🛡️ Protector
🎭 Archetype
💪 Strengths
• Security Architecture: Understanding defensive systems
• Threat Containment: Stopping attacks in progress
• Access Control: Managing permissions and restrictions
• Incident Isolation: Preventing spread of compromise
🎯 Focus Areas
• Network segmentation and isolation
• Security tool configuration and deployment
• Backup systems and recovery procedures
• Access control and privilege management
🎪 Roleplay Tips
• Think defensively: 'How do we stop this now?'
• Consider business continuity in every decision
• Be protective of critical assets
• Focus on immediate containment before analysis
🎲 Game Modifiers
When You Shine
Round 2 is your moment – when the team has established scope and the question shifts from “what happened?” to “how do we stop it?”, you take the lead. Containment strategy, isolation decisions, access revocations – these are your calls to drive. Round 3 (Recovery) keeps you busy too: rebuild-versus-remediate decisions, system hardening, and confirming the environment is clean before anyone restores services.
During Round 1 you’re listening and preparing. Use the time while Detective and Tracker gather information to map the blast radius: what can the compromised system reach, what backups exist, what emergency change procedures are available. When scope is confirmed you need to act fast, and that preparation makes the difference.
The pressure to watch for: the business wants systems back online immediately. Hold that line. Restoring too soon risks reinfection, and it can destroy forensic evidence that’s still needed for the post-incident review. Your job is to be the person in the room who makes sure recovery is done right, not just fast.
Earning Your Bonuses
- +3 Containment:
  - “I isolate the affected machines from the network segment”
  - “I revoke the compromised account’s access tokens immediately”
  - “I enable enhanced logging on all adjacent systems”
- +2 Security Architecture:
  - “I review our network segmentation – what can the attacker reach from here?”
  - “I identify which security controls were bypassed and how we close that gap”
- +1 Business Continuity:
  - “I confirm our backups are clean and identify the last known-good restore point”
  - “I estimate recovery time for rebuild versus remediate so we can make an informed decision”
Questions to Drive the Game
“What network access does the compromised system have – what can the attacker reach from here?”
Blast radius is the first thing to establish. Until you know what the compromised system can communicate with, you don’t know what else is at risk or where to draw the containment boundary.
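Mapping the blast radius during Round 1 (and answering the “what can the attacker reach from here?” question above) is a reachability problem over the segmentation policy. The following is an added example, not part of the game material or any real tool: it walks a constructed allow-list policy transitively from the compromised host’s segment and lists the rules that would cut every first-hop path. Segment names, host placement and rules are all constructed for illustration.

```python
"""Blast-radius estimate from a network segmentation policy.

Added example for the Protector role; not part of the original material.
The policy format, segment names and host placement are constructed.
"""
from collections import deque

# Constructed sample: which segment each host sits in.
HOST_SEGMENT = {
    "ws-042": "user-workstations",
    "fs-01": "file-servers",
    "dc-01": "identity",
    "bk-01": "backup",
    "plc-07": "ot-floor",
    "app-03": "app-tier",
}

# Constructed sample policy: (source segment, destination segment, allowed ports).
# Anything not listed is denied.
ALLOW_RULES = [
    ("user-workstations", "file-servers", {445}),
    ("user-workstations", "identity", {88, 389, 445}),
    ("user-workstations", "app-tier", {443}),
    ("app-tier", "file-servers", {445}),
    ("app-tier", "identity", {88, 389}),
    ("file-servers", "backup", {9443}),      # backup agent traffic
    ("backup", "file-servers", {445}),       # restore path
    ("it-jump", "ot-floor", {22}),           # OT only via jump host
]


def reachable_segments(start_segment, rules):
    """Return {segment: hops} for every segment reachable from start_segment
    by following allow rules transitively (worst-case pivot reach)."""
    adjacency = {}
    for src, dst, _ports in rules:
        adjacency.setdefault(src, set()).add(dst)
    hops = {start_segment: 0}
    queue = deque([start_segment])
    while queue:
        seg = queue.popleft()
        for nxt in adjacency.get(seg, ()):
            if nxt not in hops:
                hops[nxt] = hops[seg] + 1
                queue.append(nxt)
    return hops


def blast_radius(host, rules=ALLOW_RULES, host_segment=HOST_SEGMENT):
    """Segments (and the hosts in them) a compromised host could reach,
    ordered by hop count so the nearest exposure is listed first."""
    hops = reachable_segments(host_segment[host], rules)
    hosts_by_segment = {}
    for h, s in host_segment.items():
        hosts_by_segment.setdefault(s, []).append(h)
    return {
        s: {"hops": n, "hosts": sorted(hosts_by_segment.get(s, []))}
        for s, n in sorted(hops.items(), key=lambda kv: kv[1])
    }


def containment_candidates(host, rules=ALLOW_RULES, host_segment=HOST_SEGMENT):
    """Allow rules whose source is the compromised host's own segment: the
    minimal set to suspend for first-hop containment of that segment."""
    seg = host_segment[host]
    return [r for r in rules if r[0] == seg]


if __name__ == "__main__":
    for seg, info in blast_radius("ws-042").items():
        print(f"{info['hops']} hop(s): {seg} -> {info['hosts']}")
    print("rules to suspend:", containment_candidates("ws-042"))
```

Run against the constructed policy, a compromised workstation reaches the backup segment in two hops via the file servers, while the OT floor stays out of reach; that second-hop exposure is exactly why the backup question below matters before any restore is attempted.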
“Are our backups isolated from the affected segment and confirmed clean?”
Ransomware specifically targets backup systems. If backups are compromised, the recovery calculus changes entirely – you may be looking at a rebuild from scratch rather than a restore.
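Confirming backups are clean and picking the last known-good restore point is a filtering step over the backup catalogue. This added example, not from the game or any backup product, encodes the three checks the question above implies: the snapshot predates the earliest compromise indicator (minus a dwell-time margin), it was stored where the affected segment could not reach it, and its integrity hash still matches what was recorded at backup time. Snapshot records, hashes and the compromise timestamp are constructed.

```python
"""Last-known-good restore point selection.

Added example for the Protector role; not part of the original material.
Snapshot records and the compromise time are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    taken_at: datetime
    immutable: bool         # write-once or offline storage, unreachable from the affected segment
    catalog_sha256: str     # hash recorded when the backup was written
    verified_sha256: str    # hash recomputed now from the stored copy
    restore_tested: bool    # a test restore has succeeded from this snapshot


UTC = timezone.utc
# Constructed: earliest indicator of compromise found by Detective/Tracker.
COMPROMISE_AT = datetime(2024, 5, 10, 14, 0, tzinfo=UTC)

# Constructed catalogue; hashes are placeholders, not real digests.
SNAPSHOTS = [
    Snapshot("snap-0511", datetime(2024, 5, 11, 2, 0, tzinfo=UTC), True, "aaaa", "aaaa", True),
    Snapshot("snap-0510", datetime(2024, 5, 10, 2, 0, tzinfo=UTC), False, "bbbb", "bbbb", True),
    Snapshot("snap-0509", datetime(2024, 5, 9, 2, 0, tzinfo=UTC), True, "cccc", "c0rrupt", True),
    Snapshot("snap-0508", datetime(2024, 5, 8, 2, 0, tzinfo=UTC), True, "dddd", "dddd", True),
    Snapshot("snap-0507", datetime(2024, 5, 7, 2, 0, tzinfo=UTC), True, "eeee", "eeee", False),
]


def reject_reason(snap, compromise_at, margin=timedelta(0)):
    """Return None if the snapshot is an acceptable restore candidate,
    otherwise a short reason suitable for the incident log."""
    cutoff = compromise_at - margin
    if snap.taken_at >= cutoff:
        return "taken after compromise cutoff (may contain attacker changes)"
    if not snap.immutable:
        return "stored where the affected segment could reach it"
    if snap.catalog_sha256 != snap.verified_sha256:
        return "integrity check failed (hash mismatch)"
    return None


def assess(snaps, compromise_at, margin=timedelta(0)):
    """Map every snapshot id to 'ok' or its rejection reason."""
    return {s.snapshot_id: reject_reason(s, compromise_at, margin) or "ok" for s in snaps}


def last_known_good(snaps, compromise_at, margin=timedelta(0)):
    """Most recent acceptable snapshot, or None if nothing qualifies
    (the 'rebuild from scratch' case)."""
    ok = [s for s in snaps if reject_reason(s, compromise_at, margin) is None]
    return max(ok, key=lambda s: s.taken_at) if ok else None


def data_loss_window(snap, compromise_at):
    """Hours of data between the chosen restore point and the compromise."""
    return (compromise_at - snap.taken_at).total_seconds() / 3600


if __name__ == "__main__":
    for sid, verdict in assess(SNAPSHOTS, COMPROMISE_AT).items():
        print(f"{sid}: {verdict}")
    pick = last_known_good(SNAPSHOTS, COMPROMISE_AT)
    print("restore point:", pick.snapshot_id, "loss window (h):", data_loss_window(pick, COMPROMISE_AT))
```

The margin parameter is the lever to argue about at the table: with no margin the 8 May snapshot is the pick, but if the team believes the attacker was present for days before the first indicator, widening the margin pushes the restore point back to 7 May, which has never been restore-tested. That trade-off is the “rebuild versus remediate” estimate the bonus criteria ask for.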
“What’s the blast radius if we don’t contain right now?”
Asking this out loud forces the team to confront the cost of waiting for more information. Sometimes the answer justifies aggressive action before scope is fully confirmed.
“Which systems are most critical to protect first?”
Containment sequencing matters – protecting the crown jewels before you have full scope means you’re prioritising the right things even when the picture is still incomplete.
“Do we have an emergency change process for immediate isolation?”
Real organisations have change management constraints. Knowing the emergency bypass procedure in advance means you can act within governance rather than around it – which matters enormously post-incident.
Working With Your Team
- Detective defines the scope; don’t isolate before you know what you’re containing – premature isolation can destroy forensic evidence and leave the team blind to the full extent of the compromise
- Tracker tells you which network paths the attacker used – you block them; their infrastructure map is your targeting list for firewall rules, ACL changes, and account revocations
- Crisis Manager coordinates your containment actions with the business decisions – check in before major isolation actions so they can manage stakeholder expectations and authorise emergency changes in parallel
- Communicator needs your containment status to explain impact to leadership – give them clear, timely updates: which systems are isolated, which services are affected, and what the recovery timeline looks like
Interaction frequency across a typical 3-round session:
```mermaid
%%{init: {'theme': 'base', 'themeVariables': {'background': 'transparent', 'edgeLabelBackground': 'transparent', 'lineColor': '#6b7280'}, 'flowchart': {'curve': 'basis'}}}%%
graph LR
DET(["🔍 Detective"]):::det -->|"80% · scope"| PRO
TRK(["📡 Tracker"]):::trk -->|"65% · network paths"| PRO
PRO(["🛡️ Protector"]):::focal <-->|"85% · authorization"| CRI(["⚡ Crisis Manager"]):::cri
PRO -->|"55% · status"| COM(["📢 Communicator"]):::com
THR(["🎯 Threat Hunter"]):::thr -.->|"35% · eradication"| PRO
classDef focal fill:#e8a020,stroke:#b07010,color:#111,font-weight:bold
classDef det fill:#2563eb,stroke:#1d4ed8,color:#fff
classDef trk fill:#0891b2,stroke:#0e7490,color:#fff
classDef cri fill:#dc2626,stroke:#b91c1c,color:#fff
classDef thr fill:#ea580c,stroke:#c2410c,color:#fff
classDef com fill:#7c3aed,stroke:#6d28d9,color:#fff
```
Badges
All badges are available to everyone. As Protector you’ll most naturally contribute to:
- 💻 Endpoint Security Protector of Digital Workstations – awarded for malware containment, system recovery, and hardening; your containment decisions and post-incident configuration work are the heart of this badge
- 🗄️ Data Protection Guardian of Digital Assets – awarded for backup strategy, access controls, and breach response; your backup verification and clean restore-point identification map directly to the criteria
- 🏭 Critical Infrastructure Security Protector of Essential Systems – awarded for IT/OT isolation, operational continuity, and ICS/SCADA awareness; your ability to contain without disrupting essential processes is exactly what this badge tests