Crisis Sim Complete...Now What?
Picture it: you’ve designed, built, and exercised your first Crisis Sim. You're pleased with the scenario and satisfied to see your team sharpen their skills, deepen their understanding, and boost their incident readiness. You can bask in the glory of this job well done for a moment, but the journey of the Crisis Sim doesn’t end here. The devil is in the details of the exercise data. Completing the exercise and gathering the results is only the beginning of your journey of fostering people-centric cyber resilience! Not sure where to start? We’ve got you covered Remember how meticulously you mapped out those injects and options to build your scenario? The feedback options, the performance indicators, the branching paths, the exercise types? Your hard work is about to pay off. We’ve processed the exercise responses for you because you’ve earned it – and because there’s more work to be done. Next steps for managers Crafting outcomes from outputs You can expand on the work you’ve already put into the exercise by leveraging both the Results and the After Action Report (AAR) for your scenario in the Immersive platform. Follow these steps to access these items: Go to Crisis Sim in the Exercise tab. Locate your exercise. Hint: use the filters available on the left to show “ended” exercises. Click to open your “Ended” exercise. From there, you’ll see how to dive into the available outputs with a few clicks! If you need a bit more info, here are some additional guides from our Help Center: Where to find Crisis Sim exercise results & reports View Results After Action Report (AAR) Analyzing exercise results Results If you’re looking for granular data down to the details of each inject, you can find it here. In Results, you’ll see an overview including the summary from the exercise scenario, along with key details such as scoring and completion metrics. Need to examine responses to specific injects? In the platform, you can quickly drill down into each inject by using the navigation on the left-hand side of the report. By selecting an inject, you can review responses and start to see patterns that emerged throughout the exercise. If you’d prefer raw data, you can export a CSV file of your results. It's straightforward, packed with detail, and puts all the key metrics and figures within easy reach. Check out our documentation for more details on key information and metrics. This is an invaluable resource for anyone passionate about data! It allows you to establish a foundation, set comparative standards, and ultimately gauge and improve your cyber resilience – all with concrete data to back your efforts. If the mention of statistics and spreadsheets doesn't excite you, no worries, the Immersive platform generates an After Action Report for you 30 minutes after completion of your exercise. After Action Report (AAR) Enter the After Action Report! The AAR presents an interactive visualization of your data analysis, offering valuable insights at your fingertips. And, as a bonus, you can download it as a PDF. The AAR is more than a deliverable; it’s a guide to fostering a people-centric cyber resiliency culture. It offers an outline of the exercise and crucial data points that will help drive what you and your team do next. Overall performance, inject-by-inject analysis, and participant breakdown provide a comprehensive view of your team's current capabilities and readiness, wrapped up with relevant recommendations for you and your team. Remember, insights are only available for data that’s collected as part of your exercise, so make sure you offer ranked inject options and enable response confidence and feedback to maximize your exercising. This is defaulted in the Immersive Crisis Sim Catalog presentation scenarios. In the performance overview of the AAR, you'll encounter a high-level snapshot guide for your next steps. Think of this as a performance gauge (based on our experience with Immersive clients) that maps to the following: >=75%: Excellent >=50%: Good >= 25%: Fair >=0%: Needs improvement As you dive deeper into the AAR, these broader performance indicators unfold with more granular data, and you’ll be able to understand the gaps that exist in cyber resilience for your organization. Mind the gap By understanding your organization's current state, you can create targeted improvement plans, whether reinforcing strengths, addressing weaknesses, or identifying opportunities for further training and exercises. This provides a clear starting point for overall improvement and upskilling. Inject breakdowns help pinpoint your team's strengths and weaknesses. Imagine the exercise in a real-world scenario: would there be a data breach, or would operations continue as normal? Assess your team's confidence and accuracy in their responses to identify knowledge gaps and points of failure. Use these insights not to dwell on mistakes but to improve and ensure your team is well-prepared for future challenges. The participant breakdown takes this introspection into your team's capabilities a step further by plotting decision scores against confidence levels. This helps you understand the accuracy and confidence of your team’s