Players Handbook - Offline Version

Welcome, Player

About This Handbook

This handbook is your complete guide to participating in Malware & Monsters sessions - engaging, team-based security training experiences that put you at the center of realistic incident response simulation scenarios. Our approach develops security awareness and hands-on cybersecurity skills through collaborative learning experiences.

Whether you’re a seasoned security professional or curious newcomer, you’ll find that Malware & Monsters creates authentic learning through collaborative problem-solving, not lectures or presentations.

Legacy & Contemporary Threats: You’ll encounter both foundational cybersecurity incidents that shaped the field (like Code Red, Stuxnet, and Ghost RAT) and modern threats currently impacting organizations (like LockBit, FakeBat, and WannaCry). This historical perspective helps understand how attack techniques evolved and why certain defenses developed.

What Makes This Different?

Your expertise matters. Unlike traditional training where you passively receive information, Malware & Monsters puts your knowledge, experience, and instincts at the center of every scenario.

Real challenges, safe environment. Face realistic cyber threats in a collaborative setting where mistakes become learning opportunities and diverse perspectives create better solutions.

Team-based discovery. Work with incident response teammates to uncover, analyze, and respond to digital threats - just like you would in the real world.

How to Use This Handbook

If You’re New to Cybersecurity

Start with Introduction to understand the learning philosophy
Read Understanding Malmons to grasp the core concepts
Focus on Incident Response Roles to find your place on the team
Reference Game Mechanics when you need rule clarifications

If You’re an Experienced Practitioner

Jump to The Containment System to see how your skills translate to gameplay
Explore Competitive Elements for advanced challenges
Check Maldex Collection for the community knowledge-building aspects
Use Training and Progression to track your growing expertise

If You’re Looking for Quick Reference

Type Effectiveness Chart - Visual guide to malware type interactions (see handbook resources)
Role Quick Reference - At-a-glance role abilities and responsibilities (see handbook resources)
Common Game Terms - Definitions and terminology (see shared glossary)

What You’ll Learn

Through Malware & Monsters sessions, you’ll develop:

Collaborative incident response skills through realistic team scenarios
Technical knowledge about real malware families and attack techniques
Communication abilities for explaining technical concepts across disciplines
Strategic thinking about cybersecurity from multiple organizational perspectives
Confidence in your ability to contribute meaningfully to security teams

The Community Aspect

Malware & Monsters isn’t just a learning activity - it’s a growing community of cybersecurity professionals who believe in:

Collaborative learning over competitive individual achievement
Practical experience over theoretical knowledge alone
Diverse perspectives making everyone more effective
Continuous improvement through shared experiences and insights

Ready to Begin?

Each chapter builds naturally on the previous ones, but feel free to explore based on your interests and experience level. The most important thing is to jump in and start collaborating!

Getting Started

Your first Malware & Monsters experience will begin with character creation, where you’ll:

Share your expertise with your teammates
Choose your role based on interests and team needs
Develop your character around your real skills and personality
Face your first incident as a collaborative response team

No preparation required - just bring your curiosity, your experience (whatever level), and your willingness to work as part of a team.

Join the Community

Contribute scenarios and Malmon discoveries
Share insights from your sessions
Connect with other players and incident masters
Help grow the collaborative learning network

For community resources and connections, visit: [community website placeholder]

Educational Use Statement

Malware & Monsters is designed for educational purposes. All scenarios are based on publicly available threat intelligence and research. The game does not provide actual malware samples or detailed exploitation techniques that could be misused.

Introduction to Malware & Monsters

The Philosophy Behind the Experience

Cybersecurity is fundamentally a collaborative discipline. Real incidents require diverse expertise, clear communication, and coordinated response. Yet most cybersecurity training isolates learners in individual exercises or passive presentations.

Malware & Monsters flips this approach through our innovative security training platform. Instead of learning about cybersecurity, you practice cybersecurity education through realistic, team-based security training scenarios. Our gamified incident response training transforms traditional learning into engaging incident response simulation experiences that build real cybersecurity skills.

Learning Through Discovery

In every Malware & Monsters session that focuses on collaborative learning cybersecurity:

Your knowledge drives the content. The Incident Master facilitates, but your expertise and insights create the learning experience.
Questions matter more than answers. The goal isn’t to memorize facts, but to develop the thinking skills that drive cybersecurity skills development.
Mistakes become insights. When approaches don’t work, the team learns together why and develops better strategies.
Collaboration creates confidence. Working with teammates builds both technical skills and communication abilities essential for security professional development.

How Sessions Work

The Basic Structure

Every Malware & Monsters session follows a three-phase incident response structure:

Discovery Phase (Round 1): Your team investigates initial symptoms to identify what type of threat you’re facing. Each team member approaches the investigation from their role’s perspective, then shares findings to collectively identify the specific Malmon.

Investigation Phase (Round 2): With the threat identified, your team analyzes the scope of the incident, understands the attack progression, and assesses potential impact. This phase often reveals the Malmon’s attempts to evolve or escalate.

Response Phase (Round 3): Your team coordinates a comprehensive response strategy, implements containment measures, and works to neutralize the threat before it can cause maximum damage.

Your Role in the Team

Rather than playing a generic “cybersecurity professional,” you’ll take on a specific role that matches your interests and expertise:

Detective: You excel at finding clues and analyzing evidence
Protector: You focus on stopping threats and securing systems
Tracker: You monitor data flows and network behavior
Communicator: You handle stakeholder relations and coordinate response
Crisis Manager: You oversee the overall incident response strategy
Threat Hunter: You proactively search for hidden threats and attack indicators

These roles aren’t rigid job descriptions - they’re lenses through which you approach problems, ensuring every team member contributes their unique perspective.

What Makes Malmons Special

Digital Threats as Creatures

In Malware & Monsters, malware families are represented as Malmons - digital creatures with distinct personalities, capabilities, and behaviors. This isn’t just a creative choice; it reflects how cybersecurity professionals actually think about threats.

Just as biologists classify animals by species with predictable behaviors, cybersecurity professionals categorize malware families by their attack patterns, evasion techniques, and objectives. A GaboonGrabber behaves differently from WannaCry, which behaves differently from Stuxnet.

Legacy and Contemporary Threats

Your Malmon encounters span cybersecurity history, helping you understand how threats evolved:

Legacy Malmons represent foundational attacks that shaped the field - Code Red (2001) demonstrated internet-scale worm propagation, Stuxnet (2010) revealed nation-state capabilities, and Ghost RAT (2008) pioneered APT techniques still used today.

Contemporary Malmons reflect current threat landscapes - LockBit represents modern ransomware operations, FakeBat shows today’s loader tactics, and WannaCry bridges legacy vulnerabilities with contemporary impact.

This historical perspective helps teams recognize patterns, understand why certain defenses exist, and apply lessons from past incidents to current challenges.

The Type System

Every Malmon belongs to one or more types that determine its strengths and weaknesses:

Trojan-types excel at deception but struggle against behavioral analysis
Worm-types spread rapidly through networks but can be contained through isolation
Ransomware-types threaten data integrity but are vulnerable to backup strategies
Rootkit-types hide deep in systems but can be exposed through forensic techniques

Understanding these type relationships helps you choose the most effective response strategies.

Evolution and Adaptation

Malmons can evolve during incidents, gaining new capabilities and becoming more dangerous. A basic Trojan might evolve into an Advanced Persistent Threat if not contained quickly. This evolution mechanic reflects how real cyber attacks escalate when not addressed promptly.

Example Malmon Card

Here’s what a typical Malmon card looks like:

Each Malmon card provides essential information for understanding the threat’s behavior, capabilities, and vulnerabilities - helping your team choose the most effective response strategies.

The Learning Experience

Building Real Skills

While the creature-collection framework makes learning engaging, every mechanic teaches genuine cybersecurity concepts. Research demonstrates that game-based learning environments effectively enhance skill acquisition and knowledge retention [@gee2003video; @connolly2012systematic]:

Type effectiveness teaches you to match defensive strategies to specific threat categories
Evolution mechanics demonstrate how attacks escalate when not contained quickly
Collaborative investigation builds the communication skills essential for incident response [@johnson1999cooperative]
Role specialization helps you understand how different security functions work together

Safe Environment for Growth

Malware & Monsters creates a safe space to develop cybersecurity expertise through social learning processes [@vygotsky1978mind]:

Ask questions without feeling inexperienced
Make mistakes and learn from them collaboratively
Share knowledge and learn from others’ expertise
Practice communication across different technical backgrounds
Build confidence in your ability to contribute to security teams

Community Knowledge Building

Every session contributes to a growing collection of community knowledge:

MalDex entries document your team’s encounters with different Malmons
Response strategies get shared with other teams and organizations
Lessons learned help improve future incident response
Technique sharing spreads effective practices across the community

What to Expect in Your First Session

Character Creation

You’ll start by sharing your cybersecurity-related experience with your teammates. This could be professional work, academic study, hobby projects, or just general curiosity about technology. Based on these interests and team needs, you’ll collaboratively choose roles.

Then you’ll develop your character - keeping your real name but building a personality around your chosen role. Are you a paranoid Detective who notices every anomaly? A protective Protector who takes attacks personally? A methodical Crisis Manager who thinks in flowcharts? Have fun with the archetypes while staying true to your actual interests.

Example Role: Detective

During investigations, you might collect evidence artifacts - pieces of information from incident reports, system logs, or security alerts that help your team understand what happened.

The Incident Begins

Your Incident Master will present initial symptoms - computers running slowly, suspicious emails, unusual network traffic. Your team investigates these symptoms from different role perspectives, sharing discoveries and building toward identifying the specific Malmon you’re facing.

Collaborative Problem-Solving

Throughout the session, you’ll work together to understand the threat, assess its impact, and coordinate an effective response. The Incident Master facilitates this process through questions and guidance, but your team’s knowledge and decisions drive the experience.

Learning Through Reflection

Sessions conclude with reflection on what you discovered, what strategies worked, and what you might do differently. These insights get captured in your team’s MalDex entry and shared with the broader community.

Getting the Most from Your Experience

Embrace Your Role

Don’t worry about being the “smartest” person in the room. Each role brings valuable perspectives, and the best solutions emerge from diverse viewpoints working together.

Ask Questions

If you don’t understand something, ask. If you’re curious about a technique someone mentioned, explore it. If you disagree with a proposed approach, voice your concerns. Questions drive learning and often reveal important insights.

Think Like Your Character

Get into your role’s mindset. How would a Detective approach this evidence? What would worry a Protector about this attack? How would a Communicator explain this to management? Role-playing enhances both engagement and learning.

Learn from Others

Pay attention to how your teammates think through problems. What questions do they ask? What patterns do they notice? What tools do they suggest? Every session is an opportunity to expand your own mental toolkit.

Ready to Start?

Malware & Monsters sessions require no special preparation beyond curiosity and willingness to collaborate. You’ll learn the specific mechanics as you play, guided by your Incident Master and supported by your teammates.

The most important thing to remember: this is a collaborative learning experience. Your success is measured not by individual achievement, but by how well your team works together to understand and respond to cybersecurity challenges. This approach aligns with established cooperative learning principles that emphasize collective problem-solving and shared knowledge construction [@slavin1996research].

In the following chapters, you’ll learn about the specific systems and mechanics that make Malware & Monsters work - from understanding Malmon types and abilities to mastering advanced response strategies. But remember, these are tools to support collaborative learning, not rules to memorize. This experiential gaming approach builds on proven pedagogical frameworks for cybersecurity education [@kiili2005digital; @cone2007video].

Your First Session

When you arrive at your first Malware & Monsters session, you’ll need nothing more than:

Curiosity about cybersecurity challenges
Willingness to work as part of a team
Openness to sharing your perspective and learning from others
Enthusiasm for collaborative problem-solving

Everything else you’ll learn through the experience itself.

Preparing for Your Session

Welcome to your first step toward becoming an effective cybersecurity incident responder through our security training platform! Whether you’re a seasoned security professional or someone curious about cybersecurity education, this chapter will help you prepare for a successful and engaging Malware & Monsters session using our innovative incident response simulation methodology.

What to Expect

Your Learning Journey

A Malware & Monsters session is collaborative storytelling meets cybersecurity education through gamified incident response training. You’ll work with 4-5 other participants to respond to a simulated cybersecurity incident, combining your real-world knowledge with game mechanics to create an authentic team-based security training experience that drives cybersecurity skills development.

Session Structure:

Setup: Character creation and team formation
Round 1: Discovery - What’s happening?
Round 2: Investigation - How bad is it?
Round 3: Response - How do we fix it?

The Collaborative Difference

Unlike traditional training where an expert lectures, in Malware & Monsters:

Your expertise drives the content
Questions are more valuable than answers
Learning happens through discovery, not memorization
Every perspective contributes something valuable

Before You Arrive

What Expertise You Bring

Everyone has valuable knowledge to contribute. Here’s how different backgrounds enhance the experience:

Technical Professionals

Your deep knowledge provides authentic technical context, but remember:

Share insights, don’t lecture - Build on others’ discoveries
Ask questions that help less technical teammates learn
Embrace uncertainty - Even experts don’t know everything
Learn from business perspectives - Technical solutions must work for organizations

Business/Non-Technical Participants

Your perspective is crucial for realistic incident response:

Business impact awareness - What really matters to organizations
Communication skills - Translating between technical and business needs
Common sense - Often the most important cybersecurity skill
User behavior insights - How people actually interact with technology

Students/New to Cybersecurity

Your fresh perspective and questions drive learning for everyone:

Curious questioning - “Why?” and “What if?” push deeper understanding
Pattern recognition - New eyes often see things others miss
Enthusiasm - Your energy and interest motivate the whole team
Learning mindset - Modeling how to grow through collaboration

Setting Learning Intentions

Before your session, consider:

What do you want to learn?

Specific cybersecurity concepts or techniques
How incident response teams work together
Communication skills for technical topics
Problem-solving approaches for complex challenges

What can you contribute?

Professional experience from your field
Analytical or creative thinking approaches
Communication and collaboration skills
Questions that help everyone learn

How do you learn best?

Through discussion and explanation
By working through problems hands-on
By asking questions and exploring scenarios
Through storytelling and examples

Managing Pre-Session Anxiety

“I Don’t Know Enough” Syndrome

This is completely normal! Even cybersecurity experts feel this way when encountering new scenarios or working with specialists from other domains.

Remember

No one knows everything - Even experts are learning constantly
Your questions help others learn - What confuses you confuses others too
Different types of knowledge matter - Technical, business, user, regulatory
Facilitators support your success - They want you to contribute meaningfully

Common Concerns and Realities

“What if I say something wrong?”

Mistakes become learning opportunities for everyone
Other participants will build on and refine ideas collaboratively
The facilitator guides discussions to keep them productive
Being wrong about details doesn’t invalidate your perspective

“What if I don’t understand the technical aspects?”

Technical participants will explain concepts as needed
You can contribute business, user, or common-sense perspectives
Your questions often lead to the most important insights
Non-technical understanding is crucial for real-world cybersecurity

“What if I can’t role-play or act?”

Character development is minimal - mostly using your real name and expertise
You can be as much or as little “in character” as feels comfortable
The focus is on collaborative problem-solving, not performance
Your authentic self is the best character you can play

Practical Preparation

What to Bring

Required:

Yourself and your experience - The most important contribution
Curiosity and willingness to collaborate
Openness to learning from others

Helpful but not required:

Notebook for capturing insights - Digital or paper
Professional experience examples to share when relevant
Questions about cybersecurity you’d like to explore

Provided at the session:

All game materials (dice, cards, reference sheets)
Scenario information and context
Technical reference materials as needed

Mental Preparation

Collaborative Mindset:

“Yes, and…” - Build on others’ ideas rather than contradicting
Question-driven learning - Curiosity is more valuable than certainty
Shared success - The team wins or learns together
Authentic contribution - Your real expertise and perspective matter

Growth Mindset:

Learning through mistakes - Errors become insights
Questions show engagement - Asking is better than staying silent
Different expertise types - Technical, business, user, regulatory all matter
Continuous learning - Everyone, including experts, is always learning

Your Role in Team Success

What Makes a Great Teammate

Active Participation:

Share relevant insights when you have them
Ask questions when you’re curious or confused
Build on others’ ideas with “Yes, and…” thinking
Support quieter teammates by inviting their input

Generous Listening:

Give others space to share their expertise
Ask follow-up questions to understand better
Connect insights across different perspectives
Acknowledge good ideas and helpful contributions

Authentic Contribution:

Share your real knowledge and experience
Admit when you don’t know something
Offer your perspective even if it’s different
Stay engaged even when topics are unfamiliar

Building Team Chemistry

During Character Creation:

Be genuinely interested in others’ backgrounds
Share something real about your own experience
Look for connections and complementary expertise
Set a tone of curiosity and mutual support

Throughout the Session:

Refer to teammates by their character names
Build on the team dynamic and shared story
Celebrate team discoveries and successes
Support each other through challenges

Setting Yourself Up for Success

Learning Mindset Checklist

Before your session, confirm you’re ready with this mindset:

I have valuable expertise to contribute
I can learn important things from my teammates
Questions are more valuable than having all the answers
Mistakes and uncertainty are part of learning
Collaboration creates better outcomes than individual work
Everyone’s perspective matters, including mine

Session Day Preparation

Arrive Ready to:

Introduce yourself authentically - Share your real background and interests
Listen actively - Others have knowledge you can learn from
Contribute genuinely - Your perspective and questions matter
Embrace the unexpected - Sessions evolve based on team discoveries
Have fun learning - Enjoy the collaborative problem-solving experience

Emergency Phrases for New Participants

When You’re Lost:

“Can someone explain what [term] means?”
“I’m not familiar with that concept - can you give me the basics?”
“How does this connect to what we discussed earlier?”
“What’s the most important thing I should understand here?”

When Contributing:

“From my experience in [your field], this seems similar to…”
“I don’t know the technical details, but from a business perspective…”
“That reminds me of a situation where…”
“What if we approached this from the angle of…?”

When Supporting Others:

“That’s an interesting point - can you tell us more?”
“How does that connect to what [teammate] said earlier?”
“What would that look like in practice?”
“That’s a perspective I hadn’t considered.”

Remember

Your success isn’t measured by how much you already know, but by how effectively you collaborate, contribute, and learn with your team. Come as yourself, bring your curiosity, and trust the process!

What’s Next

Now that you’re prepared for your session experience, let’s explore the world of Malmons - the digital threats you’ll be investigating and responding to as a team. Understanding these “creatures” and their behaviors will help you contribute effectively to your incident response team’s success.

Ready to dive deeper? Continue to Understanding Malmons to learn about the digital threats you’ll encounter, or jump to Effective Participation for tips on being an excellent teammate.

Understanding Malmons

What Are Malmons?

Malmons are digital threats represented as creatures with distinct characteristics, behaviors, and capabilities within our cybersecurity education framework. Each Malmon represents a real malware family or attack technique, but thinking of them as creatures with personalities helps teams understand their behavior patterns and develop effective countermeasures through security awareness training methodologies.

Just as a wildlife biologist studies animal behaviors to predict where they’ll go and what they’ll do, cybersecurity professionals study Malmon behaviors to anticipate attack progression and choose appropriate defenses.

Real Threats, Creature Framework

Every Malmon in the collection is based on actual malware families studied by security researchers:

GaboonGrabber represents sophisticated Trojans that mimic legitimate software
WannaCry embodies the rapid-spreading network worms that can paralyze organizations
Stuxnet captures the precision and stealth of nation-state cyber weapons
LockBit demonstrates modern ransomware-as-a-service operations

The creature framework makes these threats more approachable and memorable while maintaining technical accuracy about their real-world behaviors, supporting cybersecurity skills development through our gamified incident response training approach.

The Type System

Every Malmon belongs to one or more types that determine its strengths, weaknesses, and preferred attack methods. Understanding type relationships is crucial for effective incident response.

Primary Types

Trojan-Type Malmons

Characteristics: Masters of deception and disguise

Strengths: Evade traditional security defenses, appear legitimate to users
Common Behaviors: Masquerade as software updates, hide in trusted processes
Weaknesses: Vulnerable to behavioral analysis and runtime monitoring
Examples: GaboonGrabber, FakeBat

Worm-Type Malmons

Characteristics: Rapid network propagation specialists

Strengths: Self-replicating, can spread without user interaction
Common Behaviors: Exploit network vulnerabilities, lateral movement
Weaknesses: Contained by network segmentation and traffic monitoring
Examples: WannaCry, Code Red, Raspberry Robin

Ransomware-Type Malmons

Characteristics: Data hostage specialists

Strengths: High impact through data encryption, direct financial motivation
Common Behaviors: File encryption, demand payments, deadline pressure
Weaknesses: Defeated by comprehensive backup strategies and network isolation
Examples: LockBit, WannaCry (hybrid type)

Rootkit-Type Malmons

Characteristics: Deep system infiltration experts

Strengths: Hide at system level, difficult to detect, maintain persistence
Common Behaviors: Modify system components, evade detection tools
Weaknesses: Exposed by forensic analysis and integrity checking
Examples: Stuxnet (hybrid), advanced persistence mechanisms

APT-Type Malmons (Advanced Persistent Threat)

Characteristics: Long-term stealth operations

Strengths: Patient, sophisticated, well-resourced attacks
Common Behaviors: Slow progression, intelligence gathering, target research
Weaknesses: Vulnerable to threat intelligence and behavioral analysis
Examples: Stuxnet, Noodle RAT, Gh0st RAT

Infostealer-Type Malmons

Characteristics: Data harvesting specialists

Strengths: Targeted data collection, credential theft
Common Behaviors: Monitor user activity, harvest passwords, collect sensitive data
Weaknesses: Defeated by encryption and access controls
Examples: Noodle RAT, PoisonIvy

Type Effectiveness Matrix

Different response strategies work better against specific Malmon types:

Hybrid Types

Many advanced Malmons combine characteristics from multiple types:

WannaCry: Worm/Ransomware hybrid with rapid spreading and data encryption
Stuxnet: APT/Rootkit hybrid with nation-state sophistication and deep system access
LitterDrifter: Worm/APT hybrid spreading via USB with geopolitical targeting

Legacy vs Contemporary Malmons

The Malmon collection includes both contemporary threats and Legacy Malmons - historically significant threats that shaped modern cybersecurity practices. Understanding both helps teams learn from the evolution of digital threats.

🕰️ Legacy Malmons

Legacy Malmons represent threats from cybersecurity history (typically 2000-2010) that were revolutionary for their time and established attack patterns still seen today.

Characteristics of Legacy Malmons

Visual Identification: Legacy Malmons are easily identified by their card design:

“LEGACY” Type Prefix: Cards display “LEGACY • WORM/HISTORICAL” instead of just “WORM/HISTORICAL”
Historical Context: Card descriptions reference specific years and historical technology
Evolution Information: Cards explain how the threat has evolved into modern forms
Educational Focus: Emphasis on learning value and pattern recognition

Key Differences from Contemporary Malmons: - Legacy cards teach threat evolution and historical context - Contemporary cards focus on current practical response techniques - Both use identical game mechanics and statistics - Legacy threats often have lower detection scores reflecting historical security limitations

Legacy Malmon Examples

Code Red (2001) - Worm/Historical

Historical Impact: First major internet-wide worm, infected 400,000 servers
Innovation: Automated scanning and mass infection without files
Modern Descendants: Web application attacks, API vulnerabilities, cloud breaches
Learning Value: Understanding automated threat propagation principles

Stuxnet (2010) - APT/Rootkit/Historical

Historical Impact: First known cyber weapon targeting industrial control systems
Innovation: Nation-state precision targeting, physical damage from cyber attacks
Modern Descendants: Critical infrastructure attacks, OT security concerns
Learning Value: Understanding sophisticated nation-state capabilities

Gh0st RAT (2009) - APT/Infostealer/Historical

Historical Impact: Popularized remote access trojans for espionage
Innovation: Comprehensive remote control and data exfiltration
Modern Descendants: Modern RATs, advanced persistent threats
Learning Value: Understanding long-term persistent access techniques

Poison Ivy (2005) - APT/Infostealer/Historical

Historical Impact: Established corporate espionage attack patterns
Innovation: Targeted data theft from specific organizations
Modern Descendants: Modern corporate espionage, supply chain attacks
Learning Value: Understanding targeted threat actor methodologies

🆕 Contemporary Malmons

Contemporary Malmons represent current active threats using modern techniques and targeting today’s technology infrastructure.

Contemporary Examples

GaboonGrabber - Modern Trojan/Stealth

Additional Contemporary Malmons:

LockBit: Current ransomware-as-a-service operations
Raspberry Robin: Modern USB-based propagation techniques
FakeBat: Current malvertising and social engineering

Learning from Both Eras

Historical + Modernization Sessions

Some sessions use Legacy Malmons with a two-phase approach:

Historical Investigation: Experience the threat using period-appropriate technology and knowledge
Collaborative Modernization: Work together to discover how the threat has evolved into current forms

This approach helps teams understand:

Threat Evolution: How attack patterns adapt to new technology
Defensive Evolution: How security practices developed in response
Pattern Recognition: Identifying persistent attack principles across eras
Historical Context: Why current security practices exist

Contemporary-Only Sessions

Most sessions focus on Contemporary Malmons for immediate practical value:

Current Techniques: Learn responses using modern tools and practices
Immediate Application: Skills directly applicable to current work
Modern Context: Scenarios using current technology and business environments

Malmon Abilities and Characteristics

Signature Abilities

Each Malmon has unique capabilities that define its attack patterns:

Primary Abilities

Core strengths that the Malmon excels at:

Perfect Mimicry: Appears identical to legitimate software
Rapid Propagation: Spreads quickly through network vulnerabilities
Deep Persistence: Maintains access through system restarts and updates
Behavioral Camouflage: Blends normal activity patterns to avoid detection

Special Attacks

Unique techniques that distinguish each Malmon:

Fileless Deployment: Operates entirely in memory without disk artifacts
Kill Switch Vulnerability: Can be instantly neutralized if weakness is discovered
Multi-Payload Delivery: Deploys additional threats after establishing foothold
Air Gap Jumping: Spreads between isolated network segments

Hidden Abilities

Capabilities revealed during incidents that surprise response teams:

Command Center Coordination: Controls other Malmons in coordinated attacks
Zero-Day Arsenal: Uses previously unknown vulnerabilities
Cross-Platform Infection: Spreads between different operating systems
Industrial Sabotage: Targets critical infrastructure and physical systems

Threat Levels

Malmons are classified by complexity and potential impact:

⭐ Basic: Straightforward threats with well-understood behaviors
⭐⭐ Intermediate: Sophisticated threats requiring coordinated response
⭐⭐⭐ Advanced: Nation-state level threats with multiple advanced capabilities

Evolution Mechanics

One of the most important Malmon characteristics is their ability to evolve during incidents, gaining new capabilities and becoming more dangerous if not contained quickly.

