{"id":16179,"date":"2026-05-06T09:06:59","date_gmt":"2026-05-06T09:06:59","guid":{"rendered":"https:\/\/newestek.com\/?p=16179"},"modified":"2026-05-06T09:06:59","modified_gmt":"2026-05-06T09:06:59","slug":"train-like-you-fight-why-cyber-operations-teams-need-no-notice-drills","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16179","title":{"rendered":"Train like you fight: Why cyber operations teams need no-notice drills"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

St. Michael\u2019s Hospital in Toronto recently executed a full Code Orange simulation: A mass casualty emergency protocol requiring the activation of every clinical and operational team across the hospital. As a Level 1 trauma centre, it conducts large-scale exercises involving teams across the entire hospital: Emergency, surgery, communications, administration. The exercise is not a compliance event. It is an operational doctrine. The assumption is straightforward: The first time your team encounters a mass casualty event should not be the first time your team has encountered a mass casualty event.<\/p>\n

Cybersecurity is moving in the right direction. Detection has improved markedly but how teams train to respond has not yet caught up, and predictability has a ceiling. Scenarios distributed in advance, schedules agreed weeks ahead, playbooks handed out before anyone enters the room. I understand why. Scheduled exercises satisfy compliance requirements, cross-train teams and surface documentation gaps. But they cannot build the one capability that determines whether a real incident goes well or catastrophically wrong.<\/p>\n

The fix is not more planning. It is more surprise. And the reason why is not just operational. It is neurological.<\/p>\n

<\/a>Detection is the catalyst, not the problem<\/h2>\n

Security leaders often frame incident response readiness as a detection challenge. Build better alerts, tune the SIEM, reduce noise. Detection matters, but it is not where most organizations fail. Mandiant\u2019s M-Trends 2025 <\/a>report<\/a>, drawing on more than 450,000 hours of incident response investigations, documents a long-term reduction in attacker dwell time from 205 days in 2014 to 11 days in 2024. Detection is getting better.<\/p>\n

Detection is the catalyst, not the problem. What determines whether a response goes well is the state of the people who receive it. A team conditioned to act under genuine pressure will compress the time between detection and effective response. A team that has only ever rehearsed under controlled, low-stakes conditions will not, regardless of how sophisticated their tooling is.<\/p>\n

Building several no-notice programs has taught me something that no tabletop exercise ever surfaced. The failure patterns that emerge under genuine pressure are consistent across organizations: Unclear roles, slow decision-making and communication breakdowns that transform a manageable compromise into a full crisis. These are not process failures. They are the predictable result of people operating under acute stress without prior exposure to it. A plan that has never been tested under pressure is not a plan. It is a document.<\/p>\n

<\/a>Why the brain undermines the playbook<\/h2>\n

Under genuine threat stimulus, the human nervous system does not behave the way a tabletop exercise assumes it will. When the sympathetic nervous system activates in response to a perceived threat, it redirects neural resources away from executive function, working memory and language processing. The prefrontal cortex, the part of the brain that reads playbooks, reasons through options and communicates clearly, is progressively suppressed as physiological arousal intensifies. Teams do not fail under pressure because they lack knowledge. They fail because the neurological state that pressure induces makes that knowledge inaccessible at the moment it is needed most.<\/p>\n

This is why scheduled exercises cannot replicate the conditions they are meant to prepare teams for. Without genuine threat stimulus, the sympathetic nervous system is never fully engaged. Participants perform competently because they are not under real arousal. The behavior that feels fluent in the exercise room degrades when the same behavior is demanded under actual threat conditions, because the neurological state is entirely different.<\/p>\n

The Yerkes-Dodson principle, established in 1908 and validated extensively since, describes this as an inverted U. Performance rises with arousal up to an optimal point, then falls sharply as arousal continues to increase.<\/p>\n

\n
width=”1024″ height=”575″ sizes=”auto, (max-width: 1024px) 100vw, 1024px”>
The Yerkes-Dodson inverted-U curve: Performance rises with arousal to an optimal point, then falls sharply.<\/em><\/figcaption><\/figure>\n

Wikimedia Commons, CC-Zero<\/a><\/div>\n

What repeated no-notice drills do is shift a team\u2019s position on that curve. By building familiarity with threat-level arousal, they raise the threshold at which stress becomes performance-impairing. The stimulus is no longer novel. The cascade is shorter. Executive function stays online longer. Untrained teams encounter the steep right side of that curve for the first time during a real incident.<\/p>\n

<\/a>Stress inoculation: The science behind the drill<\/h2>\n

The formal psychological framework for what no-notice drills produce is stress inoculation training, first developed by psychologist Donald Meichenbaum in the 1970s and refined across four decades of applied research. The mechanism operates in three phases: Conceptualization, in which individuals understand their own stress response; skills acquisition, in which coping repertoires are built under controlled conditions; and application, in which those skills are tested through graduated, realistic exposure to the stressor itself. The application phase is not optional. It is where the inoculation occurs.<\/p>\n

The most rigorous contemporary validation of this framework in operational team settings comes from <\/a>Eduardo Salas<\/a>, Allyn R. & Gladys M. Cline Chair Professor of Psychology at Rice University and one of the most cited researchers in the world on team performance under stress. His central finding is directly applicable here: Stress inoculation training produces improvements that transfer to novel, unfamiliar stressors, not just the scenarios that were rehearsed. The inoculation generalizes. A team trained under realistic pressure performs better when the pressure takes an unexpected form.<\/p>\n

Applied to cybersecurity operations, the implication is direct. No-notice drills do not build scenario-specific knowledge. They build a conditioned physiological and cognitive response to threat stimulus: Shorter sympathetic activation cascades, faster recovery of executive function and the ability to make sound decisions before the moment passes. Comfort. Poise. Calm but steady action-on.<\/p>\n

No-notice drills build three outcomes that scheduled exercises cannot.<\/p>\n