Managing the Progression System

Understanding Player Development

As an Incident Master, you play a crucial role in recognizing, encouraging, and validating the cybersecurity expertise that participants develop through Malware & Monsters sessions. The progression system isn’t just about tracking achievements—it’s about creating meaningful pathways for professional growth and community contribution.

Recognizing Skill Development

During-Session Observation

Detective Skill Indicators:

  • Pattern Recognition: Connects seemingly unrelated clues into coherent attack narratives
  • Evidence Analysis: Systematically examines artifacts and draws logical conclusions
  • Timeline Construction: Builds accurate chronologies of attack progression
  • Question Development: Asks probing questions that reveal important insights

Protector Skill Indicators:

  • Strategic Containment: Selects appropriate security controls based on threat characteristics
  • System Thinking: Understands how security measures affect overall organizational operations
  • Risk Assessment: Evaluates trade-offs between security and business continuity
  • Implementation Planning: Develops realistic approaches for deploying security measures

Tracker Skill Indicators:

  • Network Awareness: Understands data flows and communication patterns
  • Behavioral Analysis: Recognizes anomalous activities and unusual patterns
  • Monitoring Strategy: Develops effective approaches for detecting ongoing threats
  • Technical Integration: Connects network security with broader incident response

Communicator Skill Indicators:

  • Stakeholder Management: Effectively coordinates with diverse organizational roles
  • Technical Translation: Explains complex cybersecurity concepts in accessible language
  • Crisis Communication: Manages information flow during high-stress situations
  • Business Alignment: Connects technical security decisions to organizational objectives

Crisis Manager Skill Indicators:

  • Strategic Coordination: Orchestrates complex, multi-faceted response efforts
  • Resource Allocation: Makes effective decisions about time, personnel, and tool deployment
  • Priority Management: Balances competing demands and urgent requirements
  • Team Leadership: Guides collaborative decision-making and maintains team effectiveness

Threat Hunter Skill Indicators:

  • Proactive Investigation: Seeks out threats before they trigger alerts
  • Hypothesis Development: Creates and tests theories about threat activity
  • Intelligence Integration: Uses external information to guide investigation priorities
  • Advanced Analysis: Discovers sophisticated threats and evasion techniques

Growth Trajectory Patterns

Novice to Competent (Sessions 1-5):

  • Building confidence in role-specific contributions
  • Learning to collaborate effectively with other roles
  • Developing basic understanding of cybersecurity concepts
  • Starting to ask insightful questions about threats and responses

Competent to Proficient (Sessions 6-15):

  • Taking initiative in role-specific investigations
  • Helping newer participants understand concepts and techniques
  • Contributing unique insights based on growing expertise
  • Beginning to see connections between different types of threats and responses

Proficient to Expert (Sessions 16+):

  • Leading complex investigations and response coordination
  • Mentoring other participants and sharing knowledge effectively
  • Contributing to community knowledge through innovative techniques
  • Taking on facilitation or community leadership responsibilities

The Badge System Implementation

Badge Assessment Criteria

Network Security Badge - “Guardian of Digital Highways”

Evidence Requirements:

  • Successfully leads containment of 5+ Worm-type Malmons using network-based approaches
  • Demonstrates understanding of network segmentation, traffic analysis, and lateral movement
  • Shows ability to coordinate network security with other security domains
  • Contributes insights about network architecture and monitoring strategies

Assessment Methods:

  • Direct Observation: IM notes network-focused contributions during sessions
  • Peer Recognition: Other participants acknowledge network security leadership
  • Knowledge Demonstration: Explains network security concepts to less experienced participants
  • Innovation: Develops or shares novel network security techniques or insights

Documentation:

Badge: Network Security
Participant: [Name]
Sessions: [List of relevant sessions]
Evidence: 
- Led WannaCry containment using network isolation (Session #12)
- Explained lateral movement concepts to new participants (Session #15)
- Developed network monitoring checklist adopted by local community (Session #18)
Assessment: Demonstrates comprehensive network security understanding and leadership
Awarded: [Date]
Assessor: [IM Name]

Human Factors Badge - “Defender Against Social Engineering”

Human Factors Badge - Earned State

Evidence Requirements:

  • Successfully counters 5+ social engineering or phishing-based attacks
  • Develops effective security awareness training programs or materials
  • Demonstrates excellent crisis communication during high-stress incidents
  • Shows ability to translate technical security concepts for non-technical audiences

Assessment Methods:

  • Communication Excellence: Consistently manages stakeholder expectations during incidents
  • Training Development: Creates or improves security awareness materials
  • Social Engineering Defense: Recognizes and counters human-targeted attacks
  • Crisis Leadership: Maintains calm, clear communication under pressure

Endpoint Security Badge - “Protector of Digital Workstations”

Endpoint Security Badge - Progress State

Evidence Requirements:

  • Successfully contains 5+ Trojan or Rootkit-type Malmons using host-based approaches
  • Masters behavioral analysis and system monitoring techniques
  • Leads system recovery and hardening efforts post-incident
  • Develops comprehensive endpoint protection strategies

Assessment Methods:

  • Host Analysis: Demonstrates proficiency with system-level threat detection
  • Malware Analysis: Shows understanding of endpoint threat behaviors and capabilities
  • Recovery Leadership: Successfully guides system restoration and hardening
  • Prevention Strategy: Develops proactive endpoint security measures

Data Protection Badge - “Guardian of Digital Assets”

Data Protection Badge - Pending State

Evidence Requirements:

  • Successfully defends against 5+ Ransomware or Infostealer-type Malmons
  • Implements and tests effective backup and recovery strategies
  • Demonstrates data loss prevention techniques and controls
  • Leads data breach response and notification processes

Assessment Methods:

  • Data Security: Shows mastery of encryption, classification, and handling procedures
  • Backup Strategy: Develops and validates comprehensive data protection plans
  • Breach Response: Manages data incident investigation and compliance requirements
  • Prevention Systems: Implements effective data loss prevention controls

Critical Infrastructure Security Badge - “Protector of Essential Systems”

Critical Infrastructure Badge - Progress State

Evidence Requirements:

  • Successfully defends against 3+ industrial control system or infrastructure threats
  • Understands operational technology (OT) security principles and risks
  • Coordinates effective IT/OT security integration efforts
  • Develops business continuity and disaster recovery plans

Assessment Methods:

  • OT Security: Demonstrates understanding of industrial control system protection
  • Integration Leadership: Successfully bridges IT and operational technology security
  • Continuity Planning: Develops comprehensive business continuity strategies
  • Critical Systems: Shows expertise in protecting essential infrastructure

Governance and Compliance Badge - “Navigator of Regulatory Requirements”

Governance Badge - Pending State

Evidence Requirements:

  • Successfully manages compliance aspects of 5+ security incidents
  • Demonstrates thorough understanding of relevant regulatory frameworks
  • Leads compliance reporting and documentation efforts
  • Develops risk management and governance programs

Assessment Methods:

  • Regulatory Knowledge: Shows mastery of applicable compliance frameworks (GDPR, HIPAA, SOX, etc.)
  • Risk Management: Develops comprehensive risk assessment and management strategies
  • Documentation Excellence: Creates thorough incident reports and compliance documentation
  • Governance Leadership: Builds effective security governance and policy programs

Badge States and Visual Reference

Each badge has three visual states that IMs should recognize:

  • 🟢 EARNED (Green): Player has completed all requirements and demonstrated sustained competency
  • 🟡 PROGRESS (Yellow): Player is actively working toward requirements with documented evidence
  • ⚪ PENDING (Gray): Badge not yet pursued or early-stage interest indicated

Cross-Role Badge Development

Advanced Badges Requiring Multiple Role Experience:

Crisis Leadership Badge:

  • Must demonstrate competence in at least 3 different roles
  • Successfully coordinates response to ⭐⭐⭐ level threats
  • Shows ability to adapt leadership style to different team compositions
  • Mentors other participants in role development and team coordination

Community Educator Badge:

  • Effectively teaches cybersecurity concepts to participants with diverse backgrounds
  • Develops or adapts scenarios for specific learning objectives
  • Contributes to community knowledge through documentation or presentation
  • Demonstrates ability to connect game mechanics to real-world applications

Badge Validation Process

Community-Based Assessment:

  • Self-Assessment: Participants reflect on their growth and contributions
  • Peer Feedback: Other participants provide input on observed skills and contributions
  • IM Evaluation: Incident Masters assess demonstrated competencies during sessions
  • Portfolio Development: Participants document their learning journey and contributions

Quality Assurance:

  • Multiple Session Evidence: Badges require demonstration across multiple sessions and contexts
  • Community Review: Local communities validate badge awards through peer discussion
  • Continuous Learning: Badge holders commit to ongoing skill development and community contribution
  • Mentorship Responsibility: Badge recipients support other participants’ learning and development

Elite Specialization Tracks

APT Specialist Development

Prerequisites:

  • Network Security, Endpoint Security, and Data Protection badges
  • Demonstrated experience with ⭐⭐⭐ level threat scenarios
  • Active contribution to threat intelligence and attribution discussions
  • Mentorship of other participants in advanced threat analysis

Development Pathway:

  • Advanced Threat Analysis: Lead investigation of nation-state level threats
  • Attribution Methodology: Develop expertise in connecting threats to specific actors
  • Intelligence Integration: Use external threat intelligence to guide response strategies
  • Strategic Assessment: Understand geopolitical and strategic implications of advanced threats

Assessment Criteria:

  • Successfully leads response to 3+ APT-level scenarios
  • Demonstrates understanding of advanced threat actor tactics and motivations
  • Contributes original analysis or insights about sophisticated threat campaigns
  • Shows ability to coordinate response across organizational and national boundaries

Global Incident Commander Track

Prerequisites:

  • Crisis Manager experience with complex, multi-stakeholder scenarios
  • Demonstrated leadership in cross-organizational coordination exercises
  • Experience with regulatory, legal, and policy aspects of major incidents
  • Strong communication and diplomatic skills for international cooperation

Development Opportunities:

  • Multi-Organization Scenarios: Lead response efforts involving multiple organizations
  • Regulatory Coordination: Navigate complex compliance and reporting requirements
  • Media Management: Handle public communication during high-profile incidents
  • International Cooperation: Coordinate with government agencies and international partners

Supporting Individual Development Plans

Assessment and Goal Setting

Quarterly Development Reviews:

  • Self-Reflection: What cybersecurity areas interest you most?
  • Skill Assessment: Where do you feel confident, and where do you want to grow?
  • Goal Setting: What specific capabilities do you want to develop?
  • Community Contribution: How do you want to help other participants learn?

Individual Development Planning:

Participant: [Name]
Current Role Focus: [Primary role, secondary interests]
Experience Level: [Novice/Competent/Proficient/Expert]

Skill Development Goals:

- Technical: [Specific cybersecurity knowledge areas]
- Collaboration: [Team coordination and communication objectives]
- Leadership: [Mentorship and community contribution goals]

Badge Progression Plan:

- Next Badge Target: [Specific badge and timeline]
- Evidence Requirements: [What needs to be demonstrated]
- Learning Activities: [Sessions, mentorship, community contribution]

Community Involvement:

- Mentorship: [Who you're learning from, who you're helping]
- Contributions: [How you're adding to community knowledge]
- Leadership: [What community responsibilities you're taking on]

Mentorship and Peer Learning

Facilitating Mentor Relationships:

  • Expert-Novice Pairing: Connect experienced participants with newcomers
  • Cross-Role Learning: Encourage participants to explore different role perspectives
  • Community Introductions: Help participants connect with others who share their interests
  • Recognition Opportunities: Highlight when participants help others learn effectively

Community Learning Opportunities:

  • Practice Sessions: Additional opportunities to practice skills between formal sessions
  • Knowledge Sharing: Informal discussions about real-world cybersecurity experiences
  • Innovation Labs: Groups focused on developing new techniques or approaches

Organizational Integration

Connecting Progression to Professional Development

Performance Review Integration:

  • Skill Documentation: How progression demonstrates cybersecurity competency development
  • Leadership Evidence: Examples of mentorship, teaching, and community contribution
  • Innovation Contribution: Novel techniques or insights developed through participation
  • Professional Network: Relationships built through community participation

Career Advancement Support:

  • Portfolio Development: Documenting cybersecurity learning and achievement
  • Reference Networks: Connections with other cybersecurity professionals
  • Conference Opportunities: Speaking about collaborative learning experiences
  • Certification Connections: How progression supports formal cybersecurity certification

Team Capability Assessment

Organizational Skill Mapping:

  • Role Coverage: What incident response capabilities exist within the organization
  • Experience Distribution: How cybersecurity expertise is distributed across the team
  • Development Priorities: What skills would most benefit organizational security
  • Succession Planning: Who can take on additional responsibilities as they develop

Training Integration:

  • Skill Gap Analysis: What capabilities are missing or need strengthening
  • Development Planning: How Malware & Monsters supports broader training objectives
  • Budget Justification: Return on investment for collaborative learning programs
  • Vendor Coordination: How community learning complements commercial training

Remember: The progression system serves learning, not the other way around. Focus on recognizing and supporting genuine skill development and community contribution rather than checking boxes or accumulating achievements. The goal is building cybersecurity expertise and community, with progression recognition as a supportive framework for that growth.