Scenario Card Template Reference
Scenario Card Framework Overview
Scenario Card Structure
Every scenario card provides complete preparation:
- Hook - Why this attack is happening NOW (professional context + time pressure)
- Pressure - Real business deadlines creating authentic urgency
- NPCs - Stakeholders with clear motivations and conflicts
- Secrets - Organizational vulnerabilities that enabled the attack
- Villain Plan - 3-stage escalation with evolution triggers
- Context Details - Industry specifics, regulatory environment, critical assets
Using These Templates
The examples below show complete scenario cards built from these organizational foundations. Each card provides everything needed for immediate session use.
Complete Scenario Card Examples
Example 1: Healthcare Technology Crisis
Example 2: Manufacturing Under Pressure
Example 3: Financial Services Under Examination
Organizational Context Foundations
Note: The following templates show the foundational elements that the above scenario cards build upon. The complete scenario cards above provide everything needed for session preparation.
Healthcare Technology (MedTech Solutions)
Organization Profile
- Size: 200 employees across 3 locations
- Business: Patient management software and medical device integration
- Critical Assets: EMR systems, patient databases, medical device networks
- Regulatory Environment: HIPAA, FDA medical device regulations
- Stakeholders: Hospital clients, patients, regulatory bodies
Built-in Stakes
- Patient Safety: Medical device control systems
- Privacy Compliance: Protected health information (PHI)
- Business Continuity: Hospital operations depend on systems
- Regulatory Penalties: HIPAA violations, FDA sanctions
- Reputation Risk: Patient trust, industry credibility
Common Vulnerabilities
- Legacy medical device integration
- User convenience vs. security trade-offs
- Interconnected systems across multiple hospitals
- Limited downtime windows for security updates
- Complex vendor relationships and access requirements
Sample Symptoms for This Context
- “Hospital clients reporting EMR system slowdowns during peak hours”
- “Medical device network showing unusual connectivity patterns”
- “IT support receiving calls about ‘system update’ prompts on workstations”
Financial Services (RegionalBank)
Organization Profile
- Size: 350 employees, main branch plus 12 locations
- Business: Regional banking with commercial and personal services
- Critical Assets: Core banking systems, customer databases, ATM networks
- Regulatory Environment: FDIC, state banking commission, SOX compliance
- Stakeholders: Customers, regulators, correspondent banks, employees
Built-in Stakes
- Customer Trust: Financial data security and privacy
- Regulatory Compliance: Bank examination, regulatory penalties
- Financial Stability: Fraud prevention, operational continuity
- Market Reputation: Community standing, competitor advantage
- Legal Liability: Customer lawsuits, regulatory enforcement
Common Vulnerabilities
- High-value target for financial crime
- Complex legacy system integrations
- Mobile banking and remote access points
- Third-party vendor connections
- Employee access to sensitive financial data
Sample Symptoms for This Context
- “Online banking customers reporting unexpected ‘security verification’ requests”
- “ATM network showing intermittent connectivity issues”
- “Fraud detection system flagging unusual transaction patterns”
Manufacturing/Industrial (SteelCorp Manufacturing)
Organization Profile
- Size: 400 employees, main facility plus 2 distribution centers
- Business: Steel processing and fabrication for construction industry
- Critical Assets: Production control systems, inventory management, safety systems
- Regulatory Environment: OSHA, EPA, industry safety standards
- Stakeholders: Construction customers, suppliers, employees, local community
Built-in Stakes
- Worker Safety: Industrial control system integrity
- Production Continuity: Manufacturing schedules, customer commitments
- Environmental Compliance: Emission controls, waste management
- Supply Chain Impact: Customer projects, economic ripple effects
- Competitive Position: Trade secrets, production efficiency
Common Vulnerabilities
- Air-gapped networks with occasional connectivity
- Legacy industrial control systems
- Integration between IT and operational technology (OT)
- Remote monitoring and maintenance access
- Limited cybersecurity awareness in OT environment
Sample Symptoms for This Context
- “Production line computers showing decreased performance during shift changes”
- “Maintenance staff reporting new software installations on HMI systems”
- “Network monitoring detecting unexpected traffic between IT and OT networks”
Technology Services (CloudCorp)
Organization Profile
- Size: 180 employees, distributed workforce with main office
- Business: Cloud infrastructure and software development services
- Critical Assets: Source code repositories, customer data, cloud infrastructure
- Regulatory Environment: SOC 2, various customer compliance requirements
