It’s Not Magic, It’s Mechanics: Demystifying the OWASP Top 10 for AI
Welcome back to our series, “Behind the Scenes of Immersive One”! The following is a conversation with Sabrina Kayaci, Cybersecurity Engineer for Immersive One, and Rebecca Schimmoeller, Lead Product Marketing Manager. Today, we’re continuing the discussion on our Secure AI capability. “When developers hear ‘AI Security,’ they either start to sweat or eye-roll. It either feels like a black box where the old rules don’t apply, or it feels like inflated marketing hype. The truth is, AI vulnerabilities aren't magic; they are mostly just new manifestations of the classic flaws we’ve been fighting for decades. Once you map the new threats to the old patterns, the mystique fades. You realize it’s not magic to fear or hype to ignore—it’s just an engineering problem to solve.” Rebecca: Awesome frame, Sabrina. No matter where you sit on the spectrum—whether you’re anxious about the risks or skeptical of the buzz—AI security doesn't mean starting from zero. Developers should already have the muscle memory for this. Sabrina: Exactly. We aren't asking them to learn a new language; we're asking them to apply their existing fluency to a new dialect. That’s the core philosophy behind our new OWASP Top 10 for LLMs and GenAI collection. We tackle the problem that AI is often treated as a "new and daunting" field. By framing threats like Supply Chain Vulnerabilities or Excessive Agency as variations of known issues, we accelerate the learning curve. We strip away the "AI mysticism" to reveal the underlying mechanical flaw. Rebecca: I love "stripping away the mysticism." Let’s talk about how that works, starting with the big one everyone is concerned about—Prompt Injection. How do you take that from "scary AI jailbreak" to something a grounded engineer can fix? Sabrina: In the media, Prompt Injection is portrayed as this sentient ghost in the machine. In our lab, we treat it as an Input Validation failure. We show that the system is simply confusing "user input" with "system instructions." When a developer sees it through that lens, the eye-roll stops. It’s no longer hype; it’s just mixed context. And they know how to fix mixed context. We show them how to apply that architectural fix to an LLM. Rebecca: That maps perfectly. But looking at the curriculum, I see we go much deeper than just a standard "Top 10" checklist. Why was it important to go beyond the simple definitions? Sabrina: Because a definition tells you what something is, but it doesn't tell you how it impacts you. In the new OWASP LLM collection, we focus on Core Mechanics and Attack Vectors. We deconstruct threats like Data and Model Poisoning or Supply Chain vulnerabilities to show you exactly how they infiltrate a system. It’s the difference between knowing what an engine looks like and knowing how to take it apart. You need to understand the mechanics of the vulnerability to understand the potential impact—otherwise, you're just guessing at the fix. Rebecca: It sounds like we're upgrading their threat modeling software, not just their syntax. Sabrina: Yes, 100%. Look at Excessive Agency. That sounds like a sci-fi plot about a robot takeover. But when you do the lab, you realize it’s just "Broken Access Control" on steroids. It’s about what happens when you give an automated component too much permission to act on your behalf. Once a developer maps "Excessive Agency" to "Least Privilege," they stop worrying about the robot and start locking down the permissions. Rebecca: Is the goal to get them through all ten modules to earn a Badge? Sabrina: The OWASP Top 10 for LLMs Badge is the end state. It proves you have moved past the "sweat or eye-roll" reactive phase. To your manager, it signals you have a proactive, structured understanding of the AI risk landscape and can speak the language of secure AI. There’s no hype in that. Only value-add to you and your team. Final Thought Our OWASP Top 10 for LLMs collection is the antidote to AI security angst. For the developer, it demystifies the threat landscape, proving that their existing security instincts are the key to solving new problems. For the organization, it ensures that your AI strategy is built on a bedrock of engineering reality, rather than a shaky foundation of fear. [Access Collection]Boosting Cyber Readiness Together: Introducing The New AI In-Lab Assistant
We’re passionate about creating an empowering, collaborative learning environment. That’s why we’re excited to introduce the AI In-Lab Assistant – an intelligent chatbot right inside your lab environment. We want you to solve challenges independently. The new AI assistant is designed to provide hints and tips on a lab, offering guidance without giving away the answer. The aim is to enhance your learning experience, ensuring you're always ready for what’s next. 🔎 Finding your on-demand learning companion Getting started is simple. Open a lab, and you’ll see a sparkle icon in the top right corner of your screen. Clicking this sparkle icon opens the chatbot interface. If the window obstructs your view, you can reposition the chatbot by dragging its top bar. If you need to hide it, click the cross in the top right of the pop-up window or the sparkle icon again. 🔬 How can the assistant help me? We specifically designed this chatbot to help with lab-related queries and tasks inside the lab environment. You can ask it to summarize the lab briefing, help you understand key concepts (such as "what is a SIEM?"), or assist with specific questions (for instance, "I need help with Task 3!"). The chatbot will give you hints and tips without giving you the exact answer. For example, if you're tackling enumeration, it might suggest commands like nmap, netstat, or cat. If you're working on privilege escalation, it may encourage you to think about commands like sudo, su, or to look for SUID binaries. Our sophisticated technology takes snapshots of practical and cloud labs, capturing the necessary context to understand activities on the virtual machine or the command line interface. ✅ Key boundaries and quick tips We want you to get the most out of the new AI In-Lab Assistant. It keeps to the following main points: It won’t give away the answer: We intentionally designed the chatbot to encourage independent completions, not to directly give you the answer. If you ask outright for the answer to a question, it’ll provide hints for you to figure it out yourself. It only applies to lab content: While you can input any query, the chatbot can only answer questions related to the lab you’re currently in. If you ask a non-lab-related question, such as "how’s the weather today in Bristol?", it’ll tell you it doesn’t have access to real-time data. Instead, it’ll encourage you to ask a question about the lab. History isn’t retained: To start a new chat, click the plus icon next to the New chat button in the top left of the chatbot window. This will clear the current history. Note that you’ll lose your conversation history when you exit a lab or start a new one. The chatbot can only retain seven questions before forgetting them. Exclusions: The AI In-Lab Assistant is available in most labs, but isn’t available in custom labs, adaptive assessments, or any demonstrate labs. 🔐 Data security and feedback you can trust We want to be upfront about our technology and security because we value authenticity. Our AI service was built using OpenAI. We prioritize your data security, so we only store your account UUID in the AI service database. We don’t store any other personally identifiable information (PII) except what you explicitly input as queries, which OpenAI will also receive. Crucially, we don’t ingest any custom content labs into our AI service, and the service doesn’t have access to any customer data. We rely on your input to keep improving! You can provide feedback on every response using the thumb-up or thumb-down icons found directly underneath the chatbot’s reply. We monitor this feedback to improve the AI In-Lab Assistant over time. 💁🏻♀️ And don’t forget… If you’d prefer to speak to real humans for hints and tips on your favorite labs, head to the Community and navigate to the Help Forum. If you aren’t satisfied with the AI In-Lab Assistant’s responses or have technical issues with the feature, reach out to Customer Support via the Help Center.Elevating Cyber Resilience: How GenAI is Revolutionizing Crisis Simulations
