Enter The Maze Challenge: Immersive’s Most Advanced Collection Yet
Today marks the release of the Maze Challenge, Immersive’s most advanced and cunningly designed offensive cybersecurity collection yet. This new series of labs is more than just a test of skills. It's a puzzle, a game, and a creative brain-bender, crafted by two of Immersive’s most brilliant minds: StefanApostol and SabrinaKayaci. Stefan, known to many as the "evil genius" behind the Human Connection Challenge, and Sabrina, who recently inspired our London community meetup attendees with her predictions on AI within the AppSec space, have teamed up to create something truly unique. We sat down with them to get their insights on what makes the Maze Challenge so special, so challenging, and so much fun. What was the main inspiration behind the maze theme, and how did you translate that narrative into a collection of technical labs? The core idea for the Maze Challenge, as Stefan explained, came from a shared love of games. "Both Sabrina and I are geeks. We like games, and we wanted to create a challenge with an overarching goal that was more than about earning a completion token." While our labs have always awarded tokens for completion, Stefan and Sabrina wanted to create a narrative that would engage users on a deeper level. "A maze is the perfect example of that," Stefan said. "We wanted to include a game element in these challenges." This isn't just a series of technical scenarios. It's a cohesive puzzle where each lab is a step toward a larger objective. The maze narrative encourages participants to think creatively, connecting different skills and techniques in a way that feels more like a game than a traditional capture the flag (CTF). I’ve heard that this is the most advanced lab collection yet. So, what makes these labs more challenging than the thousands of others in Immersive's catalogue? This collection is Immersive's most advanced to date, introducing a range of techniques not yet widely covered in the platform. The labs are a combination of real-world examples drawn from the creators' past experiences and internal testing, all woven together with a good deal of imagination. While the challenge covers a broad spectrum of offensive skills, including web, Linux, Windows, and Active Directory, Stefan was quick to name binary exploitation as an obvious concept that will have participants scratching their heads. The team collaborated with BenMcCarthy on this particular lab, and Ben being Ben, he poured all his creativity into it, making even Stefan nervous to attempt this mean challenge! Sabrina added that the real difficulty lies in the type of thinking required. "Some of them will really require outside-the-box thinking," she said. "They're unusual in a way that requires not just the technical skill, but some creativity and more critical thinking." This is a key theme throughout the collection. Participants can't rely on a simple, formulaic approach. Instead, they must be flexible and resourceful. Sabrina noted that some challenges will require "multiple sets of skills," forcing users to chain together their expertise in different areas to find a solution. Without giving away any spoilers, can you describe a moment in one of the labs that you're particularly proud of designing? Sabrina beamed as she recalled the Inner Maze lab. "I really enjoyed creating Inner Maze," she said, before adding a cryptic twist. "When you break out of that maze is when you're really trapped." She was particularly proud of her ability to create and then beat her own challenge, finding the exploit even more difficult than the design itself. Can you give users any hints or tips? The Maze Challenge is designed to be tough, and you should certainly expect it to be just that. However, the creators want everyone to have a fair shot, so they’ve some advice for those who might feel intimidated. Use the platform to your advantage. Stefan noted that around 98% of concepts within this challenge can be learned in the rest of our lab catalogue. “If you get stuck on a specific skill, take a break from the maze, find the relevant labs on the platform, and then come back with your newfound knowledge.” We encourage you to learn along the way, and persistence is always rewarded! Failure can be a sign of progress. Sabrina shared a key insight: "Sometimes it's important to take note of what it is you're doing that's failing... If you're failing at the same spot in a particular approach, that could actually mean that you're doing something right." Go figure that one out! Don't go it alone. Sabrina advises anyone starting their journey to ask others for advice and help. Our community help forum is a great resource for sharing knowledge and getting tips from fellow participants. We want you to have fun, and part of that fun is collaborating with your industry peers along the way. In the end, what do you hope participants will take away from this experience, beyond the technical skills? Stefan and Sabrina both hope it's a "desire for more challenges”! They also dropped a teaser for a community Halloween challenge… That’s all you’re getting for now! 👀 Want a head start? Join Stefan and Sabrina for a Labs Live webinar on August 19th. They’ll be solving the Improbable Maze lab live on the call, in collaboration with you. Attendees are encouraged to play along, offer their suggestions, methods, and frustrations. It’s the perfect opportunity to see the creators’ thought process and gain some momentum for your own journey through the maze. See you there!Cozy Bear? Not So Cozy…
