Network Building — Print & Play Bundle · v2.2 Playtest Edition
A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0
Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.
docs/HOW_TO_PLAY.md
Version: 2.2 - Playtest Edition Read time: ~15 minutes. First game: ~45 minutes.
This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.
Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.
The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.
There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.
Every module runs on the same engine:
roll + modifiers ≥ 11.The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:
Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)
The three actions (Blue Team picks ONE per turn):
| Action | Cost | On success (roll+mods ≥ 11) |
|---|---|---|
| Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed! |
| Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = defense stays on the table and gives +2 to future rolls against any link matching its vector |
| Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty) |
The pressure (TO applies at the START of each turn): - Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not) - Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)
When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).
TURN 1. TO: "Start of turn: one attacker action is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?" Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name." TO: "That's a real methodology and a real tool — +2 and +1. Roll." Rolls 9. 9+3 = 12 ≥ 11 — success. TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago." (First success on this link — clue only. Budget: 95 - 5 = 90.)
TURN 2. TO: "Active Breach Cost, minus 5. Budget: 85." Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs." TO: "+2, +1. Roll." Rolls 10. 13 ≥ 11 — second success on the same link. TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward." Team takes Budget Grant: 85 - 5 + 10 = 90.
TURN 3. TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went." From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)
Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?
Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.
| You want... | Read |
|---|---|
| You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens |
| Exact rules for a module | docs/rules/ — core + one file per module |
| Solo/standalone setup for any module | docs/standalone-games/ |
| Every card, indexed | cards/CARD_REFERENCE.md |
| To run a playtest and report back | docs/playtesting/ |
| Variable game length & difficulty tiers | core-rules §3a |
Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR) IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15 IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+ Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150
docs/TO_GUIDE.md
Version: 2.2 - Playtest Edition Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.
The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute:
If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.
A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.
The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.
+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing. - ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated) - ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic) - ❌ "We investigate the email server thoroughly." (a location is not a method)
+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE. - ✅ "Check LSASS access events — that's Mimikatz behavior, T1003." - ❌ "We use our security tools." (no it isn't)
Rulings that keep it fair: - Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0. - Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game. - Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics"). - Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change. - One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").
Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.
| Easier (pick 1-2) | Harder (pick 1-2) |
|---|---|
| Richer clues (more specific detail per success) | Vaguer clues (accurate but terse) |
| Suggest an angle through the fiction | Expert-mode justification bar |
| Shorter chain / lower tier next game | Longer chain, expansion cards |
| Beginner budgets (module max) | Minimum budgets |
Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.
| Failure | Symptom | Fix |
|---|---|---|
| The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief |
| The Softie | Everyone always gets +2 | Re-read §4; require the mechanism |
| The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation |
| The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route |
| The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers |
| The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is |
Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.
docs/rules/core-rules.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO) (the facilitator), while all other players form Blue Teams (the Defenders).
Players choose which module(s) to play based on learning objectives:
Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.
Represent attacker actions. Each card includes:
- Title: e.g., "Phishing Campaign"
- Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
- Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
- Clue: Descriptive text for the Threat Orchestrator
- Why This Works: Educational explanation (revealed after discovery)
Deck Composition: - 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md) - 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)
Represent security controls. Each card includes: - Title: e.g., "Multi-Factor Authentication" - Countermeasure Vector: One of the six attack vectors - Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget) - Description: What the defense does and when it applies
Deck Composition: - 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md) - 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)
Examples: - BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget) - ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget) - ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)
Represent sophisticated attack techniques used in Hardening module (and potentially others).
8 Core Tactics (PT-01 to PT-08): 1. PT-01: Social Engineering - Pretexting Attack 2. PT-02: Malware Evasion - Living-off-the-Land Technique 3. PT-03: Credential Dumping - Mimikatz Attack 4. PT-04: Lateral Movement - Network Traversal 5. PT-05: Privilege Escalation - Unpatched Kernel Exploit 6. PT-06: Data Exfiltration - Unmonitored Channel 7. PT-07: Supply Chain Compromise - Trusted Software Update 8. PT-08: Insider Threat - Malicious Administrator
See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.
Simple cards providing scenario context. Examples: - Email Server - Customer Database - Domain Controller - Web Application - Backup System - Developer Workstation
Physical Components: - One 20-sided die (d20) - Turn Tracker (paper or board, counts 1-12+) - Budget Tracker (shows 0-150+) - Reputation/Security Score Tracker (shows 0-100) - Uncontained Threats Tracker (shows 0-5) - Tokens or counters (for tracking upgrades, penalties)
Optional: - Score sheets (printable or paper) - Playbook tracking sheet - Stakeholder communication log (for Disaster Recovery)
When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.
How It Works:
1. Player announces action and parameters
2. Player rolls 1d20 (one 20-sided die)
3. Compare result to target number (usually 11+) plus modifiers
4. Success if: roll + modifiers ≥ target number
Example:
Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)
What is Budget? Abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.
Budget Allocation by Module: - Network Building: Start at 40-60 (by difficulty; see module rules) - Hardening: Start at 150 (or carry over from IR) - Incident Response: Start at 100 - Disaster Recovery: Start at 50 (emergency fund) - Forensics: Start at 75 - Audit & Compliance: Start at 100 (used only for optional remediation cards)
Budget Spending: - Investigate action: 5 Budget - Deploy Defense: 10/15/25 Budget (by tier) - Emergency Response (IR): 15 Budget (v2.2; was 25) - Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed - Harden Upgrade (Hardening): 5 Budget - Create Playbook (Hardening): 10 Budget - Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0) - Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0
Budget = 0: Team loses (cannot take further actions)
Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.
Turns represent: Time passing in the game world (6 hours, 30 minutes, or abstract unit depending on module)
Turn Sequence: 1. Start of Turn: Penalties applied, trackers announced 2. Planning Phase: Team discusses strategy (2-3 min) 3. Action Phase: Execute chosen action, resolve rolls 4. End of Turn: Advance tracker, draw card, check events
Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.
Default Formula: (Attack Chain Cards × 2) + 1
This gives attackers enough time to progress realistically while keeping games manageable:
| Attack Chain | Formula | Turn Count | Session Duration |
|---|---|---|---|
| 3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play |
| 4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play |
| 5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play |
| 6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play |
How to Use Default Formula: 1. Choose number of threat cards in attack chain (3, 4, 5, or 6) 2. Apply formula: (Cards × 2) + 1 = Turn Count 3. Announce turn count to Blue Team 4. Play game normally with that turn limit
Example Setup:
"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"
Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:
Step 1: Select Attack Complexity Tier
| Tier | Turn Base | Attack Profile | Example |
|---|---|---|---|
| TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools |
| TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group |
| TIER 3 | 11-13 | Highly sophisticated | APT with operational security |
| TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group |
Step 2: Add Randomness (Optional)
Roll 1d4 for variation: - Roll 1: -1 turn (tight timeline) - Roll 2 or 3: ±0 turns (no change) - Roll 4: +1 turn (extended dwell time)
Final Turn Count = Tier Base + d4 Result
Example Advanced Setup:
"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."
These rules protect game balance and prevent metagaming:
The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.
Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.
Example Scenarios: - TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic) - TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)
When Chaos Feels Realistic: - Tight timeline: "The attacker worked faster than expected—they had prior knowledge" - Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"
Implementation: Lean into the randomness as realistic incident variability.
The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.
Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).
What Players CAN Ask: - "What are the suspicious network events?" (leads to understanding threats) - "Can we analyze the malware?" (reveals attacker sophistication through findings) - "Why did this attack succeed?" (post-game discussion)
What Players CANNOT Ask: - "Is this a TIER 2 attack?" (deriving tier from turn count) - "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)
Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.
The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.
When to Use (Rare): - Scenario setup is unusually complex (multiple attack vectors, coordination across systems) - Player group is new and needs slightly easier conditions - Real-world incident being taught had specific timeline constraints
When NOT to Use (Prefer Random): - "The roll feels unlucky" (accept the chaos) - "I want this exactly 10 turns" (let dice decide) - "The attack chain is long so it should take longer" (that's what TIER system handles)
Implementation: 1. Roll d4 normally 2. Announce rolled result 3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why 4. Document the override for consistency in future scenarios
Example Valid Use:
"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have 5-card attack chain, so I'm adding +1 modifier (explaining the discovery is methodical). Final: 8-10 turns."
Example Invalid Use:
"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)
For Beginners (Use Default Formula): - [ ] Choose attack chain length (3, 4, 5, or 6 cards) - [ ] Calculate: (Cards × 2) + 1 - [ ] Announce turn count - [ ] Play
For Advanced (Use Tier + d4): - [ ] Select TIER (1, 2, 3, or 4) - [ ] Announce TIER basis (not the number, just why it's that complexity) - [ ] Roll d4 for variation (hidden or public, your choice) - [ ] Calculate final turn count - [ ] Apply Rule 3 modifier if genuinely needed (rare) - [ ] Announce final turn count WITHOUT revealing tier
Default Formula: Turn Count = (Attack Cards × 2) + 1
Tier System: - TIER 1: 5-7 turns (simple) - TIER 2: 8-10 turns (standard) - TIER 3: 11-13 turns (advanced) - TIER 4: 14-16 turns (expert) - Add d4 roll: -1, 0, 0, or +1
Golden Rules: 1. Accept any roll (embrace chaos) 2. Never reveal tier to players 3. Modifier authority only when truly needed (rare)
All modules use the same modifier system for consistency:
Awarded when a player provides clear, specific reasoning for their action using real security concepts.
Examples: - "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds" - "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques" - "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"
Criteria: - References specific tools (Splunk, EDR, SIEM, etc.) - Explains methodology (why this approach works) - Shows understanding of the threat being addressed
Awarded when player references actual security tools or real attack/defense techniques.
Examples: - "We'll use Wireshark to analyze the network traffic" - "We're checking for Mimikatz usage in memory" - "We're reviewing EDR telemetry" - "We're looking for this specific CVE exploitation pattern"
Criteria: - References real tools (Wireshark, EDR, Splunk, etc.) - References real techniques (MITRE ATT&CK, specific CVEs) - Shows awareness of how things actually work
When Applied: Incident Response module only, applied at START of each turn
How It Works: 1. When a threat card is revealed, add 1 to Uncontained Threats Tracker 2. At START of each turn, deduct 5 Budget per uncontained threat 3. When next card in chain is revealed, previous threat is auto-mitigated (-1 from tracker) 4. When Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)
Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.
Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.
Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden):
Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: Lateral Movement revealed → Phishing auto-mitigated (Uncontained = 1)
Turn 3: START → Deduct 5 Budget
Turn 4: Emergency Response on Lateral Movement (15 Budget) → Uncontained Threats = 0
Responsibilities: - Manage game state and track turns/budget - Describe scenarios and outcomes - Roll dice when action outcomes are uncertain - Guide the narrative
During Incident Response: - Create and manage hidden attack chain - Provide clues based on successful investigations - Control Uncontained Threats penalties - Be fair but challenging
During Other Modules: - Describe threat context and defenses - Draw Pentester Tactic cards (Hardening) - Manage timeline and deadlines (Disaster Recovery) - Guide debrief questions
Universal Tips: - Explain why actions succeed or fail - Ask clarifying questions about player strategy - Balance challenge with learning - Provide constructive feedback
Responsibilities: - Discuss strategy as a team - Choose one action per turn - Justify your decisions (gain +2 modifier) - Manage budget carefully - Learn from success and failure
Key Rule: Modifiers are additive and can stack.
Example (Hardening Module, canonical formula — v2.2):
Pentester Tactic: PT-02 Living-off-the-Land (DC 13)
Defense roll = d20
+ printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
+ hardening upgrades on that defense (+2 each; one upgrade: +2)
+ relevant playbook (+3)
Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS
Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.
| Length | Difficulty | Best For |
|---|---|---|
| 3 cards | Beginner | Learning mechanics, 30 min sessions |
| 4 cards | Intermediate | Standard play, 40 min sessions |
| 5 cards | Advanced | Challenge play, full kill chain |
| Budget | Difficulty | Best For |
|---|---|---|
| 60 | Hard | Resource scarcity, tough choices |
| 100 | Standard | Balanced play, most scenarios |
| 150+ | Easy | Strategic depth, multiple options |
| Turns | Difficulty | Best For |
|---|---|---|
| 8 | Hard | Time pressure, fast play |
| 10 | Standard | Balanced, most scenarios |
| 12 | Easy | Exploration, learning |
Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.
| Module | Primary Learning | Secondary Learning |
|---|---|---|
| Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response |
| Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture |
| Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost |
| Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling |
| Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping |
| Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization |
| Mechanic | What It Teaches |
|---|---|
| d20 roll system | Uncertainty, risk, informed decision-making |
| Budget constraints | Resource allocation, prioritization |
| Justification bonuses | Technical reasoning, tools/techniques knowledge |
| Uncontained Threats penalty | Urgency, cost of dwell time |
| Pentester Tactics | Attacker sophistication, defense limitations |
| Playbook system | Preparation, incident response planning |
| Scoring systems | Outcome measurement, quality assessment |
Implementation: - Same setup for all teams - Teams cannot share information (Incident Response) - Score comparison determines winner (Hardening) - Reputation comparison (Disaster Recovery)
Every module should include a 5-15 minute debrief with three sections:
Too Easy Signs: - Team reveals all cards/achieves goal with 40+ budget remaining - No failed rolls - No meaningful decisions required - Team is bored
Too Hard Signs: - Team is stuck/making no progress after 5 turns - Multiple consecutive failed rolls - Team frustrated rather than challenged - No learning happening
Adjustment Options: - Easier: Provide better clues, more starting budget, fewer tactics - Harder: Less specific clues, lower budget, more tactics - Faster: Shorter turn limits, simpler scenarios - Slower: More turns, more complex scenarios
For complete card descriptions, see: - Base Threat & Defense Cards cards/incident-response/core-deck/threat-defense-cards.md - Expansion Threats cards/incident-response/expansion-deck/advanced-threats.md - Expansion Defenses cards/incident-response/expansion-deck/advanced-defenses.md - All decks indexed cards/CARD_REFERENCE.md
For complete rules on each module:
For your first game: 1. Choose a module from Module Combinations 2. Read the module-specific rules 3. Read the standalone setup guide 4. Prepare your scenario 5. Play!
For multiple modules: 1. Refer to Module Combinations for recommended sequences 2. Refer to FRAMEWORK.md for modifier generation procedures 3. Play first module, generate modifiers for next 4. Continue as desired
Incident Zero: Core Rules & Mechanics v2.1 - Balanced & Refined Edition Universal rules for all modules
docs/rules/module-network-building.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
The Network Building Module teaches players how to design IT infrastructure under budget constraints, business requirements, and trade-off decisions. This is a pre-game module designed to create the network context for other modules (particularly Incident Response, Hardening, and Disaster Recovery).
Key Concept: Architecture decisions create vulnerabilities that are discovered during investigations and audits. Bad decisions made here cost more money later.
Module Teaches: - Primary: Network architecture, infrastructure design, security trade-offs - Secondary: Budget prioritization, business vs. security balance, intentional/accidental vulnerabilities
Integration Point: - Network Building can be played standalone OR as setup for Incident Response/Hardening/Disaster Recovery modules - When combined with other modules, the network design created here becomes the context for those modules (see module-combinations.md)
| Difficulty | Budget | Recommended Use |
|---|---|---|
| Beginner | 60 | Learning networks; roomier budget, easier trade-offs |
| Standard | 50 | Balanced play, typical scenario |
| Advanced | 40 | Tight budget; hard trade-offs, strategic depth |
Budget represents: Time, money, and resources for infrastructure design
(v2.2) More budget = easier. Beginner gets the most budget; Advanced gets the least.
Narrative Framing:
"Your organization is building or rebuilding its IT infrastructure. You have limited budget and must support 500 employees with core business functions. Every decision will affect your security posture when this network is tested. Make smart trade-offs."
Key Point: Teams don't know yet which decisions will matter most. Some budget is "wasted" on nice-to-haves, some on security that (hopefully) won't be needed.
Components fall into 5 categories:
| Server Type | Cost | Capacity | Function | Security Notes |
|---|---|---|---|---|
| Email Server | 8 | 1 | Email system | Internet-facing; phishing target |
| Web Server | 7 | 1 | Public website | Internet-facing; exploit target |
| Database Server | 10 | 1 | Customer data | High-value target; access control critical |
| File Server | 6 | 2 | File storage | Often over-privileged; lateral movement point |
| Domain Controller | 12 | 2 | User identity (AD/Kerberos) | Critical; full compromise if breached |
| Development Server | 5 | 3 | Dev/testing environment | Weak security; staging ground for attacks |
| Backup Server | 9 | 1 | Data backup | Should be isolated; ransomware recovery |
| Cloud Workload | 4 | 2 | General cloud compute | Less control; API/credential exposure |
| Legacy System | 3 | 1 | Old/unmaintained system | High exploitability; hard to patch |
| Honeypot Decoy | 7 | 1 | Detection trap | Detects attackers; wastes attacker time |
Capacity Rules: - Each server can host a certain number of services (shown in Capacity column) - Services = business functions (email, web, database, identity, file storage, etc.) - Can OVERLOAD a server (put more services than capacity allows) to save budget, but creates risk
| Device Type | Cost | Function | Gameplay Effect |
|---|---|---|---|
| Firewall | 12 | Perimeter defense | Blocks traffic between network zones |
| Intrusion Detection (IDS) | 10 | Network monitoring | Detects lateral movement (+1 investigation modifier in IR) |
| Intrusion Prevention (IPS) | 14 | Network blocking | Blocks exploits passively |
| Load Balancer | 8 | Traffic distribution | Improves availability without extra capacity |
| VPN Gateway | 9 | Remote access | Enables secure remote work; attack surface if weak |
| Email Gateway | 6 | Email filtering | Stops phishing; reduces SOCIAL_ENGINEERING risk |
| Web Application Firewall (WAF) | 11 | App-level defense | Protects web servers from app attacks |
| Network Segmentation Switch | 10 | Microsegmentation | Creates isolated network zones |
| SIEM System | 15 | Centralized logging | Logs everything; helps IR investigations (+1 to Investigate in IR module) |
| Honeypot Network | 8 | Detection | Detects lateral movement; wastes attacker time |
How servers are logically organized and connected:
| Decision | Cost | Security Impact | Notes |
|---|---|---|---|
| Flat Network | 0 | No segmentation | All servers on same network; vulnerable but simple |
| Segmented Network (3 zones) | 5 | Basic isolation | Separate DMZ, Internal, Sensitive zones |
| Fully Isolated (multiple firewalls) | 12 | Strong isolation | Each zone protected; expensive but resilient |
| Cloud Hybrid (on-prem + cloud) | 8 | Complex | Adds cloud security considerations |
| Cloud First (mostly cloud) | 6 | Different attack surface | Less on-prem; more cloud API risk |
Architecture decisions are NON-NEGOTIABLE - teams must pick one to organize their network.
