PenQuest is a two-player digital board game in which an attacker attempts to penetrate an abstracted IT network while the defender works to repel the threat and take preventive measures.

Under the hood, PenQuest uses a complex model that incorporates a variety of security concepts. For example, the attacker’s actions are derived from the MITRE ATT&CK framework, while defensive actions are based on MITRE D3FEND as well as the NIST SP 800-53 security standard. The model covers the effects of data theft, system manipulation and attacks on availability, the different phases of an attack (from reconnaissance to “detonation”), and the inter-dependencies of the systems.

This way, real threat scenarios can be easily recreated on PenQuest’s game board and combined to create awareness-raising measures, training and even risk analyses. Overall, PenQuest is designed to teach interested people the basics of cyber-attacks and how to defend against them. Thanks to the free configuration of actors and systems, there are hardly any restrictions: from modeling a ransomware attack on an isolated workstation to recreating a large-scale data theft, anything is possible.

Understanding threats and planning your organization’s technical and organizational defense is not a game.

But it can be.

Anonymous PenQuest Alpha Tester


Media Owner

Robert Luh
Kokoschkagasse 6
A-3104 St. Pölten
Contact: robert.luh@fhstp.ac.at