Practical Facilitation Techniques
Player Agency Patterns
Great facilitation invites players to drive the narrative. Rather than telling players what happens, ask them what they’re doing - then build the story around their choices.
The “What Are You Doing?” Pattern
The most powerful question in facilitation is simply: “What are you doing?”
This question:
- Puts players in control of their characters and actions
- Reveals player thinking so you can respond appropriately
- Creates natural story beats driven by player initiative
- Avoids railroading toward predetermined outcomes
Example Flow:
- You describe the situation: “Your monitoring tools just flagged unusual outbound traffic. The volume is small but the destination is suspicious.”
- Instead of telling them what to do: “What are you doing?”
- Player responds: “I want to capture that traffic and analyze the packets.”
- You build on their choice: “Great - as you start the capture, what specifically are you looking for?”
I make it explicit by using player names: “Susan, what would you like to be doing right now?” or “Seth, what are you doing besides telling Peter you needed Cortex?” Adding the name transforms a general question into a personal invitation. It puts that person in the spotlight and gives them permission to take action.
When someone’s been quiet, a direct name-call draws them in: “Stefan, what else are you doing right now?” When someone’s been dominating, asking others by name spreads participation: “Kesha, what are you doing while they’re handling that?”
The pattern becomes predictable in a good way - players start anticipating their turn and preparing their response.
Your choice: Use explicit name-calling if you want structured participation, or keep questions open-ended if your group naturally self-organizes. Some tables need prompting; others find it too directed.
Concrete Question Examples for Eliciting Decisions
Opening a Scene:
- “You’ve just arrived at the compromised system. What’s your first move?”
- “The alert came in 10 minutes ago. What have you been doing since then?”
- “You have the forensic image. How do you want to approach the analysis?”
After Discovering Information:
- “You found evidence of lateral movement. What does that mean for your investigation?”
- “The timeline shows the malware was dormant for two weeks before activating. What do you make of that?”
- “This signature matches a known threat actor. How does that change your approach?”
At Decision Points:
- “You can either isolate the system immediately or continue monitoring to learn more. What’s your call?”
- “The executive wants a briefing in 15 minutes. What do you tell them?”
- “Your containment will work, but it’ll take down the finance system during payroll processing. How do you want to handle that?”
When Players Seem Stuck:
- “What would you do if this happened at your real organization?”
- “What information would help you decide?”
- “What’s your gut telling you here?”
When to Allow Re-Investigation
Players may want to revisit something they already examined, especially with new information. Here’s how to handle re-investigation requests:
Allow Re-Investigation When:
- New information genuinely changes what they might find
- They’re taking a different approach than before
- Collaboration brings a new perspective (different role examining same evidence)
- Reasonable time has passed in-story for circumstances to change
Example: “Earlier you checked the logs and found normal activity. But now that you know the malware uses process injection, you want to re-examine with that lens? Absolutely - what are you looking for specifically?”
Discourage Re-Investigation When:
- They’re simply hoping for a better roll on the same action
- No meaningful change in approach or information
- It would stall the session without adding value
Gentle Redirect: “You already examined those logs thoroughly. Unless you have a specific new theory to test, your time might be better spent on areas you haven’t explored yet. What else interests you?”
Balancing Guidance vs. Player Initiative
Signs You Might Be Guiding Too Much:
- Players wait for you to suggest their next action
- Choices feel predetermined rather than discovered
- Players ask “what should I do?” more than “can I try…?”
- The story follows your outline rather than emerging from play
Signs You Might Be Guiding Too Little:
- Players seem genuinely confused about their options
- Sessions stall with no one taking action
- Players feel lost rather than challenged
- Technical concepts needed for good decisions aren’t being introduced
Calibration Questions to Ask Yourself:
- Am I asking questions, or giving instructions?
- Are players discovering answers, or being told them?
- Would this group benefit from more structure or more freedom right now?
