Tackling technical challenges: Attending Immersive’s cyber drill in London
I recently had the pleasure of attending a unique and highly engaging cyber drill in the heart of London, right next to the iconic Tower of London and Tower Bridge. These landmarks always leave me in awe, even though I was born and brought up in London. The event was attended by a combination of industry leaders, and even those early in their cyber journey. We took part in a dynamic crisis simulation and an intense technical exercise using the Immersive online platform. Mirroring real-world challenges First, we were presented with a realistic scenario covering a major cybersecurity incident at a fictional organisation. The cyber drill encouraged attendees to collaborate and decide on the best course of action through several interactive scenes. These interactive exercises closely mirrored the challenges and discussions we see during real-world incidents, accurately capturing the importance of involving necessary stakeholders and making timely but effective decisions. They also reflected the intense pressure of making informed decisions that could have severe consequences for the wider organisation. Testing technical abilities A highlight of this cyber drill, however, was the addition of a technical exercise. When I say technical, I mean technical! There was nothing toned down in this exercise. Attendees were given an opportunity to really get their hands dirty and use the impressive lab environments found on the Immersive platform, all specifically tailored for this cyber drill. This was as close as it could get to a technical cyber response exercise, but in a safe and friendly environment. I found myself analysing Splunk logs, threat hunting, and even decrypting data (or trying to at least) to find the underlying cause of this incident and aid my colleagues taking part in the wider crisis simulation. The technical exercise further highlighted the importance of continuous development and training within cybersecurity. My technical abilities were genuinely tested, and I loved “learning by doing”. It was also a pleasure to see peers who were tackling these technical challenges for the first time – something made less daunting by the intuitive Immersive platform. I was also reminded of the importance of seeing the bigger picture during these incidents. While focusing on the technical challenges was a lot of fun, it was even more enjoyable to see how obtaining critical data could inform the wider decision-making processes. The value of in-person engagements During the event, I found myself asking: could this cyber drill have taken place virtually? The answer was yes, of course it could. I’ve attended many virtual events and found them particularly useful and convenient. But would a virtual event have been as interactive and insightful as this was? Definitely not! Ever since the COVID pandemic took over our lives in 2020, we’ve gotten used to the remote way of life. It’s so convenient to jump onto remote calls from various parts of the world, but there always seems to be something missing. This event reminded me why in-person engagements have that special spark that remote events don’t. Whether it’s the informal chat over tea and sandwiches or the initial introduction at your table, these small human interactions are priceless and add more depth to our learning experiences than we may appreciate. I found that once you take away the titles or certifications, we’re all people united by a shared purpose of protecting those around us, be they at work or at home. Knowledge sharing and collaboration I met with industry leaders and cyber professionals, all facing remarkably similar challenges in their own sectors. It was a good reminder that we’re never alone in the world of cyber. There are colleagues out there who demonstrate cyber resilience daily and bring their own unique method to the madness. I thoroughly enjoyed knowledge sharing and collaborating with these other professionals – their fresh perspectives and external views were extremely insightful. The threats we face in cybersecurity are similar across different industries, but it’s the wider consequences that seem to differ. Colleagues from other sectors were open to sharing their knowledge and expertise with the audience. This cyber drill was a great reminder about the value of teamwork in cybersecurity. We all play an important role, be it technical or not. In the rapidly evolving world of cybersecurity, there's something for everyone, and I look forward to the next event!When the Lights Went Out at Heathrow: A Crisis That Was Never Meant to Be “Won”
In the early hours of March 21, 2025, a fire broke out at the North Hyde electrical substation in West London, just a few miles from Heathrow Airport. Within hours, a local infrastructure incident had triggered widespread disruption across the global aviation ecosystem. Flights were grounded, operations were halted, passengers were stranded, and local residents were left without power. Suddenly, one of the most connected airports in the world found itself completely disconnected. This wasn’t just a power failure, it was a systems failure. The fire itself was severe yet containable, but what unfolded afterward exposed far deeper vulnerabilities. It has since been claimed that Heathrow had “enough power” from other substations, which now raises difficult but fair questions: If there was enough power, why shut the airport down completely? If there wasn’t, why wasn’t the site resilient enough to handle a failure like this? And most importantly, how did one single point of failure have this much impact on such a critical national and international asset? These are the questions that will dominate the post-crisis scrutiny, but while many rush to applaud or condemn, I think the truth lies somewhere more uncomfortable. Crisis leadership isn’t about perfect outcomes Crisis response is never clean. It’s messy, fast-moving and incomplete. You make decisions with partial data, under pressure, in real time. And in the majority of cases, you choose between bad and worse – which is exactly what Heathrow’s leadership team faced: Compromised infrastructure Uncertainty about the integrity of power and systems Thousands of passengers on site and mid-flight en route to the airport Global operations and supply chain at risk The common response is, “we need to tackle all of these problems” – and rightly so – but what people often forget is that in a crisis, you don’t have the resources, time, or information to tackle everything at once. Heathrow's leadership chose safety and containment, and in just under 24 hours, they were back online again. That’s impressive. That’s recovery under pressure, and that’s business continuity in action. But it doesn’t mean everything was done right, and it certainly doesn’t mean we shouldn’t ask hard questions. “Enough power” means nothing without operational continuity Having backup power doesn’t mean having functional operations. Power alone doesn’t run an airport – systems, processes, and people do. If the backup didn’t maintain critical systems like baggage handling, communications, lighting, or security, then the airport was right to shut down. However, the next question is, why didn’t those systems have their own layers of protection, and where was the true resilience? This leads us to the real issue: this wasn’t just about Heathrow, it was about the entire ecosystem. Resilience isn’t just a plan – it’s a whole system of dependencies The recent disruption is a real reminder that resilience doesn’t just live inside an organization. It lives across every partner, vendor, and hidden dependency. In critical services like aviation, the biggest vulnerabilities are often outside the walls of your own operation. There’s a web of partners involved in keeping an airport running: Power providers Facilities management IT and communications vendors Outsourced security Maintenance crews Air traffic systems Second and third-tier subcontractors Many of these providers sit outside the organization’s direct control, yet their failures become your crisis in an instant. True resilience requires more than internal readiness, it demands visibility across the whole supply and vendor chain, coordination protocols with external stakeholders, and clear ownership of critical functions. When something breaks in the background, you won’t have time to figure out who’s responsible; you’ll only care about who can fix it. So identifying and (most importantly) testing and exercising your supply chain is paramount. This wasn’t a “winnable” crisis – and that’s the point I’ll discuss this concept further in my upcoming webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty, but the Heathrow disruption is a perfect case study. This was never going to be a clean “win.” No plan could have delivered a flawless response, and no leader could have avoided disruption entirely. Instead, this crisis asked a different question: When everything seems to be falling apart, can you contain the damage, protect your people, and recover quickly? That’s the real test. It’s what separates the theoretical resilience plans from the operational reality. Heathrow passed parts of that test, but the system around it has questions to answer, and every other organization watching should be asking the same thing: “How many hidden dependencies are we one substation, one outage, one contractor failure away from exposing?” The next crisis may not give you a warning, and it certainly won’t give you time to figure out who’s holding it all together. Crisis leadership isn’t about perfection; it’s about being ready for the moment when no perfect option exists. The question now is, what did it reveal that we can’t afford to ignore? Ready to prepare for true crisis readiness? Join me for the upcoming community webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty on April 11. We’ll explore what true crisis readiness looks like and how you prepare your team to lead when there is no “win” – only choices.Level Up Your Resilience: Unlocking the Power of Cyber Drills with Immersive
Hello Immersive Community! You're already familiar with our hands-on learning and real-world scenarios to level up your cyber skills. You've seen how our labs and exercises can boost individual capabilities and build stronger teams. But are you ready to dive deep into ways to develop your organization's resilience? Today, we're diving into a crucial aspect of building true cyber readiness: Cyber Drilling. You might have heard the term before, but to really understand its comprehensive power and how it can improve your security posture, we're excited to highlight The Definitive Guide to Cyber Drilling. This is your essential resource, explaining everything from fundamental concepts to advanced implementation strategies for realistic cyber attack simulations that exercise both your technical and business leadership teams. In this series, we'll explore what a comprehensive Cyber Drilling program entails and, more importantly, how you, as part of the Immersive community, can leverage it to strengthen your organization's defenses – all laid out within the guide. As Phil Venables, CISO of Google Cloud, wisely stated, "The best training of all is a drill, exercise, or even a live-fire event. Having drills and exercises that get as close to reality as possible and test your people as well as your systems is ideal." 