Hardening — Print & Play Bundle · v2.2 Playtest Edition
A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0
Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.
docs/HOW_TO_PLAY.md
Version: 2.2 - Playtest Edition Read time: ~15 minutes. First game: ~45 minutes.
This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.
Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.
The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.
There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.
Every module runs on the same engine:
roll + modifiers ≥ 11.The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:
Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)
The three actions (Blue Team picks ONE per turn):
| Action | Cost | On success (roll+mods ≥ 11) |
|---|---|---|
| Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed! |
| Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = defense stays on the table and gives +2 to future rolls against any link matching its vector |
| Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty) |
The pressure (TO applies at the START of each turn): - Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not) - Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)
When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).
TURN 1. TO: "Start of turn: one attacker action is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?" Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name." TO: "That's a real methodology and a real tool — +2 and +1. Roll." Rolls 9. 9+3 = 12 ≥ 11 — success. TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago." (First success on this link — clue only. Budget: 95 - 5 = 90.)
TURN 2. TO: "Active Breach Cost, minus 5. Budget: 85." Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs." TO: "+2, +1. Roll." Rolls 10. 13 ≥ 11 — second success on the same link. TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward." Team takes Budget Grant: 85 - 5 + 10 = 90.
TURN 3. TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went." From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)
Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?
Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.
| You want... | Read |
|---|---|
| You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens |
| Exact rules for a module | docs/rules/ — core + one file per module |
| Solo/standalone setup for any module | docs/standalone-games/ |
| Every card, indexed | cards/CARD_REFERENCE.md |
| To run a playtest and report back | docs/playtesting/ |
| Variable game length & difficulty tiers | core-rules §3a |
Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR) IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15 IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+ Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150
docs/TO_GUIDE.md
Version: 2.2 - Playtest Edition Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.
The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute:
If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.
A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.
The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.
+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing. - ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated) - ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic) - ❌ "We investigate the email server thoroughly." (a location is not a method)
+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE. - ✅ "Check LSASS access events — that's Mimikatz behavior, T1003." - ❌ "We use our security tools." (no it isn't)
Rulings that keep it fair: - Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0. - Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game. - Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics"). - Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change. - One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").
Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.
| Easier (pick 1-2) | Harder (pick 1-2) |
|---|---|
| Richer clues (more specific detail per success) | Vaguer clues (accurate but terse) |
| Suggest an angle through the fiction | Expert-mode justification bar |
| Shorter chain / lower tier next game | Longer chain, expansion cards |
| Beginner budgets (module max) | Minimum budgets |
Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.
| Failure | Symptom | Fix |
|---|---|---|
| The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief |
| The Softie | Everyone always gets +2 | Re-read §4; require the mechanism |
| The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation |
| The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route |
| The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers |
| The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is |
Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.
docs/rules/core-rules.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO) (the facilitator), while all other players form Blue Teams (the Defenders).
Players choose which module(s) to play based on learning objectives:
Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.
Represent attacker actions. Each card includes:
- Title: e.g., "Phishing Campaign"
- Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
- Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
- Clue: Descriptive text for the Threat Orchestrator
- Why This Works: Educational explanation (revealed after discovery)
Deck Composition: - 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md) - 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)
Represent security controls. Each card includes: - Title: e.g., "Multi-Factor Authentication" - Countermeasure Vector: One of the six attack vectors - Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget) - Description: What the defense does and when it applies
Deck Composition: - 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md) - 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)
Examples: - BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget) - ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget) - ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)
Represent sophisticated attack techniques used in Hardening module (and potentially others).
8 Core Tactics (PT-01 to PT-08): 1. PT-01: Social Engineering - Pretexting Attack 2. PT-02: Malware Evasion - Living-off-the-Land Technique 3. PT-03: Credential Dumping - Mimikatz Attack 4. PT-04: Lateral Movement - Network Traversal 5. PT-05: Privilege Escalation - Unpatched Kernel Exploit 6. PT-06: Data Exfiltration - Unmonitored Channel 7. PT-07: Supply Chain Compromise - Trusted Software Update 8. PT-08: Insider Threat - Malicious Administrator
See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.
Simple cards providing scenario context. Examples: - Email Server - Customer Database - Domain Controller - Web Application - Backup System - Developer Workstation
Physical Components: - One 20-sided die (d20) - Turn Tracker (paper or board, counts 1-12+) - Budget Tracker (shows 0-150+) - Reputation/Security Score Tracker (shows 0-100) - Uncontained Threats Tracker (shows 0-5) - Tokens or counters (for tracking upgrades, penalties)
Optional: - Score sheets (printable or paper) - Playbook tracking sheet - Stakeholder communication log (for Disaster Recovery)
When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.
How It Works:
1. Player announces action and parameters
2. Player rolls 1d20 (one 20-sided die)
3. Compare result to target number (usually 11+) plus modifiers
4. Success if: roll + modifiers ≥ target number
Example:
Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)
What is Budget? Abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.
Budget Allocation by Module: - Network Building: Start at 40-60 (by difficulty; see module rules) - Hardening: Start at 150 (or carry over from IR) - Incident Response: Start at 100 - Disaster Recovery: Start at 50 (emergency fund) - Forensics: Start at 75 - Audit & Compliance: Start at 100 (used only for optional remediation cards)
Budget Spending: - Investigate action: 5 Budget - Deploy Defense: 10/15/25 Budget (by tier) - Emergency Response (IR): 15 Budget (v2.2; was 25) - Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed - Harden Upgrade (Hardening): 5 Budget - Create Playbook (Hardening): 10 Budget - Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0) - Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0
Budget = 0: Team loses (cannot take further actions)
Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.
Turns represent: Time passing in the game world (6 hours, 30 minutes, or abstract unit depending on module)
Turn Sequence: 1. Start of Turn: Penalties applied, trackers announced 2. Planning Phase: Team discusses strategy (2-3 min) 3. Action Phase: Execute chosen action, resolve rolls 4. End of Turn: Advance tracker, draw card, check events
Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.
Default Formula: (Attack Chain Cards × 2) + 1
This gives attackers enough time to progress realistically while keeping games manageable:
| Attack Chain | Formula | Turn Count | Session Duration |
|---|---|---|---|
| 3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play |
| 4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play |
| 5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play |
| 6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play |
How to Use Default Formula: 1. Choose number of threat cards in attack chain (3, 4, 5, or 6) 2. Apply formula: (Cards × 2) + 1 = Turn Count 3. Announce turn count to Blue Team 4. Play game normally with that turn limit
Example Setup:
"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"
Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:
Step 1: Select Attack Complexity Tier
| Tier | Turn Base | Attack Profile | Example |
|---|---|---|---|
| TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools |
| TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group |
| TIER 3 | 11-13 | Highly sophisticated | APT with operational security |
| TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group |
Step 2: Add Randomness (Optional)
Roll 1d4 for variation: - Roll 1: -1 turn (tight timeline) - Roll 2 or 3: ±0 turns (no change) - Roll 4: +1 turn (extended dwell time)
Final Turn Count = Tier Base + d4 Result
Example Advanced Setup:
"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."
These rules protect game balance and prevent metagaming:
The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.
Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.
Example Scenarios: - TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic) - TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)
When Chaos Feels Realistic: - Tight timeline: "The attacker worked faster than expected—they had prior knowledge" - Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"
Implementation: Lean into the randomness as realistic incident variability.
The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.
Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).
What Players CAN Ask: - "What are the suspicious network events?" (leads to understanding threats) - "Can we analyze the malware?" (reveals attacker sophistication through findings) - "Why did this attack succeed?" (post-game discussion)
What Players CANNOT Ask: - "Is this a TIER 2 attack?" (deriving tier from turn count) - "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)
Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.
The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.
When to Use (Rare): - Scenario setup is unusually complex (multiple attack vectors, coordination across systems) - Player group is new and needs slightly easier conditions - Real-world incident being taught had specific timeline constraints
When NOT to Use (Prefer Random): - "The roll feels unlucky" (accept the chaos) - "I want this exactly 10 turns" (let dice decide) - "The attack chain is long so it should take longer" (that's what TIER system handles)
Implementation: 1. Roll d4 normally 2. Announce rolled result 3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why 4. Document the override for consistency in future scenarios
Example Valid Use:
"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have 5-card attack chain, so I'm adding +1 modifier (explaining the discovery is methodical). Final: 8-10 turns."
Example Invalid Use:
"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)
For Beginners (Use Default Formula): - [ ] Choose attack chain length (3, 4, 5, or 6 cards) - [ ] Calculate: (Cards × 2) + 1 - [ ] Announce turn count - [ ] Play
For Advanced (Use Tier + d4): - [ ] Select TIER (1, 2, 3, or 4) - [ ] Announce TIER basis (not the number, just why it's that complexity) - [ ] Roll d4 for variation (hidden or public, your choice) - [ ] Calculate final turn count - [ ] Apply Rule 3 modifier if genuinely needed (rare) - [ ] Announce final turn count WITHOUT revealing tier
Default Formula: Turn Count = (Attack Cards × 2) + 1
Tier System: - TIER 1: 5-7 turns (simple) - TIER 2: 8-10 turns (standard) - TIER 3: 11-13 turns (advanced) - TIER 4: 14-16 turns (expert) - Add d4 roll: -1, 0, 0, or +1
Golden Rules: 1. Accept any roll (embrace chaos) 2. Never reveal tier to players 3. Modifier authority only when truly needed (rare)
All modules use the same modifier system for consistency:
Awarded when a player provides clear, specific reasoning for their action using real security concepts.
Examples: - "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds" - "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques" - "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"
Criteria: - References specific tools (Splunk, EDR, SIEM, etc.) - Explains methodology (why this approach works) - Shows understanding of the threat being addressed
Awarded when player references actual security tools or real attack/defense techniques.
Examples: - "We'll use Wireshark to analyze the network traffic" - "We're checking for Mimikatz usage in memory" - "We're reviewing EDR telemetry" - "We're looking for this specific CVE exploitation pattern"
Criteria: - References real tools (Wireshark, EDR, Splunk, etc.) - References real techniques (MITRE ATT&CK, specific CVEs) - Shows awareness of how things actually work
When Applied: Incident Response module only, applied at START of each turn
How It Works: 1. When a threat card is revealed, add 1 to Uncontained Threats Tracker 2. At START of each turn, deduct 5 Budget per uncontained threat 3. When next card in chain is revealed, previous threat is auto-mitigated (-1 from tracker) 4. When Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)
Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.
Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.
Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden):
Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: Lateral Movement revealed → Phishing auto-mitigated (Uncontained = 1)
Turn 3: START → Deduct 5 Budget
Turn 4: Emergency Response on Lateral Movement (15 Budget) → Uncontained Threats = 0
Responsibilities: - Manage game state and track turns/budget - Describe scenarios and outcomes - Roll dice when action outcomes are uncertain - Guide the narrative
During Incident Response: - Create and manage hidden attack chain - Provide clues based on successful investigations - Control Uncontained Threats penalties - Be fair but challenging
During Other Modules: - Describe threat context and defenses - Draw Pentester Tactic cards (Hardening) - Manage timeline and deadlines (Disaster Recovery) - Guide debrief questions
Universal Tips: - Explain why actions succeed or fail - Ask clarifying questions about player strategy - Balance challenge with learning - Provide constructive feedback
Responsibilities: - Discuss strategy as a team - Choose one action per turn - Justify your decisions (gain +2 modifier) - Manage budget carefully - Learn from success and failure
Key Rule: Modifiers are additive and can stack.
