The Cybercrime Research Institute (CRI) is a privately operated think-tank and research institution. CRI and the affiliated researchers provide consultancy services for the highest levels of government (ministerial level and directors), Fortune 500 companies (boards, advisory boards and crisis management teams) and international organizations. These consultancy services mainly focus on decision making in relation to technical developments and security threats. They include the development of cybersecurity policies and strategies, supporting top decision makers in improving their response capacities, and developing emergency response plans. CRI developed a unique approach to advisory work: the entire service is built around simulations.

CRI’s specialized unit RED TEAM CYBER developed a “Live Cyber Incident Simulation for Top Management”. This tool has been used for several years by governments, large enterprises, international organizations and conferences to provide high-level decision makers with awareness raising as well as response training opportunities. The target audience for this simulation tool is highly demanding, and the tool was designed accordingly. It is highly interactive, fully dynamic in responding to the decisions taken, and includes high-quality media (such as videos including fictitious news reports).

In addition to those high-level simulations, RED TEAM CYBER also developed a simulation approach that can be used for conferences. It focuses on a simulated attack against a fictitious company or nation state and allows the audience of the event to be included in the decision-making process. The simulation was developed for institutions like the United Nations, World Bank, European Central Bank and World Economic Forum, and was part of the Munich Security Conference from 2015 to 2017.


For the last 10 years the Cybercrime Research Institute has been advising governments and boards of major corporations on cyber risks and the role of decision makers. Very often the advisory work focuses on preparing decision makers for crisis situations. One of the biggest challenges in the past has been to ensure that the theoretical knowledge provided in advisory work actually prepares the decision makers for critical situations. This is very difficult to ensure in a purely theoretical environment (lecture, briefing, tabletop exercise). Therefore the institute decided to create RED TEAM CYBER and develop simulations of realistic cyber incidents using military-standard techniques (“war gaming” or “serious gaming”). What makes the simulation unique is its dynamic development: every decision influences the progress of the simulation, so that the participants immediately recognize the consequences of their actions.


The RED TEAM CYBER simulation is unique in several ways.

RED TEAM CYBER believes that simulations are most efficient when tailored to the client’s individual risk landscape and situation. The starting point is therefore always an assessment. After this assessment RED TEAM CYBER will develop a fully individualized simulation. All plot elements, graphics and videos are designed to represent the client’s company. The actors that appear (e.g. in incoming e-mails) and the facilities are realistic. The entire plot is tailored to the client’s risk landscape. In order to be realistic, such an approach requires coordination with and verification by the client’s internal resources.


Most simulations offered in the field of cybersecurity follow a pre-defined plot. However, this is not how real attacks develop. Analyzing real cyber attacks shows that such attacks do not develop independently of the decisions taken. A realistic simulation needs to take into account the decisions taken by the decision makers, and the plot needs to develop accordingly. If for some reason the decision makers take the far-reaching decision to disconnect a unit from the Internet, the next attack scenario cannot possibly be an ongoing exfiltration of data from this unit. For simulations aimed at top management, the related operational challenge is that, depending on the personality of the decision makers, radical and rather unpredictable decisions may be taken in the course of a simulation. Because of the complexity of the implications of each decision for the continuation of the plot, it is hardly possible for an operator to keep an overview. RED TEAM CYBER therefore developed its own operation application and several unique algorithms that utilize artificial intelligence and machine learning to support the operation of complex simulations. This allows a significantly more realistic “dynamic plot development”.


A lot of the advisory work offered in the field of cybersecurity focuses solely or mainly on technical aspects. While cybersecurity certainly is a technical field, CRI’s simulation-based consultancy approach focuses on issues relevant for decision makers. Through personal advisory work for various ministers, board members and advisory board members, and a unique combination of skills – from leadership to legal liability risks – RED TEAM CYBER has the experience and knowledge to design unique simulations that provide real contributions to the preparation of high-level decision makers.


RED TEAM CYBER offers a wide range of services in relation to the simulation and works with teams of highly specialized experts to provide analysis that goes beyond state of the art. Services range from leadership evaluation by specialized scientists and highly decorated former generals to advanced bio data and speech analysis that can for example help to detect areas for further training based on stress level identification.


It turned out that the simulation is not only suitable for governments and large enterprises to prepare decision makers for the challenges of cyber attacks. The simulation approach was also used in recent years for exclusive events such as the Munich Security Conference, at which heads of state, ministers, senior military representatives, corporate leaders and scientists discuss security issues. The simulation was part of the program of the world’s largest and most exclusive event of its kind from 2015 to 2017.

For conferences the simulation has been slightly modified, so that the focus of the attack is no longer a particular state or a specific company, but a fictitious company or a fictitious state. Depending on the focus of the conference, the attacks may also focus on specific topics. For example, targeted attacks on elections in a state or cyber attacks against the production of a company can be included.

One reason why the format is particularly suitable for events such as conferences is that the adaptation of the simulation allows the involvement of the auditorium. While the simulations for governments and large companies focus on an individual discussion with decision makers, the inclusion of the less homogeneous circle of participants in conferences involves selecting different options for action and voting (either electronically via “voting tools” or in traditional ways).