Why Drills Are the Future of Cybersecurity: Insights and Reflections on the Critical Role of Drills
My background After two decades in the world of penetration testing and offensive security, I joined Immersive as the Director of Technical Product Management. This new role represented more than just a career shift – it was an opportunity to leverage my deep-rooted experience of cybersecurity to make a tangible difference in how organisations prepare for the cyber threats of today and tomorrow. Throughout my career, I’ve had the joy of working on the front lines of cybersecurity, testing the defenses of organisations of all sizes, from startups to multinational corporations. I worked my way up from a junior consultant in a boutique company to the global head of attack simulation for one of the largest pure-play security consultancy firms in the world. I’ve seen firsthand how attackers operate, exploiting weaknesses not just in technology but in processes and human behavior. I’ve also seen the other side of the coin – what happens behind the scenes when a company identifies a breach and needs to investigate, contain, and recover from it. This journey has given me a unique perspective on the intricacies of cyber incidents – how they unfold, how they escalate, and how they can be mitigated if handled correctly. Over the years, I’ve come to understand that offensive security isn’t just about finding vulnerabilities; it’s about understanding the broader context of how security failures can impact an entire organisation and, most importantly, how to get back to business as usual. One of the key lessons I’ve learned from my time in offensive security is that real-world cyber incidents are rarely straightforward. They’re messy, unpredictable, and often involve a complex web of factors that go beyond the technical realm. In my experience, cyber incidents don’t happen in isolation; they’re the result of a combination of technical vulnerabilities, process failures, and human errors. Attackers don’t follow a script – they’re constantly adapting, finding creative ways to bypass defenses, exploit blind spots, and leverage misconfigurations or overlooked details. This nuanced understanding of how incidents unfold is often missing from the current training and exercising landscape. Realism vs textbook Many cyber resilience exercises available in the market today lack the depth and realism of a real-world attack, and that’s very difficult to capture, especially if you’ve never been exposed to it. Many exercises are built around predictable scenarios, focusing on textbook responses, and just don't capture those swings from tedium to confusion and then to panic. They’re also often performed in isolation, with the investigating/technical team making decisions and performing actions that wouldn’t be in their remit if it was a real incident. One of my all-time favourite incidents showed these to the extreme. It went from a simple ransomware investigation to identifying seven different threat actors in the environment, all with very different TTPs and MOs. You never pick up the other threat actors at the beginning of their attack, usually because they’ve compromised the same machines as the original actor, and you're left wondering why they’ve suddenly changed tactics. Then you get enough evidence to indicate it’s someone else, so now you have two investigations to perform. I’m not saying that all exercising should be done to that level, but I do feel that there’s a nice middle ground that can be achieved. Simulations can highlight things above and beyond simply probing a SIEM for answers to questions about the attack. Putting that into practice At Immersive, I have the privilege of bringing the lessons learned from years of offensive security into the realm of cyber resilience training. My goal over the last 12 months has been to help create more realistic, dynamic, and comprehensive simulations that mirror the true nature of cyber incidents. This means developing scenarios that go beyond the basics – not just testing the technical teams but also involving executives, legal teams, PR, and other stakeholders who play critical roles during a crisis. By integrating real-world attacker tactics, techniques, and procedures (TTPs) into exercises, we can help organisations build muscle memory for responding to incidents in a way that’s both informed and effective. It’s not just creating realistic simulations, it’s highlighting how the results of an investigation can influence the executive team's decision making and how the decisions made by leadership can either help or hinder an active investigation. This is what led to my involvement in building out Immersive Cyber Drills. But what are drills, I hear you ask? Here’s what our marketing team say: “Immersive Cyber Drill events enable simultaneous drilling of executive and technical leadership teams. These facilitated drills use multiple tools from our platform to evaluate an organisation's capacity to detect, respond to, and recover from cyberattacks through a mix of technical and non-technical drilling.” Ultimately, the goal is to empower organisations to respond confidently to the threats they face. Cyber resilience isn’t just about having the right tools or