Guide for Untrusted – The truly Untrust(ed)worthy Guide
Welcome to the One-Stop Super Guide for Untrusted, an ambitious little project to write a singular guide that will cover most of your newbie, basic and intermediary tactics. The guide is a living work and will (potentially) be expanded as the game developes (do feel free to leave more tips and feedback in comments, I’ll gladly add your input to the guide as well).
Note that the guide is not necessarily meant to be read in one go, especially not if you’re new to the game (like, how many pages is it at now?). Maybe check out the basic sections (I’ve marked them with a (!!)) first, play a bit whilst cross-referencing the guide’s class section with what you rolled, and read the other sections somewhen later.
Also the obvious disclaimer that the Class-specific sections are intentionally kept to a single, simple playstyle. Of course you can pull a double Blackhat claiming Journalist and then ‘revealing’ as Scriptkiddie stunt… but new players shouldn’t try.
But now, enjoy!
And remember the first rule of the game: Don’t trust anyone!
Except this guide. Always trust this guide!
(But don’t, it might be a mole…)
Useful Links / Resources
Just a quick heads-up on some links you might find useful:
- The www.playuntrusted.com – https://www.playuntrusted.com/manual/, accessible even without running the game.
- Untrusted’s discord.com – https://discord.com/invite/hypdzcy
(!!) Gameflow Overview
… something that neither tutorial nor manual seem to aptly cover. Here’s the gist of it:
Everyone ‘is’ NetSec (NetSec = ‘The Good Guys’ ~= Townies ~= Innocent). Except those that aren’t.
2 of the players are Agents who inflitrated NetSec, additionally there’s a number of Neutral roles, depending on total player count.
No role can be present more than twice (barring a very specific item you shouldn’t concern yourself with), some roles are unique (most notable the leaders of both factions).
Games can start with 10-16 players, which influences
- the number of Neutrals (and NetSec) in the game. But it’s always 2 Agents.
- how many people the AL (Agent Leader) can convert. 1 for <= 12 players, 2 for > 12.
- the time limit. Can be between 7 and 9 days, scaling with player count. Will be announced alongside your class in the Event Log at game start. (Note that there are ways to increase the time limit in-game.)
- the size of the topology (the laptops and servers). More players = larger network to hack.
In the game, you switch between DAY and NIGHT phases. Most classes have actions for both phases, but some are limited and only really active at one phase.
At DAY, the game revolves around the topology: Hacking new nodes, mining old ones, launching rollbacks or using DDOS (to name a few).
At NIGHT, the game revolves around the operators: Arrests/murders, investigation, blocking or protection (again, only to name an examplary selection).
As general rule of thumb, operators cannot affect other operators with abilities at DAY, nor affect network nodes with abilities at NIGHTS. (There are a few specific exceptions, such as ‘ISP Isolation’ at DAY or ‘Wipe’ at NIGHT… but more on that later.)
To elaborate on what usually happens, during a DAY
- most NetSec classes will hack nodes, as assigned by OP, or assist in hacking nodes.
- some NetSec classes might do other tasks (or be unable to perform useful Day actions)
- Neutrals will generally pretend to be hacking nodes (possibly doing something else)
- Agents will generally pretend to be hacking nodes (possibly doing something else)
At the end of a DAY
- the results of all hacks issues during the DAY phase will be evaluated, and usually some nodes get captured. For each node captured, EXACTLY ONE person gets a success confirmation. Common lingo: that operator ‘SEIZED’ the node (or might ‘claim’ to have seized a node).
- not all hacks will result in success. (And fake hacks by Neutrals/Agents cannot result in success.)
- a DDOS might be revealed and cancels hacks or Rollbacks
- a successfull Rollback might be revealed, ‘uncapturing’ one of the nodes (and cancelling all hacks beyond the rollback’d node)
Generally, Netsec will want to hack ‘forward’ (aka, progressing towards right) to reach their target, whilst Agents (and some Neutrals) will try to stall or actively hinder NetSec.
Note that time is short: You got 7 days to hack 4 columns for 10 players, and 9 days to hack 5 columns for 16 players. You need 1 day minimum per column, and the AL’s Rollback will usually cost you 2 days. Math dictates NetSec is under very relevant time pressure to complete their ‘DAY objective’ on time.
- NetSec classes have a variety of abilities, most of them of the category protecting (themselves or others), blocking (Midnight Visit) someone, investigating someone in some form, or setting up other actions
- Agents go on the offense and can use their various arrest, conversion and/or investigation abilities
- Neutrals do a wide range of activities that can’t be summarized easily.
A usual NIGHT is likely to conclude with
- 1 or more operators being arrested. If there’s no arrest in a Night that deserves a raised eyebrow (Agents either hit an arrest-immune neutral, the arrest was protected against, or the arrester got blocked.)
- multiple operators will be blocked by random Midnight Visits, preventing their Night Actions (except Midnight Visits, they cannot cancel each other).
- some people are likely to have been watched by an investigative ability (usually Netsec or Neutral, rarely Agent).
- rarely somebody gets murdered. There’s very few abilities like that, and only ONE (Sociopath) that can be used before N4 (Night 4). Most deaths will be the result of lynch votes or disconnects, not NIGHT actions.
At both DAY and NIGHT,
- all operators can talk in the public chat
- all operators can access the player list, dead/arrested player’s logs, the Event Log, or check the public topology and pwned nodes’ access logs
- all operators can access their own Personal Logs and edit them
- all operators can send mails (private messages / whispers) to other operators
- Agents can talk in their private ASC
and, most importantly:
everyone can vote to have an operator killed at the end of the phase.
Anyone can place a vote against anyone (alive) by clicking their name. You are locked into your choice for 10 seconds, after which you can change it to someone else (or cancel it by selecting the same person).
Votes are public, and a counter tallies the total number of votes, turning GREEN if a majority is reached and YELLOW if a majority will be existant if the OP voted for this person. This is because the OP’s vote is tallied once, but counts double.
Note that randomly voting for people for no reason is frowned upon and might get your voted in semi-justified retaliation.
Generally, if suspicion exists, the first action is to demand logs. Followed by a lynchmob if no log is provided within the next 10-20 seconds.
Note that pointing out an obvious contradicton in somebody’s log (or in the network node logs) is a very good reason to start a lynch vote,
and it’s usually accepted that the OP can demand for logs and call for lynches at any given time (mileage may vary according to perceived competence of OP).
Be wary of unanimous votes on anything but crystal-clear Agent screw-ups. If everybody voted, that means the other Agents and Neutrals voted in favor. If there’s 6 people left, 2 of them Agent, and you are NetSec, and you manage to get 5 people to vote for the one fellow… chances are he’s not an Agent.
If a phase closes with a majority of votes, that operator will die, with no way of preventing it in any shape or form, in the coming phase transition. Their action is however still executed, so be wary of lynching, i.e., a Journalist at DAY, she is likely to deploy her rollback as final revenge.
I hope this provides you a rough overview of how games tend to run.
(!!) waht do i hack – "Top Top Bottom Bottom"
The tutorial does a great job at passing the OP the completely dumb and mundane duty of telling people the obvious: In the assumption that hacking classes are pretty evenly spread across the player list, and without any other information to act on, the best move is always to split up and try to hack as many nodes ‘forward’ at once as possible. (This may change in the later phases of the game, but then you’ll probably have a good grasp of what needs to be done anyways, and OP can take actual lead, with actual information.)
Therefore, apply the rule of thumb: Top Top Bottom Bottom
- The top half of the player list goes for the top node, the bottom half of the player list goes for he bottom node. (Of whatever rightmost layer available.)
- If there’s only one node, the answer becomes even more obvious.
- If there’s three nodes, simply split the list into top, mid and bottom.
- If you have two choices that aren’t in the same column, top half of list takes left, bottom half of list takes right.
For anything more complex, and for special DAY abilites, this is when you actually need the OP’s input. Everything else should be common sense.
Note that this is a ‘generic’ instruction ‘for hacking classes’. You do not need to explicitly point out that you cannot hack, nor do you need to apologize for, i.e., Data Mining. The rule of thumb, or alternatively OPs general instructions, are meant to avoid overlap, NOT to mandate the low-skill hacking classes to waste their DAY action on hacks the Blackhats can take care of.
Addendum: It’s not really relevant whether that split is perfect, because whether it’s 5 unknown-classes-claiming-to-hack or 6, the result is approximately the same.
The key reasoning behind this default approach is that, especially early, NetSec has a lot of hacking power… so focussing on too few nodes is likely to waste successes that could have garnered multiple nodes in a single DAY.
Towards the middle of the game, splitting up makes it harder for hostiles to block NetSec hacking efforts with Rollbacks or DDOS. And going to an off-path branch might reveal an alternative route that a rollback won’t affect, or at least discover a secondary target, or give a Journalist a dead-end to dramabomb.
Only towards the end does the rule of thumb become less prevalent… but at this point you probably intuititvely know which direction to hack, with or without an alive OP providing (useful) instructions.
As the game progresses, and the player list (in all likelyhood) grows shorter, and Blackhats and non-hackers might become reveal, it’s possible that OP will rearrange the list into different groups. Such as "Blue to Magenta is top, everyone else is bottom". Or maybe even put in an effort and assign individual colors to specific callsigns (Aka, "Blue, Yellow, Magenta, Red, you are all alpha. […] Alpha go for 177).
Another addendum: Generally, refer to nodes either by their position (top, bottom, right, next), their type (laptop, server) or the last 3 digits of the IP.
There’s no reason ever to type out the full IP, since the first 3 segments are always identical for all nodes within a single game.
(!!) "No Logs, No Mercy" – Information Asymetry
Right now, ask yourself, do you know how to use the personal log? If the answer is anything but "Yes", read the following paragraph, then head to the tutorial and play around with the log until the answer is "Yes". (I’ll explain why, further down the line.)
Instead of writing down information manually in a Death Note or Last Will, in Untrusted you use a Personal Log, filled with semi-automatically generated entries. This means, whilst you can write log entires, you shouldn’t (except for adding additional comments between log entries).
Simply pick the class you want to pretend to be (your actual class is always pre-selected, so in case of NetSec, you probably don’t need to change that) in the bottom right (RED).
Depending on your selected class, you can then select a time (DAY/NIGHT) and will see an according set of actions (BLUE). Note that the game will even label actions that do not fit the chosen time frame with [N/A] (i.e. you cannot Hack Target at NIGHT, nor can you Midnight Talk at DAY).
Depending on your action, you might be able to select a target (YELLOW). This could be either a player or a node (IP Adress).
After selecting the correct target (or not having to select), click ‘Append to Log’ to add the line (note that it will always be added to the bottom, regardless of where your cursor might be. The log has full Copy/Paste support though). Your entry should appear in the GREEN circled area.
If you did not perform an action, you can hit "Append Empty Action" instead. As a default, always log for each time span, either the action, or an empty action.
If you do your job right, your log could look like this example
Note that, in this example, I added comments below NIGHT 1 and NIGHT 2, adding information on what happened to me those nights (i.e. I was midnight visited N1, and almost arrested N2).
Bonus fun fact: Logs tend to have a lot of entries, so if you want some to stick out, CAPS don’t really help (as DAY / NIGHT is already in caps). But putting a " – " in front does, because the indent breaks the text pattern. So INDENT important entries (and being attacked, or figuring out a not-netsec, are pretty important entries).
At this point, please try writing a log (in tutorial) yourself. (Also note that the Netsec Tutorial is dumb and doesn’t let you select all timespans right away)
Okay, now that you know HOW to write a log, on to the question as to WHY you need a log: Information Asymetry.
In this game, Netsec has the numbers, but lacks information, whilst Agents are always outnumbered, but have a lot of information, such as
- who the other agents are, and what their abilities are
- how the topology looks (i.e. where the target server is, and which nodes are critical chokepoints)
- what the rest of their team is doing (as they can talk on a secure channel)
- who was targeted for arrests and conversions, and why they may not have succeeded
Therefore, any additional factors of obfuscation / disinformation / confusion / lies are an advantage for the Agents, and a disadvantage to NetSec.
