Between Two Sims: What To Focus On Between Exercises
We're back with another installment of our series for managers using Crisis Sim. If you haven’t already, be sure to check out Episode 1, which covers Crisis Sim outcomes for managers. The results and data from your first Crisis Sim exercise provided valuable insight into your team’s decision-making skills. But you know this isn’t a one-and-done thing – the landscape is ever changing. There are always new ways to arm yourself and your organization with knowledge and skills. Enhancing your cyber resiliency and improving the quality of your responses to incidents allows you to get back to the most fantastic and underrated aspect of your role as a cybersecurity professional – maintaining business-as-usual operations without interruptions. The opportunities are endless. Where should you focus your efforts? Episode 1 covered outcomes by means of the Results and After Action Report sections of the platform when you complete a Crisis Sim exercise. This blog post will shift gears to what goes on – or should be going on – between exercises. Next steps for managers between exercises Exercise debrief Host a debriefing session for exercise participants and any key stakeholders in your organization you’d like to gather feedback or additional insights from. Debriefing is a valuable process following any exercise, providing a structured opportunity for reflection and learning. Primarily, you’ll want to discuss successes, identify areas for improvement, and gather feedback. A successful exercise debrief will include: Clear expectations and ground rules Reflection on successes and challenges A review of existing processes and procedures Feedback on the scenario, delivery, and identifying improvements for the future Details around the lessons you learned from the exercise Defining action items and ownership Moreover, debriefing fosters open communication and builds trust within teams, strengthening their resilience and overall effectiveness. If you’re looking for additional guidance on debriefs, check out our guide in the Help Center! Internal review If time allows, take a step back and conduct an internal review with stakeholders and leadership. This can be an opportunity to identify trends or recurring patterns that might need a deeper dive, and allow you to determine what’s most important from a leadership perspective going forward. Be sure to consider the following in your internal review: Did you come across any knowledge gaps or assumptions that surprised you? Did you come across any areas of strength that were unexpected? Should you adjust the difficulty or coverage areas? Does the team need to be benchmarked against this same scenario in the future? What other organizational stakeholders should you bring in moving forward? And what will be important for them in Crisis Sim exercising? Implement insights Demonstrate your commitment to improving cyber resiliency by fostering a collaborative learning environment. Encourage open and honest dialogue where your team feels comfortable sharing their perspectives freely, without fear of judgment. This will help you identify both strengths and weaknesses, providing valuable insights that may not be apparent from your own perspective. By implementing changes based on this valuable feedback, you prove your dedication to continuous improvement. Your action plan A key component to improving your organizational cyber resilience is creating and executing an action plan with clear objectives, stakeholders, and deadlines. The After Action Report from your last exercise will provide a solid foundation, but these specifics will help you enhance its impact. Dive into the Inject and Participant Breakdown areas of the After Action Report – this will help you pinpoint your team’s strengths and weaknesses identified in the last exercise, or identify participants that could benefit from individualized training plans to accelerate their development. Using this existing information will help you specify the concepts or topics of priority for you to address between exercises, begin benchmarking progress, and explore additional scenarios down the road. Review scenarios and upskilling content relevant to the areas you identified as needing improvement from the last exercise. In Crisis Sim, you can leverage the existing scenarios in our catalogue, create a custom scenario (from scratch or using our templates), and even take our AI Scenario Generator for a spin! Tip: Exercise specific teams or individuals in Single Player mode between organization-wide sessions to give them additional opportunities to improve their decision-making process. Three key areas of focus between exercises You know your organization and teams best, so what works best for your program between Crisis Sim exercises is up to you. But we encourage prioritizing these areas: Debriefing and feedback sessions to get the most value out of your exercises Individualized or team-focused learning plans for upskilling – don’t forget to leverage relevant content in labs! Reviewing and updating internal processes and procedures that may be out of date or contradictory If you’ve recently completed your first Crisis Sim exercise and begun working on goals for improvement between exercises, what have you focused on? If you’ve completed many, what tips do you have for others? Join the discussion in the comments below!Transforming Bug Triage into Training: Inside the Making of Immersive AppSec Range Exercises
“We all know the pain of bug reports clogging up a sprint—we thought, what if we could transform that drain on time and morale into a challenge developers are excited to tackle?” Rebecca: Oh, I love that—turning bug backlog dread into bite-sized victories is brilliant. I’m excited to hear more, but first, congratulations on launching Immersive AppSec Range Exercises! This is a BIG deal! No one else does anything like this for developers. Naomi: Thanks! What can I say? My love for cybersecurity goes back to university capture-the-flag events. Pushing yourself outside your comfort zone with hands-on challenges is by far the fastest way to learn. My main goal was to bring that same energy to application security—there are loads of CTFs for pentesters, but not really for developers who need to sharpen their defensive and remediation skills. I also wanted this to be inherently team-friendly. Our individual AppSec labs are built for individual learning, but group dynamics demand different pacing and collaboration tools. Rebecca: Makes total sense. Offensive skills get the headlines, but developers need a solid, team-centric defensive playground too. So how did you translate that vision into the actual structure of our AppSec Range Exercises? Naomi: I anchored everything in the maintenance phase of the software lifecycle: Receive bug → Triage → Fix → Test → Merge. That mirrors real dev workflows, so participants don’t just patch vulnerabilities—they live the ticket management, version control, and testing cadence they’ll face on the job. [Inside scoop: When we build any security exercise, our team maps it to a real-world experience. In Immersive AppSec Range Exercises, a common SDLC workflow—teams learn best when they see exactly how it will play out in their daily sprints. ] Rebecca: I love that you’re