Running Sessions: Thorough Guide

Session Overview and Timing

A complete Malware & Monsters session follows this structure:

  • Setup Phase
  • Round 1 (Discovery)
  • Round 2 (Investigation)
  • Round 3 (Response)
  • Closing

This chapter provides thorough guidance for confident session management.

The Opening: Foundation for Success

Welcome and Energy Setting

Your Opening Script

“Welcome everyone! I’m [Name] and for the next couple of hours, you’re going to become an incident response team facing a real cybersecurity crisis. This isn’t a lecture - you’ll be the experts solving problems together.”

“Before we dive into the emergency, let’s see what expertise we’re working with.”

Energy Assessment

Quickly read the room:

  • High energy: Move faster, dive into action
  • Low energy: Use more icebreaking, build excitement gradually
  • Mixed energy: Address different levels individually
  • Nervous energy: Provide reassurance and clear structure

Expertise Discovery and Team Chemistry

The Expertise Round

“Let’s go around quickly - first name and one thing you know about computers or cybersecurity. This could be work experience, personal projects, something you’ve read, or just common sense.”

Facilitation Notes:

  • Time limit: 30-45 seconds per person maximum
  • Encourage breadth: “Technical and non-technical insights are both valuable”
  • Take mental notes: Who has what expertise for later role assignment
  • Build confidence: “Great background” or “That’s exactly the perspective we need”

Sample Participant Responses and Your Reactions:

  • “I work in IT support” → “Perfect - you see problems first-hand”
  • “I’m curious about cybersecurity” → “Curiosity and fresh thinking are incredibly valuable”
  • “I develop software” → “Great - you understand how systems work”
  • “I handle compliance” → “Essential perspective - business impact matters”

Collaborative Role Assignment

Role Assignment Script

“Based on what you’ve shared, I’ll suggest roles for our incident response team. Feel free to speak up if you’d prefer something different:”

Assignment Logic:

  • IT/Technical background → Detective or Protector
  • Network/Infrastructure → Tracker
  • Business/Management → Communicator
  • Security experience → Crisis Manager
  • Analytical mindset → Threat Hunter

Role Introduction (Brief)

“Let me quickly explain what each role brings to incident response:”

  • 🔍 Detective: “You find clues and analyze evidence”
  • 🛡️ Protector: “You secure systems and stop threats”
  • 📡 Tracker: “You follow data flows and monitor networks”
  • 👥 Communicator: “You handle stakeholders and coordinate response”
  • ⚡ Crisis Manager: “You manage the overall incident response”
  • 🎯 Threat Hunter: “You proactively search for hidden threats”

Group Confirmation: “Any adjustments to these assignments?”

Character Development and Context Setting

Character Creation

“Now develop your character around your real name and role. Think about:”

  • “What’s your work obsession or quirk?”
  • “Why do you care about protecting this organization?”
  • “What would devastate you if it were compromised?”

Facilitation During Character Creation:

  • Move around the room: Available for quiet consultation
  • Encourage fun: “Lean into the stereotypes - they’re based in truth”
  • Provide prompts: Use role-specific questions for stuck participants
  • Manage time: “One more minute for character development”

In-Character Introductions

This is where the magic happens. Fun and laughs are important to break the ice and get players engaged, so if players don’t make their introduction fun on their own, ask questions that play on their role’s stereotypes to get them and the other players laughing.

“The emergency alarm just went off. You’re all rushing to the situation room. Introduce yourselves as your characters - 30 seconds each.”

Sample Character Introductions:

  • “I’m Sarah, IT Support. I’ve been watching logs like Netflix for two years, and something’s been bothering me since yesterday.”
  • “Marcus, Systems Admin. These servers are my children, and someone’s been messing with them.”

Your Response: Build energy and acknowledge each character

  • “I love the protective instinct, Marcus”
  • “Sarah, your pattern recognition is exactly what we need”

Dice Mechanics Reference for IMs

This section provides the complete game mechanics system you need to adjudicate player actions during sessions. For a quick reference version, see the IM Quick Start Guide.

Understanding Target Numbers

When player actions have uncertain outcomes, ask them to roll a d20 (20-sided die) and compare the result to a target number based on difficulty:

Easy Tasks (Target: 5+)

Success Rate: ~95% chance with no modifiers

When to use: Standard procedures with appropriate tools and expertise

Examples:

  • Running antivirus scans on suspected infected systems
  • Basic network traffic monitoring with established tools
  • Standard backup restoration procedures
  • Routine communication with familiar stakeholders
  • Checking Windows Event Logs for obvious indicators

Facilitation note: These should almost always succeed. Only call for rolls when environmental factors or time pressure add uncertainty.

Medium Tasks (Target: 10+)

Success Rate: ~70% chance with no modifiers

When to use: Complex analysis or coordination requiring expertise and some luck

Examples:

  • Advanced malware analysis requiring reverse engineering
  • Coordinating response across multiple business units
  • Implementing novel security controls under time pressure
  • Managing crisis communication with external parties
  • Analyzing behavioral patterns to identify sophisticated threats

Facilitation note: This is your default difficulty for meaningful challenges. Most important actions should target this range.

Hard Tasks (Target: 15+)

Success Rate: ~40% chance with no modifiers

When to use: Cutting-edge techniques, high-stakes decisions, or overcoming significant obstacles

Examples:

  • Developing custom tools to counter sophisticated threats
  • Managing organization-wide crisis with regulatory implications
  • Responding to zero-day exploits with no established procedures
  • Coordinating international incident response efforts
  • Detecting nation-state adversary tradecraft

Facilitation note: Reserve for truly exceptional challenges. Players should feel accomplished when succeeding at this difficulty.

The Complete Modifier System

Modifiers adjust the roll to reflect circumstances, expertise, and coordination. Add all applicable modifiers to the player’s d20 roll before comparing to the target number.

Role Expertise Modifiers

+2: Action aligns with role specialization

  • Detective analyzing forensic evidence
  • Protector implementing containment measures
  • Tracker monitoring network communications
  • Communicator managing stakeholder relationships
  • Crisis Manager coordinating team efforts
  • Threat Hunter conducting proactive investigation

+1: Action is related to role but not core specialty

  • Detective implementing security controls (Protector’s specialty)
  • Protector conducting forensic analysis (Detective’s specialty)

-1: Action significantly outside role expertise

  • Communicator attempting advanced malware analysis
  • Detective leading executive stakeholder management

Facilitation guidance: Most role-aligned actions get +2. Don’t penalize creative approaches, but apply -1 when a player attempts something requiring expertise they haven’t demonstrated.

Collaboration Modifiers

Standard Approach: +1 per assisting player (maximum +3 total)

  • Detective provides evidence → Protector uses it to configure controls (+1)
  • Tracker identifies traffic → Threat Hunter investigates patterns (+1)
  • Multiple roles coordinate comprehensive response (+2 or +3)

Alternative Approach: Advantage Mechanic

Instead of stacking +1 bonuses, some IMs prefer the “advantage” mechanic borrowed from other tabletop games. When a player receives meaningful help, they roll 2d20 and take the higher result.

How Advantage Works:

  • Player declares action with collaboration support
  • Instead of adding +1 per helper, player rolls two d20s
  • Use the higher of the two rolls
  • Apply other modifiers (role expertise, type effectiveness) normally

Comparing the Two Approaches:

Aspect            Stacking +1                            Advantage (2d20)
Math              Simple addition                        Take higher of two
Feel              Incremental improvement                Better overall odds
Best for          Multiple helpers, team coordination    Key moments of support
Average benefit   Predictable (+1 to +3)                 Variable (~+3.3 average)

When to Use Which:

  • +1 Stacking works well when you want to reward each contributor visibly. Players see their help adding up.
  • Advantage works well for dramatic moments where one teammate makes a crucial assist. It feels more like “you’ve got backup” than “everyone’s contributing a little.”

You might use both in the same session:

  • Standard coordination → +1 per helper
  • Key dramatic assist → Advantage

Example of Advantage: “The Detective has analyzed the malware’s behavior and is sharing exactly what to look for. Riley, roll with advantage for your threat hunting - you have excellent intel to work from.”
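To see how the two collaboration mechanics actually compare, here is an added example (not from the guide) that computes exact d20 odds for a flat bonus versus advantage, the average benefit of advantage, and the flat bonus that would match advantage at each of the guide’s three target numbers. The function names are my own; the only rules assumed are the ones stated above (d20 plus modifiers against a target, or roll two d20 and keep the higher).

```python
"""Stacking +1 versus advantage (2d20, keep the higher) on a d20 check.
Added example for the Malware & Monsters collaboration rules; function
names are the author's of this example, not the guide's."""
from fractions import Fraction
from itertools import product

DIE = range(1, 21)  # faces of a d20


def p_success_stacking(target: int, bonus: int) -> Fraction:
    """Exact probability that d20 + bonus >= target."""
    hits = sum(1 for r in DIE if r + bonus >= target)
    return Fraction(hits, 20)


def p_success_advantage(target: int, bonus: int = 0) -> Fraction:
    """Exact probability that max(d20, d20) + bonus >= target.
    Other modifiers (role, type) still apply as a flat bonus."""
    hits = sum(1 for a, b in product(DIE, DIE) if max(a, b) + bonus >= target)
    return Fraction(hits, 400)


def expected_advantage_gain() -> Fraction:
    """Mean of max(2d20) minus mean of 1d20: the '~+3.3 average' in the table."""
    mean_single = Fraction(sum(DIE), 20)
    mean_adv = Fraction(sum(max(a, b) for a, b in product(DIE, DIE)), 400)
    return mean_adv - mean_single


def equivalent_stack(target: int) -> int:
    """Smallest flat bonus whose success chance is at least advantage's
    (no other modifiers) at this target. Shows that advantage is worth
    more than the +3 stacking cap on Medium and Hard checks."""
    goal = p_success_advantage(target)
    for bonus in range(0, 20):
        if p_success_stacking(target, bonus) >= goal:
            return bonus
    return 19  # not reachable on a d20; kept so the function always returns


if __name__ == "__main__":
    print(f"advantage is worth {float(expected_advantage_gain()):.3f} points on average")
    for target in (5, 10, 15):
        print(f"target {target:>2}: +1 -> {float(p_success_stacking(target, 1)):.0%}, "
              f"+3 -> {float(p_success_stacking(target, 3)):.0%}, "
              f"advantage -> {float(p_success_advantage(target)):.0%}, "
              f"advantage ~ +{equivalent_stack(target)}")
```

One design point worth noticing: advantage helps most on Medium checks (it lifts a 10+ from 55% to about 80%) and is roughly a +5 there, so if you hand it out for every routine assist it quietly outpaces the +3 stacking cap; reserving it for the dramatic assist, as the text suggests, keeps the two systems balanced.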

Note: Reader Choice

Neither approach is “correct.” Choose based on your preference and group dynamics. Some IMs use +1 stacking for consistency; others prefer advantage for its dramatic feel. Some use both situationally. Experiment to find what works for your table.

Tip from Inver: When two players both have a stake, let them both roll

If two players have both contributed meaningfully to the same action, let them each roll and take the higher result. I did this when both my Protector and Crisis Manager had relevant information about a suspicious IP – they’d both earned the right to attempt it.

It’s faster than arbitrating who “gets” the roll, it rewards collaborative thinking, and it almost always results in a better outcome – which is the point. Teamwork should help.

Tip from Inver: Give advantage when a player does something genuinely clever

When a player makes a particularly smart move – a creative approach, a well-reasoned argument, a real insight that changes the room – give them advantage: roll twice, take the higher result. I reserve it for moments that actually deserve it, so it still means something when it happens.

It’s a way of saying “yes, that was good” without breaking the fiction to praise them out loud. The dice communicate it for you.

Tip from Inver: Let players name their own modifier

When a roll doesn’t have an obvious modifier, I ask the player to name the skill they’re using. If they can justify it, I’ll give it a +2 or +3. If they’re stuck, I give them a default.

It takes two seconds and it does real work. The player has to think about what they’re actually doing, not just “I roll.” When someone argues for a higher modifier because they have real-world experience that applies to the situation, that’s exactly the kind of expertise I want surfaced at the table.

Perfect Teamwork: Automatic Success

When the entire team demonstrates:

  • Each role contributing unique, valuable perspective
  • Actions building logically on each other
  • Clear understanding of both technical and business aspects
  • Real-world cybersecurity knowledge driving decisions

Facilitation guidance: Generously award collaboration bonuses. The goal is encouraging teamwork, not making math complicated.

Type Effectiveness Modifiers

+2: Super effective approaches

  • Using behavioral analysis against Trojans
  • Network segmentation against Worms
  • Backup restoration against Ransomware
  • Network monitoring against RATs
  • User education against Phishing/Social Engineering

0: Standard effectiveness

  • General security best practices
  • Appropriate but not optimized responses

-2: Ineffective approaches

  • Signature detection against polymorphic threats
  • Endpoint isolation against network worms
  • File recovery tools against ransomware (before decryption)

Facilitation guidance: Help players understand type matchups through questions: “Given this is a [Type] threat, what approaches might work well?”

Environmental Modifiers

+2: Organization has strong security posture

  • Robust monitoring and logging infrastructure
  • Well-trained security team with experience
  • Updated tools and security controls
  • Clear incident response procedures
  • Management support for security initiatives

+1: Standard organizational capabilities

  • Basic security tools and procedures in place
  • Some security awareness and training
  • Adequate but not exceptional resources

-1: Organizational limitations

  • Budget constraints affecting tool availability
  • Policy restrictions limiting response options
  • Political challenges to implementing controls
  • Outdated infrastructure or technical debt

-2: Significant environmental obstacles

  • Critical systems cannot be taken offline
  • Severe budget or resource limitations
  • Hostile political environment for security
  • Legacy systems with known vulnerabilities

Facilitation guidance: Use environmental modifiers to reflect scenario-specific context. They help explain why the same actions might have different success rates in different organizations.

Time Pressure Modifiers

-1: Increased time pressure

  • Threat showing signs of evolution
  • Management demanding rapid resolution
  • Business operations affected by investigation
  • Regulatory notification deadlines approaching

-2: Actively evolving threat

  • Malmon deploying additional capabilities
  • Attack expanding to additional systems
  • Data exfiltration in progress
  • Ransomware encryption spreading

-3: Crisis-level threat

  • Organization-threatening incident
  • Imminent business failure risk
  • Regulatory enforcement actions likely
  • Media scrutiny and public relations crisis

Facilitation guidance: Start scenarios without time pressure. Introduce it progressively to create mounting tension and force difficult prioritization decisions.

Combining Modifiers: Worked Examples

Example 1: Detective Analyzing Logs (Easy Task)

  • Base difficulty: 5+ (standard procedure)
  • Role expertise: +2 (core Detective specialty)
  • Environment: +1 (adequate logging infrastructure)
  • Modified target: 5 - 2 - 1 = 2 (essentially automatic success)

Facilitation: “As the Detective with access to comprehensive logs, you efficiently identify the malicious process. No need to roll - this is clearly within your expertise.”

Example 2: Team Coordinating Complex Containment (Medium Task)

  • Base difficulty: 10+ (complex coordination)
  • Role expertise: +2 (Crisis Manager leading coordination)
  • Collaboration: +3 (all team members contributing)
  • Type effectiveness: +2 (using super effective approach)
  • Modified target: 10 - 2 - 3 - 2 = 3 (very likely success)

Facilitation: “With your Crisis Manager coordinating and everyone contributing their expertise using the optimal containment strategy, roll d20 and add 7. You need a 3 or higher.”

Example 3: Responding to Unknown Threat Under Pressure (Hard Task)

  • Base difficulty: 15+ (novel situation)
  • Role expertise: +2 (Threat Hunter’s specialty)
  • Environment: -1 (limited tooling)
  • Time pressure: -2 (actively evolving threat)
  • Modified target: 15 - 2 + 1 + 2 = 16 (challenging)

Facilitation: “Riley, you’re attempting sophisticated threat hunting with limited tools while the threat is actively spreading. Roll d20 and add 1. You need 16 or higher - this is genuinely difficult.”

When NOT to Use Dice

Grant automatic success when players demonstrate:

Clear Expertise

  • Player describes specific, appropriate cybersecurity procedures
  • Action clearly within role specialization
  • Real-world knowledge evident in approach

Example: “I’ll check the Windows Event Logs for Event ID 4688 process creation events around the time of the alert, looking for unusual parent-child process relationships.”

Your response: “That’s exactly the right approach, and you clearly know what you’re looking for. You discover several suspicious PowerShell processes spawned by WinWord.exe…”
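The Event ID 4688 check the player describes is a real and useful review, so here is an added example (not part of the guide) that runs it over a handful of constructed 4688-style records: it keeps only process-creation events inside a time window around the alert and flags the ones where an Office application is the parent of a shell or script host. The records, usernames and timestamps are invented; the field names follow the 4688 event’s NewProcessName and ParentProcessName fields.

```python
"""Review Windows Security 4688 (process creation) records for an Office
application spawning a shell near an alert. Added example with
constructed records; nothing here is real telemetry."""
from collections import Counter
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}

OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed 4688-style records (invented for this example).
EVENTS = [
    {"time": "2024-03-11T09:02:10", "EventID": 4688, "SubjectUserName": "s.lee",
     "NewProcessName": OFFICE16 + r"\WINWORD.EXE",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"time": "2024-03-11T09:03:41", "EventID": 4688, "SubjectUserName": "s.lee",
     "NewProcessName": PS, "ParentProcessName": OFFICE16 + r"\WINWORD.EXE"},
    {"time": "2024-03-11T09:03:42", "EventID": 4688, "SubjectUserName": "s.lee",
     "NewProcessName": PS, "ParentProcessName": OFFICE16 + r"\WINWORD.EXE"},
    {"time": "2024-03-11T09:10:05", "EventID": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": PS, "ParentProcessName": r"C:\Windows\System32\svchost.exe"},
    # A logon event (4624) on the same host: not a process creation, must be skipped.
    {"time": "2024-03-11T09:15:00", "EventID": 4624, "SubjectUserName": "s.lee",
     "NewProcessName": "", "ParentProcessName": ""},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, so WINWORD.EXE and winword.exe compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def find_office_spawned_shells(events, alert_iso: str, window_minutes: int):
    """4688 events within +/- window of the alert where the parent is an
    Office app and the child is a shell/script host."""
    alert = datetime.fromisoformat(alert_iso)
    lo, hi = alert - timedelta(minutes=window_minutes), alert + timedelta(minutes=window_minutes)
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        if not lo <= datetime.fromisoformat(e["time"]) <= hi:
            continue
        if basename(e["ParentProcessName"]) in OFFICE_APPS and basename(e["NewProcessName"]) in SHELLS:
            hits.append(e)
    return hits


def summarize(hits) -> Counter:
    """Count parent -> child pairs, which is what the IM narrates back."""
    return Counter((basename(h["ParentProcessName"]), basename(h["NewProcessName"])) for h in hits)


if __name__ == "__main__":
    found = find_office_spawned_shells(EVENTS, "2024-03-11T09:05:00", 15)
    for (parent, child), n in summarize(found).items():
        print(f"{parent} spawned {child} x{n}")
```

The parent-process field in 4688 is only populated when process-creation auditing is enabled and on Windows versions that record it, which is why a thorough check also queries the endpoint agent or Sysmon rather than relying on Security log alone; the svchost-spawned PowerShell in the sample is left out on purpose, since a system-context shell needs a different baseline than a user document spawning one.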

Excellent Teamwork

  • Well-coordinated efforts leveraging multiple roles
  • Logical planning with clear execution steps
  • Each team member contributing meaningfully

Example: Team develops comprehensive response plan where Detective provides evidence, Tracker identifies network indicators, Protector implements containment, and Communicator manages stakeholders - all working in clear coordination.

Your response: “This is exactly how professional incident response works. Your coordinated approach succeeds without needing a roll.”

Creative Solutions

  • Approach directly addresses threat-specific vulnerabilities
  • Player leverages scenario details in clever ways
  • Solution demonstrates deep understanding

Example: Player suggests using the malware’s own command-and-control infrastructure against it by identifying and blocking its update mechanism.

Your response: “That’s brilliant - you’re turning the malware’s design against itself. This works exactly as you described.”

Tip from Inver: Not everything deserves a dice roll

A player did some quick research mid-session and reported back what he found. Good information, real contribution. I didn’t make him roll for it – I just said “we’ll allow it to be part of the universal canon.”

But when he wanted to interpret what that meant for the investigation? That’s a roll. The distinction matters: contributing a fact is different from drawing a conclusion. Gating every contribution behind dice slows the table and signals that you don’t trust smart play.

Tip from Inver: Roll your own dice when the world is uncertain

A player asked whether our vendor was based in Moldova. I hadn’t decided. So I rolled my own dice, out loud, in front of everyone. It came up yes.

The player who asked got a visible moment of confirmation – not “the IM says so,” but “the dice says so.” When the world feels genuinely undecided until the roll happens, the fiction breathes differently. You don’t have to pre-script everything. Sometimes the most authentic answer is to let the world decide alongside your players.

Common Facilitation Mistakes

Mistake 1: Rolling for Everything

  • Problem: Slows pace, reduces player agency
  • Solution: Default to automatic success for standard procedures with demonstrated expertise

Mistake 2: Forgetting to Apply Modifiers

  • Problem: Makes rolls feel arbitrary, discourages specialization
  • Solution: Verbally announce modifiers as you apply them: “As the Detective, you get +2. With the team helping, that’s another +2. Roll d20 and add 4.”

Mistake 3: Inconsistent Difficulty

  • Problem: Players can’t calibrate expectations
  • Solution: Establish baseline: Easy (5+) for standard tasks, Medium (10+) for meaningful challenges, Hard (15+) for exceptional situations

Mistake 4: Ignoring Perfect Teamwork

  • Problem: Misses opportunities to reward collaboration
  • Solution: When the team demonstrates excellent coordination using real cybersecurity knowledge, grant automatic success and celebrate it

Quick Decision Tree for IMs

Step 1: Does the player demonstrate clear expertise and appropriate approach?

  • YES → Automatic success, no roll needed
  • NO → Continue to Step 2

Step 2: How difficult is this action?

  • Standard procedure → Easy (5+)
  • Complex challenge → Medium (10+)
  • Exceptional difficulty → Hard (15+)

Step 3: What modifiers apply?

  • Role alignment: +2 (specialty), +1 (related), -1 (misaligned)
  • Collaboration: +1 per assisting player (max +3)
  • Type effectiveness: +2 (super effective), 0 (standard), -2 (ineffective)
  • Environment: +2 to -2
  • Time pressure: -1 to -3

Step 4: Announce total modifier and ask for roll

“Roll d20 and add [X]. You need [target minus modifiers] or higher.”

Step 5: Interpret result and narrate outcome

  • Success: Describe what they accomplish
  • Failure: Explain what went wrong and offer next steps
  • Critical (natural 20): Extra success or unexpected benefit
  • Fumble (natural 1): Complication or setback

This complete mechanics reference provides everything you need to confidently adjudicate player actions. Remember: The goal is supporting collaborative learning, not enforcing rigid rules. When in doubt, favor player agency and interesting storytelling over mechanical precision.
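As an added example (not from the guide), the decision tree and the three worked examples above can be written down as a small resolver: it computes the net modifier from the role, collaboration, type, environment and time-pressure tables, applies the rule stated in the modifier section (add modifiers to the roll and compare to the unmodified target, which is equivalent to lowering the target by the same amount; do one or the other, not both), treats a natural 1 as a fumble and a natural 20 as a critical, and uses the 8-9-against-10 partial-success band from the roll interpretation section. The dataclass, function names and the "partial" band width are my own; the numbers come from the tables.

```python
"""Resolver for the Malware & Monsters d20 action check, following the
Quick Decision Tree. Added example; the Situation dataclass and function
names are the example author's, the modifier values are the guide's."""
from dataclasses import dataclass
from fractions import Fraction

DIFFICULTY = {"easy": 5, "medium": 10, "hard": 15}
ROLE_ALIGNMENT = {"specialty": 2, "related": 1, "misaligned": -1}
TYPE_EFFECT = {"super": 2, "standard": 0, "ineffective": -2}
PARTIAL_BAND = 2  # a total 1-2 short of the target is a partial success


@dataclass
class Situation:
    difficulty: str                # easy / medium / hard
    role: str = "specialty"        # specialty / related / misaligned
    helpers: int = 0               # assisting players, +1 each, capped at +3
    type_effect: str = "standard"  # super / standard / ineffective
    environment: int = 0           # +2 .. -2 from the environment table
    time_pressure: int = 0         # 0 .. -3 from the time-pressure table
    clear_expertise: bool = False  # Step 1: automatic success, no roll

    def target(self) -> int:
        return DIFFICULTY[self.difficulty]

    def net_modifier(self) -> int:
        if not (-2 <= self.environment <= 2 and -3 <= self.time_pressure <= 0):
            raise ValueError("environment is +2..-2, time pressure is 0..-3")
        return (ROLE_ALIGNMENT[self.role] + min(self.helpers, 3)
                + TYPE_EFFECT[self.type_effect] + self.environment + self.time_pressure)


def announce(s: Situation) -> str:
    """Step 4: what the IM says. Modifiers go on the roll; the target stays."""
    m = s.net_modifier()
    verb = "add" if m >= 0 else "subtract"
    return f"Roll d20 and {verb} {abs(m)}. You need {s.target()} or higher."


def success_chance(s: Situation) -> Fraction:
    """P(success) with natural 1 always fumbling and natural 20 always succeeding."""
    if s.clear_expertise:
        return Fraction(1)
    hits = sum(1 for r in range(1, 21)
               if r == 20 or (r != 1 and r + s.net_modifier() >= s.target()))
    return Fraction(hits, 20)


def resolve(s: Situation, roll: int) -> str:
    """Step 5: classify one die result as fumble/failure/partial/success/critical."""
    if s.clear_expertise:
        return "success"
    if not 1 <= roll <= 20:
        raise ValueError("a d20 shows 1..20")
    if roll == 1:
        return "fumble"
    if roll == 20:
        return "critical"
    total = roll + s.net_modifier()
    if total >= s.target():
        return "success"
    if total >= s.target() - PARTIAL_BAND:
        return "partial"
    return "failure"


# The three worked examples from the text, encoded as situations.
EXAMPLES = {
    "1_detective_logs": Situation("easy", environment=1, clear_expertise=True),
    "2_team_containment": Situation("medium", helpers=3, type_effect="super"),
    "3_threat_hunt_under_pressure": Situation("hard", environment=-1, time_pressure=-2),
}

if __name__ == "__main__":
    for name, sit in EXAMPLES.items():
        print(f"{name}: modifier {sit.net_modifier():+d}, "
              f"{float(success_chance(sit)):.0%} success; {announce(sit)}")
```

Running it shows Example 2 at a net +7 with a 90% chance on a 10+ and Example 3 at a net -1 with a 25% chance on a 15+, which matches the text’s "very likely" and "genuinely difficult" readings; the announce line for Example 3 is "Roll d20 and subtract 1. You need 15 or higher."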

Dice Delivery as Performance (Optional)

How you announce dice results can significantly shape player experience. Some IMs prefer a matter-of-fact approach, while others enjoy building dramatic moments. Both are valid - find what feels natural for you and your group.

Building Suspense (If It Suits Your Style)

The Pause Technique: After a player rolls, you might take a moment before announcing the result. This works especially well for high-stakes moments:

  • Player rolls for critical containment attempt
  • You glance at the die, then look up at the team
  • Brief pause… “The malware’s communication channel… goes silent. You’ve done it.”

When Pauses Work:

  • Critical success or failure moments where anticipation enhances the experience
  • End-of-round resolutions that determine major outcomes
  • First time a team uses a clever new strategy

When to Skip Drama:

  • Routine checks that don’t warrant spotlight
  • When the group’s energy is low or time is short
  • When players prefer straightforward results

Tip from Joe: The Graduated Reveal

I like to pause briefly after a player rolls, then build through the modifiers before announcing success or failure. When Stefan rolled a 14 for threat hunting, I said: “14… and that’s not with the plus three yet… so 17. Oh my gosh. Yes.” That pause and graduated reveal makes the success feel more earned - the team gets to experience the tension of wondering if they’ll make it.

For really tense moments, I’ll look at the die, then look up at the players, let them see me thinking about the implications before I describe what happens. It’s the tabletop equivalent of a dramatic pause in a movie.

Your choice: Use graduated reveals if you enjoy theatrical delivery, or announce results immediately if your group prefers quick pacing. Both work - match your table’s energy.

Making Failures Interesting

Low rolls don’t have to feel punishing. How you narrate failures shapes whether players feel discouraged or engaged.

Failure as Discovery:

  • “The scan doesn’t find what you’re looking for… but you notice something else that seems off. What do you want to investigate next?”
  • “Your first approach didn’t work, but now you’ve ruled out one possibility. What does that tell you?”

Failure as Complication:

  • “The isolation attempt triggers an alert - the malware knows you’re onto it. The clock just got tighter.”
  • “The executive meeting runs long, and you see an urgent message from the Tracker. Something’s changed.”

Failure as Learning:

  • “This is exactly the kind of obstacle real incident responders face. What would you try differently?”
  • “Not every approach works on the first try - that’s realistic. What did you learn from this attempt?”

Avoid:

  • Making players feel foolish for failed rolls
  • Narrative dead ends with no path forward
  • Treating failure as purely negative rather than informative

Tip from Joe: The Cursed Dice

When someone rolls badly, I lean into humor rather than gravity. Before a roll, I might say “I gotta tell you, this may be a cursed die, but we’re gonna find out.” When a player rolled a natural 1 on disclosure verification, I said: “You accidentally posted it to Facebook” - the whole team laughed, and suddenly the failure became a memorable moment instead of a frustrating one.

This does two things: it takes the sting out of bad rolls, and it creates running jokes that bond the group. By the end of the session, players were making their own cursed dice comments. They wanted to keep rolling even after bad results because failure had become entertaining.

Your choice: Use humor to soften failures if your table enjoys levity, or keep the tone serious if that matches your group’s preferences. Some tables thrive on dramatic tension; others need laughter to stay engaged.

Tip from Inver: A nat 1 is a gift, not a punishment

The same player rolled two natural ones in my session. The first time I said: “With your nat one, you have estimated that the vibes are indeed bad currently. Good to know.” That got the biggest laugh of the session.

The second time, I opened a help action so a teammate could bail him out. Now it’s a team moment instead of a solo humiliation.

Find the absurdist reading. Nat 1 isn’t “you fail and feel bad” – it’s “something slightly ridiculous happens and everyone moves on.” The player who rolled both ones was fully engaged the whole session.

Finding Your Delivery Style

Matter-of-Fact Approach: Some IMs and groups prefer straightforward delivery: “You rolled a 14 plus 3, that’s 17. Success - you identify the malware variant.” This keeps pace quick and works well for experienced groups or time-limited sessions.

Narrative Approach: Others prefer weaving results into story: “Your analysis reveals familiar signatures… this isn’t just any ransomware. You recognize the LockBit calling card.” This works well for groups who enjoy immersion.

Hybrid Approach: Many IMs blend both: mechanical clarity for routine rolls, narrative flair for pivotal moments. You might develop a rhythm where the first roll of a phase gets more description, while subsequent rolls stay brisk.

Note: Reader Choice

There’s no “correct” way to deliver dice results. The techniques above are options to explore, not requirements to follow. Pay attention to what energizes your specific group and adjust accordingly.

Roll Interpretation Examples

Understanding what different roll results mean in practice helps you narrate outcomes that feel appropriate and educational. These examples illustrate the range of outcomes for common action types.

Interpreting the Roll Range

Natural 1 (Critical Fumble)

Not punishment - complication with learning value.

Investigation Example: “You’re so focused on the logs that you miss a real-time alert. The malware just made a move - but you also now know it’s still active.”

Technical Example: “The isolation command has an unexpected side effect - it takes down a system you didn’t intend to affect. What’s your recovery plan?”

Communication Example: “Your briefing accidentally reveals the scope of the incident to someone who didn’t have clearance. How do you handle this?”

Key Principle: Critical fumbles should create interesting complications, not arbitrary failure.

Low Rolls (2-7)

Insufficient for most challenges, but partial information available.

Investigation Example (rolling 5 against target 10): “The logs show something happened around that time, but the entries are ambiguous. You can’t tell if it’s malicious activity or normal system behavior. You’d need another approach to get clarity.”

Technical Example (rolling 6 against target 10): “Your containment blocks some traffic but not all. The malware has a backup communication channel you didn’t account for.”

Communication Example (rolling 4 against target 10): “The executive understood there’s a problem, but left the meeting still unclear on the urgency. They’re not blocking your response, but they’re not prioritizing resources either.”

Moderate Rolls (8-12)

The interesting middle ground - success and failure both possible.

Partial Success (8-9 against target 10): “You identify the malware family, but not the specific variant. That’s enough to choose a general response strategy, but you might encounter surprises.”

Clean Success (10-12 against target 10): “Your analysis confirms this is [specific threat]. You now understand its primary capabilities and can plan your response accordingly.”

Facilitation Note: This range generates the most discussion. Partial successes invite follow-up questions and team collaboration.

Good Rolls (13-17)

Solid professional competence with room for additional benefits.

Investigation Example (rolling 15 against target 10): “Your analysis is thorough - not only do you identify the threat, but you also notice timing patterns that suggest when it first arrived and how it spread.”

Technical Example (rolling 16 against target 15): “Your containment is effective and clean. No collateral damage, and you’ve preserved forensic evidence that will help the Detective.”

Communication Example (rolling 14 against target 10): “The briefing goes well. Leadership understands the situation, approves your resource requests, and - importantly - agrees to let you control the response timeline.”

High Rolls (18-19)

Excellence that provides advantages beyond the immediate action.

Investigation Example (rolling 18): “Your analysis reveals not just what the malware does, but why the attackers chose this specific approach. This insight helps you predict their next moves.”

Technical Example (rolling 19): “Your containment is so well-executed that you’ve actually improved the organization’s security posture. The emergency controls you implemented should probably become permanent.”

Communication Example (rolling 19): “Leadership doesn’t just understand - they’re impressed. You’ve built political capital that will help fund security improvements after this incident is resolved.”

Natural 20 (Critical Success)

Exceptional outcomes that reward and energize the team.

Investigation Example: “You don’t just identify the malware - you recognize the specific campaign and threat actor. This intelligence lets you check for related threats and predict what the attackers might try if containment fails.”

Technical Example: “Your containment is textbook perfect. Other teams will study this response. The malware is neutralized, evidence is preserved, and you’ve documented a procedure that will help future incidents.”

Communication Example: “The executive team doesn’t just support your response - they ask how they can help. Legal clears potential regulatory concerns, PR prepares holding statements, and the CEO offers to personally call key customers. You have full organizational backing.”

Action Type Interpretation Guide

Investigation Actions - Focus on information quality:

  • Low rolls: Ambiguous, partial, or misleading information
  • Medium rolls: Core facts established, some gaps remain
  • High rolls: Complete picture with bonus insights

Technical Actions - Focus on effectiveness and side effects:

  • Low rolls: Doesn’t work, or works with significant complications
  • Medium rolls: Achieves primary objective cleanly
  • High rolls: Exceeds expectations, additional benefits

Communication Actions - Focus on stakeholder response:

  • Low rolls: Message received but not acted upon effectively
  • Medium rolls: Desired understanding and cooperation achieved
  • High rolls: Enhanced support, resources, or political capital

Strategic Actions - Focus on coordination and planning:

  • Low rolls: Plan has gaps that will cause problems
  • Medium rolls: Sound approach that will work with good execution
  • High rolls: Anticipates complications, positions team for success

Tip: The Goal of Interpretation

Roll interpretation should feel fair and educational. Players should understand why outcomes happen and what they can learn from both successes and failures. When in doubt, narrate outcomes that advance the story and create opportunities for the team to demonstrate cybersecurity knowledge.

Round 1: Discovery Phase

Phase Setup

Crisis Presentation Script

“Here’s the situation at [Organization Name]. You’ve been called in because:”

Present 2-3 clear symptoms:

  • “Multiple users across all locations report computers running 30% slower since yesterday”
  • “Help desk received 5 calls about unexpected pop-ups appearing”
  • “One user mentioned receiving a ‘critical software update’ email yesterday afternoon”

Stakes and Pressure

“Your critical systems are affected. [Specific organizational stakes]. The clock is ticking.”

Initial Status Setting:

  • “Network Security Status starts at 100”
  • “Each of you gets 2 actions this round”
  • “Your goal: figure out what you’re dealing with”

Individual Investigation

Action Facilitation

“Each role investigates from their expertise area. [Role name], what’s your first move?”

Detective Actions:

  • Prompt: “Sarah, your pattern-recognition instincts are tingling. What do you investigate first?”
  • Follow-up: “What would worry you most in those logs?”
  • Success guidance: Help them find evidence that leads to Malmon identification

Protector Actions:

  • Prompt: “Marcus, someone’s attacking your systems. What’s your defensive instinct?”
  • Follow-up: “What would you check to see how they’re hiding?”
  • Success guidance: Guide toward understanding attack techniques

Tracker Actions:

  • Prompt: “Alex, you’re seeing unusual trains on your network subway map. What do you track first?”
  • Follow-up: “What would suspicious outbound traffic look like here?”
  • Success guidance: Help discover data exfiltration or command & control

Communicator Actions:

  • Prompt: “Jamie, you need to understand the human side. Who do you talk to first?”
  • Follow-up: “What questions help you understand how this attack succeeded?”
  • Success guidance: Reveal social engineering or user compromise

Crisis Manager Actions:

  • Prompt: “Taylor, you’re seeing the big picture. What’s your first priority?”
  • Follow-up: “How do you coordinate the team’s efforts?”
  • Success guidance: Help organize team response and resource allocation

Threat Hunter Actions:

  • Prompt: “Riley, you’re looking for what others missed. Where do you hunt first?”
  • Follow-up: “What signs suggest there’s more than meets the eye?”
  • Success guidance: Help discover hidden persistence or additional threats

Real-Time Facilitation Notes

  • Dice rolls: Use for uncertain outcomes, not obvious successes
  • Build on expertise: When players demonstrate real knowledge, auto-succeed
  • Guide toward Malmon: Help discoveries point to your chosen threat
  • Time management: “Two more minutes for individual actions”
  • Energy monitoring: If energy drops, inject urgency or stakes

Knowledge Sharing

Structured Information Exchange

“Excellent investigation work. Now share your findings - what story do your discoveries tell together?”

Facilitation Sequence:

  1. Detective reports first: Sets foundation with evidence
  2. Protector adds technical details: How the attack works
  3. Tracker provides network perspective: What’s happening with data
  4. Communicator explains human factor: How the attack succeeded
  5. Crisis Manager synthesizes: Big picture assessment
  6. Threat Hunter reveals hidden elements: What others missed

Pattern Recognition Guidance

Help the group connect dots without providing answers:

  • “Interesting - fake software updates AND process injection. What does that combination suggest?”
  • “So we have social engineering AND technical evasion. What kind of threat does both?”
  • “The timing and sophistication level - what does that tell us about our adversary?”

Collaborative Building Techniques

  • Yes, and… “Yes, that’s exactly right, and what does that mean for…”
  • Connect expertise: “Jamie’s social engineering insight connects to what Sarah found in the logs”
  • Build tension: “This is more sophisticated than a random attack”

Malmon Identification

The Revelation Moment

“Based on your investigation, you’re dealing with a specific type of threat. Given the evidence - social engineering, process injection, data exfiltration - what kind of Malmon matches this pattern?”

Guide toward correct identification:

  • If they struggle: “Think about the combination of deception and technical sophistication”
  • If they’re close: “Yes, that’s exactly the right family of threats”
  • If they’re off-track: “What about the [key evidence] suggests something different?”

Malmon Card Reveal

“Exactly right. Meet your adversary…”

[Reveal Malmon card with dramatic flair]

“This is [Malmon Name], a [Type] that specializes in [primary ability]. You’ve identified the threat, but it’s already been active for [time period]. What’s your assessment?”

Network Security Status Update:

  • Calculate changes based on group performance
  • Announce new status: “Network Security Status is now [number]”
  • Build urgency: “The threat is established but not yet evolved”

Round 2: Investigation Phase

Phase Transition

Escalation Script

“Now that you know what you’re facing, you need to understand the full scope of [Malmon Name]’s infiltration. The threat is active and could evolve if not contained quickly.”

New Objectives:

  • “Assess the complete impact”
  • “Understand the attack progression”
  • “Identify vulnerabilities that enabled success”
  • “Prepare for potential evolution”

Impact Assessment

Role-Specific Deep Dives

Each role investigates different aspects of the compromise:

Detective: Evidence Analysis
“Sarah, now that you know it’s [Malmon Name], what evidence would confirm its full capabilities?”

  • Guide toward forensic indicators
  • Help discover timeline and progression
  • Reveal attack vector details

Protector: Damage Assessment
“Marcus, how many systems are affected and what’s been compromised?”

  • Guide toward scope of infection
  • Help identify vulnerable systems
  • Reveal defensive failures

Tracker: Data Flow Analysis
“Alex, what data is being stolen and where is it going?”

  • Guide toward exfiltration patterns
  • Help identify command & control
  • Reveal network compromise

Communicator: Human Factor Analysis
“Jamie, how did this attack succeed and who was targeted?”

  • Guide toward social engineering analysis
  • Help identify user education gaps
  • Reveal organizational vulnerabilities

Crisis Manager: Organizational Impact
“Taylor, what’s the business impact and what resources do we need?”

  • Guide toward operational assessment
  • Help identify recovery requirements
  • Reveal stakeholder concerns

Threat Hunter: Hidden Threats
“Riley, what else might be lurking that we haven’t found yet?”

  • Guide toward additional persistence
  • Help identify lateral movement
  • Reveal potential additional threats

Attack Vector Analysis

Collaborative Mapping

“Let’s map how [Malmon Name] got in and spread through our environment.”

Facilitation Techniques:

  • Use whiteboard: Visual mapping of attack progression
  • Build timeline: When did each phase occur?
  • Identify decision points: Where could this have been stopped?
  • Connect to type effectiveness: How does [Malmon Type] exploit weaknesses?

Vulnerability Assessment

“What enabled this attack to succeed?”

Guide discussion toward:

  • Technical vulnerabilities (unpatched systems, weak configurations)
  • Process gaps (inadequate training, poor procedures)
  • Human factors (social engineering susceptibility)
  • Environmental issues (network segmentation, monitoring gaps)

Evolution Threat

The Escalation Moment

“Just as you’re getting a handle on the situation, your monitoring tools alert you: [Malmon Name] is attempting to evolve. It’s trying to [specific evolution behavior based on Malmon card].”

Critical Decision Point: “Do you focus on containing what you’ve found, or continue investigating to understand the complete scope? This decision affects your response options.”

Facilitation Notes:

  • Let group debate naturally
  • Both choices have consequences
  • Their decision affects Round 3 difficulty
  • Build tension around time pressure

Round 3: Response Phase

Phase Transition

Action Phase Setup

“Time for coordinated response. Based on your investigation, how does the team counter [Malmon Name]?”

Response Objectives:

  • “Stop ongoing damage”
  • “Prevent evolution/spread”
  • “Begin recovery operations”
  • “Coordinate stakeholder communications”

Strategy Coordination

Team Planning Session

“Plan your coordinated response. Remember [Malmon Name]’s type weaknesses: [specific weaknesses from card].”

Facilitation Focus:

  • Encourage type advantage usage: “How can you exploit its weakness to [vulnerability]?”
  • Coordinate actions: “How do your individual actions support each other?”
  • Address constraints: “What real-world limitations affect your response?”
  • Build on expertise: “Given your experience, what would work best?”

Strategy Validation

Help group assess their plan:

  • “What could go wrong with this approach?”
  • “What would [Malmon Name] do to counter your strategy?”
  • “How does this plan address all the evidence you found?”

Implementation

Coordinated Action Execution

Each player executes their response strategy:

Action Resolution:

  • Use dice for uncertain outcomes
  • Apply type effectiveness bonuses/penalties
  • Reward creative solutions
  • Build on collaborative efforts

Malmon Counter-Actions

“[Malmon Name] fights back using [specific abilities from card].”

  • Use Malmon’s abilities to create challenges
  • Don’t make it impossible, make it interesting
  • Reward good strategy and teamwork
  • Build dramatic tension

Real-Time Network Security Status Updates

Track and announce changes:

  • “Good coordination - Network Security Status improves to [number]”
  • “The attack is being contained but [complication]”
  • “Excellent use of [type advantage] - major progress”

Resolution

Outcome Determination

Based on team coordination and strategy effectiveness:

Complete Victory (80+ Security Status): “Outstanding work. [Malmon Name] has been completely contained with minimal impact. Your coordinated response and use of type advantages were textbook incident response.”

Partial Victory (60-79 Security Status): “Good work under pressure. The threat is contained, though some damage occurred. You’ve learned valuable lessons about [specific insights].”

Pyrrhic Victory (40-59 Security Status): “The threat is stopped, but at significant cost. This scenario highlights the importance of [key lessons] for future incidents.”

Evolution Outcomes

If Malmon evolved during the scenario:

“[Malmon Name] successfully evolved into [next form], demonstrating how threats escalate when not quickly contained. However, your response prevented [worse outcome].”

Session Transitions and Pacing

Maintaining Energy Throughout

Energy Monitoring Checklist

  • High engagement: Players actively discussing, building on each other’s ideas
  • Medium engagement: Some participation, but needs encouragement
  • Low engagement: Minimal discussion, blank stares, checking phones

Energy Management Techniques

For Low Energy:

  • “What’s the worst-case scenario here?”
  • “Who would be panicking right now besides us?”
  • “What would happen if we’re wrong about this?”
  • Inject urgency and stakes

For Overwhelming Complexity:

  • “Let’s step back to the big picture”
  • “What’s the most important thing to focus on right now?”
  • “If you had to pick one action, what would it be?”

Time Management Strategies

Running Ahead of Schedule

  • Extend investigation phases: Deeper technical discussions
  • Add complexity: Multiple attack vectors or evolution
  • Enhanced debrief: More detailed lessons learned
  • Advanced scenarios: What happens next week/month?

Running Behind Schedule

  • Accelerate discovery: Provide more direct guidance
  • Combine phases: Investigation and response together
  • Focus on key learning: Hit main educational objectives
  • Efficient resolution: Quick but satisfying conclusion

Real-Time Adjustments

  • 10 minutes over: Normal, just note for next time
  • 15 minutes over: Start condensing remaining phases
  • 20+ minutes over: Emergency time management protocols

Participant Management

Encouraging Quiet Participants

  • Direct, gentle questions: “Alex, what’s your network perspective on this?”
  • Role-specific prompts: “As our Communicator, how would you handle this?”
  • Expertise validation: “Given your [background], what would you try?”
  • Lower stakes questions: “What’s your gut feeling about this situation?”

Managing Dominant Participants

  • Redirect without dismissing: “That’s valuable insight. Let’s hear other perspectives.”
  • Role assignments: “Can you help facilitate others’ contributions?”
  • Structured turns: “Let’s go around and hear from everyone.”
  • Private sidebar: Brief, respectful conversation about balance

Handling Technical Disputes

  • Acknowledge both sides: “Both approaches have merit”
  • Focus on scenario: “In our specific situation, which would work better?”
  • Use time pressure: “Given our constraints, what’s the fastest effective solution?”
  • Learn from disagreement: “This is exactly the kind of discussion incident response teams have”

Closing Strong

Session Wrap-up

Immediate Debrief

“Quick debrief - what’s one thing that surprised you about this incident?”

“What’s one technique you could use in your real work?”

“What would you want to learn more about?”

MalDex Entry Creation

“Let’s capture this for the community:”

  • Incident name: Group creates memorable name
  • Key learnings: Most important insights
  • Effective techniques: What worked well
  • Future applications: How to use these skills

Community Connection

“You’re now part of the Malware & Monsters community. Here’s how to stay connected…”

  • Contact information sharing
  • Follow-up resources
  • Future session opportunities
  • Contribution possibilities

Success Indicators

A successful session typically includes:

Common Real-Time Challenges

When Nobody Knows Technical Details

  • Common sense redirect: “Using logic, what would worry you about this?”
  • Analogy method: “Think of this like [familiar comparison]”
  • Role-playing approach: “You don’t need technical expertise - as [role], what concerns you?”
  • Collaborative building: “Let’s think through this together”

When Sessions Go Off-Script

  • Follow player interest: Their direction often leads to better learning
  • Maintain objectives: Guide back to key concepts when possible
  • Improvise confidently: Trust that engagement leads to education
  • Document insights: Capture unexpected learning for future sessions

When Technical Accuracy is Questioned

  • Redirect to group: “Who here has experience with this?”
  • Focus on learning: “What can we learn from this discussion?”
  • Acknowledge limits: “I’m not an expert in this area - let’s explore together”
  • Use uncertainty: “This is exactly the kind of uncertainty incident responders face”

The key to successful session management is confident flexibility - ready for anything while maintaining focus on collaborative learning and practical skill development.