
Prepare Your Organisation

A 90-minute non-technical workshop which helps organisations find out how resilient they are to cyber attacks and practise their response in a safe environment.

What is Exercise in a Box?
You don’t have to be technical to get involved. Exercise in a Box is a tool that recreates real-world business scenarios and tests your cyber resilience in each scenario. It was developed by the National Cyber Security Centre and started as a self-use tool to help organisations test and practise their internal response to many cyber issues. It is a box full of exercises based on real-world scenarios with probing questions attached to each scenario. It allows your organisation to do them in your own time, in a safe environment, as often as you want. It includes everything you need for setting up, planning, delivery, and post-exercise activity, all in one place.
The Cyber and Fraud Centre team deliver Exercise in a Box to Scottish organisations by conducting practical workshops where we facilitate one of the below scenarios.
Register your organisation or charity here
The Scenarios

This scenario is based on how your organisation would respond to a phishing attack that leads to a ransomware infection. It tests the support that users are given to detect and respond to phishing attacks and what security controls are implemented to limit the impact of infections when they occur. It also covers how well you could continue operating if you got infected with ransomware and whether you could rely on your current backup solution. More details here.

Understanding the impact of an organisation’s supply chain on cyber security is important. In modern organisations, the digital supply chain includes organisations that provide services, including online tools, cloud-based products, desktop software and even licenced hardware. This scenario begins by exploring how you would ascertain potential suppliers’ security. It then skips forward several months and asks what would happen if that supplier suffered a service outage that could have exposed customer information. More details here.

The Micro Exercise scenario combines aspects of the above-mentioned scenarios with additional, broader cyber security learnings within a 90-minute session to ensure all organisations, regardless of their sector or level of cyber knowledge, can benefit. These sessions take the form of collaborative discussions, giving participants the time and opportunity to further their knowledge of a particular cyber security subject and identify areas of improvement. Micro Exercise in a Box workshops will discuss some basics of good cyber housekeeping. More details here.

Every organisation stores personal data in some form. This could be related to clients, staff, rejected job applicants or even individuals targeted in a marketing campaign. As such, every organisation has a legal obligation to protect that data, with harsh financial and reputational penalties for breaches, particularly when your organisation does not have adequate security measures. By talking through your organisation’s security processes with the help of our ethical hackers, you will identify points for future improvement and learn how to respond. More details here.

It is important to understand the benefits and the additional cyber security risks that home and remote working can bring to an organisation. Due to COVID-19, many of us have had to move to 100% remote working, having never done it before, which has created the potential that your organisation’s IT services will be accessible to people other than your remote workforce. Additional sudden requirements and demand on infrastructure could increase your organisation’s attack surface, providing attackers with more potential avenues to exploit. More details here.

“The ethical hacking team’s partnership with NCSC delivers informative, actionable and real-world based cyber scenarios that are incredibly useful for a range of roles in any organisation. NHS Scotland NSS will be exploring these scenarios to identify gaps in our prevent, detect and response processes and procedures and to engage other areas of our business on cyber matters. What we like most about it is the non-technical nature of the materials – literally anyone in your organisation will find value in taking part in these scenarios.”

Scott Barnett – Head of Information and Cyber Security, NHS NSS

Is Exercise in a Box for your organisation?

Take our short quiz to find out if Exercise in a Box would benefit your organisation.

What sector does your organisation fit in?

How many employees are in your organisation?

Have you got Cyber Essentials or Cyber Essentials Plus accreditation?

How confident are you in your organisation’s cyber security?

What Happens During a Session?

During the session, we pair you with one of our ethical hackers. They take you through and facilitate questions designed to re-create a particular cyber threat scenario. This means you have someone on hand who will help you understand if you are doing enough and what else you could consider implementing.

Each scenario is split into ‘inject’ points. These are used to re-create certain critical factors or moments in the scenario. From here, there are a series of questions you must consider and answer. NCSC has designed these questions to allow organisations to understand how prepared they are for critical vulnerable scenarios in the day-to-day life of an organisation.

On completion, you will leave comforted knowing you have done everything you can to protect your organisation or with a to-do list to strengthen your organisation. We also offer a follow-up session with some 1-to-1 time with one of our ethical hackers who will help you get set up on the NCSC Exercise in a Box platform so you can do some more scenarios internally, and they can answer any questions you may still have.

Register here

Join an Upcoming Session

Exercise in a Box has been piloted with small and medium enterprises, local government and emergency services, but other private and public sector communities can benefit from using it depending on their needs. We have seen companies of all sizes and sectors complete a scenario and see a great benefit; however, micro-companies, sole traders, or companies at a very early stage of tech development may not get the full value of joining. Please reach out to us if in doubt about this.

We are conducting in-person and online sessions over Microsoft Teams. The session type will be clear in the event registration page name.

The session is discussion-led, and with this, it is paramount that you bring some team members! Along with yourself, we recommend at least 2 – 5 others, with employees from different departments represented. As it is non-technical, those from non-technical departments will be able to feed just as much into the conversation as a technical team.

We are welcoming organisations from all over Scotland to take part in one of our Exercise in a Box sessions taking place over the next few months.

Sign-up on behalf of your organisation via the event page, and we will be in touch with more details.

If you are interested in finding out more, please email your interest to [email protected]

In-House Sessions

After doing an initial session, many organisations have requested we conduct an in-house session for their clients, members, or other organisations they have a relationship with. These sessions work really well due to prior relationships, meaning a much more open discussion is had at the end of the session. The host organisation will usually take the introduction part, spending 5 – 10 minutes speaking about their views on cyber and Exercise in a Box.

These sessions can be hosted on Zoom or Microsoft Teams; however, we must organise them via our own account. This is due to the breakout functionality required. Alternatively, if you would like to host it in-person, please let us know and we will do our best to set one up with you. We will then take control and take everyone through the exercise.

For each session we usually host between 7 – 15 companies, and would expect to do the same for any in-house sessions. We can do closed off sessions, only open to your contacts, or we can do a mixture of both open and closed. Either way, we must still meet the average 7 – 15 companies number.

If you are interested in organising one of these sessions, please contact us at [email protected]


Subscribe to our Training Newsletter to be the first to hear about new and upcoming sessions.