Teams MUST satisfy every Required item by end of game. Recommended items are not mandatory, but skipping one is recorded as a gap (and costs points at scoring).
| Requirement | Status | Satisfied By | Notes |
|---|---|---|---|
| Required | Email Server, OR hosted on a Cloud Workload | Non-negotiable | |
| Web Presence | Required | Web Server, OR hosted on a Cloud Workload | Online business |
| Customer Database | Required | Database Server, OR hosted on a Cloud Workload | Cloud-hosting the crown jewels is a recorded risk |
| User Identity (AD/Kerberos) | Required | Domain Controller | No substitute |
| Disaster Recovery (Backup) | Required (v2.2) | Backup Server | No backup = automatic FAIL on this requirement, recorded as a CRITICAL gap (not an instant game loss) |
| File Storage | Recommended (v2.2) | File Server, OR spare capacity/overload on another server | Gap if missing |
| Development/Testing | Recommended (v2.2) | Dev Server, OR overload another server | Overloading a server for dev is explicitly allowed |
| Remote Work VPN | Recommended (v2.2) | VPN Gateway | Gap if missing: risky remote-access workarounds |
Key Rule: Required items are fixed. Teams must find places to host them, even if it means cloud-hosting or overloading servers.
Affordability Check (v2.2) — the Required list fits every difficulty:
Physical location of infrastructure:
| Model | Cost | Notes |
|---|---|---|
| Self-Hosted (On-Premises) | 0 | Team controls; responsibility for patching |
| Cloud-Hosted (AWS/Azure/GCP) | 0 | Provider controls; less direct control |
| Hybrid | 0 | Mix of on-prem and cloud; complex |
Teams take 5 "Build Turns" (~3-4 minutes each to discuss and decide).
Each turn is a design-review phase (v2.2): the team may take any number of actions — place as many components as they can afford — before ending the turn. Turns are not a one-purchase limit; they are checkpoints where the design gets stress-tested.
Between turns, the Threat Orchestrator reveals a development: draw one Operational Event or Business Requirement card from the standalone decks (cards/network-building/standalone/), or narrate one (a stakeholder demand, a vendor issue, a budget change). This gives teams a reason to revisit the design each turn.
Available actions:
Cost: Server cost (3-12 Budget) Effect: Add server to infrastructure
How It Works: 1. Choose a server card 2. Decide which business services it will host 3. Pay the cost 4. Track remaining budget
Example: "We're placing a Domain Controller on-premises (12 Budget). It will host user identity, with a spare capacity slot for file storage. Remaining budget: 38."
Constraints: - Duplicates allowed (v2.2): you may deploy more than one server of the same type; each copy costs full price - Can't host a required service on a server that doesn't exist - Can OVERLOAD servers (see Overload Mechanic below)
Cost: Device cost (6-15 Budget) Effect: Add network defense or monitoring
How It Works: 1. Choose a security device card 2. Describe which servers/zones it protects 3. Pay the cost 4. Track placement on network diagram
Example Turn: "We're deploying a Firewall between our DMZ and Internal network (12 Budget). This blocks unauthorized traffic between zones. Remaining budget: 26."
Cost: Architecture cost (0-12 Budget) Effect: Determine how servers logically connect
How It Works: 1. Choose one architecture type (only ONE per game) 2. Describe zone organization 3. Pay the cost 4. Document on network diagram
Example Turn: "We're implementing a Segmented Network with 3 zones (5 Budget): - DMZ: Email and Web servers (internet-facing) - Internal: File servers and user workstations - Sensitive: Database and Domain Controller Remaining budget: 21."
Cost: Usually 0 (some cloud strategies cost money) Effect: Determines where infrastructure physically lives
How It Works: 1. Decide on hosting strategy 2. Apply to appropriate servers 3. Document on infrastructure card 4. Pay if cloud-specific (usually free)
Example Turn: "We're hosting our email and web servers on AWS (0 cost). Domain Controller stays on-premises. This reduces on-prem complexity but adds cloud management responsibility."
Cost: 0 Effect: Take no further actions this turn; preserve budget
Use When: Satisfied with current design or holding budget in reserve for surprises
Problem: Limited budget + mandatory services = imperfect solutions
Solution: Overload servers (put more services on one server than intended)
How It Works (v2.2): - If a server has capacity for 2 services, you can put 3+ on it - Cost: +1 Budget per extra service beyond capacity (paid when the service is added) - Benefit: Still far cheaper than buying another server - Risk: Overloaded server is harder to isolate; compromise affects multiple services
Example Scenario: "Budget remaining: 5. Still need to host Development Services.
Option A: Buy Dev Server for 5 (leaves 0 budget) Option B: Put Dev on our File Server, which already hosts File Storage and Email Backup (2/2). Overload by 1: pay 1 Budget (leaves 4)
We choose B: File Server becomes (File Storage, Email Backup, Dev Services — OVERLOADED 3/2)"
Consequences (Discovered Later): - Overloaded servers are easier to pivot from (when other modules investigate) - If one service is compromised, ALL services on that server are at risk - Recovery is harder (can't isolate just the compromised service)
Teams inevitably leave security gaps:
| Gap Type | How It Happens | Cost Saved | Later Consequence |
|---|---|---|---|
| No Segmentation | Too expensive (5-12) | 5-12 | All servers accessible after initial compromise |
| No Firewall | Too expensive (12) | 12 | Can't enforce zone boundaries |
| Legacy Systems | Cheap (3) | 7+ | Easy to exploit; unpatched vulnerabilities |
| Overloaded Servers | Budget pressure | 2-11 (server cost minus overload fees) | Multi-service compromise; hard to isolate |
| No Detection (no IDS/SIEM) | Expensive (10-15) | 10-15 | Attacks undetected; investigations harder |
| No Email Gateway | Phishing defense (6) | 6 | Phishing easier in IR module |
| No Honeypot | Luxury item (7) | 7 | Attackers move silently |
| All Cloud or All On-Prem | Simplicity | 0 | Security model doesn't fit actual architecture |
| No Backup Server | Expensive (9) | 9 | Automatic FAIL on the Disaster Recovery requirement |
| No SIEM | Most expensive (15) | 15 | Investigation takes longer |
Key Insight: These gaps are discovered when other modules test the network (Audit, Incident Response, Disaster Recovery).
Teams create an Infrastructure Summary Card:
YOUR NETWORK ARCHITECTURE (Standard, 50 Budget)
SERVERS DEPLOYED:
- Cloud Workload (AWS) - Hosts: Email + Web (2/2, cloud-hosted)
- Database Server (On-Prem) - Hosts: Customer Database
- Domain Controller (On-Prem) - Hosts: Identity, File Storage,
Dev Services (OVERLOADED 3/2, +1 Budget paid)
- Backup Server (On-Prem, isolated) - Hosts: Backups / DR
ARCHITECTURE: Segmented (3 zones)
- DMZ: (cloud workload fronts the internet)
- Internal: Users
- Sensitive: Database, Domain Controller, Backup Server
SECURITY DEVICES:
- Email Gateway (incoming mail)
- NO Firewall, NO IDS/SIEM, NO VPN Gateway, NO Honeypot
HOSTING: Hybrid (cloud front end, on-prem crown jewels)
BUDGET SPENT: 47/50 (3 remaining)
- Cloud Workload 4 + Database 10 + Domain Controller 12 + Backup 9
+ Segmented Architecture 5 + Email Gateway 6 + Overload 1 = 47
IDENTIFIED GAPS (for other modules):
- Overloaded Domain Controller (identity + files + dev on one box)
- No IDS/SIEM (attacks undetected; investigations harder)
- No VPN Gateway (remote workers use risky workarounds)
- Email and Web share one cloud workload (single point of failure)
After building, teams receive a score reflecting their design choices:
| Metric | Score |
|---|---|
| Requirements | +2 per Required item satisfied (Email, Web, Database, Identity, Backup) — max +10 |
| Segmentation | Implemented Segmented or Fully Isolated architecture = +10 |
| Detection | Deployed IDS, IPS, or SIEM = +5 |
| Recovery | Deployed Backup Server = +5 |
| Redundancy | Duplicated a critical server or deployed a Load Balancer = +5 |
| Contingency Reserve | 5-15 Budget remaining = +5; 1-4 remaining = +2; 0 or 16+ remaining = 0 |
Maximum: 40 points. The reserve bonus rewards smart utilization — meet the requirements and keep a small cushion; hoarding budget scores nothing.
Example Scoring (the sample network above, Standard 50): - All 5 Required items satisfied: +10 - Segmentation implemented: +10 - No IDS/IPS/SIEM: 0 - Backup Server deployed: +5 - No redundancy: 0 - 3 Budget remaining: +2 - Total: 27 points — Good design
Interpretation Tiers (v2.2): - 32-40 points: Enterprise-grade design; comprehensive protection - 22-31 points: Good design; most critical gaps covered - 12-21 points: Adequate design; some gaps remain - Below 12 points: High risk; many gaps; future modules will be challenging
Reachability check: at Beginner (60), a team can score the full 40 — e.g., Cloud Workload 4 (Email+Web) + Database 10 + Domain Controller 12 (Identity + File) + Backup 9 + Segmented 5 + IDS 10 + second Cloud Workload 4 (redundant web) = 54 spent, 6 remaining → 10+10+5+5+5+5 = 40.
For use in Incident Response and Audit modules: - List all identified gaps - Note severity (CRITICAL, HIGH, MEDIUM, LOW) - These gaps become modifiers when other modules test the network
When Network Building leads to other modules:
→ Incident Response Module: - Network design determines which attacks are possible - Overloaded servers make lateral movement easier - Missing IDS/SIEM makes investigation harder
→ Hardening Module: - Teams can see which network gaps they should fix - Fixing a gap they identified = +2 bonus to that defense
→ Disaster Recovery Module: - Network gaps increase crisis budget costs - Overloaded servers = more data compromised - No backup = no recovery option
→ Audit & Compliance Module: - Pre-built network is audited against NIST/CIS - Audit findings highlight network gaps - Findings become modifiers in Incident Response
Constraint: Very limited budget; must make hard choices
Starting Narrative: "You're a startup with limited funding. You need to build infrastructure but can't afford everything. Choose wisely."
Likely Outcome: - Flat network (save 5) - Few security devices - Multiple overloaded servers - High vulnerability; good learning about consequences
Constraint: Moderate budget; can afford some security
Starting Narrative: "Your organization is growing. You have some budget for infrastructure but not unlimited. Balance growth with security."
Likely Outcome: - Segmented network - Basic security devices (firewall, email gateway, IDS or SIEM) - Some overloading but manageable - Moderate vulnerability; balanced design
Constraint: Good budget; comprehensive design possible
Starting Narrative: "You're rebuilding infrastructure with sufficient budget. Design for security AND resilience."
Likely Outcome: - Segmented or isolated network - Multiple security devices - Minimal overloading - Good security posture; few gaps
Add compliance requirements: - NIST CSF, CIS Controls, PCI-DSS, HIPAA - Teams must choose devices that satisfy compliance - Some devices count toward multiple requirements
Assign roles: - Finance wants cheap solutions - Operations wants reliability - Security wants defense-in-depth - Teams must negotiate trade-offs
After Incident Response or Disaster Recovery: - Teams rebuild network based on lessons learned - Compare new design to original - Measure improvement
| Component | Cost | Notes |
|---|---|---|
| Servers | 3-12 | Higher cost = more critical function |
| Devices | 6-15 | Higher cost = more capability |
| Architecture | 0-12 | One per game; segmented is best balance |
| Hosting | 0-8 | Usually free; some cloud options cost |
Summary of rule changes for playtesters (all labelled "(v2.2)" in the text above):
cards/network-building/standalone/). Previously 5 turns × 1 action made the mandatory requirements physically impossible to place.Network Building Module - Rules & Mechanics Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
docs/standalone-games/network-building.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Network Building Standalone is a 30-45 minute competitive resource management game where teams design IT infrastructure under budget constraints with random business requirements and operational challenges.
Core Concept: - Budget: Limited funding (40-60 Network Budget tokens by difficulty; 50 standard) - Requirements: Random business needs forcing tough trade-offs - Randomness: Equipment failures, budget surprises, requirement changes - Scoring: Multi-dimensional (security, budget efficiency, capability, resilience) - Winner: Team with highest final score
Best For: - Teaching infrastructure trade-offs - Understanding security budget constraints - Decision-making under uncertainty - Standalone 30-45 minute session - Competitive team play (2-4 teams)
Game Duration: 5-7 turns (by difficulty) × 4-5 minutes per turn = 20-30 minutes gameplay - Setup: 5 minutes (explain rules, distribute materials) - Gameplay: 20-30 minutes - Scoring & Debrief: 5-10 minutes - Total: 30-45 minutes
Each turn represents ~1 quarter of the fiscal year: - Reveal a Business Requirement (what does the business need this quarter?) - Reveal an Operational Event (failure, budget change, attack, opportunity) - Team deploys components, handles the event, or passes
cards/network-building/core-deck/server-cards.md)Each has: Type, Cost, Capacity, Security Profile
┌──────────────────────┐
│ EMAIL SERVER │
│ Cost: 8 │
│ Capacity: 1 service │
│ Security: Low │
│ (Phishing target) │
└──────────────────────┘
Server Types Available: - Email Server (8 Budget, 1 capacity, Low security) - Web Server (7 Budget, 1 capacity, Low security) - Database Server (10 Budget, 1 capacity, Medium security) - File Server (6 Budget, 2 capacity, Low security) - Domain Controller (12 Budget, 2 capacity, Medium security) - Development Server (5 Budget, 3 capacity, Low security) - Backup Server (9 Budget, 1 capacity, High security) - Cloud Workload (4 Budget, 2 capacity, Medium security) - Legacy System (3 Budget, 1 capacity, Very Low security) - Honeypot Decoy (7 Budget, 1 capacity, Medium security)
Overload rule: a server may host more services than its capacity for +1 Budget per extra service — but overloaded servers are a recorded risk (see Variations, now a standard rule).
cards/network-building/core-deck/security-device-cards.md)Each has: Type, Cost, Benefit
┌──────────────────────┐
│ FIREWALL │
│ Cost: 12 │
│ Blocks traffic │
│ between network │
│ zones (segmentation) │
└──────────────────────┘
Security Device Types Available (v2.2 — benefits stated in plain language; the Scoring section says what each counts as): - Firewall (12 Budget) — blocks traffic between network zones; counts as Firewall and toward segmentation - IDS (10 Budget) — spots attacks in progress; counts as detection - IPS (14 Budget) — blocks known exploits in real time; counts as detection - Email Gateway (6 Budget) — filters phishing and email malware - WAF (11 Budget) — protects web applications from injection/XSS attacks - SIEM (15 Budget) — central logging and alerting; counts as detection, helps audits - Network Segmentation Switch (10 Budget) — isolates network zones; counts as segmentation - VPN Gateway (9 Budget) — secure remote access for staff - Load Balancer (8 Budget) — spreads load across duplicated services; counts as redundancy - Honeypot Network (8 Budget) — decoy segment that exposes intruders; counts as detection
cards/network-building/standalone/business-requirement-cards.md)20 cards (REQ-01 to REQ-20) of random quarterly business needs. Each names the requirement, what satisfies it, and the score impact.
┌──────────────────────┐
│ BUSINESS REQUIREMENT │
├──────────────────────┤
│ REQ-01: "New Product │
│ Launch Website" │
│ │
│ Satisfied by: Web │
│ Server or cloud web │
│ │
│ Missed: -5 points │
└──────────────────────┘
cards/network-building/standalone/operational-event-cards.md)16 cards (EVT-01 to EVT-16) of random incidents, opportunities, and challenges. Each states its effect and which designs mitigate it.
┌──────────────────────┐
│ OPERATIONAL EVENT │
├──────────────────────┤
│ EVT-01: "Email │
│ Server Failure" │
│ │
│ Pay 5 Budget to fix │
│ OR -10 points │
│ │
│ Mitigated by: │
│ redundant/cloud email│
└──────────────────────┘
Final Score = Security Score + Budget Score + Capability Score + Resilience Score − Requirement/Event penalties (+ bonuses)
Teams win by maximizing total score, not just saving budget.
Each Team Receives: - Starting Budget: 50 Network Budget tokens (Standard difficulty) - Infrastructure Summary Sheet (to track what they've built) - Score Tracking Sheet - Network Diagram Worksheet (optional, for visualization)
Shuffle and place face-down: - Business Requirement deck (all 20 cards; 1 drawn per turn) - Operational Event deck (all 16 cards; 1 drawn per turn)
**"You're a CIO designing your organization's IT infrastructure for the next 18 months. You have limited budget ($50K, represented as 50 tokens). Each quarter brings new business requirements and operational challenges. You must balance: - Getting the work done (business requirements) - Keeping things secure (security devices) - Managing money (budget efficiency) - Surviving incidents (resilience features)
After 6 quarters (turns), we'll score your infrastructure. Highest score wins."**
Threat Orchestrator flips top Business Requirement Card:
"It's Q2. The executive team wants to acquire a customer database company. You need to integrate their 2 million customer records into your infrastructure. You MUST have a functioning Database Server by end of Q2 or you lose 10 points (deal falls through)."
Team Notes: - What service is needed? - When is the deadline? (end of this turn unless the card says otherwise) - What's the penalty if you skip? (points deduction)
Teams Discuss: Do we have it? If not, how do we get it?
Threat Orchestrator flips top Operational Event Card:
"OPERATIONAL EVENT: Your Email Server just failed. It's been down for 2 hours. You can: - Option A: Pay 5 budget for emergency repair (get email back online) - Option B: Skip repair (email stays down all quarter) - lose 10 points (users upset, productivity down) - Option C: Use this as an excuse to upgrade (replace with new server, normal cost)"
Teams Decide: How to handle the incident?
Teams may take ANY NUMBER of the following actions, in any order, limited only by budget (previously one action per turn):
Example: "We're deploying a Database Server on-premises. Cost: 10 budget. Remaining: 40 budget. This satisfies the Q2 acquisition requirement. No penalty!"
