6we Matrix FAQ

Banshee’s Guide to the 6we Matrix

The purpose of this document is to expand upon and clarify concepts that were presented in the 6th World Edition CRB.

Disclaimer: I decided to put together a Matrix Guide. I had submitted it for approval but never got any feedback, but I wanted to make it available to the public. So just note that is NOT official but it does fall in line with what I wrote in the 6WE CRB Matrix chapter when combined with my intentions and how I run things for my personal home campaign.

There are some rule changes proposed within, I feel they fix some of the issues that have come up since release but do not have an official stamp of approval from CGL (yet?).

Matrix access and networks:

Definitions

Access - all defined access types are not true legal access, which is why the matrix actions are opposed by the network. True legal users are technically going through the same check system but are assumed to always pass the check as long as their credentials are legit. Gaining true legal access can never be gained through hacking and should be carefully evaluated before being allowed in any given campaign.

Outsider - not a true access level, but rather the default level that everything starts at. Actions requiring Outsider access do not require hacking to gain access before using.
User - the lowest level of actual access, allows use of most things on the network
Admin - the highest level possible for hacked access, allows for full control of the network.

Networks

PAN - mobile networks based on personal devices such as commlinks, cyberdecks, and RCC’s
Host - basically non-mobile super servers, the backbone of the matrix

Devices

Any piece of gear, specifically in regards to the matrix, anything that has capacity to be wireless or interact with the matrix.
Devices only have Device Ratings unless connected to a network, therefore must rely on a network for matrix attributes, except as noted in a few special circumstances as indicated below.

Access is determined per network, not per device. So if you want to mess with a device you have to hack the network, UNLESS that device is running by itself and not part of a network.

Maintaining access to multiple networks (both PAN’s and Hosts) is possible but any overwatch score gained is cumulative. Dropping access to a PAN requires no test or action unless you are link locked, dropping access to a host requires the Exit Host action.

Maintaining access to a nested Host allows you to interact with that Host as well as any devices or personas in that host even if you are in a different Host, as long as you are in a Host that is in the network. This applies to all “users” but not IC, IC is native to the Host and can not leave it.

Example: If you have access to Host A (general), B (administration), and C (security) but are currently in C because you probed your way down through the network and needed to get access to the security host, you can still interact with devices on host A and B.

Losing access

Anytime you or the network is rebooted all access levels are reset
Using the Exit Host action resets all access levels you have on that Host
Getting crashed (i.e. persona matrix condition reduced to zero) kicks you off of the matrix and resets all access levels.

Devices

Most relevant devices are given a device rating in their description, but if not provided then use the following table as a general guideline as to what rating to use.

Device Type	Rating	Examples
Simple	1	General appliances, public terminals, entertainment systems
Average	2	Personal electronics, basic cyberware, weapons, residential security devices, basic vehicles
Smart	3	Security vehicles, alphaware, corporate security devices
Advanced	4	High-end devices, betaware, military vehicles and security devices
Cutting Edge	5	Deltaware, credsticks, black-ops vehicles and security devices
Bleeding Edge	6+	Billion-nuyen experimental devices, space craft

Hosts and Device limits - Hosts do not have a device limit

PAN’s and Device limits

Rules as written make having a decently defended team PAN a confusing mess due to low device limits. To offset this I propose the following …

Slaved devices - limited as specified in the CRB. These are normally devices that can be remote operated (such as drones/vehicles and weapon platforms) but could also include other devices that require extended range and protection at the same time.
Networked devices - no limit on the number of devices that can be networked to a PAN, distance limited by Data Processing of the network. They can not be remote operated. They DO get to use the master networks matrix attributes as normal.
Unlinked - these are the devices that do not belong to any network and only have whatever is built into them to work with. (example the commlink sitting in your bug out bag hidden in your safehouse) Unlinked devices that do not have any (unless integral to the device such as a D/F on a commlink) of the normal ASDF attributes can substitute Device Rating for Firewall (all other matrix attributes are zero).

What does this mean for Remote Operation?

This remains as is in the CRB, as long as you’re able to connect to the device you are able to control the device directly and take any action the device is capable of.

Networked distance limit

The maximum distance that a network can extend is the network's Data Processing x 100 meters.

Example team setup - Each team member networks all of their personal devices to their commlink (providing personal protection based the commlink), then the team hacker can either network each commlink (providing presumably upgraded protection) or slave each commlink (allowing the same upgraded protection but at extended range).

Personas and Attributes

A Spider (a corporate security matrix specialist) can CHOOSE to use any combination of Mental and ASDF Attributes of their persona/device OR the Host they are currently in. This allows a corporation to hire Spiders without investing in as much gear as long as they are operating primarily in a Host. For full VR a good Spider technically only needs a DNI (trodes, datajack, or cyberjack...etc), sim module, and skills with no need for a cyberdeck.. Only when or if they leave a Host to pursue an enemy hacker do they need to rely on their own devices.