- Is confusion productive (learning opportunity) or frustrating (needs intervention)?
Different groups need different levels of guidance. New players often appreciate more structure; experienced groups may prefer minimal intervention. Pay attention to what your specific group needs and adjust throughout the session.
The Question Arsenal
Effective facilitation depends on asking the right questions at the right time. This chapter provides a comprehensive toolkit of questions, techniques, and responses for real-time session management.
Universal Discovery Questions
Opening Investigation Questions
These work for any Malmon and expertise level:
- “What’s the first thing that would seem unusual here?”
- “Who in your organization would typically notice these problems first?”
- “What pattern suggests this isn’t a normal technical issue?”
- “Based on your experience, what would worry you most about this situation?”
- “What would be your first instinct when hearing these symptoms?”
- “How would this compare to problems you’ve seen before?”
Evidence Analysis Questions
When players find clues but need to interpret them:
- “What does this evidence tell us about our adversary?”
- “How does this connect to what we found earlier?”
- “What would someone with malicious intent do with this access?”
- “If you were the attacker, what would your next move be?”
- “What’s the significance of the timing here?”
- “What does the sophistication level suggest?”
Pattern Recognition Questions
Help groups connect disparate clues:
- “What’s the common thread between these different findings?”
- “How do these pieces fit together into a single story?”
- “What type of threat typically combines these techniques?”
- “What does the combination of [A] and [B] usually indicate?”
- “If this is all connected, what would that mean?”
Investigation Phase Question Bank
Impact Assessment Questions
For understanding scope and damage:
- “What’s the worst-case scenario if this continues unchecked?”
- “What would be most valuable to an attacker in this environment?”
- “How would this affect your organization’s core mission?”
- “What regulatory or compliance implications are you seeing?”
- “Who would be most affected if this data is compromised?”
- “What systems absolutely cannot be taken offline?”
Technical Deep-Dive Questions
When groups need to explore technical aspects:
- “What tools would help you investigate this further?”
- “How would you typically approach this type of analysis?”
- “What indicators would confirm your suspicions?”
- “What would you need to prove this theory?”
- “How would you test whether [solution] would work?”
- “What’s the technical explanation for what we’re seeing?”
Attack Vector Questions
For understanding how threats succeeded:
- “How might this have gotten past your existing defenses?”
- “What vulnerabilities enabled this attack?”
- “Why would this technique be effective in this environment?”
- “What would have had to happen for this to succeed?”
- “How could this have been prevented?”
- “What assumptions did the attacker make about your environment?”
Response Phase Question Bank
Strategy Development Questions
For coordinating team responses:
- “What’s your biggest constraint in responding to this?”
- “How would you prioritize your response actions?”
- “What could go wrong with this approach?”
- “How do we balance speed with thoroughness?”
- “What resources would you need to implement this?”
- “How would you coordinate this in your real organization?”
Risk Assessment Questions
For evaluating response options:
- “What’s the risk of taking this action versus not taking it?”
- “What collateral damage might this response cause?”
- “How do we minimize disruption while containing the threat?”
- “What happens if this response fails?”
- “How do we maintain business operations during response?”
- “What stakeholders need to be informed about this decision?”
Coordination Questions
For managing team dynamics during crisis:
- “How do your individual actions support the overall strategy?”
- “Who needs to know what, and when?”
- “How do we ensure we’re not working against each other?”
- “What communication is essential versus what creates noise?”
- “How do we track progress across all response activities?”
- “What decisions require team consensus versus individual expertise?”
Managing Group Dynamics
Encouraging Quiet Participants
Direct Engagement Techniques
- Role-specific questions: “As our [role], what’s your perspective on this?”
- Expertise validation: “Given your background in [area], what would you try?”
- Opinion seeking: “What’s your gut feeling about this situation?”
- Experience mining: “Have you seen anything similar in your work?”
