INCIDENT ZERO

Audit & Compliance — Print & Play Bundle · v2.2 Playtest Edition

A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0

Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.

Contents:
  1. docs/HOW_TO_PLAY.md
  2. docs/TO_GUIDE.md
  3. docs/rules/core-rules.md
  4. docs/rules/module-audit-compliance.md
  5. docs/standalone-games/audit-compliance.md
  6. cards/audit-compliance/core-deck/audit-domain-cards.md
  7. cards/audit-compliance/expansion-deck/compliance-frameworks.md
  8. cards/print-templates/tracker-sheets.md

docs/HOW_TO_PLAY.md

How to Play Incident Zero

Version: 2.2 - Playtest Edition
Read time: ~15 minutes. First game: ~45 minutes.

This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.


1. What Is This Game?

Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.

The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.

There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.

2. What You Need

3. The Core Loop (all modules)

Every module runs on the same engine:

  1. Turns. A fixed number of turns (announced at setup). Each turn: start-of-turn penalties → 2-3 minutes of team discussion → ONE team action → end of turn.
  2. Budget. One shared pool representing money, staff, and time. Every action costs Budget. Run dry and you can't act.
  3. The d20 roll. Uncertain actions need roll + modifiers ≥ 11.
  4. Justification modifiers. +2 for strong technical reasoning (methodology — why this approach works), +1 for naming real tools or techniques (Wireshark, EDR, Mimikatz, a MITRE technique). The TO judges honestly; vague = +0.
  5. Debrief. Every session ends with 5-10 minutes of "what happened, why, what would you do differently." This is where the learning locks in — don't skip it.

4. Your First Game: Incident Response (Beginner)

The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:

Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)

The three actions (Blue Team picks ONE per turn):

Action | Cost | On success (roll + mods ≥ 11)
Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed!
Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = defense stays on the table and gives +2 to future rolls against any link matching its vector
Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty)

The pressure (TO applies at the START of each turn):
  - Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not)
  - Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)

When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).

Scripted opening — read this at the table

TURN 1.
TO: "Start of turn: one attacker action is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?"
Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name."
TO: "That's a real methodology and a real tool — +2 and +1. Roll."
Rolls 9. 9+3 = 12 ≥ 11 — success.
TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago."
(First success on this link — clue only. Budget: 95 - 5 = 90.)

TURN 2.
TO: "Active Breach Cost, minus 5. Budget: 85."
Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs."
TO: "+2, +1. Roll."
Rolls 10. 13 ≥ 11 — second success on the same link.
TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward."
Team takes Budget Grant: 85 - 5 + 10 = 90.

TURN 3.
TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went."
From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)
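The scripted opening above, replayed as code. This is an added example written for this page, not part of the Incident Zero bundle: it models the IR costs, start-of-turn penalties, reveals and rewards from this section and checks that the Budget lands on 95, 90, 85, 90 and 80 exactly as narrated. How Fast-Track lowers the target and how a partial-match defense earns its +2 are assumptions, marked in the comments.

```python
# Added example (not the bundle's own code): a small simulator of the
# Incident Response economy, used to replay the scripted opening.
from dataclasses import dataclass, field

TARGET = 11                # roll + modifiers must reach this
INVESTIGATE_COST = 5
DEPLOY_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
EMERGENCY_COST = 15
ACTIVE_BREACH_COST = 5     # per turn while any chain card is still hidden
UNCONTAINED_COST = 5       # per revealed-but-uncontained threat, per turn


@dataclass(frozen=True)
class Card:
    code: str
    title: str
    step: str      # kill-chain step, e.g. "PIVOT & ESCALATE"
    vector: str    # attack vector, e.g. "NETWORK"


@dataclass
class IncidentResponse:
    chain: list                                   # hidden attack chain, kill-chain order
    budget: int = 100
    revealed: int = 0                             # chain cards flipped face-up so far
    uncontained: set = field(default_factory=set) # indices of revealed, uncontained cards
    successes: int = 0                            # Investigate successes on the current link
    deployed: list = field(default_factory=list)  # (vector, step) of defenses on the table
    fast_track: bool = False

    @property
    def turn_limit(self):
        return len(self.chain) * 2 + 1            # (chain cards × 2) + 1

    @property
    def current(self):
        # Reveals always hit the earliest unrevealed card.
        return self.chain[self.revealed] if self.revealed < len(self.chain) else None

    def start_of_turn(self):
        if self.current is not None:
            self.budget -= ACTIVE_BREACH_COST
        self.budget -= UNCONTAINED_COST * len(self.uncontained)
        return self.budget

    def _reveal(self, reward):
        idx = self.revealed
        self.uncontained.discard(idx - 1)   # next link revealed: previous one auto-contained
        self.uncontained.add(idx)
        self.revealed, self.successes = idx + 1, 0
        if reward == "budget":
            self.budget += 10
        elif reward == "fast_track":
            self.fast_track = True
        # reward "cards" (draw 2 Defense cards) is not modelled here
        return self.chain[idx]

    def investigate(self, roll, justification=0, tool=0, reward="budget"):
        """justification: +2 for methodology; tool: +1 for a real tool/technique."""
        card = self.current
        if card is None:
            raise ValueError("chain already fully revealed")
        self.budget -= INVESTIGATE_COST
        # Partial-match defenses give +2 against any link sharing their vector.
        defense = 2 if any(v == card.vector for v, _ in self.deployed) else 0
        # Assumption: Fast-Track lowers the target to 5 for this one roll.
        target = 5 if self.fast_track else TARGET
        self.fast_track = False
        if roll + justification + tool + defense < target:
            return "fail"
        self.successes += 1
        if self.successes < 2:
            return "clue"                      # 1st success on a link
        return "revealed:" + self._reveal(reward).code   # 2nd success

    def deploy_defense(self, tier, vector, step, reward="budget"):
        card = self.current
        self.budget -= DEPLOY_COST[tier]
        if card is not None and (vector, step) == (card.vector, card.step):
            return "revealed:" + self._reveal(reward).code   # full match: no roll
        self.deployed.append((vector, step))   # stays on the table for its +2
        return "deployed"

    def emergency_response(self, idx):
        self.budget -= EMERGENCY_COST          # no roll: contain one revealed threat
        self.uncontained.discard(idx)
        return len(self.uncontained)


def scripted_opening():
    """Replay Turns 1-3 of the scripted opening; returns (game, budget trace)."""
    chain = [Card("T-01", "Phishing Campaign", "INITIAL COMPROMISE", "SOCIAL ENGINEERING"),
             Card("T-04", "Lateral Movement via SMB", "PIVOT & ESCALATE", "NETWORK"),
             Card("T-07", "Scheduled Task Persistence", "PERSISTENCE", "MALWARE")]
    g = IncidentResponse(chain)
    trace = [g.start_of_turn()]                                  # Turn 1: 95
    g.investigate(roll=9, justification=2, tool=1)               # 12 >= 11: clue, 90
    trace.append(g.budget)
    trace.append(g.start_of_turn())                              # Turn 2: 85
    g.investigate(roll=10, justification=2, tool=1, reward="budget")  # 13: T-01 revealed
    trace.append(g.budget)                                       # 85 - 5 + 10 = 90
    trace.append(g.start_of_turn())                              # Turn 3: 80
    return g, trace
```

Calling `deploy_defense("ADVANCED", "NETWORK", "PIVOT & ESCALATE")` on the returned game plays the "strong play" from Turn 3: T-04 is revealed without a roll and the phishing threat drops off the uncontained tracker.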

How it ends

Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?

5. The Other Five Modules (one paragraph each)

Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.

6. Where to Go Next

You want... | Read
You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens
Exact rules for a module | docs/rules/ — core + one file per module
Solo/standalone setup for any module | docs/standalone-games/
Every card, indexed | cards/CARD_REFERENCE.md
To run a playtest and report back | docs/playtesting/
Variable game length & difficulty tiers | core-rules §3a

7. Quick Reference (photocopy this)

Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR)
IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15
IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat
Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card
Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+
Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns
Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150

docs/TO_GUIDE.md

The Threat Orchestrator's Guide

Version: 2.2 - Playtest Edition
Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.


1. The Role

The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute:

If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.

A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.

2. Golden Rules

  1. Be fair, not nice. Never fudge dice — in either direction. The rules already give you legitimate difficulty dials (§5); use those, not your thumb on the d20.
  2. Never block on ignorance. If players are stuck, sell them a hint through the fiction ("your SOC junior suggests looking at outbound traffic...") rather than letting three turns die in silence.
  3. Announce costs before actions. "That's 15 Budget — confirm?" prevents every argument you'd otherwise have.
  4. Explain outcomes. Success or failure, say why in security terms. The explanation is the lesson; the roll is just pacing.
  5. Keep the clock. 2-3 minutes of planning per turn, firmly. Deliberation past that point is quarterbacking, not strategy.
  6. Let them be wrong. A confidently wrong plan that fails teaches more than a corrected plan that succeeds. Save the correction for the debrief.

3. Session Prep (15 minutes)

4. Judging Justifications (the heart of the job)

The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.

+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing.
  - ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated)
  - ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic)
  - ❌ "We investigate the email server thoroughly." (a location is not a method)

+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE.
  - ✅ "Check LSASS access events — that's Mimikatz behavior, T1003."
  - ❌ "We use our security tools." (no it isn't)

Rulings that keep it fair:
  - Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0.
  - Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game.
  - Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics").
  - Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change.
  - One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").

5. Difficulty Dials (live, legitimate)

Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.

Easier (pick 1-2) | Harder (pick 1-2)
Richer clues (more specific detail per success) | Vaguer clues (accurate but terse)
Suggest an angle through the fiction | Expert-mode justification bar
Shorter chain / lower tier next game | Longer chain, expansion cards
Beginner budgets (module max) | Minimum budgets

Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.

6. Failure Modes (yours, not theirs)

Failure | Symptom | Fix
The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief
The Softie | Everyone always gets +2 | Re-read §4; require the mechanism
The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation
The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route
The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers
The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is

7. Module Panels (your screen, one per module)

🔎 Incident Response — you are the hidden attacker

🛡️ Hardening — you become the pentester mid-game

🏗️ Network Building — you are the demanding business

🚨 Disaster Recovery — you are the crisis itself

🔬 Forensics — you are the evidence

📋 Audit & Compliance — you are the organization under review

8. Running the Debrief (10 minutes, non-negotiable)

Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.

9. First Session? Do This

  1. Run beginner Incident Response with the scripted opening in How to Play §4 — your first two turns are literally written out
  2. Keep the tracker sheet visible to everyone; public state builds trust in your fairness
  3. Log frictions on the session notes form — your confusion is playtest data too
  4. Forgive yourself one rules mistake per session; announce it, fix it forward, don't replay

docs/rules/core-rules.md

Incident Zero: Core Rules & Mechanics

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Core Concept 🎯

Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO, the facilitator), while all other players form Blue Teams (the Defenders).

How It Works

Players choose which module(s) to play based on learning objectives:

  1. Network Building Module - Design and secure infrastructure (30-45 min)
  2. Hardening Module - Build defense-in-depth (30-45 min)
  3. Incident Response Module - Detect and investigate hidden attack chains (30-45 min)
  4. Disaster Recovery Module - Manage breach crisis (30-45 min)
  5. Forensics Module - Investigate and attribute attacks (30-45 min) NEW in v2.1
  6. Audit & Compliance Module - Conduct security assessments (30-45 min)

Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.


Game Components (Universal)

Card Types

Threat Cards

Represent attacker actions. Each card includes:
  - Title: e.g., "Phishing Campaign"
  - Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
  - Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
  - Clue: Descriptive text for the Threat Orchestrator
  - Why This Works: Educational explanation (revealed after discovery)

Deck Composition:
  - 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
  - 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)


Defense Cards

Represent security controls. Each card includes:
  - Title: e.g., "Multi-Factor Authentication"
  - Countermeasure Vector: One of the six attack vectors
  - Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget)
  - Description: What the defense does and when it applies

Deck Composition:
  - 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
  - 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)

Examples:
  - BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget)
  - ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget)
  - ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)


Pentester Tactic Cards

Represent sophisticated attack techniques used in Hardening module (and potentially others).

8 Core Tactics (PT-01 to PT-08):
  1. PT-01: Social Engineering - Pretexting Attack
  2. PT-02: Malware Evasion - Living-off-the-Land Technique
  3. PT-03: Credential Dumping - Mimikatz Attack
  4. PT-04: Lateral Movement - Network Traversal
  5. PT-05: Privilege Escalation - Unpatched Kernel Exploit
  6. PT-06: Data Exfiltration - Unmonitored Channel
  7. PT-07: Supply Chain Compromise - Trusted Software Update
  8. PT-08: Insider Threat - Malicious Administrator

See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.


Asset Cards

Simple cards providing scenario context. Examples:
  - Email Server
  - Customer Database
  - Domain Controller
  - Web Application
  - Backup System
  - Developer Workstation


Game Materials Required

Physical Components:
  - One 20-sided die (d20)
  - Turn Tracker (paper or board, counts 1-12+)
  - Budget Tracker (shows 0-150+)
  - Reputation/Security Score Tracker (shows 0-100)
  - Uncontained Threats Tracker (shows 0-5)
  - Tokens or counters (for tracking upgrades, penalties)

Optional:
  - Score sheets (printable or paper)
  - Playbook tracking sheet
  - Stakeholder communication log (for Disaster Recovery)


Universal Game Mechanics

1. The d20 Roll System

When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.

How It Works:
  1. Player announces action and parameters
  2. Player rolls 1d20 (one 20-sided die)
  3. Add the modifiers to the roll and compare against the target number (usually 11+)
  4. Success if: roll + modifiers ≥ target number

Example:

Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)

2. Budget System (Universal)

What is Budget? Abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.

Budget Allocation by Module:
  - Network Building: Start at 40-60 (by difficulty; see module rules)
  - Hardening: Start at 150 (or carry over from IR)
  - Incident Response: Start at 100
  - Disaster Recovery: Start at 50 (emergency fund)
  - Forensics: Start at 75
  - Audit & Compliance: Start at 100 (used only for optional remediation cards)

Budget Spending:
  - Investigate action: 5 Budget
  - Deploy Defense: 10/15/25 Budget (by tier)
  - Emergency Response (IR): 15 Budget (v2.2; was 25)
  - Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed
  - Harden Upgrade (Hardening): 5 Budget
  - Create Playbook (Hardening): 10 Budget
  - Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0)
  - Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0

Budget = 0: Team loses (cannot take further actions)

Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.


3. Turn System (Universal)

Turns represent: Time passing in the game world (6 hours, 30 minutes, or abstract unit depending on module)

Turn Sequence:
  1. Start of Turn: Penalties applied, trackers announced
  2. Planning Phase: Team discusses strategy (2-3 min)
  3. Action Phase: Execute chosen action, resolve rolls
  4. End of Turn: Advance tracker, draw card, check events


3a. Variable Game Length System (v2.1 - New!)

Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.

For Beginners & Quick Play: Default Formula

Default Formula: (Attack Chain Cards × 2) + 1

This gives attackers enough time to progress realistically while keeping games manageable:

Attack Chain | Formula | Turn Count | Session Duration
3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play
4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play
5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play
6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play

How to Use Default Formula:
  1. Choose number of threat cards in attack chain (3, 4, 5, or 6)
  2. Apply formula: (Cards × 2) + 1 = Turn Count
  3. Announce turn count to Blue Team
  4. Play game normally with that turn limit

Example Setup:

"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"


For Advanced Players: Complexity Tiers (v2.1)

Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:

Step 1: Select Attack Complexity Tier

Tier | Turn Base | Attack Profile | Example
TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools
TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group
TIER 3 | 11-13 | Highly sophisticated | APT with operational security
TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group

Step 2: Add Randomness (Optional)

Roll 1d4 for variation:
  - Roll 1: -1 turn (tight timeline)
  - Roll 2 or 3: ±0 turns (no change)
  - Roll 4: +1 turn (extended dwell time)

Final Turn Count = Tier Base + d4 Result

Example Advanced Setup:

"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."


Critical Game Integrity Rules (v2.1)

These rules protect game balance and prevent metagaming:

Rule 1: Accept Any Roll (Even If It Feels Wrong)

The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.

Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.

Example Scenarios:
  - TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic)
  - TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)

When Chaos Feels Realistic:
  - Tight timeline: "The attacker worked faster than expected—they had prior knowledge"
  - Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"

Implementation: Lean into the randomness as realistic incident variability.


Rule 2: Players Cannot Question Tier Based on Turn Count

The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.

Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).

What Players CAN Ask:
  - "What are the suspicious network events?" (leads to understanding threats)
  - "Can we analyze the malware?" (reveals attacker sophistication through findings)
  - "Why did this attack succeed?" (post-game discussion)

What Players CANNOT Ask:
  - "Is this a TIER 2 attack?" (deriving tier from turn count)
  - "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)

Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.


Rule 3: TO Modifier Authority (Rare & Optional)

The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.

When to Use (Rare):
  - Scenario setup is unusually complex (multiple attack vectors, coordination across systems)
  - Player group is new and needs slightly easier conditions
  - Real-world incident being taught had specific timeline constraints

When NOT to Use (Prefer Random):
  - "The roll feels unlucky" (accept the chaos)
  - "I want this exactly 10 turns" (let dice decide)
  - "The attack chain is long so it should take longer" (that's what the TIER system handles)

Implementation:
  1. Roll d4 normally
  2. Announce rolled result
  3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why
  4. Document the override for consistency in future scenarios

Example Valid Use:

"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have 5-card attack chain, so I'm adding +1 modifier (explaining the discovery is methodical). Final: 8-10 turns."

Example Invalid Use:

"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)


Implementation Checklist

For Beginners (Use Default Formula):
  - [ ] Choose attack chain length (3, 4, 5, or 6 cards)
  - [ ] Calculate: (Cards × 2) + 1
  - [ ] Announce turn count
  - [ ] Play

For Advanced (Use Tier + d4):
  - [ ] Select TIER (1, 2, 3, or 4)
  - [ ] Announce TIER basis (not the number, just why it's that complexity)
  - [ ] Roll d4 for variation (hidden or public, your choice)
  - [ ] Calculate final turn count
  - [ ] Apply Rule 3 modifier if genuinely needed (rare)
  - [ ] Announce final turn count WITHOUT revealing tier


Quick Reference Card

Default Formula: Turn Count = (Attack Cards × 2) + 1

Tier System:
  - TIER 1: 5-7 turns (simple)
  - TIER 2: 8-10 turns (standard)
  - TIER 3: 11-13 turns (advanced)
  - TIER 4: 14-16 turns (expert)
  - Add d4 roll: -1, 0, 0, or +1

Golden Rules:
  1. Accept any roll (embrace chaos)
  2. Never reveal tier to players
  3. Modifier authority only when truly needed (rare)
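The turn-limit procedures of §3a as code. This is an added example for this page, not the bundle's own: it encodes the default formula, the Tier + d4 table and Rule 3's limits (a shift of at most ±1, only with a stated reason), and reproduces this section's worked setups as checks.

```python
# Added example (not the bundle's own code): the §3a turn-limit procedures,
# with Rule 3's "only ±1, and explain why" limit enforced in code.
D4_SHIFT = {1: -1, 2: 0, 3: 0, 4: +1}                           # d4 result -> turn adjustment
TIER_BASE = {1: (5, 7), 2: (8, 10), 3: (11, 13), 4: (14, 16)}   # tier -> base turn range


def default_turn_count(chain_cards):
    """Beginner formula: (Attack Chain Cards × 2) + 1, for 3- to 6-card chains."""
    if chain_cards not in (3, 4, 5, 6):
        raise ValueError("attack chains are 3 to 6 cards long")
    return chain_cards * 2 + 1


def rule3_ok(override, reason):
    """Rule 3: the TO may shift the rolled result by at most ±1, and must say why."""
    return override in (-1, 0, 1) and (override == 0 or bool(reason.strip()))


def tier_turn_range(tier, d4, override=0, reason=""):
    """Advanced setup: tier base shifted by the d4 roll, then an optional documented ±1.

    Returns the (low, high) turn range the TO announces; the tier itself is never announced."""
    if not rule3_ok(override, reason):
        raise ValueError("override must be -1, 0 or +1 and, if non-zero, explained")
    shift = D4_SHIFT[d4] + override
    low, high = TIER_BASE[tier]
    return low + shift, high + shift
```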


4. Roll Modifiers (Universal)

All modules use the same modifier system for consistency:

+2 Bonus: Strong Technical Justification

Awarded when a player provides clear, specific reasoning for their action using real security concepts.

Examples:
  - "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds"
  - "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques"
  - "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"

Criteria:
  - References specific tools (Splunk, EDR, SIEM, etc.)
  - Explains methodology (why this approach works)
  - Shows understanding of the threat being addressed


+1 Bonus: Real Tools or Techniques Referenced

Awarded when player references actual security tools or real attack/defense techniques.

Examples:
  - "We'll use Wireshark to analyze the network traffic"
  - "We're checking for Mimikatz usage in memory"
  - "We're reviewing EDR telemetry"
  - "We're looking for this specific CVE exploitation pattern"

Criteria:
  - References real tools (Wireshark, EDR, Splunk, etc.)
  - References real techniques (MITRE ATT&CK, specific CVEs)
  - Shows awareness of how things actually work


5. Uncontained Threats Penalty (Incident Response Module)

When Applied: Incident Response module only, applied at START of each turn

How It Works:
  1. When a threat card is revealed, add 1 to Uncontained Threats Tracker
  2. At START of each turn, deduct 5 Budget per uncontained threat
  3. When next card in chain is revealed, previous threat is auto-mitigated (-1 from tracker)
  4. When Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)

Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.

Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.

Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden):

Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: START → Deduct 5 Budget
Turn 3: Lateral Movement revealed → Phishing auto-mitigated (Uncontained = 1)
Turn 4: Emergency Response on Lateral Movement (15 Budget) → Uncontained Threats = 0

Common Roles & Responsibilities

Threat Orchestrator (Facilitator)

Responsibilities:
  - Manage game state and track turns/budget
  - Describe scenarios and outcomes
  - Roll dice when action outcomes are uncertain
  - Guide the narrative

During Incident Response:
  - Create and manage hidden attack chain
  - Provide clues based on successful investigations
  - Control Uncontained Threats penalties
  - Be fair but challenging

During Other Modules:
  - Describe threat context and defenses
  - Draw Pentester Tactic cards (Hardening)
  - Manage timeline and deadlines (Disaster Recovery)
  - Guide debrief questions

Universal Tips:
  - Explain why actions succeed or fail
  - Ask clarifying questions about player strategy
  - Balance challenge with learning
  - Provide constructive feedback


Blue Team (Defenders)

Responsibilities:
  - Discuss strategy as a team
  - Choose one action per turn
  - Justify your decisions (gain +2 modifier)
  - Manage budget carefully
  - Learn from success and failure


Modifier Stacking Rules

Key Rule: Modifiers are additive and can stack.

Example (Hardening Module, canonical formula — v2.2):

Pentester Tactic: PT-02 Living-off-the-Land (DC 13)

Defense roll = d20
  + printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
  + hardening upgrades on that defense (+2 each; one upgrade: +2)
  + relevant playbook (+3)

Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS

Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.


Difficulty & Scaling

By Attack Chain Length

Length | Difficulty | Best For
3 cards | Beginner | Learning mechanics, 30 min sessions
4 cards | Intermediate | Standard play, 40 min sessions
5 cards | Advanced | Challenge play, full kill chain

By Starting Budget

Budget | Difficulty | Best For
60 | Hard | Resource scarcity, tough choices
100 | Standard | Balanced play, most scenarios
150+ | Easy | Strategic depth, multiple options

By Turn Limit

Turns | Difficulty | Best For
8 | Hard | Time pressure, fast play
10 | Standard | Balanced, most scenarios
12 | Easy | Exploration, learning

Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.


Educational Objectives

By Module

Module | Primary Learning | Secondary Learning
Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response
Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture
Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost
Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling
Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping
Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization

By Game Mechanic

Mechanic | What It Teaches
d20 roll system | Uncertainty, risk, informed decision-making
Budget constraints | Resource allocation, prioritization
Justification bonuses | Technical reasoning, tools/techniques knowledge
Uncontained Threats penalty | Urgency, cost of dwell time
Pentester Tactics | Attacker sophistication, defense limitations
Playbook system | Preparation, incident response planning
Scoring systems | Outcome measurement, quality assessment

Cooperative vs. Competitive Play

Cooperative Mode

Competitive Mode

Implementation:
  - Same setup for all teams
  - Teams cannot share information (Incident Response)
  - Score comparison determines winner (Hardening)
  - Reputation comparison (Disaster Recovery)


Debrief & Reflection (Universal)

Every module should include a 5-15 minute debrief with three sections:

Part 1: What Happened?

Part 2: Why Did That Happen?

Part 3: What Would You Do Differently?


Tips for Threat Orchestrators (Universal)

Before the Game

  1. Read the module rules completely - Know what's coming
  2. Prepare your scenario - Pre-build attack chain or threat context
  3. Organize materials - Sort cards, prepare trackers
  4. Know your balancing points - Be ready to adjust difficulty if needed
  5. Practice reading clues - Deliver them dramatically!

During Gameplay

  1. Be clear about costs - Announce Budget before action
  2. Resolve rolls immediately - Announce target, let player roll, resolve
  3. Ask clarifying questions - "Why are you investigating email headers?"
  4. Be fair but challenging - Give honest difficulty, don't fudge rolls
  5. Narrate outcomes - Describe what happens, not just success/failure
  6. Manage pacing - Keep turns moving (2-3 min discussion max)
  7. Track penalties accurately - Keep budget, turn, and threat trackers visible

Balancing Difficulty

Too Easy Signs: - Team reveals all cards/achieves goal with 40+ budget remaining - No failed rolls - No meaningful decisions required - Team is bored

Too Hard Signs: - Team is stuck/making no progress after 5 turns - Multiple consecutive failed rolls - Team frustrated rather than challenged - No learning happening

Adjustment Options: - Easier: Provide better clues, more starting budget, fewer tactics - Harder: Less specific clues, lower budget, more tactics - Faster: Shorter turn limits, simpler scenarios - Slower: More turns, more complex scenarios


Card Reference

For complete card descriptions, see: - Base Threat & Defense Cards cards/incident-response/core-deck/threat-defense-cards.md - Expansion Threats cards/incident-response/expansion-deck/advanced-threats.md - Expansion Defenses cards/incident-response/expansion-deck/advanced-defenses.md - All decks indexed cards/CARD_REFERENCE.md


Module-Specific Rules

For complete rules on each module:


Quick Reference: Universal Mechanics

d20 Roll System

Budget System

Turn System

Penalties & Bonuses


Continuing to Next Steps

For your first game: 1. Choose a module from Module Combinations 2. Read the module-specific rules 3. Read the standalone setup guide 4. Prepare your scenario 5. Play!

For multiple modules: 1. Refer to Module Combinations for recommended sequences 2. Refer to FRAMEWORK.md for modifier generation procedures 3. Play first module, generate modifiers for next 4. Continue as desired


Need Help?


Incident Zero: Core Rules & Mechanics v2.1 - Balanced & Refined Edition Universal rules for all modules

docs/rules/module-audit-compliance.md

Audit & Compliance Module: Rules & Mechanics

Version: 2.2 - Playtest Edition Last Updated: October 2025

v2.2: this document's modifier table is canonical — the tables in cards/audit-compliance/ are generated from it. See v2.2 Playtest Edition Changes at the bottom.


Module Overview

The Audit & Compliance Module teaches players how security assessments reveal vulnerabilities that attackers will eventually exploit. Teams conduct a simulated third-party audit of their IT infrastructure, discovering gaps that will matter later.

Key Concept: "Auditors find what attackers will exploit." The findings from this module either inform hardening decisions (if they are remediated) or carry forward as attack modifiers and extra costs in later modules (if an incident occurs first).

Module Teaches: - Primary: Security assessment, compliance frameworks (NIST, CIS, PCI-DSS), vulnerability discovery - Secondary: Risk prioritization, remediation planning, audit-to-action translation

Integration Point: - Can be played standalone (teams audit a pre-built network) - OR as setup for Incident Response/Disaster Recovery (audit findings modify those modules) - See module-combinations.md for recommended sequences


Module Setup (10 minutes)

1. Choose Assessment Framework

Framework                      Focus                         Best For
NIST Cybersecurity Framework   5 Core Functions (CSF 1.1)    General organizations
CIS Critical Controls          18 Controls (CIS v8)          Defense-focused
PCI-DSS                        Payment card security         Retail/e-commerce
HIPAA                          Healthcare data               Healthcare organizations
Multi-Framework                Mix of above                  Realistic compliance

Key Point: Framework choice determines which audit domains are tested.

Budget note (v2.2): core-rules lists a starting Budget of 100 for the Audit module. That Budget applies only when playing the optional Remediation follow-up cards (see cards/audit-compliance/expansion-deck/compliance-frameworks.md, remediation section); the assessment itself costs nothing.

2. Choose Assessment Scope

Scope           Time      Networks Evaluated
Basic           5 min     One pre-built network
Standard        10 min    One network from Network Building OR pre-built
Comprehensive   15+ min   Multiple networks / multiple locations

3. Network Input

Option A: Use Pre-Built Network - Threat Orchestrator provides a sample network - Teams audit it without having built it - Focuses on audit skills, not network design

Option B: Use Network from Network Building Module - Teams audit the network they just built - Directly see consequences of earlier decisions - More integrated experience

Option C: Create Fictional Network via Narrative - Threat Orchestrator describes a scenario: "Your organization has email, web, database, and domain controller servers. Some are on-prem, some in cloud. You have a firewall but no IDS." - Teams audit based on description - Faster, requires less setup


Gameplay Loop (10 minutes)

Audit Structure

Threat Orchestrator (Acting as External Auditor) reviews the network and assesses 6 audit domains:

Domain 1: Network Segmentation & Isolation

Audit Question: "Does your network properly isolate critical systems from untrusted networks?"

Pass Criteria: - Implemented segmented architecture (3+ zones), AND - Deployed firewall between zones, AND - Critical systems (Database, Domain Controller) in separate zone from internet-facing systems

Fail Criteria: - Flat network (no segmentation), OR - Segmentation without firewall, OR - Critical systems on same zone as untrusted systems

If FAIL - Finding: - Name: Network Segmentation Gap - Risk Level: CRITICAL - Consequence in IR: Lateral movement easier (-1 to defending against NETWORK attacks) - Consequence in DR: Attacker access spreads to more systems (-10 DR budget penalty)

Narrative for Teams: "All of your systems are on the same network segment. Once an attacker gains access to one system, they can move freely between others."


Domain 2: Access Control & Identity Management

Audit Question: "Is your identity system (directory services, authentication, authorization) properly secured?"

Pass Criteria: - Domain Controller deployed, AND - Domain Controller on separate network segment, AND - Domain Controller not overloaded (≤2 services)

Fail Criteria: - No Domain Controller deployed, OR - Domain Controller on same segment as untrusted systems, OR - Domain Controller overloaded (3+ services)

If FAIL - Finding: - Name: Identity System Vulnerability - Risk Level: CRITICAL - Consequence in IR: Credential-based attacks easier (-1 to defending against CREDENTIAL_ABUSE attacks) - Consequence in DR: Full credential compromise; all user accounts compromised (-15 DR budget penalty)

Narrative for Teams: "Your identity system is overloaded with too many services and insufficient hardening. If compromised, attackers will have broad access to all user credentials."


Domain 3: Threat Detection & Incident Response

Audit Question: "Can you detect attacks when they happen? Do you have monitoring and alerting?"

Pass Criteria (any one of the following): - IDS or IPS deployed, OR - SIEM system deployed, OR - Email Gateway + Honeypot deployed (detection alternative)

Fail Criteria: - None of the above detection systems deployed (basic security devices such as a firewall alone, with no central logging, do not count)

If FAIL - Finding: - Name: Detection & Monitoring Gap - Risk Level: HIGH - Consequence in IR: Investigations slower (-1 to Investigation rolls; 12+ instead of 11+) - Consequence in DR: Breach undetected longer; more data stolen (-10 DR budget penalty)

Narrative for Teams: "You have no centralized logging or monitoring. When an attack happens, you won't know about it until data is already compromised."


Domain 4: Backup & Disaster Recovery

Audit Question: "Do you have functional backups? Can you recover from data loss or ransomware?"

Pass Criteria: - Backup System deployed, AND at least one of: - Backup isolated on separate network, OR - Cloud backup configured, OR - Multiple hosting locations (on-prem + cloud redundancy)

Fail Criteria: - No Backup System deployed, OR - Backup shares the production failure domain (same segment and same single location, e.g. everything on one on-prem LAN or in one cloud account)

If FAIL - Finding: - Name: Backup & Recovery Gap - Risk Level: CRITICAL (for ransomware/DR only) - Consequence in IR: None (a recovery gap; it does not affect detection or containment) - Consequence in DR: Ransomware unrecoverable; full rebuild required (-25 DR budget penalty)

Narrative for Teams: "You have no backup strategy. If ransomware hits, you cannot recover your data. You must either pay ransom or rebuild from scratch."


Domain 5: Third-Party Risk & Cloud Security

Audit Question: "Are your cloud systems and third-party integrations properly secured and isolated?"

Pass Criteria: - Cloud systems isolated on private network (VPN), AND - Cloud systems monitored/managed, AND - Credentials for cloud access securely managed

Fail Criteria: - Cloud systems internet-exposed, OR - No monitoring of cloud services, OR - Credentials stored locally for cloud access

If FAIL - Finding: - Name: Cloud Security Gap - Risk Level: HIGH - Consequence in IR: Cloud-based attacks easier (-1 to defending against WEB_EXPLOIT attacks) - Consequence in DR: Cloud compromise requires cloud provider recovery; slow remediation (-20 DR budget penalty)

Narrative for Teams: "Your cloud systems are internet-accessible without protection. Any attacker can directly target your cloud infrastructure."


Domain 6: Security Operations & Monitoring

Audit Question: "Do you have centralized logging, monitoring, and security operations capability?"

Pass Criteria: - SIEM system deployed, OR - Email Gateway + IDS deployed (combined monitoring)

Fail Criteria: - No SIEM or equivalent centralized logging

If FAIL - Finding: - Name: Security Operations Gap - Risk Level: MEDIUM - Consequence in IR: Investigations slower (-1 to Investigation rolls) - Consequence in DR: Forensic analysis slow; can't determine breach scope (-5 DR budget penalty)

Narrative for Teams: "You have no centralized place to view security events. When an attack happens, investigators must pull data from multiple sources manually."


Audit Report Generation

Creating the Formal Findings Report

After all 6 domains are assessed, Threat Orchestrator produces an Audit Findings Report:

SECURITY AUDIT FINDINGS REPORT

Organization: [Name]
Assessment Date: [Date]
Framework: [Framework used]
Auditor: [Your name / External firm]

═══════════════════════════════════════════

DOMAIN ASSESSMENT SUMMARY:

✓ PASS - Network Segmentation & Isolation
  Observation: Network properly segmented with firewalls between zones.
  Assessment: Risk is LOW for lateral movement.

✗ FAIL - Access Control & Identity Management
  Finding: Domain Controller overloaded with excessive services.
  Risk: If DC compromised, entire identity system at risk.
  Severity: CRITICAL
  Recommendation: Isolate DC to minimal required services.

✓ PASS - Threat Detection & Incident Response
  Observation: Network IDS deployed on the perimeter; alerts reviewed by IT staff.
  Assessment: Attacks crossing the perimeter can be detected.

✗ FAIL - Backup & Disaster Recovery
  Finding: No backup system deployed.
  Risk: Data loss unrecoverable; ransomware response limited to ransom/rebuild.
  Severity: CRITICAL
  Recommendation: Deploy backup system immediately.

✓ PASS - Third-Party Risk & Cloud Security
  Observation: Cloud systems properly isolated on private network.
  Assessment: Cloud security posture adequate.

✗ FAIL - Security Operations & Monitoring
  Finding: No SIEM; IDS, firewall and server logs are not centralized.
  Risk: Incident investigation will be slow and manual.
  Severity: MEDIUM
  Recommendation: Deploy SIEM or equivalent centralized logging.

═══════════════════════════════════════════

FINAL SCORE: 3/6 DOMAINS PASS

Overall Assessment: CONCERNING GAPS IDENTIFIED

Summary: Organization has adequate network and cloud security but lacks:
1. Proper identity system isolation
2. Backup/recovery capability
3. Centralized monitoring

Impact Estimate:
- If attack occurs: Investigation slowed (no central logs); recovery impossible without ransom
- Estimated cost to remediate findings: ~$40K (modest investment)
- Estimated cost of breach due to these gaps: ~$500K+ (significant exposure)

Recommendation Priority:
1. Deploy backup system (prevent ransomware catastrophe)
2. Isolate Domain Controller (prevent credential compromise)
3. Centralize logging (speed up incident response)

Audit Scoring

One Rubric (v2.2): PASS/FAIL is primary

PASS/FAIL per domain (X/6) is the primary score. Star ratings (1-5★) are flavor for narrative reports, with this fixed mapping:

1-2★ = FAIL · 3★+ = PASS · "PARTIAL" counts as FAIL

Optional (v2.2): a 5★ (exemplary) rating in Detection grants +1 to Incident Response investigation rolls if IR is played later.

Final Audit Score

Teams receive a score reflecting their infrastructure quality:

Score        Assessment          Interpretation
6/6 PASS     Enterprise-Grade    No modifiers carried into later modules; strong foundation
5/6 PASS     Strong Security     One gap; one -1 modifier on that domain's roll in IR (none if the gap is Backup)
4/6 PASS     Adequate Security   Two gaps; up to two -1 modifiers in IR
3/6 PASS     Concerning Gaps     Three gaps; up to three -1 modifiers in IR; attacks noticeably easier, IR harder for the team
Below 3/6    High Risk           Four or more gaps; multiple -1 modifiers, IR much harder; the DR penalty always reaches the -30 cap

Narrative Interpretation

6/6 Pass: "Your organization demonstrates strong security practices across all domains. While no system is perfect, you have implemented key controls and best practices."

4-5/6 Pass: "Your organization has good foundational security but should prioritize remediation of identified gaps. Most critical systems are protected, but some exposure remains."

3/6 Pass: "Your organization has significant security gaps that create real risk. Multiple critical domains require attention. If an incident occurs, you will face challenges."

Below 3/6: "Your organization has critical gaps across multiple domains. Significant investment needed to meet baseline security standards."


Audit Findings as Attack Modifiers

How Audit Failures Affect Other Modules

When audit findings exist and other modules are played:

In Incident Response Module:

Each FAIL finding creates a -1 modifier (one per gap — canonical, v2.2) to the relevant roll:

Audit Finding      IR Modifier                       Affected Threat Type
Segmentation Gap   -1 to NETWORK defenses            Lateral movement attacks easier
Identity Gap       -1 to CREDENTIAL_ABUSE defenses   Credential attacks easier
Detection Gap      -1 to Investigation rolls         Finding threats takes longer (11+ becomes 12+)
Backup Gap         No IR effect                      (Matters in Disaster Recovery)
Cloud Gap          -1 to WEB_EXPLOIT defenses        Web/API attacks easier
Operations Gap     -1 to Investigation rolls         Forensic investigation slower

Example: Segmentation Gap Active in IR

INCIDENT RESPONSE PHASE:

Team's Threat: Lateral Movement via SMB
Base roll needed: 11+
Audit Modifier: -1 (Segmentation Gap)
Effective roll needed: 12+

Team's Defense: Network Segmentation (newly deployed)
Roll: 14 + 2 (justification) = 16
Result: SUCCESS (16 ≥ 12)

TO Narrative: "Your network segmentation worked perfectly, stopping the
lateral movement that would have been trivial in an unsegmented network."

In Disaster Recovery Module:

Each FAIL finding is a penalty subtracted from the DR starting budget (this table is canonical — v2.2):

Audit Finding      DR Budget Penalty
Segmentation Gap   -10 Budget (attacker spreads to more systems)
Identity Gap       -15 Budget (full credential compromise)
Detection Gap      -10 Budget (dwell time longer; more data stolen)
Backup Gap         -25 Budget (no recovery option; expensive rebuild)
Cloud Gap          -20 Budget (cloud provider recovery needed)
Operations Gap     -5 Budget (forensic investigation slow)

Cap (v2.2): the total gap penalty applied to a subsequent module's budget is capped at -30.

Example: Multiple Gaps in DR (v2.2)

DISASTER RECOVERY PHASE:

Teams start with 50 crisis budget (DR 50; for reference, IR starts at 100).

Audit Failures from earlier assessment:
- Segmentation Gap: -10
- Detection Gap: -10
- Backup Gap: -25

Raw Gap Penalty: -45 -> capped at -30

Available Crisis Budget: 50 - 30 = 20

With 20 Budget the team cannot afford the cheapest mandatory path (29)
outright: they must lean on the free Holding Statement and skip actions,
so the response will be thin. Outcome: heavy pressure, likely reputation
damage.
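The following is an added example and not part of the published rules or card decks: a small Python helper that encodes the six domain pass criteria, the X/6 tier table, the one -1-per-gap IR modifiers and the capped DR penalty, so a Threat Orchestrator can check a network description and the resulting modifiers mechanically instead of by hand. The Network field names and the two sample networks are this example's own constructions, and it reads the per-gap rule as stacking (a Detection gap plus an Operations gap gives -2 to Investigation), which is one interpretation of "one -1 modifier per gap".

```python
"""Audit & Compliance scoring helper (added example; not part of the published rules).

Encodes the six domain pass criteria, the X/6 tier table, the per-gap IR
modifiers and the capped DR budget penalty from this module. The Network
field names are this example's own; the rules text defines no data model.
"""
from dataclasses import dataclass


@dataclass
class Network:
    """Facts the auditor establishes about a network (assumed field names)."""
    zones: int                   # distinct network zones (1 = flat network)
    firewall_between_zones: bool
    critical_in_own_zone: bool   # Database / Domain Controller separate from internet-facing systems
    domain_controller: bool
    dc_on_own_segment: bool
    dc_services: int             # services co-hosted on the Domain Controller
    ids_or_ips: bool
    siem: bool
    email_gateway: bool
    honeypot: bool
    backup: bool
    backup_isolated: bool        # backup on its own network segment
    cloud_backup: bool
    multi_location: bool         # on-prem + cloud redundancy
    cloud_private: bool          # cloud systems reachable only over VPN / private network
    cloud_monitored: bool
    cloud_creds_managed: bool


# Canonical v2.2 tables from the rules text.
IR_MODIFIER = {"Segmentation": "NETWORK", "Identity": "CREDENTIAL_ABUSE",
               "Detection": "Investigation", "Backup": None,
               "Cloud": "WEB_EXPLOIT", "Operations": "Investigation"}
DR_PENALTY = {"Segmentation": 10, "Identity": 15, "Detection": 10,
              "Backup": 25, "Cloud": 20, "Operations": 5}
DR_PENALTY_CAP = 30
TIERS = {6: "Enterprise-Grade", 5: "Strong Security",
         4: "Adequate Security", 3: "Concerning Gaps"}


def assess(net: Network) -> dict[str, bool]:
    """PASS (True) / FAIL (False) per domain, following the printed pass criteria."""
    return {
        "Segmentation": net.zones >= 3 and net.firewall_between_zones and net.critical_in_own_zone,
        "Identity": net.domain_controller and net.dc_on_own_segment and net.dc_services <= 2,
        "Detection": net.ids_or_ips or net.siem or (net.email_gateway and net.honeypot),
        "Backup": net.backup and (net.backup_isolated or net.cloud_backup or net.multi_location),
        "Cloud": net.cloud_private and net.cloud_monitored and net.cloud_creds_managed,
        "Operations": net.siem or (net.email_gateway and net.ids_or_ips),
    }


def star_passes(rating) -> bool:
    """Flavor star ratings map to PASS/FAIL: 1-2 = FAIL, 3+ = PASS, 'PARTIAL' = FAIL."""
    return isinstance(rating, int) and rating >= 3


def tier(results: dict[str, bool]) -> str:
    """X/6 PASS count to the assessment tier; fewer than 3 passes is High Risk."""
    return TIERS.get(sum(results.values()), "High Risk")


def ir_modifiers(results: dict[str, bool]) -> dict[str, int]:
    """One -1 per gap on the affected roll; Detection and Operations gaps both hit Investigation."""
    mods: dict[str, int] = {}
    for domain, passed in results.items():
        target = IR_MODIFIER[domain]
        if not passed and target:
            mods[target] = mods.get(target, 0) - 1
    return mods


def dr_budget(results: dict[str, bool], starting: int = 50) -> tuple[int, int, int]:
    """(available budget, raw penalty, applied penalty) with the -30 cap; DR starts at 50."""
    raw = sum(DR_PENALTY[d] for d, passed in results.items() if not passed)
    applied = min(raw, DR_PENALTY_CAP)
    return starting - applied, raw, applied


# Constructed sample 1: zones drawn on paper but no firewall enforcing them, no IDS/SIEM,
# backups sitting on the production LAN. Cloud and identity are fine.
PAPER_ZONES = Network(zones=3, firewall_between_zones=False, critical_in_own_zone=True,
                      domain_controller=True, dc_on_own_segment=True, dc_services=1,
                      ids_or_ips=False, siem=False, email_gateway=True, honeypot=False,
                      backup=True, backup_isolated=False, cloud_backup=False, multi_location=False,
                      cloud_private=True, cloud_monitored=True, cloud_creds_managed=True)

# Constructed sample 2: everything in order except a Domain Controller also running three other services.
OVERLOADED_DC = Network(zones=3, firewall_between_zones=True, critical_in_own_zone=True,
                        domain_controller=True, dc_on_own_segment=True, dc_services=3,
                        ids_or_ips=True, siem=True, email_gateway=True, honeypot=False,
                        backup=True, backup_isolated=True, cloud_backup=False, multi_location=False,
                        cloud_private=True, cloud_monitored=True, cloud_creds_managed=True)

if __name__ == "__main__":
    for name, net in (("Paper zones", PAPER_ZONES), ("Overloaded DC", OVERLOADED_DC)):
        r = assess(net)
        avail, raw, applied = dr_budget(r)
        print(f"{name}: {sum(r.values())}/6 PASS, {tier(r)}; IR {ir_modifiers(r)}; "
              f"DR raw -{raw} capped -{applied} -> {avail} budget")
```

Running the block prints the first sample as 2/6 PASS, High Risk, with NETWORK -1 and Investigation -2 in IR and a raw DR penalty of 50 capped to 30 (20 crisis budget left); the second is 5/6 Strong Security with only CREDENTIAL_ABUSE -1 and a DR budget of 35. Note that Operations cannot pass while Detection fails under the printed criteria (both passing paths for Operations also satisfy Detection), which is worth knowing before you hand-build a scenario with "Detection gap but Operations fine".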

Integration with Other Modules

Audit as Setup for Incident Response

Recommended Flow: Audit → Incident Response

  1. Conduct Audit (10 minutes)
     - Identify 3-5 gaps in network
  2. Generate Modifiers (2 minutes)
     - Each gap becomes a -1 modifier to relevant defense in IR
  3. Play Incident Response (35-40 minutes)
     - Teams discover that audit findings predicted attack vectors
     - Audit gaps make IR harder
     - Teams gain appreciation for audit value
  4. Debrief (10 minutes)
     - Discuss how audit findings manifested as attack vectors
     - Real-world connection to breach investigations

Audit as Setup for Disaster Recovery

Recommended Flow: Audit → [Incident Response] → Disaster Recovery

  1. Conduct Audit (10 minutes)
     - Identify gaps (particularly Backup Gap and Detection Gap)
  2. Skip or Lose IR (optional)
     - Assume attackers breached and incident was NOT detected
  3. Play Disaster Recovery (30-35 minutes)
     - Each audit gap increases crisis costs
     - Teams discover backup gap = ransomware unrecoverable
     - Teams discover detection gap = dwell time was 48+ hours
  4. Debrief (10 minutes)
     - Discuss financial impact of audit failures
     - Calculate total incident cost

Audit as Learning Tool (Standalone)

Play Just the Audit Module (as independent learning)


Tips for Threat Orchestrators

Before the Audit

  1. Choose framework - NIST/CIS/PCI-DSS based on organization/industry
  2. Select network - Pre-built OR from Network Building OR fictional
  3. Prepare assessment checklist - Know pass/fail criteria for each domain
  4. Have findings report template - For consistent, professional output

During the Audit

  1. Walk through systematically - Each domain, one at a time
  2. Explain reasoning - "You passed segmentation because you have firewalls between zones"
  3. Use NIST/CIS language - Frame findings in recognized compliance framework
  4. Be fair - Audit findings should be accurate, not arbitrary
  5. Take notes - Document what you see for the formal report

After the Audit

  1. Create findings report - Professional document teams can reference
  2. Calculate score - X/6 domains pass
  3. Identify modifiers - Which audit gaps will affect Incident Response
  4. Estimate remediation costs - Budget and timeline to fix findings
  5. Explain real-world connections - Compare audit process to actual assessments (SOC 2, ISO 27001, etc.)

Sample Scenarios

Scenario 1: "Startup Audit" (Beginner)

Network Characteristics: - Flat network (no segmentation) - Email, web, database on same servers (overloaded) - No backup system - No SIEM or monitoring - All on-premises

Expected Audit Result: - 1-2/6 domains pass - Multiple CRITICAL findings - High remediation cost - Team learns value of basics (backup, monitoring)


Scenario 2: "Mid-Market Audit" (Intermediate)

Network Characteristics: - Segmented network with firewall - Dedicated servers for critical functions - Backup system present - IDS deployed but no SIEM - Hybrid on-prem/cloud

Expected Audit Result: - 4/6 domains pass - 2 findings: Security Operations Gap (MEDIUM, no SIEM) and Cloud Security Gap (HIGH, cloud isolation and monitoring not evidenced) - Moderate remediation cost - Team learns importance of comprehensive monitoring


Scenario 3: "Enterprise Audit" (Advanced)

Network Characteristics: - Fully isolated network architecture - Dedicated hardened servers - Comprehensive backup strategy - SIEM + IDS deployed - Cloud properly secured

Expected Audit Result: - 5-6/6 domains pass - 0-1 minor findings - Low remediation cost - Team learns value of comprehensive program


Extensions & Variations

Variation 1: Regulatory Compliance Specific

Focus audit on specific compliance requirement: - PCI-DSS: Focus on payment card handling, encryption, access control - HIPAA: Focus on healthcare data protection, audit logs, access management - SOC 2: Focus on security, availability, confidentiality controls - GDPR: Focus on data protection, breach notification, privacy

Each framework has different pass/fail criteria.


Variation 2: Continuous Auditing

Run audit multiple times with team improvements: 1. Initial audit (baseline) 2. Team makes improvements based on findings 3. Follow-up audit (measure improvement) 4. Calculate improvement % and cost-benefit


Variation 3: Threat Model Audit

Instead of compliance framework, audit against specific threat profile: - "This organization faces nation-state threat" → Audit for advanced detection - "This organization handles PHI data" → Audit for healthcare security - "This organization processes credit cards" → Audit for PCI-DSS - "This organization is critical infrastructure" → Audit for resilience


Quick Reference: Audit Domains & Consequences (canonical, v2.2)

Domain         PASS Meaning       FAIL Consequence (IR)             FAIL Consequence (DR)
Segmentation   Good isolation     -1 to NETWORK defense             -10 budget
Identity       Proper AC          -1 to CREDENTIAL_ABUSE defense    -15 budget
Detection      Good monitoring    -1 to Investigation               -10 budget
Backup         Recovery capable   None                              -25 budget
Cloud          Secure cloud       -1 to WEB_EXPLOIT defense         -20 budget
Operations     Good logging       -1 to Investigation               -5 budget

Cap (v2.2): total DR budget penalty capped at -30. Star flavor mapping: 1-2★ = FAIL, 3★+ = PASS, PARTIAL = FAIL.


Need Help?


v2.2 Playtest Edition Changes

  1. One canonical modifier table. This document's table is authoritative: DR budget penalties Segmentation -10 / Identity -15 / Detection -10 / Backup -25 / Cloud -20 / Ops -5, and one -1 IR modifier per gap. The tables in cards/audit-compliance/core-deck/audit-domain-cards.md and cards/audit-compliance/README.md are regenerated from it. One-off mechanics that existed nowhere else ("+5 turn penalty", "+1 escalation point", "-2 modifier", "+1 difficulty") are deleted or folded into the canonical -1-per-gap rule.
  2. Cap added: the total gap penalty applied to a subsequent module's budget is capped at -30. The unexplained "from 120 to 190" example was replaced with real budgets (DR 50, IR 100).
  3. One scoring rubric: PASS/FAIL per domain (X/6) is primary. Stars are flavor with a fixed mapping — 1-2★ = FAIL, 3★+ = PASS, "PARTIAL" counts as FAIL — printed here, on the domain cards, and in the standalone guide. Optional: 5★ in Detection grants +1 to IR investigation rolls if IR is played later.
  4. Budget note: the module's core-rules Budget (100) applies only to the optional Remediation follow-up cards; the assessment itself costs nothing.
  5. Fact corrections: CIS "20 Core Controls" → 18 (CIS v8) everywhere; NIST CSF category codes corrected in the expansion deck (Protect = PR.AC/PR.AT/PR.DS/PR.IP/PR.MA/PR.PT; Respond = RS.RP/RS.CO/RS.AN/RS.MI/RS.IM); segmentation cites PR.AC-5; vendor risk cites ID.SC; incident response is CIS Control 17 (v8).
  6. Card counts corrected: expansion deck is 19 cards (11 framework + 8 remediation); CIS section is 3 cards; HIPAA/SOC 2 moved to "Planned".
  7. Play aids: scoring reference card, audit worksheet, and judge guide are moving to the print pack (coming); an inline text audit worksheet is included in the standalone guide so it is playable today.

Audit & Compliance Module - Rules & Mechanics Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

docs/standalone-games/audit-compliance.md

Incident Zero: Compliance Audit Standalone Mini-Games

Three Variations of Security Assessment Gameplay

Version: 2.2 - Playtest Edition — answer keys now follow the printed criteria; PASS/FAIL (X/6) is the primary score (stars: 1-2★ = FAIL, 3★+ = PASS, PARTIAL = FAIL). See docs/rules/module-audit-compliance.md for the canonical modifier table.


Overview

Compliance Audit Standalone offers three distinct game modes that can be played independently:

  1. Variation A: Pre-Built Networks (15-25 minutes) - Audit existing networks
  2. Variation B: Random Network Generation (25-35 minutes) - Generate network, then audit
  3. Variation C: Audit the Auditor Debate (20-30 minutes) - Interactive audit challenge

Common Theme: Teams understand how audits find vulnerabilities that attackers will exploit.

Best For: - Standalone 20-35 minute sessions - Teaching audit frameworks - Understanding security gaps - Before/after comparison with the Incident Response module - Competitive assessment skills


VARIATION A: PRE-BUILT NETWORKS

"Audit the Sample Networks"

Duration: 15-25 minutes
Players: 1-4 teams
Difficulty: Easy (low cognitive load)
Best For: Quick session, first-time audit introduction


Concept

"Three organizations have submitted their infrastructure for audit. Review each one and score their security posture. Which has the best design? Which is most vulnerable?"

Teams receive 3 pre-built network descriptions and audit them against a 6-domain framework. Compare results and discuss why vulnerabilities matter.


Game Materials

Pre-Built Sample Networks (3 total)

SAMPLE NETWORK 1: "StartUp Tech"

INFRASTRUCTURE DESCRIPTION:

Startup Tech is a 50-person web development company.
Cloud-first approach, minimal on-premises systems.

DEPLOYMENT:
- Web Server (Cloud - AWS): Hosts company website and app portal
- Database Server (Cloud - AWS RDS): Customer data, 100K records
- Development Server (Cloud - AWS EC2): Dev/test environment
- Domain Controller (On-Prem): AD for user identity (1 small server)
- File Server (On-Prem): Shared documents
- Email Server (Cloud - Microsoft 365): Email via SaaS provider

SECURITY DEVICES:
- Email Gateway: None (using Microsoft 365 default)
- Firewall: AWS Security Groups (cloud provider native)
- IDS/IPS: None
- SIEM: None
- WAF: None
- Backup: AWS automated snapshots + Microsoft 365 retention
- VPN: None (all cloud-native, no remote access needed)

NETWORK ARCHITECTURE:
- Hybrid (50% Cloud, 50% On-Prem)
- Cloud systems accessible via internet (all public IP)
- On-prem systems on isolated LAN
- No network segmentation between cloud and on-prem

HOSTING:
- 50% AWS (web, database, dev)
- 50% On-Premises (AD, file sharing)

SECURITY POSTURE:
- No perimeter firewall monitoring
- Cloud infrastructure: AWS default security (basic)
- On-prem infrastructure: Minimal controls
- Identity: Single AD instance (critical point)
- No incident detection
- Backups functional but not tested

SAMPLE NETWORK 2: "Mid-Market Corp"

INFRASTRUCTURE DESCRIPTION:

Mid-Market Corp is a 200-person financial services company.
On-premises core with cloud for web and dev, mature IT operations.

DEPLOYMENT:
- Email Server (On-Prem): Exchange 2019
- Web Server (Cloud - Azure): Public website + customer portal
- Database Server (On-Prem): SQL Server, customer data, 1M records
- File Server (On-Prem): Network file shares, active collaboration
- Domain Controller (On-Prem): AD + LDAP, 200 users
- Development Server (Cloud - Azure): Dev/test
- Backup System (On-Prem): Backup appliance, off-site replication
- Legacy System (On-Prem): 15-year-old accounting system

SECURITY DEVICES:
- Firewall: Cisco ASA (perimeter) + internal segmentation firewall
- Email Gateway: Proofpoint (phishing/malware filter)
- IDS: Suricata (network-based detection)
- IPS: None (IDS only)
- SIEM: Splunk (centralized logging)
- WAF: Azure Web Application Firewall (in front of web server)
- VPN: Cisco AnyConnect (remote access)
- Honeypot: None

NETWORK ARCHITECTURE:
- Segmented (3 zones: DMZ, Internal, Finance)
- Firewalls enforce zone boundaries
- On-prem systems segregated from cloud
- Cloud systems on a private virtual network; only the WAF-fronted web server is internet-facing

HOSTING:
- 75% On-Premises (6 of 8 systems: core business)
- 25% Cloud (web, dev)

SECURITY POSTURE:
- Perimeter monitoring active (IDS)
- Email filtering active
- Centralized logging (SIEM)
- Remote access controlled (VPN)
- Backup and recovery tested
- Legacy system isolated but unpatched

SAMPLE NETWORK 3: "Enterprise Bank"

INFRASTRUCTURE DESCRIPTION:

Enterprise Bank is a 1000+ person financial institution.
Highly regulated (PCI-DSS, SOX), on-premises focused.

DEPLOYMENT:
- Email Server (On-Prem): Custom hardened system + redundancy
- Web Server (Cloud/Hybrid): DMZ layer for customer portal
- Database Server (On-Prem): Oracle RAC, 500M+ records, air-gapped
- File Server (On-Prem): Multiple redundant file servers by department
- Domain Controller (On-Prem): Multiple DCs, LDAP + Kerberos, hardened
- Development Server (On-Prem): Isolated dev network, no access to prod
- Backup System (On-Prem): Multiple backup systems, offline vault, geographically distant
- Cloud Workload (Limited): Only non-sensitive workloads

SECURITY DEVICES:
- Firewall: Multiple Palo Alto Networks firewalls (perimeter + internal + cloud boundary)
- Email Gateway: Proofpoint + internal inspection
- IDS: Multiple IDS systems (network + host-based)
- IPS: Palo Alto IPS (active blocking)
- SIEM: Splunk + IBM QRadar (redundant)
- WAF: F5 WAF (multi-layer)
- VPN: Multiple VPN concentrators, MFA required
- Honeypot: Internal honeypot network (3 decoy systems)
- Network Segmentation: Microsegmentation between critical systems
- Intrusion Prevention: Advanced threat prevention

NETWORK ARCHITECTURE:
- Fully Isolated (10+ security zones)
- Each zone has firewall enforcement
- Zero-trust network access
- Air-gapped critical systems
- Private clouds only (no public internet access)

HOSTING:
- 95% On-Premises (regulatory requirement)
- 5% Cloud (non-critical, isolated)

SECURITY POSTURE:
- Comprehensive logging (multiple SIEM)
- Advanced threat detection (IDS/IPS + honeypot)
- Incident response ready
- Backup and recovery tested quarterly
- All systems hardened per NIST guidelines
- Compliance audited annually (PCI-DSS, SOX)

Audit Assessment Framework

The 6-Domain Audit

Teams assess each network using this framework. Scoring (v2.2): PASS/FAIL per domain (X/6) is the primary score. If you use star ratings for flavor, the fixed mapping is 1-2★ = FAIL, 3★+ = PASS, "PARTIAL" counts as FAIL.

Domain 1: Network Segmentation

Question: "Are critical systems isolated?"

Score Criteria
PASS Firewall between zones OR microsegmentation active
FAIL Flat network OR segmentation without enforcement

Domain 2: Access Control & Identity

Question: "Is identity management secure?"

Score   Criteria
PASS    Dedicated Domain Controller AND MFA for remote access AND admin rights limited to a few accounts
FAIL    No DC OR DC overloaded OR no MFA OR broad admin access

Domain 3: Incident Detection & Response

Question: "Can you detect attacks?"

Score Criteria
PASS IDS/IPS or SIEM deployed, covering all critical segments
FAIL No IDS/IPS and no SIEM, OR a critical segment sits outside detection coverage

Domain 4: Backup & Disaster Recovery

Question: "Can you recover from failure?"

Score Criteria
PASS Backup system deployed + tested + geographically diverse
FAIL No backup OR untested backup OR single location

Domain 5: Third-Party Risk Management

Question: "Are cloud/vendor systems managed?"

Score   Criteria
PASS    Cloud systems isolated, OR handling no sensitive data, OR internet-facing only behind a WAF
FAIL    Cloud systems internet-exposed AND handling sensitive data AND no WAF

Domain 6: Security Operations & Monitoring

Question: "Do you have centralized visibility?"

Score Criteria
PASS SIEM deployed + centralized logging active
FAIL No SIEM OR no centralized logging

Audit Worksheet (inline version — copy onto paper; printed sheet: see print pack, coming)

AUDIT WORKSHEET
Organization audited: ______________________   Auditing team: ______________________

Domain                              PASS/FAIL   Key finding (one line)
1. Network Segmentation             [    ]      ______________________________________
2. Access Control & Identity        [    ]      ______________________________________
3. Incident Detection & Response    [    ]      ______________________________________
4. Backup & Disaster Recovery       [    ]      ______________________________________
5. Third-Party Risk Management      [    ]      ______________________________________
6. Security Ops & Monitoring        [    ]      ______________________________________

SCORE: ____ / 6 PASS      (PARTIAL counts as FAIL; stars: 1-2* = FAIL, 3*+ = PASS)

TOP 3 RECOMMENDATIONS:
1. ___________________________________________________________________________
2. ___________________________________________________________________________
3. ___________________________________________________________________________

Gameplay (20-25 minutes)

Turn Structure

Phase 1: Introduction (2 minutes)

TO explains: "You're security auditors reviewing three organizations' infrastructure designs. For each, you'll score them on a 6-domain framework. Your goal: Identify which has the strongest security posture and which is most vulnerable."

Phase 2: Audit Each Network (5 minutes per network = 15 minutes)

For each network (Startup, Mid-Market, Enterprise):

  1. TO reads network description (2 minutes)
  2. Teams discuss and score (2 minutes)
  3. Vote on PASS/FAIL for each domain
  4. Record scores on the audit worksheet (inline version above; printed version: see print pack, coming)
  5. TO reveals "correct" audit (1 minute)
  6. Teams compare their assessment to expert audit
  7. Discuss differences

Phase 3: Comparative Analysis (5 minutes)

Teams answer:

  1. "Which organization is most secure?"
  2. "Which is most vulnerable to attack?"
  3. "If you HAD to use one network, which would you choose?"


Pre-Built Audit Results

Startup Tech - Audit Results (v2.2 — the answer key now follows its own criteria)

Domain Score Finding
Network Segmentation FAIL No firewall between cloud and on-prem; cloud accessible from internet
Access Control FAIL Dedicated AD exists, but no MFA anywhere (cloud consoles are remote access) — "no MFA" is a FAIL condition
Detection FAIL No IDS/IPS or SIEM
Backup & Recovery FAIL AWS snapshots + M365 retention exist but are untested — "untested backup" is a FAIL condition
Third-Party Risk FAIL Cloud systems public internet-accessible, holding customer data, no WAF
Operations FAIL No centralized monitoring

Score: 0/6 PASS (strict). A lenient auditor might award Access Control a narrow PASS — dedicated, single-purpose DC and no VPN/remote-access paths to on-prem — for 1/6. Either reading lands in the same tier: Below 3/6, HIGH RISK. (The judgment call itself is a great Variation C debate.)

Risk Rating: HIGH / CRITICAL
- Vulnerabilities: No network segmentation, no detection capability, no MFA, untested backups, cloud systems exposed
- Attack Scenario: Attacker compromises cloud web server → lateral movement to on-prem AD → full network access; if ransomware hits, the untested backups may not restore
- Cost of Breach: Very high (no detection, no segmentation to contain, recovery uncertain)


Mid-Market Corp - Audit Results (v2.2 — table and score now agree)

Domain Score Finding
Network Segmentation PASS Firewalls between DMZ, Internal, Finance zones
Access Control PASS AD hardened, VPN with MFA
Detection FAIL IDS + SIEM deployed, but detection-only (no IPS blocking) and the isolated legacy accounting segment sits outside IDS coverage — a blind spot at the highest-risk, unpatched system
Backup & Recovery PASS Backup appliance with off-site replication, tested
Third-Party Risk PASS Cloud systems on private network, WAF in place
Operations PASS SIEM + centralized logging

Score: 5/6 PASS

Risk Rating: MEDIUM
- Strengths: Good segmentation, logging, backups
- Weaknesses: Legacy accounting system (unpatched, and unmonitored — the Detection FAIL)
- Attack Scenario: Attacker may get into DMZ but segmentation blocks lateral movement; an attack routed through the legacy segment, however, could go undetected
- Cost of Breach: Moderate (segmentation limits damage; the legacy blind spot is the residual risk)


Enterprise Bank - Audit Results

Domain Score Finding
Network Segmentation PASS Microsegmentation between all critical systems
Access Control PASS Hardened DCs, MFA, minimal over-privilege
Detection PASS IDS/IPS + dual SIEM + honeypot
Backup & Recovery PASS Multiple offline vaults, quarterly testing
Third-Party Risk PASS Cloud only for non-critical, extensive monitoring
Operations PASS Dual SIEM, air-gapped logging

Score: 6/6 PASS

Risk Rating: LOW
- Strengths: Defense-in-depth across all domains
- Weaknesses: Very expensive to operate; regulatory complexity
- Attack Scenario: Multiple layers would have to be bypassed; honeypot would alert SOC immediately
- Cost of Breach: Lower (but incident response costs are high due to complexity)


Scoring & Comparison

Audit Score Tiers

Score Assessment Implication
6/6 PASS Enterprise-grade Highest security, highest cost
5/6 PASS Strong security Balanced security & cost
3-4/6 PASS Adequate but gapped Risk exposure present
Below 3/6 High risk Vulnerabilities likely exploited
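The six PASS/FAIL criteria, the worksheet rule that PARTIAL counts as FAIL, and the score tiers above are mechanical enough to encode as a small rule engine, which is a useful way to check that an answer key follows its own criteria. The following is an added example, not part of the game's materials: it audits the three pre-built networks from constructed fact sheets that mirror the answer keys and reproduces the v2.2 scores (0/6, 5/6, 6/6). Field names are invented; Domain 1's criteria are not restated on this page, so that check is an assumption reconstructed from the answer keys; and the one case the Domain 5 criteria leave undecided (internet-exposed cloud holding sensitive data behind a WAF) is recorded as PARTIAL, which the worksheet counts as FAIL.

```python
"""Added example: the 6-domain audit criteria as a rule engine (not the game's own code)."""
from dataclasses import dataclass

PASS, FAIL, PARTIAL = "PASS", "FAIL", "PARTIAL"


@dataclass(frozen=True)
class Network:
    """Facts an auditor extracts from a network description (field names are invented)."""
    name: str
    firewalls_between_zones: bool
    cloud_reachable_from_internet: bool
    dedicated_dc: bool
    dc_overloaded: bool
    mfa_for_remote_access: bool
    broad_admin_access: bool
    ids_ips: bool
    siem: bool
    critical_segment_outside_detection: bool
    backup: bool
    backup_tested: bool
    backup_geo_diverse: bool
    cloud_handles_sensitive_data: bool
    waf: bool
    centralized_logging: bool


def segmentation(n: Network) -> str:
    # Assumption: Domain 1 criteria reconstructed from the answer keys
    # (firewalls between zones, no cloud system directly reachable from the internet).
    return PASS if n.firewalls_between_zones and not n.cloud_reachable_from_internet else FAIL


def access_control(n: Network) -> str:
    # FAIL: no DC OR DC overloaded OR no MFA OR broad admin access.
    if not n.dedicated_dc or n.dc_overloaded or not n.mfa_for_remote_access or n.broad_admin_access:
        return FAIL
    return PASS


def detection(n: Network) -> str:
    # FAIL: no IDS/IPS and no SIEM, OR a critical segment sits outside detection coverage.
    if not (n.ids_ips or n.siem) or n.critical_segment_outside_detection:
        return FAIL
    return PASS


def backup_recovery(n: Network) -> str:
    # PASS needs all three: deployed, tested, geographically diverse.
    return PASS if n.backup and n.backup_tested and n.backup_geo_diverse else FAIL


def third_party(n: Network) -> str:
    # PASS: cloud isolated OR not handling critical data.
    if not n.cloud_reachable_from_internet or not n.cloud_handles_sensitive_data:
        return PASS
    # FAIL: on internet + sensitive data + no WAF.
    if not n.waf:
        return FAIL
    # Exposed sensitive data behind a WAF: the criteria give no verdict, so record
    # PARTIAL; the worksheet rule counts PARTIAL as FAIL for the score.
    return PARTIAL


def operations(n: Network) -> str:
    return PASS if n.siem and n.centralized_logging else FAIL


DOMAINS = [
    ("Network Segmentation", segmentation),
    ("Access Control", access_control),
    ("Detection", detection),
    ("Backup & Recovery", backup_recovery),
    ("Third-Party Risk", third_party),
    ("Operations", operations),
]


def audit(n: Network) -> dict:
    """Score every domain; returns {domain: PASS | FAIL | PARTIAL}."""
    return {name: check(n) for name, check in DOMAINS}


def passes(results: dict) -> int:
    """The X/6 score: only PASS counts (PARTIAL counts as FAIL)."""
    return sum(1 for v in results.values() if v == PASS)


def tier(n_pass: int) -> str:
    """Audit Score Tiers table: 6, 5, 3-4, below 3."""
    if n_pass == 6:
        return "Enterprise-grade"
    if n_pass == 5:
        return "Strong security"
    if n_pass >= 3:
        return "Adequate but gapped"
    return "High risk"


def star_result(stars: int) -> str:
    """Star flavor to PASS/FAIL: 1-2 stars FAIL, 3+ stars PASS."""
    return PASS if stars >= 3 else FAIL


def summarize(n: Network):
    """Return (per-domain results, X/6 score, tier) for one network."""
    results = audit(n)
    s = passes(results)
    return results, s, tier(s)


# Constructed baseline with every fact in its "good" state; each network below
# overrides only what its answer key says is wrong.
GOOD = dict(firewalls_between_zones=True, cloud_reachable_from_internet=False, dedicated_dc=True,
            dc_overloaded=False, mfa_for_remote_access=True, broad_admin_access=False, ids_ips=True,
            siem=True, critical_segment_outside_detection=False, backup=True, backup_tested=True,
            backup_geo_diverse=True, cloud_handles_sensitive_data=False, waf=True,
            centralized_logging=True)


def network(name: str, **overrides) -> Network:
    return Network(name=name, **{**GOOD, **overrides})


STARTUP = network("Startup Tech", firewalls_between_zones=False, cloud_reachable_from_internet=True,
                  mfa_for_remote_access=False, ids_ips=False, siem=False, backup_tested=False,
                  cloud_handles_sensitive_data=True, waf=False, centralized_logging=False)
MID_MARKET = network("Mid-Market Corp", critical_segment_outside_detection=True,
                     cloud_handles_sensitive_data=True)  # legacy accounting segment is the blind spot
ENTERPRISE = network("Enterprise Bank")

if __name__ == "__main__":
    for net in (STARTUP, MID_MARKET, ENTERPRISE):
        results, s, t = summarize(net)
        fails = [d for d, v in results.items() if v != PASS]
        print(f"{net.name}: {s}/6 PASS -> {t}; not passing: {fails or 'none'}")
```

Running it prints the strict reading of each answer key; the lenient Access Control reading for Startup Tech (1/6) would require the auditor to drop the "no MFA" condition, which is exactly the judgment call the text flags for debate, and the engine makes that choice visible as a single predicate rather than a table footnote.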

Team Competition

Which team's audit assessment was most accurate?
- Teams that scored Startup as high-risk: +1 point
- Teams that scored Enterprise as low-risk: +1 point
- Teams that identified Legacy System as Mid-Market's weakness: +1 point

Winner: Team with most accurate audit assessments


Debrief (5 minutes)

Discussion Questions

  1. "Why would Startup Tech be attractive to attackers?"
     Answer: No detection, no segmentation, cloud exposed

  2. "If you had to recommend improvements to Startup, what's priority #1?"
     Answer: Network segmentation OR IDS/SIEM (detection)

  3. "Why is Enterprise Bank so expensive?"
     Answer: Redundancy, microsegmentation, multiple layers of defense

  4. "Which organization would you actually want to work for?"
     Answer: Mid-Market (good balance of security and usability)

VARIATION B: RANDOM NETWORK GENERATION

"Build-Then-Audit Mini-Game"

Duration: 25-35 minutes
Players: 1-4 teams
Difficulty: Medium (requires both building and auditing)
Best For: Combined learning, deeper understanding


Concept

"Each team builds a simplified network by drawing random infrastructure cards. Then you audit each other's networks. Better auditors find more gaps."

This combines elements of Network Building (simplified) with Audit mechanics. Teams make trade-off decisions, then their network design is audited by competitors.


Game Flow

Phase 1: Rapid Network Generation (10 minutes)

Each team builds a network using a simplified card deck:

Simplified Network Generation Cards

SERVER CARDS (Draw 5 cards, must include certain types):
- Email Server (must have)
- Web Server (must have)
- Database Server (must have)
- Domain Controller (should have)
- Backup System (optional)
- Development Server (optional)
- File Server (optional)
- Cloud Workload (optional)

SECURITY DEVICE CARDS (Draw 3 cards, choose to deploy or skip):
- Firewall
- IDS
- SIEM
- Email Gateway
- WAF
- Honeypot

ARCHITECTURE CARD (Draw 1, determines layout):
- Flat Network (budget-friendly, weak)
- Segmented Network (balanced)
- Fully Isolated (expensive, strong)

Rules:
- Must have: Email, Web, Database
- Can choose: Others
- Budget: Implicit (each card represents a choice; no money tracking)
- Time: 10 minutes to decide and document on "Network Card"

Each team creates a Network Card:

TEAM A'S NETWORK:

SERVERS:
✓ Email Server
✓ Web Server
✓ Database Server
✓ Domain Controller
✓ Backup System
✓ File Server
✗ Development Server (skipped)

SECURITY DEVICES:
✓ Firewall
✓ IDS
✗ SIEM (skipped)
✓ Email Gateway
✗ WAF (skipped)
✗ Honeypot (skipped)

ARCHITECTURE:
→ Segmented (3 zones)

Phase 2: Cross-Team Audit (15 minutes)

Each team audits a different team's network (round-robin):

  1. Auditing Team Receives Network Card
  2. Auditing Team Scores Network on 6 Domains
  3. PASS or FAIL for each domain
  4. Write findings
  5. Present Audit Results to Building Team

Example Audit of Team A:

AUDIT OF TEAM A'S NETWORK:

Domain 1: Network Segmentation
  Decision: Segmented (3 zones) → PASS
  Finding: Good segmentation between DMZ, Internal, Sensitive

Domain 2: Access Control
  Decision: Domain Controller present → PASS
  Finding: Identity management in place

Domain 3: Detection
  Decision: IDS present but NO SIEM → PARTIAL FAIL
  (v2.2: "PARTIAL" counts as FAIL for the score)
  Finding: Can detect network attacks but no centralized logging for correlation

Domain 4: Backup & Recovery
  Decision: Backup System present → PASS
  Finding: Can recover from data loss

Domain 5: Third-Party Risk
  Decision: No WAF on Web Server → FAIL
  Finding: Web server vulnerable to application attacks

Domain 6: Operations
  Decision: No SIEM → FAIL
  Finding: No centralized monitoring; incident response slower

AUDIT SCORE: 3/6 PASS

CRITICAL FINDINGS:
1. Missing SIEM (no centralized logging)
2. No WAF (web server unprotected)
3. IDS without SIEM (detection blindspot)

Phase 3: Auditor Scoring (5 minutes)

Accuracy of Audits is Scored:

Audit Accuracy Points
Identified all major gaps +5
Identified some gaps +3
Missed critical gap -2
Incorrect assessment 0

Team Scores:
- Building Teams: Score = (6 - number of fails) × 5
  - Example: 3/6 PASS = 3 fails → 3 × 5 = 15 points
- Auditing Teams: Score = accuracy of audit assessment

Winner: Highest combined score OR winner of each category


Debrief (5 minutes)

  1. "What gaps did auditors find in your network?"
  2. "Did the auditors miss anything you're concerned about?"
  3. "What would you fix if you had to improve?"

VARIATION C: "AUDIT THE AUDITOR" DEBATE

Interactive Challenge & Discussion Game

Duration: 20-30 minutes
Players: 2-4 teams
Difficulty: High (requires critical thinking & argumentation)
Best For: Advanced teams, strong discussion-based learning


Concept

"You're given a network design and audit findings. As a team, debate whether the auditor's findings are FAIR, HARSH, or MISSING SOMETHING. Win by making the most convincing argument."

This is a debate game where teams argue the merits of audit findings, teaching that audits are interpretable and that defending infrastructure requires understanding the rationale.


Game Materials

Audit Finding Scenarios (3 total)

SCENARIO 1: "The Startup Defense"

(Same fictional company as Variation A's "Startup Tech": 50 people, cloud-first, no VPN.)

SCENARIO:
Startup Tech built this network:
- Email (Cloud), Web (Cloud), Database (Cloud),
  Domain Controller (On-Prem), Backup (Cloud snapshots)
- No Firewall between cloud and on-prem
- No IDS or SIEM
- No VPN (all cloud-native; cloud consoles protected by
  provider logins only, no MFA)

AUDITOR'S FINDINGS:
Domain 1: Network Segmentation → FAIL
  "No firewall between cloud and on-prem represents 
   uncontrolled lateral movement risk."

Domain 3: Detection → FAIL
  "No IDS/SIEM means attacks go undetected."

OVERALL: HIGH RISK

STARTUP'S COUNTERARGUMENT:
"We use cloud providers (AWS/Azure) which have built-in
firewalls at the cloud level. Cloud provider security
groups mean only the services we expose are reachable.
Our small team (50 people) means we're faster to respond.
This audit is too harsh for a startup."

YOUR JOB:
- Is the auditor FAIR? (reasonable standards)
- Is the auditor HARSH? (too strict for context)
- Is the auditor MISSING gaps? (what should they have found?
  Hint: no MFA, untested backups)
- Vote: Fair / Harsh / Missing / Balanced

SCENARIO 2: "The Legacy System Dilemma"

SCENARIO:
Mid-Market Corp has this system:
- 15-year-old Accounting System (on-prem)
- Runs on Windows Server 2003 (unsupported, unpatched)
- Handles $2B in transactions annually
- Cannot be replaced for 2+ years (licensing/training)
- Isolated on separate network segment but bridged for 
  month-end consolidation

AUDITOR'S FINDINGS:
Domain 2: Access Control → FAIL
  "Legacy system runs on unsupported OS. Vulnerability 
   present = critical risk."

Domain 4: Backup & Recovery → PARTIAL
  "System backed up but no tested recovery procedure."

OVERALL: CRITICAL RISK (specifically legacy system)

CORP'S COUNTERARGUMENT:
"The system is air-gapped except for 3 days per month.
We have detective controls (IDS) watching for suspicious 
access. The cost of replacement ($2M) is greater than 
our risk tolerance. This system is a known risk we're 
accepting."

YOUR JOB:
- Is the auditor RIGHT to flag this?
- Is the corporation taking reasonable risk?
- How would you rate this scenario? Risk Acceptance vs. Negligence?
- Vote: Auditor Correct / Corp Reasonable / Need More Controls / Acceptable Risk

SCENARIO 3: "The Over-Engineering Question"

SCENARIO:
Enterprise Bank built this network:
- 10+ security zones with microsegmentation
- Dual SIEM systems (Splunk + QRadar)
- IDS + IPS on every zone
- Honeypot network with decoys
- All systems hardened per NIST
- Quarterly disaster recovery testing
- Air-gapped offline backups in vault
- Annual compliance audit (PCI-DSS, SOX)

COST: $5M annual IT security budget

AUDITOR'S FINDINGS:
Domain 1-6: ALL PASS ✓

AUDITOR'S COMMENT:
"Exceptional security posture. Well-engineered 
defense-in-depth. Highly resilient. Recommended 
best practices for financial institution."

STAKEHOLDER QUESTION:
"Is this over-engineered? Could we achieve 80% 
of the security with 30% of the cost?"

YOUR JOB:
- Is defense-in-depth always justified?
- What's the cost-benefit breakpoint?
- For different organization types (startup vs. bank), 
  what's appropriate?
- Vote: Over-Engineered / Justified / Right for Context / Too Expensive

Gameplay (25-30 minutes)

Turn Structure

Phase 1: Present Scenario (3 minutes)

TO reads:

  1. Organization and network design
  2. Auditor's findings
  3. Organization's counterargument
  4. Debate question

Phase 2: Debate Preparation (5 minutes)

Each team gets assigned a position:
- Team A: Defend the Auditor (findings are fair/necessary)
- Team B: Defend the Organization (counterargument is valid)
- Team C: Play Neutral Assessor (judge fairness of both)

Teams prepare arguments:
- 2-3 key points supporting their position
- Anticipate opponent's counterarguments
- Use security/business logic

Phase 3: Debate Round (5 minutes)

Structure:

  1. Auditor Position: 1 minute opening (Team A)
  2. Organization Position: 1 minute opening (Team B)
  3. Cross-Examination: 2 minutes (back-and-forth)
  4. Neutral Assessment: Team C (judge who had better argument)

Phase 4: Judge's Decision & Scoring (2 minutes)

Team C Scores:
- Most convincing argument: +3 points
- Better use of logic: +2 points
- Anticipated counterarguments: +2 points
- Clearer presentation: +1 point

Repeat for each scenario (3 scenarios = 3 rounds)


Example Debate

SCENARIO 1: Startup Defense

AUDITOR POSITION (Team A): "The findings are fair because:
  1. Network security standards apply to all organizations
  2. Cloud provider firewalls don't replace organizational controls
  3. No IDS means breaches go undetected for weeks
  4. A $10M breach destroys a startup; prevention is essential"

ORGANIZATION POSITION (Team B): "The counterargument is valid because:
  1. Startups operate under different constraints than enterprises
  2. Cloud provider security groups limit what's exposed
  3. Our cloud provider has better security than we could build
  4. For 50 employees, a $50K security investment is proportional
  5. We're risk-accepting; this is a known trade-off"

CROSS-EXAMINATION (back and forth):

A: "But if you get compromised, your customer data is exposed. Isn't that a problem?"

B: "Yes, but our cloud provider's controls AND limited data make that less likely than you're suggesting."

A: "What about detection? If you're breached, you won't know for months."

B: "True, but adding SIEM costs $5K/month that we don't have. We're choosing early detection (IDS) instead of centralized logging."

C (NEUTRAL): "Who made the better argument?"
- Team A cited industry standards
- Team B cited resource constraints
- Both had merit

VERDICT: Team B made the slightly more convincing argument (better contextualization of risk)
- Team B: +3 points
- Team A: +2 points


Debate Scoring & Winner

After 3 scenarios:

Team Scenario 1 Scenario 2 Scenario 3 TOTAL
Team A (Auditor) 2 3 2 7
Team B (Organization) 3 2 2 7
Team C (Neutral) 3 2 3 8

Winner: Team C (Neutral Assessor)

Award: "Best Critical Thinking"


Debrief (5 minutes)

Key Learning Questions

  1. "Are all audit findings equally valid?"
     Answer: No; context matters (startup vs. bank)

  2. "How would you defend an audit finding to the board?"
     Teaching point: Audits need business justification, not just technical standards

  3. "What's the difference between a 'critical finding' and a 'risk we're accepting'?"
     Teaching point: Risk management is nuanced; not all gaps are equally important

  4. "How does this change how you think about the attacks in Incident Response?"
     Connection: "Auditors find gaps that attackers exploit"

USING ALL THREE VARIATIONS

Which Variation When?

Variation A: Pre-Built Networks (Quickest)

Use When:
- Limited time (< 30 min session)
- First exposure to audit concepts
- Want to compare different infrastructure strategies
- Non-competitive, educational focus

Learning Value:
- Understand how audit domains work
- See difference between good/bad designs
- Low setup time

Variation B: Random Generation (Balanced)

Use When:
- Want to combine building + auditing
- 30-40 minute session
- Teams benefit from designing then being audited
- Competitive element desired

Learning Value:
- Teams make trade-off decisions
- See consequences of choices reflected in audit
- "This gap I chose to accept was exactly what the auditor found!"

Variation C: Debate Game (Most Interactive)

Use When:
- Advanced/experienced teams
- Want deep critical thinking
- Discussion-based learning preferred
- Comfortable with argumentation/debate format

Learning Value:
- Audit findings are interpretable
- Context matters (startup vs. bank)
- Security decisions involve trade-offs
- Preparation for defending security to board/leadership


SAMPLE PLAY SESSIONS


Session 1: Pre-Built Networks Only (20 minutes)

Setup: 3 min
Audit Startup Tech: 4 min
Audit Mid-Market: 4 min
Audit Enterprise: 4 min
Comparison & Discussion: 3 min
Debrief: 2 min

Total: 20 minutes

Perfect for: Intro to audit concepts


Session 2: Random Generation + Audit (35 minutes)

Setup: 3 min
Teams build networks (simplified): 10 min
Teams audit each other: 15 min
Score & announce winner: 3 min
Debrief: 4 min

Total: 35 minutes

Perfect for: Combined learning, competitive


Session 3: Debate Game Intensive (30 minutes)

Setup & brief: 2 min

SCENARIO 1:
- Presentation: 1 min
- Prep: 3 min
- Debate: 5 min
- Scoring: 1 min
- Subtotal: 10 min

SCENARIO 2: 10 min
SCENARIO 3: 10 min

Debrief: 3 min

Total: 30 minutes

Perfect for: Advanced critical thinking


Session 4: Combination Play (60 minutes)

Variation A (Pre-Built): 20 min
- Understand audit domains via 3 sample networks

Variation B (Random Gen): 25 min
- Build network, get audited
- See your choices reflected in audit findings

Variation C (Debate): 10 min
- Single debate scenario to reinforce learning

Debrief & Connection: 5 min
- "Now you understand how audits work"
- "In Incident Response, attackers will exploit these gaps"

Total: 60 minutes

Perfect for: Comprehensive audit education


CONNECTING TO INCIDENT RESPONSE (Attack Chain)

After playing Audit Standalone, teams can transition to the Incident Response module:

Narrative Bridge:

"You just audited how well different organizations designed their security. Now let's see what happens when an attacker encounters those same networks. The gaps you found in the audit? Attackers will find them too.

Your audit findings were:
- Startup Tech: HIGH RISK (no segmentation, no detection)
- Mid-Market: MEDIUM RISK (strong foundation, legacy gap)
- Enterprise: LOW RISK (defense-in-depth)

Now, if an attacker targets each of these networks, how will it go?"


MATERIALS CHECKLIST

Everything needed to play today is in this document: the three network descriptions, the 6-domain framework, the answer keys, the inline audit worksheet, and the three debate scenarios. Printed play aids (scoring reference card, audit worksheet, judge guide, scoring sheets): see print pack (coming).

Variation A: Pre-Built Networks

Variation B: Random Generation

Variation C: Audit the Auditor


QUICK REFERENCE

Variation Duration Complexity Competition Setup
A: Pre-Built 15-25 min Low Low Minimal
B: Random Gen 25-35 min Medium Medium Moderate
C: Debate 20-30 min High High Moderate

DEBRIEF CONNECTIONS TO INCIDENT ZERO

After any Audit Standalone variation, teams should understand:

  1. Audits find real vulnerabilities - Same gaps auditors find, attackers will exploit
  2. Context matters - Startup vs. bank = different risk tolerance
  3. Trade-offs are real - Can't afford everything; must prioritize
  4. Detection vs. Prevention - Strong IDS/SIEM matters as much as hardening
  5. Incident response starts with audit - Knowing your gaps speeds detection

Key Teaching: "In Incident Response, auditors played the role of the security team. Attackers play the same role, but with opposite intent. They're looking for exactly what auditors find."


Incident Zero: Compliance Audit Standalone Mini-Games
Three variations of security assessment gameplay
Teach how audits find vulnerabilities that attackers will exploit

cards/audit-compliance/core-deck/audit-domain-cards.md

Audit & Compliance Module: Audit Domain Assessment Cards

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Overview

Audit Domain Assessment Cards represent six critical security domains that an organization must have controls for. Each domain is assessed independently, with findings recorded on a standard audit report.


Assessment Methodology

The Audit Process

  1. Assessment: Auditor reviews domain for evidence of controls
  2. Scoring: Rate domain 1-5 stars based on maturity
     - ⭐ (1 star): No controls, critical findings
     - ⭐⭐ (2 stars): Minimal controls, major findings
     - ⭐⭐⭐ (3 stars): Adequate controls, minor findings
     - ⭐⭐⭐⭐ (4 stars): Strong controls, few findings
     - ⭐⭐⭐⭐⭐ (5 stars): Excellent controls, no findings
  3. Findings: Record specific gaps (vulnerabilities, non-compliance)
  4. Remediation: Recommend actions to address findings
  5. Report: Compile audit findings and recommendations

Star → PASS/FAIL Mapping (v2.2)

PASS/FAIL per domain (X/6) is the primary score. Stars are flavor, with this fixed mapping:

1-2★ = FAIL · 3★+ = PASS · "PARTIAL" counts as FAIL

Scoring Impact

Domain Score determines:
- Audit Grade (1-5 stars, flavor)
- PASS/FAIL status (primary — via the mapping above)
- Findings Severity (critical/major/minor)
- Modifiers for other modules (IR, DR get harder if audit failed — see the canonical table in docs/rules/module-audit-compliance.md)


Audit Domain Cards

DOMAIN-01: Network Segmentation & Isolation

Focus: How well is the network divided into protected segments?
Critical For: Preventing lateral movement
Regulatory References: PCI-DSS (network segmentation), NIST (zero trust)

What's Assessed:
- Is the network flat (1 segment) or segmented (multiple segments)?
- Are sensitive systems isolated (DMZ, database segment, admin segment)?
- Are firewall rules enforced between segments?
- Is the network architecture documented?
- Are VLANs/subnets properly configured?

Typical Findings:
- Critical (1-2 star): Flat network, no segmentation, everything can talk to everything
- Major (2-3 star): Basic segmentation exists, but enforcement is weak
- Minor (3-4 star): Segmentation exists, few rule violations
- Compliant (4-5 star): Strong segmentation, zero-trust architecture

Real-World Question: "If one system is compromised, how far can the attacker spread?"
- Flat network: Entire organization immediately
- 3-zone network: Blocked by firewalls
- Zero-trust: Individual systems isolated

Audit Evidence:
- Network diagram (shows segments)
- Firewall rule documentation
- Network ACL lists
- Proof of implementation (switch configs)
- Test results (can systems cross segments? No)

Compliance Standards:
- PCI-DSS Requirement 1: Network segmentation for cardholder data
- NIST CSF: PR.AC-5 (Network integrity protected via segmentation)
- CIS Control 12: Network Infrastructure Management (v8)

Findings Template:

FINDING: Network segmentation inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: The network is [flat/minimally segmented], allowing [lateral movement/unauthorized access]
RECOMMENDATION: Implement [VLAN/firewall rules/zero-trust] to segment [database/admin/sensitive systems]
EFFORT: [1-5] weeks
COST: [Moderate/High/Very High]

Remediation Actions:
- ✓ Implement network segmentation (ARCH-02, ARCH-03 in Network Building)
- ✓ Deploy firewall with segmentation rules (SEC-08)
- ✓ Implement zero-trust architecture (ARCH-03)
- ✓ Test segmentation enforcement

Impact if Failed (1-2 stars):
- T-04 (Lateral Movement) becomes trivial for attackers
- Incident Response: -1 to NETWORK defenses (canonical modifier)
- Disaster Recovery: -10 DR budget penalty (attacker spreads widely)


DOMAIN-02: Access Control & Identity Management

Focus: How are user identities managed and access controlled?
Critical For: Preventing unauthorized access
Regulatory References: HIPAA (access controls), GDPR (access management)

What's Assessed:
- Is there centralized identity management (Domain Controller/Azure AD)?
- Is multi-factor authentication (MFA) enabled for sensitive access?
- Are access permissions based on least privilege?
- Are access reviews performed (verify who has access)?
- Are privileged accounts managed (admin accounts, service accounts)?

Typical Findings:
- Critical (1-2 star): No centralized identity, weak passwords, no MFA
- Major (2-3 star): Some identity management, MFA not universal
- Minor (3-4 star): Good identity management, minor gaps
- Compliant (4-5 star): Strong identity, MFA everywhere, privilege management

Real-World Question: "How easily can an attacker use stolen credentials?"
- Weak: No MFA, can use stolen password immediately
- Medium: MFA only for some systems
- Strong: MFA everywhere, weak credentials are useless

Audit Evidence:
- AD/directory configuration
- MFA enrollment status
- Access policy documentation
- Privileged account audit (who has admin?)
- Account review records (periodic access verification)

Compliance Standards:
- PCI-DSS Requirement 8: User identification and authentication
- HIPAA Rule 164.308(a)(4): Unique user identification
- NIST CSF: PR.AC-1 (Physical & logical access controls)

Findings Template:

FINDING: Multi-factor authentication not universally enforced
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: MFA is [not implemented/optional] for [VPN/email/admin access]
RECOMMENDATION: Deploy [MFA solution] to [affected systems]
EFFORT: [2-4] weeks
COST: [Low/Moderate/High]

Remediation Actions:
- ✓ Deploy MFA (D-07 in Hardening)
- ✓ Implement password vault (D-12)
- ✓ Credential Guard for privileged access (D-16)
- ✓ Access reviews quarterly

Impact if Failed (1-2 stars):
- T-03 (Compromised Credentials), T-06 (Mimikatz) become likely
- Incident Response: -1 to CREDENTIAL_ABUSE defenses (canonical modifier)
- Disaster Recovery: -15 DR budget penalty (attacker can restore themselves with stolen creds)


DOMAIN-03: Threat Detection & Incident Response

Focus: Can the organization detect and respond to attacks?
Critical For: Finding breaches quickly
Regulatory References: GDPR (breach detection), HIPAA (log monitoring)

What's Assessed:
- Are logs being collected centrally (SIEM or similar)?
- Is there 24/7 monitoring of critical systems?
- Are alerts configured to detect suspicious activity?
- Is there an incident response plan documented?
- Are incident responders trained?

Typical Findings:
- Critical (1-2 star): No logging, no monitoring, no incident response plan
- Major (2-3 star): Some logging, limited monitoring
- Minor (3-4 star): Good logging, some gaps in alerting
- Compliant (4-5 star): Comprehensive logging, active monitoring, trained team

Real-World Question: "How quickly will you detect an active attacker?"
- Poor: Days/weeks (after data is already stolen)
- Medium: Hours (after attacker has spread)
- Strong: Minutes (catch attacker early)

Audit Evidence:
- SIEM/logging configuration
- Alert rules documentation
- Incident response plan
- Training records (who's trained?)
- Incident history (how did you detect past incidents?)

Compliance Standards:
- GDPR Article 33: Breach notification timing (72 hours)
- HIPAA Rule 164.308(a)(6): Incident response procedures
- NIST CSF: DE.AE-3 (Event detection processes)

Findings Template:

FINDING: Insufficient threat detection and monitoring
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [SIEM/monitoring] is [not deployed/inadequately configured]
RECOMMENDATION: Deploy [SIEM] with [alert rules] to detect [attack patterns]
EFFORT: [4-8] weeks
COST: [Moderate/High]

Remediation Actions:
- ✓ Deploy SIEM (D-09, D-22)
- ✓ Configure log centralization (D-05)
- ✓ Create SIEM correlation rules (D-10)
- ✓ Threat hunting program (D-13)

Impact if Failed (1-2 stars):
- Breach detection is late (attacker has time to steal data)
- Incident Response: -1 to Investigation rolls (canonical modifier; late detection)
- Disaster Recovery: -10 DR budget penalty (dwell time longer; more data stolen)

Optional (v2.2): a 5-star rating in this domain grants +1 to Incident Response investigation rolls if IR is played later.


DOMAIN-04: Backup & Disaster Recovery

Focus: Can the organization recover from attacks/disasters?
Critical For: Ransomware resilience
Regulatory References: Most breach laws mention recovery

What's Assessed:
- Is there a documented backup strategy (frequency, retention)?
- Are backups tested regularly (restore actually works)?
- Is backup storage off-site (geographically separated)?
- Are backups immutable (cannot be deleted/encrypted)?
- Is the recovery time objective (RTO) documented for each system?

Typical Findings:
- Critical (1-2 star): No backups or untested backups (may not restore)
- Major (2-3 star): Backups exist but not properly tested
- Minor (3-4 star): Backups exist and tested, gaps in immutability
- Compliant (4-5 star): 3-2-1 strategy, tested, immutable, offsite

Real-World Question: "Can you recover from ransomware?"
- Poor: No (backups are encrypted too)
- Medium: Yes but slowly (days to recover)
- Strong: Yes quickly (hours to recover, immutable backups)

Audit Evidence:
- Backup schedule/documentation
- Backup test results (prove restore works)
- Off-site backup location documentation
- Immutable backup configuration
- Recovery time estimates

Compliance Standards:
- Most breach laws assume backups exist (no recovery = massive damage)
- HIPAA Rule 164.308(a)(7): Data backup procedures
- NIST CSF: PR.IP-4 (Resilience practices documented)

Findings Template:

FINDING: Backup and recovery procedures inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: Backups are [not tested/not off-site/not immutable]
RECOMMENDATION: Implement [3-2-1 strategy] with [immutable storage]
EFFORT: [2-4] weeks
COST: [Moderate]

Remediation Actions:
- ✓ Implement 3-2-1 backup strategy (D-19)
- ✓ Test backups quarterly (prove restore works)
- ✓ Immutable storage (WORM, cloud versioning)
- ✓ Off-site backup location

Impact if Failed (1-2 stars):
- Ransomware attacks cannot be recovered from
- Disaster Recovery: -25 DR budget penalty (no recovery option; expensive rebuild)
- Business interruption is long (days vs hours)
- No IR effect (matters in Disaster Recovery)


DOMAIN-05: Third-Party Risk & Cloud Security

Focus: How well are vendors and cloud services managed?
Critical For: Managing supply chain risk
Regulatory References: GDPR (processor accountability), PCI-DSS (vendor security)

What's Assessed:
- Is there a vendor management program?
- Are vendors required to meet security standards?
- Are vendor assessments conducted (security questionnaires, audits)?
- Are cloud configurations secured (IAM, encryption, monitoring)?
- Is data residency managed (where is customer data stored)?

Typical Findings:
- Critical (1-2 star): No vendor management, cloud misconfigured
- Major (2-3 star): Basic vendor management, cloud gaps
- Minor (3-4 star): Vendor management exists, minor gaps
- Compliant (4-5 star): Strong vendor program, cloud security

Real-World Question: "Is your vendor secure?"
- Poor: No idea (never asked them)
- Medium: They said they're secure (took their word)
- Strong: Assessed and monitored (ongoing verification)

Audit Evidence:
- Vendor management policy
- Vendor security questionnaires
- Cloud configuration documentation
- IAM policies for cloud access
- Data residency mapping

Compliance Standards:
- GDPR Article 28: Processor agreements (vendor security required)
- PCI-DSS Requirement 12.8: Service provider agreements
- NIST CSF: ID.SC (Supply Chain Risk Management)

Findings Template:

FINDING: Vendor and cloud security assessment inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [Vendor/Cloud] security is [not assessed/misconfigured]
RECOMMENDATION: Implement [vendor assessment process/cloud security hardening]
EFFORT: [3-6] weeks
COST: [Low/Moderate]

Remediation Actions:
- ✓ Vendor management program (SLAs, security requirements)
- ✓ Cloud security posture management (CSPM tools)
- ✓ Cloud IAM hardening (least privilege)
- ✓ Regular vendor assessments

Impact if Failed (1-2 stars):
- SCENARIO-03 (Supply Chain Compromise) becomes likely in Disaster Recovery
- Vendor breach affects your customers
- Liability disputes (who's responsible?)
- Incident Response: -1 to WEB_EXPLOIT defenses (canonical modifier)
- Disaster Recovery: -20 DR budget penalty (cloud provider recovery needed)


DOMAIN-06: Security Operations & Monitoring

Focus: How is security operationalized (day-to-day)?
Critical For: Sustained security posture
Regulatory References: Most frameworks mention continuous monitoring

What's Assessed:
- Is there a dedicated security team (CISO, analysts)?
- Are security meetings held regularly?
- Is vulnerability scanning done regularly?
- Are patches applied in a timely manner?
- Is security training conducted?

Typical Findings:
- Critical (1-2 star): No security team, no updates, no training
- Major (2-3 star): Small security team, infrequent patching
- Minor (3-4 star): Security team exists, good operations
- Compliant (4-5 star): Mature security operations, continuous improvement

Real-World Question: "Is security a priority for the organization?"
- Poor: No dedicated resources
- Medium: Part-time effort
- Strong: Dedicated team, empowered leadership

Audit Evidence:
- Org chart (is the CISO position filled?)
- Security meeting minutes
- Vulnerability scan reports
- Patch management records
- Training records

Compliance Standards:
- Most frameworks require security leadership
- NIST CSF: PR.IP-1 (Security policy established & communicated)
- CIS Control 17: Incident Response Management (v8)

Findings Template:

FINDING: Security operations maturity inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [Security team/training/patching] is [insufficient]
RECOMMENDATION: [Hire/train/increase resources] for [security function]
EFFORT: [Ongoing]
COST: [Varies]

Remediation Actions:
- ✓ Hire CISO (if missing)
- ✓ Establish security team
- ✓ Regular vulnerability scanning
- ✓ Patch management program
- ✓ Security awareness training

Impact if Failed (1-2 stars):
- Security functions are reactive (not proactive)
- Incident Response: -1 to Investigation rolls (canonical modifier)
- Disaster Recovery: -5 DR budget penalty (forensic investigation slow)
- Vulnerabilities accumulate (PT-10 Zero-Day risk increases)


Audit Domain Summary

Domain     Focus                 Critical Finding   Remediation Effort   Compliance Impact
DOMAIN-01  Network Segmentation  Flat network       Moderate (2-4 wk)    Lateral movement prevented
DOMAIN-02  Access Control        No MFA             Low (2-4 wk)         Credential attacks harder
DOMAIN-03  Threat Detection      No SIEM            High (4-8 wk)        Breach detection enabled
DOMAIN-04  Backup & DR           No backups         Moderate (2-4 wk)    Ransomware resilience
DOMAIN-05  Vendor Risk           No assessment      Low (3-6 wk)         Supply chain risk managed
DOMAIN-06  Security Ops          No security team   High (ongoing)       Sustained security posture

Audit Scoring & Findings

Standard Audit Report Format

AUDIT REPORT - [Organization Name]
Audit Date: [Date]
Domains Assessed: 6
Overall Score: 2/6 PASS (stars are flavor: 1-2* = FAIL, 3*+ = PASS)

DOMAIN SCORES:
1. Network Segmentation: ⭐⭐ (2 stars) - FAIL
2. Access Control: ⭐⭐⭐ (3 stars) - PASS
3. Threat Detection: ⭐ (1 star) - FAIL (CRITICAL)
4. Backup & DR: ⭐⭐ (2 stars) - FAIL
5. Vendor Risk: ⭐⭐ (2 stars) - FAIL
6. Security Ops: ⭐⭐⭐⭐ (4 stars) - PASS

CRITICAL FINDINGS (must fix immediately):
- No SIEM or threat monitoring
- Network is completely flat (no segmentation)

MAJOR FINDINGS (fix within 30 days):
- No backup strategy
- Vendor security not assessed
- MFA not implemented

MINOR FINDINGS (fix within 90 days):
- Security training curriculum needs update

RECOMMENDATIONS:
1. Deploy SIEM immediately (critical)
2. Implement network segmentation
3. Establish backup program
4. Implement MFA
5. Develop vendor management program

Modifiers for Other Modules (generated from the canonical table in docs/rules/module-audit-compliance.md, v2.2)

Incident Response Modifiers

For each failed domain (FAIL = 1-2 stars): one -1 modifier.

Failed Domain            IR Modifier
DOMAIN-01 Segmentation   -1 to NETWORK defenses
DOMAIN-02 Identity       -1 to CREDENTIAL_ABUSE defenses
DOMAIN-03 Detection      -1 to Investigation rolls
DOMAIN-04 Backup         None (matters in DR)
DOMAIN-05 Vendor/Cloud   -1 to WEB_EXPLOIT defenses
DOMAIN-06 Security Ops   -1 to Investigation rolls

Example: if 3 domains fail, IR carries three separate -1 modifiers.

Disaster Recovery Modifiers

For each failed domain (FAIL = 1-2 stars): a penalty subtracted from the DR starting budget.

Failed Domain            DR Budget Penalty
DOMAIN-01 Segmentation   -10
DOMAIN-02 Identity       -15
DOMAIN-03 Detection      -10
DOMAIN-04 Backup         -25
DOMAIN-05 Vendor/Cloud   -20
DOMAIN-06 Security Ops   -5

Cap (v2.2): the total gap penalty applied to a subsequent module's budget is capped at -30.

Example (real budgets: DR starts at 50, IR at 100): if all 6 domains fail, the raw penalty is -85, capped at -30 — the team enters Disaster Recovery with 50 - 30 = 20 Budget.
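The two modifier tables and the cap together form a small scoring engine, and a TO chaining modules usually wants it worked out before the next session. The following Python script is an added example, not part of the RetroVerse Studios print pack: it encodes the IR and DR tables and the -30 cap from the rules above, resolves the sample audit report from the Standard Audit Report Format section (2/6 PASS), and also handles the all-fail case quoted above and an all-pass scorecard. The function and variable names (`resolve_audit`, `AuditOutcome`, `SAMPLE_REPORT`) are my own; every number comes from the tables on this page.

```python
"""Resolve an Audit & Compliance scorecard into Incident Response and
Disaster Recovery modifiers under the v2.2 tables.

Added example, not part of the RetroVerse Studios print pack.
"""
from dataclasses import dataclass

PASS_THRESHOLD = 3       # 3+ stars = PASS, 1-2 stars = FAIL
PENALTY_CAP = -30        # v2.2: total gap penalty to a module's budget never exceeds -30
DR_STARTING_BUDGET = 50  # Disaster Recovery starting budget (core rules)

# One IR roll modifier per failed domain (None = no IR effect).
IR_MODIFIERS = {
    "DOMAIN-01": "-1 to NETWORK defenses",
    "DOMAIN-02": "-1 to CREDENTIAL_ABUSE defenses",
    "DOMAIN-03": "-1 to Investigation rolls",
    "DOMAIN-04": None,  # backup gaps only matter in Disaster Recovery
    "DOMAIN-05": "-1 to WEB_EXPLOIT defenses",
    "DOMAIN-06": "-1 to Investigation rolls",
}

# DR budget penalty per failed domain.
DR_PENALTIES = {
    "DOMAIN-01": -10,
    "DOMAIN-02": -15,
    "DOMAIN-03": -10,
    "DOMAIN-04": -25,
    "DOMAIN-05": -20,
    "DOMAIN-06": -5,
}

# Star ratings copied from the sample audit report (2/6 PASS).
SAMPLE_REPORT = {
    "DOMAIN-01": 2, "DOMAIN-02": 3, "DOMAIN-03": 1,
    "DOMAIN-04": 2, "DOMAIN-05": 2, "DOMAIN-06": 4,
}


@dataclass
class AuditOutcome:
    failed: list             # domain ids scored 1-2 stars
    pass_count: int          # domains scored 3+ stars
    ir_modifiers: list       # separate -1 modifiers carried into IR
    raw_dr_penalty: int      # sum of per-domain DR penalties, before the cap
    applied_dr_penalty: int  # after the -30 cap
    dr_budget: int           # DR starting budget after the penalty


def failed_domains(stars):
    """Return the ids of domains below the PASS threshold, validating the scorecard."""
    missing = set(DR_PENALTIES) - set(stars)
    if missing:
        raise ValueError(f"scorecard is missing domains: {sorted(missing)}")
    for domain, rating in stars.items():
        if domain not in DR_PENALTIES:
            raise ValueError(f"unknown domain id: {domain}")
        if not 1 <= rating <= 5:
            raise ValueError(f"{domain}: star rating must be 1-5, got {rating}")
    return [d for d, r in stars.items() if r < PASS_THRESHOLD]


def apply_cap(raw_penalty, cap=PENALTY_CAP):
    """Penalties are negative numbers; the cap bounds how far below zero they go."""
    return max(raw_penalty, cap)


def resolve_audit(stars):
    """Turn a six-domain scorecard into the modifiers the TO carries forward."""
    failed = failed_domains(stars)
    ir_mods = [IR_MODIFIERS[d] for d in failed if IR_MODIFIERS[d] is not None]
    raw = sum(DR_PENALTIES[d] for d in failed)
    applied = apply_cap(raw)
    return AuditOutcome(
        failed=failed,
        pass_count=len(DR_PENALTIES) - len(failed),
        ir_modifiers=ir_mods,
        raw_dr_penalty=raw,
        applied_dr_penalty=applied,
        dr_budget=DR_STARTING_BUDGET + applied,
    )


if __name__ == "__main__":
    outcome = resolve_audit(SAMPLE_REPORT)
    print(f"Overall: {outcome.pass_count}/6 PASS; failed {outcome.failed}")
    for mod in outcome.ir_modifiers:
        print("IR:", mod)
    print(f"DR: raw {outcome.raw_dr_penalty}, applied {outcome.applied_dr_penalty}, "
          f"enter DR with {outcome.dr_budget} Budget")
```

For the sample report the script lists four failed domains, three separate IR modifiers (DOMAIN-04 contributes none), a raw DR penalty of -65 capped to -30, and a DR starting Budget of 20. Note that the cap only bounds the budget penalty; the IR roll modifiers stay separate and uncapped, exactly as the tables state.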


Gameplay Notes

Playing Audit Standalone

  1. Assess all 6 domains
  2. Score each domain (1-5 stars)
  3. Record findings
  4. Compile audit report
  5. Game ends: Audit complete, recommendations provided

Playing Audit as Module Lead-In

  1. Play Audit first (establish baseline)
  2. Get audit report with findings
  3. Play Incident Response (audit failures become modifiers)
  4. Play Disaster Recovery (audit failures increase costs)
  5. Narrative: Poor audit = harder subsequent modules

Audit Remediation Follow-Up (Optional)

  1. After audit report, teams can remediate findings
  2. Spend Budget to fix findings
  3. Re-assess domain (did remediation work?)
  4. Update modifiers for downstream modules

Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by domain function:
     - Blue (Infrastructure): DOMAIN-01 (Segmentation)
     - Purple (Access): DOMAIN-02 (Identity)
     - Red (Detection): DOMAIN-03 (Detection)
     - Green (Resilience): DOMAIN-04 (Backup)
     - Orange (Supply Chain): DOMAIN-05 (Vendor)
     - Yellow (Operations): DOMAIN-06 (Ops)
  3. Include assessment rubric (1-5 star descriptions and the star → PASS/FAIL mapping)
  4. Include finding templates on back of card
  5. Cut along dotted lines
  6. Audit scoring reference card: see print pack (coming)

Audit & Compliance Module: Audit Domain Assessment Cards
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition

cards/audit-compliance/expansion-deck/compliance-frameworks.md

Audit & Compliance Module: Compliance Frameworks & Remediation (Expansion)

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Overview

Compliance Framework Cards extend the Audit & Compliance module with industry-specific and regulation-specific assessment frameworks beyond the generic 6-domain audit.


Compliance Framework Variants

Organizations must often comply with specific regulatory frameworks. Each framework has slightly different focuses and requirements.


NIST Cybersecurity Framework (5 cards)

Relevance: US Federal government, critical infrastructure, government contractors
Key Standard: NIST CSF (Cybersecurity Framework), 5 functions

FRAMEWORK-NIST-01: Identify Function

Framework: NIST CSF
Function: Identify (AM - Asset Management, RM - Risk Management)
Focus: Knowing what systems/data you have and what risks they face

Assessment Criteria:
- Asset inventory (what systems exist?)
- Data classification (what data is sensitive?)
- Risk assessment (what could go wrong?)
- Threat intelligence (what are realistic threats?)

Scoring (1-5 stars):
- ⭐ (1): No asset inventory, no risk assessment
- ⭐⭐ (2): Partial inventory, informal risk assessment
- ⭐⭐⭐ (3): Complete inventory, documented risk assessment
- ⭐⭐⭐⭐ (4): Inventory regularly updated, risk assessment reviewed annually
- ⭐⭐⭐⭐⭐ (5): Real-time asset visibility, continuous risk assessment

Typical Findings:
- Unknown systems (shadow IT)
- Unclassified data (don't know what's sensitive)
- Missing risk assessment
- Risk assessment not updated

Remediation:
- Discovery tools (find all systems)
- Data classification policy
- Annual risk assessment
- Asset management system


FRAMEWORK-NIST-02: Protect Function

Framework: NIST CSF
Function: Protect (PR.AC - Identity Management & Access Control, PR.AT - Awareness & Training, PR.DS - Data Security, PR.IP - Information Protection Processes, PR.MA - Maintenance, PR.PT - Protective Technology)
Focus: Building security controls to prevent/slow attacks

Assessment Criteria:
- Access controls (only authorized users)
- Employee training (security awareness)
- Data protection (encryption, classification)
- Information protection (DLP, data loss prevention)
- Business continuity (backup, disaster recovery)

Scoring (1-5 stars):
- ⭐ (1): No controls
- ⭐⭐ (2): Basic controls (passwords)
- ⭐⭐⭐ (3): Good controls (MFA, encryption)
- ⭐⭐⭐⭐ (4): Strong controls (defense-in-depth)
- ⭐⭐⭐⭐⭐ (5): Excellent controls (comprehensive, tested)

Typical Findings:
- Weak authentication (no MFA)
- Poor training (phishing success rate >10%)
- Unencrypted data
- No backup strategy
- Defense gaps

Remediation:
- MFA deployment
- Security training program
- Encryption implementation
- Backup/DR strategy
- Penetration testing


FRAMEWORK-NIST-03: Detect Function

Framework: NIST CSF
Function: Detect (AE - Anomalies & Events, CM - Continuous Monitoring)
Focus: Detecting attacks as they happen

Assessment Criteria:
- Log monitoring (are suspicious activities logged?)
- Anomaly detection (is suspicious behavior caught?)
- Continuous monitoring (24/7 surveillance)
- Alert procedures (who responds to alerts?)
- Threat intelligence integration (using threat data)

Scoring (1-5 stars):
- ⭐ (1): No logging, no monitoring
- ⭐⭐ (2): Logging exists, limited monitoring
- ⭐⭐⭐ (3): SIEM deployed, some alerts
- ⭐⭐⭐⭐ (4): SIEM with good rules, 24/7 monitoring
- ⭐⭐⭐⭐⭐ (5): Mature SOC, threat intelligence integrated

Typical Findings:
- No SIEM deployed
- Alerts not reviewed
- No 24/7 monitoring
- Response time too slow
- Threat intel not integrated

Remediation:
- SIEM deployment
- Alert rule tuning
- SOC staffing (24/7 coverage)
- Response procedures
- Threat intel integration


FRAMEWORK-NIST-04: Respond Function

Framework: NIST CSF
Function: Respond (RS.RP - Response Planning, RS.CO - Communications, RS.AN - Analysis, RS.MI - Mitigation, RS.IM - Improvements)
Focus: Responding to breaches/attacks

Assessment Criteria:
- Incident response plan (documented procedures)
- Response team (trained, staffed)
- Communication plan (who gets told when)
- Investigation procedures (forensics)
- Post-incident review (lessons learned)

Scoring (1-5 stars):
- ⭐ (1): No incident response plan
- ⭐⭐ (2): Plan exists, not tested
- ⭐⭐⭐ (3): Plan exists, annual testing
- ⭐⭐⭐⭐ (4): Plan regularly tested, team trained
- ⭐⭐⭐⭐⭐ (5): Mature response, regular exercises, continuous improvement

Typical Findings:
- No incident response plan
- Response team not trained
- No communication plan
- Investigation procedures unclear
- No post-incident reviews

Remediation:
- Incident response plan development
- Team training
- Communication procedures
- Tabletop exercises
- Post-incident review process


FRAMEWORK-NIST-05: Recover Function

Framework: NIST CSF
Function: Recover (RC.RP - Recovery Planning, RC.IM - Improvements, RC.CO - Communications)
Focus: Recovering from breaches and improving for next time

Assessment Criteria:
- Recovery plan (how to restore systems)
- Recovery time objectives (RTO - how fast?)
- Recovery point objectives (RPO - how much data loss?)
- Backup verification (can you actually restore?)
- Lessons learned process (improve after incident)

Scoring (1-5 stars):
- ⭐ (1): No recovery plan, no backups
- ⭐⭐ (2): Backup exists, recovery not tested
- ⭐⭐⭐ (3): Recovery plan exists, tested annually
- ⭐⭐⭐⭐ (4): Recovery plan regularly tested, RPO/RTO defined
- ⭐⭐⭐⭐⭐ (5): Mature recovery, tested regularly, continuous improvement

Typical Findings:
- No recovery plan
- Backups untested (may not restore)
- RTO/RPO not defined
- Recovery team not trained
- No lessons learned process

Remediation:
- Recovery plan development
- Backup testing (quarterly)
- RTO/RPO definition
- Recovery team training
- Lessons learned process


CIS Controls (3 cards)

Relevance: General US/Canada, healthcare, financial, government
Key Standard: CIS Controls (18 prioritized security controls)

FRAMEWORK-CIS-01: Safeguards 1-6 (Foundations)

Focus: Basic security practices (asset management, access control, data protection, secure configuration)

Assessment Criteria:
- Asset management (know what you have)
- Access control (least privilege)
- Data protection (encryption)
- Secure configuration (harden systems)
- Detection tools (SIEM, antivirus)
- Training (security awareness)


FRAMEWORK-CIS-02: Safeguards 7-13 (Advanced Defenses)

Focus: Advanced controls (incident response, supply chain, defense tools)

Assessment Criteria:
- Incident response plan
- Supply chain risk
- Vulnerability management
- Application security
- Remote services security
- Testing & monitoring
- Network segmentation


FRAMEWORK-CIS-03: Safeguards 14-18 (Operations & Governance)

Focus: Operational controls (reporting, awareness, training, testing)

Assessment Criteria:
- Security awareness training
- Incident reporting
- Third-party risk management
- Penetration testing
- Secure development practices


PCI-DSS (3 cards)

Relevance: Any organization handling payment cards
Key Standard: PCI-DSS (Payment Card Industry Data Security Standard)

FRAMEWORK-PCI-01: Infrastructure Security (Requirements 1-4)

Focus: Network and system security for cardholder data

Assessment Criteria:
- Firewall configuration
- No default credentials
- Cardholder data protection
- Vulnerability scanning


FRAMEWORK-PCI-02: Access & Operations (Requirements 5-10)

Focus: Access control and operational procedures

Assessment Criteria:
- Antivirus/malware protection
- Secure system updates
- Access control & authentication
- Audit trails & logging


FRAMEWORK-PCI-03: Testing & Compliance (Requirements 11-12)

Focus: Testing, monitoring, and compliance management

Assessment Criteria:
- Security testing (penetration testing, vulnerability scanning)
- Monthly scanning
- Annual penetration testing
- Security policies
- Training
- Incident response procedures


Remediation Action Cards (8 cards)

Remediation Cards represent specific actions to address compliance findings. These can be used after an audit to remediate identified gaps.

Budget note (v2.2): these cards are the only place the Audit module's starting Budget (100, per core rules) is spent — the assessment itself costs nothing.

REMEDIATION-01: Implement MFA

Cost: 5 Budget
Timeline: 2-4 weeks
Difficulty: Low-Medium

What it does:
- Deploy multi-factor authentication for all user access
- Implement MFA for VPN, remote access, email, admin access
- Select authentication method (authenticator app, hardware token, SMS)

Prerequisites:
- Identity management system (Domain Controller, Azure AD)
- User device (phone or security key)
- Application/system support for MFA

Impact:
- Reduces DOMAIN-02 (Access Control) findings
- Makes credential attacks (T-03, T-06) harder
- Improves Incident Response and Disaster Recovery modifiers


REMEDIATION-02: Deploy SIEM

Cost: 15 Budget
Timeline: 4-8 weeks
Difficulty: Medium

What it does:
- Deploy Security Information & Event Management (SIEM)
- Configure log collection from all systems
- Create alert rules for suspicious activity
- Implement 24/7 monitoring

Prerequisites:
- Centralized logging infrastructure
- SIEM software/service (Splunk, ELK, QRadar, Azure Sentinel)
- Security personnel to manage SIEM

Impact:
- Reduces DOMAIN-03 (Threat Detection) findings
- Enables early breach detection
- Improves Incident Response investigation
- Provides audit trail for compliance


REMEDIATION-03: Implement Network Segmentation

Cost: 12 Budget
Timeline: 4-6 weeks
Difficulty: Medium-High

What it does:
- Divide network into security zones (DMZ, internal, admin)
- Deploy firewalls between zones
- Configure firewall rules for inter-zone traffic
- Implement VLANs and network isolation

Prerequisites:
- Network switches/routers capable of VLAN support
- Firewall(s) for inter-zone traffic
- Network diagram and access requirements

Impact:
- Reduces DOMAIN-01 (Network Segmentation) findings
- Prevents lateral movement (T-04 becomes harder)
- Improves Disaster Recovery (limits blast radius)
- Foundational for zero-trust architecture


REMEDIATION-04: Backup & Disaster Recovery

Cost: 10 Budget
Timeline: 2-4 weeks
Difficulty: Low-Medium

What it does:
- Implement 3-2-1 backup strategy (3 copies, 2 media, 1 offsite)
- Configure automated backups
- Test backup restoration (quarterly)
- Document recovery procedures

Prerequisites:
- Backup software/service
- Off-site storage location
- Testing schedule

Impact:
- Reduces DOMAIN-04 (Backup & DR) findings
- Enables ransomware recovery
- Improves Disaster Recovery (reduces costs)
- Supports compliance requirements


REMEDIATION-05: Security Training Program

Cost: 3 Budget
Timeline: 1-2 weeks (ongoing)
Difficulty: Low

What it does:
- Develop security awareness training curriculum
- Conduct initial training for all employees
- Implement phishing simulations
- Quarterly refresher training

Prerequisites:
- Training development (internal or vendor)
- Management buy-in (release time for employees)

Impact:
- Reduces DOMAIN-06 (Security Ops) findings
- Reduces phishing success rate
- Improves overall security culture
- Compliance requirement (most frameworks)


REMEDIATION-06: Vendor Security Assessment

Cost: 5 Budget
Timeline: 2-4 weeks
Difficulty: Low-Medium

What it does:
- Develop vendor security questionnaire
- Send questionnaires to key vendors
- Review vendor security controls
- Document vendor risk assessment
- Establish SLAs with security requirements

Prerequisites:
- Vendor list and criticality assessment
- Security questionnaire template
- Document review process

Impact:
- Reduces DOMAIN-05 (Third-Party Risk) findings
- Identifies supply chain risks
- Prevents SCENARIO-03 (Supply Chain Compromise)
- Compliance requirement (GDPR, etc.)


REMEDIATION-07: Vulnerability Management Program

Cost: 8 Budget
Timeline: 3-4 weeks
Difficulty: Medium

What it does:
- Deploy vulnerability scanning tools
- Establish patching procedures
- Configure patch management automation
- Document vulnerability remediation process

Prerequisites:
- Vulnerability scanner (Nessus, Qualys, OpenVAS)
- Patch management tools or procedures
- Prioritization process (critical vs. non-critical)

Impact:
- Reduces multiple audit findings
- Prevents PT-05 (Privilege Escalation via unpatched kernel)
- Improves overall security posture


REMEDIATION-08: Incident Response Plan & Team

Cost: 12 Budget
Timeline: 4-6 weeks (plus ongoing)
Difficulty: Medium-High

What it does:
- Develop incident response plan (procedures, contacts, escalation)
- Establish incident response team
- Conduct tabletop exercises
- Implement communication procedures

Prerequisites:
- Team designation (CISO, security analysts, IT, legal, PR)
- Plan documentation
- Training and exercises

Impact:
- Reduces DOMAIN-03 (Threat Detection) and DOMAIN-06 (Security Ops) findings
- Enables faster response in the Incident Response module
- Improves Disaster Recovery effectiveness
- Compliance requirement (nearly universal)


Using Compliance Frameworks in Gameplay

Standalone Compliance Assessment

  1. Choose one framework (e.g., NIST CSF, CIS Controls, PCI-DSS)
  2. Assess each requirement
  3. Score and document findings
  4. Develop remediation roadmap
  5. Game ends: Compliance report delivered

Framework-Specific Play

Remediation Roadmap

  1. After audit, teams identify high-priority findings
  2. Allocate budget to remediation actions
  3. Spend Budget to fix findings
  4. Re-assess after remediation
  5. Track compliance journey

Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Framework color-coding:
     - Blue (NIST): FRAMEWORK-NIST-01 to FRAMEWORK-NIST-05
     - Orange (CIS): FRAMEWORK-CIS-01 to FRAMEWORK-CIS-03
     - Red (PCI): FRAMEWORK-PCI-01 to FRAMEWORK-PCI-03
     - Green (Remediation): REMEDIATION-01 to REMEDIATION-08
  3. Include assessment rubric (1-5 stars) on each framework card
  4. Include cost/timeline/difficulty on remediation cards
  5. Cut along dotted lines

Possible Expansion: Additional Frameworks


Audit & Compliance Module: Compliance Frameworks & Remediation (Expansion)
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition

cards/print-templates/tracker-sheets.md

Tracker Sheets (Print & Play)

Version: 2.2 - Playtest Edition

Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.


Universal Tracker Sheet (all modules)

Turn Track

Cross off as each turn ends. Circle your turn limit before starting.

 1   2   3   4   5   6   7   8   9   10   11   12   13   14   15   16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]  [ ]  [ ]  [ ]  [ ]  [ ]  [ ]  [ ]

Budget Track

Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.

150 145 140 135 130 125 120 115 110 105 100  95  90  85  80  75
 70  65  60  55  50  45  40  35  30  25  20  15  10   5   0

Reputation / Score Track (0-100)

100  95  90  85  80  75  70  65  60  55  50  45  40  35  30  25  20  15  10  5  0

Uncontained Threats (Incident Response)

 0   1   2   3   4   5
[ ] [ ] [ ] [ ] [ ] [ ]      Penalty at start of turn: -5 Budget each

Forensics Module Sheet — Progress Meters

Advance each meter per card effects. Victory thresholds marked ▲.

ATTRIBUTION      0   10   20   30   40   50   60   70   80   90▲  100
TIMELINE         0   10   20   30   40   50   60   70   80▲  90   100
ATTACK CHAIN     0   10   20   30   40   50   60   70   80▲  90   100
CHAIN OF CUSTODY 0   10   20   30   40   50   60   70▲  80   90   100

Victory check (end of game):
- V1 Full Attribution: Attribution ≥90 AND Timeline ≥80
- V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70
- V3 Partial Findings: any two meters ≥70

Investigation in flight: ____ (results arrive Turn _)

Evidence collected (✓ = Analyzed, one Analyze per card):

Evidence card              Documented? (+5% CoC)   Analyzed?
________________________   [ ]                     [ ]
________________________   [ ]                     [ ]
________________________   [ ]                     [ ]
________________________   [ ]                     [ ]

Disaster Recovery Module Sheet

Crisis Progress Tracks

INVESTIGATION   0   10   20   30   40   50   60   70   80   90   100
REMEDIATION     0   10   20   30   40   50   60   70   80   90   100
COMMUNICATION   0   10   20   30   40   50   60   70   80   90   100

Stakeholder Trust (0-100%; any stakeholder at 0% = company collapses)

Stakeholder         100   80    60    40    20 (critical)   0 (LOSS)
Customers           [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Employees           [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Regulators          [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Board / Investors   [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Media / Public      [ ]   [ ]   [ ]   [ ]   [ ]             [ ]

Deadline Timeline (mark scheduled events at setup)

Turn               1      2      3      4      5      6      7      8
Scheduled event    ____   ____   ____   ____   ____   ____   ____   ____
Deadline           ____   ____   ____   ____   ____   ____   ____   ____

Deadlines to place at setup: Customers notified (recommended) · Regulator penalties begin · GDPR 72h — regulators notified

Multi-turn action in flight: ____ (completes Turn _)


Audit & Compliance Module Sheet — Scoring Worksheet

#   Domain                    Stars (1-5)   PASS (3★+) / FAIL (1-2★)   Key gap found
1   Network Segmentation      ___           ____                       ____________________
2   Identity & Access         ___           ____                       ____________________
3   Detection & Monitoring    ___           ____                       ____________________
4   Backup & Recovery         ___           ____                       ____________________
5   Cloud Security            ___           ____                       ____________________
6   Security Operations       ___           ____                       ____________________

Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).


Network Building Module Sheet — Score Sheet

Category               Points   Notes
Requirements met       ____     per requirement card
Security coverage      ____     per rules scoring table
Capability coverage    ____     per rules scoring table
Budget management      ____     per rules scoring table
TOTAL                  ____

Components placed:

Component                  Cost    Capacity used / total
________________________   ____    ____ / ____
________________________   ____    ____ / ____
________________________   ____    ____ / ____

Budget remaining: ___ / starting ___