By Grace Menna, Senior Fellow in Public Interest Cybersecurity
As 2025 comes to a close, CTLC reflects on the first year of the Cyber Resilience Corps, including accomplishments and shared anecdotes about the successes of cyber volunteering organizations.
Origins of the CRC: Launching the Mission
Community organizations — nonprofits, rural hospitals, schools, local utilities, counties, municipalities, and small businesses — are vital to delivering essential services to the public, but they are often the least prepared to protect themselves from cyberattacks. Often wholly responsible for their own defense, these organizations are particularly vulnerable to attacks that could disrupt the delivery of critical social and public services. As their cybersecurity challenges grow and the federal government shifts responsibility for cybersecurity toward state and regional leadership, hands-on support from a broad coalition of groups is needed to create a safety net that strengthens community cyber defenses and ensures the availability of vital human services.
The UC Berkeley Center for Long-Term Cybersecurity (CLTC) has worked on multiple fronts to address the challenge of public interest cybersecurity. Through our work in stewarding the Consortium of Cybersecurity Clinics — a network of programs that train students to provide pro bono cybersecurity assistance — we worked closely with other Craig Newmark Philanthropies grantees through the Cyber Civil Defense Initiative. We also worked with the High-Risk Communities Protection Initiative, a 2024 program led by CISA’s Joint Cyber Defense Collaborative (JCDC), to centralize resources for communities at heightened risk of cyber attacks.
To take these efforts one step further, CLTC joined forces with the CyberPeace Institute in late 2024 to found the Cyber Resilience Corps (CRC), a dedicated group of practitioners — including cyber volunteering leaders, private-sector partners, experts, and community leaders — with a mission to unite and strengthen volunteer efforts to deliver real, hands-on cybersecurity support where it’s needed most.
Mapping the Landscape & Defining the Solution
Through a series of three plenary sessions held between January and May of 2025, CLTC and the CyberPeace Institute hosted the Cyber Resilience Corps working group, 30 individuals who worked together to map the existing ecosystem of cyber services, identify gaps, and develop a series of recommendations for next steps. This working group purposely included a wide range of stakeholders — including cyber-defense tool makers and providers, representatives from policymakers, industry leaders, investors, and coordinating bodies — to ensure a diversity of perspectives and depth of expertise. The group discussed key challenges facing community organizations and shaped recommendations for immediate and long-term actions to build a safety net for community organizations. The findings from this group’s discussion were used later in the year as the foundation for CLTC’s report, “The Roadmap to Community Cyber Defense.”
One of the group’s key recommendations was to mature the volunteer cyber services ecosystem by enhancing visibility, coordination, and advocacy. The group highlighted the need to create a precise map of existing services and to aggregate data to measure effectiveness, while simultaneously advocating for government support, funding, and legal protections. Operationally, the group’s focus was on structuring talent pipelines to harness untapped volunteer energy, coordinating representation across industry events, and defining clear lifecycle processes — from generating demand for cyber hygiene within community organizations to managing handoffs after one-time volunteer services conclude.
Deploying the Infrastructure: The cybervolunteers.us Platform
In June, the Cyber Resilience Corps launched its platform at cybervolunteers.us, creating a centralized resource for both prospective cyber volunteers and community organizations seeking help in identifying relevant cyber volunteering opportunities and services. At launch, the platform mapped over 45 individual cyber volunteering programs across the United States, with approximately 3,900 volunteers currently helping around 500 community organizations each year. These programs span university cyber clinics, state civilian cyber corps, and nonprofit cyber-volunteering groups – all of which provide hands-on services to target-rich, resource-poor organizations.
Advancing the Field: Research & Roadmaps
The Roadmap for Community Cyber Defense
In June, drawing on the findings and insights of the plenary working group, CLTC published “The Roadmap for Community Cyber Defense.” To develop the report, authors Sarah Powazek and Grace Menna critically examined the structural barriers that lead to cyber insecurity among community organizations, and charted a path forward to mobilize more cyber civil defenders and protect a growing number of community organizations from cyber attacks.
The report proposes a “co-responsibility model” for cybersecurity that details which responsibilities community organizations can reasonably be expected to shoulder, and what duties should be shifted toward other, more capable actors. The report argues that community organizations should “keep one hand on the wheel” but should not be “mechanics” — i.e., they should be responsible for understanding cybersecurity risk, and for seeking and advocating for solutions to those risks, but they should not be expected to have in-house cybersecurity expertise.
The Roadmap report proposes an “on-ramp” to address immediate gaps in services, with nine specific recommendations to rapidly assist local schools, cities, nonprofits, and utilities across three lines of effort. In addition, the authors proposed a long-term “destination” for the cybersecurity industry to work toward to shift the burden away from community organizations.
The report also includes a guidebook designed to help state governments develop “cyber support ecosystems” within their states and regions. The guidebook centralizes information on some of the most popular regional cyber defense programs, and features applied case studies and model legislation to facilitate adoption.
Among the programs recommended in the report are cybersecurity clinics, which train students at colleges and universities to provide pro bono cybersecurity services to community organizations, and student-staffed security operations centers (SOCs). States are also advised to promote the development of state civilian cyber corps programs, teams of cybersecurity professionals who volunteer to provide cybersecurity services, as well as nonprofit volunteering groups, which provide free or at-cost cyber resilience services to under-resourced communities.
The Role of IT and Security Service Providers in Improving the Long-Term Cyber Resilience of Community Organizations
In August, CLTC published a report focused on the role of private-sector security providers in bolstering the digital defenses of community organizations. “A Path to Long-Term Cyber Resilience for Under-Resourced Organizations,” authored by CLTC Nonresident Fellow Michael Razeeq, examined how IT and security service providers (ITSSPs) — including managed service providers (MSPs), managed security service providers (MSSPs), and other types of IT and security service providers — can improve the long-term cyber resilience of under-resourced organizations. Razeeq assessed existing research and conducted semi-structured interviews with individuals from a range of ITSSPs, as well as two state government officials with experience working with IT and information security service providers.
Razeeq’s study maps the roles of different types of ITSSPs and how they serve their clients, and offers recommendations and calls to action to position more ITSSPs to be able to support under-resourced organizations. The report recommends a range of “demand-side actions” that under-resourced organizations and the communities that work with them can take to improve the awareness and procurement of ITSSP services. The report also recommends “supply-side actions” to increase the availability and capacity of ITSSPs to support organizations with limited resources to defend themselves online.
Amplifying the Call for Cyber Civil Defense
Throughout the year, members of the Cyber Resilience Corps went on the road to share their research findings with communities across the country, with a focus on recruiting more skilled individuals into the cyber volunteering ecosystem. In April, CLTC Senior Fellow Grace Menna spoke at the BSides Seattle Security Conference on Cyber Civil Defense and outlined different ways to get involved in cyber volunteering.
In August, Menna presented findings from the first year of operations of the Cyber Resilience Corps at the I Am the Calvary Track at BSides Las Vegas. Her talk outlined the structural barriers in the current ecosystem of support for community organizations and charted a path forward to mobilize more cyber civil defenders and protect a growing number of community organizations from cyber attacks.
Days later, Menna and Razeeq presented at the DEF CON Policy Village, where they outlined the role of MSPs and MSSPs in protecting high-risk communities; they also shared other key insights and recommendations from Razeeq’s report, “A Path to Long-Term Cyber Resilience for Under-Resourced Organizations.”
On August 10th, Sarah Powazek, Program Director of the Public Interest Cybersecurity program, took to the main stage at DEF CON with other members of the Cyber Resilience Corps — including Adrien Ogee of CyberPeace Institute, and Jake Braun of DEF CON Franklin — to share key lessons learned from running on-the-ground cyber volunteering programs, and to outline future plans for scaling up efforts and joining forces.
The team has also spread the message about cyber volunteering through media features. In June, CyberScoop’s Derek Johnson wrote an article spotlighting the “Roadmap to Community Cyber Defense,” and in August, Sarah Powazek joined Dave Bittner on the CyberWire Daily podcast to discuss how the Cyber Resilience Corps came together, and to dig into the key themes from the Roadmap report.
Meanwhile,CLTC’s Grace Menna and Sarah Powazek wrote an op-ed published by Aspen Digital that spotlighted the growing role of states in leading coordinated cyber volunteer response. “States and communities have rallied cyber volunteers to serve the least-resourced organizations,” they wrote. “One of the best investments that industry leaders, nonprofits, and individual cyber volunteers can make in the coming years is to help states double down on creating a cyber safety net where any organization can receive affordable cybersecurity services.”
In October, Justin Sherman hosted Sarah Powazek and Michael Razeeq on the Lawfare Daily Podcast to discuss cyber threats facing states, what options and resources states currently have to address cybersecurity problems, and how state cyber corps and volunteer programs fit into the picture. Additionally, on the Firewalls Don’t Stop Dragons Podcast, Carey Parker interviewed Razeeq, Menna, Ogee, and Eric Franco, Cybersecurity Preparedness Coordinator for Wisconsin Emergency Management, about the role of cyber volunteers in helping under-resourced organizations defend themselves online. In November, the Cyber Resilience Corps’ Cyber Volunteering Day event was spotlighted in an article in GovTech.
Uniting and Mobilizing the Ecosystem
Cyber Civil Defense Summit 2025
Many members of the Cyber Resilience Corps had the opportunity to meet in person for the first time at CLTC’s third-annual Cyber Civil Defense Summit, which was held in June in Washington, D.C. The Summit spotlighted state and local resilience models through diverse keynotes and panels. (An overview of key learnings from the event can be found here.)
One key insight arising from the summit: cybersecurity remains a rare area of bipartisan agreement within state legislatures, but funding remains the most significant barrier to passage. In a panel led by CLTC Non-Resident Fellow Iranga Kahangama, a group of three lawmakers — Indiana State Senator Liz Brown (R, District 15), Maryland State Senator Katie Fry Hester (D, District 9), and Texas House Representative Giovanni Capriglione (R, District 98) — all agreed that cybersecurity remains an issue around which bipartisan consensus is the norm in state legislatures. Cybersecurity-related bills often receive bipartisan, if not unanimous, support from both Democratic and Republican lawmakers.
