The Forbidden Word: Confessions of a Blue Teamer


By Kevin Marriott, Immersive
There are unwritten rules in every demanding job, and the world of cyber defense is no different. The first rule? You never, ever jinx a peaceful day by saying something like “it’s been quiet.”
I recently co-hosted a webinar, “Confessions of a Blue Teamer,” where we pulled back the curtain on the unseen and absolutely critical work that defenders do long before a crisis ever hits. One of our expert panelists shared a story that I’m sure is painfully familiar to anyone who has worked in a Security Operations Center (SOC): A colleague on the nightshift remarked how “quiet” it had been. His immediate thought was, “Great, thanks. That’s my day gone”.
An hour later, chaos. A vendor had pushed a faulty rule that began blocking every single inbound email to the company, including critical merger documents an executive was waiting for. The emails weren’t delayed; they were gone forever. That day, the word “quiet” was officially banned.
This is the reality for us blue teamers. It’s a world that swings violently between structured, methodical work and high-stakes, all-hands-on-deck emergencies. I was joined by my former colleague Natalie George, Senior Manager of Cyber Operations at BT Group, and Kev Breen, Senior Director of Cyber Threat Research at Immersive, and together we dove into the hair-raising experiences and quiet victories that define the life of a defender—what we call The Real Work.
The Goalkeeper’s Dilemma: The Human Cost of Defense
Most people only notice cybersecurity when something goes wrong. When the defenses hold, the victory is silent. But when a breach occurs, the blame is deafening. This creates a psychological pressure cooker for practitioners. In our research for this campaign, one blue teamer put it perfectly: “We're a lot like a goalkeeper in soccer: they're the first to blame if they let a goal in, but if everything goes right, no one really celebrates us.”
This constant pressure inevitably leads to burnout. Threat actors don’t work nine to five, and neither do defenders. My fellow panelist, Natalie, shared how her team at BT felt this acutely after going through a heavy spate of incidents. A major event last year required a 3 a.m. wake-up call. “...was it something that could affect a service or not? We didn't know,” she said.
To counter this, Natalie has focused on building a culture where it’s safe for people to admit they need a break. “We've tried to focus on building a culture where people are comfortable enough to say ‘I'm not okay, I need a minute,’” she explained. This involves rotating leadership during incidents and spreading the load, ensuring no single person carries the weight from start to finish.
I also shared a personal story from my own career—a time I worked a 75-hour week just after my youngest child was born. These personal sacrifices are common in the field. During a crisis, I’ve learned that a leader’s most important job is to be the calmest person in the room. My secret weapon? Dad jokes. “I would make a few dad jokes and get people chuckling and try and bring the temperature down,” I confessed. “You have to let people breathe. Because that's how you get them to make good decisions.”
Building Muscle Memory for the Inevitable Crisis
So how do we prepare our teams to perform under such intense pressure? It all comes down to muscle memory.
You can’t build a crisis response capability in the middle of a crisis. It has to be forged beforehand through relentless practice. This is where the real work happens. It’s the continuous cycle of running drills, performing retrospectives on every major incident, and stress-testing not just technology, but people and processes. This proactive preparation is the only way to build the instinctual, almost automatic responses needed when a real attack unfolds. And while you can be prepared, as Natalie said, there will always be the "one out of five that will be a completely new curve ball".
This philosophy also means rethinking outdated concepts. Natalie makes an excellent point about the phrase “defense in depth,” which is often misinterpreted as simply having a series of tools. “You can have all the tools and the technology in place… but if you've still got processes with holes in it or single points of failure, you're still not going to be able to get that correct defense in depth”. The real depth comes from having skilled people who can ask the right questions and challenge assumptions.
Lost in Translation: The Art of the Briefing
One of the most overlooked skills in a defender’s toolkit is the ability to communicate. A blue teamer can be a technical genius, but if they can’t translate their findings into clear business impact, their work loses its power.
Early in my career, my manager asked me to brief the CISO on an incident. I learned the hard way that you can deliver a technically perfect brief that is completely incomprehensible to your audience, and that communicating to different audiences in their own language is crucial.
Soft skills are not optional. Understanding your audience and tailoring the message—whether through concise language or visual representations in slides—is essential for getting buy-in and making sure leaders understand the stakes.
Debunking the Hollywood Myth: Defense is a Team Sport
The movies get it wrong. A blue teamer isn’t a lone genius in a hoodie sitting in a dark room with giant world maps on screens.
As Natalie notes: “We need technical people, yes, but we also need people that can look at big data. We need people that can do forensics and malware. We need people that can do comms. We need people that can project manage the rest of us.”
Ultimately, blue teaming is one of the most challenging and rewarding roles in cybersecurity. You have to be right every single time while the attacker only has to be right once. As we discussed on the webinar, true cyber resilience isn’t built on flashy tools or last-minute heroics. It’s forged in the quiet, consistent, and disciplined work of the defenders who show up every day, ready for a crisis they hope will never come.
To hear more real-world stories and gain deeper insights from the front lines of cyber defense, watch the full webinar, Confessions of a Blue Teamer, and download our e-book, Shadow of a Breach: The Real Work of Cyber Readiness, for a comprehensive guide on building and proving your team's resilience.