Cyber threats have become a pervasive force within the business world, elevating the need for regular cyber resilience exercises into an organization-wide imperative. Genuine resilience is about more than prevention. It’s the agility to identify, respond to, and recover seamlessly from disruptions, ensuring uninterrupted business operations. This approach, which acknowledges the inevitability of a cyber event, is the hallmark of truly resilient organizations. Crisis simulations and cyber exercises are core to cultivating this resilience. Traditional cyber exercises, often static and presentation-driven, tend to serve as theoretical validations. While valuable for reviewing playbooks and pinpointing theoretical vulnerabilities, they frequently fall short of genuinely testing incident response and crisis handling capabilities, particularly in the dynamic, high-pressure environment of a real-world attack. The sheer velocity of modern cyber threats, frequently powered by sophisticated AI, demands a new level of precision and relevance in simulations. This is where Generative AI (GenAI) comes in. It can transform how we design and execute tabletop-style cyber crisis simulations, making them profoundly relevant and impactful. The challenge of an unpredictable threat landscape While traditional crisis simulations are beneficial, they have certain limitations. The first is that it’s difficult and time-consuming to create realistic scenarios that reflect the latest threat actor tactics, techniques, and procedures (TTPs), and are meticulously tailored to an organization's unique infrastructure and risk profile. Analysts will also dedicate extensive hours to research, developing intricate narratives and manually injecting variables to ensure a robust challenge. However, this can sometimes result in a predictable exercise that doesn't fully prepare teams for the inherent chaos and unpredictability of a real-world incident. The human element in cyber resilience is also key. As Oliver Newbury, a member of Immersive's board of directors, recently emphasized: "Security is about people, process, and technology. I would have expected as much focus on upskilling people as on implementing new tools. It's the people using those tools who ultimately prevent breaches." Static simulations often fail to truly engage and challenge human teams, limiting their ability to build crucial muscle memory for swift decision-making under pressure. Elevating your crisis simulations with GenAI So, how does GenAI fit into the picture? This powerful technology can create novel content based on patterns learned from vast datasets. In doing so, it offers an unprecedented opportunity to inject realism and adaptability into crisis simulations. Just imagine the possibilities: Hyper-realistic scenario generation: GenAI can analyze current threat intelligence, recent attack patterns, and insights into your organization's specific weak spots to generate realistic and precisely tailored crisis scenarios. This ensures each exercise directly reflects the most pertinent and dangerous threats, making the experience far more impactful for your teams. Optimized playbook stress testing: GenAI doesn't just ease the exercise creation process – it can analyze your existing playbooks and processes. It can then generate crisis scenarios specifically designed to stress-test your response plans, ensuring they’re robust and effective under pressure. This helps validate that your playbooks and processes are truly ready for action. Realistic communications and media drills: In addition to the technical aspects, GenAI can simulate realistic internal and external communications during a crisis. It can generate mock press releases, social media posts, and even stakeholder questions, exercising your communications team's ability to manage public perception and share accurate information under pressure. This is critical for protecting your brand reputation during a breach. Instant feedback and analysis: After an exercise, GenAI can quickly crunch the data generated during the simulation, giving you detailed insights into team performance, response times, decision accuracy, and where you can improve. This speeds up the feedback loop, helping you tweak and strengthen your resilience strategies much faster. Tailored learning journeys: After an exercise, GenAI can analyze how an individual or team performed, then recommend follow-up scenarios or activities to address weaknesses or enhance key skills. This allows for truly personalized and continuously improving readiness programs. Think about the recent explosion of sophisticated, AI-driven attacks, from deepfake scams to highly targeted ransomware. Organizations have to be ready for these advanced threats, and old methods alone might not cut it. GenAI lets us simulate these next-gen attacks with a level of detail we couldn't even dream of before. This ensures teams aren’t just prepared for what's already happened – they’re ready for what's coming. Empowering your people It’s important to remember that GenAI is here to improve human expertise, not replace it. Just as information recall differs from true knowledge, GenAI is augmenting the critical "knowledge work" in cybersecurity, rather than replacing it. Our real value isn’t just in what we know, but how we apply, interpret, and synthesize that knowledge to drive meaningful outcomes. Our job is to use tools like GenAI to empower our organizations and teams and provide them with realistic and effective exercise environments. GenAI offloads the rote, time-consuming tasks of content creation and data sifting, freeing us up to focus on high-value actions such as analyzing results, mentoring teams, and fine-tuning strategic responses. This pushes us towards the "wisdom work" that truly defines expertise in cyber resilience. Building a culture of constant improvement The ultimate goal of bringing GenAI into crisis simulations is to build a culture of constant improvement, where cyber readiness isn’t just a checklist item, but a deep-seated organizational habit. By immersing our teams in hyper-relevant, dynamic, and challenging scenarios, we build the confidence, skills, and muscle memory they need to ride out the inevitable cyber storms with resilience and agility. How are you using GenAI to improve your cyber resilience? Share your thoughts and experiences in the comments below!The secret to hosting an engaging Crisis Sim
