CMD+CTRL Cyber Range
The missing piece in your security training toolbag
Use as a practice range, run a competitive or awareness event, or manage talent
- Identify Rockstars. One client had someone from Finance join the security team after a competition.
- Find talent in remote areas. Fortune 300 outdoor apparel retailer in Maine recruits local college students.
- Improve collaboration. Blue-chip ISV runs monthly team events with a range specific to its cloud platform.
- Meet the hiring bar. Pen Testing broker uses real-time assessment capabilities to hire qualified contractors.
- Make training cool. The global brand ran 20+ tournaments worldwide after previous lackluster training.
Each had a waiting list and it won a coveted internal security award.
Meet our Ranges!
With ranges that vary in tech stacks and complexity, players become immersed in familiar environments and learn by doing (and having fun.)

Our flagship Cyber Range with Web and OWASP Top Ten challenges for all skill levels. Vulnerabilities range from basic cross-site scripting (XSS) to moderately complex Password Cracking and SQL injection (SQLi) attacks. more >>
Beginner-level range with rich eCommerce functionality. Covers OWASP Top Ten, business logic attacks, known vulnerable software, Open Source Intelligence (OSINT) reconnaissance and others. more>>
Beginner/intermediate-level range with a distinct employee, manager, and HR admin privileges. Heavy focus on data protection, escalation of privilege, vertical authorization attacks, and horizontal authorization attacks. more>>
Beginner/Intermediate-level range that tempts you to uncover hidden data and access content you shouldn’t be able to. Features several APIs and includes advanced SQLi and path traversal attacks. more>>
Intermediate-level range that includes poorly implemented mitigations (e.g. blacklisting and client-side validation) making exploits more challenging. Great for those who need to understand filter evasion, cryptography and advanced SQLi. more>>
Intermediate/advanced-level modern Single Page Application (SPA) with a heavy focus on APIs. A variety of challenges require a proxy which include encryption, password cracking, scripting, and path traversal. more>>
Advanced range with a user and admin functionality. Features 4 levels of binary exploitation challenges that require injecting script into PDF headers to be later processed by the system. Includes advanced evasion techniques and crypto (HMAC replay) attacks, XML Injection. more>>
An advanced range that uses a real phone or emulator to solve client-side and server-side challenges and crypto puzzles. Focus on crypto, mobile reverse engineering, buffer overflows and API attacks that require multiple steps to exploit. more>>