When you think of a “cozy bear”, you might think of Winnie the Pooh or a faux fur throw by the fire, not a criminal hacker group that’s been active since 2008. There was an intrusion to TeamViewer, the most popular remote access software, on 26 June 2024. Evidence points accountability towards Russia’s Midnight Blizzard group, also known as APT29, the Dukes, and the Cozy Bear group. Not exactly the type of behavior you’d expect from a cozy bear, right? The Cozy Bear group has been observed using tools and techniques that target groups like government, healthcare and energy organizations. Its most common techniques include scanning (T1595.002) and exploitation (T1190) against vulnerable systems. It’s also associated with the notorious SolarWinds incident in 2021 that resulted in the first ever SEC charges against a CISO. It’s safe to say this bear isn’t hibernating, it’s on the prowl. All honey pots aside, Immersive Labs has a dedicated Threat Actor Lab for APT29 and a wealth of content around other attack types perpetuated by this malicious threat group. Ensure your teams aren’t caught in a bear trap by exploring or revisiting content designed specifically around this cyber espionage group: APT29: Threat Hunting with Elasticsearch Successful cyber threat hunting relies on a combination of information from cyber threat intelligence to detailed event logs via endpoints, network devices, and security tools. This lab collection gives you an opportunity to explore some of these concepts through the lens of an emulated APT29 attack scenario. APT29: Threat Hunting with Splunk These labs follow the same attack path as the above collection, but with different tactical and system focuses, providing an opportunity to explore concepts through the lens of an emulated APT29 attack scenario with Splunk. Brute Ratel: Extracting Indicators of Compromise Brute Ratel C4 is a commercial command and control (C2) framework for adversary simulation and red team engagements. This tool has been observed in the wild being used by nation-state actors, specifically APT29. The following labs are also based on this threat group’s known tactics, techniques, and procedures (TTPs) and exploits. Check them out: CVE-2019-19781 (Citrix RCE) – Defensive CVE-2019-19781 (Citrix RCE) – Offensive CVE-2020-5902 (F5 BIG-IP) – Defensive CVE-2020-5902 (F5 BIG-IP) – Offensive We may be having fun here, but your cyber readiness is no joke. Make sure your teams are up to date on the newest CVEs and that they’re well versed on established threat actors and attack vectors – so your organization stays out of the news 🙅♀️🐻📰 Share your thoughts! Do you like bear-themed articles? Do you plan to assign or bookmark these recommended labs? We’re beary eager for your feedback in the comments below!5 Pro Tips for Organizing an Effective Team Sim
While scheduling a Team Sim exercise in the Immersive Labs platform is very straightforward, I’m sharing a list of recommendations and tips for making sure your exercise goes the extra mile: 1. Define exercise objectives Know the purpose of the exercise to keep a laser focus and stop scope creep, which can dilute the exercise experience and learning takeaways. Is this a fun exercise that will encourage engagement, or is it a capability assurance exercise? Knowing your objective is essential for effective planning. For example, a fun exercise might include more guidance and hints than a capability assurance exercise. 2. Block out calendars in advance Identify your participant list as early as possible and send placeholders out to ensure the team’s availability. The more advance notice, the better. At a minimum, provide two weeks’ notice, but ideally one month. In some large-scale cases, whole Team Sim exercise programs are planned and booked out over six months in advance. 3. Host a briefing session These sessions provide a great chance to set the expectations and objectives of the exercise, communicate important exercise information, answer any questions, and, most importantly, get the team excited about it! We recommend organizing a briefing call the week before the exercise. 4. Run a systems test The last thing you’ll want to deal with when your exercise launches is any dreaded technical issues. Make sure you run a systems test early in the planning stages, leaving plenty of time for your organization to make any required configuration changes. You can find system requirement details here. 5. Assign preparation labs Some of the catalog exercises may use security tools unfamiliar to your organization. I believe in the benefits of vendor-agnostic learning when it comes to skills development, but understand that unfamiliar tools can be frustrating. If you have access to our hands-on labs, there are preparation labs available tailored for each catalog exercise. Assign these to participants a minimum of two weeks before the exercise. If you need any help or support with planning, ask a question in our Help and Support forum. Following these steps ensures clear expectations from your participants and a smooth lead-up to your exercise, which plays a big factor in making it a success! Do you have any hints or tips for other exercise planners and facilitators? What lessons have you learned, or where have you seen success? Let us know in the comments below.The Softer Side: Non-technical Benefits to Technical Team Exercises
