Planning Template Usage Guide

Planning Template Usage Guide

How to use the Scenario Planning Template to create effective session plans

This guide explains how to use the Scenario Planning Template to prepare comprehensive Malware & Monsters sessions. Whether you’re adapting an existing scenario or creating new content, this guide will help you leverage the template effectively.

Understanding the Template Structure

The Scenario Planning Template has 12 sections designed to cover every aspect of session preparation:

  1. Quick Reference - At-a-glance session information
  2. Game Configuration Templates - Pre-configured settings for different formats
  3. Scenario Overview - Narrative hooks and organizational context
  4. NPC Reference - Character details and interaction guidance
  5. Investigation Timeline - Evidence delivery and discovery paths
  6. Response Options - Type-effective approaches and creative solutions
  7. Round-by-Round Facilitation Guide - Detailed IM guidance for each round
  8. Pacing & Timing Notes - Time management and engagement strategies
  9. Debrief Discussion Points - Learning objectives and reflection questions
  10. Facilitator Quick Reference - Type effectiveness and common challenges
  11. Scenario Customization Notes - Difficulty and industry adaptations
  12. Cross-References - Related content and resources

When to Use the Full Template

Use the complete template when:

  • Creating comprehensive planning documentation for community sharing
  • Preparing complex scenarios with multiple variants
  • Training new IMs who need detailed guidance
  • Building reusable session plans for repeated use
  • Documenting successful sessions for organizational library

Use a simplified version when:

  • Running one-off sessions for familiar teams
  • Working with scenarios you’ve run multiple times
  • Time-constrained preparation (use Sections 1, 3, 5, 7 only)
  • Experienced IMs comfortable with improvisation

Step-by-Step Template Usage

Step 1: Gather Source Materials

Before filling out the template, collect:

  • Malmon detail page for technical characteristics
  • Scenario card for organizational context and NPCs
  • Type effectiveness chart for strategic guidance
  • Game configuration templates for format options
  • Any existing community documentation or MalDex entries

Where to find these:

  • Malmon details: im-handbook/resources/malmon-details/[malmon-name].qmd
  • Scenario cards: im-handbook/resources/scenario-cards/[malmon-name]/
  • Configuration templates: im-handbook/resources/practical-tools/preparation-templates/
  • Type effectiveness: Included in malmon detail pages

Step 2: Complete Quick Reference (Section 1)

Start with the essentials:

  1. Identify the Malmon - Name and type from malmon detail page
  2. Assess difficulty - Tier 1 (beginner), Tier 2 (intermediate), Tier 3 (advanced)
  3. Choose scenario variant - Industry context that matches your audience
  4. Extract organizational context - From scenario card or create new
  5. Define stakes - What’s at risk in this specific scenario
  6. Select NPCs - 2-3 essential, 4-6 optional from scenario card
  7. Craft scenario hook - Compelling 1-2 sentence opening
  8. State victory condition - Clear definition of successful resolution

Example Quick Reference:

Element Details
Malmon GaboonGrabber (Trojan/Stealth)
Difficulty Tier Tier 1 (Beginner)
Scenario Variant Healthcare - Regional Hospital
Organizational Context 200-bed community hospital, recent EHR implementation
Primary Stakes Patient data, HIPAA compliance, clinical operations
Recommended Formats Lunch & Learn, Full Game
Essential NPCs Dr. Sarah Chen (CMIO), Mark Stevens (IT Director)
Optional NPCs Jennifer Lopez (Nurse Manager), David Kim (Security Officer)

Step 3: Configure Game Formats (Section 2)

Use the four pre-configured templates:

Each format is pre-filled with standard settings. Your job is to:

  1. Review each format - Quick Demo, Lunch & Learn, Full Game, Advanced Challenge
  2. Verify time breakdowns - Adjust if your scenario needs different pacing
  3. Add facilitation notes - Scenario-specific guidance for each format
  4. Identify recommended format - Which format(s) work best for this scenario

Customization tips:

  • Quick Demo: Focus on single most impactful round, clearest evidence
  • Lunch & Learn: Balance guided discovery with some player agency
  • Full Game: Ensure three rounds have distinct escalation and focus
  • Advanced Challenge: Add complexity through multiple attack stages or sophisticated evasion

Step 4: Develop Scenario Overview (Section 3)

Craft the narrative foundation:

  1. Write opening presentation - Set scene, introduce tension, present situation (2-3 paragraphs)
  2. List initial symptoms - 4-6 observable problems that bring team together
  3. Detail organizational context - Expand on organization profile, culture, constraints
  4. Describe malmon manifestation - How this Malmon behaves in this specific context
  5. Highlight key capabilities - Which abilities are most relevant to this scenario
  6. Note exploitable vulnerabilities - How defenders can leverage weaknesses

Writing effective opening presentations:

  • Start with specific time and place: “It’s Monday morning at…”
  • Introduce business context or pressure: “Just two weeks before…”
  • Present initial anomaly: “Several staff report…”
  • End with call to action: “As the incident response team…”

Example:

“It’s Thursday afternoon at Valley Community Hospital, just three weeks after completing a major electronic health record migration. The IT help desk has been fielding an unusual number of calls about computer slowdowns, and nursing staff report intermittent access issues with patient charts. Yesterday evening, several staff members mentioned receiving emails about a ‘critical EHR security update’ that seemed legitimate given the recent system changes. Now, as the afternoon shift begins, Dr. Chen urgently calls a meeting—patient care systems are experiencing unexplained performance issues, and she needs answers before the situation affects clinical operations.”

Step 5: Create NPC Reference (Section 4)

Develop memorable characters:

For each NPC (essential first, optional second):

  1. Name and position - Realistic job title and organizational role
  2. Personality - 2-3 traits affecting interactions (anxious, confident, skeptical, etc.)
  3. Agenda - What they want from incident response (protect reputation, find cause, minimize disruption)
  4. Knowledge - Critical information they possess (approved the email, witnessed the attack, knows the systems)
  5. Pressure point - Personal stake in incident (their decision, their department, their responsibility)
  6. IM portrayal notes - How to roleplay effectively (speak quickly when anxious, ask technical questions, focus on patient impact)

NPC interaction timing:

  • Introduce essential NPCs in opening presentation or Round 1
  • Bring in optional NPCs as investigation deepens (Round 2-3)
  • Use NPCs to reveal information, create pressure, and advance plot

Creating realistic NPCs:

  • Base on actual roles in target industry (CMIO, IT Director, Compliance Officer)
  • Give each a unique perspective and agenda (not all cooperative)
  • Make them reactive to team decisions (impressed, frustrated, relieved)
  • Use them to teach organizational dynamics and stakeholder management

Step 6: Build Investigation Timeline (Section 5)

Map evidence to discovery:

For each round:

  1. Automatic reveals - What all teams discover regardless of actions
  2. Role-specific leads - What each role’s investigation uncovers
  3. Escalating complexity - How evidence deepens or complications emerge
  4. Connection paths - How clues link together into coherent threat picture

Investigation timeline principles:

  • Round 1: Surface-level symptoms point to threat type and attack vector
  • Round 2: Deeper investigation reveals scope, impact, and attacker objectives
  • Round 3: Response attempts surface additional evidence or complications

Evidence distribution by role:

  • Detective: Log entries, file artifacts, registry changes, forensic evidence
  • Protector: Running processes, security tool alerts, system configurations
  • Tracker: Network traffic, external connections, command infrastructure
  • Communicator: User interviews, cultural context, organizational constraints
  • Crisis Manager: Timeline correlation, scope assessment, resource status
  • Threat Hunter: Attack patterns, threat intelligence, attribution indicators

Example Round 1 Detective Lead:

“Email header analysis reveals sophisticated spoofing techniques—the ‘From’ address appears legitimate but detailed examination shows slight domain misspelling (healthregulation.gov instead of healthregulation.org). Attachment forensics identify obfuscated executable masquerading as PDF using double extension trick (document.pdf.exe).”