Personas can only be formed by matrix devices specifically, a matrix device is defined as a device possessing any of the ASDF attributes. A persona must have one matrix device possessing the D/F attributes, and can have the option of adding a cyberdeck to gain the A/S attributes. To gain and use any of the attributes and abilities of a matrix device it must be used as part of your persona.

NOTE: the matrix rules were written independently of the rigging rules, allowing an RCC to combine with a cyberdeck breaks the matrix rules as I designed them. I therefore suggest that you do not allow the combination, or at the very least you may allow them to form a Persona but only allow the use of one or the other at any given time. I.e. if using a deck then all of the functions of a RCC other than it’s matrix attributes are unusable, and vice versa.

Swapping matrix attributes … what does it mean that “You can rotate any non-zero attributes through your persona, even if they originated from different devices.”

This means you can NOT use two devices that only have the Data Processing and Firewall attributes and then swap two of them over to Attack and Sleaze. For example combining a commlink and a RCC mean you still have zeroes in Attack and Sleaze but you can choose to use whichever combination of Data Processing and Firewall you want. You can however swap the attributes on the device itself even if one of them is zero, as is the case for some commlinks.

What device takes the matrix damage when my Persona is attacked?

With the addition of allowing matrix attributes to be swapped across devices it adds the complexity of what device takes the damage?
Any device formed matrix persona should include at least one of the following … a cyberdeck, RCC, or commlink. So I propose an order of hierarchy of these devices, start at the top and work your way down until you hit a device that is present.
1st: Cyberdeck, 2nd: RCC, 3rd: Cyberjack, 4th: Commlink
To change (including swapping, adding, or removing) which devices form your persona you must reboot.

Using the Matrix

Under Grab the Dice, the skill dice pools listed for Legal and Illegal actions are only a generality and are overruled by specific dice pools as shown in the action descriptions.

Optional rule: if you want to simplify and handwave a lot of the complexity of the Matrix rules you can just rely on these two dice pools versus an opposed roll of Willpower + Firewall or Firewall x 2.

Pg 178: “Once you have initiated a hack, you cannot swap the base values of your Attack or Sleaze Attributes as long as you have access to the place you hacked into.”

So what initiates a hack? Using either Brute force or Backdoor Entry to successfully gain access to a network. Once you do this you cannot swap your Attack and Sleaze until you leave that network.

Suggested skill specializations and the actions they relate to.

Cracking

Cybercombat: Brute Force, Crash Program, Data Spike, Tar Pit, Resonance Spike
Electronic Warfare: Check OS, Control Device, Hide, Jam Signals, Jump Into Rigged Device, Snoop
Hacking: Backdoor Entry, Crack File, Hash Check, Probe, Spoof Command

Electronics

Computer: Edit File, Erase Matrix Signature, Matrix Perception, Matrix Search
Hardware: Turning off Wireless, removing headjammer, using keycard copier, using tag eraser, using bug scanner
Software: Disarm Data Bomb, Format Device, Jack Out, Jump into Rigged Device, Reboot Device, Set Data Bomb, Trace Icon
Threading: all non combat complex forms

Overwatch Score: Resetting your OS to zero requires that you take the time to log off of the matrix completely and reboot your device. Please note that will also reset any exploits you may have open (especially including Probe and Backdoor Entry). (As noted in the Reboot Device matrix action)

Direct Connection … What is it and what does it mean to a hacker?

Direct connection offers no advantages on hacking a network beyond the connection itself. This means the network still gets its full defense pool, but you have zero penalty due to noise and you can bypass any nodes or Hosts that the network may be hidden and/or protected by. Example; direct connection to a security camera allows you to hack the Security Host directly without first entering the Public host if the Security host was nested within the Public host. A direct connection also allows a hacker to access a non-wireless device.
How do I direct connect?

Physically connect to a device with a cable (your cyberdeck, cyberjack, datajack, and control rig all come equipped with a retractable fiber optic cable) or data tap
Use the technomancer echo Skinlink
Optional rule: wireless direct connection

If you are within 10 meters of the device, can detect the device (see matrix perception), and the device is wireless enabled you can form a “wireless direct connection”.

Cyberjacks

The table on Page 177 is the correct table for Cyberjacks, not Page 284.

The Matrix Init Bonus for cyberjacks is the extra dice you get when in VR.

Cyberjacks are able to perform all functions of both a datajack and a commlink, except voice communication because they lack any direct audio output component.

Commlinks

After seeing things in action for a while now, commlinks in general have attributes that are too low (especially if we allow devices to use DR as Firewall), I suggest changing to ….

Item	Rating	Attributes (D/F)
Meta Link	1	1/2
Sony Emperor	2	2/2
Renraku Sensei	3	2/3
Erika Elite	4	3/4
Hermes Ikon	5	3/5
Transys Avalon	6	4/6

Matrix Perception

Should go without saying but this works just the Perception skill except only in the Matrix. This means a single matrix perception check will reveal all hidden networks and/or icons in the vicinity just like walking into an ambush situation and making a perception check to see the ninjas about to jump you.
Running Silent is network based and not device based, so you set your PAN to silent mode and then it and all of its connected devices are concealed behind the Sleaze attribute of the master device. Please note that running silent does not require you actually have a Sleaze attribute, but it sure does help to have one if you want to remain hidden.
You do NOT have to make a matrix perception check just to see public icons that are not running silent or hidden in some fashion. Anything more than 1 net hit not only sees the hidden icon,but also provides extra information. (Also see Hosts for detecting icons inside a Host.)
You do use matrix perception on a public icon if you want to observe it in detail to learn more about it. This is generally an unopposed test with each hit providing a single piece of information.
Matrix Perception and Technomancers - the 5 hits required to see a technomancer is to see that they are a technomancer, just detecting them as another icon on the matrix is a normal perception check as determined by the circumstances. However to know that they are a technomancer and just not another decker requires you to observe in detail and score at least 5 hits.

Matrix Actions

Actions that are linked to an attribute also require that you have a value of at least 1 in that attribute.
Getting noticed

Attack linked actions are always obvious and the target network will know it under attack regardless of whether the action is successful or not.
Sleaze linked actions are very subtle and hard to detect, a target will only know it is being targeted when the action results in a glitch.
Most other actions will be noticed whenever the action attempt fails, exceptions to this are actions that are completely passive or actions that result in obvious results.
Passive actions are actions that have zero effect on a target and therefore give no reason for the target to notice them. These would include such actions as Check OS, Matrix Perception, Matrix Search, Reconfigure, Send Message, and Switch Mode.
Some actions could be noticed even when they are successful just because they create an effect that is obvious. These would include such actions as Control Device, Crash Program, and Reboot Device.
Complex Forms are much like spells and generally very subtle and go unnoticed until the effect is obvious.

What can I do when I detect a hacker in my network?

Well the first option is obvious … engage them in cybercombat, but what if you don’t want to or lack the skills and equipment to do so properly? Well the only real option is to shut down your network (reboot or just turn off).

Files - there are two basic file types that you need to differentiate between. Let’s call them Public and Private.

Public files - These are files that are not protected, hidden, or encrypted in any way. To find such a file depends on where it is located. If it is a public file available to anyone on the matrix then it is a Matrix Search, to find an public file on a private network you just need to be in the network (i.e. have the proper access level for the network) then make a simple Matrix Perception check. Threshold should follow the same format as Hash Check. To open and read a public file requires no test.
Private files - These are files that are protected or encrypted to conceal their presence and/or content. These files will only be found in a network (usually a host but could also be a PAN), finding them uses the Hash Check action. A protected file is one that has been locked by use of the Edit File action, and can be opened by using the Edit File action. An encrypted file must be cracked before attempting to open. Note that a file can be both protected and encrypted.

Backdoor Entry - use of this action includes the Enter Host action when used on a Host. This can only be used once per Probe, if you Reboot before using the Backdoor or use it to enter the Host then leave you must perform a new Probe action to establish a new Backdoor.
Control Device vs Spoof Command - Control is for prolonged and/or sustained use of a device, Spoof is for a single one and done action performed by the device itself. You can spoof a drone to fire one shot at a given target using its own pilot and autosofts but to use the same drone for more than that one shot or to use your own skill then you need to use control. Spoof is tricking the device into performing a single command ... the matrix equivalent of the jedi mind trick; control device is actually using it as it is intended to be used.
Enter/Exit Host - Exiting a host network will reset all of your access levels for that host, including all Probe/Backdoor or Brute Force exploits. To re-enter that host you must start all over with a new Probe or Brute Force hack attempt. For nested hosts this means when you leave the network as a whole and exit to the matrix specifically.

Nested Hosts - when exiting a nested host you can choose to exit to a connected host (as long as you have access to the desired host, otherwise you must establish access first) in the chain or exit out to the matrix leaving the entire network. This means you can move freely (as long as you spend the minor action Enter/Exit Host to do so) among all connected hosts that you are maintaining access to. You can also choose to drop access to any given host as well to lower OS accumulation when you exit a host to move into another on the same network.

Full Matrix Defense - this is just the matrix equivalent of Full Defense and allows you to add Firewall to all cybercombat (damaging) defense tests until the next combat round. NOT just the next attack.

Optional rule: normally is only used to defend against attacks that cause damage, but as an option can be used to defend against any type of action that is linked to the attack attribute.

Matrix Search - please note that this will only provide publicly searchable information! Any secretive information that is hidden behind a firewall of any sort requires a hacker run! For example you might have access to some data haven that has the same information that would be available via traditional legwork using contacts but that doesn’t mean you are able to matrix search your way into finding a target's secret corporate orbital bank account number or some such thing.

Change to a simple test with a duration of 10 minutes using the Legwork table as thresholds instead of an extended test.
Access level should just be Outsider since this is just a general matrix use action.

