Back to Quest Board
🩷

The Scattered Legion

Targeting Staff Working From Home
P2 — High

Your realm's defenders have been dispersed across distant lands, working from keeps and homesteads far from the central fortress. The enemy has seized upon this scattered formation, targeting the weakest outposts to find a way past the castle walls. When the guardians are far from home, every hearth becomes a potential breach point.

45 minutes
DC 12
3 Injects
4–12 Players

Compliance Frameworks

NIST CSF PR.AC ISO 27001 A.6.2 NCSC Home Working Guidance

🛡️ Roles & Party Members

War Chief Required
Incident Commander

Leads the response team, coordinates containment across distributed workforce

Arcane Engineer Required
IT Operations Lead

Manages remote access infrastructure, endpoint security, and network containment

Shadow Watcher Required
SOC Analyst

Analyses threat indicators, monitors remote endpoints, investigates compromise scope

Keeper of the Codex Required
Compliance / DPO

Assesses data protection implications of home working compromise, regulatory obligations

Guild Master Optional
HR Representative

Manages staff welfare, addresses conduct matters, coordinates with affected employees

Town Crier Optional
Communications Lead

Drafts staff advisories, manages external communication if breach is confirmed

High Council Elder Optional
Senior Management

Provides executive decision authority, approves policy changes to remote working arrangements

⚡ Inject Timeline

1
The Outpost Breached — A Remote Worker Compromised
T+0 Minutes

It is 14:00 UTC on a Friday afternoon. The bank operates a hybrid working model, with approximately 60% of staff working from home on any given day. The SOC receives an alert from the EDR platform: a ...

6 Discussion Prompts 1 Dice Events 4 Possible Complications
2
The Widening Storm — Multiple Outposts Under Attack
T+20 Minutes

The investigation has revealed that the attack on the operations manager was not an isolated incident. The SOC has identified a coordinated campaign targeting the bank's remote workers. Over the past...

6 Discussion Prompts 1 Dice Events 4 Possible Complications
3
The New Order — Rebuilding Defences
T+35 Minutes

The immediate incident is contained. All compromised accounts have been disabled and re-credentialed. Affected devices have been reimaged or quarantined. The attacker has been ejected from the network...

6 Discussion Prompts 1 Dice Events 4 Possible Complications

📋 Debrief Questions

Post-Battle Assessment
  1. Were remote access security controls adequate to protect against targeted attacks?
  2. How effective was the detection and response for compromised remote endpoints?
  3. Were policies around personal device usage, password reuse, and public Wi-Fi adequate?
  4. How well did the organisation balance security with employee privacy and experience?
  5. Were GDPR breach notification procedures clear and timely?
  6. What strategic changes to remote working security architecture are needed?