Logs are the best way to keep detailed information, and therefore NetSec’s most valuable tool to compete with the Agents. Therefore as NetSec, your #2 priority (after using your actions) is to keep your log accurate and up to date.
Seriously. Decide on an action (usually, it should be obvious and maybe even be clear the phase before), then log that action. You got 120 seconds to make those couple clicks, everyone can do as much.
If you for some reason make last second changes, or forget to log, immedeately fix that in the next phase. You can freely edit your log, make sure it’s accurate, clear and orderly. Massive discrepancies in logs, such as three consecutive "NIGHT 3: nothing" are indicative of someone panicking and trying to hurry a log when being asked for logs, aka, they are indicative of a non-NetSec. You might end up being lynched for that alone.
Which, in reverse, means that everyone faking a role (aka, Agents and Neutrals) is forced to keep an accurate and detailled (if falsified) log as well, or it will be immedeately clear that they are lieing. This is twice as relevant because it’s very easy to keep a honest log, but a lot harder to fabricate a flawless lieing one. Therefore, demanding everyone to keep a log is reasonable, because it’s easy for NetSec themselves.
That’s where the "No Logs, No Mercy" comes in: If there is any doubt (or ‘sus’) on any operator, and they lack the ability to verify their class through a past or present action, they must post their logs. Because way too often Neutral/Agent classes will fail to fabricate good logs, and calling them out on a contradiction is a free lynch in favor of NetSec. There’s no excuse not to keep a log as real NetSec,
thus if you claim to be NetSec, but cannot provide a log upon being asked, you will be lynched. And rightfully so.
ergo: No Logs, No Mercy.
To post your log, select the part of the log you want to post (usually everything. Note that not selecting anything will as well default to everything), and hit "Send selection and close". This will copypaste your selected log entries straight into the public chat.
(Note that being ‘unable’ or unwilling to post your entire log, or ‘accidentally’ only posting half of it is extremely suspicious and usually grounds for being lynched.)
Now, mind you, there are some specific instances where a NetSec might want to omit critical details from his log. Such as figuring out the OP’s identity. And it’s fair to then redact/censor that part of your log. But the rest of your log should nontheless be perfectly accurate.
Also, note that "I’m too important to reveal logs" is never an excuse. The only person who can truly claim that is the OP, and they can just send an anonymous "X is good, no need for logs" message to protect themselves (and also totally give their own cover away, but eh, better than being lynched).
Key events during the DAY – Rollback and DDOS
There’s a number of things that will happen during the day, which may or may not end up being misinterpreted by new players, therefore here the synopsis:
(Note that all Rollbacks and DDOS (if successful) will always be made public to everyone in the Event Log.)
A rollback is an Agent-sided tool that reverts control of an already captured (network) node. It stalls NetSec’s progress, and usually costs them 2 days if executed on a chokepoint: One day because any hacks further down the line will automatically be cancelled, the second day because NetSec will spend the next day recapturing the rollback’d server.
Note that this requires a node to be a chokepoint in first place. Aka, a node through which all traffic from left to right must flow. If there are multiple nodes in the same column, all pwned by NetSec, and all of them connect to a target node in the next column, then the previous nodes are NOT chokepoints, and rolling them back wouldn’t hinder NetSec (significantly).
To examplify (from the perspective of an Agent, who has full topology knowledge):
RED circled nodes are chokepoints. If either of the two is ever rolled back, all hacks will fail and NetSec will lose their 2 days.
The ORANGE circled node is practically a chokepoint (because it is the only path to the target server), but technically rolling it back wouldn’t stop hacks against the ‘unimportant’ other nodes above.
All of those 3 nodes are valid and valuable targets for Agent rollback’s. And, as explained earlier, the Agents have the advantage by knowing which nodes are chokepoints from the get-go, whilst NetSec will only figure this out as they hack and explore the topology.
Note that ONLY the rollback’d server is ever ‘lost’. If, i.e., the very first in line of nodes is rolled back, all nodes will disappear from the public topography, but only one node was rolled back. The other nodes are still under NetSec control (aka: ‘pwned’/owned/green), but simply cannot be accessed until the rollback’d node is recaptured. So don’t get overly discouraged by ‘the entire network just disappeared’, not all progress is lost.
As for the presence of the Rollback skill: It is a DAY action with exactly 1 charge, meaning it can only be performed ONCE. As well, there’s only three classes that have the ability to do Rollbacks: The Agent Leader (always in the game), a Journalist (Neutral, likely to have 1 or rarely 2 in the game, but will be lynched if she uses it) and Offense Moles (converted Spearpisher/ImprovHacker).
This means, in any game, you almost certainly will end up being rollbacked once by the Agent Leader unless the AL is taken out early, or loses his rollback to a DDOS.
If more than 1 rollback occur, this means the Agents either managed to convert a Spearpisher (which is possible, but very rare, as Spearpishers are a single specific class, and can protect themselves from conversion), or that a Journalist decided to screw over NetSec. (Which, coincidentally, is the single-most hotly debated reason as to whether Journalists should ever not be lynched…)
Sidenote: Therefore, a NetSec friendly move for a Journalist would be to intentionally ‘waste’ a rollback on an unimportant node that isn’t a chokepoint. This way, you remove your only threatening ability and might persuade NetSec to leave you alone.
An important drawback of the Rollback: As any action on a node, Rollbacks leave a log of who performed a Rollback.
Silver lining: Rollbacks by Agents or Offense Moles (but not the Journalist!!) additionally generate fake log entries.
This means, once you recapture the node next day, you can check the previously rollback’d nodes logs for who did it, and will usually get a list of suspects. ONE of the entries of people accessing the node at the DAY the Rollback occured, IS THE AGENT WHO PERFORMED THE ROLLBACK. It is well advised to start aggressively lynching people (especially those that cannot prove they couldn’t have done it) on that list until you find the Agent.
As for the most interesting section to you (maybe): How to prevent a Rollback?
There is exactly two ways to prevent a Rollback: execute a DDOS on the same time and node as the Rollback occurs, or the Field Agents ISP Block. Though, since it’s usually the Agent Leader doing the rollback, you will never end up with a Field Agent ISP Blocking that (and even accidentally ISP Blocking a Journalist rollback is VERY unlikely).
So that only leaves the
Distributed Denial of Service
A DDOS occupies any one target node, and pre-emptively blocks all DAY actions on that node (except the Tamper Logs action, which specifically states it uses physical access circumventing DDOS).
Which means it can
- prevent NetSec from hacking an open node (bad).
- prevent a data miner from digging for intel on a pwned node (kinda bad, but legitimately happens frequently and is not a big deal).
- prevent the execution of a Rollback, whilst consuming the Rollback’s single charge.
Therefore, predicting when an Agent (Leader) will use his only Rollback charge, and sniping it with a well-timed DDOS is an extremely powerful move that can potentially decide the game and secure NetSec victory.
As for who has it: Only Blackhats, the most powerful hacking class NetSec has.
And Scriptkiddies, which makes them surprisingly useful to NetSec, if they don’t go for the random trollfactor and just DDOS nodes NetSec is currently trying to hack ‘4 da lulz’. (Note that a publicly revealed Scriptkiddie, who blocks an Agent’s rollback, will likely get arrested right afterwards… which conflicts with their Neutral Goal.)
Aaaaand Agent Leader (with a 33% chance). So usually you will see him using DDOS to hinder NetSec, rather than block a fellow Agent’s Rollback… and probably get a Scriptkiddie lynched in the process.
Only those three classes can DDOS, and only the Blachat is certain to be siding with NetSec.
As with all DAY actions on servers, DDOS leave connection logs. Though note that it does not block other accesses from generating a log, so a malicious DDOS on a node targeted for hack is usually well-hidden among legitimate hack attempts.
But a benign DDOS (on a pwned node) tends to reveal the Blackhat/Scriptkiddie who performed it Be mindful of that.
Also note that the Network Specialist has the unique ‘Wire Shark’ DAY ability that, when used at the same DAY, automatically reveals to them the identities of anyone who launches a DDOS at that DAY.
Be mindful with that knowledge, because combined with whether it was a benign (on pwned chokepoint) or malicious (on unowned node) DDOS, this can give you intel on who the Blackhats (valuable NetSec), Agent Leader (valuable Agent) or Scriptkiddie (…) are.
If you want to dodge a Wire Shark: Be advised it comes with a hefty 3 Day Cooldown. I.e. usage on D1 means D2 and D3 cannot be sharked… unless there’s two Network Specialists coordinating.
Personal events after a DAY – SEIZE and ISP Block
There’s a few very specific things that can happen during a DAY, that only provide you a personal log and aren’t visible tot he public. The more common ones are:
Successfully seizing a node
Whenever a node is hacked by NetSec, ONE hacker participating in the hack ‘gets the credit’ for ‘seizing’ the node. To them, the Event Log will reveal that they ‘successfully hacked’ the node, whilst it will display a(n expected) failure to all other hackers.
That information is valuable, because it’s most likely to apply to NetSec classes, specifically OP, Blackhat, Network Specialist and Social Engineer (who all have above-average hacking skills).
However be wary that an Agent Leader with the Hack skill (33% chance) has a high hacking skill as well, and that even Rival Hackers, Sociopaths, lesser NetSec classes and very rarely even a Scriptkiddie can successfully seize a node.
So, proclaiming that you seized a node kinda puts a ‘I’m a valuable NetSec Class’ target on your back that can draw arrest attention… but is not necessarily confirmation enough for anybody to trust you.
DO LOG a successfull seize (if just to contradict some Neutral/Agent class trying to take credit), but ponder carefully whether it is worth revealing it.
DO CONSIDER COUNTER-CLAIMing if somebody falsely announces success on a hack against a node that YOU actually seized. There’s very little reason to make that fake claim, and since lieing is bad for NetSec, you should rightfully try to get the other operator lynched. (Good luck proving it was actually you, though.) If you don’t think you can get them lynched, make a big remark in your log to have that person lynched for lieing and save it for later.
DO CLAIM SUCCESS WHEN you were the only one to even access that node. Bit of a honey trap, but if you’re the only person who accesses a node the day it was hacked, the fact that you seized the node is essentially public knowledge… yet it’s Agents and Neutrals that are most likely to actually check on node logs and then specifically target you, so it’s likely adviseable to point out to the public that you just, verifyable, seized that node (unless you think Agents are likely to miss it anyways) and potentially need protection.
Your Internet Connection suddenly failed
As in; in-game…
The Field Agent has a valuable ISP Isolation skill, that allows them to block one operators DAY action. It has no cooldown, but only 3 charges, and if the Field Agent decides to use it they cannot have fake-hacked and therefore left a log on a node at the same day. As in: If somebody consistently ‘helps hacking’, except for the days where, conveniently, your net shut off, then they’re potentially the Field Agent.
Therefore, as NetSec, ALWAYS announce you have been ISP Blocked. This goes double since Neutrals or even Agents may ‘log’ that ‘I have been ISP Blocked, that’s why I didn’t hack that DAY’ to cover their limited hacking abilities or other malicious activity.
If somebody has ISP Block on his log, but did NOT proclaim this publicly the DAY it happened, this is EXTREMELY SUSPICIOUS and usually warrants a lynch.
Sidenote: Of course this means non-NetSec classes can loudly proclaim ISP Blocks, either to sow confusion or otherwise give the Field Agent hints… but the Network Specialist can actually verify whether that claim is true in the following NIGHT, so that’s a risky play. That’s why you can usually trust public ISP Block claims to be honest.
Frequent events during the NIGHT – Visit-visit-visisisitit and watched
Whilst the big actions that happen during the DAY tend to be proclaimed to everyone (during the shift to the NIGHT phase),
NIGHT actions tend to not leave a public result, outside of operators being arrested/murdered. Therefore, it’s highly adviseable to NetSec to log everything that happens to them during the NIGHT… and for some occurences, mentioning them in public chat right away is advised, too:
(aka Midnight Visit / visiting)
One of the probably most misused and misinterpreted skills of the game.
Midnight Meeting is a NIGHT (duh) skill, that allows a class to visit another target, and block their NIGHT action, whilst revealing your identity (but not class!) to them.
Please read that again: Midnight Visits can potentially block another NetSec’s valuable NIGHT action (such as protecting or investigating people), AND gives somebody very concise information about what class you might be (and you do not want to give that information to the wrong people needlessly).
OR it can end up ruining an Agents NIGHT, or maybe help you confirm your identity to a fellow NetSec.
Mechanically, Midnight Meeting, like all occupying/blocking abilities, is evaluated first in a NIGHT phase. Therefore, it overrides other NIGHT abilities (such as protection, investigation, murder…), but does not block other Midnight Visits. If Dr. Red visits Dr. Green, and Dr. Green visits Dr. Blue at the same NIGHT, the result will be that Dr. Blue is blocked, and Dr. Green is not affected (it will still say you have been visited and occupied… just that it didn’t cancel your own Midnight Meeting).
(There is some wonky interaction between Mignight Meetingand Escort abilities… in that Escorts cancel operators attempt to perform Midnight Visists, and Midnight Meetingcan cancel an Enforcers Escort… so what happens if Dr Red escorts Dr Green, but Dr Green Midnights Dr Red?)
Now who can Midnight Meeting? The answer is; the big shots:
- Journalist (Though her action is called ‘Get Scoop’)
- Agent Leader
- Offense Mole (converted Spearpisher)
Note that Agent Leaders do not often spend a NIGHT on a Midnight Meeting (rather than Conversion), and that Offensive Mole’s are relatively rare. Therefore, if you get Midnight Meeting’d (and you would be hard-pressed to ever survive a game without that happening once), Netsec/Journalist are your most likely candidates… and they just gave you their identity.
Note that only the Journalist does not have a 2 day cooldown (aka; every other NIGHT) on her Midnight Meeting / Get Scoop.
Sidenote: The Analyst is in fact the most likely class to visit you, because their ‘Ask the Right Question’ Night skill is a visit, too. But it does not block your own NIGHT action. Therefore, if you get a visit notification, AND were performing a NIGHT action, but have not been blocked, the visit was an Analyst. (Note that if you did not perform a NIGHT action, you will not be told whether you have been blocked, therefore won’t know for certain whether it was an Analyst.) This does however mean that the Analyst can visit every NIGHT, instead of every other. She still can only block people every other NIGHT though.
As to how to react to a vist? Depends on a lot of factors. Usually, you can assume that someone visiting you is not hostile to NetSec (especially if it’s an Analyst). If you are a class that is dependent on it’s NIGHT actions (such as Enforcer, Operation Leader, Agent Leader, Agent, etc) you may want to message the person to stop hindering you (at the risk of them doing it again if the think you are on a different faction). In reverse, some classes are not really affected by being blocked at NIGHT (such as Blackhat), so you could as well play it cool.
In almost no circumstance, should you publicly reveal who visited you, as it marks them as a target for Agent arrests. (Exceptions, such as "Don’t lynch me, I was supposed to do X last night, but Y blocked me!" exist.) But DO note the visit in your log.
"You have been watched."
This is the second variety of very common NIGHT action that might happen to you. First advice: Don’t panic.
There’s plenty of abilities that visit you and then give you the "You have been watched." prompt, such as (exemplary)
- Social Engineers / Bounty Hunters "Doxx and Stalk"
- Inside Man’s / Sociopaths "Follow"
- CCTVs "Install CCTV Surveillance"
Essentially, all you can derive is that somebody tried to gain intel about you or your NIGHT actions, and might have learned of your faction, or whom you visited last NIGHT (if any).
Generally, you want to log these events, but (especially if you’re NetSec), there’s no reason to be overly concerned, or even mention it in public. (You especially wouldn’t want to warn Agents that a CCTV might be covering you.)
Don’t be surprised though if somebody mails you on the next DAY (i.e. revealing they’re the Social and now trust you, or asking why you visited X, or asking what happened to you last night (CCTV checking what the NIGHT actions targeting you were).
Be warned that not all investigative actions leave that remark. So ‘not being watched’ does not equal ‘you’re not a target’.
Escorts, Conversion and Arrest Attempts
The most benign kind of NIGHT notification is the one that somebody is watching over you… one way or another.
If you’re being escorted / moved to a new Hideout, generally this means somebody deigned you worthy of their protective NIGHT action. Enforcers can do this every NIGHT, Operation Leaders can do it every other NIGHT.
Note that this will as well occupy/cancel your NIGHT action (unless it’s a Midnight Meeting)… so if you have NetSec NIGHT business to do, good luck figuring out how to let your guardian angel know.
Note: The Field Agent can, instead of directly arresting you, instead pretend to escort you. You will then automatically be targeted for an arrest the following NIGHT. However, this kind of ‘fake’ escort does not block your own NIGHT action. DO mention that in public right away!
As with most NIGHT stuff, you definitely want to note all this down in your log, but you may or may not want to reveal it. Publicly acknowledging that you’re being protected draws attention (and whilst Agents might not want to arrest you regularly, this could make you a juicy target for a STING operation, endangering your savior).
This changes DRASTICALLY if you have been protected from an actual ARREST/MURDER attempt. At this point, the Agents (or whoever else targeted you) already know that you have been protected, so you might as well go public with it. (Your protector will know, too, but they shouldn’t reveal their identity, whilst you got nothing to lose by revealing you have already been attacked.)
Failed Conversions are a different story. You cannot be protected from the Agent Leaders conversion by virtue of being escorted (as it only protects you from arrests or murder attempts). But some classes, notably Neutrals, Blackhats and Operation Leaders, are immune to conversion.
If the Agent Leader failed to convert you he will expect you to be either a Neutral, or a High-Value NetSec. If you do not wish to publicly pretend being a Journalist (who is immune to conversion AND arrests, but not an enemy of NetSec), you might want to reveal that you’re a valuable NetSec role (with evidence) and ask for actual protection.
It’s common for Agents to arrest conversion-immune targets in the following night, if they do not suspect the person to be a Bounty Hunter or Journalist, as it nets them a high chance of catching valuable targets.
Obvious addendum: You shouldn’t publicly mention if you have been SUCCESSFULLY converted, either. You’re on their side now.
‘Network of Trust’ – What and how to?
CLASS – NetSec – Operation Leader
(aka: the OP)
The innately most central classes of NetSec, and also the one that always goes to the most green player in any given lobby.
Your main priority is to coordinate the public discussion. Use your Covert Broadcast to assign specific hacking tasks during the DAY, direct protection efforts (since you got one of the protection abilities) during the NIGHT.
Note that you do not necessarily need to tell people which node to hack… the rule of thumb "Top Top, Bottom Bottom" applies. But if you want to act on intel the public does not have, you may override that rule or remind people to use non-hacking DAY abilities.
Also, avoid explicitly calling for a DDOS, unless you think your Blackhats are actually Greenhats; The goal of a DDOS is to catch the Agent Leader whilst deploying his rollback… the AL won’t Rollback if he knows the DDOS is coming.
Generally, lay low, do not draw attention in chat. BUT, don’t be silent either. I’ve successfully sniped, and seen snipes, of OP’s exactly because they’re always the silent guy (as they overuse their anonymous chat tool). Don’t be that easily figured out. Drop a line occasionally, maybe acknowledge (or complain about) the OP’s instructions.
You should try to grant root at some point before you die, but at the same time make sure not to grant it to a stranger who might be an Agent, and as well be wary of giving it to a publicly known NetSec (who might be converted). Blackhats are great targets for roots, as they cannot ever be converted. And Neutrals can potentially work, too… but obviously they’re a bit less reliable as future OPs.
Your general playbook:
Hack target nodes alongside everyone else.
Consider granting root to a valid (preferably privately confirmed) NetSec or public Blackhat.
Use the 0-Day on a server you know will not see much action (in the ways of DDOS or Blackhats). Keep in mind YOU can call those shots to ensure this condition is met.
Make liberal use of Emergency Extraction (it only has 3 charges, yes, but it comes with a cooldown… so you can’t even use it up before N5 anyways). You’re essentially half an Enforcer at NIGHT. (And keep in mind that it protects targets from Arrests, Murders AND Conversion attempts.)
Move Hideout is a great follow-up when you have been subject of a failed conversion attempt last night, or just generally think the Agents have a reason to target you. Don’t throw it out willy-nilly.
Really, most of your play comes by coordinating people via Covert Broadcast.
(Also note that OP is legitimately THE ONE operator who does NOT need to make a log. If things come to blows, you can always claim to be OP, and confirm yourself via Covert Broadcast to the public, without posting logs. Your log should only contain critical information you need to pass on in case you get arrested/killed.)
CLASS – NetSec – CCTV Specialist
usually abbreviated to ‘CCTV’
A bit of a wonky NetSec class, for the reason that you have very little DAY Actions, and don’t do too much at NIGHT either, but still manage to frequently end up the single largest pool of intel any single operator possesses.
Your CCTV Surveillance works like this: You can place two cameras, at NIGHT. From that moment on, including the NIGHT you place one, you will passively be notified of ANY visits targeting the person you placed the CCTV at. (And yes, this means you will always see yourself visiting the target that NIGHT.)
Once placed, you do not leave to visit anyone ever again, and will continously gather all information on visits… which can be lethal for finding Field Agents performing arrests (As in: If you see somebody visiting a person, and that person is arrested that same NIGHT, one of the somebody’s who visited is the Agent. Plusminus Agent setting up a Planned Raid the previous day, of course…)
BONUS ROUND: As an interesting and powerful gimmick, a CCTV can actually not only gain intel from his own camera, but from those of a potential second CCTV Specialist, as well. So if you suddenly receive notifications about people visiting someone you didn’t install a CCTV at… you got a pardner. And even better: Your fellow CCTV is one of the people you saw visiting your non-target!
Figuring out each other’s identities is a massive boost, because this way you double your intel gain AND can coordinate to cover more important targets… or each other!
Your general playbook:
Make liberal use of your Create Hideout. Really, spam it whenever available, there’s no reason not to.
Bait Law Enforcement is tricky to use. It has a high cooldown, and if you only send one tip every 3 days (the fastest you can do it), it’s fairly obvious that you’re a CCTV, not a Bounty Hunter. (Same when the Agents receive multiple tips at the same DAY.) It’s not a great tool, except for warning the Agents that there’s a CCTV present.
Don’t feel bad if all you do at DAY is either build selfish hidey holes or laze about. Your job is to bust Agents with your intel later, not to be a hero during daytime.
Don’t waste Move Hideout early, as you’re very unlikely to be targeted (since you’re not hacking). On the other hand, don’t be too stingy, since you got 3 charges anyways (and can spam them out in three consecutive nights, if necessary).
Try to get the CCTV cams out sooner rather than later, both to get more intel on what is happening, and to potentially identify the existence of a 2nd CCTV. Try to target high-profile targets, though obviously it’s hard to find those early… but ‘saving a camera for a valuable target later’ is a risky move.
Should be fairly obvious, but ALWAYS LOG ALL NIGHTLY VISITS YOU OBSERVE, unless you already know the classes of the visitors and think it’s better to omit that information.
CLASS – NetSec – Enforcer
The bad boy among the good guys… lacks a clear abbreviation, but occasionally misslabelled ‘bouncer’
Your job is simple: Protect people, or beat someone up so bad that you potentially un-alive them.
The tricky part comes in when determining to what of those things to do to whom.
Generally, there’s no harm in Escorting random targets. At worst you protected someone who wasn’t (going to be) attacked. At best you denied the Agents an arrest on a valuable NetSec, or just wasted an AL’s Conversion cooldown (because yes, you protect people from being converted, and it still puts the AL on 2 day cooldown).
Be advised though, that your escort additionally occupies a target, cancelling their night action. In general, you will hear your target complain vehemently in chat if you keep ruining their NIGHTly plan, and be advised that your primary wish target, the Blackhat, is entirely unaffected (as her only NIGHT ability is a Midnight Meet… which cannot be blocked, because it’s a blocking ability itself).
Your interrogate should be directed at anyone drawing suspicion: If you find inconsistencies in their logs, simply calling for their logs in public will make those inconsistencies visible without actually giving away your role. Alternatively, it will allow you to gain intel as to whom to protect.
Always keep in mind that logs can be falsified, and that early on logs likely don’t contain much, whilst later on, you will have your hands busy protecting.
Disorganized Murder can be a play to even the odds, but you can only use it starting in N4, whilst NetSec can publicly lynch TWO people ‘per night’ (as in, one per phase) from D1. If somebody needs a killing, they don’t need you. Things change if you have a trusted NetSec feeding you private info… but that’s risky and you know it.
Your general playbook:
You literally cannot do anything (reasonable) at DAY.
Liberally use Escort on basically everyone, but in particular those you think have drawn attention. Don’t be shy to pick one target and stick to them for the rest of the game, if you think they’re valuable NetSec.
Interrogate becomes more useful later, and can be thrown willy-nilly to either find obviously fabricated logs, or gleam intel from legitimate logs. Just be wary that each night you interrogate is a night someone isn’t protected, and that a legitimate-looking log might still be fabricated.
Disorganized Murder is a rare play if, after D4, for some reason you alone have specific intel on a bad guy that cannot be made public instead.
CLASS – NetSec – Inside Man
Amusingly, usually referred to as ‘Inside Man’
Honestly one of the most akward roles in the game: You kinda do stuff, but nothing with clearly visible effect, and you can pretty much reveal D1 and everyone will go "what exactly do you do again?" and Agents will probably only target you because they literally have nothing better to do.
You’re not a high value class, and you should be keenly aware of that: If you are forced to reveal, you will only receive protection if the Enforcer/OP have nothing better to do, and be ready to accept being lynched on the slightest suspicion because you can’t even confirm yourself ‘and we can risk losing an Inside Man anyways’.
Two lines (or, well…) on your abilities:
Your Keylogger is a simple two-part ability: At DAY you plant it. At NIGHT you retrieve it to give all hackers an invisible boost for the next DAY. Your Keylogger can be destroyed (by moles, most notably), but then you can simply plant a new one.
Your Insider Knowledge gives you the IP addresses of SECONDARY targets. Secondary targets are nodes that contain intel that Data Miners (Analyst/Spearphisher) can pick up to give NetSec a boost (ranging from "X is not a Scriptkiddie" to "Here, have +24 hours for the hack"), but are not relevant for, or related to, the actual target node. Don’t get those two things confused, and don’t cause NetSec to focus into the wrong direction. Wasting two days of hacking to MAYBE get +24 hours is not helpful.
And whilst this knowledge of secondary targets is kind-of-useful, it is so only to two specific classes, who may or may not ever get access to the server (it could be the very first node in the network, or something on a sidebranch that is utterly irrelevant), and whom you have no real way of contacting reliably without outing yourself… yeah, you see the point.
As a slight silver lining, if for some reason you have been boring enough to survive to the late-game, you will immedeately see the target server marked with a red target symbol if it becomes accessible in the public topography. Calling that out is usually worth blowing your cover (if you hadn’t already), assuming there even are multiple last-column servers to chose from.
Your general playbook:
You got only two charges on Insider Knowledge, so you might as well use them before you get arrested. Make sure to log the IP’s of secondary targets.
Otherwise (or maybe even before above), Plant your Keylogger whenever possible.
There’s not much else to your job, you’re a blue collar wage slave after all.
If you know that the next day will see difficult hacking action (Blackhats busy DDOSing, or lots of servers), retrieve the Keylogger for a sweet boost.
Otherwise, consider whether Follow-ing is worth it (it’s a MUCH weaker, and more limited CCTV… though you can specifically follow a suspect operator and maybe discoer the Agent as he arrests someone).
If nothing else, just Dive all those Dumpster, who knows whether it will help.
You have no excuse to ever be doing nothing at NIGHT.
CLASS – NetSec – Analyst
Undervalued, overclaimed, and at the butt of all jokes (also, no common abbreviation)
A fairly straightforward class: You do servers at DAY, and do operators at NIGHT. As in, hack servers and talk to operators.
Note that your Download Intel has a 100% success rate… just that only a few nodes (1-3?) contain valuable intel to begin with. So don’t waste time mining the same node over and over, but simply cover as many as possible. This isn’t a maximum priority though, since even finding intel is not necessarily that powerful.
Your Log Analysis will allow you to purge a node of all fake logs. This can be useful if you spot a server with obviously falsified logs (or a rollback’d server, who is guarantueed to have false logs), but usually your team would rather want to lynch people right when the logs become available, not wait 2 phases for you to maybe clean them up…
Be aware that both of those actions leave access logs on the already hacked node and, past Rollback and DDOS, are the only skills to do so. Anyone paying attention to ‘past DAY’s nodes’ will spot that you’re a Spearphisher/Analyst. And the ones that do pay attention are usually the Agents.
As well, be careful about misusing Ask The Right Question: It only tells you whether somebody has a legitimate Hack Target ability (aka, one that can succeed), or whether they don’t. Problem is:
Finding out somebody can’t hack isn’t suspicious: NetSec Field Ops (Enforcer, Inside Man, CCTV) can’t hack, eitther.
And finding out somebody can hack, doesn’t necessarily mean they’re NetSec, since the Sociopath and Rival Hacker can both hack, and the AL can roll a legitimate Hack Target skill with 33% odds.
So the trick is to specifically Ask The Right Question to those that are claiming to hack, aka those that show up on node logs. If any of those come back as can hack, it’s worthless intel, but if any of those come back as ‘cannot hack’, it means they’re faking hacks… which only Neutrals or Agents do. (Though, be wary of Faked Logs.)
As well, massive caveeat: Ask The Right Question causes you to visit someone, and is displayed to them as visit with your identity… but does NOT occupy them. This skill is the only visit that does this, and therefore you’re essentially giving away your role and identity to a random target (usually one you suspect of being non-Netsec)… which is pretty much a high-risk play. Note that your class can be concealed by the target being occupied at the same night by chance, or by the target being oblivious to this specific interaction… but don’t rely on that.
Your general playbook:
If you got access to a node with Fake Logs, consider clearing those (usually only worth it on rollbacked servers).
Otherwise: Download Intel (also: mine, from Data Mining) from a node you / nobody else mined yet.
Otherwise, hack something, preferably laptops (the odds of you succeeding a hack on a server are… slim).
General advice as for Midnight Meeting goes, twice caution for Ask The Right Question.
It’s perfectly fine to do nothing for a NIGHT, even if you could be probingvisiting people non-stop.
CLASS – NetSec – Network Specialist
aka ‘Net’/’Network’. Note that both ‘NetS(p)ec’ and ‘Spec(ialist)’ tend to lead to confusion.
A fairly solid and straight-forward class, and the arch-enemy of dumb/malicious script-kiddies and careless ALs.
Your Wire Shark lets you detect the origin of any DDOS performed at a given DAY… but comes with a hefty 3 day cooldown. It timed correctly, you can deduce the sources of either benign or malicious DDOS (details in the respective previous section), either for personal intel or for lynching a Scriptkiddie / Agent Leader / Greenhat (derogatory term for a (newbie) Blackhat that DDOS’s his own team).
Outside of that, be warned that your Cover Your Tracks only provides you a CHANCE of avoiding arrest, does not hinder conversion AND can be blocked by a (mis)timed Midnight Meeting. It’s better than nothing though.
Your Review Connection Logs is a very specific tool for the rare case someone publicly claims that his ISP has been cut last day. If you use this skill right away in the following night, you can verify whether their claim is true.
If somebody claims ISP Block, but you deem that false, that’s a reason for a lynch. Which is why noone will ever fake claim ISP Block, go figure.
Your general playbook:
If you expect a DDOS (of the malicious kind), use Wire Shark. Given it’s cooldown, it’s not worth it to use it to try figuring out Blackhat identities.
If you’re supposed to hack a server node, alongside others, it’s usually a good call to use Probe Node, as it makes the target permanently easier to hack (including rehacking after a rollback).
If you’re on your own, or targeting a laptop node, it’s likely more efficient to simply hack it yourself, given that you DO have a good hacking skill.
Not much to do, really. If somebody claims ISP Block, do the obligatory Review, but otherwise maybe throw out one of your two Cover Your Tracks for good measure… that’s about it.
CLASS – NetSec – Social Engineer
Gets frequently lynched for ‘he claimed socialpath!’, better abbreviation: ‘Engi’
The Transporter of Untrusted. The Master Troll. Coincidentally, also a very powerful class if it plays it’s cards at the right moment.
Your Impersonate works as following: You select a target to spoof at DAY. In the following NIGHT ANY emails you send will have the spoofed identity as sender, thus hiding your true identity. Additionally, anyone who directly replies to the spoofed E-Mail will write their answer to you, not the spoofed identity (needs confirmation).
This is the perfect tool to sow confusion, but as NetSec, confusion hinders your own team the most, therefore you should only use this tool to very specifically confuse a small subset of players you actively consider suspect, or to relay intel you have anonymously. (For the latter, it’s highly recommended to put something like "This is spoofed, I’m Engi" into the subject… and even then you can’t be sure the receiver won’t think it was actually your spoof target sending the mail.)
Your Doxx and Stalk is the most powerful Investigative ability in the game, only rivalled by the Agent Leaders equivalent (since that one doesn’t require a visit). It lets you instantly determine whether a target is NetSec, Neutral or Agent. Though it does come with limitations:
- the AL will show up as NetSec during the first 3 NIGHTs
- anyone framed by a Bounty Hunter will show up as NetSec
- even those you identified as NetSec could be turned mole at a later NIGHT
Take note of it’s massive 4 day cooldown (longest cooldown in the game), meaning you will have to survive to N5 to even be able to use it twice (assuming you use it N1).
Misdirection allows you to effectively protect yourself from both Arrests and Conversions… and also Investigative abilities of any kind. (Though it’s a dead giveaway that you’re either a Social Engineer or Spearphisher for anyone targeting you.)
And if Misdirection is out, you can deflect anyone targeting you for the NIGHT to instead target someone of your choice. Be wary, as this might cause the arrest of a more valuable NetSec, might cause you to get lynched (think: redirecting a fellow Engi’s Doxx to an Agent), and will do exactly nothing if the person you redirect to is the guy trying to murder you.
Your general playbook:
Hack targets as assigned, preferably laptops, since your hacking skill is low.
It will be rare for you to use your limited-charges Impersonate instead.
You usually want to DOXX at N1. The long cooldown means that’s the most reliable way to actually use both charges, and finding a Neutral / Field Agent early is usually worth the risk of accidentally labelling the AL as NetSec.
Otherwise, you have to consider whether you are enough of a target to use one of your two self-protection abilities… but given you have 4 charges, you can be pretty liberal/paranoid about using them.
CLASS – NetSec – Blackhat
‘BH’ leads to confusion with that far less NetSec-y guy, so ‘Hat’ might be more apt
A class that is both deceptively simple, but as well one of NetSec’s most powerful assets… and rightfully often considered to be 2nd in priority only to OP (who Blackhats tend to be handed Root from, given that Blackhats are immune to conversion).
Consider reading up on the above section on DDOS, as you are NetSec’s main source of this critical ability.
Beyond that, your abilities are straight forward. Note that you will tend to hog the SEIZED claims from most nodes. If you don’t get a SEIZE on a hack, but the target was hacked, it’s not implausible to assume that the other Blackhat did it.
Your general playbook:
If you got reason to expect a Rollback, don’t hesitate to DDOS a pwned node. Twice in a row, if necessary.
Otherwise, you usually want to be hacking.
Exploit Vulnerability is wasted on laptops, since you can usually take them with a single hack anyways. It might be worth it on a server node in the latter half of the game, if you suspect that a lot of other hack-support abilities have been taken out.
Midnight Meeting or not, that is the question. Be mindful that you don’t want non-NetSec to know that you’re a Blackhat (one of the two NetSec classes able to Midnight), and that you got a 2 day cooldown on it. Blocking a potential Agent at night can be a valid play if you got reasonable suspicion.
Don’t concern over defaulting to doing nothing at NIGHT. Your job is to shine at DAY.
CLASS – NetSec – Spearphisher
Aka ‘Spear’. Don’t try typing the full class (outside of your own log), Spearpishers have been lynched for that typo before.
A somewhat convoluted class, despite it’s technically simple skillset.
Your Spearphishing is an infinite charges ability, despite the somewhat misleading tooltip: Once you prep it, you can execute it, and once you executed it, you can prep it again. This does mean you can effectively spamcycle prep and execution each NIGHT/DAY, making nodes (or the same node, multiple times!) easier to hack. Usually a waste on laptops, but great on any servers.
Note that your Download Intel has a 100% success rate… just that only a few nodes (1-3?) contain valuable intel to begin with. So don’t waste time mining the same node over and over, but simply cover as many as possible. This isn’t a maximum priority though, since even finding intel is not necessarily that powerful.
Be aware that the Analysts Log Analysis and your Download Intel leave access logs on the already hacked node and, past Rollback and DDOS, are the only skills to do so. Anyone paying attention to ‘past DAY’s nodes’ will spot that you’re a Spearphisher/Analyst. And the ones that do pay attention are usually the Agents.
The amusing part is that, as Spearphisher, you both want to draw attention, and want to avoid being converted. Spearphisher is the only class that, upon being converted, becomes an Offense Mole, which again is the only way for the Agents to gain access to a second Rollback… which can be devastating.
On the other hand, you got two NIGHTS in which you can protect yourself from exactly that Conversion… so trying to draw attention away from Analysts (the only other class that will, like you, snoop around on already pwned nodes) to avoid them getting arrested is kinda your shtick.
Your general playbook:
Mine for intel, or execute your Spearphishing against a server node of your choice.
Only hack if there’s nothing else to do (such as D1).
Your go-to is to prep your Spearphishing if it’s not already done, otherwise consider whether you have enough attention on yourself to justify spending one of your scarce two Misdirection charges.
CLASS – NetSpec (Switch) – Improvised Hacker
Doesn’t really has an abbreviation, because if you switched to this class, you either wanted to see what the fancy red button does, or NetSec is in BIG trouble…
Becoming an Improvised Hacker
is already a pretty niche decision, that can only be taken by Field Ops NetSec (CCTV, Enforcer, Inside Man) after N3 is over, as a DAY action.
There’s very little reason to ever do that, because literally everyone else (on your team) can do the hacking better than you do now. The only conceiveable reason to switch is if, for some obscure reason,
- you lost several high-skill hack classes (Blackhat, OP, Engi, Net) early
- AND you still have a chance of winning by hack (usually because an Agent got taken out early
Even if the first condition is true, the most reasonable play is still to simply double down and lynch everyone whilst keeping your original classes, instead of switching classes and suddenly becoming a lynch target because you cannot confirm yourself anymore.
There’s technically the niche case that losing Spearphisers and Analysts early on leaves you with noone to data mine… but I would be hard-pressed to conclude that Data Mining is worth giving up a different class for. Except, maybe Inside Man (who, at least, has a legit synergy by being able to first figure out where intel is in first place).
Your abilities are straight forward, and come from other classes: Download Intel is equivalent to Analyst/Spearphishers one, Dumpster Dive comes from the Inside Man, Move Hideout is the same as OPs.
Beyond the loss of your original class’s abilities, and confusing everyone with the complete shift in your logs,
the biggest risk of your new class is that you are now an offensive NetSec class without conversion protection. The Spearphisher is the #1 on the wishlist of ‘targets to convert into moles’… and the only reason you aren’t above Spear, is because you shouldn’t be in a game to begin with. But IF the AL strikes you deal, probably thinking you are a different class… they just hit jackpot and get a new Rollback.
Your general playbook:
If you became Improv because your team lacks hackers, hack. Otherwise, data mining is more likely to help your team.
Dive ALL the Dumpsters. Repeatedly. With passion.
You only get to Move Hideout once, anyways, so make that one count.
You have no excuse to ever not do something at NIGHT.
INTERMEZZO I: (Fake) Claiming a Class
Thrown in here, because if you ignored my initial advice and read this guide from top to bottom, now’s the perfect time to explain it.
As explained, lieing (publicly) in this game is generally detrimental to NetSec due to their innate information disadvantage. (Lying to individuals specifically less so, but still risky.)
Therefore, a sound and basic strategy for new players (that got a NetSec) role, is to NOT lie, EVER. Be aware though, that there is a difference between ‘lieing’ and ‘remaining silent’: As newbie NetSec, avoid lieing at all costs… but please don’t simply reveal everything you know (such as your class, or other valuable identities) in public, either. There’s a reason the OP (most valuable NetSec) gets a anonymous broadcast tool, and that reason is NOT to go "Hi, I’m Dr. [insert OP’s color here]".
HOWEVER the opposite applies to any non-NetSec. Since ‘everyone is NetSec’ at the beginning of the game (and NetSec always has the majority in votes), proclaiming (or logging as) you are a class that is an enemy of NetSec is pretty much guarantueed to get you lynched.
Therefore (excluding advanced mind games that I will not cover at this point) you should never claim to be anything but
- any of the actual NetSec roles (detailled above)
- Journalist or Scriptkiddie (two neutral roles detailled below)
Reason being that
- Agent Leader, Field Agent , (Any) Mole and Runaway Snitch are obvious enemies to NetSec
- the ‘Neutral’ Bounty Hunter and Rival Hacker are direct enemies to NetSec
- the ‘Neutral’ Sociopath and Resentful Criminal both want to kill the OP (aka, NetSec) and therefore are hostile towards NetSec
Therefore, if you are not a NetSec, you have a very real interest in pretending to be one. That’s ‘claiming’. Note that this doesn’t mean you should loudly proclaim to be some fancy role in public D1.
Just that you should keep a log that perfectly imitates what your claimed role would be doing, ideally as close to your actual role’s activities as possible:
- If you’re claiming a hacking class, log Hack Target entries whilst using a Fake Hack ability.
- If you’re claiming a class that has some visiting ability (Midnight Meeting or investigative), log that you have been doing that whenever you use a NIGHT visit on someone. (Though be wary here that it’s very sus to be a Blackhat that just so happens to visit everyone who got arrested on those NIGHTs. Likewise you may not have the correct answers the claimed role would have gotten (and have to guess and hope it’s correct), or there can be other mismatches.
- Therefore, try to skirt the lines with writing hard-to-disprove lies: When AL, and rolling back one server, log that you have been dutifully hacking something on the front that regrettably was interrupted by the rollback. If you got to Fake Logs as FA, log a Hack Target, but note that you were ISP Blocked (therefore, no log on target node).
- The more ‘truthful’ and accurate your log, the less likely someone will doubt it. The more discrepancies in it, the higher the chance that someone involved in the discrepancies might spot it and call you out.
- In all instances, account for cooldowns, charges and what would be a likely action for the class that day: I.e. a Spearphisher will not prepare for 3 NIGHTS without ever executing. Nor can a Blackhat Mightnight Meet 4 NIGHTS in a row. And a class that logs doing ‘nothing’ when there is something it should be doing, is highly suspicious as well.
If suspicion ever falls on you, and you’re asked for logs, you can now easily provide them. And if there is no (obvious) discrepancy in your log, chances aren’t bad that people will move on to a different target of suspicion (maybe even the accuser), buying you a day or two.
The tricky part is that most Neutrals and Agents do not actually have the exact tools to perfectly fake a class. I.e. the AL cannot always hack. The FA cannot hack if he is blocking someone’s ISP. And both of the Agents need to do a lot of nightly visits that may not match up with the class they’re trying to claim. Most Neutrals and Agents do get some sort of ‘fake hack’ ability that does nothing but create logs on a server but which is sufficient to reasonably fake a number of hacking (therefore: most netsec) classes. So you will rarely be able to create a ‘perfect’ or bulletproof log (unless you actively missplay your real role for the sake of perfect cover… which is possible, albeit risky, because the game is closely balanced and not doing something for a night or two as Agents can lose you the game).
I’ll append ‘good/easy claim strategies’ to the individual Neutral and Agent class descriptions.
CLASS – Neutral (Benign) – Journalist
aka: ‘I just wanted a scoooopHURGH’
Journalist is one of the ‘Benign’ Neutral classes and in a really weird spot, because on one hand, she holds a Rollback (one of, if not the most powerful Agent-sided ability), on the other hand, she is both Arrest and Conversion immune and therefore Agents legitimately cannot touch her. Only Enforcers, Runaway Snitch, Neutrals or a lynch can remove her from the game.
Bonus round: If somebody attempts to arrest a Journalist, the Journalist will know the identity of the attacker.
So, the question is as to whether NetSec trusts her enough not to screw them over (at which case she is an asset in that she can block every NIGHT AND sniff out faction identities), or would rather lynch her right away (and lose both the risk and the reward).
This puts Journalist into the unique position that they can claim their class openly, from D1… and might actually be allowed to live.
However, they still need to scoop people, and then write articles, which, base level, takes 6 NIGHTs, assuming each scoop hits. If a scoop misses, she can recover by using her rollback next DAY… at the risk of angering NetSec (though if there’s an unimportant side node, that’s a good target for the Rollback without angering NetSec). Another failsafe is the ability to reveal the OP, which only takes one NIGHT, and gives an instant scoop… but again, this is likely to piss off NetSec, and you need to figure out OP first.
And then there’s the issue that randomly scooping people might upset those people as well, since it blocks their actions.
The Journalist is a powerful ally, and an even more fearsome enemy.
Your general playbook
Only use the Unskilled Attack if you’re trying to claim a NetSec hacking role. (Otherwise you might get lynched over screwing with logs.)
Only use the Rollback if you truly need the scoop, or NetSec is progressing too fast (since you need 5 NIGHTs absolute minimum), and prepare to be lynched in retaliation if your class is known.
If you have a unprocessed Scoop, Write Article. You never know when you will be occupied, so it’s best not to put this off.
Otherwise Get Scoop until you have a Scoop.
Expose OP is a very specific ability you want to only use against a known Sociopath OP, or with the OP’s approval. Or if you’re feeling lucky, punk.
As mentioned, simply claiming Journalist is a fairly legitimate move.
But since you’re Arrest and Convert immune, you could as well claim any high-risk hacking class (since you can fake hack), generate some logs, Midnight some people, draw an arrest and then sell out Agents/Neutrals to NetSec at your own leisure. NetSec might forgive you for the fake if you successfully sell them a FA. Or go all in, claim you’re Engi/Analyst and deliver the FA (after a failed arrest) as proof of your class.
CLASS – Neutral (Benign) – Script Kiddie
aka: SK (not the stabby kind), wannabee Greenhat
This class is technically simple to play, but still people get it wrong:
Your job is to survive. Your only relevant ability (DDOS) can hinder NetSec or Agents. If you hinder NetSec, you’ll be cought in the crossfire and arrested at random (or lynched). If you hinder Agents, they will want to arrest you, and you have no protection against that, only against conversions.
So the only real move is to either play perfectly neutral and do nothing the whole game (and hope that Agents have a more worthwhile target every NIGHT), or to actively claim a NetSec role and then just blend in for a while, and maybe reveal after you dodged a bullet with your Hideout and pray NetSec will protect you from then on.
The worst move you can do, is to DDOS the entry servers D1. Because at that point, if you are ever found out as SK, you will just be straight up lynched.
That’s all there is to this class, what did you expect with 3 skills?
Your general playbook:
Don’t wait with the fake hacks, just throw them out early. If you survive 5 days, you’re probably in the clear, because both sides will just murder each other.
When you are not faking hacks, use the DDOS. Benign, if you want to fake Blackhat, malicious, if you predict NetSec is out of time. Note that even timed out NetSec will be quite happy to lynch you for ruining their game though.
You literally only have one ability you can use once. Make it count.
Best used after you launch a benign DDOS that left your identity as ‘Blackhat’ exposed.
