An Ounce of Prevention Beats a Pound of Postmortem with Supply Chain Security
Supply chain security is all about protecting your organization from risks and threats that come from external parties and processes you rely on. But trust, like code, is a dependency. And risk? That’s a side effect. Case in point: this month, a widely used GitHub Action, tj-actions/changed-files, was compromised, proving that when the Git hits the fan, it can blow secrets across thousands of repos (CVE-2025-30066). It was a textbook case of a supply chain attack: a legitimate, trusted tool hijacked and used to compromise downstream users. Now, don’t get me wrong, we all love GitHub and a secure CI/CD pipeline. But when attackers injected malicious code into the action, stealing secrets like personal access tokens, npm tokens, and private RSA keys from affected CI/CD pipelines, over 23,000 repositories were exposed to cyber risk. This wasn’t a breach caused by a missed patch or weak password - it was a breach of inherited trust. It highlights a pressing truth: supply chain security isn’t just a technical problem. It’s a cultural one. It demands dynamic cyber resilience. And I know you’re tired of hearing about SolarWinds, Logs4Shell, and Kaseya. But it’s not just your security at stake – it’s everyone you rely on and everyone who relies on you. Even right now, we are watching The Biggest Supply Chain Hack Of 2025: 6M Records Exfiltrated from Oracle Cloud affecting over 140k Tenants 🙀 That’s why dependency monitoring, minimal permissions, and source validation are critical to securing your supply chain. In today’s software-driven world, trust is embedded in every layer of how we build and ship technology. We trust the tools, the teams, the platforms, the packages. To mitigate risks effectively, we need a clear understanding of them. Let’s explore approaching this with Immersive. Third-party risk management Business stakeholder lens: Procurement and vendor management teams must understand that security isn't just a checkbox during onboarding. Ongoing third-party risk reviews and SLAs with teeth are essential. Security leaders should train these teams to ask the right questions and recognize red flags. Risk ISO 28000 – Security Management Systems for Supply Chains NIST 800-53: Ep.20 – Supply Chain Risk Management Technical stakeholder lens: Security teams must know how to evaluate vendor security postures, monitor for changes, and validate that data flows are compliant and secure. Training should focus on threat modeling integrations and validating trust assumptions in vendor tooling. Secure Fundamentals: Security Patching Mobile Application Security Fundamentals: Inadequate Supply Chain Security Software supply chain Business stakeholder lens: Non-technical leaders should understand that open source and third-party code aren't free – they come with ongoing maintenance, monitoring, and potential exposure. Funding and prioritization decisions should reflect this risk. NCSC Cloud Security: Ep.9 – Supply Chain Security Stack Overflow Secure Fundamentals: Least Privileges Introducing the Cyber Kill Chain Technical stakeholder lens: Developers and AppSec teams need to understand transitive dependencies (a.k.a. shadow dependencies), know how to interpret Software Bill of Materials (SBOMs), and be trained to look beyond their own code. CI/CD workflows must be hardened, with guardrails baked into the process. CVE-2024-3094 (xz) – Supply Chain Compromise Events & Breaches: Monero Wallet Supply Chain Compromise Sunburst Supply Chain Compromise Collection Hardware and physical supply chain Business stakeholder lens: Especially in regulated or critical industries, leaders must ensure that logistics and sourcing teams are trained to recognize risks around counterfeit or tampered hardware. Business Continuity 101 NIST 800-53: Ep.11 – Physical and Environmental Protection IST 800-53: Ep.1 – Access Control Technical stakeholder lens: IT and SecOps teams should be trained on verifying hardware provenance, firmware integrity, and secure provisioning practices. This is often an overlooked area in cyber training programs. IoT & Embedded Devices: Supply Chain Hardware Tampering Data handling in the chain Business stakeholder lens: Legal and compliance teams must understand how data moves across vendors and jurisdictions. Training should focus on recognizing data sovereignty issues, breach notification responsibilities, and contractual risks. Compliance Data Handling Secure Fundamentals: The CIA Triad Secure Data Handling Technical stakeholder lens: Data engineers, architects, and security teams should be trained on protecting data in transit and at rest, especially when working with third-party platforms or integrations. Zero trust principles also apply. OWASP 2021: Ep.8 – Software and Data Integrity Failures Modern Encryption Operational resilience Business stakeholder lens: Executives and business continuity teams must recognize that vendor outages or upstream compromises can impact downstream. Tabletop exercises should incorporate supply chain attack scenarios. Recommended reading: House of cards: surviving a supply chain attack Labs: Cyber for Board Members: Ep.8 – Supply Chains Cyber for Executives: Ep.7 – Supply Chain Security NIST 800-53: Ep.6 – Contingency Planning NIST 800-53: Ep.8 – Incident Response Technical stakeholder lens: Incident response and engineering teams should be trained to detect and contain incidents involving third parties. This includes monitoring dependencies, rotating credentials, and updating playbooks for modern attack chains. No Labs this time! Exercising becomes critical: Cyber Training Essentials for Supply Chain Resilience Supply Chain: Template for Technical Teams You may not cause the vulnerability, but you'll own the breach. You can’t wait until the postmortem to start training your teams to see beyond the perimeter. A resilient cyber culture ensures that your people are ready to respond when trust is compromised. Supply chain security is a shared responsibility, but it starts with recognition and increasing cultural buy-in. At the end of the day, an ounce of prevention beats a pound of postmortem. Share your thoughts Did you learn anything surprising about the interconnectedness of supply chain risks? What do you think is the biggest hurdle to strong supply chain security? Share a practical tip or strategy that worked for you! Big thanks to ZacharyAbrams for assisting with content reviews and recommendations in today’s blog! Want laser-focused recommendations for your unique program needs? Chat with your CSM about Premium Support to work with legends like Zack! Get updates in your inbox on posts like this by following the Human Connection Blog!Cyber Drills and Outcome-Based Programs: A Hands-On Approach to Cyber Resilience
