IM Quick Start Guide


Your Essential One-Page Reference for Running M&M Sessions

New to Malware & Monsters? This is a tabletop role-playing framework where players learn incident response through collaborative storytelling. Instead of lectures or capture-the-flag challenges, they discover cybersecurity concepts by investigating realistic malware scenarios and making consequential decisions. For a complete introduction to the framework and gameplay, see the Players Handbook.

This guide focuses on what you need to facilitate your first session - even if you’ve never played before.

How to Use This Guide

This guide contains everything you might need, organized into three tiers:

🔴 Tier 1: Essential - Read before your first session

🟡 Tier 2: Reference - Consult during prep or gameplay (as needed)

🟢 Tier 3: Advanced - For experienced facilitators (optional)

New facilitators: Read Tier 1 sections in order, then run your first session. Come back to Tier 2 when you need specific information.


Your First Session: 4 Steps

Overwhelmed by this guide? Here’s your path:

  1. Pick a malmon - Choose based on what you want to teach
  2. Pick a scenario - Match your audience’s industry
  3. Simplify it - Dial complexity to your comfort level
  4. Pick a format - Quick Demo (you control) or Full Game (players drive)

Then read the other 🔴 Tier 1 sections and fill in your Session Prep Worksheet.

Everything else in this guide is reference material - come back to it when you need specific information.


Choosing Your Malmon

🔴 Tier 1: Essential - Start with the Threat Type

Each malmon teaches different incident response concepts. Pick based on what you want your players to learn.

| Malmon | Threat Type | Teaches | Good For |
|---|---|---|---|
| GaboonGrabber | Trojan | Social engineering, phishing recognition, credential theft | User awareness, “why we don’t click links” |
| FakeBat | Malvertising | Fake downloads, supply chain trust, user vigilance | Download safety, “legitimate-looking threats” |
| Code Red | Worm | Network propagation, patching importance, containment | Network security, “how threats spread” |
| WannaCry | Ransomware | Encryption impact, backup importance, business continuity | Ransomware response, “why backups matter” |
| LockBit | Ransomware | Double extortion, data theft + encryption | Advanced ransomware, exfiltration risks |
| Poison Ivy | RAT | Persistent access, command & control, stealth | Long-term compromise, detection challenges |

First time facilitating? GaboonGrabber and FakeBat are the most straightforward threat types - social engineering and user-initiated compromise are universally relatable.

Teaching network concepts? Code Red’s worm propagation makes network security tangible.

Ransomware awareness? WannaCry (famous case study) or LockBit (modern techniques).


Choosing Your Scenario

🔴 Tier 1: Essential - Match Your Audience

Each malmon has multiple scenario variants set in different industries. Pick one that resonates with your players.

General guidance:

  • Match industry if possible - Healthcare professionals connect with hospital scenarios; finance folks with banking scenarios
  • Familiar contexts are easier to facilitate - If you know healthcare, hospital scenarios will feel natural
  • Unfamiliar contexts stretch you - But can be simplified (see complexity dial below)

Don’t overthink it - Any scenario works. The organizational context provides color and stakes, but the core learning (threat behavior, response strategies) transfers across industries.


Dialing Complexity to Your Comfort Level

🔴 Tier 1: Essential - You Control the Difficulty

Scenario cards show everything available - the complexity ceiling. You decide how much to use.

Any scenario can be beginner-friendly. Simplify by:

| Complexity Lever | To Simplify | To Enrich |
|---|---|---|
| NPCs | Use 1-2 key characters | Voice all NPCs with distinct personalities |
| Domain details | Skip compliance/regulatory specifics | Include HIPAA, PCI-DSS, industry regulations |
| Stakeholder pressure | Minimal interruptions | Frequent calls, escalating demands |
| Evidence trail | Clear, obvious clues | Add ambiguity, red herrings |
| Org structure | “The IT person and the boss” | Full org chart with politics |
| Technical depth | High-level descriptions | Specific tools, logs, commands |

First session? Start simple:

  • 1-2 NPCs (primary stakeholder + one other)
  • Skip domain-specific compliance details
  • Clear evidence trail (no red herrings)
  • Minimal stakeholder pressure

You can always add complexity next time. It’s easier to enrich a simple session than recover from overwhelming players (or yourself).


Choosing Your Session Format

🔴 Tier 1: Essential - Format Shapes Your Role

Quick Demo and Full Game require different facilitation styles. Neither is “easier” - they’re different.

Format Comparison

| Aspect | Quick Demo (35-40 min) | Full Game (2-3 hours) |
|---|---|---|
| Your role | Director - you control the show | Responder - players drive, you react |
| Pacing | You set it (clues at minute 5, 10, 15) | Players set it (investigate what interests them) |
| Player agency | Limited - choose from options A, B, C | High - creative solutions welcome |
| Improvisation | Low - scripted structure | High - adjudicate unexpected approaches |
| Prep focus | Copy clues and options from card | Know investigation sources and evaluation criteria |

Which Fits Your Style?

Choose Quick Demo if:

  • You want predictable pacing and outcomes
  • You prefer less improvisation, more structure
  • Time is limited (conference slot, lunch session)

But:

  • ⚠️ Requires discipline to hit timing marks
  • ⚠️ Less room for player creativity

Choose Full Game if:

  • You’re comfortable with “yes, and…” improvisation
  • You want players to drive the investigation
  • You have 2+ hours available

But:

  • ⚠️ Pacing can drift - need active time management
  • ⚠️ Players may surprise you

Not sure? Quick Demo gives you more control. Full Game gives players more agency. Pick based on what makes YOU more comfortable, not what seems “easier.”


Your First Prep: From Scenario Card to Session Notes

🔴 Tier 1: Essential - Do This Before Your First Session

Once you’ve read the Tier 1 essentials, fill in your IM Session Prep Worksheet. Here’s exactly how to extract what you need from any scenario card.

The gap most new IMs face: You’ve picked a scenario and read the scenario card. Now what? How do you turn that card into notes you can actually use during your session?

This section bridges that gap with a concrete 5-step workflow. We’ll use GaboonGrabber Healthcare as our running example, but the process works for any scenario.

The 5-Step Scenario Extraction Workflow

Step 1: Extract the Hook

Find: The “Hook” section in your scenario card

Do:

  1. Read the hook once silently
  2. Rewrite the opening line in your own words
  3. Note these four components:
    • Professional context - What organization, what they do
    • Time pressure - Why “now” matters
    • Vulnerability - What created the opening for attack
    • Current symptoms - What players observe at session start

Tip: Practice saying your opening aloud once. If it feels natural, you’re ready.

Step 2: Know Your NPCs

Find: The “NPCs” section in your scenario card

Do:

  1. Identify the primary NPC (usually IT Director or similar) - write down:
    • Name and role
    • What they want (core motivation)
    • One signature phrase that captures their voice
  2. Pick 1-2 secondary NPCs and note their pressure points

Tip: Give each NPC a distinct emotional state. Stressed? Defensive? Demanding? Confused? This makes improvisation easier.

Step 3: Understand the Stakes

Find: The “Stakes” and “Pressure” sections

Do:

  1. Write the business deadline in specific terms
  2. Note why that deadline matters (revenue? compliance? safety?)
  3. Identify 2-3 escalation points (what happens if deadline is missed)

Tip: Stakes drive urgency - your NPCs should remind players of the deadline through their behavior, not just words.

Step 4: Prep Investigation & Response Materials

For Quick Demo (if that’s your first session):

Find: The “Quick Demo Materials” section (Guided Investigation Clues + Pre-Defined Response Options)

Do:

  1. Copy the 3 guided clues with their timing (Minute 5, 10, 15)
  2. Copy the 3 response options (A, B, C) with their type effectiveness
  3. Note which option is “most effective” against this malmon type

For Full Game (once you’re comfortable):

  1. List the available investigation sources from the scenario card
  2. Note type effectiveness reminders for this malmon type
  3. Review the evaluation criteria for adjudicating creative responses

Tip: First sessions should always use Quick Demo format - the guided structure reduces improvisation pressure.

Step 5: Write Your Discovery Questions

Find: The “Essential IM Questions” section in this guide (below)

Do:

  1. Pick 5-7 questions and customize them for your scenario
  2. Replace generic placeholders with specific scenario elements
  3. Write questions that reference your NPCs and stakes by name

Tip: “What would Sarah Chen be thinking right now?” beats “What would the IT Director think?” - specificity creates immersion.

Concrete Example: GaboonGrabber Healthcare Quick Demo

Here’s what prep notes look like for GaboonGrabber Healthcare. This example uses moderate complexity (3 NPCs, healthcare context). The same pattern works for any malmon/scenario - adjust complexity to your comfort level.


SESSION BASICS

  • Format: Quick Demo (35-40 min)
  • Malmon: GaboonGrabber (Trojan type)
  • Variant: Healthcare Implementation Crisis
  • Expected players: 4-6

HOOK (Internalized)

Opening line (my words): “It’s Friday afternoon at MedTech Solutions. Your biggest client implementation goes live Monday morning at St. Mary’s Hospital. But instead of celebrating, your help desk is getting flooded with calls. Computers are running slow. Pop-ups are appearing. And several IT staff mention receiving ‘urgent security update’ emails yesterday evening during the final push. Sarah Chen, your IT Director, looks exhausted and worried. ‘Something’s wrong,’ she says. ‘What do we do?’”

Key components:

  • Professional context: MedTech Solutions, healthcare IT vendor, 200 employees
  • Time pressure: Hospital go-live Monday morning (3 days)
  • Vulnerability: Staff clicked “urgent security updates” during stressful crunch time
  • Current symptoms: Slowdowns, pop-ups, help desk calls

NPCs

Primary: Sarah Chen (IT Director)

  • Wants: To make the deadline without her team getting blamed
  • Core phrase: “My team followed protocol. This isn’t our fault.”
  • Voice: Exhausted, defensive, protective of her team

Secondary: Jennifer Park (COO)

  • Wants: Client satisfaction, no delays
  • Pressure point: “I don’t need excuses. When will this be fixed?”

Secondary: David Kim (Hospital CIO)

  • Wants: Monday go-live, no excuses
  • Pressure point: “We have options. Other vendors.”

STAKES

  • Deadline: Monday go-live (72 hours)
  • Why it matters: $2M annual contract, hospital threatening to cancel
  • Escalation: Hour 2 = hospital status calls, Hour 3 = COO demands answers, Hour 4 = CEO gets involved

INVESTIGATION CLUES (Quick Demo - Present at intervals)

Clue 1 (Minute 5): “You discover an email from ‘Microsoft Security’ with subject ‘CRITICAL UPDATE: Please install immediately.’ It was sent to all IT staff working on the Riverside General project.”

Clue 2 (Minute 10): “Analyzing the email header reveals the sender’s domain is ‘micr0soft-security.com’ - with a zero instead of an ‘o’. It’s a well-crafted phishing attempt.”

Clue 3 (Minute 15): “You find a new process running on several workstations: ‘SecurityUpdate.exe’. It’s communicating with a suspicious IP address located in a foreign country.”


RESPONSE OPTIONS (Quick Demo - Present after clues)

Option A: Isolate & Re-image

  • Action: Take 12 affected workstations offline, wipe, re-install
  • Type effectiveness: Super effective against Trojan types
  • Trade-off: Guarantees removal but takes 24-48 hours (delays go-live)

Option B: Network Segmentation

  • Action: Create isolated VLAN for affected workstations
  • Type effectiveness: Moderately effective (contains but doesn’t remove)
  • Trade-off: Quick to implement, but malware still present

Option C: Block Malicious Domain

  • Action: Add C2 domain to firewall blocklist
  • Type effectiveness: Partially effective (stops communication only)
  • Trade-off: Fastest option, but doesn’t address infected machines

DISCOVERY QUESTIONS (Customized for this scenario)

  1. “What patterns do you notice about when these emails were sent and who received them?”
  2. “What would make IT staff click on security updates during such a stressful period?”
  3. “How might David Kim react if you told him you need to delay Monday’s go-live?”
  4. “What’s the worst case scenario if this malware is still active when the hospital goes live?”
  5. “Which of these response options best addresses the immediate threat vs. the business deadline?”

Using Your Notes During Gameplay

Keep your worksheet visible during the session. Here’s when to reference each section:

  • Hook section: Only during opening - then put it aside
  • NPC section: Whenever players interact with stakeholders
  • Stakes section: When you need to add pressure or escalation
  • Clues section: At the designated time intervals (Quick Demo) or when players investigate relevant sources
  • Response section: After investigation phase, when presenting options
  • Questions section: Whenever players seem stuck or need prompting

Track during gameplay:

  • What clues players have discovered (check them off)
  • Creative solutions they propose (note for debrief)
  • Questions that worked well (reuse next time)

Core Facilitation Philosophy

🔴 Tier 1: Essential - Read Before Your First Session

This section covers the foundational mindset for facilitating M&M sessions.

Remember: You’re creating discoveries, not delivering lectures. Ask questions instead of explaining answers. Let teams struggle productively before offering guidance.

The Golden Rules

  1. You don’t need to know all the answers
    • Your role is to facilitate discovery, not lecture on cybersecurity
    • “I don’t know, let’s find out together” is a perfectly valid response
  2. Discovery beats lectures
    • Players remember what they figure out themselves
    • Ask “What do you notice?” instead of explaining what’s happening
  3. Mistakes are features, not bugs
    • Every player mistake becomes a teaching moment
    • Failed containment attempts reveal how real attacks spread
  4. Uncertainty creates engagement
    • Not knowing if their solution will work keeps players invested
    • Consequences should be meaningful but not punitive
  5. Your players’ ideas are better than yours
    • Players will surprise you with creative approaches
    • Say “yes, and…” instead of “no, but…”

Storytelling with Scenario Cards

🔴 Tier 1: Essential - Read Before Your First Session

This section teaches you how to bring scenario cards to life through simple storytelling techniques.

Don’t worry - you don’t need to be a professional storyteller or cybersecurity expert. The scenario cards do most of the work for you. Your job is to:

  • Read the scenario card aloud
  • Answer player questions using the card’s information
  • Describe what happens when players take actions
  • Keep the story moving forward

That’s it. The rest of this section explains techniques for when you’re ready to level up.


Transform scenario cards into compelling facilitation:

The 5-Minute Storytelling Prep

Scenario cards give you the building blocks - you bring them to life:

  1. Hook Internalization - Rephrase in your own words, practice present-tense delivery
  2. NPC Voice Prep - Give key NPCs distinct personalities and signature phrases
  3. Stakes Translation - Convert abstract stakes to specific human consequences
  4. Secret Planning - Plan how participants will discover organizational vulnerabilities
  5. Opening Practice - Combine hook + pressure + urgency into compelling first 30 seconds

📋 Use the IM Session Prep Worksheet to organize these notes before your session.

Key Storytelling Principles

❌ Don’t:

  • Read the scenario card verbatim (sounds like a script)
  • Explain everything upfront (kills discovery tension)
  • Narrate player actions (removes agency)
  • Make NPCs generic (forgettable characters)
  • Ignore participant expertise (breaks immersion)

✅ Do:

  • Internalize key facts, tell as a living situation
  • Reveal information progressively through investigation
  • Present situations and let participants decide
  • Give each NPC a distinct voice and personality
  • Trust and build on participant knowledge

Opening Delivery Formula

Instead of: “Your organization has been compromised by GaboonGrabber. Begin investigating.”

Use: “It’s 6 AM Monday. Your phone rings. Sarah Chen, IT Director, her voice shaking: ‘St. Mary’s Hospital goes live in three hours. The system is failing. We have surgeries scheduled. What do we do?’”

Why it works:

  • Specific time/place (grounds the story)
  • Present tense (creates immediacy)
  • Human voice (makes it real)
  • Stakes clear (patient safety, career pressure)
  • Ends with question (invites participation)

NPC Characterization Quick Tips

Speak AS the NPC, don’t describe them:

  • Sarah (IT Director): Exhausted, protective, deadline-focused
    • “My team followed protocol. This isn’t our fault.”
  • Jennifer (COO): Business-focused, impatient, doesn’t understand IT
    • “I don’t need excuses. When will this be fixed? Use words I understand.”
  • David (Customer): Threatening, contractually focused
    • “We have options. Other vendors. Is MedTech really the partner we thought you were?”

Progressive Secret Revelation

Don’t info-dump: “The IT team bypassed security protocols due to deadline pressure.”

Reveal through discovery:

  1. Participants investigate recent changes
  2. Logs show “urgent updates” installed yesterday
  3. Sarah confesses during mid-game pressure: “I approved them without security review. We would have missed the deadline…”
  4. Participants realize this created the vulnerability

📖 For comprehensive storytelling guidance with detailed examples, see: Building Compelling Stories with Scenario Cards - Complete guide with before/after examples, common mistakes, and scenario type templates.


How to Start Your Session

🔴 Tier 1: Essential - Read Before Your First Session

This section covers the critical first 15 minutes: getting players settled, roles assigned, and smoothly transitioning into the scenario.

Remember: The opening sets the tone for everything that follows. Take your time here - these 15 minutes are an investment that pays off throughout the session.

The 5-Step Session Opening

Step 1: Welcome and Energy Setting

Your opening script:

“Welcome everyone! I’m [Name] and for the next [timeframe], you’re going to become an incident response team facing a real cybersecurity crisis. This isn’t a lecture - you’ll be the experts solving problems together.”

Read the room:

  • High energy → Move faster, dive into action
  • Low energy → Use more icebreaking, build excitement gradually
  • Nervous energy → Provide reassurance and clear structure

Step 2: Expertise Discovery

Discovery script:

“Let’s go around quickly - first name and one thing you know about computers or cybersecurity. This could be work experience, personal projects, something you’ve read, or just common sense.”

What you’re doing:

  • Building rapport and psychological safety
  • Assessing expertise levels for role assignments
  • Identifying who can contribute what knowledge
  • Making everyone feel valued from the start

Time management: 30-45 seconds per person maximum. Gently redirect if anyone goes long.

Your responses:

  • “I work in IT support” → “Perfect - you see problems first-hand”
  • “I’m curious about cybersecurity” → “Curiosity and fresh thinking are incredibly valuable”
  • “I handle compliance” → “Essential perspective - business impact matters”

Step 3: Role Assignment

Assignment script:

“Based on what you’ve shared, I’ll suggest roles for our incident response team. Feel free to speak up if you’d prefer something different.”

Assignment logic:

  • IT/Technical background → Detective or Protector
  • Network/Infrastructure → Tracker
  • Business/Management → Communicator
  • Security experience → Crisis Manager
  • Analytical mindset → Threat Hunter

Quick role explanations:

  • 🔍 Detective: “You find clues and analyze evidence”
  • 🛡️ Protector: “You secure systems and stop threats”
  • 📡 Tracker: “You follow data flows and monitor networks”
  • 👥 Communicator: “You handle stakeholders and coordinate response”
  • Crisis Manager: “You manage the overall incident response”
  • 🎯 Threat Hunter: “You proactively search for hidden threats”

Group confirmation: “Any adjustments to these assignments?”

Step 4: Character Development

Character creation prompt:

“Now develop your character around your real name and role. Think about:”

  • “What’s your work obsession or quirk?”
  • “Why do you care about protecting this organization?”
  • “What would devastate you if it were compromised?”

Your facilitation during this time:

  • Move around the room - be available for quiet consultation
  • Encourage fun: “Lean into the stereotypes - they’re based in truth”
  • Provide prompts for stuck participants
  • Time warning at 1 minute remaining

Step 5: In-Character Introductions

Transition to action:

“The emergency alarm just went off. You’re all rushing to the situation room. Introduce yourselves as your characters - 30 seconds each.”

What this accomplishes:

  • Shifts from “learning exercise” to “we’re in this together”
  • Creates fun and laughter to break remaining ice
  • Makes roles feel real and personal
  • Sets stage for scenario hook

Your responses build energy:

  • “I love the protective instinct, Marcus”
  • “Sarah, your pattern recognition is exactly what we need”

Materials and Setup Checklist

Before players arrive:

Smooth transition to gameplay:

After introductions, seamlessly deliver your scenario hook (from “Storytelling with Scenario Cards” section). The opening script leads directly into your prepared hook delivery.

Common Opening Pitfalls to Avoid

❌ Don’t:

  • Rush through introductions to “get to the game faster”
  • Skip expertise discovery (you need this information)
  • Assign roles without player input or confirmation
  • Read role descriptions verbatim from handbook
  • Make people feel judged for their experience level

✅ Do:

  • Take the full 15 minutes - it’s worth it
  • Use expertise discovery to inform role assignments
  • Give players agency in their role selection
  • Explain roles conversationally in your own words
  • Celebrate diverse experience levels as team strengths

📖 For complete opening guidance with detailed examples:

Running Sessions - The Opening: Foundation for Success


Session Structure at a Glance

🔴 Tier 1: Essential - Read Before Your First Session

This section explains the different session formats and helps you choose which one to run.

Quick Demo (35-40 min)

  • Rounds: 1 round, 1 action per player
  • Investigation: Guided (present clues on timeline)
  • Response: Pre-defined (offer 2-3 clear options)
  • Best for: Conference demos, quick introductions, evaluation sessions
  • 📋 Planning Template: Quick Demo Session Template

Lunch & Learn (60-75 min)

  • Rounds: 2 rounds, 1-2 actions per player
  • Investigation: Guided with some player choice
  • Response: Mix of pre-defined and creative approaches
  • Best for: Regular training sessions, team onboarding
  • 📋 Planning Template: Lunch & Learn Session Template

Full Game (120-140 min)

  • Rounds: 3 rounds, 2 actions per player
  • Investigation: Open (players choose paths)
  • Response: Creative (players develop strategies)
  • Best for: Comprehensive training, dedicated workshops
  • 📋 Planning Template: Full Game Session Template

Advanced Challenge (180+ min)

  • Rounds: 4+ rounds, 2 actions per player
  • Investigation: Complex multi-threaded
  • Response: Innovative solutions required
  • Best for: Expert teams, marathon sessions, competitions
  • 📋 Planning Template: Advanced Challenge Session Template

Quick Demo Materials: Where to Find What You Need

🟡 Tier 2: Reference - Consult when preparing for your Quick Demo session.

For Quick Demo sessions (35-40 min), you need two key materials:

1. Guided Investigation Clues

What: Time-based evidence to present at 5-minute intervals
Format: “Clue 1 (Minute 5): [specific evidence]”

Where to find:

  • Scenario cards with “Guided Investigation Clues” section: Present clues directly (GaboonGrabber, WannaCry, Code Red historical)
  • Other scenario cards: Use “Detective Investigation Leads” from scenario planning document, simplify to 3 key clues

Example extraction: From planning doc’s “Detective Investigation Leads,” select the 3 most obvious pieces of evidence and present them at minutes 5, 10, and 15.

2. Pre-Defined Response Options

What: 2-3 ready-to-present choices with Action/Pros/Cons/Type Effectiveness
Format: “Option A: [Name] - Action/Pros/Cons/Type Effectiveness”

Where to find:

  • Scenario cards with “Pre-Defined Response Options” section: Present Options A, B, C directly (GaboonGrabber, WannaCry, Code Red historical)
  • Other scenario cards: Extract from planning document’s “Type-Effective Approaches” section (Section 6):
    1. Select the most effective approach (super-effective vs malmon type)
    2. Select one moderately effective approach
    3. Select one less effective but commonly attempted approach
    4. Simplify each to Action/Pros/Cons format

Quick extraction template:

Option A: [Approach Name]
- Action: [One sentence what to do]
- Pros: [Main benefit]
- Cons: [Key trade-off]
- Type Effectiveness: [Against malmon type]

Example: For a Trojan-type malmon without pre-defined options:

  • Option A: Deploy behavioral monitoring (Super effective - detects runtime behavior)
  • Option B: Network segmentation (Moderately effective - contains spread)
  • Option C: Signature-based scanning (Least effective - evades detection)

Quick Reference by Scenario

Complete materials available:

  • GaboonGrabber (all variants) - scenario card has both sections
  • WannaCry - Hospital Emergency - scenario card has both sections
  • Code Red - Historical Foundation - scenario card has both sections

Extract from planning docs:

  • All other scenarios - use planning document Sections 5 (Investigation Timeline) and 6 (Response Options)

📖 See also: Game Configuration Guide for detailed format customization

Session Format Materials Reference

🟡 Tier 2: Reference - Consult When Comparing Formats

This section provides detailed comparison of what materials each format requires.

All four session formats now have comprehensive prep checklists. Choose your format based on available prep time and session goals:

| Format | Investigation Materials | Response Materials | Prep Time | Best For |
|---|---|---|---|---|
| Quick Demo (35-40 min) | 3 Guided Clues (sequenced timeline) | 2-3 Pre-defined Options | 15-20 min | Conferences, quick introductions, evaluation sessions |
| Lunch & Learn (75-90 min) | 6-9 Guided Clues across 2 rounds | Pre-defined Options per round | 20-30 min | Department training, team building, regular security awareness |
| Full Game (120-140 min) | Investigation Sources Catalog (player chooses) | Response Evaluation Criteria (adjudicate creative solutions) | 25-35 min | Comprehensive workshops, dedicated skill development |
| Advanced Challenge (150-170 min) | Sources + Subtle Evidence + Red Herrings | Evaluation + Innovation Requirements | 40-50 min | Experienced teams, competitive events, professional validation |

Format Selection Guide

Choose Quick Demo or Lunch & Learn when:

  • You want guided structure (IM presents clues on timeline)
  • Time is limited or audience is newer
  • You need predictable pacing and clear learning outcomes
  • Materials: Sequenced clues + Pre-defined response options

Choose Full Game or Advanced Challenge when:

  • You want player-driven investigation (players choose what to investigate)
  • Team has experience and can handle open exploration
  • Learning goals include critical thinking and creative problem-solving
  • Materials: Investigation catalog + Evaluation criteria (not pre-defined options)

Detailed Prep Checklists

Each template now includes comprehensive preparation guidance:

Each template’s prep checklist provides:

  • Specific materials needed for that format
  • Where to find materials (scenario cards vs planning docs)
  • Session flow guidance
  • Format-specific facilitation techniques

The Core Game Loop

🔴 Tier 1: Essential - Read Before Your First Session

This section describes the fundamental 4-step pattern that every M&M round follows.

Every round follows this pattern:

  1. Present Situation (2-3 min)
    • Describe current symptoms and evidence
    • Introduce new complications or developments
    • Set the stakes for this round
  2. Player Actions (15-30 min depending on format)
    • Each player declares their action for this round
    • Resolve actions using appropriate mechanics
    • Reveal new information based on actions
  3. Evolution & Escalation (2-3 min)
    • Malmon adapts or threat escalates
    • Introduce next challenge or complication
    • Set up next round’s situation
  4. Debrief (5-20 min after final round)
    • Reflect on decisions and discoveries
    • Connect game events to real-world concepts
    • Document lessons learned in MalDex

Essential IM Questions

🔴 Tier 1: Essential - Read Before Your First Session

This section provides ready-to-use questions that facilitate discovery without lecturing.

Use these to guide without telling:

Discovery Phase

  • “What patterns do you notice in these symptoms?”
  • “What would worry you most about this evidence?”
  • “How might you investigate what happened here?”
  • “What kind of threat shows these characteristics?”

Investigation Phase

  • “What does this evidence tell you about the attacker’s goals?”
  • “How would you determine the scope of compromise?”
  • “What additional information would help you decide next steps?”
  • “Which role’s perspective would be most valuable here?”

Response Phase

  • “Given this is a [Type] threat, what approaches might work well?”
  • “How do you balance speed with thoroughness?”
  • “What coordination is needed between your roles?”
  • “What could go wrong with this approach?”

Stuck or Struggling

  • “What would you try with unlimited resources and time?”
  • “What’s your gut instinct about what’s happening?”
  • “If you had to make a decision right now, what would it be?”
  • “How might [specific role] see this situation differently?”

Dice Mechanics Quick Reference

🔴 Tier 1: Essential - Read Before Your First Session

This section provides the core game mechanics you need to adjudicate player actions.

When players need to roll dice, use these target numbers:

Target Numbers

  • Easy (5+): ~95% success - Standard procedures with appropriate tools
  • Medium (10+): ~70% success - Complex analysis or coordination under pressure
  • Hard (15+): ~40% success - Novel techniques or high-stakes decisions

Common Modifiers

Add these bonuses to player rolls:

  • Role Expertise: +2 when action aligns with role specialization, -1 when misaligned
  • Type Effectiveness: +2 when using super effective approaches, -2 when ineffective
  • Collaboration: +1 per player assisting (max +3), or use advantage (roll 2d20, take higher) - see Chapter 9
  • Environment: +2 with strong security posture, -2 with significant obstacles
  • Time Pressure: -1 to -3 when responding under crisis conditions
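To see how the modifiers above move the odds before you adjudicate a roll, here is an added worked example (not part of the M&M rules text or any official tool). It assumes a single d20 roll, inferred from the "roll 2d20, take higher" advantage rule, with no special handling of natural 1s or 20s; the names RollContext and success_chance are hypothetical.

```python
from dataclasses import dataclass
from fractions import Fraction

DIE_SIDES = 20  # assumption: d20, inferred from "roll 2d20, take higher"
TARGETS = {"Easy": 5, "Medium": 10, "Hard": 15}  # target numbers from the guide

# Values each modifier may take, as listed under "Common Modifiers".
ALLOWED = {
    "role_expertise": (2, 0, -1),       # aligned / neutral / misaligned
    "type_effectiveness": (2, 0, -2),   # super effective / neutral / ineffective
    "environment": (2, 0, -2),          # strong posture / neutral / obstacles
    "time_pressure": (0, -1, -2, -3),   # none, or -1 to -3 under crisis
}


@dataclass(frozen=True)
class RollContext:
    """One player's situation for a single roll (hypothetical helper)."""
    role_expertise: int = 0
    type_effectiveness: int = 0
    assisting_players: int = 0   # +1 each, capped at +3
    environment: int = 0
    time_pressure: int = 0
    advantage: bool = False      # used instead of the collaboration bonus

    def net_modifier(self) -> int:
        for name, values in ALLOWED.items():
            value = getattr(self, name)
            if value not in values:
                raise ValueError(f"{name}={value} is outside {values}")
        if self.assisting_players < 0:
            raise ValueError("assisting_players cannot be negative")
        # The guide offers +1 per helper OR advantage, so never stack both.
        collaboration = 0 if self.advantage else min(self.assisting_players, 3)
        return (self.role_expertise + self.type_effectiveness
                + collaboration + self.environment + self.time_pressure)


def success_chance(target: int, ctx: RollContext = RollContext()) -> Fraction:
    """Exact probability that roll + modifiers meets or beats the target."""
    mod = ctx.net_modifier()
    hits = sum(1 for face in range(1, DIE_SIDES + 1) if face + mod >= target)
    single = Fraction(hits, DIE_SIDES)
    if ctx.advantage:
        # Two dice, keep the higher: fails only if both dice fail.
        return 1 - (1 - single) ** 2
    return single


def odds_table(ctx: RollContext = RollContext()) -> dict:
    """Success chance for each named difficulty under one context."""
    return {name: success_chance(tn, ctx) for name, tn in TARGETS.items()}


if __name__ == "__main__":
    cases = {
        "unmodified roll": RollContext(),
        "role +2, type +2, time pressure -1": RollContext(
            role_expertise=2, type_effectiveness=2, time_pressure=-1),
        "three helpers (+3)": RollContext(assisting_players=3),
        "advantage instead of +3": RollContext(advantage=True),
    }
    for label, ctx in cases.items():
        row = ", ".join(f"{name} {float(p):.0%}"
                        for name, p in odds_table(ctx).items())
        print(f"{label:38s} {row}")
```

Under the d20 assumption, the guide's approximate success rates line up with a net modifier of about +3 rather than an unmodified roll, and advantage comes out slightly ahead of the capped +3 collaboration bonus at all three target numbers.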

Automatic Success (No Roll Needed)

Grant automatic success when players demonstrate:

  • Clear expertise with appropriate cybersecurity knowledge
  • Well-coordinated team efforts with logical planning
  • Creative approaches that directly address threat vulnerabilities
  • Standard procedures with proper tools and understanding

For detailed modifier system and examples: See IM Handbook Chapter 9
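
The exact odds behind these target numbers and modifiers, as an added example that is not part of the original guide: it sums a roll's modifiers and computes the d20 success chance, with or without advantage. It assumes modifiers stack additively, that a natural 1 or 20 has no special effect, and that advantage is used instead of the collaboration bonus; the function names are hypothetical.

```python
from fractions import Fraction

# Target numbers and modifier values as listed in the guide.
TARGETS = {"easy": 5, "medium": 10, "hard": 15}
ALLOWED = {
    "role": {-1, 0, 2},
    "type_eff": {-2, 0, 2},
    "environment": {-2, 0, 2},
    "time_pressure": {-3, -2, -1, 0},
}


def net_modifier(assistants=0, **mods):
    """Sum the modifiers for one roll; collaboration is +1 per helper, capped at +3."""
    if assistants < 0:
        raise ValueError("assistants cannot be negative")
    total = min(assistants, 3)
    for name, value in mods.items():
        if name not in ALLOWED or value not in ALLOWED[name]:
            raise ValueError(f"{name}={value} is not a modifier value from the guide")
        total += value
    return total


def success_chance(target, modifier=0, advantage=False):
    """Exact chance that d20 + modifier >= target (assumed: no natural 1/20 rule)."""
    # Lowest die face that still succeeds, clamped to 1..21 (21 = cannot succeed).
    lowest_face = max(1, min(21, target - modifier))
    p = Fraction(21 - lowest_face, 20)
    if advantage:
        # Roll 2d20 and keep the higher: the check fails only if both dice fail.
        p = 1 - (1 - p) ** 2
    return p


def odds_table(modifier=0, advantage=False):
    """Success percentage for each named difficulty."""
    return {name: float(success_chance(t, modifier, advantage) * 100)
            for name, t in TARGETS.items()}


if __name__ == "__main__":
    # Constructed case: aligned role, ineffective approach, four helpers, mild crisis.
    mod = net_modifier(assistants=4, role=2, type_eff=-2, time_pressure=-1)
    print("net modifier:", mod)
    print("with modifier:", odds_table(mod))
    print("advantage instead of helpers:", odds_table(mod - 3, advantage=True))
```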

Type Effectiveness Quick Reference

🟡 Tier 2: Reference - Consult when players ask about type matchups.

Guide teams toward type-appropriate strategies:

| Threat Type | Most Effective | Moderately Effective | Least Effective |
|---|---|---|---|
| Trojan | Behavioral Analysis, User Education | System Restoration | Signature Detection |
| Worm | Network Segmentation, Patch Management | Traffic Analysis | Endpoint Isolation |
| Ransomware | Backup Restoration, Payment Prevention | Network Isolation | File Recovery |
| RAT | Network Monitoring, C2 Blocking | Behavioral Analysis | Process Termination |
| Phishing | User Education, Email Filtering | Link Analysis | Content Inspection |

Common Scenarios by Difficulty

🟡 Tier 2: Reference - Consult when choosing which scenario to run.

Beginner-Friendly (Tier 1)

  • GaboonGrabber (Trojan) - Social engineering basics
  • Code Red (Worm) - Network propagation fundamentals
  • WannaCry (Ransomware) - Encryption and recovery basics
  • FakeBat (Malvertising) - User interaction and web threats

Intermediate (Tier 2)

  • LockBit (Ransomware) - Multi-stage attacks
  • Raspberry Robin (Worm) - Advanced propagation
  • Poison Ivy (RAT) - Command and control persistence
  • Wire Lurker (Trojan) - Cross-platform threats

Advanced (Tier 3)

  • Stuxnet (Worm) - APT and targeted attacks
  • Ghost RAT (RAT) - Sophisticated evasion
  • Litter Drifter (Worm) - State-sponsored threats
  • Noodle RAT (RAT) - Advanced persistent threats

Pacing Tips

🟡 Tier 2: Reference - Consult During Gameplay

These tips help you maintain momentum and engagement during live sessions.

Keep sessions engaging:

  • Set clear time expectations - Players plan better with known constraints
  • Use timers judiciously - Add pressure for experienced groups only
  • Watch for analysis paralysis - Prompt decisions when teams overthink
  • Balance air time - Quiet players often have valuable insights
  • Trust the process - Productive struggle is learning in action

Troubleshooting Common Issues

🟡 Tier 2: Reference - Consult when facing facilitation challenges during gameplay.

“Players focus too much on technical minutiae”

“Great analysis - how does this inform your team’s next steps?”

“One role dominates investigation”

“How might [other role]’s perspective differ from yours?”

“Team completely stuck”

“What would you guess is happening, even without perfect evidence?”

“Players want to skip straight to response”

“What would happen if you responded without understanding the threat?”

“Session running over time”

“Let’s fast-forward to the critical decision point…”

“Players create a solution not in your notes”

“That’s creative - let’s see how effective that approach would be…” (Use type effectiveness)

Quick Configuration Checklist

🟡 Tier 2: Reference - Consult when planning a new session.

Before each session, decide:

Materials to Have Ready

🟡 Tier 2: Reference - Consult when gathering materials before your session.

Essential for every session:

  • IM Session Prep Worksheet - Keep filled copy during session
  • Scenario card for chosen Malmon and variant
  • Malmon detail page for type effectiveness reference
  • Role cards for each player
  • Success mechanic tools (dice/cards if using)
  • Timer (if using turn timers)
  • Debrief discussion prompts
  • MalDex access for documentation

Optional but helpful:

  • Pre-printed NPC reference cards
  • Evidence inventory worksheet
  • Network diagram for complex scenarios
  • Badge tracking sheet
  • Type effectiveness chart

Quick Wins for First-Time IMs

🟡 Tier 2: Reference - Practical Tips for Your First Few Sessions

Concrete approaches to build confidence when you’re just starting out.

Build confidence with these approaches:

  1. Start with Quick Demo format - Guided structure reduces improvisation
  2. Use GaboonGrabber or Code Red - Well-documented beginner scenarios
  3. Prepare 3-5 guiding questions per round - Helps maintain momentum
  4. Accept player creativity - “Yes, and…” leads to the best moments
  5. Debrief thoroughly - Where the real learning happens
  6. Document your sessions - Build a personal IM reference library

Using Scenario Slides

🟢 Tier 3: Advanced - For experienced facilitators using presentation mode.

Interactive RevealJS presentations for guided sessions

Scenario slides provide a structured, visual way to present M&M scenarios during live sessions. Each scenario includes both player-visible content and IM-only reference materials.

Accessing Scenario Slides

Tier 1 (Beginner) Scenarios:

Tier 2 (Intermediate) Scenarios: Coming soon

Tier 3 (Advanced) Scenarios: Coming soon

Player-Safe Mode (P Key)

Critical for live presentations:

  • Press ‘P’ to toggle between Full IM Mode and Player-Safe Mode
  • Player-Safe Mode hides IM-only slides to prevent accidental spoilers
  • Full IM Mode shows all slides including facilitation notes and answers
  • Visual indicator in top-right corner shows current mode
  • Always start in Player-Safe Mode when presenting to players

Session State Tracking

Built-in tools for tracking progress:

  • Checkboxes - Track discovered clues and evidence (auto-saved)
  • Scratchpad - Take notes during the session (auto-saved to browser)
  • Persistent storage - State saved per-scenario using localStorage
  • Export/Import - Save session state to continue later

Slide Controls

Essential keyboard shortcuts:

  • Arrow keys - Navigate forward/backward through slides
  • P key - Toggle Player-Safe Mode (hides IM-only content)
  • T key - Toggle light/dark theme
  • H key - Open resource navigation menu
  • ESC - Exit full screen or close menus
  • F key - Enter full screen mode

Content Organization

Each scenario includes:

  • Player-visible slides (marked data-visibility="player")
    • Scenario introduction and setup
    • Initial evidence and symptoms
    • Investigation guidance
    • Response options and outcomes
  • IM-only slides (marked data-visibility="im-only")
    • Facilitation notes and timing guides
    • Answer keys and hidden information
    • Type effectiveness reminders
    • Debrief discussion prompts

Best Practices

Make the most of scenario slides:

  1. Test before presenting - Navigate through slides in Full IM Mode first
  2. Start in Player-Safe Mode - Prevent accidental reveals
  3. Use scratchpad for notes - Track player theories and decisions
  4. Check discovered clues - Mark evidence as players find it
  5. Toggle mode strategically - Switch to Full IM Mode during breaks for reference
  6. Export state after session - Save progress for documentation

Troubleshooting

Common issues and solutions:

  • Slides not loading? Ensure JavaScript is enabled in your browser
  • Lost session state? Check localStorage isn’t blocked; export state regularly
  • Wrong mode showing? Press ‘P’ to toggle Player-Safe Mode
  • Can’t see IM notes? Make sure you’re in Full IM Mode (eye icon visible)

Remember

You’re not here to:

  • Demonstrate your expertise
  • Stump players with complexity
  • Follow a rigid script
  • Have all the answers

You’re here to:

  • Create engaging learning experiences
  • Facilitate team discovery and collaboration
  • Guide productive struggle
  • Make cybersecurity education collaborative and fun

For comprehensive guidance, see: