The Original Incident Response Card Game
by Black Hills Information Security, Antisyphon Training, and Active Countermeasures.
Turn Incident Response Into a Game
Backdoors & Breaches takes traditional tabletop exercises and turns them into a structured, cooperative card game.
An Incident Captain crafts a scenario using hidden Attack cards, while Defenders work together—using Detections, dice, and critical thinking—to uncover what happened before it’s too late.
The original CORE Deck contains 52 unique cards that all represent different aspects of Incident response, including commonly seen attacks, detections, and more!
With Backdoors & Breaches, you can:
- Train IR and blue teams on realistic attack paths
- Run tabletop exercises with a clear, repeatable framework
- Introduce students and new Security Consultants to incident response
- Encourage discussion about detection coverage, tools, and playbooks
What’s Included
📦 52 Unique CORE Cards
Every Core Deck includes 52 cards representing Attacks, Detections, and Injects. Each card features a title, description, detection ideas, tools, and resources so the learning continues long after the game ends.
🎯 Four Attack Categories
Attacks are broken into four categories—Initial Compromise, Pivot & Escalate, Persistence, and C2 & Exfil. Combining one card from each category gives you thousands of unique incident scenarios.
📘 Visual Guide & Turn Tracker
The downloadable Visual Guide walks you through setup and gameplay step-by-step, and the printable Turn Tracker helps you record turns, rolls, and key findings during each exercise.
How the Game Works
Four simple steps. Cooperative incident response practice.
1️⃣ Build the Incident
The Incident Captain secretly selects one Attack card from each category (Initial Compromise, Pivot & Escalate, Persistence, and C2 & Exfil) to create a four-step attack path.
2️⃣ Set Up the Table
Separate the deck into Attacks, Procedures, and Injects. Deal out rows of Procedure cards—some as “Established Procedures” with a roll bonus, and others as backup options when you need them.
3️⃣ Investigate & Roll
On each turn, Defenders choose a Procedure, discuss what they’re looking for, and roll a d20. Successful rolls can reveal Attack cards; failures advance the turn counter and can trigger Injects that change the scenario.
4️⃣ Win (or Lose) as a Team
The game is fully cooperative: you win or lose together. Reveal all four Attack cards within 10 turns to win; if time runs out, use the debrief to talk about gaps, tooling, and real-world improvements.
Download the Rulebook
Everything you need to run Backdoors & Breaches at your organization, classroom, or event is in the Visual Guide.
More of a Visual Learner?
Don’t worry, we’ve got you!
Check out this video showing gameplay in action!
Using Backdoors & Breaches at Your Event
Backdoors & Breaches works well for security meetups, conferences, cyber clubs, and internal trainings.
Use it as a standalone exercise or pair it with talks, workshops, or live demos.
- Run 30–60 minute game sessions for lunch-and-learns or drills
- Use real logs, SIEM queries, and EDR data alongside gameplay
- Capture findings and action items with the Turn Tracker
- End each session with a debrief focused on your environment
Want BHIS to run a Backdoors & Breaches session for your team or event?
We can help facilitate tournaments and tabletop sessions at your organization or conference.
Frequently Asked Questions
Do I need anything besides the Core Deck?
You’ll need a Backdoors & Breaches Core Deck, a d20 (or dice app), and at least two players.
The ideal group size is 5–7 Defenders plus one Incident Captain. Expansion decks are optional but add new cards and variety.
Can Backdoors & Breaches be used for real training?
Yes. Backdoors & Breaches is used by high school and university cyber clubs, security consultants, enterprises, and government teams around the world to practice incident response and identify gaps in detection and process.
BHIS Tribe of Businesses