Evolution Triggers

Malmons attempt to evolve when:

Time Pressure

Teams take too long to identify the threat type
Investigation phase extends without effective containment
Response actions are delayed or poorly coordinated

Environmental Conditions

Network lacks proper segmentation
Systems missing critical security updates
Monitoring coverage has blind spots
Backup systems are inadequate or offline

Failed Containment

Initial response strategies prove ineffective
Malmon successfully evades detection attempts
Team fails to exploit known type weaknesses
Coordination between team members breaks down

Evolution Examples

GaboonGrabber Evolution Chain

Basic Form: Simple Trojan mimicking software updates

Evolves To: Multi-Stage Loader deploying additional payloads
Final Form: Advanced Persistent Threat with network-wide compromise
Trigger: Successful initial infection + 24+ hours without containment

WannaCry Evolution Chain

Basic Form: Ransomware encrypting local files

Evolves To: Network Worm spreading via SMB vulnerabilities
Final Form: Global Pandemic Worm with infrastructure impact
Trigger: Network propagation success + vulnerable target environment

WannaCry ATT&CK Analysis

Code Red Evolution Chain

Basic Form: Web Server Worm with simple defacement

Evolves To: DDoS Botnet with coordinated attacks
Final Form: Internet Infrastructure Threat
Trigger: Large-scale propagation + coordination with other instances

Code Red ATT&CK Analysis

Preventing Evolution

Teams can prevent Malmon evolution through:

Rapid identification using type-specific detection methods
Effective containment exploiting known type weaknesses
Coordinated response leveraging each role’s expertise
Environmental hardening addressing vulnerabilities the Malmon requires

Regional Variants

Malmons adapt to different environments, creating regional variants with specialized capabilities:

Industry-Specific Variants

Healthcare Variants

HIPAA-Focused Targeting: Specialized in medical record theft
Clinical System Integration: Understands healthcare workflows
Compliance Evasion: Avoids triggering regulatory monitoring

Financial Variants

PCI-DSS Awareness: Targets payment card data specifically
Banking Protocol Knowledge: Exploits financial system communications
Transaction Manipulation: Capable of altering financial transfers

Industrial Variants

SCADA Integration: Targets industrial control systems
Physical Process Understanding: Can cause real-world damage
Safety System Bypass: Disables critical safety mechanisms

Geographic Variants

Nation-State Variants

Geopolitical Targeting: Focuses on specific countries or regions
Cultural Intelligence: Uses region-specific social engineering
Infrastructure Knowledge: Targets country-specific critical systems

Legendary Malmons

Some Malmons are so sophisticated and impactful they’re classified as Legendary - ultra-rare threats that represent the pinnacle of cyber attack capabilities.

Characteristics of Legendary Malmons

Nation-state development with significant resource investment
Multiple zero-day exploits unknown to the security community
Cross-platform capabilities affecting diverse systems
Physical world impact beyond typical digital damage
Historical significance changing cybersecurity practices

Known Legendary Malmons

Stuxnet ⭐⭐⭐ (Legendary)

The Industrial Saboteur

Signature Ability: Air Gap Jumping via USB propagation
Special Attack: Centrifuge Manipulation targeting uranium enrichment
Hidden Ability: Four Zero-Day Arsenal with coordinated exploitation
Evolution: Global Infrastructure Targeting across critical sectors

Stuxnet ATT&CK Analysis

Conficker ⭐⭐⭐ (Legendary)

The Persistent Pandemic

Signature Ability: Multi-Vector Propagation via network, USB, and email
Special Attack: Domain Generation Algorithm evading takedown efforts
Hidden Ability: Botnet Coordination with millions of infected systems
Evolution: Self-Updating Infrastructure with autonomous capabilities

Understanding Malmon Behavior in Practice

Reading Malmon Cards

Each Malmon you encounter will be presented on a visual card. Here’s how to read the different components:

Card Header and Basic Information

The header shows the malmon’s name, type classification, and threat level (⭐ to ⭐⭐⭐).

Primary Abilities

The primary ability represents the malmon’s core strength and main attack method.

Special Attacks

Special attacks are unique techniques that distinguish this malmon from others of the same type.

Hidden Abilities and Weaknesses

Hidden abilities are revealed during incidents, while weaknesses show how to effectively counter the malmon.

MITRE ATT&CK Technique Analysis

Applying Type Knowledge

When your team encounters a Trojan-type Malmon like GaboonGrabber:

Effective Strategies:

Focus on behavioral analysis rather than signature detection
Examine process behavior and memory usage patterns
Interview users about recent software installations
Check for unsigned or suspicious executables

Less Effective Strategies:

Relying solely on antivirus signatures
Network-based containment (Trojans often operate locally)
Simple file-based detection (may miss fileless variants)

Team Coordination:

Detective: Analyze execution artifacts and user reports
Protector: Deploy behavioral monitoring tools
Tracker: Monitor for unusual outbound communications
Communicator: Investigate social engineering vectors

Building Your Malmon Knowledge

The Learning Process

Understanding Malmons develops through:

Direct Encounters during incident response sessions
Team Discussions about effective and ineffective strategies
Community Sharing of successful response techniques
MalDex Documentation capturing lessons learned
Cross-Training with teammates who have different expertise

Developing Type Intuition

With experience, you’ll develop intuitive understanding of: - Which response strategies work best against specific types - How to recognize type characteristics from initial symptoms - When Malmons are likely to attempt evolution - How different types interact in hybrid or coordinated attacks

Remember: Types Are Tools, Not Rules

The type system helps you think systematically about threats and responses, but real incidents often involve unique circumstances. Use type knowledge as a starting point, but always adapt to the specific situation your team faces.

In the next chapter, we’ll explore how different incident response roles approach Malmon encounters, and how your chosen role shapes your contribution to the team’s success.

Session Types and Scenarios

Understanding Different Session Approaches

Malware & Monsters sessions come in several different formats, each designed for specific learning goals and group needs. Understanding what to expect from each type helps you prepare mentally and contributes more effectively to your team’s success.

Session Format Overview

Standard Contemporary Sessions

What to Expect: Modern cybersecurity incidents using current technology and contemporary threats

Duration: 90-120 minutes
Focus: Current incident response techniques and modern threats
Technology Context: Cloud platforms, modern networks, current security tools
Learning Goals: Practical skills for today’s cybersecurity challenges
Preparation: Review current cybersecurity practices and tools

Typical Experience: You’ll respond to incidents involving malmons like GaboonGrabber or WannaCry in modern organizational contexts with current technology and business requirements.

Legacy Malmon Sessions

What They Are: Sessions featuring historically significant threats (Code Red, Stuxnet, Gh0st RAT, Poison Ivy) with two possible approaches:

Historical Foundation Approach: - Duration: 2+ hours for full exploration - Focus: Understanding cybersecurity history and threat evolution - Technology Context: Authentic period technology (2001-2010) - Learning Goals: How threats and defenses have evolved over time - Preparation: Open mind about historical technology limitations

Contemporary Approach:

Duration: 90-120 minutes
Focus: Modern versions of historical threats
Technology Context: Current technology with evolved attack techniques
Learning Goals: How classic attack patterns manifest in modern environments
Preparation: Understanding both historical significance and current applications

Session Structure Variations

Standard Session Flow

Opening Phase (15 minutes)

Team introductions and expertise discovery
Role assignments based on backgrounds and preferences
Initial incident briefing and context setting
Questions about organizational environment

Your Focus: Listen to teammates’ backgrounds, think about your preferred role, ask clarifying questions about the incident context.

Investigation Phase (30-45 minutes)

Initial symptoms analysis and hypothesis development
Evidence gathering through role-specific actions
Collaborative discovery of threat characteristics
Progressive revelation of attack complexity

Your Focus: Use your role’s perspective to investigate specific aspects, share findings with teammates, build on others’ discoveries.

Response Phase (30-45 minutes)

Coordinated containment and mitigation actions
Adaptation to evolving threat circumstances
Business continuity and communication management
Success measurement and impact assessment

Your Focus: Execute role-specific response actions, coordinate with teammates, adapt plans based on changing conditions.

Debrief Phase (15 minutes)

Team reflection on what worked well
Lessons learned and improvement opportunities
Real-world application discussion
Connection to broader cybersecurity principles

Your Focus: Share honest reflections, learn from teammates’ perspectives, think about workplace applications.

Historical Foundation Session Flow

Historical Context Setting (15 minutes)

Period technology and security landscape introduction
Historical organizational environment explanation
Era-appropriate assumptions and limitations
Setting expectations for collaborative learning

Your Focus: Absorb historical context, ask questions about unfamiliar technology, prepare to think within period constraints.

Authentic Historical Investigation (45 minutes)

Respond using only period-available tools and knowledge
Work within historical technology limitations
Experience security assumptions that proved incorrect
Understand response challenges of the era

Your Focus: Think like someone from that time period, work with teammates to understand historical challenges, avoid using modern knowledge.

Collaborative Modernization (30 minutes)

Discuss how the attack would work with current technology
Explore evolution of attack techniques and defensive capabilities
Connect historical lessons to modern cybersecurity challenges
Identify persistent patterns across time periods

Your Focus: Contribute perspectives on how threats have evolved, learn from teammates’ insights about historical progression.

Learning Synthesis (15 minutes)

Reflect on patterns in threat evolution
Discuss lessons applicable to current work
Consider future threat development trends
Connect individual expertise to historical learning

Your Focus: Share insights about threat evolution, connect learning to your current work, think about future implications.

Scenario Card Variations

What Are Scenario Cards?

Each malmon can be encountered in multiple scenario cards - different organizational contexts that change the business environment, stakeholder priorities, and response constraints while keeping the core threat behavior consistent.

Example Scenario Card: Healthcare Crisis

Organizational Context Examples

Healthcare Scenarios:

Regulatory compliance pressures (HIPAA, patient safety)
Critical patient care system dependencies
Medical device security considerations
Public health and safety implications

Financial Services Scenarios:

Regulatory oversight (SOX, PCI DSS, banking regulations)
Real-time transaction processing requirements
Customer financial data protection
Market confidence and reputation managementOrganizational

Government/Critical Infrastructure Scenarios:

National security implications
Public service continuity requirements
Interagency coordination needsOrganizational
Public safety and crisis communication

Small Business Scenarios:

Limited technical resources and expertise
Budget constraints for response actions
Personal relationships with customers
Survival-level business impact decisions

Why Different Scenarios Matter

Real-World Relevance

The same technical threat affects organizations very differently based on: - Industry regulations and compliance requirements - Business model and revenue dependencies
- Stakeholder expectations and communication needs - Available resources and technical capabilities

Role Perspective Development

Different scenarios help you understand how your incident response role adapts to: - Varying organizational priorities and constraints - Different stakeholder communication requirements - Industry-specific regulatory and legal considerations - Diverse technical environments and resource levels

What to Expect as a Player

Collaborative Learning Environment

Your Expertise Matters

Sessions build on what you already know
Questions are more valuable than immediate answers
Different perspectives enhance team understanding
Learning happens through shared discovery

No “Gotcha” Moments

IMs guide discovery rather than test knowledge
Mistakes become learning opportunities for everyone
Teams succeed through collaboration, not individual brilliance
Real-world complexity is acknowledged and supported

Realistic Complexity

Incidents evolve based on team actions and discoveries
Information emerges gradually through investigation
Multiple valid approaches exist for most challenges
Business and technical considerations both matter

Session Preparation Tips

For Any Session Type

Review your professional experience for relevant insights
Think about your preferred incident response role
Prepare to listen to and build on teammates’ ideas
Bring curiosity about cybersecurity challenges

For Historical Foundation Sessions

Prepare for technology contexts different from current experience
Approach with curiosity about cybersecurity evolution
Be ready for collaborative discovery and learning
Expect to gain new perspectives on current threats

For Contemporary Sessions

Consider current cybersecurity challenges in your industry
Think about modern tool capabilities and limitations
Prepare to apply contemporary best practices
Connect session learning to current work context

Common Player Questions

“What if I don’t know the answer?”

Perfect! Sessions are designed for collaborative discovery. Your questions and perspective help the entire team learn together.

“What if I’m not technical enough?”

Every role contributes unique value. Incident response requires business understanding, communication skills, and strategic thinking alongside technical expertise.

“What if I disagree with a teammate’s approach?”

Discuss it! Real incident response involves evaluating different approaches and finding the best path forward through team collaboration.

“What if the scenario is outside my industry experience?”

Great learning opportunity! Understanding how cybersecurity challenges vary across industries enhances your overall professional perspective.

Maximizing Your Learning Experience

Active Participation Strategies

Ask Questions

Clarify unfamiliar concepts or terminology
Explore the reasoning behind teammates’ suggestions
Understand the business context and stakeholder concerns
Connect session events to real-world experience

Build on Others’ Ideas

Expand on teammates’ suggestions with additional details
Combine different perspectives into comprehensive solutions
Help quiet team members contribute their expertise
Synthesize technical and business considerations

Cross-Session Learning

Pattern Recognition

Over multiple sessions, you’ll begin recognizing:

Common attack patterns across different malmons
Effective team collaboration techniques
Industry-specific cybersecurity challenges
Evolution patterns in threats and defenses

Skill Development

Regular participation develops:

Incident response coordination and communication
Technical problem-solving under pressure
Business risk assessment and decision-making
Cross-functional team collaboration abilities

Professional Application

Session experiences translate to workplace improvements in:

Incident response plan development and testing
Cross-team collaboration during security events
Risk communication with non-technical stakeholders
Strategic thinking about cybersecurity investments

Understanding these different session types and approaches helps you contribute more effectively to your team’s success while maximizing your own learning from each Malware & Monsters experience.

In the next chapter, we’ll explore specific techniques for effective participation regardless of which session type you encounter.

Effective Participation in Team-Based Security Training

Being an effective participant in Malware & Monsters goes beyond understanding the rules or having cybersecurity knowledge. It’s about collaborative learning, authentic contribution, and creating an environment where everyone can succeed together [@johnson1999cooperative]. This chapter provides practical guidance for being an excellent teammate and maximizing everyone’s learning experience.

The Art of Collaborative Learning Cybersecurity

Building on Others’ Ideas

The “Yes, And…” Principle: In collaborative learning, the most powerful phrase is “Yes, and…” This approach builds on established principles of cooperative learning that emphasize positive interdependence and shared knowledge construction [@slavin1996research]:

Validates others’ contributions before adding your own perspective
Creates momentum rather than stopping conversation
Builds team ideas rather than competing individual concepts
Encourages participation by making it safe to share ideas

Examples in Practice:

Instead of: “That’s wrong because antivirus doesn’t work that way.”
Try: “Yes, antivirus is important, and we should also consider that modern malware often evades traditional signatures…”

Instead of: “No, we should check the network first.”
Try: “Yes, system analysis is crucial, and network traffic might tell us how this spread…”

Instead of: “That won’t work in our environment.”
Try: “Yes, that approach has merit, and we’d need to adapt it for our specific constraints…”

Active Listening Techniques

Listen to Understand, Not to Respond:

Focus fully on what teammates are saying
Ask clarifying questions before adding your perspective
Paraphrase what you heard to confirm understanding
Connect their insights to your own knowledge

Listening for Learning:

Notice expertise patterns - Who knows what domains well?
Identify knowledge gaps - Where could you help fill in information?
Spot connections - How do different perspectives relate?
Track team progress - Are we moving toward solutions together?

Contributing Your Expertise for Security Awareness Training

Explaining Complex Concepts

Make Technical Knowledge Accessible:

Use Analogies:

“Network segmentation is like having different locked rooms in a building”
“Digital signatures are like tamper-evident seals on packages”
“Behavioral analysis is like noticing when someone acts out of character”

Provide Context:

Why it matters - “This is important because…”
How it works - “The basic idea is…”
What it looks like - “You’d see this as…”
When to use it - “This approach works best when…”

Check for Understanding:

“Does that make sense?”
“What questions do you have about this?”
“How does this connect to what you’ve seen?”

When You Don’t Know Something

Admitting Knowledge Gaps Gracefully:

Powerful Phrases

“I’m not familiar with that - can you explain more?”
“That’s outside my expertise - what should I know about it?”
“I’ve heard of that but never used it - how does it work?”
“That’s a great question - who here might know?”

Turn Gaps into Learning Opportunities:

Ask specific questions - “What would that look like in practice?”
Request examples - “Can you give me a scenario where that would happen?”
Connect to your experience - “How does that relate to [something you do know]?”
Offer related knowledge - “I don’t know that tool, but I know this similar approach…”

Managing Group Dynamics

Organizational A good teamwork is the responsibility of everyone. So if someone is quiet, someone is too dominating or the group dynamics are somehow off in other ways, everyone participats in levelling the play field, so to speak.

Encouraging Participation

When Someone Seems Quiet:

Direct questions - “Sarah, what would you check first in this situation?”
Invite perspectives - “We haven’t heard from the Communicator role yet - thoughts?”
Build on partial contributions - “That’s an interesting point - tell us more”
Create safe spaces - “What questions do you have about what we’ve discussed?”

When Someone Dominates:

Redirect gently - “That’s helpful - let’s hear other perspectives too”
Ask them to facilitate - “Can you help us get input from everyone?”
Time-box contributions - “Let’s do a quick round where everyone shares one insight”
Channel expertise - “You clearly know this area - can you help others learn by asking them questions?”

Handling Disagreements

When Perspectives Differ:

Productive Disagreement:

“I see it differently because…”
“My experience suggests…”
“What if we considered both approaches?”
“Can we test both ideas in our scenario?”

Focus on Learning:

Explore differences - “Why do you think our experiences differ?”
Find common ground - “What do we agree on?”
Test ideas - “How could we determine which approach works better?”
Learn from conflict - “What can these different perspectives teach us?”

Building Team Chemistry

Creating Psychological Safety:

Celebrate mistakes - “Great question - I don’t know either!”
Acknowledge learning - “I just learned something new from you”
Share uncertainty - “I’m not sure about this either - let’s figure it out together”
Value all contributions - “That’s a perspective I wouldn’t have considered”

Maximizing Learning During Sessions

Active Engagement Strategies

Stay Mentally Active:

Ask “why” questions - “Why would an attacker choose this approach?”
Consider alternatives - “What other ways could this happen?”
Connect to real world - “How does this relate to actual incidents?”
Think ahead - “What should we expect to happen next?”

Make Connections:

Link to your experience - “This reminds me of…”
Connect team insights - “That builds on what Alex said about…”
Bridge knowledge domains - “From a business perspective, this means…”
Synthesize learning - “So what we’re seeing is a pattern where…”

Learning from Different Perspectives

Technical Learning for Non-Technical Participants:

Ask for analogies - “Can you explain that in business terms?”
Request examples - “What would I actually see if this happened?”
Seek context - “Why would someone choose this attack method?”
Connect to impacts - “How does this technical detail affect our organization?”

Business Learning for Technical Participants:

Explore consequences - “What would this mean for our customers?”
Understand priorities - “What matters most to leadership during incidents?”
Learn communication - “How would you explain this to non-technical stakeholders?”
Consider constraints - “What business factors limit our response options?”

Common Participation Challenges

Overcoming Imposter Syndrome

“I Don’t Belong Here”: Remember that:

Diverse perspectives strengthen teams - Your background adds value
Questions drive learning - Not knowing is why you’re here
Everyone was new once - Even experts started as beginners
Contribution takes many forms - Not just technical knowledge

Practical Steps:

Start with questions - They’re always valuable
Share relevant experience - Even from other fields
Offer your perspective - Different viewpoints matter
Build on others - “Yes, and…” creates connection

Managing Information Overload

When Things Move Too Fast:

Ask for clarification - “Can we slow down and explain that term?”
Request summaries - “Can someone summarize where we are?”
Focus on big picture - “What’s the most important thing to understand here?”
Take notes - Capture key concepts for later review

Staying Engaged When Lost:

Ask pattern questions - “What patterns are we seeing?”
Request analogies - “How is this like something I might know?”
Focus on your role - “From my character’s perspective…”
Contribute your strengths - Business impact, user behavior, communication

Handling Mistakes and Confusion

When You’re Wrong:

Thank the correction - “Thanks for clarifying that”
Ask follow-up questions - “Can you help me understand why?”
Learn from the mistake - “What should I have considered?”
Move forward - Don’t dwell on being wrong

When You’re Confused:

Ask specific questions - “I’m lost on this technical part - can you explain?”
Request examples - “What would this look like in practice?”
Seek analogies - “How is this like something more familiar?”
Focus on learning - “What’s the key concept I should understand?”

Building Long-Term Learning Relationships

During Sessions

Connect with Teammates:

Exchange contact information if desired
Identify shared interests in cybersecurity topics
Discuss real-world applications of session insights
Plan follow-up conversations on interesting topics

After Sessions

Maintain Learning Connections:

Share relevant articles or resources you find
Follow up on session insights applied in real work
Continue technical discussions started during the session
Collaborate on cybersecurity projects or learning goals

Building on Session Foundations

Core Cybersecurity Concepts

Essential Knowledge Areas: Based on common session topics, these foundational areas will enhance your understanding:

Threat Landscape and Attack Methods:

MITRE ATT&CK Framework: Comprehensive knowledge base of adversary tactics and techniques
- Website: attack.mitre.org
- Start with: ATT&CK for Enterprise, basic tactics overview
- Application: Maps to session Malmon behaviors and evolution patterns

Incident Response and Digital Forensics:

NIST Cybersecurity Framework: Industry-standard approach to cybersecurity management
- Resource: NIST Special Publication 800-61 (Computer Security Incident Handling Guide)
- Application: Provides structure for the session’s discovery-investigation-response phases

Security Architecture and Controls:

Defense in Depth Principles: Layered security approach
- Resources: SANS white papers on security architecture
- Application: Explains the containment systems and type effectiveness concepts from sessions

Technical Skills Development

Hands-On Learning Opportunities:

Virtual Labs and Sandboxes:

CyberDefenders: Blue team challenges and incident response scenarios
TryHackMe: Beginner-friendly cybersecurity learning platform
VulnHub: Vulnerable machines for practicing security skills
Application: Practice techniques and tools encountered during sessions

Home Lab Setup:

Virtualization Platforms: VMware, VirtualBox, or Hyper-V
Security Tools: Open-source SIEM, network monitoring, malware analysis
Practice Networks: Set up realistic environments for hands-on learning
Application: Replicate session scenarios for deeper understanding

Programming and Scripting:

Python for Cybersecurity: Automation, analysis, and tool development
PowerShell for Windows Security: System administration and incident response
Bash/Linux Skills: Command-line proficiency for security tools
Application: Automate tasks discussed during sessions, build custom tools

Role-Specific Learning Paths

🔍 Detective (Cyber Sleuth) Development

Digital Forensics and Incident Analysis:

Foundational Learning:

SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
Volatility Framework: Memory analysis for malware investigation
Autopsy and Sleuth Kit: Open-source digital forensics tools
Application: Develop expertise in evidence analysis and pattern recognition

Advanced Skills:

Malware Analysis: Reverse engineering and behavior analysis
Timeline Analysis: Reconstructing attack sequences and evidence correlation
Log Analysis: Advanced SIEM queries and correlation techniques
Application: Enhance detective skills demonstrated during sessions

Certifications to Consider:

GCIH: GIAC Certified Incident Handler
GCFA: GIAC Certified Forensic Analyst
CISSP: Certified Information Systems Security Professional

🛡️ Protector (Digital Guardian) Development

Security Engineering and Defense:

Foundational Learning:

Network Security: Firewalls, IDS/IPS, network segmentation
Endpoint Protection: EDR, antivirus, application control
Security Architecture: Defense in depth, zero trust principles
Application: Build expertise in protective measures discussed during sessions

Advanced Skills:

Security Automation: SOAR platforms, automated response systems
Threat Intelligence: Integration of threat feeds with defensive systems
Red Team Thinking: Understanding attacker methods to improve defenses
Application: Develop proactive defense capabilities

Certifications to Consider:

GSEC: GIAC Security Essentials
GCED: GIAC Certified Enterprise Defender
CISSP: Certified Information Systems Security Professional

📡 Tracker (Data Whisperer) Development

Network Security and Data Analysis:

Foundational Learning:

Network Protocol Analysis: Wireshark, tcpdump, network forensics
Security Information and Event Management (SIEM): Splunk, ELK Stack, QRadar
Data Analytics: Statistical analysis, machine learning for security
Application: Enhance data flow analysis and pattern recognition skills

Advanced Skills:

Threat Hunting: Proactive threat detection and analysis
Network Behavior Analysis: Anomaly detection and traffic analysis
Big Data Security: Analytics platforms for large-scale security data
Application: Develop sophisticated tracking and analysis capabilities

Certifications to Consider:

GMON: GIAC Continuous Monitoring
GNFA: GIAC Network Forensic Analyst
Data Science Certifications: Python, R, machine learning for security

👥 Communicator (People Whisperer) Development

Security Governance and Risk Management:

Foundational Learning:

Risk Assessment and Management: Frameworks, methodologies, reporting
Compliance and Governance: Regulatory requirements, audit processes
Security Awareness and Training: Adult learning, behavior change
Application: Develop skills in stakeholder communication and risk translation

Advanced Skills:

Crisis Communication: Managing communications during security incidents
Executive Reporting: Translating technical risks into business language
Change Management: Implementing security culture improvements
Application: Build expertise in human factors and organizational security

Certifications to Consider:

CISA: Certified Information Systems Auditor
CISM: Certified Information Security Manager
CRISC: Certified in Risk and Information Systems Control

⚡ Crisis Manager (Chaos Wrangler) Development

Security Leadership and Coordination:

Foundational Learning:

Incident Command System (ICS): Emergency management frameworks
Business Continuity Planning: Disaster recovery, resilience planning
Project Management: Coordination, resource management, timeline planning
Application: Develop skills in complex incident coordination and leadership

Advanced Skills:

Executive Leadership: Board-level security communication and strategy
Multi-Agency Coordination: Working with law enforcement, partners, vendors
Strategic Planning: Long-term security program development
Application: Build capability for large-scale incident management

Certifications to Consider:

CISSP: Certified Information Systems Security Professional
CISM: Certified Information Security Manager
PMP: Project Management Professional

🎯 Threat Hunter (Pattern Seeker) Development

Advanced Threat Detection and Intelligence:

Foundational Learning:

Threat Intelligence: Sources, analysis, integration, sharing
Advanced Persistent Threat (APT) Analysis: Nation-state and advanced actors
Behavioral Analysis: User and entity behavior analytics (UEBA)
Application: Develop proactive threat discovery and analysis skills

