Round Transition Scripts
Discovery to Investigation Transition
Malmon Identification Success
“Excellent detective work, team. Based on your investigation - the social engineering, the process injection, the data exfiltration pattern - you’ve identified your adversary.”
Present evidence summary before card reveal:
Team Discovery Summary
“This evidence profile points to one specific threat…”
[Reveal Malmon Card with dramatic flair]
“Meet [Malmon Name] - a [Type] specializing in [primary ability]. You’ve successfully identified the threat, but this is just the beginning.”
Building Urgency for Round 2
“Now that you know what you’re dealing with, you need to understand the full scope of [Malmon Name]’s infiltration. How deep has it penetrated? What’s been compromised? And most importantly - what’s it trying to accomplish?”
Network Security Status Update
“Let’s update our Network Security Status:”
- “Starting position: 100”
- “Time to identification: [adjustment based on performance]”
- “Current active threat: [adjustment for ongoing damage]”
- “Current Status: [new number]”
Stakes Escalation
“[Malmon Name] has been active for [time period], and it’s not going to wait for you to investigate. The clock is ticking.”
Investigation Phase Discovery
“Now that we know we’re dealing with [Malmon Name], what do you think we need to figure out next?”
Guide toward key investigation concepts through their responses:
- “Yes! Understanding the full scope is critical.”
- “Absolutely! We need to know how deep this goes.”
- “Right! Figuring out how this happened will help prevent it recurring.”
- “Good thinking! What might this threat do next?”
“Detective, based on what you’ve learned about [Malmon Name], what’s your first investigative priority?”
Investigation to Response Transition
Evolution Threat Introduction
“Just as you’re getting a comprehensive picture of the damage, your monitoring systems start showing critical alerts…”
Threat Evolution Alert
“[Malmon Name] is attempting to evolve - it’s trying to [specific evolution behavior based on Malmon card]. This changes everything.”
Critical Decision Moment
“You have a critical decision to make as a team: Do you continue investigating to understand the complete scope, or do you shift immediately to active response to prevent evolution?”
Let the group debate this decision naturally - both choices have consequences
Decision Consequences Setup
If they choose continued investigation: “You’ve chosen thoroughness over speed. You’ll have better information for your response, but [Malmon Name] will have more time to establish itself.”
If they choose immediate response: “You’ve chosen speed over complete information. You’ll act quickly to prevent evolution, but you may be working with incomplete intelligence.”
Network Security Status Update
“Based on your investigation findings:”
- “Scope of compromise: [adjustment]”
- “Attack progression: [adjustment]”
- “Team coordination: [adjustment]”
- “Current Network Security Status: [new number]”
Response Phase Discovery
“We’re moving into active response mode. What do you think an incident response team needs to accomplish when facing an active, evolving threat?”
Guide toward key response concepts through their responses:
- “Exactly! Stopping the ongoing damage is critical.”
- “Yes! Containment is a top priority.”
- “Absolutely! Preventing evolution could save us from a much worse situation.”
- “Right! Communication is crucial during active response.”
Type Advantage Reminder
“Remember, [Malmon Name] is a [Type], which means it’s vulnerable to [specific countermeasures]. How can you exploit these weaknesses in your response?”
“Crisis Manager, how does the team coordinate this response?”
Response to Closing Transition
Final Outcome Scenarios
Complete Victory (80+ Network Security Status)
“Outstanding work! Your coordinated response has completely contained [Malmon Name] with minimal impact to the organization.”
Mission Success
“Your use of [specific successful strategies] and exploitation of [Malmon weaknesses] was textbook incident response. The threat is neutralized, systems are secured, and stakeholders are informed.”
“Network Security Status final: [number] - Mission accomplished.”
Partial Victory (60-79 Network Security Status)
“Solid performance under pressure. [Malmon Name] has been contained, though not without some cost to the organization.”
“Your [successful elements] worked well, and you’ve learned valuable lessons about [key insights]. The threat is stopped, systems are being restored, and you’ve prevented a much worse outcome.”
“Network Security Status final: [number] - Threat contained, lessons learned.”
Pyrrhic Victory (40-59 Network Security Status)
“The threat is stopped, but it came at significant cost. This scenario demonstrates the critical importance of [key lessons] in incident response.”
