Audit & Compliance — Print & Play Bundle · v2.2 Playtest Edition
A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0
Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.
docs/HOW_TO_PLAY.md
Version: 2.2 - Playtest Edition
Read time: ~15 minutes. First game: ~45 minutes.
This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.
Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.
The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.
There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.
Every module runs on the same engine:
roll + modifiers ≥ 11.
The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:
Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)
The three actions (Blue Team picks ONE per turn):
| Action | Cost | On success (roll+mods ≥ 11) |
|---|---|---|
| Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed! |
| Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = defense stays on the table and gives +2 to future rolls against any link matching its vector |
| Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty) |
The pressure (TO applies at the START of each turn):
- Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not)
- Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)
When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).
TURN 1. TO: "Start of turn: one attacker action is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?" Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name." TO: "That's a real methodology and a real tool — +2 and +1. Roll." Rolls 9. 9+3 = 12 ≥ 11 — success. TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago." (First success on this link — clue only. Budget: 95 - 5 = 90.)
TURN 2. TO: "Active Breach Cost, minus 5. Budget: 85." Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs." TO: "+2, +1. Roll." Rolls 10. 13 ≥ 11 — second success on the same link. TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward." Team takes Budget Grant: 85 - 5 + 10 = 90.
TURN 3. TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went." From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)
Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?
Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.
| You want... | Read |
|---|---|
| You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens |
| Exact rules for a module | docs/rules/ — core + one file per module |
| Solo/standalone setup for any module | docs/standalone-games/ |
| Every card, indexed | cards/CARD_REFERENCE.md |
| To run a playtest and report back | docs/playtesting/ |
| Variable game length & difficulty tiers | core-rules §3a |
Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR)
IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15
IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat
Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card
Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+
Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns
Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150
docs/TO_GUIDE.md
Version: 2.2 - Playtest Edition
Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.
The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute:
If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.
A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.
The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.
+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing.
- ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated)
- ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic)
- ❌ "We investigate the email server thoroughly." (a location is not a method)
+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE.
- ✅ "Check LSASS access events — that's Mimikatz behavior, T1003."
- ❌ "We use our security tools." (no it isn't)
Rulings that keep it fair:
- Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0.
- Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game.
- Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics").
- Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change.
- One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").
Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.
| Easier (pick 1-2) | Harder (pick 1-2) |
|---|---|
| Richer clues (more specific detail per success) | Vaguer clues (accurate but terse) |
| Suggest an angle through the fiction | Expert-mode justification bar |
| Shorter chain / lower tier next game | Longer chain, expansion cards |
| Beginner budgets (module max) | Minimum budgets |
Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.
| Failure | Symptom | Fix |
|---|---|---|
| The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief |
| The Softie | Everyone always gets +2 | Re-read §4; require the mechanism |
| The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation |
| The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route |
| The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers |
| The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is |
Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.
docs/rules/core-rules.md
Version: 2.2 - Playtest Edition
Last Updated: October 2025
Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO) (the facilitator), while all other players form Blue Teams (the Defenders).
Players choose which module(s) to play based on learning objectives:
Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.
Threat Cards represent attacker actions. Each card includes:
- Title: e.g., "Phishing Campaign"
- Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
- Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
- Clue: Descriptive text for the Threat Orchestrator
- Why This Works: Educational explanation (revealed after discovery)
Deck Composition:
- 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
- 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)
Defense Cards represent security controls. Each card includes:
- Title: e.g., "Multi-Factor Authentication"
- Countermeasure Vector: One of the six attack vectors
- Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget)
- Description: What the defense does and when it applies
Deck Composition:
- 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
- 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)
Examples:
- BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget)
- ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget)
- ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)
Pentester Tactic Cards represent sophisticated attack techniques used in the Hardening module (and potentially others).
8 Core Tactics (PT-01 to PT-08):
1. PT-01: Social Engineering - Pretexting Attack
2. PT-02: Malware Evasion - Living-off-the-Land Technique
3. PT-03: Credential Dumping - Mimikatz Attack
4. PT-04: Lateral Movement - Network Traversal
5. PT-05: Privilege Escalation - Unpatched Kernel Exploit
6. PT-06: Data Exfiltration - Unmonitored Channel
7. PT-07: Supply Chain Compromise - Trusted Software Update
8. PT-08: Insider Threat - Malicious Administrator
See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.
Simple cards providing scenario context. Examples:
- Email Server
- Customer Database
- Domain Controller
- Web Application
- Backup System
- Developer Workstation
Physical Components:
- One 20-sided die (d20)
- Turn Tracker (paper or board, counts 1-12+)
- Budget Tracker (shows 0-150+)
- Reputation/Security Score Tracker (shows 0-100)
- Uncontained Threats Tracker (shows 0-5)
- Tokens or counters (for tracking upgrades, penalties)
Optional:
- Score sheets (printable or paper)
- Playbook tracking sheet
- Stakeholder communication log (for Disaster Recovery)
When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.
How It Works:
1. Player announces action and parameters
2. Player rolls 1d20 (one 20-sided die)
3. Add modifiers to the roll and compare the total to the target number (usually 11+)
4. Success if: roll + modifiers ≥ target number
Example:
Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)
What is Budget? Abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.
Budget Allocation by Module:
- Network Building: Start at 40-60 (by difficulty; see module rules)
- Hardening: Start at 150 (or carry over from IR)
- Incident Response: Start at 100
- Disaster Recovery: Start at 50 (emergency fund)
- Forensics: Start at 75
- Audit & Compliance: Start at 100 (used only for optional remediation cards)
Budget Spending:
- Investigate action: 5 Budget
- Deploy Defense: 10/15/25 Budget (by tier)
- Emergency Response (IR): 15 Budget (v2.2; was 25)
- Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed
- Harden Upgrade (Hardening): 5 Budget
- Create Playbook (Hardening): 10 Budget
- Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0)
- Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0
Budget = 0: Team loses (cannot take further actions)
Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.
Turns represent: Time passing in the game world (6 hours, 30 minutes, or abstract unit depending on module)
Turn Sequence:
1. Start of Turn: Penalties applied, trackers announced
2. Planning Phase: Team discusses strategy (2-3 min)
3. Action Phase: Execute chosen action, resolve rolls
4. End of Turn: Advance tracker, draw card, check events
Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.
Default Formula: (Attack Chain Cards × 2) + 1
This gives attackers enough time to progress realistically while keeping games manageable:
| Attack Chain | Formula | Turn Count | Session Duration |
|---|---|---|---|
| 3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play |
| 4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play |
| 5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play |
| 6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play |
How to Use Default Formula:
1. Choose number of threat cards in attack chain (3, 4, 5, or 6)
2. Apply formula: (Cards × 2) + 1 = Turn Count
3. Announce turn count to Blue Team
4. Play game normally with that turn limit
Example Setup:
"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"
Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:
Step 1: Select Attack Complexity Tier
| Tier | Turn Base | Attack Profile | Example |
|---|---|---|---|
| TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools |
| TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group |
| TIER 3 | 11-13 | Highly sophisticated | APT with operational security |
| TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group |
Step 2: Add Randomness (Optional)
Roll 1d4 for variation:
- Roll 1: -1 turn (tight timeline)
- Roll 2 or 3: ±0 turns (no change)
- Roll 4: +1 turn (extended dwell time)
Final Turn Count = Tier Base + d4 Result
Example Advanced Setup:
"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."
These rules protect game balance and prevent metagaming:
Rule 1 (Accept any roll). The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.
Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.
Example Scenarios:
- TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic)
- TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)
When Chaos Feels Realistic:
- Tight timeline: "The attacker worked faster than expected—they had prior knowledge"
- Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"
Implementation: Lean into the randomness as realistic incident variability.
Rule 2 (Never reveal the tier). The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.
Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).
What Players CAN Ask:
- "What are the suspicious network events?" (leads to understanding threats)
- "Can we analyze the malware?" (reveals attacker sophistication through findings)
- "Why did this attack succeed?" (post-game discussion)
What Players CANNOT Ask:
- "Is this a TIER 2 attack?" (deriving tier from turn count)
- "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)
Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.
Rule 3 (Modifier authority). The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.
When to Use (Rare):
- Scenario setup is unusually complex (multiple attack vectors, coordination across systems)
- Player group is new and needs slightly easier conditions
- Real-world incident being taught had specific timeline constraints
When NOT to Use (Prefer Random):
- "The roll feels unlucky" (accept the chaos)
- "I want this exactly 10 turns" (let dice decide)
- "The attack chain is long so it should take longer" (that's what the TIER system handles)
Implementation:
1. Roll d4 normally
2. Announce rolled result
3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why
4. Document the override for consistency in future scenarios
Example Valid Use:
"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have a 5-card attack chain, so I'm adding a +1 modifier (explaining that the discovery is methodical). Final: 8-10 turns."
Example Invalid Use:
"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)
For Beginners (Use Default Formula):
- [ ] Choose attack chain length (3, 4, 5, or 6 cards)
- [ ] Calculate: (Cards × 2) + 1
- [ ] Announce turn count
- [ ] Play
For Advanced (Use Tier + d4):
- [ ] Select TIER (1, 2, 3, or 4)
- [ ] Announce TIER basis (not the number, just why it's that complexity)
- [ ] Roll d4 for variation (hidden or public, your choice)
- [ ] Calculate final turn count
- [ ] Apply Rule 3 modifier if genuinely needed (rare)
- [ ] Announce final turn count WITHOUT revealing tier
Default Formula: Turn Count = (Attack Cards × 2) + 1
Tier System:
- TIER 1: 5-7 turns (simple)
- TIER 2: 8-10 turns (standard)
- TIER 3: 11-13 turns (advanced)
- TIER 4: 14-16 turns (expert)
- Add d4 roll: -1, 0, 0, or +1
Golden Rules:
1. Accept any roll (embrace chaos)
2. Never reveal tier to players
3. Modifier authority only when truly needed (rare)
All modules use the same modifier system for consistency:
+2 Technical Justification Modifier: Awarded when a player provides clear, specific reasoning for their action using real security concepts.
Examples:
- "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds"
- "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques"
- "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"
Criteria:
- References specific tools (Splunk, EDR, SIEM, etc.)
- Explains methodology (why this approach works)
- Shows understanding of the threat being addressed
+1 Real Tool/Technique Modifier: Awarded when a player references actual security tools or real attack/defense techniques.
Examples:
- "We'll use Wireshark to analyze the network traffic"
- "We're checking for Mimikatz usage in memory"
- "We're reviewing EDR telemetry"
- "We're looking for this specific CVE exploitation pattern"
Criteria:
- References real tools (Wireshark, EDR, Splunk, etc.)
- References real techniques (MITRE ATT&CK, specific CVEs)
- Shows awareness of how things actually work
Uncontained Threats Penalty. When Applied: Incident Response module only, applied at START of each turn
How It Works:
1. When a threat card is revealed, add 1 to Uncontained Threats Tracker
2. At START of each turn, deduct 5 Budget per uncontained threat
3. When next card in chain is revealed, previous threat is auto-mitigated (-1 from tracker)
4. When Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)
Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.
Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.
Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden):
Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: START → Deduct 5 Budget
Turn 3: Lateral Movement revealed → Phishing auto-mitigated; Lateral Movement is now the uncontained threat (Uncontained = 1)
Turn 4: Emergency Response on Lateral Movement (15 Budget) → Uncontained Threats = 0
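The IR turn engine described in the HOW_TO_PLAY walkthrough and in the penalty example above, as an added Python model that is not part of the game's published files: it applies the start-of-turn pressure, resolves Investigate / Deploy / Emergency Response with the +2/+1/+2 modifiers, and replays the manual's first three turns so a TO can check the Budget arithmetic. DefenseCard.step (the chain step a defense counters) is an assumption, since the printed defense cards list only a countermeasure vector.

```python
from collections import namedtuple
from dataclasses import dataclass, field

TARGET = 11            # roll + modifiers must reach this (core-rules, v2.2)
FAST_TRACK_TARGET = 5  # after the Fast-Track reward, the next Investigate succeeds on 5+
INVESTIGATE_COST = 5
EMERGENCY_COST = 15
DEPLOY_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
PENALTY = 5            # Active Breach Cost, and the cost per uncontained revealed threat

ThreatCard = namedtuple("ThreatCard", "code title step vector")  # kill-chain step, attack vector
DefenseCard = namedtuple("DefenseCard", "title vector tier step")  # step is an assumption (see lead-in)


@dataclass
class IRGame:
    chain: list                 # hidden attack chain, in kill-chain order
    budget: int = 100
    turn: int = 0
    revealed: int = 0           # index of the earliest unrevealed card
    successes: int = 0          # Investigate successes on the current link
    uncontained: set = field(default_factory=set)  # indices of revealed, uncontained cards
    deployed: list = field(default_factory=list)   # partial-match defenses left on the table
    fast_track: bool = False

    @property
    def turn_limit(self) -> int:
        return len(self.chain) * 2 + 1  # Variable Game Length default formula

    def start_of_turn(self) -> int:
        """The TO applies both pressure rules before the team acts; returns the new Budget."""
        self.turn += 1
        if self.revealed < len(self.chain):
            self.budget -= PENALTY                      # Active Breach Cost
        self.budget -= PENALTY * len(self.uncontained)  # Uncontained Threats
        return self.budget

    def modifiers(self, justification: bool, named_tool: bool) -> int:
        mods = (2 if justification else 0) + (1 if named_tool else 0)
        if self.revealed < len(self.chain):
            hidden = self.chain[self.revealed]
            mods += 2 * sum(1 for d in self.deployed if d.vector == hidden.vector)
        return mods

    def _spend(self, cost: int) -> None:
        if self.budget < cost:
            raise ValueError("not enough Budget for this action")
        self.budget -= cost

    def _reveal(self, reward: str) -> ThreatCard:
        card = self.chain[self.revealed]
        if self.revealed > 0:  # revealing the next card auto-contains the previous one
            self.uncontained.discard(self.revealed - 1)
        self.uncontained.add(self.revealed)
        self.revealed += 1
        self.successes = 0
        if reward == "budget":
            self.budget += 10
        elif reward == "fast_track":
            self.fast_track = True  # "cards" (draw 2 Defense cards) is not modelled: no deck here
        return card

    def investigate(self, roll: int, justification: bool, named_tool: bool, reward: str = "budget") -> str:
        self._spend(INVESTIGATE_COST)
        target = FAST_TRACK_TARGET if self.fast_track else TARGET
        self.fast_track = False
        if roll + self.modifiers(justification, named_tool) < target:
            return "fail"
        self.successes += 1
        if self.successes == 1:
            return "clue"      # first success on this link: the TO gives a clue
        self._reveal(reward)
        return "revealed"      # second success: the card flips face-up

    def deploy(self, defense: DefenseCard, roll: int, justification: bool, named_tool: bool, reward: str = "budget") -> str:
        self._spend(DEPLOY_COST[defense.tier])
        if roll + self.modifiers(justification, named_tool) < TARGET:
            return "fail"
        hidden = self.chain[self.revealed]
        if defense.vector == hidden.vector and defense.step == hidden.step:
            self._reveal(reward)           # full match: revealed immediately
            return "revealed"
        self.deployed.append(defense)      # partial match: +2 on later rolls against that vector
        return "deployed"

    def emergency_response(self, index: int) -> None:
        self._spend(EMERGENCY_COST)        # no roll; removes one revealed threat's ongoing penalty
        self.uncontained.discard(index)


def walkthrough():
    """Replays the manual's first three turns against the suggested first chain."""
    chain = [ThreatCard("T-01", "Phishing Campaign", "INITIAL COMPROMISE", "SOCIAL ENGINEERING"),
             ThreatCard("T-04", "Lateral Movement via SMB", "PIVOT & ESCALATE", "NETWORK"),
             ThreatCard("T-07", "Scheduled Task Persistence", "PERSISTENCE", "MALWARE")]
    g = IRGame(chain)
    g.start_of_turn()                                 # Active Breach Cost: 100 -> 95
    clue = g.investigate(9, True, True)               # 9 + 3 = 12: clue only; 95 -> 90
    g.start_of_turn()                                 # 90 -> 85
    reveal = g.investigate(10, True, True, "budget")  # 13: T-01 revealed, +10 reward; 85 - 5 + 10 = 90
    g.start_of_turn()                                 # breach -5, one uncontained threat -5: 80
    return g, clue, reveal
```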
Threat Orchestrator responsibilities:
- Manage game state and track turns/budget
- Describe scenarios and outcomes
- Roll dice when action outcomes are uncertain
- Guide the narrative
During Incident Response:
- Create and manage hidden attack chain
- Provide clues based on successful investigations
- Control Uncontained Threats penalties
- Be fair but challenging
During Other Modules:
- Describe threat context and defenses
- Draw Pentester Tactic cards (Hardening)
- Manage timeline and deadlines (Disaster Recovery)
- Guide debrief questions
Universal Tips:
- Explain why actions succeed or fail
- Ask clarifying questions about player strategy
- Balance challenge with learning
- Provide constructive feedback
Blue Team responsibilities:
- Discuss strategy as a team
- Choose one action per turn
- Justify your decisions (gain +2 modifier)
- Manage budget carefully
- Learn from success and failure
Key Rule: Modifiers are additive and can stack.
Example (Hardening Module, canonical formula — v2.2):
Pentester Tactic: PT-02 Living-off-the-Land (DC 13)
Defense roll = d20
+ printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
+ hardening upgrades on that defense (+2 each; one upgrade: +2)
+ relevant playbook (+3)
Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS
Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.
| Length | Difficulty | Best For |
|---|---|---|
| 3 cards | Beginner | Learning mechanics, 30 min sessions |
| 4 cards | Intermediate | Standard play, 40 min sessions |
| 5 cards | Advanced | Challenge play, full kill chain |
| Budget | Difficulty | Best For |
|---|---|---|
| 60 | Hard | Resource scarcity, tough choices |
| 100 | Standard | Balanced play, most scenarios |
| 150+ | Easy | Strategic depth, multiple options |
| Turns | Difficulty | Best For |
|---|---|---|
| 8 | Hard | Time pressure, fast play |
| 10 | Standard | Balanced, most scenarios |
| 12 | Easy | Exploration, learning |
Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.
| Module | Primary Learning | Secondary Learning |
|---|---|---|
| Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response |
| Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture |
| Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost |
| Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling |
| Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping |
| Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization |
| Mechanic | What It Teaches |
|---|---|
| d20 roll system | Uncertainty, risk, informed decision-making |
| Budget constraints | Resource allocation, prioritization |
| Justification bonuses | Technical reasoning, tools/techniques knowledge |
| Uncontained Threats penalty | Urgency, cost of dwell time |
| Pentester Tactics | Attacker sophistication, defense limitations |
| Playbook system | Preparation, incident response planning |
| Scoring systems | Outcome measurement, quality assessment |
Implementation:
- Same setup for all teams
- Teams cannot share information (Incident Response)
- Score comparison determines winner (Hardening)
- Reputation comparison (Disaster Recovery)
Every module should include a 5-15 minute debrief with three sections:
Too Easy Signs:
- Team reveals all cards/achieves goal with 40+ budget remaining
- No failed rolls
- No meaningful decisions required
- Team is bored
Too Hard Signs:
- Team is stuck/making no progress after 5 turns
- Multiple consecutive failed rolls
- Team frustrated rather than challenged
- No learning happening
Adjustment Options:
- Easier: Provide better clues, more starting budget, fewer tactics
- Harder: Less specific clues, lower budget, more tactics
- Faster: Shorter turn limits, simpler scenarios
- Slower: More turns, more complex scenarios
For complete card descriptions, see:
- Base Threat & Defense Cards: cards/incident-response/core-deck/threat-defense-cards.md
- Expansion Threats: cards/incident-response/expansion-deck/advanced-threats.md
- Expansion Defenses: cards/incident-response/expansion-deck/advanced-defenses.md
- All decks indexed: cards/CARD_REFERENCE.md
For complete rules on each module:
For your first game:
1. Choose a module from Module Combinations
2. Read the module-specific rules
3. Read the standalone setup guide
4. Prepare your scenario
5. Play!
For multiple modules:
1. Refer to Module Combinations for recommended sequences
2. Refer to FRAMEWORK.md for modifier generation procedures
3. Play first module, generate modifiers for next
4. Continue as desired
Incident Zero: Core Rules & Mechanics v2.1 - Balanced & Refined Edition
Universal rules for all modules
docs/rules/module-audit-compliance.md
Version: 2.2 - Playtest Edition
Last Updated: October 2025
v2.2: this document's modifier table is canonical — the tables in cards/audit-compliance/ are generated from it. See v2.2 Playtest Edition Changes at the bottom.
The Audit & Compliance Module teaches players how security assessments reveal vulnerabilities that attackers will eventually exploit. Teams conduct a simulated third-party audit of their IT infrastructure, discovering gaps that will matter later.
Key Concept: "Auditors find what attackers will exploit." The findings from this module either inform hardening decisions (if successful) or create additional costs (if incident occurs).
Module Teaches:
- Primary: Security assessment, compliance frameworks (NIST, CIS, PCI-DSS), vulnerability discovery
- Secondary: Risk prioritization, remediation planning, audit-to-action translation
Integration Point:
- Can be played standalone (teams audit a pre-built network)
- OR as setup for Incident Response/Disaster Recovery (audit findings modify those modules)
- See module-combinations.md for recommended sequences
| Framework | Focus | Best For |
|---|---|---|
| NIST Cybersecurity Framework | 5 Core Functions | General organizations |
| CIS Critical Controls | 18 Controls (CIS v8) | Defense-focused |
| PCI-DSS | Payment card security | Retail/e-commerce |
| HIPAA | Healthcare data | Healthcare organizations |
| Multi-Framework | Mix of above | Realistic compliance |
Key Point: Framework choice determines which audit domains are tested.
Budget note (v2.2): core-rules gives the Audit module a starting Budget of 100. That Budget applies only when playing the optional Remediation follow-up cards (see cards/audit-compliance/expansion-deck/compliance-frameworks.md, remediation section); the assessment itself costs nothing.
| Scope | Time | Networks Evaluated |
|---|---|---|
| Basic | 5 min | One pre-built network |
| Standard | 10 min | One network from Network Building OR pre-built |
| Comprehensive | 15+ min | Multiple networks / multiple locations |
Option A: Use Pre-Built Network
- Threat Orchestrator provides a sample network
- Teams audit it without having built it
- Focuses on audit skills, not network design
Option B: Use Network from Network Building Module
- Teams audit the network they just built
- Directly see consequences of earlier decisions
- More integrated experience
Option C: Create Fictional Network via Narrative
- Threat Orchestrator describes a scenario: "Your organization has email, web, database, and domain controller servers. Some are on-prem, some in cloud. You have a firewall but no IDS."
- Teams audit based on description
- Faster, requires less setup
Threat Orchestrator (Acting as External Auditor) reviews the network and assesses 6 audit domains:
Audit Question: "Does your network properly isolate critical systems from untrusted networks?"
Pass Criteria:
- Implemented segmented architecture (3+ zones), AND
- Deployed firewall between zones, AND
- Critical systems (Database, Domain Controller) in separate zone from internet-facing systems
Fail Criteria:
- Flat network (no segmentation), OR
- Segmentation without firewall, OR
- Critical systems on same zone as untrusted systems
If FAIL - Finding:
- Name: Network Segmentation Gap
- Risk Level: CRITICAL
- Consequence in IR: Lateral movement easier (-1 to defending against NETWORK attacks)
- Consequence in DR: Attacker access spreads to more systems (-10 DR budget penalty)
Narrative for Teams: "All of your systems are on the same network segment. Once an attacker gains access to one system, they can move freely between others."
Audit Question: "Is your identity system (directory services, authentication, authorization) properly secured?"
Pass Criteria:
- Domain Controller deployed, AND
- Domain Controller on separate network segment, AND
- Domain Controller not overloaded (≤2 services)
Fail Criteria:
- No Domain Controller deployed, OR
- Domain Controller on same segment as untrusted systems, OR
- Domain Controller overloaded (3+ services)
If FAIL - Finding:
- Name: Identity System Vulnerability
- Risk Level: CRITICAL
- Consequence in IR: Credential-based attacks easier (-1 to defending against CREDENTIAL ABUSE attacks)
- Consequence in DR: Full credential compromise; all user accounts compromised (-15 DR budget penalty)
Narrative for Teams: "Your identity system is overloaded with too many services and insufficient hardening. If compromised, attackers will have broad access to all user credentials."
Audit Question: "Can you detect attacks when they happen? Do you have monitoring and alerting?"
Pass Criteria (any of the following):
- IDS or IPS deployed, AND/OR
- SIEM system deployed, AND/OR
- Email Gateway + Honeypot deployed (detection alternatives)

Fail Criteria:
- None of the above detection systems deployed, OR
- Only basic security devices with no central logging

If FAIL, Finding:
- Name: Detection & Monitoring Gap
- Risk Level: HIGH
- Consequence in IR: Investigations slower (-1 to Investigation rolls; 12+ instead of 11+)
- Consequence in DR: Breach undetected longer; more data stolen (-10 DR budget penalty)
Narrative for Teams: "You have no centralized logging or monitoring. When an attack happens, you won't know about it until data is already compromised."
Audit Question: "Do you have functional backups? Can you recover from data loss or ransomware?"
Pass Criteria:
- Backup System deployed, AND at least one of:
  - Backup isolated on separate network, OR
  - Cloud backup configured, OR
  - Multiple hosting locations (on-prem + cloud redundancy)

Fail Criteria:
- No Backup System deployed, OR
- Single point of failure (all on-prem or all cloud)

If FAIL, Finding:
- Name: Backup & Recovery Gap
- Risk Level: CRITICAL (for ransomware/DR only)
- Consequence in IR: None (network gap, not detection issue)
- Consequence in DR: Ransomware unrecoverable; full rebuild required (-25 DR budget penalty)
Narrative for Teams: "You have no backup strategy. If ransomware hits, you cannot recover your data. You must either pay ransom or rebuild from scratch."
Audit Question: "Are your cloud systems and third-party integrations properly secured and isolated?"
Pass Criteria:
- Cloud systems isolated on private network (VPN), AND
- Cloud systems monitored/managed, AND
- Credentials for cloud access securely managed

Fail Criteria:
- Cloud systems internet-exposed, OR
- No monitoring of cloud services, OR
- Credentials stored locally for cloud access

If FAIL, Finding:
- Name: Cloud Security Gap
- Risk Level: HIGH
- Consequence in IR: Cloud-based attacks easier (-1 to defending against WEB_EXPLOIT attacks)
- Consequence in DR: Cloud compromise requires cloud provider recovery; slow remediation (-20 DR budget penalty)
Narrative for Teams: "Your cloud systems are internet-accessible without protection. Any attacker can directly target your cloud infrastructure."
Audit Question: "Do you have centralized logging, monitoring, and security operations capability?"
Pass Criteria:
- SIEM system deployed, OR
- Email Gateway + IDS deployed (combined monitoring)

Fail Criteria:
- No SIEM or equivalent centralized logging

If FAIL, Finding:
- Name: Security Operations Gap
- Risk Level: MEDIUM
- Consequence in IR: Investigations slower (-1 to Investigation rolls)
- Consequence in DR: Forensic analysis slow; can't determine breach scope (-5 DR budget penalty)
Narrative for Teams: "You have no centralized place to view security events. When an attack happens, investigators must pull data from multiple sources manually."
After all 6 domains are assessed, Threat Orchestrator produces an Audit Findings Report:
SECURITY AUDIT FINDINGS REPORT
Organization: [Name]
Assessment Date: [Date]
Framework: [Framework used]
Auditor: [Your name / External firm]
═══════════════════════════════════════════
DOMAIN ASSESSMENT SUMMARY:
✓ PASS - Network Segmentation & Isolation
Observation: Network properly segmented with firewalls between zones.
Assessment: Risk is LOW for lateral movement.
✗ FAIL - Access Control & Identity Management
Finding: Domain Controller overloaded with excessive services.
Risk: If DC compromised, entire identity system at risk.
Severity: CRITICAL
Recommendation: Isolate DC to minimal required services.
✓ PASS - Threat Detection & Incident Response
Observation: SIEM system deployed with centralized logging.
Assessment: Good detection capability.
✗ FAIL - Backup & Disaster Recovery
Finding: No backup system deployed.
Risk: Data loss unrecoverable; ransomware response limited to ransom/rebuild.
Severity: CRITICAL
Recommendation: Deploy backup system immediately.
✓ PASS - Third-Party Risk & Cloud Security
Observation: Cloud systems properly isolated on private network.
Assessment: Cloud security posture adequate.
✗ FAIL - Security Operations & Monitoring
Finding: No centralized logging platform.
Risk: Incident investigation will be slow and manual.
Severity: HIGH
Recommendation: Deploy SIEM or equivalent centralized logging.
═══════════════════════════════════════════
FINAL SCORE: 3/6 DOMAINS PASS
Overall Assessment: CONCERNING GAPS IDENTIFIED
Summary: Organization has adequate network and cloud security but lacks:
1. Proper identity system isolation
2. Backup/recovery capability
3. Centralized monitoring
Impact Estimate:
- If attack occurs: Detection delayed, recovery impossible without ransom
- Estimated cost to remediate findings: ~$40K (modest investment)
- Estimated cost of breach due to these gaps: ~$500K+ (significant exposure)
Recommendation Priority:
1. Deploy backup system (prevent ransomware catastrophe)
2. Isolate Domain Controller (prevent credential compromise)
3. Centralize logging (speed up incident response)
PASS/FAIL per domain (X/6) is the primary score. Star ratings (1-5★) are flavor for narrative reports, with this fixed mapping:
1-2★ = FAIL · 3★+ = PASS · "PARTIAL" counts as FAIL
Optional (v2.2): a 5★ (exemplary) rating in Detection grants +1 to Incident Response investigation rolls if IR is played later.
Teams receive a score reflecting their infrastructure quality:
| Score | Assessment | Interpretation |
|---|---|---|
| 6/6 PASS | Enterprise-Grade | No modifiers carried into later modules; strong foundation |
| 5/6 PASS | Strong Security | -1 modifier to one attack type in IR |
| 4/6 PASS | Adequate Security | -1 modifier to two attack types in IR |
| 3/6 PASS | Concerning Gaps | -1 modifier to three attack types; attacks in IR easier |
| Below 3/6 | High Risk | Multiple -1 modifiers; attacks in IR much easier; DR much costlier |
6/6 Pass: "Your organization demonstrates strong security practices across all domains. While no system is perfect, you have implemented key controls and best practices."
4-5/6 Pass: "Your organization has good foundational security but should prioritize remediation of identified gaps. Most critical systems are protected, but some exposure remains."
3/6 Pass: "Your organization has significant security gaps that create real risk. Multiple critical domains require attention. If an incident occurs, you will face challenges."
Below 3/6: "Your organization has critical gaps across multiple domains. Significant investment needed to meet baseline security standards."
When audit findings exist and other modules are played:
Each FAIL finding creates a -1 modifier (one per gap — canonical, v2.2) to the relevant roll:
| Audit Finding | IR Modifier | Affected Threat Type |
|---|---|---|
| Segmentation Gap | -1 to NETWORK defenses | Lateral movement attacks easier |
| Identity Gap | -1 to CREDENTIAL_ABUSE defenses | Credential attacks easier |
| Detection Gap | -1 to Investigation rolls | Finding threats takes longer (11+ becomes 12+) |
| Backup Gap | No IR effect | (Matters in Disaster Recovery) |
| Cloud Gap | -1 to WEB_EXPLOIT defenses | Web/API attacks easier |
| Operations Gap | -1 to Investigation rolls | Forensic investigation slower |
Example: Segmentation Gap Active in IR
INCIDENT RESPONSE PHASE:
Team's Threat: Lateral Movement via SMB
Base roll needed: 11+
Audit Modifier: -1 (Segmentation Gap)
Effective roll needed: 12+
Team's Defense: Network Segmentation (newly deployed)
Roll: 14 + 2 (justification) = 16
Result: SUCCESS (16 ≥ 12)
TO Narrative: "Your network segmentation worked perfectly, stopping the
lateral movement that would have been trivial in an unsegmented network."
Each FAIL finding is a penalty subtracted from the DR starting budget (this table is canonical — v2.2):
| Audit Finding | DR Budget Penalty |
|---|---|
| Segmentation Gap | -10 Budget (attacker spreads to more systems) |
| Identity Gap | -15 Budget (full credential compromise) |
| Detection Gap | -10 Budget (dwell time longer; more data stolen) |
| Backup Gap | -25 Budget (no recovery option; expensive rebuild) |
| Cloud Gap | -20 Budget (cloud provider recovery needed) |
| Operations Gap | -5 Budget (forensic investigation slow) |
Cap (v2.2): the total gap penalty applied to a subsequent module's budget is capped at -30.
Example: Multiple Gaps in DR (v2.2)
DISASTER RECOVERY PHASE:
Teams start with 50 crisis budget (DR 50; for reference, IR starts at 100).
Audit Failures from earlier assessment:
- Segmentation Gap: -10
- Detection Gap: -10
- Backup Gap: -25
Raw Gap Penalty: -45 -> capped at -30
Available Crisis Budget: 50 - 30 = 20
With 20 Budget the team can still afford the mandatory beats
(cheapest mandatory path is 29 -> they must lean on the free
Holding Statement and skip actions), but the response will be
thin. Outcome: heavy pressure, likely reputation damage.
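To make the six domain criteria and the carry-over tables concrete, here is an added Python model of the v2.2 rules. It is example code written for this edition, not part of the game's files: the `Network` fields are assumptions chosen to cover the printed pass criteria, while the finding names, the -1-per-gap IR rule, the DR penalties and the -30 cap come straight from the tables above. The constructed sample network also reproduces the worked DR example (three gaps, -45 raw, capped to -30, 20 budget left).

```python
"""Audit domain checks and the downstream IR/DR modifiers, as a runnable model of the v2.2 rules.

Constructed example, not the game's own code: the Network fields are assumptions
chosen to cover the printed pass/fail criteria; the penalty numbers are the
canonical v2.2 tables from the rules text.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Network:
    """Minimal infrastructure description an auditor needs to apply the six domains (assumed fields)."""
    zones: int                    # 1 = flat network
    firewall_between_zones: bool
    critical_zone_separate: bool  # Database + Domain Controller not in the internet-facing zone
    domain_controller: bool
    dc_separate_segment: bool
    dc_services: int              # services co-hosted on the DC (3+ = overloaded)
    ids_or_ips: bool
    siem: bool
    email_gateway: bool
    honeypot: bool
    backup_system: bool
    backup_isolated: bool         # backup on its own network
    cloud_backup: bool
    multi_location: bool          # on-prem + cloud redundancy
    cloud_private: bool           # cloud systems reachable only over VPN / private network
    cloud_monitored: bool
    cloud_creds_managed: bool     # no locally stored cloud credentials


# Finding name -> (IR roll it penalises, DR budget penalty), from the canonical v2.2 tables.
FINDINGS = {
    "Segmentation Gap": ("NETWORK defenses", 10),
    "Identity Gap": ("CREDENTIAL_ABUSE defenses", 15),
    "Detection Gap": ("Investigation rolls", 10),
    "Backup Gap": (None, 25),          # no IR effect; matters only in DR
    "Cloud Gap": ("WEB_EXPLOIT defenses", 20),
    "Operations Gap": ("Investigation rolls", 5),
}
DR_PENALTY_CAP = 30     # v2.2 cap on the total gap penalty carried into a later module
DR_STARTING_BUDGET = 50


def audit(net: Network) -> dict[str, bool]:
    """Apply the printed pass criteria; True = PASS, False = FAIL (the named finding exists)."""
    return {
        "Segmentation Gap": net.zones >= 3 and net.firewall_between_zones and net.critical_zone_separate,
        "Identity Gap": net.domain_controller and net.dc_separate_segment and net.dc_services <= 2,
        "Detection Gap": net.ids_or_ips or net.siem or (net.email_gateway and net.honeypot),
        "Backup Gap": net.backup_system and (net.backup_isolated or net.cloud_backup or net.multi_location),
        "Cloud Gap": net.cloud_private and net.cloud_monitored and net.cloud_creds_managed,
        "Operations Gap": net.siem or (net.email_gateway and net.ids_or_ips),
    }


def score(results: dict[str, bool]) -> int:
    """Primary score: number of domains passed out of 6."""
    return sum(results.values())


def gaps(results: dict[str, bool]) -> list[str]:
    """Names of the FAIL findings, in domain order."""
    return [name for name, passed in results.items() if not passed]


def ir_modifiers(findings: list[str]) -> dict[str, int]:
    """One -1 per gap on the relevant IR roll. Assumption: two gaps that hit the same
    roll (Detection + Operations both hit Investigation) stack to -2."""
    mods: dict[str, int] = {}
    for name in findings:
        target, _ = FINDINGS[name]
        if target is not None:
            mods[target] = mods.get(target, 0) - 1
    return mods


def dr_penalty(findings: list[str]) -> int:
    """Summed DR budget penalty, capped at DR_PENALTY_CAP."""
    raw = sum(FINDINGS[name][1] for name in findings)
    return min(raw, DR_PENALTY_CAP)


def dr_budget(findings: list[str]) -> int:
    """Crisis budget left after the (capped) penalty is subtracted from the DR start."""
    return DR_STARTING_BUDGET - dr_penalty(findings)


def stars_to_pass(stars: int) -> bool:
    """Fixed v2.2 flavor mapping: 1-2 stars = FAIL, 3+ stars = PASS."""
    return stars >= 3


# Constructed sample: a cloud-first startup with a flat network, no detection and public cloud hosts.
STARTUP_LIKE = Network(
    zones=1, firewall_between_zones=False, critical_zone_separate=False,
    domain_controller=True, dc_separate_segment=True, dc_services=1,
    ids_or_ips=False, siem=False, email_gateway=False, honeypot=False,
    backup_system=True, backup_isolated=False, cloud_backup=True, multi_location=False,
    cloud_private=False, cloud_monitored=False, cloud_creds_managed=False,
)

if __name__ == "__main__":
    results = audit(STARTUP_LIKE)
    found = gaps(results)
    print(f"Score: {score(results)}/6 PASS")
    print("Findings:", found)
    print("IR modifiers:", ir_modifiers(found))
    print(f"DR penalty: -{dr_penalty(found)} (cap {DR_PENALTY_CAP}); budget left {dr_budget(found)}")
```

Run as a script it audits the sample startup (2/6 PASS, four findings, -45 raw penalty capped to -30), which is the same arithmetic as the multiple-gaps example above. Note that under the printed criteria an Operations PASS implies a Detection PASS, so a Detection gap always drags Operations with it; the model makes that dependency visible.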
Recommended Flow: Audit → Incident Response
1. Identify 3-5 gaps in the network
2. Generate Modifiers (2 minutes): each gap becomes a -1 modifier to the relevant defense in IR
3. Play Incident Response (35-40 minutes): teams gain appreciation for audit value
4. Debrief (10 minutes)
Recommended Flow: Audit → [Incident Response] → Disaster Recovery
1. Identify gaps (particularly Backup Gap and Detection Gap)
2. Skip or Lose IR (optional): assume attackers breached and the incident was NOT detected
3. Play Disaster Recovery (30-35 minutes): teams discover that the detection gap meant dwell time was 48+ hours
4. Debrief (10 minutes)
Play Just the Audit Module (as independent learning)
Network Characteristics:
- Flat network (no segmentation)
- Email, web, database on same servers (overloaded)
- No backup system
- No SIEM or monitoring
- All on-premises

Expected Audit Result:
- 1-2/6 domains pass
- Multiple CRITICAL findings
- High remediation cost
- Team learns value of basics (backup, monitoring)

Network Characteristics:
- Segmented network with firewall
- Dedicated servers for critical functions
- Backup system present
- IDS deployed but no SIEM
- Hybrid on-prem/cloud

Expected Audit Result:
- 4/6 domains pass
- 2 MEDIUM findings (monitoring, cloud config)
- Moderate remediation cost
- Team learns importance of comprehensive monitoring

Network Characteristics:
- Fully isolated network architecture
- Dedicated hardened servers
- Comprehensive backup strategy
- SIEM + IDS deployed
- Cloud properly secured

Expected Audit Result:
- 5-6/6 domains pass
- 0-1 minor findings
- Low remediation cost
- Team learns value of comprehensive program
Focus audit on a specific compliance requirement:
- PCI-DSS: Focus on payment card handling, encryption, access control
- HIPAA: Focus on healthcare data protection, audit logs, access management
- SOC 2: Focus on security, availability, confidentiality controls
- GDPR: Focus on data protection, breach notification, privacy
Each framework has different pass/fail criteria.
Run audit multiple times with team improvements:
1. Initial audit (baseline)
2. Team makes improvements based on findings
3. Follow-up audit (measure improvement)
4. Calculate improvement % and cost-benefit

Instead of a compliance framework, audit against a specific threat profile:
- "This organization faces nation-state threat" → Audit for advanced detection
- "This organization handles PHI data" → Audit for healthcare security
- "This organization processes credit cards" → Audit for PCI-DSS
- "This organization is critical infrastructure" → Audit for resilience
| Domain | PASS Meaning | FAIL Consequence (IR) | FAIL Consequence (DR) |
|---|---|---|---|
| Segmentation | Good isolation | -1 to NETWORK defense | -10 budget |
| Identity | Proper AC | -1 to CREDENTIAL_ABUSE defense | -15 budget |
| Detection | Good monitoring | -1 to Investigation | -10 budget |
| Backup | Recovery capable | None | -25 budget |
| Cloud | Secure cloud | -1 to WEB_EXPLOIT defense | -20 budget |
| Operations | Good logging | -1 to Investigation | -5 budget |
Cap (v2.2): total DR budget penalty capped at -30. Star flavor mapping: 1-2★ = FAIL, 3★+ = PASS, PARTIAL = FAIL.
cards/audit-compliance/core-deck/audit-domain-cards.md and cards/audit-compliance/README.md are regenerated from it. One-off mechanics that existed nowhere else ("+5 turn penalty", "+1 escalation point", "-2 modifier", "+1 difficulty") are deleted or folded into the canonical -1-per-gap rule.

Audit & Compliance Module - Rules & Mechanics
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition
docs/standalone-games/audit-compliance.md
Version: 2.2 - Playtest Edition — answer keys now follow the printed criteria; PASS/FAIL (X/6) is the primary score (stars: 1-2★ = FAIL, 3★+ = PASS, PARTIAL = FAIL). See docs/rules/module-audit-compliance.md for the canonical modifier table.
Compliance Audit Standalone offers three distinct game modes that can be played independently:
Common Theme: Teams understand how audits find vulnerabilities that attackers will exploit.
Best For:
- Standalone 20-35 minute sessions
- Teaching audit frameworks
- Understanding security gaps
- Before/after comparison with the Incident Response module
- Competitive assessment skills
Duration: 15-25 minutes
Players: 1-4 teams
Difficulty: Easy (low cognitive load)
Best For: Quick session, first-time audit introduction
"Three organizations have submitted their infrastructure for audit. Review each one and score their security posture. Which has the best design? Which is most vulnerable?"
Teams receive 3 pre-built network descriptions and audit them against a 6-domain framework. Compare results and discuss why vulnerabilities matter.
INFRASTRUCTURE DESCRIPTION:
Startup Tech is a 50-person web development company.
Cloud-first approach, minimal on-premises systems.
DEPLOYMENT:
- Web Server (Cloud - AWS): Hosts company website and app portal
- Database Server (Cloud - AWS RDS): Customer data, 100K records
- Development Server (Cloud - AWS EC2): Dev/test environment
- Domain Controller (On-Prem): AD for user identity (1 small server)
- File Server (On-Prem): Shared documents
- Email Server (Cloud - Microsoft 365): Email via SaaS provider
SECURITY DEVICES:
- Email Gateway: None (using Microsoft 365 default)
- Firewall: AWS Security Groups (cloud provider native)
- IDS/IPS: None
- SIEM: None
- WAF: None
- Backup: AWS automated snapshots + Microsoft 365 retention
- VPN: None (all cloud-native, no remote access needed)
NETWORK ARCHITECTURE:
- Hybrid (50% Cloud, 50% On-Prem)
- Cloud systems accessible via internet (all public IP)
- On-prem systems on isolated LAN
- No network segmentation between cloud and on-prem
HOSTING:
- 50% AWS (web, database, dev)
- 50% On-Premises (AD, file sharing)
SECURITY POSTURE:
- No perimeter firewall monitoring
- Cloud infrastructure: AWS default security (basic)
- On-prem infrastructure: Minimal controls
- Identity: Single AD instance (critical point)
- No incident detection
- Backups functional but not tested
INFRASTRUCTURE DESCRIPTION:
Mid-Market Corp is a 200-person financial services company.
Balanced on-premises and cloud, mature IT operations.
DEPLOYMENT:
- Email Server (On-Prem): Exchange 2019
- Web Server (Cloud - Azure): Public website + customer portal
- Database Server (On-Prem): SQL Server, customer data, 1M records
- File Server (On-Prem): Network file shares, active collaboration
- Domain Controller (On-Prem): AD + LDAP, 200 users
- Development Server (Cloud - Azure): Dev/test
- Backup System (On-Prem): Backup appliance, off-site replication
- Legacy System (On-Prem): 15-year-old accounting system
SECURITY DEVICES:
- Firewall: Cisco ASA (perimeter) + internal segmentation firewall
- Email Gateway: Proofpoint (phishing/malware filter)
- IDS: Suricata (network-based detection)
- IPS: None (IDS only)
- SIEM: Splunk (centralized logging)
- WAF: AWS WAF (in front of web server)
- VPN: Cisco AnyConnect (remote access)
- Honeypot: None
NETWORK ARCHITECTURE:
- Segmented (3 zones: DMZ, Internal, Finance)
- Firewalls enforce zone boundaries
- On-prem systems segregated from cloud
- Cloud systems on private network (not public internet)
HOSTING:
- 40% On-Premises (core business systems)
- 60% Cloud (web, dev, supplementary)
SECURITY POSTURE:
- Perimeter monitoring active (IDS)
- Email filtering active
- Centralized logging (SIEM)
- Remote access controlled (VPN)
- Backup and recovery tested
- Legacy system isolated but unpatched
INFRASTRUCTURE DESCRIPTION:
Enterprise Bank is a 1000+ person financial institution.
Highly regulated (PCI-DSS, HIPAA), on-premises focused.
DEPLOYMENT:
- Email Server (On-Prem): Custom hardened system + redundancy
- Web Server (Cloud/Hybrid): DMZ layer for customer portal
- Database Server (On-Prem): Oracle RAC, 500M+ records, air-gapped
- File Server (On-Prem): Multiple redundant file servers by department
- Domain Controller (On-Prem): Multiple DCs, LDAP + Kerberos, hardened
- Development Server (On-Prem): Isolated dev network, no access to prod
- Backup System (On-Prem): Multiple backup systems, offline vault, geographically distant
- Cloud Workload (Limited): Only non-sensitive workloads
SECURITY DEVICES:
- Firewall: Multiple Palo Alto networks (perimeter + internal + cloud boundary)
- Email Gateway: Proofpoint + internal inspection
- IDS: Multiple IDS systems (network + host-based)
- IPS: Palo Alto IPS (active blocking)
- SIEM: Splunk + IBM QRadar (redundant)
- WAF: F5 WAF (multi-layer)
- VPN: Multiple VPN concentrators, MFA required
- Honeypot: Internal honeypot network (3 decoy systems)
- Network Segmentation: Microsegmentation between critical systems
- Intrusion Prevention: Advanced threat prevention
NETWORK ARCHITECTURE:
- Fully Isolated (10+ security zones)
- Each zone has firewall enforcement
- Zero-trust network access
- Air-gapped critical systems
- Private clouds only (no public internet access)
HOSTING:
- 95% On-Premises (regulatory requirement)
- 5% Cloud (non-critical, isolated)
SECURITY POSTURE:
- Comprehensive logging (multiple SIEM)
- Advanced threat detection (IDS/IPS + honeypot)
- Incident response ready
- Backup and recovery tested quarterly
- All systems hardened per NIST guidelines
- Compliance audited annually (PCI-DSS, SOX)
Teams assess each network using this framework. Scoring (v2.2): PASS/FAIL per domain (X/6) is the primary score. If you use star ratings for flavor, the fixed mapping is 1-2★ = FAIL, 3★+ = PASS, "PARTIAL" counts as FAIL.
Question: "Are critical systems isolated?"
| Score | Criteria |
|---|---|
| PASS | Firewall between zones OR microsegmentation active |
| FAIL | Flat network OR segmentation without enforcement |
Question: "Is identity management secure?"
| Score | Criteria |
|---|---|
| PASS | Dedicated Domain Controller, MFA for remote access, minimal over-privilege |
| FAIL | No DC OR DC overloaded OR no MFA OR broad admin access |
Question: "Can you detect attacks?"
| Score | Criteria |
|---|---|
| PASS | IDS/IPS or SIEM deployed, covering all critical segments |
| FAIL | No IDS/IPS and no SIEM, OR a critical segment sits outside detection coverage |
Question: "Can you recover from failure?"
| Score | Criteria |
|---|---|
| PASS | Backup system deployed + tested + geographically diverse |
| FAIL | No backup OR untested backup OR single location |
Question: "Are cloud/vendor systems managed?"
| Score | Criteria |
|---|---|
| PASS | Cloud systems isolated OR not handling critical data |
| FAIL | Cloud systems on internet + handling sensitive data + no WAF |
Question: "Do you have centralized visibility?"
| Score | Criteria |
|---|---|
| PASS | SIEM deployed + centralized logging active |
| FAIL | No SIEM OR no centralized logging |
AUDIT WORKSHEET
Organization audited: ______________________ Auditing team: ______________________
Domain PASS/FAIL Key finding (one line)
1. Network Segmentation [ ] ______________________________________
2. Access Control & Identity [ ] ______________________________________
3. Incident Detection & Response [ ] ______________________________________
4. Backup & Disaster Recovery [ ] ______________________________________
5. Third-Party Risk Management [ ] ______________________________________
6. Security Ops & Monitoring [ ] ______________________________________
SCORE: ____ / 6 PASS (PARTIAL counts as FAIL; stars: 1-2* = FAIL, 3*+ = PASS)
TOP 3 RECOMMENDATIONS:
1. ___________________________________________________________________________
2. ___________________________________________________________________________
3. ___________________________________________________________________________
TO explains: "You're security auditors reviewing three organizations' infrastructure designs. For each, you'll score them on a 6-domain framework. Your goal: Identify which has the strongest security posture and which is most vulnerable."
For each network (Startup, Mid-Market, Enterprise):
Teams answer:
1. "Which organization is most secure?"
2. "Which is most vulnerable to attack?"
3. "If you HAD to use one network, which would you choose?"
| Domain | Score | Finding |
|---|---|---|
| Network Segmentation | FAIL | No firewall between cloud and on-prem; cloud accessible from internet |
| Access Control | FAIL | Dedicated AD exists, but no MFA anywhere (cloud consoles are remote access) — "no MFA" is a FAIL condition |
| Detection | FAIL | No IDS/IPS or SIEM |
| Backup & Recovery | FAIL | AWS snapshots + M365 retention exist but are untested — "untested backup" is a FAIL condition |
| Third-Party Risk | FAIL | Cloud systems public internet-accessible, holding customer data, no WAF |
| Operations | FAIL | No centralized monitoring |
Score: 0/6 PASS (strict). A lenient auditor might award Access Control a narrow PASS — dedicated, single-purpose DC and no VPN/remote-access paths to on-prem — for 1/6. Either reading lands in the same tier: Below 3/6, HIGH RISK. (The judgment call itself is a great Variation C debate.)
Risk Rating: HIGH / CRITICAL
- Vulnerabilities: No network segmentation, no detection capability, no MFA, untested backups, cloud systems exposed
- Attack Scenario: Attacker compromises cloud web server → lateral movement to on-prem AD → full network access; if ransomware hits, the untested backups may not restore
- Cost of Breach: Very high (no detection, no segmentation to contain, recovery uncertain)
| Domain | Score | Finding |
|---|---|---|
| Network Segmentation | PASS | Firewalls between DMZ, Internal, Finance zones |
| Access Control | PASS | AD hardened, VPN with MFA |
| Detection | FAIL | IDS + SIEM deployed, but detection-only (no IPS blocking) and the isolated legacy accounting segment sits outside IDS coverage — a blind spot at the highest-risk, unpatched system |
| Backup & Recovery | PASS | Backup appliance with off-site replication, tested |
| Third-Party Risk | PASS | Cloud systems on private network, WAF in place |
| Operations | PASS | SIEM + centralized logging |
Score: 5/6 PASS
Risk Rating: MEDIUM
- Strengths: Good segmentation, logging, backups
- Weaknesses: Legacy accounting system (unpatched, and unmonitored — the Detection FAIL)
- Attack Scenario: Attacker may get into DMZ but segmentation blocks lateral movement; an attack routed through the legacy segment, however, could go undetected
- Cost of Breach: Moderate (segmentation limits damage; the legacy blind spot is the residual risk)
| Domain | Score | Finding |
|---|---|---|
| Network Segmentation | PASS | Microsegmentation between all critical systems |
| Access Control | PASS | Hardened DCs, MFA, minimal over-privilege |
| Detection | PASS | IDS/IPS + dual SIEM + honeypot |
| Backup & Recovery | PASS | Multiple offline vaults, quarterly testing |
| Third-Party Risk | PASS | Cloud only for non-critical, extensive monitoring |
| Operations | PASS | Dual SIEM, air-gapped logging |
Score: 6/6 PASS
Risk Rating: LOW
- Strengths: Defense-in-depth across all domains
- Weaknesses: Very expensive to operate; regulatory complexity
- Attack Scenario: Multiple layers would have to be bypassed; honeypot would alert SOC immediately
- Cost of Breach: Lower (but incident response costs are high due to complexity)
| Score | Assessment | Implication |
|---|---|---|
| 6/6 PASS | Enterprise-grade | Highest security, highest cost |
| 5/6 PASS | Strong security | Balanced security & cost |
| 3-4/6 PASS | Adequate but gapped | Risk exposure present |
| Below 3/6 | High risk | Vulnerabilities likely exploited |
Which team's audit assessment was most accurate?
- Teams that scored Startup as high-risk: +1 point
- Teams that scored Enterprise as low-risk: +1 point
- Teams that identified Legacy System as Mid-Market's weakness: +1 point
Winner: Team with most accurate audit assessments
Answer: No detection, no segmentation, cloud exposed
"If you had to recommend improvements to Startup, what's priority #1?"
Answer: Network segmentation OR IDS/SIEM (detection)
"Why is Enterprise Bank so expensive?"
Answer: Redundancy, microsegmentation, multiple layers of defense
"Which organization would you actually want to work for?"
Duration: 25-35 minutes
Players: 1-4 teams
Difficulty: Medium (requires both building and auditing)
Best For: Combined learning, deeper understanding
"Each team builds a simplified network by drawing random infrastructure cards. Then you audit each other's networks. Better auditors find more gaps."
This combines elements of Network Building (simplified) with Audit mechanics. Teams make trade-off decisions, then their network design is audited by competitors.
Each team builds a network using a simplified card deck:
SERVER CARDS (Draw 5 cards, must include certain types):
- Email Server (must have)
- Web Server (must have)
- Database Server (must have)
- Domain Controller (should have)
- Backup System (optional)
- Development Server (optional)
- File Server (optional)
- Cloud Workload (optional)

SECURITY DEVICE CARDS (Draw 3 cards, choose to deploy or skip):
- Firewall
- IDS
- SIEM
- Email Gateway
- WAF
- Honeypot

ARCHITECTURE CARD (Draw 1, determines layout):
- Flat Network (budget-friendly, weak)
- Segmented Network (balanced)
- Fully Isolated (expensive, strong)

Rules:
- Must have: Email, Web, Database
- Can choose: Others
- Budget: Implicit (each card represents a choice; no money tracking)
- Time: 10 minutes to decide and document on "Network Card"
Each team creates a Network Card:
TEAM A'S NETWORK:
SERVERS:
✓ Email Server
✓ Web Server
✓ Database Server
✓ Domain Controller
✓ Backup System
✓ File Server
✗ Development Server (skipped)
SECURITY DEVICES:
✓ Firewall
✓ IDS
✗ SIEM (skipped)
✓ Email Gateway
✗ WAF (skipped)
✗ Honeypot (skipped)
ARCHITECTURE:
→ Segmented (3 zones)
Each team audits a different team's network (round-robin):
Example Audit of Team A:
AUDIT OF TEAM A'S NETWORK:
Domain 1: Network Segmentation
Decision: Segmented (3 zones) → PASS
Finding: Good segmentation between DMZ, Internal, Sensitive
Domain 2: Access Control
Decision: Domain Controller present → PASS
Finding: Identity management in place
Domain 3: Detection
Decision: IDS present but NO SIEM → PARTIAL FAIL
(v2.2: "PARTIAL" counts as FAIL for the score)
Finding: Can detect network attacks but no centralized logging for correlation
Domain 4: Backup & Recovery
Decision: Backup System present → PASS
Finding: Can recover from data loss
Domain 5: Third-Party Risk
Decision: No WAF on Web Server → FAIL
Finding: Web server vulnerable to application attacks
Domain 6: Operations
Decision: No SIEM → FAIL
Finding: No centralized monitoring; incident response slower
AUDIT SCORE: 3/6 PASS
CRITICAL FINDINGS:
1. Missing SIEM (no centralized logging)
2. No WAF (web server unprotected)
3. IDS without SIEM (detection blindspot)
Accuracy of Audits is Scored:
| Audit Accuracy | Points |
|---|---|
| Identified all major gaps | +5 |
| Identified some gaps | +3 |
| Missed critical gap | -2 |
| Incorrect assessment | 0 |
Team Scores:
- Building Teams: Score = (6 - number of fails) × 5
  - Example: 3/6 PASS = 3 fails → 3 × 5 = 15 points
- Auditing Teams: Score = accuracy of audit assessment
Winner: Highest combined score OR winner of each category
Duration: 20-30 minutes
Players: 2-4 teams
Difficulty: High (requires critical thinking & argumentation)
Best For: Advanced teams, strong discussion-based learning
"You're given a network design and audit findings. As a team, debate whether the auditor's findings are FAIR, HARSH, or MISSING SOMETHING. Win by making the most convincing argument."
This is a debate game where teams argue the merits of audit findings, teaching that audits are interpretable and that defending infrastructure requires understanding the rationale.
(Same fictional company as Variation A's "Startup Tech": 50 people, cloud-first, no VPN.)
SCENARIO:
Startup Tech built this network:
- Email (Cloud), Web (Cloud), Database (Cloud),
Domain Controller (On-Prem), Backup (Cloud snapshots)
- No Firewall between cloud and on-prem
- No IDS or SIEM
- No VPN (all cloud-native; cloud consoles protected by
provider logins only, no MFA)
AUDITOR'S FINDINGS:
Domain 1: Network Segmentation → FAIL
"No firewall between cloud and on-prem represents
uncontrolled lateral movement risk."
Domain 3: Detection → FAIL
"No IDS/SIEM means attacks go undetected."
OVERALL: HIGH RISK
STARTUP'S COUNTERARGUMENT:
"We use cloud providers (AWS/Azure) which have built-in
firewalls at the cloud level. Cloud provider security
groups mean only the services we expose are reachable.
Our small team (50 people) means we're faster to respond.
This audit is too harsh for a startup."
YOUR JOB:
- Is the auditor FAIR? (reasonable standards)
- Is the auditor HARSH? (too strict for context)
- Is the auditor MISSING gaps? (what should they have found?
Hint: no MFA, untested backups)
- Vote: Fair / Harsh / Missing / Balanced
SCENARIO:
Mid-Market Corp has this system:
- 15-year-old Accounting System (on-prem)
- Runs on Windows Server 2003 (unsupported, unpatched)
- Handles $2B in transactions annually
- Cannot be replaced for 2+ years (licensing/training)
- Isolated on separate network segment but bridged for
month-end consolidation
AUDITOR'S FINDINGS:
Domain 2: Access Control → FAIL
"Legacy system runs on unsupported OS. Vulnerability
present = critical risk."
Domain 4: Backup & Recovery → PARTIAL
"System backed up but no tested recovery procedure."
OVERALL: CRITICAL RISK (specifically legacy system)
CORP'S COUNTERARGUMENT:
"The system is air-gapped except for 3 days per month.
We have detective controls (IDS) watching for suspicious
access. The cost of replacement ($2M) is greater than
our risk tolerance. This system is a known risk we're
accepting."
YOUR JOB:
- Is the auditor RIGHT to flag this?
- Is the corporation taking reasonable risk?
- How would you rate this scenario? Risk Acceptance vs. Negligence?
- Vote: Auditor Correct / Corp Reasonable / Need More Controls / Acceptable Risk
SCENARIO:
Enterprise Bank built this network:
- 10+ security zones with microsegmentation
- Dual SIEM systems (Splunk + QRadar)
- IDS + IPS on every zone
- Honeypot network with decoys
- All systems hardened per NIST
- Quarterly disaster recovery testing
- Air-gapped offline backups in vault
- Annual compliance audit (PCI-DSS, SOX)
COST: $5M annual IT security budget
AUDITOR'S FINDINGS:
Domain 1-6: ALL PASS ✓
AUDITOR'S COMMENT:
"Exceptional security posture. Well-engineered
defense-in-depth. Highly resilient. Recommended
best practices for financial institution."
STAKEHOLDER QUESTION:
"Is this over-engineered? Could we achieve 80%
of the security with 30% of the cost?"
YOUR JOB:
- Is defense-in-depth always justified?
- What's the cost-benefit breakpoint?
- For different organization types (startup vs. bank),
what's appropriate?
- Vote: Over-Engineered / Justified / Right for Context / Too Expensive
TO reads:
1. Organization and network design
2. Auditor's findings
3. Organization's counterargument
4. Debate question
Each team gets assigned a position:
- Team A: Defend the Auditor (findings are fair/necessary)
- Team B: Defend the Organization (counterargument is valid)
- Team C: Play Neutral Assessor (judge fairness of both)
Teams prepare arguments:
- 2-3 key points supporting their position
- Anticipate opponent's counterarguments
- Use security/business logic
Structure:
1. Auditor Position: 1 minute opening (Team A)
2. Organization Position: 1 minute opening (Team B)
3. Cross-Examination: 2 minutes (back-and-forth)
4. Neutral Assessment: Team C (judge who had the better argument)
Team C Scores:
- Most convincing argument: +3 points
- Better use of logic: +2 points
- Anticipated counterarguments: +2 points
- Clearer presentation: +1 point
Repeat for each scenario (3 scenarios = 3 rounds)
AUDITOR POSITION (Team A): "The findings are fair because:
1. Network security standards apply to all organizations
2. Cloud provider firewalls don't replace organizational controls
3. No IDS means breaches go undetected for weeks
4. A $10M breach destroys a startup; prevention is essential"
ORGANIZATION POSITION (Team B): "The counterargument is valid because:
1. Startups operate under different constraints than enterprises
2. Cloud provider security groups limit what's exposed
3. Our cloud provider has better security than we could build
4. For 50 employees, a $50K security investment is proportional
5. We're risk-accepting; this is a known trade-off"
CROSS-EXAMINATION (back and forth):
A: "But if you get compromised, your customer data is exposed. Isn't that a problem?"
B: "Yes, but our cloud provider's controls AND limited data make that less likely than you're suggesting."
A: "What about detection? If you're breached, you won't know for months."
B: "True, but adding SIEM costs $5K/month that we don't have. We're choosing early detection (IDS) instead of centralized logging."
C (NEUTRAL): "Who made the better argument?"
- Team A cited industry standards
- Team B cited resource constraints
- Both had merit
VERDICT: Team B made the slightly more convincing argument (better contextualization of risk)
- Team B: +3 points
- Team A: +2 points
After 3 scenarios:
| Team | Scenario 1 | Scenario 2 | Scenario 3 | TOTAL |
|---|---|---|---|---|
| Team A (Auditor) | 2 | 3 | 2 | 7 |
| Team B (Organization) | 3 | 2 | 2 | 7 |
| Team C (Neutral) | 3 | 2 | 3 | 8 |
Winner: Team C (Neutral Assessor)
Award: "Best Critical Thinking"
Answer: No; context matters (startup vs. bank)
"How would you defend an audit finding to the board?"
Teaching point: Audits need business justification, not just technical standards
"What's the difference between a 'critical finding' and a 'risk we're accepting'?"
Teaching point: Risk management is nuanced; not all gaps are equally important
"How does this change how you think about the attacks in Incident Response?"
Use When:
- Limited time (< 30 min session)
- First exposure to audit concepts
- Want to compare different infrastructure strategies
- Non-competitive, educational focus
Learning Value:
- Understand how audit domains work
- See the difference between good/bad designs
- Low setup time
Use When:
- Want to combine building + auditing
- 30-40 minute session
- Teams benefit from designing, then being audited
- Competitive element desired
Learning Value:
- Teams make trade-off decisions
- See consequences of choices reflected in the audit
- "This gap I chose to accept was exactly what the auditor found!"
Use When:
- Advanced/experienced teams
- Want deep critical thinking
- Discussion-based learning preferred
- Comfortable with argumentation/debate format
Learning Value:
- Audit findings are interpretable
- Context matters (startup vs. bank)
- Security decisions involve trade-offs
- Preparation for defending security to board/leadership
Setup: 3 min
Audit Startup Tech: 4 min
Audit Mid-Market: 4 min
Audit Enterprise: 4 min
Comparison & Discussion: 3 min
Debrief: 2 min
Total: 20 minutes
Perfect for: Intro to audit concepts
Setup: 3 min
Teams build networks (simplified): 10 min
Teams audit each other: 15 min
Score & announce winner: 3 min
Debrief: 4 min
Total: 35 minutes
Perfect for: Combined learning, competitive
Setup & brief: 2 min
SCENARIO 1:
- Presentation: 1 min
- Prep: 3 min
- Debate: 5 min
- Scoring: 1 min
- Subtotal: 10 min
SCENARIO 2: 10 min
SCENARIO 3: 10 min
Debrief: 3 min
Total: 30 minutes
Perfect for: Advanced critical thinking
Variation A (Pre-Built): 20 min
- Understand audit domains via 3 sample networks
Variation B (Random Gen): 25 min
- Build network, get audited
- See your choices reflected in audit findings
Variation C (Debate): 10 min
- Single debate scenario to reinforce learning
Debrief & Connection: 5 min
- "Now you understand how audits work"
- "In Incident Response, attackers will exploit these gaps"
Total: 60 minutes
Perfect for: Comprehensive audit education
After playing Audit Standalone, teams can transition to the Incident Response module:
Narrative Bridge:
"You just audited how well different organizations designed their security. Now let's see what happens when an attacker encounters those same networks. The gaps you found in the audit? Attackers will find them too.
Your audit findings were:
- Startup Tech: HIGH RISK (no segmentation, no detection)
- Mid-Market: MEDIUM RISK (strong foundation, legacy gap)
- Enterprise: LOW RISK (defense-in-depth)
Now, if an attacker targets each of these networks, how will it go?"
Everything needed to play today is in this document: the three network descriptions, the 6-domain framework, the answer keys, the inline audit worksheet, and the three debate scenarios. Printed play aids (scoring reference card, audit worksheet, judge guide, scoring sheets): see print pack (coming).
| Variation | Duration | Complexity | Competition | Setup |
|---|---|---|---|---|
| A: Pre-Built | 15-25 min | Low | Low | Minimal |
| B: Random Gen | 25-35 min | Medium | Medium | Moderate |
| C: Debate | 20-30 min | High | High | Moderate |
After any Audit Standalone variation, teams should understand:
Key Teaching: "In Incident Response, auditors played the role of the security team. Attackers play the same role, but with opposite intent. They're looking for exactly what auditors find."
Incident Zero: Compliance Audit Standalone Mini-Games
Three variations of security assessment gameplay
Teach how audits find vulnerabilities that attackers will exploit
cards/audit-compliance/core-deck/audit-domain-cards.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Audit Domain Assessment Cards represent six critical security domains that an organization must have controls for. Each domain is assessed independently, with findings recorded on a standard audit report.
PASS/FAIL per domain (X/6) is the primary score. Stars are flavor, with this fixed mapping:
1-2★ = FAIL · 3★+ = PASS · "PARTIAL" counts as FAIL
Domain Score determines:
- Audit Grade (1-5 stars, flavor)
- PASS/FAIL status (primary — via the mapping above)
- Findings Severity (critical/major/minor)
- Modifiers for other modules (IR, DR get harder if audit failed — see the canonical table in docs/rules/module-audit-compliance.md)
Focus: How well is the network divided into protected segments?
Critical For: Preventing lateral movement
Regulatory References: PCI-DSS (network segmentation), NIST (zero trust)
What's Assessed:
- Is the network flat (1 segment) or segmented (multiple segments)?
- Are sensitive systems isolated (DMZ, database segment, admin segment)?
- Are firewall rules enforced between segments?
- Is the network architecture documented?
- Are VLANs/subnets properly configured?
Typical Findings:
- Critical (1-2 star): Flat network, no segmentation, everything can talk to everything
- Major (2-3 star): Basic segmentation exists, but enforcement is weak
- Minor (3-4 star): Segmentation exists, few rule violations
- Compliant (4-5 star): Strong segmentation, zero-trust architecture
Real-World Question: "If one system is compromised, how far can the attacker spread?"
- Flat network: Entire organization immediately
- 3-zone network: Blocked by firewalls
- Zero-trust: Individual systems isolated
Audit Evidence:
- Network diagram (shows segments)
- Firewall rule documentation
- Network ACL lists
- Proof of implementation (switch configs)
- Test results (can systems cross segments? No)
Compliance Standards:
- PCI-DSS Requirement 1: Network segmentation for cardholder data
- NIST CSF: PR.AC-5 (Network integrity protected via segmentation)
- CIS Control 12: Network Infrastructure Management (v8)
Findings Template:
FINDING: Network segmentation inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: The network is [flat/minimally segmented], allowing [lateral movement/unauthorized access]
RECOMMENDATION: Implement [VLAN/firewall rules/zero-trust] to segment [database/admin/sensitive systems]
EFFORT: [1-5] weeks
COST: [Moderate/High/Very High]
Remediation Actions:
- ✓ Implement network segmentation (ARCH-02, ARCH-03 in Network Building)
- ✓ Deploy firewall with segmentation rules (SEC-08)
- ✓ Implement zero-trust architecture (ARCH-03)
- ✓ Test segmentation enforcement
Impact if Failed (1-2 stars):
- T-04 (Lateral Movement) becomes trivial for attackers
- Incident Response: -1 to NETWORK defenses (canonical modifier)
- Disaster Recovery: -10 DR budget penalty (attacker spreads widely)
Focus: How are user identities managed and access controlled?
Critical For: Preventing unauthorized access
Regulatory References: HIPAA (access controls), GDPR (access management)
What's Assessed:
- Is there centralized identity management (Domain Controller/Azure AD)?
- Is multi-factor authentication (MFA) enabled for sensitive access?
- Are access permissions based on least privilege?
- Are access reviews performed (verify who has access)?
- Are privileged accounts managed (admin accounts, service accounts)?
Typical Findings:
- Critical (1-2 star): No centralized identity, weak passwords, no MFA
- Major (2-3 star): Some identity management, MFA not universal
- Minor (3-4 star): Good identity management, minor gaps
- Compliant (4-5 star): Strong identity, MFA everywhere, privilege management
Real-World Question: "How easily can an attacker use stolen credentials?"
- Weak: No MFA, can use a stolen password immediately
- Medium: MFA only for some systems
- Strong: MFA everywhere, weak credentials are useless
Audit Evidence:
- AD/directory configuration
- MFA enrollment status
- Access policy documentation
- Privileged account audit (who has admin?)
- Account review records (periodic access verification)
Compliance Standards:
- PCI-DSS Requirement 8: User identification and authentication
- HIPAA Rule 164.308(a)(4): Unique user identification
- NIST CSF: PR.AC-1 (Physical & logical access controls)
Findings Template:
FINDING: Multi-factor authentication not universally enforced
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: MFA is [not implemented/optional] for [VPN/email/admin access]
RECOMMENDATION: Deploy [MFA solution] to [affected systems]
EFFORT: [2-4] weeks
COST: [Low/Moderate/High]
Remediation Actions:
- ✓ Deploy MFA (D-07 in Hardening)
- ✓ Implement password vault (D-12)
- ✓ Credential Guard for privileged access (D-16)
- ✓ Access reviews quarterly
Impact if Failed (1-2 stars):
- T-03 (Compromised Credentials), T-06 (Mimikatz) become likely
- Incident Response: -1 to CREDENTIAL_ABUSE defenses (canonical modifier)
- Disaster Recovery: -15 DR budget penalty (attacker can restore themselves with stolen creds)
Focus: Can the organization detect and respond to attacks?
Critical For: Finding breaches quickly
Regulatory References: GDPR (breach detection), HIPAA (log monitoring)
What's Assessed:
- Are logs being collected centrally (SIEM or similar)?
- Is there 24/7 monitoring of critical systems?
- Are alerts configured to detect suspicious activity?
- Is there a documented incident response plan?
- Are incident responders trained?
Typical Findings:
- Critical (1-2 star): No logging, no monitoring, no incident response plan
- Major (2-3 star): Some logging, limited monitoring
- Minor (3-4 star): Good logging, some gaps in alerting
- Compliant (4-5 star): Comprehensive logging, active monitoring, trained team
Real-World Question: "How quickly will you detect an active attacker?"
- Poor: Days/weeks (after data is already stolen)
- Medium: Hours (after the attacker has spread)
- Strong: Minutes (catch the attacker early)
Audit Evidence:
- SIEM/logging configuration
- Alert rules documentation
- Incident response plan
- Training records (who's trained?)
- Incident history (how did you detect past incidents?)
Compliance Standards:
- GDPR Article 33: Breach notification timing (72 hours)
- HIPAA Rule 164.308(a)(6): Incident response procedures
- NIST CSF: DE.AE-3 (Event detection processes)
Findings Template:
FINDING: Insufficient threat detection and monitoring
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [SIEM/monitoring] is [not deployed/inadequately configured]
RECOMMENDATION: Deploy [SIEM] with [alert rules] to detect [attack patterns]
EFFORT: [4-8] weeks
COST: [Moderate/High]
Remediation Actions:
- ✓ Deploy SIEM (D-09, D-22)
- ✓ Configure log centralization (D-05)
- ✓ Create SIEM correlation rules (D-10)
- ✓ Threat hunting program (D-13)
Impact if Failed (1-2 stars):
- Breach detection is late (attacker has time to steal data)
- Incident Response: -1 to Investigation rolls (canonical modifier; late detection)
- Disaster Recovery: -10 DR budget penalty (dwell time longer; more data stolen)
Optional (v2.2): a 5-star rating in this domain grants +1 to Incident Response investigation rolls if IR is played later.
Focus: Can the organization recover from attacks/disasters?
Critical For: Ransomware resilience
Regulatory References: Most breach laws mention recovery
What's Assessed:
- Is there a documented backup strategy (frequency, retention)?
- Are backups tested regularly (restore actually works)?
- Is backup storage off-site (geographically separated)?
- Are backups immutable (cannot be deleted/encrypted)?
- Is a recovery time objective (RTO) documented for each system?
Typical Findings:
- Critical (1-2 star): No backups or untested backups (may not restore)
- Major (2-3 star): Backups exist but not properly tested
- Minor (3-4 star): Backups exist and are tested, gaps in immutability
- Compliant (4-5 star): 3-2-1 strategy, tested, immutable, offsite
Real-World Question: "Can you recover from ransomware?"
- Poor: No (backups are encrypted too)
- Medium: Yes, but slowly (days to recover)
- Strong: Yes, quickly (hours to recover, immutable backups)
Audit Evidence:
- Backup schedule/documentation
- Backup test results (prove restore works)
- Off-site backup location documentation
- Immutable backup configuration
- Recovery time estimates
Compliance Standards:
- Most breach laws assume backups exist (no recovery = massive damage)
- HIPAA Rule 164.308(a)(7): Data backup procedures
- NIST CSF: PR.IP-4 (Resilience practices documented)
Findings Template:
FINDING: Backup and recovery procedures inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: Backups are [not tested/not off-site/not immutable]
RECOMMENDATION: Implement [3-2-1 strategy] with [immutable storage]
EFFORT: [2-4] weeks
COST: [Moderate]
Remediation Actions:
- ✓ Implement 3-2-1 backup strategy (D-19)
- ✓ Test backups quarterly (prove restore works)
- ✓ Immutable storage (WORM, cloud versioning)
- ✓ Off-site backup location
Impact if Failed (1-2 stars):
- Ransomware attacks cannot be recovered from
- Disaster Recovery: -25 DR budget penalty (no recovery option; expensive rebuild)
- Business interruption is long (days vs hours)
- No IR effect (matters in Disaster Recovery)
Focus: How well are vendors and cloud services managed?
Critical For: Managing supply chain risk
Regulatory References: GDPR (processor accountability), PCI-DSS (vendor security)
What's Assessed:
- Is there a vendor management program?
- Are vendors required to meet security standards?
- Are vendor assessments conducted (security questionnaires, audits)?
- Are cloud configurations secured (IAM, encryption, monitoring)?
- Is data residency managed (where is customer data stored)?
Typical Findings:
- Critical (1-2 star): No vendor management, cloud misconfigured
- Major (2-3 star): Basic vendor management, cloud gaps
- Minor (3-4 star): Vendor management exists, minor gaps
- Compliant (4-5 star): Strong vendor program, cloud security
Real-World Question: "Is your vendor secure?"
- Poor: No idea (never asked them)
- Medium: They said they're secure (took their word)
- Strong: Assessed and monitored (ongoing verification)
Audit Evidence:
- Vendor management policy
- Vendor security questionnaires
- Cloud configuration documentation
- IAM policies for cloud access
- Data residency mapping
Compliance Standards:
- GDPR Article 28: Processor agreements (vendor security required)
- PCI-DSS Requirement 12.8: Service provider agreements
- NIST CSF: ID.SC (Supply Chain Risk Management)
Findings Template:
FINDING: Vendor and cloud security assessment inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [Vendor/Cloud] security is [not assessed/misconfigured]
RECOMMENDATION: Implement [vendor assessment process/cloud security hardening]
EFFORT: [3-6] weeks
COST: [Low/Moderate]
Remediation Actions:
- ✓ Vendor management program (SLAs, security requirements)
- ✓ Cloud security posture management (CSPM tools)
- ✓ Cloud IAM hardening (least privilege)
- ✓ Regular vendor assessments
Impact if Failed (1-2 stars):
- SCENARIO-03 (Supply Chain Compromise) becomes likely in Disaster Recovery
- Vendor breach affects your customers
- Liability disputes (who's responsible?)
- Incident Response: -1 to WEB_EXPLOIT defenses (canonical modifier)
- Disaster Recovery: -20 DR budget penalty (cloud provider recovery needed)
Focus: How is security operationalized (day-to-day)?
Critical For: Sustained security posture
Regulatory References: Most frameworks mention continuous monitoring
What's Assessed:
- Is there a dedicated security team (CISO, analysts)?
- Are security meetings held regularly?
- Is vulnerability scanning done regularly?
- Are patches applied in a timely manner?
- Is security training conducted?
Typical Findings:
- Critical (1-2 star): No security team, no updates, no training
- Major (2-3 star): Small security team, infrequent patching
- Minor (3-4 star): Security team exists, good operations
- Compliant (4-5 star): Mature security operations, continuous improvement
Real-World Question: "Is security a priority for the organization?"
- Poor: No dedicated resources
- Medium: Part-time effort
- Strong: Dedicated team, empowered leadership
Audit Evidence:
- Org chart (is the CISO position filled?)
- Security meeting minutes
- Vulnerability scan reports
- Patch management records
- Training records
Compliance Standards:
- Most frameworks require security leadership
- NIST CSF: PR.IP-1 (Security policy established & communicated)
- CIS Control 17: Incident Response Management (v8)
Findings Template:
FINDING: Security operations maturity inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [Security team/training/patching] is [insufficient]
RECOMMENDATION: [Hire/train/increase resources] for [security function]
EFFORT: [Ongoing]
COST: [Varies]
Remediation Actions:
- ✓ Hire CISO (if missing)
- ✓ Establish security team
- ✓ Regular vulnerability scanning
- ✓ Patch management program
- ✓ Security awareness training
Impact if Failed (1-2 stars):
- Security functions are reactive (not proactive)
- Incident Response: -1 to Investigation rolls (canonical modifier)
- Disaster Recovery: -5 DR budget penalty (forensic investigation slow)
- Vulnerabilities accumulate (PT-10 Zero-Day risk increases)
| Domain | Focus | Critical Finding | Remediation Effort | Compliance Impact |
|---|---|---|---|---|
| DOMAIN-01 | Network Segmentation | Flat network | Moderate (2-4 wk) | Lateral movement prevented |
| DOMAIN-02 | Access Control | No MFA | Low (2-4 wk) | Credential attacks harder |
| DOMAIN-03 | Threat Detection | No SIEM | High (4-8 wk) | Breach detection enabled |
| DOMAIN-04 | Backup & DR | No backups | Moderate (2-4 wk) | Ransomware resilience |
| DOMAIN-05 | Vendor Risk | No assessment | Low (3-6 wk) | Supply chain risk managed |
| DOMAIN-06 | Security Ops | No security team | High (ongoing) | Sustained security posture |
AUDIT REPORT - [Organization Name]
Audit Date: [Date]
Domains Assessed: 6
Overall Score: 2/6 PASS (stars are flavor: 1-2* = FAIL, 3*+ = PASS)
DOMAIN SCORES:
1. Network Segmentation: ⭐⭐ (2 stars) - FAIL
2. Access Control: ⭐⭐⭐ (3 stars) - PASS
3. Threat Detection: ⭐ (1 star) - FAIL (CRITICAL)
4. Backup & DR: ⭐⭐ (2 stars) - FAIL
5. Vendor Risk: ⭐⭐ (2 stars) - FAIL
6. Security Ops: ⭐⭐⭐⭐ (4 stars) - PASS
CRITICAL FINDINGS (must fix immediately):
- No SIEM or threat monitoring
- Network is completely flat (no segmentation)
MAJOR FINDINGS (fix within 30 days):
- No backup strategy
- Vendor security not assessed
- MFA not implemented
MINOR FINDINGS (fix within 90 days):
- Security training curriculum needs update
RECOMMENDATIONS:
1. Deploy SIEM immediately (critical)
2. Implement network segmentation
3. Establish backup program
4. Implement MFA
5. Develop vendor management program
(Canonical table: docs/rules/module-audit-compliance.md, v2.2) For each failed domain (FAIL = 1-2 stars): one -1 modifier.
| Failed Domain | IR Modifier |
|---|---|
| DOMAIN-01 Segmentation | -1 to NETWORK defenses |
| DOMAIN-02 Identity | -1 to CREDENTIAL_ABUSE defenses |
| DOMAIN-03 Detection | -1 to Investigation rolls |
| DOMAIN-04 Backup | None (matters in DR) |
| DOMAIN-05 Vendor/Cloud | -1 to WEB_EXPLOIT defenses |
| DOMAIN-06 Security Ops | -1 to Investigation rolls |
Example: if three domains fail (other than DOMAIN-04, which carries no IR modifier), IR carries three separate -1 modifiers.
For each failed domain (FAIL = 1-2 stars): a penalty subtracted from the DR starting budget.
| Failed Domain | DR Budget Penalty |
|---|---|
| DOMAIN-01 Segmentation | -10 |
| DOMAIN-02 Identity | -15 |
| DOMAIN-03 Detection | -10 |
| DOMAIN-04 Backup | -25 |
| DOMAIN-05 Vendor/Cloud | -20 |
| DOMAIN-06 Security Ops | -5 |
Cap (v2.2): the total gap penalty applied to a subsequent module's budget is capped at -30.
Example (real budgets: DR starts at 50, IR at 100): if all 6 domains fail, the raw penalty is -85, capped at -30 — the team enters Disaster Recovery with 50 - 30 = 20 Budget.
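The carry-over rules above (the PASS/FAIL star mapping, one IR modifier per failed domain, the per-domain DR budget penalties and the -30 cap) in runnable form, as an added example that is not part of the Incident Zero rulebook or its reference docs. The function and constant names are this example's own; the per-domain values are copied from the two canonical tables, and the sample scores are the page's own sample audit report (2/6 PASS).

```python
"""Audit carry-over calculator for the Audit & Compliance module (added example).

Encodes the v2.2 rules on this page: 1-2 stars (or "PARTIAL") = FAIL, 3+ stars = PASS;
each failed domain adds one -1 IR modifier (DOMAIN-04 has none) and one DR budget
penalty; the total budget penalty carried into a later module is capped at -30.
"""
from typing import Dict, List, Union

Score = Union[int, str]   # 1-5 stars, or the string "PARTIAL"

# (name, IR modifier or None, DR budget penalty) per domain, from the canonical tables.
DOMAINS = {
    "DOMAIN-01": ("Segmentation", "-1 to NETWORK defenses", 10),
    "DOMAIN-02": ("Identity", "-1 to CREDENTIAL_ABUSE defenses", 15),
    "DOMAIN-03": ("Detection", "-1 to Investigation rolls", 10),
    "DOMAIN-04": ("Backup", None, 25),             # no IR effect; matters in DR
    "DOMAIN-05": ("Vendor/Cloud", "-1 to WEB_EXPLOIT defenses", 20),
    "DOMAIN-06": ("Security Ops", "-1 to Investigation rolls", 5),
}
PENALTY_CAP = 30        # v2.2: total gap penalty to a later module's budget is at most -30
DR_START_BUDGET = 50    # Disaster Recovery starting Budget before penalties

# The page's sample audit report (2/6 PASS), used as constructed input below.
SAMPLE_REPORT: Dict[str, Score] = {
    "DOMAIN-01": 2, "DOMAIN-02": 3, "DOMAIN-03": 1,
    "DOMAIN-04": 2, "DOMAIN-05": 2, "DOMAIN-06": 4,
}


def domain_passes(score: Score) -> bool:
    """Stars are flavor; this fixed mapping decides PASS/FAIL."""
    if isinstance(score, str):
        if score.upper() == "PARTIAL":
            return False                    # "PARTIAL" counts as FAIL
        raise ValueError(f"unknown domain score {score!r}")
    if not 1 <= score <= 5:
        raise ValueError("star rating must be between 1 and 5")
    return score >= 3


def audit_carryover(scores: Dict[str, Score]) -> dict:
    """Return the IR modifiers and capped DR budget that follow from an audit."""
    if set(scores) != set(DOMAINS):
        raise ValueError("exactly the six audit domains must be scored")
    # Iterate in canonical domain order so the output is stable.
    failed: List[str] = [d for d in DOMAINS if not domain_passes(scores[d])]
    ir_modifiers = [DOMAINS[d][1] for d in failed if DOMAINS[d][1] is not None]
    raw_penalty = sum(DOMAINS[d][2] for d in failed)
    applied_penalty = min(raw_penalty, PENALTY_CAP)
    return {
        "pass_count": len(DOMAINS) - len(failed),
        "failed": failed,
        "ir_modifiers": ir_modifiers,
        "raw_penalty": raw_penalty,
        "applied_penalty": applied_penalty,
        "dr_start_budget": DR_START_BUDGET - applied_penalty,
    }


if __name__ == "__main__":
    result = audit_carryover(SAMPLE_REPORT)
    print(f"Overall Score: {result['pass_count']}/6 PASS")
    for mod in result["ir_modifiers"]:
        print("IR modifier:", mod)
    print(f"DR penalty {-result['raw_penalty']} raw, {-result['applied_penalty']} applied "
          f"(cap -{PENALTY_CAP}); DR starts at {result['dr_start_budget']} Budget")
```

For the sample report, domains 01, 03, 04 and 05 fail: three IR modifiers (DOMAIN-04 contributes none), a raw DR penalty of -65 that the cap reduces to -30, and a DR starting Budget of 20. Scoring a domain "PARTIAL" fails it without touching the star rating, which is why the mapping is enforced in one place.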
Audit & Compliance Module: Audit Domain Assessment Cards · Part of Incident Zero, a modular cybersecurity board game · v2.2 - Playtest Edition
cards/audit-compliance/expansion-deck/compliance-frameworks.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Compliance Framework Cards extend the Audit & Compliance module with industry-specific and regulation-specific assessment frameworks beyond the generic 6-domain audit.
Organizations must often comply with specific regulatory frameworks. Each framework has slightly different focuses and requirements.
Relevance: US Federal government, critical infrastructure, government contractors
Key Standard: NIST CSF (Cybersecurity Framework) 5 functions
Framework: NIST CSF
Function: Identify (AM - Asset Management, RM - Risk Management)
Focus: Knowing what systems/data you have and what risks they face
Assessment Criteria:
- Asset inventory (what systems exist?)
- Data classification (what data is sensitive?)
- Risk assessment (what could go wrong?)
- Threat intelligence (what are realistic threats?)
Scoring (1-5 stars):
- ⭐ (1): No asset inventory, no risk assessment
- ⭐⭐ (2): Partial inventory, informal risk assessment
- ⭐⭐⭐ (3): Complete inventory, documented risk assessment
- ⭐⭐⭐⭐ (4): Inventory regularly updated, risk assessment reviewed annually
- ⭐⭐⭐⭐⭐ (5): Real-time asset visibility, continuous risk assessment
Typical Findings:
- Unknown systems (shadow IT)
- Unclassified data (don't know what's sensitive)
- Missing risk assessment
- Risk assessment not updated
Remediation:
- Discovery tools (find all systems)
- Data classification policy
- Annual risk assessment
- Asset management system
Framework: NIST CSF
Function: Protect (PR.AC - Identity Management & Access Control, PR.AT - Awareness & Training, PR.DS - Data Security, PR.IP - Information Protection Processes, PR.MA - Maintenance, PR.PT - Protective Technology)
Focus: Building security controls to prevent/slow attacks
Assessment Criteria:
- Access controls (only authorized users)
- Employee training (security awareness)
- Data protection (encryption, classification)
- Information protection (data loss prevention, DLP)
- Business continuity (backup, disaster recovery)
Scoring (1-5 stars):
- ⭐ (1): No controls
- ⭐⭐ (2): Basic controls (passwords)
- ⭐⭐⭐ (3): Good controls (MFA, encryption)
- ⭐⭐⭐⭐ (4): Strong controls (defense-in-depth)
- ⭐⭐⭐⭐⭐ (5): Excellent controls (comprehensive, tested)
Typical Findings:
- Weak authentication (no MFA)
- Poor training (phishing success rate >10%)
- Unencrypted data
- No backup strategy
- Defense gaps
Remediation:
- MFA deployment
- Security training program
- Encryption implementation
- Backup/DR strategy
- Penetration testing
Framework: NIST CSF
Function: Detect (AE - Anomalies & Events, CM - Continuous Monitoring)
Focus: Detecting attacks as they happen
Assessment Criteria:
- Log monitoring (are suspicious activities logged?)
- Anomaly detection (is suspicious behavior caught?)
- Continuous monitoring (24/7 surveillance)
- Alert procedures (who responds to alerts?)
- Threat intelligence integration (using threat data)
Scoring (1-5 stars):
- ⭐ (1): No logging, no monitoring
- ⭐⭐ (2): Logging exists, limited monitoring
- ⭐⭐⭐ (3): SIEM deployed, some alerts
- ⭐⭐⭐⭐ (4): SIEM with good rules, 24/7 monitoring
- ⭐⭐⭐⭐⭐ (5): Mature SOC, threat intelligence integrated
Typical Findings:
- No SIEM deployed
- Alerts not reviewed
- No 24/7 monitoring
- Response time too slow
- Threat intel not integrated
Remediation:
- SIEM deployment
- Alert rule tuning
- SOC staffing (24/7 coverage)
- Response procedures
- Threat intel integration
Framework: NIST CSF
Function: Respond (RS.RP - Response Planning, RS.CO - Communications, RS.AN - Analysis, RS.MI - Mitigation, RS.IM - Improvements)
Focus: Responding to breaches/attacks
Assessment Criteria:
- Incident response plan (documented procedures)
- Response team (trained, staffed)
- Communication plan (who gets told when)
- Investigation procedures (forensics)
- Post-incident review (lessons learned)
Scoring (1-5 stars):
- ⭐ (1): No incident response plan
- ⭐⭐ (2): Plan exists, not tested
- ⭐⭐⭐ (3): Plan exists, annual testing
- ⭐⭐⭐⭐ (4): Plan regularly tested, team trained
- ⭐⭐⭐⭐⭐ (5): Mature response, regular exercises, continuous improvement
Typical Findings:
- No incident response plan
- Response team not trained
- No communication plan
- Investigation procedures unclear
- No post-incident reviews
Remediation:
- Incident response plan development
- Team training
- Communication procedures
- Tabletop exercises
- Post-incident review process
Framework: NIST CSF
Function: Recover (RC.RP - Recovery Planning, RC.IM - Improvements, RC.CO - Communications)
Focus: Recovering from breaches and improving for next time
Assessment Criteria:
- Recovery plan (how to restore systems)
- Recovery time objectives (RTO - how fast?)
- Recovery point objectives (RPO - how much data loss?)
- Backup verification (can you actually restore?)
- Lessons learned process (improve after incident)
Scoring (1-5 stars):
- ⭐ (1): No recovery plan, no backups
- ⭐⭐ (2): Backup exists, recovery not tested
- ⭐⭐⭐ (3): Recovery plan exists, tested annually
- ⭐⭐⭐⭐ (4): Recovery plan regularly tested, RPO/RTO defined
- ⭐⭐⭐⭐⭐ (5): Mature recovery, tested regularly, continuous improvement
Typical Findings:
- No recovery plan
- Backups untested (may not restore)
- RTO/RPO not defined
- Recovery team not trained
- No lessons learned process
Remediation:
- Recovery plan development
- Backup testing (quarterly)
- RTO/RPO definition
- Recovery team training
- Lessons learned process
Relevance: General US/Canada, healthcare, financial, government
Key Standard: CIS Controls (18 prioritized security controls)
Focus: Basic security practices (asset management, access control, data protection, secure configuration)
Assessment Criteria:
- Asset management (know what you have)
- Access control (least privilege)
- Data protection (encryption)
- Secure configuration (harden systems)
- Detection tools (SIEM, antivirus)
- Training (security awareness)
Focus: Advanced controls (incident response, supply chain, defense tools)
Assessment Criteria:
- Incident response plan
- Supply chain risk
- Vulnerability management
- Application security
- Remote services security
- Testing & monitoring
- Network segmentation
Focus: Operational controls (reporting, awareness, training, testing)
Assessment Criteria:
- Security awareness training
- Incident reporting
- Third-party risk management
- Penetration testing
- Secure development practices
Relevance: Any organization handling payment cards
Key Standard: PCI-DSS (Payment Card Industry Data Security Standard)
Focus: Network and system security for cardholder data
Assessment Criteria:
- Firewall configuration
- No default credentials
- Cardholder data protection
- Vulnerability scanning
Focus: Access control and operational procedures
Assessment Criteria:
- Antivirus/malware protection
- Secure system updates
- Access control & authentication
- Audit trails & logging
Focus: Testing, monitoring, and compliance management
Assessment Criteria:
- Security testing (penetration testing, vulnerability scanning)
- Monthly scanning
- Annual penetration testing
- Security policies
- Training
- Incident response procedures
Remediation Cards represent specific actions to address compliance findings. These can be used after an audit to remediate identified gaps.
Budget note (v2.2): these cards are the only place the Audit module's starting Budget (100, per core rules) is spent — the assessment itself costs nothing.
Cost: 5 Budget
Timeline: 2-4 weeks
Difficulty: Low-Medium
What it does:
- Deploy multi-factor authentication for all user access
- Implement MFA for VPN, remote access, email, admin access
- Select authentication method (authenticator app, hardware token, SMS)
Prerequisites:
- Identity management system (Domain Controller, Azure AD)
- User device (phone or security key)
- Application/system support for MFA
Impact:
- Reduces DOMAIN-02 (Access Control) findings
- Makes credential attacks (T-03, T-06) harder
- Improves Incident Response and Disaster Recovery modifiers
Cost: 15 Budget
Timeline: 4-8 weeks
Difficulty: Medium
What it does:
- Deploy Security Information & Event Management (SIEM)
- Configure log collection from all systems
- Create alert rules for suspicious activity
- Implement 24/7 monitoring
Prerequisites:
- Centralized logging infrastructure
- SIEM software/service (Splunk, ELK, QRadar, Azure Sentinel)
- Security personnel to manage the SIEM
Impact:
- Reduces DOMAIN-03 (Threat Detection) findings
- Enables early breach detection
- Improves Incident Response investigation
- Provides audit trail for compliance
Cost: 12 Budget
Timeline: 4-6 weeks
Difficulty: Medium-High
What it does:
- Divide network into security zones (DMZ, internal, admin)
- Deploy firewalls between zones
- Configure firewall rules for inter-zone traffic
- Implement VLANs and network isolation
Prerequisites:
- Network switches/routers capable of VLAN support
- Firewall(s) for inter-zone traffic
- Network diagram and access requirements
Impact:
- Reduces DOMAIN-01 (Network Segmentation) findings
- Prevents lateral movement (T-04 becomes harder)
- Improves Disaster Recovery (limits blast radius)
- Foundational for zero-trust architecture
Cost: 10 Budget Timeline: 2-4 weeks Difficulty: Low-Medium
What it does: - Implement 3-2-1 backup strategy (3 copies, 2 media, 1 offsite) - Configure automated backups - Test backup restoration (quarterly) - Document recovery procedures
Prerequisites: - Backup software/service - Off-site storage location - Testing schedule
Impact: - Reduces DOMAIN-04 (Backup & DR) findings - Enables ransomware recovery - Improves Disaster Recovery (reduces costs) - Supports compliance requirements
Cost: 3 Budget Timeline: 1-2 weeks (ongoing) Difficulty: Low
What it does: - Develop security awareness training curriculum - Conduct initial training for all employees - Implement phishing simulations - Quarterly refresher training
Prerequisites: - Training development (internal or vendor) - Management buy-in (release time for employees)
Impact: - Reduces DOMAIN-06 (Security Ops) findings - Reduces phishing success rate - Improves overall security culture - Compliance requirement (most frameworks)
Cost: 5 Budget Timeline: 2-4 weeks Difficulty: Low-Medium
What it does: - Develop vendor security questionnaire - Send questionnaires to key vendors - Review vendor security controls - Document vendor risk assessment - Establish SLAs with security requirements
Prerequisites: - Vendor list and criticality assessment - Security questionnaire template - Document review process
Impact: - Reduces DOMAIN-05 (Third-Party Risk) findings - Identifies supply chain risks - Prevents SCENARIO-03 (Supply Chain Compromise) - Compliance requirement (GDPR, etc.)
Cost: 8 Budget Timeline: 3-4 weeks Difficulty: Medium
What it does: - Deploy vulnerability scanning tools - Establish patching procedures - Configure patch management automation - Document vulnerability remediation process
Prerequisites: - Vulnerability scanner (Nessus, Qualys, OpenVAS) - Patch management tools or procedures - Prioritization process (critical vs. non-critical)
Impact: - Reduces multiple audit findings - Prevents PT-05 (Privilege Escalation via unpatched kernel) - Improves overall security posture
Cost: 12 Budget Timeline: 4-6 weeks (plus ongoing) Difficulty: Medium-High
What it does: - Develop incident response plan (procedures, contacts, escalation) - Establish incident response team - Conduct tabletop exercises - Implement communication procedures
Prerequisites: - Team designation (CISO, security analysts, IT, legal, PR) - Plan documentation - Training and exercises
Impact: - Reduces DOMAIN-03 (Threat Detection) and DOMAIN-06 (Security Ops) findings - Enables faster response to Incident Response module - Improves Disaster Recovery effectiveness - Compliance requirement (nearly universal)
Audit & Compliance Module: Compliance Frameworks & Remediation (Expansion) Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/print-templates/tracker-sheets.md
Version: 2.2 - Playtest Edition
Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.
Cross off as each turn ends. Circle your turn limit before starting.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]
Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.
150 145 140 135 130 125 120 115 110 105 100 95 90 85 80 75
70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
100 95 90 85 80 75 70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
0 1 2 3 4 5
[ ] [ ] [ ] [ ] [ ] [ ] Penalty at start of turn: -5 Budget each
Advance each meter per card effects. Victory thresholds marked ▲.
ATTRIBUTION 0 10 20 30 40 50 60 70 80 90▲ 100
TIMELINE 0 10 20 30 40 50 60 70 80▲ 90 100
ATTACK CHAIN 0 10 20 30 40 50 60 70 80▲ 90 100
CHAIN OF CUSTODY 0 10 20 30 40 50 60 70▲ 80 90 100
Victory check (end of game):
- V1 Full Attribution: Attribution ≥90 AND Timeline ≥80
- V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70
- V3 Partial Findings: any two meters ≥70

Investigation in flight: ____ (results arrive Turn _)

Evidence collected (✓ = Analyzed, one Analyze per card):

| Evidence card | Documented? (+5% CoC) | Analyzed? |
|---|---|---|
INVESTIGATION 0 10 20 30 40 50 60 70 80 90 100
REMEDIATION 0 10 20 30 40 50 60 70 80 90 100
COMMUNICATION 0 10 20 30 40 50 60 70 80 90 100
| Stakeholder | 100 | 80 | 60 | 40 | 20 (critical) | 0 (LOSS) |
|---|---|---|---|---|---|---|
| Customers | ||||||
| Employees | ||||||
| Regulators | ||||||
| Board / Investors | ||||||
| Media / Public | ||||||
| Turn | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Scheduled event | ||||||||
| Deadline | Customers notified (recommended) | Regulator penalties begin | GDPR 72h — regulators notified |
Multi-turn action in flight: ____ (completes Turn _)
| # | Domain | Stars (1-5) | PASS (3★+) / FAIL (1-2★) | Key gap found |
|---|---|---|---|---|
| 1 | Network Segmentation | |||
| 2 | Identity & Access | |||
| 3 | Detection & Monitoring | |||
| 4 | Backup & Recovery | |||
| 5 | Cloud Security | |||
| 6 | Security Operations | |||
Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).
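The mechanics spread across the Remediation Cards above and this audit sheet (stars → PASS/FAIL, the capped gap penalty, card costs against the 100 starting Budget, which card reduces which DOMAIN's findings) can be run as a small model. This is an added example written for this edit, not rules text or code from RetroVerse Studios. It assumes constructed card labels (the printed card titles did not survive extraction, so each is named after its "What it does" line), takes costs and DOMAIN numbers from the cards, credits the vulnerability management card with no specific domain because its card names none, and uses an assumed per-domain gap penalty of -10, since the sheet caps the total at -30 but defers the per-gap value to the module rules.

```python
"""Model of the Audit & Compliance remediation economy (constructed example)."""
from dataclasses import dataclass
from itertools import combinations

STARTING_BUDGET = 100      # Audit module starting Budget (core rules, per the page)
PASS_STARS = 3             # 3 stars or more = PASS, 1-2 stars = FAIL (tracker sheet)
GAP_PENALTY_CAP = -30      # total follow-on gap penalty is capped at -30 (tracker sheet)
ASSUMED_GAP_PENALTY = -10  # per failed domain; ASSUMPTION, the page defers this to module rules

# Domain names as written on the cards' Impact lines (the tracker sheet labels
# some of them differently, e.g. it calls domain 5 "Cloud Security").
DOMAINS = {
    1: "Network Segmentation", 2: "Access Control", 3: "Threat Detection",
    4: "Backup & DR", 5: "Third-Party Risk", 6: "Security Ops",
}


@dataclass(frozen=True)
class RemediationCard:
    name: str          # constructed label; the printed card titles are missing
    cost: int          # Budget cost printed on the card
    domains: frozenset  # DOMAIN numbers whose findings the card reduces


CARDS = (
    RemediationCard("MFA", 5, frozenset({2})),
    RemediationCard("SIEM", 15, frozenset({3})),
    RemediationCard("Network segmentation", 12, frozenset({1})),
    RemediationCard("3-2-1 backups", 10, frozenset({4})),
    RemediationCard("Security awareness training", 3, frozenset({6})),
    RemediationCard("Vendor risk management", 5, frozenset({5})),
    # "Reduces multiple audit findings": the card names no domain, so none is credited.
    RemediationCard("Vulnerability management", 8, frozenset()),
    RemediationCard("IR plan", 12, frozenset({3, 6})),
)
CARDS_BY_NAME = {c.name: c for c in CARDS}


def audit_result(stars: dict) -> dict:
    """Score a filled-in audit sheet: {domain: stars} -> passes, failed set, gap penalty."""
    if set(stars) != set(DOMAINS) or not all(1 <= s <= 5 for s in stars.values()):
        raise ValueError("need a 1-5 star rating for each of the 6 domains")
    failed = frozenset(d for d, s in stars.items() if s < PASS_STARS)
    # Penalties are negative numbers, so max() is what applies the cap.
    penalty = max(GAP_PENALTY_CAP, ASSUMED_GAP_PENALTY * len(failed))
    return {"passed": len(DOMAINS) - len(failed), "failed": failed, "gap_penalty": penalty}


def check_plan(card_names, failed, budget=STARTING_BUDGET) -> dict:
    """Validate a chosen set of Remediation Cards against the Budget and the audit gaps."""
    cards = [CARDS_BY_NAME[n] for n in card_names]  # KeyError on an unknown card label
    total = sum(c.cost for c in cards)
    covered = frozenset().union(*(c.domains for c in cards))
    return {
        "total_cost": total,
        "remaining_budget": budget - total,
        "affordable": total <= budget,
        "uncovered": frozenset(failed) - covered,
    }


def cheapest_cover(failed, budget=STARTING_BUDGET):
    """Cheapest affordable card combination that reduces findings in every failed domain.

    Exhaustive search: with 8 cards there are only 255 non-empty subsets, so no
    heuristic is needed. Returns (card names, cost), or None if nothing affordable
    covers all gaps. Ties keep the combination with fewer cards.
    """
    failed = frozenset(failed)
    if not failed:
        return ((), 0)
    best = None
    for k in range(1, len(CARDS) + 1):
        for combo in combinations(CARDS, k):
            cost = sum(c.cost for c in combo)
            if cost > budget or (best is not None and cost >= best[1]):
                continue
            if failed <= frozenset().union(*(c.domains for c in combo)):
                best = (tuple(c.name for c in combo), cost)
    return best


if __name__ == "__main__":
    # Constructed sample sheet: three domains fail, which already hits the -30 cap.
    sheet = {1: 4, 2: 2, 3: 1, 4: 5, 5: 3, 6: 2}
    result = audit_result(sheet)
    print(f"{result['passed']} / 6 PASS, gap penalty {result['gap_penalty']}")
    print("cheapest cover:", cheapest_cover(result["failed"]))
```

The search shows why the multi-domain IR plan card matters: for gaps in domains 2, 3 and 6 it is cheaper to pair MFA with the IR plan (17 Budget) than with SIEM plus training (23), and even closing all six domains costs 44 of the 100 Budget, so the Audit module's pressure comes from the timelines and the follow-on penalties rather than from running out of money.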
| Category | Points | Notes |
|---|---|---|
| Requirements met | per requirement card | |
| Security coverage | per rules scoring table | |
| Capability coverage | per rules scoring table | |
| Budget management | per rules scoring table | |
| TOTAL | | |
Components placed:
| Component | Cost | Capacity used / total |
|---|---|---|
Budget remaining: ___ / starting ___