
15 Cyber Security Activities for Employees (That Don't Suck)


Most security awareness programs fail for the same boring reason: they’re boring.

Employees sit through a 45-minute video about password hygiene, click “Next” through a quiz, and forget everything before lunch. You know it. They know it. The phishing click rates prove it.

The fix isn’t better videos. It’s getting people out of their chairs and into scenarios that feel real. The 15 activities below are ones we’ve seen work in actual companies, with actual skeptical employees, producing actual measurable improvements. Some take 15 minutes. Some need a full hour. All of them beat another compliance slideshow.

If you want a broader look at cybersecurity training exercises and how to structure a program, we covered that separately. This post is the practical playbook: specific activities you can run this week.

These are low-prep, high-energy formats for teams that haven’t done interactive security training before. Start here.

Put 10-15 email screenshots on a projector. Teams get 60 seconds per email to decide: legit or phishing? They write down the red flags they spot. Points for correct calls, bonus points for naming specific indicators.

This works well with groups of 4-20. Budget about 20 minutes. The competitive element is what makes it click. Time pressure forces the same fast-scan decisions people make in their actual inbox, and the group discussion after each email is where the real learning happens.

Start with obvious fakes and escalate. Throw in at least two completely legitimate emails. Otherwise everyone defaults to “it’s all phishing” and learns nothing.

This is my favorite starter activity. Even the most skeptical rooms get loud by email three or four.

Everyone creates their best password or passphrase, then you test each one against a projected strength checker. Simple, fast, weirdly competitive.

Any group size works. 15 minutes is plenty. The moment someone’s “unbreakable” password scores poorly, the room pays attention. The moment someone’s silly passphrase scores higher than every complex-character creation, the lesson about length vs. complexity lands without a lecture.

Push people toward passphrases. Show them why “correct-horse-battery-staple” beats “P@ssw0rd!” in both strength and memorability. That single demonstration sticks longer than any policy document.
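To show the room why the projected checker ranks the passphrase above the symbol-heavy password, here is an added Python example (not code from the original post) with two meters side by side: a naive charset-size meter and a pattern-aware one. The common-word list, the leet substitution map, the 7776-word diceware size and the variant multipliers are constructed assumptions for this demonstration, not values from the page.

```python
import math
import re

# Constructed for this example: a tiny "most common passwords" list and a
# diceware-style wordlist size. Real meters (e.g. zxcvbn) use far larger lists.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "dragon", "monkey"}
DICEWARE_WORDS = 7776
LEET_CHARS = "@0$31"
LEET = str.maketrans(LEET_CHARS, "aosei")

def naive_bits(pw):
    """What a charset^length meter reports: rewards symbols, ignores patterns."""
    pools = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    size = sum(n for test, n in pools if any(test(c) for c in pw))
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0

def pattern_bits(pw):
    """Pattern-aware estimate: roughly log2 of the guesses an attacker needs."""
    words = [w for w in re.split(r"[-_ .]", pw) if w]
    if len(words) >= 3 and all(w.isalpha() for w in words):
        # Random passphrase: each word is one draw from the wordlist, so bits add up.
        return len(words) * math.log2(DICEWARE_WORDS)
    core = pw.lower().rstrip("!?.").translate(LEET)
    if core in COMMON_WORDS:
        # A common word with leet swaps, a capital and a punctuation suffix is only a
        # few thousand variants (assumed factors: 2 per swap, 4 casings, 10 suffixes).
        swaps = sum(c in LEET_CHARS for c in pw)
        return math.log2(len(COMMON_WORDS) * 2 ** swaps * 4 * 10)
    return naive_bits(pw)  # no known pattern: fall back to the naive figure

def compare(pw):
    """Return (naive_bits, pattern_bits) rounded to one decimal for display."""
    return round(naive_bits(pw), 1), round(pattern_bits(pw), 1)

if __name__ == "__main__":
    # The two passwords from the activity: the passphrase wins on the meter that matters.
    for pw in ["P@ssw0rd!", "correct-horse-battery-staple"]:
        naive, pattern = compare(pw)
        print(f"{pw:<30} naive={naive:>6} bits   pattern-aware={pattern:>6} bits")
```

The naive meter rates "P@ssw0rd!" at about 59 bits; the pattern-aware one, which knows it is "password" with three tweaks, rates it under 12, while the four-word passphrase keeps about 52 bits either way.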

Read social engineering scenarios aloud. Participants raise their hand the instant they hear a red flag. First to spot it gets a point.

Here’s a sample: “Hi, I’m calling from your IT department. We’ve detected unusual activity on your account and need to reset your password immediately. Can you verify your current password so I can update it in our system?”

The red flags pile up fast: urgency, requesting the actual password, vague “unusual activity,” caller can’t prove their identity. Groups of 5-30 work well, and 15 minutes is the sweet spot before energy dips. You’ll need a stack of scenario cards prepared in advance.

Display URLs one at a time and let people call out which are real and which are malicious. This one teaches a concrete, inspectable skill that transfers directly to daily work.

Some examples to get you started:

  • https://microsoft-support.com (fake)
  • https://support.microsoft.com (real)
  • https://arnazon.com/deals (fake, the ‘rn’ masquerades as ‘m’)

Most employees have never actually looked at a URL structure before. Once you walk through the anatomy of a URL and show common deception patterns, they start checking. That habit alone prevents a significant chunk of phishing attacks.

15 minutes, any group size, projector required.
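For the debrief, it helps to show that the deception patterns in those URLs can be checked mechanically. This is an added Python example, not code from the original post: it walks the anatomy of each URL (hostname, registrable domain, leading label) and flags the three tricks discussed, a brand name embedded in a lookalike domain, a confusable letter sequence such as "rn" for "m", and a genuine domain used as a subdomain of something else. The brand allowlist, the confusable table and the fourth URL (a constructed .test domain) are assumptions for this demonstration; the two-label registrable-domain rule is a simplification without a public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: brand name -> the domain it really uses.
KNOWN_BRANDS = {"microsoft": "microsoft.com", "amazon": "amazon.com"}

# Letter sequences a fast scan misreads as one letter ('rn' for 'm' is the page's case).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

def registrable_domain(host):
    """Last two labels of the host. Simplification: no public-suffix list,
    so multi-part suffixes such as co.uk are out of scope here."""
    return ".".join(host.lower().split(".")[-2:])

def normalize(label):
    """Collapse confusable sequences so 'arnazon' compares equal to 'amazon'."""
    for seq, letter in CONFUSABLES.items():
        label = label.replace(seq, letter)
    return label

def assess(url):
    """Return a verdict ('known', 'suspicious' or 'unknown') plus the reasons."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    flags = []
    if reg in KNOWN_BRANDS.values():
        return {"host": host, "registrable": reg, "verdict": "known", "flags": flags}
    label = reg.split(".")[0]
    for brand, real in KNOWN_BRANDS.items():
        if f".{real}." in f".{host}":
            # The genuine domain appears, but only as a subdomain of something else.
            flags.append(f"{real} is a subdomain of {reg}, not the registered domain")
        elif brand in label:
            # Brand name embedded in a lookalike registrable domain (microsoft-support.com).
            flags.append(f"'{brand}' in {reg}, but {brand} uses {real}")
        elif normalize(label) == brand:
            # Homoglyph: the label only reads as the brand after collapsing confusables.
            flags.append(f"{label} is a lookalike of {brand} ({real})")
    verdict = "suspicious" if flags else "unknown"
    return {"host": host, "registrable": reg, "verdict": verdict, "flags": flags}

if __name__ == "__main__":
    # The three URLs from the activity plus one constructed subdomain trick (.test TLD).
    for u in ["https://microsoft-support.com", "https://support.microsoft.com",
              "https://arnazon.com/deals",
              "https://support.microsoft.com.login-example.test/signin"]:
        r = assess(u)
        print(f"{r['verdict']:<10} {r['host']:<45} {'; '.join(r['flags'])}")
```

A domain the allowlist does not know comes back "unknown" rather than "safe", which is the habit to teach: absence of a red flag is not proof of legitimacy.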

These need more setup but create the strongest memories. Use them quarterly or for dedicated training sessions.

Teams solve security-themed puzzles to “escape” a simulated breach scenario. Decoding encrypted messages, spotting phishing emails hidden in clues, identifying social engineering tactics. You can DIY the puzzles or buy pre-built kits.

Groups of 4-8 per room, 45-60 minutes. Theme it around something plausible: “A ransomware attack has locked our systems. Find the backup password before the deadline.” Mix security knowledge with general puzzle-solving so non-technical people can contribute.

This is the most work to set up and the most talked-about activity afterward. People remember escape rooms for months. They remember compliance videos for minutes.

Assign roles across the room: CISO, IT, Legal, Communications, HR. Present an evolving security incident with new information dropping every few minutes. Teams coordinate response decisions in real time.

Starting scenario: “An employee reports their email is sending messages they didn’t write. Thirty minutes later, a customer calls asking why they received a suspicious invoice.”

Budget 45 minutes for a group of 6-15. The value here isn’t the security knowledge. It’s exposing the coordination gaps that kill real incident response. Departments that have never talked through a breach together will fumble the handoffs. Better to discover that in a simulation than during an actual event. This is particularly relevant for teams building a human firewall culture across departments.

Flip the perspective. Small teams of 3-5 design the most convincing phishing email they can, targeting a fictional company. Present them, vote on the most convincing, then tear each one apart for detection clues.

30 minutes. Set hard rules: fictional targets only, no real malicious links. Focus discussion on what a defender would notice.

Understanding attacker psychology is one of the fastest ways to improve defense. When people realize how easy it is to create a convincing fake, their guard goes up permanently.

Classic Jeopardy format with security categories: Phishing, Passwords, Physical Security, Social Engineering, Incident Response. PowerPoint templates work fine. Online tools work better.

Sample questions:

  • Phishing 200: “The technique of sending text message scams” (What is smishing?)
  • Passwords 400: “The recommended minimum number of characters for a secure password” (What is 12-16?)
  • Social Engineering 600: “The term for when an unauthorized person follows an employee through a secure door” (What is tailgating?)

This handles big groups well (10-50, team-based) and runs 30-45 minutes. The familiar format means zero resistance. Nobody has to be convinced to play Jeopardy. It covers broad territory fast and works especially well as a review after more intensive training.

One-off activities create spikes of awareness that fade. These programs keep security visible between training events.

Recruit one volunteer per 25-50 employees to serve as a department security liaison. Give them extra training, a shared communication channel, and early access to security updates. They answer colleague questions and advocate for security practices.

This works because peer influence outperforms top-down mandates. Asking a question feels safer when you’re talking to Sarah from your team instead of “the IT department.” Monthly 30-minute champion meetings keep the program alive. Recognize contributions visibly.

The champions program takes ongoing investment, but it’s the single highest-ROI activity on this list for organizations over 100 people.

Reward employees who report suspicious emails, flag security issues, or catch potential incidents. Public recognition plus small prizes: gift cards, extra PTO, a good parking spot.

Track reports per month (should trend up), time to report (should trend down), and false positive rate (should be high, because you want people reporting uncertain items rather than ignoring them).

Positive reinforcement increases reporting behavior. A reporting culture matters more than any individual employee getting every call right.

Drop a security puzzle into each monthly newsletter. Employees who solve it earn raffle entries. Draw winners quarterly.

Challenge ideas: spot the phishing indicators in an email screenshot, find the security mistakes in an office photo, decode a simple cipher. 5-minute time investment per employee, organization-wide reach.

This isn’t going to transform your security posture on its own. But regular touchpoints keep security in peripheral vision between formal training, and gamification drives newsletter open rates up dramatically.

Generic training wastes time on irrelevant scenarios. These activities target the specific attacks each department actually faces.

Present invoice scenarios mixing real and fraudulent samples. Teams identify red flags: vendor address changes, unusual payment terms, different bank details than established vendors, pressure to process immediately.

30 minutes with the finance team. Focus on verifying vendor banking changes via known contact numbers (not the number on the suspicious invoice), recognizing urgency manipulation, and understanding wire transfer fraud patterns.

Finance teams face business email compromise attempts constantly. This is the most practical activity for any department that handles payments.

Walk the executive team through sanitized whaling attack case studies. 30 minutes covering why executives are specifically targeted, what manipulation tactics look like at the C-suite level, and how to verify financial or sensitive requests.

Key scenarios to cover: fake acquisition documents requiring secrecy, vendor payment emergencies, board communication compromises, and deepfake voice calls. That last one gets attention. Executives who think they’re too savvy for phishing tend to take deepfake impersonation more seriously.

Recruiters receive more unsolicited external contacts than almost anyone in the organization. That makes them prime social engineering targets.

30 minutes practicing identification of suspicious applicant behavior, fake references, and information harvesting disguised as job inquiries. Scenarios include an “applicant” probing for details about company systems during an interview, resumes carrying embedded malware, or a “reference check” that tries to extract employee information.

IT staff have elevated access, and attackers know it. Role-play scenarios where “users” or “executives” request unauthorized access, password resets, or system changes under pressure.

45 minutes. Practice responses to “urgent” executive access requests, vendors asking for remote access credentials, and new employees claiming their account setup is incomplete. The goal is building the reflex to verify before acting, even when the request sounds reasonable and the person sounds impatient.

How do you run security activities effectively?


The activities above work. Running them poorly doesn’t. A few things that separate good facilitation from wasted time.

Before you start. Run through the full activity yourself first. Nothing kills credibility faster than fumbling the setup. Prepare for resistance. Some employees will arrive skeptical, arms crossed. Competition and humor get them participating before they realize they’ve dropped the attitude. Set the frame early: this is practice, not a test. Nobody gets in trouble for wrong answers.

While it’s running. Keep the pace up. Dead air between segments is where engagement goes to die. Acknowledge all attempts, not just correct ones. Drop brief mentions of real breaches when relevant. “This is how [company X] got hit” snaps attention back faster than any motivational talk.

Afterward. Summarize three takeaways, max. Point people to resources for going deeper. Collect feedback on what worked and what fell flat, and actually use it next time.

If you’ve never done interactive security training, start with the phishing email showdown (#1). Low setup, high energy, universally relevant. Run it at your next team meeting. If the room responds well, schedule a security escape room (#5) or incident response simulation (#6) within the next quarter.

If you already run activities but want better long-term results, invest in a security champions program (#9) and reporting rewards (#10). Those two create the cultural infrastructure that makes one-off activities stick.

And if you want to see what professional interactive training looks like, with 3D simulations and scenarios your team will actually remember, explore our exercise library.

How do you measure whether security activities worked?


Activities should produce measurable improvements, not just good feelings.

Track before and after: phishing simulation click rates, incident report volume, time to report suspicious activity, and survey confidence levels.

Good signs that something is working: employees mention the activities to colleagues unprompted. People volunteer for follow-up sessions. Security-related questions increase. Simulation performance improves month over month.

If none of that is happening, the activities need adjustment. Go back to the feedback you collected and figure out what missed.


Want to skip the DIY setup? Try our free interactive security exercises and see what simulation-based training looks like when it’s built by people who’ve been doing this for years.