Full Game Template

Target Time: 120-140 minutes

This template delivers the complete Malware & Monsters experience, providing deep investigation, creative problem-solving, and a comprehensive learning environment. It’s ideal for a dedicated workshop session.

When to Use:

  • Comprehensive training workshops and full-length sessions.
  • Dedicated team skill development initiatives.
  • In-depth cybersecurity education.
  • The standard, intended M&M experience for maximum engagement.

Pre-Configured Settings:

  • MAJOR TIME IMPACT:
    • Number of Rounds: 3 rounds
    • Actions per Player: 2 actions per round
  • MODERATE TIME IMPACT:
    • Investigation Structure: Open (players choose investigation paths)
    • Response Structure: Creative (players develop their own approach)
    • Team Size: 4-6 players (standard roles recommended)
  • MINOR TIME IMPACT:
    • Success Mechanics: Dice/Cards
    • Debrief Length: Standard (10 min)
    • Turn Timer: None
  • COMPLEXITY OPTIONS:
    • Attack Complexity: Multi-stage
    • Evidence Type: Mixed (realistic blend of obvious and subtle)
    • Red Herrings: Absent
    • Containment Clarity: Ambiguous (players must reason through options)
    • NPC Count: Full cast (4-6 NPCs for rich organizational dynamics)
    • Badge Tracking: On
    • Reference Materials: Available

Experience:

A complete, immersive M&M experience where players drive the investigation and formulate their own creative responses. This configuration encourages critical thinking, deep collaboration, and adaptability in a complex environment.

Time Breakdown (Example 130-minute session):

  • Introduction & Role Assignment: 10 minutes
  • Scenario Briefing: 10 minutes
  • Gameplay (3 rounds, 2 actions, Open/Creative): ~90 minutes
  • Standard Debrief: 10 minutes
  • Q&A / Advanced Discussion: 10 minutes
  • Total: ~130 minutes

Customize This Template:

You can adjust individual options from this template to suit your needs.

  • Reduce to 90 min:
    • Change “Number of Rounds” to 2 rounds, OR
    • Change “Actions per Player” to 1 action per round, OR
    • Change “Investigation Structure” to “Guided”.
  • Add 20-30 min:
    • Change “Debrief Length” to “Extended” (15-20 min).
    • Change “Success Mechanics” to “Complex” (Network Security Status tracking).
  • Make harder:
    • Introduce “Red Herrings” (Present).
    • Change “Evidence Type” to “Subtle”.

Full Game Prep Checklist

Pre-Session Materials (25-35 min prep)

Investigation Sources Catalog (NOT sequenced clues):

Prepare a catalog of what CAN be discovered if players investigate different sources. Unlike guided formats, you don’t present clues on a timeline—players choose what to investigate.

Categories of Evidence:

  • System Logs: What anomalies exist in various log files (network, authentication, application)
  • Email/Communications: Phishing attempts, suspicious communications, user reports
  • Interviews: What each NPC knows (and doesn’t know) if asked
  • System Analysis: Malware artifacts, suspicious processes, modified files if examined
  • Network Traffic: Command-and-control communications, data exfiltration if monitored
  • External Research: Malware family indicators, similar attacks if researched

For Each Source, Document:

  • What information is available: Specific evidence that exists
  • What investigation reveals it: Which player actions uncover this evidence
  • Key discovery paths: Most productive investigation directions
  • Dead ends (realistic!): Reasonable investigations that don’t yield useful information

Response Evaluation Criteria (NOT pre-defined options):

Players develop their own response strategies. Prepare criteria to adjudicate creative approaches:

  • Type-Effective Approaches for This Malmon:
    • What containment methods work well against this malmon type
    • What the malmon is particularly vulnerable to
    • Common ineffective approaches to watch for
  • Common Effective Strategies for This Scenario:
    • Isolation and containment approaches
    • Eradication and recovery methods
    • Communication and coordination strategies
  • Common Pitfalls to Watch For:
    • Actions that could make the situation worse
    • Overlooked business considerations
    • Technical mistakes that miss residual infection
  • How to Adjudicate Hybrid/Novel Approaches:
    • Framework for evaluating creative solutions
    • Balancing technical correctness with game enjoyment
    • When to say “yes, and…” vs “yes, but…”

Session Flow (player-driven, 3 rounds)

Round 1 (25-30 minutes): Player-Driven Discovery

  • Players decide what to investigate
  • IM responds to investigations with relevant evidence
  • No pre-sequenced clues—react to player choices
  • Players collaborate to identify the threat

Round 2 (25-30 minutes): Player-Driven Scope Assessment

  • Players choose how to investigate scope
  • IM provides information based on chosen investigation paths
  • Players assess complete impact and business implications
  • Collaborative discussion about response approach

Round 3 (25-30 minutes): Creative Response Implementation

  • Players propose their own response strategy
  • IM adjudicates based on evaluation criteria
  • Players implement and adapt their approach
  • Final outcome determined by player choices and dice/cards

Facilitation Techniques

Responding When Players Investigate:

  • “You check the network logs. You find…” (provide relevant evidence)
  • “Who specifically are you interviewing?” (clarify before responding)
  • “That’s a dead end, but you notice…” (make dead ends realistic, not punishing)

When Players Get Stuck:

  • Ask questions, don’t present clues: “What haven’t you investigated yet?”
  • Offer investigation options: “You could check logs, interview staff, or analyze systems”
  • Never give answers: Guide toward discovery, don’t reveal solutions

Adjudicating Creative Responses:

  • Evaluate based on criteria: Does this address the malmon type effectively?
  • Balance realism with fun: Technically sound approaches should succeed
  • Use “yes, and…” liberally: Build on player ideas when possible
  • Explain consequences: “This approach works, but here’s the trade-off…”

Materials Location Pattern

Investigation Sources Catalog:

  • If the planning document has an “Available Evidence Sources” section: Use that directly
  • If not: Extract from the planning document's Section 5 (Evidence and Investigation) and convert the narrative into a catalog of discoverable information

Response Evaluation Criteria:

  • Planning document Section 6: “Type-Effective Approaches” provides evaluation framework
  • Scenario card: “Type Effectiveness” sections show what works against this malmon
  • Malmon profile: Weaknesses and containment methods inform adjudication

What Makes Full Game Unique

Dynamic Response to Player Choices: Unlike guided formats where the IM controls the narrative flow, Full Game responds to player decisions. The IM maintains a catalog of available information but presents it only when players investigate relevant sources. This creates authentic discovery and problem-solving.

Creative Rather Than Pre-Defined: Players don’t choose from Option A/B/C. They develop their own approaches, combining technical knowledge, role-specific expertise, and collaborative strategy. The IM adjudicates these creative solutions using evaluation criteria rather than predetermined outcomes.

Investigation Catalog, Not Sequence: The prep work shifts from “What do I present when?” to “What can they discover if they look here?” This supports player agency while ensuring the IM has comprehensive knowledge to respond to any reasonable investigation path.