IM Quick Start Guide

Your Essential One-Page Reference for Running M&M Sessions

Core Facilitation Philosophy

Remember: You’re creating discoveries, not delivering lectures. Ask questions instead of explaining answers. Let teams struggle productively before offering guidance.

The Golden Rules

  1. “Yes, and…” approach - Build on player ideas rather than blocking them
  2. Fail forward - Turn mistakes into learning opportunities and plot advancement
  3. Role spotlight - Ensure each role contributes meaningfully each round
  4. Type-driven strategy - Guide teams toward type-effective approaches
  5. Collaborative discovery - Teams learn more from finding answers together

Storytelling with Scenario Cards

Transform scenario cards into compelling facilitation:

The 5-Minute Storytelling Prep

Scenario cards give you the building blocks - you bring them to life:

  1. Hook Internalization (1 min) - Rephrase in your own words, practice present-tense delivery
  2. NPC Voice Prep (1 min) - Give key NPCs distinct personalities and signature phrases
  3. Stakes Translation (1 min) - Convert abstract stakes to specific human consequences
  4. Secret Planning (1 min) - Plan how participants will discover organizational vulnerabilities
  5. Opening Practice (1 min) - Combine hook + pressure + urgency into compelling first 30 seconds

Key Storytelling Principles

❌ Don’t:

  • Read the scenario card verbatim (sounds like a script)
  • Explain everything upfront (kills discovery tension)
  • Narrate player actions (removes agency)
  • Make NPCs generic (forgettable characters)
  • Ignore participant expertise (breaks immersion)

✅ Do:

  • Internalize key facts, tell as a living situation
  • Reveal information progressively through investigation
  • Present situations and let participants decide
  • Give each NPC a distinct voice and personality
  • Trust and build on participant knowledge

Opening Delivery Formula

Instead of: “Your organization has been compromised by GaboonGrabber. Begin investigating.”

Use: “It’s 6 AM Monday. Your phone rings. Sarah Chen, IT Director, her voice shaking: ‘St. Mary’s Hospital goes live in three hours. The system is failing. We have surgeries scheduled. What do we do?’”

Why it works:

  • Specific time/place (grounds the story)
  • Present tense (creates immediacy)
  • Human voice (makes it real)
  • Stakes clear (patient safety, career pressure)
  • Ends with question (invites participation)

NPC Characterization Quick Tips

Speak AS the NPC, don’t describe them:

  • Sarah (IT Director): Exhausted, protective, deadline-focused
    • “My team followed protocol. This isn’t our fault.”
  • Jennifer (COO): Business-focused, impatient, doesn’t understand IT
    • “I don’t need excuses. When will this be fixed? Use words I understand.”
  • David (Customer): Threatening, contractually focused
    • “We have options. Other vendors. Is MedTech really the partner we thought you were?”

Progressive Secret Revelation

Don’t info-dump: “The IT team bypassed security protocols due to deadline pressure.”

Reveal through discovery:

  1. Participants investigate recent changes
  2. Logs show “urgent updates” installed yesterday
  3. Sarah confesses during mid-game pressure: “I approved them without security review. We would have missed the deadline…”
  4. Participants realize this created the vulnerability

📖 For comprehensive storytelling guidance with detailed examples, see: Building Compelling Stories with Scenario Cards - Complete guide with before/after examples, common mistakes, and scenario type templates.


Session Structure at a Glance

Quick Demo (35-40 min)

  • Rounds: 1 round, 1 action per player
  • Investigation: Guided (present clues on timeline)
  • Response: Pre-defined (offer 2-3 clear options)
  • Best for: Conference demos, quick introductions, evaluation sessions
  • 📋 Planning Template: Quick Demo Session Template

Lunch & Learn (60-75 min)

  • Rounds: 2 rounds, 1-2 actions per player
  • Investigation: Guided with some player choice
  • Response: Mix of pre-defined and creative approaches
  • Best for: Regular training sessions, team onboarding
  • 📋 Planning Template: Lunch & Learn Session Template

Full Game (120-140 min)

  • Rounds: 3 rounds, 2 actions per player
  • Investigation: Open (players choose paths)
  • Response: Creative (players develop strategies)
  • Best for: Comprehensive training, dedicated workshops
  • 📋 Planning Template: Full Game Session Template

Advanced Challenge (180+ min)

  • Rounds: 4+ rounds, 2 actions per player
  • Investigation: Complex multi-threaded
  • Response: Innovative solutions required
  • Best for: Expert teams, marathon sessions, competitions
  • 📋 Planning Template: Advanced Challenge Session Template

Quick Demo Materials: Where to Find What You Need

For Quick Demo sessions (35-40 min), you need two key materials:

1. Guided Investigation Clues

What: Time-based evidence to present at 5-minute intervals
Format: “Clue 1 (Minute 5): [specific evidence]”

Where to find:

  • Scenario cards with “Guided Investigation Clues” section: Present clues directly (GaboonGrabber, WannaCry, Code Red historical)
  • Other scenario cards: Use “Detective Investigation Leads” from scenario planning document, simplify to 3 key clues

Example extraction: From planning doc’s “Detective Investigation Leads,” select the 3 most obvious pieces of evidence and present them at minutes 5, 10, and 15.

2. Pre-Defined Response Options

What: 2-3 ready-to-present choices with Action/Pros/Cons/Type Effectiveness
Format: “Option A: [Name] - Action/Pros/Cons/Type Effectiveness”

Where to find:

  • Scenario cards with “Pre-Defined Response Options” section: Present Options A, B, C directly (GaboonGrabber, WannaCry, Code Red historical)
  • Other scenario cards: Extract from planning document’s “Type-Effective Approaches” section (Section 6):
    1. Select the most effective approach (super-effective vs malmon type)
    2. Select one moderately effective approach
    3. Select one less effective but commonly attempted approach
    4. Simplify each to Action/Pros/Cons format

Quick extraction template:

Option A: [Approach Name]
- Action: [One sentence what to do]
- Pros: [Main benefit]
- Cons: [Key trade-off]
- Type Effectiveness: [Against malmon type]

Example: For a Trojan-type malmon without pre-defined options:

  • Option A: Deploy behavioral monitoring (Super effective - detects runtime behavior)
  • Option B: Network segmentation (Moderately effective - contains spread)
  • Option C: Signature-based scanning (Least effective - the Trojan evades signature detection)

Quick Reference by Scenario

Complete materials available:

  • GaboonGrabber (all variants) - scenario card has both sections
  • WannaCry - Hospital Emergency - scenario card has both sections
  • Code Red - Historical Foundation - scenario card has both sections

Extract from planning docs:

  • All other scenarios - use planning document Sections 5 (Investigation Timeline) and 6 (Response Options)

📖 See also: Game Configuration Guide for detailed format customization

Session Format Materials Reference

All four session formats now have comprehensive prep checklists. Choose your format based on available prep time and session goals:

| Format | Investigation Materials | Response Materials | Prep Time | Best For |
|---|---|---|---|---|
| Quick Demo (35-40 min) | 3 Guided Clues (sequenced timeline) | 2-3 Pre-defined Options | 15-20 min | Conferences, quick introductions, evaluation sessions |
| Lunch & Learn (75-90 min) | 6-9 Guided Clues across 2 rounds | Pre-defined Options per round | 20-30 min | Department training, team building, regular security awareness |
| Full Game (120-140 min) | Investigation Sources Catalog (player chooses) | Response Evaluation Criteria (adjudicate creative solutions) | 25-35 min | Comprehensive workshops, dedicated skill development |
| Advanced Challenge (150-170 min) | Sources + Subtle Evidence + Red Herrings | Evaluation + Innovation Requirements | 40-50 min | Experienced teams, competitive events, professional validation |

Format Selection Guide

Choose Quick Demo or Lunch & Learn when:

  • You want guided structure (IM presents clues on timeline)
  • Time is limited or audience is newer
  • You need predictable pacing and clear learning outcomes
  • Materials: Sequenced clues + Pre-defined response options

Choose Full Game or Advanced Challenge when:

  • You want player-driven investigation (players choose what to investigate)
  • Team has experience and can handle open exploration
  • Learning goals include critical thinking and creative problem-solving
  • Materials: Investigation catalog + Evaluation criteria (not pre-defined options)

Detailed Prep Checklists

Each template now includes a comprehensive prep checklist, which provides:

  • Specific materials needed for that format
  • Where to find materials (scenario cards vs planning docs)
  • Session flow guidance
  • Format-specific facilitation techniques

The Core Game Loop

Every round follows this pattern:

  1. Present Situation (2-3 min)
    • Describe current symptoms and evidence
    • Introduce new complications or developments
    • Set the stakes for this round
  2. Player Actions (15-30 min depending on format)
    • Each player declares their action for this round
    • Resolve actions using appropriate mechanics
    • Reveal new information based on actions
  3. Evolution & Escalation (2-3 min)
    • Malmon adapts or threat escalates
    • Introduce next challenge or complication
    • Set up next round’s situation
  4. Debrief (5-20 min after final round)
    • Reflect on decisions and discoveries
    • Connect game events to real-world concepts
    • Document lessons learned in MalDex

Essential IM Questions

Use these to guide without telling:

Discovery Phase

  • “What patterns do you notice in these symptoms?”
  • “What would worry you most about this evidence?”
  • “How might you investigate what happened here?”
  • “What kind of threat shows these characteristics?”

Investigation Phase

  • “What does this evidence tell you about the attacker’s goals?”
  • “How would you determine the scope of compromise?”
  • “What additional information would help you decide next steps?”
  • “Which role’s perspective would be most valuable here?”

Response Phase

  • “Given this is a [Type] threat, what approaches might work well?”
  • “How do you balance speed with thoroughness?”
  • “What coordination is needed between your roles?”
  • “What could go wrong with this approach?”

Stuck or Struggling

  • “What would you try with unlimited resources and time?”
  • “What’s your gut instinct about what’s happening?”
  • “If you had to make a decision right now, what would it be?”
  • “How might [specific role] see this situation differently?”

Type Effectiveness Quick Reference

Guide teams toward type-appropriate strategies:

| Threat Type | Most Effective | Moderately Effective | Least Effective |
|---|---|---|---|
| Trojan | Behavioral Analysis, User Education | System Restoration | Signature Detection |
| Worm | Network Segmentation, Patch Management | Traffic Analysis | Endpoint Isolation |
| Ransomware | Backup Restoration, Payment Prevention | Network Isolation | File Recovery |
| RAT | Network Monitoring, C2 Blocking | Behavioral Analysis | Process Termination |
| Phishing | User Education, Email Filtering | Link Analysis | Content Inspection |

Common Scenarios by Difficulty

Beginner-Friendly (Tier 1)

  • GaboonGrabber (Trojan) - Social engineering basics
  • Code Red (Worm) - Network propagation fundamentals
  • WannaCry (Ransomware) - Encryption and recovery basics
  • FakeBat (Malvertising) - User interaction and web threats

Intermediate (Tier 2)

  • LockBit (Ransomware) - Multi-stage attacks
  • Raspberry Robin (Worm) - Advanced propagation
  • Poison Ivy (RAT) - Command and control persistence
  • Wire Lurker (Trojan) - Cross-platform threats

Advanced (Tier 3)

  • Stuxnet (Worm) - APT and targeted attacks
  • Ghost RAT (RAT) - Sophisticated evasion
  • Litter Drifter (Worm) - State-sponsored threats
  • Noodle RAT (RAT) - Advanced persistent threats

Pacing Tips

Keep sessions engaging:

  • Set clear time expectations - Players plan better with known constraints
  • Use timers judiciously - Add pressure for experienced groups only
  • Watch for analysis paralysis - Prompt decisions when teams overthink
  • Balance air time - Quiet players often have valuable insights
  • Trust the process - Productive struggle is learning in action

Troubleshooting Common Issues

“Players focus too much on technical minutiae”

“Great analysis - how does this inform your team’s next steps?”

“One role dominates investigation”

“How might [other role]’s perspective differ from yours?”

“Team completely stuck”

“What would you guess is happening, even without perfect evidence?”

“Players want to skip straight to response”

“What would happen if you responded without understanding the threat?”

“Session running over time”

“Let’s fast-forward to the critical decision point…”

“Players create solution not in your notes”

“That’s creative - let’s see how effective that approach would be…” (Use type effectiveness)

Quick Configuration Checklist

Before each session, decide:

Materials to Have Ready

Essential for every session:

  • Scenario card for chosen Malmon and variant
  • Malmon detail page for type effectiveness reference
  • Role cards for each player
  • Success mechanic tools (dice/cards if using)
  • Timer (if using turn timers)
  • Debrief discussion prompts
  • MalDex access for documentation

Optional but helpful:

  • Pre-printed NPC reference cards
  • Evidence inventory worksheet
  • Network diagram for complex scenarios
  • Badge tracking sheet
  • Type effectiveness chart

Quick Wins for New IMs

Build confidence with these approaches:

  1. Start with Quick Demo format - Guided structure reduces improvisation
  2. Use GaboonGrabber or Code Red - Well-documented beginner scenarios
  3. Prepare 3-5 guiding questions per round - Helps maintain momentum
  4. Accept player creativity - “Yes, and…” leads to best moments
  5. Debrief thoroughly - Where the real learning happens
  6. Document your sessions - Build personal IM reference library

Using Scenario Slides

Interactive RevealJS presentations for guided sessions

Scenario slides provide a structured, visual way to present M&M scenarios during live sessions. Each scenario includes both player-visible content and IM-only reference materials.

Accessing Scenario Slides

Tier 1 (Beginner) Scenarios:

Tier 2 (Intermediate) Scenarios: Coming soon

Tier 3 (Advanced) Scenarios: Coming soon

Player-Safe Mode (P Key)

Critical for live presentations:

  • Press ‘P’ to toggle between Full IM Mode and Player-Safe Mode
  • Player-Safe Mode hides IM-only slides to prevent accidental spoilers
  • Full IM Mode shows all slides including facilitation notes and answers
  • Visual indicator in top-right corner shows current mode
  • Always start in Player-Safe Mode when presenting to players

Session State Tracking

Built-in tools for tracking progress:

  • Checkboxes - Track discovered clues and evidence (auto-saved)
  • Scratchpad - Take notes during the session (auto-saved to browser)
  • Persistent storage - State saved per-scenario using localStorage
  • Export/Import - Save session state to continue later

Slide Controls

Essential keyboard shortcuts:

  • Arrow keys - Navigate forward/backward through slides
  • P key - Toggle Player-Safe Mode (hides IM-only content)
  • T key - Toggle light/dark theme
  • H key - Open resource navigation menu
  • ESC - Exit full screen or close menus
  • F key - Enter full screen mode

Content Organization

Each scenario includes:

  • Player-visible slides (marked data-visibility="player")
    • Scenario introduction and setup
    • Initial evidence and symptoms
    • Investigation guidance
    • Response options and outcomes
  • IM-only slides (marked data-visibility="im-only")
    • Facilitation notes and timing guides
    • Answer keys and hidden information
    • Type effectiveness reminders
    • Debrief discussion prompts
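
A pre-session check for the tagging scheme above, as an added example that is not part of the project's own code: it counts slides per data-visibility value and flags any slide whose tag is missing or unrecognized, since such a slide may not be handled as intended in Player-Safe Mode. It assumes slides are reveal.js `<section>` elements; `auditDeck` and the sample deck are hypothetical names and constructed data.

```javascript
// Added example (not the project's code): pre-session audit of visibility tags.
// Assumptions: slides are reveal.js <section> elements; the two valid values
// are the ones listed above; anything else is flagged for manual review.
const KNOWN_VISIBILITY = new Set(["player", "im-only"]);

function auditDeck(html) {
  const report = { player: 0, "im-only": 0, needsReview: [] };
  const tagRe = /<section\b([^>]*)>|<\/section\s*>/gi;
  const open = [];   // stack of currently open <section> elements
  let position = 0;  // 1-based order of each opening <section> tag in the file
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (!match[0].startsWith("</")) {
      position += 1;
      const attr = /data-visibility\s*=\s*["']([^"']*)["']/i.exec(match[1]);
      if (open.length > 0) open[open.length - 1].isStack = true;
      open.push({ position, value: attr ? attr[1] : null, isStack: false });
      continue;
    }
    const slide = open.pop();
    // Skip unbalanced closers and vertical-stack wrappers (they hold slides
    // but are not slides themselves).
    if (!slide || slide.isStack) continue;
    if (KNOWN_VISIBILITY.has(slide.value)) {
      report[slide.value] += 1;
    } else {
      // Missing tag, typo, or wrong case: review before presenting to players.
      report.needsReview.push({ position: slide.position, value: slide.value });
    }
  }
  return report;
}

// Constructed sample deck: section 5 is untagged, section 6 has a wrong-case value.
const SAMPLE_DECK = `
<div class="reveal"><div class="slides">
  <section data-visibility="player"><h2>Scenario introduction</h2></section>
  <section data-visibility="im-only"><h2>Facilitation notes</h2></section>
  <section>
    <section data-visibility="player"><h2>Initial evidence</h2></section>
    <section><h2>Answer key</h2></section>
  </section>
  <section data-visibility="IM-only"><h2>Debrief prompts</h2></section>
</div></div>`;

console.log(auditDeck(SAMPLE_DECK));
```

Every entry in `needsReview` is worth opening in Full IM Mode before the session to confirm which audience it belongs to.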

Best Practices

Make the most of scenario slides:

  1. Test before presenting - Navigate through slides in Full IM Mode first
  2. Start in Player-Safe Mode - Prevent accidental reveals
  3. Use scratchpad for notes - Track player theories and decisions
  4. Check discovered clues - Mark evidence as players find it
  5. Toggle mode strategically - Switch to Full IM Mode during breaks for reference
  6. Export state after session - Save progress for documentation

Troubleshooting

Common issues and solutions:

  • Slides not loading? Ensure JavaScript is enabled in your browser
  • Lost session state? Check localStorage isn’t blocked; export state regularly
  • Wrong mode showing? Press ‘P’ to toggle Player-Safe Mode
  • Can’t see IM notes? Make sure you’re in Full IM Mode (eye icon visible)

Remember

You’re not here to:

  • Demonstrate your expertise
  • Stump players with complexity
  • Follow a rigid script
  • Have all the answers

You’re here to:

  • Create engaging learning experiences
  • Facilitate team discovery and collaboration
  • Guide productive struggle
  • Make cybersecurity education collaborative and fun

For comprehensive guidance, see: