Executive Summary
In 2025, the University of New South Wales (UNSW) conducted 'Capture the Narrative,' a pioneering wargame where students developed AI-driven bots to influence a simulated election on a fictional social media platform. Over four weeks, participants generated over 7 million posts, with more than 60% of content produced by these bots. The exercise demonstrated how AI can be leveraged to manipulate public opinion, resulting in a 1.78% swing that altered the election outcome. This experiment underscores the growing threat of AI-powered influence operations in real-world scenarios. (unsw.edu.au)
The relevance of this incident is heightened by the increasing use of AI in disinformation campaigns. For instance, Microsoft reported that China has begun employing generative AI to create realistic images supporting divisive U.S. political content, marking a significant evolution in influence operations. (axios.com)
Why This Matters Now
The 'Capture the Narrative' wargame highlights the urgent need for robust defenses against AI-driven disinformation. As AI technologies become more accessible, malicious actors can more easily manipulate public opinion, posing significant risks to democratic processes and societal trust.
Attack Path Analysis
Adversaries initiated the attack by exploiting unencrypted traffic to intercept sensitive data. They then escalated privileges by manipulating IAM roles to gain broader access. Utilizing east-west traffic, they moved laterally across the network to access critical systems. Command and control were established through covert channels, allowing persistent access. Data was exfiltrated via unauthorized outbound traffic to external servers. Finally, the impact included data manipulation and disruption of services.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited unencrypted traffic to intercept sensitive data in transit.
MITRE ATT&CK® Techniques
Obtain Capabilities: Artificial Intelligence
Phishing
Establish Accounts
Compromise Accounts
Develop Capabilities
Compromise Infrastructure
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST Special Publication 800-53 – System Monitoring
Control ID: SI-4
PCI DSS 4.0 – Incident Response Plan
Control ID: 12.10
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
Digital Operational Resilience Act (DORA) – ICT Risk Management Framework
Control ID: Article 5
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
CISA Zero Trust Maturity Model 2.0 – Identity Management
Control ID: Identity
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
AI-powered influence operations targeting elections pose critical threats to democratic processes, requiring enhanced social media monitoring and public information security frameworks.
Political Organization
Direct exposure to AI-driven bot manipulation campaigns designed to sway electoral outcomes through sophisticated social media influence operations and narrative control.
Higher Education/Academia
Educational institutions face risks from AI manipulation research applications while needing cybersecurity training programs to combat influence operations and misinformation campaigns.
Broadcast Media
Media organizations must defend against AI-generated content designed to manipulate public opinion while implementing detection systems for automated influence campaigns.
Sources
- Wargame Exercise Demonstrates How Social Media Manipulation Works: https://www.darkreading.com/cyber-risk/wargame-demonstrates-social-media-manipulation
- How Fake People Became Real Influencers: https://www.theatlantic.com/podcasts/2026/04/how-fake-people-became-real-influencers/686755/
- AI in the Age of Fake (Imagined) Content: https://www.stimson.org/2026/ai-in-the-age-of-fake-imagined-content/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit unencrypted traffic, escalate privileges, move laterally, establish covert channels, and exfiltrate data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing Aviatrix CNSF would likely limit the attacker's ability to intercept unencrypted data, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely constrain the attacker's ability to escalate privileges by enforcing strict access controls based on identity and context.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely reduce the attacker's ability to move laterally by segmenting workloads and enforcing strict communication policies.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to establish covert channels by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely constrain the attacker's ability to exfiltrate data by controlling and monitoring outbound traffic.
While Aviatrix CNSF could limit the attacker's ability to manipulate data and disrupt services, some impact may still occur depending on the attacker's initial access and the organization's specific configurations.
Impact at a Glance
Affected Business Functions
- Public Relations
- Marketing
- Customer Engagement
- Brand Management
Estimated downtime: N/A
Estimated loss: N/A
Recommended Actions
Key Takeaways & Next Steps
- Implement Encrypted Traffic (HPE) to secure data in transit and prevent interception.
- Enforce Zero Trust Segmentation to limit privilege escalation and lateral movement.
- Utilize East-West Traffic Security to monitor and control internal traffic flows.
- Deploy Egress Security & Policy Enforcement to detect and block unauthorized outbound traffic.
- Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.