immersive labs
Enter The Maze Challenge: Immersive’s Most Advanced Collection Yet
Today marks the release of the Maze Challenge, Immersive’s most advanced and cunningly designed offensive cybersecurity collection yet. This new series of labs is more than just a test of skills. It's a puzzle, a game, and a creative brain-bender, crafted by two of Immersive’s most brilliant minds: StefanApostol and SabrinaKayaci. Stefan, known to many as the "evil genius" behind the Human Connection Challenge, and Sabrina, who recently inspired our London community meetup attendees with her predictions on AI within the AppSec space, have teamed up to create something truly unique. We sat down with them to get their insights on what makes the Maze Challenge so special, so challenging, and so much fun.

What was the main inspiration behind the maze theme, and how did you translate that narrative into a collection of technical labs?

The core idea for the Maze Challenge, as Stefan explained, came from a shared love of games. "Both Sabrina and I are geeks. We like games, and we wanted to create a challenge with an overarching goal that was more than about earning a completion token." While our labs have always awarded tokens for completion, Stefan and Sabrina wanted to create a narrative that would engage users on a deeper level. "A maze is the perfect example of that," Stefan said. "We wanted to include a game element in these challenges." This isn't just a series of technical scenarios. It's a cohesive puzzle where each lab is a step toward a larger objective. The maze narrative encourages participants to think creatively, connecting different skills and techniques in a way that feels more like a game than a traditional capture the flag (CTF).

I’ve heard that this is the most advanced lab collection yet. So, what makes these labs more challenging than the thousands of others in Immersive's catalogue?

This collection is Immersive's most advanced to date, introducing a range of techniques not yet widely covered in the platform.
The labs are a combination of real-world examples drawn from the creators' past experiences and internal testing, all woven together with a good deal of imagination. While the challenge covers a broad spectrum of offensive skills, including web, Linux, Windows, and Active Directory, Stefan was quick to name binary exploitation as an obvious concept that will have participants scratching their heads. The team collaborated with BenMcCarthy on this particular lab, and Ben being Ben, he poured all his creativity into it, making even Stefan nervous to attempt this mean challenge! Sabrina added that the real difficulty lies in the type of thinking required. "Some of them will really require outside-the-box thinking," she said. "They're unusual in a way that requires not just the technical skill, but some creativity and more critical thinking." This is a key theme throughout the collection. Participants can't rely on a simple, formulaic approach. Instead, they must be flexible and resourceful. Sabrina noted that some challenges will require "multiple sets of skills," forcing users to chain together their expertise in different areas to find a solution.

Without giving away any spoilers, can you describe a moment in one of the labs that you're particularly proud of designing?

Sabrina beamed as she recalled the Inner Maze lab. "I really enjoyed creating Inner Maze," she said, before adding a cryptic twist. "When you break out of that maze is when you're really trapped." She was particularly proud of her ability to create and then beat her own challenge, finding the exploit even more difficult than the design itself.

Can you give users any hints or tips?

The Maze Challenge is designed to be tough, and you should certainly expect it to be just that. However, the creators want everyone to have a fair shot, so they have some advice for those who might feel intimidated.

Use the platform to your advantage.
Stefan noted that around 98% of concepts within this challenge can be learned in the rest of our lab catalogue. “If you get stuck on a specific skill, take a break from the maze, find the relevant labs on the platform, and then come back with your newfound knowledge.” We encourage you to learn along the way, and persistence is always rewarded!

Failure can be a sign of progress.

Sabrina shared a key insight: "Sometimes it's important to take note of what it is you're doing that's failing... If you're failing at the same spot in a particular approach, that could actually mean that you're doing something right." Go figure that one out!

Don't go it alone.

Sabrina advises anyone starting their journey to ask others for advice and help. Our community help forum is a great resource for sharing knowledge and getting tips from fellow participants. We want you to have fun, and part of that fun is collaborating with your industry peers along the way.

In the end, what do you hope participants will take away from this experience, beyond the technical skills?

Stefan and Sabrina both hope it's a "desire for more challenges”! They also dropped a teaser for a community Halloween challenge… That’s all you’re getting for now! 👀

Want a head start? Join Stefan and Sabrina for a Labs Live webinar on August 19th. They’ll be solving the Improbable Maze lab live on the call, in collaboration with you. Attendees are encouraged to play along, offer their suggestions, methods, and frustrations. It’s the perfect opportunity to see the creators’ thought process and gain some momentum for your own journey through the maze. See you there!

New Labs: BlackHat 2025 and DefCon 33
Throughout early August 2025, representatives from Immersive's cyber team attended the BlackHat 2025 and DefCon 33 conferences and got great exposure to the latest technologies, topics, and techniques presented by the sharpest minds in our industry. As a result of attending these talks, workshops, and villages, Immersive has created brand new labs going through the various talks that took place, allowing you to get hands-on with the latest technologies and exploits. We present a number of brand new labs covering some of the most interesting and insightful topics from the events, from operational technology (OT) to achieving privilege escalation through firewall software. AI was a hot topic, as you would imagine, especially around Prompt Injection attacks. We already have plenty of content on Prompt Injection, not to mention the new AI Foundations content, so for this series, we created an AppSec-style lab around preventing Prompt Injection attacks.

Why should our customers care?

BlackHat and DefCon are two conferences that attract the greatest minds in cyber to get together and share their knowledge through workshops, official talks, and villages. Given the high diversity of events and talks that took place, there is something for everyone! Many of the topic areas shared are things that attackers could easily exploit themselves, so taking advantage of the information in these labs equips our customers with the knowledge of the latest vulnerabilities, threats, and exploitation techniques currently being talked about in the industry - improving your resilience and preparation against the latest threats.

Who are the labs for?
Offensive Security Engineers and Penetration Testers
SOC Analysts and Incident Responders
Malware Reverse Engineers
Operational Technology Engineers
Cyber Security Engineers

Here is a list of the labs in this release:

Binary Facades: Extracting Embedded Scripts
CVE-2024-5921 Redux - Bypassing mitigations to PrivEsc with Palo Alto Global Protect
Chrome Alone: Transforming a Browser into a C2 Platform
No VPN Needed?: Cryptographic Attacks Against the OPC UA Protocol
Python: AI Prompt Injection

If you'd like to do any of these labs, here is a link to the BlackHat/DefCon collection: https://immersivelabs.online/series/defcon-black-hat/

More Immersive Cyber Drills: How Rich Media Can Bring a Scenario to Life
When running a cyber drill, it’s useful to have a consistent and cohesive sense of the story throughout. The use of branding and rich media (videos and audio related to the theme) can engage participants through a sense of world-building and storytelling. Imagine your company drill looking like your company — logo, color scheme, font and all.

The Brand

It’s a good idea to start with all the assets needed to create the custom content. In my case, I created a logo and color scheme for a fictional news company, CHANNEL 6 News. The intention was to create a consistent look and feel for the news updates we would use. Using a simple color palette and classic news branding style, I could then create a virtual website for news updates using presentation software. This allows for ease of editing and can be presented full-screen to look like a webpage. A key requirement of the project was to create content that could be edited by anyone — no special software needed. This is just a slide in a presentation! The slide format could be used to represent a company website, a news outlet, or anything to aid the storytelling. Each slide in the presentation is a copy of the previous, but the news story is changed (title, image, and copy).

Rich Media

Video is engaging; it grabs our attention and helps with immersion. Video that has relevant branding and specifics has the chance to immerse participants even further. Continuing with the Channel 6 News theme, I used an AI video generator to create a news presenter intro and outro, all within a single prompt to maintain a consistent look. I also created a graphical intro in professional video editing software, aligning the branding and adding stock backing music. Using a more stripped-back video editing app, such as Google Vids, templates can be created with the intro and outro already in place. In between, video clips and voiceover (also generated) provide the main content of the news update.
These templates allow for quick editing by anyone without the need for expert software. Download the MP4, and we’re ready to slot it into a cyber drill! Here's an example of the intro/outro and small amount of content between.

Company Videos

Immersive has a fictional company it uses for Crisis Sims called Orchid Corp. We have brand assets (logos, graphics, etc.) that we use to create print and digital media. I created employee welcome videos using stock media and generated voiceover audio, which ended up being fairly convincing. Now, imagine your company assets in whatever type of video you want. Perhaps a news broadcast, maybe an internal or external press release on the crisis situation. The more entertaining and interesting the content, the more immersion and engagement.

Prove and Improve

Running drills with custom videos will capture your audience’s attention and imagination. There's a great opportunity to review how the media can be adjusted for further storytelling depth. It could be effective to have the story evolve at a future drill, building on the actions taken previously. Having templates for the content, such as a news update clip, means that significant time is saved in preparation and a consistent feel is kept across drills.

Recommendations for Writing a Program Welcome Email
Key Objectives of the Email

Generate Excitement: Make employees want to participate.
Clearly State Benefits: What's in it for them?
Provide Clear Next Steps: How do they get started?
Assure Support: Who to ask for help?
Reinforce Company Vision: Link individual growth to organizational success.

Recommended Email Structure & Content

1. Compelling Subject Line

Purpose: Grab attention, convey value immediately.
Examples:
"Unlock Your Potential: Introducing [Program Name]!"
"Elevate Your Skills: Your Gateway to Growth is Here!"
"Future-Proof Your Career: Announcing Our New Upskilling Initiative!"
"Exciting News: Your Path to [Skill Area] Mastery Starts Now!"
"Invest in Yourself: [Company Name]'s New Upskilling Program"

2. Warm & Enthusiastic Opening

Purpose: Welcome, set a positive tone.
Content:
"Dear [Employee Name]," or "Hello Team,"
"We're thrilled to announce..." or "Get ready to elevate your career..."
"At [Company Name], we believe in fostering continuous growth and development for every member of our team."

3. Program Overview (The "What")

Purpose: Briefly explain what the program is.
Content:
Introduce the program name (e.g., "The [Program Name] Upskilling Initiative").
Briefly describe its scope (e.g., "a comprehensive program designed to enhance critical skills," "a tailored learning experience focusing on [key skill areas]").
Mention the format (e.g., "via interactive online modules," "expert-led workshops," "hands-on labs").

4. Benefits to the Employee (The "Why Them")

Purpose: This is the most crucial section – articulate the direct value to the individual.
Content:
"Why should you participate? This program is designed to help you:"
Advance your career: "Unlock new opportunities for career growth within [Company Name]."
Stay competitive: "Master the latest industry skills and technologies."
Boost your confidence: "Deepen your expertise and take on new challenges."
Enhance your impact: "Contribute even more effectively to your team's and [Company Name]'s success."
Personal Growth: "Invest in your personal and professional development."
(Optional but impactful): "Aligned with our commitment to [Company Value, e.g., Innovation, Excellence]."

5. How to Get Started (Clear Call to Action - CTA)

Purpose: Make enrollment easy and intuitive.
Content:
"Getting started is simple! Here's how to begin your learning journey:"
Provide a clear, clickable link: "Click here to explore the [Program Name] Hub."
Brief instructions: "Log in with your [Company Credentials]," "Browse the course catalog," "Enroll in your first module."
Mention any deadlines or enrollment periods if applicable.

6. Support & Resources

Purpose: Assure employees they won't be alone.
Content:
"We're committed to supporting you every step of the way."
"For any questions, technical support, or guidance on choosing your learning path, please contact [L&D Team Email/Name, or specific Slack channel]."
“Speak with your manager and map this to your own Professional Development Plan (PDP) for regular support and feedback.”
“We're so excited to celebrate your successes with you, and we're here to offer a helping hand as you grow!”
Mention FAQs or a dedicated resource page if available.

7. Closing

Purpose: Reinforce enthusiasm and look forward to their participation.
Content:
"We are incredibly excited about the potential this program holds for your individual growth and our collective success."
Reinforce / remind positive impact to the organisation: “This program will make [Company Name] continue to be class leading / stay ahead of the competition / be the best place to work.”
"We look forward to seeing you thrive!"
"Sincerely," / "Best regards," / "Warmly,"
[Your Name/Learning & Development Team/Leadership Team]

General Recommendations for Effectiveness

Personalization: Always use the recipient's name.
Conciseness: Get to the point. Employees are busy.
Visuals (Optional but Recommended): Consider including a compelling image or a short introductory video if available.
Follow-Up Strategy: Plan reminder emails for those who haven't enrolled, and share success stories later.
Manager Communication: Ensure managers are informed before the general team, so they can support and encourage participation.

By following these recommendations, your upskilling program launch email can effectively motivate employees and kickstart a successful learning initiative.

No Sleep on State-Backed Threats: Train for Cyber Conflict Before It Starts
In 2025, the cybersecurity landscape isn’t just evolving – it’s accelerating. State-backed cyberattacks, geopolitical tensions, and a fragmented regulatory environment have placed cyber resilience squarely at the top of boardroom agendas. But while the threats are growing, clear directives and unified mandates are not. Cybersecurity leaders are left asking: If federal policy won’t dictate readiness, how can we validate that we’re prepared?

The policy gap: Why the One Big Beautiful Bill won’t save us

Despite its sweeping scope, the recently passed One Big Beautiful Bill Act (H.R.1, P.L. 119-21) is notably silent on cybersecurity policy. It includes:

Investments of $150M to the Department of Defense for business system modernization, including AI-aided financial auditing
$200M for AI-enabled audit systems
$20M to DARPA cybersecurity research efforts
$250M for Cyber Command’s AI “lines of effort”
$685M toward military cryptographic modernization, including quantum benchmarking

While these appropriations equip government agencies to modernize and strengthen cyber and crypto capabilities, they stop short of mandating new cross-industry controls, standards, or compliance obligations for private sector entities. Organizations can’t depend on Washington to drive cyber resilience strategy, given how dynamic the landscape is today. Instead, leaders must build proactive, measurable programs rooted in industry frameworks like NIST CSF, ISO 27001, and MITRE ATT&CK. At the same time, they need to monitor shifting government priorities (vis-à-vis risks), evolving state-level regulations, and sector-specific requirements like the Digital Operational Resilience Act for financial services. In short, cyber resilience remains an internal obligation, not an external mandate.

The stakes are rising: Salt Typhoon breach proves it’s about people

In June 2025, a DHS memo confirmed that Salt Typhoon, a Chinese state-linked hacking group, gained extensive, months-long access to a U.S.
Army National Guard network. This breach wasn’t just a military problem – it highlighted systemic risks across civilian infrastructure, state governments, and critical services. The attackers stole administrative credentials, internal diagrams, network configurations, and PII of service members, creating opportunities for lateral movement and follow-on attacks against civilian sectors. As Ellis, a cybersecurity advisor quoted in the memo, pointed out: "An intrusion on a National Guard isn't a 'military only' operation. States regularly engage their Guard to assist with cyber defense of civilian infrastructure." This breach underscores the harsh reality that cyber adversaries aren’t bound by the Law of Armed Conflict – and they’re fully prepared to target civilian infrastructure as part of their strategy.

Cyberwar is official: NATO’s Article 5 sets a new precedent

NATO now explicitly recognizes cyberattacks as potential triggers for Article 5 collective defense measures. This isn’t about responding to routine ransomware or phishing scams – it’s about preparing for strategic-level attacks that can disrupt economies, paralyze infrastructure, or compromise national defense. To meet this challenge, NATO is expanding joint cyber exercises like Locked Shields and Cyber Coalition, simulating real-world adversaries and integrating civilian infrastructure into their scenarios. Our key lesson? Modern conflict starts in cyberspace – and organizations need to train for it before the first packet hits.

Train like the threat is already inside

1. State-sponsored threat actor playbooks

Train your team to recognize and respond to APT tactics in the wild. From credential harvesting to stealthy exfiltration, hands-on simulations build muscle memory against real adversary behaviors – not textbook theory. Get hands-on with Threat Actors: Salt Typhoon and explore a recent SNAPPYBEE Campaign Analysis to see how the group uses backdoors to conduct espionage operations.
Our complete Threat Actors collection covers a wide range of threat groups and their TTPs, providing practical simulations that build muscle memory against real adversary behaviors. We’ve talked about APT29 before 🙅♀️🐻 and they remain an active threat. Refresh with APT29: Threat Hunting with Splunk and dig into practical nation-state threat intelligence and IOC analysis.

2. Salt Typhoon TTP training

Defend against the tactics actually used in the Salt Typhoon breach:

Lateral movement: Our MITRE ATT&CK collection covers lateral movement tactics, providing comprehensive training on how attackers move within a network and how to defend against such actions.
Credential compromise: The Credential Access collection offers practical experience in understanding and mitigating credential access vulnerabilities, which is crucial for defending against credential compromise.
Network reconnaissance: Our Reconnaissance collection focuses on various techniques and tools used for gathering information, which can help in understanding and defending against network reconnaissance.
Data exfiltration: Another hit for the Incident Response collection! These labs are specifically designed to teach incident responders how to detect data exfiltration.

Put your team in the hot seat and test their response before the next real-world incident hits.

3. AI-readiness for cyber defenders

AI is transforming both red and blue team tactics. Prepare with practical training to drive understanding of AI model risks (e.g. prompt injection, data leakage) and build skills defending AI-enabled environments before attackers exploit them. The AI Fundamentals collection offers a broader understanding of AI's role in cybersecurity, covering topics like data ethics, TensorFlow for machine learning, and emerging threats.
The AI Challenges collection focuses on identifying vulnerabilities in AI systems, such as AI plugin injection and prompt injection attacks, providing hands-on experience in mitigating AI security risks. Together, these collections provide comprehensive training on both understanding and defending AI-enabled environments against potential threats.

4. Incident response: No-doze drills

Run full-cycle incident response simulations, from detection to containment to recovery. Focus on the messy middle: ambiguous alerts, cross-team coordination, and real-time decision-making under pressure. Train with our Introduction to Incident Response and Incident Response collections. These collections cover the entire incident response process, including detection, containment, and recovery, with an emphasis on cross-team coordination and real-time decision-making. Then, test your skills with our new Cyber Range Exercise inspired by Salt Typhoon with simulated malware, or our Crisis Simulations focused on nation-state attacks.

5. Critical infrastructure and IT/OT defense modules

Your OT environment isn’t off-limits to adversaries. Practice defending blended IT/OT networks, identify cascading risks, and rehearse failover processes when the grid comes under cyber-fire. Explore the following collections that are part of our new Operational Technology offering:

OT: Fundamentals
OT: Threats and Vulnerabilities
OT: Devices and Protocols

These labs are valuable for practicing defense strategies in blended IT/OT networks and understanding cascading risks in critical infrastructure. You can also experience actual incidents like the Norwegian Dam Compromise: Campaign Analysis!

Conclusion: Build cyber resilience before the next state-backed attack

The One Big Beautiful Bill won’t mandate cyber resilience. NATO knows cyberwar is already here. And Salt Typhoon’s breach shows that the human element is still the biggest vulnerability facing businesses, entities, and nation states alike.
That’s why continuous skills development, validated readiness, and real-world scenario training aren’t optional. Adhere to tested frameworks and operational rigor for your people, processes, and technology.

Share your thoughts

If you’re not sleeping on state-backed threats, set the alarm and kickstart your team’s readiness. Have you prioritized specific procedures or skills in response to the latest nation-state activity from groups like Salt Typhoon? Share your tips (or your favorite preparedness quote) in the comments below! Train like it’s game day – because for state-backed threats, it already is. Stay sharp and threat-ready by following the Human Connection blog for more updates like this.

Building Your First Practical Lab (Part 2)
This is the second blog in a two-part series that will walk you through the entire process of building your first custom practical lab. You’ll learn how to do everything from launching and configuring an EC2 instance in your AWS account to imaging it and seamlessly integrating it into our platform. In part 1 we showed you how to create and import your own machine. You can read part 1 here. In this blog, we’ll walk through building a simple Linux privilege escalation scenario as a working example. Our goal is to give you the foundational steps so you can confidently design scenarios tailored to your own creativity, environment, and organizational needs.

The lab objective

Ensure you are connected to the machine via the Ubuntu user for the steps below and not our lab user (lab-user). The objective of this lab is to read a token file. To do so, the user will need to escalate privileges via a misconfiguration. We will create a flag.txt file inside /root/ that contains a string that the user must read in the lab.

sudo nano /root/flag.txt

Add some content inside the file. This will act as a flag that can be used later to complete the lab.

w3ll_don3_h4ck3r

Save the file.

The lab challenge

Now let’s set up the challenge! The goal is for lab-user to find a way to read the /root/flag.txt which is owned by root and not accessible to the lab-user by default. They will do this by exploiting a world-writable script that is executed as the root user in a cron job. Create a directory to hold the script that lab-user can exploit. For this example, it's going to be a simple script that outputs the current time to a file (not very creative).

sudo mkdir /opt/date_printer

This script will be executed by root, but lab-user will have write permissions to it. The initial content will be benign, but the purpose of this lab is for the lab-user to identify the misconfiguration that allows them to modify it to read the /root/flag.txt file to retrieve the flag.
Create a file for the script (the directory was created by root, so sudo is needed here too):

sudo nano /opt/date_printer/printer.sh

Add the following content:

#!/bin/bash
echo "Running date_printer: $(date '+%Y-%m-%d %H:%M:%S')" >> /var/log/date.log

Save the file. Next, set the misconfigured permissions that allow lab-user to write to the script, enabling privilege escalation. Mode 766 keeps the execute bit that cron needs while making the file writable by everyone; a plain 666 would strip the execute bit and the cron job would fail to run the script at all.

sudo chmod +x /opt/date_printer/printer.sh
sudo chown root:root /opt/date_printer/printer.sh
sudo chmod 766 /opt/date_printer/printer.sh

Additionally, we want to configure the folder to ensure root owns it, but other users on the machine have access to it.

sudo chown root:root /opt/date_printer
sudo chmod 777 /opt/date_printer

Now, let’s add a cron job to run the script we just created. For this scenario, we are going to edit the /etc/crontab file. Cron jobs in this file are generally used for system-wide cron tasks and are readable by anyone. This is good as it adds some breadcrumbs to our lab! If the user reads this file (a common check when looking for privilege escalation on Linux), they will see a script gets run every minute, and it will point them to investigate that script file. Edit the file (it is owned by root, so use sudo):

sudo nano /etc/crontab

Add the following line at the end of the file. This line tells cron to execute /opt/date_printer/printer.sh every minute, as the root user:

* * * * * root /opt/date_printer/printer.sh

Save the file. At this point, we have a configured image with a low-privilege lab-user account, which we will use to connect to the lab machine. We also have a cron job vulnerability that our users attempting the lab have to exploit as the lab-user! For this lab, all the user has to do is find the script that is run by the cron job and edit it to print the token in the file we added at /root/flag.txt.
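The misconfiguration planted above (a root cron job whose script and parent directory are writable by everyone) is exactly what a hardening check on a real host should catch. The following audit script is an added example written for this post, not Lab Builder or Immersive code: it parses /etc/crontab-style entries, finds the file each root job executes, and reports any that other users could rewrite. The crontab text and files it audits are constructed in a temporary directory that mirrors the lab layout.

```python
"""Audit a system crontab for scripts that a low-privilege user could rewrite.

Added example for this post (not Lab Builder or Immersive code). It flags the
misconfiguration the lab plants on purpose: a root cron job whose script or
parent directory is writable by other users. All sample data is constructed.
"""
import os
import stat
import tempfile

SYSTEM_CRONTAB_FIELDS = 7  # minute hour dom month dow user command


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style text.

    Comments, blank lines and VAR=value assignments are skipped. Entries that
    start with '@' (e.g. @reboot) have a single schedule field before the user.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if "=" in parts[0]:
            continue  # environment assignment such as PATH=...
        if parts[0].startswith("@"):
            if len(parts) >= 3:
                entries.append((parts[1], " ".join(parts[2:])))
        elif len(parts) >= SYSTEM_CRONTAB_FIELDS:
            entries.append((parts[5], " ".join(parts[6:])))
    return entries


def script_path(command):
    """Return the first absolute path in the command: the file cron executes."""
    for token in command.split():
        if token.startswith("/"):
            return token
    return None


def writable_by_others(path):
    """List the reasons a non-root user could change what root runs via path."""
    problems = []
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        problems.append("script is world-writable")
    elif (st.st_mode & stat.S_IWGRP) and st.st_gid != 0:
        problems.append("script is writable by a non-root group")
    dmode = os.stat(os.path.dirname(path)).st_mode
    # A world-writable directory without the sticky bit lets anyone replace
    # the file, even if the file itself is locked down.
    if (dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX):
        problems.append("parent directory is world-writable without sticky bit")
    return problems


def audit_crontab(text):
    """Return [(user, path, problems)] for root entries with tamperable scripts."""
    report = []
    for user, command in parse_system_crontab(text):
        path = script_path(command)
        if user != "root" or path is None or not os.path.isfile(path):
            continue
        problems = writable_by_others(path)
        if problems:
            report.append((user, path, problems))
    return report


def demo():
    """Recreate the lab layout in a temp dir (constructed sample) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        lab_dir = os.path.join(tmp, "date_printer")
        os.mkdir(lab_dir)
        bad = os.path.join(lab_dir, "printer.sh")
        with open(bad, "w") as fh:
            fh.write("#!/bin/bash\ndate >> /var/log/date.log\n")
        os.chmod(bad, 0o766)      # the lab's world-writable script
        os.chmod(lab_dir, 0o777)  # the lab's world-writable directory
        good = os.path.join(tmp, "backup.sh")
        open(good, "w").close()
        os.chmod(good, 0o755)     # a correctly locked-down script
        crontab = (
            "# constructed /etc/crontab for the demo\n"
            "PATH=/usr/local/bin:/usr/bin:/bin\n"
            f"* * * * * root {bad}\n"
            f"0 3 * * * root {good} --nightly\n"
            f"@reboot root {good}\n"
        )
        return audit_crontab(crontab)


if __name__ == "__main__":
    for user, path, problems in demo():
        print(f"{user} runs {path}: {'; '.join(problems)}")
```

Run it against the real file with audit_crontab(open("/etc/crontab").read()) on a lab image to confirm the planted job is the only finding before you publish.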
They could do this by easily updating the /opt/date_printer/printer.sh script to replace the contents with:

#!/bin/bash
cat /root/flag.txt >> /var/log/date.log

This one-liner will cat the contents of the /root/flag.txt file to the /var/log/date.log file, which the user can then read to get the token (there are other things we could do here as well, but for the purposes of this lab, let's keep it simple).

Imaging and sharing the lab AMI

Go back to the EC2 dashboard and find the running instance you just configured. Right-click on the EC2 machine, select Image and templates, and then Create image.

Image name: Provide a descriptive name, e.g., “MyFirstCyberLab-AMI” or “Linux-PrivEsc-Lab-AMI”.
Image description: Add a brief description, e.g., “Custom lab with lab-user password SSH and cron job privesc scenario.”

Leave other settings at their default values. Click Create image. This will now create an AMI from the configured EC2 lab machine.

Adding your custom AMI to your lab

Navigate to Lab Builder and go to your custom lab via Manage > Create Lab. If you haven’t created one yet, go ahead and do so by selecting Create a new custom lab. On the Lab details page, we can give our lab a name and configure various other settings. For the purposes of this example, we’ll call it Linux CTF Challenge, and we’ll fill out the rest of the information to ensure our users know what the lab is all about.

Lab description: This is a Linux CTF machine designed to test your ability in privilege escalation!
Estimated Time Required: 30 Minutes
Difficulty: 3
Learning outcomes: Understand how to exploit a common Linux misconfiguration
What’s involved: Investigate the machine and find the misconfiguration that allows for privilege escalation.

Next, we want to fill in the briefing panel. The briefing panel is the learning material that lets our lab users understand a bit about the topic and anything else they need to know to answer the questions.
Since this is a CTF, we’ll give them limited information:

Linux CTF
This is a CTF lab scenario designed to test your ability to exploit a common misconfiguration in Linux that could result in privilege escalation. Your task in this lab is to read a flag located at /root/flag.txt. Good luck!

Next, we want to add a Task. Tasks are what the user has to solve to complete the lab. For this example lab, we want to add a question to verify that they’ve read the flag in the /root/flag.txt file. Select Add task, which will bring up a library of task types. From the library, select Question. This will add a question to the lab task list, which we can then edit by selecting Edit. Update the question settings to the following:

Question text: What is the flag found in the /root/flag.txt file?
Answer: w3ll_don3_h4ck3r

The next stage is to import our custom image. Select Systems and then click Add under the Virtual machine—EC2 type. This will add a new machine to your lab. Once the machine has been added, we want to configure it. Selecting Edit at the top right will open the machine's configuration editor. In the blue information box, we provide which region and, most importantly, which AWS account to share your image with so that our platform can use it in a lab. Within your own AWS account where you created your AMI for the lab image, click on the AMI, and at the bottom of the screen, you will see Permissions. Select Edit AMI permissions and Add account ID. This will open a box where you enter the Account ID that is displayed in Lab Builder. Click Share AMI. Now, copy the AMI ID of the machine you just shared and add it to the Lab Builder machine AMI ID section. Set the following configuration for the other sections in this editor:

System Name: Your chosen name for the system you’re configuring. For this example, let's call it “Linux Machine”.
Instance Type: t3.medium
Connection Type: SSH
Username: lab-user (or the username you set)
Password: lab-user (or the password you set)

Once you’ve configured your system, you can easily use it in Lab Builder by selecting Preview System on the system view. Assuming you’ve built everything correctly, you’ll get a shiny preview of your newly configured machine! This is a good time to run through your lab scenario to ensure it's working correctly.

And that’s it—congratulations on building your first practical lab! At this point, you can spruce up your lab by adding additional questions or details to the briefing panel and publish your lab to your organization for them to enjoy. This powerful new feature puts the control directly in your hands, allowing you to create incredibly specific and challenging learning environments. These range from simple privilege escalation scenarios like this one to complex, multi-machine attack simulations. We can’t wait to see the innovative labs you'll create. In the meantime, if you need more ideas or support, use our Help Centre docs for Lab Builder.

Building Your First Practical Lab (Part 1)
This is the first blog in a two-part series that will walk you through the entire process of building your first custom practical lab. You'll learn how to do everything from launching and configuring an EC2 instance in your AWS account to imaging it and seamlessly integrating it into our platform. In this blog, we'll walk through the process of creating and importing your own machines. In part 2, we'll walk you through building a simple Linux privilege escalation scenario as a working example. Our goal is to give you the foundational steps so you can confidently design scenarios tailored to your own creativity, environment, and organizational needs.

Building your machine in AWS

The first step is to log into your AWS account and provision your first EC2 machine to be configured. Access to AWS will depend on your organization and its access rules (e.g., logging in via console.aws.amazon.com).

Provision an EC2

Once logged in, the first step is to launch an EC2 instance. Search for "EC2" in the top search bar and click "EC2" under Services. In the EC2 Dashboard, click "Launch instance". The lab will use a standard Linux distribution. It's recommended to start with a clean slate. Select Ubuntu Server 22.04 LTS (HVM), SSD Volume Type, or a similar recent Ubuntu LTS version. This is a widely used and well-documented distribution. It's also in the free tier, which means we can keep costs as low as possible.

The next step is to select the instance type. Lab Builder supports t3.micro, t3.medium, and t3.large. Select whichever instance type and associated resources best suit the machine's role in the lab. Since this is a reasonably straightforward Linux privilege escalation lab, we are going to use t3.micro.

Now, we'll need to configure the instance details. You can generally leave most of these settings at their defaults for the current purpose.

Network: Ensure your default VPC and a subnet are selected.
Auto-assign Public IP: Check that this is enabled so you can SSH into the instance from the internet and configure it.
Security Groups: These control the machine's inbound and outbound access. Since you need to configure the machine, make sure SSH is open so you can connect to it (alternatively, you can use AWS Systems Manager to control access without the need for SSH or direct network access). When using Security Groups, it's good practice to allow only sources from trusted IPs. Select "Create Security Group", then select "Allow SSH traffic from". For the source, it is recommended to select a trusted IP range or your own IP.
Storage: The storage you'll need will depend on the machine you're building. However, the default storage (8 GiB General Purpose SSD gp2) is usually sufficient unless you're installing and configuring large applications. Note: We do not currently support encrypted EBS volumes.

Now you're ready to launch your machine! Review all your settings carefully and click Launch. You'll be prompted to add an SSH key to the machine. You'll use this key to connect to the instance and configure it. To create a new key pair, choose a name like my-lab-key and click Download Key Pair. Keep the downloaded .pem file secure; you'll need it to SSH into your instance. If you're using an existing key pair, select it. Once you have your key sorted, select Launch Instance. Your EC2 instance will now start to launch. It might take a few minutes for it to be ready.

Configuring the instance for use as a lab

Once your EC2 machine is launched and ready, it's time to connect to and configure it, ready to be used in a custom lab! Connect to the running instance via SSH, using the key you downloaded when you provisioned the EC2:

ssh -i <key>.pem ubuntu@<public_ip>

Note: You may need to change the permissions on the key first by running chmod 400 <key>.pem

Next, update the system packages.
sudo apt update
sudo apt upgrade -y

Note: Depending on the future labs you create, you may not want to update system packages if you need specific versions of software or libraries installed.

Setting up SSH for the lab user

With Lab Builder, labs can be configured to have a session open when the lab loads. This session can be SSH, RDP, or HTTP. For this lab, we want the lab to load in the platform with the lab user already SSH'd into the machine, so they can get to work on the scenario straight away without needing to worry about connecting to a machine themselves.

Many default Ubuntu AMIs disable SSH password authentication and only allow key-based authentication by default, but this can be changed. Password authentication needs to be enabled to allow our lab user to connect with a password (Lab Builder does not support key-based authentication). To do this, we can update the configuration for SSH. In the examples below, we use nano, but you can use whichever file editing tool you are comfortable with (Vi/Vim, etc.).

sudo nano /etc/ssh/sshd_config

Find the line that says #PasswordAuthentication no or PasswordAuthentication no. We want to change this to allow our users to connect via a password:

PasswordAuthentication yes

Make sure ChallengeResponseAuthentication is set to no (it usually is). Save the file.

While this will work for most distributions, certain images provided by AWS can have additional config for SSH that needs to be changed. For the image we are using in this example (Ubuntu Server 22.04 LTS (HVM), SSD Volume Type), we also need to change the file at the location below:

/etc/ssh/sshd_config.d/60-cloudimg-settings.conf

Open this file and make the same change we made in the main sshd_config file:

PasswordAuthentication yes

For the changes to SSH to take effect, restart the SSH service:

sudo systemctl restart ssh

Next, let's create a dedicated user account for our lab participants.
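The two sshd configuration edits above (the main sshd_config plus the cloud-image drop-in) as an added shell example, not code from the original post: it applies the PasswordAuthentication change to any file it is given and reports the value sshd would actually use, which shows why the drop-in has to be edited too. The function names and the sample file contents are mine, and demo() works on temporary copies rather than /etc/ssh.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. It applies the
# "PasswordAuthentication yes" change to whichever sshd config file it is
# given, and reports the value sshd would actually use when several files
# are involved (sshd keeps the FIRST value it reads, and Ubuntu's
# sshd_config includes sshd_config.d/*.conf near the top, so a drop-in
# such as 60-cloudimg-settings.conf wins over the main file).
# The file names and contents in demo() are constructed samples.

# Rewrite every PasswordAuthentication line in FILE (commented out or not,
# with any spacing) to "PasswordAuthentication yes"; append the directive
# if the file never mentions it. Writes through cat so the file keeps its
# owner and mode.
enable_password_auth() {
    file="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$file" 2>/dev/null; then
        tmp="$(mktemp)"
        sed -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*$/PasswordAuthentication yes/' "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'PasswordAuthentication yes\n' >> "$file"
    fi
}

# Print the value sshd would use ("yes" or "no"), reading the files in the
# order sshd sees them (drop-ins first, then the main file). Comment lines
# are ignored; sshd's own default is "yes" when nothing sets it.
effective_password_auth() {
    for f in "$@"; do
        v="$(grep -E '^[[:space:]]*PasswordAuthentication[[:space:]]' "$f" 2>/dev/null | head -n 1 | awk '{print tolower($2)}')"
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    printf 'yes\n'
}

# Walk through the situation from the post on temporary copies: the main
# file has the directive commented out, the cloud-image drop-in forces "no".
# Prints the effective value before, after fixing only the main file, and
# after fixing the drop-in too.
demo() {
    dir="$(mktemp -d)"
    main="$dir/sshd_config"
    dropin="$dir/60-cloudimg-settings.conf"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
        '#PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' > "$main"
    printf '%s\n' 'PasswordAuthentication no' > "$dropin"

    before="$(effective_password_auth "$dropin" "$main")"
    enable_password_auth "$main"        # main file alone is not enough...
    mid="$(effective_password_auth "$dropin" "$main")"
    enable_password_auth "$dropin"      # ...the drop-in still said "no"
    after="$(effective_password_auth "$dropin" "$main")"

    rm -rf "$dir"
    printf '%s %s %s\n' "$before" "$mid" "$after"   # prints: no no yes
}

demo
```

On the real host, run the two functions with sudo against /etc/ssh/sshd_config.d/60-cloudimg-settings.conf and /etc/ssh/sshd_config, restart ssh, and confirm with sudo sshd -T | grep -i passwordauthentication, which prints the value the daemon is really using. While password login is on and the lab-user password is known, keep the security group limited to trusted source IPs as the post recommends.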
sudo adduser lab-user

When prompted:
- Enter a password that will be used for lab-user (make sure you remember this, as we will need it later!)
- Re-enter the password to confirm.
- You can press Enter for all the full name, room number, etc., prompts.
- Confirm with Y when asked if the information is correct.

Note: We recommend changing the password above to something unique to you and this machine.

At this point, we recommend logging out of the existing SSH session as the ubuntu user and logging in as the newly created lab-user to verify that the SSH configuration has been updated and that you can successfully connect to the machine via password-based SSH authentication.

ssh lab-user@<ec2-ip>

You should be prompted to enter the user's password, after which you will be connected to the machine:

ssh lab-user@52.18.126.144
lab-user@52.18.126.144's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-1029-aws x86_64)
lab-user@ip-172-31-17-115:~$

Ready to create the lab challenge? Read part 2 here.

Hasta La Vista, Passive Defense: Why Blue Teams Need an Offensive Edge
In a world of ever-evolving tactics, techniques, and procedures (TTPs) and relentless adversaries, it's no longer enough for defenders to simply monitor, detect, and respond. You can't wait for next-gen threats to come to you: you must go on the offensive to stay ahead. I'm not saying you need to send an advanced cyborg back in time to test yesterday's defenses, but your blue team does need to adopt offensive mindsets and methods to stay ahead today. Now, as Arnold once said, come with me if you want to live.

Adapting to a threat-led world

Traditional Security Operations Center (SOC) roles were built for known threats and predefined signatures. Attackers don't play by those rules anymore. Understanding offensive tactics helps defenders anticipate attacker behaviors, prioritize real risks, and reduce alert fatigue. This proactive approach leads to more effective incident response and a threat-informed defense strategy. Defensive teams that understand offensive logic are better at:

Anticipating lateral movement
- Introduction to Detection Engineering includes labs that analyze logs generated during lateral movement and use tools like Process Monitor and Sysmon.
- APT29: Threat Hunting with Elasticsearch can help you understand attacker tactics and techniques, which is crucial for anticipating lateral movement.

Recognizing attacker tradecraft
- Attacking the Active Directory is a critical skill in any offensive security professional's arsenal, involving setting manipulation and intentional misconfigurations to gain unauthorized access.
- Exploitation, Weaponization, and Delivery focuses on payload creation, obfuscation techniques, delivery methods, and communication techniques used in cyberattacks, providing hands-on experience with tools like Metasploit.

Prioritizing real risk over alert fatigue
- Threat Hunting covers essential topics like threat research, digital forensics, and malware analysis, which are crucial for understanding and prioritizing alerts. The labs include a variety of tools like Wireshark, Process Monitor, and Volatility to analyze network traffic and investigate incidents, helping users to identify and respond to suspicious activities effectively.

If your blue team thinks like a red team, your incident response becomes threat-informed and dynamic.

Offensive skills that matter for defenders

Not everyone needs the skills of a full-time red teamer, but they do need to think critically about attacker behavior to protect critical assets (cough cough, John Connor). We suggest focusing on these areas:

Understanding how common tools behave in the wrong hands (C2 frameworks, privilege escalation chains)
- PoshC2 provides training on command and control frameworks, credential harvesting, system enumeration, and privilege escalation, all of which are crucial for operating under the assumption that a breach has occurred.

Scenario-based threat modeling and adversarial emulation
- Threat Modeling Fundamentals explores threat modeling, attack trees, and tools like Threat Dragon. These labs help teams identify vulnerabilities, understand different methodologies, and implement effective countermeasures.
- Reconnaissance covers understanding and employing the reconnaissance techniques essential to offensive operations.

Exploit walkthroughs to reinforce detection and log analysis, recent campaigns, and the heavy-hitter offensive TTPs
- BadSuccessor: Offensive
- CVE-2025-35433 (Erlang SSH): Offensive
- CVE-2025-31161 (CrushFTP): Offensive
- Water Gamayun: (CVE-2025-26633) Campaign Analysis
- Threat Actors: Salt Typhoon - SNAPPYBEE Campaign Analysis
- Command and Scripting Interpreter (T1059)
- Valid Accounts (T1078)
- Lateral Movement via Remote Services (T1021)

You should also think about:

Cyber incident simulations with "adversary POVs"
- For hands-on training, explore our Pen Test CTF labs to build penetration testing and exploitation skills in a capture-the-flag format.

Want to take exercising your teams to the next level?
Talk to your account team about Cyber Range Exercises. Engaging in offensive security training raises awareness among employees about potential threats and attack vectors. This awareness fosters a security-first culture, encouraging proactive behaviors and vigilance across the organization.

Prove and improve: planning for sustainable upskilling

The cybersecurity skills gap isn't just a hiring problem; it's a strategic opportunity. Building offensive awareness within defensive teams deepens technical expertise, sharpens detection logic, speeds up incident response, and improves threat prioritization. Success doesn't happen by accident; it requires a plan. If you're John Connor, maybe that plan is sending a Terminator back in time to protect your critical PI... but maybe your plan is partnering with Immersive to design a custom security program 😉

Sustainable upskilling starts with three core elements:

1. Baseline where you are today
Engage with Immersive Premium Support to conduct an Immersive assessment, or use Demonstrate labs across key tools and capabilities to baseline current skills. You can also reference threat simulation results or incident retrospectives to identify practical knowledge gaps. From there, define your target skills and security outcomes (e.g., improving lateral movement detection or reducing false positives), then build and execute a plan to get from A to B.

2. Design learning journeys, not one-offs
Structure development plans across 6-, 12-, and 18-month checkpoints. We recommend tailoring these to role-specific needs, but in the context of today's blog, you should also consider use cases like:
- Have your Tier 1 SOC analysts start by learning scripting and alert triage logic.
- Challenge senior analysts to complete red team shadowing or participate in a DTF to strengthen threat hunting skills and hypotheses they can use in detection engineering.

3. Prove value through applied learning
Build defenders who can think and act with offensive context. Encourage applied projects like:
- "Hack-your-first" systems to better understand attacker behavior.
- Logging analysis with an "assume breach" lens.
- Injecting adversary POVs into tabletops or incident retrospectives.

The new defender DNA

Defensive security is evolving. It's no longer about who can triage the fastest; it's about who can think like the threat and adapt in real time. Upskilling your blue team with red principles isn't about turning defenders into pentesters. It's about giving them the tools they need to defend with intent.

Share your thoughts

Have you been leveling up your team's offensive instincts? Is your blue team ready to terminate threats before they take root? Share your story in the comments below! Don't let your cyber resilience go offline this summer; stay sharp and threat-ready. Get updates on posts like this by following the Human Connection Blog!

ISO 27001 and the Immersive One Platform: Strengthening Your Information Security Posture
The importance of continuous evidence

When audits or investigations happen, it's not enough to say you've got things under control; you need to prove it. That means having solid evidence of your security posture, how it's been implemented, and a continued commitment to it. Without that, the risk of fines and reputational damage goes up. Being able to demonstrate continuous evidence is crucial for staying in line with the latest directives and regulations.

How Immersive can help

Immersive helps organizations implement compliance frameworks like ISO 27001 by providing evidence of due diligence, simplifying the human element of security, and enabling gradual expansion of security measures. Depending on your priorities, or where you perceive your biggest gaps to be, these are some of the areas you can leverage in the Immersive platform:
- Improving the speed and quality of response to emerging threats.
- Increasing efficacy in recruitment, retention, and career development.
- Reducing cloud and application vulnerabilities early in the Software Development Life Cycle (SDLC).

Here are three practical ways Immersive supports ISO 27001 compliance:

1. Hands-On Labs
These labs ensure people across different roles get the right training and skill development. Security and technical teams have varying needs, and our labs help meet those needs by aligning practical learning to specific job functions. A general theme is that failing to provide proper training isn't just a missed opportunity; it can be seen as negligence. An organization is responsible for providing training tools, which should be aligned with specific roles. Here are some of the ISO 27002 sections that our Hands-On Labs align with: 5.4, 5.7, 6.1, 6.3, 8.7, and 8.27. For more details, see the ISO 27002 implementation guide.

2. Crisis Sim
All frameworks emphasize properly exercising staff and those with decision-making responsibilities. This covers everything from traditional tabletop exercises (TTX) at the board level to hands-on scenarios for teams further down the organization. Proving these exercises are happening effectively can be challenging. Traditional exec-level sessions are expensive, time-consuming, and hard to scale. Crisis Sim helps to solve this. It offers a practical, scalable way to run structured exercises across different teams and roles, including the supply chain. Here are some of the ISO 27002 sections that our Crisis Sim solution addresses: 5.4, 5.20, 5.24, 5.34, and 8.16. For more details, see the ISO 27002 implementation guide.

3. Workforce
Plenty of areas in the ISO 27001 framework apply to the entire organization, not just technical teams. In some cases, we already have content such as labs and workforce exercises that can be used right away. But often, the focus is on your own internal policies and procedures, and that's where our customizable templates and lab-building tools come in. The Immersive Workforce methodology gives you a structured way to train your people and show that they truly understand and can apply those policies in real-world scenarios. It's all about making security awareness practical, measurable, and tailored to your organization. Our Workforce methodology meets the following ISO 27002 sections: 5.10, 5.17, 5.27, 5.34, 6.3, 6.7, and 8.1. For more details, see the ISO 27002 guide.

Turning compliance into confidence

By tapping into the full power of the Immersive platform, organizations can go beyond just checking compliance boxes. They can actively show due diligence, streamline compliance efforts, and proactively strengthen their information security posture. From hands-on training and crisis simulations to workforce assessments, Immersive provides the tools and methodologies needed to ensure that individuals at all levels are equipped to understand, apply, and uphold robust security practices. Ultimately, this leads to a more secure environment, reduced risk, and a clear demonstration of an organization's commitment to protecting its valuable information assets.

Share your thoughts

How is your organization approaching ISO 27001 compliance? Drop a comment below and let us know what's worked, or what you're still figuring out. For more details on strengthening your information security posture, check out these sources:
- ISO 27001 framework
- ISO 27002 implementation guide (for ISO 27001)
- NIS2
- DORA

Decoding Coding: Picking a Language
These days, more and more jobs can benefit from being able to write simple scripts and programs, especially in cybersecurity. For example, pulling data from an API, scraping web pages, or processing large data files to extract information; the list of uses is virtually endless! Tempting as it is to dive right in, there are several things worth thinking about before you begin. This article will discuss one of the most important choices: selecting a language.

What to consider when choosing a language

A basic understanding of programming languages can make your life easier, increasing your adaptability and finesse in different environments. But with tons of languages like Python, Java, JavaScript, Go, Rust, and more, which one should you choose? Here are the crucial factors to consider:

What's available
Can you install whatever language you like to run your code, or are there limitations? If you have an enterprise-managed computer, you might not be able to install new software or languages, and you may need to use the default options. For Windows, this is PowerShell. Bash scripting is the equivalent for Mac and Linux devices, and Python is often available too.

Your personal experience and interest
This one might sound obvious, but it does matter. We learn better and faster when we're invested in the subject. Look at your previous experiences. Have you worked with any programming languages before? Did you enjoy them? For example, if you had a good experience working with Python, let that guide your decision! That said, don't shy away from learning something new if there's a good reason or you're curious to do so.

What's trending in your organization
Does your organization or team predominantly use a specific language? Not only would learning that one help you communicate better with your colleagues, but it could also give you an edge while working with systems developed in that language. Plus, there'll be plenty of people to talk to if you get stuck!

The language's capabilities and nature
Like people, different languages have different strengths. Some are fantastic for web development (like JavaScript), while others are better suited for system-level programming (like C). Python is often an excellent choice. It's considered easy to learn, incredibly flexible, and powerful due to the huge catalog of packages available. While it isn't as fast as many other languages, for most purposes it's usually more than fast enough. Java is a very widely used object-oriented programming language and can be extremely fast. The learning curve is steeper than Python's, but there are loads of learning resources available. JavaScript (not to be confused with Java!) isn't as useful for quick standalone scripts or applications, but it's the dominant language for websites and browsers, so understanding it is practically a superpower for testing and manipulating websites and applications. C and C++ allow low-level access to memory and offer a lot of flexibility, which is incredibly helpful when evaluating systems with these languages at their core.

Available tools and training
Great tools can make tough jobs easier. Certain programming languages have robust toolsets that can help automate your tasks. For instance, Python has a wide array of libraries and frameworks that make handling big projects a cinch while saving you time and effort; why reinvent the wheel when you can just import it? Take a look at what training is available for the language you're interested in. Older and more popular languages are likely to have more to choose from, but there's loads out there and a lot of it is free! Also, consider what tools you might already have access to within your organization.

Community and support
If a programming language has a large, active community, it means help is readily available when you get stuck. Languages like Python, JavaScript, and Java have strong communities and plenty of online resources available.

Scope for growth
If you're planning to learn a language, why not pick one that's in demand? Check job boards, look at industry trends, and see if learning a particular language can give your professional growth a boost!

Summary

Remember, no language is "the best". The best is the one that suits your needs and circumstances. You might even find mastering multiple programming languages useful over time. Just like speaking multiple languages, the more you know, the better you can communicate in different environments! Once you understand some of the basic programming concepts, like variables and loops, it's easier to learn a second or third language. Learning a programming language may initially seem like climbing a steep mountain. But once you get the hang of it, you'll realize that the view from the top was well worth the hike!

Want to take the next step? Here are some lab collections that may help you learn a bit more about PowerShell and Python:
- PowerShell Basics
- Offensive PowerShell
- Introduction to Python Scripting

Share your thoughts

If you're new to coding, tell us what language you're trying out! Why did you pick it, and would you make the same choice again? Are there any specific challenges you found or any relevant experiences you'd like to share?