Example (Hardening Module, canonical formula — v2.2):
Pentester Tactic: PT-02 Living-off-the-Land (DC 13)
Defense roll = d20
+ printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
+ hardening upgrades on that defense (+2 each; one upgrade: +2)
+ relevant playbook (+3)
Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS
Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.
| Length | Difficulty | Best For |
|---|---|---|
| 3 cards | Beginner | Learning mechanics, 30 min sessions |
| 4 cards | Intermediate | Standard play, 40 min sessions |
| 5 cards | Advanced | Challenge play, full kill chain |
| Budget | Difficulty | Best For |
|---|---|---|
| 60 | Hard | Resource scarcity, tough choices |
| 100 | Standard | Balanced play, most scenarios |
| 150+ | Easy | Strategic depth, multiple options |
| Turns | Difficulty | Best For |
|---|---|---|
| 8 | Hard | Time pressure, fast play |
| 10 | Standard | Balanced, most scenarios |
| 12 | Easy | Exploration, learning |
Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.
| Module | Primary Learning | Secondary Learning |
|---|---|---|
| Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response |
| Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture |
| Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost |
| Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling |
| Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping |
| Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization |
| Mechanic | What It Teaches |
|---|---|
| d20 roll system | Uncertainty, risk, informed decision-making |
| Budget constraints | Resource allocation, prioritization |
| Justification bonuses | Technical reasoning, tools/techniques knowledge |
| Uncontained Threats penalty | Urgency, cost of dwell time |
| Pentester Tactics | Attacker sophistication, defense limitations |
| Playbook system | Preparation, incident response planning |
| Scoring systems | Outcome measurement, quality assessment |
Implementation: - Same setup for all teams - Teams cannot share information (Incident Response) - Score comparison determines winner (Hardening) - Reputation comparison (Disaster Recovery)
Every module should include a 5-15 minute debrief with three sections:
Too Easy Signs: - Team reveals all cards/achieves goal with 40+ budget remaining - No failed rolls - No meaningful decisions required - Team is bored
Too Hard Signs: - Team is stuck/making no progress after 5 turns - Multiple consecutive failed rolls - Team frustrated rather than challenged - No learning happening
Adjustment Options: - Easier: Provide better clues, more starting budget, fewer tactics - Harder: Less specific clues, lower budget, more tactics - Faster: Shorter turn limits, simpler scenarios - Slower: More turns, more complex scenarios
For complete card descriptions, see: - Base Threat & Defense Cards cards/incident-response/core-deck/threat-defense-cards.md - Expansion Threats cards/incident-response/expansion-deck/advanced-threats.md - Expansion Defenses cards/incident-response/expansion-deck/advanced-defenses.md - All decks indexed cards/CARD_REFERENCE.md
For complete rules on each module:
For your first game: 1. Choose a module from Module Combinations 2. Read the module-specific rules 3. Read the standalone setup guide 4. Prepare your scenario 5. Play!
For multiple modules: 1. Refer to Module Combinations for recommended sequences 2. Refer to FRAMEWORK.md for modifier generation procedures 3. Play first module, generate modifiers for next 4. Continue as desired
Incident Zero: Core Rules & Mechanics v2.1 - Balanced & Refined Edition Universal rules for all modules
docs/rules/module-hardening.md
Version: 2.2 - Playtest Edition Module Duration: 20-45 minutes (standalone or after Incident Response) Prerequisites: None (can play standalone) or completion of Incident Response module Learning Focus: Defense-in-depth, security architecture, proactive hardening, layered controls
The Hardening Module teaches players how to build multi-layered security controls that work together to protect critical systems. Players transition from reactive incident response to proactive security design.
This module can be: - Standalone: Play alone with generated threat context - Continuation: Follow a successful Incident Response (players harden against discovered threats) - Paired: Combined with other modules for complete security lifecycle training
| Aspect | Incident Response | Hardening |
|---|---|---|
| Focus | Detect hidden threats | Build defenses against known threats |
| Time Pressure | High (variable turn limit, 100 budget) | Lower (7 turns, carries budget forward) |
| Actions | Investigate, Deploy, Emergency Response | Deploy, Upgrade, Playbook, Test |
| Rolls Needed | Investigation & Defense deployments | Test & Drill and Pentester defense rolls |
| Scoring | Detection efficiency | Defense layering & breadth |
| Threats | Hidden chain | Known vectors, Pentester tactics |
Generate threat context from scratch (v2.2 — one standard procedure): - Roll 1d6 for each of the six threat vectors (SOCIAL_ENGINEERING, WEB_EXPLOIT, CREDENTIAL_ABUSE, MALWARE, NETWORK, DATA_EXFIL): - 1-2: No notable threat on this vector - 3-4: Intermediate threat on this vector - 5-6: Advanced threat on this vector - Or use Threat Orchestrator's chosen scenario - Budget: 150 (full planning allocation)
Use the attack chain that was just discovered: - All revealed threat cards now represent known attack vectors - Each vector gets a defense priority - Budget carries over (minimum 20, maximum 150) - Example: If IR revealed Phishing, Lateral Movement, and Data Exfil, you harden against those specific vectors
Threat Orchestrator describes a realistic scenario:
"Imagine your team successfully detected an attack chain: 1. Phishing campaign (SOCIAL ENGINEERING vector) 2. Lateral movement via SMB (NETWORK vector) 3. Data exfiltration (DATA EXFIL vector)
You have time to harden your network. Here are the threat vectors you need to defend against..."
cards/hardening/core-deck/defense-cards.md)cards/hardening/core-deck/pentester-tactic-cards.md)cards/network-building/core-deck/asset-cards.md)Each Blue Team receives 5 Defense Cards (drawn randomly, face down in hand)
Threat Orchestrator provides context for the hardening scenario:
"Your detection team successfully identified an attack chain. Now you have time and resources to harden your defenses to prevent similar attacks in the future. Here's what you're defending against and what assets are at risk..."
The Hardening module runs 7 turns at every difficulty level (v2.2 — difficulty scales through the number of Pentester Tactics, not the turn count). One action per turn.
START OF TURN - Announce turn number: "Hardening Turn 3..." - Announce remaining Budget - Declare any Pentester Challenge scheduled for this turn
PLANNING PHASE (2-3 minutes) - Team discusses hardening strategy - Decides which action to take this turn - Prepares for any mid-turn Pentester Challenge
ACTION PHASE - Execute chosen action (see below) - Resolve rolls if applicable - Update trackers
END OF TURN - Advance turn counter - Draw 1 new Defense Card - Check if Pentester Challenge occurs (typically turn 3-4)
Cost: 10/15/25 Budget (based on card tier) Roll Required: None—automatic success
How it works: 1. Choose a Defense Card from your hand 2. Announce which Asset or threat vector it protects 3. Place card on the table (face up) 4. Optional: Explain the deployment strategy (enhances learning but not required)
Effect: - Defense is immediately active and deployed - Counts toward Security Score (5 points per defense) - Cannot be undone (represents permanent security improvement) - Stays on board for remainder of module and beyond (if continuing)
Quick-Win Rule (v2.2): You may deploy up to 2 BASIC-tier defenses as a single action (pay 10 Budget each). This keeps foundational hygiene affordable within the 7-turn limit.
Examples: - Deploy Multi-Factor Authentication (ADVANCED - 15 Budget) on VPN access - Deploy EDR on all workstations (ADVANCED - 15 Budget) - Deploy Data Loss Prevention (DLP) on network gateways (ADVANCED - 15 Budget) - Deploy Email Authentication (BASIC - 10 Budget) and User Security Training (BASIC - 10 Budget) together as one action (v2.2 Quick-Win)
Strategic Notes: - BASIC defenses (10 Budget) are cheaper but carry smaller printed bonuses against Pentester Tactics - ADVANCED defenses (15 Budget) provide good balance of cost/effectiveness - ELITE defenses (25 Budget) are expensive but carry the largest printed bonuses against Pentester Tactics
Cost: 5 Budget per upgrade Roll Required: None
How it works: 1. Choose a Defense Card already deployed (earlier this game, or carried over from Incident Response) 2. Pay 5 Budget 3. Mark defense with +2 effectiveness bonus (track on paper) 4. Optional: Describe the hardening (e.g., "Tuning behavioral analytics in EDR")
Effect: - Defense effectiveness increases by +2 - Bonuses stack (EDR with three upgrades = +6 total) - Counts toward Security Score (2 points per upgrade) - Makes defense more resistant to Pentester Tactics
Examples of Hardening: - "Harden our MFA by requiring hardware tokens instead of SMS" → MFA now has +2 - "Enhance Network Segmentation with microsegmentation inside critical zones" → NS now has +2 - "Improve SIEM with threat intelligence integration" → SIEM now has +2
Strategic Value: - Fewer, well-hardened defenses can beat many basic ones - Upgrades compound: 3 upgrades on one defense = +6 bonus - Cost-effective way to improve security posture without full new deployments
Cost: 10 Budget per playbook Roll Required: None Limit (v2.2): Maximum 2 playbooks per game
How it works: 1. Choose a specific threat vector you want to prepare for (SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL) 2. Write a 1-2 sentence playbook describing your response plan 3. Place playbook on the table with vector marked 4. When an attack using this vector occurs, you get one-time +3 bonus to your defense roll
Effect: - Provides one-time +3 bonus to defense roll when matching vector is attacked - Playbook is discarded after use (one-time only) - Counts toward Security Score (10 points per playbook) - Forces strategic thinking about which threats matter most
Example Playbooks: - SOCIAL ENGINEERING: "Credential Compromise Response - Forced MFA re-authentication and access token revocation across all systems" - MALWARE: "Ransomware Response - Immediate backup isolation, network segmentation, and process termination" - NETWORK: "Lateral Movement Detection - Real-time network behavior analysis and suspicious SMB activity alert protocol" - DATA EXFIL: "Data Theft Response - DLP block, endpoint containment, and forensic image capture" - WEB EXPLOIT: "Web Attack Response - Immediate application firewall rule deployment and vulnerable component isolation"
Strategic Considerations: - Playbooking is expensive (10 Budget) but provides large bonus (+3) - You can only use each playbook once, and only create two per game (v2.2) — plan carefully - Encourages predicting which threats are most dangerous - Reflects real-world incident response playbook development - Playbooks alone cannot win the game: victory requires at least 4 deployed defenses (v2.2)
Cost: 0 Budget (represents time investment) Roll Required: 11+ on d20
How it works: 1. Announce you're conducting a security drill 2. Choose one or more deployed defenses to test 3. For each defense, roll 1d20 4. Defenses with roll 11+ are successful; 10 or less fail
Effect: - Successful tests: Defense works properly (tracked as "tested") - Failed tests: Implementation issues found (no penalty, but noted) - Tests don't contribute to final score but provide confidence - Teaches the importance of validation and testing
Educational Value: - Reflects real-world practice of security testing - Validates that deployments actually work - Low-cost way to use budget on preparation vs. initial deployment
Typically after turn 3 or 4, once teams have deployed initial defenses.
