Here's the thing nobody tells you when you start learning to hack: you cannot practise on real systems without permission. That is not a technicality. Unauthorised access is a criminal offence under the Computer Misuse Act and its equivalents worldwide, regardless of whether you cause damage or just poke around.
The good news? You do not need to. There is an entire ecosystem of deliberately broken machines and sites built specifically for you to attack, exploit, and own: legally, ethically, and completely consequence-free. This is where real skills get built.
Let's break down the best options, what each one gives you, and where to start.
Why Practice Environments Matter
Reading about SQL injection is one thing. Firing off a payload and watching a database spit out credentials is another. The gap between understanding a concept and being able to apply it under pressure is closed by one thing: repetition in a real environment.
Every room you compromise, every machine you root, every vulnerability you chain into a full exploit is a building block. Do enough of them and the techniques stop feeling like steps to remember and start feeling like instincts. That is when you are ready for the real world.
Category 1: Online Platforms (Start Here)
Online platforms are the fastest way to get hands-on. No local setup. No configuration headaches. Just open your browser and start hacking.
TryHackMe
This is your starting point. TryHackMe gives you guided, structured rooms across every offensive skill area: web exploitation, network scanning, Active Directory attacks, privilege escalation, OSINT, CTF challenges, and more. The browser-based AttackBox means you can practise from anywhere without installing a single tool.
What makes TryHackMe different from other platforms is the structure. Rooms explain the concept, walk you through the technique, and then put you in a live environment to apply it. You are not just reading theory and then facing a blank terminal. You are learning and doing at the same time.
The Jr Penetration Tester path takes you from fundamentals through web exploitation, network pentesting, and Active Directory attacks in a sequence that actually makes sense. Complete it and you have a public profile showing hundreds of hours of documented, hands-on offensive security practice.
A free account gets you started with hundreds of rooms and one hour of daily AttackBox. Premium unlocks the full path at around $10 per month.
Best for: Everyone. Beginners building foundations. Intermediate learners working through structured paths. Anyone who wants to crack their next challenge without the setup overhead.
Category 2: Intentionally Vulnerable Web Applications (Run Locally)
These are web applications built to be broken. Download them, spin them up locally in an isolated environment, and have at it. The key word is isolated: never expose these to a public network. They are deliberately insecure by design.
DVWA (Damn Vulnerable Web Application)
DVWA is the classic starting point for web application security practice. It covers SQL injection, XSS, CSRF, command injection, file inclusion, and brute force across three difficulty levels: low, medium, and high. Turn the security level up and the same vulnerability becomes harder to exploit, which forces you to actually understand what you are doing rather than following a fixed recipe.
Deploy it via Docker in minutes:

```
docker run --rm -it -p 80:80 vulnerables/web-dvwa
```
Best for: Beginners learning OWASP Top 10 fundamentals. The adjustable difficulty is what makes it genuinely useful for building skills progressively.
OWASP Juice Shop
Juice Shop is DVWA's more modern, more sophisticated cousin. It is a full JavaScript application (Node.js, Express, Angular) with over 100 vulnerabilities across beginner through expert difficulty. Crucially, it has a built-in challenge tracker so you always know what you have found and what you have missed.
It is the benchmark vulnerable web application for 2026: actively maintained, realistic in architecture, and comprehensive in coverage. If you only run one local web app, make it Juice Shop.
```
docker run --rm -p 3000:3000 bkimminich/juice-shop
```
Best for: Anyone past the basics who wants a more realistic, comprehensive web application to test against.
OWASP WebGoat
WebGoat takes a different approach. Instead of a free-form "find the vulnerability" environment, it is structured like an interactive textbook. It explains the vulnerability, walks you through the concept, and then challenges you to exploit it yourself. It even shows you the source code so you understand the root cause, not just the symptom.
If you want to understand why vulnerabilities exist rather than just how to exploit them, WebGoat is the pick.
Best for: Learners who want the conceptual depth that pure exploitation practice does not always provide.
Category 3: Vulnerable Virtual Machines (Full System Practice)
Web apps cover one slice of the attack surface. Vulnerable VMs give you the full picture: network scanning, service enumeration, exploitation, privilege escalation, post-exploitation. This is where you practise the complete attack chain.
Metasploitable 2 and 3
Metasploitable is a Linux virtual machine built to be exploited with Metasploit. It runs a deliberately misconfigured set of services: vulnerable FTP, SMB, web applications, databases, and more. Fire up Nmap, enumerate what is running, find your entry point, and get a shell.
Metasploitable 3 adds Windows targets and more complex vulnerability chains, making it the natural progression once you have worked through version 2.
Best for: Learning the full network penetration testing workflow. Scan, enumerate, exploit, escalate. This is the cycle that real engagements follow.
VulnHub
VulnHub is a library of community-created vulnerable virtual machines, each designed as a self-contained challenge. Hundreds of machines, ranging from beginner-friendly to genuinely brutal, cover web exploitation, binary exploitation, Active Directory, CTF scenarios, and more. Every machine comes with a community writeup once you have solved it, so you can compare your approach to others.
Download a machine, import it into VirtualBox or VMware, and hack away.
Best for: Intermediate learners who want unguided practice across a wide range of scenarios and skill areas.
Category 4: Web-Based Challenges and Learning Labs
PortSwigger Web Security Academy
Entirely free. No account needed for most content. PortSwigger covers every major web application vulnerability class from apprentice through expert level, with live labs that test real exploitation rather than theory. If you are targeting web application penetration testing or bug bounty, this is the primary resource. Full stop.
Best for: Web security specifically. Not a general starting point but exceptional within its scope.
HackThisSite
HackThisSite is a long-running free platform with web challenges, realistic scenarios, and programming missions. It is less polished than modern platforms but carries a large community and a solid catalogue of challenges across multiple categories.
Best for: Supplementary web challenge practice and CTF-style missions.
The Full Picture: Which to Use When
| Resource | Type | Skill level | Free? | Best for |
|---|---|---|---|---|
| TryHackMe | Online platform | Beginner to advanced | Free tier + ~$10/mo Premium | Structured, guided learning across all offensive skill areas |
| DVWA | Local web app | Beginner | Free | OWASP Top 10 basics with adjustable difficulty |
| OWASP Juice Shop | Local web app | Beginner to advanced | Free | Comprehensive, modern web app with 100+ vulnerabilities |
| OWASP WebGoat | Local web app | Beginner to intermediate | Free | Structured, lesson-based web vulnerability learning |
| Metasploitable 2/3 | Vulnerable VM | Beginner to intermediate | Free | Full network pentest workflow: scan, enumerate, exploit, escalate |
| VulnHub | Vulnerable VM library | Beginner to advanced | Free | Unguided machine challenges across all skill levels |
| PortSwigger Web Academy | Online labs | Beginner to expert | Free | Web application security depth |
The Golden Rule of Practice Environments
One rule, non-negotiable: isolate everything.
Vulnerable machines are vulnerable on purpose. DVWA, Metasploitable, Juice Shop: none of them should ever be accessible from the internet or from your main network. Run them inside VirtualBox or VMware with host-only or internal networking. Your practice environment is a controlled lab, not a live system.
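The `docker run` one-liners above publish ports with a bare `-p 80:80`, which binds on `0.0.0.0`, every interface on the host, so the broken app is reachable from your LAN. Here is an added Compose file (not from the original article or either project) that runs both local web targets with their published ports pinned to loopback; the container and network names are my own choice.

```yaml
# Added example: DVWA and Juice Shop published on 127.0.0.1 only.
# Run with:   docker compose up -d
# Verify:     docker port dvwa        -> prints "80/tcp -> 127.0.0.1:80"
#             ss -ltn                 -> shows 127.0.0.1:80, not 0.0.0.0:80
services:
  dvwa:
    image: vulnerables/web-dvwa
    container_name: dvwa            # name chosen for this example
    ports:
      # Weak form, equivalent to "-p 80:80": published on every interface.
      # - "80:80"
      # Hardened form: only processes on this host can reach it.
      - "127.0.0.1:80:80"
    networks:
      - lab

  juice-shop:
    image: bkimminich/juice-shop
    container_name: juice-shop      # name chosen for this example
    ports:
      - "127.0.0.1:3000:3000"
    networks:
      - lab

networks:
  lab:                              # private bridge so the two targets only see each other
    driver: bridge
```

The same pinning works on the command line as `-p 127.0.0.1:80:80`; if you run a separate attacker VM, give it and the lab a host-only or internal network instead of publishing ports at all.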
On TryHackMe, this is handled for you. Every machine runs in an isolated cloud environment. No local setup, no network configuration, no risk of accidentally exposing a vulnerable service. It is the reason TryHackMe is the best starting point for most learners: you get the hands-on practice without the infrastructure headache.
The Smartest Way to Use All of These
Do not pick one and ignore the rest. Use them in combination, in sequence.
Start on TryHackMe. The guided rooms build the fundamentals and give you the technique vocabulary you need to make sense of everything else. Once you have completed the foundational rooms and started on the Jr Penetration Tester path, spin up Juice Shop or Metasploitable locally and try to apply what you have learned without guidance.
That combination of structured learning on TryHackMe followed by unguided practice in local lab environments is how skills move from "I know how to do this" to "I can do this without thinking about it."
Crack your first challenge. Root your first machine. Level up.
Nick O'Grady