Session Management

The Art of Orchestrating Collaborative Learning

Effective session management balances structure with flexibility, ensuring that learning objectives are met while adapting to the unique dynamics and expertise of each group. Your role is to create and maintain an environment where collaborative discovery can flourish.

Pre-Session Setup

Essential Preparation

Digital Resources:

  • Reference Materials: Type effectiveness chart, role descriptions, emergency protocols
  • Backup Plans: Printed materials in case of technology failure
  • Time Management: Visible timer or clock for phase management
  • Documentation Tools: Capture insights and lessons learned

Group Assessment and Adaptation

Rapid Expertise Assessment:

As participants arrive, gather information about their backgrounds:

  • “What brings you here today?”
  • “What’s your experience level with incident response?”
  • “Are there specific learning goals you hope to achieve?”
  • “Any particular cybersecurity challenges you’re facing at work?”

Adaptation Indicators:

  • High Expertise Group: Focus on complex scenarios, advanced concepts, innovation opportunities
  • Mixed Expertise Group: Leverage peer teaching, emphasize collaboration over individual performance
  • Low Expertise Group: Emphasize concept learning, provide more guidance and structure
  • Organizational Team: Connect learning to specific workplace challenges and opportunities

Opening and Character Creation

Creating Psychological Safety

Set Collaborative Expectations:

  • “This is a learning environment where questions and mistakes are valuable.”
  • “Everyone brings knowledge and perspective that contributes to our collective understanding.”
  • “We succeed as a team, not as individuals competing against each other.”
  • “The goal is learning together, not demonstrating expertise or getting everything right.”

Address Common Concerns:

  • “You don’t need to be a cybersecurity expert to contribute meaningfully.”
  • “Technical knowledge helps, but problem-solving and collaboration skills are equally valuable.”
  • “We’ll learn from each other’s experience and perspectives throughout the session.”

Skills Discovery and Role Assignment

Structured Sharing Process:

Have each participant briefly share (45 seconds each):

  • Name and background
  • Connection to cybersecurity (professional, academic, personal interest)
  • One thing they know about computers, security, or technology
  • What they hope to learn or contribute

Collaborative Role Selection: Based on interests and team needs:

  • “Based on what everyone shared, let’s think about how to build a strong incident response team.”
  • “Which roles appeal to you based on your interests and experience?”
  • “How can we ensure all key perspectives are represented?”
  • “Remember, roles are starting points - your expertise can contribute across all areas.”

Character Development

Individual Reflection: Participants develop their character using prompts:

  • Keep your real first name
  • Build a personality around your chosen role
  • Think about what motivates your character
  • Consider how your real experience informs your character

Brief Introductions: Each participant introduces their character in 20-30 seconds:

  • Name and role
  • One character trait or quirk
  • What drives them to protect their organization
  • How they approach cybersecurity challenges

Round Management

Discovery Phase Management

Phase Introduction:

  • Present initial symptoms clearly and concisely
  • Establish the learning objective: identify the specific threat
  • Remind team of available time and individual action allocation
  • Encourage role-based investigation approaches

Individual Investigation: Your Role During This Time:

  • Circulate and Listen: Move around table, listen to discussions, gauge engagement
  • Ask Clarifying Questions: Help participants think through their role’s perspective
  • Provide Guidance When Stuck: Offer gentle prompts without providing answers
  • Monitor Time: Give time warnings as needed but focus on learning; you don’t want to break off an engaging conversation in which everybody is participating and learning merely for the sake of progress.

Effective Circulation Questions:

  • “What would someone in your role typically investigate first?”
  • “What patterns or anomalies stand out to you?”
  • “How would you approach this if it happened at your organization?”
  • “What questions would your role ask about these symptoms?”

Knowledge Sharing: Facilitate Structured Sharing:

  • Go around table, giving each role 90 seconds to share findings
  • Ask follow-up questions that connect different perspectives
  • Help team see patterns and connections across different investigations
  • Build toward collective understanding without forcing conclusions

Effective Facilitation Questions:

  • “How do these different findings connect?”
  • “What patterns emerge when we look at all perspectives together?”
  • “What questions remain after hearing everyone’s investigation?”
  • “What type of threat explains all these different symptoms?”