Timing Options: - Per turn: One Pentester Tactic drawn each turn (turns 3-6) - Multiple attacks: 2-4 Pentester Tactics total (depends on difficulty) - Final challenge: All remaining Tactics drawn at end of turn 6
(v2.2) The Hardening module uses the standard Pentester Tactic deck, PT-01 to PT-08, defined in cards/hardening/core-deck/pentester-tactic-cards.md. Each card is a realistic red-team technique with a printed DC (difficulty class) and a list of printed defense bonuses for specific Defense Cards.
| Card | Tactic | Target Vectors | Difficulty | Primary Defense |
|---|---|---|---|---|
| PT-01 | Social Engineering - Pretexting Attack | SOCIAL_ENGINEERING, CREDENTIAL_ABUSE | BASIC (DC 12) | D-02 User Training |
| PT-02 | Malware Evasion - Living-off-the-Land | MALWARE, CREDENTIAL_ABUSE | INTERMEDIATE (DC 13) | D-08 EDR |
| PT-03 | Credential Dumping - Mimikatz | CREDENTIAL_ABUSE, MALWARE | INTERMEDIATE (DC 13) | D-16 Credential Guard |
| PT-04 | Lateral Movement - Network Traversal | NETWORK, CREDENTIAL_ABUSE | INTERMEDIATE (DC 13) | D-09 Network Segmentation |
| PT-05 | Privilege Escalation - Unpatched Kernel Exploit | MALWARE, WEB_EXPLOIT | ADVANCED (DC 14) | D-03 Patch Management |
| PT-06 | Data Exfiltration - Unmonitored Channel | DATA_EXFIL, NETWORK | ADVANCED (DC 14) | D-11 DLP |
| PT-07 | Supply Chain Compromise - Trusted Update | MALWARE, WEB_EXPLOIT | ADVANCED (DC 14) | D-08 EDR / D-13 Threat Hunting |
| PT-08 | Insider Threat - Malicious Administrator | CREDENTIAL_ABUSE, DATA_EXFIL, NETWORK | EXPERT (DC 15) | D-22 SIEM / D-20 Zero Trust |
For expansion play, 8 additional tactics (PT-09 to PT-16) are available in cards/hardening/expansion-deck/advanced-tactics.md.
When a Pentester Tactic Card is drawn:
1. Threat Orchestrator Describes the Attack
Example (PT-01): "A pentester calls your IT helpdesk impersonating a VIP executive, demanding emergency access to critical systems..."
2. Blue Team Chooses ONE Deployed Defense to Resolve With
Example: "We resolve this with our User Security Training (D-02) — staff are trained to verify callers."
3. Roll the Defense Roll
Defense roll = d20 + printed defense bonus for the chosen defense (from the tactic card's bonus list) + hardening upgrades on that defense (+2 each) + relevant playbook (+3, one-time, matching vector)
Success if the total ≥ the tactic card's printed DC.
Notes: - Only ONE defense's printed bonus applies per roll. If your chosen defense isn't on the tactic's bonus list, its printed bonus is +0 (upgrades and playbooks still apply). - Multi-vector or multi-phase tactics (e.g., PT-09): resolve each vector/phase as a separate roll, one chosen defense per roll. - Playbooks are discarded after use.
4. Worked Example
Tactic: PT-01 Social Engineering - Pretexting (DC 12)
Chosen defense: D-02 User Security Training (printed bonus +2 vs PT-01)
D-02 has 1 hardening upgrade (+2)
SOCIAL ENGINEERING playbook available (+3)
Roll 1d20 = 7
Total = 7 + 2 (printed) + 2 (upgrade) + 3 (playbook) = 14
14 ≥ DC 12 → SUCCESS. Playbook is discarded.
5. Outcome
(v2.2: the old -10 Reputation penalty has been removed from Hardening — failed defenses simply score nothing and trigger the card's printed consequence. Reputation remains a Disaster Recovery mechanic.)
Security Score = (Defenses Deployed × 5)
+ (Hardening Upgrades × 2)
+ (Playbooks Created × 10) [max 2 playbooks]
+ (Pentester Tactics Defended × 5)
+ (Budget Remaining / Starting Budget) × 10
Turn 1: Deploy D-01 Email Auth + D-02 User Training (2 BASIC as one action) -20
Turn 2: Deploy D-04 Firewall Rules + D-19 Backup & DR (2 BASIC) -20
Turn 3: Deploy D-08 EDR (ADVANCED) -15
→ PT-02 strikes: defended ✓
Turn 4: Deploy D-09 Network Segmentation (ADVANCED) -15
Turn 5: Create MALWARE playbook -10
→ PT-01 strikes: defended ✓
Turn 6: Harden D-08 EDR (+2) -5
Turn 7: Deploy D-11 DLP (ADVANCED) -15
→ PT-06 strikes: defended ✓ (D-11's printed +4 bonus vs DC 14 carried the roll)
Budget spent: 100 → 50 remaining
Defenses Deployed: 7 × 5 = 35 points
Hardening Upgrades: 1 × 2 = 2 points
Playbooks Created: 1 × 10 = 10 points
Tactics Defended: 3 × 5 = 15 points
Budget Efficiency: (50/150) × 10 ≈ 3 points
─────────────────────────────────────
FINAL SECURITY SCORE: 65 points → Strong (Victory)
| Score | Level | Interpretation | Real-World Equivalent |
|---|---|---|---|
| 75+ | Exceptional | Enterprise-grade security posture | Large financial institution |
| 60-74 | Strong | Comprehensive defense-in-depth | Mid-market company |
| 45-59 | Adequate | Basic layered protection | Startup/small business |
| 30-44 | Weak | Minimal defenses, significant gaps | Under-resourced organization |
| Below 30 | Vulnerable | Inadequate protection, likely to fail | High-risk organization |
Blue Team Wins Hardening if ALL of: - Final Security Score ≥ 60 (strong, comprehensive defense-in-depth) - AND at least 4 defenses deployed (playbooks and upgrades alone cannot win) - AND majority of Pentester Tactics defended against (defenses actually work)
Interpretation: Team successfully built layered, effective defenses within constraints.
Blue Team Loses Hardening if: - Final Security Score < 45 (inadequate overall protection) - OR Budget exhausted before completing hardening strategy - OR majority of Pentester Tactics succeeded (defenses aren't effective)
Interpretation: Defenses are insufficient against realistic threats.
Scores between 45 and 59 that meet the tactic/defense requirements count as a partial success — adequate protection with room to improve.
All difficulty levels run 7 turns (v2.2); difficulty scales via Pentester Tactic count.
Too Easy: - Teams deploy 8+ defenses with large budget remaining - Almost all Pentester Tactics fail - No meaningful decisions required - Game feels trivial
Too Hard: - Teams can only afford 3-4 defenses with budget exhausted - Almost all Pentester Tactics succeed - Team feels overwhelmed - Frustration rather than learning
Just Right (within 7 actions and 150 Budget): - Teams deploy 5-7 defenses with some budget remaining (the Quick-Win rule for BASIC pairs makes this achievable) - 50-70% of Pentester Tactics fail (defenses work) - Teams debate priorities and trade-offs - Players learn through strategic choices
Adjustments: - Lower budget (100) for harder game - Higher budget (200) for easier game - Fewer/more Pentester Tactics - Provide feedback: "Your defenses are working well" or "Your SIEM isn't catching these"
Timing: Draw first tactic after turn 3-4 (let teams deploy initial defenses)
Narrative: Always frame tactics as specific scenarios: - "Your red team just attempted a supply chain attack..." - "An advanced attacker is using living-off-the-land techniques..." - "A coordinated insider attack is beginning..."
Strategy: Escalate difficulty - Turns 1-2: No tactics (deployment phase) - Turn 3: First tactic (softer: PT-01, DC 12) - Turn 4: Second tactic (medium: PT-02 to PT-04, DC 13) - Turn 5+: Third/fourth tactics (harder: PT-05 to PT-08, DC 14-15)
Defense-in-Depth: When a chosen defense earns only a +0/+1 printed bonus, discuss why layers matter Cost-Benefit: Teams overspend on Elite defenses; discuss Advanced alternatives Upgrades: Teams ignore upgrades; show how +2 bonuses compound Playbooks: Teams underestimate playbooks; demonstrate their power (+3 bonus) — and note the 2-per-game cap
| Learning Goal | How Module Teaches It |
|---|---|
| Defense-in-depth concept | Deploy multiple layers, see some fail while others succeed |
| Resource prioritization | Limited budget forces choices between defenses |
| Trade-offs in security | BASIC cheap but weak vs. ELITE expensive but strong |
| Proactive vs. reactive | Hardening teaches prevention vs. IR's response focus |
| Layering effectiveness | Pentester Tactics show how weak defenses alone fail |
| Incident playbooks | Playbook mechanic teaches the value of preparation |
| Security architecture | Thoughtful defense selection teaches how to think architecturally |
| Cost-benefit analysis | Every budget point spent has consequences |
| Action | Cost | Roll | Effect | Score |
|---|---|---|---|---|
| Deploy Defense | 10/15/25 | None | Active immediately (up to 2 BASIC per action, v2.2) | +5 each |
| Harden Upgrade | 5 | None | +2 effectiveness | +2 |
| Create Playbook | 10 | None | One-time +3 bonus (max 2 per game, v2.2) | +10 |
| Test & Drill | 0 | 11+ | Validates defense | +0 |
Pentester defense roll (v2.2): d20 + printed bonus (one chosen defense) + upgrades (+2 each) + playbook (+3) ≥ tactic DC. Each tactic defended: +5 Score.
After Winning Hardening: - Continue to Incident Response (test your defenses) - Continue to Audit & Compliance (verify your hardening) - Play again with new threat vectors
After Losing Hardening: - Replay with different strategy - Try higher budget variation - Study which Pentester Tactics caused most losses - Plan for those tactics in next iteration
Changes for playtesters to validate, and why they were made:
cards/hardening/core-deck/pentester-tactic-cards.md. This removes duplicate, conflicting tactic definitions (including a "Persistence Expert" tactic that referenced a nonexistent PERSISTENCE vector).Designer note — why playbook spam can't win (v2.2 math): - Playbook-spam strategy: 2 playbooks (cap) = 20 pts; 0 defenses = 0 pts; with no deployed defenses every Pentester roll is d20 + 0 (+3 once per playbook) vs DC 12-15, so expect ~1 of 3 tactics defended = 5 pts; budget efficiency (130/150) × 10 ≈ 9 pts. Total ≈ 34 — below the 60 threshold, and it fails the ≥4-defenses gate regardless. Cannot win. - Balanced layered strategy: 7 defenses (35) + 1 upgrade (2) + 1 playbook (10) + 3 of 3 tactics defended (15) + budget efficiency (50/150 × 10 ≈ 3) = 65 → Victory. See the worked example above.
Hardening Module - Complete Rules Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
docs/standalone-games/hardening.md
Version: 2.2 - Playtest Edition Duration: 30-45 minutes Players: 1 Threat Orchestrator + 2-4 Blue Team members Best For: Defense architecture training, security design, proactive hardening practice
The Hardening Module teaches players how to build defense-in-depth—layered security controls that work together to protect critical systems. Players deploy defenses strategically, harden existing controls, and defend against pentester challenges.
This module focuses on proactive security rather than reactive incident response.
All difficulty levels run 7 turns, one action per turn (v2.2). Difficulty scales via Pentester Tactic count.
| Difficulty | Budget | Turn Limit | Pentester Tactics | Best For |
|---|---|---|---|---|
| Beginner | 150 | 7 turns | 2 cards | First-time, teaching defense concepts |
| Intermediate | 150 | 7 turns | 3 cards | Standard play, balanced challenge |
| Advanced | 150 | 7 turns | 4 cards | Experienced players, comprehensive test |
Option A: Hypothetical Threat (Solo) Threat Orchestrator describes a realistic threat scenario:
"Imagine your team successfully detected an attack last month. The attacker started with a phishing email, moved laterally through the network via SMB, and escalated privileges using a kernel exploit. Now you have time to harden your defenses. Here's the threat profile you need to defend against..."
Option B: Follow from Incident Response Module If continuing from Incident Response: - Use the attack chain that was just played - Players now design defenses against those specific threats - Discovered vectors guide defense selection
Option C: Generate Threat Vectors Randomly (v2.2 — one standard procedure) Roll 1d6 for each of the six threat vectors to determine which threats you must defend against (1-2 = no notable threat, 3-4 = intermediate threat, 5-6 = advanced threat): - Roll 1d6 for SOCIAL ENGINEERING threats - Roll 1d6 for WEB EXPLOIT threats - Roll 1d6 for CREDENTIAL ABUSE threats - Roll 1d6 for MALWARE threats - Roll 1d6 for NETWORK threats - Roll 1d6 for DATA EXFIL threats
cards/network-building/core-deck/asset-cards.md)Each turn represents time allocated to hardening (15-30 minutes of planning work per turn).
