DFIR scenarios — ticket triage, evidence analysis, MITRE mapping, executive write-up. Per-user variants via ScenarioInstance mean two analysts see different IOCs, actors, and timestamps on the same campaign. No shared answers.
Hand-curated scenarios built to your brief today. REACTOR-generated challenges against your category mix. Visible only to your team.
Keystroke cadence, tool usage, retry patterns, AI-vs-human model-specific signatures — plus every terminal keystroke and tool invocation replayable for instructor review. You can tell a learner apart from a prompt.
Per-analyst skill vector across every category. Cohort coverage maps, solve-rate trends, par ratios, time-in-category.
For sovereignty or on-prem requirements. REACTOR runs in our cloud, delivery runs on your AWS or GCP tenant — your data never leaves your infrastructure.
SAML 2.0 integration with your IdP. Training-hour attestations and control mappings aligned to GDPR, SOX, PCI-DSS, and NIST.
A planned REACTOR capability will ingest a real breach write-up and reconstruct it as a multi-stage scenario in a Docker sandbox. Not yet shipped — today we ship hand-curated, real-world-inspired campaigns.
The planned flow: paste a public breach report URL, and REACTOR will read the advisory, extract the attack chain (initial access → lateral movement → exfiltration → impact), and reconstruct each stage as a deterministically varied sandbox your analysts can actually work.
Today the Designer agent generates from category + skill-vector targets. The ingestion extension hands it a structured attack-chain brief instead. Same downstream pipeline (Validator, Calibrator, Deploy) — different front end.
Written up in a rekt.news post, a CISA advisory, a vendor PIR, or a DFIR retrospective. All fair game.
There’s no logo strip on this page because we’re early and we don’t fake reference customers. What we do have is a 9-agent pipeline running in production against every challenge you’ll ever see on the platform.
Designer drafts. Static Analysis lints. Validator builds and proves solvability end-to-end. Calibrator scores difficulty. Repair patches on stage failure. Deploy hardens and ships. The Evolution Worker reruns the whole catalogue nightly. No stage is LLM-alone — every agent reads and writes to SAGE, the open-source memory framework underneath, so one agent’s lesson becomes the next agent’s starting context.
That’s the defensibility: fresh, non-leakable, validated content at a rate a manual authoring team cannot match.
Incident Range turns landmark security incidents into multi-stage, real-incident-inspired DFIR investigations — fictionalized, defanged, and built on no real victim data. Your SOC and blue teams move through alert triage and forensic question-banks the way they would on a real case, with difficulty ELO-matched to each analyst. Three try-campaigns are ready to run today.
Inspired by a real supply-chain intrusion, fully fictionalized. A trusted build pipeline ships a tampered update and a quiet beacon wakes up across the estate. The analyst triages the first alert, reverses the planted artifact, hunts host and DNS telemetry for the backdoor, then chases the lateral movement and identity abuse to its root.
Inspired by a real exchange compromise, fully fictionalized. A malicious signing flow tricks approvers into authorizing a hostile upgrade, and a custody wallet empties in minutes. The analyst triages the drain alert, reconstructs how the signature was subverted, then traces the stolen funds hop-by-hop across mixers and bridges into a laundering timeline.
Inspired by a real water-utility intrusion, fully fictionalized. An exposed remote-support tool lets an actor pivot from IT to a flat control LAN and write a rogue Modbus setpoint to a chemical-dosing PLC. The analyst triages the SCADA alarm, reconstructs the IT→OT pivot, reads the malicious Modbus writes off the wire, and maps it to MITRE ATT&CK for ICS.
Each campaign opens on a SOC ticket. The analyst delivers a verdict with IOCs, MITRE ATT&CK techniques, and a containment call — scored platform-side, not on the honour system.
Triage hands off to staged question-banks over logs, on-chain traces, and supply-chain artifacts. One answer at a time, hash-compared, the way real investigations actually unfold.
Difficulty is matched to each analyst’s ELO and skill vector, so a junior and a lead work the same incident at the right stretch. Real-incident-inspired, defanged, no real victim data.
Today, Incident Range ships as guided investigations. Live, multi-host range emulation is coming soon.
A solutions engineer walks you through REACTOR against one of your rotations, SSO against your IdP, and a pricing quote shaped to your seat count.
You’ll see:
The full intake form captures your team size, compliance requirements, and timeline so the demo is tailored to your stack before we meet. Takes two minutes.