This game has multiple levels that are progressively more challenging. In each level you need to a set an initial defense and maximize enough budget to address any actions and/or compromises that occur during the attack phase. As you progress through the levels your capability to deploy more types of mitigations (defenses) will increase. The sophistication of your attackers will also increase. By the last level you will have available all of the mitigations defined in Mitre's Att&ck framework and your adversary will be using every technique in the their playbook.

You have the next BIG IDEA and a very talented team of three (Me, Myself, and I). The bad news is budget is tight so you need to be smart about how you spend your resources. The good news is your new and not a direct target for a serious attack. However, the world is full wanttabe hackers (Script Kiddies) playing with Metasploit, scanning IPv4 addresses, and spamming new domain admins. You likely only have only a single server. Focus your resources on protecting that server and try not to click on anything stupid.

Of course your Mom and your dog Spot think anything you do is wonderful. But now you have real customers paying cash money! Cool, you are not the next Jeff Bezos yet, but cash and PII (credit cards) are coming in. You have hired a small but talented team, and there might one or two that think they are smarter than you! The attacks will not be overly sophisticated, but fundamental control of user access to resource is key.

With money rolling in so is the attention. There are few groups that are not happy with your innovation. Taking you down before you to big for your britches is for Hacktivists. By in large Hacktivists are mostly interested in disruption. They can be very effective at using existing toolsets. If they get to your customer data they will become a PR nightmare and scuttle your IPO.

Congrats, you're publicly traded! As CEO you have your eye on joining the cool kids club "The Fortune 500". With growth comes pain. You have managers managing managers. You don't know everyone. The need for policy, controls, and compliance audits are now a higher priority. You are big enough that curtain attackers will see value in trying to monetize your customer data, intellectual property, or both. The attackers look to compromise then escalate enough to control and/or exfiltrate your data. Ransomware, extortion, resale. Remember, cyber criminals are really only motivated by money.

Your hot new AI innovations mean a big contract to the DoD. It is a cut-throat business and "others" whether inside or outside the country are willing to be creative to "acquire" what you have. Adversaries have very aggressive playbooks that would make a Hollywood producer jealous.

The final round. Mano-a-mano. The adversaries have a full playbook, people, time, and money. Hopefully you have been smart in the previous rounds. You will all the resources you can muster, because people are coming after you and they don't play fair.