Skip to content


The Exercise in a Box toolkit is an online, self-help tool from the National Cyber Security Centre (NCSC) which is designed to help organisations test and practice their response to a cyber-attack. Essentially, it is a free, 90 minute non technical workshop which helps organisations find out how resilient they are to cyber attacks and practice their response in a safe environment. Scenario themes are realistic and based around the main cyber threats faced. It includes everything needed for setting up, planning, delivery, and post-exercise activity.   

The purpose of this case study is to share the milestones achieved during the delivery of Exercise in a Box. This case study relates to the time period from August 2020 to May 2021. 

The Challenge

Exercise in a Box was primarily designed for organisations to hold and facilitate their own internal exercises, physically bringing key people together to take part in what is traditionally referred to as a ‘table-top’ discussion exercise. However, due to COVID-19 pandemic restrictions, it became challenging to bring people together into one room to participate in a ‘physical’ exercise. However out of adversity comes opportunity and we took an alternative and innovative approach by delivering a series of ‘virtual’ Exercise in a Box events held across Scotland, utilising video conferencing platforms, delivered and supported by a cadre of our experienced ethical hacking students. 

We strategically chose to deliver the ‘Working From Home’ scenario first, knowing how many organisations were still getting to grips with the security issues the ‘new normal’ caused by the pandemic. At the beginning of 2021, when ransomware took over the headlines, we launched our second scenario, ‘Phishing Attack Leading to a Ransomware Infection’.  

Always maintaining a user centric approach, we looked to understand what our attendees expected and what they needed. For example, during our ransomware sessions we learned attendees wanted more information on how to deal with media during a ransomware incident and we created it based on needs assessment. The feedback for such efforts was overwhelmingly positive.  

We consciously worked with organisations and charities based all over Scotland supporting them in bettering their cyber resilience. The challenges presented to us allowed us to discover a recipe that would see us successfully delivering this project, hitting our target, with 266 companies completing a session.  

The Solution and Outcome

Despite all the challenges presented, we managed to successfully deliver Exercise in a Box pilot project over 10 months. In total, 266 organisations across Scotland, and 772 attendees participated in the interactive workshops. The organisations consisted of the Public, Private, and Third Sector, including Academic institutions. The virtual approach to delivery increased inclusivity, recognising the diverse nature of business in Scotland and its vast geographical locations.  

As a result, organisations the length and breadth of the country, from Dumfries in the south, the Western Isles, Aberdeen in the north-east and Orkney in the Islands, were able to participate in addition to the more populated central belt. Due to the massive success and popularity of the project delivery, we additionally offered each attending organisation a follow-up session where they could be introduced to the Exercise in a Box platform and enquire about cyber security-related issues.  

To promote cyber-awareness and continue with the theme of Exercise in a Box, we commissioned 10 cyber-awareness videos that are short, informative but, most importantly, easy to understand.  

The following topics were covered in the videos:  

• Password  
• Updates  
• Antivirus  
• Parental controls  
• Public Wi-fi  
• Phishing  
• Home IoT  
• Backups  
• Social Media 


Many attendees were delighted that the NCSC released such a product for free and that they could access it at any time. At the end of each session, it was often mentioned by attendees that they would go and promote Exercise in a Box. 

Both scenarios were found by attendees to be informative, eye-opening, and confidence-boosting. Exercise in a Box was described to have enabled a safe space, which allowed for open and honest discussion and often left attendees more informed about what aspects of their cybersecurity they need to learn and enquire about. 

Both scenarios were delivered at times of relevancy, with ‘Home and Remote Working’ being delivered during the initial year of Covid-19, and ‘A Phishing Attack That Leads To A Ransomware Infection’ delivered due to the heightening frequency of ransomware attacks and its presence in the media. This resulted in several attendees returning for a second session, and the changing of perception around Exercise in a Box.  


Debbie Baird Exercise in a Box

The exercise in a box session was a really valuable experience. It allowed me to let senior leaders see and understand where our gaps are and why these gaps are an issue. Very eye opening for everyone involved.

Debbie Baird, IT Manager, Taranata Group 

Huw Martin Exercise in a Box

I recently attended the training course Exercise in a box. It was focussed on protecting businesses from the Cyber threats and ensuring that companies are resilient and prepared for the various and complex ways companies are targeted. The team running the session were great, hosting breakout sessions to go into more details and ask questions. The quality of guidance and questioning was great as was the course content and I think all on the session hugely valued the effort that had gone in to preparing the content. The training is as relevant for an MD or CEO as much as for their IT teams and I’m sure the course will highlight a few key areas for development or improvement based on the experience shared. I highly recommend it.

Huw Martin, MD, Head Resourcing 

Scott Barnett Exercise in a Box

The Ethical Hacking team’s partnership with NCSC delivers, informative, actionable and realworld based cyber scenarios that are incredibly useful for a range of roles in any organisation. NHS Scotland NSS will be exploring these scenarios to identify gaps in our prevent, detect and response processes and procedures and to engage other areas of our business on cyber matters. What we like most about it, is the non-technical nature of the materials – literally anyone in your organisation will find value in taking part in these scenarios

Scott Barnett, Head of Information and Cyber Security, NHS Scotland National Shared Services 

Simon Chittick Exercise in a Box

Was a little bit sceptical of the use of EiaB but after attending I found it really useful. It’s a quick and effective way to accurately judge your readiness and ability to prevent, detect, or respond to an incident.

Simon Chittick. Cyber Operations Manager. Social Security Scotland

Subscribe to our Education Newsletter to be the first to hear about new and upcoming services including updates to Exercise in a Box

* indicates required

Upcoming Events