Large Group Session Preparation and Execution Guide

Overview

A large group M&M session runs 12-15 participants across three parallel teams (Alpha, Bravo, Charlie), each investigating a different slice of the same incident. An Incident Commander synthesizes findings across teams and makes decisions under information pressure. The session closes with a structured group debrief on coordination, communication, and decision-making.

Running a large group session involves more preparation than a standard 4-6 player session, and uses a set of documents that are shared across the IM, the client contact, and the players. The section below shows how they fit together.

How to Use This Guide

This is a checklist-style walkthrough – not a reference document. Read it once before your first large group session. On subsequent sessions, skim the CRITICAL items and skip OPTIONAL items you already have in hand.

For format selection rationale, IC management tactics, and per-format facilitation mechanics, see the Large Group Facilitation Guide. For scenario-specific opening scripts, round notes, and artifact tables, use the per-scenario large group facilitator guide.

| Document | Purpose | When | Audience |
|---|---|---|---|
| Large Group Facilitation Guide | Format selection, IC management tactics, per-format mechanics | Read once before your first large group session | IM |
| This guide | Chronological execution checklist | Read once; skim CRITICAL items on repeat sessions | IM |
| Large Group Prep Worksheet | Fillable session planning form | 1 week before – use alongside Phase 1 of this guide | IM |
| Per-scenario facilitator guide | Opening script, round notes, Red Flag Dashboard, Envelope Packing Checklist | Day-of reference during the session | IM |
| Session Coordinator Brief | Room setup and logistics for the client contact | Send to client 5-7 days before (Phase 1) | Client contact |
| Intro slides | Player orientation before the scenario-specific slides | Opening of the session (Phase 4) | Players |

Warning

Experienced IMs only. If this is your first or second session as IM, run a standard 4-6 player format first.


Working with Your Client Contact

Large group sessions typically involve a client-side coordinator who handles logistics: booking the room, setting up AV, pre-assigning roles, and sometimes printing materials. That person is not running the session – you are – but their preparation directly affects yours.

Split of responsibilities:

  • You handle: All scenario content, printed materials, facilitation, IC briefing, timing, debrief.
  • Client contact handles: Room booking, table arrangement, whiteboard and markers, and pre-assigning the IC if requested.

Send the email below 5-7 days before the session. Adapt it to your client relationship – some contacts want more context, some want less.

Note

Email template – copy and adapt:

Subject: Preparation checklist – [SCENARIO NAME] session on [DATE]

Hi [NAME],

I’m looking forward to running the session with your team on [DATE]. To make sure everything runs smoothly, I need a few things in place before I arrive.

The session runs in three stages:

  1. Investigation (teams work independently on printed evidence cards – approx. 120-150 min)
  2. Cross-team briefing (teams report findings to an Incident Commander – built into stage 1)
  3. Debrief (structured group reflection – approx. 25 min)

Room requirements (your side to arrange):

  • 1 room large enough for 3 separate tables arranged in a triangle or U-shape, plus space to move between them
  • Minimum 3 tables (one per team) – round or rectangular both work
  • 1 whiteboard or flip chart with markers
  • Projector/screen recommended (for a 10-minute intro presentation). If unavailable, I can deliver the introduction verbally

Teams and roles to assign in advance:

The session uses three specialist teams, each investigating a different aspect of the same incident:

  • Alpha (Forensics): Analyses endpoint artifacts, processes, memory, and timelines. Best for people who do DFIR, malware analysis, or endpoint security.
  • Bravo (Network/Infrastructure): Analyses network traffic, access paths, lateral movement, and infrastructure. Best for SOC analysts, network security, or infrastructure teams.
  • Charlie (Business Impact): Analyses stakeholder impact, regulatory obligations, and operational consequences. Does not require deep technical expertise – best for GRC, legal, business continuity, or management participants. Note: Charlie’s focus is scenario-dependent. For Winnti (Biotech R&D Espionage), Charlie is “Threat Intel & Recovery” – blast radius assessment, GenixLibrary integrity verification, CFCS coordination, and R&D continuity planning. For other scenarios, Charlie remains Business Impact as described above.