responses. Are your strongest team members operating confidently? Are those with knowledge gaps posing risks by overcompensating with confidence? Create an action plan This data helps you prioritize your next steps. Will you address weaknesses, reinforce existing skills, or increase exercise frequency to build confidence? There are plenty of upskilling routes to choose from. After each exercise, you'll see related Crisis Sim scenarios and lab content based on the threats and attack vectors encountered. When creating your action plan, you should consider the following outcomes and their related recommendations: Weaknesses identified at the individual level ⇢ Assign recommended lab content to key users, and reinforce the importance of upskilling by communicating the purpose of the content. Hint: Don’t forget to use assignment deadlines to effectively track progress and keep the team on track. The participants' skills resulted in high accuracy decision-making but low confidence ⇢ Reinforce strengths with clear communication of processes and expectations. Consider reviewing your internal playbooks! Are processes clear, concise, and aligned with organizational needs and expectations? Are policies current and up to date? Are there conflicting processes or policies within your organization? The team performed exceptionally across the board with high confidence ⇢ Test response readiness by exercising on a more difficult level scenario. Does the team excel in all areas, or is this an opportunity to better prepare? The landscape is constantly changing, and new threats are constantly emerging. Ensure your team has a wide breadth of knowledge and coverage by continuously proving their skills and encouraging further learning. Three essential steps to maximize your post-simulation impact Of course, you know your organization and teams best, so the Crisis Sim results are always best interpreted by you. Once you’ve analyzed and understood the results, prioritize these steps: Review the results and gather feedback promptly to identify growth opportunities. Did outcomes align with expectations, or were there surprises? Plan specific changes for future Crisis Sim exercises and build a strategic timeline. Should you adjust the difficulty or coverage areas? Is there time for additional training between exercises? Create an action plan with clear objectives, owners, and deadlines to ensure individual and team development. What other organizational stakeholders should you bring in moving forward? And what will be important for them in Crisis Sim exercising? Share your thoughts If you’ve recently completed your first Crisis Sim exercise, what will you do next? If you’ve completed many, what tips do you have for others? Join the discussion below!The Softer Side: Non-technical Benefits to Technical Team Exercises
In my role, I have the privilege of working with many different organizations through their technical exercise events and programs. One of the most rewarding aspects is seeing the spark ignite in the people as they band together to achieve a common objective. In this article, I’ll be sharing some of the common benefits I see emerge across organizations of all sizes, industries, and maturity levels, no matter the exercise's purpose. Encouraging curiosity and problem-solving Cyber Range Exercises provide a virtual network environment to explore. Defensive exercises focus on detecting and monitoring malicious activity, while offensive exercises involve exploiting vulnerabilities to uncover target information. Within these simulated environments, participants must utilize a wide array of skills and decide on the best approach, as the correct course of action isn't always obvious. This technical challenge is great for reinforcing knowledge and applying skills. I've seen players puzzle over unsuccessful methods, forcing them to rethink their approach entirely, asking plenty of “what if” questions before testing them out. This experimentation process educates players while simultaneously promoting lateral thinking and encourages sharing problem-solving insights. Improved communication Trawling through logs and analyzing (or preparing) a malicious payload usually calls for quiet focus. But in the real world, we’re rarely working alone. More often than not, investigations and tests happen in small teams, under pressure, and good communication becomes just as important as technical skill. That’s why team-based exercises reflect this reality. You’ve got to explain what you’re doing clearly, so everyone’s on the same page – both in terms of the situation and the technical jargon. Creating clear written logs and documentation matters too, especially in incidents where language may need to be adapted for different audiences. The most effective teams I've observed in these exercises prioritize organization. They set up a central place to track everything – whether that’s a Teams channel, a spreadsheet, or a crisis response tool – and they’re smart about assigning roles and carving out time to keep everyone synced up. Better distraction management A deliberate challenge I sometimes incorporate into technical exercises is surprise leadership requests for incident