Malmon Identification: Guide Collaborative Conclusion:

  • Help team synthesize their investigations into threat identification
  • Validate their reasoning and analysis process
  • Reveal Malmon card and confirm their assessment
  • Briefly discuss type effectiveness and what it means for response

Investigation Phase Management

Phase Transition:

  • Acknowledge successful discovery work
  • Present evolution pressure or additional complications
  • Establish phase objective: understand scope and plan response
  • Maintain urgency while allowing thorough analysis

Impact Assessment: Key Areas to Explore:

  • What systems and data are affected or at risk?
  • How has the attack progressed since initial compromise?
  • What are the business and operational implications?
  • What vulnerabilities enabled this attack to succeed?

Facilitation Focus:

  • Keep discussions tied to actionable intelligence
  • Help team balance thoroughness with time pressure
  • Connect technical findings to business impact
  • Encourage cross-role collaboration and information sharing

Attack Vector Analysis: Guide Deeper Understanding:

  • How did the attack succeed initially?
  • What would have prevented this compromise?
  • What does this reveal about organizational security posture?
  • How might similar attacks be prevented in the future?

Evolution Assessment: Create Urgency for Response:

  • Present signs of potential threat evolution or escalation
  • Help team understand time pressure for effective response
  • Connect investigation findings to response strategy needs
  • Transition focus from understanding to action planning

Response Phase Management

Strategy Development: Facilitate Collaborative Planning:

  • Help team choose approaches based on Malmon type effectiveness
  • Encourage role-based contribution to strategy development
  • Address resource constraints and organizational realities
  • Build consensus around coordinated response approach

Key Questions:

  • “Given what we know about this threat type, what approaches would be most effective?”
  • “How would you coordinate different response activities?”
  • “What could go wrong with this approach, and how would you address those risks?”
  • “How does this response strategy address both immediate threats and long-term prevention?”

Implementation: Manage Action Resolution:

  • Help team execute their strategy through role-based actions
  • Use dice mechanics when outcomes are uncertain
  • Apply type effectiveness bonuses and penalties appropriately
  • Maintain tension while rewarding good collaboration and planning

Resolution: Wrap Up the Incident:

  • Determine final outcome based on team performance and decisions
  • Acknowledge effective strategies and collaboration
  • Connect results to learning objectives and real-world applications
  • Set up post-session reflection and documentation

Time Management Strategies

When Phases Run Long

Early Intervention:

  • “We are almost out of time for this phase - what’s our key priority?”
  • “Let’s focus on the most important decision we need to make.”
  • “What’s the essential information we need before moving to the next phase?”

Late Intervention:

  • “Time to wrap up - what’s our main conclusion?”
  • “What’s the most important takeaway from this phase?”
  • “We’ll carry forward [key insight] as we move to the next phase.”

When Phases Run Short

Depth Questions:

  • “What might we be missing if we move too quickly?”
  • “What are the implications of this decision?”
  • “How would different approaches change our outcomes?”
  • “What would worry you most about our current understanding?”

Extension Activities:

  • Cross-role consultation and knowledge sharing
  • Alternative scenario exploration
  • Strategic thinking about prevention and improvement
  • Connection to real-world organizational challenges

Energy and Engagement Management

Maintaining High Energy

Technique Rotation:

  • Discussion: Collaborative problem-solving and knowledge sharing
  • Action: Individual investigation and strategy implementation
  • Reflection: Analysis of decisions and learning capture
  • Movement: Physical position changes, role consultations

Engagement Indicators:

  • Active participation from all roles
  • Building on each other’s contributions
  • Questions and curiosity about the scenario
  • Connection to real-world experience and challenges

Addressing Low Energy

Immediate Interventions:

  • “What’s at stake if we don’t solve this problem?”
  • “How would you explain the urgency to your organization’s leadership?”
  • “What would make this attack particularly dangerous?”
  • Brief physical movement or position change

Systemic Adjustments:

  • Reduce complexity and focus on core learning objectives
  • Increase role-based structure and guidance
  • Add collaborative elements and team consultation
  • Connect more directly to participants’ real-world experience

Managing Different Group Types

High-Expertise Groups

Characteristics: Deep technical knowledge, may find scenarios too simple
Management Approach:

  • Add complexity and advanced concepts
  • Focus on innovation and technique development
  • Encourage mentoring and knowledge sharing
  • Connect to cutting-edge threats and responses

Effective Questions:

  • “What additional complications might arise in real incidents?”
  • “How would you improve on standard response approaches?”
  • “What would you do differently based on your experience?”
  • “How would you teach this concept to less experienced colleagues?”

