Building a Cyber-Resilient Public Sector Through Hands-on Security Training

In March 2018, Atlanta’s municipal government ground to a halt as ransomware paralyzed their systems. For days, emergency dispatch operators resorted to paper and pen. The city’s security team worked around the clock, but they lacked the hands-on experience to quickly contain the breach. The final price tag? Over $17 million in recovery costs—all because their security practitioners had learned from books and lectures, but never practiced fighting a real attacker.

This isn’t a one-off incident. In February 2021, an attacker breached Oldsmar, Florida’s water treatment plant and tried to poison the water supply by ramping up sodium hydroxide to dangerous levels. Only a vigilant operator’s quick action prevented disaster. In May 2019, Baltimore’s security team watched their incident response playbook crumble as RobbinHood ransomware tore through their systems, racking up $18 million in damages and crippling everything from property tax systems to real estate transactions.

Most public sector security teams can recite compliance requirements chapter and verse. They can diagram network architectures and list security controls. But finding a real attacker moving through your network? That’s like learning to box by reading about Muhammad Ali’s footwork. You need to get in the ring.

James, a security engineer for a state agency, puts it bluntly: “I had all the certifications. I knew the theory. Then we got hit, and I realized I’d never actually practiced finding and stopping an attack. It’s completely different when it’s real.”

You wouldn’t trust a surgeon who’d only read medical textbooks. Yet we put security practitioners in charge of critical infrastructure without letting them practice their craft in realistic environments.

Here’s what public sector security teams face:

• Attackers targeting industrial control systems they’ve never had hands-on experience defending
• Advanced persistent threats using techniques they’ve only read about
• Critical infrastructure attacks that don’t follow the textbook examples

These aren’t hypothetical scenarios. They’re real challenges that demand practical experience to handle effectively.

A SWAT team doesn’t train by watching PowerPoints about hostage situations. They run full-scale simulations. Security practitioners need the same hands-on experience.

The training programs that actually prepare teams for real attacks:

Instead of reading about SQL injection, they practice finding and exploiting real vulnerabilities, then learn to properly defend against them using the OffSec Cyber Range with knowledge gained from the OffSec Learning Library.

Teams practice advanced persistent threat techniques to understand how real attackers think and move through systems. They can also play against each other in the OffSec Cyber Range through the “Versus” functionality. 

Like special forces running drills, security teams practice incident response scenarios until the right moves become instinct.

In August 2019, when attackers launched a coordinated ransomware attack against 23 Texas local governments, demanding $2.5 million in ransom, it highlighted how critical hands-on incident response experience really is. Some security teams struggled, while others contained the threat quickly—the difference often came down to practical experience handling similar scenarios in training environments.

The success stories from this incident helped shape how other state and local governments approach security training. Now, more agencies are moving beyond theoretical knowledge to ensure their teams get hands-on practice with real-world attack scenarios. They’re creating environments that mirror their actual infrastructure, where security teams can hunt threats, respond to staged incidents, and learn from each engagement.

We’re not trying to replace certifications and theory. We train theory through the OffSec Learning Library, and certify OffSec Learners are ready for the real-world problems they’ll face through certifications like the OSCP. We’re also putting that knowledge into practice through hands-on labs. It’s the difference between knowing how to throw a punch and having the experience to win a fight.

Some agencies are already stepping up. In Texas, when hackers targeted local governments, one security team’s hands-on experience paid off. They’d practiced fighting these exact tactics in training. When the real attack came, they didn’t need to think—they just acted.

Let’s be real: Public sector security practitioners protect our most critical systems. They defend our emergency services, our water supply, our power grid. But without hands-on practice against real-world threats, they’re fighting with one hand tied behind their back.

These teams stand between attackers and our critical infrastructure. The least we can do is give them the practical training they need to win that fight. Because when security teams fail, lives are on the line. 

Equip your team today