Shadowrun 20th Anniversary's cover.

For this post we’ll be using Shadowrun 4th Edition, published in 2005. More specifically, we’ll be using the 20th Anniversary core book published in 2009, which uses the same base rules as 4th Edition but incorporates errata and some material that was previously published in supplements.

Setting Overview

If Shadowrun 1e’s Matrix was inspired by 80s mainframes, then 4th edition’s is inspired by the Internet as it was in 2005, plus some reasonable extrapolations of things that were in fashion among futurists then but didn’t necessarily pan out in the following decades. It does end up looking a lot like what we actually have here in 2023, with a few important differences.

Instead of being built around high-speed cell towers, the mobile Matrix is a ubiquitous wireless mesh network. Individual devices in a mesh cooperate to route its network traffic without the need for central coordination.

The Internet of Things was also in fashion, so every object that could possibly have a use for built-in computing and network capability has that capability. Most of those devices are fairly limited, but computer hardware is apparently so cheap and standardized that many of them have unused capacity that could be repurposed by a clever hacker. One example is someone converting cheap appliances into mesh routers to to bring connectivity to a “dead zone”. It’s also easy to turn off a device’s wireless capability with a simple command or in some cases a physical switch.

Almost everyone carries a commlink, a device that’s equivalent to a real-world smartphone in form factor and usage. They often connect to a variety of peripherals, more limited devices that are built to talk to commlinks and not to the wider Matrix. These range from augmented-reality glasses to that smartlinked gun your character owns. A big server of the sort that’s the target of a hacking run is called a nexus. I will just say “server” instead.

Augmented Reality is a big deal here, with most things connected to a mesh having some sort of AR presence, and general interaction with your commlink and the Matrix happening through AR interfaces. If you can use AR to help with your current task you gain a bonus to the roll. Examples include finding your way around town with that handy videogame-style minimap, overlaying a blueprint and instructions over the thing you’re fixing, firing a smarlinked gun, finding someone in a crowd when you have a face-recognition database, and so on. One can also choose to go “full VR”, which more useful for certain applications (mainly hacking).

Secure facilities of the sort shadowrunners are hired to break into have internal mesh networks. They use tactics like limited signal ranges and radio-blocking paint to keep their signal contained to the physical space they service, and might not be connected to the wider Matrix at all. In some the paydata is going to be in a server that’s only accessible via wired connection or even via its own terminal. While sometimes it’s still possible for a hacker to work from home, they will most often have to hoof it alongside the rest of the team and take on devices and intranets as they come.

Just like it happens with Shadowrun 1e, a lot of criticism of this model comes from a mismatch between the person’s understanding of the modern (2023) Internet and the model they used to build the Matrix in the books. It’s a bit worse here both because of the usual edition warrior shenanigans, and because the differences are more obscure. On the bright side it’s a lot easier to change the explanation behind the Matrix to a 2023-current one here than it would be to do the same to Shadowrun 1e’s 80s extravaganza.

Mechanics Overview

Hacker characters are called, well, hackers. They use powerful commlinks and a suite of specialized software to hack mesh-connected devices. Most often this means some peripheral or commlink-level device like a camera, alarm, door or handy pieces of scenery like unattended cars and other things that can be used to ruin an enemy’s day. It can also mean hacking into a big nexus to steal data and generally do the same things you could do back in SR 1. All devices are described by the same set of attributes, and use the same types of programs.

Stuff like memory, storage, file sizes, and download speeds are still considerations in the fiction, but they don’t get detailed rules. Unless the GM judges a given chunk of data is too large, you can download it in one turn and store it in your commlink. Some really huge files might take multiple turns to download or might not fit your storage at all, and the GM decides when that’s the case based on common sense. You don’t need to worry about storing your run’s paydata, but you also can’t try to get cute and download the entire public Matrix into a talking teddy bear.

