SANS Cyber Ranges

SANS Cyber Ranges provides an essential step in your cybersecurity training, allowing you to apply your skills and gain practical experience in an interactive and isolated environment, with no real-world risk, built by industry-leading SANS instructors.

SANS Cyber Ranges focus on the practical application and assessment of hands-on cybersecurity training. The cyber range enables you and your team to apply skills you’ve learned in a curated and isolated environment, that gives you insight into what you are excelling at, and what you need to focus more on. You walk away with real world experiences on how to handle situations, without the real-world risk associated with practicing on live production equipment and systems. Then when you are back in the office you are prepared for whatever threats come your way. And as new threats and exploits come up, you can trust SANS to provide you with the latest information, research and strategies to deal with them all.

  • Competitive and gamified
  • For individuals and teams
  • Practice and assess skills
  • Isolated environments
  • Capture-the-flag ranges & real-world simulations
  • Expert tactics, hints, and tips
  • Reduced response times
  • Cyber Ranges for all skill levels
  • Always up to date and cutting edge


NetWars is our premier Cyber Range, appropriate for all cybersecurity skill levels. NetWars poses a series of multifaceted, interactive and situational cybersecurity challenges. The challenges test a wide variety of disciplines and subject matter across 5 levels that increase in difficulty. These challenges may be completed individually or as a team. NetWars also features an automated hint system to help participants solve questions they may find particularly difficult. The available hints help participants develop new skills and ensure that every participant steadily progresses through the challenge.

  • For individuals and teams up to 5, of all skill levels
  • Custom virtual machine based challenges
  • Scorecard of you or your teams performance upon completion
  • Automated hint system; hints do not affect scores
  • Real time score board of players/teams

All NetWars contains 5 levels, progressively increasing in difficulty, for players to advance through as they achieve and master new skill sets. This structure allows all participants, from beginners to experts, to find a fit for themselves in our ranges.

Level 1
For people new to information security (infosec) who are building their skills from the ground up.

Level 2
For entry-level infosec professionals with solid capabilities, who are beginning to build skills in specialized areas.

Level 3
For mid-level infosec pros with years of industry experience already under their belts, who are above average in skills and disciplines.

Level 4
For senior-level infosec pros who have developed specialized skills in cyber and are leaders not only at their organizations but also in the industry at large.

Level 5
For the elite-level infosec pros, capable of tackling the most advanced scenarios and challenges.

New NetWars Core Version 9!

NetWars Core Tournament version 9 will take you deep into the upside-down cybersecurity world where all your hands-on cyber skills will be put to the test. More immersive than ever before, our gamified version 9 brings you all new real-world challenges, including Azure command line, Azure cloud penetration testing, cyber threat intelligence, and network protocol analysis.

Our 100% browser based NetWars challenge allows teams and individuals to play in this high-end interface platform.

NetWars Core Tournaments are only available at select, in-person SANS training events.


Help a young group of friends in peril to find out who is behind a terrible danger, possibly involving the Hackins National Laboratory.

NetWars Continuous

Experience NetWars pressure-free with NetWars Continuous, a 4-month subscription to extended content.

  • NetWars Ranges Available: Core and DFIR.
  • Extended Engagement: Explore the intricacies of a subject matter thoroughly and be ready to apply learned skills effectively.
  • Flexible Access: Crucial for individuals who need to balance training with other commitments and reduce travel costs.
  • At Your Own Pace: Available 24/7, be ready to enable in-depth learning, practice, and assessment online anytime and anywhere.

Find an Upcoming NetWars Tournament

NetWars Tournaments is an in-person event only that is free for enrolled students in selected SANS training events. These training events host one or more NetWars options, available for two days with 3-hour sessions. Tournaments generally award prizes to top players, and the prizes vary per event.

Tournaments vs. Continuous

NetWars TournamentNetWars Continuous









Product Specifications

  • NetWars Core is an industry leading multi-disciplinary cyber range that covers a wide range of subject matter. It is the most comprehensive and diverse of the NetWars focus areas. NetWars Core is recommended for all infosec practitioners.

    NetWars Core Version 9 Overview

    SANS NetWars Core Version 9 is super accessible and broadly applicable. Students from SEC301: Introduction to Cyber Security, to SEC760: Advanced Exploit Development for Penetration Testers can get through challenges with hints (or not!) and earn points.

