Large Group Facilitation Guide
How to Use This Guide
This guide is the detailed operational reference for large group M&M sessions. It covers format selection and general facilitation mechanics that apply regardless of scenario. For scenario-specific content – artifact distribution tables, opening scripts, round-by-round notes, and scenario debrief questions – use the per-scenario large group facilitator guide alongside this one. Chapter 11 covers the rationale and format overview; come here when you need to run the session.
Experienced IMs only. Large group formats require confident multi-team management, comfort with deliberate ambiguity, and the ability to hold back when teams are struggling productively. If this is your first or second session as IM, run a standard 4-6 player format first.
Choosing Your Format
The five large group formats are not interchangeable. The right choice depends on four factors: who is in the room, what they are trying to learn, how much time you have, and how much facilitation experience you can bring.
Multi-Team Coordination is the primary format and the one the tiered artifact sets (Tier 1/2/3 for Alpha, Bravo, Charlie) are designed for. Use it when the learning objective is cross-functional coordination under uncertainty, when the group is drawn from different real-world roles (network, forensics, business), or when you want to surface how information asymmetry affects organizational decision-making. It requires active IM attention throughout and works best at 120-180 minutes. The IC role is the hardest facilitation challenge – see the IC management section below. This is the format to default to for enterprise workshops and IR team exercises.
Shift Handover works when the group can be split into two natural teams by function, seniority, or department. The learning objective is handover quality: what gets lost, what gets assumed, what never gets communicated. It runs effectively at 90-120 minutes. The IM’s job during the actual handover period is to stay completely silent – the gaps in what gets communicated are the learning, and any IM prompt destroys the naturalness of the handover. Use this format when your group has experience with real handovers (CIRT to SOC, day shift to night shift, first responder to recovery team) and can draw on that memory during debrief.
Specialist Bench suits groups where some participants have deep technical expertise and others do not. It splits the room into a core investigating team and an on-call bench of specialists who are consulted by request. The learning objective is delegation and consultation mechanics – knowing when you need help and being willing to ask for it. Run at 90-120 minutes. The IM’s main facilitation challenge is prompting the core team to use the bench; many groups default to solving everything themselves rather than making consultation requests. A light touch – “You have access to the bench – is there anyone there whose expertise you need right now?” – is usually enough.
Consensus Under Pressure produces the most discussion and the most conflict, which is either a feature or a bug depending on your group. The single team must reach a unanimous decision by a hard deadline. The IM controls the deadline and delivers the consequence if it is missed. The learning objective is decision-making governance under time pressure – who leads, who defers, how disagreement gets resolved. Works well at 90 minutes. Do not use this format with a group that lacks psychological safety; forced consensus in an environment where people do not feel safe speaking will produce superficial agreement and resentment, not learning.
Fishbowl Rotation is the most self-running of the five formats. A small active group investigates while the rest observe, then roles rotate. The learning objective is observation and reflection – seeing your own professional behaviors from the outside. It works at 90-120 minutes and requires less IM intervention than Multi-Team Coordination because the observation structure creates its own engagement. Assign observers specific watching tasks: “Watch how information is shared across roles” or “Watch what happens when the team disagrees.” Without a specific watching task, observers disengage.
Time availability:
- 90 minutes: Shift Handover, Specialist Bench, Consensus Under Pressure, Fishbowl (tight)
- 120 minutes: All formats comfortably; Multi-Team Coordination at minimum
- 180 minutes: Multi-Team Coordination with full round depth and proper debrief time
IM experience required:
- Lower demand: Fishbowl Rotation, Specialist Bench
- Moderate demand: Shift Handover, Consensus Under Pressure
- Highest demand: Multi-Team Coordination
Physical Setup
Physical preparation is the difference between an IM who facilitates and an IM who manages. With 15 people in the room, every minute you spend looking for the right card, rereading a laptop screen, or trying to remember which team gets which artifacts is a minute you are not watching the room. The artifacts below are not props – they are operational tools that free your attention.
This section covers what to prepare, how many of each item to bring, and exactly how each item gets used during the session. Items are grouped by how they work together.
