
Ben Lane, CIPRNA event manager, met Graham Westbrook, VP Cybersecurity Sales Engineering at SimSpace. https://www.linkedin.com/in/graham-westbrook/
SimSpace empowers organizations to confidently manage risk by simulating, testing, and optimizing their teams, tools, and processes in a high-fidelity cyber range. With automated scenario exploration, it enhances readiness, validates security controls, and strengthens cyber resilience against evolving threats. www.simspace.com
This is a transcript of their conversation.
Ben Lane:
Hi Graham, good to see you today. We will be seeing you and your team, SimSpace, in Houston at the conference, Critical Infrastructure Protection & Resilience North America, March 11-13, where you will be speaking in the session: https://ciprna-expo.com/session/cybersecurity-regulations-best-practice-and-minimum-standards/
Tell us about your career and how you got here.
Graham Westbrook:
Thank you. We are looking forward to the conference in Houston. I am a former cybersecurity practitioner, turned product specialist, and in my current role at SimSpace, I get the opportunity to connect in with OT infrastructure and learn how to simulate the future. An important part of that is being able to simulate future cybersecurity attacks, so that we can train tools and technology.
My background spans from supporting the U.S. Department of Defense, looking at web vulnerability scanning and auditing, all the way through to cybersecurity for healthcare. I have also worked in commercial organizations, specifically in threat intelligence.
I am studying artificial intelligence at the University of Oxford, UK. So that background gives me a particular world view, which helps me support our customers in a way where I can see the threats that are coming, and how we can prepare for the next threat, and not the last one.
Ben Lane:
On the topic of threats, what are the key emerging cyber threats that you and your customers are seeing now?
Graham Westbrook:
In relation to operational technology, we are seeing different ways of hopping into OT subnets. If you take the human machine interfaces, and the programmable logical controllers, there are ways in which the attacks or attackers can pivot into those subnets if improperly protected and manipulate the Modbus traffic and the protocols to turn things on and off to create badness on the OT end.
The reason that is important is that those things can be connected to people where bits and bytes meet flesh and blood. Those things can be connected to water treatment plants, or DOD military facilities with top-secret clearances. This means there are implications for exploitation.
Other cyber threats we are seeing are post-quantum cryptography testing, and quantum-resistant cryptography testing. If you look at things like Bitcoin, people are wondering, “Will quantum computing harm me? Will quantum computing start to unravel the cryptographic hashes and methods that we have had for the last 10, 20 years, and put us at risk?” So post-quantum cryptography is trying to better understand how we can validate this kind of future cryptographic method and protect and prevent ourselves from harm.
People are doing work in SimSpace on cyber ranges, which are infrastructures in which you can assess potential future cyber-attacks and implications. We are also seeing various artificial intelligence, or adversarial intelligence elements come out, and we can use a range to validate those protections against those AI components. We use things like Zero Trust to utilize detection engineering to potentially find bad, faster.
This is where SimSpace’s cyber range technology plays a critical role—by enabling organizations to safely test and refine their defenses against OT-specific threats in a controlled, risk-free environment. Through realistic threat emulation, organizations can validate their security controls and ensure their response strategies are effective against modern adversaries.
Ben Lane:
What is advanced simulation technology, and how has it been a transformative solution for addressing the challenges you have mentioned in OT?
Graham Westbrook:
Well, I think about certain metaphors in life. Would you go play in the Super Bowl if you had not practiced first? Would you drive in an F1 race if you had not simulated the pit with your group? The same goes for the cybersecurity realm. We must simulate the future to learn and prepare for it better. Simulation technology and advanced simulation technology are about emulating three layers.
Advanced simulation technology is more than just running attack scenarios—it’s about creating a highly realistic, enterprise-scale environment where organizations can validate their entire cybersecurity strategy. Our cyber range technology replicates three critical layers:
(1) The infrastructure layer—spanning IT, OT, cloud, and hybrid environments, integrating real-world devices.
(2) The tools layer—mirroring an organization’s existing security stack to assess tool efficacy.
(3) The activity layer—generating realistic network traffic, user behavior, and sophisticated attack emulation to test security responses in real time. Think of attacks and attack emulation to mimic real-world APTs and cyber criminals. Once you dial that in, you end up getting this ecosystem in which you can evaluate your people’s process and technology.
