crisis simulations
From Simulation to Strategy: Empowering Crisis Readiness at SANS
In this blog, I share my perspective as a cyber resilience advisor, exploring how SANS equipped its team to design and deliver exercises based on real-world incidents. What started as a one-time event has become an ongoing project to build internal capability and use the platform for continuous team development and upskilling.

A tailored event

On May 26, we ran a crisis simulation event with the cybersecurity team at SANS, an organization where cybersecurity plays a critical role in protecting aviation operations and national infrastructure. The scenario, adapted from the Immersive catalog, was tailored to the aviation industry and focused on a targeted malicious code attack exploiting the Follina vulnerability (CVE-2022-30190, the Microsoft Support Diagnostic Tool remote code execution flaw, typically triggered from a crafted Office document). It brought together the SOC, incident response, and IT/OT teams to work through a high-pressure situation that tested their ability to detect, contain, and recover from a cyberattack.

While the simulation itself was valuable, what stood out most was the team's immediate interest in expanding their internal capabilities and using the Immersive platform to create their own simulations in the future.

Enabling ownership

Following the event, we hosted two hands-on workshops to support the team in designing their own crisis simulations.

The first workshop focused on developing familiarity with the platform. SANS explored the Crisis Simulation module, navigated the scenario catalog, and learned how to use existing content as templates to build custom scenarios. After participating in this workshop, the head of cybersecurity at SANS described it as "truly interactive, well-executed, and highly engaging… The hands-on approach and practical scenarios helped enhance our technical readiness and cross-team coordination".

The second workshop walked through the full development process, from discovery and design to development and build, helping the team shape a simulation based on a real incident from their organization.
Together, we explored how simulations can be used not just for readiness, but as a practical upskilling tool grounded in real operational risk.

A collaborative path forward

What began as a single simulation has turned into an ongoing partnership. We're now supporting the SANS team as they take ownership of their crisis readiness, developing internal simulations aligned with their environment, challenges, and goals. This is the value of Immersive in action: not just running simulations, but empowering teams to build their own scenarios.

Creating a playbook for success

While working with SANS, we used the Malicious Code: Incident Responder crisis simulation from the Immersive catalog as the foundation, changing the decision points (known as injects) to fit the roles that were participating in the simulation. After additional tweaks to the terminology and narrative to better represent the aviation industry, we were able to model a realistic scenario for SANS.

You can follow a similar process to create your own crisis simulation framework. Simply export a scenario from our catalog as a building block and personalize it to suit your industry and needs. Keep these tips in mind:

- Customize the terminology used in the scenario to reflect your organization. While many of our out-of-the-box scenarios refer to financial services or government, they can easily be adjusted.
- Use historical incidents to shape the crisis simulation and explore best practices. By cataloging events that have happened within your company or industry, newer employees can use this knowledge to better prepare for similar challenges in the future.
- Encourage teams to share knowledge using the platform based on their experience, so colleagues can learn from examples.
- Draw on your own procedures and policies to create a playbook for the future.

Beyond the tabletop: Expanding the value of crisis simulation

Running a crisis simulation is just the beginning.
Once a team has participated in a full-scale exercise, there's a powerful opportunity to build on that momentum using the same tools to embed resilience deeper into the organization. Here are just a few ways teams can expand the impact:

- Explore team-based microsimulations to reinforce best practices. Use short, focused exercises (15–30 minutes) to target the specific response skills of a single team.
- Engage in case study reflection exercises. Take a real incident (internal or public), build it into a learning scenario, and allow teams to step through the decision-making and ask: "What would we have done?"

Beyond crisis: Using the platform for everyday development

Crisis simulations are powerful, but the platform can also support ongoing team growth outside of high-pressure scenarios. Beyond crisis response, organizations can use Immersive to:

- Onboard new team members. Introduce new joiners to tools, roles, and escalation paths through guided, scenario-based learning.
- Provide career development paths. Use simulations to expose team members to higher-level decision-making, preparing them for future roles in incident leadership or governance.

Do you have any alternative use cases for crisis simulations beyond crisis response itself? Share them in the comments!

More Immersive Cyber Drills: How Rich Media Can Bring a Scenario to Life
When running a cyber drill, it's useful to have a consistent and cohesive sense of the story throughout. The use of branding and rich media (videos and audio related to the theme) can engage participants through a sense of world-building and storytelling. Imagine your company drill looking like your company: logo, color scheme, font and all.

