📡 Tracker

Network Analyst

🎭 Archetype

"I follow the digital breadcrumbs wherever they lead."

💪 Strengths

Network Analysis: Understanding traffic patterns and flows
Data Flow Tracking: Following information through systems
Communication Monitoring: Detecting C2 and exfiltration
Infrastructure Mapping: Understanding network relationships

🎯 Focus Areas

• Network traffic and communication patterns
• Data exfiltration and C2 channels
• Lateral movement detection
• Infrastructure and connection analysis

🎪 Roleplay Tips

• Think in terms of flows and connections
• Ask 'where is this data going?' and 'what is calling home?'
• Visualize the network in your explanations
• Focus on movement and communication patterns

🎲 Game Modifiers

🎲 +3 Network Analysis: traffic monitoring, flow analysis, connection tracking
🎲 +2 Data Tracking: exfiltration detection, data flow mapping
🎲 +1 Infrastructure Mapping: network topology, system relationships

When You Shine

Round 1 and Round 2 are your prime time. In Round 1 you’re tracing the network fingerprint of the attack: where did it originate, what is it connecting to, where is it spreading. In Round 2 your exfiltration assessment becomes decisive – the breach determination hinges on whether data actually left the building, and only you can answer that.

You’re also the role most likely to catch things that weren’t in the initial alert scope. Lateral movement, unexpected east-west traffic, beaconing to infrastructure that nobody was watching – these don’t appear in endpoint logs, which means they don’t exist until you surface them. Round 3 then uses your network evidence to close out the timeline and verify that post-containment traffic is clean.

The temptation to avoid: getting absorbed in packet-level detail when the team needs directional answers. Know when to report what you’ve found versus continuing to dig. A confident “no evidence of exfiltration” delivered at the right moment is worth more than an exhaustive analysis delivered too late.

Earning Your Bonuses

  • +3 Network Analysis:
    • “I pull the firewall logs and look for outbound connections to unusual IPs”
    • “I analyse traffic volume to spot data staging behaviour”
    • “I map which internal systems are communicating unexpectedly with each other”
  • +2 Data Tracking:
    • “I check DNS query logs for signs of C2 beaconing”
    • “I look for large outbound transfers in the last 24 hours”
    • “I determine whether any data actually left the network”
  • +1 Infrastructure Mapping:
    • “I document the network path the attacker took through our systems”
    • “I map everything the compromised host can reach”

Questions to Drive the Game

  1. “What outbound connections has this machine made in the last 24 hours?”

    Unusual outbound connections typically reveal the C2 channel or data staging activity – this is usually the fastest path to confirming active compromise beyond the initial alert.

  2. “Are there DNS requests to unusual or newly registered domains?”

    C2 traffic frequently hides in DNS. Algorithmically generated domain names and newly registered domains are a strong signal of automated beaconing.

  3. “Can I see the firewall logs for east-west traffic between internal segments?”

    Lateral movement shows up in east-west traffic, not just north-south. If the attacker has pivoted to other internal systems, this is where it becomes visible.

  4. “Is there evidence of data staging or unusually large outbound transfers?”

    Data staging – collecting files to a single location before exfiltration – often shows up as anomalous internal traffic before the final transfer. Catching it at the staging stage is far better than confirming it after data has left.

  5. “What does the network topology look like between the affected systems and our crown jewels?”

    The Protector needs this answer to sequence their containment decisions. You can give it – map the reachable path between the compromise and the highest-value targets before isolation begins.
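The five questions above, and the bonus actions listed under Earning Your Bonuses, reduce to a handful of checks over firewall and DNS logs: repeated outbound connections at a fixed cadence (beaconing), machine-looking domain names, one internal host fanning out to many others (east-west), and single large outbound transfers. The following is an added example, not part of the original role card or the game's own material, that runs those checks in Python over constructed log lines. The log field layout, the internal address ranges, the thresholds and the sample addresses and domains are all assumptions made for the example.

```python
"""Added example (not from the original role card): Tracker-style detection
checks over constructed firewall and DNS log lines."""
import ipaddress
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed internal address space (RFC 1918); anything else counts as outbound.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log, assumed layout: "timestamp src dst dst_port bytes_out"
FIREWALL_LOG = """\
2024-05-01T09:00:00 10.0.1.15 203.0.113.9 443 1200
2024-05-01T09:01:00 10.0.1.20 93.184.216.34 443 4000
2024-05-01T09:02:13 10.0.1.15 10.0.2.40 445 80000
2024-05-01T09:03:40 10.0.1.15 10.0.2.41 445 75000
2024-05-01T09:04:02 10.0.1.15 10.0.2.42 445 82000
2024-05-01T09:05:00 10.0.1.15 203.0.113.9 443 1180
2024-05-01T09:10:00 10.0.1.15 203.0.113.9 443 1210
2024-05-01T09:15:00 10.0.1.15 203.0.113.9 443 1195
2024-05-01T09:20:00 10.0.1.15 203.0.113.9 443 1205
2024-05-01T11:30:00 10.0.2.40 198.51.100.77 443 900000000
"""

# Constructed DNS log, assumed layout: "timestamp client qname rcode"
DNS_LOG = """\
2024-05-01T09:00:01 10.0.1.15 xk3jq9v0tz8hw2p.com NXDOMAIN
2024-05-01T09:00:30 10.0.1.20 www.example.com NOERROR
2024-05-01T09:01:00 10.0.1.20 updates.example.org NOERROR
2024-05-01T09:05:01 10.0.1.15 q7zr2m8nb4kx1vd.net NXDOMAIN
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_firewall(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "port": int(port), "bytes": int(nbytes)})
    return rows


def beaconing_candidates(rows, min_conns=4, max_jitter=0.2):
    """Q1: outbound (src, dst) pairs contacted repeatedly at a near-constant interval.
    Jitter is the coefficient of variation of the inter-connection gaps."""
    by_pair = defaultdict(list)
    for r in rows:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "interval_s": round(mean)})
    return findings


def east_west_fanout(rows, min_hosts=3):
    """Q3: internal sources reaching unusually many other internal hosts."""
    targets = defaultdict(set)
    for r in rows:
        if is_internal(r["src"]) and is_internal(r["dst"]) and r["src"] != r["dst"]:
            targets[r["src"]].add(r["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_hosts}


def large_outbound_transfers(rows, threshold_bytes=100_000_000):
    """Q4: single outbound connections that moved at least threshold_bytes."""
    return [(r["src"], r["dst"], r["bytes"]) for r in rows
            if not is_internal(r["dst"]) and r["bytes"] >= threshold_bytes]


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like_queries(text, min_len=12, min_entropy=3.5):
    """Q2: queries whose second-to-last label is long and high-entropy (a rough
    DGA heuristic; multi-part suffixes such as co.uk are not handled here)."""
    findings = []
    for line in text.splitlines():
        _ts, client, qname, rcode = line.split()
        parts = qname.rstrip(".").split(".")
        label = parts[-2] if len(parts) >= 2 else parts[0]
        ent = label_entropy(label)
        if len(label) >= min_len and ent >= min_entropy:
            findings.append({"client": client, "qname": qname, "rcode": rcode,
                             "entropy": round(ent, 2)})
    return findings


def tracker_report(fw_text=FIREWALL_LOG, dns_text=DNS_LOG):
    """Bundle the four checks into the directional answers the team needs."""
    rows = parse_firewall(fw_text)
    return {"beaconing": beaconing_candidates(rows),
            "east_west": east_west_fanout(rows),
            "large_outbound": large_outbound_transfers(rows),
            "dga_dns": dga_like_queries(dns_text)}


if __name__ == "__main__":
    for name, finding in tracker_report().items():
        print(f"{name}: {finding}")
```

On the sample data the report names one beaconing pair (10.0.1.15 to 203.0.113.9 every 300 seconds), one host fanning out over SMB to three internal peers, one 900 MB outbound transfer from one of those peers, and two NXDOMAIN lookups for high-entropy names from the beaconing host. That is the shape of a "confirmed C2 plus probable staging and exfiltration" answer; the thresholds are deliberately loose and would be tuned per environment, and a negative result from these checks is "no evidence found in these logs", not proof that nothing left.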

Working With Your Team

  • Detective uses your network findings to complete the attack timeline – share timestamps, connection logs, and anomaly summaries as you find them rather than waiting to compile a full report; they can start correlating immediately
  • Protector uses your infrastructure map to know exactly what to block – translate your findings into actionable targets: these network paths, these endpoints, these accounts need to be cut
  • Threat Hunter pivots off your C2 indicators to identify the broader campaign – when you identify attacker-controlled infrastructure, hand those indicators over immediately so they can search for related activity across the environment
  • Crisis Manager needs your exfiltration assessment for the breach determination – this is often the highest-stakes answer in the session; be precise about what you can confirm versus what remains uncertain

Interaction frequency across a typical 3-round session:

%%{init: {'theme': 'base', 'themeVariables': {'background': 'transparent', 'edgeLabelBackground': 'transparent', 'lineColor': '#6b7280'}, 'flowchart': {'curve': 'basis'}}}%%
graph LR
    TRK(["📡 Tracker"]):::focal -->|"75% · network data"| DET(["🔍 Detective"]):::det
    TRK -->|"65% · infra map"| PRO(["🛡️ Protector"]):::pro
    TRK -->|"70% · exfiltration"| CRI(["⚡ Crisis Manager"]):::cri
    TRK <-->|"65% · C2 indicators"| THR(["🎯 Threat Hunter"]):::thr
    TRK -.->|"30% · data flows"| COM(["📢 Communicator"]):::com
    classDef focal fill:#e8a020,stroke:#b07010,color:#111,font-weight:bold
    classDef det fill:#2563eb,stroke:#1d4ed8,color:#fff
    classDef pro fill:#16a34a,stroke:#15803d,color:#fff
    classDef cri fill:#dc2626,stroke:#b91c1c,color:#fff
    classDef thr fill:#ea580c,stroke:#c2410c,color:#fff
    classDef com fill:#7c3aed,stroke:#6d28d9,color:#fff

Badges

All badges are available to everyone. As Tracker you’ll most naturally contribute to:

  • 🌐 Network Security Guardian of Digital Highways – awarded for traffic monitoring, C2 identification, and network containment coordination; the Tracker’s toolkit – firewall logs, DNS analysis, lateral movement detection – directly satisfies the technical proficiency criteria
  • 🗄️ Data Protection Guardian of Digital Assets – awarded for exfiltration detection, data flow mapping, and breach evidence; your determination of whether data actually left the network is the pivotal moment for this badge