Immersive Crisis Simulations Catalog

Note: You can download an Excel file of this catalog at the bottom of this page, which contains additional details and allows you to sort and filter the scenarios.

Contents:

• Energy and Infrastructure
• Logistics and Supply Chain
• Manufacturing 
• Healthcare
• Government
• Technology 
• Financial
• Other Sectors
• AI Essentials 
• Building with AI
• Secure with AI

Energy and Infrastructure

Crisis Sim

Crisis at the Dam

In Crisis at the Dam, you lead the crisis management team for a hydroelectric facility battered by days of extreme rain. Reservoir levels surge, structural and operational limits are tested, and your choices—about spillway releases, staff safety, and downstream alerts—shape community outcomes and grid stability.

The exercise demands rapid risk assessment, interpreting hydrological and engineering data, activating emergency action plans, coordinating with regulators and first responders, managing evacuations, and clear public and media communication while balancing ethical trade-offs and environmental impacts. This severe weather and flooding threat scenario, with potential critical infrastructure failure, benefits utility operators, crisis leaders, emergency managers, operations and communications teams, and any organization responsible for lifeline infrastructure or business continuity.

Malicious Code: Incident Responder

In this simulation, you serve as an incident responder within TalkCom’s SOC, confronting a malicious code incident against a national telecom with hybrid-remote staff. As criminal actors target remote access and core services, you’ll navigate 11 time-pressured injects that influence network availability, customer trust, and the secure communications relied on by emergency services and government users.

You’ll demonstrate situational awareness, triage and escalation, and rapid containment decisions (e.g., isolating hosts, tightening VPN access), select eradication and recovery actions, and communicate effectively with technical teams and leadership. The exercise emphasizes applying crisis management procedures, understanding business impacts, and reflecting on outcomes across identification, containment, eradication, recovery, and lessons learned. Ideal for SOC analysts, incident responders, and security leaders—especially in critical infrastructure or distributed-workforce environments—seeking practice against criminal group–driven malicious code threats.

Oldsmar Poisoned Water

This crisis simulation places you as the Incident Manager of a Michigan water treatment plant during a targeted nation-state intrusion modeled on Oldsmar. Under resource constraints and increased remote access use, an attacker attempts to manipulate chemical dosing through IT/OT pathways, creating an urgent public health and operational risk across 13 timed decision points.

You will triage and validate SCADA anomalies, contain compromised remote access (e.g., TeamViewer), coordinate safe plant operations, and balance evidence preservation with rapid mitigation. The exercise tests stakeholder communications, regulatory and public health notifications, engagement with law enforcement, and post-incident recovery planning. It is designed for incident managers, OT/IT security teams, and critical infrastructure leaders seeking to strengthen decision-making against targeted attacks on water and wastewater systems aligned to CISA guidance.

Operation Pressure Test

As Ganymede’s site manager after a recent acquisition, you face a localized cyberattack that led the Texas Railroad Commission to suspend operations. With legacy systems not yet aligned to Orchid Energy, you must run an IT/OT penetration test, remediate weaknesses, and deliver evidence that OT is protected from unauthorized access, control, and manipulation to restart production.

You’ll decide test scope and methods, coordinate OT/IT/security and vendors, manage evidence and change control, and prioritize fixes while balancing safety, downtime, and regulatory expectations. The scenario sharpens risk-based communication and decision-making with regulators, corporate leaders, and field staff against cyber threats targeting industrial control systems. Ideal for site leaders, OT/IT security managers, incident responders, and compliance professionals in energy and other critical infrastructure.

Orchid Energy: Pipeline Panic

In Orchid Energy: Pipeline Panic, participants confront a targeted nation-state cyberattack against newly acquired oil field operations controlled via Siemens PLCs, HMIs, and a compact SCADA system. With IT monitored by Splunk but the OT network largely blind except for a passive packet capture, suspected manipulation of pumpjacks, pipelines, and potentially a safety instrumented system triggers operational disruption, safety risk, and regulatory scrutiny across Orchid Energy’s Midland-based control center.

Success demands rapid, cross-functional decision-making: distinguishing IT vs OT impacts, safely isolating and restoring industrial processes, prioritizing safety over production, coordinating Incident and Crisis Management Teams, communicating with executives and stakeholders, and fulfilling regulatory obligations. The exercise emphasizes asset visibility, OT monitoring, M&A cybersecurity due diligence, and crisis leadership under pressure. Ideal for incident responders, OT engineers, security leaders, and crisis managers in energy and other critical infrastructure sectors.

Orchid Energy: Trial by Fire and Data

Orchid Energy's 'Trial by Fire and Data' plunges participants into a polycrisis sparked by a targeted attack that cascades across IT, OT, and corporate domains. As members of the Crisis Management Team, they confront simultaneous cyber intrusions, operational disruption, safety and environmental risks, media escalation, and shaken stakeholders, making time-pressured choices across 16 injects.

Success demands rapid triage, prioritization, cross-functional coordination, disciplined incident communications, ethical leadership, regulatory and legal awareness, and clear trade-offs between containment, continuity, and safety while managing incomplete information. Designed for crisis leaders, CISOs, security and risk managers, and operations and communications leads in energy and other critical infrastructure, this exercise builds readiness to handle targeted-attack-driven polycrises and strengthens decision making, stakeholder trust, and resilience.

Public Demonstration

In this workforce exercise, you act as a reporting analyst at Houlton Energy during a day of rising tensions: unusual in-office behavior—unattended USBs, questionable file access, and declining report quality—coincides with a public demonstration outside. As the situation develops, you follow security guidance, make decisions about building access and safe egress, and choose how to handle and transport your work laptop for potential remote work.

Participants must identify and report security anomalies, escalate appropriately, and apply physical security and digital hygiene practices (removable media handling, badge discipline, protecting data offsite, and managing digital footprint). The primary threat is an insider threat potentially linked to political/social activists. This exercise benefits staff in high-profile or regulated organizations—especially analysts, front-line employees, and managers—who need to strengthen reporting culture and security responsiveness.

Workforce

A Tough Call

In A Tough Call, you play a customer service advisor at Katara10 whose colleague’s newly issued work phone is stolen after hours, raising the risk of data exposure and account compromise. Across eight decision points, you must assess the situation quickly, follow company policy, and coordinate with the right contacts to report the incident, trigger a remote wipe, and manage communications.

The exercise tests practical skills in incident response, secure device handling on the move, password hygiene, and enabling multi-factor authentication. It simulates a targeted attack focused on a stolen corporate device and potential follow-on abuse. Frontline customer service teams and any staff who use work mobiles or access customer data will benefit from practicing swift escalation, containment, and recovery actions.

Logistics and Supply Chain
 

Crisis Sim

Logistics Lockdown: 24 Hours of Chaos

In this simulation, a Tuesday morning begins with your logistics partner’s ERP and shipping systems taken offline by a suspected ransomware attack, halting order processing, shipment building, and label printing. Warehouses are full, millions in inventory are stranded, and a critical inbound shipment arrives tomorrow. Orders keep coming and customers are demanding answers, leaving you with a 24-hour window to stabilize operations and protect reputation.

As the Crisis Management Team, you’ll practice rapid triage, prioritization, and cross-functional coordination—balancing alternate logistics, customer communications, legal and ethical considerations, contract obligations, and supplier engagement. This ransomware-driven supply chain disruption scenario benefits CMT members, operations and supply chain leaders, IT/security, legal, and communications teams seeking to strengthen crisis decision-making, business continuity planning, and stakeholder management under pressure.

WastedLocker Personal Data Exposure

In this 30-minute crisis simulation, your organization faces a WastedLocker-style ransomware outbreak: employees suddenly lose access to critical files, operations stall, and indicators point to a targeted criminal attack with potential personal data exposure. As part of the crisis management team—playing CEO, COO, Head of Communications, or CISO—you must coordinate with IT and SOC to stabilize the situation and restore essential services.

You will practice rapid triage and containment, preserving evidence, assessing the scope of data exposure, and weighing backup recovery against ransom payment. Expect to manage stakeholder communications, regulatory and legal obligations, engagement with insurers and law enforcement, and prioritization of business continuity. This exercise sharpens executive decision-making and incident leadership for senior leaders in security, operations, and communications seeking to improve resilience against targeted ransomware by criminal groups.

Workforce

A King’s Ransom

In A King’s Ransom, you are a Communications Associate at Freshter Ltd, working remotely when a colleague’s risky browsing triggers suspicious changes on a device and potential ransomware activity. Across five decision points, you must triage the situation, recognize indicators of compromise, and coordinate an appropriate response while working via email, messaging, and video calls.

You will practice spotting unusual file changes, evaluating and reporting suspicious sites and activities, enabling browser protections, and escalating to IT security without paying any ransom. The exercise centers on a ransomware threat caused by human error and reinforces secure browsing and timely reporting. It benefits communications staff, remote workers, and any employees who must recognize and respond to ransomware risks.

Digging Deeper

As the Finance Manager at Ouvi Automotive Insurance, a routine day of approvals, email triage, and meetings is disrupted by a suspicious invoice and related messages that signal a phishing and social engineering attempt. Across five decision points, you must handle unexpected requests, potential credential capture, and follow-up activity while keeping operations moving.

This exercise builds skills in spotting phishing indicators, verifying identities and payment details, escalating to IT, and taking immediate containment steps such as changing credentials and reviewing account activity. It reinforces strong password hygiene and caution with unsolicited contact (including social media), and demonstrates practical incident-response actions in a business context. Ideal for finance and accounts-payable staff, managers who approve spend, and any employee exposed to payment or access requests, it focuses on phishing-driven credential compromise and its impact on financial workflows.

Gone Phishing 3

In Gone Phishing 3, you step into the roles of the CEO and Executive Assistant at Connez International, navigating a crowded inbox and message stream as suspicious requests and urgent directives appear. Across five decision points, you must decide when to engage, verify, or escalate, balancing business pressure with sound security judgment.

