top of page

What's inside the box?

Cyber security is often deemed complex and confusing, but what if there was a simple way to recreate real-life business scenarios where a cyber-attack could occur and allow you to practice your response to it?

Well, the good news is that this already exists and is an online tool from the National Cyber Security Centre. Exercise in a Box is essentially a box full of exercises based around real world scenarios with probing questions attached to each scenario.

Who is Exercise in a Box for?

Anyone, no technical skills are necessary! This is a great way to engage other areas of your business on cyber threats. However, it is recommended particularly for those in the following roles and positions:

  • Senior decision makers

  • Senior IT stakeholders

  • Technical IT security owners

  • Media/press/communications and marketing

  • Company policy owners

The tool allows your business and employees to do complete the exercises in your own time and in a safe environment. There is no responsibility for you to find materials for the scenarios, as it includes everything you need for setting up, planning, delivery, and post-exercise activity.

The exercises are broken into three categories, discussion based exercises, simulation exercises and micro exercises. Within each category is a breakdown of what each exercise will cover, how long it will take and a link to the resources need to complete that specific exercise.

An example of one of the scenario’s available is that of a phishing attack (when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link) leading to a ransomware infection, preventing you from accessing your computer (and the data that is stored on it).

Other exercises also included are:

  • Responding to a ransomware attack

  • Connecting securely to a network when working remotely

  • Mobile phone theft and response

  • And many more!

Find out more about Exercise in a Box, here.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page