Realizing the Full Potential of Drill Mode in Crisis Simulator
Unless you’ve been living under a rock for the last decade or so, you already know cyber crises have become increasingly prevalent – posing significant threats to organizations worldwide. Organizations must continuously assess and improve their technical and non-technical teams’ knowledge, skills, and judgment to combat these challenges. This is where Immersive Labs’ Crisis Simulator comes into play. With single-player, drill, and presentation modes available, organizations can conduct team exercises that simulate real-world cyber crises in a number of different formats to prevent exercise fatigue. This allows organizations to create an exercising-first culture – as one tabletop exercise a year just isn’t enough. Let’s dig more into drill mode and learn how it helps users realize the true potential of cyber crisis planning. Crisis Simulator Drill Mode: What is it? Drill mode is a multiplayer crisis exercising format which allows participants to assume specific roles and tackle role-specific challenges. The goal is to strengthen their domain knowledge and develop muscle memory to more effectively deal with an actual crisis. A Crisis Sim administrator can assign clearly defined roles by aligning participants’ tasks with their actual job duties, ensuring the drills reflect real-life scenarios. Upon assignment, players receive notifications about their upcoming exercise, followed by a message signaling the start of their role-specific decision point or “inject.” Drill mode follows a sequential “pass the baton” style relay, allowing only one role to have an active task at any given time, with the completion of an active task triggering the next task. Some exercises may require players to complete multiple injects in succession, creating a cohesive and dynamic experience. Individual players’ decisions (good or bad) will significantly impact how the scenario unfolds for others, mimicking the interdependence and complexity of real crises. Benefits for Customers Drill mode was developed using direct customer feedback. Immersive Labs users were looking to exercise teams with role-relevant content to increase exercising engagement. With drill mode, and unlike competing solutions, participants aren’t expected to answer injects outside their area of expertise – ensuring a more focused and realistic experience. Drill mode’s emphasis on role-specific tasks promotes a more authentic depiction of how crisis responses really unfold. Recognizing no individual holds all decision-making power during a crisis, Drill mode reinforces collaboration and coordination among team members. Data gathered during a drill scenario allows teams to identify points of weakness and develop targeted training interventions. Drill mode also enables organizations to track the time needed for participants to complete each inject. This valuable metric provides insights into individual and team performance, giving organizations more data to refine their crisis response strategies and optimize resource allocation. Embracing Remote-First Work Environments With the proliferation of remote work, Crisis Simulator’s drill mode adapts nicely to evolving organizational needs. Players receive notifications and contribute when required. This remote-first approach enables seamless participation and ensures teams are well-prepared, regardless of geographical dispersion. Our micro-drills allow key contributors to allocate less than 10 minutes per decision point, significantly reducing their time commitment compared to traditional full-day drills. This efficient utilization of resources maximizes productivity and minimizes disruption to daily operations. Immersive Yourself Drill mode is a powerful feature within the Crisis Simulator that unleashes the true potential of cyber crisis planning. By assigning clearly defined roles to participants, organizations can conduct team exercises where each player assumes their actual job role in completing an assigned task. With a strategic and measurable approach to cyber crisis preparedness, Crisis Simulation with drill mode identifies weaknesses and promotes collaboration among team members. With the ability to track inject completion time, adapt to remote work environments, and offer versatile scenario options, drill mode empowers organizations to build greater resilience in the face of cyber threats.A Step-by-Step Guide to Hosting Your Own Hacktober Event
Organizing engaging, informative, and enjoyable cybersecurity events like Swisscom's Hacktober event doesn't have to be daunting. With strategic groundwork and relevant, interactive challenges, you can create a cybersecurity event that is both fun and educational. Are you considering hosting a similar cybersecurity event? This blog provides a step-by-step guide to creating an impactful event, resulting in a more skilled and prepared workforce.Feature Focus: Introducing the AI Scenario Generator
In this blog, we’ll cover what this feature is and how you can use it. For this release, we’ve made creation as easy as possible. Just click Create with AI, add a title, and select options for organisational sector, attack vector, threat actor, and scenario size. This will generate a full scenario, from the briefing to the epilogue. You can even make a cuppa while it works!🪄✨ Once created, these scenarios can be published or edited and published in your organisation's catalogue. But how exactly does it work? Organisation admins can turn the AI Scenario Generator on and off in the platform settings area, so you’ll need this to be turned on if you want to try it out! Our AI Scenario Generator is currently only available to our Cyber Crisis Simulator customers. It’s based on technology provided by OpenAI, with generations based on publicly available data related to crisis management as well as our own Immersive Labs Crisis Sim catalogue. Organisation admins can choose to use the feature in a layered approach: No AI access at all: This means that your organisation has chosen not to enable the AI Scenario Generator. Without scenario sharing enabled: You can generate AI scenarios based only on the inputs shown in the generation box. With scenario sharing enabled: The AI will access specific parts of your previously published scenarios when generating new ones, ensuring the new scenario is highly relevant to your context. These settings can be updated on the organisation's settings page. If you’re keen to use the AI Scenario Generator but it’s not enabled in your organisation, you’ll need to discuss this with your internal Organization Administrator. If you’re an Organization Administrator and want to know more about the feature, contact your CSM. Tell me more about scenario sharing! If your organisation chooses to also enable scenario sharing, Immersive Labs will include specific information from any previous custom scenarios that you’ve published in the temporary “context window” for requests to our third-party AI vendor. A "context window" is an extension of the query sent to an AI model. It exists only during the processing of the query and isn’t saved by any third parties. The third-party AI vendor won’t use any of the information you share to train its models. Shared data will only ever be included in this temporary "context window" of generation and won’t be stored by the third-party AI vendor. The shared information includes scenario titles, descriptions, inject titles, and response options. It excludes feedback to response options, exercise information, reporting, account or organisation information fields, or metadata. Scenario sharing is designed to make the generated scenario more relevant to your particular context. You can still create scenarios using AI without scenario sharing, but your scenario will likely be more generic and less relevant to your particular organisational context. However, you can still edit the final version to make it more relevant to you – just like with our catalogue scenarios. Let’s not forget the human in the loop As with all things AI, we recommend that you review the AI output before publishing your scenario, to ensure it meets your needs. The AI Scenario Generator currently only generates text content, so you’ll probably want to add additional rich media, such as images or videos, to your scenario. To get the most out of your crisis simulation, we also recommend enabling, adding, changing, and checking certain elements. These include: Checking that you’re happy with the text formatting and narrative content Checking that you’re satisfied with the role listed Enabling and adding response feedback or performance indicators If you want to capture ranked response data, select the ranked options setting and add a rank (great, good, weak, okay) to each response option to suit your organisation's preferred situational response Turning on response confidence or justifications Get involved and share your thoughts! We know that AI is a hot topic and we’re keen to hear and capture your feedback and suggestions on this first release of our AI Scenario Generator as part of our user research taking place this November and December. If you want to participate in this research, you’ll be able to share your thoughts and experiences of using our AI tool and scenario creation more generally directly with our team. Comment below if you’d like to find out more, and we’ll contact you with further details! If you’re an Immersive Labs customer, you can find out more about the AI Scenario Generator in our FAQ guide.Crisis Sim Complete...Now What?
Picture it: you’ve designed, built, and exercised your first Crisis Sim. You're pleased with the scenario and satisfied to see your team sharpen their skills, deepen their understanding, and boost their incident readiness. You can bask in the glory of this job well done for a moment, but the journey of the Crisis Sim doesn’t end here. The devil is in the details of the exercise data. Completing the exercise and gathering the results is only the beginning of your journey of fostering people-centric cyber resilience! Not sure where to start? We’ve got you covered Remember how meticulously you mapped out those injects and options to build your scenario? The feedback options, the performance indicators, the branching paths, the exercise types? Your hard work is about to pay off. We’ve processed the exercise responses for you because you’ve earned it – and because there’s more work to be done. Next steps for managers Crafting outcomes from outputs You can expand on the work you’ve already put into the exercise by leveraging both the Results and the After Action Report (AAR) for your scenario in the Immersive platform. Follow these steps to access these items: Go to Crisis Sim in the Exercise tab. Locate your exercise. Hint: use the filters available on the left to show “ended” exercises. Click to open your “Ended” exercise. From there, you’ll see how to dive into the available outputs with a few clicks! If you need a bit more info, here are some additional guides from our Help Center: Where to find Crisis Sim exercise results & reports View Results After Action Report (AAR) Analyzing exercise results Results If you’re looking for granular data down to the details of each inject, you can find it here. In Results, you’ll see an overview including the summary from the exercise scenario, along with key details such as scoring and completion metrics. Need to examine responses to specific injects? In the platform, you can quickly drill down into each inject by using the navigation on the left-hand side of the report. By selecting an inject, you can review responses and start to see patterns that emerged throughout the exercise. If you’d prefer raw data, you can export a CSV file of your results. It's straightforward, packed with detail, and puts all the key metrics and figures within easy reach. Check out our documentation for more details on key information and metrics. This is an invaluable resource for anyone passionate about data! It allows you to establish a foundation, set comparative standards, and ultimately gauge and improve your cyber resilience – all with concrete data to back your efforts. If the mention of statistics and spreadsheets doesn't excite you, no worries, the Immersive platform generates an After Action Report for you 30 minutes after completion of your exercise. After Action Report (AAR) Enter the After Action Report! The AAR presents an interactive visualization of your data analysis, offering valuable insights at your fingertips. And, as a bonus, you can download it as a PDF. The AAR is more than a deliverable; it’s a guide to fostering a people-centric cyber resiliency culture. It offers an outline of the exercise and crucial data points that will help drive what you and your team do next. Overall performance, inject-by-inject analysis, and participant breakdown provide a comprehensive view of your team's current capabilities and readiness, wrapped up with relevant recommendations for you and your team. Remember, insights are only available for data that’s collected as part of your exercise, so make sure you offer ranked inject options and enable response confidence and feedback to maximize your exercising. This is defaulted in the Immersive Crisis Sim Catalog presentation scenarios. In the performance overview of the AAR, you'll encounter a high-level snapshot guide for your next steps. Think of this as a performance gauge (based on our experience with Immersive clients) that maps to the following: >=75%: Excellent >=50%: Good >= 25%: Fair >=0%: Needs improvement As you dive deeper into the AAR, these broader performance indicators unfold with more granular data, and you’ll be able to understand the gaps that exist in cyber resilience for your organization. Mind the gap By understanding your organization's current state, you can create targeted improvement plans, whether reinforcing strengths, addressing weaknesses, or identifying opportunities for further training and exercises. This provides a clear starting point for overall improvement and upskilling. Inject breakdowns help pinpoint your team's strengths and weaknesses. Imagine the exercise in a real-world scenario: would there be a data breach, or would operations continue as normal? Assess your team's confidence and accuracy in their responses to identify knowledge gaps and points of failure. Use these insights not to dwell on mistakes but to improve and ensure your team is well-prepared for future challenges. The participant breakdown takes this introspection into your team's capabilities a step further by plotting decision scores against confidence levels. This helps you understand the accuracy and confidence of your team’s responses. Are your strongest team members operating confidently? Are those with knowledge gaps posing risks by overcompensating with confidence? Create an action plan This data helps you prioritize your next steps. Will you address weaknesses, reinforce existing skills, or increase exercise frequency to build confidence? There are plenty of upskilling routes to choose from. After each exercise, you'll see related Crisis Sim scenarios and lab content based on the threats and attack vectors encountered. When creating your action plan, you should consider the following outcomes and their related recommendations: Weaknesses identified at the individual level ⇢ Assign recommended lab content to key users, and reinforce the importance of upskilling by communicating the purpose of the content. Hint: Don’t forget to use assignment deadlines to effectively track progress and keep the team on track. The participants' skills resulted in high accuracy decision-making but low confidence ⇢ Reinforce strengths with clear communication of processes and expectations. Consider reviewing your internal playbooks! Are processes clear, concise, and aligned with organizational needs and expectations? Are policies current and up to date? Are there conflicting processes or policies within your organization? The team performed exceptionally across the board with high confidence ⇢ Test response readiness by exercising on a more difficult level scenario. Does the team excel in all areas, or is this an opportunity to better prepare? The landscape is constantly changing, and new threats are constantly emerging. Ensure your team has a wide breadth of knowledge and coverage by continuously proving their skills and encouraging further learning. Three essential steps to maximize your post-simulation impact Of course, you know your organization and teams best, so the Crisis Sim results are always best interpreted by you. Once you’ve analyzed and understood the results, prioritize these steps: Review the results and gather feedback promptly to identify growth opportunities. Did outcomes align with expectations, or were there surprises? Plan specific changes for future Crisis Sim exercises and build a strategic timeline. Should you adjust the difficulty or coverage areas? Is there time for additional training between exercises? Create an action plan with clear objectives, owners, and deadlines to ensure individual and team development. What other organizational stakeholders should you bring in moving forward? And what will be important for them in Crisis Sim exercising? Share your thoughts If you’ve recently completed your first Crisis Sim exercise, what will you do next? If you’ve completed many, what tips do you have for others? Join the discussion below!When the Lights Went Out at Heathrow: A Crisis That Was Never Meant to Be “Won”
In the early hours of March 21, 2025, a fire broke out at the North Hyde electrical substation in West London, just a few miles from Heathrow Airport. Within hours, a local infrastructure incident had triggered widespread disruption across the global aviation ecosystem. Flights were grounded, operations were halted, passengers were stranded, and local residents were left without power. Suddenly, one of the most connected airports in the world found itself completely disconnected. This wasn’t just a power failure, it was a systems failure. The fire itself was severe yet containable, but what unfolded afterward exposed far deeper vulnerabilities. It has since been claimed that Heathrow had “enough power” from other substations, which now raises difficult but fair questions: If there was enough power, why shut the airport down completely? If there wasn’t, why wasn’t the site resilient enough to handle a failure like this? And most importantly, how did one single point of failure have this much impact on such a critical national and international asset? These are the questions that will dominate the post-crisis scrutiny, but while many rush to applaud or condemn, I think the truth lies somewhere more uncomfortable. Crisis leadership isn’t about perfect outcomes Crisis response is never clean. It’s messy, fast-moving and incomplete. You make decisions with partial data, under pressure, in real time. And in the majority of cases, you choose between bad and worse – which is exactly what Heathrow’s leadership team faced: Compromised infrastructure Uncertainty about the integrity of power and systems Thousands of passengers on site and mid-flight en route to the airport Global operations and supply chain at risk The common response is, “we need to tackle all of these problems” – and rightly so – but what people often forget is that in a crisis, you don’t have the resources, time, or information to tackle everything at once. Heathrow's leadership chose safety and containment, and in just under 24 hours, they were back online again. That’s impressive. That’s recovery under pressure, and that’s business continuity in action. But it doesn’t mean everything was done right, and it certainly doesn’t mean we shouldn’t ask hard questions. “Enough power” means nothing without operational continuity Having backup power doesn’t mean having functional operations. Power alone doesn’t run an airport – systems, processes, and people do. If the backup didn’t maintain critical systems like baggage handling, communications, lighting, or security, then the airport was right to shut down. However, the next question is, why didn’t those systems have their own layers of protection, and where was the true resilience? This leads us to the real issue: this wasn’t just about Heathrow, it was about the entire ecosystem. Resilience isn’t just a plan – it’s a whole system of dependencies The recent disruption is a real reminder that resilience doesn’t just live inside an organization. It lives across every partner, vendor, and hidden dependency. In critical services like aviation, the biggest vulnerabilities are often outside the walls of your own operation. There’s a web of partners involved in keeping an airport running: Power providers Facilities management IT and communications vendors Outsourced security Maintenance crews Air traffic systems Second and third-tier subcontractors Many of these providers sit outside the organization’s direct control, yet their failures become your crisis in an instant. True resilience requires more than internal readiness, it demands visibility across the whole supply and vendor chain, coordination protocols with external stakeholders, and clear ownership of critical functions. When something breaks in the background, you won’t have time to figure out who’s responsible; you’ll only care about who can fix it. So identifying and (most importantly) testing and exercising your supply chain is paramount. This wasn’t a “winnable” crisis – and that’s the point I’ll discuss this concept further in my upcoming webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty, but the Heathrow disruption is a perfect case study. This was never going to be a clean “win.” No plan could have delivered a flawless response, and no leader could have avoided disruption entirely. Instead, this crisis asked a different question: When everything seems to be falling apart, can you contain the damage, protect your people, and recover quickly? That’s the real test. It’s what separates the theoretical resilience plans from the operational reality. Heathrow passed parts of that test, but the system around it has questions to answer, and every other organization watching should be asking the same thing: “How many hidden dependencies are we one substation, one outage, one contractor failure away from exposing?” The next crisis may not give you a warning, and it certainly won’t give you time to figure out who’s holding it all together. Crisis leadership isn’t about perfection; it’s about being ready for the moment when no perfect option exists. The question now is, what did it reveal that we can’t afford to ignore? Ready to prepare for true crisis readiness? Join me for the upcoming community webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty on April 11. We’ll explore what true crisis readiness looks like and how you prepare your team to lead when there is no “win” – only choices.Between Two Sims: What To Focus On Between Exercises
We're back with another installment of our series for managers using Crisis Sim. If you haven’t already, be sure to check out Episode 1, which covers Crisis Sim outcomes for managers. The results and data from your first Crisis Sim exercise provided valuable insight into your team’s decision-making skills. But you know this isn’t a one-and-done thing – the landscape is ever changing. There are always new ways to arm yourself and your organization with knowledge and skills. Enhancing your cyber resiliency and improving the quality of your responses to incidents allows you to get back to the most fantastic and underrated aspect of your role as a cybersecurity professional – maintaining business-as-usual operations without interruptions. The opportunities are endless. Where should you focus your efforts? Episode 1 covered outcomes by means of the Results and After Action Report sections of the platform when you complete a Crisis Sim exercise. This blog post will shift gears to what goes on – or should be going on – between exercises. Next steps for managers between exercises Exercise debrief Host a debriefing session for exercise participants and any key stakeholders in your organization you’d like to gather feedback or additional insights from. Debriefing is a valuable process following any exercise, providing a structured opportunity for reflection and learning. Primarily, you’ll want to discuss successes, identify areas for improvement, and gather feedback. A successful exercise debrief will include: Clear expectations and ground rules Reflection on successes and challenges A review of existing processes and procedures Feedback on the scenario, delivery, and identifying improvements for the future Details around the lessons you learned from the exercise Defining action items and ownership Moreover, debriefing fosters open communication and builds trust within teams, strengthening their resilience and overall effectiveness. If you’re looking for additional guidance on debriefs, check out our guide in the Help Center! Internal review If time allows, take a step back and conduct an internal review with stakeholders and leadership. This can be an opportunity to identify trends or recurring patterns that might need a deeper dive, and allow you to determine what’s most important from a leadership perspective going forward. Be sure to consider the following in your internal review: Did you come across any knowledge gaps or assumptions that surprised you? Did you come across any areas of strength that were unexpected? Should you adjust the difficulty or coverage areas? Does the team need to be benchmarked against this same scenario in the future? What other organizational stakeholders should you bring in moving forward? And what will be important for them in Crisis Sim exercising? Implement insights Demonstrate your commitment to improving cyber resiliency by fostering a collaborative learning environment. Encourage open and honest dialogue where your team feels comfortable sharing their perspectives freely, without fear of judgment. This will help you identify both strengths and weaknesses, providing valuable insights that may not be apparent from your own perspective. By implementing changes based on this valuable feedback, you prove your dedication to continuous improvement. Your action plan A key component to improving your organizational cyber resilience is creating and executing an action plan with clear objectives, stakeholders, and deadlines. The After Action Report from your last exercise will provide a solid foundation, but these specifics will help you enhance its impact. Dive into the Inject and Participant Breakdown areas of the After Action Report – this will help you pinpoint your team’s strengths and weaknesses identified in the last exercise, or identify participants that could benefit from individualized training plans to accelerate their development. Using this existing information will help you specify the concepts or topics of priority for you to address between exercises, begin benchmarking progress, and explore additional scenarios down the road. Review scenarios and upskilling content relevant to the areas you identified as needing improvement from the last exercise. In Crisis Sim, you can leverage the existing scenarios in our catalogue, create a custom scenario (from scratch or using our templates), and even take our AI Scenario Generator for a spin! Tip: Exercise specific teams or individuals in Single Player mode between organization-wide sessions to give them additional opportunities to improve their decision-making process. Three key areas of focus between exercises You know your organization and teams best, so what works best for your program between Crisis Sim exercises is up to you. But we encourage prioritizing these areas: Debriefing and feedback sessions to get the most value out of your exercises Individualized or team-focused learning plans for upskilling – don’t forget to leverage relevant content in labs! Reviewing and updating internal processes and procedures that may be out of date or contradictory If you’ve recently completed your first Crisis Sim exercise and begun working on goals for improvement between exercises, what have you focused on? If you’ve completed many, what tips do you have for others? Join the discussion in the comments below!The Softer Side: Non-technical Benefits to Technical Team Exercises
