Malware & Monsters

Visual Guide

Everything You Need to Play

4–6 players + 1 Incident Master  ·  45–75 min  ·  Zero-prep scenarios

This slide deck mirrors the 8-page printed Visual Guide. Use it to walk a group through M&M before their first session. The printed guide is available on the website – hand it out for reference during play.

Two fully scripted zero-prep scenarios are included. Everything the IM needs is written out: NPC lines, clues, decision points, and resolution.

First-Order Rules

1. Core Loop: IM describes → players act → IM narrates
2. Success: Simple = auto. Complex = d20 (5+ / 10+ / 15+)
3. Collaboration: +1 per assist (max +3), or 2d20 take higher
4. Goal: Contain the malmon before it evolves

Everything else is optional detail.

These four rules are the foundation. They never change regardless of scenario, difficulty, or group.

The scenario teaches each additional mechanic (modifiers, type effectiveness, degrees of success) when it becomes relevant. Players do not need to memorise anything beyond these four rules before their first session.

If the group remembers nothing else: IM describes, players act, dice are rare, teamwork helps.

Pick Your Scenario

	FakeBat	GaboonGrabber
Setting	Creative agency, 12 staff	Nonprofit, 20 staff
Crisis	Malware + client deadline	Credential theft + fundraiser
Best for	Technical teams	Mixed / first-timers

Both scenarios are fully scripted zero-prep. The IM opens the facilitator guide and follows along – every NPC line, every clue, every decision point is written out.

Before the session (5 min): Open the FakeBat or GaboonGrabber facilitator guide. Print or have on screen. Bring role cards and Handouts A and B. One d20 per player.

FakeBat has slightly more technical depth. GaboonGrabber is better for groups where not everyone has a security background.

What Is Malware & Monsters?

• A team investigates a realistic cyber incident guided by one Incident Master
• No right answers written in advance – only the constraints of real IR
• Every session is self-contained. No prep, no continuity, no specialist knowledge

The team wins or loses together.

Malware & Monsters is a collaborative tabletop framework where 4–6 security professionals investigate a realistic cyber incident. Everyone plays an IR role. The IM knows the full picture from the start; everyone else discovers it through play.

Limited visibility, organisational pressure, and incomplete information are the mechanics – just like real incident response. No character acting required. Players play themselves with a professional lens.

The Cards

Malmon Card · Role Card

The next slides explain the two card types: the Malmon Card (held secretly by the IM) and the Role Card (one per player, face-up on the table).

The Malmon Card

• Players never see this card
• Defines the threat: identity, tactics, escalation
• Drives IM narration, adjudication, and pacing

The malmon card is what the IM holds secretly – it defines the threat. The IM uses it to narrate symptoms, adjudicate actions, and decide when the threat escalates.

Fields on the card:

• Name & Type: The threat identity and classification (Phishing, Ransomware, APT, etc.)
• Stars: Difficulty rating – one star is a first-session malmon
• Stats: Attack (how aggressive it escalates) and Stealth (how long before symptoms surface)
• Abilities: The malmon’s signature tactics – what it does during the attack
• Weakness: The approach that counters it – when to give the type bonus
• Evolution Trigger: What the malmon achieves to escalate to Stage 2
• Discovery: The initial access vector – how it got in

Malmon Card Fields

Field	Purpose
Name & Type	Threat identity and classification
Stars	Difficulty rating (1 star = beginner)
Stats	Attack aggression + Stealth duration
Abilities	Signature tactics during the attack
Weakness	What counters it (type bonus trigger)
Evolution Trigger	Conditions for Stage 2 escalation
Discovery	Initial access vector

Walk through each field briefly. The key insight for new IMs: you don’t need to memorise the card. Keep it face-up in front of you and refer to it during play. The stats guide your narration – high Attack means the malmon escalates aggressively; high Stealth means symptoms surface slowly.

The Evolution Trigger is the most important field for pacing. When the team’s choices allow the threat to progress, the malmon evolves and you escalate stakes.

The Role Card

• One card per player, face-up on the table
• Tells you what you’re good at and when you get +2
• No memorisation – just refer during play

Each player holds one role card for the whole session. It tells you what you are good at, what questions to ask, and what modifier to add when actions match your expertise.

Fields on the card:

• Archetype: Your investigative identity and mindset for the session
• Strengths: Specific areas where you apply your +2 modifier
• Focus Areas: The questions and tasks that belong to your role during play
• Roleplay Tips: How to show up in discussion – not acting, just a behavioural frame
• Game Modifiers: The exact bonuses and when they apply

Players are playing themselves with a professional lens, not acting as fictional characters.

The 4 Core Roles

🔍DETECTIVE

Find clues, connect evidence, build the timeline

🛡️PROTECTOR

Contain the threat, keep systems running

📡TRACKER

Watch the network, follow data flows, block exfiltration

📢COMMUNICATOR

Coordinate people, translate impact, manage stakeholders

These are the 4 core roles. Every session uses them. Each role provides a different investigative lens on the same incident – they are not difficulty tiers.

