cyber drills
More Immersive Cyber Drills: How Rich Media Can Bring a Scenario to Life
When running a cyber drill, it’s useful to have a consistent and cohesive sense of the story throughout. The use of branding and rich media (videos and audio related to the theme) can engage participants through a sense of world-building and storytelling. Imagine your company drill looking like your company — logo, color scheme, font and all.

The Brand

It’s a good idea to start with all the assets needed to create the custom content. In my case, I created a logo and color scheme for a fictional news company, CHANNEL 6 News. The intention was to create a consistent look and feel for the news updates we would use. Using a simple color palette and classic news branding style, I could then create a virtual website for news updates using presentation software. This allows for ease of editing and can be presented full-screen to look like a webpage.

A key requirement of the project was to create content that could be edited by anyone — no special software needed. This is just a slide in a presentation! The slide format could be used to represent a company website, a news outlet, or anything to aid the storytelling. Each slide in the presentation is a copy of the previous, but the news story is changed (title, image, and copy).

Rich Media

Video is engaging; it grabs our attention and helps with immersion. Video that has relevant branding and specifics has the chance to immerse participants even further. Continuing with the Channel 6 News theme, I used an AI video generator to create a news presenter intro and outro, all within a single prompt to maintain a consistent look. I also created a graphical intro in professional video editing software, aligning the branding and adding stock backing music.

Using a more stripped-back video editing app, such as Google Vids, templates can be created with the intro and outro already in place. In between, video clips and voiceover (also generated) provide the main content of the news update. These templates allow for quick editing by anyone without the need for expert software. Download the MP4, and we’re ready to slot it into a cyber drill! Here's an example of the intro/outro and small amount of content between.

Company Videos

Immersive has a fictional company it uses for Crisis Sims called Orchid Corp. We have brand assets (logos, graphics, etc.) that we use to create print and digital media. I created employee welcome videos using stock media and generated voiceover audio, which ended up being fairly convincing. Now, imagine your company assets in whatever type of video you want. Perhaps a news broadcast, maybe an internal or external press release on the crisis situation. The more entertaining and interesting the content, the more immersion and engagement.

Prove and Improve

Running drills with custom videos will capture your audience’s attention and imagination. There's a great opportunity to review how the media can be adjusted for further storytelling depth. It could be effective to have the story evolve at a future drill, building on the actions taken previously. Having templates for the content, such as a news update clip, means that significant time is saved in preparation and a consistent feel is kept across drills.

Tackling technical challenges: Attending Immersive’s cyber drill in London
I recently had the pleasure of attending a unique and highly engaging cyber drill in the heart of London, right next to the iconic Tower of London and Tower Bridge. These landmarks always leave me in awe, even though I was born and brought up in London. The event was attended by a combination of industry leaders, and even those early in their cyber journey. We took part in a dynamic crisis simulation and an intense technical exercise using the Immersive online platform.

Mirroring real-world challenges

First, we were presented with a realistic scenario covering a major cybersecurity incident at a fictional organisation. The cyber drill encouraged attendees to collaborate and decide on the best course of action through several interactive scenes. These interactive exercises closely mirrored the challenges and discussions we see during real-world incidents, accurately capturing the importance of involving necessary stakeholders and making timely but effective decisions. They also reflected the intense pressure of making informed decisions that could have severe consequences for the wider organisation.

Testing technical abilities

A highlight of this cyber drill, however, was the addition of a technical exercise. When I say technical, I mean technical! There was nothing toned down in this exercise. Attendees were given an opportunity to really get their hands dirty and use the impressive lab environments found on the Immersive platform, all specifically tailored for this cyber drill. This was as close as it could get to a technical cyber response exercise, but in a safe and friendly environment. I found myself analysing Splunk logs, threat hunting, and even decrypting data (or trying to at least) to find the underlying cause of this incident and aid my colleagues taking part in the wider crisis simulation.

The technical exercise further highlighted the importance of continuous development and training within cybersecurity. My technical abilities were genuinely tested, and I loved “learning by doing”. It was also a pleasure to see peers who were tackling these technical challenges for the first time – something made less daunting by the intuitive Immersive platform. I was also reminded of the importance of seeing the bigger picture during these incidents. While focusing on the technical challenges was a lot of fun, it was even more enjoyable to see how obtaining critical data could inform the wider decision-making processes.

The value of in-person engagements

During the event, I found myself asking: could this cyber drill have taken place virtually? The answer was yes, of course it could. I’ve attended many virtual events and found them particularly useful and convenient. But would a virtual event have been as interactive and insightful as this was? Definitely not!

Ever since the COVID pandemic took over our lives in 2020, we’ve gotten used to the remote way of life. It’s so convenient to jump onto remote calls from various parts of the world, but there always seems to be something missing. This event reminded me why in-person engagements have that special spark that remote events don’t. Whether it’s the informal chat over tea and sandwiches or the initial introduction at your table, these small human interactions are priceless and add more depth to our learning experiences than we may appreciate. I found that once you take away the titles or certifications, we’re all people united by a shared purpose of protecting those around us, be they at work or at home.

Knowledge sharing and collaboration

I met with industry leaders and cyber professionals, all facing remarkably similar challenges in their own sectors. It was a good reminder that we’re never alone in the world of cyber. There are colleagues out there who demonstrate cyber resilience daily and bring their own unique method to the madness. I thoroughly enjoyed knowledge sharing and collaborating with these other professionals – their fresh perspectives and external views were extremely insightful. The threats we face in cybersecurity are similar across different industries, but it’s the wider consequences that seem to differ. Colleagues from other sectors were open to sharing their knowledge and expertise with the audience.

This cyber drill was a great reminder about the value of teamwork in cybersecurity. We all play an important role, be it technical or not. In the rapidly evolving world of cybersecurity, there's something for everyone, and I look forward to the next event!

No Sleep on State-Backed Threats: Train for Cyber Conflict Before It Starts
In 2025, the cybersecurity landscape isn’t just evolving – it’s accelerating. State-backed cyberattacks, geopolitical tensions, and a fragmented regulatory environment have placed cyber resilience squarely at the top of boardroom agendas. But while the threats are growing, clear directives and unified mandates are not. Cybersecurity leaders are left asking: if federal policy won’t dictate readiness, how can we validate that we’re prepared?

The policy gap: Why the One Big Beautiful Bill won’t save us

Despite its sweeping scope, the recently passed One Big Beautiful Bill Act (H.R.1, P.L. 119-21) is notably silent on cybersecurity policy. It includes:

- Investments of $150M to the Department of Defense for business system modernization, including AI-aided financial auditing
- $200M for AI-enabled audit systems
- $20M to DARPA cybersecurity research efforts
- $250M for Cyber Command’s AI “lines of effort”
- $685M toward military cryptographic modernization, including quantum benchmarking

While these appropriations equip government agencies to modernize and strengthen cyber and crypto capabilities, they stop short of mandating new cross-industry controls, standards, or compliance obligations for private sector entities.

Organizations can’t depend on Washington to drive cyber resilience strategy, given how dynamic the landscape is today. Instead, leaders must build proactive, measurable programs rooted in industry frameworks like NIST CSF, ISO 27001, and MITRE ATT&CK. At the same time, they need to monitor shifting government priorities around risk, evolving state-level regulations, and sector-specific requirements like the Digital Operational Resilience Act for financial services. In short, cyber resilience remains an internal obligation, not an external mandate.

The stakes are rising: Salt Typhoon breach proves it’s about people

In June 2025, a DHS memo confirmed that Salt Typhoon, a Chinese state-linked hacking group, gained extensive, months-long access to a U.S. Army National Guard network. This breach wasn’t just a military problem – it highlighted systemic risks across civilian infrastructure, state governments, and critical services. The attackers stole administrative credentials, internal diagrams, network configurations, and PII of service members, creating opportunities for lateral movement and follow-on attacks against civilian sectors.

As Ellis, a cybersecurity advisor quoted in the memo, pointed out: "An intrusion on a National Guard isn't a 'military only' operation. States regularly engage their Guard to assist with cyber defense of civilian infrastructure."

This breach underscores the harsh reality that cyber adversaries aren’t bound by the Law of Armed Conflict – and they’re fully prepared to target civilian infrastructure as part of their strategy.

Cyberwar is official: NATO’s Article 5 sets a new precedent

NATO now explicitly recognizes cyberattacks as potential triggers for Article 5 collective defense measures. This isn’t about responding to routine ransomware or phishing scams – it’s about preparing for strategic-level attacks that can disrupt economies, paralyze infrastructure, or compromise national defense. To meet this challenge, NATO is expanding joint cyber exercises like Locked Shields and Cyber Coalition, simulating real-world adversaries and integrating civilian infrastructure into their scenarios.

Our key lesson? Modern conflict starts in cyberspace – and organizations need to train for it before the first packet hits.

Train like the threat is already inside

1. State-sponsored threat actor playbooks

Train your team to recognize and respond to APT tactics in the wild. From credential harvesting to stealthy exfiltration, hands-on simulations build muscle memory against real adversary behaviors – not textbook theory. Get hands-on with Threat Actors: Salt Typhoon and explore a recent SNAPPYBEE Campaign Analysis to see how the group uses backdoors to conduct espionage operations. Our complete Threat Actors collection covers a wide range of threat groups and their TTPs, providing practical simulations that build muscle memory against real adversary behaviors.

We’ve talked about APT29 before 🙅♀️🐻 and they remain an active threat. Refresh with APT29: Threat Hunting with Splunk and dig into practical nation-state threat intelligence and IOC analysis.