- Stakeholders: Software clients, cloud customers, developers, investors
Built-in Stakes
- Customer Data: Multi-tenant cloud environment security
- Intellectual Property: Proprietary source code and algorithms
- Service Availability: 99.9% uptime SLA commitments
- Developer Productivity: CI/CD pipeline integrity
- Competitive Advantage: Technical capabilities and customer trust
Common Vulnerabilities
- Rapid development and deployment cycles
- Developer tools and privileged access
- Cloud infrastructure misconfigurations
- Open source dependency vulnerabilities
- Remote workforce security challenges
Sample Symptoms for This Context
- “CI/CD pipeline showing unusual build failures and performance issues”
- “Developers reporting unexpected authentication prompts in development tools”
- “Cloud monitoring alerts showing abnormal resource consumption patterns”
Educational Institution (StateU)
Organization Profile
- Size: 25,000 students, 3,000 faculty/staff across multiple campuses
- Business: Higher education with research operations
- Critical Assets: Student information systems, research data, library systems
- Regulatory Environment: FERPA, research compliance, state education regulations
- Stakeholders: Students, faculty, parents, state government, research partners
Built-in Stakes
- Student Privacy: Educational records and personal information
- Academic Freedom: Open research environment vs. security
- Research Integrity: Valuable research data and intellectual property
- Operational Continuity: Campus services and academic calendar
- Public Trust: State funding and institutional reputation
Common Vulnerabilities
- Open network environment with diverse user base
- Legacy academic systems and limited security budgets
- High staff turnover and varying security awareness
- Research collaboration requiring external access
- BYOD policies and guest network access
Sample Symptoms for This Context
- “Student portal reporting authentication issues across multiple departments”
- “Research lab computers showing unusual network activity during off-hours”
- “Library systems experiencing intermittent database connection failures”
Symptom Template Categories
Performance-Based Symptoms
Use when emphasizing system impact:
Template A: Gradual Degradation
- “Systems running [X]% slower since [timeframe]”
- “Users reporting increased application response times”
- “Database queries taking longer than normal to complete”
Template B: Intermittent Issues
- “Critical applications randomly crashing or freezing”
- “Network connectivity dropping unexpectedly”
- “File access sometimes failing with permission errors”
Template C: Resource Consumption
- “Servers showing high CPU/memory usage during off-peak hours”
- “Network bandwidth utilization higher than expected”
- “Storage systems filling up faster than projected”
User-Reported Symptoms
Use when emphasizing the human factor:
Template A: Security Warnings
- “Users receiving unexpected [security update/authentication/verification] prompts”
- “Help desk calls about suspicious email attachments or links”
- “Reports of unfamiliar security software appearing on workstations”
Template B: Application Behavior
- “Software behaving differently than usual”
- “New icons or programs appearing on desktops”
- “Browser redirecting to unexpected websites”
Template C: Communication Issues
- “Email delivery delays or failures”
- “VPN connections requiring multiple authentication attempts”
- “Video conferencing quality degraded significantly”
System Administration Symptoms
Use when emphasizing technical detection:
Template A: Process and Service Anomalies
- “Unknown processes consuming system resources”
- “Services starting or stopping without administrative action”
- “Scheduled tasks appearing that weren’t created by IT”
Template B: Network Anomalies
- “Unusual outbound connections to unfamiliar IP addresses”
- “Network traffic patterns different from baseline”
- “DNS queries to suspicious or unusual domains”
Template C: File System Changes
- “Files appearing in unexpected locations”
- “System files modified without explanation”
- “Backup systems showing inconsistent or missing data”
Malmon-Specific Scenario Adaptations
Type Effectiveness Planning Reference
Use this chart when selecting Malmons and planning containment challenges for your scenarios:
- Trojan: Weak to Detection; Resists Training
- Worm: Weak to Isolation; Resists Backup
- Ransomware: Weak to Backup; Resists Encryption
- Rootkit: Weak to Forensics; Resists Detection
- APT: Weak to Intelligence
- Phishing: Weak to Training
- Botnet: Weak to Coordination
- Infostealer: Weak to Encryption
Strategic Scenario Planning:
- Super Effective relationships create confident, successful team moments; use them for teaching and confidence building
- Normal relationships provide balanced challenges that require coordination and strategic thinking
- Not Effective relationships create learning opportunities about limitations and alternative approaches
Choose Malmon types that align with your learning objectives and team capabilities.
