You have run the tabletop. Everyone was in the room. Legal was there, finance was there, the IR lead walked the team through the scenario, and the executive sponsor said the right things. Action items were captured. The deck was uploaded to SharePoint. Six months later, when the pager actually fires at 2:47 AM on a Sunday, half of those action items are not done, the on-call analyst was hired after the exercise and was not in the room, and the executive sponsor is on a flight with their phone in airplane mode.
This is not a failure of intent. It is a failure of format. Tabletop exercises in their traditional shape — a facilitator reading from a script, a room nodding along, a Word doc afterward — were never designed to produce muscle memory. They were designed to produce a record that the exercise happened. Auditors get what they need. Teams do not.
DICE — Defensive Incident Containment Exercises — is built on a different premise. If you want a team to perform under pressure, you have to put them under pressure. If you want them to remember a decision, they have to make it themselves, watch it play out, and live with the consequence. If you want the playbook to get better, the playbook has to fail in a room where nobody got hurt.
DICE is a turn-based simulation engine for incident response and security operations teams. It borrows its structure from the oldest and most durable training format in human history — the tabletop role-playing game — and points it directly at the runbook your team will run when the breach actually arrives.
What DICE Actually Is
Strip away the marketing language and DICE is three things working together.
It is a scenario library — forty-plus pre-authored incidents covering ransomware detonation, business email compromise, supply-chain compromise, insider exfiltration, cloud key leakage, ICS intrusion, and the regulatory incidents that follow them. Each scenario ships with an adversary profile, a kill chain mapped to MITRE ATT&CK, a difficulty class, and a set of branching outcomes that change with your team’s choices.
It is a role and character sheet system — six operator archetypes (Analyst, Threat Hunter, Incident Responder, Engineer, Intelligence Officer, and Incident Commander) each with their own ability scores, proficiencies, and signature actions. Every player picks a sheet at the start of a campaign and keeps it across sessions. Growth and gaps are visible from one encounter to the next.
It is a dice mechanics engine — every action a player takes during the encounter is resolved as a skill check. Roll a d20, add your ability modifier, beat the difficulty class the scenario sets. Natural 20s open opportunities the playbook did not account for. Natural 1s introduce the complication that finally surfaces the missing detection rule. The dice are real. The randomness is the point.
Together these produce something that traditional tabletop exercises cannot: a session where the team’s decisions actually drive the outcome, where every choice is auditable, and where the failures happen in a room where the worst consequence is laughing at yourself.
A Round at the Table
To explain what playing DICE feels like, here is what one round looks like from inside the game.
Your team is running scenario R-07, a mid-stage ransomware incident. The initial detonation happened forty minutes ago in narrative time. Three workstations in the finance department are encrypting. The Dungeon Master — DICE calls them the DM, the role rotates — opens round three.
Initiative is rolled. The Threat Hunter goes first. She declares her action: hunt for the command-and-control beacon that the EDR alert mentioned but did not isolate. The DM sets the difficulty class at 17 — high, because the network is noisy and the adversary is using domain fronting. The player rolls a d20 on her character sheet. The roll comes up 14. Her INT modifier is +2 and she has proficiency in network forensics, adding another +3. Total: 19. She makes the DC by two. The DM narrates: she finds the beacon, confirms the C2 domain, and adds the indicator to the team’s working intel.
The Incident Responder is up next. He calls a containment action — isolate the three encrypting hosts at the switch level. DC 15. He rolls a 6 plus his +4 modifier — 10. He misses by five. The DM does not just say “you fail.” The DM says: the network team you paged is in a maintenance window and cannot push the change for ninety minutes of game time. Lateral movement continues. Round four will open with a fourth host encrypting. The team has a decision to make about whether to spend their action economy chasing containment or pivoting to evidence preservation.
The Incident Commander rolls a CHA check to brief the CISO without escalating into a panic call to the board. He rolls a 3. Natural 1. Critical fumble. The DM narrates: the CISO heard “ransomware” and called the CEO before the Incident Commander could finish the briefing. Round four will open with an unscheduled board call eating fifteen minutes of the Incident Commander’s time.
That is one round. Three players, four actions, two successes, one failure with consequences, and one critical fumble that shape what the next round looks like. The whole thing took eleven minutes of real wall-clock time. By the end of the session — typically six to ten rounds across ninety minutes — the team has rehearsed eighty to a hundred discrete decisions, each one auditable, each one with a documented outcome.
This is what tabletop exercises were always trying to be.
