expert advice
The secret to hosting an engaging Crisis Sim
Before I start, it’s important to take a moment to acknowledge that I’m privileged to work with some fantastic experts. Immersive’s Crisis Sim lead, JonPaulGabriele, is our very own Daedalus, for any Greek mythology fans. That might make me Ariadne, helping people to navigate the labyrinth. I don’t know who the minotaur is – Greek analogies may not be my forte!

JonPaulGabriele builds some fiendishly difficult scenarios that start out with a seemingly everyday occurrence, which quickly spirals out of control. It could involve coordinating a global response to an unprecedented disaster, dealing with a nation-state threat actor who’s holding your data to ransom, or even tracking down the missing Santa Claus. Whatever the situation, the principle behind every Crisis Sim is the same: to help people develop decision-making muscle memory and the ability to act with confidence when rapid decisions are required.

I’m sure you’re already familiar with the importance of regular exercises, but it’s not you we need to convince – it’s your chosen audience. We need to capture their attention and get them to put their phones down. If they’re not present in the room and genuinely engaged with the exercise and its outputs and findings, you’re doomed to fail. So, how do we go about achieving this?

Use storytelling

I’m a big believer in the power of both storytelling and humour to pique people’s interest. Storytelling is an incredibly powerful technique to connect, persuade, and inspire people to act by tapping into shared experiences and emotions. In the words of Simon Sinek: “Stories allow us to visualize, empathize, and connect in ways that statistics never could.” I use stories when I’m setting the scene or outlining the details of the exercise we’re about to go through. Hopefully I’ll get an initial laugh, or an eye roll – those are just as good, quite frankly!
Challenge echo chambers

Making sure all voices and opinions are treated equally is critical to support learning and drive genuine change. Echo chambers don’t make for robust environments to test processes and decision-making abilities. It’s important to involve everyone as much as possible and avoid immediately ruling anything out – explore the ideas that people bring to the table in an open way.

Creating a safe environment

Being able to fail in a safe environment is essential to help people feel they can speak up. I like to reference this somehow in my introduction to the exercise, just to let people know the kind of environment they’re entering, but you have to actually follow through. It can be small things, like observing who the big voices in the room are and making sure they don’t dominate. These voices are your friends when you need someone to speak up, but don’t let them take over. For quieter people, I try to notice when it looks like they have something to share and make some space in the room for them. It could be as simple as saying to someone: “It looked like you wanted to say something earlier. Would you like to share it with us now?” A slightly more challenging approach might be: “Does anyone disagree with the previous statement?” Or you could soften this to: “Does anyone have a different view?” You’ll need to gauge your audience and determine which approach is right for the room. Of course, this is harder to do online, but cut yourself some slack, too. You also need to be able to fail in a safe environment! Giving people space to speak up should make them feel more comfortable doing so – it’s a win-win.

Set expectations

The next thing I like to do in my introduction is some housekeeping. I’m an ex-project manager, and old habits die hard. Set expectations and provide clarity on what’s about to happen by outlining any specific rules, items, or actions that you want people to be aware of.
If you’re doing something unusual or unexpected during the exercise, like with our recent Flip Reversal session, you’ll want to avoid any confusion, as this can lead to frustration and reduced engagement.

Be kind to yourself

Finally, remember that even people who regularly go on stage in front of large audiences are slaves to their body’s own systems and reactions. I always get nervous before doing anything like this, but since I know it’s going to happen, I can prepare for it. I write a script that I can practice out loud multiple times beforehand. It means I can read from it on the day and not rely on memory to make sure I’ve said everything I want to cover. I know that it’s okay to feel nervous or anxious. It’s okay for my breathing to increase slightly or my hands to shake, or any of the other common reactions to being nervous. I don’t try to fight it – I know that as long as I’m prepared and can follow the steps I’ve mentioned above, the session will be a success.

Bonus ideas

- Know who the experts in the room are. If it’s not you, don’t try to fill that role – it’ll be terrible for your credibility and confidence!
- Leverage the new AI Scenario Builder to uplift your exercise’s content.
- Get a colleague or friend to join you and present as a double act. You can bounce off each other and share the presenting load.

Share your thoughts

What are your tips for keeping people present and engaged during sessions like this? How do you overcome the nerves of presenting? Drop a comment below and let us know.

Behind the Scenes of Immersive One: How Lab Builder is a Game-Changer for Cyber Readiness
“The best customer feedback we got was, we don’t need you to do everything for us.”

Rebecca: Wait, seriously?

Matt: Never more so. We built Lab Builder, a powerful Immersive One platform feature, for a reason: Organizations need a way to create, maintain, and publish their own labs—fast. Historically, our cyber team built every lab in Lab Forge. That worked for us, but it locked out partners and customers who wanted to address their unique needs—tools, environments, policies, and threats. They asked, “Can we do more by ourselves?” Lab Builder answers that.

Rebecca: Absolutely. Since its debut last fall, Lab Builder has evolved so much. What are the biggest benefits for users today?

Matt: There are two big ones. The first is the ability to curate content relevant to your organization, its threats, and its technologies—quickly. Second, realism. Teams can safely train with real-world code, internal apps, or even live malware—all in a secure, disposable environment. It’s as close to production as it gets, giving them an authentic experience with the exact tools and systems they use every day. The result? Faster upskilling, stronger readiness, and measurable gains in resilience.

“With Lab Builder, your organization can turn any piece of code or policy into hands-on training—instantly.”

Rebecca: That almost sounds too easy—until you see the demo in action for yourself!

Matt: Yes! The team is super proud of how streamlined it is. The core workflow is just five steps. Create a new lab. Then configure it, adding basics like the lab title, intro, learning outcomes, and gamification aspects like points users will get for completing the lab. From there, the focus is on building the briefing and tasks—drag-and-drop questions, code-review challenges, “find the flaw”, there’s lots to choose from. Then you’re ready to publish. Just assign your SME as Lab Creator, and they’re live on the same Immersive One platform they use every day.
Rebecca: To me, the genius of that kind of design is in its accessibility. You’ve also invested heavily in the learner experience.

Matt: Definitely. Engagement is a top priority, so we’re always building for the learners who need to know cyber—not only to support their organization’s cyber resilience strategy, but to grow professionally. We aim to remove every barrier to learning we can.

Rebecca: I know you’re not one to boast, but how has the team modernized the UI?

Matt: We’ve done a lot of work here, starting with completely rebuilding the theory labs interface, giving it a clean, responsive design that works seamlessly across desktop, tablet, or phone. We’ve been building toward that for our practical labs experience too. There are now intuitive panels, seamless task navigation, and instant feedback to guide learners every step of the way. We also turned Lab Builder into a true WYSIWYG (“what you see is what you get”) editor so Lab Creators see exactly what their teams will experience. We also baked in full WCAG compliance, with keyboard navigation and screen-reader support on every screen. Ultimately, we hope to bring every Immersive-built and custom lab into a single, unified front end in Immersive One—so no matter where you are, one clear interface delivers the same training experience.

Rebecca: It’s this kind of due diligence that really makes a difference! Let’s talk about VMs. How do they fit in?

Matt: Theory can only take you so far, so we released practical labs in the spring. Organizations spin up their own virtual machines in AWS (Amazon Web Services), share the AMI with our account, and import it straight into Lab Builder. Why does that matter? Because learners train in their exact production environments—internal tools, real vulnerable code, compliance setups. We support typical instance sizes—enough CPUs and RAM for most use cases. While we may roll out more environments in the future, AWS supports 99% of our existing customer base.
That means the process feels native for Immersive One users; they can truly learn by doing.

“Build your VM. Import it. Assign it. All without leaving Immersive One.”

Rebecca: Initially, only Org Admins could build custom labs. How did you expand access so that more team members could create labs, without being given full admin rights?

Matt: We introduced the Lab Creator role this summer. Now you pick who builds labs—no full admin rights required.

Rebecca: So smart. Now, in-house experts can build content without getting the keys to the kingdom.

Matt: 100%. The team is laser-focused on leveling up Immersive One with every Lab Builder release because it’s so instrumental to the customer experience. In June, we added video support right in the briefing panels because some individuals learn best through short, engaging clips. We also rolled out a Machine Library stocked with pre-configured VMs—basically templates, from Kali Linux to reverse-engineering rigs—so you can drop assets in and start training immediately with zero VM building. You just need t And internal publishing functionality lets Lab Creators bundle custom labs into collections and share them across Organizations—think a self-service marketplace for specialized, high-value content.

Rebecca: Honestly, Matt, what you’ve done with Lab Builder functionality is incredible. And I know you’re not done yet.

Matt: Yeah, right—not at all. The team is already heads-down on an AI agent, but I won’t spoil it!

Rebecca: Love that! Well, thanks again for meeting with me today, Matt. Maybe next time we can discuss ways customers or partners are already using Lab Builder to meet their unique needs—you know, deep-dive into specific use cases.

Matt: Oh, absolutely—happy to share what customers are using Lab Builder for. Maybe we even host a webinar for that one? Would be fun to entertain some Q&A.

Rebecca: Nice, let’s plan on it!
Final Thought

Lab Builder not only powers a customer-first UI and UX, it can help you transform every new threat, policy change, or internal tool into an interactive lab—on your timeline, with your exact requirements. Want to explore the possibilities? Contact your Account Manager for a personalized introduction to this powerful feature. In the meantime, preview how easy it is to customize learning by watching this quick demo: Meet Lab Builder

Your Guide to Effective AI Prompting
Why Prompting Matters for Crisis Simulations

Think of AI as a highly intelligent, but literal, assistant. The quality of its output directly reflects the clarity and specificity of your instructions. For crisis simulations, this means:

- Relevance: Tailored scenarios that mirror your organization's unique risks, industry, and operational environment.
- Realism: Scenarios that feel authentic, with credible triggers, evolving complications, and realistic stakeholder reactions.
- Depth: Multi-layered scenarios that challenge your team's decision-making, communication, and collaboration skills.
- Actionability: Scenarios that provide clear learning objectives and reveal actionable insights for improving your crisis response plan.

Core Principles of Effective Prompting

Be Specific, Not Vague

Bad prompt: "Generate a crisis." (Too generic; it will give you a basic, unhelpful scenario.)

Good prompt: "Generate a cybersecurity crisis scenario for a mid-sized e-commerce fashion retailer. The trigger is a ransomware attack that encrypts customer databases and disrupts order fulfillment."

Why it works: It defines the what (cybersecurity crisis, ransomware), the who (mid-sized e-commerce fashion retailer), and the impact (encrypted databases, disrupted orders).

Define your organisation and context using our drop-down fields, and then add additional context:
- Industry (e.g., healthcare, finance, manufacturing, tech, retail)
- Threat (e.g., data breach, natural disaster, product recall, public relations nightmare, supply chain disruption, insider threat, workplace violence, financial fraud)
- Attack vector (e.g., phishing attack, severe weather event, manufacturing defect, viral social media post, disgruntled employee action, sudden market downturn)

The more information the AI has about your specific context, the more tailored the scenario will be, so consider adding further information such as:

- Company size (e.g., small startup, multinational corporation)
- Key products/services (e.g., cloud-based software, physical goods, financial advisory)
- Target audience (e.g., B2B clients, general consumers, specific demographics)
- Geographic scope (e.g., local, national, global operations)
- Relevant regulations/compliance (e.g., GDPR, HIPAA, industry-specific standards)
- Current trends/challenges (e.g., supply chain issues, inflation, new technologies)

Example: "Our company, 'Global Pharma Solutions,' is a multinational pharmaceutical company with a focus on novel drug development. We operate globally and are heavily regulated by the FDA and EMA. Generate a scenario reflecting a crisis involving a mislabeled drug batch, discovered shortly after market release in Europe and the US."

Outline Key Stakeholders and Their Potential Reactions

Realistic scenarios involve diverse stakeholders with varying interests and reactions.

- Internal: Employees, leadership, legal, HR, IT, communications, specific department teams.
- External: Customers, media, regulators, investors, suppliers, partners, general public, affected individuals.
- Desired reaction: How should these stakeholders react? (e.g., panic, confusion, outrage, demanding answers, seeking legal action, offering support)

Example: "Include reactions from panicked customers flooding social media, calls from concerned regulators, and an internal IT team struggling to diagnose the issue. Also, factor in a potential negative news story breaking on a major industry publication."

Inject Complications and Escalation

Crises rarely remain static. Build in elements that make the scenario evolve and become more challenging.

- Secondary events (e.g., power outage during a cyberattack, additional product defects discovered, key personnel unavailable)
- Information gaps/misinformation (e.g., conflicting reports, rumors spreading on social media, difficulty in verifying facts)
- Ethical dilemmas (e.g., balancing transparency with legal implications, prioritizing different stakeholder needs)
- Time constraints (e.g., a critical decision needed within 30 minutes, public statement required by end of day)

Example: "After the initial system outage, introduce a new complication: a cyber-espionage group claims responsibility on a dark web forum, threatening to release sensitive customer data if demands are not met, despite the initial incident being unrelated to a breach."

Define the Learning Objectives (Optional, but Recommended)

While the AI won't "know" your objectives, including them in your prompt can subtly guide its generation towards a scenario that helps you test specific aspects of your plan.

Example: "The scenario should test our team's ability to communicate effectively under pressure," or "Focus on evaluating our supply chain resilience and alternative vendor protocols."

By following these guidelines, you'll be well on your way to leveraging our AI crisis simulation feature to its fullest, preparing your team for any challenge the real world might throw at them. Happy simulating!

People, Not Just Firewalls: Why OT Cybersecurity Starts with Training
The wake-up call no one wanted

Just after midnight on September 22, 2024, a suspected ransomware attack forced operators at the Arkansas City, Kansas, water-treatment plant to switch to manual controls, anxiously safeguarding drinking water for the town’s residents.

Downtime hurts more than you think

According to the ITIC 2024 Hourly Cost of Downtime Survey, over 90% of mid-size and large organisations now put the price of a single hour of outage above $300,000, with 41% saying the bill tops $1 million. For OT industries, such as energy, costs can go up to $2.48 million per hour. When a cyber incident can drain six figures before a morning coffee break, prevention clearly beats recovery.