1 This isn't just about individual skill anymore; it's about how your entire organization performs when faced with a real-world cyber crisis – a concept thoroughly explored in the guide. Beyond Individual Labs: The Organizational View You've mastered individual labs, honed your threat hunting skills in Cyber Ranges, and perhaps even navigated crisis scenarios using simulations. These are vital building blocks. Cyber Drilling, as detailed in The Definitive Guide, applies that foundation to a broader organizational context, simulating real attacks to test technical prowess, communication, decision-making under pressure, and the effectiveness of your incident response plans across different teams. Think of Cyber Drilling as the ultimate "stress test" for your cyber defenses. It moves beyond theoretical knowledge and puts your collective capabilities to the test in a safe environment, revealing strengths and identifying areas for improvement you might not uncover through individual training alone – a comprehensive overview of which is provided in the guide. Why Should the Immersive Community Embrace Cyber Drills? As valued community members, you already understand the power of immersive learning. Cyber Drills are the natural evolution of that approach, offering significant benefits for your organization: Prove Your Readiness: Cyber Drills allow you to demonstrate the impact of your Immersive investment by showcasing your team's response capabilities. Identify Organizational Weaknesses: The methodologies explain how drills expose broader organizational gaps. Optimize Your Incident Response: Practical guidance helps you test and refine your plans. Enhance Team Cohesion: The principles highlight how drills improve collaboration. Demonstrate Value to Stakeholders: Use the frameworks to provide tangible evidence of preparedness. What Makes a Cyber Drill Effective? Just like our individual labs are designed for maximum learning impact, effective Cyber Drills share key characteristics: Leveraging Multiple Skills Creating Realistic Pressure Emphasizing Clear Communication Providing a Comprehensive View Mirroring Real-World Threats Tailored to Your Needs Driving Continuous Improvement What's Next? This is just the first step in understanding the power of Cyber Drilling. In the upcoming parts of this series, we'll delve into the practicalities of implementing these powerful exercises within your organization, building upon the foundation you've already established with Immersive – all based on the comprehensive insights within The Definitive Guide: Part 2: Planning and Executing Effective Cyber Drills: We'll explore how to define your objectives and develop scenarios. Part 3: Analyzing Results and Building a Culture of Continuous Improvement: We'll discuss how to interpret drill data and drive improvements. Unlock the full potential of your preparedness and enhance your organization's cyber resilience through the strategic practice of Cyber Drilling, which begins with The Definitive Guide to Cyber Drilling.The Softer Side: Non-technical Benefits to Technical Team Exercises
In my role, I have the privilege of working with many different organizations through their technical exercise events and programs. One of the most rewarding aspects is seeing the spark ignite in the people as they band together to achieve a common objective. In this article, I’ll be sharing some of the common benefits I see emerge across organizations of all sizes, industries, and maturity levels, no matter the exercise's purpose. Encouraging curiosity and problem-solving Cyber Range Exercises provide a virtual network environment to explore. Defensive exercises focus on detecting and monitoring malicious activity, while offensive exercises involve exploiting vulnerabilities to uncover target information. Within these simulated environments, participants must utilize a wide array of skills and decide on the best approach, as the correct course of action isn't always obvious. This technical challenge is great for reinforcing knowledge and applying skills. I've seen players puzzle over unsuccessful methods, forcing them to rethink their approach entirely, asking plenty of “what if” questions before testing them out. This experimentation process educates players while simultaneously promoting lateral thinking and encourages sharing problem-solving insights. Improved communication Trawling through logs and analyzing (or preparing) a malicious payload usually calls for quiet focus. But in the real world, we’re rarely working alone. More often than not, investigations and tests happen in small teams, under pressure, and good communication becomes just as important as technical skill. That’s why team-based exercises reflect this reality. You’ve got to explain what you’re doing clearly, so everyone’s on the same page – both in terms of the situation and the technical jargon. Creating clear written logs and documentation matters too, especially in incidents where language may need to be adapted for different audiences. The most effective teams I've observed in these exercises prioritize organization. They set up a central place to track everything – whether that’s a Teams channel, a spreadsheet, or a crisis response tool – and they’re smart about assigning roles and carving out time to keep everyone synced up. Better distraction management A deliberate challenge I sometimes incorporate into technical