This guide will give you some tips and strategies on deducing various roles and how to sort truth from falsehoods
 
 

Overview

Untrusted, as with Mafia, Werewolf, Town of Salem, Secret Hitler and the like is mainly about social deduction.
 
 
While you can lynch willy-nilly and pray that you manage to vote off AGENTS, you will invariably catch NETSEC and other friendly members in the crossfire. This means loosing valuable players, sources of information and voting power.
 
 
It is far more effective (and satisfying) to vote players only after making deductions and finding solid proof that players aren’t who they say they are.
 
 
This guide will give you some tips on how to form these deduction and gather these proofs.
 
 
In order to form deductions, you will need information. In Untrusted, this can be found from several sources.
 
 
 

The Network Topology

The layout of the network can help you predict the actions of AGENTs. One of the main goals of AGENTs is to stop the hack and they will do anything in their power to achieve this. The main tools at their disposal are Rollbacks and Denial of Service.
 
 
When attempting to hinder NETSECs progress through the network they will almost always focus on chokepoints. These are nodes that NETSEC must hack to secure other nodes. AGENTS will use Denial of Service on unhacked nodes to prevent NETSEC from connecting to the node and they will attempt to rollback and re-secure hacked nodes to slow down NETSEC.
 
 
You can use this information to predict when AGENTS will attempt DoS or rollbacks and plan accordingly. For instance, if you can see that there is only one hackable node on the topology, you know that AGENTs will attempt to DoS it and you can then deploy wiresharks as Netspecs in order to discover the AGENTs.
 
 
Alternatively, if it is late game and NETSEC is close to hacking the target node, you know that AGENTs will attempt to rollback a chokepoint and you can then have blackhats and script kiddies DOS these nodes to prevent rollbacks.
 
 
One exception to using chokepoints are coordinated rollbacks. This happens when there are two paths forward in the topology, and the Agent Leader and their Offensive mole perform a simultaneous rollback on both these nodes. If this happens, you now know that the Agent Leader has an Offensive mole, and you can then begin questioning any players with an Offensive class.
 
 
 

Node Connection Logs

Node connection logs can give you a lot of information about hacking classes (or those who claim to be one)
 
 
Firstly, only hacking classes can connect to nodes (or fake connect using the Unskilled Attack ability). Therefore, if a player claims a non hacking class (say an inside man or an enforcer) yet they have connection logs on the servers, you know they are lying and can begin questioning them.
 
 
Secondly, the inverse is also true, and hacking classes are expected to hack (especially if ordered by the Operation Leader) and will show connection logs. If a player claims a hacking class and isnt hacking (shown by the lack of connection logs), this would be considered suspicious, and you can begin questioning them. Additionally, if a hacking class hacks on some days but skips others, you can deduce that they are using other day abilities instead of hacking and can question them. In these cases, players can claim that they were ISPed which is why they couldnt hack, which can be verified by netspecs.
 
 
Secondly, hacking a node is hard for most classes and requires cooperation to be completed successfully. The main exceptions to this are Blackhats and the Operation Leader who can often hack nodes entirely on their own. This is called “soloing” a node. As a result, if you see only a few hackers on a particular node and especially only a single hacker on a particular node, you know that you found a powerful hacker, either a BlackHat or the Operation leader.
 
 
AGENTs will almost never use their hacking skills to aid NETSEC and would instead, use Unskilled Attacks, depending on other NETSEC players to hack the node and maintain their cover. Thus, you will almost never find them soloing a node, unless they’re doing so to prove their claim when challenged. In this case, AGENTS will only hack nodes they know are deadends or only progress the hack when their cover is being questioned and they are close to being voted out.
 
 
Thirdly, classes with the Download Intel ability will often reconnect to already hacked nodes to search for any intel. So if you see that someone has connected to a node after it has already been hacked, you know you have found a downloader who you can email privately, directing them on which node to download. Non downloading hacking classes will continue forward, hacking nodes and not revisiting hacked ones.
 