Fifth and sixth roles (Crisis Manager, Threat Hunter) exist for complex scenarios with advanced malmons, multiple simultaneous threats, or other factors requiring more specialised coverage. Use the 4 core roles for your first session.

Use the Role Distributor tool (on the website) to assign roles. Enter headcount, tap Distribute, each player opens their card on their phone.

Setup

• IM (5 min): Open facilitator guide. Stack handouts face-down. Malmon card visible to you only.
• Players (2 min): Open Role Distributor on a phone. Tap Distribute. Place role card face-up.

The IM knows the full picture from the start; everyone else discovers it through play. The malmon card stays in front of the IM – players do not see it.

The Role Distributor is a web tool on malwareandmonsters.com. Enter headcount and it assigns roles randomly. Each player opens their role card on their phone or prints it.

Bring one d20 per player (or use a dice app). Print Handouts A and B from the facilitator guide, or have them ready on a screen.

Playing the Game

Sequence · Dice · Modifiers

The next slides cover the gameplay loop: sequence of play, when to roll dice, difficulty targets, and modifiers.

Sequence of Play

Discussion is free. Actions cost your turn. Dice are rare.

Every round follows the same sequence. Most sessions are 70% discussion – the dice come out only when the outcome is genuinely uncertain and failure would be interesting.

The 7 steps:

1. IM opens the round – describe what the team observes: alerts, NPC behaviour, system anomalies. Never name the malmon.
2. Players discuss freely – ask questions, form hypotheses, request information. The IM answers freely. This is free – no action, no roll.
3. A player declares a specific action – “I want to analyse that log file” / “I call the finance director.” This costs your action. One per player per step.
4. IM judges the outcome – Clear expertise + right approach? Auto-success, no roll. Genuinely uncertain with real stakes? Proceed to step 5.
5. Roll d20 + modifiers – compare to target (5 / 10 / 15). Full success, partial (within 3), or failure.
6. IM narrates the result – deliver the next handout on a significant discovery. On failure: ask why – the answer is the learning moment.
7. Threat check – have the malmon’s evolution conditions been met? If yes, escalate and start Round 2.

How a Round Works

1. IM opens – describe symptoms, never name the malmon
2. Players discuss – free, no action, no roll
3. Player declares action – costs their turn
4. IM judges – auto-success or roll?
5. Roll d20 + modifiers – compare to 5 / 10 / 15
6. IM narrates – deliver handout on discovery
7. Threat check – evolution met? Escalate.

Walk through each step. Emphasise:

• Step 2 is free and where most of the session happens. Players should discuss, hypothesise, and debate before committing to actions.
• Step 4 is the IM’s judgment call. Many actions auto-succeed – only roll when the outcome is genuinely uncertain. Clear expertise plus the right approach equals automatic success.
• Step 6 on failure: ask “why did this fail?” The answer is usually where the learning happens. Failure is never a dead end.
• Step 7: evolution is not punishment. It is the scenario advancing to its next phase.

The Roll

Difficulty	Target	Success Rate	Example
Easy	5+	~95%	Log review, routine scan
Medium	10+	~70%	Analysis under pressure
Hard	15+	~40%	Cutting-edge, high-stakes

Default to Medium. With +2 role modifier: ~100% / ~80% / ~55%.

Only roll when the outcome is genuinely uncertain and failure would be interesting. Clear expertise plus the right approach equals automatic success, no roll needed.

When in doubt, default to Medium. Step down to Easy if the player has hands-on expertise in exactly this situation – there is no need for a roll when the outcome is not genuinely in question.

The probabilities shift significantly with the +2 role modifier. A Medium check goes from 70% to 80%, and a Hard check from 40% to 55%. This makes role alignment mechanically meaningful without being overpowering.

Success & Modifiers

Degrees of Success

Result	When
Critical	Natural 20
Full	Meets target
Partial	Within 3 below
Failure	4+ below

Modifiers

Source	Mod
Role alignment	+2
Type advantage	+2
Collaboration	advantage
Weakness / obstacle	–2
Time pressure	–2

Partial success is the most interesting result – something happened, but with a cost or complication the IM introduces. A failure is never a dead end: ask “why” the action failed, and that question is usually where the learning is.

Collaboration: +1 per assisting player (max +3), or advantage (roll two d20s, take the higher). When the whole team coordinates with clear role division, skip the dice – auto-success.

Natural 20: exceptional result – bonus information, or give the player advantage on their next action. Natural 1: find the absurdist reading, not a punishment. Something slightly ridiculous happens and everyone moves on.

If a player’s real-world knowledge directly applies to the action they’re taking, that expertise is already a +2 – or skip the roll entirely if there is no genuine uncertainty.

Session Structure

• Round 1 – Discovery: What is happening? What systems are affected?
• Round 2 – Investigation: How did they get in? What have they accessed?
• Round 3 – Response: Contain. Remediate. Communicate.

Injects: At key moments, hand the team a printed artifact handout. Players discuss how new evidence changes their picture. Deliver each inject after a significant discovery, after a decision point, or at the start of a new round.