Before I start, it’s important to take a moment to acknowledge that I’m privileged to work with some fantastic experts. Immersive’s Crisis Sim lead, JonPaulGabriele, is our very own Daedalus, for any Greek mythology fans. That might make me Ariadne, helping people to navigate the labyrinth. I don’t know who the minotaur is – Greek analogies may not be my forte! JonPaulGabriele builds some fiendishly difficult scenarios that start out with a seemingly everyday occurrence, which quickly spirals out of control. It could involve coordinating a global response to an unprecedented disaster, dealing with a nation-state threat actor who’s holding your data to ransom, or even tracking down the missing Santa Claus. Whatever the situation, the principle behind every Crisis Sim is the same: to help people develop decision-making muscle memory and the ability to act with confidence when rapid decisions are required. I’m sure you’re already familiar with the importance of regular exercises, but it’s not you that we need to convince – it’s your chosen audience. We need to be able to capture their attention and get them to put their phones down. If they’re not present in the room and genuinely engaged with the exercise and its outputs and findings, you’re doomed to fail. So, how do we go about achieving this? Use storytelling I’m a big believer in the power of both storytelling and humour to pique people’s interest. Storytelling is an incredibly powerful technique to connect, persuade, and inspire people to act by tapping into shared experiences and emotions. In the words of Simon Sinek: “Stories allow us to visualize, empathize, and connect in ways that statistics never could.” I use stories when I’m setting the scene or outlining the details of the exercise we’re about to go through. Hopefully I’ll get an initial laugh, or an eye roll – those are just as good, quite frankly! Challenge echo chambers Making sure all voices and opinions are treated equally is critical to support learning and drive genuine change. Echo chambers don’t make for robust environments to test processes and decision-making abilities. It’s important to involve everyone as much as possible and avoid immediately ruling anything out – explore the ideas that people bring to the table in an open way. Creating a safe environment Being able to fail in a safe environment is essential to help people feel like they can speak up. I like to reference this somehow in my introduction to the exercise, just to let people know the kind of environment they’re entering, but you have to actually follow through. It can be small things, like observing who the big voices in the room are and making sure they don’t dominate. These voices are your friends when you need someone to speak up, but don’t let them take over. For quieter people, I try to notice when it looks like they have something to share and make some space in the room for them. It could be as simple as saying to someone: “It looked like you wanted to say something earlier. Would you like to share it with us now?”. A slightly more challenging approach might be something like: “Does anyone disagree with the previous statement?”. Or, you could soften this to: “Does anyone have a different view?”. You’ll need to gauge your audience and determine which approach is right for the room. Of course, this is harder to do online, but cut yourself some slack, too. You also need to be able to fail in a safe environment! Giving people space to speak up should make them feel more comfortable doing so – it’s a win-win. Set expectations The next thing I like to do in my introduction is some housekeeping. I’m an ex-project manager, and old habits die hard. Set expectations and provide clarity on what’s about to happen by outlining any specific rules, items, or actions that you want people to be aware of. If you’re doing something unusual or unexpected during the exercise, like with our recent Flip Reversal session, you’ll want to avoid any confusion, as this can lead to frustration and reduced engagement. Be kind to yourself Finally, remember that even people who regularly go on stage in front of large audiences are slaves to their body’s own systems and reactions. I always get nervous before doing anything like this, but since I know it’s going to happen, I can prepare for it. I write a script that I can practice out loud multiple times beforehand. It means I can read from it on the day and not rely on memory to make sure I’ve said all the things I want to cover. I know that it’s okay to feel nervous or anxious. It’s okay for my breathing to increase slightly or my hands to shake, or any of the other common reactions to being nervous. I don’t try and fight it – I know that as long as I’m prepared and can follow the steps I’ve mentioned above, the session will be a success. Bonus ideas Know who your experts in the room are. If it’s not you, don’t try and fill that role – it’ll be terrible for your credibility and confidence! Leverage the new AI Scenario Builder to uplift your exercise’s content. Get a colleague or friend to join you and present as a double act. You can bounce off each other and share the presenting load. Share your thoughts What are your tips for keeping people present and engaged during sessions like this? How do you overcome the nerves of presenting? Drop a comment below and let us know.Behind the Scenes of Immersive One: How Lab Builder is a Game-Changer for Cyber Readiness
“The best customer feedback we got was, we don’t need you to do everything for us.” Rebecca: Wait, seriously? Matt: Never more so. We built Lab Builder, a powerful Immersive One platform feature, for a reason: Organizations need a way to create, maintain, and publish their own labs—fast. Historically, our cyber team built every lab in Lab Forge. That worked for us, but it locked out partners and customers who wanted to address their unique needs—tools, environments, policies, and threats. They asked, “Can we do more by ourselves?” Lab Builder answers that. Rebecca: Absolutely. Since its debut last fall, Lab Builder has evolved so much. What are the biggest benefits for users today? Matt: There are two big ones. The first is the ability to curate content relevant to your organization, its threats, and its technologies—quickly. Second, realism. Teams can safely train with real-world code, internal apps, or even live malware—all in a secure, disposable environment. It’s as close to production as it gets, giving them an authentic experience with the exact tools and systems they use every day. The result? Faster upskilling, stronger readiness, and measurable gains in resilience. | “With Lab Builder, your organization can turn any piece of code or policy into hands-on training—instantly.” Rebecca: That almost sounds too easy—until you see the demo in action for yourself! Matt: Yes! The team is super proud of how streamlined it is. The core workflow is just five steps. Create a new lab. Then configure it, adding basics like the lab title, intro, learning outcomes, and gamification aspects like points users will get for completing the lab. From there, the focus is on building the briefing and tasks—drag-and-drop questions, code-review challenges, “find the flaw”, there’s lots to choose from. Then you’re ready to publish. Just assign your SME as Lab Creator, and they’re live on the same Immersive One platform they use every day. Rebecca: To me, the genius of that kind of design is in its accessibility. You’ve also invested heavily in the learner experience. Matt: Definitely. Engagement is a top priority, so we’re always building for the learners who need to know cyber—not only to support their organization’s cyber resilience strategy, but to grow professionally. We aim to remove every barrier to learning we can. Rebecca: I know you’re not one to boast, but how has the team modernized the UI? Matt: We’ve done a lot of work here, starting with completely rebuilding the theory labs interface, giving it a clean, responsive design that works seamlessly across desktop, tablet, or phone. We’ve been building toward that for our practical labs experience too. There are now intuitive panels, seamless task navigation, and instant feedback to guide learners every step of the way. We also turned Lab Builder into a true WYSIWYG (“what you see is what you get”) editor so Lab Creators see exactly what their teams will experience. We also baked in full WCAG compliance, with keyboard navigation and screen-reader support on every screen. Ultimately, we hope to bring every Immersive-built and custom lab into a single, unified front end in Immersive One—so no matter where you are, one clear interface delivers the same training experience. Rebecca: It’s this kind of due diligence that really makes a difference! Let’s talk about VMs. How do they fit in? Matt: Theory can only take you so far, so we released practical labs in the spring. Organizations spin up their own virtual machines in AWS (Amazon Web Services), share the AMI with our account, and import it straight into Lab Builder. Why does that matter? Because learners train in their exact production environments—internal tools, real vulnerable code, compliance setups. We support typical instance sizes—enough CPUs and RAM for most use cases. While we may roll out more environments in the future, AWS supports 99% of our existing customer base. That means the process feels native for Immersive One users; they can truly learn by doing. | “Build your VM. Import it. Assign it. All without leaving Immersive One.” Rebecca: Initially, only Org Admins could build custom labs. How did you expand access so that more team members could create labs, without being given full admin rights? Matt: We introduced the Lab Creator role this summer. Now you pick who builds labs—no full admin rights required. Rebecca: So smart. Now, in-house experts can build content without getting the keys to the kingdom. Matt: 100%. The team is laser-focused on leveling up Immersive One with every Lab Builder release because it’s so instrumental to the customer experience. In June, we added video support right in the briefing panels because some individuals learn best through short, engaging clips. We also rolled out a Machine Library stocked with pre-configured VMs—basically templates, from Kali Linux to reverse-engineering rigs—so you can drop assets in and start training immediately with zero VM building. You just need t And internal publishing functionality lets Lab Creators bundle custom labs into collections and share them across Organizations—think a self-service marketplace for specialized, high-value content. Rebecca: Honestly, Matt, what you’ve done with Lab Builder functionality is incredible. And I know you’re not done yet. Matt: Yeah, right—not at all. The team is already heads-down on an AI agent, but I won’t spoil it! Rebecca: Love that! Well, thanks again for meeting with me today, Matt. Maybe next time we can discuss ways customers or partners are already using Lab Builder to meet their unique needs—you know, deep-dive into specific use cases. Matt: Oh, absolutely—happy to share what customers are using Lab Builder for. Maybe we even host a webinar for that one? Would be fun to entertain some Q&A. Rebecca: Nice, let’s plan on it! Final Thought Lab Builder not only powers a customer-first UI and UX, it can help you transform every new threat, policy change, or internal tool into an interactive lab—on your timeline, with your exact requirements. Want to explore the possibilities? Contact your Account Manager for a personalized introduction to this powerful feature. In the meantime, preview how easy it is to customize learning by watching this quick demo: Meet Lab Builder
Your Guide to Effective AI Prompting
Why Prompting Matters for Crisis Simulations Think of AI as a highly intelligent, but literal, assistant. The quality of its output directly reflects the clarity and specificity of your instructions. For crisis simulations, this means: Relevance: Tailored scenarios that mirror your organization's unique risks, industry, and operational environment. Realism: Scenarios that feel authentic, with credible triggers, evolving complications, and realistic stakeholder reactions. Depth: Multi-layered scenarios that challenge your team's decision-making, communication, and collaboration skills. Actionability: Scenarios that provide clear learning objectives and reveal actionable insights for improving your crisis response plan. Core Principles of Effective Prompting Be Specific, Not Vague Bad Prompt "Generate a crisis." (Too generic, will give you a basic, unhelpful scenario.) Good Prompt "Generate a cybersecurity crisis scenario for a mid-sized e-commerce fashion retailer. The trigger is a ransomware attack that encrypts customer databases and disrupts order fulfillment." Why it works It defines the what (cybersecurity crisis, ransomware), the who (e-commerce fashion retailer, mid-sized), and the impact (encrypted databases, disrupted orders). Define your organisation and context using our drop down fields, and then add additional context. Industry (e.g., healthcare, finance, manufacturing, tech, retail) Threat (e.g., data breach, natural disaster, product recall, public relations nightmare, supply chain disruption, insider threat, workplace violence, financial fraud) Attack vector (e.g., phishing attack, severe weather event, manufacturing defect, viral social media post, disgruntled employee action, sudden market downturn) The more information the AI has about your specific context, the more tailored the scenario will be so consider adding further information such as: Company Size: (e.g., small startup, multinational corporation) Key Products/Services: (e.g., cloud-based software, physical goods, financial advisory) Target Audience: (e.g., B2B clients, general consumers, specific demographics) Geographic Scope: (e.g., local, national, global operations) Relevant Regulations/Compliance: (e.g., GDPR, HIPAA, industry-specific standards) Current Trends/Challenges: (e.g., supply chain issues, inflation, new technologies) Example: "Our company, 'Global Pharma Solutions,' is a multinational pharmaceutical company with a focus on novel drug development. We operate globally and are heavily regulated by the FDA and EMA. Generate a scenario reflecting a crisis involving a mislabeled drug batch, discovered shortly after market release in Europe and the US." Outline Key Stakeholders and Their Potential Reactions Realistic scenarios involve diverse stakeholders with varying interests and reactions. Internal: Employees, leadership, legal, HR, IT, communications, specific department teams. External: Customers, media, regulators, investors, suppliers, partners, general public, affected individuals. Desired Reaction: How should these stakeholders react? (e.g., panic, confusion, outrage, demanding answers, seeking legal action, offering support). Example: "Include reactions from panicked customers flooding social media, calls from concerned regulators, and an