Comprehensive Scenario Types Guide

IM Quick Reference: All Session Types

This chapter provides a unified overview of every session format available in our cybersecurity education framework, helping you choose the right approach for your group and goals through our security training platform that supports both incident response training and security professional development.

Decision Matrix: Choosing Session Type

Group Type	Time Available	Learning Goal	Recommended Approach
Mixed expertise, educational setting	2+ hours	Understanding cybersecurity evolution	Historical Foundation
Advanced technical team	90 minutes	Current practical skills	Contemporary Standard
Leadership/business focus	90-120 minutes	Strategic decision-making	Contemporary with Business Focus
New to cybersecurity	90 minutes	Basic incident response	Standard Contemporary (Beginner Malmons)
Expert-dominated group	2+ hours	Collaborative learning	Historical Foundation
Training/certification	60-90 minutes	Specific current techniques	Contemporary Focused

Session Type Categories

1. Standard Contemporary Sessions

Core Format

Duration: 90-120 minutes
Technology Context: Current platforms, tools, and threats
Malmons: Any contemporary malmon (GaboonGrabber, WannaCry, Raspberry Robin, etc.)
Scenario Cards: Multiple organizational contexts per malmon

Session Structure

Setup (15 min) - Introductions, role assignment, context setting
Investigation (30-45 min) - Collaborative threat analysis and discovery
Response (30-45 min) - Coordinated containment and mitigation
Debrief (15 min) - Learning synthesis and real-world application

When to Use

✅ Perfect for:

Groups wanting immediate practical skills
Limited time availability
Focus on current cybersecurity challenges
Professional development and training

❌ Avoid when:

Group wants historical perspective
Significant time available for deeper exploration
Educational setting focused on evolution and learning

IM Preparation (10 minutes)

Choose appropriate malmon for group expertise level
Select scenario card matching group’s industry/context
Review Network Security Status tracking approach
Prepare role assignments based on group backgrounds

Success Indicators

Effective team coordination and communication
Appropriate use of current cybersecurity tools and techniques
Realistic business decision-making under pressure
Learning that applies directly to participants’ current work

2. Legacy Malmon Sessions

Two Distinct Approaches Available

2A. Historical Foundation Sessions

Core Format

Duration: 2+ hours for full exploration
Technology Context: Authentic period technology (2001-2010)
Malmons: Code Red, Stuxnet, Gh0st RAT, Poison Ivy
Learning Goal: Understanding cybersecurity evolution through collaborative discovery

Session Structure

Historical Context (15 min) - Period technology and security assumptions
Authentic Historical Investigation (45 min) - Response using only period tools/knowledge
Collaborative Modernization (30 min) - Team discovery of evolution to current threats
Learning Synthesis (15 min) - Pattern recognition and current application insights

When to Use

✅ Perfect for:

Educational settings and training programs
Groups with diverse expertise levels
Time available for extended learning exploration
Expert-dominated groups needing collaborative focus
Understanding how cybersecurity knowledge developed

❌ Avoid when:

Immediate practical skills needed
Limited time (less than 2 hours)
Group focused only on current challenges
Advanced technical audience wanting cutting-edge techniques

IM Preparation (20 minutes)

Research historical technology context thoroughly
Prepare period-appropriate organizational scenarios
Plan modernization discovery questions
Ready to enforce historical limitations strictly

Success Indicators

Authentic surprise at historical security assumptions
Collaborative discovery of evolution patterns
“Aha moments” about how threats have developed
Enhanced understanding of current threats through historical perspective
Strong team collaboration across expertise levels

2B. Contemporary Legacy Sessions

Core Format

Duration: 90-120 minutes
Technology Context: Modern technology with evolved versions of historical threats
Malmons: Modern versions (Cloud Infrastructure Attack, Smart Grid Sabotage, etc.)
Learning Goal: Understanding how classic attack patterns manifest today

Session Structure

Evolutionary Context (5 min) - Connection to historical threat
Contemporary Response (75 min) - Standard modern incident response
Historical Comparison (15 min) - Brief evolution discussion in debrief