The ideal claim is Blackhat, since you can both fake hacks/exploits and launch real DDOS. However, you can’t visit, and either Analyst or Engi can figure you out easily, no way to work around that. Additionally, public Blackhats draw Agent attention, which is the opposite of what you want.
Beyond that, you could possible claim Inside Man, but then any benign DDOS (and at some point even a malicious one) will expose you.
Everything else would be heavy improv.
CLASS – Neutral (Hostile) – Bounty Hunter
The envy of Blackhats everywhere, because he nabbed the abbreviation BH
So, the obvious part first: You’re essentially an Agent without access to their comms, and enjoy immunity against arrests (only shared with the Journalist), so your only concern is being found out by NetSec.
If you denounce a target during the DAY, the Agents get a Event Log message about your tip. Problem is: BH’s like to spam out tips on random people in the hopes of earning bounties, and CCTV can send out (fake) denounces, too. You can easily earn bounties by denouncing ‘obvious’ targets like publicly confirmed NetSec though, albeit this will definitely cause *rolleyes* on the Agent channel.
Your main goal is to identify low-profile NetSec members and selectively rat those out (or even straight up arrest them). It’s not a bad move to wait until you got actual intel, and then both denounce and citizen arrest that person in the same DAY/NIGHT. Even if Agents did not act, you have proven to them that you exist (valuable intel to them) and that you actually know what you’re doing.
The main toal for that is your Doxx and Stalk, the same super-powerful investigative abiltiy the Social Engineer has. Only the long cooldown is a problem, so make sure to as well keep an eye out for other indicators of NetSec activity.
Be advised that Frame, despite it’s name, doesn’t actually mark people as ‘evil to be lynched’… but rather the opposite, since it ‘frames’ them as NetSec.
- If used against an Agent, you will be notified that you found an Agent (which is great, since you can then contact them and start cooperating).
- If you target a Neutral, they will now appear as a NetSec upon investigation (of any kind) & death reveal (and grant bounties). You kinda screw over Benign Neutrals (who can then be arrested) and Agents (as they waste time arresting Neutrals) this way, but it’s unlikely they will find out.
- If you target a NetSec, they will remain NetSec but the class displayed upon death will change. Which is a dead giveaway that they have been framed (if their role was confirmed before), but can serve for hilarious confusion and mislead those that don’t check logs and just throw quick glances at the player list.
Note that your Citizen’s Arrest is a pretty safe move by itself… but that a lot of arrests (especially on the same day) will start throwing up the suspicion that there’s a BH. And there’s only so much Planned Raids and Stings can do.
Your general playbook:
If you’re claiming a non-hack class, Spill the Beans. Probably always, even if that makes you less trustworthy.
If you’re claiming a hack class, stick to using your Unskilled Attack to create covering logs, and use Spill the Beans selectively once you got a lead worth risking the hole in your cover.
As with Social Engineer, Doxx is best used early because of it’s long cooldown.
Beyond that, you can either try arresting targets you identified as NetSec, or otherwise just throw Frames at people, followed by Denounce or a Citizen Arrest (keep in mind: Framed Neutrals give you bounties anyways). Just be wary that all of those log a visit… and most legit classes can’t visit every night.
Plant Fake Information is your dull ‘I got nothing else to do’ card. It doesn’t leave a trace though, and can slightly hinder NetSec.
Bounty Hunter doesn’t get any good free claims.
Enforcer and CCTV are out, Inside Man is doable (but be wary of being seen visiting too often). Otherwise, you can claim a hack class with your Fake Hacks.. and most hack classes have visit abilities… except that you can’t Midnight Meet. Social Engineer is a semi-do-able claim, unless somebody challenges you to spoof them.
Pick a story, stick to it, and be as physically uninteresting as possible, whilst trying to figure out the Agents to ally with them (they will then help you maintain cover, maybe).
CLASS – Neutral (Hostile) – Rival Hacker
aka: ‘RH’, tends to quit NIGHT 0
Rival Hacker is a somewhat difficult role, because you’re very actively racing against time to figure out the Agents, before they end up arresting you either by coincidence, or because they (not incorrectly) tag you as a legitimate hacking class.
However, you’re compensated for that with two distinct and powerful abilities:
Wiretap allows you to monitor another operators mails for one DAY and NIGHT (not Agent ASC though), which might gleam you amazing levels of intel, if you pick the right person.
Wipe is a game changer, because wiping a server that has just been rollbacked destroys all evidence as to who the AL is, and additionally raises a red flag that a Rival Hacker is in the game. Which is actually good, because you WANT Agents to be more careful with their arrests.
Alternatively, you can try to signal Agents by using your Alter Logs ability right away, since, at game start, only you and Field Agent have it. Thus, if on N1 access logs for a just hacked node are already altered, the Field Agent will know it has been a Rival Hacker (unless they happened to do the same, or are blind), whereas NetSec will likely suspect it was the Field Agent.
Additionally, you get Doxx, but you’ll usually only end up finding an occasional Neutral that way… primarily use it to gain the trust of NetSec, or to solify your claim.
Given that you have a fairly solid hacking skill, you might want to actively avoid hacking forward nodes (as you would be helping NetSec a lot), and either find excuses to target off-path nodes, or just not hack whatsoever and claim a not-hacking role (albeit this will put you at risk of an Analyst calling you out).
Your general playbook:
Decide as to whether you want to signal the Field Agent by using Alter Logs, otherwise your time is best spent using Hack Target to build your cover.
If a node was rollback’d, Wipe it right away. This is a big blow to NetSec and secures you the Agent’s favor.
Otherwise, stick to using Doxx and Wiretap (probably Doxx first, as it has a longer cooldown and Wiretap needs you to predict a intel-mailing target) when they’re available, whilst accounting for the visists this will generate.
Since you can legitimately hack, any hacking classes can work as a claim.
A fairly solid bet is Engi, since you can actually Doxx (and even imitate a Doxx with Wiretap), just be wary that you cannot Impersonate (albeit that’s rarely called for).
Alternatively, you can go for the risk haul and claim Blackhat after seizing a node or two… but your lack of DDOS and Midnight Meeting are relevant vulnerabilities (and you definitely don’t want Agents to tag you as Blackhat before you allied with them).
CLASS – Neutral (Chaotic) – Resentful Criminal
aka: Criminal, occasionally RC
For when having one side of the conflict as enemy isn’t enough.
Note that your win condition is fairly specific:
- the Agent Leader (regardless of whether he goes Field Agent or not) must be killed
- the Operation Leader must be killed OR arrested (root is entirerly irrelevant)
- and you must survive (but being arrested is fine(confirmation needed))
Technically, this puts you more at odds with the Agents, than NetSec, because they will be far more annoyed over a dead AL, and can far easier remove you with a nightly arrest… and will probably do that at random anyways. And as well, OP might just get arrested anyways, solving that part of the equation.
However, you are still an uncertainity factor that will likely start murdering people at random come N4… and that tends to hit NetSec more often than not, so you might end up lynched. Heck, you might even end up lynched by ‘NetSec’ Agents and Moles, who want to protect their AL.
Your skillset is extraordinary though: You can spoof E-Mails like the Engi, you can watch people with Looking for an old friend (which is, except for it’s result, indistinguishable from an Engi’s Doxx), and you got the Enforcers Interrogate and Disorganized Murder skills.
Try to gather as much information as possible, hope that the OP bites it early, and then simply track down the AL together with NetSec. Inversely, if the AL dies early (which might be tough to figure out, due to his 3 days of diguise even applying in death), you’re best advised to try allying with the remaining Agents.
Don’t hesitate to use the combination of interrogated intel and spoofing to force yourself into networks of trust.
Your general playbook:
If you intend to claim a hack class, make liberal use of the Unskilled Attack. Otherwise, it’s perfectly fine to do nothing.
Alternatively, feel free to use the Impersonate to sow distrust, but be wary that being too obvious will give away that there’s a RC.
Disorganized Murder only becomes available at N4, but from then is a good tool to start taking things into your own hands. Also makes the game shorter, which helps you survive.
Looking for an old friend has unlimited uses, but a 3 day cooldown, so it could be prudent to spam it whenever available. Prioritize silent hacking operators (likely to be OP) and even if you don’t find anything, use it to fake Doxx visists.
If not using either above, make liberal use of your 3 charges of Interrogate, but keep in mind that any logs retrieved could be fake. Target seemingly competent players for maximum effect.
Your bread & butter are either Social Engineer or Enforcer claims.
If you can correctly guess Doxx results (which isn”t too hard, as in most cases it would be ‘NetSec’), there’s little that will disprove an Engi (outside of being murdered, as you lack Engi’s stack of defense abilities). Only Analyst/Engi can sniff you out actively.
Otherwise, you can mime a semi-convincing Enforcer, in that this protects you from Analyst, but you lack the ability to actually escort people, which is kinda Enforcers job to begin with.
Beyond that Inside Man is a kind-of-open claim, and you might get away with regular hacking class claims, if the people you visit don’t call out your visits as non-blocking.
CLASS – Neutral (Chaotic) – Sociopath
aka: ‘Socio’, occasionally ‘No I cannot spoof mails’
The looney of the setting, albeit with a certain bit of Hannibal Lecter to it:
You don’t just cause chaos, you orchestrate it. Your goal is self-explanatory, but getting there actually gives you a bit leeway
- You can be granted root by OP. But you have little tools to gain OP’s trust to begin with.
- You can crack root on the day after OP’s death. But only if OP did not pass off root (which usually only occurs with newbie OPs, or if root passes to a new OP, who then gets arrested next).
- You can snipe the OP directly, killing them and forcibly seizing root… if you figured out the OPs identity yourself.
The big warning note: It’s almost always painfully obvious if a Socio becomes OP. Except for when you’re legitimately granted root by a now-arrested OP, a new OP showing up after the old one was Murdered at night tends to raise eyebrows, and if he had granted root before, the person who received root, but didn’t become OP, will probably call you out. Additionally, OP’s ALWAYS announce if root has passed to them, so if OP is arrested at NIGHT, but you need the DAY to actually crack root, that is one DAY of silence… and suddenly speaking up at NIGHT will, again, cause people to correctly suspect Socio involvement.
That said, people knowing you’re a Socio OP is not all that bad. I mean, it is kind of bad if you murdered the OP to get there… but past that NetSec has little reason to lynch you unless you actively (and openly) sabotage them. Bonus point: Agents have little means to remove you by lynch for that same reason.
Consequently, you can now simply play a legitimately NetSec-aligned SociOP, do your job, and consequently force the Agents to arrest you because you’re actively helping NetSec just as a real OP would do… which clears your win condition.
As to whether you reveal your identity after becoming OP, depends on whether you have to expect a retalitory lynch, and on personal preference.
Note that your Frame ability works the same as the Bounty Hunters:
- If used against an Agent, you will be notified that you found an Agent.
- If you target a Neutral, they will now appear as a NetSec upon investigation (of any kind) & death reveal. This doesn’t really help you and only screws over Neutrals.
- If you target a NetSec, they will remain NetSec but the class displayed upon death will change. Which is a dead giveaway that they have been framed (if their role was confirmed before), but can serve for hilarious confusion and mislead those that don’t check logs and just throw quick glances at the player list. There’s the off chance that the OP didn’t keep a log, so framing them might hide that the OP was murderded, allowing you to actually take over root silently.
Your general playbook:
Whenever OP dies, and no new covert broadcasts are sent, use Crack Credentials right away to seize that sweet sweet root.
Otherwise: Hack. Unless you insist on claiming a non-hacker class, you have a legit hacking skill and it’s your best cover.
If you know who OP is, and they’re unlikely to be protected by Enforcers, Murder them, there’s little reason not to (unless your identity is known to NetSec and you expect retaliation lynch).
Otherwise, you probably want to use Follow or Frame to gather intel (the latter to sniff out Agents), or to take the slow approach and Frame your known OP to obscure their class for a silent takeover.
Note that claiming Socio should get you lynched by NetSec, because you’re both threatening OP, and might give Agents a second STING charge.