In my role, I have the privilege of working with many different organizations through their technical exercise events and programs. One of the most rewarding aspects is seeing the spark ignite in the people as they band together to achieve a common objective. In this article, I’ll be sharing some of the common benefits I see emerge across organizations of all sizes, industries, and maturity levels, no matter the exercise's purpose. Encouraging curiosity and problem-solving Cyber Range Exercises provide a virtual network environment to explore. Defensive exercises focus on detecting and monitoring malicious activity, while offensive exercises involve exploiting vulnerabilities to uncover target information. Within these simulated environments, participants must utilize a wide array of skills and decide on the best approach, as the correct course of action isn't always obvious. This technical challenge is great for reinforcing knowledge and applying skills. I've seen players puzzle over unsuccessful methods, forcing them to rethink their approach entirely, asking plenty of “what if” questions before testing them out. This experimentation process educates players while simultaneously promoting lateral thinking and encourages sharing problem-solving insights. Improved communication Trawling through logs and analyzing (or preparing) a malicious payload usually calls for quiet focus. But in the real world, we’re rarely working alone. More often than not, investigations and tests happen in small teams, under pressure, and good communication becomes just as important as technical skill. That’s why team-based exercises reflect this reality. You’ve got to explain what you’re doing clearly, so everyone’s on the same page – both in terms of the situation and the technical jargon. Creating clear written logs and documentation matters too, especially in incidents where language may need to be adapted for different audiences. The most effective teams I've observed in these exercises prioritize organization. They set up a central place to track everything – whether that’s a Teams channel, a spreadsheet, or a crisis response tool – and they’re smart about assigning roles and carving out time to keep everyone synced up. Better distraction management A deliberate challenge I sometimes incorporate into technical exercises is surprise leadership requests for incident updates. This tests the team's ability to rapidly consolidate information under pressure, dealing with the uncertainties of an active investigation. Teams with strong organization, detailed incident logs, and a dedicated spokesperson or team leader consistently manage these interruptions best. Practicing in a simulated setting helps teams stay productive and accurate, even when real-world distractions come into play. It builds the ability to block out noise, manage stakeholders, stay focused on individual tasks while keeping sight of team goals, and smoothly switch contexts when needed. Stronger team dynamics Unlike individual training, these exercises require participants to actively communicate, share knowledge, and rely on each other's strengths to achieve a common goal. Team members learn to understand each other's working styles, identify individual expertise, and build trust in their colleagues' abilities. The shared experience of overcoming technical challenges, even simulated ones, creates a sense of camaraderie and shared accomplishment. While every team comprises diverse personalities and communication styles, it's crucial that each individual feels comfortable and empowered to share their insights and findings. These contributions can significantly alter the outcome; for instance, a critical discovery during a technical investigation might directly influence the business's crisis response strategy. Increased efficiency The more a team works together responding to the exercise challenges, the more they develop shared understandings of processes and expectations, learn to delegate effectively, and identify bottlenecks in their collaborative efforts. Eliminating issues arising from a lack of confidence or familiarity with the team or processes is especially critical for incident response teams, leading to quicker response times and improved agility when situations change rapidly. After each exercise, I like to conduct a team debrief, which is crucial for reflecting on lessons learned. Prompting players to consider their individual strengths and challenges, alongside open discussion about team dynamics and processes, helps identify opportunities for improvement. Technical exercises are undoubtedly key to boosting individual technical proficiency. However, their even greater value lies in cultivating these skills alongside the crucial professional attributes demanded by our field. Considering the significant pressure and expectations placed on these teams to deliver trustworthy outcomes, ensuring their preparedness within a high-trust setting is essential. These are merely some of the advantages I've witnessed through these exercises. Share your thoughts What benefits have you experienced through technical exercising? Share your thoughts in the comments!Decoding Coding: Picking a Language
