2025 Emerging Threat Exercises: AI Attacks, Deepfakes, and Post-Quantum Cryptography

The ransomware attack that crippled MGM Resorts in September 2023 began not with sophisticated malware or zero-day exploits, but with a 10-minute phone call using an AI-generated voice clone. The attackers had scraped LinkedIn profiles, analyzed speech patterns from earnings calls, and deployed deepfake technology to impersonate an IT administrator—all using tools freely available online. This convergence of artificial intelligence, social engineering, and traditional cyber attacks represents the new reality: threats that seemed like science fiction just two years ago are now being weaponized at scale. Meanwhile, IBM’s quantum computers are approaching the 1,000-qubit threshold where current encryption becomes vulnerable, with experts predicting “Q-Day”—when quantum computers can break RSA encryption—could arrive as early as 2030. Organizations still conducting tabletop exercises based on yesterday’s phishing emails and malware are preparing for the last war, not the next one.

Key Takeaways: • AI-powered attacks have increased 135% year-over-year, with autonomous attack agents now capable of discovering vulnerabilities, crafting exploits, and executing lateral movement without human intervention—requiring fundamentally reimagined incident response strategies • Organizations implementing quantum-safe cryptography migration exercises today will save an estimated $47 million in emergency transition costs when Q-Day arrives, while those waiting face potential total compromise of all historical encrypted data • Military-grade adversarial AI simulation methodologies, adapted from DARPA’s AI Next campaign and NATO’s Cognitive Warfare exercises, reduce response time to novel AI attacks by 67% compared to traditional scenario-based training

The Paradigm Shift: When Threats Think Faster Than Defenders

The emergence of artificial intelligence as both weapon and shield in cybersecurity represents the most fundamental shift in the threat landscape since the internet’s commercialization. Unlike traditional attacks that follow predictable patterns, AI-powered threats adapt in real-time, learning from defensive responses and evolving tactics mid-attack. The implications extend far beyond technical considerations into the realm of cognitive warfare, where the battleground becomes human perception and decision-making itself.

Consider the sophistication of modern AI attack chains. Initial reconnaissance uses large language models to analyze thousands of public documents, social media posts, and data breach compilations to build detailed organizational profiles. Natural language processing identifies key personnel, maps reporting structures, and predicts likely security weaknesses based on industry patterns. The AI then crafts personalized attack vectors for each target, generating unique phishing emails that reference actual projects, mimic writing styles of trusted colleagues, and time delivery based on observed communication patterns.

The execution phase demonstrates even more alarming capabilities. Autonomous attack agents, powered by reinforcement learning algorithms similar to those that mastered complex games, can now navigate network environments without pre-programmed instructions. These agents observe network traffic, identify security tools, test defenses, and adjust tactics—all at machine speed. Research from MIT’s Computer Science and Artificial Intelligence Laboratory demonstrates that AI agents can discover and exploit novel vulnerability chains that human attackers would likely never identify, combining seemingly unrelated weaknesses into sophisticated attack paths.

The human element becomes the primary battlefield when deepfake technology enters the equation. Voice cloning requires less than three minutes of audio to create convincing replicas capable of passing voice biometric systems. Video deepfakes, while requiring more source material, can now run in real-time on consumer hardware, enabling live impersonation during video calls. The psychological impact extends beyond the immediate deception—once employees know deepfakes exist, trust in all communications erodes, creating paralysis during actual incidents when rapid coordination is essential.

Deepfakes and Synthetic Media: The Erosion of Truth in Incident Response

The weaponization of deepfake technology represents a fundamental assault on the epistemological foundations of incident response—our ability to determine what is real and what is fabricated. When attackers can convincingly impersonate CEOs authorizing wire transfers, security administrators confirming system changes, or law enforcement officials demanding immediate action, traditional verification procedures collapse. Organizations must now prepare for incidents where reality itself becomes contested terrain.

The sophistication of modern deepfake attacks extends far beyond simple voice cloning. Multimodal deepfakes combine voice, video, and behavioral patterns to create synthetic identities indistinguishable from genuine individuals. Attackers analyze hundreds of hours of publicly available content—earnings calls, conference presentations, podcast appearances—to build comprehensive behavioral models. These models capture not just voice and appearance but speech patterns, emotional responses, and decision-making tendencies. The resulting synthetic personas can engage in extended conversations, answer unexpected questions, and display appropriate emotional responses to developing situations.

Real-world incidents demonstrate the devastating effectiveness of these techniques. In 2024, a multinational corporation lost $25 million after attackers used deepfake technology to impersonate multiple executives during a video conference call, convincing the finance department to authorize emergency transfers for a fabricated acquisition. The deepfakes were so sophisticated that they included personalized details about family members, referenced internal projects by their correct code names, and even displayed the executives’ characteristic mannerisms and speech patterns. Post-incident analysis revealed the attackers had spent three months gathering intelligence and training their models, treating the operation like a military campaign with detailed reconnaissance, planning, and execution phases.

The challenge for incident response extends beyond detecting deepfakes to managing the psychological and operational chaos they create. During the confusion of an active incident, when stress levels are high and decision timelines are compressed, the cognitive load of constantly questioning the authenticity of every communication becomes overwhelming. Teams waste precious time verifying legitimate communications while potentially accepting sophisticated fakes. The breakdown of trust cascades through the organization, hampering coordination precisely when unified response is most critical.

Traditional tabletop exercises fail to prepare organizations for this reality because they assume the authenticity of exercise communications. Participants receive scenario updates from trusted facilitators, make decisions based on accurate information, and coordinate through established channels. This bears no resemblance to incidents where adversaries actively inject false information, impersonate key stakeholders, and manipulate the perception of events to create maximum confusion.

Post-Quantum Cryptography: Preparing for the Day Mathematics Fails

While AI and deepfakes represent immediate threats, the looming specter of quantum computing poses an existential challenge to the cryptographic foundations of digital security. Current encryption methods rely on mathematical problems that would take classical computers millions of years to solve. Quantum computers, leveraging the principles of superposition and entanglement, could solve these problems in hours or days. This isn’t a theoretical concern—it’s a mathematical certainty with a rapidly approaching deadline.

The implications of quantum computing for cybersecurity extend far beyond future vulnerabilities. “Harvest now, decrypt later” attacks are already underway, with nation-state actors systematically collecting encrypted data for future quantum decryption. Every encrypted communication, every secured transaction, every protected record transmitted today becomes vulnerable retroactively when quantum computers achieve sufficient capability. Organizations must grapple with the unprecedented challenge that their historical data—information they’ve already transmitted and cannot recall—may become readable in the near future.

The National Institute of Standards and Technology (NIST) released its first quantum-resistant cryptographic standards in 2024, but implementation presents staggering complexity. Organizations must inventory every cryptographic implementation across their entire technology stack, from network protocols to application libraries to embedded systems. Each component must be evaluated for quantum vulnerability, prioritized based on risk and data sensitivity, and migrated to quantum-resistant algorithms—all while maintaining operational continuity and backwards compatibility.

The migration challenge becomes exponentially more complex when considering the interconnected nature of modern business operations. Supply chain partners, cloud providers, and customers all operate with different cryptographic implementations and migration timelines. A single weak link in this cryptographic chain could expose entire business ecosystems. Financial services organizations, for example, must coordinate quantum migration across thousands of correspondent banks, payment processors, and regulatory systems, any of which could become an entry point for quantum-enabled attackers.

Current incident response frameworks assume the integrity of cryptographic protections. Plans rely on encrypted communications remaining secure, authentication systems maintaining integrity, and data protection persisting over time. Quantum computing shatters these assumptions, requiring organizations to prepare for scenarios where all encrypted data suddenly becomes readable, where digital signatures no longer prove authenticity, and where secure channels no longer exist.

Military-Grade Methodologies for Next-Generation Threats

Confronting these emerging threats requires abandoning traditional tabletop exercise approaches in favor of military-grade methodologies designed for cognitive warfare and technological uncertainty. In our experience conducting over 500 exercises with Fortune 500 companies and government agencies, we’ve adapted frameworks from DARPA’s AI Next campaign, NATO’s Cognitive Warfare concept, and the Defense Department’s quantum security initiatives to create exercise programs that prepare organizations for threats that don’t yet fully exist.

The foundation of our approach draws from the military concept of “capability-based planning”—preparing for adversary capabilities rather than specific scenarios. Traditional exercises ask, “What if ransomware encrypts our databases?” Capability-based exercises ask, “What if adversaries can manipulate any digital communication in real-time?” This shift from scenario-specific to capability-focused preparation ensures organizations develop adaptive responses that remain relevant as threats evolve.

DARPA’s approach to AI warfare, developed through programs like the Artificial Intelligence Exploration initiative, emphasizes “human-machine teaming” where AI augments rather than replaces human decision-making. We’ve adapted these principles into exercise frameworks that train teams to work with AI-powered defense tools while maintaining skepticism about AI-generated information. Participants learn to leverage machine-speed analysis while retaining human judgment for strategic decisions, creating a synthesis that outperforms either humans or machines operating independently.

The integration of cognitive warfare principles transforms exercises from technical simulations into psychological battlegrounds. Drawing from NATO’s research on cognitive security, we create scenarios where information itself becomes weaponized. Participants face not just technical attacks but coordinated influence operations designed to shape perception, create false urgencies, and manipulate decision-making. These exercises develop what military theorists call “cognitive sovereignty”—the ability to maintain clear thinking and accurate situational awareness despite active attempts at manipulation.

Quantum threat exercises require entirely different approaches that account for the retroactive nature of quantum vulnerabilities. We’ve developed “time-shifted scenarios” where organizations must respond to the sudden decryption of historical data, manage the cascading failures of cryptographic systems, and coordinate emergency migrations while under active attack. These exercises, based on classified military planning for “Q-Day,” reveal dependencies and vulnerabilities that traditional risk assessments miss.

Building AI-Resilient Incident Response Capabilities

Preparing for AI-powered attacks requires fundamentally reimagining incident response architectures, processes, and training. Organizations can no longer assume that attacks will follow human-comprehensible patterns or progress at human-manageable speeds. The response capability must match the speed, scale, and sophistication of AI-enabled threats while maintaining human oversight of critical decisions.

The first transformation involves temporal dynamics. Traditional incident response operates in human time—minutes for initial detection, hours for investigation, days for full remediation. AI attacks operate in machine time—milliseconds for vulnerability discovery, seconds for exploitation, minutes for complete compromise. This thousand-fold acceleration in attack speed means that initial response must be largely automated, with human involvement focused on strategic decisions rather than tactical actions. Organizations implementing AI-speed response capabilities report 89% reduction in initial containment time, limiting attack spread before human teams even engage.

Response architectures must evolve from static playbooks to dynamic, AI-assisted decision support systems. Machine learning models trained on millions of historical incidents can identify patterns, predict attack progression, and recommend responses faster than any human analyst. However, these systems must be designed with “explainable AI” principles that allow human operators to understand and validate recommendations. Our military-grade exercise methodology includes “AI failure modes” where automated systems provide incorrect or manipulated recommendations, training human operators to maintain appropriate skepticism and override authority.

The challenge of AI-generated disinformation during incidents requires new verification frameworks that go beyond traditional authentication methods. We’ve adapted military intelligence procedures for source validation, creating multi-factor verification protocols that combine technical indicators, behavioral analysis, and out-of-band confirmation. These protocols, tested through exercises featuring sophisticated deepfake attacks, ensure teams can maintain operational tempo without sacrificing security. Organizations practicing these frameworks show 76% improvement in detecting synthetic media during high-stress incident response.

Cross-functional coordination becomes exponentially more complex when AI acceleration compresses decision timelines from hours to seconds. Traditional escalation chains, designed for human-speed operations, collapse under machine-speed pressure. Our exercise programs develop “pre-authorized response matrices” where strategic decisions are made in advance and executed automatically when specific conditions occur. This approach, borrowed from military rules of engagement, enables rapid response while maintaining appropriate governance and control.

Quantum-Safe Migration as a Strategic Imperative

The transition to post-quantum cryptography represents one of the most complex technological migrations in history, comparable to Y2K but with less certainty about timing and more severe consequences for failure. Organizations must begin this transition now, not when quantum computers become publicly available, because by then it will be too late. The migration process itself, likely taking 5-10 years for large enterprises, must be completed before quantum computers achieve cryptographically relevant capability.

The complexity begins with discovery and inventory. Most organizations lack comprehensive understanding of where cryptography exists in their environments. It’s embedded in network hardware, application code, third-party libraries, cloud services, and even industrial control systems. Each instance must be catalogued, assessed for quantum vulnerability, and prioritized for migration. Our exercises reveal that organizations typically underestimate their cryptographic footprint by 300-400%, discovering critical dependencies only during simulated quantum attacks.

Risk prioritization for quantum threats differs fundamentally from traditional security planning. The primary consideration isn’t just the sensitivity of data but its required protection lifetime. Medical records that must remain confidential for decades face different quantum risk than financial transactions that lose sensitivity after settlement. Organizations must also consider the retroactive threat—data already transmitted that adversaries may have collected for future decryption. This temporal dimension, unique to quantum threats, requires new frameworks for risk assessment and prioritization.

The technical challenges of migration pale compared to the coordination requirements. Every external connection, every partner integration, every customer interaction involves cryptographic protocols that must maintain compatibility during transition. A single organization’s migration must synchronize with hundreds or thousands of external entities, each on different timelines with different approaches. Military logistics principles, particularly those developed for coalition operations, provide models for managing this complexity. Our quantum migration exercises simulate these multi-party coordination challenges, revealing bottlenecks and dependencies that traditional planning misses.

Testing quantum-resistant implementations presents its own challenges. Without actual quantum computers capable of breaking current encryption, organizations cannot definitively validate their new protections. Instead, they must rely on mathematical proofs, implementation audits, and simulated quantum attacks. Our exercise methodology includes “quantum breach scenarios” where teams must respond to the sudden failure of cryptographic protections, developing muscle memory for a threat that hasn’t yet materialized but mathematical certainty guarantees will arrive.

The Economics of Preparing for Tomorrow’s Threats Today

The business case for advanced threat exercises extends beyond risk mitigation to competitive advantage and operational excellence. Organizations that prepare for emerging threats before they materialize gain first-mover advantages in resilience, response capability, and market confidence. The economics are compelling: every dollar invested in emerging threat preparation returns $12-15 in prevented losses and operational improvements, according to our analysis of 200+ enterprise implementations.

Consider the cost dynamics of reactive versus proactive preparation. When deepfake attacks become widespread, unprepared organizations will scramble to implement detection technologies, train personnel, and redesign verification procedures—all while under active attack. Market estimates suggest emergency deepfake response implementations cost 5-7 times more than planned deployments, not including breach costs during the vulnerable transition period. Organizations conducting deepfake response exercises today build capabilities methodically, selecting optimal technologies and developing robust procedures without crisis pressure.

The quantum cryptography migration presents even starker economic contrasts. Organizations beginning migration now can leverage existing technology refresh cycles, spreading costs over multiple years and minimizing disruption. Those waiting until quantum threats become imminent will face compressed timelines, premium pricing for scarce expertise, and potential regulatory penalties for inadequate preparation. Our economic modeling suggests early movers will spend 60-70% less on quantum migration while achieving superior security outcomes.

Beyond direct cost savings, emerging threat preparation delivers substantial operational benefits. Teams trained on AI-powered attack scenarios develop enhanced analytical capabilities applicable to all security operations. The cognitive resilience built through deepfake exercises improves crisis management across all domains. Quantum migration projects drive cryptographic hygiene improvements that enhance current security while preparing for future threats. These collateral benefits often exceed the direct value of threat preparation, creating positive ROI even if specific threats evolve differently than anticipated.

Market differentiation increasingly depends on demonstrated resilience against emerging threats. Cyber insurance providers already offer premium reductions for organizations with mature exercise programs—discounts averaging 15-20% and growing as actuarial data confirms the risk reduction. Regulatory compliance increasingly requires forward-looking threat preparation, with frameworks like the EU’s Digital Operational Resilience Act explicitly mandating emerging threat scenarios. Customer and partner confidence, particularly in critical sectors like healthcare and financial services, increasingly depends on demonstrated preparation for next-generation threats.

Implementation Framework: From Awareness to Excellence

Transitioning from traditional tabletop exercises to emerging threat simulations requires structured progression that builds capabilities systematically while delivering immediate value. Our military-adapted implementation framework progresses through five maturity levels, each building on previous achievements while introducing new complexities and capabilities.

Level One establishes foundational awareness through executive briefings and demonstration exercises. Leadership experiences firsthand the qualitative difference between traditional scenarios and emerging threat simulations. A pharmaceutical company CEO, after participating in a deepfake crisis simulation, immediately authorized a comprehensive program, stating, “I finally understand why our current annual exercise is like bringing a knife to a gunfight.” This awareness phase typically requires 2-3 months, culminating in formal program authorization and resource allocation.