Participants practice spotting phishing, spear-phishing/whaling, and CEO impersonation by scrutinizing sender details, tone, links/attachments, and context; confirming requests via trusted channels; and reporting promptly to IT security. The exercise strengthens risk-based triage, incident reporting, and protection of executive workflows. Ideal for executives, executive assistants, and staff who handle sensitive communications, this workforce exercise sharpens vigilance against targeted phishing campaigns.

Internal Affairs

Internal Affairs places you inside Dynamik Manufacturing as an insider sabotage disrupts control systems used by IM Manufacturing and other clients. Playing as a Senior Data Engineer, a junior security analyst, and the Head of IT Security, you must investigate ambiguous system damage in a high-stakes OT environment where malfunctioning machinery could harm people, while managing client expectations and operational pressure.

You will practice detecting and triaging insider activity, preserving evidence, tightening physical and logical access, coordinating across IT/OT, and making safety-first disclosure and shutdown decisions. This insider-threat scenario benefits security teams, data/OT engineers, incident responders, and leaders in manufacturing and critical infrastructure who must balance business commitments with transparent communication and the protection of human life.

Social Engineering Techniques

This workforce exercise places you in the inbox and browser of a typical employee as criminal groups launch a series of modern phishing and social engineering attempts. Across 10 injects, you’ll face urgent emails, fake CAPTCHAs, bogus browser update pop-ups, lookalike login pages, malicious attachments, and push-based MFA prompts designed to make you click, download, or disclose information.

You’ll need to verify senders and URLs, recognize deceptive web flows, refuse unsolicited downloads, spot pretexting and task fraud, deny uninitiated MFA approvals, and escalate to security when uncertain. Success hinges on stopping, validating through trusted channels, and reporting rather than interacting. This scenario focuses on phishing attack vectors used by criminal groups and benefits all employees seeking to sharpen everyday detection and response decisions that keep accounts and organizational data secure.
 

Manufacturing

Crisis Sim

Electric Car Catastrophe

In Electric Car Catastrophe, you act as Head of the Crisis Management Team at McCross, a global automaker preparing to launch a high-stakes electric vehicle. A criminal group deploys ransomware that threatens IT and OT environments, risking plant shutdowns, supply chain disruption, and missing peak sales months. With lean, just-in-time operations and minimal inventory, every hour of downtime imperils revenue and jobs.

Across 19 decision points, you must lead triage and containment, decide on production pauses, prioritize critical systems, leverage backups, and manage IT/OT segmentation and recovery. You will direct clear internal and external communications, coordinate with legal and law enforcement, and balance ransom considerations against business continuity and safety. This exercise benefits crisis leaders, manufacturing and OT security teams, and executives who need to practice responding to ransomware in complex, time-sensitive industrial environments.

Manufacturing Crisis

Manufacturing Crisis immerses you at EngiTech, a UK manufacturer that recently deployed IIoT devices from a trusted supplier. Weeks later, equipment malfunctions escalate to a plant fire and widespread disruption traced to a disgruntled ex-employee at the supplier who retained credentials. Across 20 injects, you rotate between Manufacturing Operations Manager, Fire Marshal, Director of Manufacturing, and Crisis Management Team roles to navigate a fast-moving cyber-physical incident.

Success demands rapid risk triage, plant safety and evacuation decisions, OT/IT incident response, vendor access and credential revocation, production recovery, and clear communications with employees, customers, media, and regulators. The scenario emphasizes insider-threat and supply chain compromise awareness, third‑party offboarding controls, evidence preservation, and business continuity planning. It benefits manufacturing leaders, plant and facilities teams, crisis managers, SOC/IR analysts, and vendor risk owners seeking to strengthen resilience against cyber-physical attacks.

Product Contamination Sabotage

This crisis sim places you at Tung-Lo, a remote-by-default beverage maker whose AI-driven factory and SCADA are managed via O365, Slack, Zoom, and TeamViewer. As a new flavor launch and a potential SipCo acquisition near, a targeted sabotage by political/social activists triggers anomalies in production data and suspected product contamination, igniting online backlash and customer complaints.

You’ll triage OT/IT alerts, isolate compromised SCADA, decide on shutdowns and batch holds/recalls, preserve evidence, and coordinate with regulators, law enforcement, and the acquirer. Success depends on rapid cross-functional decisions across Customer Success, Technical Operations, Legal, Comms, and the CEO: stakeholder messaging, legal risk management, supply chain continuity, and reputational recovery. This exercise models a targeted activist attack on industrial control systems and benefits leaders and responders responsible for ICS security, crisis communications, and business resilience.

The Walls Have Ears – Part One

In this targeted-attack crisis simulation, participants step into a CMT navigating unexplained production failures, system glitches, and rising employee unease that point to malicious interference. As evidence emerges—including a discovered Wi‑Fi Pineapple and signs of an insider threat—the team must stabilize operations, protect sensitive data, and manage escalating internal and external pressures under tight time constraints.

Success requires rapid incident assessment, containment and evidence preservation, coordinated decision-making across Operations, HR, Communications, and executive leadership, clear stakeholder messaging, and continuity planning to defend intellectual property against potential industrial espionage. This exercise benefits crisis managers, senior leaders, Operations heads, HR and Communications leads, and security/incident response stakeholders seeking to strengthen insider-risk management, governance, and real-time decision-making in high-stakes scenarios.

The Walls Have Ears – Part Two

In The Walls Have Ears – Part Two, participants confront the aftermath of a targeted cyber-espionage attack as a rival exploits stolen IP, triggering market turmoil, collapsing partnerships, employee unrest, and intense board and regulatory scrutiny. Across 13 decision points, the CMT must stabilize operations, protect reputation, and steer the organization through high-stakes uncertainty while coordinating Managing Director/CMT lead, HR, Operations, and the Board.

Success demands decisive leadership, cross-functional coordination, and clear stakeholder communication; rapid incident response and containment; management of insider and third‑party risks; legal and regulatory disclosure; workforce engagement; investor relations; and continuity and recovery planning. This simulation is ideal for executives, crisis managers, HR and operations leaders, board members, and security/communications teams seeking to prepare for targeted attacks and corporate espionage that test governance, ethics, and strategic resilience.

OT Crisis Management for Executives

When an OT incident escalates into a crisis, the decisions that follow aren't technical ones. They're leadership decisions made under pressure, with incomplete information and real-world consequences for safety, operations, and the organization. This collection covers what makes OT incidents different for leaders, recognizing escalation, decision-making in OT environments, stakeholder and regulatory communication, leading through prolonged disruption, and post-crisis review and accountability.

Healthcare

Crisis Sim

Healthcare AI

After PXT Healthcare Group deploys an AI diagnostic tool from HealthUTech, a lack of input verification and output oversight leads to misdiagnoses and incorrect treatments. As the crisis escalates, the Crisis Management Team must stabilize patient safety, keep services running, and respond to intense scrutiny from regulators, media, clinicians, and the public.

Participants will weigh whether to suspend the system, identify and notify affected patients, coordinate clinical remediation, engage the vendor, preserve evidence, fulfill regulatory reporting, and communicate transparently while restoring trust. They will design immediate guardrails—data validation, human-in-the-loop review, monitoring—and longer-term governance. The threat centers on AI governance and third‑party technology risk with clinical, operational, legal, and reputational consequences. Ideal for healthcare crisis leaders, executives, risk and compliance officers, clinical leadership, IT/data governance teams, and communications professionals.

Pharmaceuticals, Insider Threat: IP Crisis

Your organization, Llama Pharma, is days from releasing Zillium when a rival debuts a drug built on your unpatented biotech. With only a handful of trusted staff able to access the formula, you must quickly determine whether a current or former employee leaked the IP, contain any ongoing compromise, and protect the launch, evidence, and reputation.

Participants will triage and scope an insider, targeted attack; hunt for exfiltration across logs, endpoints, and repositories; identify backdoors; tighten access; preserve forensics; and coordinate with Legal, HR, and Communications on disclosure, law enforcement, and regulatory strategy while balancing business continuity. Success depends on sound incident response, insider-risk detection, data loss prevention, decision-making under pressure, and clear stakeholder communication. Ideal for security leaders, SOC/IR teams, IT admins, legal/compliance, and R&D or product executives responsible for safeguarding intellectual property.

Workforce

Business As Usual

In this scenario, you play a new Business Development Representative at GreenBottle Inc tasked with building a social media presence and engaging prospects. As you promote company updates and network online, you encounter a suspicious email that tests your ability to spot and handle a phishing attempt while managing the risks of an outward-facing role.

Across multiple decision points, you’ll evaluate email red flags, verify requests, and use your organization’s reporting process, while also checking that your posts align with company guidelines and your social media settings protect sensitive information. This exercise focuses on phishing and social engineering that exploit public profiles. It’s ideal for sales, business development, marketing, and other customer-facing staff who rely on email and social media to engage potential clients.

Gone Phishing 4

In Gone Phishing 4, participants take the role of Toni Ogden, a clinical administrator at BM Frontline, and confront a sequence of seven email scenarios ranging from routine communications to urgent requests. For each message, they must decide whether it is authentic or a phishing attempt and gauge their confidence, taking appropriate action such as reporting suspicious emails to IT security.

Success requires scrutinizing sender addresses for lookalikes, evaluating tone and urgency cues, checking links and context, and recognizing timing tactics around weekends or deadlines. The exercise exposes both targeted and generic phishing techniques, reinforcing practical email hygiene and incident reporting. This scenario focuses on phishing and social engineering threats and benefits clinical administrators and any staff who regularly handle email-based communications.

Government

Crisis Sim

Embassy Bomb Threat

This crisis simulation places you at the British embassy in a crowded European capital amid a severe national threat level and a credible bomb threat. As head of security or head of communications, you must manage a fast-moving incident in a dense government and public precinct frequented by VIPs, commuters, and tourists.

Participants will practice threat verification, protective security, and incident command; decide on evacuation versus shelter-in-place; coordinate with police, emergency services, and neighboring sites; and maintain clear internal and external communications, media messaging, and stakeholder updates while safeguarding staff, visitors, and diplomatic principals. The exercise tests prioritization, situational awareness, and continuity planning under geopolitical pressure. It is designed for embassy teams, government departments, corporate security and crisis communications leaders, and any organization operating high-risk facilities or overseas offices facing physical terrorism threats.

Puppetmaster's Trick or Treat

This immersive crisis simulation places you in a national Crisis Management Team responding to a targeted cyberattack on critical national infrastructure. As the theatrical adversary “Puppetmaster” escalates a Halloween-themed campaign, you must manage cascading disruption while confronting ethical dilemmas and intense public scrutiny. The scenario streamlines technical and governmental processes to emphasize decisive leadership under uncertainty and time pressure.

Participants will practice establishing command, prioritizing competing national interests, coordinating across agencies and operators, and shaping a credible public narrative, while balancing choices around negotiation, containment, and attribution—each with consequences. Focused on a sophisticated targeted cyber threat with psychological manipulation, this exercise benefits crisis leaders, CNI operators, government responders, CISOs, communications heads, and executive incident response teams seeking sharper judgement, stakeholder coordination, and resilient leadership.

Technology

Crisis Sim

Accessibility Crisis

In Accessibility Crisis, you act as a product developer and member of the crisis management team at Anadyne Technologies on the eve of launching a blockchain cybersecurity platform. A coordinated, targeted attack by hacktivists challenges the product’s accessibility posture and your company’s DE&I commitments, putting integrity, customer trust, and potential legal exposure in the spotlight. You must navigate an unfolding incident while balancing launch pressures, regulatory expectations, and third-party dependencies.

Participants will triage and contain the incident, validate and remediate accessibility gaps (e.g., WCAG/Section 508), assess supply-chain obligations, make go/no-go decisions, and craft transparent communications to customers, media, and regulators while coordinating with legal and executives to mitigate litigation and reputational damage. This simulation focuses on a targeted, ideologically driven threat from political/social activists and benefits product teams, crisis leaders, compliance, legal, and communications professionals seeking to strengthen accessibility governance and incident response.

Collaboration Dilemma

In Collaboration Dilemma, you are the CISO of Aspea Technologies, a global provider of collaboration software to the financial sector, confronting a live supply chain compromise by criminal groups. A third-party vendor breach threatens customers and operations across Europe, North America, Asia, and the Middle East. Across 14 timed injects, you must steer the response as the attack unfolds in real time.

Success demands rapid triage, scoping and containment, coordination with the vendor, threat intelligence and forensics, regulatory and contractual notifications, customer and board communications, and risk-based decisions that balance service continuity, reputational impact, and legal exposure. This simulation is ideal for CISOs, security leaders, incident responders, vendor risk and compliance teams seeking to strengthen enterprise and extended supply chain resilience against supply chain attacks.

Insider Data Breach

In this 60-minute crisis simulation, you act as the security lead for insider threats as a high-performing but disruptive engineer prepares to leave for a rival, raising suspicion of IP exfiltration reminiscent of the Waymo–Uber saga. Over 28 timed injects, you must scope and investigate anomalous access and transfers, balance business pressure with risk, and coordinate a defensible response under legal, HR, and executive scrutiny.

You will practice insider risk detection, forensic triage and evidence preservation, rapid containment and access revocation, DLP and monitoring controls, offboarding safeguards, and internal and external communications. Key decisions include when to escalate, engage counsel or law enforcement, protect trade secrets, and manage reputational fallout. This data breach via insider threat scenario benefits security leaders, SOC/IR teams, HR and Legal partners, and IP-heavy organizations seeking to strengthen insider threat programs.

Okta - Failure to Communicate

As CISO of Kaprika, an IAM market leader, you face a supply chain compromise at a critical third-party provider, with criminal groups exploiting vendor access and triggering intense scrutiny from customers, regulators, and media. Across multiple decision points, you must triage technical risk, contain exposure, and steer the business through uncertainty while preparing for fallout, including a subsequent customer breach potentially linked to stolen data.

Success requires SME-level mastery of identity systems, tokens, and logs; decisive revocation and rotation actions; vendor risk management; coordinated disclosure; legal and regulatory alignment; and clear, credible communications to executives, clients, and the public. This exercise benefits CISOs and security leaders responsible for third-party risk, incident response, and reputational resilience against supplier-enabled attacks by criminal groups.

Orchid Corp: Blossom (Drill)

In Orchid Corp: Blossom (Drill), participants step into the leadership team as multiple vulnerabilities in the newly launched HR platform are publicly reported by users and an employee. With clients alarmed and the company caught off-guard, you must stabilize the situation, protect customers, and preserve trust while balancing speed, accuracy, and transparency.

Success requires coordinated vulnerability management and crisis leadership: triaging and prioritizing flaws, deciding on containment and patch timelines, aligning security and engineering on fixes, navigating legal and regulatory exposure, and crafting clear internal and external communications. The scenario focuses on vulnerability disclosure/reporting as the primary threat vector and benefits executives, security leaders, engineering managers, legal and compliance teams, and communications professionals who need to practice high‑stakes decision-making under scrutiny.

Pharmaceuticals, Insider Threat: IP Crisis

Llama Pharma’s breakthrough antidepressant, Zillium, is days from launch when a rival releases a copycat based on unpatented biotech. With access to the formula restricted to a small set of trusted staff, you must determine whether a current or former employee leaked the IP, trace how the data moved, contain further exposure, and protect the product launch and reputation.

Success requires insider-threat investigation, including log and endpoint analysis, access reviews, DLP and credential controls, and identification of any backdoors, while balancing evidence preservation, disclosure, legal action, and stakeholder communications. This insider threat and targeted attack scenario benefits security operations and incident response teams, IT administrators, legal, HR, communications, and R&D leaders in pharmaceutical and other IP-driven organizations.

Scenario Template – Supply Chain Compromise (Crisis Maturity 1)

In this crisis simulation, a SolarWinds-style supply chain compromise surfaces in a trusted third‑party software used across your environment. As the Incident Response Team, you face six time-pressured decisions to determine if your organization is affected, scope potential lateral movement, and choose measured actions that balance security, continuity, and legal/communications obligations.

Participants will practice situational awareness, applying IR plans to triage alerts, validate indicators, prioritize assets, and decide when to contain, isolate, patch, or hold for more intelligence. You’ll weigh collateral business impact, coordinate with vendors and leadership, and evaluate outcomes. Focused on a criminal group–driven supply chain attack, this exercise benefits incident responders, SOC analysts, IT operations, and risk leaders in any sector that relies on third‑party software.

WastedLocker Personal Data Exposure

An abrupt wave of file lockouts signals a WastedLocker-style ransomware outbreak. As part of the crisis management team—acting as CEO, COO, Head of Communications, or CISO—you must coordinate with IT and the SOC to validate the attack, gauge business impact and potential personal data exposure, protect critical services, and keep the company operating during a fast-paced, 30-minute simulation.

You will practice decisive triage and containment, isolation and recovery from backups, ransom response strategy, legal and regulatory assessment (including breach notification), and clear internal and external communications. The exercise sharpens leadership, stakeholder management, and risk trade-off decisions when facing a targeted ransomware attack by criminal groups. Ideal for senior executives, incident managers, and communications leads who need to rehearse high-pressure choices that balance service restoration with confidentiality and compliance.

Project Mythos

Mythos, a next-generation AI vulnerability scanner, has just gone on general release — and Orchid Bank, a tier-1 G-SIB processing over $6 trillion daily through its London payments engine, ran its first approved production scan over the weekend. Now the Security Engineering Lead is outside your office, and he says it's urgent.
Participants take on the role of the senior technology leadership team and must navigate a rapidly escalating incident while juggling a brutal set of competing priorities.

AI Shadow

The scenario takes place at Orchid Corp, which provides point-of-sale and e-commerce solutions to small businesses worldwide. The company has recently invested in AI capabilities, but has not yet established a formal AI acceptable use policy.

A routine alert in the SOC queue triggers an investigation that reveals something unexpected about AI tool adoption across the business. With limited resources and competing priorities, leadership must decide how to allocate its team – and those decisions will have consequences that compound as the day unfolds.

Shai–Hulud Supply Chain Attack

This exercise simulates an organisational response to the "Mini Shai-Hulud" supply chain campaign (May 2026). Meridian Digital, a mid-sized SaaS company, discovers that widely used open-source npm packages have been compromised by the threat group TeamPCP. The self-propagating worm steals CI/CD credentials, cloud API keys, and GitHub tokens — and can weaponise a victim's own packages to spread further.

Everyone's a Builder

This exercise simulates an incident response at Orchid Corp, a 1,000-person SaaS company in Amsterdam, where a junior engineer pushes an experimental AI-built CRM agent to a public GitHub repository — with a live corporate OpenAI API key committed inside it. The key has been exposed for 8 hours before the team is paged, and two unrelated threat actors have already exploited the opening: opportunistic bots racking up $25,000+ in API abuse, and a supply-chain worm (via a trojanised npm package) that harvested credentials and replayed an Okta session into systems holding customer data.

Workforce

A Big Deal

In this workforce exercise, you play the executive assistant to the CEO of MilkshakeSocials on the day of a high-stakes client meeting. A targeted social engineering campaign exploits information from your social media to create a duplicate account that reaches out to your network, threatening the deal and the company’s reputation. Through multiple decision points, you must keep the meeting on track while managing the emerging incident and stakeholder expectations.

Participants will practice verifying identities, recognizing impersonation and identity theft, controlling sensitive information, and taking swift actions such as blocking and reporting fake accounts, adjusting privacy settings, and communicating transparently with the client. This targeted attack scenario benefits executive assistants, client-facing staff, and anyone with a public profile who needs to strengthen digital hygiene, social media safety, and incident response skills to reduce reputational and security risk.

A Helping Hand

In this workforce exercise, you play a Learning Content Specialist at NewTechniks, a London-based SaaS scale-up expanding into new industries. Under time pressure to develop new learning content, you encounter persuasive emails and chat prompts that may be phishing, alongside opportunities to use AI tools. You must navigate company guidance on sanctioned technologies while collaborating with colleagues and external partners.

Success hinges on recognizing and reporting phishing attempts, validating AI-generated information, selecting approved tools, and escalating questions to security and compliance when policy is unclear. The scenario spotlights phishing and AI misuse risks; it benefits anyone who uses or approves AI tools—especially content, marketing, and product teams—by reinforcing secure tool selection, verification, and policy adherence in day-to-day workflows.

An Expensive Call

You play a Sales Manager on a last-minute trip, working from hotels and public venues while juggling client meetings and expenses. When you’re prompted to share card details over the phone and notice suspicious activity, you must safeguard sensitive information and manage payments without the usual office support.

The exercise develops situational awareness in public spaces, secure workstation setup (privacy screens and seating), discretion with payment details, use of secure channels, and rapid escalation to the right contacts out of hours to contain potential fraud. It simulates opportunistic eavesdropping/shoulder surfing and payment card compromise linked to remote working. Ideal for sales, field, and traveling staff, it sharpens practical decision-making to protect finances and data while working on the move.

Data Decisions

In Data Decisions, you act as a junior data analyst at DataTech Solutions, navigating five decision points that shape data accuracy, privacy, and security. You choose what data to collect and retain, how to safeguard PII, when and how to respond to DSARs, where to store data, who gets access, how to encrypt it, and how to address data quality issues and process gaps.

Success requires applying data minimization, least privilege, secure configuration, and responsible sharing, while knowing when to escalate concerns. The primary threats are data leakage and regulatory non-compliance resulting from mishandled information and weak controls. This exercise benefits analysts, data stewards, and anyone who processes or governs customer data, reinforcing practical habits that protect the organization’s reputation and build stakeholder trust.

ISO 27001 and You

In this workforce exercise, you play the human resources coordinator at Connectalize Communications as the company opens a satellite office in Japan. Under management pressure to launch quickly, you must recruit and onboard staff and enable operations while maintaining strict ISO 27001 compliance across a new international site.

Across multiple decision points, you’ll apply ISO 27001 controls to pre-employment vetting aligned with local laws, classify and handle assets correctly, protect the confidentiality, integrity, and availability of data during cross-border transfers, manage access and third-party risk, and document adherence to approved policies with ongoing monitoring. The primary threats are compliance and information security risks—data leakage, improper access, and supplier/insider exposure—common during rapid expansion. HR teams, hiring managers, compliance officers, and leaders in SaaS or global operations will benefit.

New Job, New Hardware

In this scenario, you’ve just been promoted to Director of Client Services at Silsix and must navigate your first week with new hardware while under pressure to deliver. You’ll face real-time choices about installing tools and browser extensions, responding to update and antivirus prompts, handling suspicious files, and managing requests from colleagues to use your device—all while maintaining productivity.

Success requires applying endpoint security fundamentals: verifying software sources, coordinating with IT when uncertain, refusing device sharing, promptly applying updates and antivirus, and recognizing social engineering risks. The primary threats include malware from unsafe downloads, unauthorized access from shared devices, and exploitation of unpatched systems. This exercise benefits client-facing leaders, new managers, and any staff responsible for corporate devices who need to strengthen practical device security decision-making.

Privacy Spotcheck: Data Subject Rights Requests Template

In this workforce exercise, you act as a [YOUR ORGANIZATION] employee navigating multiple data subject rights (DSR) requests from employees, candidates, customers, and end users. Across nine decision points, you must identify valid requests (access, erasure, portability, objection), distinguish when your organization is acting as controller or processor, and determine how to respond or escalate appropriately within required timelines.

You’ll demonstrate skills in spotting DSRs across channels, verifying identity, scoping and minimizing data, preventing unauthorized disclosure or deletion, documenting actions, and routing to the correct [TEAM]. The primary risks are privacy compliance failures, data leakage, and regulatory and reputational harm. This scenario benefits all staff who may receive personal data requests—especially HR, support, sales, recruiting, marketing, and IT—and helps build confidence in handling DSRs correctly and consistently.

Secret Santa

In Secret Santa, you play the executive assistant to the CEO of Connectalize Communications during the year-end rush, tasked with arranging employee gifts. Amid urgent requests and tight timelines, you receive a convincing email directing you to buy gift cards via an unfamiliar link, forcing rapid choices about verifying the sender, approving vendors, spending company funds, and escalating concerns.

Participants must spot indicators of Business Email Compromise and targeted phishing, validate identities through out-of-band channels, follow phishing reporting procedures, coordinate with IT and finance, and apply purchasing controls such as approved vendors. The exercise models real-world pressure and consequences, emphasizing swift incident response and cross-department collaboration. Ideal for executive assistants, administrative staff, finance and procurement, and anyone who manages executive communications or company purchasing.

Security Spotcheck Template

In this workforce exercise, a [YOUR ORGANIZATION] employee faces a realistic smishing scenario: unsolicited texts to their personal phone appear to come from [THE CEO], pressuring them to urgently purchase Apple or Amazon vouchers. Participants must spot SMS phishing indicators, resist urgency and authority cues, verify requests through trusted channels, avoid buying gift cards or sharing codes, and report the message via [INTERNAL SECURITY EMAIL ADDRESS] or to the [TEAM NAME AND CONTACT INFORMATION].

The exercise assesses decision-making under social engineering, including triaging suspicious outreach, choosing safe responses, and escalating appropriately. It targets criminal-group smishing tactics and benefits all employees, especially those likely to receive executive-impersonation messages on personal devices.

Strange Activity

In Strange Activity, you play a customer service advisor at IM‑Universe, an online gaming platform with an in‑game currency (IMCoin), amid recent organizational change. You encounter unusual account activity and a data subject access request sent broadly across the company, raising concerns of unauthorized access and a potential data breach. Across multiple decision points, you must assess signals, avoid oversharing, and escalate appropriately while coordinating with data protection and security teams.

Success requires sound judgment in incident reporting, identity verification, secure communications, and adherence to data privacy and company policies (including GDPR considerations). This exercise focuses on unauthorized access and data leakage risks, benefiting frontline customer support, service desk, and operations staff—anyone who handles customer data or communicates with users during an unfolding incident.

Strange Activity Multi-Role

Set in IM-Universe, a UK online gaming platform using IMCoin, you rotate through customer service, communications, senior management, incident response, legal, and strategic roles as unusual account activity points to unauthorized access and potential personal data exposure. Amid recent organizational changes, you must triage reports, verify indicators of compromise, contain affected services, coordinate player communications, assess GDPR obligations, and advise leadership on risk, regulatory notification, and recovery.

Success requires prioritizing limited information across five decision points while balancing user safety, business continuity, legal compliance, and reputation. The exercise builds cross-functional incident handling skills—detection, escalation, evidence preservation, stakeholder messaging, and application of security policies and procedures—against an unauthorized access threat. It is valuable for customer-facing teams, incident responders, managers, and legal/compliance staff in any data-driven organization, especially those in gaming and fintech.

Working Practices

In this workforce exercise, you play an InsiteDataCorp account manager handling sensitive customer blueprints and facing five decision points under time pressure. You’ll navigate unclear work-from-home guidance, the risk of using a personal device, a suspected phishing email, unusual device behavior, and the secure handling of physical documents, while deciding when and how to escalate to IT.

Success hinges on applying policy, recognizing phishing and suspicious indicators, maintaining physical security, and reporting incidents promptly. Centered on human error and remote working as attack vectors, the scenario demonstrates how poor decisions can lead to data leakage—ultimately traced to a personal device. This exercise benefits anyone handling confidential data, especially account managers, hybrid workers, and line managers responsible for communicating and enabling secure working practices.

Financial

Crisis Sim

Project Mythos

Mythos, a next-generation AI vulnerability scanner, has just gone on general release — and Orchid Bank, a tier-1 G-SIB processing over $6 trillion daily through its London payments engine, ran its first approved production scan over the weekend. Now the Security Engineering Lead is outside your office, and he says it's urgent.
Participants take on the role of the senior technology leadership team and must navigate a rapidly escalating incident while juggling a brutal set of competing priorities.

Other sectors

Crisis Sim

ShareYourDocs Breach – NIS2 Reporting

In this crisis simulation, Orchid Corp’s crisis management team confronts a suspected breach of ShareYourDocs, a third‑party platform used for sensitive board communications and hosted/administered in Germany. With limited and evolving facts, participants must navigate cross‑border regulatory exposure, assess potential compromise of confidential documents, and determine whether the incident meets NIS2 thresholds for notification and reporting under tight timelines.

Success requires rapid, defensible decisions on incident materiality, mandated reporting stages, and regulator engagement, while coordinating legal, executive, vendor, and communications stakeholders. Participants will balance operational continuity with supply‑chain risk, governance, and reputational impact, clarifying roles and escalation paths across functions. This exercise focuses on a third‑party platform compromise and benefits crisis leaders, CISOs, legal/compliance teams, DPOs, and executives in EU‑scoped essential or important entities seeking to strengthen NIS2 readiness and strategic response.

#LoveHacked

In #LoveHacked, you act as the COO and crisis management team lead at Orchid Retail on Valentine’s Day when a fast-moving cyberattack disrupts operations and threatens customer trust. Across the critical “golden hour,” you’ll navigate a series of escalating, time-pressured decisions with incomplete information to stabilize sales channels, assess potential data exposure, and maintain business continuity.

Success requires decisive leadership, rigorous triage, and risk-based choices on containment versus keeping services online, while coordinating with security, IT, legal, and customer teams. You’ll practice clear internal and external communications, stakeholder management, and reputation protection under pressure. This simulation targets a cyberattack scenario and is ideal for executives, crisis managers, incident commanders, operations leaders, and communications professionals—particularly in retail and other consumer-facing sectors seeking to strengthen first-hour crisis response.

A Not So Silent Night

Set during the peak holiday rush at the North Pole, this simulation places participants on Santa’s crisis management team after a new AI system misclassifies every child as naughty, freezing list management and jeopardizing on-time delivery. Across 16 injects, you must stabilize operations, manage internal morale and public scrutiny, evaluate offers from Grinch Incorporated, and diagnose and remediate the failure under intense time pressure.

Success demands sound crisis declaration and governance, clear external and internal communications, risk assessment and prioritization, vendor and legal considerations, ethical AI oversight, data integrity controls, incident response, and business continuity and recovery planning. The scenario models an AI/algorithmic failure causing operational disruption and reputational risk, benefiting crisis leaders, executives, communications and PR teams, operations and supply chain managers, and technology, security, and business continuity practitioners seeking to strengthen decision-making and organizational resilience.

AI-pril Fools: The Return of the Puppetmaster

AI-pril Fools: The Return of the Puppetmaster places your Crisis Management Team in a live-fire scenario where an AI-empowered adversary hijacks corporate communications, seeds misinformation and disinformation, and triggers cascading security and operational disruptions. With trusted channels compromised, participants must validate signals, re-establish secure communications, and regain control of the narrative as incidents unfold and stakeholders demand clarity.

Success requires disciplined crisis communication, rapid triage and containment, cross-functional coordination, and sound ethical judgment under pressure and uncertainty. Teams will practice verifying intelligence, prioritizing actions, briefing executives and the public, and mitigating reputational and business impact amid AI-driven manipulation. This exercise targets modern AI-enabled information warfare and communications takeovers, benefiting crisis managers, security and IT leaders, communications/PR teams, and executives seeking to strengthen decision-making and resilience.

Attacker Perspective: Spearphishing

In this attacker-perspective crisis simulation, you play a novice hacktivist tasked with spearphishing a video game publisher criticized for excessive staff hours. Working from a supplied dossier, you navigate nine decision points—from OSINT reconnaissance and target selection to crafting persuasive lures and delivering malicious code—while weighing impact against exposure and adapting to basic defenses. The scenario illustrates how readily publicly available information and lax controls can be exploited to gain initial access and cause disruption.

Participants must demonstrate social engineering judgement, payload selection, operational security, and risk-based decision-making. Focused on a politically/socially motivated hacktivist threat using spearphishing and malware, this exercise benefits security leaders, blue teams, incident responders, and awareness practitioners—particularly in entertainment and media—by sharpening understanding of attacker mindset, refining phishing defenses, and reinforcing vigilance against opportunistic intrusion paths.

Boardroom Betrayal: When Deepfakes Strike The Top

Boardroom Betrayal: When Deepfakes Strike The Top puts participants in the hot seat as a targeted deepfake campaign and insider-enabled fraud trigger a fast-moving corporate crisis. Fabricated executive audio/video fuels misinformation, reputational damage, and financial exposure, forcing rapid verification, containment, and stakeholder reassurance amid market and media pressure.

Success requires decisive, ethical leadership: authenticating content, activating cyber and legal response, managing insider‑threat investigations, shaping transparent communications, meeting disclosure obligations, and balancing speed with accuracy to protect customers, employees, and investors. Ideal for boards and C‑suite, it also benefits crisis managers, communications teams, and risk leaders seeking to strengthen resilience against deepfake and targeted attack scenarios.

Boardroom Hack

Boardroom Hack places participants in the board seat during a live ransomware crisis, with critical systems disrupted and sensitive data exfiltrated for extortion. Under time pressure and incomplete information, you must steer organizational response while managing operational disruption, media scrutiny, and stakeholder expectations.

Success demands strategic decision-making under uncertainty: weighing whether to engage with attackers, activate incident response and business continuity, notify regulators and customers, involve law enforcement, and shape transparent communications. You will balance legal, financial, ethical, and reputational risks while providing governance oversight and aligning stakeholder interests. This ransomware and data extortion scenario is ideal for boards and senior leaders seeking to test crisis readiness, clarify roles and risk appetite, and strengthen collaboration and communication in a globally applicable context.

Capita Ransomware Attack: Threat Response

In this crisis simulation, you are the crisis management team at Paragon Services, a consultancy serving NHS, defense, and local authorities, when a Black Basta-style ransomware attack locks out staff and disrupts client services. Adversaries have exfiltrated sensitive documents and threaten double extortion, forcing rapid decisions under public and regulatory scrutiny while operations fall back to manual workarounds.

Across 10 decision injects, you will triage and contain the intrusion, investigate a likely phishing-led entry, manage communications, determine notification and legal obligations, weigh ransom and negotiation options, coordinate with law enforcement and clients, and restore services from backups securely. This ransomware and data theft scenario benefits crisis leaders, security and IT operations, legal/comms teams, and anyone supporting high-trust, regulated or public-sector customers.

Christmas Tree-son

Christmas Tree-son is a crisis simulation in which your Crisis Management Team must stabilize the North Pole on Christmas Eve amid cascading incidents triggered by disgruntled former employees. Across 11 injects, you confront leaks, a data breach, an operational fire, and a whistleblower while regulators and the public scrutinize every move, with the specter of GDPR violations culminating in Santa’s arrest if mishandled.

Participants must coordinate clear, timely communications; protect data; triage operations for business continuity and delivery; weigh legal and ethical implications; and make high-stakes decisions with incomplete information and tight deadlines to preserve trust and mission. This exercise is ideal for crisis managers, CISOs and security leaders, communications and PR teams, legal/compliance, and executives seeking to strengthen cross-functional response to insider-driven cyber crises.

Digital Dilemma: Data Breach Response

Digital Dilemma: Data Breach Response immerses participants in a high-stakes breach at a global corporation, where sensitive data is suspected to be exfiltrated and operations are at risk. As the incident unfolds through multiple decision points, you must coordinate the Crisis Management Team, SOC, and Incident Response to investigate, contain, and recover while managing internal dynamics and external pressures.

Success requires clear leadership, rapid risk assessment, evidence-driven containment, prioritization of business continuity, transparent stakeholder communications, and timely legal/regulatory actions. The exercise emphasizes ethical trade-offs, cross-functional alignment, and post-incident learning. Focused on data breach threats, it benefits crisis leaders, SOC analysts, incident responders, communications and HR leads, and executives seeking to strengthen decision-making, resilience, and trust under pressure.

Echoes of Doubt: A Workplace Violence Exercise

In Echoes of Doubt, participants act as the Crisis Management Team responding to a suspected, then misdirected, and ultimately confirmed targeted workplace violence incident. The scenario unfolds through escalating, ambiguous reports that demand rapid threat assessment, activation of protective actions (avoid, deny, defend), coordination with security and law enforcement, and careful management of internal alerts, rumor control, and media scrutiny.

Success requires making time-critical decisions with incomplete information, triaging and verifying data, prioritizing life safety, and adapting strategies as conditions change. Participants will practice dynamic crisis communications, resource coordination, and post-incident recovery planning. This exercise is ideal for crisis management teams, security leaders, HR, facilities, communications, and executive stakeholders across industries seeking to strengthen readiness for targeted workplace violence.

Fool’s Gambit: Deepfake Dilemma

Fool’s Gambit: Deepfake Dilemma places you in the role of head of PR and communications at a leading news network during a targeted deepfake attack that undermines on-air credibility and public trust. As misleading clips spread, you must steady internal morale, manage a hostile news cycle, brief executives, reassure advertisers, and address escalating regulatory scrutiny while maintaining transparency.

Success hinges on rapid, strategic communication: verifying facts with editorial and technical teams, shaping clear public statements, sequencing disclosures, coordinating with legal, engaging platforms to curb misinformation, and monitoring sentiment to adapt your response. This simulation focuses on the deepfake/disinformation threat and benefits PR and comms leaders, executives, crisis managers, newsroom leaders, and security or risk professionals seeking to strengthen decision-making, stakeholder engagement, and reputational resilience under pressure.

GlobalCloud Breach: A Microsimulation on Third-Party Breach Exposure

Your organization has recently migrated authentication, collaboration, and customer-facing systems to GlobalCloud when hacker “rose87168” claims to have stolen millions of customer records. GlobalCloud initially denies a breach, but mounting evidence points to a compromised, still-connected legacy environment (GlobalCloud Classic). As the Crisis Management Team, you must lead a real-time response amid ambiguity and potentially misleading vendor updates.

Participants will assess third-party exposure, determine containment and isolation steps, validate indicators without full forensics, align legal, security, communications, and executive priorities, and judge regulatory disclosure thresholds (including NIS2) and customer messaging under uncertainty. This exercise centers on a third‑party cloud/supply-chain data breach with potential data exfiltration and service impact. It benefits crisis leaders, CISOs, incident managers, legal and communications leads, and risk executives seeking to sharpen decision-making in high-pressure, incomplete-information scenarios.

International Racing Championship

As Team Principal of an International Racing Championship outfit at the British Championship, you face a targeted cyberattack from criminal actors that threatens race-day operations, data integrity, and brand reputation. With a large trackside footprint—multiple hosts and terabytes of capacity—you must make time-critical calls on and off the pit wall across 44 evolving injects, balancing performance, safety, and reputation.

Success demands rapid triage and containment, OT/IT segregation, forensic preservation, vendor and partner coordination, clear stakeholder and media communications, regulatory considerations, and recovery planning amid extortion pressure. This exercise develops crisis decision-making and incident leadership for security leaders, team principals, operations managers, comms leads, and responders in any high-availability, mobile infrastructure environment confronting targeted attacks by criminal groups.

MOVEit Zero-Day: Threat Response

In this simulation, you respond to a real-world style zero-day exploitation of the MOVEit file transfer software affecting Beeches, a UK pharmacy chain reliant on third-party payroll services. A criminal group leverages the vulnerability to exfiltrate sensitive employee data via a supplier compromise, leaving you to operate under uncertainty while coordinating with the vendor and assessing potential exposure.

Across rotating roles, you’ll demonstrate rapid triage and containment, supply chain risk management, legal and regulatory decision-making (including breach notification), executive risk prioritization, and clear internal and external communications. The exercise emphasizes data-theft/extortion tactics stemming from a zero-day and benefits cybersecurity practitioners, crisis managers, communications teams, and executives seeking to strengthen cross-functional incident response to third-party compromise.

One Password, Multiple Problems: A Cybersecurity Awareness Exercise

Participants step into the CISO and Crisis Management Team roles at a telecoms company after a reused employee password is leveraged in a targeted attack, triggering data exposure, service disruption, and reputational risk. Across a sequence of decision points, they must triage the incident, contain lateral movement, coordinate forensics, enforce password resets and MFA, manage media and customer communications, and address legal/regulatory obligations.

Success requires sound incident response, risk-based prioritization, stakeholder communication, and cross-functional collaboration under pressure. The threat centers on credential reuse and human error exploited by a targeted attacker. This exercise benefits CISOs, crisis managers, IT/security teams, and non-technical staff seeking practical insight into password hygiene, proactive controls, and the ripple effects of everyday security choices.

Operation Skylock

Operation Skylock places the Bronze Command Team in a fast‑escalating incident at Orchid Corp following the launch of an AWS-hosted invoice app. A subtle reconnaissance and slow port scan quickly turns into remote access, privilege escalation, pivoting into AWS, data exfiltration, persistence, and a ransomware detonation that cripples the core business application. Participants must triage incomplete signals, investigate suspected breaches, coordinate tightly with the Silver Command Team, and recommend time-critical mitigations.

Success requires strong incident command, cloud and endpoint forensics, threat hunting, containment and recovery planning, and clear stakeholder communication under pressure. This simulation models a modern ransomware-and-exfiltration attack chain and benefits SOC analysts, incident responders, cloud security engineers, and operational leaders seeking to practice decision-making and business-technical integration during a live cyber crisis.

Orchid Rail UK: The Firmware Express Incident

A criminal group has compromised Orchid Rail UK’s Fleet Intelligence Platform—the WSUS-based system that distributes firmware to 387 trains—turning routine updates into a fleet-wide infection risk. As the Crisis Management Team, you face a fast-moving supply-chain attack propagating whenever trains connect at depots and stations, with potential safety impacts, service disruption, and regulatory scrutiny.

You must make rapid, high-stakes decisions: suspend and validate updates, revoke certificates, isolate or stand down rolling stock, activate disaster recovery, coordinate with Network Rail and the outsourced SOC, and manage transparent communications with regulators, law enforcement, staff, media, and passengers. Success hinges on balancing safety and continuity, evidencing forensics and legal obligations, and leveraging collaboration under time pressure. This simulation benefits leaders and responders in rail, transport, and critical infrastructure—CISOs, OT/IT incident handlers, and operations and risk managers—seeking to strengthen supply-chain resilience and crisis leadership.

Operation Wipeout

Operation Wipeout places your crisis management team in the midst of a targeted criminal group–led wiper malware attack that cripples systems and disrupts core operations. Participants must navigate irreversible data loss, cascading supply chain impacts, and heightened stakeholder concern while working to stabilize the business and restore critical services under pressure.

Across a series of time-pressured decision points, you will activate and adapt the BCP, coordinate incident response and forensics, prioritize recovery, allocate scarce resources, and manage clear, timely communications to executives, employees, customers, and partners. This exercise benefits crisis management teams, business continuity planners, and senior executives seeking to validate resilience, reveal operational interdependencies, and sharpen decision-making and communication skills during a severe, real-world cyber disruption.

Puppetmaster’s Revenge

In Puppetmaster’s Revenge, participants act as Immersive Tech’s Crisis Management Team after a criminal hacker hijacks connected IoT products, turning them into public pranks and safety risks. With services disrupted and customer trust wavering, you must stabilize operations while investigators trace the intrusions and motives.

Through eight decision points, you’ll prioritize incidents, assess product vulnerabilities, choose containment and patch strategies, coordinate with law enforcement and vendors, and shape transparent customer and investor communications. You’ll balance safety, legal and ethical considerations with brand protection, and explore turning the event into a reputational recovery story. This simulation suits crisis leaders, comms and legal teams, product and security managers, and executives—anyone seeking to strengthen decision-making and cross-functional coordination against criminal-group cyberattacks on IoT ecosystems.

Ransomware Template Scenario

In this Immersive Labs crisis simulation, you are the Incident Response Manager at [INSERT COMPANY NAME HERE], a key player in [INSERT INDUSTRY TYPE HERE], facing a fast-moving ransomware attack by a criminal group. Endpoints are shutting down as data is encrypted and exfiltrated, with threats to publish stolen information on a leak site. You must make rapid decisions with evolving, incomplete intelligence to contain the incident and stabilize the business.

You will assess indicators of compromise, triage and isolate systems, choose between shutdown, segmentation, and recovery paths, validate backups, and coordinate legal, communications, and executive briefings. The exercise tests your judgment on ransom engagement, evidence preservation, regulatory notification, customer messaging, and business continuity trade-offs. Designed for incident response leaders, security managers, and operational stakeholders, it sharpens readiness for ransomware campaigns by financially motivated criminal actors.

Ransomware: Garmin

Wake to an urgent call: Glomax has been hit by ransomware modeled on the 2020 Garmin incident. Critical systems are encrypted and users are locked out. As the Incident Response Handler, you must stabilize the first hours of a WastedLocker attack, establish situational awareness, and guide the organization through fast-moving uncertainty.

You will practice triage and scoping, isolating affected networks, preserving forensics, initiating backups and recovery, and coordinating with SOC, IT, legal, executives, and third parties. Key decisions include whether to shut down services, how to handle ransom notes and negotiations, when to notify regulators and customers, and how to balance containment with business continuity. This simulation is ideal for incident responders, SOC analysts, security leaders, IT operations, and communications teams who need realistic, time-pressured ransomware response experience.

Responding to a Scattered Spider Attack

This simulation drops you into a targeted, identity-based intrusion on Orchid Global by the Scattered Spider threat group. Attackers use social engineering to seize user and admin accounts, move laterally, exfiltrate sensitive data, and issue extortion demands. Across nine escalating injects, you act as the core incident response team, weighing containment and eradication against business continuity, legal exposure, and reputational impact.

Success requires rapid triage, access containment, MFA and SSO hardening, forensic preservation, breach scoping, and clear internal and external communications. You will make decisions on customer notification, executive and board briefings, law-enforcement engagement, and extortion strategy while applying relevant local laws and timelines. Ideal for SOC analysts, incident commanders, CISOs, communications leaders, customer support heads, and cross-functional crisis teams preparing for Scattered Spider–style targeted attacks.

Scenario Template - Terrorist Attack

In this crisis simulation, you serve on [Company Name]’s enterprise crisis management team in the [X sector], responding to a terrorist attack by an armed assailant at a critical [location/office]. As the incident escalates in real time, you must prioritize life safety, coordinate with law enforcement, and stabilize operations amid uncertainty and incomplete information.

You will demonstrate situational awareness, rapid decision-making on lockdown, evacuation, and accounting for personnel, and effective internal and external communications. The exercise also tests escalation paths, coordination across security, facilities, HR, and leadership, and early steps toward recovery and continuity. Focused on terrorism/active shooter threats from hostile groups, this scenario benefits crisis managers, security and facilities teams, communications professionals, and executives seeking to validate plans, roles, and readiness.

Scenario Template – Insider Threat

In this crisis simulation, you serve on [Company Name]’s enterprise crisis management team after sensitive data from the [X Sector] organization surfaces on the dark web. With indications that a current employee may be responsible, you must investigate under uncertainty, balance swift containment with the risk of escalation, and coordinate across security, IT, legal, HR, and communications to protect operations, customers, and reputation.

Participants will practice situational awareness, time-critical decision-making, and clear communication workflows—deciding when to revoke access, preserve evidence, engage law enforcement, inform stakeholders, and manage public messaging. Ideal for crisis managers, security leaders, IT/IR teams, HR and compliance professionals, and executives, this exercise focuses on insider threat detection and response, reinforcing disciplined, coordinated actions that limit damage while respecting legal and organizational constraints.

Scenario Template – Phishing Attack/Data Breach

In this crisis simulation, you are part of the Enterprise Crisis Management Team at [Company Name] in the [X sector] responding to a phishing-driven data breach. With limited and evolving information, you must triage reports of suspicious emails, assess potential network compromise, protect operations, and coordinate technical and business actions while criminal actors attempt to exploit access.

You will practice situational awareness, clear communications, and time-critical decision-making: who to notify, what containment steps to order, how to manage stakeholders and regulators, and when to escalate or recover. The exercise emphasizes applying crisis management plans, recognizing collateral business impacts, and reflecting on outcomes. Ideal for crisis leaders, security and IT managers, and communications or legal stakeholders seeking to strengthen organizational response to phishing and social-engineering threats.

Scenario Template – Ransomware

In this crisis simulation, you are part of [Company Name]’s enterprise crisis management team in the [X Sector], responding to a crippling ransomware attack by a criminal group that has encrypted and exfiltrated data and is threatening publication. With limited, evolving information across 13 decision points, you must prioritize containment and recovery, coordinate internal and external communications, weigh legal and regulatory obligations, assess ransom options, and maintain business continuity.

The exercise builds situational awareness, cross-functional communication, and fast, defensible decision-making, then prompts reflection on outcomes and lessons learned. It is ideal for crisis managers, executives, IT and security leaders, operations, communications, and legal teams seeking to rehearse response to modern double-extortion ransomware and its operational and strategic impacts.

Sewage Subterfuge

Set in Stoneswell Waste Management, a publicly owned treatment works in a rural tourist area, this simulation places you on the crisis management team as legacy SCADA systems and recent job cuts leave the utility exposed. When suspicious activity suggests an insider—potentially a disgruntled or former employee—has targeted 142 scattered pumps across a network handling 9 million gallons daily, you must assess impacts to public health and the environment while stabilizing operations.

Through 13 decision points you'll prioritize containment of OT assets, validate telemetry, manage access and credential revocation, coordinate with law enforcement and regulators, and execute clear internal and public communications. Participants will practice insider-threat response, SCADA/ICS incident handling, risk trade-offs, and recovery planning. Ideal for crisis managers, water and wastewater operators, municipal leaders, and public communications teams seeking to strengthen resilience against insider threats.

Solar Sentinel

Solar Sentinel places participants in a Carrington-scale solar storm that cripples power grids, satellites, communications, finance, healthcare, and transportation worldwide. As part of the Global Crisis Response Team, you must advise governments and coordinate an international response amid cascading failures, competing priorities, and severe resource constraints.

Success demands rapid prioritization, infrastructure triage, allocation of scarce assets, cross-sector and cross-border coordination, clear risk communication, and ethically defensible decisions under uncertainty. Participants practice restoration sequencing for energy and communications, stabilizing critical supply chains, and delivering actionable policy guidance and public messaging. Focused on a natural hazard/space-weather threat, this exercise benefits government leaders, emergency managers, critical infrastructure operators (energy, telecom, finance, healthcare, transport), and security and business continuity professionals seeking to strengthen preparedness and resilience.

The 8-K Conundrum

In The 8-K Conundrum, you step in as CFO amid a fast-moving, material event sparked by current employees that likely triggers an SEC Form 8-K within four business days. With investors, regulators, and media pressure mounting, you must determine materiality, decide what to disclose and when, and coordinate with counsel and the board under intense scrutiny.

The simulation tests SEC reporting fluency, ethical judgment under time pressure, and concise crisis communications that balance legal, financial, and reputational risk. You’ll refine disclosure language, set remediation and accountability measures, and manage market impact and stakeholder expectations. This exercise is ideal for finance leaders, legal and compliance professionals, investor relations, and executives seeking to strengthen responses to insider-driven incidents and improve disclosure readiness.

Unforeseen Consequences

In Unforeseen Consequences, you play the CISO confronting a global Microsoft service disruption while your own corporate device hits a Blue Screen of Death, signaling a cascading failure tied to third‑party tooling. With cloud services degraded and staff escalating issues, you must stabilize operations and make rapid, high‑impact calls under uncertainty.

Across four decision points, you’ll demonstrate crisis leadership, triage and recovery planning, cloud and endpoint containment, and clear executive and workforce communications. You’ll weigh credential hygiene actions (including company‑wide admin password resets), assess vendor risk and trust in CrowdStrike, and coordinate business continuity while preserving evidence and stakeholder confidence. This human error–driven scenario benefits CISOs, incident managers, and IT/ops leaders seeking to strengthen decision-making, dependency management, and resilience during large-scale, third‑party induced outages.

Up in the Air

Up in the Air places you inside Longitude Airlines during a holiday‑weekend disruption triggered by a suspected supply chain compromise rooted in human error. As the situation evolves through rapid injects, you rotate between On-duty Manager, NOC, Flight 722 Captain, and CMT roles to keep aircraft, crews, and customers moving while passenger and baggage backlogs grow and reputational/financial risks mount.

Success demands decisive operational triage, cross‑functional coordination, and clear stakeholder communication with pilots, customers, media, and partners. You will balance safety, delays versus cancellations, rerouting, manual workarounds, information sharing, and activation of continuity and recovery plans while safeguarding data and investigating the supplier incident. This exercise suits airline and airport leaders, crisis managers, NOC/IT security teams, incident responders, and communications professionals in aviation and other critical infrastructure sectors.

USB Hack: Network Down

As a member of Navarris’s Executive Crisis Management Team, you confront a coordinated nation-state operation that uses targeted phishing and a tampered USB security key to breach corporate and NECS networks, disrupt services, and trigger ransomware and data exfiltration. With first responders and NYC Ambulance reliant on your infrastructure, you must make time-critical decisions to contain the attack, sustain essential communications, and navigate legal, regulatory, and reputational fallout.

You will demonstrate device hygiene and supply-chain skepticism, social-engineering detection, threat hunting, impact and vulnerability assessment, urgent-versus-important prioritization, risk assessment, ransom response posture, evidence preservation, and clear, flexible crisis communications with stakeholders. This multi-vector APT scenario—ransomware, phishing, data breach, targeted attack—benefits executive crisis leaders, telecom and critical-infrastructure operators, and public-sector suppliers seeking to sharpen security posture and real-world crisis readiness.

Valentine's Day Chaos

Valentine’s Day Chaos places your crisis management team in one of two sector-specific scenarios: a major retailer grappling with last-minute demand, supply chain snags, and PR/competitive pressures, or a healthcare system strained by a severe winter storm driving surges in patient volume and resource shortages. Across 15 decision injects, you’ll navigate fast-moving operational disruption, reputational risk, and staff wellbeing challenges under time pressure.

Success demands clear prioritization, stakeholder communication, cross-functional coordination, and data-driven resource allocation, along with ethical decision-making and media handling. This exercise benefits crisis and business continuity leaders, operations managers, clinical administrators, and communications teams seeking to sharpen universal crisis competencies in retail or healthcare settings.

Your Digital Footprint: A Crisis Sim for Teens

Your Digital Footprint: A Crisis Sim for Teens places students in fast-paced, real-world online dilemmas across 11 injects, where every choice shapes immediate consequences. Working as a student in a small team, participants navigate pressures from friends, likes, and FOMO while managing posts, messages, and reputational fallout that can resurface years later.

Success demands critical thinking, ethical judgment, consent awareness, bystander intervention, privacy and security hygiene, and escalation/reporting decisions under time pressure. The exercise exposes digital-risk threats including reputational damage, cyberbullying, doxxing, social engineering/phishing, data leakage, and legal or school-disciplinary impacts. Ideal for teens, school cohorts, and youth leaders, this simulation builds resilient online behavior and decision-making that protects personal reputation and community safety.

Workforce

A Great Solution

In this workforce exercise, you play a producer racing to finish a client short film by Friday while working between home and office. You routinely back up large media files to an encrypted external hard drive, which company policy requires you to return to IT for secure wiping once the project ends. Under deadline pressure, you must balance productivity with proper data handling and device management.

Across five decision points, you’ll demonstrate safe use and ejection of external drives, physical security and chain-of-custody, compliance with disposal policies, appropriate incident reporting, and when to transition to secure cloud storage. The primary threat is human error leading to data loss or exposure. This exercise benefits producers, creatives, and any hybrid workers handling large files or removable media.

A Successful Event Template

As an events administration assistant at a major company, you manage post-event communications while onboarding a new colleague. Amid thank-you emails and attendee records, you receive an unexpected message that constitutes a subject access request and face a complaint about shared information, forcing quick choices in a hybrid working context.

Across six injects, you must recognize and escalate SARs, apply data minimization, confirm lawful basis and permissions, choose secure channels, document actions, and align with policy and the data protection team. The threat is privacy and compliance risk leading to inadvertent data breach and reputational harm. This exercise benefits events, marketing, and customer-facing teams, and anyone who handles personal data in day-to-day operations.

Browsing Around

In this simulation, you play a product designer researching supermarket products and trends online while navigating realistic security scares. Across several decision points, you must assess websites, links, and tools you use to gather information without exposing your organization to risk.

Success depends on demonstrating secure browsing habits: verifying URLs before clicking, recognizing spoofed or malicious sites, avoiding risky downloads or extensions, configuring browser updates, and managing cookies for privacy and performance. The primary threats include phishing, malicious websites, and data harvesting that could lead to credential theft or system compromise. This exercise benefits product designers and any staff who conduct online research, helping them protect company data, systems, and customer trust through safer everyday browsing.

Don't Take the Bait

In this immersive workforce exercise, you play an account officer navigating a series of realistic, targeted phishing emails—some potentially crafted with AI. You must evaluate messages that pressure you to click links, open attachments, share credentials, or approve unusual requests, deciding when to trust, verify, escalate, or report.

Success requires spotting phishing red flags, validating senders and requests through safe, out-of-band methods, adhering to policy, and avoiding risky actions that lead to compromise. The scenario focuses on phishing and human error, providing adaptive feedback to sharpen judgment under pressure. It benefits anyone handling email and sensitive data—especially finance, customer-facing, and operations staff—and helps organizations strengthen their first line of defense against social engineering.

First Day On The Job

First Day On The Job is a workforce exercise where you begin as a Social Media Executive at DicedPineapples, meeting colleagues and setting up your workspace while dealing with a malfunctioning laptop and an unexpected call from someone claiming to be IT. Participants must decide what to share publicly on social media, secure new accounts, handle device issues appropriately, and verify the identity of anyone requesting credentials or access.

The exercise builds skills in social media privacy, password hygiene (e.g., using a manager), physical and device security, and timely escalation to the correct support channels. Centered on human error exploited by social engineering and a misconfigured device, it’s ideal for new starters and communications professionals who need to strengthen everyday security decisions.

Footprints in the Sand

In Footprints in the Sand, you play a content creator at Cardio, a small greeting card company, navigating real-time choices about using your personal social media to amplify company news. Across five decision points, you’ll confront dilemmas around what to post, how to respond to engagement, and how to configure privacy to protect both your reputation and the organization’s.

Participants must interpret policy, assess reputational and security risk, validate content sources, limit sensitive disclosures, and balance brand promotion with privacy. The exercise spotlights insider risk from well-meaning current employees whose online activity can expose personal data, company information, or invite social engineering. It benefits any workforce member who posts about their employer, especially content creators, marketing and communications teams, and managers responsible for digital conduct.

Gone Phishing 1

In Gone Phishing 1, you play Maria Jones, a marketing assistant at an online virtual experience company, tasked with triaging multiple emails and deciding which are genuine and which are phishing, while rating your confidence in each decision. The scenario mirrors everyday inbox traffic and time pressure across five short injects.