Mixed-Experience Groups

Characteristics: Varying levels of technical knowledge and experience
Management Approach:

  • Facilitate peer teaching and learning
  • Ensure all participants can contribute meaningfully
  • Balance technical depth with accessible concepts
  • Use experienced participants as teaching resources

Effective Questions:

  • “How would you explain this to someone new to cybersecurity?”
  • “What questions would someone without technical background ask?”
  • “How do different experience levels contribute to understanding this threat?”
  • “What can we learn from each other’s different perspectives?”

Low-Experience Groups

Characteristics: Limited cybersecurity background, may feel intimidated
Management Approach:

  • Emphasize concept learning over technical details
  • Provide more structure and guidance
  • Celebrate insights and logical thinking
  • Connect to everyday technology experience

Effective Questions:

  • “What would common sense suggest in this situation?”
  • “How is this similar to technology problems you’ve encountered?”
  • “What would worry you if this happened to your personal computer?”
  • “What questions would you ask if you were responsible for fixing this?”

Organizational Teams

Characteristics: Work together regularly, want applicable insights
Management Approach:

  • Connect learning directly to organizational challenges
  • Address specific workplace constraints and opportunities
  • Encourage discussion of implementation and application
  • Support team development and relationship building

Effective Questions:

  • “How would this scenario play out in your specific environment?”
  • “What organizational factors would help or hinder this response?”
  • “How could you apply these insights to improve your current security posture?”
  • “What would you need to implement these approaches at work?”

Scaling to Large Groups

Standard M&M is designed for 4-6 players in a single conversation. For groups of 7-11, consider splitting into two teams running the same scenario in parallel with separate IMs, or use one team of 6 with the remaining players as observers who rotate in each round. When groups reach 12-15 or more, a different facilitation model is needed – one where parallel teams work independently and artifacts carry the investigation load rather than IM narration alone.

Warning: Experience Requirement: Not for Beginner IMs

Large group formats are NOT recommended for IMs running their first sessions. Before attempting a large group session, you should have successfully run at least 3-5 standard sessions and feel confident managing group dynamics, timing, and NPC delivery without a script.

Large group sessions demand simultaneous management of multiple teams, careful timing orchestration, and the ability to adapt on the fly. The complexity compounds quickly. If you are new to M&M facilitation, run standard sessions first.

Five Format Options

Each format creates different dynamics and teaches different things. Choose based on your learning objective.

1. Multi-Team Coordination

All 12-15 players participate simultaneously, split into functional teams (typically three): Alpha (Forensics), Bravo (Network/Infrastructure), and Charlie (Business Impact). Each team receives lens-specific artifacts and briefs an Incident Commander who synthesizes findings and makes decisions.

  • Best for: Maximum engagement, cross-functional collaboration practice
  • Trust mechanism: Teams must trust each other’s analysis without verifying it themselves

2. Shift Handover

Three groups of 5 play sequentially, each for 25-30 minutes. Each shift briefs the next – the IM stays silent during handover. The incident continues across shifts.

  • Best for: Testing communication quality, revealing what gets lost in handovers, practical IR skill
  • Trust mechanism: You must trust what the previous shift told you

3. Specialist Bench

Six active role players plus 9 on-call specialists. Active players can call in specialists when they need help. Specialists rotate into active slots over the session.

  • Best for: Practicing delegation, building comfort with asking for help
  • Trust mechanism: Asking for help requires vulnerability

4. Consensus Under Pressure

All 15 decide together with strict time limits. No designated leader – the group must self-organize. Failure to reach consensus has consequences.

  • Best for: Revealing natural team dynamics, practicing rapid negotiation
  • Trust mechanism: “Disagree and commit” in a safe environment

5. Fishbowl Rotation

Five active players plus 10 observers. Each observer is assigned to watch one specific player – not necessarily their own role. Rotate each round.

  • Best for: Building mutual respect, generating structured debrief material
  • Trust mechanism: Giving and receiving feedback requires psychological safety

Format Selection Guide

Objective | Recommended Format
Maximum engagement | Multi-Team Coordination
Testing handover quality | Shift Handover
Practicing delegation | Specialist Bench
Revealing team dynamics | Consensus Under Pressure
Building observation skills | Fishbowl Rotation

Multi-Team Structure and Round Flow

For Multi-Team Coordination – the most common large group format – translate the standard M&M role-based investigation paths into functional team lenses:

Existing Role Paths | Team Lens
Detective + Protector (forensics focus) | Alpha – Forensics
Tracker + Protector (network focus) | Bravo – Network/Infrastructure
Communicator + Organizational Context | Charlie – Business Impact

Each round follows a four-phase cycle:

Phase | Time | Activity
Situation Update | 5 min | IM presents new developments to all teams
Team Analysis | 15 min | Teams huddle separately, analyze artifacts, request investigations
Cross-Team Briefing | 5 min | Each team briefs the IC on key findings (90 seconds each)
IC Decision Point | 5 min | IC synthesizes and decides next action

Repeat for 4-5 rounds.

