crisis simulations
33 Topics

The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty
This event has now ended. You can watch the recording here.

Could your crisis training be setting leaders up to fail? Most crisis exercises are designed to test decision-making, but are they truly preparing leaders for real-world uncertainty? Explore this topic with Immersive's Crisis Sim Lead JonPaulGabriele one week on from AI-pril Fools: The Return of the Puppetmaster Virtual Crisis Sim LIVE.

In a real crisis, leaders must:
- Act without having all the answers.
- Make tough decisions knowing there’s no perfect outcome.
- Adapt quickly as the situation escalates unpredictably.

Yet many crisis training exercises provide too much structure, clarity, and a clear path to success. The reality is that not every crisis can be solved; sometimes, the best outcome is simply limiting the damage.

What You’ll Learn
- Is your crisis training too predictable?: How structured exercises may be creating a false sense of preparedness.
- How to design a more realistic crisis exercise: Creating scenarios where leaders must navigate uncertainty, trade-offs, and irreversible consequences.
- Training leaders for decision-making under pressure: Why waiting for clarity can be more dangerous than acting on incomplete information.
- The hidden weakness in traditional crisis simulations: How to introduce complexity and unpredictability into your training.
- Measuring the effectiveness of your crisis training: Key questions to assess whether your exercises truly prepare teams for real crises.

Key Takeaways
Challenge your assumptions about crisis training. Are your exercises giving teams an artificial sense of control? Walk away with practical insights and learn how to design exercises that truly test leadership under uncertainty.

822 Views, 1 like, 3 Comments

Beyond the Situation Room: What Your Crisis Response Looks Like to the Outside World
Recorded on 3rd July 2025

You've just experienced "Flip Reversal," a crisis simulation that put you in two critical seats: witnessing internal crisis leadership, and then becoming the external stakeholders reacting to their decisions. Now, let's dive deeper. This webinar goes beyond the exercise debrief to explore the critical gap between internal crisis management and external perception and how strategic choices made inside the "situation room" ripple outwards, shaping reactions from the media, regulators, partners, and the public.

The webinar will cover:
- The perception gap: Why even well-intentioned internal decisions can be misinterpreted or amplified by external audiences.
- Anticipating stakeholder storms: Key strategies for proactively understanding and managing the diverse expectations and potential reactions of your critical stakeholders.
- From reaction to relationship: How to build robust external relationships before a crisis hits, turning potential adversaries into allies.
- The power of external influence: Understanding how stakeholder responses can directly impact the trajectory and outcome of your crisis.

This webinar is for anyone who wants to deepen their understanding of crisis dynamics, and how to bridge the divide between internal action and external impact. Don't just manage a crisis; understand how it's truly perceived.

716 Views, 3 likes, 6 Comments

Christmas Tree-Son 🎄 Virtual Crisis Simulation
This event has now ended. You can watch the recording here.

'Tis the Season to be jolly... but not so fast! The North Pole, a beacon of holiday cheer, faces a cybersecurity storm that threatens to derail preparations for the holiday season and expose its deepest secrets. A disgruntled elf has turned whistleblower, leaking confidential data and casting a shadow over Santa's operations. Can you navigate the chaos, protect the integrity of Christmas, and safeguard the spirit of the season?

- A Festive Cyber Thriller: Immerse yourself in a unique and engaging crisis scenario set against the backdrop of the North Pole.
- Real-World Challenges: Tackle realistic crisis and cybersecurity threats and dilemmas inspired by current events and industry concerns.
- Ethical Dilemmas: Face tough choices that test your crisis management principles and challenge your decision-making skills.
- Learning and Fun: Gain valuable insights into crisis management and cybersecurity while enjoying the festive spirit.

509 Views, 2 likes, 3 Comments

The Softer Side: Non-technical Benefits to Technical Team Exercises
In my role, I have the privilege of working with many different organizations through their technical exercise events and programs. One of the most rewarding aspects is seeing the spark ignite in the people as they band together to achieve a common objective. In this article, I’ll be sharing some of the common benefits I see emerge across organizations of all sizes, industries, and maturity levels, no matter the exercise's purpose.

