Role-Based Team Facilitation for Gamified Incident Response Training

The Power of Role-Based Collaboration

Managing a six-role Malware & Monsters team requires understanding both the unique contributions each role brings and how to orchestrate their collaboration for maximum learning impact. Your job as Incident Master is to ensure every role has meaningful opportunities to contribute while maintaining productive team dynamics.

Understanding Role Dynamics

Role Specialization Benefits

Why Roles Matter:

  • Focused Expertise: Each role approaches problems from a distinct perspective
  • Comprehensive Coverage: Six roles ensure all aspects of incident response are addressed
  • Natural Division of Labor: Teams self-organize around role-based responsibilities
  • Learning Amplification: Different perspectives create richer understanding

Avoiding Role Rigidity:

  • Roles are lenses for contribution, not rigid job descriptions
  • Encourage cross-role collaboration and knowledge sharing
  • Allow expertise to transcend role boundaries when appropriate
  • Focus on team success rather than individual role performance

Team Composition Strategies

For 4-Player Teams: Essential Core:

  • 🔍 Detective (investigation and analysis)
  • 🛡️ Protector (containment and security)
  • 📡 Tracker (monitoring and data flow)
  • 👥 Communicator (coordination and stakeholder management)

Optional Additions:

  • Add ⚡ Crisis Manager for complex coordination scenarios
  • Add 🎯 Threat Hunter for advanced threat analysis

For 5-Player Teams: Recommended Configuration:

  • Core four roles plus Crisis Manager for coordination-heavy scenarios
  • Core four roles plus Threat Hunter for technically complex threats
  • Allow team to choose based on interests and scenario requirements

For 6-Player Teams: Full Role Coverage:

  • All six roles provide maximum perspective diversity and learning opportunities

Role Modifier System

Understanding Player Role Modifiers

Each incident response role provides specific mechanical modifiers - or bonuses - that players can apply to relevant actions during sessions. These modifiers reinforce role identity while providing concrete gameplay benefits for specialization.

Detective Modifiers:

  • +3 Forensic Analysis: Deep dive into logs, artifacts, and digital evidence to reconstruct attack timelines and identify critical indicators of compromise
  • +2 Pattern Recognition: Spot anomalies in system behavior, connect seemingly unrelated clues, and identify attack patterns across multiple data sources
  • +1 Documentation: Create comprehensive incident records, develop actionable IoCs, and maintain detailed evidence chains for legal and remediation purposes

Understanding Detective Modifiers in Practice:

+3 Forensic Analysis represents the Detective’s mastery of digital evidence examination. When a Detective player attempts forensic analysis, this substantial bonus reflects their ability to efficiently parse complex log files, correlate timestamps across multiple systems, and extract meaningful intelligence from technical artifacts. For the IM, this means Detective actions involving evidence analysis should almost always succeed when using appropriate tools and methods. Use this bonus when players examine system logs, analyze malware samples, reconstruct attack timelines, or investigate digital crime scenes. The high bonus acknowledges that forensic analysis is the Detective’s core competency.

+2 Pattern Recognition captures the Detective’s trained eye for spotting anomalies others miss. This moderate bonus applies when connecting seemingly unrelated events, identifying recurring attack signatures, or recognizing behavioral patterns in system activity. For the IM, grant this bonus when players attempt to link disparate clues, spot unusual network behavior, or identify attack patterns across multiple incidents. This skill helps Detectives excel at seeing the bigger picture and making connections that drive investigations forward.

+1 Documentation reflects the Detective’s methodical approach to maintaining investigation records. While less exciting than active analysis, proper documentation is crucial for incident response success. Apply this bonus when players create incident reports, develop indicators of compromise (IoCs), maintain evidence chains, or produce documentation for legal proceedings. For the IM, this bonus ensures that Detective players can reliably produce high-quality documentation that supports team coordination and post-incident analysis.

Protector Modifiers:

  • +3 Containment Actions: Rapidly isolate compromised systems, deploy security controls, and implement emergency protective measures to prevent attack spread
  • +2 Damage Assessment: Evaluate scope of system compromise, assess data integrity, and determine extent of security control failures
  • +1 Recovery Planning: Design restoration strategies, validate backup integrity, and coordinate secure system recovery with minimal business disruption

Understanding Protector Modifiers in Practice:

+3 Containment Actions represents the Protector’s expertise in rapidly stopping threats from spreading. This high bonus reflects their ability to quickly isolate compromised systems, deploy emergency security controls, and implement protective measures under pressure. For the IM, this means Protector actions focused on immediate threat containment should succeed reliably, especially when using established security tools and procedures. Use this bonus when players attempt to quarantine infected systems, block malicious network traffic, disable compromised accounts, or deploy emergency security controls. The substantial bonus acknowledges that containment is the Protector’s primary responsibility during active incidents.

+2 Damage Assessment captures the Protector’s skill at evaluating the extent of system compromise. This moderate bonus applies when determining how far an attack has spread, assessing data integrity, or understanding the scope of security control failures. For the IM, grant this bonus when players investigate which systems are affected, evaluate the effectiveness of existing security measures, or determine the extent of data exposure. This skill helps Protectors make informed decisions about containment priorities and resource allocation.

+1 Recovery Planning reflects the Protector’s methodical approach to system restoration. While containment is urgent, recovery planning requires careful consideration of business continuity and security requirements. Apply this bonus when players develop restoration strategies, validate backup integrity, coordinate system recovery timelines, or design secure rebuild procedures. For the IM, this bonus ensures that Protector players can reliably develop recovery plans that balance security with business needs, supporting the organization’s return to normal operations.

Tracker Modifiers:

  • +3 Network Analysis: Monitor network traffic patterns, map connection relationships, and track data flow to identify malicious communications and lateral movement
  • +2 Behavioral Detection: Recognize unusual network behavior patterns, detect anomalous data transfers, and identify indicators of system compromise through traffic analysis
  • +1 Communication Monitoring: Detect command-and-control communications, identify external threat actor infrastructure, and coordinate blocking of malicious network connections

Understanding Tracker Modifiers in Practice:

+3 Network Analysis represents the Tracker’s mastery of network traffic examination and data flow understanding. This substantial bonus reflects their ability to efficiently monitor network communications, map connection relationships between systems, and track how data moves through the organization’s infrastructure. For the IM, this means Tracker actions involving network investigation should succeed reliably when using appropriate monitoring tools and techniques. Use this bonus when players analyze network logs, trace connection patterns, monitor data transfers, or investigate lateral movement pathways. The high bonus acknowledges that network analysis is the Tracker’s core specialty and primary contribution to incident response.

+2 Behavioral Detection captures the Tracker’s skill at recognizing unusual patterns in network activity that might indicate compromise. This moderate bonus applies when identifying anomalous data transfers, detecting unusual communication patterns, or spotting indicators of system compromise through traffic analysis. For the IM, grant this bonus when players attempt to identify suspicious network behavior, detect data exfiltration attempts, spot unusual connection patterns, or recognize signs of lateral movement. This skill helps Trackers excel at finding threats that might otherwise go unnoticed in network traffic.

+1 Communication Monitoring reflects the Tracker’s systematic approach to detecting and blocking malicious external communications. This bonus applies to identifying command-and-control channels, mapping threat actor infrastructure, and coordinating network-based countermeasures. Apply this bonus when players work to detect C2 communications, identify external threat infrastructure, coordinate with network security tools to block malicious connections, or develop network-based indicators for threat hunting. For the IM, this bonus ensures that Tracker players can reliably identify and help disrupt external threat actor communications.

Communicator Modifiers:

  • +3 Stakeholder Management: Coordinate with executive leadership, manage user communications, and serve as liaison between technical teams and business units
  • +2 Business Impact Assessment: Evaluate organizational implications of incidents, assess financial and operational impacts, and prioritize response based on business criticality
  • +1 Crisis Communication: Manage external information flow, coordinate regulatory notifications, and ensure appropriate crisis communication protocols are followed

Understanding Communicator Modifiers in Practice:

+3 Stakeholder Management represents the Communicator’s expertise in coordinating with diverse organizational stakeholders during crisis situations. This substantial bonus reflects their ability to effectively brief executive leadership, manage user communications, and serve as liaison between technical teams and business units. For the IM, this means Communicator actions involving stakeholder coordination should succeed reliably, especially when using established communication channels and protocols. Use this bonus when players conduct executive briefings, coordinate with affected user communities, manage vendor relationships during incidents, or facilitate communication between technical and business teams. The high bonus acknowledges that stakeholder management is the Communicator’s primary strength and critical for organizational incident response.

+2 Business Impact Assessment captures the Communicator’s skill at evaluating the organizational implications of security incidents. This moderate bonus applies when assessing financial impacts, understanding operational disruptions, or prioritizing response activities based on business criticality. For the IM, grant this bonus when players attempt to quantify incident impacts, assess business continuity risks, evaluate regulatory implications, or help prioritize recovery efforts based on business needs. This skill helps Communicators ensure that technical response activities align with organizational priorities and business requirements.

+1 Crisis Communication reflects the Communicator’s systematic approach to managing information flow during security incidents. This bonus applies to coordinating external communications, managing regulatory notifications, and ensuring appropriate crisis communication protocols are followed. Apply this bonus when players coordinate with legal teams, manage media relations, handle regulatory reporting requirements, or develop public communications about security incidents. For the IM, this bonus ensures that Communicator players can reliably navigate the complex external communication requirements that accompany significant security incidents.

Crisis Manager Modifiers:

  • +3 Team Coordination: Allocate resources effectively, set clear priorities across multiple teams, and develop strategic response plans that maximize team effectiveness
  • +2 Multi-track Management: Coordinate parallel response efforts, manage dependencies between different workstreams, and ensure comprehensive coverage of all incident aspects
  • +1 Timeline Management: Balance urgency with thoroughness, establish realistic response timelines, and coordinate activities to optimize both speed and quality of response

Understanding Crisis Manager Modifiers in Practice:

+3 Team Coordination represents the Crisis Manager’s mastery of organizing and directing incident response teams under pressure. This substantial bonus reflects their ability to effectively allocate resources, establish clear priorities across multiple teams, and develop strategic response plans that maximize overall team effectiveness. For the IM, this means Crisis Manager actions involving team organization and strategic planning should succeed reliably, especially when coordinating complex multi-team responses. Use this bonus when players coordinate team assignments, establish incident response priorities, allocate resources across competing needs, or develop comprehensive response strategies. The high bonus acknowledges that team coordination is the Crisis Manager’s primary responsibility and most critical contribution to incident response success.

+2 Multi-track Management captures the Crisis Manager’s skill at handling parallel response efforts and managing complex interdependencies. This moderate bonus applies when coordinating simultaneous response activities, managing dependencies between different workstreams, or ensuring comprehensive coverage of all incident aspects. For the IM, grant this bonus when players attempt to coordinate parallel investigation and containment efforts, manage dependencies between different response activities, ensure comprehensive incident coverage, or balance competing response priorities. This skill helps Crisis Managers excel at maintaining oversight of complex, multi-faceted incident responses.

+1 Timeline Management reflects the Crisis Manager’s systematic approach to balancing speed and quality in incident response. This bonus applies to establishing realistic response timelines, coordinating time-sensitive activities, and optimizing the balance between urgency and thoroughness. Apply this bonus when players work to establish incident response timelines, coordinate time-critical response activities, balance immediate needs with long-term recovery, or ensure response activities are completed within business requirements. For the IM, this bonus ensures that Crisis Manager players can reliably develop and maintain response timelines that meet both technical and business needs.

Threat Hunter Modifiers:

  • +3 Proactive Investigation: Hunt for hidden threats using hypothesis-driven analysis, search for indicators of advanced persistent threats, and uncover attack activities not detected by standard security tools
  • +2 Advanced Technique Recognition: Identify sophisticated attack methods, recognize advanced tradecraft patterns, and understand complex adversary tactics, techniques, and procedures
  • +1 Intelligence Development: Create actionable threat intelligence from incident artifacts, develop hunting hypotheses based on attack patterns, and produce intelligence that improves organizational defense

Understanding Threat Hunter Modifiers in Practice:

+3 Proactive Investigation represents the Threat Hunter’s mastery of hypothesis-driven threat discovery and advanced persistent threat detection. This substantial bonus reflects their ability to hunt for hidden threats using systematic analysis, search for indicators of sophisticated attacks, and uncover malicious activities that standard security tools miss. For the IM, this means Threat Hunter actions involving proactive threat discovery should succeed reliably, especially when using advanced hunting techniques and tools. Use this bonus when players conduct hypothesis-driven hunting, search for advanced persistent threats, investigate potential threat actor presence, or look for hidden indicators of compromise. The high bonus acknowledges that proactive investigation is the Threat Hunter’s unique strength and primary contribution to comprehensive incident response.

+2 Advanced Technique Recognition captures the Threat Hunter’s skill at identifying sophisticated attack methods and understanding complex adversary tradecraft. This moderate bonus applies when recognizing advanced attack techniques, understanding sophisticated threat actor tactics, or identifying indicators of state-sponsored or advanced criminal activity. For the IM, grant this bonus when players attempt to identify advanced attack techniques, recognize sophisticated threat actor tradecraft, understand complex attack chains, or assess the sophistication level of observed threats. This skill helps Threat Hunters excel at understanding the most challenging and sophisticated threats facing the organization.

+1 Intelligence Development reflects the Threat Hunter’s systematic approach to creating actionable threat intelligence from incident artifacts and attack patterns. This bonus applies to developing hunting hypotheses, creating threat intelligence products, and producing intelligence that improves organizational defenses. Apply this bonus when players work to develop threat intelligence from incident findings, create hunting hypotheses for future investigations, produce threat assessments, or develop indicators and signatures for improved detection. For the IM, this bonus ensures that Threat Hunter players can reliably transform their investigations into actionable intelligence that strengthens the organization’s security posture.

Facilitating Role Modifiers

When to Apply Bonuses:

  • Player actions clearly align with role specialization
  • Demonstrates relevant real-world knowledge or experience
  • Coordinates effectively with teammates using role expertise
  • Approaches problems from role-appropriate perspective

How to Communicate Bonuses:

Instead of: “Roll a d20”
Try: “As the Detective, you get +3 for forensic analysis. Roll a d20 and add 3.”

Instead of: “That’s a 15, you succeed”
Try: “With your Tracker bonus for network analysis, that 12 becomes a 15. You successfully identify the C2 traffic.”

Encouraging Role Identity:

  • Verbally acknowledge when players demonstrate role expertise
  • Ask role-specific questions that leverage bonuses: “Tracker, what network patterns concern you most?”
  • Create situations where each role’s bonuses provide clear advantages
  • Celebrate successful collaboration that combines multiple role bonuses

Team Bonus Synergies

Direct Support (+2 additional): When one player’s action directly enables another’s specialization:

  • Detective provides forensic evidence → Protector configures targeted security controls
  • Tracker identifies data flows → Threat Hunter investigates hidden connections
  • Crisis Manager coordinates timeline → All roles benefit from clear priorities

Team Coordination (+3 additional): When multiple players coordinate using their role bonuses:

  • Detective + Tracker collaborate on comprehensive attack timeline
  • Protector + Crisis Manager coordinate systematic containment strategy
  • Communicator + all roles manage complex stakeholder response

Perfect Teamwork (Automatic Success): When entire team demonstrates role coordination:

  • Each role contributes unique perspective using appropriate bonuses
  • Actions build logically using role specializations
  • Real-world expertise drives decision-making through role lenses

Common Modifier Mistakes to Avoid

Over-Restriction:

  • Don’t prevent players from taking actions outside their role
  • Allow expertise to transcend role boundaries when appropriate
  • Focus on bonus enhancement, not action limitation

Under-Recognition:

  • Don’t forget to apply bonuses when players demonstrate role expertise
  • Acknowledge role contributions even for failed rolls
  • Use bonuses to reinforce successful role-playing

Inconsistent Application:

  • Apply bonuses consistently across all roles and players
  • Document which bonuses you’ve used to maintain fairness
  • Adjust difficulty considering team’s cumulative bonus potential

Role Reference Cards for Incident Masters

Use these quick reference cards during gameplay to understand each role’s focus areas and provide appropriate challenges and opportunities.

🔍 Detective

🎭 Archetype

"I see patterns others miss. Every attack tells a story."

💪 Strengths

Pattern Recognition: Spotting anomalies in logs and behavior
Evidence Analysis: Connecting clues into attack timelines

🎯 Focus Areas

• System logs and process executions
• Attack vector analysis and entry points

🛡️ Protector

🎭 Archetype

"I stand between the threat and our users."

💪 Strengths

Security Controls: Implementing protective measures
Containment Strategy: Isolating threats to prevent spread

🎯 Focus Areas

• System hardening and access controls
• Incident containment and damage limitation

📡 Tracker

🎭 Archetype

"I follow the digital breadcrumbs wherever they lead."

💪 Strengths

Network Analysis: Monitoring traffic and connections
Behavioral Detection: Identifying unusual patterns

🎯 Focus Areas

• Network monitoring and traffic analysis
• Data flow tracking and lateral movement detection

👥 Communicator

🎭 Archetype

"I keep everyone informed and aligned."

💪 Strengths

Stakeholder Management: Coordinating with leadership
Business Impact: Understanding organizational consequences

🎯 Focus Areas

• Executive reporting and user communication
• Regulatory requirements and external coordination

⚡ Crisis Manager

🎭 Archetype

"I orchestrate order from chaos."

💪 Strengths

Team Coordination: Organizing response efforts
Priority Setting: Managing competing demands

🎯 Focus Areas

• Resource allocation and timeline management
• Multi-track coordination and strategic planning

🎯 Threat Hunter

🎭 Archetype

"I find threats that hide in the shadows."

💪 Strengths

Proactive Investigation: Finding hidden threats
Advanced Detection: Identifying sophisticated attacks

🎯 Focus Areas

• Hypothesis-driven threat analysis
• Threat intelligence and attribution

Roll Difficulty Framework

Understanding When to Call for Rolls vs. Automatic Success

As an Incident Master, one of your most important decisions is when to require dice rolls versus granting automatic success. This framework helps you make consistent, fair decisions that maintain engagement while rewarding knowledge and collaboration.

Difficulty Levels and Target Numbers

A roll succeeds when the d20 result plus every applicable modifier (role bonus and any team synergy bonus) meets or exceeds the target number. The success rates below are the exact odds for that mechanic; they climb further once synergy bonuses stack, which is why difficulty should be set with the team's total bonus potential in mind.

Easy Tasks (Target: 8+)

Success Rate: 65% on an unmodified d20, 80% with a +3 role bonus - builds confidence and momentum
When to Use: Standard procedures with appropriate tools and expertise

Specific Examples:

  • Detective analyzing Windows Event Logs for Process Creation events
  • Protector deploying standard antivirus tools on infected systems
  • Tracker monitoring network traffic with familiar SIEM tools
  • Communicator providing routine incident updates to executive leadership
  • Crisis Manager coordinating response activities using established protocols
  • Threat Hunter searching for known indicators of compromise

Medium Tasks (Target: 12+)

Success Rate: 45% on an unmodified d20, 60% with a +3 role bonus - creates meaningful challenge and uncertainty
When to Use: Complex analysis, coordination requiring expertise, or time pressure situations

Specific Examples:

  • Detective reverse-engineering unknown malware samples to understand capabilities
  • Protector implementing novel security controls under crisis conditions
  • Tracker identifying sophisticated C2 communications using advanced techniques
  • Communicator managing crisis communications with multiple external parties
  • Crisis Manager coordinating response across multiple business units with conflicting priorities
  • Threat Hunter developing custom hunting queries for zero-day threats

Hard Tasks (Target: 16+)

Success Rate: 25% on an unmodified d20, 40% with a +3 role bonus - requires exceptional expertise or perfect teamwork
When to Use: Cutting-edge techniques, high-stakes decisions, significant obstacles

Specific Examples:

  • Detective developing attribution analysis for state-sponsored attack campaigns
  • Protector designing custom containment strategies for novel attack vectors
  • Tracker analyzing encrypted or obfuscated command and control infrastructure
  • Communicator managing organization-wide crisis with regulatory and media attention
  • Crisis Manager coordinating international incident response with law enforcement
  • Threat Hunter predicting threat actor next moves based on tactical intelligence
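As an added illustration (not part of the Malware & Monsters rules text), the following Python works out the real odds behind these targets, including the Direct Support (+2) and Team Coordination (+3) synergy bonuses from earlier on this page, and resolves a roll in the "that 12 becomes a 15" phrasing the page recommends. The three targets and the synergy values are copied from this page; the function and dataclass names, and the sample rolls, are this example's own.

```python
"""Success odds and roll resolution for the d20 + modifier mechanic used
in Malware & Monsters sessions. Added example; the TARGETS and SYNERGY
values come from the page, everything else is this illustration's own."""
from __future__ import annotations

import random
from dataclasses import dataclass

# Difficulty targets from the Roll Difficulty Framework on this page.
TARGETS = {"easy": 8, "medium": 12, "hard": 16}

# Synergy bonuses from the Team Bonus Synergies section. "Perfect Teamwork"
# is automatic success on the page, so it needs no entry here.
SYNERGY = {"none": 0, "direct_support": 2, "team_coordination": 3}

D20_SIDES = 20


def success_probability(target: int, modifier: int = 0) -> float:
    """Chance that d20 + modifier >= target, clamped to the range 0..1."""
    needed = target - modifier           # lowest natural roll that still succeeds
    successes = D20_SIDES - needed + 1   # faces from `needed` up to 20
    return max(0, min(D20_SIDES, successes)) / D20_SIDES


@dataclass(frozen=True)
class Resolution:
    natural: int    # the face showing on the d20
    modifier: int   # role bonus plus any synergy bonus
    target: int

    @property
    def total(self) -> int:
        return self.natural + self.modifier

    @property
    def success(self) -> bool:
        return self.total >= self.target


def resolve(natural: int, role_bonus: int, difficulty: str, synergy: str = "none") -> Resolution:
    """Apply the role bonus and the chosen synergy bonus to a natural d20 roll."""
    if not 1 <= natural <= D20_SIDES:
        raise ValueError("natural roll must be between 1 and 20")
    return Resolution(natural, role_bonus + SYNERGY[synergy], TARGETS[difficulty])


def probability_table(modifiers=(0, 1, 2, 3, 5, 6)) -> dict[str, dict[int, float]]:
    """Success chance per difficulty for each total modifier. The +5 and +6
    columns are a +3 role bonus stacked with Direct Support or Team Coordination."""
    return {name: {m: success_probability(t, m) for m in modifiers}
            for name, t in TARGETS.items()}


def narrate(res: Resolution, role: str, skill: str) -> str:
    """Phrase the outcome the way the page suggests: show the bonus doing the work."""
    outcome = "succeed" if res.success else "fall short"
    return (f"With your {role} bonus for {skill}, that {res.natural} becomes a "
            f"{res.total} against a target of {res.target}. You {outcome}.")


if __name__ == "__main__":
    for name, row in probability_table().items():
        cells = "  ".join(f"{m:+d}: {p:4.0%}" for m, p in row.items())
        print(f"{name:>6} ({TARGETS[name]}+)  {cells}")
    # The page's Tracker example: +3 Network Analysis on a medium task, natural 12.
    print(narrate(resolve(12, 3, "medium"), "Tracker", "network analysis"))
    # A random hard-task roll with +3 Forensic Analysis and Direct Support.
    print(narrate(resolve(random.randint(1, 20), 3, "hard", "direct_support"),
                  "Detective", "forensic analysis"))
```

The table is the practical payoff: a +3 role bonus with Team Coordination stacked on top (+6) turns a Hard 16+ task into a 55% proposition, which is the arithmetic behind the advice to adjust difficulty for the team's cumulative bonus potential.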

Automatic Success Criteria (No Roll Required)

Grant automatic success when players demonstrate:

Clear Role Expertise:

  • Actions clearly within role specialization with demonstrated knowledge
  • Real-world cybersecurity knowledge and best practices applied appropriately
  • Creative approaches that directly address threat-specific vulnerabilities

Effective Team Collaboration:

  • Well-coordinated team efforts with logical planning and clear execution steps
  • Each role contributing unique perspective that builds on others’ work
  • Communication and coordination that reflects real incident response practices

Appropriate Tools and Procedures:

  • Standard procedures executed with proper tools and clear understanding
  • Solutions that demonstrate understanding of threat characteristics
  • Approaches that leverage organizational capabilities effectively

IM Decision Making Guidelines

Call for Dice Rolls When:

  • Uncertain outcomes: Player demonstrates knowledge but success depends on external factors
  • Time pressure: Standard procedures complicated by crisis conditions or tight deadlines
  • Novel situations: Creative solutions that haven’t been tried before in this context
  • High stakes: Critical decisions where failure has significant consequences
  • Learning opportunities: Moments where uncertainty creates valuable team discussion

Grant Automatic Success When:

  • Clear expertise: Player demonstrates specific, relevant cybersecurity knowledge through role lens
  • Appropriate tools: Standard procedures with proper tools and clear understanding of their use
  • Excellent teamwork: Well-coordinated efforts that leverage multiple roles’ bonuses effectively
  • Type advantage: Approaches that directly exploit Malmon weaknesses or use role strengths
  • Good planning: Logical, well-thought-out approaches with clear execution steps

Practical Decision Examples

Automatic Success Example: Player says: “As the Detective, I’ll examine the Windows Event Logs for Process Creation events around 10:30 AM when users reported the suspicious behavior, focusing on any processes spawned from unusual parent processes or locations.”

IM Response: “That’s exactly the right approach with the right tools. You find several suspicious PowerShell processes spawned from Word documents - automatic success.”
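The Detective's approach in that example, triaging process-creation events for unusual parent/child relationships around the reported time, as an added Python illustration rather than anything from the Malware & Monsters materials. The four event records are constructed here in the field layout of Sysmon Event ID 1 (process creation); every path, user, hash and command line in them is invented, and the parent/child and command-line patterns are a starting set for the exercise, not an exhaustive detection rule.

```python
"""Process-creation triage: flag children of Office applications that are
script hosts, encoded or hidden PowerShell, and binaries launched from
user-writable directories, limited to a window around the reported time.
Added example; the sample records below are constructed, not real telemetry."""
from __future__ import annotations

import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample: Sysmon Event ID 1 style records as JSON lines.
# Paths, users, hashes and the encoded command are all invented.
SAMPLE_EVENTS = r"""
{"UtcTime":"2024-05-14 10:28:41.120","Image":"C:\\Windows\\System32\\svchost.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"svchost.exe -k netsvcs","User":"NT AUTHORITY\\SYSTEM","Hashes":"SHA256=0000000000000001"}
{"UtcTime":"2024-05-14 10:29:50.004","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe Get-Process","User":"CORP\\jdoe","Hashes":"SHA256=0000000000000002"}
{"UtcTime":"2024-05-14 10:31:05.331","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgA","User":"CORP\\jdoe","Hashes":"SHA256=0000000000000002"}
{"UtcTime":"2024-05-14 10:32:17.908","Image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"update.exe /silent","User":"CORP\\jdoe","Hashes":"SHA256=0000000000000003"}
"""

# Starting set of patterns for the exercise (assumption, not a complete rule set).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines records and attach a datetime parsed from UtcTime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(rec)
    return events


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def suspicious_reasons(rec: dict) -> list[str]:
    """Return every reason this process creation looks wrong (empty if none)."""
    image, parent = _name(rec["Image"]), _name(rec["ParentImage"])
    cmd = rec.get("CommandLine", "").lower()
    reasons = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"office app {parent} spawned script host {image}")
    if image in {"powershell.exe", "pwsh.exe"} and any(f in cmd for f in SUSPICIOUS_PS_FLAGS):
        reasons.append("encoded or hidden PowerShell command line")
    if any(d in rec["Image"].lower() for d in USER_WRITABLE):
        reasons.append("executable launched from a user-writable directory")
    return reasons


def triage(events: list[dict], reported_at: datetime | str,
           window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Findings in time order, restricted to +/- window around the reported time."""
    if isinstance(reported_at, str):
        reported_at = datetime.strptime(reported_at, "%Y-%m-%d %H:%M")
    findings = []
    for rec in sorted(events, key=lambda r: r["time"]):
        if abs(rec["time"] - reported_at) > window:
            continue
        reasons = suspicious_reasons(rec)
        if reasons:
            findings.append({"time": rec["UtcTime"], "user": rec["User"],
                             "parent": rec["ParentImage"], "image": rec["Image"],
                             "command": rec["CommandLine"], "hash": rec["Hashes"],
                             "reasons": reasons})
    return findings


def indicators(findings: list[dict]) -> set[tuple[str, str]]:
    """(hash, image path) pairs the Detective hands to the Protector for blocking."""
    return {(f["hash"], f["image"]) for f in findings}


if __name__ == "__main__":
    hits = triage(parse_events(SAMPLE_EVENTS), "2024-05-14 10:30")
    for h in hits:
        print(f"{h['time']} {h['user']}: {h['parent']} -> {h['image']}")
        for r in h["reasons"]:
            print(f"    - {r}")
    print("IoCs:", sorted(indicators(hits)))
```

Two things the run shows that the prose does not: the benign PowerShell launched from explorer.exe in the same window is not flagged, so the parent/child pairing rather than the process name is doing the work, and the second finding (a binary in the user's Temp directory spawned by the flagged PowerShell) is the kind of follow-on that lets the Detective chain events into a timeline and hand concrete IoCs to the Protector.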

Medium Roll Example: Player says: “I want to try reverse-engineering this malware sample to understand what data it’s trying to steal.”

IM Response: “That’s complex analysis under time pressure. Roll d20 and add your Detective bonus for forensic analysis - you need 12 or higher.”

Team Coordination Automatic Success: Team collaborates: “Detective will analyze the logs while Tracker monitors network traffic, Protector prepares containment measures, and Communicator notifies stakeholders about potential data exposure.”

IM Response: “Perfect coordination using each role’s strengths with clear procedures - automatic success for the whole team.”

Role-Specific Facilitation Techniques

🔍 Detective (Cyber Sleuth) Facilitation

🎭 Archetype

"I see patterns others miss. Every attack tells a story."

💪 Strengths

Pattern Recognition: Spotting anomalies in logs and behavior
Evidence Analysis: Connecting clues into attack timelines
Digital Forensics: Understanding attack artifacts
Timeline Construction: Building accurate chronologies

🎯 Focus Areas

• System logs and process executions
• Attack vector analysis and entry points
• Evidence preservation and IoC development
• Attack attribution and technique identification

🎪 Roleplay Tips

• Be curious about details others might skip
• Ask 'what does this remind you of?' when examining evidence
• Share your thought process: 'This pattern suggests...'
• Connect current findings to previous experiences

Encouraging Detective Contributions:

  • “What patterns do you notice that others might miss?”
  • “How would you piece together the timeline of this attack?”
  • “What evidence would help confirm or rule out your hypothesis?”
  • “What questions would a digital forensics investigator ask here?”

When Detectives Dominate:

  • “That’s great analysis, Detective [Name] - how might other roles use this information?”
  • “Let’s hear how this evidence looks from different role perspectives.”
  • “What would the Protector want to know about these findings?”

When Detectives Withdraw:

  • “We need the Detective’s analytical perspective here.”
  • “What patterns or anomalies stand out to you in this scenario?”
  • “How would you approach investigating this if it happened at your organization?”

Detective Learning Objectives:

  • Pattern recognition and evidence analysis
  • Timeline construction and attack progression
  • Digital forensics concepts and methodologies
  • Connection between evidence and response decisions

🛡️ Protector (Digital Guardian) Facilitation

🎭 Archetype

"Not on my watch. Every system is someone I'm protecting."

💪 Strengths

Threat Containment: Stopping attacks from spreading
System Hardening: Implementing security controls
Damage Assessment: Understanding system compromises
Recovery Planning: Getting systems back to secure states

🎯 Focus Areas

• Identifying compromised systems and accounts
• Implementing isolation and quarantine measures
• Coordinating system restoration efforts
• Preventing attack evolution and spread

🎪 Roleplay Tips

• Express personal investment in system security
• Think about immediate protective actions
• Consider the human impact of system compromises
• Focus on practical, implementable defenses

Encouraging Protector Contributions:

  • “What immediate protective actions would you consider?”
  • “How would you prevent this attack from causing more damage?”
  • “What security controls could have prevented this situation?”
  • “What’s your assessment of current system security posture?”

When Protectors Rush to Action:

  • “That’s a good protective instinct - what information would help you choose the best approach?”
  • “How would you coordinate with other team members before implementing that control?”
  • “What might go wrong if you acted immediately without more analysis?”

When Protectors Are Passive:

  • “The systems are under active attack - what’s your protective response?”
  • “How would you limit damage while the investigation continues?”
  • “What would worry you most about the current security posture?”

Protector Learning Objectives:

  • Containment strategy development and implementation
  • Security control selection and deployment
  • Risk assessment and damage limitation
  • Balance between protection and business continuity

📡 Tracker (Data Whisperer) Facilitation

🎭 Archetype

"I follow the digital breadcrumbs. Data flows tell me everything."

💪 Strengths

Network Analysis: Understanding traffic patterns
Data Flow Monitoring: Tracking information movement
Connection Mapping: Identifying system relationships
Behavioral Analysis: Recognizing unusual patterns

🎯 Focus Areas

• Unusual outbound network connections
• Lateral movement pathways through networks
• Blocking malicious network communications
• Tracking threat actor infrastructure changes

🎪 Roleplay Tips

• Use spatial/visual metaphors for network activity
• Get excited about discovering communication patterns
• Think about data like water flowing through pipes
• Focus on connections and relationships between systems

Encouraging Tracker Contributions:

  • “What network activity patterns concern you?”
  • “How would you trace the data flow in this attack?”
  • “What monitoring would help you understand the scope of compromise?”
  • “Where would you look for signs of data exfiltration?”

When Trackers Get Lost in Technical Details:

  • “That’s detailed network analysis - what does it tell us about the attacker’s objectives?”
  • “How would you explain these network patterns to non-technical team members?”
  • “What decisions does this network intelligence support?”

When Trackers Can’t Contribute:

  • “Even without deep network expertise, what would concern you about data movement?”
  • “What questions would you ask about how information flows through the organization?”
  • “How would you determine if sensitive data was at risk?”

Tracker Learning Objectives:

  • Network behavior analysis and anomaly detection
  • Data flow understanding and protection strategies
  • Communication pattern recognition
  • Integration of network intelligence with incident response

👥 Communicator (People Whisperer) Facilitation


🎭 Archetype

"I translate between human and technical. Everyone needs to understand what's happening."

💪 Strengths

Stakeholder Management: Keeping teams informed
Technical Translation: Explaining complex concepts
Crisis Communication: Managing information flow
Business Impact Assessment: Understanding implications

🎯 Focus Areas

• Interviewing users about suspicious activities
• Managing executive and customer communications
• Coordinating organization-wide response activities
• Planning post-incident user education

🎪 Roleplay Tips

• Think about explaining technical findings to non-technical people
• Consider the business and human impact of incidents
• Ask about organizational policies and compliance
• Focus on clear, actionable communication

Encouraging Communicator Contributions:

  • “Who needs to know about this situation and what do they need to know?”
  • “How would you explain this technical situation to organizational leadership?”
  • “What stakeholder concerns would you anticipate with this type of incident?”
  • “How would you coordinate response with different organizational departments?”

When Communicators Focus Only on External Relations:

  • “How does stakeholder management inform our technical response strategy?”
  • “What business requirements should guide our containment approach?”
  • “How would you gather information from users to support the investigation?”

When Communicators Feel Left Out of Technical Discussion:

  • “The business impact perspective is crucial here - what concerns you most?”
  • “How would you assess the organizational implications of what we’re discovering?”
  • “What questions would executive leadership ask about this situation?”

Communicator Learning Objectives:

  • Stakeholder management and crisis communication
  • Business impact assessment and risk communication
  • Coordination between technical and business teams
  • Translation of technical concepts for diverse audiences

⚡ Crisis Manager (Chaos Wrangler) Facilitation


🎭 Archetype

"I see the big picture. Someone has to keep track of everything while you specialists do your magic."

💪 Strengths

Incident Coordination: Orchestrating team efforts
Resource Management: Allocating time, people, and tools
Priority Setting: Determining what needs attention first
Strategic Planning: Balancing response with recovery

🎯 Focus Areas

• Task assignment and investigation coordination
• Cross-functional team coordination
• Overall response strategy and sequencing of actions
• Post-incident review and improvement planning

🎪 Roleplay Tips

• Focus on team coordination and communication
• Think about timelines, dependencies, and priorities
• Ask about resource availability and constraints
• Consider both immediate response and long-term recovery

Encouraging Crisis Manager Contributions:

  • “How would you coordinate all these different response activities?”
  • “What priorities would you set for the team’s next actions?”
  • “How would you allocate resources across these different response needs?”
  • “What dependencies and constraints affect our response timeline?”

When Crisis Managers Micromanage:

  • “That’s good strategic thinking - how would you empower each role to contribute their expertise?”
  • “What information do you need from other roles to make coordination decisions?”
  • “How would you balance centralized coordination with distributed expertise?”

When Crisis Managers Are Overwhelmed:

  • “Let’s break this complex situation into manageable pieces - what are the key priorities?”
  • “What would help you organize these different response activities?”
  • “How would you approach coordinating this type of incident in your organization?”

Crisis Manager Learning Objectives:

  • Incident coordination and resource allocation
  • Strategic decision-making under pressure
  • Team leadership and cross-functional collaboration
  • Integration of technical response with business continuity

🎯 Threat Hunter (Pattern Seeker) Facilitation


🎭 Archetype

"I don't wait for alerts. I go looking for trouble before it finds us."

💪 Strengths

Proactive Investigation: Finding undetected threats
Hypothesis-Driven Analysis: Testing attack theories
Adversary Behavior Analysis: Understanding attackers
Intelligence Development: Creating actionable intelligence

🎯 Focus Areas

• Hidden threats the initial investigation has not surfaced
• Persistence mechanisms beyond the obvious indicators of compromise
• Remaining threat actor presence after containment
• Intelligence collection for future defense

🎪 Roleplay Tips

• Always assume there's more to discover
• Think from the attacker's perspective
• Question obvious conclusions and dig deeper
• Connect current incident to broader threat landscape

Encouraging Threat Hunter Contributions:

  • “What aren’t we seeing that might still be hidden in the environment?”
  • “How would you proactively search for related threats or compromise?”
  • “What hypotheses would you test about additional attacker activities?”
  • “What intelligence would help predict the attacker’s next moves?”

When Threat Hunters Go Off on Tangents:

  • “That’s interesting threat intelligence - how does it inform our current incident response?”
  • “What’s the most actionable insight from your analysis for our immediate situation?”
  • “How would you prioritize these different threat possibilities?”

When Threat Hunters Can’t Find Hidden Threats:

  • “What questions would you ask to determine if there are other threats we haven’t discovered?”
  • “How would you validate that we’ve found all the attacker activities?”
  • “What would make you confident that the threat has been fully contained?”

Threat Hunter Learning Objectives:

  • Proactive threat discovery and hypothesis testing
  • Threat intelligence analysis and application
  • Advanced investigation techniques and tools
  • Strategic thinking about adversary behavior and motivation

Managing Role Interactions

Natural Role Partnerships

Detective + Threat Hunter Synergy:

  • Complementary Analysis: Detective provides evidence, Threat Hunter develops hypotheses
  • Facilitation Approach: “How do the Detective’s findings support the Threat Hunter’s theory about additional threats?”
  • Learning Opportunity: Evidence-based investigation combined with proactive threat discovery

Protector + Crisis Manager Synergy:

  • Implementation Coordination: Protector provides technical solutions, Crisis Manager coordinates deployment
  • Facilitation Approach: “How would you coordinate the Protector’s containment strategy across the organization?”
  • Learning Opportunity: Technical security controls integrated with strategic incident management

Tracker + Communicator Synergy:

  • Intelligence and Impact: Tracker provides technical details, Communicator assesses business implications
  • Facilitation Approach: “How do the Tracker’s network findings affect the Communicator’s stakeholder management strategy?”
  • Learning Opportunity: Technical network analysis connected to business impact assessment

Managing Role Conflicts

When Roles Disagree on Priorities:

Common Scenario: Protector wants immediate containment, Detective wants more investigation time

Facilitation Approach:

  • “Both perspectives have merit - what are the trade-offs of each approach?”
  • “How might we address both the Protector’s urgency and the Detective’s need for evidence?”
  • “What would help you decide between immediate action and continued analysis?”
  • “How would you resolve this tension in a real incident?”

When Roles Have Overlapping Interests:

Common Scenario: Multiple roles want to investigate the same aspect

Facilitation Approach:

  • “Let’s leverage different role perspectives on this issue - Detective, focus on evidence; Threat Hunter, look for related threats.”
  • “How would each role approach this investigation differently?”
  • “What unique insights can each role contribute to understanding this aspect?”

Ensuring Balanced Participation

When Some Roles Dominate:

Identification Signs:

  • One or two roles providing most responses
  • Other team members becoming passive
  • Technical discussions excluding business-focused roles

Intervention Strategies:

  • “Let’s hear from roles we haven’t heard from yet.”
  • “[Quiet Role], what questions would someone in your position ask?”
  • “How would this situation look from different role perspectives?”
  • “What would worry each role most about this scenario?”

When Some Roles Withdraw:

Identification Signs:

  • Minimal participation from specific roles
  • “I don’t know enough about this” responses
  • Deferring to more technical roles

Intervention Strategies:

  • “Every role brings valuable perspective - what would concern you about this situation?”
  • “You don’t need deep technical knowledge - what does your role’s perspective suggest?”
  • “How would someone in your position typically respond to this type of incident?”
  • “What questions would you ask if this happened at your organization?”

Advanced Team Management Techniques

Rotating Leadership

Technique: Give different roles team leadership during different phases

Implementation:

  • Discovery Phase: Detective leads investigation coordination
  • Investigation Phase: Crisis Manager leads resource allocation and prioritization
  • Response Phase: Protector leads containment strategy development

Benefits:

  • Every role experiences leadership responsibility
  • Team appreciates different leadership styles and perspectives
  • More comprehensive understanding of incident response coordination

Cross-Role Teaching

Technique: Have roles explain their perspective to others

Implementation:

  • “Detective, help the Communicator understand what these technical findings mean for stakeholder messaging.”
  • “Protector, explain to the Crisis Manager what resources you’d need for this containment strategy.”
  • “Tracker, walk the team through what this network analysis tells us about the attack progression.”

Benefits:

  • Develops communication and teaching skills
  • Builds empathy and understanding between roles
  • Creates shared vocabulary and understanding

Role Switching

Technique: Temporarily have team members consider other role perspectives

Implementation:

  • “Everyone think like a Communicator for a moment - what would worry you about this situation?”
  • “If you were the Protector, what immediate actions would you consider?”
  • “From a Crisis Manager perspective, how would you prioritize these different response activities?”

Benefits:

  • Develops appreciation for different role challenges
  • Builds more well-rounded incident response thinking
  • Encourages collaborative rather than siloed approaches

Assessment and Learning Objectives

Team Effectiveness Indicators

Successful Role Integration:

  • All roles contribute meaningfully to investigation and response
  • Team leverages different role perspectives to develop comprehensive strategies
  • Roles collaborate rather than compete for contribution opportunities
  • Team demonstrates understanding of how different cybersecurity functions work together

Communication Quality:

  • Roles explain their perspectives clearly to others
  • Team builds on each other’s contributions rather than working in isolation
  • Technical concepts are made accessible to business-focused roles
  • Business implications inform technical decision-making

Strategic Thinking:

  • Team balances immediate response needs with thorough investigation
  • Roles coordinate their activities for maximum effectiveness
  • Team considers both technical and business aspects of incident response
  • Strategic decisions reflect input from multiple role perspectives

Individual Role Development

Role Mastery Indicators:

  • Consistent contribution of role-appropriate insights and perspectives
  • Ability to explain role’s value to other team members
  • Development of role-specific skills and knowledge
  • Growing confidence in role-based contributions

Cross-Role Understanding:

  • Appreciation for other roles’ contributions and challenges
  • Ability to collaborate effectively with all other roles
  • Understanding of how role fits into broader incident response strategy
  • Development of communication skills across different expertise areas

Remember: Your goal is not perfect role execution, but collaborative learning that builds understanding of how diverse cybersecurity perspectives work together to create effective incident response. Focus on facilitating meaningful contributions from every role while building appreciation for the value of collaborative cybersecurity work.