Example: "We're deploying an IDS on our internal network. Cost: 10 budget. Remaining: 30 budget. That gives us detection — if a ransomware or insider event comes up, we're covered."
Example: "Email Server failed. We're paying 5 budget for emergency repair. That lets us avoid the -10 penalty. Remaining: 25 budget."
Update Trackers: - Subtract budget spent - Mark servers/devices deployed - Apply any penalties from unmet requirements - Prepare for next turn
Next Turn Begins
Final Score = Security + Budget + Capability + Resilience − requirement/event penalties (+ bonuses)
Requirement and event penalties/bonuses (from the cards) are tracked as they happen and applied to the final total. Dimension scores can go negative.
Measures defensive capability against attacks
| Security Metric | Points | How Scored |
|---|---|---|
| IDS or IPS Deployed | +5 | Detect/prevent network attacks |
| SIEM Deployed | +5 | Centralized logging & detection |
| Firewall Deployed | +4 | Perimeter / zone enforcement |
| Backup Server Deployed | +4 | Ransomware recovery |
| Email Gateway Deployed | +3 | Phishing protection |
| WAF Deployed | +3 | Web application protection |
| Honeypot Deployed | +3 | Early warning system |
| Network Segmentation | +3 | Lateral movement prevention (Segmentation Switch or segmented architecture) |
Maximum Security Score: 30 points (5+5+4+4+3+3+3+3 = 30)
Examples: - Only Email Gateway: 3 points (basic phishing defense, weak) - IDS + SIEM + Email Gateway: 13 points (good detection) - Full suite (IDS + SIEM + Firewall + Backup + Email Gateway + WAF + Honeypot + Segmentation): 30 points (enterprise-grade, but expensive)
Rewards smart utilization: meeting the business's needs within budget while keeping a small contingency reserve. Hoarding budget is NOT rewarded — an unspent token did no work.
Budget Remaining at Game End → Points:
| Budget Remaining | Points | Reading |
|---|---|---|
| 5-15 left | 20 | Requirements met, plus a contingency reserve for surprises |
| 1-4 left | 15 | Fully invested, but nothing left for the next incident |
| 0 left | 10 | Ran completely dry |
| 16-25 left | 10 | Under-invested; capability probably missing |
| 26+ left | 5 | Hoarding — budget is not the goal |
Anti-hoarding check: if the team missed 2 or more Business Requirements during the game, halve their Budget Score (round down). Saving money by failing the business is not efficiency.
Examples: - Spent 42, left 8: 20 points (met needs, kept a reserve) - Spent 46, left 4: 15 points (all-in; one bad event from trouble) - Spent 20, left 30: 5 points (a pile of tokens and a network full of gaps)
Does infrastructure meet business needs?
| Capability | Points | Notes |
|---|---|---|
| Email Service | +3 | Basic business function (Email Server or cloud-hosted) |
| Web Service | +3 | Public presence / e-commerce |
| Database Service | +4 | High-value data management |
| File Storage | +2 | Internal collaboration |
| Domain Controller | +3 | User identity & security |
| Development Capability | +2 | Dev Server or dev via overload |
| Backup Server | +3 | Disaster recovery |
| Remote Access (VPN Gateway) | +2 | Work-from-home support |
| Cloud Workload | +2 | Scalability & redundancy |
| Honeypot | +1 | Early-warning capability |
Maximum Capability Score: 25 points (3+3+4+2+3+2+3+2+2+1 = 25)
Penalties for Missing Key Services: - No Email service: -5 (business can't communicate) - No Database service: -10 (core data has no home) - No Domain Controller: -3 (no central identity) - No VPN Gateway (only if a remote-work requirement card was drawn): -3
(Ransomware consequences for missing backups come from the event cards themselves — see EVT-11.)
Examples: - Email, Web, Database, File, Domain Controller, Backup: 3+3+4+2+3+3 = 18 points (good) - The same plus VPN Gateway and a Honeypot: 18+2+1 = 21 points (excellent) - Email, Web, File, Domain, Backup but NO Database: 3+3+2+3+3 = 14, minus 10 = 4 points (the penalty bites)
Ability to survive and recover from failures
Resilience Factors:
| Factor | Points | Criteria |
|---|---|---|
| Backup Server | +8 | Can recover from ransomware/data loss |
| Detection | +7 | IDS/IPS/SIEM can spot attacks early |
| Redundancy | +5 | Duplicate server in the same role OR Load Balancer |
| Isolation | +3 | Network segmentation prevents spread |
| Recovery Plan | +2 | Has BOTH Backup Server and detection |
Maximum Resilience Score: 25 points (8+7+5+3+2 = 25)
Penalties for Vulnerabilities (v2.2): - No Backup Server: -10 (one disaster from catastrophe) - Single point of failure (all critical services on one server): -5 - No detection capability: -3 - Flat network (no segmentation): -2
Examples: - Backup + Detection + Segmentation + Redundancy: 8+7+3+5, +2 recovery plan = 25 points (maximum; very resilient) - Backup + Detection, flat network, no redundancy: 8+7+2−2 = 15 points (adequate) - No backup, no detection, flat network: −10−3−2 = −15 points (high risk; yes, scores go negative)
Built (total 46 of 50; 4 remaining): - Email Server (8): handles email - Web Server (7): public website - Database Server (10): customer data - File Server (6): internal files - Backup Server (9): disaster recovery - Email Gateway (6): phishing defense
Check: 8+7+10+6+9+6 = 46 ✓. No Domain Controller (too expensive; skipped for budget). Flat network.
Scoring Team A:
Security Score: - Email Gateway: +3 - Backup Server: +4 - No IDS/IPS/SIEM/Firewall/WAF/Honeypot/Segmentation: 0 - Total: 7 points
Budget Score: - 4 budget remaining → 1-4 band - Total: 15 points
Capability Score: - Email +3, Web +3, Database +4, File +2, Backup +3 = 15 - No Domain Controller: −3 - Total: 12 points
Resilience Score: - Backup Server: +8 - No detection: −3 - Flat network: −2 - Total: 3 points
Team A Final Score: 7 + 15 + 12 + 3 = 37 points
Built (total 47 of 50; 3 remaining): - Email Server (8) - Web Server (7) - Database Server (10) - Domain Controller (12) - IDS (10)
Check: 8+7+10+12+10 = 47 ✓. No Backup Server (sacrificed for detection). Flat network.
Scoring Team B:
Security Score: - IDS: +5 - Total: 5 points
Budget Score: - 3 left → 1-4 band - Total: 15 points
Capability Score: - Email +3, Web +3, Database +4, Domain Controller +3 = 13 - Total: 13 points
Resilience Score: - Detection: +7 - No Backup Server: −10 - Flat network: −2 - Total: −5 points (negative!)
Team B Final Score: 5 + 15 + 13 − 5 = 28 points
RESULT: Team A (37) beats Team B (28)
Lesson: Having Backup is critical for resilience, even if it means fewer security devices.
Each team: - Separate budget (50 tokens each at Standard) - Separate infrastructure tracking sheet - Separate score tracker
Simultaneous Play: - All teams reveal the same requirement and event at the same time - Teams take turns choosing actions (round-robin) OR all teams act simultaneously - Simultaneous is faster; rotating turns allows player agency
Track all teams' scores throughout game (illustrative):
| Team | Sec | Budget | Cap | Res | TOTAL |
|---|---|---|---|---|---|
| Team A | 8 | 20 | 12 | 5 | 45 |
| Team B | 12 | 15 | 18 | 10 | 55 |
| Team C | 5 | 10 | 8 | 2 | 25 |
Winner: Team with highest total score after the final turn
If two teams tie: 1. First tiebreaker: Security Score (defense is critical) 2. Second tiebreaker: Resilience Score (ability to survive matters) 3. Third tiebreaker: Capability Score (business requirement fulfillment)
Each game is different because:
Example Game Flow Variations:
Game 1 (Tough Start): - Turn 1: Ransomware wave (REQ-12) → Must buy Backup + Detection early - Turn 2: Budget cut (EVT-05) → Can't afford nice devices - Turn 3: M&A integration (REQ-08) → Need more capacity - Result: Teams forced into defensive posture
Game 2 (Growth-Focused): - Turn 1: Product launch (REQ-01) → Need Web Server - Turn 2: Data acquisition (REQ-02) → Need Database - Turn 3: Emergency funds (EVT-06) → +10 budget! - Result: Teams build bigger, more capable infrastructure
Beginner Mode (Generous): - Starting Budget: 60 - Kind decks (remove EVT-11 and REQ-12 before shuffling) - Turn Limit: 7 (extra time)
Standard Mode: - Starting Budget: 50 - Random card draws - Turn Limit: 6
Advanced Mode (Challenging): - Starting Budget: 40 (tight budget) - Harsh decks (remove EVT-06, EVT-07, EVT-16 — fewer breaks) - Requirement penalties doubled - Turn Limit: 5
Phase 1: Business Requirement TO flips card: "New Product Launch Website — need modern web server capability. If missing by end of Q1: -5 points."
Phase 2: Operational Event TO flips card: "Emergency Funds! A surprise rebate arrives. +10 Budget (one time)."
Budget update: 50 + 10 = 60
Phase 3: Team Actions "We're deploying a Web Server to meet the launch requirement. Cost: 7 budget. Remaining: 53. We know we'll need a backup server eventually — holding the rest for now."
Phase 4: End of Turn - Infrastructure: Web Server - Budget: 53
Phase 1: Business Requirement "Customer Data Acquisition — must have a functioning Database by end of Q2 or lose 10 points."
Phase 2: Operational Event "Email Server Failure — pay 5 budget for emergency repair OR skip and lose 10 points."
The team has no email server, so the TO rules the event inert — there's nothing to break. (TO tip: when an event targets a component the team doesn't own, it fizzles — but it's a great moment to point at the capability gap.)
Phase 3: Team Actions "We're deploying a Database Server (10 budget) to handle the acquisition — that's critical. The failure event doesn't apply to us, so no repair cost. Total this turn: 10. Remaining: 43."
Infrastructure: Web Server, Database Server Budget: 43
Phase 1: Business Requirement "Ransomware Wave in Sector — you need Backup AND Detection capability OR lose 20 points."
Phase 2: Operational Event "Vendor Promotion — next security device this turn costs 2 less."
Phase 3: Team Actions "Critical quarter. We're deploying: - Backup Server (9 budget) - IDS at the promo discount (10 − 2 = 8 budget) That satisfies the ransomware requirement. We'll also grab a Cloud Workload (4) for future flexibility. Total: 21 budget. Remaining: 22."
Infrastructure: Web, Database, Backup, IDS, Cloud Workload Budget: 22
Phase 1: Business Requirement "Work-From-Home Program — need remote access capability. Missing: -3 points."
Phase 2: Operational Event "IT Staff Burnout — you may deploy at most ONE component this turn."
Phase 3: Team Actions "We need remote access, and burnout limits us to one deployment. VPN Gateway it is (9 budget). Remaining: 13."
Infrastructure: Web, Database, Backup, IDS, Cloud, VPN Gateway Budget: 13
Phase 1: Business Requirement "Cyber-Insurance Renewal — Backup + Email Gateway + detection: +5 points if all present, -5 if not."
Phase 2: Operational Event "Hardware Recall — pick an on-prem server: pay 3 budget or it's offline this quarter."
Phase 3: Team Actions "We deploy an Email Gateway (6 budget) — with our Backup and IDS that completes the insurance checklist: +5 points. For the recall we pay 3 to keep the Database Server online (it's load-bearing). Total: 9. Remaining: 4."
Infrastructure: Web, Database, Backup, IDS, Cloud, VPN Gateway, Email Gateway Budget: 4
Phase 1: Business Requirement "Single Sign-On Rollout — must have a Domain Controller OR lose 5 points."
Phase 2: Operational Event "Quiet Quarter — no incident."
Phase 3: Team Actions "A Domain Controller costs 12; we have 4. We can't buy it. We pass and take the -5 penalty."
Final Infrastructure & Budget Check: - Web Server (7) - Database Server (10) - Backup Server (9) - IDS (10, paid 8 with promo) - Cloud Workload (4) - VPN Gateway (9) - Email Gateway (6) - Recall fee (3) - Total spent: 7+10+9+8+4+9+6+3 = 56 of 60 available (50 start + 10 windfall) - Final Budget: 4 remaining ✓
Security Score: - IDS: +5 - Email Gateway: +3 - Backup Server: +4 - Total: 12 points
Budget Score: - 4 remaining → 1-4 band - Missed only 1 requirement (no halving) - Total: 15 points
Capability Score: - Web +3, Database +4, Backup +3, VPN +2, Cloud +2 = 14 - No Email service: −5 (an Email Gateway is a security device — it filters mail, it doesn't host mailboxes; they never deployed an Email Server or cloud email) - No Domain Controller: −3 - Total: 6 points
Resilience Score: - Backup Server: +8 - Detection (IDS): +7 - Recovery Plan (backup + detection): +2 - Flat network: −2 - Total: 15 points
Requirement/Event adjustments: - Turn 5 insurance bonus: +5 - Turn 6 missed SSO requirement: −5
FINAL SCORE: 12 + 15 + 6 + 15 + 5 − 5 = 48 points
Lesson: This team survived the ransomware quarter and kept every event in check — but never bought email or identity. Detection and backups scored well; missing core business services bled capability points all game.
Servers may exceed capacity at +1 Budget per extra service. This is the same rule as the Network Building module. - Example: 3 services on a 2-capacity server costs +1 budget - Trade-off: cheaper than a new server now, but overloaded servers are recorded risks (single point of failure; events and later modules punish them)
Optional Rule: Allow teams to upgrade servers already deployed (swap for a better one, pay the difference). - Example: Replace File Server (6) with Domain Controller (12) — pay 6, keep the hosted services - Creates flexibility but adds complexity
Optional Rule (High Difficulty): If EVT-11 (Ransomware Strikes) is drawn and the team has NO Backup Server, they take the -20 immediately AND must deploy a Backup Server by the end of the next turn (mandatory). - Creates an urgent decision point - Teaches that failures have compounding consequences
Optional Rule: Each Legacy System deployed costs 1 extra budget per turn to maintain (not paid upfront). - Teaches that cheap solutions have hidden costs - Creates long-term vs. short-term thinking
NETWORK BUILDING STANDALONE SCORING (v2.2)
SECURITY SCORE (max 30):
IDS or IPS: +5 | SIEM: +5 | Firewall: +4 | Backup: +4
Email Gateway: +3 | WAF: +3 | Honeypot: +3 | Segmentation: +3
BUDGET SCORE (max 20) — smart utilization, not hoarding:
5-15 left: 20 | 1-4 left: 15 | 0 left: 10 | 16-25 left: 10 | 26+ left: 5
Missed 2+ requirements? Halve it (round down).
CAPABILITY SCORE (max 25):
Email: +3 | Web: +3 | Database: +4 | File: +2 | Domain: +3
Dev: +2 | Backup: +3 | VPN: +2 | Cloud: +2 | Honeypot: +1
Penalties: no Email -5 | no Database -10 | no DC -3
no VPN (if remote-work card drawn) -3
RESILIENCE SCORE (max 25):
Backup: +8 | Detection: +7 | Redundancy: +5 | Segmentation: +3
Recovery Plan (Backup AND Detection): +2
Penalties: no Backup -10 | single point of failure -5
no Detection -3 | flat network -2
FINAL = Security + Budget + Capability + Resilience
− requirement/event penalties (+ bonuses)
SERVERS (Cost / Capacity / Security Profile):
Email (8/1/Low) | Web (7/1/Low) | Database (10/1/Med)
File (6/2/Low) | Domain (12/2/Med) | Dev (5/3/Low)
Backup (9/1/High) | Cloud (4/2/Med) | Legacy (3/1/VLow) | Honeypot (7/1/Med)
Overload: +1 Budget per service beyond capacity
SECURITY DEVICES (Cost — benefit):
Firewall (12 — zone control) | IDS (10 — detection) | IPS (14 — detection+blocking)
Email Gateway (6 — anti-phishing) | WAF (11 — web app defense)
SIEM (15 — detection+logging) | Segmentation Switch (10 — isolation)
VPN Gateway (9 — remote access) | Load Balancer (8 — redundancy)
Honeypot Network (8 — detection/deception)
This is a complete, standalone 30-45 minute competitive mini-game.
To run a session:
1. Print server and device cards (cards/network-building/core-deck/)
2. Print the requirement and event decks (cards/network-building/standalone/)
3. Give each team a budget tracker
4. Run 5-7 turns (4-5 min each, per difficulty)
5. Calculate final scores
6. Declare winner
7. 10-minute debrief
Summary of changes for playtesters:
cards/network-building/standalone/; inline example lists replaced by references to them.Incident Zero: Network Building Standalone Mini-Game Infrastructure design competition with multi-dimensional scoring v2.2 - Playtest Edition
cards/network-building/core-deck/server-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Server Cards represent the core computational systems that run your business. Each server has cost (Budget), capacity (how many services it can host), complexity, and security properties that affect network design.
Type: Business Critical Cost: 8 Budget Capacity: 1 service Complexity: 2/4 Availability Requirement: 99.9% (almost always needed)
Description: Central email system (Exchange, Postfix, or cloud-based like Office 365). Handles all organizational communication. Commonly targeted by phishing and credential attacks. Must support spam filtering, encryption, and audit logging.
Key Concerns: - Email spoofing and phishing vectors - Credential compromise (email = access to password resets) - Data exfiltration via email attachments and forwarding - High user impact if unavailable
Defense Considerations: - Requires Email Authentication (DMARC/SPF/DKIM) - Benefits from DLP for sensitive email attachments - Gateway filtering for phishing and malware - MFA required for administrative access
Network Placement: DMZ or protected segment (external access required)
Interactions: - Used with Asset Card "Email" - References in Incident Response scenarios (T-01 Phishing, T-11 Browser Extension) - Part of Disaster Recovery "critical services" list
Type: Business Critical Cost: 7 Budget Capacity: 1 service Complexity: 2/4 Availability Requirement: 99.5% (critical during business hours)
Description: Public-facing web application server (Apache, Nginx, IIS). Hosts corporate website, customer portal, or SaaS application. Primary attack surface for web exploits (SQL injection, XSS, remote code execution).
