
Securing unreleased game builds for press previews: a practical guide

Game leaks cost Rockstar $5 million and forced their GTA 6 reveal early. With 62% of journalists receiving 11-50 pitches daily, publishers share builds more widely than ever, and each handoff is a potential leak vector. This guide covers the layered security model that protects unreleased builds during press previews without alienating the media who cover them.

Playruo Editorial Team · March 27, 2026 · Updated April 7, 2026 · 15 min read
Table of contents
  1. Why game leaks are a growing threat
  2. How press preview builds get leaked
  3. Why NDAs and embargoes aren't enough on their own
  4. The layered security model for press previews
  5. Cloud streaming vs. local builds: a security comparison
  6. Forensic watermarking: how it works and when to use it
  7. Access controls that scale with your press list
  8. How to secure previews without alienating journalists
  9. Sources

Why game leaks are a growing threat

Game leaks have escalated from embarrassing nuisances to multimillion-dollar crises. The financial, creative, and reputational damage of a leaked build can derail years of development and marketing strategy, and PR teams are increasingly on the front line.

The GTA 6 leak in 2022 cost Rockstar an estimated $5 million and thousands of hours of staff time to contain (Source: GamesRadar 2023). That same year, Insomniac Games suffered a ransomware attack that exposed 1.3 million files, including a playable build of Marvel's Wolverine, totaling 1.67 TB of data. The attackers demanded 50 BTC, roughly $2 million (Source: CyberDaily 2023).

These aren't isolated incidents. CD Projekt Red had its source code auctioned after refusing an $11 million ransom demand (Source: BleepingComputer 2021). Capcom lost 1 TB of data, including personal information of 15,649 individuals (Source: Capcom IR 2021).

Game Freak's "Teraleak" exposed 25+ years of Pokemon data and the personal records of 2,606 employees (Source: Hackread 2024). Go back further and Valve's Half-Life 2 source code theft resulted in an estimated $250 million in projected losses and delayed the game over a year (Source: ControlEng 2022).

The threat surface is growing. Akamai reported a 94% surge in layer 7 DDoS attacks against gaming companies between Q1 2023 and Q1 2024 (Source: Akamai 2024). Attackers know game studios hold high-value, time-sensitive intellectual property, and they're targeting it aggressively.

For PR and communications directors, the implication is direct: every press preview build you distribute is a potential leak vector. The window between a leaked build and a ruined marketing campaign can be measured in minutes.

It was one of the worst days of my life. You've worked on something for so long, and then to have it come out in the way that it did was disappointing, to myself and other members of the team.

Neil Druckmann

Co-President, Naughty Dog

How press preview builds get leaked

Understanding how leaks happen is the first step toward preventing them. Most press build leaks fall into four categories, and only one involves malicious intent from journalists.

Shared credentials. When a single login is shared across multiple journalists, there's no way to trace who accessed what. If that credential leaks to an unauthorized party, you've lost all visibility. Bandai Namco learned this lesson when shared access credentials circulated beyond their intended recipients.

Downloadable builds on local machines. Any file that reaches a journalist's device can be copied, decompiled, screen-captured, or uploaded. Even well-intentioned journalists may have compromised machines. Physical storage is inherently uncontrollable once it leaves your infrastructure.

Unsecured transfer methods. FTP links, unprotected cloud storage, or email attachments create interception points. A single forwarded link can cascade through an entire community in hours.

Social engineering and insider threats. Attackers target individual employees or contractors with access to pre-release builds. Rockstar reportedly fired 30+ employees for leaking GTA 6 information, having planted false info with unique identifiers to trace the sources (Source: RockstarIntel).

The common thread: once a build file exists outside your controlled infrastructure, you've lost the ability to contain it. This is why the security model for remote game press previews is shifting away from file distribution entirely.

Why NDAs and embargoes aren't enough on their own

NDAs and embargo agreements are necessary. They're also insufficient as your sole line of defense. The gap between legal protection and technical enforcement is where leaks thrive.

Enforcement is reactive, not preventive. An NDA lets you pursue damages after a leak. It does nothing to stop the leak from happening. By the time your legal team identifies the breach, screenshots or gameplay footage may have been viewed millions of times.

Attribution is nearly impossible without technical controls. If 50 journalists received the same build via the same download link, proving which one leaked it is extremely difficult. Legal action without clear attribution is expensive and usually fruitless.

Jurisdictional complexity. Your press list spans dozens of countries. Enforcing an NDA against a freelance journalist in a different legal jurisdiction is a resource drain most publishers can't justify for a single article.

Relationship damage. Pursuing legal action against journalists, even when justified, poisons the well for future coverage. PR directors know that the press relationships they've built over years can evaporate over a single aggressive legal action.

The smarter approach is to treat NDAs as the legal layer in a broader security stack. They set expectations and provide recourse, but they need technical enforcement to do the heavy lifting. Think of it like a lock on a door: the "no trespassing" sign (your NDA) matters, but the deadbolt (your technical controls) is what actually keeps people out.

The layered security model for press previews

Effective press preview security isn't about one silver bullet. It's a stack of complementary controls, each addressing a different threat vector. Here's how to think about it in layers.

Layer 1: infrastructure isolation

The build should never exist as a downloadable file on a journalist's device. Cloud streaming achieves this by running the game on a remote server and sending only a video stream to the browser. No binaries, no assets, no source code ever leave your infrastructure.

IP law analysts confirm this approach. Marks & Clerk notes that cloud gaming "keeps assets away from consumers, protecting publisher IP" (Source: Marks & Clerk). Crowell & Moring adds that "greater security [exists] in cloud gaming since builds never reach client devices" (Source: Crowell & Moring 2023).

Layer 2: access controls

Every session should be individually authenticated. This means unique links per journalist, password protection, time-window restrictions, and geo-blocking. If a journalist in Paris shares their link with someone in another region, geo-blocking can prevent unauthorized access before it starts.

Session-level controls also include concurrent session limits (preventing credential sharing), session duration caps (limiting exposure windows), and instant access revocation (cutting off access the moment a problem is detected).

Layer 3: forensic traceability

Even with streaming, journalists can still take photos of their screen or use external capture devices. Forensic watermarking embeds invisible, per-session identifiers directly into the video stream. If a screenshot leaks, you can trace it back to the exact session, journalist, and timestamp.

Layer 4: environment hardening

The streaming environment itself needs to be locked down. A kiosk environment removes access to the command line, file browsers, clipboard, and external network connections. The journalist sees the game and nothing else. No tools to extract, copy, or transmit data from the session.

Layer 5: monitoring and forensics

Complete session logs (who accessed what, when, for how long, from where) provide both real-time monitoring and post-incident forensic capability. If a leak occurs, you can narrow down the source in minutes rather than weeks.

Layer | Threat addressed | Example controls
Infrastructure isolation | File theft, decompilation, redistribution | Cloud streaming, no local files
Access controls | Unauthorized access, credential sharing | Unique links, geo-blocking, time windows, revocation
Forensic traceability | Screen capture leaks, attribution | Per-session watermarking, session IDs
Environment hardening | Data exfiltration from session | Kiosk mode, no CLI, no clipboard, no external access
Monitoring and forensics | Slow detection, poor attribution | Full session logs, real-time alerts

Cloud streaming vs. local builds: a security comparison

The fundamental question for press preview security is whether the build leaves your infrastructure. This single factor determines the ceiling on every other security control you can implement.

With local builds (download codes, physical media, or self-hosted installers), the game's files physically exist on the journalist's machine. At that point, you're relying entirely on trust, NDAs, and the journalist's own device security. You have no visibility into what happens to those files after download.

Cloud streaming flips this model. The game runs on a server you control. The journalist receives a video stream in their browser. If they close the tab, the session ends. There's nothing to copy, decompile, or redistribute.

Research on piracy supports the importance of this distinction. A peer-reviewed study of 86 Denuvo-protected titles found that piracy causes a mean 20% revenue loss when DRM is cracked early, dropping to zero after 12 weeks (Source: Entertainment Computing 2024). The pre-launch window, exactly when press previews happen, is when protection matters most.

Security factor | Local build distribution | Cloud streaming
Files on journalist device | Yes, full game binaries | No, video stream only
Decompilation risk | High | None
Redistribution risk | High (files can be copied) | None (nothing to copy)
Screen capture prevention | Not possible | Forensic watermarking deters and traces
Access revocation | Impossible after download | Instant, per-session
Session monitoring | None | Full logs (who, when, where, duration)
Credential sharing detection | Difficult | Concurrent session limits, geo-checks
Setup for journalist | Download, install, configure | Click a link in the browser

Ubisoft demonstrated the operational viability of this model at scale during 2020, delivering 1,500+ remote demos across 30+ countries using Parsec's streaming technology (Source: Parsec case study). The industry has since moved toward browser-based solutions that eliminate even the app installation step.

For a deeper dive into the cloud gaming infrastructure powering these solutions, including codec selection, protocol design, and latency optimization, see our complete publisher guide.

Forensic watermarking: how it works and when to use it

Forensic watermarking is the critical "last mile" of press preview security. Even when you control the infrastructure and the access, someone can always point a camera at their screen. Watermarking doesn't prevent that, but it makes it traceable.

How forensic watermarks work

A forensic watermark embeds a unique, invisible identifier into the video stream for each session. Unlike visible watermarks (which can be cropped or blurred away), forensic marks are spread across the entire frame, surviving compression, cropping, color adjustments, and even photographs of the screen.

Denuvo launched TraceMark for Gaming at GDC 2024, bringing this technology specifically to the games industry (Source: Irdeto). The system embeds invisible watermarks that persist through common manipulation techniques, linking any leaked footage back to a specific session.

In a cloud streaming context, watermarking happens server-side, within the video encoding pipeline. The journalist never sees or interacts with the watermark. If leaked footage surfaces, the publisher extracts the watermark, matches it to a session ID, and identifies the source.

When to use it

Forensic watermarking is most valuable for:

  • High-profile pre-launch previews where a single leaked screenshot could dominate news cycles
  • Embargo-sensitive content where early disclosure undermines coordinated marketing campaigns
  • Extended preview sessions where journalists have prolonged access to unreleased content
  • Large press lists where the number of recipients makes manual oversight impractical

The deterrent effect matters as much as the forensic capability. When journalists know their session is individually watermarked, the incentive to break an embargo drops significantly.

When you have a small team, they have better things to do than worry about security! It's a skillset that is very challenging to have, and scarce.

Steeve Huin

COO, Irdeto (Denuvo)

This is precisely why outsourcing security infrastructure to a specialized platform makes sense for most publishers. Building forensic watermarking, kiosk environments, and session monitoring in-house requires expertise that most PR teams (and many IT teams) don't have.

Access controls that scale with your press list

A preview campaign for a major release might involve 200+ journalists across 30 countries, with access windows staggered by region and outlet tier. Managing this manually is a recipe for security gaps.

Per-journalist access links

Every journalist should receive a unique, non-transferable access link. This is the foundation: if a link leaks, you revoke that one link without affecting anyone else. Shared credentials (one login for everyone) are the single most common source of unauthorized access in press previews.

Time-window restrictions

Access should open and close automatically based on your campaign timeline. A journalist who needs access for a three-day preview window shouldn't have a link that works indefinitely. Automated time windows eliminate the risk of forgotten, still-active access points weeks after your campaign ends.

Geographic controls

Geo-blocking restricts sessions to expected locations. If your press list is limited to North American and European outlets, there's no reason to allow connections from other regions. This catches both credential sharing and unauthorized access from unexpected locations.

Session and concurrency limits

Capping concurrent sessions per link prevents credential sharing in real time. If a journalist's link is suddenly being used from two locations simultaneously, the system can block the second session and alert your team.

Session duration caps add another layer: even if someone gains access, they can't run an indefinite recording session.

Instant revocation

When something goes wrong (and eventually it will), you need to cut access immediately. Revocation should be per-journalist, taking effect within seconds, without requiring a rebuild or redistribution of the entire preview environment.

These controls are standard in platforms designed to distribute game demos at scale. The key is choosing infrastructure that treats these as default features, not premium add-ons.
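The controls in this section (unique links, time windows, geographic allow-lists, concurrency caps and instant revocation) can be enforced by one admission check that runs before a streaming session starts. The sketch below is an added example, not Playruo's or any vendor's code; the token layout, the `PreviewGate` class, the signing key and the assumption that the caller supplies a country from a GeoIP lookup are all hypothetical.

```python
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # constructed; load from a secret store in practice


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def issue_link_token(link_id, journalist, opens_at, closes_at, countries, max_sessions=1):
    """Build the signed token carried in one journalist's unique preview link."""
    claims = {"lid": link_id, "sub": journalist, "nbf": opens_at, "exp": closes_at,
              "geo": sorted(countries), "max": max_sessions}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


class PreviewGate:
    """Decides whether a new streaming session may start for a given link."""

    def __init__(self):
        self.revoked = set()   # link ids cut off by the PR team
        self.active = {}       # link id -> set of live session ids
        self.audit = []        # (timestamp, link id, country, decision) for forensics

    def revoke(self, link_id):
        """Per-journalist revocation: block new sessions and drop live ones."""
        self.revoked.add(link_id)
        return self.active.pop(link_id, set())   # sessions the streamer must terminate

    def end_session(self, link_id, session_id):
        self.active.get(link_id, set()).discard(session_id)

    def admit(self, token, country, session_id, now):
        """Return (allowed, reason). `country` is assumed to come from a GeoIP lookup."""
        body, _, sig = token.partition(".")
        # Verify the signature before parsing anything the client controls.
        if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
            return self._log(now, None, country, "bad_signature")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        lid = claims["lid"]
        if lid in self.revoked:
            return self._log(now, lid, country, "revoked")
        if not claims["nbf"] <= now < claims["exp"]:
            return self._log(now, lid, country, "outside_window")
        if country not in claims["geo"]:
            return self._log(now, lid, country, "geo_blocked")
        live = self.active.setdefault(lid, set())
        if len(live) >= claims["max"]:
            return self._log(now, lid, country, "concurrency_limit")
        live.add(session_id)
        return self._log(now, lid, country, "ok")

    def _log(self, now, lid, country, decision):
        # Denials are logged too: a burst of geo or concurrency denials on one
        # link is the signal that the link has been shared.
        self.audit.append((now, lid, country, decision))
        return decision == "ok", decision
```

Because every denial is written to the audit list with the link id, the same data that enforces access also feeds the session logs described under Layer 5.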

How to secure previews without alienating journalists

Security controls are worthless if they make the preview experience so frustrating that journalists skip your game entirely. With 62% of game journalists receiving 11 to 50 pitches per day (Source: Big Games Machine 2024), the friction of your preview directly affects whether they engage.

Eliminate setup friction

The highest-friction step in any press preview is installation. Downloading a build, managing hardware requirements, troubleshooting driver issues: all of this erodes goodwill before the journalist even sees your game. Browser-based streaming removes every one of these steps. The journalist clicks a link, enters a password, and plays.

Playruo's approach is instructive here: no app, no account, no download. The journalist's browser is the only requirement. This isn't just a convenience play; it's a security feature. No installed software means no attack surface on the journalist's machine, and no files to extract afterward.

Respect the journalist's time

67% of journalists want review copies three or more weeks before launch (Source: Big Games Machine 2024). Meeting this expectation while maintaining security requires a system that can spin up and tear down access quickly. Cloud streaming makes this practical: you can grant three weeks of access within a defined time window without worrying about builds sitting on uncontrolled devices for that entire period.

Make security invisible

The best security doesn't ask the journalist to do anything differently. Forensic watermarking is invisible. Geo-blocking happens before the session loads. Session limits work silently in the background. The journalist's experience should be: click the link, play the game, write the story.

Playruo allowed us to present Empire of the Ants to journalists from all over the world, and the experience was excellent. Playruo has been an invaluable asset to our communications strategy, and a new tool we'll be using for future projects.

Eric Nguyen

VP Marketing, Microids

Communicate the "why" transparently

Journalists understand the stakes. They've seen what leaks do to development teams. A brief, honest note explaining that sessions are individually watermarked and monitored doesn't antagonize professionals; it sets expectations. Most journalists appreciate knowing the rules upfront rather than discovering them after a violation.

Maintain quality as a non-negotiable

Security cannot come at the cost of input responsiveness or visual fidelity. If the streaming experience feels sluggish or artifacted, journalists will write about that, not your game. Playruo's technology addresses this with 8 ms glass-to-glass latency over QUIC protocol, supporting H.264, HEVC, VP9, and AV1 codecs. For context, competitor platforms like Parsec and Shadow require dedicated app installations and report latency figures above 35 ms (per Playruo's internal benchmarks; independent third-party comparisons are limited).

The lesson from publishers already running secure remote previews is clear: remote playtesting and press preview infrastructure doesn't have to choose between security and experience. The platforms that win publisher adoption are the ones that make both invisible.

Sources

Label | URL | Note
GamesRadar 2023 | https://www.gamesradar.com/the-gta-6-leak-cost-rockstar-dollar5-million-and-thousands-of-hours-of-staff-time/ | GTA 6 leak financial impact from court proceedings
CyberDaily 2023 | https://www.cyberdaily.au/culture/9959-snikt-rhysida-dumps-more-than-a-terabyte-of-insomniac-games-internal-data | Insomniac Games hack, 1.3M files / 1.7 TB exposed
BleepingComputer 2021 | https://www.bleepingcomputer.com/news/security/cd-projekts-stolen-source-code-allegedly-sold-by-ransomware-gang/ | CD Projekt Red source code auction after ransomware attack
Capcom IR 2021 | https://www.capcom.co.jp/ir/english/news/html/e210413.html | Capcom ransomware incident, 1 TB stolen, 15,649 individuals affected
Hackread 2024 | https://hackread.com/teraleak-pokemon-developer-game-freak-hacked-data-leak/ | Game Freak "Teraleak," 25+ years of Pokemon data exposed
ControlEng 2022 | https://www.controleng.com/throwback-attack-hacker-steals-source-code-for-half-life-2-video-game/ | Half-Life 2 source code theft, $250M projected loss
RockstarIntel | https://rockstarintel.com/rockstar-claim-they-fired-gta-6-staff-for-leaking-features-from-unannounced-games/ | Rockstar fired 30+ employees for leaking, used unique identifier traps
Akamai 2024 | https://www.akamai.com/blog/security-research/games-security-trends-is-a-battle-royale | 94% surge in layer 7 DDoS attacks against gaming
Entertainment Computing 2024 | https://www.sciencedirect.com/science/article/abs/pii/S1875952124002532 | Peer-reviewed study of 86 Denuvo titles, 20% mean revenue loss from early piracy
Big Games Machine 2024 | https://www.biggamesmachine.com/2024-game-journalist-survey/ | Survey of 150+ game journalists on pitch volume and preview preferences
Parsec case study | https://parsec.app/case-study/ubisoft | Ubisoft delivered 1,500+ remote demos across 30+ countries in 2020 via Parsec
Marks & Clerk | https://www.marks-clerk.com/insights/latest-insights/102jw2x-the-effect-of-cloud-gaming-on-videogame-piracy/ | IP analysis: cloud gaming keeps assets away from consumers
Crowell & Moring 2023 | https://www.crowell.com/en/insights/client-alerts/top-ip-considerations-for-cloud-gaming-in-2023 | IP analysis: greater security when builds never reach client devices
Irdeto - Denuvo TraceMark | https://irdeto.com/video-games/denuvo-anti-leak | Forensic watermarking for gaming launched at GDC 2024
Playruo technology page | https://playruo.com/technology | Latency, security specs (self-reported)

My mind is racing with ideas on how to use Playruo for our upcoming releases. This changes the way we approach press access.

Wouter Van Vugt

EMEA Communications & Community Engagement Senior Director, Bandai Namco Europe
