A cyber range is a controlled virtual environment where security teams practise detecting, investigating, and responding to real attacks, without the consequences of a live incident. For most of the last decade, that meant expensive, consultant-led simulations built for large enterprises and government agencies. That definition no longer holds. The tools, the access model, and the expectations of what a cyber range should do have all shifted. What was once a $50,000 to $100,000 annual event is becoming a repeatable, self-serve capability that security teams of all sizes can run on their own terms.
What does a cyber range actually do?
At its broadest, a cyber range is any isolated environment built to develop, test, or exercise cyber capabilities, spanning everything from academic research to national defense drills. What sets ours apart is a focus on simulating realistic, unfolding breaches inside a purpose-built virtual network.
TryHackMe offers a cyber range environment that simulates a realistic, unfolding breach inside a purpose-built virtual network. The team operates against that breach in real time: detecting threats, triaging alerts, investigating evidence, containing the attack, and recovering the environment. It's not a discussion about what the team would do, but rather a test of whether they can actually do it, under pressure, with incomplete information, coordinating across SOC and IR functions simultaneously.
That distinction matters more than it sounds. Most security teams have incident response plans, playbooks, and tooling in place. What they rarely get to test is the coordination, decision-making, and technical execution required when a real breach is unfolding. The gap between a theoretical IR capability and a real one is almost never visible until it's too late.
A cyber range makes that gap visible, in a controlled environment, before an incident, when processes and capability challenges can still be addressed.
How is a cyber range different from a tabletop exercise?
They're complementary, not competing, but they test fundamentally different things. A few key distinctions:
- Tabletop exercises test decisions while cyber ranges test execution. A tabletop verifies what decisions your team would make, and a cyber range finds out whether they can actually perform in a live environment, under pressure.
- Not all tabletops are equal. A static, template-based tabletop and an AI-powered and tailored tabletop like TryHackMe's are genuinely different tools. The latter can be customized for relevance to your environment, and run on a monthly cadence without budget approval.
- Cyber ranges go further. They cover the full IR lifecycle, depending on context.
- The two work best together. Tabletops for regular rehearsal, cyber ranges as the high-fidelity checkpoint that validates whether your team can execute when it counts.
For a deeper look at how modern tabletop exercises have changed, and why templates fall short for small security teams, read our full breakdown here.
What does a cyber range exercise actually cover?
A well-designed cyber range exercise runs the full incident response lifecycle, not just the detection phase that most training stops at.
The scope depends on where the exercise begins. Starting from an alert, that means detection, triage, and escalation, before moving into identification and scoping by higher-tier analysts and IR teams to verify and characterize the incident, then containment and isolation, eradication, recovery, and lessons learned. For exercises that begin post-escalation, the focus shifts to validation and identification before picking up the same path into containment and beyond. The phases most exercises skip, like escalation handoffs, containment logic, recovery sequencing, and evidence handling under time pressure, are exactly where real gaps tend to live.
The environment itself matters too. A realistic cyber range isn't a clean lab with an obvious smoking gun. It has noisy telemetry, incomplete information, and evolving facts that force genuine prioritisation decisions. The team doesn't know what they don't know, which is precisely the condition they'll face in a real incident.
Why did the traditional cyber range model fail most security teams?
The cyber range market has productized significantly. There are platform products with real technical fidelity, and consultancy-led engagements that deliver bespoke simulations for organizations with the budget and lead time to support them. But across the board, the market has a structural problem: it doesn't accommodate most security teams, and even for the teams it does accommodate, it forces a compromise on the thing that matters most: continuous improvement.
Readiness is built through repetition. The feedback loop (running exercises regularly, finding gaps, fixing them, running again) is what separates a team that responds well from one that doesn't. Almost every option in the current market breaks that loop through cost, complexity, or infrequency.
There are broadly five archetypes, and each fails that loop in its own way.
The consultancy-led simulation. Expensive, requires significant lead time to scope and build, and can't be repeated without re-engaging the vendor from scratch. For most security teams, that means once a year at best, and the environment reflects the vendor's infrastructure, not the team’s. This limits how much the exercise actually transfers back to your operations.
The dedicated cyber range platform. Priced and built for large enterprise, government, and defence buyers. Complex to set up, primarily designed for individual or small-team scenarios rather than full-team breach simulation across the complete IR lifecycle. For teams that can access these platforms, the fidelity is real. But the cost and complexity make regular use impractical, and the exercise rarely reflects the team's actual environment.
The executive-focused discussion exercise. Designed for leadership and crisis management rather than technical responders. Doesn't test the hands-on capability of SOC or IR teams.
The gamified decision platform. More accessible and repeatable, but the fidelity ceiling limits what the feedback is actually worth. Rehearsing decisions in an abstract environment tells you something. It doesn't tell you whether your team can execute when it counts.
The individual training platform. Develops individual analyst skills but doesn't exercise the team as a coordinated operational unit. The gaps that surface in a real incident (escalation breakdowns, coordination failures, tooling blind spots under pressure) don't show up in solo simulation.
The pattern across all five is the same: teams either can't access the tools at the fidelity they need, or they can access them but can't run them frequently enough for the feedback loop to do its job. That's the problem TryHackMe has built Live Breach Exercises to solve.
How has the cyber range model changed?
The shift is from service to product, and from annual event to repeatable practice.
The new generation of cyber range tooling is self-serve, configurable, and designed to run without a consultancy engagement. Teams build their own virtual environments, choose their own attack chains mapped to real APT profiles and MITRE ATT&CK techniques, and run exercises on their own schedule. The output isn't a consultant's report delivered weeks later. It's an automated post-exercise assessment ready immediately, structured for both technical teams and board-level review.