These days, more and more jobs can benefit from being able to write simple scripts and programs, especially in cybersecurity. For example, pulling data from an API, scraping web pages, or processing large data files to extract information – the list of uses is virtually endless! Tempting as it is to dive right in, there are several things worth thinking about before you begin. This article will discuss one of the most important choices – selecting a language. What to consider when choosing a language A basic understanding of programming languages can make your life easier, increasing your adaptability and finesse in different environments. But with tons of languages like Python, Java, JavaScript, Go, Rust, and more, which one should you choose? Here are the crucial factors to consider: What's available Can you install whatever language you like to run your code, or are there limitations? If you have an enterprise-managed computer, you might not be able to install new software or languages, and you may need to use the default options. For Windows, this is PowerShell. Bash Script is the equivalent for Mac and Linux devices, and Python is often available too. Your personal experience and interest This one might sound obvious, but it does matter. We learn better and faster when we're invested in the subject. Look at your previous experiences. Have you worked with any programming languages before? Did you enjoy them? For example, if you had a good experience working with Python, let that guide your decision! That said, don't shy away from learning something new if there's a good reason or you’re curious to do so. What's trending in your organization Does your organization or team predominantly use a specific language? Not only would learning that one help you communicate better with your colleagues, but it could also give you an edge while working with systems developed in that language. Plus, there’ll be plenty of people to talk to if you get stuck! The language's capabilities and nature Like people, different languages have different strengths. Some are fantastic for web development (like JavaScript), while others are better suited for system-level programming (like C). Python is often an excellent choice. It's considered easy to learn, incredibly flexible, and powerful due to the huge catalog of packages available. While it isn't as fast as many other languages, for most purposes, it's usually more than fast enough. Java is a very widely used object-oriented programming language and can be extremely fast. The learning curve is steeper than Python, but there are loads of learning resources available. JavaScript (not to be confused with Java!) isn’t as useful for quick standalone scripts or applications, but it's the dominant language for websites and browsers, so understanding it is practically a superpower for testing and manipulating websites and applications. C and C++ allow low-level access to memory and offer a lot of flexibility – incredibly helpful when evaluating systems with these languages at their core. Available tools and training Great tools can make tough jobs easier. Certain programming languages have robust toolsets that can help automate your tasks. For instance, Python has a wide array of libraries and frameworks that make handling big projects a cinch while saving you time and effort – why reinvent the wheel when you can just import it? Take a look at what training is available for the language you’re interested in. Older and more popular languages are likely to have more to choose from, but there’s loads out there and a lot of it is free! Also, consider what tools you might already have access to within your organization. Community and support If a programming language has a large active community, it means help is readily available when you get stuck. Languages like Python, JavaScript, and Java have strong communities and plenty of online resources available. Scope for growth If you're planning to learn a language, why not pick one that's in demand? Check job boards, look at industry trends, and see if learning a particular language can give your professional growth a boost! Summary Remember, no language is “the best". The best is the one that suits your needs and circumstances. You might even find mastering multiple programming languages useful over time. Just like speaking multiple languages, the more you know, the better you can communicate in different environments! Once you understand some of the basic programming concepts, like variables and loops, it’s easier to learn a second or third language. Learning a programming language may initially seem like climbing a steep mountain. But once you get the hang of it, you'll realize that the view from the top was well worth the hike! Want to take the next step? Here are some lab collections that may help you learn a bit more about PowerShell and Python: PowerShell Basics Offensive PowerShell Introduction to Python Scripting Share your thoughts If you’re new to coding, tell us what language you’re trying out! Why did you pick it, and would you make the same choice again? Are there any specific challenges you found or any relevant experiences you’d like to share?Your Guide to Effective AI Prompting
