Frequently Asked Questions

Getting Started

What is Malware & Monsters?

Malware & Monsters is a collaborative cybersecurity education framework that uses creature-collection mechanics and storytelling to teach incident response. Teams work together to identify, analyze, and respond to digital threats represented as “Malmons” - creatures with distinct behaviors, capabilities, and weaknesses based on real malware families.

Who can participate in Malware & Monsters sessions?

Anyone interested in cybersecurity can participate! Sessions are designed for diverse experience levels, from beginners to cybersecurity professionals. The collaborative learning approach means participants learn from each other’s expertise and perspectives.

Do I need cybersecurity experience to play?

No prior cybersecurity experience is required. The framework is designed to teach through discovery and collaboration. Your unique perspective and problem-solving skills are valuable regardless of your technical background.

How long does a typical session last?

A standard Malware & Monsters session lasts 2-4 hours, divided into three rounds: Discovery (identifying the threat), Investigation (understanding impact and scope), and Response (coordinating containment and recovery).

Game Configuration & Session Length

What is the Modular Game Configuration System?

It’s a new system designed to give Incident Masters (IMs) ultimate flexibility in tailoring sessions. You can choose from pre-set templates (Quick Demo, Lunch & Learn, Full Game, Advanced Challenge) or build a custom configuration, adjusting factors like rounds, actions per player, and investigation structure. This allows you to fit sessions to any time constraint or learning goal without compromising the rich narrative.

How do I choose the right session length?

The system includes predefined templates that target specific session lengths (e.g., Quick Demo for 35-40 min, Full Game for 120-140 min). You can also use the Time Calculation Methodology in the Game Configuration Guide to estimate session length for custom configurations.

Can I adjust a template or create a custom session?

Absolutely! Templates are starting points. You can easily adjust individual options (like debrief length or complexity settings) to fine-tune a template. Experienced IMs can also build sessions from scratch using the grouped configuration options and the Configuration Worksheet.

Does changing the session length impact the story?

No! A core principle of the Modular Game Configuration System is “Full Narrative Always Preserved.” Time savings come from streamlining gameplay mechanics (e.g., fewer rounds, more guided investigation), never from cutting narrative elements, NPC characterization, or organizational context. Every session, regardless of length, delivers the complete story.

For Facilitators

What’s an Incident Master?

An Incident Master (IM) is the facilitator who guides sessions using proven educational techniques. They don’t need to be cybersecurity experts - they focus on asking the right questions and creating engaging learning experiences.

How do I become an Incident Master?

Start with the IM Handbook which provides complete facilitation guidance, techniques, and session management approaches based on the Sly Flourish methodology.

What scenarios are available?

The framework includes detailed scenario cards covering various organizational contexts (healthcare, finance, education, etc.) and different malware families from historical threats like Code Red (2001) to contemporary threats like LockBit.

What are planning documents and how do they differ from scenario cards?

Scenario cards provide the essential narrative framework (organization context, hook, pressure, NPCs, secrets) for quick-start facilitation using the “lazy IM” approach.

Planning documents build on scenario cards with comprehensive facilitation support including game configuration templates, investigation timelines, response options matrix, round-by-round guidance, pacing strategies, and debrief prompts. They’re designed for first-time IMs who want structured 30-minute preparation, or as quick-reference support for experienced facilitators.

Both approaches work well - choose based on your experience level and preparation preferences. See Session Preparation for detailed guidance.

How much preparation time do I need as an IM?

It depends on your experience and chosen approach:

• 5-Minute Prep (Experienced IMs): Use scenario cards alone with the “lazy IM” approach - quick scan of NPCs, hook, and pressure timeline
• 30-Minute Prep (First-Time IMs): Use planning documents for structured preparation with game configuration, investigation milestones, and facilitation guidance
• Quick Reference (During Sessions): Planning documents include one-page facilitator cheat sheets for in-session support

All 42 planning documents are available in the IM Handbook Practical Tools section.

Which planning document should I use for my first session?

Start with a Tier 1 Beginner scenario (60-90 minutes) that matches your group’s industry:

• Healthcare/Medical groups: GaboonGrabber Healthcare or Raspberry Robin Healthcare
• Technology/IT groups: Code Red E-commerce or FakeBat Small Business
• Business/Finance groups: GaboonGrabber Financial or Poison Ivy Financial
• Government/Public sector: Code Red Government or Raspberry Robin Government

Browse all planning documents organized by difficulty tier in the Practical Tools index.

Technical Questions

What are Malmons?

Malmons (short for Malware Monsters) are creatures representing real malware families. Each has specific types (Trojan, Worm, Ransomware, APT), abilities based on actual attack techniques, and weaknesses that mirror real-world containment strategies.

How does the type effectiveness system work?

Similar to creature-collection games, different response approaches are more or less effective against specific Malmon types. For example, network isolation is super effective against Worms but less effective against already-installed Trojans.

Are the scenarios based on real incidents?

Yes, all scenarios and Malmons are based on real malware families and actual cybersecurity incidents, adapted for educational purposes while maintaining technical accuracy.

Community and Resources

Where can I find more resources?

• Players Handbook - Complete participant guide
• IM Handbook - Facilitation techniques and scenarios
  
• Community - Connect with other learners and facilitators
• GitHub Repository - Open source materials

How can I contribute to the project?

The project welcomes contributions including: - New scenario cards and organizational contexts - Additional Malmon profiles for emerging threats - Translation into other languages - Facilitation technique improvements - Community feedback and session reports

Is Malware & Monsters free to use?

Yes, all materials are available under Creative Commons NonCommercial licensing for educational use by schools, organizations, and community groups. Commercial use (paid training, workshops, or consulting) requires a separate commercial license. See our licensing guide for details.

---

Don’t see your question here? Contact us and we’ll help you get started with collaborative cybersecurity learning.