CybeRisk

// GAME MANUAL

How to play CybeRisk

CybeRisk is an asymmetric multiplayer strategy game. One player takes the Attacker role, the other takes the Defender (CISO) role. Actions play out over real time — minutes, hours, or days. Budget is the primary constraint on both sides.


Roles

THE HACKER — ATTACKER

Probe defenses, launch exploits, pivot through networks, and exfiltrate data before the CISO locks you out. Your income comes from successful operations — ransomware payments, data sales, and extortion.

EXAMPLE ACTIONS

  • → Reconnaissance — discover IP addresses and services
  • → Exploit — attempt to compromise a target system
  • → Pivot — move laterally through the network
  • → Exfiltrate — extract data from compromised systems

THE CISO — DEFENDER

Monitor your infrastructure, patch vulnerabilities, deploy honeypots, and respond to incidents before the breach goes critical. Your income grows from customers — protect them or lose them.

EXAMPLE ACTIONS

  • → Patch — close known vulnerabilities (takes time)
  • → Monitor — increase detection probability on a segment
  • → Honeypot — deploy decoys to trap and reveal attackers
  • → Incident Response — contain a confirmed breach

Nations

Attacker nations are drawn from MITRE ATT&CK groups with documented state-nexus. Defender nations are the most frequently targeted countries in the DBIR and ATT&CK victim intelligence. Nation selection is cosmetic / lore — it does not change starting budget or available items.

ATTACKER NATIONS (12)

🇨🇳

China

APT41, APT10

🇷🇺

Russia

APT28, APT29

🇰🇵

North Korea

Lazarus Group

🇮🇷

Iran

APT33, APT34

🇺🇸

United States

Equation Group

🇬🇧

United Kingdom

GCHQ

🇮🇱

Israel

Duqu, Stuxnet

🇻🇳

Vietnam

APT32

🇮🇳

India

SideWinder

🇵🇰

Pakistan

Transparent Tribe

🇹🇷

Turkey

Sea Turtle

🇱🇧

Lebanon

Dark Caracal

DEFENDER NATIONS (17)

🇺🇸

United States

US · T1

🇯🇵

Japan

JP · T1

🇮🇳

India

IN · T1

🇩🇪

Germany

DE · T1

🇬🇧

United Kingdom

GB · T2

🇫🇷

France

FR · T2

🇮🇹

Italy

IT · T2

🇰🇷

South Korea

KR · T2

🇨🇦

Canada

CA · T2

🇦🇺

Australia

AU · T2

🇳🇱

Netherlands

NL · T3

🇸🇦

Saudi Arabia

SA · T3

🇹🇼

Taiwan

TW · T3

🇵🇱

Poland

PL · T3

🇮🇱

Israel

IL · T3

🇺🇦

Ukraine

UA · T3

🇪🇪

Estonia

EE · T3

Tier 1 = largest markets (US multiplier 1.0). Tier 2 = mid-size. Tier 3 = small. Market size affects defender growth capacity. See Economy section below.


Economy & Budget

ATTACKER STARTS$50,000
DEFENDER STARTS$100,000
ECONOMY TICKevery 5 min

ATTACKER INCOME

No passive income by default. Income is earned through successful operations:

  • Purchasing Ransomware-as-a-Service ($10K) unlocks extortion income events
  • APT archetype (planned) receives state funding as passive income
  • Successful data exfiltration generates one-time payments

DEFENDER INCOME

Driven by a live customer growth simulation. Revenue accumulates every 5-minute tick:

  • Starts with a seed customer base determined by industry
  • Customers grow via S-curve (logistic) model — slows near market capacity
  • Must expand to new countries to continue growing past saturation

DEFENDER INDUSTRIES

Industry is chosen at onboarding and determines starting customers, revenue per customer, growth rate, mandatory compliance spend, and which cloud services deploy automatically. Breach value = attacker payout on full compromise (Ponemon-scaled).

Financial Services

$3,000

$25,000

$200,000

Technology

$2,500

$8,000

$150,000

Energy & Utilities

$2,200

$15,000

$130,000

Pharmaceutical

$2,000

$12,000

$160,000

Healthcare

$1,500

$18,000

$250,000

Manufacturing

$1,200

$5,000

$110,000

Retail

$1,000

$10,000

$95,000

Government

$900

$15,000

$80,000

Hospitality

$750

$5,000

$90,000

Education

$500

$0

$65,000

Compliance = mandatory spend locked from $100K starting budget on day one. Source: IBM Cost of a Data Breach Report 2024 (Ponemon Institute).


Defender Growth Model

Defender income follows a logistic (S-curve) model. Growth slows as the market approaches saturation and stops entirely at capacity — forcing deliberate country expansion.

capacity = industryBaseCapacity × countryMarketMultiplier
headroom = 1 − (customers / capacity)
new_customers = customers × dailyGrowthRate × headroom × elapsed_days
income_tick = customers × rev/customer/day × elapsed_days

At 50% capacity → 50% of base growth rate. At 90% → 10%. At 100% → growth stops. Expand or stagnate.

Financial Services

75

$40

0.5%

750

$3,000

Technology

100

$25

1.5%

2,000

$2,500

Energy & Utilities

200

$11

0.2%

1,000

$2,200

Pharmaceutical

50

$40

0.4%

500

$2,000

Healthcare

50

$30

0.6%

600

$1,500

Manufacturing

100

$12

0.3%

1,000

$1,200

Retail

200

$5

1.0%

4,000

$1,000

Government

300

$3

0.1%

1,500

$900

Hospitality

150

$5

0.8%

3,000

$750

Education

500

$1

0.5%

5,000

$500


Market Saturation & Country Expansion

When a country’s customer count approaches capacity, growth stalls. The player switches to CEO Mode — a strategic map overlay — to choose and pay for expansion into a new market. This is a deliberate decision, not automatic. Expansion widens the attack surface: every deployed service gets a new regional set of IP addresses.

01

Enter CEO Mode

Switch from the CISO dashboard to the strategic country map.

02

Pick a market

Review market size, expansion cost, and projected income uplift per country.

03

Pay and deploy

$25K infrastructure + compliance cost deducted. New customer pool and regional IPs go live.

expansion_cost = $25,000 (infrastructure) + industryComplianceBase × countryRegulatoryMultiplier
// Technology → Germany: $25,000 + $8,000 × 0.8 = $31,400
// Healthcare → US: $25,000 + $20,000 × 0.0 = $25,000

17 MARKETS — MULTIPLIERS

US

United States

Paid at onboarding

T1

1.00

0.0

JP

Japan

APPI

T1

0.55

0.6

IN

India

PDPB

T1

0.45

0.2

DE

Germany

GDPR

T1

0.40

0.8

GB

United Kingdom

UK GDPR

T2

0.35

0.7

FR

France

GDPR

T2

0.30

0.8

IT

Italy

GDPR

T2

0.25

0.8

KR

South Korea

PIPA

T2

0.25

0.5

CA

Canada

PIPEDA

T2

0.22

0.5

AU

Australia

Privacy Act

T2

0.20

0.5

NL

Netherlands

GDPR

T3

0.12

0.8

SA

Saudi Arabia

PDPL

T3

0.12

0.2

TW

Taiwan

PDPA

T3

0.10

0.5

PL

Poland

GDPR

T3

0.09

0.8

IL

Israel

Privacy Protection Law

T3

0.06

0.2

UA

Ukraine

Personal Data Law

T3

0.04

0.2

EE

Estonia

GDPR

T3

0.015

0.8


Cloud Attack Surface

Cloud services auto-deploy when the defender’s customer count crosses a threshold. Each service exposes individual IP addresses generated deterministically from a SHA-256 hash of the profile and service key — stable and reachable across sessions. Attackers must perform reconnaissance to discover them. When a defender expands to a new country, every deployed service gains an additional set of regional IPs.

