CISO Game Scenarios
Each scenario is a different starting hand. Pick one that stresses the muscle you want to train — your first run, your tenth, or one that mirrors the company you actually work at.
How scenarios shape the simulation
A CISO Game scenario sets the starting conditions for a 5-year (20-quarter) campaign: company size, tech profile, region, starting team, year-1 budget, annual budget growth rate, and difficulty (which moves your starting board confidence and friction). Some scenarios also override the starting board confidence or morale to simulate specific real-world contexts — a freshly-fired predecessor's team starts with low morale, a fintech pre-IPO board starts hawkish.
Choosing a scenario by your goal
If you're learning the mechanics: Boot Camp gives you a generous budget and friendly board so you can see how investments, hires, and events interact without losing fast. If you've played a few runs and want to study a real archetype: Standard SaaS is the balanced default. If you want the most-common new-CISO experience: Post-Incident Recovery starts you three months after a public S3 leak with a depleted budget, low morale, and a suspicious board — the most common archetype the catalog was missing. If you want to feel the heat of regulator-driven programs: Fintech IPO Crunch and Healthcare Ransomware Year both punish governance shortcuts. If you want to test AI-specific risk modeling: AI Startup activates the AI focus toggle and adds 6 AI-specific risks (R23–R28) plus AI-tooling unlocks. If you want to see M&A integration risk: Tuck-in acquisition closes Q1 lands a 120-employee target on your desk.
What scenarios don't change
The win/lose conditions are constant: at Q20 you need Composite Posture ≥ 60, Board Confidence ≥ 30, and cumulative overspend ≤ $500,000. You can lose early — board below 20 for 3 consecutive quarters fires you, and overspend past $1M ends the run. The ~50 events in the catalog are gated by triggers (quarter, risk exposure, team condition, purchase condition) rather than scenario, so a single playthrough surfaces a different mix depending on the strategic choices you make inside it.
The full scenario list
- Standard runMid-size SaaS company. Balanced challenge.
- Fintech IPO crunchTight budget, hawkish board, regulatory eye on you.
- Healthcare ransomware yearRansomware is hitting peers monthly. HIPAA is on the line.
- AI startupSeries-B, AI-first, six new AI risks in your register.
- Post-incident recoveryYou took the job because the previous CISO was fired after a breach.
- Tuck-in acquisition closes Q1Your CEO just signed paperwork. You inherit a security debt.
- Boardroom Boot CampEase in. The board is patient and the budget is generous.