October is here! Prepare for Cybersecurity Awareness Month with Immersive đ
In a world where technology and threats are constantly evolving, building a resilient team is more important than ever. At Immersive, we're proud to be your partner in this journey, and we've put together a fantastic lineup of events, challenges, and resources throughout October to help you and your teams stay ahead of the curve. Whatâs on at Immersive this Cybersecurity Awareness Month đ Oct 1st Whitepaper: GenAIâs Impact on Cybersecurity Skills and Training Oct 6th Trick or Treat on Specter Street Challenge Begins: Labs 1-3 Oct 9th Labs Live: Ripper's Riddle Community Webinar Oct 13th Trick or Treat on Specter Street Challenge: Labs 4 - 6 Oct 15th Webinar: How to Build a People-Centric Defense for AI-Driven Attacks Oct 16th Labs Live: Cursed Canvas Community Webinar Oct 20th Trick or Treat on Specter Street Challenge: Labs 7 - 9 Oct 22nd Cyber Resilience Customer Awards Winners Revealed Oct 23rd Labs Live: Macro Polo Community Webinar Oct 27th Trick or Treat on Specter Street Challenge: Labs 10-12 Oct 30th Labs Live: Phantom Pages Webinar Oct 31st Trick or Treat on Specter Street Challenge Finale: Labs 13 Oct 31st Virtual Crisis Sim: The Puppet Masterâs Trick or Treat Challenges and Labs Trick or Treat on Specter Street đ» Welcome to Trick or Treat on Specter Street, a Halloween-themed cybersecurity challenge where you'll use both offensive and defensive skills to solve a mystery unlike anything weâve encountered before. Each week throughout October, weâll drop new hands-on labs that slowly begin to uncover the secrets of Specter Street. Can you crack the case? Find out more. AI Foundations đ€ Ready to navigate the rapidly evolving world of Artificial Intelligence with confidence? Give our new AI Foundations lab collection a go! Designed to equip your teams with critical AI knowledge and practical implementation skills; this initial collection features seven foundational labs that progressively guide your teams from high-level overviews to secure, hands-on AI implementation. Find out more. Events and Webinars Webinar How to Build a People-Centric Defense for AI-Driven Attacks Wednesday October 15th A must-attend event for understanding how threat actors are leveraging AI and other emerging technologies to carry out attacks. Register Now. Virtual Crisis Sim The Puppet Masterâs Trick or Treat Friday October 31st Join us on Halloween as the notorious Puppet Master returns for a fiendish game of Trick or Treat đ Play along with our Immersive crisis response experts as we tackle a LIVE coordinated attack from the Puppet Master on a Critical National Infrastructure organization. Dare you play the Puppet Masterâs game and survive, or will they finally get their revenge?! Register Now. AI and Emerging Threats Throughout the month, weâre shining a spotlight on the rise of AI in cyber. From our all-new AI Foundational lab series to cutting edge research from the experts at the cutting edge of GenAI in cybersecurity in our latest whitepaper: GenAIâs Impact on Cybersecurity Skills and Training. Explore our latest AI-focused resources and upskill your teams to confidently face the future of cyber resilience. Check out our latest reports, articles, webinars and more on GenAI, here. Celebrating Cyber Resilience Heroes đ We're also celebrating the individuals and organizations at the forefront of cyber resilience with our Cyber Resilience Customer Awards. Keep your eyes peeled on our social channels! We'll be unveiling our latest winners on October 22nd, recognizing those who demonstrate an outstanding commitment to proving and improving their cyber readiness. It's going to be a jam-packed month focused on practical application and deep engagement. Letâs make this the most secure October yet!
Enter The Maze Challenge: Immersiveâs Most Advanced Collection Yet
Today marks the release of the Maze Challenge, Immersiveâs most advanced and cunningly designed offensive cybersecurity collection yet. This new series of labs is more than just a test of skills. It's a puzzle, a game, and a creative brain-bender, crafted by two of Immersiveâs most brilliant minds: StefanApostolâ and SabrinaKayaciâ. Stefan, known to many as the "evil genius" behind the Human Connection Challenge, and Sabrina, who recently inspired our London community meetup attendees with her predictions on AI within the AppSec space, have teamed up to create something truly unique. We sat down with them to get their insights on what makes the Maze Challenge so special, so challenging, and so much fun. What was the main inspiration behind the maze theme, and how did you translate that narrative into a collection of technical labs? The core idea for the Maze Challenge, as Stefan explained, came from a shared love of games. "Both Sabrina and I are geeks. We like games, and we wanted to create a challenge with an overarching goal that was more than about earning a completion token." While our labs have always awarded tokens for completion, Stefan and Sabrina wanted to create a narrative that would engage users on a deeper level. "A maze is the perfect example of that," Stefan said. "We wanted to include a game element in these challenges." This isn't just a series of technical scenarios. It's a cohesive puzzle where each lab is a step toward a larger objective. The maze narrative encourages participants to think creatively, connecting different skills and techniques in a way that feels more like a game than a traditional capture the flag (CTF). Iâve heard that this is the most advanced lab collection yet. So, what makes these labs more challenging than the thousands of others in Immersive's catalogue? This collection is Immersive's most advanced to date, introducing a range of techniques not yet widely covered in the platform. The labs are a combination of real-world examples drawn from the creators' past experiences and internal testing, all woven together with a good deal of imagination. While the challenge covers a broad spectrum of offensive skills, including web, Linux, Windows, and Active Directory, Stefan was quick to name binary exploitation as an obvious concept that will have participants scratching their heads. The team collaborated with BenMcCarthyâ on this particular lab, and Ben being Ben, he poured all his creativity into it, making even Stefan nervous to attempt this mean challenge! Sabrina added that the real difficulty lies in the type of thinking required. "Some of them will really require outside-the-box thinking," she said. "They're unusual in a way that requires not just the technical skill, but some creativity and more critical thinking." This is a key theme throughout the collection. Participants can't rely on a simple, formulaic approach. Instead, they must be flexible and resourceful. Sabrina noted that some challenges will require "multiple sets of skills," forcing users to chain together their expertise in different areas to find a solution. Without giving away any spoilers, can you describe a moment in one of the labs that you're particularly proud of designing? Sabrina beamed as she recalled the Inner Maze lab. "I really enjoyed creating Inner Maze," she said, before adding a cryptic twist. "When you break out of that maze is when you're really trapped." She was particularly proud of her ability to create and then beat her own challenge, finding the exploit even more difficult than the design itself. Can you give users any hints or tips? The Maze Challenge is designed to be tough, and you should certainly expect it to be just that. However, the creators want everyone to have a fair shot, so theyâve some advice for those who might feel intimidated. Use the platform to your advantage. Stefan noted that around 98% of concepts within this challenge can be learned in the rest of our lab catalogue. âIf you get stuck on a specific skill, take a break from the maze, find the relevant labs on the platform, and then come back with your newfound knowledge.â We encourage you to learn along the way, and persistence is always rewarded! Failure can be a sign of progress. Sabrina shared a key insight: "Sometimes it's important to take note of what it is you're doing that's failing... If you're failing at the same spot in a particular approach, that could actually mean that you're doing something right." Go figure that one out! Don't go it alone. Sabrina advises anyone starting their journey to ask others for advice and help. Our community help forum is a great resource for sharing knowledge and getting tips from fellow participants. We want you to have fun, and part of that fun is collaborating with your industry peers along the way. In the end, what do you hope participants will take away from this experience, beyond the technical skills? Stefan and Sabrina both hope it's a "desire for more challengesâ! They also dropped a teaser for a community Halloween challenge⊠Thatâs all youâre getting for now! đ Want a head start? Join Stefan and Sabrina for a Labs Live webinar on August 19th. Theyâll be solving the Improbable Maze lab live on the call, in collaboration with you. Attendees are encouraged to play along, offer their suggestions, methods, and frustrations. Itâs the perfect opportunity to see the creatorsâ thought process and gain some momentum for your own journey through the maze. See you there!Unlock the World of AI: Introducing Our New AI Foundations Collection!
That's why weâre thrilled to announce the launch of our new AI Foundations collection, a comprehensive set of labs designed to empower you to navigate the fast-paced world of AI confidently. This seven-part lab collection is your guided tour through the core components of modern AI implementation. We've crafted this collection for everyone, breaking down complex concepts into digestible, easy-to-understand labs. Whether you're a seasoned tech professional or just starting your AI journey, this collection will provide you with a practical, hands-on understanding of how AI systems are built and how they work together to deliver powerful capabilities. NOTE: These labs are only available for customers who havenât opted out of AI-related content. Why a new AI collection? Our customers have asked for more in-depth AI content â a demand that mirrors the explosive growth of the AI market. This new collection is our commitment to staying at the forefront of the industry and proactively addressing the needs of our community. What you'll learn The AI Foundations collection is a journey through the essential concepts of artificial intelligence. Each lab builds on the last, culminating in a holistic understanding of modern AI systems, with a special focus on agentic AI. Here's a glimpse into what you'll discover: Episode 1: Artificial Intelligence (Theory): Dive into the fundamentals of AI, exploring what it is, how it works, and the distinctions between generative AI and AGI. It also discusses AIâs limitations and demystifies the "illusion of thinking". Episode 2: Core Components (Theory): Get acquainted with the building blocks of AI, including LLMs, embedding and diffusion models, RAG, MCP, and the exciting world of agentic AI. It also touches on crucial security considerations as AI transitions from "knowing" to "doing". Episode 3: Large Language Models (Theory): Explore the power of foundational models, the importance of fine-tuning, the role of system prompts, and security considerations such as exploitable vulnerabilities and data privacy. Episode 4: Retrieval Augmented Generation (RAG) (Practical): Take a deep dive into RAG, vector databases, embedding, and chunking. In this hands-on lab, you'll create a knowledge base, chunk a file, and query a fictional company's proprietary data through an integrated AI chatbot. Episode 5: Model Context Protocol (MCP) (Practical): Understand the MCP protocol and its architecture within the broader AI landscape. You'll get hands-on experience using MCP Inspector to interact with an MCP server, and instruct an AI chatbot to organize files on your desktop, gaining insight into exactly how tools are chosen and invoked. Episode 6: Agentic AI (Practical): Immerse yourself in the world of AI agents. You'll get access to real AI agents within a safe sandbox environment. The curious can poke and edit the code and explore integrated Langfuse for a deeper look into the observability of the AI system. Episode 7: Demonstrate Your Knowledge (Theory): Put your newfound knowledge to the test and solidify your understanding of the concepts covered throughout the collection. Secure and private by design We've built our practical AI labs with your security and privacy as the top priority. When you launch a lab, you're entering a completely isolated, sandboxed environment. These sandboxes are self-contained and have no connection to any customer data or personal information. Think of it as your own private, temporary workspace thatâs thoroughly purged after each use. To interact with the AI models, each lab session creates temporary user credentials. Not only are these credentials temporary, but theyâre also locked to the lab environment itself. This means that even if the credentials were to be exposed, they would be useless outside of the specific lab they were created for, providing a robust layer of security. Access to the internet is also strictly controlled, which only allows connections to the minimum endpoints required for the lab to function. We utilize privacy-centric AI models designed to protect your data. The models we use donât store or log your prompts and completions. Furthermore, your interactions are never used to train any models, ensuring that your data remains your own. Weâve also opted out of any content being used for service improvements across all the AI services we use. In some of our more advanced labs, we've implemented an additional layer of security with guardrails that preprocess user inputs and model outputs to filter for harmful or inappropriate content. These guardrails are mandatory and canât be bypassed by users within the lab environment. These multiple layers of security work together to provide a safe and secure environment for you to learn and experiment with AI. Who is this collection for? Everyone! We've designed these labs to be a guided walkthrough, making even the more technical details accessible to anyone working with or interested in AI. Whether you're a developer, a business leader, a student, or simply a curious mind, our AI Foundations course will equip you with the knowledge and skills to thrive in the age of artificial intelligence. Join us on this exciting journey and unlock the power of AI. Get ready to build, innovate, and lead in the new era of intelligence.New Labs: BlackHat 2025 and DefCon 33
