Role Cards Reference for Incident Masters

This appendix provides complete role cards for all six incident response roles. Use these during facilitation to understand each role’s strengths, focus areas, modifiers, and roleplay guidance. These are identical to the cards in the Players Handbook for easy cross-reference.

Complete Role Cards Overview

🔍 Detective (Cyber Sleuth)

🎭 Archetype

"I see patterns others miss. Every attack tells a story."

💪 Strengths

• Pattern Recognition: Spotting anomalies in logs and behavior
• Evidence Analysis: Connecting clues into attack timelines
• Digital Forensics: Understanding attack artifacts
• Timeline Construction: Building accurate chronologies

🎯 Focus Areas

• System logs and process executions
• Attack vector analysis and entry points
• Evidence preservation and indicator of compromise (IoC) development
• Attack attribution and technique identification

🎪 Roleplay Tips

• Be curious about details others might skip
• Ask 'what does this remind you of?' when examining evidence
• Share your thought process: 'This pattern suggests...'
• Connect current findings to previous experiences

🎲 Game Modifiers

• +3 Forensic Analysis: Log analysis, timeline construction, evidence correlation
• +2 Pattern Recognition: Identifying anomalies, connecting disparate clues
• +1 Documentation: Creating detailed incident records, IoC development

🛡️ Protector (Digital Guardian)

🎭 Archetype

"Not on my watch. Every system is someone I'm protecting."

💪 Strengths

• Security Architecture: Understanding defensive systems
• Threat Containment: Stopping attacks in progress
• Access Control: Managing permissions and restrictions
• Incident Isolation: Preventing spread of compromise

🎯 Focus Areas

• Network segmentation and isolation
• Security tool configuration and deployment
• Backup systems and recovery procedures
• Access control and privilege management

🎪 Roleplay Tips

• Think defensively: 'How do we stop this now?'
• Consider business continuity in every decision
• Be protective of critical assets
• Focus on immediate containment before analysis (but coordinate with the Detective so containment does not destroy evidence)

🎲 Game Modifiers

• +3 Containment: Network isolation, access controls, system hardening
• +2 Security Architecture: Defensive design, control implementation
• +1 Business Continuity: Backup systems, recovery planning

📡 Tracker (Network Analyst)

🎭 Archetype

"I follow the digital breadcrumbs wherever they lead."

💪 Strengths

• Network Analysis: Understanding traffic patterns and flows
• Data Flow Tracking: Following information through systems
• Communication Monitoring: Detecting command-and-control (C2) traffic and exfiltration
• Infrastructure Mapping: Understanding network relationships

🎯 Focus Areas

• Network traffic and communication patterns
• Data exfiltration and C2 channels
• Lateral movement detection
• Infrastructure and connection analysis

🎪 Roleplay Tips

• Think in terms of flows and connections
• Ask 'where is this data going?' and 'what is calling home?'
• Visualize the network in your explanations
• Focus on movement and communication patterns

🎲 Game Modifiers

• +3 Network Analysis: Traffic monitoring, flow analysis, connection tracking
• +2 Data Tracking: Exfiltration detection, data flow mapping
• +1 Infrastructure Mapping: Network topology, system relationships

📢 Communicator (Stakeholder Liaison)

🎭 Archetype

"I translate tech-speak into human-speak and back again."

💪 Strengths

• Stakeholder Management: Coordinating with leadership and teams
• Crisis Communication: Clear messaging during high-stress situations
• Regulatory Compliance: Understanding notification requirements
• Risk Translation: Explaining technical impacts in business terms

🎯 Focus Areas

• Executive and management communication
• User and employee notifications
• External vendor and partner coordination
• Regulatory and legal compliance communication

🎪 Roleplay Tips

• Always consider 'who needs to know?' about developments
• Translate technical details into business impact
• Think about timing and messaging of communications
• Balance transparency with operational security

🎲 Game Modifiers

• +3 Stakeholder Management: Executive reporting, external coordination
• +2 Crisis Communication: Clear messaging, impact translation
• +1 Compliance: Regulatory requirements, legal notifications

⚡ Crisis Manager (Incident Commander)

🎭 Archetype

"I coordinate chaos into coordinated response."

💪 Strengths

• Resource Allocation: Deploying people and tools effectively
• Priority Management: Deciding what's most important right now
• Team Coordination: Keeping everyone working toward common goals
• Decision Making: Making calls when information is incomplete

🎯 Focus Areas

• Response coordination and resource allocation
• Prioritization and decision making under pressure
• Escalation management and authority interfaces
• Overall incident strategy and planning

🎪 Roleplay Tips

• Think strategically about resource allocation
• Keep the big picture in mind during technical discussions
• Don't hesitate to make decisions with incomplete information
• Focus on coordination rather than doing everything yourself

🎲 Game Modifiers

• +3 Coordination: Team management, resource allocation, priority setting
• +2 Strategic Planning: Incident strategy, decision making
• +1 Escalation Management: Authority interfaces, leadership communication

🎯 Threat Hunter (Proactive Defender)

🎭 Archetype

"I hunt threats before they know they're being hunted."