The Mechanics, in Detail
DICE encodes the common actions of incident response as discrete skill checks. The full mechanics catalog includes triage checks (INT save, did you read the alert correctly), containment actions (DEX check, did you isolate the host before lateral movement), threat hunts (INT check, can you spot the beacon in the noise), forensic preservation (WIS check, did you capture memory before the reboot), escalation rolls (CHA check, did you page the right exec on the first try), communications (CHA save, can you hold the line with the customer), legal hold (INT save, did you scope the privilege correctly), engineering pivots (CON check, can you push the WAF rule under fire), initiative rolls (DEX check, who acts first this turn), and stress saves (CON save, avoid burnout penalty next round).
Each character has an action economy of three actions per round, plus bonus actions, reactions, and free actions. You cannot do everything. You have to decide who does what, in what order, and trust the table to execute their piece. This is the single most important behavior DICE trains. Real incidents fail not because individual responders are incompetent but because the team’s collective action economy is mismanaged. Three people chase containment while nobody preserves evidence. Two people draft customer comms while legal is left out of the loop. DICE makes this failure mode visible inside a round instead of inside a deposition.
Once per session each player can spend Inspiration — a free action that grants advantage (roll two d20s, take the higher) on their next roll. Inspiration is earned through good play in earlier sessions and through risk-taking in the current one. It is the mechanic that rewards the analyst who flags the weird thing instead of the one who plays it safe.
What You Walk Out With
When the encounter ends, DICE generates an after-action report automatically. Not in the next sprint. Not when somebody on the team finds time. The moment the final round closes.
The report includes a complete timeline of every action taken, every die rolled, every threshold made or missed. It includes a score broken down by signal — time to contain, dwell-time delta against baseline, evidence preserved, escalation latency, communication quality, handoff cleanliness, runbook adherence. The score is not a black box. Every contributing weight is published. Teams can replay the same scenario six months later and see, line by line, where they got better.
The report exports as PDF for leadership and as an ATT&CK Navigator layer for your detection engineering team. The replay is on file the next time the scenario runs — including the next time the team runs the same scenario with a different cast of characters, which happens more often than you would think.
The scoring bands are simple. Zero to twenty-nine is a Fumble — the breach won, replay after the after-action review fixes the playbook. Thirty to fifty-four is a Partial — contained late, real damage, lessons are concrete and gaps are named. Fifty-five to seventy-nine is a Success — contained on time, runbook held under pressure, refine the seams the encounter exposed. Eighty to one hundred is a Critical Win — contained early, clean handoffs, the team is calibrated, promote a harder scenario next session.
Why This Works Where Traditional Tabletops Do Not
Three reasons.
First, the consequences are real inside the encounter. A bad roll has a downstream effect that ripples through the rest of the session. The team feels the cost of the mistake, not as a theoretical “we should fix that,” but as the actual difficulty of the next round. This is how procedural memory forms. Reading about a mistake teaches you nothing. Living the consequence of a mistake teaches you the lesson permanently.
Second, the randomness exposes brittle plans. Most playbooks read beautifully on paper because their authors assume every step succeeds. DICE makes every step a roll. A playbook that breaks the first time the third step fumbles is a playbook your team needed to know was brittle before the actual incident proved it. The dice are not a gimmick. They are a stress test.
Third, the format is engaging in a way that drives retention. Adult learners do not remember PowerPoint. They remember the time their critical fumble triggered an unscheduled board call and the rest of the team had to bail them out. Eighteen months later they will still remember the lesson and the specific roll that taught it. Studies on tabletop training in other high-stakes domains — aviation, surgery, military operations — consistently show that scenario-driven, decision-loaded simulations produce retention rates three to five times higher than narrative-driven training. There is no reason to believe security operations is the exception.
Who DICE Is For
DICE is built for incident response teams, security operations centers, and the cross-functional partners they have to coordinate with during a real incident. That means it is also built for legal, communications, engineering, and the executive layer — the people whose absence from traditional tabletops is precisely why traditional tabletops fail.
It runs in any modern browser. No client install. The DM drives the session from one screen, players connect from anywhere, and the engine handles the rolls, the action economy, the timeline, and the scoring. A session takes about ninety minutes of real wall-clock time and covers four to twelve hours of in-game incident time. Most teams run one DICE session per month and rotate the DM role across senior analysts.
What Happens Next
The teams that are going to handle their next breach well are not the teams with the longest runbook. They are the teams whose runbook has already been tested, whose handoffs have already been rehearsed, whose communication chain has already been timed, and whose executives have already been in the room when the wrong page got escalated.
DICE puts your team in that room every month, costs you ninety minutes a session, and walks you out with a measurable score, a documented gap analysis, and a set of action items already in your ticketing system.
The runbook on paper is fiction until it is tested. The dice find the seams. Roll for initiative.
