You've been hired to secure a network that has never been properly maintained. You have limited time, limited headcount, and a tight budget. Discover assets, find vulnerabilities, fix what you can, and defend against an AI red team before they reach your critical infrastructure.
THE GOAL
Discover the network, scan assets, remediate vulnerabilities, and detect and respond to compromises. You're scored on containment, security posture, assessment coverage, incident response speed, and budget efficiency. Any critical asset breached = automatic F.
RESOURCES
Analysts — Your most precious resource. Each analyst can do one thing at a time: vuln scan, deploy EDR, fix vulnerabilities, investigate, respond to incidents, or rebuild systems. You start with 2. Hire a contractor mid-run (+1 analyst, $10K) using the yellow button next to the analyst count, or unlock permanent analysts in the Skill Tree.
Budget ($) — Money for fixes, rebuilds, and hiring. Budget replenishes every 60 seconds. The progress bar under the amount shows when the next allocation arrives and how much you'll receive.
Time — The clock counts up to 15:00. The red team escalates as conditions are met, not by the clock alone. If you secure everything and eliminate all threats after 5 minutes, the engagement ends early.
SCORING
Containment (30%) — % of nodes never compromised or successfully reclaimed.
Posture (25%) — Severity-weighted % of known risk addressed.
Assessment (15%) — % of total vulnerabilities discovered.
Response (15%) — Speed of incident detection and remediation.
Efficiency (15%) — Risk reduced per dollar spent.
Grades: S (95+, TL5+) / A (85+) / B (70+) / C (55+) / D (40+) / F
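The grading rules above can be read as a small function: five weighted sub-scores, letter thresholds, and two overrides (a breached critical asset is an F no matter what, and S needs TL5+). The Python below is an added illustration, not the game's own code. The in-game formula is not published, so treating the final score as a plain weighted sum of the five percentages, and dropping a 95+ run that never reached TL5 to an A, are assumptions.

```python
"""Grading model for a PumaSecure run, as the help screen's SCORING section
states it. Added illustration, not the game's code: combining the five
sub-scores as a weighted sum, and giving a 95+ run that never reached TL5
an A, are assumptions."""
from dataclasses import dataclass

# Category weights from the SCORING section; they sum to 1.0.
WEIGHTS = {
    "containment": 0.30,   # % of nodes never compromised or reclaimed
    "posture": 0.25,       # severity-weighted % of known risk addressed
    "assessment": 0.15,    # % of total vulnerabilities discovered
    "response": 0.15,      # detection and remediation speed
    "efficiency": 0.15,    # risk reduced per dollar spent
}

# Minimum weighted score for each letter, highest first, from the Grades line.
GRADE_THRESHOLDS = [("S", 95), ("A", 85), ("B", 70), ("C", 55), ("D", 40)]
S_MIN_THREAT_LEVEL = 5  # S additionally requires TL5+


@dataclass
class RunResult:
    containment: float       # each sub-score is a percentage in [0, 100]
    posture: float
    assessment: float
    response: float
    efficiency: float
    threat_level: int        # highest threat level (TL) reached during the run
    critical_breached: bool  # any Zone 4 asset compromised at any point


def weighted_score(r: RunResult) -> float:
    """Combine the five sub-scores into one 0-100 score (weighted sum)."""
    scores = {name: getattr(r, name) for name in WEIGHTS}
    for name, value in scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be a percentage, got {value}")
    return round(sum(WEIGHTS[name] * value for name, value in scores.items()), 2)


def grade(r: RunResult) -> str:
    """Letter grade; a breached critical asset is an automatic F regardless of score."""
    if r.critical_breached:
        return "F"
    score = weighted_score(r)
    for letter, minimum in GRADE_THRESHOLDS:
        if score >= minimum:
            if letter == "S" and r.threat_level < S_MIN_THREAT_LEVEL:
                return "A"  # assumption: score qualifies for S but the TL5+ condition fails
            return letter
    return "F"


if __name__ == "__main__":
    # Constructed sample runs, not real game output.
    clean = RunResult(100, 100, 100, 100, 100, threat_level=5, critical_breached=False)
    messy = RunResult(90, 80, 70, 60, 50, threat_level=3, critical_breached=False)
    breached = RunResult(90, 80, 70, 60, 50, threat_level=3, critical_breached=True)
    for name, run in [("clean", clean), ("messy", messy), ("breached", breached)]:
        print(f"{name}: score={weighted_score(run)} grade={grade(run)}")
```

The "messy" run shows why Containment carries the most weight: the same sub-scores with one critical breach go straight from a B to an F.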
CONTROLS
Click — Select a node (left panel or map)
Double-click — Quick action: Investigate > IR > Vuln Scan > Deploy EDR
Drag — Pan the map
Scroll — Zoom
Space / Esc — Pause / Resume
? — This help screen
STRATEGY TIPS
• Scan perimeter nodes first — they're the red team's entry point.
• Fix "Missing Monitoring" vulns early — without them, you're blind to attacks.
• Deploy EDR on critical assets — Tier 1 detection catches compromises instantly.
• Mitigate is your friend when budget runs low — it always works.
• A cheap Configure can downgrade a Critical to Medium, making it far less exploitable.
• Watch the SIEM feed — vague zone alerts mean a scanned node is under attack.
• If you see no alerts at all on unscanned nodes, you might already be compromised.
Assets are the network nodes you're defending. Each represents a real system — firewalls, servers, databases, IoT devices, workstations, and more.
NETWORK ZONES
The network is arranged in concentric security zones, from outside to inside:
Perimeter (Zone 0-1) — Internet-facing systems. The red team's entry point. Firewalls, VPNs, web servers, Wi-Fi access points.
Internal (Zone 2) — Corporate infrastructure. Workstations, printers, internal servers.
Secure (Zone 3) — Protected systems. Application servers, monitoring, domain controllers.
Critical (Zone 4) — Crown jewels. Databases, SCADA systems, data stores. A breach here is an automatic F.
ASSET DISCOVERY
You start knowing only some assets. New assets are discovered by:
• Vuln scanning a node reveals its direct neighbors.
• Deploying EDR may reveal hidden shadow IT assets.
• The red team attacking an undiscovered node will also reveal it to you.
MAP COLORS
Dark green = discovered but not scanned
Green = scanned, all vulns fixed
Amber pulsing = anomaly detected (needs investigation)
Orange = has unfixed high-severity vulns
Red pulsing = confirmed compromise
SCANNING
Passive Scanning — Runs automatically on all discovered nodes. Slow, detects only 6 common vulnerability types (exposed services, weak crypto, default creds, misconfigurations, cloud misconfig, end-of-life). The pulsing green bar in the left panel shows passive scan progress.
Vuln Scan (15-25s, 1 analyst) — Runs a vulnerability scanner (like Nessus or Qualys). Reveals all vulnerabilities on the node, discovers neighboring assets, and upgrades the node to Tier 2 detection. Double-click an unscanned node to start.
Deploy EDR (20-30s, 1 analyst) — Installs an endpoint detection agent (like CrowdStrike). Reduces exploitability of all vulns on the node, may discover shadow IT, and upgrades to Tier 1 detection (instant alerts). Also auto-confirms any existing compromise. Double-click a scanned node to start.
LEFT PANEL BARS
Each asset in the left panel shows status bars:
Scan bar — Pulsing green (passive), bright green (vuln scan), cyan (EDR deployed).
Risk bar — Yellow shows known risk. Pulsing red when compromised. Cyan overlay shows investigation progress.
Fix bar — Amber segments show active remediation progress on that node's vulnerabilities.
Vulnerabilities are the attack surface the red team exploits. Each vuln has a severity (1-10), an attack vector (Network, Local, Physical), and a category that determines how it's discovered and what fixes are available.
SEVERITY
Severity ranges from 1 (informational) to 10 (critical). Higher severity means the red team is more likely to exploit it and gets bigger bonuses when they do. Severity colors:
1-3 = Low / 4-6 = Medium / 7-8 = High / 9-10 = Critical
ATTACK VECTORS
Network — Exploitable remotely. The most dangerous vector.
Local — Requires local access. Exploitable after compromise or from same-zone foothold.
Physical — Requires physical presence. Only exploitable by an onsite pentester.
REMEDIATION OPTIONS
Listed from least to most effective. Hover over buttons in-game for details.
Mitigate — Applies a workaround that reduces exploitability by 50-75%. Cheap, fast, and always succeeds. Doesn't fix the root cause — the vuln remains, just harder to exploit. Use this when budget is tight, for zero-days, or as a stopgap until you can apply a real fix.
Configure — A configuration change that reduces severity by 3-5 points. Cheap and fast with 85-100% success rate. May fail because operations reverts the config change. Good for quickly downgrading Critical vulns to manageable levels.
Patch — Applies a vendor patch for a full fix. Moderate cost and time, 70-95% success rate. May fail due to change window denials, dependency conflicts, or incompatible systems. The workhorse fix for most vulns.
Replace — Full component replacement. Expensive and slow, but 95-100% success rate. Required for end-of-life systems that can't be patched. The most thorough fix available.
FAILED REMEDIATIONS
When a fix fails, the button changes to Rework [type]. Reworking costs 1.5x the original price but uses the same success rate. You can also choose a different remediation strategy — for example, if a patch fails, try replacing the component instead.
A mitigated vulnerability can still be properly fixed later. If you mitigate something early to reduce immediate risk, come back and patch or replace it when resources free up.
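The remediation options, the 1.5x rework price and the "Configure can downgrade a Critical to Medium" tip all follow from a few numeric rules, so here they are as a small model. This is an added illustration, not the game's code. The effect sizes and success-rate ranges are the ones the help text states; the dollar costs are constructed sample values (the real prices appear on hover in-game), and mapping a single 0-1 `effect` fraction onto each range is an assumption.

```python
"""Model of the four remediation options and the rework rule from the help
screen. Added illustration, not the game's code: costs are constructed
sample values and the `effect` mapping is an assumption."""
from dataclasses import dataclass, field
import random

BASE_COST = {"mitigate": 500, "configure": 1000, "patch": 3000, "replace": 10000}
REWORK_MULTIPLIER = 1.5   # a retry after a failed attempt costs 1.5x
SUCCESS_RATE = {          # (worst, best) success rate per option, from the text
    "mitigate": (1.00, 1.00),
    "configure": (0.85, 1.00),
    "patch": (0.70, 0.95),
    "replace": (0.95, 1.00),
}


def severity_band(severity: int) -> str:
    """Severity colour bands from the SEVERITY section."""
    if severity >= 9:
        return "Critical"
    if severity >= 7:
        return "High"
    if severity >= 4:
        return "Medium"
    return "Low"


@dataclass
class Vuln:
    name: str
    severity: int               # 1-10
    exploitability: float       # 0.0-1.0, how easily the red team can use it
    end_of_life: bool = False   # EOL components cannot be patched
    fixed: bool = False
    mitigated: bool = False
    failures: dict = field(default_factory=dict)  # option -> failed attempts


def quote(v: Vuln, option: str) -> int:
    """Price of attempting `option` now; a rework after a failure costs 1.5x."""
    cost = BASE_COST[option]
    if v.failures.get(option, 0) > 0:
        cost *= REWORK_MULTIPLIER
    return int(cost)


def remediate(v: Vuln, option: str, roll: float, effect: float) -> bool:
    """Attempt `option`. `roll` in [0,1) decides success against the option's
    rate; `effect` in [0,1] picks where in the stated range the outcome lands.
    Both are passed in so outcomes are reproducible; `remediate_random` draws
    them. Returns True on success."""
    if v.fixed:
        return True  # nothing left to fix
    if option == "patch" and v.end_of_life:
        return False  # not offered for end-of-life systems: Replace is required
    worst, best = SUCCESS_RATE[option]
    if roll >= worst + effect * (best - worst):
        v.failures[option] = v.failures.get(option, 0) + 1
        return False
    if option == "mitigate":
        # workaround: exploitability drops 50-75%, the root cause remains
        v.exploitability *= 1 - (0.50 + 0.25 * effect)
        v.mitigated = True
    elif option == "configure":
        # configuration change: severity drops 3-5 points
        v.severity = max(1, v.severity - (3 + round(2 * effect)))
    else:
        # patch or replace: full fix
        v.fixed = True
        v.exploitability = 0.0
    return True


def remediate_random(v: Vuln, option: str, rng=random) -> bool:
    """Same as remediate(), with the roll and effect drawn at random."""
    return remediate(v, option, rng.random(), rng.random())


if __name__ == "__main__":
    v = Vuln("default credentials", severity=9, exploitability=0.9)
    remediate(v, "configure", roll=0.5, effect=1.0)
    print(v.name, v.severity, severity_band(v.severity))  # Critical -> Medium
    print("patch succeeded:", remediate(v, "patch", roll=0.99, effect=0.0))
    print("rework quote:", quote(v, "patch"))
```

Note that a mitigated vuln keeps `fixed == False`: it still counts as open risk, which is why the text says to come back and patch or replace it later.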
VULNERABILITY CATEGORIES
Categories affect which vulns passive scanning can find, and which fixes are most appropriate:
Passively detectable: Exposed services, weak crypto, default credentials, misconfigurations, cloud misconfig, end-of-life software.
Scan required: Unpatched software, injection flaws, access control issues, API vulnerabilities, supply chain risks, insecure protocols.
EDR required: Missing monitoring, insider threat indicators, physical security gaps, zero-days.
The red team is an AI-controlled adversary with 1-3 independent pentester agents. They operate like a second player — limited resources, strategic decisions, and real-time operations.
PENTESTER AGENTS
Each pentester independently selects targets, scans, exploits, and establishes footholds. More pentesters at higher threat levels:
TL 1: 1 pentester / TL 2-3: 2 pentesters / TL 4+: 3 pentesters (faster at TL 6+)
A pentester's attack chain: Scan target (5-12s) → Exploit vuln (4-10s) → Compromise → Persist or Pivot. Each step takes real time, giving you windows to detect and respond.
ATTACK BEHAVIOR
You get a 3-minute head start before the red team activates. Use this time to scan and prioritize fixes.
Once active, each pentester operates independently. Their behavior adapts to their situation:
No footholds — Probe and attack perimeter nodes (zone 0-1), looking for an entry point.
Has foothold — Expand inward, prioritizing high-value and deeper-zone neighbors.
Deep footholds — Aggressively target critical assets (zone 4). Attack speed increases.
Locked out — Regroup and re-target the perimeter. The red team never gives up.
PERSISTENCE vs PIVOT
Persistence (15-30s) — Establishes a durable foothold on high-value nodes. Survives your incident response. Even after you kick the attacker out, the persistence marker remains — the red team can re-enter in just 5 seconds. Use Burn & Rebuild to fully eliminate it.
Pivot (3-8s) — Quick lateral move through low-value nodes (IoT, printers). Fragile — if you reclaim the source node via IR, the pivot fails and the downstream foothold is lost.
PHYSICAL INTRUSION
When the red team is locked out remotely (no viable targets for 30+ seconds), a pentester may go onsite:
Coffee Shop — Pentester arrives onsite (10-15s). Can attack Wi-Fi access points and wireless workstations with no penalty for failure. Low risk for the attacker.
Physical Penetration — Optional high-stakes move. The pentester attempts to physically access secured areas (server rooms, data centers). Success gives instant persistence via USB-jack. Failure risks permanent removal — the pentester is caught and detained by security. Fixing physical security vulns makes this harder and more likely to result in capture.
DETECTION TIERS
Your ability to see attacks depends on your monitoring posture:
Tier 1 (EDR deployed) — Instant, specific alerts. Compromises immediately confirmed.
Tier 2 (vuln scanned) — Delayed, vague zone-level alerts. Compromises appear as amber anomalies — must be investigated to confirm.
Tier 3 (unscanned / missing monitoring) — Completely silent. You won't know you're compromised until the red team pivots to a monitored node.
The "Missing Monitoring" vulnerability forces Tier 3 even on scanned nodes — fix it or stay blind.
INCIDENT RESPONSE
Anomaly Investigation (5-10s, 1 analyst) — Confirms whether an anomaly is a real compromise or false positive. Required for Tier 2 detections. Tier 1 nodes skip this step — compromise is auto-confirmed.
Incident Response (10-20s, 1 analyst) — Evicts the attacker and hardens the node for 4 minutes. This is a race — if the pentester completes persistence before your IR finishes, the foothold survives even after the attacker is kicked out.
Burn & Rebuild ($8-20K, 25-45s, 1 analyst) — Scorched-earth system replacement. The only way to fully eliminate persistence. Takes the node offline during rebuild, severs downstream red team access. The node comes back clean with zero vulnerabilities. Cannot be done during active compromise — complete IR first. Warning: completing a rebuild costs you one analyst permanently — someone's getting fired for letting it get this bad.
Thanks for playing!
This is the third game in the PumaSOC universe:
• PumaSOC — Run your own security operations program from the comfort of your SIEM interface!
• PumaResponse — An incident response choose-your-own-edutainment-adventure!
• PumaSecure — Taking over vulnerability management in the middle of a red team assessment!
Once again, this app was made by me, who is not a developer, using Claude Code.
Built by greykit.com