What are cyber drills and outcome-based programs? Cyber drills vs. outcome-based programs Cyber drills Prove Outcome-based programs Improve Simulate a realistic cyberattack to test response capabilities Ongoing, structured programs to build and improve security operations Benchmark security preparedness at a given point in time Measure progress over time with defined success metrics Team-based exercises that focus on immediate response Tailored multi-year programs that address specific security gaps One-off or periodic events Continuous learning and improvement The key difference is that cyber drills test and prove preparedness and expose improvement areas; outcome-based programs address the improvement areas and enhance an organization’s ability to detect, respond, and recover from cyber threats. Combined, these approaches provide sustainable, robust cyber resilience. Designing an effective outcome-based program To implement an outcome-based program successfully, organizations must consider the following factors: 1. Understanding business objectives and risk tolerance Before designing a program, it’s crucial to understand: Business goals – what is the organization trying to achieve? Risk appetite – how much risk is the company willing to take? Regulatory requirements – what compliance standards must be met? 2. Defining measurable outcomes Success should be based on quantifiable improvements, such as: Reduced incident response time Fewer security breaches Improved threat detection capabilities More substantial alignment with regulatory requirements 3. Tailoring the program to the organization Organizations are unique, and outcome-based programs must be customized to fit: Risk assessment results Threat landscape Technology stack and processes Security team capabilities 4. Implementing and monitoring progress A phased approach ensures better adoption: Pilot phase – test the program with a small team before full deployment Phased rollout – implement step-by-step to ensure success Continuous reporting – regularly track metrics and adjust the program as needed 5. Demonstrating ROI and business value To gain leadership buy-in, organizations must: Showcase case studies of successful implementations Use data-driven insights to highlight improvements Demonstrate long-term value beyond compliance Example: A multi-year cybersecurity resilience program A well-structured outcome-based program can span multiple years, evolving as threats change. Year 1 – Conduct cyber drills, crisis and incident response exercises and assessments, and document response plans. Develop improvement plans and program scope. Year 2 – Technical and executive training, incident handling exercises. Year 3 – Advanced cybersecurity drills, scenario-based threat modeling, multi-team exercising. Process and policy stress testing. Year 4 – Purple teaming, improving collaboration between defense and offense teams. Year 5 – Full-scale red teaming and supply chain cyber drills. This approach ensures that organizations continuously prove and improve rather than just react to incidents. Final thoughts: The future of cybersecurity training Moving from traditional cybersecurity upskilling to cyber drills and outcome-based programs requires: A shift in mindset – focus on long-term resilience, not just one-time testing. Cross-department collaboration – security is not just IT’s responsibility; leadership buy-in is crucial. Expertise in design and delivery – outcome-based programs must be well-structured and measurable. By embracing cyber drills and outcome-based cybersecurity training programs, organizations can stay ahead of threats and build a stronger, lasting security culture. Share your thoughts Is your organization ready to move beyond traditional cyber upskilling? Where do you feel the biggest challenge lies, out of the three points mentioned above? Have you had success in overcoming these challenges? If so, share how with the community. Let’s build a cybersecurity strategy that delivers accurate, measurable results.Understanding CVE-2024-21412: A Zero-Day Exploit Targeting Windows Users
What is CVE-2024-21412? CVE-2024-21412 is a security feature bypass vulnerability in Windows Defender SmartScreen. SmartScreen typically evaluates the safety of downloaded files and displays warnings for unrecognised or suspicious ones. But this vulnerability allows attackers to circumvent warnings and install malware on unsuspecting systems. Which systems are affected? CVE-2024-21412 impacts a broad range of Windows systems, including: Windows 10 (various versions) Windows 11 (various versions) Windows Server 2019 and later versions How can this vulnerability be used against your systems? Attackers exploited CVE-2024-21412 by crafting a Windows Internet shortcut (.url file) that pointed to another .url file on a remote SMB share. This technique tricked the system into automatically executing the file at the final location, bypassing SmartScreen's security warnings. Researchers even created a proof-of-concept exploit, demonstrating how easy the vulnerability is to exploit. Attackers also abused the Microsoft Search Protocol (MSP) to deceive users. They crafted malicious links that appeared to point to local files, but in reality, connected to an attacker-controlled server. This tricked users into opening malicious files without realising they were downloading them from an external source. How to protect your organisation Microsoft addressed CVE-2024-21412 with a patch released in mid-February 2024. Installing this patch is crucial to mitigate the risk associated with this vulnerability. In addition to patching, organisations should implement comprehensive monitoring and detection systems to identify and mitigate threats across all stages of an attack. This includes using intrusion detection systems, firewalls, and security information and event management (SIEM) tools to monitor network traffic and system activity for suspicious behaviour. Organisations should also consider employing advanced real-time behaviour analytics to monitor unusual activity and identify potential threats, even when they bypass traditional security measures. This involves analysing user and system behaviour patterns to detect anomalies that could indicate an attack. Conclusion CVE-2024-21412 highlights the importance of cybersecurity awareness and proactive measures, which can be mitigated with improved organisational cyber resilience and regular patching policies. As always, staying informed about potential vulnerabilities is a crucial step in reducing the risk of your organisation being attacked. Recommended content To learn how to detect this vulnerability in a sandboxed environment, check out the following lab: CVE-2024-21412 (SmartScreen Bypass) – Elastic Log Analysis. In this lab, you'll use ElasticSearch to detect the presence of malicious URL files in logs. Share your thoughts Have you seen this vulnerability being exploited in the wild? Have you patched your systems yet? Share your thoughts by commenting in the thread below.Breaking Down Walls to Make Way for AI
