Here is a straightforward observation about the security industry: it produces more history than it retains. The Morris Worm is a foundational event. Most working professionals know the name. Fewer could place it accurately on a timeline relative to DEF CON’s founding, or tell you whether it preceded Shodan by a decade or two.
Zero Day Timeline, from Reclaim Security, is a game that makes exactly that kind of knowledge testable. It takes cybersecurity milestones and turns them into a drag-and-drop timeline challenge. Players place event cards in the correct chronological order. The game spans from the 1970s through 2025. The question it asks, session after session, is not whether you recognize an event but whether you know where it belongs in the sequence that produced the industry as it exists today.
What You See When You Load the Game
The interface does a lot of communicative work before a single card is placed. A neon pink and cyan perspective grid runs toward a retro synthwave horizon against a black background. Card text is rendered in terminal-style monospace. Each card carries an event ID in the format of an incident tracking entry. The header tracks score, streak multiplier, and total cards placed. A “Cash Out” button gives players the option to lock in their score rather than risk losing progress on an uncertain placement.
The home screen shows a Top Operators leaderboard. The current top entry shows 99,500 points across 32 cards placed, with the player listed under a handle and classified, with dry humor, as a “Nation State Actor.” A button in the lower left corner of the home screen allows players to submit events they believe belong in the deck.
Two play modes are available. The standard single player session is the core experience and can be played anonymously. Two Player Duel requires both participants to register before competing, connecting the result to a named identity and making the outcome part of a record.
What the Cards Actually Contain
Cards carry more content than a name and a year. Expanding any card reveals a narrative description of the event’s significance and, in many cases, a lore flavor text entry. The card for Nir Zuk founding Palo Alto Networks includes the detail that Zuk set out to rethink the stateful inspection model he helped build at Check Point, and that his license plate legend read “CHKP KLR.” Cards are also tagged by category. “Titans and Tycoons” groups vendor and founder milestones. Other categories organize events by type across the broader timeline.
What Is Actually in the Deck
The card set ranges across five decades of cyber history. The early cards establish the origins. The Brain Virus in 1986, one of the first PC viruses targeting MS-DOS systems. The Morris Worm in 1988, an early internet worm that became a reference event for understanding network-propagating malware.
From there, the deck moves through hacker culture: DEF CON 1 in 1993, and the L0pht Heavy Industries testimony before the U.S. Senate in 1998, when the group warned that internet infrastructure was structurally vulnerable enough to be brought down.
The 2000s section covers industry formation. Gartner defining the SIEM category in 2005. Symantec acquiring Veritas that same year. Maty Siman founding Checkmarx in 2006. Shodan launching in 2009.
The 2010s section is dense, which reflects the period’s density in the actual industry. Barnaby Jack’s ATM jackpotting at Black Hat in 2010. The Cyber Kill Chain in 2011. The concentrated events of 2014: the @SwiftOnSecurity account, Dan Geer’s policy keynote at Black Hat, and the Sony Pictures breach. Chris Roberts’ aviation security incident in 2015. CrowdStrike’s role in the DNC investigation in 2016. WannaCry in 2017. AppSec Village at DEF CON 27 in 2019. Nir Zuk founding Palo Alto Networks sits in this era under the “Titans and Tycoons” category.
The 2020s close the arc with SolarWinds in 2020, CNAPP emerging as a category and Log4Shell arriving as a crisis in 2021, Google acquiring Mandiant in 2022, and Preemptive Security as an emerging industry orientation in 2025.
The Mechanics Behind the Challenge
Points are awarded for correct placements. Consecutive correct placements build a streak multiplier. Players have three strikes before the session ends. A wrong placement costs one strike. A correct placement resets the count entirely, which means recovery is always possible and the game rewards sustained accuracy rather than punishing a single slip permanently.
The SOC Toolkit gives players three strategic aids: Nmap Scan to identify the decade, Threat Intel to reveal the exact year, and Sandbox to absorb an incorrect placement without losing a strike or breaking the streak. Each is a finite resource. Spending one early is a trade-off against needing it later.
When a session ends, players are prompted to enter a username and submit their score for the Top Operators leaderboard. Results can be shared to LinkedIn, X, Facebook, or Reddit, which extends the competitive layer well beyond the game session itself.
At the Gartner SRM Summit
Reclaim Security will be at the Gartner Security and Risk Management Summit, June 1 through 3, 2026, at National Harbor, Maryland. Attendees visiting Booth #652 can win a limited-edition physical card deck.
More details at the Reclaim Security website.
The Sequencing Problem
The reason timeline-format games reveal things that traditional trivia does not is that sequence is harder than recognition. Most security professionals could identify Log4Shell from a description. Fewer have a precise, confident intuition for whether it occurred before or after the CNAPP category was defined, or whether SolarWinds preceded Google’s acquisition of Mandiant.
The game surfaces these uncertainties. It turns the gaps in sequential knowledge into a visible, measurable, shareable experience. That is what makes it work for a security audience specifically. The people who feel the tension most acutely are the ones who know the field well enough to be surprised by what they do not know.
