Cyberverse

We built a wind tunnel for digital civilization. AI attackers hunt human vulnerabilities inside real organizations. Watch how the digital world actually fails — before it does.

Comment

Inspiration

Humanity has never lost a civilization to a natural disaster it could not simulate. We model hurricanes. We crash-test bridges. We put pilots in simulators before they touch a real aircraft.

But we deploy entire digital civilizations — organizations with thousands of humans, critical data, and cascading dependencies — into a hostile internet with no rehearsal. No wind tunnel. No way to understand how they fail under intelligent attack until they actually do.

The assumption we are challenging is this: that cybersecurity is a technical problem.

It is not. It is a human behavior problem at civilizational scale. Every major breach in history traces back to a person — a junior employee who clicked a link, a developer who reused a password, an executive who bypassed a security policy. The attack surface is not the network. It is the humans inside it.

No tool exists to simulate this. Not at the level of individual human decision-making, not with agents that reason and adapt, not with outcomes that emerge rather than being scripted.

Cyberverse is our attempt to build that tool.

What it does

Cyberverse is a persistent multi-agent simulation engine for digital civilization, visualized as a real-time interactive 3D globe.

Organizations appear as nodes at their real geographic coordinates. AI-driven attackers continuously scan, select targets, and exploit vulnerabilities inside those organizations. AI-driven defenders monitor, patch, and respond. Every 10 seconds the world ticks forward — producing emergent outcomes no one scripted.

The attack surface is human. Each organization has employees with realistic profiles: roles, seniority, access levels, and behavioral vulnerabilities. Attackers do not target companies. They target people inside companies — identifying the weakest human with the highest access and exploiting them.

Attack success is probabilistic: attacker skill, weighted at 50%, combines with employee vulnerability bonuses and is offset by active defense modifiers. A high company-level security score does not prevent breach if one high-access employee carries critical vulnerabilities. Security level is not an input to the simulation. It is an output — emerging from the behavior of the humans inside the organization.

Organizations transition through states — secure, under attack, breached — and recover through active defense. The globe reflects this live. You watch digital civilization breathe.

How we built it

The simulation engine is a deterministic tick loop. Each tick executes an attacker phase and a defender phase for every active organization. Attack type selection is driven entirely by employee vulnerability profiles — phishing targets employees who click links, credential stuffing targets those who reuse passwords, social engineering targets employees with low security awareness. The engine does not follow a script. It follows logic.

Employee rosters are generated by AI when an organization is added. The model receives the company profile — industry, size, age, security budget — and produces a realistic set of humans with roles, access levels, and behavioral vulnerabilities appropriate to that context. A 3-year-old fintech startup gets very different people than a 50-year-old automotive enterprise. This matters because the people are the entire attack surface.

The frontend is a React application with a Three.js globe rendered via globe.gl — a fully interactive 3D earth with real geographic placement, animated attack arcs color-coded by attack type, and live pulsing nodes that reflect simulation state in real time.

The backend is Supabase with realtime subscriptions pushing state changes to every connected client the moment a tick resolves. The world updates itself.

AI assistance was used for coding and drafting. The core concept, simulation architecture, and the insight that humans — not infrastructure — are the real attack surface came from us.

Challenges we ran into

The hardest problem was making emergent behavior feel true rather than random. Early versions produced chaotic noise. Attackers needed to think — reconnaissance before exploitation, patience when defenses are strong, preference for high-access targets. The moment we modeled attacker decision-making as a reasoning process rather than a probability table, the simulation started producing outcomes that felt uncomfortably real.

The second challenge was the human layer. Building a system where individual employee behavioral profiles — not company-level security metrics — determine breach outcomes required rethinking the entire data model. The insight that changed everything: security level is an output, not an input. It emerges from the behavior of the humans inside the organization.

The third challenge was the globe itself. Placing hundreds of company nodes at real coordinates, preventing overlap, rendering attack arcs with correct animation timing, and handling interaction without fighting the auto-rotation — each of these was a layer of complexity that had to be solved without breaking the others.

Accomplishments that we're proud of

The first time the simulation produced an outcome we did not predict.

An attacker spent three ticks on reconnaissance. Then exploited a junior employee — not because she had weak passwords, but because she worked remotely, used a personal device, and had access to a system three levels above her seniority. The company's overall security level was 0.87. It breached anyway.

That is what real attacks look like. We did not script it. The agents decided.

What we learned

Security awareness is not binary. It degrades. It improves. It varies by role, by seniority, by industry culture. The simulation only started reflecting reality when we stopped treating humans as static vulnerability scores and started treating them as agents with state that changes over time.

Emergent behavior requires constraints, not freedom. The fewer options agents have, the more strategic their behavior becomes. Complexity emerges from simple rules applied consistently — not from complex rules applied randomly.

What's next for Cyberverse

Cyberverse is not a product. It is a substrate.

The immediate next layer is real organizational data — allowing security teams to import their actual org structures, role distributions, and security posture to simulate their specific risk profile before a real attacker finds it first.

Beyond that: scenario mode — running specific attack campaigns (ransomware wave, nation-state APT, supply chain attack) against a target organization and observing emergent outcomes across hundreds of ticks.

Beyond that: multiplayer defense — letting security teams intervene in real time, making decisions that compete against AI attackers that adapt.

The long-term vision is a world where no organization deploys into a hostile internet without first understanding how its humans will fail under intelligent pressure. A flight simulator for digital civilization. Built not because it is easy — but because the alternative is continuing to learn only from disasters that have already happened.

Built With

  • gemini-2.5-flash
  • globe.gl
  • grok-api
  • jetbrains-mono
  • medoai
  • react
  • react-router
  • shadcn/ui
  • supabase
  • supabase-edge-functions
  • supabase-realtime
  • tailwind-css
  • three.js
  • typescript
  • vercel
  • vite
Share this project:

Updates