Advanced Skills:

Adversary Emulation: Red team techniques for blue team improvement
Threat Modeling: Systematic analysis of potential attack paths
Intelligence Analysis: Structured analytic techniques for cybersecurity
Application: Build sophisticated threat hunting and intelligence capabilities

Certifications to Consider:

GCTI: GIAC Cyber Threat Intelligence
GREM: GIAC Reverse Engineering Malware
Certified Threat Intelligence Analyst (CTIA)

Industry-Specific Learning

Healthcare Cybersecurity

Specialized Knowledge Areas:

HIPAA Compliance: Privacy, security, breach notification requirements
Medical Device Security: FDA regulations, device management, patient safety
Clinical Workflow Integration: Balancing security with patient care
Resources: Healthcare Information and Management Systems Society (HIMSS)

Financial Services Security

Specialized Knowledge Areas:

PCI DSS Compliance: Payment card industry security standards
Financial Regulations: SOX, GLBA, banking-specific requirements
Fraud Detection: Transaction monitoring, behavioral analytics
Resources: Financial Services Information Sharing and Analysis Center (FS-ISAC)

Industrial/OT Security

Specialized Knowledge Areas:

Industrial Control Systems (ICS): SCADA, PLCs, manufacturing systems
Operational Technology (OT): Air-gapped networks, legacy systems
Safety and Security Integration: Balancing cybersecurity with operational safety
Resources: Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

Cloud Security

Specialized Knowledge Areas:

Cloud Architecture: AWS, Azure, GCP security models
Container Security: Docker, Kubernetes, microservices security
DevSecOps: Integrating security into development and deployment
Resources: Cloud Security Alliance (CSA)

Professional Development Resources

Formal Education Options

University Programs:

Graduate Degrees: Master’s in Cybersecurity, Information Assurance
Certificate Programs: Professional cybersecurity certificates
Online Programs: Flexible options for working professionals
Application: Structured learning path for career advancement

Professional Training:

SANS Institute: Hands-on cybersecurity training and certification
EC-Council: Ethical hacking and cybersecurity certifications
ISC2: Professional certification and continuing education
Application: Specialized skills development in specific areas

Self-Directed Learning

Online Learning Platforms:

Coursera: University-level cybersecurity courses
Udemy: Practical skills and tool-specific training
Pluralsight: Technology-focused learning paths
LinkedIn Learning: Professional skills and certification prep

Books and Publications:

Technical Books: In-depth coverage of specific topics
Industry Publications: Current trends and threat intelligence
Research Papers: Academic and industry research findings
Application: Deep dive into areas of interest from sessions

Conferences and Events:

DEF CON: Hacker conference with diverse tracks
BSides: Local security conferences in many cities around the world. Great way to meet your local community!
SANS conferences: Training and (free) networking events
Industry-specific events: Tailored to specific sectors or roles

Community and Networking

Professional Organizations

General Cybersecurity:

ISC2: Global cybersecurity professional organization
ISACA: Information systems audit, control, and security
SANS Community: Training alumni and professional network
CompTIA: Computing technology industry association

Specialized Communities:

Women in Cybersecurity (WiCyS): Supporting women in the field
OWASP: Open Web Application Security Project
InfraGard: Private sector and law enforcement partnership
Industry-specific ISACs: Information sharing and analysis centers

Local Communities

Meetups and User Groups:

2600 Meetings: Hacker/security enthusiast gatherings
OWASP Local Chapters: Application security focused groups
Professional meetups: ISACA, ISC2, and other organization chapters

Volunteering Opportunities:

Conference organization: Help with local security events
Educational outreach: Teach cybersecurity to students or community groups
Mentorship programs: Support newcomers to the field
Application: Give back while building professional network

Online Communities

Forums and Discussion Platforms:

Reddit: r/cybersecurity, r/netsec, specialized subreddits
Discord/Slack: Real-time chat communities
Professional LinkedIn groups: Industry-specific networking
Stack Overflow: Technical Q&A for cybersecurity tools and techniques

Social Media:

BlueSky: Cybersecurity professionals, researchers, and news
LinkedIn: Professional networking and industry updates
YouTube: Technical tutorials and conference presentations

The Learning Journey Never Ends

Cybersecurity is a field that requires continuous learning and adaptation. The collaborative skills, curiosity, and growth mindset you develop through Malware & Monsters sessions will serve you throughout your career as you navigate evolving threats, emerging technologies, and changing organizational needs. Embrace the journey of lifelong learning and help others do the same.

Remember: The goal isn’t to learn everything about cybersecurity - it’s to develop the skills, relationships, and habits that will help you continue growing throughout your career. Use these resources strategically based on your interests, goals, and opportunities, and always remember that the best learning happens when you’re helping others learn too.

How can I continue learning about these topics?
Which teammates would I like to stay connected with?

Remember

Effective participation isn’t about being the smartest person in the room - it’s about helping everyone learn together. Your questions, insights, mistakes, and perspective all contribute to creating a rich learning experience for the entire team.

What’s Next

Now that you understand how to participate effectively, you’re ready to learn about the specific roles you might play in your incident response team. Each role brings unique perspectives and capabilities to cybersecurity challenges, and understanding them will help you contribute most effectively to your team’s success.

Continue to Incident Response Roles to explore the six different ways you can contribute to your team, or jump ahead to Role-Playing Guide for tips on bringing your character to life.

Incident Response Roles

The Power of Role Specialization

In real cybersecurity incidents, effective response comes from teams where each member contributes their unique expertise and perspective. Malware & Monsters captures this reality by giving each player a specialized role that shapes how they approach problems and what they notice first.

Your role isn’t a rigid job description - it’s a lens through which you view incidents and a framework for contributing your knowledge effectively. The most successful teams leverage each role’s strengths while maintaining collaborative decision-making.

Role Overview

Here’s a quick preview of the six core incident response roles. Each brings a unique perspective to cybersecurity challenges:

The Six Core Roles

🔍 Detective (Cyber Sleuth)

Archetype: “I see patterns others miss. Every attack tells a story.”

What Detectives Excel At

Pattern Recognition: Spotting anomalies in logs, processes, and user behavior
Evidence Analysis: Connecting seemingly unrelated clues into coherent attack timelines
Digital Forensics: Understanding what artifacts attacks leave behind
Timeline Construction: Building accurate chronologies of attack progression

Detective Mindset

Detectives are naturally suspicious and detail-oriented. They notice when things are “off” - even by small percentages. They think in terms of evidence and proof, always asking “what does this tell us?” and “what else should we check?”

Classic Detective Behaviors:

Keeping mental (or actual) spreadsheets of normal vs. abnormal behavior
Getting excited about small details that others overlook
Asking follow-up questions about inconsistencies
Wanting to understand the “why” behind every piece of evidence

What Detectives Investigate During Incidents

Discovery Phase:

System logs for unusual process executions
File creation/modification timestamps
Network connection patterns
User activity patterns and reports

Investigation Phase:

Attack vector analysis and entry points
Persistence mechanisms and registry changes
Data access patterns and potential theft
Command and control communications

Response Phase:

Evidence preservation for future analysis
Indicators of compromise (IoC) development
Attack attribution and technique identification
Documentation for lessons learned

Detective Role-Playing Tips

Be curious about details others might skip
Ask “what does this remind you of?” when examining evidence
Share your thought process: “This pattern suggests…”
Connect current findings to previous experiences

Sample Detective Introduction: “I’m Sarah, and I’ve been watching our system logs like Netflix for three years. I notice when things are 0.2% off normal, and right now everything feels 15% wrong. I’m already mentally building a timeline of every suspicious event from the past week.”

🛡️ Protector (Digital Guardian)

Archetype: “Not on my watch. Every system is someone I’m protecting.”

What Protectors Excel At

Threat Containment: Stopping attacks from spreading or causing more damage
System Hardening: Implementing defenses and security controls
Damage Assessment: Understanding what systems are compromised and how badly
Recovery Planning: Getting systems back to secure, operational states

Protector Mindset

Protectors take attacks personally. They view systems as their responsibility and feel genuine offense when threats try to compromise them. They think in terms of defense, containment, and protection, always asking “how do we stop this?” and “what’s vulnerable?”

Classic Protector Behaviors:

Naming security tools like beloved pets
Getting visibly angry at malware behavior
Instinctively thinking about worst-case scenarios
Wanting to take immediate action to limit damage

What Protectors Focus On During Incidents

Discovery Phase:

Identifying compromised systems and accounts
Assessing current security control effectiveness
Checking backup systems and disaster recovery readiness
Evaluating immediate containment options

Investigation Phase:

Mapping attack spread and lateral movement
Testing security control bypasses
Assessing data integrity and system damage
Planning containment strategies

Response Phase:

Implementing isolation and quarantine measures
Deploying additional security controls
Coordinating system restoration efforts
Preventing attack evolution and spread

Protector Role-Playing Tips

Express personal investment in system security
Think about immediate protective actions
Consider the human impact of system compromises
Focus on practical, implementable defenses

Sample Protector Introduction: “I’m Mike, and these servers are my children. Someone just tried to hurt my babies, and I take that very personally. I’ve got defensive tools locked and loaded, and I’m not afraid to use them.”

📡 Tracker (Data Whisperer)

Archetype: “I follow the digital breadcrumbs. Data flows tell me everything.”

What Trackers Excel At

Network Analysis: Understanding traffic patterns and communication flows
Data Flow Monitoring: Tracking what information moves where
Connection Mapping: Identifying relationships between systems and threats
Behavioral Analysis: Recognizing unusual patterns in data movement

Tracker Mindset

Trackers visualize networks and data flows like maps or subway systems. They can “see” information moving through systems and notice when something travels where it shouldn’t. They think in terms of connections, patterns, and flows, always asking “where is this going?” and “what pattern does this create?”

Classic Tracker Behaviors:

Describing networks in visual/spatial terms
Getting excited about interesting traffic patterns
Naming suspicious connections and IP addresses
Speaking in network protocols and port numbers

What Trackers Monitor During Incidents

Discovery Phase:

Unusual outbound network connections
Data exfiltration patterns and volumes
Internal network traffic anomalies
Command and control communications

Investigation Phase:

Lateral movement pathways through networks
Data staging and collection activities
External infrastructure and threat actor tools
Network-based persistence mechanisms

Response Phase:

Blocking malicious network communications
Monitoring for continued threat activity
Tracking threat actor infrastructure changes
Validating containment effectiveness

Tracker Role-Playing Tips

Use spatial/visual metaphors for network activity
Get excited about discovering communication patterns
Think about data like water flowing through pipes
Focus on connections and relationships between systems

Sample Tracker Introduction: “I’m Alex, and I see our network like a subway map in my head. Right now there’s a train going somewhere it shouldn’t, and I’m going to follow it back to the station. Probably going to name this threat ‘Sneaky Pete’ until we know what it really is.”

👥 Communicator (People Whisperer)

Archetype: “I translate between human and technical. Everyone needs to understand what’s happening.”

What Communicators Excel At

Stakeholder Management: Keeping executives, users, and teams informed
Technical Translation: Explaining complex concepts in accessible terms
Crisis Communication: Managing information flow during high-stress situations
Business Impact Assessment: Understanding organizational and compliance implications

Communicator Mindset

Communicators naturally think about the human side of cybersecurity incidents. They consider who needs to know what, when, and how to explain it effectively. They bridge technical and business worlds, always asking “who else is affected?” and “how do we explain this clearly?”

Classic Communicator Behaviors:

Automatically translating technical jargon into plain language
Thinking about compliance and regulatory requirements
Considering user experience and business continuity
Using analogies to explain complex technical concepts

What Communicators Handle During Incidents

Discovery Phase:

Interviewing users about suspicious activities
Assessing initial business impact and scope
Planning stakeholder notification strategies
Understanding social engineering vectors

Investigation Phase:

Managing executive and customer communications
Coordinating with legal and compliance teams
Assessing regulatory notification requirements
Planning user training and awareness responses

Response Phase:

Coordinating organization-wide response activities
Managing external communications and media
Planning post-incident user education
Documenting lessons learned for future training

Communicator Role-Playing Tips

Think about how to explain technical findings to non-technical people
Consider the business and human impact of incidents
Ask about organizational policies and compliance requirements
Focus on clear, actionable communication

Sample Communicator Introduction: “I’m Jamie, and I’m the one who explains why turning it off and on again won’t fix APT infiltration. I keep our CEO from panicking and our users from clicking suspicious links. Think of me as a cybersecurity translator.”

⚡ Crisis Manager (Chaos Wrangler)

Archetype: “I see the big picture. Someone has to keep track of everything while you specialists do your magic.”

What Crisis Managers Excel At

Incident Coordination: Orchestrating team efforts and decision-making
Resource Management: Allocating time, people, and tools effectively
Priority Setting: Determining what needs attention first
Strategic Planning: Balancing short-term response with long-term recovery

Crisis Manager Mindset

Crisis Managers naturally organize complex situations into manageable components. They think systematically about dependencies, timelines, and resource allocation. They see the forest while others focus on trees, always asking “what’s our overall strategy?” and “how do all these pieces fit together?”

Classic Crisis Manager Behaviors:

Creating mental (or actual) project plans for incident response
Thinking about task dependencies and critical paths
Getting energized by complex, multi-faceted problems
Speaking in terms of priorities, timelines, and coordination

What Crisis Managers Coordinate During Incidents

Discovery Phase:

Team role assignment and investigation coordination
Communication protocols and information sharing
Timeline establishment and milestone planning
Resource requirement assessment

Investigation Phase:

Cross-functional team coordination
Priority setting for multiple investigation tracks
Decision-making process facilitation
External resource coordination (vendors, authorities)

Response Phase:

Comprehensive response strategy coordination
Multi-team effort synchronization
Recovery planning and business continuity
Post-incident review and improvement planning

Crisis Manager Role-Playing Tips

Focus on team coordination and communication
Think about timelines, dependencies, and priorities
Ask about resource availability and constraints
Consider both immediate response and long-term recovery

Sample Crisis Manager Introduction: “I’m Taylor, and I’m the one making sure we’re all solving the same problem instead of five different ones. I have a mental Gantt chart of this incident, and right now we’re behind schedule but not off track.”

🎯 Threat Hunter (Pattern Seeker)

Archetype: “I don’t wait for alerts. I go looking for trouble before it finds us.”

What Threat Hunters Excel At

Proactive Investigation: Finding threats that aren’t yet detected
Hypothesis-Driven Analysis: Testing theories about attack techniques
Adversary Behavior Analysis: Understanding attacker tactics and motivations
Intelligence Development: Creating actionable threat intelligence

Threat Hunter Mindset

Threat Hunters assume breach and actively search for signs of compromise. They think like attackers to predict where threats might hide. They approach problems with curiosity and skepticism, always asking “what aren’t we seeing?” and “what would I do if I were the attacker?”

Classic Threat Hunter Behaviors:

Questioning initial findings and looking deeper
Thinking about what attackers would do next
Getting excited about discovering hidden threats
Using threat intelligence to guide investigation

What Threat Hunters Search For During Incidents

Discovery Phase:

Hidden threats not revealed by initial investigation
Signs of earlier, undetected compromise
Related threat actor activities and campaigns
Advanced evasion techniques and living-off-the-land tactics

Investigation Phase:

Persistence mechanisms beyond obvious indicators
Lateral movement techniques and covert channels
Data staging areas and collection points
Command and control infrastructure analysis

Response Phase:

Remaining threat actor presence after containment
New attack techniques and tool development
Threat actor adaptation to response activities
Intelligence collection for future defense

Threat Hunter Role-Playing Tips

Always assume there’s more to discover
Think from the attacker’s perspective
Question obvious conclusions and dig deeper
Connect current incident to broader threat landscape

Sample Threat Hunter Introduction: “I’m Jordan, and I never trust first impressions when it comes to security incidents. While everyone’s dealing with the obvious threat, I’m looking for what the attacker really doesn’t want us to find. Something this visible is usually hiding something more interesting.”

Role Collaboration and Team Dynamics

How Roles Work Together

The magic of Malware & Monsters happens when different roles combine their perspectives:

Investigation Collaboration Example

Detective finds unusual process execution in logs
Protector identifies which systems are affected
Tracker discovers external communication to suspicious IPs
Communicator interviews users who received phishing emails
Crisis Manager coordinates timeline and next steps
Threat Hunter searches for related compromise indicators

Each role contributes unique value that the others might miss.

Role-Based Type Effectiveness

Different roles have natural advantages against specific Malmon types based on their expertise and approach:

Understanding Your Role’s Strengths

Detective Advantages:

vs. Trojans: Excel at detecting deception and social engineering vectors
vs. APTs: Pattern recognition reveals long-term campaign indicators
vs. Rootkits: Forensic skills uncover hidden artifacts and persistence

Protector Advantages:

vs. Worms: Network isolation and segmentation prevent spread
vs. Ransomware: Backup systems and recovery procedures mitigate impact
vs. Basic threats: Security controls and hardening provide strong defense

Tracker Advantages:

vs. Worms: Network propagation creates obvious traffic patterns
vs. Infostealers: Data exfiltration generates detectable network activity
vs. APTs: Long-term monitoring reveals communication patterns

Communicator Advantages:

vs. Trojans: Social engineering requires user education response
vs. Ransomware: Business impact assessment and stakeholder management critical
vs. APTs: Long-term incidents require sustained stakeholder communication

Crisis Manager Advantages:

vs. Ransomware: Business continuity and crisis coordination essential
vs. APTs: Complex response requires strategic coordination
vs. Worms: Rapid spread requires immediate resource allocation

Threat Hunter Advantages:

vs. APTs: Proactive hunting essential for sophisticated threats
vs. Rootkits: Advanced techniques required to find hidden threats
vs. Infostealers: Proactive search reveals data collection activities

Remember: These are strengths, not limitations. Every role can contribute to any Malmon type - this helps you know where to lean into your expertise.

Natural Role Partnerships

Detective + Threat Hunter

Detectives provide evidence-based analysis while Threat Hunters ask “what else should we look for?” Together they create comprehensive investigation strategies.

Protector + Crisis Manager

Protectors focus on immediate containment while Crisis Managers coordinate broader response efforts. This partnership balances tactical action with strategic planning.

Tracker + Communicator

Trackers provide technical network analysis while Communicators assess business impact and stakeholder needs. Together they create complete situational awareness.

Managing Role Overlap

Sometimes roles have overlapping interests or conflicting priorities:

When Multiple Roles Want the Same Action

Acknowledge all perspectives: “Both Detective and Threat Hunter want to investigate those logs”
Divide the work: Detective focuses on timeline, Threat Hunter looks for hidden threats
Leverage different approaches: Each role brings unique techniques

When Roles Disagree on Priorities

Crisis Manager coordination: Help team evaluate trade-offs
Communicator facilitation: Ensure all concerns are heard
Collaborative decision-making: Find solutions that address multiple role concerns

Choosing Your Role

Based on Your Interests

If You Enjoy…

Solving puzzles and finding patterns: Detective or Threat Hunter
Protecting systems and stopping attacks: Protector
Understanding networks and data flows: Tracker
Working with people and business issues: Communicator
Organizing complex projects: Crisis Manager

Based on Your Experience

Technical Background

Any role can leverage technical expertise, but consider:

Detective: If you like log analysis and forensics
Protector: If you focus on security tools and hardening
Tracker: If you work with networks and monitoring
Threat Hunter: If you do security research or advanced analysis

Business Background

Communicator: Natural fit for business-focused professionals
Crisis Manager: Great for project management experience
Any role: Business perspective enhances every role

Mixed or New to Cybersecurity

All roles welcome newcomers! Choose based on what sounds interesting rather than what you “should” know.

Role Development Over Time

Starting Simple

Your first sessions might focus on basic role activities:

Detective: Looking for obvious anomalies
Protector: Implementing standard containment
Tracker: Monitoring basic network patterns

Growing Complexity

As you gain experience:

Detective: Advanced forensic techniques and complex timeline analysis
Protector: Sophisticated defense strategies and threat prediction
Tracker: Deep network analysis and behavioral detection

Cross-Role Learning

Experienced players often understand multiple roles, making them more effective in their chosen specialty.

Role-Playing Tips for All Roles

Embrace the Archetype

Have fun with role stereotypes and characteristics
Let your role’s personality influence how you approach problems
Use role-consistent language and metaphors

Stay True to Your Expertise

Contribute your real knowledge through your role’s lens
Don’t feel limited by role boundaries when you have relevant expertise
Share insights that help the team, regardless of role

Support Other Roles

Ask questions that help other roles contribute
Build on others’ findings from your role’s perspective
Acknowledge when other roles have better expertise for specific issues

Learn from Experience

Pay attention to how your role’s perspective contributes to solutions
Notice what other roles teach you about incident response
Develop your role’s intuition through practice

Role Flexibility

While roles provide structure and focus, don’t let them become rigid boundaries. The best teams leverage each member’s full expertise while maintaining role-based perspectives that ensure comprehensive coverage of incident response needs.

In the next chapter, we’ll explore the Containment System - how your team uses security controls and techniques to neutralize Malmon threats and restore organizational security.

Role-Playing Guide

Role-playing in Malware & Monsters isn’t about theatrical performance or elaborate costumes. It’s about bringing your authentic self to a cybersecurity incident response scenario while embracing the perspective and personality of your chosen role. This chapter will help you develop memorable characters that enhance collaborative learning cybersecurity and create engaging team-based security training dynamics that support cybersecurity skills development.

Understanding Character Development

The Foundation: You + Role + Situation

Your Character Is:

70% your real self - Name, expertise, personality, values
20% role archetype - Detective’s curiosity, Protector’s defensiveness, etc.
10% scenario context - How your character fits in this organization

Not Required:

Acting ability or dramatic performance (although it makes everything more fun)
Fictional backstories or elaborate personalities
Accents, costumes, or theatrical elements
Being someone completely different from yourself

Building Your Character in 5 Minutes

Step 1: Keep Your Real Name Most players use their actual first name, making it easy to stay connected to the character while building team relationships.

Step 2: Embrace Your Role Archetype Each role has recognizable patterns that make them fun and memorable:

🔍 Detective - Obsessed with details others miss
🛡️ Protector - Takes attacks personally, protective of systems
📡 Tracker - Visualizes networks and data flows
👥 Communicator - Translates between technical and business
⚡ Crisis Manager - Organizes chaos, sees big picture
🎯 Threat Hunter - Proactively seeks hidden dangers

Example: Protector Role Card

Step 3: Add One Personal Touch Choose something that makes your character memorable: - A work habit or quirk - A particular concern or motivation - A way of talking about your expertise - A relationship to the organization you’re protecting

Character Development in Practice

Detective Character Example

Real Person: Sarah, IT Support Specialist
Role Archetype: 🔍 Detective - obsessed with patterns and details
Personal Touch: Keeps spreadsheets of “normal” vs “abnormal” system behavior

Character Introduction:
“I’m Sarah from IT Support. I’ve been watching our system logs like Netflix for two years, and I notice when things are even 0.2% off normal. Right now, everything feels 15% wrong, and that means we have a problem.”

Character Consistency:

Refers to data patterns and percentages
Gets excited about log files and timestamps
Notices details others overlook
Takes system anomalies personally

Protector Character Example

Real Person: Marcus, Software Developer
Role Archetype: 🛡️ Protector - treats systems like family
Personal Touch: Names his security tools and gets angry at attackers

Character Introduction:
“I’m Marcus from Systems Administration. These servers are my children, and someone just tried to hurt my babies. I’ve got Firewall Fluffy and IDS Spike ready to defend our house, and I’m not happy about this intrusion.”

Character Consistency:

Refers to systems with parental protectiveness
Uses military or defensive metaphors
Takes security breaches personally
Focuses on immediate protection and containment

Communicator Character Example

Real Person: Jamie, Risk Management
Role Archetype: 👥 Communicator - translates between worlds
Personal Touch: Already mentally preparing explanations for executives

Character Introduction:
“I’m Jamie from Risk Management. I’m the one who explains to our CEO why ‘just unplug everything’ isn’t actually a solution. I’m already calculating compliance implications and figuring out how to keep stakeholders calm while we fix this.”

Character Consistency:

Thinks about business impact and communication
Translates technical concepts into business language
Worries about stakeholder reactions
Focuses on managing the human side of incidents

Staying in Character

Natural Character Consistency

Use Your Role’s Perspective: Instead of generic responses, filter through your character’s viewpoint:

Generic: “We should check the network.”
Detective: “I want to see the network logs - there’s got to be a pattern in the timing.”
Protector: “We need to isolate the infected systems before this spreads further.”
Tracker: “Let me map the data flows - I can visualize where this is going.”

Ask Character-Appropriate Questions:

Detective: “What evidence are we missing? What doesn’t fit the pattern?”
Protector: “What systems are most vulnerable? How do we stop this now?”
Tracker: “Where is data going? What connections look suspicious?”
Communicator: “Who needs to know about this? How do we explain the impact?”
Crisis Manager: “What’s our priority order? How do we coordinate response?”
Threat Hunter: “What else might be hidden? Where should we look next?”

Balancing Character and Expertise

When Your Real Knowledge Conflicts with Character:
Your real expertise always takes priority over character limitations. If you know something important, share it - just do it in character.

Example:
Real knowledge: You’re a network security expert who knows about advanced persistent threats
Character: Detective focused on log analysis
Solution: “Looking at these log patterns, my detective instincts are telling me this might be more than a simple intrusion - the persistence mechanisms look like an advanced persistent threat.”

Character Interactions and Team Chemistry

Building Team Dynamics

Complementary Characters:

Detective and Tracker can collaborate on evidence analysis
Protector and Crisis Manager can coordinate defensive responses
Communicator and Crisis Manager can handle stakeholder management
Threat Hunter and Detective can uncover hidden threats

Character Tension (Productive):

Protector wants immediate action vs Detective wants more analysis
Crisis Manager focuses on coordination vs roles want to act independently
Communicator worries about business impact vs technical roles focus on threat

Character Moments That Enhance Learning

When Characters Disagree:
Use character perspective to explore different approaches:
Detective: “We need more data before we act - what if we’re wrong about the threat?”
Protector: “Every minute we wait, this thing could be spreading to more systems!”
Communicator: “Can we do both? Start containment while gathering more evidence?”

When Characters Celebrate:
Acknowledge team successes in character:
Tracker: “Beautiful work isolating that data flow - we’ve got them cornered!”
Detective: “The pattern is finally clear - this is exactly how they got in!”
Crisis Manager: “Excellent coordination everyone - we’re ahead of schedule!”

Advanced Character Techniques

Character Growth During Sessions

Round 1 Character Reactions:
How does your character feel about discovering the threat?