Why training, not just tech, keeps the plant running

- Early threat spotting – Staff who know what an abnormal human-machine interface (HMI) screen looks like can isolate a rogue process long before malware reaches the production line.
- Fewer human-error openings – Phishing remains OT’s favourite attacker on-ramp; rehearsed teams click fewer bad links.
- Regulatory head-start – Standards such as IEC 62443 demand demonstrable cyber competence; fines for non-compliance often dwarf the cost of training.

Three quick wins

| Quick win | What it looks like | The win |
|---|---|---|
| Role-based micro-modules | Deliver bite-sized, job-specific training, e.g. Modbus for SOC analysts, cyber awareness for OT engineers. | Builds practical, role-relevant cyber instincts. |
| Table-top drills | Simulate a cyber incident alert and map “who calls whom, who shuts what”. | Prepares teams for real-world response. |
| Visible leadership | Get managers in the room with frontline staff during training. | Makes security a shared responsibility. |

Bottom line

Tools catch packets; people catch trouble. Invest in your workforce’s OT-security skills today, and the next midnight alarm could become just another drill instead of headline news.
Learn more at my Labs Live OT Special

Sign up for my Labs Live OT Special on July 15 as I tackle a brand new OT lab collaboratively, with you, on a webinar. Register your attendance here!

Share your thoughts

Thoughts or questions? Drop them in the comments. Let’s keep the conversation (and the plant) running.

Operational Technology: What It Is, Why It Matters, and Why Cybersecurity Can’t Wait
What is OT?

Operational technology refers to the hardware and software systems that monitor and control physical devices, processes, and infrastructure. This includes everything from the systems that manage electricity generation and water treatment to manufacturing lines, railway signals, and building automation. Think programmable logic controllers (PLCs), SCADA systems, and human-machine interfaces (HMIs). Unlike IT, which focuses on data, OT is about controlling the physical world: keeping lights on, water flowing, trains running, and factories producing.

Why is OT important?

OT is the backbone of our critical infrastructure. A malfunction or compromise in these systems doesn’t just result in data loss; it can cause physical damage, safety incidents, environmental harm, or massive economic disruption. In other words, OT is where digital risk becomes real-world impact.

Why is OT cybersecurity becoming critical?

Historically, OT networks were isolated; the so-called “air gap” kept them separate from the internet and IT systems. But that gap has been shrinking fast:

- IT/OT convergence means OT systems are increasingly connected to enterprise networks for efficiency, monitoring, and remote access.
- Legacy systems not designed with cybersecurity in mind are being exposed to new threats.
- Ransomware and other attacks are now hitting OT environments, either indirectly as collateral damage from IT infections or directly as intentional targets – as seen in the Colonial Pipeline incident.

The result? OT systems are now in the crosshairs of threat actors, but they often lack the same level of visibility, patching, and protection that IT environments enjoy.

Share your thoughts

Have you encountered OT in your role? What challenges have you faced? Drop a comment and let’s build some shared knowledge.

Ready to double down on OT? Sign up for my Labs Live OT Special on July 15 as I tackle a brand new OT lab collaboratively, with you, on a webinar.
Register your attendance here!
The Human Edge Beyond Pentesting – Building True Cyber Resilience

Pentest vs. Red Team: Understanding the Core Difference

Many cybersecurity vendors are rebadging pentesting as attack simulations or red teaming, often at a higher cost. However, there's a clear difference:

- Pentesting (penetration testing): The overarching goal of penetration testing is to find vulnerabilities within an environment in order to create a remediation plan. Reporting focuses on documenting as many vulnerabilities as possible in the allotted timeframe.
- Red teaming (attack simulation): In contrast, red teaming is used to validate the efficacy of the defensive (blue) team. It is not looking for vulnerabilities per se; it is about achieving the objectives while trying to avoid detection. Reporting focuses on finding defensive gaps and assessing the blue team's response capabilities. The ultimate goal is to simulate real-world adversaries and determine if the defensive team has the telemetry to detect them.

The key takeaway is that if the engagement isn't assessing your detection capabilities, it is not a red team.

When Does Red Teaming Truly Add Value?

While valuable, red teaming isn't always the most cost-effective solution; it is usually only effective in these three scenarios:

- When you have a regulatory requirement: Industries with specific regulations, such as BEST, TIBER, FEER, CORIE, and AASE, often mandate regulatory red teams, which have standardized approaches and qualifications.
- When you have a very mature organization: When your organization has addressed all other possible security issues and has limited justification for further spending, a red team can provide a level of assurance that few other testing strategies can match. However, if you have known, unaddressed issues, red teaming rapidly loses value, as the simulated attackers will typically take the easiest route to compromise and report on issues you are already aware of.
- When you need a "burning platform": Sometimes, demonstrating the potential severity of a worst-case scenario is necessary to secure critical budget increases. Red teaming can effectively highlight how badly wrong things could go, aiding CISOs in getting the needed resources.

