Incident Master Handbook - Malware & Monsters

The Complete Guide to Facilitating Cybersecurity Learning

The Malware & Monsters Community

Welcome, Incident Master

“Great facilitators don’t have all the answers—they ask the right questions.”

As an Incident Master, you’re not just running a training session—you’re orchestrating a collaborative learning experience that transforms how people think about cybersecurity. This handbook is your complete guide to facilitating Malware & Monsters sessions that provide professional security training platform capabilities through incident response tabletop exercise methodologies. Our approach drives security professional development and cybersecurity skills development simultaneously.

Legacy & Contemporary Malmons

Your toolkit includes both historical threats that shaped cybersecurity (Code Red, Stuxnet, Ghost RAT, Poison Ivy) and modern attacks currently impacting organizations (GaboonGrabber, WannaCry, LockBit, FakeBat). This range allows you to guide teams through cybersecurity’s evolution, connecting lessons from past incidents to today’s threat landscape.

Your Role as Learning Facilitator

What Makes a Great Incident Master

  • Question architect - You guide discovery through strategic questioning
  • Safety creator - You build psychological safety for experimentation and learning
  • Process guide - You manage time, energy, and group dynamics
  • Learning catalyst - You unlock the collective wisdom in the room

What You’re NOT

  • The expert with all the answers - Participants provide the cybersecurity expertise
  • A lecturer - Learning happens through collaborative discovery
  • A judge - Success is measured by learning, not “correct” answers

Facilitation Philosophy

At the heart of Malware & Monsters is a simple but powerful principle: your participants already know more than they think they do. Your job is to create the conditions where that knowledge can emerge, combine, and grow through collaboration.

Core Principles

  1. Trust the framework - The structure supports learning; trust it
  2. Trust your participants - They have valuable knowledge and insights
  3. Trust the process - Discovery-based learning is more powerful than instruction
  4. Trust yourself - You don’t need to be perfect; you need to be curious

How to Use This Handbook

If You’re New to Facilitating

If You’re an Experienced Facilitator

If You’re Looking for Quick Reference

Your Learning Journey

Getting Started (First 3 Sessions)

  1. Start simple - Use GaboonGrabber for your first few sessions
  2. Focus on questions - Trust that good questions lead to good learning
  3. Observe and learn - Watch how participants interact and discover
  4. Reflect and improve - Each session teaches you something new

Building Expertise (Sessions 4-20)

  • Experiment with different Malmon types and complexity levels
  • Develop your personal facilitation style and approaches
  • Build relationships within the learning community
  • Begin mentoring new Incident Masters

Master Level (20+ Sessions)

  • Design custom scenarios and adaptations
  • Train other facilitators in your organization
  • Contribute new Malmons and techniques to the community
  • Lead community initiatives and development

Ready to Begin?

The most important thing to remember is this: every expert was once a beginner. You don’t need years of experience to be an effective Incident Master. You need curiosity, patience, and willingness to learn alongside your participants.

Your participants don’t expect perfection—they expect authenticity, engagement, and someone who cares about their learning. You already have everything you need to create transformative cybersecurity education experiences.

Remember: Great Incident Masters are made through practice, not perfection. Every session you facilitate makes cybersecurity education more collaborative, engaging, and effective.

The monsters are waiting. Your learners are ready. Let’s build something amazing together.