This matters because frequency is where the value compounds. One exercise a year surfaces one set of gaps. Quarterly exercises, each building on what the last one found, reshape how the team actually operates under pressure. The muscle memory, coordination instincts, and tooling familiarity that separate a prepared team from a reactive one don't come from a single annual event.
Who are cyber range exercises designed for?
Cyber ranges are team exercises, not individual training products. They require a functioning SOC or CSIRT operating as a unit, typically a minimum of three to five dedicated security staff with defined roles across detection, investigation, and response.
The core participants are CSIRT and IR teams executing technical response, SOC analysts working initial detection and investigation phases, and SOC managers overseeing escalation decisions and validating team readiness. CISOs and security leaders often sponsor and review the exercise, using results to demonstrate operational readiness to boards and regulators. Adjacent teams including IT operations, cloud infrastructure, legal, and communications can be brought in depending on scenario scope.
For organisations with smaller teams or earlier-stage security programmes, tabletop exercises and SOC simulation are the right starting point. Cyber ranges are the high-fidelity layer that becomes valuable once the team is operating as a coordinated unit.
What should good cyber range output look like?
An exercise that ends with a verbal debrief is a missed opportunity. The output of a well-designed cyber range should be a structured, evidence-based record of team performance: specific about where decisions broke down, and actionable about what to fix.
That means performance assessment mapped to the IR lifecycle and MITRE ATT&CK, documentation of where coordination failed and why, identification of tooling blind spots that only surface under live pressure, and a prioritised improvement plan that feeds directly into runbook updates, hiring decisions, and tooling investment. An executive summary suitable for board or auditor review should come as standard.
How TryHackMe is approaching cyber ranges differently
TryHackMe has spent years building individual analyst capability through the SOC Simulator, Threat Hunting Simulator, AI-powered tabletops and structured learning paths. Live Breach, our cyber range product now in early access, extends that into full-team, high-fidelity simulation.
Live Breach was built by a team that understands how security practitioners actually learn, how real incidents actually unfold, and what it takes to turn individual skill into coordinated team capability. That practitioner foundation shapes everything: the attack chains, the IR lifecycle coverage, the environment configuration, and the way results are reported back to both technical leads and the board.
The design philosophy is environment-specific and built for teams that want to own their own readiness practice. Rather than working in a generic lab built by a vendor, teams configure their own virtual network directly in the platform, choosing network topology, tooling stack, endpoints, and segmentation. Start from a baseline template (SMB, Enterprise, Government) and customise from there to reflect your actual environment.
For attack chains, teams choose from a catalogue of real APT profiles, or compose a custom chain using a MITRE ATT&CK-aligned technique library, setting initial access vectors, lateral movement paths, and persistence mechanisms. The exercise covers the full IR lifecycle: detection and triage through escalation, identification and scoping, containment and isolation, eradication, recovery, and lessons learned. Exercises are designed to run in two to four hours, intensive enough to be realistic, compact enough to fit within a working day.
Post-exercise reporting is automated and immediate: team performance against MITRE ATT&CK-mapped tasks, decision quality, process gaps, and prioritised recommendations, with an exec summary ready for board or regulator review.
Why TryHackMe built a cyber range for practitioners, by practitioners
High-fidelity breach simulation has been, for most of its existence, something that only the best-resourced teams could access, and only once a year.
That's a problem TryHackMe is in a specific position to fix. We've built a community of millions of security practitioners. We understand how analysts learn, how teams develop, and what the gap between individual skill and operational readiness actually looks like in practice. That practitioner foundation is what makes the approach to Live Breach different from a vendor building a cyber range product in isolation. The scenarios are grounded in how real attacks unfold. The IR lifecycle coverage reflects how real teams actually work. The self-serve model exists because we know what it costs, in time and money, to depend on an external vendor for something your team should own.
Security teams are often under-resourced and under-equipped with tools that fit their reality. Live Breach is built for them: teams that take readiness seriously, that want to test, not just discuss, and that shouldn't need a six-figure budget to do it.
Live Breach is currently in early access. For teams that want additional support running their first exercise, options are available. Get in touch to discuss.
Frequently asked questions
What is a cyber range in cyber security? A cyber range is a controlled virtual environment where security teams practise responding to realistic attack scenarios. Unlike tabletop exercises, which are discussion-based, cyber ranges require teams to execute actual technical incident response: detecting, investigating, containing, and recovering from a simulated breach in a live virtual network.
How is a cyber range different from a penetration test? A penetration test is an offensive exercise that probes your systems for technical vulnerabilities. A cyber range is a defensive exercise that tests whether your security team can detect, respond to, and recover from an attack. Both are valuable and complementary; they test different sides of the same problem.
How often should a security team run cyber range exercises? Most mature security teams run a full cyber range exercise once or twice a year as a high-fidelity readiness checkpoint, with tabletop exercises and SOC simulation providing regular practice in between. As self-serve tooling makes exercises faster and cheaper to run, more frequent cadences are increasingly achievable.
How is a cyber range different from SOC simulation training? SOC simulation primarily focuses on individual analyst skills including triage, investigation, and tool familiarity, using pre-built scenarios. A cyber range is a team exercise: your whole SOC and CSIRT operating together in a shared virtual network, against a multi-stage attack chain, across the full IR lifecycle from alert through recovery. Different scope, fidelity, and purpose.