Security instinct is built, not briefed.

A slide deck can tell your team what good security looks like. It can’t make them do it when the room is tense and the clock is running. Instinct doesn’t come from being told about a decision. It comes from making it, getting it wrong somewhere it’s safe to get wrong, and making it again. That’s the whole reason these games exist.

Each one is a serious game, the same category as planning poker or a well-run tabletop. Not gamified slideware, and not a party game. Each takes a security problem that normally lives in a document, a board decision under NIS2, a continuity plan, a system architecture, an incident, a risk number, and puts it on the table, where your technical people and your business people have to work it out together and out loud. Most of them run against your real environment, not a case study, so what you practice is the thing you’ll actually face.

Five games. Pick the problem you need your team to practice.

EXPOSURE

Security governance for the board table, not the server room. The only governance game built around what management actually decides under NIS2.

FAILOVER

Test your plan before the plan tests you. The only BCM exercise run against your actual continuity plan, not a case study.

FAULT LINE

Build the company, break it, learn why. The only risk workshop where you can point at the part that failed.

Malware & Monsters

Real decisions, real pressure, real learning. A tabletop incident response game where the scenario changes because of what you do.

So, tell me… (Risk Deck)

Your security people and your business people read the same incident, then have to agree on how bad it really is. Cooperative, print and play.

Not sure which fits?

Tell me about your team and what you want them to practice, and I’ll point you to the right game or a custom session.

No cookies here

Notice there’s no cookie banner here.
That’s intentional and the site is still GDPR-compliant. I chose to avoid cookies and stick to basic, privacy-friendly stats.
My analytics are cookieless: self-hosted Plausible (EU) and PostHog in cookieless mode, with your IP anonymized. No cross-site tracking, nothing that identifies you.
The one cookie I can set does the opposite of every other cookie: it tells my stats to ignore you completely, and you only get it if you ask.

Everybody wins.