Encouraging curiosity and problem-solving

Cyber Range Exercises provide a virtual network environment to explore. Defensive exercises focus on detecting and monitoring malicious activity, while offensive exercises involve exploiting vulnerabilities to uncover target information. Within these simulated environments, participants must utilize a wide array of skills and decide on the best approach, as the correct course of action isn't always obvious. This technical challenge is great for reinforcing knowledge and applying skills. I've seen players puzzle over unsuccessful methods, forcing them to rethink their approach entirely, asking plenty of “what if” questions before testing them out. This experimentation process educates players while simultaneously promoting lateral thinking and encourages sharing problem-solving insights.

Improved communication

Trawling through logs and analyzing (or preparing) a malicious payload usually calls for quiet focus. But in the real world, we’re rarely working alone. More often than not, investigations and tests happen in small teams, under pressure, and good communication becomes just as important as technical skill. That’s why team-based exercises reflect this reality. You’ve got to explain what you’re doing clearly, so everyone’s on the same page – both in terms of the situation and the technical jargon. Creating clear written logs and documentation matters too, especially in incidents where language may need to be adapted for different audiences.
The most effective teams I've observed in these exercises prioritize organization. They set up a central place to track everything – whether that’s a Teams channel, a spreadsheet, or a crisis response tool – and they’re smart about assigning roles and carving out time to keep everyone synced up.

Better distraction management

A deliberate challenge I sometimes incorporate into technical exercises is surprise leadership requests for incident updates. This tests the team's ability to rapidly consolidate information under pressure, dealing with the uncertainties of an active investigation. Teams with strong organization, detailed incident logs, and a dedicated spokesperson or team leader consistently manage these interruptions best. Practicing in a simulated setting helps teams stay productive and accurate, even when real-world distractions come into play. It builds the ability to block out noise, manage stakeholders, stay focused on individual tasks while keeping sight of team goals, and smoothly switch contexts when needed.

Stronger team dynamics

Unlike individual training, these exercises require participants to actively communicate, share knowledge, and rely on each other's strengths to achieve a common goal. Team members learn to understand each other's working styles, identify individual expertise, and build trust in their colleagues' abilities. The shared experience of overcoming technical challenges, even simulated ones, creates a sense of camaraderie and shared accomplishment. While every team comprises diverse personalities and communication styles, it's crucial that each individual feels comfortable and empowered to share their insights and findings. These contributions can significantly alter the outcome; for instance, a critical discovery during a technical investigation might directly influence the business's crisis response strategy.
Increased efficiency

The more a team works together responding to the exercise challenges, the more they develop shared understandings of processes and expectations, learn to delegate effectively, and identify bottlenecks in their collaborative efforts. Eliminating issues arising from a lack of confidence or familiarity with the team or processes is especially critical for incident response teams, leading to quicker response times and improved agility when situations change rapidly.

After each exercise, I like to conduct a team debrief, which is crucial for reflecting on lessons learned. Prompting players to consider their individual strengths and challenges, alongside open discussion about team dynamics and processes, helps identify opportunities for improvement.

Technical exercises are undoubtedly key to boosting individual technical proficiency. However, their even greater value lies in cultivating these skills alongside the crucial professional attributes demanded by our field. Considering the significant pressure and expectations placed on these teams to deliver trustworthy outcomes, ensuring their preparedness within a high-trust setting is essential. These are merely some of the advantages I've witnessed through these exercises.

Share your thoughts

What benefits have you experienced through technical exercising? Share your thoughts in the comments!

391 Views, 2 likes, 1 Comment

AI-pril Fools: The Return of the Puppetmaster Virtual Crisis Sim LIVE
This event has now ended. You can watch the recording here.

Don't be fooled by the date – this is no laughing matter. The Puppetmaster is back, and this time, your communication lifelines are their target. Prepare to face a crisis simulation where the very channels you rely on for connection and collaboration become instruments of chaos. "AI-pril Fools' Day" will test your team's ability to navigate a world where information is weaponized, trust is eroded, and the boundaries between reality and deception are blurred. Can you regain control of the narrative and outsmart the Puppetmaster, or will you become entangled in their web of AI-powered manipulation?