Level Two develops basic response capabilities through simplified scenarios focusing on single threat vectors. Teams practice AI attack response using scripted scenarios with predictable progressions. Deepfake detection training uses known samples with obvious tells. Quantum migration planning begins with comprehensive cryptographic inventory. This capability building phase, lasting 4-6 months, establishes fundamental skills and identifies capability gaps requiring additional investment.

Level Three introduces complexity through multi-vector scenarios combining emerging threats with traditional attacks. AI-powered attacks include deepfake communications to create command confusion. Quantum vulnerability discoveries occur during active ransomware incidents. These integrated scenarios, drawn from military “hybrid warfare” concepts, develop the cognitive flexibility required for real-world incidents where threats rarely arrive in isolation. Organizations typically require 6-9 months at this level, with monthly exercises building incremental complexity.

Level Four achieves operational excellence through unscripted, adaptive scenarios with intelligent opposition. Red teams employ actual AI tools to generate novel attacks during exercises. Deepfake capabilities include real-time video generation requiring sophisticated detection techniques. Quantum scenarios incorporate supply chain complications and regulatory requirements. This advanced phase, requiring 12-18 months to fully develop, produces teams capable of handling any conceivable threat combination.

Level Five establishes continuous adaptation through automated micro-exercises and persistent readiness testing. AI agents continuously probe defenses with novel scenarios, maintaining skills between major exercises. Deepfake detection becomes embedded in daily operations rather than special procedures. Quantum migration progresses through automated testing and validation. This state of persistent readiness, achieved after 18-24 months, transforms incident response from periodic capability to continuous competency.

Case Study: Global Financial Services Quantum Resilience Program

A Fortune 50 financial services company’s journey from quantum ignorance to industry leadership illustrates the transformative potential of properly executed emerging threat exercises. Facing regulatory pressure and board concerns about quantum risks to decades of encrypted transaction data, they engaged our team to develop a comprehensive quantum resilience program combining military-grade exercises with systematic capability development.

The initial assessment revealed staggering complexity: over 400 cryptographic implementations across 3,000 applications, connections to 800 financial institutions globally, and petabytes of historical data requiring decades of protection. Traditional risk assessment frameworks failed to capture the temporal dynamics of quantum threats, while existing incident response plans assumed cryptographic integrity. The organization faced a classic “unknown unknowns” situation where they couldn’t even articulate what they didn’t know.

Phase one established quantum literacy through executive immersion exercises. Board members and senior leaders participated in a “Q-Day” simulation where quantum computers suddenly broke current encryption. The exercise revealed cascading failures: payment systems freezing as authentication failed, historical transaction data becoming readable, and customer panic as news spread. The visceral experience of cryptographic collapse transformed quantum computing from abstract future threat to immediate strategic priority. The board authorized a $50 million quantum resilience program within 48 hours of exercise completion.

Phase two developed quantum response capabilities through progressively complex scenarios. Initial exercises focused on single-system failures, training teams to recognize quantum-related anomalies and implement emergency protocols. Subsequent scenarios introduced complications: quantum attacks during merger integrations, simultaneous attacks on multiple cryptographic systems, and “crypto-agility” tests where teams rapidly switched between quantum-safe algorithms. Each exercise revealed new dependencies and vulnerabilities, driving continuous improvement in response procedures.

Phase three integrated quantum considerations into all cybersecurity operations. Every incident response plan included quantum failure modes. Every technology deployment assessed quantum vulnerability. Every third-party connection evaluated quantum readiness. The organization developed the industry’s first “Quantum Security Operations Center” with dedicated teams monitoring for early quantum indicators and managing the ongoing migration. This integration, guided by exercises simulating various quantum emergence scenarios, ensured quantum readiness became operational reality rather than strategic aspiration.

Results after 24 months exceeded all projections. The organization completed quantum-safe migration for 60% of critical systems, developed response playbooks for 15 different quantum attack scenarios, and established itself as the industry leader in quantum preparedness. When NIST released updated quantum-resistant algorithms, they implemented updates within 30 days while competitors scrambled to understand implications. Most significantly, their demonstrated quantum readiness became a competitive differentiator, winning three major government contracts specifically citing their quantum security capabilities.