exercises is surprise leadership requests for incident updates. This tests the team's ability to rapidly consolidate information under pressure, dealing with the uncertainties of an active investigation. Teams with strong organization, detailed incident logs, and a dedicated spokesperson or team leader consistently manage these interruptions best. Practicing in a simulated setting helps teams stay productive and accurate, even when real-world distractions come into play. It builds the ability to block out noise, manage stakeholders, stay focused on individual tasks while keeping sight of team goals, and smoothly switch contexts when needed. Stronger team dynamics Unlike individual training, these exercises require participants to actively communicate, share knowledge, and rely on each other's strengths to achieve a common goal. Team members learn to understand each other's working styles, identify individual expertise, and build trust in their colleagues' abilities. The shared experience of overcoming technical challenges, even simulated ones, creates a sense of camaraderie and shared accomplishment. While every team comprises diverse personalities and communication styles, it's crucial that each individual feels comfortable and empowered to share their insights and findings. These contributions can significantly alter the outcome; for instance, a critical discovery during a technical investigation might directly influence the business's crisis response strategy. Increased efficiency The more a team works together responding to the exercise challenges, the more they develop shared understandings of processes and expectations, learn to delegate effectively, and identify bottlenecks in their collaborative efforts. Eliminating issues arising from a lack of confidence or familiarity with the team or processes is especially critical for incident response teams, leading to quicker response times and improved agility when situations change rapidly. After each exercise, I like to conduct a team debrief, which is crucial for reflecting on lessons learned. Prompting players to consider their individual strengths and challenges, alongside open discussion about team dynamics and processes, helps identify opportunities for improvement. Technical exercises are undoubtedly key to boosting individual technical proficiency. However, their even greater value lies in cultivating these skills alongside the crucial professional attributes demanded by our field. Considering the significant pressure and expectations placed on these teams to deliver trustworthy outcomes, ensuring their preparedness within a high-trust setting is essential. These are merely some of the advantages I've witnessed through these exercises. Share your thoughts What benefits have you experienced through technical exercising? Share your thoughts in the comments!Pieces of the Puzzle – The Power of Interconnected Cyber Drills
A crisis doesn’t respect boundaries – it unfolds in real time, demanding responses from every level, from technical teams to executives. That’s exactly what we set out to simulate with our recent cyber drill, “Pieces of the Puzzle”, a high-intensity exercise that pushed over 300 team members into the deep end of crisis response. What set this drill apart was its interconnectivity – no single person had the full picture, and every decision mattered. A crisis unfolds in pieces The exercise was built around two fictional companies: FusionArc – A cloud-based IT infrastructure provider suffering a cyberattack Orchid Logistics – A global supply chain company, FusionArc’s largest customer, facing operational chaos due to the breach. Day one simulated a cyberattack on FusionArc Solutions, with participants acting as the incident response team investigating and responding to a breach of critical systems and sensitive data. This day showcased Immersive’s cyber range capabilities and the importance of continuous upskilling. It allowed participants to practice incident response protocols and sharpen their ability to detect, analyze, and respond to cyber threats. Live technical demos showcase real-time analysis and response, bringing the simulation to life and highlighting the skills needed to combat cyberattacks. Day two shifted the perspective to Orchid Logistics, whose global operations across four major regions were thrown into turmoil due to the cascading impact of the attack. Each region had its own challenges, from disrupted healthcare supply chains in Europe to financial uncertainty in North America. Different teams’ operations, legal, communications, finance, and crisis management were forced to make critical decisions with incomplete and often conflicting information. This wasn’t just about testing individual teams. It was about stress-testing the connections between them because, in a crisis, decisions have consequences. Every action (or inaction) ripples outward, shaping how an incident unfolds and determining the effectiveness of the response. The design: controlled chaos with a purpose Running a cyber drill at this scale required intricate planning. Each element was carefully orchestrated to simulate the real-life confusion of a crisis where information is fragmented, priorities clash, and leaders must make tough choices under pressure. Key elements included: Dynamic information flow – Teams received updates in real-time, with technical teams feeding insights to crisis managers, who in turn had to make strategic decisions for the business. Regional decision-making – Each region had its own crisis management team (CMT), responsible for navigating localized challenges while staying aligned