- Information Warfare: Experience the challenges of misinformation, disinformation, and the manipulation of truth in the digital age.
- Security Breaches & Operational Disruptions: Face a cascade of security incidents and operational challenges.
- Ethical Dilemmas & Difficult Decisions: Make critical choices with incomplete information and far-reaching consequences.
- The AI Enigma: Confront the unpredictable nature of AI and its potential for both good and evil in the hands of a master manipulator.

The Puppetmaster is waiting. Are you ready to play their game? Register your attendance here

369 Views, 2 likes, 0 Comments

#LoveHacked Virtual Crisis Sim LIVE
This event has now ended. You can watch the recording here.

Don't Let Your Valentine's Day Go Viral... for the Wrong Reasons!

Roses are red, violets are blue, but what happens when Cupid's arrow delivers a cyberattack, too? This Valentine's Day, put your crisis response skills to the test with our virtual crisis simulation, #LoveHacked.

- Experience the chaos of a QR code phishing attack.
- Make critical decisions under pressure to protect your reputation and key stakeholders.
- Learn how to navigate the golden hour of a digital crisis.

Learning Outcomes

Don't get caught unprepared! Sign up now for #LoveHacked and ensure your Valentine's Day is filled with love, not losses.

347 Views, 0 likes, 5 Comments

Your Guide to Effective AI Prompting
Why Prompting Matters for Crisis Simulations

Think of AI as a highly intelligent, but literal, assistant. The quality of its output directly reflects the clarity and specificity of your instructions. For crisis simulations, this means:
- Relevance: Tailored scenarios that mirror your organization's unique risks, industry, and operational environment.
- Realism: Scenarios that feel authentic, with credible triggers, evolving complications, and realistic stakeholder reactions.
- Depth: Multi-layered scenarios that challenge your team's decision-making, communication, and collaboration skills.
- Actionability: Scenarios that provide clear learning objectives and reveal actionable insights for improving your crisis response plan.

Core Principles of Effective Prompting

Be Specific, Not Vague

Bad Prompt: "Generate a crisis." (Too generic, will give you a basic, unhelpful scenario.)

Good Prompt: "Generate a cybersecurity crisis scenario for a mid-sized e-commerce fashion retailer. The trigger is a ransomware attack that encrypts customer databases and disrupts order fulfillment."

Why it works: It defines the what (cybersecurity crisis, ransomware), the who (e-commerce fashion retailer, mid-sized), and the impact (encrypted databases, disrupted orders).

Define your organisation and context using our drop-down fields, and then add additional context.
- Industry (e.g., healthcare, finance, manufacturing, tech, retail)
- Threat (e.g., data breach, natural disaster, product recall, public relations nightmare, supply chain disruption, insider threat, workplace violence, financial fraud)
- Attack vector (e.g., phishing attack, severe weather event, manufacturing defect, viral social media post, disgruntled employee action, sudden market downturn)

The more information the AI has about your specific context, the more tailored the scenario will be, so consider adding further information such as:
- Company Size: (e.g., small startup, multinational corporation)
- Key Products/Services: (e.g., cloud-based software, physical goods, financial advisory)
- Target Audience: (e.g., B2B clients, general consumers, specific demographics)
- Geographic Scope: (e.g., local, national, global operations)
- Relevant Regulations/Compliance: (e.g., GDPR, HIPAA, industry-specific standards)
- Current Trends/Challenges: (e.g., supply chain issues, inflation, new technologies)

Example: "Our company, 'Global Pharma Solutions,' is a multinational pharmaceutical company with a focus on novel drug development. We operate globally and are heavily regulated by the FDA and EMA. Generate a scenario reflecting a crisis involving a mislabeled drug batch, discovered shortly after market release in Europe and the US."

Outline Key Stakeholders and Their Potential Reactions

Realistic scenarios involve diverse stakeholders with varying interests and reactions.
- Internal: Employees, leadership, legal, HR, IT, communications, specific department teams.
- External: Customers, media, regulators, investors, suppliers, partners, general public, affected individuals.
- Desired Reaction: How should these stakeholders react? (e.g., panic, confusion, outrage, demanding answers, seeking legal action, offering support).