The rapid rise in the popularity and application of AI has been unprecedented. We are actively experiencing the dawn of a revolutionary chapter in technology and innovation, but it also feels a little like this, don't you think? AI is everywhere. Even where you didn’t ask for it, or frankly may not want it. Its rise brings security risks that require comprehensive, strategic management. Are you training your teams on AI security risks? Are you reviewing procedures to protect your business as the threat surface expands? You’re not alone. Let’s get into how we’re guiding customers through these challenges. Immersive can provide knowledge, skills building, and engaging challenges for your teams to address risks from different angles. Artificial intelligence foundations To protect an organization, you need to know what you’re protecting from. These are some of our core recommendations: AI for Business Gain an understanding of various risks associated with implementing and integrating AI in a business context. These risks include understanding the challenges of implementation, potential issues in day-to-day AI utilization, and the broader implications of AI on operations. These labs will equip individuals with the knowledge to effectively leverage AI, while being mindful of these risks. AI Fundamentals Learn about emerging threats, generative AI models, and prompt injection attacks. Gain a comprehensive understanding of AI's implications in cybersecurity, AI-related security risks, and gain practical experience mitigating those risks. Build knowledge around internal risks AI often enters businesses through productivity tools or internal chatbots, like ChatGPT, for HR or finance queries. Using internal AI apps creates risks around data access, data handling, privilege management, improper use of LLM, and compliance considerations (or consequences). Some of these considerations are also relevant for external risks with AI. Here are some collections to get your team’s gears turning around AI-adjacent considerations and internal risk: Cloud Security Identity and Access Management Secrets and Encryption in AWS NIST – Guidelines on Security and Privacy in Public Cloud Computing (800-144) Risk and Compliance ISO 22381 – Security and Resilience for Identification Systems ISO 27014 – Governance of Information Security ISO 27018 – Protecting Private Data in Public Clouds ISO 28000 – Security Management Systems for Supply Chains ISO 31000 – Risk Management Let’s not forget – with new tools comes new access and alerting patterns. You’ll need to ensure your Digital Forensics and Incident Response (DFIR) teams are ready for new signal analysis and identifying corresponding indicators of compromise (IoCs) with new technologies. Digital Forensics Introduction to Digital Forensics Digital Forensics Threat Hunting – Theory Threat Hunting Introduction to Incident Response and Forensics in AWS Upskill to protect your business from external risk As customer-facing AI expands, so does your threat surface. The risks remain rooted in attacks humans conduct today; they’re just becoming more sophisticated with AI. If threat actors use AI maliciously against your business, you might see advanced social engineering attacks. This could include sophisticated phishing attacks or AI-generated voice, image, or video to manipulate users into disclosing credentials. Here are a few hands-on content recommendations that will keep your team response ready: Events and Breaches Gain familiarity with some of the biggest cyber events and most infamous data breaches in hacking history. Buckle up for interactive labs that will get you thinking about real-world events and how AI could affect these types of scenarios. Events and Breaches: Data Exposure Events and Breaches: Phishing Fraud Events and Breaches: Data Leaks Emerging Threats Attackers are quick to adopt new tools and tactics, giving them a first-mover advantage. Labs in this collection will get you hands-on with the latest methods used by threat actors around the globe. These labs aren’t explicitly focused on AI threats, but since AI threats are rooted in legacy techniques, this collection will help your team prepare for the variations AI may introduce. There are also increased risks with publicly facing AI tools that are integrated into internal databases or systems. These non-human identities have access to potentially sensitive databases, making them inherently open to prompt injection attacks in addition to legacy techniques. Here are some of our content recommendations to prepare your teams explicitly for these types of AI challenges: Fundamental AI Algorithms Gain a deep understanding of various AI algorithms and their practical applications in cybersecurity. Engage with labs on machine learning, deep learning, specific algorithms, and complete tasks such as implementing algorithms and analyzing results. Practitioners will gain hands-on experience in applying AI techniques to enhance cybersecurity measures and mitigate cyber threats. AI Challenges Test your knowledge and skills around AI security risks such as AI plugin injections, function calling, and prompt injection attacks. Complete hands-on exercises to find vulnerabilities in AI systems, beat the bot, and actively exploit vulnerable LLM implementations. Staying ahead in a rapidly evolving tech landscape requires continuous learning and skill-building. But readiness doesn’t just stop there. You must also be well-practiced in handling new and challenging situations. Regular exercises, like prompt injection attack detection and AI-driven social engineering tabletop drills, are essential for keeping your teams prepared. As threats evolve, Immersive will continue to deliver integrated labs and industry-leading exercising capabilities so your teams are ready to protect your business. Share your thoughts What skills are critical for your team to mitigate AI risks? Did you beat our AI Challenges? Are you hungry for another byte 👾? Comment below! Stay ready in the face of increased risks – bot or not. Get updates in your inbox on posts like this by following the Human Connection Blog!Human Connection Challenge: Season 1 – Scanning Walkthrough Guide (Official Version)
