CyberSim

A tabletop exercise where cybersecurity is what happens while you're making other plans.

What it is

CyberSim is a fast-paced, interactive cybersecurity tabletop exercise. In each scenario, players work toward a familiar real-world goal — winning a close campaign, promoting policy change, monitoring an election — while cybersecurity threats keep getting in the way. CyberSim is powered by a digital facilitator's application, but the exercise is best played in person.

The novelty of CyberSim is that, just like in life, most folks aren't focused on cybersecurity. They're trying to go about their business — but if they don't plan for and respond to digital dangers, they'll hit setbacks that derail their real goals. A volunteer rage-quits and you don't cut off his access in time: now you've got a data breach. Skip two-factor authentication to save money: eventually there's a password compromise. The game teaches by making the consequences feel real, in a fictional environment where it's safe to lose.

The core insight: most cybersecurity training describes threats. CyberSim makes you experience the tradeoffs — time pressure, never enough money, competing priorities — in a scenario that mirrors how different types of organizations actually work. Five scenarios are currently available:

Election campaign

Players take on a range of roles in a political party fighting an uphill election campaign, managing rallies, advertising, fundraising, and voter communication, while cybersecurity incidents keep interrupting.

Civil society organization and nonprofits

Staff of a civic organization and network of grassroots volunteers are working to build public support for a voting rights referendum. Designed to mirror the busyness and intensity of a typical civic organization's work, participants must navigate external challenges that threaten to sink their campaign and endanger their community.

Parliaments and legislatures

Participants play as elected Members of Parliament, legislative officials, and staff working together to maintain the parliament's approval rating while navigating external challenges that threaten to derail the passage of critical legislation.

Election observer teams

Racing against the clock of an upcoming election, nonpartisan election monitors must manage the chaos of a major deployment and recruit their needed observers while trying to keep themselves — and their precious data — safe from the range of adversaries trying to disrupt their work for free and fair elections.

City and local government

City staff work to build public confidence around a major infrastructure bond — public education, not campaigning — while cyberattacks, scams, and security lapses threaten the city's credibility and basic operations.

The scenario library is extensible, and adding to it is one of the most valuable contributions anyone can make (see below).

Deployment and use

CyberSim is in active use as of 2026. Current partners include the National Civic League, the Aspen Institute, and Freedom House. CyberSim tabletop exercises have been run more than 30 times, training more than 500 people across at least a dozen countries and international contexts, including Ghana, India, Kenya, Malaysia, Serbia, Kosovo, Tunisia, South Africa, Belgium, Lithuania, Portugal, and the United States.

The primary project home is cybersim.app. That site is the best place to learn how the exercise works, explore the available scenarios, and think through whether CyberSim is a fit for your team. This page provides background on CoCitizen's stewardship of the open-source version.

Run CyberSim with CoCitizen

CyberSim is open source, but it is not really a self-serve web game. It works best as a facilitated, in-person session: a room, a screen, eight to eighteen players, two or three facilitators, and enough time for the debrief. The simulation itself is a fast, frantic hour; the learning happens when the group walks back through the mess together.

If your reaction to cybersim.app is "this looks useful, but good lord, I do not want to run it myself," that is reasonable. CoCitizen contributors may be available to handle setup and hosting, facilitate a session, train your team, or build a custom scenario for your sector.

Origin and credit

CyberSim began as a project of the National Democratic Institute (NDI). It has been supported over the last decade by Take Nine, Microsoft, the National Endowment for Democracy, and the National Civic League. The digital facilitator's application was developed in partnership with RisingStack. Members of the CoCitizen team were part of the original project.

CoCitizen's role

The original public upstream project is no longer actively maintained. CoCitizen stepped in as steward of the public version — including managing current facilitator's app deployments, adding app functionality, and rebuilding the deployment documentation so that self-hosted instances are actually practical.

RisingStack, the original development firm, continues to contribute improvements to the facilitator's app under a separate contract.

License

GNU General Public License v3 (GPL-3.0). Use it, fork it, adapt it — keep the attribution and license intact.

Code

CyberSim gameplay materials and facilitation guidance can be found here:

Code for the facilitator's app can be found here:

Get involved

The most valuable contribution anyone can make is a new scenario. Scenarios are built in Airtable — no coding required, but you do need to think carefully about how threats and consequences chain together. If you're part of a community or organization type that isn't represented by our current scenarios, and you'd like to help us build one, get in touch and we'll walk you through it.

If you have thoughts for how to improve any of the existing scenarios — new threats, fun plot twists, gaps you've noticed — let us know and we'll work to incorporate your ideas.

Code, documentation, issue reports, and deployment feedback are also welcome. Open an issue on GitHub or write to contact@cocitizen.com.