[RickDeckard]

I need some help on how you design a Matrix run in general. I understand the concepts of the Matrix, but I'm having a hard time design e.g. how a Host looks, what's in there, what kind of rolls does a Decker need to make to find paydata, how do I play the security. Is there such a thing as a Host map you'd design for a generic smash-and-grab in a host? Who would have host? Just companies or also crime syndicates etc?

[Stainless Steel Devil Rat]

The Matrix is 1/3 of the playing field in shadowrun, so naturally the Matrix defenses of a target should get its share of your attention when designing a run.

Usually there only needs to be one host per site, although if you want to make things complicated you can distribute various tasks across separate hosts. (an admin host, a security host, a customer service host, etc).  Before doing stats, you need to decide what functions are controlled by the host(s) and what are not.  Access control and running security devices are common functions, as well as whatever business concerns the site does. (a host in a car part manufacturing plant probably coordinates the assembly line, etc)

The first question you need to answer is how tough is the host? It should correspond with the physical nature of the site.  The chart on page 247 SR5 gives you an idea of where your ballpark should be.

The next question is how to distribute the ASDF ratings. Generally, you'll use an array of HR+0, HR+1, HR+2, HR+3. How they're assigned is saying some implicit things about the security posture:
Attack: high priority here says you want to punish people who hack your host
Sleaze: high priority here says you really are trying to keep a low profile (note: if the host isn't bothering to run silent, this is doing almost nothing for the host.  It should be the lowest stat 9 times out of 10)
Data Processing: It has mechanical benefits (initiative for IC) but primarily if this is the highest stat, you're communicating that the host primarily does legit business.
Firewall: Your basic security priority. 9 times out of 10 this should be either the highest or next highest stat for a host.

Once you've got Host Rating and ASDF array, you next have to decide what grid it is on.  If it's a megacorporate affiliated site, it's probably on that corp's global grid.  Of course that's only true if it's a publicly acknowledged site rather than some black site. Most hosts run by organizations with resources but without a TON of resources will be on the Local Grid.  If it's a government or not particularly rich host, the Public grid is usually the best choice.

You've got a lot of data by now, and that data speaks a lot of implications about the host.  You should be ready to decide what its security posture is by now.  What IC is loaded, how many/how good are the spiders.  You're as free here as you are in making up concerns about physical security.  It may help to have a "binder full of NPCs" and have some stock spiders of varying threat levels so you don't have to make them up from scratch every run.  As for IC, the only constraint to remember is there's only ever one of each kind of IC (so no 2x Patrol IC or similar) and the max number of different IC is equal to the Host Rating.  Beyond that, it's all free-form. Generally speaking only Patrol IC is running 24/7 in most hosts, simply as an in-universe precaution against employees being attacked by IC.  Although there's no mechanic for IC accidentally misidentifying legit users as hackers, so technically speaking there's nothing stopping you from having all the Host's IC running all the time (other than accusations of being a mean GM).

Sculpting is where you get to be creative. If you know your NPCs well enough, you should be able to think up some metaphors they'd find appealing (maybe the spiders and IC in a security host in Neo-Tokyo all look like robotic samurai).  A rule of thumb I like to use: the more open the host is meant to be to the public, the friendlier the sculpting.  A host that looks like a dark wizard's tower surrounded by a lava moat is conveying to the public that they're not welcome.


some advanced topics:
Remember, marks travel upstream but not downstream.  If a decker gets marks on a slaved maglock, he'll get that many marks on the host too.  However, even if you have 3 marks on the host you still need to hack the next maglock as slaved devices aren't all marked just because the host is.

Be sure to employ File Protection. Especially on things like security logs and anything confidential that the public shouldn't see. (remember, you need a mark on the host to enter the host, which means legit users can just snoop around at everything if you don't secure non-public files....)

Don't be shy to put some Data Bombs out there, too.  Especially on paydata.  Your choice as to whether or not the file gets deleted by the bomb, as appropriate to the paradigm you've developed and the sensitivity of the paydata itself.

Get very familiar and comfortable with the Matrix Search chart on pg 241.  It is your guideline on how hard to make tests to find something, based on how well hidden you want it to have been.  Most things that would qualify as paydata will probably be Limited Interest or Actively Hidden inside that host.

[Iron Serpent Prince]

However, even if you have 3 marks on the host you still need to hack the next maglock as slaved devices aren't all marked just because the host is.

Just a note, with MARKs on the controlling host, a decker can use Spoof Command (Core Book, page 242) to bypass locks without the need to hack them directly.  It is another way to skin that particular cat.  If you'll pardon the Linux joke.

[Stainless Steel Devil Rat]

However, even if you have 3 marks on the host you still need to hack the next maglock as slaved devices aren't all marked just because the host is.

Just a note, with MARKs on the controlling host, a decker can use Spoof Command (Core Book, page 242) to bypass locks without the need to hack them directly.  It is another way to skin that particular cat.  If you'll pardon the Linux joke.

That's debateable, as while you're impersonating the host you're still performing the spoof command on the lock.  I'd say you need marks on the target, not on what you're pretending to be.

Luckily for the OP, he's the GM and he can decide for his own table.

[Iron Serpent Prince]

That's debateable, as while you're impersonating the host you're still performing the spoof command on the lock.  I'd say you need marks on the target, not on what you're pretending to be.

Not debateable at all, by RAW:

SPOOF COMMAND (COMPLEX ACTION)
Marks Required: 1 (see description)
Test: Hacking + Intuition [Sleaze] v. Logic + Firewall

You spoof a device’s owner’s identity, making the device think that your command is a legitimate one from its owner. You need one mark on the icon you are imitating; you do not need a mark on the target. The opposing dice roll is still based on the target, though. This trick only works on devices and agents, not IC, sprites, hosts, personas, or any other icons.

[Stainless Steel Devil Rat]

Ah, nice find.

Of course, there's the risk of Patrol IC or a spider noticing that the lock is inexplicably responding to a command the host never sent, but yeah you pick your poison and live with the results

[RiggerBob]

Not debateable at all, by RAW:

SPOOF COMMAND (COMPLEX ACTION)
Marks Required: 1 (see description)
Test: Hacking + Intuition [Sleaze] v. Logic + Firewall

You spoof a device’s owner’s identity, making the device think that your command is a legitimate one from its owner. You need one mark on the icon you are imitating; you do not need a mark on the target. The opposing dice roll is still based on the target, though. This trick only works on devices and agents, not IC, sprites, hosts, personas, or any other icons.

Actually it is debatable, because the rules completely fail to clarify ownership.

The book talks about corporations as owners of devices their employees use, but RAW legally owning a device is different from being the matrix-wise "owner" ("Owning a device and being its owner aren’t necessarily the same thing", Core, p.236) and only personas can be "owners" ("The owner of an icon can intentionally transfer ownership to another persona [...], Core, p.237) which leads to:

a) You can't spoof a device with marks on the controlling host, because it's not the owner.
b) You can't spoof a corporate owned device with marks on it's "owner", because the corporation itself is not a person and has no persona to mark in the first place.

Using the a corporate host as the (matrix-)owner of corporate equipment slaved to it is a commonly used workaround, but not exactly RAW. 

[RickDeckard]

Thanks, that was incredibly helpful! The crunch can be very crunchy in SR so so far I’ve mostly kept it pretty generic just using the visual fluff, but I’m ready to take on the more complex aspects.

One more question: the Track IC that patrols 24/7, how often does it check for intruders? Every combat turn I imagine. And that’s just a Matrix Perception roll?

So if I want to design a non-lethal but well protected Host I could have it launch Probe, Tar Baby, Track IC as soon as the Patrol IC spots the intruder, effectively link locking, tracking and alerting physical security. Does all that IC launch simultaneously at the beginning of the turn or only one per turn?

Does the Decker automatically know what is launched or does he have to roll perception to ID the IC?

What does it mean when it says “if the Host gets a mark on you”? Is that the same as if the Patrol IC spots you since the Host doesn’t really actively do anything by itself?

[Stainless Steel Devil Rat]

Thanks, that was incredibly helpful! The crunch can be very crunchy in SR so so far I’ve mostly kept it pretty generic just using the visual fluff, but I’m ready to take on the more complex aspects.

