- Scenario card selection (match group expertise and complexity)
- Malmon selection (choose threat level and type for group skill level)
- NPC motivation review (stakeholder concerns and conflicts)
- Hook internalization (why this attack NOW, practice opening)
- Pressure timeline review (business deadlines and consequences)
- Context-driven question preparation (leverage participant expertise)
Session Preparation: Using Scenario Cards
Step 1: Choose Your Session Configuration
With the new Modular Game Configuration System, you can precisely tailor your Malware & Monsters sessions to fit any time constraint, group size, and learning objective. This is the crucial first step in your preparation process.
Two Ways to Configure Your Session:
- Start with a Template (Recommended for most IMs):
- Choose one of the four pre-configured templates (Quick Demo, Lunch & Learn, Full Game, Advanced Challenge) that best matches your target time and group’s experience level.
- Templates provide all settings pre-filled, giving you a solid starting point.
- You can then make minor adjustments to individual options if needed.
- Refer to: Configuration Templates Overview in the Game Configuration Guide.
- Configure from Scratch (For experienced IMs or unique needs):
- Select each configuration option individually from the grouped system (Major, Moderate, Minor, Complexity).
- This provides maximum flexibility to build a session tailored precisely to your specifications.
- Use the Time Calculation Methodology to estimate your session length as you go.
- Refer to: Grouped Configuration System in the Game Configuration Guide.
Key Resources for Configuration:
- Game Configuration Guide: For a full explanation of all options, templates, and time calculation methodology: Game Configuration Guide
- Configuration Worksheet: A printable worksheet to help you plan and track your choices: Configuration Worksheet
- Template Reference Cards: Quick summaries of each template
Step 2: Understanding Your Preparation Resources
Malware & Monsters provides preparation resources at two levels - choose based on your experience and available prep time. Important: You use one or the other, not both together.
The Foundation: Scenario Cards
Every scenario starts with a scenario card - the narrative building blocks:
- Organization context: Who you’re protecting and why
- Hook: Why this attack is happening NOW (not just what happened)
- Pressure: Time constraints that force difficult decisions
- NPCs: Key stakeholders with motivations and conflicts
- Secrets: Organizational vulnerabilities that enabled the attack
- Villain plan: Three-stage attack progression
Scenario cards are complete on their own. They contain everything needed for experienced IMs to facilitate engaging sessions using the storytelling approaches described in this chapter.
The Expanded Version: Planning Documents
Planning documents are scenario cards + comprehensive facilitation layers:
Planning Document =
├─ Scenario Card Content (included)
│  ├─ Organization context
│  ├─ Hook & pressure
│  ├─ NPCs
│  ├─ Secrets
│  └─ Villain plan
└─ Plus Detailed Facilitation Guidance
   ├─ Game Configuration Templates (4 pre-configured formats)
   ├─ Investigation Timeline (milestone-based progression)
   ├─ Response Options Matrix (type effectiveness guidance)
   ├─ Round-by-Round Facilitation Guide (detailed structure)
   ├─ Pacing & Timing Notes (session flow management)
   ├─ Debrief Discussion Prompts (learning synthesis)
   └─ Customization Notes (difficulty adaptations)
Planning documents don’t replace scenario cards - they expand them. The scenario card content is embedded within the planning document as the narrative foundation, with extensive facilitation structure built around it.
Choosing Your Preparation Path
You choose ONE approach based on experience level and prep time:
Important: You Don’t Use Both Together
Common misconception: “Should I use the planning document AND the scenario card during prep?”
Answer: No. The planning document already includes the scenario card content. Using both would be redundant.
Think of it this way:
- Scenario card = Foundation (narrative building blocks)
- Planning document = Foundation + Structure (scenario card expanded into comprehensive guide)
Choose the level of support you need based on your experience and comfort with improvisation. Both paths lead to successful sessions - planning documents provide more scaffolding, scenario cards provide more freedom.
Progression Path for New IMs
Most IMs follow this natural progression:
- First 2-3 sessions: Use planning documents
- Build confidence with detailed structure
- Learn facilitation patterns
- Understand how scenarios unfold
- Sessions 4-10: Mix of both approaches
- Planning documents for new/complex scenarios
- Scenario cards for familiar Malmons
- Gradually increase scenario card usage
- Experienced facilitator: Primarily scenario cards
- Trust storytelling skills
- Adapt to group in real-time
- Use planning documents only for complex scenarios
The goal: Develop confidence to facilitate engaging sessions using scenario cards alone, with planning documents available as comprehensive support when needed.
Step 3: Building Compelling Stories with Scenario Cards
Scenario cards provide narrative building blocks, but compelling facilitation requires transforming those elements into living stories. This section shows you exactly how to use each part of a scenario card to create engaging, memorable sessions.
The Scenario Card as Storytelling Framework
Every scenario card contains six storytelling elements. Here’s how to use each one:
1. The Hook: Opening with “Why NOW?”
What the scenario card gives you: A 2-3 sentence explanation of why this attack is happening at this specific moment.
How to prepare it for storytelling:
- Read the hook and identify the human pressure point
- Rephrase it in your own words (don’t memorize verbatim)
- Practice delivering it as situation context, not exposition
- Lead with the deadline/pressure, then reveal the vulnerability
Example from Code Red Cloud Infrastructure scenario:
Scenario card hook: > “CloudCore provides cloud-based business management software to thousands of small and medium businesses. A newly discovered vulnerability in their API gateway is being mass-exploited by an automated worm that spreads between customer environments.”
❌ Exposition delivery (don’t do this): “You work for CloudCore, a SaaS provider. There’s a vulnerability in the API gateway. A worm is exploiting it.”
✅ Storytelling delivery: “It’s 2:30 PM on a Wednesday. You’re the security team at CloudCore Solutions - you serve over 50,000 customer organizations with your cloud platform. Your phone starts buzzing. Then it doesn’t stop. Customer support is being flooded. ‘My website is defaced.’ ‘My business data is gone.’ ‘When will this be fixed?’ You check your monitoring dashboard. Hundreds of API security alerts. And they’re multiplying. Every few minutes, dozens more customer environments are compromised. This isn’t slowing down - it’s accelerating.”
Why this works:
- Starts with specific time/place (grounds the story)
- Uses present tense (creates immediacy)
- Shows impact through customer voices (makes it human)
- Builds tension progressively (from one call to hundreds of alerts)
- Ends with escalating threat (creates urgency)
2. Organization Context: Making It Real
What the scenario card gives you: Organization name, industry, size, and regulatory environment.
How to prepare it for storytelling:
- Identify details your participants will recognize from their own experience
- Prepare 2-3 specific contextual details that make it feel authentic
- Think about what this organization would worry about most
- Consider what “normal” operations look like before the crisis
Example from MedTech Healthcare scenario:
Scenario card context: > “MedTech Solutions: Healthcare technology, 200 employees”
❌ Generic delivery: “You work for a 200-person healthcare technology company.”
✅ Contextual storytelling: “MedTech Solutions is a healthcare IT company - the kind where everyone knows everyone, where the developers sit three desks away from customer support, where the CEO walks through the office every morning with coffee. 200 people who’ve built their reputation on reliable, secure systems for hospitals. Your biggest client? St. Mary’s Hospital. They’re going live with your new EMR system in 72 hours. This implementation represents 30% of your annual revenue. Everyone in the company knows about the Monday deadline.”
Why this works:
- Specific details create vivid mental image
- Company culture details make it feel real
- Stakes are personal and organizational
- Timeline creates natural pressure
3. Stakes & Pressure: Creating Emotional Investment
What the scenario card gives you: What’s at risk and why there’s urgency.
How to prepare it for storytelling:
- Translate abstract stakes into specific consequences
- Identify who suffers if this fails (make it personal)
- Practice explaining the deadline as a real business constraint
- Prepare to answer “Why can’t we just shut everything down?”
Example from Sterling & Associates Law Firm scenario:
Scenario card stakes: > “Attorney-client privilege breach + Malpractice liability + $2.8B case at risk”
❌ Abstract delivery: “There are compliance concerns and legal risks.”
✅ Stakes-driven storytelling: “Let me paint the picture: Sterling & Associates has spent three years building this class action lawsuit. $2.8 billion. The biggest case in the firm’s 40-year history. Hundreds of clients depending on you. Critical depositions start Friday morning - that’s 72 hours from now. If opposing counsel discovers you’ve been compromised, they’ll claim every piece of evidence is contaminated. Attorney-client privilege? Gone. The case? Dismissed. Malpractice claims from hundreds of clients? Inevitable. And Robert Sterling, the senior partner who brought you on board? His reputation and retirement depend on this case.”
Why this works:
- Specific dollar amounts and timeframes (concrete stakes)
- Multiple stakeholder impacts (layered consequences)
- Career and personal stakes (emotional investment)
- Clear timeline creates urgency
- Explains why “shut it down” isn’t simple
4. NPCs: Bringing Characters to Life
What the scenario card gives you: NPC names, roles, and 1-2 sentence descriptions of their motivations.
How to prepare it for storytelling:
- Give each NPC a distinct voice or personality trait
- Prepare 2-3 signature phrases each NPC might say
- Identify what each NPC wants (often conflicting goals)
- Practice switching between NPC voices naturally
Example from MedTech Healthcare scenario:
Scenario card NPCs: > “Sarah Chen (IT Director): Extremely stressed about hospital go-live, knows about recent security warnings but hasn’t investigated thoroughly, primarily concerned about meeting project deadline”
❌ Describing the NPC: “Sarah Chen is the IT Director. She’s stressed about the deadline and hasn’t looked into the security issues.”
✅ Speaking AS the NPC:
[Phone rings at 6 AM Monday]
“This is Sarah. Look, I know it’s early but… we have a problem. St. Mary’s goes live in three hours. THREE HOURS. And the EMR system is throwing errors I’ve never seen before. The cardiac monitoring integration is failing. We have surgeries scheduled. I… I haven’t slept in 36 hours. I need you to tell me this is fixable. I need you to tell me we’re not about to lose our biggest client.”
[voice slightly shaky, speaking faster than normal, you can hear keyboard typing in background]
Why this works:
- Shows emotion through delivery (shaky voice, speed)
- Specific details create authenticity (keyboard sounds, time awake)
- Reveals priorities through what she mentions first (deadline, client)
- Asks for reassurance (human vulnerability)
- Creates immediate pressure without explicitly stating stakes
Multiple NPC interaction example:
Later in the session when participants are investigating:
“While you’re analyzing the logs, you hear voices in the hallway. Jennifer Park, the COO, walks in - she looks confused:
‘Sarah, why are there engineers here at 6 AM? We’re not scheduled for system work today. Is something wrong with the go-live?’
Sarah glances at you nervously, then back at Jennifer:
‘We’re just… running final checks. Standard pre-deployment protocols.’
Jennifer frowns: ‘I just got off the phone with St. Mary’s CEO. He asked if we’re ready for this morning. I told him absolutely. We ARE ready, correct? Because I have the board presentation at 10 AM where I’m announcing this successful implementation.’
The tension in the room just went up significantly.”
Why this works:
- NPCs have conflicting awareness levels (Jennifer doesn’t know)
- Competing priorities create natural tension (Sarah hiding vs Jennifer announcing)
- Participants must navigate organizational politics
- Shows realistic workplace dynamics
5. Secrets: Revealing Through Discovery
What the scenario card gives you: 3-4 organizational secrets that explain how the attack succeeded.
How to prepare it for storytelling:
- Plan WHEN each secret will be revealed (progressive discovery)
- Prepare how participants might discover each secret (investigation paths)
- Think about which NPC might reveal which secret (and why)
- Practice delivering secrets as discoveries, not information dumps
Example from SteelCorp Manufacturing scenario:
Scenario card secrets: > “Control systems team disabled safety interlocks temporarily to boost production capacity during high-demand period”
❌ Information dump: “The control systems team disabled safety interlocks to increase production.”
✅ Discovery-driven revelation:
[After participants investigate control system logs]
“As you’re reviewing the PLC access logs, something catches your eye. Three weeks ago - right when the big Q4 contract started - there’s a series of configuration changes. Safety interlock timeouts extended. Alarm thresholds raised. Emergency shutdown protocols… modified.
You call down to the floor. David Chen, the control systems engineer, picks up. You ask him about the changes.
[long pause]
‘Look… Maria [Production Manager] was under enormous pressure. The new contract required 50% more output. The safety systems kept triggering shutdowns for what she called “false alarms.” She said we were going to lose the contract if we couldn’t meet production targets. So we… adjusted some parameters. Temporarily. We were going to put them back after Q4.’
[another pause]
‘We didn’t think it would matter. They were just slowing down production. We didn’t know someone was going to…’
You realize the attacker has complete control over a production system with compromised safety limits. This just went from bad to catastrophic.”
Why this works:
- Secret revealed through participant investigation
- NPC provides context and rationalization (realistic)
- Shows organizational pressure leading to shortcuts
- Dramatic pause creates tension
- Ends with realization that escalates stakes
6. Villain Plan: Evolving Threat
What the scenario card gives you: Three-stage attack progression with current stage marked.
How to prepare it for storytelling:
- Keep stages in mind but don’t reveal them explicitly
- Use stage progression to create escalation pressure
- Tie evolution to participant actions (or inaction)
- Signal upcoming escalation through symptoms
Example from LockBit Hospital scenario:
Scenario card villain plan:
> Stage 1: Initial encryption of file servers [✓ Complete]
> Stage 2: Lateral movement to domain controllers (CURRENT)
> Stage 3: Full network encryption including patient monitoring systems
❌ Mechanical progression: “The ransomware has encrypted file servers. Next it will move to domain controllers, then patient systems.”
✅ Story-driven evolution:
[Opening - Stage 1 complete]: “The overnight help desk got the first call at 11 PM: ‘I can’t access patient records.’ Then another. Then another. By midnight, every shared drive in the hospital was encrypted. Ransomware note on every screen. $2.5 million in Bitcoin. 48 hours to pay.”
[Mid-game - Stage 2 beginning]: “Your phone buzzes. It’s Tom from IT:
‘Hey, uh… we’re seeing weird activity on the domain controllers. Authentication attempts from systems that shouldn’t be accessing them. The encrypted file servers - they’re not isolated. They’re… probing. Looking for credentials. This isn’t over.’
What do you do?”
[If participants don’t contain quickly - Stage 3 trigger]: “You’re working on containment when Dr. Martinez rushes in:
‘The cardiac monitoring displays in ICU just went black. All of them. The backup systems too. We have six critical patients up there. What is happening?’
Your worst fear is realized: the ransomware isn’t just going after data. It’s going after life-critical systems.”
Why this works:
- Evolution feels organic, not mechanical
- Each stage reveals through symptoms (file servers → domain controllers → patient monitoring)
- NPCs discover and report escalation (Dr. Martinez brings bad news)
- Participant actions (or inaction) influence timing
- Stakes escalate emotionally (data → credentials → lives)
Practical Storytelling Workflow: 5-Minute Scenario Card Prep
Here’s how to prepare storytelling elements efficiently:
Minute 1: Hook Internalization
- Read the scenario card hook
- Identify the key pressure point: “Hospital goes live in 72 hours”
- Rephrase in present tense: “You’re 72 hours from the biggest go-live in company history…”
- Practice once out loud
Minute 2: NPC Voice Preparation
- Pick the most important NPC (usually the one under most pressure)
- Give them a signature trait: Sarah = exhausted, speaking fast, keyboard always typing
- Prepare their opening line: “I know it’s early but we have a problem…”
- Think about what they want: Deadline success > Security thoroughness
Minute 3: Stakes Translation
- Convert abstract stakes to specific consequences
- Card says: “Patient safety data + HIPAA compliance”
- You prepare: “St. Mary’s Hospital, 400 beds, cardiology center of excellence. If this goes wrong, patient monitoring systems fail. People could die.”
Minute 4: Secret Revelation Planning
- Identify the most important secret
- Plan how participants might discover it: “Through log analysis” or “NPC confession” or “Email discovery”
- Prepare the “aha” moment: “You realize the attacker got in because IT bypassed approval during the deadline crunch”
Minute 5: Opening Line Practice
- Combine hook + pressure + urgency
- Practice your first 30 seconds out loud
- Example: “6 AM Monday. Your phone rings. Sarah Chen, IT Director at MedTech. Her voice is shaking: ‘St. Mary’s Hospital goes live in three hours. The system is failing. We have surgeries scheduled. What do we do?’”
Common Storytelling Mistakes and Fixes
Mistake 1: Reading the Scenario Card Verbatim
❌ What it sounds like: “Your organization is MedTech Solutions, a healthcare technology company with 200 employees. You are in the final week of your largest client implementation…”
✅ How to fix it: Internalize the key facts, then tell it as a situation: “Picture this: small healthcare IT company, everyone knows everyone. Your biggest client ever goes live Monday. Everyone’s working overtime. The CEO mentions it every morning. This is make-or-break.”
Why: Reading sounds like a script. Telling sounds like a story.
Mistake 2: Explaining Everything Upfront
❌ What it sounds like: “Sarah Chen is the IT Director. She’s been working on this project for months. She bypassed security protocols to install updates quickly because of deadline pressure. Now there’s a malware infection. She’s worried about the deadline and also about compliance issues.”
✅ How to fix it: Reveal information progressively through investigation:
- Opening: Sarah calls, panicked about system failures
- Investigation: Participants discover recent “urgent updates”
- Mid-game: Sarah confesses she rushed approvals due to deadline
- Late-game: Compliance officer reveals HIPAA implications
Why: Progressive discovery creates engagement. Information dumps create boredom.
Mistake 3: Narrating Actions Instead of Facilitating Decisions
❌ What it sounds like: “You investigate the logs and find the malware. You contain the infected systems. The attack is stopped. Good job.”
✅ How to fix it: Present situations and let participants decide: “The logs show suspicious processes on 12 workstations. While you’re analyzing, Sarah calls: ‘The hospital is asking if we’re ready for go-live in 90 minutes.’ What do you do?”
Why: Facilitation creates agency. Narration removes it.
Mistake 4: NPCs Without Personality
❌ What it sounds like: “The IT Director tells you about the deadline. The COO asks for status. The customer wants answers.”
✅ How to fix it: Give each NPC a voice:
- Sarah (IT Director): Exhausted, technical, protective of her team: “We’ve been working 16-hour days. My team followed protocol. This isn’t our fault.”
- Jennifer (COO): Business-focused, impatient, doesn’t understand IT: “I don’t need excuses, I need to know when this will be fixed. Use words I understand.”
- David (Hospital CIO): Threatening, contractually focused: “We have options. Other vendors. Is MedTech really the partner we thought you were?”
Why: Distinct voices create memorable characters. Generic NPCs are forgettable.
Mistake 5: Ignoring Participant Expertise
❌ What happens:
Participant: “I’d check if the updates came from the legitimate vendor domain.”
IM: “Uh… let me check the scenario card… um, they were legitimate.”
✅ How to handle it:
Participant: “I’d check if the updates came from the legitimate vendor domain.”
IM: “Great investigative instinct. Walk me through what you’re looking for.”
Participant: “Email headers, sender verification, domain authentication…”
IM: “You pull up the email headers. The ‘From’ address is the vendor domain… but when you check the SPF records and DKIM signatures, something’s off. This email passed basic filters but failed authentication. How would that happen?”
Participant: “Compromised vendor account or sophisticated spoofing.”
IM: “Bingo. Which has bigger implications?”
Why: Trust participant expertise. Use their knowledge to enrich the story.
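The check the participant proposes in the exchange above (and the “email shows vendor domain but suspicious authentication” milestone in the complete example later in this chapter) can be made concrete for IMs who want to narrate it accurately. The following is an added Python example, not material from the M&M scenario cards or planning documents. It reads the receiving mail server’s Authentication-Results header from two constructed messages (the domains vendor.example, medtech.example and mail-relay.example.net and the header values are invented for the drill) and separates the two explanations the participant names: if the DKIM signature or the SPF-checked envelope domain passes and aligns with the visible From: domain, the mail genuinely left infrastructure authorized for the vendor, which points to a compromised vendor account; if From: claims the vendor domain but neither check passes and aligns, it is spoofing that slipped past basic filtering.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample messages for the drill (not from any real incident).
# "vendor.example" stands in for the trusted update vendor and
# "mx.medtech.example" for MedTech's receiving mail server, which records
# its SPF/DKIM/DMARC verdicts in the Authentication-Results header.
SPOOFED_UPDATE_MAIL = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.medtech.example;
 spf=pass smtp.mailfrom=mail-relay.example.net;
 dkim=fail header.d=vendor.example;
 dmarc=fail header.from=vendor.example
From: "Vendor Security Team" <security@vendor.example>
To: it-director@medtech.example
Subject: Critical installation required: security update

Install the attached update before the Monday go-live.
"""

COMPROMISED_ACCOUNT_MAIL = b"""\
Return-Path: <security@vendor.example>
Authentication-Results: mx.medtech.example;
 spf=pass smtp.mailfrom=vendor.example;
 dkim=pass header.d=vendor.example;
 dmarc=pass header.from=vendor.example
From: "Vendor Security Team" <security@vendor.example>
To: it-director@medtech.example
Subject: Critical installation required: security update

Install the attached update before the Monday go-live.
"""


def aligned(candidate: str, from_domain: str) -> bool:
    """Relaxed-style alignment: same domain or a subdomain of it.
    Simplification: real DMARC compares organizational domains using the
    Public Suffix List; the subdomain test is enough for the drill."""
    if not candidate or not from_domain:
        return False
    return (candidate == from_domain
            or candidate.endswith("." + from_domain)
            or from_domain.endswith("." + candidate))


def assess_email_auth(raw: bytes) -> dict:
    """Read the receiving MTA's Authentication-Results header and decide
    whether the visible From: domain is actually proven by SPF or DKIM."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

    # Unfold the header so the regexes see a single line.
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))

    m = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    mailfrom_domain = m.group(1).rpartition("@")[2].lower() if m else ""
    m = re.search(r"header\.d=([^\s;]+)", auth)
    dkim_domain = m.group(1).lower() if m else ""

    # A "pass" only proves the From: domain when the checked domain aligns with it.
    spf_aligned = results.get("spf") == "pass" and aligned(mailfrom_domain, from_domain)
    dkim_aligned = results.get("dkim") == "pass" and aligned(dkim_domain, from_domain)

    if not results:
        verdict = "no_auth_results"
        hint = "No authentication results recorded; treat the sender as unverified."
    elif spf_aligned or dkim_aligned:
        verdict = "authenticated"
        hint = ("Mail genuinely left infrastructure authorized for the From: domain; "
                "if the content is malicious, suspect a compromised vendor account.")
    else:
        verdict = "spoofed"
        hint = ("From: claims the vendor domain but neither SPF nor DKIM proves it; "
                "this is spoofing that slipped past basic filtering.")

    return {
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "dkim_domain": dkim_domain,
        "results": results,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "verdict": verdict,
        "hint": hint,
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_UPDATE_MAIL),
                          ("compromised", COMPROMISED_ACCOUNT_MAIL)):
        r = assess_email_auth(sample)
        print(f"{label}: {r['verdict']} {r['results']} - {r['hint']}")
```

The point for facilitation is the verdict split: a fully aligned pass is the “bigger implications” answer, because it means the vendor’s own sending infrastructure or account was used. In a real investigation you would also walk the Received: chain and verify the DKIM signature yourself rather than trust the recorded verdict, and the alignment test above is deliberately simpler than DMARC’s organizational-domain comparison.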
Storytelling Templates by Scenario Type
Worm/Propagation Scenarios (WannaCry, Code Red)
Opening formula: “[Organization] serves [multiple locations/customers]. [Single infection point]. Now [spreading faster than containment]. [Number] affected and growing. [Time constraint] approaching.”
Example: “Municipal government. 12 departments, 800 employees, 15 different locations. Someone in Parks & Recreation opened an email attachment Monday morning. By Monday afternoon, Public Works couldn’t access systems. By Tuesday, Police Department computers started crashing. Now it’s Wednesday. City Council meeting tonight where you’re supposed to present the annual budget. The budget spreadsheet is on an encrypted server.”
Key storytelling elements:
- Start with single point, show exponential spread
- Use multiple locations/victims to create scale
- Create tension through racing the clock
- Force difficult containment vs. operation decisions
APT/Sophisticated Scenarios (Stuxnet, Noodle RAT)
Opening formula: “[High-value organization]. [Long-term strategic value]. [Subtle symptoms] that seemed innocuous. [Discovery moment] reveals [sophisticated indicators]. [Realization] this is bigger than you thought.”
Example: “You’re the security team at a defense contractor. Last month, an intern reported his laptop was ‘acting weird.’ IT reimaged it. Two weeks ago, engineering mentioned some files seemed corrupted. Blamed storage issues. Yesterday, your SOC analyst was reviewing historical logs for an audit and found something disturbing: that intern’s laptop? The activity didn’t stop after the reimage. It migrated to three engineering workstations. And it’s been quietly exfiltrating CAD files for six weeks.”
Key storytelling elements:
- Build realization that this is sophisticated
- Show how subtle indicators were rationalized away
- Create “oh no” moment when scope is revealed
- Introduce attribution and geopolitical implications
Putting It All Together: Complete Example
Scenario: MedTech Healthcare (GaboonGrabber)
Your 5-minute prep:
1. Hook: Hospital go-live Monday, deadline pressure, IT installed “urgent updates”
2. NPC: Sarah = exhausted, protective, deadline-focused
3. Stakes: Patient safety, $2M contract, company reputation
4. Secret: IT bypassed approval during crunch time
5. Opening: “6 AM Monday, three hours to go-live, system failing”
Your actual facilitation:
Opening (1 minute): “It’s 6 AM Monday morning. You’re the security team at MedTech Solutions - a 200-person healthcare IT company. Your biggest client, St. Mary’s Hospital, goes live with your new EMR system at 9 AM. That’s three hours from now. Your phone rings. It’s Sarah Chen, the IT Director. You can tell immediately something’s wrong:
‘We have a problem. The EMR system is throwing errors I’ve never seen. The cardiac unit integration is failing. We have surgeries scheduled at 10 AM. I… I need you to tell me this is fixable. Please.’
What do you do?”
Investigation (participants drive):
- Participants ask questions, examine systems
- You reveal symptoms progressively
- Sarah provides information when asked, defensive about her team
- Logs reveal “critical security updates” installed yesterday
- Email shows vendor domain but suspicious authentication
Secret revelation (mid-game): “Sarah’s phone rings. You can tell from her face it’s not good news. She steps into the hallway. You hear raised voices. She comes back, looking shaken:
‘That was Jennifer. The COO. She’s in the board meeting right now presenting our Q4 results. St. Mary’s implementation is supposed to be the success story. She wants status in 30 minutes.’
[Sarah sits down heavily]
‘Look… I need to tell you something. When those security updates came through yesterday, we were in crisis mode. The hospital was reporting issues, we had fires everywhere. The updates said “critical installation required.” I… I approved them without the normal security review process. We would have missed the deadline waiting for sign-off.’
She looks at you: ‘That’s how they got in, isn’t it?’”
Response phase (participants decide):
- Hospital calling asking about go-live (delay or proceed?)
- COO demanding answers (explain or cover up?)
- Systems need isolation (disconnect during surgeries?)
- Multiple competing pressures force difficult trade-offs
Resolution (collaborative):
- Participants’ decisions drive outcome
- Consequences flow naturally from choices made
- Sarah faces accountability realistically
- Group discusses what could have prevented this
Why this works:
- Started with immediate crisis (6 AM call, 3 hours to deadline)
- NPCs felt real (Sarah’s exhaustion and defensiveness)
- Stakes were personal (careers, patient safety, company survival)
- Secret revealed through investigation and confession
- Participants drove all decisions
- Ended with natural debrief conversation
Final Storytelling Principles
- The scenario card is your skeleton, not your script
- Internalize the key elements
- Tell it in your own words
- Adapt to your group’s expertise
- Reveal, don’t explain
- Let participants discover through investigation
- Use NPCs to reveal information naturally
- Build tension through progressive disclosure
- Make it human
- Every decision has a person behind it
- Show pressure and rationalization
- Create empathy even for mistakes
- Trust your participants
- Their expertise enriches your story
- Their questions guide discovery
- Their decisions create the best outcomes
- The best stories emerge during play
- Prepare the framework, improvise the details
- Let participant actions shape the narrative
- The most memorable moments are unplanned
Available Planning Documents by Difficulty Tier
Tier 1: Beginner Scenarios (60-90 minutes)
- GaboonGrabber: Healthcare, Education, Financial (3 planning docs)
- Code Red: E-commerce, University, Government (3 planning docs)
- FakeBat: Small Business, Gaming Cafe, Nonprofit, Coworking (4 planning docs)
- Raspberry Robin: Healthcare, Financial, Government, Manufacturing (4 planning docs)
- Wire Lurker: Creative Agency, EdTech, Media (3 planning docs)
Tier 2: Intermediate Scenarios (90-120 minutes)
- WannaCry: Hospital, Law Firm, Municipality (3 planning docs)
- Poison Ivy: Corporate, Financial, Medical (3 planning docs)
- Ghost RAT: Corporate Espionage (1 planning doc)
Tier 3: Expert Scenarios (150 minutes)
- Stuxnet Critical Infrastructure: Manufacturing, Power Plant, Research, Water (4 planning docs)
- Noodle RAT APT: Aerospace, Biotech, Investment Bank, Tech Unicorn (4 planning docs)
- Litter Drifter Nation-State: Aid Organization, Media, Defense, Government (4 planning docs)
- Ghost RAT Advanced: Law Firm, University, Financial Firm (3 planning docs)
- LockBit Advanced: Hospital, Law Firm, Municipality (3 planning docs)
Total: 42 comprehensive planning documents available
How Planning Documents Work
Each planning document follows a standardized 12-section structure:
- Quick Reference Summary: At-a-glance session information
- Game Configuration Templates: 4 pre-configured session types
- Scenario Overview: Narrative context and technical details
- NPC Reference: Detailed stakeholder profiles and motivations
- Investigation Timeline: Milestone-based discovery progression
- Response Options Matrix: Type effectiveness and decision frameworks
- Round-by-Round Facilitation: Detailed guidance for each game round
- Pacing & Timing: Session flow and time management strategies
- Debrief Discussion Prompts: Structured learning synthesis questions
- Facilitator Quick Reference: One-page cheat sheet for during sessions
- Customization Notes: Adaptation guidance for different groups
- Cross-References: Links to scenario cards, malmon details, and related resources
Integration with Your Workflow
30-Minute Preparation with Planning Documents:
- Minutes 1-10: Read Quick Reference Summary and choose Game Configuration Template
- Minutes 11-20: Review NPC Reference and Investigation Timeline
- Minutes 21-25: Study Round-by-Round Facilitation Guide for first 2 rounds
- Minutes 26-30: Review Pacing Guidance and Facilitator Quick Reference
5-Minute Preparation with Planning Documents:
- Minute 1: Quick Reference Summary only
- Minute 2: NPC Reference key motivations
- Minute 3: Investigation Timeline milestones
- Minute 4: Facilitator Quick Reference review
- Minute 5: Print/bookmark for session reference
Key Resources
- Planning Template Guide: Complete explanation of planning document structure and usage: Planning Template Guide
- Scenario Planning Template: Master template for creating your own planning documents: Scenario Planning Template
- Scenario Cards Index: Browse all available scenario cards: Scenario Cards
Step 4: Complete Preparation Workflows
This section provides narrative walkthroughs showing how configuration templates, preparation resources, and storytelling techniques work together for different session formats. Each workflow shows the complete integration process from start to finish.
Workflow 1: Your First Quick Demo (40 Minutes)
Scenario: You’ve been asked to deliver a 40-minute M&M demo at a conference. You’re a first-time IM. Here’s exactly how to prepare using a planning document.
Your Preparation Journey
Day Before the Demo (30 minutes):
You open the GaboonGrabber Healthcare Planning Document. The first thing you see is Section 1: Quick Reference - perfect! This tells you everything at a glance: Tier 1 beginner scenario, healthcare context, 40-minute Quick Demo format recommended.
You scroll down to Section 2: Game Configuration Templates and find the “Quick Demo Configuration (35-40 min)” subsection. It’s all pre-configured: 1 round, 1 action per player, guided investigation, pre-defined responses. The template tells you exactly what to focus on: “Fast-paced demonstration showing how project pressure creates security vulnerabilities.”
Now you understand the structure. Next, Section 3: Scenario Overview - this is where the scenario card content lives. You read the Opening Presentation: “It’s Friday afternoon at MedTech Solutions, and the mood should be celebratory…” You say it out loud a few times, making it your own. The hospital go-live deadline on Monday - that’s the pressure. You feel it.
The Initial Symptoms are listed: computer slowdowns, unexpected pop-ups, “urgent security update” emails. You make a mental note: you’ll present these symptoms and ask the group what they notice.
Section 4: NPC Reference - you focus on the two Essential NPCs for Quick Demo format: Sarah Chen (stressed IT Director) and David Kim (client CIO threatening penalties). You practice Sarah’s voice - quick, defensive, exhausted. David’s voice - formal, businesslike, impatient. You note Sarah’s confession moment: she approved bypassing security for the deadline.
Skip ahead to Section 7: Round-by-Round Facilitation Guide. You read the Round 1 opening narration. You review the “Expected Player Actions” section - it tells you exactly what to do when players investigate: “Detective examining email logs: Reveal sophisticated spoofing… Ask: ‘What patterns do you notice?’”
The “Pre-Defined Response Options” are in Section 6: Isolate & Re-image (guarantees removal but time-consuming), Network Segmentation (quick containment), Block Domain (partial effectiveness). You’ll present these three options and let the group choose.
Finally, Section 10: Facilitator Quick Reference - you print this one-page cheat sheet showing type effectiveness and common facilitation challenges. This stays with you during the demo.
Time spent: 30 minutes. You feel prepared.
Morning of Demo (5 minutes):
Quick review of your printed Facilitator Quick Reference. You practice the opening hook once more: “It’s Friday afternoon at MedTech Solutions, the mood should be celebratory, but instead there’s growing concern…”
You check your materials: planning document pulled up on tablet, printed reference sheet, you’ll project the opening scenario on screen. Ready.
During the Demo:
You open with the hook, using present tense and emotion. Participants immediately engage - one says “I’ve lived this exact situation.” You present the symptoms. Players start investigating. You guide them using the Round 1 facilitation section, presenting clues when they ask good questions.
When they identify GaboonGrabber, you introduce the time pressure: David Kim just called demanding go-live confirmation. You present the three response options. The group debates. They choose network segmentation with enhanced monitoring - balancing security and business continuity.
You run the quick debrief from Section 9: “What made the IT team vulnerable? How did deadline pressure create the opening?” Rich discussion follows.
Result: Successful 40-minute demo. The planning document structure kept you on track. You never felt lost.
Workflow 2: Lunch & Learn Session (90 Minutes)
Scenario: You’re running a regular team training session. You’ve facilitated M&M a few times. You’re comfortable but want structure for the two-round format.
Your Preparation Journey
Two Days Before (30 minutes):
You’re using the same GaboonGrabber Healthcare Planning Document, but this time you go to Section 2: Lunch & Learn Configuration instead of Quick Demo.
The configuration shows: 2 rounds, 2 actions per player, “guided with player choice” investigation, “mix of pre-defined and creative approaches” for response. Time breakdown: Round 1 (20 min), Round 2 (25 min). The focus: “Balanced experience exploring social engineering + technical analysis + stakeholder pressure.”
This means you’ll guide more loosely than in the Quick Demo: players choose their own investigation paths, and you facilitate based on their decisions.
You review Section 3: Scenario Overview again, but this time you also study the organizational culture details: “High-pressure project culture where deadlines frequently override processes… ‘Client first’ mentality… Recent management emphasis on ‘user experience’ over security.” These will come up in Round 2 when you dig deeper.
Section 4: NPC Reference - this time you’ll use the full NPC cast: Sarah, Mike (hospital nurse), David, and Jennifer (COO). You develop each voice. Mike is patient-focused and frustrated with tech jargon. Jennifer is results-oriented and demanding action plans.
Now Section 5: Investigation Timeline. You study both Round 1 and Round 2. Round 1 is discovery - players identify GaboonGrabber. Round 2 is investigation - they discover hospital network exposure and approach the 24-hour secondary payload threshold. The “Situation Update” at Round 2 is key: “David Kim just called for the third time… approaching 24-hour threshold.”
Section 7: Round-by-Round Facilitation - you read Round 1 and Round 2 guides carefully. Round 1 ends with: “You understand what happened. Now you need to understand how bad this could get.” That’s your transition. Round 2 introduces the pressure points hour-by-hour.
Section 6: Response Options shows type-effective approaches. You’ll encourage creative solutions but guide toward behavioral analysis (most effective against Trojans) if they get stuck.
Time spent: 30 minutes. You understand the two-round arc.
Day of Session (10 minutes):
Review the Facilitator Quick Reference. Re-read the Round 1 and Round 2 opening narrations. You note the key questions from Section 7 to ask when players get stuck. Print the Type Effectiveness Chart to reference.
During the Session:
Round 1 flows naturally. Players investigate, you present clues from Section 5 based on their role actions. They identify GaboonGrabber using behavioral analysis - excellent use of type effectiveness.
You transition with the Round 2 situation update. Now things get complex. Players discover the hospital network exposure. Mike Rodriguez calls about nursing staff readiness. Jennifer demands explanations. Players feel the pressure mounting.
Round 2 becomes about decision-making under constraints. They propose a hybrid approach: immediate containment, enhanced monitoring, phased cleanup. You adjudicate using the Response Options guidance - this balances security and business continuity well.
The debrief explores organizational culture: why did this happen? What needs to change systemically? Players connect it to their own workplace experiences.
Result: Engaging 90-minute session. The two-round structure provided narrative arc. Planning document gave you confidence to facilitate dynamically while maintaining structure.
Workflow 3: Full Game Session (2-3 Hours)
Two Preparation Paths for Different Experience Levels:
Path A: Intermediate IM Using Planning Document (30-minute prep)
You’re comfortable facilitating but want comprehensive support for the longer three-round format.
Your Preparation:
Same planning document, but you focus on Section 2: Full Game Configuration: 3 rounds, 2 actions per player, “open investigation,” “creative response,” full role complement, badge tracking enabled.
The key difference: “Players have the freedom to investigate as they see fit, using ‘Key Discovery Paths’ as a guide for the IM. They must come up with their own solutions, rather than choosing from a pre-defined list.”
You study all three rounds in Section 7: Round-by-Round Facilitation. Round 3 is the Response Phase with the “Critical Decision Point” narration. You note this is where players face the hard choice: delay go-live for thorough cleanup vs. proceed with enhanced monitoring.
Section 8: Pacing & Timing Notes becomes essential. You review the “If Running Long” and “If Running Short” strategies. You note the “If Team is Stuck” interventions.
The Section 6: Response Options section is crucial - you’ll use “Creative Response Guidance” to encourage innovation, then adjudicate using type effectiveness principles rather than presenting pre-defined options.
During the Session:
You facilitate all three rounds, giving players freedom to explore. Round 1: Discovery and identification. Round 2: Deep investigation revealing the scope. Round 3: The business vs. security decision.
The team develops a creative solution you hadn’t anticipated: they propose engaging Riverside General’s security team as partners, turning the incident into a relationship-strengthening opportunity. You adjudicate positively - this shows sophisticated stakeholder thinking.
The extended debrief from Section 9 allows deep exploration of organizational culture, security as business enabler, and the balance between thoroughness and pragmatism.
Path B: Experienced IM Using Scenario Card Only (5-minute prep)
You’ve facilitated dozens of M&M sessions. You trust your improvisation skills and want maximum flexibility.
Your Preparation:
You open the GaboonGrabber Healthcare Scenario Card. You quickly absorb the key elements from the scenario metadata block:
- Organization: MedTech Solutions, healthcare tech, 200 employees
- Hook: Final week before go-live, stressed IT clicking through warnings
- Pressure: Hospital goes live in 3 days, patient safety at stake
- NPCs: Sarah (stressed IT Director), Mike (frustrated nurse), Jennifer (COO), David (client CIO threatening penalties)
- Secrets: IT bypassed approval process, management prioritized experience over security, attacker targets implementation phases
- Villain Plan: Stage 1 (delivered malware), Stage 2 (reconnaissance), Stage 3 (secondary payload deployment)
You practice the hook delivery using techniques from Step 3: Building Compelling Stories. You internalize the pressure: “It’s Friday, Monday is go-live, everyone’s exhausted and clicking through to maintain momentum.”
You prepare NPC voices: Sarah quick and defensive, David formal and threatening, Mike patient-focused and frustrated.
You note the secret reveals: Sarah will confess to bypassing security mid-game when pressure mounts. The organizational culture prioritizes speed over safety - that’s the root cause.
Time spent: 5 minutes.
During the Session:
You open with the hook, using storytelling techniques. Players immediately feel the deadline pressure - several say “This is my life.”
Round 1: You present symptoms as they investigate. They use role-based approaches to discover GaboonGrabber. You reveal the sophisticated phishing using the Detective investigation path from the scenario card.
Round 2: You escalate. Hospital network exposure becomes apparent. David calls with legal team CC’d. Sarah admits the security shortcuts. Players face the complexity.
Round 3: You frame the critical decision using the pressure points. Players debate. They develop a creative balanced approach.
You facilitate the three-round arc naturally, adapting to player choices in real time. The scenario card provided the narrative foundation; you brought it to life through facilitation.
Result: Both paths lead to successful Full Game sessions. Planning document provides comprehensive structure for intermediate IMs. Scenario card provides narrative foundation for experienced improvisers.
Workflow 4: Advanced Challenge (3+ Hours)
Scenario: You’re facilitating for an expert team who wants maximum challenge. You’ll customize the planning document to add complexity.
Your Preparation Journey
Week Before (45 minutes):
You start with the planning document, but immediately go to Section 11: Scenario Customization Notes and focus on “Make Harder (For Expert Teams).”
The suggestions:
- Add red herrings (legitimate EMR bugs creating confusion)
- Introduce potential insider threat angle
- Expand Multi-Payload Deployment (actually deploy secondary payloads if team too slow)
- Add media pressure (local news picks up story)
- Require innovation (remove reference materials)
- Use Advanced Challenge format with subtle evidence
You review Section 2: Advanced Challenge Configuration - 4+ rounds, complex multi-threaded investigation, innovative solutions required, subtle evidence with red herrings.
You design your customizations:
Round 1: Standard discovery, but you’ll add legitimate EMR system bugs creating initial confusion - is it malware or software issues?
Round 2: When they identify GaboonGrabber, you’ll introduce the insider threat angle - evidence suggesting someone may have facilitated the attack (turns out to be coincidental, but adds investigation complexity).
Round 3: If they don’t contain the threat quickly enough, GaboonGrabber’s Multi-Payload Deployment actually triggers. Now they’re dealing with multiple malware families simultaneously.
Round 4: Media picks up hints of “security problems at healthcare implementation firm.” Now they’re managing technical response, business relationships, AND public perception.
You study the Section 5: Investigation Timeline Round 2 “Threat Hunter Proactive Findings” section to understand the attribution clues. You’ll make these more subtle for expert teams.
You prepare complex stakeholder interactions from Section 4: NPC Reference, adding the optional NPCs and giving them hidden agendas.
Time spent: 45 minutes customizing the scenario for expert challenge.
During the Session:
Four rounds of intense investigation and response. Players appreciate the complexity - they’re challenged but not overwhelmed. The red herrings make them question assumptions. The insider threat angle adds paranoia and careful evidence evaluation.
When Multi-Payload Deployment triggers in Round 3 (they were slightly too slow), the team has to adapt their strategy mid-execution. Excellent learning about incident response flexibility.
Round 4 introduces the media dimension. Players develop sophisticated crisis communication strategies alongside technical response.
The extended debrief explores advanced topics: attribution complexity, APT-level persistence, organizational security culture change, and industry-wide vulnerability patterns.
Result: Expert team deeply engaged for 3.5 hours. Customization made familiar scenario feel novel and challenging.
Workflow 5: Experienced IM Fast Prep (Any Format)
Scenario: You’re an experienced IM. You can run any format (Quick Demo, Lunch & Learn, Full Game) using just scenario cards with 5 minutes of prep.
Your General Approach
For Any Session Format (5 minutes prep):
- Minute 1: Read scenario card hook and organization context
  - Understand the pressure point and deadline
  - Identify what makes this organization vulnerable NOW
- Minute 2: Prepare NPC voices and motivations
  - Give each character a distinct personality
  - Note the key conflicts and competing priorities
- Minute 3: Plan secret revelations
  - How will players discover organizational vulnerabilities?
  - What’s the mid-game confession moment?
- Minute 4: Review villain plan stages
  - Stage 1 (already happened): Initial compromise
  - Stage 2 (current): What players will discover
  - Stage 3 (threat): How malmon escalates if not contained
- Minute 5: Format adaptation
  - Quick Demo: Plan 1-round guided investigation with 3 response options
  - Lunch & Learn: Plan 2-round arc with evolution between rounds
  - Full Game: Plan 3-round complete narrative with critical decision point
Your Facilitation Style:
You trust your improvisation skills. The scenario card gives you a rich narrative foundation. You adapt to player choices in real time. Type effectiveness guides your adjudication. You facilitate discovery through questions rather than exposition.
When players take unexpected investigation paths, you use the scenario card elements (NPCs, secrets, villain plan) to respond organically. When they propose creative responses, you adjudicate using type effectiveness principles.
Result: Confident, flexible facilitation for any format using minimal prep time. Years of experience let you bring scenario cards to life through storytelling and dynamic adaptation.
Integration Summary: How Everything Works Together
The Complete M&M Preparation System:
- Step 1: Choose Your Session Configuration
  - Pick format (Quick Demo, Lunch & Learn, Full Game, Advanced Challenge)
  - Use configuration templates to define structure
- Step 2: Choose Your Preparation Resource
  - New/Intermediate IMs: Use planning documents (30-min prep)
  - Experienced IMs: Use scenario cards only (5-min prep)
- Step 3: Apply Storytelling Techniques
  - Transform scenario card elements into compelling narratives
  - Prepare hook delivery, NPC voices, secret revelations
- Step 4: Follow Format-Specific Workflow (This Step)
  - Use the workflow matching your format and experience level
  - Integrate configuration + resources + storytelling
The system adapts to:
- Your experience level (new to expert)
- Your available prep time (5 to 45 minutes)
- Your session format (40 minutes to 3+ hours)
- Your group’s needs (beginners to experts)
All paths lead to successful sessions. Choose the level of support you need. The resources work together to give you confidence and flexibility.
IM Preparation Quick Reference
Session Prep Guide
🔄 Preparation Steps
📦 Required Materials
- Scenario cards (plus backups)
- Malmon cards for selected threat
- Physical d20 dice
- Network Security Status tracker
- Role reference cards
- Blank paper and pens
💡 Pro Tips
Trust the scenario card - it contains everything you need. Your job is facilitation, not expertise. Focus on asking questions that connect to participants' real-world experience.
🔧 Common Issues
If the scenario doesn't resonate with the group's expertise, pivot to collaborative context creation using the organizational templates from the preparation guides.
Transforming M&M Sessions Through Rich Narrative
The M&M Scenario Card system is a fundamental evolution in how cybersecurity education is facilitated: it turns sessions from technical exercises into compelling, human-centered learning experiences. The cards provide rich professional context while leaving technical content to emerge from player expertise, which enables better improvisation and more meaningful learning in an incident response tabletop exercise.
The Integration Philosophy
Enhancing, Not Replacing
Scenario cards build upon the proven M&M framework for gamified incident response training:
- Core mechanics remain unchanged: Role-based investigation, type effectiveness, evolution triggers
- Lazy IM philosophy enhanced: Rich backstories enable better improvisation and adaptation
- Question-driven discovery improved: Compelling scenarios generate more meaningful questions and richer collaborative learning
- Player expertise leveraged: Realistic organizational contexts connect to participants’ professional experience
From Technical to Human-Centered
Traditional Approach: “Your organization has been compromised by GaboonGrabber. Begin investigating.”
Scenario Card Approach: “MedTech Solutions is 72 hours from their biggest client go-live ever. St. Mary’s Hospital is depending on the new EMR system Monday morning. During the final push yesterday, IT staff received ‘critical security updates’ that seemed legitimate given the project pressure. Now systems are failing and the project timeline is at risk.”
The Transformation:
- Immediate stakes: Players understand what matters and why
- Compelling timeline: Pressure creates natural urgency without artificial constraints
- Realistic context: Professional experience connects to scenario elements
- Rich investigation: Multiple paths and stakeholder perspectives drive discovery
Example Scenario Card
Here’s a complete scenario card to demonstrate the structure:
This single card provides everything needed for a rich, 90-minute session: compelling professional context, realistic stakeholder dynamics, and natural investigation paths that connect to participants’ real expertise.
The New IM 30-Minute Scenario Card Preparation
First-Time Facilitator Complete Prep Using Scenario Cards
Minutes 1-5: Essential Materials Preparation
Core Game Materials:
Minutes 6-10: Scenario Card Selection
Choose Based on Group and Learning Objectives:
- High-tech group → Technology/Healthcare scenario cards
- Mixed group → Healthcare/Financial scenario cards
- Business-focused → Manufacturing/Financial scenario cards
- Academic → Municipal/Research scenario cards
Scenario card categories with built-in professional context:
- GaboonGrabber Cards: Social engineering, trust exploitation, deadline pressure
- WannaCry Cards: Network propagation, multi-site coordination, rapid response
- Stuxnet Cards: Critical infrastructure, sophisticated threats, geopolitical context
Scenario Card Examples by Industry
Here are snippet previews showing how different industries and contexts create varied challenges:
Each card provides complete context: Hook, Pressure, NPCs, Secrets, Villain Plan
Minutes 11-15: NPC Development and Context Mastery
Master your scenario card’s stakeholders:
Primary NPC Understanding:
- Role and responsibilities: What they manage day-to-day
- Core concerns: What keeps them awake at night
- Success criteria: What a “win” looks like for them
- Constraints: Why they can’t just “shut everything down”
Stakeholder Dynamics:
- Competing priorities: Security vs. Operations vs. Compliance
- Time pressures: Real deadlines creating authentic urgency
- Information flow: Who reports to whom in crisis
- Decision authority: Who ultimately makes the call
Minutes 16-20: Hook Mastery and Opening Preparation
Internalize your scenario’s hook:
Professional Context Elements:
- Industry situation: Context players will immediately recognize
- Time pressure: Specific business deadline creating urgency
- Vulnerability creation: Why security was compromised under pressure
- Current symptoms: What’s happening NOW that demands response
Practice Opening Delivery:
- “[Organization] is [timeframe] from [critical deadline]…”
- “During [pressure situation], [stakeholder] approved [security compromise]…”
- “Now [symptoms] are appearing…”
- “What would worry you most in this situation?”
Minutes 21-25: Context-Driven Question Development
Prepare scenario-specific questions:
Context Integration Questions:
- “Given [organization’s situation], what would worry you most?”
- “In [industry context], who would feel this pressure first?”
- “How would [primary stakeholder] be thinking about this?”
- “What makes this timing particularly problematic?”
Stakeholder Perspective Questions:
- “What would [IT Director] be concerned about right now?”
- “How would [Business Sponsor] want this handled?”
- “What would success look like from [stakeholder] perspective?”
Professional Reality Questions:
- “How would you handle [competing pressures] in your organization?”
- “What would this response look like in your real workplace?”
- “Who would you need to coordinate with for this approach?”
Minutes 26-30: Contingency Planning
Backup Plans:
- Alternative Malmon: If chosen one doesn’t resonate with group
- Simplified scenario: If group struggles with complexity
- Extended scenario: If group moves faster than expected
- Time management: Strategies for running long or short
Emergency Protocols:
- Silent group: Prepared icebreaker questions
- Dominated discussion: Techniques for balanced participation
- Technical disputes: Facilitation methods for conflicting expertise
- Technology failure: Pen-and-paper alternatives
The Experienced IM 5-Minute Scenario Card Preparation
Streamlined Workflow for Regular Facilitators
Minute 1: Scenario Card Selection
- Choose card based on group expertise and learning objectives
- Consider industry match and stakeholder complexity
- Have backup card from different context ready
Minute 2: Secrets and Clues Preparation
Using the Sly Flourish secrets and clues methodology (see Sly Flourish Principles):
- Identify core secret: Why did this attack succeed in this organization?
- Scatter 3-4 clues: Evidence discoverable through different investigation paths
- Plan revelation: How will each role naturally uncover clues through their expertise?
Minute 3: NPC Motivation Review
- Quick scan of primary stakeholder concerns and constraints
- Identify key stakeholder conflicts and competing priorities
- Review why normal security processes were bypassed
Minute 4: Hook Internalization
- Practice opening hook delivery connecting context to symptoms
- Understand why this attack is happening NOW
- Prepare transition from hook to investigation questions
Minute 5: Pressure Timeline Understanding
- Review business deadline and why it can’t move
- Understand escalation stages if threat evolves
- Prepare authentic urgency without rushing facilitation
Final Steps: Question Preparation and Setup
- Prepare context-driven discovery questions
- Materials check: scenario card, dice, tracking sheets
- Mental transition to facilitator mode
When to Spend More Time
Extend preparation for:
- Unfamiliar groups: Need more stakeholder dynamic contingency planning
- New scenario cards: Require deeper professional context review
- High-stakes sessions: Conference workshops, executive audiences
- Complex stakeholder dynamics: Multi-authority or regulatory scenarios
Stick to 5 minutes for:
- Regular groups: Known professional backgrounds and dynamics
- Familiar scenario cards: Comfortable with context and stakeholders
- Standard sessions: Normal learning objectives and complexity
- Confident facilitation: Experience with context-driven questioning
Malmon Selection Decision Trees
Based on Group Composition
High Technical Expertise Groups
Experienced SOC analysts, security engineers, incident responders
Recommended Malmons:
- Stuxnet (if industrial experience present)
- Noodle RAT (advanced persistence concepts)
- LockBit (complex ransomware operations)
- WannaCry (network propagation mechanics)
Avoid:
- GaboonGrabber (too basic)
- FakeBat (obvious techniques)
Mixed Expertise Groups
Combination of technical and business professionals
Recommended Malmons:
- GaboonGrabber (clear concepts, good learning progression)
- Raspberry Robin (tangible USB infection vector)
- Gh0st RAT (classic remote access techniques)
- WireLurker (cross-platform concepts)
Focus on:
- Clear type effectiveness
- Collaborative learning opportunities
- Business impact discussions
Business-Focused Groups
Managers, compliance, risk management, executives
Recommended Malmons:
- FakeBat (clear deception, business impact)
- GaboonGrabber (social engineering focus)
- LockBit (business continuity implications)
- Code Red (historical context, business lessons)
Emphasize:
- Business impact and decision-making
- Communication and coordination
- Risk management perspectives
Based on Learning Objectives
Technical Skill Development
- WannaCry: Network propagation and patching
- Stuxnet: Advanced evasion and attribution
- Noodle RAT: Fileless techniques and persistence
- Poison Ivy: Classic RAT capabilities
Incident Response Process
- GaboonGrabber: Full IR lifecycle
- Raspberry Robin: Containment and forensics
- Gh0st RAT: Coordination and communication
- LockBit: Business continuity and recovery
Threat Intelligence and Attribution
- Stuxnet: Nation-state analysis
- Gh0st RAT: APT group characteristics
- LitterDrifter: Geopolitical context
- Noodle RAT: Campaign tracking
Organization Context Templates
Quick Context Generator
Healthcare Organizations
- Stakes: Patient safety, HIPAA compliance, operational continuity
- Critical assets: EMR systems, patient data, medical devices
- Vulnerabilities: Legacy systems, user convenience, interconnected devices
- Constraints: Cannot disrupt patient care, strict privacy requirements
Financial Services
- Stakes: Customer trust, regulatory compliance, financial stability
- Critical assets: Transaction systems, customer data, trading platforms
- Vulnerabilities: High-value targets, complex integrations, mobile access
- Constraints: Regulatory reporting, availability requirements, fraud prevention
Manufacturing/Industrial
- Stakes: Production continuity, worker safety, competitive advantage
- Critical assets: Control systems, proprietary processes, supply chain data
- Vulnerabilities: Assumed air gaps (bridged in practice by USB media and vendor laptops), legacy systems, remote monitoring
- Constraints: Safety systems, production schedules, physical security
Technology Companies
- Stakes: Intellectual property, customer data, service availability
- Critical assets: Source code, customer databases, cloud infrastructure
- Vulnerabilities: Developer tools, cloud misconfigurations, supply chain
- Constraints: Rapid development cycles, distributed workforce, scalability
Collaborative Context Creation
Group-Driven Approach
Instead of pre-selecting, let the group decide:
- “What kind of organization are you protecting today?”
- “What would be devastating if compromised?”
- “What makes your organization unique or challenging to secure?”
Benefits:
- Immediate investment in scenario
- Authentic expertise application
- Natural constraints and considerations
- Real-world relevance
Core Integration Points
Integration with Role-Based Investigation
Enhanced Role Clarity
Scenario cards provide organizational context that makes roles immediately meaningful:
Detective Role:
- Traditional: “Investigate the compromise”
- With Scenario Cards: “Sarah (IT Director) needs to understand what happened during the project crunch - interview staff, analyze logs, determine attack timeline”
Protector Role:
- Traditional: “Identify systems to protect”
- With Scenario Cards: “Critical hospital systems go live Monday - determine what’s at risk, implement containment without disrupting patient care”
Communicator Role:
- Traditional: “Coordinate team response”
- With Scenario Cards: “Hospital CIO is calling hourly demanding updates - manage stakeholder communication while coordinating technical response”
Natural Investigation Paths
NPCs and organizational context create realistic investigation opportunities:
- Staff interviews reveal social engineering vectors and organizational pressures
- System dependencies show critical assets and business impact priorities
- Timeline pressures create realistic constraints on investigation thoroughness
- Stakeholder concerns drive investigation priorities and communication needs
Integration with Question-Driven Discovery
Enhanced Question Frameworks
Scenario cards provide rich context for more meaningful discovery questions:
Discovery Phase Questions:
- “Given the pressure [organization] was under, what would make [specific stakeholder] click on suspicious emails?”
- “How would [business deadline] affect normal security awareness and procedures?”
- “What organizational factors would make this attack particularly effective at this time?”
Investigation Phase Questions:
- “If [critical deadline] is missed, what are the real consequences for [specific stakeholders]?”
- “How would [regulatory requirement] affect your investigation approach and evidence collection?”
- “What would [key customer/partner] do if they knew about this security incident?”
Response Phase Questions:
- “Given [specific organizational constraint], what response options are actually feasible?”
- “How would you manage [stakeholder conflict] while responding to this cybersecurity threat?”
- “What communication strategy maintains [key relationship] during incident response?”
Contingency Planning
Alternative Scenarios
Backup Malmon Strategy
Always have 2-3 Malmons prepared:
- Primary choice: Based on group and objectives
- Simpler backup: If group struggles with complexity
- Complex alternative: If group advances quickly
Time Management Alternatives
Running Long (Extra 30+ minutes):
- Extended investigation phase
- Multiple evolution scenarios
- Advanced response techniques
- Detailed debrief and lessons learned
Running Short (30+ minutes remaining):
- Accelerated discovery phase
- Combined investigation/response
- Quick evolution challenge
- Rapid debrief with key takeaways
Severe Time Constraints (Under 60 minutes):
- Single-round scenario
- Focus on one aspect (discovery or response)
- Mini-session with core concepts
- Promise follow-up session
Group Dynamic Challenges
Silent Group Protocol
- Structured icebreakers: “Share one cybersecurity concern”
- Direct questions: Address individuals by name and role
- Collaborative tasks: Force interaction through shared problems
- Lower stakes: Reduce pressure with hypothetical scenarios
Dominated Discussion Management
- Rotation systems: Ensure everyone speaks before anyone speaks twice
- Role-specific questions: Direct questions to quiet participants
- Private coaching: Brief sidebar with dominant speaker
- Structural solutions: Break into smaller groups
Technical Knowledge Gaps
- Peer teaching: Connect experts with learners
- Simplified scenarios: Reduce technical complexity
- Common sense focus: Emphasize logical thinking over technical knowledge
- Learning opportunities: Frame gaps as discovery moments
Emergency Protocols
Technology Failures
- Backup methods: Paper alternatives for all digital tools
- Simple substitutions: Use coin flips instead of dice apps
- Manual tracking: Paper Network Security Status tracker
- Continue regardless: Don’t let technology stop the session
Participant Issues
- Late arrivals: Quick integration techniques
- Early departures: Graceful role transitions
- Disruptive behavior: Professional de-escalation
- Medical/personal emergencies: Session pause and support protocols
Facilitator Challenges
- Knowledge gaps: Redirect to group expertise
- Time pressure: Flexible scenario adaptation
- Group conflict: Neutral facilitation techniques
- Personal stress: Breathing techniques and perspective
Pre-Session Checklist
24 Hours Before
1 Hour Before
10 Minutes Before
Example: Following the Method in Practice
Let’s walk through using this method to prepare for a session with a mixed-expertise group.
Group Context
You have 5 participants: an IT manager, a software developer, a compliance officer, a network admin, and a project manager. They work in different organizations but all deal with healthcare technology.
Following the Preparation Activities
Activity 1: Scenario Card Selection
Your thinking: Mixed group with a healthcare focus. The GaboonGrabber healthcare scenario will resonate: social engineering they can all relate to, technical depth for the IT folks, business pressure for the managers.
Your choice: GaboonGrabber “MedTech Solutions” scenario card
Backup: WannaCry hospital scenario (if they want more technical network focus)
Activity 2: NPC Motivation and Context Review
From the scenario card, you understand:
Sarah (IT Director): Under massive pressure to deliver the hospital EMR system on time. The Monday go-live cannot be delayed: hospital staff are already trained and the old system is being decommissioned. She’s been cutting corners on security approvals because “the project absolutely cannot fail.”
Dr. Martinez (Hospital CIO): Depending on MedTech to deliver Monday. If EMR isn’t ready, hospital operations could be severely disrupted. Patient safety is her primary concern, but she needs the new system.
Mike (MedTech CEO): This contract makes or breaks the company. If St. Mary’s cancels, MedTech loses credibility and probably goes under. He’s been pushing everyone to “do whatever it takes.”
Competing priorities: Security vs. delivery timeline vs. patient safety vs. business survival.
Activity 3: Hook Internalization and Opening
Your opening: “MedTech Solutions is 72 hours from their biggest client go-live ever. St. Mary’s Hospital has trained 200 staff members and is shutting down their old EMR system Sunday night. The new system absolutely must work Monday morning for patient safety. Yesterday, during the final integration push, IT staff received ‘critical security updates’ from what looked like Microsoft. Under pressure to keep the project on track, they approved the updates immediately. Now systems are running 30% slower and the help desk is getting calls about pop-ups. What would worry you most in this situation?”
Activity 4: Pressure Timeline and Evolution Planning
Business deadline: Monday morning hospital go-live - immovable because:
- 200 hospital staff already trained on new system
- Old EMR being decommissioned Sunday night
- Patient care depends on working system Monday
If threat evolves:
- Stage 1: Performance issues (current)
- Stage 2: Data exfiltration and system corruption
- Stage 3: Complete system failure Sunday night; the hospital cannot treat patients Monday
Activity 5: Question Preparation and Materials Setup
Your prepared questions:
- “Given the project pressure MedTech was under, what would make IT staff click on security updates without proper verification?”
- “If this system fails Monday morning, what happens to patient care at St. Mary’s?”
- “How would you balance cybersecurity response with the absolute need to have systems working in 72 hours?”
- “What would Sarah (IT Director) be most afraid of - the cyberattack or missing the deadline?”
Materials ready: GaboonGrabber malmon card, scenario card, dice, whiteboard markers, participant name tags.
What This Preparation Achieves
Immediate engagement: Players understand the stakes before you even explain the technical threat.
Professional relevance: Everyone has experienced project pressure and stakeholder conflicts.
Natural investigation paths:
- IT Manager: “I need to understand what these updates actually did”
- Developer: “How do we fix this without breaking the go-live?”
- Compliance Officer: “What are our reporting requirements if patient data is at risk?”
- Network Admin: “I want to trace what network connections these updates made”
- Project Manager: “How do we coordinate response while maintaining the timeline?”
Rich facilitation opportunities: You can represent Sarah’s desperation, Dr. Martinez’s patient safety concerns, and Mike’s business survival fears to create realistic tension and decision-making pressure.
Multiple learning outcomes: Social engineering awareness, incident response coordination, business-security balance, stakeholder management under pressure.
During the Session
Your job becomes easy because the scenario card provides:
- Context players immediately understand
- Stakeholders you can role-play naturally
- Business pressure that creates realistic urgency
- Multiple investigation angles for different expertise
- Authentic decision-making dilemmas
Instead of lecturing about GaboonGrabber techniques, you ask: “Given what you’ve found, what would worry you about this ‘security update’ from Sarah’s perspective?”
Players discover the technical details while you facilitate the human drama.
Post-Preparation Mindset
Confidence Building
Remember:
- Preparation is foundation, not script: Be ready to adapt
- Players provide content: Your job is facilitation, not information delivery
- Mistakes are learning: Both for you and participants
- Questions > answers: When in doubt, ask the group
- Success is participation: Everyone contributing meaningfully
Session Success Indicators
A well-prepared session typically includes:
Practical Integration Workflows
Scenario Card Selection Process
Matching Cards to Groups
Step 1: Assess Group Composition
- Experience Level: Beginner → GaboonGrabber scenarios; Advanced → Stuxnet scenarios
- Professional Background: Healthcare → Medical scenarios; Finance → Banking scenarios
- Learning Objectives: Social engineering → Trojan scenarios; Network security → Worm scenarios
Step 2: Review Adaptation Notes
Each scenario card includes specific guidance for:
- High-expertise groups: Additional complexity and advanced concepts
- Beginner groups: Simplification strategies and concept focus
- Time constraints: Compression options and priority elements
Step 3: Customize for Context
- Industry familiarity: Adapt organizational details to match group experience
- Current events: Connect scenario timing to relevant news or industry trends
- Group interests: Emphasize aspects that align with participant professional concerns
Troubleshooting Integration Challenges
When Scenario Cards Feel Overwhelming
Simplification Strategies - Focus on Core Elements:
- Hook: Why this is happening now
- Pressure: What creates urgency
- NPCs: 2-3 key stakeholders maximum
- Secrets: 1-2 organizational factors that enabled attack
Adaptation Approach:
- Use scenario cards as inspiration rather than rigid scripts
- Select elements that serve your learning objectives
- Ignore complexity that doesn’t add value for your specific group
- Trust the “lazy IM” philosophy - good enough preparation with rich context beats perfect preparation with rigid structure
When Group Doesn’t Connect to Scenario Context
Quick Adaptation Techniques:
- Industry Swap: Change the industry (e.g. healthcare to technology, finance to manufacturing)
- Scale Adjustment: Adjust organization size and complexity
- Stakeholder Modification: Replace NPCs with roles familiar to your group
- Context Simplification: Focus on universal business pressures rather than industry-specific details
Collaborative Fixes:
- Ask group to suggest organizational context they find more relevant
- Let participants modify NPCs to match their professional experience
- Encourage group to adapt scenario elements during session
- Use “yes, and…” techniques to incorporate participant suggestions
The goal of scenario card preparation is confident flexibility - ready for anything while attached to nothing. Scenario cards enhance the “lazy IM” philosophy by providing rich context that enables better improvisation, not rigid scripts that constrain adaptation.
Social Engineering Scenarios (GaboonGrabber, FakeBat)
Opening formula: “[Organization] is under [time pressure]. [Authority figure] received [legitimate-looking request]. [Action taken] that bypassed [normal security]. Now [symptoms appearing].”
Example: “RegionalBank processes payroll for 1,200 employees this Friday. Tuesday morning, the CFO received an urgent email from your accounting software vendor: ‘Critical tax update required before Friday processing.’ She forwarded it to IT with ‘Please handle immediately.’ IT installed it Wednesday. Thursday morning, transaction records start disappearing.”
Key storytelling elements: