Cybersecurity Intelligence for the Humanitarian Sector

The Opportunity

The CyberPeace Institute is the cybersecurity arm of the humanitarian world — an NGO that protects other NGOs. They track cyberattacks against hospitals, aid organizations, and critical infrastructure, and they deploy volunteer cybersecurity professionals to help nonprofits that can't afford security teams of their own. Their CyberPeace Builders program has grown to 1,500 volunteers serving 240+ NGOs, backed by Microsoft, the Hewlett Foundation, Craig Newmark Philanthropies, and Splunk. They've documented over 3,178 cyberattacks on Ukrainian infrastructure alone through their CyberPeace Tracer platform.

Here's where it gets interesting: they've committed to the Beyond 125 Action Plan with Microsoft and the City of The Hague — scaling from 240 NGOs to 10,000 by March 2027. That's a 40x increase in two years. Their current systems — a matchmaking platform, manual threat analysis, sector-specific reports — were built for hundreds. They need to work for thousands. That's an ML infrastructure problem.

Proposal

The Problem Today

The CyberPeace Institute runs two core platforms: CyberPeace Tracer, which tracks and visualizes cyberattacks against humanitarian targets, and CyberPeace Builders, which matches volunteer cybersecurity professionals with NGOs that need help. Both platforms are hitting scaling walls.

On the Tracer side, analysts manually classify incoming attack reports — determining threat type (ransomware, phishing, DDoS, data breach), assessing severity, identifying patterns, and producing sector-specific threat landscape reports like their APAC Financial Inclusion report. As attack volume grows and they expand beyond the Ukraine conflict into new sectors and geographies, manual classification can't keep up.

On the Builders side, the matchmaking system connects volunteers from companies like Adobe, Capgemini, HPE, Mastercard, Okta, Rapid7, and WithSecure with NGOs based on the type of help needed. Craig Newmark Philanthropies invested $500K specifically to expand this platform, and an upgraded matchmaking system launched in 2025 — but going from 240 to 10,000 NGOs means the matching logic needs to get dramatically smarter. A volunteer who speaks French, knows Microsoft 365 security, and has availability on Tuesdays needs to be matched instantly with a Francophone NGO in West Africa that just had its Office 365 tenant compromised.

Meanwhile, Splunk is already partnering with them on AI/ML-based cyber-threat intelligence for NGOs, and they've launched an AI Skills for Nonprofits initiative with Microsoft Philanthropies. The appetite for ML is there. The internal capacity to build it isn't.

What We'd Build

CyberPeace Builders Matching Engine

The highest-impact build. The current matchmaking platform pairs volunteers with NGOs, but as they scale from 240 to 10,000 organizations, the matching logic needs to go from rule-based to ML-powered. The engine would score matches on multiple dimensions: volunteer expertise (endpoint security vs. cloud configuration vs. incident response), language and timezone alignment, NGO tech stack (Microsoft 365, Google Workspace, on-prem), threat profile, and urgency. It would learn from completed engagements — which pairings led to successful outcomes, which skills actually mattered for which threat types, where timezone mismatches caused delays. The goal is near-instant matching when an NGO reports an incident, even at 10,000-org scale.

Tracer Threat Classification Pipeline

CyberPeace Tracer already tracks thousands of attacks, but classification is manual. An ML pipeline would ingest incoming attack reports and automatically classify by threat type, severity, likely attribution, and affected sector. The model gets trained on the Institute's existing labeled dataset of 3,178+ documented attacks and enriched with external threat intelligence feeds. As new attacks come in, the system clusters similar incidents, detects campaign-level patterns (e.g., a coordinated phishing wave targeting health NGOs in East Africa), and auto-generates alerts. Analysts shift from doing classification to reviewing and refining it — dramatically increasing throughput as attack volume grows.

Sector Threat Landscape Automation

The Institute produces detailed threat landscape reports — like their Cyber Resilience for Financial Inclusion report covering APAC — but each one requires significant manual analysis. An automated pipeline would continuously aggregate attack data from Tracer, segment by sector (healthcare, humanitarian aid, financial inclusion, education) and geography, detect emerging trends, and draft report sections with supporting data visualizations. Analysts would edit and validate rather than build from scratch. When a new threat pattern emerges in one sector, the system flags whether it's appearing in others — turning reactive reporting into proactive intelligence.

NGO Cyber-Readiness Scoring

With 10,000 NGOs in the pipeline, the Institute needs to triage which organizations need help most urgently. A scoring model would assess each NGO's cyber-readiness based on their tech stack, existing security measures, sector risk profile, geographic threat landscape, and past incident history. NGOs with the widest gaps between their risk exposure and their defenses get prioritized. This feeds directly into the Builders matching engine — high-risk NGOs get matched with more experienced volunteers, while lower-risk organizations might receive automated guidance and training resources like the AI Skills for Nonprofits materials developed with Microsoft.

Build Phases