How to Run a Cybersecurity Awareness Workshop Online

This is a one-hour experience. The structure below fits that window exactly - 10 minutes to set the stage (or assign it offline), 30 minutes to get everyone into rooms and play, and 20-30 minutes to close with a real breach exercise that connects what just happened in the game to what happens in the real world.

Set the Stage

Cybersecurity fundamentals + how to play Byte Club.

10 min · or assign offline

Host the Game

Get players into rooms and compete in real time.

30 min

Analyze a Real Breach

Kill Chain breakdown + NIST CSF group discussion.

20–30 min

Step 1 - Set the Stage 10 min · or assign offline

The Byte Club interactive tutorial covers cybersecurity fundamentals for context - the Cyber Kill Chain, how attackers move through a network, the defender's role, and how to play the game. No prior security knowledge needed. You have two ways to run it.

Option A - Recommended

Independent Exploration

Send participants the tutorial link before the session and ask them to complete it on their own. This gives everyone time to absorb the concepts at their own pace and frees your live session entirely for the game and breach exercise.

Send the link 24 hours in advance: "Complete this 10-minute interactive tutorial before our session. No prep needed, just click through."

Option B - Live Screenshare

Facilitated Walkthrough

Screenshare the tutorial and narrate as you click through it. Effective when participants have no security background or when you want to ground each concept in your organization's specific context before the game.

Pause at the Kill Chain stages and ask: "Where have you seen this step play out in a real news story?" Even non-technical participants usually recognize a breach headline when broken down this way.

Step 1 Action

Open the Byte Club interactive tutorial. Send this link to participants in advance, or share your screen and walk through it together during the session.

Launch the Byte Club Demo

Step 2 - Host the Game 30 min

The game room is created live, during the session. Each room generates a unique code that connects everyone to your specific session. How you set it up depends on group size.

Up to 4 Players

Single Room

The host creates a room directly in the Byte Club lobby. A unique room code appears on screen. Share that code in your video call chat and players enter it to join. Everyone plays in one session together.

Passive observers can watch over a player's shoulder or via screenshare. The attacker-vs-defender format is easy to follow as a spectator and often sparks the best debrief moments.

5+ People / Multiple Tables

Event Hub - Multiple Rooms

Use the Event Hub to create multiple rooms at once. Each room gets its own unique code. Assign players into groups of 2-4 and distribute each group's code via breakout room chat or a shared doc. Groups play simultaneously then reconvene.

Mixing experience levels in each room usually produces stronger conversations than separating them. The IT person and the HR manager at the same table learn more from each other than they would apart.

1

Create the room during the session

Open Byte Club while on the call. Create a room and share the unique code via video call chat. Players enter the code to join. Do not pre-share a generic link - the room code is what connects everyone to your specific live session.
2

Brief the rules in 90 seconds

Once everyone is in the lobby: "One player is the attacker moving through the Kill Chain stages. The others are defenders trying to detect and block each step before the attacker reaches their objective." That is enough. Resist the urge to explain more - the game teaches the rest.
3

Run the game and observe

Watch for decisions made under pressure - who detects early, who waits for certainty, who prioritizes response over prevention. Note which Kill Chain stages the attacker got through undetected. These observations are your bridge into the breach exercise.
4

Call time and note where the attacker got to

Ask someone to capture the final game state. Which Kill Chain stages were completed before defenders responded? This maps directly to the real breach you will analyze next - the question is the same in both cases: where did detection fail?

Step 2 Action - Do this live, during your session

For a single group (up to 4): open Byte Club and create a room. For larger groups: use the Event Hub to create multiple rooms and assign players to each.

Create a Room - Byte Club

10 min

Set the Stage

or assign offline

30 min

Host the Game

rooms + play

20–30 min

Breach Analysis

use what time remains

Total: 1 hour

Step 3 - Analyze a Real Breach 20–30 min

The game puts players inside the attacker-defender dynamic. The breach exercise connects that experience to a real organization that faced the same dynamic and lost. The structure is simple: pick a breach, write one sentence using Kill Chain language, then discuss as a group what NIST controls could have changed the outcome.

Part A - Pick Your Breach

Before the session, find a recent breach that's relevant to your audience's industry or role. A current story lands harder than a famous old one people recognize the names, the risk feels real, and the conversation goes deeper. Swap it out each time you run the workshop to keep it fresh.

Where to find a good breach: Check The Hacker News (thehackernews.com) for current incidents. Look for a story with a clear entry point a phishing email, leaked credentials, a software vulnerability so participants have something concrete to map onto the Kill Chain. Pick one that would resonate with your audience: a breach in their sector, a tactic their organization is vulnerable to, or a name they already recognize from the news.

What makes a good breach to pick

A clear entry point phishing, exposed credentials, an unpatched system, a third-party vendor. The simpler the initial access, the better the discussion.

A measurable impact systems down, data exfiltrated, ransom paid. Numbers make the cost of missed detection concrete.

