Quick Reference Guide

Session Structure At-a-Glance

Character Creation

Skills Discovery: Share cybersecurity experience with team
Role Assignment: Collaborative selection based on interests
Character Development: Build personality around chosen role

Round 1: Discovery Phase

Objective: Identify the specific Malmon
Individual Investigation: Each role explores from their perspective
Knowledge Sharing: Team connects clues and builds understanding
Malmon Identification: Determine threat type and characteristics

Round 2: Investigation Phase

Objective: Understand attack scope and impact
Impact Assessment: What systems/data are affected?
Attack Vector Analysis: How did it succeed?
Evolution Assessment: Risk of threat escalation

Round 3: Response Phase

Objective: Coordinate effective containment
Strategy Development: Choose approaches based on Malmon type
Implementation: Execute coordinated response
Resolution: Outcome and lessons learned

Role Quick Reference

🔍 Detective (Cyber Sleuth)

Focus: Finding clues and analyzing evidence
Typical Actions:

Analyze system logs and digital artifacts
Interview users about suspicious activities
Examine file signatures and process behaviors
Build attack timelines and evidence chains

Team Contributions:

Pattern recognition and anomaly detection
Forensic evidence collection and analysis
Timeline construction and attack progression
Connecting disparate clues into coherent picture

🛡️ Protector (Digital Guardian)

Focus: Stopping threats and securing systems
Typical Actions:

Implement security controls and containment measures
Isolate infected systems from network
Deploy backup and recovery procedures
Harden systems against further attacks

Team Contributions:

Technical containment implementation
System damage assessment and recovery
Security control deployment and configuration
Immediate threat mitigation

📡 Tracker (Data Whisperer)

Focus: Monitoring data flows and network behavior
Typical Actions:

Monitor network traffic for anomalies
Trace data exfiltration and communication paths
Identify lateral movement through networks
Block malicious communications

Team Contributions:

Network behavior analysis
Data flow monitoring and protection
Communication pattern recognition
Network-based containment validation

👥 Communicator (People Whisperer)

Focus: Stakeholder management and coordination
Typical Actions:

Interview users about attack vectors
Coordinate with management and external parties
Assess business impact and compliance requirements
Manage crisis communication

Team Contributions:

Stakeholder coordination and communication
Business impact assessment
Regulatory and compliance considerations
User education and awareness

⚡ Crisis Manager (Chaos Wrangler)

Focus: Overall incident coordination and strategy
Typical Actions:

Coordinate team activities and resource allocation
Set priorities and manage timeline
Interface with senior leadership
Plan recovery and business continuity

Team Contributions:

Strategic coordination and planning
Resource allocation and priority setting
Cross-functional team integration
Timeline and dependency management

🎯 Threat Hunter (Pattern Seeker)

Focus: Proactive threat discovery and intelligence
Typical Actions:

Search for hidden threats and persistence mechanisms
Investigate potential related attacks
Develop threat intelligence and attribution
Validate security control effectiveness

Team Contributions:

Proactive threat discovery
Advanced threat analysis and attribution
Intelligence development and sharing
Security control validation and testing

Type Effectiveness Chart

Malmon Type	Super Effective Against	Weak To	Common Examples
Trojan	Defense systems	Detection/Behavioral analysis	GaboonGrabber, FakeBat
Worm	Networks	Isolation/Segmentation	WannaCry, Code Red, Raspberry Robin
Ransomware	Data	Backup systems	LockBit, WannaCry (hybrid)
Rootkit	System integrity	Forensic analysis	Advanced persistence mechanisms
APT	Time/Patience	Intelligence/Threat hunting	Stuxnet, Noodle RAT, Gh0st RAT
Infostealer	Privacy	Encryption/Access controls	Noodle RAT, PoisonIvy

Security Control Effectiveness

Control Type	Super Effective vs	Normal vs	Not Effective vs
Signature Detection	Basic Trojans, Known Worms	Most standard threats	Zero-days, Polymorphic
Network Isolation	Worms, Network propagation	APTs, Infostealers	Air-gap jumping
Backup Systems	Ransomware, Data encryption	Most persistent threats	Data theft (post-exfiltration)
Behavioral Analysis	Trojans, APTs, Evasive threats	Standard attacks	Perfect mimicry
Threat Intelligence	APTs, Nation-state	Organized cybercrime	Novel/amateur threats
Forensic Analysis	Rootkits, System modifications	Advanced threats	Fast-moving Worms

Action System

Actions Per Round

Each player: 2 actions per round
Action types: Investigation, Communication, Technical, Strategic

Dice Mechanics

Easy tasks (8+): Standard procedures with appropriate expertise (~85% success)
Medium tasks (12+): Complex analysis requiring expertise (~60% success)
Hard tasks (16+): Cutting-edge techniques or high stakes (~35% success)
Automatic Success: Clear expertise + appropriate approach

Collaboration Bonuses

Direct Support (+2): Actions that directly enable teammate efforts
Team Coordination (+3): Multiple players working on unified objective
Perfect Teamwork (Auto-Success): Excellent coordination + real expertise

Type Effectiveness Modifiers

Super Effective (+3): Using optimal approaches against Malmon weaknesses
Normal (0): Standard effectiveness
Not Effective (-2): Poor match between approach and threat type

Network Security Status

Status Levels

Secure (90-100): Minimal impact, normal operations continue
Concerned (75-89): Active threat but manageable response
Critical (50-74): Significant impact requiring major response
Compromised (25-49): Severe impact affecting business operations
Crisis (0-24): Organization-threatening incident

Status Changes

Decreases:

Malmon evolution (-10 to -20)
Data theft (-5 to -15)
Failed containment (-3 to -8)

Increases:

Successful containment (+10 to +20)
Early detection (+5 to +10)
Team coordination (+3 to +8)

Common Malmon Abilities

Universal Abilities

Perfect Mimicry: Appears identical to legitimate software
Rapid Propagation: Spreads quickly through vulnerabilities
Deep Persistence: Maintains access through restarts
Behavioral Camouflage: Blends with normal activity
Fileless Deployment: Operates entirely in memory
Multi-Payload Delivery: Deploys additional threats
Zero-Day Arsenal: Uses unknown vulnerabilities
Command Center Coordination: Controls other malware

Evolution Triggers

Time Pressure: Taking too long in any phase
Failed Containment: Unsuccessful response attempts
Environmental Opportunity: Network vulnerabilities or gaps
External Communication: Contact with threat actor infrastructure

Emergency Phrases for Teams

When Stuck

“What would we try if we had unlimited resources?”
“What’s our gut instinct about this situation?”
“What would this look like from [different role] perspective?”
“What’s the worst-case scenario if we’re wrong?”

For Coordination

“How do our findings connect together?”
“What’s our priority - speed or thoroughness?”
“Who has experience with this type of situation?”
“What could go wrong with this approach?”

For Learning

“What surprised us about this Malmon’s behavior?”
“Which techniques worked better than expected?”
“What would we do differently next time?”
“What can we share with other teams?”

Session Troubleshooting

If One Person Dominates

Redirect: “That’s helpful - let’s hear other perspectives”
Build on input: “Can someone add to what [Name] shared?”
Role-specific questions: “What questions would [Role] ask about this?”

If Energy Drops

Raise stakes: “What’s the worst-case scenario here?”
Create urgency: “What happens if we’re too slow?”
Personal investment: “Who would be affected if this succeeds?”

If Team Gets Too Technical

Broader perspective: “How does this connect to our overall objective?”
Role diversity: “What would worry the Communicator about this approach?”
Time management: “We have X minutes - what’s our priority?”

If Confused About Mechanics

Focus on story: “What would realistically happen in this situation?”
Use expertise: “Based on your experience, what makes sense here?”
Collaborative decision: “What does the team think is most logical?”

Character Development Prompts

For All Roles

What’s your character’s biggest professional fear?
How long have you worked in cybersecurity?
What motivates you to protect this organization?
What’s one quirk about how you approach problems?

Role-Specific Prompts

Detective: “What pattern or detail do others always miss?”
Protector: “What system do you consider ‘your baby’?”
Tracker: “How do you visualize network traffic in your mind?”
Communicator: “What’s your go-to analogy for explaining cybersecurity?”
Crisis Manager: “How do you organize chaos in your head?”
Threat Hunter: “What assumption do you always question first?”

Post-Session Reflection Questions

For Individuals

What’s one thing that surprised you during this session?
Which role perspective taught you something new?
What technique or approach could you use in real work?
How did your character’s perspective shape your decisions?

For Teams

What was our most effective moment of coordination?
Which discovery or insight was most valuable?
What would we do differently if we faced this Malmon again?
How can we apply these lessons to our actual work?

For MalDex Documentation

What surprised us most about this Malmon’s behavior?
Which response techniques worked better than expected?
What insights could help other teams facing similar threats?
What key lesson should other teams know about this experience?