After ActionAll whitepapers
Methodology Disclosure

After Action Report Auto-Drafting: From 4 Hours to 50 Milliseconds

A deterministic synthesis methodology for crisis exercise reports

After Action | Version 1.0 | April 2026

Executive Summary

The After Action Report (AAR) is the most valuable artifact a tabletop exercise produces. It translates 90 minutes of chaotic decision-making into a structured document with findings, strengths, action items, and a narrative executive summary. Done well, it drives remediation for the next 12 months. Done poorly, it sits in a shared drive.

The problem: AARs take facilitators 4–6 hours to write, often under time pressure after the exercise itself has consumed their day. When facilitators are overloaded, AARs slip. When AARs slip, clients disengage. When clients disengage, renewal rates drop.

After Action solves this with auto-draft AAR synthesis: a pure-function rule engine that takes exercise data (decisions, gaps, facilitator notes, readiness scores) and produces a fully populated AAR in under 50 milliseconds. The facilitator's job becomes review and refine, not write from scratch.

This whitepaper documents the synthesis rules.

1. The AAR Structure

Every After Action AAR contains:

  1. Executive Summary — 3–5 sentences framing the exercise outcome for leadership
  2. Scenario Narrative — what participants worked through
  3. Overall Rating — critical / high / medium / low severity
  4. Facilitator Notes — methodology, observations, caveats
  5. Findings — every gap, ranked by severity, with framework references
  6. Strengths — demonstrated capabilities and team behaviors worth celebrating
  7. Objective Results — per-objective "met / partial / not met" assessment
  8. Action Items — remediation tasks with owners, due dates, and priorities

Every field must be populated. Blank sections signal laziness to the client and damage trust.

2. The Synthesis Rules

2.1 Overall Rating Derivation

The rating is derived from the readiness score when available (most objective), falling back to gap severity distribution:

if readiness_score >= 80:      'low'       (minor adjustments only)
elif readiness_score >= 65:    'medium'    (moderate improvement opportunities)
elif readiness_score >= 45:    'high'      (significant gaps)
else:                          'critical'  (immediate attention required)

Fallback when no readiness score exists:

  • Any critical gap → 'critical'
  • Any high gap → 'high'
  • Any gap at all → 'medium'
  • No gaps → 'low'

2.2 Executive Summary Builder

The executive summary is assembled from 3–5 sentence templates that auto-insert exercise data. Example template:

Sentence 1 (opener):
  "On {date}, {org_name} completed a facilitated crisis exercise
   based on the '{scenario_title}' scenario{participant_clause}."

Sentence 2 (overall finding):
  IF readiness_score is available:
    "The exercise revealed {rating_label}, with an overall readiness
     score of {score}/100 measured across eight capability dimensions
     aligned to NIST 800-61."
  ELSE:
    "The exercise revealed {rating_label} across the team's incident
     response capabilities."

Sentence 3 (gap summary — only if gaps exist):
  IF critical_count > 0 OR high_count > 0:
    "{critical_count} critical and {high_count} high-severity gap(s)
     require immediate attention, with a structured remediation plan
     included below."
  ELIF open_gaps > 0:
    "{open_count} improvement opportunities were identified, prioritized
     by risk reduction impact."

Sentence 4 (engagement closing — only if decisions exist):
  IF decision_count > 0:
    "Participants contributed {decision_count} decisions across the
     scenario, providing the evidence base for the findings and
     recommendations in this report."

Why this works: Every sentence is grammatically complete regardless of which variables are filled in. Missing data gracefully omits entire sentences rather than producing fragments. The output reads like a human wrote it.

2.3 Scenario Narrative Builder

Auto-composed from 4 layered pieces of information:

  1. Scenario summary (if provided by the exercise designer) — used verbatim
  2. Adversary profile — "Scenario context — adversary profile: {actor}; initial vector: {vector}"
  3. Format and duration — "The exercise was delivered {remote|on-site} over {duration} minutes and structured around {inject_count} discrete injects"
  4. NIST coverage — "Inject coverage spanned {categories} phases of incident response, aligned to NIST 800-61"

Missing pieces are silently omitted.

2.4 Findings from Gaps

Only open gaps become findings. Remediated gaps stop being "findings" — they move into the strengths narrative as evidence of follow-through.

For each open gap:

Finding:
  title: gap.title
  description:
    IF gap.description exists: use it verbatim
    ELIF gap has inject reference: "identified during the exercise
      while participants responded to inject '{inject.title}'. It
      represents a gap between current capability and target readiness."
    ELSE: generic "identified during the exercise..."
  severity: gap.severity
  capability_area: gap.category
  inject_reference: inject.title or null
  sort_order: sorted by severity (critical → info) then by title

2.5 Strengths Generator

The strengths section is the hardest part to auto-generate — it requires identifying and narrating positive behaviors. After Action uses pattern matchers on the decision and score data:

Pattern 1: High-confidence decisions

IF count(decisions where confidence >= 4) >= 3:
  Emit: "Strong decision confidence across the team — {N} of {total}
  decisions were submitted with high confidence (4+ out of 5),
  indicating clear mental models and playbook familiarity."

