SANS Cyber Ranges

SANS Cyber Ranges provides an essential step in your cybersecurity training, allowing you to apply your skills and gain practical experience in an interactive and isolated environment, with no real-world risk, built by industry-leading SANS instructors.

SANS Cyber Ranges focus on the practical application and assessment of hands-on cybersecurity training. The cyber range enables you and your team to apply the skills you’ve learned in a curated and isolated environment that gives you insight into where you excel and where you need to focus more. You walk away with real-world experience in handling situations, without the real-world risk associated with practicing on live production equipment and systems. Then, when you are back in the office, you are prepared for whatever threats come your way. And as new threats and exploits come up, you can trust SANS to provide you with the latest information, research and strategies to deal with them all.

  • Competitive and gamified
  • For individuals and teams
  • Practice and assess skills
  • Isolated environments
  • Capture-the-flag ranges & real-world simulations
  • Expert tactics, hints, and tips
  • Reduced response times
  • Cyber Ranges for all skill levels
  • Always up to date and cutting edge

New NetWars Core Version 8!


SANS NetWars Core Version 8 is a new and exciting Cyber Range from SANS. Featuring AWS cloud content and more, it has fun, story-driven challenges to keep you engaged in learning and practicing your essential cybersecurity skills. We’ve also eliminated the need to download large VM files locally: the challenges are 100% browser-based!


A next-generation hacker, Trace R. Tee, was destined for great things until someone started messing with the timeline. Travel through time and assist a doctor in setting things right. Stop the bad actors, find out who’s behind the attacks on Trace, and become the new assistant the universe needs!

NetWars Continuous

Get the cybersecurity assessments and practice you need, at your convenience with NetWars Continuous.

  • 24/7 Access for 4 months
  • Comprehensive set of disciplines and focus areas
  • Scenario based challenges
  • and more!

NetWars is our premier Cyber Range, appropriate for all cybersecurity skill levels. NetWars poses a series of multifaceted, interactive and situational cybersecurity challenges. The challenges test a wide variety of disciplines and subject matter across 5 levels that increase in difficulty. These challenges may be completed individually or as a team. NetWars also features an automated hint system to help participants solve questions they may find particularly difficult. The available hints help participants develop new skills and ensure that every participant steadily progresses through the challenge.

  • For individuals and teams up to 5, of all skill levels
  • Custom virtual machine based challenges
  • Scorecard of your or your team's performance upon completion
  • Automated hint system; hints do not affect scores
  • Real time score board of players/teams

All NetWars ranges contain 5 levels, progressively increasing in difficulty, for players to advance through as they achieve and master new skill sets. This structure allows all participants, from beginners to experts, to find a fit for themselves in our ranges.

Level 1
For people new to information security (infosec) who are building their skills from the ground up.

Level 2
For entry-level infosec professionals with solid capabilities, who are beginning to build skills in specialized areas.

Level 3
For mid-level infosec pros with years of industry experience already under their belts, who are above average in skills and disciplines.

Level 4
For senior-level infosec pros who have developed specialized skills in cyber and are leaders not only at their organizations but also in the industry at large.

Level 5
For the elite-level infosec pros, capable of tackling the most advanced scenarios and challenges.

NetWars Formats

Product Specifications

  • NetWars Core is an industry leading multi-disciplinary cyber range that covers a wide range of subject matter. It is the most comprehensive and diverse of the NetWars focus areas. NetWars Core is recommended for all infosec practitioners.

    Example Topics in NetWars Core Tournament:

    • Bash and PowerShell skills
    • Windows and Linux memory forensics
    • Web application challenges
    • A “smart home” mobile application
    • Vulnerable connected cameras
    • Layer 2/DHCP attacks
    • BloodHound for Active Directory analysis
    • Kerberoasting as an Active Directory attack
    • Injection attacks
    • Windows exploitation
    • Network traffic capture and analysis
    • Command Line Kung Fu
    • Penetration testing
    • Advanced database hacking
    • Common Management System vulnerability exploitation
    • Reverse engineering and debugging
    • Threat detection through log analysis
    • Binary exploitation
    • Windows and Linux privilege escalation
    • Firewall fundamentals
    • Cryptographic security and exploitation
    • Fuzzing
    • Advanced malware analysis
    • Social engineering
    • Intrusion detection
    • WAF evasion
    • Linux fundamentals
    • Scanning/Enumeration