However, with your legitimate Hack Target skill, you can fairly efficiently claim any one NetSec hacking class… just be wary that your NIGHT Abilities are either silent (Frame)(confirmation needed) or ‘Watch’ (Follow), thus you can’t fake Midnight Meeting. Engi is a do-able claim, maybe Spear if you want to gamble that nobody sees you visiting.
INTERMEZZO IIa – Neutral Diplomacy (Explanation & Benign)
And for another intermezzo, this time conveniently placed after you have browsed through both NetSec and Neutral classes.
There’s a lot positive to be said about Untrusted for making the Neutral classes, mostly, interesting and offering them several ways to play. However, even then some classes tend to lean into one direction far more than others, and I’ve therefore (inofficially) labelled them as such:
- BENIGN Neutrals (Journalist / Scriptkiddie) can screw over NetSec, but are usually a limited threat to them, whilst being more dangerous for Agents. This is why it’s possible to survive by using either class as a (fake) claim without being lynched right away.
- HOSTILE Neutrals (Bounty Hunter / Rival Hacker) are by definition of their goals allied to the Agents, and usually treated with according hostility.
- CHAOTIC Neutrals (Resentful Criminal / Sociopath) have goals that put them at odds with both NetSec and Agents, but in oddly specific ways that do not exclude them allying with either side. They’re likely to be lynched if they get uncovered under the wrong conditions.
Therefore, I dedicate this section to the Neutrals, and how interacting with them (aka Neutral Diplomacy) is to be considered for both NetSec and Agents respectively.
Which, of course, requires you to have already identified a Neutral, either in public,or private.
- + She is Conversion and Arrest Immune, and therefore has zero reason to be afraid of Agents. An ‘immune’ NetSec-aligned class is a powerful asset.
- + She can infinitely scoop each night, completely locking down a discovered Agent if she wishes to.
- + Her scooping can sniff out Neutrals.
- + There’s no reason for her to work against NetSec, as long as NetSec agrees not to close out the game before her 3 articles are finished. OP can easily give her a free article by agreeing to a live interview on NIGHTly TV.
- + If the Journalists agrees to waste her Rollback on a irrelevant node, she becomes a non-threat to NetSec entirely.
- – NetSec can win a game quickly (by removing an Agent early, or rushing through the topology), whilst Agent victories always take long… thus it’s the Journalists interest to delay a too-successfull NetSec.
- – There’s no guarantuee the Journalist might not suddenly side with Agents in the lategame and Rollback NetSec into an assured loss at the last possible moment.
- – There’s no way to dissuade a Journalist from constantly scooping people… which is more likely than not to block NetSec NIGHT actions.
- – If the Journalist gets blocked at NIGHT, preventing her from writing her articles, her time window becomes more narrow and this might push her to hinder NetSec to regain lost time.
- + Gaining access to a second rollback would be a game changer. Note that it’s even possible to force the Journalist into using her rollback by simply letting NetSec push ahead quickly (at the risk of losing the game if the Journalist fails, or there is none).
- + Since removing all NetSec takes long, usually Agents victories come from long games… which aligns with the Journalists interests.
- – You have no way, whatsoever, to coerce the Journalist into allying with you, as you can neither arrest, nor convert her, and trying to get her lynched might draw suspicion (until you can pass it off as ‘afraid of rollback’.
- – If intending to claim a Neutral role (SK/Journalist), the Journalist might blow your cover.
- – Accidentally stumbling (or being redirected) into the Journalist with a random arrest will divulge the Field Agent’s identity to the Journalist… essentially giving her a very potent blackmail argument
In sum: Journalist is a very potent and, more importantly, invulnerable threat to Agents. If NetSec makes some concessions (not hacking too fast, giving up a node to rollback, revealing OP identity), there’s no reason (but malice) for the Journalist to refuse siding with NetSec.
- + SK has access to DDOS, which can be invaluable to protect nodes from Rollback whilst Blackhats can concentrate on hacking (or after the latter has been arrested).
- + There’s pretty much nothing the SK can do against NetSec beyond throwing a malicious DDOS that will result in his own lynching.
- + SK’s Scriptkiddie Attack only has 3 charges, and he has no notable NIGHT abiltiies, making him somewhat ineffective in hiding his class (or sowing confusion with fake claims)
- + Whilst giving the Agents random intel with Unsecured Device is bad, having a public SK around is great, as it gives the Agents an easy arrest target. Not having NetSec arrested for a NIGHT is always a plus.
- – With the lack of immunity, it’s not infeasible that a SK can be blackmailed by Agents once they figure out his identity, forcing him to use his DDOS maliciously.
- – If lategame rolls around and NetSec is close to losing majority, SK is likely to be the first to switch sides to avoid being arrested.
- – The SK’s Unsecured Access can give the Agents intel when arrested, so just lynching him might be a wise move.
- – Once the DDOS are used up (or if the Rollback already went through), SK can contribute little to NetSec… and he knows this, and might be very reluctant to actually use up all his leverage (aka, both DDOS charges).
- + SK can easily be intimidated, on the sole basis that they have very little protection, can’t make friends (due to a lack of intel gathering NIGHT abilities) and are likely to be abandoned by NetSec anyways.
- + Having a SK survive into late-game is an almost assured vote in favor of Agents.
- + There really isn’t much the SK can actually do to support NetSec, especially if you got your Rollback past potential DDOS already. Also note that your Field Agent can ISP Block a revealed SK to deny the DDOS (and potentially get the SK lynched) anyways.
- – Arresting the SK will give you (occasionally) useful intel on NetSec, so it can be worth it to nab a NetSec-aligned SK when you got no better target.
- – There is no guarantuee a SK will actually accept blackmail (or a honest alliance), and Mutually Assured Loss isn’t exactly a fun way to go out.
In Sum: Both sides should frequently re-examine whether the SK is still enough of a benefit to them and whether that benefit justifies the risk associated with him.
INTERMEZZO IIb – Neutral Diplomacy (Hostile)
- + Being immune to both conversion and arrest would make a BH a great NetSec ally.
- + If a BH already has his three bounties… he doesn’t have a reason to work with Agents any further and may be willing to side with NetSec to avoid getting lynched.
- – Usually, when BH obtains three bounties, that menas that > 3 people have been arrested, most likely a lot of NetSec, which means that to not get lynched, BH will side with the now non-NetSec majority anyways.
- – BH has no abilities that are useful to NetSec, beyond maybe being able to Frame-Arrest Neutrals.
- – BH actively wants to arrest NetSec members.
- – BH cannot even succed in his goal without Agent arrests (as his Citizen’s Arrest only has two charges).
- + You cannot act against the BH on your own, as he is both Arrest and Conversion Immune.
- + BH profits from having NetSec (or framed Neutrals) arrested… so his interests are innately aligned with yours.
- + BH can aid you in gathering intel on NetSec, and communicate that intel somewhat effectively even without knowing your identity
- – When found out by NetSec, a BH can be quite willing to sell out your identity (if you have revealed yourself) to save himself from a lynch, especially since you have no means of retaliating against him.
- – Even if above deal fails, BH might still sell you out in malice or incompetence.
- – BH might bail on your alliance if they obtain their three bounties.
In Sum: Bounty Hunters are fairly obvios and ‘forced’ allies to Agents… but only at the beginning of the game. It’s risky for them to try switching sides, but not entirely impossible, and accordingly Agents if have tread carefully when dealing with them.
- + When found out, you might be able to talk the RH into giving up Agent identities in exchange for not being lynched.
- – RH has no abilities (beyond above) that would be of any use to NetSec)
- – RH’s objective is, quite literally, to stop NetSec from winning.
- + His objective almost perfectly matches with yours, making you natural allies.
- + The Wipe ability is the most powerful combo piece to pair with Agent Leader’s Rollback… and he can easily use it the NIGHT after the Rollback, even without prior coordination.
- + You can technically arrest him at any time, given you bonus pressure on coercing him into doing exactly what you want… including things that might end up having him be lynched.
- o You’re not unlikely to accidentally arrest a RH if you don’t find out his identity.
- – Be wary of a Rival Hacker selling you out as a Last Measure, as they cannot ever win when lynched (even if NetSec loses).
- – Though oddly specific: The Rival Hacker can win whilst you lose: In the unlikely event of a draw (time out, but original OP still alive). Thus they will aid you in preventing NetSec’s hack, but have no incentive to actually take out the original OP.
In Sum: Rival Hackers are per definition allies of the Agents… but they’re not perfectly reliable allies, both because they might end up being targeted by Agents unknowingly, and because exposing yourself to a Rival Hacker might lead to a sell-out. But for NetSec, they’re an obvious enemy and lynch.
INTERMEZZO IIc – Neutral Diplomacy (Chaotic)
- + The RC can kill targets at NIGHT, and can take out any Agent either by accident or intentionally.
- + The RC must kill the AL to succeed, and will thus actively try to lynch the same guy you’re looking for.
- + If your OP is already dead/arrested, the RC has no reason to target NetSec further.
- + If threatened with a lynch, it’s not unfeasible to persuade a RC to become a murder tool for NetSec.
- – Random Disorganized Murders are more likely to hit NetSec than anything else.
- – RC has no tools beyond murder that actually benefit NetSec (since stealing logs can only find valuable information on legitimate NetSec to begin with).
- – The RC has the unique ability to identify the OP through a nightly visit alone, and the objective to remove that highly valuable member of NetSec.
- – The RC can be arrested, and can therefore be threatened by Agents into siding with them. And an alliance is not inherently impossible, since the AL can promise to give up his life once Agents secured an Agent victory.
- – Killing the Agent Leader early on (yey), will make RC redouble his focus on taking out NetSec (ney), and makes all remaining Agents natural (if temporal) allies.
- + The RC can sniff out the OP for you, and even murder him if your FA is busy.
- + The RC’s Interrogate can retrieve valuable private NetSec information… if you can get him to share.
- + If your AL is dead, he got no reason to target you, but you have the option of arresting him if he doesn’t cooperate.
- – If your AL is alive, this guy is your stern enemy. Unless you can reasonably persuade him that AL will sacrifice himself later.
- – Trusting a RC can be dangerous, as they can take out Agents known to them at NIGHT… and even claim it was an Enforcer.
- – Whilst a RC doesn’t want to be arrested (randomly), they don’t want to be lynched either. So, if revealed, they might flip to NetSec. And are almost certain to sell you out if it benefits them.
In Sum: Resentful Criminal is a unreliable ally to either side, but as well can serve a ‘ecosystem balance’ factor, as he will ‘indirectly flip’ to become an ally of whatever side loses their leader first. Whatever you do, keep them on a short leash, and remember the name of the game.
- + Once OP, he specifically wants to be arrested by Agents and thus makes for a convenient distraction-for-a-NIGHT.
- + The best way to get arrested is to be a threat, therefore a SociOP is likely to act in favor of NetSec.
- + If your OP dies without passing root, the Socio is the only class that can reobtain root for NetSec… you just need to get him to pass root (to your side) once he becomes OP. Try threatening him with Enforcer protection.
- – If your OP is still alive, the Socio is probably your enemy.
- – If your OP is good (hard to find), the Socio might side with Agents to take out random people to Crack instead.
- – If found out in public, it might be better to lynch them, rather than risk Agents arresting them for a bonus Sting charge.
- – A Socio is not unlikely to ally with Agents to avoid being arrested before he obtains OP. And he might just pass root straight to an Agent upon his arranged arrest.
- + He wants to kill OP, and then be arrested, removing the OP again. That is in your favor.
- + If you are allied to a Socio, you an arrest them in the NIGHT after they Crack Root. Which means Root cannot be passed on to a NetSec.
- + A well-placed Murder will steal control over root from NetSec, even if it was previously granted.
- + Obtaining a Socio’s trust (honestly or otherwise), can net you root and an instant victory.
- – Once OP, you have zero leverage over Socio’s actions, as your only way of dealing with him is an arrest, which is his victory. Which leaves you little choice but arrest him as soon as possible.
