Predictably patterned blocks will fall from the game's sky. It's your job to spin these blocks in mid-air to achieve a perfect fit on the game's ground level.

  • LEFT ARROW moves the block array leftwards
  • RIGHT ARROW moves the block array rightwards
  • UP ARROW pivots the block array 90 degrees

Once an entire row's worth of empty spaces is filled with blocks, that row will disappear and your score will be suddenly flush with points. Conversely, if too many blocks accumulate vertically and extend past the skyline at the top of the game screen, it's lights out for you. Budget space and time wisely.

Think of it this way: the game ends when you go out of business because your supply chain got too long and all the vulnerabilities you swept under the rug came back to haunt you.


In their infinite wisdom, the game developers have seen fit to bestow you with super human power ups. Simply press SPACE and correctly answer some real world trivia questions to access one of the following wildly effective tools:

  • add a block - useful to fill in holes
  • remove a block - useful to remove problem blocks
  • move a block - helpful both to get a block 'out of the way' and to fill in a hole
  • clear all blocks - use if attacked or sued, helpful if supply chain gets too long
  • speed up - needed if lawsuit is slowing your business
  • slow down - necessary if attacked, useful if game is going too fast
  • fix a vulnerability
  • fix a licensing issue
  • remove all vulnerabilities
  • remove all licensing issues
  • Superpower - exchange for any other powerup

What? You don't need no stinkin' Power Ups? Guess again.


As much as we all wish this was the Atari in your parents' basement, this is the RSA Sandbox -- a venue to explore the vulnerabilities that haunt modern cyber security. Accordingly, we've built in a few little hiccups along the way to get you thinking about the supply chain of your block arrays.

During the game, you may notice a few little hiccups that make it nigh on impossible to continue without earning a power up or two. Here are some of the fun little challenges life will throw your way:

  1. vulnerabilities (potential security holes in an otherwise functioning security paradigm)
    • any vulnerability in a row will prevent it being cleared.
    • vulnerabilities make it more likely that you'll be hit with a cyber attack (see below).
    • a vulnerability's arrival is a function of game time and wrong answers to trivia questions.
    • you will recognize a vulnerability on sight
      • Known vulnerabilities are yellow/gray blocks that appear either in dropping blocks or in uncleared blocks at the bottom.
      • Invisible vulnerabilities (zero days) are white-on-white blocks. If you see one, you'd better get your power ups in order.
  2. licensing issues (extraneous blocks that gunk up the works)
    • licensing issues are brown/grey blocks that also prevent a row from being cleared.
    • the more license issues, the greater the likelihood of a lawsuit (see below).
    • like vulnerabilities, license issues are a function of game time and wrong answers to trivia questions
  3. cyber attacks (rapid changes in operating conditions that take over entire sections of the gameboard and speed the game up uncontrollably)
    • ignore enough (5) vulnerabilities in your block supply chain and you'll be in for a nasty surprise
    • the game will accelerate to its fastest speed and an entire line of exploits will magically appear on your screen preventing operations. Hit the space bar!
  4. licensing lawsuits (tiresome procedures that gum up entire sections of the game board and slow the game to a snail's pace)
    • ignore enough (5) licensing issues in your block supply chain and you'll be in for a nasty surprise
    • not only will the game slow down to a snail's pace, but a fresh coat of pesky brown/grey injunctions will festoon your existing block arrays. Hit the space bar!


Points are scored in several ways:

  1. chronological longevity / block drops
  2. rows cleared
  3. questions answered

The number of points scored is also influenced by game conditions. For instance, the value of clearing a row rises exponentially with the number of rows cleared at once.


tetrominos vs quiz

Just like in real life, it is sometimes expedient to defer patches due to more immediate revenue needs. Sometimes leaving vulnerability or license issues in place lets you build rows that can be cleared at once (since fix/add/delete/move/... are done while the game is paused), but be careful, since it also increases your likelihood of a cyberattack or lawsuit.

It's not an easy tradeoff.

The game is not tilted towards fixing - you will get a lower score if you spend all your time fixing. Conversely, you will likely go out of business due to a cyberattack or lawsuit if you ignore them entirely. The best strategy is trading off between the two, and investing in areas that reduce the likelihood of them occurring in the first place (e.g. SBOM, Automation, OpenChain).

Just a little wisdom for thought for those with the ears to hear it.

6. Contest

There will be two contests at BSidesLV. Both start when the talk on the game starts - 4PM PDT on Sunday 1-Aug. One contest is for the duration of the talk/Q&A with prizes awarded at Q&A. The other contest lasts 24 hours.

Save the tetrominoes world from supply chain vulnerabilities to win pragmatic real world prizes including custom cocktail instruction from a superlative mixologist.

See contest rules and contest prizes for more information.