updates. This tests the team's ability to rapidly consolidate information under pressure, dealing with the uncertainties of an active investigation. Teams with strong organization, detailed incident logs, and a dedicated spokesperson or team leader consistently manage these interruptions best. Practicing in a simulated setting helps teams stay productive and accurate, even when real-world distractions come into play. It builds the ability to block out noise, manage stakeholders, stay focused on individual tasks while keeping sight of team goals, and smoothly switch contexts when needed. Stronger team dynamics Unlike individual training, these exercises require participants to actively communicate, share knowledge, and rely on each other's strengths to achieve a common goal. Team members learn to understand each other's working styles, identify individual expertise, and build trust in their colleagues' abilities. The shared experience of overcoming technical challenges, even simulated ones, creates a sense of camaraderie and shared accomplishment. While every team comprises diverse personalities and communication styles, it's crucial that each individual feels comfortable and empowered to share their insights and findings. These contributions can significantly alter the outcome; for instance, a critical discovery during a technical investigation might directly influence the business's crisis response strategy. Increased efficiency The more a team works together responding to the exercise challenges, the more they develop shared understandings of processes and expectations, learn to delegate effectively, and identify bottlenecks in their collaborative efforts. Eliminating issues arising from a lack of confidence or familiarity with the team or processes is especially critical for incident response teams, leading to quicker response times and improved agility when situations change rapidly. After each exercise, I like to conduct a team debrief, which is crucial for reflecting on lessons learned. Prompting players to consider their individual strengths and challenges, alongside open discussion about team dynamics and processes, helps identify opportunities for improvement. Technical exercises are undoubtedly key to boosting individual technical proficiency. However, their even greater value lies in cultivating these skills alongside the crucial professional attributes demanded by our field. Considering the significant pressure and expectations placed on these teams to deliver trustworthy outcomes, ensuring their preparedness within a high-trust setting is essential. These are merely some of the advantages I've witnessed through these exercises. Share your thoughts What benefits have you experienced through technical exercising? Share your thoughts in the comments!
Introduction to Elastic: Ep.9 - ES|QL
I’m stuck on question 18 i need this to complete the lab. The question says ‘Perform a final query using all of the techniques used in the previous questions. What is the average speed per hour for ALL trips that start in the borough of “Brooklyn” and end in the borough of “Manhattan”? Provide your answer to at least three decimal places. any ideas?Christmas Tree-Son🎄Virtual Crisis Simulation
This event has now ended. You can watch the recording here. --- Tis the Season to be jolly... but not so fast! The North Pole, a beacon of holiday cheer, faces a cybersecurity storm that threatens to derail preparations for the holiday season and expose its deepest secrets. A disgruntled elf has turned whistleblower, leaking confidential data and casting a shadow over Santa's operations. Can you navigate the chaos, protect the integrity of Christmas, and safeguard the spirit of the season? A Festive Cyber Thriller: Immerse yourself in a unique and engaging crisis scenario set against the backdrop of the North Pole. Real-World Challenges: Tackle realistic crisis and cybersecurity threats and dilemmas inspired by current events and industry concerns. Ethical Dilemmas: Face tough choices that test your crisis management principles and challenge your decision-making skills. Learning and Fun: Gain valuable insights into crisis management and cybersecurity while enjoying the festive spirit.When the Lights Went Out at Heathrow: A Crisis That Was Never Meant to Be “Won”
In the early hours of March 21, 2025, a fire broke out at the North Hyde electrical substation in West London, just a few miles from Heathrow Airport. Within hours, a local infrastructure incident had triggered widespread disruption across the global aviation ecosystem. Flights were grounded, operations were halted, passengers were stranded, and local residents were left without power. Suddenly, one of the most connected airports in the world found itself completely disconnected. This wasn’t just a power failure, it was a systems failure. The fire itself was severe yet containable, but what unfolded afterward exposed far deeper vulnerabilities. It has since been claimed that Heathrow had “enough power” from other substations, which now raises difficult but fair questions: If there was enough power, why shut the airport down completely? If there wasn’t, why wasn’t the site resilient enough