Why Prompting Matters for Crisis Simulations Think of AI as a highly intelligent, but literal, assistant. The quality of its output directly reflects the clarity and specificity of your instructions. For crisis simulations, this means: Relevance: Tailored scenarios that mirror your organization's unique risks, industry, and operational environment. Realism: Scenarios that feel authentic, with credible triggers, evolving complications, and realistic stakeholder reactions. Depth: Multi-layered scenarios that challenge your team's decision-making, communication, and collaboration skills. Actionability: Scenarios that provide clear learning objectives and reveal actionable insights for improving your crisis response plan. Core Principles of Effective Prompting Be Specific, Not Vague Bad Prompt "Generate a crisis." (Too generic, will give you a basic, unhelpful scenario.) Good Prompt "Generate a cybersecurity crisis scenario for a mid-sized e-commerce fashion retailer. The trigger is a ransomware attack that encrypts customer databases and disrupts order fulfillment." Why it works It defines the what (cybersecurity crisis, ransomware), the who (e-commerce fashion retailer, mid-sized), and the impact (encrypted databases, disrupted orders). Define your organisation and context using our drop down fields, and then add additional context. Industry (e.g., healthcare, finance, manufacturing, tech, retail) Threat (e.g., data breach, natural disaster, product recall, public relations nightmare, supply chain disruption, insider threat, workplace violence, financial fraud) Attack vector (e.g., phishing attack, severe weather event, manufacturing defect, viral social media post, disgruntled employee action, sudden market downturn) The more information the AI has about your specific context, the more tailored the scenario will be so consider adding further information such as: Company Size: (e.g., small startup, multinational corporation) Key Products/Services: (e.g., cloud-based software, physical goods, financial advisory) Target Audience: (e.g., B2B clients, general consumers, specific demographics) Geographic Scope: (e.g., local, national, global operations) Relevant Regulations/Compliance: (e.g., GDPR, HIPAA, industry-specific standards) Current Trends/Challenges: (e.g., supply chain issues, inflation, new technologies) Example: "Our company, 'Global Pharma Solutions,' is a multinational pharmaceutical company with a focus on novel drug development. We operate globally and are heavily regulated by the FDA and EMA. Generate a scenario reflecting a crisis involving a mislabeled drug batch, discovered shortly after market release in Europe and the US." Outline Key Stakeholders and Their Potential Reactions Realistic scenarios involve diverse stakeholders with varying interests and reactions. Internal: Employees, leadership, legal, HR, IT, communications, specific department teams. External: Customers, media, regulators, investors, suppliers, partners, general public, affected individuals. Desired Reaction: How should these stakeholders react? (e.g., panic, confusion, outrage, demanding answers, seeking legal action, offering support). Example: "Include reactions from panicked customers flooding social media, calls from concerned regulators, and an internal IT team struggling to diagnose the issue. Also, factor in a potential negative news story breaking on a major industry publication." Inject Complications and Escalation Crises rarely remain static. Build in elements that make the scenario evolve and become more challenging. Secondary Events: (e.g., power outage during a cyberattack, additional product defects discovered, key personnel unavailable) Information Gaps/Misinformation: (e.g., conflicting reports, rumors spreading on social media, difficulty in verifying facts) Ethical Dilemmas: (e.g., balancing transparency with legal implications, prioritizing different stakeholder needs) Time Constraints: (e.g., a critical decision needed within 30 minutes, public statement required by end of day) Example: "After the initial system outage, introduce a new complication: a cyber-espionage group claims responsibility on a dark web forum, threatening to release sensitive customer data if demands are not met, despite the initial incident being unrelated to a breach." Define the Learning Objectives (Optional, but Recommended) While the AI won't "know" your objectives, including them in your prompt can subtly guide its generation towards a scenario that helps you test specific aspects of your plan. Example: "The scenario should test our team's ability to communicate effectively under pressure," or "Focus on evaluating our supply chain resilience and alternative vendor protocols." By following these guidelines, you'll be well on your way to leveraging our AI crisis simulation feature to its fullest, preparing your team for any challenge the real world might throw at them. Happy simulating!I’m ready to put up MITREE 🎄 – but is my business ready with MITRE ATT&CK?
This blog post reviews the MITRE ATT&CK framework and discusses which tactics and techniques should warrant your attention over the upcoming holiday season. We’ll also show you how to use Immersive Labs to review your skills coverage, identify resource dependencies, and assign timely and relevant content using the MITRE ATT&CK framework.Balance Your Business with the Buzz
The question begs for a prioritisation exercise. You need to create a dynamic program structure to address security priorities and the highest-volume threats, while keeping your finger on the pulse. Let’s dig into how you can balance your priorities Balance role-based learning and skills growth with day-to-day job responsibilities. These learning plans often look like a longer-term goal with continuous growth and skills progression. Some of our favourite Immersive Labs Career Paths (courtesy of the man, the myth, the legend ZacharyAbrams, our Senior Cyber Resilience Advisor are: Network Threat Detection Introduction to Digital Forensics Incident Response and Digital Forensics You can also create your own Career Paths! Buzz your team’s interest and pique security knowledge around the top routinely exploited vulnerabilities and priority threats. Latest CVEs and threats This collection should be a holy grail for referencing and assigning labs on the latest and most significant vulnerabilities, ensuring you can keep yourself and your organisation safe. Incorporate trending and priority threats like #StopRansomware with the below collections: Ransomware In this collection, you’ll learn about the different strains of ransomware and how they operate. Malicious Document Analysis Phishing and malicious documents are major malware attack vectors. Learn to analyse various file types and detect hidden malware. Balance out the flurry of CVEs and news trends with timely and relevant industry content: Financial services customers often prioritise Risk, Compliance, and Data Privacy Collections, or our entire Management, Risk, and Compliance path. We also have a great “Immersive Bank” Mini-Series for a simulated red team engagement against a fictitious financial enterprise. The series walks through the various stages of a simulated targeted attack, starting with information gathering and gaining access, before moving to pivoting and account abuse. Automotive customers might be interested in our CANBus collection to learn more about the CANBus technology in modern cars, and the security threats it faces. We’ve also seen interest in our IoT and Embedded Devices collection and OT/ICS For Incident Responders path! Telecommunications customers may be particularly interested in a more timely lab, such as threat actor Volt Typhoon, which recently made headlines with an attack on ISPs. Due to the group's focus on ISPs, telecom, and US infrastructure, we recommend reviewing its TTPs and mapping them against labs in the Immersive Labs MITRE ATT&CK Dashboard. Other threats may be of higher priority for your sector – reach out to your CSM or Ask a Question in the community to learn suggestions from your peers! Buzz about the latest and most active threat actors and malware because, let's bee real, everyone wants to keep their finger on the pulse of the latest security happenings. Finance, healthcare, defence, government, and national political organisations are on high alert around Iranian-Backed Cyber Activity. The following content on common attack vectors from these groups is valuable to organisations today: IRGC and relevant malware labs: APT35 Peach Sandstorm Tickler Malware Citrix Netscaler CVEs: CVE-2019-19781 (Citrix RCE) – Defensive CVE-2019-19781 (Citrix RCE) – Offensive F5 BIG-IP CVEs: CVE-2022-1388 (F5 BIG-IP) – Defensive CVE-2022-1388 (F5 BIG-IP) – Offensive What would this all look like as part of my program? I like to think of it as a waterfall method, but make sure you consider the overall learning requirement relative to your team’s workloads. Annual: Role-based career paths with a longer duration (doesn’t have to be annual – you can set more frequent targets if that’s better for your team) for completion to meet individual growth and organisation training goals. Quarterly to bi-monthly: ‘Timely training’ with IL Collections or Custom Collections. This might include a mix of “Balance” around industry-relevant content, upskilling to bridge skills gaps, or “Buzzy” content addressing incident retrospective findings that require skills triage, or an industry trend like the rise in Ransomware or Threat Actor risks for your sector, as you reprioritize your internal threat landscape through the year. AdHoc: ‘Threat Sprint’ assignments with new CVE and threat actor labs as a small custom collection with 7-10 day turnarounds per 2-3 hours of content to address quick priority topics. Make sure to get feedback from your teams on capacity. But, don’t bee afraid to iterate as you upskill your teams, stay stinger-sharp against adversaries, and hive a great time delivering on the business outcomes your organisation is looking for. Share your thoughts Have you mastered balancing business with the buzz? Comment below with your successes, failures, and ideas for effective balanced cybersecurity upskilling programs! Stay safe out there in the field, and keep an eye out (or five) for new articles based on recent events in the cybersecurity space. Get updated in your inbox on posts like this by "following" The Human Connection Blog!From Simulation to Strategy: Empowering Crisis Readiness at SANS
In this blog, I share my perspective as a cyber resilience advisor, exploring how SANS equipped its team to design and deliver exercises based on real-world incidents. What started as a one-time event has become an ongoing project to build internal capability and use the platform for continuous team development and upskilling. A tailored event On May 26, we ran a crisis simulation event with the cybersecurity team at SANS, an organization where cybersecurity plays a critical role in protecting aviation operations and national infrastructure. The scenario, adapted from the Immersive catalog, was tailored to the aviation industry and focused on a targeted malicious code attack exploiting the Follina vulnerability (CVE-2022-30190). It brought together the SOC, incident response, and IT/OT teams to work through a high-pressure situation that tested their ability to detect, contain, and recover from a cyberattack. While the simulation itself was valuable, what stood out most was the team’s immediate interest in expanding their internal capabilities and using the Immersive platform to create their own simulations in the future. Enabling ownership Following the event, we hosted two hands-on workshops to support the team in designing their own crisis simulations. The first workshop focused on developing familiarity with the platform. SANS explored the Crisis Simulation module, navigated the scenario catalog, and learned how to use existing content as templates to build custom scenarios. After participating in this workshop, the head of cybersecurity at SANS described it as “truly interactive, well-executed, and highly engaging… The hands-on approach and practical scenarios helped enhance our technical readiness and cross-team coordination”. The second workshop walked through the full development process, from discovery and design to development and build, helping the team shape a simulation based on a real incident from their organization. Together, we explored how simulations can be used not just for readiness, but as a practical upskilling tool grounded in real operational risk. A collaborative path forward What began as a single simulation has turned into an ongoing partnership. We’re now supporting the SANS team as they take ownership of their crisis readiness, developing internal simulations aligned with their environment, challenges, and goals. This is the value of Immersive in action: not just running simulations, but empowering teams to build their own scenarios. Creating a playbook for success While working with SANS, we used the Malicious Code: Incident Responder crisis simulation from the Immersive catalog as the foundation, changing the decision points (known as injects) to fit the roles that were participating in the simulation. After additional tweaks to the terminology and narrative to better represent the aviation industry, we were able to accurately model a realistic scenario for SANS. You can follow a similar process to create your own crisis simulation framework. Simply export a scenario from our catalog as a building block and personalize it to suit your industry and needs. Keep these tips in mind: Customize the terminology used in the scenario to reflect your organization. While many of our out-of-the-box scenarios refer to financial services or government, they can easily be adjusted. Use historical incidents to shape the crisis simulation and explore best practices. By cataloging events that have happened within your company or industry, newer employees can use this knowledge to better prepare for similar challenges in the future. Encourage teams to share knowledge using the platform based on their experience, so colleagues can learn from examples. Engage your own procedures and policies to create a playbook for the future. Beyond the tabletop: Expanding the value of crisis simulation Running a crisis simulation is just the beginning. Once a team has participated in a full-scale exercise, there’s a powerful opportunity to build on that momentum using the same tools to embed resilience deeper into the organization. Here are just a few ways teams can expand the impact: Explore team-based microsimulations to reinforce best practices. Use short, focused exercises (15–30 mins) to target the specific response skills of a single team. Engage in case study reflection exercises. Take a real incident (internal or public), build it into a learning scenario, and allow teams to step through the decision-making and ask: “What would we have done?”. Beyond crisis: Using the platform for everyday development Crisis simulations are powerful — but the platform can also support ongoing team growth outside of high-pressure scenarios. Beyond crisis response, organizations can use Immersive to: Onboard new team members. Introduce new joiners to tools, roles, and escalation paths through guided, scenario-based learning. Provide career development paths. Use simulations to expose team members to higher-level decision-making, preparing them for future roles in incident leadership or governance. Do you have any alternative use cases for crisis simulations beyond crisis response itself? Share them in the comments!Team Sim: Best Approaches for Your Team
