Glossary

Core Game Terms

Action
Individual activities that players take during rounds. Each player receives 2 actions per round to investigate, communicate, implement technical solutions, or coordinate strategy.
Collaborative Bonus
Additional effectiveness gained when team members coordinate their efforts. Ranges from +2 for direct support to automatic success for perfect teamwork.
Containment
The process of stopping, isolating, and neutralizing Malmon threats. Success depends on matching appropriate security controls to specific Malmon types.
Evolution
The process by which Malmons gain new capabilities and become more dangerous if not contained quickly. Triggered by time pressure, failed containment, or environmental factors.
Incident Master (IM)
The facilitator who guides collaborative learning sessions. Focuses on asking questions and enabling discovery rather than providing answers.
MalDex
The community knowledge repository documenting Malmon encounters, response strategies, and lessons learned from collaborative sessions.
Malmon
Digital threats represented as creatures with distinct behaviors, capabilities, and weaknesses. Based on real malware families and attack techniques.
Network Security Status
A measure (0-100) of organizational cybersecurity health that changes based on threat impact and team response effectiveness.
Type Effectiveness
The strategic relationship between Malmon types and security controls, where certain approaches are super effective, normal, or not effective against specific threats.

Malmon Types

APT (Advanced Persistent Threat)
Long-term, sophisticated threats that rely on patience, custom tooling, and living-off-the-land techniques. Strong against defenses that assume attacks are fast and noisy, weak to threat intelligence and threat hunting.
Infostealer
Malmons focused on data collection and credential harvesting (saved passwords, session cookies, browser data). Strong against confidentiality, weak to encryption and access controls.
Ransomware
Threats that encrypt data and demand payment. Strong against data availability, weak to backup systems and network isolation.
Rootkit
Deep system threats that hide at kernel or firmware level. Strong against system integrity, weak to forensic analysis and behavioral monitoring.
Trojan
Deceptive threats that masquerade as legitimate software. Strong against traditional defenses, weak to detection and behavioral analysis.
Worm
Self-propagating threats that spread through network vulnerabilities. Strong against networks, weak to isolation and segmentation.

Security Controls

Backup Systems
Recovery capabilities and data redundancy. Super effective against Ransomware, normal against most threats, not effective against data theft once exfiltration has already happened. Only offline or immutable backups that have been test-restored count here; a backup the ransomware can reach and encrypt is not a backup.
Behavioral Analysis
Runtime monitoring and anomaly detection. Super effective against Trojans, APTs, and evasive threats. Normal against standard attacks.
Forensic Analysis
Deep investigation and evidence examination. Super effective against Rootkits and system modifications. Normal against advanced threats.
Network Isolation
Segmentation and quarantine capabilities. Super effective against Worms and network propagation. Not effective against air-gap jumping threats.
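The Worm and Network Isolation entries describe the same mechanic from both sides: a self-propagating threat reaches whatever the network lets it reach. The following added example (written for this glossary, not code from the game or its materials) makes that concrete by modelling a worm as breadth-first propagation over a host list and computing its blast radius under a flat network, a segmented one, segmentation with client isolation, and a mid-incident quarantine of one segment. The hosts, segments, policy rules, and the choice of port 445 as the vulnerable service are all constructed for the demo.

```python
"""Blast radius of a self-propagating Malmon on a flat vs. segmented network.

Added example, not part of the game's materials. Hosts, segments, policy
rules and the choice of port 445 (SMB) as the vulnerable service are all
constructed. The worm is modelled as: from every infected host, infect each
reachable host that exposes the vulnerable port and is unpatched.
Reachability is decided by a segmentation policy.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional

VULN_PORT = 445  # constructed choice of vulnerable service


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    open_ports: frozenset
    patched: bool = False


@dataclass(frozen=True)
class Policy:
    # allow: (src_segment, dst_segment, port) tuples permitted across segments;
    #        None means a flat network where everything reaches everything.
    allow: Optional[frozenset]
    # isolated: segments whose members may not talk to each other
    #           (private VLAN / host firewall); they still use cross-segment rules.
    isolated: frozenset = frozenset()


def reachable(policy: Policy, src: Host, dst: Host, port: int) -> bool:
    """Can src open a connection to dst on port under this policy?"""
    if src.name == dst.name:
        return False
    if src.segment == dst.segment:
        return src.segment not in policy.isolated
    if policy.allow is None:
        return True
    return (src.segment, dst.segment, port) in policy.allow


def spread(hosts, policy: Policy, patient_zero: str) -> set:
    """Breadth-first propagation; returns the names of all infected hosts."""
    by_name = {h.name: h for h in hosts}
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = by_name[queue.popleft()]
        for dst in hosts:
            if dst.name in infected:
                continue
            if dst.patched or VULN_PORT not in dst.open_ports:
                continue
            if reachable(policy, src, dst, VULN_PORT):
                infected.add(dst.name)
                queue.append(dst.name)
    return infected


def quarantine(policy: Policy, segment: str) -> Policy:
    """Containment action: drop every cross-segment rule touching `segment` and
    block traffic inside it. This needs rules to edit, which is exactly what a
    flat network does not give you."""
    if policy.allow is None:
        raise ValueError("flat network: no segment boundary to enforce at")
    allow = frozenset(r for r in policy.allow if segment not in r[:2])
    return Policy(allow, policy.isolated | {segment})


# --- Constructed estate ----------------------------------------------------
HOSTS = [
    Host("ws-01", "workstations", frozenset({445, 3389})),          # patient zero
    Host("ws-02", "workstations", frozenset({445})),
    Host("ws-03", "workstations", frozenset({445}), patched=True),
    Host("ws-04", "workstations", frozenset()),                     # host firewall closes 445
    Host("fs-01", "servers", frozenset({445})),
    Host("dc-01", "servers", frozenset({445, 88, 389}), patched=True),
    Host("bk-01", "backup", frozenset({445})),
    Host("plc-01", "ot", frozenset({445, 502})),
]

FLAT = Policy(allow=None)
# A "segmented" estate that still permits SMB from clients to servers and
# from servers into the backup network: segmentation with a hole in it.
SEGMENTED = Policy(allow=frozenset({
    ("workstations", "servers", 445),
    ("servers", "backup", 445),
}))
# Same rules plus client isolation inside the workstation segment.
SEGMENTED_PVLAN = Policy(SEGMENTED.allow, isolated=frozenset({"workstations"}))


def blast_radius(policy: Policy, patient_zero: str = "ws-01") -> int:
    return len(spread(HOSTS, policy, patient_zero))


if __name__ == "__main__":
    scenarios = [("flat", FLAT), ("segmented", SEGMENTED),
                 ("segmented + client isolation", SEGMENTED_PVLAN),
                 ("segmented, servers quarantined", quarantine(SEGMENTED, "servers"))]
    for label, pol in scenarios:
        print(f"{label:32} {sorted(spread(HOSTS, pol, 'ws-01'))}")
```

Two things the run shows that the glossary entry only implies: segmentation that still allows the vulnerable port between segments (workstations to servers to backup here) carries the worm straight to the backup network, and the quarantine action only exists because there is a segment boundary to act on; in the flat network the only levers left are patching and per-host firewalling.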
Signature Detection
Pattern-based identification of known threats. Super effective against basic Trojans and known Worms. Not effective against zero-days and polymorphic threats.
Threat Intelligence
Knowledge of adversary techniques and campaigns. Super effective against APTs and nation-state threats. Not effective against novel or amateur threats.

Incident Response Roles

🔍 Detective (Cyber Sleuth)
Specializes in finding clues, analyzing evidence, and building attack timelines. Excels at pattern recognition and forensic investigation.
🛡️ Protector (Digital Guardian)
Focuses on stopping threats and securing systems. Implements containment measures, deploys security controls, and manages recovery.
📡 Tracker (Data Whisperer)
Monitors data flows and network behavior. Analyzes traffic patterns, traces communications, and validates containment effectiveness.
👥 Communicator (People Whisperer)
Handles stakeholder relations and coordinates response. Manages crisis communication, assesses business impact, and coordinates with external parties.
⚡ Crisis Manager (Chaos Wrangler)
Oversees overall incident coordination and strategy. Allocates resources, sets priorities, and integrates cross-functional response efforts.
🎯 Threat Hunter (Pattern Seeker)
Proactively searches for hidden threats and develops intelligence. Tests hypotheses, investigates potential compromises, and validates security controls.

Session Structure

Character Creation
Opening process including skills discovery, role assignment, and character development around real names and interests.
Discovery Phase (Round 1)
Identifying the specific Malmon through individual investigation, knowledge sharing, and collaborative analysis.
Investigation Phase (Round 2)
Analyzing attack scope, impact, and progression. Includes impact assessment, attack vector analysis, and evolution risk evaluation.
Response Phase (Round 3)
Coordinating effective containment. Includes strategy development, coordinated implementation, and outcome resolution.

Cybersecurity Concepts

Attack Vector
The method by which a Malmon gains initial access to target systems. Common vectors include email, web, network vulnerabilities, and removable media.
Attribution
The process of identifying the threat actors responsible for an attack. Includes technical attribution (tools and techniques) and strategic attribution (motivation and capabilities). Attribution is a confidence judgment rather than a proof; shared tooling and deliberate false flags make it easy to get wrong.
Command and Control (C2)
Communication channels between Malmons and threat actors. Critical for ongoing attack coordination and data exfiltration.
Cyber Kill Chain
Lockheed Martin's seven-stage model of an intrusion: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Provides a framework for understanding attack progression and for choosing where to break the chain.
Digital Forensics
The investigation and analysis of digital evidence from cybersecurity incidents. Includes timeline construction, artifact analysis, and attribution development.
Indicators of Compromise (IoCs)
Technical artifacts that suggest malicious activity. Include file hashes, IP addresses, domain names, and behavioral patterns. Hashes, IP addresses and domains are cheap for an adversary to rotate and so age quickly; behavioral patterns (tools, tactics) are harder to change and hold up longer.
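The Signature Detection and Behavioral Analysis entries above make a type-effectiveness claim (signatures fail against polymorphic threats, behavior does not) that is easy to demonstrate on a handful of endpoint events. The following added example, written for this glossary and not taken from the game or any product, runs an atomic-IoC matcher and a small behavioral rule set over constructed process events. The two dropper bodies, hashes, IP addresses, domain, hostnames and command lines are all constructed; the ATT&CK technique IDs on the rules are real IDs used only as labels.

```python
"""Signature detection vs. behavioral analysis over constructed endpoint events.

Added example, not part of the game's materials. File bodies, hashes, IPs,
domain and process events are constructed. ATT&CK IDs on the rules are
real (T1059.001 PowerShell, T1547.001 Registry Run Keys) and used as labels.
"""
import base64
import hashlib
from dataclasses import dataclass

# --- Atomic IoCs: all that signature detection has to work with ------------
# Two constructed "dropper" bodies differing by one byte: a polymorphic
# variant keeps its behavior but gets a fresh hash.
DROPPER_V1 = b"MZ\x90\x00constructed-dropper-body\x01"
DROPPER_V2 = b"MZ\x90\x00constructed-dropper-body\x02"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


IOC_HASHES = {sha256_hex(DROPPER_V1)}   # only v1 is "known"
IOC_IPS = {"203.0.113.45"}              # TEST-NET-3 address, constructed
IOC_DOMAINS = {"update-cdn.example"}    # constructed


@dataclass
class Event:
    host: str
    process: str       # image name of the new process
    parent: str        # image name of its parent
    cmdline: str
    file_sha256: str = ""
    dst_ip: str = ""
    dst_domain: str = ""


def signature_detect(ev: Event) -> list:
    """Exact matches on hash / IP / domain: cheap and precise, but blind to
    anything not already in the IoC set."""
    hits = []
    if ev.file_sha256 and ev.file_sha256 in IOC_HASHES:
        hits.append(("hash", ev.file_sha256))
    if ev.dst_ip in IOC_IPS:
        hits.append(("ip", ev.dst_ip))
    if ev.dst_domain in IOC_DOMAINS:
        hits.append(("domain", ev.dst_domain))
    return hits


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Behavioral rules key on what the process does, which a polymorphic variant
# cannot change without changing its behavior. (rule name, ATT&CK ID, predicate)
BEHAVIOR_RULES = [
    ("office app spawning script host", "T1059.001",
     lambda ev: ev.parent.lower() in OFFICE_APPS and ev.process.lower() in SCRIPT_HOSTS),
    ("encoded PowerShell command line", "T1059.001",
     lambda ev: ev.process.lower() == "powershell.exe" and "-enc" in ev.cmdline.lower()),
    ("Run-key persistence via reg.exe", "T1547.001",
     lambda ev: ev.process.lower() == "reg.exe" and "currentversion\\run" in ev.cmdline.lower()),
]


def behavioral_detect(ev: Event) -> list:
    """Return (rule name, ATT&CK ID) for every rule the event satisfies."""
    return [(name, tid) for name, tid, pred in BEHAVIOR_RULES if pred(ev)]


def triage(events) -> list:
    """Classify each event by which detector(s) caught it."""
    verdicts = {(True, True): "signature+behavior", (True, False): "signature-only",
                (False, True): "behavior-only", (False, False): "none"}
    out = []
    for ev in events:
        sig, beh = signature_detect(ev), behavioral_detect(ev)
        out.append({"host": ev.host, "process": ev.process,
                    "detected_by": verdicts[(bool(sig), bool(beh))],
                    "signature": sig, "behavior": beh})
    return out


# --- Constructed sample events -------------------------------------------
ENCODED = base64.b64encode("Write-Host demo".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    # known dropper talking to a known C2 address: both detectors fire
    Event("ws-17", "powershell.exe", "winword.exe",
          f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}",
          file_sha256=sha256_hex(DROPPER_V1), dst_ip="203.0.113.45"),
    # polymorphic variant with a new C2 address: signature misses, behavior holds
    Event("ws-22", "powershell.exe", "winword.exe",
          f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}",
          file_sha256=sha256_hex(DROPPER_V2), dst_ip="198.51.100.9"),
    # persistence step on the same host
    Event("ws-22", "reg.exe", "powershell.exe",
          r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\u.exe"),
    # benign admin script launched from the desktop: neither detector fires
    Event("ws-03", "powershell.exe", "explorer.exe",
          r"powershell.exe -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f"{row['host']:6} {row['process']:15} {row['detected_by']}")
```

The second event is the point of the exercise: one byte of change gives the dropper a hash nobody has seen and it calls home to an address nobody has listed, so the IoC matcher returns nothing, while the parent-child relationship and the encoded command line are unchanged and still trip the behavioral rules. The persistence step on the same host is caught the same way, which is what the Rootkit and Trojan entries mean by "weak to behavioral analysis".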
Lateral Movement
The process by which threats spread through networks after initial compromise. Often involves credential theft and privilege escalation.
Persistence
Techniques used by threats to maintain access across reboots, logoffs, credential changes, and partial clean-up (scheduled tasks, registry Run keys, services, web shells). Critical for long-term compromise.
Privilege Escalation
The process of gaining higher-level system access than initially obtained. Enables broader compromise and deeper system access.
Zero-Day
A vulnerability, or an exploit for one, that the vendor has not yet patched, usually because it was unknown until it was seen in use. With no patch and no signature it defeats patch-based and signature-based defenses, which leaves behavioral analysis as the main detection option.

Community Terms

Badge System
Recognition framework for cybersecurity domain mastery. Includes Network Security, Endpoint Security, Data Protection, and other specialized areas.
Community Champion
Recognition for outstanding community building and engagement efforts. Includes leadership in community governance and development.
Discoverer Status
Recognition for first teams to document new Malmon variants or innovative response techniques. Includes naming rights and special community recognition.
Elite Four
Advanced specialization tracks including APT Specialist, Global Incident Commander, and Security Researcher. Represents master-level cybersecurity expertise.
Innovation Recognition
Community acknowledgment for developing novel response techniques or coordination approaches. Includes attribution and presentation opportunities.
Master Trainer
Highest level of facilitator certification. Includes training other facilitators, developing curricula, and leading community initiatives.
Scenario Architect
Recognition for developing high-quality training scenarios and learning experiences. Includes content contribution and educational excellence.

Technical Terms

MITRE ATT&CK
Framework for describing adversary tactics, techniques, and procedures. Tactics are the adversary's goals (for example Persistence or Lateral Movement); techniques are how those goals are reached, each with an identifier such as T1059. Provides a structured approach to understanding threat behavior and mapping detections against it.
Security Operations Center (SOC)
Centralized function for monitoring, detecting, and responding to cybersecurity threats. Includes people, processes, and technology for 24/7 security oversight.
Threat Intelligence
Actionable information about current and emerging security threats. Includes indicators, tactics, techniques, and strategic context for defensive planning.
Incident Response
Structured approach to managing cybersecurity incidents. The six phases used here (preparation, identification, containment, eradication, recovery, and lessons learned) are the SANS incident handling model; NIST SP 800-61 groups the same work into four phases.
Vulnerability Management
Process of identifying, assessing, and addressing security weaknesses in systems and applications. Critical for reducing attack surface.
Risk Assessment
Evaluation of potential cybersecurity threats and their likely impact on organizational objectives. Includes likelihood, impact, and mitigation strategies.
Business Continuity
Planning and preparation for maintaining critical operations during and after cybersecurity incidents. Includes backup systems, alternate processes, and recovery procedures.
Compliance
Adherence to regulatory and legal requirements related to cybersecurity and data protection. Includes regulations such as GDPR, HIPAA, and SOX, and the control frameworks used to demonstrate compliance with them.

Learning and Development

Continuing Professional Education (CPE)
Ongoing learning requirements for maintaining cybersecurity certifications. Many programs recognize collaborative learning experiences.
Cross-Training
Learning about cybersecurity roles and responsibilities outside your primary specialization. Improves team coordination and career flexibility.
Mentorship
Relationship between experienced and developing cybersecurity professionals. Critical for career development and knowledge transfer.
Professional Development
Structured approach to building cybersecurity knowledge, skills, and capabilities. Includes formal education, certification, and practical experience.
Skill Assessment
Evaluation of cybersecurity competencies and capabilities. Used for identifying development needs and tracking progress.
Community of Practice
Group of cybersecurity professionals who share knowledge, experiences, and best practices. Essential for ongoing learning and professional development.