to handle a failure like this? And most importantly, how did one single point of failure have this much impact on such a critical national and international asset? These are the questions that will dominate the post-crisis scrutiny, but while many rush to applaud or condemn, I think the truth lies somewhere more uncomfortable. Crisis leadership isn’t about perfect outcomes Crisis response is never clean. It’s messy, fast-moving and incomplete. You make decisions with partial data, under pressure, in real time. And in the majority of cases, you choose between bad and worse – which is exactly what Heathrow’s leadership team faced: Compromised infrastructure Uncertainty about the integrity of power and systems Thousands of passengers on site and mid-flight en route to the airport Global operations and supply chain at risk The common response is, “we need to tackle all of these problems” – and rightly so – but what people often forget is that in a crisis, you don’t have the resources, time, or information to tackle everything at once. Heathrow's leadership chose safety and containment, and in just under 24 hours, they were back online again. That’s impressive. That’s recovery under pressure, and that’s business continuity in action. But it doesn’t mean everything was done right, and it certainly doesn’t mean we shouldn’t ask hard questions. “Enough power” means nothing without operational continuity Having backup power doesn’t mean having functional operations. Power alone doesn’t run an airport – systems, processes, and people do. If the backup didn’t maintain critical systems like baggage handling, communications, lighting, or security, then the airport was right to shut down. However, the next question is, why didn’t those systems have their own layers of protection, and where was the true resilience? This leads us to the real issue: this wasn’t just about Heathrow, it was about the entire ecosystem. Resilience isn’t just a plan – it’s a whole system of dependencies The recent disruption is a real reminder that resilience doesn’t just live inside an organization. It lives across every partner, vendor, and hidden dependency. In critical services like aviation, the biggest vulnerabilities are often outside the walls of your own operation. There’s a web of partners involved in keeping an airport running: Power providers Facilities management IT and communications vendors Outsourced security Maintenance crews Air traffic systems Second and third-tier subcontractors Many of these providers sit outside the organization’s direct control, yet their failures become your crisis in an instant. True resilience requires more than internal readiness, it demands visibility across the whole supply and vendor chain, coordination protocols with external stakeholders, and clear ownership of critical functions. When something breaks in the background, you won’t have time to figure out who’s responsible; you’ll only care about who can fix it. So identifying and (most importantly) testing and exercising your supply chain is paramount. This wasn’t a “winnable” crisis – and that’s the point I’ll discuss this concept further in my upcoming webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty, but the Heathrow disruption is a perfect case study. This was never going to be a clean “win.” No plan could have delivered a flawless response, and no leader could have avoided disruption entirely. Instead, this crisis asked a different question: When everything seems to be falling apart, can you contain the damage, protect your people, and recover quickly? That’s the real test. It’s what separates the theoretical resilience plans from the operational reality. Heathrow passed parts of that test, but the system around it has questions to answer, and every other organization watching should be asking the same thing: “How many hidden dependencies are we one substation, one outage, one contractor failure away from exposing?” The next crisis may not give you a warning, and it certainly won’t give you time to figure out who’s holding it all together. Crisis leadership isn’t about perfection; it’s about being ready for the moment when no perfect option exists. The question now is, what did it reveal that we can’t afford to ignore? Ready to prepare for true crisis readiness? Join me for the upcoming community webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty on April 11. We’ll explore what true crisis readiness looks like and how you prepare your team to lead when there is no “win” – only choices.Cyber Drills and Outcome-Based Programs: A Hands-On Approach to Cyber Resilience