Detective: Excited by the puzzle, concerned about complexity
Protector: Angry about the intrusion, determined to fight back
Tracker: Fascinated by attack patterns, worried about data loss

Round 2 Character Development:
How does understanding the scope change your character?

Detective: More focused, following evidence trails
Protector: More strategic, planning comprehensive defense
Communicator: More concerned, calculating business impact

Round 3 Character Resolution:
How has this incident changed your character?

Detective: Satisfied by solving the puzzle, planning better monitoring
Protector: Relieved systems are safe, implementing stronger defenses
Crisis Manager: Proud of team coordination, documenting lessons learned

Character Voice and Language

Develop Consistent Speech Patterns:

Detective Language:

“The evidence suggests…”
“I’m seeing a pattern where…”
“The timeline doesn’t add up…”
“Something’s not right about…”

Protector Language:

“We need to defend against…”
“I’m not letting this thing…”
“Time to deploy countermeasures…”
“Our systems are under attack…”

Tracker Language:

“Data is flowing to…”
“I’m seeing connections between…”
“The network is telling us…”
“Following the digital trail…”

Communicator Language:

“From a business perspective…”
“We need to inform stakeholders that…”
“The impact to operations is…”
“How do we explain this to…”

Common Role-Playing Challenges

“I Feel Silly Talking in Character”

Remember:

You’re not acting - you’re problem-solving from a specific perspective
Other players are focused on the scenario, not judging your performance
Character voice develops naturally over time
Authenticity matters more than theatrical skill

Start Small:

Use your character’s name when introducing ideas
Ask questions your character would ask
Express concerns your character would have
Build complexity gradually as you feel comfortable

“My Character Conflicts with My Knowledge”

Always Prioritize Learning:
If you have important knowledge, share it - just frame it through your character:

“As a Detective, my instincts are telling me this looks like [technical concept you know about]…”

“My Protector training is saying we should consider [security measure you’re familiar with]…”

“I Don’t Know How My Character Would React”

Default to Your Real Reaction: When unsure, respond as yourself but through your role’s perspective:

What would you actually do in this situation?
How does your role’s focus change that approach?
What concerns would your character have?
What questions would your character ask?

Character Development Worksheet

Before Your Session:

Basic Character Information:

Name: [Your real first name]
Role: [Detective/Protector/Tracker/Communicator/Crisis Manager/Threat Hunter]
Professional Background: [Your real expertise]
Character Quirk: [One memorable trait or habit]

Character Motivation:

Why do you care about protecting this organization?
What would devastate you if it were compromised?
How do you approach problems in your area of expertise?
What’s your biggest professional concern?

Character Voice:

How do you talk about your work?
What phrases or analogies do you use naturally?
What gets you excited or frustrated?
How do you interact with teammates?

Integration with Learning Goals

Character as Learning Tool

Different Perspectives Reveal Different Insights:

Detective perspective focuses on evidence and analysis
Protector perspective emphasizes immediate response and defense
Tracker perspective reveals data flows and network relationships
Communicator perspective highlights business impact and stakeholder needs

Character Decisions Deepen Understanding:
When you make choices as your character, you explore:

How different roles prioritize differently
Why certain approaches matter more to specific functions
How team coordination requires balancing perspectives
What real incident responders consider important

Character Growth as Learning Outcome

By the End of Your Session:

Your character has “lived through” a cybersecurity incident
You’ve experienced decision-making from a specific role perspective
You understand how different functions contribute to incident response
You’ve practiced collaborative problem-solving in a realistic context

The Secret of Great Characters

The best characters in Malware & Monsters are authentic people who embrace their role’s perspective while contributing their real expertise. You don’t need to be a great actor - you just need to be a great teammate who thinks about problems from your character’s point of view.

What’s Next

Now that you understand how to develop and play your character effectively, you’re ready to explore the containment systems and security controls your incident response team will use to counter Malmon threats. Understanding these tools and techniques will help you make informed character decisions and contribute effectively to your team’s response strategy.

Continue to The Containment System to learn about the security tools and techniques your team will use, or jump to Maximizing Learning for strategies to get the most educational value from your sessions.

The Containment System for Incident Response Training

From Capture to Containment

Traditional creature-collection games focus on capturing creatures for training and battle. Malware & Monsters flips this concept: instead of collecting threats for your team, you work to contain and neutralize them before they can cause damage to your organization.

The Containment System represents the tools, techniques, and strategies that cybersecurity professionals use to stop, analyze, and eliminate digital threats. Just as different creatures require different capture techniques, different Malmon types respond better to specific containment approaches.

Security Controls: Your Containment Arsenal

Understanding Security Controls

Security Controls are your primary tools for containing Malmons. Each control represents a category of cybersecurity defenses, from basic antivirus software to advanced behavioral analysis systems. The key to successful containment is matching the right controls to the specific Malmon type you’re facing.

Type Effectiveness Overview

Understanding which security controls work best against different Malmon types is fundamental to successful containment:

Basic Security Controls

Signature Detection

What it does: Identifies known malware patterns and file signatures
Best against: Basic variants of known Malmon families
Effectiveness: High against unmodified threats, low against evolved forms
Team applications:

Detective: “The file hash matches known GaboonGrabber samples”
Protector: “Deploying signature updates across all endpoints”

Effectiveness Ratings: - Super Effective vs: Basic Trojans, known Worms - Normal vs: Most standard threats
- Not Effective vs: Zero-day variants, Polymorphic threats

Network Isolation

What it does: Separates infected systems from critical network resources
Best against: Worm-type Malmons attempting lateral movement
Effectiveness: Excellent for containing spread, prevents evolution

Team applications:

Protector: “Moving infected workstations to quarantine VLAN”
Tracker: “Monitoring quarantine network for continued threat activity”

Effectiveness Ratings: - Super Effective vs: Worms, Network-propagating threats - Normal vs: APTs, Infostealers - Not Effective vs: Air-gap jumping threats, USB-based Malmons

System Restoration

What it does: Returns compromised systems to known-good states
Best against: File-encrypting and system-modifying threats
Effectiveness: High for undoing damage, moderate for prevention

Team applications:

Protector: “Initiating rollback to yesterday’s clean backup”
Crisis Manager: “Coordinating restoration priorities across departments”

Effectiveness Ratings: - Super Effective vs: Ransomware, System modifiers - Normal vs: Most persistent threats - Not Effective vs: Data theft (damage already done)

Advanced Security Controls

Behavioral Analysis

What it does: Monitors system and network behavior for anomalous patterns
Best against: Evasive and sophisticated threats that avoid signatures
Effectiveness: Excellent against novel techniques, requires expertise

Team applications:

Detective: “Process behavior shows signs of injection techniques”
Threat Hunter: “Baseline deviation suggests hidden persistence mechanism”

Effectiveness Ratings: - Super Effective vs: Trojans, Rootkits, APTs - Normal vs: Straightforward attacks - Not Effective vs: Perfectly mimicked legitimate behavior

Threat Intelligence

What it does: Uses knowledge of attacker techniques and infrastructure
Best against: Organized threat actor campaigns and known attack patterns
Effectiveness: High when intelligence is current and relevant

Team applications:

Threat Hunter: “This C2 infrastructure matches known Lazarus Group patterns”
Communicator: “Intelligence suggests this is part of broader campaign”

Effectiveness Ratings: - Super Effective vs: APTs, Nation-state threats - Normal vs: Organized cybercrime - Not Effective vs: Novel or amateur threats

Zero Trust Architecture

What it does: Assumes breach and verifies every access request
Best against: Advanced persistent threats and lateral movement
Effectiveness: Excellent for containment, requires significant implementation

Team applications:

Crisis Manager: “Implementing enhanced verification for all system access”
Protector: “Zero trust controls are limiting threat movement effectively”

Effectiveness Ratings: - Super Effective vs: APTs, Lateral movement specialists - Normal vs: Most organized threats - Not Effective vs: Legitimate-access-based attacks

Advanced Containment Techniques

Coordinated Multi-Control Deployment

The Layered Defense Approach

Rather than relying on single controls, advanced containment uses multiple complementary techniques:

Example: Containing a Worm/Ransomware Hybrid

Immediate Isolation (Protector) - Prevent spread
Behavioral Analysis (Detective) - Understand attack progression
Backup Validation (Protector) - Ensure recovery capabilities
Communication Blocking (Tracker) - Disrupt command and control
User Coordination (Communicator) - Prevent user actions that aid the attack

Team-Based Control Synergies

Detective + Threat Hunter Synergy:

Detective provides forensic evidence of Malmon behavior
Threat Hunter uses evidence to search for related threats
Combined intelligence improves containment targeting

Protector + Crisis Manager Synergy:

Protector implements technical containment measures
Crisis Manager coordinates resource allocation and priorities
Combined approach ensures comprehensive coverage

Tracker + Communicator Synergy:

Tracker identifies affected systems and data flows
Communicator assesses business impact and stakeholder needs
Combined perspective balances technical and business requirements

Environmental Containment Factors

Network Architecture Advantages

Micro-segmentation: Limits Worm-type spread
Air-gapped Critical Systems: Protects against most threats
Monitoring Coverage: Improves detection and containment speed
Backup Diversity: Enhances recovery capabilities

Organizational Readiness Multipliers

Incident Response Team Training: Improves coordination effectiveness
Updated Security Tools: Provides better containment capabilities
Clear Communication Protocols: Reduces response time
Management Support: Enables resource deployment

Containment Planning and Execution

Pre-Incident Preparation

Control Inventory Assessment

Before facing real threats, teams should understand their available controls:

Questions for Team Discussion:

What signature detection capabilities do we have?
How quickly can we isolate infected systems?
What backup and recovery options are available?
Do we have behavioral analysis tools and expertise?
What threat intelligence sources can we access?

Role-Specific Containment Responsibilities

Detective Containment Focus:

Evidence preservation during containment actions
Identification of containment success indicators
Analysis of Malmon resistance to specific controls
Documentation of containment effectiveness

Protector Containment Focus:

Technical implementation of containment measures
System isolation and restoration procedures
Security control deployment and configuration
Damage assessment and recovery planning

Tracker Containment Focus:

Network traffic monitoring during containment
Validation of communication blocking effectiveness
Monitoring for continued threat activity
Network-based containment implementation

Communicator Containment Focus:

Stakeholder notification during containment efforts
Business impact assessment of containment measures
User coordination to support containment activities
External communication about incident status

Crisis Manager Containment Focus:

Overall containment strategy coordination
Resource allocation for containment efforts
Timeline management and priority setting
Integration of all team containment activities

Threat Hunter Containment Focus:

Proactive search for additional threats during containment
Assessment of containment effectiveness
Investigation of potential threat evolution or adaptation
Intelligence gathering for improved future containment

During-Incident Containment Execution

The Containment Decision Process

Step 1: Threat Assessment

What type of Malmon are we facing?
What are its primary capabilities and objectives?
How has it already impacted our environment?
What are the likely evolution triggers?

Step 2: Control Selection

Which controls are most effective against this Malmon type?
What controls do we have immediately available?
How can we combine controls for maximum effectiveness?
What are the risks of each containment approach?

Step 3: Coordinated Implementation

Who implements each control?
What is the sequence and timing of implementation?
How do we monitor containment effectiveness?
What are our backup plans if initial containment fails?

Step 4: Validation and Adjustment

Is the Malmon contained or still active?
Are there signs of evolution or adaptation?
Do we need additional or different controls?
What can we improve about our containment approach?

Containment Failure and Recovery

When Containment Doesn’t Work

Common Containment Failure Modes

Type Mismatch: Using controls ineffective against the specific Malmon type
Timing Issues: Attempting containment after evolution or spread
Coordination Problems: Team members working at cross purposes
Resource Limitations: Insufficient tools or expertise for the threat level
Environmental Gaps: Network or system vulnerabilities that enable evasion

Learning from Containment Failures

Failed containment attempts provide valuable learning opportunities:

Questions for Team Reflection:

What did we misunderstand about the Malmon’s capabilities?
Which controls worked better or worse than expected?
How could we have coordinated more effectively?
What environmental factors contributed to containment difficulty?
What would we do differently in a similar situation?

Recovery and Resilience

Post-Containment Activities

Even after successful containment, important work remains:

System Recovery:

Restoration of affected systems and data
Validation of system integrity and security
Implementation of additional protections
User access restoration and validation

Intelligence Development:

Documentation of Malmon characteristics and behavior
Sharing of containment techniques with community
Development of improved detection signatures
Enhancement of organizational defenses

Team Development:

Review of containment coordination and effectiveness
Identification of skill gaps and training needs
Refinement of roles and responsibilities
Preparation for future, more advanced threats

Building Containment Expertise

Individual Skill Development

For Each Role

Detective: Develop expertise in forensic analysis, evidence preservation, and containment validation techniques.

Protector: Build proficiency with security tools, system recovery procedures, and technical containment implementation.

Tracker: Master network monitoring, traffic analysis, and network-based containment approaches.

Communicator: Learn business impact assessment, stakeholder management during crises, and coordination techniques.

Crisis Manager: Develop project management skills, resource allocation strategies, and team coordination capabilities.

Threat Hunter: Build intelligence analysis skills, proactive investigation techniques, and advanced threat detection capabilities.

Team Skill Development

Collaborative Containment Exercises

Scenario-based practice with different Malmon types
Cross-training to understand other roles’ containment responsibilities
Communication drills for coordinating containment activities
Tool familiarization across different security control categories

Community Learning

Sharing containment experiences with other teams and organizations
Learning from community failures and successes
Contributing to containment technique development
Participating in collaborative threat intelligence efforts

Remember: Containment is Collaborative

No single role or control can contain all Malmons effectively. The most successful containment efforts combine different controls, leverage each role’s expertise, and adapt to the specific characteristics of the threat being faced.

In the next chapter, we’ll explore the Training and Progression system - how you develop expertise, earn recognition for your growing skills, and advance through increasingly challenging cybersecurity scenarios.

Training and Progression

The Path to Cybersecurity Mastery

Malware & Monsters isn’t just about individual sessions - it’s about building genuine cybersecurity expertise through structured progression. Like any skill-based pursuit, your abilities grow through practice, collaboration, and increasingly challenging scenarios.

The Training and Progression system recognizes your developing expertise, provides clear advancement paths, and creates opportunities to take on greater cybersecurity challenges while building a community of collaborative defenders.

Experience and Skill Development

How You Gain Experience

Session-Based Learning

Every Malware & Monsters session provides multiple opportunities to develop cybersecurity skills:

Discovery Achievements:

First Contact: Successfully identifying a new Malmon type (+2 XP)
Pattern Recognition: Connecting symptoms to specific attack techniques (+3 XP)
Evidence Analysis: Drawing accurate conclusions from digital artifacts (+3 XP)
Collaborative Insight: Building on teammates’ discoveries (+2 XP)

Investigation Mastery:

Impact Assessment: Accurately determining attack scope and damage (+4 XP)
Attribution Analysis: Identifying attack techniques and potential threat actors (+5 XP)
Vulnerability Identification: Understanding how the attack succeeded (+4 XP)
Timeline Construction: Building accurate attack progression narratives (+3 XP)

Response Excellence:

Strategic Containment: Selecting optimal controls for specific Malmon types (+5 XP)
Team Coordination: Effectively coordinating multi-role response efforts (+4 XP)
Crisis Communication: Managing stakeholder expectations during incidents (+3 XP)
Adaptive Response: Adjusting strategy when initial approaches prove ineffective (+6 XP)

Role-Specific Expertise Development

Each role has specialized advancement tracks reflecting real cybersecurity career paths:

🔍 Detective Advancement:

Forensic Analysis: Digital evidence examination and timeline construction
Threat Research: Understanding malware families and attack techniques
Pattern Recognition: Identifying anomalies and attack indicators
Intelligence Development: Creating actionable threat intelligence

🛡️ Protector Advancement:

System Hardening: Implementing effective security controls and configurations
Incident Response: Technical containment and recovery procedures
Risk Assessment: Evaluating and prioritizing security vulnerabilities
Security Architecture: Designing defensive systems and processes

📡 Tracker Advancement:

Network Analysis: Understanding traffic patterns and communication flows
Behavioral Monitoring: Detecting anomalous activities and attack progression
Data Flow Security: Protecting information in transit and at rest
Infrastructure Defense: Securing network architecture and services

👥 Communicator Advancement:

Stakeholder Management: Coordinating with executives, users, and external parties
Crisis Communication: Managing information flow during security incidents
Business Alignment: Translating technical security issues into business language
Compliance Coordination: Managing regulatory and legal aspects of incidents

⚡ Crisis Manager Advancement:

Incident Coordination: Orchestrating complex, multi-team response efforts
Resource Management: Allocating personnel, tools, and time effectively
Strategic Planning: Balancing immediate response with long-term recovery
Organizational Leadership: Building and maintaining effective security programs

🎯 Threat Hunter Advancement:

Proactive Investigation: Finding threats before they trigger alerts
Adversary Analysis: Understanding attacker tactics, techniques, and procedures
Hypothesis Testing: Developing and validating theories about threat activity
Intelligence Integration: Using external intelligence to guide hunting activities

Skill Rating System

Individual Competencies

Your growing expertise is tracked across multiple dimensions:

Technical Skills (1-10 scale):

Malware Analysis: Understanding threat capabilities and behaviors
Network Security: Protecting and monitoring network infrastructure
Digital Forensics: Investigating and analyzing security incidents
Risk Assessment: Evaluating and prioritizing security concerns
Security Architecture: Designing effective defensive systems

Collaboration Skills (1-10 scale):

Team Coordination: Working effectively with diverse incident response teams
Knowledge Sharing: Teaching and learning from cybersecurity colleagues
Communication: Explaining technical concepts across different audiences
Leadership: Guiding teams through complex security challenges
Adaptability: Adjusting approach based on new information and circumstances

Organizational Skills (1-10 scale):

Business Understanding: Connecting security activities to organizational objectives
Compliance Knowledge: Understanding regulatory and legal requirements
Vendor Management: Working with external security providers and tools
Training Development: Building cybersecurity capabilities in others
Strategic Thinking: Planning long-term security improvements

Skill Development Through Practice

Novice Level (Skills 1-3):

Focus on learning basic concepts and terminology
Practice fundamental techniques with guidance
Develop confidence in core role responsibilities
Build relationships with more experienced team members

Competent Level (Skills 4-6):

Apply knowledge independently in routine situations
Contribute meaningfully to team efforts
Begin specializing in areas of particular interest
Mentor newcomers to cybersecurity

Expert Level (Skills 7-9):

Handle complex, non-routine cybersecurity challenges
Lead response efforts for sophisticated threats
Develop new techniques and approaches
Train and develop other cybersecurity professionals

Master Level (Skill 10):

Innovate solutions for novel cybersecurity problems
Shape organizational and community cybersecurity practices
Publish research and contribute to the field
Build and lead high-performing cybersecurity teams

Security Domain Mastery

The Badge System

Recognition of your growing expertise comes through Security Domain Badges - achievements that demonstrate mastery of specific cybersecurity disciplines.

Core Security Domains

🌐 Network Security Badge “Guardian of Digital Highways”

Network Security Badge - Cybersecurity Skills Development Achievement for Team-Based Security Training

Requirements:

Successfully contain 5 Worm-type Malmons using network isolation
Demonstrate proficiency with traffic analysis and monitoring
Coordinate effective network-based incident response
Contribute to network security architecture improvements

Skills Demonstrated:

Network traffic analysis and anomaly detection
Firewall configuration and network segmentation
Intrusion detection and prevention systems
Network forensics and incident investigation

Career Connections: Network Security Engineer, SOC Analyst, Network Architect

💻 Endpoint Security Badge “Protector of Digital Workstations”

Endpoint Security Badge - Security Awareness Training Progress Badge for Cybersecurity Education

Requirements:

Successfully contain 5 Trojan or Rootkit-type Malmons
Master behavioral analysis and system monitoring techniques
Lead system recovery and hardening efforts
Develop endpoint protection strategies

Skills Demonstrated:

Host-based intrusion detection and response
Malware analysis and reverse engineering
System forensics and timeline analysis
Endpoint protection platform management

Career Connections: Incident Response Specialist, Malware Analyst, Endpoint Security Engineer

🗄️ Data Protection Badge “Guardian of Digital Assets”

Data Protection Badge - Incident Response Training Certification for Security Professional Development

Requirements:

Successfully defend against 5 Ransomware or Infostealer-type Malmons
Implement effective backup and recovery strategies
Demonstrate data loss prevention techniques
Lead data breach response efforts

Skills Demonstrated:

Data classification and handling procedures
Encryption implementation and key management
Backup strategy development and testing
Data breach investigation and notification

Career Connections: Data Protection Officer, Compliance Manager, Risk Analyst

👤 Human Factor Security Badge “Defender Against Social Engineering”

Human Factor Security Badge - Collaborative Learning Cybersecurity Achievement for Security Training Platform

Requirements:

Successfully counter 5 social engineering or phishing-based attacks
Develop effective security awareness training programs
Demonstrate crisis communication skills
Lead user education and awareness efforts

Skills Demonstrated:

Social engineering attack recognition and prevention
Security awareness training development and delivery
Incident communication and stakeholder management
Behavioral security risk assessment

Career Connections: Security Awareness Manager, Training Coordinator, Risk Communication Specialist

🏭 Critical Infrastructure Security Badge “Protector of Essential Systems”

Critical Infrastructure Security Badge - Gamified Incident Response Training Achievement for MITRE ATT&CK Training

Requirements:

Successfully defend against 3 industrial control system threats
Understand operational technology (OT) security principles
Coordinate IT/OT security integration efforts
Develop business continuity and disaster recovery plans

Skills Demonstrated:

Industrial control system (ICS/SCADA) security
Operational technology risk assessment
Business continuity planning and implementation
Critical infrastructure protection strategies

Career Connections: Critical Infrastructure Protection Specialist, OT Security Engineer, Business Continuity Manager

🏛️ Governance and Compliance Badge “Navigator of Regulatory Requirements”

Governance and Compliance Badge - Incident Response Tabletop Exercise Certification for Cybersecurity Gamification

Requirements:

Successfully manage compliance aspects of 5 security incidents
Demonstrate understanding of relevant regulatory frameworks
Lead compliance reporting and documentation efforts
Develop risk management and governance programs

Skills Demonstrated:

Regulatory compliance management (GDPR, HIPAA, SOX, etc.)
Risk assessment and management frameworks
Incident reporting and documentation
Security governance and policy development

Career Connections: Compliance Officer, Risk Manager, Governance Specialist, CISO

Advanced Specialization Tracks

Elite Challenge Levels

🔥 APT Specialist “Hunter of Advanced Persistent Threats”

Requirements:

Successfully counter 3 nation-state level Malmons (⭐⭐⭐)
Demonstrate advanced threat hunting capabilities
Lead complex, multi-month incident investigations
Develop threat intelligence and attribution analysis

Skills Demonstrated:

Advanced persistent threat detection and response
Threat actor profiling and attribution analysis
Long-term incident investigation and case management
Threat intelligence development and sharing

🌍 Global Incident Commander “Leader of International Response Efforts”

Requirements:

Coordinate incident response across multiple organizations
Manage complex, multi-stakeholder security incidents
Demonstrate cross-cultural communication and coordination
Lead international cybersecurity cooperation efforts

Skills Demonstrated:

Large-scale incident command and coordination
International cybersecurity cooperation and information sharing
Cross-organizational relationship building and management
Crisis leadership and decision-making under pressure

🧪 Security Researcher “Discoverer of New Threats and Defenses”

Requirements:

Discover and document a new Malmon variant or technique
Publish original cybersecurity research
Contribute new detection or defense capabilities to the community
Mentor other researchers and practitioners

Skills Demonstrated:

Original cybersecurity research methodology
Malware analysis and reverse engineering
Vulnerability research and responsible disclosure
Academic and industry research publication

Community Recognition and Leadership

Trainer Certification Pathway

Level 1: Session Assistant

Requirements:

Complete 10 Malware & Monsters sessions as participant
Demonstrate proficiency across all 6 roles
Show consistent collaborative learning behavior
Receive recommendation from experienced Incident Master

Responsibilities:

Assist Incident Masters with session setup and logistics
Help new participants understand game mechanics
Provide technical expertise when called upon
Support community building and engagement activities

Level 2: Incident Master

Requirements:

Complete Level 1 certification requirements
Successfully facilitate 5 sessions under mentor supervision
Demonstrate effective question-asking and facilitation skills
Show ability to adapt sessions for different audience expertise levels

Responsibilities:

Independently facilitate Malware & Monsters sessions
Adapt scenarios for different organizational contexts
Mentor new facilitators and session assistants
Contribute to scenario development and improvement

Level 3: Master Trainer

Requirements:

Complete Level 2 certification requirements
Train 10 new Incident Masters
Develop original scenarios or Malmons for community use
Demonstrate leadership in community building and outreach

Responsibilities:

Train and certify new Incident Masters
Develop advanced scenarios and training materials
Lead community initiatives and improvements
Represent the community at conferences and professional events

Community Contribution Recognition

Malmon Discoverer

“First to encounter and document new threats”

Recognition for discovering and documenting new Malmon variants
Naming rights for contributed Malmons
Special recognition in community documentation
Priority access to advanced training and certification opportunities

Scenario Architect

“Creator of compelling learning experiences”

Recognition for developing high-quality training scenarios
Credit for contributed scenarios used by other facilitators
Invitation to participate in curriculum development efforts
Opportunity to present at community conferences and events

Community Champion

“Builder of collaborative learning networks”

Recognition for outstanding community building and engagement
Leadership opportunities in community governance and direction
Invitation to participate in strategic planning and development
Special recognition at community events and publications

Progression Tracking and Goal Setting

Personal Development Planning

Skill Assessment and Goal Setting

Regular self-assessment helps track progress and identify development priorities:

Quarterly Skill Review Questions:

Which cybersecurity domains am I most interested in pursuing?
What specific skills do I want to develop in the next quarter?
Which Security Domain Badges align with my career goals?
How can I contribute more effectively to team efforts?
What advanced challenges am I ready to take on?