The Brand

It's a good idea to start with all the assets needed to create the custom content. In my case, I created a logo and color scheme for a fictional news company, CHANNEL 6 News. The intention was to create a consistent look and feel for the news updates we would use. Using a simple color palette and classic news branding style, I could then create a virtual website for news updates using presentation software. This allows for ease of editing and can be presented full-screen to look like a webpage.

A key requirement of the project was to create content that could be edited by anyone, with no special software needed. This is just a slide in a presentation! The slide format could be used to represent a company website, a news outlet, or anything to aid the storytelling. Each slide in the presentation is a copy of the previous, but the news story is changed (title, image, and copy).

Rich Media

Video is engaging; it grabs our attention and helps with immersion. Video that has relevant branding and specifics has the chance to immerse participants even further. Continuing with the Channel 6 News theme, I used an AI video generator to create a news presenter intro and outro, all within a single prompt to maintain a consistent look. I also created a graphical intro in professional video editing software, aligning the branding and adding stock backing music.

Using a more stripped-back video editing app, such as Google Vids, templates can be created with the intro and outro already in place. In between, video clips and voiceover (also generated) provide the main content of the news update.
These templates allow for quick editing by anyone without the need for expert software. Download the MP4, and we're ready to slot it into a cyber drill! Here's an example of the intro/outro and a small amount of content in between.

Company Videos

Immersive has a fictional company it uses for Crisis Sims called Orchid Corp. We have brand assets (logos, graphics, etc.) that we use to create print and digital media. I created employee welcome videos using stock media and generated voiceover audio, which ended up being fairly convincing. Now, imagine your company assets in whatever type of video you want. Perhaps a news broadcast, maybe an internal or external press release on the crisis situation. The more entertaining and interesting the content, the more immersion and engagement. Because generated clips in your own branding can be convincing, mark them clearly as exercise material so they can't be mistaken for a genuine broadcast or announcement if they circulate beyond the drill.

Prove and Improve

Running drills with custom videos will capture your audience's attention and imagination. There's a great opportunity to review how the media can be adjusted for further storytelling depth. It could be effective to have the story evolve at a future drill, building on the actions taken previously. Having templates for the content, such as a news update clip, means that significant time is saved in preparation and a consistent feel is kept across drills.

Immersive x CSIDES - Crisis Sim on the pier
This is a ticketed event - Tickets available here!

Ready to experience a dramatic and engaging Crisis Simulation on the pier in Weston? We're teaming up with CSIDES to give you the chance to experience what it's like when crisis hits a business and decisions need to be made to get to a good place. This is an interactive exercise for all levels of expertise. All you need is to turn up and join in!

## MORE DETAILS STILL TO BE FINALISED, watch this space

From CSIDES:

CSIDES is a community conference run by Defend Together CIC (Registered: 16182563), a not-for-profit organisation founded by experienced professionals with a passion for information & cyber security, and investment in UK coastal communities. The CSIDES event will include information & cyber security related talks and activities run by the community, for the community. It's a conference for anyone interested in the industry and a forum for learning, sharing ideas, getting involved and networking.

CSIDES is also working with local and central government to improve investment, as well as security awareness & literacy in UK coastal communities, who have historically been underrepresented. We are also proud to be building a larger network of community-driven CSIDES conferences throughout the UK that support inclusion, innovation, and growth in our coastal communities.

Elevating Cyber Resilience: How GenAI is Revolutionizing Crisis Simulations
Cyber threats have become a pervasive force within the business world, elevating the need for regular cyber resilience exercises into an organization-wide imperative. Genuine resilience is about more than prevention. It's the agility to identify, respond to, and recover from disruptions while minimizing the impact on business operations. This approach, which acknowledges the inevitability of a cyber event, is the hallmark of truly resilient organizations.

Crisis simulations and cyber exercises are core to cultivating this resilience. Traditional cyber exercises, often static and presentation-driven, tend to serve as theoretical validations. While valuable for reviewing playbooks and pinpointing theoretical vulnerabilities, they frequently fall short of genuinely testing incident response and crisis handling capabilities, particularly in the dynamic, high-pressure environment of a real-world attack. The sheer velocity of modern cyber threats, increasingly assisted by AI, demands a new level of precision and relevance in simulations.

