The Shadow Breach

30 Apr 2025 - joe

The Shadow Breach: A D&D-Themed Cybersecurity Exercise

Campaign Overview

Title: The Shadow Breach
Adventure Duration: One 4-hour session
Adventurer Levels: 5-10 (SOC analysts to security directors)
Difficulty: Challenging
Quest Objective: Test the adventuring party’s ability to detect, contain, and defeat a powerful shadow mage who is attempting to corrupt multiple kingdoms through a sophisticated magical infiltration.

Learning Enchantments

1. Evaluate party coordination during complex magical threats
2. Test arcane countermeasure capabilities across different spell vectors
3. Assess communication scrolls both within the party and with allied kingdoms
4. Practice decision-making under pressure with limited divination information
5. Identify gaps in current magical defense plans

Campaign Structure

Preparation Phase (2 weeks prior)

1. Dungeon Master Selection: Appoint 1-2 individuals to lead the adventure
2. Adventurer Selection: Identify key heroes from various classes and guilds
3. Magical Resource Preparation: Ready the necessary spell components, communication scrolls, and simulated magical environments
4. Pre-Adventure Briefing: Conduct a short session explaining adventure rules and expectations

Adventure Roles

1. Dungeon Master: Controls adventure flow, introduces magical threats, evaluates responses
2. Player Characters: Mages (analysts), Clerics/Paladins (incident responders), Artificers (security engineers), Nobles/Kings/Queens (management)
3. Observers: Scribes who document actions, decisions, and potential improvement areas
4. Allied Kingdom Representatives: (Optional) Can participate to add realism to kingdom communications

Adventure Materials

Required Scrolls and Tomes

1. Magical defense and counterspell grimoire
2. Communication scroll templates
3. Allied kingdom contact information
4. Spell escalation procedures
5. Arcane documentation of magical networks
6. Adventure evaluation scrolls

Magical Setup (Optional)

1. Isolated arcane laboratory for simulated magical forensics
2. Sending stone network (separate from kingdom network)
3. Hourglass display
4. Magical collaboration artifacts

Campaign Background

The Guardian Order is a well-established Magical Security Provider offering arcane monitoring and threat response services to over 50 kingdoms across various realms. Among their key clients are:

• The Royal Bank of Goldkeep (treasury realm)
• The Healing Sanctum of Lifewell (healing realm)
• The Arcane Grid of Powerforge (elemental infrastructure)
• The Enchanted Towers of Technos (magical technology)

The Guardian Order uses a Scrying Operations Chamber that aggregates magical signatures and alerts from client kingdoms, with a centralized crystal ball for monitoring and response.

Adventure Narrative

A sophisticated shadow mage has identified the Guardian Order as a prime target for a corruption attack. Their objective is to compromise the Order’s magical infrastructure to gain access to high-value kingdoms. The attack will unfold in multiple stages over the course of the adventure.

Adventure Timeline and Magical Events

Phase 1: Initial Corruption (0:00-1:00)

Setting the Scene (0:00-0:10)

• Dungeon Master introduces the day as a normal day at the Guardian Order’s Scrying Operations Chamber
• Adventurers are at their regular posts performing routine magical monitoring

Magical Event 1 (0:10): Suspicious Arcane Signature

• A magical alert shows an unusual successful authentication to the scrying network from an unrecognized ley line
• The arcane credentials belong to a junior scrying mage who is currently on pilgrimage to the outer planes
• The authentication occurred during the dark hours when most mages rest

Expected Actions:

• Investigate the magical alert
• Check mage’s status through sending stones
• Review authentication source and patterns
• Begin documenting the magical incursion in the order’s tome

Magical Event 2 (0:30): Discovery of Suspicious Activity

• The compromised arcane signature has been observed casting unusual divination spells in the scrying network
• Divinations focused on gathering information about kingdom connections, particularly for Goldkeep and Powerforge
• Several attempts to enhance magical permissions were detected in the aether

Expected Actions:

• Escalate the incident to senior mages and paladins
• Consider creating wards around potentially affected magical nodes
• Begin preparing initial kingdom communication scrolls if necessary
• Start assembling a magical incident response party

Magical Event 3 (0:45): Dark Artifact Detection

• A detection ward identifies a potential data extraction artifact installed on an internal magical node
• The artifact appears to have been placed using the compromised credentials
• Initial evidence suggests sensitive information about kingdom magical defenses may have been accessed

Expected Actions:

• Activate formal magical countermeasure procedures
• Assign roles and responsibilities to party members
• Begin deeper arcane investigation
• Consider whether to notify allied kingdoms at this stage

Phase 2: Arcane Escalation (1:00-2:00)

Magical Event 4 (1:00): Kingdom Alert - Goldkeep

• Goldkeep’s Royal Mages send an urgent message reporting suspicious magical activities in their realm
• They’ve detected arcane probing coming from a ley line associated with the Guardian Order’s management infrastructure
• The probing appears to be targeting their gold and treasure transmutation systems

Expected Actions:

• Acknowledge the potential connection to the earlier corruption
• Collaborate with the kingdom’s magical defense team
• Investigate potential magical portal from Guardian Order systems to kingdom network
• Update incident documentation and escalate internally to higher-ranking mages

Magical Event 5 (1:20): Dark Magic Detection

• Analysis of the compromised magical node reveals a sophisticated, previously unseen shadow portal
• The portal provides persistent access and has anti-detection enchantments
• Evidence shows the dark magic has been present for approximately one full moon cycle

Expected Actions:

• Perform detailed magical analysis
• Begin investigating the original corruption vector
• Consider implications for other magical systems and kingdoms
• Update the incident response party and noble council

Magical Event 6 (1:40): Detection Avoidance Magic

• The shadow mage begins erasing magical traces and evidence from compromised nodes
• Attempts to modify scrying wards to avoid future detection are observed
• A powerful curse scroll is discovered but not yet activated

Expected Actions:

• Take steps to preserve magical evidence before it’s dispelled
• Implement additional scrying to track shadow mage movements
• Consider magical isolation measures
• Update risk assessment based on curse scroll discovery

Phase 3: Magical Crisis Management (2:00-3:00)

Magical Event 7 (2:00): Critical Infrastructure Alert

• Powerforge reports unusual magical connection attempts to their elemental control system
• The attempts are coming from trusted Guardian Order monitoring crystals
• Powerforge has severed the Guardian Order’s arcane connections as a precaution

Expected Actions:

• Acknowledge the severity of the magical situation
• Implement crisis communication scrolls
• Coordinate with Powerforge’s arcane defense team
• Prepare for potential reporting to the High Arcane Council

Magical Event 8 (2:20): Noble Council Involvement

• The Guardian Order’s High Mage requests an immediate magical briefing on the situation
• Several other kingdoms have begun sending messages with concerns
• Bards from various realms have reached out asking about a potential breach of magical defenses

Expected Actions:

• Prepare a concise magical summary for the High Mage
• Organize information for efficient decision-making
• Advise on potential public relations strategies
• Continue technical arcane response activities

Magical Event 9 (2:40): Dark Demands

• A magical demand appears on several compromised crystal balls
• The shadow mage claims to have extracted kingdom secrets and threatens to publish them in the town squares
• They demand 2 million gold pieces in dragon-blessed currency within 48 hours

Expected Actions:

• Document the magical demand
• Assess legitimacy of the shadow mage’s claims
• Discuss potential response options with leadership
• Consider royal guard notification
• Prepare for potential magical breach notifications

Phase 4: Resolution and Recovery (3:00-4:00)

Magical Event 10 (3:00): Shadow Mage Tactics Identified

• Magical forensics reveals the complete attack path and spells used
• Arcane evidence points to a known shadow mage with connections to the Shadowfell
• A vulnerability in the scrying network’s portal system is identified as the initial entry point

Expected Actions:

• Document all findings for post-incident analysis
• Develop a comprehensive magical cleansing plan
• Prioritize critical magical gaps for immediate warding
• Prepare technical details for affected kingdoms

Magical Event 11 (3:20): Containment Decision Point

• The incident response party must decide on final containment spells
• Options include temporary shutdown of the scrying network vs. aggressive monitoring enchantments
• Each option has different impacts on magical service delivery and recovery time

Expected Actions:

• Evaluate pros and cons of each option
• Make a decision based on magical risk assessment
• Communicate the decision and rationale to stakeholders
• Begin implementing the chosen approach

Magical Event 12 (3:40): Recovery Planning

• With the immediate magical threat contained, focus shifts to recovery
• Multiple kingdoms are requesting detailed magical incident scrolls
• High Arcane Council reporting deadlines are approaching

Expected Actions:

• Develop a prioritized magical recovery sequence
• Create a sending stone communication plan for different stakeholders
• Prepare initial council notifications
• Begin documenting lessons learned in the arcane tomes

Conclusion (3:50-4:00)

• Dungeon Master declares the end of the adventure
• Brief initial feedback from adventurers
• Schedule a formal council debrief session for the following day

Adventure Evaluation

Evaluation Metrics

1. Detection Effectiveness
   • Time to detect initial magical corruption
   • Ability to identify related magical events
   • Thoroughness of arcane investigation
2. Response Efficiency
   • Time from detection to initial magical countermeasures
   • Appropriateness of spell countermeasures
   • Resource allocation and utilization of magical components
3. Communication Effectiveness
   • Internal sending stone clarity and timeliness
   • Kingdom communication appropriateness
   • Noble council updates and escalations
4. Decision Quality
   • Magical risk assessment accuracy
   • Decision-making under the pressure of time constraints
   • Balance between magical security and kingdom services