For Trojan-Type Malmons (GaboonGrabber, FakeBat)
For Worm-Type Malmons (WannaCry, Code Red, Raspberry Robin)
Scenario Focus: Network Propagation + Rapid Spread
Organization Context Adaptation:
- Emphasize network architecture and segmentation
- Include patch management processes
- Highlight interconnected systems and dependencies
Symptom Selection:
- Multiple systems showing similar symptoms
- Network performance degradation
- Propagation vector evidence (USB, network shares, vulnerabilities)
Investigation Emphasis:
- Network traffic analysis
- Propagation vector identification
- Vulnerable system assessment
Response Focus:
- Network segmentation and isolation
- Patch deployment strategies
- Containment vs. business continuity trade-offs
For Ransomware-Type Malmons (LockBit)
Scenario Focus: Data Encryption + Business Impact
Organization Context Adaptation:
- Emphasize backup and recovery capabilities
- Include business continuity planning
- Highlight regulatory and legal implications
Symptom Selection:
- File access failures or corruption
- Ransom demands or threatening messages
- Backup system interference
Investigation Emphasis:
- Data impact assessment
- Backup integrity verification
- Recovery time estimation
Response Focus:
- Backup restoration strategies
- Business continuity maintenance
- Stakeholder communication
For APT-Type Malmons (Stuxnet, Noodle RAT)
Scenario Focus: Sophisticated Persistence + Attribution
Organization Context Adaptation:
- Emphasize high-value assets and strategic importance
- Include geopolitical or competitive context
- Highlight advanced threat detection capabilities
Symptom Selection:
- Subtle, long-term indicators
- Advanced evasion technique evidence
- Strategic asset targeting patterns
Investigation Emphasis:
- Advanced persistent threat analysis
- Attribution and threat actor profiling
- Sophisticated technique identification
Response Focus:
- Advanced threat hunting
- Counter-intelligence considerations
- Long-term security architecture improvements
Collaborative Context Creation
Group-Driven Organization Building
Instead of pre-selecting context, facilitate group creation:
Opening Questions
- “What kind of organization should we protect today?”
- “What would be devastating if compromised here?”
- “What makes this organization unique or challenging to secure?”
- “What regulatory or business constraints do we need to consider?”
Collaborative Filling
Let group decide:
- Industry and business model
- Size and geographic distribution
- Critical assets and stakeholders
- Regulatory environment
- Competitive landscape
Benefits of Collaborative Creation
- Immediate investment in scenario
- Authentic expertise application
- Natural constraints and considerations
- Real-world relevance for participants
Adaptive Context Refinement
Adjust based on group responses:
If Group Chooses Familiar Industry
- Build on their expertise
- Add realistic complexities they know
- Use their experience to drive discovery
If Group Chooses Unfamiliar Industry
- Focus on universal security principles
- Emphasize transferable concepts
- Use common-sense reasoning
If Group Creates Complex Scenario
- Embrace the complexity
- Use their knowledge to manage details
- Let expertise drive technical accuracy
Time-Adaptive Scenario Scaling
60-Minute Sessions
Condensed Format:
- Setup: 8 minutes (faster character creation)
- Discovery: 20 minutes (focus on identification)
- Investigation: 15 minutes (scope assessment only)
- Response: 15 minutes (key coordination decisions)
- Closing: 2 minutes (quick debrief)
Scenario Adaptations:
- Simpler organization context
- Clearer symptoms with obvious leads
- Streamlined Malmon choices (GaboonGrabber, FakeBat)
- Focus on core learning objectives
90-Minute Sessions
Standard Format:
- Setup: 13 minutes (full character development)
- Discovery: 25 minutes (thorough investigation)
- Investigation: 25 minutes (complete impact assessment)
- Response: 25 minutes (coordinated team response)
- Closing: 2 minutes (structured debrief)
Scenario Adaptations:
- Rich organization context
- Complex symptom patterns
- Full Malmon capability exploration
- Complete learning objective coverage
120-Minute Sessions
Extended Format:
- Setup: 15 minutes (detailed character development)
- Discovery: 30 minutes (comprehensive investigation)
- Investigation: 35 minutes (deep impact analysis)
- Response: 35 minutes (sophisticated coordination)
- Closing: 5 minutes (detailed debrief and planning)
Scenario Adaptations:
- Complex organization with multiple stakeholders
- Layered symptom discovery
- Advanced Malmon with evolution
- Multiple learning objectives integration
Scenario Difficulty Scaling
Beginner Groups
Characteristics: Limited cybersecurity experience, mixed technical backgrounds
Scenario Adaptations:
- Clear, obvious symptoms
- Straightforward organization context
- Simple Malmon with clear characteristics
- Focus on basic concepts and collaboration
Example Scenario:
- Organization: Small medical practice
- Symptoms: Obvious fake software, clear performance issues
- Malmon: GaboonGrabber
- Focus: Social engineering awareness, basic incident response
Intermediate Groups
Characteristics: Some cybersecurity knowledge, varied expertise levels
Scenario Adaptations:
- Mixed obvious and subtle symptoms