This is where Generative AI (GenAI) comes in. It can transform how we design and execute tabletop-style cyber crisis simulations, making them profoundly relevant and impactful.

The challenge of an unpredictable threat landscape

While traditional crisis simulations are beneficial, they have certain limitations. The first is that it's difficult and time-consuming to create realistic scenarios that reflect the latest threat actor tactics, techniques, and procedures (TTPs), and are meticulously tailored to an organization's unique infrastructure and risk profile. Analysts dedicate extensive hours to research, developing intricate narratives and manually injecting variables to ensure a robust challenge. Even so, this can result in a predictable exercise that doesn't fully prepare teams for the inherent chaos and unpredictability of a real-world incident.

The human element in cyber resilience is also key.
As Oliver Newbury, a member of Immersive's board of directors, recently emphasized: "Security is about people, process, and technology. I would have expected as much focus on upskilling people as on implementing new tools. It's the people using those tools who ultimately prevent breaches."

Static simulations often fail to truly engage and challenge human teams, limiting their ability to build crucial muscle memory for swift decision-making under pressure.

Elevating your crisis simulations with GenAI

So, how does GenAI fit into the picture? This technology can create novel content based on patterns learned from vast datasets. In doing so, it offers an opportunity to inject realism and adaptability into crisis simulations. Consider the possibilities:

- Hyper-realistic scenario generation: GenAI can analyze current threat intelligence, recent attack patterns, and insights into your organization's specific weak spots to generate realistic and precisely tailored crisis scenarios. This ensures each exercise directly reflects the most pertinent and dangerous threats, making the experience far more impactful for your teams.
- Optimized playbook stress testing: GenAI doesn't just ease the exercise creation process; it can analyze your existing playbooks and processes. It can then generate crisis scenarios specifically designed to stress-test your response plans, ensuring they're robust and effective under pressure. This helps validate that your playbooks and processes are truly ready for action. Playbooks and internal process documents are sensitive, so only feed them to a model or service your organization has approved for handling that material.
- Realistic communications and media drills: In addition to the technical aspects, GenAI can simulate realistic internal and external communications during a crisis. It can generate mock press releases, social media posts, and even stakeholder questions, exercising your communications team's ability to manage public perception and share accurate information under pressure. This is critical for protecting your brand reputation during a breach.
- Instant feedback and analysis: After an exercise, GenAI can quickly crunch the data generated during the simulation, giving you detailed insights into team performance, response times, decision accuracy, and where you can improve. This speeds up the feedback loop, helping you tweak and strengthen your resilience strategies much faster.
- Tailored learning journeys: After an exercise, GenAI can analyze how an individual or team performed, then recommend follow-up scenarios or activities to address weaknesses or enhance key skills. This allows for truly personalized and continuously improving readiness programs.

Think about the recent growth in sophisticated, AI-assisted attacks, from deepfake scams to highly targeted ransomware. Organizations have to be ready for these advanced threats, and old methods alone might not be enough. GenAI lets us simulate these next-generation attacks with a level of detail that was previously out of reach. This ensures teams aren't just prepared for what's already happened; they're ready for what's coming.

Empowering your people

It's important to remember that GenAI is here to improve human expertise, not replace it. Just as information recall differs from true knowledge, GenAI augments the critical "knowledge work" in cybersecurity rather than replacing it. Our real value isn't just in what we know, but how we apply, interpret, and synthesize that knowledge to drive meaningful outcomes. Our job is to use tools like GenAI to empower our organizations and teams and provide them with realistic and effective exercise environments. That still means an analyst reviews every generated scenario, checking that its TTPs, timeline and indicators are accurate and plausible for your environment, before it is put in front of a team.

GenAI offloads the rote, time-consuming tasks of content creation and data sifting, freeing us up to focus on high-value actions such as analyzing results, mentoring teams, and fine-tuning strategic responses. This pushes us towards the "wisdom work" that truly defines expertise in cyber resilience.
Building a culture of constant improvement

The ultimate goal of bringing GenAI into crisis simulations is to build a culture of constant improvement, where cyber readiness isn't just a checklist item, but a deep-seated organizational habit. By immersing our teams in hyper-relevant, dynamic, and challenging scenarios, we build the confidence, skills, and muscle memory they need to ride out the inevitable cyber storms with resilience and agility.

