Malware & Monsters is an open-source incident response training framework. You learn by doing – investigating a simulated cyberattack as a team, making decisions under pressure, and discovering what works and what doesn’t.
There are no trick questions. There are no wrong answers.
There are decisions, consequences, and a debrief where the real learning happens.
malwareandmonsters.com
This Version is Custom
Today’s scenario is a custom exercise built for this session.
The full M&M framework – including a visual guide and zero-prep scenarios you can run tomorrow – is available free at malwareandmonsters.com
Three Teams. One Incident.
You have been divided into three specialist teams.
Each team receives different evidence.
No team has the complete picture. That is deliberate.
Your Incident Commander synthesises across all three teams.
Your Teams
ALPHA – Forensics: What happened on the systems. Processes, artefacts, evidence.
BRAVO – Network & Infrastructure: How it moved through the network. Connections, access, traffic.
CHARLIE – Threat Intel & Recovery: Who is behind it and how to respond. Attribution, scope, recovery.
The Incident Commanders
Two ICs Today
IC #1 manages the first half – Rounds 1 and 2
IC #2 takes over mid-session after a structured handover
The IC does not join a team. The IC listens, connects the threads, and decides when teams disagree.
The Whiteboard
The IC owns the whiteboard. It is the single source of truth.
Example whiteboard:
CONTAINED
✓ svc-rdbridge-admin
✓ C2 blocked
OPEN
COLLBRIDGE-EXCL-003
HANSEN-SAP-01
GenixLibrary
??? more ???
When a containment action succeeds, the IC moves the note from OPEN to CONTAINED.
How a Round Works
1. Pick up your evidence cards – each team gets new cards.
2. Analyse as a team – 8-12 minutes at your table.
3. Team Lead briefs the IC – 60-90 seconds each, one at a time.
4. IC synthesises – connects the threads, updates the whiteboard.
5. Next round – new envelopes, deeper evidence.
If you need more information or context at any point, ask the facilitator.
The Rules
Your evidence stays at your table. Do not show cards to other teams.
When the facilitator calls time, analysis stops immediately and IC briefings begin. No extensions.
Team Leads brief the IC one at a time.
The IC’s call is the call. Voice disagreement once, then commit.
You will not have all the answers. That is fine. Neither does anyone else.
Dice
When the IC proposes a containment action:
Which team owns this? The IC assigns it.
How hard is it? The facilitator decides difficulty and drives the storyline accordingly.
What could go wrong? The team states the risk.
Roll. Success, partial, or failure.
Difficulty (d20): Easy 5+ · Medium 10+ · Hard 15+
Modifiers: All teams briefed +2 · Written rationale +1 · Team named this risk before rolling: advantage (roll twice, take the higher)
BioGenix Solutions
Danish biosolutions company, 1,800 employees
Precision fermentation and industrial enzyme engineering
Major acquisition completed in 2024 – post-merger integration ongoing
GenixLibrary – proprietary R&D sequence database, most commercially valuable research data
Legacy infrastructure from the merger still connected to the environment
Something Has Gone Wrong
CFCS (Center for Cybersikkerhed, the Danish Centre for Cyber Security) contacted your CISO a couple of hours ago.
A supply chain compromise campaign targeting European life sciences.
Indicators match your infrastructure.
We do not yet know if we are compromised.
Your job is to find out.
Check In
Who is your Team Lead?
Does everyone know which team they are on?
Has the IC been briefed?
IC #2 – please leave the room now.
You have 2 minutes.
The scenario begins when the evidence cards are distributed.