Assignment guidance: Mixed-experience teams work better than matching specialties. Putting a forensics expert on Charlie forces them to think about business decisions – that is where the learning happens. Avoid grouping all technical people together. For technical-expert audiences (e.g., a room of experienced IR practitioners), Charlie can be refocused to a technical-strategic role rather than pure business impact – the Winnti scenario demonstrates this approach.

I will need you to designate the following people before the session:

  • 1-2 Incident Commanders (IC) – someone who does NOT lead incidents in their day job; synthesizes across teams. The IC role is about integration, not technical expertise. A senior analyst, a business-side participant, or someone from a different function works well. Some scenarios use a dual-IC format with a mid-session handover – I will confirm whether this session needs 1 or 2 ICs
  • 3 Team Leads (one per team) – can be chosen on the day if preferred
  • Assign remaining participants across the three teams (4-5 per team is ideal for 12-15 players)

One note about your own role: because you have been involved in planning, you already know elements of the scenario participants will be discovering. Consider taking an NPC role instead – I will brief you on a character and a few lines you play during the exercise. It keeps you involved and sidesteps the insider knowledge problem. Entirely your call.

I will handle all printed materials, scenario content, and facilitation.

Please confirm the room is booked and let me know if you have any questions.

[YOUR NAME]

For a printable coordinator brief the client contact can work from independently, see Session Coordinator Brief.


Phase 1: Decide and Prepare

  • Choose scenario and confirm format (Multi-Team Coordination vs. others)
  • Book the room – minimum 1 table per team + 1 IC space; separate tables strongly preferred
  • Read the per-scenario large group facilitator guide end-to-end once
  • Locate the Session Timeline Card at the bottom of the facilitator guide and read it now
  • Complete the Large Group Prep Worksheet to plan team structure, timing, and inject schedule
  • Assign IC and 3 team leads in advance, or plan team assignment logistics for arrival
  • Identify 2-3 NPCs you are likely to need; practice the lines

Room booking note. For Multi-Team Coordination with 12-15 players, book the room from 15-20 minutes before your listed start time. You need that buffer for room setup before participants arrive.

IC selection note. Choose someone who does NOT lead incidents in real life – a senior analyst, a business-side participant, a network engineer. Brief them in advance: “Your job is to synthesize across teams and make decisions when they disagree. You are not expected to know more than the teams – you are expected to integrate what they know.”

Scenario read-through note. The first time you read the facilitator guide, pay attention to the Red Flag Dashboard and Central Dilemma sections. These are the two things you need internalized before the session begins. Everything else can be referenced during the session.


Phase 2: Print and Pack

  • Locate the Envelope Packing Checklist at the bottom of the per-scenario facilitator guide
  • Print all 21 artifact cards (organizational-context.qmd – all tiers)
  • Stuff envelopes per the Envelope Packing Checklist in the per-scenario facilitator guide
  • Print the IC Decision Packet (5 pages, A4 portrait, staple)
  • Print tent cards and the Session Timeline Card from the per-scenario facilitator guide
  • Print threat clock cards (scenario-specific, 5 cards, stack in order face-down)
  • Print pre-built action cards (scenario-specific, 6-8 cards)
  • Print action resolution card (A5 format, laminate if possible – hold in hand during session)
  • Prepare wearable team markers (lanyards with printed badge cards, or colored adhesive name badges)
  • Prepare the Red Flag Dashboard as a laminated IM reference card
  • Write opening delivery on index cards; rehearse the 90-second hook
  • Prepare contingency injects (optional)

Envelope packing note. Once envelopes are stuffed and sealed, stack each team’s set in round order – Round 1 on top, last round at the bottom – and bind with a rubber band or paper clip. You now have a single physical object per team stack. Distribution becomes: pick up the next round’s 3 envelopes, walk to each table, hand it over. That is 30 seconds of execution, no thinking required.