Individual Development Plans

Create structured plans for advancing your cybersecurity expertise:

Goal Setting Framework:

Technical Skill Goals: Specific competencies to develop or improve
Collaboration Goals: Ways to enhance team effectiveness and leadership
Community Goals: Contributions to the broader cybersecurity community
Career Goals: Professional development and advancement objectives
Learning Goals: New areas of cybersecurity to explore and understand

Team Development and Advancement

Collective Capability Building

Teams that regularly work together can pursue collective advancement:

Team Achievement Tracks:

Rapid Response Team: Consistently achieve containment in minimal time
Complex Threat Specialists: Successfully handle the most sophisticated Malmons
Training Excellence: Develop and deliver outstanding cybersecurity education
Innovation Leaders: Create new techniques and approaches for the community

Organizational Integration

Connect Malware & Monsters progression to real organizational development:

Professional Development Integration:

Align badge requirements with job role expectations
Use skill assessments for performance review and development planning
Connect community contributions to professional recognition programs
Integrate training progression with career advancement opportunities

Your Progression Journey

Remember that cybersecurity expertise develops over time through consistent practice, continuous learning, and meaningful collaboration. Focus on contributing to your team’s success, learning from every experience, and building relationships with others who share your commitment to defending against digital threats.

The progression system recognizes that cybersecurity mastery comes from combining technical knowledge, practical experience, and collaborative skills. Every session is an opportunity to grow, every challenge a chance to learn, and every success a step toward building a more secure digital world.

In the next chapter, we’ll explore the specific Game Mechanics that make all these learning experiences possible - from dice rolls and decision points to the collaborative storytelling that brings cybersecurity scenarios to life.

Game Mechanics

How the Magic Happens

Behind every engaging Malware & Monsters session lies a carefully designed system of game mechanics that transform cybersecurity education into collaborative adventures. These mechanics create structure for incident response training while preserving the authentic problem-solving that makes real incident response both challenging and rewarding. Our approach combines cybersecurity gamification with team-based security training methodologies.

Quick Reference Guide

Here’s an at-a-glance overview of the core mechanics:

Understanding these mechanics helps you get the most from your sessions, whether you’re contributing technical expertise, asking strategic questions, or coordinating team efforts.

The Three-Round Structure

Round-Based Incident Response

Every Malware & Monsters session follows the natural progression of real cybersecurity incidents, organized into three distinct rounds that mirror professional incident response methodology. This incident response simulation structure provides hands-on cybersecurity skills development through collaborative learning cybersecurity approaches.

Round 1: Discovery Phase

Objective: Identify the specific Malmon threatening your organization

What Happens:

Individual Investigation: Each role explores the incident from their unique perspective
Knowledge Sharing: Team collaborates to connect clues and build understanding
Malmon Identification: Group determines which specific threat they’re facing

Success Indicators:

Team correctly identifies the Malmon type and primary capabilities
All roles contribute meaningful insights to the investigation
Group builds accurate understanding of the threat’s behavior patterns
Foundation established for effective response planning

Common Challenges:

Analysis Paralysis: Getting stuck debating details instead of building overall picture
Role Overlap: Multiple people investigating the same aspects
Information Hoarding: Not sharing discoveries effectively with teammates

Facilitator Role: Guide discovery through questions, help connect disparate clues, ensure all voices are heard

Round 2: Investigation Phase

Objective: Understand the attack’s scope, impact, and progression

What Happens:

Impact Assessment: Determine what systems, data, and processes are affected
Attack Vector Analysis: Understand how the Malmon gained access and spread
Evolution Assessment: Evaluate risk of threat escalation or expansion

Success Indicators:

Comprehensive understanding of current and potential damage
Clear picture of attack timeline and progression
Identification of vulnerabilities that enabled the attack
Realistic assessment of Malmon evolution risks

Common Challenges:

Scope Creep: Trying to investigate everything instead of focusing on critical aspects
Blame Focus: Spending time on fault-finding instead of impact assessment
Technical Rabbit Holes: Getting lost in technical details at expense of bigger picture

Facilitator Role: Keep investigation focused on actionable intelligence, manage time allocation, prepare for evolution decision point

Round 3: Response Phase

Objective: Coordinate effective containment and recovery actions

What Happens:

Strategy Development: Choose containment approaches based on Malmon characteristics
Coordinated Implementation: Execute response plan with role-specific actions
Outcome Resolution: Determine effectiveness and capture lessons learned

Success Indicators:

Response strategy matches Malmon type weaknesses
Team coordination leverages each role’s strengths
Actions are prioritized appropriately for organizational impact
Learning captured for future incidents

Common Challenges:

Hero Ball: One person trying to handle all response activities
Tool Fixation: Focusing on familiar tools instead of most effective approaches
Coordination Breakdown: Conflicting actions or duplicated efforts

Facilitator Role: Ensure collaborative decision-making, manage resource allocation, adjudicate action outcomes

Action System and Decision Making

Player Actions

Action Allocation

Each player receives 2 actions per round, representing the realistic constraint that incident responders must prioritize their time and attention during crisis situations.

Action Types:

Investigation Actions: Gathering information and analyzing evidence
Communication Actions: Coordinating with teammates, stakeholders, or external parties
Technical Actions: Implementing tools, configuring systems, or deploying countermeasures
Strategic Actions: Planning, prioritizing, or coordinating team efforts

Role-Specific Action Examples

🔍 Detective Actions:

Analyze system logs for suspicious activity patterns
Interview users who reported unusual computer behavior
Examine file artifacts for malware signatures or behaviors
Correlate timeline of events across multiple data sources

🛡️ Protector Actions:

Deploy additional security controls on critical systems
Isolate infected workstations from network resources
Validate backup integrity and recovery capabilities
Implement emergency access restrictions

📡 Tracker Actions:

Monitor network traffic for ongoing malicious communication
Trace data exfiltration pathways and volumes
Identify lateral movement patterns through network logs
Block command and control communications

👥 Communicator Actions:

Notify executive leadership about incident status
Coordinate with affected business units about impact
Interface with legal team about regulatory requirements
Communicate with users about protective measures

⚡ Crisis Manager Actions:

Prioritize response activities across team members
Allocate additional resources to critical response efforts
Coordinate timeline and dependencies between response actions
Interface with external vendors or authorities

🎯 Threat Hunter Actions:

Search for additional compromise indicators not yet discovered
Investigate potential related threats or attack campaigns
Validate effectiveness of implemented security controls
Develop threat intelligence for future defense

Collaborative Action Bonuses

Synergy Mechanics

Actions become more effective when team members coordinate their efforts:

Direct Support (+2 bonus):

When one player’s action directly enables or enhances another’s:

Detective provides forensic evidence that Protector uses to configure security tools
Tracker identifies communication patterns that Threat Hunter investigates further
Communicator gathers business requirements that Crisis Manager incorporates into response planning

Team Coordination (+3 bonus):

When multiple players coordinate on a unified objective:

All technical roles working together to contain a specific threat vector
Entire team collaborating to understand a complex, multi-stage attack
Coordinated communication effort to manage organizational and external stakeholders

Perfect Teamwork (Automatic Success):

When the entire team demonstrates clear collaboration and leverages collective expertise:

Each role contributes unique, valuable perspective
Actions build logically on each other
Team demonstrates clear understanding of both technical and business aspects
Real-world cybersecurity knowledge drives decision-making

Dice Mechanics and Uncertainty

When to Roll Dice

Not every action requires dice - many successful outcomes emerge from good planning, appropriate expertise, and effective collaboration. Dice are used primarily to:

Resolve uncertain outcomes where expertise alone doesn’t guarantee success
Add tension and excitement to critical decision points
Simulate real-world unpredictability in cybersecurity incidents
Encourage creative problem-solving when initial approaches face obstacles

Difficulty Levels

Easy Tasks (Target: 8+)

When: Standard procedures with appropriate tools and expertise Examples:

Running antivirus scans on suspected infected systems
Basic network traffic monitoring with established tools
Standard backup restoration procedures
Routine communication with familiar stakeholders

Success Rate: ~85% for most players, encouraging confidence building

Medium Tasks (Target: 12+)

When: Complex analysis or coordination requiring expertise and some luck Examples:

Advanced malware analysis requiring reverse engineering
Coordinating response across multiple business units
Implementing novel security controls under time pressure
Managing crisis communication with external parties

Success Rate: ~60% for most players, creating meaningful challenge

Hard Tasks (Target: 16+)

When: Cutting-edge techniques, high-stakes decisions, or overcoming significant obstacles Examples:

Developing custom tools to counter sophisticated threats
Managing organization-wide crisis with regulatory implications
Responding to zero-day exploits with no established procedures
Coordinating international incident response efforts

Success Rate: ~35% for most players, requiring exceptional teamwork or expertise

Automatic Success (No Roll Required)

When: Group demonstrates clear expertise and appropriate approach

No dice needed for:

Actions clearly within a role’s expertise area with proper knowledge demonstrated
Solutions that demonstrate real-world cybersecurity knowledge and best practices
Well-coordinated team efforts with logical planning and clear execution steps
Creative approaches that directly address threat-specific vulnerabilities
Standard procedures executed with appropriate tools and clear understanding
Communication actions with familiar stakeholders using established protocols

Examples of Automatic Success: - Detective analyzing logs using tools they clearly understand - Protector implementing well-known security controls for the specific threat type - Team collaboratively developing a response plan that leverages each role’s expertise - Communicator providing clear, accurate incident updates to executive leadership

Modifiers and Bonuses

Role Expertise Bonuses

+1: Action clearly matches role specialization and player demonstrates relevant knowledge
+2: Action leverages specific real-world experience or advanced expertise

Collaboration Bonuses

+2: Action directly supports or builds on teammate’s efforts
+3: Multiple team members coordinate on unified approach
+4: Entire team demonstrates excellent communication and coordination

Type Effectiveness Bonuses

+3: Using containment approaches that are super effective against current Malmon type
+1: Standard effectiveness approaches
-2: Approaches that are not effective against current Malmon type

Environmental Factors

+2: Organization has strong security posture that supports the action
+1: Standard organizational capabilities
-1: Organizational limitations or policy constraints
-2: Significant environmental obstacles (budget, politics, technical debt)

Time Pressure Penalties

-1: Working under increased time pressure due to threat evolution risk
-2: Responding to actively evolving threat with immediate impact
-3: Crisis-level response with organization-threatening implications

IM Decision Making: When to Roll vs. Automatic Success

For Incident Masters: Use these guidelines to determine when players should roll dice versus achieving automatic success.

Call for Dice Rolls When:

Uncertain Outcomes: Player demonstrates knowledge but success depends on external factors
Time Pressure: Standard procedures under crisis conditions with complicating factors
Novel Situations: Creative solutions that haven’t been tried before in this context
High Stakes: Critical decisions where failure has significant consequences
Learning Opportunities: Moments where uncertainty creates valuable discussion

Grant Automatic Success When:

Clear Expertise: Player demonstrates specific, relevant cybersecurity knowledge
Appropriate Tools: Standard procedures with proper tools and clear understanding
Excellent Teamwork: Well-coordinated efforts that leverage multiple roles effectively
Type Advantage: Approaches that directly exploit Malmon weaknesses
Good Planning: Logical, well-thought-out approaches with clear execution steps

Examples in Practice:

“I’ll check the Windows Event Logs for Process Creation events around the time of the alert” → Automatic Success (specific, appropriate procedure)

“I’ll try to reverse-engineer this unknown malware sample to understand its capabilities” → Medium Roll (expertise required, time pressure, uncertain outcome)

“We’ll coordinate a network isolation while preparing stakeholder communications” → Automatic Success (good teamwork, clear procedures)

Network Security Status Tracking

The Organizational Health Meter

Network Security Status represents your organization’s current cybersecurity posture, starting at 100 and changing based on threat actions and team responses.

Status Categories

Secure (90-100):

Threat contained with minimal impact
Organization continues normal operations
Strong defensive posture maintained
Incident serves as learning opportunity

Concerned (75-89):

Threat identified but active impact occurring
Some operational disruption but manageable
Enhanced monitoring and controls needed
Clear path to resolution available

Critical (50-74):

Significant threat impact on operations
Major response effort required
Potential for regulatory or customer notification
Recovery efforts needed alongside containment

Compromised (25-49):

Severe organizational impact
Business operations significantly affected
Executive leadership involvement required
Extensive recovery and improvement efforts needed

Crisis (0-24):

Organization-threatening incident
Potential for business failure or regulatory action
Industry notification and cooperation may be needed
Fundamental security improvements required

Status Change Factors

Negative Impacts (Decreasing Status)

Malmon Evolution: -10 to -20 points depending on severity
Data Exfiltration: -5 to -15 points based on sensitivity and volume
System Damage: -5 to -10 points based on criticality
Failed Containment: -3 to -8 points based on approach
Time Pressure: -3 to -5 points per round without progress

Positive Improvements (Increasing Status)

Successful Containment: +10 to +20 points based on effectiveness
Early Detection: +5 to +10 points for rapid Malmon identification
Effective Coordination: +3 to +8 points for excellent teamwork
Type Advantage: +5 points for using super effective approaches
Proactive Measures: +3 to +5 points for preventing escalation

Status as Learning Tool

Network Security Status isn’t just a score - it’s a learning mechanism that helps teams understand:

Impact Assessment: How different threats affect organizational operations
Response Effectiveness: Which approaches provide the most protection
Coordination Value: How teamwork improves outcomes
Time Sensitivity: Why rapid response matters in cybersecurity
Business Perspective: How technical decisions affect organizational health

Turn-Based Incident Response

Action Sequence and Timing

Individual Action Phase

Players declare and resolve their actions in role-based order, allowing for natural workflow:

Crisis Manager establishes priorities and resource allocation
Detective and Threat Hunter gather and analyze information
Tracker monitors network and data flow activities
Protector implements technical containment measures
Communicator coordinates stakeholder management and external communication

This sequence mirrors real incident response workflows while ensuring all roles contribute meaningfully.

Collaborative Resolution Phase

After individual actions, the team works together to:

Share discoveries and insights from individual investigations
Coordinate approach for upcoming actions and decisions
Assess progress toward containment and recovery objectives
Plan next steps based on current understanding and threat evolution

Managing the Pace

Time Pressure Simulation

Real cybersecurity incidents involve genuine time pressure, which the game simulates through:

Round timers that encourage decision-making under pressure
Evolution threats that escalate if response is delayed
Competing priorities that force teams to make difficult choices
Information uncertainty that requires action before complete analysis

Maintaining Engagement

Individual contribution: Every player gets meaningful actions every round
Varied challenges: Different types of decisions and problems each round
Building tension: Difficulty increases as threats evolve or spread
Collaborative payoffs: Team coordination produces better outcomes than individual heroics

Status Conditions and Threat Evolution

Malmon Status Conditions

Throughout the session, Malmons can gain various status conditions that affect their behavior and the team’s response options:

Active Conditions

Detected: Team knows the Malmon is present but hasn’t contained it
Quarantined: Malmon is isolated but still functional within constraints
Analyzed: Team understands the Malmon’s capabilities and objectives
Tracked: Team can monitor the Malmon’s activities and communications
Attributed: Team has connected the Malmon to specific threat actors or campaigns

Containment Conditions

Disrupted: Malmon’s primary capabilities have been temporarily disabled
Contained: Malmon cannot spread or cause additional damage
Neutralized: Malmon has been completely eliminated from the environment
Studied: Malmon has been preserved for analysis and intelligence development

Evolution Mechanics

Evolution Triggers

Malmons attempt to evolve when specific conditions are met:

Time Pressure: Taking too long in any phase increases evolution risk
Failed Containment: Unsuccessful response attempts trigger adaptation
Environmental Opportunity: Network vulnerabilities or security gaps enable evolution
External Coordination: Contact with threat actor infrastructure triggers upgrades

Evolution Effects

When Malmons evolve, they gain new capabilities:

Enhanced Evasion: Increased resistance to detection and analysis
Improved Persistence: Better ability to survive containment attempts
Extended Reach: Capability to affect additional systems or data
New Techniques: Access to different attack methods or objectives
Coordination Abilities: Capacity to work with other threats or threat actors

Preventing Evolution

Teams can prevent Malmon evolution through:

Rapid Response: Quick identification and containment before evolution triggers
Effective Containment: Using approaches that exploit Malmon type weaknesses
Environmental Hardening: Addressing vulnerabilities that enable evolution
Communication Disruption: Blocking external coordination that triggers upgrades

Mechanics Serve Learning

Remember that all these game mechanics exist to support collaborative cybersecurity learning. When mechanics help create engaging experiences that build real skills, they’re working correctly. When they get in the way of learning or collaboration, don’t hesitate to adapt them to serve your team’s educational objectives.

These game mechanics create the framework for authentic cybersecurity learning experiences while maintaining the engaging, collaborative nature that makes Malware & Monsters effective. In the next chapter, we’ll explore how this framework supports the MalDex Collection system - the community knowledge-building aspect that captures and shares cybersecurity insights across teams and organizations.

The MalDex Collection System

Building Community Knowledge Through Shared Discovery

The MalDex (Malware Index) represents the collective cybersecurity knowledge of the Malware & Monsters community. Unlike traditional threat databases maintained by security vendors, the MalDex grows through collaborative learning experiences where teams document their encounters, share effective response techniques, and contribute insights that benefit the entire community.

Every session you participate in adds to this growing repository of practical cybersecurity knowledge, creating a living document of how real teams respond to digital threats.

What Makes a MalDex Entry

The Structure of Collaborative Knowledge

Each MalDex entry represents the collective wisdom gained from multiple teams encountering the same Malmon under different circumstances. Rather than dry technical specifications, these entries capture the human experience of cybersecurity incident response.

Core Entry Components

Malmon Profile:

MALMON: GaboonGrabber (#001)
Classification: Trojan/Stealth ⭐⭐
First Documented: Research by Lena Yu, 2023
Community Encounters: 47 teams across 12 organizations

BEHAVIORAL SUMMARY:
"A master of deception that convinced our users it was a legitimate 
security update. What seemed like a simple Trojan evolved into our 
most challenging incident when it began deploying multiple payloads."
- TechCorp Incident Response Team, March 2024

Discovery Patterns:

Common Symptoms: How teams typically first notice this Malmon
Detection Challenges: What makes this threat difficult to identify
Breakthrough Moments: Key insights that led to successful identification
False Positives: Similar symptoms that might mislead investigation

Response Strategies:

Effective Approaches: Containment strategies that consistently work
Team Coordination: How different roles contribute to successful response
Common Mistakes: Approaches that seem logical but prove ineffective
Adaptive Techniques: How teams adjusted when initial responses failed

Community Insights:

Lessons Learned: Key takeaways from multiple team encounters
Best Practices: Techniques developed through community experience
Environmental Factors: How organizational context affects response
Evolution Patterns: How this Malmon adapts to containment efforts

Collaborative Documentation Process

During Session Documentation

Real-Time Capture: As your session progresses, teams naturally generate the insights that become MalDex entries:

Discovery Phase: “We initially thought this was a network issue because…”
Investigation Phase: “The breakthrough came when we realized…”
Response Phase: “What really worked was coordinating between…”

Role-Specific Contributions: Each role contributes unique perspectives to the MalDex entry:

🔍 Detective Insights:

Forensic artifacts that indicate this specific Malmon
Timeline patterns typical of this threat’s progression
Evidence that distinguishes this Malmon from similar threats
Investigation techniques that prove most effective

🛡️ Protector Documentation:

Containment approaches that successfully stopped the threat
System hardening techniques that prevent reinfection
Recovery procedures specific to this Malmon’s damage patterns
Security controls that provide effective protection

📡 Tracker Observations:

Network behavior patterns characteristic of this Malmon
Communication signatures that enable identification
Data flow anomalies that signal active compromise
Monitoring techniques that catch this threat early

👥 Communicator Records:

Stakeholder concerns and questions typical of this incident type
Communication strategies that effectively manage crisis response
Business impact patterns associated with this threat
User education approaches that prevent future infections

⚡ Crisis Manager Synthesis:

Coordination challenges specific to this type of incident
Resource allocation strategies that improve response effectiveness
Timeline management approaches for this threat’s characteristics
Integration techniques for complex, multi-team responses

🎯 Threat Hunter Intelligence:

Proactive indicators that signal this Malmon’s presence
Hunting techniques effective against this threat family
Attribution insights and threat actor behavioral patterns
Intelligence sources that provide early warning of campaigns

Post-Session Synthesis

Collaborative Review (approx. 10 minutes): At the end of each session, teams work together to capture their collective experience:

Key Questions for MalDex Documentation:

“What surprised us most about this Malmon’s behavior?”
“Which response techniques worked better than expected?”
“What would we do differently if we faced this threat again?”
“What insights could help other teams facing similar situations?”

Community Contribution Process:

Session Summary: Brief narrative of the team’s experience
Key Insights: 3-5 most important discoveries or techniques
Lessons Learned: What this encounter taught about cybersecurity
Recommendations: Advice for future teams facing this Malmon

Types of MalDex Knowledge

Foundational Entries: The Core Collection

Starter Malmons (⭐ Threat Level)

Purpose: Build confidence and fundamental skills Examples: Basic Trojans, simple Worms, straightforward Ransomware

Educational Focus:

Fundamental cybersecurity concepts and terminology
Basic incident response coordination and communication
Standard tool usage and containment procedures
Team collaboration and role specialization

MalDex Value: These entries focus on teaching rather than challenge, providing clear examples of cybersecurity principles in action.

Intermediate Threats (⭐⭐ Threat Level)

Purpose: Develop advanced skills and coordination capabilities Examples: GaboonGrabber, LockBit, Raspberry Robin

Educational Focus:

Type effectiveness and strategic tool selection
Complex coordination between multiple team roles
Advanced containment techniques and adaptive response
Real-world complexity and environmental factors

MalDex Value: Rich documentation of team coordination challenges and solutions, showcasing how different approaches succeed or fail.

Advanced Challenges (⭐⭐⭐ Threat Level)

Purpose: Master-level cybersecurity expertise and leadership Examples: Stuxnet, sophisticated APTs, nation-state campaigns

Educational Focus:

Cutting-edge threat analysis and attribution
Complex, multi-stakeholder incident coordination
Advanced persistence and evasion technique recognition
Strategic cybersecurity planning and risk assessment

MalDex Value: Deep insights into sophisticated threat response, including coordination across organizations and integration of threat intelligence.

Specialized Collections

Regional Variant Documentation

Healthcare Malmons:

MALMON: GaboonGrabber (Healthcare Variant)
Specializations: HIPAA-aware data targeting, EHR system exploitation
Unique Challenges: Patient care continuity during response
Effective Approaches: Coordinated IT/Clinical team response
Regulatory Considerations: Breach notification timelines and requirements

Financial Malmons:

MALMON: LockBit (Banking Variant) 
Specializations: PCI-DSS scope awareness, real-time transaction targeting
Unique Challenges: Balancing security response with transaction processing
Effective Approaches: Coordinated cybersecurity/business operations response
Regulatory Considerations: Financial services regulatory reporting

LockBit ATT&CK Analysis for Financial Environments

Critical Infrastructure Malmons:

MALMON: Stuxnet (Power Grid Variant)
Specializations: SCADA system targeting, physical world impact
Unique Challenges: IT/OT coordination and safety system considerations
Effective Approaches: Cross-functional engineering and security teams
Regulatory Considerations: Critical infrastructure protection requirements

Evolutionary Chains Documentation

Malmon Evolution Tracking: Teams document how threats change and adapt over time:

EVOLUTION CHAIN: Basic Phishing → Credential Harvesting → Lateral Movement → Data Exfiltration

Stage 1 Indicators: Simple email-based social engineering
Stage 2 Triggers: Successful credential collection + network access
Stage 3 Capabilities: Internal reconnaissance and privilege escalation  
Stage 4 Objectives: Systematic data collection and exfiltration

Prevention Points: User training (Stage 1), MFA (Stage 2), Network segmentation (Stage 3), DLP (Stage 4)
Team Coordination: Communicator → Detective → Tracker → Protector response progression

Advanced Documentation Categories

Cross-Organizational Incident Records

Multi-Organization Campaigns: When the same threat affects multiple organizations, MalDex entries capture the broader patterns:

Attack Infrastructure: Shared command and control systems
Timing Patterns: Coordinated campaigns across multiple targets
Adaptation Techniques: How threats evolve based on defensive responses
Information Sharing: How organizations coordinated response efforts

Technique Evolution Documentation

Defensive Innovation Records: As teams develop new response techniques, the MalDex preserves these innovations:

Novel Containment Approaches: Creative solutions to unique challenges
Coordination Improvements: Better ways to organize team response efforts
Tool Integration: Effective combinations of security technologies
Communication Strategies: Improved stakeholder management techniques

Community Sharing and Growth

The Knowledge Network Effect

Local Community Building

Organization-Level Collections: Teams within the same organization build institutional knowledge:

Environmental Factors: How organizational culture affects incident response
Resource Constraints: Working within specific budget and staffing limitations
Integration Challenges: Coordinating with existing business processes
Continuous Improvement: Iterative enhancement of response capabilities

Regional Communities: Geographic or industry communities share common challenges:

Regulatory Environment: Compliance requirements specific to jurisdictions
Threat Landscape: Regional threat actor activities and campaigns
Resource Sharing: Mutual aid and coordination during major incidents
Best Practice Development: Industry-specific response improvements

Contributing to the MalDex

Individual Contributions

Session Documentation: Every participant can contribute to community knowledge:

Unique Insights: Novel observations about Malmon behavior or response techniques
Role Perspective: Specialized insights from your incident response role
Environmental Context: How your organizational setting affected the incident
Lessons Learned: Personal and team growth from the experience

Quality Indicators for Contributions:

Actionable Insights: Information that helps other teams respond more effectively
Specific Details: Concrete techniques and approaches rather than general principles
Environmental Context: Clear explanation of organizational factors that affected outcomes
Collaborative Focus: Emphasis on team coordination and communication

Community Recognition

Contributor Categories:

Discoverer Status:

First team to document a new Malmon variant or behavior
Recognition in community MalDex with team name and organization
Priority access to advanced training scenarios featuring the discovered threat

Innovation Recognition:

Teams that develop novel response techniques or coordination approaches
Documentation of innovative approaches with attribution to contributing team
Invitation to present techniques at community conferences and training events

Documentation Excellence:

Teams that provide exceptionally clear and helpful MalDex entries
Recognition for entries that consistently help other teams succeed
Invitation to contribute to training curriculum and scenario development

MalDex as Learning Progression

Skill Development Through Documentation

Progressive Complexity: As teams advance, their MalDex contributions become more sophisticated:

Novice Contributions:

Basic Malmon identification and standard response procedures
Clear documentation of fundamental cybersecurity concepts
Team coordination experiences and lessons learned

Intermediate Contributions:

Advanced technique development and type effectiveness insights
Complex coordination strategies and role specialization approaches
Environmental adaptation and organizational context consideration

Expert Contributions:

Novel threat analysis and attribution insights
Innovation in response techniques and coordination methodologies
Cross-organizational pattern recognition and strategic intelligence

Community Learning Acceleration

Collective Intelligence Benefits: The MalDex accelerates learning for the entire community:

Reduced Learning Curves: New teams benefit from accumulated community experience
Faster Response Development: Proven techniques spread quickly through the network
Innovation Amplification: Creative solutions reach broader audiences
Quality Improvement: Community feedback improves documentation and techniques

Building Your MalDex Collection

Personal Learning Tracking

Individual Progress Metrics

Encounter Documentation: Track your growing cybersecurity experience through MalDex participation:

Malmons Encountered: Range of threats you’ve helped respond to
Roles Mastered: Incident response perspectives you’ve experienced
Techniques Contributed: Your additions to community knowledge
Environments Experienced: Different organizational contexts you’ve worked in

Knowledge Development Indicators:

Pattern Recognition: Ability to connect current incidents to previous experience
Technique Mastery: Proficiency with various response approaches and tools
Coordination Skills: Effectiveness in team collaboration and communication
Innovation Capability: Development of novel approaches to cybersecurity challenges

Team Capability Building

Collective Team Growth: Regular teams can track their developing expertise through MalDex contributions:

Team Coordination Evolution: Improvement in collaborative response effectiveness
Specialization Development: Growth in role-specific expertise and capabilities
Innovation Culture: Team’s contribution to technique development and improvement
Knowledge Sharing: Effectiveness in teaching and learning from other teams

Professional Development Integration

Career Advancement Connection

Portfolio Development: MalDex contributions demonstrate professional cybersecurity capabilities:

Practical Experience: Documented evidence of incident response participation
Technical Knowledge: Specific expertise with various threat types and response techniques
Collaboration Skills: Proven ability to work effectively in cybersecurity teams
Innovation Capacity: Contribution to field advancement and best practice development

Your Contribution Matters

Every session you participate in, every insight you share, and every technique you document contributes to a growing repository of cybersecurity knowledge that benefits defenders worldwide. The MalDex is more than a game mechanic - it’s a community commitment to collaborative learning and mutual advancement in cybersecurity.

The MalDex Collection System transforms individual learning experiences into community wisdom, creating a living repository of cybersecurity knowledge that grows stronger with every session and every team that chooses to share their insights with the broader community of collaborative defenders.

In the next chapter, we’ll explore the Competitive Elements that add excitement and motivation to cybersecurity learning while maintaining the collaborative spirit that makes Malware & Monsters effective.

Competitive Elements

Competition That Builds Community

While Malware & Monsters emphasizes collaborative learning above all else, competitive elements add excitement, motivation, and opportunities for teams to test their growing cybersecurity expertise against increasingly challenging scenarios. These competitions maintain the educational focus while creating memorable experiences that celebrate cybersecurity excellence.

The key principle: compete to learn, not to win. Every competitive element is designed to accelerate learning, build community connections, and recognize the diverse ways teams can excel in cybersecurity.

Tournament Formats and Structure

Regular Competition Categories

Speed Response Challenges

Format: Teams race to contain threats as quickly as possible while maintaining effectiveness

Rules:

Standard 90-minute session compressed to 60 minutes
All phases must be completed with full team coordination
Network Security Status must remain above 70 at completion
Bonus points for maintaining status above 85

Scoring:

Base Points: 100 points for successful containment
Speed Bonus: +1 point per minute under 60-minute target
Excellence Bonus: +10 points for Network Security Status above 85
Coordination Bonus: +5 points for exceptional team collaboration

Skills Emphasized:

Rapid decision-making under pressure
Efficient communication and coordination
Prioritization and resource allocation
Streamlined incident response procedures

Example Competition:
“The 2025 Regional Speed Response Championship featured 12 teams facing GaboonGrabber infections. Team TechGuard achieved containment in 42 minutes with 91 Network Security Status, earning 127 points and setting a new regional record.”

Perfect Response Competitions

Format: Teams attempt to achieve zero-impact incident resolution

Rules:

Network Security Status must never drop below 95
All team roles must contribute meaningful insights
Complete Malmon analysis and attribution required
Comprehensive prevention plan must be developed

Scoring:

Perfection Achievement: 200 points for maintaining 95+ Network Security Status
Analysis Bonus: +25 points for complete Malmon characterization
Prevention Bonus: +15 points for comprehensive future protection plan
Innovation Bonus: +10 points for novel techniques or insights

Skills Emphasized:

Proactive threat hunting and early detection
Comprehensive risk assessment and impact analysis
Thorough incident documentation and intelligence development
Strategic prevention planning and organizational improvement

Damage Limitation Contests

Format: Teams face severe, advanced threats and compete to minimize organizational impact

Rules:

Scenarios begin with Network Security Status at 40 (already compromised)
Teams must prevent further degradation while building toward recovery
Multiple threat vectors and ongoing attacks throughout session
External pressure from simulated stakeholders and media

Scoring:

Recovery Points: +2 points per Network Security Status point recovered
Stabilization Bonus: +20 points for stopping further degradation
Coordination Bonus: +15 points for excellent crisis management
Communication Bonus: +10 points for effective stakeholder management

Skills Emphasized:

Crisis leadership and decision-making
Multi-stakeholder coordination and communication
Advanced threat analysis and sophisticated response techniques
Organizational resilience and recovery planning

Advanced Tournament Formats

Red Team vs Blue Team Battles

Format: Two teams face off with one playing attackers and the other defenders

Structure:

Red Team: Plans and executes Malmon deployment and evolution
Blue Team: Responds to the attack using standard incident response roles
Neutral Facilitator: Manages scenario and adjudicates outcomes
45-minute attack phase followed by 45-minute response phase

Red Team Objectives:

Successfully deploy chosen Malmon without immediate detection
Achieve specific attack objectives (data exfiltration, system disruption, etc.)
Evolve the Malmon to increase impact and resist containment
Maintain persistence despite Blue Team response efforts

Blue Team Objectives:

Detect the attack as quickly as possible
Contain the Malmon before it achieves primary objectives
Prevent evolution and escalation of the threat
Maintain Network Security Status above acceptable thresholds

Learning Benefits:

Attacker Perspective: Understanding how threats think and operate
Defender Pressure: Realistic stress of responding to active attacks
Technique Development: Innovation in both attack and defense methods
Scenario Realism: Dynamic, adaptive threats that respond to defensive actions

Multi-Organization Championships

Format: Teams from different organizations collaborate and compete simultaneously

Structure:

Shared Threat Scenario: All teams face the same sophisticated Malmon campaign
Information Sharing Phases: Teams can share intelligence and coordinate response
Individual Scoring: Each team scored on their organizational response
Collaboration Bonus: Additional points for effective inter-organizational coordination

Competition Dynamics:

Intelligence Sharing: Teams benefit from sharing threat indicators and techniques
Resource Trading: Teams can request assistance with specialized expertise
Coordinated Response: Major threats require industry-wide coordination
Competitive Collaboration: Teams succeed individually through collective action

Real-World Parallels:

Industry Information Sharing: Reflects real cybersecurity community cooperation
Mutual Aid Agreements: Simulates cross-organizational incident response
Threat Intelligence Networks: Demonstrates value of community-based defense
Regulatory Coordination: Includes interactions with simulated government agencies

Scoring Systems and Recognition

Individual Achievement Tracking

Personal Competition Statistics

Performance Metrics:

Competition Participation: Number of competitive events entered
Achievement Rate: Percentage of competitions with successful outcomes
Specialization Recognition: Consistent excellence in specific competition types
Improvement Trajectory: Growth in performance over time

Role-Specific Excellence:

Detective MVP: Outstanding investigation and analysis performance
Protector Hero: Exceptional containment and system protection
Tracker Champion: Superior network monitoring and data flow analysis
Communicator Star: Excellence in stakeholder management and coordination
Crisis Manager Leader: Outstanding team coordination and strategic planning
Threat Hunter Elite: Exceptional proactive threat discovery and intelligence

Achievement Badges and Recognition

Competition-Specific Badges:

Speed Demon: Consistently fast response times with effective outcomes
Perfectionist: Multiple perfect response achievements
Crisis Master: Excellence in high-pressure, severe incident scenarios
Team Captain: Outstanding leadership in team coordination and communication
Innovator: Recognition for developing novel techniques and approaches

Team Performance Recognition

Team Achievement Categories

Coordination Excellence:

Perfect Harmony: Teams demonstrating exceptional role coordination
Communication Masters: Outstanding information sharing and decision-making
Adaptive Response: Excellence in adjusting strategies based on changing circumstances
Learning Leaders: Teams that consistently improve and help others improve

Competitive Achievement Levels:

Regional Champions: Top performers in geographic or industry-based competitions
National Recognition: Outstanding performance in country-wide competitions
International Excellence: Top teams in global championship events
Hall of Fame: Teams with sustained excellence across multiple competition seasons

Organizational Recognition Programs

Institutional Competition Support:

Corporate League Standings: Rankings for organizations with multiple competing teams
Training Investment Recognition: Organizations that effectively develop competitive teams
Community Contribution Awards: Organizations that host events or contribute resources
Innovation Leadership: Organizations that develop new techniques or scenarios

Educational Integration and Learning Outcomes

Competition as Learning Accelerator

Skill Development Through Competition

Pressure Testing:

Decision Making: Rapid choices under time pressure with incomplete information
Communication: Clear, concise information sharing in high-stress situations
Coordination: Effective teamwork when stakes are elevated
Adaptation: Flexibility when initial approaches prove ineffective

Innovation Motivation:

Creative Problem Solving: Pressure to find novel solutions to complex challenges
Technique Refinement: Optimization of response procedures through repeated practice
Cross-Pollination: Learning from observing other teams’ approaches and techniques
Excellence Standards: Setting higher performance goals through competitive benchmarking

Real-World Application Benefits

Professional Skill Transfer:

Incident Response Readiness: Competition experience translates to actual incident confidence
Team Leadership: Competitive coordination skills apply to workplace cybersecurity teams
Pressure Management: Experience performing under competitive pressure aids crisis response
Continuous Improvement: Competitive mindset drives ongoing skill and process refinement

Maintaining Educational Focus

Competition Design Principles

Learning-First Competition:

Educational Objectives: Every competition format designed to teach specific cybersecurity concepts
Skill Development: Competitive elements support rather than replace learning goals
Inclusive Participation: Multiple ways to excel accommodate different strengths and interests
Community Building: Competition fosters relationships and mutual support

Avoiding Negative Competition:

Collaboration Emphasis: Teams succeed through internal coordination, not defeating others
Knowledge Sharing: Encouraging technique sharing between competitors
Growth Recognition: Celebrating improvement and learning alongside winning
Sportsmanship Standards: Community norms that prioritize respect and mutual advancement

Post-Competition Learning Integration

Competition Debriefing:

Technique Analysis: Discussion of effective and ineffective approaches across all teams
Innovation Sharing: Presentation of novel techniques discovered during competition
Lesson Integration: Incorporation of competitive insights into regular training sessions
Community Building: Social events that build relationships between competing teams

Documentation and Knowledge Sharing:

Competition MalDex Entries: Special documentation of insights gained through competitive scenarios
Technique Publications: Sharing of innovative approaches developed for competitive advantage
Training Integration: Incorporation of competitive scenarios into regular educational programming
Mentor Network Development: Connecting experienced competitors with developing teams

Competition as Community Building

Remember that the ultimate goal of competitive elements is to strengthen the cybersecurity community through shared learning, relationship building, and mutual advancement. The best competitors are those who elevate not just their own performance, but the performance of everyone around them.

Competitive elements in Malware & Monsters create excitement and motivation while maintaining focus on collaborative learning and community building. These competitions provide opportunities to test growing skills, learn from others, and contribute to the advancement of cybersecurity knowledge and practice.

In the next chapter, we’ll explore how Malware & Monsters empowers you to maximize learning efforts and how you get the most out of that.

Maximizing Learning

Malware & Monsters sessions create rich learning opportunities that extend far beyond the time you spend with your team playing. This chapter provides strategies for capturing insights during sessions, reflecting on experiences afterward, and applying your discoveries to real-world cybersecurity challenges.

As you can tell, there is a lot of opportunity both to learn and to cross off checklists. Obviously the latter is not mandatory. Take it as experience, use what you can and ignore the rest.

Active Learning During Sessions

The Mindset of Discovery

Learning Through Questions: The most powerful learning happens when you’re actively curious rather than passively receiving information.

Powerful Learning Questions:

“Why would an attacker choose this approach?” - Understand adversary thinking
“What would this look like in my organization?” - Connect to real-world context
“How does this connect to what we found earlier?” - Build understanding patterns
“What would happen if we tried a different approach?” - Explore alternatives
“What assumptions are we making?” - Challenge thinking

Capturing Insights in Real-Time

Note-Taking Strategies:

The Three-Column Method:

What Happened	Why It Matters	How I Can Use This
Team identified process injection	Shows how malware hides	Check our monitoring tools
Communicator translated technical terms	Helps with stakeholder buy-in	Practice explaining security
Type effectiveness guided response	Different threats need different tools	Map our security stack

The Question Journal: Keep track of questions that arise during the session:

Questions that were answered and how
Questions that weren’t answered (for follow-up research)
Questions that led to the biggest insights
Questions you wish you had asked

Learning from Different Perspectives

Technical Learning for Non-Technical Participants:

Focus on Concepts, Not Implementation:

Understand the “why” behind technical decisions
Learn the business impact of technical vulnerabilities
Practice translating between technical and business language
Identify patterns that don’t require deep technical knowledge

Example Learning Moments:

Why behavioral analysis catches threats signature-based detection misses
How network segmentation limits attack spread
Why user training is as important as technical controls
How incident response coordination affects business operations

Business Learning for Technical Participants:

Expand Beyond Technical Solutions:

Understand stakeholder concerns during security incidents
Learn communication strategies for different audiences
Explore business constraints that affect technical decisions
Practice explaining technical concepts to non-technical people

Example Learning Moments:

How to brief executives during active incidents
Why compliance requirements affect incident response procedures
How business continuity planning integrates with security
What metrics matter most to business stakeholders

Reflection Techniques

Immediate Post-Session Reflection

The Five-Minute Capture:
Right after your session, spend five minutes documenting:

What surprised you?

Insights that challenged your assumptions
Approaches you hadn’t considered
Connections you didn’t expect
Questions that emerged

What confirmed your existing knowledge?

Experiences that validated your understanding
Techniques that worked as expected
Patterns that matched your previous experience
Concepts that were reinforced

What do you want to explore further?

Topics that sparked curiosity
Techniques you want to learn more about
Questions that weren’t fully answered
Areas for professional development

Deeper Reflection Within 24 Hours

The Learning Debrief:
While the experience is still fresh, conduct a more thorough reflection:

Team Dynamics Analysis:

What made the collaboration effective?
How did different expertise types contribute?
What communication techniques worked best?
How did your character perspective influence your thinking?

Technical Insights:

What cybersecurity concepts became clearer?
Which attack techniques were new to you?
What defensive strategies made the most sense?
How do these insights apply to your work context?

Process Learning:

What problem-solving approaches were most effective?
How did the team coordinate decision-making?
What role did questions play in discovery?
How did collaboration enhance individual knowledge?

Weekly Reflection Practice

The Connection Exercise:
One week after your session:

Real-World Connections:

What situations at work remind you of the session scenario?
How have you applied insights from the session?
What questions from the session are you still exploring?
How has your cybersecurity awareness changed?

Knowledge Integration:

How do session insights connect to your existing knowledge?
What gaps in understanding became apparent?
Which concepts need further exploration?
How can you build on what you learned?

Applying Learning to Real-World Contexts

Immediate Applications

In Your Current Role:

For Technical Professionals:

Review your organization’s security tools with new perspective
Apply threat hunting techniques learned during the session
Improve communication with non-technical stakeholders
Consider team coordination approaches for incident response

For Business Professionals:

Enhance cybersecurity risk discussions with technical context
Improve incident communication and stakeholder management
Ask better questions during security briefings
Understand technical constraints on business decisions

For Students/Career Changers:

Research cybersecurity career paths that interest you
Practice technical concepts in lab environments
Build professional networks from session connections
Develop cybersecurity vocabulary and understanding

Long-Term Professional Development

Skills Development Planning:

Communication Skills:

Practice explaining technical concepts to different audiences
Develop analogies and examples that make security accessible
Learn to ask questions that uncover important information
Build confidence in collaborative problem-solving

Technical Skills:

Pursue training in areas that sparked interest during sessions
Set up home labs to practice concepts learned
Seek mentorship from more experienced session participants
Join cybersecurity communities and discussion groups

Strategic Thinking:

Develop understanding of how cybersecurity supports business goals
Learn to balance security concerns with operational needs
Practice risk assessment and decision-making under pressure
Build systems thinking for complex security challenges

Continuing Education and Growth

Building on Session Insights

Formal Learning Opportunities:

Cybersecurity courses that explore topics from your session
Professional certifications relevant to your role interests
Conference presentations on techniques you encountered
Academic research on cybersecurity topics that intrigued you

Informal Learning Networks:

Cybersecurity meetups and professional groups
Online communities focused on specific security topics
Mentorship relationships with experienced practitioners
Study groups with other session participants

Creating Learning Habits

Daily Learning Practice:

Read cybersecurity news with session insights in mind
Practice technical concepts in safe lab environments
Discuss security topics with colleagues and friends
Apply collaborative problem-solving to other challenges

Weekly Learning Commitments:

Follow up on one question that emerged during your session
Practice explaining one cybersecurity concept to someone else
Research one tool or technique you encountered
Connect with one person from your session about shared interests

Learning Assessment and Goal Setting

Setting Future Learning Goals

Short-Term Goals (1-3 Months):
Based on your session experience, identify:

Specific cybersecurity skills you want to develop
Professional relationships you want to build
Knowledge gaps you want to fill
Practical applications you want to explore

Medium-Term Goals (6-12 Months):
Consider how session insights might influence:

Professional development and career planning
Educational choices and skill-building activities
Community involvement and networking
Contribution to cybersecurity knowledge and practice

Long-Term Vision (1-3 Years):
Reflect on how the session experience connects to:

Career aspirations in cybersecurity or related fields
Leadership and mentorship opportunities
Community building and knowledge sharing
Advancing the field of cybersecurity education and practice

Learning Documentation Templates

Session Learning Log

Date: [Session Date]
Malmon Encountered: [Name and Type]
Your Role: [Character and Role]
Team Members: [Names and Roles]

Key Insights:

[Most important technical insight]
[Most important collaboration insight]
[Most important real-world application]

Questions for Further Exploration:

[Technical questions to research]
[Career/professional questions to explore]
[Practical application questions to test]

Action Items:

[Specific follow-up research to do]
[People to connect with for continued learning]
[Skills to practice or develop]
[Real-world applications to try]

Monthly Learning Review

Sessions Attended: [List of sessions and dates]
Key Learning Themes: [Patterns across multiple sessions]
Skills Developed: [New capabilities gained]
Knowledge Gaps Identified: [Areas needing further development]
Real-World Applications: [How insights have been applied]
Network Growth: [New professional connections made]
Future Learning Goals: [Next steps for continued development]

The Learning Multiplier Effect

The true value of Malware & Monsters sessions isn’t just in the time you spend with your team playing - it’s in how those insights compound over weeks and months as you apply them, share them, and build on them. Active reflection and intentional application turn a single session into months of continued learning and professional growth.

Creating Your Learning Legacy

Documenting Your Journey

Why Document Your Learning:

Tracks your professional development over time
Helps you recognize patterns in your interests and growth
Provides evidence of learning for career advancement
Creates resources you can share with others
Builds confidence in your cybersecurity knowledge

Methods for Documentation:

Learning journals with regular reflection entries
Professional portfolio showcasing cybersecurity projects
Blog posts about insights and applications
Presentations to colleagues about concepts learned
Mentorship activities sharing knowledge with others

Paying It Forward

The Virtuous Cycle of Learning:
As you gain cybersecurity knowledge and confidence:

Help onboard new participants to future sessions
Share insights and resources with learning communities
Mentor others interested in cybersecurity careers
Contribute to cybersecurity education and awareness
Build inclusive, collaborative learning environments

Community Contribution: Your learning journey doesn’t end with your session - it continues as you help others discover the joy and importance of collaborative cybersecurity education.

What’s Next

You’ve now explored all the key aspects of being an effective Malware & Monsters participant. From preparation and participation to character development and learning maximization, you have the tools to make the most of your cybersecurity learning journey.

Ready to put it all together? Continue to Beyond the Game to explore how your session experience connects to the broader cybersecurity community and your long-term professional development.

Want to dive deeper into specific aspects? Visit the practical guides in the appendix for worksheets, templates, and detailed instructions for maximizing your learning experience.

Beyond the Game

From Session to Career: Lasting Impact

While Malware & Monsters sessions are engaging and educational experiences in themselves, the framework’s true value lies in how it transforms cybersecurity education, professional development, and community building far beyond any individual gaming session. The skills, relationships, and mindset developed through collaborative learning create ripple effects that strengthen cybersecurity capabilities across organizations, industries, and the global community [@wenger1998communities; @lave1991situated].

This chapter explores how Malware & Monsters principles and practices extend into real-world cybersecurity work, career development, and community building initiatives.

There are many wanys to learn, many different companies and company cultures. This is meant as inspiration to what you could do to make an impact on yourself and your surroundings using your experience from playing *Malware & Monsters. Use what you can and ignore the rest.

Professional Development and Career Integration

Translating Game Skills to Workplace Excellence

Incident Response Readiness

From Simulation to Reality:
The collaborative problem-solving skills developed in Malware & Monsters translate directly to real cybersecurity incidents:

Communication Under Pressure:

Game Experience: Coordinating team response during rounds with evolving threats
Workplace Application: Managing stakeholder communication during actual security incidents
Skill Transfer: Clear, concise information sharing when stakes are high and time is limited

Cross-Functional Coordination:

Game Experience: Integrating Detective, Protector, Tracker, and Communicator perspectives
Workplace Application: Coordinating between IT, legal, compliance, and business units during incidents
Skill Transfer: Understanding how different organizational functions contribute to cybersecurity

Adaptive Problem Solving:

Game Experience: Adjusting strategies when Malmons evolve or initial approaches prove ineffective
Workplace Application: Modifying response plans as real incidents develop and reveal new complexities
Skill Transfer: Flexibility and creativity in developing solutions to novel cybersecurity challenges

Enhanced Technical Competencies

Type-Based Strategic Thinking:

Game Concept: Matching containment strategies to specific Malmon types and characteristics
Real-World Application: Selecting appropriate security tools and techniques based on threat intelligence
Professional Value: More effective resource allocation and response prioritization

Pattern Recognition and Analysis:

Game Development: Learning to identify Malmon behaviors and predict evolution triggers
Career Application: Recognizing attack patterns and anticipating threat actor next moves
Skill Enhancement: Improved threat hunting and proactive security capabilities

Risk Assessment and Prioritization:

Game Framework: Managing Network Security Status and balancing response speed with thoroughness
Workplace Integration: Evaluating business impact and prioritizing security investments
Leadership Value: Better decision-making about cybersecurity resource allocation

Career Advancement Pathways

Role Specialization and Development

Incident Response Career Tracks:

🔍 Detective Path: Security Analyst → Senior Analyst → Lead Investigator → DFIR Manager

Malware & Monsters Foundation: Pattern recognition, evidence analysis, timeline construction
Professional Development: Digital forensics certifications, malware analysis training
Career Acceleration: Demonstrated ability to coordinate investigative efforts and mentor junior analysts

🛡️ Protector Path: Security Engineer → Senior Engineer → Security Architect → CISO

Malware & Monsters Foundation: System hardening, containment strategies, recovery planning
Professional Development: Security architecture training, risk management certifications
Career Acceleration: Proven ability to design and implement comprehensive security programs

📡 Tracker Path: SOC Analyst → Senior SOC Analyst → SOC Manager → Security Operations Director

Malware & Monsters Foundation: Network monitoring, behavioral analysis, threat detection
Professional Development: Advanced monitoring tools training, threat intelligence certifications
Career Acceleration: Experience in coordinating complex monitoring operations and threat response

👥 Communicator Path: Security Coordinator → Compliance Manager → Risk Manager → Chief Risk Officer

Malware & Monsters Foundation: Stakeholder management, crisis communication, business impact assessment
Professional Development: Risk management frameworks, regulatory compliance training
Career Acceleration: Demonstrated ability to translate technical risks into business language

⚡ Crisis Manager Path: Incident Coordinator → Incident Manager → Business Continuity Manager → Chief Operating Officer

Malware & Monsters Foundation: Team coordination, resource allocation, strategic planning
Professional Development: Project management certifications, business continuity training
Career Acceleration: Proven leadership in high-pressure, complex coordination scenarios

🎯 Threat Hunter Path: Junior Hunter → Senior Hunter → Lead Hunter → Threat Intelligence Director

Malware & Monsters Foundation: Proactive investigation, hypothesis testing, intelligence analysis
Professional Development: Advanced hunting techniques, threat intelligence analysis training
Career Acceleration: Experience in developing innovative hunting approaches and mentoring hunters

Portfolio Development and Documentation

Professional Credentialing:

Incident Response Portfolio: Documented experience across diverse threat scenarios and organizational contexts
Collaboration Evidence: Demonstrated ability to work effectively in cross-functional cybersecurity teams
Innovation Documentation: Contributions to technique development and community knowledge
Leadership Examples: Experience in mentoring, training, and developing other cybersecurity professionals

Continuing Education Integration:

CPE Credits: Many cybersecurity certifications recognize collaborative learning experiences
Conference Presentations: Malware & Monsters insights provide material for professional speaking opportunities
Publication Opportunities: Community contributions can lead to industry articles and research papers
Professional Networking: Community connections create career advancement and collaboration opportunities

Organizational Integration and Impact

Building Cybersecurity Culture

Team Development Initiatives:

Cross-Training Programs: Using Malware & Monsters principles to build multi-skilled cybersecurity teams
Communication Improvement: Implementing collaborative communication protocols learned through game sessions
Incident Response Enhancement: Integrating role-based coordination approaches into organizational IR procedures
Knowledge Sharing Culture: Establishing communities of practice based on MalDex documentation principles

Organizational Learning Systems:

After-Action Reviews: Applying post-session reflection techniques to real incident analysis
Skill Development Tracking: Using progression systems to identify and address cybersecurity skill gaps
Innovation Encouragement: Creating environments that reward creative problem-solving and technique development
Community Engagement: Supporting employee participation in broader cybersecurity learning communities

Strategic Cybersecurity Planning

Risk Management Integration:

Scenario-Based Planning: Using Malmon-type thinking to develop comprehensive threat response plans
Capability Assessment: Evaluating organizational cybersecurity readiness using role-based competency frameworks
Resource Allocation: Applying type effectiveness principles to cybersecurity technology and staffing decisions
Stakeholder Communication: Using Communicator role insights to improve cybersecurity program advocacy