    NetWars Core Version 9 Story

    A group of young friends are facing terrible danger, possibly associates with the local Hackins National Laboratory. You can help! Help defend our heroes - find out who's behind all this and maybe even strike back.

    NEW Topics in NetWars Core Tournament Version 9:

    • Cyber threat intelligence
    • Azure command line
    • Azure cloud penetration testing
    • Network protocol analysis

    Example Topics in NetWars Core Tournament Version 9:

    • Linux command line
    • Windows command line
    • Malware reverse engineering
    • Firewall configuration
    • Forensics
    • Incident response
    • OSINT
    • Web application penetration testing
    • API penetration testing

    Computer Requirements:

    • Browser-based
    • Preference for Chromium-based web browser
    • 8GB of RAM
  • NetWars Core Continuous is an extension of Core Tournament, meant solely for individuals, and covers an even wider range of subject matter for deeper skills assessment and practice. It is for all individual infosec practitioners and offers the convenience of 4 months of extended access, anywhere in the world.

    Extended topics in NetWars Core Continuous include:

    • Powershell offense, defense, survival
    • API Manipulation
    • Hash extension exploitation & Cryptographic security controls
    • Linux terminal
    • check file contents with head, tail, cat, less, and wc
    • check OS version with uname and lsb_release
    • verify basics with hostname and whoami
    • searching environment variables with env and grep
    • verifying user data with /etc/passwd
    • testing file access controls with su
    • elevated permissions with sudo
    • file analysis with strings
    • running process analysis with ps
    • stopping processes with kill
    • command history analysis with .bash_history and grep
    • inspecting insecure password storage with recursive grep
    • comparing files with diff
    • modifying file permissions with chmod
    • file integrity checking with md5sum
    • Base64 encoding/decoding with base64
    • output manipulation with sed, awk, rot13, sort, uniq, tr, and cut
    • binary analysis with xxd
    • task scheduling with cron
    • PowerShell terminal
    • filesystem analysis
    • environment variable analysis
    • running process analysis
    • stopping processes
    • Base64 encoding/decoding
    • searching for files with given name/contents
    • file integrity checking
    • command history analysis
    • compressed file manipulation
    • loop operations
    • conditional operations
    • web requests
    • alternate data streams (ADS)
    • Packet capture analysis
    • analysis with Wireshark
    • file extraction from stream with Wireshark
    • basic traffic filtering with Wireshark/Tshark display filters
    • advanced traffic filtering with Wireshark/Tshark display filters
    • malicious traffic identification
    • HTTP(S) analysis
    • identifying vulnerabilities and flaws with Wireshark and Tshark
    • server-side JavaScript Injection (SSJS)
    • SQL Injection (SQLi)
    • Remote File Inclusion (RFI)
    • Insecure File Upload
    • Command Injection
    • HTTP requests with cURL
    • deobfuscating JavaScript with web browser developer tools
    • manipulating JavaScript objects with web browser developer tools
    • HTTP2 analysis
    • vulnerability scanning with Nikto and wpscan
    • cookie manipulation
    • Network Analysis
    • raw connections with netcat
    • network connection status with netstat
    • port and version scanning with Nmap
    • secure file transmission with scp
    • dynamic proxies
    • malicious traffic matching with Snort
    • packet capture with Tcpdump
    • filtering traffic with Berkeley Packet Filters (BPF)
    • DNS querying with dig, nslookup, and nsupdate
    • network defense with iptables
    • packet dissection and crafting with Scapy
    • application fuzzing with boofuzz
    • SMB connections with smbclient
    • Penetration testing (system, network, and web application)
    • password cracking with John the Ripper
    • password guessing with THC Hydra
    • password guessing with wfuzz
    • exploit research with online, open databases
    • exploitation with Metasploit
    • SQL database exploitation manually and with SQLMap
    • social engineering with the Social Engineering Toolkit (SET)
    • cookie stealing with cross-site scripting (XSS)
    • malware generation with msfvenom
    • LDAP injection
    • API manipulation
    • deserialization attacks
    • manual Windows vulnerability enumeration and exploitation
    • privilege escalation
    • Scripting
    • Python scripting
    • Perl scripting
    • Forensics
    • file forensics with Volatility
    • file extraction with Scalpel
    • Linux executable analysis with GDB
    • Data analysis
    • database analysis with SQLite
    • regular expressions (regex)
    • metadata analysis with exiftool
    • PDF analysis with pdftotext
    • JSON manipulation with jq
    • QR code generation
    • Cryptography
    • securing data with gpg
    • hash extension exploitation

    Computer Requirements:
    64-bit, x86, 2.0 GHz+


    40GB+ Free

    Operating System
    Windows 10 or later, Mac OS 10.15 or later, Linux

    Software for Range
    VMware Virtualization

    * 8GB is possible with reduced performance

  • NetWars Cyber Defense is specifically focused on cyber defense and threat detection; prevent, defend, and analyze increasingly more complex, real-world attack scenarios against your enterprise, from simplistic, brute-force attacks to ransomware campaigns.

