惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cisco Talos Blog
Cisco Talos Blog
V
V2EX
C
Check Point Blog
GbyAI
GbyAI
D
Docker
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
B
Blog RSS Feed
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
Netflix TechBlog - Medium
T
Troy Hunt's Blog
博客园 - Franky
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Security Blog
Microsoft Security Blog
P
Privacy & Cybersecurity Law Blog
WordPress大学
WordPress大学
The Cloudflare Blog
S
SegmentFault 最新的问题
Latest news
Latest news
Microsoft Azure Blog
Microsoft Azure Blog
P
Proofpoint News Feed
I
InfoQ
博客园 - 【当耐特】
NISL@THU
NISL@THU
A
About on SuperTechFans
T
Tailwind CSS Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Scott Helme
Scott Helme
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
Security Latest
Security Latest
V
Vulnerabilities – Threatpost
Security Archives - TechRepublic
Security Archives - TechRepublic
A
Arctic Wolf
Hacker News: Ask HN
Hacker News: Ask HN
N
News and Events Feed by Topic
IT之家
IT之家
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
aimingoo的专栏
aimingoo的专栏
T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
SecWiki News
SecWiki News
大猫的无限游戏
大猫的无限游戏
S
Security Affairs
The Register - Security
The Register - Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
L
LINUX DO - 热门话题
T
Tor Project blog

CSO Online

Iranian state-backed spies pose as ransomware slingers in false flag attacks New malware turns Linux systems into P2P attack networks Poisoned truth: The quiet security threat inside enterprise AI Die besten DAST- & SAST-Tools CISA mulls new three-day remediation deadline for critical flaws CISA pushes critical infrastructure operators to prepare to work in isolation CISOs step up to the security workforce challenge 10 Anzeichen für einen schlechten CSO Anthropic Mythos spurs White House to weigh pre-release reviews for high-risk AI models Security agencies draw red lines around agentic AI deployments The fake IT worker problem CISOs can’t ignore How CISOs should utilize data security posture management to inform risk Was ist ein Botnet? Human-centric failures: Why BEC continues to work despite MFA Just 34% of cyber pros plan to stick with their current employer Managing OT risk at scale: Why OT cyber decisions are leadership decisions 4 ways to prepare your SOC for agentic AI ‘Trivial’ exploit can give attackers root access to Linux kernel Bank regulator sounds warning over cybersecurity threat posed by AI models Dismantle implicit trust in OT networks, CISA tells critical infrastructure operators Max-severity RCE flaw found in Google Gemini CLI Stopping the quiet drift toward excessive agency with re-permissioning ODNI to CISOs on threat assessments: You’re on your own 10 wichtige Security-Eigenschaften: So setzen Sie die Kraft Ihres IT-Sicherheitstechnik-Teams frei Researchers unearth industrial sabotage malware that predated Stuxnet by 5 years AWS leans on prior ingenuity to face future AI and quantum threats What it takes to win that CSO role Third Party Risk Management: So vermeiden Sie Compliance-Unheil Critical Cursor bug could turn routine Git into RCE Securing RAG pipelines in enterprise SaaS What CISOs need to get right as identity enters the agentic era Stopping AiTM attacks: The defenses that actually work after authentication succeeds EDR-Software – ein Kaufratgeber Microsoft patched an ‘agent-only’ role that was not AI is reshaping DevSecOps to bring security closer to the code The 'manager of agents': How AI evolves the SOC analyst role 4 Wege aus der Security-Akronymhölle Autonome KI-Agenten: Strategien für die neue Bedrohungslage New US House privacy bills raise hard questions about enterprise data collection Scattered Spider co-conspirator pleads guilty Security-KPIs und -KRIs: So messen Sie Cybersicherheit Bitwarden CLI password manager trojanized in supply chain attack 3 practical ways AI threat detection improves enterprise cyber resilience The curious case of Sean Plankey’s derailed CISA nomination Google gets agent-ready for the Mythos age Google drafts AI agents secure systems against AI hackers CNAPP – ein Kaufratgeber Riddled with flaws, serial-to-Ethernet converters endanger critical infrastructure NFC tap-to-pay gets tapped by hackers Anthropic bets on EPSS for the coming bug surge SBOM erklärt: Was ist eine Software Bill of Materials? Thousands of Apache ActiveMQ instances still unpatched, weeks after an actively exploited hole discovered Prompt injection turned Google’s Antigravity file search into RCE Why identity is the driving force behind digital transformation Top techniques attackers use to infiltrate your systems today The thin gray line: Handala, CyberAv3ngers and Iran’s proxy ops Attackers abuse Microsoft Teams to impersonate the IT helpdesk in a new enterprise intrusion playbook CISOs reshape their roles as business risk strategists Copilot & Agentforce offen für Prompt-Injection-Tricks Claude Mythos – ist der Hype gerechtfertigt? Für Cyberattacken gewappnet – Krisenkommunikation nach Plan Critical sandbox bypass fixed in popular Thymeleaf Java template engine White House moves to give federal agencies access to Anthropic’s Claude Mythos Another Microsoft Defender privilege escalation bug emerges days after patch Palo Alto’s Helmut Reisinger sees a cyber sea change ahead as AI advances Positiv denken für Sicherheitsentscheider: 6 Mindsets, die Sie sofort ablegen sollten NIST cuts down CVE analysis amid vulnerability overload Was bei der Cloud-Konfiguration schiefläuft – und wie es besser geht The endless CISO reporting line debate — and what it says about cybersecurity leadership Behind the Mythos hype, Glasswing has just one confirmed CVE Insurance carriers quietly back away from covering AI outputs RCE by design: MCP architectural choice haunts AI agent ecosystem Critical nginx UI tool vulnerability opens web servers to full compromise Copilot and Agentforce fall to form-based prompt injection tricks The deepfake dilemma: From financial fraud to reputational crisis 7 biggest healthcare security threats The need for a board-level definition of cyber resilience Mallory Launches AI-Native Threat Intelligence Platform, Turning Global Threat Data Into Prioritized Action 13 Fragen gegen Drittanbieterrisiken April Patch Tuesday roundup: Zero day vulnerabilities and critical bugs 4 questions to ask before outsourcing MDR 5 trends defining the future of AI-powered cybersecurity EU regulators largely denied access to Anthropic Mythos China-linked cloud credential heist runs on typos and SMTP How AI is transforming threat detection The AI inflection point: What security leaders must do now Cyber-Inspekteur: Hybride Attacken nehmen weiter zu Anthropic’s Mythos signals a structural cybersecurity shift Seven IBM WebSphere Liberty flaws can be chained into full takeover Old Docker authorization bypass pops up despite previous patch Hacker Unknown now known, named on Europol’s most-wanted list The cyber winners and losers in Trump’s 2027 budget CMMC compliance in the age of AI Claude uncovers a 13‑year‑old ActiveMQ RCE bug within minutes Was CISOs von Moschusochsen lernen können Hackers have been exploiting an unpatched Adobe Reader vulnerability for months New ClickFix variant bypasses Apple safeguards with one‑click script execution Cloudflare ‘actively adjusting’ quantum priorities in wake of Google warning Patch windows collapse as time-to-exploit accelerates So geht Post-Incident Review
Train like you fight: Why cyber operations teams need no-notice drills
2026-05-06 · via CSO Online

St. Michael’s Hospital in Toronto recently executed a full Code Orange simulation: A mass casualty emergency protocol requiring the activation of every clinical and operational team across the hospital. As a Level 1 trauma centre, it conducts large-scale exercises involving teams across the entire hospital: Emergency, surgery, communications, administration. The exercise is not a compliance event. It is an operational doctrine. The assumption is straightforward: The first time your team encounters a mass casualty event should not be the first time your team has encountered a mass casualty event.

Cybersecurity is moving in the right direction. Detection has improved markedly but how teams train to respond has not yet caught up, and predictability has a ceiling. Scenarios distributed in advance, schedules agreed weeks ahead, playbooks handed out before anyone enters the room. I understand why. Scheduled exercises satisfy compliance requirements, cross-train teams and surface documentation gaps. But they cannot build the one capability that determines whether a real incident goes well or catastrophically wrong.

The fix is not more planning. It is more surprise. And the reason why is not just operational. It is neurological.

Detection is the catalyst, not the problem

Security leaders often frame incident response readiness as a detection challenge. Build better alerts, tune the SIEM, reduce noise. Detection matters, but it is not where most organizations fail. Mandiant’s M-Trends 2025 report, drawing on more than 450,000 hours of incident response investigations, documents a long-term reduction in attacker dwell time from 205 days in 2014 to 11 days in 2024. Detection is getting better.

Detection is the catalyst, not the problem. What determines whether a response goes well is the state of the people who receive it. A team conditioned to act under genuine pressure will compress the time between detection and effective response. A team that has only ever rehearsed under controlled, low-stakes conditions will not, regardless of how sophisticated their tooling is.

Building several no-notice programs has taught me something that no tabletop exercise ever surfaced. The failure patterns that emerge under genuine pressure are consistent across organizations: Unclear roles, slow decision-making and communication breakdowns that transform a manageable compromise into a full crisis. These are not process failures. They are the predictable result of people operating under acute stress without prior exposure to it. A plan that has never been tested under pressure is not a plan. It is a document.

Why the brain undermines the playbook

Under genuine threat stimulus, the human nervous system does not behave the way a tabletop exercise assumes it will. When the sympathetic nervous system activates in response to a perceived threat, it redirects neural resources away from executive function, working memory and language processing. The prefrontal cortex, the part of the brain that reads playbooks, reasons through options and communicates clearly, is progressively suppressed as physiological arousal intensifies. Teams do not fail under pressure because they lack knowledge. They fail because the neurological state that pressure induces makes that knowledge inaccessible at the moment it is needed most.

This is why scheduled exercises cannot replicate the conditions they are meant to prepare teams for. Without genuine threat stimulus, the sympathetic nervous system is never fully engaged. Participants perform competently because they are not under real arousal. The behavior that feels fluent in the exercise room degrades when the same behavior is demanded under actual threat conditions, because the neurological state is entirely different.

The Yerkes-Dodson principle, established in 1908 and validated extensively since, describes this as an inverted U. Performance rises with arousal up to an optimal point, then falls sharply as arousal continues to increase.

The Yerkes-Dodson inverted-U curve
The Yerkes-Dodson inverted-U curve: Performance rises with arousal to an optimal point, then falls sharply.

Wikimedia Commons, CC-Zero

What repeated no-notice drills do is shift a team’s position on that curve. By building familiarity with threat-level arousal, they raise the threshold at which stress becomes performance-impairing. The stimulus is no longer novel. The cascade is shorter. Executive function stays online longer. Untrained teams encounter the steep right side of that curve for the first time during a real incident.

Stress inoculation: The science behind the drill

The formal psychological framework for what no-notice drills produce is stress inoculation training, first developed by psychologist Donald Meichenbaum in the 1970s and refined across four decades of applied research. The mechanism operates in three phases: Conceptualization, in which individuals understand their own stress response; skills acquisition, in which coping repertoires are built under controlled conditions; and application, in which those skills are tested through graduated, realistic exposure to the stressor itself. The application phase is not optional. It is where the inoculation occurs.

The most rigorous contemporary validation of this framework in operational team settings comes from Eduardo Salas, Allyn R. & Gladys M. Cline Chair Professor of Psychology at Rice University and one of the most cited researchers in the world on team performance under stress. His central finding is directly applicable here: Stress inoculation training produces improvements that transfer to novel, unfamiliar stressors, not just the scenarios that were rehearsed. The inoculation generalizes. A team trained under realistic pressure performs better when the pressure takes an unexpected form.

Applied to cybersecurity operations, the implication is direct. No-notice drills do not build scenario-specific knowledge. They build a conditioned physiological and cognitive response to threat stimulus: Shorter sympathetic activation cascades, faster recovery of executive function and the ability to make sound decisions before the moment passes. Comfort. Poise. Calm but steady action-on.

No-notice drills build three outcomes that scheduled exercises cannot.