However, it's important to note that more cost-effective methods often offer a better return on investment than red teaming outside these specific use cases. Purple teaming offers a more holistic approach to measuring your blue team's capability while also having a much higher knowledge transfer rate. Attack path mapping is far more comprehensive in discovering what attackers can do and what vulnerabilities or misconfigurations can be chained together to achieve compromise.

The Pitfalls of Misaligned Red Teaming

Several factors can hinder the benefits of red teaming outside the identified use cases:

- Resource intensive: Red teaming is both costly and time-consuming.
- Potentially divisive: It can sometimes lead to conflict between teams or erode trust within an organization.
- Weak follow-up: Lessons learned from red team exercises are often not translated into actionable steps or, worse, completely ignored.
- Limited scope: It may fail to explore cascading impacts and real-world disruptions.
- Insufficient business focus: Without an understanding of broader business consequences, the exercise's value can be limited.
- Increased risk: Poorly executed red teaming can introduce wasted effort or unnecessary investigations.
- Often undetected: A significant number of red team operations do not trigger alerts or go unnoticed by defensive teams.

This last point highlights the importance of understanding why an attack wasn't detected, by asking:

- Was an alert generated?
- Was it marked as a false positive?
- Was a process followed?
- Was the process correct?
Enhancing Cyber Resilience: A Holistic Approach

Cyber resilience is not just about products or individual tools; it's about the application of skilled and motivated people, understanding and utilizing technology, and implementing reliable and repeatable processes and detections. The focus should be on building a robust, layered defense that understands, anticipates, and mitigates all phases of the attack chain, recognizing that the perimeter is no longer the sole objective for attackers.

To truly improve cyber resilience, organizations need to focus on three key areas:

- Security posture: Continuously assess and strengthen your foundational security.
- Detection capability: Improve your ability to identify and triage malicious activity.
- Response capability: Enhance your team's efficiency and effectiveness in reacting to and recovering from incidents.

This involves exposing defenders to real-world Tactics, Techniques, and Procedures (TTPs) relevant to their environment. Furthermore, understanding the capabilities and blind spots of both your security team and defensive tooling is crucial for applying and testing effective mitigations and proving resiliency.

Practical Approaches to Building Resilience

To achieve true benefit from simulations, organizations must prepare individuals and teams before and after the simulation. This involves a cycle of "Prepare & Protect" and "Detect & Respond". Effective training and exercises are vital for different audiences:

- Individual preparation: Hands-on labs can provide technical training for various roles, including defensive cybersecurity professionals, penetration testers, developers, application security experts, and cloud & infrastructure security personnel.
- Technical team exercises (Team Sim): These focus on the technical aspects of cyber attack and response using pre-configured cyber range scenarios. Participants investigate or perform simulated attacks using real cybersecurity tools and techniques in a safe environment/sandbox.
- Executive & business exercises (Crisis Sim): Moving beyond traditional tabletop exercises, Crisis Sim puts teams into dynamic crisis simulations with real crises, dynamic storylines, and contextual media. This helps measure and benchmark responses to inform crisis strategies and build muscle memory through regular exercising.

By understanding the distinct roles of pentesting and red teaming, strategically applying attack simulations, and investing in comprehensive training across all levels of the organization, businesses can genuinely enhance their cyber resilience and gain the human edge over cyber attacks.

From XSS and SQLi to AI-generated code and supply-chain compromise: How application security is evolving
Keeping up with vulnerabilities is like playing a never-ending game of whack-a-mole. One day, we were knee-deep in XSS payloads and buffer overflows; the next, developers everywhere were plugging SQL injection holes with duct tape and regex. A lot of our earlier tech wasn’t built with security in mind – or at least not at the forefront of our minds. But over the past two decades, the culture has changed, and developers are shifting left. Programming languages, as well as the frameworks and ecosystems around them, are evolving and adapting to counter security threats.

XSS: From everyday headache to “mostly handled”

Remember when cross-site scripting (XSS) was every web developer’s nightmare? In the 2000s, it seemed like every other website was vulnerable. If you were lucky, your users’ only punishment was an annoying pop-up. If not, credentials and session cookies were up for grabs.

Modern languages and frameworks took proactive steps in their designs. Today, many of them have built-in protections against common vulnerabilities like XSS. Some examples are:

- React, Angular, Vue: Automatically escape output by default. You have to go out of your way to render raw HTML (and they make you feel guilty about it).
- Django, Ruby on Rails, ASP.NET Core: Templates escape user input by default.
- Browsers: Even they pitch in, with features like Content Security Policy (CSP).

It’s still possible to write a vulnerable application, but the bar is higher. As a result, attackers have a bigger hurdle to jump over. This is thanks to the evolution of how languages and frameworks approach security – not as a feature, but as the default.

SQL injection: OR 1=1 is mostly history

SQL injection once powered major data breaches. Now, parameterized queries have become the norm, and we’re on our way to leaving those days behind.