2. Salt Typhoon TTP training

Defend against the tactics actually used in the Salt Typhoon breach:

- Lateral movement: Our MITRE ATT&CK collection covers lateral movement tactics, providing comprehensive training on how attackers move within a network and how to defend against such actions.
- Credential compromise: The Credential Access collection offers practical experience in understanding and mitigating credential access vulnerabilities, which is crucial for defending against credential compromise.
- Network reconnaissance: Our Reconnaissance collection focuses on various techniques and tools used for gathering information, which can help in understanding and defending against network reconnaissance.
- Data exfiltration: Another hit for the Incident Response collection! These labs are specifically designed to teach incident responders how to detect data exfiltration.

Put your team in the hot seat and test their response before the next real-world incident hits.

3. AI-readiness for cyber defenders

AI is transforming both red and blue team tactics. Prepare with practical training to drive understanding of AI model risks (e.g. prompt injection, data leakage) and build skills defending AI-enabled environments before attackers exploit them. The AI Fundamentals collection offers a broader understanding of AI's role in cybersecurity, covering topics like data ethics, TensorFlow for machine learning, and emerging threats. The AI Challenges collection focuses on identifying vulnerabilities in AI systems, such as AI plugin injection and prompt injection attacks, providing hands-on experience in mitigating AI security risks. Together, these collections provide comprehensive training on both understanding and defending AI-enabled environments against potential threats.

4. Incident response: No-doze drills

Run full-cycle incident response simulations, from detection to containment to recovery. Focus on the messy middle: ambiguous alerts, cross-team coordination, and real-time decision-making under pressure. Train with our Introduction to Incident Response and Incident Response collections. These collections cover the entire incident response process, including detection, containment, and recovery, with an emphasis on cross-team coordination and real-time decision-making. Then, test your skills with our new Cyber Range Exercise inspired by Salt Typhoon with simulated malware, or our Crisis Simulations focused on nation-state attacks.

5. Critical infrastructure and IT/OT defense modules

Your OT environment isn’t off-limits to adversaries. Practice defending blended IT/OT networks, identify cascading risks, and rehearse failover processes when the grid comes under cyber-fire. Explore the following collections that are part of our new Operational Technology offering:

- OT: Fundamentals
- OT: Threats and Vulnerabilities
- OT: Devices and Protocols

These labs are valuable for practicing defense strategies in blended IT/OT networks and understanding cascading risks in critical infrastructure. You can also experience actual incidents like the Norwegian Dam Compromise: Campaign Analysis!

Conclusion: Build cyber resilience before the next state-backed attack

The One Big Beautiful Bill won’t mandate cyber resilience. NATO knows cyberwar is already here. And Salt Typhoon’s breach shows that the human element is still the biggest vulnerability facing businesses, entities, and nation states alike. That’s why continuous skills development, validated readiness, and real-world scenario training aren’t optional. Adhere to tested frameworks and operational rigor for your people, processes, and technology.

Share your thoughts

If you’re not sleeping on state-backed threats, set the alarm and kickstart your team’s readiness. Have you prioritized specific procedures or skills in response to the latest nation-state activity from groups like Salt Typhoon? Share your tips (or your favorite preparedness quote) in the comments below!

Train like it’s game day – because for state-backed threats, it already is. Stay sharp and threat-ready by following the Human Connection blog for more updates like this.
The Human Edge Beyond Pentesting – Building True Cyber Resilience

Pentest vs. Red Team: Understanding the Core Difference

Many cybersecurity vendors are rebadging pentesting as attack simulations or red teaming, often at a higher cost. However, there's a clear difference:

- Pentesting (Penetration Testing): The overarching goal of penetration testing is to find vulnerabilities within an environment in order to create a remediation plan. Reporting focuses on documenting as many vulnerabilities as possible in the allotted timeframe.
- Red Teaming (Attack Simulation): In contrast, red teaming is used to validate the efficacy of the defensive (blue) team. It is not looking for vulnerabilities per se; it is about achieving the objectives while trying to avoid detection. Reporting focuses on finding defensive gaps and assessing the blue team's response capabilities. The ultimate goal is to simulate real-world adversaries and determine if the defensive team has the telemetry to detect them.

The key takeaway is that if the engagement isn't assessing your detection capabilities, it is not a red team.

When Does Red Teaming Truly Add Value?

While valuable, red teaming isn't always the most cost-effective solution; in practice it is usually only effective in these three scenarios:

- When You Have a Regulatory Requirement: Industries with specific regulations, such as BEST, TIBER, FEER, CORIE, and AASE, often mandate regulatory red teams, which have standardized approaches and qualifications.
- When You Have a Very Mature Organization: When your organization has addressed all other possible security issues and has limited justification for further spending, a red team can provide a level of assurance that few other testing strategies can match. However, if you have known, unaddressed issues, red teaming rapidly loses value, as the simulated attackers will typically take the easiest route to compromise and report on issues you are already aware of.
- When You Need a "Burning Platform": Sometimes, demonstrating the potential severity of a worst-case scenario is necessary to secure critical budget increases. Red teaming can effectively highlight how badly wrong things could go, aiding CISOs in getting the needed resources.