    Professionals who should consider taking NetWars Cyber Defense include experienced Security Administrators, Enterprise Defenders, Architects, Network Engineers, Incident Responders, Security Operations Specialists, Security Analysts, and Builders and Breakers.

    Example topics in NetWars Cyber Defense Tournament include:

    • Cyber Defense
    • Threat Hunting
    • Log Analysis
    • Packet Analysis
    • Cryptography
    • Windows Administration
    • Linux Administration
    • Network Security Monitoring
    • Continuous Security Monitoring
    • Steganography

    Computer Requirements:
    64-bit, x86, 2.0 GHz+


    40GB+ Free

    Operating System
    Windows 10 or later, Mac OS 10.15 or later, Linux

    Software for Range
    VMware Virtualization

    * 8GB is possible with reduced performance

  • NetWars DFIR is specifically focused on digital forensics, incident response, threat hunting, and malware analysis, that is tool-agnostic, from low level artifacts to high level behavioral observations.

    Professionals who should consider taking DFIR NetWars include experienced Digital Forensic Analysts, Forensic Examiners, Media Exploitation Examiners, Malware Analysts, Incident Responders, Threat Hunters, Security Operations Center (SOC) Analysts, Law Enforcement Officers, Federal Agents, Detectives, and Cyber Crime Investigators.

    Example topics in NetWars DFIR Tournament include:

    • Digital Forensics
    • Incident Response
    • Threat Hunting
    • Malware Analysis
    • SIFT Workstation (
    • Smartphone Forensics
    • Windows Forensics
    • MacOS and iOS Forensics
    • Network Forensics
    • Media Exploitation
    • Artifact Analysis
    • Rapid Triage
    • Database Analysis
    • Log analysis
    • Malicious attacks
    • Network traffic analysis
    • Reverse engineering and debugging
    • Intrusion detection

    Computer Requirements:
    64-bit, x86, 2.0 GHz+


    200GB+ Free. Approximately 50GB download of evidence files and virtual machines.

    USB 3.0 | Type-A or dongle with Type-A

    Operating System
    Windows 10 or later, Mac OS 10.15 or later, Linux

    Software for Range
    VMware Virtualization. Participants are expected to either provide their own forensics tools, or use the local VMware VM tools that we provide.

    * 8GB is possible with reduced performance.

  • NetWars ICS is specifically focused on industrial control systems and operational technology. It employs a literal cookie factory to unite the ICS/OT factions over the one true sweet treat; nom nom cookies. End goal: get the factory machinery working correctly so you and your peers can be rewarded with fresh baked cookies. ICS NetWars will bring players onto the factory floor and expose them to physical equipment and manufacturing components as they work through the NetWars scenario.

    Professionals who should consider taking ICS NetWars include experienced Process Control Engineers, ICS/OT cybersecurity practitioners working in operational facilities, and IT cybersecurity professionals supporting ICS environments.

    Example topics in NetWars ICS Tournament include:

    • Blue Team (Defender) actions
    • Asset discovery and infrastructure mapping
    • Identifying adversary actions
    • log and file analysis
    • Endpoint forensics
    • ICS-specific malware detection
    • Engineering application use
    • Process restoration

    Computer Requirements:
    64-bit, x86, 2.0 GHz+


    40GB+ Free

    Operating System
    Windows 10 or later, Mac OS 10.15 or later, Linux

    Software for Range
    VMware Virtualization

    * 8GB is possible with reduced performance

  • NetWars GRID is similar to NetWars ICS in that it is focused on industrial control systems and operational technology. However, the NetWars GRID scenario is designed around the complex nature of distributed wide-area control systems found in critical infrastructure sectors like electric system operations. Utilizing a variety of real-world technologies found in electrical generation and distribution systems, the challenges are themed to the power system scenario, though the technology, protocols, architectures, and lessons learned are applicable across numerous critical infrastructure sectors beyond the electric sector.

