Launching the Compliance Dungeon: Turning GRC into a Quest Worth Completing
"Not all those who audit are lost… but most wish they had a map."
Today, I'm thrilled to officially launch something that's been brewing in my scroll stack for a while now:
The Compliance Dungeon - a gamified GRC toolkit for security teams, solo defenders, and risk professionals who understand that consistency of methodology matters. Whether you're organizing your compliance program or presenting it to executives, the same storytelling principles that make presentations compelling can make operational work engaging and memorable.
Why I Built the Dungeon
If you've ever tried to bootstrap a compliance program, you know how fast it can turn into a cursed labyrinth:
A dozen frameworks to juggle (SOC 2, ISO, NIST, CIS…)
Spreadsheets spawning like slimes in the dark
Half-written policies, undead audit notes, and to-do lists hexed by necromancers
And somewhere in the shadows… the Auditor Dragon circles
I've been there - in startups, scaling security teams, and advising founders who know they need compliance, but don't know where to start. I've also watched new hires get dropped into sprawling control maps with no context and a vague "get us compliant" mandate.
The result? Burnout. Overengineering. Missed risks. Dead documentation.
But here's what I've learned: The same archetypal thinking that transforms boring security presentations into executive epics can bring clarity and engagement to operational work too.
The Compliance Dungeon was born from the idea that we deserve better tools - ones that make it easier to see where you are, what's left to do, and how it all connects… without losing the narrative along the way.
What It Is
The Compliance Dungeon is a Coda-based GRC tracker - reimagined as a fantasy-themed dungeon crawl.
At its core, it's a quest-based compliance system with XP, progress bars, dungeon levels, and fantasy role classes (like Policy Mage, IAM Ranger, and Audit Bard). But under the hood, it's fully aligned with four real-world frameworks:
SOC 2
ISO 27001
NIST Cybersecurity Framework
CIS Controls
Each dungeon level maps to a control domain (Access Control, Risk, Policy & Governance, etc.), and every quest is mapped to one or more frameworks.
You don't just check boxes. You complete quests, earn XP, and level up your program in a way that's visual, motivating, and actionable.
Why Storytelling Matters in Compliance
This dungeon approach isn't just about making work fun - it's about consistency of methodology.
When you organize your compliance program using the same mythological framework that transforms your presentations, something powerful happens:
Operational clarity emerges from archetypal structure
Team engagement increases when work has narrative meaning
Executive communication becomes natural because your ops match your storytelling
Progress tracking feels like character development, not checkbox grinding
Whether you're a solo practitioner building your first program or a seasoned professional looking to bring your team along on the journey, consistent mythology creates both clarity and momentum.
And yes, this is a preview of the Mythological Security Storytelling Framework I'm developing - where security professionals learn to transform their data into compelling executive narratives. The Compliance Dungeon is mythology in operational action.
Who It's For
Whether you're solo or scaling, The Dungeon meets you where you are:
Solo Security Practitioners
First hire? IT generalist doing "security stuff" on the side? The Dungeon gives you a clear, structured path forward - no guesswork, no bloat.
Startup & Small Teams
Prepping for SOC 2 or due diligence? Use the Dungeon as your living roadmap. Filter by framework, control area, or class and stay focused.
New Security Teams in Enterprise Environments
Building a GRC foundation in a big org? This helps you delegate clearly, onboard new team members faster, and make the invisible visible.
GRC Nerds (like me)
Already fluent in frameworks but need a better way to visualize progress, assign tasks, or onboard others? This is your scroll.
Security Storytellers
Professionals who understand that when your operational tools match your presentation methodology, everything becomes more coherent and compelling.
What Makes It Different
Framework-Aligned, but Flexible
Start with core frameworks, expand with side quests or custom tasks.
Role-Based Filtering
Assign "classes" to quests so your IAM Ranger, Policy Mage, or IR Paladin knows where to focus.
XP Tracking & Progress Bars
Celebrate wins - big or small. Motivation matters.
Narrative-Driven
It's not just a tracker. It's a story. And your compliance program is the hero's journey.
Customizable Foundation
Built in Coda. Easy to modify, clone, and expand for your org's workflows.
Storytelling Integration
Perfect for security professionals who want their operational approach to match their communication methodology.
Where to Start
If you're ready to explore, begin your journey at Level 0 - The Courtyard of Curiosity.
You'll find fast wins, habit-building side quests, and foundational tasks to get momentum rolling before diving into the heavier levels.
Need guidance? The Read Me First page includes everything you need to begin - including tips, navigation help, and lore.
Final Thoughts
Compliance doesn't have to be a slog through spreadsheets, folders, and forgotten frameworks. It can be a guided journey. A creative process. Even… a little bit fun.
More importantly, it can be the operational foundation that supports the epic stories you'll tell about your security program.
When executives ask about your compliance posture, imagine presenting your dungeon progress as a kingdom's journey from chaos to order. When auditors want evidence, picture showing them a completed quest log that tells the story of your program's evolution.
If the Compliance Dungeon helps you build your program, stay organized, or face the Auditor Dragon with a little more confidence - it will have done its job.
If you're curious, brave, or just tired of control chaos - you're invited to step inside.
Your next quest awaits.
Ready to Begin?
Or shoot me a scroll at vmosby@thesmokingprinter.com with your questions, feedback, or tales from your own GRC adventures.
Want to learn how to present your dungeon progress as compelling executive narratives? Check out The Framework on my personal website.
May your risks be logged, your policies be blessed, and your audit prep always be early.
- The Cyber Lorekeeper (aka Victoria)
Want to help make it better? I'm also looking for beta testers to provide feedback on usability and missing features. If you'd prefer to test-drive the Dungeon in exchange for 15 minutes of honest feedback, shoot me a note at vmosby@thesmokingprinter.com. Beta testers get the final version free plus early access to future updates.