“While [Malmon Name] is no longer active, the impact to [affected systems/data] will require substantial recovery efforts. However, your team prevented what could have been a catastrophic breach.”
“Network Security Status final: [number] - Hard-won victory with important lessons.”
Learning Experience (Below 40 Network Security Status)
“[Malmon Name] proved to be a formidable adversary that challenged your response capabilities. While the outcome wasn’t what we hoped, the learning value is tremendous.”
“This scenario highlights the complexity of real-world incident response and the importance of [key insights]. Every security professional faces scenarios like this - it’s how we learn and improve.”
“Network Security Status final: [number] - Valuable learning experience.”
Evolution Outcomes
If Malmon Successfully Evolved
“During your response, [Malmon Name] successfully evolved into [next form], demonstrating how threats escalate when not quickly contained.”
“However, your coordinated efforts prevented [worse outcome] and you’ve gained valuable experience dealing with advanced persistent threats.”
If Evolution Was Prevented
“Your rapid response successfully prevented [Malmon Name]’s evolution, keeping it from becoming a much more dangerous threat.”
“This demonstrates the critical importance of speed in incident response - catching threats before they can establish deeper persistence.”
Energy Management During Transitions
High Energy Groups
- Move quickly through transitions
- Add complexity or additional challenges
- Dive deeper into technical details
- Encourage advanced scenario exploration
Medium Energy Groups
- Standard pacing with clear objectives
- Emphasize collaborative success
- Build on momentum from previous round
- Maintain engagement with stakes
Low Energy Groups
- Inject urgency and drama
- Simplify objectives and focus
- Celebrate successes more actively
- Add humor or change physical positions
Time Management During Transitions
Running Ahead of Schedule
- Allow more time for team discussion and strategy
- Explore alternative approaches and consequences
- Add complexity to scenarios
- Deeper dive into technical or business aspects
Running Behind Schedule
- Streamline transition explanations
- Focus on key objectives only
- Combine some phases if necessary
- Maintain educational value while accelerating pace
Severe Time Pressure
- Emergency transition mode
- Essential information only
- Focus on core learning objectives
- Promise follow-up discussion if desired
Common Transition Challenges
Group Wants to Keep Investigating in Response Phase
“I understand the desire to gather more information, but [Malmon Name] isn’t waiting for your investigation. In real incident response, you often have to act on incomplete information. What’s your best response given what you know?”
Group Overwhelmed by Complexity
“This is a lot to process - that’s realistic. Real incident response is complex and stressful. Let’s focus on the most critical priority: [specific focus].”
Technical Disagreements During Transitions
“Both approaches have merit. Given our time constraints and the active threat, which would be most effective in our current situation?”
Loss of Character Engagement
“Remember, you’re not just analysts - you’re [character roles] with personal stakes in this outcome. [Character name], how is your character feeling about this development?”
Smooth Transition Techniques
Physical Movement
- Stand up and move during transitions
- Change positions or rearrange seating
- Use whiteboard for visual transitions
- Gesture to emphasize phase changes
Voice and Pace Changes
- Lower voice for dramatic reveals
- Increase pace for urgency
- Pause for emphasis at key moments
- Match energy to desired outcome
Participation Shifts
- Change who speaks first each round
- Rotate leadership or focus
- Ensure everyone contributes to transitions
- Build on previous round contributions
Stakes Evolution
- Escalate consequences each round
- Add new complications or pressures
- Connect to character motivations
- Maintain sense of progress and achievement
Emergency Transition Protocols
When Transitions Fall Flat
- “Let me restart that transition - this is an important moment.”
- Add energy and enthusiasm artificially if needed
- Ask group directly: “How is everyone feeling about moving to [next phase]?”
- Acknowledge if transition feels awkward and move forward
When Group Resists Phase Change
- Acknowledge their interest: “I can see you want to explore this more.”
- Explain necessity: “The threat isn’t waiting, though.”
- Offer compromise: “Let’s address this in [next phase] or during debrief.”
- Use time pressure: “We have [X] minutes to respond before [consequence].”
When Technical Issues Disrupt Transitions
- Continue verbally without visual aids
- Use participant notes as backup
- Acknowledge disruption briefly and move on
- Don’t let technology problems derail energy
Remember: Smooth transitions maintain momentum and engagement. They’re bridges between learning phases, not obstacles to overcome.