internal IT team struggling to diagnose the issue. Also, factor in a potential negative news story breaking on a major industry publication." Inject Complications and Escalation Crises rarely remain static. Build in elements that make the scenario evolve and become more challenging. Secondary Events: (e.g., power outage during a cyberattack, additional product defects discovered, key personnel unavailable) Information Gaps/Misinformation: (e.g., conflicting reports, rumors spreading on social media, difficulty in verifying facts) Ethical Dilemmas: (e.g., balancing transparency with legal implications, prioritizing different stakeholder needs) Time Constraints: (e.g., a critical decision needed within 30 minutes, public statement required by end of day) Example: "After the initial system outage, introduce a new complication: a cyber-espionage group claims responsibility on a dark web forum, threatening to release sensitive customer data if demands are not met, despite the initial incident being unrelated to a breach." Define the Learning Objectives (Optional, but Recommended) While the AI won't "know" your objectives, including them in your prompt can subtly guide its generation towards a scenario that helps you test specific aspects of your plan. Example: "The scenario should test our team's ability to communicate effectively under pressure," or "Focus on evaluating our supply chain resilience and alternative vendor protocols." By following these guidelines, you'll be well on your way to leveraging our AI crisis simulation feature to its fullest, preparing your team for any challenge the real world might throw at them. Happy simulating!Building Your First Practical Lab (Part 2)
This is the second blog in a 2 part series that will walk you through the entire process of building your first custom practical lab. You’ll learn how to do everything from launching and configuring an EC2 instance in your AWS account to imaging it and seamlessly integrating it into our platform. In part 1 we showed you how to create and import your own machine. You can read part 1 here. In this blog, we’ll walk through building a simple Linux privilege escalation scenario as a working example. Our goal is to give you the foundational steps so you can confidently design scenarios tailored to your own creativity, environment, and organizational needs. The lab objective Ensure you are connected to the machine via the Ubuntu user for the steps below and not our lab user (lab-user). The objective of this lab is to read a token file. To do so, the user will need to escalate privileges via a misconfiguration. We will create a flag.txt file inside /root/ that contains a string that the user must read in the lab. sudo nano /root/flag.txt Add some content inside the file. This will act as a flag that can be used later to complete the lab. w3ll_don3_h4ck3r Save the file The lab challenge Now let’s set up the challenge! The goal is for lab-user to find a way to read the /root/flag.txt which is owned by root and not accessible to the lab-user by default. They will do this by exploiting a world-writable script that is executed as the root user in cron job. Create a directory to hold the script that lab-user can exploit. For this example, it's going to be a simple script that outputs the current time to a file (not very creative). sudo mkdir /opt/date_printer This script will be executed by root, but lab-user will have write permissions to it. The initial content will be benign, but the purpose of this lab is for the lab-user to identify the misconfiguration that allows them to modify it to read the /root/flag.txt file to retrieve the flag. Create a file for the script: nano /opt/date_printer/printer.sh Add the following content: #!/bin/bash echo "Running date_printer: $(date '+%Y-%m-%d %H:%M:%S')" >> /var/log/date.log Save the file. Next, set the misconfigured permissions that allow lab-user to write to the script, enabling privilege escalation. sudo chmod +x /opt/date_printer/printer.sh sudo chown root:root /opt/date_printer/printer.sh sudo chmod 666 /opt/date_printer/printer.sh Additionally, we want to configure the folder to ensure root owns it, but other users on the machine have access to it. sudo chown root:root /opt/date_printer sudo chmod 777 /opt/date_printer Now, let’s add a cron job to run the script we just created. For this scenario, we are going to edit the /etc/crontab file. Cron jobs in this file are generally used for system-wide cron tasks and are readable by anyone. This is good as it adds some breadcrumbs to our lab! If the user reads this file (a common check when looking for privilege escalation on Linux), they will see a script gets run every minute, and it will point them to investigate that script file. Edit the file nano /etc/crontab Add the following line at the end of the file. This line tells cron to execute /opt/date_printer/printer.sh every minute, as the root user * * * * * root /opt/date_printer/printer.sh Save the file. At this point, we have a configured image with a low-privilege lab-user account, which we will use to connect to the lab machine. We also have a cronjob vulnerability that our users attempting the lab have to exploit as the lab-user! For this lab, all the user has to do is find the script that is run by the cronjob and edit it to print the token in the file we added at /root/flag.txt. They could do this by easily updating the /opt/date_printer/printer.sh script to replace the contents with #!/bin/bash cat /root/flag.txt >> /var/log/date.log This one-liner will cat the contents of the /root/flag.txt file to the /var/log/date.log file, which the user can then read to get the token (there are other things we could do here as well, but for the purposes of this lab, let's keep it simple). Imaging and sharing the lab AMI Go back to the EC2 dashboard and find the running instance you just configured. Right-click on the EC2 machine, select Image and templates, and then Create image. Image name: Provide a descriptive name, e.g., “MyFirstCyberLab-AMI” or “Linux-PrivEsc-Lab-AMI”. Image description: Add a brief description, e.g., “Custom lab with lab-user password SSH and cron job privesc scenario.” Leave other settings at their default values. Click Create image. This will now create an AMI from the configured EC2 lab machine. Adding your custom AMI to your lab Navigate to Lab Builder and go to your custom lab via Manage > Create Lab. If you haven’t created one yet, go ahead and do so by selecting Create a new custom lab. On the Lab details page, we can give our lab a name and configure various other settings. For the purposes of this example, we’ll call it Linux CTF Challenge, and we’ll fill out the rest of the information to ensure our users know what the lab is all about. Lab description: This is a Linux CTF machine designed to test your ability in privilege escalation! Estimated Time Required: 30 Minutes Difficulty: 3 Learning outcomes: Understand how to exploit a common Linux misconfiguration What’s involved: Investigate the machine and find the misconfiguration that allows for privilege escalation. Next, we want to fill in the briefing panel. The briefing panel is the learning material that lets our lab users understand a bit about the topic and anything else they need to know to answer the questions. Since this is a CTF, we’ll give them limited information: Linux CTF This is a CTF lab scenario designed to test your ability to exploit a common misconfiguration in