Reboot Device & Jack Out - using either of these actions will reset your OS, but also removes ALL access levels and any Probe/Backdoor or Brute Force exploits.
Set Data Bomb - Detecting a Data Bomb isn’t hard, just taking the time and making a Matrix Perception check against the file to observe in detail and get at least 1 net hit will do it. Damage should be Bomb Rating x2 not x4.
Probe - yes this is an Opposed and Extended test at the same time. It is a “push your luck” scenario where you can continue to roll even if you succeed on your first roll if you want to build up those extra bonus dice to be used on Backdoor Entry later. However as is normal with extended tests you lose one dice per each additional attempt, but the target's defense pool does not reduce making each additional attempt that much harder with diminishing returns and higher risks. Also if you fail at any point along the way you lose any progress you have made up until that point and must start over from zero.

The Probe exploit duration (10-host rating hours) is inapplicable once you use it to gain entry via Backdoor. In other words this is only for how long the window remains open for you to try and gain access, once you gain (or fail) access it doesn’t matter anymore.
Optional - the interval should be 1 hour not 1 minute … or at least 10 or 15 minutes

Spoof Command - Dice pool should be Cracking + Logic vs Data Processing + Firewall or Pilot + Firewall
Trace Icon - there is no need to use this action if you can identify the icon AND physically see the device it is connected to. The purpose of this action is for tracing an icon back to its source when you don’t know what that source is.

Programs

You cannot run more than one instance of a specific program.

Hosts

Hosts, Noise, and Distance

There is no noise due to distance on the inside of a Host.
Noise due to Distance and gaining access to a Host

This varies depending on the type of Host. There are three basic types of Host that you need to deal with … virtual, physical, and offline
Virtual Hosts form the backbone of how the general population uses the matrix, corporations and governments (Owners) maintain these as easy access. Because they only exist as virtual “entities” as long as you have general matrix access there is no noise due to distance when connecting to them.
Physical Hosts are used for increased security purposes, these are probably the most likely type of host that a shadowrunner will probably be encountering. Any information or matrix uses that an Owner wants to keep secure with restricted access is using a physical host of some type. A physical host may link multiple actual physical locations without actually physically being in each location, noise due to distance is calculated by the distance between the hacker and the point of where they are attempting to access the host (Access Point). Most likely the facility they wish to infiltrate, but could also be any device that is connected to the host.
Offline Hosts are the most secure and just that … offline physical servers and can only be accessed by direct connection, so simply put there is no noise to deal with.

Host to Host connections - sometimes an Owner will want or need to connect two Hosts to transfer information. This is simply done by opening a temporary access to it’s main virtual host and using it as a relay to transfer the information.

Pg 185 “The virtual space in a host is separate from the Matrix at large, and any icons on that host are not accessible unless expressly part of a public-facing side. Gaining access to a host will allow interaction with the icons and devices on the inside.” What is this and what does it mean in game play?

The generally accepted term for this is the Host Event Horizon, anything on the public or “outside” side of the event horizon works just like any other persona or device on the matrix.
Public facing icons and devices are the pieces and parts of a Host that the Owner wants to be publically visible or usable by the general matrix user (usually customers) or devices that need to communicate directly with another Host or User. Examples of the first type would be a Point of Sale portal, or public directory..

Of particular interest to shadowrunners here is the specific case of maglocks and security cameras. Cameras would need to be public if the facility relies on third party offsite security to allow monitoring from outside of the host. Maglocks are a little bit more difficult but not by much. For protection purposes a maglock will almost always be on the inside of a host. So how do everyday legitimate users use it? Most maglock systems are passive, so using one is basically nothing more than the maglock making a matrix perception check to make sure the user is authorized (scanning a card, or checking the biometric data or key code against its database) this is represented in the rules by the opposed roll between a maglock and whatever method you are using to try and bypass it with. Hacking your way past one is probably the number one use of direct connection and using Spoof Command.

Remote hacking - so how does my decker that is sitting in the van using VR to hack access to the host know what icon to target to open the maglock to let my team into the lab to get the package they were hired to retrieve? Well assuming he already has access and is in the network then it is a simple matter of his team tells him which one.
Interaction - what does this include? In this case that means the only matrix action that you can directly take against any “inside” devices/icons is limited to Matrix Perception while being on the outside. All inside devices are considered to be running silent using the Host Rating+Sleaze of the Host as the opposed dice roll. To target any icon (persona, device, IC, nested sub-host, etc) on the inside you must first gain access via Brute Force, Backdoor Entry, or Direct Connection.
You can still Send Message across the host event horizon.
Nested Host Networks - the event horizon within a nested host network is a lot more malleable. Getting access, entering, and initial contact still works as above but once you have gained access and stay on the inside of the network as a whole you can cross the event horizon as needed.

What sets off an alarm in a Host?