You will apply practical detection skills: verifying sender domains, inspecting links and attachments, spotting urgency or unusual requests, cross-checking context, and knowing when to report to IT security. This phishing-focused exercise benefits any employee who uses email, particularly marketing and customer-facing teams, by sharpening judgment and awareness across common communication channels.

Gone Phishing 2

This simulation places you in the role of Ashley Woods, a finance assistant at a telecommunications company who receives a stream of business emails. Across five decision points, you assess varied messages and determine whether each is legitimate or a phishing attempt, then rate your confidence in each judgment.

Success requires applying practical email security skills: verifying sender identities and domains, inspecting links and attachments safely, checking requests against normal business processes, spotting manipulation such as urgency or unusual payment changes, and escalating suspicious messages to IT security. Emphasizing spearphishing realism, the exercise shows that flawless grammar doesn’t guarantee authenticity. It targets the phishing threat and benefits finance teams and any staff who handle invoices, payments, or sensitive information across the organization.

Learners: Using Workforce Exercising

In this Workforce Exercise, you step into everyday workplace scenarios where human error is targeted—think phishing emails, social engineering attempts, weak authentication, and lax physical security. Across four short decision points, you choose how to respond in realistic situations that mirror both work and home contexts, with immediate feedback and links to deeper upskilling.

To succeed, you’ll practice recognizing suspicious communications, verifying identities and requests, protecting accounts and devices, managing your digital footprint, and escalating concerns through the right channels. The exercise focuses on human-centered cyber threats such as phishing, manipulation, and misuse of access. It’s ideal for all employees—including non-technical staff and new starters—who need practical, time-efficient training to build secure behaviors and strengthen the organization’s overall security posture.

Managers: Using Workforce Exercising

As a human cyber risk professional, you’re tasked with planning and rolling out Immersive Labs’ Workforce Exercising across your organization. Through four decision points, you must select risk areas, choose between baselining with the Security Hygiene Compass or targeted campaigns, and design an engaging, time-efficient experience that fits existing policies and culture.

You’ll demonstrate prioritization, stakeholder communication, customization, data interpretation, and measurement—using exercise analytics to target interventions and assess impact. The threats addressed are human-factor cyber risks, including social engineering, unsafe digital footprints, weak authentication, and physical security lapses. This exercise benefits security managers, people leaders, and awareness teams seeking to reduce human cyber risk and build a positive, measurable security culture.

Password Problems

In Password Problems, you play a finance administrator at Bernard and Kate during a busy period while IT rolls out SSO across payroll, email, HR, and invoicing. Amid upgrade disruption, you encounter suspicious sign-in activity and waves of MFA prompts indicative of an MFA fatigue attack by criminal groups seeking unauthorized access and financial gain.

Success requires recognizing and resisting MFA push floods, verifying unexpected notifications, using strong unique passwords, refusing to share credentials, and escalating concerns through proper channels. You’ll balance continuity of finance operations with secure access decisions during a live rollout, helping prevent account compromise and reputational damage. This exercise is ideal for finance staff, administrators, and any workforce members using SSO and MFA who need to sharpen authentication practices against unauthorized access threats.

Payday Blues

In this workforce exercise, participants act as the Lead Analyst at Freshter Ltd when payday-adjacent phishing emails and questionable social media exposure target staff. After a colleague flags suspicious messages and another reports a stolen device, the participant must triage the situation, validate requests, and escalate appropriately while minimizing disruption.

Success requires recognizing subtle phishing indicators, verifying identities out of band, advising on social media privacy and personal data exposure, and coordinating with the information security team to report, contain, and remediate (for example, locking devices and disabling accounts). The scenario models a phishing-driven social engineering incident with spillover from a lost device. It benefits analysts, people managers, HR/payroll, and any employee who handles communications or uses social media for work or personal use.

Security Hygiene Compass

The Security Hygiene Compass is a 15–20 minute workforce exercise presenting multiple short, standalone scenarios across different job roles. Participants picture themselves in each situation and select the response they would most likely take, sometimes referencing provided images, to demonstrate judgment on everyday cyber hygiene.

Decisions test the ability to spot phishing and social engineering, safeguard credentials and devices, handle data correctly, use MFA, keep software updated, report incidents, and work securely remotely and on the go. This broad assessment of common security risks benefits all employees and helps organizations identify strengths, gaps, and targeted upskilling needs.

Text Thread

In this text-based workforce exercise, you play a receptionist finishing a long day when a message arrives from someone claiming to be your friend on a “new number.” As the conversation unfolds, the sender pushes for an urgent money transfer, testing your ability to recognize an impersonation scam conducted over SMS or messaging apps.

Participants must spot social-engineering red flags, verify identities through an independent channel, avoid sharing personal or sensitive information, and take appropriate actions such as blocking and reporting the number. This scenario focuses on phishing via smishing and impersonation, and is valuable for all employees—especially receptionists and frontline staff who regularly handle unsolicited communications—by reinforcing verification habits and response procedures to reduce the risk of fraud.

We Are The Champions

As the Security Champion at PunterPlay, a fast-growing live-betting platform reliant on third-party integrations, you guide a sales colleague through sharing customer data with external vendors. Under pressure to enable promotions, you face a series of decisions that could turn routine collaboration into an unintended data breach.

To succeed, you must choose approved transfer methods, apply multi-factor authentication, follow password policy (including use of password managers), limit access and data scope, verify vendor requests, and consult or escalate per company policy. The scenario focuses on a data-breach threat caused by human error and reinforces practical governance around third-party sharing. It benefits security champions, sales and marketing teams, and anyone responsible for handling customer data or managing vendor access.

Who Am I?

Who Am I? is a workforce exercise that drops you into a stream of increasingly convincing communications designed to trick you into clicking links or sharing money and data. Using realistic, AI-polished phishing messages, the scenario challenges you to discern intent, verify identities, and decide how to respond within typical workplace tools and time pressure.

In each decision, you practice spotting red flags, confirming requests through trusted channels, handling suspicious links and attachments, safeguarding credentials and MFA codes, and following policy for reporting and escalation—especially when urged to bypass controls or fast-track payments. The primary threat is phishing and social engineering that exploits human error. This exercise benefits all employees, particularly anyone who manages sensitive information, approvals, or customer interactions.

AI Essentials

On the Immersive Labs cybersecurity training platform, the AI Essentials category builds practical knowledge and skills for understanding, using, and securing artificial intelligence—especially modern generative AI and large language models. It blends core AI concepts with hands-on defense techniques, governance considerations, and threat-focused scenarios so learners can safely adopt AI and respond to emerging risks.

Learners explore the OWASP Top 10 for LLMs and GenAI, a 10‑lab collection that develops the ability to identify, exploit, and mitigate risks such as prompt injection, sensitive information disclosure, supply chain weaknesses, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption. AI Fundamentals lays a strong base across AI concepts, data ethics and responsible use, emerging threats, TensorFlow, image classification, generative AI models, prompt injection attacks, and incident response, culminating in a skills demonstration. AI Foundations dives deeper into modern architectures and patterns—Large Language Models (LLMs), Retrieval Augmented Generation (RAG), Model Context Protocol (MCP), and Agentic AI—alongside a knowledge check. Fundamental AI Algorithms teaches practical machine learning with security-flavored use cases using K-Means, Decision Trees, and SVMs for tasks like beacon, script, and behavior detection. AI for Business equips decision‑makers with an understanding of what AI is, its benefits and risks, and how to use AI at work responsibly.

This category is designed for security practitioners, incident responders, detection engineers, developers building with LLMs, and business and risk leaders. By completing it, learners will be equipped to evaluate and securely deploy AI capabilities, recognize and mitigate LLM‑specific risks, implement guardrails and governance, and respond confidently to AI‑driven threats.

Collections

OWASP Top 10 for LLMs and GenAI

AI Fundamentals

AI Foundations

Fundamental AI Algorithms

AI for Business

 AWS Bedrock Guardrails

Azure Foundry Guardrails

NVIDIA NeMo Guardrails

Agent Identity 

Building with AI

The Building with AI category on the Immersive Labs cybersecurity training platform guides practitioners through designing, implementing, and securing AI-enabled applications and agent workflows from first prompt to production. Through hands-on labs, you’ll build proficiency in manual prompting and spec-driven development, safe tool invocation via the Model Context Protocol (MCP) and extensions, multi-agent patterns, plugin and slash-command interfaces, sandboxing, hooks, and skills. You will also learn to implement policy engines and guardrails that deliver governance, auditability, and risk controls for real-world use.

In the Building with AI: Claude Code collection, learners progress from foundational prompting to advanced topics including Tools and MCP, Slash Commands, Claude Skills, Subagents, Hooks, Plugins, and Guardrails, culminating in a Demonstrate Your Knowledge capstone. Building with AI: Gemini CLI adds agent skills, sandboxes, hooks, a policy engine, and guardrails to help you design resilient, governed agent workflows, while Building with AI: Codex CLI focuses on practical prompting, spec-driven development, Tools and MCP, Slash Commands, and Guardrails for streamlined, secure delivery. This category is ideal for software engineers, security engineers, DevSecOps practitioners, and platform teams who need to ship AI features responsibly; by the end, you’ll be equipped to prototype and integrate AI, apply guardrails and policies, govern tool use, and operate AI systems that are robust, auditable, and aligned with security and compliance requirements.

Collections

Building with AI: Claude Code

Building with AI: Gemini CLI

Building with AI: Codex CLI

Regulated industries and large organizations are trying to find ways to implement AI without it scaring leadership and these collections can help bridge the knowledge gaps required to effectively answer these questions.
Secure AI Adoption will empower your teams to:

• Enforce "Secure by Design" principles: Wrap unpredictable models in a verified security layer.
• Accelerate Innovation: Move to production faster by neutralizing poor implementation of AI inside an organization.

Collections

AI Governance

AI Data Protection

Agentic Observability