- Realistic organization complexity
- Moderate Malmon complexity
- Balance of technical and business concepts
Example Scenario:
- Organization: Regional bank with multiple branches
- Symptoms: Performance issues plus network anomalies
- Malmon: WannaCry or Gh0st RAT
- Focus: Network security, coordinated response
Advanced Groups
Characteristics: Experienced cybersecurity professionals
Scenario Adaptations:
- Subtle, realistic symptoms
- Complex organization with multiple constraints
- Sophisticated Malmon with advanced capabilities
- Advanced technical concepts and attribution
Example Scenario:
- Organization: Critical infrastructure provider
- Symptoms: Subtle system changes, advanced evasion indicators
- Malmon: Stuxnet or Noodle RAT
- Focus: Advanced persistent threats, attribution analysis
Emergency Scenario Pivots
When Chosen Scenario Doesn’t Work
Symptoms Don’t Resonate
- Quickly adapt symptoms to group interests
- Ask what symptoms would concern them most
- Let group suggest alternative indicators
Organization Context Fails
- Switch to collaborative context creation
- Ask group to suggest alternative organization
- Focus on universal security principles
Malmon Too Complex/Simple
- Have backup Malmon cards ready
- Adapt complexity through questioning
- Focus on appropriate learning level
Mid-Session Adaptations
Group Advances Too Quickly
- Add evolution scenarios
- Introduce additional complications
- Explore advanced technical concepts
Group Struggles with Complexity
- Simplify remaining phases
- Focus on core concepts
- Provide more guidance
Interest Shifts Dramatically
- Follow group interest
- Adapt scenario to their direction
- Maintain learning objectives through different path
Template Customization Guidelines
Industry-Specific Adaptations
Healthcare:
- Emphasize patient safety and HIPAA compliance
- Include medical device integration complexity
- Focus on life-critical system dependencies
Financial Services:
- Highlight regulatory examination pressure
- Include fraud prevention and detection systems
- Emphasize customer trust and reputation management
Manufacturing:
- Focus on operational technology and safety systems
- Include supply chain dependencies
- Emphasize production continuity and worker safety
Government/Defense:
- Include classification levels and clearance implications
- Focus on national security implications
- Emphasize inter-agency coordination requirements
Education:
- Include diverse user populations and open network challenges
- Focus on academic freedom vs. security balance
- Emphasize budget constraints and resource limitations
Cultural and Regional Adaptations
International Contexts:
- Include relevant privacy regulations (GDPR, local laws)
- Adapt to different business cultures and communication styles
- Consider time zone and language factors for distributed teams
Cultural Sensitivity:
- Respect different communication norms and hierarchy expectations
- Adapt participation techniques to cultural comfort levels
- Include relevant local threat landscape and regulatory environment
Scenario Quality Assurance
Template Validation Checklist
Common Template Pitfalls to Avoid
- Over-specification: Too many predetermined details limit group creativity
- Under-specification: Too vague to provide clear direction
- Technical bias: Favoring technical participants over business perspectives
- Unrealistic constraints: Scenarios that don’t reflect real-world limitations
- Single-solution thinking: Templates that push toward one “correct” answer
Advanced Template Techniques
Branching Scenario Paths
Create templates with multiple potential developments based on group choices:
Discovery Branch Points:
- Quick identification → More time for investigation and response
- Slow identification → Time pressure and potential evolution
- Incorrect identification → Misdirection and course correction
Investigation Branch Points:
- Thorough analysis → Better response options but potential time pressure
- Rapid assessment → Faster response but higher uncertainty
- Deep technical focus → Advanced capabilities but potential tunnel vision
Response Branch Points:
- Conservative approach → Lower risk but potentially incomplete resolution
- Aggressive approach → Higher risk but potentially better outcomes
- Collaborative approach → Better team coordination but slower implementation
Adaptive Complexity Scaling
Real-Time Difficulty Adjustment:
- If group struggles: Simplify technical concepts, provide more guidance
- If group excels: Add complications, introduce evolution scenarios
- If participation unbalanced: Adjust scenario to engage quiet participants
- If time pressure builds: Focus on essential learning objectives
Progressive Revelation Techniques:
- Start with clear, obvious symptoms
- Gradually introduce complexity and ambiguity
- Allow group expertise to drive depth of technical discussion
- Reveal additional information based on investigation quality
Scenario Template Library Organization
By Difficulty Level
Beginner Templates:
- Clear symptoms with obvious investigation paths
- Straightforward organization contexts
- Simple malmon types with clear characteristics
- Focus on basic incident response concepts
Intermediate Templates:
- Mixed obvious and subtle symptoms
- Realistic organizational complexity
- Moderate technical concepts
