⚡ Crisis Manager

Incident Commander

🎭 Archetype

"I coordinate chaos into coordinated response."

💪 Strengths

Resource Allocation: Deploying people and tools effectively
Priority Management: Deciding what's most important right now
Team Coordination: Keeping everyone working toward common goals
Decision Making: Making calls when information is incomplete

🎯 Focus Areas

• Response coordination and resource allocation
• Prioritization and decision making under pressure
• Escalation management and authority interfaces
• Overall incident strategy and planning

🎪 Roleplay Tips

• Think strategically about resource allocation
• Keep the big picture in mind during technical discussions
• Don't hesitate to make decisions with incomplete information
• Focus on coordination rather than doing everything yourself

🎲 Game Modifiers

• +3 Coordination: Team management, resource allocation, priority setting
• +2 Strategic Planning: Incident strategy, decision making
• +1 Escalation Management: Authority interfaces, leadership communication

When You Shine

Your role is active from the moment an incident is declared to the moment it’s formally closed, but you’re most critical at the decision points that no other role can call. The tension point in Round 2 – contain now versus investigate further – is yours to resolve. The team will often be split; someone has to break the deadlock, and that’s you.

In Round 1 your job is to keep the team together and prevent fragmentation – making sure everyone has the same picture, that parallel workstreams don’t contradict each other, and that the most important questions get assigned to the right people. In Round 3 you close the incident out: confirm it’s over, own the post-mortem, and make sure lessons actually get captured rather than disappearing in the debrief.

The failure mode to watch for: getting pulled into the technical investigation. The moment you start doing the forensics yourself, you stop coordinating – and the team loses its anchor. Your value is the view from above. Stay there.

Earning Your Bonuses

  • +3 Coordination:
    • “I call a team sync so everyone has the same picture before we diverge”
    • “I assign Tracker and Detective to work the exfiltration question in parallel”
    • “I set the response priorities for the next 30 minutes”
  • +2 Strategic Planning:
    • “I make the call: we contain now rather than wait for complete forensics”
    • “I decide we need external IR support and escalate”
    • “I establish the decision: rebuild or remediate?”
  • +1 Escalation Management:
    • “I brief the CISO and get authorisation for the emergency change”
    • “I loop in legal before we notify externally”

Questions to Drive the Game

  1. “What do we know, what don’t we know, and what do we need to decide right now?”

    This three-part frame cuts through noise by forcing the team to separate confirmed facts from assumptions – and to identify which open questions actually require a decision versus which ones can wait.

  2. “Are we making progress, or do we need to change approach?”

    Teams under pressure can get stuck in unproductive loops without noticing. Asking this explicitly creates permission to call it and redirect effort to where it will actually move the incident forward.

  3. “What resources do we need that we don’t currently have?”

    Gaps in expertise or tooling don’t resolve themselves. Identifying them early – and deciding whether to escalate, bring in external help, or work around the constraint – is a command decision.

  4. “Is this within our own containment ability, or do we need to escalate?”

    Some incidents exceed internal capability. Recognising this and escalating to an external IR firm or relevant authorities is a strength, not a failure – but it requires the Crisis Manager to make the call before the situation deteriorates further.

  5. “What’s the single most important thing we should be doing in the next 15 minutes?”

    When the team loses focus, this question resets everything. It forces prioritisation and gives people a clear next action at the exact moment the incident feels most overwhelming.

Working With Your Team

  • Detective and Tracker feed you the situation picture – you synthesise it into decisions; pull regular updates from both and reconcile any contradictions before they reach the rest of the team or leadership
  • Protector executes the containment actions you authorise – make sure every major isolation decision has your explicit go-ahead; ad-hoc containment without coordination can break dependencies the team doesn’t know about
  • Communicator handles stakeholders so you can focus on the technical response – but brief them frequently; they can only protect you from external pressure if they know what’s happening and what’s been decided
  • Threat Hunter tells you if the scope is bigger than it looks – which changes your resource decisions entirely; their “this looks like a broader campaign” assessment is the trigger to escalate, expand the team, or revise the containment plan

Interaction frequency across a typical 3-round session:

%%{init: {'theme': 'base', 'themeVariables': {'background': 'transparent', 'edgeLabelBackground': 'transparent', 'lineColor': '#6b7280'}, 'flowchart': {'curve': 'basis'}}}%%
graph LR
    DET(["🔍 Detective"]):::det -->|"70% · summaries"| CRI
    TRK(["📡 Tracker"]):::trk -->|"70% · exfiltration"| CRI
    CRI(["⚡ Crisis Manager"]):::focal <-->|"85% · authorization"| PRO(["🛡️ Protector"]):::pro
    CRI <-->|"85% · strategy"| COM(["📢 Communicator"]):::com
    THR(["🎯 Threat Hunter"]):::thr -->|"65% · scope"| CRI
    classDef focal fill:#e8a020,stroke:#b07010,color:#111,font-weight:bold
    classDef det fill:#2563eb,stroke:#1d4ed8,color:#fff
    classDef pro fill:#16a34a,stroke:#15803d,color:#fff
    classDef trk fill:#0891b2,stroke:#0e7490,color:#fff
    classDef thr fill:#ea580c,stroke:#c2410c,color:#fff
    classDef com fill:#7c3aed,stroke:#6d28d9,color:#fff

Badges

All badges are available to everyone. As Crisis Manager you’ll most naturally contribute to:

  • 🏛️ Governance & Compliance Navigator of Regulatory Requirements – awarded for incident command, risk framework application, compliance coordination, and regulatory reporting; running the complete response from triage to sign-off is the definition of this badge
  • Any badge – a “directed 3+ other players in a coordinated response” criterion appears across every badge; your role fulfils it most naturally, so active coordination in any session advances your badge progress across the board