with global headquarters. Cross-functional dependencies – Operations, legal, finance, and public relations all faced their own unique crises relating to the cyberattack, as well as other unrelated business continuity disruptions. Their ability to coordinate responses mirrored the true complexity of a global business disruption. Escalating pressure – Timed injects (new crisis updates), roaming media roleplayers, and breaking news images forced participants to adapt rapidly, just as they would in a real cyber event. By layering these complexities, the exercise tested technical incident response and the entire organization’s ability to work as a single unit under duress. We looked at disaster recovery, crisis management, and business continuity all in the same cyber drill. The power of perspective (or lack of it) A key takeaway from the drill was how overwhelming it felt. No one had the full picture – teams made decisions with only their slice of the crisis, just like in the real world. We saw participants grappling with conflicting information, wondering why other teams weren’t responding as expected. Some felt completely isolated until they realized that the missing information was sitting with another team in another region, experiencing a completely different part of the crisis. This is why interconnected drills are vital. They teach organizations to connect the dots and reinforce a crucial lesson: in high-stakes environments, every decision shapes the crisis’s trajectory. Prove and improve: the true value of cyber drills Cyber drills aren’t just theoretical exercises. They test response plans, communication, and decision-making under pressure while revealing areas for improvement. This drill pushed participants to work under stress and exposed gaps not just in technical response, but in collaboration, escalation, and decision-making. These exercises matter because they don’t just reveal weaknesses – they build resilience before a real crisis strikes. What this means for your organization Cyber threats affect entire businesses – customers, partners, supply chains, and finances. The biggest risk isn’t the attack itself but poor coordination in the response. That’s why cross-team exercises are vital: technical teams must know how and when to escalate, crisis managers must grasp the stakes, and executives must make quick decisions with limited information. Cyber drills don’t always have to be this large, but they must be realistic. Even smaller exercises focused on decision-making across teams can expose gaps in communication and preparedness before a real crisis does. Final thoughts: crisis readiness is built, not assumed In the debrief of Pieces of the Puzzle, one theme emerged repeatedly: we are only as strong as our connections. The most prepared organizations aren’t just those with the best tools or plans – they’re the ones who practice together and strengthen the human elements. Cyber drills push teams to break silos, act under pressure, and manage uncertainty. If you’re not running them regularly, the question isn’t if you’ll struggle in a crisis – it’s when. No matter your industry, scale, or risk landscape, the key takeaway is this: crisis preparedness isn’t just about reacting – it’s about ensuring every piece of the puzzle fits before the crisis hits. Are your teams ready to prove and improve? Share your thoughts Has this inspired you to plan a drill? Do you have any questions about planning or execution and need some pointers? Have you run a drill or been to a drill event, and if so, how did it feel? I’d love to hear from you and help you reach your goals.Experience-Driven and Intrinsic Learning in Cybersecurity
Experience-driven learning Experience-driven learning can take many forms, including: Practical simulations Role-playing exercises Individual hands-on learning Team-based exercising For example, some employees may be presented with micro exercises that pivot around key risk areas such as device security, data handling or social engineering. Others may participate in a tabletop exercise that simulates a ransomware attack, allowing them to practice incident response, crisis management, and recovery procedures in a safe and engaging environment. More technical teams can experience a real attack on real infrastructure in a cyber range, working together to identify and understand the attack using defensive and forensic tools. These types of activities foster intrinsic learning, driven by personal interest and the desire for self-improvement rather than external rewards like grades or promotions. These types of activities also engage natural human behaviours related to gamified learning, both individually and as a team. Intrinsic learning Intrinsic learning can be particularly valuable, especially in the context of cybersecurity, because it allows employees to develop a deeper understanding and appreciation of the subject matter beyond what is required for their job. This approach to learning is not only more engaging and effective but also helps organizations identify areas for improvement and potential vulnerabilities. Intrinsic learning can also help foster a culture of continuous learning within the workforce. By encouraging employees to pursue their interests and explore new areas of cybersecurity, organizations can create an environment where individuals feel empowered to take ownership of their learning and seek out new opportunities for growth and development. To make your cybersecurity training more experiential and foster intrinsic motivation for learning, consider the following steps: Align with personal goals Empower team