Example: "Include reactions from panicked customers flooding social media, calls from concerned regulators, and an internal IT team struggling to diagnose the issue. Also, factor in a potential negative news story breaking on a major industry publication."

Inject Complications and Escalation

Crises rarely remain static. Build in elements that make the scenario evolve and become more challenging.
- Secondary Events: (e.g., power outage during a cyberattack, additional product defects discovered, key personnel unavailable)
- Information Gaps/Misinformation: (e.g., conflicting reports, rumors spreading on social media, difficulty in verifying facts)
- Ethical Dilemmas: (e.g., balancing transparency with legal implications, prioritizing different stakeholder needs)
- Time Constraints: (e.g., a critical decision needed within 30 minutes, public statement required by end of day)

Example: "After the initial system outage, introduce a new complication: a cyber-espionage group claims responsibility on a dark web forum, threatening to release sensitive customer data if demands are not met, despite the initial incident being unrelated to a breach."

Define the Learning Objectives (Optional, but Recommended)

While the AI won't "know" your objectives, including them in your prompt can subtly guide its generation towards a scenario that helps you test specific aspects of your plan.

Example: "The scenario should test our team's ability to communicate effectively under pressure," or "Focus on evaluating our supply chain resilience and alternative vendor protocols."

By following these guidelines, you'll be well on your way to leveraging our AI crisis simulation feature to its fullest, preparing your team for any challenge the real world might throw at them. Happy simulating!

302 Views, 1 like, 0 Comments

From Simulation to Strategy: Empowering Crisis Readiness at SANS
In this blog, I share my perspective as a cyber resilience advisor, exploring how SANS equipped its team to design and deliver exercises based on real-world incidents. What started as a one-time event has become an ongoing project to build internal capability and use the platform for continuous team development and upskilling.

A tailored event

On May 26, we ran a crisis simulation event with the cybersecurity team at SANS, an organization where cybersecurity plays a critical role in protecting aviation operations and national infrastructure. The scenario, adapted from the Immersive catalog, was tailored to the aviation industry and focused on a targeted malicious code attack exploiting the Follina vulnerability (CVE-2022-30190). It brought together the SOC, incident response, and IT/OT teams to work through a high-pressure situation that tested their ability to detect, contain, and recover from a cyberattack. While the simulation itself was valuable, what stood out most was the team’s immediate interest in expanding their internal capabilities and using the Immersive platform to create their own simulations in the future.

Enabling ownership

Following the event, we hosted two hands-on workshops to support the team in designing their own crisis simulations. The first workshop focused on developing familiarity with the platform. SANS explored the Crisis Simulation module, navigated the scenario catalog, and learned how to use existing content as templates to build custom scenarios. After participating in this workshop, the head of cybersecurity at SANS described it as “truly interactive, well-executed, and highly engaging… The hands-on approach and practical scenarios helped enhance our technical readiness and cross-team coordination”.

The second workshop walked through the full development process, from discovery and design to development and build, helping the team shape a simulation based on a real incident from their organization.
Together, we explored how simulations can be used not just for readiness, but as a practical upskilling tool grounded in real operational risk.

A collaborative path forward

What began as a single simulation has turned into an ongoing partnership. We’re now supporting the SANS team as they take ownership of their crisis readiness, developing internal simulations aligned with their environment, challenges, and goals. This is the value of Immersive in action: not just running simulations, but empowering teams to build their own scenarios.

Creating a playbook for success

While working with SANS, we used the Malicious Code: Incident Responder crisis simulation from the Immersive catalog as the foundation, changing the decision points (known as injects) to fit the roles that were participating in the simulation. After additional tweaks to the terminology and narrative to better represent the aviation industry, we were able to accurately model a realistic scenario for SANS.

