When Shutting Down May Be the Only Option
Some attacks escalate so rapidly that leadership must decide whether to “pull the plug” — halting business-critical systems to stop adversary progress. Kill Switch, a CyberEd.io interactive, confronts participants with this excruciating dilemma: sacrifice uptime to contain an attack, or risk catastrophic spread. It forces leaders, SOC teams, and operations staff to weigh technical evidence against operational, financial, and reputational stakes.
Kill Switch: The scenario
The exercise begins with anomalous activity in industrial and cloud environments:
- ICS/OT Logs: PLCs receiving unauthorized commands, threatening to halt production lines.
- Cloud IAM Alerts: Admin accounts newly created with suspicious privileges in AWS/Azure.
- Network Telemetry: Lateral movement detected between segmented environments.
- Endpoint Data: Memory-resident malware showing persistence attempts.
Injects escalate as the attack deepens:
- Mock Vendor Advisory: A zero-day exploit in your widely deployed OT device has no available patch.
- Customer Impact Reports: Service outages begin affecting thousands of users.
- Internal Debate: Operations leaders push to keep production online, while security leaders argue for an immediate shutdown.
- Board Pressure: Executives demand clarity — who has the authority to flip the “kill switch”?
Kill Switch delivers one of the most difficult — and most realistic — cybersecurity decision-making experiences.
By combining technical injects with business-critical stakes, it teaches leaders and teams how to balance operational survival with long-term resilience.
Learning outcomes
Participants emerge from Kill Switch with sharpened crisis instincts:
Risk-based decision-making:
Weigh the trade-offs of uptime vs. containment.
Chain-of-command clarity:
Establish who authorizes system shutdowns under duress.
Cross-domain awareness:
Learn how IT, OT, and cloud compromises can converge.
Business impact framing:
Translate technical severity into operational and financial language.
Regulatory & liability considerations:
Understand implications of outages versus unchecked spread.
Authority validation:
Confirm who has final shutdown authority under active attack.
Enterprise value
Kill Switch is more than a simulation — it is a crucible for organizational governance:
- Tests Escalation Protocols: Does the IR plan specify thresholds for system shutdown?
- Reveals Authority Gaps: Who truly owns the “stop production” decision — CIO, COO, CISO, or CEO?
- Validates Segmentation: Can your OT and IT environments be separated under attack, or are they too entangled?
- Builds Executive Confidence: Demonstrates how teams will make agonizing but necessary calls.
Industry-specific scenarios include:
Delivery models
CyberEd.io offers Kill Switch in flexible formats:
Live workshops:
Facilitator-driven injects with log evidence, outage reports, and executive decision points.
Remote simulations:
Interactive dashboards showing spreading compromise and “kill switch” triggers.
Hybrid experiences:
Blend technical SOC injects with leadership-level decision dilemmas.
Custom industry tailoring:
Scenarios mapped to OT, SaaS, finance, or healthcare realities.
Post-exercise enablement
Every Kill Switch engagement concludes with a structured enablement package:
- Decision Timeline: Annotated record of choices and consequences.
- Inject Packets: ICS logs, IAM alerts, forensic samples for training reuse.
- Performance Dashboards: Time-to-decision, communication clarity, escalation efficiency.
- Governance Recommendations: Updates to playbooks defining kill switch thresholds and authority.
At-a-glance
Audience:
CIOs, CISOs, SOC teams, OT/ICS operators, legal/compliance, COOs.
Duration:
2–4 hours depending on depth.
Difficulty level:
Advanced, particularly for industries with OT dependencies.
Industry:
OT, SaaS, finance, or healthcare.
Format:
On-site, remote, or hybrid with custom tailoring.
Deliverables:
Annotated evidence, decision dashboards, governance updates, revised playbooks.