I’ve had the chance to mix two of my activities this year. Some of you might know that I work in IT security … and others will know that I enjoy games of all sorts (boardgames, puzzles, challenges, riddles, …). As part of my job, I’ve been creating a serious game. This game is born of the desire to make my specific field of IT security more understood. You see, I work as a Red Teamer… It doesn’t ring a bell? Do not fear, it’s the same for many, including in IT.

Sooo, let’s start with a definition. According to the NIST, a Red Team is:

A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise cybersecurity by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.

That sounds cool doesn’t it? Yes, it is! For me it’s like a game where the Red Team is playing the role of malicious attackers. However, there’s so much more that makes red teaming valuable for a company and for the industry in general. There’s also much more than attacking the company for fun and profit. Red teaming is an over-hyped term and one that is often misused. This is were my game comes from, this idea of making people part of a (mock) Red Team operation to help them understand more about this field.

With that in mind, I wanted to play a role-playing game (RPG) with the audience… but how can one do that when the audience is 50 or 200 persons! I’ve settled on the closest alternative and created a “Choose Your Own Adventure” game. Yes, as in the book series from the eighties. In that game, you’re presented with a scenario that you can play. You are an external Red Team and have to perform a Red Team operation for your customer. On each page, you have multiple choices and (hopefully) you manage to get to the end of the game and provide valuable data points to your customer.

I’ve played that game multiple times now in different contexts (my team of experienced Red Teamers, IT security tech audience at Insomni’hack 2024, IT security high-level audience at FS-ISAC summit in Berlin). To enable everyone to vote, I’ve used simple paper cards (A5, strong paper), with coloured symbols on them. The symbols match the different choices that can be made in the game. And I, as the game master, will tell the story and tally the votes to continue the game. I thoroughly enjoyed playing this game with so many people and I think they did too :) If on top of that someone learnt a bit more about red teaming I’ve achieved my goals.

Example question

If you want to play the game too, or modify it for your own needs you can do it:

  • Play the game
  • Download the original .twee file: CYOA - Red Team edition.twee The game was created with Twinery and you can easily import and modify it in your browser. And I don’t explicitely license the game, feel free to do what you want with it. But of course credit is appreciated and I’d be interested to know what you did with it and how it went.

One last thing, kudos to Tim Malcolm Vetter who inspired this talk with his blog series: Choose Your Own Red Team Adventure And my thanks goes to Roei Sherman who had a look at my first draft and encouraged me to continue. He also did something similar but more targeted to business people, have a look at his blog.