Scenario Planning Template

Complete preparation template for any M&M scenario

This template provides a comprehensive structure for planning Malware & Monsters sessions. Adapt each section to your specific Malmon, scenario variant, and audience needs.


1. Quick Reference

Essential at-a-glance information for session setup

  • Malmon: [Malmon name and type]
  • Difficulty Tier: Tier 1 (Beginner) / Tier 2 (Intermediate) / Tier 3 (Advanced)
  • Scenario Variant: [Industry/context: Healthcare, Financial, Education, etc.]
  • Organizational Context: [Brief description of fictional organization]
  • Primary Stakes: [What’s at risk: data, operations, compliance, reputation]
  • Recommended Formats: Quick Demo / Lunch & Learn / Full Game / Advanced Challenge
  • Essential NPCs: [2-3 key NPCs that must appear]
  • Optional NPCs: [4-6 additional NPCs for depth]

Scenario Hook

[1-2 sentence compelling opening that sets up tension and context]

Victory Condition

[Clear description of what constitutes successful incident resolution]


2. Game Configuration Templates

Pre-configured settings for different session formats

Quick Demo Configuration (35-40 min)

Pre-Configured Settings:

  • Number of Rounds: 1 round
  • Actions per Player: 1 action
  • Investigation Structure: Guided (IM presents clues on timeline)
  • Response Structure: Pre-defined (IM presents 2-3 clear options)
  • Team Size: 2-3 players (hybrid roles)
  • Success Mechanics: Automatic (good idea = success)
  • Evidence Type: Obvious
  • NPC Count: Essential only (2-3)

Experience Focus: Fast-paced introduction with full storytelling but streamlined gameplay. Perfect for demonstrations and quick evaluations.

Time Breakdown:

  • Introduction & Roles: 5 min
  • Scenario Briefing: 5 min
  • Gameplay: 20 min
  • Quick Debrief: 5 min
  • Q&A: 5 min

Facilitation Notes: Focus on guiding players through core mechanics. Be ready to provide hints to maintain pace. Emphasize narrative and player agency even in guided format.


Lunch & Learn Configuration (60-75 min)

Pre-Configured Settings:

  • Number of Rounds: 2 rounds
  • Actions per Player: 1-2 actions per round
  • Investigation Structure: Guided with player choice
  • Response Structure: Mix of pre-defined and creative approaches
  • Team Size: 3-5 players (standard roles)
  • Success Mechanics: Dice/Cards (simple)
  • Evidence Type: Mixed (obvious and subtle)
  • NPC Count: Standard (3-4)

Experience Focus: Balanced introduction to M&M with guided discovery and some creative problem-solving. Ideal for regular training sessions.

Time Breakdown:

  • Introduction & Roles: 8 min
  • Scenario Briefing: 7 min
  • Round 1: 20 min
  • Round 2: 20 min
  • Standard Debrief: 10 min
  • Q&A: 5 min

Facilitation Notes: Let players explore within structure. Provide options but encourage creative thinking. Balance guidance with discovery.


Full Game Configuration (120-140 min)

Pre-Configured Settings:

  • Number of Rounds: 3 rounds
  • Actions per Player: 2 actions per round
  • Investigation Structure: Open (players choose investigation paths)
  • Response Structure: Creative (players develop their own approaches)
  • Team Size: 4-6 players (full role complement)
  • Success Mechanics: Dice/Cards with modifiers
  • Evidence Type: Mixed (realistic blend)
  • NPC Count: Full cast (4-6)
  • Badge Tracking: On

Experience Focus: Complete immersive M&M experience with player-driven investigation and creative problem-solving. Standard intended experience.

Time Breakdown:

  • Introduction & Roles: 10 min
  • Scenario Briefing: 10 min
  • Round 1 (Discovery): 25 min
  • Round 2 (Investigation): 30 min
  • Round 3 (Response): 25 min
  • Standard Debrief: 10 min
  • Advanced Discussion: 10 min

Facilitation Notes: Act as facilitator allowing independent exploration. Respond dynamically to player choices. Encourage connection to real-world principles.


Advanced Challenge Configuration (180+ min)

Pre-Configured Settings:

  • Number of Rounds: 4+ rounds
  • Actions per Player: 2 actions per round
  • Investigation Structure: Complex multi-threaded
  • Response Structure: Innovative solutions required
  • Team Size: 6+ players (expanded roles or multiple teams)
  • Success Mechanics: Complex (Network Security Status tracking)
  • Evidence Type: Subtle with red herrings
  • Attack Complexity: Multi-stage with evolution
  • NPC Count: Full cast with hidden agendas (6+)
  • Badge Tracking: On with achievements

Experience Focus: Sophisticated challenge for expert teams with complex investigation, innovative response, and advanced facilitation techniques.

Time Breakdown:

  • Introduction & Roles: 15 min
  • Scenario Briefing: 15 min
  • Round 1 (Initial Discovery): 30 min
  • Round 2 (Deep Investigation): 35 min
  • Round 3 (Response Planning): 30 min
  • Round 4 (Execution & Adaptation): 30 min
  • Extended Debrief: 20 min
  • Advanced Discussion: 15 min

Facilitation Notes: Minimal guidance, maximum complexity. Introduce complications and adaptations. Challenge assumptions. Facilitate innovation.


