Running Sessions: Thorough Guide

Session Overview and Timing

A complete Malware & Monsters session follows this structure:

  • Setup Phase
  • Round 1 (Discovery)
  • Round 2 (Investigation)
  • Round 3 (Response)
  • Closing

This chapter provides thorough guidance for confident session management.

The Opening: Foundation for Success

Welcome and Energy Setting

Your Opening Script

“Welcome everyone! I’m [Name] and for the next couple of hours, you’re going to become an incident response team facing a real cybersecurity crisis. This isn’t a lecture - you’ll be the experts solving problems together.”

“Before we dive into the emergency, let’s see what expertise we’re working with.”

Energy Assessment

Quickly read the room:

  • High energy: Move faster, dive into action
  • Low energy: Use more icebreaking, build excitement gradually
  • Mixed energy: Address different levels individually
  • Nervous energy: Provide reassurance and clear structure

Expertise Discovery and Team Chemistry

The Expertise Round

“Let’s go around quickly - first name and one thing you know about computers or cybersecurity. This could be work experience, personal projects, something you’ve read, or just common sense.”

Facilitation Notes:

  • Time limit: 30-45 seconds per person maximum
  • Encourage breadth: “Technical and non-technical insights are both valuable”
  • Take mental notes: Who has what expertise for later role assignment
  • Build confidence: “Great background” or “That’s exactly the perspective we need”

Sample Participant Responses and Your Reactions:

  • “I work in IT support” → “Perfect - you see problems first-hand”
  • “I’m curious about cybersecurity” → “Curiosity and fresh thinking are incredibly valuable”
  • “I develop software” → “Great - you understand how systems work”
  • “I handle compliance” → “Essential perspective - business impact matters”

Collaborative Role Assignment

Role Assignment Script

“Based on what you’ve shared, I’ll suggest roles for our incident response team. Feel free to speak up if you’d prefer something different:”

Assignment Logic:

  • IT/Technical background → Detective or Protector
  • Network/Infrastructure → Tracker
  • Business/Management → Communicator
  • Security experience → Crisis Manager
  • Analytical mindset → Threat Hunter

Role Introduction (Brief)

“Let me quickly explain what each role brings to incident response:”

  • 🔍 Detective: “You find clues and analyze evidence”
  • 🛡️ Protector: “You secure systems and stop threats”
  • 📡 Tracker: “You follow data flows and monitor networks”
  • 👥 Communicator: “You handle stakeholders and coordinate response”
  • ⚡ Crisis Manager: “You manage the overall incident response”
  • 🎯 Threat Hunter: “You proactively search for hidden threats”

Group Confirmation: “Any adjustments to these assignments?”

Character Development and Context Setting

Character Creation

“Now develop your character around your real name and role. Think about:”

  • “What’s your work obsession or quirk?”
  • “Why do you care about protecting this organization?”
  • “What would devastate you if it were compromised?”

Facilitation During Character Creation:

  • Move around the room: Available for quiet consultation
  • Encourage fun: “Lean into the stereotypes - they’re based in truth”
  • Provide prompts: Use role-specific questions for stuck participants
  • Manage time: “One more minute for character development”

In-Character Introductions

This is where the magic happens. Fun and laughs are important to break the ice and get players engaged, so if players don’t make their introductions fun on their own, ask questions that play on their role’s stereotypes to get them and the other players laughing.

“The emergency alarm just went off. You’re all rushing to the situation room. Introduce yourselves as your characters - 30 seconds each.”

Sample Character Introductions:

  • “I’m Sarah, IT Support. I’ve been watching logs like Netflix for two years, and something’s been bothering me since yesterday.”
  • “Marcus, Systems Admin. These servers are my children, and someone’s been messing with them.”

Your Response: Build energy and acknowledge each character

  • “I love the protective instinct, Marcus”
  • “Sarah, your pattern recognition is exactly what we need”

Round 1: Discovery Phase

Phase Setup

Crisis Presentation Script

“Here’s the situation at [Organization Name]. You’ve been called in because:”

Present 2-3 clear symptoms:

  • “Multiple users across all locations report computers running 30% slower since yesterday”
  • “Help desk received 5 calls about unexpected pop-ups appearing”
  • “One user mentioned receiving a ‘critical software update’ email yesterday afternoon”

Stakes and Pressure

“Your critical systems are affected. [Specific organizational stakes]. The clock is ticking.”

Initial Status Setting:

  • “Network Security Status starts at 100”
  • “Each of you gets 2 actions this round”
  • “Your goal: figure out what you’re dealing with”

Individual Investigation

Action Facilitation

“Each role investigates from their expertise area. [Role name], what’s your first move?”

Detective Actions:

  • Prompt: “Sarah, your pattern-recognition instincts are tingling. What do you investigate first?”
  • Follow-up: “What would worry you most in those logs?”
  • Success guidance: Help them find evidence that leads to Malmon identification

Protector Actions:

  • Prompt: “Marcus, someone’s attacking your systems. What’s your defensive instinct?”
  • Follow-up: “What would you check to see how they’re hiding?”
  • Success guidance: Guide toward understanding attack techniques

Tracker Actions:

  • Prompt: “Alex, you’re seeing unusual trains on your network subway map. What do you track first?”
  • Follow-up: “What would suspicious outbound traffic look like here?”
  • Success guidance: Help discover data exfiltration or command & control

Communicator Actions:

  • Prompt: “Jamie, you need to understand the human side. Who do you talk to first?”
  • Follow-up: “What questions help you understand how this attack succeeded?”
  • Success guidance: Reveal social engineering or user compromise

Crisis Manager Actions:

  • Prompt: “Taylor, you’re seeing the big picture. What’s your first priority?”
  • Follow-up: “How do you coordinate the team’s efforts?”
  • Success guidance: Help organize team response and resource allocation

Threat Hunter Actions:

  • Prompt: “Riley, you’re looking for what others missed. Where do you hunt first?”
  • Follow-up: “What signs suggest there’s more than meets the eye?”
  • Success guidance: Help discover hidden persistence or additional threats

Real-Time Facilitation Notes

  • Dice rolls: Use for uncertain outcomes, not obvious successes
  • Build on expertise: When players demonstrate real knowledge, auto-succeed
  • Guide toward Malmon: Help discoveries point to your chosen threat
  • Time management: “Two more minutes for individual actions”
  • Energy monitoring: If energy drops, inject urgency or stakes

Knowledge Sharing

Structured Information Exchange

“Excellent investigation work. Now share your findings - what story do your discoveries tell together?”

Facilitation Sequence:

  1. Detective reports first: Sets foundation with evidence
  2. Protector adds technical details: How the attack works
  3. Tracker provides network perspective: What’s happening with data
  4. Communicator explains human factor: How the attack succeeded
  5. Crisis Manager synthesizes: Big picture assessment
  6. Threat Hunter reveals hidden elements: What others missed

Pattern Recognition Guidance

Help the group connect dots without providing answers:

  • “Interesting - fake software updates AND process injection. What does that combination suggest?”
  • “So we have social engineering AND technical evasion. What kind of threat does both?”
  • “The timing and sophistication level - what does that tell us about our adversary?”

Collaborative Building Techniques

  • Yes, and… “Yes, that’s exactly right, and what does that mean for…”
  • Connect expertise: “Jamie’s social engineering insight connects to what Sarah found in the logs”
  • Build tension: “This is more sophisticated than a random attack”

Malmon Identification

The Revelation Moment

“Based on your investigation, you’re dealing with a specific type of threat. Given the evidence - social engineering, process injection, data exfiltration - what kind of Malmon matches this pattern?”

Guide toward correct identification:

  • If they struggle: “Think about the combination of deception and technical sophistication”
  • If they’re close: “Yes, that’s exactly the right family of threats”
  • If they’re off-track: “What about the [key evidence] suggests something different?”

Malmon Card Reveal

“Exactly right. Meet your adversary…”

[Reveal Malmon card with dramatic flair]

“This is [Malmon Name], a [Type] that specializes in [primary ability]. You’ve identified the threat, but it’s already been active for [time period]. What’s your assessment?”

Network Security Status Update:

  • Calculate changes based on group performance
  • Announce new status: “Network Security Status is now [number]”
  • Build urgency: “The threat is established but not yet evolved”

Round 2: Investigation Phase

Phase Transition

Escalation Script

“Now that you know what you’re facing, you need to understand the full scope of [Malmon Name]’s infiltration. The threat is active and could evolve if not contained quickly.”

New Objectives:

  • “Assess the complete impact”
  • “Understand the attack progression”
  • “Identify vulnerabilities that enabled success”
  • “Prepare for potential evolution”

Impact Assessment

Role-Specific Deep Dives

Each role investigates different aspects of the compromise:

Detective: Evidence Analysis
“Sarah, now that you know it’s [Malmon Name], what evidence would confirm its full capabilities?”

