About CISO Simulator

CISO Simulator is a free, browser-based cybersecurity strategy simulator. The player runs information security as the CISO of a fictional 500-person company across 5 in-game years. No install, no signup required, plays in 30–45 minutes.

Why this exists

Security leadership is one of the few executive functions that has almost no good simulation. Aspiring CISOs read frameworks (NIST CSF, ISO 27001, MITRE ATT&CK), study for certifications (CISSP, CCISO, CISM), and shadow incumbents — but the actual job, with its budget trade-offs, board politics, vendor management, breach response, and 5-year strategic cadence, is something you only learn by doing. CISO Simulator is a sandbox for doing it without the consequences.

What's modeled

The simulation tracks five live metrics (Composite Posture, Board Confidence, Customer Trust, Business Friction, Team Morale), six posture subscores (Detection, Response, Prevention, Recovery, Identity, Awareness), 52 cybersecurity risks aligned to real frameworks, and 99+ vendor-neutral product, hire, and service investments. The event catalog covers ransomware, regulator-clock disclosures (GDPR Art. 33, SEC 8-K, NYDFS Part 500, OCR HHS, DORA, CIRCIA, NIS2), board strategic reviews, M&A diligence shocks, AI red-team findings, vendor consolidation pressure, and team management crises.

About the creator

CISO Simulator was designed and built by Arik Volovsky, who has 25+ years in cybersecurity, including roles as Sales Engineering Manager at Symantec / Broadcom, SE Team Leader at Forcepoint, and leading CISO positions, with deep experience across both defensive and offensive security. Connect on LinkedIn.

The risk-and-control mechanics are grounded in real security practice — the risk register aligns with NIST CSF functional areas, the catalog reflects how real security tooling categories actually work in practice, and the scenarios draw from common CISO archetypes (post-incident recovery, fintech IPO crunch, healthcare ransomware year, AI startup, M&A integration). The catalog is deliberately vendor-neutral — categories like "Mid-Tier EDR" and "Continuous Control Monitoring" instead of brand names — so the game stays evergreen and useful as a thinking tool for real procurement.

Who operates CISO Simulator

CISO Simulator is built and operated by CyberKIS — a cybersecurity sales engineering practice (SE-aaS) that embeds certified presales engineers into the pipelines of channel partners, resellers, distributors, and enterprise security teams. CyberKIS engineers do the technical work behind cybersecurity sales — discovery, demos, proofs of concept, RFP responses, system design, deployment, and post-sales support — across coverage areas including ZTNA, SWG, CASB, FWaaS, DLP, RBI, CSPM, and EDR. The simulator is the practice's open educational artifact: a way to make the multi-year CISO trade-offs CyberKIS engineers see in the field actually playable, vendor-neutral, and free.

If you're a security vendor scaling a channel without hiring SEs in every region, a partner trying to win a deal you don't have technical depth to close, or an enterprise team that needs vendor-agnostic engineers to architect and deploy a security stack — that's the day job behind this simulator. Learn more at CyberKIS — Cybersecurity Sales Engineering or read about CyberKIS's full services.

Source material and frameworks referenced

The simulation is grounded in publicly-available, widely-recognized cybersecurity frameworks rather than proprietary research. The risk register and posture model align with NIST Cybersecurity Framework 2.0 functional areas (Govern, Identify, Protect, Detect, Respond, Recover) and reference attack patterns from MITRE ATT&CK. Regulatory event modeling tracks the actual disclosure clocks for SEC Item 1.05 (8-K), GDPR Article 33, NYDFS Part 500, OCR HHS (HIPAA), EU DORA, CIRCIA, NIS2, and EU CSRD. The certification preparation guidance maps directly to (ISC)² CISSP, EC-Council CCISO, and ISACA CISM domains. Real-incident references in the per-risk rationales — Colonial Pipeline, Change Healthcare, MGM Resorts, Capital One, MOVEit, XZ Utils, Okta, Air Canada chatbot — are all matters of public record drawn from primary disclosures and SEC filings.

Editorial principles

Every page on this site is drafted with AI assistance and edited by hand against my 25-year experience in security strategy and CISO roles. Specifics like the per-risk incident citations (Colonial Pipeline, Change Healthcare, MGM Resorts, Capital One, MOVEit, XZ Utils, Okta, Air Canada chatbot) and the framework alignment (NIST CSF 2.0, MITRE ATT&CK, regulator clocks) are checked against primary sources. The simulation mechanics, scenario design, and risk register were authored from practice. The catalog descriptions reflect how each tool category actually operates — including the unglamorous parts like "your $300k SIEM ships at 30% effectiveness without a Detection Engineer." Where the simulation simplifies (it has to — it's a 30-minute game, not a five-year graduate program), the simplification is documented in the mechanics reference rather than hidden. If a guide ever feels too smooth, that's the AI draft showing through; if a number ever looks wrong, message me on LinkedIn — I'll fix it.

Contact and feedback

Bug reports, factual corrections, suggested mechanics, scenario ideas, or content collaboration — all welcome. Feedback from working CISOs, security analysts, students, and academics is what keeps the simulation honest. Reach out via the in-game advisor panel after starting a run.

Who it's for

How to play

Click here to start a free run — no signup needed. The game plays in your browser and saves to local storage. If you want to keep your run across devices or appear on the leaderboard, you can sign up later — your run migrates to your account automatically.

Contact

For feedback, bug reports, or feature requests, reach out via the in-game advisor panel.

Copyright and use

CISO Simulator and all of its content — game design, mechanics, risk register, investment catalog, scenarios, and narrative text — are © 2026 Arik Volovsky. All rights reserved. Reproduction, redistribution, derivative works, or re-hosting of any kind is prohibited without express written permission. Public references with attribution (e.g., "CISO Simulator at cisobility.com") are welcome.