TURN SEQUENCE:
1. START OF TURN - Read turn number aloud ("Hardening Turn 1...") - Remaining budget announced
2. BLUE TEAM'S TURN (2-3 minutes discussion) - Discuss which hardening action to take - Decide strategy (deploy new defense, upgrade existing, create playbook)
3. ACTION EXECUTION - Perform chosen action - No roll needed for deployment (see below for when rolls occur) - Update trackers
4. END OF TURN - Advance Turn Tracker by 1 - Draw 1 new Defense Card - Check if mid-game Pentester Challenge should occur
Cost: 10/15/25 Budget (by tier) Roll Required: None—automatic success
How it works: 1. Choose a Defense Card from your hand 2. Announce which Asset or threat vector it defends 3. Explain strategy (optional but encouraged): "Why are we deploying this defense?" 4. Card is placed on the table (face up)
Outcome: - Defense is immediately active - No roll needed - All deployed defenses contribute to final Security Score
Quick-Win Rule (v2.2): You may deploy up to 2 BASIC-tier defenses as a single action (pay 10 Budget each).
Note (v2.2): The core deck contains one copy of each defense (D-01 to D-24), so each defense can only be deployed once per game. If you want duplicate deployments (e.g., two MFA implementations on different systems), print a second copy of the deck and house-rule it.
Cost: 5 Budget per upgrade Roll Required: None
How it works: 1. Choose a Defense Card already deployed (from this turn or previous) 2. Pay 5 Budget 3. Mark defense with +2 effectiveness bonus (track on paper next to the card) 4. Optionally explain: "We're improving this defense by..."
Examples of hardening: - "Hardening our EDR deployment by tuning behavioral analytics and adding threat intel integration" → EDR now has +2 bonus - "Hardening our MFA implementation by enabling hardware token requirements" → MFA now has +2 bonus - "Hardening Network Segmentation by adding microsegmentation within critical zones" → Network Seg now has +2 bonus
Strategic Value: - Each upgrade adds +2 to the defense's effectiveness - Upgrades can stack (e.g., MFA with +2, +2, +2 = +6 total) - Upgraded defenses are more likely to survive Pentester Tactics
Cost: 10 Budget per playbook Roll Required: None Limit (v2.2): Maximum 2 playbooks per game
How it works: 1. Choose a specific threat vector you want to prepare for 2. Write a 1-2 sentence playbook describing your response: (e.g., "Ransomware Outbreak Response: Immediate backup isolation, network segmentation, and access revocation") 3. Place playbook card on the table 4. When a Pentester uses a matching vector later, you get +3 bonus to your defense roll
Example Playbooks: - "Credential Compromise Incident: Forced MFA re-authentication and access token revocation" - "Supply Chain Attack Detection: Monitor unusual DNS and C2 beaconing patterns" - "Insider Threat Response: Behavioral analytics review and privileged access audit" - "Ransomware Response: Immediate backup isolation and network segmentation"
Strategic Value: - Playbooks cost more (10 Budget) but provide larger bonus (+3) - Limited use (one-time per playbook, then discarded after use; max 2 per game) - Forces teams to predict which threats are most dangerous - Playbooks alone cannot win: victory requires at least 4 deployed defenses (v2.2)
Cost: 0 Budget (represents time, not money) Roll Required: 11+ on d20
How it works: 1. Announce you're conducting a drill/test of deployed defenses 2. Choose one or more deployed defenses to test 3. Roll 1d20 for each defense 4. Each defense with roll of 11+ succeeds; 10 or less fails
Outcome: - Success: Defense works properly; mark it as "tested" (contributes extra points at end) - Failure: Defense has implementation issues; no penalty, but doesn't count toward testing bonus
Strategic Value: - Free way to validate defenses - Successful tests add confidence (and points) but don't guarantee success against real attacks - Encourages thinking about deployment validation (realistic practice)
After turn 3 or 4, the Threat Orchestrator draws a Pentester Tactic Card (PT-01 to PT-08, see cards/hardening/core-deck/pentester-tactic-cards.md) and launches a simulated attack.
1. TO Describes the Attack Scenario Example (PT-02): "Your red team delivered a payload that uses only built-in Windows tools — living-off-the-land. Can your defenses detect it?"
2. Blue Team Chooses ONE Deployed Defense to Resolve With Team selects one deployed defense to defend against this attack
3. Roll the Defense Roll
Defense roll = d20 + printed defense bonus for the chosen defense (from the tactic card's bonus list) + hardening upgrades on that defense (+2 each) + relevant playbook (+3, one-time, matching vector)
Success if the total ≥ the tactic card's printed DC (DC 12-15 for PT-01 to PT-08).
If the chosen defense isn't on the tactic's bonus list, its printed bonus is +0 (upgrades and playbooks still apply). Multi-vector tactics: two separate rolls, one defense each.
4. Outcome - Success: Defense holds; count as a Pentester Tactic Defended (+5 Security Score) - Failure: Attack succeeds; apply the consequence printed on the tactic card; no score for this tactic
Optional: Play multiple pentester tactics (2-4 total) across turns 3-6.
Defenses Deployed: Count × 5 points
Hardening Upgrades: Count × 2 points
Playbooks Created: Count × 10 points [max 2 playbooks per game]
Pentester Tactics Defended: Count × 5 points
Budget Efficiency: (Remaining Budget / Starting Budget) × 10 points
EXAMPLE (150 starting budget, 7 turns):
- 7 defenses deployed (two turns used the 2-BASIC Quick-Win): 35 points
- 1 hardening upgrade: 2 points
- 1 playbook created: 10 points
- 3 of 3 pentester tactics defended: 15 points
- 50 budget remaining (spent 100): (50/150) × 10 ≈ 3 points
────────────────────────────
TOTAL SECURITY SCORE: 65 points → Strong (Victory)
| Score | Level | Interpretation |
|---|---|---|
| 75+ | Exceptional | Enterprise-grade security posture; sophisticated threat preparedness |
| 60-74 | Strong | Mid-market ready; layered, comprehensive defenses |
| 45-59 | Adequate | Startup-level protection; covers main attack vectors |
| 30-44 | Weak | Minimal protection; significant gaps remain |
| Below 30 | Vulnerable | Inadequate defenses; likely to fail against sophisticated attacks |
Blue Team Wins Hardening if ALL of: - Final Security Score ≥ 60 (strong layered defenses) - AND at least 4 defenses deployed (playbooks and upgrades alone cannot win) - AND majority of Pentester Tactics were successfully defended against
Blue Team Loses Hardening if: - Final Security Score < 45 (inadequate protection) - OR Budget exhausted before defenses were deployed - OR majority of Pentester Tactics succeeded despite defenses
Scores of 45-59 that meet the tactic/defense requirements count as a partial success.
PART 1: DEFENSE STRATEGY (3 min) 1. "How did you prioritize which defenses to deploy first?" 2. "What layers of defense work best together?" 3. "Did the Pentester Tactics reveal gaps? Which ones?"
PART 2: RESOURCE MANAGEMENT (2 min) 1. "Did you run out of budget? Would more budget have helped?" 2. "Which defenses provided the best value (cost vs. effectiveness)?" 3. "Would you have allocated budget differently?"
PART 3: PENTESTER RESULTS (2-3 min) 1. "Which Pentester Tactic was most surprising?" 2. "Which defense was most valuable against attacks?" 3. "How would you harden further given unlimited budget?"
PART 4: REAL-WORLD APPLICATION (2 min) 1. "If you were hardening your actual organization, what would you deploy first?" 2. "Why is defense-in-depth difficult in practice?" 3. "What's the hardest part of maintaining layered security?"
Too Easy: - Teams deploy 8+ defenses with budget to spare - All Pentester Tactics fail - No difficult decisions required
Too Hard: - Teams can only afford 3-4 defenses - Most Pentester Tactics succeed - Team feels overwhelmed
Just Right: - Teams deploy 5-7 defenses with some budget left - 50-70% of Pentester Tactics fail - Teams debate defense priorities
Adjust by: - Starting budget (120, 150, or 180) - Number of Pentester Tactics (2, 3, or 4) - Defense card availability (more common defense draws)
Narrative framing: "Your red team has tested your defenses..."
If multiple teams are hardening simultaneously: - All teams get same starting threat vectors - All teams draw from same card deck (or equivalent decks) - Highest Security Score wins - Tiebreaker: Most Budget remaining
Threat Vector: SOCIAL ENGINEERING Budget: 150 Pentester Tactics: 2
Setup: "Your team detected a phishing attack. Now harden against social engineering threats."
Suggested defenses: - D-01: Email Authentication Setup (BASIC) - D-02: User Security Training (BASIC) - D-07: Multi-Factor Authentication (ADVANCED) - D-20: Zero Trust Access Control (ELITE)
Threat Vectors: MALWARE, DATA EXFIL, NETWORK Budget: 150 Pentester Tactics: 3
Setup: "A ransomware variant targeted your industry. Prepare your defenses."
Key defenses: - D-08: EDR (Endpoint Detection & Response) - D-11: Data Loss Prevention (DLP) - D-09: Network Segmentation - D-15: Deception Technology (Honeypots) - D-19: Backup & Disaster Recovery - D-23: IR Program & Runbooks
Threat Vectors: All 6 (SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, DATA EXFIL) Budget: 150 Pentester Tactics: 4
Setup: "Your enterprise faces threats across all vectors. Build comprehensive defense-in-depth."
Challenge: Defend against all six vectors with limited budget
Duration: 45-60 minutes - Start with Budget: 200 (more resources) - Play 9 turns instead of 7 (more time) - 4-5 Pentester Tactics (more challenges) - Raise the playbook cap from 2 to 3
Focus on layering: - Each turn, discuss why defenses work together - Create explicit layer descriptions: "Layer 1 (Prevention), Layer 2 (Detection), Layer 3 (Response)" - Score based on how well defenses complement each other
Add compliance requirement: - Teams must defend against threat vectors while meeting compliance requirements (PCI-DSS, GDPR, HIPAA) - Some defenses satisfy both security and compliance - Creates strategic depth
If you won: - Continue to Incident Response Module (as follow-up) → Test your defenses against attacks - Continue to Audit & Compliance Module → Validate your security posture
If you lost: - Replay with higher budget - Try a less complex scenario - Play Incident Response to understand what defenses are actually needed
Standalone: Play again with different threat vectors and Pentester Tactics
| Action | Cost | Effect | Roll |
|---|---|---|---|
| Deploy Defense | 10/15/25 | Defense active immediately (up to 2 BASIC per action, v2.2) | None |
| Harden Upgrade | 5 | +2 effectiveness to defense | None |
| Create Playbook | 10 | +3 bonus when used once (max 2 per game, v2.2) | None |
| Test & Drill | 0 | Validate defenses | 11+ |
Pentester defense roll (v2.2): d20 + printed bonus (one chosen defense) + upgrades (+2 each) + playbook (+3) ≥ tactic DC.
For the full list of v2.2 changes and the reasoning behind them, see the "v2.2 Playtest Edition Changes" section in Module: Hardening.
Hardening Module - Standalone Play Guide Part of Incident Zero, a modular cybersecurity board game
cards/hardening/core-deck/defense-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
These 24 Defense Cards are shared between the Incident Response and Hardening modules. In Hardening, teams deploy these same defenses to build defense-in-depth and test them against Pentester Tactics.
Note (v2.2): Tiers are grouped by section below. Card IDs are stable and do not renumber when a card's tier changes, so IDs within a section are not always contiguous.
