Role Cards Reference
This appendix provides quick reference cards for all six incident response roles. Use these during gameplay for easy access to role strengths, focus areas, and roleplay guidance.
Role Cards Grid
Detective
Archetype
💪 Strengths
• Pattern Recognition: Spotting anomalies in logs and behavior
• Evidence Analysis: Connecting clues into attack timelines
• Digital Forensics: Understanding attack artifacts
• Timeline Construction: Building accurate chronologies
🎯 Focus Areas
• System logs and process executions
• Attack vector analysis and entry points
• Evidence preservation and IoC development
• Attack attribution and technique identification
🎪 Roleplay Tips
• Be curious about details others might skip
• Ask 'what does this remind you of?' when examining evidence
• Share your thought process: 'This pattern suggests...'
• Connect current findings to previous experiences
🎲 Game Modifiers
Protector
Archetype
💪 Strengths
• Security Architecture: Understanding defensive systems
• Threat Containment: Stopping attacks in progress
• Access Control: Managing permissions and restrictions
• Incident Isolation: Preventing spread of compromise
🎯 Focus Areas
• Network segmentation and isolation
• Security tool configuration and deployment
• Backup systems and recovery procedures
• Access control and privilege management
🎪 Roleplay Tips
• Think defensively: 'How do we stop this now?'
• Consider business continuity in every decision
• Be protective of critical assets
• Focus on immediate containment before analysis
🎲 Game Modifiers
Tracker
Archetype
💪 Strengths
• Network Analysis: Understanding traffic patterns and flows
• Data Flow Tracking: Following information through systems
• Communication Monitoring: Detecting C2 and exfiltration
• Infrastructure Mapping: Understanding network relationships
🎯 Focus Areas
• Network traffic and communication patterns
• Data exfiltration and C2 channels
• Lateral movement detection
• Infrastructure and connection analysis
🎪 Roleplay Tips
• Think in terms of flows and connections
• Ask 'where is this data going?' and 'what is calling home?'
• Visualize the network in your explanations
• Focus on movement and communication patterns
🎲 Game Modifiers
Communicator
Archetype
💪 Strengths
• Stakeholder Management: Coordinating with leadership and teams
• Crisis Communication: Clear messaging during high-stress situations
• Regulatory Compliance: Understanding notification requirements
• Risk Translation: Explaining technical impacts in business terms
🎯 Focus Areas
• Executive and management communication
• User and employee notifications
• External vendor and partner coordination
• Regulatory and legal compliance communication
🎪 Roleplay Tips
• Always consider 'who needs to know?' about developments
• Translate technical details into business impact
• Think about timing and messaging of communications
• Balance transparency with operational security
🎲 Game Modifiers
Crisis Manager
Archetype
💪 Strengths
• Resource Allocation: Deploying people and tools effectively
• Priority Management: Deciding what's most important right now
• Team Coordination: Keeping everyone working toward common goals
• Decision Making: Making calls when information is incomplete
🎯 Focus Areas
• Response coordination and resource allocation
• Prioritization and decision making under pressure
• Escalation management and authority interfaces
• Overall incident strategy and planning
🎪 Roleplay Tips
• Think strategically about resource allocation
• Keep the big picture in mind during technical discussions
• Don't hesitate to make decisions with incomplete information
• Focus on coordination rather than doing everything yourself
🎲 Game Modifiers
Threat Hunter
Archetype
💪 Strengths
• Advanced Detection: Finding sophisticated and hidden threats
• Attack Prediction: Anticipating threat behavior and evolution
• Intelligence Analysis: Using threat intelligence effectively
• Proactive Defense: Stopping attacks before they cause damage
🎯 Focus Areas
• Hidden threat detection and hunting
• Threat intelligence and attribution analysis
• Attack prediction and evolution assessment
• Advanced persistent threat investigation
🎪 Roleplay Tips
• Think beyond the immediate threat: 'What else might be here?'
• Use threat intelligence to predict attacker next moves
• Be proactive: look for what hasn't been found yet
• Consider the broader campaign beyond this incident
🎲 Game Modifiers
Quick Reference Summary
Role Strengths at a Glance
- 🔍 Detective: Pattern recognition, evidence analysis, timeline construction
- 🛡️ Protector: Containment, security architecture, business continuity
- 📡 Tracker: Network analysis, data flow tracking, infrastructure mapping
- 📢 Communicator: Stakeholder management, crisis communication, compliance
- ⚡ Crisis Manager: Coordination, strategic planning, resource allocation
- 🎯 Threat Hunter: Advanced detection, intelligence analysis, attack prediction
Team Composition Guidelines
For 4-Player Teams:
- Essential Core: Detective, Protector, Communicator, Crisis Manager
For 5-Player Teams:
- Add: Tracker (for network-heavy scenarios) or Threat Hunter (for APT scenarios)
For 6-Player Teams:
- Full team: All roles represented for comprehensive coverage
Role Modifier Quick Reference
Each role provides specific bonuses when actions match their expertise:
- +3 bonus: Primary specialization area
- +2 bonus: Secondary strength area
- +1 bonus: Supporting skill area
Use these modifiers when players demonstrate relevant knowledge and choose approaches that leverage their role's strengths.