Key Concerns: - Web application vulnerabilities (OWASP Top 10) - Unpatched framework or library exploits - DDoS attacks targeting availability - Code injection and remote execution - Data exposure via web interface
Defense Considerations: - Requires WAF (Web Application Firewall) for SQL injection/XSS prevention - IPS for exploit signature detection - Regular patching and vulnerability scanning - Load balancer for availability - TLS/SSL for data in transit
Network Placement: DMZ (external access required, isolated from internal systems)
Interactions: - Used with Asset Card "Web" - References in Incident Response scenarios (T-02 Watering Hole, T-05 Kernel Exploit) - Load balancer reduces single point of failure
Type: Business Critical Cost: 10 Budget Capacity: 1 service Complexity: 3/4 Availability Requirement: 99.9% (critical for business operations)
Description: Relational or NoSQL database (SQL Server, PostgreSQL, MongoDB, Oracle). Stores customer data, financial records, operational data. Highest value target after compromise—contains the "crown jewels."
Key Concerns: - SQL injection attacks - Credential abuse (weak database admin passwords) - Lateral movement target (pivot point) - Unencrypted data at rest - Unencrypted data in transit - Unauthorized data access and exfiltration
Defense Considerations: - Requires Network Segmentation to limit access - Credential Guard and strong authentication - Database activity monitoring (DAM) - TLS for all connections - Data encryption at rest - Regular backups with immutability - Connection string in vault (not hardcoded)
Network Placement: Restricted segment (only authorized systems can connect)
Interactions: - Used with Asset Card "Database" - References in Incident Response scenarios (T-04 Lateral Movement, T-10 SQL Exfiltration, T-11 Browser Extension) - Critical for Disaster Recovery backup and recovery
Type: Business Critical Cost: 6 Budget Capacity: 2 services Complexity: 2/4 Availability Requirement: 99% (needed during business hours)
Description: File storage and sharing system (SMB/CIFS, NFS, or cloud file sharing). Stores shared documents, project files, compliance records. Often contains both sensitive and non-sensitive data mixed together.
Key Concerns: - SMB lateral movement attacks - Excessive file permissions (everyone can read everything) - Ransomware encryption of shares - Unauthorized file access and data theft - Compliance violations (PII, PHI, PCI data stored unencrypted) - Uncontrolled data growth and backup challenges
Defense Considerations: - Network Segmentation to limit SMB access - File permissions auditing and hardening - DLP for sensitive file detection - Immutable snapshots for ransomware recovery - Encryption at rest - Access logging and monitoring
Network Placement: Protected segment (limited internal access only)
Interactions: - Used with Asset Card "File Storage" - Target of T-04 Lateral Movement in Incident Response - Critical dependency for Disaster Recovery
Type: Business Critical Cost: 12 Budget Capacity: 2 services Complexity: 3/4 Availability Requirement: 99.5% (core infrastructure dependency)
Description: Active Directory or LDAP domain controller. Master repository of all user identities, credentials, and group memberships. Most powerful target in the organization—compromise of DC gives attacker control of entire directory.
Key Concerns: - Credential dumping (Mimikatz targets LSASS on DC) - Pass-the-hash attacks - Unauthorized privilege escalation - DC compromise = organization is fundamentally compromised - Backup DC synchronization complications - Can be both on-premises and cloud (Azure AD)
Defense Considerations: - Credential Guard to protect LSASS - Privileged Access Workstation (PAW) for DC admin access - Strong authentication (MFA) for all DC access - Network Segmentation (DC in restricted tier) - Backup DC in geographically separate location - Regular backup and recovery testing
Network Placement: Restricted segment (admin-only access)
Interactions: - Used with Asset Card "Identity" - Central to Incident Response investigation (T-06 Mimikatz, T-04 Lateral Movement) - DC compromise immediately loses the game (organizational control lost) - Critical for Disaster Recovery restore procedures
Type: Business Important Cost: 5 Budget Capacity: 3 services Complexity: 2/4 Availability Requirement: 80% (nice to have, can work around)
Description: Development and testing environment for software development. Lower security requirements than production but often contains production-like data (for testing). Developers need broad access for testing purposes.
Key Concerns: - Overly permissive developer access - Production data in dev (compliance violations) - Outdated/unpatched tools (focus on development, not security) - Lateral movement springboard to production - Code repository contains source code (intellectual property) - Test credentials and API keys hardcoded
Defense Considerations: - Separate dev database from production database (never use prod data) - Firewall rules to prevent dev→prod lateral movement - Code repository security (secrets scanning, access control) - Regular cleanup of test data - MFA for dev server access - Audit logging of developer activities
Network Placement: Development segment (isolated from production)
Interactions: - Used with Asset Card "Development" - Often overlooked security risk (compliance gap in Audit module) - Lateral movement target (attacker compromise dev to move to prod)
Type: Business Critical (Different Tier) Cost: 9 Budget Capacity: 1 service Complexity: 2/4 Availability Requirement: 95% (needed for recovery scenarios)
Description: Backup and archival storage system (dedicated appliance, NAS, or cloud backup like Veeam, Commvault, or Backblaze). Stores point-in-time copies of all critical systems. The ultimate recovery mechanism for ransomware, disasters, and destructive attacks.
Key Concerns: - Backup corruption or compromise (renders backups useless) - Ransomware targeting backup systems - Backup media not separated from primary systems - Backups not regularly tested (recovery fails when needed) - Immutability not enforced (backups can be modified) - Access control: who can restore? Who can delete?
Defense Considerations: - CRITICAL: 3-2-1 backup strategy: 3 copies, 2 media types, 1 offsite - Immutable backups (WORM - Write Once Read Many) - Encryption at rest and in transit - Backup testing schedule (quarterly minimum) - Separate backup credentials (not domain-linked) - Offsite backup location (geographically separated) - Backup media inventory and audit log
Network Placement: Restricted segment + offsite (separate from primary network)
Interactions: - Used with Asset Card "Disaster Recovery" - Critical for Disaster Recovery module (backup resilience determines recovery speed) - If backup is missing or compromised, the team automatically FAILS the Disaster Recovery requirement (v2.2) — a CRITICAL gap carried into other modules - Incident Response mentions backup verification in defenses
Type: Increasingly Business Critical Cost: 4 Budget Capacity: 2 services Complexity: 2/4 (but different concerns than on-premises) Availability Requirement: 99% (vendor manages SLA)
Description: Cloud-hosted application or service (AWS EC2, Azure VM, GCP Compute Engine, or fully managed service like Lambda, Cloud Run). Shifts some infrastructure management to cloud provider but introduces new security concerns.
Key Concerns: - Misconfigured security groups/network ACLs (open to internet) - Cloud credentials compromise (AWS IAM keys stolen) - Instance metadata service attacks (AWS IMDS exploitation) - Cross-account or cross-tenant access (shared infrastructure) - Cloud-specific vulnerabilities (API, permissions models) - Data residency and compliance (where is data stored?)
Defense Considerations: - Cloud-native security tools (AWS Security Hub, Azure Security Center) - Proper IAM configuration (least privilege for cloud roles) - Network security groups with default-deny - Cloud workload protection (container runtime security) - VPC and subnet isolation - Encryption of cloud data
Network Placement: Cloud provider network (separate from on-premises, connected via VPN)
Interactions: - Used with Asset Card (varies—Email in cloud, Web in cloud, etc.) - Network design must include cloud connectivity (VPN or Direct Connect) - Audit module assesses cloud security posture - Cloud-specific Incident Response and Hardening challenges
Type: Business Important (Legacy) Cost: 3 Budget Capacity: 1 service Complexity: 3/4 (difficult to maintain, patch, or secure) Availability Requirement: 90% (supported but aging)
Description: Aging system running outdated OS (Windows XP, older Linux, proprietary systems) or custom applications. Cannot be easily patched due to compatibility issues, vendor no longer supporting, or critical business process depends on it.
Key Concerns: - Cannot patch due to vendor EOL (End of Life) - Incompatible with modern security tools (EDR won't run) - No TLS support (unencrypted traffic) - Known, publicly disclosed vulnerabilities with no fix - Business relies on it despite security risk - Migration cost exceeds security benefit (economically trapped)
Defense Considerations: - CRITICAL: Network Segmentation isolates legacy system - Firewall rules restrict legacy system traffic - Assume compromise and defend the segmented network (not the legacy system itself) - Monitor legacy system for suspicious activity (can't detect on system, detect on network) - Immutable backups to restore if compromised - Plan legacy system retirement
Network Placement: Isolated segment (strict firewall rules, minimal connectivity)
Interactions: - Used if organization has legacy infrastructure - Audit module finds legacy systems as critical findings - Network design: "assume legacy is compromised, defend around it" - Expansion deck explores legacy system challenges
Type: Security Tool (Non-Business) Cost: 7 Budget Capacity: 1 service (decoy only — hosts no real business service) Complexity: 1/4 (purposefully simple and unmonitored-looking) Availability Requirement: N/A (false resource)
Description: Deliberately exposed fake server or user account designed to detect compromise and lateral movement. Appears to be a real business resource but is actually a trap. Any access to honeypot indicates active attacker activity (zero false positives).
Key Concerns: - Placement visibility (attacker must discover it to trigger it) - Believability (must look like real system worth attacking) - Monitoring (honeypot access must be logged securely) - Honeypot maintenance (must not appear unmaintained) - Response procedures (what do we do when honeypot is triggered?)
Defense Considerations: - Canary tokens (watermarked documents, fake credentials) - Fake administrative account (admin account that isn't really admin) - Fake file server with sensitive-looking shares - Fake VIP email addresses on mailing lists - Alerting on any access to honeypot (immediate incident response)
Network Placement: Among legitimate resources (cannot appear isolated)
Interactions: - Used with Deception Technology defense card in Hardening - Network design: "place honeypots where attackers will likely look" - Zero false positives: any honeypot access = real attack - Expansion deck discusses advanced honeypot strategies
| Card | Server Type | Cost | Capacity | Complexity | Availability | Key Risk |
|---|---|---|---|---|---|---|
| SRV-01 | Email Server | 8 | 1 | 2/4 | 99.9% | Phishing, Credential Abuse |
| SRV-02 | Web Server | 7 | 1 | 2/4 | 99.5% | Web Exploits, RCE |
| SRV-03 | Database Server | 10 | 1 | 3/4 | 99.9% | SQL Injection, Data Exfil |
| SRV-04 | File Server | 6 | 2 | 2/4 | 99% | SMB Laterals, Ransomware |
| SRV-05 | Domain Controller | 12 | 2 | 3/4 | 99.5% | Mimikatz, Complete Compromise |
| SRV-06 | Development | 5 | 3 | 2/4 | 80% | Lateral Movement, Data Leak |
| SRV-07 | Backup Server | 9 | 1 | 2/4 | 95% | Ransomware, Recovery Failure |
| SRV-08 | Cloud Workload | 4 | 2 | 2/4 | 99% | Misconfiguration, IAM Abuse |
| SRV-09 | Legacy System | 3 | 1 | 3/4 | 90% | Known Vulns, Cannot Patch |
| SRV-10 | Honeypot | 7 | 1 | 1/4 | N/A | Detection, Early Warning |
Each server fulfills one or more Asset Card requirements: - SRV-01 → Asset "Email" - SRV-02 → Asset "Web" - SRV-03 → Asset "Database" - SRV-04 → Asset "File Storage" - SRV-05 → Asset "Identity" - SRV-06 → Asset "Development" - SRV-07 → Asset "Disaster Recovery" - SRV-08 → Asset (varies—could be Email, Web, Database in cloud) - SRV-09 → Asset (legacy system supporting specific business function) - SRV-10 → Security monitoring (not a business requirement)
Network Building Module: Server Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/core-deck/security-device-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Security Device Cards represent network security appliances and tools that control traffic, detect threats, and enforce policies between network segments.
Type: Perimeter Control Cost: 12 Budget Placement: Network edge (between internet and internal network) Primary Function: Block unauthorized inbound/outbound traffic
Description: Traditional stateful firewall (Cisco ASA, Palo Alto Networks, Fortinet FortiGate) at network perimeter. Enforces allow/deny rules based on source IP, destination IP, protocol, and port. First line of defense against external attacks.
What It Protects Against: - Unauthorized inbound access attempts - Unauthorized outbound connections (C2 beaconing, data exfiltration) - Network reconnaissance from internet - DDoS attacks (basic flood protection)
What It Doesn't Protect Against: - Application-layer attacks (SQL injection, XSS) - Lateral movement within network (operates at L3/L4 only) - Encrypted traffic inspection (needs deep packet inspection) - Insider threats or authorized-but-malicious access
Network Interactions: - Required for: Most organizations (perimeter protection is baseline) - Works with: Web Server (must allow inbound HTTP/HTTPS), Email Server (SMTP/POP3/IMAP) - Supports: Database (prevents inbound database connections from internet)
Ruleset Complexity: Medium (5-10 rules for basic setup, 50+ for mature organization)
Performance Impact: Minimal for small networks, can become bottleneck at scale
Type: Threat Detection Cost: 10 Budget Placement: Internal network (behind firewall, in front of critical systems) Primary Function: Detect suspicious network traffic patterns
Description: Network-based IDS (Snort, Zeek, Suricata) that inspects all traffic and alerts on suspicious patterns. Uses signature matching and/or behavioral analysis to identify known attacks and anomalous traffic.
What It Protects Against: - Known attack patterns (exploits, vulnerability scans) - Port scanning and reconnaissance - Lateral movement (SMB, RDP abuse) - Data exfiltration patterns (unusual volume, unusual destination) - Command & Control (C2) communication
What It Doesn't Protect Against: - Zero-day exploits (no signature exists) - Encryption inspection (needs decryption) - Insider threats (authorized users on authorized systems) - Application-layer attacks (SQL injection, XSS still pass through)
Network Interactions: - Works with: SIEM (IDS alerts feed into SIEM for correlation) - Supports: Detection of T-04 (Lateral Movement), T-09 (C2 Beaconing) in Incident Response - Complements: IPS (IDS detects, IPS blocks; often paired)
Signature Maintenance: High (requires weekly/daily signature updates from threat intelligence)
Performance Impact: Medium (packet inspection adds latency, can slow network)
Type: Threat Prevention Cost: 14 Budget Placement: Internal network (actively blocks malicious traffic) Primary Function: Block suspicious traffic in real-time
Description: Network-based IPS (actively protective version of IDS). Can block traffic in addition to alerting. Inline placement allows real-time threat blocking.
What It Protects Against: - Everything IDS protects against (detection + blocking) - Exploit attempts against known vulnerabilities - Worm propagation - Policy violations
What It Doesn't Protect Against: - Same limitations as IDS, plus: - False positive blocking (can block legitimate traffic) - Encrypted traffic inspection limitations - Zero-day exploits
Network Interactions: - Works with: WAF on web traffic (IPS for network, WAF for applications) - Works with: Firewall (layered network defense) - Supports: Defense against T-02 (Watering Hole), T-05 (Kernel Exploit) in Incident Response
Tuning Complexity: High (false positives require tuning; too aggressive = blocks legitimate traffic)
Performance Impact: Medium-High (real-time inspection + blocking adds latency)
Risk: Misconfigured IPS can block critical business traffic
Type: Availability & Performance Cost: 8 Budget Placement: In front of multiple web servers Primary Function: Distribute traffic across multiple servers
Description: Load balancer (F5, Citrix NetScaler, nginx, HAProxy) distributes incoming traffic across multiple backend servers. Increases availability and performance.
What It Protects Against: - Single server failure (if one web server fails, traffic routes to others) - DDoS attacks (distributes attack traffic across multiple servers) - Overload attacks (can queue excess requests)
What It Doesn't Protect Against: - Application vulnerabilities - Malicious traffic targeting multiple backends - Session hijacking - Backend compromise (load balancer can't protect compromised backend)
Network Interactions: - Requires: Web Server (needs multiple instances for load balancing to make sense) - Works with: Web Server redundancy (2+ web servers behind load balancer) - Supports: Web application availability in Incident Response scenarios
Health Check Mechanism: Monitors backend servers; removes unhealthy servers automatically
Cost-Benefit: Low cost (8 Budget) but high value if you have multiple web servers
Type: Remote Access Control Cost: 9 Budget Placement: Network perimeter (between internet and internal network) Primary Function: Secure remote access for employees/contractors
Description: VPN concentrator (Cisco AnyConnect, Palo Alto Prisma Access, F5 BIG-IP) that creates encrypted tunnels for remote users. Allows employees to securely access internal resources from outside network.
What It Protects Against: - Man-in-the-middle attacks on remote user traffic - Credential interception (traffic encrypted) - Unauthorized access to internal resources (authentication required) - IP spoofing (tunnel validates source)
What It Doesn't Protect Against: - Weak VPN credentials (still vulnerable to brute force) - Compromised endpoint connecting via VPN (malware on home computer) - Insider threats (authorized user with legitimate credentials) - Application vulnerabilities accessed through VPN
Network Interactions: - Works with: Domain Controller (VPN user auth) - Works with: MFA (VPN should require MFA) - Supports: Remote work scenarios (necessary for distributed teams)
Authentication Complexity: Requires MFA for security (otherwise easy brute force)
Cost-Benefit: Necessary for remote work, but alone insufficient (needs MFA)
Type: Email Security Cost: 6 Budget Placement: Network perimeter (filters incoming/outgoing email) Primary Function: Filter spam, phishing, and malware in email
Description: Email security appliance (Proofpoint, Mimecast, Cisco Email Security) that filters all incoming/outgoing email. Scans for phishing, malware, data exfiltration attempts.
What It Protects Against: - Phishing emails (signature and behavior-based detection) - Email-based malware (attachments, links) - Spam (reduces alert fatigue) - Data exfiltration via email (DLP for email) - Email spoofing (validates SPF/DKIM/DMARC)
What It Doesn't Protect Against: - User clicks on phishing links (user training needed) - Advanced phishing with legitimate credentials - Compromised internal email account sending from inside - Zero-day malware in attachments
Network Interactions: - Works with: Email Server (filters before reaching server) - Works with: User Security Training (filters + training = defense-in-depth) - Supports: Defense against T-01 (Phishing) in Incident Response
Signature Maintenance: Very high (email threats change daily)
User Experience Impact: Email delays (milliseconds) are imperceptible; false positives = missed emails
Type: Application-Layer Protection Cost: 11 Budget Placement: In front of web server Primary Function: Block application-layer attacks (SQL injection, XSS, etc.)
Description: Web Application Firewall (ModSecurity, Cloudflare WAF, AWS WAF) that inspects HTTP traffic and blocks malicious payloads. Understands web application protocols unlike traditional firewall.