SOCIAL_ENGINEERINGWEB_EXPLOITCREDENTIAL_ABUSEMALWARENETWORKDATA_EXFILVectors: plural convention (v2.2): Most defenses list a single vector. A few list two (marked "Vectors:"). A dual-tagged defense counts as a vector match for either listed vector.
Tier: BASIC (10 Budget) Vector: SOCIAL_ENGINEERING
Deploy SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain Message Authentication, Reporting & Conformance) to prevent email spoofing.
Effect: Blocks phishing emails claiming to be from your domain. Requires attackers to find alternative vectors.
Used Against: T-01 (Phishing Campaign)
Tier: BASIC (10 Budget) Vector: SOCIAL_ENGINEERING
Conduct phishing awareness training for all staff. Teach recognition of suspicious links, sender spoofing, urgency tactics, and credential harvesting attempts.
Effect: Reduces successful phishing rate by 70-80%. Users become your first line of defense.
Used Against: T-01, T-02 (Phishing, Watering Hole)
Tier: BASIC (10 Budget) Vector: WEB_EXPLOIT
Deploy automated Windows Update management across all systems. Establish patch deployment timelines (critical = 48 hours, high = 2 weeks).
Effect: Closes browser and kernel vulnerabilities. Prevents watering hole and exploit kit attacks.
Used Against: T-02 (Watering Hole), T-05 (Privilege Escalation)
Tier: BASIC (10 Budget) Vector: NETWORK
Deploy perimeter firewall rules to block unauthorized outbound protocols. Default-deny for unusual ports and known malware C2 domains.
Effect: Prevents early-stage lateral movement and C2 beaconing. Slows attacker reconnaissance.
Used Against: T-04 (Lateral Movement), T-09 (C2 Beaconing)
Tier: BASIC (10 Budget) Vector: MALWARE
Deploy centralized log aggregation (syslog, Splunk, ELK). Forward Windows Event Logs, firewall logs, DNS queries, and proxy logs to central SIEM.
Effect: Makes local log tampering difficult. Provides investigative visibility into attacker activities. Foundation for threat hunting.
Used Against: T-07, T-08 (Persistence attacks)
Tier: BASIC (10 Budget) Vector: MALWARE
Deploy signature-based antivirus across all endpoints. Enable automatic definition updates (daily). Configure real-time file and email scanning.
Effect: Catches known malware variants. Does not detect zero-day or polymorphic malware. Useful as part of defense-in-depth.
Used Against: T-05, T-07, T-08 (Malware-based attacks)
Tier: BASIC (10 Budget) (v2.2 — retiered from ELITE; 3-2-1 backups are fundamental hygiene) Vector: MALWARE
Implement 3-2-1 backup strategy: 3 copies of data, 2 different storage types, 1 offsite copy. Test restore procedures quarterly.
Effect: Enables rapid recovery from ransomware. Ensures data availability even if primary systems are compromised. Critical for business continuity.
Used Against: T-07, T-08, T-10, T-11, T-12 (Persistence and exfil attacks)
Tier: BASIC (10 Budget) (v2.2 — retiered from ELITE and renamed from "Incident Response Playbooks" to avoid confusion with the Hardening "Create Playbook" action) Vector: NETWORK
Establish an incident response program with detailed runbooks for common scenarios: malware infection, data exfiltration, ransomware, insider threats, supply chain compromise. Include roles, responsibilities, communication plans.
Effect: Enables faster, more coordinated response when incidents occur. Reduces confusion during high-pressure situations. Improves incident containment and recovery time.
Used Against: T-09, T-10, T-11, T-12 (All C2 & Exfil attacks)
Tier: ADVANCED (15 Budget) Vector: CREDENTIAL_ABUSE
Deploy MFA for all remote access (VPN, RDP), email, and admin portals. Use authenticator apps or hardware tokens (not SMS).
Effect: Makes compromised credentials useless without the second factor. Blocks credential stuffing attacks.
Used Against: T-03 (Compromised Credentials), T-06 (Mimikatz)
Tier: ADVANCED (15 Budget) Vector: MALWARE
Deploy EDR agent on all endpoints. Monitor process execution, file creation, registry modifications, and memory injection attempts. Enable behavioral analytics.
Effect: Detects living-off-the-land attacks (PowerShell, cmd, scheduled tasks). Provides deep visibility into attack progression.
Used Against: T-05 (Priv Esc), T-07, T-08 (Persistence)
Tier: ADVANCED (15 Budget) Vector: NETWORK
Implement VLANs and microsegmentation to separate user workstations from servers. Deploy firewall rules between segments. Implement zero-trust network access controls.
Effect: Prevents lateral movement via SMB and other internal protocols. Limits blast radius of compromise.
Used Against: T-04 (Lateral Movement), T-06 (Credential Dumping spread)
Tier: ADVANCED (15 Budget) Vector: NETWORK
Create SIEM rules to detect attack patterns: failed login spikes, privilege escalation attempts, unusual process creation, scheduled task creation, and data exfil indicators.
Effect: Correlates events across logs to detect multi-step attacks. Enables faster investigation and response.
Used Against: T-04, T-05, T-06, T-07, T-08, T-09 (Detection across entire chain)
Tier: ADVANCED (15 Budget) Vector: DATA_EXFIL
Deploy DLP to monitor outbound data transfers. Classify sensitive data (customer PII, source code, trade secrets). Block or alert on unauthorized transfers.
Effect: Prevents SQL database exfiltration and bulk data theft. Detects unusual data access patterns. Enforces data security policies.
Used Against: T-10, T-11, T-12 (Data exfiltration attacks)
Tier: ADVANCED (15 Budget) Vector: CREDENTIAL_ABUSE
Deploy enterprise password vault (CyberArk, HashiCorp Vault). Enforce strong unique passwords. Implement password rotation policies for service accounts.
Effect: Prevents credential reuse attacks. Makes credential stuffing difficult. Provides audit trail for compliance and incident investigation.
Used Against: T-03, T-06 (Credential attacks)
Tier: ADVANCED (15 Budget) (v2.2 — retiered from ELITE; IPS/WAF appliances are standard mid-tier controls) Vector: WEB_EXPLOIT
Deploy network-based IPS with exploit signatures. Monitor for known CVE exploitation patterns. Configure WAF (Web Application Firewall) rules for SQL injection, XSS, and OWASP Top 10 attacks.
Effect: Blocks exploitation attempts in transit. Prevents watering hole and web exploit attacks. Most effective when combined with patching.
Used Against: T-02 (Watering Hole), T-05 (Exploits)
Tier: ADVANCED (15 Budget) (v2.2 — retiered from ELITE; community feeds like MISP/OTX are affordable) Vectors: NETWORK, DATA_EXFIL (v2.2 — dual-tagged; counts as a match for either vector)
Subscribe to threat intelligence feeds (MISP, VirusTotal, AlienVault OTX). Integrate IOCs (Indicators of Compromise) into firewall, SIEM, and proxy. Participate in information sharing communities.
Effect: Enables faster detection of known malicious IPs and domains. Identifies emerging threats targeting your industry. Reduces detection time from days to minutes.
Used Against: T-09 (C2 Beaconing), T-10, T-11, T-12 (Exfil detection)
Tier: ELITE (25 Budget) Vector: MALWARE
Establish proactive threat hunting using MITRE ATT&CK framework. Hunt for living-off-the-land techniques, anomalous processes, suspicious registry changes, and memory injection.
Effect: Finds advanced attacks that bypass signature-based detection. Detects LSASS dumping, scheduled task persistence, and registry backdoors. Reduces dwell time significantly.
Used Against: T-05, T-07, T-08 (Advanced persistence)
Tier: ELITE (25 Budget) Vector: MALWARE
Deploy memory capture and analysis (Volatility, Memoryze). Create memory images of suspicious systems. Analyze for credential dumping, injected code, and rootkits.
Effect: Detects Mimikatz attacks and credential harvesting. Reveals attacker activities hidden from disk forensics. Critical for identifying advanced persistence mechanisms.
Used Against: T-06 (Mimikatz), T-07, T-08 (In-memory attacks)
Tier: ELITE (25 Budget) Vector: NETWORK
Deploy decoy systems (fake file servers, databases, credentials) to detect lateral movement. Create canary tokens that alert when accessed.
Effect: Any access to honeypots indicates active compromise. Detects lateral movement with zero false positives. Slows attacker progress and forces reconnaissance.
Used Against: T-04 (Lateral Movement), T-06 (Credential abuse)
Tier: ELITE (25 Budget) Vector: CREDENTIAL_ABUSE
Enable Windows Credential Guard to isolate LSASS in virtualized container. Implement UEFI Secure Boot to prevent bootkit attacks. Enable TPM attestation.
Effect: Makes Mimikatz credential dumping ineffective. Prevents bootloader manipulation. Ensures firmware integrity. Blocks entire classes of early-boot attacks.
Used Against: T-06 (Mimikatz), T-07, T-08 (Persistence)
Tier: ELITE (25 Budget) Vector: MALWARE
Deploy advanced sandboxing solution (Cuckoo, Detonate, hybrid-analysis). Analyze suspicious files/URLs in isolated environments. Generate behavioral indicators and YARA rules.
Effect: Detects zero-day malware and unknown exploits. Analyzes evasion tactics. Generates detection rules for SIEM. Prevents spread of novel malware.
Used Against: T-05 (Privilege Escalation), T-07, T-08 (Malware persistence)
Tier: ELITE (25 Budget) Vector: CREDENTIAL_ABUSE
Implement zero-trust architecture: verify every access request regardless of source. Deploy device identity, user identity, and behavior analytics. Implement conditional access policies.
Effect: Eliminates implicit trust based on network location. Even compromised devices cannot access sensitive resources without proper authentication and behavior validation.
Used Against: T-03, T-06 (Credential abuse), T-04 (Lateral movement)
Tier: ELITE (25 Budget) Vector: MALWARE
Deploy container runtime security (Falco, Sysdig). Implement image scanning for vulnerabilities. Use policy enforcement engines (OPA/Gatekeeper). Implement network policies for container segmentation.
Effect: Detects container escape attempts. Prevents vulnerable images from running. Limits lateral movement within containerized environments. Critical for modern cloud applications.
Used Against: T-05 (Priv Esc), T-04 (Lateral Movement in cloud)
Tier: ELITE (25 Budget) Vector: NETWORK
Deploy enterprise SIEM (Splunk, ELK, QRadar). Centralize logs from all sources. Implement automated correlation rules, threat intelligence integration, and incident response workflows.
Effect: Provides centralized visibility into all security events. Enables rapid threat detection and investigation. Foundation for mature incident response program.
Used Against: T-04, T-06, T-07, T-08, T-09, T-10 (Detection across entire attack chain)
Note: 24 cards total. D-24 is dual-tagged (NETWORK + DATA_EXFIL) and appears in both rows, so vector-row counts sum to 25 tags across 24 cards.
Blue Team selects a Defense Card from their hand and deploys it: - Cost: 10/15/25 Budget depending on tier - Roll Required: None—automatic success - Effect: Defense immediately becomes active and counts toward Security Score - (v2.2) Two BASIC defenses may be deployed together as a single action
When a Pentester Tactic is drawn (see Pentester Tactic Cards file), the Blue Team chooses one deployed defense to resolve it with:
Defense roll = d20 + printed defense bonus for the chosen defense (from the tactic card's bonus list) + hardening upgrades on that defense (+2 each) + relevant playbook (+3)
Success if the total is ≥ the tactic card's printed DC.
See Module: Hardening for the full resolution procedure and a worked example.
