Inquiring Minds Want to Know about Cyber Ranges

Stephen Schneiter

Administrator
Staff member
  • Nov 26, 2018
    776
    6
    3,132
    102,091
    Knoxville, TN
    Hey, CINners! James Stanger and I are wondering about your use of cyber ranges. By "cyber ranges," we're talking about interactive individual and/or team-oriented environments where people work on specific skills (e.g., security analytics skills), courses (e.g., Security+), individual skills (securing APIs against Advanced Persistent Threats), and/or Capture the Flab (CTF). So, here's the question:

    What cyber range environments do you use?

    And, here's a follow up question: What do you like or not like about cyber range environments?
     
    At Prometheus Cyber Consulting, cyber ranges are a core part of both our internal training and community outreach efforts. We regularly use platforms like TryHackMe, Hack The Box, and Cyber Range Pro for structured skill-building, red vs. blue team simulations, and CTFs.

    Last year, we launched a free cyber training initiative for local youth, using PicoCTF challenges as the foundation. It was an incredible experience-many of the students had never touched a command line before, and by the end of the program, they were solving real-world security puzzles and thinking like ethical hackers. It was inspiring to watch their confidence grow through hands-on learning.

    Internally, we also run custom cyber range scenarios for our consultants. One standout exercise was a simulated API attack and defense drill, where teams had to secure a vulnerable API under threat from an APT-style actor. Exercises like these not only sharpen technical skills but also build teamwork and incident response capabilities.

    What we love about cyber ranges:
    - Realistic scenarios and immediate feedback
    - Gamified learning environments that keep learners engaged
    - The ability to tailor experiences to our specific training goals

    What we find limiting:
    - Limited customization options in some platforms
    - Cost barriers for smaller teams or non-profit projects
    - Some ranges lack depth in simulating enterprise-level infrastructure

    Always happy to connect and share ideas-especially with others passionate about hands-on cybersecurity education.

    Precious "Greetings From Red Team Offensive"
     
    Thank you, Stephen! Yeah, everyone: I've been curious, lately, how folks are feeling about cyber ranges. What are your experiences, and what specific vendors do you use? And, to expand on our above questions just a bit, what features do you and your students appreciate?

    Hol'up - Full Stop, Helm

    Dost my eyes yet decieveth me, or hast the great Dr. James Stanger made his presence known here in the CIN?

    Oh and @Stephen Schneiter - "Capture the Flab"?? See and every Partner Summit, I roll into the gym at 0600 for the morning lift. I'm beginning to think this may have to be a more defined thing...

    As for Cyber ranges, I've always been constrained to have to build my own, or use freebee environments like Hack the Box or the like. And one of the things I've often found is that you get general concepts down - but the one off specifics that tend to make things interesting tend to get left off, particularly as how threats evolve over time.
     
    Hey James! 👋


    I’ve used a variety of cyber range environments depending on the training goals. Here are a few I’ve worked with:
    • TryHackMe—Great for beginners and intermediate learners. Some rooms for attacking perspectives: to learn security tools (Hydra, Nmap, OpenVas ...)
    • Damn Vulnerable Web Application (DVWA) and Metasploitable2 for testing.
    • Wazuh Demo Labs—Useful for blue team/defensive security labs, like SIEM and incident response, with the integration of TIP (Threat Intelligence Platform) like MISP, Vulnerability detector module, IDS/IPS (Suricata and Snort)
    What I Like:
    - Hands-on practice — It’s the best way to learn and retain technical skills.
    - Team-based scenarios — Some ranges offer Red vs. Blue, which simulates real-world teamwork and adversarial thinking.

    What I Don’t Like:
    - Cost barriers — High-quality cyber ranges can be expensive for individuals without organizational backing.
     
    • Like
    Reactions: precious
    At Prometheus Cyber Consulting, cyber ranges are a core part of both our internal training and community outreach efforts. We regularly use platforms like TryHackMe, Hack The Box, and Cyber Range Pro for structured skill-building, red vs. blue team simulations, and CTFs.

    Last year, we launched a free cyber training initiative for local youth, using PicoCTF challenges as the foundation. It was an incredible experience-many of the students had never touched a command line before, and by the end of the program, they were solving real-world security puzzles and thinking like ethical hackers. It was inspiring to watch their confidence grow through hands-on learning.

    Internally, we also run custom cyber range scenarios for our consultants. One standout exercise was a simulated API attack and defense drill, where teams had to secure a vulnerable API under threat from an APT-style actor. Exercises like these not only sharpen technical skills but also build teamwork and incident response capabilities.

    What we love about cyber ranges:
    - Realistic scenarios and immediate feedback
    - Gamified learning environments that keep learners engaged
    - The ability to tailor experiences to our specific training goals

    What we find limiting:
    - Limited customization options in some platforms
    - Cost barriers for smaller teams or non-profit projects
    - Some ranges lack depth in simulating enterprise-level infrastructure

    Always happy to connect and share ideas-especially with others passionate about hands-on cybersecurity education.