What It Protects Against: - SQL injection attacks - Cross-site scripting (XSS) - Cross-site request forgery (CSRF) - Remote code execution (RCE) - Malicious file uploads - Buffer overflows in web apps
What It Doesn't Protect Against: - Logic flaws in application (WAF can't fix broken business logic) - Authenticated attacks (user is authorized) - Distributed attacks across many IPs (WAF can't distinguish) - Zero-day application vulnerabilities (no rule exists)
Network Interactions: - Requires: Web Server (only protects web traffic) - Works with: IPS (network-level and application-level defense) - Supports: Defense against T-02 (Watering Hole) in Incident Response
Rule Maintenance: Medium (OWASP rules are standardized, vendor maintains them)
False Positive Rate: Medium (needs tuning for specific web application)
Performance Impact: Medium (application inspection adds latency)
Type: Network Architecture Control Cost: 10 Budget Placement: Internal network (between segmented network zones) Primary Function: Enforce network segmentation via VLANs and ACLs
Description: Layer 3 switch or router configured for network segmentation. Implements VLANs (virtual LANs) and layer 3 filtering to separate network into zones (DMZ, User segment, Server segment, Admin segment).
What It Protects Against: - Lateral movement via SMB and other internal protocols - Credential dumping spread (isolated networks can't reach DCs) - Compromised user system accessing servers directly - Insider threats (restrictions on data access) - Data exfiltration to external media (if USB segment is isolated)
What It Doesn't Protect Against: - Attacks within same segment (switch can't prevent user↔user attacks) - Routing around segmentation (if misconfigured) - Physical network attacks (layer 1 problems) - Encrypted tunneling out of segment (if firewall rule allows)
Network Interactions: - Works with: Firewall (firewall rules enforce segmentation policies) - Works with: Database Server (database in isolated segment) - Works with: Zero Trust (segmentation is prerequisite for zero trust) - Supports: Defense against T-04 (Lateral Movement) in Incident Response
Configuration Complexity: High (requires planning of segment boundaries and rules)
Cost-Benefit: Very high ROI (prevents lateral movement for 10 Budget)
Type: Threat Monitoring & Investigation Cost: 15 Budget Placement: Central monitoring (logs from all devices) Primary Function: Aggregate logs and detect threats via correlation
Description: Enterprise SIEM (Splunk, Elastic, QRadar, ArcSight) that collects logs from all systems, correlates events, and alerts on suspicious patterns. Foundation of mature incident response program.
What It Protects Against: - Multi-step attack patterns (correlation finds chains) - Persistence mechanisms (scheduled tasks, registry changes logged) - Credential abuse (failed login spikes) - Insider threats (excessive file access, off-hours activity) - Data exfiltration (unusual volume to unusual destination)
What It Doesn't Protect Against: - Attacks happening faster than SIEM ingests logs - False negatives (misconfigured rules miss attacks) - Encrypted traffic inspection (needs decryption) - Malware on endpoint (needs EDR, not SIEM)
Network Interactions: - Requires: Log Centralization deployment (needs logs to analyze) - Works with: IDS/IPS alerts (SIEM correlates with network alerts) - Supports: Incident Response investigation (SIEM data essential for forensics) - Critical for: Hardening module detection (SIEM detects Pentester Tactics)
Data Requirements: Massive (can be 10+ GB/day for large organizations)
Maintenance: Very high (tuning rules, managing data retention, responding to false positives)
Value: Essential for organizations that need incident detection
Type: Deception & Detection Cost: 8 Budget Placement: Isolated segment (mimics legitimate infrastructure) Primary Function: Detect lateral movement and reconnaissance
Description: Network of decoy systems (not SRV-10 honeypot server, but entire segment) designed to attract attackers. Any access to honeypot network indicates active attacker.
What It Protects Against: - Lateral movement (attacker triggers honeypot while exploring) - Network reconnaissance (if honeypot is discovered) - Ransomware spread (if honeypot is in ransomware path) - Insider reconnaissance (any access to honeypot = red flag)
What It Doesn't Protect Against: - Attacks that don't trigger honeypot (if attacker follows direct path) - Honeypot visibility (attacker must find it to trigger it) - False positives (must be designed to avoid accidental triggers)
Network Interactions: - Works with: Network Segmentation (honeypot in isolated but accessible segment) - Works with: SIEM (honeypot triggers feed into SIEM) - Supports: Detection in Hardening module (Deception Technology defense)
Maintenance: Medium (must keep honeypot looking alive and attractive)
Cost-Benefit: Low cost (8 Budget) with high detection value (zero false positives)
| Card | Device Type | Cost | Primary Vectors | Placement |
|---|---|---|---|---|
| SEC-01 | Firewall (Perimeter) | 12 | NETWORK, CREDENTIAL | Perimeter |
| SEC-02 | IDS | 10 | MALWARE, NETWORK | Internal |
| SEC-03 | IPS | 14 | MALWARE, WEB, NETWORK | Internal |
| SEC-04 | Load Balancer | 8 | NETWORK (availability) | Web Tier |
| SEC-05 | VPN Gateway | 9 | CREDENTIAL, NETWORK | Perimeter |
| SEC-06 | Email Gateway | 6 | SOCIAL_ENG, MALWARE | Perimeter |
| SEC-07 | WAF | 11 | WEB, MALWARE | Web Tier |
| SEC-08 | Network Segmentation | 10 | CREDENTIAL, NETWORK | Internal |
| SEC-09 | SIEM | 15 | Multiple (detection) | Central |
| SEC-10 | Honeypot Network | 8 | NETWORK (detection) | Isolated |
Budgets are 40-60 by difficulty (Beginner 60 / Standard 50 / Advanced 40), and the Required servers eat most of it — plan security spending around what's left.
Network Building Module: Security Device Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/core-deck/architecture-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Architecture Cards represent different network topology and design patterns. Each organization selects ONE architecture that determines how network segments are organized and how traffic flows between them.
Cost: 0 Budget Complexity: 1/5 (very simple) Security Posture: Low Performance: High (no routing/switching overhead)
Description: All systems connected to same network segment (same subnet, same broadcast domain). No network segmentation—everything can talk to everything. Traditional small office network.
Network Design:
Internet → Firewall → Switch
├─ Email Server
├─ Web Server
├─ Database Server
├─ File Server
├─ Domain Controller
└─ User Workstations
Characteristics: - All systems on same IP subnet (e.g., 192.168.1.0/24) - Single broadcast domain - No layer 3 routing between segments - Firewall only at perimeter, not internal
What This Means for Security: - Advantages: Simple to set up and manage, low cost - Disadvantages: Lateral movement is trivial (attacker on user system can reach database server directly) - Implication: If any system is compromised, entire network is at risk
Who Uses This: - Small offices with <50 people - Non-security-sensitive organizations - Organizations where ease of use matters more than security
Defenses Required: - Stronger endpoint protection (must protect each individual system) - User security training (social engineering becomes primary attack vector) - Cannot rely on network-level controls
Against Incident Response Threats: - T-04 (Lateral Movement): Trivially successful (same network) - T-06 (Mimikatz): Once DC is compromised, entire network is accessible - T-11 (Data Exfil): No segmentation to stop data movement
Cost: 5 Budget Complexity: 2/5 (simple but requires planning) Security Posture: Medium Performance: Medium (slight routing overhead)
Description: Network divided into three logical zones with firewall rules between them. This is the most common network architecture for medium-sized organizations.
Network Design:
Internet → Firewall → [DMZ Zone] → Firewall → [Internal Zone] → Firewall → [Admin Zone]
(Perimeter) ↓ ↓ ↓
Web Server File Server Domain Controller
Email Server User Workstations Admin Workstations
Database Server Backup Server
Three Zones:
If compromised, firewall prevents spread to internal zone
Internal Zone - Business systems
Cannot reach Admin Zone
Admin Zone - Administrative access and privileged systems
Firewall Rules: - Internet → DMZ: Allowed (limited ports) - DMZ → Internal: Blocked (one-way dependency if needed) - Internal → Admin: Blocked (strict isolation) - Admin → Internal: Allowed (admin management of internal systems) - Admin → DMZ: Allowed (admin management of DMZ)
What This Means for Security: - Advantages: Limits lateral movement (attacker on web server can't reach database server directly) - Disadvantages: More complex to design and manage
Who Uses This: - Most medium-sized organizations (50-500 employees) - Organizations with some web/email presence - Organizations that want segmentation without extreme complexity
Against Incident Response Threats: - T-04 (Lateral Movement): Firewall rules block direct SMB access between zones; attacker must find alternate path - T-06 (Mimikatz): DC is in Admin Zone, isolated from compromised internal system - T-11 (Data Exfil): Must exit through firewall, can be monitored
Cost: 12 Budget Complexity: 4/5 (complex, requires careful design) Security Posture: Very High Performance: Lower (strict controls add latency)
Description: Network divided into many small segments, each with strict firewall rules. No implicit trust based on network location—every connection is verified. Approximates zero-trust architecture.
Network Design:
Internet → Firewall → [DMZ Segment] → Firewall → [Each Server has own segment]
+ User segment
+ Admin segment
+ Development segment
+ Backup segment
+ Legacy segment
Each connection between segments requires explicit allow rule.
Segment Isolation: - Every major system or group gets its own segment - Database server isolated from file server - Email server isolated from web server - User workstations isolated from each other (per-user or small group segments) - Development isolated from production - Admin segment for domain controllers only - Legacy systems isolated from modern systems
Firewall Rules: - Default deny: Any traffic not explicitly allowed is blocked - Explicit allows: Every needed connection has a specific rule - Unidirectional: Rules are directional (client→server, not server→client) - Port specific: Rules specify exact port, not ranges
What This Means for Security: - Advantages: Lateral movement is nearly impossible—even if one system is compromised, firewall blocks reach to others - Disadvantages: Very complex to design, expensive to implement, difficult to troubleshoot when legitimate traffic is blocked
Who Uses This: - Large enterprises with security teams - Organizations with strict compliance requirements (finance, healthcare, government) - Organizations that assume breach and plan accordingly
Against Incident Response Threats: - T-04 (Lateral Movement): Firewall blocks attempt immediately; attacker cannot move - T-06 (Mimikatz): Even with DC credentials, accessing other systems requires approval - T-11 (Data Exfil): Exfil traffic blocked by firewall rules
Governance: Requires change management process for any new firewall rules
Cost: 8 Budget Complexity: 3/5 (cloud adds complexity) Security Posture: Medium-High (cloud provider handles some security) Performance: Medium (internet latency for cloud communication)
Description: Organization has both on-premises infrastructure AND cloud resources. Some applications run on-premises, others run in cloud (AWS, Azure, GCP).
Network Design:
Internet → Firewall → On-Premises Segment
├─ Email Server (on-prem)
├─ File Server (on-prem)
├─ Database Server (on-prem)
└─ VPN/Direct Connect → Cloud
├─ Web Server (cloud)
├─ App Server (cloud)
├─ Cloud Storage
└─ Cloud Database
Connectivity Methods: 1. VPN: Encrypted tunnel over internet (slower, cheaper) 2. Direct Connect: Dedicated network connection (faster, more expensive)
What This Means for Security: - Advantages: Flexibility (use right tool for each workload), scalability - Disadvantages: New attack surface (cloud APIs, IAM), credential management across platforms
Cloud-Specific Risks: - Misconfigured S3 buckets (public read access) - Cloud IAM overly permissive (too much access) - Cloud API keys in source code - Data residency in unexpected regions
Who Uses This: - Organizations transitioning to cloud (lift-and-shift) - Organizations with variable load (burst to cloud) - Organizations with development in cloud, production on-prem
Against Incident Response Threats: - T-04 (Lateral Movement): Can pivot from on-prem to cloud via cloud APIs - T-08 (Cloud breach): New threat class specific to cloud - T-13 (Misconfiguration): Cloud-specific attack not in traditional scenarios
Cost: 6 Budget Complexity: 2/5 (cloud provider manages complexity) Security Posture: Medium (cloud provider security + customer configuration) Performance: Excellent (cloud provider optimization)
Description: All infrastructure is cloud-based. No on-premises data center. Applications, data, and users all in cloud (AWS, Azure, GCP, or SaaS).
Network Design:
Internet → Cloud Edge
├─ Web Services (cloud)
├─ Application Services (cloud)
├─ Database (cloud)
├─ Storage (cloud)
└─ All managed by cloud provider
Deployment Models: 1. IaaS (Infrastructure as a Service): You manage VMs, they manage infrastructure 2. PaaS (Platform as a Service): You manage app, they manage platform 3. SaaS (Software as a Service): Vendor manages everything (Microsoft 365, Salesforce, Slack)
Cloud Provider Responsibilities: - Physical security of data centers - Network infrastructure - Hardware maintenance - Some security controls (network, storage)
Customer Responsibilities: - IAM configuration (who can access what) - Network configuration (security groups, VPCs) - Encryption keys (customer-managed or provider-managed) - Application security
What This Means for Security: - Advantages: Offload infrastructure security to cloud provider, auto-scaling, built-in redundancy - Disadvantages: New threat landscape (cloud-specific attacks, misconfiguration)
Cloud-Specific Risks: - IAM overly permissive (everyone can do everything) - Public buckets/storage (data visible to internet) - Unused resources (exposed services) - Cross-account/cross-tenant misconfiguration - Cloud API abuse (stolen credentials)
Who Uses This: - Startups (no on-prem infrastructure needed) - SaaS vendors (cloud is core offering) - Organizations with distributed teams (no office) - Modern organizations building on cloud-native architecture
Against Incident Response Threats: - T-08 (Cloud-specific): Entirely new threat surface - T-13 (Misconfiguration): Most common cloud vulnerability - T-07 (API abuse): Cloud APIs are attack surface
| Aspect | Flat | 3-Zone | Fully Isolated | Cloud Hybrid | Cloud First |
|---|---|---|---|---|---|
| Cost (Budget) | 0 | 5 | 12 | 8 | 6 |
| Complexity | 1/5 | 2/5 | 4/5 | 3/5 | 2/5 |
| Lateral Movement Risk | Very High | Medium | Very Low | Medium-High | Medium |
| Incident Response Difficulty | Very Easy | Medium | Hard | Hard | Hard |
| Operational Overhead | Low | Medium | High | High | Low (cloud manages) |
| Best For | Tiny orgs | Medium orgs | Large/sensitive | Hybrid migration | Cloud-native |
| Scalability | Poor | Good | Excellent | Excellent | Excellent |
| Cloud Integration | None | None | Optional | Required | Only option |
Choosing architecture affects remaining budget for servers and security devices: - ARCH-01 (Flat): 0 Budget cost, frees up budget for servers - ARCH-02 (3-Zone): 5 Budget cost, medium budget remaining - ARCH-03 (Fully Isolated): 12 Budget cost, significant budget consumed - ARCH-04 (Cloud Hybrid): 8 Budget cost, cloud connectivity cost - ARCH-05 (Cloud First): 6 Budget cost, low cost (cloud provider manages infrastructure)
Higher security architectures require more firewall rules: - ARCH-01: 0 rules needed (flat network) - ARCH-02: 10-20 rules (3-zone model) - ARCH-03: 50-100+ rules (fully isolated, per-system rules) - ARCH-04: 20-30 rules (cloud connectivity + on-prem) - ARCH-05: 10-15 rules (cloud provider manages most)
Does your organization use cloud?
├─ No → Do you have >100 people?
│ ├─ No → Choose ARCH-01 (Flat) or ARCH-02 (3-Zone)
│ └─ Yes → Do you have compliance requirements?
│ ├─ No → Choose ARCH-02 (3-Zone)
│ └─ Yes → Choose ARCH-03 (Fully Isolated)
│
├─ Partially (hybrid) → Choose ARCH-04 (Cloud Hybrid)
│
└─ Yes, entirely cloud → Choose ARCH-05 (Cloud First)
Network Building Module: Architecture Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/core-deck/asset-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Asset Cards represent business requirements or critical functions that the network must support. Each asset card describes a business need, and teams must ensure their network design includes appropriate servers/services to satisfy each requirement.
Business Function: Internal and external email communication Criticality: High (nearly universal requirement) Impact if Down: Significant (communication stops, customer requests missed) Compliance Requirements: Email retention (SOX, GDPR), encryption (HIPAA, PCI-DSS)
Description: Organization needs reliable email system for internal communication and external customer contact. Email is both critical infrastructure and significant security risk (phishing, credential attacks, data exfiltration).
Network Requirements: - Server: Email Server (SRV-01) - Protection: Email Gateway (SEC-06) for phishing/malware filtering - Optional: Load Balancer if email server needs redundancy
Security Considerations: - Email is primary phishing attack vector (T-01 in Incident Response) - Email contains sensitive information (must be encrypted and access-controlled) - Email forwarding rules can be abused for data exfiltration - Email archive must be protected and retained per compliance requirements
Dependencies: - Requires Domain Controller for user authentication - Requires backup for email archive recovery - Integrates with SIEM for email security event logging
Team Design Validation: ✓ Must Include: Email Server or equivalent email service (cloud-based OK) ✓ Should Include: Email Gateway for threat filtering ✗ Failure Condition: No email capability = cannot satisfy Asset requirement
Business Function: Public-facing web application or website Criticality: Medium (business depends on it but alternatives exist) Impact if Down: Moderate (customers cannot access services, lost sales/engagement) Compliance Requirements: PCI-DSS (if payments), WCAG accessibility
Description: Organization has public web presence—either corporate website, e-commerce site, or customer portal. Web server is exposed to internet and primary target for web exploits (SQL injection, RCE, DDoS).
Network Requirements: - Server: Web Server (SRV-02) in DMZ - Protection: WAF (SEC-07) for application-layer attack prevention - Optional: Load Balancer (SEC-04) for redundancy and DDoS protection
Security Considerations: - Web servers have highest internet attack surface - Vulnerable to web exploits (T-02 Watering Hole, T-05 Kernel Exploit in Incident Response) - DDoS attacks can take down web server - Code injection can compromise entire application - Requires patching and web application security testing
Dependencies: - Often connects to Database (for dynamic content) - May require load balancer for redundancy - Requires SIEM monitoring for web security events
Team Design Validation: ✓ Must Include: Web Server (SRV-02) or cloud-hosted web service ✓ Should Include: WAF for attack protection ✓ Should Include: Load Balancer if redundancy needed ✗ Failure Condition: No web server = Asset unsatisfied
Business Function: Data storage and retrieval for critical business data Criticality: Very High (most sensitive business data) Impact if Down: Severe (business cannot operate, financial/customer impact) Compliance Requirements: PCI-DSS, HIPAA, GDPR, SOX (depending on data type)
Description: Centralized database for customer data, financial records, operational data. Database is most valuable attack target—contains the "crown jewels." Database compromise often defines loss condition in Incident Response.
