DEFENSIVE INCIDENT CONTAINMENT EXERCISES

DICE does one job. It runs realistic incident scenarios against your team as a structured, turn-based encounter — dice, character sheets, attack rolls, saving throws — so the decisions, the handoffs, and the gaps get rehearsed under pressure instead of discovered during a breach.
FORM FACTOR
Browser-based simulation engine. Runs in any modern browser — no install, no client software. The Dungeon Master drives the session; players connect from anywhere.
SESSION MODEL
Turn-based encounters with initiative order, action economy, and time-pressure rounds. A 90-minute session typically covers six to ten in-game rounds — roughly four to twelve hours of real incident wall clock.
INPUTS
A scenario from the library — or a custom one you author. Optional player roster with assigned roles (Analyst, Hunter, Responder, Engineer, Intel Officer, Commander).
OUTPUTS
A complete session log with every action taken, every die rolled, every threshold missed. Containment timeline, dwell-time delta, and an after-action report mapped to the NIST IR lifecycle and MITRE ATT&CK.
INTEGRATIONS
Discord, Teams, and Slack for player chat.


A DICE session has three moving parts. The scenario sets the adversary, the kill chain, and the constraints. The roles assign who at the table can do what. The dice mechanics decide whether the action lands, partially lands, or fumbles into the next problem.

PIL. 01
ATT&CK notation, and branching outcomes that change with your rolls. 
PIL. 02
Every player picks a character sheet — Analyst, Hunter, Responder, Engineer, Intel Officer, or Commander. Each role has a stat block, proficiencies, and a finite action economy per round. You can’t do everything. You have to decide who does what, and trust the table.

PIL. 03
d20, add your ability modifier, beat the difficulty class the scenario sets. Natural 20s open opportunities the playbook didn’t account for. Natural 1s introduce the complication that finally surfaces the missing detection rule.
The mechanics engine encodes the common actions an incident responder takes — triage, isolate, hunt, preserve, escalate, communicate — as discrete skill checks against a difficulty class. Real incidents fail at the seams. DICE puts the seams on the table so the failure is rehearsed, not lived.
| ACTION | CHECK | OUTCOME |
|---|---|---|
| Triage check | INT save · DC 12 | read the alert correctly |
| Containment action | DEX check · DC 15 | isolate the host before lateral move |
| Threat hunt | INT check · DC 17 | spot the C2 beacon in the noise |
| Forensic preservation | WIS check · DC 14 | capture memory before reboot |
| Escalation roll | CHA check · DC 13 | page the right exec, first try |
| Communications | CHA save · DC 16 | hold the line with the customer |
| Legal hold | INT save · DC 15 | scope the privilege correctly |
| Engineering pivot | CON check · DC 18 | push the WAF rule under fire |
| Initiative | DEX check · top of round | who acts first this turn |
| Stress save | CON save · DC 14 | avoid burnout penalty next round |
| Inspiration spend | free action · 1/session | advantage on next roll |
| Natural twenty | CRIT | auto-success + narrative bonus |
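For a facilitator calibrating difficulty, this added example (not DICE's engine code) computes exact success odds for the DCs listed above and for a chain of checks across a handoff. It assumes "beat the DC" means d20 + modifier >= DC, that advantage means rolling two d20 and keeping the higher, and that rolls are independent; the +3 modifier is a constructed sample.

```python
from fractions import Fraction
from itertools import product
from math import prod

# DCs copied from the check list above; modifiers are supplied by the caller.
PAGE_DCS = {
    "triage": 12, "containment": 15, "threat_hunt": 17,
    "forensic_preservation": 14, "escalation": 13, "communications": 16,
    "legal_hold": 15, "engineering_pivot": 18, "stress_save": 14,
}

def lands(roll, modifier, dc):
    # Natural 20 is an automatic success per the list above. A natural 1 is
    # not an automatic failure here: the page only says it adds a complication.
    # Assumption: "beat the DC" means d20 + modifier >= DC.
    return roll == 20 or roll + modifier >= dc

def success_chance(dc, modifier, advantage=False):
    """Exact odds over every face. Assumption: advantage = 2d20, keep highest."""
    dice = 2 if advantage else 1
    kept = [max(faces) for faces in product(range(1, 21), repeat=dice)]
    return Fraction(sum(lands(r, modifier, dc) for r in kept), len(kept))

def chain_chance(steps, modifier):
    """Odds that every check in a handoff chain lands (assumes independent rolls)."""
    return prod((success_chance(PAGE_DCS[s], modifier) for s in steps),
                start=Fraction(1))

if __name__ == "__main__":
    mod = 3  # constructed sample modifier
    for name, dc in PAGE_DCS.items():
        plain = success_chance(dc, mod)
        adv = success_chance(dc, mod, advantage=True)
        print(f"{name:22} DC {dc}: {float(plain):.0%} plain, "
              f"{float(adv):.0%} with advantage")
    chain = ["triage", "containment", "forensic_preservation"]
    print(f"all of {chain} land: {float(chain_chance(chain, mod)):.1%}")
```

Each step in the sample chain lands about half the time on its own, yet all three land together only 13.5% of the time, which is the compounding effect a scenario author should check before setting DCs.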
The post-encounter score isn't a black box. Every signal — time to contain, evidence preserved, escalation latency, communication quality, regulatory fit — contributes a documented number of points. Teams can replay the same scenario six months later and see exactly where they got better.
| SIGNAL | DESCRIPTION | MAX POINTS |
|---|---|---|
| time_to_contain | Adversary stopped before next ATT&CK tactic | +30 |
| dwell_time_cut | Detection round earlier than baseline scenario | +25 |
| evidence_preserved | Forensic artifacts captured before disposal | +20 |
| escalation_first_try | Right stakeholder paged on the first attempt | +15 |
| comms_hold | External communications consistent with legal | +15 |
| no_double_action | No two players burned the same action economy | +10 |
| handoff_clean | SOC to IR handoff with no dropped context | +10 |
| playbook_followed | Existing runbook steps invoked in order | +10 |
| natural_twenty | Critical success at any point in the encounter | +10 |
| inspiration_used | Player spent inspiration at the right moment | +5 |
| aar_signed | After-action report acknowledged by every role | +5 |
Most tabletop exercises end with a verbal "we should fix that" and a Word doc nobody opens. DICE collapses the cycle into a single platform that captures the encounter, scores it, and pipes the action items straight into the systems your team actually uses.
Pick a scenario from the library or author your own. Assign roles, distribute character sheets, set the difficulty class. Pre-session briefing materials ship with every scenario.
The DM runs the encounter through the engine. Initiative, action declarations, rolls, and adversary ticks happen on a shared board. Everything is timestamped and logged.
Score generated automatically the moment the encounter ends. Every player reviews their own action log. The DM walks the team through every roll that mattered.
After-action report exported to PDF, with ATT&CK heat-map and gap analysis. Action items piped to Jira or ServiceNow. The replay is on file the next time the scenario runs.