technologies – it’s about understanding the attacker’s mindset, anticipating their moves, and being prepared to act swiftly and decisively when an incident occurs. Building a foundation for Cyber Drills Instead of creating theoretical scenarios or low-risk simulations, we began building exercises that mirrored the attacks I’d seen work in my previous life. The aim was simple: make the drills feel as close to a real attack as possible while keeping the barrier to entry low enough that they’re still achievable to people just starting out. One of the biggest breakthroughs came when we built a standard environment that mimicked much of the corporate world's infrastructure. We then implemented these real-world attacks over the top of those environments and dropped the users in the middle of the attack. This transformed the experience from a disconnected series of technical challenges into a real narrative. Participants were now uncovering the motives behind attacks, following the trail of TTPs left by the attackers, and trying to predict where they went next. Very rarely do security teams get to investigate in a nice, peaceful manner – there are always questions coming from other areas of the business. Leaders aren't just responsible for understanding the attack, they also need to communicate with stakeholders, manage the internal teams, and make high-pressure decisions. As the Cyber Range Exercises (formerly Team Sims) became more realistic, it was clear that the Crisis Simulations used for the leadership team should follow suit. So we built Crisis Sims around the same attack narrative, putting participants in a situation where leadership had to make decisions that they didn’t know the answers to. If they did want to find out, they would need to ask the teams performing the investigation. This forced both teams to think strategically, communicate effectively, and most importantly, anticipate the other team's perspective and restrictions. We also introduced real-world elements like media scrutiny, conflicting priorities, and escalating pressures to mimic the experience of an actual cyber breach. The results were immediate. The teams were forced to think on their feet and develop genuine muscle memory in ways that couldn’t have been achieved through traditional tabletop exercises. And most importantly – they needed to talk to each other. This fusion of leadership training, technical training, and realism has resulted in teams leaving the drill with a stronger understanding of how to work cohesively as a team and how well they communicate across departments. It also provides a better understanding of the types of nuance that can crop up during a cyber breach. Share your thoughts For the analysts reading this article, what’s the hardest part of performing an investigation in your current organisation? For the executives, what’s one thing you wished all analysts knew about your role? And to everyone, during an investigation, what was your biggest panic moment that could have been easily avoided? Join me in this discussion by sharing your thoughts in the comments.Pieces of the Puzzle – The Power of Interconnected Cyber Drills
A crisis doesn’t respect boundaries – it unfolds in real time, demanding responses from every level, from technical teams to executives. That’s exactly what we set out to simulate with our recent cyber drill, “Pieces of the Puzzle”, a high-intensity exercise that pushed over 300 team members into the deep end of crisis response. What set this drill apart was its interconnectivity – no single person had the full picture, and every decision mattered. A crisis unfolds in pieces The exercise was built around two fictional companies: FusionArc – A cloud-based IT infrastructure provider suffering a cyberattack Orchid Logistics – A global supply chain company, FusionArc’s largest customer, facing operational chaos due to the breach. Day one simulated a cyberattack on FusionArc Solutions, with participants acting as the incident response team investigating and responding to a breach of critical systems and sensitive data. This day showcased Immersive’s cyber range capabilities and the importance of continuous upskilling. It allowed participants to practice incident response protocols and sharpen their ability to detect, analyze, and respond to cyber threats. Live technical demos showcase real-time analysis and response, bringing the simulation to life and highlighting the skills needed to combat cyberattacks. Day two shifted the perspective to Orchid Logistics, whose global operations across four major regions were thrown into turmoil due to the cascading impact of the attack. Each region had its own challenges, from disrupted healthcare supply chains in Europe to financial uncertainty in North America. Different teams’ operations, legal, communications, finance, and crisis management were forced to make critical decisions with incomplete and often conflicting information. This wasn’t just about testing individual teams. It was about stress-testing the connections between them because, in a crisis, decisions have consequences. Every action (or inaction) ripples outward, shaping how an incident unfolds and determining the effectiveness of the response. The design: controlled