Network Requirements: - Server: Database Server (SRV-03) in restricted/admin segment - Protection: Network Segmentation (SEC-08) to limit access - Optional: Backup Server (SRV-07) for recovery capability
Security Considerations: - Database is primary exfiltration target (T-10, T-11 in Incident Response) - SQL injection attacks compromise database - Credential abuse allows unauthorized access to sensitive data - Data exfiltration is often attack goal (customer PII, financial data) - Database compromise may be game-loss condition - Must have immutable backups for recovery from ransomware
Dependencies: - Requires strong authentication (MFA, password vault) - Requires Data Loss Prevention (DLP) to prevent exfiltration - Requires encryption at rest and in transit - Requires database activity monitoring (DAM) for audit
Team Design Validation: ✓ Must Include: Database Server or equivalent data store (Cloud Workload hosting is allowed but is a recorded risk) ✓ Should Include: Network Segmentation to isolate database access ✓ Should Include: Backup Server for disaster recovery ✗ Failure Condition: No database = Asset unsatisfied OR unsecured database access = audit finding
Business Function: Shared file storage for documents, projects, compliance records Criticality: High (business relies on shared documents) Impact if Down: Moderate-High (work stops, cannot access needed files) Compliance Requirements: Data retention (GDPR), data classification (HIPAA, PCI-DSS)
Description: Shared network file storage for collaborative work. File servers often contain mixed-sensitivity data (company policy next to customer PII next to trade secrets). Poorly secured file storage is source of data exfiltration and lateral movement.
Network Requirements: - Server: File Server (SRV-04) in protected segment - Protection: Network Segmentation (SEC-08) to limit file access - Optional: DLP (in Hardening module) to prevent sensitive file exfiltration
Security Considerations: - File servers are lateral movement target (T-04 in Incident Response) - SMB protocol allows attacker to enumerate shares and attempt access - Over-permissive file permissions = data exfiltration vector - Ransomware frequently targets file servers (T-11 in Incident Response) - File permissions audit is critical for compliance
Dependencies: - Requires Domain Controller for user authentication - Requires Network Segmentation to limit SMB access - Requires backup strategy (especially for ransomware recovery) - Requires file permission auditing
Team Design Validation: ✓ Must Include: File Server or cloud file storage (OneDrive, SharePoint, Google Drive) ✓ Should Include: Network Segmentation to restrict access ✓ Should Include: Backup for ransomware recovery ✗ Failure Condition: No file storage = Asset unsatisfied
Business Function: User identity and access management Criticality: Very High (foundational to all access control) Impact if Down: Severe (cannot authenticate users, cannot operate) Compliance Requirements: MFA (various standards), audit logging (GDPR, SOX)
Description: Centralized identity system (Active Directory, Azure AD, Okta) that authenticates users and grants access to resources. Identity compromise is game-over scenario—attacker with access to identity system can impersonate any user.
Network Requirements: - Server: Domain Controller (SRV-05) in admin segment - Protection: Network Segmentation Switch (SEC-08) — keep the DC in an isolated admin zone - Optional: Second Domain Controller for redundancy (full price)
Security Considerations: - Domain Controller is most sensitive system (compromise = total infrastructure access) - Credential dumping attacks target DC (T-06 Mimikatz in Incident Response) - Compromised DC allows attacker to create backdoor accounts - Pass-the-hash attacks replay credentials from DC compromise - DC must be in isolated segment with strict access control
Dependencies: - Requires strong authentication (MFA for all DC access) - Requires privileged access workstation (PAW) for admin access - Requires immutable backup DC in separate location - Requires audit logging of all DC changes
Team Design Validation: ✓ Must Include: Domain Controller (on-premises or Azure AD) ✓ Should Include: Network Segmentation (isolated admin zone) ✓ Should Include: Second Domain Controller for redundancy (optional, full price) ✗ Failure Condition: No identity system = the Identity requirement is unsatisfied (design incomplete)
Business Function: Software development and testing environment Criticality: Medium (important but not production-critical) Requirement Strength: Recommended (v2.2) — may be satisfied by overloading another server (+1 Budget per extra service) Impact if Down: Low-Medium (development delays, but not immediate business impact) Compliance Requirements: Secrets management (API keys not hardcoded), code scanning
Description: Development and testing infrastructure where software developers build and test applications. Development environment is often overlooked security risk because developers prioritize speed over security.
Network Requirements: - Server: Development Server (SRV-06) in isolated development segment - Protection: Firewall rules prevent dev→prod lateral movement - Optional: Code repository (Git, GitHub) for version control
Security Considerations: - Development servers often contain production-like data (compliance violation) - Developers have broad access (weak access controls) - Test credentials and API keys in source code - Outdated/unpatched tools (developer tools not security tools) - Development system as lateral movement springboard to production - Source code repository is high-value target (intellectual property)
Dependencies: - Requires separate database from production (never use production data in dev) - Requires code review and secrets scanning - Requires firewall rules isolating dev from production - Requires MFA for code repository access
Team Design Validation: ✓ Should Include: Development Server, OR dev services overloaded onto another server (allowed, +1 Budget) ✓ Should Isolate: Dev network from production network ✓ Should Scan: Code for hardcoded secrets ✗ Failure Condition: Using production database in dev = data exposure/compliance violation
Business Function: Recovery capability for business continuity Criticality: Very High (determines if business survives major attack/disaster) Requirement Strength: Required (v2.2) Impact if Down: Catastrophic (cannot recover from major incident) Compliance Requirements: Backup retention, recovery SLA (RTO/RPO)
Description: Backup and disaster recovery capability. Organization needs ability to recover from data loss, ransomware, or disaster. Backup/recovery capability is often neglected until it's needed.
Network Requirements: - Server: Backup Server (SRV-07) with off-site backups - Protection: Immutable backups (WORM storage) - 3-2-1 Strategy: 3 copies, 2 media types, 1 off-site
Security Considerations: - Ransomware attacks target backup systems (T-11 in Incident Response) - Backup must be immutable (attacker cannot modify backups) - Backup must be off-site (local backup lost if data center destroyed) - Backup testing must be regular (quarterly minimum) - Backup credentials must be separate from domain (attacker cannot delete backups)
Dependencies: - Requires off-site backup location (geographically separated) - Requires immutable storage (WORM or cloud versioning) - Requires regular backup restore testing - Requires separate backup credentials
Team Design Validation: ✓ Must Include: Backup Server with off-site capability ✓ Must Test: Recovery procedures (quarterly) ✓ Must Implement: 3-2-1 strategy ✗ Failure Condition (v2.2): No Backup Server = automatic FAIL on the Disaster Recovery requirement, recorded as a CRITICAL gap (not an instant game loss — but ransomware in later modules becomes unrecoverable)
Business Function: Secure remote access for employees and contractors Criticality: Medium (became High during COVID pandemic) Impact if Down: Moderate (remote workers cannot work) Compliance Requirements: MFA (various standards), encryption, audit logging
Description: VPN or similar remote access solution for employees working from home, traveling, or off-site. Remote access expands attack surface but is necessary for modern workforce.
Network Requirements: - Device: VPN Gateway (SEC-05) at network perimeter - Protection: MFA required for all VPN access - Optional: Conditional access policies (restrict access by device/location)
Security Considerations: - VPN is attractive attack target (Credential Abuse) - Weak VPN credentials easily brute-forced (must use MFA) - Compromised home computer connecting via VPN = internal network at risk - VPN traffic must be encrypted - VPN access must be logged and audited
Dependencies: - Requires Domain Controller for user authentication - Requires MFA (cannot rely on password alone) - Requires endpoint security on remote devices - Requires SIEM monitoring of VPN access
Team Design Validation: ✓ Should Include: VPN Gateway for remote access ✓ Must Implement: MFA for VPN access ✓ Should Monitor: VPN access logs in SIEM ✗ Failure Condition: Weak VPN security (no MFA) = credential attack vector
| Asset | Business Function | Criticality | Server | Key Defense |
|---|---|---|---|---|
| ASSET-01 | High | SRV-01 | Email Gateway | |
| ASSET-02 | Web | Medium | SRV-02 | WAF |
| ASSET-03 | Database | Very High | SRV-03 | Network Segmentation |
| ASSET-04 | File Storage | High | SRV-04 | Network Segmentation |
| ASSET-05 | Identity | Very High | SRV-05 | Network Segmentation |
| ASSET-06 | Development | Medium | SRV-06 | Network Isolation |
| ASSET-07 | Disaster Recovery | Very High | SRV-07 | Immutable Backups |
| ASSET-08 | VPN/Remote Access | Medium | SEC-05 | MFA |
Asset Cards drive network design decisions: 1. Display all 8 Asset Cards face-up on the table 2. Team designs network to satisfy each Asset 3. For each Asset, team must include appropriate Server and Defenses 4. Team validates: "Does our network design satisfy this Asset?"
Asset Cards provide scenario context: - Threat Orchestrator refers to Assets when describing scenarios - "Customer database is being exfiltrated" = reference ASSET-03 - "Email is compromised" = reference ASSET-01 - Assets help Blue Team understand what they're protecting
Asset Cards determine impact assessment: - "How many critical systems are down?" = count "Very High" Assets affected - Recovery priority = order by Asset criticality - RTO (Recovery Time Objective) depends on which Assets must recover first
Financial Services Assets: - Trading System (real-time market data) - Payment Processing (external integrations) - Audit Trail (regulatory requirement)
Healthcare Assets: - Electronic Health Records (HIPAA-critical) - Prescription Management (pharmacy integration) - Patient Portal (external access)
Manufacturing Assets: - Industrial Control Systems (safety-critical) - Supply Chain Integration (vendor systems) - Engineering Data (intellectual property)
Retail Assets: - Point of Sale (transaction processing) - Inventory Management (supplier integration) - Customer Loyalty (marketing data)
After team completes network design, verify each Asset is satisfied. The checklist only names components that can actually be purchased from the Network Building decks; items in parentheses are recommended, not mandatory.
If any Asset is unsatisfied or under-defended: - Network design is incomplete - That Asset becomes a vulnerability in Incident Response - That Asset affects recovery time in Disaster Recovery
Network Building Module: Asset Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/standalone/business-requirement-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Business Requirement Cards drive the Network Building standalone game. One card is revealed at the start of each turn (Phase 1) and represents what the business demands this quarter. Teams must satisfy the requirement by end of the stated deadline or take the score penalty.
Type: Growth Requirement: Marketing is launching a flagship product this quarter and needs a modern public website. Satisfied By: Web Server (7), OR web service hosted on a Cloud Workload (4) Score Impact: Missed: -5 points (launch flops; lost sales)
Type: Growth / M&A Requirement: The executive team is acquiring a customer-data company. Two million customer records must land somewhere safe by end of quarter. Satisfied By: Database Server (10), OR database service hosted on a Cloud Workload (4) — cloud-hosting the crown jewels is a recorded risk Score Impact: Missed: -10 points (deal falls through)
Type: Workforce Requirement: HR is rolling out flexible work. Staff need secure remote access to internal systems. Satisfied By: VPN Gateway (9) Score Impact: Missed: -3 points (staff use risky workarounds; morale dips)
Type: Workforce Requirement: The board mandates support for a fully remote workforce: secure access AND central identity for every remote login. Satisfied By: VPN Gateway (9) AND Domain Controller (12) Score Impact: Missed: -5 points (shadow IT spreads across home offices)
Type: Compliance Requirement: A new healthcare client puts you in HIPAA scope. Regulators expect recoverable data and isolated sensitive systems. Satisfied By: Backup Server (9) AND network segmentation (Network Segmentation Switch (10), or Segmented/Fully Isolated architecture) Score Impact: Missed: -10 points (client walks; compliance exposure)
Type: Compliance Requirement: You now process card payments. Cardholder data must live on a database that is walled off from the rest of the network. Satisfied By: Database Server (10) or cloud-hosted database, AND a Firewall (12) or Network Segmentation Switch (10) protecting it Score Impact: Missed: -10 points (acquirer threatens to pull card processing)
Type: Operations Requirement: Your biggest customer signs a contract with a 99.9% uptime SLA on your public services. A single box is no longer good enough. Satisfied By: Load Balancer (8), OR a second server duplicating any business-critical service (full price) Score Impact: Missed: -5 points (SLA credits eat the margin)
Type: Growth / M&A Requirement: The company you just bought needs its two core services absorbed into your infrastructure this quarter. Satisfied By: Two free capacity slots across your existing servers, OR deploy any new server this turn to host them (overloading is allowed at +1 Budget per extra service) Score Impact: Missed: -10 points (integration stalls; synergies evaporate)
Type: Operations Requirement: Headcount doubled and the email system is groaning. Add headroom. Satisfied By: Second Email Server (8), Load Balancer (8), OR email hosted on a Cloud Workload (4) Score Impact: Missed: -5 points (mail delays; missed customer requests)
Type: Compliance Requirement: The audit committee orders an independent security audit. Auditors expect centralized visibility of security events. Satisfied By: SIEM (15), OR both IDS (10) and Email Gateway (6) Score Impact: Missed: -5 points (qualified audit opinion)
Type: Security Requirement: A competitor's breach is front-page news. The board demands demonstrable incident-detection capability. Satisfied By: IDS (10), IPS (14), OR SIEM (15) Score Impact: Missed: -10 points (board censure; CISO on thin ice)
Type: Security Requirement: A ransomware variant is tearing through your industry. You need recoverable backups AND a way to spot the attack. Satisfied By: Backup Server (9) AND at least one of IDS (10) / IPS (14) / SIEM (15) Score Impact: Missed: -20 points (you are one bad click from catastrophe)
Type: Growth Requirement: A new regional office opens with no local infrastructure. Staff there must reach head-office systems securely. Satisfied By: VPN Gateway (9) Score Impact: Missed: -5 points (office runs on personal email and USB sticks)
Type: Growth Requirement: Sales moves online. You need a public web presence AND protection against the web attacks that come with taking payments. Satisfied By: Web Server (7) or cloud-hosted web, AND WAF (11) Score Impact: Missed: -5 points (checkout is either absent or a breach waiting to happen)
Type: Workforce Requirement: Engineering triples in size. Developers need somewhere to build and test that is not production. Satisfied By: Development Server (5), OR dev services overloaded onto an existing server (+1 Budget per extra service — allowed) Score Impact: Missed: -3 points (developers test in production; incidents follow)
Type: Compliance Requirement: New regulation requires seven-year retention of business records: durable shared storage plus a recoverable copy. Satisfied By: File storage (File Server (6), or hosted on another server's capacity/overload) AND Backup Server (9) Score Impact: Missed: -5 points (regulator issues a compliance notice)
Type: Operations Requirement: Password chaos across a dozen apps. Leadership wants one identity for everything. Satisfied By: Domain Controller (12) Score Impact: Missed: -5 points (password reuse everywhere; helpdesk drowning)
Type: Security Requirement: Your insurer's renewal questionnaire wants proof of backups, phishing defense, and detection. Satisfied By: Backup Server (9) AND Email Gateway (6) AND at least one of IDS/IPS/SIEM Score Impact: Met: +5 points (premium drops). Missed: -5 points (premium spikes)
Type: Security (Opportunity) Requirement: Your ISAC offers to feature any member running deception technology in its quarterly report. Satisfied By: Honeypot Decoy (7) or Honeypot Network (8) Score Impact: Met: +5 points (industry kudos). Missed: 0 points (opportunity passes; no penalty)
Type: Operations (Opportunity) Requirement: Finance wants the server-room footprint shrunk. Show that at least one business service runs in the cloud. Satisfied By: Any service hosted on a Cloud Workload (4) Score Impact: Met: +3 points (opex savings). Missed: -3 points (facilities costs balloon)
| Card | Requirement | Satisfied By | Missed | Met Bonus |
|---|---|---|---|---|
| REQ-01 | Product Launch Website | Web Server or cloud web | -5 | — |
| REQ-02 | Customer Data Acquisition | Database (dedicated or cloud) | -10 | — |
| REQ-03 | Work-From-Home Program | VPN Gateway | -3 | — |
| REQ-04 | Remote Workforce Mandate | VPN Gateway + Domain Controller | -5 | — |
| REQ-05 | HIPAA Compliance | Backup + segmentation | -10 | — |
| REQ-06 | PCI Cardholder Data | Database + Firewall/Segmentation | -10 | — |
| REQ-07 | 99.9% Uptime SLA | Load Balancer or duplicate server | -5 | — |
| REQ-08 | M&A Network Integration | 2 spare slots or new server | -10 | — |
| REQ-09 | Scale Email System | 2nd Email Server / LB / cloud email | -5 | — |
| REQ-10 | Security Audit | SIEM, or IDS + Email Gateway | -5 | — |
| REQ-11 | IR Readiness | IDS, IPS, or SIEM | -10 | — |
| REQ-12 | Ransomware Wave | Backup + detection | -20 | — |
| REQ-13 | New Subsidiary Office | VPN Gateway | -5 | — |
| REQ-14 | E-Commerce Expansion | Web + WAF | -5 | — |
| REQ-15 | Developer Hiring Spree | Dev Server or overload | -3 | — |
| REQ-16 | Records Retention | File storage + Backup | -5 | — |
| REQ-17 | Single Sign-On | Domain Controller | -5 | — |
| REQ-18 | Cyber-Insurance Renewal | Backup + Email Gateway + detection | -5 | +5 |
| REQ-19 | Threat-Intel Pilot | Honeypot | 0 | +5 |
| REQ-20 | Data-Center Consolidation | Any cloud-hosted service | -3 | +3 |
Requirements are deliberately lumpy: some are satisfied by things every sane design already has (web, database), others punish narrow builds (detection, deception, redundancy). Teams that spend everything in turn 1 have no reserve when REQ-12 lands.
Network Building Standalone: Business Requirement Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/standalone/operational-event-cards.md
Version: 2.2 - Playtest Edition Last Updated: July 2026
Operational Event Cards are the random incidents, windfalls, and headaches of running infrastructure. One card is revealed each turn (Phase 2) of the Network Building standalone game, right after the Business Requirement.