What are cyber drills and outcome-based programs? Cyber drills vs. outcome-based programs Cyber drills Prove Outcome-based programs Improve Simulate a realistic cyberattack to test response capabilities Ongoing, structured programs to build and improve security operations Benchmark security preparedness at a given point in time Measure progress over time with defined success metrics Team-based exercises that focus on immediate response Tailored multi-year programs that address specific security gaps One-off or periodic events Continuous learning and improvement The key difference is that cyber drills test and prove preparedness and expose improvement areas; outcome-based programs address the improvement areas and enhance an organization’s ability to detect, respond, and recover from cyber threats. Combined, these approaches provide sustainable, robust cyber resilience. Designing an effective outcome-based program To implement an outcome-based program successfully, organizations must consider the following factors: 1. Understanding business objectives and risk tolerance Before designing a program, it’s crucial to understand: Business goals – what is the organization trying to achieve? Risk appetite – how much risk is the company willing to take? Regulatory requirements – what compliance standards must be met? 2. Defining measurable outcomes Success should be based on quantifiable improvements, such as: Reduced incident response time Fewer security breaches Improved threat detection capabilities More substantial alignment with regulatory requirements 3. Tailoring the program to the organization Organizations are unique, and outcome-based programs must be customized to fit: Risk assessment results Threat landscape Technology stack and processes Security team capabilities 4. Implementing and monitoring progress A phased approach ensures better adoption: Pilot phase – test the program with a small team before full deployment Phased rollout – implement step-by-step to ensure success Continuous reporting – regularly track metrics and adjust the program as needed 5. Demonstrating ROI and business value To gain leadership buy-in, organizations must: Showcase case studies of successful implementations Use data-driven insights to highlight improvements Demonstrate long-term value beyond compliance Example: A multi-year cybersecurity resilience program A well-structured outcome-based program can span multiple years, evolving as threats change. Year 1 – Conduct cyber drills, crisis and incident response exercises and assessments, and document response plans. Develop improvement plans and program scope. Year 2 – Technical and executive training, incident handling exercises. Year 3 – Advanced cybersecurity drills, scenario-based threat modeling, multi-team exercising. Process and policy stress testing. Year 4 – Purple teaming, improving collaboration between defense and offense teams. Year 5 – Full-scale red teaming and supply chain cyber drills. This approach ensures that organizations continuously prove and improve rather than just react to incidents. Final thoughts: The future of cybersecurity training Moving from traditional cybersecurity upskilling to cyber drills and outcome-based programs requires: A shift in mindset – focus on long-term resilience, not just one-time testing. Cross-department collaboration – security is not just IT’s responsibility; leadership buy-in is crucial. Expertise in design and delivery – outcome-based programs must be well-structured and measurable. By embracing cyber drills and outcome-based cybersecurity training programs, organizations can stay ahead of threats and build a stronger, lasting security culture. Share your thoughts Is your organization ready to move beyond traditional cyber upskilling? Where do you feel the biggest challenge lies, out of the three points mentioned above? Have you had success in overcoming these challenges? If so, share how with the community. Let’s build a cybersecurity strategy that delivers accurate, measurable results.Is Your Team Really Ready for a Cyberattack? (Prove It, Don't Hope It)
Cyberattacks are increasingly frequent and sophisticated. According to the Identity Theft Resource Center (ITRC)’s 2024 Data Breach Report, they remain the primary root cause of data breaches, with Financial Services replacing Healthcare as the most targeted industry. The message is clear: no organization is safe. The recent breach at Change Healthcare/UnitedHealth Group, which exposed the health data of around a third of Americans, shows that the scope of modern cyberattacks extends beyond individual organizations. This isn't just a data breach; it's proof that a single vulnerability can disrupt healthcare operations, impact patient care, and erode public trust. Building a cyber-ready workforce isn’t optional – it’s essential. This isn't about hoping you're prepared; it's about proving it. What "cyber-ready" means in practice A cyber-ready workforce goes beyond having an IT security team. It means everyone, from the front lines to the C-suite, understands their role in preventing and responding to cyber threats. First-line responders (IT security, SOC analysts): These are your digital defenders, constantly monitoring threats. But they're not just monitoring alerts; they're dissecting the attack, isolating the threat, and preserving digital evidence like detectives on a case. They react instantly to alerts, following incident response procedures to identify and contain attacks, aiming for rapid isolation to limit damage. Mid-level managers (team leads, department heads): These are your field commanders during a crisis. They're not just relaying information; they're making tough calls under pressure, coordinating teams, and ensuring everyone stays focused on the mission. They