How are you using GenAI to improve your cyber resilience? Share your thoughts and experiences in the comments below!

The secret to hosting an engaging Crisis Sim
Before I start, it's important to take a moment to acknowledge that I'm privileged to work with some fantastic experts. Immersive's Crisis Sim lead, JonPaulGabriele, is our very own Daedalus, for any Greek mythology fans. That might make me Ariadne, helping people to navigate the labyrinth. I don't know who the minotaur is; Greek analogies may not be my forte!

JonPaulGabriele builds some fiendishly difficult scenarios that start out with a seemingly everyday occurrence, which quickly spirals out of control. It could involve coordinating a global response to an unprecedented disaster, dealing with a nation-state threat actor who's holding your data to ransom, or even tracking down the missing Santa Claus. Whatever the situation, the principle behind every Crisis Sim is the same: to help people develop decision-making muscle memory and the ability to act with confidence when rapid decisions are required.

I'm sure you're already familiar with the importance of regular exercises, but it's not you that we need to convince; it's your chosen audience. We need to be able to capture their attention and get them to put their phones down. If they're not present in the room and genuinely engaged with the exercise and its outputs and findings, you're doomed to fail. So, how do we go about achieving this?

Use storytelling

I'm a big believer in the power of both storytelling and humour to pique people's interest. Storytelling is an incredibly powerful technique to connect, persuade, and inspire people to act by tapping into shared experiences and emotions. In the words of Simon Sinek: "Stories allow us to visualize, empathize, and connect in ways that statistics never could." I use stories when I'm setting the scene or outlining the details of the exercise we're about to go through. Hopefully I'll get an initial laugh, or an eye roll; those are just as good, quite frankly!
Challenge echo chambers

Making sure all voices and opinions are treated equally is critical to support learning and drive genuine change. Echo chambers don't make for robust environments to test processes and decision-making abilities. It's important to involve everyone as much as possible and avoid immediately ruling anything out; explore the ideas that people bring to the table in an open way.

Creating a safe environment

Being able to fail in a safe environment is essential to help people feel like they can speak up. I like to reference this somehow in my introduction to the exercise, just to let people know the kind of environment they're entering, but you have to actually follow through. It can be small things, like observing who the big voices in the room are and making sure they don't dominate. These voices are your friends when you need someone to speak up, but don't let them take over. For quieter people, I try to notice when it looks like they have something to share and make some space in the room for them. It could be as simple as saying to someone: "It looked like you wanted to say something earlier. Would you like to share it with us now?" A slightly more challenging approach might be something like: "Does anyone disagree with the previous statement?" Or, you could soften this to: "Does anyone have a different view?" You'll need to gauge your audience and determine which approach is right for the room. Of course, this is harder to do online, but cut yourself some slack, too. You also need to be able to fail in a safe environment! Giving people space to speak up should make them feel more comfortable doing so; it's a win-win.

Set expectations

The next thing I like to do in my introduction is some housekeeping. I'm an ex-project manager, and old habits die hard. Set expectations and provide clarity on what's about to happen by outlining any specific rules, items, or actions that you want people to be aware of.
If you're doing something unusual or unexpected during the exercise, like with our recent Flip Reversal session, you'll want to avoid any confusion, as this can lead to frustration and reduced engagement.

Be kind to yourself

Finally, remember that even people who regularly go on stage in front of large audiences are slaves to their body's own systems and reactions. I always get nervous before doing anything like this, but since I know it's going to happen, I can prepare for it. I write a script that I can practice out loud multiple times beforehand. It means I can read from it on the day and not rely on memory to make sure I've said all the things I want to cover. I know that it's okay to feel nervous or anxious. It's okay for my breathing to increase slightly or my hands to shake, or any of the other common reactions to being nervous. I don't try to fight it; I know that as long as I'm prepared and can follow the steps I've mentioned above, the session will be a success.

Bonus ideas

- Know who your experts in the room are. If it's not you, don't try to fill that role; it'll be terrible for your credibility and confidence!
- Leverage the new AI Scenario Builder to uplift your exercise's content.
- Get a colleague or friend to join you and present as a double act. You can bounce off each other and share the presenting load.

