Cyber Rebels exists because of what happens in ordinary working moments.

Someone is in the middle of their day, working through emails, requests, and tasks, when something appears that fits exactly with what they are already doing. The name is familiar. The timing feels right. Responding keeps things moving.

So they do.

Nothing about that moment feels like a cybersecurity decision. It just feels like doing the job.

After more than twelve years working across cybersecurity, safeguarding, digital safety, and education, I kept seeing the same pattern. People were not unaware of risk. They had completed training, understood the guidance, and knew the kinds of things they were supposed to watch for. But when risk appeared inside normal work — in a familiar email, a routine request, or something that needed dealing with quickly — it often did not feel unusual enough to interrupt the flow and question it.

That is the gap Cyber Rebels was built around.

A lot of cybersecurity training works well in calm, controlled settings. The difficulty is that most real decisions are not made in those conditions. They happen when people are busy, trying to be helpful, staying responsive, and keeping work moving. In those moments, doing what feels sensible can still create risk, because nothing obvious makes the situation feel like a threat.

That is the part that never sat right with me.

I have always believed cybersecurity needs to be human first, not technology first. People do not learn well from jargon, fear, or abstract warnings. They learn from situations they recognise, conversations that sound real, and context that reflects how work actually feels when they are in the middle of it.

That belief is what Cyber Rebels was built on.

It exists to help people move beyond awareness into something more useful in practice: the kind of judgement that still holds up when a decision has to be made there and then. Risk does not usually build through one dramatic mistake. More often, it builds through familiar moments that feel normal, pass without challenge, and repeat over time.

What changes that is not simply giving people more information. It is helping them see those moments differently while they are happening. In practice, that means being able to pause when everything looks fine, verify when it would be easier not to, and question something without feeling like they are making life difficult for everyone else.

That is also where I see things differently from a lot of the usual cybersecurity messaging. People are not the weakest link. If something risky happens, I am much more interested in why it made sense at the time than in blaming the person afterwards. If all you do is stop at human error, you lose the learning. Someone else will come in, face a similar moment, and make the same kind of decision in a slightly different way.

For me, that is where the real value sits. Not in blaming people for getting something wrong, but in understanding what they saw, what made the action feel reasonable, and what the business can learn from that.

The strongest protection is not just a system sitting in the background. It is a person who understands what they are looking at when the moment matters, and feels confident enough to do something about it.

That is the reason behind Cyber Rebels, and it is the way I still look at this work now.
– Andy Longhurst
Founder, Cyber Rebels