Session Management

The Art of Orchestrating Collaborative Learning

Effective session management balances structure with flexibility, ensuring that learning objectives are met while adapting to the unique dynamics and expertise of each group. Your role is to create and maintain an environment where collaborative discovery can flourish.

Pre-Session Setup

Essential Preparation

Digital Resources:

  • Reference Materials: Type effectiveness chart, role descriptions, emergency protocols
  • Backup Plans: Printed materials in case of technology failure
  • Time Management: Visible timer or clock for phase management
  • Documentation Tools: Capture insights and lessons learned

Group Assessment and Adaptation

Rapid Expertise Assessment:

As participants arrive, gather information about their backgrounds:

  • “What brings you here today?”
  • “What’s your experience level with incident response?”
  • “Are there specific learning goals you hope to achieve?”
  • “Any particular cybersecurity challenges you’re facing at work?”

Adaptation Indicators:

  • High Expertise Group: Focus on complex scenarios, advanced concepts, innovation opportunities
  • Mixed Expertise Group: Leverage peer teaching, emphasize collaboration over individual performance
  • Low Expertise Group: Emphasize concept learning, provide more guidance and structure
  • Organizational Team: Connect learning to specific workplace challenges and opportunities

Opening and Character Creation

Creating Psychological Safety

Set Collaborative Expectations:

  • “This is a learning environment where questions and mistakes are valuable.”
  • “Everyone brings knowledge and perspective that contributes to our collective understanding.”
  • “We succeed as a team, not as individuals competing against each other.”
  • “The goal is learning together, not demonstrating expertise or getting everything right.”

Address Common Concerns:

  • “You don’t need to be a cybersecurity expert to contribute meaningfully.”
  • “Technical knowledge helps, but problem-solving and collaboration skills are equally valuable.”
  • “We’ll learn from each other’s experience and perspectives throughout the session.”

Skills Discovery and Role Assignment

Structured Sharing Process:

Have each participant briefly share (45 seconds each):

  • Name and background
  • Connection to cybersecurity (professional, academic, personal interest)
  • One thing they know about computers, security, or technology
  • What they hope to learn or contribute

Collaborative Role Selection: Based on interests and team needs:

  • “Based on what everyone shared, let’s think about how to build a strong incident response team.”
  • “Which roles appeal to you based on your interests and experience?”
  • “How can we ensure all key perspectives are represented?”
  • “Remember, roles are starting points - your expertise can contribute across all areas.”

Character Development

Individual Reflection: Participants develop their character using prompts:

  • Keep your real first name
  • Build a personality around your chosen role
  • Think about what motivates your character
  • Consider how your real experience informs your character

Brief Introductions: Each participant introduces their character in 20-30 seconds:

  • Name and role
  • One character trait or quirk
  • What drives them to protect their organization
  • How they approach cybersecurity challenges

Round Management

Discovery Phase Management

Phase Introduction:

  • Present initial symptoms clearly and concisely
  • Establish the learning objective: identify the specific threat
  • Remind team of available time and individual action allocation
  • Encourage role-based investigation approaches

Individual Investigation:
Your Role During This Time:

  • Circulate and Listen: Move around table, listen to discussions, gauge engagement
  • Ask Clarifying Questions: Help participants think through their role’s perspective
  • Provide Guidance When Stuck: Offer gentle prompts without providing answers
  • Monitor Time: Give time warnings as needed but focus on learning; you don’t want to break off an engaging conversation where everybody partakes and learn just for the mere sake of progress.

Effective Circulation Questions:

  • “What would someone in your role typically investigate first?”
  • “What patterns or anomalies stand out to you?”
  • “How would you approach this if it happened at your organization?”
  • “What questions would your role ask about these symptoms?”

Knowledge Sharing:
Facilitate Structured Sharing:

  • Go around table, giving each role 90 seconds to share findings
  • Ask follow-up questions that connect different perspectives
  • Help team see patterns and connections across different investigations
  • Build toward collective understanding without forcing conclusions

Effective Facilitation Questions:

  • “How do these different findings connect?”
  • “What patterns emerge when we look at all perspectives together?”
  • “What questions remain after hearing everyone’s investigation?”
  • “What type of threat explains all these different symptoms?”