Throughout early August 2025, representatives from Immersive's cyber team attended the BlackHat 2025 and DefCon 33 conferences and got great exposure to the latest technologies, topics, and techniques presented by the sharpest minds in our industry. As a result of attending these talks, workshops, and villages, Immersive has created brand new labs going through the various talks that took place, allowing you to get hands-on with the latest technologies and exploits. We present a number of brand new labs covering some of the most interesting and insightful topics from the events, from operational technology (OT) to achieving privilege escalation through firewall software. AI was a hot topic, as you would imagine, especially around Prompt Injection attacks. We already have plenty of content on Prompt Injection, not to mention the new AI Foundations content, so for this series, we created an Appsec Style lab around preventing Prompt Injection attacks. Why should our customers care? BlackHat and DefCon are two conferences that attract the greatest minds in cyber to get together and share their knowledge through workshops, official talks, and villages. Given the high diversity of events and talks that took place, there is something for everyone! Many of the topic areas shared are things that attackers could easily exploit themselves, so taking advantage of the information in these labs equips our customers with the knowledge of the latest vulnerabilities, threats, and exploitation techniques currently being talked about in the industry - improving your resilience and preparation against the latest threats. Who are the labs for? Offensive Security Engineers and Penetration Testers SOC Analysts and Incident Responders Malware Reverse Engineers Operational Technology Engineers Cyber Security Engineers Here is a list of the labs in this release: Binary Facades: Extracting Embedded Scripts CVE-2024-5921 Redux - Bypassing mitigations to PrivEsc with Palo Alto Global Protect Chrome Alone: Transforming a Browser into a C2 Platform No VPN Needed?: Cryptographic Attacks Against the OPC UA Protocol Python: AI Prompt Injection If you'd like to do any of these labs, here is a link to the BlackHat/DefCon collection: https://immersivelabs.online/series/defcon-black-hat/More Immersive Cyber Drills: How Rich Media Can Bring a Scenario to Life
When running a cyber drill, itâs useful to have a consistent and cohesive sense of the story throughout. The use of branding and rich media (videos and audio related to the theme) can engage participants through a sense of world-building and storytelling. Imagine your company drill looking like your company â logo, color scheme, font and all. The Brand Itâs a good idea to start with all the assets needed to create the custom content. In my case, I created a logo and color scheme for a fictional news company, CHANNEL 6 News. The intention was to create a consistent look and feel for the news updates we would use. Using a simple color palette and classic news branding style, I could then create a virtual website for news updates using presentation software. This allows for ease of editing and can be presented full-screen to look like a webpage. A key requirement of the project was to create content that could be edited by anyone â no special software needed. This is just a slide in a presentation! The slide format could be used to represent a company website, a news outlet, or anything to aid the storytelling. Each slide in the presentation is a copy of the previous, but the news story is changed (title, image, and copy). Rich Media Video is engaging; it grabs our attention and helps with immersion. Video that has relevant branding and specifics has the chance to immerse participants even further. Continuing with the Channel 6 News theme, I used an AI video generator to create a news presenter intro and outro, all within a single prompt to maintain a consistent look. I also created a graphical intro in professional video editing software, aligning the branding and adding stock backing music. Using a more stripped-back video editing app, such as Google Vids, templates can be created with the intro and outro already in place. In between, video clips and voiceover (also generated) provide the main content of the news update. These templates allow for quick editing by anyone without the need for expert software. Download the MP4, and weâre ready to slot it into a cyber drill! Here's an example of the intro/outro and small amount of content between. Company Videos Immersive has a fictional company it uses for Crisis Sims called Orchid Corp. We have brand assets (logos, graphics, etc.) that we use to create print and digital media. I created employee welcome videos using stock media and generated voiceover audio, which ended up being fairly convincing. Now, imagine your company assets in whatever type of video you want. Perhaps a news broadcast, maybe an internal or external press release on the crisis situation. The more entertaining and interesting the content, the more immersion and engagement. Prove and Improve Running drills with custom videos will capture your audienceâs attention and imagination. There's a great opportunity to review how the media can be adjusted for further storytelling depth. It could be effective to have the story evolve at a future drill, building on the actions taken previously. Having templates for the content, such as a news update clip, means that significant time is saved in preparation and a consistent feel is kept across drills.Recommendations for Writing a Program Welcome Email
