CybeRisk

// GAME MANUAL

How to play CybeRisk

CybeRisk is an asymmetric multiplayer strategy game. One player takes the Attacker role, the other takes the Defender (CISO) role. Actions play out over real time — minutes, hours, or days. Budget is the primary constraint on both sides.


Roles

THE HACKER — ATTACKER

Probe defenses, launch exploits, pivot through networks, and exfiltrate data before the CISO locks you out. Your income comes from successful operations — ransomware payments, data sales, and extortion.

EXAMPLE ACTIONS

  • Reconnaissance — discover IP addresses and services
  • Exploit — attempt to compromise a target system
  • Pivot — move laterally through the network
  • Exfiltrate — extract data from compromised systems

THE CISO — DEFENDER

Monitor your infrastructure, patch vulnerabilities, deploy honeypots, and respond to incidents before the breach goes critical. Your income grows from customers — protect them or lose them.

EXAMPLE ACTIONS

  • Patch — close known vulnerabilities (takes time)
  • Monitor — increase detection probability on a segment
  • Honeypot — deploy decoys to trap and reveal attackers
  • Incident Response — contain a confirmed breach

Nations

Attacker nations are drawn from MITRE ATT&CK groups with a documented state nexus. Defender nations are the most frequently targeted countries in the DBIR and ATT&CK victim intelligence. Nation selection is cosmetic / lore — it does not change starting budget or available items.

ATTACKER NATIONS (12)

  • 🇨🇳 China: APT41, APT10
  • 🇷🇺 Russia: APT28, APT29
  • 🇰🇵 North Korea: Lazarus Group
  • 🇮🇷 Iran: APT33, APT34
  • 🇺🇸 United States: Equation Group
  • 🇬🇧 United Kingdom: GCHQ
  • 🇮🇱 Israel: Duqu, Stuxnet
  • 🇻🇳 Vietnam: APT32
  • 🇮🇳 India: SideWinder
  • 🇵🇰 Pakistan: Transparent Tribe
  • 🇹🇷 Turkey: Sea Turtle
  • 🇱🇧 Lebanon: Dark Caracal

DEFENDER NATIONS (17)

  • 🇺🇸 United States (US · T1)
  • 🇯🇵 Japan (JP · T1)
  • 🇮🇳 India (IN · T1)
  • 🇩🇪 Germany (DE · T1)
  • 🇬🇧 United Kingdom (GB · T2)
  • 🇫🇷 France (FR · T2)
  • 🇮🇹 Italy (IT · T2)
  • 🇰🇷 South Korea (KR · T2)
  • 🇨🇦 Canada (CA · T2)
  • 🇦🇺 Australia (AU · T2)
  • 🇳🇱 Netherlands (NL · T3)
  • 🇸🇦 Saudi Arabia (SA · T3)
  • 🇹🇼 Taiwan (TW · T3)
  • 🇵🇱 Poland (PL · T3)
  • 🇮🇱 Israel (IL · T3)
  • 🇺🇦 Ukraine (UA · T3)
  • 🇪🇪 Estonia (EE · T3)

Tier 1 = largest markets (US multiplier 1.0). Tier 2 = mid-size. Tier 3 = small. Market size affects defender growth capacity. See Economy section below.


Economy & Budget

ATTACKER STARTS: $50,000
DEFENDER STARTS: $100,000
ECONOMY TICK: every 5 min

ATTACKER INCOME

No passive income by default. Income is earned through successful operations:

  • Purchasing Ransomware-as-a-Service ($10K) unlocks extortion income events
  • APT archetype (planned) receives state funding as passive income
  • Successful data exfiltration generates one-time payments

DEFENDER INCOME

Driven by a live customer growth simulation. Revenue accumulates every 5-minute tick:

  • Starts with a seed customer base determined by industry
  • Customers grow via S-curve (logistic) model — slows near market capacity
  • Must expand to new countries to continue growing past saturation

DEFENDER INDUSTRIES

Industry is chosen at onboarding and determines starting customers, revenue per customer, growth rate, mandatory compliance spend, and which cloud services deploy automatically. Breach value = attacker payout on full compromise (Ponemon-scaled).

Industry            Starting revenue/day  Compliance  Breach value
Financial Services  $3,000                $25,000     $200,000
Technology          $2,500                $8,000      $150,000
Energy & Utilities  $2,200                $15,000     $130,000
Pharmaceutical      $2,000                $12,000     $160,000
Healthcare          $1,500                $18,000     $250,000
Manufacturing       $1,200                $5,000      $110,000
Retail              $1,000                $10,000     $95,000
Government          $900                  $15,000     $80,000
Hospitality         $750                  $5,000      $90,000
Education           $500                  $0          $65,000

Compliance = mandatory spend locked from $100K starting budget on day one. Source: IBM Cost of a Data Breach Report 2024 (Ponemon Institute).


Defender Growth Model

Defender income follows a logistic (S-curve) model. Growth slows as the market approaches saturation and stops entirely at capacity — forcing deliberate country expansion.

capacity = industryBaseCapacity × countryMarketMultiplier
headroom = 1 − (customers / capacity)
new_customers = customers × dailyGrowthRate × headroom × elapsed_days
income_tick = customers × rev/customer/day × elapsed_days

At 50% capacity → 50% of base growth rate. At 90% → 10%. At 100% → growth stops. Expand or stagnate.
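The formulas above, stepped once per 5-minute economy tick. This is an added example, not the game's own code: the function names are hypothetical and it assumes customer counts are tracked as fractions rather than rounded. The sample figures are the Technology row (100 customers, $25, 1.5%, capacity 2,000) in the US market.

```python
TICK_DAYS = 5 / (24 * 60)  # the manual's 5-minute economy tick, in days


def capacity(industry_base_capacity, country_market_multiplier):
    return industry_base_capacity * country_market_multiplier


def growth_rate(customers, cap, daily_growth_rate):
    """Effective daily rate once the headroom term is applied."""
    headroom = max(0.0, 1 - customers / cap)
    return daily_growth_rate * headroom


def tick(customers, cap, daily_growth_rate, rev_per_customer_day,
         elapsed_days=TICK_DAYS):
    """One economy tick: returns (customers after the tick, income for the tick)."""
    rate = growth_rate(customers, cap, daily_growth_rate)
    new_customers = customers * rate * elapsed_days
    income = customers * rev_per_customer_day * elapsed_days
    return min(cap, customers + new_customers), income


def days_until(fraction, customers, cap, daily_growth_rate, rev_per_customer_day):
    """Step ticks until customers >= fraction * cap; returns (days, income earned)."""
    if not 0 < fraction < 1 or customers <= 0:
        raise ValueError("need 0 < fraction < 1 and a non-empty seed customer base")
    ticks, earned = 0, 0.0
    while customers < fraction * cap:
        customers, income = tick(customers, cap, daily_growth_rate,
                                 rev_per_customer_day)
        earned += income
        ticks += 1
    return ticks * TICK_DAYS, earned


def expansion_cost(industry_compliance_base, country_regulatory_multiplier):
    """$25,000 infrastructure plus the regulation-scaled compliance base."""
    return 25_000 + industry_compliance_base * country_regulatory_multiplier


if __name__ == "__main__":
    cap = capacity(2000, 1.0)  # Technology, US market
    for share in (0.5, 0.9):
        days, earned = days_until(share, 100, cap, 0.015, 25)
        print(f"{share:.0%} of capacity after {days:.0f} days, ${earned:,.0f} earned")
    print("Technology -> Germany:", expansion_cost(8000, 0.8))
```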

Industry            Starting customers  Revenue/customer/day  Daily growth rate  Base capacity  Starting revenue/day
Financial Services  75                  $40                   0.5%               750            $3,000
Technology          100                 $25                   1.5%               2,000          $2,500
Energy & Utilities  200                 $11                   0.2%               1,000          $2,200
Pharmaceutical      50                  $40                   0.4%               500            $2,000
Healthcare          50                  $30                   0.6%               600            $1,500
Manufacturing       100                 $12                   0.3%               1,000          $1,200
Retail              200                 $5                    1.0%               4,000          $1,000
Government          300                 $3                    0.1%               1,500          $900
Hospitality         150                 $5                    0.8%               3,000          $750
Education           500                 $1                    0.5%               5,000          $500


Market Saturation & Country Expansion

When a country’s customer count approaches capacity, growth stalls. The player switches to CEO Mode — a strategic map overlay — to choose and pay for expansion into a new market. This is a deliberate decision, not automatic. Expansion widens the attack surface: every deployed service gets a new regional set of IP addresses.

  01. Enter CEO Mode: Switch from the CISO dashboard to the strategic country map.
  02. Pick a market: Review market size, expansion cost, and projected income uplift per country.
  03. Pay and deploy: $25K infrastructure + compliance cost deducted. New customer pool and regional IPs go live.

expansion_cost = $25,000 (infrastructure) + industryComplianceBase × countryRegulatoryMultiplier
// Technology → Germany: $25,000 + $8,000 × 0.8 = $31,400
// Healthcare → US: $25,000 + $20,000 × 0.0 = $25,000

17 MARKETS — MULTIPLIERS

Code  Country         Regulation              Tier  Market multiplier  Regulatory multiplier
US    United States   Paid at onboarding      T1    1.00               0.0
JP    Japan           APPI                    T1    0.55               0.6
IN    India           PDPB                    T1    0.45               0.2
DE    Germany         GDPR                    T1    0.40               0.8
GB    United Kingdom  UK GDPR                 T2    0.35               0.7
FR    France          GDPR                    T2    0.30               0.8
IT    Italy           GDPR                    T2    0.25               0.8
KR    South Korea     PIPA                    T2    0.25               0.5
CA    Canada          PIPEDA                  T2    0.22               0.5
AU    Australia       Privacy Act             T2    0.20               0.5
NL    Netherlands     GDPR                    T3    0.12               0.8
SA    Saudi Arabia    PDPL                    T3    0.12               0.2
TW    Taiwan          PDPA                    T3    0.10               0.5
PL    Poland          GDPR                    T3    0.09               0.8
IL    Israel          Privacy Protection Law  T3    0.06               0.2
UA    Ukraine         Personal Data Law       T3    0.04               0.2
EE    Estonia         GDPR                    T3    0.015              0.8


Cloud Attack Surface

Cloud services auto-deploy when the defender’s customer count crosses a threshold. Each service exposes individual IP addresses generated deterministically from a SHA-256 hash of the profile and service key — stable and reachable across sessions. Attackers must perform reconnaissance to discover them. When a defender expands to a new country, every deployed service gains an additional set of regional IPs.
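One way such hash-derived addressing can work, shown as an added example that is not the game's implementation. The hash input layout, the service key names, the address pools (RFC 1918 space and the RFC 3849 documentation prefix), the /64 prefix size, and the assumption that each region gets the same number of addresses are all assumptions; only the per-service counts come from the manual.

```python
import hashlib
import ipaddress

# Assumed pools, not from the manual.
V4_POOL = ipaddress.ip_network("10.0.0.0/8")
V6_POOL = ipaddress.ip_network("2001:db8::/32")

# (IPv4 count, IPv6 prefix count) per service, from the manual's day-one
# services for a Technology defender; the key strings are hypothetical.
DAY_ONE_TECH = {"corporate-website": (2, 1), "email": (3, 1), "source-repo": (3, 1)}


def _h(profile, service, region, kind, n):
    """SHA-256 over a delimited tuple, returned as an integer."""
    data = "|".join((profile, service, region, kind, str(n))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def derive(profile, service, region, v4_count, v6_count):
    """Return (IPv4 addresses, IPv6 /64 prefixes) for one service in one region."""
    v4, n = [], 0
    while len(v4) < v4_count:  # on a collision, re-hash with the next counter
        addr = V4_POOL[_h(profile, service, region, "v4", n) % V4_POOL.num_addresses]
        n += 1
        if addr not in v4:
            v4.append(addr)
    base = int(V6_POOL.network_address)
    v6, n = [], 0
    while len(v6) < v6_count:
        idx = _h(profile, service, region, "v6", n) % 2**32  # /64s inside the /32
        net = ipaddress.ip_network((base + (idx << 64), 64))
        n += 1
        if net not in v6:
            v6.append(net)
    return v4, v6


def attack_surface(profile, services, regions):
    """Map (service, region) -> addresses, recomputed on demand from the hash."""
    return {(s, r): derive(profile, s, r, *counts)
            for s, counts in services.items() for r in regions}


def ipv4_total(surface):
    return sum(len(v4) for v4, _ in surface.values())
```

Because the region is part of the hash input, expanding into a second country doubles the exposed IPv4 count (8 to 16 here) without changing any address already derived for the first.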

UNIVERSAL SERVICES — ALL INDUSTRIES

Service                   Description                                              Deploys at       IPs  IPv6 prefixes
Corporate Website         Public-facing presence — first recon target              Day 1            2    1
Email & Messaging         Email gateway — primary phishing vector                  Day 1            3    1
CRM Platform              Customer PII and sales data                              100 customers    2    1
Cloud Storage             Object store — misconfiguration = mass data exposure     200 customers    2    0
Remote Access VPN         Employee gateway — compromise = full network entry       300 customers    4    1
HR & Payroll              Employee PII and salary data                             300 customers    2    0
Collaboration Suite       Video, chat, docs — insider threats thrive here          400 customers    3    1
Public API Gateway        Exposed endpoints — enumeration and abuse target         1,000 customers  4    2
Data Warehouse            Analytics store — exfil yields maximum intel value       2,000 customers  2    0
Content Delivery Network  Global edge — compromise enables supply-chain injection  5,000 customers  8    2

Software-intensive industries (Technology, Financial Services, Healthcare, Pharmaceutical, Government, Education, Energy & Utilities, Manufacturing) also deploy a Source Code Repository on day one — 3 IPs, 1 IPv6 prefix. Highest-value IP theft target.

INDUSTRY-SPECIFIC SERVICES

Service                     Customer threshold  IPs  IPv6 prefixes  Industries
Payment Gateway             100                 3    0              Financial Services, Retail, Hospitality
Online Banking Portal       1,000               4    1              Financial Services
Trading Platform            2,000               6    2              Financial Services
Electronic Health Records   50                  3    0              Healthcare, Pharmaceutical
Telemedicine Portal         500                 2    1              Healthcare
Patient Self-Service        1,000               3    1              Healthcare
Lab Information System      200                 2    0              Pharmaceutical
R&D Data Platform           500                 3    0              Pharmaceutical
SCADA/ICS Interface         50                  4    0              Energy & Utilities, Manufacturing
ERP System                  500                 4    0              Energy & Utilities, Manufacturing
IoT Device Platform         1,000               6    2              Energy & Utilities, Manufacturing
E-Commerce Platform         100                 4    1              Retail
POS Network                 200                 4    0              Retail, Hospitality
Warehouse Management        200                 2    0              Retail, Manufacturing
Booking & Reservation       50                  3    0              Hospitality
Learning Management System  200                 3    1              Education
Student Portal              500                 3    1              Education
Research Database           1,000               2    0              Education
Citizen Services Portal     500                 3    1              Government
Case Management System      200                 2    0              Government
Benefits & Permits          1,000               3    0              Government


Turn System

Actions are queued with a duration. Once submitted, they run in the background via a server-side job queue. You will be notified when an action completes. You do not need to be online — the game continues while you are away.

  01. Queue an action: Select an action from your arsenal. Set a target. Confirm.
  02. Wait for resolution: Actions resolve over minutes to hours in real time. You will be notified.
  03. Adapt your strategy: Every completed action changes the board state. Respond or escalate.


Win Conditions

Win conditions are not yet finalised and will be defined during the private beta. The current design direction is breach-based: the attacker wins by successfully compromising a specific high-value service and exfiltrating data; the defender wins by detecting and containing the breach before the attacker reaches their objective.