The Incident Commander Role

In formats that use an IC (Multi-Team Coordination and others), one or two participants coordinate teams and make final decisions.

IC rotation: A mid-session handover tests leadership context transfer – what gets communicated, what gets assumed, what gets lost. This is often one of the richest debrief topics.

Role inversion principle: The IC ideally should NOT be someone who leads incidents in real life. This builds empathy for the IC role among those who usually support it. Your usual Incident Commander becomes a Detective; your usual analyst discovers what coordination actually feels like.

Tiered Artifacts

Large groups cannot rely on IM narration to carry investigation momentum – teams working independently need physical artifacts. Reveal these progressively across rounds, not all at once:

Tier | Rounds | What It Contains
Initial Indicators | Round 1 | Obvious symptoms, alerts, first signs that triggered the response
Deep Analysis | Rounds 2-3 | Technical detail requiring active investigation
Developments | Rounds 4-5 | Escalations, new attack phases, consequences of team decisions

For a standard session (4 rounds), each team receives 6 artifacts total (2 Initial + 3 Deep + 1 Development), giving 18 artifacts across three teams. For extended sessions (5 rounds), 7 per team gives 21 total.

See the Large Group Prep Worksheet for a per-team artifact planning checklist.

NPCs and Injects

Large group facilitation significantly reduces IM bandwidth for NPC work.

NPC adjustments:

  • NPCs interact with the IC or specific team leads – not the whole room
  • Designate team leads as NPC contact points to reduce your cognitive load
  • Use NPCs sparingly – parallel team dynamics already generate natural pressure

Inject design:

  • Decide upfront whether each inject goes to one team, the IC only, or all teams simultaneously
  • Volume can be lower than in standard sessions – cross-team coordination creates inherent pressure
  • Avoid injects during team analysis phases when teams need focus
  • The IC is a natural receiver for organization-wide pressures: board calls, media inquiries, regulatory notifications
  • Team-specific injects can create useful information asymmetry where teams have different pictures of the same incident

Scaling Beyond 15 Players

When groups exceed 15, each format adapts differently:

Multi-Team Coordination (16-24+): Add functional teams rather than expanding team size. At 18+ players, consider adding Legal/Regulatory, External Comms, or Recovery teams. Expanding beyond 6 per team reduces individual engagement and increases IC coordination burden.

Shift Handover (18-25): Add a fourth shift, or expand shift size to 6-7. More shifts mean more handover practice but a longer total session.

Specialist Bench (18-25): Simply add more specialists to the bench. The format scales naturally – more specialists means more opportunities to practice asking for help.

Consensus Under Pressure (16-20 max): Does not scale well beyond 15-20. Group decision-making becomes chaotic. For larger groups, split into subgroups with representatives if you want to use this format.

Fishbowl Rotation (18-30): Scales excellently – just add observers. Keep the active player count at 5-6 regardless of total group size. More observers means richer debrief discussions.

Recognizing Natural Endings

Knowing when to end a session - or a round within a session - is as important as knowing how to run one. The best endings feel earned and satisfying, not arbitrary.

Decision Resolution vs. Time Limits

Ending on Resolution: The most satisfying session endings come when the team reaches a natural conclusion - the threat is contained, the crisis is resolved, or a clear decision point has been reached.

“Your coordinated response has neutralized the threat. The malware is contained, systems are being restored, and leadership has what they need for the regulatory notification. This feels like a natural place to wrap up.”

When Resolution-Based Endings Work:

  • The team has achieved their primary objective
  • A major decision has been made and implemented
  • The story has reached a clear climax and resolution
  • Energy is high and ending now preserves that energy

Tip: From Joe: Ending on the Big Decision

I ended my LockBit session when the team reached the “pay ransom or not” decision point—even though we had time remaining. I read the table and decided to move the plot forward to keep everyone engaged—even though it meant shortening the scenario. In this case the investigation was complete, they understood the threat, and now they faced the genuinely hard choice that real incident responders face: pay the criminals and maybe get your data back, or refuse on principle and accept the losses.