Set 1: The Distribution System
The artifact envelopes are the highest-value single item you can prepare. For a Multi-Team Coordination session with 3 teams and 5 rounds, you need 15 envelopes total: 5 rounds × 3 teams. Label each one clearly: “Alpha – Round 1”, “Bravo – Round 1”, “Charlie – Round 1”, then the same for Rounds 2 through 5. Prepare 2 blank spares for unexpected injects.
The night before the session, sort all 21 artifact cards into the correct envelopes and seal them. Stack each team’s set face-up in round order – Round 1 on top, Round 5 at the bottom – and bind the three team stacks with a rubber band or paper clip. Now you have a single physical object per round: pick up the next round’s set of 3 envelopes, walk to each team, hand it over. That is the entirety of your Round 2 artifact release. You do not need to think; you execute.
What the envelopes prevent: handing the wrong team the wrong tier. Accidentally giving Charlie the Alpha forensic log in Round 3 collapses the information asymmetry you spent 40 minutes building. The envelopes also prevent spoilers – a team cannot see what is in the Round 4 envelope, so they cannot skip ahead.
The IM cheat sheet is a single A4 page, laminated. It contains:
- The artifact distribution table: which card goes to which team in which round (two sentences per card, one-phrase summary of key content)
- Round timing targets (e.g., “R1: 20 min, R2-3: 25 min each”)
- 2-3 failure mode triggers per scenario (e.g., “If Charlie votes on ransom before Alpha reports decryptor reliability – prompt: ‘What does the board need from technical before they vote?’”)
- 3-4 IC check-in questions for cross-team briefing
Laminated means it survives coffee. It means you can write on it with a dry-erase marker and wipe it between sessions. During the session, the cheat sheet sits on a clipboard or folded in your back pocket. You glance at it between rounds. You do not open a laptop.
These two items work as a pair. The cheat sheet tells you what is in each envelope and when each one gets released. The envelopes contain the physical artifacts. Without the cheat sheet, you are fumbling to remember which round is which while standing in front of a team. Without the envelopes, you have the knowledge but are still handling loose cards. Together they reduce the distribution moment to a 30-second walk around the room.
Quantity: 15 envelopes + 2 spares (prepared fresh per session). 1 cheat sheet per scenario (laminated, reusable).
Set 2: The Visible Thinking System
A whiteboard or flip chart serves two functions during the session. First, the IC uses it to write their synthesis after each cross-team briefing – not a transcript of what each team said, but their own integrated picture. This matters because when the IC writes it down, the whole room sees their synthesis. Other teams can see what the IC understands and what they missed. Second, the IM can use one corner of the board to track the state of the central dilemma: a running tally like “Board inputs received: 3 / 5” makes the decision threshold visible without the IM needing to say it.
If the venue has no whiteboard, tape two sheets of flip chart paper to the wall before the session starts. The IC should be standing when they brief; standing next to a board they are writing on is the right physical posture for the synthesis role.
Large sticky notes and thick markers, 1 pad and 1 marker per team, let teams build a physical evidence timeline on a wall or table surface. This is most valuable in Fog Lifts scenarios (Stuxnet, Noodle RAT) where the attack happened weeks ago and the investigative challenge is establishing when events occurred relative to each other. A team that has built a timeline on the wall is doing materially better analysis than a team whose timeline exists only in one person’s head. As IM, you can read the state of a team’s thinking from across the room by looking at their sticky note arrangement. A wall with no stickies is a team that is still in the “reading and discussing” phase; a wall with 8 stickies in chronological order is a team that has built a model.
Stickies also become debrief material. “Look at your timeline. When did you place the first indicator? When did you realize the attack predated that?” This only works if the physical record exists.
These two items work together: the whiteboard is the IC’s synthesis surface, the stickies are each team’s evidence surface. The IM can read the entire state of the room – all 3 team analyses plus the IC synthesis – visually, without asking anyone a question. That situational awareness is what allows you to decide whether a team needs a navigation prompt or is fine.
Quantity: 1 whiteboard or 2 sheets of flip chart paper (shared by IC and IM). 1 sticky note pad per team (A5 or larger). 1 thick marker per team.
