Threatdle

Sources and Methodology

Threatdle is built from public threat intelligence data. We combine structured threat data, curated research, and reviewed overrides to produce a playable daily puzzle while keeping the clue set transparent and grounded in named sources.

Primary Data Sources

  • MITRE ATT&CK: canonical source for threat groups, software, techniques, and campaign relationships. Used for most actor, malware, and technique mappings.
  • MISP Galaxy Threat Actors: supplemental actor metadata and alias coverage used for enrichment and cross-matching.
  • Curated incident flows: manually maintained incident chains used for chronology, provenance, and exact-incident experiments.
  • Center for Threat-Informed Defense Adversary Emulation Library: additional ordered behavior sequences and emulation plans.
  • ATT&CK Evaluations / emulation plans: supporting attack-flow material used to expand timeline-style sequence coverage.
  • Sophos Threat Profiles: actor-profile enrichment source used for aliases, tools, objectives, and manual review support during backfill work.
  • Curated incident articles and public reporting: selected source articles may appear in solved reports when a case has a reviewed incident-source link.

How The Current Game Is Built

The live game currently uses a strict three-phase actor model:

  1. Identify the threat actor.
  2. Identify malware used by that actor.
  3. Identify a technique used by that actor.

A publishable actor entry must have complete Phase 1 clue data and enough relationship coverage to support the other two phases. In practice that means the actor must have a country, first-observed year, target categories, motivation tags, at least one malware link, and at least three linked ATT&CK techniques.

Methodology

  • We ingest structured sources into a local snapshot keyed by source hashes and snapshot IDs.
  • We normalize actor names, aliases, malware/software IDs, and ATT&CK techniques across sources.
  • We use manual override files to backfill missing metadata when public reporting supports a defensible value.
  • We exclude actors with missing required clue fields from the live puzzle pool.
  • We validate baked puzzle days to catch missing clue fields, leakage, and exact-chain inconsistencies before publication.
  • We expose MITRE links in the solved report so players can read the canonical ATT&CK entries for the actor, malware, and technique they identified.

The current live snapshot is built from a candidate pool of 88 actors, 95 malware entries, and 691 techniques.

That produces a naive Cartesian total of 5,776,760 possible actor-malware-technique combinations (88 × 95 × 691), but the live game does not use arbitrary mixes. When we require the malware and the technique to both be genuinely linked to the same actor in the active snapshot, the real playable pool is 6,267 actor-linked three-phase combinations across 49 actors.
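As an added illustration, not Threatdle's own code, the following Python applies the publishability rule described above (country, first-observed year, target categories, motivation tags, at least one malware link, at least three linked techniques) to a constructed three-actor snapshot and contrasts the naive Cartesian total with the actor-linked three-phase pool. All actor, malware and technique values are placeholders chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample snapshot, not Threatdle's data: each actor carries its
# Phase 1 clue fields plus the malware and technique links used by Phases 2 and 3.
@dataclass
class Actor:
    name: str
    country: Optional[str] = None
    first_seen: Optional[int] = None
    targets: list = field(default_factory=list)
    motivations: list = field(default_factory=list)
    malware: set = field(default_factory=set)
    techniques: set = field(default_factory=set)

REQUIRED_TECHNIQUES = 3  # "at least three linked ATT&CK techniques"

def exclusion_reasons(actor: Actor) -> list:
    """Return why an actor is excluded from the live pool; [] means publishable."""
    reasons = []
    if not actor.country:
        reasons.append("missing country")
    if actor.first_seen is None:
        reasons.append("missing first-observed year")
    if not actor.targets:
        reasons.append("missing target categories")
    if not actor.motivations:
        reasons.append("missing motivation tags")
    if not actor.malware:
        reasons.append("no malware link")
    if len(actor.techniques) < REQUIRED_TECHNIQUES:
        reasons.append(f"fewer than {REQUIRED_TECHNIQUES} techniques")
    return reasons

def pool_sizes(actors: list) -> tuple:
    """(naive Cartesian total, actor-linked combinations, eligible actor count)."""
    all_malware = set().union(*(a.malware for a in actors))
    all_techniques = set().union(*(a.techniques for a in actors))
    naive = len(actors) * len(all_malware) * len(all_techniques)
    eligible = [a for a in actors if not exclusion_reasons(a)]
    # Only malware/technique pairs linked to the same actor are playable.
    linked = sum(len(a.malware) * len(a.techniques) for a in eligible)
    return naive, linked, len(eligible)

SNAPSHOT = [
    Actor("ACTOR-A", "Country-1", 2012, ["finance"], ["espionage"],
          {"MAL-1", "MAL-2"}, {"T1566", "T1059", "T1071", "T1027"}),
    Actor("ACTOR-B", "Country-2", 2016, ["government"], ["financial"],
          {"MAL-3"}, {"T1566", "T1059", "T1105"}),
    # Excluded: country unknown and only two techniques, so omitted rather than guessed.
    Actor("ACTOR-C", None, 2019, ["telecom"], ["espionage"],
          {"MAL-2"}, {"T1071", "T1027"}),
]
```

Running `pool_sizes(SNAPSHOT)` on this snapshot returns (45, 11, 2): 3 × 3 × 5 naive combinations, but only 11 actor-linked ones across the two publishable actors.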

About Sophos Threat Profiles

Sophos threat-profile exports were used as a secondary enrichment layer during the actor backfill process. They were useful for alias review, objective hints, and some country and tool context, but they are not the canonical source for playable actor eligibility. ATT&CK-backed relationships and reviewed overrides remain the primary basis for publication decisions.

Current Limitations

Not every public source has the same structure or level of certainty. ATT&CK is strong for relationships, but incident chronology often requires curated flows or reviewed source articles. Where attribution or metadata is unclear, we prefer to omit a value or exclude an actor rather than publish a weak clue.