Indirect Inclusion Methods
- Turn to neighbor: “Discuss with the person next to you, then we’ll hear thoughts”
- Written first: “Jot down your thoughts, then we’ll share”
- Choice offering: “Here are three options - which appeals to you and why?”
- Build on others: “What would you add to what [name] just said?”
Confidence Building Approaches
- Lower stakes questions: “What questions would you want to ask about this?”
- Common sense focus: “Even without technical expertise, what seems off here?”
- Future thinking: “What would you want to learn more about after this?”
- Validation offering: “That’s exactly the kind of thinking we need”
Managing Dominant Participants
Gentle Redirection Techniques
- Acknowledge then redirect: “That’s valuable insight. Let’s hear other perspectives.”
- Time boxing: “Thanks for that detail. In the interest of time, let’s hear from others.”
- Role switching: “Can you help facilitate input from the rest of the team?”
- Question redirection: “What questions does that raise for others?”
Structural Solutions
- Rotation systems: “Let’s go around and hear one thought from everyone”
- Role assignments: Give dominant participants teaching or coordination roles
- Small groups: Break into pairs or triads for discussion
- Written contributions: Have everyone write thoughts before verbal sharing
Private Conversation Approaches
During natural breaks:
- “Your expertise is really valuable. Can you help me draw out others’ insights too?”
- “I notice you have a lot to contribute. How can we make space for everyone?”
- “Would you mind holding back a bit so we can encourage others to participate?”
NPC Engagement Strategies
Non-player characters (NPCs) - the IT director, the panicking CEO, the helpful helpdesk tech - can bring scenarios to life. How you portray them is entirely up to your comfort level and group preferences.
The NPC Engagement Spectrum
Minimal Approach: NPCs as Information Sources
Simply describe what NPCs communicate without voicing them directly.
“The CIO’s assistant emails that he’s in back-to-back meetings but wants a status update by 3pm. She mentions he’s particularly concerned about customer data.”
Works well when:
- You prefer not to do voices or character acting
- Time is limited and efficiency matters
- The focus should stay on player actions rather than NPC interactions
Moderate Approach: Summarized Dialogue
Paraphrase what NPCs say without fully acting it out.
“The helpdesk tech tells you that three users reported similar issues this morning, all in the marketing department. She seems relieved someone is finally looking into it.”
Works well when:
- You want NPCs to feel present without full performance
- Balancing narrative flow with information delivery
- Players need context but the NPC interaction isn’t the main focus
Full Approach: Voiced Characters
Speak as the NPC, adopting mannerisms or vocal patterns.
“Look, I know you security people have your protocols, but I have a board presentation in two hours. Can you just… make the computer work? Please?”
Works well when:
- You enjoy character performance
- The NPC interaction is a key dramatic moment
- Adding emotional stakes or humor enhances the learning
I give each key NPC a distinct personality and let them react authentically to what players do. In my LockBit scenario, Peter was a cranky managing partner who’d ask things like “Who authorized procurement of this LockBit thing?” - treating the ransomware like a bad purchasing decision. Glen, the IT director, obsessed over metrics: “I need this stuff back up and working. My availability metrics are getting hit hard.”
My favorite moment was Matthew, the stressed M&A lawyer, who muttered “I’m considering cashing out and changing my name” when the situation got worse. Players remembered these NPCs because they felt like real people with real concerns - not just information dispensers.
The key is consistency: Peter stayed cranky, Glen stayed metrics-focused, Matthew stayed anxious. Players started predicting how each would react, which made the world feel real.
Your choice: Go full character if you enjoy acting, or keep NPCs understated if that’s more your style. The personalities don’t require different voices - tone and word choice alone can distinguish characters.
NPCs as Technical Experts
When players lack expertise in an area, NPCs can fill knowledge gaps without breaking immersion.
The Helpful Colleague Pattern: Introduce an NPC who knows what players don’t, and have them share information through natural conversation.