training both mindset and muscle memory—jumping through the same process you’d use in production. Once you had that flow, what were the first steps to bring the framework to life? Naomi: Well, I knew that this project was going to need quite a few applications to house the functionality for the exercises, so I audited what we’d need from scratch versus what open source could handle. For ticketing, most OSS Kanban tools were overkill, so I built a lightweight app called Sprinter. Then for version control, we leaned on GitLab—it was quick to stand up and gave a familiar UI for branching and merges. Once those pieces clicked—vulnerabilities surfacing in Sprinter, code pushes in GitLab, and test runs in the Verification view—we had a minimally viable range exercise in action. Rebecca: A smart “build-what-you-must, borrow-where-you-can” approach. Seeing that prototype come together must’ve been so cool. Naomi: Absolutely. It was one thing to design on paper, but watching the pipeline live—tickets flow in Sprinter, GitLab merge requests, automatic test feedback—was a genuine “wow” moment. Rebecca: Speaking of “wow,” let’s talk scenarios. How did you land on “Blossom,” your vulnerable HR app in the Orchid Corp universe? Naomi: Well, we needed something with enough complexity to showcase the framework. HR apps hit three sweet spots: business logic richness, varied user roles, and sensitive data. Tying it into Orchid Corp—our fictional corporation for Immersive Cyber Drills—gave it narrative depth, especially for returning users of our Immersive One platform. Rebecca: And when you designed the actual vulnerabilities inside Blossom, what guided your choices? Naomi: I started with the OWASP API Top 10—that’s our gold standard for spotting the biggest threats. Then I looked at what slips through most scanners and frameworks—nuanced business-logic flaws and edge-case logic bugs—and made those the core of the challenge. To keep things well-rounded, I also added a few classics—things like IDOR, SSRF, and command injection—so every player gets a taste of both modern pitfalls and time-tested exploits. [Inside scoop: Mixing modern, real-world API flaws with a few known “gotchas” keeps Immersive AppSec learners guessing and builds confidence when they spot the unexpected.] Rebecca: I know you’re busy working on the next exercises we’ll release, but before we wrap, how did you test Blossom among developers and engineers? No doubt you wanted to make sure it delivered the right experience! Naomi: Yes, absolutely! We ran a pilot with our own Immersive engineers and a third party, creating a realistic dev team. Watching them collaborate—triaging, patching, merging—validated every piece of the design. Their feedback on pacing and hint levels let us polish the final release. It was one of my favourite days—seeing months of work click into place. After that, we shipped it to customers knowing it was battle-tested. Rebecca: This has been fantastic—thank you for sharing your full planning and development journey, Naomi! From initial vision to a live, collaborative exercise … I’m awed. You certainly put incredible thought and care into developing this revolutionary approach to AppSec training. Final Thought Security is a team sport, and training like Immersive AppSec Range Exercises is the fast track to confident, resilient DevSecOps teams. If you’re a developer or engineer looking to level up your remediation skills, have your team lead reach out to your Account Manager for a demo. In the meantime, watch a sneak peek of what your experience would be like in this demo below:Crisis Sim Complete...Now What?
Picture it: you’ve designed, built, and exercised your first Crisis Sim. You're pleased with the scenario and satisfied to see your team sharpen their skills, deepen their understanding, and boost their incident readiness. You can bask in the glory of this job well done for a moment, but the journey of the Crisis Sim doesn’t end here. The devil is in the details of the exercise data. Completing the exercise and gathering the results is only the beginning of your journey of fostering people-centric cyber resilience! Not sure where to start? We’ve got you covered Remember how meticulously you mapped out those injects and options to build your scenario? The feedback options, the performance indicators, the branching paths, the exercise types? Your hard work is about to pay off. We’ve processed the exercise responses for you because you’ve earned it – and because there’s more work to be done. Next steps for managers Crafting outcomes from outputs You can expand on the work you’ve already put into the exercise by leveraging both the Results and the After Action Report (AAR) for your scenario in the Immersive platform. Follow these steps to access these items: Go to Crisis Sim in the Exercise tab. Locate your exercise. Hint: use the filters available on the left to show “ended” exercises. Click to open your “Ended” exercise. From there, you’ll see how to dive into the available outputs with a few clicks! If you need a bit more info, here are some additional guides from our Help Center: Where to find Crisis Sim exercise results & reports View Results After Action Report (AAR) Analyzing exercise results Results If you’re looking for granular data down to the details of each inject, you can find it here. In Results, you’ll see an overview including the summary from the exercise scenario, along with key details such as scoring and completion metrics. Need to examine responses to specific injects? In the platform, you can quickly drill down into each inject by using the navigation on the left-hand side of the report. By selecting an inject, you can review responses and start to see patterns that emerged throughout the exercise. If you’d prefer raw data, you can export a CSV file of your results. It's straightforward, packed with detail, and puts all the key metrics and figures within easy reach. Check out our documentation for more details on key information and metrics. This is an invaluable resource for anyone passionate about data! It allows you to establish a foundation, set comparative standards, and ultimately gauge and improve your cyber resilience – all with concrete data to back your efforts. If the mention of statistics and spreadsheets doesn't excite you, no worries, the Immersive platform generates an After Action Report for you 30 minutes after completion of your exercise. After Action Report (AAR) Enter the After Action Report! The AAR presents an interactive visualization of your data analysis, offering valuable insights at your fingertips. And, as a bonus, you can download it as a PDF. The AAR is more than a deliverable; it’s a guide to fostering a people-centric cyber resiliency culture. It offers an outline of the exercise and crucial data points that will help drive what you and your team do next. Overall performance, inject-by-inject analysis, and participant breakdown provide a comprehensive view of your team's current capabilities and readiness, wrapped up with relevant recommendations for you and your team. Remember, insights are only available for data that’s collected as part of your exercise, so make sure you offer ranked inject options and enable response confidence and feedback to maximize your exercising. This is defaulted in the Immersive Crisis Sim Catalog presentation scenarios. In the performance overview of the AAR, you'll encounter a high-level snapshot guide for your next steps. Think of this as a performance gauge (based on our experience with Immersive clients) that maps to the following: >=75%: Excellent >=50%: Good >= 25%: Fair >=0%: Needs improvement As you dive deeper into the AAR, these broader performance indicators unfold with more granular data, and you’ll be able to understand the gaps that exist in cyber resilience for your organization. Mind the gap By understanding your organization's current state, you can create targeted improvement plans, whether reinforcing strengths, addressing weaknesses, or identifying opportunities for further training and exercises. This provides a clear starting point for overall improvement and upskilling. Inject breakdowns help pinpoint your team's strengths and weaknesses. Imagine the exercise in a real-world scenario: would there be a data breach, or would operations continue as normal? Assess your team's confidence and accuracy in their responses to identify knowledge gaps and points of failure. Use these insights not to dwell on mistakes but to improve and ensure your team is well-prepared for future challenges. The participant breakdown takes this introspection into your team's capabilities a step further by plotting decision scores against confidence levels. This helps you understand the accuracy and confidence of your team’s responses. Are your strongest team members operating confidently? Are those with knowledge gaps posing risks by overcompensating with confidence? Create an action plan This data helps you prioritize your next steps. Will you address weaknesses, reinforce existing skills, or increase exercise frequency to build confidence? There are plenty of upskilling routes to choose from. After each exercise, you'll see related Crisis Sim scenarios and lab content based on the threats and attack vectors encountered. When creating your action plan, you should consider the following outcomes and their related recommendations: Weaknesses identified at the individual level ⇢ Assign recommended lab content to key users, and reinforce the importance of upskilling by communicating the purpose of the content. Hint: Don’t forget to use assignment deadlines to effectively track progress and keep the team on track. The participants' skills resulted in high accuracy decision-making but low confidence ⇢ Reinforce strengths with clear communication of processes and expectations. Consider reviewing your internal playbooks! Are processes clear, concise, and aligned with organizational needs and expectations? Are policies current and up to date? Are there conflicting processes or policies within your organization? The team performed exceptionally across the board with high confidence ⇢ Test response readiness by exercising on a more difficult level scenario. Does the team excel in all areas, or is this an opportunity to better prepare? The landscape is constantly changing, and new threats are constantly emerging. Ensure your team has a wide breadth of knowledge and coverage by continuously proving their skills and encouraging further learning. Three essential steps to maximize your post-simulation impact Of course, you know your organization and teams best, so the Crisis Sim results are always best interpreted by you. Once you’ve analyzed and understood the results, prioritize these steps: Review the results and gather feedback promptly to identify growth opportunities. Did outcomes align with expectations, or were there surprises? Plan specific changes for future Crisis Sim exercises and build a strategic timeline. Should you adjust the difficulty or coverage areas? Is there time for additional training between exercises? Create an action plan with clear objectives, owners, and deadlines to ensure individual and team development. What other organizational stakeholders should you bring in moving forward? And what will be important for them in Crisis Sim exercising? Share your thoughts If you’ve recently completed your first Crisis Sim exercise, what will you do next? If you’ve completed many, what tips do you have for others? Join the discussion below!The Softer Side: Non-technical Benefits to Technical Team Exercises
In my role, I have the privilege of working with many different organizations through their technical exercise events and programs. One of the most rewarding aspects is seeing the spark ignite in the people as they band together to achieve a common objective. In this article, I’ll be sharing some of the common benefits I see emerge across organizations of all sizes, industries, and maturity levels, no matter the exercise's purpose. Encouraging curiosity and problem-solving Cyber Range Exercises provide a virtual network environment to explore. Defensive exercises focus on detecting and monitoring malicious activity, while offensive exercises involve exploiting vulnerabilities to uncover target information. Within these simulated environments, participants must utilize a wide array of skills and decide on the best approach, as the correct course of action isn't always obvious. This technical challenge is great for reinforcing knowledge and applying skills. I've seen players puzzle over unsuccessful methods, forcing them to rethink their approach entirely, asking plenty of “what if” questions before testing them out. This experimentation process educates players while simultaneously promoting lateral thinking and encourages sharing problem-solving insights. Improved communication Trawling through logs and analyzing (or preparing) a malicious payload usually calls for quiet focus. But in the real world, we’re rarely working alone. More often than not, investigations and tests happen in small teams, under pressure, and good communication becomes just as important as technical skill. That’s why team-based exercises reflect this reality. You’ve got to explain what you’re doing clearly, so everyone’s on the same page – both in terms of the situation and the technical jargon. Creating clear written logs and documentation matters too, especially in incidents where language may need to be adapted for different audiences. The most effective teams I've observed in these exercises prioritize organization. They set up a central place to track everything – whether that’s a Teams channel, a spreadsheet, or a crisis response tool – and they’re smart about assigning roles and carving out time to keep everyone synced up. Better distraction management A deliberate challenge I sometimes incorporate into technical exercises is surprise leadership requests for incident updates. This tests the team's ability to rapidly consolidate information under pressure, dealing with the uncertainties of an active investigation. Teams with strong organization, detailed incident logs, and a dedicated spokesperson or team leader consistently manage these interruptions best. Practicing in a simulated setting helps teams stay productive and accurate, even when real-world distractions come into play. It builds the ability to block out noise, manage stakeholders, stay focused on individual tasks while keeping sight of team goals, and smoothly switch contexts when needed. Stronger team dynamics Unlike individual training, these exercises require participants to actively communicate, share knowledge, and rely on each other's strengths to achieve a common goal. Team members learn to understand each other's working styles, identify individual expertise, and build trust in their colleagues' abilities. The shared experience of overcoming technical challenges, even simulated ones, creates a sense of camaraderie and shared accomplishment. While every team comprises diverse personalities and communication styles, it's crucial that each individual feels comfortable and empowered to share their insights and findings. These contributions can significantly alter the outcome; for instance, a critical discovery during a technical investigation might directly influence the business's crisis response strategy. Increased efficiency The more a team works together responding to the exercise challenges, the more they develop shared understandings of processes and expectations, learn to delegate effectively, and identify bottlenecks in their collaborative efforts. Eliminating issues arising from a lack of confidence or familiarity with the team or processes is especially critical for incident response teams, leading to quicker response times and improved agility when situations change rapidly. After each exercise, I like to conduct a team debrief, which is crucial for reflecting on lessons learned. Prompting players to consider their individual strengths and challenges, alongside open discussion about team dynamics and processes, helps identify opportunities for improvement. Technical exercises are undoubtedly key to boosting individual technical proficiency. However, their even greater value lies in cultivating these skills alongside the crucial professional attributes demanded by our field. Considering the significant pressure and expectations placed on these teams to deliver trustworthy outcomes, ensuring their preparedness within a high-trust setting is essential. These are merely some of the advantages I've witnessed through these exercises. Share your thoughts What benefits have you experienced through technical exercising? Share your thoughts in the comments!Decoding Coding: Picking a Language
These days, more and more jobs can benefit from being able to write simple scripts and programs, especially in cybersecurity. For example, pulling data from an API, scraping web pages, or processing large data files to extract information – the list of uses is virtually endless! Tempting as it is to dive right in, there are several things worth thinking about before you begin. This article will discuss one of the most important choices – selecting a language. What to consider when choosing a language A basic understanding of programming languages can make your life easier, increasing your adaptability and finesse in different environments. But with tons of languages like Python, Java, JavaScript, Go, Rust, and more, which one should you choose? Here are the crucial factors to consider: What's available Can you install whatever language you like to run your code, or are there limitations? If you have an enterprise-managed computer, you might not be able to install new software or languages, and you may need to use the default options. For Windows, this is PowerShell. Bash Script is the equivalent for Mac and Linux devices, and Python is often available too. Your personal experience and interest This one might sound obvious, but it does matter. We learn better and faster when we're invested in the subject. Look at your previous experiences. Have you worked with any programming languages before? Did you enjoy them? For example, if you had a good experience working with Python, let that guide your decision! That said, don't shy away from learning something new if there's a good reason or you’re curious to do so. What's trending in your organization Does your organization or team predominantly use a specific language? Not only would learning that one help you communicate better with your colleagues, but it could also give you an edge while working with systems developed in that language. Plus, there’ll be plenty of people to talk to if you get stuck! The language's capabilities and nature Like people, different languages have different strengths. Some are fantastic for web development (like JavaScript), while others are better suited for system-level programming (like C). Python is often an excellent choice. It's considered easy to learn, incredibly flexible, and powerful due to the huge catalog of packages available. While it isn't as fast as many other languages, for most purposes, it's usually more than fast enough. Java is a very widely used object-oriented programming language and can be extremely fast. The learning curve is steeper than Python, but there are loads of learning resources available. JavaScript (not to be confused with Java!) isn’t as useful for quick standalone scripts or applications, but it's the dominant language for websites and browsers, so understanding it is practically a superpower for testing and manipulating websites and applications. C and C++ allow low-level access to memory and offer a lot of flexibility – incredibly helpful when evaluating systems with these languages at their core. Available tools and training Great tools can make tough jobs easier. Certain programming languages have robust toolsets that can help automate your tasks. For instance, Python has a wide array of libraries and frameworks that make handling big projects a cinch while saving you time and effort – why reinvent the wheel when you can just import it? Take a look at what training is available for the language you’re interested in. Older and more popular languages are likely to have more to choose from, but there’s loads out there and a lot of it is free! Also, consider what tools you might already have access to within your organization. Community and support If a programming language has a large active community, it means help is readily available when you get stuck. Languages like Python, JavaScript, and Java have strong communities and plenty of online resources available. Scope for growth If you're planning to learn a language, why not pick one that's in demand? Check job boards, look at industry trends, and see if learning a particular language can give your professional growth a boost! Summary Remember, no language is “the best". The best is the one that suits your needs and circumstances. You might even find mastering multiple programming languages useful over time. Just like speaking multiple languages, the more you know, the better you can communicate in different environments! Once you understand some of the basic programming concepts, like variables and loops, it’s easier to learn a second or third language. Learning a programming language may initially seem like climbing a steep mountain. But once you get the hang of it, you'll realize that the view from the top was well worth the hike! Want to take the next step? Here are some lab collections that may help you learn a bit more about PowerShell and Python: PowerShell Basics Offensive PowerShell Introduction to Python Scripting Share your thoughts If you’re new to coding, tell us what language you’re trying out! Why did you pick it, and would you make the same choice again? Are there any specific challenges you found or any relevant experiences you’d like to share?Secure Code Comments: One Easy Way to Steward Your Application Security Culture
While traditional code comments focus on explaining the code's functionality, security-focused comments are crucial to promoting secure coding practices throughout the development lifecycle (SDLC). By making this simple tactic part of your natural workflow, you can assert your knowledge and become a security champion. Let's explore how integrating security comments into your code can benefit you and the security team. Leading Forward Using Secure Code Comments Integrating security into your daily coding isn't just about ticking requirement boxes; it's about building a security mindset that makes you indispensable. Secure-code comments are low-hanging fruit for sharing knowledge, learning from others, and making security a seamless part of your day. Senior developers and application security champions can quickly and effectively educate other developers about best practices without leaving the comfort of their Integrated Development Environment (IDE). Best practice for code comments suggests emphasizing the why, not the what. Security-focused comments are no different. Meanwhile, they play a crucial role in promoting secure coding practices, enabling teams to: Explain Key Security Moves: Share the rationale behind specific security measures, such as input validation, encryption, and access control mechanisms. Flag Red Flags: Spot potential weaknesses in your code, like SQL injection, cross-site scripting (XSS), and unprotected data. Share Knowledge: Link to relevant security standards, guidelines, and resources and facilitate efficient code reviews. Enhancing Code with Security Comments–Two Examples Example 1: Preventing SQL Injection with Parameterized Queries (Python) Let’s consider a simplified Python function, which performs a simple insert operation into a database: def insert_user(conn, name, email): """ Inserts a new user into the 'user' table. Args: conn: A sqlite3 connection object. name: The name of the user. email: The email address of the user. Returns: None This function uses a parameterized query to prevent SQL injection vulnerabilities. See: CWE-89 https://cwe.mitre.org/data/definitions/89.html By using placeholders (e.g., `?`) and passing the actual values as separate arguments, we avoid direct string concatenation. This ensures that user-supplied input cannot be manipulated to modify SQL commands. """ sql = """INSERT INTO user (name, email) VALUES (?, ?)""" cur = conn.cursor() cur.execute(sql, (name, email)) conn.commit() cur.close() As you can see, in addition to the regular docstring, we succinctly mention why we’re using parameterized queries over string concatenation. We also reference a CWE and provide a link for anyone who wants to learn more. With just three extra sentences in a function comment, we’ve given less experienced developers who are code spelunking a quick lesson (or reminder) about why and how to prevent SQL injection. Example 2: Mitigating XSS Vulnerabilities with DOMPurify (React) Let’s take a look at another example, this time on a React frontend. Here, we’re knowingly doing something potentially dangerous but effectively communicating to other developers the mitigations applied. /** * Displays user-generated HTML content, sanitizing it with DOMPurify to prevent XSS vulnerabilities. * * This component uses `dangerouslySetInnerHTML` because the content being displayed *must* include HTML markup. * Alternatives like rendering plain text or using a limited subset of HTML tags are not sufficient for this use case. See: https://kanban.system/t/123 * **Security Considerations:** * * **CWE-79 (Improper Neutralization of Special Elements used in an HTML Page): https://cwe.mitre.org/data/definitions/79.html * This code directly addresses CWE-79 by sanitizing the user-provided HTML before rendering it. Without sanitization, malicious * users could inject JavaScript code that would be executed in the context of the website, leading to * XSS attacks. * * **Why not just use textContent?** If we used `textContent` or similar methods, any HTML tags in the user * input would be treated as plain text and displayed as-is. This would prevent XSS, but it would * also defeat the purpose of allowing users to input HTML in the first place. * * **Why DOMPurify?** DOMPurify is a widely used and well-maintained library specifically designed for * sanitizing HTML. It's more robust and secure than attempting to create a custom sanitization * solution. It handles a wide range of potential XSS attack vectors. * * @param {string} htmlContent The user-generated HTML content. This is assumed to be untrusted. * @returns {JSX.Element} The sanitized HTML rendered within a div. */ function SafeHTMLDisplay({ htmlContent }) { const sanitizedHTML = DOMPurify.sanitize(htmlContent); return ( <div dangerouslySetInnerHTML={{ __html: sanitizedHTML }} /> ); } This time we go into more detail about the why. Let’s break it down: First, it’s important to acknowledge that the original approach isn’t best practice. Second, you can level up developer awareness about alternative options.Then, connect the dots for maximum impact, sharing why this approach is required to satisfy product requirements. Finally, it’s important to detail security considerations with CWE IDs, codifying the weakness you’re proactively mitigating; yes, you can even justify the introduction of another dependency compared to a custom implementation. Any future developer tasked with modifying the comment feature will quickly understand the importance of keeping this mitigation rather than “cleaning up the code” because it still functions “the same” without it. As an AppSec developer or security champion, you’ve just avoided another security report being raised because of a regression introduced by an over-eager junior developer. It's well worth the 15 lines of extra code. Even better, any security engineer performing a secure code review will be much more confident that their developer understands why they wrote the code the way they did. This knowledge, in turn, expedites that coveted ‘approve’ on their pull request, reducing the time to get the code safely into production. Identifying and codifying vulnerabilities with Find the Flaw Setting the tone with security-focused comments largely falls to the lead developer or security champion, presenting an easy opportunity for aspiring champions to stand out. Remember, the goal is to identify and codify weaknesses in code before or as it is being written; this approach ensures others can craft easy-to-understand security comments too. Whether you’re just starting out or looking to grow your skillset, Immersive AppSec’s Find the Flaw collections provide ample opportunities to build critical DevSecOps muscle memory. You’ll learn to identify various common vulnerabilities in code and recognize what CWE IDs they correspond to. Writing security-focused comments will feel like second nature when you're coding up a storm! Beyond Code Comments: Empowering Your Manager to Recognize the Power of AppSec Training Code comments are a valuable AppSec tool, albeit only one piece of the puzzle. To cultivate a developer-led security culture, organizations need managers who recognize the power of comprehensive training programs for their elite developers. These programs support proactive developers with the knowledge and skills to build secure applications from the ground up. As a result, the organization achieves development velocity SLAs and application security simultaneously. Remember to share your experience learning by doing, gaining the attackers’ perspective, which Immersive Labs AppSec offers. Your manager and teammates should recognize the value of using safe, real-world scenarios and interactive exercises, such that the training you do (now) targets the problems you have (now). Share your thoughts Check out this Find the Flaw collection and then share your thoughts with The Human Connection community: For developers: Does adding security rationale to your comments feel like an ‘easy enough' lift? For security champions: Are you already using this technique or something similar? How have you convinced other developers to adopt this style of commenting?When the Lights Went Out at Heathrow: A Crisis That Was Never Meant to Be “Won”
