EVERY ALERT
IS A DECISION.

Someone on your team is the mole. Five chapters. A queue that never stops. The analyst before you left fragments — if you're sharp enough to find them.

FOLLOW ON ITCH.IO ▶ READ THE FILE
5 STORY CHAPTERS
14 HIDDEN FRAGMENTS
3 POSSIBLE ENDINGS
77 INCIDENT TEMPLATES
30 ANALYST TOOLS

■ STORY MODE

INSIDE JOB

Meridian Financial Solutions was breached. The official story is that it ended there.

The analyst who caught it — Kira Vasquez — stopped showing up. Her terminal is still logged in. Her queue is still filling.

Now it's yours.

Five chapters. A procedurally-generated SOC that never stops screaming. Fragments of Kira's last shift hidden in cache files only a real analyst would think to check. Three endings — because the mole is still in the building, and you might not find them in time.

Not in the mood for a mystery? Operations mode is the full freeform roguelike — five campaign types, 80 queue events, 10 ascending difficulty levels, permadeath runs as long or as short as you want them.

STEP INTO THE SOC

Watch a triage unfold. Every alert is real. Every decision has consequences. The clock is always ticking.

INCIDENT ZERO — SHIFT 1 · ACT 1
soc@iz:~$ start-shift --campaign apt
[SHIFT] Deploying to APT campaign... 3 acts, 3 lives, no second chances.
[QUEUE] Loading threat scenarios...
[ALERT] Incoming — INC-4471
CRITICAL INC-4471 ⏱ 01:58
Lateral movement via PsExec — DC01.corp.local
MITRE: T1570 · Vendor: FortiSight · Host: DC01 · User: svc-backup
soc@iz:~$ tool --siem-query "svc-backup lateral"
[SIEM] 47 events found. Service account svc-backup authenticated to 12 hosts in 3 minutes.
[SIEM] Pattern: sequential auth → admin share access → PsExec deploy
soc@iz:~$ triage --escalate INC-4471
✓ CORRECT — True Positive. +350 pts. Streak: 4. Intel Credits: +3 IC
[QUEUE] Next alert loading...

HOW IT WORKS

TRIAGE

Alerts flood your queue with decay timers. Read the evidence, check the artifacts, decide: escalate or dismiss. Miss a CRITICAL threat and you lose a life.

INVESTIGATE

Deploy your toolkit — SIEM queries, process trees, DNS lookups, sandboxes. 30 tools across 8 categories, each with 3 upgrade tiers. Build the loadout that fits your playstyle.

SURVIVE

3 acts. 3 lives. Boss fights. Queue events. Correlated alerts. Every run is procedurally generated — learn the patterns, master the tools, climb the ranks.

BUILT FOR DEPTH

A 5-chapter mystery on top of a full roguelike. Not a tutorial. Not a quiz.

Incident Zero priority briefing — Operation Daily Grind Act 1 of 3 narrative with shift log atmosphere.

STORY + 5 CAMPAIGNS

Inside Job: a 5-chapter insider-threat mystery with 14 hidden fragments and 3 endings. Or jump into Operations mode — APT kill chains, insider threats, ransomware, supply chain compromise, or mixed ops.

NARRATIVE + FREEFORM
Incident Zero starter tool draft — three tool cards (Threat Intelligence, Sandbox and Detonation, Network Analysis) with descriptions and charge counts.

30 ANALYST TOOLS

SIEM queries, packet captures, memory snapshots, sandbox detonation. Draft 3 each run, upgrade with Intel Credits between acts. Every loadout plays differently.

8 CATEGORIES · 3 TIERS
Incident Zero shift map — procedural node graph showing encounter, elite, reward, rest, event, shop, boss, and act-boss nodes branching from a start node.

BOSS ENCOUNTERS

Unique mini-bosses mid-act. Act bosses that test everything you've learned. Each one demands a different skill set — and you won't see them coming.

11 BOSS ENCOUNTERS · 2 TIERS
Incident Zero mid-shift triage — five incidents in the queue with decay timers, signals panel, artifacts, relationships, and escalate or close buttons.

HEAT SYSTEM

10 ascending difficulty levels. Shorter timers, fewer lives, hidden correlations, planted evidence. For analysts who want to prove they're the best.

HADES-STYLE ASCENDING CHALLENGE

WHO IT'S FOR

IF YOU LIKED PAPERS PLEASE, ORWELL, OR INSCRYPTION

A job with a mystery underneath it.

  • 5-chapter linear story — no cybersecurity knowledge needed
  • Single literary voice — no mode toggle, no compromise
  • Hidden fragments, branching decisions, 3 endings
  • Roguelike loop means the mystery replays differently every time
  • Papers Please tension + Slay the Spire build variety
IF YOU'VE WORKED A SOC SHIFT

Finally — a game that gets it.

  • Paired artifacts — every narrative entry has a forensic companion (subpoena records, SIEM logs, EXIF metadata). Read both halves. The pairing is the evidence.
  • 77 incident templates covering all 14 MITRE ATT&CK tactics
  • Fictional vendors, authentic tooling (SIEM / EDR / NDR / MDR / DLP)
  • Teaches triage under time pressure — the actual core skill
  • Fully offline. Works in air-gapped environments. Seeded RNG for team replay.

FOLLOW THE DEPLOYMENT

Incident Zero is in the polish window — coming soon to itch.io (pay what you want) and Steam. Follow on Itch to get notified the moment it ships.

FOLLOW ON ITCH.IO ▶

YOUR SHIFT STARTS NOW.

5 chapters · 14 fragments · 3 endings · 1 mole

FOLLOW ON ITCH.IO ▶