2025-08-04 –, Diamond
Tired of boring tabletop exercises that put your team to sleep? Transform incident response training with an innovative roleplaying framework inspired by tabletop RPGs. This hands-on workshop guides you through designing engaging cybersecurity exercises using dice rolls, character abilities, and dynamic scenarios.
In this 4-hour session, you'll experience this approach through demonstration, then develop your own scenarios in small groups. Learn to create character roles with unique abilities, design realistic incident response challenges using the MITRE ATT&CK framework, and craft unexpected events that keep participants engaged.
This approach emphasizes the human elements of incident response, making it accessible to both technical and non-technical audiences. Groups will test each other's scenarios, providing immediate feedback for refinement.
You'll leave with a ready-to-implement scenario, facilitation skills as an "Incident Master," and community resources for continued development. Whether you're responsible for team training or building security culture, this workshop provides practical tools to make incident response training both fun and effective.
This intensive 4-hour workshop introduces cybersecurity professionals to an innovative roleplaying approach for incident response training. Moving beyond traditional tabletop exercises, participants will learn to design and implement dynamic scenarios that simulate the pressure, uncertainty, and collaborative decision-making required during real security incidents.
Workshop Value Proposition
Traditional IR exercises often fail to create authentic crisis environments or fully engage technical staff. This workshop presents a solution through:
- Character-based roleplaying that builds cross-functional understanding
- Game mechanics that simulate the uncertainty of real incidents
- Dynamic scenarios that evolve based on team decisions
- Collaborative problem-solving under realistic time constraints
Workshop Structure
Foundations (1 hour)
After brief introductions, participants learn core incident response roleplaying mechanics including character roles, action resolution, and facilitation techniques. A live demonstration with volunteers showcases how these mechanics create realistic incident dynamics.
Scenario Development (1 hour 15 minutes)
Participants learn IR scenario design principles focused on:
- Accurately representing attack patterns using MITRE ATT&CK
- Creating realistic incident detection and investigation challenges
- Simulating stakeholder management during incidents
- Balancing technical accuracy with engaging gameplay
Small groups then generate incident scenarios tailored to specific IR challenges like ransomware response, data breaches, or insider threats.
Hands-On Development (1 hour)
Groups develop detailed IR scenarios including:
- Escalation patterns reflecting real attacker behavior
- Decision points that test IR policies and procedures
- "Injects" simulating stakeholder demands and technical complications
- Round structures reflecting detection, containment, and recovery phases
Implementation and Practice (30 minutes)
Groups exchange scenarios for brief playtesting, providing immediate feedback. Participants then develop implementation plans for their own organizations, addressing team size, technical skill variance, and integration with existing IR programs.
Conclusion (15 minutes)
The workshop concludes with key takeaways and resources for continued development.
IR Training Focus
This workshop specifically addresses common IR training challenges:
- Simulating the pressure of time-sensitive security decisions
- Practicing stakeholder communications during incidents
- Building cross-functional teamwork between technical and non-technical roles
- Testing incident playbooks in unexpected scenarios
- Creating safe environments to practice difficult decision-making
- Developing empathy for various roles in the incident response process
Participants leave with ready-to-implement IR scenarios designed to test and strengthen their organization's incident response capabilities through engaging, realistic simulations that go beyond traditional tabletops.
Glen Sorensen is a Virtual Chief Information Security Officer (vCISO) with Cyber Risk Opportunities. He has worn numerous hats in his career, in areas such as security engineering and architecture, security operations, GRC, and leadership. He has held a variety of roles as an analyst, engineer, consultant, auditor, regulator, and information security officer for a financial institution.
Glen approaches problems with practical solutions that bring good business value and has worked across many sectors, including financial services, healthcare, manufacturing, and others. He has served as a consulting expert in a large legal case involving healthcare and cyber attack detection technology. He has been in IT and security for 15+ years, longer if you count years of misspent youth bending technology and countless hours of roleplaying games. He is a sucker for a good tabletop exercise and serves as an Incident Master for HackBack Gaming, the fun kind of TTX.
Klaus Agnoletti has been an all-round infosec professional since 2004. As a long-time active member of the infosec community in Copenhagen, Denmark, he co-founded BSides København in 2019.
Currently, he's a freelance storytelling cyber security advisor specializing in security transformation and community-focused marketing, employer branding, playing security games and other fun assignments and ideas coming his way.
Lately he has also become a neurodiversity advocate, speaking about ADHD to educate and break down taboos in an industry with a vast overrepresentation of neurodiversity and not very many talking about it.