Key Objectives of the Email Generate Excitement: Make employees want to participate. Clearly State Benefits: What's in it for them? Provide Clear Next Steps: How do they get started? Assure Support: Who to ask for help? Reinforce Company Vision: Link individual growth to organizational success. Recommended Email Structure & Content 1. Compelling Subject Line Purpose: Grab attention, convey value immediately. Examples: "Unlock Your Potential: Introducing [Program Name]!" "Elevate Your Skills: Your Gateway to Growth is Here!" "Future-Proof Your Career: Announcing Our New Upskilling Initiative!" "Exciting News: Your Path to [Skill Area] Mastery Starts Now!" "Invest in Yourself: [Company Name]'s New Upskilling Program" 2. Warm & Enthusiastic Opening Purpose: Welcome, set a positive tone. Content: "Dear [Employee Name]," or "Hello Team," "We're thrilled to announce..." or "Get ready to elevate your career..." "At [Company Name], we believe in fostering continuous growth and development for every member of our team." 3. Program Overview (The "What") Purpose: Briefly explain what the program is. Content: Introduce the program name (e.g., "The [Program Name] Upskilling Initiative"). Briefly describe its scope (e.g., "a comprehensive program designed to enhance critical skills," "a tailored learning experience focusing on [key skill areas]"). Mention the format (e.g., "via interactive online modules," "expert-led workshops," "hands-on labs"). 4. Benefits to the Employee (The "Why Them") Purpose: This is the most crucial section â articulate the direct value to the individual. Content: "Why should you participate? This program is designed to help you:" Advance your career: "Unlock new opportunities for career growth within [Company Name]." Stay competitive: "Master the latest industry skills and technologies." Boost your confidence: "Deepen your expertise and take on new challenges." Enhance your impact: "Contribute even more effectively to your team's and [Company Name]'s success." Personal Growth: "Invest in your personal and professional development." (Optional but impactful): "Aligned with our commitment to [Company Value, e.g., Innovation, Excellence]." 5. How to Get Started (Clear Call to Action - CTA) Purpose: Make enrollment easy and intuitive. Content: "Getting started is simple! Here's how to begin your learning journey:" Provide a clear, clickable link: "Click here to explore the [Program Name] Hub." Brief instructions: "Log in with your [Company Credentials]," "Browse the course catalog," "Enroll in your first module." Mention any deadlines or enrollment periods if applicable. 6. Support & Resources: Purpose: Assure employees they won't be alone. Content: "We're committed to supporting you every step of the way." "For any questions, technical support, or guidance on choosing your learning path, please contact [L&D Team Email/Name, or specific Slack channel]." âSpeak with your manager and map this to your own Professional Development Plan (PDP) for regular support and feedbackâ âWe're so excited to celebrate your successes with you, and we're here to offer a helping hand as you grow!â Mention FAQs or a dedicated resource page if available. 7. Closing Purpose: Reinforce enthusiasm and look forward to their participation. Content: "We are incredibly excited about the potential this program holds for your individual growth and our collective success." Reinforce / remind positive impact to organisation âThis program will make [Company Name] continue to be class leading / stay ahead of the competition / be the best place to workâ "We look forward to seeing you thrive!" "Sincerely," / "Best regards," / "Warmly," [Your Name/Learning & Development Team/Leadership Team] General Recommendations for Effectiveness Personalization: Always use the recipient's name. Conciseness: Get to the point. Employees are busy. Visuals (Optional but Recommended): Consider including a compelling image or a short introductory video if available. Follow-Up Strategy: Plan reminder emails for those who haven't enrolled, and share success stories later. Manager Communication: Ensure managers are informed before the general team, so they can support and encourage participation. By following these recommendations, your upskilling program launch email can effectively motivate employees and kickstart a successful learning initiative.No Sleep on State-Backed Threats: Train for Cyber Conflict Before It Starts
In 2025, the cybersecurity landscape isnât just evolving â itâs accelerating. State-backed cyberattacks, geopolitical tensions, and a fragmented regulatory environment have placed cyber resilience squarely at the top of boardroom agendas. But while the threats are growing, clear directives and unified mandates are not. Cybersecurity leaders are left asking: If federal policy wonât dictate readiness, how can we validate that weâre prepared? The policy gap: Why the One Big Beautiful Bill wonât save us Despite its sweeping scope, the recently passed One Big Beautiful Bill Act (H.R.1, P.L. 119-21) is notably silent on cybersecurity policy. It includes: Investments of $150M to the Department of Defense for business system modernization, including AI-aided financial auditing $200M for AI-enabled audit systems $20M to DARPA cybersecurity research efforts $250M for Cyber Commandâs AI âlines of effortâ $685M toward military cryptographic modernization, including quantum benchmarking While these appropriations equip government agencies to modernize and strengthen cyber and crypto capabilities, they stop short of mandating new cross-industry controls, standards, or compliance obligations for private sector entities. Organizations canât depend on Washington to drive cyber resilience strategy, given how dynamic the landscape is today. Instead, leaders must build proactive, measurable programs rooted in industry frameworks like NIST CSF, ISO 27001, and MITRE ATT&CK. At the same time, they need to monitor shifting government priorities (vis-Ă -vis risks), evolving state-level regulations, and sector-specific requirements like the Digital Operational Resilience Act for financial services. In short, cyber resilience remains an internal obligation, not an external mandate. The stakes are rising: Salt Typhoon breach proves itâs about people In June 2025, a DHS memo confirmed that Salt Typhoon, a Chinese state-linked hacking group, gained extensive, months-long access to a U.S. Army National Guard network. This breach wasnât just a military problem â it highlighted systemic risks across civilian infrastructure, state governments, and critical services. The attackers stole administrative credentials, internal diagrams, network configurations, and PII of service members, creating opportunities for lateral movement and follow-on attacks against civilian sectors. As Ellis, a cybersecurity advisor quoted in the memo, pointed out: "An intrusion on a National Guard isn't a 'military only' operation. States regularly engage their Guard to assist with cyber defense of civilian infrastructure." This breach underscores the harsh reality that cyber adversaries arenât bound by the Law of Armed Conflict â and theyâre fully prepared to target civilian infrastructure as part of their strategy. Cyberwar is official: NATOâs Article 5 sets a new precedent NATO now explicitly recognizes cyberattacks as potential triggers for Article 5 collective defense