Step 7: Define Response Options (Section 6)

Provide strategic guidance:

  1. Type-effective approaches - What works well against this Malmon type
  2. Moderately effective - Partial solutions and their trade-offs
  3. Least effective - Common but ineffective approaches and why
  4. Creative response encouragement - Domains where innovation can succeed
  5. Common creative solutions - What players typically invent and how to handle

Using type effectiveness:

  • Reference malmon detail page for type strengths and weaknesses
  • Explain why certain approaches work better (behavioral detection vs. signatures)
  • Encourage type-appropriate thinking without dictating specific solutions
  • Reward creative applications of type-effective principles

Handling creative solutions:

  • Say “yes, and…” to innovative ideas that respect type effectiveness
  • Ask clarifying questions: “How would that work against this threat?”
  • Adjudicate based on type logic, not whether it’s in your notes
  • Document successful innovations for community sharing

Step 8: Craft Round-by-Round Facilitation (Section 7)

Create your IM script:

For each round:

  1. Opening narration - Set scene and present current situation
  2. IM questions - 3-5 questions to guide without telling
  3. Expected player actions - Common approaches and how to resolve
  4. Key moment - Malmon identification or critical realization
  5. Round conclusion - Transition to next round or resolution

Effective IM questions:

  • Open-ended: “What patterns concern you?” not “Do you see the pattern?”
  • Role-focused: “How might the Protector view this evidence?”
  • Strategic: “What would happen if you tried that approach?”
  • Connecting: “How does this relate to what you discovered earlier?”

Round structure guidance:

  • Round 1: Discovery - “What’s happening?” Investigation and malmon identification
  • Round 2: Investigation - “How bad is it?” Scope, impact, and attack progression
  • Round 3: Response - “How do we stop it?” Strategy development and execution
  • Round 4+: Adaptation - “How does it evolve?” Advanced challenge complications

Step 9: Plan Pacing & Timing (Section 8)

Manage time effectively:

  1. If running long - What to skip without losing core experience
  2. If running short - Complications to add for depth
  3. If team stuck - Specific hints and interventions
  4. Engagement indicators - Positive signs and warning signs

Time management strategies:

  • Fast-forward: “Let’s jump ahead to when the scan completes…”
  • Montage: “Over the next hour, your team discovers…”
  • Summary: “Rather than role-playing each interview, tell me what you’re asking…”
  • Focus: “That’s interesting but peripheral—let’s focus on the critical path…”

Unsticking stuck teams:

  • Reframe: “Let me rephrase the situation…”
  • NPC intervention: Have NPC offer perspective or information
  • Evidence reveal: Provide the next clue they would eventually find
  • Permission: “Make your best guess—what’s your instinct?”

Step 10: Design Debrief (Section 9)

Maximize learning value:

  1. Critical learning objectives - Technical concepts and collaboration skills taught
  2. Reflection questions - Scenario-specific and real-world connections
  3. MalDex prompts - What teams should document for community

Debrief structure:

  1. Celebrate success - Acknowledge effective decisions and discoveries (2 min)
  2. Reflect on challenges - Discuss what was difficult and why (3 min)
  3. Connect to reality - Link game events to real cybersecurity (3 min)
  4. Document insights - Guide MalDex entry creation (2 min)

Effective reflection questions:

  • “What surprised you about how this attack succeeded?”
  • “Which of your team’s decisions had the biggest impact?”
  • “How would you explain this threat to non-technical stakeholders?”
  • “What would you do differently if this happened at your organization?”

Step 11: Create Quick Reference (Section 10)

Facilitate smoothly during session:

  1. Type effectiveness chart - Quick lookup for adjudicating actions
  2. Common facilitation challenges - Pre-prepared responses to predictable issues
  3. Success mechanics guidelines - DCs, modifiers, auto-success/fail conditions

During-session reference needs:

  • Keep this section visible during actual facilitation
  • Quick answers to “would this work?” questions
  • Common challenges from your own experience or community reports
  • Dice/card mechanics specific to this scenario’s complexity

Step 12: Document Customization Options (Section 11)

Enable adaptation:

