Play here: https://caniphish.com/free-cyber-security-games
Game Introduction:
You’ve just been hired as the Security Architect for a fast-growing law firm, globally recognized as the go-to for some of the world’s biggest and most sensitive legal cases.
Their meteoric rise has catapulted them into the spotlight—but while the headlines got bigger, their security posture stayed the same. Behind the scenes, their defenses are outdated, fragmented, and dangerously unprepared for the level of threat they now face. Now, they’re a prime target for nation-state actors and elite cybercrime syndicates. Attacks are relentless. Resources are limited. And you’ve got just 24 months to turn things around. One wrong move could mean front-page headlines, massive financial losses, and careers destroyed.
Image: Screenshot of the 'Action Selection' tab. The player is deciding whether they should select 'Deploy A Secure Email Gateway' as their security action for this turn. A solid option with significant benefits in these early stages!
How to Play:
The Security Architect is a turn-based cyber security game that spans 24 months. To win, you must defend your organization against a continuous stream of cyber attacks that are increasingly difficult to defend against. Each month, you have the opportunity to enhance your organization's cyber defenses. You must balance short-term defenses with long-term resilience to prevent breaches and strengthen your organization’s security posture.
Objectives
Your primary objective is to survive all 24 months without your organization being compromised by a cyber attack. If a cyber attack is successful, you immediately lose the game. At the end of the 24 months, you win the game.
Additionally, there are several secondary objectives that are used to calculate a unique score at the end of your game. These secondary objectives are derived from the real-world need to create a security program that not only secures an organization but does so in a cost-effective and minimally invasive way. Accordingly, unspent credits, employee productivity, and security posture are used to calculate the ending game score.
Game Metrics
- Security Budget: Represented as an allotment of credits. Credits are used when attempting to implement or deploy certain actions. The default value is 100/100.
- Productivity: Represented as a 0-100 score and is used to determine how invasive a security program is in terms of reducing or increasing the productivity of employees in an organization. The default value is 75/100.
- Security Posture: Represented as a 0-100 score and is used to determine how effective a security program is in terms of mitigating cyber security threats across an organization. The default value is 0/100.
- Month: Represented as a 1-24 value and is used to represent what month the game is currently on. The default value is 1/24.
Strategic Gameplay
Each turn, you choose one action from a list of real-world-inspired security measures—like deploying email filters, running phishing simulations, or investing in awareness training. Each action includes:
- A credit cost (some are free)
- A deployment time (1, 2, or 3 months)
- A potential impact on productivity
Once selected, time advances by the number of months the action takes to complete. For example, a 3-month action means you move ahead three months. During that time, your organization is vulnerable—if you haven’t already built up a layered defense, you may be exposed to cyber-attacks.
Note: Cyber attacks can occur at any month. If you’re deploying a 3-month action, there’s a chance you could face multiple attacks during that period.
Some actions are temporary, providing short-term protection, while others are permanent and continue to strengthen your organization over time. Use temporary actions tactically—especially when paired with threat intelligence, which allows you to preview potential future attacks.
Certain actions also have prerequisites, meaning they require one or more other actions to be completed before they become available. This adds a strategic planning layer to your defence-building efforts.
Midway Budget Review
At the start of month 13, your annual security budget is refreshed. Make sure to spend as much of your security budget as possible before this refresh; if you don't use it, you lose it!
By default, your budget will refresh back to 100 credits. However, two criteria can influence whether you are given more or less than this baseline:
- Employee Productivity: The starting employee productivity is 75/100. Any increases or decreases have a 1 to 1 effect on the security budget. For example, if productivity decreases by 5, then the budget is decreased by 5 credits.
- ISO 27001 Certification: If an ISO 27001 certification is obtained prior to the start of month 13, the leadership team will provide you with a bonus of 70 credits.
Game Tools & Interface
Throughout the game, you’ll navigate between four main tabs to manage your defenses and respond to threats:
- Action Selection: Choose from 30 different security measures to implement. Actions are searchable and categorized into their respective control grouping (e.g., Identity Security, Human Security, etc.). Hover over each action to view a tooltip showing its financial cost, impact on security posture and productivity, and time to deploy.
- Deployed Controls: Displays all actions you’ve implemented so far, allowing you to keep track of your current defenses and any prerequisites you've already fulfilled.
- Incident Log: Shows a history of past attacks, including which months the attacks took place, whether the attack succeeded, and what the attack attempted to exploit.
- Threat Intelligence: Reveals upcoming attacks and suggests which actions you should implement to mitigate them. Use this to plan ahead and prevent breaches before they happen.
Turn Order
The Security Architect is a turn-based game where months represent turns. Each month, a series of events take place, which are processed in the following order:
- Action Submission Phase: The action submission phase is at the start of the month. During this phase, players can plan and choose their next action. Once an action is submitted, the turn begins.
- Action Processing Phase: If an action is due to be completed, it is processed immediately after the month starts.
- Attack Processing Phase: If an attack is due to take place, it occurs immediately after the action processing phase.
- Game Change Phase: If there is a change in game state, such as a game win, game loss, or annual budget refresh, it occurs after the attack processing phase.
Example: Let's say you are on Month 3. You submit an action that will take 2 months to complete (e.g., Deploying SSO), and an attack is due to take place in Month 4. In this scenario, events will be processed in the following order:
- Month 3: Starts
  - Action Submission Phase: You submit the action to deploy SSO.
  - Action Processing Phase: SSO deployment action was processed but not completed (Month 1/2).
  - Attack Processing Phase: No attack processed.
  - Game Change Phase: No change in game state.
  - Month 3: Ends
- Month 4: Starts
  - Action Submission Phase: Skipped as SSO deployment is still in progress.
  - Action Processing Phase: SSO deployment action processed and completed (Month 2/2).
  - Attack Processing Phase: Attack processed and successfully evaded.
  - Game Change Phase: No change in game state.
  - Month 4: Ends
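The turn order and the month-13 budget rule described above, replayed in code. This is an added example, not CanIPhish's game code; the `Action` class, the function names and the posture numbers (starting posture 5, SSO gain 10, attack threshold 12) are constructed for illustration and do not come from the game's tables.

```python
from dataclasses import dataclass

@dataclass
class Action:
    name: str
    months: int        # deployment time: 1, 2 or 3
    posture_gain: int  # constructed value, not taken from the game's action table

def play(start_month, end_month, posture, plan, attacks):
    """plan: {submission month: Action}; attacks: {month: minimum posture to evade}.
    Returns (event log, final posture, survived)."""
    log, current, progress = [], None, 0
    for month in range(start_month, end_month + 1):
        # 1. Action Submission Phase (skipped while a deployment is in progress)
        if current is None and month in plan:
            current, progress = plan[month], 0
            log.append((month, "submit", current.name))
        # 2. Action Processing Phase: the effect applies only on completion
        if current is not None:
            progress += 1
            if progress == current.months:
                posture += current.posture_gain
                log.append((month, "completed", current.name))
                current = None
            else:
                log.append((month, "in progress", f"{progress}/{current.months}"))
        # 3. Attack Processing Phase: runs after actions, so a control that
        #    completes this month already counts against this month's attack
        if month in attacks:
            evaded = posture >= attacks[month]
            log.append((month, "attack", "evaded" if evaded else "breached"))
            # 4. Game Change Phase: a successful attack ends the game
            if not evaded:
                return log, posture, False
    return log, posture, True

def refreshed_budget(productivity, iso27001):
    """Month-13 refresh: 100 baseline, 1:1 with productivity change from 75,
    plus 70 if ISO 27001 was obtained before month 13."""
    return 100 + (productivity - 75) + (70 if iso27001 else 0)

# Constructed scenario mirroring the Month 3-4 walkthrough
SSO = Action("Deploy SSO", months=2, posture_gain=10)
log, posture, survived = play(3, 4, posture=5, plan={3: SSO}, attacks={4: 12})
```

Moving the same attack to Month 3 in this constructed scenario ends the game, because the SSO deployment is still at 1/2 when the attack phase runs.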
Security Actions
Security actions are the heart of your strategy in The Security Architect. Each action represents a real-world defensive measure you can implement to protect your organization from the incoming cyberattacks. Some are quick wins, others require long-term planning, and all come with trade-offs in cost, time, and impact.
Note: Action costs and effects are subject to change
Cyber Attacks
Cyber attacks are the driving threat in The Security Architect—and the reason your defenses matter. Each attack simulates a real-world technique used by malicious actors to breach organizations. Some are simple and easily blocked, while others are advanced, persistent, and devastating if left unchecked.
Attacks don’t occur every month, and their timing is unpredictable. As the game progresses, they become more sophisticated, requiring stronger and more layered defenses. Understanding when attacks are likely to occur—and what posture you need to withstand them—is critical to your survival.
The table below outlines the attack timeline and the minimum security posture required to successfully defend against each wave.
Note: Cyber attack metrics are subject to change