Incident Response — Print & Play Bundle · v2.2 Playtest Edition
A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0
Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.
docs/HOW_TO_PLAY.md
Version: 2.2 - Playtest Edition · Read time: ~15 minutes · First game: ~45 minutes.
This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.
Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.
The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.
There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.
Every module runs on the same engine: a d20 roll plus modifiers, success on roll + modifiers ≥ 11.
The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:
Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)
The three actions (Blue Team picks ONE per turn):
| Action | Cost | On success (roll+mods ≥ 11) |
|---|---|---|
| Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed! |
| Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = defense stays on the table and gives +2 to future rolls against any link matching its vector |
| Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty) |
The pressure (TO applies at the START of each turn):
- Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not)
- Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)
When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).
TURN 1. TO: "Start of turn: one attacker action is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?" Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name." TO: "That's a real methodology and a real tool — +2 and +1. Roll." Rolls 9. 9+3 = 12 ≥ 11 — success. TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago." (First success on this link — clue only. Budget: 95 - 5 = 90.)
TURN 2. TO: "Active Breach Cost, minus 5. Budget: 85." Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs." TO: "+2, +1. Roll." Rolls 10. 13 ≥ 11 — second success on the same link. TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward." Team takes Budget Grant: 85 - 5 + 10 = 90.
TURN 3. TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went." From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)
Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?
Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.
| You want... | Read |
|---|---|
| You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens |
| Exact rules for a module | docs/rules/ — core + one file per module |
| Solo/standalone setup for any module | docs/standalone-games/ |
| Every card, indexed | cards/CARD_REFERENCE.md |
| To run a playtest and report back | docs/playtesting/ |
| Variable game length & difficulty tiers | core-rules §3a |
Quick reference:
- Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR)
- IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15
- IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat
- Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card
- Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+
- Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns
- Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150
docs/TO_GUIDE.md
Version: 2.2 - Playtest Edition · Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.
The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute: facilitator, adversary, and narrator.
If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.
A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.
The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.
+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing.
- ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated)
- ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic)
- ❌ "We investigate the email server thoroughly." (a location is not a method)
+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE.
- ✅ "Check LSASS access events — that's Mimikatz behavior, T1003."
- ❌ "We use our security tools." (no it isn't)
Rulings that keep it fair:
- Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0.
- Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game.
- Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics").
- Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change.
- One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").
Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.
| Easier (pick 1-2) | Harder (pick 1-2) |
|---|---|
| Richer clues (more specific detail per success) | Vaguer clues (accurate but terse) |
| Suggest an angle through the fiction | Expert-mode justification bar |
| Shorter chain / lower tier next game | Longer chain, expansion cards |
| Beginner budgets (module max) | Minimum budgets |
Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.
| Failure | Symptom | Fix |
|---|---|---|
| The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief |
| The Softie | Everyone always gets +2 | Re-read §4; require the mechanism |
| The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation |
| The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route |
| The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers |
| The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is |
Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.
docs/rules/core-rules.md
Version: 2.2 - Playtest Edition · Last Updated: October 2025
Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO) (the facilitator), while all other players form Blue Teams (the Defenders).
Players choose which module(s) to play based on learning objectives: Incident Response, Hardening, Disaster Recovery, Network Building, Forensics, or Audit & Compliance (the learning objectives of each are tabulated later in this document).
Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.
Threat Cards represent attacker actions. Each card includes:
- Title: e.g., "Phishing Campaign"
- Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
- Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
- Clue: Descriptive text for the Threat Orchestrator
- Why This Works: Educational explanation (revealed after discovery)
Deck Composition:
- 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
- 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)
Defense Cards represent security controls. Each card includes:
- Title: e.g., "Multi-Factor Authentication"
- Countermeasure Vector: One of the six attack vectors
- Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget)
- Description: What the defense does and when it applies
Deck Composition:
- 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
- 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)
Examples:
- BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget)
- ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget)
- ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)
Pentester Tactic Cards represent sophisticated attack techniques used in the Hardening module (and potentially others).
8 Core Tactics (PT-01 to PT-08):
1. PT-01: Social Engineering - Pretexting Attack
2. PT-02: Malware Evasion - Living-off-the-Land Technique
3. PT-03: Credential Dumping - Mimikatz Attack
4. PT-04: Lateral Movement - Network Traversal
5. PT-05: Privilege Escalation - Unpatched Kernel Exploit
6. PT-06: Data Exfiltration - Unmonitored Channel
7. PT-07: Supply Chain Compromise - Trusted Software Update
8. PT-08: Insider Threat - Malicious Administrator
See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.
Asset Cards are simple cards providing scenario context. Examples:
- Email Server
- Customer Database
- Domain Controller
- Web Application
- Backup System
- Developer Workstation
Physical Components:
- One 20-sided die (d20)
- Turn Tracker (paper or board, counts 1-12+)
- Budget Tracker (shows 0-150+)
- Reputation/Security Score Tracker (shows 0-100)
- Uncontained Threats Tracker (shows 0-5)
- Tokens or counters (for tracking upgrades, penalties)
Optional:
- Score sheets (printable or paper)
- Playbook tracking sheet
- Stakeholder communication log (for Disaster Recovery)
When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.
How It Works:
1. Player announces action and parameters
2. Player rolls 1d20 (one 20-sided die)
3. Add the applicable modifiers to the roll and compare the total to the target number (usually 11)
4. Success if: roll + modifiers ≥ target number
Example:
Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)
What is Budget? Abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.
Budget Allocation by Module:
- Network Building: Start at 40-60 (by difficulty; see module rules)
- Hardening: Start at 150 (or carry over from IR)
- Incident Response: Start at 100
- Disaster Recovery: Start at 50 (emergency fund)
- Forensics: Start at 75
- Audit & Compliance: Start at 100 (used only for optional remediation cards)
Budget Spending:
- Investigate action: 5 Budget
- Deploy Defense: 10/15/25 Budget (by tier)
- Emergency Response (IR): 15 Budget (v2.2; was 25)
- Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed
- Harden Upgrade (Hardening): 5 Budget
- Create Playbook (Hardening): 10 Budget
- Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0)
- Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0
Budget = 0: Team loses (cannot take further actions)
Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.
Turns represent: Time passing in the game world (6 hours, 30 minutes, or abstract unit depending on module)
Turn Sequence:
1. Start of Turn: Penalties applied, trackers announced
2. Planning Phase: Team discusses strategy (2-3 min)
3. Action Phase: Execute chosen action, resolve rolls
4. End of Turn: Advance tracker, draw card, check events
Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.
Default Formula: (Attack Chain Cards × 2) + 1
This gives attackers enough time to progress realistically while keeping games manageable:
| Attack Chain | Formula | Turn Count | Session Duration |
|---|---|---|---|
| 3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play |
| 4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play |
| 5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play |
| 6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play |
How to Use Default Formula: 1. Choose number of threat cards in attack chain (3, 4, 5, or 6) 2. Apply formula: (Cards × 2) + 1 = Turn Count 3. Announce turn count to Blue Team 4. Play game normally with that turn limit
Example Setup:
"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"
Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:
Step 1: Select Attack Complexity Tier
| Tier | Turn Base | Attack Profile | Example |
|---|---|---|---|
| TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools |
| TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group |
| TIER 3 | 11-13 | Highly sophisticated | APT with operational security |
| TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group |
Step 2: Add Randomness (Optional)
Roll 1d4 for variation:
- Roll 1: -1 turn (tight timeline)
- Roll 2 or 3: ±0 turns (no change)
- Roll 4: +1 turn (extended dwell time)
Final Turn Count = Tier Base + d4 Result
Example Advanced Setup:
"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."
These rules protect game balance and prevent metagaming:
The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.
Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.
Example Scenarios:
- TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic)
- TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)
When Chaos Feels Realistic:
- Tight timeline: "The attacker worked faster than expected—they had prior knowledge"
- Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"
Implementation: Lean into the randomness as realistic incident variability.
The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.
Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).
What Players CAN Ask: - "What are the suspicious network events?" (leads to understanding threats) - "Can we analyze the malware?" (reveals attacker sophistication through findings) - "Why did this attack succeed?" (post-game discussion)
What Players CANNOT Ask: - "Is this a TIER 2 attack?" (deriving tier from turn count) - "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)
Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.
The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.
When to Use (Rare):
- Scenario setup is unusually complex (multiple attack vectors, coordination across systems)
- Player group is new and needs slightly easier conditions
- Real-world incident being taught had specific timeline constraints
When NOT to Use (Prefer Random):
- "The roll feels unlucky" (accept the chaos)
- "I want this exactly 10 turns" (let dice decide)
- "The attack chain is long so it should take longer" (that's what the TIER system handles)
Implementation:
1. Roll d4 normally
2. Announce rolled result
3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why
4. Document the override for consistency in future scenarios
Example Valid Use:
"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have 5-card attack chain, so I'm adding +1 modifier (explaining the discovery is methodical). Final: 8-10 turns."
Example Invalid Use:
"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)
For Beginners (Use Default Formula):
- [ ] Choose attack chain length (3, 4, 5, or 6 cards)
- [ ] Calculate: (Cards × 2) + 1
- [ ] Announce turn count
- [ ] Play
For Advanced (Use Tier + d4):
- [ ] Select TIER (1, 2, 3, or 4)
- [ ] Announce TIER basis (not the number, just why it's that complexity)
- [ ] Roll d4 for variation (hidden or public, your choice)
- [ ] Calculate final turn count
- [ ] Apply Rule 3 modifier if genuinely needed (rare)
- [ ] Announce final turn count WITHOUT revealing tier
Default Formula: Turn Count = (Attack Cards × 2) + 1
Tier System:
- TIER 1: 5-7 turns (simple)
- TIER 2: 8-10 turns (standard)
- TIER 3: 11-13 turns (advanced)
- TIER 4: 14-16 turns (expert)
- Add d4 roll: -1, 0, 0, or +1
Golden Rules:
1. Accept any roll (embrace chaos)
2. Never reveal tier to players
3. Modifier authority only when truly needed (rare)
All modules use the same modifier system for consistency:
+2 — Technical Justification. Awarded when a player provides clear, specific reasoning for their action using real security concepts.
Examples:
- "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds"
- "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques"
- "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"
Criteria:
- Explains methodology (why this approach would reveal or stop the specific threat)
- Shows understanding of the threat being addressed
- Names the data sources or tools the reasoning depends on (Splunk, EDR, SIEM, etc.); a tool name on its own is the +1 bonus below, not a +2
+1 — Real Tool or Technique. Awarded when a player references actual security tools or real attack/defense techniques.
Examples:
- "We'll use Wireshark to analyze the network traffic"
- "We're checking for Mimikatz usage in memory"
- "We're reviewing EDR telemetry"
- "We're looking for this specific CVE exploitation pattern"
Criteria:
- References real tools (Wireshark, EDR, Splunk, etc.)
- References real techniques (MITRE ATT&CK, specific CVEs)
- Shows awareness of how things actually work
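The +2 example above about mail gateway logs, and the same method in the TO Guide rubric (compare the return-path against the display-name domain, check the sender against threat intel), describe a real triage step. The script below is an added example for this documentation, not part of the game's rules or card text. It runs that method over four constructed mail-gateway records: the key=value log format, the field names, the fictional Meridian Logistics domains and the two-entry threat-intel list are all assumptions made up for the example.

```python
import shlex
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "meridianlogistics.example"   # the fictional company's mail domain (assumed)

# Constructed threat intel: look-alike domains registered in the last few days
# and a phishing-kit hosting IP. A real feed would come from your TIP or MISP.
INTEL_DOMAINS = {"meridian-logistics-it.example"}
INTEL_IPS = {"203.0.113.45"}

# Constructed gateway records in key=value form (quoted values allowed).
GATEWAY_LOG = """\
ts=2025-10-06T08:02:11Z src_ip=203.0.113.45 rcpt=alice@meridianlogistics.example from="IT Support <helpdesk@meridian-logistics-it.example>" return_path=bounce@meridian-logistics-it.example url=https://meridian-logistics-it.example/reauth
ts=2025-10-06T08:05:40Z src_ip=198.51.100.7 rcpt=bob@meridianlogistics.example from="IT Support <it@meridianlogistics.example>" return_path=bounce@meridian-logistics-it.example url=https://meridian-logistics-it.example/reauth
ts=2025-10-06T08:09:03Z src_ip=192.0.2.10 rcpt=carol@meridianlogistics.example from="Payroll <payroll@meridianlogistics.example>" return_path=payroll@meridianlogistics.example url=https://intranet.meridianlogistics.example/payslips
ts=2025-10-06T08:11:55Z src_ip=192.0.2.22 rcpt=dave@meridianlogistics.example from="Newsletter <news@vendor.example>" return_path=bounce-42@mail.vendor-esp.example url=https://vendor.example/news
"""


def parse_record(line):
    """Split 'k=v k="quoted v"' into a dict; shlex handles the quoting."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal(domain):
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def triage(log_text, intel_domains=INTEL_DOMAINS, intel_ips=INTEL_IPS):
    """One finding per record: the recipient and the list of signals that fired."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        display, from_addr = parseaddr(rec.get("from", ""))
        from_dom, rp_dom = domain_of(from_addr), domain_of(rec.get("return_path", ""))
        link_dom = (urlparse(rec.get("url", "")).hostname or "").lower()
        reasons = []
        # The rubric's mechanism: a spoofed sender's envelope (Return-Path)
        # domain usually does not match the header From domain.
        if rp_dom and rp_dom != from_dom:
            reasons.append(f"return-path {rp_dom} != from {from_dom}")
        # Display name poses as the internal IT team but the address is external.
        if "it" in display.lower().split() and not is_internal(from_dom):
            reasons.append(f"display name '{display}' on external sender {from_dom}")
        if link_dom in intel_domains or rp_dom in intel_domains:
            reasons.append("look-alike domain on the newly-registered list")
        if rec.get("src_ip") in intel_ips:
            reasons.append(f"source ip {rec['src_ip']} on the intel feed")
        findings.append({"rcpt": rec.get("rcpt"), "reasons": reasons})
    return findings


def suspicious(log_text=GATEWAY_LOG):
    """Recipients whose message tripped at least two independent signals."""
    return [f["rcpt"] for f in triage(log_text) if len(f["reasons"]) >= 2]


if __name__ == "__main__":
    for f in triage(GATEWAY_LOG):
        print(f["rcpt"], "->", "; ".join(f["reasons"]) or "no signal")
    print("escalate:", suspicious())
```

Two of the four records trip at least two independent signals (a look-alike domain that is on the intel list, a spoofed internal display name, a listed source IP); the third is clean; and the fourth mismatches only on Return-Path, which is normal for bulk mail sent through an email service provider, so that mismatch alone is a reason to pull more logs, not a verdict. That is the distinction the rubric rewards: a mechanism that narrows the search, then corroboration.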
Uncontained Threats Penalty — When Applied: Incident Response module only, applied at the START of each turn
How It Works:
1. When a threat card is revealed, add 1 to the Uncontained Threats Tracker
2. At the START of each turn, deduct 5 Budget per uncontained threat
3. When the next card in the chain is revealed, the previous threat is auto-mitigated (-1 from tracker)
4. When the Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)
Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.
Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.
Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden, and action costs are left out):
Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: START → Deduct 5 Budget (90 remaining)
Turn 3: Lateral Movement revealed → Phishing auto-mitigated (Uncontained = 1, now Lateral Movement)
Turn 4: START → Deduct 5 Budget (85 remaining)
Turn 4: Emergency Response on Lateral Movement (15 Budget) → Uncontained Threats = 0
Responsibilities:
- Manage game state and track turns/budget
- Describe scenarios and outcomes
- Roll dice when action outcomes are uncertain
- Guide the narrative
During Incident Response:
- Create and manage hidden attack chain
- Provide clues based on successful investigations
- Control Uncontained Threats penalties
- Be fair but challenging
During Other Modules:
- Describe threat context and defenses
- Draw Pentester Tactic cards (Hardening)
- Manage timeline and deadlines (Disaster Recovery)
- Guide debrief questions
Universal Tips:
- Explain why actions succeed or fail
- Ask clarifying questions about player strategy
- Balance challenge with learning
- Provide constructive feedback
Blue Team Responsibilities:
- Discuss strategy as a team
- Choose one action per turn
- Justify your decisions (gain +2 modifier)
- Manage budget carefully
- Learn from success and failure
Key Rule: Modifiers are additive and can stack.
Example (Hardening Module, canonical formula — v2.2):
Pentester Tactic: PT-02 Living-off-the-Land (DC 13)
Defense roll = d20
+ printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
+ hardening upgrades on that defense (+2 each; one upgrade: +2)
+ relevant playbook (+3)
Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS
Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.
| Length | Difficulty | Best For |
|---|---|---|
| 3 cards | Beginner | Learning mechanics, 30 min sessions |
| 4 cards | Intermediate | Standard play, 40 min sessions |
| 5 cards | Advanced | Challenge play, full kill chain |
| Budget | Difficulty | Best For |
|---|---|---|
| 60 | Hard | Resource scarcity, tough choices |
| 100 | Standard | Balanced play, most scenarios |
| 150+ | Easy | Strategic depth, multiple options |
| Turns | Difficulty | Best For |
|---|---|---|
| 8 | Hard | Time pressure, fast play |
| 10 | Standard | Balanced, most scenarios |
| 12 | Easy | Exploration, learning |
Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.
| Module | Primary Learning | Secondary Learning |
|---|---|---|
| Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response |
| Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture |
| Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost |
| Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling |
| Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping |
| Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization |
| Mechanic | What It Teaches |
|---|---|
| d20 roll system | Uncertainty, risk, informed decision-making |
| Budget constraints | Resource allocation, prioritization |
| Justification bonuses | Technical reasoning, tools/techniques knowledge |
| Uncontained Threats penalty | Urgency, cost of dwell time |
| Pentester Tactics | Attacker sophistication, defense limitations |
| Playbook system | Preparation, incident response planning |
| Scoring systems | Outcome measurement, quality assessment |
Implementation (multiple Blue Teams playing the same scenario):
- Same setup for all teams
- Teams cannot share information (Incident Response)
- Score comparison determines winner (Hardening)
- Reputation comparison (Disaster Recovery)
Every module should include a 5-15 minute debrief with three sections: what happened, why it worked that way, and what the team would do differently (the TO Guide gives the round-by-round format).
Too Easy Signs:
- Team reveals all cards/achieves goal with 40+ budget remaining
- No failed rolls
- No meaningful decisions required
- Team is bored
Too Hard Signs:
- Team is stuck/making no progress after 5 turns
- Multiple consecutive failed rolls
- Team frustrated rather than challenged
- No learning happening
Adjustment Options:
- Easier: Provide better clues, more starting budget, fewer tactics
- Harder: Less specific clues, lower budget, more tactics
- Faster: Shorter turn limits, simpler scenarios
- Slower: More turns, more complex scenarios
For complete card descriptions, see: - Base Threat & Defense Cards cards/incident-response/core-deck/threat-defense-cards.md - Expansion Threats cards/incident-response/expansion-deck/advanced-threats.md - Expansion Defenses cards/incident-response/expansion-deck/advanced-defenses.md - All decks indexed cards/CARD_REFERENCE.md
For complete rules on each module, see docs/rules/ (core-rules.md plus one file per module, e.g. docs/rules/module-incident-response.md).
For your first game: 1. Choose a module from Module Combinations 2. Read the module-specific rules 3. Read the standalone setup guide 4. Prepare your scenario 5. Play!
For multiple modules: 1. Refer to Module Combinations for recommended sequences 2. Refer to FRAMEWORK.md for modifier generation procedures 3. Play first module, generate modifiers for next 4. Continue as desired
Incident Zero: Core Rules & Mechanics v2.1 - Balanced & Refined Edition Universal rules for all modules
docs/rules/module-incident-response.md
Version: 2.2 - Playtest Edition · Last Updated: July 2026
The Incident Response Module is the foundation of Incident Zero. Players act as a security operations center (SOC) team responding to an active cyberattack. The core challenge: reveal a hidden attack chain before time runs out or budget is exhausted.
This module teaches: - Primary: Cyber kill chain understanding, threat detection, evidence gathering - Secondary: Resource prioritization, incident response under pressure, forensic investigation
Key Mechanics:
- Hidden attack chain (3-5 Threat Cards) is pre-built by the Threat Orchestrator
- Blue Team reveals cards by successful investigation (two successes on the same chain link, v2.2) or by deploying a vector+step-matching defense
- Uncontained Threats Penalty creates urgency—revealed threats cost 5 Budget per turn until contained
- Active Breach Cost (v2.2)—while any chain card remains hidden, the breach itself costs 5 Budget per turn (dwell time is never free)
- Emergency Response action provides a way to contain uncontained threats (15 Budget, v2.2)
Turn limits use the Variable Game Length formula from Core Rules §3a: Turn Limit = (Attack Chain Cards × 2) + 1.
| Difficulty | Chain Length | Starting Budget | Turn Limit | Best For |
|---|---|---|---|---|
| Beginner | 3 cards | 100 | 7 turns | First playthrough, basic learning |
| Intermediate | 4 cards | 100 | 9 turns | Standard play, mixed experience |
| Advanced | 5 cards | 100 | 11 turns | Experienced players, challenge |
Scaling Notes: - Beginner: ~30 min session, teaches full kill chain with comfortable pace - Intermediate: ~40 min session, requires focused investigation strategy - Advanced: ~45 min session, demands efficient resource allocation and quick thinking - Advanced Threat Orchestrators can instead use the Tier + d4 system in Core Rules §3a
Create the Hidden Attack Chain:
1. Select 3-5 Threat Cards from the deck
2. Arrange them in logical attack chain sequence:
- First card: INITIAL COMPROMISE
- Middle cards: PIVOT & ESCALATE, PERSISTENCE
- Final card: C2 & EXFIL
3. Write down clues for each hidden card on separate paper (keep hidden from Blue Team)
4. Place relevant Asset Cards on the table (visible to all—provides scenario context). Asset Cards are shared components: see cards/network-building/core-deck/asset-cards.md
Attack Chain Strategy Tips:
- Start simple (Beginner): Phishing → Lateral Movement → Database Exfil
- Intermediate: Phishing → Credential Dumping → VPN Access → Persistence → C2 Beaconing
- Advanced: Web Exploit → Lateral Movement → Privilege Escalation → Data Staging → Exfiltration
Recommended First-Time Scenario (3 cards, 30 minutes):
1. T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
3. T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)
Initialize trackers and materials:
| Item | Starting Value |
|---|---|
| Turn Tracker | 1 |
| Budget Tracker | 100 |
| Uncontained Threats Tracker | 0 |
| Defense Cards | Draw 5 (face down) |
Threat Orchestrator delivers opening narrative using only the first hidden card's clue. Example:
"Your security operations center is monitoring the network when alerts begin firing. Your SIEM shows suspicious email traffic coming from your IT department domain, but the headers look spoofed. Several employees have reported clicking links in emails they thought came from IT requesting password resets.
You have limited time and budget to investigate before the attacker escalates. What do you do?"
Each turn represents approximately 2-4 hours of incident response operations.
COMPLETE TURN SEQUENCE:
1. START OF TURN
   - Apply Uncontained Threats Penalty: for each revealed-but-uncontained threat, deduct 5 Budget from the tracker
   - Apply Active Breach Cost (v2.2): if at least one chain card is still unrevealed, deduct 5 Budget (the hidden breach is doing damage while you can't see it)
   - Announce current turn number and budget remaining
   - Example: "Turn 3. Start-of-turn costs: 5 for your uncontained threat, plus 5 Active Breach Cost—the chain isn't fully mapped yet. Budget drops from 85 to 75."
2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Team discusses incident response strategy
   - Decides on ONE action to take this turn (Investigate, Deploy Defense, or Emergency Response)
   - Team member announces action and parameters (what they're investigating, which defense they're deploying, etc.)
3. ACTION RESOLUTION
   - Perform chosen action (see three actions below)
   - Roll 1d20 if action requires a roll
   - Apply modifiers (see modifier rules in core-rules.md)
   - Resolve outcome immediately
4. END OF TURN
   - Advance Turn Tracker by 1
   - Draw 1 new Defense Card (add to hand)
   - Check if game has been won or lost (see victory/defeat conditions below)
   - If still playing, return to START OF TURN
The attack chain is discovered in order: only the earliest unrevealed chain card can be investigated toward or revealed. Clues, investigation successes, and Deploy Defense reveals all target that card until it is face-up, then attention shifts to the next link. This matches how the clue system walks the kill chain.
Deployed defenses stay on the table and keep working. Whenever the chain link currently being targeted has an Attack Vector matching a deployed defense's Countermeasure Vector, add +2 to Investigate and Deploy Defense rolls against that link. The Threat Orchestrator (who knows the hidden vector) announces when this bonus applies—hearing "your deployed defenses are helping here" is itself a useful clue. This rule is stated once here; other sections simply refer to it.
Cost: 5 Budget per action
Roll Required: roll + modifiers ≥ 11 on d20
Special Rule: Modifiers apply and can stack
How It Works:
Roll Modifiers:
| Bonus | When Awarded | Examples |
|---|---|---|
| +2 | Strong technical justification | "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds. This helps us understand the initial compromise vector." |
| +1 | Real security tools/techniques referenced | "We'll query our SIEM for scheduled task creation events" or "We're checking for Mimikatz usage in memory" |
| +2 | Deployed Defense Persistence (v2.2) | A deployed defense's vector matches the targeted chain link (see rule above) |
| +0 | Vague investigation | "We want to find suspicious activity" |
Success (roll + modifiers ≥ 11) — Investigation successes accumulate (v2.2):
- First success against a chain link: TO provides a verbal clue about that card (the earliest unrevealed card in the chain)
- Second success against the same chain link: THE CARD IS REVEALED! Place it face-up; it becomes uncontained (add 1 to the Uncontained Threats Tracker) and the team chooses a Discovery Reward
- Clues should be dramatic and progressive—give more detail with each successful investigation
- Budget is spent (5 is deducted)
Failure (roll + modifiers < 11):
- "Your investigation yields no actionable intelligence at this time"
- Budget is spent anyway (5 is deducted)
- Team learns nothing but advances in time
- Failure is realistic—not every investigation uncovers information
- Failures do NOT count toward the two accumulated successes
Strategic Consideration:
- Cheap action (only 5 Budget)
- Moderate success chance (need 11+ on d20, so ~50% without bonuses)
- Two successful investigations reveal a card without needing the right Defense Card in hand (v2.2)
- Deploy Defense (full match) is faster—one successful roll—but costs more and needs the right card
Cost: 10/15/25 Budget (depending on Defense Card tier: BASIC/ADVANCED/ELITE)
Roll Required: roll + modifiers ≥ 11 on d20
Special Rule: Modifiers apply; matching defense to threat reveals cards immediately
How It Works:
Roll Modifiers: Same as Investigate action (+2 for justification, +1 for tools, +2 Deployed Defense Persistence if applicable)
Success (roll + modifiers ≥ 11):
Check if Defense Card matches the earliest unrevealed hidden threat (sequential discovery):
- FULL MATCH: Defense Countermeasure Vector matches threat's Attack Vector AND it's the correct step in the chain
  - THREAT CARD IS REVEALED IMMEDIATELY! Threat card is placed face-up on the table. Blue Team learns what they've been fighting.
  - Threat card is now "uncontained" (add 1 to Uncontained Threats Tracker)
  - Defense Card is discarded (used)
  - Budget is spent
  - Defense remains active—see Deployed Defense Persistence (v2.2): it grants +2 to future rolls against any chain link matching its vector
- NO MATCH: Defense doesn't address current threat
Failure (roll + modifiers < 11):
- Defense fails to deploy properly
- Budget is spent anyway
- Card is discarded
- No progress made, but team learns from failure
Key Point: Even "unsuccessful" Defense deployments can be strategically valuable. Deployed defenses stay in play and grant +2 to rolls against later threats that match their vector (v2.2).
Strategic Consideration:
- Expensive action (10-25 Budget, scales with defense tier)
- Moderate success chance (same 11+ threshold as Investigate)
- Two potential rewards: Defense deployment AND card reveal
- High-risk/high-reward compared to Investigate
Example Scenario:
Hidden attack chain: Phishing → Lateral Movement → Database Exfil
Team believes phishing is happening (first card).
They deploy D-01 "Email Authentication Setup" (BASIC, 10 Budget).
Email Authentication addresses SOCIAL ENGINEERING vector.
Roll: 8 + 2 (strong justification) = 10 = FAIL
Email deployment fails, 10 Budget spent, card discarded.
Next turn: Same team deploys D-02 "User Security Training" (BASIC, 10 Budget).
Roll: 13 + 1 = 14 = SUCCESS
Defense addresses SOCIAL ENGINEERING vector and is INITIAL COMPROMISE step.
PHISHING CAMPAIGN REVEALED! Threat card placed face-up.
Uncontained Threats increases to 1 (now costing 5 Budget per turn).
Cost: 15 Budget (v2.2 — repriced from 25; flat cost)
Roll Required: None—this always succeeds
Special Rule: Only works on previously revealed threats
How It Works:
Strategic Use Cases:
Example Timeline (one action per turn):
Turn 3: Deploy Defense succeeds → PHISHING revealed → Uncontained Threats = 1
Turn 4: START → Deduct 5 (uncontained) + 5 (Active Breach Cost, 2 cards still hidden)
ACTION → Emergency Response on Phishing: pay 15 Budget
→ Phishing removed from play, Uncontained Threats = 0
Turn 5: START → Deduct only 5 (Active Breach Cost; no uncontained threats)
These are the core urgency mechanics of Incident Response. Dwell time costs money—whether you can see the threat or not.
Step 1: Threat Revealed
- When a Threat Card is successfully revealed (by two investigation successes or a full-match defense deployment)
- Add 1 to the Uncontained Threats Tracker
- This threat is now "active" and dangerous
Step 2: Penalty Applied at Turn Start
- At the START of every turn, deduct 5 Budget per uncontained threat
- Example: 2 uncontained threats = 10 Budget penalty each turn
- This creates continuous pressure—you MUST contain threats or lose resources
Step 3: Auto-Mitigation
- When the next card in the attack chain is revealed, the previous uncontained threat is automatically "contained" (represents shift of attention to new priority)
- Uncontained Threats Tracker decreases by 1
- Penalties decrease immediately
Step 4: Emergency Response Containment
- Team can use Emergency Response action to immediately remove a threat from the board
- Cost: 15 Budget (v2.2)
- Uncontained Threats Tracker decreases by 1
SETUP: 3-card chain (Phishing → Lateral Movement → Database Exfil)
Budget 100, Turn Limit 7 [(3 × 2) + 1]
Turn 1: START → Active Breach Cost -5 (95). No uncontained threats.
INVESTIGATE email headers (-5, 90). Roll succeeds.
→ 1st success vs. link 1: clue about the phishing campaign.
Turn 2: START → Active Breach Cost -5 (85).
INVESTIGATE mail gateway logs (-5, 80). Roll succeeds.
→ 2nd success vs. link 1: ✓ PHISHING CAMPAIGN REVEALED (investigation reveal, v2.2)
Uncontained Threats = 1. Reward: Budget Grant +10 (90).
Turn 3: START → -5 (uncontained) -5 (Active Breach) = 80.
INVESTIGATE network logs (-5, 75). Roll succeeds.
→ 1st success vs. link 2: clue about SMB lateral movement.
Turn 4: START → -5 (uncontained) -5 (Active Breach) = 65.
DEPLOY D-09 Network Segmentation (ADVANCED, -15, 50). Roll succeeds.
FULL MATCH (NETWORK vector, PIVOT & ESCALATE step)
→ ✓ LATERAL MOVEMENT REVEALED immediately (deploy reveal)
Phishing auto-mitigates; Lateral Movement now uncontained (still 1 total).
Reward: Budget Grant +10 (60).
Turn 5: START → -10 (50).
INVESTIGATE database access logs (-5, 45). Roll fails. No progress.
Turn 6: START → -10 (35).
INVESTIGATE DLP alerts (-5, 30). Roll succeeds.
→ 1st success vs. link 3: clue about bulk data leaving the database.
Turn 7: START → -10 (20).
DEPLOY D-11 Data Loss Prevention (ADVANCED, -15, 5). Roll succeeds.
FULL MATCH (DATA EXFIL vector, C2 & EXFIL step)
→ ✓ DATABASE EXFILTRATION REVEALED — final card!
Victory is checked IMMEDIATELY (before any start-of-turn penalties).
WIN on the final turn with 5 Budget remaining.
(Arithmetic check, turn by turn: 100 → 95 → 90 | 85 → 80 → +10 = 90 | 80 → 75 | 65 → 50 → +10 = 60 | 50 → 45 | 35 → 30 | 20 → 5.)
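The turn engine described above (start-of-turn costs, the two actions that reveal cards, auto-mitigation, Emergency Response and the immediate victory check), as an added example that is not code from the bundle: a small Python model of the v2.2 rules that replays this worked example and the Emergency Response timeline, so a playtester can re-check the budget arithmetic mechanically whenever a cost or formula changes. Card names, tiers and vectors are the page's. Two modelling assumptions are mine: a "full match" is treated as the defense's vector equalling the vector of the earliest unrevealed link (the bundle's defense cards list no step), and the Discovery Reward is modelled as the +10 Budget Grant the walkthrough takes. The d20 values (14 with +2 justification succeeds, 6 fails) are constructed so that each turn resolves the way the walkthrough says it did.

```python
"""Turn engine for the Incident Response module (v2.2 rules as stated on the page).
Added example, not code from the bundle. Card names/vectors are the page's; the d20
values are constructed (14 with +2 justification succeeds, 6 fails). Assumptions: full
match = defense vector equals the earliest unrevealed link's vector; the Discovery
Reward is the +10 Budget Grant the walkthrough takes."""
from collections import namedtuple
from dataclasses import dataclass, field

Threat = namedtuple("Threat", "name step vector")
Defense = namedtuple("Defense", "name tier vector")
DEPLOY_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
INVESTIGATE_COST, EMERGENCY_COST, PENALTY, TARGET = 5, 15, 5, 11

@dataclass
class Game:
    chain: list                        # hidden attack chain in kill-chain order
    budget: int = 100
    turn: int = 1
    revealed: int = 0                  # links face-up; chain[revealed] is the target
    uncontained: int = 0
    successes: int = 0                 # Investigate successes on the current link
    deployed: list = field(default_factory=list)
    won: bool = False
    def current_link(self):
        return self.chain[self.revealed] if self.revealed < len(self.chain) else None
    def start_of_turn(self):
        hidden = self.revealed < len(self.chain)        # Active Breach Cost applies
        self.budget = max(0, self.budget - PENALTY * (self.uncontained + hidden))
    def end_of_turn(self):
        self.turn += 1                 # returns True when the game is over
        return self.won or self.turn > len(self.chain) * 2 + 1
    def _pay(self, cost):
        if self.budget < cost:         # Budget Edge Rule: an action needs its full cost
            raise ValueError("no affordable legal action: that is a defeat")
        self.budget -= cost
    def modifiers(self, justification, tools):
        link = self.current_link()     # +2 Deployed Defense Persistence on a vector match
        persist = bool(link) and any(d.vector == link.vector for d in self.deployed)
        return 2 * bool(justification) + 1 * bool(tools) + 2 * persist
    def _reveal(self, grant):
        self.uncontained = 1           # previous threat auto-mitigates, new one is uncontained
        self.revealed += 1
        self.successes = 0
        if self.revealed == len(self.chain):
            self.won = True            # checked at once, before any start-of-turn cost
        else:
            self.budget += grant       # Discovery Reward: Budget Grant
        return "revealed"
    def investigate(self, roll, justification=True, tools=False, grant=10):
        self._pay(INVESTIGATE_COST)
        if roll + self.modifiers(justification, tools) < TARGET:
            return "no actionable intelligence"         # failures never accumulate
        self.successes += 1
        return "clue" if self.successes == 1 else self._reveal(grant)
    def deploy(self, card, roll, justification=True, tools=False, grant=10):
        self._pay(DEPLOY_COST[card.tier])
        if roll + self.modifiers(justification, tools) < TARGET:
            return "failed to deploy"                   # card discarded, nothing gained
        self.deployed.append(card)                      # stays on the board afterwards
        if card.vector == self.current_link().vector:   # full match on the current link
            return self._reveal(grant)
        return "deployed, no match"
    def emergency_response(self):
        if not self.uncontained:
            raise ValueError("only works on a revealed, uncontained threat")
        self._pay(EMERGENCY_COST)                       # no roll: always succeeds
        self.uncontained -= 1
        return "threat removed from play"

CHAIN = [Threat("Phishing Campaign", "INITIAL COMPROMISE", "SOCIAL ENGINEERING"),
         Threat("Lateral Movement via SMB", "PIVOT & ESCALATE", "NETWORK"),
         Threat("SQL Database Exfiltration", "C2 & EXFIL", "DATA EXFIL")]

def replay_worked_example():
    """The 7-turn walkthrough; returns (game, budget after each turn's action)."""
    g, trace = Game(chain=list(CHAIN)), []
    script = [lambda: g.investigate(14),                                       # T1 clue
              lambda: g.investigate(14),                                       # T2 reveal
              lambda: g.investigate(14),                                       # T3 clue
              lambda: g.deploy(Defense("Network Segmentation", "ADVANCED", "NETWORK"), 14),
              lambda: g.investigate(6),                                        # T5 fails
              lambda: g.investigate(14),                                       # T6 clue
              lambda: g.deploy(Defense("Data Loss Prevention", "ADVANCED", "DATA EXFIL"), 14, grant=0)]
    for act in script:
        g.start_of_turn()
        act(); trace.append(g.budget)
        if g.won or g.end_of_turn():
            break
    return g, trace

def replay_emergency_response():
    """Deploy-reveal on turn 1, Emergency Response on turn 2; game at the start of turn 3."""
    g = Game(chain=list(CHAIN))
    g.start_of_turn()                                                          # 95
    g.deploy(Defense("User Security Training", "BASIC", "SOCIAL ENGINEERING"), 14)  # 85, +10 = 95
    g.end_of_turn(); g.start_of_turn(); g.emergency_response()                 # 85 -> 70
    g.end_of_turn(); g.start_of_turn()                                         # 65
    return g
```

`replay_worked_example()` returns the budget after each turn's action, `[90, 90, 75, 60, 45, 30, 5]`, with the game won on turn 7 and the Uncontained Threats Tracker still at 1; `replay_emergency_response()` ends the turn-3 start-of-turn step at 65 Budget with no uncontained threat, matching the timeline under Emergency Response. Because `start_of_turn` floors Budget at 0 and `_pay` raises when an action cannot be paid in full, the model also makes the Budget Edge Rules' defeat condition explicit rather than letting the budget go negative.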
Blue Team wins Incident Response if:
1. ALL threat cards in the attack chain are revealed (face-up on table), AND
2. This happens within the turn limit (7/9/11 by chain length, per Core Rules §3a)
Victory is checked immediately when the final card is revealed (v2.2) — before any start-of-turn penalties would apply. Revealing the last card on your final turn with 0 Budget remaining is still a win.
Blue Team loses Incident Response if:
1. Turn Tracker exceeds the turn limit with unrevealed cards remaining, OR
2. The team cannot take any legal action (see Budget Edge Rules below)
Losing Scenarios:
- Turns expired with only 2 of 4 cards revealed = attack succeeded
- Budget too low to afford any action = response ran out of resources
If you want to measure quality of victory:
Victory Points Formula:
Points = (Cards Revealed / Total Cards) × 50 + (Budget Remaining / Starting Budget) × 50
Examples:
- 4 of 4 cards revealed, 35 Budget remaining: (4/4 × 50) + (35/100 × 50) = 50 + 17.5 = 67.5/100 (Victory with good efficiency)
- 3 of 4 cards revealed, 15 Budget remaining: (3/4 × 50) + (15/100 × 50) = 37.5 + 7.5 = 45/100 (Partial victory, struggled)
- 2 of 4 cards revealed, 0 Budget: (2/4 × 50) + (0 × 50) = 25/100 (Defeat)
When your team successfully reveals a Threat Card, immediately choose ONE of these rewards:
Important: Choose only ONE reward per card reveal. Cannot combine rewards.
Every game should conclude with guided reflection connecting game mechanics to real security concepts.
Discuss whether they targeted the right logs/evidence first
"Which action type was most effective for you—Investigate or Deploy Defense?"
Both are valid; discuss trade-offs (v2.2: investigation reveals need two successes but cost less)
"How did the Uncontained Threats penalty and Active Breach Cost affect your decisions?"
Were they realistic representations of incident response and dwell-time costs?
"If you replayed, what would you do differently?"
Discuss investigation approaches that didn't work
"Would you have benefited from more defense deployments vs. investigations?"
Discuss risk/reward trade-offs
"How would you investigate differently if you could replay?"
Strategic adjustments for next attempt
"What was the attacker's complete kill chain?"
Discuss which card took longest to detect and why
"Why isn't this easy to detect in real-world networks?"
Detection requires specific telemetry (EDR, SIEM, network monitoring)
"What tool or process would have helped you detect faster?"
User and Entity Behavior Analytics (UEBA)
"How does game dwell time compare to real breaches?"
Poor clue (too vague, gives nothing away):
- "You find something suspicious"
- "There's a threat somewhere"
Bad clue (gives it away completely):
- "The attacker used Mimikatz to dump credentials from LSASS memory"
- "You have a database exfiltration happening right now"
Good clue (progressive disclosure, dramatic delivery):
- "Your memory forensics shows suspicious LSASS process manipulation. A tool has dumped credential hashes from memory. Several cached domain admin credentials have been extracted."
Excellent clue (specific without revealing, creates narrative):
- "Your EDR shows PowerShell activity with suspicious encoding. Memory access patterns suggest credential harvesting. Your domain admin cached credentials appear to have been targeted."
The game is TOO EASY if:
- Team reveals all cards in the first half of the turn limit with 60+ Budget remaining
- Multiple consecutive successful rolls (unlikely with d20)
- Clues are too specific/obvious
- Team makes no difficult decisions
Action: Make clues more subtle, reduce starting budget next time, or add an extra card to the chain
The game is TOO HARD if:
- Team gets stuck after revealing only 1 card (4+ turns with no progress)
- Multiple consecutive failed rolls
- Team is frustrated rather than challenged
- Team is out of ideas about what to investigate
Action: Provide more explicit clues, increase starting budget, reduce chain length
Adjustment Options:
- Chain Length: 3 (easier) vs. 4 (medium) vs. 5 (harder) — the turn limit scales automatically via (chain × 2) + 1
- Clue Quality: More specific/obvious (easier) vs. subtle (harder)
- Starting Budget: 80 (harder) vs. 100 (medium) vs. 120 (easier)
- Turn Limit: formula −1 (harder) vs. formula (medium) vs. formula +1 (easier)
If running for tournament or competitive context:
Attack Chain:
1. T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
2. T-06: Mimikatz Credential Dumping (PIVOT & ESCALATE - CREDENTIAL ABUSE)
3. T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)
Starting Budget: 100
Turn Limit: 7 [(3 × 2) + 1]
Narrative Setup:
"Your startup just deployed a new customer database. An employee clicked a malicious link in an email claiming to be from IT. Security monitoring detected unusual PowerShell activity after that. Now you're investigating what happened."
Focus: Teaching full kill chain detection (initial → credential harvesting → data theft)
Expected Duration: 30 minutes
Best For: First-time players, classroom introduction
Sample Defenses in Starting Hand:
- D-01: Email Authentication Setup (BASIC, 10)
- D-02: User Security Training (BASIC, 10)
- D-07: Multi-Factor Authentication (ADVANCED, 15)
- D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
- D-11: Data Loss Prevention (ADVANCED, 15)
Attack Chain:
1. T-02: Watering Hole Attack (INITIAL COMPROMISE - WEB EXPLOIT)
2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
3. T-07: Scheduled Task Persistence (PERSISTENCE - MALWARE)
4. T-09: Beaconing to C2 Server (C2 & EXFIL - NETWORK)
Starting Budget: 100
Turn Limit: 9 [(4 × 2) + 1]
Narrative Setup:
"Your organization's industry-specific website was silently compromised last month. A sophisticated attacker injected malicious code that targeted specific visitor browsers. One of your engineers visited the site and became infected. You're detecting strange network activity but aren't sure what's happening."
Focus: Sophisticated attack with multiple detection points; requires multiple defense/investigation attempts
Expected Duration: 40 minutes
Best For: Experienced players, demonstrating complex kill chain
Sample Defenses:
- D-18: Intrusion Prevention System (IPS) (ADVANCED, 15)
- D-09: Network Segmentation (ADVANCED, 15)
- D-04: Network Firewall Rules (BASIC, 10)
- D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
- D-13: Threat Hunting Program (ELITE, 25)
- D-14: Memory Forensics (ELITE, 25)
Attack Chain:
1. T-13: Compromised Software Vendor Update (INITIAL COMPROMISE - MALWARE)
2. T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
3. T-05: Privilege Escalation via Kernel Exploit (PIVOT & ESCALATE - MALWARE)
4. T-09: Beaconing to C2 Server (C2 & EXFIL - NETWORK)
5. T-11: Ransomware Payload Deployment (C2 & EXFIL - MALWARE)
Starting Budget: 100
Turn Limit: 11 [(5 × 2) + 1]
Narrative Setup:
"A trusted software vendor released an update to your monitoring tools three weeks ago. Today, you're detecting ransomware-like activity across your infrastructure. You suspect the vendor update was compromised. Can you trace the attack chain before the ransomware wakes up?"
Focus: Complex supply-chain-initiated attack; requires pattern recognition; high pressure
Expected Duration: 45 minutes
Best For: Advanced players, demonstrating supply chain risk
Sample Defenses:
- D-17: Advanced Malware Sandbox (ELITE, 25) — detonates vendor updates before deployment
- D-08: EDR (Endpoint Detection & Response) (ADVANCED, 15)
- D-09: Network Segmentation (ADVANCED, 15)
- D-03: Windows Update Patching (BASIC, 10) — closes the kernel exploit
- D-14: Memory Forensics (ELITE, 25)
- D-19: Backup & Disaster Recovery (BASIC, 10)
- D-11: Data Loss Prevention (ADVANCED, 15)
How to Play Solo:
- Single player acts as both Blue Team AND Threat Orchestrator
- Orchestrator creates attack chain before game starts
- Orchestrator then "steps back" to investigate (hard mode: don't peek at hidden cards)
- Requires discipline: don't use knowledge of chain to guide rolls
Best For: Individual learning, skill practice
Compress the Game:
- Reduce the turn limit by 2 (e.g., a 3-card chain plays in 5 turns instead of 7)
- Optional: Remove Uncontained Threats penalty and Active Breach Cost (less bookkeeping)
- Budget costs stay the same
- Budget starts at 120 to balance speed pressure
Best For: Experienced teams wanting high-stakes challenge
Deeper Forensics:
- Add "Advanced Investigate" action (costs 15 Budget, rolls 11+)
- A successful Advanced Investigate counts as TWO accumulated investigation successes (i.e., it can reveal a link in one action if you already have a clue, v2.2)
- Allows for riskier but more rewarding investigation strategy
Best For: Players who want forensic investigation to feel more rewarding
Multiple Teams, Same Challenge:
1. All teams receive the same 4-card attack chain
2. All teams start with same 100 Budget, same 5 Defense Cards drawn
3. Teams play simultaneously (or in sequence) against same scenario
4. Scoring: Cards revealed + Budget remaining = final score
5. Tiebreaker: Fewest turns taken
Best For: Classroom competition, conference play, benchmarking
Option 1: Continue to Hardening Module
- Excellent choice if building defenses against discovered threats
- Use the attack chain you just discovered as the hardening context
- Natural progression: detect the attack → now prevent it
Option 2: Continue to Audit & Compliance Module
- Great for understanding how to detect this attack chain
- Validates that your detection methods work
- Audits your existing security controls
Option 1: Continue to Disaster Recovery Module
- Appropriate: assume the attack succeeded
- Manage the breach that just happened
- Focus on response, stakeholder communication, recovery
Option 2: Replay with Different Strategy
- Try again with different investigation/defense approach
- Use what you learned to optimize for next attempt
Option 3: Study Real Breach Case Studies
- Compare your experience to real breaches (Equifax, Target, SolarWinds)
- Understand why real dwell times are 200+ days
- Learn what signals real defenders look for
Play Again with:
- Different attack chain from the card deck
- Different difficulty (if you won easily or struggled)
- Competitive mode against other teams
- Extended variations with different mechanics
| Action | Cost | Roll Required | Success Condition | Failure Condition |
|---|---|---|---|---|
| Investigate | 5 Budget | roll + modifiers ≥ 11 | 1st success: clue; 2nd success on same link: card revealed (v2.2) | No intel gained |
| Deploy Defense | 10/15/25 | roll + modifiers ≥ 11 | Full match reveals card immediately | Defense not deployed |
| Emergency Response | 15 Budget (v2.2) | None | Threat removed, penalty stops | — |

| Bonus | When Awarded | Examples |
|---|---|---|
| +2 | Strong technical justification | "Analyze mail headers in gateway logs to identify true sender IP, check against threat intelligence" |
| +1 | Real security tools/techniques | "Query SIEM for scheduled tasks", "Check Mimikatz in memory", "Review EDR telemetry" |
| +2 | Deployed Defense Persistence (v2.2) | A deployed defense's vector matches the targeted chain link |
| +0 | Vague/no justification | "Find suspicious activity" |

| Tracker | Starts At | Changes |
|---|---|---|
| Budget | 100 | -5 per Investigate, -10/15/25 per Defense, -15 per Emergency Response, -5 per uncontained threat at turn start, -5 Active Breach Cost at turn start while any chain card is unrevealed (v2.2); floor 0 |
| Turn | 1 | +1 each turn (limit = chain × 2 + 1) |
| Uncontained Threats | 0 | +1 when card revealed, -1 when auto-mitigated or Emergency Response used |
Changes for playtesters to validate, and why they were made:
Rough balance check (3-card beginner game, 7 turns): worst-case fixed costs are 5/turn Active Breach + 5/turn for one uncontained threat ≈ 60-70 Budget over a full game, leaving ~30-40 for actions before rewards; two Budget Grants (+20) and cheap Investigates (5) keep an investigation-led run solvent — see the worked example above, which ends at 5 Budget on turn 7.
Incident Response Module - Rules & Mechanics Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
docs/standalone-games/incident-response.md
Version: 2.2 - Playtest Edition
Duration: 30-45 minutes
Players: 1 Threat Orchestrator + 2-4 Blue Team members
Best For: Incident response training, attack detection practice, SOC operations
The Incident Response Module teaches players how to detect and investigate cyberattacks under pressure. Players must reveal a hidden attack chain before time runs out or budget is exhausted.
This is the foundation module—many other modules build upon successful or unsuccessful incident response.
Turn limits use the Variable Game Length formula from Core Rules §3a: Turn Limit = (Attack Chain Cards × 2) + 1.
| Difficulty | Chain Length | Budget | Turn Limit | Best For |
|---|---|---|---|---|
| Beginner | 3 cards | 100 | 7 turns | First playthrough, basic learning |
| Intermediate | 4 cards | 100 | 9 turns | Standard play, mixed experience |
| Advanced | 5 cards | 100 | 11 turns | Experienced players, challenge |
Create the Attack Chain:
1. Select 3-5 threat cards in logical sequence
2. Arrange by attack chain step: INITIAL COMPROMISE → PIVOT & ESCALATE → PERSISTENCE → C2 & EXFIL
3. Write down clues for each hidden card (don't reveal yet)
4. Place relevant Asset Cards on the table (visible to all). Asset Cards are shared components — see cards/network-building/core-deck/asset-cards.md
Recommended first-time scenario:
- T-01: Phishing Campaign (INITIAL COMPROMISE - SOCIAL ENGINEERING)
- T-04: Lateral Movement via SMB (PIVOT & ESCALATE - NETWORK)
- T-10: SQL Database Exfiltration (C2 & EXFIL - DATA EXFIL)
- Total: 3 cards, ~30 minutes, teaches full attack chain concept
Threat Orchestrator reads opening scenario based on only the first hidden card's clue. Example:
"Your security operations center is monitoring the network when alerts begin firing. Your SIEM shows suspicious email traffic coming from your IT department domain, but the headers look spoofed. Several employees have reported clicking links in emails they thought came from IT requesting password resets."
Each turn follows this structure:
1. START OF TURN
   - Uncontained Threats Penalty: For each revealed-but-uncontained threat, deduct 5 Budget
   - Active Breach Cost (v2.2): If at least one chain card is still unrevealed, deduct 5 Budget (dwell time is never free)
   - Read turn number aloud ("Turn 3...")
2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Team discusses strategy
   - Decides on ONE action (see below)
   - Announces action and parameters
3. ACTION RESOLUTION
   - Roll 1d20 for success/failure
   - Apply modifiers (see below)
   - Determine outcome
4. END OF TURN
   - Advance Turn Tracker by 1
   - Draw 1 Defense Card
   - Check if game won/lost
Cost: 5 Budget
Roll Required: 11+ (on d20)
How it works:
1. Team describes what they're investigating (e.g., "Email headers in the mail gateway logs")
2. Provide technical justification for the investigation approach
3. Roll 1d20
Roll Modifiers:
- +2 bonus: Strong technical justification (references specific logs, tools, or methodologies)
- +1 bonus: References real security tools/techniques (Splunk, Wireshark, EDR, specific CVEs, MITRE ATT&CK)
- +0: Vague investigation (no modifier)
Examples of good justification:
- "We want to analyze the email headers in the mail gateway to identify the true sender IP and check it against threat intelligence feeds"
- "We'll query our EDR agent logs for any processes spawned after the user clicked the link, looking for PowerShell or suspicious child processes"
Outcomes (v2.2 — investigation successes accumulate):
- Success (roll + modifiers ≥ 11):
  - First success against the current chain link: TO gives a verbal clue about that hidden threat (always the earliest unrevealed card — see Sequential Discovery below)
  - Second success against the same link: THE CARD IS REVEALED! It becomes uncontained and the team chooses a Discovery Reward
- Failure: "Your investigation yields no actionable intelligence" (turn wasted, budget spent, but team learned). Failures do not count toward the two successes.
Sequential Discovery (v2.2 note): Only the earliest unrevealed chain card can be revealed — by investigation or by defense deployment. Clues and successes always target that card, matching the clue system's walk down the kill chain.
Cost: 10/15/25 Budget (depending on card tier)
Roll Required: 11+ (on d20)
How it works:
1. Choose a Defense Card from your hand
2. Target a specific Asset or threat vector
3. Explain why this defense is appropriate for the situation
4. Roll 1d20
Roll Modifiers: Same as Investigate (+2 for justification, +1 for real tools)
Outcomes:
- Success (roll + modifiers ≥ 11):
  - If card's Countermeasure matches the hidden threat's Attack Vector AND it's the correct step in the chain → THREAT CARD REVEALED IMMEDIATELY!
  - If it matches but wrong step, or right step but wrong vector → Defense deployed but no reveal
  - If neither matches → Defense deployed but ineffective against current threat
Deployed Defense Persistence (v2.2): Deployed defenses stay on the board. Whenever the chain link currently being targeted has a vector matching a deployed defense, add +2 to Investigate and Deploy Defense rolls against it (the TO, who knows the hidden vector, announces when this applies). Full rule in Module: Incident Response.
Cost: 15 Budget (v2.2 — repriced from 25)
Roll Required: None—this always succeeds
How it works:
1. Choose a previously revealed Threat Card still in play
2. Describe your containment strategy (quarantine infected systems, disable compromised accounts, isolate network segments, etc.)
3. Card is immediately removed from play
4. Uncontained Threats penalty decreases by 1
Strategic Use:
- Use this if you're running out of budget and accumulating penalties
- Use this if a threat is too dangerous to leave active
- Use this to prepare for later modules (e.g., if continuing to Hardening, fewer uncontained threats = more budget available)
How it works:
1. When a threat card is revealed, it becomes "uncontained" (add 1 to Uncontained Threats Tracker)
2. At the START of each turn, deduct 5 Budget per uncontained threat
3. Active Breach Cost (v2.2): at the START of each turn, also deduct 5 Budget if at least one chain card is still unrevealed (hidden dwell time costs money too)
4. When Emergency Response is used, remove that threat and decrement the tracker
5. When the next card in the chain is revealed, the previous uncontained threat is automatically "mitigated" (decrement tracker)
Example (one action per turn; 3-card chain; Budget 100):
Turn 1: START → -5 Active Breach Cost (95)
Deploy Defense succeeds, full match → PHISHING REVEALED
(-10 for the BASIC defense, 85) → Uncontained Threats = 1
Reward: Budget Grant +10 (95)
Turn 2: START → -5 (uncontained) -5 (Active Breach: 2 cards hidden) = 85
Emergency Response on Phishing: pay 15 (70) → Uncontained = 0
Turn 3: START → -5 (Active Breach only) = 65
...investigation continues toward the next chain card
Blue Team Wins if:
- All threat cards in the attack chain are revealed
- AND this happens within your turn limit (7/9/11 by chain length)
Victory is checked immediately when the final card is revealed (v2.2) — before any start-of-turn penalties.
Blue Team Loses if:
- Turn Tracker exceeds your turn limit with unrevealed cards remaining
- OR the team cannot afford any legal action (Budget floors at 0; an action requires its full cost — see Budget Edge Rules in Module: Incident Response)
If you want to score:
Points = (Cards Revealed / Total Cards) × 50 + (Budget Remaining / 100) × 50
Example (4-card chain):
- 3 cards revealed: 37.5 points
- 35 budget remaining: 17.5 points
- Total: 55/100 (moderate performance)
When your team successfully reveals a Threat Card:
Choose ONE reward:
FOR WINNERS:
1. "What was your investigation strategy? What worked?"
2. "Which action type (Investigate vs. Deploy Defense) was most effective for you?"
3. "Did Uncontained Threats penalties force you to make reactive decisions? Was that realistic?"
FOR LOSERS:
1. "What went wrong in your investigation? Where did you get stuck?"
2. "Would you have benefited from more defense deployments vs. investigations?"
3. "How would you investigate differently if you could replay?"
EVERYONE:
1. "What was the attacker's complete kill chain?"
2. "Which threat card was hardest to detect? Why?"
3. "Why isn't this easy to detect in real-world networks?"
4. "What tool or process would have helped you detect faster?"
Poor clue (too vague):
- "You find something suspicious"
Too good (gives it away):
- "The attacker used Mimikatz to dump credentials from LSASS memory"
Just right (progressive disclosure):
- "Your memory forensics shows suspicious LSASS process manipulation. A tool has dumped credential hashes from memory. Several cached domain admin credentials have been extracted."
The game is too easy if:
- Teams reveal all cards in turns 1-4 with budget to spare
- Clues are too specific
- Teams succeed on every roll
The game is too hard if:
- Teams get stuck after revealing 1 card
- No successful rolls for 5+ turns
- Teams hit the turn limit with only 1-2 cards revealed
Adjust by:
- Number of cards (3 vs. 4 vs. 5 — the turn limit scales automatically via (chain × 2) + 1)
- Quality of clues (more/less specific)
- Starting budget (60 vs. 100 vs. 120)
- Turn limit (formula −1 for harder, formula +1 for easier)
If running this for a tournament or competitive context:
- Assign different attack chains to each team (or same chain for scoring comparison)
- Teams cannot see each other's progress
- First team to reveal all cards wins
- Tiebreaker: Most Budget remaining
Focus: Teaching full kill chain detection in 30 minutes
Focus: Sophisticated attack with multiple detection points
Focus: Complex supply-chain-initiated attack chain
If you won:
- Continue to Hardening Module → Build defenses against discovered threats
- Continue to Audit & Compliance Module → Verify your detection methods
If you lost:
- Continue to Disaster Recovery Module → Manage the breach that succeeded
- Replay with a different strategy
- Try a different scenario
Standalone: Play again with a different attack chain
| Action | Cost | Roll | Success | Failure |
|---|---|---|---|---|
| Investigate | 5 Budget | roll + modifiers ≥ 11 | 1st success: clue; 2nd success on same link: reveal (v2.2) | No intel (budget wasted) |
| Deploy Defense | 10/15/25 | roll + modifiers ≥ 11 | Full match reveals card immediately | Defense not deployed |
| Emergency Response | 15 (v2.2) | None | Remove revealed threat | — |

| Modifier | Effect |
|---|---|
| +2 | Strong technical justification |
| +1 | Real tool/technique referenced |
| +2 | Deployed Defense Persistence: deployed defense's vector matches targeted link (v2.2) |

| Tracker | Starting | Changes |
|---|---|---|
| Budget | 100 | −5 per uncontained threat, plus a −5 Active Breach Cost at the start of each turn while any card is still hidden (v2.2); floor 0 |
| Turn | 1 | +1 each turn (limit = chain × 2 + 1) |
| Uncontained Threats | 0 | +1 when revealed, -1 when contained or next card revealed |
For the full list of v2.2 changes and reasoning, see the "v2.2 Playtest Edition Changes" section in Module: Incident Response.
Incident Response Module - Standalone Play Guide
Part of Incident Zero, a modular cybersecurity board game
cards/incident-response/core-deck/threat-defense-cards.md
Kill-chain steps:
- INITIAL COMPROMISE - First entry point
- PIVOT & ESCALATE - Movement and privilege escalation
- PERSISTENCE - Maintaining access
- C2 & EXFIL - Command & control and data theft

Attack vectors:
- SOCIAL ENGINEERING
- WEB EXPLOIT
- CREDENTIAL ABUSE
- MALWARE
- NETWORK
- DATA EXFIL

┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ PHISHING CAMPAIGN │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: SOCIAL ENGINEERING │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your security team reports that │
│ several employees have received │
│ emails claiming to be from your │
│ IT department requesting password │
│ resets. One user has already │
│ clicked the link. Email headers │
│ show the domain is spoofed." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Phishing exploits human psychology │
│ rather than technical vulnerabilities. │
│ Attackers use social engineering to │
│ create urgency and bypass technical │
│ controls. With email authentication │
│ (SPF/DKIM/DMARC) and user training, │
│ this attack is highly preventable. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ WATERING HOLE ATTACK │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: WEB EXPLOIT │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "A popular industry blog your │
│ employees frequently visit has │
│ been compromised. Logs show that │
│ your users' browsers were │
│ redirected to a malicious domain │
│ hosting an exploit kit targeting │
│ unpatched browsers." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Watering hole attacks target │
│ trusted third-party sites to infect │
│ specific user groups. They bypass │
│ email filters and exploit browser │
│ vulnerabilities. Defense requires │
│ rapid patching and endpoint │
│ monitoring. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ COMPROMISED CREDENTIALS │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your SIEM has detected a │
│ successful VPN login from an │
│ unusual geographic location at │
│ 3 AM. The username belongs to an │
│ employee who is currently on │
│ vacation. The login attempt came │
│ from an IP in a known cybercrime │
│ hosting provider." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Credential stuffing uses passwords │
│ leaked from third-party breaches. │
│ If employees reuse passwords, their │
│ work accounts become compromised. │
│ Multi-factor authentication (MFA) │
│ is the primary defense. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ LATERAL MOVEMENT VIA SMB │
├─────────────────────────────────────┤
│ Step: PIVOT & ESCALATE │
│ Vector: NETWORK │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Network segmentation alerts show │
│ unusual SMB traffic between a │
│ compromised workstation and your │
│ file server. Suspicious named pipe │
│ activity detected. The attacker │
│ appears to be enumerating shares │
│ and attempting to access restricted │
│ resources." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ SMB (Server Message Block) is a │
│ legitimate protocol, so traffic │
│ blends in. Flat network architecture │
│ allows attackers to move freely. │
│ Without micro-segmentation and │
│ strong authentication, lateral │
│ movement is easy. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ PRIVILEGE ESCALATION VIA KERNEL │
├─────────────────────────────────────┤
│ Step: PIVOT & ESCALATE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "EDR telemetry shows a low-privilege │
│ process loading a proof-of-concept │
│ exploit for an unpatched local │
│ privilege escalation vulnerability │
│ in the Windows kernel. Seconds │
│ later, the same process spawned a │
│ child running as SYSTEM. Patch │
│ reports show this host is three │
│ months behind on kernel updates." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Kernel exploits abuse memory- │
│ corruption or logic flaws (think │
│ Dirty Pipe or win32k CVEs) to jump │
│ from a standard user to SYSTEM or │
│ root. Public PoC code often appears │
│ within days of disclosure, so │
│ unpatched hosts are easy targets. │
│ Rapid patching, EDR behavioral │
│ detection, and least privilege │
│ limit the damage. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ MIMIKATZ CREDENTIAL DUMPING │
├─────────────────────────────────────┤
│ Step: PIVOT & ESCALATE │
│ Vector: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Memory forensics analysis on the │
│ Domain Controller reveals suspicious │
│ LSASS process manipulation. A tool │
│ has dumped credential hashes from │
│ memory. Several cached domain admin │
│ credentials have been extracted. │
│ Attacker now has credentials to │
│ move to critical systems." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Mimikatz attacks Windows LSASS │
│ (Local Security Authority Subsystem) │
│ memory to extract credentials. │
│ Without Credential Guard and LSA │
│ protection (RunAsPPL), domain admin │
│ credentials become compromised, │
│ enabling full infrastructure access. │
└─────────────────────────────────────┘
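The clue on this card is what the Blue Team hopes to find after the fact. The check that catches the dump while it happens is simpler: Sysmon Event ID 10 (ProcessAccess) records every process that opens a handle to another process and the access mask it asked for, and anything that reads credentials out of lsass.exe must ask for PROCESS_VM_READ. The script below is an added example, not part of the Incident Zero files: it scans a batch of such events and flags handle opens on LSASS with memory rights from binaries that are not on an allow-list. The events, host names and allow-list are constructed for the example; the access-right constants are the real Win32 values.

```python
"""Flag suspicious handle opens on LSASS in Sysmon Event ID 10 records.

Added example for the Mimikatz card; not part of the Incident Zero files.
Sysmon's ProcessAccess event logs which process opened a handle to which
target and with what access mask. Reading credentials out of LSASS needs
PROCESS_VM_READ (0x0010); the classic Mimikatz sekurlsa mask is 0x1010.
"""
from __future__ import annotations

# Real Win32 process access rights (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
# Any of these on lsass.exe is enough to read or tamper with credentials.
DANGEROUS_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                    | PROCESS_VM_READ | PROCESS_VM_WRITE)

# Constructed allow-list (assumption): processes that legitimately open LSASS
# on the fictional network. Replace with your own EDR/AV binaries.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")
MINIDUMP_LIBS = ("comsvcs.dll", "dbghelp.dll", "dbgcore.dll")

# Constructed Sysmon EID 10 events, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"Computer": "DC01", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF", "CallTrace": ""},
    {"Computer": "DC01", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400", "CallTrace": ""},
    {"Computer": "DC01", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\mm.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4|UNKNOWN(00000000001B2A1C)"},
    {"Computer": "WS07", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3e4|C:\Windows\System32\comsvcs.dll+7a4c"},
    {"Computer": "WS07", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\mm.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010", "CallTrace": ""},
]


def parse_access_mask(value: str | int) -> int:
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'."""
    return int(value, 16) if isinstance(value, str) else int(value)


def classify(event: dict) -> dict | None:
    """Return an alert for a suspicious LSASS handle open, or None."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    mask = parse_access_mask(event["GrantedAccess"])
    if not mask & DANGEROUS_RIGHTS:
        return None  # query-only handles (0x1400 etc.) are routine
    source = event["SourceImage"].lower()
    if source in ALLOWED_SOURCES:
        return None
    reasons = [f"access mask 0x{mask:x} includes memory read/write rights"]
    if mask == 0x1010:
        reasons.append("0x1010 is the classic Mimikatz sekurlsa mask")
    trace = event.get("CallTrace", "").lower()
    if any(lib in trace for lib in MINIDUMP_LIBS):
        reasons.append("call trace passes through a MiniDump library")
    if any(hint in source for hint in USER_WRITABLE_HINTS):
        reasons.append("source binary runs from a user-writable directory")
    return {"host": event["Computer"], "source": event["SourceImage"],
            "mask": mask, "reasons": reasons}


def scan(events: list[dict]) -> list[dict]:
    """Run classify() over a batch and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['source']} -> lsass.exe "
              f"(0x{alert['mask']:x}); " + "; ".join(alert["reasons"]))
```

Two of the five constructed events fire: the unsigned binary in a Temp folder asking for exactly 0x1010, and rundll32.exe opening LSASS with full access through comsvcs.dll (the MiniDump-by-living-off-the-land trick). Defender's full-access handle is suppressed by the allow-list, and Task Manager's query-only handle never trips the rights check. The allow-list is the part that needs care in a real deployment: keep it short, key it on full path, and review it when the EDR vendor changes binaries.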
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ SCHEDULED TASK PERSISTENCE │
├─────────────────────────────────────┤
│ Step: PERSISTENCE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Log analysis shows a scheduled │
│ task created by the compromised │
│ account. The task is set to execute │
│ every 6 hours and runs a script │
│ from a hidden directory. The │
│ activity occurs outside normal │
│ business hours. Timestamp metadata │
│ indicates advanced timestomping." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Scheduled tasks run as whatever │
│ account they are registered to use │
│ and survive reboots. They blend in │
│ with legitimate administrative │
│ tasks. Windows Event Logs (ID 4698, │
│ task created) may not be forwarded │
│ centrally, letting this mechanism hide.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ REGISTRY RUN KEY PERSISTENCE │
├─────────────────────────────────────┤
│ Step: PERSISTENCE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Registry analysis detects a new │
│ entry under HKLM\Software\Microsoft\│
│ Windows\CurrentVersion\Run pointing │
│ to an executable in an unusual │
│ location. The binary has │
│ obfuscated metadata and a fake │
│ digital signature. It executes at │
│ every system startup." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Registry Run keys execute at startup │
│ with persistence across reboots. │
│ They're difficult to distinguish │
│ from legitimate startup programs. │
│ Endpoint detection must watch for │
│ writes to these keys (e.g. Sysmon │
│ Event ID 13, registry value set). │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ BEACONING TO C2 SERVER │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: NETWORK │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your threat intelligence feed │
│ alerts on suspicious outbound │
│ HTTPS connections to a domain │
│ associated with known malware. │
│ Netflow shows regular 3-minute │
│ intervals of encrypted traffic. │
│ The pattern matches documented C2 │
│ beaconing behavior." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Beaconing establishes command and │
│ control communication with the │
│ attacker's infrastructure. Encrypted │
│ HTTPS makes payload inspection │
│ difficult. Threat intelligence and │
│ behavioral analysis (unusual timing) │
│ are required for detection. │
└─────────────────────────────────────┘
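The detection signal on this card is timing, not content: the traffic is HTTPS, so what gives the implant away is that it phones home on a schedule. Below is an added example (not part of the Incident Zero files) of how that is scored from flow records. For every (source, destination, port) triple it computes the gaps between successive connections and asks what share of them sit close to the median gap; a beacon on a timer scores near 1.0, a person browsing scores near 0. The flow records, addresses and thresholds are constructed for the example.

```python
"""Spot periodic call-home traffic in flow records.

Added example for the C2 beaconing card; not part of the Incident Zero
files. The card's clue is "regular 3-minute intervals of encrypted
traffic": the signal is not the payload (it is HTTPS) but the timing.
For every (src, dst, dport) pair we look at the gaps between successive
connections; an implant on a timer produces gaps clustered tightly around
one value, a human browsing produces gaps all over the place. Flow records
and addresses below are constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import median
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int
    bytes: int


MIN_CONNECTIONS = 6      # fewer gaps than this and the statistics mean nothing
JITTER_TOLERANCE = 0.20  # a gap within +/-20% of the median counts as on schedule
REGULARITY_THRESHOLD = 0.80


def _constructed_flows() -> list[Flow]:
    flows = []
    # Implant on 10.1.5.23 calling home every 180 s with a few seconds of jitter.
    t = 1_700_000_000
    for jitter in (0, 2, -1, 3, 0, -2, 1, 0, 2, -1):
        t += 180 + jitter
        flows.append(Flow(t, "10.1.5.23", "203.0.113.77", 443, 1_240))
    # Same workstation browsing a legitimate site at human, irregular times.
    t = 1_700_000_050
    for gap in (5, 41, 2, 312, 9, 88, 3, 650):
        t += gap
        flows.append(Flow(t, "10.1.5.23", "198.51.100.10", 443, 18_000))
    # Another host that touched the C2 domain only three times: too few to judge.
    for ts in (1_700_000_100, 1_700_000_280, 1_700_000_460):
        flows.append(Flow(ts, "10.1.5.40", "203.0.113.77", 443, 1_240))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def timing_profile(timestamps: list[int]) -> dict | None:
    """Median gap between connections and the share of gaps near that median."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return None
    interval = median(gaps)
    if interval <= 0:
        return None
    on_schedule = sum(1 for g in gaps if abs(g - interval) <= JITTER_TOLERANCE * interval)
    return {"interval": interval, "regularity": on_schedule / len(gaps), "count": len(ts)}


def find_beacons(flows: list[Flow]) -> list[dict]:
    """Return the (src, dst, dport) pairs whose connection timing looks scheduled."""
    by_pair: dict[tuple[str, str, int], list[int]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        profile = timing_profile(stamps)
        if profile and profile["regularity"] >= REGULARITY_THRESHOLD:
            hits.append({"src": src, "dst": dst, "dport": dport, **profile})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} every ~{hit['interval']:.0f}s "
              f"({hit['count']} connections, regularity {hit['regularity']:.2f})")
```

Only the 180-second pair is reported; the browsing session scores about 0.14 and the three-connection host is skipped as too thin to judge. Real implants add deliberate jitter (often 20-50% of the interval) precisely to defeat this, so in production you widen the tolerance, look at the whole gap histogram rather than one median, and add a second feature such as the near-constant byte count of each check-in.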
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ SQL DATABASE EXFILTRATION │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: DATA EXFIL │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Database audit logs show a large │
│ SELECT query executed by a service │
│ account retrieving customer data. │
│ Results (500k+ records) were piped │
│ to a temporary file. System logs │
│ show this file was copied to cloud │
│ storage via encrypted connection." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Database exfiltration bypasses │
│ endpoint controls. Attackers use │
│ legitimate protocols (HTTPS, SFTP) │
│ to trusted services (S3, Dropbox). │
│ Without DLP (Data Loss Prevention) │
│ and egress filtering, detection is │
│ nearly impossible. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ RANSOMWARE PAYLOAD DEPLOYMENT │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "EDR alerts spike as multiple │
│ processes begin encrypting files │
│ on the file server. Hundreds of │
│ files change extension to '.locked'. │
│ A ransom note appears on all │
│ administrative workstations. Network │
│ traffic shows exfil before encryption │
│ began (double extortion tactic)." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Modern ransomware exfiltrates data │
│ first (to extort payment), then │
│ encrypts. Fast detection during the │
│ exfil phase is critical. Once file │
│ encryption begins, recovery becomes │
│ difficult. Segmentation and backups │
│ are essential. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ BROWSER EXTENSION BACKDOOR │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: DATA EXFIL │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Browser logs show installation of │
│ a suspicious extension claiming to │
│ be a productivity tool. Traffic │
│ analysis reveals the extension is │
│ capturing keystrokes and session │
│ cookies. User login credentials for │
│ sensitive portals are being sent to │
│ a server in a high-risk country." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Browser extensions run with full │
│ access to user activity. They can │
│ capture credentials, read page data │
│ before TLS encrypts it, and persist │
│ across browser updates. Extension │
│ vetting (allow-lists) and endpoint │
│ protection are critical defenses. │
└─────────────────────────────────────┘
Defense cards counter specific Attack Vectors:
- SOCIAL ENGINEERING
- WEB EXPLOIT
- CREDENTIAL ABUSE
- MALWARE
- NETWORK
- DATA EXFIL
Note (v2.2): This deck is identical to cards/hardening/core-deck/defense-cards.md (the two modules share one physical deck). Cards are grouped by tier; card IDs are stable and do not renumber when a card's tier changes, so IDs within a section are not always contiguous. D-18, D-19, D-23, and D-24 were retiered in v2.2, and D-24 is dual-tagged (counts as a match for either listed vector).
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ EMAIL AUTHENTICATION SETUP │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: SOCIAL ENGINEERING │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy SPF (Sender Policy │
│ Framework), DKIM (DomainKeys │
│ Identified Mail), and DMARC (Domain │
│ Message Authentication, Reporting & │
│ Conformance) to prevent email │
│ spoofing. Implement enforcement │
│ policies to reject spoofed emails. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Blocks phishing emails claiming to │
│ be from your domain. Requires │
│ attackers to find alternative │
│ vectors. Also provides reporting on │
│ spoofing attempts. │
└─────────────────────────────────────┘
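"Implement enforcement policies" is the part of this card that teams skip in real life: a domain can publish SPF and DMARC records that look complete and still reject nothing. The checker below is an added example, not part of the game files; it grades constructed SPF and DMARC TXT records for the fictional company without touching DNS, using the rules from RFC 7208 (the `all` qualifier and the ten-lookup limit) and RFC 7489 (`p=`, `pct=`, `sp=`, `rua=`). The weak and corrected records are shown side by side.

```python
"""Grade SPF and DMARC TXT records for enforcement strength.

Added example for the Email Authentication card; not part of the Incident
Zero files. No DNS lookups are made: the records are constructed strings
standing in for what `dig TXT example.com` / `dig TXT _dmarc.example.com`
would return for the fictional company.
"""
from __future__ import annotations

# Constructed records: the "before" and "after" of turning enforcement on.
WEAK_SPF = "v=spf1 a mx include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_DMARC = "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

SPF_LOOKUP_PREFIXES = ("include:", "exists:", "redirect=", "a:", "a/", "mx:", "mx/", "ptr:")


def assess_spf(record: str) -> dict:
    """Check the 'all' qualifier and the RFC 7208 ten-lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "enforcing": False, "findings": ["not an SPF record"]}
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        if t == "all":
            all_qualifier = qualifier
        elif t in ("a", "mx", "ptr") or t.startswith(SPF_LOOKUP_PREFIXES):
            lookups += 1  # each of these costs a DNS query at evaluation time
            if t.startswith("ptr"):
                findings.append("ptr mechanism is deprecated and slow")
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes the whole internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral and blocks nothing")
    elif all_qualifier == "~":
        findings.append("'~all' softfail: most receivers only mark, not reject")
    enforcing = all_qualifier == "-" and lookups <= 10
    return {"valid": True, "enforcing": enforcing, "lookups": lookups, "findings": findings}


def assess_dmarc(record: str) -> dict:
    """Check policy, percentage, subdomain policy and reporting address."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "enforcing": False, "findings": ["not a DMARC record"]}
    findings = []
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none leaves every subdomain spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    enforcing = (policy in ("quarantine", "reject") and pct == 100
                 and subdomain_policy != "none")
    return {"valid": True, "enforcing": enforcing, "policy": policy,
            "pct": pct, "findings": findings}


if __name__ == "__main__":
    for name, record, check in (("weak SPF", WEAK_SPF, assess_spf),
                                ("strong SPF", STRONG_SPF, assess_spf),
                                ("weak DMARC", WEAK_DMARC, assess_dmarc),
                                ("partial DMARC", PARTIAL_DMARC, assess_dmarc),
                                ("strong DMARC", STRONG_DMARC, assess_dmarc)):
        result = check(record)
        print(f"{name}: enforcing={result['enforcing']} {result['findings']}")
```

Two points the card compresses: SPF only checks the envelope sender (MAIL FROM), not the From header a user sees, so a hard-fail SPF record alone does not stop display-name spoofing; DMARC's alignment tags (`adkim`, `aspf`) are what tie the visible From to the authenticated domain. And `p=reject` with `pct=25`, as in the PARTIAL record, is a rollout stage, not enforcement; the checker refuses to call it enforcing until `pct` reaches 100 and subdomains are covered.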
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ USER SECURITY TRAINING │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: SOCIAL ENGINEERING │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Conduct phishing awareness training │
│ for all staff. Teach recognition of │
│ suspicious links, sender spoofing, │
│ urgency tactics, and credential │
│ harvesting attempts. Run simulated │
│ phishing campaigns. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Reduces successful phishing rate by │
│ 70-80%. Users become your first │
│ line of defense. Works best when │
│ combined with technical controls. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ WINDOWS UPDATE PATCHING │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy automated Windows Update │
│ management across all systems. │
│ Establish patch deployment timelines│
│ (critical = 48 hours, high = 2 │
│ weeks). Audit compliance with patch │
│ reporting. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Closes browser and kernel │
│ vulnerabilities. Prevents watering │
│ hole and exploit kit attacks. │
│ Should be combined with vulnerability │
│ scanning to identify gaps. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ NETWORK FIREWALL RULES │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy perimeter firewall rules to │
│ block unauthorized outbound │
│ protocols. Default-deny for unusual │
│ ports and known malware C2 domains. │
│ Whitelist only necessary business │
│ traffic. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Blocks C2 beaconing to known-bad │
│ domains and slows attacker recon; │
│ with internal rules it also hampers │
│ early lateral movement. Must be │
│ maintained with threat intel feeds. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ LOG CENTRALIZATION │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy centralized log aggregation │
│ (syslog, Splunk, ELK). Forward │
│ Windows Event Logs, firewall logs, │
│ DNS queries, and proxy logs to │
│ central SIEM. Configure syslog │
│ integrity protection. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Makes local log tampering difficult.│
│ Provides investigative visibility │
│ into attacker activities. Foundation│
│ for threat hunting and compliance. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ BASIC ANTIVIRUS DEPLOYMENT │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy signature-based antivirus │
│ across all endpoints. Enable │
│ automatic definition updates │
│ (daily). Configure real-time file │
│ and email scanning. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Catches known malware variants. │
│ Does not detect zero-day or │
│ polymorphic malware. Useful as part │
│ of defense-in-depth but insufficient │
│ as primary defense. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ BACKUP & DISASTER RECOVERY │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Implement the 3-2-1 backup │
│ strategy: 3 copies of data, 2 │
│ different storage types, 1 offsite │
│ copy (offline or immutable, so │
│ ransomware cannot encrypt it). Test │
│ restore procedures quarterly. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Enables rapid recovery from │
│ ransomware. Ensures data │
│ availability even if primary │
│ systems are compromised. Critical │
│ for business continuity. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ IR PROGRAM & RUNBOOKS │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Establish an incident response │
│ program with detailed runbooks for │
│ common scenarios: malware infection,│
│ data exfiltration, ransomware, │
│ insider threats, supply chain │
│ compromise. Include roles, │
│ responsibilities, and communication │
│ plans. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Enables faster, more coordinated │
│ response when incidents occur. │
│ Reduces confusion during high- │
│ pressure situations. Improves │
│ incident containment and recovery │
│ time. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ MULTI-FACTOR AUTHENTICATION (MFA) │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy MFA for all remote access │
│ (VPN, RDP), email, and admin │
│ portals. Use authenticator apps or │
│ hardware tokens (not SMS). Enforce │
│ MFA on sensitive user accounts. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Makes compromised credentials │
│ useless without the second factor. │
│ Blocks credential stuffing attacks. │
│ Most effective single security │
│ measure against account takeover. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ EDR (ENDPOINT DETECTION & RESPONSE) │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy EDR agent on all endpoints. │
│ Monitor process execution, file │
│ creation, registry modifications, │
│ and memory injection attempts. │
│ Enable behavioral analytics and │
│ automated response. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects living-off-the-land attacks │
│ (PowerShell, cmd, scheduled tasks). │
│ Enables fast incident response and │
│ threat hunting. Provides deep │
│ visibility into attack progression. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ NETWORK SEGMENTATION │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Implement VLANs and microsegmentation │
│ to separate user workstations from │
│ servers. Deploy firewall rules │
│ between segments. Implement zero- │
│ trust network access controls. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents lateral movement via SMB │
│ and other internal protocols. │
│ Limits blast radius of compromise. │
│ Forces attackers to find alternate │
│ paths. Combined with MFA, highly │
│ effective. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ SIEM CORRELATION RULES │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Create SIEM rules to detect attack │
│ patterns: failed login spikes, │
│ privilege escalation attempts, │
│ unusual process creation, scheduled │
│ task creation, and data exfil │
│ indicators. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Correlates events across logs to │
│ detect multi-step attacks. Reduces │
│ alert fatigue through smart │
│ aggregation. Enables faster │
│ investigation and response. │
└─────────────────────────────────────┘
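What makes a correlation rule different from an alert on any one of the patterns the card lists is the ordering and the time window: a phish click, an SMB session to the file server and a new scheduled task are each routine on their own, but the three in that order on one host within an hour are the manual's own suggested attack chain. The code below is an added example, not part of the Incident Zero files; it runs a small per-host state machine over a constructed stream of normalized events from three log sources and emits an alert only when every stage fires in sequence inside the window. Event kinds, hosts and users are constructed.

```python
"""Correlate a multi-step attack across log sources inside a time window.

Added example for the SIEM Correlation Rules card; not part of the Incident
Zero files. The rule below encodes the manual's suggested first chain
(phishing -> SMB lateral movement -> scheduled-task persistence) as an
ordered sequence of stages that must all fire for the same host within an
hour. Every stage on its own is noise in a busy network; the ordered
combination is the signal. Event stream, hosts and users are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds
    source: str    # which log produced it: mailgw, netflow, wineventlog, ...
    host: str
    user: str
    kind: str      # normalized event type


@dataclass
class SequenceRule:
    name: str
    key: Callable[[Event], str]               # what the stages must share
    stages: list[Callable[[Event], bool]]     # predicates, in kill-chain order
    window: int                               # seconds from first to last stage


# Constructed normalized events from three sources. Only WS07 shows the full
# chain inside the window; WS12 starts one but its task creation comes hours later.
SAMPLE_EVENTS = [
    Event(0,    "mailgw",      "WS07", "jdoe",   "phish_click"),
    Event(100,  "mailgw",      "WS12", "asmith", "phish_click"),
    Event(200,  "netflow",     "WS12", "asmith", "smb_to_server"),
    Event(600,  "wineventlog", "WS07", "jdoe",   "logon_success"),
    Event(900,  "netflow",     "WS07", "jdoe",   "smb_to_server"),
    Event(1500, "netflow",     "FS01", "svc_bk", "smb_to_server"),
    Event(2400, "wineventlog", "WS07", "jdoe",   "task_created"),
    Event(9000, "wineventlog", "WS12", "asmith", "task_created"),
]

PHISH_TO_PERSISTENCE = SequenceRule(
    name="phishing -> SMB lateral movement -> scheduled task",
    key=lambda e: e.host,
    stages=[
        lambda e: e.source == "mailgw" and e.kind == "phish_click",
        lambda e: e.source == "netflow" and e.kind == "smb_to_server",
        lambda e: e.source == "wineventlog" and e.kind == "task_created",
    ],
    window=3600,
)


def correlate(events: list[Event], rule: SequenceRule) -> list[dict]:
    """Advance one state machine per key; emit an alert when the last stage fires."""
    progress: dict[str, tuple[int, list[Event]]] = {}   # key -> (next stage, matched)
    alerts = []
    for event in sorted(events, key=lambda e: e.ts):
        key = rule.key(event)
        stage, matched = progress.get(key, (0, []))
        if matched and event.ts - matched[0].ts > rule.window:
            stage, matched = 0, []        # chain went stale: start over
        if rule.stages[stage](event):
            matched = matched + [event]
            stage += 1
            if stage == len(rule.stages):
                alerts.append({"rule": rule.name, "key": key,
                               "span": matched[-1].ts - matched[0].ts,
                               "chain": [f"{e.source}:{e.kind}" for e in matched]})
                stage, matched = 0, []
        progress[key] = (stage, matched)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, PHISH_TO_PERSISTENCE):
        print(f"{alert['key']}: {' -> '.join(alert['chain'])} within {alert['span']}s")
```

WS07 produces the single alert; WS12's chain expires before its task creation arrives, and FS01's SMB traffic never had a first stage. Commercial SIEMs express the same idea as "sequence" or "transaction" rules; the window is what keeps state bounded, and stages that need a count (the card's "failed login spike") are modelled by pre-aggregating those events into one synthetic event before they reach the sequence.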
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ DATA LOSS PREVENTION (DLP) │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy DLP to monitor outbound data │
│ transfers. Classify sensitive data │
│ (customer PII, source code, trade │
│ secrets). Block or alert on │
│ unauthorized transfers to cloud │
│ storage, email, USB, or external │
│ networks. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents SQL database exfiltration │
│ and bulk data theft. Detects │
│ unusual data access patterns. │
│ Enforces data security policies. │
│ Works best with strong authentication │
│ and encryption. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PASSWORD MANAGER & VAULT │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy enterprise password vault │
│ (CyberArk, HashiCorp Vault). Enforce │
│ strong unique passwords. Implement │
│ password rotation policies for │
│ service accounts. Enable audit │
│ logging for credential access. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents credential reuse attacks. │
│ Makes credential stuffing difficult.│
│ Provides audit trail for compliance │
│ and incident investigation. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ INTRUSION PREVENTION SYSTEM (IPS) │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy network-based IPS with │
│ exploit signatures. Monitor for │
│ known CVE exploitation patterns. │
│ Configure WAF (Web Application │
│ Firewall) rules for SQL injection, │
│ XSS, and other OWASP Top 10 attacks. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Blocks exploitation attempts in │
│ transit. Prevents watering hole and │
│ web exploit attacks. Most effective │
│ when combined with patching. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ THREAT INTELLIGENCE INTEGRATION │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasures: NETWORK, │
│ DATA EXFIL │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Subscribe to threat intelligence │
│ feeds (MISP, VirusTotal, AlienVault │
│ OTX). Integrate IOCs (Indicators of │
│ Compromise) into firewall, SIEM, │
│ and proxy. Participate in │
│ information sharing communities. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Enables faster detection of known │
│ malicious IPs and domains. │
│ Identifies emerging threats │
│ targeting your industry. Reduces │
│ detection time from days to minutes. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ THREAT HUNTING PROGRAM │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Establish proactive threat hunting │
│ using MITRE ATT&CK framework. │
│ Hunt for living-off-the-land │
│ techniques, anomalous processes, │
│ suspicious registry changes, and │
│ memory injection. Use automated │
│ tools (OSQuery, Velociraptor). │
├─────────────────────────────────────┤
│ EFFECT: │
│ Finds advanced attacks that bypass │
│ signature-based detection. Detects │
│ LSASS dumping, scheduled task │
│ persistence, and registry backdoors. │
│ Reduces dwell time significantly. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ MEMORY FORENSICS │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy memory capture and analysis │
│ (Volatility, Memoryze). Create │
│ memory images of suspicious systems.│
│ Analyze for credential dumping, │
│ injected code, and rootkits. Extract│
│ evidence for incident response. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects Mimikatz attacks and │
│ credential harvesting. Reveals │
│ attacker activities hidden from │
│ disk forensics. Critical for │
│ identifying advanced persistence │
│ mechanisms. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ DECEPTION TECHNOLOGY (HONEYPOTS) │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy decoy systems (fake file │
│ servers, databases, credentials) │
│ to detect lateral movement. Create │
│ canary tokens that alert when │
│ accessed. Deploy honeypots for web │
│ exploit detection. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Any access to honeypots indicates │
│ active compromise. Detects lateral │
│ movement with very few false │
│ positives (only scanners and │
│ misconfigured tools touch decoys). │
│ Slows attacker progress and forces │
│ reconnaissance, raising the odds of │
│ detection. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CREDENTIAL GUARD & SECURE BOOT │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Enable Windows Credential Guard so │
│ LSA secrets live in a VBS-isolated │
│ process (LSAIso) that LSASS itself │
│ cannot read. Implement UEFI Secure │
│ Boot to prevent bootkit attacks. │
│ Enable TPM attestation for device │
│ integrity validation. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Stops Mimikatz pulling domain │
│ hashes and Kerberos keys out of │
│ LSASS memory. Prevents bootloader │
│ manipulation. Ensures firmware │
│ integrity. Blocks entire classes of │
│ attacks targeting early boot stage. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ ADVANCED MALWARE SANDBOX │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy advanced sandboxing solution │
│ (Cuckoo, CAPE, Hybrid Analysis). │
│ Analyze suspicious files/URLs in │
│ isolated environments. Generate │
│ behavioral indicators and YARA │
│ rules. Share IOCs with threat intel.│
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects zero-day malware and unknown │
│ exploits. Analyzes evasion tactics. │
│ Generates detection rules for SIEM. │
│ Prevents spread of novel malware. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ ZERO TRUST ACCESS CONTROL │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Implement zero-trust architecture: │
│ verify every access request │
│ regardless of source. Deploy device │
│ identity, user identity, and │
│ behavior analytics. Implement │
│ conditional access policies. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Eliminates implicit trust based on │
│ network location. Even compromised │
│ devices cannot access sensitive │
│ resources without proper │
│ authentication and behavior │
│ validation. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CONTAINER SECURITY & ORCHESTRATION │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy container runtime security │
│ (Falco, Sysdig). Implement image │
│ scanning for vulnerabilities. Use │
│ policy enforcement engines (OPA/ │
│ Gatekeeper). Implement network │
│ policies for container │
│ segmentation. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects container escape attempts. │
│ Prevents vulnerable images from │
│ running. Limits lateral movement │
│ within containerized environments. │
│ Critical for modern cloud │
│ applications. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ SECURITY INFO & EVENT MGMT (SIEM) │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy enterprise SIEM (Splunk, │
│ ELK, QRadar). Centralize logs from │
│ all sources. Implement automated │
│ correlation rules, threat │
│ intelligence integration, and │
│ incident response workflows. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Provides centralized visibility │
│ into all security events. Enables │
│ rapid threat detection and │
│ investigation. Foundation for a │
│ mature incident response program. │
└─────────────────────────────────────┘
Distribution by Countermeasure (v2.2):
- SOCIAL ENGINEERING: 2 defenses (D-01, D-02)
- WEB EXPLOIT: 2 defenses (D-03, D-18)
- CREDENTIAL ABUSE: 4 defenses (D-07, D-12, D-16, D-20)
- MALWARE: 8 defenses (D-05, D-06, D-08, D-13, D-14, D-17, D-19, D-21)
- NETWORK: 7 defenses (D-04, D-09, D-10, D-15, D-22, D-23, D-24)
- DATA EXFIL: 2 defenses (D-11, D-24)
Note: 24 cards total. D-24 is dual-tagged (NETWORK + DATA EXFIL) and appears in both rows, so the vector rows sum to 25 tags across 24 cards.
The ideas below have been built out as printable expansion cards:
Supply chain attacks, insider threats, IoT device compromise, cloud API abuse, DNS tunneling, and physical security bypass — see ../expansion-deck/advanced-threats.md.
Application whitelisting, behavioral analytics, container security, cloud security posture management, response playbooks, and backup/DR variants — see ../expansion-deck/advanced-defenses.md.
Sample card sheets for Incident Zero board game
For complete game rules, see docs/rules/core-rules.md and docs/rules/module-incident-response.md
cards/incident-response/expansion-deck/advanced-threats.md
This document provides additional Threat Cards for expanding Incident Zero gameplay beyond the base 12-card deck. These cards introduce more sophisticated attack vectors and modern threat landscape scenarios.
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ COMPROMISED SOFTWARE VENDOR UPDATE │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your monitoring systems detect │
│ unusual outbound connections from │
│ a recently deployed software update │
│ to an IP address not associated │
│ with the vendor. The update was │
│ digitally signed but verification │
│ shows the signature was backdated. │
│ Hundreds of organizations received │
│ the same malicious update." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Supply chain compromises affect │
│ entire industries simultaneously. │
│ Organizations trust vendor updates │
│ and often deploy them automatically │
│ without deep inspection. The │
│ attacker gains access to thousands │
│ of targets at once. Real-world │
│ example: SolarWinds, 3CX. │
│ │
│ DETECTION DIFFICULTY: High │
│ The malware appears legitimate due │
│ to trusted vendor origin. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ MALICIOUS THIRD-PARTY LIBRARY │
│ INJECTION │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your dependency scanning tool │
│ alerts on a typosquatted NPM │
│ package (npm package manager) that │
│ was installed in your build │
│ pipeline. The malicious package has │
│ the same name as a popular logging │
│ library but with a slight misspelling. │
│ It has been downloaded 50k times. │
│ Your build logs show it was │
│ installed 6 days ago." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Developers rely on open-source │
│ packages from package managers │
│ (npm, PyPI, Maven). Attackers │
│ upload malicious packages with │
│ names similar to popular libraries │
│ (typosquatting). Once downloaded, │
│ the malicious code runs during │
│ build/deployment. This affects │
│ every application built from that │
│ point forward. │
│ │
│ DETECTION DIFFICULTY: High │
│ Requires dependency scanning and │
│ behavior analysis of build processes.│
└─────────────────────────────────────┘
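The typosquatting check this card describes can be approximated by comparing every resolved dependency name against a list of well-known packages and flagging near-misses. The block below is an added example written for this card; it is not part of the Incident Zero game files, and the popular-package list and dependency manifest in it are constructed sample data rather than real registry contents.

```python
"""Flag dependencies whose names are a near-miss of a well-known package.

Added example for the card above; not part of the Incident Zero game files.
POPULAR_PACKAGES and INSTALLED are constructed sample data.
"""

# Constructed list of package names the team has vetted and trusts.
POPULAR_PACKAGES = {"lodash", "express", "winston", "axios", "chalk", "moment"}

# Constructed dependency list as a build pipeline might have resolved it.
# "winstn" and "lodahs" are one or two keystrokes away from trusted names.
INSTALLED = ["express", "winstn", "lodahs", "axios", "left-pad", "chalk"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_typosquats(installed, popular, max_distance=2):
    """Return (installed_name, lookalike) pairs for names that are close to,
    but not identical to, a trusted package name. Exact matches are skipped:
    the check is about confusable names, not about the trusted packages."""
    hits = []
    for name in installed:
        if name in popular:
            continue
        for known in popular:
            if edit_distance(name, known) <= max_distance:
                hits.append((name, known))
    return hits


if __name__ == "__main__":
    for name, lookalike in find_typosquats(INSTALLED, POPULAR_PACKAGES):
        print(f"REVIEW: '{name}' resembles trusted package '{lookalike}'")
```

A distance threshold of 2 catches dropped, swapped and substituted characters while leaving genuinely different names such as `left-pad` alone; in a real pipeline the trusted list would come from the lockfile history rather than a hard-coded set.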
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ MALICIOUS INSIDER DATA THEFT │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: DATA EXFIL │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your DLP system flags a large │
│ volume of sensitive data being │
│ copied by an IT operations │
│ employee during off-hours. Their │
│ user account accessed databases │
│ they don't normally interact with. │
│ The data was copied to a removable │
│ USB drive connected to a shared │
│ workstation. Security badge logs │
│ show they entered the building at │
│ 2 AM when the office was empty." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Insiders have legitimate access and │
│ often bypass security controls. │
│ Their activities may not trigger │
│ alerts because their permissions │
│ are valid. Detection requires: │
│ - Behavioral analysis (unusual │
│ times/volumes) │
│ - Physical security controls │
│ - DLP and USB device control │
│ - Privileged access management │
│ Insiders cause 30-40% of data │
│ breaches in many industries. │
│ │
│ DETECTION DIFFICULTY: Very High │
│ Insider actions often look normal │
│ to automated systems. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ DISGRUNTLED EMPLOYEE SABOTAGE │
├─────────────────────────────────────┤
│ Step: PIVOT & ESCALATE │
│ Vector: MALWARE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "A recently terminated database │
│ administrator appears to have │
│ retained remote access using a │
│ dormant service account they │
│ created months ago. Logs show │
│ connection attempts from their │
│ home IP address. They've been │
│ modifying stored procedures and │
│ adding logic bombs set to trigger │
│ in 30 days. Your team notices │
│ their employee laptop is still │
│ configured with VPN certificates." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Disgruntled employees often have │
│ privileged access and deep system │
│ knowledge. They may have created │
│ backdoors before termination. │
│ Offboarding failures (not revoking │
│ certs, not disabling accounts) are │
│ common. Defense requires: │
│ - Complete offboarding procedures │
│ - Privileged access review │
│ - Anomalous activity detection │
│ - Behavior analysis for terminated │
│ employees │
│ │
│ DETECTION DIFFICULTY: High │
│ Requires correlation of access │
│ patterns and employee status changes.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ COMPROMISED IOT DEVICE AS PIVOT │
│ POINT │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: NETWORK │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your network monitoring detects │
│ unusual traffic from an IoT device │
│ (surveillance camera) in the │
│ building. The device is communicating│
│ with a command server overseas and │
│ tunneling internal network traffic. │
│ Your asset inventory shows this │
│ camera was never formally added to │
│ any security program. It's running │
│ firmware from 2019 with known │
│ vulnerabilities." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ IoT devices are often neglected in │
│ security programs (cameras, printers,│
│ thermostats, building automation). │
│ They run outdated firmware and have │
│ weak or default credentials. Once │
│ compromised, they provide network │
│ access and can pivot to critical │
│ systems. Many organizations don't │
│ inventory or monitor IoT devices. │
│ │
│ DETECTION DIFFICULTY: Medium │
│ Requires network monitoring and │
│ device inventory practices. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ CLOUD API TOKEN THEFT & ABUSE │
├─────────────────────────────────────┤
│ Step: PIVOT & ESCALATE │
│ Vector: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your AWS CloudTrail logs show API │
│ calls from unusual IP addresses │
│ using API keys belonging to a │
│ developer who left the company 6 │
│ months ago. The calls are creating │
│ new IAM users, accessing S3 buckets │
│ with customer data, and launching │
│ EC2 instances in regions where you │
│ don't normally operate. The API key │
│ was embedded in old GitHub │
│ repository code." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Cloud API tokens/keys are often │
│ exposed in code repositories or │
│ configuration files. Once exposed, │
│ they provide direct access to cloud │
│ resources. Attackers can spin up │
│ resources, steal data, or deploy │
│ cryptominers. Many organizations │
│ fail to rotate or revoke old API │
│ keys. Detection requires: │
│ - API audit logging │
│ - Anomalous API pattern detection │
│ - Key rotation policies │
│ - Secrets scanning in repos │
│ │
│ DETECTION DIFFICULTY: Medium-High │
│ Requires cloud monitoring and │
│ secrets management practices. │
└─────────────────────────────────────┘
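The clue on this card is exactly the kind of triage an analyst does over CloudTrail: group calls by access key, then ask whether the key belongs to someone who has left, whether the region is one the company uses, and whether the call creates new access or reads sensitive data. The block below is an added example for this card, not part of the Incident Zero game files; the records, key IDs (the `AKIAEXAMPLEKEY…` values are placeholders), IP addresses, bucket names and user names are all constructed.

```python
"""Triage CloudTrail-shaped records for API-key abuse indicators.

Added example for the card above; not part of the Incident Zero game files.
All records, key IDs, IPs, bucket and user names are constructed sample data.
"""
import json

# Constructed records in the shape of a CloudTrail log file (only the fields used).
RAW_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-19T09:14:07Z", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-builder",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-03-19T03:02:41Z", "eventName": "CreateUser",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alex",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2024-03-19T03:05:12Z", "eventName": "RunInstances",
     "awsRegion": "sa-east-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alex",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2024-03-19T03:06:30Z", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alex",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"},
     "requestParameters": {"bucketName": "customer-exports", "key": "2024/q1.csv"}},
]})

# Constructed context an analyst would pull from HR and cloud governance.
DEPARTED_USERS = {"dev-alex"}
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}
SENSITIVE_BUCKETS = {"customer-exports"}
# IAM write actions that create or extend access (persistence indicators).
PRIVILEGE_ACTIONS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                     "PutUserPolicy", "CreateLoginProfile"}


def triage_record(rec, departed, expected_regions, sensitive_buckets):
    """Return the list of reasons one record deserves analyst attention."""
    reasons = []
    ident = rec.get("userIdentity", {})
    if ident.get("userName") in departed:
        reasons.append("key-of-departed-user")
    if rec.get("awsRegion") not in expected_regions:
        reasons.append("unexpected-region")
    if rec.get("eventName") in PRIVILEGE_ACTIONS:
        reasons.append("iam-privilege-action")
    bucket = rec.get("requestParameters", {}).get("bucketName")
    if rec.get("eventName") == "GetObject" and bucket in sensitive_buckets:
        reasons.append("sensitive-bucket-read")
    return reasons


def triage_log(raw_json, departed=DEPARTED_USERS, expected_regions=EXPECTED_REGIONS,
               sensitive_buckets=SENSITIVE_BUCKETS):
    """Group findings by access key so the analyst sees one revocation target
    per credential instead of a flat list of alerts."""
    findings = {}
    for rec in json.loads(raw_json)["Records"]:
        reasons = triage_record(rec, departed, expected_regions, sensitive_buckets)
        if reasons:
            key = rec["userIdentity"]["accessKeyId"]
            findings.setdefault(key, []).append((rec["eventTime"], rec["eventName"], reasons))
    return findings


if __name__ == "__main__":
    for key, events in triage_log(RAW_LOG).items():
        print(f"revoke candidate {key}:")
        for when, action, why in events:
            print(f"  {when} {action}: {', '.join(why)}")
```

Keying the output on the access key rather than on the user matters in practice: the containment action is to deactivate that key (and rotate anything it could reach), and the timeline per key is what the incident report needs.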
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ DNS TUNNELING DATA EXFILTRATION │
├─────────────────────────────────────┤
│ Step: C2 & EXFIL │
│ Vector: DATA EXFIL │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your DNS query logs show massive │
│ volume of unusual subdomains being │
│ queried through an external DNS │
│ resolver. The subdomain names look │
│ like Base64-encoded data. Queries │
│ are happening in steady intervals. │
│ Query timestamps align with your │
│ database being accessed. Your DLP │
│ didn't flag anything because DNS is │
│ typically trusted." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ DNS tunneling encodes data in DNS │
│ queries to bypass firewalls and DLP │
│ systems. Organizations often allow │
│ DNS traffic without inspection. DNS │
│ queries are typically high-volume │
│ and hard to distinguish from normal │
│ activity. Attackers can exfil small │
│ amounts of data over weeks. │
│ Defense requires: │
│ - DNS query content analysis │
│ - Anomalous query pattern detection │
│ - DNS rate limiting │
│ - External DNS access restrictions │
│ │
│ DETECTION DIFFICULTY: Very High │
│ Requires specialized DNS monitoring │
│ tools and baseline analysis. │
└─────────────────────────────────────┘
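The detection approach this card lists (query content analysis plus anomalous pattern detection), and the "what would a normal DNS query pattern look like?" discussion point later in this deck, come down to a handful of per-domain statistics: how many distinct subdomains are queried, how long and how random-looking the labels are, and whether queries arrive on a fixed schedule. The block below is an added example that computes those statistics over a constructed resolver log; it is not part of the Incident Zero game files, and the log lines and domain names in it are made up. It treats the last two labels as the registered domain, which is a simplification (a real tool would consult the public suffix list).

```python
"""Profile DNS queries per registered domain to surface tunneling candidates.

Added example for the card above; not part of the Incident Zero game files.
DNS_LOG is a constructed resolver log; the domain names are invented.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: timestamp, client IP, record type, queried name.
DNS_LOG = """\
2024-03-19T02:00:01 10.0.4.21 A www.example.com
2024-03-19T02:00:03 10.0.4.21 A mail.example.com
2024-03-19T02:00:47 10.0.4.21 A www.example.com
2024-03-19T02:01:00 10.0.4.21 TXT QmVnaW4gY3VzdG9tZXIgZHVtcA.update-cdn.example
2024-03-19T02:01:30 10.0.4.21 TXT aWQsbmFtZSxlbWFpbCxzc24K.update-cdn.example
2024-03-19T02:02:00 10.0.4.21 TXT MTAwMSxKLiBEb2UsamRAZXgu.update-cdn.example
2024-03-19T02:02:30 10.0.4.21 TXT MTAwMixBLiBSb2UsYXJAZXgu.update-cdn.example
2024-03-19T02:03:00 10.0.4.21 TXT MTAwMyxQLiBQb2UscHBAZXgu.update-cdn.example
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Split each line into (time, client, type, registered_domain, prefix).
    Assumption: the registered domain is the last two labels. The prefix keeps
    its case because tunneling encodings are often case-sensitive."""
    rows = []
    for line in text.splitlines():
        ts, client, rtype, name = line.split()
        labels = name.rstrip(".").split(".")
        domain = ".".join(labels[-2:]).lower()
        prefix = ".".join(labels[:-2])
        rows.append((datetime.fromisoformat(ts), client, rtype, domain, prefix))
    return rows


def profile_domains(rows):
    """Per-domain statistics: volume, subdomain uniqueness, label length,
    label entropy and whether queries arrive at a near-constant interval."""
    by_domain = defaultdict(list)
    for ts, _client, _rtype, domain, prefix in rows:
        by_domain[domain].append((ts, prefix))
    profiles = {}
    for domain, items in by_domain.items():
        prefixes = [p for _, p in items]
        times = sorted(t for t, _ in items)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = False
        if len(gaps) >= 3 and statistics.mean(gaps) > 0:
            # Coefficient of variation near zero means a fixed beacon interval.
            periodic = statistics.pstdev(gaps) / statistics.mean(gaps) < 0.2
        profiles[domain] = {
            "queries": len(items),
            "unique_ratio": len(set(prefixes)) / len(items),
            "avg_label_len": sum(len(p) for p in prefixes) / len(items),
            "avg_entropy": sum(shannon_entropy(p) for p in prefixes) / len(items),
            "periodic": periodic,
        }
    return profiles


def suspected_tunnels(profiles, min_len=20, min_entropy=3.0, min_unique=0.8):
    """Domains whose subdomains are long, high-entropy and almost never repeat."""
    return sorted(d for d, p in profiles.items()
                  if p["avg_label_len"] >= min_len
                  and p["avg_entropy"] >= min_entropy
                  and p["unique_ratio"] >= min_unique)


if __name__ == "__main__":
    profiles = profile_domains(parse_log(DNS_LOG))
    for domain in suspected_tunnels(profiles):
        p = profiles[domain]
        print(f"{domain}: {p['queries']} queries, entropy {p['avg_entropy']:.2f}, "
              f"periodic={p['periodic']}")
```

The thresholds are starting points, not constants: the right values come from a baseline period over the organization's own resolver logs, which is what the card means by "baseline analysis".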
┌─────────────────────────────────────┐
│ THREAT CARD │
├─────────────────────────────────────┤
│ PHYSICAL ACCESS + BADGE CLONING │
│ ATTACK │
├─────────────────────────────────────┤
│ Step: INITIAL COMPROMISE │
│ Vector: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ CLUE FOR THREAT ORCHESTRATOR: │
│ "Your security team discovers that │
│ an RFID badge belonging to a │
│ manager was cloned using a portable │
│ reader. The cloned badge was used │
│ to gain access to your secure data │
│ center after-hours. Badge access │
│ logs are timestamped, but the │
│ person's schedule shows they weren't│
│ in the office that evening. Your │
│ server room CCTV captured footage │
│ of an unknown individual installing │
│ a wireless device in the network │
│ rack." │
├─────────────────────────────────────┤
│ WHY THIS WORKS: │
│ Physical security is often │
│ overlooked in cybersecurity │
│ programs. RFID badges can be cloned │
│ with inexpensive readers. Once │
│ inside the data center, attackers │
│ can install rogue network devices, │
│ steal hardware, or gain console │
│ access to servers. Defense requires:│
│ - Encrypted badge technology │
│ - Multi-factor access (biometric) │
│ - CCTV monitoring │
│ - Environmental controls │
│ - Equipment inventory tracking │
│ - Badge deactivation on exit │
│ │
│ DETECTION DIFFICULTY: High │
│ Requires integration of physical │
│ and cyber security monitoring. │
└─────────────────────────────────────┘
Teaches: Third-party risk management, vendor security assessment, incident response at scale
1. Compromised Software Vendor Update (Initial Compromise) → MALWARE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Scheduled Task Persistence (Persistence) → MALWARE
4. Beaconing to C2 Server (C2 & Exfil) → NETWORK
5. SQL Database Exfiltration (C2 & Exfil) → DATA EXFIL
Special Rule: Reveal this threat to 3+ teams (representing industry-wide detection). First team to detect gains +20 Budget (represents vendor advisory advantage).
Teaches: Insider risk detection, privileged access management, offboarding procedures
1. Disgruntled Employee Sabotage (Pivot & Escalate) → MALWARE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Mimikatz Credential Dumping (Pivot & Escalate) → CREDENTIAL ABUSE
4. Malicious Insider Data Theft (C2 & Exfil) → DATA EXFIL
Special Rule: The employee's offboarding checklist is partially incomplete. Teams get a -2 penalty to detect the first insider threat (represents delayed detection in real situations).
Teaches: IoT security, cloud security, API management, defense breadth
1. Compromised IoT Device as Pivot Point (Initial Compromise) → NETWORK
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Cloud API Token Theft & Abuse (Pivot & Escalate) → CREDENTIAL ABUSE
4. DNS Tunneling Data Exfiltration (C2 & Exfil) → DATA EXFIL
Parallel threat: Teams must defend both cloud and on-premises infrastructure simultaneously.
Teaches: Physical security integration, environmental controls, holistic security
1. Physical Access + Badge Cloning (Initial Compromise) → CREDENTIAL ABUSE
2. Lateral Movement via SMB (Pivot & Escalate) → NETWORK
3. Scheduled Task Persistence (Persistence) → MALWARE
4. Ransomware Payload Deployment (C2 & Exfil) → MALWARE
Special Rule: The first defense deployed must address the physical security aspect (badge systems, CCTV review, environmental controls). Teams get a narrative bonus: "Your physical security team noticed the intruder before full compromise."
Teaches: Complex attack coordination, detecting collusion, multi-vector threats
1. Malicious Third-Party Library Injection (Initial Compromise) → MALWARE
2. Disgruntled Employee Sabotage (Pivot & Escalate) → MALWARE
3. Cloud API Token Theft & Abuse (Pivot & Escalate) → CREDENTIAL ABUSE
4. DNS Tunneling Data Exfiltration (C2 & Exfil) → DATA EXFIL
5. Malicious Insider Data Theft (C2 & Exfil) → DATA EXFIL
Special Rule: Two threats must be revealed to understand the full scope (supply chain + insider collaboration). An incomplete investigation leads to missed detection of the insider component.
(v2.2) Entries now cite real card IDs from the core deck (D-01 to D-24) and expansion deck (D-25 to D-43, see advanced-defenses.md). Concepts without a printed card are marked (custom — not in deck) and make good custom-card projects.
Real-world context:
- SolarWinds (2020) - 18,000+ organizations affected
- 3CX (2023) - Trojanized build system
- XcodeGhost (2015) - Compromised Xcode developer tool
- Typosquatted packages discovered monthly on npm/PyPI
Discussion points after reveal:
- "How do you verify software authenticity?"
- "What's the difference between detecting supply chain compromises vs. traditional malware?"
- "Why is this harder to detect than direct attacks?"
Real-world context:
- ~30-40% of data breaches involve insiders (Verizon DBIR)
- Manning, Snowden, Reality Winner cases (government sector)
- Thousands of employee theft cases in financial/tech industries
Discussion points after reveal:
- "How would you detect insider threat indicators before damage occurs?"
- "Why is offboarding security often weak?"
- "What's the difference between a malicious insider and a negligent employee?"
Real-world context:
- Mirai botnet (2016) - Millions of compromised IoT devices
- Connected cameras, printers, thermostats often neglected
- "Shadow IT" problem in many organizations
Discussion points after reveal:
- "Should IoT devices be on the same network as critical systems?"
- "How do you patch thousands of IoT devices?"
- "Why are credentials often factory-default on IoT?"
Real-world context:
- AWS credentials leaked in GitHub ~8 times per day (GitHub telemetry)
- Tesla's Kubernetes cluster hacked via exposed credentials
- Capital One breach involved a compromised IAM role
Discussion points after reveal:
- "How do you manage API keys for thousands of developers?"
- "Why is secrets rotation hard in practice?"
- "How would you know if someone used your AWS API key?"
Real-world context:
- Used by DNS.Exfiltrator, OilRig APT, Turla malware families
- Hard to detect because DNS is typically trusted
- Can exfil ~20 KB/hour via subdomains
Discussion points after reveal:
- "Why is DNS hard to monitor?"
- "What would a normal DNS query pattern look like?"
- "How would you distinguish data exfil from normal DNS activity?"
Real-world context:
- RFID cloning demonstrated on hotel keys, building badges
- Rogue network devices found in data centers (Target breach had a physical component)
- USB drops with malware remain effective attack vectors
Discussion points after reveal:
- "Should cybersecurity teams care about physical security?"
- "How do you audit data center access?"
- "What's harder to defend: cyber or physical attacks?"
| Card | Title | Step | Vector | Difficulty |
|---|---|---|---|---|
| T-13 | Compromised Software Vendor Update | INITIAL | MALWARE | Hard |
| T-14 | Malicious Third-Party Library Injection | INITIAL | MALWARE | Medium |
| T-15 | Malicious Insider Data Theft | C2 & EXFIL | DATA EXFIL | Very Hard |
| T-16 | Disgruntled Employee Sabotage | PIVOT & ESCALATE | MALWARE | Hard |
| T-17 | Compromised IoT Device as Pivot Point | INITIAL | NETWORK | Medium |
| T-18 | Cloud API Token Theft & Abuse | PIVOT & ESCALATE | CREDENTIAL ABUSE | Hard |
| T-19 | DNS Tunneling Data Exfiltration | C2 & EXFIL | DATA EXFIL | Very Hard |
| T-20 | Physical Access + Badge Cloning | INITIAL | CREDENTIAL ABUSE | Hard |
Expansion Threat Card Set for Incident Zero
Use these cards to add modern threat scenarios to your game
For discussion and teaching notes, see above sections
cards/incident-response/expansion-deck/advanced-defenses.md
This document provides additional Defense Cards for expanding Incident Zero gameplay beyond the base 24-card deck. These cards introduce modern security architectures and advanced defensive capabilities that complement the base game.
Note (v2.2): These expansion defenses were renumbered from D-19–D-37 to D-25–D-43 to avoid colliding with core deck cards D-19–D-24 (see ../core-deck/threat-defense-cards.md).
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ APPLICATION WHITELISTING │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy application whitelisting on │
│ critical workstations and servers. │
│ Maintain an approved applications │
│ list (Word, Excel, Chrome, etc.). │
│ Block execution of any unapproved │
│ binaries. Use AppLocker (Windows) │
│ or similar tools. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents execution of malware and │
│ unauthorized tools. Attackers cannot│
│ run ransomware, backdoors, or │
│ penetration tools if they're not on │
│ the whitelist. Effective against │
│ zero-days if not signed by trusted │
│ publishers. │
│ │
│ LIMITATION: False positives if │
│ maintenance is poor. Users may │
│ struggle with legitimate tools │
│ being blocked. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ ADVANCED APPLICATION CONTROL WITH AI│
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy AI-powered application │
│ control that learns normal program │
│ execution patterns. System builds a │
│ baseline of legitimate applications │
│ and automatically flags deviations. │
│ Prevents execution of suspicious │
│ or anomalous applications. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Combines whitelisting with behavior │
│ analysis. Adapts to legitimate new │
│ applications without manual updates.│
│ Catches polymorphic malware variants│
│ that might bypass static whitelisting│
│ (different packing, slight name │
│ changes). Reduces false positives. │
│ │
│ LEARNING CURVE: Requires baseline │
│ training period (1-2 weeks). │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ LIVING-OFF-THE-LAND BLOCKER │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy advanced script and tool │
│ control that restricts execution of │
│ PowerShell, WScript, cmd.exe, and │
│ other "living-off-the-land" tools. │
│ Allow only specific, monitored usage│
│ with strong justification logging. │
│ Monitor for obfuscation patterns. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Directly targets attacker techniques│
│ used in privilege escalation and │
│ lateral movement (scheduled tasks, │
│ registry modification, credential │
│ dumping). Makes PowerShell and cmd │
│ attacks extremely difficult. │
│ Works especially well with EDR. │
│ │
│ IMPACT: May break legitimate admin │
│ tasks; requires strong change │
│ management. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ BASELINE BEHAVIOR LEARNING SYSTEM │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy behavioral analytics that │
│ establishes baseline profiles for │
│ users, systems, and network traffic.│
│ System learns what "normal" looks │
│ like, then alerts on deviations. │
│ Monitors: login times, file access, │
│ network destinations, resource usage.│
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects anomalies like: │
│ - Unusual login geography/time │
│ - Data access patterns changing │
│ - Lateral movement via SMB │
│ - New network destinations │
│ Works best as a *combination* with │
│ other tools. Requires good baseline │
│ data (1-2 weeks of normal traffic). │
│ │
│ DETECTS: Insider threats, │
│ compromised credentials, APT tactics.│
└─────────────────────────────────────┘
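This card and the "Malicious Insider Data Theft" threat card in the expansion threat deck describe the same mechanism from two sides: learn what is normal for each user (hours, systems touched, volume), then score new activity against that profile so that an account with perfectly valid permissions can still raise an alert. The block below is an added example of that per-user baseline, not part of the Incident Zero game files; the user name, timestamps, database names and row counts are constructed.

```python
"""Per-user baseline of access hours, resources and volume, with deviation scoring.

Added example for the card above and the insider-theft threat card;
not part of the Incident Zero game files. All events are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed learning-period events: (user, timestamp, resource, rows touched).
BASELINE_EVENTS = [
    ("ops_jane", "2024-03-04T09:12:00", "ticketing_db", 120),
    ("ops_jane", "2024-03-05T10:40:00", "ticketing_db", 95),
    ("ops_jane", "2024-03-06T14:05:00", "asset_inventory", 60),
    ("ops_jane", "2024-03-07T11:30:00", "ticketing_db", 130),
    ("ops_jane", "2024-03-08T16:20:00", "asset_inventory", 40),
]

# Constructed events to score: one ordinary, one matching the insider clue
# (2 AM, a database the user never touches, a bulk copy).
NEW_EVENTS = [
    ("ops_jane", "2024-03-18T10:05:00", "ticketing_db", 110),
    ("ops_jane", "2024-03-19T02:14:00", "customer_pii_db", 48000),
]


def build_baseline(events):
    """Profile each user: hours seen active, resources used, row counts."""
    profile = defaultdict(lambda: {"hours": set(), "resources": set(), "rows": []})
    for user, ts, resource, rows in events:
        p = profile[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["resources"].add(resource)
        p["rows"].append(rows)
    return profile


def score_event(profile, event, volume_factor=5):
    """Return the list of ways an event deviates from the user's baseline."""
    user, ts, resource, rows = event
    p = profile.get(user)
    if p is None:
        return ["unknown-user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # Allow an hour either side of observed activity to absorb normal drift.
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        reasons.append("off-hours")
    if resource not in p["resources"]:
        reasons.append("new-resource")
    if rows > volume_factor * max(p["rows"]):
        reasons.append("volume-spike")
    return reasons


def alerts(profile, events, min_reasons=2):
    """Raise an alert only when several independent deviations coincide;
    any single one on its own is usually just a busy day."""
    out = []
    for event in events:
        reasons = score_event(profile, event)
        if len(reasons) >= min_reasons:
            out.append((event[0], event[1], reasons))
    return out


if __name__ == "__main__":
    profile = build_baseline(BASELINE_EVENTS)
    for user, when, why in alerts(profile, NEW_EVENTS):
        print(f"ALERT {user} at {when}: {', '.join(why)}")
```

Requiring two or more coinciding deviations is the practical answer to the card's "works best as a combination" note: off-hours logins alone generate constant noise, while off-hours plus a never-before-seen database plus a bulk read is the pattern worth a human's time.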
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PROCESS BEHAVIOR ANALYSIS │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy process-level behavioral │
│ monitoring that learns what each │
│ application normally does (file I/O,│
│ network calls, registry access, │
│ child processes spawned). Blocks │
│ anomalous behavior from legitimate │
│ binaries. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Catches: │
│ - Legitimate apps compromised by │
│ supply chain attack │
│ - Process injection attacks │
│ - Unexpected child process creation │
│ - Anomalous registry/file writes │
│ Example: Word.exe normally doesn't │
│ spawn PowerShell; if it does, block │
│ and alert. │
│ │
│ DETECTS: Zero-day malware, APT │
│ techniques, supply chain compromises.│
└─────────────────────────────────────┘
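The card's own example (Word normally does not spawn PowerShell) is a parent/child process policy, and it is easy to make concrete. The block below is an added example of such a policy applied to process-creation events, not part of the Incident Zero game files; the learned baseline, file paths and command lines in it are constructed, shaped loosely like what an EDR or Sysmon process-creation record carries.

```python
"""Parent/child process policy: flag or block children a parent never spawns.

Added example for the card above; not part of the Incident Zero game files.
The baseline and the events are constructed sample data.
"""
import ntpath

# Constructed baseline: child binaries each parent was observed launching
# during the learning period (a real product learns this from telemetry).
BASELINE = {
    "winword.exe": {"splwow64.exe"},
    "explorer.exe": {"powershell.exe", "notepad.exe", "chrome.exe"},
    "firefox.exe": {"firefox.exe"},
    "services.exe": {"svchost.exe"},
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line switches that legitimate interactive use rarely needs.
OBFUSCATION_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-nop")

# Constructed process-creation events.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "child": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64-PLACEHOLDER"},
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "child": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe -contentproc"},
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Users\jdoe\AppData\Local\Temp\setup_helper.exe",
     "cmdline": "setup_helper.exe"},
]


def basename(path: str) -> str:
    """Lower-case file name from a Windows path; ntpath works on any host."""
    return ntpath.basename(path).lower()


def evaluate(event, baseline=BASELINE):
    """Return (decision, reasons) where decision is allow, alert or block."""
    parent, child = basename(event["parent"]), basename(event["child"])
    cmdline = event["cmdline"].lower()
    reasons = []
    if child not in baseline.get(parent, set()):
        reasons.append("unexpected-child")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append("office-spawns-script-host")
    if any(flag in cmdline for flag in OBFUSCATION_FLAGS):
        reasons.append("obfuscated-cmdline")

    if "office-spawns-script-host" in reasons or (
            "unexpected-child" in reasons and "obfuscated-cmdline" in reasons):
        return "block", reasons
    if reasons:
        return "alert", reasons
    return "allow", reasons


if __name__ == "__main__":
    for event in EVENTS:
        decision, why = evaluate(event)
        print(f"{decision:5} {basename(event['parent'])} -> {basename(event['child'])}"
              f"{'  (' + ', '.join(why) + ')' if why else ''}")
```

Note the two tiers: an unknown child under Explorer is only an alert, because users do install things, while an Office application launching a script host is blocked outright regardless of command line, which is the rule the card states.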
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ MACHINE LEARNING ANOMALY DETECTION │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy ML models trained on terabytes│
│ of security data. System detects │
│ subtle anomalies humans would miss: │
│ subtle timing changes, rare resource│
│ combinations, statistical outliers. │
│ Continuously retrains on new data. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Catches advanced attacks that bypass│
│ signature and rule-based systems. │
│ Detects: │
│ - Polymorphic malware variations │
│ - Advanced persistent threats (APT) │
│ - Zero-day exploits (by behavior) │
│ - Sophisticated insider threats │
│ - Supply chain compromises │
│ │
│ TRADE-OFF: False positives require │
│ human analysis. Requires large │
│ datasets for training. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CONTAINER IMAGE SCANNING │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Scan all container images before │
│ deployment for known vulnerabilities│
│ and malicious packages. Integrate │
│ scanning into CI/CD pipeline. │
│ Block images with critical CVEs │
│ from being deployed. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents deployment of vulnerable │
│ containers. Catches: │
│ - Old base images with known CVEs │
│ - Malicious packages in dependencies│
│ - Secrets accidentally baked into │
│ images │
│ Works best when combined with │
│ runtime monitoring. │
│ │
│ LIMITATION: Only catches known │
│ vulnerabilities (CVE databases). │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CONTAINER RUNTIME PROTECTION │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy runtime security monitoring │
│ that enforces security policies on │
│ running containers. Monitor syscalls│
│ (system calls), network connections,│
│ and file access. Enforce AppArmor │
│ or SELinux profiles. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects and blocks: │
│ - Container escape attempts │
│ - Lateral movement between containers│
│ - Privilege escalation in container │
│ - Anomalous process execution │
│ - Unexpected network connections │
│ Works against both known and unknown│
│ attacks (zero-day exploits). │
│ │
│ REQUIREMENT: Requires kernel-level │
│ instrumentation; varies by platform.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ KUBERNETES NETWORK POLICY & RBAC │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: NETWORK │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Implement Kubernetes network policies│
│ to restrict container-to-container │
│ communication. Deploy role-based │
│ access control (RBAC) for API access│
│ and service accounts. Enforce pod │
│ security policies and admission │
│ controllers. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Implements micro-segmentation in │
│ containerized environments. Prevents:│
│ - Lateral movement between pods │
│ - Container escape attacks accessing │
│ host network │
│ - Privilege escalation via RBAC │
│ - Unauthorized Kubernetes API access│
│ │
│ COMPLEXITY: Requires mature │
│ Kubernetes operations and expertise. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CLOUD CONFIGURATION AUDITING │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy continuous cloud configuration│
│ monitoring (AWS Config, Azure Policy│
│ Manager, GCP Cloud Asset Inventory).│
│ Scan for misconfigured resources: │
│ - Public S3 buckets │
│ - Overly permissive IAM policies │
│ - Unencrypted databases │
│ - Open security groups │
├─────────────────────────────────────┤
│ EFFECT: │
│ Detects misconfigurations that allow│
│ unauthorized access: │
│ - Public database access │
│ - Exposed credentials in configs │
│ - Overly broad IAM permissions │
│ - Disabled encryption/logging │
│ Alert on drift from secure baseline.│
│ │
│ LIMITATION: Only catches known │
│ misconfiguration patterns. │
└─────────────────────────────────────┘
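The misconfiguration checks listed on this card can be expressed as rules over an inventory snapshot. The block below is an added example that evaluates a constructed snapshot (bucket policies, security group rules and database settings) against those rules; it is not part of the Incident Zero game files, and the bucket, group and database identifiers in it are invented.

```python
"""Evaluate a cloud inventory snapshot against a small secure-configuration baseline.

Added example for the card above; not part of the Incident Zero game files.
SNAPSHOT is constructed sample data; the shapes mimic, but do not reproduce,
provider inventory output.
"""

ADMIN_PORTS = {22, 3389}
WORLD = ("0.0.0.0/0", "::/0")

# Constructed inventory snapshot.
SNAPSHOT = {
    "s3_buckets": [
        {"name": "public-assets", "tags": {},
         "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                   "Action": "s3:GetObject",
                                   "Resource": "arn:aws:s3:::public-assets/*"}]}},
        {"name": "customer-exports", "tags": {"data_class": "confidential"},
         "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                                   "Action": ["s3:GetObject", "s3:ListBucket"],
                                   "Resource": "arn:aws:s3:::customer-exports/*"}]}},
        {"name": "internal-logs", "tags": {}, "policy": None},
    ],
    "security_groups": [
        {"id": "sg-0aaa", "ingress": [{"port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-0bbb", "ingress": [{"port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"},
                                      {"port_from": 0, "port_to": 65535, "cidr": "10.0.0.0/8"}]},
    ],
    "rds_instances": [
        {"id": "orders-db", "encrypted": False, "publicly_accessible": True},
        {"id": "reports-db", "encrypted": True, "publicly_accessible": False},
    ],
}


def _principal_is_public(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def audit_buckets(buckets):
    """Flag buckets whose policy grants access to everyone without a Condition.
    Severity rises with the data classification tag."""
    findings = []
    for bucket in buckets:
        policy = bucket.get("policy") or {}
        for stmt in policy.get("Statement", []):
            if (stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))
                    and "Condition" not in stmt):
                severity = "high" if bucket.get("tags", {}).get("data_class") == "confidential" else "medium"
                findings.append(("s3-public-policy", bucket["name"], severity))
                break
    return findings


def audit_security_groups(groups):
    """Flag world-reachable administrative ports or fully open groups."""
    findings = []
    for group in groups:
        for rule in group["ingress"]:
            if rule["cidr"] not in WORLD:
                continue
            if rule["port_from"] == 0 and rule["port_to"] == 65535:
                findings.append(("sg-all-ports-open", group["id"], "high"))
            elif any(rule["port_from"] <= p <= rule["port_to"] for p in ADMIN_PORTS):
                findings.append(("sg-admin-port-open", group["id"], "high"))
    return findings


def audit_databases(instances):
    """Flag unencrypted or internet-facing database instances."""
    findings = []
    for db in instances:
        if not db["encrypted"]:
            findings.append(("rds-unencrypted", db["id"], "medium"))
        if db["publicly_accessible"]:
            findings.append(("rds-public", db["id"], "high"))
    return findings


def audit(snapshot):
    """Run every rule and return (rule, resource, severity) triples."""
    return (audit_buckets(snapshot["s3_buckets"])
            + audit_security_groups(snapshot["security_groups"])
            + audit_databases(snapshot["rds_instances"]))


if __name__ == "__main__":
    for rule, resource, severity in audit(SNAPSHOT):
        print(f"[{severity:6}] {rule}: {resource}")
```

Running the same rules on every snapshot and diffing the results is what the card calls alerting on drift: a bucket that was private yesterday and public today is the finding that matters most.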
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CLOUD ACCESS & PERMISSION AUDITING │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Audit all IAM roles, service │
│ accounts, and API credentials for │
│ over-privilege. Implement least- │
│ privilege access. Regularly review │
│ who has what permissions. Detect │
│ and revoke unused credentials. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Prevents attackers from leveraging: │
│ - Exposed API keys with broad │
│ permissions │
│ - Service accounts with admin access│
│ - Stale credentials from departed │
│ employees │
│ - Cross-account trust abuse │
│ Reduces blast radius if credentials │
│ are compromised. │
│ │
│ REQUIRES: Strong governance process │
│ to maintain least-privilege state. │
└─────────────────────────────────────┘
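"Detect and revoke unused credentials" is a scheduled report, not a one-off: age every active key by last use and last rotation, cross-check the owner against the leaver list, and hand the result to whoever owns the revocation. The block below is an added example of that report over a constructed CSV whose column names follow the AWS IAM credential report layout (only a subset of columns is included); it is not part of the Incident Zero game files, and the users, account ID and dates are made up.

```python
"""Age IAM access keys from a credential-report-shaped CSV and list revoke candidates.

Added example for the card above; not part of the Incident Zero game files.
REPORT_CSV is constructed; the column names follow the AWS credential report
layout but only the columns used here are present.
"""
import csv
import io
from datetime import datetime, timezone

REPORT_CSV = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-builder,arn:aws:iam::111122223333:user/ci-builder,true,2024-02-01T00:00:00+00:00,2024-03-18T22:10:00+00:00,false,N/A,N/A
dev-alex,arn:aws:iam::111122223333:user/dev-alex,true,2022-06-10T00:00:00+00:00,2024-03-19T03:02:00+00:00,false,N/A,N/A
svc-reports,arn:aws:iam::111122223333:user/svc-reports,true,2023-01-15T00:00:00+00:00,2023-11-02T08:00:00+00:00,true,2023-01-15T00:00:00+00:00,N/A
"""

# Constructed leaver list and a fixed "as of" time so the report is deterministic.
DEPARTED_USERS = {"dev-alex"}
AS_OF = datetime(2024, 3, 19, 12, 0, tzinfo=timezone.utc)


def _days_since(value, now):
    """Days between an ISO timestamp and now, or None for the report's N/A marker."""
    if value in ("N/A", "", None):
        return None
    return (now - datetime.fromisoformat(value)).days


def find_stale_keys(report_csv, departed=DEPARTED_USERS, now=AS_OF,
                    max_unused_days=90, max_age_days=365):
    """Return (user, key_slot, reasons) for every active key that should be
    reviewed: owner has left, key never or long unused, or rotation overdue."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            reasons = []
            if row["user"] in departed:
                reasons.append("departed-user")
            unused = _days_since(row[f"access_key_{slot}_last_used_date"], now)
            if unused is None:
                reasons.append("never-used")
            elif unused > max_unused_days:
                reasons.append(f"unused-{max_unused_days}d")
            age = _days_since(row[f"access_key_{slot}_last_rotated"], now)
            if age is not None and age > max_age_days:
                reasons.append("rotation-overdue")
            if reasons:
                findings.append((row["user"], slot, reasons))
    return findings


if __name__ == "__main__":
    for user, slot, why in find_stale_keys(REPORT_CSV):
        print(f"{user} key {slot}: {', '.join(why)}")
```

A key that is active and used yesterday by a user who left six months ago is the worst line on this report, which is why the leaver check comes first and is not softened by recent activity.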
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ CLOUD COMPLIANCE & AUDIT TRAIL │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Enable comprehensive cloud audit │
│ logging (CloudTrail, Stackdriver, │
│ Activity Monitor). Forward all logs │
│ to immutable, centralized storage. │
│ Monitor for unauthorized API calls, │
│ data access, and resource changes. │
│ Enable MFA Delete on audit logs. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Provides forensic trail for: │
│ - Detecting API token abuse │
│ - Investigating data exfiltration │
│ - Compliance reporting │
│ - Incident response timeline │
│ Prevents attackers from covering │
│ tracks (immutable logs). Enables │
│ rapid investigation of cloud API │
│ compromises. │
│ │
│ COST: High storage requirements. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PLAYBOOK: RANSOMWARE RESPONSE │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Pre-built, tested ransomware response│
│ playbook covering: │
│ - Immediate network isolation steps │
│ - Communication procedures │
│ - Forensic data collection │
│ - Restoration procedures │
│ - Stakeholder notifications │
│ Train incident response team on │
│ playbook annually. │
├─────────────────────────────────────┤
│ EFFECT: │
│ During Phase 2 or when ransomware │
│ is detected: │
│ Get +4 bonus to defense rolls when │
│ responding to ransomware threats. │
│ Reduces response time, limiting │
│ damage. │
│ │
│ EDUCATIONAL VALUE: Teaches incident │
│ response process and coordination. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PLAYBOOK: CREDENTIAL COMPROMISE │
│ RESPONSE │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: CREDENTIAL ABUSE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Pre-built playbook for credential │
│ compromise scenarios: │
│ - Identify affected accounts │
│ - Forced password reset procedures │
│ - Session invalidation │
│ - MFA re-enrollment process │
│ - Forensic user activity review │
│ - Privileged account audit │
├─────────────────────────────────────┤
│ EFFECT: │
│ When investigating compromised │
│ credentials: │
│ Get +4 bonus to defense rolls. │
│ Allows rapid containment before │
│ lateral movement occurs. │
│ │
│ EXAMPLE USE: During "Mimikatz │
│ Credential Dumping" threat, playbook│
│ helps isolate affected accounts. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PLAYBOOK: INSIDER THREAT RESPONSE │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: DATA EXFIL │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Comprehensive insider threat │
│ response playbook including: │
│ - HR coordination protocols │
│ - Legal review and preservation │
│ - Forensic evidence collection │
│ - Physical security response │
│ - System access removal procedures │
│ - Communication to management │
│ Requires cross-functional team │
│ coordination. │
├─────────────────────────────────────┤
│ EFFECT: │
│ When responding to insider threats: │
│ Get +5 bonus to defense rolls. │
│ Requires strong organizational │
│ processes to be effective. │
│ │
│ EXAMPLE USE: When "Malicious │
│ Insider Data Theft" is detected, │
│ playbook coordinates response across │
│ security, HR, legal, and executives.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ PLAYBOOK: SUPPLY CHAIN BREACH │
│ RESPONSE │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: WEB EXPLOIT │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Specialized playbook for supply │
│ chain compromises: │
│ - Vendor notification procedures │
│ - Industry coordination │
│ - Affected system inventory │
│ - Patch deployment prioritization │
│ - Third-party impact assessment │
│ - Public communication strategy │
├─────────────────────────────────────┤
│ EFFECT: │
│ During Phase 2 when defending │
│ against supply chain attacks: │
│ Get +5 bonus to defense rolls. │
│ Requires vendor relationships and │
│ industry collaboration. │
│ │
│ LEARNING: Teaches that supply chain │
│ incidents require industry response.│
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ BACKUP STRATEGY - 3-2-1 RULE │
│ (BASIC - 10 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Implement the 3-2-1 backup rule: │
│ - 3 copies of data │
│ - 2 different media types │
│ - 1 copy offline/offsite │
│ Regular backup verification testing.│
│ Document retention and recovery RPO/│
│ RTO (Recovery Point/Time Objectives).│
├─────────────────────────────────────┤
│ EFFECT: │
│ If ransomware encrypts data: │
│ Recovery becomes possible without │
│ paying ransom. Offline backups │
│ ensure attacker cannot delete them. │
│ Reduces ransomware attack impact │
│ significantly. │
│ │
│ LIMITATION: Only effective if │
│ backups are regularly tested and │
│ truly offline. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ IMMUTABLE BACKUP STORAGE │
│ (ADVANCED - 15 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Deploy backup storage with WORM │
│ (Write-Once-Read-Many) protection. │
│ Once backups are written, they │
│ cannot be modified or deleted, │
│ even by administrators. Implement │
│ MFA Delete on storage. Use air-gapped│
│ backup network. │
├─────────────────────────────────────┤
│ EFFECT: │
│ Even if attacker gains admin access │
│ or compromises backup system: │
│ Backups remain protected and │
│ unmodifiable. Enables guaranteed │
│ recovery. Works against double- │
│ extortion ransomware attacks. │
│ │
│ COST: Higher storage cost for │
│ immutable solutions. │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ DEFENSE CARD │
├─────────────────────────────────────┤
│ DISASTER RECOVERY PLAN & TESTING │
│ (ELITE - 25 Budget) │
├─────────────────────────────────────┤
│ Countermeasure: MALWARE │
├─────────────────────────────────────┤
│ DESCRIPTION: │
│ Establish comprehensive disaster │
│ recovery plan (DRP) including: │
│ - Failover procedures │
│ - Alternate site readiness │
│ - Recovery procedures (step-by-step)│
│ - Communication protocols │
│ - Key personnel contacts │
│ Conduct quarterly DRP drills and │
│ recovery testing. │
├─────────────────────────────────────┤
│ EFFECT: │
│ During ransomware or supply chain │
│ attacks: │
│ Get +3 bonus to all defense rolls │
│ after initial containment. Enables │
│ business continuity. │
│ │
│ EDUCATIONAL VALUE: Teaches business │
│ continuity planning and resilience. │
└─────────────────────────────────────┘
Against Supply Chain Attacks (T-13, T-14):
- D-31: Container Image Scanning
- D-29: Process Behavior Analysis (catches apps compromised by supply chain attacks)
- D-40: Playbook: Supply Chain Breach Response

Against Insider Threats (T-15, T-16):
- D-28: Baseline Behavior Learning System
- D-29: Process Behavior Analysis
- D-39: Playbook: Insider Threat Response

Against IoT Compromise (T-17):
- D-25: Application Whitelisting
- D-31: Container Image Scanning (if containerized)
- D-28: Baseline Behavior Learning System

Against Cloud API Abuse (T-18):
- D-34: Cloud Configuration Auditing
- D-35: Cloud Access & Permission Auditing
- D-36: Cloud Compliance & Audit Trail

Against DNS Tunneling (T-19):
- D-28: Baseline Behavior Learning System (network baseline)
- D-30: Machine Learning Anomaly Detection

Against Physical Security Bypass (T-20):
- D-28: Baseline Behavior Learning System (detection)
- D-38: Playbook: Credential Compromise Response

Against Ransomware (T-11, supply chain variants):
- D-41: Backup Strategy - 3-2-1 Rule
- D-42: Immutable Backup Storage
- D-43: Disaster Recovery Plan & Testing
- D-37: Playbook: Ransomware Response
Starting Budget: 150 | Turn Limit: 7 (one action per turn; up to 2 BASIC defenses may be deployed as one action)

- Turn 1 (Foundation): D-34 Cloud Configuration Auditing (10) + D-25 Application Whitelisting (10) — Quick-Win pair → 20 spent
- Turn 2 (Foundation): D-41 Backup Strategy - 3-2-1 Rule (10) + D-31 Container Image Scanning (10) — Quick-Win pair → 40 spent
- Turn 3 (Advanced Layer): D-28 Baseline Behavior Learning System (15) → 55 spent
- Turn 4 (Advanced Layer): D-32 Container Runtime Protection (15) → 70 spent
- Turn 5 (Advanced Layer): D-35 Cloud Access & Permission Auditing (15) → 85 spent
- Turn 6 (Preparation): Create MALWARE playbook (10) → 95 spent
- Turn 7 (Expert Layer): D-36 Cloud Compliance & Audit Trail (25) → 120 spent, 30 remaining

Final Security Score Calculation (v2.2 formula):
- (8 defenses deployed × 5) = 40 points
- (0 hardening upgrades × 2) = 0 points
- (1 playbook × 10) = 10 points
- (3 of 4 pentester tactics defended × 5) = 15 points
- Budget efficiency: (30 / 150) × 10 = 2 points
- Total: 67 points (Strong defense-in-depth — Victory: score ≥ 60, ≥ 4 defenses, majority of tactics defended)
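A Threat Orchestrator checking end-of-game scores by hand can make arithmetic slips, so here is the v2.2 Hardening formula above implemented as a small scorer with the victory check. This is an added example, not code from the Incident Zero bundle; the walkthrough's numbers are used as the sample input. One assumption is labelled in the code: the page only shows an exact budget-efficiency case (30/150 × 10 = 2), so fractional results are floored here.

```python
"""Hardening module scorer (v2.2 formula) - added example, not part of the game bundle."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HardeningResult:
    """End-of-game tallies a Threat Orchestrator reads off the tracker sheet."""
    defenses_deployed: int
    hardening_upgrades: int
    playbooks: int
    tactics_defended: int
    tactics_drawn: int
    budget_remaining: int
    starting_budget: int = 150  # Hardening module's starting budget


def score_breakdown(r: HardeningResult) -> dict:
    """Return each scoring term of the v2.2 formula so players can audit the total."""
    if r.tactics_defended > r.tactics_drawn or r.budget_remaining > r.starting_budget:
        raise ValueError("tally is inconsistent with the tracker sheet")
    return {
        "defenses": r.defenses_deployed * 5,
        "upgrades": r.hardening_upgrades * 2,
        "playbooks": r.playbooks * 10,
        "tactics": r.tactics_defended * 5,
        # ASSUMPTION: the page only shows an exact case, so partial points are floored.
        "budget_efficiency": (r.budget_remaining * 10) // r.starting_budget,
    }


def security_score(r: HardeningResult) -> int:
    """Total points under the v2.2 formula."""
    return sum(score_breakdown(r).values())


def is_victory(r: HardeningResult) -> bool:
    """Victory needs score >= 60, at least 4 defenses, and a majority of tactics defended."""
    majority = r.tactics_defended * 2 > r.tactics_drawn
    return security_score(r) >= 60 and r.defenses_deployed >= 4 and majority


# Sample input constructed from the Turn 1-7 walkthrough above.
WALKTHROUGH = HardeningResult(
    defenses_deployed=8,
    hardening_upgrades=0,
    playbooks=1,
    tactics_defended=3,
    tactics_drawn=4,
    budget_remaining=30,
)

if __name__ == "__main__":
    for term, pts in score_breakdown(WALKTHROUGH).items():
        print(f"{term:>18}: {pts}")
    print("total:", security_score(WALKTHROUGH), "victory:", is_victory(WALKTHROUGH))
```

Running it reproduces the walkthrough (40 + 0 + 10 + 15 + 2 = 67, victory). Changing `defenses_deployed` to 3 or `tactics_defended` to 2 shows why the two side conditions exist: a high score alone is not a win if the table skipped deploying defenses or lost most tactic rolls.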
When a Pentester Tactic Card (PT-01 to PT-08, see ../../hardening/core-deck/pentester-tactic-cards.md) is drawn during a Hardening phase, these expansion defenses may be chosen as the single resolving defense. Use the bonus below as the chosen defense's printed bonus in the canonical formula (d20 + printed bonus + upgrades + playbook vs. the tactic's DC):
Why it matters:
- Stops 90%+ of malware variants if properly configured
- "Defense in depth" - cheap to start, expensive to perfect
- Trade-off: Security vs. usability (users can't run unauthorized apps)

Real-world context:
- Used by government agencies and financial institutions
- Apple's approach (iOS/macOS sandboxing)
- Increasingly common in "zero trust" architectures

Discussion points:
- "What's blocked by living-off-the-land blocker that regular whitelisting isn't?"
- "Why is adoption slow despite effectiveness?"

Why it matters:
- Catches attacks that don't match known signatures
- Foundation for modern threat detection
- Requires "normal" baseline to be effective

Real-world context:
- Splunk, Elastic, Sentinel use behavioral analytics
- UEBA systems detect insider threats
- Process behavior monitoring by CrowdStrike, Falcon, Tanium

Discussion points:
- "What counts as 'abnormal' and who decides?"
- "How do you build a baseline without including attacks?"
- "Why can't signature-based antivirus do this?"

Why it matters:
- Container environments have unique attack surfaces
- Rapid deployment means traditional approaches fail
- Network segmentation at container level is powerful

Real-world context:
- Kubernetes is now the standard container orchestrator
- Docker/container adoption is 90%+ in enterprises
- Container escape vulnerabilities (runc, containerd, etc.)

Discussion points:
- "How is container security different from VM security?"
- "Why is network policy critical in Kubernetes?"
- "What's an example of a container escape attack?"

Why it matters:
- Cloud misconfigurations are leading breach cause
- Shared responsibility model confuses organizations
- API-driven access requires different monitoring

Real-world context:
- Hundreds of millions exposed via public S3 buckets
- Capital One breach: misconfigured WAF
- Equifax: unpatched open-source component in cloud environment

Discussion points:
- "Who's responsible for cloud security: vendor or organization?"
- "How do you audit permissions when there are 1000s of IAM roles?"
- "Why is 'least privilege' hard to achieve in practice?"

Why it matters:
- Pre-planning reduces response time significantly
- Coordination across teams is critical
- Written procedures prevent panic decisions

Real-world context:
- Organizations without playbooks average 9+ month detection time
- With playbooks, average drops to 3-4 months
- Playbooks required by HIPAA, PCI-DSS, NIST frameworks

Discussion points:
- "Who should be involved in ransomware response?"
- "How do you balance forensics with business recovery?"
- "Why test playbooks if you hope to never use them?"

Why it matters:
- Ransomware made backups critical (not just compliance)
- Recovery is often cheapest way to respond to attacks
- Immutable backups prevent attacker deletion

Real-world context:
- Many ransomware attacks double-extort (steal + encrypt)
- Immutable backups became critical after backup deletion attacks
- AWS S3, Azure Blob WORM protection adopted widely

Discussion points:
- "Can backups be targeted by attackers?"
- "What's the difference between backup and disaster recovery?"
- "Why would immutable backups be controversial?"
| Card | Title | Tier | Budget | Countermeasure |
|---|---|---|---|---|
| D-25 | Application Whitelisting | BASIC | 10 | MALWARE |
| D-26 | Advanced Application Control with AI | ADVANCED | 15 | MALWARE |
| D-27 | Living-Off-The-Land Blocker | ELITE | 25 | MALWARE |
| D-28 | Baseline Behavior Learning System | ADVANCED | 15 | NETWORK |
| D-29 | Process Behavior Analysis | ADVANCED | 15 | MALWARE |
| D-30 | Machine Learning Anomaly Detection | ELITE | 25 | MALWARE |
| D-31 | Container Image Scanning | BASIC | 10 | MALWARE |
| D-32 | Container Runtime Protection | ADVANCED | 15 | MALWARE |
| D-33 | Kubernetes Network Policy & RBAC | ELITE | 25 | NETWORK |
| D-34 | Cloud Configuration Auditing | BASIC | 10 | CREDENTIAL ABUSE |
| D-35 | Cloud Access & Permission Auditing | ADVANCED | 15 | CREDENTIAL ABUSE |
| D-36 | Cloud Compliance & Audit Trail | ELITE | 25 | DATA EXFIL |
| D-37 | Playbook: Ransomware Response | ADVANCED | 15 | MALWARE |
| D-38 | Playbook: Credential Compromise Response | ADVANCED | 15 | CREDENTIAL ABUSE |
| D-39 | Playbook: Insider Threat Response | ELITE | 25 | DATA EXFIL |
| D-40 | Playbook: Supply Chain Breach Response | ELITE | 25 | WEB EXPLOIT |
| D-41 | Backup Strategy - 3-2-1 Rule | BASIC | 10 | MALWARE |
| D-42 | Immutable Backup Storage | ADVANCED | 15 | MALWARE |
| D-43 | Disaster Recovery Plan & Testing | ELITE | 25 | MALWARE |
Total Expansion Cards: 19 (D-25 to D-43)
Budget Range: 10 (BASIC) to 25 (ELITE)
Distribution: 4 BASIC (D-25, D-31, D-34, D-41), 8 ADVANCED (D-26, D-28, D-29, D-32, D-35, D-37, D-38, D-42), 7 ELITE (D-27, D-30, D-33, D-36, D-39, D-40, D-43)

Setup:
- 5-card threat chain (mix of base + expansion threats)
- Starting Budget: 120
- Turn Limit: 11 [(5 × 2) + 1, per core rules §3a]

Incident Response Attack Chain Example:
1. Compromised Software Vendor Update (T-13) → MALWARE
2. Lateral Movement via SMB (T-04) → NETWORK
3. Cloud API Token Theft (T-18) → CREDENTIAL ABUSE
4. Disgruntled Employee Sabotage (T-16) → MALWARE
5. Data Exfiltration (T-19: DNS Tunneling) → DATA EXFIL

Incident Response Recommended Defense Starting Hand:
- D-31: Container Image Scanning (10)
- D-28: Baseline Behavior Learning System (15)
- D-34: Cloud Configuration Auditing (10)
- D-35: Cloud Access & Permission Auditing (15)
- D-37: Playbook: Ransomware Response (15) - reusable

Hardening Strategy:
- Deploy D-32, D-33 for container security
- Deploy D-36 for cloud audit trails
- Deploy D-30 for insider threat detection
- Prepare D-39 playbook for insider coordination

Pentester Tactics to Draw (Hardening):
1. PT-07: Supply Chain Compromise (countered by D-31, D-40)
2. PT-02: Malware Evasion - Living-off-the-Land (countered by D-27, D-30)
3. PT-09: Multi-Vector Attack, expansion (countered by D-33, D-35)

Total Threats: 20
Base Defense Cards: 24

Recommended Play: Use subsets based on experience level
- Beginners: Base deck only
- Intermediate: Base + 4 expansion threats (choose scenario)
- Advanced: Base + all expansion cards
Expansion Defense Card Set for Incident Zero
Use these cards to add modern security controls to your game
For integration guides and teaching notes, see above sections
cards/print-templates/tracker-sheets.md
Version: 2.2 - Playtest Edition
Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.
Cross off as each turn ends. Circle your turn limit before starting.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]
Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.
150 145 140 135 130 125 120 115 110 105 100 95 90 85 80 75
70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
100 95 90 85 80 75 70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
0 1 2 3 4 5
[ ] [ ] [ ] [ ] [ ] [ ] Penalty at start of turn: -5 Budget each
Advance each meter per card effects. Victory thresholds marked ▲.
ATTRIBUTION 0 10 20 30 40 50 60 70 80 90▲ 100
TIMELINE 0 10 20 30 40 50 60 70 80▲ 90 100
ATTACK CHAIN 0 10 20 30 40 50 60 70 80▲ 90 100
CHAIN OF CUSTODY 0 10 20 30 40 50 60 70▲ 80 90 100
Victory check (end of game):
- V1 Full Attribution: Attribution ≥90 AND Timeline ≥80
- V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70
- V3 Partial Findings: any two meters ≥70

Investigation in flight: ____ (results arrive Turn _)

Evidence collected (✓ = Analyzed, one Analyze per card):
| Evidence card | Documented? (+5% CoC) | Analyzed? |
|---|---|---|
INVESTIGATION 0 10 20 30 40 50 60 70 80 90 100
REMEDIATION 0 10 20 30 40 50 60 70 80 90 100
COMMUNICATION 0 10 20 30 40 50 60 70 80 90 100
| Stakeholder | 100 | 80 | 60 | 40 | 20 (critical) | 0 (LOSS) |
|---|---|---|---|---|---|---|
| Customers | ||||||
| Employees | ||||||
| Regulators | ||||||
| Board / Investors | ||||||
| Media / Public | ||||||
| Turn | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Scheduled event | ||||||||
| Deadline | Customers notified (recommended) | Regulator penalties begin | GDPR 72h — regulators notified |
Multi-turn action in flight: ____ (completes Turn _)
| # | Domain | Stars (1-5) | PASS (3★+) / FAIL (1-2★) | Key gap found |
|---|---|---|---|---|
| 1 | Network Segmentation | |||
| 2 | Identity & Access | |||
| 3 | Detection & Monitoring | |||
| 4 | Backup & Recovery | |||
| 5 | Cloud Security | |||
| 6 | Security Operations | |||
Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).
| Category | Points | Notes |
|---|---|---|
| Requirements met | per requirement card | |
| Security coverage | per rules scoring table | |
| Capability coverage | per rules scoring table | |
| Budget management | per rules scoring table | |
| TOTAL | | |
Components placed:
| Component | Cost | Capacity used / total |
|---|---|---|
Budget remaining: ___ / starting ___