“Your team’s junior analyst, fresh from a threat intelligence course, looks up from her screen. ‘Hey, this signature… I saw something about this threat actor in the morning brief. Want me to pull up what we know about their usual tactics?’”
The Expert Consultant Pattern: Bring in an external expert who can explain concepts players need.
“The DFIR consultant your company keeps on retainer returns your call. She asks what you’re seeing, then says: ‘That behavior pattern - process hollowing combined with DNS tunneling - that’s a specific toolkit. Let me explain what you’re probably dealing with…’”
Key Principle: NPCs providing expertise should feel like natural parts of incident response (which they are - real teams consult specialists), not like the IM lecturing through a puppet.
NPCs for Pressure and Stakes
NPCs make consequences tangible. Abstract “business impact” becomes real when the CFO is worried about payroll.
Creating Time Pressure:
“Your phone buzzes. The Operations VP: ‘The manufacturing floor just reported that three PLCs are behaving erratically. I need to know if we should halt production. That’s a $50,000 per hour decision.’”
Making Stakes Personal:
“The helpdesk supervisor catches you in the hallway. ‘My team is getting hammered with calls. Users are scared - some of them have personal files on those drives. Sarah in accounting is almost in tears. What can I tell them?’”
Adding Political Complexity:
“The head of the department where the breach originated stops by. She’s defensive: ‘My team followed all the procedures. Whatever this is, it’s not our fault.’ You can tell she’s worried about blame falling on her group.”
NPCs for Humor and Relief
Tension relief is valuable - humor helps groups process stress and stay engaged. NPCs can provide lighter moments.
The Clueless Executive:
“The CEO pokes his head in: ‘I heard we have a computer virus. Have you tried turning it off and on again? My grandson says that fixes everything.’”
The Overly Helpful User:
“Marketing sends an email: ‘I noticed my computer was slow so I downloaded a PC cleaner I found online. Hope that helps with the investigation!’”
The Veteran Who’s Seen It All:
“The grizzled IT admin leans back: ‘Ransomware, huh? Back in ’03 we had a worm that took down the whole building. Spent a week rebuilding. You kids have it easy with these fancy backups.’”
Finding Your NPC Style
NPCs are optional tools, not requirements. Some IMs love creating memorable characters; others prefer minimal NPC presence. Some groups enjoy roleplay interactions; others find them distracting.
Start with what feels comfortable and adjust based on group response. A scenario works fine with NPCs as pure information delivery (“the IT director reports…”) or as fully voiced characters. Choose the approach that serves your session best.
Questions to Help You Choose:
- Does this NPC serve a purpose (information, stakes, humor, pacing)?
- Will voicing this character enhance or distract from the learning?
- Is this a key moment worth the performance, or routine information?
- What does this group seem to enjoy?
Building Psychological Safety
Creating Safe Learning Environment
- Normalize uncertainty: “Not knowing is normal in incident response”
- Validate attempts: “Good thinking” even when answers aren’t perfect
- Share your own uncertainty: “I don’t know that either - let’s figure it out together”
- Reframe mistakes: “That’s exactly the kind of question real incident responders ask”
Encouraging Risk-Taking
- Model vulnerability: “I’m not sure about this either”
- Celebrate attempts: “I appreciate you thinking out loud”
- Use hypotheticals: “What if we tried…” instead of “We should…”
- Focus on learning: “What can we learn from this approach?”
Handling Technical Knowledge Gaps
When Nobody Knows the Answer
The Progressive Revelation Technique
Step 1: Simplify the Question
- Original: “How would you detect advanced persistent threats?”
- Simplified: “How would you notice something that’s trying to hide in your network?”
Step 2: Provide Context Clues
“Think about it this way - if someone was living in your house secretly, what might give them away?”
Step 3: Multiple Choice Framework
“Would you be more concerned about: A) New files appearing, B) Unusual network traffic, or C) Strange user behavior?”
Step 4: Collaborative Discovery
“Let’s think through this together. What would be the signs?”
Step 5: Direct Teaching (Last Resort)
“This is a great learning moment. Security professionals typically look for…”
Common Sense Bridge Technique
- Start with logic: “Using common sense, what would worry you?”
- Use analogies: “This is like [familiar situation]”
- Focus on impact: “What would be the business consequences?”
- Ask about feelings: “What makes you uncomfortable about this situation?”
When Information is Incorrect
Gentle Correction Methods
- Question back: “Can you walk me through that reasoning?”
- Seek clarification: “Help me understand how that would work”
- Offer alternatives: “What about this other possibility?”
- Group validation: “What do others think about that approach?”
Learning from Errors
- Explore the thinking: “That’s interesting logic - let’s see where it leads”
- Compare approaches: “How does that compare to [alternative]?”
- Real-world check: “How would that work in your actual environment?”
- Use as teaching moment: “This highlights an important distinction…”
Bridging Expertise Gaps
Expert-to-Beginner Translation
When experts use complex terminology:
- “Can you explain that in terms [beginner] would understand?”
- “What’s the business impact of what you just described?”
- “How would you explain that to your CEO?”
- “What’s the simple version of that concept?”
Encouraging Peer Teaching
- “[Expert], can you help the team understand [concept]?”
- “Who here can break down what [complex thing] means?”
- “Let’s have [expert] teach us about [topic]”
- “Can someone translate that technical detail for the group?”
Reading the Room and Adapting
Energy Level Assessment
High Engagement Indicators
- Active discussion and debate
- Building on each other’s ideas
- Asking clarifying questions
- Leaning forward, eye contact
- Time seems to pass quickly
Response: Maintain pace, dive deeper into technical details, encourage debate
Medium Engagement Indicators
- Some participation with prompting
- Polite attention but limited initiative
- Following along but not contributing
- Checking time occasionally
Response: Inject urgency, ask direct questions, change pace or approach
Low Engagement Indicators
- Minimal response to questions
- Checking phones or laptops
- Side conversations
- Slumped posture, wandering attention
- Frequent time checking
Response: Emergency engagement protocols, break activity, refocus on stakes
Adaptive Difficulty Management
Increasing Difficulty Mid-Session
When the group advances quickly:
- Add complexity to scenarios
- Introduce multiple attack vectors
- Explore advanced techniques
- Challenge assumptions
- Add time pressure
Decreasing Difficulty Mid-Session
When the group struggles:
- Simplify terminology
- Provide more guidance
- Focus on core concepts
- Use more analogies
- Reduce scope
Real-Time Assessment Questions
- “How are we doing on complexity level?”
- “Should we dive deeper or move on?”
- “Is this hitting the right level of challenge?”
- “What would be most valuable to explore further?”
Cultural and Communication Adaptation
Diverse Group Management
- Check understanding: “Does this make sense to everyone?”
- Invite perspectives: “How would this work in your organization/country?”
- Cultural sensitivity: Be aware of different communication styles
- Language barriers: Use simple, clear language and check comprehension
Mixed Experience Levels
- Expert involvement: “Can you help others understand this concept?”
- Beginner inclusion: “What questions does this raise for you?”
- Experience sharing: “Who’s dealt with something similar?”
- Learning partnerships: Pair experts with beginners
Advanced Facilitation Techniques
Building Dramatic Tension
Escalation Techniques
- Time pressure: “You have 10 minutes before the attack spreads”
- Stakes raising: “Customer data is being stolen right now”
- Complication introduction: “Just as you think you have it contained…”
- Choice consequences: “This decision will determine whether…”
Suspense Building
- Cliffhanger moments: End phases with unresolved tension
- Gradual revelation: Release information piece by piece
- Multiple threats: Suggest additional hidden dangers
- Personal stakes: Connect to character motivations
Improvisation and Adaptation
When Scenarios Go Sideways
- Follow player interest: Their direction often leads to better learning
- Incorporate unexpected elements: Use player contributions to evolve scenario
- Maintain core objectives: Guide back to key learning goals
- Document insights: Capture unexpected discoveries for future sessions
Creative Problem-Solving Encouragement
- “Yes, and…”: Build on creative suggestions
- “What if…”: Explore unconventional approaches
- Challenge assumptions: “What if the obvious answer is wrong?”
