By Dan Bergner, Cyber Incident Response Lead
TL;DR: A red team exercise almost led us to isolate a client’s core production environment. What prevented disruption wasn’t luck - it was informed judgement, a robust escalation process and the discipline to apply controls even under pressure. This incident became one of the clearest reminders of why preparedness, teamwork and humility matter in cyber security.
The Calm Before a Very Different Friday
“If you’ve spent any time in cyber, you’ll know this truth: nothing good starts on a Friday afternoon.”
It was one of those standard Fridays. Everything in the SOC felt routine. Analysts were catching up on tickets. Dashboards were stable. The usual flow of alerts came through - nothing out of the ordinary.
Then the situation changed quicker than you can say “quiet Friday”.
- A Teams notification pinged.
- A single message from the analyst team.
- A few too many concerning words.
Moments later, more alerts arrived. Then more. And suddenly this wasn’t just a normal Friday. We were looking at account creations, privilege escalations, lateral movement and behaviour that simply does not belong in a healthy environment.
I remember leaning forward in my chair, thinking, here we go…
What I didn’t know, and what no one in the SOC knew, was that the client had authorised a red team engagement. Only the client’s internal contact and one of our senior leaders were aware. The rest of us were treating this as a live incident because every indicator suggested it was one.
And to be honest, it looked real. Very real.
Seeing An Attack Unfold In Real Time
Within minutes, we had timelines built, correlation panels up and investigative threads mapped out. Whatever was happening was coordinated and clearly progressing.
When you’ve handled enough incidents, you learn the difference between background noise and someone actively moving through an environment.
This wasn’t noise. This was someone inside the hallway.
A containment decision point hit us early. Some of the affected systems were directly tied to production operations. Isolating them would have had an immediate and material impact on the client.
As Cyber Incident Response Lead, the responsibility sat with me - but no one in this work ever makes decisions in isolation. CyberOne operates with strict escalation and validation controls specifically to prevent unnecessary outages.
This is where those controls proved their worth.
“In cyber incident response, decisive action matters. But decisive action must be informed, validated and proportionate – especially when the impact touches the core of a customer’s business.”
The Escalation That Made the Difference
The analyst on the case escalated to me exactly as our procedures require when a mitigation could affect production systems. Before taking action, I needed additional context - not caution, but due diligence.
Part of that escalation route includes contacting senior cyber defence leadership for validation when a containment step could have major business impact. Lewis, our Head of Cyber Threat Defence, was the designated escalation point that day.
Now, Lewis happened to be off sick, but escalation redundancy is built into our processes. If he hadn’t answered, the call would have automatically gone to the next in line. The system doesn’t rely on one person.
- Still, he picked up.
- Croaky voice, but sharp mind.
Bound by the red team’s rules of engagement, he couldn’t tell me outright what was happening. But he guided me enough to recognise that the specific containment action we were about to take wasn’t appropriate in this context.
Minutes later, the truth surfaced: it was a red team engagement.
The key point here isn’t that I “paused”. It’s that our escalation controls worked exactly as they were designed to.
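The control described above, a containment step on a production system that is held until a designated escalation contact validates it, with the request rolling to the next person in line if that contact is unavailable, can be modelled in a few dozen lines. The following is an added illustration, not CyberOne’s tooling or the process exactly as they run it; the asset names, roles, availability flags and decisions are constructed sample data, and the real control also involves humans, rules of engagement and context that no script captures.

```python
"""Containment gate with escalation redundancy (added illustration).

Models the control the post describes: a containment action on a
production-tagged asset is withheld until someone in the escalation
chain validates it; an unavailable or unanswering contact rolls the
request to the next in line, and if the chain is exhausted the action
stays withheld. Every step is written to an audit trail.
All names, roles and decisions here are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    production: bool  # True if the asset is tied to production operations


@dataclass(frozen=True)
class ContainmentAction:
    kind: str  # e.g. "isolate_host", "disable_account"
    asset: Asset


@dataclass
class EscalationContact:
    name: str
    role: str
    available: bool
    # Returns True to approve, False to reject, None if the call is not answered
    decide: Callable[[ContainmentAction], Optional[bool]]


@dataclass
class GateResult:
    executed: bool
    validated_by: Optional[str]
    audit: List[str] = field(default_factory=list)


def run_containment_gate(action: ContainmentAction,
                         chain: List[EscalationContact],
                         execute: Callable[[ContainmentAction], None]) -> GateResult:
    """Execute `action` only if it is low impact or validated via the chain."""
    result = GateResult(executed=False, validated_by=None)
    target = f"{action.kind} on {action.asset.name}"

    if not action.asset.production:
        # Non-production: the analyst may act directly, but it is still logged.
        execute(action)
        result.executed = True
        result.audit.append(f"{target}: executed without escalation (non-production)")
        return result

    result.audit.append(f"{target}: production impact, escalation required")
    for contact in chain:
        if not contact.available:
            result.audit.append(f"{contact.name} ({contact.role}) unavailable, rolling to next")
            continue
        decision = contact.decide(action)
        if decision is None:
            result.audit.append(f"{contact.name} ({contact.role}) did not answer, rolling to next")
            continue
        result.validated_by = contact.name
        if decision:
            execute(action)
            result.executed = True
            result.audit.append(f"{contact.name} approved; {target} executed")
        else:
            result.audit.append(f"{contact.name} rejected; {target} withheld")
        return result

    # Nobody in the chain could validate: fail safe by withholding the action.
    result.audit.append(f"escalation chain exhausted; {target} withheld")
    return result


def example_scenario() -> GateResult:
    """Constructed scenario: primary contact off sick, deputy answers and rejects."""
    erp_host = Asset("erp-app-01", production=True)  # constructed asset name
    action = ContainmentAction("isolate_host", erp_host)
    chain = [
        EscalationContact("primary", "Head of Cyber Threat Defence",
                          available=False, decide=lambda a: True),
        EscalationContact("deputy", "Deputy Head of Cyber Threat Defence",
                          available=True, decide=lambda a: False),
    ]
    executed: List[ContainmentAction] = []
    return run_containment_gate(action, chain, executed.append)


if __name__ == "__main__":
    for line in example_scenario().audit:
        print(line)
```

The design choice worth noting is the final branch: when the whole chain is unavailable the gate withholds the action rather than executing it, because the control exists precisely to stop an unvalidated outage on production. A separate, deliberately narrower path (an incident commander override with its own logging) is where a real process would put the “we genuinely must isolate now” case.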
When The Truth Came Out
Once the exercise concluded, the client disclosed the full context and ran us through the red team’s objectives and tactics.
Their reaction to our actions surprised us - in a good way.
They told us:
“Every defensive step you took, every escalation you prepared, every action you were ready to execute… would have stopped a real attacker.”
For any blue team, that’s the best feedback you can receive.
This wasn’t just a simulation. It was a real-world validation of every process, every judgment call, and every hour of training the team had invested.
“The red team didn’t expose a weakness. It proved the strength of the defenders.”
Why Exercises Like This Matter Far More Than People Think
People often imagine cyber security maturity like a checklist:
- Got a SOC?
- Got a firewall?
- Got training?
But maturity is more like climbing a pyramid:

This exercise hit the very top of that pyramid: a live, adversarial simulation against an unaware blue team, giving everyone an honest assessment of how they perform under pressure.
You can only learn certain things by being placed under genuine stress.
This is where real organisational resilience is built:
- Not in the documentation.
- Not in the theory.
- But in the messy, imperfect reality of a Friday afternoon incident.
Universal Lessons From An Almost-Incident
This story applies to anyone, regardless of sector, size or technical awareness. You don’t need to understand SIEM logs or lateral movement to get the point.
Here’s what I think the universal lessons are.
- Preparedness Is More Than A Plan
Having a plan is good. Practising it is better. Testing it under pressure is best.
- Strong Judgment Is Built Long Before The Crisis
That small hesitation - the choice to pause - only happens when you’ve built confidence, experience and trust in your team.
- Communication Saves More Than Technology
One phone call prevented a costly mistake. Cyber is still fundamentally human.
- Testing Your Defences Is Not A Luxury
Red teams aren’t there to embarrass you. They’re there to strengthen you.
- Humility Is One Of The Most Important Security Controls
You don’t know everything. You won’t always have perfect information. And you won’t always get it right. But you can always learn.
How The Client Reacted Afterwards
To their credit, the client didn’t hide behind the secrecy of the red team engagement. They openly acknowledged the pressure we had been under and appreciated the risks we were managing.
They were actually impressed - not just with the technical response, but with the discipline and composure of the team. They saw our readiness to take decisive action as a sign of genuine resilience.
And that honesty sparked something important between us: a deeper trust.
They asked for advice on how to mature further, how to sharpen their detection and how to build more confidence at board level. That kind of openness only comes from shared experience - especially one where everyone was tested.
A Reflection On Leadership, Judgement And Humility
If this experience taught me anything, it’s that leadership in cyber isn’t about being the loudest voice in the room or the quickest to act.
It’s about:
- Knowing when not to act.
- Knowing when to trust your gut.
- Knowing when to pause, even for a second.
- And knowing when to pick up the phone to someone who may see what you can’t.
Cyber security is full of high-stakes moments wrapped in incomplete information. You can’t avoid that. But you can prepare yourself and your team to navigate it.
In our case, a single moment of hesitation prevented a major operational disruption. But it also validated everything the team had built - our processes, our instincts and our collective discipline.
That’s what resilience looks like.
Not perfection. Not certainty. Just humans, working together, making smart decisions under pressure.
And on a Friday afternoon, that’s more than enough.