measures. This isnât about responding to routine ransomware or phishing scams â itâs about preparing for strategic-level attacks that can disrupt economies, paralyze infrastructure, or compromise national defense. To meet this challenge, NATO is expanding joint cyber exercises like Locked Shields and Cyber Coalition, simulating real-world adversaries and integrating civilian infrastructure into their scenarios. Our key lesson? Modern conflict starts in cyberspace â and organizations need to train for it before the first packet hits. Train like the threat is already inside 1. State-sponsored threat actor playbooks Train your team to recognize and respond to APT tactics in the wild. From credential harvesting to stealthy exfiltration, hands-on simulations build muscle memory against real adversary behaviors â not textbook theory. Get hands-on with Threat Actors: Salt Typhoon and explore a recent SNAPPYBEE Campaign Analysis to see how the group uses backdoors to conduct espionage operations. Our complete Threat Actors collection covers a wide range of threat groups and their TTPs, providing practical simulations that build muscle memory against real adversary behaviors. Weâve talked about APT29 before đ ââïžđ» and they remain an active threat. Refresh with APT29: Threat Hunting with Splunk and dig into practical nation-state threat intelligence and IOC analysis. 2. Salt Typhoon TTP training Defend against the tactics actually used in the Salt Typhoon breach: Lateral movement: Our MITRE ATT&CK collection covers lateral movement tactics, providing comprehensive training on how attackers move within a network and how to defend against such actions. Credential compromise: The Credential Access collection offers practical experience in understanding and mitigating credential access vulnerabilities, which is crucial for defending against credential compromise. Network reconnaissance: Our Reconnaissance collection focuses on various techniques and tools used for gathering information, which can help in understanding and defending against network reconnaissance. Data exfiltration: Another hit for the Incident Response collection! These labs are specifically designed to teach incident responders how to detect data exfiltration. Put your team in the hot seat and test their response before the next real-world incident hits. 3. AI-readiness for cyber defenders AI is transforming both red and blue team tactics. Prepare with practical training to drive understanding of AI model risks (e.g. prompt injection, data leakage) and build skills defending AI-enabled environments before attackers exploit them. The AI Fundamentals collection offers a broader understanding of AI's role in cybersecurity, covering topics like data ethics, TensorFlow for machine learning, and emerging threats. The AI Challenges collection focuses on identifying vulnerabilities in AI systems, such as AI plugin injection and prompt injection attacks, providing hands-on experience in mitigating AI security risks. Together, these collections provide comprehensive training on both understanding and defending AI-enabled environments against potential threats. 4. Incident response: No-doze drills Run full-cycle incident response simulations, from detection to containment to recovery. Focus on the messy middle: ambiguous alerts, cross-team coordination, and real-time decision-making under pressure. Train with our Introduction to Incident Response and Incident Response collections. These collections cover the entire incident response process, including detection, containment, and recovery, with an emphasis on cross-team coordination and real-time decision-making. Then, test your skills with our new Cyber Range Exercise inspired by Salt Typhoon with simulated malware, or our Crisis Simulations focused on nation-state attacks. 5. Critical infrastructure and IT/OT defense modules Your OT environment isnât off-limits to adversaries. Practice defending blended IT/OT networks, identify cascading risks, and rehearse failover processes when the grid comes under cyber-fire. Explore the following collections that are part of our new Operational Technology offering: OT: Fundamentals OT: Threats and Vulnerabilities OT: Devices and Protocols These labs are valuable for practicing defense strategies in blended IT/OT networks and understanding cascading risks in critical infrastructure. You can also experience actual incidents like the Norwegian Dam Compromise: Campaign Analysis! Conclusion: Build cyber resilience before the next state-backed attack The One Big Beautiful Bill wonât mandate cyber resilience. NATO knows cyberwar is already here. And Salt Typhoonâs breach shows that the human element is still the biggest vulnerability facing businesses, entities, and nation states alike. Thatâs why continuous skills development, validated readiness, and real-world scenario training arenât optional. Adhere to tested frameworks and operational rigor for your people, processes, and technology. Share your thoughts If youâre not sleeping on state-backed threats, set the alarm and kickstart your teamâs readiness. Have you prioritized specific procedures or skills in response to the latest nation-state activity from groups like Salt Typhoon? Share your tips (or your favorite preparedness quote) in the comments below! Train like itâs game day â because for state-backed threats, it already is. Stay sharp and threat-ready by following the Human Connection blog for more updates like this.Building Your First Practical Lab (Part 2)
This is the second blog in a 2 part series that will walk you through the entire process of building your first custom practical lab. Youâll learn how to do everything from launching and configuring an EC2 instance in your AWS account to imaging it and seamlessly integrating it into our platform. In part 1 we showed you how to create and import your own machine. You can read part 1 here. In this blog, weâll walk through building a simple Linux privilege escalation scenario as a working example. Our goal is to give you the foundational steps so you can confidently design scenarios tailored to your own creativity, environment, and organizational needs. The lab objective Ensure you are connected to the machine via the Ubuntu user for the steps below and not our lab user (lab-user). The objective of this lab is to read a token file. To do so, the user will need to escalate privileges via a misconfiguration. We will create a flag.txt file inside /root/ that contains a string that the user must read in the lab. sudo nano /root/flag.txt Add some content inside the file. This will act as a flag that can be used later to complete the lab. w3ll_don3_h4ck3r Save the file The lab challenge Now letâs set up the challenge! The goal is for lab-user to find a way to read the /root/flag.txt which is owned by root and not accessible to the lab-user by default. They will do this by exploiting a world-writable script that is executed as the root user in cron job. Create a directory to hold the script that lab-user can exploit. For this example, it's going to be a simple script that outputs the current time to a file (not very creative). sudo mkdir /opt/date_printer This script will be executed by root, but lab-user will have write permissions to it. The initial content will be benign, but the purpose of this lab is for the lab-user to identify the misconfiguration that allows them to modify it to read the /root/flag.txt file to retrieve the flag. Create a file for the script: nano /opt/date_printer/printer.sh Add the following content: #!