    Professionals who should consider taking GRID NetWars include experienced IT and OT cybersecurity professionals supporting SCADA communications and control, field technicians, instrumentation and control, ICS field or plant control systems, and control center OT support teams.

    Example topics in NetWars GRID Tournament include:

    • Adversary actions
    • ICS Stage 1 and Stage 2 kill chain
    • Spear phishing
    • Command and control
    • Credential theft
    • Lateral and vertical movement
    • Security configuration modification
    • Process manipulation
    • Situational awareness impacts
    • Reliability effects
    • System integrity impacts
    • Blue Team (Defender) actions and Red Team (adversary) actions*

      *Variations of Netwars Grid exists

    Computer Requirements:
    64-bit, x86, 2.0 GHz+


    40GB+ Free

    Operating System
    Windows 10 or later, Mac OS 10.15 or later, Linux

    Software for Range
    VMware Virtualization

    * 8GB is possible with reduced performance

  • NetWars Healthcare is based on the technologies and systems found in the medical field. It still features the rich storylines, hints, TAs and game servers as other NetWars ranges, but is browser-based for easier access and deployment.

    Example topics in NetWars Healthcare include:

    • Telemedicine and web app security
    • EMR and incident analysis
    • Medical device IoT security
    • Ransomware analysis and decryption
    • Hospital incident investigation with Windows domain event log analysis

    Computer Requirements:
    Internet Access and Chrome, Firefox, Safari, or Edge browsers.

  • All varieties of NetWars are PCTE compatible.

    Persistent Cyber Training Environment (PCTE) is a training platform that supports Joint Cyberspace Operations Forces by providing individual sustainment training, team certification, mission rehearsal, and the foundation for collective training exercises. It leverages existing connectivity to facilitate the sharing of resources, and provides additional cyber “maneuver space.” PCTE enables realistic training with variable conditions to increase readiness and lethality of our Cyberspace Operations Forces, while standardizing, simplifying, and automating the training management process.

    PCTE supports the United States Cyber Command (USCYBERCOM) by enabling a critical need for the DoD and Joint Cyberspace Operations Forces to train at the individual, team, and force level. PCTE is one of the five elements of the Joint Cyber Warfighting Architecture (JCWA), provides a comprehensive, integrated cyberspace architecture to achieve and sustain the insight, agility, and lethality necessary for maintaining a competitive advantage against near-peer adversaries. PCTE will integrate and be inter-operable with the other JCWA elements to enable teams to train and rehearse using the available JCWA operational tools and capabilities.

Bootup CTF

Bootup CTF is a capture-the-flag style cyber range consisting of over 125 multi-disciplinary cybersecurity challenges. It can be played solo or as a team. Bootup runs virtually online for 24-72 hours. Players can log in to participate or log out to take breaks at any time, multiple times, during the open session. Bootup CTF also features an automated hint system to help participants with supporting material and content related to the questions.

  • Question and answer format
  • Play on your time
  • Modular
  • Browser based
  • A wide variety of topics

Bootup CTF is for individuals and teams of all levels. While the content is primarily beginner to intermediate, it provides an easy and convenient way to challenge yourself on the myriad of topics every cybersecurity professional faces daily. Because of the modular nature of Bootup CTF, you can engage and learn at your own pace, in contrast to the brain-crunching environment of other learning formats. And for the cherry on top, every Bootup CTF features prizes for the top scorers of the game.

Computer Requirements:
Internet Access and Chrome, Firefox, Safari, or Edge browsers.

Custom Ranges

SANS is able to craft a custom range challenge to meet the needs of the customer. Custom range requests require a customer meeting with the Cyber Range team to scope the project and provide options. Additionally, during the meeting SANS will help define learning objectives, develop scorecards, and configure the content and platform.

