Malware & Monsters

Large Group Session

Malware & Monsters

Something Has Gone Wrong

You Have Been Called In

Your organisation is under attack.

You do not have the full picture yet.

Your job is to get it.

This is the atmosphere-setter. Pause here. Let the room quiet down. Don’t rush.

Do NOT name the malmon or explain the scenario yet – that comes in the scenario slides. This slide is just to signal: we are starting, stakes are real, pay attention.

Three Teams. One Incident.

How This Session Works

You have been divided into three specialist teams.

Each team receives different evidence.

No team has the complete picture. That is deliberate.

Your Incident Commander synthesizes across all three teams.

The key insight for players: information asymmetry is the mechanic, not a bug. Teams are supposed to have incomplete pictures. The synthesis moment is where the learning happens.

If anyone asks “why can’t we share cards?” – explain it here: the exercise simulates real IR where different functions see different slices of an incident.

Your Teams

Three Lenses on the Same Incident

ALPHA Forensics

What happened at the system level – processes, files, artifacts, timelines.

BRAVO Network & Infrastructure

How it moved, what it touched, where it came from, where it is going.

CHARLIE Business Impact

What it means for operations, stakeholders, and decisions under pressure.

Each team’s lens is genuinely different – not a difficulty tier. Alpha is not “harder” than Charlie. They are different angles on the same incident.

Emphasise this. Charlie’s business impact framing is just as analytically demanding as Alpha’s forensics work – it just asks different questions.

The Incident Commander

One Person. One Job.

The IC does not join a team.

The IC listens to all three teams, connects the threads, and makes decisions when the teams disagree.

The IC is not expected to know more than the teams.

The IC is expected to integrate what the teams know.

Brief the IC privately before this slide if you have not already done so.

Key message for the room: do not put the IC under pressure to have all the answers. Their job is synthesis, not omniscience.

If the group chose an IC who leads incidents in real life, this is your moment to reframe: “In this exercise, your job is different. You are the listener and the synthesizer, not the technical lead.”

How a Round Works

The Same Pattern, Every Round

%%{init: {
  "theme": "base",
  "themeVariables": {
    "primaryColor": "#f8f9fa",
    "primaryTextColor": "#2c3e50",
    "primaryBorderColor": "#dee2e6",
    "lineColor": "#2c3e50",
    "fontFamily": "\"Source Sans Pro\", sans-serif",
    "fontSize": "15px"
  }
}}%%
flowchart LR
    E["Open your\nenvelope"] --> A["Analyse\nas a team"]
    A --> B["Team Lead\nbriefs the IC"]
    B --> I["IC synthesizes\nacross all teams"]
    I --> N["Next round\nenvelope"]

    classDef step fill:#f8f9fa,stroke:#dee2e6,color:#2c3e50,font-weight:bold
    classDef ic   fill:#2c3e50,stroke:#2c3e50,color:#ffffff,font-weight:bold

    class E,A,B,N step
    class I ic

%%{init: {
  "theme": "base",
  "themeVariables": {
    "primaryColor": "#f8f9fa",
    "primaryTextColor": "#2c3e50",
    "primaryBorderColor": "#dee2e6",
    "lineColor": "#2c3e50",
    "fontFamily": "\"Source Sans Pro\", sans-serif",
    "fontSize": "15px"
  }
}}%%
flowchart LR
    E["Open your\nenvelope"] --> A["Analyse\nas a team"]
    A --> B["Team Lead\nbriefs the IC"]
    B --> I["IC synthesizes\nacross all teams"]
    I --> N["Next round\nenvelope"]

    classDef step fill:#f8f9fa,stroke:#dee2e6,color:#2c3e50,font-weight:bold
    classDef ic   fill:#2c3e50,stroke:#2c3e50,color:#ffffff,font-weight:bold

    class E,A,B,N step
    class I ic

Walk through this diagram slowly. Most players will not have done this format before.

Key points:

• The envelope is sealed. Open it only when the round starts.
• Analysis happens at the table. The IC does not join the table.
• The Team Lead brief is short – 2-3 minutes maximum. Not a presentation.
• The IC synthesizes across all three briefs before the next round starts.

The Rules

Five Things That Make This Work

1. Your evidence stays at your table. Do not show cards to other teams.

2. When the timer ends, analysis ends. The cross-team briefing starts immediately.

3. Team Leads brief the IC. Not the other way round. The IC listens first.

4. The IC’s call is the call. Voice disagreement once, then commit.

5. You will not have all the answers. That is fine. Neither does anyone else.

Read these aloud, slowly, one at a time.

Rule 5 is the most important for managing anxiety – especially with senior participants who are not used to working with incomplete information.

If anyone pushes back on Rule 4 (“but what if the IC is wrong?”) – that is a debrief question. In real IR, someone has to call it. Let the exercise create that tension.

Dice (If Your IM Chooses)

Optional – Not Every Session Uses Them

From Round 3, the IC may roll a d20 when calling a response.

Helps your roll:

• Teams correctly identified the threat: +2
• All 3 teams fully briefed the IC: +1
• All 3 teams agreed on a recommendation: roll 2 dice, take the higher

Hurts your roll:

• Wrong response for what you are facing: -2
• IC called before all teams had briefed: -1
• Time pressure: -1 to -2

Your IM will confirm whether dice are in play before Round 3.

Only show this slide if you are using dice. Skip it entirely if not.

One pass through the columns is enough – players do not need to memorise modifiers, the IM applies them during the session.

What You Are Trying to Achieve

The Objective

By the end of this session, your three teams and your IC should be able to answer three questions:

What is happening?

How did it get here?

What do we do about it?

Not all teams will answer all three questions. The IC is responsible for the final synthesis.

Keep this abstract. Do not name the malmon, do not hint at the attack vector.

These three questions are the universal objectives for any IR investigation. The scenario content will make them specific. This slide is just framing the cognitive goal.

A Few Minutes Before You Start

Check In With Your Team

• Who is your Team Lead?
• Does everyone know which team they are on?
• Has the IC been briefed?

You have 2 minutes.

The scenario begins when the envelopes are distributed.

This is a breathing space before you hand out envelopes and launch the scenario.

Use this time to:

• Confirm the IC has been pulled aside and briefed (if not already done)
• Check that team wearable markers are on
• Make sure the whiteboard is labelled ALPHA / BRAVO / CHARLIE
• Confirm your own notes are ready

When you are ready: switch to the scenario-specific slides and begin.

Ready.

This is the handoff slide. Full brand blue background, minimal text.

After this slide, switch to the scenario-specific slide deck and deliver the opening hook.

Do not describe the scenario here. Let the scenario slides carry the opening narrative.