Multiple defenses work together: - BASIC defenses are cheap but carry small printed bonuses against tactics - ADVANCED defenses provide good cost/effectiveness balance - ELITE defenses are expensive but carry the largest printed bonuses against sophisticated tactics - Layering across vectors matters: each tactic card lists which defenses earn bonuses, so broad coverage means you always have a strong defense to choose
These 24 Defense Cards are the same cards used in Incident Response module. The difference in usage:
This allows educators to: - Use one physical deck for both modules - Teach defense-in-depth concepts in sequence - Show how defenses complement each other
Hardening Module: Defense Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/hardening/core-deck/pentester-tactic-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Pentester Tactic Cards are unique to the Hardening Module. These 8 cards represent real-world red team attack tactics that challenge the defenses the Blue Team has deployed.
During the Hardening module gameplay:
Tactic Type: Initial Access / Social Engineering Target Vectors: SOCIAL_ENGINEERING, CREDENTIAL_ABUSE Difficulty: BASIC (defeat DC 12)
Description: A pentester calls your IT helpdesk impersonating a VIP executive. They claim to be traveling without their laptop and need emergency access to critical systems. They pressure the helpdesk with urgency and authority. Can they bypass your security procedures?
Attack Details: - Targets: User security training gaps, process enforcement - Success indicates: Social engineering protocols aren't followed - Blue Team rolls 1d20 to resist
Defending Defenses: - D-02 (User Security Training): +2 bonus (staff trained to verify callers) - D-07 (MFA): +1 bonus (second factor still required) - D-23 (IR Program & Runbooks): +2 bonus (clear escalation procedures)
Outcome: - Blue Team Succeeds (12+): Helpdesk follows proper verification procedures, attacker is denied - Blue Team Fails: Attacker gains credentials or system access; Blue Team must deploy additional defenses
Teaching Point: Social engineering exploits human psychology and organizational process gaps. Technology alone cannot defend against this; training and procedures are essential.
Tactic Type: Persistence & Execution Target Vectors: MALWARE, CREDENTIAL_ABUSE Difficulty: INTERMEDIATE (defeat DC 13)
Description: A pentester delivers a payload that uses only built-in Windows tools (PowerShell, scheduled tasks, registry modifications, WMI) to maintain persistence and establish a beachhead. No suspicious files, no external C2 traffic—just legitimate Windows features weaponized. Can your defenses detect this?
Attack Details: - Targets: Traditional antivirus, signature-based detection - Success indicates: Blind spot in malware detection strategy - Blue Team rolls 1d20 to detect and block
Defending Defenses: - D-06 (Basic Antivirus): +1 bonus only (signatures don't catch living-off-the-land) - D-08 (EDR): +3 bonus (behavioral detection catches anomalous PowerShell/schtasks) - D-13 (Threat Hunting): +2 bonus (proactive hunting finds MITRE ATT&CK techniques) - D-14 (Memory Forensics): +2 bonus (finds injected code in memory)
Outcome: - Blue Team Succeeds (13+): EDR or threat hunting detects the attack before persistence is established - Blue Team Fails: Attacker establishes persistent access; Blue Team must escalate incident response
Teaching Point: Signature-based defenses are insufficient against sophisticated attackers. Behavioral detection and proactive hunting are essential for modern threats.
Tactic Type: Privilege Escalation / Credential Access Target Vectors: CREDENTIAL_ABUSE, MALWARE Difficulty: INTERMEDIATE (defeat DC 13)
Description: A pentester with local admin privileges attempts to dump LSASS memory and extract cached domain credentials using Mimikatz. These credentials could then be used for lateral movement and privilege escalation. Can your endpoint defenses prevent this?
Attack Details: - Targets: LSASS memory protection, credential storage hardening - Success indicates: Weak credential protection on endpoints - Blue Team rolls 1d20 to block the attack
Defending Defenses: - D-07 (MFA): +1 bonus only (doesn't protect cached credentials) - D-12 (Password Vault): +2 bonus (service accounts in vault aren't in LSASS) - D-14 (Memory Forensics): +2 bonus (detects LSASS tampering) - D-16 (Credential Guard & Secure Boot): +4 bonus (isolates LSASS in virtualized container—primary defense) - D-08 (EDR): +2 bonus (alerts on suspicious LSASS access)
Outcome: - Blue Team Succeeds (13+): Credential Guard blocks the attack or EDR detects the attempt - Blue Team Fails: Domain credentials compromised; Blue Team loses future rolls vs. credential-based attacks (-1 penalty for remaining game)
Teaching Point: Privileged credential protection is critical. Credential Guard is the gold standard for endpoint protection. Service account password rotation and vaults prevent cached credential abuse.
Tactic Type: Lateral Movement Target Vectors: NETWORK, CREDENTIAL_ABUSE Difficulty: INTERMEDIATE (defeat DC 13)
Description: A pentester with access to one workstation attempts to move laterally across your network using SMB share enumeration, pass-the-hash attacks, and exploitation of unsecured share access. Can your network architecture and controls prevent this?
Attack Details: - Targets: Network segmentation, share access controls - Success indicates: Flat network with unrestricted SMB traffic - Blue Team rolls 1d20 + architecture modifiers
Defending Defenses: - D-04 (Firewall Rules): +1 bonus (blocks some traffic, but not SMB on internal network) - D-09 (Network Segmentation): +3 bonus (restricts SMB traffic between segments) - D-10 (SIEM Correlation): +2 bonus (detects lateral movement patterns) - D-15 (Honeypots): +2 bonus (attacker triggers canary token) - D-20 (Zero Trust Access): +3 bonus (even lateral access requires authentication)
Outcome: - Blue Team Succeeds (13+): Network segmentation or honeypots stop the attack - Blue Team Fails: Attacker establishes foothold on file server or domain controller; future defense deployments cost 1.5x Budget
Teaching Point: Flat networks are indefensible. Network segmentation combined with zero-trust access controls are essential. Honeypots are low-cost but highly effective deterrents.
Tactic Type: Privilege Escalation Target Vectors: MALWARE, WEB_EXPLOIT Difficulty: ADVANCED (defeat DC 14)
Description: A pentester discovers an unpatched vulnerability in a critical Windows kernel or third-party driver. They develop a local privilege escalation exploit that elevates from user to SYSTEM privileges. Can your patch management and detection systems catch this?
Attack Details: - Targets: Patch management gaps, detection of privilege escalation - Success indicates: Unpatched systems or poor vulnerability management - Blue Team rolls 1d20 to patch or detect
Defending Defenses: - D-03 (Windows Patching): +3 bonus (prevents the vulnerability from existing) - D-05 (Log Centralization): +1 bonus (may detect unusual privilege elevation attempts) - D-08 (EDR): +3 bonus (behavioral detection alerts on privilege escalation) - D-13 (Threat Hunting): +2 bonus (proactive hunting finds unpatched systems)
Outcome: - Blue Team Succeeds (14+): Patch management or EDR prevents or detects the exploit before escalation - Blue Team Fails: Attacker gains system-level access; all subsequent attacks get +1 bonus, all defensive deployments get -1 penalty for remainder of game
Teaching Point: Patch management is one of the highest-ROI security controls. Unpatched systems are low-hanging fruit for attackers. Automated patching and vulnerability scanning are essential.
Tactic Type: Exfiltration Target Vectors: DATA_EXFIL, NETWORK Difficulty: ADVANCED (defeat DC 14)
Description: A pentester with network access attempts to exfiltrate sensitive data (customer database, source code, trade secrets) via an unmonitored channel: DNS tunneling, steganography in image uploads, or a rogue cloud storage account. Can your DLP and monitoring systems catch this?
Attack Details: - Targets: Data loss prevention, network monitoring blind spots - Success indicates: Unsupervised data channels or weak DLP enforcement - Blue Team rolls 1d20 to detect and block
Defending Defenses: - D-04 (Firewall Rules): +1 bonus (may block some exfil channels) - D-05 (Log Centralization): +1 bonus (may reveal unusual network traffic) - D-10 (SIEM Correlation): +2 bonus (detects anomalous data transfer patterns) - D-11 (DLP): +4 bonus (primary defense against data exfil) - D-22 (SIEM): +2 bonus (detects data access and transfer anomalies) - D-24 (Threat Intelligence): +1 bonus (identifies known C2 domains/IPs)
Outcome: - Blue Team Succeeds (14+): DLP or network monitoring detects and blocks the exfil attempt - Blue Team Fails: Data is exfiltrated; Blue Team immediately loses the game (breach is complete)
Teaching Point: DLP and network monitoring are essential for preventing data loss. Organizations must understand their critical data flows and monitor them accordingly.
Tactic Type: Initial Access / Persistence Target Vectors: MALWARE, WEB_EXPLOIT Difficulty: ADVANCED (defeat DC 14)
Description: A pentester compromises a software vendor that your organization trusts. They inject malicious code into a legitimate update that your organization automatically deploys. The malware is signed with the vendor's legitimate certificate. Can you detect and prevent this?
Attack Details: - Targets: Update management, supply chain security, behavioral detection - Success indicates: Over-trust in vendor updates, poor verification procedures - Blue Team rolls 1d20 to detect or prevent
Defending Defenses: - D-03 (Windows Patching): +0 bonus (legitimate patch—can't be distinguished) - D-06 (Antivirus): +1 bonus only (legitimate signature—won't help) - D-08 (EDR): +3 bonus (behavioral detection catches malicious activity after installation) - D-13 (Threat Hunting): +2 bonus (proactive hunting for suspicious post-update behavior) - D-17 (Malware Sandbox): +2 bonus (detonates update before deployment) - D-21 (Container Security): +2 bonus (prevents compromise spread in containerized environments)
Outcome: - Blue Team Succeeds (14+): EDR or threat hunting detects malicious behavior before widespread compromise - Blue Team Fails: Supply chain compromise spreads across organization; -2 penalty to all defense rolls for remainder of game
Teaching Point: Trust is not security. Even legitimate vendors can be compromised. Behavioral detection, code signing verification, and staged rollouts are essential.
Tactic Type: Privilege Abuse / Data Exfiltration Target Vectors: CREDENTIAL_ABUSE, DATA_EXFIL, NETWORK Difficulty: EXPERT (defeat DC 15)
Description: A pentester acts as a disgruntled administrator with legitimate system access. They use their privileges to bypass security controls, disable logging, create backdoor accounts, and exfiltrate sensitive data. Can your controls prevent insider threats?
Attack Details: - Targets: Administrative account monitoring, privilege abuse detection - Success indicates: Weak monitoring of privileged access, overly broad admin permissions - Blue Team rolls 1d20 to detect and prevent
Defending Defenses: - D-05 (Log Centralization): +2 bonus (immutable offsite logs prevent tampering) - D-07 (MFA): +1 bonus (makes it harder to create backdoor accounts) - D-10 (SIEM Correlation): +2 bonus (detects unusual admin activity patterns) - D-12 (Password Vault): +2 bonus (requires approval/audit for privileged access) - D-20 (Zero Trust Access): +3 bonus (even admins require proper authorization for sensitive access) - D-22 (SIEM): +3 bonus (behavioral analytics detect insider threats) - D-23 (IR Program & Runbooks): +1 bonus (clear escalation for suspicious admin activity)
Outcome: - Blue Team Succeeds (15+): Monitoring detects unauthorized admin activity before damage - Blue Team Fails: Insider exfiltrates data and disables controls; Blue Team loses game immediately and additional penalties apply to Disaster Recovery module (if played next)
Teaching Point: Insider threats are one of the hardest problems in security. Prevention is impossible; detection is essential. Privileged access management, behavioral monitoring, and immutable audit logs are critical.
| Card | Tactic | Vectors | Difficulty | Primary Defense |
|---|---|---|---|---|
| PT-01 | Social Engineering | SE, CA | BASIC (DC 12) | User Training |
| PT-02 | Malware Evasion | MALWARE, CA | INTERMEDIATE (DC 13) | EDR |
| PT-03 | Credential Dumping | CA, MALWARE | INTERMEDIATE (DC 13) | Credential Guard |
| PT-04 | Lateral Movement | NETWORK, CA | INTERMEDIATE (DC 13) | Network Segmentation |
| PT-05 | Privilege Escalation | MALWARE, WEB | ADVANCED (DC 14) | Patch Management |
| PT-06 | Data Exfiltration | EXFIL, NETWORK | ADVANCED (DC 14) | DLP |
| PT-07 | Supply Chain Compromise | MALWARE, WEB | ADVANCED (DC 14) | EDR/Threat Hunting |
| PT-08 | Insider Threat | CA, EXFIL, NETWORK | EXPERT (DC 15) | Privileged Access Monitoring |
Pentester Tactics are typically drawn during turns 3-4 of the 7-turn game (v2.2). This gives the Blue Team time to deploy initial defenses but creates time pressure for the final deployment phase.
