Inspiration
The inspiration for CyberDrill stems from a stark contrast in safety culture: while every organization conducts physical fire drills to prepare for the rare event of a fire, very few conduct "cyber drills" for the much more common threat of social engineering. Given that approximately 90% of data breaches are triggered by human error—often a single click on a malicious link—there is a critical need to move beyond static training PDFs and into active, realistic simulations that build digital muscle memory.
What it does
CyberDrill is an automated simulation platform that orchestrates coordinated "attacks" across multiple communication channels. An employer can use a centralized dashboard to launch a drill that sends a targeted, AI-generated phishing email to employees. Moments later, the platform triggers an automated "vishing" (voice phishing) call that references the email to create a sense of urgency. The link in the email leads to a visually cloned login page where employee interactions are monitored. If a user enters credentials, the system logs the "compromised" attempt for the employer’s report but immediately redirects the employee to a "Learning Moment" page that highlights the specific red flags they missed.
How we built it
We built CyberDrill using a modern, scalable tech stack designed for high-performance real-time interactions and seamless AI integration:
- Frontend & Framework: We used NextJS and React to build a responsive, high-speed dashboard for employers and the interactive "Learning Moment" pages for employees. NextJS API routes allowed us to handle server-side logic efficiently within a single project structure.
- Backend Environment: The core logic was powered by NodeJS, providing the event-driven architecture necessary to synchronize email triggers and phone calls.
- Database & Real-time State: Supabase served as our backend-as-a-service, handling our PostgreSQL database for employee records and drill analytics. We utilized Supabase’s real-time subscriptions to push instant "link clicked" alerts to the employer dashboard.
- AI Orchestration: We integrated Backboard to act as the brain of the operation, generating highly personalized phishing lures and vishing scripts. These scripts were then passed to ElevenLabs, which generated the professional-grade human voices used for our automated phone simulations.
- Communication Layers: Resend was our choice for email delivery, ensuring that our simulated phishing emails landed directly in the inbox with high deliverability.
- Infrastructure & Tooling: We used Backboard to manage our administrative workflows and project organization. During development and live demoing, Ngrok was essential for tunneling our local environment, allowing us to receive webhooks and host our cloned landing pages securely for the judges to see.
Challenges we ran into
One of the primary technical hurdles was synchronizing the multi-channel attack. Ensuring the phone call triggered at the optimal window after the email was sent required careful timing logic. Additionally, cloning modern, dynamic login pages (such as those using React or complex SSO providers) presented difficulties, as these sites often have scripts that break when hosted on a different domain. We also had to solve the ethical challenge of building a "phishing tool" by ensuring the architecture was physically incapable of storing actual user passwords, maintaining a strict "training-only" focus.
Accomplishments that we're proud of
We are particularly proud of the "No-Auth" capture logic, which proves a security vulnerability exists without creating a new one. Successfully coordinating an AI-generated voice call with an email simulation was a major milestone, as it elevates the drill from a simple "test" to a high-fidelity experience. Finally, the "Learning Moment" redirect transforms a potential "Gotcha!" into a supportive educational tool, which is vital for maintaining a positive security culture.
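One way a "No-Auth" capture step can keep typed credentials out of storage, as an added example that is not CyberDrill's own code: the handler reduces the posted form to presence flags for an allowlist of field names and returns only that event plus the redirect. The field names, event shape and `/learning-moment` route are assumptions.

```typescript
// Added example, not CyberDrill's code; every name here is hypothetical.
// Only these field NAMES may appear in a stored event; typed values never do.
const KNOWN_FIELDS = ["username", "password"] as const;
type KnownField = (typeof KNOWN_FIELDS)[number];

interface DrillEvent {
  drillId: string;
  recipientToken: string; // opaque token from the drill link
  outcome: "submitted_credentials" | "submitted_without_password";
  fieldsFilled: KnownField[];
  at: string; // ISO 8601 timestamp
}

interface SubmissionResult {
  event: DrillEvent; // the only object handed to storage
  redirectTo: string; // assumed route for the "Learning Moment" page
}

// Reduce a posted form to presence flags. Values are checked for
// non-emptiness only; unknown field names are ignored, not logged.
function recordSubmission(
  drillId: string,
  recipientToken: string,
  form: Record<string, unknown>,
  now: Date,
): SubmissionResult {
  const fieldsFilled = KNOWN_FIELDS.filter((name) => {
    const value = form[name];
    return typeof value === "string" && value.trim().length > 0;
  });
  const event: DrillEvent = {
    drillId,
    recipientToken,
    outcome: fieldsFilled.indexOf("password") !== -1 ? "submitted_credentials" : "submitted_without_password",
    fieldsFilled,
    at: now.toISOString(),
  };
  return { event, redirectTo: `/learning-moment?drill=${encodeURIComponent(drillId)}` };
}

// Regression guard for tests and CI: true if any submitted string value
// appears anywhere in the serialized event.
function leaksSubmittedValue(event: DrillEvent, form: Record<string, unknown>): boolean {
  const stored = JSON.stringify(event);
  return Object.keys(form).some((key) => {
    const value = form[key];
    return typeof value === "string" && value.length > 0 && stored.indexOf(value) !== -1;
  });
}
```

Running `leaksSubmittedValue` over every stored event in the test suite turns the "never stores passwords" claim into a checked invariant; request logging and error reporting need the same scrutiny, since they can capture the raw body before this handler runs.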
What we learned
The project highlighted that social engineering is less about technical exploits and more about psychological pressure. We learned that the "Multi-Channel" approach significantly increases the likelihood of a successful "breach" compared to email alone. From a technical standpoint, we gained deep insights into web scraping, the intricacies of domain spoofing, and the importance of UX design in educational security platforms.
What's next for CyberDrill
The future of the platform involves expanding the depth of the simulations and the breadth of the analytics:
- SSO Integration: Developing safer ways to simulate modern Single Sign-On (SSO) environments.
- Adaptive AI: Implementing AI that adjusts the difficulty of the "lure" based on an individual employee’s past performance.
- Automated Reporting: Generating comprehensive "Security Culture Reports" that companies can use for compliance or insurance purposes.
- Expanded Voice Personas: Adding a library of diverse AI voices and accents to simulate various international social engineering tactics.
Built With
- backboard
- elevenlabs
- gemini
- next.js
- react
- typescript
- vapi