    Precious "Greetings From Red Team Offensive"
    Thank you,

    Hol'up - Full Stop, Helm

    Dost my eyes yet decieveth me, or hast the great Dr. James Stanger made his presence known here in the CIN?

    Oh and @Stephen Schneiter - "Capture the Flab"?? See and every Partner Summit, I roll into the gym at 0600 for the morning lift. I'm beginning to think this may have to be a more defined thing...

    As for Cyber ranges, I've always been constrained to have to build my own, or use freebee environments like Hack the Box or the like. And one of the things I've often found is that you get general concepts down - but the one off specifics that tend to make things interesting tend to get left off, particularly as how threats evolve over time.
    Yes, I'm here in the forum, Sir Rick! And, the "Capture the Flab" is definitely from me . . . both because of a "typo," and for fairly obvious reasons!
     
    At Prometheus Cyber Consulting, cyber ranges are a core part of both our internal training and community outreach efforts. We regularly use platforms like TryHackMe, Hack The Box, and Cyber Range Pro for structured skill-building, red vs. blue team simulations, and CTFs.

    Last year, we launched a free cyber training initiative for local youth, using PicoCTF challenges as the foundation. It was an incredible experience-many of the students had never touched a command line before, and by the end of the program, they were solving real-world security puzzles and thinking like ethical hackers. It was inspiring to watch their confidence grow through hands-on learning.

    Internally, we also run custom cyber range scenarios for our consultants. One standout exercise was a simulated API attack and defense drill, where teams had to secure a vulnerable API under threat from an APT-style actor. Exercises like these not only sharpen technical skills but also build teamwork and incident response capabilities.

    What we love about cyber ranges:
    - Realistic scenarios and immediate feedback
    - Gamified learning environments that keep learners engaged
    - The ability to tailor experiences to our specific training goals

    What we find limiting:
    - Limited customization options in some platforms
    - Cost barriers for smaller teams or non-profit projects
    - Some ranges lack depth in simulating enterprise-level infrastructure

    Always happy to connect and share ideas-especially with others passionate about hands-on cybersecurity education.

    Precious "Greetings From Red Team Offensive"


    Precious (Prometheus Cyber Consulting):

    Thank you much for your very specific run-down of what you love about cyber ranges, and what you find limiting. I think you've really listed the big 3, know what I mean? Customization and cost go hand-in-hand, right? And, it's tough to simulate enterprise-level infrastructure, given licensing issues, etc. Right?

    So cool that you simulate API-based attacks and defense; I talk with quite a few industry folks worldwide, and second to social engineering, API-based attacks are the second thing that C-level leaders talk about when discussing security issues. So cool to see you focusing on that with a cyber range. And, young folks love the gamification of a cyber range; it's all about getting hands-on, right?

    James
    Chief Technology Evangelist, CompTIA
    [email protected]
     
    • Love
    Reactions: precious
    Hey James! 👋


    I’ve used a variety of cyber range environments depending on the training goals. Here are a few I’ve worked with:
    • TryHackMe—Great for beginners and intermediate learners. Some rooms for attacking perspectives: to learn security tools (Hydra, Nmap, OpenVas ...)
    • Damn Vulnerable Web Application (DVWA) and Metasploitable2 for testing.
    • Wazuh Demo Labs—Useful for blue team/defensive security labs, like SIEM and incident response, with the integration of TIP (Threat Intelligence Platform) like MISP, Vulnerability detector module, IDS/IPS (Suricata and Snort)
    What I Like:
    - Hands-on practice — It’s the best way to learn and retain technical skills.
    - Team-based scenarios — Some ranges offer Red vs. Blue, which simulates real-world teamwork and adversarial thinking.

    What I Don’t Like:
    - Cost barriers — High-quality cyber ranges can be expensive for individuals without organizational backing.

    Abdelmlak:

    Yes - the cost barrier is just . . . brutal! And, thank you for the rundown of the "personalities," as it were, of the various environments, based on goals. What is your favorite environment for team-based scenarios?

    Best regards,


    James
    Chief Technology Evangelist, CompTIA
    [email protected]
     
    Abdelmlak:
    Yes - the cost barrier is just . . . brutal! And, thank you for the rundown of the "personalities," as it were, of the various environments, based on goals. What is your favorite environment for team-based scenarios?

    Best regards,


    James
    Chief Technology Evangelist, CompTIA
    [email protected]
    Hey James! Thanks for the kind words.


    For team-based scenarios, I really enjoy Wazuh Demo Labs. When combined with tools like Suricata, MISP, and vulnerability modules, it offers a great Red vs. Blue experience. It’s especially strong for blue team training and simulating real-world SOC environments.


    Let me know if you'd like more details!


    Best,
    Abdelmlak