Upcoming NetWars Tournaments

The SANS NetWars Tournaments below are FREE when you register in a 4 to 6-day paid course at selected SANS Training events. Click on the location for more information about the SANS Training event.
DateLocationNetWars Tournament
Jun 6-7Munich | DECyber Defense NetWars
Jun 13-14Paris | FRCore NetWars
Jun 21-22Orlando, FL | USICS NetWars
Jun 27-28San Antonio, TX | USCore NetWars
Jul 18-19Washington, DC | USCore NetWars
Cyber Defense NetWars
Jul 25-26Amsterdam | NLCyber Defense NetWars
Jul 25-26Amsterdam | NLCore NetWars
Aug 1-2Virtual | British Summer TimeCore NetWars
Aug 8-9London | GBCore NetWars
Aug 22-23Amsterdam | NLCyber Defense NetWars
Aug 27-28Salt Lake City, UT | USDFIR NetWars
Sep 5-6London | GBDFIR NetWars
Sep 7-8Las Vegas, NV | USGrid NetWars
Core NetWars
Sep 12-13Amsterdam | NLCyber Defense NetWars
Sep 19-20Baltimore, MD | USCore NetWars
Sep 19-20Paris | FRCyber Defense NetWars
Sep 26-27Copenhagen | DKCyber Defense NetWars
Oct 3-4Prague | CZDFIR NetWars
Oct 10-11Amsterdam | NLCore NetWars
Oct 17-18Munich | DECyber Defense NetWars
Oct 24-25Munich | DEDFIR NetWars
Oct 31 - Nov 1Orlando, FL | USCore NetWars
Oct 31 - Nov 1Virtual | Greenwich Mean TimeCore NetWars
Nov 2-3Universal City, CA | USCore NetWars
Nov 7-8London | GBCore NetWars
Nov 14-15Amsterdam | NLDFIR NetWars
Nov 21-22Coral Gables, FL | USDFIR NetWars
Nov 21-22Amsterdam | NLCyber Defense NetWars
Dec 5-6London | GBCyber Defense NetWars
Dec 12-13Frankfurt | DECyber Defense NetWars
Dec 16-17Washington, DC | USCore NetWars
Dec 19-20Amsterdam | NLCore NetWars
Feb 20-21New Orleans, LA | USICS NetWars
Mar 6-7Baltimore, MD | USCore NetWars
Apr 16-17Orlando, FL | USCore NetWars
DFIR NetWars
May 8-9San Diego, CA | USCore NetWars

Premier Cyber Range Events

Throughout the year SANS hosts several premier events for our various cybersecurity communities throughout the world.

Customer Quotes

For anyone that hasn’t taken part in NetWars before, I can tell you that its brilliant and lots of fun.
Umar Javed
CEO - CyDefOps
NetWars is challenging for all levels of expertise, has great hints if you get stuck, and promotes continuous education.
Jon-Michael Lacek
- Wegmans Food Markets
These challenges were so much fun. Really covered so many different topics. Love how you were forced to use tshark and MySQL. Made you have to learn or relearn topic again.
C. Moody
Every point is a team success no matter who cracks the answer and gets the point(s). Have fun, connect with others and if you win that’s an added extra.
Umar Javed
CEO - CyDefOps
Having participated in NetWars Continuous and in the NetWars Tournament, I can honestly say that they were the most intellectually challenging and enjoyable tests of technical skills in which I have participated.
Kees Leune
- Adelphi University
The gamified environment made it fun and the hints were a welcome feature that really helped make progress in a limited time frame
Adam B.
Don’t focus too much on getting to the top, enjoy the experience, if you team up you can learn so much from others and it definitely helps to divide and conquer based on your skills and experience.
Umar Javed
CEO - CyDefOps
Core NetWars was challenging but not frustrating for newbies. This is my first time doing NetWars and it has been a blast.
Rachael Murray
- Northwestern Mutual
Fun challenges that really pushed you to think and adapt to overcome a variety of interesting scenarios
William L.
The increased difficulty and challenge levels as you moved through the questions encouraged you to keep going and build on the skills being practices
Dan C.
This Mini-Netwars has been a great educational experience for me in learning different ways to accomplish tasks. For my learning level, this has been challenging and rewarding
Ricardo V.
I’m a defender, so knowing how attackers attack is useful. One of the most dangerous attacks in this exercise was flashing firmware on a device that wasn’t properly secured.
Annah W.
[Cyber STX] provided our team the most realistic training environment we have encountered... We hope other CPTs get to experience this
Maj. Marty
Learning new things, thinking from new angles and the topics make it an excellent experience for me
I love how I am able to both sharpen old skills and learn new skills and tools to add to my arsenal... from the use of various famous tools to the writing of simple to complex bash calls and scripts for those tools
Jessica V.
I love taking part in the NetWars. There is such a range of challenges to complete... I had no idea you could over write C functions in binaries as simply as setting an environment variable
Oliver T.

    Our Range Authors and Contributors