Malmon Identification: Guide Collaborative Conclusion:

  • Help team synthesize their investigations into threat identification
  • Validate their reasoning and analysis process
  • Reveal Malmon card and confirm their assessment
  • Briefly discuss type effectiveness and what it means for response

Investigation Phase Management

Phase Transition:

  • Acknowledge successful discovery work
  • Present evolution pressure or additional complications
  • Establish phase objective: understand scope and plan response
  • Maintain urgency while allowing thorough analysis

Impact Assessment: Key Areas to Explore:

  • What systems and data are affected or at risk?
  • How has the attack progressed since initial compromise?
  • What are the business and operational implications?
  • What vulnerabilities enabled this attack to succeed?

Facilitation Focus:

  • Keep discussions tied to actionable intelligence
  • Help team balance thoroughness with time pressure
  • Connect technical findings to business impact
  • Encourage cross-role collaboration and information sharing

Attack Vector Analysis: Guide Deeper Understanding:

  • How did the attack succeed initially?
  • What would have prevented this compromise?
  • What does this reveal about organizational security posture?
  • How might similar attacks be prevented in the future?

Evolution Assessment: Create Urgency for Response:

  • Present signs of potential threat evolution or escalation
  • Help team understand time pressure for effective response
  • Connect investigation findings to response strategy needs
  • Transition focus from understanding to action planning

Response Phase Management

Strategy Development: Facilitate Collaborative Planning:

  • Help team choose approaches based on Malmon type effectiveness
  • Encourage role-based contribution to strategy development
  • Address resource constraints and organizational realities
  • Build consensus around coordinated response approach

Key Questions:

  • “Given what we know about this threat type, what approaches would be most effective?”
  • “How would you coordinate different response activities?”
  • “What could go wrong with this approach, and how would you address those risks?”
  • “How does this response strategy address both immediate threats and long-term prevention?”

Implementation:
Manage Action Resolution:

  • Help team execute their strategy through role-based actions
  • Use dice mechanics when outcomes are uncertain
  • Apply type effectiveness bonuses and penalties appropriately
  • Maintain tension while rewarding good collaboration and planning

Resolution:
Wrap Up the Incident:

  • Determine final outcome based on team performance and decisions
  • Acknowledge effective strategies and collaboration
  • Connect results to learning objectives and real-world applications
  • Set up post-session reflection and documentation

Time Management Strategies

When Phases Run Long

Early Intervention:

  • “We are almost out of time for this phase - what’s our key priority?”
  • “Let’s focus on the most important decision we need to make.”
  • “What’s the essential information we need before moving to the next phase?”

Late Intervention:

  • “Time to wrap up - what’s our main conclusion?”
  • “What’s the most important takeaway from this phase?”
  • “We’ll carry forward [key insight] as we move to the next phase.”

When Phases Run Short

Depth Questions:

  • “What might we be missing if we move too quickly?”
  • “What are the implications of this decision?”
  • “How would different approaches change our outcomes?”
  • “What would worry you most about our current understanding?”

Extension Activities:

  • Cross-role consultation and knowledge sharing
  • Alternative scenario exploration
  • Strategic thinking about prevention and improvement
  • Connection to real-world organizational challenges

Energy and Engagement Management

Maintaining High Energy

Technique Rotation:

  • Discussion: Collaborative problem-solving and knowledge sharing
  • Action: Individual investigation and strategy implementation
  • Reflection: Analysis of decisions and learning capture
  • Movement: Physical position changes, role consultations

Engagement Indicators:

  • Active participation from all roles
  • Building on each other’s contributions
  • Questions and curiosity about the scenario
  • Connection to real-world experience and challenges

Addressing Low Energy

Immediate Interventions:

  • “What’s at stake if we don’t solve this problem?”
  • “How would you explain the urgency to your organization’s leadership?”
  • “What would make this attack particularly dangerous?”
  • Brief physical movement or position change

Systemic Adjustments:

  • Reduce complexity and focus on core learning objectives
  • Increase role-based structure and guidance
  • Add collaborative elements and team consultation
  • Connect more directly to participants’ real-world experience

Managing Different Group Types

High-Expertise Groups

Characteristics: Deep technical knowledge, may find scenarios too simple
Management Approach:

  • Add complexity and advanced concepts
  • Focus on innovation and technique development
  • Encourage mentoring and knowledge sharing
  • Connect to cutting-edge threats and responses

Effective Questions:

  • “What additional complications might arise in real incidents?”
  • “How would you improve on standard response approaches?”
  • “What would you do differently based on your experience?”
  • “How would you teach this concept to less experienced colleagues?”

Mixed-Experience Groups

Characteristics: Varying levels of technical knowledge and experience
Management Approach:

  • Facilitate peer teaching and learning
  • Ensure all participants can contribute meaningfully
  • Balance technical depth with accessible concepts
  • Use experienced participants as teaching resources

Effective Questions:

  • “How would you explain this to someone new to cybersecurity?”
  • “What questions would someone without technical background ask?”
  • “How do different experience levels contribute to understanding this threat?”
  • “What can we learn from each other’s different perspectives?”

Low-Experience Groups

Characteristics: Limited cybersecurity background, may feel intimidated
Management Approach:

  • Emphasize concept learning over technical details
  • Provide more structure and guidance
  • Celebrate insights and logical thinking
  • Connect to everyday technology experience

Effective Questions:

  • “What would common sense suggest in this situation?”
  • “How is this similar to technology problems you’ve encountered?”
  • “What would worry you if this happened to your personal computer?”
  • “What questions would you ask if you were responsible for fixing this?”

Organizational Teams

Characteristics: Work together regularly, want applicable insights
Management Approach:

  • Connect learning directly to organizational challenges
  • Address specific workplace constraints and opportunities
  • Encourage discussion of implementation and application
  • Support team development and relationship building

Effective Questions:

  • “How would this scenario play out in your specific environment?”
  • “What organizational factors would help or hinder this response?”
  • “How could you apply these insights to improve your current security posture?”
  • “What would you need to implement these approaches at work?”

Recognizing Natural Endings

Knowing when to end a session - or a round within a session - is as important as knowing how to run one. The best endings feel earned and satisfying, not arbitrary.

Decision Resolution vs. Time Limits

Ending on Resolution: The most satisfying session endings come when the team reaches a natural conclusion - the threat is contained, the crisis is resolved, or a clear decision point has been reached.

“Your coordinated response has neutralized the threat. The malware is contained, systems are being restored, and leadership has what they need for the regulatory notification. This feels like a natural place to wrap up.”

When Resolution-Based Endings Work:

  • The team has achieved their primary objective
  • A major decision has been made and implemented
  • The story has reached a clear climax and resolution
  • Energy is high and ending now preserves that energy
TipFrom Joe: Ending on the Big Decision

I ended my LockBit session when the team reached the “pay ransom or not” decision point—even though we had time remaining. I read the table and decided to move the plot forward to keep everyone engaged—even though it meant shortening the scenario. In this case the investigation was complete, they understood the threat, and now they faced the genuinely hard choice that real incident responders face: pay the criminals and maybe get your data back, or refuse on principle and accept the losses.

That decision point was the emotional peak. Continuing past it would have diluted the impact. The team debated intensely, consulted their “legal counsel” NPC, and ultimately decided. That moment—the weight of the decision—was more valuable than any additional gameplay.

Your choice: End on decision points if your group enjoys moral complexity, or push through to full resolution if they want closure. Both approaches are valid.

Time-Based Endings: Sometimes external constraints (room bookings, lunch breaks, participant schedules) require ending at a specific time regardless of story state.

