Backdoors & Breaches - Rules

Please note: The rules outlined below should be considered a guideline. The gameflow was designed to give Incidentmasters a lot of flexibility how they conduct the game. This game is not about winning or losing! It is about communication, training, and learning. And above that it is about having fun together!


Backdoors & Breaches - online, like its table top version, is a moderated team based game. The decisions of the moderator (Incident Master) are final. He is the one who (virtually) holds all the cards and makes the rules.

The goal of the game is discover (reveal) all four cards of the attack scenario within ten turns, by using one of the available procedures

Start of the Game

At the start of the game the attack scenario is prepared by randomly selecting four cards (one from each category):

In addition ten procedures are selected. Four of these procedures are considered to be well established or written down and will provide a bonus of +3 to the dice roll determining success or failure. To start the game the Incidentmaster gives a short introduction into the attack situation without revealing too much.

Playing the Game

As mentioned above, the game is turn based. Each turn starts with the players selecting a procedure based on the narrative given by the Incident Master. The incidentmaster will then roll a D20 (20-sided dice) to determine failure (1 to 10) and success (11 to 20). The roll is modified by +3 if the procedure is well known (or written down). During the game additional modifiers may be applied.

If the listed detection on one of the attack cards matches the chosen procedure and the roll was successful, the Incident Master will reveal the card. If the procedure can be used to detect more than one attack it is in the discretion of the Incident Master which attack is revealed.

If a played procedure was successful it can be played again immediately. Unsuccessful procedures become unavailable for three turns

The described process is repeated until all four attack cards are revealed (game is won) or ten turns are used without all cards are revealed (game is lost).

Whenever a 1 or a 20 is rolled, or players fail three times in a row an Inject Card is drawn by the Incident Master. Inject Cards add chaos to the game and facilitate conversation. They can add negative or positive events to the game, sometimes they do not affect the game, sometimes they can end the game!


As mentioned above these rules are to be considered a guideline and the engine offers enough flexibility to let you play the game in the way you benefit the most. You could for example award a positive modifier if your security team is very effective in some area or even add a negative modifier if they lack certain capabilities.

In any event, please remember that this is above all a training exercise and should be treated as such! Use it to train, to learn, and to comnunicate. And above all: HAVE FUN!!