Time’s Up! Congratulations to everyone who completed Lab 2: Scanning from the Human Connection Challenge: Season 1. In this walkthrough, I'll share some strategies for efficiently completing the lab, based on my perspective as the author. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine! The goal is to learn, and I hope these notes help clarify any steps and reinforce key concepts for the next challenge. This challenge has now ended, but the lab remains available for practice. While prizes are no longer up for grabs, you can still complete the lab and use this walkthrough guide for support if needed. I’ve also used placeholders in some of the commands that would give away an answer directly, so if you see anything enclosed in angle brackets, such as <name server>, please make sure you replace it with the actual value, such as nameserver. With all that considered, let's get started. Overview Task: Identify the name server records of tinytown.bitnet. 1. What is the IP of the first name server for tinytown.bitnet? You’ll first need to open a Terminal on the Kali desktop. Next, you’ll need to query the DNS Server IP (found in the Machines panel) about the tinytown.bitnet domain using the nslookup (Name Server Lookup) tool. You’re specifically looking for NS (Name Server) records, so you can use the -type=ns parameter with nslookup to specify this: nslookup -type=ns tinytown.bitnet [DNS Server IP] The output of this command will return two name servers for the domain labelled with 1 and 2. Your next step is to identify what IP address is associated with the first name server (1). To do this, you can use nslookup along with the name server, domain, and DNS Server IP: nslookup <name server>1.tinytown.bitnet [DNS Server IP] This command will then return an IP address for the name server. 2. What is the IP of the second name server for tinytown.bitnet? As you’ve already identified both name servers, you’ll just need to run the previous command, except with the second (2) name server: nslookup <name server>2.tinytown.bitnet [DNS Server IP] You’ll then find the IP address associated with it. Task: Identify port service information for Target 1. 3. What service version is running on port 53? A network scanning tool like Nmap can help you identify the service version running on a specific port. To do this with Nmap, you can use the -sV option for service detection: nmap -sV [Target 1 IP Address] The output will show what service version is running on port 53. 4. What is the full service banner of port 22? There are a couple of ways to find the full service banner of port 22 – such as with Nmap or Netcat. If you’re using Nmap, you can modify the previous command to include the “banner” script along with the port number: nmap -sV -script=banner [Target 1 IP Address] -p22 The command line will then display the service banner from port 22. You can alternatively use netcat to manually connect to the SSH server. When a client connects, Netcat may present a banner that contains version information. To use Netcat, you’ll need the nc command along with the Target 1 IP address and specify you want to connect to port 22: nc [Target 1 IP Address] 22 When you run this command, the banner appears before the terminal hangs. Task: Identify a token on one of the ports. 5. What is the token? With the previous Nmap command, you initially found that three ports were open on Target 1. However, you’ll need to do a more thorough network scan to find another open port, one not initially found with the previous scans. To do this, you can expand your port scan to cover a much wider range by using Netcat to scan for open ports from 1 through 9000: nc -zvn <Target 1 IP Address> 1-9000 Here, -z will scan for listening services but won’t send any data, -v is verbose mode, which provides more detailed information, and -n tells Netcat not to resolve hostnames via DNS. This command will reveal a fourth open port. Now, you can use Netcat to connect to this port: nc <Target 1 IP Address> <open port> The token will then be displayed in the terminal. Task: Scan the TLS configuration on Target 2. 6. How many protocols are enabled? To scan for SSL/TLS configurations, you can use the sslscan tool. By default, sslscan scans port 443 and will return supported server ciphers, certificate details, and more. You can use sslscan like this: sslscan <Target 2 IP Address> The returned output will be verbose, but you can find and count the number of enabled protocols under the SSL/TLS Protocols subheading. 7. Name an enabled protocol. Using the previous output, name one of the enabled protocols. 8. What exploit are the protocols NOT vulnerable to? Using the same output, scroll down through the results until you find a subheading that’s named after a vulnerability and contains a similar string to: <Protocol> not vulnerable to <vulnerability name> The vulnerability has the same name as the subheading. Task: Identify and extract information from an SMB share on Target 3. 9. What Disk shared directory can you access? To extract information from an SMB (Server Message Block) share, you can use the smbclient tool. First, you’ll need to list the SMB shares on the target using the -L flag (the list/lookup option) with: smbclient -L //<Target 3 IP> You’ll then be prompted for a password, but you can press Enter to skip this. A list of SMB shares will then be displayed, three of which are shown to be a Disk type, so you know the answer will be one of these. You can now begin to go through the list and try to connect to the shares with: smbclient //<Target 3 IP>/<Sharename> However, this time when you’re prompted for a password and you press Enter, you might encounter a message when you try and connect to a share: NT_STATUS_ACCESS_DENIED If you attempt to connect to all shares, you’ll find you can connect to one share without a password. You’ll then be greeted with the following prompt to show the successful connection: smb: \> 10. What is the token stored in the directory? Now that you’re connected, you can execute commands to interact with the SMB share. If you run ls, you’ll find a token.txt file in the current directory. You can then download the file from the share onto your local machine with: get token.txt On the Kali desktop, open the Home folder and the token.txt will be inside. Open this file and find the token. 11. What is the username stored in the directory? After you’ve run ls in the SMB share, you’ll find not only token.txt, but also a file named creds.txt. Use the same command as you just did previously to download the file onto your machine: get creds.txt This file will also be downloaded to the Home folder, where you can find a username and password. Task: Identify open services on Target 3. Task: Connect to Target 3 with the previously found credentials. 12. What is the token stored in the user's /Documents directory? For this final task, you first need to scan the target using Nmap. You’ll find that if you attempt to scan the target without using the -Pn flag, you’ll get a response saying that the host seems down. However, if you run Nmap with -Pn, you’ll find some ports are open: nmap -Pn <Target 3 IP Address> However, the ports returned from this command don’t offer a way to connect to the target. You’ll also need to scan the 6000 most popular ports: nmap -Pn --top-ports 6000 <Target 3 IP Address> These results will now show two additional ports are open regarding the Web Services Management (Wsman) protocol, which is used to communicate with remote machines and execute commands. One of the tools that implement this protocol is Windows Remote Management (WinRM) which is Microsoft’s implementation of Wsman. Knowing this, you can now use Metasploit to interact with the target. In your terminal, run: msfconsole Once loaded, you can use the the following auxiliary module to connect to a system with WinRm enabled and execute a command with: set cmd ls You’ll then need to set the following options, using the credentials you found in the creds.txt file: set username <username> set password <password> set rhosts <Target 3 IP Address> Next, you need to set the cmd option with the command you want to run. If you use the ls command, you’ll be able to find what out files are in the directory you connect to: set cmd ls With all the options set, you can now run the module: run The results of the executed command will be printed on the screen and also saved to a directory, but both show the existence of a token.txt file in the current directory. You can now set the cmd option to type token.txt in Metasploit: set cmd type token.txt Once set, use the run command to send the updated command: run The contents of token.txt will then be displayed on the screen and outputted to a file. Tools For this challenge, you’ll use a range of tools including: Nslookup Nmap Netcat Sslscan Smbclient Metasploit Tips You can use different tools and parameters within those tools to scan for and find information, so don’t be afraid to try out a few different things! If you want to learn more about some of the tools within this lab, take a look at the following collections: Reconnaissance Nmap Infrastructure Hacking Introduction to Metasploit Post Exploitation with Metasploit Conclusion The steps I’ve laid out here aren’t the only way to find the answers to the questions, as long as you find the answer, you did it – well done! If you found another way to find some of these answers and think there’s a better way to do it, please post them in the comments below! I hope you enjoyed the challenge and I’ll see you for the next one.Experience-Driven and Intrinsic Learning in Cybersecurity
Experience-driven learning Experience-driven learning can take many forms, including: Practical simulations Role-playing exercises Individual hands-on learning Team-based exercising For example, some employees may be presented with micro exercises that pivot around key risk areas such as device security, data handling or social engineering. Others may participate in a tabletop exercise that simulates a ransomware attack, allowing them to practice incident response, crisis management, and recovery procedures in a safe and engaging environment. More technical teams can experience a real attack on real infrastructure in a cyber range, working together to identify and understand the attack using defensive and forensic tools. These types of activities foster intrinsic learning, driven by personal interest and the desire for self-improvement rather than external rewards like grades or promotions. These types of activities also engage natural human behaviours related to gamified learning, both individually and as a team. Intrinsic learning Intrinsic learning can be particularly valuable, especially in the context of cybersecurity, because it allows employees to develop a deeper understanding and appreciation of the subject matter beyond what is required for their job. This approach to learning is not only more engaging and effective but also helps organizations identify areas for improvement and potential vulnerabilities. Intrinsic learning can also help foster a culture of continuous learning within the workforce. By encouraging employees to pursue their interests and explore new areas of cybersecurity, organizations can create an environment where individuals feel empowered to take ownership of their learning and seek out new opportunities for growth and development. To make your cybersecurity training more experiential and foster intrinsic motivation for learning, consider the following steps: Align with personal goals Empower team members to align upskilling pathways with their career aspirations and professional development. Emphasize real-world relevance Showcase how the skills learned directly apply to current cybersecurity challenges and job responsibilities. Provide autonomy Allow learners to freely explore different topics and skills. Create a supportive environment Encourage peer-to-peer learning and mentorship opportunities to build a culture of continuous improvement. Celebrate progress Recognize and highlight individual and team achievements to boost confidence and motivation. Implement adaptive challenges Gradually increase difficulty levels, ensuring learners are consistently challenged but not overwhelmed - the right level of learning is more important than the quantity. Encourage reflection Prompt learners to analyse their performance after each exercise, especially team-based, fostering a growth mindset and self-awareness. Facilitate knowledge sharing Organize regular debriefing sessions where individuals can discuss their experiences and insights gained from the training. Connect to organizational impact Demonstrate how improved cybersecurity skills contribute to the overall success and resilience of the organization. Provide immediate feedback Leverage Immersive Labs' real-time feedback mechanisms to help individuals understand their progress and areas for improvement. By implementing these steps, you can create a more engaging and intrinsically motivating cybersecurity training experience, fostering a culture of continuous learning and skill development within your organization. Conclusion Incorporating intrinsic and experience-driven exercises into your cyber resilience strategy can be an effective way of measuring and improving your overall resilience. Today, the need to exercise effectively has become a key feature of many cyber security frameworks and directives such as ISO27001, NIS2 and DORA, requiring organisations to maintain proof with policies and procedures underpinned by data and results. What have you experienced in your own upskilling journeys to get you where you are today, have you found some ways work better than others; Individual, team, hands-on, theory, classroom? What are your favourite ways to learn and stay motivated with the ever-changing cyber landscape right now? Share your stories and insights in the comments below!Making the Most of the Custom Lab Builder: Tone of Voice