Unlike static Breach and Attack Simulation (BAS) tools, which run predefined attack scripts, SimSpace provides a fully dynamic, customizable environment where organizations can continuously test, adapt, and improve their defenses against evolving threats.
What we are trying to do is get as close to reality as possible, so that we can simulate the future. The last metaphor is a pilot simulation. So again, with no risk, if I can create a highly realistic pilot flight simulator, those people are able to train like they fight. They can train in a way where when they get in that cockpit and are willing to take on real-world risk, they are already ready for the fight.
Ben Lane:
How can you effectively train cyber defenders in simulation technology when it is only simulating scenarios?
Graham Westbrook:
When we talk about making sure that simulation is effective, what we are trying to consider is how realistic we can be. Because the closer we can get to reality, the more likely we are able to train for the future. So, when you say scenarios, I think, “Okay, well that’s anything in the realm of what we can come up with.” And so maybe we are limited by our ability to perceive the future, but in-between randomness and knowing everything, we try to get as close to omniscience as possible. We try to understand what the likeliest scenarios are, the most dangerous courses of action, and then we can simulate those within a range.
The way we would train those individuals is to be able to interpret new and emerging cyber threats. Then turn those into attack emulations and deploy those attacks within an environment that looks like them, that helps them train for the most realistic future scenarios.
Ben Lane:
How do you see AI affecting the way cyber-attacks are conducted? And can simulation technology keep up with this tool?
Graham Westbrook:
Great question. I think AI in the hands of both good guys and bad guys is a fascinating problem to solve. The way we can keep pace or outpace the adversaries is to forecast future badness. When you look at Google’s recent GenCast technology, they have been able to predict future weather patterns at almost 100% accuracy up to 15 days.
We used to rely on a single forecast for tomorrow, or the next week or the next month. Now, what organizations like Google and new weather forecasting agencies are doing is fifty forecasts for the next day. From those fifty forecasts, they are interpreting them for most scenarios, or how things could change, pivot, or persevere. I say all that because what we can do is create simulation labs and simulate different iterations of the future. And we can dupe this probabilistic ensemble analysis as they call it, where they combine all these different predictions of the future, and start to produce probabilities for what is most likely. Or what we should prepare for, and what we are not thinking about yet.
We use our cyber range platform to proactively test AI-driven attack techniques, helping organizations refine their defense strategies before these threats materialize. By leveraging AI-powered detection and behavioral analytics in our simulations, security teams can stress-test their response capabilities against AI-generated malware, deepfake phishing attempts, and automated attack sequences. Our goal is to ensure that organizations aren’t just reacting to AI-driven threats but are actively preparing for the next wave of adversarial AI tactics.
I would say that the best way for us to really consider what is coming is to forecast those futures and start to treat it like different probabilities of what we can expect.
My background is in threat intelligence analysis, and we use what are called words of estimative probability; things like highly likely or our chances are about even. We would take something like that and say, “Okay, it looks like this week, it’s highly likely that we’re going to experience some kind of new ransomware attack, just based on a new technology that dropped. Or a new kind of AI algorithm that is identifying areas of weakness, or vulnerability in an organization.” In short, we need to forecast multiple futures to better understand the present.
Ben Lane:
I am going to throw one last one in for you, just as a personal question really: What keeps you awake at night?
Graham Westbrook:
I think about not being able to detect when malicious actors are at the door, or even inside of our organizations. There is a philosophy in the cybersecurity realm called assume breach. And it is considering that the bad guys are already in the house. I think about how AI giving malicious threat actors an advantage might disable us from being able to understand what is inside the house. I think algorithms like Isolation Forest that help detect anomalies are things that can help us from an AI perspective.
I guess something else that keeps me up at night related to AI, and the threats of the future, is just that it is removing from us the duty that we must create friendships and lean into connecting with other people. And sometimes it seems like there is an inverse correlation with the rise of technology, and the decline of mental health. I think that we cannot shirk the responsibility of striving to create opportunities for fellowship, and walk alongside other people, and get to know them, rather than outsourcing our brains to technology, and hoping that AI protects us.
Ben Lane:
And that is a fabulous answer and something we should pick up at another point, because there is some interesting stuff in that last point you mentioned. But thank you, Graham, and of course we look forward to seeing you in March.
Graham Westbrook:
Thanks, and see you soon.