Coordination and communication¶
Clear communication before, during, and after an engagement does not happen automatically. The conditions that make it possible need to be designed, not assumed.
Satir’s work on communication under stress explains why this matters. An engagement creates pressure, and pressure activates survival stances. The analyst who defaults to computing behaviour under stress will produce a technically precise account of what they did that avoids naming the decision that mattered. The team lead who placates will agree that findings are important and not escalate the structural ones. These are not individual failures; they are predictable responses to environments that have not been designed to make honest communication safe. The coordination structure is part of that design.
Before the engagement¶
Brief each participating group separately with the information relevant to their role. The testing team needs objectives, scope, rules of engagement, communication protocols, and emergency contacts. The defending team needs to know that an exercise is happening, what the safety boundaries are, how to flag if something seems genuinely wrong, and that their performance during the exercise is not a performance review.
Stakeholders who need to know the exercise is happening can be briefed on what to expect: potential unusual activity in monitoring systems, possible increased workload for on-call staff, expected outputs.
During the engagement¶
Disclosed testing: the testing and defending teams share observations in real time through an agreed channel. This is faster to run and produces more direct learning, because the defending team can immediately understand what the attacker did and why the detection did or did not fire.
Blind testing: the defending team does not know the testing team’s actions. This produces more realistic response behaviour but requires more careful coordination to keep the exercise within scope and to maintain safety.
Either way, a direct line from any participant to the facilitator, usable immediately if something is going wrong, is what makes the whole thing safe to run.
After the engagement¶
The hot wash, run immediately after the exercise ends, captures first impressions before they are revised into more considered positions. It is short, unstructured, and its primary product is the questions to explore in the detailed debrief.
The detailed debrief is where the learning happens. Facilitation over instruction applies: the facilitator’s job is to ask questions that surface the participants’ models and examine them against what the exercise revealed, not to deliver the correct analysis. A debrief where the facilitator explains what the right answer was has produced a lecture. A debrief where participants examine what they assumed, what happened, and what the gap reveals has produced learning.
The out-brief to leadership works best when framed in terms that produce decisions rather than acknowledgement.