Linux that could result in privilege escalation. Your task in this lab is to read a flag located at /root/flag.txt. Good luck! Next, we want to add a Task. Tasks are what the user has to solve to complete the lab. For this example lab, we want to add a question to verify that they’ve read the flag in the /root/flag.txt file. Select Add task, which will bring up a library of task types. From the library, select Question. This will add a question to the lab task list, which we can then edit by selecting Edit. Update the question settings to the following: Question text: What is the flag found in the /root/flag.txt file? Answer: w3ll_don3_h4ck3r The next stage is to import our custom image. Select Systems and then click Add under the Virtual machine—EC2 type. This will add a new machine to your lab. Once the machine has been added, we want to configure it. Selecting Edit at the top right will open the machine's configuration editor. In the blue information box, we provide which region and, most importantly, which AWS account to share your image with so that our platform can use it in a lab. Within your own AWS account where you created your AMI for the lab image, click on the AMI, and at the bottom of the screen, you will see Permissions. Select Edit AMI permissions and Add account ID. This will open a box where you enter the Account ID that is displayed in Lab Builder. Click Share AMI. Now, copy the AMI ID of the machine you just shared and add it to the Lab Builder machine AMI ID section: Set the following configuration for the other sections in this editor: System Name: Your chosen name for the system you’re configuring. For this example, let's call it “Linux Machine”. Instance Type: t3.medium Connection Type: SSH Username: lab-user (or the username you set) Password: lab-user (or the password you set) Once you’ve configured your system, you can easily use it in Lab Builder by selecting Preview System on the system view. Assuming you’ve built everything correctly, you’ll get a shiny preview of your newly configured machine! This is a good time to run through your lab scenario to ensure it's working correctly. And that’s it—congratulations on building your first practical lab! At this point, you can spruce up your lab by adding additional questions or details to the briefing panel and publish your lab to your organization for them to enjoy. This powerful new feature puts the control directly in your hands, allowing you to create incredibly specific and challenging learning environments. These range from simple privilege escalation scenarios like this one to complex, multi-machine attack simulations. We can’t wait to see the innovative labs you'll create. In the meantime, if you need more ideas or support, use our Help Centre docs for Lab Builder.Building Your First Practical Lab (Part 1)
This is the first blog in a 2 part series that will walk you through the entire process of building your first custom practical lab. You’ll learn how to do everything from launching and configuring an EC2 instance in your AWS account to imaging it and seamlessly integrating it into our platform. In this blog, we’ll walk through the process of creating and importing your own machines. In part 2 we’ll walk you through building a simple Linux privilege escalation scenario as a working example. Our goal is to give you the foundational steps so you can confidently design scenarios tailored to your own creativity, environment, and organizational needs. Building your machine in AWS The first step is to log into your AWS account and provision your first EC2 machine to be configured. Access to AWS will depend on your organization and its access rules (e.g., logging in via console.aws.amazon.com). Provision an EC2 Once logged in, the first step is to launch an EC2 instance. Search for “EC2” in the top search bar and click “EC2” under Services. In the EC2 Dashboard, click on “Launch instance”. The lab will use a standard Linux distribution. It’s recommended to start with a clean slate. Select Ubuntu Server 22.04 LTS (HVM), SSD Volume Type, or a similar recent Ubuntu LTS version. This is a widely used and well-documented distribution. It’s also in the free tier, which means we can keep costs as low as possible. The next step is to select the instance type. Lab Builder supports t3.micro, t3.medium, and t3.large. You can select whichever CPU type and associated resources your machine needs in the lab that best suits your needs. Since this is a reasonably straightforward Linux privilege escalation lab, we are going to use t3.micro. Now, we’ll need to configure the instance details. You can generally leave most of these settings as the default for the current purpose. Network: Ensure your default VPC and a subnet are selected. Auto-assign Public IP: Check this is enabled so you can SSH into the instance from the internet and configure it. Security Groups control the machine's inbound and outbound access. Since you need to configure the machine, make sure you have SSH open to SSH into it (alternatively, you can use AWS Systems Manager to control access without the need for SSH or direct network access). When using Security Groups, it's a good practice only to allow sources from trusted IPs. Select “Create Security Group.” Select Allow SSH traffic from For the source, it is recommended to select a trusted IP range or your own IP. The storage you’ll need will depend on the machine you’re building. However, the default storage (8 GiB General Purpose SSD gp2) is usually sufficient unless you're installing and configuring large applications. Note: We do not currently support encrypted EBS volumes. Now you’re ready to launch your machine! Review all your settings carefully and click Launch. You’ll be prompted to add an SSH key to the machine. You’ll use this key to connect to the instance and configure it. To create a new key pair, choose a name like my-lab-key and click Download Key Pair. Keep the downloaded .pem file secure—you’ll need it to SSH into your instance. If you’re using an existing key pair, select it. Once you have your key sorted, select Launch Instance. Your EC2 instance will now start to launch. It might take a few minutes for it to be ready. Configuring the instance for use as a lab Once your EC2 machine is launched and ready, it’s time to connect to and configure it, ready to be used in a custom lab! Connect to the running instance via SSH, using the key you downloaded previously when you provisioned the EC2. ssh -i <key>.pem ubuntu@<public_ip></public_ip></key> Note: You may need to change the permissions on the key first by running chmod 400 .pem Next, update the system packages. sudo apt update sudo apt upgrade -y Note: Depending on the future labs you create, you may not want to update system packages if you need specific versions of software or libraries installed. Setting up SSH for the lab user With Lab Builder, labs can be configured to have a session open when the lab loads. This session can be SSH, RDP, or HTTP. For this lab, we want the lab to load in the platform with the lab user already SSH’d into the machine, so they can get to work on the scenario straight away without needing to worry about connecting to a machine themselves. Many default Ubuntu AMIs disable SSH password authentication and only allow key-based authentication by default, but this can be changed. Password authentication needs to be enabled to allow our lab user to connect with a password (Lab Builder does not