90 ratings
The truly Untrust(ed)worthy Guide
By [TAG]Alblaka
A singular super-guide dedicated to providing basics, common gameplay tactics, detailed class & ability explanations, and intermediate strategies.
Welcome to the One-Stop Super Guide for Untrusted, an ambitious little project to write a singular guide that will cover most of your newbie, basic and intermediary tactics. The guide is a living work and will (potentially) be expanded as the game developes (do feel free to leave more tips and feedback in comments, I'll gladly add your input to the guide as well).

Note that the guide is not necessarily meant to be read in one go, especially not if you're new to the game (like, how many pages is it at now?). Maybe check out the basic sections (I've marked them with a (!!)) first, play a bit whilst cross-referencing the guide's class section with what you rolled, and read the other sections somewhen later.

Also the obvious disclaimer that the Class-specific sections are intentionally kept to a single, simple playstyle. Of course you can pull a double Blackhat claiming Journalist and then 'revealing' as Scriptkiddie stunt... but new players shouldn't try.

But now, enjoy!
And remember the first rule of the game: Don't trust anyone!
Except this guide. Always trust this guide!
(But don't, it might be a mole...)
Useful Links / Resources
Just a quick heads-up on some links you might find useful:
  • The official manual webpage[www.playuntrusted.com], accessible even without running the game.
  • Untrusted's public Discord server[discord.com]
  • Offical documentation of the order in which actions are resolved[www.playuntrusted.com]
  • The link for accessing your profile (which is always public, includes your stats, and the logs of the last 10 games played (great for figuring out where something went wrong) is "https://eu01.playuntrusted.com/profile/PLAYERNAME/". Note that you must only replace the PLAYERNAME, the "/" at the end is actually mandatory.
(!!) Gameflow Overview
... something that neither tutorial nor manual seem to aptly cover. Here's the gist of it:

Everyone 'is' NetSec (NetSec = 'The Good Guys' ~= Townies ~= Innocent). Except those that aren't.
2 of the players are Agents who inflitrated NetSec, additionally there's a number of Neutral roles, depending on total player count.
No role can be present more than twice (barring a very specific item you shouldn't concern yourself with), some roles are unique (most notable the leaders of both factions).

Games can start with 10-16 players, which influences
  • the number of Neutrals (and NetSec) in the game. But it's always 2 Agents.
  • how many people the AL (Agent Leader) can convert. 1 for <= 12 players, 2 for > 12.
  • the time limit. Can be between 7 and 9 days, scaling with player count. Will be announced alongside your class in the Event Log at game start. (Note that there are ways to increase the time limit in-game.)
  • the size of the topology (the laptops and servers). More players = larger network to hack.

In the game, you switch between DAY and NIGHT phases. Most classes have actions for both phases, but some are limited and only really active at one phase.
At DAY, the game revolves around the topology: Hacking new nodes, mining old ones, launching rollbacks or using DDOS (to name a few).
At NIGHT, the game revolves around the operators: Arrests/murders, investigation, blocking or protection (again, only to name an examplary selection).
As general rule of thumb, operators cannot affect other operators with abilities at DAY, nor affect network nodes with abilities at NIGHTS. (There are a few specific exceptions, such as 'ISP Isolation' at DAY or 'Wipe' at NIGHT... but more on that later.)

To elaborate on what usually happens, during a DAY
  • most NetSec classes will hack nodes, as assigned by OP, or assist in hacking nodes.
  • some NetSec classes might do other tasks (or be unable to perform useful Day actions)
  • Neutrals will generally pretend to be hacking nodes (possibly doing something else)
  • Agents will generally pretend to be hacking nodes (possibly doing something else)
At the end of a DAY
  • the results of all hacks issues during the DAY phase will be evaluated, and usually some nodes get captured. For each node captured, EXACTLY ONE person gets a success confirmation. Common lingo: that operator 'SEIZED' the node (or might 'claim' to have seized a node).
  • not all hacks will result in success. (And fake hacks by Neutrals/Agents cannot result in success.)
  • a DDOS might be revealed and cancels hacks or Rollbacks
  • a successfull Rollback might be revealed, 'uncapturing' one of the nodes (and cancelling all hacks beyond the rollback'd node)

Generally, Netsec will want to hack 'forward' (aka, progressing towards right) to reach their target, whilst Agents (and some Neutrals) will try to stall or actively hinder NetSec.
Note that time is short: You got 7 days to hack 4 columns for 10 players, and 9 days to hack 5 columns for 16 players. You need 1 day minimum per column, and the AL's Rollback will usually cost you 2 days. Math dictates NetSec is under very relevant time pressure to complete their 'DAY objective' on time.

  • NetSec classes have a variety of abilities, most of them of the category protecting (themselves or others), blocking (Midnight Visit) someone, investigating someone in some form, or setting up other actions
  • Agents go on the offense and can use their various arrest, conversion and/or investigation abilities
  • Neutrals do a wide range of activities that can't be summarized easily.
A usual NIGHT is likely to conclude with
  • 1 or more operators being arrested. If there's no arrest in a Night that deserves a raised eyebrow (Agents either hit an arrest-immune neutral, the arrest was protected against, or the arrester got blocked.)
  • multiple operators will be blocked by random Midnight Visits, preventing their Night Actions (except Midnight Visits, they cannot cancel each other).
  • some people are likely to have been watched by an investigative ability (usually Netsec or Neutral, rarely Agent).
  • rarely somebody gets murdered. There's very few abilities like that, and only ONE (Sociopath) that can be used before N4 (Night 4). Most deaths will be the result of lynch votes or disconnects, not NIGHT actions.

At both DAY and NIGHT,
  • all operators can talk in the public chat
  • all operators can access the player list, dead/arrested player's logs, the Event Log, or check the public topology and pwned nodes' access logs
  • all operators can access their own Personal Logs and edit them
  • all operators can send mails (private messages / whispers) to other operators
  • Agents can talk in their private ASC
and, most importantly:
everyone can vote to have an operator killed at the end of the phase.
Anyone can place a vote against anyone (alive) by clicking their name. You are locked into your choice for 10 seconds, after which you can change it to someone else (or cancel it by selecting the same person).
Votes are public, and a counter tallies the total number of votes, turning GREEN if a majority is reached and YELLOW if a majority will be existant if the OP voted for this person. This is because the OP's vote is tallied once, but counts double.

Note that randomly voting for people for no reason is frowned upon and might get your voted in semi-justified retaliation.
Generally, if suspicion exists, the first action is to demand logs. Followed by a lynchmob if no log is provided within the next 10-20 seconds.
Note that pointing out an obvious contradicton in somebody's log (or in the network node logs) is a very good reason to start a lynch vote,
and it's usually accepted that the OP can demand for logs and call for lynches at any given time (mileage may vary according to perceived competence of OP).

Be wary of unanimous votes on anything but crystal-clear Agent screw-ups. If everybody voted, that means the other Agents and Neutrals voted in favor. If there's 6 people left, 2 of them Agent, and you are NetSec, and you manage to get 5 people to vote for the one fellow... chances are he's not an Agent.

If a phase closes with a majority of votes, that operator will die, with no way of preventing it in any shape or form, in the coming phase transition. Note that the lynch death will be processed before anything else that happens at NIGHT. Therefore, i.e. lynching a Field Agent in a NIGHT phase will prevent them from arresting anyone that NIGHT.

I hope this provides you a rough overview of how games tend to run.
(!!) waht do i hack - "Top Top Bottom Bottom" / "split"
The tutorial does a great job at passing the OP the completely dumb and mundane duty of telling people the obvious: In the assumption that hacking classes are pretty evenly spread across the player list, and without any other information to act on, the best move is always to split up and try to hack as many nodes 'forward' at once as possible. (This may change in the later phases of the game, but then you'll probably have a good grasp of what needs to be done anyways, and OP can take actual lead, with actual information.)

Therefore, apply the rule of thumb: Top Top Bottom Bottom (also referred to simply as '(do) split')
  • The top half of the player list goes for the top node, the bottom half of the player list goes for he bottom node. (Of whatever rightmost layer available.)
  • If there's only one node, the answer becomes even more obvious.
  • If there's three nodes, simply split the list into top, mid and bottom.
  • If you have two choices that aren't in the same column, top half of list takes left, bottom half of list takes right.
For anything more complex, and for special DAY abilites, this is when you actually need the OP's input. Everything else should be common sense.

Note that this is a 'generic' instruction 'for hacking classes'. You do not need to explicitly point out that you cannot hack, nor do you need to apologize for, i.e., Data Mining. The rule of thumb, or alternatively OPs general instructions, are meant to avoid overlap, NOT to mandate the low-skill hacking classes to waste their DAY action on hacks the Blackhats can take care of.

Addendum: It's not really relevant whether that split is perfect, because whether it's 5 unknown-classes-claiming-to-hack or 6, the result is approximately the same.

The key reasoning behind this default approach is that, especially early, NetSec has a lot of hacking power... so focussing on too few nodes is likely to waste successes that could have garnered multiple nodes in a single DAY.
Towards the middle of the game, splitting up makes it harder for hostiles to block NetSec hacking efforts with Rollbacks or DDOS. And going to an off-path branch might reveal an alternative route that a rollback won't affect, or at least discover a secondary target, or give a Journalist a dead-end to dramabomb.
Only towards the end does the rule of thumb become less prevalent... but at this point you probably intuititvely know which direction to hack, with or without an alive OP providing (useful) instructions.

As the game progresses, and the player list (in all likelyhood) grows shorter, and Blackhats and non-hackers might become reveal, it's possible that OP will rearrange the list into different groups. Such as "Blue to Magenta is top, everyone else is bottom". Or maybe even put in an effort and assign individual colors to specific callsigns (Aka, "Blue, Yellow, Magenta, Red, you are all alpha. [...] Alpha go for 177).

Another addendum: Generally, refer to nodes either by their position (top, bottom, right, next), their type (laptop, server) or the last 3 digits of the IP.
There's no reason ever to type out the full IP, since the first 3 segments are always identical for all nodes within a single game.
(!!) "No Logs, No Mercy" - Information Asymetry
Right now, ask yourself, do you know how to use the personal log? If the answer is anything but "Yes", read the following paragraph, then head to the tutorial and play around with the log until the answer is "Yes". (I'll explain why, further down the line.)

Seriously, you WILL be lynched in the game if you don't know how to log, and it's NOT fun to be lynched early on for "no reason".
(And it honestly is a dull bummer of a game for everyone if Agents don't even try to protect themselves from a lynchmob with a half-decent log.)

Instead of writing down information manually in a Death Note or Last Will, in Untrusted you use a Personal Log, filled with semi-automatically generated entries. This means, whilst you can write log entires, you shouldn't (except for adding additional comments between log entries).
Simply pick the class you want to pretend to be (your actual class is always pre-selected, so in case of NetSec, you probably don't need to change that) in the bottom right (RED).
As well, don't forget to type out your class in the first line of the log. No, it does not fill that in automatically, and yes, people have been lynched for forgetting that part.

Depending on your selected class, you can then select a time (DAY/NIGHT) and will see an according set of actions (BLUE). Note that the game will even label actions that do not fit the chosen time frame with [N/A] (i.e. you cannot Hack Target at NIGHT, nor can you Midnight Talk at DAY), and that you cannot select a timeframe that has not happened yet.

Depending on your action, you might be able to select a target (YELLOW). This could be either a player or a node (IP Adress).

After selecting the correct target (or not having to select), click 'Append to Log' to add the line (note that it will always be added to the bottom, regardless of where your cursor might be. The log has full Copy/Paste support though). Your entry should appear in the GREEN circled area.
If you did not perform an action, you can hit "Append Empty Action" instead. As a default, always log for each time span, either the action, or an empty action.

If you do your job right, your log could look like this example
Note that, in this example, I manually added comments below NIGHT 1 and NIGHT 2, adding information on what happened to me those nights (i.e. I was midnight visited N1, and almost arrested N2).

Bonus fun fact: Logs tend to have a lot of entries, so if you want some to stick out, CAPS don't really help (as DAY / NIGHT is already in caps). But putting a " - " in front does, because the indent breaks the text pattern. So INDENT important entries (and being attacked, or figuring out a not-netsec, are pretty important entries).

At this point, please try writing a log (in tutorial) yourself.

Okay, now that you know HOW to write a log, on to the question as to WHY you need a log: Information Asymetry.

In this game, Netsec has the numbers, but lacks information, whilst Agents are always outnumbered, but have a lot of information, such as
  • who the other agents are, and what their abilities are
  • how the topology looks (i.e. where the target server is, and which nodes are critical chokepoints)
  • what the rest of their team is doing (as they can talk on a secure channel)
  • who was targeted for arrests and conversions, and why they may not have succeeded

Therefore, any additional factors of obfuscation / disinformation / confusion / lies are an advantage for the Agents, and a disadvantage to NetSec.

Logs are the best way to keep detailed information and debunk lies, and consequently are NetSec's most valuable tool to compete with the Agents. Therefore as NetSec, your #2 priority (after using your actions) is to keep your log accurate and up to date.
Seriously. Decide on an action (usually, it should be obvious and maybe even be clear the phase before), then log that action. You got 120 seconds to make those couple clicks, everyone can do as much.
If you for some reason make last second changes, or forget to log, immedeately fix that in the next phase. You can freely edit your log, make sure it's accurate, clear and orderly. Massive discrepancies in logs, such as three consecutive "NIGHT 3: nothing" are indicative of someone panicking and trying to hurry a log when being asked for logs, aka, they are indicative of a non-NetSec. You might end up being lynched for that alone.

Which, in reverse, means that everyone faking a role (aka, Agents and Neutrals) is forced to keep an accurate and detailled (if falsified) log as well, or it will be immedeately clear that they are lieing. This is twice as relevant because it's very easy to keep a honest log, but a lot harder to fabricate a flawless lieing one. Therefore, demanding everyone to keep a log is reasonable, because it's easy for NetSec themselves.

That's where the "No Logs, No Mercy" comes in: If there is any doubt (or 'sus') on any operator, and they lack the ability to verify their class through a past or present action, they must post their logs. Because way too often Neutral/Agent classes will fail to fabricate good logs, and calling them out on a contradiction is a free lynch in favor of NetSec. There's no excuse not to keep a log as real NetSec,
thus if you claim to be NetSec, but cannot provide a log upon being asked, you will be lynched. And rightfully so.

ergo: No Logs, No Mercy.

To post your log, select the part of the log you want to post (usually everything. Note that not selecting anything will occasionally default to everything), and hit "Send selection and close". This will copypaste your selected log entries straight into the public chat.

(Note that being 'unable' or unwilling to post your entire log, or 'accidentally' only posting half of it is extremely suspicious and usually grounds for being lynched.)

Now, mind you, there are some specific instances where a NetSec might want to omit critical details from his log. Such as figuring out the OP's identity. And it's fair to then redact/censor that part of your log, just as it is fair to (to evoid textwalling) to only post selectively relevant parts of your log (but you should always post your entire log if it's generically asked for).
But the rest of your log should nontheless be perfectly accurate and complete at all times, especially at the end of a NIGHT phase (after which you might wake up in jail).

