Skip to content

Get Your Organisation Prepared

A free, 90-minute non-technical workshop which helps organisations find out how resilient they are to cyber attacks and practise their response in a safe environment.

What is Exercise in a Box?
Firstly, it is completely free, and you don’t have to be technical to get involved.
Exercise in a Box can be best described as a tool that recreates real world business scenarios and tests your cyber resilience in each scenario. It was developed by the National Cyber Security Centre and started its life as a self-use tool to help organisations test and practise their internal response to a plethora of cyber issues. It is, in essence, a box full of exercises based around real world scenarios with probing questions attached to each scenario. It allows your organisation to do them in your own time, in a safe environment, as many times as you want. It includes everything you need for setting up, planning, delivery, and post-exercise activity, all in one place.
We at SBRC have been tasked with promoting Exercise in a Box to Scottish companies by conducting practical workshops where we facilitate one of the scenarios.
Register your organisation or charity here
Exercise in a box

Upcoming Events

Add your details below and we will be in touch with you shortly with further information:

The Scenarios

It is important to understand both the benefits and the additional cyber security risks that home and remote working can bring to an organisation. Many of us have had to move to 100% remote working having never done it before due to COVID-19, which has created the potential that your organisation’s IT services will be accessible to people other than your remote workforce. Additional sudden requirements and demand on infrastructure could increase your organisation’s attack surface, providing attackers with more potential avenues to exploit. More details here.

This scenario is based on how your organisation would respond to a phishing attack that leads to a ransomware infection. It tests the support that users are given to detect and respond to phishing attacks, as well as what security controls are implemented to limit the impact of infections when they do occur. It also covers how well you would be able to continue operating if you did get infected with ransomware and whether you would be able to rely on your current backup solution. More details here.

It is important to understand the impact that an organisation’s supply chain can have in relation to cybersecurity. In modern organisations, the digital supply chain includes organisations that provide services including online tools, cloud-based products, desktop software and even licenced hardware. This scenario begins by exploring how you would ascertain how secure potential suppliers are. It then skips forward several months and asks what would happen if that supplier suffered a service outage that could have exposed customer information. More details here.

The Micro Exercise scenario combines aspects of each of the above-mentioned scenarios, with additional, broader cyber security learnings within a 90-minute session to ensure all organisations, regardless of their sector or level of cyber knowledge, can benefit. These sessions take the form of collaborative discussions, giving participants the time and opportunity to further their knowledge of a particular cyber security subject and identify areas of improvement. Micro Exercise in a Box workshops will discuss some of the basics of good cyber housekeeping. More details here.

“The SBRC Ethical Hacking team’s partnership with NCSC delivers, informative, actionable and real-world based cyber scenarios that are incredibly useful for a range of roles in any organisation. NHS Scotland NSS will be exploring these scenarios to identify gaps in our prevent, detect and response processes and procedures and to engage other areas of our business on cyber matters. What we like most about it, is the non-technical nature of the materials – literally anyone in your organisation will find value in taking part in these scenarios.”

Scott Barnett – Head of Information and Cyber Security, NHS NSS

Is Exercise in a Box for your organisation?

Take our short quiz to find out if Exercise in a Box would benefit your organisation.

1 / 4

What sector does organisation fit in?

2 / 4

How many employees in your organisation?

3 / 4

Have you got Cyber Essentials or Cyber Essentials Plus accreditation?

4 / 4

How confident are you in your organisations cyber security?

What Happens During a Session?

During the session you are paired with one of our ethical hackers. They take you through and facilitate the set of questions designed to re-create a certain scenario. This means you have someone on hand who will help you understand if what you are doing is enough, and what else you could potentially think about implementing.

Each scenario is broken into ‘inject’ points. These are used to re-create certain critical factors or moments in the scenario. From here there are a series of questions you must consider and answer. These questions have been designed by NCSC to allow organisations understand how prepared they really are for key vulnerable scenarios in the day-to-day life of an organisation.

On completion you will leave comforted knowing you have done everything you can to protect your organisation, or with a to-do list to strengthen your organisation, We also offer a follow up session with some 1-to-1 time with one of our ethical hackers who will help you get set up on NCSC Exercise in a Box platform so you can do some more scenarios internally, and they can answer any questions you may still have.

Register here

Join an Upcoming Session

Exercise in a Box has been piloted with small and medium enterprises, local government and the emergency services, but other private and public sector communities could benefit from using it depending on their needs. We have seen companies of all sizes and sectors complete a scenario and see a great benefit, however, micro-companies, sole traders, or companies at a very early stage of tech development may not get the full value in joining. Please reach out to us if in doubt about this.

We are conducting sessions over Zoom and Microsoft Teams. The session type will be in the event registration page name.

The session is discussion-led, and with this, it is paramount that you bring some team members! Along with yourself, we recommend at least 2 – 5 others, with employees from all different departments represented. As it is non-technical those from non-technical departments will be able to feed just as much into the conversation as a technical team.

We are welcoming organisations from all over Scotland to take part in one of our Exercise in a Box sessions taking place over the next few months.

Sign up on behalf of your organisation via the event page and we will be in touch with next details so you can register your team for Zoom or MS Teams.

If you are interested in finding out more, please email your interest to [email protected].

In-House Sessions

After doing an initial session for their own company, many have requested we conduct an in-house session for their clients, members, or other organisations they have a relationship with. These sessions work really well due to prior relationships, meaning a much more open discussion is had at the end of the session. The host organisation will usually take the introduction part, spending 5 – 10 minutes speaking about their views on cyber and Exercise in a Box.

These sessions can be hosted on Zoom or Microsoft Teams, however we must organise them from our own account. This is due to the breakout functionality needed. Alternatively, if you would like to host it in person, please let us know, and government rules considered, we will do our best to set one up with you. We will then take control and take everyone through the exercise.

For each session we usually host between 7 – 15 companies, and would expect to do the same for any in-house sessions. We can do closed off sessions, only open to your contacts, or we can do a mixture of both open and closed. Either way, we must still meet the average 7 – 15 companies number.

If you are interested in organising one of these sessions, please fill in your details in the form below.


In House Session Sign Up

Subscribe to our Training Newsletter to be the first to hear about new and upcoming sessions.

* indicates required