Exercise Mercury

So, what is it?

Exercise Mercury is a competition between different Universities within the UK and the Baltic region. It was originally an idea set up between the British Embassy in Tallinn, Estonia, TalTech University, and the University of Cambridge.

The idea is to harness the internal skills that each University have, to "compete" against other to find out all of their visible vulnerabilities; within processes, policies, procedures, technical vulnerabilities, and their digital footprint. At the end of the exercise, the data is put together into a report, and then shared securely between each University.


The major benefits we offer, and why it is helpful to use this approach in addition to traditional pen testing, is as follows:
  • Universities understand the complexity of how Universities actually work. We know what is important to you.
  • The vulnerabilities located can be prioritised in order for you to understand how the impact of that attack would impact the University.
  • We provide you with a detailed report of where your vulnerabilities are without a large expense (the service is free).
  • As we are conducting this check across the Universities and Higher education sectors across the United Kingdom and the Baltic region, we can provide interesting data to JISC and CERT.EE in showing them what the situation on the ground is like, and we can detect interesting similarities and vulnerabilities, to provide Universities with the tools and information to better improve their security posture. 
  • Constant communications are kept throughout the Universities in question. Any issues, the exercise is terminated in order to make sure the exercise is not impeeding operational requirements of the University. If there is an area we would like to further probe, we will ask for permission first before we do anything that is considered "active". Other than that, the information provided is used using passive skills
  • Social Engineering, in terms of spear phishing, can be added at the request of the organisation.
  • Any data that is collected will be deleted from students laptops afterwards. 
In working together in this fun, competition kind of way, we can improve our security posture, understand our threat landscape easier, and practice the skills required to check ourselves and to improve the next generation of cybersecurity professionals.

In reality, this is a win-win situation, unless if you are one of the bad guys. It is better to find out your vulnerability from a friendly University than it is from someone who exploits it. 

How do I apply?

The application is easy. Currently, the current exercise will be from Tallinn University of Technology vs another University. However, this will change in the future and become a "cybersecurity premier league" once we are happy with the pilot. So far, everything has been great. What do you have to lose? 

Any questions, please use the contact us page below.

Apply  Contact Us