chaos with a purpose Running a cyber drill at this scale required intricate planning. Each element was carefully orchestrated to simulate the real-life confusion of a crisis where information is fragmented, priorities clash, and leaders must make tough choices under pressure. Key elements included: Dynamic information flow – Teams received updates in real-time, with technical teams feeding insights to crisis managers, who in turn had to make strategic decisions for the business. Regional decision-making – Each region had its own crisis management team (CMT), responsible for navigating localized challenges while staying aligned with global headquarters. Cross-functional dependencies – Operations, legal, finance, and public relations all faced their own unique crises relating to the cyberattack, as well as other unrelated business continuity disruptions. Their ability to coordinate responses mirrored the true complexity of a global business disruption. Escalating pressure – Timed injects (new crisis updates), roaming media roleplayers, and breaking news images forced participants to adapt rapidly, just as they would in a real cyber event. By layering these complexities, the exercise tested technical incident response and the entire organization’s ability to work as a single unit under duress. We looked at disaster recovery, crisis management, and business continuity all in the same cyber drill. The power of perspective (or lack of it) A key takeaway from the drill was how overwhelming it felt. No one had the full picture – teams made decisions with only their slice of the crisis, just like in the real world. We saw participants grappling with conflicting information, wondering why other teams weren’t responding as expected. Some felt completely isolated until they realized that the missing information was sitting with another team in another region, experiencing a completely different part of the crisis. This is why interconnected drills are vital. They teach organizations to connect the dots and reinforce a crucial lesson: in high-stakes environments, every decision shapes the crisis’s trajectory. Prove and improve: the true value of cyber drills Cyber drills aren’t just theoretical exercises. They test response plans, communication, and decision-making under pressure while revealing areas for improvement. This drill pushed participants to work under stress and exposed gaps not just in technical response, but in collaboration, escalation, and decision-making. These exercises matter because they don’t just reveal weaknesses – they build resilience before a real crisis strikes. What this means for your organization Cyber threats affect entire businesses – customers, partners, supply chains, and finances. The biggest risk isn’t the attack itself but poor coordination in the response. That’s why cross-team exercises are vital: technical teams must know how and when to escalate, crisis managers must grasp the stakes, and executives must make quick decisions with limited information. Cyber drills don’t always have to be this large, but they must be realistic. Even smaller exercises focused on decision-making across teams can expose gaps in communication and preparedness before a real crisis does. Final thoughts: crisis readiness is built, not assumed In the debrief of Pieces of the Puzzle, one theme emerged repeatedly: we are only as strong as our connections. The most prepared organizations aren’t just those with the best tools or plans – they’re the ones who practice together and strengthen the human elements. Cyber drills push teams to break silos, act under pressure, and manage uncertainty. If you’re not running them regularly, the question isn’t if you’ll struggle in a crisis – it’s when. No matter your industry, scale, or risk landscape, the key takeaway is this: crisis preparedness isn’t just about reacting – it’s about ensuring every piece of the puzzle fits before the crisis hits. Are your teams ready to prove and improve? Share your thoughts Has this inspired you to plan a drill? Do you have any questions about planning or execution and need some pointers? Have you run a drill or been to a drill event, and if so, how did it feel? I’d love to hear from you and help you reach your goals.Making the Most of the Custom Lab Builder: Tone of Voice
Now you can build your own labs in the Custom Lab Builder, we thought we’d provide some guidance on writing with a strong tone of voice to ensure your labs are as engaging as possible. This blog is the third in a series on making the most of the Lab Builder, looking at what we call the Four Cs. Ensuring your writing is… Conversational Concise Conscious Consistent The previous two posts looked at accessibility and inclusivity. This post focuses on tone of voice and how to write authentically to ensure your audience engages with the lab and remembers the message you’re trying to teach them. Writing well For most of your life, you’ve probably been told to write properly. Avoid contractions at all costs. Use complex sentences with plenty of fancy connecting words like “furthermore” and “moreover”. And never start a sentence with “and”. This formal style works really well for some industries. Academia is traditionally an incredibly formal area