/bin/bash echo "Running date_printer: $(date '+%Y-%m-%d %H:%M:%S')" >> /var/log/date.log Save the file. Next, set the misconfigured permissions that allow lab-user to write to the script, enabling privilege escalation. sudo chmod +x /opt/date_printer/printer.sh sudo chown root:root /opt/date_printer/printer.sh sudo chmod 666 /opt/date_printer/printer.sh Additionally, we want to configure the folder to ensure root owns it, but other users on the machine have access to it. sudo chown root:root /opt/date_printer sudo chmod 777 /opt/date_printer Now, letâs add a cron job to run the script we just created. For this scenario, we are going to edit the /etc/crontab file. Cron jobs in this file are generally used for system-wide cron tasks and are readable by anyone. This is good as it adds some breadcrumbs to our lab! If the user reads this file (a common check when looking for privilege escalation on Linux), they will see a script gets run every minute, and it will point them to investigate that script file. Edit the file nano /etc/crontab Add the following line at the end of the file. This line tells cron to execute /opt/date_printer/printer.sh every minute, as the root user * * * * * root /opt/date_printer/printer.sh Save the file. At this point, we have a configured image with a low-privilege lab-user account, which we will use to connect to the lab machine. We also have a cronjob vulnerability that our users attempting the lab have to exploit as the lab-user! For this lab, all the user has to do is find the script that is run by the cronjob and edit it to print the token in the file we added at /root/flag.txt. They could do this by easily updating the /opt/date_printer/printer.sh script to replace the contents with #!/bin/bash cat /root/flag.txt >> /var/log/date.log This one-liner will cat the contents of the /root/flag.txt file to the /var/log/date.log file, which the user can then read to get the token (there are other things we could do here as well, but for the purposes of this lab, let's keep it simple). Imaging and sharing the lab AMI Go back to the EC2 dashboard and find the running instance you just configured. Right-click on the EC2 machine, select Image and templates, and then Create image. Image name: Provide a descriptive name, e.g., âMyFirstCyberLab-AMIâ or âLinux-PrivEsc-Lab-AMIâ. Image description: Add a brief description, e.g., âCustom lab with lab-user password SSH and cron job privesc scenario.â Leave other settings at their default values. Click Create image. This will now create an AMI from the configured EC2 lab machine. Adding your custom AMI to your lab Navigate to Lab Builder and go to your custom lab via Manage > Create Lab. If you havenât created one yet, go ahead and do so by selecting Create a new custom lab. On the Lab details page, we can give our lab a name and configure various other settings. For the purposes of this example, weâll call it Linux CTF Challenge, and weâll fill out the rest of the information to ensure our users know what the lab is all about. Lab description: This is a Linux CTF machine designed to test your ability in privilege escalation! Estimated Time Required: 30 Minutes Difficulty: 3 Learning outcomes: Understand how to exploit a common Linux misconfiguration Whatâs involved: Investigate the machine and find the misconfiguration that allows for privilege escalation. Next, we want to fill in the briefing panel. The briefing panel is the learning material that lets our lab users understand a bit about the topic and anything else they need to know to answer the questions. Since this is a CTF, weâll give them limited information: Linux CTF This is a CTF lab scenario designed to test your ability to exploit a common misconfiguration in Linux that could result in privilege escalation. Your task in this lab is to read a flag located at /root/flag.txt. Good luck! Next, we want to add a Task. Tasks are what the user has to solve to complete the lab. For this example lab, we want to add a question to verify that theyâve read the flag in the /root/flag.txt file. Select Add task, which will bring up a library of task types. From the library, select Question. This will add a question to the lab task list, which we can then edit by selecting Edit. Update the question settings to the following: Question text: What is the flag found in the /root/flag.txt file? Answer: w3ll_don3_h4ck3r The next stage is to import our custom image. Select Systems and then click Add under the Virtual machineâEC2 type. This will add a new machine to your lab. Once the machine has been added, we want to configure it. Selecting Edit at the top right will open the machine's configuration editor. In the blue information box, we provide which region and, most importantly, which AWS account to share your image with so that our platform can use it in a lab. Within your own AWS account where you created your AMI for the lab image, click on the AMI, and at the bottom of the screen, you will see Permissions. Select Edit AMI permissions and Add account ID. This will open a box where you enter the Account ID that is displayed in Lab Builder. Click Share AMI. Now, copy the AMI ID of the machine you just shared and add it to the Lab Builder machine AMI ID section: Set the following configuration for the other sections in this editor: System Name: Your chosen name for the system youâre configuring. For this example, let's call it âLinux Machineâ. Instance Type: t3.medium Connection Type: SSH Username: lab-user (or the username you set) Password: lab-user (or the password you set) Once youâve configured your system, you can easily use it in Lab Builder by selecting Preview System on the system view. Assuming youâve built everything correctly, youâll get a shiny preview of your newly configured machine! This is a good time to run through your lab scenario to ensure it's working correctly. And thatâs itâcongratulations on building your first practical lab! At this point, you can spruce up your lab by adding additional questions or details to the briefing panel and publish your lab to your organization for them to enjoy. This powerful new feature puts the control directly in your hands, allowing you to create incredibly specific and challenging learning environments. These range from simple privilege escalation scenarios like this one to complex, multi-machine attack simulations. We canât wait to see the innovative labs you'll create. In the meantime, if you need more ideas or support, use our Help Centre docs for Lab Builder.Building Your First Practical Lab (Part 1)