That decision point was the emotional peak. Continuing past it would have diluted the impact. The team debated intensely, consulted their “legal counsel” NPC, and ultimately decided. That moment—the weight of the decision—was more valuable than any additional gameplay.

Your choice: End on decision points if your group enjoys moral complexity, or push through to full resolution if they want closure. Both approaches are valid.

Time-Based Endings: Sometimes external constraints (room bookings, lunch breaks, participant schedules) require ending at a specific time regardless of story state.

Making Time-Based Endings Satisfying:

  • Give a 10-minute warning: “We need to wrap up in 10 minutes. What’s the most important thing to accomplish?”
  • Find a mini-resolution: “Let’s bring this round to a close. What’s the team’s current status and plan?”
  • Frame as cliffhanger: “The containment is in progress but not complete. If this were a real incident, you’d be handing off to the night shift right about now…”

Reading the Room for Ending Signals

Signs the Group is Ready to End:

  • The main challenge has been resolved and energy is winding down
  • Players are satisfied with their outcome (even if imperfect)
  • Continuing would require introducing new complications that feel forced
  • The learning objectives for the session have been achieved
  • Players begin asking “what happens next?” in wrap-up tone rather than investigative tone

Signs to Keep Going:

  • Players are highly engaged and want to see consequences play out
  • A cliffhanger would feel frustrating rather than exciting
  • Important learning moments are emerging from the discussion
  • The team is on the verge of a breakthrough they’ll be satisfied completing

Flexibility in Round Structure

The three-round structure (Discovery → Investigation → Response) is a guide, not a prison. Adapt timing based on what serves learning and engagement.

Extending a Round: If Discovery is generating excellent discussion and learning, don’t cut it short just to maintain schedule.

“This investigation is really productive. Let’s spend another 10 minutes here before moving to Response. We can adjust the final round accordingly.”

Compressing a Round: If the team quickly achieves a round’s objectives, move on rather than padding time.

“You’ve clearly identified the threat and understand its capabilities. Let’s move straight into planning your response.”

Merging Rounds: Sometimes Investigation and Response naturally blend together. That’s fine.

“As you investigate, you’re already taking containment actions. Let’s handle this organically rather than forcing a hard break between phases.”

Skipping Rounds: For short sessions or experienced groups, you might skip directly to the interesting part.

“Given our time today, let’s assume your team has already identified this as [threat]. We’ll pick up at the response planning stage.”

Note: Reader Choice

Session structure should serve learning, not the other way around. If strict adherence to three rounds isn’t working for your group, adapt. Some groups prefer longer, deeper Investigation phases; others want to jump quickly to Response. Follow the energy and learning rather than the formula.

Ending Techniques

The Satisfying Close: Acknowledge what the team accomplished and connect it to learning.

“You successfully contained a sophisticated threat through excellent coordination. The Tracker’s network monitoring, combined with the Detective’s forensic analysis, gave the Protector exactly what they needed. That’s how real incident response works.”

The Cliffhanger: End with unresolved tension that makes players want to continue.

“The immediate threat is contained, but the Detective just found evidence this was part of a larger campaign. There may be other organizations being hit right now. We’ll have to pick this up next time…”

The Reflection: End by turning the lens back on learning.

“Before we wrap up - what surprised you about how this incident unfolded? What would you do differently if you faced something similar in real life?”

The Handoff: Frame the ending as a shift change in the story.

“It’s been 14 hours since the first alert. Your shift is ending, and the overnight team is arriving. As you brief them, what are the three most important things they need to know?”

Post-Session Wrap-Up (5 minutes)

Learning Capture

Structured Reflection:

  • What surprised you most about this scenario?
  • Which response techniques were most effective?
  • How does this connect to your real-world experience?
  • What would you do differently in a similar situation?

MalDex Documentation:

  • Key insights about the Malmon’s behavior and weaknesses
  • Effective response strategies discovered during the session
  • Lessons learned about team coordination and collaboration
  • Recommendations for other teams facing similar threats

Community Connection

Next Steps:

  • Information about additional learning opportunities
  • Connection to local cybersecurity communities
  • Resources for continued skill development
  • Opportunities to contribute to community knowledge

Feedback Collection:

  • What worked well in this session?
  • What could be improved for future sessions?
  • Interest in additional scenarios or advanced challenges
  • Suggestions for community development and growth

Remember: Effective session management creates the conditions for collaborative learning while adapting to the unique needs and dynamics of each group. Focus on maintaining engagement, ensuring meaningful participation from all roles, and connecting learning to real-world applications and challenges.