- Object-Relational Mappers (ORMs) like SQLAlchemy, Entity Framework, and Hibernate generate safe SQL.
- Most modern languages make string concatenation in queries unnecessary (and uncool).
- Even PHP, once infamous for its “raw SQL everywhere” approach, now encourages prepared statements and offers safe database APIs.

Not a perfect world, but much improved. It’s crucial to keep in mind, however, that technology shouldn’t be relied upon uncritically to keep applications secure. Developers must do their due diligence.

Memory mischief: The rise of Rust (and memory-managed languages)

C and C++ are legendary for performance. And legendary for buffer overflows, use-after-free, and all manner of memory mischief. Enter memory-safe languages:

- Java, C#, Python: Garbage collection and managed memory eliminate entire classes of bugs.
- Rust: Takes it up a notch with ownership semantics, preventing data races and dangling pointers at compile time.

A lot of system-level work has migrated to these “safer” languages, and the impact is apparent in everything from embedded devices to operating systems (hello, Rust in the Linux kernel).

The new frontiers: AI and supply chain attacks

Just as one threat starts to become old news, new threats emerge. Two of these are:

Supply chain compromise

The SolarWinds breach and NPM “event-stream” incident have put supply chain attacks in the spotlight over the last decade. They highlight that you can write perfect code and still get breached because a dependency many levels deep was compromised. Some of the changes we’re seeing as a result:

- Package registries are adopting MFA and signing requirements.
- Software Bill of Materials (SBOM) is becoming a must-have, especially in regulated industries.

But the battle is ongoing. If anything, our code is more interconnected than ever, and the rise of “vibe coding” is complicating matters further.

AI-generated code

AI tools like GitHub Copilot and ChatGPT are generating millions of code snippets. This is a double-edged sword. You get increased productivity, but the code is often vulnerable.
This is partly a reflection of the insecurities in the code that the models were trained on. I asked ChatGPT 4.5 to identify the vulnerability in the following code and it couldn't. Can you? Leave a reply with your thoughts! @limits(calls=6, period=60) @app.route("/change-password", methods=["POST"]) def change_password(): user = session.get("user") if not user: return jsonify({"message": "Unauthorised"}), 401 data = request.get_json() password = data.get("new_password") if not password: return jsonify({"message": "Password is required"}), 400 if not db.change_password(user, password): return jsonify({"message": "Failed to change password"}), 500 return jsonify({"message": "Password changed successfully"}), 200 @limits(calls=6, period=60) @app.route("/login", methods=["GET", "POST"]) def login(): data = request.get_json() user = data.get("user") password = data.get("password") if not user or not password: return jsonify({"message": "Username and password are required"}), 400 if not db.authenticate(user, password): return jsonify({"message": "Invalid username or password"}), 401 session["user"] = user return jsonify({"message": "Logged in successfully"}), 200 The changes I expect to see going forward are: Guidelines and governance for AI-generated code: Programming languages or coding standards may soon explicitly include guidelines, validation rules, or security frameworks tailored to AI-assisted coding, ensuring generated code adheres to secure patterns. Work is already being done to create rules files for improved security. Integrated security checks at the IDE level: IDEs may embed deeper vulnerability scanning and real-time feedback directly within coding processes. Development environments or compilers may also come integrated with validation tools specifically attuned to potential weaknesses inherent in AI-generated code. 
- Increased reliance on static/dynamic security analysis tools: Enhanced automated scanning integrated into CI/CD pipelines, detecting flaws pre-deployment.
- Keeping people in the loop: Security awareness should be a top priority, so everyone is ready for the worst-case scenario.
- Proving and improving skills: Developers’ training should increasingly emphasize secure coding, particularly when assisted by AI tools.

At the current stage, thorough PR reviews are more crucial than ever. As with any code, always review and test AI-generated code, especially for security-sensitive logic. AI is a tool, not an auditor.

Security: Not a feature, but a default

Application security has come a long way from the Wild West days of the early internet. The biggest shift in the software development landscape is that security is no longer a bolt-on. Modern programming languages and ecosystems try to make the secure path the easy path. Defaults are safe (escaped output, parameterized queries), dangerous operations are noisy (compiler warnings, explicit function names), and security updates are automated (thanks to package managers and CI/CD integrations).

Of course, attackers are creative, and the landscape is always shifting. But the evolution of programming languages, as well as the surrounding tools and communities, means developers have a fighting chance. While we face newer threats like AI-generated code vulnerabilities and supply chain compromise, the foundations are getting stronger. The key is to keep learning, stay skeptical, and use the tools at your disposal properly.

The biggest shift I would like to see is the human element no longer being viewed as the “weakest link”. The moles never stop popping up, but now, at least, we have better mallets – and the resources to help us use them.