when it comes to the written word, as is the broadsheet newspaper realm. This is often to reflect the work’s sincerity, to avoid weakening a writer’s reputation, and to present ideas consistently and objectively. But Immersive Labs believes writing can be sincere and objective without being so... dull! Be conversational Copywriting is increasingly conversational, appearing everywhere from LinkedIn posts to the back of your milk carton. This style engages readers by feeling personal and authentic, aligning with Richard Mayer’s Personalization Principle, that people learn more deeply when words are conversational rather than formal. A human-to-human copywriting style makes sense for Immersive Labs, as we’re all about focusing on the humans behind the screens. When using the Lab Builder, we recommend writing your labs in an engaging, approachable style to create a modern, user-friendly learning environment. But conversational doesn’t mean sloppy. It’s about presenting ideas clearly and confidently, helping users feel at ease while they learn. Use everyday, concrete language Using fancy, complex words doesn’t make content better – it can actually distract readers and undermine clarity. Instead, prioritize clear, straightforward language to ensure your message is easy to understand, especially by users with cognitive disabilities. Avoid overly poetic phrases, figures of speech, idioms, or ambiguous language, which can confuse or overwhelm readers, including those with autism spectrum conditions. Strive for clarity to help users grasp your message the first time, keeping their needs front and centre. Address the reader Authenticity is all about gaining your reader’s trust. We recommend speaking directly to them in your custom labs by using “you” throughout your copy. This handy trick also avoids any ambiguity when it comes to practical tasks. Take the following example. “In this lab, the machine must be analyzed and IoCs must be extracted.” Instead of being vague and passive, we recommend talking directly to the reader and telling them exactly what they need to do. “In this lab, you need to analyze the machine and extract IoCs.” Or better yet, you can be even more direct by cutting that down even further: “In this lab, analyze the machine and extract IoCs.” Our labs and scenarios frequently talk directly to the reader. Users are more likely to stay engaged when they’re spoken to, not at. Use contractions Contractions instantly make your writing more conversational by mimicking natural speech. Combining words like "it is" to "it’s" or "you are" to "you’re" adds a touch of informality that feels approachable and inclusive. While once discouraged in formal writing, contractions are ideal for a modern learning environment, making text easier to read, understand, and remember. Be concise Writing in plain language is good for all users, but can make a massive difference for neurodivergent users, those who struggle to focus, those who hyperfocus, or maybe those who find reading difficult. We follow recommendations from the Advonet Group, the British Dyslexia Association, and Clark and Mayer’s Coherence Principle to ensure accessibility for a diverse audience – and you should too! Writing simply and clearly doesn’t mean trivializing content or sacrificing accuracy; it just makes your message easier to understand. After all, no one's ever complained that something's too easy to read! The difficulty comes when balancing this with technical content. How can you make advanced, complex cybersecurity topics clear and concise? Keep it short and sweet Sentences longer than 20 words become difficult to understand and can detract from the point being made. It’s easy for people’s minds to wander, so get to your point in as few words as possible. The same goes for paragraphs. Try and avoid long, dense walls of text. Nobody wants to read that, and it’s no good when thinking about accessibility. Keep your paragraphs to four or five lines, maximum. Get to the point Avoid adding unnecessary side notes to your labs, as they can distract from the main message and make learning harder. Unnecessary content distracts the learner’s attention from the main message, making them less likely to remember the core topic. It disrupts the connections between key messages and diverts the learner’s focus, making it harder to piece together the bigger picture. This is all down to cognitive load theory, which says that in general, humans can handle around four pieces of new information at any one time. To help users focus, stick to the lab's core topic and avoid overloading them with unrelated details. TL;DR When writing your labs with the Custom Lab Builder, ensure all your text is conversational to engage your users with the topic. And also make all your copy as concise as possible. Getting your message across in as few words as possible will reduce cognitive overload, boredom, and frustration. By focusing on being conversational, as well as being consistent and conscious (as we covered in the previous blog posts in this series), your readers will engage with your content better, remember the topic, and be able to put it into practice more easily – improving their cybersecurity knowledge and driving their cyber resilience. Share your thoughts! What do you think about these tone of voice tips when writing your custom labs? Have you tried to write your labs in a conversational yet concise way, and how did this go down with your users? Do you have any other suggestions for the community on how to write conversationally? We’d love to hear from you!Making the Most of Custom Lab Builder: A Guide to Writing Inclusively for All