Wearable team markers note. Tent cards identify team membership at the table; they stop working the moment someone stands up. For sessions where participants move – cross-team briefings, whiteboard work, IC circulating between tables – add a wearable marker. Lanyards with a printed badge card (team color background, team name, role) are the cleaner option for enterprise settings. Colored adhesive name badges are faster: one color per team, participants write their own name on arrival, no pre-printing needed. Either works; bring whichever you can prepare. Distribute at the door as participants arrive, before teams are seated.

IC Decision Packet note. Hand the IC Decision Packet to the IC at the start of the session. Brief them: “After each cross-team briefing, fill in one sheet. You will use this in the debrief.”


Phase 3: Room Setup

  • Arrange 3 team tables in a triangle or U-shape; IC position at the gap
  • Place sealed envelopes face-down at each team table, sorted by round, R1 on top
  • Put NPC reference card and Red Flag Dashboard at the IM position
  • Set whiteboard to IC’s right; label 3 columns: ALPHA / BRAVO / CHARLIE
  • Place a timer where teams can see it
  • Set sticky note pad and thick marker at each team’s table
  • Test that all 21 artifact cards are printed clearly – no cutoff text, no faint ink
  • Place round transition signal (bell or clapper) at IM position (optional)

Room Layout

flowchart TB
    WB["WHITEBOARD\nAlpha · Bravo · Charlie"]
    AT["ALPHA TABLE"]
    BT["BRAVO TABLE"]
    CT["CHARLIE TABLE"]
    IC(["IC POSITION"])

    AT & BT --> IC
    IC --> CT

    WB ~~~ AT
    WB ~~~ BT

IM circulates outside the triangle. IM stands near IC during cross-team briefings.

Team separation is deliberate. Teams should not be able to easily see each other’s artifacts during the analysis phase. Information asymmetry – each team holding a different slice of the picture – is the central mechanic of Multi-Team Coordination. The IC position in the gap is also deliberate: the IC must physically move between teams to collect information, which reinforces the synthesis role.

If the room does not allow a triangle, a U-shape with the IC at the open end achieves the same separation. A straight-line arrangement (all teams in a row) does not work – teams on opposite ends will communicate directly and bypass the IC synthesis moment.


Phase 4: Opening

  • Seat teams, distribute tent cards, give a one-sentence format overview
  • Brief the IC privately (or in front of the group): 3-sentence summary of their job
  • Display the Large Group Intro Slides to orient players before switching to scenario-specific slides
  • Read opening delivery from notes – do not improvise the first symptom description
  • Release Round 1 envelopes; start timer

IC briefing language (adapt to scenario): “Your job in Round 1 is synthesis, not decision-making. You will hear three separate threads from three teams. Your task is to find the connection – which thread represents the active situation right now.”

Intro slides note. The intro slides cover the team structure, IC role, round flow, rules, and objective. Show them to the full group before switching to the scenario-specific slide deck. They take approximately 10 minutes. If you are not using dice, skip the dice slide.

Opening delivery note. Read from the per-scenario guide verbatim the first time you run a scenario. The hook is calibrated to give exactly enough context without naming the malmon family or pointing teams at the answer. Improvising risks giving away the Central Dilemma before Round 3.


Phase 5: During the Session

  • Walk the room at T+15; use Red Flag Dashboard to catch early divergence
  • Call cross-team briefing at end of each round regardless of team readiness
  • Do not reveal the Central Dilemma before Round 3
  • When the IC freezes: “What did Bravo tell you? How does that change Alpha’s finding?”
  • When a team is stuck: ask one navigation question from the facilitator guide, then leave
  • When a team is running ahead: direct them to the Discussion Prompts section of the guide (optional)

Timing targets. Typical session: 120-150 minutes plus 25-30 minutes for debrief. Budget 15-25 minutes per round depending on complexity. If running long, cut team analysis time before cutting briefing time – the IC synthesis is where learning crystallizes. Scenarios with IC handover need an additional 8-10 minute handover phase between the two halves.