escalate issues to senior leadership and keep all stakeholders informed. Senior leadership (C-Suite, board members): These leaders understand that cybersecurity is a core business risk, not just an IT problem. They champion a security-first culture, prioritize cybersecurity investments, and understand a breach's potential financial, legal, and reputational fallout. The cost of being unprepared: a ripple effect of damage Think about the impact of a successful cyberattack on your customers, your employees, and your reputation. It's not just numbers on a spreadsheet; it's real-world consequences. Imagine the chaos: systems down, customer data compromised, the phone ringing off the hook with angry clients. The financial costs are staggering, with IBM’s Cost of a Data Breach report stating the average data breach now costs $4.45 million, and that number increases yearly. Then comes the reputational damage: lost customer trust, negative press, and long-term brand erosion. Operations stall, workflows are disrupted, and productivity plummets. Legal fees, regulatory fines, and the potential for crippling fines for non-compliance with laws like GDPR, HIPAA, and DORA add further strain. It's a domino effect that could threaten your organization’s survival. Building effective response through cyber drills and resilience programs Cyber drills are the cornerstone of a robust cyber resilience program. They’re practical, hands-on simulations that allow your team to practice responding to real-world threats in a safe space before a real crisis hits. To maximize their effectiveness, cyber drills should be: Realistic: Simulate real-world attacks, including ransomware attacks, data breaches, supply chain disruptions, and social engineering attempts. Incorporate threat actors' latest tactics and techniques to prepare your team for anything. Comprehensive: Involve all relevant teams, from technical responders to senior leadership, with clear roles and responsibilities. Drills should assess technical skills, communication, coordination, and decision-making under pressure. Regular: Conducted frequently to keep skills sharp and procedures up-to-date. A continuous drilling program is ideal. Analyzed: Every drill is a learning opportunity. Conduct thorough post-incident reviews to identify areas for improvement, document lessons learned, and update incident response plans. Building a fortress: your comprehensive resilience program True resilience goes beyond drills. It's about creating a multi-layered defense. Imagine building a fortress around your organization. Cyber drills are the practice battles, but a comprehensive resilience program is the complete defense system. You start with an early warning system: your threat intelligence feeds, providing insights into the latest attack methods. Next, you educate everyone, creating a human firewall through continuous security awareness training and micro-exercises (like simulated phishing emails). You then fortify your defenses by proactively scanning for and patching vulnerabilities (vulnerability management). Finally, you develop a detailed battle plan: your incident response plan, a meticulously documented and regularly tested strategy for handling attacks. This comprehensive approach is key to long-term resilience. Resilience is practiced, refined, and ready for battle. Reducing burnout: the human element of cyber resilience Cybersecurity is a relentless, high-stakes 24/7 battle. The constant pressure to defend against evolving threats takes a toll – leading to burnout, decreased productivity, and a weaker security posture. Recognizing this human element is crucial. Building a resilient team requires proactive support. Invest in training, development, and exercising to keep skills sharp and confidence high. Promote work-life balance by encouraging breaks, vacations, and unplugging after hours. Proper rest is essential for sustained performance. Crucially, cultivate a supportive work environment. Create a space where team members feel comfortable asking for help, sharing concerns, and admitting vulnerabilities without judgment. Open communication and collaborative problem-solving are vital. Celebrate successes and acknowledge the hard work of your cybersecurity professionals. A valued, supported team is an engaged, resilient team – your best defense against evolving threats. Ready to empower your workforce and build a cyber-resilient organization? Waiting for a cyberattack to happen is a recipe for disaster. Proactive preparation is the only way to protect your organization. Building a cyber-ready workforce is an ongoing process, but it's an investment that will pay off in the long run. Share your thoughts What are your biggest challenges in building a truly cyber-ready workforce? Share your experiences and challenges in the comments below.Pieces of the Puzzle – The Power of Interconnected Cyber Drills
