Malware & Monsters
Real decisions. Real pressure. Real learning.
IR training that actually sticks
IR teams know the playbook. The playbook does not cover what is happening right now. Most tabletop exercises replay the same predetermined narrative regardless of what the team decides. Participants quickly learn to wait for the next slide.
Malware & Monsters is different. The scenario branches based on the decisions your team makes. A missed detection in round two changes what attackers can do in round three. A communication failure ripples forward. The pressure is real because the consequences are real, inside the game.
Traditional IR training treats people as recipients of information. Malware & Monsters treats them as decision-makers under pressure. The difference in retention and team cohesion is immediately visible in the debrief.
Most organisations run a tabletop once a year and call it done. Their teams remember the pizza, not the lessons. Malware & Monsters changes that.
THE GAME
What Malware & Monsters actually is
Malware & Monsters is a tabletop role-playing game for incident response training. It is built on the HackBack framework: a structured approach to security exercises developed for practitioners, by practitioners. Each player takes on one of six specialist roles and responds to a live threat scenario that evolves as the session progresses.
Sessions run from 60 minutes to a full day depending on format. The standard format puts one Incident Manager with four to six players responding to a single threat chain. The large-group format divides fifteen to twenty participants into three specialist teams running coordinated tracks: threat hunting, forensic analysis, and communications, with interdependencies that force cross-team coordination.
The game runs without screens, without a slide deck, and without a facilitator reading from a script. Scenario injects arrive as physical cards. Decisions are made at the table. The Incident Manager calls the shots and lives with the consequences.
Every session is designed to surface the gaps in your team’s IR capability, not as a critique delivered after the fact, but as something that becomes visible in real time as the scenario develops.
SPECIALIST ROLES
The six specialist roles
Incident Manager
Coordinates the overall response. Owns decisions, delegates tasks, manages the timeline. Everything flows through the IM.
Threat Hunter
Forensic Analyst
Communications Officer
Response Coordinator
Threat Researcher
LEARNING OUTCOMES
What your team walks away with
Threat detection and triage under pressure
IR coordination across specialist functions
Cross-team communication when it matters
Decision-making with incomplete information
Evidence handling and chain of custody
Post-incident debrief skills that drive real improvement
HOW IT WORKS
How a session runs
Briefing: Roles assigned, scenario context established, ground rules set. No advance reading required.
Round 1: Initial indicators surface. Team triage and decides first responses. Scenario branches based on decisions made.
Round 2: Attacker actions escalate or pivot based on round one outcomes. Gaps in the round one response become visible.
Round 3: Resolution phase. Final decisions made, incident contained or not. Communications tested.
Debrief: Structured review using the HackBack debrief protocol. Teams identify not just what they would do differently, but form Implementation Intentions: specific “if this situation, then this action” commitments that make the learning actionable rather than abstract.
Who this is for
Malware & Monsters works for IR teams, SOC teams, and mixed security groups who need to build shared response capability without taking people offline for a full-day course. It runs with as few as four and as many as twenty participants.
Typical groups include incident responders and analysts who need to test coordination, security managers who need to understand where their team’s gaps are, and cross-functional groups where IT, security, and communications need to build a shared response muscle.
It does not require prior tabletop experience. It does require participants who are willing to make decisions under pressure and debrief honestly about what they got wrong.
NIS2 MAPPING
How Malware & Monsters maps to NIS2 incident handling
| Requirement | What it asks | How Malware & Monsters addresses it |
|---|---|---|
| NIS2 Article 21(2)(b), incident handling | Entities have incident-handling measures in place | Rehearses incident handling as a branching tabletop where decisions change the outcome |
| NIS2 Article 23, reporting obligations | Significant incidents are reported within set deadlines, 24h early warning and 72h notification | Puts the reporting decision and the clock into the exercise so the team practises it |
| General IR readiness | Teams can detect, respond to, and recover from incidents | Builds the instinct through repeated realistic decisions, not slideware |
FAQ
Frequently asked questions
Can Malware & Monsters be used for NIS2 incident-response training?
What makes it different from a scripted tabletop?
Who is it for?
How long is a session?
Do we need our own scenario?
Is it a card game or a full exercise?
Ready to put your team through it?
Sessions run on-site. Format and duration adapt to your group size and objectives.
Explore the full serious games lineup.
Why it works, and where the frameworks demand it: stop running boring tabletop exercises, CMMC incident response testing, and the FAR CUI rule.