3. Scenario Overview

Opening Presentation

[The dramatic narrative hook you’ll use to start the session. Set the scene, introduce tension, and present the initial situation that brings the team together.]

Initial Symptoms to Present

[Bulleted list of 4-6 initial symptoms or user reports that players will investigate]

  • [Symptom 1: Observable behavior or user report]
  • [Symptom 2: Technical indicator or system issue]
  • [Symptom 3: Business impact or operational concern]
  • [Symptom 4: Timeline clue or temporal pattern]

Organizational Context Details

Organization Profile:

  • Name: [Organization name]
  • Type: [Healthcare, Financial, Education, Government, etc.]
  • Size: [Employee count, locations, scale]
  • Key Assets: [Critical data, systems, or operations]
  • Regulatory Environment: [Relevant compliance requirements]

Cultural Factors:

  • [Organizational culture element that affects security]
  • [Business pressure or constraint creating vulnerability]
  • [Communication pattern or hierarchy affecting response]

Malmon Characteristics in This Scenario

[How this specific Malmon manifests in this organizational context. Include type-specific behaviors and capabilities relevant to this scenario.]

Key Capabilities Demonstrated:

  • [Primary ability and how it affects this organization]
  • [Secondary ability and scenario-specific impact]
  • [Hidden ability that may emerge during session]

Vulnerabilities to Exploit:

  • [Weakness 1 and how defenders can leverage it]
  • [Weakness 2 and organizational resources that target it]

4. NPC Reference

Essential NPCs (Must Include)

NPC 1: [Name and Role]

  • Position: [Job title and organizational responsibility]
  • Personality: [Key personality traits affecting interactions]
  • Agenda: [What they want from the incident response]
  • Knowledge: [Critical information they possess]
  • Pressure Point: [How threat personally affects them]
  • IM Portrayal Notes: [How to roleplay this character effectively]

NPC 2: [Name and Role]

[Same structure as above]

NPC 3: [Name and Role]

[Same structure as above]

Optional NPCs (Add Depth)

NPC 4: [Name and Role]

[Briefer description - can be added if time permits]

NPC 5: [Name and Role]

[Briefer description - can be added if time permits]

NPC 6: [Name and Role]

[Briefer description - can be added if time permits]

NPC Interaction Guidelines

When to introduce NPCs:

  • [Timing and context for NPC 1]
  • [Timing and context for NPC 2]
  • [Timing and context for NPC 3]

How NPCs advance the plot:

  • [How NPCs reveal information or create complications]
  • [How NPC conflicts or cooperation affects team decisions]

5. Investigation Timeline

Guided evidence delivery for structured formats (Quick Demo, Lunch & Learn)

Round 1: Discovery Phase

Automatic Reveals (present to all teams):

  • [Evidence 1: What’s revealed and what it indicates]
  • [Evidence 2: What’s revealed and what it indicates]

Detective Investigation Leads:

  • [Specific evidence Detective role would uncover]
  • [Analysis techniques that reveal this information]

Protector System Analysis:

  • [System-level evidence Protector would discover]
  • [Security tool outputs or system states]

Tracker Network Investigation:

  • [Network traffic patterns or communication evidence]
  • [External connection or command infrastructure details]

Communicator Stakeholder Insights:

  • [Information gathered from user interviews]
  • [Organizational context or cultural factors revealed]

Crisis Manager Coordination Discoveries:

  • [Timeline information or scope assessment data]
  • [Resource constraints or business impact details]

Threat Hunter Proactive Findings:

  • [Advanced indicators or attack patterns identified]
  • [Threat intelligence or attribution clues]

Round 2: Investigation Phase

[Same structure as Round 1, with deeper or escalating evidence]

Round 3: Response Phase

[Evidence that emerges during response attempts, complications, or confirmations]


6. Response Options

Pre-defined approaches for guided formats, inspiration for open formats

Type-Effective Approaches

Most Effective ([Type] Strength):

  • [Approach 1: Description and expected DC/difficulty]
  • [Approach 2: Description and expected success rate]

Moderately Effective:

  • [Approach 3: Description and trade-offs]
  • [Approach 4: Description and partial success outcomes]

Least Effective ([Type] Resistance):

  • [Approach 5: Description and why it struggles]
  • [Why signature detection or other common approach falls short]

Creative Response Guidance

Encourage player innovation in these areas:

  • [Domain 1 where creativity can shine]
  • [Domain 2 where unconventional approaches might work]
  • [Domain 3 where team coordination creates new options]

Common creative solutions players develop:

  • [Creative solution 1 and how to adjudicate it]
  • [Creative solution 2 and potential complications]

7. Round-by-Round Facilitation Guide

Round 1: Discovery

Opening Narration: [Set the scene and present initial situation]

IM Questions to Ask:

  • “[Question prompting investigation]”
  • “[Question encouraging role-based thinking]”
  • “[Question connecting symptoms to threats]”

Expected Player Actions:

  • [Common action 1 and how to resolve it]
  • [Common action 2 and what it reveals]

Malmon Identification Moment: [How to guide team toward recognizing the Malmon type and characteristics]

Round Conclusion: [How to transition to Round 2, what tension to build]

Round 2: Investigation

Situation Update: [How threat has evolved or escalated since Round 1]

IM Questions to Ask:

  • “[Question deepening understanding]”
  • “[Question about scope and impact]”
  • “[Question about organizational context]”

Pressure Points to Introduce:

  • [Time pressure or business constraint]
  • [NPC demand or stakeholder concern]
  • [Technical complication or attack evolution]

Round Conclusion: [How to transition to Round 3, decision point framing]

Round 3: Response

Critical Decision Point: [Frame the key choice teams must make]

IM Questions to Ask:

  • “[Question about strategy selection]”
  • “[Question about risk and trade-offs]”
  • “[Question about coordination and execution]”

Success and Failure Branches:

  • [How to handle successful response]
  • [How to handle partial success]
  • [How to fail forward from failed attempts]

Resolution Narration: [How to wrap up the scenario based on team performance]

Round 4+ (Advanced Challenge Only)

[Additional rounds for complex scenarios with multi-stage responses]


8. Pacing & Timing Notes

Time Management Strategies

If Running Long:

  • [What to skip or abbreviate without losing core experience]
  • [How to fast-forward through less critical moments]
  • [Signals that indicate need to accelerate]

If Running Short:

  • [Complications to add for depth]
  • [NPC interactions to expand]
  • [Additional investigation threads to introduce]

If Team is Stuck:

  • [Specific hints to provide at each stage]
  • [NPC interventions that unstick progress]
  • [Evidence to reveal if investigation stalls]

Engagement Indicators

Positive Signs:

  • [Behavior indicating good engagement]
  • [Discussion patterns showing productive collaboration]

Warning Signs:

  • [Behavior indicating confusion or frustration]
  • [Patterns suggesting need for intervention]

9. Debrief Discussion Points

Critical Learning Objectives

Technical Concepts:

  • [Key cybersecurity concept 1 this scenario teaches]
  • [Key cybersecurity concept 2 this scenario teaches]
  • [Technical skill or knowledge area developed]

Collaboration Skills:

  • [Team coordination aspect highlighted]
  • [Role-based contribution demonstrated]
  • [Communication pattern practiced]

Reflection Questions

Scenario-Specific:

  • “[Question about specific decisions made]”
  • “[Question about organizational context insights]”
  • “[Question about attack vector understanding]”

Real-World Connections:

  • “[Question connecting game to actual incidents]”
  • “[Question about professional application]”
  • “[Question about organizational preparedness]”

MalDex Documentation Prompts

Encourage teams to document:

  • [Specific investigation technique or discovery]
  • [Effective response strategy or innovation]
  • [Organizational vulnerability or lesson learned]
  • [Team coordination insight or best practice]

10. Facilitator Quick Reference

Type Effectiveness Chart

[Include relevant type effectiveness information for this Malmon]

  • [Malmon Type] is strong against: [List]
  • [Malmon Type] is weak against: [List]
  • [Malmon Type] resists: [List]

Common Facilitation Challenges

Challenge 1: [Specific issue] → IM Response: “[Suggested question or intervention]”

Challenge 2: [Specific issue] → IM Response: “[Suggested question or intervention]”

Challenge 3: [Specific issue] → IM Response: “[Suggested question or intervention]”

Dice/Success Mechanics Guidelines

For this scenario:

  • [DC ranges for different action types]
  • [Modifiers based on type effectiveness]
  • [Automatic success conditions]
  • [Automatic failure conditions]

11. Scenario Customization Notes

Difficulty Adjustments

Make Easier:

  • [Specific modification to reduce complexity]
  • [Evidence to make more obvious]
  • [Response option to simplify]

Make Harder:

  • [Complication to add]
  • [Red herring to introduce]
  • [Time pressure to increase]

Industry Adaptations

For Healthcare Context:

  • [Specific HIPAA or patient care considerations]

For Financial Context:

  • [Specific regulatory or fraud considerations]

For Education Context:

  • [Specific FERPA or academic considerations]

For Government Context:

  • [Specific compliance or public trust considerations]

Experience Level Adaptations

For Novice Teams:

  • [Guidance to add]
  • [Concepts to explain explicitly]
  • [Complexity to remove]

For Expert Teams:

  • [Challenge to add]
  • [Assumption to subvert]
  • [Innovation to require]

12. Cross-References

Additional Resources

  • [External resource or real-world incident reference]
  • [MITRE ATT&CK techniques demonstrated]
  • [Professional development connection]

Community Contributions

  • [Link to community-developed variations]
  • [Reference to shared MalDex entries]
  • [Attribution for community-created content]

Notes for IM Customization

[Space for IMs to add their own notes, modifications, or insights from running this scenario]

What worked well:

What to modify next time:

Creative player solutions to remember:

Timing adjustments needed: