A pink-haired, tattooed bard in leather armor plays a glowing magical lute, facing down a spectral crowned Lich Queen wrapped in ghostly chains on her throne.

The Cyber Bestiary: A Field Guide to the Creatures of Bad Security Habits

2026-06-29

So yeah if you know me, you know I run IT for a small school district. Solo, babes. No security team, no SOC, no “let me escalate this to someone.” Just me, a mass of browser tabs, and whatever chaos the universe feels like delivering on any given Tuesday.

And y’all. I have SEEN things.

Not in the threat intel feeds (though, sure, those too). I’m talking about the things that live inside your organization. The habits, the shortcuts. The “it’s probably fine” moments that stack up quietly until nothing is fine and you’re explaining to leadership how a known exploit from six months ago walked right through the front door while everyone watched.

I’ve fought these creatures. I’ve tried to train people to spot them. I’ve had entire professional development sessions dedicated to them.

And tbh I’ve BEEN some of them. (The Specter of the Morrow and I have a deeply personal history that I am choosing not to elaborate on at this time)

So I did what any self-respecting bard would do. I wrote a silly little monster manual.

What follows is a catalog of the ten most common creatures encountered in the wilds of organizational cybersecurity. Documented over years of fieldwork in the dungeons of small IT departments, breakrooms, and parking lots where someone is definitely on the wrong wifi right now.

These creatures are real. Very real. This guide is intended as both a survival manual…and a warning.


1. The Miniature Mimic

“We’re too small to be a target.”

Classification: Monstrosity (shapechanger) | Habitat: Small businesses, nonprofits, school districts, anywhere with under 200 employees | Threat Level: CR 6

A monstrous mimic disguised as a server rack, its metal chassis splitting open into a fanged maw with a lashing tongue, tangled in network cables in a dim server closet.

I work for a small org. I KNOW this creature intimately.

In the dungeons, mimics disguise themselves as ordinary objects. Treasure chests, mostly. Doors. The occasional barstool if the mimic has a sense of humor. You think it’s harmless. You think it’s just sitting there being small and unremarkable and not at all full of teeth. You reach for the handle and suddenly you’re glued to an amorphous blob that is very much going to eat you.

The Miniature Mimic is the belief that your organization is too boring, too tiny, too insignificant for anyone to bother attacking. You’re not a giant bank, you’re not a hospital. You’re just a little chest in a dungeon nobody visits. Not important.

Attackers LOVE that energy. They are COUNTING on it. Small organizations have weaker defenses, smaller budgets, fewer eyes on the network. You’re not harder to attack because you’re small. You’re EASIER babyyy. In D&D, mimics don’t pick the biggest adventurer in the party. They pick the one who reaches for the chest without checking first.

And the Miniature Mimic has the Adhesive trait. Once it grabs you, you can’t let go. Once a threat actor is inside a small org with no incident response plan? Good luck shaking ‘em loose. (Ask me how I know that ‘shaking ‘em loose’ is not a fun time. Actually don’t. I’m still recovering.)

Known Vulnerabilities: Size does not grant invisibility. A mimic is a mimic regardless of the dungeon it’s sitting in. Assume you’re a target, because you are.


2. Free Wiffy Harpies

“The wifi said ‘free’ so I connected.”

Classification: Monstrosity | Habitat: Coffee shops, airports, hotel lobbies, conference centers, anywhere with a “FREE WIFI” sign | Threat Level: CR 4 (in flocks)

Winged harpies perched on stone archways near a "Gate 77" sign and an "Avenue Café" in a fantasy transit hall, emitting glowing wireless signal waves while adventurers stare at glowing tablets below.

Harpies don’t chase you. They don’t NEED to chase you. They sit on their cliffside and they sing, and their Luring Song (DC 12 Wisdom save, 300-foot range) makes you walk toward them voluntarily. You hear the melody, you think “oh that sounds nice” and then you start moving towards them. By the time you realize what’s happening, oh no now you’re standing at the edge of a cliff wondering how you got there.

Free wifi is the Luring Song of the modern world.

“Free Airport WiFi.” “CoffeeShop_Guest.” “HOTEL_LOBBY_FREE.” It sounds sooooo good. So convenient. No password even needed! You connect before your brain even finishes the Wisdom saving throw. And now every. single. packet you send is crossing someone else’s terrain. Harpies nest near natural hazards (cliffs, reefs, rocky shores) and let the terrain do the killing. An evil twin access point works the same way. The network lures you in. The man-in-the-middle does the damage.

And harpies travel in flocks. There’s never just one sketchy network. They’re five all singing at once and yours is the one that sounded the most legit.

(I am not going to pretend I haven’t connected to a cafe’s free wifi before. I HAVE. I am not immune to the song. I just know to use a VPN now because I’ve been personally victimized by my own bad decisions enough times.)

Known Vulnerabilities: Use a VPN, and don’t click through a certificate warning or a “sign in to continue” page you weren’t expecting, because that’s the song getting louder. Or better yet, fail the Wisdom save on purpose and connect to your phone’s hotspot instead. The song can’t reach you if you brought your own bard.


3. The Specter of the Morrow

“I’ll update it later.”

Classification: Undead | Habitat: System tray notification bubbles, “Remind Me Tomorrow” buttons, every laptop that hasn’t restarted since February | Threat Level: CR 5

A ghostly skeletal specter made of pale blue smoke rising from a laptop screen that reads "REMIND ME TOMORROW," surrounded by floating update notifications in a dim office with a ghostly clock on the wall.

Yikes y’all. I told you this one was personal.

Specters are incorporeal undead that exist because of unfinished business. They haunt the places where something was left undone. They can’t rest. They can’t move on. Just stuck, rattling around in the walls of whatever task they never completed.

Your unpatched systems have the same vibe.

The Specter of the Morrow is the ghost of every update you postponed, every “Remind Me Tomorrow” you clicked, every restart you swore you’d do at the end of the day and then didn’t because you had 47 tabs open and you were NOT about to lose your place. It has Incorporeal Movement which means it passes straight through your defenses. Because an unpatched vulnerability isn’t a wall. It’s the outline of where a wall used to be.

Then there’s Life Drain. Every day you delay an update, the specter drains a little more of your security posture. Slowwww. *quiet*. You don’t even notice it until you’re trying to figure out how a known exploit from six months ago got through and the answer is: you told it to come back tomorrow.

And it did.

I have absolutely clicked “Remind Me Tomorrow” with the unearned confidence of someone who has never once been exploited. Multiple times. In a row. While knowing EXACTLY what I was doing. The specter doesn’t care that you know better. It cares that you didn’t DO better.

Known Vulnerabilities: Specters are weak to sunlight. Updates are sunlight. Turn on auto-updates. Restart your computer. Let the specter rest.


4. The Sticky Ooze

“I just wrote it on a sticky note so I wouldn’t forget.”

Classification: Ooze | Habitat: Monitor bezels, desk drawers (barely), the underside of keyboards (aspirational hiding) | Threat Level: CR 3

An amber, gelatinous ooze engulfing an old computer monitor on a desk, its surface plastered with sticky notes scrawled with passwords, PINs, and login credentials, dripping down onto the keyboard below.

Oozes are mindless. That’s the first thing to understand. There’s no INT score here. No cunning, no plan, no malice. An ooze just…exists? Being sticky and transparent and dissolving whatever it touches.

A password on a sticky note is the same creature.

Nobody writes their password on a Post-it because they’re TRYING to compromise the network. They do it because they’re human and they have 102 passwords and their brain said “nahhhh” and their hand reached for a pen. Zero thought involved. Just instinct. Just a little yellow square clinging to the edge of a monitor, visible to anyone who glances at the desk.

I have seen these in the wild so many times y’all. Just OUT there. In the OPEN. Sometimes multiple sticky notes on the same monitor like a little password garden blooming in the fluorescent light. And the person is always surprised when I gently suggest maaaaaayyyyyybe we find another way to store those. Because they genuinely forgot the note was there. That’s the thing about sticky notes. People just stop seeing them.

Oozes in D&D are also famously transparent. The gelatinous cube requires a DC 15 Perception check to notice and it takes up an ENTIRE 10-by-10 space. That note has been there so long it’s basically furniture. But the credentials on it? Still live, still valid. Still very much readable by anyone who walks past with functioning eyes.

Known Vulnerabilities: A password manager, my love. That’s it. Give the ooze somewhere to live that isn’t the open air. Contain it. Vault it. You don’t leave acid in an open cup on your desk. Same logic.


5. The Basilisk of the Unerring Gaze

“I can always spot a phishing email.”

Classification: Monstrosity | Habitat: Every inbox. Especially the inbox of the person who is VERY confident about their inbox. | Threat Level: CR 7

A spiny gray basilisk crouched on a desk, staring into an old CRT monitor and meeting its own reflection in the cracked, glowing screen that displays an email inbox.

The basilisk petrifies you through eye contact. Eight legs, real creepy, low to the ground, slow but absolutely lethal. Doesn’t need to be fast. Just needs you to look. One failed save and you’re starting to turn to stone. Two failed saves and you’re a statue.

Now here’s the part that makes this entry sing: in D&D, a basilisk can be fooled by its own reflection. If it sees itself in a mirror, it mistakes its reflection for a rival and targets itself with its own gaze.

That’s overconfidence in a monster stat block.

The person who says “I can always spot a phishing email” is the basilisk staring into a mirror. So sure their gaze is unerring that they stop being careful. They stop checking URLs. They stop hovering over links. They move fast because they KNOW.

And listen. I have been this person. I have looked at a phishing email and thought “pfft, obvious” and then clicked through something I should’ve inspected closer because I was busy and confident and wrong. You know who falls for phish the hardest? People who are sure they can’t be phished. Every. Single. Time.

Modern phishing is not the Nigerian prince anymore, y’all. It’s pixel-perfect spoofs. It’s thread hijacking. It’s an email from “your boss” sent from a domain that’s juuuuust one letter off. That email is looking right back atcha and your confidence is what petrifies your judgment.

The only defense listed in the Monster Manual? Avert your eyes. Accept that you CAN be fooled. And look more carefully because of it.

Known Vulnerabilities: Humility. SLOW DOWN. Hover before you click, and read the actual sending address, not just the display name. Report anything weird even if you’re “pretty sure” it’s fine. The adventurers who survive the basilisk are the ones who never assume their Perception check is high enough.
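The “one letter off” domain is the part of the gaze you can actually check with code. Here is an added example (mine, not part of the original post) of the check a mail filter or a paranoid IT person can run on a sender address or hovered link: collapse look-alike characters, then measure how close the domain is to the ones you trust. The TRUSTED allowlist and every address in the demo are constructed for the example.

```python
"""Lookalike sender-domain check for the "one letter off" phish.

Added example, not code from the original post. TRUSTED is a constructed
allowlist standing in for the domains your org actually mails from; the
addresses in the demo are constructed too.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: domains this (hypothetical) district legitimately uses.
TRUSTED = {"lakeview-isd.org", "sans.org", "microsoft.com"}

# Pairs that look alike in most fonts. Multi-char pairs are replaced first
# because str.translate only maps single characters.
PAIRS = (("rn", "m"), ("vv", "w"))
SINGLES = str.maketrans({"0": "o", "1": "l", "|": "l"})


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visual twins compare equal."""
    d = unicodedata.normalize("NFKC", domain.lower()).strip(".")
    for pair, single in PAIRS:
        d = d.replace(pair, single)
    return d.translate(SINGLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete or substitute one char each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, or the host of a URL / bare hostname."""
    if "@" in address:
        return address.rsplit("@", 1)[1].strip(">").lower()
    url = address if "://" in address else "//" + address
    return (urlsplit(url).hostname or "").lower()


def classify(address: str, trusted=TRUSTED) -> str:
    """'trusted', 'lookalike' or 'unrelated' for the domain behind an address."""
    dom = sender_domain(address)
    if dom in trusted or any(dom.endswith("." + t) for t in trusted):
        return "trusted"
    # Punycode or raw non-ASCII labels against an all-ASCII allowlist: treat as hostile.
    if "xn--" in dom or not dom.isascii():
        return "lookalike"
    sk = skeleton(dom)
    for t in trusted:
        tsk = skeleton(t)
        # One slip allowed on short domains, two on long ones; short domains
        # otherwise collide with unrelated names.
        budget = 1 if len(tsk) <= 10 else 2
        if edit_distance(sk, tsk) <= budget:
            return "lookalike"
        if sk.startswith(tsk + "."):  # trusted name reused as a subdomain of something else
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample: what expanding the sender or hovering the link shows.
    for addr in (
        "principal@lakeview-isd.org",
        "hr@mail.lakeview-isd.org",
        "principal@lakeview-lsd.org",  # i swapped for l
        "it@1akeview-isd.org",  # l swapped for 1
        "payroll@lakevievv-isd.org",  # w swapped for vv
        "https://lakeview-isd.org.verify-login.net/reset",
        "no-reply@github.com",
    ):
        print(f"{classify(addr):10} {addr}")
```

The distance budget is the knob to watch: too generous and every short domain on the internet becomes a “lookalike”, too stingy and the two-character swaps slip through. Flagging is only the first step; the point is to slow the human down, not to replace them.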


6. Silent Shades

“I just downloaded this app to help with work.”

Classification: Undead | Habitat: Personal devices on the company network, unauthorized SaaS tools, the AI chatbot someone on your team has been feeding sensitive data into for three months and you JUST found out about it | Threat Level: CR 5 (escalates with numbers)

Workers hunched over glowing laptops and phones in a dim, stone-pillared hall while shadowy wraith-like shades creep unnoticed from the darkness behind and beside them.

Shades lurk in dim light and darkness. They have Shadow Stealth and they’re Amorphous, squeezing through cracks as narrow as one inch. Their Strength Drain attack is where it gets scary: slow, necrotic, cumulative. You don’t die to a shade in one hit. You weaken gradually, until your Strength hits zero and you just…collapse.

Shadow IT works the exact same way.

It lives in the parts of your organization that IT can’t see. The person who signed up for a free AI transcription tool using their work email. The coworker using a personal Dropbox to share files because the official system is “too slow.” The person who copied an enrollment spreadsheet into ChatGPT to “help clean up the formatting”, forgetting that the last three columns had parent SSNs and emergency contact info.

(That last one. THAT last one. If you work in IT and your eye didn’t just twitch reading that, I don’t trust you.)

None of these people are TRYING to do damage. They’re just working in dim light. And the shades are there.

The spawn mechanic is what makes this entry a true nightmare. When a humanoid dies to a shade’s attack, a NEW shade rises from the corpse. One person finds an unsanctioned tool that works great. They tell a coworker. That coworker tells two more. Now you have five shadow apps running in your environment and IT knows about zero of them. By the time I find out about something like this it’s already a whole colony.

Known Vulnerabilities: Light. Shades are weak to sunlight and visibility is your radiant damage. You can’t ban shadow IT out of existence (the shades will just find darker corners). But you CAN make it easy to bring tools into the light. Create a process for requesting new tools that doesn’t feel like filing a tax return. If asking permission is harder than just downloading the thing, the shades win every time.
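Light, in practice, usually means reading the logs you already have. As an added example (mine, not the post’s), this walks a proxy or DNS-style log, drops anything on the sanctioned list, and reports each unsanctioned destination with who is using it and since when, so the one-person tool and the five-person colony are told apart. The SANCTIONED list, the log lines and the log format (timestamp, user, source IP, destination host, port) are all constructed assumptions; adapt parse_line() to whatever your proxy actually writes.

```python
"""Find the shadow IT colony in proxy/DNS logs.

Added example, not code from the original post. SANCTIONED and the log lines
are constructed; the line format (timestamp user src_ip host port) is an
assumption, not any particular product's format.
"""
from dataclasses import dataclass

# Constructed allowlist of tools the org has actually approved.
SANCTIONED = {"lakeview-isd.org", "google.com", "microsoft.com", "office.com", "zoom.us"}

# Constructed proxy log: "<timestamp> <user> <src_ip> <dest_host> <dest_port>"
SAMPLE_LOG = """\
2026-06-09T08:02:11Z jsmith 10.20.4.17 outlook.office.com 443
2026-06-09T08:05:40Z jsmith 10.20.4.17 app.otter.ai 443
2026-06-10T11:14:02Z mlee 10.20.4.52 app.otter.ai 443
2026-06-10T11:15:09Z mlee 10.20.4.52 drive.google.com 443
2026-06-11T13:44:55Z abrown 10.20.7.3 www.dropbox.com 443
2026-06-12T09:01:27Z abrown 10.20.7.3 app.otter.ai 443
2026-06-12T09:30:00Z kpatel 10.20.7.9 chatgpt.com 443
2026-06-12T14:12:41Z jsmith 10.20.4.17 api.otter.ai 443
2026-06-13T07:58:13Z dwhite 10.20.5.21 www.dropbox.com 443
"""


@dataclass
class Sighting:
    users: set
    requests: int
    first_seen: str


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (naive: ignores co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    ts, user, _src, host, _port = line.split()
    return ts, user, host


def shadow_report(log_text: str, sanctioned=SANCTIONED) -> dict:
    """Unsanctioned destinations, with who is using them and since when."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host = parse_line(line)
        dom = registered_domain(host)
        if dom in sanctioned:
            continue
        s = seen.get(dom)
        if s is None:
            seen[dom] = Sighting(users={user}, requests=1, first_seen=ts)
        else:
            s.users.add(user)
            s.requests += 1
            s.first_seen = min(s.first_seen, ts)  # ISO-8601 timestamps sort lexically
    return seen


def colonies(report: dict, min_users: int = 2) -> list:
    """Domains that have already spread, biggest headcount first, then oldest sighting."""
    return sorted(
        ((dom, s) for dom, s in report.items() if len(s.users) >= min_users),
        key=lambda kv: (-len(kv[1].users), kv[1].first_seen),
    )


if __name__ == "__main__":
    report = shadow_report(SAMPLE_LOG)
    for dom, s in colonies(report, min_users=1):
        print(f"{dom:15} users={len(s.users)} requests={s.requests} "
              f"first_seen={s.first_seen} {sorted(s.users)}")
```

Run this weekly and the output is your conversation starter, not your ban list: the three-user transcription tool is the one to go ask about, and the answer is usually “can we have this properly?”, which is the whole point of making the request process painless.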


7. The Allip of Eternal Echoes

“I just use the same password for everything.”

Classification: Undead | Habitat: Everywhere. Simultaneously. That’s the whole problem. | Threat Level: CR 8

A ghostly, screaming allip wraith swirling within a spiral of the endlessly repeated phrase "mypassword2026," with identical login credential cards reading "USER: AKH-RAK / PASS: mypassword2026" floating to one side.

An Allip is what happens when someone dies with a secret they can never stop telling. An undead creature that endlessly whispers the same maddening fragment, over and over and over and over, driving anyone who listens toward insanity. The whisper never changes. The echo never stops.

One password. Every account. Every service. Every login screen you’ve encountered for the last six years. The echo never changes.

The Allip’s Whisper of Compulsion does Psychic damage and the creature can use Howling Babble to target everyone in a 30-foot radius. THAT is a credential stuffing attack. One breached site leaks your email and password as a pair, attackers replay that pair against every other login page they can find, and suddenly the echo radiates outward, hitting every account you used it on. Your email your bank your cloud storage your work VPN. All reverberating with the same maddening phrase: mypassword2026.

Allips also have Incorporeal Movement. They pass through walls. And one compromised credential does not respect the boundaries between your personal life and your professional one. It moves through both like they’re not even there.

I won’t pretend I didn’t use the same password for like eight years of my life before I knew better. We’ve ALL been the Allip. The difference is whether you stay one.

Known Vulnerabilities: Break the echo. Use a password manager and let it generate the gibberish so every account has its own unique, unguessable passphrase, and turn on MFA wherever it’s offered so a leaked password by itself isn’t a key. The Allip only has power because the whisper is the same everywhere. Change the words and the spell breaks.
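Two things you can actually check here: which of your accounts share a password, and whether that password has already turned up in a breach. The second check is normally done against a “range” service that takes only the first five hex characters of the password’s SHA-1 and returns every matching hash suffix with a count, so the password itself never leaves your machine. This is an added example (mine, not from the post): the vault export is constructed, and range_lookup() is a stand-in for the real endpoint, backed by a tiny constructed breach corpus so it runs offline.

```python
"""Break the echo: find reused passwords and check them against a breach corpus
without ever sending the password.

Added example, not code from the original post. The vault export and the
breach corpus are constructed; range_lookup() stands in for a real
Pwned-Passwords-style range endpoint, which takes only the first 5 hex chars
of the SHA-1 and returns every matching suffix with its count.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> how many times it appeared in dumps.
_FAKE_CORPUS = {"mypassword2026": 1204, "password": 9545824, "Lakeview2024!": 3}

# Constructed password-manager export: (site, username, password).
VAULT = [
    ("mail.example.org", "akh-rak", "mypassword2026"),
    ("bank.example.com", "akh-rak", "mypassword2026"),
    ("vpn.lakeview-isd.org", "akhrak", "mypassword2026"),
    ("forum.example.net", "akh_rak", "Lakeview2024!"),
    ("cloud.example.com", "akh-rak", "tungsten-ferret-cliffside-41"),
]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """What the client sends (5-char prefix) vs what it keeps (35-char suffix)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: 'SUFFIX:COUNT' lines for every corpus
    hash sharing the prefix. Constructed; a real service returns hundreds of lines."""
    lines = []
    for pw, count in _FAKE_CORPUS.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, lookup=range_lookup) -> int:
    """Times the password was seen in breaches; 0 if never. Only the prefix
    goes to the lookup; the suffix comparison happens locally."""
    prefix, suffix = split_for_range_query(password)
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        sfx, count = line.split(":")
        if sfx == suffix:
            return int(count)
    return 0


def echo_report(vault, lookup=range_lookup) -> dict:
    """For every password used on more than one site OR seen in a breach, list
    the sites that would fall together. Keyed by SHA-1 prefix so the report
    itself never contains a password."""
    by_password = defaultdict(list)
    for site, _user, pw in vault:
        by_password[pw].append(site)
    report = {}
    for pw, sites in by_password.items():
        seen = breach_count(pw, lookup)
        if len(sites) > 1 or seen:
            prefix, _ = split_for_range_query(pw)
            report[prefix] = {"sites": sorted(sites), "breached": seen}
    return report


if __name__ == "__main__":
    for prefix, info in echo_report(VAULT).items():
        print(prefix, info)
```

To use it against the real service, swap range_lookup() for an HTTPS GET of the prefix and feed the response body straight in; the rest of the code doesn’t change, which is the nice property of the k-anonymity design.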


8. Fleetfinger Quicklings

“I only walked away for like two seconds.”

Classification: Fey | Habitat: The space between your chair and the door. The thirty-five seconds it takes to refill your coffee. | Threat Level: CR 3 (but they swarm)

Tiny, blurred fey quicklings darting in streaks of green and blue light across an abandoned desk toward an unlocked, still-glowing computer screen, beside a steaming coffee mug and an empty chair.

Quicklings are tiiiiiiny widdle fey creatures with a base speed of 120 feet. That is ABSURD. For context, a human moves 30 feet per round. A quickling moves four times that in the same six seconds. They’re so fast they’re nearly invisible when they move (DC 16 Perception check to even notice one zip past).

They do not need you to be gone for long.

You stood up. You walked to the printer. You went to ask someone a question. Maybe you ran to the bathroom. Maybe you literally turned around in your chair to talk to the person behind you. Two seconds. You were gone for two seconds.

Quicklings move at 120 feet per round. In two seconds (one-third of a round), a quickling covers 40 feet. That’s across your office to your unlocked workstation and back. With time to spare. And quicklings are pack creatures. They swarm. One unlocked screen is a beacon for every little fey thief in the building.

In the time it takes to walk to the breakroom, a quickling could read your open email, send a message from your account, access a shared drive, or just glance at whatever sensitive document you left on screen. They don’t need a lot of time. They need ANY time at all.

Known Vulnerabilities: Win+L. Ctrl+Cmd+Q. Whatever your lock shortcut is, make it muscle memory, and set a short idle-lock timeout in policy so the screen locks itself on the days muscle memory doesn’t show up. The quickling can’t breach a locked screen. It’s fast but it’s…okay well it IS magical. But your lock screen is faster than its fingers. Probably. Lock it anyway, my babies.


9. The Doppelgänger

“I just shared my login so they could get in.”

Classification: Monstrosity (shapechanger) | Habitat: Help desk tickets, onboarding shortcuts, “just this once” situations | Threat Level: CR 6

A pale, gray doppelgänger morphing into the face of a bearded dwarf as it types at a glowing rune-lit keyboard, holding the dwarf's "GIMLI ROCKHEWER" ID badge on a lanyard in its outstretched hand.

A doppelgänger can polymorph into any humanoid it’s seen. It can Read Thoughts within 60 feet. While wearing your face, it gets advantage on Deception, Persuasion, Intimidation, AND Insight checks. It walks through the front door looking exactly like you and nobody questions it because why would they?

You gave someone your password because they needed to get into a system and it was easier than going through the proper channels. Maybe it was a coworker. Maybe it was a new hire on their first day and IT hadn’t set up their account yet. Maybe it was your boss. It FELT fine. Helpful even. You were being a team player.

You just handed them your face.

While they’re logged in as you, every action they take has your name on it. Every file they access every email they send every record they touch every every EVERY. The audit trail says one person: YOU. The doppelgänger walks through the front door because someone held it open and said “here, wear this, you’ll blend right in.”

And Read Thoughts? Once someone has your credentials, they can see everything you can see. Your access level your permissions your inbox your saved documents. YOUR face. Their intentions.

Here’s what I tell people when they share credentials with a good heart and good intentions: I love that you’re trying to help. I really do. But I would rather get a help desk ticket at 4:55 on a Friday than find out someone else was wearing your digital face in the building all week.

Known Vulnerabilities: Nobody should ever need your credentials. If they can’t get in, the answer is a help desk ticket. Temporary access, role-based permissions, proper onboarding. All of it exists specifically to keep the doppelgänger out of your party.
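A shared login does leave a footprint: the same account signed in from two different devices at the same time. As an added example (mine, not the post’s), this scans sign-in records and flags any user with successful logins from two different device strings inside a short window. The records and their format (timestamp, user, source IP, quoted user agent, result) are constructed assumptions; adapt parse_line() to what your identity provider actually exports.

```python
"""Spot a borrowed login: one account active from two different devices at once.

Added example, not code from the original post. The sign-in records are
constructed and the format (timestamp user src_ip "user agent" result) is an
assumption; adapt parse_line() to whatever your IdP exports. Records are
assumed to be in time order.
"""
from datetime import datetime, timedelta
import shlex

# Constructed sign-in log. The quoted field is the device / user-agent string.
SAMPLE_LOG = """\
2026-06-12T07:58:10Z gimli 10.20.4.17 "Windows/Edge" success
2026-06-12T08:03:42Z gimli 10.20.9.88 "macOS/Safari" success
2026-06-12T08:10:05Z legolas 10.20.4.21 "Windows/Chrome" success
2026-06-12T08:41:19Z legolas 10.20.4.21 "Windows/Chrome" success
2026-06-12T09:02:33Z gimli 10.20.4.17 "Windows/Edge" success
2026-06-12T09:15:00Z aragorn 10.20.7.3 "iOS/Safari" failure
2026-06-12T09:15:30Z aragorn 10.20.7.3 "iOS/Safari" success
2026-06-12T13:20:00Z boromir 10.20.5.2 "Windows/Edge" success
2026-06-12T16:45:00Z boromir 10.20.5.2 "Windows/Chrome" success
"""


def parse_line(line: str):
    ts, user, ip, agent, result = shlex.split(line)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, agent, result


def shared_sessions(log_text: str, window: timedelta = timedelta(minutes=30)) -> list:
    """(user, earlier_device, later_device, minutes_apart) for every pair of
    successful logins by the same user from different devices within `window`."""
    recent = {}  # user -> [(time, ip, agent)] still inside the window
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, agent, result = parse_line(line)
        if result != "success":
            continue
        sessions = [s for s in recent.get(user, []) if ts - s[0] <= window]
        for prev_ts, prev_ip, prev_agent in sessions:
            # Different device string is the signal; the IPs are reported for context.
            if prev_agent != agent:
                minutes = int((ts - prev_ts).total_seconds() // 60)
                hits.append((user, f"{prev_ip} {prev_agent}", f"{ip} {agent}", minutes))
        sessions.append((ts, ip, agent))
        recent[user] = sessions
    return hits


if __name__ == "__main__":
    for user, first, second, minutes in shared_sessions(SAMPLE_LOG):
        print(f"{user}: {first} then {second} ({minutes} min apart)")
```

The device string is used as the signal rather than the IP on purpose: a laptop that roams from a desk to a meeting room changes IP and would otherwise trip this constantly. A hit is a question, not a verdict (one person with a phone and a laptop looks the same), but a pattern of hits on one account is exactly what a shared password looks like from the outside.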


10. The Lich Queen of Unbroken Chains

“But we’ve always done it this way.”

Classification: Undead | Habitat: Legacy systems, policy documents last updated in 2014, “the server in the closet that Dave set up before he left” | Threat Level: CR 15 (legendary)

A crowned skeletal Lich Queen seated on a throne in a torchlit stone hall, cradling a glowing purple orb of energy, bound to her chamber by heavy iron chains stretching across the room.

This is the final boss. OooOooOOohhhh scary.

The lich is the most powerful undead in the Monster Manual. A spellcaster who chose to bind their soul to a soul anchor rather than accept death. As long as the soul anchor survives, the lich cannot be permanently destroyed. Kill the body and it reforms. Smash it to pieces and it reassembles. The lich endures because it has chained its existence to an object it will protect at all costs.

The Lich Queen of Unbroken Chains is the legacy process. The outdated system. The “way it’s always been done” that refuses to die because its soul anchor is still intact.

And the soul anchor?

Organizational inertia.

Somewhere in your org there’s a process that made sense way back in 2015 and has been running on autopilot ever since. Maybe it’s a shared spreadsheet that contains things a shared spreadsheet should absolutely not contain. Maybe it’s an admin account still using the password the original sysadmin set before they retired. Maybe it’s a firewall rule that no one remembers creating but everyone is afraid to delete.

THAT is the soul anchor. That’s what’s keeping the lich alive.

The Lich Queen doesn’t just survive. She commands. She has Legendary Actions and Lair Actions. The old way of doing things shapes the entire environment around it. New employees learn the bad habit on day one. New systems get configured to match the old workflow. The chains are unbroken because every new link gets forged to match the ones that came before.

Every other creature in this bestiary? Manageable. A VPN here, a password manager there, a lock screen shortcut, some humility about phishing. Those are individual encounters.

The Lich Queen is a systems problem. She’s the reason the other nine creatures keep spawning. She’s the culture that lets them thrive. And she doesn’t go down to a single adventurer swinging a longsword.

She goes down when someone finally says “so yeah but…WHY are we still doing it this way?” and means it enough to actually do something about it.

Known Vulnerabilities: Find the soul anchor. Destroy it. Audit the legacy systems. Question the old policies. Challenge the processes nobody has looked at because “it still works.” And yeah, it does still work. The way a lich works. Technically functional. Deeply cursed. Holding your entire org hostage from inside a closet.


If you’ve encountered any of these creatures in the wild, you are not alone. They’re everywhere. They thrive in the gaps between good intentions and actual security practices. They feed on “it’s probably fine.”

And I get it. When you’re a team of one, you can’t fight ALL TEN at the same time. You have to pick your fights, build your party from the inside out, and create a culture that fights alongside you instead of accidentally summoning more monsters. That’s the whole job.

(Which, incidentally, is exactly what I’m talking about at the SANS Security Awareness Summit this August. Building security culture when you’re the only one in the dungeon. Come hang. It’s in Vegas. Let’s go to the Sphere together or something.)

Stay vigilant. May your rolls be Nat 20s.

And y’all. Check your surroundings for mimics.


Liz Gore is a Director of IT, SANS Cyber Academy graduate (GFACT, GSEC, GCIH), and the person who just wrote an entire monster manual about her coworkers’ security habits. Find her at lizgore.com or cataloging workplace cryptids on the internet.