When your systems are under attack, the time for planning a response has already passed. Your teams must spring into action immediately, working swiftly and in concert. Each member must know their role – and the action to take – without hesitation.
This kind of coordination doesn't just happen. It requires hours of practice working with a range of real-world scenarios in a safe space – without the fear of failing.
A virtual environment for experimenting with real-world attack scenarios, where teams rehearse and refine incident response capabilities without consequences.
ThreatSpace is a technology-enabled cyber range that assesses and develops your security team’s technical capabilities, processes, and procedures when responding to real-world cyber threats. The scenarios are based on extensive Mandiant incident response experience from responding to thousands of breaches and include the latest adversary tactics, techniques, and procedures (TTPs).
This is done in a consequence-free environment, through a simulated infrastructure that includes network segments, servers, and applications.
Students investigate and respond to simulated attacks with real-time coaching from our expert instructors. Your team will receive feedback on their strengths and weaknesses, along with an actionable best-practices roadmap for improvement.
During a typical three-day ThreatSpace workshop, our expert instructors will provide guidance to help your security professionals learn from their mistakes as well as their successes. When the workshop ends, our instructors will recommend areas of improvement so that, when a threat or attack does occur, your team is confidently prepared.
Identify gaps and opportunities for improvement
Investigate real-world, complex incidents to identify gaps in training, processes, procedures, and communication plans.
Learn from incident response experts
Work closely with experienced Mandiant incident responders who draw on years of intelligence-led investigative expertise to assess and provide real-time feedback and coaching.
Investigate critical security incidents
Familiarize your response and intelligence teams with the latest attack scenarios and attacker TTPs relevant to your organization, as learned from Mandiant advanced persistent threat (APT) investigations.
Gain experience with different attack scenarios and threat actors
Evaluate and improve the abilities of your incident response and intelligence teams as they respond to various attack scenarios and threat actors in real time.
Research and analyze identified threats
Learn how to effectively research attacker TTPs and identify indicators of compromise from host-based and network-based artifacts.
While these are our most popular exercises, we can also develop custom scenarios to address your unique challenges.
Insider threat
This multi-level scenario simulates an insider threat, from an employee misusing standard permissions to one acting under the direction of an external threat actor to exfiltrate data.
Phishing and deployment of ransomware
This scenario starts with a phishing attack to gain access, then moves to privilege escalation, data exfiltration, and finally, ransomware deployment on key systems.
Compromise through malicious download
In this scenario, a threat actor uses a compromised website to deliver malware, which allows the attacker to establish a foothold, maintain persistence, and conduct reconnaissance.
Unauthorized access and data theft
This multi-level scenario involves an attacker exploiting a public-facing service to gain access, and then moving laterally to target Active Directory, compromise critical assets, and exfiltrate data.
Threat actor emulation
Live scenarios simulate the latest adversary TTPs to challenge your team's detection and response capabilities. We emulate real-world threat actors, from financially motivated criminals like FIN6 and Lapsus$ to state-sponsored groups like APT40 and APT41 engaged in espionage and service disruption.
M-Trends 2025 top 10 techniques
This workshop focuses on detecting top adversary techniques from the Mandiant M-Trends 2025 report. Learn to identify and respond to common attack methods like file obfuscation, indicator removal, and script-based execution.