support key-based authentication). To do this, we can update the configuration for SSH. In the examples below, we use nano, but you can use whichever file editing tool you are comfortable with (Vi/Vim, etc.) sudo nano /etc/ssh/sshd_config Find the line that says: #PasswordAuthentication no or PasswordAuthentication no. We want to change this to allow our users to connect via a password: PasswordAuthentication yes Make sure ChallengeResponseAuthentication no is set to no (it usually is). Save the file. While this will work for most distributions, certain images provided by AWS can have additional config for SSH that needs to be changed. For our image that we are using in this example (Ubuntu Server 22.04 LTS (HVM), SSD Volume Type), we also need to change the file at the location below: /etc/ssh/sshd_config/60-cloudimg-settings.conf Open this file and make the same change we did for the other sshd_config file PasswordAuthentication yes For the changes to SSH to take effect, restart the SSH service: sudo systemctl restart ssh Next, let's create a dedicated user account for our lab participants. sudo adduser lab-user When prompted: Enter a password that will be used for lab-user (make sure you remember this, as we will need it later!) Re-enter the password to confirm. You can press Enter for all the full name, room number, etc., prompts. Confirm with Y when asked if the information is correct. Note: We recommend changing the password above to something unique to you and this machine. At this point, we recommend logging out of the existing SSH session as the Ubuntu user and logging in as the newly created lab-user to verify that the SSH configuration has been updated and that you can successfully connect to the machine via password-based SSH authentication. ssh lab-user@<ec2-ip></ec2-ip> You should be prompted to enter the user's password, which will connect you to the machine. ssh lab-user@52.18.126.144 lab-user@52.18.126.144's password: >Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-1029-aws x86_64) >lab-user@ip-172-31-17-115:~$ Ready to create the lab challenge? Read part 2 here.Feature Focus: Crisis Sim Presentation Mode Uplifts
Here at Immersive, we're constantly striving to push the boundaries of cyber education and make our simulations as realistic and impactful as possible. We believe that truly effective learning happens when you're immersed in a genuinely challenging and engaging scenario. That's why we're incredibly excited to announce a significant uplift to the UI and UX of our Crisis Sim Presentation Mode. These aren't just cosmetic tweaks; they’re impactful changes, requested by you, designed to elevate the realism and engagement of your crisis simulation exercises, making the experience more dynamic and true-to-life for you and your team. A modern makeover for a seamless experience First impressions matter, and we’ve given the Presentation Mode UI a thorough modernization. This refresh delivers a cleaner, more intuitive aesthetic that’s not just pleasing to the eye, but also enhances clarity and reduces cognitive load during high-stakes scenarios. Our goal was to create an environment that feels contemporary and professional, reflecting the gravity of the simulated situations. Crucial UX enhancements for heightened realism Beyond the visual refresh, we've implemented several key UX changes that directly address the need for increased realism and participant engagement: The optional countdown timer: Feel the pressure build! In a real crisis, time is often a critical factor. Now, with the addition of an optional countdown timer, facilitators can introduce this vital element directly into the Presentation Mode. This isn't just about a ticking clock; it's about replicating the pressure and time constraints that decision-makers face in genuine incident response. This subtle yet powerful addition can significantly heighten the sense of urgency and consequence for participants, driving more active and strategic thinking. Navigating back: review and reflect in read-only mode Ever wished you could quickly refer back to a previous piece of information during a fast-paced crisis? Now you can! We've introduced the ability to navigate back to previous injects in a read-only mode. This means participants can revisit past communications, intelligence, or decisions without impacting the live progression of the exercise. This feature fosters better situational awareness and allows for more informed decision-making, mirroring the investigative and analytical processes that occur during a real incident. Companion App integration: all your content, always on hand Perhaps one of the most impactful changes for participant engagement is the surfacing of all content and static rich media directly on the Companion App. Previously, certain elements might have been facilitator-driven. Now, everything from critical intelligence reports to simulated news articles, social media feeds, and relevant imagery is immediately accessible to participants on their personal devices. This comprehensive content delivery ensures that participants have all the necessary information at their fingertips, enabling them to actively participate, analyze, and collaborate without disruption. It transforms the Companion App into a truly indispensable tool for the exercise, fostering deeper immersion and a more authentic crisis experience. Why these changes matter Our core mission at Immersive is to make learning about cybersecurity as effective and memorable as possible. These updates to Crisis Sim Presentation Mode directly serve that mission by: Increasing realism: By incorporating elements like time pressure and readily accessible information, we're making our simulations more closely resemble the complexities and demands of real-world cyber crises. Boosting engagement: When participants have all the information they need at their fingertips and can actively interact with the scenario, their engagement levels naturally soar. This leads to more meaningful learning outcomes and a greater retention of critical skills. Enhancing learning outcomes: A more realistic and engaging environment naturally fosters better decision-making skills, improved teamwork, and a deeper understanding of crisis management principles. These enhancements will provide an even more powerful and immersive experience for both facilitators and participants. We're confident that these changes will lead to even more impactful learning and a greater readiness to tackle the cyber challenges of tomorrow. Share your thoughts We can't wait for you to experience the difference, and we’d love to hear your thoughts on the changes. Log in to your Immersive platform and explore the enhanced Crisis Sim Presentation Mode today!Begin Again: How to Plan for Your Next Crisis Sim Exercise
