A paralyzed company and decisions to be made urgently: the serious game BlackOut raises players’ awareness of cyber risk by confronting them with ransomware (almost) like in real life.
As soon as the game starts, worry sets in. With BlackOut, its new serious game launched in June 2026, the publisher BlueSecure, which specializes in cyber risk awareness, takes me on an adventure that I do not want to experience in reality. It all starts on a dark winter morning, with a heavy atmosphere that already announces the difficulties to come. It’s 9:45 a.m. in the La Défense district. A voice is heard: that of the narrator, who invites me to slip into the shoes of an employee of a company called Demotex.

My name is Manu Sotrin, as revealed by the badge that I present to the access reader to enter the premises. Very quickly, I understand that the company I work for operates in an environment highly exposed to cyber risks. It is in fact an “industrial company supplying essential parts for electrical networks”, the narrator tells me. This is the kind of business that cybercriminals like to target: a successful attack can shut down an entire supply chain, weaken the critical electricity sector and have significant repercussions on the country’s economy.
A frankly negligent collaborator
Once I arrive at my office, I have a coffee, start my computer and open my mailbox. I click on the last email, sent on Friday October 31, 2025. I therefore understand that it is Monday morning and that my character is probably not fully awake for a work week that is only just beginning. The email claims to come from the General Directorate of Public Finances. This is obviously false. It contains an attachment named “invoice”. Manu clicks on it. Then, suddenly, a message from a group of cybercriminals called HAXX appears in full screen.

Written in English, this message indicates that my files have been encrypted. “Send us 500 BTC, otherwise we will publish your data on the dark web,” the cybercriminal group demands. My character does not seem very aware of cyber risk. Several elements of the email failed to alert him: there is obviously no reason for the DGFIP to send him an invoice, and the email address is a poor imitation of the official address.

The narrator finally lets me take control of my character. I can choose between disconnecting the workstation from the network, closing the window, or restarting my computer. I obviously disconnect the workstation. The narrator congratulates me, explaining that this will limit the spread of the attack.
The countdown is on
I immediately alert the company’s CISO, Liam, who has already noticed the attack: “The servers are going down, one by one. So it’s not an outage, but definitely ransomware,” he confirms to me, his face defeated and tired. A countdown follows: the narrator tells me that I only have twenty minutes left “to decide, mobilize, contain and regain control” of the situation.

The lure of the challenge makes my heart beat a little faster. After cutting off external access to the information system, Liam urgently brings together a crisis unit with the data protection officer (DPO), Georges, the HR manager, Marc, and the communications manager, Mathilde. Ana, the general manager, is absent because she is traveling. The narrator slips me into the shoes of each of them simultaneously to make the best decisions for them. Bad decisions slow down the resolution of the crisis by adding minutes to the clock.
Each of them approaches the crisis from their own point of view and defends their own priorities. While the HR director wants to “not panic the whole company”, the DPO constantly brings the exchanges back to the legal rules to follow in the event of a cyber crisis: “On communication, let’s remain careful. Communicating to our customers too early can cause errors. Communicating too late constitutes regulatory non-compliance. Remember, the GDPR gives us 72 hours to notify the CNIL if personal data has leaked. And as Demotex is an essential services organization, we must warn Anssi without delay. We must qualify the incident before notifying it to the CNIL, Anssi and our customers”, the DPO retorts to the HR director.

I then find myself immersed behind the closed doors of a crisis unit, where each decision that I take in place of the characters must take several parameters into account: the concerns of employees who do not understand the situation, the rumors, the journalists who are starting to take an interest in the crisis, the legal obligations to respect, the business recovery plan to launch, etc. One of the main concerns of the crisis unit is to contain information while demonstrating maximum transparency. It is therefore up to me to decide, in place of the HR manager or the communications manager, on the level of information to be transmitted to employees and journalists.

This is, for example, the case when Ana, the CEO, suddenly arrives in the crisis unit, having just returned from her trip. The communications manager then tells her that the journalists have just been made aware of the cyber crisis. Panicked, the general director then proposes paying the ransom. At that moment, the DPO and the CISO look at each other, shocked and petrified. Of course, the best practice is not to pay it. But, out of curiosity, I couldn’t help but pay it for her. This was my only decision considered faulty during the entire game, and it earned me an immediate game over. I had to start from scratch.

A game that keeps its promise of awareness
Players familiar with cybersecurity issues will manage to resolve the cyber crisis within the allotted time without difficulty. But this game is not aimed at them. It is aimed at employees who are not very aware of cyber risks. This game allows them to measure the impact that simple negligence, like that of Manu, can have on the entire organization. And for good reason: the video game format involves them much more in the effort to understand these risks than simple phishing tests sent a few times a year to their email inbox.
The launch of this video game is therefore a boon for preparing all employees of companies required to comply with the obligations of the NIS 2 directive, which the DPO sometimes alludes to without naming it, which is regrettable. Another regret: the absence of the CIO. He never appears in the game, although he occupies a central role in cyber crisis management within SMEs and mid-sized companies, which often do not have the financial means to recruit a CISO. Let us hope that a future version will include him, so that SME employees can understand the concrete consequences of such ransomware even better.