The Security Toolbox: Raising Preparedness with Wargaming

This blog is part of a series to help organizations of any size optimize their security. Our experts provide insights and recommendations based on common security use cases, customer questions, and security software developer needs.

Practice is what we do when we want to get better at things. From reading and writing to driving, swimming, and cooking, most skills require repetition to master.

Cybersecurity is no different: the more practice security staff have in recognizing vulnerabilities and signs of possible attacks, the better prepared they will be for a real-world breach. Rehearsing possible scenarios builds staff knowledge and their ability to anticipate security issues and react with confidence should the need arise.  

So why isn’t practice more common in the world of cybersecurity? A few reasons include overdependence on security technology, shortage of staff, and lack of time.

In the world of cybersecurity, practice is often overlooked despite the importance of understanding security posture at any given time. Wargames—which are a type of cybersecurity mind sport—can help stress test systems, response plans, and staff readiness in the case of an attack or breach.

What do wargames involve?

Many cybersecurity wargames revolve around logic similar to that of an outdoor sport called “Capture the Flag.” In the traditional game, teams have defined territories populated with their team flags. The object of the game is to capture competitors’ flags and take them back to a home base. If a competitor is caught in the opposing team’s territory and tagged, those tagged may be out of the game or frozen in place until a teammate frees them.

In the cybersecurity version of this game, the “flags” can be hidden pieces of code, scripting, IP address spoofing, reverse language engineering, semantic URL changes, and other types of hacking methods. The object of the game is to find as many “flags” as possible and determine the best strategy to mitigate each one. Often, wargames are developed as friendly competitions within an organization that give staff opportunities to experience realistic and time-sensitive scenarios.

Wargaming helps security professionals practice how to recognize different types of attacks and learn how threat actors exploit systems to find security gaps and vulnerabilities. It also provides insights into an organization’s preparedness and readiness for a cybersecurity attack.

Although there are many ways for security professionals to learn about adversarial threat actors, cybersecurity wargaming—when executed correctly—is an engaging and fun way to build the technical skills needed to hunt, detect, and eliminate cyber threats.

What are some considerations when developing wargames?

Cyber wargames can range in complexity and duration from as little as a few hours to as much as several weeks. The MITRE cyber wargaming framework can help organizations tailor scenarios for their specific industry, challenges, strategy, and desired future security state. This framework helps organizations determine applicable scenarios, requirements, objectives, metrics, and scenario elements and objectives.

According to the MITRE framework, the three classes of wargaming are tabletop, composite, and red-team exercise. All three classes include challenges for players such as changing or false information and progressing situations. Tabletop scenarios are often planned, composite scenarios include participants emulating an adversary, and red-team exercise scenarios include live-fire—simulated live attacks—that must be countered in real time.

Because development of wargaming can be expensive, many organizations outsource this need to an established vendor that is highly experienced with the technologies in their current IT ecosystem.

Another avenue for cybersecurity wargaming participation is at one of the many live events hosted by different organizations such as Hack the Box Events and DEFCON Capture the Flag.

What are some of the limitations of wargaming?

While cybersecurity wargaming can be beneficial to organizations, limitations exist. The MITRE wargaming framework states some of these limitations, including the lack of a fully realistic and spontaneous environment and the continuing rise of new, unknown, and evolving threats that can’t be modeled into a wargame.

Other limitations stem from a disconnect between the realm of cybersecurity and the original intent of wargames. Wargames, when developed for use to practice actual war scenarios, assumed known terrains such as certain land topographies or ocean characteristics. In the world of cybersecurity, the terrain in any given organization has variables of technologies, devices, and users unique to that environment.

Traditional wargames allowed participants’ knowledge and experience of physical domains to inform their actions. Since physical domains don’t exist in cyber, the instability of a constantly changing domain is difficult to mimic and represent adequately in cybersecurity wargaming.

One more limitation to the development of wargaming is the lack of agreement among industries and within cybersecurity sectors on a defined set of cyber tools and their desired effects.

Get started on your wargaming journey

Read about our Cyber Defense Simulation service from VMware Professional Services for Security. If you’re not sure about your security posture or the level of vulnerability in your organization’s IT environment, a security assessment can help you develop a clear view of your current state and possible remediations needed. Visit the Professional Services for Security resources section for overviews on the different types of assessments available, and contact us at to learn more.

For more support, read the other blogs in this series:


One comment has been added so far

Leave a Reply

Your email address will not be published. Required fields are marked *