Now you can build your own labs in the Custom Lab Builder, we thought we’d provide some guidance on writing with a strong tone of voice to ensure your labs are as engaging as possible. This blog is the third in a series on making the most of the Lab Builder, looking at what we call the Four Cs. Ensuring your writing is… Conversational Concise Conscious Consistent The previous two posts looked at accessibility and inclusivity. This post focuses on tone of voice and how to write authentically to ensure your audience engages with the lab and remembers the message you’re trying to teach them. Writing well For most of your life, you’ve probably been told to write properly. Avoid contractions at all costs. Use complex sentences with plenty of fancy connecting words like “furthermore” and “moreover”. And never start a sentence with “and”. This formal style works really well for some industries. Academia is traditionally an incredibly formal area when it comes to the written word, as is the broadsheet newspaper realm. This is often to reflect the work’s sincerity, to avoid weakening a writer’s reputation, and to present ideas consistently and objectively. But Immersive Labs believes writing can be sincere and objective without being so... dull! Be conversational Copywriting is increasingly conversational, appearing everywhere from LinkedIn posts to the back of your milk carton. This style engages readers by feeling personal and authentic, aligning with Richard Mayer’s Personalization Principle, that people learn more deeply when words are conversational rather than formal. A human-to-human copywriting style makes sense for Immersive Labs, as we’re all about focusing on the humans behind the screens. When using the Lab Builder, we recommend writing your labs in an engaging, approachable style to create a modern, user-friendly learning environment. But conversational doesn’t mean sloppy. It’s about presenting ideas clearly and confidently, helping users feel at ease while they learn. Use everyday, concrete language Using fancy, complex words doesn’t make content better – it can actually distract readers and undermine clarity. Instead, prioritize clear, straightforward language to ensure your message is easy to understand, especially by users with cognitive disabilities. Avoid overly poetic phrases, figures of speech, idioms, or ambiguous language, which can confuse or overwhelm readers, including those with autism spectrum conditions. Strive for clarity to help users grasp your message the first time, keeping their needs front and centre. Address the reader Authenticity is all about gaining your reader’s trust. We recommend speaking directly to them in your custom labs by using “you” throughout your copy. This handy trick also avoids any ambiguity when it comes to practical tasks. Take the following example. “In this lab, the machine must be analyzed and IoCs must be extracted.” Instead of being vague and passive, we recommend talking directly to the reader and telling them exactly what they need to do. “In this lab, you need to analyze the machine and extract IoCs.” Or better yet, you can be even more direct by cutting that down even further: “In this lab, analyze the machine and extract IoCs.” Our labs and scenarios frequently talk directly to the reader. Users are more likely to stay engaged when they’re spoken to, not at. Use contractions Contractions instantly make your writing more conversational by mimicking natural speech. Combining words like "it is" to "it’s" or "you are" to "you’re" adds a touch of informality that feels approachable and inclusive. While once discouraged in formal writing, contractions are ideal for a modern learning environment, making text easier to read, understand, and remember. Be concise Writing in plain language is good for all users, but can make a massive difference for neurodivergent users, those who struggle to focus, those who hyperfocus, or maybe those who find reading difficult. We follow recommendations from the Advonet Group, the British Dyslexia Association, and Clark and Mayer’s Coherence Principle to ensure accessibility for a diverse audience – and you should too! Writing simply and clearly doesn’t mean trivializing content or sacrificing accuracy; it just makes your message easier to understand. After all, no one's ever complained that something's too easy to read! The difficulty comes when balancing this with technical content. How can you make advanced, complex cybersecurity topics clear and concise? Keep it short and sweet Sentences longer than 20 words become difficult to understand and can detract from the point being made. It’s easy for people’s minds to wander, so get to your point in as few words as possible. The same goes for paragraphs. Try and avoid long, dense walls of text. Nobody wants to read that, and it’s no good when thinking about accessibility. Keep your paragraphs to four or five lines, maximum. Get to the point Avoid adding unnecessary side notes to your labs, as they can distract from the main message and make learning harder. Unnecessary content distracts the learner’s attention from the main message, making them less likely to remember the core topic. It disrupts the connections between key messages and diverts the learner’s focus, making it harder to piece together the bigger picture. This is all down to cognitive load theory, which says that in general, humans can handle around four pieces of new information at any one time. To help users focus, stick to the lab's core topic and avoid overloading them with unrelated details. TL;DR When writing your labs with the Custom Lab Builder, ensure all your text is conversational to engage your users with the topic. And also make all your copy as concise as possible. Getting your message across in as few words as possible will reduce cognitive overload, boredom, and frustration. By focusing on being conversational, as well as being consistent and conscious (as we covered in the previous blog posts in this series), your readers will engage with your content better, remember the topic, and be able to put it into practice more easily – improving their cybersecurity knowledge and driving their cyber resilience. Share your thoughts! What do you think about these tone of voice tips when writing your custom labs? Have you tried to write your labs in a conversational yet concise way, and how did this go down with your users? Do you have any other suggestions for the community on how to write conversationally? We’d love to hear from you!Making the Most of Custom Lab Builder: A Guide to Writing Inclusively for All