Share your thoughts

What are your tips for keeping people present and engaged during sessions like this? How do you overcome the nerves of presenting? Drop a comment below and let us know.

Your Guide to Effective AI Prompting
Why Prompting Matters for Crisis Simulations

Think of AI as a highly capable, but literal, assistant. The quality of its output directly reflects the clarity and specificity of your instructions. For crisis simulations, this means:

- Relevance: Tailored scenarios that mirror your organization's unique risks, industry, and operational environment.
- Realism: Scenarios that feel authentic, with credible triggers, evolving complications, and realistic stakeholder reactions.
- Depth: Multi-layered scenarios that challenge your team's decision-making, communication, and collaboration skills.
- Actionability: Scenarios that provide clear learning objectives and reveal actionable insights for improving your crisis response plan.

Core Principles of Effective Prompting

Be Specific, Not Vague

Bad Prompt: "Generate a crisis." (Too generic; it will give you a basic, unhelpful scenario.)

Good Prompt: "Generate a cybersecurity crisis scenario for a mid-sized e-commerce fashion retailer. The trigger is a ransomware attack that encrypts customer databases and disrupts order fulfillment."

Why it works: It defines the what (cybersecurity crisis, ransomware), the who (mid-sized e-commerce fashion retailer), and the impact (encrypted databases, disrupted orders).

Define your organization and context using our drop-down fields, and then add additional context:
- Industry (e.g., healthcare, finance, manufacturing, tech, retail)
- Threat (e.g., data breach, natural disaster, product recall, public relations nightmare, supply chain disruption, insider threat, workplace violence, financial fraud)
- Attack vector (e.g., phishing attack, severe weather event, manufacturing defect, viral social media post, disgruntled employee action, sudden market downturn)

The more information the AI has about your specific context, the more tailored the scenario will be, so consider adding further information such as:

- Company Size: (e.g., small startup, multinational corporation)
- Key Products/Services: (e.g., cloud-based software, physical goods, financial advisory)
- Target Audience: (e.g., B2B clients, general consumers, specific demographics)
- Geographic Scope: (e.g., local, national, global operations)
- Relevant Regulations/Compliance: (e.g., GDPR, HIPAA, industry-specific standards)
- Current Trends/Challenges: (e.g., supply chain issues, inflation, new technologies)

Example: "Our company, 'Global Pharma Solutions,' is a multinational pharmaceutical company with a focus on novel drug development. We operate globally and are heavily regulated by the FDA and EMA. Generate a scenario reflecting a crisis involving a mislabeled drug batch, discovered shortly after market release in Europe and the US."

Outline Key Stakeholders and Their Potential Reactions

Realistic scenarios involve diverse stakeholders with varying interests and reactions.

- Internal: Employees, leadership, legal, HR, IT, communications, specific department teams.
- External: Customers, media, regulators, investors, suppliers, partners, general public, affected individuals.
- Desired Reaction: How should these stakeholders react? (e.g., panic, confusion, outrage, demanding answers, seeking legal action, offering support)

Example: "Include reactions from panicked customers flooding social media, calls from concerned regulators, and an internal IT team struggling to diagnose the issue.
Also, factor in a potential negative news story breaking on a major industry publication."

Inject Complications and Escalation

Crises rarely remain static. Build in elements that make the scenario evolve and become more challenging.

- Secondary Events: (e.g., power outage during a cyberattack, additional product defects discovered, key personnel unavailable)
- Information Gaps/Misinformation: (e.g., conflicting reports, rumors spreading on social media, difficulty in verifying facts)
- Ethical Dilemmas: (e.g., balancing transparency with legal implications, prioritizing different stakeholder needs)
- Time Constraints: (e.g., a critical decision needed within 30 minutes, public statement required by end of day)

Example: "After the initial system outage, introduce a new complication: a cyber-espionage group claims responsibility on a dark web forum, threatening to release sensitive customer data if demands are not met, despite the initial incident being unrelated to a breach."

Define the Learning Objectives (Optional, but Recommended)

While the AI won't "know" your objectives, including them in your prompt can subtly guide its generation towards a scenario that helps you test specific aspects of your plan.

Example: "The scenario should test our team's ability to communicate effectively under pressure," or "Focus on evaluating our supply chain resilience and alternative vendor protocols."

