Gamebooks: Enforce SOPs Across Every Tenant, Every Time
Gamebooks are ContraForce's framework for encoding and enforcing security operations SOPs (Standard Operating Procedures) across every managed tenant automatically. Unlike traditional playbooks that script rigid if/then sequences or runbooks that document manual steps, Gamebooks define the operational guardrails -- permitted actions, required approvals, compliance standards, and escalation criteria -- within which Security Delivery Agents operate autonomously. The result: 100% SOP consistency across unlimited tenants, with a full audit trail supporting SOC 2 Type II compliance.
The SOP Consistency Problem
MSSPs face a fundamental quality control challenge. When 8-12 analysts handle incidents across 100+ tenants, each analyst brings their own interpretation of response procedures. A phishing incident in Tenant A gets handled differently from an identical incident in Tenant B -- different investigation depth, different response actions, different documentation quality. This inconsistency creates:
- Compliance risk: Auditors find gaps when response quality varies by analyst or shift
- Customer churn: Clients receiving inconsistent service quality lose confidence
- Training overhead: New analysts take 3-6 months to learn tribal knowledge
- Liability exposure: Missed steps in incident response create legal vulnerability
Gamebooks vs. Playbooks vs. Runbooks
| Feature | Gamebooks (ContraForce) | SOAR Playbooks | Runbooks |
|---|---|---|---|
| Execution model | AI agents operate within defined guardrails | Scripted if/then automation | Manual human execution |
| Adaptability | Agents adapt steps to incident context | Fixed sequence (breaks on edge cases) | Analyst discretion (inconsistent) |
| Multi-tenant consistency | 100% identical enforcement | Per-tenant configuration required | Depends on analyst compliance |
| Maintenance burden | Update once, applies everywhere | Maintain per-tenant playbooks | Document updates often ignored |
| Audit trail | Every action logged with reasoning | Execution logs only | Manual documentation (often incomplete) |
| Approval gates | Configurable per-action, per-severity, per-customer | Per-playbook | N/A (all manual) |
| Engineering required | No code -- SOP-driven configuration | Python/scripting expertise | None (but no automation) |
| Time to create | Minutes (template-based) | Days to weeks | Hours (documentation only) |
How Gamebooks Work
1. Define Your SOP Standards
Start with ContraForce's pre-built Gamebook templates for common incident types: phishing, endpoint compromise, identity compromise, data exfiltration, and more. Customize each template to match your organization's specific SOPs -- which actions to automate, which require approval, and what compliance evidence to collect.
2. Set Guardrails and Approval Gates
For each Gamebook, configure:
- Automated actions: Steps the Security Delivery Agent can execute without human approval (e.g., enrich IOCs, correlate alerts, initiate AV scan)
- Approval-required actions: High-impact steps that need analyst confirmation (e.g., device isolation, account disablement, data wipe)
- Escalation criteria: Conditions that trigger human escalation (e.g., VIP user affected, novel attack pattern, severity threshold)
- Compliance requirements: Evidence collection and documentation standards (e.g., chain of custody, notification timelines)
3. Deploy Across All Tenants
Once configured, a Gamebook applies to every connected tenant automatically. No per-tenant customization is required for standard SOPs. Tenant-specific overrides (e.g., "never auto-isolate this server") can be layered on top of the base Gamebook.
4. Agents Execute Within Guardrails
When a Security Delivery Agent processes an incident, it references the matching Gamebook to determine its operational boundaries. The agent adapts its specific investigation and response steps to the incident context while staying within the Gamebook's defined standards. This produces consistent outcomes without rigid scripting.
5. Audit and Improve
Every Gamebook execution generates a complete audit record: which SOP was applied, what actions were taken, what evidence was collected, and whether any steps required human intervention. Review these records to identify improvement opportunities, demonstrate compliance, and refine Gamebooks over time.
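The decision logic in steps 2 through 5, sketched as an added example; this is not ContraForce code or its configuration format. Every name here (`Gamebook`, `decide`, the action strings, the tenants and assets) is hypothetical, treating `isolate_device` as an automated action is a constructed choice so the tenant override has something to tighten, and the evaluation order (escalation first, overrides only tighten, unlisted actions denied) is an assumption of the sketch.

```python
from dataclasses import dataclass

@dataclass
class Gamebook:
    incident_type: str
    automated: frozenset
    approval_required: frozenset
    escalation: dict  # criterion name -> predicate(incident) -> bool

def decide(gamebook, overrides, incident, action, audit):
    """Return 'auto', 'needs_approval', 'escalate' or 'deny' and log the reason."""
    def record(decision, reason):
        audit.append({"tenant": incident["tenant"], "action": action,
                      "gamebook": gamebook.incident_type if gamebook else None,
                      "decision": decision, "reason": reason})
        return decision
    if gamebook is None:
        return record("escalate", "no gamebook matches this incident")
    hits = [name for name, pred in gamebook.escalation.items() if pred(incident)]
    if hits:
        return record("escalate", "escalation criteria: " + ", ".join(hits))
    if action in gamebook.approval_required:
        return record("needs_approval", "approval gate in base gamebook")
    if action in gamebook.automated:
        # Tenant overrides are (action, asset) pairs that can only tighten the base.
        never_auto = overrides.get(incident["tenant"], set())
        if (action, incident["asset"]) in never_auto:
            return record("needs_approval", "tenant override on protected asset")
        return record("auto", "permitted automated action")
    return record("deny", "action not listed in gamebook")  # fail closed

# Constructed sample data: one base gamebook shared by all tenants, one override.
BASE = Gamebook(
    "endpoint_compromise",
    automated=frozenset({"enrich_iocs", "initiate_av_scan", "isolate_device"}),
    approval_required=frozenset({"disable_account", "wipe_data"}),
    escalation={"vip_user": lambda i: i.get("vip", False),
                "severity_threshold": lambda i: i.get("severity", 0) >= 4},
)
OVERRIDES = {"tenant-b": {("isolate_device", "db-prod-01")}}

def run_demo():
    audit = []
    a = {"tenant": "tenant-a", "asset": "laptop-17", "severity": 2}
    b = {"tenant": "tenant-b", "asset": "db-prod-01", "severity": 2}
    vip = {"tenant": "tenant-a", "asset": "laptop-02", "severity": 2, "vip": True}
    cases = [(BASE, a, "isolate_device"), (BASE, b, "isolate_device"),
             (BASE, a, "disable_account"), (BASE, vip, "enrich_iocs"),
             (BASE, a, "reimage_host"), (None, a, "enrich_iocs")]
    return [decide(g, OVERRIDES, i, act, audit) for g, i, act in cases], audit
```

The same base gamebook gives tenant-a an automatic isolation and tenant-b an approval gate for its protected server, and each of the six decisions lands in the audit list with its reason.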
Implementation Steps for MSSPs
- Inventory your current SOPs -- Document your existing response procedures for your top 10 incident types
- Map to Gamebook templates -- Match each SOP to ContraForce's pre-built templates and identify gaps
- Configure approval gates -- Decide which actions auto-execute and which need analyst approval
- Set tenant overrides -- Add customer-specific exceptions (protected assets, notification preferences)
- Activate and monitor -- Enable Gamebooks in monitor mode first, review agent decisions for 1-2 weeks
- Switch to enforcement -- Move to full autonomous execution once confidence is established
- Review and iterate -- Monthly Gamebook reviews to incorporate new threat patterns and SOP updates
Compliance Benefits
Gamebooks directly address audit requirements that MSSPs face:
- SOC 2 Type II: Gamebook audit trails provide evidence of consistent, documented incident response procedures
- Customer SLAs: Gamebook execution timestamps prove response time compliance
- Regulatory reporting: Automated evidence collection supports breach notification timelines (GDPR 72-hour, HIPAA 60-day)
Frequently Asked Questions
How long does it take to create a Gamebook?
ContraForce provides pre-built Gamebook templates for the most common incident types. Customizing a template to match your SOPs takes minutes -- it is a configuration exercise, not a coding project. Building a completely custom Gamebook from scratch typically takes 1-2 hours.
Can different customers have different Gamebooks?
Yes. You can assign specific Gamebooks to individual tenants or groups of tenants. Most MSSPs use a base set of Gamebooks across all tenants with tenant-specific overrides for customers with unique compliance requirements or protected asset lists.
How do Gamebooks handle incidents that do not match any pattern?
When an incident does not match any configured Gamebook pattern, the Security Delivery Agent performs standard enrichment and investigation, then escalates to a human analyst with the investigation context pre-built. The analyst's resolution can then inform a new Gamebook for future similar incidents.
Do I need engineering or coding skills to create Gamebooks?
No. Gamebooks are configured through ContraForce's interface using SOP-driven settings: select incident types, define permitted actions, set approval gates, and configure compliance requirements. No Python, no scripting, no API integration work.
How do Gamebooks maintain consistency across time zones and shifts?
Because Gamebooks are enforced by Security Delivery Agents (not human analysts), they execute identically regardless of time zone, shift, or analyst availability. A 3 AM incident receives the same quality of response as a 10 AM incident. This eliminates the "night shift quality problem" common in traditional SOCs.
Can Gamebooks integrate with our existing ticketing or PSA system?
Yes. ContraForce integrates with common PSA and ticketing platforms used by MSSPs. Gamebooks can automatically create, update, and close tickets in your existing system as part of the incident response workflow, maintaining a single source of truth for service delivery records.