Gamifying cyber security training

Written by Joe Beaumont on 20/11/2020

At Bulletproof, we know that different people learn in different ways. So when a healthcare provider came to us needing an innovative, engaging way of delivering security awareness training, we stood ready to deliver. The healthcare provider in question was St Andrews Healthcare – providers of specialist care for people with challenging mental health needs. Because the organisation works with vulnerable individuals, staff awareness of cyber security is essential. The purpose of the training days was therefore to teach staff how to prevent cyber attacks by demonstrating common attack methods.

The activities took place in September 2020 and were tailored to adhere to Covid-19 guidelines. Originally the day was planned to be on-site, but because of social distancing requirements, we took the training online. This allowed everyone to participate safely whilst keeping the sessions engaging.

Red Vs Blue

Wanting to encourage engagement through healthy competition, we devised a ‘Capture the Flag’ themed training exercise, gamified into a tournament of red team vs blue team exercises – similar to the teams we have within Bulletproof. Red team are our penetration testers (attackers), who ethically hack into infrastructures to find vulnerabilities. Blue team are the SOC analysts (defenders), who monitor activity 24/7 to protect against attacks.

During the tournament, the red team’s aim was to find weaknesses in a fictional company (for instance, by finding a password) in order to attack it. The blue team, however, would have to work out how and when they were breached. The aim was for each team to use their technical skills to solve a series of challenges and earn as many points as possible. The teams could have hints to help them during their challenges, but at a cost to some of their points – and what do points make?

The staff got to take turns as both the red team and the blue team, so that they understood both attacking and defending. Structuring the training into separate red team and blue team exercises means that staff are aware of cyber threats, as well as how to find and prevent them. It provides an exciting, engaging framework on which to base discussions about hackers’ motives and staff security responsibility. This enables staff to guard against everyday threats – because why would you want your cyber security efforts undone by simple human error? Following this training, staff were able to go back into their roles more knowledgeable, thanks to our hands-on teaching of what to look out for.

In fact, don’t just take our word for it: here’s what some of the attendees had to say about their training days:

  • “Seeing how attackers can find information relevant to our company to exploit/impersonate us, especially information publicly available online, is key to protecting our own potential security flaws.”
  • “It was good to be able to put ourselves in the shoes of a hacker and try to exploit as many vulnerabilities as possible.”
  • “It's shown why it's important to think carefully about passwords and why you want your data more difficult to get into.”
  • “I went in to this exercise knowing nothing, but came out knowing that bit more. I would definitely do another.”

We’re glad that everyone found it a valuable experience. At Bulletproof we understand that making cyber security training fun and engaging is the key to knowledge retention and improving best practice amongst your workforce.


Bulletproof delivered an innovative and engaging training programme to educate our staff on cyber security. With activities structured for our teams to think like a hacker, the training encouraged a deep understanding of the cyber threats we’re facing. This means we’re better equipped to identify and proactively prevent cyber attacks against our organisation.


Alexandra Vujcich, IT Security Officer, St Andrews Healthcare


Our experts are the ones to trust when it comes to your cyber security

  • Bulletproof are CREST approved
  • Bulletproof are ISO 27001 and 9001 certified
  • Bulletproof are Tigerscheme qualified testers
  • Bulletproof are a PCI DSS v3.2 Level 1 service provider
  • Bulletproof have 24/7 on-site Security Operations Centre
