Game Mechanics

How the Magic Happens

Behind every engaging Malware & Monsters session lies a carefully designed system of game mechanics that transform cybersecurity education into collaborative adventures. These mechanics create structure for incident response training while preserving the authentic problem-solving that makes real incident response both challenging and rewarding. Our approach combines cybersecurity gamification with team-based security training methodologies.

Quick Reference Guide

Here’s an at-a-glance overview of the core mechanics:

[Malmon reference card: five-star rating, a 👹 portrait, and the five property scores, each shown at 5]

Property Icons:

  • 🔍 Detection
  • 🔒 Persistence
  • 📡 Spread
  • 💣 Payload
  • 🥷 Evasion

Understanding these mechanics helps you get the most from your sessions, whether you’re contributing technical expertise, asking strategic questions, or coordinating team efforts.

The Three-Round Structure

Round-Based Incident Response

Every Malware & Monsters session follows the natural progression of real cybersecurity incidents, organized into three distinct rounds that mirror professional incident response methodology. This incident response simulation structure provides hands-on cybersecurity skills development through collaborative learning cybersecurity approaches.

Round 1: Discovery Phase

Objective: Identify the specific Malmon threatening your organization

What Happens:

  • Individual Investigation: Each role explores the incident from their unique perspective
  • Knowledge Sharing: Team collaborates to connect clues and build understanding
  • Malmon Identification: Group determines which specific threat they’re facing

Success Indicators:

  • Team correctly identifies the Malmon type and primary capabilities
  • All roles contribute meaningful insights to the investigation
  • Group builds accurate understanding of the threat’s behavior patterns
  • Foundation established for effective response planning

Common Challenges:

  • Analysis Paralysis: Getting stuck debating details instead of building overall picture
  • Role Overlap: Multiple people investigating the same aspects
  • Information Hoarding: Not sharing discoveries effectively with teammates

Facilitator Role: Guide discovery through questions, help connect disparate clues, ensure all voices are heard

Round 2: Investigation Phase

Objective: Understand the attack’s scope, impact, and progression

What Happens:

  • Impact Assessment: Determine what systems, data, and processes are affected
  • Attack Vector Analysis: Understand how the Malmon gained access and spread
  • Evolution Assessment: Evaluate risk of threat escalation or expansion

Success Indicators:

  • Comprehensive understanding of current and potential damage
  • Clear picture of attack timeline and progression
  • Identification of vulnerabilities that enabled the attack
  • Realistic assessment of Malmon evolution risks

Common Challenges:

  • Scope Creep: Trying to investigate everything instead of focusing on critical aspects
  • Blame Focus: Spending time on fault-finding instead of impact assessment
  • Technical Rabbit Holes: Getting lost in technical details at expense of bigger picture

Facilitator Role: Keep investigation focused on actionable intelligence, manage time allocation, prepare for evolution decision point

Round 3: Response Phase

Objective: Coordinate effective containment and recovery actions

What Happens:

  • Strategy Development: Choose containment approaches based on Malmon characteristics
  • Coordinated Implementation: Execute response plan with role-specific actions
  • Outcome Resolution: Determine effectiveness and capture lessons learned

Success Indicators:

  • Response strategy matches Malmon type weaknesses
  • Team coordination leverages each role’s strengths
  • Actions are prioritized appropriately for organizational impact
  • Learning captured for future incidents

Common Challenges:

  • Hero Ball: One person trying to handle all response activities
  • Tool Fixation: Focusing on familiar tools instead of most effective approaches
  • Coordination Breakdown: Conflicting actions or duplicated efforts

Facilitator Role: Ensure collaborative decision-making, manage resource allocation, adjudicate action outcomes

Action System and Decision Making

Player Actions

Action Allocation

Each player receives 2 actions per round, representing the realistic constraint that incident responders must prioritize their time and attention during crisis situations.

Action Types:

  • Investigation Actions: Gathering information and analyzing evidence
  • Communication Actions: Coordinating with teammates, stakeholders, or external parties
  • Technical Actions: Implementing tools, configuring systems, or deploying countermeasures
  • Strategic Actions: Planning, prioritizing, or coordinating team efforts

Role-Specific Action Examples

🔍 Detective Actions:

  • Analyze system logs for suspicious activity patterns
  • Interview users who reported unusual computer behavior
  • Examine file artifacts for malware signatures or behaviors
  • Correlate timeline of events across multiple data sources

🛡️ Protector Actions:

  • Deploy additional security controls on critical systems
  • Isolate infected workstations from network resources
  • Validate backup integrity and recovery capabilities
  • Implement emergency access restrictions

📡 Tracker Actions:

  • Monitor network traffic for ongoing malicious communication
  • Trace data exfiltration pathways and volumes
  • Identify lateral movement patterns through network logs
  • Block command and control communications

👥 Communicator Actions:

  • Notify executive leadership about incident status
  • Coordinate with affected business units about impact
  • Interface with legal team about regulatory requirements
  • Communicate with users about protective measures

⚡ Crisis Manager Actions:

  • Prioritize response activities across team members
  • Allocate additional resources to critical response efforts
  • Coordinate timeline and dependencies between response actions
  • Interface with external vendors or authorities

🎯 Threat Hunter Actions:

  • Search for additional compromise indicators not yet discovered
  • Investigate potential related threats or attack campaigns
  • Validate effectiveness of implemented security controls
  • Develop threat intelligence for future defense

Collaborative Action Bonuses

Synergy Mechanics

Actions become more effective when team members coordinate their efforts:

Direct Support (+2 bonus):

When one player’s action directly enables or enhances another’s:

  • Detective provides forensic evidence that Protector uses to configure security tools
  • Tracker identifies communication patterns that Threat Hunter investigates further
  • Communicator gathers business requirements that Crisis Manager incorporates into response planning

Team Coordination (+3 bonus):

When multiple players coordinate on a unified objective:

  • All technical roles working together to contain a specific threat vector
  • Entire team collaborating to understand a complex, multi-stage attack
  • Coordinated communication effort to manage organizational and external stakeholders

Perfect Teamwork (Automatic Success):

When the entire team demonstrates clear collaboration and leverages collective expertise:

  • Each role contributes unique, valuable perspective
  • Actions build logically on each other
  • Team demonstrates clear understanding of both technical and business aspects
  • Real-world cybersecurity knowledge drives decision-making

Dice Mechanics and Uncertainty

When to Roll Dice

Not every action requires dice - many successful outcomes emerge from good planning, appropriate expertise, and effective collaboration. Dice are used primarily to:

  • Resolve uncertain outcomes where expertise alone doesn’t guarantee success
  • Add tension and excitement to critical decision points
  • Simulate real-world unpredictability in cybersecurity incidents
  • Encourage creative problem-solving when initial approaches face obstacles

Difficulty Levels

Easy Tasks (Target: 8+)

When: Standard procedures with appropriate tools and expertise

Examples:

  • Running antivirus scans on suspected infected systems
  • Basic network traffic monitoring with established tools
  • Standard backup restoration procedures
  • Routine communication with familiar stakeholders

Success Rate: ~85% for most players, encouraging confidence building

Medium Tasks (Target: 12+)

When: Complex analysis or coordination requiring expertise and some luck

Examples:

  • Advanced malware analysis requiring reverse engineering
  • Coordinating response across multiple business units
  • Implementing novel security controls under time pressure
  • Managing crisis communication with external parties

Success Rate: ~60% for most players, creating meaningful challenge

Hard Tasks (Target: 16+)

When: Cutting-edge techniques, high-stakes decisions, or overcoming significant obstacles

Examples:

  • Developing custom tools to counter sophisticated threats
  • Managing organization-wide crisis with regulatory implications
  • Responding to zero-day exploits with no established procedures
  • Coordinating international incident response efforts

Success Rate: ~35% for most players, requiring exceptional teamwork or expertise

Automatic Success (No Roll Required)

When: Group demonstrates clear expertise and appropriate approach

No dice needed for:

  • Actions clearly within a role’s expertise area with proper knowledge demonstrated
  • Solutions that demonstrate real-world cybersecurity knowledge and best practices
  • Well-coordinated team efforts with logical planning and clear execution steps
  • Creative approaches that directly address threat-specific vulnerabilities
  • Standard procedures executed with appropriate tools and clear understanding
  • Communication actions with familiar stakeholders using established protocols

Examples of Automatic Success:

  • Detective analyzing logs using tools they clearly understand
  • Protector implementing well-known security controls for the specific threat type
  • Team collaboratively developing a response plan that leverages each role’s expertise
  • Communicator providing clear, accurate incident updates to executive leadership

Modifiers and Bonuses

Role Expertise Bonuses

  • +1: Action clearly matches role specialization and player demonstrates relevant knowledge
  • +2: Action leverages specific real-world experience or advanced expertise

Collaboration Bonuses

  • +2: Action directly supports or builds on teammate’s efforts
  • +3: Multiple team members coordinate on unified approach
  • +4: Entire team demonstrates excellent communication and coordination

Type Effectiveness Bonuses

  • +3: Using containment approaches that are super effective against current Malmon type
  • +1: Standard effectiveness approaches
  • -2: Approaches that are not effective against current Malmon type

Environmental Factors

  • +2: Organization has strong security posture that supports the action
  • +1: Standard organizational capabilities
  • -1: Organizational limitations or policy constraints
  • -2: Significant environmental obstacles (budget, politics, technical debt)

Time Pressure Penalties

  • -1: Working under increased time pressure due to threat evolution risk
  • -2: Responding to actively evolving threat with immediate impact
  • -3: Crisis-level response with organization-threatening implications

IM Decision Making: When to Roll vs. Automatic Success

For Incident Masters: Use these guidelines to determine when players should roll dice versus achieving automatic success.

Call for Dice Rolls When:

  • Uncertain Outcomes: Player demonstrates knowledge but success depends on external factors
  • Time Pressure: Standard procedures under crisis conditions with complicating factors
  • Novel Situations: Creative solutions that haven’t been tried before in this context
  • High Stakes: Critical decisions where failure has significant consequences
  • Learning Opportunities: Moments where uncertainty creates valuable discussion

Grant Automatic Success When:

  • Clear Expertise: Player demonstrates specific, relevant cybersecurity knowledge
  • Appropriate Tools: Standard procedures with proper tools and clear understanding
  • Excellent Teamwork: Well-coordinated efforts that leverage multiple roles effectively
  • Type Advantage: Approaches that directly exploit Malmon weaknesses
  • Good Planning: Logical, well-thought-out approaches with clear execution steps

Examples in Practice:

“I’ll check the Windows Event Logs for Process Creation events around the time of the alert” → Automatic Success (specific, appropriate procedure)

“I’ll try to reverse-engineer this unknown malware sample to understand its capabilities” → Medium Roll (expertise required, time pressure, uncertain outcome)

“We’ll coordinate a network isolation while preparing stakeholder communications” → Automatic Success (good teamwork, clear procedures)
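As an added example (not part of the Malware & Monsters rulebook), here is a small Python resolver that applies the difficulty targets and the modifier tables above, including the Incident Master's automatic-success call. The label names are assumptions, and so is the single 20-sided die used for the probability helper, since the page does not name the die.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

# Difficulty targets from the "Difficulty Levels" section.
TARGETS = {"easy": 8, "medium": 12, "hard": 16}

# Modifier tables from "Modifiers and Bonuses". The label names are assumptions;
# the point values are the ones the rules list.
ROLE_EXPERTISE = {"none": 0, "matches_role": 1, "advanced_expertise": 2}
COLLABORATION = {"none": 0, "direct_support": 2, "team_coordination": 3, "whole_team": 4}
TYPE_EFFECTIVENESS = {"super_effective": 3, "standard": 1, "not_effective": -2}
ENVIRONMENT = {"strong_posture": 2, "standard": 1, "limitations": -1, "significant_obstacles": -2}
TIME_PRESSURE = {"none": 0, "evolution_risk": -1, "actively_evolving": -2, "crisis": -3}


@dataclass
class ActionCheck:
    difficulty: str
    role_expertise: str = "none"
    collaboration: str = "none"
    type_effectiveness: str = "standard"
    environment: str = "standard"
    time_pressure: str = "none"
    automatic: bool = False  # IM granted automatic success (clear expertise, good planning, ...)

    def modifier(self) -> int:
        """Sum every applicable modifier; an unknown label raises KeyError so typos surface early."""
        return (ROLE_EXPERTISE[self.role_expertise]
                + COLLABORATION[self.collaboration]
                + TYPE_EFFECTIVENESS[self.type_effectiveness]
                + ENVIRONMENT[self.environment]
                + TIME_PRESSURE[self.time_pressure])

    def target(self) -> int:
        return TARGETS[self.difficulty]

    def resolve(self, roll: Optional[int] = None) -> bool:
        """True on success: automatic success needs no roll, otherwise roll + modifier must meet the target."""
        if self.automatic:
            return True
        if roll is None:
            raise ValueError("this action requires a die roll")
        return roll + self.modifier() >= self.target()

    def success_chance(self, die_sides: int = 20) -> Fraction:
        """Exact success probability on one die with die_sides faces (the die size is an assumption)."""
        if self.automatic:
            return Fraction(1)
        needed = self.target() - self.modifier()
        winning_faces = max(0, min(die_sides, die_sides - needed + 1))
        return Fraction(winning_faces, die_sides)


if __name__ == "__main__":
    # The reverse-engineering example above: medium roll, role matches, evolution risk on the clock.
    check = ActionCheck("medium", role_expertise="matches_role", time_pressure="evolution_risk")
    print(f"modifier {check.modifier():+d}, needs {check.target()}, chance {check.success_chance()}")
```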

Network Security Status Tracking

The Organizational Health Meter

Network Security Status represents your organization’s current cybersecurity posture, starting at 100 and changing based on threat actions and team responses.

Status Categories

Secure (90-100):

  • Threat contained with minimal impact
  • Organization continues normal operations
  • Strong defensive posture maintained
  • Incident serves as learning opportunity

Concerned (75-89):

  • Threat identified but active impact occurring
  • Some operational disruption but manageable
  • Enhanced monitoring and controls needed
  • Clear path to resolution available

Critical (50-74):

  • Significant threat impact on operations
  • Major response effort required
  • Potential for regulatory or customer notification
  • Recovery efforts needed alongside containment

Compromised (25-49):

  • Severe organizational impact
  • Business operations significantly affected
  • Executive leadership involvement required
  • Extensive recovery and improvement efforts needed

Crisis (0-24):

  • Organization-threatening incident
  • Potential for business failure or regulatory action
  • Industry notification and cooperation may be needed
  • Fundamental security improvements required

Status Change Factors

Negative Impacts (Decreasing Status)

  • Malmon Evolution: -10 to -20 points depending on severity
  • Data Exfiltration: -5 to -15 points based on sensitivity and volume
  • System Damage: -5 to -10 points based on criticality
  • Failed Containment: -3 to -8 points based on approach
  • Time Pressure: -3 to -5 points per round without progress

Positive Improvements (Increasing Status)

  • Successful Containment: +10 to +20 points based on effectiveness
  • Early Detection: +5 to +10 points for rapid Malmon identification
  • Effective Coordination: +3 to +8 points for excellent teamwork
  • Type Advantage: +5 points for using super effective approaches
  • Proactive Measures: +3 to +5 points for preventing escalation
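As an added example (not part of the Malware & Monsters rulebook), here is a Python tracker for the Network Security Status meter: it starts at 100, rejects a point swing outside the range the factor tables above allow, clamps the meter to 0..100, and reports the status category after each change. The factor label names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Status bands from "Status Categories": (lower bound, label), checked from the top down.
BANDS = [(90, "Secure"), (75, "Concerned"), (50, "Critical"), (25, "Compromised"), (0, "Crisis")]

# Allowed point swings per factor from "Status Change Factors": (min, max).
# Label names are assumptions; the ranges are the ones the rules list.
FACTORS = {
    "malmon_evolution": (-20, -10),
    "data_exfiltration": (-15, -5),
    "system_damage": (-10, -5),
    "failed_containment": (-8, -3),
    "time_pressure": (-5, -3),
    "successful_containment": (10, 20),
    "early_detection": (5, 10),
    "effective_coordination": (3, 8),
    "type_advantage": (5, 5),
    "proactive_measures": (3, 5),
}


def band_for(status: int) -> str:
    """Map a meter value to its status category."""
    for lower, label in BANDS:
        if status >= lower:
            return label
    raise ValueError("status cannot be below 0")


@dataclass
class SecurityStatus:
    value: int = 100  # every organization starts the session at 100
    log: List[Tuple[str, int, int, str]] = field(default_factory=list)

    def apply(self, factor: str, points: int) -> str:
        """Apply one status change; returns the category after clamping to 0..100."""
        lo, hi = FACTORS[factor]
        if not lo <= points <= hi:
            raise ValueError(f"{factor}: {points} is outside the allowed range {lo}..{hi}")
        self.value = max(0, min(100, self.value + points))
        band = band_for(self.value)
        self.log.append((factor, points, self.value, band))
        return band

    def category(self) -> str:
        return band_for(self.value)


if __name__ == "__main__":
    # Constructed session: an evolution, an exfiltration, then a strong containment.
    meter = SecurityStatus()
    for factor, points in [("malmon_evolution", -15), ("data_exfiltration", -15), ("successful_containment", 20)]:
        print(f"{factor:<24}{points:+4d} -> {meter.value:3d} {meter.apply(factor, points)}")
```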

Status as Learning Tool

Network Security Status isn’t just a score - it’s a learning mechanism that helps teams understand:

  • Impact Assessment: How different threats affect organizational operations
  • Response Effectiveness: Which approaches provide the most protection
  • Coordination Value: How teamwork improves outcomes
  • Time Sensitivity: Why rapid response matters in cybersecurity
  • Business Perspective: How technical decisions affect organizational health

Turn-Based Incident Response

Action Sequence and Timing

Individual Action Phase

Players declare and resolve their actions in role-based order, allowing for natural workflow:

  1. Crisis Manager establishes priorities and resource allocation
  2. Detective and Threat Hunter gather and analyze information
  3. Tracker monitors network and data flow activities
  4. Protector implements technical containment measures
  5. Communicator coordinates stakeholder management and external communication

This sequence mirrors real incident response workflows while ensuring all roles contribute meaningfully.

Collaborative Resolution Phase

After individual actions, the team works together to:

  • Share discoveries and insights from individual investigations
  • Coordinate approach for upcoming actions and decisions
  • Assess progress toward containment and recovery objectives
  • Plan next steps based on current understanding and threat evolution

Managing the Pace

Time Pressure Simulation

Real cybersecurity incidents involve genuine time pressure, which the game simulates through:

  • Round timers that encourage decision-making under pressure
  • Evolution threats that escalate if response is delayed
  • Competing priorities that force teams to make difficult choices
  • Information uncertainty that requires action before complete analysis

Maintaining Engagement

  • Individual contribution: Every player gets meaningful actions every round
  • Varied challenges: Different types of decisions and problems each round
  • Building tension: Difficulty increases as threats evolve or spread
  • Collaborative payoffs: Team coordination produces better outcomes than individual heroics

Status Conditions and Threat Evolution

Malmon Status Conditions

Throughout the session, Malmons can gain various status conditions that affect their behavior and the team’s response options:

Active Conditions

  • Detected: Team knows the Malmon is present but hasn’t contained it
  • Quarantined: Malmon is isolated but still functional within constraints
  • Analyzed: Team understands the Malmon’s capabilities and objectives
  • Tracked: Team can monitor the Malmon’s activities and communications
  • Attributed: Team has connected the Malmon to specific threat actors or campaigns

Containment Conditions

  • Disrupted: Malmon’s primary capabilities have been temporarily disabled
  • Contained: Malmon cannot spread or cause additional damage
  • Neutralized: Malmon has been completely eliminated from the environment
  • Studied: Malmon has been preserved for analysis and intelligence development

Evolution Mechanics

Evolution Triggers

Malmons attempt to evolve when specific conditions are met:

  • Time Pressure: Taking too long in any phase increases evolution risk
  • Failed Containment: Unsuccessful response attempts trigger adaptation
  • Environmental Opportunity: Network vulnerabilities or security gaps enable evolution
  • External Coordination: Contact with threat actor infrastructure triggers upgrades

Evolution Effects

When Malmons evolve, they gain new capabilities:

  • Enhanced Evasion: Increased resistance to detection and analysis
  • Improved Persistence: Better ability to survive containment attempts
  • Extended Reach: Capability to affect additional systems or data
  • New Techniques: Access to different attack methods or objectives
  • Coordination Abilities: Capacity to work with other threats or threat actors

Preventing Evolution

Teams can prevent Malmon evolution through:

  • Rapid Response: Quick identification and containment before evolution triggers
  • Effective Containment: Using approaches that exploit Malmon type weaknesses
  • Environmental Hardening: Addressing vulnerabilities that enable evolution
  • Communication Disruption: Blocking external coordination that triggers upgrades

Mechanics Serve Learning

Remember that all these game mechanics exist to support collaborative cybersecurity learning. When mechanics help create engaging experiences that build real skills, they’re working correctly. When they get in the way of learning or collaboration, don’t hesitate to adapt them to serve your team’s educational objectives.

These game mechanics create the framework for authentic cybersecurity learning experiences while maintaining the engaging, collaborative nature that makes Malware & Monsters effective. In the next chapter, we’ll explore how this framework supports the MalDex Collection system - the community knowledge-building aspect that captures and shares cybersecurity insights across teams and organizations.