Set 3: The IC Scaffolding System
Tent cards for team and role identification: with 15 people, you cannot remember who is Alpha Team Lead and neither can the IC. You need 3 “Alpha” cards (one in front of each Alpha player), 3 “Bravo”, 3 “Charlie”, 1 “IC”, plus 5 blanks. That is 15 tent cards minimum; bring 20. Pre-print them – do not handwrite on the day. If you can, print them in team colors (blue/green/red or similar). The IC needs to know who to address during briefings; the IM needs to spot at a glance which team is being circulated to.
The tent cards solve a specific problem at the Cross-Team Briefing moment: the IC turns to each team lead in sequence. If there are no tent cards, the IC has to scan the room and guess. With tent cards, the briefing sequence is visible: IC turns left to Alpha lead, center to Bravo lead, right to Charlie lead. This is faster and feels more structured to the participants.
The IC decision packet is a printable 5-sheet document – one sheet per round. Print it from Session Materials → IC Decision Packet. Each sheet has fields for recording each team’s brief separately, the key tension across teams, your synthesis, and your decision. Staple the 5 sheets together.
Hand this to the IC at the start of the session. Brief them: “After each cross-team briefing, fill in one sheet. You will use this in the debrief.” The packet does two things: it structures the IC’s synthesis in real time (forcing them to note each team separately before integrating), and it produces a debrief artifact. At the end of the session you can ask the IC to read back what they wrote in Round 2 and the room can discuss whether that synthesis was accurate.
These two items work with the whiteboard: tent cards identify who the IC is addressing during the briefing, the decision packet structures what the IC records privately, the whiteboard makes the IC’s synthesis visible publicly. The three items together define the IC role physically and operationally.
Quantity: 20 tent cards (reusable if laminated). 1 IC decision packet per session (print fresh each time, 5 sheets stapled).
Session Management Items
A round transition signal – a small bell, a meeting clapper, anything with a distinct sound – is a simple item that solves a real problem. When 15 people are mid-discussion, “okay let’s move on” does not cut through. A bell does. Ring it once clearly at round end. The room learns the signal after the first round and responds to it automatically by Round 2.
A visible timer keeps rounds honest. Your phone timer works; so does any countdown app projected on screen. If you can project a countdown, the room shares the time pressure, which matters for formats like Consensus Under Pressure. For Multi-Team Coordination, IM-side visibility is sufficient – but you need to actually glance at it. Timer without attention is decoration.
Quantity: 1 bell or clapper (reusable). 1 timer (phone is fine).
Scenario-Specific Items
The red herring resolution card is a small pre-printed card that you hand to the IC at the moment the scenario’s red herring is definitively resolved. For Stuxnet: “ADMIN-WS-012 – All David Reyes sessions confirmed benign. Standard maintenance activity, unrelated to batch anomalies. Thread closed.” For Noodle RAT: “svc.backup activity at 10.10.50.47 – source confirmed as backup server misconfiguration, not implant staging. Thread closed.”
Hand the card over physically rather than making a verbal announcement. A physical handover signals closure in a way that “yeah that was a dead end” does not. The card can be set on the table; teams see it sitting there and do not return to the question. Without this, teams in Fog Lifts scenarios often circle back to the red herring two rounds after it was supposedly resolved.
Quantity: 1 per session (print fresh; scenario-specific).
The ransom demand card (LockBit only) is the ransom note printed as a distinct physical artifact – different paper, ideally slightly larger, set apart from the standard artifact cards. The moment a player physically picks up a ransom demand and reads it is different from reading it on a screen. The physical reality of holding a demand for 40 BTC makes the decision stakes concrete in a way that no amount of IM narration can match.
Quantity: 1 per session (print fresh; LockBit hospital-emergency only).
Quick-Reference: What to Prepare
Night before the session:
- Sort 21 artifact cards into 15 labeled envelopes (3 teams × 5 rounds)
- Stack each team’s 5 envelopes in round order, bind with rubber band
- Print and laminate IM cheat sheet (if not already laminated from previous session)
- Print IC decision packet (5 pages, A4 portrait, staple before handing to IC)
- Print scenario-specific red herring resolution card
- Print ransom demand card if running LockBit
Morning of the session:
- Place tent cards at seats or distribute as players arrive
- Tape flip chart paper to wall (if no whiteboard)
- Set sticky note pad and marker at each team’s table
- Confirm timer is working and visible
- Locate round transition signal
- Keep Round 1 envelopes (3) in hand; store R2-5 stacks out of sight until needed
Multi-Team Coordination – Running It
This is the format the tiered artifact sets are built around. The operational details below apply to any scenario using that artifact structure.
Before the Session
Team assignment. Assign participants to Alpha (Forensics), Bravo (Network/Infrastructure), or Charlie (Business Impact) before they arrive or as they enter. Do not let people self-select – mixed-experience groupings work better than “all the network people on Bravo.” Aim for roughly equal team sizes; 4-5 per team is ideal for a 12-15 player group.
IC selection. The IC (Incident Commander) role requires specific setup. Choose someone who does NOT lead incidents in real life – a senior analyst, a business-side participant, a network engineer. The IC’s challenge is synthesizing across teams, not just amplifying the most confident voice in the room. Brief them privately before the session: “Your job is to listen to what each team tells you, ask questions across teams, and make decisions when they disagree. You are not here to know more than them – you are here to integrate what they know.”
Artifact preparation. Sort all cards by team and tier. Keep them face-down in separate piles labeled by team and tier. You need: Alpha R1 (x2), Bravo R1 (x2), Charlie R1 (x2) ready for Round 1 release. Prepare R2-3 and R4-5 piles but keep them away from the table until release points.
Opening Delivery
The opening sets the scenario premise before any artifacts are turned over. The per-scenario guide provides the scripted opening language. The generic structure is:
- Brief the IC on their role (1 minute, in front of the group)
- Describe the organizational context and the moment the scenario starts (1-2 minutes)
- Hand each team their R1 cards, face-down
- “Turn them over now” – the scenario begins
Do not describe the malware or the attack before cards are turned over. Teams should encounter the scenario through the artifacts, not through IM narration.
The Round Cycle
Each round follows a four-phase cycle:
Situation Update (2-3 minutes). The IM opens the round: “It is now [time]. Here is what has developed since we last met.” Brief factual update. Release new artifacts at this point. Do not interpret the artifacts – hand them over and step back.
Team Analysis (8-12 minutes). Each team works independently on their new artifacts. IM circulates between teams, listening. Do not interject unless a team is completely stuck (see navigation prompts below). The analysis period is where the real work happens; respect it.
Cross-Team Briefing (5-7 minutes). Each team lead gives a 60-90 second brief to the IC. Other teams listen. The IC asks clarifying questions. This is where information asymmetry becomes visible – teams often discover that their picture of the scenario was incomplete.
IC Decision (2-3 minutes). The IC makes a decision or identifies what information is still needed before a decision can be made. The IM may ask: “What do you know, and what do you still need to find out?” IC decisions drive the scenario forward; validate them even if they are not the optimal answer.
Managing the IC
The IC is doing the hardest thing in the room. Common failure modes and how to handle them:
The IC defers to the loudest team. Gently: “You have heard from Alpha and Bravo. What does Charlie say about [the same question]?” Do not let one team dominate the synthesis.
The IC makes a decision before hearing all teams. “Hold that decision – let’s hear from [unheard team] first. That might change what you decide.”
The IC is paralyzed by uncertainty. “What is the minimum you need to know to make a provisional decision? What can Alpha give you in the next two minutes?” Uncertainty is not a reason to defer; provisional decisions with stated conditions are valid.
The IC is repeating back what teams said without synthesizing. “You have heard that Alpha found X and Bravo found Y. Those two things seem to be in tension. How do you think about that?”
Managing Team Leads
Check in with each team lead at the start of Cross-Team Briefing: one quiet question. “What’s the most important thing your team found?” – not to coach them, but to hear what they are prioritizing. If a team is going down a blind alley (chasing a red herring, fixated on a secondary question), a navigation prompt works better than a direct correction:
- “That detail is interesting. Does it change what you would recommend right now?”