- Balance of technical and business considerations
Advanced Templates:
- Subtle, realistic indicators requiring expert analysis
- Complex organizational constraints and stakeholder management
- Sophisticated malmon types with advanced capabilities
- Focus on coordination and strategic decision-making
By Learning Objectives
Technical Skill Focus:
- Emphasize malware analysis and network forensics
- Include advanced detection and response techniques
- Focus on tool usage and technical methodology
Process and Coordination Focus:
- Emphasize team communication and decision-making
- Include stakeholder management and crisis communication
- Focus on incident response procedures and coordination
Strategic and Leadership Focus:
- Emphasize business impact and strategic decision-making
- Include resource allocation and priority management
- Focus on organizational learning and improvement
By Organization Type
Critical Infrastructure:
- Power grids, water systems, transportation networks
- Emphasis on public safety and service continuity
- Regulatory compliance and government coordination
Healthcare Systems:
- Hospitals, clinics, medical device manufacturers
- Patient safety and privacy protection focus
- Regulatory requirements and life-critical dependencies
Financial Services:
- Banks, investment firms, payment processors
- Customer trust and regulatory examination focus
- Fraud prevention and financial stability
Technology Companies:
- Software developers, cloud services, social media
- Intellectual property protection and service availability
- Rapid response and customer communication
Template Evolution and Improvement
Community Feedback Integration
- Collect facilitator experiences with different templates
- Document successful adaptations and modifications
- Share effective techniques across facilitator community
- Continuously improve templates based on real-world usage
Template Version Control
- Track changes and improvements over time
- Maintain backward compatibility for established facilitators
- Document rationale for template modifications
- Provide migration guidance for updated templates
Collaborative Template Development
- Encourage facilitator contributions and modifications
- Provide frameworks for sharing effective adaptations
- Create community review processes for new templates
- Establish quality standards for contributed templates
Integration with Scenario Card System
Scenario Card Categories and Professional Focus
Social Engineering Focus Cards (GaboonGrabber):
- Healthcare contexts emphasizing trust relationships and authority
- Financial contexts highlighting customer service and urgent deadlines
- Focus on stakeholder pressure creating security shortcuts
Network Propagation Focus Cards (WannaCry):
- Municipal contexts emphasizing public service continuity
- Healthcare contexts highlighting patient safety during outages
- Focus on multi-site coordination and rapid response decisions
Critical Infrastructure Focus Cards (Stuxnet):
- Energy sector contexts emphasizing safety and regulatory oversight
- Manufacturing contexts highlighting production continuity and worker safety
- Focus on sophisticated attackers and geopolitical implications
Stakeholder Complexity Matching:
- Simple cards: Single primary stakeholder with clear motivation
- Intermediate cards: 2-3 stakeholders with competing priorities
- Advanced cards: Complex stakeholder networks with regulatory and political pressure
Scenario Template Delivery Formats
Quick Reference Cards
- One-page scenario summaries for experienced facilitators
- Key decision points and adaptation options
- Essential context and constraint information
Detailed Scenario Guides
- Comprehensive preparation materials for new facilitators
- Step-by-step guidance and expected participant responses
- Troubleshooting tips and alternative approaches
Interactive Scenario Builders
- Digital tools for customizing templates in real-time
- Dropdown options for different organization types and complexity levels
- Automatic adaptation based on group size and expertise level
Collaborative Scenario Databases
- Community-contributed scenarios with ratings and reviews
- Search functionality by learning objectives and group characteristics
- Version control and improvement tracking
Complete Resource Integration
Linking Templates to Other Resources
Scenario Card Preparation Integration:
- Use 5-Minute Scenario Card Preparation for quick card selection and hook mastery
- Reference New IM 30-Minute Scenario Card Preparation for comprehensive stakeholder development
Question Bank Connection:
- Discovery Phase Question Bank provides role-specific prompts for each template
- Investigation Phase Question Bank offers deep-dive questions for chosen context
- Response Phase Question Bank includes coordination prompts for different organization types
- Emergency Questions for Stuck Groups provides rescue techniques for when a group stalls
Real-Time Support:
- Technical Gap Protocols handles knowledge gaps effectively
The scenario card system provides rich professional context while preserving the flexibility and collaborative discovery that makes Malware & Monsters effective. The best sessions combine scenario card foundations with responsive adaptation to group expertise and professional experience.