From Abstract to Action: Immersive One's Compliance Solution
We're in an age of rapid digitization. Different industries are embracing technologies like artificial intelligence (AI) and cloud solutions, driven by the ambition to shift from analog to digital. This transformation demands robust cyber resilience, but the sheer complexity of compliance with regulations and frameworks is a major challenge for organizations. It can be hard for staff to understand something that feels abstract or disconnected from their roles, and organizations often struggle to bring it to life. Proving adherence to standards is one thing; ensuring every team member understands their role in safeguarding digital health is another. Here’s how we’re creating services to help.

Cutting through the complexity

One of the toughest hurdles in today's digital landscape is evidencing compliance with regulations and frameworks. As a reminder, here’s the difference between the two:

- A regulation is a legally binding rule or order, often enforced by a government authority.
- A framework is a structured set of guidelines, principles, or best practices designed to help an organization achieve a specific goal or comply with regulations.

It can be difficult to demonstrate the value of compliance and help your team understand the importance of aligning with a structured framework to meet regulatory demands. That’s where Immersive One, powered by our Cyber Resilience Advisory Services, can cut through the complexity. We transform abstract compliance into tangible, impactful experiences that resonate throughout organizations. It’s not just about ticking boxes – we support a deep alignment with your digital strategy, focusing on both regulations and structured frameworks. This ensures your organization not only meets compliance requirements but can quantifiably prove and improve its risk reduction efforts, giving your board clarity and confidence.
Bringing the CAF framework to life

In my role as Cyber Resilience advisor at Immersive, I’ve operationalised Cyber Assessment Framework (CAF) objectives A-D with a public healthcare customer by leveraging our Crisis Simulation product. Here’s how a framework like CAF truly comes alive:

Our customer ran weekly live engagement sessions, resulting in an impressive 1,200 users actively interacting with the program. Following these sessions, participants gained access to a curated collection of labs, each focused on specific CAF principles and tailored to their individual roles. The customer can now prove and improve their alignment with this important resilience framework.

When it comes to customer requirements, we deliver content at pace. Recognizing the immediate need to prepare for the NIS2 Directive's implementation, we identified a critical requirement: to exercise the mandated reporting uplifts proactively. In addition to understanding the new rules, organizations need to build familiarity and competence before a real-life crisis. This led to the development of one of our first Crisis Simulations specifically designed around NIS2. The simulation delivers exceptional value by immersing teams in the entire NIS2 reporting lifecycle. It ensures that compliance isn't just understood but instinctive, making your organization truly resilient to NIS2’s demands.

Try it out

The NIS2 Directive is rapidly becoming a regulatory priority across the EU and is relevant for any organization operating in or with Europe. Are you ready for it? If you’re a customer, the NIS2 Crisis Sim is available to try on Immersive One now: ShareYourDocs Breach – NIS2 Reporting.

Feature Focus: Crisis Sim Presentation Mode Uplifts
Here at Immersive, we're constantly striving to push the boundaries of cyber education and make our simulations as realistic and impactful as possible. We believe that truly effective learning happens when you're immersed in a genuinely challenging and engaging scenario. That's why we're incredibly excited to announce a significant uplift to the UI and UX of our Crisis Sim Presentation Mode. These aren't just cosmetic tweaks; they’re impactful changes, requested by you, designed to elevate the realism and engagement of your crisis simulation exercises, making the experience more dynamic and true-to-life for you and your team.

A modern makeover for a seamless experience

First impressions matter, and we’ve given the Presentation Mode UI a thorough modernization. This refresh delivers a cleaner, more intuitive aesthetic that’s not just pleasing to the eye, but also enhances clarity and reduces cognitive load during high-stakes scenarios. Our goal was to create an environment that feels contemporary and professional, reflecting the gravity of the simulated situations.

Crucial UX enhancements for heightened realism

Beyond the visual refresh, we've implemented several key UX changes that directly address the need for increased realism and participant engagement:

The optional countdown timer: Feel the pressure build!

In a real crisis, time is often a critical factor. Now, with the addition of an optional countdown timer, facilitators can introduce this vital element directly into the Presentation Mode. This isn't just about a ticking clock; it's about replicating the pressure and time constraints that decision-makers face in genuine incident response. This subtle yet powerful addition can significantly heighten the sense of urgency and consequence for participants, driving more active and strategic thinking.

Navigating back: review and reflect in read-only mode

Ever wished you could quickly refer back to a previous piece of information during a fast-paced crisis?
Now you can! We've introduced the ability to navigate back to previous injects in a read-only mode. This means participants can revisit past communications, intelligence, or decisions without impacting the live progression of the exercise. This feature fosters better situational awareness and allows for more informed decision-making, mirroring the investigative and analytical processes that occur during a real incident.

Companion App integration: all your content, always on hand

Perhaps one of the most impactful changes for participant engagement is the surfacing of all content and static rich media directly on the Companion App. Previously, certain elements might have been facilitator-driven. Now, everything from critical intelligence reports to simulated news articles, social media feeds, and relevant imagery is immediately accessible to participants on their personal devices. This comprehensive content delivery ensures that participants have all the necessary information at their fingertips, enabling them to actively participate, analyze, and collaborate without disruption. It transforms the Companion App into a truly indispensable tool for the exercise, fostering deeper immersion and a more authentic crisis experience.

Why these changes matter

Our core mission at Immersive is to make learning about cybersecurity as effective and memorable as possible. These updates to Crisis Sim Presentation Mode directly serve that mission by:

- Increasing realism: By incorporating elements like time pressure and readily accessible information, we're making our simulations more closely resemble the complexities and demands of real-world cyber crises.
- Boosting engagement: When participants have all the information they need at their fingertips and can actively interact with the scenario, their engagement levels naturally soar. This leads to more meaningful learning outcomes and a greater retention of critical skills.
- Enhancing learning outcomes: A more realistic and engaging environment naturally fosters better decision-making skills, improved teamwork, and a deeper understanding of crisis management principles.

These enhancements will provide an even more powerful and immersive experience for both facilitators and participants. We're confident that these changes will lead to even more impactful learning and a greater readiness to tackle the cyber challenges of tomorrow.

Share your thoughts

We can't wait for you to experience the difference, and we’d love to hear your thoughts on the changes. Log in to your Immersive platform and explore the enhanced Crisis Sim Presentation Mode today!

ISO 27001 and the Immersive One Platform: Strengthening Your Information Security Posture
The importance of continuous evidence

When audits or investigations happen, it’s not enough to say you’ve got things under control – you need to prove it. That means having solid evidence of your security posture, how it’s been implemented, and a continued commitment to it. Without that, the risk of fines and reputational damage goes up. Being able to demonstrate continuous evidence is crucial for staying in line with the latest directives and regulations.

How Immersive can help

Immersive helps organizations implement compliance frameworks like ISO 27001 by providing evidence of due diligence, simplifying the human element of security, and enabling gradual expansion of security measures. Depending on your priorities, or where you perceive your biggest gaps to be, these are some of the areas you can leverage in the Immersive platform:

- Improving the speed and quality of response to emerging threats.
- Increasing efficacy in recruitment, retention, and career development.
- Reducing cloud and application vulnerabilities early in the Software Development Life Cycle (SDLC).

Here are three practical ways Immersive supports ISO 27001 compliance:

1. Hands-On Labs

These labs ensure people across different roles get the right training and skill development. Security and technical teams have varying needs, and our labs help meet those needs by aligning practical learning to specific job functions. A general theme is how failing to provide proper training isn’t just a missed opportunity – it can be seen as negligence. An organization is responsible for providing training tools, which should be aligned with specific roles. Here are some of the ISO 27002 sections that our Hands-On Labs align with: 5.4, 5.7, 6.1, 6.3, 8.7, and 8.27. For more details, see the ISO 27002 implementation guide.

2. Crisis Sim

All frameworks emphasize properly exercising staff and those with decision-making responsibilities.
This covers everything from traditional tabletop exercises (TTX) at the board level to hands-on scenarios for teams further down the organization. Proving these exercises are happening effectively can be challenging. Traditional exec-level sessions are expensive, time-consuming, and hard to scale. Crisis Sim helps to solve this. It offers a practical, scalable way to run structured exercises across different teams and roles, including the supply chain. Here are some of the ISO 27002 sections that our Crisis Sim solution addresses: 5.4, 5.20, 5.24, 5.34, and 8.16. For more details, see the ISO 27002 implementation guide.

3. Workforce

Plenty of areas in the ISO 27001 framework apply to the entire organization, not just technical teams. In some cases, we already have content such as labs and workforce exercises that can be used right away. But often, the focus is on your own internal policies and procedures – and that’s where our customizable templates and lab-building tools come in. The Immersive Workforce methodology gives you a structured way to train your people and show that they truly understand and can apply those policies in real-world scenarios. It’s all about making security awareness practical, measurable, and tailored to your organization. Our Workforce methodology meets the following ISO 27002 sections: 5.10, 5.17, 5.27, 5.34, 6.3, 6.7, and 8.1. For more details, see the ISO 27002 guide.

Turning compliance into confidence

By tapping into the full power of the Immersive platform, organizations can go beyond just checking compliance boxes. They can actively show due diligence, streamline compliance efforts, and proactively strengthen their information security posture. From hands-on training and crisis simulations to workforce assessments, Immersive provides the tools and methodologies needed to ensure that individuals at all levels are equipped to understand, apply, and uphold robust security practices.
Ultimately, this leads to a more secure environment, reduced risk, and clearly demonstrates an organization's commitment to protecting its valuable information assets.

Share your thoughts

How is your organization approaching ISO 27001 compliance? Drop a comment below and let us know what’s worked, or what you’re still figuring out. For more details on strengthening your information security posture, check out these sources:

- ISO 27001 framework
- ISO 27002 implementation guide (for ISO 27001)
- NIS2
- DORA