A common issue in Team Sim exercises is when one player works in isolation, leaving others behind and missing the chance to build key team skills. To get the most out of a Team Sim exercise, the focus should be on teamwork – it’s in the name! Whether your team is meeting for the first time or has worked together every day for many years, here are some common characteristics and actions I’ve consistently seen in the best-performing teams: 1. Team leader Regardless of the person’s day-to-day role, a nominated team leader is the essential glue for any team. Some responsibilities I’ve seen effective team leaders adopt include chairing discussions, driving the group to a consensus and a clear decision, being the team’s representative for exercise manager communications, ensuring the team stays organized, and encouraging a positive experience for every member. 2. Pre-exercise team meeting A good plan will start the team on solid footing. High-performing teams bring everyone together before starting the exercise to agree on the approaches and rules of engagement. If you’re meeting the team for the first time, taking the time for introductions is critical to a comfortable environment. 3. Clear communication channels Establishing clear communications for sharing technical information and virtual conferencing details (if required). We recommend setting up a temporary private messaging group in your organization’s approved communications platform. Every team member should know how and where to ask questions or ask for support. 4. Blocked out exercise time Depending on how you approach the exercise (more on this later), teams that reserve time in their calendars in advance tend to have greater attendance and engagement. The effectiveness of team exercises depends on factors like team size, communication medium (in-person, virtual, or hybrid), time zones, skill levels, and goals. For example, do you want to put a well-known team to the test or have junior members learn from experienced analysts? In the spirit of collaboration, we have some tried and tested team approaches that we know work well in bringing people together. Each approach has its advantages and disadvantages, so bear this in mind when thinking about what works best for you and your team. One Team This involves the entire team working through the exercise together, either in person or virtually, maintaining constant communication and progressing at the same pace. This is the most common approach and is great for information sharing and peer learning. However, in larger teams, there’s a higher risk of some members falling behind, reducing their engagement. Chairperson Somewhat contrary to our earlier sentiments, this approach requires players to conduct portions of the exercise tasks alone, before coming together as a team during regular checkpoint meetings to discuss and validate each other's answers and findings. The team must agree on an answer before a chairperson submits the answer to a question in Team Sim. This is a slower approach, but it provides every player a chance to experience the whole exercise while encouraging knowledge sharing and exposure to different approaches and styles. Relay This is best for geographically split teams and perfect for exercising handover communication! Teams work on segments (e.g., specific time blocks or question sets) and pass their findings to the next team. Handoffs should mirror real incidents, addressing findings, uncertainties, and further investigations. A post-exercise debrief is a great opportunity to review and improve handover processes and communication skills. Team Strengths No two people are the same, and you may have specialists or people with particular strengths you can lean on. As you progress through the exercise and require different skills and knowledge, engaging those specialists can be an effective way to tackle a problem as a true team. Identify those strengths early on so you know what's in your team’s arsenal! Want a challenge? Do the opposite and encourage the team to use the skills they find challenging! If you want to save a copy of these approach ideas, check out our Team Sim Player Guide, which you can download and share. Share your thoughts This isn’t an exhaustive list of approaches; be creative with your team to find what works best for you. If you’ve participated in a Team Sim exercise before, let us know your tips for creating a top-class team dynamic!