Vendor and Partnership Management:

Service Provider Evaluation: Assessing cybersecurity vendors using collaborative effectiveness criteria
Industry Cooperation: Participating in information sharing initiatives modeled on community MalDex principles
Training Provider Selection: Choosing cybersecurity education based on collaborative learning effectiveness
Technology Integration: Implementing security tools that support rather than hinder team coordination

Community Building and Knowledge Sharing

Local Cybersecurity Communities

Regional Chapter Development

Geographic Community Building:

Local Meetups: Regular Malware & Monsters sessions that build regional cybersecurity networks
Industry Groups: Sector-specific communities (healthcare, finance, education) that address common challenges
Academic Partnerships: Collaboration with universities to integrate collaborative learning into cybersecurity curricula
Professional Development: CPE-eligible sessions that support certification maintenance and advancement

Community Leadership Opportunities:

Chapter Organization: Leading local communities and organizing educational events
Mentorship Programs: Experienced practitioners supporting newcomers to cybersecurity
Content Development: Creating scenarios and Malmons relevant to regional threat landscapes
Advocacy Initiatives: Promoting collaborative learning approaches within professional organizations

Cross-Organizational Collaboration

Information Sharing Networks:

Threat Intelligence Sharing: Communities that share indicators, techniques, and response strategies
Mutual Aid Agreements: Formal and informal cooperation during major cybersecurity incidents
Best Practice Development: Collaborative development of industry-specific cybersecurity approaches
Research Partnerships: Joint investigation and analysis of emerging threats and defense techniques

Industry Advancement Initiatives:

Standard Development: Contributing to cybersecurity framework and standard development through community insights
Policy Advocacy: Using community voice to influence cybersecurity policy and regulation
Workforce Development: Addressing cybersecurity talent shortage through improved education and training approaches
Innovation Acceleration: Collaborative development of new cybersecurity tools, techniques, and methodologies

Academic Integration and Research

Curriculum Development and Enhancement

Educational Institution Partnerships:

Course Integration: Incorporating Malware & Monsters principles into cybersecurity degree programs
Practical Skills Development: Balancing theoretical knowledge with collaborative, hands-on experience
Industry Relevance: Ensuring academic programs prepare students for real-world cybersecurity collaboration
Continuous Improvement: Regular updating of curricula based on community feedback and industry evolution

Research and Development Opportunities:

Effectiveness Studies: Academic research on collaborative learning approaches in cybersecurity education [@pastor2020cyber; @trickel2017shell]
Innovation Documentation: Scholarly publication of techniques and insights developed through community practice
Cross-Disciplinary Research: Integration with psychology, education, and organizational behavior research
Longitudinal Studies: Tracking long-term career and skill development outcomes from collaborative learning

Student and Early Career Development

Pipeline Development Programs:

Student Competitions: Academic events that introduce collaborative cybersecurity learning to emerging professionals
Internship Integration: Work-study programs that apply collaborative learning principles in professional settings
Mentorship Networks: Connecting students with experienced practitioners through community participation
Career Guidance: Using community networks to provide realistic career advice and opportunity identification

Transition Support Initiatives:

New Graduate Programs: Structured onboarding that applies collaborative learning to early career development
Professional Integration: Helping new cybersecurity professionals find communities and mentorship opportunities
Skill Validation: Providing evidence of collaborative capabilities to support early career advancement
Network Building: Creating lasting professional relationships through educational community participation

Global Cybersecurity Advancement

International Cooperation and Standards

Cross-Border Collaboration:

Global Community Networks: International participation in collaborative cybersecurity learning
Cultural Adaptation: Modifying approaches to work effectively across different cultural and regulatory contexts
Language Accessibility: Developing materials and approaches that work across language barriers
International Incident Response: Applying collaborative coordination to cross-border cybersecurity incidents

Capacity Building Initiatives:

Developing Nation Support: Sharing collaborative learning approaches to build cybersecurity capacity in emerging economies
Technology Transfer: Adapting collaborative learning to different technological and infrastructure contexts
Train-the-Trainer Programs: Building global facilitator networks that can support regional community development
Resource Sharing: Making collaborative learning materials and approaches available to resource-constrained communities

Research and Innovation Networks

Global Knowledge Development:

Distributed Research: Collaborative investigation of cybersecurity challenges across multiple communities and organizations
Innovation Sharing: Rapid dissemination of effective techniques and approaches across global networks
Standard Evolution: Contributing community insights to the development of international cybersecurity standards and frameworks
Threat Intelligence Networks: Global sharing of threat information and response techniques through collaborative learning communities

Technology and Platform Development

Digital Platform Evolution

Community Technology Needs

Platform Requirements for Collaborative Learning:

Distributed Session Management: Supporting synchronous and asynchronous collaborative learning across geographic distances
Knowledge Repository Systems: Scalable MalDex platforms that support community knowledge building and sharing
Progress Tracking Integration: Systems that connect learning progression to professional development and certification
Community Networking Tools: Platforms that facilitate mentorship, collaboration, and knowledge sharing relationships

Integration with Professional Tools:

SIEM and Security Tool Integration: Connecting collaborative learning with actual cybersecurity technology platforms
Incident Response System Integration: Applying collaborative learning insights to improve commercial IR platforms
Training Management Systems: Integration with corporate learning and development platforms
Certification and CPE Systems: Automated tracking and reporting of collaborative learning for professional development

Innovation and Development Opportunities

Technology Enhancement Initiatives:

AI-Assisted Facilitation: Using artificial intelligence to support facilitators and enhance learning experiences
Immersive Technology Integration: Virtual and augmented reality applications for cybersecurity training
Adaptive Learning Systems: Technology that adjusts scenarios and difficulty based on participant skills and learning objectives
Analytics and Assessment: Data-driven insights into learning effectiveness and skill development

Open Source and Community Development:

Open Platform Development: Community-driven development of collaborative learning technology platforms
Scenario Sharing Systems: Open repositories of community-developed learning scenarios and Malmons
Integration APIs: Technical interfaces that allow integration with existing cybersecurity and education technology
Documentation and Support: Community-maintained resources for platform deployment and customization

Future Platform Capabilities

Enhanced Learning Experiences

Advanced Scenario Development:

Dynamic Threat Evolution: Scenarios that adapt in real-time based on team responses and external threat intelligence
Organizational Context Simulation: Detailed simulation of different organizational cultures, constraints, and stakeholder dynamics
Regulatory Environment Integration: Scenarios that accurately reflect different compliance and regulatory requirements
Crisis Realism Enhancement: Increased fidelity in simulating the stress, time pressure, and complexity of real cybersecurity incidents

Personalized Learning Pathways:

Individual Skill Assessment: Automated evaluation of cybersecurity competencies and learning needs
Adaptive Scenario Selection: Intelligent matching of participants to scenarios that optimize learning outcomes
Progress Tracking and Analytics: Detailed insights into skill development and learning effectiveness
Career Path Integration: Connection between learning activities and specific cybersecurity career development objectives

Community Platform Features

Global Community Integration:

Cross-Cultural Learning Support: Platform features that facilitate effective collaboration across cultural and linguistic differences
Time Zone Coordination: Tools that support global community participation despite geographic distribution
Language Translation: Real-time translation capabilities that enable broader community participation
Cultural Adaptation: Scenario and content customization for different cultural and regulatory contexts

Professional Integration Capabilities:

Credential Recognition: Formal recognition of collaborative learning achievements by industry organizations and certification bodies
Employer Integration: Tools that allow organizations to track and support employee participation in collaborative learning
Career Development Planning: Integration with professional development planning and performance management systems
Industry Networking: Features that facilitate professional relationship building and collaboration opportunities

Measuring Impact and Continuous Improvement

Assessment and Evaluation

Individual Impact Measurement

Skill Development Tracking:

Pre/Post Assessment: Measuring cybersecurity knowledge and capability improvement through participation
Longitudinal Career Tracking: Following participant career advancement and professional achievement over time
Competency Validation: External validation of skills developed through collaborative learning experiences
Behavioral Change Assessment: Measuring changes in professional behavior, collaboration, and decision-making

Professional Outcome Evaluation:

Career Advancement Correlation: Analyzing relationship between collaborative learning participation and career progression
Performance Improvement: Measuring workplace cybersecurity performance improvements attributed to collaborative learning
Leadership Development: Tracking development of leadership and mentorship capabilities through community participation
Innovation Contribution: Documenting participant contributions to cybersecurity technique development and knowledge advancement

Organizational Impact Assessment

Capability Enhancement Measurement:

Incident Response Improvement: Measuring organizational IR effectiveness before and after implementing collaborative learning approaches
Team Coordination Enhancement: Assessing improvement in cross-functional cybersecurity collaboration
Knowledge Sharing Culture: Evaluating development of organizational learning and knowledge sharing practices
Innovation and Adaptation: Measuring organizational capacity for cybersecurity innovation and adaptive response

Return on Investment Analysis:

Training Effectiveness Comparison: Comparing collaborative learning outcomes to traditional cybersecurity training approaches
Cost-Benefit Evaluation: Analyzing investment in collaborative learning relative to cybersecurity capability improvement
Risk Reduction Assessment: Measuring organizational risk reduction attributed to improved cybersecurity capabilities
Strategic Value Creation: Evaluating broader organizational benefits from enhanced cybersecurity culture and capabilities

Community Impact Evaluation

Network Effect Measurement:

Knowledge Dissemination Tracking: Measuring how insights and techniques spread through collaborative learning networks
Community Growth Assessment: Evaluating expansion and sustainability of collaborative learning communities
Cross-Organizational Collaboration: Measuring improvement in industry-wide cybersecurity cooperation and information sharing
Global Capacity Building: Assessing contribution to global cybersecurity capability development

Industry Advancement Contribution:

Standard and Framework Influence: Documenting community contributions to cybersecurity standard and framework development
Research and Innovation Impact: Measuring community contributions to cybersecurity research and technique development
Workforce Development Effect: Assessing contribution to addressing cybersecurity talent shortage and skill gaps
Cultural Change Influence: Evaluating impact on cybersecurity industry culture and collaborative practices

Continuous Evolution and Improvement

Feedback Integration and Adaptation

Community-Driven Development:

Participant Feedback Systems: Regular collection and analysis of participant experience and improvement suggestions
Facilitator Development Programs: Ongoing training and support for community facilitators and leaders
Content Evolution: Continuous updating of scenarios, Malmons, and learning materials based on threat landscape changes
Methodology Refinement: Ongoing improvement of collaborative learning techniques based on effectiveness research and community feedback

Research-Informed Enhancement:

Academic Partnership Development: Collaboration with educational and research institutions to study and improve collaborative learning
Effectiveness Research Integration: Incorporating findings from learning science and cybersecurity education research
Innovation Testing: Systematic evaluation of new approaches, technologies, and methodologies
Best Practice Documentation: Ongoing capture and sharing of effective practices across different communities and contexts

Sustainability and Growth Planning

Long-Term Community Sustainability:

Leadership Development: Training and supporting community leaders to ensure ongoing vitality and growth
Resource Sustainability: Developing sustainable funding and resource models for community activities and platform development
Quality Maintenance: Ensuring consistent quality and educational effectiveness as communities scale
Innovation Continuity: Maintaining capacity for ongoing innovation and adaptation to emerging cybersecurity challenges

Global Expansion Strategy:

Cultural Adaptation: Developing approaches that work effectively across different cultural and regulatory contexts
Language Accessibility: Creating materials and experiences accessible to non-English speaking communities
Technology Accessibility: Ensuring platform and approach accessibility in different technological and infrastructure contexts
Capacity Building: Supporting development of local facilitator and leadership capacity in emerging communities

The Ripple Effect of Collaborative Learning

Every Malware & Monsters session creates ripples that extend far beyond the immediate participants. Skills developed in one session improve workplace cybersecurity. Relationships built in communities strengthen industry cooperation. Innovations discovered through collaboration advance the entire field. The ultimate measure of success is not individual achievement, but the collective advancement of cybersecurity capability and community resilience.

Malware & Monsters extends far beyond gaming sessions to create lasting impact in cybersecurity education, professional development, and community building. By focusing on collaborative learning, knowledge sharing, and continuous improvement, the framework contributes to building a more skilled, connected, and effective global cybersecurity community.

The true power of Malware & Monsters lies not in any individual component, but in how it connects people, builds capabilities, and creates communities committed to collaborative defense against digital threats. In a field where threats evolve rapidly and cooperation is essential, these connections and capabilities make all the difference.

Quick Reference

Quick Reference Guide

Session Structure At-a-Glance

Character Creation

Skills Discovery: Share cybersecurity experience with team
Role Assignment: Collaborative selection based on interests
Character Development: Build personality around chosen role

Round 1: Discovery Phase

Objective: Identify the specific Malmon
Individual Investigation: Each role explores from their perspective
Knowledge Sharing: Team connects clues and builds understanding
Malmon Identification: Determine threat type and characteristics

Round 2: Investigation Phase

Objective: Understand attack scope and impact
Impact Assessment: What systems/data are affected?
Attack Vector Analysis: How did it succeed?
Evolution Assessment: Risk of threat escalation

Round 3: Response Phase

Objective: Coordinate effective containment
Strategy Development: Choose approaches based on Malmon type
Implementation: Execute coordinated response
Resolution: Outcome and lessons learned

Role Quick Reference

🔍 Detective (Cyber Sleuth)

Focus: Finding clues and analyzing evidence
Typical Actions:

Analyze system logs and digital artifacts
Interview users about suspicious activities
Examine file signatures and process behaviors
Build attack timelines and evidence chains

Team Contributions:

Pattern recognition and anomaly detection
Forensic evidence collection and analysis
Timeline construction and attack progression
Connecting disparate clues into coherent picture

🛡️ Protector (Digital Guardian)

Focus: Stopping threats and securing systems
Typical Actions:

Implement security controls and containment measures
Isolate infected systems from network
Deploy backup and recovery procedures
Harden systems against further attacks

Team Contributions:

Technical containment implementation
System damage assessment and recovery
Security control deployment and configuration
Immediate threat mitigation

📡 Tracker (Data Whisperer)

Focus: Monitoring data flows and network behavior
Typical Actions:

Monitor network traffic for anomalies
Trace data exfiltration and communication paths
Identify lateral movement through networks
Block malicious communications

Team Contributions:

Network behavior analysis
Data flow monitoring and protection
Communication pattern recognition
Network-based containment validation

👥 Communicator (People Whisperer)

Focus: Stakeholder management and coordination
Typical Actions:

Interview users about attack vectors
Coordinate with management and external parties
Assess business impact and compliance requirements
Manage crisis communication

Team Contributions:

Stakeholder coordination and communication
Business impact assessment
Regulatory and compliance considerations
User education and awareness

⚡ Crisis Manager (Chaos Wrangler)

Focus: Overall incident coordination and strategy
Typical Actions:

Coordinate team activities and resource allocation
Set priorities and manage timeline
Interface with senior leadership
Plan recovery and business continuity

Team Contributions:

Strategic coordination and planning
Resource allocation and priority setting
Cross-functional team integration
Timeline and dependency management

🎯 Threat Hunter (Pattern Seeker)

Focus: Proactive threat discovery and intelligence
Typical Actions:

Search for hidden threats and persistence mechanisms
Investigate potential related attacks
Develop threat intelligence and attribution
Validate security control effectiveness

Team Contributions:

Proactive threat discovery
Advanced threat analysis and attribution
Intelligence development and sharing
Security control validation and testing

Type Effectiveness Chart

Malmon Type	Super Effective Against	Weak To	Common Examples
Trojan	Defense systems	Detection/Behavioral analysis	GaboonGrabber, FakeBat
Worm	Networks	Isolation/Segmentation	WannaCry, Code Red, Raspberry Robin
Ransomware	Data	Backup systems	LockBit, WannaCry (hybrid)
Rootkit	System integrity	Forensic analysis	Advanced persistence mechanisms
APT	Time/Patience	Intelligence/Threat hunting	Stuxnet, Noodle RAT, Gh0st RAT
Infostealer	Privacy	Encryption/Access controls	Noodle RAT, PoisonIvy

Security Control Effectiveness

Control Type	Super Effective vs	Normal vs	Not Effective vs
Signature Detection	Basic Trojans, Known Worms	Most standard threats	Zero-days, Polymorphic
Network Isolation	Worms, Network propagation	APTs, Infostealers	Air-gap jumping
Backup Systems	Ransomware, Data encryption	Most persistent threats	Data theft (post-exfiltration)
Behavioral Analysis	Trojans, APTs, Evasive threats	Standard attacks	Perfect mimicry
Threat Intelligence	APTs, Nation-state	Organized cybercrime	Novel/amateur threats
Forensic Analysis	Rootkits, System modifications	Advanced threats	Fast-moving Worms

Action System

Actions Per Round

Each player: 2 actions per round
Action types: Investigation, Communication, Technical, Strategic

Dice Mechanics

Easy tasks (8+): Standard procedures with appropriate expertise (~85% success)
Medium tasks (12+): Complex analysis requiring expertise (~60% success)
Hard tasks (16+): Cutting-edge techniques or high stakes (~35% success)
Automatic Success: Clear expertise + appropriate approach

Collaboration Bonuses

Direct Support (+2): Actions that directly enable teammate efforts
Team Coordination (+3): Multiple players working on unified objective
Perfect Teamwork (Auto-Success): Excellent coordination + real expertise

Type Effectiveness Modifiers

Super Effective (+3): Using optimal approaches against Malmon weaknesses
Normal (0): Standard effectiveness
Not Effective (-2): Poor match between approach and threat type

Network Security Status

Status Levels

Secure (90-100): Minimal impact, normal operations continue
Concerned (75-89): Active threat but manageable response
Critical (50-74): Significant impact requiring major response
Compromised (25-49): Severe impact affecting business operations
Crisis (0-24): Organization-threatening incident

Status Changes

Decreases:

Malmon evolution (-10 to -20)
Data theft (-5 to -15)
Failed containment (-3 to -8)

Increases:

Successful containment (+10 to +20)
Early detection (+5 to +10)
Team coordination (+3 to +8)

Common Malmon Abilities

Universal Abilities

Perfect Mimicry: Appears identical to legitimate software
Rapid Propagation: Spreads quickly through vulnerabilities
Deep Persistence: Maintains access through restarts
Behavioral Camouflage: Blends with normal activity
Fileless Deployment: Operates entirely in memory
Multi-Payload Delivery: Deploys additional threats
Zero-Day Arsenal: Uses unknown vulnerabilities
Command Center Coordination: Controls other malware

Evolution Triggers

Time Pressure: Taking too long in any phase
Failed Containment: Unsuccessful response attempts
Environmental Opportunity: Network vulnerabilities or gaps
External Communication: Contact with threat actor infrastructure

Emergency Phrases for Teams

When Stuck

“What would we try if we had unlimited resources?”
“What’s our gut instinct about this situation?”
“What would this look like from [different role] perspective?”
“What’s the worst-case scenario if we’re wrong?”

For Coordination

“How do our findings connect together?”
“What’s our priority - speed or thoroughness?”
“Who has experience with this type of situation?”
“What could go wrong with this approach?”

For Learning

“What surprised us about this Malmon’s behavior?”
“Which techniques worked better than expected?”
“What would we do differently next time?”
“What can we share with other teams?”

Session Troubleshooting

If One Person Dominates

Redirect: “That’s helpful - let’s hear other perspectives”
Build on input: “Can someone add to what [Name] shared?”
Role-specific questions: “What questions would [Role] ask about this?”

If Energy Drops

Raise stakes: “What’s the worst-case scenario here?”
Create urgency: “What happens if we’re too slow?”
Personal investment: “Who would be affected if this succeeds?”

If Team Gets Too Technical

Broader perspective: “How does this connect to our overall objective?”
Role diversity: “What would worry the Communicator about this approach?”
Time management: “We have X minutes - what’s our priority?”

If Confused About Mechanics

Focus on story: “What would realistically happen in this situation?”
Use expertise: “Based on your experience, what makes sense here?”
Collaborative decision: “What does the team think is most logical?”

Character Development Prompts

For All Roles

What’s your character’s biggest professional fear?
How long have you worked in cybersecurity?
What motivates you to protect this organization?
What’s one quirk about how you approach problems?

Role-Specific Prompts

Detective: “What pattern or detail do others always miss?”
Protector: “What system do you consider ‘your baby’?”
Tracker: “How do you visualize network traffic in your mind?”
Communicator: “What’s your go-to analogy for explaining cybersecurity?”
Crisis Manager: “How do you organize chaos in your head?”
Threat Hunter: “What assumption do you always question first?”

Post-Session Reflection Questions

For Individuals

What’s one thing that surprised you during this session?
Which role perspective taught you something new?
What technique or approach could you use in real work?
How did your character’s perspective shape your decisions?

For Teams

What was our most effective moment of coordination?
Which discovery or insight was most valuable?
What would we do differently if we faced this Malmon again?
How can we apply these lessons to our actual work?

For MalDex Documentation

What surprised us most about this Malmon’s behavior?
Which response techniques worked better than expected?
What insights could help other teams facing similar threats?
What key lesson should other teams know about this experience?

Type Effectiveness Reference

Complete Type Interaction Matrix

Understanding which security controls work best against different Malmon types is fundamental to effective incident response:

Detailed Type Characteristics

Trojan-Type Malmons

Core Characteristics:

Deception Specialists: Excel at appearing legitimate
User Interaction Required: Depend on user execution or installation
Process Hiding: Often inject into or masquerade as legitimate processes
Payload Delivery: Frequently serve as first stage for other threats

Type Effectiveness Analysis:

Super Effective Against:

Traditional signature-based detection systems
Static security controls that rely on known bad indicators
User awareness programs that focus on obvious threats

Common Examples: GaboonGrabber, FakeBat Evolution Path: Often evolve into APT-level threats with persistence and lateral movement

Worm-Type Malmons

Core Characteristics:

Self-Propagating: Spread automatically without user interaction
Network Exploitation: Use network vulnerabilities for rapid spread
Infrastructure Impact: Can affect multiple systems simultaneously
Speed Advantage: Rapid propagation can overwhelm response efforts

Type Effectiveness Analysis:

Super Effective Against:

Unpatched network infrastructure
Poorly segmented networks
Organizations with weak change management

Common Examples: WannaCry, Code Red, Raspberry Robin Evolution Path: May evolve into coordinated botnets or multi-vector attacks

Ransomware-Type Malmons

Core Characteristics:

Data Encryption: Primary attack vector against organizational data
Financial Motivation: Direct monetary demands and business disruption
Time Pressure: Create urgency through deadline-driven demands
Business Impact: Target critical business processes and data

Type Effectiveness Analysis:

Super Effective Against:

Organizations with poor backup strategies
Critical data without redundancy
Systems dependent on real-time data access

Common Examples: LockBit, WannaCry (hybrid type) Evolution Path: Often evolve to include data theft and double extortion

Rootkit-Type Malmons

Core Characteristics:

Deep System Access: Operate at kernel or firmware level
Stealth Operations: Designed to remain hidden from detection tools
Persistence Focus: Maintain access through system changes and updates
Detection Evasion: Actively hide from security tools and analysis

Type Effectiveness Analysis:

Super Effective Against:

Signature-based detection systems
Standard malware scanning tools
Network-based security controls

Common Examples: Advanced persistence mechanisms, kernel-level malware Evolution Path: Often part of sophisticated APT campaigns

APT-Type Malmons (Advanced Persistent Threat)

Core Characteristics:

Long-Term Operations: Patient, methodical approach to objectives
Sophisticated Techniques: Use advanced tools and zero-day exploits
Intelligence Gathering: Focus on reconnaissance and data collection
Adaptive Behavior: Modify tactics based on defensive responses

Type Effectiveness Analysis:

Super Effective Against:

Organizations with limited threat hunting capabilities
Environments with weak monitoring and logging
Targets with valuable long-term intelligence value

Common Examples: Stuxnet, Noodle RAT, Gh0st RAT Evolution Path: Continuously evolve tools and techniques based on defensive measures

Infostealer-Type Malmons

Core Characteristics:

Data Collection Focus: Primary objective is information gathering
Credential Harvesting: Target passwords, keys, and authentication data
Silent Operation: Minimize detection while maximizing data collection
Exfiltration Capability: Efficient methods for removing stolen data

Type Effectiveness Analysis:

Super Effective Against:

Organizations with weak access controls
Systems with unencrypted sensitive data
Environments lacking data loss prevention

Common Examples: Noodle RAT, PoisonIvy
Evolution Path: Often evolve to include lateral movement and privilege escalation

Role-Based Type Effectiveness

Understanding how different incident response roles interact with Malmon types helps optimize team coordination:

Detective Advantages by Type

Most Effective Against:

Trojans: Excel at identifying deception and social engineering vectors
Rootkits: Forensic skills reveal hidden artifacts and persistence mechanisms
APTs: Pattern recognition helps identify long-term campaign indicators

Challenging Types:

Worms: Fast-moving threats may outpace investigation efforts
Ransomware: Time pressure limits thorough analysis opportunities

Protector Advantages by Type

Most Effective Against:

Worms: Network isolation and segmentation prevent spread
Ransomware: Backup systems and recovery procedures mitigate impact
Trojans: Security controls and system hardening prevent execution

Challenging Types:

Rootkits: Deep system access bypasses standard security controls
APTs: Patient, sophisticated attacks adapt to defensive measures

Tracker Advantages by Type

Most Effective Against:

Worms: Network propagation creates obvious traffic patterns
Infostealers: Data exfiltration generates detectable network activity
APTs: Long-term monitoring reveals communication patterns

Challenging Types:

Rootkits: May operate below network visibility layer
Trojans: Limited network activity during initial infection phase

Communicator Advantages by Type

Most Effective Against:

Trojans: Social engineering aspects require user education response
Ransomware: Business impact assessment and stakeholder management critical
APTs: Long-term incidents require sustained stakeholder communication

Challenging Types:

Worms: Technical response may be prioritized over communication
Rootkits: Highly technical nature limits business stakeholder involvement

Crisis Manager Advantages by Type

Most Effective Against:

Ransomware: Business continuity and crisis coordination essential
APTs: Long-term, complex response requires strategic coordination
Worms: Rapid spread requires immediate resource allocation and coordination

Challenging Types:

Rootkits: Highly technical response may require specialized coordination
Trojans: Initial response may be straightforward without complex coordination needs

Threat Hunter Advantages by Type

Most Effective Against:

APTs: Proactive hunting essential for detecting patient, sophisticated threats
Rootkits: Advanced techniques required to find hidden threats
Infostealers: Proactive search reveals data collection activities

Challenging Types: - Worms: Reactive response may be more appropriate than proactive hunting - Ransomware: Time pressure may limit comprehensive hunting activities

Strategic Response Planning

Type-Based Response Strategies

Understanding type effectiveness helps prioritize response actions:

Trojan Response Priority

Behavioral Analysis: Detect abnormal process behavior
User Investigation: Understand social engineering vector
Signature Detection: Block known variants
System Hardening: Prevent future similar attacks

Worm Response Priority

Network Isolation: Immediate containment of spread
Signature Detection: Block at network perimeter
Patch Management: Address underlying vulnerabilities
Recovery Planning: Restore affected systems

Ransomware Response Priority

Network Isolation: Prevent spread to additional systems
Backup Systems: Initiate recovery from clean backups
Business Continuity: Maintain critical operations
Forensic Preservation: Preserve evidence for investigation

Rootkit Response Priority

Forensic Analysis: Deep investigation to uncover presence
Behavioral Analysis: Monitor for unusual system activity
System Rebuild: Clean reinstallation of affected systems
Enhanced Monitoring: Implement advanced detection capabilities

APT Response Priority

Threat Intelligence: Understand campaign and attribution
Behavioral Analysis: Detect subtle, long-term activities
Forensic Analysis: Comprehensive investigation and timeline
Strategic Hardening: Long-term improvements to prevent persistence

Infostealer Response Priority

Behavioral Analysis: Detect unusual data access patterns
Threat Intelligence: Understand data theft techniques and objectives
Access Control Review: Implement enhanced authentication and authorization
Data Protection: Encrypt and monitor sensitive information

Environment-Specific Considerations

Different organizational environments face varying type effectiveness challenges:

Healthcare Environment Type Effectiveness

Trojans: High risk due to diverse, often unmanaged medical devices
Ransomware: Critical impact on patient care and safety systems
Infostealers: HIPAA compliance and patient privacy concerns
APTs: Nation-state interest in healthcare data and research

Financial Services Type Effectiveness

Infostealers: High value targets for financial and customer data
APTs: Nation-state and organized crime interest
Trojans: Banking trojans specifically designed for financial targeting
Ransomware: Business disruption impacts market and customer confidence

Critical Infrastructure Type Effectiveness

APTs: Nation-state targeting of critical systems
Worms: Potential for cascading failures across infrastructure
Rootkits: Deep system access threatens operational technology
Ransomware: Service disruption affects public safety and economic stability

Educational Institution Type Effectiveness

Trojans: High risk due to diverse user base and BYOD policies
Infostealers: Research data and student information targets
Worms: Large, diverse networks facilitate rapid spread
APTs: Nation-state interest in research and intellectual property

Quick Decision Matrix

Time-Critical Type Assessment

For rapid initial assessment during incident response:

Rapid Spread Indicators → Likely Worm:

Multiple simultaneous infections
Network-based propagation patterns
Exploit-based initial access

Stealth Operation Indicators → Likely APT/Rootkit:

Subtle system changes
Long-term persistence evidence
Advanced evasion techniques

Business Disruption Indicators → Likely Ransomware:

File encryption activities
Ransom demands or payment instructions
Critical system unavailability

Data Collection Indicators → Likely Infostealer:

Unusual data access patterns
Credential harvesting activities
Systematic information gathering

Social Engineering Indicators → Likely Trojan:

User-initiated execution
Masquerading as legitimate software
Email or web-based delivery

Using This Reference During Sessions

This matrix provides rapid initial type assessment. Use it for quick decisions during time-pressured incidents, then refine understanding through detailed investigation and team collaboration.