When to Use

✅ Perfect for:

Groups wanting both current skills and historical perspective
Standard time constraints with added learning value
Understanding persistent attack patterns across time
Advanced groups appreciating threat evolution

IM Preparation (15 minutes)

Understand connection between historical and contemporary versions
Prepare brief evolutionary context explanation
Plan debrief comparison questions
Focus on persistent attack patterns

3. Specialized Session Formats

3A. Business Leadership Sessions

Core Adaptations

Focus: Strategic decision-making and organizational implications
Language: Executive-appropriate terminology and concepts
Decisions: Board-level choices with enterprise-wide impact
NPCs: C-level executives, board members, regulatory agencies

Key Modifications

Emphasize strategic coordination over technical details
Focus on policy implications and precedent-setting
Include interagency and international coordination
Measure success by strategic contribution, not just incident resolution

Example Session Types

Stuxnet Strategic Response: Nation-state attack requiring federal coordination
WannaCry Executive Crisis: Healthcare system-wide ransomware impact
Supply Chain Compromise: Enterprise vendor relationship crisis

3B. Technical Deep-Dive Sessions

Core Adaptations

Focus: Advanced technical analysis and cutting-edge response techniques
Complexity: Multi-stage attacks with sophisticated evasion techniques
Tools: Advanced threat hunting, forensic analysis, custom defensive measures
Challenge Level: Nation-state capabilities and zero-day exploitation

Key Modifications

Increased technical complexity and realism
Advanced MITRE ATT&CK technique mapping
Custom tool development and advanced forensics
Focus on threat intelligence and attribution

3C. Industry-Specific Sessions

Healthcare Focus

Regulatory Context: HIPAA, patient safety, medical device security
Critical Systems: Electronic health records, patient monitoring, surgical systems
Stakeholders: Patients, medical staff, regulatory agencies, insurance

Financial Services Focus

Regulatory Context: SOX, PCI DSS, banking regulations, market oversight
Critical Systems: Trading platforms, payment processing, customer accounts
Stakeholders: Customers, regulators, market participants, law enforcement

Critical Infrastructure Focus

Regulatory Context: NERC CIP, national security, public safety
Critical Systems: Power generation, water treatment, transportation
Stakeholders: Government agencies, public safety, national security

4. Problem-Focused Sessions

4A. Expert-Dominated Groups

Challenge: Senior participants overwhelming others
Solution: Historical context to level playing field
Technique: Uncomfortable role assignments requiring collaboration
Goal: Collaborative learning despite expertise imbalances

4B. Silent/Disengaged Groups

Challenge: Participants reluctant to contribute
Solution: Structured discovery questions and role validation
Technique: Small wins building to larger contributions
Goal: Active engagement from all participants

4C. Lost/Overwhelmed Groups

Challenge: Participants feeling out of their depth
Solution: Simplified scenarios with strong IM guidance
Technique: Breaking complex problems into manageable steps
Goal: Confidence building through achievable success

Scenario Card System

Understanding Scenario Cards

Each malmon can be encountered through multiple scenario cards that provide different organizational contexts while maintaining consistent core threat behavior.

Scenario Card Components

Organization: Specific company/agency context with realistic constraints
Stakes: What’s at risk (data, operations, reputation, compliance)
Hook: Compelling opening situation drawing players into the incident
NPCs: Period and context-appropriate characters with specific expertise
Secrets: Hidden information revealed through investigation
Adaptation Notes: Guidance for different group expertise levels

Organizational Context Variations

Healthcare: MedTech Solutions (200 employees)

Constraints: Patient safety, HIPAA compliance, medical device security
Stakes: Patient data, medical device integrity, regulatory compliance
NPCs: Medical staff, IT support, compliance officers, patient advocates

Financial Services: Regional Credit Union (50,000 members)

Constraints: Financial regulations, real-time transactions, customer trust
Stakes: Customer financial data, transaction integrity, regulatory standing
NPCs: Financial officers, IT security, regulators, customer service