UNIVERSAL SERVICES — ALL INDUSTRIES

Corporate Website

Public-facing presence — first recon target

Day 1

2

1

Email & Messaging

Email gateway — primary phishing vector

Day 1

3

1

CRM Platform

Customer PII and sales data

100 customers

2

1

Cloud Storage

Object store — misconfiguration = mass data exposure

200 customers

2

0

Remote Access VPN

Employee gateway — compromise = full network entry

300 customers

4

1

HR & Payroll

Employee PII and salary data

300 customers

2

0

Collaboration Suite

Video, chat, docs — insider threats thrive here

400 customers

3

1

Public API Gateway

Exposed endpoints — enumeration and abuse target

1,000 customers

4

2

Data Warehouse

Analytics store — exfil yields maximum intel value

2,000 customers

2

0

Content Delivery Network

Global edge — compromise enables supply-chain injection

5,000 customers

8

2

Software-intensive industries (Technology, Financial Services, Healthcare, Pharmaceutical, Government, Education, Energy & Utilities, Manufacturing) also deploy a Source Code Repository on day one — 3 IPs, 1 IPv6 prefix. Highest-value IP theft target.

INDUSTRY-SPECIFIC SERVICES

Payment Gateway

100

3

0

Financial Services, Retail, Hospitality

Online Banking Portal

1,000

4

1

Financial Services

Trading Platform

2,000

6

2

Financial Services

Electronic Health Records

50

3

0

Healthcare, Pharmaceutical

Telemedicine Portal

500

2

1

Healthcare

Patient Self-Service

1,000

3

1

Healthcare

Lab Information System

200

2

0

Pharmaceutical

R&D Data Platform

500

3

0

Pharmaceutical

SCADA/ICS Interface

50

4

0

Energy & Utilities, Manufacturing

ERP System

500

4

0

Energy & Utilities, Manufacturing

IoT Device Platform

1,000

6

2

Energy & Utilities, Manufacturing

E-Commerce Platform

100

4

1

Retail

POS Network

200

4

0

Retail, Hospitality

Warehouse Management

200

2

0

Retail, Manufacturing

Booking & Reservation

50

3

0

Hospitality

Learning Management System

200

3

1

Education

Student Portal

500

3

1

Education

Research Database

1,000

2

0

Education

Citizen Services Portal

500

3

1

Government

Case Management System

200

2

0

Government

Benefits & Permits

1,000

3

0

Government


Security Health — The CIA Triad

The defender’s organisation has three health metrics, rooted in the industry-standard CIA Triad. All three start at 100%. Attacker actions drain them. Defender purchases restore them instantly — there is no natural recovery. Let them fall and you bleed money every single tick.

C — CONFIDENTIALITY

Are your customers’ data and systems private? Every percentage below 100% triggers continuous customer churn and regulatory fines every tick.

→ customer loss per tick:

customers × 0.0003 × deficit%

→ GDPR/compliance fine per tick:

complianceCost × 0.005 × deficit%

I — INTEGRITY

Is your data and code trustworthy? Integrity damage cuts revenue quality and triggers continuous forensic remediation costs — the longer you leave it, the more you pay.

→ revenue multiplier:

income × (0.5 + 0.5 × I/100)

→ remediation drain per tick:

breachPayout × 0.003 × deficit%

A — AVAILABILITY

Are your systems up and serving customers? Availability is a direct multiplier on every dollar of revenue. A ransomware attack cutting this in half cuts your income in half — immediately.

→ revenue multiplier:

income × (A / 100)

→ combined worst case (A=50, I=0):

25% of normal income

BREACH EVENT THRESHOLDS — ONE-TIME PONEMON COSTS

When confidentiality first crosses a threshold downward, a one-time loss event fires — modelled on Ponemon Institute 2024 breach cost data. These stack and never reset: recovering confidentiality does not erase the historical loss.