  • Guide toward forensic indicators
  • Help discover timeline and progression
  • Reveal attack vector details

Protector: Damage Assessment
“Marcus, how many systems are affected and what’s been compromised?”

  • Guide toward scope of infection
  • Help identify vulnerable systems
  • Reveal defensive failures

Tracker: Data Flow Analysis
“Alex, what data is being stolen and where is it going?”

  • Guide toward exfiltration patterns
  • Help identify command & control
  • Reveal network compromise

Communicator: Human Factor Analysis
“Jamie, how did this attack succeed and who was targeted?”

  • Guide toward social engineering analysis
  • Help identify user education gaps
  • Reveal organizational vulnerabilities

Crisis Manager: Organizational Impact
“Taylor, what’s the business impact and what resources do we need?”

  • Guide toward operational assessment
  • Help identify recovery requirements
  • Reveal stakeholder concerns

Threat Hunter: Hidden Threats
“Riley, what else might be lurking that we haven’t found yet?”

  • Guide toward additional persistence
  • Help identify lateral movement
  • Reveal potential additional threats

Attack Vector Analysis

Collaborative Mapping

“Let’s map how [Malmon Name] got in and spread through our environment.”

Facilitation Techniques:

  • Use whiteboard: Visual mapping of attack progression
  • Build timeline: When did each phase occur?
  • Identify decision points: Where could this have been stopped?
  • Connect to type effectiveness: How does [Malmon Type] exploit weaknesses?

Vulnerability Assessment

“What enabled this attack to succeed?”

Guide discussion toward:

  • Technical vulnerabilities (unpatched systems, weak configurations)
  • Process gaps (inadequate training, poor procedures)
  • Human factors (social engineering susceptibility)
  • Environmental issues (network segmentation, monitoring gaps)

Evolution Threat

The Escalation Moment

“Just as you’re getting a handle on the situation, your monitoring tools alert you: [Malmon Name] is attempting to evolve. It’s trying to [specific evolution behavior based on Malmon card].”

Critical Decision Point: “Do you focus on containing what you’ve found, or continue investigating to understand the complete scope? This decision affects your response options.”

Facilitation Notes:

  • Let group debate naturally
  • Both choices have consequences
  • Their decision affects Round 3 difficulty
  • Build tension around time pressure

Round 3: Response Phase

Phase Transition

Action Phase Setup

“Time for coordinated response. Based on your investigation, how does the team counter [Malmon Name]?”

Response Objectives:

  • “Stop ongoing damage”
  • “Prevent evolution/spread”
  • “Begin recovery operations”
  • “Coordinate stakeholder communications”

Strategy Coordination

Team Planning Session

“Plan your coordinated response. Remember [Malmon Name]’s type weaknesses: [specific weaknesses from card].”

Facilitation Focus:

  • Encourage type advantage usage: “How can you exploit its weakness to [vulnerability]?”
  • Coordinate actions: “How do your individual actions support each other?”
  • Address constraints: “What real-world limitations affect your response?”
  • Build on expertise: “Given your experience, what would work best?”

Strategy Validation

Help group assess their plan:

  • “What could go wrong with this approach?”
  • “What would [Malmon Name] do to counter your strategy?”
  • “How does this plan address all the evidence you found?”

Implementation

Coordinated Action Execution

Each player executes their response strategy:

Action Resolution:

  • Use dice for uncertain outcomes
  • Apply type effectiveness bonuses/penalties
  • Reward creative solutions
  • Build on collaborative efforts

Malmon Counter-Actions

“[Malmon Name] fights back using [specific abilities from card].”

  • Use Malmon’s abilities to create challenges
  • Don’t make it impossible, make it interesting
  • Reward good strategy and teamwork
  • Build dramatic tension

Real-Time Network Security Status Updates

Track and announce changes:

  • “Good coordination - Network Security Status improves to [number]”
  • “The attack is being contained but [complication]”
  • “Excellent use of [type advantage] - major progress”

Resolution

Outcome Determination

Based on team coordination and strategy effectiveness:

Complete Victory (80+ Security Status): “Outstanding work. [Malmon Name] has been completely contained with minimal impact. Your coordinated response and use of type advantages were textbook incident response.”

Partial Victory (60-79 Security Status): “Good work under pressure. The threat is contained, though some damage occurred. You’ve learned valuable lessons about [specific insights].”

Pyrrhic Victory (40-59 Security Status): “The threat is stopped, but at significant cost. This scenario highlights the importance of [key lessons] for future incidents.”

Evolution Outcomes

If Malmon evolved during the scenario:

“[Malmon Name] successfully evolved into [next form], demonstrating how threats escalate when not quickly contained. However, your response prevented [worse outcome].”

Session Transitions and Pacing

Maintaining Energy Throughout

Energy Monitoring Checklist

  • High engagement: Players actively discussing, building on each other’s ideas
  • Medium engagement: Some participation, but needs encouragement
  • Low engagement: Minimal discussion, blank stares, checking phones

Energy Management Techniques

For Low Energy:

  • “What’s the worst-case scenario here?”
  • “Who would be panicking right now besides us?”
  • “What would happen if we’re wrong about this?”
  • Inject urgency and stakes

For Overwhelming Complexity:

  • “Let’s step back to the big picture”
  • “What’s the most important thing to focus on right now?”
  • “If you had to pick one action, what would it be?”

Time Management Strategies

Running Ahead of Schedule

  • Extend investigation phases: Deeper technical discussions
  • Add complexity: Multiple attack vectors or evolution
  • Enhanced debrief: More detailed lessons learned
  • Advanced scenarios: What happens next week/month?

Running Behind Schedule

  • Accelerate discovery: Provide more direct guidance
  • Combine phases: Investigation and response together
  • Focus on key learning: Hit main educational objectives
  • Efficient resolution: Quick but satisfying conclusion

Real-Time Adjustments

  • 10 minutes over: Normal, just note for next time
  • 15 minutes over: Start condensing remaining phases
  • 20+ minutes over: Emergency time management protocols

Participant Management

Encouraging Quiet Participants

  • Direct, gentle questions: “Alex, what’s your network perspective on this?”
  • Role-specific prompts: “As our Communicator, how would you handle this?”
  • Expertise validation: “Given your [background], what would you try?”
  • Lower stakes questions: “What’s your gut feeling about this situation?”

Managing Dominant Participants

  • Redirect without dismissing: “That’s valuable insight. Let’s hear other perspectives.”
  • Role assignments: “Can you help facilitate others’ contributions?”
  • Structured turns: “Let’s go around and hear from everyone.”
  • Private sidebar: Brief, respectful conversation about balance

Handling Technical Disputes

  • Acknowledge both sides: “Both approaches have merit”
  • Focus on scenario: “In our specific situation, which would work better?”
  • Use time pressure: “Given our constraints, what’s the fastest effective solution?”
  • Learn from disagreement: “This is exactly the kind of discussion incident response teams have”

Closing Strong

Session Wrap-up

Immediate Debrief

“Quick debrief:”

  • “What’s one thing that surprised you about this incident?”
  • “What’s one technique you could use in your real work?”
  • “What would you want to learn more about?”

MalDex Entry Creation

“Let’s capture this for the community:”

  • Incident name: Group creates memorable name
  • Key learnings: Most important insights
  • Effective techniques: What worked well
  • Future applications: How to use these skills

Community Connection

“You’re now part of the Malware & Monsters community. Here’s how to stay connected…”

  • Contact information sharing
  • Follow-up resources
  • Future session opportunities
  • Contribution possibilities

Success Indicators

A successful session typically includes:

Common Real-Time Challenges

When Nobody Knows Technical Details

  • Common sense redirect: “Using logic, what would worry you about this?”
  • Analogy method: “Think of this like [familiar comparison]”
  • Role-playing approach: “You don’t need technical expertise - as [role], what concerns you?”
  • Collaborative building: “Let’s think through this together”

When Sessions Go Off-Script

  • Follow player interest: Their direction often leads to better learning
  • Maintain objectives: Guide back to key concepts when possible
  • Improvise confidently: Trust that engagement leads to education
  • Document insights: Capture unexpected learning for future sessions

When Technical Accuracy is Questioned

  • Redirect to group: “Who here has experience with this?”
  • Focus on learning: “What can we learn from this discussion?”
  • Acknowledge limits: “I’m not an expert in this area - let’s explore together”
  • Use uncertainty: “This is exactly the kind of uncertainty incident responders face”

The key to successful session management is confident flexibility - ready for anything while maintaining focus on collaborative learning and practical skill development.