Relevance to the room same industry, same size organization, or a tactic that mirrors something your group is currently defending against.

At least one avoidable failure a control that wasn't in place, a signal that was missed, a process that broke down. This is what the NIST table builds from.

Part B - Walk Through the Kill Chain

The breakdown below is pre-filled by you as the facilitator before the session. Share it on screen, print it out, or read each stage aloud then open it up for discussion. The MGM Resorts 2023 breach is used here as the example. If you sourced a different incident, swap in your own one-sentence summary for each stage using the same format.

The Cyber Kill Chain - Stage Reference

Recon

Weaponization

Delivery

Exploitation

Installation

Command & Control

Actions on Objective

Example Breakdown MGM Resorts 2023

1 · Recon

The attacker searched LinkedIn to identify an MGM IT support employee, gathering their name, title, and enough personal detail to pass a verbal identity check.

2 · Weaponization

Using the employee's profile, the attacker built a social engineering script designed to impersonate them convincingly to an IT helpdesk representative.

3 · Delivery

The attacker called MGM's IT helpdesk directly, impersonating the employee and requesting a credential reset no malware, no phishing link, just a 10-minute phone call.

4 · Exploitation

The helpdesk reset the credentials and granted access without verifying identity through a secure second channel, trusting the caller's social proof alone.

5 · Installation

With valid credentials, the attacker established persistent access and deployed ALPHV/BlackCat ransomware across MGM's internal systems and infrastructure.

6 · Command & Control

The ransomware maintained an encrypted communication channel back to attacker-controlled infrastructure, allowing the group to coordinate, exfiltrate data, and issue an extortion demand.

7 · Actions on Objective

Hotel reservations, slot machines, digital room keys, and casino operations were disrupted across multiple MGM properties for days with estimated damages exceeding $100 million.

As you walk through each stage, ask the group: "Does this match what you saw in the game?" The connections between the game mechanics and the real breach are the moments that stick. Participants don't need to write anything the discussion is the exercise.

Part C - Fill in the NIST Controls

Using the MGM breach you just mapped above, work through the six NIST Cybersecurity Framework 2.0 functions as a group. For each one, discuss what was missing, what was present but failed, and what a stronger control would have changed. The Kill Chain breakdown from Part B is your evidence the NIST table is where you ask "what should have stopped that?" Use the prompts to guide the conversation. You don't need to complete every row.

Function	Discussion Prompt MGM Resorts 2023
Govern Set the rules everyone operates by	Did MGM have a policy requiring identity verification before a credential reset? Was there clear ownership of who is responsible when a social engineering attack bypasses the helpdesk? Govern is the function that defines the rules if no policy existed, this is where the failure started, before anyone picked up a phone.
Identify Know what matters most and how critical it is	MGM's casino operations reservations, slot machines, payment systems, digital room keys are among its most critical assets. Were those systems classified by criticality? Did that classification connect back to the helpdesk credential reset process that served as the gateway to all of them? Identify is about knowing what you can't afford to lose, and rating the risk of every path that leads there.
Protect Limit the blast radius	What access control, segmentation, or authentication requirement would have stopped the attacker between the credential reset and casino operations going offline? Where was MFA missing on the helpdesk reset process? Where was least-privilege not enforced once credentials were obtained?
Detect See the anomaly early	After credentials were reset, the attacker moved through MGM's systems before deploying ransomware. What monitoring or behavioral anomaly detection would have flagged unusual access patterns a new login location, an account accessing systems outside its normal scope, lateral movement between unrelated systems?
Respond Contain and communicate	Once ransomware was detected, MGM took days to restore operations. What did the incident response plan call for? Who had authority to shut down systems, and how quickly could they act? What was communicated to guests, staff, and regulators and when?
Recover Restore and learn	Recovery took over a week and cost an estimated $100M+. What backups, redundant systems, or continuity plans existed for casino operations? What changed in MGM's security posture after the breach and which of those changes should have been in place before it happened?

A Note on Facilitation

You do not need to be a security expert to run this workshop. The game builds the experiential foundation and the breach exercise is structured so the discussion guides itself. Your role is to keep the conversation moving and connect what participants say back to the game they just played.

The most powerful moment in this workshop is usually when someone maps a decision they made in the game - waiting to respond, missing a lateral movement, leaving a path open - directly onto the breach they are analyzing. When that connection lands, you do not need to explain anything. The room does it for you.

Ready to Run Your Workshop?

Byte Club is available now. Setup takes under 10 minutes and no technical background is required to facilitate.

Get Byte Club Preview the Tutorial

How to Run a Cybersecurity AwarenessWorkshop Online

Step 1 - Set the Stage 10 min · or assign offline

Step 2 - Host the Game 30 min

Step 3 - Analyze a Real Breach 20–30 min

Part A - Pick Your Breach

Part B - Walk Through the Kill Chain

Part C - Fill in the NIST Controls

A Note on Facilitation

Ready to Run Your Workshop?

How to Run a Cybersecurity Awareness
Workshop Online