Post-Adventure Activities

1. Quick Council (Immediately following adventure)
   • Quick round-table discussion of initial impressions
   • Identification of major strengths and challenges
   • Collection of immediate feedback on magical scrolls
2. Formal Debrief (1-2 days after adventure)
   • Structured review of adventure timeline and decisions
   • Analysis of major magical decision points
   • Documentation of lessons learned in the grand tome
3. Improvement Planning (1-2 weeks after adventure)
   • Development of specific magical action items
   • Assignment of responsibilities for improvements
   • Timeline for implementing magical changes
4. Follow-up Adventure (3-6 months later)
   • Targeted scenario to test magical improvements
   • Focus on previously identified weaknesses
   • Validate effectiveness of changes to arcane defenses

Dungeon Master Guidelines

Pre-Adventure Preparation

1. Scenario Customization
   • Adjust magical details to match your order’s environment
   • Modify kingdom names and realms as appropriate
   • Ensure magical events are realistic for your tools and processes
2. Information Control
   • Determine what information is available to adventurers at each stage
   • Prepare answers for likely questions from adventurers
   • Create physical or magical information cards for events
3. Environment Setup
   • Arrange the adventure space to facilitate party communications
   • Test any magical systems or simulations
   • Prepare backup plans for magical failures

During Adventure Facilitation

1. Maintaining Realism
   • Introduce complications that might occur in real magical incidents
   • Provide realistic time pressures via hourglasses
   • Limit information as would happen in real magical scenarios
2. Adaptability
   • Be prepared to adjust scenario pacing based on adventurer progress
   • Have additional magical events ready if parties resolve issues quickly
   • Be willing to provide hints if parties get completely stuck in magical puzzles
3. Observation
   • Take notes on key decisions and actions
   • Identify teaching moments for the debrief
   • Document specific areas for magical improvement

Post-Adventure Activities

1. Facilitating Discussion
   • Use open-ended questions to promote reflection
   • Focus on process improvements rather than assigning blame to specific mages
   • Highlight both strengths and areas for magical improvement
2. Documentation
   • Compile observations and adventurer feedback
   • Prepare a comprehensive after-action scroll
   • Develop specific, actionable magical recommendations

Appendix: Detailed Magical Events

Magical Details for Event 1

• Mage Name: James Wilsonfire
• Source Ley Line: The Eastern Shadowlands (unusual connection point)
• Timestamp: During the third hour of darkness
• Access method: Portal gateway followed by scrying orb activation
• Failed attempts: None (successful on first magical attempt)

Magical Details for Event 2

• Divination spells cast:

  REVEAL kingdoms, kingdom_name, realm, primary_contact WHERE priority_level = 'High'
  REVEAL connection_runes, access_sigils, defense_diagrams FROM kingdom_access WHERE kingdom_id = 'GB001'
  REVEAL * FROM mage_registry WHERE access_level = 'Archmage'
  

• Permission escalation attempt:

  • Use of built-in diagnostic spell with known sigil manipulation vulnerability
  • Attempt to add magical signature to archmage security circle

Magical Details for Event 3

• Dark artifact details:
  • Name: Shadowserve (disguised as legitimate magical process)
  • Location: Hidden in the Central Spellcasting Chamber
  • Behavior: Establishes encrypted magical connection to dark tower at Shadow Coordinates 45.67.231.188
  • Data accessed: Kingdom configuration grimoire, magical defense diagrams, ward configurations

Magical Details for Event 5

• Dark magic characteristics:
  • Custom-built shadow portal with elements similar to known dark mage “Shadowmamba”
  • Uses magical tunneling for command and control
  • Anti-detection capabilities including magical trace removal and timestamp alteration
  • Casts directly into the ethereal plane to avoid physical detection
  • Command and control magical domains:
    • status-update-service.shadowrealm
    • cdn-delivery-network.darkplane
    • system-verification.voidspace

Magical Details for Event 7

• Powerforge elemental control connection attempts:
  • Target systems: Elemental binding controllers
  • Access attempts using legitimate Guardian Order service sigils
  • Commands attempted include configuration changes to elemental management settings
  • Source: Guardian Order monitoring crystal in the Western Tower

Magical Details for Event 9

• Dark demand scroll text:

  ATTENTION GUARDIAN ORDER:
    
  Your magical defenses have been corrupted. We have extracted 2.3 tons of magical secrets including:
  - Kingdom defense diagrams
  - Access sigils
  - Confidential kingdom secrets
    
  If you want to prevent these secrets from being published in every town square, send 35 Dragon Coins to the following magical vault:
  Shadow Vault 1Hf7iBvhjZU4RfTft72uLnRRWvbcXioLEP
    
  You have 48 hours. The magical hourglass is turning.
    
  For proof, check magical container Evidence in your security director's crystal ball.
  

Magical Details for Event 10

• Attack path:
  1. Initial access via exploited vulnerability in portal service (Magical Flaw #2023-XXXX)
  2. Sigil theft using memory scraping spell
  3. Lateral movement via compromised archmage account
  4. Persistence established through modified ritual schedules and corrupted magical artifacts
  5. Defense evasion using time-altering spells and magical trace removal
  6. Command and control via encrypted magical tunneling
  7. Secret exfiltration via chunked, encrypted transfers to changing magical destinations