Language shapes how people perceive and engage with content, so it’s crucial to consider the kind of words you use. Using outdated terminology can offend and disengage learners, as well as hurt a company’s reputation. This blog is the second in a series on making the most of the Lab Builder, looking at what we call the Four Cs. Ensuring your writing is… Conscious Consistent Conversational Concise The previous post in this series looked at accessibility. In this post, we’ll explore what it means to write consciously and inclusively, share practical tips, and show how our platform supports this critical effort. Why is inclusive language important? Inclusive language avoids bias, respects diversity, and ensures accessibility for all. In cybersecurity, it means using terms that foster collaboration and trust, avoiding outdated or harmful phrases, and creating welcoming and empowering content The Quality Team at Immersive Labs is committed to staying up to date with how language changes in the cyber industry. We regularly undertake research and speak to other industry professionals to ensure that our language is appropriate. Words to avoid We recommend avoiding specific terms that some people may find offensive, and some socially charged language that may have negative connotations. Non-inclusive language to avoid Preferred inclusive versions Whitelist/Blacklist Allowlist/Denylist White hat/Black hat hackers Ethical/Unethical hackers Master/Slave Leader/Follower, Primary/Replica, Primary/Standby Grandfathered Legacy status Gendered pronouns (e.g. assuming “he/him/his”) They, them, their Gendered pronouns (e.g. “guys”) Folks, people, you all, y’all Man hours, man power Hours, engineer hours, workforce, staffing Man-in-the-middle attack Machine-in-the-middle attack Sanity check Quick check, confidence check, coherence check Dummy value Placeholder value, sample value Crazy, insane Amazing, incredible, or any other appropriate adjective Socially charged words Preferred inclusive versions Native Built-in, default, pre-installed, integrated, core Abort Stop, cancel, end, force quit Cripple Disable, impair, damage, destroy, ruin Kill Stop, force quit, close, shut down Trigger Activate, initiate, cause, launch Unsure if a phrase you’ve used could be seen as offensive? Ask yourself: is this the most accurate and appropriate choice? Often, you can find a more descriptive word and avoid using these examples. Top tips for inclusive language Use writing tools Tools like Grammarly can help identify problematic words or phrases. You can create customized lists in Grammarly, which will then flag when a word has been used in your writing. Additionally, there are many inclusive language guides available online. Keep it short and sweet Use short sentences and paragraphs. Shorter sentences are easier to read, scan, and understand – especially for those with cognitive disabilities. Aim for sentences around 10–15 words, with variation for a natural flow. Avoid sentences longer than 20 words, as they can be harder to follow. Read aloud Proofread your work aloud to catch awkward phrasing, overly complex sentences, or insensitive terms. Hearing the words can help identify spots where clarity or tone might need improvement. Get a second opinion Ask a colleague to review your final version. A fresh set of eyes can spot language that might be unclear, inappropriate, or overly complicated. Share your thoughts Now that Lab Builder is here and you’ve had a chance to create your own content, how have you made your content more inclusive? We’re always looking to stay up to date, so if you have any further suggestions to add to our list of words to avoid or any other tips, let us know! We’d love to learn from you and grow the collective community knowledge.Making the Most of the Custom Lab Builder: Writing With Accessibility in Mind
What if someone tried to access your content who was visually impaired? Or who had cognitive difficulties? Or who was hard of hearing? Would they be able to understand the information you’ve provided and improve their cyber resilience? Our in-house copyediting team has created a series of articles to help you craft high-quality labs, aligned to the rigorous processes we follow. We embrace what we call the Four Cs to ensure all labs are: Consistent Conscious Conversational Concise These articles delve into each of these principles, showing how to implement them in your labs to create content that resonates with readers, enhances learning, and boosts cyber resilience. This post highlights how being conscious of your formatting can enhance accessibility for assistive technology users and how consistent formatting improves navigation for everyone. Rich text formatting Rich text formatting tools like subheadings, bullet points, lists, and tables in the Custom Lab Builder help organise information