Education: University Technology Services (15,000 students)

Constraints: Academic freedom, limited budget, diverse user base
Stakes: Student data, research integrity, operational continuity
NPCs: IT staff, faculty, students, administrators

Small Business: Local Marketing Agency (25 employees)

Constraints: Limited resources, personal relationships, survival-level decisions
Stakes: Client data, business survival, personal liability
NPCs: Business owner, freelance IT, key clients, family members

Choosing Scenario Cards

Match Group Context

Industry Experience: Choose scenarios familiar to participants
Organizational Size: Match complexity to group’s professional experience
Regulatory Environment: Use familiar compliance and legal frameworks
Technical Sophistication: Align with group’s technical capabilities

Contrast for Learning

Different Industry: Expose participants to unfamiliar constraints
Different Scale: Help understand how organizational size affects incident response
Different Stakes: Explore various business impact scenarios
Different Resources: Experience resource-constrained vs. well-resourced response

Session Planning Framework

Pre-Session Decision Process

Step 1: Group Assessment (5 minutes)

Expertise Levels: Technical backgrounds and cybersecurity experience
Industry Experience: Professional contexts and regulatory familiarity
Learning Goals: Immediate skills vs. broader understanding
Time Constraints: Available session duration and follow-up possibilities

Step 2: Session Type Selection (2 minutes)

Historical Foundation: Educational focus, diverse expertise, extended time
Contemporary Standard: Practical skills, limited time, current challenges
Specialized Format: Leadership group, technical deep-dive, industry-specific needs

Step 3: Malmon and Scenario Selection (3 minutes)

Complexity Match: Align threat sophistication with group capabilities
Context Relevance: Choose organizational scenario matching group experience
Learning Objectives: Select threats supporting specific learning goals

Step 4: Preparation Focus (Variable)

Historical Foundation: Research period context, prepare evolution questions
Contemporary: Review current techniques, select appropriate tools/references
Specialized: Adapt language, stakes, and decision complexity for audience

Session Execution Guidelines

Opening Phase Best Practices

Energy Setting: Establish collaborative, learning-focused environment
Expectation Management: Explain session type and learning approach
Role Assignment: Match roles to backgrounds while encouraging stretch growth
Context Clarity: Ensure everyone understands organizational and threat context

Investigation Phase Best Practices

Question-Driven Discovery: Guide learning through questions, not exposition
Collaborative Building: Help participants build on each other’s insights
Progressive Revelation: Introduce complexity gradually based on team readiness
Role Validation: Ensure each participant contributes unique value

Response Phase Best Practices

Realistic Constraints: Maintain organizational limitations and resource availability
Coordinated Action: Require team collaboration for success
Adaptive Challenge: Allow threat evolution based on team actions
Success Recognition: Acknowledge effective teamwork and creative solutions

Debrief Phase Best Practices

Learning Synthesis: Help participants connect session experience to real-world application
Pattern Recognition: Highlight transferable principles and techniques
Honest Reflection: Encourage discussion of challenges and improvement opportunities
Future Application: Connect learning to participants’ current professional contexts

Advanced IM Techniques

Managing Mixed Groups

Expertise Balancing

Historical Context: Use unfamiliar contexts to reduce expertise advantages
Role Rotation: Give experts unfamiliar roles requiring new skill development
Collaborative Requirements: Structure success to require diverse perspectives
Learning Focus: Emphasize discovery over demonstration of existing knowledge

Engagement Strategies

Validated Contribution: Ensure every participant contributes unique value
Progressive Challenge: Start accessible, build complexity based on team success
Peer Learning: Structure opportunities for participants to teach each other
Success Sharing: Celebrate team achievements over individual brilliance

Adapting Session Complexity

Scaling Up for Advanced Groups

Multi-Stage Attacks: Complex, coordinated threats requiring sustained response
Advanced Techniques: Cutting-edge attack methods and defensive capabilities
Strategic Implications: Enterprise-wide and industry-wide impact considerations
International Coordination: Multi-agency and international response requirements