Also, note that "I'm too important to reveal logs" is never an excuse. The only person who can truly claim that is the OP, and they can just send an anonymous "X is good, no need for logs" message to protect themselves (and also totally give their own cover away, but eh, better than being lynched).
Key events during the DAY - Rollback and DDOS
There's a number of things that will happen during the day, which may or may not end up being misinterpreted by new players, therefore here the synopsis:
(Note that all Rollbacks and DDOS (if successful) will always be made public to everyone in the Event Log.)

A rollback is an Agent-sided tool that reverts control of an already captured (network) node. It stalls NetSec's progress, and usually costs them 2 days if executed on a chokepoint: One day because any hacks further down the line will automatically be cancelled, the second day because NetSec will spend the next day recapturing the rollback'd server.
Note that this requires a node to be a chokepoint in first place. Aka, a node through which all traffic from left to right must flow. If there are multiple nodes in the same column, all pwned by NetSec, and all of them connect to a target node in the next column, then the previous nodes are NOT chokepoints, and rolling them back wouldn't hinder NetSec (significantly).

To examplify (from the perspective of an Agent, who has full topology knowledge):
RED circled nodes are chokepoints. If either of the two is ever rolled back, all hacks will fail and NetSec will lose their 2 days.
The ORANGE circled node is practically a chokepoint (because it is the only path to the target server), but technically rolling it back wouldn't stop a hack against the topmost laptop in the 3rd column (as it can be reached through the previous chokepoint node).
All of those 3 nodes are valid and valuable targets for Agent rollback's. And, as explained earlier, the Agents have the advantage by knowing which nodes are chokepoints from the get-go, whilst NetSec will only figure this out as they hack and explore the topology.

Note that ONLY the rollback'd server is ever 'lost'. If, i.e., the very first in line of nodes is rolled back, all nodes will disappear from the public topography, but only one node was rolled back. The other nodes are still under NetSec control (aka: 'pwned'/owned/green), but simply cannot be accessed until the rollback'd node is recaptured. So don't get overly discouraged by 'the entire network just disappeared', not all progress is lost.

As for the presence of the Rollback skill: It is a DAY action with exactly 1 charge, meaning it can only be performed ONCE. As well, there's only three classes that have the ability to do Rollbacks: The Agent Leader (always in the game), a Journalist (Neutral, likely to have 1 or rarely 2 in the game, but will be lynched if she uses it) and Offense Moles (converted Spearpisher/ImprovHacker).

This means, in any game, you almost certainly will end up being rollbacked once by the Agent Leader unless the AL is taken out early, or loses his rollback to a DDOS.
If more than 1 rollback occur, this means the Agents either managed to convert a Spearpisher (which is possible, but very rare, as Spearpishers are a single specific class, and can protect themselves from conversion), or that a Journalist decided to screw over NetSec. (Which, coincidentally, is the single-most hotly debated reason as to whether Journalists should ever not be lynched...)

Sidenote: Therefore, a NetSec friendly move for a Journalist would be to intentionally 'waste' a rollback on an unimportant node that isn't a chokepoint. This way, you remove your only threatening ability and might persuade NetSec to leave you alone.

An important drawback of the Rollback: As any action on a node, Rollbacks leave a log of who performed a Rollback.
Silver lining: Rollbacks by Agents or Offense Moles (but not the Journalist!!) additionally generate fake log entries.
This means, once you recapture the node next day, you can check the previously rollback'd nodes logs for who did it, and will usually get a list of suspects. ONE of the entries of people accessing the node at the DAY the Rollback occured, IS THE AGENT WHO PERFORMED THE ROLLBACK. It is well advised to start aggressively lynching people (especially those that cannot prove they couldn't have done it) on that list until you find the Agent.

As for the most interesting section to you (maybe): How to prevent a Rollback?
There is exactly one way to prevent a Rollback: execute a DDOS on the same time and node as the Rollback occurs.

Distributed Denial of Service
A DDOS occupies any one target node, and pre-emptively blocks all DAY actions on that node (except the Tamper Logs action, which specifically states it uses physical access circumventing DDOS).
Which means it can
  • prevent NetSec from hacking an open node (bad).
  • prevent a data miner from digging for intel on a pwned node (kinda bad, but legitimately happens frequently and is not a big deal).
  • prevent the execution of a Rollback, whilst consuming the Rollback's single charge.

Therefore, predicting when an Agent (Leader) will use his only Rollback charge, and sniping it with a well-timed DDOS is an extremely powerful move that can potentially decide the game and secure NetSec victory.

As for who has it:
  • Only Blackhats, the most powerful hacking class NetSec has
  • and Scriptkiddies, which makes them surprisingly useful to NetSec, but which can put them on the list of targets-to-be-arrested of Agents, depite the Scriptkiddies Neutral alignment.
  • Aaaaand Agent Leader (with a 33% chance). But it's impossible for him to DDOS his own Rollback, so not quite as relevant here.
Only those three classes can DDOS, and only the Blachat is certain to be siding with NetSec.

Whilst protecting an pwned node against a Rollback is considered a 'benign' (= good) DDOS, there's as well a way to perform 'malicious' (= evil) DDOS: If you DDOS a node that NetSec is trying to hack at the same day, you effectively waste their DAY and all operator's actions targeting that same node.
Performing a malicious DDOS as a Scriptkiddie is legitimate, but a great way to get yourself lynched, doing it as an Agent Leader is fair game, but risky for the reason mentioned in the next paragraph. Performing a malicious DDOS as a Blackhat is almost always a case of active gamethrowing and a reportable offense (and as well will get you lynched as Scriptkiddie).

Note that as of the recent patch, DDOS no longer creates logs on nodes. This means a BH could DDOS a node without revealing themselves plainly, but it as well means an AL can DDOS with relative safety. Also, it makes it that bit more tricky for the SK to cheaply confirm themselves as source of the DDOS, especially if 2 SK (legitimately or otherwise) claim to have DDOS'd the same node at the same time.

Note that the Network Specialist has the unique 'Wire Shark' DAY ability that, when used at the same DAY, automatically reveals to them the identities of anyone who launches a DDOS at that DAY.
Be mindful with that knowledge, because combined with whether it was a benign (on pwned chokepoint) or malicious (on unowned node) DDOS, this can give you intel on who the Blackhats (valuable NetSec), Agent Leader (valuable Agent) or Scriptkiddie (...) are.
If you want to dodge a Wire Shark: Be advised it comes with a hefty 3 Day Cooldown. I.e. usage on D1 means D2 and D3 cannot be sharked... unless there's two Network Specialists coordinating.
Personal events after a DAY - SEIZE and ISP Block
There's a few very specific things that can happen during a DAY, that only provide you a personal log and aren't visible tot he public. The more common ones are:

Successfully seizing a node
Whenever a node is hacked by NetSec, ONE hacker participating in the hack 'gets the credit' for 'seizing' the node. To them, the Event Log will reveal that they 'successfully hacked' the node, whilst it will display a(n expected) failure to all other hackers.

That information is valuable, because it's most likely to apply to NetSec classes, specifically OP, Blackhat, Network Specialist and Social Engineer (who all have above-average hacking skills).
However be wary that an Agent Leader with the Hack skill (33% chance) has a high hacking skill as well, and that even Rival Hackers, Sociopaths, lesser NetSec classes and very rarely even a Scriptkiddie can successfully seize a node.

So, proclaiming that you seized a node kinda puts a 'I'm a valuable NetSec Class' target on your back that can draw arrest attention... but is not necessarily confirmation enough for anybody to trust you.

DO LOG a successfull seize (if just to contradict some Neutral/Agent class trying to take credit), but ponder carefully whether it is worth revealing it.

DO CONSIDER COUNTER-CLAIMing if somebody falsely announces success on a hack against a node that YOU actually seized. There's very little reason to make that fake claim, and since lieing is bad for NetSec, you should rightfully try to get the other operator lynched. (Good luck proving it was actually you, though.) If you don't think you can get them lynched, make a big remark in your log to have that person lynched for lieing and save it for later.

DO CLAIM SUCCESS WHEN you were the only one to even access that node. Bit of a honey trap, but if you're the only person who accesses a node the day it was hacked, the fact that you seized the node is essentially public knowledge... yet it's Agents and Neutrals that are most likely to actually check on node logs and then specifically target you, so it's likely adviseable to point out to the public that you just, verifyable, seized that node (unless you think Agents are likely to miss it anyways) and potentially need protection.

Your Internet Connection suddenly failed
As in; in-game...
The Field Agent has a valuable ISP Isolation skill, that allows them to block one operators DAY action. It has no cooldown, but only 3 charges, and if the Field Agent decides to use it they cannot have fake-hacked and therefore left a log on a node at the same day. As in: If somebody consistently 'helps hacking', except for the days where, conveniently, your net shut off, then they're potentially the Field Agent.

Therefore, as NetSec, ALWAYS announce you have been ISP Blocked. This goes double since Neutrals or even Agents may 'log' that 'I have been ISP Blocked, that's why I didn't hack that DAY' to cover their limited hacking abilities or other malicious activity.

If somebody has ISP Block on his log, but did NOT proclaim this publicly the DAY it happened, this is EXTREMELY SUSPICIOUS and usually warrants a lynch.

Sidenote: Of course this means non-NetSec classes can loudly proclaim ISP Blocks, either to sow confusion or otherwise give the Field Agent hints... but the Network Specialist can actually verify whether that claim is true in the following NIGHT, so that's a risky play. That's why you can usually trust public ISP Block claims to be honest.
Node Logs - How to read them, and how to READ them
Being able to read and actually UNDERSTAND node logs seems to already be a lost art, but given it's such a fundamental (and even simple) skill, it shall be included in this guide:

As explained in the tutorial any operator can freely access the logs of a pwned (green) node in the topology, by clicking on the respective node. (Note: Agents can access the logs of any node, since they can see all of the topology. Though usually the unhacked ones are bare of any logs anyways.) You can further post access logs to the chat by clicking the symbol left of any individual entry.

These node access logs are invaluable treasure troves of information... for both sides.

First and, most obviously, the logs will contain the accesses of anybody who tried to hack the node, (with the DAY). In many cases, this will mean a node's log will consist of many entries all for the same DAY.
This is arguably the least valuable information, because every hacker on NetSec, and most Neutrals and Agents will be leaving those logs with both legitimate and 'fake' hacking skills. But it can help you identify those that are not (claiming to be) NetSec hacking classes, as they will never leave logs.

Furthermore, if the topology is wider (aka, multiple parallel nodes in a column), you may be able to derive more information from this this: For any successfully hacked node, ONE of the accesses at the DAY of success must point to the person who successfully hacked it. Which is almost certainly a NetSec hacking class and more likely to be a Blackhat, Network Specialist or Operation Leader (as they have the highest hacking skill, and are therefore most likely to seize a node).
Be wary that the Agent Leader has a 33% chance to roll a surprisingly high hacking skill, and that the Rival Hacker always comes with solid hacking skills. And that, occasionally, even Sociopaths or Scriptkiddies can successfully seize a server. Though other Neutrals, and the Field Agent, can NEVER seize a node
Figuring out who seized a node is valuable information on whom to trust or protect or, in fact, arrest.
It's not uncommon for a NetSec (or even a Rival Hacker) who solo's a node (aka, is the only one to access a node at a day and successfully hack it) to reveal his role right away, given that solo'ing a node instantly paints a massive target on you anyways.

A second source of information is the presence of Data Miners (Spearphisher, Analyst), who may want to use their Gather Intelligence skill on already hacked nodes. Except for a few FAR more overt abilities those two classes are the only ones that can do so. If you therefore, from N2 onwards, check a log, and see that somebody accessed it after it was already successfully hacked, you can be certain that they must have done so as Analyst or Spearphisher... both NetSec hacking classes.
This essentially makes them trusted NetSec for anyone paying attention to node logs, and is as well the reason why Analysts tend to die quite early agains competent Agents. Spears less so, as they are far more attractive to convert instead, or can defend themselves for two NIGHTs with Misdirection.

On a similar note, it is very easily possible to identify Blackhats (and Scriptkiddies) when they launch a benign DDOS on an already pwned node: A DDOS is always announced publicly in the Event Log, and it always leaves a log on the respective node. There might be multiple logs for the day when the DDOS was launched, usually aforementioned Data Miners or the AL's failed attempt at a Rollback (or even somebody else launching a DDOS, too... 2 DDOS on the same node will not display two separate messages, and neither will fail).
Again, if only a single access log for the day of DDOS exists, it's painfully obvious as to who launched it, and that person should usually call for public protection (as, either way, they very clearly sided with NetSec). Just be wary that an AL has a 33% chance to roll DDOS as his random skill, and might try to gain NetSec trust this way (though that is extremely unlikely).

Lastly, the most important event on the topology is always a Rollback. And, guess what, this does leave logs, too. Therefore, recapturing a node after it has been roll backed will always reveal the person who performed the rollback... just that Agent rollbacks as well leave a couple fake logs for the same DAY, so you will rather get a LIST of suspects, ONE of which is guarantueed to be an agent.
Do not hesitate to lynch your way up/down that list for anyone who cannot provide a reasonable log proving that they cannot be AL (such as having an access logged on a different node, for the same day). If the list is too large, or you're too uncertain, note that the Analyst can remove fake logs as a DAY action... just that this will mean you'll have to wait 2 more phases. After that, however, you will be able to nail the AL with 100% certainity.

Messing with logs: Fake Logs and Wipe
Besides the fact that most non-NetSec classes will constantly fake hacking access logs everywhere,
there's two skills that ACTUALLY mess with the access logs on server:

The Field Agent (and Rival Hacker) has the Fake Logs DAY skill. It will, for the DAY it is used, create 1-3 access logs for randomly chosen identities, without leaving an access log itself (except that it might randomly generate for itself). It has a low cooldown, infinite charges, and can be spammed at will.
This skill is of somewhat dubiose use, as it's impact is little, and it's usually glaringly obvious that logs have been faked, since it might throw self-proclaimed non-hacking classes onto a node (and there is legitimately no reason why someone pretending to be a non-hacker would then use fake hacks to leave a log incriminating themselves), or even create duplicate access logs (either showing the same identity logging on two nodes at once, or even twice on the same node for the same DAY).
Furthermore, whilst it helps obfuscating information specifically Agents do not want to usually cover information telling them whom to target with priority... and whilst Agents know when the Field Agent uses Fake Logs, they do not know which of the generated logs are actually fake.
In sum, this skill has little niche use.

The other, far more impactful, skill is the Rival Hacker's (though the Offensive Mole gets one as well) Wipe. It is the only node-related ability executed at NIGHT and it will, without leaving a logs, remove ALL logs from a targeted node. (As well as destroying any secondary intel that might have been on the system.)
The most potent use for a Wipe is, obviously, to clean up after a Rollback, hiding the AL's tracks for good. There's little NetSec can do to prevent Wipe's (except randomly blocking the Rival Hacker at the NIGHT he tries to use it), and nothing they can do afterwards to recover the logs.
Node Logs - Continuation
Limitations of Fake Logging
There's one caveeat with the fabolous use of the Unskilled Attack skill to generate access logs for the purpose of faking a hacking class: It's only believeable if it's consistent.
If, upon examining a number of node logs, you notice that one operator has access logs for some days, but not for others, that is a valid reason to suspect them.
There's very little reason for a NetSec hacking class to not leave an access log every day, with exactly three exceptions:
  • It's the OP, and they transferred root
  • They're an Engi and used Impersonate
  • They have been ISP blocked.
However, the first is exceptionally rare (and in worst case the OP will find a way to tell you to back off from your suspicion), an Engi using an Impersonate would have to provide you a damn good reason, and a NetSec being legitimately ISP blocked should have already announced that in public chat.
There is, however one pitfall: It could be that they, during that DAY, DID hack a node... just one that isn't currently hacked/accessible, and consequently you can't see it's log. This is perfectly possible an explanation and one you should usually believe (though it's not unusual for faking classes to forget about this and start coming up with far less believable excuses).

Assuming you however have identified an identity that did for some reason skip a DAY of hacking, take note that this is indicative of the following classes:
  • a Field Agent using his ISP Isolation (or Fake Log)
  • a Journalist using her Rollback
  • an AL using his Rollback
  • a Bounty Hunter using his Spill the Beans
  • or any class with a Fake Hack that either ran out of them (since they're limited to 5 uses, or 3 for Scriptkiddie) or wanted to preserve them by skipping a DAY
If you know (or suspect) that, at the same DAY as the 'missing hack', some of the above mentioned skills was used... you now found a prime suspect.
Note that, 'indicative' is no guarantuee though, and there might be the one or other goofball blackhat who things not hacking for a day will make them invisible to Agents.

The AL DDOS pitfall
A little known correlation that should be explained here: The Agent Leader gets, at random, either a legitimate Hack Target skill, a fake Unskilled Attack skill OR a DDOS.
However, this means if the AL gets the DDOS, they don't have any OTHER means (except a very obvious rollback) to generate logs on nodes. However, both Blackhat and Scriptkiddie can always both DDOS and leave (fake) hacking logs.
If somebody is seen performing a DDOS (especially a malicious one), but without having any other access log, that's usually a good reason to lynch them.
Frequent events during the NIGHT - Visit-visit-visisisitit and watched
Whilst the big actions that happen during the DAY tend to be proclaimed to everyone (during the shift to the NIGHT phase),
NIGHT actions tend to not leave a public result, outside of operators being arrested/murdered. Therefore, it's highly adviseable to NetSec to log everything that happens to them during the NIGHT... and for some occurences, mentioning them in public chat right away is advised, too:

Midnight Meeting
(aka Midnight Visit / visiting)
One of the probably most misused and misinterpreted skills of the game.
Midnight Meeting is a NIGHT (duh) skill, that allows a class to visit another target, and block their NIGHT action, whilst revealing your identity (but not class!) to them.
Please read that again: Midnight Visits can potentially block another NetSec's valuable NIGHT action (such as protecting or investigating people), AND gives somebody very concise information about what class you might be (and you do not want to give that information to the wrong people needlessly).
OR it can end up ruining an Agents NIGHT, or maybe help you confirm your identity to a fellow NetSec.

Mechanically, Midnight Meeting, like all occupying/blocking abilities, is evaluated first in a NIGHT phase. Therefore, it overrides other NIGHT abilities (such as protection, investigation, murder...), but does not block other Midnight Visits. If Dr. Red visits Dr. Green, and Dr. Green visits Dr. Blue at the same NIGHT, the result will be that Dr. Blue is blocked, and Dr. Green is not affected (it will still say you have been visited and occupied... just that it didn't cancel your own Midnight Meeting).

(There is some wonky interaction between Mignight Meetingand Escort abilities... in that Escorts cancel operators attempt to perform Midnight Visists, and Midnight Meetingcan cancel an Enforcers Escort... so what happens if Dr Red escorts Dr Green, but Dr Green Midnights Dr Red?)

Now who can Midnight Meeting? The answer is; the big shots:
  • Blackhat
  • Analyst
  • Journalist (Though her action is called 'Get Scoop')
  • Agent Leader
  • Offense Mole (converted Spearpisher)
Note that Agent Leaders do not often spend a NIGHT on a Midnight Meeting (rather than Conversion), and that Offensive Mole's are relatively rare. Therefore, if you get Midnight Meeting'd (and you would be hard-pressed to ever survive a game without that happening once), Netsec/Journalist are your most likely candidates... and they just gave you their identity.
Note that only the Journalist does not have a 2 day cooldown (aka; every other NIGHT) on her Midnight Meeting / Get Scoop.

Sidenote: The Analyst is in fact the most likely class to visit you, because their 'Ask the Right Question' Night skill is a visit, too. But it does not block your own NIGHT action. Therefore, if you get a visit notification, AND were performing a NIGHT action, but have not been blocked, the visit was an Analyst. (Note that if you did not perform a NIGHT action, you will not be told whether you have been blocked, therefore won't know for certain whether it was an Analyst.) This does however mean that the Analyst can visit every NIGHT, instead of every other. She still can only block people every other NIGHT though.

As to how to react to a vist? Depends on a lot of factors. Usually, you can assume that someone visiting you is not hostile to NetSec (especially if it's an Analyst). If you are a class that is dependent on it's NIGHT actions (such as Enforcer, Operation Leader, Agent Leader, Agent, etc) you may want to message the person to stop hindering you (at the risk of them doing it again if the think you are on a different faction). In reverse, some classes are not really affected by being blocked at NIGHT (such as Blackhat), so you could as well play it cool.
In almost no circumstance, should you publicly reveal who visited you, as it marks them as a target for Agent arrests. (Exceptions, such as "Don't lynch me, I was supposed to do X last night, but Y blocked me!" exist.) But DO note the visit in your log.

"You have been watched."
This is the second variety of very common NIGHT action that might happen to you. First advice: Don't panic.

There's plenty of abilities that visit you and then give you the "You have been watched." prompt, such as (exemplary)
  • Social Engineers / Bounty Hunters "Doxx and Stalk"
  • Inside Man's / Sociopaths "Follow"
  • CCTVs "Install CCTV Surveillance"
Essentially, all you can derive is that somebody tried to gain intel about you or your NIGHT actions, and might have learned of your faction, or whom you visited last NIGHT (if any).

Generally, you want to log these events, but (especially if you're NetSec), there's no reason to be overly concerned, or even mention it in public. (You especially wouldn't want to warn Agents that a CCTV might be covering you.)
Don't be surprised though if somebody mails you on the next DAY (i.e. revealing they're the Social and now trust you, or asking why you visited X, or asking what happened to you last night (CCTV checking what the NIGHT actions targeting you were).

Be warned that not all investigative actions leave that remark. So 'not being watched' does not equal 'you're not a target'.

Escorts, Conversion and Arrest Attempts
The most benign kind of NIGHT notification is the one that somebody is watching over you... one way or another.

If you're being escorted / moved to a new Hideout, generally this means somebody deigned you worthy of their protective NIGHT action. Enforcers can do this every NIGHT, Operation Leaders can do it every other NIGHT.
Note that this will as well occupy/cancel your NIGHT action (unless it's a Midnight Meeting)... so if you have NetSec NIGHT business to do, good luck figuring out how to let your guardian angel know.
Note: The Field Agent can, instead of directly arresting you, instead pretend to escort you. You will then automatically be targeted for an arrest the following NIGHT. However, this kind of 'fake' escort does not block your own NIGHT action.No longer distinguishable.

As with most NIGHT stuff, you definitely want to note all this down in your log, but you may or may not want to reveal it. Publicly acknowledging that you're being protected draws attention (and whilst Agents might not want to arrest you regularly, this could make you a juicy target for a STING operation, endangering your savior).

This changes DRASTICALLY if you have been protected from an actual ARREST/MURDER attempt. At this point, the Agents (or whoever else targeted you) already know that you have been protected, so you might as well go public with it. (Your protector will know, too, but they shouldn't reveal their identity, whilst you got nothing to lose by revealing you have already been attacked.)

Failed Conversions are a different story. You cannot be protected from the Agent Leaders conversion by virtue of being escorted (as it only protects you from arrests or murder attempts). But some classes, notably Neutrals, Blackhats and Operation Leaders, are immune to conversion.
If the Agent Leader failed to convert you he will expect you to be either a Neutral, or a High-Value NetSec. If you do not wish to publicly pretend being a Journalist (who is immune to conversion AND arrests, but not an enemy of NetSec), you might want to reveal that you're a valuable NetSec role (with evidence) and ask for actual protection.
It's common for Agents to arrest conversion-immune targets in the following night, if they do not suspect the person to be a Bounty Hunter or Journalist, as it nets them a high chance of catching valuable targets.

Obvious addendum: You shouldn't publicly mention if you have been SUCCESSFULLY converted, either. You're on their side now.
'Network of Trust' - What and how to?
The concept of 'Network of Trust' is based around the fact that the public (and as such 'NetSec') holds very little information, but individually, it is QUITE possibly to figure out other operators roles and identities... or at the very least to narrow it down. Yet, even with that knowledge, you do not necessarily want to go public.

Imagine you (as NetSec, maybe an Enforcer) have figured out another operators class to be Blackhat. You definitely don't want Agents to know that, nor do you want to have to answer questions as to how you know that, potentially putting targets on both of you.

This is where 'Networks of Trust' comes in: It is perfectly usual to mail another player, declaring that you know X about them, and therefore trust them. In fact, it can be essential to winning a game, especially as Neutral.

You can further exchange your logs (manual copypaste (CTRL+C/CTRL+V) works from log to mail) with another player to verify each other's class, or to combine information, or otherwise trade suspicion or coordinate your actions.

Note that there is the possibility of someone wiretapping your mails, but only two classes (Rival Hacker / Field Mole) have that ability, and in both cases they must target you specifically, and will only be able to listen to you for one DAY+NIGHT phase... the risk is so damn minimal that you should generally ignore it.
Similarly, Social Engineers, Investigative Moles or Criminal can Impersonate people and essentially 'send E-Mails with a fake sender', but this would be incredebly difficult to pull off accurately, and will automatically be revealed as a spoof if you respond (to the actual network member) and they are confused over the mail they never actually sent. Also, mails can never be spoofed at DAY, only at NIGHT.

Moving on, if either of you then finds another operator who's aligned to your faction, you can then include them, sharing each others identities, and so on. This is when you've successfully created a 'Network of Trust'.

As a bonus, your network can then have a singular public 'speaker', who makes accusations or otherwise reveals important information (that does not risk the identity of other members of the network). This way, you can share your relevant information with public NetSec, but only leave a single member exposed as target for Agents, making it more likely for Enforcers to protect them (or maybe you're leaving them out as a bait, with CCTV on them, or they're a class with good self-defense (Spear/Engi)).

Of course, there's caveeats:
  • It's entirely possible for you to mistakenly identify an Agent/Neutral as trustworthy. Be careful and aware of the fact that Neutrals (and occasionally AL) DO have legit hacking abilities, and that AL is disguised as NetSec for the first 3 NIGHTs.
  • At any later NIGHT, one person in your network of trust may end up converted, exposing your network, and risking to feed you fake information. Most commonly though, they will suddenly become awfully silent and stop sharing information. Do not hesitate to occasionally ask for the logs of other network members, there's no reason why they would have stopped logging, riiiight?
  • On rare occasions, a newbie NetSec may decide that you protecting another operator (whom you trust to be NetSec) must be indicative of you both being Agents. Paranoia is a heck of a drug, good luck getting them off it.

This means that trusting another operator (in a game named 'Untrusted', go figure) can be risky... but as well rewarding. And if the alternative is to silently sit in your bubble waiting out the inevitably outcome of the game, it might be very well worth that risk (for the fun alone).

(As well, it's fairly hilarious to win 'with your ally', only to find out they're a random Neutral who completely botched his goal despite having your misguided assistance.)

Abusing Networks of Trust
Of course, this concept wouldn't be complete without some way to counter-act it: Both as a Neutral and (to an lesser extent) as a Agent, you might have abilities that can imitate NetSec behavior... and that, plus a bit of guesswork and statistical analysis can go a long way in pretending to be something you aren't.

I.e., imagine being a Bounty Hunter. You cannot be arrested, and therefore have no risk when mingling with NetSec or being labelled a NetSec in public. Your Frame ability displays a 'Watched' notification, same as your actual Doxx. It's entirely plausible to Frame someone (which would actively fail on Agents, thus assuring you that a successfully framed target must be Neutral/NetSec), and then the DAY after, message them, explaining you just doxx'd them as NetSec, and now trust them:
If they are NetSec, you will come across as perfectly regular Social Engineer. If they are not NetSec (aka; a Neutral), they will know you lied... but still don't have a reason (or way) to call you out on it, since "X said I'm NetSec, but I'm actually Neutral, LYNCH HE" kinda gets both of you lynched. In fact, they might just message you back claiming that that you're bullshitting, because they are class X. Neutrals can easily ally, so that's a win for you, too.

Likewise, as Agent, if you tagged an operator as some class that has little innate intel gathering ability (think: Spearphisher or maybe Inside Man), but they aren't talking much (in public chat) and suddenly bring forth accurate information... they are likely to be in a Network of Trust. Converting them could net you both an 'Inside Man' into the network, a list of names and roles to target, and a way to manipulate the network to avoid agents. Just keep in mind that moles have flimsy cover, and that a mole being found out who pledged you to be 'trustworthy' can easily get you lynched.
Also, just making up random information (or using information gained by dead/arrested logs, the AL's own investigative ability, or the knowledge of converted moles), can allow you to fool other operators in trusting you... and if you ever come under scrutiny, having two different people publicly declare they trust you, plus having a reasonable log, is a great way to protect yourself from lynches. Also bonus points if you are somewhen outed, and right after lynching you netsec jumps on the people who were defending you mere moments ago.
'Reading the Clock' and intiating 'the Purge'
First, let's establish the used timeframe in the game:
  • Each match always has a fixed duration, announced at match start, ranging from 7 to 9 days. This includes both DAY and NIGHT phases, and the exact number is depends on player count.
  • The topology (aka, the network) can contain either 4 or 5 columns. This, again, depends on player count.
  • It takes at least one day for NetSec to hack 'through' any given column.
  • There's always a path leading to the target server in a 'single' line from the first column to the last one. (Aka, if there's 5 columns, NetSec could win by hacking the exactly correct 5 nodes.)

So, with 10-12 players, a 4-column topology will give NetSec 7 days of which they need 4 at minimum to complete the hack. On the other end, 15-16 players will give NetSec 9 days for a 5-column topology.

However, obviously there are factors altering that 'best case' NetSec:
  • The duration can be extended by 1 day (& night) by secondary Intel Download. (There's no guarantuee that this goody is present in a game, and even if it is, it might be that noone downloads it. Don't rely on this.)
  • NetSec may fail hacking the correct node, essentially 'Wasting a day'. Note that there is always at least one 'direct' path to the target server, but there might be multiple. More commonly, there are 'dead-ends' or 'useless' backtracking nodes.
  • Alternatively, NetSec may fail hacking any node at all, wasting a day as well. Note that a loss of OP/BH/Netty can lead to this occuring frequently. And if any of these classes are public, FA can ISP Isolate them to the same detrimental effect.
  • NetSec may lose one day to being DDOS'd (aka, the target of their hacking being DDOS'd).
  • Upon a successfull rollback (as explained before), NetSec loses 2 days: One because their current day hacking is interrupted, a second because they need to retake the node that was rolled back. This only works on a chokepoint, so fanning out reduces the risk.

Why is this all relevant here? Because it's imperative, as NetSec and Agent alike, to read the clock: Does NetSec still have enough time to complete a hack? Is it impossible, or just barely possible? Did AL use his rollback yet? What are the odds of a Jorno or offense-mole rollback?