When a Pentester Tactic is drawn:
Defense roll = d20 + printed defense bonus for the chosen defense (from this tactic card's bonus list) + hardening upgrades on that defense (+2 each) + relevant playbook (+3)
Notes: - Only ONE defense's printed bonus applies per roll—there is no stacking of multiple defenses on a single roll. Layering still matters: broad coverage means a strong printed bonus is always available to choose. - If the chosen defense is not listed on the tactic card, its printed bonus is +0 (upgrades and playbooks still apply). - Multi-vector or multi-phase tactics (e.g., PT-09 in the expansion): resolve each vector/phase as a separate roll, choosing one defense for each roll.
See Module: Hardening for the full procedure and a worked example.
Each Pentester Tactic represents a real-world attack pattern that: 1. Is realistic - Based on actual TTPs (Tactics, Techniques, Procedures) from MITRE ATT&CK 2. Teaches defense priorities - Success requires defense-in-depth, not single solutions 3. Demonstrates gaps - Failing a tactic shows where the defense strategy is weak 4. Encourages layering - Multiple defenses together are stronger than any single defense
For advanced gameplay, 8 additional Pentester Tactics are available: - PT-09: Multi-Vector Attack (combines multiple tactics) - PT-10: Zero-Day Exploitation (signature-based defenses are useless) - PT-11: Ransomware Deployment & Encryption (requires backup verification) - PT-12: APT Campaign (multi-turn tactic with escalating difficulty) - PT-13: Cloud Misconfiguration Attack (for cloud-native environments) - PT-14: IoT/OT Compromise (for industrial environments) - PT-15: Firmware/BIOS Attack (hardware-level persistence) - PT-16: Container Escape (privilege escalation from containers)
See ../expansion-deck/advanced-tactics.md for these advanced cards.
Hardening Module: Pentester Tactic Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/hardening/expansion-deck/advanced-tactics.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Difficulty → DC mapping (v2.2): BASIC = DC 12, INTERMEDIATE = DC 13, ADVANCED = DC 14, EXPERT = DC 15, EXPERT+ = DC 16. The Outcome threshold on every card equals its printed DC. Resolution uses the canonical formula in Module: Hardening: d20 + printed bonus for ONE chosen defense + upgrades (+2 each) + playbook (+3) vs DC.
Advanced Pentester Tactic Cards extend the core Hardening module with 8 sophisticated attack scenarios for experienced players and complex threat environments.
Tactic Type: Advanced Persistence / Multi-Stage Target Vectors: MALWARE, CREDENTIAL_ABUSE, NETWORK, DATA_EXFIL Difficulty: ADVANCED (defeat DC 14)
Description: A pentester orchestrates a coordinated multi-vector attack that combines multiple tactics simultaneously: social engineering + malware + lateral movement + data exfiltration. Each phase is dependent on the previous one, and success in one area opens opportunities in others. Can your defenses coordinate to stop the full attack chain?
Attack Details: - Phase 1: Phishing delivers initial malware - Phase 2: Malware establishes persistence - Phase 3: Lateral movement to file server - Phase 4: Credential harvesting and exfiltration - Targets: Defense coordination, integrated threat response - Blue Team must roll separately for EACH phase
Defending Defenses: - Phase 1 (Social Engineering): D-02 (+2), D-23 (+2) reduce success by +2 on this roll - Phase 2 (Malware): D-06 (+1), D-08 (+3), D-13 (+2), D-17 (+2) for this phase - Phase 3 (Lateral Movement): D-04 (+1), D-09 (+3), D-10 (+2), D-15 (+2) for this phase - Phase 4 (Data Exfil): D-11 (+4), D-22 (+2), D-24 (+1) for this phase - Card Effect — Full Coverage: If Blue Team has deployed defenses covering all 4 targeted vectors, add +1 to each phase roll
Resolution (v2.2): Each phase is a separate roll against DC 14, with one chosen defense per roll (that phase's bonus list).
Outcome: - Blue Team Succeeds (14+ on every phase roll): Comprehensive defense stops the attack chain - Blue Team Fails ANY phase: Attack progresses; Blue Team loses 1d4 security score points per failed phase and must deploy emergency response
Teaching Point: Modern attacks are sophisticated and multi-faceted. No single defense can stop them. Comprehensive defense-in-depth with coordinated response is essential. Defense teams must practice responding to coordinated attacks.
Tactic Type: Initial Access / Execution Target Vectors: MALWARE, WEB_EXPLOIT Difficulty: EXPERT (defeat DC 15)
Description: A pentester exploits a previously unknown vulnerability (zero-day) in a critical business application. Traditional defenses (patching, signature-based detection, vulnerability scanning) cannot help because the vulnerability isn't public. Only behavioral detection or proactive hunting can identify this attack. Can your advanced monitoring catch what signature-based tools cannot?
Attack Details: - Targets: Signature-based defenses, unknown vulnerability management - Attack Vector: Unpatched but pristine application - Success indicates: Blind spots in behavioral detection - Blue Team rolls 1d20 to detect before exploitation succeeds
Defending Defenses: - D-03 (Patching): +0 bonus (zero-day by definition isn't in patches) - D-06 (Antivirus): +0 bonus (signatures don't exist for zero-day) - D-08 (EDR): +3 bonus (behavioral analytics detect anomalous post-exploitation) - D-13 (Threat Hunting): +3 bonus (proactive hunting finds zero-day activity) - D-17 (Sandbox): +2 bonus (detonates malicious payloads in sandbox before deployment) - D-18 (IPS): +1 bonus only (cannot stop unknown exploits) - D-21 (Container Security): +2 bonus (isolates exploited application)
Outcome: - Blue Team Succeeds (15+): EDR or threat hunting detects post-exploitation activity before damage - Blue Team Fails: Zero-day achieves initial access; Blue Team suffers -1 penalty to all rolls for remainder of game (blind spot in defenses)
Special Rule: If Blue Team has NOT deployed at least 2 of {D-08, D-13, D-17}, they cannot succeed at this challenge (add clause: "You must have behavioral detection to stop unknown exploits").
Teaching Point: Signature-based defenses have inherent limitations. Behavioral detection and threat hunting are essential for detecting novel attacks. Zero-day preparedness requires assumption-of-breach mindset.
Tactic Type: Impact / Extortion Target Vectors: MALWARE, DATA_EXFIL, NETWORK Difficulty: EXPERT (defeat DC 15)
Description: A pentester deploys ransomware that encrypts critical business data and demands payment for decryption keys. The attack combines malware execution, persistence, and data exfiltration (to threaten public disclosure if ransom not paid). This is the culmination of a successful attack chain. Can your defenses prevent data encryption, and can your backup strategy save you?
Attack Details: - Targets: Data availability, backup resilience, recovery procedures - Success indicates: Lack of backup redundancy or immutable backup protection - Blue Team rolls 1d20 to either: (A) prevent ransomware deployment, OR (B) recover from backup
Defending Defenses: - Option A: Prevent Deployment - D-08 (EDR): +3 bonus (detects ransomware execution) - D-13 (Threat Hunting): +2 bonus (proactive hunting finds ransomware) - D-14 (Memory Forensics): +1 bonus (detects encryption process) - D-17 (Sandbox): +2 bonus (detonates before reaching production) - D-21 (Container Security): +2 bonus (prevents spread in containerized environments)
Outcome: - Blue Team Succeeds (15+ on prevention roll, or 12+ on recovery roll under Option B): Ransomware prevented or successfully recovered from backup - Blue Team Fails: Data encrypted; immediate loss of 25% of remaining Budget, and all data-dependent operations suffer -2 penalty for remainder of game
Special Rule - Immutable Backup Check: If Blue Team deployed D-19, they also need verification that backups are immutable and tested. If backup testing procedures weren't mentioned in D-19 deployment, the bonus only applies if they roll 15+.
Teaching Point: Ransomware is now the #1 cybersecurity threat. Prevention through detection is important, but backup resilience is the ultimate defense. Immutable backups that survive ransomware attacks are essential business continuity strategy. Regular restore testing is critical.
Tactic Type: Advanced Persistent Threat / Long-term Compromise Target Vectors: CREDENTIAL_ABUSE, MALWARE, NETWORK, DATA_EXFIL Difficulty: EXPERT+ (defeat DC 16)
Description: A pentester simulates an Advanced Persistent Threat (APT) campaign that maintains presence across multiple turns. Each turn, the APT performs new reconnaissance, persistence, lateral movement, or data exfiltration activities. The Blue Team must detect and eradicate the APT before it achieves critical objectives. This is a multi-turn challenge that escalates difficulty.
Attack Details: - Multi-turn challenge (lasts 2-3 turns of main game) - Targets: Long-term detection, threat hunting, incident response procedures - Each turn the APT performs an action; Blue Team must detect and respond - If APT achieves 3 objectives (e.g., 3 successful data exfils), game is lost
Turn-by-Turn APT Actions: - Turn 1: Reconnaissance (scan network, enumerate users, identify critical assets) - Turn 2: Lateral movement (move to file server, domain controller) - Turn 3: Persistence establishment (add backdoor, create hidden user account) - Turn 4 (if still active): Data exfiltration (steal customer database) - Turn 5+ (if still active): Destruction phase (delete logs, trigger ransomware)
Defending Against APT:
Each turn, Blue Team must roll 1d20 to detect the APT activity:
D-24 (Threat Intelligence): +2 bonus (known APT indicators in threat feeds)
Eradication Phase (if detected):
Outcome: - Blue Team Succeeds (roll ≥ current DC, base 16): APT detected and eradicated before achieving 3 objectives - Blue Team Fails (roll < current DC): APT progresses to next action; if 3 objectives achieved, game is lost
Special Rule - Escalating Difficulty: Each turn the APT remains undetected, DC increases by 1 (Turn 1: DC 16, Turn 2: DC 17, Turn 3: DC 18, etc.)
Teaching Point: APTs are sophisticated, well-resourced, and patient. They expect to remain undetected for months or years. Early detection is critical. Continuous monitoring, threat intelligence integration, and advanced hunting are essential for APT detection.
Tactic Type: Cloud Security / Privilege Escalation Target Vectors: MALWARE, CREDENTIAL_ABUSE, NETWORK, DATA_EXFIL Difficulty: ADVANCED (defeat DC 14)
Description: A pentester discovers misconfigured cloud resources (S3 bucket, Azure storage, GCP database) that are accessible without authentication. They pivot from compromised workstation to cloud infrastructure, exfiltrating sensitive data stored in cloud. Can your cloud security controls catch this lateral movement into cloud?
Attack Details: - Targets: Cloud security posture management, identity & access management in cloud - Assumes: Blue Team has cloud infrastructure in their network design - Success indicates: Misconfigured cloud resources, weak cloud IAM policies - Blue Team rolls 1d20 to detect and remediate
Defending Defenses: - D-04 (Firewall Rules): +1 bonus (limits cloud connectivity from compromised systems) - D-20 (Zero Trust Access): +2 bonus (requires proper identity & authorization for cloud access) - D-21 (Container Security): +2 bonus (blocks cloud API abuse if containerized) - D-22 (SIEM Enterprise): +2 bonus (detects unusual cloud API calls) - D-24 (Threat Intelligence): +1 bonus (known misconfigured bucket signatures) - New Special Defense - Cloud Posture Mgmt: +3 bonus (automatically detects and remediates misconfigurations)
Special Cloud Defense: If Blue Team deployed cloud-specific hardening (e.g., cloud security posture management tools, cloud-native IAM), add +2 bonus.
Outcome: - Blue Team Succeeds (14+): Misconfiguration detected and remediated before exfiltration - Blue Team Fails: Cloud data is exfiltrated; -1 penalty to all rolls for remainder of game, plus immediate 15 Budget cost for cloud forensics
Teaching Point: Cloud security is fundamentally different from on-premises. Shared responsibility model requires organizations to actively manage cloud configuration. Cloud misconfigurations are the #1 cloud vulnerability. Continuous posture scanning is essential.
Tactic Type: Operational Technology Attack / Physical Safety Impact Target Vectors: NETWORK, MALWARE Difficulty: ADVANCED (defeat DC 14)
Description: A pentester compromises IoT or Operational Technology (OT) devices (industrial control systems, HVAC, building management, manufacturing systems) that are connected to the corporate network. Unlike IT systems (computers, servers), OT systems prioritize availability and cannot be patched frequently. Can your network architecture prevent OT compromise, and can you detect it before physical systems are affected?
Attack Details: - Targets: Network segmentation between IT and OT, OT-specific monitoring - Assumes: Blue Team has IoT/OT devices in their network design - Success indicates: Lack of network segmentation or OT-specific monitoring - Blue Team rolls 1d20 to detect and isolate
Defending Defenses: - D-04 (Firewall Rules): +1 bonus (separates IT from OT traffic) - D-09 (Network Segmentation): +3 bonus (dedicated OT segment with restricted access) - D-10 (SIEM Correlation): +1 bonus (detects OT anomalies if properly tuned) - D-22 (SIEM Enterprise): +2 bonus (advanced OT monitoring and correlation) - New Special Defense - OT Monitoring: +3 bonus (specialized tools detect OT compromise)
Special OT Defense: If Blue Team has deployed OT-specific monitoring and segmentation, add +2 bonus.
Outcome: - Blue Team Succeeds (14+): OT compromise detected and isolated before impact - Blue Team Fails: OT systems compromised; physical operations affected, -2 penalty to all rolls for remainder of game, plus potential safety/liability consequences (narrative impact)
Teaching Point: OT security is distinct from IT security. OT systems cannot be patched like IT systems. Network segmentation is the primary defense. OT-specific monitoring and threat hunting are essential. Organizations with manufacturing, utilities, or building management need specialized OT security strategies.
Tactic Type: Persistence / Hardware-Level Attack Target Vectors: MALWARE, NETWORK Difficulty: EXPERT (defeat DC 15)
Description: A pentester with physical or remote access targets system firmware (BIOS/UEFI) or bootloader, establishing persistence at the hardware level below the operating system. This attack survives OS reinstalls and even hardware replacement (if firmware is deployed via supply chain). Can your controls detect and prevent firmware-level attacks?
Attack Details: - Targets: Firmware integrity, secure boot verification, hardware attestation - Success indicates: Lack of UEFI Secure Boot, no firmware validation, no TPM - Blue Team rolls 1d20 to detect firmware tampering
Defending Defenses: - D-16 (Credential Guard & Secure Boot): +3 bonus (UEFI Secure Boot prevents unauthorized firmware) - D-17 (Malware Sandbox): +1 bonus only (doesn't catch firmware-level attacks) - D-13 (Threat Hunting): +2 bonus (advanced hunting detects firmware persistence) - New Special Defense - Hardware Attestation: +3 bonus (TPM verification detects firmware changes) - New Special Defense - Supply Chain Verification: +2 bonus (validates firmware integrity from trusted source)
Special Firmware Defense: If Blue Team deployed secure boot, TPM attestation, and hardware validation, add +2 additional bonus.
Outcome: - Blue Team Succeeds (15+): Firmware tampering detected and system reimaged - Blue Team Fails: Firmware-level persistence established; -2 penalty to all rolls for remainder of game, Blue Team loses control of compromised system
Teaching Point: Firmware attacks are extremely sophisticated but increasingly common in APT campaigns. Secure Boot and TPM are standard defenses but must be enabled and properly configured. Firmware supply chain security is critical. Organizations should consider firmware integrity verification in procurement.
Tactic Type: Privilege Escalation / Container Escape Target Vectors: MALWARE, NETWORK Difficulty: EXPERT (defeat DC 15)
Description: A pentester, operating from within a compromised container, exploits a container runtime vulnerability (like CVE-2019-5736 runc exploit) to escape the container and gain access to the underlying host system. From there, lateral movement to other containers and host systems becomes possible. Can your container security and patching strategies prevent container escape?
Attack Details: - Targets: Container runtime patching, container isolation, runtime security - Assumes: Blue Team has containerized workloads (Docker, Kubernetes, etc.) - Success indicates: Unpatched container runtime or lack of runtime monitoring - Blue Team rolls 1d20 to prevent or detect escape
Defending Defenses: - D-03 (Patching): +2 bonus (ensures container runtime is patched) - D-08 (EDR): +2 bonus (detects suspicious syscalls attempting escape) - D-13 (Threat Hunting): +2 bonus (hunting for container escape indicators) - D-21 (Container Security): +4 bonus (runtime security detects and blocks escape attempts) - New Special Defense - Kubernetes Security Policies: +2 bonus (network policies and pod security policies restrict escape)
Special Container Defense: If Blue Team has deployed comprehensive container security (runtime monitoring + pod security policies + network policies), add +2 additional bonus.
Outcome: - Blue Team Succeeds (15+): Container escape prevented or detected before host compromise - Blue Team Fails: Attacker escapes container to host; immediate +1 for all subsequent attacks, gains ability to compromise other containers
Teaching Point: Container security is distinct from traditional OS security. Container runtimes have historically had significant vulnerabilities. Runtime security monitoring is essential. Kubernetes network policies and pod security standards are critical controls. Organizations using containers must keep runtimes patched and actively monitor for escape attempts.
| Card | Tactic | Vectors | Difficulty | Primary Defense |
|---|---|---|---|---|
| PT-09 | Multi-Vector Attack | Multiple | ADVANCED (DC 14) | Integrated Response |
| PT-10 | Zero-Day Exploitation | MALWARE, WEB | EXPERT (DC 15) | Behavioral Detection |
| PT-11 | Ransomware Deployment | MALWARE, EXFIL, NETWORK | EXPERT (DC 15) | Backup & DR |
| PT-12 | APT Campaign | Multiple | EXPERT+ (DC 16) | Threat Hunting |
| PT-13 | Cloud Misconfiguration | Multiple | ADVANCED (DC 14) | Cloud Posture |
| PT-14 | IoT/OT Compromise | NETWORK, MALWARE | ADVANCED (DC 14) | OT Segmentation |
| PT-15 | Firmware Attack | MALWARE, NETWORK | EXPERT (DC 15) | Hardware Attestation |
| PT-16 | Container Escape | MALWARE, NETWORK | EXPERT (DC 15) | Runtime Security |
Scenario A: Cloud-Native Hardening (6 turns) - Turn 1-3: Deploy cloud-specific defenses + container security - Turn 4: PT-13 (Cloud Misconfiguration) challenge - Turn 5: PT-16 (Container Escape) challenge - Turn 6: Final defense evaluation
Scenario B: APT Defense (8 turns) - Turns 1-4: Deploy enterprise-grade defenses (SIEM, threat hunting, forensics) - Turns 5-7: PT-12 (APT Campaign) multi-turn challenge - Turn 8: Eradication and recovery
Scenario C: Zero-Day & Ransomware (7 turns) - Turns 1-3: Deploy behavioral detection + backup systems - Turn 4: PT-10 (Zero-Day) challenge - Turn 5: PT-11 (Ransomware) challenge - Turns 6-7: Recovery and hardening improvements
Each Advanced Tactic represents modern, sophisticated threat scenarios that:
Advanced tactics can be introduced gradually: - Start with PT-09 (Multi-Vector) and PT-10 (Zero-Day) - Once mastered, add PT-11 (Ransomware) and PT-13 (Cloud) - Save PT-12 (APT), PT-14 (OT), PT-15 (Firmware), PT-16 (Container) for expert play
Advanced tactics build on concepts from core tactics: - PT-09 (Multi-Vector) combines concepts from PT-01 to PT-08 - PT-10 (Zero-Day) extends PT-05 (Priv Esc) concepts - PT-12 (APT) extends PT-02 (Malware Evasion) concepts
Possible additional advanced tactics: - PT-17: Machine Learning Model Poisoning - PT-18: Quantum-Resistant Cryptography Breaking - PT-19: Supply Chain Compromise (Deep Dive) - PT-20: Geopolitical Nation-State Attack Simulation
Hardening Module: Advanced Pentester Tactics Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/print-templates/tracker-sheets.md
Version: 2.2 - Playtest Edition
Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.
Cross off as each turn ends. Circle your turn limit before starting.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]
Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.
150 145 140 135 130 125 120 115 110 105 100 95 90 85 80 75
70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
100 95 90 85 80 75 70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
0 1 2 3 4 5
[ ] [ ] [ ] [ ] [ ] [ ] Penalty at start of turn: -5 Budget each
Advance each meter per card effects. Victory thresholds marked ▲.
ATTRIBUTION 0 10 20 30 40 50 60 70 80 90▲ 100
TIMELINE 0 10 20 30 40 50 60 70 80▲ 90 100
ATTACK CHAIN 0 10 20 30 40 50 60 70 80▲ 90 100
CHAIN OF CUSTODY 0 10 20 30 40 50 60 70▲ 80 90 100
Victory check (end of game): - V1 Full Attribution: Attribution ≥90 AND Timeline ≥80 - V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70 - V3 Partial Findings: any two meters ≥70
Investigation in flight: ____ (results arrive Turn _) Evidence collected (✓ = Analyzed, one Analyze per card):
| Evidence card | Documented? (+5% CoC) | Analyzed? |
|---|---|---|
INVESTIGATION 0 10 20 30 40 50 60 70 80 90 100
REMEDIATION 0 10 20 30 40 50 60 70 80 90 100
COMMUNICATION 0 10 20 30 40 50 60 70 80 90 100
| Stakeholder | 100 | 80 | 60 | 40 | 20 (critical) | 0 (LOSS) |
|---|---|---|---|---|---|---|
| Customers | ||||||
| Employees | ||||||
| Regulators | ||||||
| Board / Investors | ||||||
| Media / Public |
| Turn | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Scheduled event | ||||||||
| Deadline | Customers notified (recommended) | Regulator penalties begin | GDPR 72h — regulators notified |
Multi-turn action in flight: ____ (completes Turn _)
| # | Domain | Stars (1-5) | PASS (3★+) / FAIL (1-2★) | Key gap found |
|---|---|---|---|---|
| 1 | Network Segmentation | |||
| 2 | Identity & Access | |||
| 3 | Detection & Monitoring | |||
| 4 | Backup & Recovery | |||
| 5 | Cloud Security | |||
| 6 | Security Operations |
Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).
| Category | Points | Notes |
|---|---|---|
| Requirements met | per requirement card | |
| Security coverage | per rules scoring table | |
| Capability coverage | per rules scoring table | |
| Budget management | per rules scoring table | |
| TOTAL |
Components placed:
| Component | Cost | Capacity used / total |
|---|---|---|
Budget remaining: ___ / starting ___