Hacking a device means obtaining illicit access to a user account inside it. If you have set of legitimate credentials for your target account then you don’t need to roll anything. Otherwise you can gain access by either probing the device over a period of hours or days, or by hacking on the fly. The latter is an aggressive approach that happens in combat time and carries a much higher risk of detection.

Hacking can be done in AR or VR. There are several advantages to doing it in VR, and even more for doing it with the safety limiters turned off (a condition known as “hot sim”). Hot sim is the preferred way to hack important nodes, but it also leaves you vulnerable to lethal damage from Black Ice.

There are three types of user account. Standard accounts can view and mess with their own data and perform basic functions of the device. Security accounts have access to more sensitive functions and thus are more protected. And administrator accounts are the most protected and have full control of everything. Individual nodes in adventure descriptions should also include a description of which account tiers they support and what those let users do.

It’s also possible to use a technique called “spoofing” to send single commands to nearby devices by pretending to be someone who’s authorized to do so. This is probably what you’re going to use for one-off environmental fuckery.

There is no Hacking Pool here, but all characters can spend Edge to boost any roll by doing things like rerolling failed dice.

Run Parameters

For the first time in this series our Hacker will be joining the physical team on-site. In this game, it’s common for a site to have more than one server, and for the really important ones to be isolated from the outside Matrix. This means the servers containing our main mission objectives can’t be hacked remotely.

As usual the core book provides us with a very handy sample Hacker which we can use for our run. This one’s an ork dude with an implanted commlink with all attributes at 5 and a full set of programs whose ratings vary between 2 and 5. His skills vary between 4 and 5 too. He’s better at sneaking around than at cybercombat, so we should take care not to trigger any alerts.

I don’t have a ready-made target site for him to hack, but I found this free document with some example sites and I’m going to take inspiration from this, from the SR1 mainframe, and from what little I know of real life to design a target network. Here it goes:

This company has a public site but that doesn’t get stats here because it’s hosted in some cloud provider elsewhere. It has an internal office network for its day to day business, separated from the Matrix by a beefy firewall. The firewall node is also not relevant to us because we’re hacking the site from the inside.

We’ll treat the entire office network as a single node: System 4, Response 4, Firewall 3, Analyze 2. User-level accounts allow each user to perform their daily work. The company’s accountant has a Security account that can access and manipulate the company’s money, and we need to breach it in order to steal that money. The network’s standard ice has Pilot 3, Analyze 3, Attack 3, Armor 3, and triggers when the node detects any unauthorized access. There’s another piece of ice here (Pilot 4, Analyze 4, Stealth 4, Track 4) that gets activated if the system detects unauthorized access to the security-tier account. It tries to trace the intruder’s connection and notifies the authorities when it succeeds.

Separate from the internal network, there is a security server in charge of alarms, cameras, badges and lockable doors. User accounts in this server let employee badges open some doors, but not the one that leads to the record room. Security accounts let their user operate alarms and cameras. The security server has its own wireless signal that covers the entire office, but it doesn’t connect to any other server and accounts on other hosts aren’t valid here. We want at least a Security account to perform most of our objectives. If the hacker is on site they might also try to spoof the individual devices.

The security server has System 4, Response 4, Firewall 4, Analyze 4. Its ice, which activates when an intruder is detected, has Pilot 4, Blackout 4, Armor 4. Any guards currently connected might also be alerted to the intruder. The server operates in hidden mode, so our hacker needs to find it before trying to hack it.

Cameras, alarms and doors attached to the security server all have Device Ratings of 3 and can be individually hacked or spoofed. Employee badges have Device Ratings of 2. All are subscribed to the security server.

The secret file server containing the evidence is located in the records room. It has no wireless interface at all, only a cable jack and a physical terminal. It has the same stats as the Security server: all stats at 4 plus Analyze 4. Its ice has Pilot 4, Black Hammer 4, and Armor 4, and is of course illegal for the target to possess. It has only security and admin accounts.