Vatican City’s Cyber Defense Reliant on Unprecedented Volunteer Force

October 8, 2025

A novel, non-traditional cyber defense model has emerged to protect one of the world’s most high-profile entities. Vatican City State, despite its global significance, possesses a critically underdeveloped cybersecurity posture, making it highly vulnerable to a spectrum of threat actors. In response, an international group of volunteer cybersecurity professionals has formed a de facto, pro-bono threat intelligence and defense unit, highlighting a significant security gap within a sovereign state.

The ad-hoc group, known as the “Vatican Cyber Volunteers,” was founded in 2022 by a Dutch IT security expert. The collective now numbers over 90 specialists from around the globe who dedicate their free time to securing the Holy See’s digital assets.

Identified Threat Landscape and Key Incidents

The Vatican’s digital infrastructure, which includes state, diplomatic, and financial entities like the Vatican Bank, presents a rich target for espionage, disruption, and financial crime. Intelligence gathered by the volunteer group and public reports indicate a persistent and varied threat, including:

State-Sponsored Activity: The Vatican’s diplomatic communications have been targeted by Advanced Persistent Threat (APT) groups. Notably, Chinese state-sponsored actors were identified in attacks against Vatican mail servers in 2020.
Hacktivism and Geopolitical Retaliation: Following critical remarks by Pope Francis regarding the Russian invasion of Ukraine, pro-Russian actors launched significant Distributed Denial-of-Service (DDoS) attacks against Vatican websites in 2022, causing service disruptions.
Information Elicitation and Espionage: The volunteer group has identified rogue Wi-Fi access points deployed near the Vatican, a classic tactic to intercept credentials and communications from unsuspecting employees via man-in-the-middle (MITM) attacks.
Ideologically and Religiously Motivated Attacks: A recent surge in phishing campaigns and other cyberattacks has been observed, coinciding with the election of the new Pope. This activity is attributed to both state-affiliated and ideologically motivated threat groups.

Vulnerability Assessment: A Nation-State Without a CISO

The core of the Vatican’s vulnerability lies in its organizational structure. There is no central authority, such as a Chief Information Security Officer (CISO), responsible for a unified cybersecurity strategy. This has resulted in a fragmented and often outdated digital infrastructure.

The 2024 Global Cybersecurity Index reflected this critical deficiency, placing Vatican City in its lowest-performing category alongside nations like Afghanistan and Yemen. While its physical security, managed by the Swiss Guard and Gendarmerie Corps, is robust, it lacks the mandate and resources to counter digital threats.

A Novel Crowd-Sourced Defense Model

The “Vatican Cyber Volunteers” operate from an external perspective, mirroring the viewpoint of a potential attacker. Their activities represent the core functions of a modern Security Operations Center (SOC):

External Attack Surface Management: The group continuously scans Vatican systems for vulnerabilities visible from the public internet, such as outdated software and inadvertently exposed servers.
Proactive Threat Intelligence: Volunteers monitor the clear, deep, and dark web for emerging threats, active malware campaigns, and data leaks containing credentials potentially linked to Vatican systems.
Incident Reporting and Remediation: Findings are documented and communicated directly to the Vatican’s Dicastery for Communication, providing actionable intelligence and remediation recommendations.

Outlook and Strategic Implications

While the efforts of the volunteer group are a commendable and innovative stopgap, the reliance on a non-official, pro-bono entity for the cyber defense of a sovereign state is an unsustainable and high-risk strategy.

The group’s founder has actively advocated for structural change, providing the Vatican with a detailed 60-page framework for establishing a professional cybersecurity program, risk assessment protocols, and secure development processes. The primary obstacle is not financial—as many security vendors would likely offer services at reduced cost or on a donation basis—but a lack of decisive commitment from the Vatican leadership to institutionalize cybersecurity at the same level as its physical security.

Until the Vatican establishes a formal CISO position and a dedicated, properly resourced cybersecurity department, it will remain a soft target for a growing number of sophisticated threat actors. This unique case serves as a stark reminder that in the modern threat landscape, even the most historic institutions are only as strong as their digital defenses.

Shenouda.nl is the personal website of Joe Shenouda, a seasoned cybersecurity expert and CISO, dedicated to providing strategic insights into the global cyber threat landscape through threat intelligence analysis. The site features blog posts on current cyber incidents, such as data breaches, hacktivist activities, and geopolitical cyber conflicts, often mapping threats to frameworks like MITRE ATT&CK and offering defense recommendations. It serves as a resource for professionals in the field, combining Joe’s extensive experience in cyber defense with timely analyses of emerging threats.