  • Instinct: Analysts who have been genuinely surprised before respond faster the next time, not because they followed a procedure, but because the threat is no longer neurologically novel. The sympathetic cascade is shorter. Decision-making begins sooner.
  • Trust: When the script disappears, teams rely on each other’s judgment. Amy Edmondson, Novartis Professor of Leadership and Management at Harvard Business School, has spent three decades establishing that psychological safety built before a crisis is the precondition for effective performance during one. Teams that have experienced speaking up under pressure without negative consequence are measurably more able to do so again when it matters most. No-notice drills create exactly that experience. They surface the communication gaps and authority ambiguities that only emerge under genuine stress, the ones a tabletop never reaches.
  • Organizational honesty: Every organization that runs a surprise exercise finds something broken. An outdated escalation contact. A permissions gap. An executive who does not know what to do on a call at 3:00 a.m. The question is not whether those gaps exist. They do. The question is whether you find them before your adversaries do.

How to build the program

Following Meichenbaum’s application phase and Salas’s guidance on graduated stress exposure, an effective no-notice program begins contained and builds toward full-chain complexity. Here is what works in practice.

  • Start with anomaly injection: Seed realistic signals into production telemetry without announcement: An unexpected privileged account login, a credential used from an implausible geography, a misconfigured asset surfacing in cloud inventory, a ransomware detection in EDR. Observe what happens naturally. Which alerts fire. Who triages. How long before escalation begins.
  • Trigger full-chain activation: Once detection occurs, let the scenario cross organizational boundaries into Legal, Communications, Risk and the executive layer. This is where most exercises fail to go, and where the most expensive gaps live. In my experience running large-scale Fusion operations across multiple geographies, technical teams typically detect and triage with reasonable competence. The exposure sits in cross-functional latency: The time it takes decision-makers outside the SOC to become meaningfully engaged. That latency is invisible until you measure it under real conditions.
  • Debrief fast and without blame: Conduct a blameless post-mortem within 24 hours. Capture what surprised people, what slowed them and what they needed but did not have. Assign follow-ups in days, not months. The learning velocity of the program is almost entirely a function of how quickly the feedback loop closes.
  • Measure what matters: Mean time to detect and mean time to respond are necessary but insufficient. Add mean time to acknowledge, mean time to escalate and cross-functional activation time. A team that measurably cuts its acknowledgement time after three surprise drills has improved operational capability. A team that updates its playbook after a tabletop has improved its documentation.

The leadership obstacle

The most common objection to no-notice drills is political rather than operational. Leadership is mindful of team embarrassment, perceived panic and audit exposure. These concerns are worth addressing directly: Run the first drills at small scale, brief leadership on the stress inoculation framework before you begin and be explicit that the goal is to find gaps, not to grade performance. Every gap found is a program success, because it is.

The harder conversation is about what happens when those concerns win. The cost of never being surprised in training is being surprised for the first time during a real incident, when the damage clock is already running. PagerDuty’s Failure Friday program reached a weekly cadence because that trade-off was made explicit and decided correctly: Structured surprise became part of normal operational rhythm rather than a periodic ordeal. The embarrassment of a drill that surfaces gaps is recoverable. The embarrassment of a breach that exposes them is not.

No-notice programs fail when leadership treats mistakes as evidence of failure. They succeed when the post-mortem question is what we learned, not who missed it.

The standard worth holding

St. Michael’s Hospital does not discover gaps in its mass casualty response during actual mass casualty events. Emergency medicine settled this question decades ago: You train under realistic pressure, across every team that would need to activate, before the event that requires it. Aviation reached the same conclusion. Military doctrine is built on it. The science, from Meichenbaum established that graduated exposure to realistic stress builds lasting resilience. Salas validated that finding across every high-consequence operational domain. And Edmondson at Harvard showed that psychological safety enabling teams to perform under crisis must be cultivated long before the crisis arrives. Three researchers, three disciplines, one conclusion.

Too often, cybersecurity operations teams face their first genuine no-notice pressure event during an actual incident. That is a choice many organizations make by default, not by design and it is a choice with a known and preventable cost.

The gap between a team that performs under pressure and one that collapses under it is not talent, tooling or process. The science, the doctrine and the operational evidence all point in the same direction. Teams that train under realistic pressure perform better when the pressure is palpable. The question is not whether to build this capability. It is how quickly you can get started, and the answer is simpler than most leaders expect: Seed an anomaly. Observe what happens. Debrief within 24 hours. That is the first drill. Everything else builds from there.

Build the instinct and neurological memory now, before you need it. Because by the time you need it, it is already too late to build.

This article is published as part of the Foundry Expert Contributor Network.
Want to join?

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.