Large Group Facilitator Guide: Winnti – Biotech R&D Espionage
Quick Reference
- Format: Multi-Team Coordination
- Session length: ~120 min + 30 min debrief
- Teams: Alpha (Forensics) / Bravo (Network/Infrastructure) / Charlie (Threat Intel & Recovery)
- Organization: BioGenix Solutions (Danish biosolutions firm, 1,800 employees) – DK variant only
- Expertise level: Expert (recommended for IMs with 3+ standard sessions)
- IC structure: Two ICs, mid-session handover after Round 2 cross-team briefing (guardrail: T+70)
- Central dilemma: Preserve forensic evidence for counterintelligence value vs. immediate eradication – and how far has the attacker already spread?
Two guides, different purposes. This document is the per-scenario guide – opening script, round-by-round notes, artifact table, NPC lines, and debrief questions specific to Winnti. Reference this during the session. The Large Group Facilitation Guide is the format-agnostic guide – IC management tactics, room setup, distribution system, and the facilitator’s cheat sheet concept. It applies to any Multi-Team Coordination session regardless of scenario. Read both before your first session. A third document, the Session Preparation and Execution Guide, is a chronological checklist from room booking through post-session review.
Reading this guide
If reading for the first time, read this guide straight through to build your mental model. On your second pass or the night before the session, use the Packing Checklist at the bottom to prepare your materials and build your facilitator’s cheat sheet.
See the consolidated cheat sheet concept in the Large Group Facilitation Guide for the cheat sheet template. See the Session Preparation and Execution Guide for room setup and day-of execution.
Dice
In large group format, the person running the session is the facilitator, not the Incident Master (IM). The IM role from standard play does not exist here – the facilitator manages the room, the ICs, and the mechanics, but does not play a character in the scenario.
The standard M&M rule applies: any IC decision where the outcome is uncertain warrants a roll. In large group format, roll moments cluster around IC decisions rather than individual player actions – teams analyse fixed artifact cards, but the IC’s operational calls have uncertain outcomes. The facilitator is selective about which moments to invoke the rule. The roll points below are recommended; others may arise naturally.
- Dual-IC handover: The handover creates natural pressure – no mechanical modifier needed
- Dual-IC note: IC #1 rolls in Rounds 1-2. IC #2 rolls in Round 4. The IC handover itself is not a dice moment.
- Advantage triggers when all 3 teams and the outgoing IC have aligned on a recommendation before the incoming IC calls it.
How outcomes work: Roll a d20, add modifiers, compare to target. Meet or beat the target = Success. Miss by 1-3 = Partial (the call holds but with a complication). Miss by 4+ = Failure (the call doesn’t hold – introduce a consequence). Beat by 8+ or roll a natural 20 = Critical (full success plus a bonus). A roll point is a moment where the IC makes a decision with an uncertain outcome and the facilitator calls for a d20 roll.
Recommended Roll Points:
Roll 1 – Credential Revocation (Round 1-2, IC #1 orders svc-rdbridge-admin revoked)
- Target: Medium (Success: 10+, Partial: 7-9, Failure: 6 or below)
- Modifiers: +1 if all 3 teams briefed IC before the call
| Outcome | What happens |
|---|---|
| Success | Clean revocation, all sessions terminated immediately |
| Partial | Revoked but one active session persists for 10 more minutes before timeout – attacker has a final access window |
| Failure | Revocation triggers a visibility event; the attacker notices and accelerates data access before the window closes |
Roll 2 – Exception Closure (Round 2, IC #1 orders COLLBRIDGE-EXCL-003 closed) – optional, skip if time is tight
- Target: Medium (Success: 10+, Partial: 7-9, Failure: 6 or below)
- Modifiers: +1 if all 3 teams briefed IC before the call
| Outcome | What happens |
|---|---|
| Success | Exception closed cleanly, Collaborative Bridge moves to modern auth |
| Partial | Exception closed but 2 legitimate integration workflows break – IT needs 24 hours to reconfigure |
| Failure | Closing the exception locks out 3 legitimate service accounts. 2 hours of business disruption while IT reconfigures. |
Roll 3 – Preserve vs. Eradicate (Round 4, IC #2 makes the call on HANSEN-SAP-01)
- Target: Hard (Success: 15+, Partial: 12-14, Failure: 11 or below)
- Modifiers: +2 if response matches malmon type (preservation is correct for Winnti/Bug type – patient, intelligence-driven response), +1 if all 3 teams briefed, Advantage if all 3 teams + IC #1 aligned on recommendation
| Outcome | What happens |
|---|---|
| Critical | Memory image captured cleanly. CFCS confirms it is the best artifact in the campaign. Chain of custody is airtight. |
| Success | Preservation works as planned. Memory image and kernel driver secured. |
| Partial | Memory image captured but one process log corrupted during isolation. Evidence is usable but incomplete. |
| Failure | Isolation triggered before image was complete. Kernel driver artifact is degraded. CFCS can still work with it but confidence drops. The active R&D data transfer continues uninterrupted during the delay. |
21 Artifacts at a Glance
Investigation is triggered by a CFCS tip-off – indicators from a European campaign match BioGenix infrastructure. Six injects, Expert difficulty, IC handover after Round 2 cross-team briefing.
| Tier | Team | Card | Key Content |
|---|---|---|---|
| R1 | Alpha | Initial Indicator 1: HANSEN-SAP-01 System Profile | 3 years unpatched; no EDR; no monitoring; decommission 18 months overdue; CaliSyncPro v4.2.0 installed; valid certificate (OCSP/CRL clean) |
| R1 | Alpha | Initial Indicator 2: Azure AD Sign-In Anomaly | svc-rdbridge-admin from HANSEN-SAP-01; Risk: HIGH; CA: BYPASSED (COLLBRIDGE-EXCL-003) |
| R1 | Bravo | Initial Indicator 1: Collaborative Bridge VPN Connection Log | NTLM auth from HANSEN-SAP-01 to cloud R&D; no MFA; off-hours; active right now |
| R1 | Bravo | Initial Indicator 2: HANSEN-SAP-01 Outbound Traffic Log | C2 beacon pattern to 203.0.113.44:443 with SNI spoofing (graph.microsoft.com); large transfers on Apr 15 |
| R1 | Charlie | Initial Indicator 1: CFCS Tip-Off: European Life Sciences Campaign Advisory | Full advisory with IoCs, TTPs, sector context; investigation trigger |
| R1 | Charlie | Initial Indicator 2: Threat Intelligence Platform: CFCS Indicator Enrichment | Surface-level WHOIS, DNS, passive DNS; domain rotation pattern visible |
| R2 | Alpha | Deep Analysis 1: HANSEN-SAP-01 Memory Forensics Output | Hidden PID 4028 with active C2 to 203.0.113.44:443; DKOM hook; 5 hidden processes |
| R2 | Alpha | Deep Analysis 2: Supply Chain Delivery Analysis | Valid cert, legitimate portal, malicious payload – forensic paradox; vendor notification decision |
| R2 | Alpha | Deep Analysis 3: Pass-the-Hash Authentication Forensics | 6 sessions, 0 interactive logons, 0 Kerberos TGTs; NTLM hash reuse confirmed |
| R2 | Bravo | Deep Analysis 1: Collaborative Bridge Lateral Movement Log | 6 NTLM sessions Mar–Apr; all off-hours; all bypassing CA via COLLBRIDGE-EXCL-003 |
| R2 | Bravo | Deep Analysis 2: Azure Conditional Access Bypass Detail | Exception created 2024-11-14; never reviewed; no expiry; CTO approved |
| R2 | Bravo | Deep Analysis 3: Legacy Auth Exception Policy Record | ITSM-29847 timeline; unassigned owner; patching paused; SOC excluded |
| R2 | Charlie | Deep Analysis 1: GenixLibrary Access Logs | Raw access log entries; off-hours svc-rdbridge-admin sessions among legitimate traffic |
| R2 | Charlie | Deep Analysis 2: C2 Infrastructure Enrichment Report | Domain patterns, passive DNS, UTC+8 tempo, Chinese-nexus indicators; attribution puzzle piece |
| R2 | Charlie | Deep Analysis 3: CFCS Cross-Victim Intelligence Update | Anonymized data from 3 European victims; dwell times, volumes, common patterns |
| R4 | Alpha | Development 1: Rootkit Capability Analysis | API imports, hooked system calls, behavioral observations reveal a purpose-built espionage toolkit targeting life sciences file types with hardcoded GenixLibrary paths; changes “generic theft” to “targeted collection escalation” |
| R4 | Alpha | Development 2: Lateral Movement Scope Expansion | PID 4036 enumerated 3 targets; HANSEN-SAP-02 partial compromise; containment scope expands |
| R4 | Bravo | Development 1: Outbound HTTPS Traffic Analysis | ~7 GB historical (Mar 20–Apr 14) + active ongoing R&D data transfer (~2-3 GB so far); graph-api-sync.bioanalytics.net |
| R4 | Bravo | Development 2: DLP Classification Failure Detail | 3 independent DLP gaps; active R&D data transfer undetected |
| R4 | Charlie | Development 1: Recovery Prioritization and Containment Verification | Containment status checklist; recovery sequence; vendor notification + CFCS sharing + GenixLibrary decisions |
| R4 | Charlie | Development 2: Campaign Scope and Attribution Consolidation | Attribution synthesis template; impact summary; CFCS coordination status |
Opening Delivery
The opening sets the scene and puts teams into the moment. The cards deliver the findings – the opening should not summarize card content. Keep it minimal: who they are, why they are here, and the instruction to begin.
Brief both ICs before session open. Both ICs need to understand the SBAR handover card (see below) before the session begins.
Hand each IC their printed briefing card (page 1 of the IC Cards). Then deliver the scenario-specific context verbally:
Your teams are investigating CFCS indicators that match your infrastructure. Your task is to determine: are we compromised, and where is the active threat right now?
You are inheriting a mid-incident command. Your printed card explains the SBAR handover process. You will leave the room now and return only when called for the handover.
IC #2 returns only when called back for the handover after Round 2. This ensures the handover is genuine – IC #2 depends entirely on IC #1’s structured communication to understand the situation. If IC #2 has been in the room observing, they already know what happened and the handover becomes performative.
“It is Thursday afternoon at BioGenix Solutions. CFCS contacted your CISO a couple of hours ago with intelligence from a European campaign – indicators match your infrastructure. Your teams are assembled to investigate. Turn over your cards.”
Critical note for opening: Do not say “the attacker is in.” The framing must stay in symptoms – teams should arrive at “live attacker access” through their analysis of the cards, not from the opening script.
IC Handover (After Round 2 Cross-Team Briefing)
The handover is triggered by an event: the Round 2 cross-team briefing is complete. When the compromise is confirmed but the full scope is not yet known, IC #1 briefs IC #2 using SBAR format. If the Round 2 briefing has not completed by T+70, compress and move to handover.
The handover uses SBAR (Situation, Background, Assessment, Recommendation) — a structured briefing format used in healthcare and incident management for high-stakes handovers. It is combined with a key principle from ICS Transfer of Command: IC #2 decides when they are ready to assume command, not IC #1.
Five minutes before the handover: Hand IC #1 their SBAR card. Call IC #2 back into the room and hand them their card. Facilitator stays silent during the entire transfer.
Print the IC Handover Cards before the session — one A4 page, cut in half. IC #1 gets the SBAR briefing card (top half). IC #2 gets the incoming commander card (bottom half).
IC #1 briefs IC #2 using SBAR: Situation, Background, Assessment, Recommendation. IC #2 listens, then decides when to accept command. The transfer is not complete until IC #2 says: “I have command.”
After IC #2 accepts, the facilitator asks: “What do you still not know?”
If IC #2 cannot answer that question, the handover lacked depth — note it for debrief. If IC #2 delays accepting command because the briefing was insufficient, that is also a finding — and a good one.
Round-by-Round Facilitation Notes
These notes are preparation reading. During the session, use your facilitator’s cheat sheet – it contains the navigation prompts, NPC triggers, and timing checkpoints you need.
Round 1 – Initial Indicators
Released: 2 cards per team
Alpha finds: HANSEN-SAP-01 system profile showing a neglected legacy server – 3 years unpatched, no EDR, no monitoring, decommission 18 months overdue, CaliSyncPro v4.2.0 installed with valid certificate; Azure AD HIGH risk sign-in from HANSEN-SAP-01 with CA bypassed
Bravo finds: Active Collaborative Bridge NTLM session from HANSEN-SAP-01 right now; HANSEN-SAP-01 outbound traffic showing C2 beacon pattern to 203.0.113.44 with SNI spoofing and large data transfers
Charlie finds: CFCS advisory describes campaign TTPs; initial TI enrichment shows C2 infrastructure with previous campaign history on same IP; cross-references CFCS indicators against Alpha and Bravo findings
IC synthesis: Bravo confirms the CFCS indicators are live in the environment – HANSEN-SAP-01 is providing active cloud R&D access right now and its outbound traffic matches the C2 pattern from the CFCS advisory. Alpha’s system profile reveals a neglected legacy server with the compromised software installed. Charlie has the CFCS campaign intelligence and can confirm: what Alpha and Bravo found matches the advisory TTPs. The IC must connect: “HANSEN-SAP-01 is the active threat – a forgotten server with no monitoring, running compromised software, beaconing to attacker infrastructure.”
Facilitator navigation prompt (if teams are still reading after initial analysis period): “CFCS flagged indicators matching your infrastructure. Ask Bravo: are those indicators live right now? Ask Alpha: what does the HANSEN-SAP-01 system profile tell you about why this server was vulnerable? Ask Charlie: how do the CFCS advisory TTPs match what Alpha and Bravo are finding?”
End-of-round check: Has the IC identified HANSEN-SAP-01 as the active threat? Has anyone raised the need to preserve memory before isolating?
Guardrail: 20–25 min. Advance when IC has identified the active attack path.
Round 2 – Deep Analysis, First Pass
Released: 3 cards per team at start of Round 2
Alpha finds: 5 hidden processes on HANSEN-SAP-01 via DKOM hook; PID 4028 has active C2 connection; certificate is valid but payload is malicious – supply chain compromise confirmed; Pass-the-Hash pattern confirmed across all 6 sessions
Bravo finds: Full 3-4 week lateral movement log – 6 NTLM sessions all off-hours, all bypassing CA; COLLBRIDGE-EXCL-003 has no expiry, no review, no security sign-off; ITSM-29847 governance failure chain
Charlie finds: Raw GenixLibrary access logs showing off-hours activity by svc-rdbridge-admin; deep C2 enrichment with UTC+8 operational tempo and Chinese-nexus hosting; CFCS cross-victim intelligence showing campaign scope and dwell times at other targets
IC synthesis: Three independent parallel decisions now visible: (1) forensic preservation before isolation (Alpha); (2) close credential and exception gap simultaneously (Bravo); (3) cross-reference CFCS advisory against findings and begin building attribution picture (Charlie). None of these decisions blocks the others.
Facilitator navigation prompt: “You have three briefings in front of you. How do Alpha and Bravo’s findings compare against the CFCS advisory indicators – and which containment decisions can run in parallel?”
Red flag to watch: If any team proposes reimaging HANSEN-SAP-01 before Alpha briefs the memory forensics card, play the CISO NPC line immediately: “We will lose the kernel driver artifact if we do that now. CFCS has already asked for it.”
Guardrail: 25 min. Advance when IC has synthesized all three team briefings.
Round 3 – IC #2 Onboarding (After Handover)
Released: 1 card per team at start of Round 3. IC #2 is now in command.
Alpha (A-R3-1): Kernel driver activity timeline gap – a 47-second gap in the rootkit’s activity log during the memory capture window. Either anti-forensics or firmware micro-reboot. Alpha must reason about evidence integrity under uncertainty. Does the gap change their operational decisions? Should they disclose it to CFCS?
Bravo (B-R3-1): Historical NetFlow baseline – 6-month traffic comparison shows a 30-50% increase in Collaborative Bridge traffic that coincides with a documented ITSM migration, not the attacker. Bravo must confront detection difficulty: aggregate monitoring would not have caught this. Per-account decomposition is the only way.
Charlie (C-R3-1): C2 infrastructure rotation alert – a previously dormant domain from the CFCS indicator package has rotated to a new IP in the same ASN as the confirmed C2. Charlie should brief the IC immediately and coordinate with Bravo to block the new IP preemptively.
IC #2 synthesis: This is IC #2’s orientation round. The cards deepen understanding without requiring major new decisions. IC #2 should use this round to: verify the whiteboard status inherited from IC #1, ask teams to confirm what has been executed vs. what was only discussed, and call for a briefing when ready.
Facilitator navigation prompt: If IC #2 is hesitant, use the intervention ladder. “What is the minimum you need to make a provisional decision?” Give them space – the handover is meant to be uncomfortable.
Guardrail: 17 min. Advance when IC #2 calls their first briefing.
Before releasing R4 cards, check: Has IC #2 confirmed containment status on the whiteboard? Has Charlie briefed an attribution assessment? These are prerequisites for the R4 phase.
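Bravo's R3 card makes the detection point that the aggregate NetFlow baseline cannot separate a documented migration from the attacker, and the R4 DLP card adds that per-session volume never tripped a threshold. The script below is an added illustration, not part of the scenario materials: it runs the per-account decomposition over constructed session records, so the aggregate growth lands in the 30-50% band the migration explains while the decomposition isolates the one account whose sessions are all off-hours and all NTLM. Account names, volumes, the 500 MB per-session DLP threshold and the 07:00-18:59 business-hours window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Collaborative Bridge session records for one month (not from the
# scenario cards): (account, session start in local time, bytes out, auth type).
SESSIONS = [
    ("a.nielsen",          "2025-04-01 09:12",   420_000_000, "Kerberos"),
    ("a.nielsen",          "2025-04-02 10:40",   380_000_000, "Kerberos"),
    ("m.larsen",           "2025-04-01 14:05",   510_000_000, "Kerberos"),
    ("m.larsen",           "2025-04-03 15:30",   470_000_000, "Kerberos"),
    ("svc-migration",      "2025-04-02 11:00", 1_100_000_000, "Kerberos"),  # documented ITSM migration job
    ("svc-migration",      "2025-04-04 13:20", 1_000_000_000, "Kerberos"),
    ("svc-rdbridge-admin", "2025-04-02 02:17",   110_000_000, "NTLM"),      # off-hours, NTLM, small sessions
    ("svc-rdbridge-admin", "2025-04-04 03:05",    95_000_000, "NTLM"),
    ("svc-rdbridge-admin", "2025-04-06 01:48",   120_000_000, "NTLM"),
]

# Constructed 6-month monthly average for the same link (the "baseline").
BASELINE_BYTES = 3_000_000_000

# Per-session DLP volume threshold assumed for the illustration.
DLP_SESSION_THRESHOLD = 500_000_000

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local counts as business hours (assumption)


def aggregate_growth_pct(sessions, baseline_bytes, exclude=()):
    """Percent change of total link volume against the baseline.

    This is what a NetFlow baseline comparison sees: one number for the whole
    link. 'exclude' lets the caller ask what the number would be without a
    given account, which the aggregate view alone cannot tell you.
    """
    total = sum(nbytes for acct, _, nbytes, _ in sessions if acct not in exclude)
    return round((total - baseline_bytes) / baseline_bytes * 100, 1)


def per_account_profile(sessions):
    """Decompose the link into per-account behaviour.

    Returns, per account: session count, total bytes, largest single session,
    and the share of sessions that were off-hours and that used NTLM.
    """
    raw = defaultdict(lambda: {"sessions": 0, "bytes": 0, "max_session": 0,
                               "off_hours": 0, "ntlm": 0})
    for acct, start, nbytes, auth in sessions:
        hour = datetime.strptime(start, "%Y-%m-%d %H:%M").hour
        s = raw[acct]
        s["sessions"] += 1
        s["bytes"] += nbytes
        s["max_session"] = max(s["max_session"], nbytes)
        s["off_hours"] += int(hour not in BUSINESS_HOURS)
        s["ntlm"] += int(auth == "NTLM")
    profile = {}
    for acct, s in raw.items():
        n = s["sessions"]
        profile[acct] = {
            "sessions": n,
            "bytes": s["bytes"],
            "max_session": s["max_session"],
            "off_hours_pct": round(100 * s["off_hours"] / n),
            "ntlm_pct": round(100 * s["ntlm"] / n),
        }
    return profile


def suspicious_accounts(profile, min_sessions=2):
    """Accounts whose every session is both off-hours and NTLM.

    That combination is the shape of the pass-the-hash pattern on the R2
    cards: no interactive logon, no Kerberos ticket, activity outside the
    business day. Legitimate migration jobs run in-hours with Kerberos.
    """
    return sorted(
        acct for acct, p in profile.items()
        if p["sessions"] >= min_sessions
        and p["off_hours_pct"] == 100
        and p["ntlm_pct"] == 100
    )


def dlp_would_fire(profile, acct, threshold=DLP_SESSION_THRESHOLD):
    """Would a per-session volume rule have alerted on this account at all?"""
    return profile[acct]["max_session"] >= threshold


if __name__ == "__main__":
    print(f"aggregate growth vs baseline: {aggregate_growth_pct(SESSIONS, BASELINE_BYTES)}%")
    print("growth without svc-rdbridge-admin: "
          f"{aggregate_growth_pct(SESSIONS, BASELINE_BYTES, exclude={'svc-rdbridge-admin'})}%")
    prof = per_account_profile(SESSIONS)
    for acct in suspicious_accounts(prof):
        p = prof[acct]
        print(f"{acct}: {p['sessions']} sessions, {p['off_hours_pct']}% off-hours, "
              f"{p['ntlm_pct']}% NTLM, per-session DLP rule fires: {dlp_would_fire(prof, acct)}")
```

The aggregate reads as a 40% rise that the migration account largely explains, which is exactly why Bravo's baseline card is a dead end on its own; only the decomposition surfaces the service account, and the volume rule stays silent on every one of its sessions.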
Round 4 – Developments (IC #2 Now in Command)
Released: 2 cards per team at start of Round 4
Alpha: Rootkit capability analysis reveals API imports, hooked system calls, and behavioral observations showing a purpose-built espionage toolkit targeting life sciences file types (.fasta, .gb, .gbk, .seq, .ab1) with hardcoded GenixLibrary paths – changes the question from “generic theft” to “targeted collection escalation” (archives first, then active projects, then core IP collections); lateral movement scope expansion shows PID 4036 enumerated 3 targets and HANSEN-SAP-02 is partially compromised
Bravo: ~7 GB historical exfiltration (Mar 20–Apr 14) to identified attacker infrastructure; active ongoing transfer of core IP collections (~2-3 GB so far, v1 ~10-15% transferred, v2 ~5-10% transferred, still in progress); 3 independent DLP gaps all failed simultaneously
Charlie: Recovery prioritization with containment verification checklist – vendor notification + CFCS sharing + GenixLibrary decisions all need owners; campaign scope consolidation with attribution synthesis template and CFCS coordination status
IC synthesis: IC #2 must now deal with: (1) the targeting specificity revelation – the rootkit is purpose-built for GenixLibrary with hardcoded paths and life sciences file types, which changes the competitive exposure assessment; (2) HANSEN-SAP-02 containment scope expansion, (3) vendor notification decision for CaliSync GmbH, (4) CFCS artifact sharing scope. The active R&D data transfer is the live stake – teams’ containment speed determines whether the core IP collections are saved.
Facilitator navigation prompt: “Charlie hasn’t briefed yet. Hold the containment scope decision until all three teams have reported.”
If IC #2 tries to move to the vendor notification decision before Bravo briefs: “Hold – Bravo hasn’t reported yet. Does their finding change your position?”
Guardrail: 20–25 min. Advance when IC #2 has synthesized all three team briefings and confirmed key decisions.
Late Round 4 – Closing Decisions
IC #2: Confirm vendor notification decision for CaliSync GmbH. Confirm CFCS artifact handoff scope and timeline. Confirm GenixLibrary integrity verification plan. Confirm HANSEN-SAP-02 containment status. Confirm NetFlow export assigned.
Facilitator reads each gap's debrief question aloud in sequence. The room must name an owner before moving to the next gap.
Close: “Name one thing. One owner. One date. Go around the room – one sentence per person.”
Senior contact handoff: If a senior customer contact is present (CISO, head of IR, or equivalent), hand this moment to them rather than running it yourself. Brief them beforehand that you’ll pass the floor to them for the accountability round. They have the authority and organisational context to make accountability land – an external facilitator asking the same question carries less weight.
The Central Dilemma
Preserve forensic evidence for counterintelligence value vs. immediate eradication – and how far has the attacker already spread?
Winnti’s dilemma is actually two dilemmas that must be managed simultaneously:
Dilemma 1 (Technical – Preserve vs. Eradicate): HANSEN-SAP-01 has an active C2 connection and a kernel rootkit. Isolating immediately cuts the active attacker access but may degrade evidence quality. The CFCS counterintelligence case depends on the kernel driver artifact with chain of custody intact. The correct sequence is: preserve memory image first, then isolate – but operational urgency creates pressure to cut the connection first.
Dilemma 2 (Scope – How far has the attacker spread?): The R4 rootkit capability analysis reveals a purpose-built espionage toolkit with hardcoded GenixLibrary paths and life sciences file type targeting, and HANSEN-SAP-02 shows a partial compromise. The question is no longer just “what was stolen” but “how targeted is the collection and how many systems are affected.” The targeting escalation pattern (archives first, then active projects, then core IP collections) reveals the attacker’s strategic priorities. Containment scope may need to expand, but over-scoping wastes time during an active exfiltration window.
The central insight: these two dilemmas can be sequenced, not conflated. Technical containment (Rounds 1-2) proceeds independently of scope assessment (R4). Teams that try to resolve both simultaneously will fail at both. The IC’s job is to sequence them.
Information Asymmetry Map
| Alpha knows | Bravo knows | Charlie knows | IC must synthesize |
|---|---|---|---|
| HANSEN-SAP-01 system profile reveals a neglected legacy server with CaliSyncPro and valid cert; Azure AD anomaly confirms active access | The active attacker path is Collaborative Bridge NTLM from HANSEN-SAP-01; outbound traffic shows C2 beacon pattern with SNI spoofing and large data transfers | GenixLibrary holds the core IP collections; CFCS advisory TTPs match Alpha's and Bravo's findings | Isolate HANSEN-SAP-01 (Bravo), but preserve memory first (Alpha) – these are sequenced actions, not simultaneous |
| Supply chain paradox – valid cert, legitimate portal, malicious payload; rootkit targets life sciences file types with hardcoded GenixLibrary paths | COLLBRIDGE-EXCL-003 has no expiry – revoking credentials without closing the exception leaves a second exploitation path open | CFCS advisory TTPs match Alpha's findings; C2 enrichment points to Chinese-nexus APT; attribution is Charlie's to build | Credential revocation AND exception closure (Bravo) = two distinct actions the IC must confirm both completed |
| Rootkit analysis shows API imports and behavioral observations revealing purpose-built targeting of life sciences file types with hardcoded GenixLibrary paths and escalating collection pattern; HANSEN-SAP-02 partially compromised | ~7 GB historical to identified infrastructure plus active ongoing R&D data transfer (~2-3 GB so far); 3 DLP rules each had an independent gap; per-session volume never triggered threshold | Recovery prioritization with containment verification; campaign scope consolidation with attribution synthesis; CFCS coordination status | Scope expansion (HANSEN-SAP-02) + targeting specificity (Alpha rootkit analysis shows purpose-built collection toolkit) + active transfer stakes (containment speed) + vendor notification decision + CFCS artifact handoff scope |
Common Failure Modes
1. Team proposes reimaging HANSEN-SAP-01 before memory image is captured
What it looks like: Bravo or Alpha proposes wiping and rebuilding HANSEN-SAP-01 before Alpha’s Deep Analysis 1 (memory forensics) has been briefed.
Important distinction: Network isolation of HANSEN-SAP-01 is safe and does not destroy evidence – isolating cuts the network connection while leaving memory and disk artifacts intact. The CISO NPC trigger is for reimaging (wiping the disk) only.
Facilitator response: Play CISO NPC line immediately – do not wait for the cross-team briefing: “We will lose the kernel driver artifact if we reimage now. CFCS has already asked for it.”
2. Credential revocation without closing the exception
What it looks like: IC confirms svc-rdbridge-admin is revoked but does not ask whether COLLBRIDGE-EXCL-003 has been closed. The path remains open for exploitation via another account in the HANSEN-SAP-01 subnet.
Facilitator response: “Bravo – if the credentials are revoked, is the Conditional Access path into Azure AD still open via that exception? What would close it completely?”
3. Scope statement lacks nuance
What it looks like: IC provides leadership a single exfiltration figure without distinguishing historical (~7 GB) from active transfer (~2-3 GB core IP), or without noting the targeting escalation pattern revealed by the rootkit analysis.
Facilitator response: Challenge immediately: “When you say that figure – is that confirmed to all channels? Is the transfer still active? And based on Alpha’s rootkit analysis, what does the targeting pattern tell you about what the attacker prioritized?”
4. IC handover drops the R&D data thread
What it looks like: IC #1 hands over containment status and forensic preservation state but does not communicate the vendor notification decision or the CFCS artifact handoff scope – both of which were open during Rounds 1-2.
Facilitator response: Ask IC #2 immediately after handover: “What do you still not know? What decisions are still open that IC #1 handed you?” If IC #2 cannot name the vendor notification decision and the CFCS artifact handoff – the handover failed.
Note: Do not expect IC #2 to name HANSEN-SAP-02 – that server is not introduced until Round 4 cards. The handover check is limited to what IC #1 actually had visibility on.
5. GenixLibrary integrity verification deferred indefinitely
What it looks like: IC learns of the rootkit’s targeted collection pattern but defers GenixLibrary exposure assessment without a timeline or rationale. The purpose-built targeting of life sciences file types and hardcoded GenixLibrary paths makes competitive exposure assessment urgent – not just an operational decision but a question of which specific research programs the attacker prioritized.
Facilitator response: “Alpha’s rootkit analysis found hardcoded GenixLibrary paths and life sciences file type targeting. What does that targeting pattern tell you about competitive exposure – and who is assessing which research projects were accessed?”
NPC Reference Sheets
Print one sheet per NPC. Full character sheets with backstory, secrets, triggers, and lines are in the separate NPC Reference Sheets.
Red Flag Dashboard
| Inject | Red flag | Facilitator response if triggered |
|---|---|---|
| INJ-001 | No owner assigned for HANSEN-SAP-01 isolation after 10 min | "Which team owns the isolation action – and who is accountable to the IC?" |
| INJ-002 | Reimaging proposed before memory image captured | Play CISO NPC immediately – do not wait for cross-team briefing |
| INJ-003 | svc-rdbridge-admin revoked but COLLBRIDGE-EXCL-003 not closed | "Bravo – if the credentials are revoked, is the Azure AD path still open via that exception?" |
| INJ-004 | Leadership given exfiltration figure without distinguishing historical vs. active transfer or without noting the targeting escalation pattern | “Is that the full picture? What about the active transfer? And what did Alpha’s rootkit analysis say about what the attacker was specifically targeting?” |
| INJ-005 | Team treats CFCS artifact handoff as blocked by vendor notification decision | “These are separate decisions. CFCS is requesting anonymized artifacts. Vendor notification is a different conversation. Which one has an active intelligence window?” |
| INJ-006 | Debrief opens with “what the attacker did” rather than what the organization’s own decisions made possible | “We know what they did. What did your organization’s own decisions make possible?” |
Session Timeline Card
Print on card stock and laminate. T+0 = session start time.
Guardrail times are ceilings, not targets. Advance on event triggers – when the IC has synthesized and decisions have owners. Only compress to the guardrail if the event has not occurred in time. Never cut a productive discussion to hit a time.
PHASE 1: OPENING (5 min)
IC briefing + both ICs introduced
IC #2 leaves the room
Release R1 envelopes → teams begin analysis
Guardrail: complete by T+5
PHASE 2: ROUND 1 -- INITIAL INDICATORS
Teams analyze R1 cards (8-12 min)
Navigation check: if teams still reading at T+13, prompt
Cross-team briefing + IC #1 synthesis
Event trigger: advance when IC has identified the active attack path
Guardrail: complete by T+28
PHASE 3: ROUND 2 -- DEEP ANALYSIS
Release R2 envelopes (3 per team) → teams begin
Threat clock T1 check at ~T+45
Cross-team briefing + IC #1 synthesis
Threat clock T2 check at ~T+60
Event trigger: advance when credential, exception, and memory decisions have named owners
Guardrail: complete by T+70
PHASE 4: IC HANDOVER
Hand IC checklist to IC #1 (5 min before expected handover)
IC #1 handover to IC #2 -- facilitator stays silent, observes
IC #2: "What do you still not know?" (facilitator asks, then steps back)
Event trigger: advance when IC #2 has received the handover
Guardrail: complete by T+78
PHASE 5: ROUND 3 -- IC #2 ONBOARDING
Release R3 envelopes (1 per team) → IC #2 orients
IC #2 verifies whiteboard, calls first briefing
Event trigger: advance when IC #2 calls first briefing
Guardrail: complete by T+95
PHASE 6: ROUND 4 -- DEVELOPMENTS & CLOSING
Release R4 envelopes (2 per team) → teams begin (IC #2 in command)
Threat clock T3 check at start of round
Cross-team briefing + IC #2 synthesis
Threat clock T4 check during round
Play CFCS follow-up NPC if artifact handoff not discussed
Closing: "Name one thing. One owner. One date." -- around the room
Event trigger: advance when IC #2 has confirmed key decisions
Guardrail: game closes by T+125
PHASE 7: DEBRIEF (30 min)
5 debrief questions
Guardrail: closes by T+150
IC Briefing Cards
Print the IC Cards before the session — two A4 pages, cut in half. Page 1 has pre-session briefing cards (IC #1 and IC #2 roles). Page 2 has mid-session handover cards (SBAR briefing and incoming commander).
Scenario-specific roll points for IC #1: Credential revocation (svc-rdbridge-admin) — Medium 10+. Exception closure (COLLBRIDGE-EXCL-003) — Medium 10+.
Scenario-specific decisions for IC #2: Preserve vs. eradicate (HANSEN-SAP-01) — Hard 15+. Vendor notification (CaliSync GmbH) — policy decision, no roll. Recovery prioritization.
Facilitator Cue Script
Linear sequence of facilitator actions. Keep this in hand during the session.
OPENING (T+0 to T+5)
- Brief both ICs — hand them page 1 of the IC Cards, deliver scenario-specific verbal briefings
- Send IC #2 out of the room
- Read the opening briefing aloud (in character as CISO Bent Sejrø):
“CFCS – Center for Cybersikkerhed – contacted me a couple of hours ago. They have identified a supply chain compromise campaign targeting European life sciences organisations. Based on network telemetry they have shared with us, indicators match our infrastructure.
We do not yet know if we are compromised. That is what you are here to determine.
BioGenix Solutions is a Danish biosolutions company, 1,800 employees, specialising in precision fermentation and industrial enzyme engineering. We completed a major acquisition in 2024 and are still managing post-merger integration.
GenixLibrary is our proprietary R&D sequence database. It contains our most commercially valuable research data. If an attacker has accessed it, the consequences are significant.
We also have legacy infrastructure from the merger that is still connected to our environment. CFCS has flagged this as relevant to their indicators.
Investigate whether BioGenix is compromised. Determine the scope. Contain the threat. Your teams will receive evidence cards with findings from your investigation. Analyse them, brief your Incident Commander, and make containment decisions.”
- Release R1 envelopes (2 cards per team)
- Start your timer
ROUND 1 — INITIAL INDICATORS (T+5 to T+28)
- Circulate between teams. Listen, don’t interject.
- Navigation check (if teams still reading after ~10 min): prompt with CFCS indicator questions
- When teams are ready: call cross-team briefing (each team lead briefs IC #1, 60-90 sec each)
- IC #1 synthesizes on whiteboard
- End-of-round check: Has IC identified HANSEN-SAP-01 as the active threat?
ROUND 2 — DEEP ANALYSIS (T+28 to T+70)
- Release R2 envelopes (3 cards per team)
- Circulate. Watch for red flag INJ-002 (reimaging before memory capture) — play CISO NPC immediately if triggered
- Threat clock T1 check at ~T+45: fire if svc-rdbridge-admin NOT revoked
- Navigation check at ~10 min into analysis
- When teams ready: cross-team briefing
- IC #1 synthesizes. Three decisions should have owners: credential revocation, exception closure, memory preservation
- Threat clock T2 check at ~T+60: fire if COLLBRIDGE-EXCL-003 NOT closed
- Guardrail: if not at handover by T+70, compress
IC HANDOVER (T+70 to T+78)
- Hand IC #1 the SBAR handover card (page 2 of IC Cards, top half)
- Call IC #2 back into the room, hand them the incoming commander card (page 2, bottom half)
- Stay silent during the SBAR briefing. Observe.
- Wait for IC #2 to say “I have command.” Do not prompt — the delay is the finding.
- After IC #2 accepts command, ask: “What do you still not know?”
- If IC #2 can’t answer, or if they delayed accepting — note for debrief
ROUND 3 — IC #2 ONBOARDING (T+78 to T+95)
- Release R3 envelopes (1 card per team)
- IC #2 verifies whiteboard status inherited from IC #1
- Circulate. Give IC #2 space to orient.
- When IC #2 calls their first briefing: teams brief (60-90 sec each)
- IC #2 synthesizes. Respond to Charlie’s C2 rotation alert if raised.
- Guardrail: advance to Round 4 by T+95
ROUND 4 — DEVELOPMENTS (T+95 to T+125)
- Release R4 envelopes (2 cards per team). IC #2 in command.
- Circulate. Watch for red flag INJ-004 (scope statement without nuance)
- Threat clock T3 check: fire if memory image NOT preserved
- Navigation check at ~10 min
- When teams ready: cross-team briefing
- Play CFCS NPC if artifact handoff not discussed: “We need your kernel driver artifact. Can you confirm the handoff timeline?”
- Threat clock T4 check: fire if GenixLibrary NOT isolated (or credential + exception not both contained)
- Play CEO NPC if scope/containment not addressed
- Guardrail: game closes by T+125
CLOSING (T+125)
- “Name one thing. One owner. One date.” — go around the room, one sentence per person
- Threat clock T5: read success or failure version based on whiteboard
DEBRIEF (30 min)
- “Take 30 seconds and write down the one decision point you most want to revisit.”
- Ask the 5 debrief questions (5 min each):
  - Could this happen here? (reality check)
  - Two-step containment (credential + exception)
  - Detection dependency (what if CFCS hadn't called?)
  - Vendor notification (who owned it, when?)
  - Legacy infrastructure debt (how many like this?)
- Closing: “One thing I will do differently next week.” — one sentence per person
Preparation Checklist
See the printable Preparation Checklist for the full day-before packing list, envelope assembly, room setup, and pre-game steps.
Debrief Focus
1. “Could this happen to your organisation? What would be different – and what would be the same?”
Surfaces: the reality check. Forces the room to connect the game to their own environment. If “very realistic” – the follow-up questions hit harder. If “not realistic” – probe why. The assumptions usually reveal blind spots.
2. “The credential was revoked. Was the attack path closed? What second action was required – and how many teams completed both?”
Surfaces: the two-step close (credential revocation + exception closure); the failure mode of treating one action as sufficient. Actionable: review your own exception closure procedures.
3. “CFCS tipped you off. What if they hadn’t called? Would your own monitoring have caught this? When?”
Surfaces: external detection dependency; DLP gaps; the difference between having monitoring and having monitoring that catches this specific pattern. Actionable: evaluate your actual detection coverage against this attack profile.
4. “CaliSync’s build pipeline is still compromised. Other organisations are still receiving infected updates. When did you notify the vendor? Who owned that decision?”
Surfaces: vendor notification as a decision with external consequences; the authority gap between identifying the need and acting on it. Actionable: define vendor notification ownership and thresholds.
5. “HANSEN-SAP-01 was 18 months past its decommission date with no patches, no monitoring, and active cloud access. How many systems like this exist in your organisation right now?”
Surfaces: decommissioning backlog as structural attack surface. Actionable: audit legacy systems, review exception governance, close orphaned ITSM tickets.