In my role, I have the privilege of working with many different organizations through their technical exercise events and programs. One of the most rewarding aspects is seeing the spark ignite in the people as they band together to achieve a common objective. In this article, I’ll be sharing some of the common benefits I see emerge across organizations of all sizes, industries, and maturity levels, no matter the exercise's purpose. Encouraging curiosity and problem-solving Cyber Range Exercises provide a virtual network environment to explore. Defensive exercises focus on detecting and monitoring malicious activity, while offensive exercises involve exploiting vulnerabilities to uncover target information. Within these simulated environments, participants must utilize a wide array of skills and decide on the best approach, as the correct course of action isn't always obvious. This technical challenge is great for reinforcing knowledge and applying skills. I've seen players puzzle over unsuccessful methods, forcing them to rethink their approach entirely, asking plenty of “what if” questions before testing them out. This experimentation process educates players while simultaneously promoting lateral thinking and encourages sharing problem-solving insights. Improved communication Trawling through logs and analyzing (or preparing) a malicious payload usually calls for quiet focus. But in the real world, we’re rarely working alone. More often than not, investigations and tests happen in small teams, under pressure, and good communication becomes just as important as technical skill. That’s why team-based exercises reflect this reality. You’ve got to explain what you’re doing clearly, so everyone’s on the same page – both in terms of the situation and the technical jargon. Creating clear written logs and documentation matters too, especially in incidents where language may need to be adapted for different audiences. The most effective teams I've observed in these exercises prioritize organization. They set up a central place to track everything – whether that’s a Teams channel, a spreadsheet, or a crisis response tool – and they’re smart about assigning roles and carving out time to keep everyone synced up. Better distraction management A deliberate challenge I sometimes incorporate into technical exercises is surprise leadership requests for incident updates. This tests the team's ability to rapidly consolidate information under pressure, dealing with the uncertainties of an active investigation. Teams with strong organization, detailed incident logs, and a dedicated spokesperson or team leader consistently manage these interruptions best. Practicing in a simulated setting helps teams stay productive and accurate, even when real-world distractions come into play. It builds the ability to block out noise, manage stakeholders, stay focused on individual tasks while keeping sight of team goals, and smoothly switch contexts when needed. Stronger team dynamics Unlike individual training, these exercises require participants to actively communicate, share knowledge, and rely on each other's strengths to achieve a common goal. Team members learn to understand each other's working styles, identify individual expertise, and build trust in their colleagues' abilities. The shared experience of overcoming technical challenges, even simulated ones, creates a sense of camaraderie and shared accomplishment. While every team comprises diverse personalities and communication styles, it's crucial that each individual feels comfortable and empowered to share their insights and findings. These contributions can significantly alter the outcome; for instance, a critical discovery during a technical investigation might directly influence the business's crisis response strategy. Increased efficiency The more a team works together responding to the exercise challenges, the more they develop shared understandings of processes and expectations, learn to delegate effectively, and identify bottlenecks in their collaborative efforts. Eliminating issues arising from a lack of confidence or familiarity with the team or processes is especially critical for incident response teams, leading to quicker response times and improved agility when situations change rapidly. After each exercise, I like to conduct a team debrief, which is crucial for reflecting on lessons learned. Prompting players to consider their individual strengths and challenges, alongside open discussion about team dynamics and processes, helps identify opportunities for improvement. Technical exercises are undoubtedly key to boosting individual technical proficiency. However, their even greater value lies in cultivating these skills alongside the crucial professional attributes demanded by our field. Considering the significant pressure and expectations placed on these teams to deliver trustworthy outcomes, ensuring their preparedness within a high-trust setting is essential. These are merely some of the advantages I've witnessed through these exercises. Share your thoughts What benefits have you experienced through technical exercising? Share your thoughts in the comments!
