flowchart TB
WB["WHITEBOARD\nAlpha · Bravo · Charlie"]
AT["ALPHA TABLE"]
BT["BRAVO TABLE"]
CT["CHARLIE TABLE"]
IC(["IC POSITION"])
AT & BT --> IC
IC --> CT
WB ~~~ AT
WB ~~~ BT
Large Group Facilitation Guide
How to Use This Guide
This guide is the detailed operational reference for large group M&M sessions. It covers format selection and general facilitation mechanics that apply regardless of scenario. For scenario-specific content – artifact distribution tables, opening scripts, round-by-round notes, and scenario debrief questions – use the per-scenario large group facilitator guide alongside this one. Chapter 11 covers the rationale and format overview; come here when you need to run the session.
Experienced facilitators only. Large group formats require confident multi-team management, comfort with deliberate ambiguity, and the ability to hold back when teams are struggling productively. If this is your first or second session, run a standard 4-6 player format first.
Facilitator, not IM. In standard M&M, the Incident Master runs the game from inside the fiction. In large group formats, your role is fundamentally different: you are a facilitator managing session flow, timing, and NPC delivery. The Incident Commanders (players) run the incident. You are not in the game – you make sure the game runs. This guide uses “facilitator” for your role and “IC” for the player role. Some sections still reference “IM” where the guidance applies equally to standard and large group play.
Choosing Your Format
The five large group formats are not interchangeable. The right choice depends on four factors: who is in the room, what they are trying to learn, how much time you have, and how much facilitation experience you can bring.
Multi-Team Coordination is the primary format and the one the tiered artifact sets (Tier 1/2/3 for Alpha, Bravo, Charlie) are designed for. Use it when the learning objective is cross-functional coordination under uncertainty, when the group is drawn from different real-world roles (network, forensics, business), or when you want to surface how information asymmetry affects organizational decision-making. It requires active IM attention throughout and works best at 120-180 minutes. The IC role is the hardest facilitation challenge – see the IC management section below. This is the format to default to for enterprise workshops and IR team exercises.
Shift Handover works when the group can be split into two natural teams by function, seniority, or department. The learning objective is handover quality: what gets lost, what gets assumed, what never gets communicated. It runs effectively at 90-120 minutes. The IM’s job during the actual handover period is to stay completely silent – the gaps in what gets communicated are the learning, and any IM prompt destroys the naturalness of the handover. Use this format when your group has experience with real handovers (CIRT to SOC, day shift to night shift, first responder to recovery team) and can draw on that memory during debrief.
Specialist Bench suits groups where some participants have deep technical expertise and others do not. It splits the room into a core investigating team and an on-call bench of specialists who are consulted by request. The learning objective is delegation and consultation mechanics – knowing when you need help and being willing to ask for it. Run at 90-120 minutes. The IM’s main facilitation challenge is prompting the core team to use the bench; many groups default to solving everything themselves rather than making consultation requests. A light touch – “You have access to the bench – is there anyone there whose expertise you need right now?” – is usually enough.
Consensus Under Pressure produces the most discussion and the most conflict, which is either a feature or a bug depending on your group. The single team must reach a unanimous decision by a hard deadline. The IM controls the deadline and delivers the consequence if it is missed. The learning objective is decision-making governance under time pressure – who leads, who defers, how disagreement gets resolved. Works well at 90 minutes. Do not use this format with a group that lacks psychological safety; forced consensus in an environment where people do not feel safe speaking will produce superficial agreement and resentment, not learning.
Fishbowl Rotation is the most self-running of the five formats. A small active group investigates while the rest observe, then roles rotate. The learning objective is observation and reflection – seeing your own professional behaviors from the outside. It works at 90-120 minutes and requires less IM intervention than Multi-Team Coordination because the observation structure creates its own engagement. Assign observers specific watching tasks: “Watch how information is shared across roles” or “Watch what happens when the team disagrees.” Without a specific watching task, observers disengage.
Time availability:
- 90 minutes: Shift Handover, Specialist Bench, Consensus Under Pressure, Fishbowl (tight)
- 120 minutes: All formats comfortably; Multi-Team Coordination at minimum
- 180 minutes: Multi-Team Coordination with full round depth and proper debrief time
IM experience required:
- Lower demand: Fishbowl Rotation, Specialist Bench
- Moderate demand: Shift Handover, Consensus Under Pressure
- Highest demand: Multi-Team Coordination
Physical Setup
For a chronological, task-based walkthrough of the full session lifecycle – from room booking through post-session review – see the Session Preparation and Execution Guide.
Physical preparation is the difference between an IM who facilitates and an IM who manages. With 15 people in the room, every minute you spend looking for the right card, rereading a laptop screen, or trying to remember which team gets which artifacts is a minute you are not watching the room. The artifacts below are not props – they are operational tools that free your attention.
This section covers what to prepare, how many of each item to bring, and exactly how each item gets used during the session. Items are grouped by how they work together.
Room Layout
For Multi-Team Coordination, arrange 3 team tables in a triangle or U-shape with the IC position at the gap:
Facilitator circulates outside the triangle. Facilitator stands near IC during cross-team briefings.
Team separation is deliberate. Information asymmetry – each team holding a different slice of the picture – is the central mechanic. Teams should not be able to easily see each other’s artifacts during the analysis phase. The IC position in the gap means the IC must physically move between teams to collect information, which reinforces the synthesis role rather than passive note-taking.
If the venue does not allow a triangle, a U-shape with the IC at the open end achieves the same separation. A straight-line arrangement (all teams in a row) does not work – teams at opposite ends will communicate directly and bypass the IC synthesis moment.
Whiteboard placement: set it to the IC’s right, within writing distance of the IC position. Label 3 columns before the session starts: ALPHA / BRAVO / CHARLIE. The IC writes their synthesis here after each cross-team briefing.
Set 1: The Distribution System
The artifact envelopes are the highest-value single item you can prepare. For a Multi-Team Coordination session with 3 teams and 5 rounds, you need 15 envelopes total: 5 rounds × 3 teams. Label each one clearly: “Alpha – Round 1”, “Bravo – Round 1”, “Charlie – Round 1”, then the same for Rounds 2 through 5. Prepare 2 blank spares for unexpected injects.
The night before the session, sort all 21 artifact cards into the correct envelopes and seal them. Stack each team’s set face-up in round order – Round 1 on top, Round 5 at the bottom – and bind the three team stacks with a rubber band or paper clip. Now you have a single physical object per round: pick up the next round’s set of 3 envelopes, walk to each team, hand it over. That is the entirety of your Round 2 artifact release. You do not need to think; you execute.
What the envelopes prevent: handing the wrong team the wrong tier. Accidentally giving Charlie the Alpha forensic log in Round 3 collapses the information asymmetry you spent 40 minutes building. They also prevent spoilers – a team cannot see what is in the Round 4 envelope, so they cannot skip ahead.
The IM cheat sheet is a single A4 page, laminated. It contains:
- The artifact distribution table: which card goes to which team in which round (two sentences per card, one-phrase summary of key content)
- Round timing targets (e.g., “R1: 20 min, R2-3: 25 min each”)
- 2-3 failure mode triggers per scenario (e.g., “If Charlie votes on ransom before Alpha reports decryptor reliability – prompt: ‘What does the board need from technical before they vote?’”)
- 3-4 IC check-in questions for cross-team briefing
Laminated means it survives coffee. It means you can write on it with a dry-erase marker and wipe it between sessions. During the session, the cheat sheet sits on a clipboard or folded in your back pocket. You glance at it between rounds. You do not open a laptop.
These two items work as a pair. The cheat sheet tells you what is in each envelope and when each one gets released. The envelopes contain the physical artifacts. Without the cheat sheet, you are fumbling to remember which round is which while standing in front of a team. Without the envelopes, you have the knowledge but are still handling loose cards. Together they reduce the distribution moment to a 30-second walk around the room.
Alternative: labeled folders. If sealed envelopes feel like unnecessary ceremony, labeled folders achieve the same misdelivery prevention with simpler prep. Label each folder clearly (“Alpha – R1”, “Bravo – R2-3”, etc.), place cards face-down inside, and stack by round. The round transition comes from the bell, not from opening an envelope. Folders are faster to prepare (no sealing, no rubber bands) and reusable across sessions. Envelopes add a physical moment of opening that some facilitators find valuable for marking round transitions. Either works – choose based on your preference.
Quantity: 15 envelopes + 2 spares OR 15 labeled folders (prepared fresh per session). 1 cheat sheet per scenario (reusable).
Set 2: The Visible Thinking System
A whiteboard or flip chart serves two functions during the session. First, the IC uses it to write their synthesis after each cross-team briefing – not a transcript of what each team said, but their own integrated picture. This matters because when the IC writes it down, the whole room sees their synthesis. Other teams can see what the IC understands and what they missed. Second, the IM can use one corner of the board to track the state of the central dilemma: a running tally like “Board inputs received: 3 / 5” makes the decision threshold visible without the IM needing to say it.
If the venue has no whiteboard, tape two sheets of flip chart paper to the wall before the session starts. The IC should be standing when they brief; standing next to a board they are writing on is the right physical posture for the synthesis role.
Large sticky notes and thick markers, 1 pad and 1 marker per team, let teams build a physical evidence timeline on a wall or table surface. This is most valuable in Fog Lifts scenarios (Stuxnet, Noodle RAT) where the attack happened weeks ago and the investigative challenge is establishing when events occurred relative to each other. A team that has built a timeline on the wall is doing materially better analysis than a team whose timeline exists only in one person’s head. As IM, you can read the state of a team’s thinking from across the room by looking at their sticky note arrangement. A wall with no stickies is a team that is still in the “reading and discussing” phase; a wall with 8 stickies in chronological order is a team that has built a model.
Stickies also become debrief material. “Look at your timeline. When did you place the first indicator? When did you realize the attack predated that?” This only works if the physical record exists.
These two items work together: the whiteboard is the IC’s synthesis surface, the stickies are each team’s evidence surface. The IM can read the entire state of the room – all 3 team analyses plus the IC synthesis – visually, without asking anyone a question. That situational awareness is what allows you to decide whether a team needs a navigation prompt or is fine.
Quantity: 1 whiteboard or 2 sheets of flip chart paper (shared by IC and IM). 1 sticky note pad per team (A5 or larger). 1 thick marker per team.
Set 3: The IC Scaffolding System
Table signs and IC identification. In Multi-Team Coordination, tables are separated in a triangle or U-shape. The IC and facilitator need to know which table is which at a glance. The simplest solution is 3 table signs – one A4 sheet per table folded as a tent: “ALPHA – Forensics”, “BRAVO – Network”, “CHARLIE – Business Impact”. Add 2 IC tent cards (“IC #1”, “IC #2” for dual-IC scenarios, or just “IC” for single-IC). That is 5 items total.
The table signs solve the Cross-Team Briefing moment: the IC turns to each table in sequence. The sign makes the briefing order visible to everyone. Tell the IC the team lead names verbally during the pre-session briefing – the IC only needs to remember 3 names, not 15.
Individual tent cards (one per player) are optional in Multi-Team Coordination. They add value in standard play where role-based modifiers matter at the individual level, but in large group format the team function (Forensics/Network/Business Impact) matters more than individual roles. If you bring them, 5 per team + IC cards = 17. If you skip them, the table signs are sufficient.
Wearable team markers (lanyards or colored name badges) solve a problem that mostly does not exist in Multi-Team Coordination: identifying team membership when people are standing and moving. In practice, team members stay seated at their table during analysis and brief from their table during cross-team briefings. The only person who moves significantly between tables is the IC. Consider wearable markers for the IC(s) only – a lanyard or distinct badge makes the IC visible when they are standing between tables during briefings.
For formats where participants DO move between positions – Fishbowl Rotation, some Shift Handover configurations – full wearable markers for all participants make more sense.
The IC decision packet is a printable 5-sheet document – one sheet per round. Print it from Session Materials → IC Decision Packet. Each sheet has fields for recording each team’s brief separately, the key tension across teams, your synthesis, and your decision. Staple the 5 sheets together.
Hand this to the IC at the start of the session. Brief them: “After each cross-team briefing, fill in one sheet. You will use this in the debrief.” The packet does two things: it structures the IC’s synthesis in real time (forcing them to note each team separately before integrating), and it produces a debrief artifact. At the end of the session you can ask the IC to read back what they wrote in Round 2 and the room can discuss whether that synthesis was accurate.
These two items work with the whiteboard: tent cards identify who the IC is addressing during the briefing, the decision packet structures what the IC records privately, the whiteboard makes the IC’s synthesis visible publicly. The three items together define the IC role physically and operationally.
Quantity: 3 table signs + 2 IC tent cards (minimum). Individual tent cards optional (17 if used). 1 IC decision packet per session (print fresh each time, 5 sheets stapled).
Session Management Items
A round transition signal – a small bell, a meeting clapper, anything with a distinct sound – is a simple item that solves a real problem. When 15 people are mid-discussion, “okay let’s move on” does not cut through. A bell does. Ring it once clearly at round end. The room learns the signal after the first round and responds to it automatically by Round 2.
A visible timer keeps rounds honest. Your phone timer works; so does any countdown app projected on screen. If you can project a countdown, the room shares the time pressure, which matters for formats like Consensus Under Pressure. For Multi-Team Coordination, IM-side visibility is sufficient – but you need to actually glance at it. Timer without attention is decoration.
Quantity: 1 bell or clapper (reusable). 1 timer (phone is fine).
Scenario-Specific Items
The red herring resolution card is a small pre-printed card that you hand to the IC at the moment the scenario’s red herring is definitively resolved. For Stuxnet: “ADMIN-WS-012 – All David Reyes sessions confirmed benign. Standard maintenance activity, unrelated to batch anomalies. Thread closed.” For Noodle RAT: “svc.backup activity at 10.10.50.47 – source confirmed as backup server misconfiguration, not implant staging. Thread closed.”
Hand the card over physically rather than making a verbal announcement. A physical handover signals closure in a way that “yeah that was a dead end” does not. The card can be set on the table; teams see it sitting there and do not return to the question. Without this, teams in Fog Lifts scenarios often circle back to the red herring two rounds after it was supposedly resolved.
Quantity: 1 per session (print fresh; scenario-specific).
The ransom demand card (LockBit only) is the ransom note printed as a distinct physical artifact – different paper, ideally slightly larger, set apart from the standard artifact cards. The moment a player physically picks up a ransom demand and reads it is different from reading it on a screen. The physical reality of holding a demand for 40 BTC makes the decision stakes concrete in a way that no amount of IM narration can match.
Quantity: 1 per session (print fresh; LockBit hospital-emergency only).
The Consolidated Facilitator’s Cheat Sheet
The sections above describe 4 separate reference items: the cheat sheet, the NPC reference card, the Red Flag Dashboard, and the Session Timeline Card. In practice, all 4 fit on a single double-sided A4 page – giving you one object to track instead of four. This is the recommended approach.
Front side:
- Artifact distribution table (which cards to which team per round, 1-line summary each)
- Session flow (event-triggered sequence from opening through debrief)
- Timing checkpoints (fill in actual start time; mark “if Round 2 hasn’t started by XX:XX, ring the bell”)
Back side:
- Red Flag triggers with facilitator responses (6 items for Winnti)
- NPC lines with trigger conditions (when to play each NPC)
- IC intervention ladder (4 steps: silence, redirect question, navigation prompt, redirect to team leads)
- Debrief questions (5 scenario-specific questions)
Print on card stock or place in a sheet protector. Laminate only if you plan to reuse across sessions.
Quick-Reference: What to Prepare
Night before the session:
- Sort artifact cards into labeled envelopes or folders (3 teams × number of round phases)
- Stack each team’s set in round order (Round 1 on top), bind with rubber band if using envelopes
- Print facilitator’s cheat sheet (double-sided A4, card stock)
- Print IC decision packet (5 pages, A4 portrait, staple before handing to IC)
- Print IC handover checklist (x2) if using dual-IC format
- Print scenario-specific red herring resolution card (if applicable)
- Print table signs (3) and IC tent cards (1-2)
- Print opening delivery on a single page
Morning of the session:
- Place table signs and IC tent card(s)
- Place folders/envelopes at tables (Round 1 on top, face-down)
- Label whiteboard: ALPHA / BRAVO / CHARLIE
- Tape flip chart paper to wall (if no whiteboard)
- Set sticky note pad and marker at each team’s table (optional)
- Confirm timer is working and visible
- Locate round transition signal (bell or clapper)
Multi-Team Coordination – Running It
This is the format the tiered artifact sets are built around. The operational details below apply to any scenario using that artifact structure.
Before the Session
For a full pre-session preparation checklist covering room setup, print tasks, and envelope packing, see the Session Preparation and Execution Guide.
Team assignment. Assign participants to Alpha (Forensics), Bravo (Network/Infrastructure), or Charlie (Business Impact) before they arrive or as they enter. Do not let people self-select – mixed-experience groupings work better than “all the network people on Bravo.” Aim for roughly equal team sizes; 4-5 per team is ideal for a 12-15 player group.
IC selection. The IC (Incident Commander) role requires specific setup. Choose someone who does NOT lead incidents in real life – a senior analyst, a business-side participant, a network engineer. The IC’s challenge is synthesizing across teams, not just amplifying the most confident voice in the room. Brief them privately before the session: “Your job is to listen to what each team tells you, ask questions across teams, and make decisions when they disagree. You are not here to know more than them – you are here to integrate what they know.”
Dual-IC and IC #2 placement. In scenarios with a mid-session IC handover (e.g., Winnti), brief both ICs before the session starts. IC #1 manages the first half; IC #2 takes over at the handover point. After the briefing, IC #2 leaves the room and returns only when called back for the handover. This ensures the handover is genuine – IC #2 depends entirely on IC #1’s structured communication to understand the situation, which mirrors real incident command handovers. If IC #2 has been in the room observing, the handover becomes performative and loses its learning value.
Artifact preparation. Sort all cards by team and tier. Keep them face-down in separate piles labeled by team and tier, or in labeled folders/envelopes. You need: Alpha R1, Bravo R1, Charlie R1 ready for Round 1 release. Prepare R2-3 and R4-5 piles but keep them away from the table until release points.
Opening Delivery
The opening sets the scenario premise before any artifacts are turned over. The per-scenario guide provides the scripted opening language. The generic structure is:
- Brief the IC on their role (1 minute, in front of the group)
- Describe the organizational context and the moment the scenario starts (1-2 minutes)
- Hand each team their R1 cards, face-down
- “Turn them over now” – the scenario begins
Do not describe the malware or the attack before cards are turned over. Teams should encounter the scenario through the artifacts, not through IM narration.
The Round Cycle
Each round follows a four-phase cycle:
Situation Update (2-3 minutes). The IM opens the round: “It is now [time]. Here is what has developed since we last met.” Brief factual update. Release new artifacts at this point. Do not interpret the artifacts – hand them over and step back.
Team Analysis (8-12 minutes). Each team works independently on their new artifacts. IM circulates between teams, listening. Do not interject unless a team is completely stuck (see navigation prompts below). The analysis period is where the real work happens; respect it.
Cross-Team Briefing (5-7 minutes). Each team lead gives a 60-90 second brief to the IC. Other teams listen. The IC asks clarifying questions. This is where information asymmetry becomes visible – teams often discover that their picture of the scenario was incomplete.
IC Decision (2-3 minutes). The IC makes a decision or identifies what information is still needed before a decision can be made. The IM may ask: “What do you know, and what do you still need to find out?” IC decisions drive the scenario forward; validate them even if they are not the optimal answer.
Managing the IC
The IC is doing the hardest thing in the room. Common failure modes and how to handle them:
The IC defers to the loudest team. Gently: “You have heard from Alpha and Bravo. What does Charlie say about [the same question]?” Do not let one team dominate the synthesis.
The IC makes a decision before hearing all teams. “Hold that decision – let’s hear from [unheard team] first. That might change what you decide.”
The IC is paralyzed by uncertainty. “What is the minimum you need to know to make a provisional decision? What can Alpha give you in the next two minutes?” Uncertainty is not a reason to defer; provisional decisions with stated conditions are valid.
The IC is repeating back what teams said without synthesizing. “You have heard that Alpha found X and Bravo found Y. Those two things seem to be in tension. How do you think about that?”
Managing Team Leads
Check in with each team lead at the start of Cross-Team Briefing: one quiet question. “What’s the most important thing your team found?” – not to coach them, but to hear what they are prioritizing. If a team is going down a blind alley (chasing a red herring, fixated on a secondary question), a navigation prompt works better than a direct correction:
- “That detail is interesting. Does it change what you would recommend right now?”
- “If you had to brief the IC in 90 seconds, what would you lead with?”
Navigation prompts redirect without giving away the answer.
Timing Management
Running long: Cut the analysis period before cutting the briefing period. The IC synthesis is where the learning crystallizes – protect it. If you need to cut 10 minutes, shorten team analysis from 12 minutes to 8 minutes, not briefing.
Running fast: Add a challenge inject between rounds. “You just received a call from [external party – contract officer, regulator, media]. What does that change?” Injects add pressure without requiring new artifacts.
Round-by-round pacing target: For a 120-minute session with 4 rounds: 20 min / 25 min / 25 min / 20 min, leaving 30 minutes for debrief. For 5 rounds in 180 minutes: 20 / 25 / 25 / 25 / 20, with 25-30 for debrief.
Information Asymmetry
Information asymmetry – each team having a different slice of the picture – is the central mechanic of Multi-Team Coordination. It is designed in, not a bug. Its purpose is to force the IC synthesis moment: only the IC has heard all three briefings, and the IC is the only person who can see the contradiction between what Alpha found and what Charlie believes.
Protect the asymmetry during team analysis. Do not let teams share cards with other teams during the analysis period. The briefing structure is how information crosses team boundaries. If teams are comparing cards outside the briefing, gently: “Keep your analysis within your team for now – the briefing is how you share what you found.”
When designing custom injects or running scenarios not in the standard artifact set, build in at least one asymmetry that the IC alone can resolve. Without a synthesis moment, the IC role is just a note-taker.
Player-Driven Action Resolution
The standard mechanic for large group dice use is player-driven, not facilitator-triggered. The IC and teams propose containment actions; the facilitator resolves them.
When the IC proposes a containment action, the facilitator runs three questions:
- Which team owns this? The IC assigns the action to the team with the relevant expertise. “Isolate the compromised subnet” goes to Bravo. “Verify GenixLibrary integrity” goes to Charlie (in Winnti) or Alpha (in other scenarios).
- What’s the difficulty? The owning team assesses based on what they know. A team that has already mapped the relevant infrastructure calls it easier than a team working blind. The facilitator sets the DC: Easy (5+), Medium (10+), or Hard (15+).
- What could go wrong? The facilitator names the risk before rolling – “If this fails, the attacker pivots to the backup domain controller” or “Partial success means the subnet is isolated but you lose access to the forensic image.” Then the facilitator rolls.
This approach makes players active drivers of the response rather than passengers waiting for pre-scripted roll points. The IC learns to delegate actions to the right team, teams learn to assess their own readiness honestly, and the dice resolve genuine uncertainty rather than arbitrary checkpoints.
When to use it: Round 3 onwards, when the IC has enough synthesis to propose specific actions. Rounds 1-2 are analysis rounds – teams are building their picture, not executing containment. Do not roll during team analysis; evidence cards produce fixed outputs.
When NOT to roll: If the action is clearly within the team’s capability and the outcome is not meaningfully uncertain, skip the roll and narrate success. Rolling for trivial actions wastes time and undermines the weight of the mechanic.
Threat Clock: Attacker Progression
The threat clock creates time pressure without the facilitator needing to improvise attacker behavior. It is a pre-scripted sequence of attacker progression cards – one per round – that advance the attack if teams have not effectively contained the relevant element.
How it works:
- Before the session, prepare 3-5 attacker progression cards, one per round from Round 2 onwards. Each card describes what the attacker does next: lateral movement to a new subnet, data exfiltration of the next target dataset, deployment of a secondary payload, or escalation of the ransom timeline.
- Each card has a “skip if” condition. If teams have already contained the element the card targets, skip it. Example: “Attacker moves laterally to the backup domain controller. Skip if: Bravo has already isolated the management VLAN.”
- At the start of each round, check the skip condition against what teams have actually accomplished. If the condition is not met, read the card as part of the Situation Update. If the condition is met, skip it silently – the teams do not need to know what they prevented.
Why this works: The threat clock creates genuine consequence for inaction without requiring the facilitator to improvise attacker behavior in real time. It also rewards effective containment visibly – when teams contain something and the attacker does NOT escalate, that absence is itself a signal that their actions mattered.
Preparing the cards: Use the per-scenario facilitator guide’s round notes as the basis. Most scenarios already describe what the attacker does between rounds – formalize those into cards with explicit skip conditions. For custom scenarios, map the attacker’s kill chain and create one card per kill chain stage beyond initial access.
IC Status Board
The IC maintains a visible status board – the whiteboard or a flip chart – with two columns: CONTAINED and OPEN.
After each round’s cross-team briefing and any dice resolution, the IC updates the board:
- CONTAINED: Elements the teams have successfully addressed. “Management VLAN isolated.” “Ransomware binary quarantined.” “CFCS notified.”
- OPEN: Elements still active or unresolved. “Exfiltration channel status unknown.” “Backup integrity unverified.” “Board notification pending.”
The status board serves three purposes:
- IC synthesis tool. Writing forces the IC to commit to a position on what is and is not resolved. Ambiguity becomes visible.
- Team situational awareness. All three teams can see the IC’s picture of the incident without waiting for a briefing. A team that sees their domain listed under OPEN knows the IC is waiting for their input.
- Debrief artifact. At the end of the session, the board is a physical record of how the IC’s understanding evolved. “Look at what was under CONTAINED in Round 3. Was it actually contained, or did you move it there too early?”
Facilitator role: Do not manage the board for the IC. If the IC forgets to update it, prompt once: “Your board – anything to move?” After the first prompt, the IC either adopts it or does not. Forcing the practice defeats the purpose.
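The threat clock's skip check and the status board's debrief use can be tracked together. The following is an added example, not part of the original guide: a facilitator-side bookkeeping script that decides which progression cards are read in each Situation Update and lists what the IC moved to CONTAINED too early. The class names, element labels, and three sample cards are constructed for illustration, and it assumes one skip-if element per card.

```python
"""Threat clock and IC status board bookkeeping (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProgressionCard:
    round_no: int        # round whose Situation Update carries this card (2 onwards)
    attacker_move: str   # text read to the room if the card fires
    skip_if: str         # containment element that cancels the card (assumed: one per card)


@dataclass
class Session:
    cards: list
    accomplished: set = field(default_factory=set)     # what teams have actually contained
    board_history: dict = field(default_factory=dict)  # round -> IC's board snapshot
    truth_history: dict = field(default_factory=dict)  # round -> snapshot of accomplished

    def situation_update(self, round_no):
        """Return the attacker moves to read at the start of this round.

        The skip condition is checked against what teams actually accomplished,
        not against the IC's board. Skipped cards are dropped silently.
        """
        return [c.attacker_move for c in self.cards
                if c.round_no == round_no and c.skip_if not in self.accomplished]

    def close_round(self, round_no, newly_contained, ic_contained, ic_open):
        """Record resolved actions and the IC's board after the cross-team briefing."""
        self.accomplished |= set(newly_contained)
        self.truth_history[round_no] = set(self.accomplished)
        self.board_history[round_no] = {"CONTAINED": set(ic_contained),
                                        "OPEN": set(ic_open)}

    def moved_too_early(self):
        """Per round, items in the IC's CONTAINED column that were not actually contained."""
        early = {}
        for round_no, board in sorted(self.board_history.items()):
            wrong = board["CONTAINED"] - self.truth_history[round_no]
            if wrong:
                early[round_no] = sorted(wrong)
        return early


# Constructed sample cards; the first follows the guide's own skip-if example.
CONSTRUCTED_CARDS = [
    ProgressionCard(2, "Attacker moves laterally to the backup domain controller.",
                    "management-vlan"),
    ProgressionCard(3, "Attacker exfiltrates the next target dataset.",
                    "exfil-channel"),
    ProgressionCard(4, "Attacker deploys a secondary payload.",
                    "ransomware-binary"),
]


def run_constructed_session():
    """Walk a constructed four-round session and return (cards read, debrief findings)."""
    s = Session(cards=list(CONSTRUCTED_CARDS))
    read_aloud = {}

    # Rounds 1-2 are analysis rounds: nothing is contained yet.
    s.close_round(1, [], ic_contained=[], ic_open=["management-vlan", "exfil-channel"])
    read_aloud[2] = s.situation_update(2)
    s.close_round(2, [], ic_contained=[],
                  ic_open=["management-vlan", "exfil-channel", "ransomware-binary"])

    # Round 3: two actions succeed, but the IC also moves the exfil channel
    # to CONTAINED although no action resolved it.
    read_aloud[3] = s.situation_update(3)
    s.close_round(3, ["management-vlan", "ransomware-binary"],
                  ic_contained=["management-vlan", "ransomware-binary", "exfil-channel"],
                  ic_open=[])

    # Round 4: the secondary-payload card is skipped silently.
    read_aloud[4] = s.situation_update(4)
    return read_aloud, s.moved_too_early()


if __name__ == "__main__":
    cards_read, findings = run_constructed_session()
    for rnd, moves in cards_read.items():
        print(f"Round {rnd} Situation Update:", moves or "(no attacker progression)")
    print("Debrief, moved to CONTAINED too early:", findings)
```
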
Shift Handover – Running It
Setup
Divide the group into two teams: the outgoing team (holding the incident from the start) and the incoming team (who learn about the incident through the handover). The outgoing team receives a pre-read brief and runs Round 1 working through the initial indicators. The incoming team enters the room only for the handover moment.
The IM’s Role During Handover
Stay completely silent. Do not prompt, clarify, or intervene. The gaps in what the outgoing team communicates are the learning. If the outgoing team fails to mention the backup server status, or gets the timeline wrong, or skips the regulatory obligation – those are the debrief findings.
Brief both teams before the session: “The handover is real. Outgoing team: hand over what you know. Incoming team: you are taking over this incident right now.”
What to Observe
Note during the handover:
- What critical facts were not mentioned
- What was stated with more confidence than the evidence supports
- What assumptions the incoming team made without checking
- Whether the IC authority was explicitly transferred or left ambiguous
- Whether anyone on the incoming team asked “what do you still not know?”
These observations drive the debrief.
Debrief Focus
The debrief question specific to this format: “What would have happened if [specific gap in the handover] had occurred in a real incident?” Then: “What structure would have caught that gap – what does a good handover template look like for your organization?”
Specialist Bench – Running It
On-Call Rotation Mechanics
The bench sits apart from the core team and cannot participate in the investigation unless explicitly consulted. Bench members can signal availability (raising a hand, a simple card flag) but cannot speak unless called.
Define consultation mechanics before the session: the core team nominates one person to make consultation requests, the request must name the specialist and the specific question, and bench members give a timed answer (90 seconds maximum). The time limit is important – it prevents the specialist from taking over the investigation.
Prompting Consultation
Many groups will not use the bench without prompting. Light IM prompts work:
- “You have specialists available. Is there a question here that sits outside this team’s expertise?”
- “The bench has [network forensics / regulatory / OT engineering]. Is any of that relevant right now?”
Do not identify specific bench members by name unless the group is clearly stuck.
Debrief Focus
“When did you know you needed to ask for help – and what stopped you from asking earlier?” The debrief should surface the decision to consult, not just what the specialists said. In real incidents, knowing when to escalate to a specialist is a distinct skill from the specialist knowledge itself.
Consensus Under Pressure – Running It
Time Limit Mechanics
Set a visible timer. The deadline should be tight enough to create genuine pressure but not so tight that the group has no time to discuss. For most scenarios: 15-20 minutes for a complex decision, 8-10 minutes for a simpler one.
Announce the consequence before the timer starts: “If you have not reached consensus by [time], [specific consequence – regulator is notified of your failure to act, contract officer proceeds without your input, recovery begins without a decision from this team].” Make the consequence concrete.
Letting Chaos Run
When the group disagrees loudly and time is running, hold back. Productive conflict is the point of this format. Intervene only if:
- The group is repeating the same argument without adding new information
- One voice is completely dominating and others have stopped engaging
- Someone is visibly distressed
A well-facilitated Consensus Under Pressure session should feel slightly uncomfortable. That discomfort reflects real decision-making under time pressure.
Debrief Focus
“How did the group actually make this decision in the end?” Map the power dynamics explicitly. “Who drove the final outcome, and does your organization’s actual decision-making process work that way?”
Fishbowl Rotation – Running It
Observer Assignment
Observers need a specific watching task or they disengage within 5 minutes. Before the first rotation begins, assign each observer a named behavior to watch:
- “Watch how information is shared between the analyst and the communicator”
- “Watch what happens when the team disagrees on what the evidence means”
- “Watch whether the IC asks for clarification or makes assumptions”
One watching task per observer. Write it on a card if possible.
Rotation Timing
Rotate after each artifact tier, or every 15-20 minutes. The rotation brief should be short: “Observers, you are stepping in. The scenario is at [state]. Here are the artifacts in play.” Give the new active group 2-3 minutes to review before picking up where the previous group left off.
Structured Feedback Mechanics
After each rotation, give the outgoing active group 2 minutes to hear from their observers. One observation per observer, specific and behavioral: “I noticed that when [X happened], [person] did [Y].” Not evaluative (“that was a mistake”) – observational (“I noticed the recommendation went to the IC before Bravo had finished their analysis”).
Debrief Focus
“What was different about doing it versus watching it?” This format produces the most insight about professional habits and blind spots. The debrief should spend more time on the observer feedback than the technical analysis.
Large Group Debrief
Large group sessions need more debrief time than standard sessions: 20-25 minutes rather than 10-15. With multiple teams and an IC layer, there is more to surface.
Cross-Format Debrief Questions
These questions work across all five formats:
The information gap question: “At what point in the session did you realize that another team – or another person – had a piece of information you needed? What did that feel like?”
The decision quality question: “Looking back at the IC decisions, which one would you change with the information you now have? What information was missing at the time?”
The real-world connection: “Where in your actual organization does this kind of information gap exist – not in a tabletop, but day to day?” This is where the session connects to real behavior change.
The assumption audit: “What did your team assume to be true that turned out not to be – or that you never actually verified?”
Timing
Open with an individual reflection question before group discussion. “Take 30 seconds and write down the one decision point you most want to revisit.” Starting with a writing prompt prevents the first loud voice from dominating.
Run the cross-team questions first (information gaps, IC decisions), then the real-world connection. The real-world question lands better after participants have already surfaced specific moments from the session.
Close with: “What is one thing you will do differently in the next incident?” Go around the room quickly – one sentence per person, no elaboration. This creates accountability and sends people out with a specific commitment, not just a general feeling that it was useful.
Per-Scenario Debrief Questions
For scenario-specific retrospective questions after the session ends, see the per-scenario large group facilitator guide. Those questions are calibrated to the specific arc and central dilemma of each scenario.
Scenarios with Large Group Support
The following Phase 1 scenarios have full large group materials: 21 tiered artifact cards (Alpha/Bravo/Charlie x 7 rounds), an organizational context document, and a per-scenario facilitator guide.
| Scenario | Setting | Central Dilemma |
|---|---|---|
| LockBit – Hospital Emergency | 750-bed hospital, flu surge | Ransom payment vs. patient safety under a 72-hour data-release deadline |
| WannaCry – Hospital Emergency | Regional hospital, active infections | Killswitch + patch sequencing vs. operational continuity |
| Stuxnet – Manufacturing Deadline | Precision manufacturer, government contract | Halt production to audit vs. ship potentially compromised components |
| Noodle RAT – Biotech Research | Biotech firm, IP theft | Disclose breach and delay trial vs. protect competitive position |
| Winnti – Biotech R&D Espionage | Danish biosolutions firm, active acquisition | Preserve forensic evidence for counterintelligence vs. immediate eradication – and disclose merger data room compromise now or scope it first |
Each scenario card page links directly to the organizational context artifacts and the per-scenario facilitator guide.