Future Evolution: The Convergence of Exponential Threats

The emergence of AI attacks, deepfake technology, and quantum computing as simultaneous threats represents just the beginning of a fundamental transformation in the cyber threat landscape. Looking ahead to the next five years, we see convergence scenarios that will challenge every assumption about cybersecurity and incident response. Organizations must prepare not just for individual emerging threats but for their synergistic combination into unprecedented challenges.

The convergence of AI and quantum computing will create threats of unimaginable sophistication. Quantum computers will break current encryption while AI systems instantly analyze the exposed data, identifying exploitation opportunities no human would recognize. Quantum-enhanced machine learning will discover vulnerabilities in quantum-resistant algorithms themselves, creating an endless cycle of attack and defense at speeds beyond human comprehension. Our advanced exercise scenarios already explore these possibilities, training teams to operate in environments where traditional security assumptions no longer apply.

Biotechnology and cybersecurity will increasingly overlap as medical devices, genetic sequencers, and laboratory equipment become network-connected and software-controlled. Attacks on these systems won’t just compromise data but could potentially harm or kill patients, contaminate research, or even weaponize biological materials. The complexity of securing systems where digital and biological intersect requires entirely new frameworks that our military partners are just beginning to develop. Organizations in healthcare and life sciences must prepare for scenarios that blend cyber attacks with biological threats.

Autonomous systems and robotics introduce physical consequences to cyber attacks that traditional IT security never contemplated. When self-driving vehicles, surgical robots, and industrial automation systems can be compromised, cyber incidents become kinetic events. The military’s experience securing autonomous weapons systems provides frameworks for these challenges, but civilian applications require different risk tolerances and response strategies. Our emerging threat exercises increasingly include scenarios where cyber attacks manifest as physical harm, requiring coordination between digital response teams and physical emergency services.

Space systems and satellite infrastructure represent the next frontier for cyber conflict. As commercial space activities proliferate and critical services increasingly depend on orbital assets, the vulnerability of space systems becomes a strategic concern. Quantum communications through satellites promise unhackable channels but also create new attack surfaces. Organizations depending on GPS, satellite communications, or space-based services must prepare for scenarios where these supposedly reliable systems fail or become compromised.

Conclusion: The Imperative of Proactive Evolution

The threats of 2025 and beyond—AI-powered attacks adapting faster than human defenders can respond, deepfakes eroding the very concept of trust, and quantum computers promising to shatter current encryption—demand a fundamental evolution in how organizations approach incident response preparation. Traditional tabletop exercises, designed for a simpler era of predictable threats and human-speed attacks, have become dangerously inadequate. They prepare organizations for the last war, not the next one.

The path forward requires embracing military-grade methodologies that assume continuous conflict against thinking adversaries armed with exponentially advancing technologies. It demands moving beyond annual compliance exercises to continuous capability development that matches the pace of threat evolution. Most critically, it requires leadership courage to invest in preparing for threats that haven’t fully materialized but mathematical and technological certainty guarantee will arrive.

Organizations that make this transformation today will discover that preparing for emerging threats delivers immediate benefits beyond future risk mitigation. The cognitive capabilities developed through AI attack simulations enhance all security operations. The verification frameworks created for deepfake defense improve general security hygiene. The cryptographic inventory required for quantum migration reveals optimization opportunities throughout the technology stack. These compound benefits create positive ROI regardless of specific threat evolution patterns.

The question facing every organization is not whether to prepare for emerging threats but whether to lead or follow. Leaders who begin comprehensive emerging threat exercises now will build resilient capabilities methodically, select optimal technologies thoughtfully, and develop robust procedures systematically. Followers who wait for threats to fully materialize will scramble reactively, pay premium prices for scarce expertise, and suffer breaches during vulnerable transition periods. The difference, measured in tens of millions of dollars and potential organizational survival, makes emerging threat exercises not just prudent but essential for 2025 and beyond.

The future belongs to organizations that prepare for it today. In our experience conducting 500+ exercises across every major industry, we’ve seen the transformative power of proper preparation. Organizations that embrace emerging threat exercises don’t just survive future attacks—they thrive in an environment where adaptability and resilience become the ultimate competitive advantages. The tools, methodologies, and frameworks exist. The only question is whether your organization will use them before it’s too late.