Pattern 2: Sustained engagement

IF unique_participants >= 3 AND total_decisions >= participants * 2:
  Emit: "Sustained engagement throughout the exercise — {participants}
  participants contributed an average of {avg} decisions each,
  demonstrating consistent focus across all injects."

Pattern 3: Remediation discipline

IF remediated_gaps > 0:
  Emit: "Active remediation discipline — {N} previously identified
  gap(s) have already been closed, showing follow-through between
  exercises."

Pattern 4: Strong capability areas

IF readiness_score exists:
  strong_areas = capability_areas where score >= 75
  IF strong_areas is not empty:
    Emit: "Demonstrated capability strength in {top 3 areas}
    (all scoring 75+ against the eight-dimension readiness model)."

Fallback: If no patterns match, emit a generic "The team committed time and attention to running this exercise — the single most important predictor of crisis response maturity."

This pattern-matching approach guarantees at least one strength is always emitted, avoiding the awkward empty-strengths problem that breaks narrative tone.

2.6 Action Items with Smart Due Dates

Every open gap produces one action item. Due dates are derived from severity:

critical: due +14 days from now
high:     due +30 days
medium:   due +60 days
low:      due +90 days
info:     due +120 days

Why these thresholds: Aligned with NIST 800-61 remediation velocity expectations. Critical findings should be addressed within two weeks because attackers don't wait. Low findings can wait a quarter without materially changing risk posture.

Owner is inherited from gap.owner if present, otherwise null (the client has to assign).

2.7 Facilitator Notes Auto-Draft

The facilitator notes section is the most subjective, so the auto-drafter produces a data snapshot rather than prose:

Auto-drafted from exercise data. Review and update before shipping.

Data snapshot:
  • Injects: {count}
  • Decisions: {count}
  • Open gaps: {open}/{total}
  • Participants: {count}
  • Readiness score: {score}/100

This gives the facilitator a baseline to edit. They can replace it entirely with their own observations, or append to it.

3. Performance

The entire synthesis runs in under 50 milliseconds on typical exercise data (10–20 injects, 30–50 decisions, 5–15 gaps). This is faster than a database round-trip.

Why it matters: The facilitator can hit "Auto-draft" during the debrief while the exercise is still fresh in everyone's memory. There's no "come back later when it's done" delay that would break the flow.

4. The Review Workflow

The auto-draft is not the final AAR. It's a first draft. The facilitator's job is to:

  1. Read the executive summary and adjust the tone for this specific client
  2. Refine the scenario narrative with observations that weren't in the structured data
  3. Add specific findings that emerged from participant discussions but weren't logged as gaps
  4. Edit strengths to name specific team members who did well
  5. Review action items and add implementation details the gap tracker didn't capture
  6. Approve and ship via the "Ship to Client" button

This is a 5-minute task, not a 4-hour task. The auto-draft preserves the facilitator's judgment while eliminating the blank-page problem.

5. Why Rule-Based, Not LLM

5.1 Determinism

Every input produces the same output. This is critical for:

  • Audit defensibility — you can reproduce an AAR months later
  • Regression testing — tests pin exact outputs
  • Regulatory review — auditors can inspect the rules

LLMs are non-deterministic by design. Even with temperature=0, small prompt changes cause large output changes.

5.2 Speed

50ms vs. 5-15 seconds for an LLM call. The facilitator experience is immediate.

5.3 Cost

Zero marginal cost per draft. LLM API calls cost money per generation. Across thousands of AARs per year, this compounds.

5.4 No dependency on external services

The engine runs with no network, no API keys, no vendor. The platform can operate even if OpenAI, Anthropic, and every LLM provider goes offline.

5.5 When LLM augmentation helps

Optional: An LLM can be layered on top of the rule-based output to:

  • Improve prose fluency in the executive summary
  • Suggest alternative phrasings for findings
  • Translate the AAR into other languages

But the rule-based output is always the source of truth. The LLM polishes; it doesn't decide.

6. Integration with the Delivery Loop

The auto-draft engine is called from two places:

6.1 Review Queue one-click

From /app/ops/review-queue, Scotty clicks "Auto-draft" on any SLA-breached exercise. The engine runs, the AAR is created in the database, findings and action items are seeded, and the editor opens.

6.2 Ops Engagement Detail page

When an engagement has a completed exercise but no AAR, the empty state on /app/ops/engagements/[id] shows an "Auto-draft" button that triggers the same flow.

6.3 Ship-to-client integration

After editing, the "Ship to Client" button marks the AAR as status='shipped', sets shipped_at, sends an email to every client-role member of the client org, and makes the AAR visible in the client portal. The visibility gate in loadClientDashboard filters out AARs that aren't shipped — clients never see drafts.

This closes the loop: exercise data → auto-draft → review → ship → client notification → portal visibility → action item assignment → remediation.

7. Licensing

The auto-draft synthesis rules, pattern matchers, and severity-to-due-date mappings are proprietary trade secret. The full source is in src/lib/aar-draft.ts and licensed via licensing@afteraction.dev.

© 2024-2026 After Action. Auto-draft methodology is proprietary. Contact licensing@afteraction.dev for commercial terms.

Commercial licensing

The methodology is disclosed here for transparency. Implementation is proprietary trade secret, distributed as source under commercial terms. For carrier integrations, OEM embedding, or academic citation, contact the licensing team.

licensing@afteraction.dev