OBJECTIVE
Survive 7 game days as a SOC operator. Defend company infrastructure against nation-state and criminal threat actors. You lose if 3 breaches succeed.
THE THREAT LOOP
Every few minutes a threat actor attempts an intrusion. It is checked against your Coverage %:
- Detected → CRIT fires in SIEM, incident created — assign an analyst immediately.
- Undetected → silent dwell. Surfaced eventually by your MTTD timer — or not at all until breach.
- Breach → undetected dwell expires, or a detected incident goes unhandled too long.
RESPONDING TO INCIDENTS
- CRIT alert fires in the SIEM strip at the bottom.
- Incident card appears in the centre panel with a breach countdown.
- Click ASSIGN ANALYST — a free analyst begins working it.
- Analyst works through: TRIAGE → CONTAIN → ERADICATE → RECOVER
- A LESSONS LEARNED sign-off appears once RECOVER completes — click it for a per-category IR speed bonus.
KEY STATS
- Coverage % — detection chance on spawn. Your primary defence. Target 50%+ immediately.
- MTTD — Mean Time to Detect: how long before an undetected threat is eventually caught. Lower is safer.
- Vuln Score — directly increases threat spawn frequency. Patch regularly; don't let it compound.
- Analysts Free — your throughput ceiling. Running 0 free while incidents pile up is the most common way to lose.
- Budget — hits zero and paid services (MSSP, SAT, Consultant) auto-cancel. Idle money doesn't defend you. Spend it.
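As an added illustration (not code from PumaSOC itself), a toy Python model of the threat loop and the analyst-throughput ceiling described above: detection on spawn against Coverage %, later surfacing by the MTTD timer, silent breach when dwell expires, and breach when a surfaced incident waits too long for a free analyst. Every threat, roll, timer and cost in it is constructed for the example; the game's real values are not on this page.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    spawn: int    # game-minute the actor attempts the intrusion (constructed)
    roll: float   # constructed detection roll in [0, 1); detected when roll < coverage


def surface_time(t, coverage, mttd, dwell_limit):
    """Minute at which the threat becomes an incident, or None if it breaches silently.

    Detected on spawn -> CRIT fires immediately. Undetected -> the MTTD timer surfaces
    it at spawn + mttd, unless the (assumed) dwell limit expires first.
    """
    if t.roll < coverage:
        return t.spawn
    if mttd < dwell_limit:
        return t.spawn + mttd
    return None


def simulate(threats, coverage, mttd, dwell_limit, breach_timer, analysts, work_time):
    """Return the number of breaches for one constructed wave of threats.

    Incidents are handed to the earliest-free analyst in the order they surface; an
    incident that waits longer than breach_timer before an analyst picks it up breaches.
    """
    breaches = 0
    surfaced = []
    for t in threats:
        s = surface_time(t, coverage, mttd, dwell_limit)
        if s is None:
            breaches += 1          # dwell expired before anyone looked
        else:
            surfaced.append(s)
    busy_until = [0] * analysts    # minute at which each analyst is free again
    for s in sorted(surfaced):
        i = min(range(analysts), key=lambda k: busy_until[k])
        start = max(s, busy_until[i])
        if start - s > breach_timer:
            breaches += 1          # nobody free in time: unhandled incident breaches
            continue
        busy_until[i] = start + work_time
    return breaches


# Constructed wave: two detected on spawn at 50% coverage, one that dwells silently.
SAMPLE_WAVE = [Threat(0, 0.2), Threat(30, 0.9), Threat(60, 0.4), Threat(100, 0.1)]
```

With one analyst the same wave produces a breach purely from queueing; a second analyst clears it, and raising MTTD past the dwell limit turns the silent threat into a breach no amount of staffing can prevent.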
RANDOM EVENTS
Crises fire periodically — DDoS barrages, zero-days, tool outages, insider threats, budget audits. Shown as ACTIVE EVENTS in the left panel. Events may cut Coverage %, drain budget, or spike threat rates. Ride them out.
NETWORK MAP
The minimap in the left panel shows your infrastructure in real time. Green = healthy. Amber = vulnerable (unpatched CVEs). Red = under attack or breached. Animated packets show active threats moving through the network.
DETECTION & INTELLIGENCE
DETECTION ENG — $25k–$50k per upgrade
Upgrade SIEM detection rules across all 12 MITRE ATT&CK technique categories (up to level 5 each). Each level raises Coverage % and adds a category-specific detection bonus. Your highest-ROI investment — prioritise this above almost everything else.
THREAT INTEL — $50k–$250k per feed
Subscribe to commercial threat intel feeds for passive Coverage % boosts and MTTD reductions. Each feed targets specific actor categories and stacks with Detection Engineering. Buy the cheapest feeds first — ROI diminishes as you stack them.
VULNERABILITY MANAGEMENT
VULN MGMT — $10k scan, variable patch costs
Run a scan to discover CVEs across your infrastructure. Patch individually (HIGH: $8–12k, MED: $3–6k, LOW: $1–3k), patch all criticals at a small discount, or patch everything with a 15% bulk discount. Vuln Score directly accelerates threat spawn rate.
AUTOMATED RESPONSE
SOAR PLATFORM — $100k platform + $20k per playbook
Security Orchestration, Automation and Response. The platform alone does nothing — deploy playbooks per ATT&CK category ($20k each, 12 total). Each playbook adds +25% speed to TRIAGE and CONTAIN stages for that technique. Best purchased mid-game when incidents are overwhelming analysts.
ADVERSARIAL TESTING
RED TEAM — $30k–$150k per engagement
Commission a penetration test. While the engagement runs, that attack category is suppressed — all threats in it auto-detect. On completion you receive a coverage bonus and SIEM rule improvement for that category. Use it to shore up a detection blind spot while engineers catch up.
ANALYST STAFFING
HIRE ANALYST — $75k
Each analyst handles one active incident at a time. Maximum 8. Hire early — analysts are your throughput ceiling and the most common bottleneck.
ANALYST ACTIVITIES (consume one slot for the duration)
SEND TO TRAINING — $30k · 24h · permanent +10% IR speed (max +30%)
Offline for 24 game-hours. On return, permanently boosts all analysts' IR stage speed by +10%. Three trainings caps the bonus. Do it early before incident waves hit.
THREAT HUNT — $40k · 8h · surfaces 1–3 hidden threats
Proactive hunt for lurking undetected threats. On return, creates incidents for any found — turning silent dwell into cases you can close. Use when MTTD is high and you suspect threats are accumulating invisibly.
TABLETOP EXERCISE — $25k · 4h · +15% IR speed for 48h
IR team runs through a simulated scenario. On completion, grants a temporary +15% speed boost lasting 48 game-hours — visible in the posture panel. Stack with training bonus for maximum throughput during a surge.
PATCH SPRINT — $10k · 3h · free-patches all LOW vulns
Analyst focuses entirely on remediation. On completion, patches every discovered LOW-severity vulnerability at no additional cost. Only available when low vulns are outstanding. Excellent value early in the game.
OSINT RESEARCH — $20k · 6h · 3 guaranteed-detection charges
Analyst profiles active threat actors. On completion, loads 3 charges — next 3 threats that spawn are immediately detected regardless of Coverage %, each logged with OSINT attribution in SIEM. Use before anticipated high-activity periods.
PARTNERS
SECURITY AWARENESS TRAINING — $50k setup + $10k/cycle
Blocks 35% of all Initial Access threat spawns at the employee layer — the threat never enters your environment. Ongoing cost; auto-cancels on insufficient budget. Cheap early insurance on any difficulty.
MSSP — $150k setup + $15k/cycle
Auto-assigns free analysts to unhandled incidents each tick. A safety net so incidents never breach simply because you missed the alert. Expensive — only worth it when you're consistently running out of free analysts.
CONSULTANT — $75k engagement fee
Passive Coverage % and MTTD improvement plus a daily briefing with one data-driven action recommendation tailored to your current posture. Hire on day 1 — the briefings alone direct your spending effectively.
Survive a week and you can extend the engagement. Your budget, analysts, and SOAR platform carry over. Everything else is subject to the natural entropy of a real security program.
WHAT CHANGES BETWEEN WEEKS
Detection Rule Decay
Adversaries adapt new TTPs. You need to re-invest to keep up.
Intel Feed Subscriptions Expire
Feeds run for 7 game-days from purchase — check days remaining in the modal and renew before they lapse. New higher-tier feeds also unlock each week.
Consultant Engagements Expire
Consultant engagements run for 7 game-days from hire — check days remaining in the left panel and re-engage before they lapse to maintain defensive bonuses.
SOAR Platform Staleness
Operations have deployed more stuff without telling you.
Reduced Security Budget
Nothing bad happened last week, so why should the board keep funding you?
Escalated Adversary Activity
Welcome to the Red Queen Problem.
New CVE Disclosures
Patches don't just land on Tuesdays.
FIRST MOVES BY DIFFICULTY
ANALYST (Easy) — $800k start, 3 analysts, 45% coverage
Hire a Consultant day 1 for guided spending. Push Coverage above 60% fast. Buy Security Awareness Training early — it pays for itself within 2 income cycles. Run a Tabletop once your team is stable.
ENGINEER (Medium) — $500k start, 2 analysts, 25% coverage
Hire a third analyst immediately. Send one to training as soon as coverage is above 40%. Buy SAT before the incident wave peaks around day 2. OSINT research is strong here — 6h is affordable when you have 3 analysts.
HUNTER (Hard) — $300k start, 1 analyst, 10% coverage
First $75k goes on a second analyst — no exceptions. Patch sprints and OSINT are your best early tools. Don't buy SOAR or MSSP until coverage is above 40%. Every dollar counts; avoid analyst activities until you have 3+ on the team.
GENERAL STRATEGY
- Coverage first. Everything else is secondary until you can detect most threats on spawn.
- Never let analysts sit idle when incidents are open. Unhandled incidents breach. If all incidents are covered and a slot is free, run an analyst activity.
- Watch the breach countdown. The timer on each incident card is how long you have. Triage fast, especially on hard difficulties.
- Campaign actors escalate. The same actor appearing multiple times gains skill and speed. Don't ignore repeated names in the SIEM.
- Vuln Score compounds. Every point above 50 meaningfully increases spawn rate. Patch regularly — not in bulk emergencies.
- Budget is a weapon, not a score. Idle money doesn't defend you. Invest aggressively early.
SCORING
Your final grade is determined by posture at end-of-operation: breaches are a hard floor (3 = F, 2 = D, 1 = C). For zero-breach runs, grade is based on Coverage %, MTTD, unpatched vulnerabilities, and open incidents at game end (S / A / B).
CONTROLS
- SPACE — pause / resume | 1 2 3 4 — set speed | ? — help | M — mute
SIEM FEED
Click the strip at the bottom to expand the full event history. CRIT = immediate action needed. WARN = monitor. OK/INFO = informational. Use the filter buttons to focus on ALERTS or INCIDENTS only.
Thanks for playing. Genuinely.
I would like to tell you how much time and effort I put into development, but the reality is that PumaSOC went from first ideation to working release in a single day thanks to Claude Code. It was built from scratch, without prior scaffolding, through pure nit-picking conversation about dumb security tropes.
While I hope everybody enjoys this game, I hope my peers in the security industry especially will give me a single, silent nod of respect for the subtle realistic details (and snark) I have crammed into it. After years of Hollywood-style hacking games, I wanted to build the one that actual experts could appreciate.
WHY THIS GAME EXISTS
Security is my thing. Threat and vulnerability management, monitoring and response operations, and advisory services, especially — but also operational, physical, and personal security. I spend a lot of time thinking about how to protect things, even when they're not mine to protect.
I'm not a developer, but with the dawn of AI-assisted development, all I have to be is a project manager and UX tester. I truly believe that we are at a turning point in cybersecurity unlike anything we have seen before, and that AI is the ultimate Red Queen. The fact that you are reading this at all proves it to be true.
Built by greykit.com