2026-05-06 –, IFEN room 3 Workshops and AI Security Village (Building D)
Incident response isn't just about knowing your tools - it's about coordinating under pressure, communicating when things go sideways, and making calls with incomplete information. Traditional training focuses on isolated techniques, missing the collaborative reality of actual incidents. And most tabletop exercises? Painfully dull. Participants zone out, give checkbox answers, and leave having learned little.
This workshop introduces Malware & Monsters (https://malwareandmonsters.com), a framework that turns IR training into something people actually enjoy. Think tabletop role-playing meets creature-collection mechanics, where teams "hunt and contain" digital threats through story-driven gameplay.
Game-based learning works - research shows it beats traditional instruction for skill building and retention. M&M makes participants actively discover concepts instead of sitting through lectures. Scenarios include organizational pressures, evolving threats, and stakeholder drama, turning abstract security concepts into tangible problems.
You'll experience the full methodology: learn the mechanics, build custom scenarios based on real malware families (mapped to MITRE ATT&CK), and run live simulations. Participants take specialized roles - Hunter, Analyst, Forensicator, Communicator, Coordinator, or Researcher - experiencing how security functions actually collaborate during incidents.
The framework includes legacy malmons from malware history—because history always repeats itself, and understanding past threats reveals patterns in current attacks. The "type effectiveness" system teaches strategic thinking about matching defenses to threats. Evolution mechanics show how attacks escalate when containment fails.
Participants walk away with ready-to-use materials and facilitation techniques for training that actually works.
Best of all? M&M is free to play in most cases.
Klaus Agnoletti has been an all-round infosec professional since 2004. As a long-time active member of the infosec community in Copenhagen, Denmark, he co-founded BSides København in 2019.
Currently he's a freelance storytelling cyber security advisor specializing in security transformation and community focused marketing, employer branding, playing security games and other fun assignments and ideas coming his way.
Lately he has also become a neurodiversity advocate speaking about ADHD to educate and break down taboos in an industry with a vast overrepresentation of neurodiversity and not very many talking about it.
Glen Sorensen is a Recovering CISO/vCISO-Type and is presently a Solutions Engineer with DeleteMe. He has worn numerous hats in his career, in areas such as security engineering and architecture, security operations, GRC, and leadership, including leading the security program for a credit union and for smaller organizations in a fractional role. He currently focuses on how exposed information and OSINT are weaponized in conjunction with AI toward social engineering attacks, and how that factors into greater enterprise cyber risk.
Glen approaches problems with practical solutions that bring good business value and has worked across many sectors, including financial services, healthcare, manufacturing, and others. He has served as a consulting expert in a large legal case involving healthcare and cyber attack detection technology. He has been in IT and security for 20+ years, depending on how much misspent youth you count. He is a privacy geek and a sucker for a good tabletop exercise, and also serves as an Incident Master for HackBack Gaming, which puts his countless hours of roleplaying game experience to work teaching people about cybersecurity and incident response.