You are the IR lead responding to a live cyber incident. Each turn represents a decision window. Act fast, contain the threat, and limit business impact — the attacker won't wait.
On first load you'll see the Start Scenario dialog. Enter your Team name, an Exercise ID (teams sharing the same Exercise ID appear on the same leaderboard), and choose a difficulty.
The Options ▾ button in the header opens the options panel — or press Esc from anywhere on the board. The panel shows your current team and exercise context as a pill at the top, and contains:
Each turn you have a limited number of Action Points, shown in the header as AP x/x. Each action you take on the network costs 1 AP. When your AP is exhausted, press Next Turn to advance to the next turn.
A formula line below the AP counter breaks down how your budget was calculated: Base 3 + bonus for high Detection Capability − penalties for low Containment Progress or low Availability. For example: Base 3 +1 detection = 4. Keeping your KPIs healthy earns you additional AP each turn.
You can also press Next Turn early — for example, to let time pass and observe how the attacker progresses without spending all your AP.
The optional Turn Timer appears in the header as a countdown card. Configure it in Options → Turn Timer, where you can enable/disable it, switch between 3m / 5m / 10m, and restart the timer for the current turn.
When the timer expires, the game shows a Turn Timer Expired overlay with a direct Next Turn button so teams can keep pace in timed exercises.
After pressing Next Turn, a Turn Recap overlay shows you what happened during that turn: events that fired, KPI changes, and any new SOC detections raised. Dismiss it to keep playing.
Each turn the attacker can advance their campaign. Events fire automatically based on scenario conditions — compromised nodes, weak containment, active C2 channels, and so on. You cannot prevent events from triggering, but you can reduce their impact by acting decisively early.
The canvas shows your organisation's network, divided into subnets (labelled boxes) containing nodes (individual hosts and devices). Each node shows its name and current status.
Click any node or subnet to open the Action Menu for that target. Actions are grouped by category and only show those relevant to the target's current state.
Drag any subnet to reposition it on the canvas. Positions are saved automatically per team and exercise.
Use the zoom controls (bottom-left of canvas) or Ctrl + scroll to zoom in and out. Click Reset Layout to restore default positions.
The media card above the canvas displays the most recent press article about the incident. Articles are styled as one of five formats — News Report, Analysis, Social Wire, Market Watch, or Opinion — each providing a different narrative angle on the unfolding crisis. Click the Newsroom button in the header to open the full media feed and read all published stories in chronological order.
Most game controls are accessible via keyboard so you can navigate the board quickly without reaching for the mouse.
| Key | Action |
|---|---|
| 1 | Switch Ops view to Metrics |
| 2 | Switch Ops view to Alerts |
| 3 | Switch Ops view to Findings |
| 4 | Switch Ops view to Timeline |
| Enter | Advance to Next Turn |
| Esc | Open / close the Options menu; also closes any open overlay |
Findings storage limits: the scenario stores up to 1 action-created finding per turn and 14 findings total. If a limit is reached, an action can still succeed but no new finding is saved in the Findings tab.
| Action | What it does |
|---|---|
| Run Malware Scan | Runs an EDR scan on the node. Builds detection capability and produces a finding. It can confirm malware indicators or find no high-confidence signs in the current sweep, but a compromised or encrypted host still needs containment or recovery afterward. May partially complete on noisy hosts or fail if the attacker has tampered with the agent. |
| Capture Memory | Acquires a forensic memory snapshot and produces a finding for analyst review. Improves follow-up triage and some later response actions, but does not directly change node status. Can be blocked by rootkits or access restrictions. |
| Investigate Alert | Triages an open SOC detection on this node. It can confirm compromise, clear false-positive suspicion, or leave the node suspicious when telemetry is still inconclusive. Only available when a 🔵 SOC alert is open on the node. |
| Enable SIEM Rule | Deploys a new detection rule pack to the SIEM. Large boost to Detection Capability across all sensors. |
| Action | What it does |
|---|---|
| EDR Isolate | Cuts the node from the network via the EDR agent. Strong containment, but the node becomes unavailable. Reversible with Lift EDR Isolation. |
| Lift EDR Isolation | Restores network connectivity. Always succeeds — use once the node is clean. |
| Isolate VLAN | Quarantines the node at the network switch level. Stronger than EDR isolation but may affect adjacent hosts on the same VLAN. |
| Lift VLAN Isolation | Restores VLAN connectivity. Always succeeds. |
| Isolate Subnet | (Subnet action) Severs all inter-subnet traffic for the entire subnet. Maximum containment — useful when multiple nodes are affected. |
| Lift Subnet Isolation | (Subnet action) Reconnects the subnet. Always succeeds. |
| Block Incoming Traffic | Pushes an ingress deny rule for malicious inbound traffic at the perimeter firewall. Reduces external attack surface while keeping intended business paths where possible. |
| Block Outgoing Traffic | Pushes an egress deny rule for malicious outbound/exfiltration traffic. Severs C2 callbacks and exfiltration channels. Critical when a data breach is suspected. |
| Unblock Incoming / Outgoing | Reverts the respective firewall rule. Always succeeds — but re-opening egress while a breach is unresolved increases regulatory exposure. |
| Disable Service | Terminates a suspicious process or service. May fail if the process is kernel-protected or has a persistence mechanism. |
| Shutdown | Remotely powers down the node. Hard containment — the node goes fully offline. Rarely fails but partial shutdown (OS hang) is possible on ransomware-affected hosts. |
| Action | What it does |
|---|---|
| Reset Credentials | Forces a bulk password reset across accounts associated with the node. Clears the creds_dumped threat flag. Should be done promptly after a credential theft event. |
| Verify Backup Integrity | Checks backup catalogue hashes against the vault. Confirms whether backups can be trusted before attempting a restore. Strongly recommended before Restore from Backup. |
| Restore from Backup | Attempts to restore a system from its last clean backup. Available on both Encrypted and Compromised nodes. Running this without verifying integrity first significantly increases the risk of restoring corrupted data. |
Most actions are not guaranteed to succeed. When you take an action, the result is one of three outcomes:
An Outcome Result card appears after every action explaining exactly what happened and why. Read it — it often contains a recommended next step.