However, it's important to note that more cost-effective methods often offer a better return on investment than red teaming outside these specific use cases. Purple teaming offers a more holistic approach to measuring your blue team's capability while also having a much higher knowledge transfer rate. Attack path mapping is far more comprehensive in discovering what attackers can do and what vulnerabilities or misconfigurations can be chained together to achieve compromise.

The Pitfalls of Misaligned Red Teaming

Several factors can hinder the benefits of red teaming outside the identified use cases:

- Resource Intensive: Red teaming is both costly and time-consuming.
- Potentially Divisive: It can sometimes lead to conflict between teams or erode trust within an organization.
- Weak Follow-Up: Lessons learned from red team exercises are often not translated into actionable steps, or, worse, completely ignored.
- Limited Scope: It may fail to explore cascading impacts and real-world disruptions.
- Insufficient Business Focus: Without an understanding of broader business consequences, the exercise's value can be limited.
- Increased Risk: Poorly executed red teaming can introduce wasted effort or unnecessary investigations.
- Often Undetected: A significant number of red team operations do not trigger alerts or go unnoticed by defensive teams.

This last point highlights the importance of understanding why an attack wasn't detected, by asking:

- Was an alert generated?
- Was it marked as a false positive?
- Was a process followed?
- Was the process correct?

Enhancing Cyber Resilience: A Holistic Approach

Cyber resilience is not just about products or individual tools; it's about the application of skilled and motivated people, understanding and utilizing technology, and implementing reliable and repeatable processes and detections. The focus should be on building a robust, layered defense that understands, anticipates, and mitigates all phases of the attack chain, recognizing that the perimeter is no longer the sole objective for attackers.

To truly improve cyber resilience, organizations need to focus on three key areas:

- Security Posture: Continuously assess and strengthen your foundational security.
- Detection Capability: Improve your ability to identify and triage malicious activity.
- Response Capability: Enhance your team's efficiency and effectiveness in reacting to and recovering from incidents.

This involves exposing defenders to real-world Tactics, Techniques, and Procedures (TTPs) relevant to their environment. Furthermore, understanding the capabilities and blind spots of both your security team and defensive tooling is crucial for applying and testing effective mitigations and proving resiliency.

Practical Approaches to Building Resilience

To achieve true benefit from simulations, organizations must prepare individuals and teams before and after the simulation. This involves a cycle of "Prepare & Protect" and "Detect & Respond". Effective training and exercises are vital for different audiences:

- Individual Preparation: Hands-on labs can provide technical training for various roles, including defensive cybersecurity professionals, penetration testers, developers, application security experts, and cloud & infrastructure security personnel.
- Technical Team Exercises (Team Sim): These focus on the technical aspects of cyber attack and response using pre-configured cyber range scenarios. Participants investigate or perform simulated attacks using real cybersecurity tools and techniques in a safe environment/sandbox.
- Executive & Business Exercises (Crisis Sim): Moving beyond traditional tabletop exercises, Crisis Sim puts teams into dynamic crisis simulations with real crises, dynamic storylines, and contextual media. This helps measure and benchmark responses to inform crisis strategies and build muscle memory through regular exercising.

By understanding the distinct roles of pentesting and red teaming, strategically applying attack simulations, and investing in comprehensive training across all levels of the organization, businesses can genuinely enhance their cyber resilience and gain the human edge over cyber attacks.

Level Up Your Resilience: Analyzing Results and Building a Culture of Continuous Improvement
Welcome back for the final instalment of our series on Cyber Drills! In Parts 1 and 2:

- Level Up Your Resilience: Unlocking the Power of Cyber Drills with Immersive
- Level Up Your Resilience: Planning and Executing Effective Cyber Drills with Immersive

we explored the fundamental importance of Cyber Drills and the critical steps involved in planning and executing them, all while highlighting the comprehensive guidance offered by The Definitive Guide to Cyber Drilling. Now, we arrive at the crucial stage that transforms a drill from a one-time event into a driver of lasting improvement: analyzing the results and fostering a culture of continuous learning.

As Chapter Two: Post-Exercise Analysis of The Definitive Guide outlined, the insights gained from a Cyber Drill are only truly valuable if translated into actionable next steps. This chapter, along with the principles woven throughout the entire guide, provides the framework for turning your drill experiences into tangible enhancements in your cyber resilience.

