Role Cards Reference for Incident Masters
This appendix provides a quick reference for all six incident response roles. Full role cards with gameplay guidance, example bonus actions, and badge alignment are in the Players Handbook individual role pages.
Complete Role Cards Overview
🔍 Detective (Cyber Sleuth)
See the full role card in the Players Handbook: Detective - Cyber Sleuth
🛡️ Protector (Digital Guardian)
See the full role card in the Players Handbook: Protector - Digital Guardian
📡 Tracker (Network Analyst)
See the full role card in the Players Handbook: Tracker - Network Analyst
📢 Communicator (Stakeholder Liaison)
See the full role card in the Players Handbook: Communicator - Stakeholder Liaison
⚡ Crisis Manager (Incident Commander)
See the full role card in the Players Handbook: Crisis Manager - Incident Commander
🎯 Threat Hunter (Proactive Defender)
See the full role card in the Players Handbook: Threat Hunter - Proactive Defender
IM Quick Reference: Role Strengths & Modifiers
Role Modifier Quick Reference Table
| Role | +3 Bonus | +2 Bonus | +1 Bonus |
|---|---|---|---|
| 🔍 Detective | Forensic Analysis | Pattern Recognition | Documentation |
| 🛡️ Protector | Containment | Security Architecture | Business Continuity |
| 📡 Tracker | Network Analysis | Data Tracking | Infrastructure Mapping |
| 📢 Communicator | Stakeholder Management | Crisis Communication | Compliance |
| ⚡ Crisis Manager | Coordination | Strategic Planning | Escalation Management |
| 🎯 Threat Hunter | Threat Detection | Intelligence Analysis | Attack Prediction |
Role Strengths at a Glance
- 🔍 Detective: Pattern recognition, evidence analysis, timeline construction
- 🛡️ Protector: Containment, security architecture, business continuity
- 📡 Tracker: Network analysis, data flow tracking, infrastructure mapping
- 📢 Communicator: Stakeholder management, crisis communication, compliance
- ⚡ Crisis Manager: Coordination, strategic planning, resource allocation
- 🎯 Threat Hunter: Advanced detection, intelligence analysis, attack prediction
Facilitation Tips by Role
Encouraging Balanced Participation
When Roles Dominate:
- Detective dominating: “Great analysis - how might other roles use this evidence?”
- Protector rushing: “What do other roles need to know before we contain?”
- Tracker getting technical: “How does this network data impact our response strategy?”
- Communicator over-managing: “What do the technical roles need to investigate first?”
- Crisis Manager micro-managing: “Let’s hear the specialist perspectives before coordinating.”
- Threat Hunter rabbit-holing: “What immediate threats need the team’s attention now?”
When Roles Withdraw:
- Detective quiet: “What patterns or anomalies stand out to you here?”
- Protector passive: “How would you protect our critical systems right now?”
- Tracker disconnected: “What network activity concerns you most?”
- Communicator silent: “Who needs to know about these developments?”
- Crisis Manager absent: “How should we prioritize these response activities?”
- Threat Hunter unfocused: “What aren’t we seeing that we should be looking for?”
Role-Specific Questions to Ask
🔍 Detective Activation:
- “What story do these clues tell you?”
- “What patterns does this remind you of?”
- “How would you build a timeline of this attack?”
🛡️ Protector Activation:
- “What’s your biggest security concern right now?”
- “How do we stop this from spreading?”
- “What systems need immediate protection?”
📡 Tracker Activation:
- “Where is this data going?”
- “What network activity looks suspicious?”
- “How is this threat moving through our systems?”
📢 Communicator Activation:
- “Who needs to know about this development?”
- “How would you explain this to executive leadership?”
- “What are the business implications?”
⚡ Crisis Manager Activation:
- “How should we prioritize these response activities?”
- “What resources do we need to coordinate?”
- “What’s our overall strategy here?”
🎯 Threat Hunter Activation:
- “What else might be hiding that we haven’t found?”
- “What would a sophisticated attacker do next?”
- “What intelligence can help us get ahead of this threat?”
Team Composition Guidelines
For 4-Player Teams
Essential Core:
- 🔍 Detective (investigation and analysis)
- 🛡️ Protector (containment and security)
- 📢 Communicator (stakeholder management)
- ⚡ Crisis Manager (coordination)
Alternative Configurations:
- Replace Crisis Manager with 📡 Tracker for network-heavy scenarios
- Replace Crisis Manager with 🎯 Threat Hunter for sophisticated threats
For 5-Player Teams
Recommended Additions:
- Core four + 📡 Tracker for network-focused incidents
- Core four + 🎯 Threat Hunter for APT scenarios
- Allow team to choose based on interests and scenario type
For 6-Player Teams
Full Coverage: All six roles provide maximum perspective diversity and comprehensive incident response coverage.
For Teams with Role Overlap
Managing Multiple Players in Same Role:
- Assign specialized focus areas (junior/senior, different systems)
- Create complementary responsibilities (analysis vs. communication)
- Use geographical or departmental divisions
- Emphasize different aspects of the role’s capabilities
This reference ensures IMs can quickly understand each role’s mechanical benefits, behavioral tendencies, and optimal activation strategies for balanced, engaging facilitation.