Making Time-Based Endings Satisfying:

  • Give a 10-minute warning: “We need to wrap up in 10 minutes. What’s the most important thing to accomplish?”
  • Find a mini-resolution: “Let’s bring this round to a close. What’s the team’s current status and plan?”
  • Frame as cliffhanger: “The containment is in progress but not complete. If this were a real incident, you’d be handing off to the night shift right about now…”

Reading the Room for Ending Signals

Signs the Group is Ready to End:

  • The main challenge has been resolved and energy is winding down
  • Players are satisfied with their outcome (even if imperfect)
  • Continuing would require introducing new complications that feel forced
  • The learning objectives for the session have been achieved
  • Players begin asking “what happens next?” in wrap-up tone rather than investigative tone

Signs to Keep Going:

  • Players are highly engaged and want to see consequences play out
  • A cliffhanger would feel frustrating rather than exciting
  • Important learning moments are emerging from the discussion
  • The team is on the verge of a breakthrough they’ll be satisfied completing

Flexibility in Round Structure

The three-round structure (Discovery → Investigation → Response) is a guide, not a prison. Adapt timing based on what serves learning and engagement.

Extending a Round: If Discovery is generating excellent discussion and learning, don’t cut it short just to maintain schedule.

“This investigation is really productive. Let’s spend another 10 minutes here before moving to Response. We can adjust the final round accordingly.”

Compressing a Round: If the team quickly achieves a round’s objectives, move on rather than padding time.

“You’ve clearly identified the threat and understand its capabilities. Let’s move straight into planning your response.”

Merging Rounds: Sometimes Investigation and Response naturally blend together. That’s fine.

“As you investigate, you’re already taking containment actions. Let’s handle this organically rather than forcing a hard break between phases.”

Skipping Rounds: For short sessions or experienced groups, you might skip directly to the interesting part.

“Given our time today, let’s assume your team has already identified this as [threat]. We’ll pick up at the response planning stage.”

NoteReader Choice

Session structure should serve learning, not the other way around. If strict adherence to three rounds isn’t working for your group, adapt. Some groups prefer longer, deeper Investigation phases; others want to jump quickly to Response. Follow the energy and learning rather than the formula.

Ending Techniques

The Satisfying Close: Acknowledge what the team accomplished and connect it to learning.

“You successfully contained a sophisticated threat through excellent coordination. The Tracker’s network monitoring, combined with the Detective’s forensic analysis, gave the Protector exactly what they needed. That’s how real incident response works.”

The Cliffhanger: End with unresolved tension that makes players want to continue.

“The immediate threat is contained, but the Detective just found evidence this was part of a larger campaign. There may be other organizations being hit right now. We’ll have to pick this up next time…”

The Reflection: End by turning the lens back on learning.

“Before we wrap up - what surprised you about how this incident unfolded? What would you do differently if you faced something similar in real life?”

The Handoff: Frame the ending as a shift change in the story.

“It’s been 14 hours since the first alert. Your shift is ending, and the overnight team is arriving. As you brief them, what are the three most important things they need to know?”

Post-Session Wrap-Up (5 minutes)

Learning Capture

Structured Reflection:

  • What surprised you most about this scenario?
  • Which response techniques were most effective?
  • How does this connect to your real-world experience?
  • What would you do differently in a similar situation?

MalDex Documentation:

  • Key insights about the Malmon’s behavior and weaknesses
  • Effective response strategies discovered during the session
  • Lessons learned about team coordination and collaboration
  • Recommendations for other teams facing similar threats

Community Connection

Next Steps:

  • Information about additional learning opportunities
  • Connection to local cybersecurity communities
  • Resources for continued skill development
  • Opportunities to contribute to community knowledge

Feedback Collection:

  • What worked well in this session?
  • What could be improved for future sessions?
  • Interest in additional scenarios or advanced challenges
  • Suggestions for community development and growth

Remember: Effective session management creates the conditions for collaborative learning while adapting to the unique needs and dynamics of each group. Focus on maintaining engagement, ensuring meaningful participation from all roles, and connecting learning to real-world applications and challenges.