Help Center / Getting started
Getting started
This page covers what Klaxon is, the local-first / zero-network promise, how to open the app, how to declare your first incident, and a full worked sample.
On this page
What Klaxon is
Klaxon is two tools fused into one console:
- An incident-response war-room. When something goes wrong — ransomware, a lost laptop, a vendor breach — you declare an incident, assign roles, work the playbook, log every action to an append-only forensic timeline, attach evidence, and record who you communicated with and when.
- A breach-notification deadline engine. You enter the facts of the incident (what data, how many people, in which states, and which regulated-data flags apply). A deterministic rules engine then computes the exact set of who you must notify and by when — every U.S. state's individual and attorney-general notices, plus HIPAA, GDPR, DFARS, the SEC 8-K rule, CIRCIA, Canada's PIPEDA, and Québec's Law 25 — each with a live countdown clock.
It is a static browser app: plain HTML, CSS, and JavaScript, no build step and no install. You run it by opening a web page.
The local-first / zero-network promise
An active breach is the worst time to send sensitive details to a third-party SaaS — your network may be the very thing that's compromised. Klaxon is built around that reality:
- Everything is stored in your browser's localStorage. Incidents, the timeline, evidence hashes, tasks, the comms log — all of it stays on the machine you're using. There is no account and no sign-up to use the core console.
- The core console makes zero network calls. Once the page and its content packs have loaded, computing deadlines, sealing the timeline, generating letters, and running tabletops all happen offline, in the browser. You can compute deadlines even if your network is down.
- The cloud tier is strictly opt-in and additive. There is an optional cloud seam (sign-in, evidence publishing, and scheduled reminder push). It never runs unless you explicitly enable it, and the local incident path is never routed through it. If the cloud module fails to load, the war-room stays fully functional. See Security & privacy and Scheduled push.
Because data lives in one browser profile on one machine, treat that machine like the system of record: it is not automatically synced or backed up. Use the export functions (PIR, auditor bundle, .ics, letters) to get durable copies out. See Security & privacy → Backups.
Opening the app
Klaxon must be served over HTTP (not opened as a file:// path), because browsers block the fetch() calls that load the jurisdiction and playbook data when a page is opened directly from disk.
| # | Step |
|---|---|
| 1 | If you are using the hosted version, just open the app page — typically /app/index.html — from the site's navigation ("Open app"). |
| 2 | If you are running it yourself from the repository, start any static web server in the project folder. A simple one ships with Python: python3 -m http.server 8000 |
| 3 | Open the app at http://localhost:8000/app/index.html. The standalone deadline calculator is at /engine.html; the marketing home is /index.html. |
| 4 | You should see the console with six tabs across the top. If you instead see "Failed to load content packs," you opened it over file:// — see Troubleshooting. |
The six tabs at a glance
| Tab | What it does |
|---|---|
| Incidents | The war-room. Declare incidents, set facts, see the live obligation clock and reminder cascade, the append-only timeline, roles, tasks, evidence, comms log, and the "what-changed" law-update feed. |
| Playbooks | A library of eight curated runbooks mapped to the NIST incident-response lifecycle, with built-in notification-trigger checks. |
| Tabletop | Run one of six timed exercise scenarios, release injects, score against a rubric, and generate an after-action report. |
| Notification Engine | A standalone calculator: toggle states and flags, compute obligations, see substitute-notice and credit-monitoring helpers, and export the deadline calendar. |
| Letters | The jurisdiction-correct letter generator (individual, state AG, HHS, DFARS, GDPR, media, OPC, Québec CAI, substitute notice). |
| AI Copilot | Optional, off by default. A bring-your-own-key, client-direct AI assistant for prose only (summaries, drafts) — it never sets legal deadlines. |
Declaring an incident
- Open the Incidents tab.
- Click Declare incident.
- Enter a short title, for example "Ransomware — front office", and confirm.
- Klaxon creates the incident with a unique case ID (like INC-...), severity SEV2, status Open, and a discovery timestamp set to "now." It immediately seeds the append-only timeline with a "Incident declared" event.
- You are dropped into the incident detail view, where you'll set facts, assign roles, and work the response.
The discovery time is the legal clock anchor for most obligations. It defaults to the moment you declare, but you should correct it on the facts form to the actual moment of discovery — see how the clock anchor works.
A worked sample incident
Follow this end-to-end to see every core feature. It uses a realistic multi-state health-data breach.
| # | Do this | What you'll see |
|---|---|---|
| 1 | Incidents → Declare incident, title it "Sample — clinic data breach." | A new incident opens with a live timeline and empty obligation table. |
| 2 | In Incident facts, set Discovered at to a recent date/time. | This anchors the deadline clocks. |
| 3 | Check the data types Name, SSN, and PHI/health. | SSN drives credit-monitoring analysis; PHI triggers HIPAA. |
| 4 | Check the regulated-data flag HIPAA / PHI. | Turns on the HIPAA framework obligations. |
| 5 | In Affected individuals by state, enter CA:600, FL:200, WA:150. | Total affected becomes 950. |
| 6 | Click Update facts & recompute. | The Obligations & deadline clock table fills in. |
| 7 | Read the obligation table. | You should see: HIPAA Notify affected individuals (60 days) and Notify HHS OCR (500+, 60 days); per-state individual notices — Florida 30 days, Washington 30 days, California 30 days (SB 446); and a California AG notice because 600 ≥ the 500 threshold. Each row has a live mono countdown colored red / amber / green. |
| 8 | Notice the California AG row carries an amber "fallback — record notice date" pill. | California's AG clock runs 15 days after you notify residents. Until you record the real notice date, Klaxon anchors to the conservative latest lawful date. See post-individual AG clocks. |
| 9 | In Individual-notice date sent, per state, enter CA:2026-06-10 and recompute. | The California AG deadline re-anchors to 2026-06-25 (notice + 15 days), and the pill turns green: "from actual notice date." |
| 10 | On the right, fill in Roles and click Save roles. | The Incident Commander shows on the incident; a timeline event records the change. |
| 11 | Under Launch playbook, pick "Data Breach (PII/PHI Exfiltration)" and click Launch. | The playbook's steps become tracked tasks; notification-trigger steps are flagged. |
| 12 | Attach a file under Evidence. | The file is SHA-256 hashed in your browser; only the filename and hash are stored — the file itself is never uploaded. |
| 13 | Look at the badge next to the incident ID. | A green "timeline verified" badge — the timeline is sealed with a hash chain. See Timeline integrity. |
| 14 | Go to the Letters tab and pick "Notice to Affected Individuals." | The letter prefills from the incident facts and flags any missing required fields. Because SSN is involved in mandating states, the credit-monitoring clause is available. |
| 15 | Back on the incident, click PIR and Auditor bundle. | You get a Markdown Post-Incident Report and a JSON bundle for auditors / cyber-insurers. |
That is the whole core loop. Each step is documented in depth on its own page:
- The incident workflow — facts, roles, tasks, evidence, comms, timeline.
- Obligation clocks — how every deadline above was computed.
- Notification letters — generating and exporting letters.