One more question: the Track IC that patrols 24/7, how often does it check for intruders? Every combat turn I imagine. And that’s just a Matrix Perception roll?

Patrol IC.  Track IC is something else  

You can have the hacker be scanned however often you like .Patrol IC can scan the PC's Persona every pass of every combat turn but that's probably unrealistically mean to the player in most hosts, as surely the Patrol IC has thousands of icons to keep tabs on.  It would be realistic/fair for Patrol IC to only "get around" to the PC hacker once every X period of time... and X is a bigger chunk of time the bigger/more complex the host.

As the GM, you have the player in a Catch-22.  If he runs silent, yes the Patrol IC first has to successfully spot him in order to then target for a matrix perception.  So maybe you should run silent?  Maybe not, because the IC only needs 1 hit on an unopposed Matrix Perception test to tell there's a silent running icon inside the host. That doesn't spot the silent running hacker but if you want, knowing a silent running icon is present is all it takes for the host to go on alert anyway.

Do you not run silent then?  Well, naturally you don't have to be spotted. But it's not all bad news, because of course you have a mark on the host or else you can't even be inside the host.  That mark makes you "legit", even if the mark was illegally gained.  The IC can inspect you, but as far as the host is concerned you're legit.  The IC can sniff you out as a hacker though by checking what programs you're running or what your last matrix action performed was.  If anything illegal turns up the IC can trigger alert.  See the chart on pg 235 for what sorts of things IC or Spiders might look for on a user's persona.  And of course, if the hacker doesn't make his icon look like it belongs, spiders or even IC might confront the persona right away if he's not running silent.

So if I want to design a non-lethal but well protected Host I could have it launch Probe, Tar Baby, Track IC as soon as the Patrol IC spots the intruder, effectively link locking, tracking and alerting physical security. Does all that IC launch simultaneously at the beginning of the turn or only one per turn?

The Host launches IC at the start of a combat turn. It can only launch 1 IC persona per turn.  It's up to you whether it goes through a progression, or keeps re-launching the same IC if the hacker killed it last turn.  Remember, the nasty things IC do only happens on a successful attack.  If the hacker is running silent, the hacker still must be successfully spotted.  But if the host has scored a mark on the hacker (see Probe IC) then running silent doesn't help anymore (but still imposes the -2 dice penalty!)

You can be as mean or as nasty as you like with IC comboes.  There's some real synergy by running certain IC with other IC.  Be evil.  Or not.  Depending on how nice or mean you want to be as a GM

Does the Decker automatically know what is launched or does he have to roll perception to ID the IC?

All you can tell is icon type.  That new persona that appeared could be some kind of IC, or it could be another Spider logging in to respond to events.  No telling until you do a matrix perception.  Or the decker can guess, based on what the persona is doing.

What does it mean when it says “if the Host gets a mark on you”? Is that the same as if the Patrol IC spots you since the Host doesn’t really actively do anything by itself?

Being spotted is not the same thing as having been marked.  All Patrol IC ever does is matrix perception tests. Whether the Host goes on alert based on the results of that perception test is completely up to the GM.  But a matrix perception test doesn't score a mark.  Probe IC will score marks, Spiders can score marks via Hack on the Fly or Brute Force (the same way a hacker does).  Or the hacker might have invited a mark from the host as a way to gain entry without breaking in illegally (I like to imagine that the non-hacking public gain their marks to enter hosts by the host first requiring the persona invite a reciprocal mark).   Remember that the hacker can attempt to remove marks on his persona (pg. 239) and that while PCs can't share marks between each other, IC all share marks and spotting results. (if the Patrol IC sees you, ALL the IC sees you. If the Probe IC marks you, the nasty stuff also has marks on you...)

[Michael Chandra]

I recall rules about how many icons present mean how often Patrol scans you, but can't remember if that's SR5 or only SR4.

[Stainless Steel Devil Rat]

I recall rules about how many icons present mean how often Patrol scans you, but can't remember if that's SR5 or only SR4.

There's a guideline in Data Trails.

[RickDeckard]

Thanks all, I think I have enough to go by to give the runners a fun experience in the Matrix =)