If you assume that AL rollback will be successfull, NetSec will need 6 DAYs of successfull hacking to beat a 4-column topology, and 7 DAYs for a 5-column. That leaves VERY little leeway for failing a hack or getting DDOSd.

Knowing whether NetSec still has enough time to complete the hack is CRUCIAL in determining whether to move on to

'The purge' is essentially the process of NetSec abandoning 'victory by hack' and focussing on 'victory by elimination of Agents' instead: If you do not have enough time to complete the hack you MUST start purging, or the game will end in either Draw (OP alive) or Agent victory (OP dead).
If the time window is too narrow, i.e. because NetSec wasted a DAY early on, and, accounting for AL rollback, will have to hack the target server on the 'last DAY', you should CONSIDER purging to at least create yoursell an alternative option when something else goes wrong costing you that crucial bit of time.

(Note that even before 'purge mode', you should of course strive to already lynch Agents or harmful Neutrals when they're found out. But you are not under time pressure to lynch someone every phase.)

Assuming that victory by hacking is impossible, the only remaining choice to NetSec is to aggressively 'purge' their ranks by lynching people in the hope of removing all Agents (AL, FA and 1-2 moles) from play. This will result in instant NetSec victory, even if it happens on the last NIGHT phase (aka, after the hacking time limit expires).

The most critical realization is that, once you are in a purge, you should lynch one identity EVERY SINGLE PHASE. At this point time is playing against NetSec and recommending to wait for concrete info or confirmation is only helping Agents.

A purge usually consists of aggressively demanding logs from basically everyone (usually top to bottom on player list, for convenience) who hasn't yet been killed, arrested or otherwise confirmed as NetSec, and lynching whoever is the currently most suspicious / least confirmed identity. Keep in mind that NetSec can be converted as the game goes on, so somebody being 'confirmed NetSec' early on may STILL be an Agent NOW.
It's perfectly usual for this phase to kill off a few NetSec or Neutrals, but this shouldn't deter NetSec from continuing anyways: If the time is running out, the only way to win is to lynch people. Not lynching people, even it may hit the wrong ones, equals giving Agents the free victory.

Still, NetSec should be wary of faction numbrs and track how many assumed/confirmed Neutrals are still in the game, how many Agents are left, and what NetSec's 'vote power' should be: If there's only few NetSec left, and you just joined a majority lynchmob against another player, chances are that this player is NetSec.

Also, this late into the game, apply due caution to any '100% Agent' claims: Whilst a "I'm Engi, X is Agent!" claim is entirely believeable at D2 (because X not being Agent would lead to the claimant being lynched next, and trading 1:1 isn't in Agents favor that early), this does NOT apply in a late-game purge: If NetSec is just barely outnumbering Agents, one false lynch (worst case: in a NIGHT phase, followed by an arrest) can lead to Agent voting majority and consequent loss of the game.

Essentially, 'the purge' is the hectic final action phase of Untrusted, in which accurate logging, deduction skills and deception will decide which faction will win the game.
CLASS - NetSec - Operation Leader
(aka: the OP. Officially: OL)
The innately most central classes of NetSec, and also the one that always goes to the most green player in any given lobby.

Your main priority is to coordinate the public discussion. Use your Covert Broadcast to assign specific hacking tasks during the DAY, direct protection efforts (since you got one of the protection abilities) during the NIGHT.
Note that you do not necessarily need to tell people which node to hack... the rule of thumb "Top Top, Bottom Bottom" applies. But if you want to act on intel the public does not have, you may override that rule or remind people to use non-hacking DAY abilities.
Also, avoid explicitly calling for a DDOS, unless you think your Blackhats are actually Greenhats; The goal of a DDOS is to catch the Agent Leader whilst deploying his rollback... the AL won't Rollback if he knows the DDOS is coming.

Generally, lay low, do not draw attention in chat. BUT, don't be silent either. I've successfully sniped, and seen snipes, of OP's exactly because they're always the silent guy (as they overuse their anonymous chat tool). Don't be that easily figured out. Drop a line occasionally, maybe acknowledge (or complain about) the OP's instructions.

You should try to grant root at some point before you die, but at the same time make sure not to grant it to a stranger who might be an Agent, and as well be wary of giving it to a publicly known NetSec (who might be converted). Blackhats are great targets for roots, as they cannot ever be converted. And Neutrals can potentially work, too... but obviously they're a bit less reliable as future OPs. Note that a Neutral receiving root and then becoming 'OP' after the previous OP's death, will NOT switch class, with the sole exception of Sociopath. The Neutral will gain access to the Covert Broadcast, but nothing else (and their goals remain unchanged, and this even holds true for Sociopath).

Your general playbook:
Hack target nodes alongside everyone else.
Consider granting root to a valid (preferably privately confirmed) NetSec or public Blackhat.
Use the 0-Day on a server you know will not see much action (in the ways of DDOS or Blackhats). Keep in mind YOU can call those shots to ensure this condition is met.

Make liberal use of Emergency Extraction (it only has 3 charges, yes, but it comes with a cooldown... so you can't even use it up before N5 anyways). You're essentially half an Enforcer at NIGHT. (And keep in mind that it protects targets from Arrests, Murders AND Conversion attempts.)
Move Hideout is a great follow-up when you have been subject of a failed conversion attempt last night, or just generally think the Agents have a reason to target you. Don't throw it out willy-nilly.

Really, most of your play comes by coordinating people via Covert Broadcast.

(Also note that OP is legitimately THE ONE operator who does NOT need to make a log. If things come to blows, you can always claim to be OP, and confirm yourself via Covert Broadcast to the public, without posting logs. Your log should only contain critical information you need to pass on in case you get arrested/killed.)
CLASS - NetSec - CCTV Specialist
usually abbreviated to 'CCTV'
A bit of a wonky NetSec class, for the reason that you have very little DAY Actions, and don't do too much at NIGHT either, but still manage to frequently end up the single largest pool of intel any single operator possesses.

Your CCTV Surveillance works like this: You can place two cameras, at NIGHT. From that moment on, including the NIGHT you place one, you will passively be notified of ANY visits targeting the person you placed the CCTV at. (And yes, this means you will always see yourself visiting the target that NIGHT.)

Once placed, you do not leave to visit anyone ever again, and will continously gather all information on visits... which can be lethal for finding Field Agents performing arrests (As in: If you see somebody visiting a person, and that person is arrested that same NIGHT, one of the somebody's who visited is the Agent. Plusminus Agent setting up a Planned Raid the previous day, of course...)

BONUS ROUND: As an interesting and powerful gimmick, a CCTV can actually not only gain intel from his own camera, but from those of a potential second CCTV Specialist, as well. So if you suddenly receive notifications about people visiting someone you didn't install a CCTV at... you got a pardner. And even better: Your fellow CCTV is one of the people you saw visiting your non-target!
Figuring out each other's identities is a massive boost, because this way you double your intel gain AND can coordinate to cover more important targets... or each other!

Your general playbook:
Make liberal use of your Create Hideout. Really, spam it whenever available, there's no reason not to.
Bait Law Enforcement is tricky to use. It has a high cooldown, and if you only send one tip every 3 days (the fastest you can do it), it's fairly obvious that you're a CCTV, not a Bounty Hunter. (Same when the Agents receive multiple tips at the same DAY.) It's not a great tool, except for warning the Agents that there's a CCTV present.
Don't feel bad if all you do at DAY is either build selfish hidey holes or laze about. Your job is to bust Agents with your intel later, not to be a hero during daytime.

Don't waste Move Hideout early, as you're very unlikely to be targeted (since you're not hacking). On the other hand, don't be too stingy, since you got 3 charges anyways (and can spam them out in three consecutive nights, if necessary).
Try to get the CCTV cams out sooner rather than later, both to get more intel on what is happening, and to potentially identify the existence of a 2nd CCTV. Try to target high-profile targets, though obviously it's hard to find those early... but 'saving a camera for a valuable target later' is a risky move.

Should be fairly obvious, but ALWAYS LOG ALL NIGHTLY VISITS YOU OBSERVE, unless you already know the classes of the visitors and think it's better to omit that information.
CLASS - NetSec - Enforcer

The bad boy among the good guys... lacks a clear abbreviation, but occasionally misslabelled 'bouncer'

Your job is simple: Protect people, or beat someone up so bad that you potentially un-alive them.
The tricky part comes in when determining to what of those things to do to whom.

Generally, there's no harm in Escorting random targets. At worst you protected someone who wasn't (going to be) attacked. At best you denied the Agents an arrest on a valuable NetSec, or just wasted an AL's Conversion cooldown (because yes, you protect people from being converted, and it still puts the AL on 2 day cooldown).
Be advised though, that your escort additionally occupies a target, cancelling their night action. In general, you will hear your target complain vehemently in chat if you keep ruining their NIGHTly plan, and be advised that your primary wish target, the Blackhat, is entirely unaffected (as her only NIGHT ability is a Midnight Meet... which cannot be blocked, because it's a blocking ability itself).

Your interrogate should be directed at anyone drawing suspicion: If you find inconsistencies in their logs, simply calling for their logs in public will make those inconsistencies visible without actually giving away your role. Alternatively, it will allow you to gain intel as to whom to protect.
Always keep in mind that logs can be falsified, and that early on logs likely don't contain much, whilst later on, you will have your hands busy protecting.

Disorganized Murder can be a play to even the odds, but you can only use it starting in N4, whilst NetSec can publicly lynch TWO people 'per night' (as in, one per phase) from D1. If somebody needs a killing, they don't need you. Things change if you have a trusted NetSec feeding you private info... but that's risky and you know it.

Your general playbook:
You literally cannot do anything (reasonable) at DAY.

Liberally use Escort on basically everyone, but in particular those you think have drawn attention. Don't be shy to pick one target and stick to them for the rest of the game, if you think they're valuable NetSec.
Interrogate becomes more useful later, and can be thrown willy-nilly to either find obviously fabricated logs, or gleam intel from legitimate logs. Just be wary that each night you interrogate is a night someone isn't protected, and that a legitimate-looking log might still be fabricated.
Disorganized Murder is a rare play if, after D4, for some reason you alone have specific intel on a bad guy that cannot be made public instead.
CLASS - NetSec - Inside Man
Amusingly, usually referred to as 'Inside Man'

Honestly one of the most akward roles in the game: You kinda do stuff, but nothing with clearly visible effect, and you can pretty much reveal D1 and everyone will go "what exactly do you do again?" and Agents will probably only target you because they literally have nothing better to do.

You're not a high value class, and you should be keenly aware of that: If you are forced to reveal, you will only receive protection if the Enforcer/OP have nothing better to do, and be ready to accept being lynched on the slightest suspicion because you can't even confirm yourself 'and we can risk losing an Inside Man anyways'.

Two lines (or, well...) on your abilities:
Your Keylogger is a simple two-part ability: At DAY you plant it. At NIGHT you retrieve it to give all hackers an invisible boost for the next DAY. Your Keylogger can be destroyed (by moles, most notably), but then you can simply plant a new one.

Your Insider Knowledge gives you the IP addresses of SECONDARY targets. Secondary targets are nodes that contain intel that Data Miners (Analyst/Spearphisher) can pick up to give NetSec a boost (ranging from "X is not a Scriptkiddie" to "Here, have +24 hours for the hack"), but are not relevant for, or related to, the actual target node. Don't get those two things confused, and don't cause NetSec to focus into the wrong direction. Wasting two days of hacking to MAYBE get +24 hours is not helpful.
And whilst this knowledge of secondary targets is kind-of-useful, it is so only to two specific classes, who may or may not ever get access to the server (it could be the very first node in the network, or something on a sidebranch that is utterly irrelevant), and whom you have no real way of contacting reliably without outing yourself... yeah, you see the point.

As a slight silver lining, if for some reason you have been boring enough to survive to the late-game, you will immedeately see the target server marked with a red target symbol if it becomes accessible in the public topography. Calling that out is usually worth blowing your cover (if you hadn't already), assuming there even are multiple last-column servers to chose from.

Your general playbook:
You got only two charges on Insider Knowledge, so you might as well use them before you get arrested. Make sure to log the IP's of secondary targets.
Otherwise (or maybe even before above), Plant your Keylogger whenever possible.
There's not much else to your job, you're a blue collar wage slave after all.

If you know that the next day will see difficult hacking action (Blackhats busy DDOSing, or lots of servers), retrieve the Keylogger for a sweet boost.
Otherwise, consider whether Follow-ing is worth it (it's a MUCH weaker, and more limited CCTV... though you can specifically follow a suspect operator and maybe discoer the Agent as he arrests someone).
If nothing else, just Dive all those Dumpster, who knows whether it will help.
You have no excuse to ever be doing nothing at NIGHT.
INTERMEZZO I - The Red Button and when to (not) push it
One fairly deceptive ability that is essentially a beginner trap, is Desperate Measure.

It's a DAY ability of CCTV Specialists, Enforcers and Inside Men, that becomes unlocked at D4, and turns you into an Improvised Hacker.

Here's the problems:
  • Improvised Hacker is a very weak class.
  • The key gain of 'you can hack now' is mitigated by your actually abyssimal hacking skill.
  • You lose the perks of your previous class.
  • You might end up confusing NetSec with your sudden change, leading to a lynch.

So, as a general baseline, DO NOT PUSH THE RED BUTTON unless you got a very good and specific reason to do so.

The only redeeming qualities/gimmicks of the Improvised Hacker are:
  • IH sucks at hacking, but he CAN Hack. Moles cannot, therefore becoming Improvised Hacker allows you to leave logs to prove that you are (a now useless) NetSec in the later phases of the game.
  • IH can use Download Intel, which is a NetSec exclusive skill and again a way to 100% prove yourself.
  • IH gains one use of Move Hideout, potentially letting you dodge an arrest if you made yourself a target.

As a CCTV Specialist, you do not want to switch to IH until you've become entirely useless: As long as there is a cam left on somebody, you want to stay CCTV so you can keep monitoring them. Once you switch, you lose access to your placed cams! Also, you don't need to switch for protection, because you got three charges of Move Hideout as CCTV anyways. But if no cam is left (all arrested/killed) AND you used up all three Hideouts you are literally doing nothing and might as well switch (tho this is rare to occur).

As an Enforcer, you almost never want to switch, because you got plenty logging to prove your class, and the ability to murder Agents/Neutrals starting at N4 is crucial when NetSec starts losing vote majority. The only reason why you should consider hitting the button is if you know you will be arrested/attacked/converted next NIGHT. Being planraided (escorted whilst you're sure there is no Enforcer left) is a good reason to switch the next DAY and Move Hideout the following NIGHT.
Enforcer > Improvised Hacker > Arrested Enforcer.

As an Inside Man, you are the only NetSec class that has legitimate incentive to switch to Improv without being actively threatened: Your key value comes from Insider Knowledge and Follow, both skills that can be used only twice, and you can easily use them up by N3. Switching D4 will allow you to remain active (if of questionable use), allows you to actually Download the Intel you uncovered yourself (without the need to publicize it) and you could even go public as Inside Man D4 to bait Agents into trying to attack you N4 whilst using Move Hideout. Maybe more importantly, Inside Man is a trivial claim to fake, so you're probably the NetSec most likely to be lynched just because of that... but Improv's Download Intel can save you there.
Just keep in mind that if hacking nodes is your goal, Keylogger will probably serve your team better than an Improv's hacking attempts.
CLASS - NetSec - Analyst
Undervalued, overclaimed, and at the butt of all jokes (also, no common abbreviation)

A fairly straightforward class: You do servers at DAY, and do operators at NIGHT. As in, hack servers and talk to operators.

