Compliance now requires incident response exercises. NIS2, DORA, ISO 27001: they all say the exercises have to happen, and the auditors want them documented. The problem is not the requirement. The problem is that the exercises are boring and everyone knows it. You spend more time chasing calendar slots than running scenarios. Fix the boring problem and the rest collapses: people book themselves, the chasing stops, and you close the compliance gap with something that actually works instead of a checkbox.

That is why I built Malware & Monsters: a free tabletop role-playing game for incident response. Your team has to contain a real malware family before it evolves into something worse. One twenty-sided die, defined roles, an Incident Master running the table. Discussion is free. Actions roll. Modifiers stack the odds. Engagement is not a nice-to-have: it is the mechanism. Fun is what gets there first. When people are having fun they stop performing competence and start thinking out loud, which is the only state where the learning actually lands.

This is a practical talk: what Malware & Monsters is, what it is for, and how to run it yourself. It is free and fully documented. I will run a short round live, so you can feel what happens when a room of practitioners starts arguing about containment strategy in real time. If you want to know whether this would work for your team, that is your answer.

Speakers

Klaus Agnoletti

Storytelling Cyber Security Advisor, Relations Security

Klaus Agnoletti has been an all-round infosec professional since 2004. He co-founded BSides København in 2019. Recently he started out as an infosec freelancer focusing on storytelling in marketing, employer branding, game-based learning or wherever new ideas bring him.