
The Human Connection Blog

From Simulation to Strategy: Empowering Crisis Readiness at SANS

stephanieantonellis
9 days ago

Immersive recently partnered with Saudi Air Navigation Services (SANS) to conduct a crisis simulation that tested the cybersecurity team's ability to respond to a targeted attack. The exercise united the security operations center (SOC), incident response, and IT/OT teams, but the real value came from empowering SANS to create its own custom scenarios.


In this blog, I share my perspective as a cyber resilience advisor, exploring how SANS equipped its team to design and deliver exercises based on real-world incidents. What started as a one-time event has become an ongoing project to build internal capability and use the platform for continuous team development and upskilling. 

A tailored event

On May 26, we ran a crisis simulation event with the cybersecurity team at SANS, an organization where cybersecurity plays a critical role in protecting aviation operations and national infrastructure.

The scenario, adapted from the Immersive catalog, was tailored to the aviation industry and focused on a targeted malicious code attack exploiting the Follina vulnerability (CVE-2022-30190). 

It brought together the SOC, incident response, and IT/OT teams to work through a high-pressure situation that tested their ability to detect, contain, and recover from a cyberattack. 

While the simulation itself was valuable, what stood out most was the team’s immediate interest in expanding their internal capabilities and using the Immersive platform to create their own simulations in the future.

Enabling ownership

Following the event, we hosted two hands-on workshops to support the team in designing their own crisis simulations.

The first workshop focused on developing familiarity with the platform. SANS explored the Crisis Simulation module, navigated the scenario catalog, and learned how to use existing content as templates to build custom scenarios.

After participating in this workshop, the head of cybersecurity at SANS described it as “truly interactive, well-executed, and highly engaging… The hands-on approach and practical scenarios helped enhance our technical readiness and cross-team coordination”.

The second workshop walked through the full development process, from discovery and design to development and build, helping the team shape a simulation based on a real incident from their organization. 

Together, we explored how simulations can be used not just for readiness, but as a practical upskilling tool grounded in real operational risk.

A collaborative path forward

What began as a single simulation has turned into an ongoing partnership. We’re now supporting the SANS team as they take ownership of their crisis readiness, developing internal simulations aligned with their environment, challenges, and goals. 

This is the value of Immersive in action: not just running simulations, but empowering teams to build their own scenarios.

Creating a playbook for success

While working with SANS, we used the Malicious Code: Incident Responder crisis simulation from the Immersive catalog as the foundation, changing the decision points (known as injects) to fit the roles that were participating in the simulation. 

After additional tweaks to the terminology and narrative to better represent the aviation industry, we were able to accurately model a realistic scenario for SANS. 

You can follow a similar process to create your own crisis simulation framework. Simply export a scenario from our catalog as a building block and personalize it to suit your industry and needs. Keep these tips in mind:

  • Customize the terminology used in the scenario to reflect your organization. While many of our out-of-the-box scenarios refer to financial services or government, they can easily be adjusted. 
  • Use historical incidents to shape the crisis simulation and explore best practices. When you catalog events that have happened within your company or industry, newer employees can use this knowledge to better prepare for similar challenges in the future.
  • Encourage teams to use the platform to share knowledge based on their experience, so colleagues can learn from examples. Draw on your own procedures and policies to create a playbook for the future.

Beyond the tabletop: Expanding the value of crisis simulation

Running a crisis simulation is just the beginning. Once a team has participated in a full-scale exercise, there’s a powerful opportunity to build on that momentum using the same tools to embed resilience deeper into the organization. 

Here are just a few ways teams can expand the impact:

  • Explore team-based microsimulations to reinforce best practices. Use short, focused exercises (15–30 mins) to target the specific response skills of a single team. 
  • Engage in case study reflection exercises. Take a real incident (internal or public), build it into a learning scenario, and allow teams to step through the decision-making and ask: “What would we have done?”

Beyond crisis: Using the platform for everyday development

Crisis simulations are powerful — but the platform can also support ongoing team growth outside of high-pressure scenarios. 

Beyond crisis response, organizations can use Immersive to:

  • Onboard new team members. Introduce new joiners to tools, roles, and escalation paths through guided, scenario-based learning.
  • Provide career development paths. Use simulations to expose team members to higher-level decision-making, preparing them for future roles in incident leadership or governance.

Do you have any alternative use cases for crisis simulations beyond crisis response itself? Share them in the comments!

Updated 9 days ago
Version 2.0

1 Comment

  • What a brilliant accomplishment 👏
    I can attest to the value of the crisis sims. I've done a few live crisis sims, and it opens up new avenues of thinking.
    I wish more people in my organisation were interested in them 🤔