Note that your Download Intel has a 100% success rate... just that only a few nodes (1-3?) contain valuable intel to begin with. So don't waste time mining the same node over and over, but simply cover as many as possible. This isn't a maximum priority though, since even finding intel is not necessarily that powerful.

Your Log Analysis will allow you to purge a node of all fake logs. This can be useful if you spot a server with obviously falsified logs (or a rollback'd server, who is guarantueed to have false logs), but usually your team would rather want to lynch people right when the logs become available, not wait 2 phases for you to maybe clean them up...

Be aware that both of those actions leave access logs on the already hacked node and, past Rollback and DDOS, are the only skills to do so. Anyone paying attention to 'past DAY's nodes' will spot that you're a Spearphisher/Analyst. And the ones that do pay attention are usually the Agents.

As well, be careful about misusing Ask The Right Question: It only tells you whether somebody has a legitimate Hack Target ability (aka, one that can succeed), or whether they don't. Problem is:
Finding out somebody can't hack isn't suspicious: NetSec Field Ops (Enforcer, Inside Man, CCTV) can't hack, eitther.
And finding out somebody can hack, doesn't necessarily mean they're NetSec, since the Sociopath and Rival Hacker can both hack, and the AL can roll a legitimate Hack Target skill with 33% odds.
So the trick is to specifically Ask The Right Question to those that are claiming to hack, aka those that show up on node logs. If any of those come back as can hack, it's worthless intel, but if any of those come back as 'cannot hack', it means they're faking hacks... which only Neutrals or Agents do. (Though, be wary of Faked Logs.) Note that despite its description, Ask The Right Question will merely display the generic "You have been watched." message to the target.

Your general playbook:
If you got access to a node with Fake Logs, consider clearing those (usually only worth it on rollbacked servers).
Otherwise: Download Intel (also: mine, from Data Mining) from a node you / nobody else mined yet.
Otherwise, hack something, preferably laptops (the odds of you succeeding a hack on a server are... slim).

General advice as for Midnight Meeting goes, Ask the Right Question is best used as frequent as its cooldown allows (as described above),
It's perfectly fine to do nothing for a NIGHT, even if you could be probingvisiting people non-stop.
CLASS - NetSec - Network Specialist

aka 'Net'/'Network'. Note that both 'NetS(p)ec' and 'Spec(ialist)' tend to lead to confusion.

A fairly solid and straight-forward class, and the arch-enemy of dumb/malicious script-kiddies and careless ALs.

Your Wire Shark lets you detect the origin of any DDOS performed at a given DAY... but comes with a hefty 3 day cooldown. It timed correctly, you can deduce the sources of either benign or malicious DDOS (details in the respective previous section), either for personal intel or for lynching a Scriptkiddie / Agent Leader / Greenhat (derogatory term for a (newbie) Blackhat that DDOS's his own team).

Outside of that, be warned that your Cover Your Tracks only provides you a CHANCE of avoiding arrest, does not hinder conversion AND can be blocked by a (mis)timed Midnight Meeting. It's better than nothing though.

Your Review Connection Logs is a very specific tool for the rare case someone publicly claims that his ISP has been cut last day. If you use this skill right away in the following night, you can verify whether their claim is true.
If somebody claims ISP Block, but you deem that false, that's a reason for a lynch. Which is why noone will ever fake claim ISP Block, go figure.
Note that randomly using Review Connection Logs is a very bad idea. Not because it affects anyone negatively, or because it has only 3 charges, but because logging a completely pointless use of it is rookie mistake for people faking a claim on this class. So you may end up lynched over having a seemingly fabricated log.

Your general playbook:
If you expect a DDOS (of the malicious kind), use Wire Shark. Given it's cooldown, it's not worth it to use it to try figuring out Blackhat identities.
If you're supposed to hack a server node, alongside others, it's usually a good call to use Probe Node, as it makes the target permanently easier to hack (including rehacking after a rollback).
If you're on your own, or targeting a laptop node, it's likely more efficient to simply hack it yourself, given that you DO have a good hacking skill.

Not much to do, really. If somebody claims ISP Block, do the obligatory Review, but otherwise maybe throw out one of your two Cover Your Tracks for good measure... that's about it.
CLASS - NetSec - Social Engineer

Gets frequently lynched for 'he claimed socialpath!', better abbreviation: 'Engi'

The Transporter of Untrusted. The Master Troll. Coincidentally, also a very powerful class if it plays it's cards at the right moment.

Your Impersonate works as following: You select a target to spoof at DAY. In the following NIGHT ANY emails you send will have the spoofed identity as sender, thus hiding your true identity. Note that any messages addressed TOWARDS the spoofed identity will reach them as normal, not you.
This is the perfect tool to sow confusion, but as NetSec, confusion hinders your own team the most, therefore you should only use this tool to very specifically confuse a small subset of players you actively consider suspect, or to relay intel you have anonymously. (For the latter, it's highly recommended to put something like "This is spoofed, I'm Engi" into the subject... and even then you can't be sure the receiver won't think it was actually your spoof target sending the mail.)

Your Doxx and Stalk is the most powerful Investigative ability in the game, only rivalled by the Agent Leaders equivalent (since that one doesn't require a visit). It lets you instantly determine whether a target is NetSec, Neutral or Agent. Though it does come with limitations:
  • the AL will show up as NetSec during the first 3 NIGHTs
  • anyone framed by a Bounty Hunter will show up as NetSec
  • even those you identified as NetSec could be turned mole at a later NIGHT
Take note of it's massive 4 day cooldown (longest cooldown in the game), meaning you will have to survive to N5 to even be able to use it twice (assuming you use it N1).

Misdirection allows you to effectively protect yourself from both Arrests and Conversions... and also Investigative abilities of any kind. (Though it's a dead giveaway that you're either a Social Engineer or Spearphisher for anyone targeting you.)

And if Misdirection is out, you can deflect anyone targeting you for the NIGHT to instead target someone of your choice. Be wary, as this might cause the arrest of a more valuable NetSec, might cause you to get lynched (think: redirecting a fellow Engi's Doxx to an Agent), and will do exactly nothing if the person you redirect to is the guy trying to murder you.

Your general playbook:
Hack targets as assigned, preferably laptops, since your hacking skill is low.
It will be rare for you to use your limited-charges Impersonate instead.

You usually want to DOXX at N1. The long cooldown means that's the most reliable way to actually use both charges, and finding a Neutral / Field Agent early is usually worth the risk of accidentally labelling the AL as NetSec.
Otherwise, you have to consider whether you are enough of a target to use one of your two self-protection abilities... but given you have 4 charges, you can be pretty liberal/paranoid about using them.
CLASS - NetSec - Blackhat

officially: 'BH', but occasionally leads to confusion with that far less NetSec-y guy, so 'Hat' might be more apt

A class that is both deceptively simple, but as well one of NetSec's most powerful assets... and rightfully often considered to be 2nd in priority only to OP (who Blackhats tend to be handed Root from, given that Blackhats are immune to conversion).

Consider reading up on the above section on DDOS, as you are NetSec's main source of this critical ability.

Beyond that, your abilities are straight forward. Note that you will tend to hog the SEIZED claims from most nodes. If you don't get a SEIZE on a hack, but the target was hacked, it's not implausible to assume that the other Blackhat did it.

Your general playbook:
If you got reason to expect a Rollback, don't hesitate to DDOS a pwned node. Twice in a row, if necessary.
Otherwise, you usually want to be hacking.
Exploit Vulnerability is wasted on laptops, since you can usually take them with a single hack anyways. It might be worth it on a server node in the latter half of the game, if you suspect that a lot of other hack-support abilities have been taken out.

Midnight Meeting or not, that is the question. Be mindful that you don't want non-NetSec to know that you're a Blackhat (one of the two NetSec classes able to Midnight), and that you got a 2 day cooldown on it. Blocking a potential Agent at night can be a valid play if you got reasonable suspicion.
Don't concern over defaulting to doing nothing at NIGHT. Your job is to shine at DAY.
CLASS - NetSec - Spearphisher

Aka 'Spear'. Don't try typing the full class (outside of your own log), Spearpishers have been lynched for that typo before.

A somewhat convoluted class, despite it's technically simple skillset.

Your Spearphishing is an infinite charges ability, despite the somewhat misleading tooltip: Once you prep it, you can execute it, and once you executed it, you can prep it again. This does mean you can effectively spamcycle prep and execution each NIGHT/DAY, making nodes (or the same node, multiple times!) easier to hack. Usually a waste on laptops, but great on any servers.

Note that your Download Intel has a 100% success rate... just that only a few nodes (1-3?) contain valuable intel to begin with. So don't waste time mining the same node over and over, but simply cover as many as possible. This isn't a maximum priority though, since even finding intel is not necessarily that powerful.
Be aware that the Analysts Log Analysis and your Download Intel leave access logs on the already hacked node and, past Rollback and DDOS, are the only skills to do so. Anyone paying attention to 'past DAY's nodes' will spot that you're a Spearphisher/Analyst. And the ones that do pay attention are usually the Agents.

The amusing part is that, as Spearphisher, you both want to draw attention, and want to avoid being converted. Spearphisher is the only class that, upon being converted, becomes an Offense Mole, which again is the only way for the Agents to gain access to a second Rollback... which can be devastating.
On the other hand, you got two NIGHTS in which you can protect yourself from exactly that Conversion... so trying to draw attention away from Analysts (the only other class that will, like you, snoop around on already pwned nodes) to avoid them getting arrested is kinda your shtick.

Your general playbook:
Mine for intel, or execute your Spearphishing against a server node of your choice.
Only hack if there's nothing else to do (such as D1).

Your go-to is to prep your Spearphishing if it's not already done, otherwise consider whether you have enough attention on yourself to justify spending one of your scarce two Misdirection charges.
CLASS - NetSec (Switch) - Improvised Hacker

Doesn't really has an abbreviation, because if you switched to this class, you either wanted to see what the fancy red button does, or NetSec is in BIG trouble...

Becoming an Improvised Hacker
is already a pretty niche decision, that can only be taken by Field Ops NetSec (CCTV, Enforcer, Inside Man) after N3 is over, as a DAY action.

There's very little reason to ever do that, because literally everyone else (on your team) can do the hacking better than you do now. The only conceiveable reason to switch is if, for some obscure reason,
  • you lost several high-skill hack classes (Blackhat, OP, Engi, Net) early
  • AND you still have a chance of winning by hack (usually because an Agent got taken out early
Even if the first condition is true, the most reasonable play is still to simply double down and lynch everyone whilst keeping your original classes, instead of switching classes and suddenly becoming a lynch target because you cannot confirm yourself anymore.

There's technically the niche case that losing Spearphisers and Analysts early on leaves you with noone to data mine... but I would be hard-pressed to conclude that Data Mining is worth giving up a different class for. Except, maybe Inside Man (who, at least, has a legit synergy by being able to first figure out where intel is in first place).

Your abilities are straight forward, and come from other classes: Download Intel is equivalent to Analyst/Spearphishers one, Dumpster Dive comes from the Inside Man, Move Hideout is the same as OPs.

Beyond the loss of your original class's abilities, and confusing everyone with the complete shift in your logs,
the biggest risk of your new class is that you are now an offensive NetSec class without conversion protection. The Spearphisher is the #1 on the wishlist of 'targets to convert into moles'... and the only reason you aren't above Spear, is because you shouldn't be in a game to begin with. But IF the AL strikes you deal, probably thinking you are a different class... they just hit jackpot and get a new Rollback.

Your general playbook:
If you became Improv because your team lacks hackers, hack. Otherwise, data mining is more likely to help your team.

Dive ALL the Dumpsters. Repeatedly. With passion.
You only get to Move Hideout once, anyways, so make that one count.
You have no excuse to ever not do something at NIGHT.
INTERMEZZO II: (Fake) Claiming a Class
Thrown in here, because if you ignored my initial advice and read this guide from top to bottom, now's the perfect time to explain it.

As explained, lieing (publicly) in this game is generally detrimental to NetSec due to their innate information disadvantage. (Lying to individuals specifically less so, but still risky.)
Therefore, a sound and basic strategy for new players (that got a NetSec) role, is to NOT lie, EVER. Be aware though, that there is a difference between 'lieing' and 'remaining silent': As newbie NetSec, avoid lieing at all costs... but please don't simply reveal everything you know (such as your class, or other valuable identities) in public, either. There's a reason the OP (most valuable NetSec) gets a anonymous broadcast tool, and that reason is NOT to go "Hi, I'm Dr. [insert OP's color here]".

HOWEVER the opposite applies to any non-NetSec. Since 'everyone is NetSec' at the beginning of the game (and NetSec always has the majority in votes), proclaiming you are (or logging as) a class that is an enemy of NetSec is pretty much guarantueed to get you lynched.

Therefore (excluding advanced mind games that I will not cover at this point) you should never claim to be anything but
  • any of the actual NetSec roles (detailled above)
  • Journalist or Scriptkiddie (two neutral roles detailled below)

Reason being that
  • Agent Leader, Field Agent , (Any) Mole and Runaway Snitch are obvious enemies to NetSec
  • the 'Neutral' Bounty Hunter and Rival Hacker are direct enemies to NetSec
  • the 'Neutral' Sociopath and Resentful Criminal both want to kill the OP (aka, NetSec) and therefore are hostile towards NetSec

Therefore, if you are not a NetSec, you have a very real interest in pretending to be one. That's 'claiming'. Note that this doesn't mean you should loudly proclaim to be some fancy role in public D1.
Just that you should keep a log that perfectly imitates what your claimed role would be doing, ideally as close to your actual role's activities as possible:
  • If you're claiming a hacking class, log Hack Target entries whilst using a Fake Hack ability.
  • If you're claiming a class that has some visiting ability (Midnight Meeting or investigative), log that you have been doing that whenever you use a NIGHT visit on someone. Though be wary here that it's very sus to be a Blackhat that just so happens to visit everyone who got arrested on those NIGHTs. Likewise you may not have the correct answers the claimed role would have gotten (and have to guess and hope it's correct), or there can be other mismatches.
  • Therefore, try to skirt the lines with writing hard-to-disprove lies: When AL, and rolling back one server, log that you have been dutifully hacking something on the front that regrettably was interrupted by the rollback. If you got to Fake Logs as FA, log a Hack Target, but note that you were ISP Blocked (therefore, no log on target node).
  • The more 'truthful' and accurate your log, the less likely someone will doubt it. The more discrepancies in it, the higher the chance that someone involved in the discrepancies might spot it and call you out.
  • In all instances, account for cooldowns, charges and what would be a likely action for the class that day: I.e. a Spearphisher will not prepare for 3 NIGHTS without ever executing. Nor can a Blackhat Mightnight Meet 4 NIGHTS in a row. And a class that logs doing 'nothing' when there is something it should be doing, is highly suspicious as well.
If suspicion ever falls on you, and you're asked for logs, you can now easily provide them. And if there is no (obvious) discrepancy in your log, chances aren't bad that people will move on to a different target of suspicion (maybe even the accuser), buying you a day or two. Note however, that as much as a minor and honestly accidental typo can get you lynched instantly, so apply due diligence when forging logs. (And yeah, no log will get you lynched as well, so there's no way around this.)

The tricky part is that most Neutrals and Agents do not actually have the exact tools to perfectly fake a class. I.e. the AL cannot always hack. The FA cannot hack if he is blocking someone's ISP. And both of the Agents need to do a lot of nightly visits that may not match up with the class they're trying to claim. Most Neutrals and Agents do get some sort of 'fake hack' ability that does nothing but create logs on a server but which is sufficient to reasonably fake a number of hacking (therefore: most netsec) classes. So you will rarely be able to create a 'perfect' or 'bulletproof' log. But sometimes, just having a log is entirely sufficient. It's like that saying: You don't need to be faster than the bear, just faster than the next guy behind you.

I'll append 'good/easy claim strategies' to the individual Neutral and Agent class descriptions.
INTERMEZZO III - Neutral Diplomacy
There's a lot positive to be said about Untrusted for making the Neutral classes, mostly, interesting and offering them several ways to play. However, even then some classes tend to lean into one direction far more than others, and I've therefore (inofficially) labelled them as such:
  • BENIGN Neutrals (Journalist / Scriptkiddie) can screw over NetSec, but are usually a limited threat to them, whilst being more dangerous for Agents. This is why it's possible to survive by using either class as a (fake) claim without being lynched right away.
  • HOSTILE Neutrals (Bounty Hunter / Rival Hacker) are by definition of their goals allied to the Agents, and usually treated with according hostility.
  • CHAOTIC Neutrals (Resentful Criminal / Sociopath) have goals that put them at odds with both NetSec and Agents, but in oddly specific ways that do not exclude them allying with either side. They're likely to be lynched if they get uncovered under the wrong conditions.

Figuring out each identity's class is already a core aspect of the game, but likewise it's important to try figuring out which Neutrals are present in a given game:
  • Somebody gets non-lynch murdered before N4? There must be a Sociopath in the game, who tried to Murder OP.
  • A NetSec dies, but his class does not match his log or his public claims? Could be AL, but more likely to have been Frame by either Bounty Hunter or Sociopath.
  • Multiple arrests in a single NIGHT, that cannot be explained by a Sting? Bounty Hunter is the only class next to Field Agent / Snitch that can perform arrests.
  • An exorbitant plentitude of Fake Logs? Likely a Rival Hacker, since Fake Logs has a 2D cooldown. If there's Fake Logs every day, or multiple instances on a single DAY, assume there is a RH.
  • A node lost all it's logs, presumably after a rollback? Must be a Rival Hacker or an offensive mole. If this happens early, more likely to be a Rival Hacker.
  • Rollback on an uncritical/Dead-End node? Probably Journalist. Though she probably declared that publicly by now.

Using this knowledge, you can try to spot potential allies aligned to your own faction/class... and maybe want to avoid lynching them. Note however, that Neutrals are fair game to any other class or faction, including other Neutrals. NetSec may lynch a Scriptkiddie they deem no longer useful, Agents frequently throw Bounty Hunters under the bus if need be, and there's no holds barred for Neutrals fighting amongst each other.

In the following class specific sections, I'll append a paragraph on a Neutral's alignment and potential/reasonable alliance. Note that these aren't strict rules, but baseline recommendations. A Rival Hacker can try to side with Netsec if they wish to. Just don't expect to have an easy win that way.
CLASS - Neutral (Benign) - Journalist

aka: 'I just wanted a scoooopHURGH'

Journalist is one of the 'Benign' Neutral classes and in a really weird spot, because on one hand, she holds a Rollback (one of, if not the most powerful Agent-sided ability), on the other hand, she is both Arrest and Conversion immune and therefore Agents legitimately cannot touch her. Only Enforcers, Runaway Snitch, Neutrals or a lynch can remove her from the game.
Bonus round: If somebody attempts to arrest a Journalist, the Journalist will know the identity of the attacker.
So, the question is as to whether NetSec trusts her enough not to screw them over (at which case she is an asset in that she can block every NIGHT AND sniff out faction identities), or would rather lynch her right away (and lose both the risk and the reward).

This puts Journalist into the unique position that they can claim their class openly, from D1... and might actually be allowed to live.

However, they still need to scoop people, and then write articles, which, base level, takes 6 NIGHTs, assuming each scoop hits. If a scoop misses, she can recover by using her rollback next DAY... at the risk of angering NetSec (though if there's an unimportant side node, that's a good target for the Rollback without angering NetSec). Another failsafe is the ability to reveal the OP, which only takes one NIGHT, and gives an instant scoop... but again, this is likely to piss off NetSec, and you need to figure out OP first.
And then there's the issue that randomly scooping people might upset those people as well, since it blocks their actions.

The Journalist is a powerful ally, and an even more fearsome enemy.

Your general playbook
Only use the Unskilled Attack if you're trying to claim a NetSec hacking role. (Otherwise you might get lynched over screwing with logs.)
Only use the Rollback if you truly need the scoop, or NetSec is progressing too fast (since you need 5 NIGHTs absolute minimum), and prepare to be lynched in retaliation if your class is known.

If you have a unprocessed Scoop, Write Article. You never know when you will be occupied, so it's best not to put this off.
Otherwise Get Scoop until you have a Scoop.
Expose OP is a very specific ability you want to only use against a known Sociopath OP, or with the OP's approval. Or if you're feeling lucky, punk.

Potential claims:
As mentioned, simply claiming Journalist is a fairly legitimate move.
But since you're Arrest and Convert immune, you could as well claim any high-risk hacking class (since you can fake hack), generate some logs, Midnight some people, draw an arrest and then sell out Agents/Neutrals to NetSec at your own leisure. NetSec might forgive you for the fake if you successfully sell them a FA. Or go all in, claim you're Engi/Analyst and deliver the FA (after a failed arrest) as proof of your class.

Journalist is a powerful Anti-Agent Neutral, but the fact she doesn't want Agents to lose too quickly gives her a precarious diplomatic position. Figuring out the Agents (by baiting an arrest) will give you solid blackmail material and an ace in negotiating with NetSec. Just don't get lynched for 'withholding information'.
The biggest issue a Journalist faces is the scrutiny towards their claim: claiming Journalist is a convenient move to deter Agent arrest, for both NetSecs and Neutrals, and even AL's will ocasionally claim Journalist. Persuade people that you are the 'real deal' by rolling back an unimportant node or by scooping two NIGHTs in a row (Midnight Visit has a cooldown, Get a Scoop does not).
Note that you can find out other Neutrals with Get a Scoop, excactly because they don't give you scoops. Use that knowledge carefully though, because both Sociopaths and Bounty Hunters can frame you to remove your arrest immunity, and the Criminal can simply kill you past D4.
CLASS - Neutral (Benign) - Script Kiddie

aka: SK (not the stabby kind), wannabee Greenhat

This class is technically simple to play, but still people get it wrong:
Your job is to survive. Your only relevant ability (DDOS) can hinder NetSec or Agents. If you hinder NetSec, you'll be cought in the crossfire and arrested at random (or lynched). If you hinder Agents, they will want to arrest you, and you have no protection against that, only against conversions.
So the only real move is to either play perfectly neutral and do nothing the whole game (and hope that Agents have a more worthwhile target every NIGHT), or to actively claim a NetSec role and then just blend in for a while, and maybe reveal after you dodged a bullet with your Hideout and pray NetSec will protect you from then on.
The worst move you can do, is to DDOS the entry servers D1. Because at that point, if you are ever found out as SK, you will just be straight up lynched.

With the recent update, you now not only have 1 charge of the kind-of-useful Move Hideout (that is however cancelled by occupying visits), but as well 2 charges of the DAY skill Create Hideout, allowing you to buff up the former to 3 NIGHTs of unreliable invulnerability.
It's not the best, but it allows you to juke an arrest or two when timed proper, and can buy you the extra time you need to become an invaluable voting ally to Agents.

Your general playbook:
You now got the fun choice between building up your defenses with Create Hideout, or maintaining your cover with your sacre uses of Scriptkiddie Attack. Chose wisely, as the former will leave easily called out gaps in your access logs.
When you are not faking hacks, use the DDOS. Benign, if you want to fake Blackhat, malicious, if you predict NetSec is out of time. Note that even timed out NetSec will be quite happy to lynch you for ruining their game though.

You literally only have one ability you can use at NIGHT, make those charges count
Best used after you launch a benign DDOS that left your identity as 'Blackhat' exposed, or after you have been subject to a failed conversion attempt (usually the next step for Agents is to throw an arrest as well).

Possible claims:
You could publicly claim Scriptkiddie, but you're not very likely to survive like that unless it's already late in the game.
The ideal claim is Blackhat, since you can both fake hacks/exploits and launch real DDOS. However, you can't visit, and either Analyst or Engi can figure you out easily, no way to work around that. Additionally, public Blackhats draw Agent attention, which is the opposite of what you want.
Beyond that, you could possible claim Inside Man, but then any benign DDOS (and at some point even a malicious one) will expose you. Everything else would be heavy improv.

Your greatest asset is the fact that you're irrelevant. You can only DDOS, and if you use them in favor of NetSec, they got little reason to lynch you. If you loudly proclaim your DDOS usage beforehand, you will even avoid angering the AL by sniping his rollback (though he will likely be mildly annoyed by you preventing rollbacks to be used, still).
You're an unattractive target to Agents because of your three Hideouts, too, but be wary that NetSec may claim Scriptkiddie for that same reason, causing Agents to poke you at random.
Note that you can assure NetSec you are not a DDOS AL by using at least one Scriptkiddie Attack: DDOS AL cannot leave fake hacking logs.
Neutrals probably don't care about you, unless they think you're faking the SK claim.
CLASS - Neutral (Hostile) - Bounty Hunter

officially: 'BOHU', but frequently nabs the 'BH' abbreviation

So, the obvious part first: You're essentially an Agent without access to their comms, and enjoy immunity against arrests (only shared with the Journalist), so your only concern is being found out by NetSec.

If you denounce a target during the DAY, the Agents get a Event Log message about your tip. Problem is: BH's like to spam out tips on random people in the hopes of earning bounties, and CCTV can send out (fake) denounces, too. You can easily earn bounties by denouncing 'obvious' targets like publicly confirmed NetSec though, albeit this will definitely cause *rolleyes* on the Agent channel.

Your main goal is to identify low-profile NetSec members and selectively rat those out (or even straight up arrest them). It's not a bad move to wait until you got actual intel, and then both denounce and citizen arrest that person in the same DAY/NIGHT. Even if Agents did not act, you have proven to them that you exist (valuable intel to them) and that you actually know what you're doing.

Note that you get bounties either if a denounced target is arrested OR if you personally arrest a target (denounced or not), as long as the target is either NetSec, or has been framed (by you).

The main tool for that is your Doxx and Stalk, the same super-powerful investigative abiltiy the Social Engineer has. Only the long cooldown is a problem, so make sure to as well keep an eye out for other indicators of NetSec activity.

Be advised that Frame, despite it's name, doesn't actually mark people as 'evil to be lynched'... but rather the opposite, since it 'frames' them as NetSec.
  • If used against an Agent, you will be notified that you found an Agent (which is great, since you can then contact them and start cooperating).
  • If you target a Neutral, they will now appear as a NetSec upon investigation (of any kind) & death reveal (and grant bounties). You kinda screw over Benign Neutrals (who can then be arrested) and Agents (as they waste time arresting Neutrals) this way, but it's unlikely they will find out.
  • If you target a NetSec, they will remain NetSec but the class displayed upon death will change. Which is a dead giveaway that they have been framed (if their role was confirmed before), but can serve for hilarious confusion and mislead those that don't check logs and just throw quick glances at the player list.

Note that your Citizen's Arrest is a pretty safe move by itself... but that a lot of arrests (especially on the same day) will start throwing up the suspicion that there's a BH. And there's only so much Planned Raids and Stings can do.

Your general playbook:
If you're claiming a non-hack class, Spill the Beans. Probably always, even if that makes you less trustworthy.
If you're claiming a hack class, you'll have to make the call between building cover by hacking, and Spilling the Beans to get your bounties. Don't be too stingy with doing the latter, or the game might be over before you got your goal complete.

As with Social Engineer, Doxx is best used early because of it's long cooldown.
Beyond that, you can either try arresting targets you identified as NetSec, or otherwise just throw Frames at people, followed by Denounce or a Citizen Arrest (keep in mind: Framed Neutrals give you bounties anyways). Just be wary that all of those log a visit... and most legit classes can't visit every night.
Plant Fake Information is your dull 'I got nothing else to do' card. It doesn't leave a trace though, and can slightly hinder NetSec.

Potential claims:
Bounty Hunter doesn't get any good free claims.
Enforcer and CCTV are out, Inside Man is doable (but be wary of being seen visiting too often). Otherwise, you can claim a hack class with your Fake Hacks.. and most hack classes have visit abilities... except that you can't Midnight Meet. Social Engineer is a semi-do-able claim, unless somebody challenges you to spoof them.
Pick a story, stick to it, and be as physically uninteresting as possible, whilst trying to figure out the Agents to ally with them (they will then help you maintain cover, maybe).

You're pretty much gurantueed to be an ally to Agents. The only issue is coordinating with them, and not being found out by NetSec (who will NOT let you live, especially not if you arrested someone).
Be wary that Agents will likely not risk themselves to cover you in case you're found out, and that, likewise, it may be in your best interest to sell out Agents when found out, especially if you got your three bounties and can consequently side with NetSec publicly and win that way.
Neutrals are potentially sources of bounties to you, if you frame them. You're the Agent's greatest assets for removing Journalists, just be advised you'll probably have to Citizen Arrest public journalists, as Field Agents are unlikely to risk believing that you already framed the Journalist.
Be wary of Sociopath or fellow Bounty Hunters framing you in return.
CLASS - Neutral (Hostile) - Rival Hacker

aka: 'RH', tends to quit NIGHT 0

Rival Hacker is a somewhat difficult role, because you're very actively racing against time to figure out the Agents, before they end up arresting you either by coincidence, or because they (not incorrectly) tag you as a legitimate hacking class. Note that they might as well end up converting you, as you're the only Neutral class not conversion immune. Technically, this makes you stronger by giving you the Rollback skill, but you lose out on a doxx, and since you were already an ally to the Agent team, it's a waste of a conversion in most cases. But hey, not arrested is good, right?

However, you're compensated for that with two distinct and powerful abilities:
Wiretap allows you to monitor another operators mails for one DAY and NIGHT (not Agent ASC though), which might gleam you amazing levels of intel, if you pick the right person.
Wipe is a game changer, because wiping a server that has just been rollbacked destroys all evidence as to who the AL is, and additionally raises a red flag that a Rival Hacker is in the game. Which is actually good, because you WANT Agents to be more careful with their arrests.

Alternatively, you can try to signal Agents by using your Alter Logs ability right away, since, at game start, only you and Field Agent have it. Thus, if on N1 access logs for a just hacked node are already altered, the Field Agent will know it has been a Rival Hacker (unless they happened to do the same, or are blind), whereas NetSec will likely suspect it was the Field Agent.

