Hacking Games: From Cyber-Themed Magic to Real Hacking That Moves the Plot
Track 2 – 2:35pm
Dr Z. Cliffe Schreuders Reader in Cyber Security Leeds Beckett University; Founder of Hacktivity Cyber Security Labs
Bio
Dr Z. Cliffe Schreuders is Reader in Cyber Security and Director of the Cybercrime and Security Innovation (CSI) Centre at Leeds Beckett University. Cliffe has experience leading large collaborative research projects, and enjoys designing and programming novel solutions to challenging problems. Cliffe is the founder of Hacktivity Cyber Security Labs and leads the SecGen and Break Escape open-source projects. Cliffe teaches cyber security topics, with the belief that learners should have the opportunity to put theory into practice.
Talk Abstract
This talk surveys the landscape of cyber security games — from boardgames and card games to video games and CTFs — and asks how much of the hacking is real. It culminates in the design of Break Escape: a game where the technical challenges are genuine, the environment spans physical and digital security, and the story reacts to what you do.
At one end of the spectrum are games that use cyber security as pure aesthetic. Cyberpunk 2077 and Watch Dogs dress their worlds in cyber security details — corporate networks, zero-days, social engineering — but the hacking itself is a magic system. You press a button; things happen. No understanding required.
One step further are games where the terminology is accurate and the design captures something true about security, but gameplay still does not require real skills. Control-Alt-Hack and [d0x3d!] bring security concepts to the tabletop. Research has found that cyber security content in games and what players actually learn can diverge significantly — even content-rich games can produce play where security concepts never surface at all.
Backdoors & Breaches and Elevation of Privilege prompt genuine security reflections, without technical application. Further along, games like Hacknet get closer in feel, with an authentic-looking terminal — but it is a simulation, not a real OS, and the commands are its own invention.
CTFs sit at the technical end: real tools, real techniques, real skills. Like almost every video game ever made, they are built on lock-and-key progression, where challenge A unlocks challenge B — the mission graph structure familiar from game design literature, which applies as naturally to CTF chains as it does to Zelda dungeons. The difference is that CTFs have no world around the locks. You own the box. Then what?
Break Escape is our attempt to answer that question — an open source game framework built on SecGen, our randomised hacking scenario generator. Designed to be a game first, it places real technical challenges on required puzzle paths spanning physical and digital security: navigating offices, picking pin-tumbler locks, cloning RFID credentials using Flipper Zero mechanics, social engineering NPCs, and capturing CTF flags from live VMs.
In the first mission of *SAFETYNET: Holding Back the ENTROPY*, *First Contact*, you go undercover into a company with a spy-vs-spy insider threat. Challenges span physical access (lockpicking), social engineering, decoding messages, and a live Linux VM — SSH brute force, system navigation, privilege escalation. The mission ends with a confrontation with multiple resolution paths: arrest, exposure, or something much darker. The player has agency inside a story with real security context and genuine technical depth.
The talk covers the game design — mission graphs across dungeon layout and CTF chains, per-character NPC dialogue, branching narrative in Ink — and the technical implementation in Rails and Phaser.js. Break Escape is open source, and available to play.
Intended Audience
If you are interested in cyber security education, CTFs, or game design — or just enjoy playing games — and interested to see some new innovations in cyber security games.
How NSFW is this talk?
(How spicy is your talk in chilli's?)
🌶️🌶️