SANS Cyber Situational Training eXercise (Cyber STX)

The premiere in-depth training and validation cyber range


The SANS Cyber Situational Training eXercise (Cyber STX) is our premiere in-depth training and validation cyber range. Teams of participants engage in active Red-on-blue battle during an intense free-flowing week defending critical cyber terrain. The red team develops a comprehensive campaign based on one or more specific Advanced Persistent Threat(s), utilizing their same Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) as the given APTs.

SANS instructors and Teaching Assistants (TAs) play the part of blue team coaches and red team / OPFOR operators, creating a highly realistic environment that can measure a blue team’s abilities, the capabilities of their tools and communications, and the effectiveness of their TTPs. Additionally, the Cyber STX can take red teamer skills to the next level. SANS offers the Cyber STX on-site for private events, virtually in a cloud-based environment, or in a mixed mode with participants both local and remote. Cyber STX can include both Information Technology (IT) and Operations Technology (OT) infrastructures, depending on the specific environments participants are called on to protect. From an OT perspective, SANS runs Cyber STX missions with Industrial Control System (ICS) devices for power distribution, power generation, water refinement, port crane operations, manufacturing systems, and more.

Characteristics of Cyber STX

  • Live fire red-on-blue engagement lasting a week
  • Custom, detailed campaign utilizing the TTPs and IOCs of one or more specific Advanced Persistent Threats
  • SANS instructors act as blue team coaches, red teamers and coaches, and white cell organizers
  • Daily shot validation emphasizing lessons learned and planning for subsequent days
  • After Action Review on final day
  • IT and OT environments, with the amount of OT and types of ICS infrastructures determined based on participants’ job needs
  • Run anywhere, with local participants, remote participants, or mixed mode
  • Ideal for teams of 30 to 100+ participants
  • Blue team can utilize their own tools or a set of SANS recommended tools

Who should participate?

  • Military groups seeking in-depth training and validation
  • Cyber Protection Teams
  • Government agencies with responsibilities for defending critical systems
  • Large private industry organizations protecting complex infrastructure

Cyber STX Case Study

Case Study

Learn how the US Army gets battle-ready with SANS Cyber Situational Training eXercise (Cyber STX). 

Cyber STX in Action

Hear from cyber range creators Ed Skoudis and Josh Wright about how the Cyber STX red-on-blue exercises were used to simulate multiple attacks on water, transportation, and other infrastructure systems at a Muscatatuck Urban Training Complex training event in this video.


Cyber STX for Your Team

Build a Cyber STX experience that meets your team’s training needs. SANS will help you to:
  • Define Learning Objectives
  • Develop Scorecards
  • Configure Content & Platform


    NetWars is challenging for all levels of expertise, has great hints if you get stuck, and promotes continuous education.
    Jon-Michael Lacek
    - Wegmans Food Markets
    Core NetWars was challenging but not frustrating for newbies. This is my first time doing NetWars and it has been a blast.
    Rachael Murray
    - Northwestern Mutual
    Having participated in NetWars Continuous and in the NetWars Tournament, I can honestly say that they were the most intellectually challenging and enjoyable tests of technical skills in which I have participated.
    Kees Leune
    - Adelphi University