- Encourage experimentation: “Let’s try that and see what happens”
Seamless Transition Management
Between Phases
- Energy maintenance: Keep momentum between rounds
- Clear objectives: Make new goals explicit
- Stakes evolution: Escalate tension appropriately
- Progress acknowledgment: Celebrate discoveries and progress
Between Activities
- Smooth handoffs: Connect current activity to next
- Participation shifts: Ensure everyone stays engaged
- Focus management: Help group shift attention smoothly
- Time awareness: Keep group informed of schedule
Emergency Facilitation Protocols
When Groups Get Completely Stuck
Circuit Breaker Techniques
- Change perspective: “Let’s approach this from a different angle”
- Lower stakes: “What if resources were unlimited?”
- Role switch: “What would [different role] do here?”
- Break it down: “What’s the simplest first step?”
Reset Strategies
- Step back: “Let’s recap what we know for certain”
- Refocus: “What’s the most important thing to figure out right now?”
- Simplify: “If you had to pick just one action, what would it be?”
- Time jump: “Fast forward - what does success look like?”
When Conflict Arises
Technical Disagreements
- Acknowledge both sides: “Both approaches have merit”
- Focus on context: “In our specific situation, which would work better?”
- Use constraints: “Given our time/resource limits, what’s most practical?”
- Learn from disagreement: “This is exactly what real teams debate”
Personality Conflicts
- Redirect to task: “Let’s focus on solving the incident”
- Acknowledge emotions: “I can see this is important to both of you”
- Use roles: “From your role perspective, what would you recommend?”
- Private intervention: Brief sidebar conversations if needed
When Technology Fails
Backup Facilitation Methods
- Paper alternatives: Have analog versions of all digital tools
- Verbal tracking: Use group memory for status tracking
- Whiteboard substitution: Visual tools for complex scenarios
- Continue regardless: Don’t let technology stop learning
Success Indicators and Troubleshooting
Session Success Metrics
Engagement Indicators
Learning Indicators
Common Problems and Solutions
Problem: Group Won’t Engage
Solutions:
- Lower stakes questions
- Direct individual attention
- Change physical arrangement
- Inject urgency or humor
- Break into smaller groups
Problem: Too Much Technical Detail
Solutions:
- Redirect to big picture
- Ask about business impact
- Use time pressure to prioritize
- Focus on decisions rather than details
- Acknowledge expertise but maintain pace
Problem: Not Enough Technical Depth
Solutions:
- Ask follow-up questions
- Encourage expert elaboration
- Dive into specific techniques
- Explore alternative approaches
- Connect to real-world tools and methods
Problem: Time Management Issues
Solutions:
- Flexible scenario adaptation
- Priority-based decision making
- Efficient transition techniques
- Strategic time allocation
- Emergency pacing protocols
Implementing Degrees of Success
The degrees of success framework provides sophisticated outcome resolution that creates more engaging and realistic incident response scenarios than simple success/failure mechanics.