Some administrative reversal actions — Lift EDR Isolation, Lift VLAN Isolation, Unblock Incoming, Unblock Outgoing, Lift Subnet Isolation — always succeed, as they undo policies you control.
Your performance is tracked across four KPIs, visible in the Ops → Metrics sidebar tab.
The network may contain Critical Applications — high-value services essential to business continuity. When you click a node or subnet, the action menu header displays any critical apps running there, including their description, criticality level (how vital to operations), and business-facing status (whether customer-visible). These details help you prioritise your response — e.g., a critical customer-facing database deserves faster recovery than internal tools.
The Severity badge in the top-right Metrics panel is computed in real time from your Impact KPI, system availability, and the number of compromised/encrypted nodes:
Your final score is calculated at the end of the scenario based on all four KPIs. A summary is available via Options → Summary, and a full debrief via Options → Debrief.
Teams sharing the same Exercise ID are ranked on the Scoreboard panel (Ops → Metrics, scroll down). Scores update after every action and turn.
When the attacker carries out activity, the SOC (Security Operations Centre) may raise a detection alert. Detections appear:
Detections with open status can be investigated using the Investigate Alert action on the affected node. A successful investigation will confirm or clear a compromise, adjusting the node's status accordingly. You can click alerts in the Alerts view or in the node action menu to open detailed context before responding.
The Ops tab contains four sub-views, switchable via the nav row:
When you click a node, the Action Menu provides a Recommended now suggestion and an Early-turn coach hint (especially in turns 1–3). Use these as a tactical baseline when under time pressure, then refine based on your timeline and evidence context.
The CISO tab shows governance injects from your Chief Information Security Officer. These arrive at key moments and require a decision: you choose from two or more options, each with different risk/cost trade-offs. The game pauses for CISO decisions — you must respond before you can start the next turn.
A pulsing indicator on the CISO tab means a decision is waiting. Delaying does not help — the game will not advance until the decision is made.
Investigation and response actions produce findings — structured evidence items saved to the Findings tab. These include:
Storage limits: up to 1 action-created finding per turn and 14 findings total per scenario. Event-generated findings can still consume total slots; once full, new findings are not stored.
| Finding | Produced by | Contains |
|---|---|---|
| EDR Scan Report | Run Malware Scan | Hash inventory, process list, threat indicators for the scanned node. |
| Memory Dump (metadata) | Capture Memory | Volatile memory metadata — running processes, network sockets, injected code indicators. |
| Firewall Policy Change | Block/Unblock Incoming or Outgoing | Record of the rule change, direction, timestamp, and requesting node context. |
| Identity Response | Reset Credentials | List of accounts affected, reset timestamp, and Kerberos ticket validity window. |
| Service Action Log | Disable Service | Process name, PID, stop method, and outcome. |
| Restore Summary | Restore from Backup | Backup set used, restore timestamp, and service health check result. |
| Recovery Forensics | Verify Backup Integrity | Snapshot hash comparison results, any mismatches flagged. |
| SIEM Rule Pack | Enable SIEM Rule | Detection signature IDs deployed and sensor coverage status. |
| Network Segmentation | Isolate / Lift Subnet | Subnet ID, isolation state, ACL change record. |
Reviewing findings doesn't just inform your decisions — it directly improves your tactical response odds. When you open a finding preview in the Findings tab, the system classifies the evidence and temporarily boosts your success odds on related response actions for the next 1–2 turns:
Gameplay Impact: Actively reviewing evidence as you respond creates urgency — if you have a credential finding in hand, now is the time to attempt Reset Credentials while the bonus is active. Evidence review becomes a strategic resource, not just an audit trail.
Findings also contribute to your baseline KPIs — Detection, Containment, and Impact metrics all shift based on the evidence class when you review a finding, providing both immediate tactical advantage and long-term insight.
The Lobby shows live leaderboard standings for all teams in an exercise. It's designed to be projected for group sessions.
The Facilitator panel gives instructors a real-time view of all active teams: their current KPIs, incident severity, turn number, and score. Facilitators can also pause or resume individual team sessions.
Use Options → Advanced → Seeded Start to start a scenario with a specific seed number. All teams given the same seed will face the exact same scenario, event sequence, and attacker behaviour — useful for controlled exercises where you want fair comparison between teams.