You can follow a similar process to create your own crisis simulation framework. Simply export a scenario from our catalog as a building block and personalize it to suit your industry and needs. Keep these tips in mind:
- Customize the terminology used in the scenario to reflect your organization. While many of our out-of-the-box scenarios refer to financial services or government, they can easily be adjusted.
- Use historical incidents to shape the crisis simulation and explore best practices. By cataloging events that have happened within your company or industry, newer employees can use this knowledge to better prepare for similar challenges in the future.
- Encourage teams to share knowledge using the platform based on their experience, so colleagues can learn from examples.
- Engage your own procedures and policies to create a playbook for the future.

Beyond the tabletop: Expanding the value of crisis simulation

Running a crisis simulation is just the beginning.
Once a team has participated in a full-scale exercise, there’s a powerful opportunity to build on that momentum using the same tools to embed resilience deeper into the organization. Here are just a few ways teams can expand the impact:
- Explore team-based microsimulations to reinforce best practices. Use short, focused exercises (15–30 mins) to target the specific response skills of a single team.
- Engage in case study reflection exercises. Take a real incident (internal or public), build it into a learning scenario, and allow teams to step through the decision-making and ask: “What would we have done?”.

Beyond crisis: Using the platform for everyday development

Crisis simulations are powerful — but the platform can also support ongoing team growth outside of high-pressure scenarios. Beyond crisis response, organizations can use Immersive to:
- Onboard new team members. Introduce new joiners to tools, roles, and escalation paths through guided, scenario-based learning.
- Provide career development paths. Use simulations to expose team members to higher-level decision-making, preparing them for future roles in incident leadership or governance.

Do you have any alternative use cases for crisis simulations beyond crisis response itself? Share them in the comments!

Flip Reversal: The 360 Crisis Experience
Ever watched a crisis unfold and thought, "I'd have done that differently?" Now's your chance.

This event was recorded on 27th June 2025.

Join us for Flip Reversal, a crisis simulation with a twist! We're turning the tables on traditional exercises to give you a unique, 360-degree view of crisis management in an industry that's proven time and time again to be a top target for cyberattacks – the financial services sector.

Instead of immediately putting you in the hot seat, you’ll first get a live, inside look at a leadership team as they grapple with an escalating, high-stakes crisis, complete with financial, reputational, and regulatory risks. See their decision-making process, the internal discussions, and the immediate pressures they face – a true behind-the-scenes insight!

But you won't just be watching. As their response unfolds, you’ll step into the shoes of crucial external stakeholders such as the media, regulatory bodies, institutional investors, boards, supply chain partners, and more. Based on the live team's actions, you’ll decide how these stakeholders react. Will the media run a critical exposé? Will regulators impose sanctions or demand capital injections? Your choices will shape the consequences.

Why you can't miss Flip Reversal:
- See it From the Other Side: Gain invaluable insight into how crisis responses are perceived and the impact they have externally.
- Behind-the-Scenes Access: Understand the unfiltered pressures and dynamics within a team managing a crisis.
- Challenge Your Assumptions: Observe a response and decide if you would have acted differently.
- React & Lead: Experience the challenge of both influencing a crisis as a stakeholder and leading a response team through the aftermath.

272 Views, 1 like, 0 Comments

Pieces of the Puzzle – The Power of Interconnected Cyber Drills
A crisis doesn’t respect boundaries – it unfolds in real time, demanding responses from every level, from technical teams to executives. That’s exactly what we set out to simulate with our recent cyber drill, “Pieces of the Puzzle”, a high-intensity exercise that pushed over 300 team members into the deep end of crisis response. What set this drill apart was its interconnectivity – no single person had the full picture, and every decision mattered.

A crisis unfolds in pieces

The exercise was built around two fictional companies:
- FusionArc – A cloud-based IT infrastructure provider suffering a cyberattack.
- Orchid Logistics – A global supply chain company, FusionArc’s largest customer, facing operational chaos due to the breach.

Day one simulated a cyberattack on FusionArc Solutions, with participants acting as the incident response team investigating and responding to a breach of critical systems and sensitive data. This day showcased Immersive’s cyber range capabilities and the importance of continuous upskilling. It allowed participants to practice incident response protocols and sharpen their ability to detect, analyze, and respond to cyber threats. Live technical demos showcase real-time analysis and response, bringing the simulation to life and highlighting the skills needed to combat cyberattacks.