for easier scanning, better retention, and improved comprehension. Using these will ensure your content is consistent, accessible, and reader-friendly for everyone! Rich text formatting elements carry specific meaning, which assistive technologies rely on to convey information to specific users. Headings Visually, headings represent hierarchy through different font styling and allow users to quickly scan content. Programmatically, they allow users who can’t see or perceive the visual styling to access the same structural ability to scan. Heading elements should reflect the structure of the content. So your title should go in ‘Heading 1’ formatting, your next subheading will go in ‘Heading 2’ formatting, and so on. To ensure your content reads correctly to screen reader users, don’t use HTML heading styling to represent emphasis, and don’t use bold to make text appear like a heading. Lists (bullets/numbering) Always use bullets or numbered lists using the provided formatting to convey a list. A screen reader will announce that the following information is a list. Links How a link is formed significantly impacts usability. Consider the following sentence: “To find out more about this topic, complete our Intro to Code Injection lab here.” Links are interactive elements, which means you can navigate to them using the tab key. A user who relies on screen magnification to consume content may choose to tab through content to see what's available. The example above would be communicated as just “here”, which provides no context. They’d need to manually scroll back to understand the link’s purpose. Always use descriptive link text that clearly indicates its destination. Avoid ambiguous phrases like “here”. If that’s not possible, ensure the surrounding text provides clear context. “To find out more about this topic, complete our Intro to Code Injection lab.” Bold Only use bold for emphasis! Avoid italics, capital letters, or underlining (reserved for hyperlinks) to prevent confusion. Consistency in formatting reduces cognitive load, making your text more accessible. Bold stands out, provides better contrast, and helps readers quickly identify key information. Avoid italics With 15–20% of the population having dyslexia, italics are worth avoiding because research shows it’s harder for this user group to read italic text. Italics can sometimes bunch up into the next non-italic word, which can be difficult to comprehend or distracting to read. Media If you’re adding media to your labs, such as videos and images, it’s especially important to consider those who use assistive technologies. These users need to have the same chance of understanding the content as everyone else. They shouldn’t miss out on crucial learning. What is alternative text? Alt text describes the appearance and function of an image. It’s the written copy that appears if the image fails to load, but also helps screen reading tools describe images to visually impaired people. Imagine you’re reading aloud over the phone to someone who needs to understand the content. Think about the purpose of the image. Does it inform users about something specific, or is it just decoration? This should help you decide what (if any) information or function the images have, and what to write as your alternative text. Videos Any videos you add to your lab should have a transcript or subtitles for those who can’t hear it. Being consistent Consistency is a major thinking point for accessibility. We recommend adhering to a style guide so all of your labs look and feel consistent. We recommend thinking about the structure of your labs and keeping them consistent for easy navigation. In our labs, users expect an introduction, main content, and a concluding “In This Lab” section outlining the task. This helps users recognize certain elements of the product. It reduces distraction and allows easier navigation on the page. For example, some users prefer diving into practical tasks and referring back to the content if they need it. By using the same structure across your lab collections, your users will know exactly where to find the instructions as soon as they start. TL;DR It’s crucial to focus on accessibility when writing your custom labs. Utilise the built-in rich text formatting options in the Custom Lab Builder (and stay consistent with how you use them!) to ensure your labs are easy to navigate for every single user. By being conscious and consistent with your formatting, every user will engage with your content better, remember the topic, and be able to put it into practice more easily, improving their cybersecurity knowledge and driving their cyber resilience. No matter how they consume content. Keep your eyes peeled for the next blog post in this series, which will look at inclusive language. Share your thoughts! There’s so much information out there on creating accessible content. This blog post just focused on the language, structure, and current formatting options available in the Custom Lab Builder. Have you tried to make your labs or upskilling more accessible, and how did this go down with your users? Do you have any other suggestions for the community on how to write content with accessibility in mind? Share them in the comments below!
Detecting Sliver - Team Sim
Hello, Cyber Team Sim - Detecting Sliver Following the Debrief/answers - I'm stuck on Answer 1. our velociraptor hunts are coming back as "access is denied" - limiting us to continue any further in the lab. It is run on the Analyst Windows machine. Wondering if you have any tips or tricks for us to grant access Best regards, MartinNew Team Sim Content: (Defensive) Operation Vulpes
Operation Vulpes is a defensive scenario and marks a return of using Splunk as the SIEM solution. This scenario sees Orchid Corporation reeling from the aftermath of a ransomware attack. Defenders will need to determine the attacker's path to compromise and infect the network and use information provided by a law enforcement agency to attempt to recover files. Users will need to use a variety of tools and defensive disciplines to solve the scenario – not just the SIEM solution. This sim also utilizes our new user noise generation framework to simulate user web browsing activity on end-user devices. This spawns the Edge browser as a domain user and visits internal and external websites to add additional noise to logs collected by Splunk. Why have we created this content? This Team Sim adds a level of complexity and realism by introducing actual ransomware. So you and your teams can exercise and prepare for the worst-case scenario. (Please be aware that Immersive Labs created the ransomware for exercise purposes only and includes failsafes to control its execution.) In addition, the sim uses popular tools within security stacks, so the simulation is true to life. What are we publishing? A new Team Sim exercise, Operation Vulpes, which will be viewable in the Team Sim catalog for all Team Sim customers. Who is this content for? This Team Sim is primarily focused on testing the defensive and technical capabilities of the following roles: SOC analysts Incident responders Threat hunters Check it out now!Team Sim: Best Approaches for Your Team
A common issue in Team Sim exercises is when one player works in isolation, leaving others behind and missing the chance to build key team skills. To get the most out of a Team Sim exercise, the focus should be on teamwork – it’s in the name! Whether your team is meeting for the first time or has worked together every day for many years, here are some common characteristics and actions I’ve consistently seen in the best-performing teams: 1. Team leader Regardless of the person’s day-to-day role, a nominated team leader is the essential glue for any team. Some responsibilities I’ve seen effective team leaders adopt include chairing discussions, driving the group to a consensus and a clear decision, being the team’s representative for exercise manager communications, ensuring the team stays organized, and encouraging a positive experience for every member. 2. Pre-exercise team meeting A good plan will start the team on solid footing. High-performing teams bring everyone together before starting the exercise to agree on the approaches and rules of engagement. If you’re meeting the team for the first time, taking the time for introductions is critical to a comfortable environment. 3. Clear communication channels Establishing clear communications for sharing technical information and virtual conferencing details (if required). We recommend setting up a temporary private messaging group in your organization’s approved communications platform. Every team member should know how and where to ask questions or ask for support. 4. Blocked out exercise time Depending on how you approach the exercise (more on this later), teams that reserve time in their calendars in advance tend to have greater attendance and engagement. The effectiveness of team exercises depends on factors like team size, communication medium (in-person, virtual, or hybrid), time zones, skill levels, and goals. For example, do you want to put a well-known team to the test or have junior members learn from experienced analysts? In the spirit of collaboration, we have some tried and tested team approaches that we know work well in bringing people together. Each approach has its advantages and disadvantages, so bear this in mind when thinking about what works best for you and your team. One Team This involves the entire team working through the exercise together, either in person or virtually, maintaining constant communication and progressing at the same pace. This is the most common approach and is great for information sharing and peer learning. However, in larger teams, there’s a higher risk of some members falling behind, reducing their engagement. Chairperson Somewhat contrary to our earlier sentiments, this approach requires players to conduct portions of the exercise tasks alone, before coming together as a team during regular checkpoint meetings to discuss and validate each other's answers and findings. The team must agree on an answer before a chairperson submits the answer to a question in Team Sim. This is a slower approach, but it provides every player a chance to experience the whole exercise while encouraging knowledge sharing and exposure to different approaches and styles. Relay This is best for geographically split teams and perfect for exercising handover communication! Teams work on segments (e.g., specific time blocks or question sets) and pass their findings to the next team. Handoffs should mirror real incidents, addressing findings, uncertainties, and further investigations. A post-exercise debrief is a great opportunity to review and improve handover processes and communication skills. Team Strengths No two people are the same, and you may have specialists or people with particular strengths you can lean on. As you progress through the exercise and require different skills and knowledge, engaging those specialists can be an effective way to tackle a problem as a true team. Identify those strengths early on so you know what's in your team’s arsenal! Want a challenge? Do the opposite and encourage the team to use the skills they find challenging! If you want to save a copy of these approach ideas, check out our Team Sim Player Guide, which you can download and share. Share your thoughts This isn’t an exhaustive list of approaches; be creative with your team to find what works best for you. If you’ve participated in a Team Sim exercise before, let us know your tips for creating a top-class team dynamic!Defend as One: Breaking Down Technical Barriers Across an Organisation Through Technical Team Exercising
This article details how a public healthcare account used Immersive Labs’ Cyber Team Simulation for a cross-departmental May Day programme, benchmarking national cyber capabilities. As their Cyber Workforce Advisor, I’ll outline the steps taken, from planning to execution, to achieve this strategic programme.