  1. Difficulty adjustments - How to make easier or harder
  2. Industry adaptations - Sector-specific modifications
  3. Experience level adaptations - Novice vs. expert accommodations

Difficulty scaling:

  • Easier: More obvious evidence, pre-defined response options, automatic successes
  • Harder: Subtle clues, red herrings, time pressure, multi-stage complications

Industry customization:

  • Healthcare: HIPAA, patient safety, clinical workflow impact
  • Financial: Regulatory reporting, fraud prevention, transaction integrity
  • Education: FERPA, diverse user population, limited IT resources
  • Government: Public trust, compliance requirements, bureaucratic constraints

After Creating Your Planning Document

Test Your Plan

Before using with players:

  1. Mental walkthrough - Read through as if facilitating
  2. Timing check - Verify rounds fit target session length
  3. Evidence flow - Ensure investigation paths connect logically
  4. NPC motivation - Verify characters have clear, consistent agendas

Run and Refine

During actual session:

  1. Take notes - What worked, what didn’t, timing issues
  2. Document innovations - Creative player solutions
  3. Observe engagement - When energy was high or low
  4. Gather feedback - Ask players what was effective

After session:

  1. Update planning doc - Add notes about modifications needed
  2. Share insights - Contribute to community documentation
  3. Refine for next time - Adjust based on experience
  4. Document in MalDex - Add facilitation insights to collective knowledge

Tips for Effective Planning Documents

Writing for Other IMs

If sharing with community:

  • Be specific: “Have Dr. Chen urgently call meeting” not “introduce pressure”
  • Explain rationale: Why this NPC at this time, why this evidence reveals that
  • Share experience: “Teams often get stuck here—try this question…”
  • Include alternatives: “For shorter sessions, skip the subplot about…”

Balancing Detail and Flexibility

Provide enough structure to:

  • Give inexperienced IMs confidence
  • Ensure consistent core experience
  • Communicate learning objectives clearly
  • Enable effective time management

Leave enough flexibility to:

  • Accommodate creative player solutions
  • Adapt to team interests and expertise
  • Respond to unexpected directions
  • Maintain spontaneity and discovery

Common Planning Mistakes

Avoid these pitfalls:

Over-scripting: Trying to predict every player action ✅ Instead: Provide principles and examples, trust IM judgment

Railroad plot: Requiring specific actions to progress ✅ Instead: Multiple paths to same discoveries, flexible success conditions

Information overload: Too much detail for practical use ✅ Instead: Essential information prominent, optional details collapsible

Ignoring timing: Beautiful plan that needs 4 hours for “60-minute” session ✅ Instead: Realistic time estimates tested through walkthrough

Missing the “why”: What happens but not why it matters ✅ Instead: Clear learning objectives and real-world connections

Example: Planning Document Evolution

Initial Draft

“GaboonGrabber infects hospital. Users click phishing email. Team investigates and responds.”

Too vague, no actionable guidance for IM.

Intermediate Draft

“GaboonGrabber healthcare scenario. Opening: Dr. Chen reports slowdowns. Evidence: phishing emails, process injection. NPCs: Dr. Chen (CMIO), Mark (IT). Response: behavioral analysis works, signature detection doesn’t.”

Better, but missing narrative hooks, timing, facilitation guidance.

Polished Planning Document

Complete 12-section document with: - Compelling opening narration about EHR migration pressure - Detailed NPC profiles with specific agendas and knowledge - Round-by-round evidence progression tied to roles - IM questions for each round - Pre-configured game formats with time breakdowns - Type-effective response options with strategic explanations - Debrief questions connecting to HIPAA and patient safety - Customization notes for different experience levels

Actionable, complete, enables confident facilitation while preserving flexibility.

Resources and Support

Additional Planning Resources

Getting Help

If you’re stuck:

  • Review existing planning docs for similar scenarios
  • Consult malmon detail page for technical characteristics
  • Reference scenario card for organizational context
  • Ask community for feedback on draft planning docs
  • Start with simpler format (Quick Demo) before advancing

Remember: Planning documents are living resources that improve through use and iteration. Start with a solid draft, run the session, refine based on experience, and share your insights with the community.