< 80%

Minor Data Breach

$15,000 flat

+ 10% of breach value × fill-rate

< 50%

Significant Breach

$35,000 flat

+ 30% of breach value × fill-rate

< 20%

Major Breach — Catastrophic

$75,000 flat

+ 60% of breach value × fill-rate

fill-rate = customerCount ÷ industryBaseCapacity. A startup pays less in absolute terms than an enterprise. Example — Healthcare ($250K breach value) at 50% capacity, Significant Breach: $35K + $37.5K = $72.5K one-time hit.


Arsenal

Both sides invest their budget in one-time purchases. Each item permanently shifts the underlying FAIR risk equation — attack damage is not flat, it is a ratio of attacker Threat Capability vs defender Control Strength.

attackMultiplier = TCap / (TCap + CS)
effectiveDamage = intendedDelta × attackMultiplier
// Script kiddie (TCap≈25) vs hardened CISO (CS≈80) → 24% of damage lands
// APT (TCap≈120) vs same CISO (CS≈80) → 60% of damage lands

ATTACKER ARSENAL — 12 ITEMS

Each item raises Threat Capability (TCap). Base TCap = 20.

Phishing Kit

T1566

$500

+5

VPN / Proxy Chain

T1090

$800

+3

Credential Dump

T1589

$1,000

+5

Social Engineering Script

T1598

$1,500

+8

Known CVE Exploit

T1190

$2,000

+15

C2 Infrastructure

T1583

$3,000

+10

Botnet — 500 nodes

T1583

$5,000

+8

Custom Malware Loader

T1059

$8,000

+20

Ransomware-as-a-Service

T1486 · unlocks income

$10,000

+15

Insider Recruit

T1078

$15,000

+25

Botnet — 10K nodes

T1583

$20,000

+15

Zero-Day Exploit

T1190

$50,000

+40

Max TCap (all items): 189. At CS=0 every attack is full damage.

DEFENDER ARSENAL — 14 ITEMS

Each item raises Control Strength (CS) and may restore CIA metrics. Base CS = 0.

Security Awareness Training

PR.AT

$2,000

+8

MFA Rollout

PR.AC

$3,000

+12

C +10

Web Application Firewall

PR.PT

$4,000

+10

A +10

Threat Intelligence Feed

ID.RA

$6,000

+5

Deception Technology

DE.CM

$7,000

+5

EDR Solution

DE.CM

$8,000

+15

I +20

Data Loss Prevention

PR.DS

$9,000

+12

C +15

ISO 27001 Certification

GV.RM

$10,000

+8

Cyber Insurance Policy

RS.MI

$12,000

+0

C +10

SOC 2 Audit

GV.RM

$12,000

+8

SIEM Platform

DE.AE

$15,000

+10

I +10

Penetration Test

ID.RA

$15,000

+8

C/I/A +5

SOAR Platform

RS.MI

$18,000

+12

IR Retainer 24/7

RS.RP

$20,000

+5

A +20

Max CS (all items): 118. Even a max-geared CISO absorbs ~38% of a full APT’s damage.


Turn System

Actions are queued with a duration. Once submitted, they run in the background via a server-side job queue. You will be notified when an action completes. You do not need to be online — the game continues while you are away.

01

Queue an action

Select an action from your arsenal. Set a target. Confirm.

02

Wait for resolution

Actions resolve over minutes to hours in real time. You will be notified.

03

Adapt your strategy

Every completed action changes the board state. Respond or escalate.


Win Conditions

Win conditions are being finalised during the private beta. The current design direction:

ATTACKER WINS BY

  • Pushing confidentiality below 20% (Major Breach threshold) — triggering catastrophic Ponemon losses
  • Successfully exfiltrating data from a high-value service before the defender contains the breach
  • Bankrupting the defender through combined CIA drain, fines, and breach event costs

DEFENDER WINS BY

  • Detecting and containing the breach before the attacker reaches the Major threshold
  • Building Control Strength high enough to reduce attack damage to negligible levels
  • Outlasting the attacker’s budget — if their treasury hits zero, operations cease