M&M Scenario Card Template

Complete Scenario Card Creation Guide

The M&M Scenario Card system transforms cybersecurity incident response training from mechanical Malmon selection to rich, story-driven scenario development. Each scenario card provides a complete narrative foundation that explains WHY incidents are happening NOW, not just WHAT is happening.

Scenario Card Format

Each scenario card follows this exact structure:

Front of Card: The Elevator Pitch & Hook

ORGANIZATION: [Specific organization name and type]
STAKES: [What they protect] + [Regulatory/compliance] + [Critical systems]
HOOK: [2-sentence compelling backstory explaining WHY this is happening NOW]
PRESSURE: [Time constraint or urgent deadline creating immediacy]
MALMON: [Specific Malmon this scenario is designed for]

Back of Card: NPCs & Secrets

NPCs:
• [Name] ([Role]): [Current situation/motivation/emotional state]
• [Name] ([Role]): [Relationship to incident/what they know/don't know]
• [Name] ([Role]): [Stakes/concerns/complications they bring]

SECRETS:
• [Organizational vulnerability that enabled the incident]
• [Internal politics/pressure that complicates response]
• [Hidden connection to broader threat landscape]

VILLAIN PLAN:
Stage 1: [Initial infiltration method] [✓ if complete]
Stage 2: [Current objective/activity] (CURRENT if active)
Stage 3: [Ultimate goal/endgame]

ADAPTATION NOTES:
• High-expertise groups: [Specific complexity additions]
• Beginner groups: [Simplification strategies]
• Time constraints: [Compression options]

Field-by-Field Completion Instructions

Front of Card Fields

ORGANIZATION

Purpose: Establishes the setting and context for the entire scenario.

Format: [Company Name]: [Industry Type], [Size Category]

Examples:

  • MedTech Solutions: Healthcare technology, 200 employees
  • RegionalBank: Financial services, 350 employees across 12 locations
  • SteelCorp Manufacturing: Industrial steel processing, 400 employees
  • CloudCorp: Software development and cloud services, 180 distributed employees

Selection Criteria:

  • Choose industries familiar to your group or universally understandable
  • Ensure organization size creates realistic constraints (not too big, not too small)
  • Consider regulatory environment complexity for learning objectives

STAKES

Purpose: Immediately establishes what matters and why the team should care.

Format: [Customer/Data Protection] + [Regulatory Compliance] + [Critical Operations]

Examples:

  • Patient safety data + HIPAA compliance + Life-critical medical device networks
  • Customer financial records + Banking regulations + 24/7 transaction processing
  • Worker safety systems + OSHA compliance + $2M daily production output
  • Client source code + SOC 2 compliance + 99.9% SLA commitments

Key Principles:

  • Lead with human impact (patients, customers, workers)
  • Include specific regulatory frameworks when relevant
  • Quantify operational impact when possible
  • Balance complexity with clarity

HOOK

Purpose: The narrative engine that explains WHY this incident is happening NOW.

Format: Two compelling sentences that create urgency and context.

Effective Hook Patterns:

Timing Exploitation: “MedTech Solutions is in the final week of their largest client implementation, with St. Mary’s Hospital going live Monday morning. The attacker has been monitoring email traffic and knows that IT staff are working overtime, making them more likely to click through security warnings to keep the project on track.”

Organizational Pressure: “RegionalBank faces their annual regulatory examination next month, creating pressure to demonstrate robust security controls. The attacker is exploiting this compliance focus by sending fake ‘security audit’ emails that bypass normal skepticism.”

Industry Event Targeting: “SteelCorp Manufacturing received a major contract requiring 50% increased production during Q4, putting enormous pressure on operational systems. The attacker specifically chose this period knowing that production downtime would be unacceptable, limiting aggressive containment options.”

Avoid These Approaches:

  • Generic timing: “The attack happened yesterday”
  • Technical focus without context: “The malware was delivered via email”
  • No compelling reason: “Users clicked on malicious links”

PRESSURE

Purpose: Creates time constraints that force difficult decisions and realistic trade-offs.

Format: Specific deadline or constraint that affects response options.

Examples:

  • St. Mary's Hospital goes live with new EMR system in 3 days - delays risk patient safety
  • Quarterly financial close in 48 hours - system downtime prevents regulatory reporting
  • Major production deadline Friday - shutdown costs $200K per day in penalties
  • Code release scheduled tomorrow - security team has 12 hours before deployment

Key Elements:

  • Specific deadlines (not “soon” or “urgent”)
  • Clear consequences for delays
  • Realistic business constraints
  • Multiple stakeholders affected

MALMON

Purpose: Connects the narrative scenario to specific game mechanics and learning objectives.

Selection Guidelines:

For GaboonGrabber Scenarios:

  • Situations involving user trust and software updates
  • Organizations with diverse user populations
  • Scenarios requiring social engineering analysis
  • Settings where behavioral detection would be relevant

For WannaCry Scenarios:

  • Network-dependent operations with time pressure
  • Organizations with mixed legacy and modern systems
  • Scenarios requiring rapid containment decisions
  • Settings where patch management is critical

For Stuxnet Scenarios:

  • High-value or strategic targets
  • Industrial or infrastructure settings
  • Scenarios involving sophisticated attribution
  • Settings requiring advanced threat analysis

Back of Card Fields

NPCs (Non-Player Characters)

Purpose: Provides realistic organizational roles that create complications, provide information, and drive story development.

NPC Formula: [Name] ([Role]): [Current emotional state/situation] + [What they know/don't know] + [Their primary concern]

Essential NPC Archetypes:

IT Leadership: “Sarah Chen (IT Director): Extremely stressed about hospital go-live, knows about recent security warnings but hasn’t had time to investigate thoroughly, primarily concerned about project deadline success.”

End User Representative: “Mike Rodriguez (Head Nurse): Frustrated with computer slowdowns, clicked on several ‘urgent security updates’ yesterday, doesn’t realize the connection, worried about patient care impact.”

Business Stakeholder: “Jennifer Park (Chief Operating Officer): Unaware of security incident, focused entirely on regulatory exam preparation, will resist any delays to compliance activities.”

External Pressure: “David Kim (St. Mary’s CIO): Calling hourly for project updates, threatens to find new vendor if go-live is delayed, represents $2M annual contract.”

Key NPC Guidelines:

  • Give each NPC a clear emotional state and motivation
  • Create conflicting priorities that complicate response
  • Include both helpful and obstructive characters
  • Make their concerns realistic and understandable

SECRETS

Purpose: Hidden information that explains how the attack succeeded and creates investigation opportunities.

Three Required Secret Types:

Organizational Vulnerability: “IT department bypassed normal software approval process for ‘critical security updates’ during crunch time, removing a key defense layer.”

Internal Politics/Pressure: “Management has been pressuring IT to approve user requests quickly to improve ‘customer service scores,’ creating a culture of security shortcuts.”

Broader Threat Connection: “The attacker has been monitoring healthcare industry forums and specifically targeted organizations during implementation periods when security awareness is lowest.”

Effective Secret Characteristics:

  • Explains WHY the attack succeeded beyond technical factors
  • Creates realistic organizational complexity
  • Provides investigation leads for different player roles
  • Connects to broader cybersecurity challenges

VILLAIN PLAN

Purpose: Provides a three-stage progression that creates urgency and explains threat evolution.

Stage Structure:

Stage 1: Initial Infiltration [✓ Complete]: “Delivered convincing ‘critical security update’ emails to IT staff during project crunch time, successfully installed GaboonGrabber on 12 workstations.”

Stage 2: Current Activity (CURRENT): “Establishing persistence and conducting reconnaissance to identify valuable data stores and system access credentials.”

Stage 3: Ultimate Goal: “Deploy secondary payloads (AgentTesla keylogger) to capture administrative credentials and establish long-term access to hospital network for future attacks.”

Planning Guidelines:

  • Stage 1 should be complete when scenario begins
  • Stage 2 represents immediate threat requiring response
  • Stage 3 creates urgency by showing escalation consequences
  • Each stage should be realistic for the chosen Malmon

ADAPTATION NOTES

Purpose: Provides specific guidance for adjusting scenario complexity based on group expertise and time constraints.

Required Adaptation Categories:

High-Expertise Groups: “Add attribution analysis requiring investigation of attack infrastructure and threat actor TTPs. Include discussion of advanced evasion techniques and custom tool development.”

Beginner Groups: “Focus on basic social engineering concepts and simple containment strategies. Provide additional guidance about investigation techniques and industry-standard response procedures.”

Time Constraints: “For 60-minute sessions, combine investigation and response phases. Focus on identification and immediate containment rather than comprehensive analysis.”
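
The field rules above can be machine-checked before a session. The linter below is an added example, not part of the M&M materials: the plain-text card layout, the `lint_card` name and the sample card (assembled from this guide's own examples) are assumptions, and the sentence and deadline checks are heuristics.

```python
import re

LABELS = ("ORGANIZATION", "STAKES", "HOOK", "PRESSURE", "MALMON",
          "NPCs", "SECRETS", "VILLAIN PLAN", "ADAPTATION NOTES")

def lint_card(text):
    """Return the guide's rules that a plain-text card breaks (empty list = pass)."""
    card, current = {k: [] for k in LABELS}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        head, _, rest = line.partition(":")
        if head in LABELS:  # a template label opens a new section
            current, line = head, rest.strip()
        if current and line:
            card[current].append(line)
    # Drop title periods ("St.") before counting sentences; flag each stage as (done, current).
    hook = re.sub(r"\b(St|Dr|Mr|Mrs|Ms)\.", r"\1", " ".join(card["HOOK"]))
    npcs = [ln for ln in card["NPCs"] if re.match(r"• .+ \(.+\): \S", ln)]
    plan = [("✓" in ln, "(CURRENT)" in ln) for ln in card["VILLAIN PLAN"] if ln.startswith("Stage ")]
    rules = {
        "HOOK must be exactly two sentences": len(re.findall(r"[.!?]+(?=\s|$)", hook)) == 2,
        "PRESSURE needs a specific deadline, not 'soon' or 'urgent'":
            not re.search(r"\b(soon|urgent)\b", " ".join(card["PRESSURE"]), re.I),
        "NPCs need three 'Name (Role): situation' entries": len(npcs) >= 3,
        "VILLAIN PLAN needs stage 1 done (✓) and only stage 2 (CURRENT)":
            plan == [(True, False), (False, True), (False, False)],
    }
    return [f"missing {k}" for k in LABELS if not card[k]] + [m for m, ok in rules.items() if not ok]

SAMPLE = """ORGANIZATION: MedTech Solutions: Healthcare technology, 200 employees
STAKES: Patient safety data + HIPAA compliance + Life-critical medical device networks
HOOK: MedTech Solutions is in the final week of its largest client implementation, with St. Mary's Hospital going live Monday. The attacker knows IT staff are working overtime.
PRESSURE: St. Mary's Hospital goes live with new EMR system in 3 days - delays risk patient safety
MALMON: GaboonGrabber
NPCs:
• Sarah Chen (IT Director): Extremely stressed about hospital go-live
• Mike Rodriguez (Head Nurse): Clicked on several 'urgent security updates' yesterday
• David Kim (St. Mary's CIO): Calling hourly for project updates
SECRETS:
• IT department bypassed the normal software approval process during crunch time
• Management has been pressuring IT to approve user requests quickly
• The attacker has been monitoring healthcare industry forums
VILLAIN PLAN:
Stage 1: Delivered 'critical security update' emails to IT staff ✓
Stage 2: Establishing persistence and conducting reconnaissance (CURRENT)
Stage 3: Deploy secondary payloads to capture administrative credentials
ADAPTATION NOTES:
• High-expertise groups: Add attribution analysis
• Beginner groups: Focus on basic social engineering concepts
• Time constraints: For 60-minute sessions, combine investigation and response phases"""  # constructed sample
```

`lint_card(SAMPLE)` returns an empty list; each broken rule otherwise comes back as one message naming the field to fix.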

Example Scenario Card: Complete

Here’s what the actual scenario card looks like when properly formatted:

[Rendered scenario card: front side, 90 minutes, Intermediate]

Compare this rendered scenario card to the template structure - you can see how each field translates into the visual format that players will experience.

Additional Example: Industrial Scenario

Here’s a different scenario card showing an industrial/manufacturing context:

[Rendered scenario card: front side, 90 minutes, Intermediate]

Notice how this scenario uses the same structure but creates completely different stakes, characters, and learning opportunities while remaining appropriate for the Stuxnet malmon.

Quality Assurance Checklist

Before Finalizing Any Scenario Card

Narrative Coherence Check

Technical Accuracy Check

Facilitation Utility Check

Engagement Potential Check

Custom Scenario Development Process

Step 1: Choose Your Foundation (5 minutes)

  1. Select target Malmon based on learning objectives
  2. Choose industry/organization type familiar to your group
  3. Identify 2-3 key learning outcomes you want to achieve

Step 2: Build the Hook (10 minutes)

  1. Research current pressures in your chosen industry
  2. Identify realistic timing that would create vulnerability
  3. Craft 2-sentence hook explaining WHY NOW
  4. Define specific deadline that creates trade-offs

Step 3: Develop Characters (10 minutes)

  1. Create 3-4 NPCs with different organizational roles
  2. Give each NPC clear motivations and concerns
  3. Ensure conflicts between different NPC priorities
  4. Include both helpful and obstructive characters

Step 4: Design Investigation (10 minutes)

  1. Create secrets that explain attack success
  2. Develop realistic villain plan with 3 clear stages
  3. Ensure multiple investigation paths for different roles
  4. Plan revelation points that maintain engagement

Step 5: Test and Refine (5 minutes)

  1. Walk through the scenario from player perspective
  2. Identify potential sticking points or confusion
  3. Ensure adaptation notes provide clear guidance
  4. Validate learning objectives alignment

Integration with Existing Preparation Workflows

Enhanced 5-Minute Prep with Scenario Cards

  1. Minute 1: Select pre-made scenario card matching group and objectives
  2. Minute 2: Review NPC motivations and key secrets
  3. Minute 3: Plan opening symptom presentation and hook delivery
  4. Minute 4: Review villain plan stages and evolution triggers
  5. Minute 5: Identify 3 key questions for discovery phase

Story-Driven 15-Minute Prep

  1. Minutes 1-3: Select and customize scenario card for specific group
  2. Minutes 4-7: Develop additional NPC details and relationship dynamics
  3. Minutes 8-11: Plan multiple opening options and symptom variations
  4. Minutes 12-14: Prepare contingency plans and adaptation strategies
  5. Minute 15: Final confidence check and material preparation

Master-Level 30-Minute Prep

  1. Minutes 1-5: Choose base scenario and identify customization opportunities
  2. Minutes 6-10: Develop rich NPC backgrounds and complex relationship webs
  3. Minutes 11-15: Create interconnected secrets and multiple revelation paths
  4. Minutes 16-20: Plan advanced adaptation strategies for different group responses
  5. Minutes 21-25: Develop extension activities and follow-up scenario connections
  6. Minutes 26-30: Final preparation and mental transition to facilitator mode

Remember: The best scenario cards provide rich narrative foundation while maintaining the “lazy IM” philosophy of confident flexibility over rigid preparation. They should enhance your facilitation capabilities, not constrain your ability to adapt to group needs and interests.