- “If you had to brief the IC in 90 seconds, what would you lead with?”
Navigation prompts redirect without giving away the answer.
Timing Management
Running long: Cut the analysis period before cutting the briefing period. The IC synthesis is where the learning crystallizes – protect it. If you need to cut 10 minutes, shorten team analysis from 12 minutes to 8 minutes, not briefing.
Running fast: Add a challenge inject between rounds. “You just received a call from [external party – contract officer, regulator, media]. What does that change?” Injects add pressure without requiring new artifacts.
Round-by-round pacing target: For a 120-minute session with 4 rounds: 20 min / 25 min / 25 min / 20 min, leaving 30 minutes for debrief. For 5 rounds in 180 minutes: 20 / 25 / 25 / 25 / 20, with 25-30 for debrief.
Information Asymmetry
Information asymmetry – each team having a different slice of the picture – is the central mechanic of Multi-Team Coordination. It is designed in, not a bug. Its purpose is to force the IC synthesis moment: only the IC has heard all three briefings, and the IC is the only person who can see the contradiction between what Alpha found and what Charlie believes.
Protect the asymmetry during team analysis. Do not let teams share cards with other teams during the analysis period. The briefing structure is how information crosses team boundaries. If teams are comparing cards outside the briefing, gently: “Keep your analysis within your team for now – the briefing is how you share what you found.”
When designing custom injects or running scenarios not in the standard artifact set, build in at least one asymmetry that the IC alone can resolve. Without a synthesis moment, the IC role is just a note-taker.
Shift Handover – Running It
Setup
Divide the group into two teams: the outgoing team (holding the incident from the start) and the incoming team (who learn about the incident through the handover). The outgoing team receives a pre-read brief and runs Round 1 working through the initial indicators. The incoming team enters the room only for the handover moment.
The IM’s Role During Handover
Stay completely silent. Do not prompt, clarify, or intervene. The gaps in what the outgoing team communicates are the learning. If the outgoing team fails to mention the backup server status, or gets the timeline wrong, or skips the regulatory obligation – those are the debrief findings.
Brief both teams before the session: “The handover is real. Outgoing team: hand over what you know. Incoming team: you are taking over this incident right now.”
What to Observe
Note during the handover:
- What critical facts were not mentioned
- What was stated with more confidence than the evidence supports
- What assumptions the incoming team made without checking
- Whether the IC authority was explicitly transferred or left ambiguous
- Whether anyone on the incoming team asked “what do you still not know?”
These observations drive the debrief.
Debrief Focus
The debrief question specific to this format: “What would have happened if [specific gap in the handover] had been in a real incident?” Then: “What structure would have caught that gap – what does a good handover template look like for your organization?”
Specialist Bench – Running It
On-Call Rotation Mechanics
The bench sits apart from the core team and cannot participate in the investigation unless explicitly consulted. Bench members can signal availability (raising a hand, a simple card flag) but cannot speak unless called.
Define consultation mechanics before the session: the core team nominates one person to make consultation requests, the request must name the specialist and the specific question, and bench members give a timed answer (90 seconds maximum). The time limit is important – it prevents the specialist from taking over the investigation.
Prompting Consultation
Many groups will not use the bench without prompting. Light IM prompts work:
- “You have specialists available. Is there a question here that sits outside this team’s expertise?”
- “The bench has [network forensics / regulatory / OT engineering]. Is any of that relevant right now?”
Do not identify specific bench members by name unless the group is clearly stuck.
Debrief Focus
“When did you know you needed to ask for help – and what stopped you from asking earlier?” The debrief should surface the decision to consult, not just what the specialists said. In real incidents, knowing when to escalate to a specialist is a distinct skill from the specialist knowledge itself.
Consensus Under Pressure – Running It
Time Limit Mechanics
Set a visible timer. The deadline should be tight enough to create genuine pressure but not so tight that the group has no time to discuss. For most scenarios: 15-20 minutes for a complex decision, 8-10 minutes for a simpler one.
Announce the consequence before the timer starts: “If you have not reached consensus by [time], [specific consequence – regulator is notified of your failure to act, contract officer proceeds without your input, recovery begins without a decision from this team].” Make the consequence concrete.
