Cyber ranges may be one of the most effective ways to train IT professionals in defending against cyber attacks. The virtual environments deliver simulated real-world attacks that test multiple dimensions and stakeholders within diverse environments. Cybersecurity teams can use cyber ranges to practice defending against simulated threats in immersive training scenarios, essentially preparing and rehearsing for the “boom event” when a breach occurs.

But, cyber range training is not just for IT departments or SOC teams. A boom event affects the whole company, so it’s important to provide cyber range training to the entire organization so they have the right knowledge when an incident occurs. Stakeholders from across a company, such as marketing, legal, HR teams and even C-suite executives, can benefit from the experience

No longer is it only IT and SOC teams that should learn new ways to communicate, collaborate and access their networks remotely. Now, more than ever, companies need to ensure their entire organizations are well-prepared for a new wave of attacks, as they tackle the demand of maintaining and building protocols around a remote workforce. 

To make this possible, understanding the success of cyber range training and what is involved is the first step to better security preparedness. 

The Psychology Behind Cyber Range’s Success

Dr. Jessica Barker maintains that for cyber range training to be effective, it needs to be relevant to the people it is aimed at. Barker, who co-founded Cygenta and runs, specializes in the human element of cybersecurity and helps organizations with cybersecurity training. She also points out that any training needs to be engaging, interesting and feel useful.

But, engaging training is only one part of the equation. For best results, cyber range training should also simulate real-life scenarios as much as possible.

According to, active learning involves collaborating with teams and applying concepts to real-world exercises, which improves memory retention rates to 75%, compared to 5% through traditional learning methods. 

Professor Cleotilde (Coty) Gonzalez said what sets cyber range training apart is its “transfer of skills” and an important characteristic: similarity.

“The more similar the transfer situation is to the training situation, the better the transfer of training will be,” says Gonzalez, who is part of the Department of Social and Decision Sciences at Carnegie Mellon University and is founder of the Dynamic Decision Making Laboratory. “As an analogy, think of pilot training in complex and realistic simulations. They are trained to land, take off, and deal with situations in particular simulations that are as close as possible to the aircrafts they will be dealing with in real life.”

According to a blog in, 96% of workers saw benefits from gamified learning exercises, including increased awareness of weaknesses, knowledge of how breaches occur, improved teamwork and response times and enhanced self-efficacy. 

While the effects of similarity to transfer of training are unquestionable, businesses must define what kind of decision-makers they want to train. For Gonzales, similarity, adaptability, and diversity are critical for addressing current cybersecurity challenges.

“Do we want to train someone who can address cyberattacks in a particular cyber range? Or, do we want to train adaptable individuals that can solve problems and adapt to new situations? The cyberattacks will never be exactly the same, and thus we need to think of robust training for adaptability,” says Gonzalez.

What Does Cyber Range Looks Like

Cyber range offerings are classified by their capabilities. 

  • A simple, pre-defined, network-accessible environment is limited and may have a single virtual machine, which provides an infrastructure for capture the flag (CTF) exercises.
  • Another is a locally accessible infrastructure into which malware cannot be introduced. Team members use their own laptops and work emails.
  • A third is a complex, locally accessible infrastructure where all equipment and devices are provided by the cyber range vendor. Malware may be safely run without fear of contaminating a network.

Most cyber training has defenders, called a blue team, working against a computer-managed attack scenario or human attackers, known as a red team. There is a simulated network with various security capabilities and a scenario emulator creating valid and malicious network streams. The cyber range is customizable to mirror a company’s network.

Most trainings can be done on-premise or via a cloud-based virtualized SOC, which has increased in popularity during the recent pandemic.

How to Accommodate Cyber Range Needs

If your organization thinks cyber range is too complicated to tackle alone or lacks facilities to simulate real-world attacks, there are training labs that offer the resources required for training. 

The City of Los Angeles is one entity that decided to do their own training and build a progressive partnership with the pubic and private sector when they created LA CyberLab (LACL) in 2017. The Los Angeles municipal government’s IT team analyzes more than 1 billion cybersecurity-related events daily. Dealing with activity at this scale calls for measures that go beyond old-school training methodologies.

The LACL is a first-of-its-kind, public-private partnership on cybersecurity among a municipal government, private sector partners and research universities. Ted Ross, CIO for the City of Los Angeles and General Manager of the Information Technology Agency (ITA), explains that the LACL provides targeted education and training to different audiences.

The LACL offers threat-hunting techniques geared to cyber professionals and cyber hygiene for small business owners. According to Ross, the IT team regularly conducts two types of cyber range training and exercises to improve the city’s cybersecurity effectiveness. It administers hands-on red team/blue team exercises using a third-party vendor playing the red team for both simulated and real penetration attempts of city assets. The City of Los Angeles also joins local businesses, the Department of Homeland Security and the FBI to conduct cybersecurity tabletop exercises specifically targeted to critical urban infrastructure.

“While plans and preparations are very useful, nothing improves your cybersecurity posture and response like a real-world test,” Ross says. “Each cyber range exercise builds real-world experience for IT professionals, identifies potential weaknesses, improves response coordination across teams and impresses the importance of good cybersecurity for the residents and businesses of Los Angeles that rely on their government.”

The LACL also hosted its first cyber security summit in 2019 for cyber professionals and industry on the latest trends and innovation and launched a new threat sharing platform: the LA Cyber Lab Cyber Threat Intelligence Sharing Platform (TISP) with IBM.

Ross also shared some specific strategies that have helped his organization and other LACL participants find success with cyber range training. While real-world exercises certainly sound exciting and immersive, they can not succeed without proper preparation. 

  • Prepare your security operations and IT teams before the exercises.
  • Ensure your team has the appropriate technical training and certification, such as an Ethical Hacker certification.
  • Prepare tools and technologies for detection, threat hunting and response (IDS, Firewall, SIEM etc.).
  • Prepare your workflow, playbooks and incident response plan for common cyber attack types.
  • Ensure all assets for the exercises are updated and patched. 
  • Treat your red team, your offensive security experts attacking your systems and breaking into defenses, as a partner. Always plan to have a “hot-wash” session afterward to go over lessons learned and recommendations. 
  • Always have an action plan to resolve issues soon after the exercises.

If the concept of cyber range training is new to your company, it’s understandable that you might be overwhelmed. However, these training exercises always come up as productive and successful. Those organizations that prioritize cyber range training will almost always boast a more robust cybersecurity posture. 

For more in-depth analysis of cyber range training, SANS has a great resource here

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today