expert advice

Behind the Scenes of Immersive One: How Lab Builder is a Game-Changer for Cyber Readiness
“The best customer feedback we got was, we don’t need you to do everything for us.”

Rebecca: Wait, seriously?

Matt: Never more so. We built Lab Builder, a powerful Immersive One platform feature, for a reason: Organizations need a way to create, maintain, and publish their own labs—fast. Historically, our cyber team built every lab in Lab Forge. That worked for us, but it locked out partners and customers who wanted to address their unique needs—tools, environments, policies, and threats. They asked, “Can we do more by ourselves?” Lab Builder answers that.

Rebecca: Absolutely. Since its debut last fall, Lab Builder has evolved so much. What are the biggest benefits for users today?

Matt: There are two big ones. The first is the ability to curate content relevant to your organization, its threats, and its technologies—quickly. Second, realism. Teams can safely train with real-world code, internal apps, or even live malware—all in a secure, disposable environment. It’s as close to production as it gets, giving them an authentic experience with the exact tools and systems they use every day. The result? Faster upskilling, stronger readiness, and measurable gains in resilience.

“With Lab Builder, your organization can turn any piece of code or policy into hands-on training—instantly.”

Rebecca: That almost sounds too easy—until you see the demo in action for yourself!

Matt: Yes! The team is super proud of how streamlined it is. The core workflow is just five steps. Create a new lab. Then configure it, adding basics like the lab title, intro, learning outcomes, and gamification aspects like points users will get for completing the lab. From there, the focus is on building the briefing and tasks—drag-and-drop questions, code-review challenges, “find the flaw”, there’s lots to choose from. Then you’re ready to publish. Just assign your SME as Lab Creator, and they’re live on the same Immersive One platform they use every day.
Rebecca: To me, the genius of that kind of design is in its accessibility. You’ve also invested heavily in the learner experience.

Matt: Definitely. Engagement is a top priority, so we’re always building for the learners who need to know cyber—not only to support their organization’s cyber resilience strategy, but to grow professionally. We aim to remove every barrier to learning we can.

Rebecca: I know you’re not one to boast, but how has the team modernized the UI?

Matt: We’ve done a lot of work here, starting with completely rebuilding the theory labs interface, giving it a clean, responsive design that works seamlessly across desktop, tablet, or phone. We’ve been building toward that for our practical labs experience too. There are now intuitive panels, seamless task navigation, and instant feedback to guide learners every step of the way. We also turned Lab Builder into a true WYSIWYG (“what you see is what you get”) editor so Lab Creators see exactly what their teams will experience. We also baked in full WCAG compliance, with keyboard navigation and screen-reader support on every screen. Ultimately, we hope to bring every Immersive-built and custom lab into a single, unified front end in Immersive One—so no matter where you are, one clear interface delivers the same training experience.

Rebecca: It’s this kind of due diligence that really makes a difference! Let’s talk about VMs. How do they fit in?

Matt: Theory can only take you so far, so we released practical labs in the spring. Organizations spin up their own virtual machines in AWS (Amazon Web Services), share the AMI with our account, and import it straight into Lab Builder. Why does that matter? Because learners train in their exact production environments—internal tools, real vulnerable code, compliance setups. We support typical instance sizes—enough CPUs and RAM for most use cases. While we may roll out more environments in the future, AWS supports 99% of our existing customer base.
That means the process feels native for Immersive One users; they can truly learn by doing.

“Build your VM. Import it. Assign it. All without leaving Immersive One.”

Rebecca: Initially, only Org Admins could build custom labs. How did you expand access so that more team members could create labs, without being given full admin rights?

Matt: We introduced the Lab Creator role this summer. Now you pick who builds labs—no full admin rights required.

Rebecca: So smart. Now, in-house experts can build content without getting the keys to the kingdom.

Matt: 100%. The team is laser-focused on leveling up Immersive One with every Lab Builder release because it’s so instrumental to the customer experience. In June, we added video support right in the briefing panels because some individuals learn best through short, engaging clips. We also rolled out a Machine Library stocked with pre-configured VMs—basically templates, from Kali Linux to reverse-engineering rigs—so you can drop assets in and start training immediately with zero VM building. You just need t And internal publishing functionality lets Lab Creators bundle custom labs into collections and share them across Organizations—think a self-service marketplace for specialized, high-value content.

Rebecca: Honestly, Matt, what you’ve done with Lab Builder functionality is incredible. And I know you’re not done yet.

Matt: Yeah, right—not at all. The team is already heads-down on an AI agent, but I won’t spoil it!

Rebecca: Love that! Well, thanks again for meeting with me today, Matt. Maybe next time we can discuss ways customers or partners are already using Lab Builder to meet their unique needs—you know, deep-dive into specific use cases.

Matt: Oh, absolutely—happy to share what customers are using Lab Builder for. Maybe we even host a webinar for that one? Would be fun to entertain some Q&A.

Rebecca: Nice, let’s plan on it!
Final Thought

Lab Builder not only powers a customer-first UI and UX, it can help you transform every new threat, policy change, or internal tool into an interactive lab—on your timeline, with your exact requirements. Want to explore the possibilities? Contact your Account Manager for a personalized introduction to this powerful feature. In the meantime, preview how easy it is to customize learning by watching this quick demo: Meet Lab Builder

Your Guide to Effective AI Prompting
Why Prompting Matters for Crisis Simulations

Think of AI as a highly intelligent, but literal, assistant. The quality of its output directly reflects the clarity and specificity of your instructions. For crisis simulations, this means:

Relevance: Tailored scenarios that mirror your organization's unique risks, industry, and operational environment.
Realism: Scenarios that feel authentic, with credible triggers, evolving complications, and realistic stakeholder reactions.
Depth: Multi-layered scenarios that challenge your team's decision-making, communication, and collaboration skills.
Actionability: Scenarios that provide clear learning objectives and reveal actionable insights for improving your crisis response plan.

Core Principles of Effective Prompting

Be Specific, Not Vague

Bad Prompt: "Generate a crisis." (Too generic, will give you a basic, unhelpful scenario.)

Good Prompt: "Generate a cybersecurity crisis scenario for a mid-sized e-commerce fashion retailer. The trigger is a ransomware attack that encrypts customer databases and disrupts order fulfillment."

Why it works: It defines the what (cybersecurity crisis, ransomware), the who (e-commerce fashion retailer, mid-sized), and the impact (encrypted databases, disrupted orders).

Define your organisation and context using our drop-down fields, and then add additional context.
Industry (e.g., healthcare, finance, manufacturing, tech, retail)
Threat (e.g., data breach, natural disaster, product recall, public relations nightmare, supply chain disruption, insider threat, workplace violence, financial fraud)
Attack vector (e.g., phishing attack, severe weather event, manufacturing defect, viral social media post, disgruntled employee action, sudden market downturn)

The more information the AI has about your specific context, the more tailored the scenario will be, so consider adding further information such as:

Company Size: (e.g., small startup, multinational corporation)
Key Products/Services: (e.g., cloud-based software, physical goods, financial advisory)
Target Audience: (e.g., B2B clients, general consumers, specific demographics)
Geographic Scope: (e.g., local, national, global operations)
Relevant Regulations/Compliance: (e.g., GDPR, HIPAA, industry-specific standards)
Current Trends/Challenges: (e.g., supply chain issues, inflation, new technologies)

Example: "Our company, 'Global Pharma Solutions,' is a multinational pharmaceutical company with a focus on novel drug development. We operate globally and are heavily regulated by the FDA and EMA. Generate a scenario reflecting a crisis involving a mislabeled drug batch, discovered shortly after market release in Europe and the US."

Outline Key Stakeholders and Their Potential Reactions

Realistic scenarios involve diverse stakeholders with varying interests and reactions.

Internal: Employees, leadership, legal, HR, IT, communications, specific department teams.
External: Customers, media, regulators, investors, suppliers, partners, general public, affected individuals.
Desired Reaction: How should these stakeholders react? (e.g., panic, confusion, outrage, demanding answers, seeking legal action, offering support).

Example: "Include reactions from panicked customers flooding social media, calls from concerned regulators, and an internal IT team struggling to diagnose the issue.
Also, factor in a potential negative news story breaking on a major industry publication."

Inject Complications and Escalation

Crises rarely remain static. Build in elements that make the scenario evolve and become more challenging.

Secondary Events: (e.g., power outage during a cyberattack, additional product defects discovered, key personnel unavailable)
Information Gaps/Misinformation: (e.g., conflicting reports, rumors spreading on social media, difficulty in verifying facts)
Ethical Dilemmas: (e.g., balancing transparency with legal implications, prioritizing different stakeholder needs)
Time Constraints: (e.g., a critical decision needed within 30 minutes, public statement required by end of day)

Example: "After the initial system outage, introduce a new complication: a cyber-espionage group claims responsibility on a dark web forum, threatening to release sensitive customer data if demands are not met, despite the initial incident being unrelated to a breach."

Define the Learning Objectives (Optional, but Recommended)

While the AI won't "know" your objectives, including them in your prompt can subtly guide its generation towards a scenario that helps you test specific aspects of your plan.

Example: "The scenario should test our team's ability to communicate effectively under pressure," or "Focus on evaluating our supply chain resilience and alternative vendor protocols."

By following these guidelines, you'll be well on your way to leveraging our AI crisis simulation feature to its fullest, preparing your team for any challenge the real world might throw at them. Happy simulating!

People, Not Just Firewalls: Why OT Cybersecurity Starts with Training
The wake-up call no one wanted

Just after midnight on September 22, 2024, a suspected ransomware attack forced operators at the Arkansas City, Kansas, water-treatment plant to switch to manual controls, anxiously safeguarding drinking water for the town’s residents.

Downtime hurts more than you think

According to the ITIC 2024 Hourly Cost of Downtime Survey, over 90% of mid-size and large organisations now put the price of a single hour of outage above $300,000, with 41% saying the bill tops $1 million. For OT industries, such as energy, costs can go up to $2.48 million per hour. When a cyber incident can drain six figures before a morning coffee break, prevention clearly beats recovery.

Why training, not just tech, keeps the plant running

Early threat spotting – Staff who know what an abnormal human-machine interface (HMI) screen looks like can isolate a rogue process long before malware reaches the production line.
Fewer human-error openings – Phishing remains OT’s favourite attacker on-ramp; rehearsed teams click fewer bad links.
Regulatory head-start – Standards such as IEC 62443 demand demonstrable cyber competence; fines for non-compliance often dwarf the cost of training.

Three quick wins

Quick win: Role-based micro-modules. What it looks like: Deliver bite-sized, job-specific training, e.g. Modbus for SOC analysts, cyber awareness for OT Engineers. The win: Builds practical, role-relevant cyber instincts.
Quick win: Table-top drills. What it looks like: Simulate a cyber incident alert and map “who calls whom, who shuts what”. The win: Prepares teams for real-world response.
Quick win: Visible leadership. What it looks like: Get managers in the room with frontline staff during training. The win: Makes security a shared responsibility.

Bottom line

Tools catch packets; people catch trouble. Invest in your workforce’s OT-security skills today, and the next midnight alarm could become just another drill instead of headline news.
Learn more at my Labs Live OT Special

Sign up for my Labs Live OT Special on July 15 as I tackle a brand new OT lab collaboratively, with you on a webinar. Register your attendance here!

Share your thoughts

Thoughts or questions? Drop them in the comments. Let’s keep the conversation (and the plant) running.

Operational Technology: What It Is, Why It Matters, and Why Cybersecurity Can’t Wait
What is OT?

Operational technology refers to the hardware and software systems that monitor and control physical devices, processes, and infrastructure. This includes everything from the systems that manage electricity generation and water treatment to manufacturing lines, railway signals, and building automation. Think programmable logic controllers (PLCs), SCADA systems, and human-machine interfaces (HMIs). Unlike IT, which focuses on data, OT is about controlling the physical world, keeping lights on, water flowing, trains running, and factories producing.

Why is OT important?

OT is the backbone of our critical infrastructure. A malfunction or compromise in these systems doesn’t just result in data loss; it can cause physical damage, safety incidents, environmental harm, or massive economic disruption. In other words, OT is where digital risk becomes real-world impact.

Why is OT cybersecurity becoming critical?

Historically, OT networks were isolated; the so-called “air gap” kept them separate from the internet and IT systems. But that gap has been shrinking fast:

IT/OT convergence means OT systems are increasingly connected to enterprise networks for efficiency, monitoring, and remote access.
Legacy systems not designed with cybersecurity in mind are being exposed to new threats.
Ransomware and other attacks are now hitting OT environments, either indirectly as collateral damage from IT infections or directly as intentional targets – as seen in the Colonial Pipeline incident.

The result? OT systems are now in the crosshairs of threat actors, but they often lack the same level of visibility, patching, and protection that IT environments enjoy.

Share your thoughts

Have you encountered OT in your role? What challenges have you faced? Drop a comment and let’s build some shared knowledge.

Ready to double down on OT? Sign up for my Labs Live OT Special on July 15 as I tackle a brand new OT lab collaboratively, with you on a webinar.
Register your attendance here!

The Human Edge Beyond Pentesting – Building True Cyber Resilience
Pentest vs. Red Team: Understanding the Core Difference

Many cybersecurity vendors are rebadging pentesting as attack simulations or red teaming, often at a higher cost. However, there's a clear difference:

Pentesting (Penetration Testing): The overarching goal of penetration testing is to find vulnerabilities within an environment in order to create a remediation plan. Reporting focuses on documenting as many vulnerabilities as possible in the allotted timeframe.

Red Teaming (Attack Simulation): In contrast, red teaming is used to validate the efficacy of the defensive (blue) team. It is not looking for vulnerabilities per se; it is about achieving the objectives while trying to avoid detection. Reporting focuses on finding defensive gaps and assessing the blue team's response capabilities. The ultimate goal is to simulate real-world adversaries and determine if the defensive team has the telemetry to detect them.

The key takeaway is that if the engagement isn't assessing your detection capabilities, it is not a red team.

When Does Red Teaming Truly Add Value?

While valuable, red teaming isn't always the most cost-effective solution, and it is usually only effective in these three scenarios:

When You Have a Regulatory Requirement: Industries with specific regulations, such as BEST, TIBER, FEER, CORIE, and AASE, often mandate regulatory red teams, which have standardized approaches and qualifications.

When You Have a Very Mature Organization: When your organization has addressed all other possible security issues and has limited justification for further spending, a Red Team can provide a level of assurance that few other testing strategies can match. However, if you have known, unaddressed issues, red teaming rapidly loses value, as the simulated attackers will typically take the easiest route to compromise and report on issues you are already aware of.
When You Need a "Burning Platform": Sometimes, demonstrating the potential severity of a worst-case scenario is necessary to secure critical budget increases. Red teaming can effectively highlight how badly wrong things could go, aiding CISOs in getting the needed resources.

However, it's important to note that more cost-effective methods often offer a better return on investment than red teaming outside these specific use cases. Purple teaming offers a more holistic approach to measuring your blue team's capability while also having a much higher knowledge transfer rate. Attack path mapping is far more comprehensive in discovering what attackers can do and what vulnerabilities or misconfigurations can be chained together to achieve compromise.

The Pitfalls of Misaligned Red Teaming

Several factors can hinder the benefits of red teaming outside the identified use cases:

Resource Intensive: Red teaming is both costly and time-consuming.
Potentially Divisive: It can sometimes lead to conflict between teams or erode trust within an organization.
Weak Follow-Up: Lessons learned from red team exercises are often not translated into actionable steps, or worse, completely ignored.
Limited Scope: It may fail to explore cascading impacts and real-world disruptions.
Insufficient Business Focus: Without an understanding of broader business consequences, the exercise's value can be limited.
Increased Risk: Poorly executed red teaming can introduce wasted effort or unnecessary investigations.
Often Undetected: A significant number of red team operations do not trigger alerts or go unnoticed by defensive teams.

This last point highlights the importance of understanding why an attack wasn't detected, by asking:

Was an alert generated?
Was it marked as a false positive?
Was a process followed?
Was the process correct?
Enhancing Cyber Resilience: A Holistic Approach

Cyber resilience is not just about products or individual tools; it's about the application of skilled and motivated people, understanding and utilizing technology, and implementing reliable and repeatable processes and detections. The focus should be on building a robust, layered defense that understands, anticipates, and mitigates all phases of the attack chain, recognizing that the perimeter is no longer the sole objective for attackers.

To truly improve cyber resilience, organizations need to focus on three key areas:

Security Posture: Continuously assess and strengthen your foundational security.
Detection Capability: Improve your ability to identify and triage malicious activity.
Response Capability: Enhance your team's efficiency and effectiveness in reacting to and recovering from incidents.

This involves exposing defenders to real-world Tactics, Techniques, and Procedures (TTPs) relevant to their environment. Furthermore, understanding the capabilities and blind spots of both your security team and defensive tooling is crucial for applying and testing effective mitigations and proving resiliency.

Practical Approaches to Building Resilience

To achieve true benefit from simulations, organizations must prepare individuals and teams before and after the simulation. This involves a cycle of "Prepare & Protect" and "Detect & Respond". Effective training and exercises are vital for different audiences:

Individual Preparation: Hands-on labs can provide technical training for various roles, including defensive cybersecurity professionals, penetration testers, developers, application security experts, and cloud & infrastructure security personnel.

Technical Team Exercises (Team Sim): These focus on the technical aspects of cyber attack and response using pre-configured cyber range scenarios.
Participants investigate or perform simulated attacks using real cybersecurity tools and techniques in a safe environment/sandbox.

Executive & Business Exercises (Crisis Sim): Moving beyond traditional tabletop exercises, Crisis Sim puts teams into dynamic crisis simulations with real crises, dynamic storylines, and contextual media. This helps measure and benchmark responses to inform crisis strategies and build muscle memory through regular exercising.

By understanding the distinct roles of pentesting and red teaming, strategically applying attack simulations, and investing in comprehensive training across all levels of the organization, businesses can genuinely enhance their cyber resilience and gain the human edge over cyber attacks.

From XSS and SQLi to AI-generated code and supply-chain compromise: How application security is evolving
Keeping up with vulnerabilities is like playing a never-ending game of whack-a-mole. One day, we were knee-deep in XSS payloads and buffer overflows; the next, developers everywhere were plugging SQL injection holes with duct tape and regex. A lot of our earlier tech wasn’t built with security in mind – or at least not at the forefront of our minds. But over the past two decades, the culture has changed, and developers are shifting left. Programming languages, as well as the frameworks and ecosystems around them, are evolving and adapting to counter security threats.

XSS: From everyday headache to “mostly handled”

Remember when cross-site scripting (XSS) was every web developer’s nightmare? In the 2000s, it seemed like every other website was vulnerable. If you were lucky, your users’ only punishment was an annoying pop-up. If not, credentials and session cookies were up for grabs.

Modern languages and frameworks took proactive steps in their designs. Today, many of them have built-in protections against common vulnerabilities like XSS. Some examples are:

React, Angular, Vue: Automatically escape output by default. You have to go out of your way to render raw HTML (and they make you feel guilty about it).
Django, Ruby on Rails, ASP.NET Core: Templates escape user input by default.
Browsers: Even they pitch in, with features like Content Security Policy (CSP).

It’s still possible to write a vulnerable application, but the bar is higher. As a result, attackers have a bigger hurdle to jump over. This is thanks to the evolution of how languages and frameworks approach security – not as a feature, but as the default.

SQL injection: OR 1=1 is mostly history

SQL injection once powered major data breaches. Now, parameterized queries have become the norm, and we’re on our way to leaving those days behind. Object-Relational Mappers (ORMs) like SQLAlchemy, Entity Framework, and Hibernate generate safe SQL.
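To show concretely why "escape output by default" and "parameterized queries" close the XSS and SQL injection doors discussed above, here is an added example (not code from the original post) that puts the two approaches side by side. It uses Python's standard-library sqlite3 module and html.escape on a constructed in-memory user table; the function and table names are the example's own, and the plaintext password column exists only to keep the query-construction point visible (real systems store password hashes).

```python
import html
import sqlite3

# Constructed sample records for the demo (not from the original post).
# Real applications store password hashes, never plaintext; the table is
# kept minimal so the focus stays on how the query is built.
SAMPLE_USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, user, password):
    """The 'before': user input is spliced into the SQL text, so a quote
    character in the input becomes part of the query grammar and the
    classic tautology from the post (OR 1=1) matches every row."""
    query = (
        "SELECT name FROM users WHERE name = '" + user
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, user, password):
    """The 'after': placeholders hand the values to the driver separately
    from the SQL text, so the input is only ever compared as data."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


def render_greeting(name):
    """Escape-by-default output, the behaviour the post attributes to modern
    template engines: any markup in the name is rendered as literal text."""
    return "<p>Hello, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"  # the tautology input mentioned in the post
    # Concatenation logs the caller in as the first user; placeholders do not.
    print("concatenated :", login_concatenated(db, probe, "anything"))
    print("parameterized:", login_parameterized(db, probe, "anything"))
    print(render_greeting("<script>alert(1)</script>"))
```

The two login functions differ only in how the values reach the database, which is exactly the difference an ORM or prepared-statement API makes on the developer's behalf; the greeting function is the one-line equivalent of what a templating engine does to every interpolated value unless you explicitly mark it safe.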
Most modern languages make string concatenation in queries unnecessary (and uncool). Even PHP, once infamous for its “raw SQL everywhere” approach, now encourages prepared statements and offers safe database APIs. Not a perfect world, but much improved. It’s crucial to keep in mind, however, that technology shouldn’t be relied upon uncritically to keep applications secure. Developers must do their due diligence.

Memory mischief: The rise of Rust (and memory-managed languages)

C and C++ are legendary for performance. And legendary for buffer overflows, use-after-free, and all manner of memory mischief. Enter memory-safe languages:

Java, C#, Python: Garbage collection and managed memory eliminate entire classes of bugs.
Rust: Takes it up a notch with ownership semantics, preventing data races and dangling pointers at compile time.

A lot of system-level work has migrated to these “safer” languages, and the impact is apparent in everything from embedded devices to operating systems (hello, Rust in the Linux kernel).

The new frontiers: AI and supply chain attacks

Just as one threat starts to become old news, new threats emerge. Two of these are:

Supply chain compromise

The SolarWinds breach and NPM “event-stream” incident have put supply chain attacks in the spotlight over the last decade. It goes to highlight that you can write perfect code and still get breached because a dependency many levels deep was compromised. Some of the changes we’re seeing as a result:

Package registries are adopting MFA and signing requirements.
Software Bill of Materials (SBOM) is becoming a must-have, especially in regulated industries.

But the battle is ongoing. If anything, our code is more interconnected than ever, and the rise of “vibe coding” is complicating matters further.

AI-generated code

AI tools like GitHub Copilot and ChatGPT are generating millions of code snippets. This is a double-edged sword. You get increased productivity, but the code is often vulnerable.
This is partly a reflection of the insecurities in the code that the models were trained on. I asked ChatGPT 4.5 to identify the vulnerability in the following code and it couldn't. Can you? Leave a reply with your thoughts!

from flask import Flask, jsonify, request, session

app = Flask(__name__)
# `limits` (a rate-limiting decorator) and `db` (the data-access helper) are
# used by the snippet as posted but are not defined in it.

@limits(calls=6, period=60)
@app.route("/change-password", methods=["POST"])
def change_password():
    user = session.get("user")
    if not user:
        return jsonify({"message": "Unauthorised"}), 401
    data = request.get_json()
    password = data.get("new_password")
    if not password:
        return jsonify({"message": "Password is required"}), 400
    if not db.change_password(user, password):
        return jsonify({"message": "Failed to change password"}), 500
    return jsonify({"message": "Password changed successfully"}), 200

@limits(calls=6, period=60)
@app.route("/login", methods=["GET", "POST"])
def login():
    data = request.get_json()
    user = data.get("user")
    password = data.get("password")
    if not user or not password:
        return jsonify({"message": "Username and password are required"}), 400
    if not db.authenticate(user, password):
        return jsonify({"message": "Invalid username or password"}), 401
    session["user"] = user
    return jsonify({"message": "Logged in successfully"}), 200

The changes I expect to see going forward are:

Guidelines and governance for AI-generated code: Programming languages or coding standards may soon explicitly include guidelines, validation rules, or security frameworks tailored to AI-assisted coding, ensuring generated code adheres to secure patterns. Work is already being done to create rules files for improved security.
Integrated security checks at the IDE level: IDEs may embed deeper vulnerability scanning and real-time feedback directly within coding processes. Development environments or compilers may also come integrated with validation tools specifically attuned to potential weaknesses inherent in AI-generated code.
Increased reliance on static/dynamic security analysis tools: Enhanced automated scanning integrated into CI/CD pipelines, detecting flaws pre-deployment.
Keeping people in the loop: Security awareness should be a top priority, so everyone is ready for the worst-case scenario.
Proving and improving skills: Developers’ training should increasingly emphasize secure coding, particularly when assisted by AI tools.

At the current stage, thorough PR reviews are more crucial than ever. As with any code, always review and test AI-generated code, especially for security-sensitive logic. AI is a tool, not an auditor.

Security: Not a feature, but a default

Application security has come a long way from the Wild West days of the early internet. The biggest shift in the software development landscape is that security is no longer a bolt-on. Modern programming languages and ecosystems try to make the secure path the easy path. Defaults are safe (escaped output, parameterized queries), dangerous operations are noisy (compiler warnings, explicit function names), and security updates are automated (thanks to package managers and CI/CD integrations).

Of course, attackers are creative, and the landscape is always shifting. But the evolution of programming languages, as well as the surrounding tools and communities, means developers have a fighting chance. While we face newer threats like AI-generated code vulnerabilities and supply chain compromise, the foundations are getting stronger. The key is to keep learning, stay skeptical, and use the tools at your disposal properly. The biggest shift I would like to see is the human element no longer being viewed as the “weakest link”.

The moles never stop popping up, but now, at least, we have better mallets – and the resources to help us use them.

From Abstract to Action: Immersive One's Compliance Solution
We're in an age of rapid digitization. Different industries are embracing technologies like artificial intelligence (AI) and cloud solutions, driven by the ambition to shift from analog to digital. This transformation demands robust cyber resilience, but the sheer complexity of compliance with regulations and frameworks is a major challenge for organizations. It can be hard for staff to understand something that feels abstract or disconnected from their roles, and organizations often struggle to bring it to life. Proving adherence to standards is one thing; ensuring every team member understands their role in safeguarding digital health is another. Here’s how we’re creating services to help.

Cutting through the complexity

One of the toughest hurdles in today's digital landscape is evidencing compliance with regulations and frameworks. As a reminder, here’s the difference between the two:

A regulation is a legally binding rule or order, often enforced by a government authority.
A framework is a structured set of guidelines, principles, or best practices designed to help an organization achieve a specific goal or comply with regulations.

It can be difficult to demonstrate the value of compliance and help your team understand the importance of aligning with a structured framework to meet regulatory demands. That’s where Immersive One, powered by our Cyber Resilience Advisory Services, can cut through the complexity. We transform abstract compliance into tangible, impactful experiences that resonate throughout organizations. It’s not just about ticking boxes – we support a deep alignment with your digital strategy, focusing on both regulations and structured frameworks. This ensures your organization not only meets compliance requirements but can quantifiably prove and improve its risk reduction efforts, giving your board clarity and confidence.
Bringing the CAF framework to life

In my role as Cyber Resilience advisor at Immersive, I’ve operationalised Cyber Assessment Framework (CAF) objectives A-D with a public healthcare customer by leveraging our Crisis Simulation product. Here’s how a framework like CAF truly comes alive:

Our customer ran weekly live engagement sessions, resulting in an impressive 1,200 users actively interacting with the program.
Following these sessions, participants gained access to a curated collection of labs, each focused on specific CAF principles and tailored to their individual roles.
The customer can now prove and improve their alignment with this important resilience framework.

When it comes to customer requirements, we deliver content at pace. Recognizing the immediate need to prepare for the NIS2 Directive's implementation, we identified a critical requirement: to exercise the mandated reporting uplifts proactively. In addition to understanding the new rules, organizations need to build familiarity and competence before a real-life crisis. This led to the development of one of our first Crisis Simulations specifically designed around NIS2. The simulation delivers exceptional value by immersing teams in the entire NIS2 reporting lifecycle. It ensures that compliance isn't just understood but instinctive, making your organization truly resilient to NIS2’s demands.

Try it out

The NIS2 Directive is rapidly becoming a regulatory priority across the EU and is relevant for any organization operating in or with Europe. Are you ready for it? If you’re a customer, the NIS2 Crisis Sim is available to try on Immersive One now: ShareYourDocs Breach – NIS2 Reporting.

Feature Focus: Crisis Sim Presentation Mode Uplifts
Here at Immersive, we're constantly striving to push the boundaries of cyber education and make our simulations as realistic and impactful as possible. We believe that truly effective learning happens when you're immersed in a genuinely challenging and engaging scenario. That's why we're incredibly excited to announce a significant uplift to the UI and UX of our Crisis Sim Presentation Mode. These aren't just cosmetic tweaks; they’re impactful changes, requested by you, designed to elevate the realism and engagement of your crisis simulation exercises, making the experience more dynamic and true-to-life for you and your team.

A modern makeover for a seamless experience

First impressions matter, and we’ve given the Presentation Mode UI a thorough modernization. This refresh delivers a cleaner, more intuitive aesthetic that’s not just pleasing to the eye, but also enhances clarity and reduces cognitive load during high-stakes scenarios. Our goal was to create an environment that feels contemporary and professional, reflecting the gravity of the simulated situations.

Crucial UX enhancements for heightened realism

Beyond the visual refresh, we've implemented several key UX changes that directly address the need for increased realism and participant engagement:

The optional countdown timer: feel the pressure build! In a real crisis, time is often a critical factor. Now, with the addition of an optional countdown timer, facilitators can introduce this vital element directly into the Presentation Mode. This isn't just about a ticking clock; it's about replicating the pressure and time constraints that decision-makers face in genuine incident response. This subtle yet powerful addition can significantly heighten the sense of urgency and consequence for participants, driving more active and strategic thinking.

Navigating back: review and reflect in read-only mode. Ever wished you could quickly refer back to a previous piece of information during a fast-paced crisis? Now you can! We've introduced the ability to navigate back to previous injects in a read-only mode. This means participants can revisit past communications, intelligence, or decisions without impacting the live progression of the exercise. This feature fosters better situational awareness and allows for more informed decision-making, mirroring the investigative and analytical processes that occur during a real incident.

Companion App integration: all your content, always on hand. Perhaps one of the most impactful changes for participant engagement is the surfacing of all content and static rich media directly on the Companion App. Previously, certain elements might have been facilitator-driven. Now, everything from critical intelligence reports to simulated news articles, social media feeds, and relevant imagery is immediately accessible to participants on their personal devices. This comprehensive content delivery ensures that participants have all the necessary information at their fingertips, enabling them to actively participate, analyze, and collaborate without disruption. It transforms the Companion App into a truly indispensable tool for the exercise, fostering deeper immersion and a more authentic crisis experience.

Why these changes matter

Our core mission at Immersive is to make learning about cybersecurity as effective and memorable as possible. These updates to Crisis Sim Presentation Mode directly serve that mission by:

Increasing realism: by incorporating elements like time pressure and readily accessible information, we're making our simulations more closely resemble the complexities and demands of real-world cyber crises.
Boosting engagement: when participants have all the information they need at their fingertips and can actively interact with the scenario, their engagement levels naturally soar. This leads to more meaningful learning outcomes and a greater retention of critical skills.
Enhancing learning outcomes: a more realistic and engaging environment naturally fosters better decision-making skills, improved teamwork, and a deeper understanding of crisis management principles.

These enhancements will provide an even more powerful and immersive experience for both facilitators and participants. We're confident that these changes will lead to even more impactful learning and a greater readiness to tackle the cyber challenges of tomorrow.

Share your thoughts

We can't wait for you to experience the difference, and we’d love to hear your thoughts on the changes. Log in to your Immersive platform and explore the enhanced Crisis Sim Presentation Mode today!

ISO 27001 and the Immersive One Platform: Strengthening Your Information Security Posture
The importance of continuous evidence

When audits or investigations happen, it’s not enough to say you’ve got things under control – you need to prove it. That means having solid evidence of your security posture, how it’s been implemented, and a continued commitment to it. Without that, the risk of fines and reputational damage goes up. Being able to demonstrate continuous evidence is crucial for staying in line with the latest directives and regulations.

How Immersive can help

Immersive helps organizations implement compliance frameworks like ISO 27001 by providing evidence of due diligence, simplifying the human element of security, and enabling gradual expansion of security measures. Depending on your priorities, or where you perceive your biggest gaps to be, these are some of the areas you can leverage in the Immersive platform:

Improving the speed and quality of response to emerging threats.
Increasing efficacy in recruitment, retention, and career development.
Reducing cloud and application vulnerabilities early in the Software Development Life Cycle (SDLC).

Here are three practical ways Immersive supports ISO 27001 compliance:

1. Hands-On Labs

These labs ensure people across different roles get the right training and skill development. Security and technical teams have varying needs, and our labs help meet those needs by aligning practical learning to specific job functions. A general theme is how failing to provide proper training isn’t just a missed opportunity – it can be seen as negligence. An organization is responsible for providing training tools, which should be aligned with specific roles. Here are some of the ISO 27002 sections that our Hands-On Labs align with: 5.4, 5.7, 6.1, 6.3, 8.7, and 8.27. For more details, see the ISO 27002 implementation guide.

2. Crisis Sim

All frameworks emphasize properly exercising staff and those with decision-making responsibilities. This covers everything from traditional tabletop exercises (TTX) at the board level to hands-on scenarios for teams further down the organization. Proving these exercises are happening effectively can be challenging. Traditional exec-level sessions are expensive, time-consuming, and hard to scale. Crisis Sim helps to solve this. It offers a practical, scalable way to run structured exercises across different teams and roles, including the supply chain. Here are some of the ISO 27002 sections that our Crisis Sim solution addresses: 5.4, 5.20, 5.24, 5.34, and 8.16. For more details, see the ISO 27002 implementation guide.

3. Workforce

Plenty of areas in the ISO 27001 framework apply to the entire organization, not just technical teams. In some cases, we already have content such as labs and workforce exercises that can be used right away. But often, the focus is on your own internal policies and procedures – and that’s where our customizable templates and lab-building tools come in. The Immersive Workforce methodology gives you a structured way to train your people and show that they truly understand and can apply those policies in real-world scenarios. It’s all about making security awareness practical, measurable, and tailored to your organization. Our Workforce methodology meets the following ISO 27002 sections: 5.10, 5.17, 5.27, 5.34, 6.3, 6.7, and 8.1. For more details, see the ISO 27002 guide.

Turning compliance into confidence

By tapping into the full power of the Immersive platform, organizations can go beyond just checking compliance boxes. They can actively show due diligence, streamline compliance efforts, and proactively strengthen their information security posture. From hands-on training and crisis simulations to workforce assessments, Immersive provides the tools and methodologies needed to ensure that individuals at all levels are equipped to understand, apply, and uphold robust security practices. Ultimately, this leads to a more secure environment, reduced risk, and a clear demonstration of an organization's commitment to protecting its valuable information assets.

Share your thoughts

How is your organization approaching ISO 27001 compliance? Drop a comment below and let us know what’s worked, or what you’re still figuring out. For more details on strengthening your information security posture, check out these sources:

ISO 27001 framework
ISO 27002 implementation guide (for ISO 27001)
NIS2
DORA

Microsoft Sentinel: Threat Hunting Tools You Could Be Missing Out On
As a SOC analyst, incident responder, or cloud security engineer using Microsoft Sentinel as your SIEM, you’ll be familiar with its standard features, such as incidents, analytics rules, and threat intelligence. However, you might not be so familiar with workbooks, which enable data visualisation and dynamic reporting, or notebooks, which empower you to document threat hunts and build replayable incident response playbooks. Let’s look at how these Microsoft Sentinel features can improve your incident response and threat hunting.

Eyes on: monitoring metrics with workbooks

One key advantage of workbooks is their ability to dynamically visualise data from a range of sources across your Microsoft environment and beyond. This provides obvious security advantages via monitoring of metrics such as request rates, egress traffic, CPU utilisation, and management plane actions. If your workbook dashboard shows an unexpected spike in requests to a sensitive resource, it could be a sign that something isn’t quite right. Visualising these metrics in near-real-time graphs helps spot early signs of compromise and speeds up detection.

The other, often overlooked advantage of metrics in workbooks comes from a management perspective. Microsoft Azure offers many template workbooks for common data reporting needs, including the Cybersecurity Maturity Model Certification and Azure Security Benchmark workbooks. Up-to-date reporting on performance against these core security benchmarks is critical for security engineers to identify insecure points in your Microsoft estate. For CISOs and SOC managers, the capability to track improvements in KPI metrics like Mean Time to Triage or Mean Time to Repair can prove invaluable in monitoring SOC performance and evidencing the positive effects of realistic training. This can be achieved using the Security Operations Efficiency Workbook offered as a template workbook.
To learn more about monitoring metrics with workbooks, check out the newly released Azure Workbooks: Monitoring Metrics lab.

Diving deep: security analysis with workbooks

From a security perspective, workbooks can be a powerful tool if you get creative. The ability to query logs and metric data across a wide range of sources means you can combine information to enhance threat intelligence and identify unusual behavior in investigations through visual comparison of standard baseline activities. Workbooks can build complex queries into logs from a range of sources, including sign-in logs, Windows Event logs, networking logs, and resource activity logs. By cleverly designing log queries within your workbooks, you can visually detect anomalous activity and chart this in workbook reports that can be shared across a SOC team.

Graphically representing data in workbooks can have numerous advantages. By visualising resource relationships, you can easily identify shadow IT or resources deployed by threat actors for persistence, such as a lone resource in a location your business doesn’t use. For another example, you can diagram external collaborations in Microsoft Teams or email connections in Microsoft Outlook to identify anomalous behaviour and hunt for potential risks. By visualising data dynamically in workbooks, you can boost security analysis and threat hunting across every stage of the Cyber Kill Chain. Our Microsoft Sentinel: Security Analysis with Workbooks lab covers this further.

Improved response: incident investigations with notebooks

Microsoft Sentinel integrates Jupyter notebooks into the Microsoft Azure portal, enabling you to run and document code during SIEM investigations in Microsoft Sentinel.
If you’re in a SOC team, notebooks provide some seriously useful advantages:

Readable code for other analysts: by tracking your steps in a notebook using markdown, you can explain your queries, capture outputs, and make your work easy for another analyst to understand.
Standardise your analysis and response: once you've made a notebook for a specific security event, you can reuse it whenever a similar incident occurs. This gives you a step-by-step guide to analyse and respond to the new incident.
Share incident response knowledge: notebooks are also very easy to share with other people. If you want to train a more junior team member in how to analyse and respond to that specific security event, you can share the notebook with them. This reduces reliance on individuals, helps to prevent silos, and teaches other members of your team.
Improve your response: the next time a specific security event occurs, you may realise that other data sources or queries can be helpful to investigate. It's very easy to add to and develop your notebook. This means you can improve your response over time as you iterate on the work you've already done.

For hands-on experience getting to grips with notebooks, check out the Microsoft Sentinel: Introduction to Notebooks lab.

Tracking threat actors: hunting with notebooks

It’s not just the inherent advantages of Jupyter notebooks that this feature brings to the table. By enabling sophisticated automation and log querying, notebooks in Microsoft Sentinel can offer detailed investigation guides, empowering your threat hunting and incident response teams. By connecting natively to Microsoft Sentinel workspaces, notebooks can query Log Analytics log tables to investigate recent activity, sign-in logs, requests, and more. By collating this information into a centralised location, your investigation can seamlessly track a threat actor’s movements through your estate.
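The reusable, parameterised notebook query pattern described here, as an added example written for this page (not code from the Immersive lab or from Microsoft): one helper builds a KQL query for write operations against a named VM and rejects input that would alter the query, and a second summarises the returned rows to surface callers outside an expected set. The AzureActivity column names are those of that table; the sample rows, user names and IP addresses are constructed, and in a real notebook the rows would come from a Log Analytics query client rather than the inline list.

```python
import re
from collections import Counter

# Constructed rows standing in for the result of a KQL query against the
# AzureActivity table (column names are AzureActivity's; values are made up).
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-01T09:12:00Z", "Caller": "ops-admin@example.com",
     "CallerIpAddress": "203.0.113.10", "ActivityStatusValue": "Success",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"},
    {"TimeGenerated": "2024-05-01T09:15:00Z", "Caller": "ops-admin@example.com",
     "CallerIpAddress": "203.0.113.10", "ActivityStatusValue": "Success",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"},
    {"TimeGenerated": "2024-05-02T02:41:00Z", "Caller": "contractor@example.net",
     "CallerIpAddress": "198.51.100.77", "ActivityStatusValue": "Success",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"},
    {"TimeGenerated": "2024-05-02T02:43:00Z", "Caller": "contractor@example.net",
     "CallerIpAddress": "198.51.100.77", "ActivityStatusValue": "Failed",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"},
]

_LOOKBACK = re.compile(r"^\d{1,4}[mhd]$")  # plain KQL timespans: 30m, 12h, 7d


def build_vm_write_query(vm_name: str, lookback: str = "7d") -> str:
    """Return a KQL query listing write operations against one VM.

    Parameters are checked before being embedded: the lookback must be a
    plain timespan and the VM name is emitted as an escaped KQL string
    literal, so a value such as 'web-01" | take 0' cannot change the query.
    """
    if not vm_name:
        raise ValueError("vm_name is required")
    if not _LOOKBACK.match(lookback):
        raise ValueError(f"invalid lookback: {lookback!r}")
    literal = vm_name.replace("\\", "\\\\").replace('"', '\\"')
    return "\n".join([
        "AzureActivity",
        f"| where TimeGenerated > ago({lookback})",
        f'| where _ResourceId endswith "/virtualMachines/{literal}"',
        '| where OperationNameValue endswith "/write"',
        "| project TimeGenerated, Caller, CallerIpAddress,",
        "          OperationNameValue, ActivityStatusValue",
        "| order by TimeGenerated desc",
    ])


def summarise_writes(rows, expected_callers):
    """Count write operations per caller and list, for each caller outside
    the expected set, the source IPs used: a hunting lead for the analyst."""
    by_caller = Counter(r["Caller"] for r in rows)
    unexpected = sorted(c for c in by_caller if c not in expected_callers)
    leads = {c: sorted({r["CallerIpAddress"] for r in rows if r["Caller"] == c})
             for c in unexpected}
    return {"by_caller": dict(by_caller), "unexpected": leads}


if __name__ == "__main__":
    print(build_vm_write_query("web-01"))
    print(summarise_writes(SAMPLE_ROWS, {"ops-admin@example.com"}))
```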
Then, by storing these queries in a notebook, you can reuse them repeatedly, which can rapidly reduce investigation times for commonly occurring incidents. The example below shows a saved query that displays any write operations against a virtual machine with a provided name. It’s reusable, repeatable, and reliable.

By standardising incident investigations and creating reusable, documented queries for threat hunting, you can reduce time wasted by rewriting the same playbooks repeatedly, greatly improving your SOC team's efficiency. The new Microsoft Sentinel: Threat Hunting with Notebooks lab gives hands-on experience tracking a realistic threat actor who has compromised a Microsoft Azure account.

Beyond workbooks and notebooks: empowering your SOC team

Workbooks and notebooks are handy tools in Microsoft Sentinel, but they form only a small part of the arsenal. The newly released Microsoft Sentinel: Threat Hunting with Notebooks and Workbooks collection is ideal for SOC analysts, incident responders, forensics specialists, and cloud/security engineers who use Microsoft Sentinel as their SIEM and want to expand their knowledge. By adding this collection to our existing Microsoft Sentinel content, we cover the core areas of the Microsoft Sentinel (SC-200) certification while offering more advanced content for experienced SIEM users. Gain a competitive edge by building hands-on experience in realistic scenarios so you can use Microsoft Sentinel to its fullest potential.

Share your thoughts

Why not give this content a try and let me know how you got on? Remember, if you need help with a lab or want to collaborate with other community members, share your question on the Help forum!