Letting Chaos Run
When the group disagrees loudly and time is running, hold back. Productive conflict is the point of this format. Intervene only if:
- The group is repeating the same argument without adding new information
- One voice is completely dominating and others have stopped engaging
- Someone is visibly distressed
A well-facilitated Consensus Under Pressure session should feel slightly uncomfortable. That discomfort reflects real decision-making under time pressure.
Debrief Focus
“How did the group actually make this decision in the end?” Map the power dynamics explicitly. “Who drove the final outcome, and does your organization’s actual decision-making process work that way?”
Fishbowl Rotation – Running It
Observer Assignment
Observers need a specific watching task or they disengage within 5 minutes. Before the first rotation begins, assign each observer a named behavior to watch:
- “Watch how information is shared between the analyst and the communicator”
- “Watch what happens when the team disagrees on what the evidence means”
- “Watch whether the IC asks for clarification or makes assumptions”
One watching task per observer. Write it on a card if possible.
Rotation Timing
Rotate after each artifact tier, or every 15-20 minutes. The rotation brief should be short: “Observers, you are stepping in. The scenario is at [state]. Here are the artifacts in play.” Give the new active group 2-3 minutes to review before picking up where the previous group left off.
Structured Feedback Mechanics
After each rotation, give the outgoing active group 2 minutes to hear from their observers. One observation per observer, specific and behavioral: “I noticed that when [X happened], [person] did [Y].” Not evaluative (“that was a mistake”) – observational (“I noticed the recommendation went to the IC before Bravo had finished their analysis”).
Debrief Focus
“What was different about doing it versus watching it?” This format produces the most insight about professional habits and blind spots. The debrief should spend more time on the observer feedback than the technical analysis.
Large Group Debrief
Large group sessions need more debrief time than standard sessions: 20-25 minutes rather than 10-15. With multiple teams and an IC layer, there are more layers to surface.
Cross-Format Debrief Questions
These questions work across all five formats:
The information gap question: “At what point in the session did you realize that another team – or another person – had a piece of information you needed? What did that feel like?”
The decision quality question: “Looking back at the IC decisions, which one would you change with the information you now have? What information was missing at the time?”
The real-world connection: “Where in your actual organization does this kind of information gap exist – not in a tabletop, but day to day?” This is where the session connects to real behavior change.
The assumption audit: “What did your team assume to be true that turned out not to be – or that you never actually verified?”
Timing
Open with an individual reflection question before group discussion. “Take 30 seconds and write down the one decision point you most want to revisit.” Starting with a writing prompt prevents the first loud voice from dominating.
Run the cross-team questions first (information gaps, IC decisions), then the real-world connection. The real-world question lands better after participants have already surfaced specific moments from the session.
Close with: “What is one thing you will do differently in the next incident?” Go around the room quickly – one sentence per person, no elaboration. This creates accountability and sends people out with a specific commitment, not just a general feeling that it was useful.
Per-Scenario Debrief Questions
For scenario-specific retrospective questions after the session ends, see the per-scenario large group facilitator guide. Those questions are calibrated to the specific arc and central dilemma of each scenario.
Scenarios with Large Group Support
The following Phase 1 scenarios have full large group materials: 21 tiered artifact cards (Alpha/Bravo/Charlie x 7 rounds), an organizational context document, and a per-scenario facilitator guide.
| Scenario | Setting | Central Dilemma |
|---|---|---|
| LockBit – Hospital Emergency | 750-bed hospital, flu surge | Ransom payment vs. patient safety under a 72-hour data-release deadline |
| WannaCry – Hospital Emergency | Regional hospital, active infections | Killswitch + patch sequencing vs. operational continuity |
| Stuxnet – Manufacturing Deadline | Precision manufacturer, government contract | Halt production to audit vs. ship potentially compromised components |
| Noodle RAT – Biotech Research | Biotech firm, IP theft | Disclose breach and delay trial vs. protect competitive position |
Each scenario card page links directly to the organizational context artifacts and the per-scenario facilitator guide.