Scaling Down for Beginners

Clear Progression: Obvious attack stages with distinct response phases
Guided Discovery: More IM support for investigation and analysis
Simplified Decisions: Fewer variables and clearer choice consequences
Success Reinforcement: Frequent positive feedback and achievement recognition

Real-Time Adaptation

Reading Group Dynamics

Engagement Indicators: Participation levels, question quality, collaborative behavior
Difficulty Calibration: Signs of being overwhelmed vs. under-challenged
Learning Progress: Understanding development and insight generation
Energy Management: Maintaining focus and enthusiasm throughout session

Mid-Session Adjustments

Complexity Modification: Adding or reducing challenge based on team performance
Role Rebalancing: Addressing participation imbalances or role mismatches
Pacing Adjustment: Speeding up or slowing down based on group processing
Learning Support: Providing additional guidance or clarification as needed

Success Metrics by Session Type

Standard Contemporary Sessions

Technical Success Indicators

Appropriate use of current cybersecurity tools and techniques
Realistic decision-making within organizational constraints
Effective team coordination and communication
Business-aware technical choices

Learning Success Indicators

Direct application insights for participants’ current work
Enhanced understanding of team-based incident response
Improved confidence in cybersecurity decision-making
Recognition of cross-functional collaboration importance

Historical Foundation Sessions

Historical Understanding Indicators

Authentic surprise at historical security assumptions
Understanding of period technology limitations
Recognition of security knowledge evolution
Appreciation for historical cybersecurity pioneers

Evolution Learning Indicators

Collaborative discovery of threat development patterns
Connection between historical and current threats
Insight into defensive capability advancement
Understanding of persistent attack principles

Business Leadership Sessions

Strategic Decision Indicators

Appropriate escalation and coordination decisions
Understanding of policy and precedent implications
Effective interagency and stakeholder coordination
Strategic risk assessment and management

Organizational Impact Indicators

Recognition of enterprise-wide incident implications
Appropriate governance and communication decisions
Understanding of regulatory and legal considerations
Long-term organizational resilience planning

Technical Deep-Dive Sessions

Advanced Technical Indicators

Sophisticated threat analysis and attribution
Advanced tool usage and custom solution development
Complex multi-stage attack understanding
Cutting-edge defensive technique application

Professional Development Indicators

Enhanced threat hunting and forensic capabilities
Improved understanding of advanced persistent threats
Development of technical leadership skills
Contribution to cybersecurity knowledge advancement

Quick Reference Cards

Session Type Quick Selection

Need immediate practical skills + limited time + current focus: → Standard Contemporary Session

Want to understand cybersecurity evolution + have extended time + diverse group: → Historical Foundation Session

Need current skills with historical perspective + standard time: → Contemporary Legacy Session

Working with senior leadership + strategic focus + enterprise implications: → Business Leadership Session

Advanced technical team + cutting-edge challenges + deep technical focus: → Technical Deep-Dive Session

Expert-dominated group + need collaboration + extended time available: → Historical Foundation Session

Preparation Time Investment

Standard Contemporary: 10 minutes
Historical Foundation: 20 minutes
Contemporary Legacy: 15 minutes
Business Leadership: 15 minutes
Technical Deep-Dive: 20 minutes
Problem-Focused: 15 minutes + specific technique research

Common Session Planning Mistakes

❌ Choosing Historical Foundation for time-constrained groups → Requires minimum 2 hours for effective learning

❌ Using advanced technical scenarios with business-focused groups → Alienates non-technical participants and misses learning goals

❌ Selecting familiar organizational contexts for all sessions → Limits learning about cybersecurity challenges in different industries

❌ Assuming expertise level without group assessment → Results in inappropriate challenge level and poor learning outcomes

❌ Mixing session types without clear transition → Confuses participants and dilutes learning effectiveness

This comprehensive guide ensures you can select and execute the most effective session type for any group while maximizing learning outcomes and participant engagement.