The Attack Is Coming, Are We Actually Prepared?
July 29, 2025

The cybersecurity landscape has undergone a significant transformation, with chief information security officers (CISOs) stepping into pivotal roles that blend technical expertise with strategic business acumen. The rapid advancement of generative artificial intelligence (GenAI) has reshaped the threat environment, compelling organizations to recalibrate their cybersecurity strategies. This blog delves into the evolving responsibilities of CISOs and the imperative for company boards to align their expectations accordingly.

The Evolving Role of the CISO

What happens when the unthinkable occurs, and your team is caught off guard? This story unfolds in the heart of a high-stakes simulation during the Optiv Threat Summit. Defenders are pitted against relentless attackers in a race against time. As chaos erupts, the true test of readiness begins, not just for the systems in place, but for the people behind them. Join me as I recount a day filled with unexpected challenges, moments of realization and insights that may change the way we approach cybersecurity preparedness.

I arrived at the secure facility in Arizona, ready for battle. With my experience in incident response and recovery, and having handled hundreds of incidents, I felt a sense of pride and confidence. I was not only prepared to face the "red teams" of rival factions but was even planning to show off a little bit.

The "war room" resembled a scene from a modern thriller movie, featuring a large screen displaying attackers and defenders at war. Colorful lines and a world map created a "War Games" atmosphere. Clusters of attackers and defenders represented separate networks, each launching and defending against exploits.

Then the event began: "Three, two, one, go!" Almost immediately, other obligations reduced my team of four defenders to just two.
My colleague and I suddenly found ourselves dramatically understaffed against a wave of attacks. This was not intentional; we were supposed to have a full team, but as in the real world, team attrition can be unexpected and painful.

In the Heat of Battle

As we navigated the simulation, we used our endpoint detection and response (EDR) system to detect threats while managing server hardening and account management tasks. The pace was quick, and despite being short-handed, we managed to keep afloat in the beginning. However, we soon lost access to a server, and a glance at the other table revealed the smug expressions of the attackers. We knew we were in trouble.

We set aside our growing list of tasks and frantically tried to regain access to the server. I switched between the EDR and remote desktop protocol (RDP) sessions to deactivate accounts and protect our network. Meanwhile, my colleague struggled with a tool that was malfunctioning. Its naming conventions conflicted with those reported in the EDR system, making our communication confusing.

As the hours passed, I found myself sweating. Why was I so anxious? I realized that I had nothing at stake but my pride, yet the frustration of being prepared for one scenario and facing another was overwhelming. Being short-staffed left us with too many competing priorities, causing us to overlap efforts. I longed for better tools and a coordinated plan to defend our network.

Lessons From the Front Lines

In that moment, I recognized that I was experiencing what many of my clients face. I felt a wave of empathy for real-life defenders who are often understaffed, under-equipped and under-prepared. When the exercise commenced, it became clear we had much work ahead. We encountered users with simple passwords and overprovisioned roles. Our EDR was in monitor mode, lacking essential detections and active features. Some operating systems were outdated, unpatched and had known vulnerabilities.
I tried to keep track of our next steps amid changing priorities. We had not established an incident commander role to oversee tasks, leaving too much for just two people. The lack of preparation and coordination complicated our response, leading to duplicative efforts and a feeling of being overwhelmed.

Despite these challenges, my partner and I made significant progress in the first hour. Communication was a strength, as we had worked together on many live and simulated engagements. However, the workload remained daunting. We discovered default passwords, unimplemented least privilege, accounts not on our lists and local admins with weak passwords. RDP access was enabled for all, and our EDR lacked configurations to counter known threats. We recognized these issues and began cleaning up the environment.

The scenario allowed us an hour to familiarize ourselves with the network and fortify our defenses. We did not have an incident response plan (IRP). We didn't have the benefit of a tabletop exercise (TTX) to familiarize ourselves with the environment and how we would react. We didn't have a playbook to list our priorities in our response. Time was running out. Even with an hour's warning about the impending attack, we were unable to prepare adequately.

Reflections and Recommendations

That evening, reflecting on the exercise, my team shared stories of our experiences. My simulated organization was not ready for the attack, and despite the stakes being low, I was troubled by our performance. What advice would I offer this hypothetical organization? If I were my own client, here's what I would say: If you do nothing else, if you conduct no further preparations or exercises, make sure to communicate this one critical point: An attack is imminent, and we need to be better prepared!

If you have questions about your own organization's preparedness, now is the time to act. Don't wait for a real incident to expose your vulnerabilities.
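The conditions the two defenders ran into during their one-hour head start (local admins nobody approved, enabled accounts missing from the inventory, default passwords, RDP open to every address without Network Level Authentication, stale patching) are exactly the kind of checks that should exist as a script before the attack begins, so that the first hour is spent fixing rather than discovering. The PowerShell below is an added example written for this page, not code from the original post or from Optiv. It runs read-only and reports findings; with -Remediate it applies the fixes. The approved-admin list, known-account list, default-password list and management subnet in its parameters are made-up placeholders that a team would replace with its own.

```powershell
<#
  Added example, not code from the original post or from Optiv.
  First-hour triage of one Windows host for the conditions found in the
  exercise: unapproved local admins, accounts not on the inventory, default
  passwords, RDP open to any address without NLA, stale patching.
  Read-only unless -Remediate is given. Run elevated.
  Assumptions (placeholders, not from the post): every default parameter value.
#>
[CmdletBinding()]
param(
    [string[]]$ApprovedAdmins   = @('Administrator', 'ir-admin'),
    [string[]]$KnownAccounts    = @('Administrator', 'ir-admin', 'svc-backup'),
    [string[]]$DefaultPasswords = @('Password1', 'Welcome1', 'P@ssw0rd'),
    [string]  $MgmtSubnet       = '10.10.0.0/24',
    [switch]  $Remediate
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Local Administrators: any user we did not put there is a finding.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object ObjectClass -eq 'User' |
    ForEach-Object {
        $name = ($_.Name -split '\\')[-1]
        if ($ApprovedAdmins -notcontains $name) {
            $findings.Add("Unapproved local admin: $name")
            if ($Remediate) { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
        }
    }

# 2. Enabled accounts missing from the inventory, and passwords set to never expire.
$users = Get-LocalUser | Where-Object Enabled
foreach ($u in $users) {
    if ($KnownAccounts -notcontains $u.Name) {
        $findings.Add("Unknown enabled account: $($u.Name)")
        if ($Remediate) { Disable-LocalUser -Name $u.Name }
    }
    if ($null -eq $u.PasswordExpires) { $findings.Add("Password never expires: $($u.Name)") }
}

# 3. Default passwords: validate each enabled account against the local SAM.
#    Keep the list short; if an account lockout threshold is set, each miss
#    counts toward it and you can lock out your own defenders mid-incident.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new('Machine')
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($u in $users) {
    foreach ($pw in $DefaultPasswords) {
        if ($ctx.ValidateCredentials($u.Name, $pw)) {
            $findings.Add("Default password in use: $($u.Name)")
            if ($Remediate) {
                $bytes = [byte[]]::new(24); $rng.GetBytes($bytes)
                $new = [Convert]::ToBase64String($bytes)
                Set-LocalUser -Name $u.Name -Password (ConvertTo-SecureString $new -AsPlainText -Force)
                Write-Warning "Reset $($u.Name); hand the new password over out of band: $new"
            }
            break
        }
    }
}

# 4. RDP: if it is enabled, require NLA and scope the firewall rule to the
#    management subnet instead of 'Any'.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($ts.fDenyTSConnections -eq 0) {
    if ($tcp.UserAuthentication -ne 1) {
        $findings.Add('RDP enabled without Network Level Authentication')
        if ($Remediate) { Set-ItemProperty -Path $tcp.PSPath -Name UserAuthentication -Value 1 }
    }
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    if ($openRules) {
        $findings.Add('RDP firewall rule allows any remote address')
        if ($Remediate) { $openRules | Set-NetFirewallRule -RemoteAddress $MgmtSubnet }
    }
}

# 5. Patch level: days since the newest hotfix that recorded an install date.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last) {
    $age = (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days
    if ($age -gt 45) { $findings.Add("Last hotfix $($last.HotFixID) installed $age days ago") }
} else {
    $findings.Add('No hotfix install dates recorded')
}

# One object per finding, so an incident commander can merge hosts into a single worklist.
$findings | ForEach-Object { [pscustomobject]@{ Host = $env:COMPUTERNAME; Finding = $_ } }
```

Run it once without -Remediate across every host in scope and feed the output to whoever is acting as incident commander; that single list is the playbook the two defenders in the story did not have. The credential-validation step in section 3 is the one to be careful with: it tests against the real account database, so check the lockout policy first and keep the default-password list to a handful of entries.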
Reach out to our experts to tap into proven cybersecurity expertise, build resilience and ensure you're equipped to face even the most relentless threats.

By: Geoff Rivera
Practice Manager, Enterprise Incident Management

A proven cybersecurity practitioner, Geoff has significant experience in program development, organizational change and developing and implementing corporate cybersecurity programs and strategies. His focus on leveraging and developing organizational talent and on process improvement brings a culture of security into everyday processes. Geoff holds an Associate of Science in Information Technology (Computer Networking), a Bachelor of Science in Information Security, and a Master of Science and Engineering in Cybersecurity, along with a number of industry certificates and credentials spanning law enforcement, physical security, application security, pen testing and red teams, vulnerability management, incident response and forensics.

Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.