Day two shifted the perspective to Orchid Logistics, whose global operations across four major regions were thrown into turmoil due to the cascading impact of the attack. Each region had its own challenges, from disrupted healthcare supply chains in Europe to financial uncertainty in North America. Different teams – operations, legal, communications, finance, and crisis management – were forced to make critical decisions with incomplete and often conflicting information.

This wasn’t just about testing individual teams. It was about stress-testing the connections between them because, in a crisis, decisions have consequences.
Every action (or inaction) ripples outward, shaping how an incident unfolds and determining the effectiveness of the response.

The design: controlled chaos with a purpose

Running a cyber drill at this scale required intricate planning. Each element was carefully orchestrated to simulate the real-life confusion of a crisis where information is fragmented, priorities clash, and leaders must make tough choices under pressure. Key elements included:
- Dynamic information flow – Teams received updates in real-time, with technical teams feeding insights to crisis managers, who in turn had to make strategic decisions for the business.
- Regional decision-making – Each region had its own crisis management team (CMT), responsible for navigating localized challenges while staying aligned with global headquarters.
- Cross-functional dependencies – Operations, legal, finance, and public relations all faced their own unique crises relating to the cyberattack, as well as other unrelated business continuity disruptions. Their ability to coordinate responses mirrored the true complexity of a global business disruption.
- Escalating pressure – Timed injects (new crisis updates), roaming media roleplayers, and breaking news images forced participants to adapt rapidly, just as they would in a real cyber event.

By layering these complexities, the exercise tested technical incident response and the entire organization’s ability to work as a single unit under duress. We looked at disaster recovery, crisis management, and business continuity all in the same cyber drill.

The power of perspective (or lack of it)

A key takeaway from the drill was how overwhelming it felt. No one had the full picture – teams made decisions with only their slice of the crisis, just like in the real world. We saw participants grappling with conflicting information, wondering why other teams weren’t responding as expected.
Some felt completely isolated until they realized that the missing information was sitting with another team in another region, experiencing a completely different part of the crisis. This is why interconnected drills are vital. They teach organizations to connect the dots and reinforce a crucial lesson: in high-stakes environments, every decision shapes the crisis’s trajectory.

Prove and improve: the true value of cyber drills

Cyber drills aren’t just theoretical exercises. They test response plans, communication, and decision-making under pressure while revealing areas for improvement. This drill pushed participants to work under stress and exposed gaps not just in technical response, but in collaboration, escalation, and decision-making. These exercises matter because they don’t just reveal weaknesses – they build resilience before a real crisis strikes.

What this means for your organization

Cyber threats affect entire businesses – customers, partners, supply chains, and finances. The biggest risk isn’t the attack itself but poor coordination in the response. That’s why cross-team exercises are vital: technical teams must know how and when to escalate, crisis managers must grasp the stakes, and executives must make quick decisions with limited information. Cyber drills don’t always have to be this large, but they must be realistic. Even smaller exercises focused on decision-making across teams can expose gaps in communication and preparedness before a real crisis does.

Final thoughts: crisis readiness is built, not assumed

In the debrief of Pieces of the Puzzle, one theme emerged repeatedly: we are only as strong as our connections. The most prepared organizations aren’t just those with the best tools or plans – they’re the ones who practice together and strengthen the human elements. Cyber drills push teams to break silos, act under pressure, and manage uncertainty.
If you’re not running them regularly, the question isn’t if you’ll struggle in a crisis – it’s when. No matter your industry, scale, or risk landscape, the key takeaway is this: crisis preparedness isn’t just about reacting – it’s about ensuring every piece of the puzzle fits before the crisis hits. Are your teams ready to prove and improve?

Share your thoughts

Has this inspired you to plan a drill? Do you have any questions about planning or execution and need some pointers? Have you run a drill or been to a drill event, and if so, how did it feel? I’d love to hear from you and help you reach your goals.

206 Views, 2 likes, 2 Comments