Free Cyber Security Games
How To Play
Game Background
You’ve just been hired as the Security Architect for a fast-growing law firm, globally recognized as the go-to for some of the world’s biggest and most sensitive legal cases.
Their meteoric rise has catapulted them into the spotlight—but while the headlines got bigger, their security posture stayed the same. Behind the scenes, their defenses are outdated, fragmented, and dangerously unprepared for the level of threat they now face. Now, they’re a prime target for nation-state actors and elite cybercrime syndicates. Attacks are relentless. Resources are limited. And you’ve got just 24 months to turn things around. One wrong move could mean front-page headlines, massive financial losses, and careers destroyed.
Objectives
Your primary objective is to survive all 24 months without your organization being compromised by a cyber attack. If a cyber attack is successful, you immediately lose the game. At the end of the 24 months, you win the game.
Additionally, there are several secondary objectives that are used to calculate a unique score at the end of your game. These secondary objectives are derived from the real-world need to create a security program that not only secures an organization but does so in a cost-effective and minimally invasive way. Accordingly, unspent credits, employee productivity, and security posture are used to calculate the ending game score.
Game Metrics
- Security Budget: Represented as an allotment of credits. Credits are used when attempting to implement or deploy certain actions. The starting value is 100/100.
- Productivity: Represented as a 0-100 score and is used to determine how invasive a security program is in terms of reducing or increasing the productivity of employees in an organization. The starting value is 75/100.
- Security Posture: Represented as a 0-100 score and is used to determine how effective a security program is in terms of mitigating cyber security threats across an organization. The starting value is 0/100.
- Month: Represented as a 1-24 value and is used to represent what month the game is currently on. The starting value is 1/24.
Turn Order
The Security Architect is a turn-based game where months represent turns. Each month, a series of events take place, which are processed in the following order:
- Action Submission Phase: The action submission phase is at the start of the month. During this phase, players can plan and choose their next action. Once an action is submitted, the turn begins.
- Action Processing Phase: If an action is due to be completed, it is processed immediately after the month starts.
- Attack Processing Phase: If an attack is due to take place, it occurs immediately after the action processing phase.
- Game Change Phase: If there is a change in game state, such as a game win, game loss, or annual budget refresh, it occurs after the attack processing phase.
Example: Let's say you are on Month 3. You submit an action that will take 2 months to complete (e.g., Deploying SSO), and an attack is due to take place in Month 4. In this scenario, events will be processed in the following order:
- Month 3: Starts
-
- Action Submission Phase: You submit the action to deploy SSO.
- Action Processing Phase: SSO deployment action was processed but not completed (Month 1/2).
- Attack Processing Phase: No attack processed.
- Game Change Phase: No change in game state.
- Month 3: Ends
- Month 4: Starts
-
- Action Submission Phase: Skipped as SSO deployment is still in progress.
- Action Processing Phase: SSO deployment action processed and completed (Month 2/2).
- Attack Processing Phase: Attack processed and successfully evaded.
- Game Change Phase: No change in game state.
- Month 4: Ends
Budget Refresh
At the start of month 13, your annual security budget is refreshed. Make sure to spend as much of your security budget as possible before this refresh; if you don't use it, you lose it!
By default, your budget will refresh back to 100 credits. However, two criteria can influence whether you are given more or less than this baseline:
- Employee Productivity: The starting employee productivity is 75/100. Any increases or decreases have a 1 to 1 effect on the security budget. For example, if productivity decreases by 5, then the budget is decreased by 5 credits.
- ISO 27001 Certification: If an ISO 27001 certification is obtained prior to the start of month 13, the leadership team will provide you with a bonus of 70 credits.
Game Interface
Throughout the game, you’ll navigate between four main tabs to manage your defenses and respond to threats:
- Action Selection: Choose from 30 different security measures to implement. Actions are searchable and categorized into their respective control grouping (e.g., Identity Security, Human Security, etc.). Hover over each action to view a tooltip showing its financial cost, impact on security posture and productivity, and time to deploy.
- Deployed Controls: Displays all actions you’ve implemented so far, allowing you to keep track of your current defenses and any prerequisites you've already fulfilled.
- Incident Log: Shows a history of past attacks, including which months the attacks took place, whether the attack succeeded, and what the attack attempted to exploit.
- Threat Intelligence: Reveals upcoming attacks and suggests which actions you should implement to mitigate them. Use this to plan ahead and prevent breaches before they happen.
More Information
Are you after a full list of security actions or cyber attacks, or have some questions? Check out our knowledge base article.