Use this matrix for rapid initial type assessment, then refine understanding through detailed investigation.

Role Cards Reference

This appendix provides quick reference cards for all six incident response roles. Use these during gameplay for easy access to role strengths, focus areas, and roleplay guidance.

Role Cards Grid

Quick Reference Summary

Role Strengths at a Glance

🔍 Detective: Pattern recognition, evidence analysis, timeline construction
🛡️ Protector: Containment, security architecture, business continuity
📡 Tracker: Network analysis, data flow tracking, infrastructure mapping
📢 Communicator: Stakeholder management, crisis communication, compliance
⚡ Crisis Manager: Coordination, strategic planning, resource allocation
🎯 Threat Hunter: Advanced detection, intelligence analysis, attack prediction

Team Composition Guidelines

For 4-Player Teams: - Essential Core: Detective, Protector, Communicator, Crisis Manager

For 5-Player Teams:
- Add: Tracker (for network-heavy scenarios) or Threat Hunter (for APT scenarios)

For 6-Player Teams: - Full team: All roles represented for comprehensive coverage

Role Modifier Quick Reference

Each role provides specific bonuses when actions match their expertise: - +3 bonus: Primary specialization area
- +2 bonus: Secondary strength area - +1 bonus: Supporting skill area

Use these modifiers when players demonstrate relevant knowledge and choose approaches that leverage their role’s strengths.

Badge Assessment Checklists

This appendix provides specific, measurable criteria for earning Security Domain Badges and clear checklists for players to track their progress.

Badge Tracking System

Clear Tracking Responsibilities

Player Responsibilities: - Use the checklists below to track your own progress - Check off criteria immediately when you demonstrate them in sessions - Keep your checklist with you during every session - Request IM validation at the end of sessions (not during active gameplay) - Submit completed checklists to IM for final badge award

IM Responsibilities: - Observe and note when players demonstrate specific criteria during sessions - Validate completed criteria at session end using observable evidence - Sign off only on criteria that were genuinely demonstrated with clear knowledge - Award badges when ALL criteria are validated complete - Announce badge achievements to encourage others

Step-by-Step Badge Earning Process

During Sessions: 1. Player: Bring checklist to every session 2. Player: Check off criteria as you demonstrate them in real-time 3. IM: Make notes about player demonstrations during gameplay

At Session End: 4. Player: Ask IM to validate any newly completed criteria 5. IM: Review demonstrations and sign off on genuinely completed items 6. Both: Discuss progress and plan focus areas for next sessions

When All Criteria Complete: 7. Player: Submit completed checklist to IM for final review 8. IM: Verify all criteria with signatures and award badge 9. IM: Present badge certificate and announce to community

🌐 Network Security Badge Checklist

“Guardian of Digital Highways”

Required Criteria (All Must Be Completed)

Worm Containment Expertise (5 Required): - [ ] Containment 1: Demonstrated network segmentation by explaining specific VLAN isolation or firewall rules to contain Worm spread, with IM observing accurate technical steps - [ ] Containment 2: Identified and blocked specific C2 communication by naming exact IPs, domains, or protocols, resulting in successful threat communication disruption - [ ] Containment 3: Prevented lateral movement by implementing specific access controls (named user accounts, system permissions, or network ACLs) that stopped Worm spread - [ ] Containment 4: Led team coordination where you directed at least 2 other roles in simultaneous system isolation, resulting in successful multi-system containment - [ ] Containment 5: Under time pressure (active Worm spreading scenario), implemented emergency network partitioning using specific tools or procedures within 2 rounds

Technical Proficiency Demonstrations: - [ ] Traffic Analysis: Examined actual network logs/data and correctly identified at least 3 specific indicators of malicious activity (unusual ports, suspicious IPs, abnormal traffic volumes) - [ ] Protocol Understanding: Accurately explained how a specific network protocol (HTTP, DNS, SMB, etc.) was being exploited, including technical details observed by IM - [ ] Tool Proficiency: Named and correctly described using specific network monitoring tools (Wireshark, SIEM platforms, etc.) appropriate for the threat scenario - [ ] Architecture Knowledge: Drew or described network topology showing how threat spreads and where containment points should be placed, with technical accuracy

Response Coordination: - [ ] Team Leadership: Successfully directed at least 3 other players in coordinated network response actions, with clear role assignments and successful outcome - [ ] Stakeholder Communication: Explained network security situation in business terms to simulated executive/user, avoiding technical jargon while maintaining accuracy - [ ] Documentation: Verbally provided or wrote clear incident summary including: what happened, how it was contained, and what network changes were made

Improvement Contribution: - [ ] Lessons Learned: Provided at least 2 specific, implementable recommendations for preventing similar network attacks, based on session scenario - [ ] Process Enhancement: Suggested specific procedural improvements to network response, explaining exactly what should change and why

IM Validation Requirements: IM must observe genuine demonstration of each criterion during gameplay, not just discussion. Sign only when player shows clear technical knowledge and successful execution.

IM Validation Signature: _________________ Date: _________ Badge Awarded: ☐ Yes ☐ Not Yet (explain): _______________________

💻 Endpoint Security Badge Checklist

“Protector of Digital Workstations”

Required Criteria (All Must Be Completed)

Malware Containment Expertise (5 Required): - [ ] Containment 1: Successfully contained a Trojan-type Malmon on infected endpoint - [ ] Containment 2: Removed Rootkit-type threat using appropriate tools and techniques - [ ] Containment 3: Prevented malware execution through behavioral blocking - [ ] Containment 4: Coordinated system isolation during active compromise - [ ] Containment 5: Led recovery efforts for severely compromised endpoint

Analysis and Investigation: - [ ] Behavioral Analysis: Identified malicious behavior patterns in system activity - [ ] Artifact Examination: Analyzed malware artifacts to understand capabilities - [ ] Timeline Construction: Built accurate timeline of endpoint compromise - [ ] Impact Assessment: Determined scope of compromise and data at risk

System Hardening and Recovery: - [ ] Recovery Leadership: Successfully led complete system recovery and hardening - [ ] Prevention Strategy: Implemented specific controls to prevent reinfection - [ ] Configuration Management: Applied appropriate security configurations post-incident

Knowledge Demonstration: - [ ] Tool Mastery: Demonstrated competent use of endpoint protection platforms - [ ] Process Understanding: Explained endpoint incident response procedures clearly

IM Validation Requirements: IM must observe genuine demonstration of each criterion during gameplay, not just discussion. Sign only when player shows clear technical knowledge and successful execution.

IM Validation Signature: _________________ Date: _________ Badge Awarded: ☐ Yes ☐ Not Yet (explain): _______________________

🗄️ Data Protection Badge Checklist

“Guardian of Digital Assets”

Required Criteria (All Must Be Completed)

Data Threat Response (5 Required): - [ ] Response 1: Successfully prevented data exfiltration during Ransomware attack - [ ] Response 2: Contained Infostealer-type Malmon before significant data loss - [ ] Response 3: Implemented emergency data protection during active breach - [ ] Response 4: Led data recovery efforts using backup systems - [ ] Response 5: Coordinated data breach response including notification procedures

Technical Implementation: - [ ] Backup Strategy: Demonstrated effective backup and recovery strategy deployment - [ ] Encryption Application: Applied appropriate encryption to protect data at risk - [ ] Access Controls: Implemented data access restrictions during incident response - [ ] DLP Techniques: Used data loss prevention techniques to limit exposure

Compliance and Governance: - [ ] Breach Response: Led data breach investigation following established procedures - [ ] Notification Management: Managed appropriate stakeholder notifications for data incidents - [ ] Documentation: Created comprehensive data incident documentation for compliance

Risk Assessment: - [ ] Impact Analysis: Accurately assessed potential impact of data compromise - [ ] Classification Understanding: Demonstrated understanding of data classification principles

IM Validation Requirements: IM must observe genuine demonstration of each criterion during gameplay, not just discussion. Sign only when player shows clear technical knowledge and successful execution.

IM Validation Signature: _________________ Date: _________ Badge Awarded: ☐ Yes ☐ Not Yet (explain): _______________________

👤 Human Factor Security Badge Checklist

“Defender Against Social Engineering”

Required Criteria (All Must Be Completed)

Social Engineering Defense (5 Required): - [ ] Defense 1: Identified and countered phishing attack targeting organization - [ ] Defense 2: Prevented social engineering attempt through user education - [ ] Defense 3: Responded effectively to pretexting or impersonation attack - [ ] Defense 4: Led response to business email compromise attempt - [ ] Defense 5: Coordinated organization-wide response to social engineering campaign

Education and Awareness: - [ ] Training Development: Created or contributed to security awareness training materials - [ ] User Engagement: Successfully educated users about social engineering threats - [ ] Behavioral Change: Demonstrated measurable improvement in user security behavior

Communication Excellence: - [ ] Crisis Communication: Managed clear communication during social engineering incident - [ ] Stakeholder Management: Effectively coordinated with executives during human factor incidents - [ ] User Support: Provided supportive, educational response to victimized users

Risk Assessment: - [ ] Vulnerability Analysis: Assessed human factor vulnerabilities in organizational context - [ ] Program Development: Contributed to development of security awareness program

IM Validation Requirements: IM must observe genuine demonstration of each criterion during gameplay, not just discussion. Sign only when player shows clear technical knowledge and successful execution.

IM Validation Signature: _________________ Date: _________ Badge Awarded: ☐ Yes ☐ Not Yet (explain): _______________________

🏭 Critical Infrastructure Security Badge Checklist

“Protector of Essential Systems”

Required Criteria (All Must Be Completed)

Infrastructure Threat Response (3 Required): - [ ] Response 1: Successfully defended against threat targeting industrial control systems - [ ] Response 2: Managed incident affecting operational technology (OT) environment - [ ] Response 3: Coordinated response involving both IT and OT systems

Technical Understanding: - [ ] OT Security Principles: Demonstrated understanding of operational technology security requirements - [ ] IT/OT Integration: Explained security implications of IT/OT convergence - [ ] Control System Knowledge: Showed familiarity with ICS/SCADA security concerns

Business Continuity: - [ ] Continuity Planning: Contributed to business continuity and disaster recovery planning - [ ] Operational Impact: Assessed operational impact of security incidents on critical processes - [ ] Recovery Strategy: Developed or implemented recovery strategies for critical infrastructure

Coordination and Leadership: - [ ] Cross-Team Coordination: Successfully coordinated between IT and OT security teams - [ ] Stakeholder Management: Managed communications with operational and executive stakeholders

IM Validation Signature: _________________ Date: _________

🏛️ Governance and Compliance Badge Checklist

“Navigator of Regulatory Requirements”

Required Criteria (All Must Be Completed)

Compliance Management (5 Required): - [ ] Management 1: Successfully managed compliance aspects of GDPR-relevant security incident - [ ] Management 2: Handled regulatory reporting requirements during security incident - [ ] Management 3: Managed compliance documentation for industry-specific regulations - [ ] Management 4: Coordinated legal and compliance teams during security incident - [ ] Management 5: Led regulatory notification process during significant security event

Framework Understanding: - [ ] Regulatory Knowledge: Demonstrated understanding of relevant regulatory frameworks - [ ] Risk Framework Application: Applied risk management frameworks to security incidents - [ ] Policy Development: Contributed to security governance policy development

Documentation and Reporting: - [ ] Incident Documentation: Created comprehensive compliance-focused incident documentation - [ ] Regulatory Reporting: Completed accurate regulatory incident reporting - [ ] Risk Assessment: Conducted and documented regulatory risk assessments

Program Development: - [ ] Governance Contribution: Contributed to development of security governance programs - [ ] Compliance Integration: Integrated compliance requirements into security response procedures

IM Validation Requirements: IM must observe genuine demonstration of each criterion during gameplay, not just discussion. Sign only when player shows clear technical knowledge and successful execution.

IM Validation Signature: _________________ Date: _________ Badge Awarded: ☐ Yes ☐ Not Yet (explain): _______________________

Badge Award Process

For Players:

Track Progress: Use checklists during sessions to note completed criteria
Request Validation: Ask IM to validate completed items during or after sessions
Complete Requirements: Ensure all criteria are checked off and validated
Badge Request: Request badge award when all criteria are complete

For Incident Masters:

Observe Performance: Watch for criteria demonstrations during gameplay
Validate Completion: Sign off on completed criteria when genuinely demonstrated
Award Badges: Present badges when all criteria are verifiably complete
Community Recognition: Announce badge achievements to encourage others

Validation Standards:

Real Demonstration: Criteria must be actually demonstrated, not just discussed
Context Appropriate: Demonstrations should occur in relevant scenario contexts
Knowledge-Based: Players should show understanding, not just lucky outcomes
Collaborative: Recognize both individual contribution and team collaboration

Badge Certificate Template:

MALWARE & MONSTERS SECURITY DOMAIN BADGE

This certifies that

[PLAYER NAME]

has successfully demonstrated mastery of

[BADGE NAME] - [BADGE SUBTITLE]

by completing all required criteria through
collaborative cybersecurity learning sessions.

Awarded on: [DATE]
Validated by: [IM SIGNATURE]
Community: [ORGANIZATION/GROUP]

Glossary

Core Game Terms

Action: Individual activities that players take during rounds. Each player receives 2 actions per round to investigate, communicate, implement technical solutions, or coordinate strategy.
Collaborative Bonus: Additional effectiveness gained when team members coordinate their efforts. Ranges from +2 for direct support to automatic success for perfect teamwork.
Containment: The process of stopping, isolating, and neutralizing Malmon threats. Success depends on matching appropriate security controls to specific Malmon types.
Evolution: The process by which Malmons gain new capabilities and become more dangerous if not contained quickly. Triggered by time pressure, failed containment, or environmental factors.
Incident Master (IM): The facilitator who guides collaborative learning sessions. Focuses on asking questions and enabling discovery rather than providing answers.
MalDex: The community knowledge repository documenting Malmon encounters, response strategies, and lessons learned from collaborative sessions.
Malmon: Digital threats represented as creatures with distinct behaviors, capabilities, and weaknesses. Based on real malware families and attack techniques.
Network Security Status: A measure (0-100) of organizational cybersecurity health that changes based on threat impact and team response effectiveness.
Type Effectiveness: The strategic relationship between Malmon types and security controls, where certain approaches are super effective, normal, or not effective against specific threats.

Malmon Types

APT (Advanced Persistent Threat): Long-term, sophisticated threats that use patience and advanced techniques. Strong against time-based defenses, weak to intelligence and threat hunting.
Infostealer: Malmons focused on data collection and credential harvesting. Strong against privacy, weak to encryption and access controls.
Ransomware: Threats that encrypt data and demand payment. Strong against data availability, weak to backup systems and network isolation.
Rootkit: Deep system threats that hide at kernel or firmware level. Strong against system integrity, weak to forensic analysis and behavioral monitoring.
Trojan: Deceptive threats that masquerade as legitimate software. Strong against traditional defenses, weak to detection and behavioral analysis.
Worm: Self-propagating threats that spread through network vulnerabilities. Strong against networks, weak to isolation and segmentation.

Security Controls

Backup Systems: Recovery capabilities and data redundancy. Super effective against Ransomware, normal against most threats, not effective against data theft post-exfiltration.
Behavioral Analysis: Runtime monitoring and anomaly detection. Super effective against Trojans, APTs, and evasive threats. Normal against standard attacks.
Forensic Analysis: Deep investigation and evidence examination. Super effective against Rootkits and system modifications. Normal against advanced threats.
Network Isolation: Segmentation and quarantine capabilities. Super effective against Worms and network propagation. Not effective against air-gap jumping threats.
Signature Detection: Pattern-based identification of known threats. Super effective against basic Trojans and known Worms. Not effective against zero-days and polymorphic threats.
Threat Intelligence: Knowledge of adversary techniques and campaigns. Super effective against APTs and nation-state threats. Not effective against novel or amateur threats.

Incident Response Roles

🔍 Detective (Cyber Sleuth): Specializes in finding clues, analyzing evidence, and building attack timelines. Excels at pattern recognition and forensic investigation.
🛡️ Protector (Digital Guardian): Focuses on stopping threats and securing systems. Implements containment measures, deploys security controls, and manages recovery.
📡 Tracker (Data Whisperer): Monitors data flows and network behavior. Analyzes traffic patterns, traces communications, and validates containment effectiveness.
👥 Communicator (People Whisperer): Handles stakeholder relations and coordinates response. Manages crisis communication, assesses business impact, and coordinates with external parties.
⚡ Crisis Manager (Chaos Wrangler): Oversees overall incident coordination and strategy. Allocates resources, sets priorities, and integrates cross-functional response efforts.
🎯 Threat Hunter (Pattern Seeker): Proactively searches for hidden threats and develops intelligence. Tests hypotheses, investigates potential compromises, and validates security controls.

Session Structure

Character Creation: Opening process including skills discovery, role assignment, and character development around real names and interests.
Discovery Phase (Round 1): Identifying the specific Malmon through individual investigation, knowledge sharing, and collaborative analysis.
Investigation Phase (Round 2): Analyzing attack scope, impact, and progression. Includes impact assessment, attack vector analysis, and evolution risk evaluation.
Response Phase (Round 3): Coordinating effective containment. Includes strategy development, coordinated implementation, and outcome resolution.

Cybersecurity Concepts

Attack Vector: The method by which a Malmon gains initial access to target systems. Common vectors include email, web, network vulnerabilities, and removable media.
Attribution: The process of identifying threat actors responsible for attacks. Includes technical attribution (tools and techniques) and strategic attribution (motivation and capabilities).
Command and Control (C2): Communication channels between Malmons and threat actors. Critical for ongoing attack coordination and data exfiltration.
Cyber Kill Chain: The progression of attack activities from initial reconnaissance through final objectives. Provides framework for understanding attack progression.
Digital Forensics: The investigation and analysis of digital evidence from cybersecurity incidents. Includes timeline construction, artifact analysis, and attribution development.
Indicators of Compromise (IoCs): Technical artifacts that suggest malicious activity. Include file hashes, IP addresses, domain names, and behavioral patterns.
Lateral Movement: The process by which threats spread through networks after initial compromise. Often involves credential theft and privilege escalation.
Persistence: Techniques used by threats to maintain access through system restarts, updates, and other disruptions. Critical for long-term compromise.
Privilege Escalation: The process of gaining higher-level system access than initially obtained. Enables broader compromise and deeper system access.
Zero-Day: Previously unknown vulnerabilities that lack available patches or signatures. Particularly effective against traditional detection methods.

Community Terms

Badge System: Recognition framework for cybersecurity domain mastery. Includes Network Security, Endpoint Security, Data Protection, and other specialized areas.
Community Champion: Recognition for outstanding community building and engagement efforts. Includes leadership in community governance and development.
Discoverer Status: Recognition for first teams to document new Malmon variants or innovative response techniques. Includes naming rights and special community recognition.
Elite Four: Advanced specialization tracks including APT Specialist, Global Incident Commander, and Security Researcher. Represents master-level cybersecurity expertise.
Innovation Recognition: Community acknowledgment for developing novel response techniques or coordination approaches. Includes attribution and presentation opportunities.
Master Trainer: Highest level of facilitator certification. Includes training other facilitators, developing curricula, and leading community initiatives.
Scenario Architect: Recognition for developing high-quality training scenarios and learning experiences. Includes content contribution and educational excellence.

Technical Terms

MITRE ATT&CK: Framework for describing adversary tactics, techniques, and procedures. Provides structured approach to understanding threat behavior and developing defenses.
Security Operations Center (SOC): Centralized function for monitoring, detecting, and responding to cybersecurity threats. Includes people, processes, and technology for 24/7 security oversight.
Threat Intelligence: Actionable information about current and emerging security threats. Includes indicators, tactics, techniques, and strategic context for defensive planning.
Incident Response: Structured approach to managing cybersecurity incidents. Includes preparation, identification, containment, eradication, recovery, and lessons learned.
Vulnerability Management: Process of identifying, assessing, and addressing security weaknesses in systems and applications. Critical for reducing attack surface.
Risk Assessment: Evaluation of potential cybersecurity threats and their likely impact on organizational objectives. Includes likelihood, impact, and mitigation strategies.
Business Continuity: Planning and preparation for maintaining critical operations during and after cybersecurity incidents. Includes backup systems, alternate processes, and recovery procedures.
Compliance: Adherence to regulatory and legal requirements related to cybersecurity and data protection. Includes frameworks like GDPR, HIPAA, and SOX.

Learning and Development

Continuing Professional Education (CPE): Ongoing learning requirements for maintaining cybersecurity certifications. Many programs recognize collaborative learning experiences.
Cross-Training: Learning about cybersecurity roles and responsibilities outside your primary specialization. Improves team coordination and career flexibility.
Mentorship: Relationship between experienced and developing cybersecurity professionals. Critical for career development and knowledge transfer.
Professional Development: Structured approach to building cybersecurity knowledge, skills, and capabilities. Includes formal education, certification, and practical experience.
Skill Assessment: Evaluation of cybersecurity competencies and capabilities. Used for identifying development needs and tracking progress.
Community of Practice: Group of cybersecurity professionals who share knowledge, experiences, and best practices. Essential for ongoing learning and professional development.

Players Handbook - Offline Version

Welcome, Player

About This Handbook

What Makes This Different?

How to Use This Handbook

If You’re New to Cybersecurity

If You’re an Experienced Practitioner

If You’re Looking for Quick Reference

What You’ll Learn

The Community Aspect

Getting Started

Introduction to Malware & Monsters

The Philosophy Behind the Experience

Learning Through Discovery

How Sessions Work

The Basic Structure

Your Role in the Team

What Makes Malmons Special

Digital Threats as Creatures

Legacy and Contemporary Threats

The Type System

Evolution and Adaptation

Example Malmon Card

The Learning Experience

Building Real Skills

Safe Environment for Growth

Community Knowledge Building

What to Expect in Your First Session

Character Creation

Example Role: Detective

The Incident Begins

Collaborative Problem-Solving

Learning Through Reflection

Getting the Most from Your Experience

Embrace Your Role

Share Your Knowledge

Ask Questions

Think Like Your Character

Learn from Others

Ready to Start?

Preparing for Your Session

What to Expect

Your Learning Journey

The Collaborative Difference

Before You Arrive

What Expertise You Bring

Setting Learning Intentions

Managing Pre-Session Anxiety

“I Don’t Know Enough” Syndrome

Common Concerns and Realities

Practical Preparation

What to Bring

Mental Preparation

Your Role in Team Success

What Makes a Great Teammate

Building Team Chemistry

Setting Yourself Up for Success

Learning Mindset Checklist

Session Day Preparation

Emergency Phrases for New Participants

What’s Next

Understanding Malmons

What Are Malmons?

Real Threats, Creature Framework

The Type System

Primary Types

Trojan-Type Malmons

Worm-Type Malmons

Ransomware-Type Malmons

Rootkit-Type Malmons

APT-Type Malmons (Advanced Persistent Threat)

Infostealer-Type Malmons

Type Effectiveness Matrix

Hybrid Types

Legacy vs Contemporary Malmons

🕰️ Legacy Malmons

Characteristics of Legacy Malmons

Legacy Malmon Examples

🆕 Contemporary Malmons

Contemporary Examples