Language shapes how people perceive and engage with content, so it’s crucial to consider the kind of words you use. Using outdated terminology can offend and disengage learners, as well as hurt a company’s reputation. This blog is the second in a series on making the most of the Lab Builder, looking at what we call the Four Cs. Ensuring your writing is… Conscious Consistent Conversational Concise The previous post in this series looked at accessibility. In this post, we’ll explore what it means to write consciously and inclusively, share practical tips, and show how our platform supports this critical effort. Why is inclusive language important? Inclusive language avoids bias, respects diversity, and ensures accessibility for all. In cybersecurity, it means using terms that foster collaboration and trust, avoiding outdated or harmful phrases, and creating welcoming and empowering content The Quality Team at Immersive Labs is committed to staying up to date with how language changes in the cyber industry. We regularly undertake research and speak to other industry professionals to ensure that our language is appropriate. Words to avoid We recommend avoiding specific terms that some people may find offensive, and some socially charged language that may have negative connotations. Non-inclusive language to avoid Preferred inclusive versions Whitelist/Blacklist Allowlist/Denylist White hat/Black hat hackers Ethical/Unethical hackers Master/Slave Leader/Follower, Primary/Replica, Primary/Standby Grandfathered Legacy status Gendered pronouns (e.g. assuming “he/him/his”) They, them, their Gendered pronouns (e.g. “guys”) Folks, people, you all, y’all Man hours, man power Hours, engineer hours, workforce, staffing Man-in-the-middle attack Machine-in-the-middle attack Sanity check Quick check, confidence check, coherence check Dummy value Placeholder value, sample value Crazy, insane Amazing, incredible, or any other appropriate adjective Socially charged words Preferred inclusive versions Native Built-in, default, pre-installed, integrated, core Abort Stop, cancel, end, force quit Cripple Disable, impair, damage, destroy, ruin Kill Stop, force quit, close, shut down Trigger Activate, initiate, cause, launch Unsure if a phrase you’ve used could be seen as offensive? Ask yourself: is this the most accurate and appropriate choice? Often, you can find a more descriptive word and avoid using these examples. Top tips for inclusive language Use writing tools Tools like Grammarly can help identify problematic words or phrases. You can create customized lists in Grammarly, which will then flag when a word has been used in your writing. Additionally, there are many inclusive language guides available online. Keep it short and sweet Use short sentences and paragraphs. Shorter sentences are easier to read, scan, and understand – especially for those with cognitive disabilities. Aim for sentences around 10–15 words, with variation for a natural flow. Avoid sentences longer than 20 words, as they can be harder to follow. Read aloud Proofread your work aloud to catch awkward phrasing, overly complex sentences, or insensitive terms. Hearing the words can help identify spots where clarity or tone might need improvement. Get a second opinion Ask a colleague to review your final version. A fresh set of eyes can spot language that might be unclear, inappropriate, or overly complicated. Share your thoughts Now that Lab Builder is here and you’ve had a chance to create your own content, how have you made your content more inclusive? We’re always looking to stay up to date, so if you have any further suggestions to add to our list of words to avoid or any other tips, let us know! We’d love to learn from you and grow the collective community knowledge.Making the Most of the Custom Lab Builder: Writing With Accessibility in Mind
What if someone tried to access your content who was visually impaired? Or who had cognitive difficulties? Or who was hard of hearing? Would they be able to understand the information you’ve provided and improve their cyber resilience? Our in-house copyediting team has created a series of articles to help you craft high-quality labs, aligned to the rigorous processes we follow. We embrace what we call the Four Cs to ensure all labs are: Consistent Conscious Conversational Concise These articles delve into each of these principles, showing how to implement them in your labs to create content that resonates with readers, enhances learning, and boosts cyber resilience. This post highlights how being conscious of your formatting can enhance accessibility for assistive technology users and how consistent formatting improves navigation for everyone. Rich text formatting Rich text formatting tools like subheadings, bullet points, lists, and tables in the Custom Lab Builder help organise information for easier scanning, better retention, and improved comprehension. Using these will ensure your content is consistent, accessible, and reader-friendly for everyone! Rich text formatting elements carry specific meaning, which assistive technologies rely on to convey information to specific users. Headings Visually, headings represent hierarchy through different font styling and allow users to quickly scan content. Programmatically, they allow users who can’t see or perceive the visual styling to access the same structural ability to scan. Heading elements should reflect the structure of the content. So your title should go in ‘Heading 1’ formatting, your next subheading will go in ‘Heading 2’ formatting, and so on. To ensure your content reads correctly to screen reader users, don’t use HTML heading styling to represent emphasis, and don’t use bold to make text appear like a heading. Lists (bullets/numbering) Always use bullets or numbered lists using the provided formatting to convey a list. A screen reader will announce that the following information is a list. Links How a link is formed significantly impacts usability. Consider the following sentence: “To find out more about this topic, complete our Intro to Code Injection lab here.” Links are interactive elements, which means you can navigate to them using the tab key. A user who relies on screen magnification to consume content may choose to tab through content to see what's available. The example above would be communicated as just “here”, which provides no context. They’d need to manually scroll back to understand the link’s purpose. Always use descriptive link text that clearly indicates its destination. Avoid ambiguous phrases like “here”. If that’s not possible, ensure the surrounding text provides clear context. “To find out more about this topic, complete our Intro to Code Injection lab.” Bold Only use bold for emphasis! Avoid italics, capital letters, or underlining (reserved for hyperlinks) to prevent confusion. Consistency in formatting reduces cognitive load, making your text more accessible. Bold stands out, provides better contrast, and helps readers quickly identify key information. Avoid italics With 15–20% of the population having dyslexia, italics are worth avoiding because research shows it’s harder for this user group to read italic text. Italics can sometimes bunch up into the next non-italic word, which