This is the first blog in a 2 part series that will walk you through the entire process of building your first custom practical lab. Youâll learn how to do everything from launching and configuring an EC2 instance in your AWS account to imaging it and seamlessly integrating it into our platform. In this blog, weâll walk through the process of creating and importing your own machines. In part 2 weâll walk you through building a simple Linux privilege escalation scenario as a working example. Our goal is to give you the foundational steps so you can confidently design scenarios tailored to your own creativity, environment, and organizational needs. Building your machine in AWS The first step is to log into your AWS account and provision your first EC2 machine to be configured. Access to AWS will depend on your organization and its access rules (e.g., logging in via console.aws.amazon.com). Provision an EC2 Once logged in, the first step is to launch an EC2 instance. Search for âEC2â in the top search bar and click âEC2â under Services. In the EC2 Dashboard, click on âLaunch instanceâ. The lab will use a standard Linux distribution. Itâs recommended to start with a clean slate. Select Ubuntu Server 22.04 LTS (HVM), SSD Volume Type, or a similar recent Ubuntu LTS version. This is a widely used and well-documented distribution. Itâs also in the free tier, which means we can keep costs as low as possible. The next step is to select the instance type. Lab Builder supports t3.micro, t3.medium, and t3.large. You can select whichever CPU type and associated resources your machine needs in the lab that best suits your needs. Since this is a reasonably straightforward Linux privilege escalation lab, we are going to use t3.micro. Now, weâll need to configure the instance details. You can generally leave most of these settings as the default for the current purpose. Network: Ensure your default VPC and a subnet are selected. Auto-assign Public IP: Check this is enabled so you can SSH into the instance from the internet and configure it. Security Groups control the machine's inbound and outbound access. Since you need to configure the machine, make sure you have SSH open to SSH into it (alternatively, you can use AWS Systems Manager to control access without the need for SSH or direct network access). When using Security Groups, it's a good practice only to allow sources from trusted IPs. Select âCreate Security Group.â Select Allow SSH traffic from For the source, it is recommended to select a trusted IP range or your own IP. The storage youâll need will depend on the machine youâre building. However, the default storage (8 GiB General Purpose SSD gp2) is usually sufficient unless you're installing and configuring large applications. Note: We do not currently support encrypted EBS volumes. Now youâre ready to launch your machine! Review all your settings carefully and click Launch. Youâll be prompted to add an SSH key to the machine. Youâll use this key to connect to the instance and configure it. To create a new key pair, choose a name like my-lab-key and click Download Key Pair. Keep the downloaded .pem file secureâyouâll need it to SSH into your instance. If youâre using an existing key pair, select it. Once you have your key sorted, select Launch Instance. Your EC2 instance will now start to launch. It might take a few minutes for it to be ready. Configuring the instance for use as a lab Once your EC2 machine is launched and ready, itâs time to connect to and configure it, ready to be used in a custom lab! Connect to the running instance via SSH, using the key you downloaded previously when you provisioned the EC2. ssh -i <key>.pem ubuntu@<public_ip></public_ip></key> Note: You may need to change the permissions on the key first by running chmod 400 .pem Next, update the system packages. sudo apt update sudo apt upgrade -y Note: Depending on the future labs you create, you may not want to update system packages if you need specific versions of software or libraries installed. Setting up SSH for the lab user With Lab Builder, labs can be configured to have a session open when the lab loads. This session can be SSH, RDP, or HTTP. For this lab, we want the lab to load in the platform with the lab user already SSHâd into the machine, so they can get to work on the scenario straight away without needing to worry about connecting to a machine themselves. Many default Ubuntu AMIs disable SSH password authentication and only allow key-based authentication by default, but this can be changed. Password authentication needs to be enabled to allow our lab user to connect with a password (Lab Builder does not support key-based authentication). To do this, we can update the configuration for SSH. In the examples below, we use nano, but you can use whichever file editing tool you are comfortable with (Vi/Vim, etc.) sudo nano /etc/ssh/sshd_config Find the line that says: #PasswordAuthentication no or PasswordAuthentication no. We want to change this to allow our users to connect via a password: PasswordAuthentication yes Make sure ChallengeResponseAuthentication no is set to no (it usually is). Save the file. While this will work for most distributions, certain images provided by AWS can have additional config for SSH that needs to be changed. For our image that we are using in this example (Ubuntu Server 22.04 LTS (HVM), SSD Volume Type), we also need to change the file at the location below: /etc/ssh/sshd_config/60-cloudimg-settings.conf Open this file and make the same change we did for the other sshd_config file PasswordAuthentication yes For the changes to SSH to take effect, restart the SSH service: sudo systemctl restart ssh Next, let's create a dedicated user account for our lab participants. sudo adduser lab-user When prompted: Enter a password that will be used for lab-user (make sure you remember this, as we will need it later!) Re-enter the password to confirm. You can press Enter for all the full name, room number, etc., prompts. Confirm with Y when asked if the information is correct. Note: We recommend changing the password above to something unique to you and this machine. At this point, we recommend logging out of the existing SSH session as the Ubuntu user and logging in as the newly created lab-user to verify that the SSH configuration has been updated and that you can successfully connect to the machine via password-based SSH authentication. ssh lab-user@<ec2-ip></ec2-ip> You should be prompted to enter the user's password, which will connect you to the machine. ssh lab-user@52.18.126.144 lab-user@52.18.126.144's password: >Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-1029-aws x86_64) >lab-user@ip-172-31-17-115:~$ Ready to create the lab challenge? Read part 2 here.Hasta La Vista, Passive Defense: Why Blue Teams Need an Offensive Edge
