GaboonGrabber Beginner Scenario: The Fundraiser Email
IM Overview
- Malmon: GaboonGrabber
- Runtime: 45-75 minutes (Lunch and Learn)
- Players: 4 (pre-generated team included below)
M&M has four rules that never change. Everything else is your style.
The Core Loop: You describe symptoms. Players each take one action. You describe results and evolve the threat.
Success Mechanic: Simple actions succeed automatically. Complex actions: roll d20, 5+ easy, 10+ medium, 15+ hard. (See the d20 callout in Round 1.)
Collaboration: Players assisting each other: +1 per assisting player (max +3), or roll two dice and take the higher.
The Goal: Contain the threat using your roles before the Malmon evolves.
Everything else is yours to improvise: how you voice the NPCs, whether you use the clue prompts verbatim or paraphrase them, how much you linger on a decision point, whether you use modifiers at all in a first session. The scenario is fully scripted, so you are never forced to improvise. But the best sessions always go somewhere the script did not expect. When that happens, follow the table, not the script. That is M&M working.
These rules are defined in the IM Quick Start Guide. The rest of this scenario teaches you the full system one mechanic at a time.
The Stage 2 ending – where the donor database export completes – is designed to be instructive, not punishing. It shows exactly what was at stake and exactly what the team could have done differently.
Before You Begin
Materials needed:
- This document (print or screen)
- Physical d20 dice – bring a handful (3-5 recommended); players can share one die but everyone rolling their own is more engaging. Digital dice apps exist as a last resort when no physical dice are available.
- Role cards for: Detective, Protector, Tracker, Communicator
- Handout A and Handout B – print before the session; see Handouts below for digital alternatives if printing is not possible
- Player tent cards (optional – printable name placards for the table)
No other preparation required. Everything – clues, NPC lines, decision points, and resolution endings – is scripted below. Read through once before running. If you have 5 extra minutes, read the Setting the Scene section aloud to yourself.
Every path through this scenario leads somewhere useful. If Stage 2 triggers, the debrief question about Tom becomes sharper, not harder – the team will have clear evidence of exactly what happened and why. You do not need to improvise consequences; they are already scripted. Your only job is to keep the conversation moving. If the room goes quiet for more than 30 seconds, offer the next clue prompt.
Partial-success lines: use one of these when a roll misses its target by 1-3 points. Pick whichever fits the moment.
| Situation | What to say |
|---|---|
| Investigation | “You find what you were looking for – but it raises a question you were not expecting.” |
| Technical | “It works – but slower, or with a side effect. Something had to give.” |
| Social | “They agree, but only halfway. What do you offer to get the rest?” |
| Under pressure | “You get the result – but the delay cost you. The situation moved while you worked.” |
Pre-Generated Team
Use the Role Distributor to randomly assign roles – enter headcount and tap the button. For four players this scenario uses the standard core four.
If you prefer self-selection: hand out role cards and ask “Which of these sounds most like how you would approach a security incident?” Give players 30 seconds. In practice, most new players do not have strong preferences – that is fine. If nobody steps forward for a role, assign at your discretion. Any combination works; the roles are designed to complement each other.
When the script addresses a clue to a role – “Tracker, the VPN log shows…” – use the player’s actual name instead of the role label. Players are themselves in this scenario.
- Detective – “You always ask who had access and when. Your job is to trace what happened.”
- Situational anchor: You volunteered to help the foundation after last year’s fundraiser. This is the first time you have been called into an actual incident.
- Play as: you ask one more question even when the team is ready to act.
- Protector – “Your instinct is to isolate first, ask questions second. You keep the threat from spreading.”
- Situational anchor: You set up the VPN access for volunteer coordinators like Tom. You want to know if the architecture held.
- Play as: you state the action you want to take, then immediately ask who disagrees.
- Tracker – “You follow the data trail. You want logs and timestamps before anyone acts.”
- Situational anchor: You are the one who flagged the security alert this morning. You forwarded it to Priya at 8:02am.
- Play as: you quote a specific number from the evidence before making any recommendation.
- Communicator – “You keep stakeholders calm and the team aligned. You decide what gets communicated and when.”
- Situational anchor: You manage the donor relationships. If 14,000 records are at risk, you are the one who has to look those donors in the eye.
- Play as: you repeat back what you heard before responding, especially when the news is bad.
Role Card Questions – IM Reference
Players with role cards will ask questions from the “Questions to Drive the Game” section on their card. These callouts give you the answers for this scenario. Open the relevant one if a player asks something you are not sure how to answer.
“What does the process execution history look like on the affected machine?”
The browser opened the phishing page, which served a drive-by download. The executable ran under Tom’s user account 3 minutes after the email arrived. Process chain: browser → GaboonGrabber dropper → credential harvester installed as a scheduled task running every 8 minutes.
“Are there scheduled tasks or registry run keys I can examine?”
Yes – a scheduled task runs the credential harvester every 8 minutes under Tom’s account. Named to resemble a legitimate Windows service. No registry run keys. The scheduled task is the sole persistence mechanism.
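The check a Tracker or Detective would run on a real box, as an added example that is not part of the M&M materials: given an inventory of scheduled tasks (the kind of data `schtasks /query /fo CSV /v` gives you once you map its columns), score each task on the three traits the answer above describes: a name one or two characters off a legitimate one, a short repeat interval, and a user account launching a binary from a user-writable path. The task list, the account CLEARWATER\treeves and the known-good names are constructed for the example.

```python
"""Scheduled-task persistence triage.

Added example for the scenario above; it is not part of the M&M materials and not
derived from any GaboonGrabber sample. The task records, account names
(CLEARWATER\\treeves) and the KNOWN_GOOD list are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed baseline of task names a reader will recognise as Windows-native.
# In a real triage, export this list from a clean build of the same image.
KNOWN_GOOD = {
    "MicrosoftEdgeUpdateTaskMachineCore",
    "OneDrive Standalone Update Task",
    "ScheduledDefrag",
    "SystemSoundsService",
    "WindowsUpdate",
}

# Paths a standard user can write to; a service-like task launching from here is odd.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Task:
    name: str
    run_as: str        # account the task runs under
    interval_min: int  # repeat interval in minutes, 0 if it does not repeat
    action: str        # command line the task executes


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the usual budget for a lookalike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, known=KNOWN_GOOD, max_dist: int = 2):
    """Return the legitimate name this one imitates. Exact matches are not lookalikes."""
    name = name.lower()
    for good in known:
        d = edit_distance(name, good.lower())
        if 0 < d <= max_dist:
            return good
    return None


def is_system_account(run_as: str) -> bool:
    return run_as.upper() in (
        "SYSTEM", "NT AUTHORITY\\SYSTEM",
        "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE",
    )


def suspicious_tasks(tasks, max_interval_min: int = 15):
    """Return (task name, reasons) for tasks that trip at least two indicators.
    Requiring two keeps a single odd trait (e.g. a user-path updater) from paging anyone."""
    findings = []
    for t in tasks:
        reasons = []
        twin = lookalike_of(t.name)
        if twin:
            reasons.append(f"name imitates '{twin}'")
        if 0 < t.interval_min <= max_interval_min:
            reasons.append(f"repeats every {t.interval_min} min")
        if not is_system_account(t.run_as) and any(m in t.action.lower() for m in USER_WRITABLE):
            reasons.append(f"runs as {t.run_as} from a user-writable path")
        if len(reasons) >= 2:
            findings.append((t.name, reasons))
    return findings


# Constructed task inventory; the second entry models the scenario's harvester,
# the fourth is a benign-looking user-path task that should NOT be flagged on its own.
SAMPLE_TASKS = [
    Task("MicrosoftEdgeUpdateTaskMachineCore", "NT AUTHORITY\\SYSTEM", 60,
         r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c"),
    Task("SystemSoundService", "CLEARWATER\\treeves", 8,
         r"C:\Users\treeves\AppData\Roaming\svchost.exe"),
    Task("ScheduledDefrag", "NT AUTHORITY\\SYSTEM", 0,
         r"%windir%\system32\defrag.exe -c -h -o -$"),
    Task("Backup Sync", "CLEARWATER\\treeves", 30,
         r"C:\Users\treeves\AppData\Local\BackupSync\sync.exe"),
]

if __name__ == "__main__":
    for name, reasons in suspicious_tasks(SAMPLE_TASKS):
        print(name, "->", "; ".join(reasons))
```

Only the task that trips at least two indicators is reported; the "Backup Sync" entry shows why a single trait (user-writable path) is not enough on its own to wake anyone up.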
“What’s the earliest sign of compromise – can we find Patient Zero?”
Tom is Patient Zero – no other accounts show compromise. His email address was publicly listed on the foundation’s donor portal as volunteer coordinator. The attacker likely sourced it from there.
“Do these indicators match anything in our threat intelligence?”
Yes. The credential-harvesting behaviour (browser passwords, session cookies, form data), 8-minute transmission interval, and fake account-lockout phishing lure are consistent with GaboonGrabber. Do not name the malmon here – only show the GaboonGrabber card when players describe the attack pattern themselves (“phishing,” “credential harvester,” or similar), as described in the malmon card reveal trigger section in Round 2.
“What artefacts did the attacker leave behind that I can preserve?”
The original phishing email (retrieve from the mail server – Tom deleted it from his inbox), the executable, the scheduled task definition, and Tom’s browser credential store. Do not reset Tom’s passwords yet – it destroys evidence and may alert the attacker.
“What network access does the compromised system have – what can the attacker reach from here?”
Tom’s workstation can reach the VPN gateway. Via VPN, the donor database is accessible on a separate segment – there is no direct workstation-to-database path without VPN. The VPN is the chokepoint: resetting Tom’s VPN credentials cuts the attacker’s route in.
“Are our backups isolated from the affected segment and confirmed clean?”
The donor database has nightly backups. The last backup ran at 02:00 this morning – after the workstation infection (executable installed Sunday afternoon), but before any attacker login over the VPN, which is the only route to the database. That backup is clean. Tom’s workstation has no centralised backup.
“What’s the blast radius if we don’t contain right now?”
The attacker has Tom’s VPN credentials and can log in at any moment. Once in via VPN, the donor database is accessible – 14,000 records, some with payment details. Regulatory notification may be required if any records are accessed. The fundraiser launches in 48 hours.
“Which systems are most critical to protect first?”
The donor database. Two steps are both required: isolate Tom’s workstation (stops further credential transmission) AND reset his VPN credentials (invalidates already-harvested credentials). Isolation alone does not close the remote access route.
“Do we have an emergency change process for immediate isolation?”
Priya is in the room and has full authority. VPN credential reset can be done immediately by whoever manages the gateway. Tom is cooperative and will support both steps.
“What outbound connections has this machine made in the last 24 hours?”
Regular HTTPS transmissions to an external IP every 8 minutes since the executable installed Sunday afternoon. Small payloads – credential data only. Approximately 135 transmissions over 18 hours. Metronomic cadence, not consistent with normal browsing.
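The cadence described above is what beacon detection keys on. As an added example (not part of the M&M materials), the Python below takes a constructed firewall export for the workstation, groups events by destination, and flags any flow whose inter-arrival gaps are almost constant, which is what separates a timer-driven implant from a person browsing. The addresses 10.20.1.57 and 203.0.113.45 are placeholders, not scenario facts.

```python
"""Beacon detection over a firewall/proxy export.

Added example for the scenario above, not part of the M&M materials. The log lines
are constructed: 10.20.1.57 stands in for Tom's workstation and 203.0.113.45
(a TEST-NET-3 address) for the harvester's drop server; neither appears in the scenario.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def sample_log_lines():
    """Constructed export: '<iso timestamp> <src> <dst> <dst port> <bytes out>'.
    Ten small uploads 8 minutes apart (plus a few seconds of jitter), mixed with
    ordinary browsing to other hosts at irregular gaps and larger sizes."""
    base = datetime(2025, 3, 2, 14, 17, 3)   # Sunday 14:17, right after the install
    lines = []
    for i, jitter in enumerate([0, 2, -1, 3, 0, 1, -2, 4, 0, 1]):
        ts = base + timedelta(minutes=8 * i, seconds=jitter)
        lines.append(f"{ts.isoformat()} 10.20.1.57 203.0.113.45 443 812")
    browsing = [(0, "198.51.100.10", 443, 15320), (7, "198.51.100.22", 443, 120455),
                (9, "198.51.100.10", 443, 9020), (31, "198.51.100.40", 80, 2201),
                (33, "198.51.100.22", 443, 44312), (60, "198.51.100.10", 443, 8802)]
    for minutes, dst, port, nbytes in browsing:
        ts = base + timedelta(minutes=minutes, seconds=17)
        lines.append(f"{ts.isoformat()} 10.20.1.57 {dst} {port} {nbytes}")
    return sorted(lines)


def parse_flows(lines):
    """Group events by (src, dst, port) so each candidate channel is scored on its own."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, port, nbytes = line.split()
        flows[(src, dst, int(port))].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def beacon_candidates(flows, min_hits=6, max_cv=0.10):
    """Flag flows whose inter-arrival times are nearly constant.

    Coefficient of variation (stdev / mean of the gaps) sits near 0 for a timer-driven
    implant and well above 0.1 for a human clicking around. min_hits keeps a handful
    of coincidentally spaced requests from scoring."""
    out = []
    for key, events in flows.items():
        if len(events) < min_hits:
            continue
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            out.append({
                "flow": key,
                "hits": len(events),
                "period_s": round(mean(gaps)),
                "cv": round(cv, 3),
                "avg_bytes": round(mean(b for _, b in events)),
            })
    return out


if __name__ == "__main__":
    for c in beacon_candidates(parse_flows(sample_log_lines())):
        print(c)
```

On the constructed data only the 203.0.113.45:443 flow survives: ten hits, a 480-second period and a coefficient of variation under 0.01, with an average payload of 812 bytes, which is the "small, frequent, metronomic" signature the answer above describes. Raise `max_cv` if the implant you are hunting adds deliberate jitter.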
“Are there DNS requests to unusual or newly registered domains?”
The phishing domain donor-portal-secure.net appears in DNS history from when Tom visited the page. The credential harvest C2 traffic uses a direct IP – not the phishing domain. No other suspicious DNS queries.
“Can I see the firewall logs for east-west traffic between internal segments?”
No unusual east-west traffic from Tom’s workstation. The harvester is exfiltrating outbound only and has not received a lateral movement instruction. The key evidence is in the VPN gateway logs: no external login means the database is safe; the Amsterdam login means Stage 2 triggered.
“Is there evidence of data staging or unusually large outbound transfers?”
No large file transfers. Credential data only – small packets, high frequency. The attacker is collecting credentials for remote use, not exfiltrating files directly from Tom’s machine.
“What does the network topology look like between the affected systems and our crown jewels?”
Tom’s workstation → VPN gateway → donor database (separate segment). No direct path without VPN. Reset Tom’s VPN credentials and that route is closed. The VPN logs are the decisive finding for whether Stage 2 has already triggered.
“Who in the organisation needs to know about this right now?”
Priya – already in the room and asking. Tom – needs to understand the severity and must cooperate fully. The board will hear from Priya on the morning call. Donors are not notified yet – no confirmed data access. That changes immediately if Stage 2 triggered.
“Does the data involved trigger any regulatory notification requirements?”
Potentially yes. 14,000 donor records including payment details means GDPR breach-notification duties (if any EU donors) and PCI DSS obligations (contractual, through the card brands and payment processor) may apply if the database was accessed. The regulatory trigger is database access – not just credential theft. Priya needs to know this before the board call so she can decide whether to involve legal counsel.
“What’s the business impact in plain language – how do I explain this to the board?”
“Tom’s workstation was infected by malware that stole his VPN credentials. The attacker may be able to access our donor database right now. We are cutting that access. Whether the fundraiser launches on Wednesday depends on whether the database was reached before we contained this.”
“What should we say if journalists or customers start asking questions?”
No external disclosure yet. If asked: “We identified a security issue affecting one workstation and are investigating. No donor data has been confirmed compromised at this time.” Priya approves all external messaging. Do not comment on the fundraiser timeline to outside parties.
“Are there contractual notification obligations to customers or partners?”
If the foundation has corporate donors with data processing agreements, those may include incident notification clauses. If payment details were accessed, the payment processor contract likely requires notification. This is a decision for Priya and the board – flag it before the board call, not after.
Setting the Scene
It is Monday morning at Clearwater Community Foundation, a 20-person nonprofit that runs youth programs across the city. In 48 hours, their annual fundraiser campaign goes live – the one that funds everything for the next 12 months. Director Priya Chen called an emergency meeting: the security monitoring tool flagged unusual activity on Tom Reeves’ workstation overnight. Tom is the volunteer coordinator. He is in the conference room now, sitting near the back, not making eye contact. Priya is at the head of the table. What do you do?
When the Communicator or Detective approaches Tom directly:
“It said my account was locked. I thought I had locked myself out again. I get that message sometimes when I travel. I did not think…” He trails off. He is not defensive. He is embarrassed.
Most rolls succeed. At DC 10 – the default here – players succeed 55% of the time (10-20 on a d20). Partial successes (7-9) advance the story too; only 1-6 creates real friction. The clue tables below give you scripted text for every outcome band.
Use DC 15 once per round at most. At that threshold success drops to 30%. Reserve it for genuinely hard moments – cutting-edge analysis or high-stakes social pressure.
When to skip the dice entirely: Simple, clear actions succeed automatically. The dice are for genuine uncertainty only.
Round 1: What Tom Clicked
Before you start, explain the three steps to your players:
- You describe what the team observes. A situation, a symptom, a piece of information.
- Each player takes one action. What does your character do? Anything realistic counts – ask a question, run a scan, check a log, call someone, isolate a machine.
- You describe what they find, then evolve the situation.
That is the whole game. Everything else builds on those three steps.
Tom’s workstation is still running. The security alert flagged it at 7:58am. The fundraiser donor database is accessible from the network. Priya is in the room, watching the team.
Reactive (player-driven): When a player declares an investigation action that matches a clue below, ask for a d20 roll and read the matching row. The roll determines how much they find and how cleanly.
Proactive (stuck group): If the room has genuinely worked a moment and is still stuck, offer the 10-19 row directly – no roll required. Do not narrate what it means. Describe the finding and let the team draw the conclusion.
A player’s wrong hypothesis – “maybe it is ransomware?” – is more valuable than your next clue. Ask what evidence would confirm or rule it out first.
If players get stuck, offer these clue prompts one at a time:
Clue 1 – Email investigation (proactive: offer at ~3 min if the group is stuck; reactive: Detective investigates the email → DC 10)
| Roll | What you say |
|---|---|
| 20 ★ | “Detective, the email came from noreply@donor-portal-secure.net – sent Sunday at 2:14pm. The link routed through three domains in under a second before landing on a credential harvesting page. This is professional kit.” |
| 10-19 | “Detective, the email came from noreply@donor-portal-secure.net – not from the foundation’s domain. Sent Sunday at 2:14pm. The link redirected through two domains before landing on a credential harvesting page.” |
| 7-9 ◐ | “Detective, the From address is suspicious – noreply@donor-portal-secure.net. But Tom deleted the email. You have the header; tracing the link requires pulling from the mail server.” |
| 1-6 | “Detective, Tom deleted the email when he realized something was wrong. You will need to pull the original from the mail server – another 10 minutes.” |
Clue 2 – Executable analysis (proactive: offer at ~6 min if the group is stuck; reactive: Tracker examines Tom’s workstation → DC 10)
| Roll | What you say |
|---|---|
| 20 ★ | “Tracker, the executable installed at 2:17pm Sunday – three minutes after the email – and has been transmitting to an external IP every 8 minutes. Last transmission: 6 minutes ago.” |
| 10-19 | “Tracker, an executable installed at 2:17pm Sunday – three minutes after the email arrived. Running as a scheduled task under Tom’s user account.” |
| 7-9 ◐ | “Tracker, a suspicious process started at 2:17pm Sunday – running as a scheduled task under Tom’s account. It has disguised itself with a legitimate-looking process name. Cannot confirm it is malicious without deeper analysis.” |
| 1-6 | “Tracker, the executable has disguised itself as a Windows system process. The timestamp shows 2:17pm Sunday but the process name is nearly identical to a legitimate system service. Standard tools will not catch it.” |
Clue 3 – Process analysis (proactive: offer at ~9 min if the group is stuck; reactive: Protector examines running processes → DC 15)
| Roll | What you say |
|---|---|
| 20 ★ | “Protector, the process is actively reading browser passwords, session cookies, and form data. Running 18 hours. It also captured Tom’s VPN credentials – the attacker may be able to log in remotely right now.” |
| 10-19 | “Protector, an unfamiliar background process is actively reading browser saved passwords and form data. It has been running for 18 hours.” |
| 7-9 ◐ | “Protector, something is reading Tom’s credential stores – you can see it accessing protected memory. But when you try to capture it, the process pauses. It is monitoring for analysis.” |
| 1-6 | “Protector, the process detects your investigation and terminates. The malware is gone – and so is the forensic evidence. You know it was there; you cannot confirm what it took.” |
When a player attempts something with uncertain outcome – convincing Tom to share his credentials for investigation, isolating a live machine without crashing an open report, pulling VPN logs for the past 24 hours – ask for a d20 roll.
Target numbers:
- Easy (5+): Standard procedures with the right tools – succeed most of the time
- Medium (10+): Complex analysis, uncertain coordination, or working under pressure
- Hard (15+): Cutting-edge techniques, high-stakes decisions, or significant obstacles
Degrees of success:
- Critical (natural 20): Exceptional result – extra information, bonus, or advantage in the next action
- Full success (meets or beats target): Complete achievement
- Partial success (within 3 below target): Useful result with a complication or cost – the story still advances
- Failure (4+ below target): Does not achieve the goal; may create a new complication
Automatic success: Skip the dice entirely when a player’s expertise, the right tools, and a clear plan all line up. The dice are for genuine uncertainty, not a control mechanism.
For most first-session actions, set the target at 10. Only push to 15 when the stakes genuinely warrant it.
NPC interruption:
“I need to know two things before I talk to the board this afternoon. First: is the donor database safe? We have 14,000 donor records in there – names, addresses, giving history, some payment details. Second: can we still launch the fundraiser on Wednesday? Those are the only two questions that matter to me right now.”
She asks exactly two questions and then stops talking. She will not ask a third until she has answers to the first two.
Round 1 Decision Point:
The team must give Priya an initial answer. What do they know, and what do they do about Tom’s machine?
- Option A: Isolate Tom’s workstation now. Take the machine off the network immediately, before investigating further.
- Outcome: The credential harvester loses its network connection. No further data can leave. Tom cannot work for the rest of the day. Investigation continues on an isolated machine. The attacker has not yet used the VPN credentials already harvested – Stage 2 has not triggered – but those credentials stay valid until reset, so the team still needs to close that route in Round 2.
- Priya: “Good. What do I tell the board about the fundraiser?”
- Option B: Keep the machine running and monitor. Continue investigating without disrupting Tom’s access, hoping to catch the full scope.
- Outcome: Better forensic picture emerges. But the harvester keeps transmitting through Round 2, and nothing stops the attacker from using the VPN credentials it has already sent out. Stage 2 may trigger.
Priya checks her watch: “You have until 10am. I need something before the board call.”
- Option C: Reset Tom’s passwords immediately. Change all of Tom’s account credentials right now, even before the investigation is complete.
- Outcome: Harvested credentials are invalidated. The attacker can no longer use them. But the malware is still installed and will begin harvesting the new credentials within minutes unless the machine is also isolated. Follow up with isolation in Round 2.
- Priya: “Will resetting the passwords be enough if we do not isolate the machine too?”
Whichever option they choose, move to Round 2. If they chose Option B, note that credential transmission has occurred.
Round 2: The Donor Database
The workstation situation is clearer. Now the team must determine whether the donor database was accessed – and whether it can safely be left online through the fundraiser.
When two or more players combine their actions toward the same goal:
- +1 per assisting player (maximum +3), or
- Advantage: roll two d20 dice and take the higher result
Either approach works – use advantage when it is cleaner to narrate, use the bonus when stacking precision matters.
Automatic success: When the whole team coordinates clearly with good logic and role division, skip the dice entirely. Perfect collaboration earns it.
Example: the Tracker checks the VPN access logs while the Detective reviews the donor database access history. That is a collaboration – one assisting player, so +1, or advantage.
Apply these when they make a moment more real or more interesting – not mechanically:
| Situation | Modifier |
|---|---|
| Action aligns with player’s role | +2 |
| Action misaligns with role | -1 |
| Super effective response type | +2 |
| Not effective response type | -2 |
| Strong security posture supporting action | +2 |
| Significant obstacle | -2 |
| Threat actively evolving | -1 to -3 |
Stacking example: A Tracker (+2 role) pulling VPN logs while the threat is actively evolving (-1 time pressure) rolls at +1.
For a first session: You do not need to apply modifiers at all. Use them when a player does something that should obviously be easier or harder than the default DC 10 roll.
Clue prompts for Round 2:
Clue 4 – VPN log analysis (reactive: Tracker pulls VPN logs → DC 10; state depends on Round 1 outcome)
| Roll | If Option A/C (contained) | If Option B (monitored) |
|---|---|---|
| 20 ★ | “No external login – and you have the exact moment Tom’s machine attempted to transmit and was cut off. The containment was clean.” | “Amsterdam login at 8:23am this morning, 4-minute session. And a second attempt 11 minutes later from the same IP – blocked. The attacker tried twice.” |
| 10-19 | “VPN logs show no external login using Tom’s credentials.” | “VPN logs show a successful login from Amsterdam at 8:23am this morning. Session lasted 4 minutes. The donor database was accessed.” |
| 7-9 ◐ | “Logs look clean but the detail level was set low. You cannot confirm the last 2-hour gap with certainty.” | “Something shows in the VPN logs – unusual session behavior – but the detail level was set low. You know there was activity; you cannot confirm what.” |
| 1-6 | “VPN log retention is 6 hours. You cannot confirm what happened before 3am.” | “VPN log retention is 6 hours. Whatever happened before 3am this morning is gone.” |
Clue 5 – Database access log (no roll – factual reveal based on Round 1 outcome)
If no VPN breach (Option A/C): “The last database access was Tom’s normal check at 9:01am last week. Nothing unusual. No export queries. No bulk operations.”
If VPN breach occurred (Option B): “An export query ran at 8:24am this morning. 14,000 records were queried. Export status: incomplete – the session was terminated before download finished, but query metadata was captured.”
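Clue 4 and Clue 5 are really one question: did a session under Tom’s credentials from an unexpected location overlap with anything unusual in the database log? The Python below, an added example that is not part of the M&M materials, does that correlation on constructed VPN and database logs modelled on the Option B branch (an Amsterdam login at 08:23, a four-minute session, an export query at 08:24 and a failed retry eleven minutes later). The account names, source addresses, per-user country baseline and log formats are assumptions made for the example.

```python
"""VPN session / database access correlation for the Round 2 reveal.

Added example, not part of the M&M materials. Log formats, the 'treeves' and 'pchen'
account names, the source addresses (documentation ranges) and the per-user country
baseline are all constructed for illustration.
"""
from datetime import datetime

# Constructed baseline: countries each account has logged in from over the last 30 days.
BASELINE_GEO = {"treeves": {"GB"}, "pchen": {"GB"}}

# Constructed VPN gateway log: '<iso ts> <event> key=value ...'
VPN_LOG = """\
2025-03-03T07:41:02 LOGIN user=pchen src=192.0.2.15 geo=GB sid=4401
2025-03-03T08:23:00 LOGIN user=treeves src=203.0.113.77 geo=NL sid=4402
2025-03-03T08:27:05 LOGOUT user=treeves sid=4402
2025-03-03T08:34:10 LOGIN_FAILED user=treeves src=203.0.113.77 geo=NL
""".splitlines()

# Constructed database audit log in the same shape.
DB_LOG = """\
2025-03-03T07:45:12 QUERY user=pchen stmt=SELECT rows=1
2025-03-03T08:24:02 QUERY user=treeves stmt=EXPORT rows=14000
2025-03-03T09:01:00 QUERY user=treeves stmt=SELECT rows=12
""".splitlines()

NOW = datetime(2025, 3, 3, 9, 15)  # when the Tracker pulls the logs (constructed)


def parse_line(line):
    ts, event, *rest = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in rest)


def vpn_sessions(lines):
    """Build sid -> session; LOGOUT closes a session, LOGIN_FAILED is kept for retries."""
    sessions, failures = {}, []
    for line in lines:
        ts, event, f = parse_line(line)
        if event == "LOGIN":
            sessions[f["sid"]] = {"user": f["user"], "src": f["src"], "geo": f["geo"],
                                  "start": ts, "end": None}
        elif event == "LOGOUT" and f.get("sid") in sessions:
            sessions[f["sid"]]["end"] = ts
        elif event == "LOGIN_FAILED":
            failures.append((ts, f["user"], f["src"]))
    return sessions, failures


def correlate(vpn_lines, db_lines, now):
    """For every session from a country outside the user's baseline, list the database
    statements issued under that account inside the session window. An open session
    (no LOGOUT yet) is treated as still running at `now`."""
    sessions, failures = vpn_sessions(vpn_lines)
    queries = [parse_line(l) for l in db_lines]
    findings = []
    for sid, s in sessions.items():
        if s["geo"] in BASELINE_GEO.get(s["user"], set()):
            continue
        end = s["end"] or now
        hits = [f for ts, _, f in queries
                if f["user"] == s["user"] and s["start"] <= ts <= end]
        findings.append({
            "sid": sid,
            "user": s["user"],
            "geo": s["geo"],
            "minutes": round((end - s["start"]).total_seconds() / 60),
            "queries": len(hits),
            "rows_exported": sum(int(f["rows"]) for f in hits if f["stmt"] == "EXPORT"),
            "retries_after": sum(1 for t, u, src in failures
                                 if u == s["user"] and src == s["src"] and t >= s["start"]),
        })
    return findings


def run_sample():
    return correlate(VPN_LOG, DB_LOG, NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Priya’s own session is skipped because GB is in her baseline; Tom’s NL session is reported with its four-minute duration, the single export statement that touched 14,000 rows inside the window, and the one failed retry from the same address. That finding is the Option B reveal in one record, and the Option A/C branch is simply an empty result.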
Malmon card reveal trigger:
When players describe “phishing,” “credential harvester,” “Trojan,” or anything close, show them the GaboonGrabber card and say:
“Your analysis confirms this is GaboonGrabber – a credential-stealing Trojan delivered via convincing phishing lures. It harvests saved passwords, browser session tokens, and form data. The goal is not to destroy data – it is to sell or use the credentials for follow-on access.”
If players have not named it by end of Round 2, give them this:
“Your logs confirm this is GaboonGrabber – malware that arrives as a phishing link, installs silently, and systematically harvests every credential it can find on the infected machine.”
Round 2 Decision Point:
Priya needs to make a decision about the fundraiser. The team must advise her:
- Option A: Delay the fundraiser launch by 48 hours. Take the time to fully investigate, reset all donor portal credentials, and confirm the database is clean before going public.
- Outcome: The fundraiser is delayed. Priya is frustrated but accepts the reasoning. Donors receive a brief “technical maintenance” notice. No data is at risk during cleanup. Launch happens Thursday instead of Wednesday.
- Priya: “48 hours. All right. I am calling it ‘system maintenance’ unless you tell me I cannot.”
- Option B: Launch as planned with enhanced monitoring. Proceed Wednesday with additional logging on the donor database and all VPN connections.
- Outcome: The fundraiser launches on time. Monitoring catches one suspicious login attempt Wednesday evening – a second credential that had been harvested from Tom’s email contacts. The team blocks it in real time. Priya is relieved but shaken.
- Priya: “Then we monitor everything. If anything moves, you tell me immediately.”
Round 2 ends. Move to Round 3.
Round 3: Before Wednesday
It is Tuesday afternoon. The immediate threat is contained. Now the team must clean up Tom’s machine, determine whether any other accounts were compromised, and prepare for the fundraiser.
In M&M, some responses are more effective against certain threat types than others.
GaboonGrabber is a Trojan type.
- Super effective: Phishing awareness training + EDR (endpoint detection and response) tools that flag credential-harvesting behavior. This combination prevents the initial install and catches it immediately if it does install.
- Not very effective: Reactive antivirus scanning alone. GaboonGrabber avoids signature-based detection by using legitimate system tools for its harvesting. A scan will find the initial dropper but may miss the payload running as a scheduled task.
- Normal effectiveness: Everything else – credential resets, network isolation, VPN access review.
Final Response Decision:
The team must choose their remediation and prevention approach:
- Option A: Full workstation rebuild + phishing awareness session before Wednesday. Rebuild Tom’s machine from clean image. Run a 30-minute phishing awareness session for all staff before the fundraiser launch. Reset all donor portal credentials.
- Type effectiveness: Super effective
- Outcome: Tom’s machine is clean. Staff leave the session knowing how to spot a fake password reset email. The fundraiser launches with the team confident in their preparation.
- Option B: Malware removal + credential audit + no staff session. Remove the malware manually, audit all credentials that touched Tom’s machine, reset everything. Skip the awareness session – there is not enough time.
- Type effectiveness: Normal effectiveness
- Outcome: Technical remediation succeeds. The fundraiser launches clean. But two weeks later, another staff member clicks a similar phishing email. The pattern continues.
- Option C: Credential reset only for Tom. Reset Tom’s passwords and move on. The fundraiser must launch.
- Type effectiveness: Not very effective
- Outcome: Tom’s credentials are safe. But the malware is still on his machine and will harvest his new credentials within 24 hours. By Thursday morning, the attacker has fresh credentials. The donor database is at risk again.
Resolution:
If Option A: Wednesday arrives. The fundraiser campaign goes live at 9am. By noon, 400 donors have already given. Tom pulls the Communicator aside before the afternoon check-in: “I looked up that domain name this morning – I should have caught it. I am going to start reading those security emails instead of deleting them.” Priya thanks the team before the end-of-day meeting. The organization enters the fundraiser season knowing it handled a real incident, learned from it, and came out stronger.
If Option B: The fundraiser launches successfully. Wednesday and Thursday are strong. Two weeks later, development coordinator Kenji receives a nearly identical phishing email while processing donor acknowledgements. He clicks it. The team responds faster this time – they know exactly what to look for. But the pattern is clear: without the awareness session, the organization remains vulnerable to the same lure. Priya schedules a staff training for next month.
If Option C: Thursday morning, the Tracker’s monitoring alert fires at 6:47am. A VPN session is active using Tom’s credentials – the new ones, reset just two days ago. The malware was never removed; it harvested the new credentials and sent them out yesterday. The donor database shows a completed export at 6:51am: 14,000 records. The fundraiser is live. The data is gone. Priya is on the phone with the board. The team has work to do – but this time, they know the attacker’s methods cold. The remediation will be thorough.
Handouts
Print both handouts before the session and keep them face-down until the release point. One copy per handout is enough – players can pass it around or lean in.
- Handout A: Phishing Email – Release at the start of Round 1
- Handout B: VPN Access Log – Select version and release at the start of Round 2
The handouts add tangibility and a “document handling” moment that grounds the scenario, but the investigation works without them. If printing is not possible:
- Project on screen – Open the handout link on a laptop or tablet and display it to the group. Give players a moment to read before discussion starts.
- Share the link – Send the handout URL to players before the session (or via chat at the release point) and ask them to open it on their own devices.
- Read aloud – For Handout A, reading the phishing email text aloud takes under a minute. For Handout B, reading the relevant VPN log entries aloud is sufficient; players do not need to see every row to reach the right conclusions.
Whichever method you use, treat the handout release as a deliberate pause – stop talking, let them absorb it, then ask what they notice.
Debrief Guide
Standard closing questions (ask all 4):
- “What was the first moment you suspected something was wrong?”
- “Which decision felt hardest, and why?”
- “What would you do differently if this happened at your actual organization?”
- “What is one thing you will remember from today’s session?”
Scenario-specific question:
“Tom’s email looked like it came from a legitimate system. What habits or controls would help your organization catch a fake password reset email before someone clicks it?”
What’s Next
Your group has completed their first M&M session. Ready to pick your own scenario? IM Quick Start Guide – Path 2: Picking Your Own Scenario walks you through threat type, audience, difficulty, and format selection.
More GaboonGrabber scenarios:
- GaboonGrabber: Healthcare Phishing – Healthcare technology firm, HIPAA compliance layer, higher regulatory stakes
- GaboonGrabber: Financial Compliance – Financial services, regulatory reporting, more complex stakeholder structure
- GaboonGrabber: Education Financial Aid – University financial aid office, student data, federal compliance context
Try FakeBat:
- FakeBat Beginner Scenario: Friday Deadline – Malvertising via fake software update, same beginner format, different threat type