The idea of the complex emergency has given rise to the notion of resilience as a form of acting out security. While security policies largely embrace the concept of resilience, critical scholarship points to the ‘responsibilization’ of the threatened subject, who is ‘programmed’ to act out security in a fashion that internalizes neoliberal values. This behaviour is trained through disciplinary practices, such as exercises, that seek to conduct the conduct of disaster populations. However, is the resilient subject only ever an instance of programmes and disciplinary power? This article takes a look at how self-organization comes about and how this process can be conceptualized through affect. It uses the setting of a cyber-security exercise to describe the dynamic interplay between affect and re/action. Building on Spinoza’s understanding of affect as the onset for action, the article discusses what affect theory contributes to resilience theory. It concludes that, as a form of acting out security, resilience incorporates both ‘programmed’ and ‘self-determined’ actions. Both forms of acting, however, imply that the resilient subject has no choice but to act out security. Given this fundamental restraint, powerlessness as the incapacity to act appears as one of the few instances that escape the governmental logic of resilience.