Additionally, you get Doxx, but you'll usually only end up finding an occasional Neutral that way... primarily use it to gain the trust of NetSec, or to solify your claim.

Given that you have a fairly solid hacking skill, you might want to actively avoid hacking forward nodes (as you would be helping NetSec a lot), and either find excuses to target off-path nodes, or just not hack whatsoever and claim a not-hacking role (albeit this will put you at risk of an Analyst calling you out).

Your general playbook:
Decide as to whether you want to signal the Field Agent by using Alter Logs, otherwise your time is best spent using Hack Target to build your cover.

If a node was rollback'd, Wipe it right away. This is a big blow to NetSec and secures you the Agent's favor.
Otherwise, stick to using Doxx and Wiretap (probably Doxx first, as it has a longer cooldown and Wiretap needs you to predict a intel-mailing target) when they're available, whilst accounting for the visists this will generate.

Possible claims:
Since you can legitimately hack, any hacking classes can work as a claim.
A fairly solid bet is Engi, since you can actually Doxx (and even imitate a Doxx with Wiretap), just be wary that you cannot Impersonate (albeit that's rarely called for).
Alternatively, you can go for the risk haul and claim Blackhat after seizing a node or two... but your lack of DDOS and Midnight Meeting are relevant vulnerabilities (and you definitely don't want Agents to tag you as Blackhat before you allied with them).

Your win condition is literally the same as Agents, so you're probably their ally. However, the issue comes from trying to contact them before being arrested by accident. Note that there's little reason for NetSec to ever leave you alive, and very few players, if any, would agree to leave you alive as a hacking pet.
There's little you can do to Neutrals, though they can make convenient allies if they're not aligned to NetSec.
CLASS - Neutral (Chaotic) - Resentful Criminal

aka: Criminal, occasionally RC

For when having one side of the conflict as enemy isn't enough.
Note that your win condition is fairly specific:
  • the Agent Leader (regardless of whether he goes Field Agent or not) must be killed
  • the Operation Leader must be killed OR arrested (root is entirerly irrelevant)
  • and you must survive (but being arrested is fine(confirmation needed))
Technically, this puts you more at odds with the Agents, than NetSec, because they will be far more annoyed over a dead AL, and can far easier remove you with a nightly arrest... and will probably do that at random anyways. And as well, OP might just get arrested anyways, solving that part of the equation.
However, you are still an uncertainity factor that will likely start murdering people at random come N4... and that tends to hit NetSec more often than not, so you might end up lynched. Heck, you might even end up lynched by 'NetSec' Agents and Moles, who want to protect their AL.

Your skillset is extraordinary though: You can spoof E-Mails like the Engi, you can watch people with Looking for an old friend (which is, except for it's result, indistinguishable from an Engi's Doxx), and you got the Enforcers Interrogate and Disorganized Murder skills.

Try to gather as much information as possible, hope that the OP bites it early, and then simply track down the AL together with NetSec. Inversely, if the AL dies early (which might be tough to figure out, due to his 3 days of diguise even applying in death), you're best advised to try allying with the remaining Agents.
Don't hesitate to use the combination of interrogated intel and spoofing to force yourself into networks of trust.

Your general playbook:
If you intend to claim a hack class, make liberal use of the Unskilled Attack. Otherwise, it's perfectly fine to do nothing.
Alternatively, feel free to use the Impersonate to sow distrust, but be wary that being too obvious will give away that there's a RC.

Disorganized Murder only becomes available at N4, but from then is a good tool to start taking things into your own hands. Also makes the game shorter, which helps you survive.
Looking for an old friend has unlimited uses, but a 3 day cooldown, so it could be prudent to spam it whenever available. Prioritize silent hacking operators (likely to be OP) and even if you don't find anything, use it to fake Doxx visists.
If not using either above, make liberal use of your 3 charges of Interrogate, but keep in mind that any logs retrieved could be fake. Target seemingly competent players for maximum effect.

Possible claims:
Your bread & butter are either Social Engineer or Enforcer claims.
If you can correctly guess Doxx results (which isn''t too hard, as in most cases it would be 'NetSec'), there's little that will disprove an Engi (outside of being murdered, as you lack Engi's stack of defense abilities). Only Analyst/Engi can sniff you out actively.
Otherwise, you can mime a semi-convincing Enforcer, in that this protects you from Analyst, but you lack the ability to actually escort people, which is kinda Enforcers job to begin with.
Beyond that Inside Man is a kind-of-open claim, and you might get away with regular hacking class claims, if the people you visit don't call out your visits as non-blocking.

Whilst your goal tells you to attack both sides, you will end up on NetSec's side amusingly often: OP's don't tend to live long (free), and once he's arrested, your sole target becomes the AL. Additionally, you can mime Enforcers but log-wise and by functionality, so there's no reason for NetSec not to treat you as an Enforcer if OP is dead anyways.
Be wary of being called out into public tho: regardless of which side you're siding with, the other can either lynch or arrest you.
Neutrals are mostly irrelevant or potential allies to you, but remember that you can freely murder them if you deem it necessary to secure alliances with one of the two big factions.
CLASS - Neutral (Chaotic) - Sociopath

aka: 'Socio', likes to evolve into 'SociOP'

The looney of the setting, albeit with a certain bit of Hannibal Lecter to it:
You don't just cause chaos, you orchestrate it. Your goal is self-explanatory, but getting there actually gives you a bit leeway
  • You can be granted root by OP. But you have little tools to gain OP's trust to begin with.
  • You can crack root on the day after OP's death. But only if OP did not pass off root (which usually only occurs with newbie OPs, or if root passes to a new OP, who then gets arrested next). Note that the ability to Crack becomes available once there's 'a dead OP' in the player list, but you still need to correctly target a node that a dead OP actually accessed before.
  • You can snipe the OP directly, killing them and forcibly seizing root... if you figured out the OPs identity yourself.

The big warning note: It's almost always painfully obvious if a Socio becomes OP. Except for when you're legitimately granted root by a now-arrested OP, a new OP showing up after the old one was Murdered at night tends to raise eyebrows, and if he had granted root before, the person who received root, but didn't become OP, will probably call you out. Additionally, OP's ALWAYS announce if root has passed to them, so if OP is arrested at NIGHT, but you need the DAY to actually crack root, that is one DAY of silence... and suddenly speaking up at NIGHT will, again, cause people to correctly suspect Socio involvement.

For your nightly shenanigans, note that the Sociopath's Murder is the only ability that can KILL people before N4. All other Murder abilities have a time gate and cannot be used on the first three NIGHTs. (Note that of course people can still disconnect (suicide) or be lynched. But any 'unexplainable' death at N1-3 is always the work of a Sociopath, so be wary of giving away your game if you are not certain to seize root with that murder.
Without root, you're just a pesky Neutral to NetSec, and a 2nd Sting charge to Agents.

If you succeeded taking root tho, people knowing you're a Socio OP is not all that bad. I mean, it is kind of bad if you murdered the OP to get there... but past that NetSec has little reason to lynch you unless you actively (and openly) sabotage them. Bonus point: Agents have little means to remove you by lynch for that same reason.
Consequently, you can now simply play a legitimately NetSec-aligned SociOP, do your job, and consequently force the Agents to arrest you because you're actively helping NetSec just as a real OP would do... which clears your win condition.
As to whether you reveal your identity after becoming OP, depends on whether you have to expect a retalitory lynch, and on personal preference.

Note that your Frame ability works the same as the Bounty Hunters:
  • If used against an Agent, you will be notified that you found an Agent.
  • If you target a Neutral, they will now appear as a NetSec upon investigation (of any kind) & death reveal. This doesn't really help you and only screws over Neutrals.
  • If you target a NetSec, they will remain NetSec but the class displayed upon death will change. Which is a dead giveaway that they have been framed (if their role was confirmed before), but can serve for hilarious confusion and mislead those that don't check logs and just throw quick glances at the player list. There's the off chance that the OP didn't keep a log, so framing them might hide that the OP was murderded, allowing you to actually take over root silently.

Your general playbook:
Whenever OP dies, and no new covert broadcasts are sent, use Crack Credentials right away to seize that sweet sweet root.
Otherwise: Hack. Unless you insist on claiming a non-hacker class, you have a legit hacking skill and it's your best cover.

If you know who OP is, and they're unlikely to be protected by Enforcers, Murder them, there's little reason not to (unless your identity is known to NetSec and you expect retaliation lynch).
Otherwise, you probably want to use Follow or Frame to gather intel (the latter to sniff out Agents), or to take the slow approach and Frame your known OP to obscure their class for a silent takeover.

Possible Claims:
Note that claiming Socio should get you lynched by NetSec, because you're both threatening OP, and might give Agents a second STING charge.
However, with your legitimate Hack Target skill, you can fairly efficiently claim any one NetSec hacking class... just be wary that your non-murder NIGHT Abilities always give the 'You have been watched!' notification, thus you can't fake Midnight Meeting. Engi is a do-able claim, maybe Spear if you want to gamble that nobody sees you visiting.

Sociopath is a class that noone wants as ally before you obtain root, and everyone wants as ally once you do. If you're revealed before OP dies, chances are NetSec will lynch you to protect OP and avoid giving Agents a 2nd Sting, and Agents will arrest you for that 2nd Sting. After you obtain root, NetSec will not want to lynch you because you got legitimate OP powers, whilst Agents will want to arrest you for the very same reason.
It's a rare case when somebody finds you out and does not publicize that right away, try to build an alliance on that semi-reasonable sympathy.
CLASS DUO - Agent Leader & Field Agent
These classes always enter a game together, and always know each other from D1. Ideally, they will closely coordinate each others actions, thus it's reasonable to explain them in parallel.

These roles aren't necessarily complex in their abilities... but the problem is that they're balanced around having powerful 'simple' abilities, and their coordination. Means, if you don't make the correct decisions on where to use those 'simple' abilities, or fail to coordinate with your partner-in-law-enforcerment, you'll probably lose the game, because your side exactly only has you two to begin with.

Therefore, first things first: use the ASC channel liberally, and always inform your comrade what you will be doing at NIGHT. Also, if you perform anything special at DAY (you don't need to tell them which IP specifically you fake hack, tho). And if you're claiming a role (why wouldn't you?!) it might be good to inform them which one, if just to avoid stacking up claims on the same role (4 Inside Man claims is akward). Don't hesitate to throw each other "I escorted you N3" or other instructions to append to each others logs to make them more believeable. If one of you is found out early, you're both toast anyways.

Agent Leader
aka: AL

Right away, you will see which randomized DAY ability you have been granted. Announce it in the ASC, as it will have a major effect on your personal playstyle:
  • Hack Target - If you get this one, you cannot be found out by Analyst, and actually gain a fairly high hacking skill, allowing you to seize (hopefully unimportant) nodes and to build trust with NetSec. Downside, you might end up actually helping them.
  • Unskilled Attack - A default fake hack ability, equal to what the FA starts with. Less foolproof than the Hack Target, but at least this way you can liberally hack 'as ordered' without risk of actually helping NetSec.
  • DDOS - A useful tool to aggressively delay NetSec, or to close out a timed victory, but at the expense of not being able to generate any access logs. Additionally, DDOS can be found out by Wire Shark, exposing you for an instant lynch.

Furthermore, (re)check the Event Log for your assigned cover class: Little-known feature, but you are actually told what NetSec class you have been disguised as. This cover will last until D4, meaning any Doxx (from Engis or Neutrals) will display you as NetSec.
Additionally, if you are lynched before that point in time, the player list will display your class as that disguise class. If you haven't been 100% certainly identified as AL before the lynch, a well-faked log matching your cover class might persuade NetSec that they legitimately got the wrong guy, and start tearing each other apart over 'false' accusations, maybe buying your remaining 1-2 Agents enough time to still win the game. Consider it a parting gift, albeit a frequently useless one.
If your disguise class matches a class you can fake, you might want to do that. Or otherwise, at least write a convincing log for that class anyways, even if it does not match your actions. If you're not forced to post logs before D4, you're then still free to switch your claim to whatever fits best.

On your abilities:
Rollback is a 'must have/use' for most games, as otherwise NetSec will bust through to the target before you can arrest them. Check on the Rollback/DDOS section for a detailled insight on this skill.
Strike Deal is your NIGHTly key ability. It's charges scale with player amount (1 for <= 12 players, 2 for > 12), and it comes with a notable cooldown. However, it as well is the only charge-based ability that does not deplete upon failure. So failing in your conversion (which only occurs on Neutrals, Operation Leader or Blackhat), is not the end of the world, just a lost NIGHT.
Note that converting a target takes place after the NIGHT ends, therefore their abilities will still be performed. The class of the converted mole is directly derived from his NetSec class before conversion:
  • Converted NETSEC/Field-OP (CCTV Specialist, Enforcer, Inside Man)
  • Converted NETSEC/Investigative (Analyst, Network Specialist, Social Engineer)
  • Converted NETSEC/offensive (Spearphisher, Improvised Hacker)
Intelligence Informer has to be noted, for the fact that it is NOT a visit. Meaning it's entirely untraceable, and the target does not receive any notification. This makes it a perfect ability to use during 'logged nothing' NIGHTs.

Field Agent
aka: FA

Your start is a bit less stressfull than the AL's, since you don't have any randomized shenanigans going on. However, you don't have any cover identity, can be Doxx'd as Agent from D1, and will constantly be visiting people who then 'coincidentally' get arrested.
Given this somewhat risky role, it's technically your responsibility to maintain contact with any Neutrals your team might discover and wants to ally with. Especially the Resentful Criminal shouldn't be told your AL's identity.

Your abilities at DAY are relatively mundane: Fake Logs can kinda throw off people (and doesn't leave any trace of yourself, except for occasionally random fake logs... which you can denounce as such), but it's not too useful (especially since it reveals that you have not ISP cut / fake hacked that DAY.
Unskilled Attack is your regular tool to fake a hack-capable class. But given that the use of either of your other DAY abilities will prevent you from leaving a log, it's not unheard of to simply not use this whatsoever and stick to claiming a non-hack class.
ISP Isolation however is a crucial skill that comes with no cooldown, but only 3 charges. It allows you to freely, and without risk for yourself, block another operators DAY action (excluding DDOS and rollback), assuming it was an action targeting a node. You are the only class that has this ability, beyond the Investigative Mole. Used on high-hacking-skil classes, it can slow down NetSec dramatically.

On the NIGHT side, you are the main weight of the Agents: You get several different flavors of arresting people (which is pretty much the equivalent of killing people in Mafia/Werewolf games).
Bounty Hunter and Journalist are immune to being arrested (unless framed), and there are a fair number of defensive abilities that will cause an arrest attempt to fail, same if you get occupied.
Note that trying to arrest a (not framed) Journalist will reveal your identity to her. Be wary of both publicly confirmed Journalists, but as well of NetSec trying to claim Journalist to dissuade you from arresting them.

Your Arrest is your default zero-conditions-attached go-to.
Sting is a more powerful arrest that will hit more targets. Note that an Enforcer visiting the target will still protect the target from arrest.
Planned Raid pretends to escort a target, but schedules a (no-visit-from-you-that-night) arrest on them for the next NIGHT. Whilst this does sound like a great tool to pretend being an Enforcer, PLANNED RAID DOES NOT OCCUPY TARGETS, whilst Escort does!After being changed last patch there is no way for the target (or anyone) to tell apart a Planned Raid from an Escort. Except that your target will be arrested without being visited the next NIGHT. This is still plainly visible to a CCTV, unless someone happens to visit them in the NIGHT of the arrest by coincidence... in which case neat, free randomlynch.
Keep in mind it leaves the target in play for one round longer though.
CLASS DUO - Agent Leader & Field Agent (General Playbook)
Because the previous section just wasn't short enough to fit this in...

