A sophisticated threat actor has breached the network perimeter.
Turn-based cyber defense built on the frameworks you work with every day.
Framework Alignment
Every mechanic in Zero Day Command maps to a phase, decision, or concept from the frameworks your team actually uses. This is not a marketing claim — here is the mapping.
Domain 4 (Incident Response) and Domain 2 (Vulnerability Management) are the most directly simulated. Detection, containment decisions, and evidence discipline are core to both the cert and the game.
The most direct certification alignment. PICERL phases, evidence handling, kill chain analysis, and the post-incident lessons-learned brief all appear explicitly in Zero Day Command gameplay.
Incident response management, evidence collection, monitoring, and business continuity (the Continuity resource) map to Domain 7 concepts. A useful reinforcement alongside exam study.
The Detect and Respond functions are the mechanical spine of the game. Public trust and communications (RS.CO), evidence quality for attribution (RS.AN), and recovery (RC.RP) all have direct in-game counterparts.
Zero Day Command is not affiliated with, endorsed by, or certified by CompTIA, GIAC/SANS, ISC², or NIST. Framework alignment is based on the game designer's own mapping of mechanics to publicly available framework documentation.
Core Loop
Every turn cycles through four phases that map to the NIST SP 800-61 process. The threat advances whether you're ready or not.
Command Resources
Every decision affects at least one. These aren't game points — they model the actual tensions an IR commander manages under pressure.
Falls when the attack is visible and you stay silent. Rises when you communicate with evidence. Issue a public notice without HIGH evidence and you lose credibility. Wait too long and you lose the public. ↳ NIST CSF RS.CO
Reflects operational health across all systems. Compromised nodes drain it. Isolation costs it. Restoration recovers it. Hit zero and critical operations halt. ↳ NIST CSF RC.RP / Business Continuity
Determines what actions are safe and what statements are credible. Scanning builds it. Acting without it is guesswork. Attributing without HIGH evidence is a liability. ↳ NIST 800-61 Phase 2 / RS.AN
Commander Actions
Each action costs Action Points. You never have enough. Every one maps to something in your playbook.
On-Device AI Analyst
ARIA is your embedded incident analyst. She observes the board state every turn and delivers real-time intelligence in incident-response language — reading threat patterns, flagging evidence gaps, and calling out exposure risks.
She never tells you what to do. The decisions — and their consequences — are yours.
After the mission, ARIA generates a full post-mortem: kill chain reconstruction, commander assessment, and an optimal response playbook. The learning happens in the debrief.
@Generable. ARIA reads the actual game state and generates contextual intelligence every turn. Follow-up questions in the debrief are answered live. All inference is on-device. No game state leaves your phone. Ever.
Adaptive Threat Engine
The threat actor isn't scripted. It models stealth preference, urgency, and target value independently each turn — and adapts to your defensive patterns. Isolate the same route twice and it probes for alternatives. Just like a real adversary would.
The threat actor moves through Initial Access → Execution → Lateral Movement → Collection → Exfiltration. Stealth, persistence, and urgency are modelled as independent variables that shift as the engagement develops.
The engine tracks your defensive habits across turns. Heavy isolation triggers route exploration. Heavy scanning triggers stealth escalation. Reactive defenders get punished for patterns — the same dynamic SOC teams face against persistent threat actors.
Powered by a seeded xorshift64 RNG. Every attacker decision is fully reproducible — replay uses the same seed so the After-Action Report can show you exactly where the outcome turned on a specific choice.
After-Action Report
When the mission ends — win or lose — ARIA generates a full post-mortem. Not a score screen. A structured report that maps every decision to real IR practice.
A turn-by-turn reconstruction of the attacker's movement, your responses, and the key decision points where the outcome was shaped. The pivot turn — the single moment that determined everything — is explicitly identified.
ARIA scores your decisions against optimal IR practice — evidence discipline before action, communication timing, isolation sequencing, containment-vs-continuity tradeoffs. The same dimensions tested in CySA+ and GCIH.
Each debrief maps what just happened to real incident response concepts — NIST SP 800-61 phases, the ATT&CK kill chain, evidence handling standards, and the external communications playbook. The brief treats you like a practitioner, not a student.
Covered in every After-Action Report
For the Security Community
Every mechanic is something you'd recognise from a real engagement — lateral movement triage, evidence before action, the cost of staying silent too long. Validate your instincts against a system that will punish the wrong ones.
The containment decisions, evidence discipline, and post-incident analysis are core to both certifications. Zero Day Command won't replace study — but it will make the concepts intuitive rather than abstract.
A zero-setup tabletop substitute. No infrastructure. No budget. Fully offline. Hand it to a new analyst before their first tabletop exercise and watch what they learn about prioritisation and communication timing.
Platform
Native iOS features — no extra accounts, no third-party services, no friction.
Compete on global leaderboards for operations cleared, daily streak, and credit bank. Earn achievements for gold ratings, veteran operations, and long streaks. Opt in at first launch — optional, never required.
Credits, streaks, and completed operations sync seamlessly via iCloud Key-Value Storage. Conflict resolution always favours progress — your highest score wins across devices. No account needed beyond your Apple ID.
Pre-action warnings explain the risk before you commit. Post-action coaching explains the real IR principle behind what just happened. Designed for new players — switch it off when you're ready to operate independently.
A native iOS share sheet on every result screen lets you share your score card — rating, metrics, turns used — to any app. Straightforward, no screenshots required.
Beyond the 15-mission campaign, Field Operations offers 51 procedurally generated incidents at five difficulty tiers — Apprentice through Veteran. Every op uses a seeded RNG so results are fully replayable and comparable.
A rotating daily operation with a shared seed — every player worldwide faces the same incident. Builds streak and credits. Designed to be completable in a single commute.
Built For iOS
Written in Swift 6 with full strict concurrency enforcement. @MainActor @Observable game engine. actor ARIASystem for fully isolated Foundation Models calls. No third-party frameworks.
The mission board is rendered with SwiftUI's Canvas API. Every node, route, and indicator is drawn natively. No game engines, no Unity, no Godot — pure iOS.
No analytics. No tracking. No account. No crash reporting. All AI inference runs entirely on-device via Apple Foundation Models. The app has no network entitlements beyond StoreKit and iCloud. Your game state is yours.
⬤ THE CLOCK IS RUNNING
Tutorial and Mission 1 are free. Full game is a one-time purchase — no subscription, no ads, no account.
Join Public Beta on TestFlight
iOS 18.0+ required · Best on iOS 26+ with ARIA · iPad supported