Compliance Tycoon · CVERiskPilot · v1.0
v1.0 · 2026 · Free for students & jobseekers, forever

Run an audit firm.
Survive an incident.
Learn real compliance.

An idle tycoon where every click is a control review, every hire a real audit role, and every incident a teachable failure. Built by the team behind CVERiskPilot. Designed to make GRC stick.

Free for students and the unemployed, forever. Verified students and self-attested job-seekers get Founder's Edition (ad-free) and all Cert Prep Packs at no cost.

[Game screen preview: complianceTycoon.app/play · Audit Hours: 847,250 (+128.4 / sec) · button: REVIEW CONTROL +1 AH]

How it plays

Cookie Clicker, but the cookies are workpapers.

Click to review controls. Hire interns, then auditors, then partners. Win engagements, dodge incidents, and prestige into bigger industries — Healthcare, Finance, Federal, Spaceport.

01 · CORE LOOP

Click reviews controls

Each click is one Audit Hour. Earn revenue per AH. Hire automation that audits while you sleep. The numbers go up. The frameworks get hairier.

02 · ENGAGEMENTS

Real clients, real frameworks

SOC 2, ISO 27001, PCI DSS, HIPAA. Each client comes with a backstory, a control set, and at least one terrible secret. Finish on time, get paid.

03 · INCIDENTS

The intern committed AWS keys

Pop-up incidents force three-way ethical choices. Document and lose time. Bill extra and lose reputation. Hide it and inherit risk that compounds.

The Kerbal of Compliance

Every mechanic maps to a real concept.

Toggle Pro depth and the game annotates itself — every control number, every framework section, every incident links to the actual standard.

  • CC6.1 · Logical Access: SOC 2 Trust Services Criteria for restricting access to authorized users.
  • A.5.19 · Supplier Mgmt: ISO 27001:2022 Annex A control on third-party assurance.
  • §164.308 · Admin Safeguards: HIPAA Security Rule administrative safeguards — risk analysis, training, sanctions.
  • Req 3 · Stored CHD: PCI DSS v4.0 — protect stored cardholder data via encryption or tokenization.
  • AC-3 · Access Enforcement: NIST 800-53 control mandating enforcement of approved authorizations.
  • POA&M · Plan of Action: The federal artifact tracking unresolved findings to closure dates.

Access

Free at the point of use. Pro tier optional.

We sell to firms that want to train new auditors. Individuals never pay. Students and jobseekers get Founder's Edition free, forever, with all Cert Prep Packs included.

FREE

$0 forever

  • Full game
  • Up to Industry 4 — Federal
  • Community Discord
Most popular
FOUNDER'S EDITION

$0 for students & jobseekers

  • Ad-free
  • All Cert Prep Packs (CISA / CISSP / CISM / CRISC)
  • Resume export of completed engagements
  • Verified via .edu or self-attestation
FIRM LICENSE

$28 per seat / mo

  • Cohort dashboards
  • Custom framework packs
  • SCORM / LMS export
  • Dedicated success manager