You win by successfully defending against every type of attacker (Script Kiddies to Nation states).
You lose if: 1) You run out of budget to to maintain your operations. 2) If your data is ex-filtrated to tht public.

You are given a budget and access to a subset of mitigations. Click the mitigations you want to activate. Each activitation will reduce your budget. Active mitigcations show there state by color: Green=ready, Yellow=compromised, Red=broken. When you are ready, click the "RUN" button. This will start the attack.

Once the attack has begun the scenario will show a series of attack, failure, and inject cards. Each level has a core set of defined cards as well as radomaly generated cards. The number of cards increases with each level.

• Attack Cards: If you deployed an effective mitigation these cards are benign and are ignored. Good job! If not, you will given the chance to remediate at a cost. If you choose to ignore the expose will continue.
  
• Failure Cards: This is an attack that just always works, even if you have the right mitigation deployed. Real-life example: you did phishing training but somebody clicked on that email anyway.
  
• Inject cards: These can be good, bad, or indifferent. Respond or ignore as you see fit.