There is very close collaboration between the team simulating the attackers and the teams acting as defenders (e.g., Threat Analysis Group (TAG) and Detection/Response teams), who might identify suspicious activities and respond to them. Since there are multiple exercises happening at any given time, we differentiate between several types of exercises and the response after detection. For most exercises, one of our primary goals is to test detection and make it as efficient as possible for defenders to verify that a signal is associated with an exercise. By doing this, we avoid using resources that could be used to thwart malicious activities targeting people using our services or our wider infrastructure. In other exercises, we want to make sure that the entire process of identifying, isolating and ejecting the attackers, works as intended and that we are able to improve processes.