// GAME MANUAL
How to play CybeRisk
CybeRisk is an asymmetric multiplayer strategy game. One player takes the Attacker role, the other takes the Defender (CISO) role. Actions play out over real time — minutes, hours, or days. Budget is the primary constraint on both sides.
Roles
THE HACKER — ATTACKER
Probe defenses, launch exploits, pivot through networks, and exfiltrate data before the CISO locks you out. Your income comes from successful operations — ransomware payments, data sales, and extortion.
EXAMPLE ACTIONS
- → Reconnaissance — discover IP addresses and services
- → Exploit — attempt to compromise a target system
- → Pivot — move laterally through the network
- → Exfiltrate — extract data from compromised systems
THE CISO — DEFENDER
Monitor your infrastructure, patch vulnerabilities, deploy honeypots, and respond to incidents before the breach goes critical. Your income grows from customers — protect them or lose them.
EXAMPLE ACTIONS
- → Patch — close known vulnerabilities (takes time)
- → Monitor — increase detection probability on a segment
- → Honeypot — deploy decoys to trap and reveal attackers
- → Incident Response — contain a confirmed breach
Nations
Attacker nations are drawn from MITRE ATT&CK groups with documented state-nexus. Defender nations are the most frequently targeted countries in the DBIR and ATT&CK victim intelligence. Nation selection is cosmetic / lore — it does not change starting budget or available items.
ATTACKER NATIONS (12)
China
APT41, APT10
Russia
APT28, APT29
North Korea
Lazarus Group
Iran
APT33, APT34
United States
Equation Group
United Kingdom
GCHQ
Israel
Duqu, Stuxnet
Vietnam
APT32
India
SideWinder
Pakistan
Transparent Tribe
Turkey
Sea Turtle
Lebanon
Dark Caracal
DEFENDER NATIONS (17)
United States
US · T1
Japan
JP · T1
India
IN · T1
Germany
DE · T1
United Kingdom
GB · T2
France
FR · T2
Italy
IT · T2
South Korea
KR · T2
Canada
CA · T2
Australia
AU · T2
Netherlands
NL · T3
Saudi Arabia
SA · T3
Taiwan
TW · T3
Poland
PL · T3
Israel
IL · T3
Ukraine
UA · T3
Estonia
EE · T3
Tier 1 = largest markets (US multiplier 1.0). Tier 2 = mid-size. Tier 3 = small. Market size affects defender growth capacity. See Economy section below.
Economy & Budget
ATTACKER INCOME
No passive income by default. Income is earned through successful operations:
- → Purchasing Ransomware-as-a-Service ($10K) unlocks extortion income events
- → APT archetype (planned) receives state funding as passive income
- → Successful data exfiltration generates one-time payments
DEFENDER INCOME
Driven by a live customer growth simulation. Revenue accumulates every 5-minute tick:
- → Starts with a seed customer base determined by industry
- → Customers grow via S-curve (logistic) model — slows near market capacity
- → Must expand to new countries to continue growing past saturation
DEFENDER INDUSTRIES
Industry is chosen at onboarding and determines starting customers, revenue per customer, growth rate, mandatory compliance spend, and which cloud services deploy automatically. Breach value = attacker payout on full compromise (Ponemon-scaled).
Financial Services
$3,000
$25,000
$200,000
Technology
$2,500
$8,000
$150,000
Energy & Utilities
$2,200
$15,000
$130,000
Pharmaceutical
$2,000
$12,000
$160,000
Healthcare
$1,500
$18,000
$250,000
Manufacturing
$1,200
$5,000
$110,000
Retail
$1,000
$10,000
$95,000
Government
$900
$15,000
$80,000
Hospitality
$750
$5,000
$90,000
Education
$500
$0
$65,000
Compliance = mandatory spend locked from $100K starting budget on day one. Source: IBM Cost of a Data Breach Report 2024 (Ponemon Institute).
Defender Growth Model
Defender income follows a logistic (S-curve) model. Growth slows as the market approaches saturation and stops entirely at capacity — forcing deliberate country expansion.
capacity = industryBaseCapacity × countryMarketMultiplier
headroom = 1 − (customers / capacity)
new_customers = customers × dailyGrowthRate × headroom × elapsed_days
income_tick = customers × rev/customer/day × elapsed_days
At 50% capacity → 50% of base growth rate. At 90% → 10%. At 100% → growth stops. Expand or stagnate.
Financial Services
75
$40
0.5%
750
$3,000
Technology
100
$25
1.5%
2,000
$2,500
Energy & Utilities
200
$11
0.2%
1,000
$2,200
Pharmaceutical
50
$40
0.4%
500
$2,000
Healthcare
50
$30
0.6%
600
$1,500
Manufacturing
100
$12
0.3%
1,000
$1,200
Retail
200
$5
1.0%
4,000
$1,000
Government
300
$3
0.1%
1,500
$900
Hospitality
150
$5
0.8%
3,000
$750
Education
500
$1
0.5%
5,000
$500
Market Saturation & Country Expansion
When a country’s customer count approaches capacity, growth stalls. The player switches to CEO Mode — a strategic map overlay — to choose and pay for expansion into a new market. This is a deliberate decision, not automatic. Expansion widens the attack surface: every deployed service gets a new regional set of IP addresses.
01
Enter CEO Mode
Switch from the CISO dashboard to the strategic country map.
02
Pick a market
Review market size, expansion cost, and projected income uplift per country.
03
Pay and deploy
$25K infrastructure + compliance cost deducted. New customer pool and regional IPs go live.
expansion_cost = $25,000 (infrastructure) + industryComplianceBase × countryRegulatoryMultiplier
// Technology → Germany: $25,000 + $8,000 × 0.8 = $31,400
// Healthcare → US: $25,000 + $20,000 × 0.0 = $25,000
17 MARKETS — MULTIPLIERS
US
United States
Paid at onboarding
T1
1.00
0.0
JP
Japan
APPI
T1
0.55
0.6
IN
India
PDPB
T1
0.45
0.2
DE
Germany
GDPR
T1
0.40
0.8
GB
United Kingdom
UK GDPR
T2
0.35
0.7
FR
France
GDPR
T2
0.30
0.8
IT
Italy
GDPR
T2
0.25
0.8
KR
South Korea
PIPA
T2
0.25
0.5
CA
Canada
PIPEDA
T2
0.22
0.5
AU
Australia
Privacy Act
T2
0.20
0.5
NL
Netherlands
GDPR
T3
0.12
0.8
SA
Saudi Arabia
PDPL
T3
0.12
0.2
TW
Taiwan
PDPA
T3
0.10
0.5
PL
Poland
GDPR
T3
0.09
0.8
IL
Israel
Privacy Protection Law
T3
0.06
0.2
UA
Ukraine
Personal Data Law
T3
0.04
0.2
EE
Estonia
GDPR
T3
0.015
0.8
Cloud Attack Surface
Cloud services auto-deploy when the defender’s customer count crosses a threshold. Each service exposes individual IP addresses generated deterministically from a SHA-256 hash of the profile and service key — stable and reachable across sessions. Attackers must perform reconnaissance to discover them. When a defender expands to a new country, every deployed service gains an additional set of regional IPs.
UNIVERSAL SERVICES — ALL INDUSTRIES
Corporate Website
Public-facing presence — first recon target
Day 1
2
1
Email & Messaging
Email gateway — primary phishing vector
Day 1
3
1
CRM Platform
Customer PII and sales data
100 customers
2
1
Cloud Storage
Object store — misconfiguration = mass data exposure
200 customers
2
0
Remote Access VPN
Employee gateway — compromise = full network entry
300 customers
4
1
HR & Payroll
Employee PII and salary data
300 customers
2
0
Collaboration Suite
Video, chat, docs — insider threats thrive here
400 customers
3
1
Public API Gateway
Exposed endpoints — enumeration and abuse target
1,000 customers
4
2
Data Warehouse
Analytics store — exfil yields maximum intel value
2,000 customers
2
0
Content Delivery Network
Global edge — compromise enables supply-chain injection
5,000 customers
8
2
Software-intensive industries (Technology, Financial Services, Healthcare, Pharmaceutical, Government, Education, Energy & Utilities, Manufacturing) also deploy a Source Code Repository on day one — 3 IPs, 1 IPv6 prefix. Highest-value IP theft target.
INDUSTRY-SPECIFIC SERVICES
Payment Gateway
100
3
0
Financial Services, Retail, Hospitality
Online Banking Portal
1,000
4
1
Financial Services
Trading Platform
2,000
6
2
Financial Services
Electronic Health Records
50
3
0
Healthcare, Pharmaceutical
Telemedicine Portal
500
2
1
Healthcare
Patient Self-Service
1,000
3
1
Healthcare
Lab Information System
200
2
0
Pharmaceutical
R&D Data Platform
500
3
0
Pharmaceutical
SCADA/ICS Interface
50
4
0
Energy & Utilities, Manufacturing
ERP System
500
4
0
Energy & Utilities, Manufacturing
IoT Device Platform
1,000
6
2
Energy & Utilities, Manufacturing
E-Commerce Platform
100
4
1
Retail
POS Network
200
4
0
Retail, Hospitality
Warehouse Management
200
2
0
Retail, Manufacturing
Booking & Reservation
50
3
0
Hospitality
Learning Management System
200
3
1
Education
Student Portal
500
3
1
Education
Research Database
1,000
2
0
Education
Citizen Services Portal
500
3
1
Government
Case Management System
200
2
0
Government
Benefits & Permits
1,000
3
0
Government
Security Health — The CIA Triad
The defender’s organisation has three health metrics, rooted in the industry-standard CIA Triad. All three start at 100%. Attacker actions drain them. Defender purchases restore them instantly — there is no natural recovery. Let them fall and you bleed money every single tick.
C — CONFIDENTIALITY
Are your customers’ data and systems private? Every percentage below 100% triggers continuous customer churn and regulatory fines every tick.
→ customer loss per tick:
customers × 0.0003 × deficit%
→ GDPR/compliance fine per tick:
complianceCost × 0.005 × deficit%
I — INTEGRITY
Is your data and code trustworthy? Integrity damage cuts revenue quality and triggers continuous forensic remediation costs — the longer you leave it, the more you pay.
→ revenue multiplier:
income × (0.5 + 0.5 × I/100)
→ remediation drain per tick:
breachPayout × 0.003 × deficit%
A — AVAILABILITY
Are your systems up and serving customers? Availability is a direct multiplier on every dollar of revenue. A ransomware attack cutting this in half cuts your income in half — immediately.
→ revenue multiplier:
income × (A / 100)
→ combined worst case (A=50, I=0):
25% of normal income
BREACH EVENT THRESHOLDS — ONE-TIME PONEMON COSTS
When confidentiality first crosses a threshold downward, a one-time loss event fires — modelled on Ponemon Institute 2024 breach cost data. These stack and never reset: recovering confidentiality does not erase the historical loss.
< 80%
Minor Data Breach
$15,000 flat
+ 10% of breach value × fill-rate
< 50%
Significant Breach
$35,000 flat
+ 30% of breach value × fill-rate
< 20%
Major Breach — Catastrophic
$75,000 flat
+ 60% of breach value × fill-rate
fill-rate = customerCount ÷ industryBaseCapacity. A startup pays less in absolute terms than an enterprise. Example — Healthcare ($250K breach value) at 50% capacity, Significant Breach: $35K + $37.5K = $72.5K one-time hit.
Arsenal
Both sides invest their budget in one-time purchases. Each item permanently shifts the underlying FAIR risk equation — attack damage is not flat, it is a ratio of attacker Threat Capability vs defender Control Strength.
attackMultiplier = TCap / (TCap + CS)
effectiveDamage = intendedDelta × attackMultiplier
// Script kiddie (TCap≈25) vs hardened CISO (CS≈80) → 24% of damage lands
// APT (TCap≈120) vs same CISO (CS≈80) → 60% of damage lands
ATTACKER ARSENAL — 12 ITEMS
Each item raises Threat Capability (TCap). Base TCap = 20.
Phishing Kit
T1566
$500
+5
VPN / Proxy Chain
T1090
$800
+3
Credential Dump
T1589
$1,000
+5
Social Engineering Script
T1598
$1,500
+8
Known CVE Exploit
T1190
$2,000
+15
C2 Infrastructure
T1583
$3,000
+10
Botnet — 500 nodes
T1583
$5,000
+8
Custom Malware Loader
T1059
$8,000
+20
Ransomware-as-a-Service
T1486 · unlocks income
$10,000
+15
Insider Recruit
T1078
$15,000
+25
Botnet — 10K nodes
T1583
$20,000
+15
Zero-Day Exploit
T1190
$50,000
+40
Max TCap (all items): 189. At CS=0 every attack is full damage.
DEFENDER ARSENAL — 14 ITEMS
Each item raises Control Strength (CS) and may restore CIA metrics. Base CS = 0.
Security Awareness Training
PR.AT
$2,000
+8
—
MFA Rollout
PR.AC
$3,000
+12
C +10
Web Application Firewall
PR.PT
$4,000
+10
A +10
Threat Intelligence Feed
ID.RA
$6,000
+5
—
Deception Technology
DE.CM
$7,000
+5
—
EDR Solution
DE.CM
$8,000
+15
I +20
Data Loss Prevention
PR.DS
$9,000
+12
C +15
ISO 27001 Certification
GV.RM
$10,000
+8
—
Cyber Insurance Policy
RS.MI
$12,000
+0
C +10
SOC 2 Audit
GV.RM
$12,000
+8
—
SIEM Platform
DE.AE
$15,000
+10
I +10
Penetration Test
ID.RA
$15,000
+8
C/I/A +5
SOAR Platform
RS.MI
$18,000
+12
—
IR Retainer 24/7
RS.RP
$20,000
+5
A +20
Max CS (all items): 118. Even a max-geared CISO absorbs ~38% of a full APT’s damage.
Turn System
Actions are queued with a duration. Once submitted, they run in the background via a server-side job queue. You will be notified when an action completes. You do not need to be online — the game continues while you are away.
01
Queue an action
Select an action from your arsenal. Set a target. Confirm.
02
Wait for resolution
Actions resolve over minutes to hours in real time. You will be notified.
03
Adapt your strategy
Every completed action changes the board state. Respond or escalate.
Win Conditions
Win conditions are being finalised during the private beta. The current design direction:
ATTACKER WINS BY
- → Pushing confidentiality below 20% (Major Breach threshold) — triggering catastrophic Ponemon losses
- → Successfully exfiltrating data from a high-value service before the defender contains the breach
- → Bankrupting the defender through combined CIA drain, fines, and breach event costs
DEFENDER WINS BY
- → Detecting and containing the breach before the attacker reaches the Major threshold
- → Building Control Strength high enough to reduce attack damage to negligible levels
- → Outlasting the attacker’s budget — if their treasury hits zero, operations cease