By following these guidelines, you'll be well on your way to leveraging our AI crisis simulation feature to its fullest, preparing your team for any challenge the real world might throw at them. Happy simulating!

Beyond the Situation Room: What Your Crisis Response Looks Like to the Outside World
#Recorded on 3rd July 2025

You've just experienced "Flip Reversal," a crisis simulation that put you in two critical seats: witnessing internal crisis leadership, and then becoming the external stakeholders reacting to their decisions. Now, let's dive deeper.

This webinar goes beyond the exercise debrief to explore the critical gap between internal crisis management and external perception, and how strategic choices made inside the "situation room" ripple outwards, shaping reactions from the media, regulators, partners, and the public.

The webinar will cover:

- The perception gap: Why even well-intentioned internal decisions can be misinterpreted or amplified by external audiences.
- Anticipating stakeholder storms: Key strategies for proactively understanding and managing the diverse expectations and potential reactions of your critical stakeholders.
- From reaction to relationship: How to build robust external relationships before a crisis hits, turning potential adversaries into allies.
- The power of external influence: Understanding how stakeholder responses can directly impact the trajectory and outcome of your crisis.

This webinar is for anyone who wants to deepen their understanding of crisis dynamics, and how to bridge the divide between internal action and external impact. Don't just manage a crisis; understand how it's truly perceived.

#LoveHacked Virtual Crisis Sim LIVE
This event has now ended. You can watch the recording here.

Don't Let Your Valentine's Day Go Viral... for the Wrong Reasons!

Roses are red, violets are blue, but what happens when Cupid's arrow delivers a cyberattack, too? This Valentine's Day put your crisis response skills to the test with our virtual crisis simulation, #LoveHacked.

Learning Outcomes

- Experience the chaos of a QR code phishing attack.
- Make critical decisions under pressure to protect your reputation and key stakeholders.
- Learn how to navigate the golden hour of a digital crisis.

Don't get caught unprepared! Sign up now for #LoveHacked and ensure your Valentine's Day is filled with love, not losses.

The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty
This event has now ended. You can watch the recording here.

Could your crisis training be setting leaders up to fail? Most crisis exercises are designed to test decision-making, but are they truly preparing leaders for real-world uncertainty? Explore this topic with Immersive's Crisis Sim Lead JonPaulGabriele one week on from AI-pril Fools: The Return of the Puppetmaster Virtual Crisis Sim LIVE.

In a real crisis, leaders must:

- Act without having all the answers.
- Make tough decisions knowing there's no perfect outcome.
- Adapt quickly as the situation escalates unpredictably.

Yet many crisis training exercises provide too much structure, clarity, and a clear path to success. The reality is that not every crisis can be solved; sometimes, the best outcome is simply limiting the damage.

What You'll Learn

- Is your crisis training too predictable? How structured exercises may be creating a false sense of preparedness.
- How to design a more realistic crisis exercise: Creating scenarios where leaders must navigate uncertainty, trade-offs, and irreversible consequences.
- Training leaders for decision-making under pressure: Why waiting for clarity can be more dangerous than acting on incomplete information.
- The hidden weakness in traditional crisis simulations: How to introduce complexity and unpredictability into your training.
- Measuring the effectiveness of your crisis training: Key questions to assess whether your exercises truly prepare teams for real crises.

Key Takeaways

Challenge your assumptions about crisis training. Are your exercises giving teams an artificial sense of control? Walk away with practical insights and learn how to design exercises that truly test leadership under uncertainty.
The Human Edge Beyond Pentesting – Building True Cyber Resilience

Pentest vs. Red Team: Understanding the Core Difference

Many cybersecurity vendors are rebadging pentesting as attack simulations or red teaming, often at a higher cost. However, there's a clear difference:

- Pentesting (Penetration Testing): The overarching goal of penetration testing is to find vulnerabilities within an environment in order to create a remediation plan. Reporting focuses on documenting as many vulnerabilities as possible in the allotted timeframe.
- Red Teaming (Attack Simulation): In contrast, red teaming is used to validate the efficacy of the defensive (blue) team. It is not looking for vulnerabilities per se; it is about achieving the objectives while trying to avoid detection. Reporting focuses on finding defensive gaps and assessing the blue team's response capabilities. The ultimate goal is to simulate real-world adversaries and determine if the defensive team has the telemetry to detect them.

The key takeaway is that if the engagement isn't assessing your detection capabilities, it is not a red team.

When Does Red Teaming Truly Add Value?

While valuable, red teaming isn't always the most cost-effective solution; it is usually only effective in these three scenarios:

- When You Have a Regulatory Requirement: Regulated sectors with frameworks such as CBEST, TIBER, FEER, CORIE, and AASE often mandate regulatory red teams, which have standardized approaches and qualifications.
- When You Have a Very Mature Organization: If your organization has addressed all other possible security issues and has limited justification for further spending, a red team can provide a level of assurance that few other testing strategies can match. However, if you have known, unaddressed issues, red teaming rapidly loses value as the simulated attackers will typically take the easiest route to compromise and report on issues you are already aware of.
- When You Need a "Burning Platform": Sometimes, demonstrating the potential severity of a worst-case scenario is necessary to secure critical budget increases. Red teaming can effectively highlight how badly wrong things could go, helping CISOs obtain the resources they need.

Outside these specific use cases, however, more cost-effective methods often offer a better return on investment than red teaming. Purple teaming offers a more holistic approach to measuring your blue team's capability while also having a much higher rate of knowledge transfer. Attack path mapping is far more comprehensive in discovering what attackers can do and which vulnerabilities or misconfigurations can be chained together to achieve compromise.

The Pitfalls of Misaligned Red Teaming

Several factors can undermine the benefits of red teaming outside the identified use cases:
- Resource Intensive: Red teaming is both costly and time-consuming.
- Potentially Divisive: It can sometimes lead to conflict between teams or erode trust within an organization.
- Weak Follow-Up: Lessons learned from red team exercises are often not translated into actionable steps or, worse, are completely ignored.
- Limited Scope: It may fail to explore cascading impacts and real-world disruptions.
- Insufficient Business Focus: Without an understanding of broader business consequences, the exercise's value can be limited.
- Increased Risk: Poorly executed red teaming can introduce wasted effort or unnecessary investigations.
- Often Undetected: A significant number of red team operations do not trigger alerts or go unnoticed by defensive teams.

This last point highlights the importance of understanding why an attack wasn't detected, by asking:
- Was an alert generated?
- Was it marked as a false positive?
- Was a process followed?
- Was the process correct?
Enhancing Cyber Resilience: A Holistic Approach

Cyber resilience is not just about products or individual tools; it is about the application of skilled and motivated people, understanding and utilizing technology, and implementing reliable and repeatable processes and detections. The focus should be on building a robust, layered defense that understands, anticipates, and mitigates all phases of the attack chain, recognizing that the perimeter is no longer the sole objective for attackers.

To truly improve cyber resilience, organizations need to focus on three key areas:
- Security Posture: Continuously assess and strengthen your foundational security.
- Detection Capability: Improve your ability to identify and triage malicious activity.
- Response Capability: Enhance your team's efficiency and effectiveness in reacting to and recovering from incidents.

This involves exposing defenders to real-world Tactics, Techniques, and Procedures (TTPs) relevant to their environment. Furthermore, understanding the capabilities and blind spots of both your security team and your defensive tooling is crucial for applying and testing effective mitigations and proving resiliency.

Practical Approaches to Building Resilience

To achieve true benefit from simulations, organizations must prepare individuals and teams both before and after the simulation. This involves a cycle of "Prepare & Protect" and "Detect & Respond". Effective training and exercises are vital for different audiences:
- Individual Preparation: Hands-on labs can provide technical training for various roles, including defensive cybersecurity professionals, penetration testers, developers, application security experts, and cloud & infrastructure security personnel.
- Technical Team Exercises (Team Sim): These focus on the technical aspects of cyber attack and response using pre-configured cyber range scenarios.
Participants investigate or perform simulated attacks using real cybersecurity tools and techniques in a safe, sandboxed environment.
- Executive & Business Exercises (Crisis Sim): Moving beyond traditional tabletop exercises, Crisis Sim puts teams into dynamic crisis simulations with real crises, dynamic storylines, and contextual media. This helps measure and benchmark responses to inform crisis strategies and build muscle memory through regular exercising.

By understanding the distinct roles of pentesting and red teaming, strategically applying attack simulations, and investing in comprehensive training across all levels of the organization, businesses can genuinely enhance their cyber resilience and gain the human edge over cyber attacks.