members to align upskilling pathways with their career aspirations and professional development. Emphasize real-world relevance Showcase how the skills learned directly apply to current cybersecurity challenges and job responsibilities. Provide autonomy Allow learners to freely explore different topics and skills. Create a supportive environment Encourage peer-to-peer learning and mentorship opportunities to build a culture of continuous improvement. Celebrate progress Recognize and highlight individual and team achievements to boost confidence and motivation. Implement adaptive challenges Gradually increase difficulty levels, ensuring learners are consistently challenged but not overwhelmed - the right level of learning is more important than the quantity. Encourage reflection Prompt learners to analyse their performance after each exercise, especially team-based, fostering a growth mindset and self-awareness. Facilitate knowledge sharing Organize regular debriefing sessions where individuals can discuss their experiences and insights gained from the training. Connect to organizational impact Demonstrate how improved cybersecurity skills contribute to the overall success and resilience of the organization. Provide immediate feedback Leverage Immersive Labs' real-time feedback mechanisms to help individuals understand their progress and areas for improvement. By implementing these steps, you can create a more engaging and intrinsically motivating cybersecurity training experience, fostering a culture of continuous learning and skill development within your organization. Conclusion Incorporating intrinsic and experience-driven exercises into your cyber resilience strategy can be an effective way of measuring and improving your overall resilience. Today, the need to exercise effectively has become a key feature of many cyber security frameworks and directives such as ISO27001, NIS2 and DORA, requiring organisations to maintain proof with policies and procedures underpinned by data and results. What have you experienced in your own upskilling journeys to get you where you are today, have you found some ways work better than others; Individual, team, hands-on, theory, classroom? What are your favourite ways to learn and stay motivated with the ever-changing cyber landscape right now? Share your stories and insights in the comments below!More Immersive Cyber Drills: How Rich Media Can Bring a Scenario to Life
When running a cyber drill, it’s useful to have a consistent and cohesive sense of the story throughout. The use of branding and rich media (videos and audio related to the theme) can engage participants through a sense of world-building and storytelling. Imagine your company drill looking like your company — logo, color scheme, font and all. The Brand It’s a good idea to start with all the assets needed to create the custom content. In my case, I created a logo and color scheme for a fictional news company, CHANNEL 6 News. The intention was to create a consistent look and feel for the news updates we would use. Using a simple color palette and classic news branding style, I could then create a virtual website for news updates using presentation software. This allows for ease of editing and can be presented full-screen to look like a webpage. A key requirement of the project was to create content that could be edited by anyone — no special software needed. This is just a slide in a presentation! The slide format could be used to represent a company website, a news outlet, or anything to aid the storytelling. Each slide in the presentation is a copy of the previous, but the news story is changed (title, image, and copy). Rich Media Video is engaging; it grabs our attention and helps with immersion. Video that has relevant branding and specifics has the chance to immerse participants even further. Continuing with the Channel 6 News theme, I used an AI video generator to create a news presenter intro and outro, all within a single prompt to maintain a consistent look. I also created a graphical intro in professional video editing software, aligning the branding and adding stock backing music. Using a more stripped-back video editing app, such as Google Vids, templates can be created with the intro and outro already in place. In between, video clips and voiceover (also generated) provide the main content of the news update. These templates allow for quick editing by anyone without the need for expert software. Download the MP4, and we’re ready to slot it into a cyber drill! Here's an example of the intro/outro and small amount of content between. Company Videos Immersive has a fictional company it uses for Crisis Sims called Orchid Corp. We have brand assets (logos, graphics, etc.) that we use to create print and digital media. I created employee welcome videos using stock media and generated voiceover audio, which ended up being fairly convincing. Now, imagine your company assets in whatever type of video you want. Perhaps a news broadcast, maybe an internal or external press release on the crisis situation. The more entertaining and interesting the content, the more immersion and engagement. Prove and Improve Running drills with custom videos will capture your audience’s attention and imagination. There's a great opportunity to review how the media can be adjusted for further storytelling depth. It could be effective to have the story evolve at a future drill, building on the actions taken previously. Having templates for the content, such as a news update clip, means that significant time is saved in preparation and a consistent feel is kept across drills.
