Malware & Monsters

Real decisions. Real pressure. Real learning.

The only IR exercise where the scenario changes because of what you do.
A tabletop incident response training game built on the HackBack framework. Played at BSides conferences across Europe and North America.

IR training that actually sticks

IR teams know the playbook. The playbook does not cover what is happening right now. Most tabletop exercises replay the same predetermined narrative regardless of what the team decides. Participants quickly learn to wait for the next slide.

Malware & Monsters is different. The scenario branches based on the decisions your team makes. A missed detection in round two changes what attackers can do in round three. A communication failure ripples forward. The pressure is real because the consequences are real, inside the game.

Traditional IR training treats people as recipients of information. Malware & Monsters treats them as decision-makers under pressure. The difference in retention and team cohesion is immediately visible in the debrief.

Most organisations run a tabletop once a year and call it done. Their teams remember the pizza, not the lessons. Malware & Monsters changes that.

Team playing the Malware and Monsters tabletop game around a game board

THE GAME

What Malware & Monsters actually is

Malware & Monsters is a tabletop role-playing game for incident response training. It is built on the HackBack framework: a structured approach to security exercises developed for practitioners, by practitioners. Each player takes on one of six specialist roles and responds to a live threat scenario that evolves as the session progresses.

Sessions run from 60 minutes to a full day depending on format. The standard format puts one Incident Manager with four to six players responding to a single threat chain. The large-group format divides fifteen to twenty participants into three specialist teams running coordinated tracks: threat hunting, forensic analysis, and communications, with interdependencies that force cross-team coordination.

The game runs without screens, without a slide deck, and without a facilitator reading from a script. Scenario injects arrive as physical cards. Decisions are made at the table. The Incident Manager calls the shots and lives with the consequences.

Every session is designed to surface the gaps in your team’s IR capability, not as a critique delivered after the fact, but as something that becomes visible in real time as the scenario develops.

SPECIALIST ROLES

The six specialist roles

Incident Manager

Coordinates the overall response. Owns decisions, delegates tasks, manages the timeline. Everything flows through the IM.

Threat Hunter

Identifies attacker presence and movement across the environment. Feeds findings to the Analyst and Forensicator.

Forensic Analyst

Reconstructs what happened and when. Preserves evidence integrity and builds the timeline the team will use in debrief.

Communications Officer

Manages internal and external communications. Decides what gets said, to whom, and when, including what does not get said.

Response Coordinator

Tracks action items, owns the incident log, and keeps the team from losing threads under pressure.

Threat Researcher

Provides threat intelligence and context. Researches attacker TTPs in real time and briefs the team on what they are likely facing.

LEARNING OUTCOMES

What your team walks away with

Threat detection and triage under pressure

Practise identifying and prioritising real threats when the clock is running and information is incomplete.

IR coordination across specialist functions

Experience what cross-role coordination looks like under pressure, and where it breaks down.

Cross-team communication when it matters

Build the habit of communicating clearly and early, before a real incident makes the cost of silence obvious.

Decision-making with incomplete information

Develop the judgment to act decisively when you do not have the full picture, which is always the case in a real incident.

Evidence handling and chain of custody

Learn what evidence integrity requires in practice, not just in theory, before a real incident puts it to the test.

Post-incident debrief skills that drive real improvement

Walk out of every session with specific lessons and a structured way to carry them forward into real-world practice.

HOW IT WORKS

How a session runs

Briefing: Roles assigned, scenario context established, ground rules set. No advance reading required.

Round 1: Initial indicators surface. Team triage and decides first responses. Scenario branches based on decisions made.

Round 2: Attacker actions escalate or pivot based on round one outcomes. Gaps in the round one response become visible.

Round 3: Resolution phase. Final decisions made, incident contained or not. Communications tested.

Debrief: Structured review using the HackBack debrief protocol. Teams identify not just what they would do differently, but form Implementation Intentions: specific “if this situation, then this action” commitments that make the learning actionable rather than abstract.

Who this is for

Malware & Monsters works for IR teams, SOC teams, and mixed security groups who need to build shared response capability without taking people offline for a full-day course. It runs with as few as four and as many as twenty participants.

Typical groups include incident responders and analysts who need to test coordination, security managers who need to understand where their team’s gaps are, and cross-functional groups where IT, security, and communications need to build a shared response muscle.

It does not require prior tabletop experience. It does require participants who are willing to make decisions under pressure and debrief honestly about what they got wrong.

NIS2 MAPPING

How Malware & Monsters maps to NIS2 incident handling

RequirementWhat it asksHow Malware & Monsters addresses it
NIS2 Article 21(2)(b), incident handlingEntities have incident-handling measures in placeRehearses incident handling as a branching tabletop where decisions change the outcome
NIS2 Article 23, reporting obligationsSignificant incidents are reported within set deadlines, 24h early warning and 72h notificationPuts the reporting decision and the clock into the exercise so the team practises it
General IR readinessTeams can detect, respond to, and recover from incidentsBuilds the instinct through repeated realistic decisions, not slideware

FAQ

Frequently asked questions

Can Malware & Monsters be used for NIS2 incident-response training?
Yes. It rehearses the incident handling and decision-making that NIS2 Article 21 expects, including the reporting clock from Article 23, as a branching tabletop where what the team does changes what happens next.
What makes it different from a scripted tabletop?
The scenario is not on rails. It changes because of the decisions the team makes, so people practise judgement under uncertainty rather than following a script.
Who is it for?
Incident responders, security teams, and the wider group that gets pulled into a real incident. It has been played at BSides conferences across Europe and North America.
How long is a session?
A facilitated tabletop session that fits a team’s day, shaped to the scenario you want to rehearse.
Do we need our own scenario?
No. It is built on the HackBack framework and can bring its own scenario, or run against one from your environment.
Is it a card game or a full exercise?
It is a tabletop incident-response training game. The game mechanics carry a real exercise, they are not the point in themselves.

Ready to put your team through it?

Sessions run on-site. Format and duration adapt to your group size and objectives.

Explore the full serious games lineup.

Why it works, and where the frameworks demand it: stop running boring tabletop exercises, CMMC incident response testing, and the FAR CUI rule.

No cookies here

Notice there’s no cookie banner here.
That’s intentional and the site is still GDPR-compliant. I chose to avoid cookies and stick to basic, privacy-friendly stats.
My analytics are cookieless: self-hosted Plausible (EU) and PostHog in cookieless mode, with your IP anonymized. No cross-site tracking, nothing that identifies you.
The one cookie I can set does the opposite of every other cookie: it tells my stats to ignore you completely, and you only get it if you ask.

Everybody wins.