Type: Outage Effect: Your email server dies mid-quarter. Choose one: - Repair: Pay 5 Budget (emergency callout) - Ignore: -10 points (email down all quarter; users furious) Mitigated By: A second Email Server, or email hosted on a Cloud Workload — the redundant/cloud service carries the load: no cost, no penalty No email service at all? Nothing to break — but you already have bigger problems (see Capability scoring)
Type: Load Effect: Your product goes viral overnight. Public services are hammered. - Prepared (Load Balancer, CDN, or a duplicated web service): +5 points (you rode the wave; sales boom) - Unprepared: -5 points (site down during your biggest day) Mitigated By: Load Balancer (8), CDN (expansion CLOUD-04), or redundant web hosting
Type: Attack Effect: A targeted phishing campaign hits every inbox in the company. - Email Gateway deployed: +5 points (campaign filtered; nice catch) - No Email Gateway: -10 points (three credential sets stolen) Mitigated By: Email Gateway (6)
Type: Outage Effect: Your cloud provider has a region-wide outage this quarter. - If any required business service runs only in the cloud: -5 points (service dark; SLA breached) - Cloud services with an on-prem twin, or no cloud usage: no effect Mitigated By: On-prem redundancy for cloud-hosted services, or an all-on-prem design Lesson: Cloud is cheap, but concentration risk is real
Type: Finance Effect: Fiscal crisis. Lose 5 Budget immediately (to a minimum of 0). Mitigated By: Nothing — but teams holding a contingency reserve absorb it without changing plans
Type: Finance Effect: A surprise rebate lands. Gain +10 Budget (one time). Mitigated By: N/A (enjoy it)
Type: Finance Effect: A government cyber-resilience grant is available to organizations with recoverable backups. - Backup Server deployed: Gain +5 Budget - No Backup Server: Nothing (you don't qualify) Mitigated By: N/A — this one rewards good hygiene
Type: Capacity Effect: Shared storage hits 98% full. Choose one this turn: - Add capacity: Deploy any server to host file storage, or overload an existing server (+1 Budget per extra service) - Ignore: -5 points (service degradation; work grinds) Mitigated By: Spare capacity anywhere in your design (assign file storage to it at no cost) No file storage service at all? No effect — and no file-storage capability either
Type: Attack (Detected?) Effect: Someone has been quietly probing your network. - Honeypot Decoy or Honeypot Network deployed: +5 points (intruder caught red-handed in the decoy; access cut) - No honeypot: Nothing visible happens. Nothing visible ever happens. (No penalty — this time) Mitigated By: N/A — this is deception's payday
Type: Attack Effect: An employee is browsing systems far outside their role. - SIEM deployed OR network segmentation in place: +5 points (caught early / blocked at the zone boundary) - Neither: -5 points (months of quiet data access before anyone notices) Mitigated By: SIEM (15) or Network Segmentation Switch (10) / segmented architecture
Type: Attack (Severe) Effect: Ransomware detonates on an internal system. - Backup Server deployed: Pay 3 Budget for restore effort; if you also have detection (IDS/IPS/SIEM), you contained it fast: +5 points - No Backup Server: -20 points (pay the ransom or lose the data — either way it's ugly) Mitigated By: Backup Server (9); detection reduces blast radius
Type: Operations Effect: The ops team is running on fumes. This turn you may deploy at most ONE component. (Handling the turn's Business Requirement with an already-deployed component is fine.) Mitigated By: Designs that are already complete — teams who front-loaded their build barely notice
Type: Opportunity Effect: A security vendor is clearing stock. The next security device you deploy this turn costs 2 less (minimum cost 1). Mitigated By: N/A — pure opportunity; skip it if nothing on the list fits your design
Type: Workforce Effect: A key new hire works from another city and starts Monday. - VPN Gateway deployed: No effect (onboarding is routine) - No VPN Gateway: -3 points (they quit in week two, or worse: they improvise) Mitigated By: VPN Gateway (9)
Type: Outage Effect: A vendor recalls a faulty component. Pick one of your on-prem servers (Threat Orchestrator picks if you won't): - Pay 3 Budget for expedited replacement, OR - That server is offline this quarter — any requirement it alone satisfies counts as unmet this turn Mitigated By: Redundant servers or cloud-hosted twins (the twin covers the outage: no cost, no penalty). All-cloud designs are unaffected
Type: Respite Effect: Nothing breaks. Nobody attacks. Finance leaves you alone. Use the breathing room to review your gaps. Mitigated By: N/A
| Card | Event | Effect (Unmitigated) | Mitigated By |
|---|---|---|---|
| EVT-01 | Email Server Failure | Pay 5 or -10 pts | Redundant/cloud email |
| EVT-02 | Traffic Spike | -5 pts (or +5 if ready) | LB / CDN / redundant web |
| EVT-03 | Phishing Wave | -10 pts (or +5 if ready) | Email Gateway |
| EVT-04 | Cloud Vendor Outage | -5 pts if cloud-only service | On-prem redundancy |
| EVT-05 | Budget Cut | -5 Budget | Contingency reserve |
| EVT-06 | Emergency Funds | +10 Budget | — |
| EVT-07 | Security Grant | +5 Budget if Backup | — |
| EVT-08 | File Server Filling Up | Buy capacity or -5 pts | Spare capacity |
| EVT-09 | Honeypot Triggers | +5 pts if honeypot | — |
| EVT-10 | Insider Snooping | -5 pts (or +5 if ready) | SIEM / segmentation |
| EVT-11 | Ransomware Strikes | -20 pts | Backup (+ detection: +5) |
| EVT-12 | IT Staff Burnout | Max 1 deploy this turn | Completed builds |
| EVT-13 | Vendor Promotion | Next device -2 cost | — |
| EVT-14 | New Hire Remote Access | -3 pts | VPN Gateway |
| EVT-15 | Hardware Recall | Pay 3 or server offline | Redundancy / cloud |
| EVT-16 | Quiet Quarter | Nothing | — |
Events reward the same things the scoring rewards — redundancy, detection, backups, and a contingency reserve — so mitigation is never wasted spend. The nastiest cards (EVT-11) are exactly why hoarding zero-reserve builds and backup-free builds both hurt.
Network Building Standalone: Operational Event Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/network-building/expansion-deck/legacy-systems.md
Version: 2.1 - Balanced & Refined Edition Last Updated: October 2025
Legacy System Cards extend the Network Building module with specialized systems that many organizations still operate but cannot easily patch or upgrade.
Type: Legacy Business-Critical Infrastructure Cost: 15 Budget (expensive to operate) Complexity: 4/4 (extremely complex, specialized expertise required) Availability Requirement: 99.95% (financial/mission-critical) Supported Operating System: Mainframe OS (z/OS, VSE, VM), Not patchable
Description: Large centralized mainframe computer running business-critical applications. Banks, insurance companies, government agencies, and utilities often depend on mainframes for core operations. Mainframes are designed for availability and stability, but security model is outdated (predates internet security concerns).
Key Characteristics: - Age: Often 20-30+ years old - Software: Custom applications written in COBOL or other legacy languages - Security: Perimeter security model (assume all internal traffic is trusted) - Expertise: Few experts remain (knowledge leaving the industry) - Vendor Support: Vendor may no longer exist; in-house expertise critical - Cost of Replacement: $5M-100M+ (impossible to replace)
Key Concerns: - No regular security patches available (vendor EOL) - Known CVEs published but cannot be patched - Legacy protocols (unencrypted connections, weak authentication) - Access control systems predate modern security standards - Directly connected to corporate network (not isolated) - Often contains entire organization's critical data - Business process depends on it (replacement would take years)
Defense Strategy (Cannot Fix, Must Isolate): - Network Isolation: Mainframe in restricted segment, minimal connectivity - Firewall Rules: Only authorized systems can connect to specific ports - Monitoring: SIEM must monitor all mainframe connections (detect anomalies) - Assumption of Breach: Assume mainframe will be compromised; defend everything else - No Direct User Access: Users should not directly access mainframe (access via secure application tier) - Log Aggregation: All mainframe activities logged centrally (immutable audit trail)
Network Interactions: - Requires: Firewall rules isolating mainframe - Requires: Network Segmentation to restrict access - Requires: SIEM monitoring for anomaly detection - Incompatible with: Direct internet access (perimeter firewall only) - Incompatible with: Cloud integration (data residency and connectivity issues)
Incident Response Impact: - If mainframe is compromised, entire organization may be compromised - Mainframe compromise may be immediate game-loss in Incident Response - Legacy authentication means attacker can move freely once inside - Mainframe contains sufficient data to be primary exfiltration target
Team Design Validation: - ✓ If including mainframe: must include Network Segmentation + Firewall - ✓ Must include SIEM for monitoring - ✗ Failure: Direct user access to mainframe increases risk - ✗ Failure: Cloud connectivity to mainframe violates security boundary
Type: Legacy Business-Critical Software Cost: 8 Budget (application licensing/support) Complexity: 3/4 (difficult to update or replace) Availability Requirement: 99% (business depends on it) Operating System: Windows Server 2008/2012, or older Linux, or proprietary OS
Description: Specialized business application written by external vendor or in-house team that is no longer maintained. Application may be: - Accounting system (custom financial software) - Manufacturing control system (production scheduling) - Insurance claims system - Legal case management system - ERP (Enterprise Resource Planning) system
The application is mission-critical but: - Vendor no longer provides updates (company went out of business, or stopped supporting) - Cost to replace: $500K-$5M+ (economically infeasible) - Business process deeply embedded in application (replacement would require major restructuring) - Knowledge of application is scarce (original developers left, documentation poor)
Key Characteristics: - Age: Often 10-20 years old - Language: Written in outdated languages (Visual Basic 6, old Java, COBOL) - Vendor: Vendor may no longer exist; purchased "as-is" - Customization: Heavily customized for organization (not standard product) - Expertise: Few people understand the code - Database: Proprietary or very old database (SQL Server 2005, Oracle 10g, etc.) - Integration: Deeply integrated into business workflow
Key Concerns: - Application may contain hardcoded credentials - Application may store passwords in plaintext - Application may use unencrypted connections to database - Application may have SQL injection vulnerabilities (pre-2005 development) - Application may lack audit logging - Upgrading operating system may break application - Patches to operating system may be incompatible with application - Security testing tools may break application
Defense Strategy (Isolate and Monitor): - Application Server Isolation: Application in restricted segment - Database Isolation: Application database encrypted and access-controlled - Network Firewall: Only users/systems needing application can access it - No Direct Internet Access: Application never exposed to internet - SIEM Monitoring: All application access logged and monitored - Assumption: Assume application has SQL injection or similar vulnerabilities; defend database - Access Control: Limit who can use application (risk vs. benefit analysis)
Network Interactions: - Requires: Application Server (SRV-06 or custom server) - Requires: Database Server isolated from other systems - Requires: Firewall rules limiting access - Requires: SIEM monitoring application access - Incompatible with: Cloud hosting (licensing, data residency issues)
Incident Response Impact: - Custom application vulnerability could be exploited for lateral movement - Application database compromise exposes sensitive business data - Application logs may be missing or inaccessible - Attacker may extract application source code
Team Design Validation: - ✓ If including custom application: must isolate application + database - ✓ Must limit user access (principle of least privilege) - ✓ Must monitor application access in SIEM - ✗ Failure: Direct internet access to application increases attack surface - ✗ Failure: Weak access controls allow unauthorized application access
Type: Operational Technology (OT) / Safety-Critical Cost: 12 Budget (specialized equipment) Complexity: 4/4 (extremely specialized, safety implications) Availability Requirement: 99.9%+ (safety-critical, cannot fail) Operating System: Proprietary Industrial OS, real-time OS, or very old Linux
Description: Specialized system that controls physical machinery, manufacturing processes, power generation, utilities, or other critical infrastructure. Examples: - Manufacturing: Assembly line control, robotic systems - Utilities: Power distribution, water treatment, smart grid - Building Systems: HVAC, access control, fire systems - Transportation: Traffic signals, rail systems
Industrial Control Systems (ICS) are purpose-built for reliability and real-time control, not information security. They predate cybersecurity concerns.
Key Characteristics: - Purpose: Controls physical machinery or critical infrastructure - Real-time: Must respond in milliseconds (cannot tolerate latency) - Reliability: Designed for 99.99%+ availability - Security: Predates modern security (no authentication, no encryption) - Isolation: Historically air-gapped (not connected to corporate network) - Expertise: Requires specialized engineering expertise (electrical, mechanical, control systems) - Cost of Downtime: $10K-$1M+ per minute of downtime - Lifecycle: 10-30 year lifespan (different than IT systems)
Key Concerns (from IT Perspective): - Cannot be patched (real-time systems cannot tolerate OS updates) - Cannot tolerate intrusion detection (latency would affect operations) - Cannot install EDR/antivirus (would slow down real-time responses) - Cannot use modern encryption (adds latency) - Uses legacy protocols (Modbus, Profibus, DNP3 - no security built-in) - Often air-gapped; now being connected to corporate network (exposes vulnerability) - If compromised, physical safety implications (machinery malfunction, power outage, etc.)
Key Concerns (from ICS Perspective): - Availability is paramount (security is secondary) - Adding security controls might affect uptime - ICS engineers don't understand IT security - IT security tools and practices may break ICS - ICS changes must be tested extensively (downtime is unacceptable)
Defense Strategy (Strict Isolation): - Never Connect to Corporate Network: ICS should remain air-gapped - If Connection Required: Use unidirectional gateway (ICS can send data out, nothing comes in) - Network Segmentation: ICS in completely isolated segment from corporate systems - No User Internet Access from ICS: ICS workstations cannot browse internet - Physical Security: ICS room locked, access restricted to authorized engineers - Monitoring: Use ICS-specific monitoring tools (not traditional SIEM) - Assumption: Assume ICS network will be compromised; focus on preventing spread to corporate
Network Interactions: - Isolation: Complete separation from corporate network (air-gapped preferred) - If Bridge Required: Unidirectional gateway (one-way data flow) - Incompatible with: Corporate firewall (ICS cannot tolerate intrusion detection latency) - Incompatible with: EDR/Antivirus (would slow down real-time control) - Incompatible with: Cloud integration (real-time latency requirements)
Incident Response Impact: - ICS compromise may cause physical safety issues (priority = physical safety over data) - ICS compromise may cause production shutdown (significant financial impact) - ICS security investigation requires specialized expertise (not standard IT) - ICS forensics may disrupt operations (cannot preserve evidence if it affects safety)
Team Design Validation: - ✓ If including ICS: must isolate ICS from corporate network - ✓ Must use unidirectional gateway if connectivity required - ✓ Must NOT install traditional IT security tools on ICS - ✗ Failure: Corporate network connected to ICS without isolation - ✗ Failure: ICS exposed to internet or untrusted networks - ✗ Failure: IT security tools degrading ICS real-time performance
Type: Legacy Infrastructure Running Unsupported OS Cost: 5 Budget (cheap hardware, but difficult to support) Complexity: 3/4 (difficult to manage with modern security tools) Availability Requirement: 80-95% (business can tolerate occasional downtime) Operating System Examples: Windows XP, Windows Server 2003, old Linux kernels, custom UNIX variants
Description: Systems running operating systems that are no longer supported by vendor or open-source community. Vendor has stopped releasing security patches. Public exploit code for known vulnerabilities exists and is freely available.
Examples: - Windows XP (support ended 2014) - Windows Server 2003 (support ended 2015) - Linux 2.4/2.6 kernels (EOL for 10+ years) - Solaris 8/9 (Sun Microsystems EOL) - Other commercial UNIX variants EOL decades ago
Key Characteristics: - Support: No security patches from vendor - Exploits: All known vulnerabilities are published (no zero-days) - Tools: Modern security tools often don't run on EOL OS - Compatibility: Cannot run modern applications - Patching OS: OS upgrade would break dependent applications - Cost of Replacement: Application replacement cost makes OS upgrade prohibitive
Key Concerns: - All known vulnerabilities can be exploited (no patches) - Public exploits readily available (trivial for attacker) - Modern malware often targets these systems (profitable attacks) - Ransomware frequently targets EOL systems (known vulnerabilities) - System cannot run modern antivirus/EDR (not compatible) - System cannot use modern encryption protocols - System is prone to exploitation for lateral movement into modern systems
Defense Strategy (Assume Compromise, Isolate): - Assumption: Assume EOL system will be compromised (all vulnerabilities are public) - Network Isolation: EOL system in restricted segment, minimal connectivity - Firewall Rules: Only necessary traffic to/from EOL system - No Lateral Movement: Firewall rules prevent movement from EOL system to others - No Sensitive Data: Do not store sensitive data on EOL system - Monitoring: SIEM monitors EOL system closely (detect compromise signs) - Replacement Planning: Have timeline to replace/upgrade EOL system - Physical Security: Restrict physical access to EOL system
Network Interactions: - Isolation: EOL system in isolated segment - Firewall: Strict firewall rules (default deny) - Monitoring: SIEM alerts on any unusual EOL system activity - No Cloud Access: EOL system does not connect to cloud systems - Air-gapped Preferred: If possible, keep EOL system air-gapped
Incident Response Impact: - EOL system compromise may be inevitable (all vulnerabilities public) - Attacker will target EOL system as entry point (easier than hardened systems) - EOL system may be used as staging point for attacks on hardened systems - Forensics on EOL system may be difficult (no modern forensics tools support it)
Team Design Validation: - ✓ If including EOL system: must isolate completely - ✓ Must have replacement timeline - ✓ Must NOT store sensitive data on EOL system - ✗ Failure: No network isolation for EOL system - ✗ Failure: Sensitive data on EOL system - ✗ Failure: EOL system has same network privileges as modern systems
| Card | System Type | Cost | Complexity | Key Challenge |
|---|---|---|---|---|
| LEGACY-01 | Mainframe | 15 | 4/4 | Cannot patch, mission-critical |
| LEGACY-02 | Custom Application | 8 | 3/4 | Vendor no longer exists |
| LEGACY-03 | Industrial Control | 12 | 4/4 | Real-time + safety-critical |
| LEGACY-04 | Obsolete OS | 5 | 3/4 | All vulnerabilities public |
Key Principle: Cannot Fix, Must Isolate
Legacy systems cannot be fixed through normal security controls: - Cannot patch (vendor no longer supports) - Cannot upgrade OS (breaks dependent applications) - Cannot install modern security tools (incompatible) - Cannot redesign (cost prohibitive)
Instead, organizations must: 1. Isolate the legacy system: Separate network segment, strict firewall rules 2. Monitor closely: SIEM alerts on any anomalous activity 3. Assume compromise: Design defenses assuming legacy system will be compromised 4. Plan replacement: Have timeline to eventually replace legacy system 5. Limit exposure: Do not connect sensitive systems to legacy system network
Including legacy systems significantly increases network design complexity: - Must add firewall rules for each legacy system - Must add network segmentation - Must add SIEM monitoring - Budget is constrained (legacy systems are expensive to operate)
If Incident Response follows Network Building: - Legacy systems are easier attack targets (known vulnerabilities) - Attacker will likely compromise legacy system first - Legacy system compromise may lead to lateral movement - Legacy system may lack proper logging (forensics is difficult)
Teams face strategic decision: Include legacy systems or avoid them? - Include Legacy Systems: Realistic, mirrors real organizations, adds challenge - Avoid Legacy Systems: Simpler network design, but unrealistic - Team Decision: Should reflect organization's actual legacy system situation
Additional Legacy System Cards: - LEGACY-05: Mainframe Tape Backup System (disaster recovery, retention archiving) - LEGACY-06: Proprietary Database System (custom data storage, vendor extinct) - LEGACY-07: Dedicated PBX Telephony System (VoIP not yet viable) - LEGACY-08: Custom SCADA System (industrial automation, not standard ICS)
Network Building Module: Legacy Systems (Expansion) Part of Incident Zero, a modular cybersecurity board game v2.1 - Balanced & Refined Edition
cards/network-building/expansion-deck/cloud-variants.md
Version: 2.1 - Balanced & Refined Edition Last Updated: October 2025
Cloud Variant Cards extend the Network Building module with advanced cloud deployment options and cloud-native technologies beyond the basic Cloud Workload card in the core deck.