This is determined by what the Owner has established for its security protocols (ie how hard does the GM want to make it?). My suggestions would be one (or combination) of the following …

As soon as a hack action is detected
Once a hacker is detected by a matrix perception check (Patrol IC or a Spider)
Overwatch Score hits a certain threshold (set at a level below convergence at 40) can also be tiered and used to trigger different levels of alarms at different points.

Example: OS 5: Patrol IC begins making perceptions checks every round, OS 10: Tar Baby IC is activated, OS 15: Blaster IC is activated, OS 20: Spider is called in

IC uses the Attributes(ASDF) of its Host for all applicable uses (such as calculating Attack Rating and Damage).

Patrol IC - You can choose to have Patrol IC make perception checks more often than once per minute if you want to and/or have reason for it. Yes, Patrol IC knows you are an illegal user when they detect you.

Sprites

Diagnostics Power - effect should be +1 per net hit

Sprites and Mental Attributes/Skill: Sprites have mental attributes and skill ranks equal to their rating

Examples

Example 1; Mungo’s Point of View:

Using Matrix Perception as a form of recon
Running silent + Data spike
Brute force Admin access to a PAN
Snoop on communications

Using Matrix Perception as a form of recon to pick out someone’s gear

Mungo, sitting at a café in a busy downtown area in Seattle, automatically, without taking a regular perception test, notices the security guard that is openly patrolling the street outside. Just like regular perception Mungo does not need to take a test to notice things that are immediately obvious in the Matrix either, and since the guard is not running his Personal Area Network in silent mode (or otherwise trying to hide from him) Mungo also automatically, without taking a matrix perception test, spots it via his Augmented Reality ‘overlay’. The PAN of the guard consists of all the wireless enabled personal electronic devices he carry on his body, including what appears to be a firearm, all networked to the device the security guard is currently using to access the matrix with.

Mungo is interested in what type of device this is and spends a Matrix Perception Major action to observe the device that the security guard’s persona icon originates from more in detail. He gets 3 hits which let him know that it has a device rating of 3, that it currently runs a DF array of 2 3 and that it’s only program slot is currently running Signal Scrub. “Standard issue Renraku Sensei, this should not be any problem”, Mungo mumbles to himself.

He is also interested in what type of firearm we are dealing with. He chooses to spend another action to analyze the device icon of the firearm and finds out that it is a Colt America L36 light pistol with a Device Rating of 2. His street samurai partner, which is somewhat of a gun-nut, would instead probably have observed it in detail more directly while taking a regular perception test before coming to the same conclusion.

Data Spiking a sec guard’s gun (protected by his personal PAN)

Mungo decides to target the gun with a Data Spike.

Actions linked to attack are always obvious so to prevent being immediately spotted Mungo first switches his cyberdeck, and with that his entire PAN, to running silent. To not suffer a negative dice pool modifier of having higher Sleaze than Attack he also configures his cyberjack and cyberdeck with an ASDF array of 4 3 3 4.

Mungo does not currently have access on the security guard’s PAN, but Data Spike is an Outsider action and the gun is part of a PAN (and not behind the event horizon of a Host), so a direct connection or access on the network is not needed.

Mungo’s trusted Erika MCD-6 just has two program slots. The first slot is running Exploit, which is a hacking program that reduces the target’s Defense Rating by 2, and to fully compensate for the local noise Mungo uses the second program slot for Signal Scrubber.

Grab Some Dice

Data Spike is resolved as an opposed Cracking + Logic vs Data Processing + Firewall test. Mungo’s player grabs 10 dice while the GM grabs 5 dice, representing the network defending for the security guard’s gun.

Distribute Edge

Mungo’s Attack Rating is equal to his Attack + Sleaze = 7. The Defense Rating of the target is Data Processing + Firewall = 5, which is reduced to 3 due to the Exploit hacking program running in Mungo’s cyberdeck. Since Mungo’s AR is 4 or more than the target’s DR he gains a point of Edge for that.

Roll Dice and Spend Edge

Mungo uses the Edge he just gained on the Matrix Edge Action Emergency Boost to increase his Attack by 1 while the guard decides to not spend any Edge at this point.

Mungo’s player rolls his 10 dice and gains 3 successes. GM opposes the test with 5 dice and gets 2 hits. Mungo’s Data Spike lands with a total of 1 net hit. GM notes that Mungo’s overwatch score increased by 2 from the defense and by another point because of the hacking program that was used.

Determine effect.

With a Device Rating of 2 the gun has a Matrix Condition Monitor of 2/2+8=9 boxes. With an Attack of 4, increased to 5 due to the Emergency Boost action, Data Spike in this case has a base Damage Value of 5/2 which is rounded up to 3. It is then increased to 4 from the net hit.

Matrix damage is opposed by Firewall. GM roll 3 dice and get 1 hit. The gun takes 3 boxes of matrix damage. Anyone taking a shot with it will now get a negative dice pool modifier of 1 dice. Mungo makes a mental note that he should probably invest into a more powerful cyberdeck if he ever wishes to engage in more cybercombat in the future.

A bit of smoke and small sparks emerge from the firearm. The guard goes into panic mode as he takes cover behind a dumpster. Mungo automatically notices that the device icon of the firearm disappears from the matrix as the security guard spends a Minor action to successfully turn off the wireless capability of the pistol (which was resolved as an unopposed Electronics + Logic test where you need at least 1 hit). The security guard also spends his Major action on Full Matrix Defense, adding Firewall to his defense roll in case another Data Spike, or other damaging matrix attack, is coming his way.

Brute forcing access to a PAN

Mungo chuckles as he takes a sip from his soykaf and wonders if the security guard will call this in or not. Monitoring communications, however, require Admin access. To probe the network in order to get access to the PAN via a backdoor would take too long so instead he decides to brute force access on the network directly.

Brute Force is normally resolved as an opposed Cracking + Logic vs Willpower + Firewall test, but since Mungo is going for Admin directly the Firewall gains a positive dice pool modifier of 2 dice. Note that since Brute Force is linked to Attack, by the optional rule, Firewall could be added to the defender a second time as part of the Full Matrix Defense action even though Brute Force technically doesn't deal Matrix Damage on its own.

Typically AR and DR during Matrix encounters would evaluate the same as the first time and Mungo would get a point of Edge just like during the data spike action before, but when going for Admin access directly with a brute force attempt the DR of the target is increased by 4 which means neither side gains any Edge on this specific action.

Mungo’s player lucks out with 4 hits while the opposing side gets 3 hits. GM notes that Mungo’s overwatch score increased to 7, three from the opposing defense and again another point due to the hacking program being used.

The Brute Force attempt was successful and Mungo now has Admin access on the security guard’s PAN. Just like Data Spike, Brute Force is an action linked to Attack which means the action is immediately obvious and the security guard is now fully aware of the fact that a hacker is present inside his Personal Area Network.

Eavesdropping on an outgoing call (Snoop)

With being considered an Admin on the security guard’s PAN, Mungo can now attempt to snoop all incoming and outgoing communications.

Mungo’s AR is 4 higher than the security guard’s DR and he gets a point of edge (it evaluates in the same way as the previous Data Spike).

Snoop is resolved as an opposed Cracking + Logic vs Logic + Firewall test. Mungo’s player gets 3 hits while the opposing side gets 1 hit. GM notes that Mungo’s overwatch score increased to 9.

The Snoop attempt was successful, but unlike the previous Data Spike and Brute Force, this action is not linked to Attack and since the attempt was successful the security guard is unaware that his communications are currently being monitored. Mungo gets to immediately listen in on (and record if he so wishes) an on-going voice conversation the security guard has with an unknown recipient. Apparently it seems as if he is calling some sort of matrix specialist.

Example 2; Tattoo’s Point of View

Using Matrix Perception to find a silent running hacker
Probe + Backdoor entry a PAN
Trace Icon
Complex Form usage

3km away, Tattoo receives a distress call from an old friend that she has not talked to in ages. “Calm down Bob, what is happening”, she says. After a few seconds she understands that Bob was patrolling the local mall when some punk started to throw data spikes at his equipment and, from what Bob is describing, perhaps also successfully invaded his PAN.

Her body goes limp on the couch, the room around her quickly fades away and everything slows down as her mind speeds up and she slips into hot-sim VR.

Using Matrix Perception to find a silent running hacker, Trying Again.

Tattoo tries to “spot the hacker that is currently attacking Bob’s network”. Normally it is a Major action to spot a silent running network, but since Tattoo is a Technomancer using a Living Persona it is only a Minor action (it is also a Minor action for characters that use a cyberdeck and/or a cyberjack). Matrix Perception is resolved as an opposed Electronics + Intuition vs Willpower + Sleaze test. The test suffers a negative dice pool modifier of 3 dice because of noise due to distance.

Tattoo gets only 2 hits, while the eluding hacker gets 5 hits; and the attempt fails.

“Perhaps he already jacked out?”, she thinks to herself as she decides to double check by spending another Minor action to Try Again, just to be sure. Retrying a test when circumstances have not changed imposes a negative dice pool modifier of 2 dice - yet she manages to get 6 hits, while Mungo gets 4 hits. Just by being successful Tattoo now locates the hostile network and with the net hits Tattoo also discovers that it has a Device Rating of 1 and that it is running Signal Scrub and Exploit. “Heh, so… you little punk… you are just running an Erika MCD-6 are you“, Tattoo thinks as her body is lifeless on the couch at home. “Now… where are you hiding you little bastard”.

Gaining illegal access to a PAN via Probe...

Tracing the physical location requires Admin access. Determined to not spook the hacker until it's too late, Tattoo decides to silently probe the network for weaknesses.

Unlike a decker, a technomancer's ASDF array is derived from their mental attributes. With Charisma 4, Intuition 5, Logic 5 and Willpower 6 she ends up with a base ASDF array of 4 5 5 6. On top of this, with a Reconfigure Matrix Attribute minor action, she distributes her Resonance attribute of 5 with 2 points on Attack and 3 points on Sleaze for a total ASDF array of 6 8 5 6.

This gives her an AR of 6+8=14. As she initiates the hack this is compared to Mungo’s DR of 3+4=7 and she gets a point of Edge because of the difference.

As most illegal matrix actions, Probe is resolved with Cracking + Logic. Probe is a bit special in that it is opposed by either Willpower + Firewall or Firewall + Firewall. That the test has two listed defence tests means that for example a Host that is not monitored by a Spider is allowed to defend with Firewall + Firewall (instead of just 0 + Firewall). The test also suffers a negative dice pool modifier of 3 dice because of noise due to distance. Probe is also linked to Sleaze, but since her Sleaze attribute is equal or higher than her Attack attribute she does not get a negative dice pool modifier because of this.

Tattoo and Mungo both get 3 hits. Ties typically go to the aggressor so the test was a success and Tattoo finds a glitch that might be possible to exploit in order to get inside the network, but since it did not generate any net hits there will not be any bonus dice to the following Backdoor Entry attempt later.

She now has the option to extend the test and roll one less die than the previous attempt (while the target does not reduce theirs) in hopes to generate some net hits, but in the process she would also risk losing the backdoor she already secured. She thinks for a second, but even though a failed attempt would typically not cause any alarms she decides she rather not spend more time probing the network and instead take her chances to take the Backdoor Entry action without any extra net hits.

...followed by Backdoor Entry

Tattoo takes a deep breath before she goes for the exploit she just found. Failure here means that she needs to start over, probing the network again.

Tattoo’s AR is still a lot higher than Mungo’s DR (it evaluates in the same way as the previous Probe attempt) and she gets another Edge because of that.

Backdoor Entry is resolved with Cracking + Logic vs Willpower + Firewall. The test suffers a negative dice pool modifier of 3 dice because of noise due to distance. Tattoo gets 6 hits and Mungo gets 2 hits. Tattoo gains Admin access on the target network without Mungo noticing anything - she is like a ghost in the machine.

Tracing physical location

Still in the same player-turn, she trades in her remaining 4 Minor Actions for a Major action and immediately starts a trace. AR and DR still evaluates the same way as the initial Probe so she gets another point of Edge, which is also the maximum number of Edge she may earn during a combat round. Trace Icon is an illegal action that is resolved with Electronics + Intuition vs Sleaze + Willpower (or Sleaze + Firewall). Due to the distance there is still a negative dice pool modifier of 3 dice. She is successful and now gets to track the hacker, in real time, for as long as she can detect him - even if she decides to drop the admin access on his network. The hacker is currently located in a café in the very mall where Bob is patrolling.

Threading of a complex form

“Let’s see how big ripples you caused in the matrix so far”, Tattoo thinks, as she starts to thread complex forms on the hacker’s network that mimics telltale signs of illegal activity. Planning to thread enough of them to eventually have GOD converge on the poor sob.

She again gets a point of Edge. Tattletale is resolved as an Electronics + Resonance test where each hit adds 1 to the OS of the target. She gets 4 hits and Mungo’s OS consequently increases by 4.

Tattletale also has a Fade value of 3, which is resisted by Willpower + Logic. She gets 3 hits which is enough to resist all of it and she takes no damage.

Being in hot-sim VR she trades her remaining 4 minor actions for a major action and attacks Mungo with another Tattletale. She gains another point of Edge as she takes the Electronics + Resonance test. This time she gets 3 hits and Mungo’s OS is increased by another 3 points.

Resisting Fade 3 wth her Willpower + Logic this time only gets 2 hits. Fade that is not fully resisted deals damage directly on the stun condition monitor of the technomancer, unless the remaining damage is higher than the resonance attribute, in which case the damage becomes physical.

At the same time as she takes the stun damage, Tattoo spends 3 of the Edge she already earned on the 3-point Edge Boost “Heal one box of stun damage”.

Complex forms are generally pretty subtle, but Mungo would automatically notice that his OS went up if he was running Baby Monitor, which Tattoo knew he wasn't. He could also find out by frequently taking the Check OS action, but until he does he has no idea at all that GOD is about to converge on him. Any second now….

Example 3; Spike’s Point of View

Hacking a standalone object (can of Dragon Piss, or such).
Spoof Commanding a maglock to open (protected by a Host, but on the visible side of the event horizon)
Control Device-ing a security drone to turn on its handlers (protected by host, and inside the event horizon, going for Brute Force access due to the time constraint)
Altering cybereye/camera feeds to edit out images of infiltrating teammates

Hacking a standalone object (can of Dragon Piss, or such).

Spike tries to gain User access on a can of Dragon Piss, an unattended device that is not part of any network. Since it is not running silent or otherwise trying to hide he notices its device icon without taking an opposed Matrix Perception test. Brute Force is resolved with Cracking + Logic vs. Willpower + Firewall.

