Hacking Tunnel Goons for corporate security training

The Itch.io download is linked at the bottom if you just want to see the game.

Every year I run a cybersecurity tabletop exercise (TTX) at my workplace for our SOC2 certification. I give a scenario and my coworkers game out how they would respond. These exercises are a well-established practice within the industry; you can even get material for running them from CISA.

  • These are tabletop role-playing games even if they don't use that phrase.
  • Their usual form is an FKR-style experience with the participants describing what they are doing and the facilitator describing the outcomes with no randomization.

Adding some flavor: Running these is a dry experience and the only bit of fun I've been able to inject is making over-the-top scenarios. Adding random character creation and a dice randomization mechanic makes things fun.

  • Tunnel Goons is a system that's easy for someone with no TTRPG experience to pick up and play.
  • The mechanics of encouraging players to use their skills and inventory work well with this kind of exercise.

Real world skills: I chose three skills to match the skills needed in a real-life incident response: Investigate, Remediate, and Communicate. A lifepath-like character creation gives the players a bit of flavor.

  • Investigation is used when trying to figure out what is happening and why.
  • Remediation is used to try and fix things and patch the underlying issues.
  • Communication is used to coordinate the response and update stakeholders.

Scenario sparks: A short set of tables for the facilitator gives random incident scenario ideas. These can be used ahead of time so the facilitator can fill in the blanks and add a bit of relevancy to their own systems.

In the future I might add a more detailed "facilitator guide" targeted at folks who want to run this but aren't very familiar with TTRPGs.