Introducing the Play Arcade — 12 GRC Mini-Games

Long study sessions are great for going deep, but most of GRC capability is built in the small reps — recalling a control ID under time pressure, picking the right framework for a scenario, triaging an incident before the page goes cold.

That's why we've added a new top-level section to the site: Play. The Play Arcade is a hub of 12 short, replayable GRC mini-games — fast enough for a coffee break, deliberate enough that you actually learn something.

The games split into two categories: Drills sharpen recall and pattern-matching, and Simulations put you in the seat to make decisions. Both earn XP, both work on mobile, and all of them are available now.

Drills — sharpen your recall

Drills are short, repeatable, and built for quick wins. They're the easiest way to keep terminology, acronyms, and control libraries fresh between longer learning sessions.

GRC Trivia

Quickfire 10-question rounds across frameworks, acronyms, and incidents. Fifteen seconds per question — how fast can you go clean? Play GRC Trivia →

Flashcards

Spaced-repetition decks for control IDs, framework clauses, and acronyms. The cards you struggle with come back sooner; the ones you nail get spaced out. Open Flashcards →

Speed Run

Solve as many mini-scenarios as you can in five minutes flat. Great for a daily warm-up that builds judgment under time pressure. Start a Speed Run →

Acronym Rush

Rapid-fire acronym expansion — NIST, PCI, SOC, HIPAA, GDPR, and dozens more. If you ever freeze in interviews on a TLA, this is the one. Play Acronym Rush →

Regulation Roulette

Read a scenario, pick the regulation that actually applies. Every answer comes with an explanation, so you build the reasoning, not just the reflex. Spin the wheel →

Control ID Memory

Memory match — pair control IDs with their descriptions across major frameworks. Painless way to internalise the libraries you use every day. Play Control ID Memory →

Simulations — put yourself in the seat

Sims are scenario-style mini-games. They're still bite-sized, but instead of recall they ask you to make calls — score a risk, choose a response action, structure a policy.

Risk Matrix Puzzle

Drag risks onto the 5×5 matrix and compare your ratings against expert scoring. Calibrates how you think about likelihood and impact. Play Risk Matrix Puzzle →

Framework Match

Match controls across NIST CSF, ISO 27001, and SOC 2 — crosswalk as a game. Builds the muscle memory you need when you're mapping a framework for real. Play Framework Match →

Incident Simulator

Choose-your-own-adventure incident response with branching outcomes. Pick the wrong containment step early and you'll feel it three turns later. Run an incident →

Evidence Hunt

Dig through logs, tickets, and screenshots to surface the right audit evidence. The closest thing on the site to actually sitting an audit walkthrough. Hunt for evidence →

Threat Modeler

STRIDE threats, components, and mitigating controls — model the system as a puzzle. A friendlier on-ramp to threat modelling than a blank Miro board. Open Threat Modeler →

Policy Builder

Drag clauses into a compliant policy — purpose, scope, roles, controls, exceptions. By round three you'll know what a policy needs without thinking about it. Build a policy →

Why play matters for GRC

GRC is unusually punishing to learn from textbooks. The frameworks are wide, the acronyms collide, and the muscle you actually need on the job — “what do I do right now?” — only forms through reps.

Short games solve three problems that long-form learning doesn't:

• Cadence. Five-minute sessions are easy to slot into a day. You learn more from twenty short reps than two long ones.
• Recall over recognition. Reading about ISO 27001 Annex A feels productive; being asked to name a control cold tells you whether it actually stuck.
• Low stakes for high-stakes skills. Misjudging a risk score in a game costs nothing. Misjudging it on a board paper costs a lot.

How to get the most out of it

A few patterns we've seen work well from early users:

• Warm up with a Drill before a longer Learning Journey or Scenario session — Acronym Rush or Trivia gets your head in GRC mode.
• Cool down with a Sim after a study block — Incident Simulator or Risk Matrix Puzzle make you apply what you just read.
• Pair with the prep tools. Use Flashcards and Control ID Memory in the run-up to a CISA or CISM sitting alongside Exam Prep.
• Defend a streak. Every game earns XP and feeds into the leaderboard, so a daily five-minute habit compounds.

Available now

The Play Arcade is live for everyone — free and Pro accounts both get access to all 12 games. Find it under the new Play menu in the top nav, or jump straight in below.