The window is open. Use it.
After a breach or near-miss, organisations have something they almost never have: a workforce that's genuinely paying attention to security. Most programmes aren't built to use that moment. Here's how to.
Talk to us
Something happened. Everyone knows it.
A breach or near-miss creates conditions that almost nothing else does. Leadership is paying attention. The general workforce has registered that this is real. The security team has credibility it may not have had last week. And crucially, people are receptive in a way they rarely are outside of a genuine incident.
That's a narrow window. It closes quickly. Within a few weeks, normal operations reassert themselves. The urgency fades. The attention shifts. The opportunity to use the incident as a genuine turning point passes, and the organisation goes back to whatever it was doing before.
The incident itself isn't the failure. The failure is letting the moment close without using it.
This page is about how to use that window well. Not to punish, not to pile on compliance training that arrives at exactly the wrong emotional moment, but to deploy the right experiences at the right time and turn a difficult period into the foundation of something genuinely better.
Most organisations do one of these. Neither works.
The instinct after an incident is to respond with volume. Mandatory modules. Refresher courses. Phishing simulations. All deployed at a moment when the workforce is already shaken and the relationship between the general workforce and the security team is at its most fragile. Blame-adjacent training after a breach doesn't build awareness. It builds resentment. Reporting drops. Questions stop. The culture gets quieter, which is one of the most dangerous states an organisation can be in.
The other instinct is to do nothing until the dust settles. Let people recover. Avoid making a difficult period worse. Then carry on more or less as before once the immediate pressure has lifted. This feels considerate but it wastes the one thing an incident creates that nothing else does: genuine, voluntary attention. The window closes fast. Organisations that wait for the right moment usually find it never arrives, and the incident becomes a story about what went wrong rather than the start of something better.
Use the window. But use it carefully. Start with structured sense-making at the leadership level, before blame sets the narrative. Then move to scalable experiences that reach the general workforce while attention is still high, framed around learning and shared responsibility rather than consequence and compliance. Rebuild confidence with something people actually want to take part in. End the period with a moment that signals the programme has turned a corner, not just responded to a crisis.
Three phases. Each with a different job.
The sequence matters as much as the products. What works in week one is different from what works in week six. Getting the timing right is the difference between a programme that capitalises on the moment and one that makes things worse.
Start at the top. CMD is a structured tabletop exercise for exec teams and incident response functions. It creates a safe, designed space for leadership to process what happened, understand the decisions that were made, and work through what needs to change. Not a debrief. Not a blame session. A facilitated exercise that turns a difficult event into structured learning before the narrative hardens.
Deploy to the general workforce while attention is still elevated. SHIFT is solo, browser-based, and requires no logistics. ALT works solo or as a group on people's own devices. Both reach distributed teams without delivery overhead. The framing matters here: this is about building shared understanding and confidence, not consequence. People who've just lived through an incident are already primed to engage. Give them something worth engaging with.
Once the immediate pressure has lifted, rebuild with something positive. ESC creates a shared experience around security that isn't defined by what went wrong. SPACE_ takes it further: a flagship activation that signals this is where the programme turned a corner. The incident becomes the context for a better programme rather than the dominant story in how the organisation thinks about security.
Every product. Why it's here.
The post-incident window is the one situation where the full ecosystem earns its place simultaneously. Each product addresses a different aspect of recovery, at a different level of the organisation, at a different moment in the timeline.
Structured sense-making for the people at the top of the organisation. CMD creates a facilitated space for exec teams and incident response leads to work through what happened, test their decision-making under a reconstructed scenario, and surface the gaps before the next incident rather than during it.
As soon as operationally possible after the incident is contained. Before the narrative about what happened has hardened. Run with the exec team and IR leads separately. The questions it surfaces about authority, escalation, and communication are different at leadership level and need a different space to be answered honestly.
The fastest way to reach the general workforce with something meaningful. Solo, browser-based, no logistics, no facilitation required. SHIFT deploys at scale while attention is still elevated, giving people an engaging experience that builds understanding without arriving with a blame message attached.
Weeks two to four, while the incident is still fresh enough to motivate engagement but far enough away that the immediate emotion has settled. Push to the entire general workforce as a standard communication. Frame it as the organisation investing in people, not responding to a failure.
A novel, engaging layer that runs alongside SHIFT or independently. Works solo or as a group on people's own devices. ALT's novelty factor is particularly valuable in a post-incident period when the general workforce's emotional relationship with security is fragile. Something genuinely different in format signals that the programme is changing, not just repeating.
Alongside or immediately after SHIFT. Use it for team or department-level sessions where group engagement is possible. For distributed organisations, ALT's device-agnostic, no-kit approach means it can reach remote colleagues in the same window as everything else, without creating a two-tier recovery programme.
The culture reset tool. A physical, team-based experience that creates a new shared security memory to sit alongside the incident. ESC isn't deployed to respond to what happened. It's deployed to establish what happens next. The experience becomes a reference point that belongs to the new chapter rather than the difficult one.
Month two onwards, once the immediate pressure has lifted. Run with teams who were most directly affected first. The act of working through a scenario together under pressure, and doing it well, is itself a confidence-rebuilding exercise. Use train-the-trainer to establish ongoing delivery rather than a one-off response.
The turning point moment. A large-scale SPACE_ activation signals to the entire organisation that the programme has fundamentally changed. Not just a response to an incident, but a visible, memorable statement that security is being taken seriously in a way it wasn't before. Done well, SPACE_ reframes the incident as the catalyst for something better rather than just something bad that happened.
Anchor to a significant moment: an anniversary of the incident, an October awareness month, a leadership-driven programme relaunch. SPACE_ works best when it's the culmination of a recovery arc rather than a standalone activation. By the time it runs, the general workforce should already be part of a programme that has changed. SPACE_ is the moment that makes that change visible.
If the incident involved social engineering, CTRL+Vish is the targeted follow-up for the roles involved and the high-risk cohorts adjacent to them. It addresses the specific vulnerability that was exploited, in the specific way it was exploited, without applying blanket pressure to the whole organisation.
Only when the incident had a social engineering component. Deploy to Finance, HR, IT helpdesk and any other roles directly involved, alongside the general SHIFT and ALT rollout. Start with training and the practice line before any live simulation. The post-incident period is not the moment to add more unexpected pressure to the people who were already targeted.
Let SPACE_ write the next chapter.
Every organisation that goes through a significant incident has a choice about what that incident means in its culture. It can be the thing that happened. Or it can be the thing that changed everything.
SPACE_ is a large-scale immersive installation designed for exactly the kind of moment where something needs to visibly, memorably shift. An entire environment transformed around a cyber security narrative. An experience the organisation talks about for months. A shared reference point that belongs to the new chapter, not the old one.
Why the timing matters
SPACE_ deployed as a direct incident response feels reactive. SPACE_ deployed as the culmination of a recovery programme, after CMD has run with leadership, after SHIFT has reached the general workforce, after ESC has started rebuilding confidence at team level, that's a different signal entirely. It says the organisation didn't just respond. It rebuilt.
"The most interesting parts for me have been during the debriefs at the end. It's been great to hear of people's own experiences of being hacked, or dealing with their companies being hacked, and then being able to pull out the similarities between those attacks and what they learnt in the escape room."
Ministry of Defence
The window is open. Talk to us.
We won't ask you to replay what happened. We'll help you work out what to do next, and how to make the most of the moment you're in right now.