top of page

NCSC Free Tools: What is Exercise in a Box?

The National Cyber Security Centre (NCSC) is the UK’s technical authority on cyber security, providing businesses and individuals with up-to-date guidance on all things cyber. Alongside distilling industry knowledge into practical guidance and helping respond to cyber incidents, the NCSC also provides a range of free tools and resources to help people support themselves in being safer online. One of these resources is Exercise in a Box, which helps organisations find out how resilient they are to cyber-attacks and allows them to practice how they would respond to an incident. This is an invaluable tool, particularly for SMEs, helping to strengthen cyber resilience at no cost.

cyber security

What is Exercise in a Box?

Exercise in a Box is an online tool, which is completely free to use and designed to be accessible to a non-technical audience. The service works by providing exercises that are based around the main cyber threats facing businesses. These can be accessed as many times as necessary, and require no preparation, allowing businesses to run them in their own time, at their own pace. The service works by getting users to register for a free account, allowing them to receive a personalised report upon completion, which evaluates their readiness and suggests some key ways to improve their response to a potential cyber incident.

Exercise in a Box provides three types of exercise, micro, table top and simulation. The types of exercise vary in duration, providing a variety of training that covers a plethora of cyber threats and vulnerabilities. Micro exercises are short and sharp and can be completed within thirty minutes. Topics covered in these succinct and interactive activities include password managers, securing video conferencing services, securing cloud productivity suites, connecting securely, using passwords, identifying, and reporting a phishing email, and responding to a ransomware attack. Table top exercises are more in-depth and take up to two hours to complete.

Topics covered in table top exercises include:

• Heightened Cyber Threat

• Supply Chain Ransomware Attack

• Supply Chain Software

• Managing a Vulnerability Disclosure

• Home and Remote Working

• Supply Chain Risks

• Threatened Leak of Sensitive Data

• Bring Your Own Device (BYOD)

• Third Party Software Compromise

• Insider Threat Resulting in a Data Breach

• Being Attacked From an Unknown Wi-Fi Network

• Mobile Phone Theft and Response

• A Ransomware Attack Delivered by a Phishing Email

Exercise in a Box also offers a cyber threat simulation exercise, which takes between three and four hours to complete. This allows your organisation an opportunity to see if they would be able to locate and stop a cyber threat; practising your response and ensuring you would be prepared to deal with an incident- all in a safe and secure environment.

Ultimately, Exercise in a Box is an invaluable free tool to provide training and insight on many different cyber threats that are facing businesses. It helps to nurture the different aspects of cyber resilience, including being aware of risks, putting measures in place to limit these, and also being prepared in how you would respond if the worst was to happen. The possibility of a cyber crime can be reduced massively by making sure you know how to protect your organisation and staff online, but the risks can never be fully mitigated. Having a plan in place buys your organisation valuable time back if the worst is to happen, and can help to control any potential damage. It is a great online resource to use, and evolves based on user feedback, making sure it stays current, relevant, and engaging to its users.

To find out more about Exercise in a Box you can visit the NCSC’s website here. To learn about other free tools available to businesses such as the Cyber Action Plan and the NCSC's Board Toolkit, visit the Free Tools section of our website, or go directly to the NCSC’s website.

How Can We Help at the ECRC?

Alongside accessing the free resources made available by the NCSC, joining the ECRC as a free member ensures that you and your business are supported in making small changes online that make the biggest difference. Signing up enrols you onto our free email programme, which sends you bite-sized steps to take to improve your cyber resilience.

Becoming a member also means you are signposted towards other options that are available, providing you with information on topics such as Cyber Essentials qualifications, and affordable cyber services.

To join the ECRC as a free member, please click here. If you have any questions about the ECRC or wish to learn more about improving your cyber resilience, please book a chat with us today!

the eastern cyber resilience centre

Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.

Reporting a cyber-attack which isn’t ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page