In the early hours of March 21, 2025, a fire broke out at the North Hyde electrical substation in West London, just a few miles from Heathrow Airport. Within hours, a local infrastructure incident had triggered widespread disruption across the global aviation ecosystem. Flights were grounded, operations were halted, passengers were stranded, and local residents were left without power. Suddenly, one of the most connected airports in the world found itself completely disconnected. This wasn’t just a power failure, it was a systems failure. The fire itself was severe yet containable, but what unfolded afterward exposed far deeper vulnerabilities. It has since been claimed that Heathrow had “enough power” from other substations, which now raises difficult but fair questions: If there was enough power, why shut the airport down completely? If there wasn’t, why wasn’t the site resilient enough to handle a failure like this? And most importantly, how did one single point of failure have this much impact on such a critical national and international asset? These are the questions that will dominate the post-crisis scrutiny, but while many rush to applaud or condemn, I think the truth lies somewhere more uncomfortable. Crisis leadership isn’t about perfect outcomes Crisis response is never clean. It’s messy, fast-moving and incomplete. You make decisions with partial data, under pressure, in real time. And in the majority of cases, you choose between bad and worse – which is exactly what Heathrow’s leadership team faced: Compromised infrastructure Uncertainty about the integrity of power and systems Thousands of passengers on site and mid-flight en route to the airport Global operations and supply chain at risk The common response is, “we need to tackle all of these problems” – and rightly so – but what people often forget is that in a crisis, you don’t have the resources, time, or information to tackle everything at once. Heathrow's leadership chose safety and containment, and in just under 24 hours, they were back online again. That’s impressive. That’s recovery under pressure, and that’s business continuity in action. But it doesn’t mean everything was done right, and it certainly doesn’t mean we shouldn’t ask hard questions. “Enough power” means nothing without operational continuity Having backup power doesn’t mean having functional operations. Power alone doesn’t run an airport – systems, processes, and people do. If the backup didn’t maintain critical systems like baggage handling, communications, lighting, or security, then the airport was right to shut down. However, the next question is, why didn’t those systems have their own layers of protection, and where was the true resilience? This leads us to the real issue: this wasn’t just about Heathrow, it was about the entire ecosystem. Resilience isn’t just a plan – it’s a whole system of dependencies The recent disruption is a real reminder that resilience doesn’t just live inside an organization. It lives across every partner, vendor, and hidden dependency. In critical services like aviation, the biggest vulnerabilities are often outside the walls of your own operation. There’s a web of partners involved in keeping an airport running: Power providers Facilities management IT and communications vendors Outsourced security Maintenance crews Air traffic systems Second and third-tier subcontractors Many of these providers sit outside the organization’s direct control, yet their failures become your crisis in an instant. True resilience requires more than internal readiness, it demands visibility across the whole supply and vendor chain, coordination protocols with external stakeholders, and clear ownership of critical functions. When something breaks in the background, you won’t have time to figure out who’s responsible; you’ll only care about who can fix it. So identifying and (most importantly) testing and exercising your supply chain is paramount. This wasn’t a “winnable” crisis – and that’s the point I’ll discuss this concept further in my upcoming webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty, but the Heathrow disruption is a perfect case study. This was never going to be a clean “win.” No plan could have delivered a flawless response, and no leader could have avoided disruption entirely. Instead, this crisis asked a different question: When everything seems to be falling apart, can you contain the damage, protect your people, and recover quickly? That’s the real test. It’s what separates the theoretical resilience plans from the operational reality. Heathrow passed parts of that test, but the system around it has questions to answer, and every other organization watching should be asking the same thing: “How many hidden dependencies are we one substation, one outage, one contractor failure away from exposing?” The next crisis may not give you a warning, and it certainly won’t give you time to figure out who’s holding it all together. Crisis leadership isn’t about perfection; it’s about being ready for the moment when no perfect option exists. The question now is, what did it reveal that we can’t afford to ignore? Ready to prepare for true crisis readiness? Join me for the upcoming community webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty on April 11. We’ll explore what true crisis readiness looks like and how you prepare your team to lead when there is no “win” – only choices.Cyber Drills and Outcome-Based Programs: A Hands-On Approach to Cyber Resilience