Post-Drill Analysis: Uncovering Key Insights

Once the Cyber Drill is complete, the real work begins. The Definitive Guide emphasizes the need for a thorough analysis of the drill results, focusing on assessing performance against the outlined objectives. This involves:

- Leveraging Platform Data: Using a platform like Immersive’s, analyze the data generated during the drill to identify areas of strength and weakness in technical execution.
- Gathering Participant Feedback: The Guide recommends capturing feedback from all participants to understand their experiences, challenges, and suggestions for improvement.
- Facilitator Debriefs: Conduct debrief sessions with the facilitation team to gather their observations and lessons learned regarding the scenario flow, participant engagement, and any unexpected issues.
- Identifying Key Findings: Based on the data and feedback, pinpoint the most significant areas for improvement in processes, communication, technical skills, and incident response plans.

Reporting and Governance: Communicating Value and Driving Action

The Guide highlights the importance of easy-to-follow reporting requirements and establishing governance processes to ensure that the insights from Cyber Drills lead to tangible changes. This includes:

- Tailored Reporting: Develop reports that are relevant to different stakeholders, from technical teams to executive leadership, clearly outlining the findings and their implications.
- Actionable Recommendations: Ensure that reports include specific and measurable recommendations for improvement.
- Integration with Existing Processes: Feed the findings and action items into your existing security processes, such as incident response plan updates, training programs, and technology deployments.
- Executive Communication: Clearly communicate the value and ROI of your Cyber Drilling program to leadership, demonstrating how it contributes to overall cyber resilience.

Building a Culture of Continuous Improvement

A successful Cyber Drilling program is not a one-off exercise; it's an ongoing commitment to learning and adaptation. The Definitive Guide emphasizes the importance of fostering a culture where:

- Learning is Valued: Encourage participants to view drills as learning opportunities rather than pass/fail tests.
- Feedback is Encouraged: Create a safe space for open and honest feedback.
- Iteration is Key: Use the insights from each drill to refine your scenarios, processes, and training programs for future exercises.
- Micro-Drills for Continuous Training: As mentioned, consider incorporating "micro-drills" for more frequent, bite-sized opportunities for learning and measurement.

Why Immersive for Cyber Drilling

Immersive provides a powerful platform to support your entire Cyber Drilling journey. Our integrated solutions, combining Cyber Range Exercises, Crisis Sim, and Labs, enable you to:

- Create realistic and customizable scenarios.
- Engage both technical and leadership teams.
- Generate measurable results and insightful data.
- Track progress and demonstrate tangible improvements.

By embracing the principles outlined in The Definitive Guide to Cyber Drilling and leveraging the capabilities of Immersive, you can move beyond simply assuming readiness to demonstrably proving and continuously improving your organization's cyber resilience.

This concludes our series on Cyber Drills. We invite you to join us on a journey toward a more resilient future. You can download the full Definitive Guide to Cyber Drilling here.

Level Up Your Resilience: Planning and Executing Effective Cyber Drills with Immersive
Welcome back, Immersive Community! In Part 1 of this blog series, we laid the groundwork for understanding the critical role of Cyber Drills in building true organizational cyber resilience, highlighting the comprehensive insights found in The Definitive Guide to Cyber Drilling. Now, we move from theory to practice. How do you actually plan and execute impactful Cyber Drills within your organization? This instalment will guide you through the essential steps, drawing directly from the information shared in our definitive guide.

As Chapter Two: Program Planning and Preparation emphasizes, a successful Cyber Drill doesn't just happen – it's the result of careful thought and strategic execution. Let's break down the key phases:

Defining Your Objectives

Before you even think about scenarios, you need to know what you want to achieve. What specific aspects of your cyber resilience are you looking to test and improve? The Definitive Guide outlines the importance of aligning your drill objectives with broader business goals and conducting a maturity assessment to tailor your program effectively. Ask yourselves:

- Are we primarily aiming to test our incident response plan?
- Do we want to evaluate cross-functional communication during a crisis?
- Are we looking to identify technical skill gaps in specific teams?
- Is regulatory compliance a key driver for our drilling program?

Clearly defined objectives should serve as your “North Star” throughout the entire process.

Scenario Development: Crafting Realistic Challenges

With your objectives in place, the next crucial step is designing scenarios to effectively challenge your teams. The Guide's section on Scenario Development provides guidance on creating "severe but plausible scenarios" that resonate with your industry and potential threats. Remember to:

- Ground Scenarios in Reality: Draw inspiration from real-world incidents and threat intelligence (The Guide highlights the importance of CTI).
- Consider Operational Disruptions: As noted in The Definitive Guide, real-world cyberattacks often coincide with other disruptions.
- Incorporate Multi-Skill Requirements: Design scenarios that require participants to utilize technical skills AND communication and decision-making.
- Introduce Pressure: Effective drills create a safe but high-intensity environment.

The Cyber Drill Timeline: Strategic Execution

The Definitive Guide provides a clear roadmap for the Cyber Drill timeline, emphasizing the iterative nature of the process and the crucial role of stakeholder involvement. Key stages include:

- Discovery: Clearly defining objectives, scope, and requirements.
- Design: Developing the scenario and practical logistics.
- Build: Creating the exercise materials, lab paths, and communication aids.
- Enable: Ensuring participants and facilitators are prepared.
- Deliver: Executing the drill according to the plan.

Participant Engagement: Fostering Collaboration

The Definitive Guide stresses the importance of clear instructions, open communication, and encouraging feedback to maximize participant engagement. Remember to:

- Provide pre-drill information and relevant training materials.
- Facilitate open communication channels during the exercise.
- Encourage participants to think critically and collaborate effectively.

By following these planning and execution principles, you can create powerful and insightful exercises that truly test and strengthen your organization's cyber resilience. In Part 3, we'll delve into the critical final stage: analyzing the results of your Cyber Drills and building a culture of continuous improvement, all by using the comprehensive framework from The Definitive Guide. Stay tuned!

Level Up Your Resilience: Unlocking the Power of Cyber Drills with Immersive
Hello Immersive Community! You're already familiar with our hands-on learning and real-world scenarios to level up your cyber skills. You've seen how our labs and exercises can boost individual capabilities and build stronger teams. But are you ready to dive deep into ways to develop your organization's resilience? Today, we're diving into a crucial aspect of building true cyber readiness: Cyber Drilling. You might have heard the term before, but to really understand its comprehensive power and how it can improve your security posture, we're excited to highlight The Definitive Guide to Cyber Drilling. This is your essential resource, explaining everything from fundamental concepts to advanced implementation strategies for realistic cyber attack simulations that exercise both your technical and business leadership teams. In this series, we'll explore what a comprehensive Cyber Drilling program entails and, more importantly, how you, as part of the Immersive community, can leverage it to strengthen your organization's defenses – all laid out within the guide. As Phil Venables, CISO of Google Cloud, wisely stated, "The best training of all is a drill, exercise, or even a live-fire event. Having drills and exercises that get as close to reality as possible and test your people as well as your systems is ideal." 1 This isn't just about individual skill anymore; it's about how your entire organization performs when faced with a real-world cyber crisis – a concept thoroughly explored in the guide. Beyond Individual Labs: The Organizational View You've mastered individual labs, honed your threat hunting skills in Cyber Ranges, and perhaps even navigated crisis scenarios using simulations. These are vital building blocks. 
Cyber Drilling, as detailed in The Definitive Guide, applies that foundation to a broader organizational context, simulating real attacks to test technical prowess, communication, decision-making under pressure, and the effectiveness of your incident response plans across different teams.

Think of Cyber Drilling as the ultimate "stress test" for your cyber defenses. It moves beyond theoretical knowledge and puts your collective capabilities to the test in a safe environment, revealing strengths and identifying areas for improvement you might not uncover through individual training alone – a comprehensive overview of which is provided in the guide.

Why Should the Immersive Community Embrace Cyber Drills?

As valued community members, you already understand the power of immersive learning. Cyber Drills are the natural evolution of that approach, offering significant benefits for your organization:

Prove Your Readiness: Cyber Drills allow you to demonstrate the impact of your Immersive investment by showcasing your team's response capabilities.
Identify Organizational Weaknesses: The methodologies explain how drills expose broader organizational gaps.
Optimize Your Incident Response: Practical guidance helps you test and refine your plans.
Enhance Team Cohesion: The principles highlight how drills improve collaboration.
Demonstrate Value to Stakeholders: Use the frameworks to provide tangible evidence of preparedness.

What Makes a Cyber Drill Effective?

Just like our individual labs are designed for maximum learning impact, effective Cyber Drills share key characteristics:

Leveraging Multiple Skills
Creating Realistic Pressure
Emphasizing Clear Communication
Providing a Comprehensive View
Mirroring Real-World Threats
Tailored to Your Needs
Driving Continuous Improvement

What's Next?

This is just the first step in understanding the power of Cyber Drilling.
In the upcoming parts of this series, we'll delve into the practicalities of implementing these powerful exercises within your organization, building upon the foundation you've already established with Immersive – all based on the comprehensive insights within The Definitive Guide:

Part 2: Planning and Executing Effective Cyber Drills: We'll explore how to define your objectives and develop scenarios.
Part 3: Analyzing Results and Building a Culture of Continuous Improvement: We'll discuss how to interpret drill data and drive improvements.

Unlock the full potential of your preparedness and enhance your organization's cyber resilience through the strategic practice of Cyber Drilling, which begins with The Definitive Guide to Cyber Drilling.

The Softer Side: Non-technical Benefits to Technical Team Exercises
In my role, I have the privilege of working with many different organizations through their technical exercise events and programs. One of the most rewarding aspects is seeing the spark ignite in the people as they band together to achieve a common objective. In this article, I’ll be sharing some of the common benefits I see emerge across organizations of all sizes, industries, and maturity levels, no matter the exercise's purpose.