💪 Strengths

• Advanced Detection: Finding sophisticated and hidden threats
• Attack Prediction: Anticipating threat behavior and evolution
• Intelligence Analysis: Using threat intelligence effectively
• Proactive Defense: Stopping attacks before they cause damage

🎯 Focus Areas

• Hidden threat detection and hunting
• Threat intelligence and attribution analysis
• Attack prediction and evolution assessment
• Advanced persistent threat (APT) investigation

🎪 Roleplay Tips

• Think beyond the immediate threat: 'What else might be here?'
• Use threat intelligence to predict attacker next moves
• Be proactive: look for what hasn't been found yet
• Consider the broader campaign beyond this incident

🎲 Game Modifiers

• +3 Threat Detection: Advanced hunting, hidden threat discovery
• +2 Intelligence Analysis: Attribution, campaign analysis
• +1 Attack Prediction: Evolution assessment, behavior forecasting

IM Quick Reference: Role Strengths & Modifiers

Role Modifier Quick Reference Table

Role             | +3 Bonus               | +2 Bonus              | +1 Bonus
🔍 Detective      | Forensic Analysis      | Pattern Recognition   | Documentation
🛡️ Protector      | Containment            | Security Architecture | Business Continuity
📡 Tracker        | Network Analysis       | Data Tracking         | Infrastructure Mapping
📢 Communicator   | Stakeholder Management | Crisis Communication  | Compliance
⚡ Crisis Manager | Coordination           | Strategic Planning    | Escalation Management
🎯 Threat Hunter  | Threat Detection       | Intelligence Analysis | Attack Prediction

Role Strengths at a Glance

  • 🔍 Detective: Pattern recognition, evidence analysis, timeline construction
  • 🛡️ Protector: Containment, security architecture, business continuity
  • 📡 Tracker: Network analysis, data flow tracking, infrastructure mapping
  • 📢 Communicator: Stakeholder management, crisis communication, compliance
  • ⚡ Crisis Manager: Coordination, strategic planning, resource allocation
  • 🎯 Threat Hunter: Advanced detection, intelligence analysis, attack prediction

Facilitation Tips by Role

Encouraging Balanced Participation

When Roles Dominate:

  • Detective dominating: “Great analysis: how might other roles use this evidence?”
  • Protector rushing: “What do other roles need to know before we contain?”
  • Tracker getting technical: “How does this network data impact our response strategy?”
  • Communicator over-managing: “What do the technical roles need to investigate first?”
  • Crisis Manager micro-managing: “Let’s hear the specialist perspectives before coordinating.”
  • Threat Hunter rabbit-holing: “What immediate threats need the team’s attention now?”

When Roles Withdraw:

  • Detective quiet: “What patterns or anomalies stand out to you here?”
  • Protector passive: “How would you protect our critical systems right now?”
  • Tracker disconnected: “What network activity concerns you most?”
  • Communicator silent: “Who needs to know about these developments?”
  • Crisis Manager absent: “How should we prioritize these response activities?”
  • Threat Hunter unfocused: “What aren’t we seeing that we should be looking for?”

Role-Specific Questions to Ask

🔍 Detective Activation:

  • “What story do these clues tell you?”
  • “What patterns does this remind you of?”
  • “How would you build a timeline of this attack?”

🛡️ Protector Activation:

  • “What’s your biggest security concern right now?”
  • “How do we stop this from spreading?”
  • “What systems need immediate protection?”

📡 Tracker Activation:

  • “Where is this data going?”
  • “What network activity looks suspicious?”
  • “How is this threat moving through our systems?”

📢 Communicator Activation:

  • “Who needs to know about this development?”
  • “How would you explain this to executive leadership?”
  • “What are the business implications?”

⚡ Crisis Manager Activation:

  • “How should we prioritize these response activities?”
  • “What resources do we need to coordinate?”
  • “What’s our overall strategy here?”

🎯 Threat Hunter Activation:

  • “What else might be hiding that we haven’t found?”
  • “What would a sophisticated attacker do next?”
  • “What intelligence can help us get ahead of this threat?”

Team Composition Guidelines

For 4-Player Teams

Essential Core:

  • 🔍 Detective (investigation and analysis)
  • 🛡️ Protector (containment and security)
  • 📢 Communicator (stakeholder management)
  • ⚡ Crisis Manager (coordination)

Alternative Configurations:

  • Replace Crisis Manager with 📡 Tracker for network-heavy scenarios
  • Replace Crisis Manager with 🎯 Threat Hunter for sophisticated threats
  • If the Crisis Manager is swapped out, have another player (or the IM) explicitly own coordination and prioritization so those decisions are still made

For 5-Player Teams

Recommended Additions:

  • Core four + 📡 Tracker for network-focused incidents
  • Core four + 🎯 Threat Hunter for APT scenarios
  • Allow team to choose based on interests and scenario type

For 6-Player Teams

Full Coverage: All six roles provide maximum perspective diversity and comprehensive incident response coverage.

For Teams with Role Overlap

Managing Multiple Players in Same Role:

  • Assign specialized focus areas (junior/senior, different systems)
  • Create complementary responsibilities (analysis vs. communication)
  • Use geographical or departmental divisions
  • Emphasize different aspects of the role’s capabilities

This reference ensures IMs can quickly understand each role’s mechanical benefits, behavioral tendencies, and optimal activation strategies for balanced, engaging facilitation.