How To Play
Game Background
You’re stepping into the digital underground as an ambitious newcomer—a rookie blackhat with big dreams of infamy and rapid wealth. The allure of quick cash and a notorious name draws you in, even though you're just beginning to learn the ropes.
In your 24-month journey, you'll dive headfirst into a whirlwind of skill-building and high-risk exploits. Every line of code you write and every social engineering tactic you test is a gamble between skyrocketing success and catastrophic failure. The targets on your radar range from corrupt corporate giants to unsuspecting institutions—each hack a chance to etch your name into the dark annals of cybercrime.
Yet, while the promise of fame and fortune fuels your ambition, your inexperience means the stakes are higher than ever. One wrong move, one poorly executed breach, could unravel your fledgling career before it truly takes off. The digital arena is unforgiving, and the margin for error is razor-thin. Welcome to a world where every breakthrough could be your ticket to legendary status—or your downfall.
Objectives
Your primary objective is to survive all 24 months without being identified by law enforcement and without running out of credits. At the end of the 24 months, you win the game.
Additionally, there are several secondary objectives that are used to calculate a unique score at the end of your game. These secondary objectives are derived from the real-world risks and drivers that hackers have. Credits, street cred, and skill level are all factors used to calculate the ending game score.
Game Metrics
- Funds: Represented as an allotment of credits. Credits are used when attempting to procure hacking tools, hacking infrastructure, and data dumps, and also as an ongoing living expense of 2 credits per month. You have a starting balance of 30 credits.
- Street Cred: Represented as a 0-100 score and is used to determine what your reputation is among the hacking and law enforcement communities. A high reputation provides you with access to hacking tools that are otherwise restricted but also puts you at a higher risk of being targeted and found by law enforcement. The starting value is 0/100.
- Skill Level: Represented as a 0-100 score and is used to determine how knowledgeable you are as a hacker. A higher skill level unlocks the ability to use certain types of tools, perform certain types of attacks, increase the likelihood an attack is successful, and avoid detection by law enforcement. The starting value is 0/100.
- Month: Represented as a 1-24 value and is used to represent what month the game is currently on. The starting value is 1/24.
Turn Order
The Social Engineer is a turn-based game where months represent turns. Each month, a series of events take place, which are processed in the following order:
- Action Submission Phase: The action submission phase is at the start of the month. During this phase, players can plan and choose their next action. Once an action is submitted, the turn begins.
- Action Processing Phase: If an action is due to be completed, it is processed immediately after the month starts.
- Law Enforcement Phase: If a law enforcement action is due to take place, it occurs immediately after the action processing phase.
- Game Change Phase: If there is a change in game state, such as a game win or loss, it occurs after the law enforcement phase. Additionally, during this phase, a monthly living expense cost of 2 credits is incurred. If this results in a negative credit balance, the game is lost.
Example: Let's say you are on Month 6. You submit an action that will take 2 months to complete (e.g., Spear Phishing Campaign Targeting Company Finance Teams). In this scenario, events will be processed in the following order:
- Month 6: Starts
-
- Action Submission Phase: You submit the action to run a Spear Phishing Campaign Targeting Company Finance Teams.
- Action Processing Phase: Attack action was processed but not completed (Month 1/2).
- Law Enforcement Phase: No attack processed.
- Game Change Phase: No change in game state.
- Month 6: Ends
- Month 7: Starts
-
- Action Submission Phase: Skipped as attack is still in progress.
- Action Processing Phase: Cyber attack action processed and successful (Month 2/2).
- Law Enforcement Phase: Whilst the attack was successful, law enforcement were able to identify and arrest you.
- Game Change Phase: Game is lost.
- Month 7: Ends
Game Interface
Throughout the game, you’ll navigate between four main tabs to manage your attacks and respond to threats:
- Action Selection: Choose from 40 different actions that are categorized into three distinct groups. Learning actions increase your hacking skill level. Procurement actions provide access to tools and data dumps. Attack actions perform cyber attacks that can increase credits, skill, and street cred.
- Tools & Knowledge: Displays all learning undertaken, hacker tools deployed, and risk reduction efforts implemented.
- Attack Log: Shows a history of past attacks, including which months the attacks took place, whether the attack succeeded, and what the outcome of the attack was (e.g. provided credits, street cred, or law enforcement response).
- Threat Intelligence: Reveals chatter on dark web forums and marketplaces of potential law enforcement honeypots and provides insight into upcoming law enforcement actions.
More Information
Are you after a full list of actions or have some questions? Check out our knowledge base article.