It's difficult to provide a straight up playbook, because these two classes, like none other, have to costantly adapt to the situation, how arrests/conversions play out, and which Neutrals are present.
I'll try to provide you a generic playbook for the starting phase though, and a set of common moves that might be helpful.

Both of you usually want to maintain your cover by use of your (fake) hacking skills (or not).
The FA will want to selectively use ISP Block, but keep in mind he only gets three charges. (Note that it cannot block a DDOS, but any hack, including a zeroday, or a wireshark.)
Keep in mind that, in most games, the AL must launch a successfull Rollback costing NetSec 2 days or they'll likely reach their target server within the alloted time frame.
So, take a look at the topology, examine chokepoints, and determine which nodes are good targets, and which ones will be obvious (and therefore likely DDOS'd) targets. Since the Rollback risks leaving the AL exposed via logs, you want to Rollback on a chokepoint for full -2 days effect, but AS LATE as possible.
If you know the Rollback won't be DDOS'd (Blackhats/Scriptkiddies dealt with, or out of charges, or there are too many chokepoints for them to guess your target), the FA can support the AL by using his Fake Logs ability at the same time as the Rollback. This will increase the number of fake logs (confirmation needed) and hide the AL's track better (but still not entirely).

ARREST PEOPLE. Really, it seems obvious, but a lot of Agent games fail because the Field Agent is not doing his one primary job. Every single NIGHT, someone should be arrested, or at the very least an arrest attempted, or a Planned Raid set up. There is no excuse not to.

As AL, you will always want to use up all charges of your Strike Deal, meaning one successfull conversion for 12 or less players, and two successful conversions for 13 or more players (player count at game start). Anything less and you are potentially moving towards a loss (if NetSec is anywhere near competent).
Consequently, it seems logical to spam Strike Deal from N1 in the hope of converting someone right away, and then being able to use Strike Deal again come N3. Factoring in that you cannot convert 1-3 NetSec, and the Neutrals, and might go occupied, it's not rare for a conversion to fail, in which case the timeframe shifts, and being found out and lynched before you got those conversions, is bad for the team.
However, take note that the single-most valuable convert is a Spearphisher, as that is the only class that will turn into an Offensive Mole, and consequently have the ability to perform a Rollback at DAY AND A WIPE AT NIGHT, the most powerful 'Agent node control' combo in the game, all in one class.
Holding off on converting someone until you think you found a Spearphisher, to then specifically convert them, might be worth the risk of not using conversions at all. (This is twice as true if you only got one charge to begin with.)

This leads to a concundrum: if you want to use a Planned Raid, the AL should almost certainly use his Midnight Meet to cover the FA's lack of occupying power... but the AL will probably be busy converting, or using Midnight Meet to gather trust and find a Spearphisher during most NIGHTS.
Thus the use of a coordinated Planned Midnight Raid must be carefully evaluated against the opportunity cost of the AL not doing something else instead.

As once-per game gambit, throwing a Sting at a suspicious (but from whom you believe to be NetSec) player, at a NIGHT where you expect them to be visited / investigated, can be a great play to net you multiple arrests at once. Bonus points if you capture more than 2 operatives, and/or if NetSec is panicked thinking there's a BH on the loose and starts lynching Neutrals.

If anything more complex doesn't apply, the AL should probably just fall back to his perfectly safe, zero-clue-leaving Informer ability, whereas the FA should arrest targets at will, trying to prioritize NetSec classes, yet avoiding those protected (by OL or own abilities) or those under known CCTV surveillance.

Reminder: Always inform your teammate(s) on the ASC, after a NIGHT phase when your abilities didn't work, and why they didn't work. Being blocked is a nuisance, but a conversion-immune target is important information (as they're either OP/Blackhat, and thus high-value targets, or Neutral, and thus a potential ally).
CLASS - Moles & Snitches (General Information)
Note that, at game start, there is never any Mole/Snitch, only ever the two Agents (AL/FA).

Conversion Process
It is through the Agent Leaders 'Strike a Deal' NIGHT action, that a NetSec class (except for Blackhat and OP) is converted into a mole. (The precise term is 'Converted NETSEC/[type]', but you'll usually just refer to them as 'mole' or 'snitch'. Potentially with a '[type] mole'.) Note that the Rival Hacker is the only Neutral class that can be converted, and will turn into a Offensive Mole.

Conversions can be protected against by regular defense mechanisms (Enforcer Escort, Move Hideout, Misdirection), and it has a 2 day cooldown (if successful, or if dodged by a defense mechanism, cooldown does NOT apply if AL is blocked).

It's not unusual for an AL, especially in a >12 player game, to use his Conversion on N1 thus you should usually assume there'll ALWAYS be at least that one mole in the game alongside the two Agents, usually from N1/2 on.

However, take note that there's actually plenty of classes that are immune to Conversion (Neutrals, 0-2 Blackhats, 1 OP)... so it's not rare for random conversions to fail, which can leave the AL to spend several NIGHTs before succeeding at all.

What changes?
First of all, the converted operators class changes (usually permanently) to his new mole class, granting them new abilities. Most notably moles never have a (fake) hacking ability. Additionally, the operator is now considered an Agent for all purposes, meaning
  • investigative abilities will tag them as such
  • they get access to the ASC and can see other Agent identities
  • their win condition is changed and now aligns with the Agent ones

There is no coming back from this alignment switch, you're part of 'them' now. And it's a reportable offense to try continuing to help NetSec (why do I even need to point this out...)
As well, note that a mole is, by definition of his position and (compared to Agents; weak) abilities, always a less valuable member of the Agents than AL or FA... and fully expected to throw themselves under the bus if the necessity arises, unless dictated otherwise by AL or FA.
(Note that this still doesn't mean you have to blow your cover to try saving another Agent from a hopelessly botched situation... if the ALs Rollback log clearly calls them out as such, there's no point in trying to claim that you can confirm they didn't do it (because you probably can't), it will not save them, merely get you lynched next.)

Note that for the purpose of claiming, you have to consider that moles tend to be very limited in their abilities, and have very few applicable classes they can effectively fake (alone because they potentially lose their hacking ability). Additionally, you would have to potentially rewrite several DAYs and NIGHTs worth of logs. And that's only even an option if you didn't already reveal your class to someone or the public.
Therefore it's almost always adviseable to simply keep claiming the class you were before conversion and try to obscure your sudden shift in abilities as good as possible.

Difference between Moles and Snitches
The difference is not immedeately clear by game's description: Any NetSec converted by the AL's Strike a Deal become moles. However, if (afterwards) everybody else on the Agent team dies, only leaving a single mole, the mole will then become a Runaway Snitch. Note that if the Agents converted two operators, one of the moles has to die for the other to become a snitch.

Note that, opposed to moles, Snitches gain access to a fake hack ability, and can even murder and (indirectly) arrest operators at NIGHT... making them significantly more powerful than regular moles (on their respective own).

This serves as a 'last ditch' effort and gives solo 'ex-moles' a (slim) chance to still win the game.
CLASS - Converted NETSEC/Field-OP
Because being a wage slave wasn't enough of a torture already...
Converted from: CCTV Specialist, Enforcer, Inside Man

A relatively simple mole with little in the ways of abilities, but the innate advantage that they are less likely to be found out: You didn't have a hacking ability before this, either, so your cover (especially if you claimed Inside Man before) will usually remain more or less intact.

Your Jam Network ability is functionally identical to the Field Agent's ISP Isolation, except that you can only use it one single time. Coordinate with Agents for maximum effect.

You are one of only two classes that can use Wiretap to listen to another operators in- and outgoing mail traffic. Whilst this ability CAN be extremely powerful... you need to know who is mailing critical information to begin with, which can be tricky.

Your general playbook:
Spam Plant Fake Information, there's little else you can do.
Save up the Jammer until the Agents have identified a strong hacking class and needs the gamble at an extra day.

Wiretap a target that appears to be in cahoots with other operators. It's your one infinite-charges ability, so it should be used with priority.
Otherwise, you could Follow someone to either build your cover (as it generates 'watched' notifications) or to try gleaming intel,
since Search for Keyloggers is pretty much your simple (and usually useless) fallback move you spam out otherwise.
CLASS - Converted NETSEC/Investigative
With exactly zero investigative abilities...
Converted from: Analyst, Network Specialist, Social Engineer

If you were a Social Engineer before this, you actually still got a chance to maintain cover, because nobody will remember that you actually 'keep' your Impersonate skill upon conversion. (And, opposed to Engi, you as Agent have no reason not to use it to sow maximum confusion in whatever way you deem possible.)
Otherwise (and maybe even then) you'll be screwed over by your lack of hack however.

It doesn't help that your Setup is a once of a kind ability that no other class has, thought it's hard to trace back to you, and it tends to cause a nice amount of confusion.
To clarify it: Setup, if used on a target A, occupies A (cancelling their NIGHT action), and then causes A to visit B (with B receiving the usual visit message... but without being blocked, hence giving away that this was a setup). A however will receive a message that B visited them and consequently make it appear like B Midnight'd them. Note thowever that B is not occupied, and may therefore realize that it's a Setup.
It can still cause A to distrust B (especially if B claimed a role that shouldn't have a Midnight), and if B doesn't call it out as a setup can lead to fun results of the lynchy variety. Furthermore, if B is being Sting-arrested, it will add A to the arrests (but good luck hitting THAT jackpot). Lastly, keep in mind that it will be a visible visit from A to B, that A is not aware of and will probably deny.

Your general playbook:
You can liberally use Impersonate, since you do not have to worry about confusing your allies, just be aware of it's two charge limit.
Otherwise, Alter all the Logs. Is it useful? Probably not. Do you have nothing better to do? Probably yes.

You only got two uses of Setup, and it's too much of a red flag to be used carelessly. Use it in coordination with other Agents to specifically block protection abilities or other valuable NIGHT actions.
Otherwise, stick to doing nothing, whilst pretending to do everything.
CLASS - Converted NETSEC/offensive
The one mole you will never regret to become.
Converted from: Spearphisher, Improvised Hacker, Rival Hacker

It's remarkable how moles generally tend to be weird and a bit limited,
yet this one mole is the single-most powerful anti-hacking class in the game, bar none.

Alongside your new boss himself, you are the only class with access to a Rollback that includes Fake Logs... not that you would actually need the latter, because you as well get the 'unique' abilitiy of the Rival Hacker, the Wipe.
Meaning you can (and probably should, on first opportunity) Rollback a node of your choice at DAY, and then Wipe it in the following NIGHT, leaving no trace of who did it.

Beyond that, you gain the unique Harden Node ability to make not-yet-pwned nodes harder to hack. Note that it does leave an access log, so using it to fortify some (target) server far ahead of currently visible systems will leave glaringly obvious logs identifying you as an agent (if they ever take it).
Though on the other hand you can use it alongside the hacks of other players and it will be indistinguishable from your previous Hacking Skills. Just note it's lengthy cooldown

As well, for some unfathomable reason, you now gain access to the tell-tale Midnight Meeting ability (that you definitely couldn't have had before conversion), which allows you to block people or build a new class cover.

Your general playbook:
Unless ordered otherwise by AL, Rollback a chokepoint on the first chance you get (accounting for potential DDOS and such). This is your most critical skill, and getting it out before being found is always worth it.
Then just spam out your Harden on nodes that are a path to, or the target server.

Use your Midnight Meeting if you have a reason to, but be wary that using a 2nd Rollback will raise a red flag to your class's existence... and to anyone suddenly being able to do Midnight Meetings.
CLASS - Runaway Snitch
Snitches apply stitches...
Converted from: Any mole, automatically, when no other Agent is alive

After having remembered that there's this thing called the internet that even a random Journalist could grab some scripts from,
you are now the Agent's last bastion of hope to win the game... probably by a time-out for NetSec.

Note that your unique Snitch to Cops ability lets you arrest people (as the only class beyond Field Agent / Bounty Hunter), and even does so without you visiting the target, but has a hefty 3 day cooldown.

If you were a hacking class before initial conversion, you will appreciate the ability to build cover with fake hacks again, but you have no other ability beyond those removing players, so be wary.

Your general playbook:
Fake hacks if you need it and it fits your claimed class, nothing otherwise.

Make liberal use of your safe and trackless arrest (usually you only get to use it once, anyways),
otherwise do not shy away from murdering your way through what remains of NetSec. It's not like you have much of a choice.
Disclaimer & Permission
Disclaimer: The author(s) of this article are not associated or affiliated with Knu, or any developers of this game (beyond some Discord chitchat and arresting them once in-game). As well, the game is under developement and game mechanics might change, therefore this guide does not guarnatuee absolute accuracy. Furthermore, it is heavily biased by my own experience with and in the game, and may change as the game's meta developes.

Do feel free to contribute your own knowledge in the comment section, though be advised that this guide will not feature vastly complex strategies, both because it's meant to give new players an accessible understanding of the game and because it's no fun to spill all the tricks.

For the sake of expanding this guide's Fair Use protection, I've pre-emptively asked Knu to grant his blessing for use of the pictures featured above:So, let's be clear, that the dev of this game already broke it's first rule by trusting me :D
< >
𝙈𝙤𝙑𝙖𝙡𝙙 Oct 28, 2021 @ 11:02pm 
thank u
THANOSCAR5 May 29, 2021 @ 12:53pm 
nice guide, thank you
DeadSpace47 May 10, 2021 @ 6:40am 
l think it would be wise to add some images on the part 'Top top bottom bottom' in order to explain how the tactic works on, at least, 2 different examples. Don't know about others but, l sometimes have problems understanding something in text unless it is has an image alongside it. A picture can explain a lot of things and for me, for someone who doesn't speak fluently English, l may not understand what are you saying, even if l am an experienced in English. l believe it will be more organized if you use more visual examples(bolding or underline certain words will also help on people who want to know the 'musts').

In the end, it is a suggestion. l do like the guide and found myself interested on this.
Smoop2020 Feb 11, 2021 @ 3:18am 
This is very good thanks man.
[TAG]Alblaka  [author] Feb 10, 2021 @ 6:25am 
@Clin: I'm wary of putting every possible interaction for 'if you target someone with this ability, and X and Y but Z, then THAT will happen' in the respective class sections, as that goes beyond what the class sections are meant to convey. But gien how frequently beginner FA's (try to) arrest public Journalists... yeah, I might add that.
clin Feb 10, 2021 @ 3:00am 
I learnt that "If somebody attempts to arrest a Journalist, the Journalist will know the identity of the attacker," in the journo section. Wondering if it should be put in the section of those who can arrest also?
com1t Feb 9, 2021 @ 4:25pm 
itll take me hours to read this but so far ive read 20mins of it and ive already learned stuff i didnt know before o-o
Pols Feb 8, 2021 @ 3:44pm 
a very long and good guide, gj dude
Knu  [developer] Feb 3, 2021 @ 10:20am 
of course I trusted you, look what an amazing guide you wrote <3