Renewable Energy Engineering Simulation
|
Real energy science. Custom maps. Competitive scoring.
Capacity factors, O&M costs, CO₂ intensity and seasonal output variations based on NREL, IRENA and Lazard data. Every number is grounded in real engineering.
Paint your own terrain tile by tile before launching. Choose from 5 starter templates or build from scratch. Expand the grid mid-game as your city grows.
Weather storms, regulatory changes, grid failures and terrain shifts hit mid-simulation. Adapt your strategy — or lose control of demand.
Score on energy output, demand satisfaction, surplus generation, budget efficiency and CO₂ savings. No single strategy wins every round.
Place houses, apartments, factories, hospitals and schools to build your city. Population drives energy demand — balance growth with generation capacity.
Wire assets together with transmission lines. Smart grids cut losses from 8% to 2%. Substations, microgrids and storage hubs change how energy flows.
Four steps from blank map to energy empire.
Set your budget, difficulty, round count, season and scenario modifiers. Pick a map template or start blank.
Paint 7 terrain types tile by tile. The terrain affects every asset's output — coastal for wind, desert for solar, highland for geothermal.
Place energy assets, connect them with wires, add demand structures to power. Manage your budget across 14 asset types.
Simulate each round. React to live events, manage demand, score points. Expand and optimise across up to 20 rounds.
Each terrain affects asset performance differently. Strategy starts with placement.
From rooftop solar to concentrated solar towers — each with real capacity factors, build times and O&M costs.
See how your energy strategy stacks up. Top engineers are ranked by final score, efficiency and sustainability rating.
A renewable energy engineering simulation platform for real-world infrastructure planning and decision-making under uncertainty.
Power Pioneers was commissioned by Vanko Group as an engineering project. It simulates real-world challenges faced by renewable energy project leads such as terrain constraints, weather volatility, grid infrastructure, and budget management.
Each zone has a terrain type — coastal, highland, desert, urban, industrial, wetlands, or river. Terrain dictates which assets can be placed and how efficiently they generate. A wind farm in coastal zones outperforms one inland; solar arrays favour desert and highland sun exposure. Mid-game terrain shifts force players to re-plan.
Live weather data from the Open-Meteo API drives solar irradiance and wind speed each round. Storms, overcast skies, and seasonal swings introduce volatility — your generation forecast is never a guarantee. Players must build a portfolio resilient to weather shocks, not just optimised for ideal conditions.
Generation alone isn't enough — energy must reach demand zones through transmission lines and substations. Every connection has line-loss, every routing decision trades cost for efficiency. Poor grid design strands capacity; good design balances supply, demand, and redundancy across the network.
Players start with a fixed capital budget. Every asset, every line, every upgrade chips away at it. Crisis events impose unexpected costs. The final score weighs energy delivered, sustainability, and budget discipline — overspending early can lock you out of the late-game options that matter most.
Initial proof-of-concept: a single-zone simulation with hardcoded weather and a fixed asset roster. Established the core round-based loop and scoring model.
Power Pioneers is committed to protecting your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
This policy explains what personal information Power Pioneers collects, how it is used, who it is shared with, how it is protected, and the rights you have over your data. Power Pioneers is operated as an engineering project commissioned by Vanko Group. By creating an account or using the platform, you consent to the practices described below.
Username, email address, and password (stored only as a one-way bcrypt hash — never in plain text). Optional role designation (student / admin).
Simulation sessions, asset placements, zone connections, terrain selections, round outcomes, scores, and timestamps. This data exists to power the leaderboard, progress tracking, and your personal history.
IP address, browser type, device type, and timestamps of access — collected automatically by AWS CloudFront and CloudWatch logs for security and operational monitoring.
If you submit the contact form, we collect the name, email, and message you provide. This is delivered to our admin inbox via Amazon SES for the sole purpose of responding to your enquiry.
Your account data and gameplay records let you log in, resume sessions, view your scores, and appear on the leaderboard. Without this data the platform cannot function.
Technical data (IP, request logs) is used to detect abuse, throttle malicious traffic via AWS WAF, and investigate security incidents. Retention of these logs is limited to what is required for incident response.
Anonymised, aggregate statistics (e.g. total games played, average score, asset deployment patterns) may be used to improve the platform. Individuals are never identifiable in aggregate analytics.
Contact form submissions are used solely to reply to your message. We do not use them for marketing, profiling, or onward disclosure.
Data is hosted on Amazon Web Services infrastructure (Sydney region — ap-southeast-2). AWS acts as a data processor under our control. No data leaves AWS-controlled regions without an APP 8 cross-border assessment.
Weather data is fetched from the Open-Meteo public API. Only generic geographic coordinates are sent — no user identifiers, no account data, no IP-linked requests.
We do not sell, rent, or share personal information with advertisers, data brokers, or any party outside the operational service providers listed in this policy.
You may request a copy of the personal information we hold about you at any time, free of charge, by emailing the address below.
If any data we hold about you is inaccurate, outdated, or incomplete, you may request that we correct it. Updates are applied within 30 days of a verified request.
You may request deletion of your account and associated gameplay data. Anonymised aggregate statistics may be retained where individual identity has been irreversibly removed.
If you believe we have breached the APPs, you may complain to us directly, and escalate unresolved complaints to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Account and gameplay data is retained while your account remains active and for up to 12 months after deletion, after which it is permanently removed from primary databases and backups. Security logs are retained for up to 90 days. Contact form messages are retained only as long as required to resolve the enquiry.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256 via AWS RDS / S3). Passwords are stored as bcrypt hashes only. The application sits behind AWS WAF and AWS Shield Standard. For full technical detail, see the Cyber Security page.
For any privacy-related request — access, correction, deletion, or complaint — email admin.powerpioneers@gmail.com. We will acknowledge your request within 7 business days and respond substantively within 30 days.
Power Pioneers is engineered with a multi-layered security posture spanning network, application, data, identity, and monitoring controls — built on AWS managed services.
We operate under a defence-in-depth model: no single control is trusted to secure the platform. Network, application, data, and identity layers each enforce independent protections, so the compromise of any one layer does not cascade. Where AWS managed services provide a hardened, audited primitive (WAF, KMS, IAM, RDS encryption), we prefer them over self-managed equivalents.
All inbound traffic passes through AWS WAF with managed rule sets for the OWASP Top 10 — SQL injection, XSS, command injection, path traversal, and known-bad bot signatures are blocked at the edge before reaching the application.
AWS Shield Standard provides always-on DDoS mitigation at the network and transport layers, absorbing volumetric attacks before they reach application infrastructure.
Static assets served via Amazon CloudFront with origin shielding. The origin server is not directly internet-accessible — only CloudFront's signed-edge fingerprint can reach it.
WAF rate-based rules cap requests per source IP. Sensitive endpoints (login, registration, contact form) carry tighter per-route limits to defeat credential stuffing and form abuse.
TLS 1.3 enforced end-to-end via AWS Certificate Manager (ACM). HSTS headers prevent protocol downgrade. No HTTP fallback is exposed.
Every server endpoint validates payload shape, type, and length before touching the database. Parameterised SQL queries eliminate injection vectors regardless of input.
Passwords are hashed with bcrypt (cost factor 12) before storage. Plain-text passwords never persist anywhere — not in logs, not in memory beyond the request, not in backups.
Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers are applied to all responses, blocking clickjacking, MIME sniffing, and information leakage.
The MySQL database runs on Amazon RDS with AES-256 encryption at rest via AWS KMS. Encryption keys are rotated annually. Database snapshots, automated backups, and read replicas inherit the same encryption. S3 buckets storing assets use SSE-KMS.
TLS 1.3 with strong cipher suites enforced for every external connection. Internal AWS-to-AWS traffic (app → RDS, app → SES) is encrypted using AWS-managed certificates inside the VPC.
Database credentials, API keys, and SES credentials are stored in AWS Secrets Manager and injected at runtime. No long-lived secrets exist in the codebase, .env files, or container images.
Automated daily RDS backups with 7-day point-in-time recovery. Backups are encrypted and stored in a separate AWS account to protect against accidental deletion or ransomware-style attacks on primary infrastructure.
Application services authenticate to AWS using IAM roles, not long-lived access keys. Temporary credentials are rotated automatically every few hours by AWS STS.
Every IAM policy follows the principle of least privilege — services receive the narrowest possible permission set, scoped to specific resources and actions.
All administrative access to the AWS console and infrastructure requires multi-factor authentication. Root credentials are sealed and used only for break-glass scenarios.
User sessions are signed, time-limited, and invalidated on logout or password change. Session tokens are stored with HttpOnly, Secure, and SameSite=Lax flags.
Every API call against AWS resources is logged to CloudTrail and retained for audit. Unauthorised or anomalous actions trigger automated alerts.
Application logs, request rates, error rates, and resource utilisation stream into CloudWatch. Threshold alarms page the on-call operator for anomalies in real time.
Amazon GuardDuty continuously analyses VPC flow logs, DNS logs, and CloudTrail for known threat patterns — port scans, crypto-mining, credential exfiltration, and known-bad IPs.
Documented runbooks govern containment, eradication, and recovery for credential compromise, data exposure, and DDoS events. Post-incident review feeds back into hardening.
If you discover a security vulnerability, please report it privately to admin.powerpioneers@gmail.com before disclosing it publicly. We commit to acknowledging your report within 72 hours and providing a remediation timeline. Researchers acting in good faith will not be subject to legal action.