A crisis doesn’t respect boundaries – it unfolds in real time, demanding responses from every level, from technical teams to executives. That’s exactly what we set out to simulate with our recent cyber drill, “Pieces of the Puzzle”, a high-intensity exercise that pushed over 300 team members into the deep end of crisis response. What set this drill apart was its interconnectivity – no single person had the full picture, and every decision mattered. A crisis unfolds in pieces The exercise was built around two fictional companies: FusionArc – A cloud-based IT infrastructure provider suffering a cyberattack Orchid Logistics – A global supply chain company, FusionArc’s largest customer, facing operational chaos due to the breach. Day one simulated a cyberattack on FusionArc Solutions, with participants acting as the incident response team investigating and responding to a breach of critical systems and sensitive data. This day showcased Immersive’s cyber range capabilities and the importance of continuous upskilling. It allowed participants to practice incident response protocols and sharpen their ability to detect, analyze, and respond to cyber threats. Live technical demos showcase real-time analysis and response, bringing the simulation to life and highlighting the skills needed to combat cyberattacks. Day two shifted the perspective to Orchid Logistics, whose global operations across four major regions were thrown into turmoil due to the cascading impact of the attack. Each region had its own challenges, from disrupted healthcare supply chains in Europe to financial uncertainty in North America. Different teams’ operations, legal, communications, finance, and crisis management were forced to make critical decisions with incomplete and often conflicting information. This wasn’t just about testing individual teams. It was about stress-testing the connections between them because, in a crisis, decisions have consequences. Every action (or inaction) ripples outward, shaping how an incident unfolds and determining the effectiveness of the response. The design: controlled chaos with a purpose Running a cyber drill at this scale required intricate planning. Each element was carefully orchestrated to simulate the real-life confusion of a crisis where information is fragmented, priorities clash, and leaders must make tough choices under pressure. Key elements included: Dynamic information flow – Teams received updates in real-time, with technical teams feeding insights to crisis managers, who in turn had to make strategic decisions for the business. Regional decision-making – Each region had its own crisis management team (CMT), responsible for navigating localized challenges while staying aligned with global headquarters. Cross-functional dependencies – Operations, legal, finance, and public relations all faced their own unique crises relating to the cyberattack, as well as other unrelated business continuity disruptions. Their ability to coordinate responses mirrored the true complexity of a global business disruption. Escalating pressure – Timed injects (new crisis updates), roaming media roleplayers, and breaking news images forced participants to adapt rapidly, just as they would in a real cyber event. By layering these complexities, the exercise tested technical incident response and the entire organization’s ability to work as a single unit under duress. We looked at disaster recovery, crisis management, and business continuity all in the same cyber drill. The power of perspective (or lack of it) A key takeaway from the drill was how overwhelming it felt. No one had the full picture – teams made decisions with only their slice of the crisis, just like in the real world. We saw participants grappling with conflicting information, wondering why other teams weren’t responding as expected. Some felt completely isolated until they realized that the missing information was sitting with another team in another region, experiencing a completely different part of the crisis. This is why interconnected drills are vital. They teach organizations to connect the dots and reinforce a crucial lesson: in high-stakes environments, every decision shapes the crisis’s trajectory. Prove and improve: the true value of cyber drills Cyber drills aren’t just theoretical exercises. They test response plans, communication, and decision-making under pressure while revealing areas for improvement. This drill pushed participants to work under stress and exposed gaps not just in technical response, but in collaboration, escalation, and decision-making. These exercises matter because they don’t just reveal weaknesses – they build resilience before a real crisis strikes. What this means for your organization Cyber threats affect entire businesses – customers, partners, supply chains, and finances. The biggest risk isn’t the attack itself but poor coordination in the response. That’s why cross-team exercises are vital: technical teams must know how and when to escalate, crisis managers must grasp the stakes, and executives must make quick decisions with limited information. Cyber drills don’t always have to be this large, but they must be realistic. Even smaller exercises focused on decision-making across teams can expose gaps in communication and preparedness before a real crisis does. Final thoughts: crisis readiness is built, not assumed In the debrief of Pieces of the Puzzle, one theme emerged repeatedly: we are only as strong as our connections. The most prepared