Understanding the Four Degrees
Critical Success (Natural 20 or exceeds target by 8+)
When to Award:
- Player demonstrates exceptional cybersecurity knowledge
- Creative solution that addresses multiple problems simultaneously
- Team coordination that elevates everyone’s contribution
- Real-world expertise that enhances the scenario’s authenticity
How to Narrate:
- “Not only does your analysis identify the malware family, but you also recognize the specific campaign and can predict the attacker’s next moves…”
- “Your network isolation is so well-executed that it actually improves your overall security posture…”
- “Your communication is so clear that it aligns the entire organization behind the response effort…”
Additional Benefits to Consider:
- Bonus information about threat actor tactics
- Enhanced team coordination for the next round
- Reduced time pressure or evolution risk
- Improved Network Security Status beyond normal success
Full Success (Meets or beats target)
When to Award:
- Standard professional competence with appropriate tools and knowledge
- Good teamwork that achieves stated objectives
- Realistic approach that would work in actual incident response
- Demonstration of cybersecurity best practices
How to Narrate:
- “Your forensic analysis confirms the malware type and provides the evidence you need…”
- “The containment measures successfully isolate the affected systems…”
- “Your stakeholder communication keeps leadership informed and supportive…”
Standard Outcomes:
- Action achieves its intended purpose
- Team progresses toward resolution
- No complications from the action itself
- Network Security Status changes as expected
Partial Success (1-3 points below target)
Most Important for Learning:
Partial successes create the most educational moments because they simulate real-world incident response complexity.
When to Award:
- Approach is sound but execution has minor issues
- External factors complicate otherwise good decisions
- Time pressure forces trade-offs between competing priorities
- Resource constraints limit optimal solutions
How to Narrate:
- “Your network monitoring detects the malware’s communication, but the traffic is encrypted and you can only see connection patterns…”
- “The executive briefing goes well, but the CFO raises budget concerns that could complicate your response…”
- “You successfully contain the threat on most systems, but one critical database server remains accessible to avoid disrupting operations…”
Creating Follow-Up Opportunities:
- Partial success should lead to additional actions or choices
- Give players options for how to address complications
- Use partial outcomes to generate team discussion about priorities
- Connect complications to real incident response challenges
Example Partial Success Complications:
- Technical: Solution works but creates new vulnerabilities or monitoring gaps
- Organizational: Action succeeds but creates political or business complications
- Temporal: Success achieved but takes longer than expected, increasing evolution risk
- Resource: Solution works but consumes more budget/personnel than planned
Failure (4+ points below target)
Educational Approach to Failure: Frame failures as learning opportunities rather than narrative dead ends.
When to Award:
- Approach demonstrates fundamental misunderstanding
- Action attempts something beyond current capabilities
- Dice result represents environmental factors beyond player control
- Teaching moment about incident response limitations
How to Narrate Constructively:
- “The malware proves more sophisticated than expected - your standard analysis tools aren’t revealing its full capabilities…”
- “The containment attempt fails when you discover the threat has already established persistence mechanisms you hadn’t detected…”
- “Your communication with legal raises additional compliance concerns that complicate the response timeline…”
Turning Failure into Learning:
- Ask: “What does this tell us about the threat we’re dealing with?”
- Explore: “How might you approach this differently with what you now know?”
- Connect: “What would this failure teach you for future incidents?”
Advanced Facilitation with Degrees of Success
Building Narrative Tension
Use degrees of success to create escalating scenarios:
- Early Critical Successes: Build team confidence and establish threat baseline
- Mid-Session Partial Successes: Introduce complications that require adaptation
- Climax Moments: High-stakes rolls where degrees of success dramatically affect outcomes
- Resolution: Mix outcomes that show both victories and lessons learned
Balancing Player Agency with Realism
Player Expertise Should Matter More Than Dice:
- Award automatic success for clearly demonstrated cybersecurity knowledge
- Use critical success to reward creative applications of real-world experience
- Reserve failure for situations where external factors create genuine obstacles
Environmental Factors:
- Partial successes often represent organizational or technical constraints
- Failures can represent adversary sophistication or environmental complexity
- Critical successes can overcome constraints through exceptional expertise
Managing Degrees Across Team Actions
Individual Actions:
- Degrees apply to each player’s specific contribution
- Multiple partial successes can combine into team full success
- Individual critical success can inspire team bonuses
Collaborative Actions:
- Team coordination affects the baseline difficulty
- Multiple players working together can shift failure to partial success
- Excellent teamwork should enable critical successes more frequently
Pacing and Story Flow
Early Phase (Discovery):
- Favor partial successes that reveal information gradually
- Use failures to highlight threat sophistication
- Critical successes provide breakthrough moments
Middle Phase (Investigation):
- Mix outcomes to create realistic investigation complexity
- Partial successes maintain momentum while adding complications
- Failures represent dead ends that require new approaches
Final Phase (Response):
- Higher success rates as the team applies accumulated knowledge
- Critical successes represent excellent execution of a well-planned response
- Failures have higher stakes but clearer learning outcomes
Practical Application Examples
Investigation Action Example
Player Action: “I want to analyze the network logs to understand how the malware spreads”
Critical Success: “Your log analysis not only traces the malware’s lateral movement but reveals it’s using a previously unknown exploitation technique. You gain insight into both its current scope AND its future targets.”