 
Lastly, node connection logs should always match up with the personal logs of a player. For example, if Dr. Blue claims in his logs that he connected to node .25 on day 3, then the connection logs should indicate such. If there is a mismatch, you know this player is lying and his logs are fake.
 
 
It is important to note however, that AGENTs and some neutrals have the ability to alter logs, and Rollbacks will always add fake logs to the node in question. The analyst would come in very handy here as they can clear these fake logs. If an analyst can clear the fake logs added during a rollback, the true logs left behind will show the AGENT or other player who performed the rollback. That is why AGENTS will almost always perform a rollback, only when they have a mole that can Wipe the logs from the node.
 
 
 

Voting Patterns

Voting patterns can tell you a lot about who may be AGENTs in a given game. Because AGENTs are so few in number, they will rarely vote their own or their friendlies, unless they have no other choice to maintain their cover. However, AGENTs will have no problem voting non agent players as that means one less player they need to arrest and one less player who can vote against them. As a result, you will notice some patterns while voting players, especially in the late game.
 
 
Firstly, as agents will vote other players but rarely their own, you will notice that some players will be voted out more easily than others, If a player is quickly voted off without bickering or debate, it is likely that AGENTs are voting with the group and pushing to get rid of this player.
 
 
Secondly, the inverse is true. As agents are reluctant to vote their own, you will notice that it will be hard to canvas enough votes to assassinate certain players. Therefore, if you notice that some players arent voting for a particular player who turn out to be an AGENT, you can then deduce that the players who were hesitant to vote or late in voting may also be AGENTs as well.
 
 
 

Chat Interactions

Certain things that players say in the main chat can often tell you a lot about what their roles and factions are. These tips below will show some of these patterns.
 
 
Firstly, if a player says that downloaders should download a particular node, they are either a Confidential Informant who uploaded their intel, or an Inside Man who used their Inside Knowledge ability. Alternatively, they could be a Forensic Specialist who used their Upload Fake Intel ability.
 
 
Secondly, the inverse is true as well. If a player is asking for nodes that have information on them, they are probably a class with downloading abilities (or claiming to be one).
 
 
Thirdly, by the nature of their roles, Operation Leaders will have a lot to do. Between sending out broadcasts, emailing players, using their abilities and coordinating with other netsec players, they will often write very little in the main chat. If you find someone writing especially little but they are hacking nodes and moving forward every day, you probably found the OL
 
 
Fourthly, the above is even more true with agents. Between coordinating their strategies in the Agent Secure Chat, updating their fake logs, using their abilities and trying to keep a low profile, agents will often say little and almost never claim unless prompted.
 
 
Also, sociopaths, due to their role, often try to get as close to OL as possible. This means that they will often agree with OL and praise their strategies in the main chat and give suggestions to “help” the hack. Alternatively, in order to avoid too much attention, they will keep quiet and say little, hoping to deduce who the OL is so they can murder them and steal their credentials.
 
 
 

Follows and CCTV

The follow and CCTV Surveillance abilities are very powerful means of determining the whereabouts of certain players.
 
 
Firstly, if you see a player visit another player the same night that player is arrested, it is safe to assume that you found the FA. Alternatively, the arrested player may have been Planned Raided, in which case they would have mentioned an escort on the night previously. In any case, any player who visits another the night of their arrest should be immediately suspicious
 
 
Secondly, if you see player A visit player B and player A turns out to be an Agent Leader then you will know that player B has a fair chance of being a mole.
 
 
CCTVs are also powerful as they can verify each other. If as a CCTV, you see someone else claim CCTV, check with them to make sure your claimed camera locations match up. They should be able to see who your cameras are on and you should be able to see theirs. If there’s a mismatch then you know you found a fake claim.
 
 

 
 
This is all about Untrusted – Tips and Strategies Operation Leader Guide; I hope you enjoy reading the Guide! If you feel like we should add more information or we forget/mistake, please let us know via commenting below, and thanks! See you soon!