Gamified Incident Response training

Testing your incident response (IR) plans is critical to maintaining strong and effective cybersecurity. By testing your plans, you can identify any weaknesses, improve responsiveness, strengthen trust within the organization, update outdated procedures and comply with regulatory requirements such as NIS2. The testing process allows the organization to take steps to improve its resources and procedures, anticipate and manage cyber attacks more effectively and minimize the damaging effects of a security incident.

We have turned IR training into a game

This has several advantages. Most importantly, it is more fun and engaging for everyone without compromising the goal of learning.

If you’ve played Dungeons & Dragons (D&D), you’re already familiar with the concept: armed with a game character and a 20-sided die, you’re part of a team that must work together to solve demanding challenges, all while the tides run high and one unexpected challenge after another must be overcome.

Where in D&D you move around in a strange world filled with magic, this is far more realistic: together with your team, you play through realistic security incidents. You can either be a character similar to something you know or you can be something completely different; it depends on what the goal of the training is. But no matter what, it is guaranteed to be both educational and fun.

Our game allows everyone on the team to have familiar roles such as:

  • Managing Director / CEO
  • IT Director / CIO
  • Chief Financial Officer / CFO
  • Head of Communications / CCO
  • Firewall, server or network administrator
  • IT security officer / CISO

The roles are just examples and can be adapted to the organization to the extent necessary.

As a starting point, the exercise can have one or more purposes

IR training

  • The scenarios played can be very general or built around existing IR plans adapted to the current technology stack.
  • Roles in the game can be adapted to the participants’ personalities.
  • The purpose is to train in a realistic scenario where there is an opportunity to discover weaknesses and unachieved potential in the existing IR plans – exactly like in a traditional training session.
  • Since everyone is playing a character that is not themselves, it is without the interfering egos that can be present in a traditional training session or in a real world situation.



  • The team plays unfamiliar roles, which creates sympathy and understanding of what happens in other parts of the business during a real security incident.


Enhancing processes

  • Does the existing IR plan meet its objective? Are there inconsistencies? We debrief the game together afterwards and uncover the potential for improvements.
  • Team building
  • IR training can also be a fun team exercise. By adding an element of play on top of learning, we fabricate a relevant scenario.

How the game should be carried out?

Whether the game should be carried out without extensive planning, based on a standard scenario or whether we should adapt the scenario and roles to the company’s existing IR plans and the participants, are up to you. It depends a lot on what the purpose of the exercise is.

Let’s talk about it if you are in doubt.

In general, the game works best if it doesn’t become super-technical, but instead becomes a widely represented, general exercise that is carried out across the company.

The game is controlled by an Incident Master (IM) and an Inject Assistant (IA) if needed. IM controls the course of the game on an overall level, whereas IA handles the individual injects that quite naturally occurs during the game. IM will always be an experienced cyber security specialist with long industry experience and specific experience within IR training.

In practice, it works like this: You set up a team, preferably with broad competences and responsibilities in the company. We show up with a scenario we have agreed on in advance. We play three rounds and each player performs two actions for each round. Each participant plays a character that, as previously mentioned, may or may not resemble their role in a real-life incident.

The game starts with the IM kicking off the scenario and setting the scene. It is then up to the team, guided by the IM, to navigate it and get the company back on track. Each time a player performs an action, e.g. discovering the ransomware at play or trying to deflate an upcoming shitstorm, a die is rolled to determine the course of action. And just when you think the worst is over, IA siderails the game with an injection; perhaps participants’ close family is affected by illness or something else that temporarily suspends them from the game. Just like in real life, unforeseen events happen which – as long as it is a game – makes it more fun and engaging.

The game usually takes 3-4 hours. It can be played by 6-10 people physically, virtually or hybrid.

The latter, however, requires a certain camera and microphone quality in the room where the majority of the players are, so everyone has an equal opportunity to both hear and see what is happening at all times during the game, regardless of where they are.

Get in touch if you are interested in knowing more.