Full Success: “The log analysis shows clear patterns of lateral movement through compromised credentials. You can map the affected systems and understand the timeline.”
Partial Success: “You identify signs of lateral movement, but the logs have gaps during shift changes. You understand the general pattern but need additional investigation to get complete visibility.”
Failure: “The logs show suspicious activity, but without understanding the malware’s specific techniques, you can’t distinguish its traffic from legitimate administrative activity. You need a different approach.”
Communication Action Example
Player Action: “I’ll brief the executive team on our response progress and resource needs”
Critical Success: “Your briefing not only secures the resources you need but also gets executive commitment to implement the security improvements you’ve identified. Leadership becomes champions of the response effort.”
Full Success: “The executives understand the situation and approve your resource requests. They’ll handle communication with customers and regulators as needed.”
Partial Success: “Leadership approves most of your requests but wants to minimize operational disruption. You get the resources but with constraints on how disruptive your response can be.”
Failure: “The briefing raises more concerns than it answers. Leadership wants additional consultants involved and more detailed impact assessments before approving significant resources.”
Scenario Card Preparation Method
The 5-Minute Scenario Card Prep
Most experienced IMs can prepare for any session using scenario cards in just 5 minutes:
Minute 1: Card Selection (60 seconds)
- Choose based on group expertise and industry context
- Quick scan: Hook, Pressure, NPCs, Secrets, Villain Plan
Minute 2: NPC Motivation Review (60 seconds)
- Identify primary stakeholder (IT Director, Hospital CIO, etc.)
- Understand their immediate concerns and constraints
- Note competing priorities and pressure sources
Minute 3: Hook Internalization (60 seconds)
- Understand WHY this attack is happening NOW
- Connect to realistic business pressures and deadlines
- Prepare opening hook: “Organization X is 72 hours from critical deadline Y…”
Minute 4: Pressure Timeline Review (60 seconds)
- Understand business deadline and consequences
- Map escalation stages if threat evolves
- Balance urgency with realistic response time
Minute 5: Question Preparation (60 seconds)
- Prepare context-driven discovery questions
- Focus on stakeholder perspectives: “What would worry you most?”
- Trust the scenario card details; facilitate discovery rather than lecturing
Why Scenario Cards Work
Rich Context Pre-Built:
- Organizational situations participants recognize professionally
- Authentic business constraints and stakeholder pressures
- Realistic technical vulnerabilities and attack progression
95% Content Reuse:
- Core technical content identical across scenarios
- Only organizational details change (company names, deadlines, NPCs)
- Allows focus on facilitation rather than content generation
Professional Authenticity:
- Industry-specific pressure situations
- Realistic stakeholder dynamics and competing priorities
- Natural investigation starting points and discovery paths
Key Principle: Scenario cards contain everything needed. Your job is facilitation, not expertise demonstration.
The key to practical facilitation is building a toolkit of responses that become automatic, allowing you to focus on reading the group and adapting to their needs in real time.