organizations aren’t just those with the best tools or plans – they’re the ones who practice together and strengthen the human elements. Cyber drills push teams to break silos, act under pressure, and manage uncertainty. If you’re not running them regularly, the question isn’t if you’ll struggle in a crisis – it’s when. No matter your industry, scale, or risk landscape, the key takeaway is this: crisis preparedness isn’t just about reacting – it’s about ensuring every piece of the puzzle fits before the crisis hits. Are your teams ready to prove and improve? Share your thoughts Has this inspired you to plan a drill? Do you have any questions about planning or execution and need some pointers? Have you run a drill or been to a drill event, and if so, how did it feel? I’d love to hear from you and help you reach your goals.Experience-Driven and Intrinsic Learning in Cybersecurity
Experience-driven learning Experience-driven learning can take many forms, including: Practical simulations Role-playing exercises Individual hands-on learning Team-based exercising For example, some employees may be presented with micro exercises that pivot around key risk areas such as device security, data handling or social engineering. Others may participate in a tabletop exercise that simulates a ransomware attack, allowing them to practice incident response, crisis management, and recovery procedures in a safe and engaging environment. More technical teams can experience a real attack on real infrastructure in a cyber range, working together to identify and understand the attack using defensive and forensic tools. These types of activities foster intrinsic learning, driven by personal interest and the desire for self-improvement rather than external rewards like grades or promotions. These types of activities also engage natural human behaviours related to gamified learning, both individually and as a team. Intrinsic learning Intrinsic learning can be particularly valuable, especially in the context of cybersecurity, because it allows employees to develop a deeper understanding and appreciation of the subject matter beyond what is required for their job. This approach to learning is not only more engaging and effective but also helps organizations identify areas for improvement and potential vulnerabilities. Intrinsic learning can also help foster a culture of continuous learning within the workforce. By encouraging employees to pursue their interests and explore new areas of cybersecurity, organizations can create an environment where individuals feel empowered to take ownership of their learning and seek out new opportunities for growth and development. To make your cybersecurity training more experiential and foster intrinsic motivation for learning, consider the following steps: Align with personal goals Empower team members to align upskilling pathways with their career aspirations and professional development. Emphasize real-world relevance Showcase how the skills learned directly apply to current cybersecurity challenges and job responsibilities. Provide autonomy Allow learners to freely explore different topics and skills. Create a supportive environment Encourage peer-to-peer learning and mentorship opportunities to build a culture of continuous improvement. Celebrate progress Recognize and highlight individual and team achievements to boost confidence and motivation. Implement adaptive challenges Gradually increase difficulty levels, ensuring learners are consistently challenged but not overwhelmed - the right level of learning is more important than the quantity. Encourage reflection Prompt learners to analyse their performance after each exercise, especially team-based, fostering a growth mindset and self-awareness. Facilitate knowledge sharing Organize regular debriefing sessions where individuals can discuss their experiences and insights gained from the training. Connect to organizational impact Demonstrate how improved cybersecurity skills contribute to the overall success and resilience of the organization. Provide immediate feedback Leverage Immersive Labs' real-time feedback mechanisms to help individuals understand their progress and areas for improvement. By implementing these steps, you can create a more engaging and intrinsically motivating cybersecurity training experience, fostering a culture of continuous learning and skill development within your organization. Conclusion Incorporating intrinsic and experience-driven exercises into your cyber resilience strategy can be an effective way of measuring and improving your overall resilience. Today, the need to exercise effectively has become a key feature of many cyber security frameworks and directives such as ISO27001, NIS2 and DORA, requiring organisations to maintain proof with policies and procedures underpinned by data and results. What have you experienced in your own upskilling journeys to get you where you are today, have you found some ways work better than others; Individual, team, hands-on, theory, classroom? What are your favourite ways to learn and stay motivated with the ever-changing cyber landscape right now? Share your stories and insights in the comments below!
