Cyber crisis exercises: doing things in the right order
…or why you need to learn to walk before you try to climb
At this point, nobody seriously argues that cyber crisis training is optional.
There is, of course, one very effective alternative: going through the real thing. I would not recommend it. Across the 50+ major crises I have handled in my career, the lesson has always been the same: a real cyber crisis is a very efficient teacher, but a painfully expensive one. You learn a great deal, at a cost most organisations would rather not pay.
So yes, organisations need to exercise. But they should not all exercise in the same way, and certainly not at the same level from day one.
One of the recurring mistakes in this field is to think of a cyber crisis exercise as a single format: a big event, a dramatic scenario, a room full of people reacting under pressure. In reality, there is a progression. The right format depends on the organisation’s maturity, on what it is actually trying to test, and on how much strain it is willing to put on the machine.
Done properly, an exercise programme becomes more demanding over time. It also becomes more useful.
Before any exercise, there has to be a framework
This sounds obvious, but it is often skipped: before testing how an organisation handles a cyber crisis, you need a procedure worth testing.
If the crisis process does not exist, or exists only in fragments, the exercise will not reveal much beyond the fact that the organisation is unprepared. That is not always a useless finding, but it is an expensive and frustrating way to arrive at it. People usually come out of that kind of session feeling they have been judged against rules that were never clearly set in the first place.
That reaction is understandable. An exercise is not supposed to be a trap.
There is another issue here. Cyber crises are close enough to “traditional” crisis management to create false confidence, but different enough to make direct transposition risky. Existing (non-cyber) crisis governance, risk structures, escalation routines, and executive habits remain very useful. But they still need to be reviewed through a cyber lens before exercise design begins.
Level 0: the activation test
This is not the most glamorous format, but it is one of the most useful.
An activation test is simple in principle: you trigger the crisis mechanism in a controlled way and observe whether the right people mobilise, whether the alerting chain works, whether escalation is smooth, and whether the practical setup holds together.
There is barely a scenario. That is not the point. The test stops once the organisation is operational and in a position to manage whatever event is thrown at it.
What it tells you is whether the foundations are sound. Can the key people be reached quickly, at any hour? Do they know what is expected of them? Is the crisis room ready, physically or virtually? Does the process start cleanly, or does it begin in confusion? I have seen activation tests reveal that the CEO's emergency number had not been updated in three years.
Because it is light and quick to run, this is often the format that deserves to be repeated most often. It does not answer every question, but it answers an important one: can the organisation even get on its feet when something serious begins?
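The two things an activation test actually measures are whether the roster is usable and how fast a quorum forms once the trigger goes out. The script below is an added example, not material from the original article: it checks a constructed contact roster for the defects that typically surface on the day (numbers not in E.164 form, missing alternates, entries not re-verified in months) and then computes time-to-quorum from a constructed acknowledgement log. The roster fields, role names, the 180-day verification age, the 15-minute acknowledgement SLA and the quorum of three are all assumptions for illustration.

```python
"""Activation-test helpers: roster hygiene plus time-to-quorum from acknowledgements.

Added example; roster layout, thresholds and sample data are assumptions.
"""
import re
from datetime import date, datetime, timedelta

# Constructed sample roster (hypothetical people and numbers).
ROSTER = [
    {"role": "Crisis director", "phone": "+33600000001", "alternate": "+33600000002",
     "last_verified": "2024-03-01"},
    {"role": "CEO", "phone": "+33600000003", "alternate": "",
     "last_verified": "2021-06-15"},
    {"role": "Legal", "phone": "06 00 00 00 04", "alternate": "+33600000005",
     "last_verified": "2024-01-10"},
    {"role": "Comms", "phone": "+33600000006", "alternate": "+33600000007",
     "last_verified": "2023-11-20"},
]

# Constructed acknowledgement log from a mock activation: None means never reached.
ACKS = {
    "Crisis director": "2024-04-02T09:03:00",
    "CEO": None,
    "Legal": "2024-04-02T09:11:00",
    "Comms": "2024-04-02T09:06:00",
}

E164 = re.compile(r"^\+[1-9]\d{6,14}$")  # international dialling format, no spaces


def roster_findings(roster, today_iso, max_age_days=180):
    """Return (role, finding_code) pairs for entries an activation test would trip over."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in roster:
        role = entry["role"]
        if not E164.match(entry["phone"]):
            findings.append((role, "phone_format"))
        if not entry["alternate"]:
            findings.append((role, "no_alternate"))
        elif not E164.match(entry["alternate"]):
            findings.append((role, "alternate_format"))
        age = (today - date.fromisoformat(entry["last_verified"])).days
        if age > max_age_days:
            findings.append((role, "stale"))  # contact data older than the verification window
    return findings


def activation_report(triggered_iso, acks, sla_minutes=15, quorum=3):
    """Measure mobilisation: who acknowledged within SLA, who was late, who never answered."""
    triggered = datetime.fromisoformat(triggered_iso)
    sla = timedelta(minutes=sla_minutes)
    delays, unreachable = {}, []
    for role, ack_iso in acks.items():
        if ack_iso is None:
            unreachable.append(role)
            continue
        delays[role] = datetime.fromisoformat(ack_iso) - triggered
    within_sla = sorted(d for d in delays.values() if d <= sla)
    # Time-to-quorum is the delay of the Nth acknowledgement inside the SLA, if it exists.
    ttq = within_sla[quorum - 1] if len(within_sla) >= quorum else None
    return {
        "quorum_reached": ttq is not None,
        "time_to_quorum_minutes": None if ttq is None else int(ttq.total_seconds() // 60),
        "late": sorted(r for r, d in delays.items() if d > sla),
        "unreachable": unreachable,
    }


def run_example():
    """Run both checks on the constructed data; used by the stand-alone main below."""
    return {
        "findings": roster_findings(ROSTER, "2024-04-02"),
        "activation": activation_report("2024-04-02T09:00:00", ACKS),
    }


if __name__ == "__main__":
    result = run_example()
    for role, code in result["findings"]:
        print(f"ROSTER  {role:16s} {code}")
    print("ACTIVATION", result["activation"])
```

On the constructed data the roster check flags the CEO entry twice (no alternate, last verified three years ago) and the Legal number for its format, while the mock activation reaches quorum after 11 minutes with the CEO unreachable. Those are exactly the findings worth carrying into the debrief; the value of the script is that it produces them before the exercise, not during a real incident.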
Level 1: the tabletop
This is the format most people know, and for good reason. A tabletop is light, fast, and easy to organise, at least compared to what comes next!
A group of participants (usually the people who would form the decision-making crisis cell) is brought together and presented with an evolving scenario. They discuss what they would do, how they would prioritise, what decisions they would take, and what difficulties they face due to the degraded conditions.
It is less realistic than what comes later, but that is not necessarily a weakness. A tabletop is often the best place to start because it works as an excellent brainstorming session.
Used well, it is an excellent format for awareness, alignment, and collective reflection. It does not fully validate the crisis plan. It will not tell you much about logistics, and it only partly tests the more complex mechanisms of crisis management. But it does something else that matters a great deal: it helps people understand one another.
In a good tabletop, legal starts to see what operations is struggling with. IT realises how quickly uncertainty becomes a communications problem. Executives get a better feel for the friction between caution, speed, and incomplete information. That shared understanding is often more valuable than people expect.
To be frank, this is also the format many clients ask for most often today. They are right to do so. Even without the more formal validation benefits, the discussion itself is already a win. In some organisations, that benefit alone makes the exercise worthwhile.
Level 2: the live exercise
This is usually what people have in mind when they hear the term crisis exercise.
The participants start at their desks, in the middle of an apparently normal working day. Then the first inputs arrive: emails, calls, messages, requests, alerts. Everything is clearly marked as part of an exercise, but the experience is designed to create enough realism and enough pressure to force real coordination.
This is where the exercise starts to come alive. You can introduce media pressure through mock news flashes, outside scrutiny through simulated regulator contact, commercial pressure through simulated customers and partners, and physical-world consequences through fabricated but plausible impacts. A well-run live exercise can feel surprisingly close to the rhythm of a genuine event.
Participants are expected to act, not just discuss. They alert, escalate, communicate, activate crisis structures, move to the relevant rooms or calls, respond to external pressure, and keep advancing through the ambiguity as the situation evolves.
From this point on, the organisation is no longer merely talking about crisis response. It is beginning to test whether it can actually execute it.
That is why preparation matters. A live exercise only has real value if the participants have a process they can rely on: something reviewed, adapted, and properly communicated beforehand. Otherwise the organisation ends up improvising its own structure under exercise conditions, which is usually noisy but not especially enlightening. (I once saw a single 57-person Slack channel used for crisis coordination during an exercise. Needless to say, it did not work well.)
This format also demands more support around the players: a facilitation team, a dedicated control room, working comms, and enough observers to capture what happened accurately. There is no proper debrief and improvement plan without a good set of observers.
The main limitation is technical. In most live exercises, actions on the real information system are avoided, or kept strictly read-only.
Which is why the final step exists.
Level 3: the simulation
This is where things become epic.
A simulation takes the organisational mechanics of a live exercise and adds the element that changes the nature of the whole event: a replica of the information system in an isolated environment.
Once that exists, the exercise stops being only organisational. It becomes technical as well. Participants are no longer reacting solely to scripted reporting or facilitation prompts. They are dealing with technical activity unfolding in a controlled environment, and they must connect that activity to business decisions in real time.
This can include an actual Red Team operating against the replica, forcing defenders to detect, investigate, contain, and recommend responses while the rest of the organisation deals with degraded services, uncertain impacts, and business consequences.
That coordination is the real value of the format. Cyber crises are difficult not only because the technical problem is hard, but because the technical and organisational timelines rarely move at the same pace. The simulation is one of the few ways to work on that tension seriously.
It is also the closest thing to a real cyber crisis that an organisation can experience without suffering one. Not identical, of course. You never fully reproduce the stress, the fog, or the emotional charge of a real incident (and believe me, these are absolutely major factors). But you get much closer.
Unsurprisingly, this is also the most demanding format in every sense: time, preparation, internal involvement, and of course budget. Some simulations run for several days and involve very large numbers of participants. They can be extremely valuable. They are just not where most organisations should begin.
On surprise exercises
At some point, the same question usually comes up: should the exercise be announced?
The instinct behind the surprise exercise is easy to understand. Real crises do not arrive politely. So why announce the rehearsal?
Because in practice, surprise does not always mean realism.
An unannounced exercise can fail for very mundane reasons: the wrong day, the wrong people absent, not enough bandwidth, not enough willingness to engage, not enough room to distinguish simulation from distraction. When that happens, the result is often disappointing, and occasionally counterproductive.
That does not mean surprise exercises are pointless. They can be very useful in mature organisations, especially when the goal is narrow: testing the alternates for key roles, for example, or seeing how mobilisation works under less comfortable conditions. But they tend to work best when the organisation already knows how to handle the more structured formats.
Even then, it is wiser to relax the surprise factor slightly (an announced window rather than an announced date) and to make sure strong senior backing has been secured first. Pro tip: CEOs are often game for this kind of idea and love springing it on their C-suite during holiday season...
There is, however, a line that should usually not be crossed: the disguised exercise, where the event is not only unannounced but not even identified as an exercise. In most cases, that is a bad idea.
A clean separation between the exercise world and the real world is one of the basic rules of proper crisis exercise design. Once that boundary starts to blur, you create the possibility of escalation outside the intended perimeter. All it takes is one participant taking the situation too literally and triggering real-world action with customers, authorities, partners, or the media.
At that point, you may find yourself managing an actual crisis caused by the exercise itself.
There are more creative ways to work once an organisation is truly mature. That is true in cyber crisis management as it is anywhere else. But most organisations still have plenty to gain from simply building their exercise programme in the right sequence, with clear goals and no unnecessary theatrics.
Start where you are. Build the sequence. Save the theatrics for when you can afford them.