In a world of ever-evolving tactics, techniques, procedures (TTPs) and relentless adversaries, itâs no longer enough for defenders to simply monitor, detect, and respond. You canât wait for next-gen threats to come to you â you must go on the offensive to stay ahead. Iâm not saying you need to send an advanced cyborg back in time to test yesterdayâs defenses, but your blue team does need to adopt offensive mindsets and methods to stay ahead today. Now, as Arnold once said, come with me if you want to live. Adapting to a threat-led world Traditional Security Operations Center (SOC) roles were built for known threats and predefined signatures. Attackers donât play by those rules anymore. Understanding offensive tactics helps defenders anticipate attacker behaviors, prioritize real risks, and reduce alert fatigue. This proactive approach leads to more effective incident response and a threat-informed defense strategy. Defensive teams that understand offensive logic are better at: Anticipating lateral movement Introduction to Detection Engineering includes labs that analyze logs generated during lateral movement and use tools like Process Monitor and Sysmon. APT29: Threat Hunting with Elasticsearch can help you understand attacker tactics and techniques, which is crucial for anticipating lateral movement. Recognizing attacker tradecraft Attacking the Active Directory is a critical skill in any offensive security professional's arsenal, involving setting manipulation and intentional misconfigurations to gain unauthorized access. Exploitation, Weaponization, and Delivery focuses on payload creation, obfuscation techniques, delivery methods, and communication techniques used in cyberattacks, providing hands-on experience with tools like Metasploit. Prioritizing real risk over alert fatigue Threat Hunting covers essential topics like threat research, digital forensics, and malware analysis, which are crucial for understanding and prioritizing alerts. The labs include a variety of tools like Wireshark, Process Monitor, and Volatility to analyze network traffic and investigate incidents, helping users to identify and respond to suspicious activities effectively. If your blue team thinks like a red team, your incident response becomes threat-informed and dynamic. Offensive skills that matter for defenders Not everyone needs to have the skills of a full-time red teamer, but they do need to think critically about attacker behavior to protect critical assets cough cough John Connor We suggest focusing on these areas: Understanding how common tools behave in the wrong hands (C2 frameworks, privilege escalation chains) PoshC2 provides training on command and control frameworks, credential harvesting, system enumeration, and privilege escalation, all of which are crucial for operating under the assumption that a breach has occurred. Scenario-based threat modeling and adversarial emulation Threat Modeling Fundamentals explores threat modeling, attack trees, and tools like Threat Dragon. These labs help teams identify vulnerabilities, understand different methodologies, and implement effective countermeasures. Reconnaissance is important for understanding and employing reconnaissance techniques essential to offensive operations. Exploit walkthroughs to reinforce detection and log analysis, recent campaigns, and the heavy-hitter offensive TTPs. BadSuccessor: Offensive CVE-2025-35433 (Erlang SSH): Offensive CVE-2025-31161 (CrushFTP): Offensive Water Gamayun: (CVE-2025-26633) Campaign Analysis Threat Actors: Salt Typhoon - SNAPPYBEE Campaign Analysis Command and Scripting Interpreter (T1059) Valid Accounts (T1078) Lateral Movement via Remote Services (T1021) You should also think about: Cyber incident simulations with âadversary POVsâ For hands-on training, explore our Pen Test CTF labs to build penetration testing and exploitation skills in a capture-the-flag format. Want to take exercising your teams to the next level? Talk to your account team about Cyber Range Exercises. Engaging in offensive security training raises awareness among employees about potential threats and attack vectors. This awareness fosters a security-first culture, encouraging proactive behaviors and vigilance across the organization. Prove and improve: planning for sustainable upskilling The cybersecurity skills gap isnât just a hiring problem - itâs a strategic opportunity. Building offensive awareness within defensive teams deepens technical expertise, sharpens detection logic, speeds up incident response, and improves threat prioritization. Success doesnât happen by accident â it requires a plan. If you're John Connor maybe that plan is sending a Terminator back in time to protect your critical PI... but maybe your plan is partnering with Immersive to design a custom security program đ Sustainable upskilling starts with three core elements: Baseline where you are today Engage with Immersive Premium Support to conduct an Immersive assessment, or use Demonstrate labs across key tools and capabilities to baseline current skills. You can also reference threat simulation results, or incident retrospectives to identify practical knowledge gaps. From there, define your target skills and security outcomes (e.g. improving lateral movement detection or reducing false positives), then build and execute a plan to get from A to B. Design learning journeys, not one-offs Structure development plans across 6-, 12-, and 18-month checkpoints. We recommend tailoring these to role-specific needs, but in the context of todayâs blog, you also should consider use cases like: Have your Tier 1 SOC analysts start by learning scripting and alert triage logic. Challenge senior analysts to complete red team shadowing or participate in a DTF to strengthen threat hunting skills and hypotheses they can use in detection engineering. Prove value through applied learning Build defenders who can think and act with offensive context. Encourage applied projects like: âHack-your-fistâ systems to better understand attacker behavior. Logging analysis with an âassume breachâ lens. Injecting adversary POVs into tabletops or indecent retrospectives. The new defender DNA Defensive security is evolving. Itâs no longer about who can triage the fastest â itâs about who can think like the threat and adapt in real time. Upskilling your blue team with red principles isnât about turning defenders into pentesters. Give them the tools they need to defend with intent. Share your thoughts Have you been leveling up your teamâs offensive instincts? Is your blue team ready to terminate threats before they take root? Share your story in the comments below! Donât let your cyber resilience go offline this summer â stay sharp and threat-ready. Get updates on posts like this by following the Human Connection Blog!