Evolution: When the team’s choices allow the threat to progress, the malmon evolves. Escalate stakes and deliver the next artifact handout. Evolution is not a punishment – it is the scenario advancing to its next phase.

Ending:

• Win: The malmon is contained before the threat escalates beyond recovery.
• Lose: The threat reaches its Stage 2 objective – data exfiltrated, files compromised, client notified.

A loss in a hard scenario teaches more than an easy win.

Breaking the Rules

• Skip dice entirely – narrate based on reasoning quality
• Give advantage for clever moves – roll twice, take higher
• Don’t roll for facts – real expertise counts without dice
• Let players name their modifier – justify it, get +2
• Cut to Round 3 if time is short

The first-order rules never change. Everything else is yours.

Full list of customisations:

• Skip the dice entirely for groups where rolling feels artificial – narrate outcomes based on the quality of the team’s reasoning.
• Give advantage for a genuinely clever move – if a player makes a smart call that changes the room, let them roll twice and take the higher. Reserve it so it still means something.
• Let two players who both contributed both roll, take the higher. Faster than arbitrating who “gets” the roll, and teamwork should help.
• Don’t roll for facts, only for conclusions – real-world knowledge a player contributes counts without a roll. Roll when they’re drawing a conclusion under pressure, not when they’re contributing expertise.
• Let players name their own modifier – ask what skill they’re using. If they can justify it, give +2. It surfaces real expertise and makes specialisation feel earned.
• Roll your own dice when the world is undecided – if you haven’t decided whether something is true, roll out loud. The fiction breathes differently when even the IM doesn’t know yet.
• Adjust difficulty on the fly – if a group is struggling, drop targets by 3. If they’re coasting, raise them.
• Make nat 1s absurd, not punishing – find the ridiculous reading and move on.
• Cut to Round 3 if time is short – pick a decision point and jump straight to containment and response.

Example Session

WannaCry – Hospital Under Attack

The next two slides walk through a condensed example from an advanced scenario: WannaCry attacking a hospital during flu season surge. Four players: Detective, Protector, Tracker, Communicator.

Example: Round 1

IM: “Tuesday evening. Every ICU bed occupied. Network Admin: ‘SMB scanning on port 445 from dozens of internal addresses.’ ED Director: ‘Our systems are down. This is a patient safety emergency.’”

• Detective: “Are these systems patched?” → Legacy Windows, MS17-010 deferred
• Tracker: “Segmenting clinical subnet now.” → Easy (5+), rolls 14. Success – but 14 workstations already encrypted.

Full IM opening narration: “Tuesday evening. Memorial Health System – every ICU bed occupied, ED at 150% capacity. Network Admin Brian Martinez: ‘Thomas, I’m seeing automated SMB scanning on port 445 from dozens of internal addresses.’ ED Director Dr. Patricia Lee arrives seconds later: ‘Our systems are down. We have patients waiting and cannot access allergy records or lab results. This is a patient safety emergency.’”

The Detective’s question is free – no action, no roll. The IM answers: legacy Windows, the MS17-010 patch was deferred on medical device networks two months ago to avoid disrupting care.

The Tracker declares an action (costs their turn). Network segmentation is straightforward for a Tracker – Easy difficulty, target 5+. Rolls 14, full success. Clinical subnet isolated, patient monitoring holds. But 14 ED workstations were already inside the propagation path – encrypted.

Example: The Kill Switch

• Protector: “Does it query an external domain before encrypting?” → Medium (10+), +2 role. Rolls 8. Partial – finds DNS queries, can’t confirm purpose.
• Communicator: “I call Microsoft with the domain.” → Medium (10+), +2 role. Rolls 13. Success – it’s the WannaCry kill switch. Propagation stops.

Neither alone would have got there. The team kept the ICU online.

The Protector’s partial success (2 below target) left just enough for the Communicator to act on. This is the collaboration mechanic in action – the partial result created an opening that another role could exploit.

IM full picture wrap-up: “Memorial Health deferred the MS17-010 patch two months ago to protect medical device uptime – a reasonable operational call with serious consequences. WannaCry exploited EternalBlue, spread automatically across every unpatched host, and encrypted 14 administrative workstations. Network segmentation was incomplete; the Tracker’s fast containment closed that gap before ICU monitoring fell. The kill switch halted further propagation. Patient care restored within four hours.”

The team kept the ICU online. That is incident response.

Resources

Resource	What it’s for
FakeBat: Friday Deadline	Scripted facilitator guide
GaboonGrabber: The Fundraiser Email	Scripted facilitator guide
Role Distributor	Assign roles in seconds
Printable Tent Cards	A4 folded, one per seat
Players Quick Start	One-page player onboarding
IM Quick Start Guide	Full IM mechanics reference

malwareandmonsters.com

All resources are available on the website. The printed Visual Guide has clickable links to each resource. Direct people to malwareandmonsters.com as the single entry point.

For this session: you only need the facilitator guide (FakeBat or GaboonGrabber), role cards (via Role Distributor), and one d20 per player. Everything else is optional reference material.