    • Linux and Windows basics
    • DNS analysis
    • Regular expressions
    • Light and heavy web application testing (GraphQL included)
    • Malware analysis on Windows with SysInternals
    • Malware analysis on Linux with common Linux tools
    • Exploit/shellcode development
    • Network traffic analysis and manipulation with TCPDump, Wireshark, Tshark, Scapy, and Zeek
    • Ngrok for reverse shell handling
    • SOCKS proxy creation for pivoting
    • Log4Shell exploitation of off-the-shelf (Apache Solr) and a custom application
    • AWS credential abuse
    • Kerberoasting in Windows Active Directory
    • SMB fileshare exploration for sensitive information

    Computer Requirements:

    A modern web browser

    Optional: Players may use their own systems and tools for certain challenges

  • NetWars Core Continuous is an extension of Core Tournament, meant solely for individuals, and covers an even wider range of subject matter for deeper skills assessment and practice. It is for all individual infosec practitioners and offers the convenience of 4 months of extended access, anywhere in the world.

    Extended topics in NetWars Core Continuous include:

    • PowerShell offense, defense, survival
    • API Manipulation
    • Hash extension exploitation & Cryptographic security controls
    • Linux terminal
      • check file contents with head, tail, cat, less, and wc
      • check OS version with uname and lsb_release
      • verify basics with hostname and whoami
      • searching environment variables with env and grep
      • verifying user data with /etc/passwd
      • testing file access controls with su
      • elevated permissions with sudo
      • file analysis with strings
      • running process analysis with ps
      • stopping processes with kill
      • command history analysis with .bash_history and grep
      • inspecting insecure password storage with recursive grep
      • comparing files with diff
      • modifying file permissions with chmod
      • file integrity checking with md5sum
      • Base64 encoding/decoding with base64
      • output manipulation with sed, awk, rot13, sort, uniq, tr, and cut
      • binary analysis with xxd
      • task scheduling with cron
    • PowerShell terminal
      • filesystem analysis
      • environment variable analysis
      • running process analysis
      • stopping processes
      • Base64 encoding/decoding
      • searching for files with given name/contents
      • file integrity checking
      • command history analysis
      • compressed file manipulation
      • loop operations
      • conditional operations
      • web requests
      • alternate data streams (ADS)
    • Packet capture analysis
      • analysis with Wireshark
      • file extraction from stream with Wireshark
      • basic traffic filtering with Wireshark/Tshark display filters
      • advanced traffic filtering with Wireshark/Tshark display filters
      • malicious traffic identification
    • HTTP(S) analysis
      • identifying vulnerabilities and flaws with Wireshark and Tshark
      • server-side JavaScript Injection (SSJS)
      • SQL Injection (SQLi)
      • Remote File Inclusion (RFI)
      • Insecure File Upload
      • Command Injection
      • HTTP requests with cURL
      • deobfuscating JavaScript with web browser developer tools
      • manipulating JavaScript objects with web browser developer tools
      • HTTP2 analysis
      • vulnerability scanning with Nikto and wpscan
      • cookie manipulation
    • Network Analysis
      • raw connections with netcat
      • network connection status with netstat
      • port and version scanning with Nmap
      • secure file transmission with scp
      • dynamic proxies
      • malicious traffic matching with Snort
      • packet capture with Tcpdump
      • filtering traffic with Berkeley Packet Filters (BPF)
      • DNS querying with dig, nslookup, and nsupdate
      • network defense with iptables
      • packet dissection and crafting with Scapy
      • application fuzzing with boofuzz
      • SMB connections with smbclient
    • Penetration testing (system, network, and web application)
      • password cracking with John the Ripper
      • password guessing with THC Hydra
      • password guessing with wfuzz
      • exploit research with online, open databases
      • exploitation with Metasploit
      • SQL database exploitation manually and with SQLMap
      • social engineering with the Social Engineering Toolkit (SET)
      • cookie stealing with cross-site scripting (XSS)
      • malware generation with msfvenom
      • LDAP injection
      • API manipulation
      • deserialization attacks
      • manual Windows vulnerability enumeration and exploitation
      • privilege escalation
    • Scripting
      • Python scripting
      • Perl scripting
    • Forensics
      • file forensics with Volatility
      • file extraction with Scalpel
      • Linux executable analysis with GDB
    • Data analysis
      • database analysis with SQLite
      • regular expressions (regex)
      • metadata analysis with exiftool
      • PDF analysis with pdftotext
      • JSON manipulation with jq
      • QR code generation
    • Cryptography
      • securing data with gpg
      • hash extension exploitation

    Computer Requirements:
    64-bit, x86, 2.0 GHz+


    40GB+ Free

    Operating System
    Windows 10 or later, Mac OS 10.15 or later, Linux

    Software for Range
    VMware Virtualization

    * 8GB is possible with reduced performance

  • NetWars Cyber Defense is specifically focused on cyber defense and threat detection: prevent, defend against, and analyze increasingly complex, real-world attack scenarios against your enterprise, from simplistic brute-force attacks to ransomware campaigns.

    Professionals who should consider taking NetWars Cyber Defense include experienced Security Administrators, Enterprise Defenders, Architects, Network Engineers, Incident Responders, Security Operations Specialists, Security Analysts, and Builders and Breakers.

    Example topics in NetWars Cyber Defense Tournament include:

    • Cyber Defense
    • Threat Hunting
    • Log Analysis
    • Packet Analysis
    • Cryptography
    • Windows Administration
    • Linux Administration
    • Network Security Monitoring
    • Continuous Security Monitoring
    • Steganography

    Computer Requirements:
    64-bit, x86, 2.0 GHz+


    40GB+ Free

    Operating System
    Windows 10 or later, Mac OS 10.15 or later, Linux

    Software for Range
    VMware Virtualization

    * 8GB is possible with reduced performance

  • NetWars DFIR is specifically focused on digital forensics, incident response, threat hunting, and malware analysis. It is tool-agnostic and ranges from low-level artifacts to high-level behavioral observations.

    Professionals who should consider taking DFIR NetWars include experienced Digital Forensic Analysts, Forensic Examiners, Media Exploitation Examiners, Malware Analysts, Incident Responders, Threat Hunters, Security Operations Center (SOC) Analysts, Law Enforcement Officers, Federal Agents, Detectives, and Cyber Crime Investigators.

    Example topics in NetWars DFIR Tournament include:

    • Digital Forensics
    • Incident Response
    • Threat Hunting
    • Malware Analysis
    • SIFT Workstation
    • Smartphone Forensics
    • Windows Forensics
    • MacOS and iOS Forensics
    • Network Forensics
    • Media Exploitation
    • Artifact Analysis
    • Rapid Triage
    • Database Analysis
    • Log analysis
    • Malicious attacks
    • Network traffic analysis
    • Reverse engineering and debugging
    • Intrusion detection

    Computer Requirements:
    64-bit, x86, 2.0 GHz+


    200GB+ Free. Approximately 50GB download of evidence files and virtual machines.

    USB 3.0 | Type-A or dongle with Type-A

    Operating System
    Windows 10 or later, Mac OS 10.15 or later, Linux

    Software for Range
    VMware Virtualization. Participants are expected to either provide their own forensics tools, or use the local VMware VM tools that we provide.

    * 8GB is possible with reduced performance.

  • NetWars ICS is specifically focused on industrial control systems and operational technology. It employs a literal cookie factory to unite the ICS/OT factions over the one true sweet treat; nom nom cookies. End goal: get the factory machinery working correctly so you and your peers can be rewarded with fresh baked cookies. ICS NetWars will bring players onto the factory floor and expose them to physical equipment and manufacturing components as they work through the NetWars scenario.

    Professionals who should consider taking ICS NetWars include experienced Process Control Engineers, ICS/OT cybersecurity practitioners working in operational facilities, and IT cybersecurity professionals supporting ICS environments.

    Example topics in NetWars ICS Tournament include:

    • Blue Team (Defender) actions
    • Asset discovery and infrastructure mapping
    • Identifying adversary actions
    • Log and file analysis
    • Endpoint forensics
    • ICS-specific malware detection
    • Engineering application use
    • Process restoration

    Computer Requirements:
    64-bit, x86, 2.0 GHz+


    40GB+ Free

    Operating System
    Windows 10 or later, Mac OS 10.15 or later, Linux

    Software for Range
    VMware Virtualization

    * 8GB is possible with reduced performance

  • NetWars GRID is similar to NetWars ICS in that it is focused on industrial control systems and operational technology. However, the NetWars GRID scenario is designed around the complex nature of distributed wide-area control systems found in critical infrastructure sectors like electric system operations. Utilizing a variety of real-world technologies found in electrical generation and distribution systems, the challenges are themed to the power system scenario, though the technology, protocols, architectures, and lessons learned are applicable across numerous critical infrastructure sectors beyond the electric sector.

    Professionals who should consider taking GRID NetWars include experienced IT and OT cybersecurity professionals supporting SCADA communications and control, field technicians, instrumentation and control, ICS field or plant control systems, and control center OT support teams.

    Example topics in NetWars GRID Tournament include:

    • Adversary actions
    • ICS Stage 1 and Stage 2 kill chain
    • Spear phishing
    • Command and control
    • Credential theft
    • Lateral and vertical movement
    • Security configuration modification
    • Process manipulation
    • Situational awareness impacts
    • Reliability effects
    • System integrity impacts
    • Blue Team (Defender) actions and Red Team (adversary) actions*

      *Variations of NetWars GRID exist

    Computer Requirements:
    64-bit, x86, 2.0 GHz+


    40GB+ Free

    Operating System
    Windows 10 or later, Mac OS 10.15 or later, Linux

    Software for Range
    VMware Virtualization

    * 8GB is possible with reduced performance

  • NetWars Mini is a text-based cyber range that is story-driven. It features rich storylines, hints, TAs and game servers similar to other NetWars ranges. However, NetWars Mini is browser based for easier access and deployment.

    Example topics in NetWars Mini include:

    • Linux command line tools and tricks
    • Linux file system permissions and administration
    • Command reference/main page treasure hunt
    • JSON parsing with “jq”, including bash scripting and database loading
    • Firmware analysis
    • Reverse engineering/binary exploitation
    • Packet captures and “tshark”
    • OSINT/exposed Git exploitation
    • MySQL analysis/exploitation
    • Web app pen testing
    • OSINT in social media, metadata, DNS records
    • Bash script/menu exploitation
    • Redis/PHP database exploitation
    • COBOL analysis/programming
    • HTTP request smuggling

    Computer Requirements:
    Internet Access and Chrome, Firefox, Safari, or Edge browsers.

  • NetWars Healthcare is based on the technologies and systems found in the medical field. It features the same rich storylines, hints, TAs and game servers as other NetWars ranges, but is browser-based for easier access and deployment.

    Example topics in NetWars Healthcare include:

    • Telemedicine and web app security
    • EMR and incident analysis
    • Medical device IoT security
    • Ransomware analysis and decryption
    • Hospital incident investigation with Windows domain event log analysis

    Computer Requirements:
    Internet Access and Chrome, Firefox, Safari, or Edge browsers.

  • All varieties of NetWars are PCTE compatible.

    Persistent Cyber Training Environment (PCTE) is a training platform that supports Joint Cyberspace Operations Forces by providing individual sustainment training, team certification, mission rehearsal, and the foundation for collective training exercises. It leverages existing connectivity to facilitate the sharing of resources, and provides additional cyber “maneuver space.” PCTE enables realistic training with variable conditions to increase readiness and lethality of our Cyberspace Operations Forces, while standardizing, simplifying, and automating the training management process.

    PCTE supports the United States Cyber Command (USCYBERCOM) by enabling a critical need for the DoD and Joint Cyberspace Operations Forces to train at the individual, team, and force level. PCTE is one of the five elements of the Joint Cyber Warfighting Architecture (JCWA), which provides a comprehensive, integrated cyberspace architecture to achieve and sustain the insight, agility, and lethality necessary for maintaining a competitive advantage against near-peer adversaries. PCTE will integrate and be interoperable with the other JCWA elements to enable teams to train and rehearse using the available JCWA operational tools and capabilities.


Bootup CTF

Bootup CTF is a capture-the-flag style cyber range consisting of over 125 multi-disciplinary cybersecurity challenges. It can be played solo or as a team. Bootup runs virtually online for 24-72 hours. Players can log in to participate or log out to take breaks at any time, multiple times, during the open session. Bootup CTF also features an automated hint system to help participants with supporting material and content related to the questions.

  • Question and answer format
  • Play on your time
  • Modular
  • Browser based
  • A wide variety of topics

Bootup CTF is for individuals and teams of all levels. While the content is primarily beginner to intermediate, it provides an easy and convenient way to challenge yourself on the myriad of topics every cybersecurity professional faces daily. Because of the modular nature of Bootup CTF, you can engage and learn at your own pace, in contrast to the brain-crunching environment of other learning formats. And for the cherry on top, every Bootup CTF features prizes for the top scorers of the game.

Computer Requirements:
Internet Access and Chrome, Firefox, Safari, or Edge browsers.


Private and Custom Ranges

Private Range Products

Our Private Range portfolio consists of SANS Cyber City, SANS Cyber STX and Custom Ranges. See details below.
  • CyberCity is a hands-on, kinetic cyber range for learning how to analyze, assess, and defend control systems and operational infrastructure, as well as how to identify vulnerabilities that could result in significant kinetic impacts. It also guides students on strategies for conveying findings to leadership and public planners on the potential kinetic impacts of vulnerabilities and cyber attacks.

    CyberCity is a 1:87 scale miniaturized physical city controlled by the same equipment found in cities and municipalities around the globe, featuring SCADA-controlled electrical power distribution, as well as water, transit, hospital, bank, retail, and residential infrastructures. CyberCity challenges participants to defend the city’s infrastructure from terrorist cyber attacks, and to use offensive tactics to retake or maintain control of critical assets.

  • The Cyber Situational Training eXercise (Cyber STX) is SANS’s premier in-depth training and validation cyber range. Teams of participants engage in an active Red-on-Blue team battle. Cyber STX provides a week of intense attack and defense of the critical cyber terrain. The red team develops and deploys a comprehensive campaign based on one or more specific advanced persistent threats (APTs), utilizing the same tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) as the given APTs. The blue team is challenged to defend against the red team attack.

    SANS instructors and teaching assistants (TAs) play the part of blue team coaches and red team/OPFOR operators, creating a highly realistic environment that can measure the capabilities of a blue team and its tools and communications, as well as the effectiveness of their TTPs. Additionally, the Cyber STX can take red teamer skills to the next level. SANS offers the Cyber STX on-site for private events, virtually in a cloud-based environment, or in a mixed mode with participants both local and remote. Cyber STX can include both Information Technology (IT) and Operations Technology (OT) infrastructures, depending on the specific environments participants are called on to protect. From an OT perspective, SANS runs Cyber STX missions with Industrial Control System (ICS) devices for power distribution, power generation, water refinement, port crane operations, manufacturing systems, and more.

    Professionals who should consider taking Cyber STX include experienced Military groups seeking in-depth training and validation, cyber protection teams, government agencies with responsibilities for defending critical systems, and large private industry organizations protecting complex infrastructure.

  • In most cases, SANS is able to craft a custom range challenge to meet the needs of the customer. Custom range requests require a customer meeting with the Cyber Range team to scope the project and provide options. Additionally, during the meeting SANS will help define learning objectives, develop scorecards, and configure the content and platform.

Upcoming Cyber Ranges

All scheduled ranges are online. Registration opens the Monday before the cyber range unless otherwise noted. To register, log into your SANS account and look for the range registration message at the top of your dashboard.

Date | Event | Range
February 4-5 | SANS Cyber Threat Intelligence Summit 2023 | DFIR NetWars
February 9-10 | SANS Offensive Operations London 2023 | Core NetWars
February 16-17 | SANS Munich February 2023 | DFIR NetWars
March 9-10 | SANS Cloud Security Amsterdam 2023 | Core NetWars
March 16-17 | SANS Cyber Threat Intelligence Summit 2023 | Core and Cyber Defense NetWars
March 16-17 | SANS London March 2023 | Cyber Defence NetWars
March 23-24 | SANS Paris March 2023 | DFIR NetWars
April 5-6 | SANS 2023 | Core, Cyber Defense, and DFIR NetWars
April 20-21 | SANS Pen Test Austin 2023 | Core NetWars
April 20-21 | SANS Threat Hunting London | DFIR NetWars
May 6-7 | SANS ICS Security Summit & Training 2023 | Grid NetWars
May 11-12 | SANS London May 2023 | Core NetWars
May 18-19 | SANS Security West 2023 | Core, Cyber Defense, and DFIR NetWars
May 25-26 | SANS Amsterdam May 2023 Wk 1 | Core NetWars
June 1-2 | SANS Amsterdam May 2023 Wk 2 | Core NetWars
June 8-9 | SANS London June 2023 | Cyber Defence NetWars
June 8-9 | SANS Rocky Mountain Summer 2023 | Core NetWars
June 15-16 | SANS Paris June 2023 | DFIR NetWars
June 21-22 | SANS ICS Europe 2023 | GRID NetWars
June 29-30 | SANS Munich 2023 | Cyber Defence NetWars
July 13-14 | SANSFIRE 2023 | Core NetWars, Cyber Defence, DFIR
August 8-9 | DFIR Summit |
August 17-18 | SANS Chicago 2023 | Core NetWars
September 9-10 | SANS Network Security 2023 | Core NetWars, Cyber Defence, DFIR, GRID

Premier Cyber Range Events

Throughout the year SANS hosts several premier events for our various cybersecurity communities throughout the world.

Customer Quotes

"NetWars is challenging for all levels of expertise, has great hints if you get stuck, and promotes continuous education."
Jon-Michael Lacek
- Wegmans Food Markets

"Core NetWars was challenging but not frustrating for newbies. This is my first time doing NetWars and it has been a blast."
Rachael Murray
- Northwestern Mutual

"Having participated in NetWars Continuous and in the NetWars Tournament, I can honestly say that they were the most intellectually challenging and enjoyable tests of technical skills in which I have participated."
Kees Leune
- Adelphi University

"These challenges were so much fun. Really covered so many different topics. Love how you were forced to use tshark and MySQL. Made you have to learn or relearn topic again."
C. Moody

"The gamified environment made it fun and the hints were a welcome feature that really helped make progress in a limited time frame."
Adam B.

"Fun challenges that really pushed you to think and adapt to overcome a variety of interesting scenarios."
William L.

"The increased difficulty and challenge levels as you moved through the questions encouraged you to keep going and build on the skills being practiced."
Dan C.

"This Mini-Netwars has been a great educational experience for me in learning different ways to accomplish tasks. For my learning level, this has been challenging and rewarding."
Ricardo V.

"I’m a defender, so knowing how attackers attack is useful. One of the most dangerous attacks in this exercise was flashing firmware on a device that wasn’t properly secured."
Annah W.

"Cyber 42 helped test our understanding of the lessons over time."
T. Court

"With NetWars CyberCity we hope to turn the tables by providing our first-line cyber defenders with the necessary skills and hands-on training to fend off online attacks and regain control of cyberspace."
Eric B.

"[Cyber STX] provided our team the most realistic training environment we have encountered... We hope other CPTs get to experience this."
Maj. Marty

"Learning new things, thinking from new angles and the topics make it an excellent experience for me."

"I love how I am able to both sharpen old skills and learn new skills and tools to add to my arsenal... from the use of various famous tools to the writing of simple to complex bash calls and scripts for those tools."
Jessica V.

"I love taking part in the NetWars. There is such a range of challenges to complete... I had no idea you could overwrite C functions in binaries as simply as setting an environment variable."
Oliver T.

"For anyone that hasn’t taken part in NetWars before, I can tell you that it's brilliant and lots of fun."
Umar Javed
CEO - CyDefOps

"Every point is a team success no matter who cracks the answer and gets the point(s). Have fun, connect with others and if you win that’s an added extra."
Umar Javed
CEO - CyDefOps

"Don’t focus too much on getting to the top, enjoy the experience, if you team up you can learn so much from others and it definitely helps to divide and conquer based on your skills and experience."
Umar Javed
CEO - CyDefOps
