Action Resolution Card
Print, laminate, and hold in hand during the session. This is the core mechanic you run whenever the IC proposes a containment action.
When the IC Orders an Action
Use this framework when no pre-built action card matches the ICβs action. If a matching action card exists, pull it instead β skip to step 4 (roll) and read the outcome from the card.
1 βWhich team owns this?β Team lead answers. They assess the action.
2 βWhatβs the difficulty?β Team assesses: Easy (5+) / Medium (10+) / Hard (15+)
3 βWhat happens if it goes wrong?β Team states the specific risk.
4 Roll d20 + modifiers
5 Read the outcome:
- Success (meet or beat target) = Action works as intended.
- Partial (miss by 1-3) = Action works, BUT the risk they named happens too.
- Failure (miss by 4+) = The risk they named happens. Action does not succeed.
- Critical (natural 20 or beat by 8+) = Action works perfectly + bonus insight.
6 IC updates the whiteboard.
Modifiers
| Condition | Modifier |
|---|---|
| All 3 teams briefed before action | +2 |
| Team provided written rationale | +1 |
| Team identified this specific risk in advance | Advantage (roll twice, take higher) |
When to Roll β When NOT to Roll
Roll when the action has meaningful risk AND uncertain outcome. Examples: isolate a server, revoke a credential, take a system offline, share IoCs.
Donβt roll when the action is information gathering or has no consequence for failure. Examples: check SIEM logs, read an artifact card, brief a team, write a status report.
Rule of thumb: βDoes this action have a consequence if it fails?β If yes, roll. If no, it just happens.