Cyber ranges may be one of the most effective ways to train IT professionals in defending against cyber attacks. The virtual environments deliver simulated real-world attacks that test multiple dimensions and stakeholders within diverse environments. Cybersecurity teams can use cyber ranges to practice defending against simulated threats in immersive training scenarios, essentially preparing and rehearsing for the “boom event” when a breach occurs.

But, cyber range training is not just for IT departments or SOC teams. A boom event affects the whole company, so it’s important to provide cyber range training to the entire organization so they have the right knowledge when an incident occurs. Stakeholders from across a company, such as marketing, legal, HR teams and even C-suite executives, can benefit from the experience

No longer is it only IT and SOC teams that should learn new ways to communicate, collaborate and access their networks remotely. Now, more than ever, companies need to ensure their entire organizations are well-prepared for a new wave of attacks, as they tackle the demand of maintaining and building protocols around a remote workforce. 

To make this possible, understanding the success of cyber range training and what is involved is the first step to better security preparedness. 

The Psychology Behind Cyber Range’s Success


Dr. Jessica Barker maintains that for cyber range training to be effective, it needs to be relevant to the people it is aimed at. Barker, who co-founded Cygenta and runs cyber.uk, specializes in the human element of cybersecurity and helps organizations with cybersecurity training. She also points out that any training needs to be engaging, interesting and feel useful.

But, engaging training is only one part of the equation. For best results, cyber range training should also simulate real-life scenarios as much as possible.

According to Circadence.com, active learning involves collaborating with teams and applying concepts to real-world exercises, which improves memory retention rates to 75%, compared to 5% through traditional learning methods. 

Professor Cleotilde (Coty) Gonzalez said what sets cyber range training apart is its “transfer of skills” and an important characteristic: similarity.

“The more similar the transfer situation is to the training situation, the better the transfer of training will be,” says Gonzalez, who is part of the Department of Social and Decision Sciences at Carnegie Mellon University and is founder of the Dynamic Decision Making Laboratory. “As an analogy, think of pilot training in complex and realistic simulations. They are trained to land, take off, and deal with situations in particular simulations that are as close as possible to the aircrafts they will be dealing with in real life.”

According to a blog in ComputerWeekly.com, 96% of workers saw benefits from gamified learning exercises, including increased awareness of weaknesses, knowledge of how breaches occur, improved teamwork and response times and enhanced self-efficacy. 

While the effects of similarity to transfer of training are unquestionable, businesses must define what kind of decision-makers they want to train. For Gonzales, similarity, adaptability, and diversity are critical for addressing current cybersecurity challenges.

“Do we want to train someone who can address cyberattacks in a particular cyber range? Or, do we want to train adaptable individuals that can solve problems and adapt to new situations? The cyberattacks will never be exactly the same, and thus we need to think of robust training for adaptability,” says Gonzalez.

What Does Cyber Range Looks Like

Cyber range offerings are classified by their capabilities. 

  • A simple, pre-defined, network-accessible environment is limited and may have a single virtual machine, which provides an infrastructure for capture the flag (CTF) exercises.
  • Another is a locally accessible infrastructure into which malware cannot be introduced. Team members use their own laptops and work emails.
  • A third is a complex, locally accessible infrastructure where all equipment and devices are provided by the cyber range vendor. Malware may be safely run without fear of contaminating a network.

Most cyber training has defenders, called a blue team, working against a computer-managed attack scenario or human attackers, known as a red team. There is a simulated network with various security capabilities and a scenario emulator creating valid and malicious network streams. The cyber range is customizable to mirror a company’s network.

Most trainings can be done on-premise or via a cloud-based virtualized SOC, which has increased in popularity during the recent pandemic.

How to Accommodate Cyber Range Needs


If your organization thinks cyber range is too complicated to tackle alone or lacks facilities to simulate real-world attacks, there are training labs that offer the resources required for training. 

The City of Los Angeles is one entity that decided to do their own training and build a progressive partnership with the pubic and private sector when they created LA CyberLab (LACL) in 2017. The Los Angeles municipal government’s IT team analyzes more than 1 billion cybersecurity-related events daily. Dealing with activity at this scale calls for measures that go beyond old-school training methodologies.

The LACL is a first-of-its-kind, public-private partnership on cybersecurity among a municipal government, private sector partners and research universities. Ted Ross, CIO for the City of Los Angeles and General Manager of the Information Technology Agency (ITA), explains that the LACL provides targeted education and training to different audiences.

The LACL offers threat-hunting techniques geared to cyber professionals and cyber hygiene for small business owners. According to Ross, the IT team regularly conducts two types of cyber range training and exercises to improve the city’s cybersecurity effectiveness. It administers hands-on red team/blue team exercises using a third-party vendor playing the red team for both simulated and real penetration attempts of city assets. The City of Los Angeles also joins local businesses, the Department of Homeland Security and the FBI to conduct cybersecurity tabletop exercises specifically targeted to critical urban infrastructure.

“While plans and preparations are very useful, nothing improves your cybersecurity posture and response like a real-world test,” Ross says. “Each cyber range exercise builds real-world experience for IT professionals, identifies potential weaknesses, improves response coordination across teams and impresses the importance of good cybersecurity for the residents and businesses of Los Angeles that rely on their government.”

The LACL also hosted its first cyber security summit in 2019 for cyber professionals and industry on the latest trends and innovation and launched a new threat sharing platform: the LA Cyber Lab Cyber Threat Intelligence Sharing Platform (TISP) with IBM.

Ross also shared some specific strategies that have helped his organization and other LACL participants find success with cyber range training. While real-world exercises certainly sound exciting and immersive, they can not succeed without proper preparation. 

  • Prepare your security operations and IT teams before the exercises.
  • Ensure your team has the appropriate technical training and certification, such as an Ethical Hacker certification.
  • Prepare tools and technologies for detection, threat hunting and response (IDS, Firewall, SIEM etc.).
  • Prepare your workflow, playbooks and incident response plan for common cyber attack types.
  • Ensure all assets for the exercises are updated and patched. 
  • Treat your red team, your offensive security experts attacking your systems and breaking into defenses, as a partner. Always plan to have a “hot-wash” session afterward to go over lessons learned and recommendations. 
  • Always have an action plan to resolve issues soon after the exercises.

If the concept of cyber range training is new to your company, it’s understandable that you might be overwhelmed. However, these training exercises always come up as productive and successful. Those organizations that prioritize cyber range training will almost always boast a more robust cybersecurity posture. 

For more in-depth analysis of cyber range training, SANS has a great resource here

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-ranking banking trojan Ramnit out to steal payment card data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today