Type: Cloud-Native Architecture Cost: 6 Budget (container orchestration platform) Complexity: 3/4 (requires Kubernetes expertise) Supported Platforms: AWS ECS, Azure Container Instances, Google Cloud Run, Kubernetes Application Type: Modern cloud-native applications built as multiple small services
Description: Applications broken into microservices running in containers (Docker). Each service is a separate container that can scale independently. Containers are orchestrated by a platform (Kubernetes, Docker Swarm, ECS).
Key Characteristics: - Services: Application broken into small, focused services - Containers: Each service runs in a container (isolated environment) - Orchestration: Platform automatically manages container deployment, scaling, and recovery - Scalability: Each service can scale independently based on demand - DevOps: Infrastructure and code are tightly integrated (Infrastructure as Code) - Cloud-Native: Built for cloud (ephemeral resources, auto-scaling, auto-healing)
Key Advantages: - Scalability: Auto-scale individual services based on load - Resilience: Container failure doesn't affect entire application - Efficiency: Containers share OS kernel (more efficient than VMs) - Velocity: Deploy microservices independently (faster development) - Cost: Pay only for resources used (serverless principles)
Key Concerns (Security Perspective): - Complexity: Many moving parts, many potential attack surfaces - Container Escape: Attacker in one container might escape to host - Supply Chain: Container images come from registries (may be compromised) - Secrets Management: Container needs credentials/API keys (risk of exposure) - Lateral Movement: Multiple containers in same cluster, network policies must isolate - Compliance: Tracing data across microservices complicated - Logging: Distributed across many containers (aggregation required)
Defense Strategy: - Container Runtime Security: Monitor and restrict container behavior (Falco, Sysdig) - Image Scanning: Scan images for vulnerabilities before deployment - Network Policies: Kubernetes network policies restrict inter-service communication - Pod Security Policies: Restrict what containers can do (no privileged escalation) - Registry Security: Scan images in registry, require signing - Secrets Vault: Use HashiCorp Vault or cloud native secrets (not environment variables) - SIEM Integration: Aggregate logs from all containers
Network Interactions: - Works with: Cloud-native architecture (ARCH-05) - Requires: Container orchestration platform (Kubernetes) - Requires: Container registry (Docker Hub, ECR, ACR, GCR) - Requires: Secrets management (HashiCorp Vault, AWS Secrets Manager) - Integrates with: Microservices architecture (multiple services)
Incident Response Impact: - Container compromise may be isolated (if network policies work) - Container escape would give attacker access to host - Supply chain attack on container images affects all deployments - Distributed nature makes forensics complex - Log aggregation essential for investigation
Team Design Validation: - ✓ If including microservices: must include container runtime security - ✓ Must include image scanning + signing - ✓ Must include network policies - ✓ Must include secrets management - ✗ Failure: Hardcoded secrets in containers - ✗ Failure: No image signing/scanning - ✗ Failure: No container network policies
Type: Cloud-Native Compute (Abstracted Infrastructure) Cost: 3 Budget (minimal infrastructure management) Complexity: 2/4 (simple from ops perspective, but different security model) Supported Platforms: AWS Lambda, Azure Functions, Google Cloud Functions, IBM Cloud Functions Use Cases: Event-driven processing, API backends, scheduled jobs, data transformation
Description: Functions deployed to serverless platform. You write code, platform handles scaling, infrastructure, and execution. You pay only for actual execution time (milliseconds).
Key Characteristics: - No Infrastructure: You don't manage servers/containers/VMs - Event-Driven: Functions triggered by events (API call, message queue, schedule, etc.) - Auto-Scaling: Automatically scales from zero to thousands of concurrent executions - Stateless: Functions should not maintain state (state in database/message queue) - Time-Limited: Function has timeout (usually 15 minutes max) - Cost Model: Pay per execution millisecond (very cheap if infrequently called)
Key Advantages: - Simplicity: Write code, deploy, done (no servers to manage) - Cost: Pay only for execution time (not for idle servers) - Scalability: Automatic scaling without configuration - Velocity: Rapid deployment cycle (seconds) - Reduced Attack Surface: No server to compromise (provider manages infrastructure)
Key Concerns (Security Perspective): - Dependency Management: Function depends on libraries (vulnerable packages) - Secrets in Environment Variables: Function needs credentials (hardcoded or env vars) - Supply Chain: Libraries may be compromised (dependency attack) - Monitoring Blind Spot: Functions are ephemeral (logs must be aggregated) - Cold Start Attacks: Function startup time can leak information - Privilege Escalation: Function may have overly broad IAM permissions - Denial of Service: Function can be invoked repeatedly (cost/resource attack) - Compliance: Difficult to audit function execution (multi-tenant platform)
Defense Strategy: - Dependency Scanning: Scan dependencies for vulnerabilities - Secrets Management: Use cloud secrets manager (not environment variables) - IAM Least Privilege: Function has minimum required permissions - CloudTrail Logging: Log all function invocations - VPC Integration: Function connects to VPC if accessing private resources - Rate Limiting: Prevent function invocation DoS - Input Validation: Strict validation of all inputs (injection attacks) - Library Pinning: Pin exact library versions (prevent supply chain attacks)
Network Interactions: - Works with: Cloud-first architecture (ARCH-05) - Integrates with: API Gateway (exposes function as HTTP endpoint) - Integrates with: Message Queues (event-driven triggers) - Requires: Secrets Manager (for credentials) - Optional: VPC integration for private resource access
Incident Response Impact: - Function compromise is possible (code vulnerability or dependency) - Function invocation logs are critical (only audit trail) - Multi-tenant platform may complicate forensics - Dependency vulnerability affects all functions using vulnerable library - Distributed nature makes understanding attack chain difficult
Team Design Validation: - ✓ If including serverless: must include secrets management - ✓ Must include dependency scanning - ✓ Must include IAM least privilege configuration - ✗ Failure: Secrets in environment variables - ✗ Failure: Overly broad function permissions - ✗ Failure: No input validation
Type: Cloud-Managed Data Layer Cost: 5 Budget (pay per GB + IO operations) Complexity: 1/4 (cloud provider manages infrastructure) Supported Platforms: AWS RDS, Azure SQL Database, Google Cloud SQL, MongoDB Atlas, DynamoDB Database Types: Relational (SQL Server, PostgreSQL, MySQL, Oracle), NoSQL (MongoDB, DynamoDB, Cassandra)
Description: Database managed entirely by cloud provider. You provision database capacity, cloud provider handles: backups, patching, failover, replication, encryption, monitoring.
Key Characteristics: - Managed: Cloud provider manages infrastructure (patches, backups, upgrades) - Automated Backup: Point-in-time recovery (no manual backup configuration) - Replication: Automatic geo-replication for disaster recovery - Encryption: Encryption at rest and in transit (built-in) - Scaling: Can scale storage and compute without downtime - Monitoring: Built-in monitoring and alerting - Compliance: Provider maintains compliance certifications (SOC 2, HIPAA, PCI-DSS)
Key Advantages: - Reliability: Provider manages availability (99.99% SLA typical) - Security: Provider manages patching and security updates - Compliance: Provider handles compliance certifications - Cost: No ops team needed to maintain database - Disaster Recovery: Automated backups and geo-replication - Scalability: Transparent scaling without downtime
Key Concerns (Security Perspective): - IAM Configuration: Database access via IAM roles (misconfiguration exposes data) - Network Exposure: Database may be internet-accessible (must restrict) - Encryption Keys: Cloud provider manages keys (limited control) - Audit Logging: Must enable audit logging (not always on by default) - Data Residency: Where is data stored geographically? - Backup Security: Backups must be encrypted and access-controlled - Supply Chain: Vendor is now part of attack surface - Multi-Tenant: Data may share hardware with other customers (trust model)
Defense Strategy: - Network Isolation: Database accessible only from application (not internet) - IAM Least Privilege: Only application has access (not human users) - Encryption Keys: Use customer-managed keys (not provider-managed) - Audit Logging: Enable all audit logging (schema changes, access, queries) - Monitoring: Set up alerting on suspicious queries (large exports, drops, etc.) - Backup Encryption: Verify backups are encrypted - Access Control: Disable public IP, use private endpoints only - Secrets Management: Database credentials in secrets vault (not hardcoded)
Network Interactions: - Works with: Cloud-first architecture (ARCH-05) or Cloud Hybrid (ARCH-04) - Integrates with: Application tier (via private endpoint) - Requires: Secrets management (for credentials) - Incompatible with: On-premises applications (latency/connectivity issues)
Incident Response Impact: - Database compromise likely primary attack goal (most valuable data) - Cloud provider manages baseline security (shifts responsibility model) - Audit logs are critical evidence (may be only forensics available) - Backup verification essential (can you restore to pre-attack state?) - Multi-tenant concerns for sensitive investigations
Team Design Validation: - ✓ If including managed database: must use private endpoints (not public) - ✓ Must enable audit logging - ✓ Must use customer-managed encryption keys - ✓ Must restrict database IAM permissions - ✗ Failure: Database public IP exposed to internet - ✗ Failure: Overly broad IAM permissions (anyone can access) - ✗ Failure: Audit logging disabled
Type: Edge Computing / Performance Enhancement Cost: 4 Budget (pay per GB transferred + requests) Complexity: 2/4 (configuration required, but well-documented) Supported Platforms: CloudFlare, AWS CloudFront, Azure CDN, Google Cloud CDN, Akamai Use Cases: Static assets (images, JS, CSS), web application acceleration, DDoS mitigation
Description: CDN caches content across globally distributed edge servers. When users request content, they get it from nearest edge server (fast). Reduces load on origin server and improves user experience.
Key Characteristics: - Distributed Caching: Content cached at 100+ edge locations worldwide - Fast Delivery: Users get content from nearest edge (milliseconds) - Origin Protection: Origin server behind CDN (hides IP, reduces load) - DDoS Protection: CDN absorbs DDoS attacks before reaching origin - SSL/TLS Termination: CDN handles encryption (origin can use HTTP) - Rate Limiting: Can rate-limit requests per IP - Security Headers: Can inject security headers (HSTS, CSP, etc.)
Key Advantages: - Performance: Content delivery 100x faster globally - DDoS Protection: Built-in DDoS mitigation - Security: Origin IP hidden, security scanning at edge - Cost Efficiency: Reduces origin server bandwidth costs - Geo-Location: Can route users to different content based on location
Key Concerns (Security Perspective): - Cache Poisoning: Attacker poisons CDN cache with malicious content - Origin Bypass: Attacker finds origin IP, bypasses CDN security - SSL Stripping: CDN can decrypt traffic (must trust CDN provider) - Cookie Security: Sensitive cookies may be cached (GDPR/privacy issue) - Personalization: Cached content loses personalization (may expose user data) - Configuration Mistakes: Wrong cache settings may cache sensitive content - Origin Protection: Still need to protect origin server (CDN is not complete solution) - Bot Attack: Attackers can still target origin through CDN
Defense Strategy: - Cache Settings: Do not cache sensitive content (set cache headers) - Origin Protection: Implement Web Application Firewall (WAF) on origin - Rate Limiting: Configure CDN rate limiting rules - DDoS Settings: Enable DDoS protection features - SSL Validation: Verify SSL certificates (prevent MITM) - Geoblocking: Block traffic from unwanted regions (geo-restrictions) - Security Headers: Implement security headers (HSTS, CSP, X-Frame-Options) - Origin IP Hiding: Use origin concealment (hide real IP) - Monitoring: Monitor for suspicious CDN patterns
Network Interactions: - Works with: Web application (static assets + dynamic content) - Works with: Cloud Hybrid (ARCH-04) or Cloud First (ARCH-05) - Complements: Web Application Firewall (WAF) - Optional with: Infrastructure (performance enhancement, not required)
Incident Response Impact: - CDN compromise could distribute malware to all users (supply chain attack) - Cache poisoning affects entire user base - Origin IP exposure could enable direct attacks on origin server - CDN logs are evidence (attacker activity visible in CDN analytics) - DDoS attack visibility (CDN shows attack patterns)
Team Design Validation: - ✓ If including CDN: must configure cache headers correctly - ✓ Must enable security features (DDoS, WAF, rate limiting) - ✓ Should hide origin IP - ✗ Failure: Caching sensitive/personalized content - ✗ Failure: Disabled security features - ✗ Failure: Origin IP exposed
| Card | Technology | Cost | Complexity | Primary Benefit |
|---|---|---|---|---|
| CLOUD-01 | Microservices | 6 | 3/4 | Scalability & Velocity |
| CLOUD-02 | Serverless | 3 | 2/4 | Simplicity & Cost |
| CLOUD-03 | Managed DB | 5 | 1/4 | Reliability & Compliance |
| CLOUD-04 | CDN | 4 | 2/4 | Performance & DDoS Protection |
Key Principle: Different Cloud Services, Different Security Models
Each cloud variant represents different architectural choices: - Microservices: Scalability + complexity (many attack surfaces) - Serverless: Simplicity + different threat model (function-level security) - Managed Database: Reliability + shared responsibility (provider + customer) - CDN: Performance + edge computing (distributed security)
Organizations use combinations of these services: - Serverless functions backed by managed database (simple, scalable, reliable) - Microservices deployed globally via CDN (scalable, fast, available) - Mix of serverless and containers (different workloads, different approaches)
Cloud variants add flexibility to network design: - Can build entirely on serverless (very simple, minimal infrastructure) - Can mix serverless + containers (different workloads) - Can add CDN for global distribution - Can use managed database for all data needs
Cloud variants have different cost models: - Serverless: Cheap if used occasionally, expensive if always running - Microservices: Scale-to-zero not available (always running cost) - Managed Database: Scale with usage (can get expensive) - CDN: Cheap for low traffic, expensive for high traffic
Cloud variants trade operational complexity for different concerns: - Serverless: No ops burden, but security mindset different - Microservices: Ops burden (Kubernetes), but powerful scalability - Managed Database: No ops burden, but IAM misconfiguration risk - CDN: Config once, then mostly set-and-forget
Additional Cloud Variant Cards: - CLOUD-05: Machine Learning Platform (ML training/inference) - CLOUD-06: Event Streaming (Kafka, pub/sub architectures) - CLOUD-07: Search & Analytics (Elasticsearch, BigQuery) - CLOUD-08: API Gateway (API management and rate limiting) - CLOUD-09: Message Queue (async processing, event-driven) - CLOUD-10: Infrastructure as Code Platform (automated deployment)
Network Building Module: Cloud Variants (Expansion) Part of Incident Zero, a modular cybersecurity board game v2.1 - Balanced & Refined Edition
cards/print-templates/tracker-sheets.md
Version: 2.2 - Playtest Edition
Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.
Cross off as each turn ends. Circle your turn limit before starting.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]
Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.
150 145 140 135 130 125 120 115 110 105 100 95 90 85 80 75
70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
100 95 90 85 80 75 70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
0 1 2 3 4 5
[ ] [ ] [ ] [ ] [ ] [ ] Penalty at start of turn: -5 Budget each
Advance each meter per card effects. Victory thresholds marked ▲.
ATTRIBUTION 0 10 20 30 40 50 60 70 80 90▲ 100
TIMELINE 0 10 20 30 40 50 60 70 80▲ 90 100
ATTACK CHAIN 0 10 20 30 40 50 60 70 80▲ 90 100
CHAIN OF CUSTODY 0 10 20 30 40 50 60 70▲ 80 90 100
Victory check (end of game): - V1 Full Attribution: Attribution ≥90 AND Timeline ≥80 - V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70 - V3 Partial Findings: any two meters ≥70
Investigation in flight: ____ (results arrive Turn _) Evidence collected (✓ = Analyzed, one Analyze per card):
| Evidence card | Documented? (+5% CoC) | Analyzed? |
|---|---|---|
INVESTIGATION 0 10 20 30 40 50 60 70 80 90 100
REMEDIATION 0 10 20 30 40 50 60 70 80 90 100
COMMUNICATION 0 10 20 30 40 50 60 70 80 90 100
| Stakeholder | 100 | 80 | 60 | 40 | 20 (critical) | 0 (LOSS) |
|---|---|---|---|---|---|---|
| Customers | ||||||
| Employees | ||||||
| Regulators | ||||||
| Board / Investors | ||||||
| Media / Public |
| Turn | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Scheduled event | ||||||||
| Deadline | Customers notified (recommended) | Regulator penalties begin | GDPR 72h — regulators notified |
Multi-turn action in flight: ____ (completes Turn _)
| # | Domain | Stars (1-5) | PASS (3★+) / FAIL (1-2★) | Key gap found |
|---|---|---|---|---|
| 1 | Network Segmentation | |||
| 2 | Identity & Access | |||
| 3 | Detection & Monitoring | |||
| 4 | Backup & Recovery | |||
| 5 | Cloud Security | |||
| 6 | Security Operations |
Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).
| Category | Points | Notes |
|---|---|---|
| Requirements met | per requirement card | |
| Security coverage | per rules scoring table | |
| Capability coverage | per rules scoring table | |
| Budget management | per rules scoring table | |
| TOTAL |
Components placed:
| Component | Cost | Capacity used / total |
|---|---|---|
Budget remaining: ___ / starting ___