IC intervention ladder. Use these in order before escalating:

  1. Nothing – silence is often the right intervention. Wait 30 seconds.
  2. “What did [Team X] tell you? How does that change what [Team Y] found?”
  3. “What is the minimum you need to know to make a provisional decision?”
  4. If paralyzed: redirect to the team leads – “Alpha lead, give the IC your top finding in 30 seconds.”

Optional: Dice

Dice are off by default. Add them when you want the IC’s containment or response call to carry mechanical weight – when poor synthesis should have consequences, or when the group would benefit from a moment of genuine uncertainty.

Player-driven action resolution. The standard mechanic is player-driven: the IC proposes a containment action, the facilitator asks which team owns it, the team assesses difficulty, and the facilitator rolls. Players drive the response; dice resolve the outcome. For the full mechanic, see the Player-Driven Action Resolution section in the Large Group Facilitation Guide.

When to roll: Round 3 onwards only. The IC proposes an action and the outcome is genuinely uncertain. Do not roll during team analysis – evidence cards produce fixed outputs.

Modifiers:

| Condition | Modifier |
|---|---|
| Response matches malmon type | +2 |
| Response mismatches malmon type | -2 |
| All 3 teams briefed IC before the call | +1 |
| IC called before all 3 team briefings arrived | -1 |
| All 3 teams reached a shared recommendation | Advantage (roll 2d20, take higher) |
| Time pressure | -1 to -2 (see per-scenario facilitator guide) |

Difficulty: Easy (5+) / Medium (10+) / Hard (15+) – listed in the per-scenario facilitator guide.

Degrees of success:

  • Critical (natural 20, or beat target by 8+): Full success plus one bonus – evidence preserved, containment faster than expected, or a deadline window extended
  • Success (meet or beat target): The call holds
  • Partial (within 3 below target): The call holds but with a complication – time lost, a secondary system affected, or a team finding proves incomplete
  • Failure (4+ below target): The call does not hold – introduce a Red Flag Dashboard inject at the start of the next round

IM-only rolls: Roll a d20 privately at the end of Round 2 and Round 4. Target: 10+. If the roll fails, introduce one item from the Red Flag Dashboard at the start of the next round. Adds unpredictability without any player-side overhead.


Phase 6: Debrief (25 Minutes)

  • Open with 30 seconds of individual reflection before group discussion
  • Use the 5 Debrief Focus questions from the per-scenario guide, in order
  • Spend no more than 5 minutes per question – move on even if discussion is live
  • Ask “who owns fixing this?” before moving to the next question
  • Close with one sentence per person: “One thing I will do differently next week” (optional)

Opening the debrief. Before anyone speaks: “Take 30 seconds and write down the one decision point you most want to revisit.” Starting with a writing prompt prevents the first loud voice from setting the frame for everyone else.

Per-scenario debrief questions. These are at the bottom of the per-scenario facilitator guide, calibrated to the specific arc and Central Dilemma of each scenario. Use those rather than the generic cross-format questions in the Large Group Facilitation Guide – they land better because they are anchored to moments the group actually experienced.


Phase 7: Post-Session IM Self-Review

Capture these notes before leaving the room. They are inputs for your next session.

  • Which Red Flags from the dashboard were triggered, and which were not
  • Which NPC lines you used and whether they landed
  • Timing: which round overran, and which round lost the IC
  • One facilitation decision you would make differently
  • Whether the difficulty level was correctly matched to this group

Why this matters. Large group sessions surface IM habits that standard sessions do not. The IC management moment in Round 3 – when the IC is paralyzed and you decide whether to intervene – is a decision that improves only with reflection. If you leave without capturing it, you make the same call the same way next time.