What are cyber drills and outcome-based programs? Cyber drills vs. outcome-based programs Cyber drills Prove Outcome-based programs Improve Simulate a realistic cyberattack to test response capabilities Ongoing, structured programs to build and improve security operations Benchmark security preparedness at a given point in time Measure progress over time with defined success metrics Team-based exercises that focus on immediate response Tailored multi-year programs that address specific security gaps One-off or periodic events Continuous learning and improvement The key difference is that cyber drills test and prove preparedness and expose improvement areas; outcome-based programs address the improvement areas and enhance an organization’s ability to detect, respond, and recover from cyber threats. Combined, these approaches provide sustainable, robust cyber resilience. Designing an effective outcome-based program To implement an outcome-based program successfully, organizations must consider the following factors: 1. Understanding business objectives and risk tolerance Before designing a program, it’s crucial to understand: Business goals – what is the organization trying to achieve? Risk appetite – how much risk is the company willing to take? Regulatory requirements – what compliance standards must be met? 2. Defining measurable outcomes Success should be based on quantifiable improvements, such as: Reduced incident response time Fewer security breaches Improved threat detection capabilities More substantial alignment with regulatory requirements 3. Tailoring the program to the organization Organizations are unique, and outcome-based programs must be customized to fit: Risk assessment results Threat landscape Technology stack and processes Security team capabilities 4. Implementing and monitoring progress A phased approach ensures better adoption: Pilot phase – test the program with a small team before full deployment Phased rollout – implement step-by-step to ensure success Continuous reporting – regularly track metrics and adjust the program as needed 5. Demonstrating ROI and business value To gain leadership buy-in, organizations must: Showcase case studies of successful implementations Use data-driven insights to highlight improvements Demonstrate long-term value beyond compliance Example: A multi-year cybersecurity resilience program A well-structured outcome-based program can span multiple years, evolving as threats change. Year 1 – Conduct cyber drills, crisis and incident response exercises and assessments, and document response plans. Develop improvement plans and program scope. Year 2 – Technical and executive training, incident handling exercises. Year 3 – Advanced cybersecurity drills, scenario-based threat modeling, multi-team exercising. Process and policy stress testing. Year 4 – Purple teaming, improving collaboration between defense and offense teams. Year 5 – Full-scale red teaming and supply chain cyber drills. This approach ensures that organizations continuously prove and improve rather than just react to incidents. Final thoughts: The future of cybersecurity training Moving from traditional cybersecurity upskilling to cyber drills and outcome-based programs requires: A shift in mindset – focus on long-term resilience, not just one-time testing. Cross-department collaboration – security is not just IT’s responsibility; leadership buy-in is crucial. Expertise in design and delivery – outcome-based programs must be well-structured and measurable. By embracing cyber drills and outcome-based cybersecurity training programs, organizations can stay ahead of threats and build a stronger, lasting security culture. Share your thoughts Is your organization ready to move beyond traditional cyber upskilling? Where do you feel the biggest challenge lies, out of the three points mentioned above? Have you had success in overcoming these challenges? If so, share how with the community. Let’s build a cybersecurity strategy that delivers accurate, measurable results.Understanding CVE-2024-21412: A Zero-Day Exploit Targeting Windows Users
What is CVE-2024-21412? CVE-2024-21412 is a security feature bypass vulnerability in Windows Defender SmartScreen. SmartScreen typically evaluates the safety of downloaded files and displays warnings for unrecognised or suspicious ones. But this vulnerability allows attackers to circumvent warnings and install malware on unsuspecting systems. Which systems are affected? CVE-2024-21412 impacts a broad range of Windows systems, including: Windows 10 (various versions) Windows 11 (various versions) Windows Server 2019 and later versions How can this vulnerability be used against your systems? Attackers exploited CVE-2024-21412 by crafting a Windows Internet shortcut (.url file) that pointed to another .url file on a remote SMB share. This technique tricked the system into automatically executing the file at the final location, bypassing SmartScreen's security warnings. Researchers even created a proof-of-concept exploit, demonstrating how easy the vulnerability is to exploit. Attackers also abused the Microsoft Search Protocol (MSP) to deceive users. They crafted malicious links that appeared to point to local files, but in reality, connected to an attacker-controlled server. This tricked users into opening malicious files without realising they were downloading them from an external source. How to protect your organisation Microsoft addressed CVE-2024-21412 with a patch released in mid-February 2024. Installing this patch is crucial to mitigate the risk associated with this vulnerability. In addition to patching, organisations should implement comprehensive monitoring and detection systems to identify and mitigate threats across all stages of an attack. This includes using intrusion detection systems, firewalls, and security information and event management (SIEM) tools to monitor network traffic and system activity for suspicious behaviour. Organisations should also consider employing advanced real-time behaviour analytics to monitor unusual activity and identify potential threats, even when they bypass traditional security measures. This involves analysing user and system behaviour patterns to detect anomalies that could indicate an attack. Conclusion CVE-2024-21412 highlights the importance of cybersecurity awareness and proactive measures, which can be mitigated with improved organisational cyber resilience and regular patching policies. As always, staying informed about potential vulnerabilities is a crucial step in reducing the risk of your organisation being attacked. Recommended content To learn how to detect this vulnerability in a sandboxed environment, check out the following lab: CVE-2024-21412 (SmartScreen Bypass) – Elastic Log Analysis. In this lab, you'll use ElasticSearch to detect the presence of malicious URL files in logs. Share your thoughts Have you seen this vulnerability being exploited in the wild? Have you patched your systems yet? Share your thoughts by commenting in the thread below.Why Drills Are the Future of Cybersecurity: Insights and Reflections on the Critical Role of Drills
My background After two decades in the world of penetration testing and offensive security, I joined Immersive as the Director of Technical Product Management. This new role represented more than just a career shift – it was an opportunity to leverage my deep-rooted experience of cybersecurity to make a tangible difference in how organisations prepare for the cyber threats of today and tomorrow. Throughout my career, I’ve had the joy of working on the front lines of cybersecurity, testing the defenses of organisations of all sizes, from startups to multinational corporations. I worked my way up from a junior consultant in a boutique company to the global head of attack simulation for one of the largest pure-play security consultancy firms in the world. I’ve seen firsthand how attackers operate, exploiting weaknesses not just in technology but in processes and human behavior. I’ve also seen the other side of the coin – what happens behind the scenes when a company identifies a breach and needs to investigate, contain, and recover from it. This journey has given me a unique perspective on the intricacies of cyber incidents – how they unfold, how they escalate, and how they can be mitigated if handled correctly. Over the years, I’ve come to understand that offensive security isn’t just about finding vulnerabilities; it’s about understanding the broader context of how security failures can impact an entire organisation and, most importantly, how to get back to business as usual. One of the key lessons I’ve learned from my time in offensive security is that real-world cyber incidents are rarely straightforward. They’re messy, unpredictable, and often involve a complex web of factors that go beyond the technical realm. In my experience, cyber incidents don’t happen in isolation; they’re the result of a combination of technical vulnerabilities, process failures, and human errors. Attackers don’t follow a script – they’re constantly adapting, finding creative ways to bypass defenses, exploit blind spots, and leverage misconfigurations or overlooked details. This nuanced understanding of how incidents unfold is often missing from the current training and exercising landscape. Realism vs textbook Many cyber resilience exercises available in the market today lack the depth and realism of a real-world attack, and that’s very difficult to capture, especially if you’ve never been exposed to it. Many exercises are built around predictable scenarios, focusing on textbook responses, and just don't capture those swings from tedium to confusion and then to panic. They’re also often performed in isolation, with the investigating/technical team making decisions and performing actions that wouldn’t be in their remit if it was a real incident. One of my all-time favourite incidents showed these to the extreme. It went from a simple ransomware investigation to identifying seven different threat actors in the environment, all with very different TTPs and MOs. You never pick up the other threat actors at the beginning of their attack, usually because they’ve compromised the same machines as the original actor, and you're left wondering why they’ve suddenly changed tactics. Then you get enough evidence to indicate it’s someone else, so now you have two investigations to perform. I’m not saying that all exercising should be done to that level, but I do feel that there’s a nice middle ground that can be achieved. Simulations can highlight things above and beyond simply probing a SIEM for answers to questions about the attack. Putting that into practice At Immersive, I have the privilege of bringing the lessons learned from years of offensive security into the realm of cyber resilience training. My goal over the last 12 months has been to help create more realistic, dynamic, and comprehensive simulations that mirror the true nature of cyber incidents. This means developing scenarios that go beyond the basics – not just testing the technical teams but also involving executives, legal teams, PR, and other stakeholders who play critical roles during a crisis. By integrating real-world attacker tactics, techniques, and procedures (TTPs) into exercises, we can help organisations build muscle memory for responding to incidents in a way that’s both informed and effective. It’s not just creating realistic simulations, it’s highlighting how the results of an investigation can influence the executive team's decision making and how the decisions made by leadership can either help or hinder an active investigation. This is what led to my involvement in building out Immersive Cyber Drills. But what are drills, I hear you ask? Here’s what our marketing team say: “Immersive Cyber Drill events enable simultaneous drilling of executive and technical leadership teams. These facilitated drills use multiple tools from our platform to evaluate an organisation's capacity to detect, respond to, and recover from cyberattacks through a mix of technical and non-technical drilling.” Ultimately, the goal is to empower organisations to respond confidently to the threats they face. Cyber resilience isn’t just about having the right tools or technologies – it’s about understanding the attacker’s mindset, anticipating their moves, and being prepared to act swiftly and decisively when an incident occurs. Building a foundation for Cyber Drills Instead of creating theoretical scenarios or low-risk simulations, we began building exercises that mirrored the attacks I’d seen work in my previous life. The aim was simple: make the drills feel as close to a real attack as possible while keeping the barrier to entry low enough that they’re still achievable to people just starting out. One of the biggest breakthroughs came when we built a standard environment that mimicked much of the corporate world's infrastructure. We then implemented these real-world attacks over the top of those environments and dropped the users in the middle of the attack. This transformed the experience from a disconnected series of technical challenges into a real narrative. Participants were now uncovering the motives behind attacks, following the trail of TTPs left by the attackers, and trying to predict where they went next. Very rarely do security teams get to investigate in a nice, peaceful manner – there are always questions coming from other areas of the business. Leaders aren't just responsible for understanding the attack, they also need to communicate with stakeholders, manage the internal teams, and make high-pressure decisions. As the Cyber Range Exercises (formerly Team Sims) became more realistic, it was clear that the Crisis Simulations used for the leadership team should follow suit. So we built Crisis Sims around the same attack narrative, putting participants in a situation where leadership had to make decisions that they didn’t know the answers to. If they did want to find out, they would need to ask the teams performing the investigation. This forced both teams to think strategically, communicate effectively, and most importantly, anticipate the other team's perspective and restrictions. We also introduced real-world elements like media scrutiny, conflicting priorities, and escalating pressures to mimic the experience of an actual cyber breach. The results were immediate. The teams were forced to think on their feet and develop genuine muscle memory in ways that couldn’t have been achieved through traditional tabletop exercises. And most importantly – they needed to talk to each other. This fusion of leadership training, technical training, and realism has resulted in teams leaving the drill with a stronger understanding of how to work cohesively as a team and how well they communicate across departments. It also provides a better understanding of the types of nuance that can crop up during a cyber breach. Share your thoughts For the analysts reading this article, what’s the hardest part of performing an investigation in your current organisation? For the executives, what’s one thing you wished all analysts knew about your role? And to everyone, during an investigation, what was your biggest panic moment that could have been easily avoided? Join me in this discussion by sharing your thoughts in the comments.