- – If SociOP’s identity is known, it might be actually hard to arrest them past all the Enforcers swarming around the obvious bait, wasting precious NIGHTs.
- – Simply arresting a Socio before he obtains OP status nets your Field Agent a second charge of the powerful Sting ability. Well worth it.
There’s no real alliances once a Socio obtains root: He will want to be arrested, and Agents will want to arrest him, and it will be tough to prevent that as NetSec. Before that, however, he can become an unwilling ally to Agents, and can maybe be blackmailed by NetSec into granting root or risk being lynched instead of arrested. Whether you call that an ‘alliance’ is up to you.
CLASS DUO – Agent Leader & Field Agent
These classes always enter a game together, and always know each other from N0. Ideally, they will closely coordinate each others actions, thus it’s reasonable to explain in parallel.
These roles aren’t necessarily complex in their abilities… but the problem is that they’re balanced around having powerful ‘simple’ abilities, and their coordination. Means, if you don’t make the correct ‘simple’ decisions on where to use those abilities, or fail to coordinate with your partner-in-law-enforcerment, you’ll probably lose the game, because your side exactly only has you two to begin with.
Therefore, first things first: use the ASC channel liberally, and always inform your comrade what you will be doing at NIGHT. Also, if you perform anything special at DAY (you don’t need to tell them which IP specifically you fake hack, tho). And if you’re claiming a role (why wouldn’t you?!) it might be good to inform them which one, if just to avoid stacking up claims on the same role (4 Inside Man claims is akward). Don’t hesitate to throw each other "I escorted you N3" or other instructions to append to each others logs to make them more believeable. If one of you is found out early, you’re both toast anyways.
Right away, you will see which randomized DAY ability you have been granted. Announce it in the ASC, as it will have a major effect on your personal playstyle:
- Hack Target – If you get this one, you cannot be found out by Analyst, and actually gain a fairly high hacking skill, allowing you to seize (hopefully unimportant) nodes and to build trust with NetSec. Downside, you might end up actually helping them.
- Unskilled Attack – A default fake hack ability, equal to what the FA starts with. Less foolproof than the Hack Target, but at least this way you can liberally hack ‘as ordered’ without risk of actually helping NetSec.
- DDOS – A useful tool to aggressively delay NetSec, or to close out a timed victory, but at the expense of not being able to generate any access logs. Additionally, DDOS can be found out by Wire Shark, exposing you for an instant lynch.
Furthermore, (re)check the Event Log for your assigned cover class: Little-known feature, but you are actually told what NetSec class you have been disguised as. This cover will last until D4, meaning any Doxx (from Engis or Neutrals) will display you as NetSec.
Additionally, if you are lynched before that point in time, the player list will display your class as that disguise class. If you haven’t been 100% certainly identified as AL before the lynch, a well-faked log matching your cover class might persuade NetSec that they legitimately got the wrong guy, and start tearing each other apart over ‘false’ accusations, maybe buying your remaining 1-2 Agents enough time to still win the game. Consider it a parting gift, albeit a frequently useless one.
If your disguise class matches a class you can fake, you might want to do that. Or otherwise, at least write a convincing log for that class anyways, even if it does not match your actions. If you’re not forced to post logs before D4, you’re then still free to switch your claim to whatever fits best.
On your abilities:
Rollback is a ‘must have/use’ for most games, as otherwise NetSec will bust through to the target before you can arrest them. Check on the Rollback/DDOS section for a detailled insight on this skill.
Strike Deal is your NIGHTly key ability. It’s charges scale with player amount (1 for <= 12 players, 2 for > 12), and it comes with a notable cooldown. However, it as well is the only charge-based ability that does not deplete upon failure. So failing in your conversion (which only occurs on Neutrals, Operation Leader or Blackhat), is not the end of the world, just a lost NIGHT.
Note that converting a target takes place after the NIGHT ends, therefore their abilities will still be performed. The class of the converted mole is directly derived from his NetSec class before conversion:
- Converted NETSEC/Field-OP (CCTV Specialist, Enforcer, Inside Man)
- Converted NETSEC/Investigative (Analyst, Network Specialist, Social Engineer)
- Converted NETSEC/offensive (Spearphisher, Improvised Hacker)
Intelligence Informer has to be noted, for the fact that it is NOT a visit. Meaning it’s entirely untraceable, and the target does not receive any notification. This makes it a perfect ability to use during ‘logged nothing’ NIGHTs.
Your start is a bit less stressfull than the AL’s, since you don’t have any randomized shenanigans going on. However, you don’t have any cover identity, can be Doxx’d as Agent from D1, and will constantly be visiting people who then ‘coincidentally’ get arrested.
Given this somewhat risky role, it’s technically your responsibility to maintain contact with any Neutrals your team might discover and wants to ally with. Especially the Resentful Criminal shouldn’t be told your AL’s identity.
Your abilities at DAY are relatively mundane: Fake Logs can kinda throw off people (and doesn’t leave any trace of yourself, except for occasionally random fake logs… which you can denounce as such), but it’s not too useful (especially since it reveals that you have not ISP cut / fake hacked that DAY.
Unskilled Attack is your regular tool to fake a hack-capable class. But given that the use of either of your other DAY abilities will prevent you from leaving a log, it’s not unheard of to simply not use this whatsoever and stick to claiming a non-hack class.
ISP Isolation however is a crucial skill that comes with no cooldown, but only 3 charges. It allows you to freely, and without risk for yourself, block another operators DAY action, assuming it was an action targeting a node. You are the only class that has this ability, and in fact the only class that can interfere with another class’s DAY activity at all.
On the NIGHT side, you are the main weight of the Agents: You get several different flavors of arresting people (which is pretty much the equivalent of killing people in Mafia/Werewolf games).
Your Arrest is your default zero-conditions-attached go-to.
Sting is a more powerful arrest that will hit more targets. Note that an Enforcer visiting the target will still protect the target from arrest, whilst however being arrested himself.
Planned Raid pretends to escort a target, but schedules a (no-visit-from-you-that-night) arrest on them for the next NIGHT. Whilst this does sound like a great tool to pretend being an Enforcer PLANNED RAID DOES NOT OCCUPY TARGETS, whilst Escort does! This means, if you simply planraid a target, THEY WILL KNOW YOU DID EXACTLY THAT. Which might lead to them asking whether somebody knows who visited them that night, or for protection the next NIGHT (because, yes, an Enforcer can protect them from the incoming raid next NIGHT). The design intention here is that, to use Planned Raid, you need to coordinate with the AL for him to Midnight Meet the target at the same NIGHT. If the target is visited, escorted and occupied, they cannot discern whether it was the visit or the escort that occupied them.
(Alternatively, you can just use a blank Planned Raid and pray that the target just so happens to be occupied the same NIGHT, or be unaware of this caveeat… or maybe even organize with a different (NetSec) assistant to occupy a target that NIGHT.)
CLASS DUO – Agent Leader & Field Agent (General Playbook)
Because the previous section just wasn’t short enough to fit this in…
It’s difficult to provide a straight up playbook, because these two classes, like none other, have to costantly adapt to the situation, how arrests/conversions play out, and which Neutrals are present.
I’ll try to provide you a generic playbook for the starting phase though, and a set of common moves that might be helpful.
Both of you usually want to maintain your cover by use of your (fake) hacking skills (or not).
The FA will want to selectively use ISP Block, but keep in mind he only gets three charges… and it’s wise to save one up if you need to get past a Blackhat DDOS.
Keep in mind that, in most games, the AL must launch a successfull Rollback costing NetSec 2 days or they’ll likely reach their target server within the alloted time frame.
So, take a look at the topology, examine chokepoints, and determine which nodes are good targets, and which ones will be obvious (and therefore likely DDOS’d) targets. Since the Rollback risks leaving the AL exposed via logs, you want to Rollback on a chokepoint for full -2 days effect, but AS LATE as possible.
If you know the Rollback won’t be DDOS’d (Blackhats/Scriptkiddies dealt with, or out of charges, or there are too many chokepoints for them to guess your target), the FA can support the AL by using his Fake Logs ability at the same time as the Rollback. This will increase the number of fake logs (confirmation needed) and hide the AL’s track better (but still not entirely).
ARREST PEOPLE. Really, it seems obvious, but a lot of Agent games fail because the Field Agent is not doing his one primary job. Every single NIGHT, someone should be arrested, or at the very least an arrest attempted, or a Planned Raid set up. There is no excuse not to.
As AL, you will always want to use up all charges of your Strike Deal, meaning one successfull conversion for 12 or less players, and two successful conversions for 13 or more players (player count at game start). Anything less and you are potentially moving towards a loss (if NetSec is anywhere near competent).
Consequently, it seems logical to spam Strike Deal from N1 in the hope of converting someone right away, and then being able to use Strike Deal again come N3. Factoring in that you cannot convert 1-3 NetSec, and the Neutrals, and might go occupied, it’s not rare for a conversion to fail, in which case the timeframe shifts, and being found out and lynched before you got those conversions, is bad for the team.
However, take note that the single-most valuable convert is a Spearphisher, as that is the only class that will turn into an Offensive Mole, and consequently have the ability to perform a Rollback at DAY AND A WIPE AT NIGHT, the most powerful ‘Agent node control’ combo in the game, all in one class.
Holding off on converting someone until you think you found a Spearphisher, to then specifically convert them, might be worth the risk of not using conversions at all. (This is twice as true if you only got one charge to begin with.)
This leads to a concundrum: if you want to use a Planned Raid, the AL should almost certainly use his Midnight Meet to cover the FA’s lack of occupying power… but the AL will probably be busy converting, or using Midnight Meet to gather trust and find a Spearphisher during most NIGHTS.
Thus the use of a coordinated Planned Midnight Raid must be carefully evaluated against the opportunity cost of the AL not doing something else instead.
As once-per game gambit, if the Field Agent thinks there’s an Enforcer about and knows who is a likely target for protection, they can use the Sting ability to specifically arrest the Enforcer (even without having to discover the Enforcer’s identity first). This is a bit of a brute-force and waste’s the Sting on ‘just a single’ arrest, but removing NetSec’s only (legitimate) Enforcer can make a lot of value classes vulnerable and thus be worth it.
Alternatively, throwing a Sting at a suspicious (but from whom you believe to be NetSec) player, at a NIGHT where you expect them to be visited / investigated, can be a great play to net you multiple arrests at once. Bonus points if you capture more than 2 operatives, and/or if NetSec is panicked thinking there’s a BH on the loose and starts lynching Neutrals.
If anything more complex doesn’t apply, the AL should probably just fall back to his perfectly safe, zero-clue-leaving Informer ability, whereas the FA should arrest targets at will, trying to prioritize NetSec classes, yet avoiding those protected (by Enforcers or own abilities) or those under known CCTV surveillance.
Reminder: Always inform your teammate(s) on the ASC, after a NIGHT phase when your abilities didn’t work, and why they didn’t work. Being blocked is a nuisance, but a conversion-immune target is important information (as they’re either OP/Blackhat, and thus high-value targets, or Neutral, and thus a potential ally).
CLASS – Moles & Snitches
Disclaimer & Permission
Disclaimer: The author(s) of this article are not associated or affiliated with Knu, or any developers of this game (beyond some Discord chitchat and arresting them once in-game). As well, the game is under developement and game mechanics might change, therefore this guide does not guarnatuee absolute accuracy. Furthermore, it is heavily biased by my own experience with and in the game, and may change as the game’s meta developes.
Do feel free to contribute your own knowledge in the comment section, though be advised that this guide will not feature vastly complex strategies, both because it’s meant to give new players a thorough understanding of the game and because it’s no fun to spill all the tricks.
For the sake of expanding this guide’s Fair Use protection, I’ve pre-emptively asked Knu to grant his blessing for use of the pictures featured above:
So, let’s be clear, that the dev of this game already broke it’s first rule by trusting me 😀
I hope you enjoy what we shared today about Untrusted – The truly Untrust(ed)worthy Guide. If there is anything, you want us to add, please let us know via comment below! See you soon! And thanks!
- All Untrusted Posts List