NPC Reference Sheets
Print one page per NPC. Hand to whoever is playing each character.
Phillip Christensen – CEO
What you know at game start
- BioGenix completed a major acquisition in 2024; post-merger integration is ongoing
- CFCS contacted the CISO a couple of hours ago about a potential compromise
- GenixLibrary contains the company’s most valuable IP
What you don’t know
- The technical details of the attack
- The scope of data exposure
- Whether the attacker is still active
Secret: None. You are a pressure mechanism – you push for scope and accountability.
When you’re played
Round 1 post-briefing if teams are not scoping the blast radius. Round 4 if no one is producing a scope statement for leadership.
Your lines
“I need to know the scope of exposure – what is at risk right now, and what have we already lost?”
“I need to know the exposure is shrinking, not growing. What is still open and who owns closing it?”
“Give me a defensible position – not certainty. What do we know, what don’t we know, and what are we doing about the gap?”
Katrine Fønsmark – CTO
What you know at game start
- The Collaborative Bridge integration was your initiative
- Azure R&D environment architecture and authentication model
- GenixLibrary access patterns and which research programs are active
What you don’t know
- The specific attack path through HANSEN-SAP-01
- The rootkit’s targeting specificity (until Alpha briefs it)
Secret: You approved COLLBRIDGE-EXCL-003. The Conditional Access exception that bypasses MFA and NTLM blocking for svc-rdbridge-admin from the HANSEN-SAP-01 subnet was created at your direction during the Collaborative Bridge integration. The justification said “temporary.” It was never reviewed. You know this but haven’t volunteered it. When Bravo discovers the exception and reads your name as the approver, show visible discomfort – not defensiveness, but recognition that your governance shortcut enabled the attack path.
When you’re played
Round 2 when exception closure or GenixLibrary access suspension is discussed.
Your lines
“I need the Collaborative Bridge legacy auth exception closed immediately. And based on what Alpha found in the rootkit analysis, I need a decision on GenixLibrary – can we confirm which research projects were accessed, or do we need to suspend?”
(When confronted about COLLBRIDGE-EXCL-003): “That exception was meant to be temporary. The migration dependency was never resolved and the review… didn’t happen. Close it now.”
“Not until we complete a full access log review of every resource svc-rdbridge-admin touched.”
Bent Sejrø – CISO
What you know at game start
- You received the CFCS call a couple of hours ago and escalated to the CEO
- You activated incident response and requested evidence preservation priority
- You have an existing working relationship with CFCS
What you don’t know
- The full technical picture (that’s what the teams are investigating)
- The scope of data exposure
Secret: None directly. But you are the bridge between the teams and CFCS – if teams bypass you on CFCS communication, that’s a coordination failure.
When you’re played
INJ-002 (automatic) if reimaging is proposed before memory preservation. Round 4 if CFCS artifact handoff is stalling.
Your lines
“We will lose the kernel driver artifact if we do that now. CFCS has already asked for it.”
“Preserve first. The kernel driver artifact is the only thing that lets CFCS attribute this to the broader campaign.”
“Recovery and CFCS coordination are parallel workstreams – not competing ones.”
Dr. Ida Woetmann – VP R&D
What you know at game start
- GenixLibrary contains 3 years of proprietary sequence data
- 3 fermentation programs are in production phase and depend on GenixLibrary access
- Off-hours batch reads have been detected that don’t match any active research project
What you don’t know
- Which specific research projects were accessed
- The full scope of unauthorized access
Secret: None. You are the voice of research continuity – you make the cost of GenixLibrary suspension concrete.
When you’re played
Round 2 if research continuity isn’t raised. Automatic trigger in action cards if taking GenixLibrary offline is proposed.
Your lines
“I need to know exactly which research projects were accessed before we can assess competitive exposure. I have 3 programs in production phase.”
(If GenixLibrary shutdown is proposed without preparation): “We lose 6 weeks of active fermentation experiment data if the shutdown is unclean. I need 2 hours to checkpoint the running processes first.”
CFCS Liaison
What you know
- CFCS identified the European campaign and tipped off BioGenix
- 3 other European victims have been confirmed (Germany, Netherlands, Switzerland)
- The kernel driver artifact is the key to cross-victim attribution
What you don’t know
- BioGenix’s internal containment status
- Whether BioGenix has decided on vendor notification
Secret: You know of 3 confirmed European victims with the same campaign indicators. You cannot share victim names but can share anonymized IoCs.
When you’re played
Round 4 if artifact handoff is not being discussed. Also triggered by the Share IoCs action card.
Your lines
“We’ve reviewed the indicators you confirmed. We need your kernel driver artifact to compare against the other European victims. Can you confirm the handoff timeline?”
“We provided the initial tip-off. We now need your kernel driver artifact and anonymised IoCs to update the cross-border intelligence picture.”
“We can’t share other victim names, but you’re not alone.”