Since the can is unattended and have been for quite some time it will use zero dice in place for the mental attribute. It is also not part of any network which means it does not have any Firewall, instead it uses its device rating of 1 as substitution to Firewall.

Spike will probably not fail with this test (and GM will probably even let him buy hits here), but GM should still roll the opposing die to check if overwatch score is generated or not.

Hacking a random defenseless standalone object does typically not grant any Edge.

Spoof Commanding a maglock to open (protected by a Host, but on the visible side of the event horizon)

The team informs Spike that they are in front of a door that is closed shut by a magnetic locking mechanism. The maglock is part of the Host network, but it is a matrix facing device located on the visible side of the Host’s event horizon. This means Spike may spot it without an opposed Matrix Perception test.

It also means he may Spoof a simple one and done Command, for example “unlock” or “lock”, to the maglock remotely from his van without having a direct connection to the device and without having User or Admin access on the Host network. Since Spoof Command is an illegal action, opposed hits of this test will increase OS.

Note that since Spoof Command is not linked to Attack nor Sleaze this could also be attempted by someone only using a RCC or a commlink, just as long as they got the required Cracking skill (but since their AR would be zero the spider monitoring the host would probably gain a free Edge in that case).

Control Device-ing a security drone to turn on its handlers (protected by host, and inside the event horizon, going for Brute Force access due to the time constraint)

The team gets ambushed by three guards and an armed security drone. The shit is about to hit the fan. The drone is not only part of the Host network - it is also considered to be on the ‘inside’, behind the Host’s event horizon.

Even if the drone is on the inside of the Host, Spike may still take a Matrix Perception test to spot it if he wishes, but it would in that case be opposed by Willpower of the corporate decker monitoring the Host (if it has one) plus Sleaze of the Host.

Spoof Command could be used to trick the autopilot of the drone to accept a simple one and done instruction, for example “fire one narrow burst at one guard”, but because the drone is behind the event horizon of the Host, Spike would need to first establish a direct connection to the Drone (or hack the network to get to the inside). The drone would defend against the Spoof Command action with Firewall of the network plus the higher of either Data Processing of the network or its own Pilot rating.

As Spike is out in the van he can’t establish a direct connection and is instead forced to hack the network. Spike goes for a quick and dirty Brute Force + Enter Host hack (rather than a slow and sneaky Probe + Backdoor Entry hack). Brute Force is resolved with Cracking + Logic vs. Willpower + Firewall.

Since it is linked to Attack it will always be obvious and the Host will go on high alert. Patrol IC will start looking for the offending hacker (if Spike is not already running silent he will automatically get spotted once he decides to Enter the Host). Depending on security protocols the Host might start launching more and more dangerous IC at the end of each combat turn (but they can’t act on Spike until the Patrol IC of the Host successfully locates him). Each combat round Spike chooses to maintain User access on the network his OS will also automatically increase by 1. On the plus side, Brute Force only takes a Major action to execute.

Once being inside the network, spotting devices that are part of the network will no longer be opposed, no matter if they are on the public matrix facing side or behind the event horizon of the Host. Instead of Spoofing a Command to the autopilot of the drone, Spike takes the Control Device action to get sustained control over the drone. Control Device is resolved with Electronics + Logic vs. Willpower + Firewall. Unlike the Spoof Command action, opposing hits from the Control Device action does not generate any extra OS.

Unlike Spoof Command, Control Device also lets Spike choose to either instruct the autopilot of the drone to take more complex actions (for example “keep firing narrow bursts on the troll until it drops to the floor”) or directly remote control the drone himself, using his own skills and attributes (for example Engineering + Logic to fire its onboard weapons).

Illegally spoofing a command, legally commanding or directly remote controlling will automatically fail if the device is already under the direct control of someone else (if for example someone has already jumped into it), but luckily for Spike and his team the drone was just running on autopilot.

Altering cybereye/camera feeds to edit out images of infiltrating teammates

Spike’s exfiltrating teammates are about to cross the line of sight of a camera.

If a surveillance camera is not behind the event horizon of a host (or Spike have a direct connection to the camera), no matter if Spike have access on the network or not, he can use Spoof Command to trick the camera to accept a simple one and done instruction, for example “turn 15 degrees to the left”, in order to create a blind spot along the corridor wall under the camera that his teammates can use to slip by without getting recorded.

He could also Data Spike the camera until it is fully bricked, but this would not be very subtle and alarms would probably be raised (then again, this could perhaps be used to create a diversion of sorts).

But since Spike already has User access on the network (from the previous Brute Force+Enter Host hack) he instead chooses to directly edit out his teammates from the video feed. This is handled by taking the Edit File action once every combat round as long as his team happens to be within line of sight of the camera. Edit File is resolved as an opposed Electronics + Logic vs. Intuition + Firewall or Firewall + Sleaze test and since it is a legal action it will not generate any extra OS due to opposed hits (but maintaining illegal User access from his Brute Force hack will still increase his OS by 1 every combat round).