Bluezoo Games

Play a game, learn something new.

APT Game Instructions


APT consists of a deck of 108 cards:

  • 36 Project cards
  • 22 Security Control cards
  • 21 Threat cards
  • 21 Vulnerability cards
  • 4 unique Special Threat cards
  • 3 unique Special Control cards
  • 1 game rules card


Complete three initiatives before any other player. Initiatives consist of a number of project cards based on the number players in the game.

  • Two players: Six project cards to complete an initiative.
  • Three players: Five project cards, and
  • Four players: Four project cards.


View from a single player’s perspective.

Separate vulnerability cards from the rest of the deck and shuffle. Lay face down. This is the vulnerability pile (or vuln pile for short). Leave a space next to the vuln pile for the vuln discard pile.

Shuffle the remaining cards and place face down next to the vuln pile. This is the draw pile. Leave space next to the draw pile for the controls & threats discard pile.

Deal each player five cards face down from the draw pile.

Deal each player one vuln card face up in front of them. This becomes their vuln row. Vulns in this row can be exploited by other players’ threat cards.


Each player picks up their cards. Player to left of dealer goes first.

While its a player’s turn, they are the Attacker. All other players are Defenders. The attacker may play any number of cards in their hand, or none if they wish to pass. Defenders may play any number of security controls to counter threats the attacker may play against them.

Remember the basic principle of information security: Threats EXPLOIT vulns. Security controls COUNTER threats. Security controls also MITIGATE vulns. Play works like this: Lay Project cards > Mitigate your Vulns with Controls > Attack Defenders with Threats.

  • LAY PROJECT CARDS. All Project cards in the attacker’s hand must ALWAYS be laid face up at the start of the attacker’s turn. This becomes their project row. If the attacker has enough project cards to complete an initiative, the project cards can be set aside and the attacker’s score increases by one. Completed initiatives cannot be touched by other players. Backdoor note: If the Attacker has a Backdoor in play against them, then a Project card is first surrendered to the player who created the Backdoor (see below for more info on Backdoors) before the Project card can be applied to an Initiative. The Threat and Vuln cards involved in the Backdoor are returned to their discard piles.
  • MITIGATE VULNS. Security Control cards may be played to remove vulns from one’s own vuln row. One control card removes one vuln or vuln stack (see STACKS below.) A Security Control card can mitigate any vuln listed in its Mitigate column.
  • ATTACK WITH THREATS. A Threat card can exploit any vuln listed in its Exploit column. Attackers play Threat cards against Defenders with associated Vulns. If a defender has no exploitable vulns, only the APT or the DDoS threats can be played against them.
  • DEFENDERS. During the Attacker’s turn, Security Control cards may also be played by Defenders to counter a Threat card that is played against them or otherwise affects them. A Security Control card can counter any threat listed in its Counter column.
  • Special Threats and Special Controls are rare cards in the deck and may appear in your hand from time to time. Read the instructions on a Special card for information on how to play it.


When an Attacker plays a threat against a Defender’s vuln, the attacker lays the threat face up next to the defender’s vuln card. The Defender then checks to see if they have a security control card that will counter the threat. If the Defender has no applicable security control, then the attacker has successfully exploited the vuln, and steals a project card from the Defender’s project row. If the Defender has no Project cards, then the Attacker has created a Backdoor (see below.)

If the Attacker laid the threat against a vuln stack, then the Attacker steals as many Project cards as were in the vuln stack. Both threat and exploited vuln card (or vuln stack) are moved to their respective discard piles.

If the Defender has a Security Control card that counters the threat, they play it immediately when attacked. Upon successfully countering a threat, the Defender does not lose a Project card, and the threat, vuln (or vuln stack) and control card are all discarded in their respective discard piles. The only exception is the APT card which always steals at least one Project card no matter if the defender counters the threat.


When an Attacker plays a Threat against a Defender who cannot counter and has no Project cards, the Attacker has created a Backdoor. Both the Threat and the Vuln are turned sideways on the Defender’s vuln row to indicate the Backdoor exists. While a player has a Backdoor installed, no other Backdoors may be created against them.

When the player with a Backdoor lays a Project card at the beginning of their turn, the first Project card goes immediately to the player that created the Backdoor. Some Security Control cards can be used to counter Backdoors. Otherwise, there is no defense. The player loses the Project card and both the Threat and Vuln used to create the Backdoor are returned to their discard piles.


Once the Attacker has played all the cards they wish (or can), they draw the number of cards they played from the draw pile so they always end their turn with five cards in their hand. Once cards are drawn no further action can be taken. Their turn ends.

If the Attacker chooses not to play any cards, or cannot play any, they may discard any number of cards from their hand they wish and pick enough cards from the draw pile to bring the total number of cards in their hand to five, which ends their turn. Attackers may also pass without discarding any cards, which also ends their turn.

Once the Attacker’s turn ends, a new vuln card is drawn from the vuln pile for every player to be added to their vuln row (because no matter how secure your network, new vulns always crop up over time).  Duplicate vulns are stacked. If there are not enough vuln cards in the vuln pile for all players, then no one gets a vuln card that turn.

Play then moves to the next player who becomes the Attacker.


When a player receives more than one of the same Vuln card into their vuln row, it is stacked on the existing Vuln card. Watch out! The more vulns you have stacked the more Project cards you can lose to an Attacker who successfully plays a threat against you! Similarly, if a player lays a Security Control card to mitigate the vuln, the player removes the entire stack from their vuln row to the vuln discard pile. When an Attacker plays a threat against a Defender who cannot counter, the defender loses as many Project cards from their project row as vuln cards in the stack. If the Defender does not have as many project cards as their exploited vuln stack, the Attacker takes whatever project cards the Defender had. No Backdoor is created in this case.


Defenders who lay Security Control cards to counter threats played against them do not draw more cards until AFTER their next turn ends. That means a player may begin their turn with less than five cards in their hand. But their turn always ends with five cards.

If either draw pile runs out, reshuffle its discard pile.

If you have any questions or comments about the rules, feel free to leave it in the comments section here. We’ll get right back to you with a clarification (or a thank you!)

Last updated: 2018-07-08

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: