🔍 Detective

Cyber Sleuth

🎭 Archetype

"I see patterns others miss. Every attack tells a story."

💪 Strengths

• Pattern Recognition: Spotting anomalies in logs and behavior
• Evidence Analysis: Connecting clues into attack timelines
• Digital Forensics: Understanding attack artifacts
• Timeline Construction: Building accurate chronologies

🎯 Focus Areas

• System logs and process executions
• Attack vector analysis and entry points
• Evidence preservation and IoC development
• Attack attribution and technique identification

🎪 Roleplay Tips

• Be curious about details others might skip
• Ask 'what does this remind you of?' when examining evidence
• Share your thought process: 'This pattern suggests...'
• Connect current findings to previous experiences

🎲 Game Modifiers

• +3 Forensic Analysis: Log analysis, timeline construction, evidence correlation
• +2 Pattern Recognition: Identifying anomalies, connecting disparate clues
• +1 Documentation: Creating detailed incident records, IoC development

When You Shine

Round 1 (Detection & Analysis) is your prime time – you’re the one pulling logs, building timelines, and turning scattered alerts into a coherent picture of what actually happened. Round 3 (Post-Incident) calls on you again: the debrief and lessons-learned are built on your documentation. During Round 2 (Containment) you step back – that’s the Protector’s moment – but stay engaged because containment targets can shift as new evidence emerges.

The risk to watch for: the team wants to act before you’ve finished. Hold the line. A containment action based on incomplete scope can destroy evidence, miss persistence mechanisms, or isolate the wrong system entirely. Your job is to make sure the team knows exactly what they’re dealing with before anyone pulls a plug.

Earning Your Bonuses

  • +3 Forensic Analysis:
    • “I examine the event logs for the 90-minute window before the alert fired”
    • “I build an attack timeline from the artifacts we’ve collected”
    • “I correlate the log entries to find Patient Zero”
  • +2 Pattern Recognition:
    • “I compare these registry changes to known malware persistence patterns”
    • “I notice the process spawning chain is unusual – this doesn’t match normal behaviour”
    • “I spot the anomaly in the authentication log”
  • +1 Documentation:
    • “I compile the IoC list from our findings so the team can use them”
    • “I write up the confirmed attack vector for the post-incident report”

Questions to Drive the Game

  1. “What does the process execution history look like on the affected machine?”

    Process execution logs reveal parent-child relationships that expose what ran, when, and what spawned it – this is usually where the initial payload execution and any anomalous behaviour first become visible.

  2. “Are there scheduled tasks or registry run keys I can examine?”

    Persistence is the attacker’s insurance policy. Before the team takes containment action, you want to know whether the threat has already planted a way back in.

  3. “What’s the earliest sign of compromise in the logs – can we find Patient Zero?”

    Working backwards from the alert to the origin defines the true scope. Without this anchor, containment is guesswork and the team may miss the actual entry point entirely.

  4. “Do these indicators match anything in our threat intelligence?”

    Known signatures mean known TTPs – and known TTPs mean you can predict the next stage of the attack rather than react to it after it happens.

  5. “What artefacts did the attacker leave behind that I can preserve?”

    Artefact preservation is time-sensitive. Memory contents, temporary files, and volatile log entries disappear the moment someone reboots – get to them before the Protector acts.
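As an added example (not part of this character card or the game's own materials), a small Python script that works questions 1 and 3 above on constructed log lines: it parses process-start records, flags the earliest document-app-to-interpreter spawn as Patient Zero, and walks the spawn chain forward into a timeline for the incident record. The hosts, PIDs, times and the DOCUMENT_APPS/INTERPRETERS lists are assumptions chosen for illustration.

```python
from __future__ import annotations
from datetime import datetime
from typing import NamedTuple

# Constructed sample process-start log (hypothetical hosts, PIDs and times; not a real incident).
SAMPLE_LOG = """\
2024-03-04T10:01:45Z host=WS-17 pid=4410 ppid=3120 image=winword.exe
2024-03-04T10:02:07Z host=WS-17 pid=4472 ppid=4410 image=powershell.exe
2024-03-04T10:02:09Z host=WS-17 pid=4490 ppid=4472 image=rundll32.exe
2024-03-04T10:15:30Z host=WS-22 pid=2211 ppid=604 image=svchost.exe
2024-03-04T10:40:02Z host=WS-22 pid=2290 ppid=2211 image=powershell.exe
"""
# Assumed lists: document handlers that should not normally launch script interpreters or rundll32.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
Event = NamedTuple("Event", [("ts", datetime), ("host", str), ("pid", int), ("ppid", int), ("image", str)])

def parse_events(text: str) -> list[Event]:
    # Parse key=value process-start records into Events, oldest first.
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), kv["host"],
                            int(kv["pid"]), int(kv["ppid"]), kv["image"].lower()))
    return sorted(events, key=lambda e: e.ts)

def parent_image(events: list[Event], ev: Event) -> str:
    # Image of ev's parent on the same host; 'unknown' when the parent predates the log window.
    return next((p.image for p in events if p.host == ev.host and p.pid == ev.ppid), "unknown")

def find_patient_zero(events: list[Event]) -> Event | None:
    # Earliest event where a document app spawns an interpreter: the first sign of compromise.
    return next((e for e in events if e.image in INTERPRETERS
                 and parent_image(events, e) in DOCUMENT_APPS), None)

def spawn_chain(events: list[Event], root: Event) -> list[Event]:
    # root plus every process descended from it on the same host, in time order.
    chain, pids = [], {root.pid}
    for ev in events:  # time-sorted, so a parent is always seen before its children
        if ev.host == root.host and (ev.pid in pids or ev.ppid in pids):
            pids.add(ev.pid)
            chain.append(ev)
    return chain

def attack_timeline(text: str) -> list[str]:
    # One line per event in the flagged chain; empty when no document-app spawn is found.
    events = parse_events(text)
    zero = find_patient_zero(events)
    chain = spawn_chain(events, zero) if zero is not None else []
    return [f"{e.ts:%H:%M:%S} {e.host} {parent_image(events, e)} -> {e.image} (pid {e.pid})"
            for e in chain]
```

The svchost.exe -> powershell.exe pair on WS-22 is deliberately left unflagged: the rule keys on the parent being a document handler, so routine service-spawned shells stay out of the timeline.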

Working With Your Team

  • Tracker brings you network data; you interpret what it means for the attack narrative – C2 beacons, exfiltration windows, and lateral movement timestamps all slot into your timeline and reveal the full attack path
  • Protector needs your timeline before isolating – contain the wrong thing and you lose evidence; hand them a clear scope statement before they act so they know exactly what to target
  • Threat Hunter validates whether your findings are part of a broader campaign – share your IoCs proactively so they can pivot before the team commits to a remediation path
  • Crisis Manager depends on your summaries to make decisions under pressure – keep updates brief and actionable: what’s confirmed, what’s suspected, what’s still unknown

Interaction frequency across a typical 3-round session:

%%{init: {'theme': 'base', 'themeVariables': {'background': 'transparent', 'edgeLabelBackground': 'transparent', 'lineColor': '#6b7280'}, 'flowchart': {'curve': 'basis'}}}%%
graph LR
    TRK(["📡 Tracker"]):::trk -->|"75% · network data"| DET
    DET(["🔍 Detective"]):::focal -->|"80% · timeline"| PRO(["🛡️ Protector"]):::pro
    DET -->|"70% · summaries"| CRI(["⚡ Crisis Manager"]):::cri
    DET <-->|"55% · findings"| THR(["🎯 Threat Hunter"]):::thr
    DET -.->|"40% · facts"| COM(["📢 Communicator"]):::com
    classDef focal fill:#e8a020,stroke:#b07010,color:#111,font-weight:bold
    classDef pro fill:#16a34a,stroke:#15803d,color:#fff
    classDef trk fill:#0891b2,stroke:#0e7490,color:#fff
    classDef cri fill:#dc2626,stroke:#b91c1c,color:#fff
    classDef thr fill:#ea580c,stroke:#c2410c,color:#fff
    classDef com fill:#7c3aed,stroke:#6d28d9,color:#fff

Badges

All badges are available to everyone. As Detective you’ll most naturally contribute to:

  • 🌐 Network Security Guardian of Digital Highways – awarded for traffic analysis, protocol exploitation identification, and network threat documentation; your log correlation and IoC development feed directly into the technical proficiency criteria
  • 💻 Endpoint Security Protector of Digital Workstations – awarded for behavioural analysis, artefact examination, and timeline construction; every attack timeline you build and every persistence mechanism you uncover advances this badge