Welcome back to the third installment in our series for managers using Crisis Sim. If you missed the first two episodes, check them out here: Crisis Sim Complete: Now What? Between Two Sims: What to Focus on Between Exercises The threat landscape is ever evolving and shows no sign of slowing down. Focus on cyber resilience is more important than ever. Everyone must continue to upskill and improve their incident response strategy so businesses can function as usual. In this guide, we’ll help you understand how you can effectively prove and improve your organizational cyber resilience in a crisis. Not sure where to begin? Here’s your guide to planning and preparation You've analyzed the data, bridged the gaps in your processes between exercises, and started building a culture of cyber resilience. Now, it's time to gear up for your next simulation! Remember, each exercise is a fresh opportunity to refine your team's skills, highlight existing strengths and weaknesses, and problem-solve together – all while strengthening your organization's cyber resilience. Let's dive into how to plan your next Crisis Sim for maximum impact. Next steps for managers Goals and objectives Every successful Crisis Sim starts with a clear destination. Before you jump in, take a moment to align your exercise objectives with your organization's priorities. Ask yourself: What specific skills do you want to test? Are there already any areas of concern? In a crisis, what are the most important considerations? For example, if your last exercise revealed communication gaps during a ransomware attack, your next objective might be to improve interdepartmental communication protocols within a defined timeframe. Tip: Incorporate next steps, action items, and the ownership of those items in your debriefs! This way, all parties walk away understanding what must be done to address immediate needs. Ahead of a crisis, you should consider areas that have a critical impact on your organization. Factors could include: Reputational impact: Damaged public and stakeholder trust, eroded image, social media amplification, and strained business relationships. Financial impact: Stock price drops, revenue losses, increased costs incurred, including legal fees, potential fines, and recovery efforts. Operational impact: Disrupted operations, production delays, supply chain issues, service interruptions, and the potential for both physical and digital infrastructure damage. Physical safety impact: Cyber incidents can lead to safety system failures, utility disruptions, security breaches, and equipment sabotage – posing serious risks to employees and the public. Legal and regulatory impact: Cyber incidents can trigger lawsuits, regulatory or criminal investigations, and significant fines – especially for safety or ethical violations. Did you know? IBM’s 2024 Cost of a Data Breach Report found that the global average cost of a data breach has surged to USD 4.88 million. Scenario selection and target audience Choose scenarios that reflect the real-world threats your organization faces. Consider the level of difficulty, technical skill, and complexity, and select participants from diverse departments to ensure a comprehensive evaluation. Even though you may eat, sleep, and breathe cybersecurity, others may be less familiar – cater to your audience! Customize exercises from our Scenario Catalog to make them relevant and impactful for your organization. The goal is to realistically test your team’s readiness while reinforcing best practices, processes, and decision making. Consider including participants who aren’t usually involved in cyber incident response to break down silos and boost collaboration. If they’re unclear on how to report an issue, it could delay notification and hinder activation of your response plan. Effective injects and options Design injects that challenge decision making and reflect real-world scenarios. Use branching paths and feedback to boost engagement and learning. Leverage all Crisis Sim features – like Option Ranking, and Inject Confidence – to gather valuable data. This not only highlights knowledge gaps and overall risk, but also directly supports your After Action Report, helping you capture the insights, graphs, and charts managers often look for post-exercise. Tip: Use injects that require participants to consider multiple factors and make tough choices under pressure. This will help them develop critical thinking skills. Preparation and facilitation for a successful exercise Preparation is essential for a successful simulation. Set clear expectations, share resources and training materials, and ensure technical, timing, and contingency logistics are in place. Involve stakeholders and leadership early to gain support and align the exercise with organizational goals – they can provide critical input on objectives, attack vectors, and realism. A well-prepared team is a confident team. Make sure everyone knows what to expect and has the tools they need to succeed. Facilitation During the exercise, focus on managing the flow and timing, encouraging active participation, and paying attention to your team's conversations. We recommend having an internal notetaker who can focus on the conversations so that key insights and takeaways don’t get lost or overlooked. Remember, your role is to guide the learning process and ensure everyone gets the most out of the experience – the discussion and collaboration of your teams is a key benefit! Keep the atmosphere positive and supportive, even when things get challenging. Not all options in a crisis are good options, so encourage your team to take risks, make mistakes, and play out what their gut instincts tell them. Reinforce the idea that this isn’t a test, but an opportunity for individuals, teams, and the organization as a whole to take stock of what improvements can be made. It’s a learning experience for participants and facilitators, not a pass/fail exercise. There’s a reason why athletes practice! It’s better to make mistakes when the game isn’t on the line, and the same goes for incidents! It’s better to be wrong and learn from the exercise than to see these gaps in knowledge and processes play out during a real incident. Feedback and considerations Depending on your exercise objectives, follow up with stakeholders and participants to gather feedback and key takeaways. This can be done through a group hotwash, an anonymous survey, or scheduled feedback sessions after the team has had time to reflect. Tip: Encourage additional feedback after a brief cooling-off period to capture both immediate reactions and more thoughtful insights once the team has had time to reflect on the exercise. Planning your next Crisis Sim exercise is an opportunity to build on your team's strengths and address any remaining vulnerabilities. Set clear objectives, select the right scenarios and participants, design effective injects, and prepare thoroughly to facilitate a smooth exercise. By doing this, you can maximize the impact of your simulations and strengthen your organization's cyber resilience. You know your organization and teams better than anyone, so it’s ultimately up to you how you want to proceed! To ensure your next exercise is a success in proving and improving upon your cyber resilience, we encourage you to prioritize these items: Define and communicate the objectives to all participants, whether it's testing a new process, improving communication and handoffs, or enhancing crisis preparedness. Develop realistic scenarios by incorporating real-world, industry-specific events to create relevant and challenging experiences. Prepare logistics, including technical setups, briefing documents, and technology like video conferencing tools or software. Tip: For presentation exercises, remember to send out calendar holds and account for virtual or in-person meeting logistics! Share your thoughts If you’ve recently started planning your next Crisis Sim exercise, what changes did you make from the previous exercise? What recommendations do you have for others who are beginning their Crisis Sim journey? Join the discussion below!
