The Dragon's Breach

30 Apr 2025 - joe

The Dragon’s Breach

A Medieval-Themed Cybersecurity Tabletop Exercise

Exercise Overview

Title: The Dragon’s Breach
Duration: 4 hours (recommended)
Target Audience: Kingdom Defenders, Royal Wizards, Castle Guards, Court Advisors
Difficulty: Squire to Knight-level
Objective: Test the kingdom’s ability to detect, contain, and neutralize a sophisticated infiltration by enemy forces using magic scrolls to breach the castle’s defenses and steal royal secrets.

Learning Objectives

1. Evaluate team coordination during complex security incidents
2. Test response capabilities against multi-vector attacks
3. Assess communication protocols between different kingdom defenders
4. Practice decision-making under pressure with limited information
5. Identify gaps in current defensive measures and protocols

Exercise Structure

Preparation Phase (2 weeks prior)

1. Dungeon Master Selection: Appoint 1-2 individuals to coordinate the exercise
2. Defender Selection: Identify key personnel from various kingdom divisions
3. Resource Preparation: Ready the necessary scrolls, communication crystals, and simulated castle environment
4. Pre-Exercise Briefing: Conduct a gathering explaining exercise parameters and expectations

Exercise Roles

1. Dungeon Master: Controls exercise flow, introduces scenarios, evaluates responses
2. Kingdom Defenders: Personnel responsible for monitoring magical defenses
3. Royal Wizards: Specialists who respond to magical incidents
4. Castle Guards: Physical security specialists focused on perimeter defense
5. Court Advisors: Decision-makers who balance kingdom security with diplomatic concerns
6. Observers: Record actions, decisions, and potential improvements
7. Allied Kingdom Representatives: (Optional) Add realism with inter-kingdom coordination

Exercise Materials

Required Documentation

1. Castle defense protocols
2. Emergency communication procedures
3. Allied kingdom contact information
4. Incident escalation matrices
5. Technical documentation of defensive enchantments
6. Exercise evaluation metrics

Technical Setup (Optional)

1. Castle war room simulation
2. Magical alert system using colored crystals
3. Map table with miniature figurines
4. Simulated enemy scout reports

Scenario Background

The Kingdom of Highkeep maintains a sophisticated network of defensive enchantments and wards surrounding the royal castle and its treasures. The Royal Wizard Corps provides monitoring and protection for:

• Castle Perimeter Wards (outer defense system)
• Royal Treasury Enchantments (valuable asset protection)
• Court Communication Scrolls (secure messaging system)
• Enemy Detection Mirrors (threat identification network)

The kingdom utilizes an advanced Magical Operations Center that monitors all defensive enchantments, with specialized wizards providing real-time analysis and coordination of magical defenses.

Exercise Narrative

The neighboring Kingdom of Shadowfen has dispatched their elite Dragon Knights to infiltrate Highkeep Castle. Their objective is to breach the magical defenses to steal sensitive information about the kingdom’s military capabilities and diplomatic strategies. The attack will unfold in multiple stages over the course of the exercise, combining both magical infiltration and traditional espionage.

Exercise Timeline and Scenarios

Phase 1: Initial Detection (0:00-1:00)

Setting the Scene (0:00-0:10)

• Dungeon Master introduces the scenario as a routine day in Highkeep Castle
• Teams are monitoring defensive enchantments and conducting regular patrols

Scenario 1 (0:10): Unusual Magical Signatures

• Perimeter wards detect faint magical signatures at multiple points around the castle
• The signatures do not match known friendly enchantments
• The pattern suggests systematic testing of defensive capabilities

Expected Actions:

• Begin investigating magical signatures
• Review recent magical activity logs
• Cross-reference with known enemy tactics
• Begin documenting observations in the kingdom’s arcane ledger

Scenario 2 (0:30): Compromised Sentry

• A castle guard reports unusual behavior from a fellow guard
• The affected guard appears confused about their patrol route and responsibilities
• Magical examination suggests subtle enchantment affecting memory
• The compromised guard had recently returned from leave in a border village

Expected Actions:

• Isolate the affected guard for further examination
• Dispatch wizards to check for memory enchantments
• Review patrol logs for security gaps
• Begin checking other guards who may have been affected

Scenario 3 (0:45): Intercepted Message

• Court scryers detect an unauthorized magical communication leaving the castle
• The message contains fragments of information about castle defenses
• Analysis suggests the use of advanced illusion magic to disguise the sender
• The communication was directed toward the Shadowfen border

Expected Actions:

• Activate formal security incident protocols
• Begin tracing the source of the communication
• Enhance monitoring of all court communications
• Consider notifying allied kingdoms of potential breach

Phase 2: Escalation (1:00-2:00)

Scenario 4 (1:00): Diplomatic Visitor Concerns

• An observant court advisor notices unusual interest in defense systems from a diplomatic envoy
• The envoy has been asking detailed questions about magical defenses
• Background check reveals discrepancies in their diplomatic credentials
• Their scheduled meetings include access to sensitive areas of the castle

Expected Actions:

• Enhance surveillance of the diplomatic party
• Review and potentially restrict their castle access
• Investigate potential connection to earlier incidents
• Update incident documentation and escalate to senior advisors

Scenario 5 (1:20): Magical Ward Failure

• Several perimeter wards suddenly fail in a coordinated pattern
• Magical analysis reveals sophisticated counter-enchantments were applied
• The disabled wards create a potential entry path to the Royal Archives
• Evidence suggests the counter-enchantments were cast from inside the castle

Expected Actions:

• Dispatch Royal Wizards to restore critical wards
• Deploy castle guards to physically secure the vulnerable areas
• Begin investigating how counter-enchantments were applied
• Update court advisors on escalating threat level

Scenario 6 (1:40): Shapeshifter Evidence

• Castle guards discover discarded magical items in a rarely-used corridor
• Items include potion residue consistent with shapeshifting magic
• Nearby, they find unconscious servant who reports their identity was stolen
• Security logs show the “servant” accessed restricted areas recently

Expected Actions:

• Lock down the castle to prevent the shapeshifter’s escape
• Implement magical and physical identification checks
• Secure the areas the imposter accessed
• Update threat assessment based on shapeshifter capabilities

Phase 3: Crisis Management (2:00-3:00)

Scenario 7 (2:00): Royal Archive Breach

• Alarm enchantments activate in the Royal Archives
• Guards discover evidence of magical document duplication
• Several critical scrolls containing military plans show residue of copying spells
• The thief appears to have used secret passages known only to castle inhabitants

Expected Actions:

• Secure the archives to prevent further theft
• Catalog all potentially compromised documents
• Activate contingency plans for exposed secrets
• Begin magical forensic analysis of the scene

Scenario 8 (2:20): Court Wizard Involvement

• The Royal Archmage demands immediate briefing on the situation
• Evidence suggests a trusted member of the court may be compromised
• Court advisors begin questioning the response team’s actions
• Outside the castle, scouts report unusual activity near the Shadowfen border

Expected Actions:

• Prepare concise briefing with verified information
• Present containment options to leadership
• Advise on diplomatic and military implications
• Continue technical response while managing court politics

Scenario 9 (2:40): Dragon Knight Confrontation

• Castle guards corner a suspected infiltrator attempting to escape
• The infiltrator reveals themselves as a Dragon Knight of Shadowfen
• They use powerful combat magic to fight their way toward the castle gates
• Evidence suggests they’re attempting to rendezvous with accomplices outside

Expected Actions:

• Coordinate magical and physical response to capture the Dragon Knight
• Secure potential escape routes
• Prepare for possible additional infiltrators
• Consider whether to interrogate or track the Knight to find accomplices

Phase 4: Resolution and Recovery (3:00-4:00)

Scenario 10 (3:00): Infiltration Method Identified

• Investigation reveals the complete attack methodology and techniques used
• Evidence confirms Shadowfen’s involvement with assistance from a court insider
• A vulnerability in the castle’s magical wards is identified as the initial entry point
• The identity of the court insider is discovered

Expected Actions:

• Document complete findings for royal review
• Develop a comprehensive remediation plan
• Prioritize critical vulnerabilities for immediate fixing
• Prepare for potential diplomatic fallout

Scenario 11 (3:20): Containment Decision Point

• The response team must decide on final containment strategy
• Options include publicly exposing the plot vs. quiet diplomatic pressure
• Each option has different implications for kingdom security and relations
• Court advisors disagree on the best approach

Expected Actions:

• Evaluate each option based on kingdom interests
• Make recommendation based on comprehensive risk assessment
• Communicate decisions and rationale to royal leadership
• Begin implementing the chosen strategy

Scenario 12 (3:40): Recovery Planning

• With immediate threats contained, focus shifts to strengthening defenses
• Court advisors require assessment of potential intelligence damage
• Allies request briefings on security implications
• Kingdom requires updated defensive measures against similar threats

Expected Actions:

• Develop prioritized recovery and enhancement plan
• Create communication strategy for allied kingdoms
• Recommend improvements to magical and physical security
• Begin documenting lessons learned for future training

Conclusion (3:50-4:00)

• Dungeon Master declares the end of the exercise
• Brief initial feedback from participants
• Schedule a formal council debrief session for the following day

Exercise Evaluation

Evaluation Metrics

1. Detection Effectiveness
   • Time to detect initial infiltration attempts
   • Ability to correlate separate suspicious activities
   • Thoroughness of investigation and evidence gathering
2. Response Efficiency
   • Time from detection to initial response
   • Appropriateness of magical and physical countermeasures
   • Resource coordination during castle-wide incident
3. Communication Effectiveness
   • Internal communication clarity and timeliness
   • Coordination between magical and physical defense teams
   • Leadership updates and escalations
4. Decision Quality
   • Security assessment accuracy
   • Decision-making under pressure
   • Balance between kingdom security and diplomatic consequences

Post-Exercise Activities

1. Initial Debrief (Immediately following exercise)
   • Quick round-table discussion of initial impressions
   • Identification of major strengths and challenges
   • Collection of immediate feedback from all participants
2. Formal Council Review (1-2 days after exercise)
   • Structured review of exercise timeline and decisions
   • Analysis of major decision points
   • Documentation of lessons learned
3. Improvement Planning (1-2 weeks after exercise)
   • Development of specific action items
   • Assignment of responsibilities for improvements
   • Timeline for implementing changes
4. Follow-up Training (3-6 months later)
   • Targeted exercises to test improvements
   • Focus on previously identified weaknesses
   • Validate effectiveness of changes

Dungeon Master Guidelines

Pre-Exercise Preparation

1. Scenario Customization
   • Adjust magical and technical details to match your castle’s specific defenses
   • Modify kingdom names and relationships as appropriate
   • Ensure scenarios reflect realistic threats for your realm
2. Information Control
   • Determine what information is available to participants at each stage
   • Prepare answers for likely questions from participants
   • Create physical or magical information artifacts for scenarios
3. Environment Setup
   • Arrange the exercise space to simulate castle operations
   • Prepare maps and visual aids for castle defense
   • Consider props and atmospheric elements to enhance immersion

During Exercise Facilitation

1. Maintaining Fantasy Realism
   • Introduce complications that might occur in medieval/fantasy settings
   • Provide realistic time pressures for critical situations
   • Limit information as would happen in a real infiltration
2. Adaptability
   • Be prepared to adjust scenario pacing based on participant progress
   • Have additional challenges ready if teams resolve issues quickly
   • Be willing to provide guidance if teams get completely stuck
3. Observation
   • Take notes on key decisions and actions
   • Identify teaching moments for the debrief
   • Document specific areas for improvement

Post-Exercise Activities

1. Facilitating Discussion
   • Use open-ended questions to promote reflection
   • Focus on process improvements rather than assigning blame
   • Highlight both strengths and areas for improvement
2. Documentation
   • Compile observations and participant feedback
   • Prepare a comprehensive after-action report
   • Develop specific, actionable recommendations

Appendix: Detailed Technical Scenarios

Magical Signature Analysis

• Type: Shadowfen Stealth Enchantments
• Frequency: Oscillating at irregular intervals to avoid detection
• Components: Traces of nightshade, raven feather, and shadow essence
• Pattern: Probing at junctions of overlapping ward boundaries
• Detection Method: Enhanced crystal resonance using moonstone amplification

Shapeshifter Evidence

• Potion Residue: Characteristic blue-green stain of advanced transmutation
• Magical Signature: Shadowfen royal alchemist’s unique formulation
• Duration: Approximately 6 hours per dose based on residue degradation
• Limitations: Cannot replicate magical abilities, only physical appearance
• Countermeasures: Truth-stone checkpoints, aura verification by court wizards

Dragon Knight Capabilities

• Combat Training: Elite Shadowfen military with specialized magic resistance
• Magical Abilities: Limited combat spells, defensive enchantments, communication magic
• Equipment: Enchanted armor reducing magical detection by 75%
• Tactics: Primarily seeks to avoid detection rather than direct confrontation
• Weaknesses: Methods rely heavily on inside knowledge and preparation

Court Insider Analysis

• Position: Mid-level advisor with access to multiple secure areas
• Compromise Method: Combination of blackmail and magical compulsion
• Access Utilized: Library, archives, and guard rotation schedules
• Timeline: Active collaboration for approximately three months
• Evidence: Irregular financial transactions, unexplained absences, magical residue from memory modifications