“Cybersecurity isn’t partisan in nature,” Rep. Capriglione said. “Everyone has constituents who have had a phishing attack against them, or they work for a company that had their passwords breached or their information stolen…. Almost every tech bill that I have passed has had one or more Democrats as joint authors.”
Throughout the day, speakers spotlighted initiatives that support organizations operating below the “cyber poverty line” by providing free or discounted cybersecurity services. Such programs include cyber volunteering initiatives that harness the expertise of professionals working in the private sector, university-based cybersecurity clinics, and free government-provided services. However, several panelists identified that while a growing number of programs now offer pro-bono cybersecurity services, the organizations most in need often do not know these resources exist.
In a panel entitled “Without Washington? Rethinking Shared Responsibility for Regional Cyber Resilience,” Tony Sauerhoff, the former CISO for the State of Texas, noted that, despite the value programs like university cyber clinics and regional security operation centers (RSOCs) provide, it is difficult to get entities to participate. “I can tell you from experience: it’s tougher than you might think to give away free, valuable resources,” he said. “It’s a lot of work to get entities on board…. A lot of education is involved. But it’s also really important.”
Sauerhoff described the significant effort required to bring clients on board and help them understand the cyber risks their organizations face. He described the challenge of getting leaders at local government offices to grasp the likelihood that their networks could be compromised, or to understand the potential impacts, available mitigation options, and how they can take ownership of the challenge.
He also cautioned that funding alone is not a cure-all remedy, noting that even free resources and services go unused — particularly in rural areas — because organizations may lack the expertise or understanding to seek them out or make use of them. Sauerhoff stressed that improving rates of adoption depends on education, relationship building, and a mindset shift among local leaders.
Cyber Volunteering Day
On October 23rd, CLTC teamed up with Wisconsin Emergency Management to host 75 cyber defenders from across academia, state government, and civil society for the first-of-its-kind Cyber Volunteering Day. This event was an opportunity for boots-on-the-ground cyber defenders to share best practices and expand services for community infrastructure. This was the first time that state cyber corps leaders and cyber clinics across the country were in the same room together.
Expert facilitators from across the country led interactive sessions on common themes across cyber volunteering, including:
- How to address cyber volunteering legal issues;
- Best practices for recruiting, onboarding, and retaining volunteers;
- Metrics and measuring the success of programs;
- Collaborating and handing off post-engagement to MSPs/MSSPs;
- Public-private cooperation and information sharing; and
- Working alongside cyber insurance providers and private-sector partners.
Momentum & The Road Ahead
Community Wins
Cyber volunteering programs across the country scored many wins across 2025. Over the past year, DEF CON Franklin, a nationwide cyber volunteering program, established partnerships with small and rural water systems across several new states. These partnerships have delivered high-quality cybersecurity assistance and consultation to diverse “cyber-poor” and “target-rich” communities. As DEF CON Franklin volunteers start with the basics, they have helped the staff and leadership of these water systems improve their password security, conduct mapping of all IT / OT assets, and bolster system operator awareness of foreign and domestic cyber threats.
In coordination with cybersecurity experts, DEF CON Franklin also partnered with Cloudflare to design and deliver a tailored deployment of free cyber tools through Cloudflare’s Project Galileo program for water utilities across several states. This effort supports Franklin’s mission to scale its cyber volunteer taskforce for water through a national MSSP model, thereby strengthening cyber resilience in our nation’s underserved communities.
Cyber-specific reserve teams, a model of government-run cyber volunteering programs administered by various State Guard units, continued to mature and demonstrate increased preparedness. Joshua Copeland, Louisiana State Guard Cyber Reserve’s Chief Warrant Officer, was awarded the State Guard Association of the United States’ Officer of the Year Award for 2025 in recognition of his and his team’s work to enhance the state’s preparedness and response to cyber incidents, ensuring mission continuity during emergencies and promoting collaboration with local and federal partners. Additionally, at the State Guard Association of the United States, the Maryland Defense Force Cyber Defense Unit placed third in the annual capture the flag exercise.
Semilla Cyber, a Puerto Rican organization focused on building local cybersecurity talent through education, training, and community engagement, and on aiming to develop skilled professionals to protect the region’s digital infrastructure, expanded its footprint by securing renewed funding channels on Benevity, and by establishing key alliances at the ISSA Puerto Rico Conference. They are actively bolstering community resilience through new operational partnerships and advanced national training exercises in Wisconsin.
Future Horizons: Expanding Our Reach with Regional Cyber Civil Defense Summits in 2026
Building on our successes from the past year, in 2026, the Cyber Resilience Corps will host three Regional Cyber Civil Defense Summits to meet with state leaders in their regions and discuss how states and the cyber civil defense community can build new kinds of regional ecosystems. Stay tuned for more information on dates and locations for these events.
Interested in joining us? Register your interest here.