can be difficult to comprehend or distracting to read. Media If you’re adding media to your labs, such as videos and images, it’s especially important to consider those who use assistive technologies. These users need to have the same chance of understanding the content as everyone else. They shouldn’t miss out on crucial learning. What is alternative text? Alt text describes the appearance and function of an image. It’s the written copy that appears if the image fails to load, but also helps screen reading tools describe images to visually impaired people. Imagine you’re reading aloud over the phone to someone who needs to understand the content. Think about the purpose of the image. Does it inform users about something specific, or is it just decoration? This should help you decide what (if any) information or function the images have, and what to write as your alternative text. Videos Any videos you add to your lab should have a transcript or subtitles for those who can’t hear it. Being consistent Consistency is a major thinking point for accessibility. We recommend adhering to a style guide so all of your labs look and feel consistent. We recommend thinking about the structure of your labs and keeping them consistent for easy navigation. In our labs, users expect an introduction, main content, and a concluding “In This Lab” section outlining the task. This helps users recognize certain elements of the product. It reduces distraction and allows easier navigation on the page. For example, some users prefer diving into practical tasks and referring back to the content if they need it. By using the same structure across your lab collections, your users will know exactly where to find the instructions as soon as they start. TL;DR It’s crucial to focus on accessibility when writing your custom labs. Utilise the built-in rich text formatting options in the Custom Lab Builder (and stay consistent with how you use them!) to ensure your labs are easy to navigate for every single user. By being conscious and consistent with your formatting, every user will engage with your content better, remember the topic, and be able to put it into practice more easily, improving their cybersecurity knowledge and driving their cyber resilience. No matter how they consume content. Keep your eyes peeled for the next blog post in this series, which will look at inclusive language. Share your thoughts! There’s so much information out there on creating accessible content. This blog post just focused on the language, structure, and current formatting options available in the Custom Lab Builder. Have you tried to make your labs or upskilling more accessible, and how did this go down with your users? Do you have any other suggestions for the community on how to write content with accessibility in mind? Share them in the comments below!From Feng Shui to Surveys: How User Feedback Shapes Immersive Labs
We’ve all been asked to give product feedback in one way or another – a pop-up message after completing a purchase, an email asking how your visit went, or a poll appearing on your social media feed. They all have one thing in common: a real person behind them, looking for valuable insights. I’m one of those people! My role as Senior UX Researcher involves speaking to Immersive users and gathering their feedback to help the company make tangible improvements. UX, or user experience, is at the heart of what I do. And it’s been around for longer than you might think. What is UX? It’s believed that the origins of UX began in 4000 BC with the ancient Chinese philosophy of Feng Shui, the spatial arrangement of objects in relation to the flow of energy. In essence, designing the most user-friendly spaces possible. A short skip to 500 BC, and you can see UX at play with the Ancient Greeks' use of ergonomic principles (also known as human factors), defined as “an applied science concerned with designing and arranging things people use so that the people and things interact most efficiently and safely.” In short, people have been concerned about creating great user experiences for thousands of years. How does Immersive get feedback? Bringing you back to the present day, let me walk you through a recent research study undertaken with Immersive Labs users and what their experiences and feedback led to. In May this year, we sent out a survey to our users asking them about their needs for customised content. The feedback was given directly to the team working on the feature, helping to inform their design choices and confirm or question any assumptions they had about user needs. In July, we invited users, including Training Manager and community member mworkman to take part in a pilot study for the Custom Lab Builder, giving them exclusive access to the first iteration of the feature. They could use the builder in their own time, creating real examples of custom labs using their own content and resources. This gave them a realistic experience and highlighted issues along the way. What does Immersive do with that feedback? In August, those users joined a call with us to provide their feedback and suggestions. From these calls, we gained insights and statistics that were presented to the entire Product Team, voicing our customers’ needs. We then used this to shape the direction of the lab builder feature before its release. Customers told us that they wanted to create labs based on their own internal policies and procedures, which would require more flexible question-and-answer formats for tasks. They also wanted more formatting options and the ability to add media to labs. In response to this feedback, we increased the number of task format types from three to five, and we’ll continue to add to this. We also added the ability to include multiple task formats in the same lab. Users also now have the option to upload images and include rich text within their custom labs, enhancing the layout and customisation experience. The Custom Lab Builder was released in October 2024 with an update pushed in December, and we’re still working on improving it! Throughout this first quarter of 2025, we’ve released more new features, including drag and drop, free text questions, and instructional tasks in the Lab Builder. How can you get involved? Once again, we’ll be calling on our users to give feedback on their experiences with these features, continuing to involve you in our design process to ensure that our products and experiences reflect what users are looking for. Throughout 2025, Immersive Labs will be providing opportunities for our users to come along to feedback sessions, have their opinions heard through surveys, and many more exciting chances to talk to the people behind the product. Follow our Community Forum for hot-off-the-press opportunities! For more guidance on Lab Builder, visit our Help Center.