Encouraging curiosity and problem-solving

Cyber Range Exercises provide a virtual network environment to explore. Defensive exercises focus on detecting and monitoring malicious activity, while offensive exercises involve exploiting vulnerabilities to uncover target information. Within these simulated environments, participants must utilize a wide array of skills and decide on the best approach, as the correct course of action isn't always obvious.

This technical challenge is great for reinforcing knowledge and applying skills. I've seen players puzzle over unsuccessful methods, forcing them to rethink their approach entirely, asking plenty of “what if” questions before testing them out. This experimentation process educates players while simultaneously promoting lateral thinking and encourages sharing problem-solving insights.

Improved communication

Trawling through logs and analyzing (or preparing) a malicious payload usually calls for quiet focus. But in the real world, we’re rarely working alone. More often than not, investigations and tests happen in small teams, under pressure, and good communication becomes just as important as technical skill. That’s why team-based exercises reflect this reality. You’ve got to explain what you’re doing clearly, so everyone’s on the same page – both in terms of the situation and the technical jargon. Creating clear written logs and documentation matters too, especially in incidents where language may need to be adapted for different audiences.
The most effective teams I've observed in these exercises prioritize organization. They set up a central place to track everything – whether that’s a Teams channel, a spreadsheet, or a crisis response tool – and they’re smart about assigning roles and carving out time to keep everyone synced up.

Better distraction management

A deliberate challenge I sometimes incorporate into technical exercises is surprise leadership requests for incident updates. This tests the team's ability to rapidly consolidate information under pressure, dealing with the uncertainties of an active investigation. Teams with strong organization, detailed incident logs, and a dedicated spokesperson or team leader consistently manage these interruptions best.

Practicing in a simulated setting helps teams stay productive and accurate, even when real-world distractions come into play. It builds the ability to block out noise, manage stakeholders, stay focused on individual tasks while keeping sight of team goals, and smoothly switch contexts when needed.

Stronger team dynamics

Unlike individual training, these exercises require participants to actively communicate, share knowledge, and rely on each other's strengths to achieve a common goal. Team members learn to understand each other's working styles, identify individual expertise, and build trust in their colleagues' abilities. The shared experience of overcoming technical challenges, even simulated ones, creates a sense of camaraderie and shared accomplishment.

While every team comprises diverse personalities and communication styles, it's crucial that each individual feels comfortable and empowered to share their insights and findings. These contributions can significantly alter the outcome; for instance, a critical discovery during a technical investigation might directly influence the business's crisis response strategy.
Increased efficiency

The more a team works together responding to the exercise challenges, the more they develop shared understandings of processes and expectations, learn to delegate effectively, and identify bottlenecks in their collaborative efforts. Eliminating issues arising from a lack of confidence or familiarity with the team or processes is especially critical for incident response teams, leading to quicker response times and improved agility when situations change rapidly.

After each exercise, I like to conduct a team debrief, which is crucial for reflecting on lessons learned. Prompting players to consider their individual strengths and challenges, alongside open discussion about team dynamics and processes, helps identify opportunities for improvement.

Technical exercises are undoubtedly key to boosting individual technical proficiency. However, their even greater value lies in cultivating these skills alongside the crucial professional attributes demanded by our field. Considering the significant pressure and expectations placed on these teams to deliver trustworthy outcomes, ensuring their preparedness within a high-trust setting is essential. These are merely some of the advantages I've witnessed through these exercises.

Share your thoughts

What benefits have you experienced through technical exercising? Share your thoughts in the comments!

Global Cyber Drills: Dates, Locations, and VIP Experiences
Our Cyber Drills Roadshow is kicking off in North America!

I’m thrilled to share that in just one week, we will launch the North American leg of our 2025 Cyber Drill roadshow. In addition to constantly evolving our onsite programs (you’ll never experience the same Cyber Drill twice), our team has elevated our venues and agendas for 2025. You now have the opportunity to enhance your Cyber Drill experience and stay after the drill for a custom VIP experience. Learn more about our VIP experiences and register now below!

Cyber Drill Dallas 🏈
Date: April 2
Time: 1:00 PM - 5:00 PM
Location: AT&T Stadium - home of the Dallas Cowboys
Register now and opt to join us for a VIP stadium tour!

Cyber Drill Los Angeles 🥇
Date: April 16
Time: 1:00 PM - 5:00 PM
Location: LA Memorial Coliseum
Register now and opt to join us for a private tour of the LA Memorial Coliseum!

Cyber Drill Chicago 🏙️
Date: May 14
Time: 1:00 PM - 5:00 PM
Location: Morgan’s on Fulton
Register now and opt to join us for a celebratory drinks reception with 360 views of the Chicago skyline.

Community Exclusive

As an exclusive announcement for our community, we’re thrilled to share that we have three additional Cyber Drills coming soon and you’re the first to know! Follow our events page to get notifications hot off the press as soon as our Cyber Drill events are added.

Coming Soon
⛰️ Bern, Switzerland
💂 London, UK
🍎 New York City, USA

Share Your Thoughts

I hope to see you there! If you’re already registered, let me know what city you’ll be joining us in by replying in the comments, and if you're not already registered to attend, is there a city or location that you’d like to see a Cyber Drill next? Let me know in the comments! ⬇️

When the Lights Went Out at Heathrow: A Crisis That Was Never Meant to Be “Won”
In the early hours of March 21, 2025, a fire broke out at the North Hyde electrical substation in West London, just a few miles from Heathrow Airport. Within hours, a local infrastructure incident had triggered widespread disruption across the global aviation ecosystem. Flights were grounded, operations were halted, passengers were stranded, and local residents were left without power. Suddenly, one of the most connected airports in the world found itself completely disconnected.

This wasn’t just a power failure, it was a systems failure. The fire itself was severe yet containable, but what unfolded afterward exposed far deeper vulnerabilities. It has since been claimed that Heathrow had “enough power” from other substations, which now raises difficult but fair questions: If there was enough power, why shut the airport down completely? If there wasn’t, why wasn’t the site resilient enough to handle a failure like this? And most importantly, how did one single point of failure have this much impact on such a critical national and international asset?

These are the questions that will dominate the post-crisis scrutiny, but while many rush to applaud or condemn, I think the truth lies somewhere more uncomfortable.

Crisis leadership isn’t about perfect outcomes

Crisis response is never clean. It’s messy, fast-moving and incomplete. You make decisions with partial data, under pressure, in real time. And in the majority of cases, you choose between bad and worse – which is exactly what Heathrow’s leadership team faced:

Compromised infrastructure
Uncertainty about the integrity of power and systems
Thousands of passengers on site and mid-flight en route to the airport
Global operations and supply chain at risk

The common response is, “we need to tackle all of these problems” – and rightly so – but what people often forget is that in a crisis, you don’t have the resources, time, or information to tackle everything at once.
Heathrow's leadership chose safety and containment, and in just under 24 hours, they were back online again. That’s impressive. That’s recovery under pressure, and that’s business continuity in action. But it doesn’t mean everything was done right, and it certainly doesn’t mean we shouldn’t ask hard questions.

“Enough power” means nothing without operational continuity

Having backup power doesn’t mean having functional operations. Power alone doesn’t run an airport – systems, processes, and people do. If the backup didn’t maintain critical systems like baggage handling, communications, lighting, or security, then the airport was right to shut down. However, the next question is, why didn’t those systems have their own layers of protection, and where was the true resilience? This leads us to the real issue: this wasn’t just about Heathrow, it was about the entire ecosystem.

Resilience isn’t just a plan – it’s a whole system of dependencies

The recent disruption is a real reminder that resilience doesn’t just live inside an organization. It lives across every partner, vendor, and hidden dependency. In critical services like aviation, the biggest vulnerabilities are often outside the walls of your own operation. There’s a web of partners involved in keeping an airport running:

Power providers
Facilities management
IT and communications vendors
Outsourced security
Maintenance crews
Air traffic systems
Second and third-tier subcontractors

Many of these providers sit outside the organization’s direct control, yet their failures become your crisis in an instant. True resilience requires more than internal readiness, it demands visibility across the whole supply and vendor chain, coordination protocols with external stakeholders, and clear ownership of critical functions. When something breaks in the background, you won’t have time to figure out who’s responsible; you’ll only care about who can fix it.
So identifying and (most importantly) testing and exercising your supply chain is paramount.

This wasn’t a “winnable” crisis – and that’s the point

I’ll discuss this concept further in my upcoming webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty, but the Heathrow disruption is a perfect case study. This was never going to be a clean “win.” No plan could have delivered a flawless response, and no leader could have avoided disruption entirely. Instead, this crisis asked a different question: When everything seems to be falling apart, can you contain the damage, protect your people, and recover quickly?

That’s the real test. It’s what separates the theoretical resilience plans from the operational reality. Heathrow passed parts of that test, but the system around it has questions to answer, and every other organization watching should be asking the same thing: “How many hidden dependencies are we one substation, one outage, one contractor failure away from exposing?”

The next crisis may not give you a warning, and it certainly won’t give you time to figure out who’s holding it all together. Crisis leadership isn’t about perfection; it’s about being ready for the moment when no perfect option exists. The question now is, what did it reveal that we can’t afford to ignore?

Ready to prepare for true crisis readiness?

Join me for the upcoming community webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty on April 11. We’ll explore what true crisis readiness looks like and how you prepare your team to lead when there is no “win” – only choices.